cyber hacking in healthcare & the best practices for securing ephi in 2015

Post on 18-Jul-2015


Category: Healthcare


World Leader in Digital Faxing 1

IN PARTNERSHIP WITH:


Meet the Speakers

Michael Flavin, Sr. Product Marketing Manager, j2 Cloud Services

Michael Pearson, CISSP, Chief Information Security Consultant, Health Security Solutions

Cyber Hacking in Healthcare: Snapshot

HHS Office for Civil Rights: 1,199 incidents, 41.5 million individuals

FBI warnings to industry: “The FBI has observed malicious actors targeting healthcare related systems…for the purpose of obtaining Protected Healthcare Information (PHI)”

Top 5 Health Data Breaches in 2014: 7.4 million individuals affected

Data Breaches, Year to date: 90+ million individuals affected

Huge change in scope: 1,800% increase from 2008-2013

Sources of a Breach

Organized criminal

Well-meaning insider

Malicious insider

Stages of a Breach

1. Incursion: attacker breaks in via targeted malware, improper credentials or SQL injection

2. Discovery: map the organization’s systems; automatically find confidential data

3. Capture: access data on unprotected systems; install rootkits to capture network data

4. Exfiltration: confidential data sent to the hacker team in the clear, wrapped in encrypted packets, or in zipped files with passwords

Six Best Practices for Securing ePHI Using the SANS Security Model and HIPAA Compliance

• SANS Security Model provides a good framework for protecting, storing and transmitting ePHI – focus on security!

• HIPAA compliance does NOT equal a plan to secure PHI

• IT executives must balance security, data protection and training with the conduct of regular business

SANS Security Model

Defensive Wall 1: Proactive Software Assurance

Application Security Skills Assessment & Certification

Defensive Wall 2: Blocking Attacks: Network Based

IDS/IPS, FW, MSS

Defensive Wall 3: Blocking Attacks: Host Based

Endpoint Security, NAC

Defensive Wall 4: Eliminating Security Vulnerabilities

Vulnerability Management, Patch Management, Penetration Testing

Defensive Wall 5: Safely Supporting Authorized Users

Encryption, VPN, DLP

Defensive Wall 6: Tools to Manage Security and Maximize Effectiveness

Log Management, SIEM, Training, Forensics

Firewalls Are Not Enough

Detection coverage grows as more log sources feed the monitoring stack (the percentages are the deck’s own estimates):

Average: NIDS Monitoring only (botnet C&C detection, watchlist detection): ~32%

Good: NIDS Monitoring + Core Firewall Monitoring (firewall logs associated with IDS alerts): ~50%

Better: NIDS Monitoring + Firewall Advanced Analysis (scan detection, botnet C&C detection, backdoor detection, anomaly detection, watchlist detection): ~80%

Best: NIDS Monitoring + Firewall Advanced Analysis + HIDS + LMS + MEP (HIDS alerts, OS / application / database logs, endpoint protection alerts): approaching 100%
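To make the “firewall advanced analysis” and “firewall logs associated with IDS alerts” layers concrete, here is an added example (not code from the webinar or from j2/Health Security Solutions) that runs three of the named detections over constructed log lines: a port-scan detector, a watchlist check, and a join between NIDS alerts and firewall entries for the same flow. The key=value log format, the 10-port/60-second scan threshold, the 30-second correlation window, the watchlist entry and the signature name are all assumptions made for illustration; the addresses come from the RFC 5737 documentation ranges.

```python
"""Added example: toy firewall/NIDS detection pass (assumptions noted inline)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logs, not captured traffic. Format is an assumed
# "TIMESTAMP key=value ..." style; 12 probes from 203.0.113.7 against
# ports 21..32 on one host, a workstation beaconing twice to a watchlisted
# address on 6667/tcp, and one benign HTTPS flow.
FIREWALL_LOG = "\n".join(
    f"2015-07-18T10:00:{i:02d} action=DROP src=203.0.113.7 dst=10.0.0.5 dpt={20 + i} proto=TCP"
    for i in range(1, 13)
) + """
2015-07-18T10:05:10 action=ACCEPT src=10.0.0.23 dst=198.51.100.9 dpt=6667 proto=TCP
2015-07-18T10:05:40 action=ACCEPT src=10.0.0.23 dst=198.51.100.9 dpt=6667 proto=TCP
2015-07-18T10:06:00 action=ACCEPT src=10.0.0.42 dst=192.0.2.80 dpt=443 proto=TCP
"""

# One constructed NIDS alert; the signature text is invented for the example.
IDS_ALERTS = """\
2015-07-18T10:05:12 sig="constructed: IRC-style C2 beacon" src=10.0.0.23 dst=198.51.100.9
"""

WATCHLIST = {"198.51.100.9"}  # assumed threat-intel entry (constructed)

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Turn 'TIMESTAMP key=value ...' into a dict; 'ts' becomes a datetime."""
    ts_text, _, rest = line.strip().partition(" ")
    event = {k: v.strip('"') for k, v in KV_RE.findall(rest)}
    event["ts"] = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%S")
    return event


def parse_log(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def detect_scans(events, min_ports=10, window=timedelta(seconds=60)):
    """Scan detection: one source hitting >= min_ports distinct destination
    ports on one host inside `window`. Returns {(src, dst): sorted ports}.
    Drops count as much as accepts: the probe is visible either way."""
    by_pair = defaultdict(list)
    for e in events:
        if "dpt" in e:
            by_pair[(e["src"], e["dst"])].append(e)
    hits = {}
    for pair, evs in by_pair.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):
            ports = {e["dpt"] for e in evs[i:] if e["ts"] - first["ts"] <= window}
            if len(ports) >= min_ports:
                hits[pair] = sorted(ports, key=int)
                break
    return hits


def detect_watchlist(events, watchlist):
    """Watchlist detection: any flow touching a known-bad address, whether
    or not the firewall allowed it."""
    return [e for e in events if e["src"] in watchlist or e["dst"] in watchlist]


def correlate(fw_events, ids_alerts, window=timedelta(seconds=30)):
    """Firewall logs associated with IDS alerts: for each alert, gather firewall
    entries with the same src/dst within +/- window, so the analyst can see
    whether the flow the sensor flagged was actually permitted."""
    out = []
    for a in ids_alerts:
        related = [e for e in fw_events
                   if e["src"] == a["src"] and e["dst"] == a["dst"]
                   and abs(e["ts"] - a["ts"]) <= window]
        out.append((a, related))
    return out


def analyze(fw_text=FIREWALL_LOG, ids_text=IDS_ALERTS, watchlist=WATCHLIST):
    fw = parse_log(fw_text)
    return {
        "scans": detect_scans(fw),
        "watchlist_hits": detect_watchlist(fw, watchlist),
        "ids_correlation": correlate(fw, parse_log(ids_text)),
    }


if __name__ == "__main__":
    r = analyze()
    for (src, dst), ports in r["scans"].items():
        print(f"scan: {src} -> {dst} probed {len(ports)} ports ({ports[0]}..{ports[-1]})")
    for e in r["watchlist_hits"]:
        print(f"watchlist: {e['ts']} {e['action']} {e['src']} -> {e['dst']}:{e['dpt']}")
    for alert, related in r["ids_correlation"]:
        accepted = sum(e["action"] == "ACCEPT" for e in related)
        print(f"ids: {alert['sig']} {alert['src']} -> {alert['dst']}: "
              f"{len(related)} firewall entries, {accepted} accepted")
```

The point of the third function is the one the slide makes: a NIDS alert on its own says the sensor saw a pattern; joined with the firewall log it says whether the beacon actually left the network, which changes the incident from “investigate” to “contain”.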


What are the Threats? Technology Impacting.

Security Architecture – Firewalls, Anti-Virus

Unpatched Client Side Software and Applications

Advanced Malware and Ransomware

Accessing Malicious Websites

Poor Configuration Management

Cloud Computing/Storage

Unencrypted ePHI and Removable Media

Mobile Devices, aka BYOD

Botnets

Phishing

What are the Threats? Business Impacting.

Marketplace Reputation and Customer Loyalty

Liability

o Legal costs
o Credit assistance for customers
o Training, call center triage
o Fraudulent charges
o Stock price, earnings, etc.
o IT Resources

Most Common Pitfalls

Risk Assessment

Lack of Accurate Data Inventory/Controls
o Audit logs (critical for compliance and root cause)

Humans
o “Accidents happen”
o Social Engineering
o Security Awareness Training

Missing Policies and Procedures

Incident Response Team and Plan & Audit Trail

Password Security (may overlap with 3rd Party vendors)

o 40% have a password from the top 100

o 79% have a password from the top 500

o 91% have a password from the top 1000

Why do Compliance Mandates get More Complicated?

Compliance ≠ Security

Compliance is the output of post-mortem

– Some organization did not secure their data, and now everyone else must deploy solutions, software, policies, and guidelines

Compliance will always be a step behind the latest threat

Faxing in Healthcare Today - Trends

Faxing is still widely used, especially in highly regulated industries such as healthcare, finance, legal (1)

Trend is toward cloud faxing from on-premise faxing

Cloud faxing offers a secure, reliable way to send ePHI to covered entities or business associates, enhancing HIPAA compliance

[Architecture diagram] User interfaces (email, secure browser, mobile app & eFax Messenger) connect to the hosted fax service over TLS (encrypted in transit); fax storage is encrypted via eFax Secure (optional); the hosted fax service sends and receives faxes through the PSTN/telco service.

The world’s #1 online fax company – and the industry’s most experienced hosted fax service

The most widely deployed online fax service for the Fortune 500

Trusted by more major healthcare, legal, financial and other highly-regulated firms than any other online fax provider to transmit sensitive documents

Product Spotlight: eFax Secure™

Secure: TLS-encrypted transmission and encrypted storage of ePHI to enhance security and HIPAA compliance – encryption at rest and in motion

Reduce costs – eliminate the cost of physical fax servers and phone lines, and enhance compliance with routing to a specific user’s email

Improve your overall communications with our highly redundant network delivering 99.5% uptime SLAs and unparalleled transmission security

Tier III or IV colocation facilities for servers with high redundancy and failover capabilities

Helpful Links

SANS Security Model

HHS HIPAA Security 101 for Covered Entities

HHS HIPAA Security: Physical Safeguards

enterprise.eFax.com

Recorded slides of this presentation

Whitepaper: “Is Cloud-based Faxing Right for You?”


Q&A

Visit us at enterprise.eFax.com

Visit us at HIMSS Booth #7756

Email:

Michael Flavin: michael.flavin@j2.com

Mike Pearson: mike@healthsecuritysolutions.com


Thank You
