HEALTHCARE DATA SECURITY: REPORT FROM THE DARK WEB

24th NATIONAL HIPAA SUMMIT, WASHINGTON D.C.


BEN GOODMAN

4A Security & Compliance


WE ARE DEDICATED TO HELPING HEALTHCARE ORGANIZATIONS SECURE THEIR DATA, MAINTAIN COMPLIANCE, EDUCATE THEIR PEOPLE, AND MANAGE CYBER RISK.


DARK NET ACTORS

[Chart. Categories: Individuals & Small Groups, Criminal Organizations, Cyber Terrorists, Nation States, Hacktivists. Values shown: 70%, 20%, 5%, 4%, 1%.]

2014 Rand Corporation


DARK NET LANGUAGE DISTRIBUTION

[Chart. Languages: Russian, English, Korean, French, Bulgarian, Polish, German, Finnish, Portuguese, Catalan, Other. Values shown: 41%, 41%, 4%, 2%, 2%, 2%, 2%, 1%, 1%, 1%, 3%.]

2015 Trend Micro


CYBER CRIMINAL ECOSYSTEM

[Diagram. Labels as extracted: Administrators; Subject-Matter Experts; Root Kit Creators; Data Traffickers; Cryptanalysts; Zero-day Researchers; Malware Writers; Identity Collectors; Programmers; Intermediaries; Brokers; Spammers; Botnet Owners; Drop Service; Distributors; Hosted Systems Providers; Cashiers; ID/Financial Data Providers; General Membership; Member Cells; Buyers; Observers; Money Mules; Wire Transfers; Shipping Goods; Naïve Dupes.]

2014 Rand Corporation


ATTACK LIFECYCLE

Research → Infiltration → Mapping → Capture → Exfiltration → Monetization


DARK NET MARKET LISTINGS # / DARK NET MARKET LISTINGS %

[Charts: number of listings (axis 0 to 80,000) and percentage of listings by category. Categories: Drugs & Chemicals, Fraud, Digital Products, Guides & Tutorials, Services, Counterfeit Items, Carded Items, Other Listings, Software & Malware, Weapons, Jewels & Gold, Security & Hosting. Percentages shown: 64.1%, 13.7%, 5.7%, 5.6%, 3.1%, 2.4%.]

DARK NET MARKET SALES

Cannabis, Ecstasy, Cocaine-related Products Account for about 70% of all [DNM] sales*

* "Measuring the Longitudinal Evolution of the Online Anonymous Marketplace Ecosystem", Soska & Christin 2015


DARK NET MARKET SIZE EXAMPLE

56,226 Members 465,222 Messages

61,291 Discussions


DNMs ARE RESILIENT TO LAW ENFORCEMENT TAKEDOWNS

Sales volume rebounded quickly following Operation Onymous and Evolution, Pandora and Sheep, exit scams.*

* "Measuring the Longitudinal Evolution of the Online Anonymous Marketplace Ecosystem", Soska & Christin 2015


DARK NET MARKET LISTINGS #


HACKERS’ SHARE OF PHI BREACHES

[Chart: 2009 to 2015; series: % of Breaches, % of Records; axis 0% to 100%. Data labels as extracted: 0%, 5%, 8%, 8%, 8%, 12%, 21%; 0%, 10%, 2%, [VALUE], 3%, 14%, 99%.]


DATA AT RISK

420,000 ROOT:ROOT COMPROMISES

165 MILLION IPs WITH THE TOP 150 PORTS OPEN & RETURNING DATA

Vulnerability Scans, Fingerprinting

Buffer Overflows, Telnet Sessions

NetBios Audits

Extract Users, Groups, Permissions

FTP - Get and Put Files, Execute Malicious Scripts, etc.


TIME FROM ENTRY TO COMPROMISE

[Chart: 2008 to 2013; categories: Minutes, Hours, Days, Weeks, Months; axis 0% to 100%. Callouts shown: 60%, 24%.]


TIME FROM COMPROMISE TO EXFILTRATION

[Chart: 2008 to 2013; categories: Minutes, Hours, Days, Weeks, Months; axis 0% to 100%. Callouts shown: 26%, 36%.]


ATTACK TYPE: OPPORTUNISTIC VS. TARGETED

[Chart: 2008 to 2014; series: Targeted, Opportunistic; axis 0% to 100%. Callouts shown: 71%, 29%.]


ATTACK TYPE: TRENDING TOWARD MORE TARGETED ATTACKS

Malware searching Hostnames, IPs, etc. for strings:
• Pediatric
• Orthoped
• Nurse
• Hospital, etc.

Malware phones home to report if it’s a desirable target or not

Increasingly malware designed to use Tor & Hidden Services infrastructure


theDataMap™ Data Privacy Lab

HEALTHCARE DATA SHARING ECOSYSTEM ATTACK SURFACE


MEDICAL IDENTITY THEFT: VALUE OF A MEDICAL RECORD ON THE DARK NET MARKET

Like any market, black market prices fluctuate. Medical record values on DNMs are consistently higher than other FULLZ.

[Chart: price by data type; axis $0 to $60. Data types: Social Security #, Credit Card Info, Date of Birth, Mother's Maiden Name, Medical Record. Values shown: $3, $1.50, $3, $5, $50.]


WHAT’S A MEDICAL RECORD REALLY WORTH ON A DNM?

• FULLZ: $.01
• FULLZ w/Medical: $1
• Medical FULLZ: $10 ea
• Medical FULLZ: $10 – 20 ea
• Medicare IDs: $470 ea
• Life Insurance: $7 ea

MEDICAL IDENTITY THEFT

* KrebsonSecurity, Sept. 18, 2014, “Medical Records For Sale in Underground Stolen From Texas Life Insurance Firm”

Database records from McKesson subsidiary PST Services showing up on Dark Net Markets 1+ year after breach


DETECTION LAG TIMES

IDENTITY THEFT - CRIME TO DISCOVERY*

[Chart: 2004, 2005, 2006, 2007, 2008, 2009, 2013, 2014; categories: 0 - 6 Mos, 7 - 12 Mos, 1 - 2 Yrs, 2 + Yrs; axis 0% to 60%.]

* Identity Theft Resource Center, Aftermath Surveys 2003 - 2014

MEDICAL DATA BREACH - COMPROMISE TO DISCOVERY*

[Chart: 2010 to 2014; categories: Days, Weeks, Months, Years; axis 0% to 80%.]

* Verizon, 2015 Protected Health Information Data Breach Report


MEDICAL IDENTITY THEFT (MIT)

• 7M PHI records breached in 2013*
• 12.7M PHI records breached in 2014*
• 2.32M adult MIT victims in U.S. as of 2014**
• 13% of 17.6M Identity Theft victims in 2014†
• 500,000 MIT victims in 2014**

* U.S. Department of Health & Human Services, OCR “Wall of Shame”
** Ponemon Institute, “Fifth Annual Study on Medical Identity Theft”
† U.S. Department of Justice, Bureau of Justice Statistics, “Victims of Identity Theft, 2014”


2015

113,258,966 INDIVIDUALS’ PHI EXPOSED

268 REPORTED BREACHES

1 Breach of PHI Every 33 Hours

2016 MEDICAL IDENTITY THEFT ?


“To date, we have no knowledge that any of our patients’ information has been accessed or used improperly.”

BITGLASS HONEYPOT EXPERIMENT

10,104 PST Services
Tenet Health
680 Midwest Orthopaedic Center
520 Williamson Medical Center
520 24 ON Physicians
InCompass Healthcare

Day 1: 3 logins & 5 logins on portal

Day 2: Files exfiltrated

Day 30: 1,400 login attempts 30 countries 5 continents

! ! ! : Credentials used on other accounts


ALIGNMENT OF SECURITY & COMPLIANCE

Healthcare Data Systems are part of a broader, interconnected ecosystem
• Get to know how & where you fit within the entire ecosystem
• Inform your risk analysis
• Align risk and compliance

[Diagram labels: HIPAA, CYBER RISK]


HEALTHCARE

DATA SECURITY

COMPLIANCE

EDUCATION

484.858.0427