CyberSecurity – Protect Your Practice
Lee Painter, Principal, HC CyberSecurity and Regulatory Compliance
©2020 CliftonLarsonAllen LLP
WEALTH ADVISORY | OUTSOURCING | AUDIT, TAX, AND CONSULTING
Investment advisory services are offered through CliftonLarsonAllen Wealth Advisors, LLC, an SEC-registered investment advisor

Slide transcript (46 pages), posted 22-Jun-2020

TRANSCRIPT

Page 1

CyberSecurity – Protect Your Practice
Lee Painter, Principal, HC CyberSecurity and Regulatory Compliance

Page 2

About CLA

• A professional services firm with three distinct business lines
  – Wealth Advisory
  – Outsourcing
  – Audit, Tax, and Consulting
• More than 6,100 employees
• 120 offices coast to coast

Investment advisory services are offered through CliftonLarsonAllen Wealth Advisors, LLC.

Page 3

Speaker Introduction (Huge Nerd)

Lee Painter, CISSP, CRISC, HCISPP, CCSFP
Principal, HealthCare CyberSecurity and Regulatory Compliance

• 15 years of operational experience (DoD)
  – Threat Analysis and Network Defense
  – Incident Detection and Response
  – Insider Threat Analyst/Lead
  – System/Network Administrator
• 5 years of consulting experience
  – HIPAA Security Risk Analysis
  – HIPAA Privacy and Security Gap Assessments
  – Penetration Testing
  – Vulnerability Assessments
  – GDPR Data Protection Impact Assessments
  – Payment Card Industry Compliance Assessments

Page 4

Financial Impact of Healthcare Breaches

Page 5

Raise Your Hand If…

Page 6

When a TV is NOT a TV…

https://www.theverge.com/2019/6/17/18681683/samsung-smart-tv-virus-scan-malware-attack-tweet

Page 7

The bad guys

Page 8

“Know Thy Enemy”

• Hackers have “monetized” their activity
  – More sophisticated hacking
  – More “hands-on” effort
  – Smaller organizations targeted
  – Cybercrime as an industry
• Everyone is a target…
• Phishing is a root cause behind the majority of cyber fraud and hacking attacks

Page 9

Cybercrime as an “Industry”

• Black market economy to support cyber fraud
• Hacking is run like a business where people (criminals) specialize in different areas
  – Writing malware
  – Renting botnets
  – Stealing data
  – Selling data (collecting data from various sources/BIG DATA)
  – Etc.

Page 10

Largest Cyber Fraud Trends - Motivations

• Black market economy to support cyber fraud
  – Business models and specialization
• Most common cyber fraud scenarios we see affecting our clients
  – Theft of PII and PFI
    o W2/payroll/benefit info
  – Theft of credit card information
  – Theft of credentials and account takeovers
  – Ransomware and interference with operations

Page 11

Marketplace for Stolen Information

Attackers buy and sell data on the cyber black market
– “The Dark Web” - similar to amazon.com

Page 12

Cautionary Tales

Page 13

Ransomware
Malware encrypts everything it can interact with

http://www.engadget.com/2016/02/19/hospital-ransomware-a-chilling-wake-up-call/

Common Ransomware Targets
• Local disk(s)
• Connected devices (USB)
• Mapped network drives
• Other accessible folders
• Vulnerable hosts within the network

Page 14

Everyone is a target

Page 15

Should Never Happen

• 37,000 flash drives sent to members

How to prevent
• Never trust a flash drive
• Always perform a secure download
• Constantly update antivirus software
• Advanced (and maintained) firewalls

Page 16

Should Never Happen

• $10,000 fine
• Patient information was disclosed in response to a Yelp review (presumably negative)
  – Last name, health condition, treatment plan, insurance, cost information
• No policies and procedures around PHI – social media policy?

How to prevent
• Policies and procedures!
• Training and awareness
• HIPAA Risk Analysis

Page 17

Ransomware and Cybercrime

The Attacks!

Page 18

Ransomware
An attack on the availability of network data

• Easier to carry out than exfiltration of the data
• Uses strong encryption to render the victim's files unreadable
• Payment is usually demanded in Bitcoin
• Cyber criminals attempt to delete host and network backups
• Compromised user credentials are used for network access
• Many variants and constant evolution
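The behaviours on this slide can be turned into detection logic. The following is an added example (not from the presentation or CLA) that runs three rules over constructed file-activity events: a burst of extension-changing renames by one account within a short window (mass encryption of local and network files), creation of a ransom-note style file, and a command line that deletes Windows shadow copies (the attempt to delete host backups). The account names, share paths, the `.locked` extension, the keyword list and the thresholds are assumptions for the sample and would be tuned to a real environment.

```python
"""Toy ransomware behaviour detector over constructed file-activity events.

Example code added to the transcript; not from the presentation or CLA.
"""
import os
from collections import defaultdict, deque

WINDOW_SECONDS = 60     # sliding window (assumed tuning value)
RENAME_THRESHOLD = 10   # extension-changing renames per account in one window (assumed)

# Command-line token sets that delete Windows backups / shadow copies.
BACKUP_DELETION_MARKERS = (
    ("vssadmin", "delete shadows"),
    ("wbadmin", "delete catalog"),
)
# Words commonly seen in ransom-note file names (assumed list; families vary).
RANSOM_NOTE_KEYWORDS = ("decrypt", "restore", "ransom", "recover")


def _ext(path):
    return os.path.splitext(path.replace("\\", "/"))[1].lower()


def extension_changed(old_path, new_path):
    """True when a rename alters the file extension (e.g. .xlsx -> .xlsx.locked)."""
    return _ext(old_path) != _ext(new_path)


def detect(events, window=WINDOW_SECONDS, threshold=RENAME_THRESHOLD):
    """Return (alert_type, account, unix_time) tuples for suspicious activity.

    events: iterable of (unix_time, account, event_type, detail) sorted by time.
      rename  -> detail is "old_path -> new_path"
      create  -> detail is the new file path
      process -> detail is the command line
    """
    alerts = []
    recent = defaultdict(deque)   # account -> timestamps of extension-changing renames
    fired = set()                 # (alert_type, account) already raised once
    for ts, account, etype, detail in events:
        if etype == "rename" and " -> " in detail:
            old_path, new_path = detail.split(" -> ", 1)
            if not extension_changed(old_path, new_path):
                continue
            q = recent[account]
            q.append(ts)
            while q and ts - q[0] > window:   # drop renames that fell out of the window
                q.popleft()
            if len(q) >= threshold and ("mass_rename", account) not in fired:
                fired.add(("mass_rename", account))
                alerts.append(("mass_rename", account, ts))
        elif etype == "create":
            name = os.path.basename(detail.replace("\\", "/")).lower()
            if any(word in name for word in RANSOM_NOTE_KEYWORDS):
                alerts.append(("ransom_note", account, ts))
        elif etype == "process":
            cmd = " ".join(detail.lower().split())
            if any(all(tok in cmd for tok in marker) for marker in BACKUP_DELETION_MARKERS):
                alerts.append(("backup_deletion", account, ts))
    return alerts


def build_sample_events():
    """Constructed events: routine activity by 'asmith', then a burst by 'jdoe'."""
    events = [
        (1000, "asmith", "rename", r"\\fs01\shared\draft.docx -> \\fs01\shared\final.docx"),
        (1005, "asmith", "create", r"\\fs01\shared\notes.txt"),
    ]
    for i in range(12):   # 12 rewrites in 22 seconds: network share being encrypted
        events.append((1100 + 2 * i, "jdoe", "rename",
                       rf"\\fs01\shared\file{i}.xlsx -> \\fs01\shared\file{i}.xlsx.locked"))
    events.append((1130, "jdoe", "create", r"\\fs01\shared\HOW_TO_DECRYPT_FILES.txt"))
    events.append((1131, "jdoe", "process", "vssadmin.exe Delete Shadows /All /Quiet"))
    return events


if __name__ == "__main__":
    for alert in detect(build_sample_events()):
        print(alert)
```

The mass-rename rule fires once per account when the tenth extension-changing rename lands inside the window, so the routine `draft.docx -> final.docx` rename from the other account never counts; the backup-deletion rule matches on tokens rather than an exact string so `vssadmin.exe` and `vssadmin` are treated alike.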

Page 19

Ransomware Evolution

2004  Misleading applications
2008  Fake anti-virus
2013  Locks you out of your device (browser, etc.)
2015-2019  Locks you out of your data

• This evolution of ransomware has been greatly influenced by a range of developments in technology, economics, and security.
  o Cryptocurrency and anonymization networks have made it difficult to hunt down cyber criminals

Page 20

Ransomware Types

• CryptoWall, CryptoLocker, etc.
• Encrypt all data and hold it “ransom” for $$
  – Data on the local machine and on the network
• Attackers have put much more time and effort into these types of attacks over the last year(s)
• Starting to target other operating systems, like Macs, Android, IoT

Page 21

Ransomware as a Service (RaaS)

Attackers buy and sell attack services on cyber black markets
– “The Dark Web” - similar to amazon.com

Page 22

Ransomware (One year ago)

Page 23

Ransomware (Six months ago)

Page 24

Ransomware

Page 25

Ransomware (More Recently…)

Page 26

Image source from NPR

Page 27

Defensive Strategies

• Defense in depth
• Staff awareness (users that are aware and savvy)
• Current operating systems and up-to-date/patched software
• Minimized user access rights
• Email spam filters
  – Set up
  – Tested
  – Examine spam
• Removal of ads from the network
  – Web proxy

Page 28

Phishing

The Attacks!

Page 29

What is Phishing?

• Simply put:
  – Convince someone to perform an action that will benefit the attacker
• What is that action?
  – Visit a malicious website
  – Download and open a malicious file
  – Provide confidential information (password, account number, etc.)
  – Wire money out of the organization

Page 30

Types of Attacks

• Traditional attack (spamming) – the attacker targets a large number of users
• Spear phishing – a custom message is built for a specific target
• Whaling – “C-level” executives or management are specifically targeted

Page 31

Phishing Email

Just as anyone can write a false return address on a paper letter, the sender address shown in an email can be forged.

Page 32

Poor Email Filtering

Connected to mail.cogentco.com (38.9.X.X).

SMTP Envelope
MAIL FROM: <[email protected]>
250 OK
RCPT TO: <[email protected]>
250 Accepted

SMTP Message
DATA
354 Enter message, ending with "." on a line by itself
FROM: <[email protected]>
TO: <[email protected]>
Subject: Free Tesla Car

The server checked only the envelope (MAIL FROM / RCPT TO). The FROM line inside the message is the address the recipient's mail client displays, and the sender can set it to anything.

Page 33

Phishing Email

Page 34

Phishing Email

Page 35

Ransomware

Page 36

Phishing Website

Page 37

Protect Against Email Phishing

• Harden the email gateway (spam filter)
  – Block potentially malicious file attachments (e.g. ZIP, RAR, HTA, JAR)
  – Flag Office documents that contain macros as suspicious
  – Prevent your organization’s domain from being spoofed
    ◊ Sender Policy Framework (SPF)
    ◊ Custom rule to compare the message’s FROM header with the SMTP envelope sender
  – Flag emails that originate from the Internet
    ◊ E.g. modify the subject line to say ‘External’
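The gateway rules above, together with the envelope/header mismatch shown on the "Poor Email Filtering" slide, as an added example (not from the presentation, CLA or any mail product). It uses only the Python standard library: the connecting IP and MAIL FROM are modelled as an envelope dictionary, the message is parsed from the DATA phase, and the rules compare the header From with the envelope sender, apply an SPF-style authorized-sender check for the organization's own domain, block the listed attachment types, flag Office documents whose container holds a vbaProject.bin, and prefix external subjects with "[External]". The domain example-practice.com, the authorized IP list, the addresses and both sample messages are constructed; real SPF is published in DNS and evaluated against the connecting host.

```python
"""Mail-gateway checks for the phishing controls listed above.

Example code added to the transcript; not from the presentation, CLA, or any product.
The envelope (MAIL FROM / RCPT TO / connecting IP) is what the gateway saw during the
SMTP session; the headers come from the DATA phase and are under the sender's control.
"""
import io
import os
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from email.utils import parseaddr

INTERNAL_DOMAIN = "example-practice.com"        # assumed tenant domain
# Simplified stand-in for SPF: hosts allowed to send as INTERNAL_DOMAIN (assumed list).
# Real SPF publishes this in a DNS TXT record that the gateway looks up.
AUTHORIZED_SENDING_IPS = {"203.0.113.10"}
BLOCKED_EXTENSIONS = {".zip", ".rar", ".hta", ".jar"}
OFFICE_EXTENSIONS = {".doc", ".docx", ".docm", ".xls", ".xlsx", ".xlsm", ".ppt", ".pptx", ".pptm"}


def domain_of(addr):
    """Domain part of an address header value such as 'CEO <ceo@example.com>'."""
    return parseaddr(addr)[1].rpartition("@")[2].lower()


def has_vba_macro(data):
    """OOXML documents are zip containers; a VBA project is stored as vbaProject.bin."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
    except zipfile.BadZipFile:
        return False


def evaluate(envelope, raw_message):
    """Apply the gateway rules. Returns (findings, subject_after_rewrite)."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_message)
    findings = []
    header_from = domain_of(str(msg.get("From", "")))
    envelope_from = domain_of(envelope["mail_from"])
    external = envelope["client_ip"] not in AUTHORIZED_SENDING_IPS

    # Header From and envelope MAIL FROM disagree: the spoof from the "Poor Email Filtering" slide
    if header_from and header_from != envelope_from:
        findings.append(f"header From domain {header_from} != envelope domain {envelope_from}")
    # Our own domain claimed by a host not authorized to send for it (SPF-style check)
    if header_from == INTERNAL_DOMAIN and external:
        findings.append(f"spoofed internal domain from {envelope['client_ip']}")
    # Dangerous attachment types, and Office documents carrying macros
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        ext = os.path.splitext(name)[1]
        if ext in BLOCKED_EXTENSIONS:
            findings.append(f"blocked attachment type: {name}")
        elif ext in OFFICE_EXTENSIONS and has_vba_macro(part.get_payload(decode=True)):
            findings.append(f"macro-enabled Office document: {name}")
    # Mark mail that originated outside the organization
    subject = str(msg.get("Subject", ""))
    if external and not subject.startswith("[External]"):
        subject = "[External] " + subject
    return findings, subject


def build_phish_sample():
    """Constructed message modelled on the slide: envelope from an outside host,
    header From claiming our domain, a macro document and a zip attached."""
    doc = io.BytesIO()
    with zipfile.ZipFile(doc, "w") as zf:            # minimal .docm-like container
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/vbaProject.bin", b"constructed macro blob")
    msg = EmailMessage()
    msg["From"] = f"CEO <ceo@{INTERNAL_DOMAIN}>"
    msg["To"] = f"accounts@{INTERNAL_DOMAIN}"
    msg["Subject"] = "Free Tesla Car"
    msg.set_content("Please open the attached invoice today.")
    msg.add_attachment(doc.getvalue(), maintype="application", subtype="octet-stream",
                       filename="invoice.docm")
    msg.add_attachment(b"PK\x03\x04 not a real archive", maintype="application",
                       subtype="zip", filename="payload.zip")
    envelope = {"mail_from": "bounce@attacker.example",
                "rcpt_to": f"accounts@{INTERNAL_DOMAIN}", "client_ip": "198.51.100.7"}
    return envelope, msg.as_bytes()


def build_internal_sample():
    """Constructed legitimate internal message sent from an authorized host."""
    msg = EmailMessage()
    msg["From"] = f"hr@{INTERNAL_DOMAIN}"
    msg["To"] = f"staff@{INTERNAL_DOMAIN}"
    msg["Subject"] = "Payroll calendar"
    msg.set_content("The updated calendar is on the intranet.")
    envelope = {"mail_from": f"hr@{INTERNAL_DOMAIN}",
                "rcpt_to": f"staff@{INTERNAL_DOMAIN}", "client_ip": "203.0.113.10"}
    return envelope, msg.as_bytes()


if __name__ == "__main__":
    for build in (build_phish_sample, build_internal_sample):
        findings, subject = evaluate(*build())
        print(subject, findings)
```

Run it to see the phishing sample produce four findings and a rewritten subject while the internal sample passes clean. The macro check looks inside the container rather than trusting the extension, so a macro document renamed to `.docx` is still caught.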

Page 38

Protect Against Email Phishing

• Continue to train employees
  – Train employees how to spot odd wire requests
  – Politely challenge the request and ask if it has been verified through proper channels
  – Provide sample policies/guidelines for organizations that don’t have them
  – Explain simple controls to implement (limits, two-step/two-factor, etc.)
  – Make sure a request is never authorized via email

Page 39

Ransomware Recovery Strategies

None of that worked – Now What?

Page 40

Data Backup

• Ensure ALL critical systems and data are being backed up
• Practice a full system and data restore to verify your restore capabilities
  – Understand how long it will take to recover various backup types
• Segment critical backups to prevent deletion
  – Attackers will attempt to delete or encrypt all accessible backups
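A restore drill for the practices above (practise the restore, know how long it takes, and expect attackers to reach any accessible backup), as an added example that is not part of the presentation or CLA's tooling. It backs up a constructed directory tree to a tar.gz with a SHA-256 manifest, restores it elsewhere and compares every file against the manifest, detects a file altered after the restore, and shows what the drill reports when the archive itself has been overwritten in place. Paths, file contents and the manifest location are assumptions for the sample.

```python
"""Backup-and-restore drill for the practices listed above.

Example code added to the transcript; not from the presentation or CLA.
"""
import hashlib
import json
import os
import tarfile
import tempfile


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(src_dir, archive_path):
    """Archive src_dir as .tar.gz and write a {relative_path: sha256} manifest beside it."""
    manifest = {}
    with tarfile.open(archive_path, "w:gz") as tar:
        for root, _dirs, files in os.walk(src_dir):
            for name in files:
                full = os.path.join(root, name)
                rel = os.path.relpath(full, src_dir)
                manifest[rel] = sha256_file(full)
                tar.add(full, arcname=rel)
    with open(archive_path + ".manifest.json", "w") as f:
        json.dump(manifest, f, indent=2, sort_keys=True)
    return manifest


def check_against_manifest(manifest, restore_dir):
    """List files that are missing from, or differ in, the restored tree."""
    problems = []
    for rel, digest in sorted(manifest.items()):
        path = os.path.join(restore_dir, rel)
        if not os.path.isfile(path):
            problems.append(f"missing: {rel}")
        elif sha256_file(path) != digest:
            problems.append(f"altered: {rel}")
    return problems


def verify_restore(archive_path, restore_dir):
    """Restore the archive into restore_dir and compare it with the manifest.

    Returns (ok, problems). An unreadable archive (overwritten, encrypted, truncated)
    is reported as a problem rather than raising, so a scheduled drill can log it.
    """
    with open(archive_path + ".manifest.json") as f:
        manifest = json.load(f)
    try:
        with tarfile.open(archive_path, "r:gz") as tar:
            try:
                tar.extractall(restore_dir, filter="data")   # rejects path traversal (3.12+ / backports)
            except TypeError:                                # older Python: no filter argument
                tar.extractall(restore_dir)
    except (tarfile.TarError, OSError, EOFError) as exc:
        return False, [f"archive unreadable: {exc}"]
    problems = check_against_manifest(manifest, restore_dir)
    return not problems, problems


def run_drill():
    """Constructed scenario; returns the outcome of each step for inspection."""
    with tempfile.TemporaryDirectory() as work:
        src = os.path.join(work, "ehr")
        os.makedirs(os.path.join(src, "patients"))
        with open(os.path.join(src, "patients", "records.db"), "wb") as f:
            f.write(bytes(range(256)) * 16)          # constructed binary content
        with open(os.path.join(src, "config.ini"), "w") as f:
            f.write("[db]\nhost=localhost\n")
        archive = os.path.join(work, "ehr-backup.tar.gz")
        manifest = make_backup(src, archive)

        ok, problems = verify_restore(archive, os.path.join(work, "restore-good"))
        # A restored file changed after the drill: the manifest catches it
        with open(os.path.join(work, "restore-good", "config.ini"), "a") as f:
            f.write("tampered=1\n")
        tampered = check_against_manifest(manifest, os.path.join(work, "restore-good"))
        # The archive overwritten in place, as ransomware does to any backup it can reach
        with open(archive, "wb") as f:
            f.write(b"ENCRYPTED" * 256)
        ok_after, problems_after = verify_restore(archive, os.path.join(work, "restore-bad"))
        return {"ok": ok, "problems": problems, "tampered": tampered,
                "ok_after": ok_after, "problems_after": problems_after}


if __name__ == "__main__":
    for key, value in run_drill().items():
        print(key, value)
```

The manifest sits beside the archive here only for brevity; in practice keep it, and the archive, on the segmented side so that an account compromised on the production network cannot rewrite both. Timing the `verify_restore` call on a real backup set gives the recovery-time figure the slide asks you to understand.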

Page 41

Incident Response

• Playbooks for common incident types
• Ensure employees understand their responsibilities and the procedures to follow in the event of an incident
• TEST!

Page 42

Cyber Insurance

• Average cyber insurance payout:
  – Median $150,000
  – Mean $700,000

Page 43

An Ounce of Prevention

Page 44

Prevent the Breach and/or Limit the Impact

• Evaluate your risks (and be compliant) – perform a HIPAA Risk Analysis
• Establish policies and procedures
• Train staff to policies and procedures
• Test your security – penetration testing, vulnerability assessment(s)
• Plan for an incident/disaster
• Practice your plan
• Assess, Adjust, Operate (Repeat)

“You can outsource IT and the responsibility, but you can never outsource the accountability for protecting Patient Health Information…. Choose your vendors carefully.” Lee Painter, Today – and a bunch of times since 2014

Page 45

Thank you!