HIPAA COW
Keith Fricke, MBA, CISSP, PMP
April 27, 2018
Data Security Trends
OCR Audits
Q&A
Copyright © 2017, tw-Security 3
Data breaches
Denial of service attacks
Internet of Things & medical devices
Malware
Top 10 healthcare breaches in 2017
◦ Commonwealth Health Corporation, Bowling Green, KY, 697,800 affected individuals (Theft)
◦ Airway Oxygen, Inc. (Business Associate), Wyoming, MI, 500,000 affected individuals (Hacking/IT Incident)
◦ Women’s Healthcare Group of PA, Oaks, PA, 300,000 affected individuals (Hacking/IT Incident)
◦ Urology Austin, PLLC, Austin, TX, 300,000 affected individuals (Hacking/IT Incident)
◦ Pacific Alliance Medical Center, Los Angeles, CA, 266,123 affected individuals (Hacking/IT Incident) (Note: PAMC closed in December 2017 due to costs to retrofit facilities to meet seismic requirements)
◦ Peachtree Neurological Clinic P.C., Atlanta, GA, 176,295 affected individuals (Hacking/IT Incident)
◦ Arkansas Oral & Facial Surgery Center, Springdale, AZ, 128,000 affected individuals (Hacking/IT Incident)
◦ McLaren Medical Group, Mid-Michigan Physicians Imaging Center, Lansing, MI, 106,008 affected individuals (Hacking/IT Incident – 3rd party issue)
◦ Harrisburg Gastroenterology Ltd., Harrisburg, PA, 93,323 affected individuals (Hacking/IT Incident)
◦ VisionQuest Eyecare, Indianapolis, IN, 85,995 affected individuals (Hacking/IT Incident)
Source: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf
Hacking continues to be the biggest breach event category, even though it is only 19% of the “Number of Incidents”
15% (330 incidents) of all reported breaches due to Business Associates, affecting 29,907,269 patients
Source: www.hhs.gov
Denial of Service (DoS)
◦ Overwhelming computer systems or data networks to disrupt service
◦ Recent trend: exploiting some “Internet of Things” devices on a large scale for DoS attacks
Sidebar on Internet of Things:
• Manhole covers
• ODOT
• Losing keys
Increase in networked medical devices
Enhances delivery of patient care
Risks
Cyber insurance news
Using the techniques of deception or persuasion to gain access to information
Phishing is a method of fraud using fake but legitimate-looking electronic communications to trick recipients into
• Providing sensitive information
• Unknowingly downloading computer viruses
• Sending money somewhere
Statistic: Q4 2004: 1,609 global phishing attacks per month; Q4 2016: 92,564 global attacks per month
Source: www.apwg.org
The many forms of phishing
• Spear Phishing – targeting a specific group of individuals
o Finance Department
o Workforce
o Executives
• Smishing – phishing via text message
• Phone calls from fraudsters
Ransomware attackers use malware to encrypt your data and demand payment for the decryption
Attackers can be trusted to provide the decryption key. Why?
Ransomware attacks can come with other malware
Criminals used phishing email to send attachments infected with ransomware
Ransomware encrypts data files, preventing access to the data until the hospital paid a ransom fee
Encryption means to make data appear scrambled unless you know how to decrypt it
Bitcoin is a type of digital currency
Global cyber attack hits hospitals and companies, threat seen fading for now
A global cyber attack leveraging hacking tools believed to have been developed by the U.S. National Security Agency has infected tens of thousands of computers in nearly 100 countries, disrupting Britain's health system and global shipper FedEx.
Cyber extortionists tricked victims into opening malicious malware attachments to spam emails that appeared to contain invoices, job offers, security warnings and other legitimate files.
Stages of incident response
◦ Detect
◦ Identify
◦ Contain
◦ Eradicate
◦ Restore
◦ Post Mortem
Each encrypted file has a pair of ransom notes (txt and html)
Triage process
◦ Receive calls from users (PC files and server share files affected)
◦ Confirm presence of encrypted files (expect 1000s of them)
◦ Look at file metadata on file shares to identify the last user or workstation that modified the files
Triage process continued
◦ Unplug workstations suspected of causing file encryption
◦ Inventory files affected
◦ Restore backups
◦ Investigate ransomware infection vector (email, web browsing)
◦ Address email & web browsing threat
◦ Submit malware samples for analysis
◦ Remove malware
◦ Resume operations
Neither could we until…
● Can you guess which one is not like the other?
● Attempt to open a file
● Now responders have to look at file creation date
Ransomware variants hamper the response process
◦ File extensions are preserved
◦ “Modified by” metadata is erased
Erasing metadata is bad
◦ No easy way to identify infected computers
◦ Triage means unplugging all computers and manually inspecting them
◦ Hopefully the issue is localized to one department
◦ Cloud storage opens up a whole new dimension to the incident response
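The triage steps above (find the ransom-note pairs, then use "modified by" metadata to point at the originating account) and the variant that erases that metadata (forcing responders onto file creation dates) can be worked through over a constructed set of file-share records. This is an added example, not code from the presentation; the share paths, account names, note filenames and timestamps are all made up.

```python
from collections import Counter, defaultdict, namedtuple
from datetime import datetime, timedelta

# Placeholder note names; every ransomware family uses its own pair.
NOTE_NAMES = {"HOW_TO_DECRYPT.txt", "HOW_TO_DECRYPT.html"}
FileRecord = namedtuple("FileRecord", "directory name modified_by created_at")  # modified_by is None when erased

def rec(directory, name, modified_by, created):
    return FileRecord(directory, name, modified_by, datetime.fromisoformat(created))

# Constructed sample of file-share metadata, not data from a real incident.
SAMPLE = [
    rec(r"\\share\finance", "HOW_TO_DECRYPT.txt", "jdoe", "2018-04-20T08:02:00"),
    rec(r"\\share\finance", "HOW_TO_DECRYPT.html", "jdoe", "2018-04-20T08:02:00"),
    rec(r"\\share\finance", "budget.xlsx", "jdoe", "2018-04-20T08:01:30"),
    rec(r"\\share\finance", "payroll.docx", "jdoe", "2018-04-20T08:03:10"),
    rec(r"\\share\hr", "handbook.docx", "asmith", "2018-03-01T10:00:00"),
    rec(r"\\share\radiology", "HOW_TO_DECRYPT.txt", None, "2018-04-20T09:30:00"),
    rec(r"\\share\radiology", "HOW_TO_DECRYPT.html", None, "2018-04-20T09:30:00"),
    rec(r"\\share\radiology", "scan1.dcm", None, "2018-04-20T09:31:00"),
    rec(r"\\share\radiology", "scan2.dcm", None, "2018-04-20T09:32:00"),
    rec(r"\\share\radiology", "old_report.pdf", None, "2017-11-05T14:00:00"),
]

def note_dirs(records):
    """Directories holding both halves of the ransom-note pair (txt and html)."""
    seen = defaultdict(set)
    for r in records:
        if r.name in NOTE_NAMES:
            seen[r.directory].add(r.name.rsplit(".", 1)[1])
    return {d for d, exts in seen.items() if exts == {"txt", "html"}}

def encrypted_files(records):
    """Treat every non-note file in a note-bearing directory as a victim file."""
    dirs = note_dirs(records)
    return [r for r in records if r.directory in dirs and r.name not in NOTE_NAMES]

def rank_suspects(records, window=timedelta(minutes=10)):
    """Count victim files per 'modified by' account; where that field was erased,
    cluster the files by creation time so the encryption burst stands out."""
    victims = encrypted_files(records)
    by_account = Counter(r.modified_by for r in victims if r.modified_by)
    bursts = []  # each entry: [first_created, last_created, file_count]
    for t in sorted(r.created_at for r in victims if not r.modified_by):
        if bursts and t - bursts[-1][1] <= window:
            bursts[-1][1], bursts[-1][2] = t, bursts[-1][2] + 1
        else:
            bursts.append([t, t, 1])
    return by_account, bursts
```

On the sample, the finance share resolves to the account `jdoe` directly, while the radiology share (metadata erased) yields a two-file creation burst at 09:31 that stands apart from the stale `old_report.pdf`.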
Hover over a link WITHOUT clicking it
See if the actual link displayed matches what is in the status bar
Office for Civil Rights (OCR) issued ransomware guidance in April 2016
• Healthcare organizations are expected to conduct a risk analysis for each ransomware incident
• Purpose is to determine whether a low probability of a data breach exists
• Document findings
• Rationale for why OCR considers ransomware a potential data breach
Preparedness of Network Team in IT
Throttling bandwidth through technology
Relationship with your Internet Service Provider
Workforce awareness – don’t forget the Help Desk
Companies should conduct their own phishing campaigns
People are the weakest link in security
Confirm your data backup plan
Patch Management
Vulnerability Management
Advanced Malware Protection
Network Segmentation
Maintain an inventory of medical devices
◦ Connected to network – wired or wireless?
◦ Operating system
◦ Password settings / authentication / encryption
Know the vendor’s patch & vulnerability management process
Incident Response Plans and Capabilities
167 Desk Audits initiated on July 11, 2016
Desk Audit vs. Compliance Audit
Two areas of focus for Desk Audits
December 2016: 45 Desk Audits of Business Associates
March 2017: OCR issues Desk Audit draft reports
2016 desk audits – 166 CE audits in total
◦ 103 desk audits focused on Privacy & Breach Notification
◦ 63 desk audits focused on Security Compliance
◦ 41 BA desk audits, focusing on Breach Notification and Security Compliance
◦ Note: OCR presenter stated data does not represent a statistically significant sample
Source: HIMSS Boston September 2017 OCR Presentation
Documentation submissions were ranked by OCR on a 1 – 5 scale as defined in the following table:
Some findings on CE desk audits
◦ For “Timeliness of Notification” documentation provided (regarding breach notifications)
67 CEs scored a rating of 1
15 CEs scored a rating of 5
◦ For “Request to Access Records” documentation provided
1 CE scored a rating of 1
11 CEs scored a rating of 5
◦ For “Risk Assessment” documentation provided
1 CE scored a rating of 1
13 CEs scored a rating of 13
◦ For “Risk Management” documentation provided
No CEs scored a rating of 1
Some findings on CE desk audits
◦ Common failures regarding Timeliness of Notification documentation
The letter sent to the patients had no date on it
70% of CEs received a score of 2 – 5 rating because their notification letter was missing key content
83% of CEs received a ranking of 3 – 5 for their Notice of Privacy Practices because they copied an NPP from the Internet and never customized it for their organization
Some findings on CE desk audits
For “Right to Access” documentation submitted:
Only 1% received a ranking of 1
Inadequate documentation was common
Some CEs claimed they were never asked by patients for access to their record
No policy existed
Some submitted a copy of their Authorization Form as their policy
Lacking compliance in having the Right to Access policy state that the hospital will make efforts to send communication via a method specified by the patient
Some findings on CE desk audits
Details on Risk Analysis evidence provided
No CEs received a ranking of 1
13% received a ranking of 2
30% received a ranking of 3
36% received a ranking of 4
21% received a ranking of 5
Reasons for failures
CE had no risk analysis
CE did not do a risk analysis on all systems
Risk analysis failed to identify threats and vulnerabilities (a checklist was submitted)
Failure to update risk analysis on a regular basis
Some findings on CE desk audits
Details on Risk Management
1% of CEs received a ranking of 1
5% received a ranking of 2
21% received a ranking of 3
46% received a ranking of 4
27% received a ranking of 5
Many CEs could not show a plan
Many CEs were not working the plan in accordance with risk findings
Roger Severino, OCR Director
Shifting focus back to investigation of reported breaches
Desk Audits “Phase 3” is only to document lessons learned/best practices from the first two phases
Resulting implication of the shift in focus is compliance auditing
https://www.healthcareinfosecurity.com/no-slowdown-for-hipaa-enforcement-but-audits-ending-a-10701
Keith Fricke
Partner and Principal Consultant, tw-Security
216.280.4430