Cyber Risk in Healthcare Industry - Are You Protected?


Upload: mark-merrill

Posted on 21-Mar-2017

Category: Healthcare

TRANSCRIPT

Page 1: Cyber Risk in Healthcare Industry- Are you Protected?

MAJOR CYBER ATTACKS IN HEALTHCARE INDUSTRY

Copyright 2017 by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited. Compliant Resilient Competitive

• AvMed, Inc.: 1,2 M victims (2009, U.S.)

• BlueCross BlueShield of Tennessee: 1 M victims (2009, U.S.)

• North Bronx Healthcare Network: 1,7 M victims (2010, U.S.)

• The Nemours Foundation: 1 M victims (2011, U.S.)

• TRICARE Management Activity: 4,9 M victims (2011, U.S.)

• Health Net, Inc.: 1,9 M victims (2011, U.S.)

• Advocate Medical Group: 4 M victims (2013, U.S.)

• Community Health Systems: 4,5 M victims (2014, U.S.)

• Anthem, Inc.: 80 M victims (2015, U.S.)

• Banner Health: 3,62 M victims (2016, U.S.)

• Newkirk Products Inc: 3,47 M victims (2016, U.S.)

• 21st Century Oncology Holdings: 2,21 M victims (2016, U.S.)

More than 150,000* victims of cyber breaches in the healthcare sector in January 2017, U.S. (*HHS)

25 breaches affecting 500+ individuals were recorded by HHS in January 2017 in the U.S.

Page 2: Cyber Risk in Healthcare Industry- Are you Protected?

Partnering With EC-Council

World’s Largest Cyber Security Consulting, Professional Training & Certification Body

Page 3: Cyber Risk in Healthcare Industry- Are you Protected?

CYBER RISK IN HEALTHCARE INDUSTRY

$6 billion is an estimated cost for cyberattacks against hospitals, clinics and doctors in the U.S. healthcare industry (Ponemon Institute).

$200-400 per one record (client profile) is an estimated cost to remediate a healthcare breach (Vasco).

83% of recorded breaches in 2016 were in the medical and healthcare industries (Identity Theft Resource Center).

45% of the U.S. population (143+ M people) have become victims of cyber breaches in the healthcare industry in 5 years (U.S. Department of Health and Human Services, 2015).

It has already been two years since hackers shifted their main focus from the BFSI sector to the healthcare industry, aggressively targeting hospitals all over the world, while the U.S. is experiencing the most severe threat.

"The FBI warned the healthcare industry that cyber-criminals would be directing more attention their way." (News.security-intelligence, 2015)

"The healthcare sector is the most vulnerable industry to cyber-attacks and data breaches." (ICO, Data security incident trends, 2016)

Page 4: Cyber Risk in Healthcare Industry- Are you Protected?

OUTCOME OF CYBER ATTACKS IN HEALTHCARE INDUSTRY

1. LOSS OF CUSTOMERS' DATA (Security number, insurance ID, credit card number, passport, address, biometric data, medical history, etc.)

2. UNAUTHORISED CHANGES IN DATABASES

3. SYSTEMS' BREAKDOWN

FOR PATIENTS:

• Health risk (Prescription of wrong medications and treatments, etc.)

• Identity theft

• Financial fraud

FOR HOSPITALS:

• Inability to operate (Cancelled operations, outpatient appointments and diagnostic procedures, etc.)

• Financial losses

• Damage to reputation

65% of people would avoid healthcare providers that experience a data breach. Among adults below 35 years the statistic is 73%. (TransUnion Healthcare, 2015)

It is a primary responsibility of the management to prevent the industry from cyber breaches and to protect its patients from the physical, financial and mental damages caused by cyber attacks.

Page 5: Cyber Risk in Healthcare Industry- Are you Protected?

HEALTHCARE DATA BREACHES - IMPACT

~90% of healthcare organizations had a data breach in the past 2 years according to Ponemon's research. 45% of them had more than 5 data breaches. (Ponemon Institute Research Report, Sixth Annual Benchmark Study on Privacy & Security of Healthcare Data, 2016)

AVERAGE COSTS OF A DATA BREACH IN THE U.S. HEALTHCARE INDUSTRY*

[Chart: cost categories Lost brand value, Breach notification, Forensics, Lawsuits, HIPAA settlement fine, Lost revenue, Post-breach clean-up; values shown $3,7M, $1,1M, $0,9M, $0,6M, $0,6M, $0,5M, $0,4M]

*Protenus "Cost of a Breach: A Business Case for Proactive Privacy Analytics"

Page 6: Cyber Risk in Healthcare Industry- Are you Protected?

WHERE CYBER RISKS LIE FOR HEALTHCARE INDUSTRY

[Diagram of a hospital's risk areas: Hospital, Patient Data, Databases, File Server, Applications, SaaS, Compliance, Insider Threats, Network Intrusion, Social Engineering, Unauthorized Access, Espionage, Malware, Phishing Attacks, Ransomware, Network Attack]

Page 7: Cyber Risk in Healthcare Industry- Are you Protected?

CYBER SECURITY SKILL GAP IN THE HEALTHCARE SECTOR

The healthcare industry is holding the #1 spot in a lack of qualified cyber security professionals. (Job Market Intelligence: Cybersecurity Jobs, 2015)

58% of healthcare providers have no human resources dedicated to cyber security (Healthcare Information & Management Systems Society, 2016).

Ensuring that the healthcare C-suites have the necessary cybersecurity skills is the only way to create a strong data security approach. It is vital for a healthcare provider to maintain cyber security awareness and the most up-to-date cyber security skills among all employees.

Last year the Department of Health and Human Services awarded $87 million to 1,310 health centers across the U.S. to upgrade their IT systems and cyber security skills.

"There is a rising demand for cybersecurity professionals with skills pertinent to healthcare" (Healthcare-informatics.com, 2015).

"A cybersecurity skills shortage may eventually affect the healthcare industry" (McAfee's Hacking the Skills Shortage, 2016).

Page 8: Cyber Risk in Healthcare Industry- Are you Protected?

EC-COUNCIL APPROACH FOR HEALTHCARE INDUSTRIES

• Cyber Security Awareness, Upskilling and Training

• Compliance with Regulations (HIPAA and PCI)

• Coverage of Cyber Security Gaps in the Infrastructure

• Cyber Security Risk Assessment

Page 9: Cyber Risk in Healthcare Industry- Are you Protected?

WE BUILD CORE HANDS-ON INFORMATION SECURITY SKILLS FOR ALL LEVELS AND DEPARTMENTS

[Chart: programs arranged by cyber security experience, knowledge and skills]

• For Information Security Officers, Information Security Decision Makers

• For various specialties: Computer Forensics, Pen Testing, Mobile Forensics

• For Information Security Officers, Pen Testers, Information System Security Auditors, Information Security Auditors, Incident Handlers, persons responsible for defending systems, networks and applications

• For various specialties: Forensics Investigators, Incident Handlers, Disaster Recovery Professionals

• For Network Administrators, Network Engineers, CND Analysts, Network Defense Technicians, Network Security Analysts, Security Operators, anyone who is in network operations

• For end-users: anyone who uses the Internet extensively to work

Page 10: Cyber Risk in Healthcare Industry- Are you Protected?

OUR INFORMATION SECURITY CONSULTING AND ADVISORY SERVICES

EC-Council Global Services (EGS) is the consultation arm of the EC-Council Group.

• EGS is an advisory firm that provides customized and tailored solutions to complex challenges in Corporate Information Security.

• EGS is a vendor-agnostic entity, independent of the technology-solutions market.

• EGS is based in Malaysia and has an outstanding local team supported globally.

IDENTIFY

1. Cyber Security Posture Assessment

2. Security Strategy and Transformation

3. Vendor Risk Management

PROTECT

• IT Governance

• IT Risk Assessment

• ISO 27001 Advisory

• PCI-DSS Advisory

• Managed Security Services

• Identity & Access Management

• Training

• Data Privacy

DETECT

• Vulnerability Assessment & Penetration Testing

• Secure Code Review

• Secure Software Development Lifecycle

• Cloud Security

• Software License Compliance

• Revenue Assurance

RESPOND

• Security Incident and Event Management (SIEM)

• Security Operations (SOC)

RECOVER

• Business Continuity Management

• Disaster Recovery Planning

• Forensics Services

Page 11: Cyber Risk in Healthcare Industry- Are you Protected?

HIPAA SECURITY AND PRIVACY

HIPAA is the Health Insurance Portability and Accountability Act, a federal law that…

• Protects the privacy of a patient’s personal and health information (PII & PHI)

• Provides for electronic and physical security of personal and health information

• Simplifies billing and other transactions

Covered entities must protect an individual’s personal and

health information that:

• Is created, kept, filed, used or shared

• Is written, spoken, or electronic

EC-COUNCIL'S DETAILED HIPAA METHODOLOGY AND OFFERING IS PROVIDED IN APPENDIX A TOWARDS THE END OF THE DOCUMENT

Page 12: Cyber Risk in Healthcare Industry- Are you Protected?

ABOUT EC-COUNCIL

World’s Largest Cyber Security Consulting, Professional Training & Certification Body

Page 13: Cyber Risk in Healthcare Industry- Are you Protected?

EC-COUNCIL AT A GLANCE

EC-Council Group:

• ICECC (International Council of E-Commerce Consultants)

• ECCU (EC-Council University): Division of Academic Education

• ECC (EC-Council Training & Certification): Division of Professional Workforce Development

• EGS (EC-Council Global Services): Division of Corporate Consulting & Advisory Services

• EGE (EC-Council Global Events): Division of Conferences, Forums, Summits, Workshops & Industry Awards

• ECF (EC-Council Foundation): Non-Profit Organization for Cyber Security Awareness Increase

• 16+ YEARS EXPERIENCE

• 40+ TRAINING & CERTIFICATION PROGRAMS

• 145+ COUNTRIES

• 350+ SUBJECT MATTER EXPERTS

• 700+ TRAINING PARTNERS WORLDWIDE

• 3000 TOOLS & TECHNOLOGIES

• 150,000 CERTIFIED MEMBERS

WE ARE INFORMATION SECURITY. WE WROTE THE STANDARDS.

EC-Council is known as the world's largest technical certification body. It is also famous for being the creator of the Certified Ethical Hacker and LPT standards.

Some of the finest organizations around the world such as the U.S. Army, U.S. Navy, DoD, the FBI, Microsoft, IBM, and the United Nations have trusted ECC to develop and advance their security infrastructure.

Page 14: Cyber Risk in Healthcare Industry- Are you Protected?

Critical Information Security Skill Development Solutions

Page 15: Cyber Risk in Healthcare Industry- Are you Protected?

WE BUILD CORE HANDS-ON INFORMATION SECURITY SKILLS FOR ALL LEVELS AND DEPARTMENTS

• Often 70% of an organization's InfoSec challenges are addressed by just investing in upskilling their staff with hands-on information security skills.

Page 16: Cyber Risk in Healthcare Industry- Are you Protected?

EC-Council HIPAA Offering Appendix A

Page 17: Cyber Risk in Healthcare Industry- Are you Protected?

HEALTHCARE BUSINESS CONCERNS


1. Protect patient records

2. Maintain compliance with HIPAA standards for retention, recoverability & security

3. Healthcare data is stored in cloud hosted SaaS solutions

4. Secure Communication about patient information

5. Business partner/vendor integration

6. Protect employee healthcare records

7. Provide training to employees

8. Avoid fines from the government

9. Maintain brand and reputation

10. Minimize customer loss

Page 18: Cyber Risk in Healthcare Industry- Are you Protected?

WHY HIPAA STANDARDS?


Collaboration

Engage with business partners, suppliers, and customers

Speed

Deploy faster by integrating with existing systems

Agility

Adapt to changing business needs faster

Accessibility

Data available and useable today, tomorrow, years from now

Cost

Reduce acquisition and operating costs

Protection

Provide a standard level of protection around protected health information (PHI)

Page 19: Cyber Risk in Healthcare Industry- Are you Protected?

HEALTHCARE – WHAT DO WE HAVE TO OFFER?

1. Training and development for IT, Risk, Compliance and Security teams

2. HIPAA Security and Privacy Assessment

3. Hospital Physical Security Assessment

4. IT GAP Analysis

5. Employee Training

6. Data Loss Prevention

7. Policy Development

8. Healthcare Application Security Test

9. HIPAA HHS Audit Readiness Assessment

Page 20: Cyber Risk in Healthcare Industry- Are you Protected?

EXAMPLE USE CASES FOR DATA PROTECTION NEEDS

Accounting departments need to:

• Share encrypted files with customers

Legal departments need to:

• Block all staff from saving data to USB flash drives

• Share encrypted data on CDs / DVDs

• Shared cloud storage

Retail organizations need to:

• Block unauthorized software from work computers

• Prevent all data from being transferred via any port or connection to customers over insecure channels

Hospitals need to:

• Allow select usage of doctors' smartphones

• Log all data exchanged between devices and the hospital network for compliance

Page 21: Cyber Risk in Healthcare Industry- Are you Protected?

WHERE IS YOUR CORPORATE PROTECTED DATA?

Convenience and storage

• USB flash drives, CDs, DVDs, Bluetooth-enabled devices, etc.

• Devices used for transferring and storage of data, music, pictures, etc.

• Everything is kept in email

More mobile data, more data to lose

• Users retain everything by default

• Users transfer data between endpoint devices and the corporate network

• Mobility increases the risk of theft and accidental loss of data

Prevent a data breach

• Monitor and enforce data loss prevention on removable media, mobile disks and connections

• Control device usage and log activity

Page 22: Cyber Risk in Healthcare Industry- Are you Protected?

COMPLIANCE: HISTORICALLY COSTLY & DIFFICULT TO IMPLEMENT


Enforcement

Policy compliance required manual user & administrator intervention

User Training

New deployments required additional training due to significant user impact

Administrative Burden

Differing management interfaces & demands for enrollment administration

Patch Management

Each application creates an additional patch burden when updated

Mobile / Online applications

Each application is a point solution without common administration & policy

Integration

Lack of common integration & configuration with existing infrastructure

Page 23: Cyber Risk in Healthcare Industry- Are you Protected?

DATA PROTECTION IMPLEMENTATION CHALLENGES

Corporate access to data

• Employee dismissal cannot result in data loss

Central deployment, management, & updates

• How can thousands of distributed users be tracked and managed?

• Software installation can be uncontrolled

Initial & ongoing management cost

• Constrained by existing IT resources

• Can compliance grow with the business?

User experience

• What additional user processes are required?

• Cannot rely on users to make security decisions

• Non-disruptive implementation is essential

Page 24: Cyber Risk in Healthcare Industry- Are you Protected?

HIPAA SECURITY ASSESSMENTS

POLICY AND PROCESS (Security Posture Creation)

• Security Policy Development

• Security Strategy

• Temporary CSO

• Roadmap Strategy

• Employee Awareness Training

ASSESSMENT (Security Posture Maintenance)

• Vulnerability

• Gap Analysis (Where you are vs. Where you need to be)

• Audit & Compliance (HIPAA, PCI, SOX, etc.)

• Web Application

• Supplier Security

Page 25: Cyber Risk in Healthcare Industry- Are you Protected?

QUESTIONS FOR YOUR HOSPITAL OR CLINIC


Security architecture

Can the compliance framework provide an encryption platform that can expand to accommodate additional applications?

Comprehensive protection

Can the compliance solution comprehensively protect sensitive data without tremendous administrative overhead or changes to user behavior?

Security management

Can the compliance framework be efficiently managed by using integrated management processes?

Application risk

What other applications / products will need to be installed / deployed as part of the total enterprise framework strategy?

Page 26: Cyber Risk in Healthcare Industry- Are you Protected?

DO YOU NEED TO INVEST IN INFORMATION SECURITY TRAINING, CONSULTING AND ADVISORY?

Does the organization allow removable devices such as CDs, USB drives, etc.?

Is there a corporate policy on information security and HIPAA Privacy and Security?

Do you want to keep track of where and how confidential data is transferred onto portable media?

Do you have a lot of users who work offline / are disconnected from the corporate network?

How do you protect data within/leaving your enterprise (laptops, email, servers, mobile)?

What are the consequences if data is stolen or compromised?

Company brand damage? Lost customers? Regulatory fines?

How do you control access to information based on the different roles within the organization, for example across departments, with contractors, etc.?

Page 27: Cyber Risk in Healthcare Industry- Are you Protected?

CONTACT US

MARK MERRILL, Executive Sales & Business Development | Global Services

EC-Council Global Services: An EC-Council Division

Email: [email protected]

Web: http://www.eccouncil.org, http://www.eccgs.com

US Cell: +1.(817).821.4200

Page 28: Cyber Risk in Healthcare Industry- Are you Protected?

THANK YOU