Anatomy of a Data Breach Juan Gonzalez, CIO Emergence Health Network


Post on 08-Jun-2020


DISCLAIMER: EDUCATIONAL ONLY

THIS TRAINING IS PROVIDED FOR GENERAL INFORMATION AND EDUCATIONAL PURPOSES ONLY. IT DOES NOT CONSTITUTE TECHNICAL ADVICE OR OPINIONS. THE INFORMATION IS NOT INTENDED TO CREATE, AND THE RECEIPT DOES NOT CONSTITUTE, A CONSULTATIVE RELATIONSHIP BETWEEN SPEAKER AND THE AUDIENCE. FOR TECHNICAL ASSISTANCE, SEEK ADVICE FROM AN IT CONSULTANT. FOR LEGAL ADVICE, YOU SHOULD CONSULT AN ATTORNEY.


Breached! What Happened? Forensic Impact Before/After

Breach Sustainability


• 8/14/2015 – HHSC detects unusual activity

• SSH login activity originating from Vietnam

• How? PTP-T1 used for CARE and BMOW

• Breached FTP server

• Took server offline; preserve the environment

• Internal investigation revealed

• Conclusive evidence of breach

• Connections established lasted only seconds

• Insufficient evidence to establish loss/transfer of PHI
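The indicators on this slide (SSH logins from an unexpected source, sessions lasting only seconds) can be pulled from sshd logs with a short review script. This is an added example, not part of the original presentation; the log lines, host and user names are constructed, and the allowlisted network and the 10-second threshold are assumptions.

```python
import ipaddress
import re
from datetime import datetime

# Constructed sample lines in OpenSSH syslog format (documentation IP ranges).
SAMPLE_LOG = """\
Aug 14 02:13:07 sftp01 sshd[4121]: Accepted password for svc_transfer from 203.0.113.45 port 51122 ssh2
Aug 14 02:13:10 sftp01 sshd[4121]: pam_unix(sshd:session): session closed for user svc_transfer
Aug 14 08:30:00 sftp01 sshd[4300]: Accepted publickey for partner from 198.51.100.20 port 40022 ssh2
Aug 14 08:42:15 sftp01 sshd[4300]: pam_unix(sshd:session): session closed for user partner
Aug 14 09:01:44 sftp01 sshd[4410]: Accepted password for olduser from 192.0.2.77 port 60100 ssh2
"""

# Assumption: the only networks expected to reach this server.
ALLOWED_NETS = [ipaddress.ip_network("198.51.100.0/24")]
SHORT_SESSION_SECS = 10  # assumed threshold for "lasted only seconds"

ACCEPT = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) \S+ sshd\[(\d+)\]: "
                    r"Accepted (\S+) for (\S+) from (\S+) port \d+")
CLOSE = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) \S+ sshd\[(\d+)\]: .*session closed")

def parse_ts(stamp, year=2015):
    # Syslog timestamps carry no year; the caller supplies it.
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")

def review_logins(log_text, allowed=ALLOWED_NETS):
    """Return one finding per accepted login, with the reasons it stands out."""
    open_sessions, findings = {}, []
    for line in log_text.splitlines():
        if m := ACCEPT.match(line):
            stamp, pid, method, user, src = m.groups()
            ip = ipaddress.ip_address(src)
            reasons = [] if any(ip in n for n in allowed) else ["source not allowlisted"]
            entry = {"user": user, "src": src, "method": method,
                     "start": parse_ts(stamp), "seconds": None, "reasons": reasons}
            open_sessions[pid] = entry
            findings.append(entry)
        elif (m := CLOSE.match(line)) and m.group(2) in open_sessions:
            entry = open_sessions.pop(m.group(2))
            entry["seconds"] = int((parse_ts(m.group(1)) - entry["start"]).total_seconds())
            if entry["seconds"] <= SHORT_SESSION_SECS:
                entry["reasons"].append("session lasted only seconds")
    return [f for f in findings if f["reasons"]]

if __name__ == "__main__":
    for f in review_logins(SAMPLE_LOG):
        print(f["user"], f["src"], f["seconds"], "; ".join(f["reasons"]))
```

A login with no matching close line is reported with `seconds` set to `None`, which is itself worth reviewing when logs have been rotated or truncated.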


• Forensic investigation – Incident Response Analysis

• Original date of compromise – September 11, 2012

• Originated from Madison, New Jersey

• Rootkit exploiting OS vulnerabilities; insufficient patch management

• Server used as Internet proxy for porn

• Multiple users

• Analysis Conclusion

• “Compromised data was not added, modified, deleted or exfiltrated from the SFTP server…” – Altep Incident Response Analysis, 10/1/2015


• Records

• 11,197 records compromised

• Financial

• Direct impact $50,000

• (2) Firewalls, Forensic Investigation, notifications, data validation

• Potential impact *$3,974,935 ($355/record) *Ponemon Institute 2015

• $380 in 2017

• Reputation

• Over 11,000 letters mailed to consumers

• Fielded hundreds of calls (set up special 800 number)

• Press Release


• Reputation

• Local and regional media outlets

• Notified

• HHSC/DSHS

• Office of Civil Rights

• Law Enforcement (FBI, Sheriff's Office)


• Before

• Old firewalls; outdated configuration

• No intrusion prevention/detection system

• I.T. skills gaps

• Old versions of FTP software

• Inactive user accounts

• No IP filtering

• Data retention rules

• Default Log monitoring settings

• Inadequate/No Information Security policies


• Before

• Inadequate information security training

• Inadequate HIPAA training

• Weak staff awareness

• No information security committee

• No internal/external penetration tests


• After

• (2) new, state-of-the-art firewalls

• Outsourced firewall management; IPS/IDS

• Cybersecurity training; additional staff

• Created staff security awareness training programs (cybersecurity & HIPAA)

• Built new FTP server; applied system hardening techniques, password complexity, IP filtering, etc.

• Extended log retention timeframes to 90 days

• Applied data retention rules


• After

• System Encryption program

• Laptop check in/out program

• Internet filtering

• Comprehensive Information Security Policies & Procedures

• Comprehensive Privacy Policies & Procedures

• Created a Health Information Security Committee

• Yearly internal/external network penetration test

• Yearly HIPAA Security Risk Analysis/Cybersecurity Analysis


• Office of Civil Rights continues investigation

• Constant monitoring

• Strengthening all security programs

• Replacing old technology – keep it retired!

• Create awareness; keep staff informed

• CEO commitment

• Facetime with Board of Directors
