The Latest Cyber Security Threats in Healthcare · 2011 2013 2015 IRS Tax Fraud Pre-2010 2012 2014 Sale of Patient Data to Crime Rings Sale of Physician DataData to Crime Ringsto

The Latest Cyber Security Threats in Healthcare Threat Actors See Growing Value in PHI and an Industry that is Highly Valued yet Under Protected

July 28, 2015

Download the Replay on YouTube

http://youtu.be/onzT07dJx_A

David Merkel

Senior VP & CTO FireEye, Inc.

Today’s Speakers

Brian Stone

Manager, Customer Success

FairWarning, Inc.

Kurt Long

Founder & CEO

FairWarning, Inc.

Agenda

• Today’s emerging threat landscape

• Implications and action steps for the healthcare industry

• Outside threats vs inside threats

• How to create a coordinated world-class threat prevention and response framework

4 Copyright © 2015, FireEye, Inc. All rights reserved.

Cyber Attacks and Effective Defense in the Modern Era

The New Normal

Dave Merkel

Chief Technology Officer, FireEye


Introductions …and some definitions


Breaking Down the Threat

Nuisance Data Theft Cyber Crime Hacktivism Network Attack

Objective

Access &

Propagation

Economic, Political

Advantage

Financial

Gain

Defamation, Press

& Policy

Escalation, Destruction

Example Botnets & Spam Advanced Persistent

Threat Credit Card Theft

Website

Defacements

Destroy Critical

Infrastructure

Targeted

Character Automated Persistent Opportunistic Conspicuous Conflict Driven


What’s a Maginot?

French Minister of War

Awarded the Medaille

Militaire for valor

Fencer

Died of typhoid in 1932

Father of the Maginot Line


The Maginot Line

Constructed 1930-

1939

Designed to counter

WWI trench warfare

Cover mobilization of

French Army


The Maginot Line

Constructed 1930-

1939

Designed to counter

WWI trench warfare

Cover mobilization of

French Army

Flanking


“Generals are always preparing for the last war rather than

the next one.”

Credited to Georges Clemenceau

Prime Minister of France


“Generals are always preparing for the last war rather than

the next one.”

Credited to Georges Clemenceau

Prime Minister of France

[INSERT IRONY JOKE HERE]


The line’s “most dangerous aspect is the psychological

one, a false sense of security is engendered, a feeling of

sitting behind an impregnable iron fence…”

General Sir Alan Brooke

War Diaries, 1939-1945


Cybersecurity’s Maginot Line – May 2014


Cybersecurity’s Maginot Line – May 2014


1189 POV Customers

Maginot Revisited – January 2015

67 Countries

20+ Industries

96% Customers

Compromised

27% Had APT


Maginot Revisited – January 2015


40%

31%

21%

N. America EMEA APAC

JAPAN LATAM Rest of World

Data by Region

Number of PoV

Customers

% PoV

N. AMERICA 477 40%

EMEA 369 31%

APAC 252 21%

JAPAN 53 4.5%

LATAM 36 3%

ROW 2 <1%


Average Attack Seen Per Week

Exploit Malware

Download

Command

and Control

Per Week Per Week Per Week

Impacted Hosts Per Week

377


How Do We Know This Is Happening?

Source: Mandiant M-Trends 2015

24 days less than 2013

Longest Presence: 2,982 days


The Malware Lifespan: Two Hours

0

50000

100000

150000

200000

250000

300000

350000

0 1 2 3 4 5 6 7

2012 2013

Source: FireEye Labs

MA

LWA

RE

S

AM

PLE

S

HOURS


OF MALWARE ONLY EXISTS ONCE

OF MALWARE DISAPPEARS AFTER

ONE HOUR


Shark Slide


Case Study Cyber Attacks for Market Manipulation – FIN4


Overview

Financially-motivated threat group

Active since at least mid-2013

Targets confidential business information in emails - likely

for use in gaining insider trading advantage

Members appear to include native English speakers and

Wall Street insiders

Demonstrates familiarity with investment terminology,

inner workings of public companies


Intelligence Sources

Mandiant Incident Response Investigations

FireEye device detections

FireEye as a Service (FaaS) detections

Other research


Targets


Operations

Would you fall for it?

Spear phishing emails sent from

other victims’ email accounts, and

through hijacked email threads

Uses weaponized documents to

capture credentials via malicious

VBA macros; malicious URLs to

fake OWA sites

Difficult to detect because of its

simplicity. The actors real skill is

social engineering.


For every good guy, there

is a bad guy

Cyber, it’s not just for the

big players

All new technologies (e.g.

mobile) become targets

Espionage and Healthcare

This is the new normal

So What?


Addressing the Problem What Successful Organizations Are Doing


Defense in Depth – What Is It?

A military strategy; it seeks to delay rather than prevent

the advance of an attacker…

Rather than defeating an attacker with a single, strong

defensive line, [it] relies on the tendency of an attack to

lose momentum over a period of time…Once an attacker

has lost momentum …defensive counter-attacks can be

mounted on the attacker's weak points [to] drive the

attacker back to its original starting position.

Source: Wikipedia, “Defense in Depth”


Defense in Depth – What Is It?

An information assurance (IA) concept in which multiple

layers of security controls (defense) are placed throughout

an information technology (IT) system. Its intent is to

provide redundancy in the event a security control fails

or a vulnerability is exploited that can cover aspects of

personnel, procedural, technical and physical for the

duration of the system's life cycle.

Source: Wikipedia, “Defense in Depth (computing)”


Defense in Depth

AV FW IDS SIEM


Defense in Depth

AV FW IDS SIEM

Same Model, No Momentum Reduction


Defense in Shallow

AV

FW

IDS

SIEM


Defense in depth

AV

FW

IDS

SIEM

EXPERTISE AND

FORENSICS? ANALYTICS? BEHAVIOR?


So what’s working?

• War-time mindset:

acceptance of the new

normal

• Beyond compliance: look at

efficacy vs. real threats and

budget alignment

• Resilience: ability to

operate through the breach


Detect to Respond in Minutes…


Detect to Respond in Minutes…


2014

© F

airW

arn

ing,

In

c. –

Pri

vate

an

d C

on

fid

enti

al

Patient Privacy Monitoring and Data Visualization

Kurt J. Long FairWarning, Inc.

Escalating Advanced Threats

´1

Lost laptops, media, paper

records

Patient Complaints

Snooping

Medical & Financial ID Theft

2015 2013 2011

IRS Tax Fraud

2012 2014 Pre-2010

Sale of Patient Data

to Crime Rings

Sale of Physician

Data

to Crime Rings

Sale of Employee

Data

to Crime Rings

Rise of Cyber Threats

to Healthcare Industry

Foreign National

Espionage

http://www.idtheftcenter.org/id-theft/data-breaches.html

Visual Analytics for Advanced Threats

• Access patient demographics after hours

• Benchmark users’

activity by self / peers

• Recognize specific

events / actions

Expertise Gap

Pre-2009 vs. 2015 Escalating Advanced Threats

Global Investigations

Partial FTE Advanced Analytics, Filtering, Proactive

Alerts

Investigations & Security Skills

Security Incident Management

Clinical Data & Workflow Expertise

OCR Audit Experience

Security, Forensics & Compliance Expertise

Coordinated Threat Protection & Response

Increase Emphasis on Rapid Response

with FairWarning Ready®

• Faster more coordinated response

• Improve patient privacy

• Efficient and cost effective

• Integrates with All major EHR and over

300+ Enterprise applications and security

vendors

Questions

• Please submit via the WebEx Q&A or Chat windows to the right side of your screen.

For more information, please visit:

www.FairWarning.com

www.fireeye.com

http://www.fairwarning.com/

http://www.fireeye.com/

David Merkel

Senior VP & CTO FireEye, Inc.

Thank you for attending

Brian Stone

Manager, Customer Success

FairWarning, Inc.

Kurt Long

Founder & CEO

FairWarning, Inc. Blog: fairwarning.com/kurt-long-blog

http://www.fairwarning.com/kurt-long-blog/






Documents

The Latest Cyber Security Threats in Healthcare · 2011 2013 2015 IRS Tax Fraud Pre-2010 2012 2014 Sale of Patient Data to Crime Rings Sale of Physician DataData to Crime Ringsto