Cyberhacking Data Breach: Who Is Winning the War on PHI and PII?
Linda Vincent, Principal, Vincent & Associates, San Pedro, California
6C-1
Today’s Plan of Action/Discussion
• What are the risks in data breaches?
• What are your strategies when a breach happens?
• What resources exist for prevention and for protection?
• Key takeaways
6C-2
Just What Is Cybersecurity?
• Information technology security
• Focused on protecting computers, networks, programs and data
• Prevention of unintended or unauthorized access, change or destruction
• Everyday term: data breaches
6C-3
Device Management
• Have a BYOD policy and procedure in place
– Allow no other users (family) to access the device
– No personal work on the employer computer (banking, web browsing)
– Maintain a lost-or-stolen device policy
– Have a return policy for terminated or departing employees
– Employer may access the device at any time
– Add two-factor authentication
• All mobile devices should have encryption enabled
• All should have anti-virus installed and kept up to date
• All should use a VPN
• Remember, an employee can unknowingly download malware!
6C-4
2016 Review of 6 Most Serious Cyber Threats
• Ransomware
• Mega data breaches
• Identity theft
• Smartphone insecurities
• IoT (the Internet of Things)
• Augmented reality gaming
6C-5
Ransomware
• Blocks access to your files and systems
• Allows no access until you pay
• Two types
– Encrypting: locks your files with encryption algorithms; you need the decryption key, so you pay up
– Lockers: lock you out of the system; pay or no access
• The ransom is usually demanded in Bitcoin
– If you do not pay within a specific period, the ransom may double, or you may never regain access
– Bitcoin (per CNN Money): a currency created in 2009 by an unknown person using the alias Satoshi Nakamoto. Transactions are made with no middlemen, meaning no banks. There are no transaction fees and no need to give your real name.
6C-6
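The encrypting type of ransomware described above can be spotted by what it leaves behind: ciphertext has near-maximal byte entropy, and many families rename the files they encrypt (Locky, named on the Kentucky hospital slide of this deck, appended .locky). The following Python is an added example and is not part of the original presentation; the entropy threshold, the allow-list of legitimately compressed formats, the extension list beyond .locky, and the sample files it writes to a temporary directory are constructed assumptions for illustration.

```python
"""Heuristic scan for files that look ransomware-encrypted (added example).

Encrypting ransomware rewrites each file as ciphertext, and ciphertext is close to
incompressible: its Shannon entropy sits near 8 bits/byte, while documents, logs
and source code sit well below that. Both signals used here are heuristics:
archives and media are legitimately high-entropy, so they are allow-listed.
"""
import hashlib
import math
import os
import tempfile
from collections import Counter

HIGH_ENTROPY = 7.5          # bits/byte; assumed threshold, tune for your data
SAMPLE_BYTES = 64 * 1024    # only the first 64 KiB is needed for the estimate
# Legitimately compressed/encrypted formats that would otherwise trip the check.
ALLOWLISTED_EXT = {".zip", ".gz", ".7z", ".jpg", ".jpeg", ".png", ".mp4", ".pdf"}
# ".locky" is real (Locky family); the others are a constructed, incomplete list.
RANSOM_EXT = {".locky", ".encrypted", ".crypt"}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input, max 8.0)."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def classify_file(path: str):
    """Return a reason string if `path` looks encrypted by ransomware, else None."""
    ext = os.path.splitext(path)[1].lower()
    if ext in RANSOM_EXT:
        return f"ransomware extension {ext}"
    if ext in ALLOWLISTED_EXT:
        return None  # high entropy is expected for these formats
    with open(path, "rb") as fh:
        head = fh.read(SAMPLE_BYTES)
    ent = shannon_entropy(head)
    if len(head) >= 1024 and ent >= HIGH_ENTROPY:
        return f"high entropy {ent:.2f} bits/byte"
    return None


def scan_directory(root: str) -> dict:
    """Walk `root` and map each suspicious file path to the reason it was flagged."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            reason = classify_file(path)
            if reason:
                findings[path] = reason
    return findings


def canary_intact(path: str, expected_sha256: str) -> bool:
    """Cheap early warning: a planted 'canary' document should never change."""
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest() == expected_sha256


def build_sample_tree(root: str) -> dict:
    """Constructed sample data: two normal files, two that mimic ransomware output."""
    text = b"Patient intake form - name, DOB, member ID\n" * 200
    samples = {
        "notes.txt": text,                       # plain text, low entropy
        "photo.jpg": os.urandom(8192),           # high entropy but allow-listed
        "claims.xlsx.locky": os.urandom(8192),   # ransomware extension
        "ledger.xlsx": os.urandom(8192),         # ciphertext under the original name
    }
    for name, body in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(body)
    return samples


def demo() -> dict:
    """Run the scan over the constructed tree; returns {filename: reason}."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        canary = os.path.join(root, "notes.txt")
        with open(canary, "rb") as fh:
            baseline = hashlib.sha256(fh.read()).hexdigest()
        findings = {os.path.basename(p): r for p, r in scan_directory(root).items()}
        findings["_canary_intact"] = canary_intact(canary, baseline)
        return findings


if __name__ == "__main__":
    for name, reason in demo().items():
        print(f"{name}: {reason}")
```

The entropy check catches ciphertext written back under the original file name, which an extension blocklist alone misses; the canary check is the cheapest signal of all and is what a backup job should verify before it overwrites the last good copy.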
Healthcare Now THE Most Targeted by Ransomware
• Earlier this year: Hollywood Presbyterian Medical Center
– No data backup
– Staff used paper and pencil for 10 days
– Finally resorted to paying the ransom for access: $17,000
– The FBI advises against paying
• Chino Valley and Desert Valley in California were both hit this year as well
• Methodist Hospital in Kentucky also fell to ransomware ('Locky')
6C-7
Just What Are Botnets, and Their Threat in Spreading Malware and Creating Data Breaches?
• Botnets are a collection of computerized devices under the control of a hacker
• These devices are infected with malware and are thus remotely controlled
• They can spread spam, malware and viruses, and launch DoS attacks
• They are also called a zombie army: today's largest threat in the digital universe
6C-8
4 Steps to Prevent Botnets From Attacking Your System
1. Use a different password for each and every account
2. Install effective anti-malware software and keep it up to date
3. Avoid downloading and running pirated software
4. Don't be afraid to seek professional help
There is proposed legislation called the Botnet Prevention Act; it has not been successful so far.
6C-9
Data Breach Dangers
• Data often includes names, dates of birth, Social Security numbers, credit card accounts and numbers, and healthcare information
• A health-plan breach is harder to detect than a credit card breach
• Medical files contain more information and have a longer 'shelf life', so they are more valuable
– The 'Dark Web' pays 10-20 times more for medical information than for credit cards
• Wikipedia: The dark web is the World Wide Web content that exists on darknets, overlay networks which use the public Internet but which require specific software, configurations or authorization to access. The dark web forms a small part of the deep web, the part of the Web not indexed by search engines.
• Consider who is maintaining the data, and how it is protected
6C-10
Data Protection is a Fiduciary Duty
• Employers must understand that protecting health plan information is their duty
• Create a plan for protecting information on and off site, and identify the third-party vendors involved
• Create a record of the protection plan
• Involve the IT department at every level
6C-11
HHS has Initiated Phase Two of Audits
• New HIPAA compliance audits are happening
• The first phase focuses on covered entities
• The next focus will be on Business Associates
• Must maintain written privacy and security policies
• Case report: University of Mississippi Medical Center, $2.75 million settlement
6C-12
Case of HIPAA Violations: UMMC
• Began with unsecured electronic protected health information ('ePHI')
• Affected 10,000 individuals
• The OCR (Office for Civil Rights) investigation found that UMMC had been aware of risks and vulnerabilities to its own systems since 2005
• No risk management until the breach occurred
– Organizational deficiencies; oversight was lacking
• UMMC settled the alleged HIPAA violations for $2,750,000
• Must adopt a corrective action plan for compliance
– Including unique user names
– Notification of each individual whose information was accessed, acquired, used or disclosed
6C-13
5 Most Common HIPAA Violations
1. Lack of Business Associate agreements
2. ePHI on mobile devices and apps: compliance
3. Healthcare data security: transmission security
4. Workforce security
5. Data management/recovery plan
– Disposing of information
– Data backup security
6C-14
IDRC 2016 Data Breach Report
• As of 7/19/16, total breaches: 538
• Total records: 12,993,474
• In 2015, 277 breaches exposed 112 MILLION records
• Breaches are still taking 400+ days to be reported
• Medical identity theft occurs in nearly 25% of cases
6C-15
What is Medical Identity Theft?
Medical identity theft occurs when someone uses your personal information to:
• Fraudulently procure medical services
• Improperly acquire prescription drugs
• Submit fake billings to Medicare or private insurers
• Obtain expensive medical equipment
6C-16
Impact of Medical Identity Theft
• Death
• Medical records in shambles
• Physical harm
• Credit issues
• Employment issues
• On the hook for thousands of dollars
• Long-term recovery and dispute resolution
6C-17
Cyber Liability Insurance
• Insurance is a cost-effective solution.
• Work with a broker who understands it.
• Premiums for coverage are now very affordable for most plans.
• Learn about cyber policy exclusions and endorsements.
• Understand where mobile devices fit into the plan.
• A benefit plan's other insurance policies do not provide the needed protection, since those policies were not designed for these exposures.
6C-18
Cyber Liability Policies per NAIC (National Association of Insurance Commissioners)
• Liability for security or privacy breaches. This would include loss of confidential information by allowing, or failing to prevent, unauthorized access to computer systems.
• The costs associated with a privacy breach, such as consumer notification, customer support and costs of providing credit monitoring services to affected consumers.
• The costs associated with restoring, updating or replacing business assets stored electronically.
• Business interruption and extra expense related to a security or privacy breach.
• Liability associated with libel, slander, copyright infringement, product disparagement or reputational damage to others when the allegations involve a business website, social media or print media.
• Expenses related to cyber extortion or cyber terrorism.
• Coverage for expenses related to regulatory compliance for billing errors, physician self-referral proceedings and Emergency Medical Treatment and Active Labor Act proceedings.
6C-19
The Purpose of Cyber Liability Insurance
• Used to protect plan assets
• Helps meet legal obligations
• Provides various professionals to assist in handling a data breach event
• Offers participants certain protections
6C-20
Comprehensive Coverage!
• Provides partial to full transfer of the risk that risk assessments and IRPs (internal response programs) do not eliminate
• Provides experienced professionals
• Provides data-packed web sites to help create a robust internal control environment
• Provides first-party cost coverage not available in other policies
• Protects against third-party liability
6C-21
Current State of the Market
• Evolving coverage; broader and cheaper
• Many carriers; many approaches
• Different risk appetites; size/complexity
• Modular; buy only the coverage you need
6C-22
Cyber Liability Carriers
• Travelers
• AIG
• Chubb
• Hiscox Business Insurance
• Lockton Companies
• Check your own D&O carrier
6C-23
Steps to Take When a Breach Occurs
• Respond to allegations
• Provide copies of documents related to the internal investigation and risk assessment
• Provide policies and procedures regarding PHI uses, safeguards and disclosure
• Provide Business Associate agreements
• Provide documentation of network scans or testing
• Provide the access management policy
• Provide security awareness and training materials
• Give evidence of anti-virus software, access controls and password management
6C-24
How to Remove Malware
1. Boot into Safe Mode
2. Delete all temp files
3. Download malware scanners
– Kaspersky
– Malwarebytes
– SUPERAntiSpyware
– Bitdefender
4. Run the malware scan
5. Go back to normal operating mode
For a confirmed compromise, and ransomware in particular, disconnect the machine from the network first and prefer reimaging from a known-good image and restoring data from backup over cleaning in place.
6C-25
Educational Resources
• Heimdal Security ~ https://heimdalsecurity.com
• Bloomberg BNA ~ www.bna.com
• DataBreach Today ~ http://www.databreachtoday.com
• CISCO ~ www.cisco.com/c/en/us/index.html
• United States Computer Emergency Readiness Team (US-CERT) ~ https://www.us-cert.gov/ncas/alerts
• Department of Homeland Security, Cyber ~ https://www.dhs.gov/office-cybersecurity-and-communications
• American Hospital Association Solutions ~ AHA.org
• The Identity Advocate/Vincent & Associates ~ www.theidentityadvocate.com
6C-26
Key Takeaways
• Act now
• Test systems now
• Always back up your data
• Review all Business Associate agreements
• Know that the greatest liability is still your employees, even more than outside hackers
• Implement cyber liability insurance
6C-27
Questions?
Thank you!
6C-28