211 Hayden, Ernie - Data Breaches Ransomware (211-Ransomware.pdf, 14 pages)

8/30/2016

Slide 1

Ernie Hayden CISSP CEH GICSP(Gold) PSP
Executive Consultant

This Presentation is Proprietary to Securicon, Inc. Any use of this document without express written approval from Securicon is strictly prohibited.

V 0

Today's OPA – Outcome, Purpose, Actions
Cyber & Today's Health Care Sector
Data Breaches
Ransomware
Recommended Actions:
  ◦ Preparation
  ◦ Response/Reaction
Q&A
References

Slide 2

The proper pronunciation of… Tinnitus?

Slide 3

Outcome:
  ◦ Overview of the Healthcare Industry Data Security Situation
Purpose:
  ◦ Educate Attendees on Causes, Drivers and Responses to Ransomware and Data Breaches
Actions:
  ◦ Discuss Data Breaches
  ◦ Discuss Ransomware
  ◦ Review Prevention/Preparation Activities
  ◦ Discuss Recommended Ways to Respond

Slide 4

The Industry is Under Attack
  ◦ Ransomware → Extortion
  ◦ Denial of Service → Extortion
  ◦ Medical Record Theft → Fraud

Slide 5

Ponemon Institute Study (April 2016)
  ◦ Breaches: $6.2B cost
  ◦ Cost per Record: Healthcare $355, Education $246, Finance $221

2015: Healthcare had the highest rate of data breaches vs. any other industry -- IBM

Slide 6

48% Malicious or Criminal Attack
25% Negligent Employees or Contractors (Human Factor)
27% System Errors – IT and Business Process

60+% of Healthcare Organizations & Business Associates believe they are more vulnerable to a data breach than other industries -- Ponemon

Slide 7

Fraud
  ◦ Patient information is valuable to identity thieves
Data Availability Needs
  ◦ Healthcare providers need access to patient histories, directives, etc. to be able to respond to the patient – think "Emergency Environment"
Heavy Reliance on Electronic Healthcare Records
  ◦ Computers/workstations, Internet access, heavy reliance on databases – makes for a "perfect" target for cybercriminals

Slide 8

Remember: It is About Money!
2015: >$24M collected in >2,400 reported ransomware attacks (FBI)
Healthcare:
  ◦ Easy targets – the only security focus is on HIPAA, not on, e.g., medical device or web page security
  ◦ Disruption in a hospital may mean life or death

"Without quick access to drug histories, surgery directives and other information, patient care can get delayed or halted, which makes hospitals more likely to pay a ransom rather than risk delays that could result in death or lawsuits." -- Kim Zetter, Wired Magazine

Slides 9-10 (figures): State Data Breach Laws; Friendly, Local Healthcare Information Security Officer

Slide 11

HIPAA BREACH:
  ◦ An impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information.
  ◦ An impermissible use or disclosure of protected health information is presumed to be a breach unless the covered entity or business associate demonstrates that there is a low probability that the protected health information has been compromised, based on a risk assessment.

http://www.hhs.gov/hipaa/for-professionals/breach-notification/index.html

Slide 12

BREACH – STATE DATA BREACH LAWS (47 States)

"Personal information" means an individual's first name or first initial and last name in combination with any one or more of:
  (a) Social security number;
  (b) Driver's license number; or
  (c) Account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account.

"Personal information" does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.

Exception to notification: Encrypted Records

Reference: State of Washington RCW 19.255.010

Slide 13 (figure, source: Gartner)

Slide 15

Ransomware: a form of malicious software that restricts the user's access to their device or data in some way and demands a ransom payment in exchange for lifting the restriction.

Crypto-ransomware: specifically encrypts the files on the victim's machine and typically gives a time limit by which the victim must pay a fee to decrypt the files… or else!

Lockscreen ransomware: locks the screen and demands payment – no files are encrypted.

Master Boot Record (MBR) ransomware: the computer won't boot; the ransom demand is displayed on screen.

Slide 16

First Ransomware: 2005

Ransomware = Extortion. A type of malware that attempts to extort money from a computer user/company by:
  ◦ Infecting or taking control of the computer or the files on it
  ◦ Preventing you from doing one or more of the following:
      Accessing Windows and/or other devices
      Using your files (it encrypts them)
      Running certain applications
      Accessing backup repositories

Slide 17

Via Email (Phishing) as an Attached File
  ◦ .doc, .pdf, .zip
  ◦ Tricks the user into opening the file
Via Email (Phishing) as a Malicious Link
Via Compromised Website (Watering Hole Attack)
  ◦ Downloads the payload of an exploit kit
  ◦ Redirects to a malicious site

Slide 18

Malicious Code Infection
  ◦ Downloads an .exe which installs the ransomware itself
Malicious Payload Staging
  ◦ Ransomware sets itself up and embeds itself in the system
Scanning
  ◦ Searches for content to encrypt
  ◦ Looks on the local computer, network-accessible resources and even cloud resources (e.g., Dropbox)
Encryption
Ransom Note Generation

Recommend: Exabeam, The Anatomy of a Ransomware Attack
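The scanning and encryption phases on the anatomy slide are the point at which a locker becomes visible on the host: it renames or rewrites files at a rate and across a spread of directories that no normal program matches, and it drops the same ransom note into directory after directory. The Python below is an added example and not code from the Securicon deck or from Exabeam; it scores those two behaviours per process over a sliding window. The event stream, the process names (including the locker masquerading as svchost.exe), the paths and the thresholds are all constructed for illustration, and a real deployment would feed Sysmon or auditd file events into the same `feed()` call.

```python
"""Behavioural detection of the scanning/encryption phase of crypto-ransomware.
Added example, not code from the deck.  Events, process names and thresholds are
constructed for illustration."""
import ntpath
from collections import defaultdict, deque

WINDOW_SECONDS = 60      # sliding window per process
MIN_EXT_CHANGES = 10     # extension-changing renames needed inside the window...
MIN_DIRECTORIES = 4      # ...spread over at least this many directories
MIN_NOTE_COPIES = 3      # identical new file name dropped into this many directories


def _ext(path):
    return ntpath.splitext(path)[1].lower()


class RansomwareDetector:
    """Keeps a per-process window of (ts, pid, process, op, src, dst) events and
    scores two behaviours a crypto-locker cannot avoid: mass extension-changing
    renames across many directories, and one new file (the note) appearing in
    directory after directory."""

    def __init__(self):
        self.windows = defaultdict(deque)

    def feed(self, event):
        ts, pid, process, _, _, _ = event
        window = self.windows[pid]
        window.append(event)
        while window and ts - window[0][0] > WINDOW_SECONDS:
            window.popleft()
        return self._score(pid, process, window)

    @staticmethod
    def _score(pid, process, window):
        ext_changes, dirs = 0, set()
        created = defaultdict(set)           # basename -> directories it was created in
        for _, _, _, op, src, dst in window:
            if op == "rename" and _ext(src) != _ext(dst):
                ext_changes += 1
                dirs.add(ntpath.dirname(src).lower())
            elif op == "create":
                created[ntpath.basename(src).lower()].add(ntpath.dirname(src).lower())
        note_copies = max((len(d) for d in created.values()), default=0)
        reasons = []
        if ext_changes >= MIN_EXT_CHANGES and len(dirs) >= MIN_DIRECTORIES:
            reasons.append(f"{ext_changes} extension-changing renames across {len(dirs)} directories")
        if note_copies >= MIN_NOTE_COPIES:
            reasons.append(f"same new file dropped in {note_copies} directories (ransom note?)")
        return {"pid": pid, "process": process, "reasons": reasons} if reasons else None


def build_sample_events():
    """Constructed feed: a word processor, a backup agent rotating temp files inside
    ONE directory (extension changes but no spread), and a locker that hits a local
    folder, the desktop, a file share and a cloud-sync folder."""
    events, t = [], 0.0
    for _ in range(15):                                   # benign editing
        events.append((t, 200, "winword.exe", "write", r"C:\Users\alice\Documents\notes.docx", None))
        t += 1.0
    for i in range(12):                                   # benign rotation, single directory
        events.append((t, 400, "backup.exe", "rename", rf"D:\backup\set{i}.tmp", rf"D:\backup\set{i}.bak"))
        t += 0.5
    victims = [r"C:\Users\alice\Documents", r"C:\Users\alice\Desktop",
               r"\\fileserver\patients", r"C:\Users\alice\Dropbox"]
    for d in victims:                                     # locker: encrypt-and-rename, then note
        for i in range(3):
            events.append((t, 1337, "svchost.exe", "rename", rf"{d}\chart{i}.docx", rf"{d}\chart{i}.docx.locked"))
            t += 0.2
        events.append((t, 1337, "svchost.exe", "create", rf"{d}\HOW_TO_DECRYPT.txt", None))
        t += 0.2
    return events


def run(events):
    """Return the latest alert per pid; processes that never triggered are absent."""
    detector, alerts = RansomwareDetector(), {}
    for event in events:
        alert = detector.feed(event)
        if alert:
            alerts[alert["pid"]] = alert
    return alerts


if __name__ == "__main__":
    for alert in run(build_sample_events()).values():
        print(alert["process"], alert["pid"], "->", "; ".join(alert["reasons"]))
```

The backup agent performs more extension-changing renames than the threshold, but all in one directory, so it stays quiet; the locker trips both rules. The directory-spread requirement is what keeps the rule from firing on batch converters and archivers, and the note-copies rule catches families that encrypt in place without renaming.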

Slide 19

4,000 daily ransomware attacks since early 2016: a 300% increase over the 1,000 daily attacks reported in 2015 (US Govt Interagency Document)

(Figure: Ransomware roundup, courtesy of Proofpoint) https://www.nsoit.com/Images/SecurityNews/Ransomware-Roundup-Courtesy-of-Proofpoint-(dot)-com-80pct.png

Slide 20

6 reported ransomware attacks on healthcare organizations in the US, affecting 15+ hospitals, January – April 2016

Hollywood Presbyterian Medical Center, Los Angeles
  ◦ Locky ransomware variant
  ◦ Offline for > 1 week
  ◦ Paid ransom (~$17,000 in Bitcoin)
Methodist Hospital, Henderson, Kentucky
  ◦ Did not pay ransom
  ◦ Restored data from backups

Slide 21 (figure): NIST Computer Security Incident Handling Guide, SP 800-61 Rev. 2

Slide 22

Recommended Reading:
  ◦ Ransomware Hostage Rescue Manual: https://info.knowbe4.com/ransomware-hostage-rescue-manual-0
  ◦ Ransomware (FBI Trifold): https://www.fbi.gov/about-us/investigate/cyber/ransomware-brochure
Approaches:
  ◦ Prevention
  ◦ Response

Slide 23

First Line of Defense – Users
  ◦ Educate your personnel: employees, vendors, contractors, volunteers
  ◦ Conduct simulated phishing attacks – learn from your team's mistakes
  ◦ Manage the use of privileged accounts (e.g., Admin) based on the principle of least privilege

Slide 24

Software
  ◦ Ensure you are using a firewall – block known malicious IP addresses
  ◦ Implement anti-spam/anti-phishing
  ◦ Ensure all machines have up-to-date antivirus; better: include application whitelisting and heuristics
  ◦ Implement highly disciplined and timely patching of applications and operating systems
  ◦ Disable macro scripts in Office files transmitted via email
  ◦ Scan incoming/outgoing email to detect threats and filter executable files before they reach end users
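Two of the controls above, filtering executables out of email and keeping macro-bearing Office files away from users, are the gateway-side answer to the attachment vectors on slide 17. The Python below is an added example, not code from the deck or from any mail product: it classifies each attachment of a message by sniffing content first (so an .exe renamed to .pdf is still caught), then by extension, then by opening OOXML/zip containers to look for `vbaProject.bin` or executable members. The message, the macro blob and the four attachments are constructed in `build_sample_message()`; the magic-byte table and the blocked-extension list are illustrative and deliberately short.

```python
"""Mail-gateway attachment policy: block executables regardless of declared name,
quarantine Office documents that carry VBA macros.  Added example, not code from
the deck.  The message and its attachments are constructed below."""
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

EXECUTABLE_MAGIC = {b"MZ": "Windows PE executable", b"\x7fELF": "ELF executable", b"#!": "script"}
MACRO_MEMBERS = ("word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin")
BLOCKED_EXT = {".exe", ".scr", ".js", ".vbs", ".bat", ".cmd", ".ps1", ".hta", ".jar"}


def _ext(name):
    name = (name or "").lower()
    return name[name.rfind("."):] if "." in name else ""


def classify_attachment(filename, data):
    """Return (verdict, reason); verdict is 'allow', 'block' or 'quarantine'.
    Content is sniffed before the name is trusted."""
    for magic, desc in EXECUTABLE_MAGIC.items():
        if data.startswith(magic):
            return "block", f"{desc} (content sniffed; declared name {filename!r})"
    if _ext(filename) in BLOCKED_EXT:
        return "block", f"extension {_ext(filename)} is not allowed"
    if data.startswith(b"PK"):                       # OOXML documents and plain zips
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                members = zf.namelist()
        except zipfile.BadZipFile:
            return "quarantine", "corrupt zip container"
        if any(m in members for m in MACRO_MEMBERS):
            return "quarantine", "Office document contains VBA macros"
        if any(_ext(m) in BLOCKED_EXT for m in members):
            return "block", "archive contains executable content"
    return "allow", "no indicator"


def scan_message(raw):
    """Classify every attachment of an RFC 5322 message: [(name, verdict, reason)]."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    results = []
    for part in msg.walk():
        if part.get_content_disposition() != "attachment":
            continue
        data = part.get_payload(decode=True) or b""
        verdict, reason = classify_attachment(part.get_filename(), data)
        results.append((part.get_filename(), verdict, reason))
    return results


def _ooxml(with_macro):
    """Minimal constructed Word container; real files carry many more members."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 constructed macro blob")
    return buf.getvalue()


def build_sample_message():
    """Constructed phishing-style message with four attachments."""
    word = "vnd.openxmlformats-officedocument.wordprocessingml.document"
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "billing@example.test", "alice@example.test", "Invoice"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(b"%PDF-1.4 constructed", maintype="application", subtype="pdf", filename="statement.pdf")
    msg.add_attachment(b"MZ\x90\x00 constructed PE stub", maintype="application", subtype="pdf", filename="invoice.pdf")
    msg.add_attachment(_ooxml(True), maintype="application", subtype=word, filename="invoice.docx")
    msg.add_attachment(_ooxml(False), maintype="application", subtype=word, filename="terms.docx")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, verdict, reason in scan_message(build_sample_message()):
        print(f"{name:15} {verdict:10} {reason}")
```

Note that `invoice.docx` is quarantined even though it does not carry the .docm extension: the macro check looks inside the container, which is the only reliable test once an attacker has renamed the file.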

Slide 25

Backups
  ◦ Implement a backup solution, software- or hardware-based (or both)
  ◦ Ensure all possible data you need to access or save is backed up, including USB/mobile storage
  ◦ Ensure your data is safe, redundant and easily accessible once backed up
  ◦ Ensure backups are NOT permanently connected to the computers and networks they back up
  ◦ Regularly test the recovery function of backup/restore procedures; test the data integrity of physical backups
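The last two bullets above are the ones that decide whether a hospital restores or pays: a backup that a locker could reach is not a backup, and a backup nobody has ever restored from is a guess. The Python below is an added example, not code from the deck, of how to make both testable. It writes a SHA-256 manifest alongside an offline copy, verifies a tree against that manifest, and runs a restore drill that proves the restored files match. Everything (the "production" files, the backup and the simulated encryption) is constructed inside a temporary directory that `drill()` removes afterwards.

```python
"""Backup integrity manifest and restore drill.  Added example, not code from the
deck.  All files live in a temporary directory created by drill()."""
import hashlib
import json
import os
import shutil
import tempfile

MANIFEST = "manifest.json"


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map relative path -> SHA-256 for every file under root (the manifest itself excluded)."""
    manifest = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            rel = os.path.relpath(os.path.join(dirpath, name), root).replace(os.sep, "/")
            if rel != MANIFEST:
                manifest[rel] = sha256_file(os.path.join(dirpath, name))
    return manifest


def write_backup(src_root, backup_root):
    """Copy the tree and store the manifest alongside it; returns the manifest."""
    shutil.copytree(src_root, backup_root)
    manifest = build_manifest(src_root)
    with open(os.path.join(backup_root, MANIFEST), "w") as f:
        json.dump(manifest, f, indent=1)
    return manifest


def verify(root, manifest):
    """Compare a tree against a manifest; counts intact, modified, missing and unexpected files."""
    current = build_manifest(root)
    counts = {"intact": 0, "modified": 0, "missing": 0, "unexpected": 0}
    for rel, digest in manifest.items():
        if rel not in current:
            counts["missing"] += 1
        elif current[rel] != digest:
            counts["modified"] += 1
        else:
            counts["intact"] += 1
    counts["unexpected"] = len(set(current) - set(manifest))
    return counts


def restore(backup_root, dest_root):
    """Restore from the backup and prove the result matches the stored manifest."""
    with open(os.path.join(backup_root, MANIFEST)) as f:
        manifest = json.load(f)
    shutil.copytree(backup_root, dest_root, ignore=shutil.ignore_patterns(MANIFEST))
    result = verify(dest_root, manifest)
    return result["intact"] == len(manifest) and result["unexpected"] == 0


def drill():
    """Back up, get 'hit', verify, restore.  Returns the verification counts."""
    work = tempfile.mkdtemp(prefix="backup-drill-")
    try:
        prod, backup, restored = (os.path.join(work, d) for d in ("prod", "backup", "restored"))
        os.makedirs(os.path.join(prod, "patients"))
        files = {"patients/chart-001.txt": b"allergies: penicillin\n",     # constructed sample data
                 "patients/chart-002.txt": b"allergies: none\n",
                 "schedule.csv": b"09:00,OR-1,appendectomy\n"}
        for rel, data in files.items():
            with open(os.path.join(prod, rel), "wb") as f:
                f.write(data)
        manifest = write_backup(prod, backup)
        before = verify(prod, manifest)
        # Simulated locker: two files overwritten and renamed, one overwritten in place,
        # plus a ransom note.  The backup directory is never touched: it is 'offline'.
        for rel in ("patients/chart-001.txt", "patients/chart-002.txt"):
            path = os.path.join(prod, rel)
            with open(path, "wb") as f:
                f.write(os.urandom(256))
            os.replace(path, path + ".locked")
        with open(os.path.join(prod, "schedule.csv"), "wb") as f:
            f.write(os.urandom(256))
        with open(os.path.join(prod, "HOW_TO_DECRYPT.txt"), "w") as f:
            f.write("your files are encrypted\n")
        return {"before": before, "after": verify(prod, manifest),
                "backup": verify(backup, manifest), "restored_ok": restore(backup, restored)}
    finally:
        shutil.rmtree(work, ignore_errors=True)


if __name__ == "__main__":
    print(json.dumps(drill(), indent=1))
```

The manifest is what turns "we have a backup" into a checkable statement: the same `verify()` call that shows the production tree as two missing, one modified and three unexpected files shows the offline copy still fully intact, and the drill ends by restoring from it and re-verifying rather than assuming the copy would work.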

Slide 27

Step 1: Immediate Response
  ◦ Disconnect everything: unplug the computer from the network, but DO NOT TURN IT OFF (powering down discards volatile memory that a memory capture can still preserve)
  ◦ Turn off wireless functionality (Wi-Fi, Bluetooth, NFC)
  ◦ Do not erase/scrub/wipe/scan or clean until a forensic image is complete
  ◦ Implement the Cyber Emergency Response Plan

Slide 28

Step 2: Determine Scope of Infection
  ◦ Mapped or shared drives?
  ◦ Mapped or shared folders from other computers?
  ◦ Network storage devices of any kind?
  ◦ External hard drives?
  ◦ USB storage devices of any kind (USB sticks, attached phones, cameras)?
  ◦ Cloud-based storage (Dropbox, Google Drive, etc.)?

Slide 29

Step 3: Determine Ransomware Strain
  ◦ www.bleepingcomputer.com (good start)
  ◦ Anti-virus vendor
  ◦ FBI/law enforcement

Slide 30

Step 4: Evaluate Your Responses
  ◦ Notify the FBI field office: the FBI recommends contacting a field office immediately (alternative: US Secret Service)
  ◦ Restore from a recent (uncontaminated) backup
  ◦ Decrypt files using 3rd-party decryption (low chance)
  ◦ Do nothing: lose your data
  ◦ Negotiate: pay the ransom

"The FBI does not support paying a ransom to the adversary." -- FBI Ransomware Tri-Fold

Slide 31

Step 5:
  ◦ Restore systems to normal
  ◦ Ensure the malware is entirely removed – even from old backups, backups of backups, etc.
  ◦ Conduct an after-action review
  ◦ Take action on lessons learned

Slide 32 (figure): Deloitte, 14 Business Impacts of a Cyber Attack
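Steps 2 and 3 above are a checklist, and on a real incident the checklist has to be run against every storage root the victim host could write to, not just its local disk. The Python below is an added example (not code from the deck) of that scoping pass: it walks each root, counts files that carry a document extension underneath an appended suffix and whose content has ciphertext-like entropy, picks up ransom notes by keyword, and returns the suffix and note name that Step 3 would search for on bleepingcomputer.com or hand to the AV vendor and the FBI. The four roots (local disk, mapped share, USB stick, cloud-sync folder), their files, the `.crypted` suffix, the note name, the entropy threshold and the keyword list are all constructed for illustration inside a temporary directory that `run_demo()` removes.

```python
"""Post-incident scoping for Steps 2 and 3: which reachable roots are hit, and what
artefacts identify the strain.  Added example, not code from the deck.  Roots and
contents are constructed in a temporary directory."""
import math
import os
import shutil
import tempfile
from collections import Counter

DOCUMENT_EXTS = {".docx", ".xlsx", ".pdf", ".txt", ".csv", ".jpg"}
NOTE_KEYWORDS = ("decrypt", "bitcoin", "your files")
ENTROPY_THRESHOLD = 7.0          # bits/byte; documents sit well below, ciphertext near 8


def shannon_entropy(data):
    if not data:
        return 0.0
    counts = Counter(data)
    return -sum(c / len(data) * math.log2(c / len(data)) for c in counts.values())


def looks_encrypted(path):
    with open(path, "rb") as f:
        return shannon_entropy(f.read(4096)) > ENTROPY_THRESHOLD


def is_ransom_note(path):
    try:
        with open(path, "r", errors="ignore") as f:
            text = f.read(4096).lower()
    except OSError:
        return False
    return sum(k in text for k in NOTE_KEYWORDS) >= 2


def triage(roots):
    """roots: {label: path}.  Per root: file counts, appended suffixes, note names, affected flag."""
    report = {}
    for label, root in roots.items():
        info = {"files": 0, "encrypted": 0, "suffixes": Counter(), "notes": set()}
        for dirpath, _, names in os.walk(root):
            for name in names:
                full = os.path.join(dirpath, name)
                info["files"] += 1
                stem, ext = os.path.splitext(name)
                inner = os.path.splitext(stem)[1].lower()       # extension under the appended one
                if ext.lower() not in DOCUMENT_EXTS and inner in DOCUMENT_EXTS and looks_encrypted(full):
                    info["encrypted"] += 1
                    info["suffixes"][ext.lower()] += 1
                elif ext.lower() in (".txt", ".html", ".hta") and is_ransom_note(full):
                    info["notes"].add(name)
        info["suffixes"] = dict(info["suffixes"])
        info["notes"] = sorted(info["notes"])
        info["affected"] = info["encrypted"] > 0 or bool(info["notes"])
        report[label] = info
    return report


def strain_hints(report):
    """Strings to search for (bleepingcomputer.com) or send to the AV vendor / FBI."""
    hints = set()
    for info in report.values():
        hints.update(info["suffixes"])
        hints.update(info["notes"])
    return sorted(hints)


def _build_scenario(work):
    """Constructed layout: local disk, mapped share and cloud-sync folder hit; USB stick clean."""
    roots = {k: os.path.join(work, k) for k in ("local", "mapped_share", "usb", "cloud_sync")}
    for path in roots.values():
        os.makedirs(path)
    plain = b"Patient chart. Allergies: none. Meds: none.\n" * 50

    def doc(root, name, encrypted):
        with open(os.path.join(root, name), "wb") as f:
            f.write(os.urandom(4096) if encrypted else plain)

    def note(root, name):
        with open(os.path.join(root, name), "w") as f:
            f.write("Your files are encrypted. Send bitcoin to decrypt.\n")

    for i in range(3):
        doc(roots["local"], f"chart{i}.docx.crypted", True)
    note(roots["local"], "HOW_TO_RESTORE_FILES.txt")
    for i in range(2):
        doc(roots["mapped_share"], f"ledger{i}.xlsx.crypted", True)
    doc(roots["mapped_share"], "policy.pdf", False)
    note(roots["mapped_share"], "HOW_TO_RESTORE_FILES.txt")
    for i in range(2):
        doc(roots["usb"], f"photo{i}.jpg", False)             # untouched
    doc(roots["cloud_sync"], "budget.csv.crypted", True)      # synced up before the disconnect
    return roots


def run_demo():
    work = tempfile.mkdtemp(prefix="scope-")
    try:
        report = triage(_build_scenario(work))
        return report, strain_hints(report)
    finally:
        shutil.rmtree(work, ignore_errors=True)


if __name__ == "__main__":
    report, hints = run_demo()
    for label, info in report.items():
        print(f"{label:13} affected={info['affected']} encrypted={info['encrypted']}/{info['files']} notes={info['notes']}")
    print("search for:", hints)
```

Two points the output makes that the checklist alone does not: the mapped share and the cloud-sync folder count as in scope even though the victim's own disk is where the note was first seen, and the entropy test is what separates a renamed-but-still-readable file from one that actually needs the backup from Step 4.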

Slide 34

Direct Costs:
  • Customer breach notifications
  • Post-breach customer protection
  • Regulatory compliance (fines)
  • PR/crisis communications
  • Attorney fees/litigation
  • Cybersecurity improvements
  • Technical investigations

Hidden Costs:
  • Insurance premium increases
  • Increased cost to raise debt
  • Operational disruption or destruction
  • Lost value of customer relationships
  • Value of lost contract revenue
  • Devalued trade name
  • Loss of intellectual property

Slide 35

Ernie Hayden CISSP CEH GICSP (Gold) PSP
Executive Consultant
425-765-1400
[email protected]

References (slides 36-39)

Slides 5-6: Ponemon Institute, Sixth Annual Benchmark Study on Privacy & Security of Healthcare Data, http://www.ponemon.org/library/sixth-annual-benchmark-study-on-privacy-security-of-healthcare-data-1

Slide 8: Kim Zetter, Why Hospitals are the Perfect Targets for Ransomware, Wired, https://www.wired.com/2016/03/ransomware-why-hospitals-are-the-perfect-targets/

Slide 18: Exabeam, The Anatomy of a Ransomware Attack, http://info.exabeam.com/lp-the-anatomy-of-a-ransomware-attack

Slide 21: NIST, Computer Security Incident Handling Guide, SP 800-61 Rev. 2, http://csrc.nist.gov/publications/drafts/800-61-rev2/draft-sp800-61rev2.pdf

Slide 22: KnowBe4, Ransomware Hostage Rescue Manual, https://info.knowbe4.com/ransomware-hostage-rescue-manual-0

Slide 22: FBI, Ransomware (Trifold), https://www.fbi.gov/about-us/investigate/cyber/ransomware-brochure

Slide 32: Deloitte, Deloitte Identifies 14 Business Impacts of a Cyber Attack, http://www2.deloitte.com/us/en/pages/about-deloitte/articles/press-releases/deloitte-identifies-14-business-impacts-of-a-cyberattack.html

F-Secure, Evaluating the Customer Journey of Crypto-Ransomware and the Paradox Behind It, https://fsecureconsumer.files.wordpress.com/2016/07/customer_journey_of_crypto-ransomware_f-secure.pdf

Department of Health & Human Services, Fact Sheet: Ransomware and HIPAA, http://www.hhs.gov/sites/default/files/RansomwareFactSheet.pdf

U.S. Government Interagency Technical Guidance Document, How to Protect Your Networks from Ransomware, https://www.justice.gov/criminal-ccips/file/872771/download

Kaspersky Labs, Ransomware: All Locked Up and No Place to Go, http://research.crn.com/content57793