TRANSCRIPT
HEALTHCARE DATA SECURITY: REPORT FROM THE DARK WEB
24th NATIONAL HIPAA SUMMIT
WASHINGTON D.C.
BEN GOODMAN
4A Security & Compliance
WE ARE DEDICATED TO HELPING HEALTHCARE ORGANIZATIONS SECURE THEIR DATA, MAINTAIN COMPLIANCE, EDUCATE THEIR PEOPLE, AND MANAGE CYBER RISK.
DARK NET ACTORS
[Pie chart. Categories: Individuals & Small Groups, Criminal Organizations, Cyber Terrorists, Nation States, Hacktivists. Data labels: 70%, 20%, 5%, 4%, 1%.]
2014 Rand Corporation
DARK NET LANGUAGE DISTRIBUTION
[Chart. Languages: Russian, English, Korean, French, Bulgarian, Polish, German, Finnish, Portuguese, Catalan, Other. Data labels: 41%, 41%, 4%, 2%, 2%, 2%, 2%, 1%, 1%, 1%, 3%.]
2015 Trend Micro
CYBER CRIMINAL ECOSYSTEM
[Figure. Labels shown: Administrators; Subject-Matter Experts; Root Kit Creators; Data Traffickers; Cryptanalysts; Zero-day Researchers; Malware Writers; Identity Collectors; Programmers; Intermediaries; Brokers; Spammers; Botnet Owners; Drop Service; Distributors; Hosted Systems Providers; Cashiers; ID/Financial Data Providers; General Membership; Member Cells; Buyers; Observers; Money Mules; Wire Transfers; Shipping Goods; Naïve Dupes.]
2014 Rand Corporation
ATTACK LIFECYCLE
Research, Infiltration, Mapping, Capture, Exfiltration, Monetization
DARK NET MARKET LISTINGS # / DARK NET MARKET LISTINGS %
[Charts. Categories: Drugs & Chemicals, Fraud, Digital Products, Guides & Tutorials, Services, Counterfeit Items, Carded Items, Other Listings, Software & Malware, Weapons, Jewels & Gold, Security & Hosting. Data labels: 64.1%, 13.7%, 5.7%, 5.6%, 3.1%, 2.4%. Axis: 0 to 80,000.]
DARK NET MARKET SALES
Cannabis, Ecstasy, Cocaine-related Products Account for about 70% of all [DNM] sales*
* "Measuring the Longitudinal Evolution of the Online Anonymous Marketplace Ecosystem", Soska & Christin 2015
DARK NET MARKET SIZE EXAMPLE
56,226 Members 465,222 Messages
61,291 Discussions
DNMs ARE RESILIENT TO LAW ENFORCEMENT TAKEDOWNS
Sales volume rebounded quickly following Operation Onymous and Evolution, Pandora and Sheep, exit scams.*
* "Measuring the Longitudinal Evolution of the Online Anonymous Marketplace Ecosystem", Soska & Christin 2015
HACKERS’ SHARE OF PHI BREACHES
[Chart, 2009 to 2015. Series: % of Breaches, % of Records. Axis: 0% to 100%. Data labels: 0%, 5%, 8%, 8%, 8%, 12%, 21%; 0%, 10%, 2%, [VALUE], 3%, 14%, 99%.]
DATA AT RISK
420,000 ROOT:ROOT COMPROMISES
165 MILLION IPs WITH THE TOP 150 PORTS OPEN & RETURNING DATA
Vulnerability Scans, Fingerprinting
Buffer Overflows, Telnet Sessions
NetBIOS Audits
Extract Users, Groups, Permissions
FTP - Get and Put Files, Execute Malicious Scripts, etc.
TIME FROM ENTRY TO COMPROMISE
[Chart, 2008 to 2013. Series: Minutes, Hours, Days, Weeks, Months. Axis: 0% to 100%. Data labels: 60%, 24%.]
TIME FROM COMPROMISE TO EXFILTRATION
[Chart, 2008 to 2013. Series: Minutes, Hours, Days, Weeks, Months. Axis: 0% to 100%. Data labels: 26%, 36%.]
ATTACK TYPE: OPPORTUNISTIC VS. TARGETED
[Chart, 2008 to 2014. Series: Targeted, Opportunistic. Axis: 0% to 100%. Data labels: 71%, 29%.]
ATTACK TYPE: TRENDING TOWARD MORE TARGETED ATTACKS
Malware searching Hostnames, IPs, etc. for strings:
• Pediatric
• Orthoped
• Nurse
• Hospital, etc.
Malware phones home to report if it’s a desirable target or not
Increasingly malware designed to use Tor & Hidden Services infrastructure
theDataMap™ Data Privacy Lab
HEALTHCARE DATA SHARING ECOSYSTEM ATTACK SURFACE
MEDICAL IDENTITY THEFT: VALUE OF A MEDICAL RECORD ON THE DARK NET MARKET
Like any market, black market prices fluctuate. Medical record values on DNMs are consistently higher than other FULLZ.
[Bar chart. Categories: Social Security #, Credit Card Info, Date of Birth, Mother's Maiden Name, Medical Record. Data labels: $3, $1.50, $3, $5, $50. Axis: $0 to $60.]
WHAT’S A MEDICAL RECORD REALLY WORTH ON A DNM?
• FULLZ $.01
• FULLZ w/Medical $1
• Medical FULLZ $10 ea
• Medical FULLZ $10 – 20 ea
• Medicare IDs $470 ea
• Life Insurance $7 ea
MEDICAL IDENTITY THEFT
* KrebsOnSecurity, Sept. 18, 2014, “Medical Records For Sale in Underground Stolen From Texas Life Insurance Firm”
Database records from McKesson subsidiary PST Services showing up on Dark Net Markets 1+ year after breach
DETECTION LAG TIMES
IDENTITY THEFT - CRIME TO DISCOVERY*
[Chart. Years: 2004, 2005, 2006, 2007, 2008, 2009, 2013, 2014. Series: 0 - 6 Mos, 7 - 12 Mos, 1 - 2 Yrs, 2 + Yrs. Axis: 0% to 60%.]
* Identity Theft Resource Center, Aftermath Surveys 2003 - 2014
MEDICAL DATA BREACH - COMPROMISE TO DISCOVERY*
[Chart, 2010 to 2014. Series: Days, Weeks, Months, Years. Axis: 0% to 80%.]
* Verizon, 2015 Protected Health Information Data Breach Report
MEDICAL IDENTITY THEFT (MIT)
• 7M PHI records breached in 2013*
• 12.7M PHI records breached in 2014*
• 2.32M adult MIT victims in U.S. as of 2014**
• 13% of 17.6M Identity Theft victims in 2014†
• 500,000 MIT victims in 2014 **
* U.S. Department of Health & Human Services, OCR “Wall of Shame”
** Ponemon Institute, “Fifth Annual Study on Medical Identity Theft”
† U.S. Department of Justice, Bureau of Justice Statistics, “Victims of Identity Theft, 2014”
2015
113,258,966 INDIVIDUALS’ PHI EXPOSED
268 REPORTED BREACHES
1 Breach of PHI Every 33 Hours
2016 MEDICAL IDENTITY THEFT ?
“To date, we have no knowledge that any of our patients’ information has been accessed or used improperly.”
BITGLASS HONEYPOT EXPERIMENT
10,104 PST Services
Tenet Health
680 Midwest Orthopaedic Center
520 Williamson Medical Center
520 24 ON Physicians
InCompass Healthcare
Day 1: 3 logins & 5 logins on portal
Day 2: Files exfiltrated
Day 30: 1,400 login attempts 30 countries 5 continents
! ! ! : Credentials used on other accounts
HIPAA
Healthcare Data Systems are part of a broader, interconnected ecosystem
• Get to know how & where you fit within the entire ecosystem
• Inform your risk analysis
• Align risk and compliance
ALIGNMENT OF SECURITY & COMPLIANCE
CYBER RISK