Ransomware, Hack and Breach: The Year of the Healthcare Breach South Carolina Hospital Association Trustee Administrator Physician Conference Trish Markus Roy Wyman September 16, 2016

Overview Recent Developments Types of Breaches and Trends Definitions Examples Ransomware Defenses Practical Tips

Year of the Health Care Hack

Recent Developments 2015 widely referenced as "Year of the Health Care Hack" Anthem, Premera, OPM hacks compromised millions of records FBI report $24 million in payments to hackers 1,000 attacks per day 1st quarter of 2016 $209 million in payments to hackers Up to 4,000 attacks per day

Types of Breaches The Old-Fashioned Hack The Older-Fashioned Insiders 4/5 go undetected a week or more Some up to a year The Older-Fashioned Insiders Disgruntled Broke Mistakes Access Attacks: Denial of Service (DoS) Ransomware

An Ugly Year Getting Uglier Old Fashioned Breaches Healthcare Suffers Estimated $6.2 Billion In Data Breaches Nearly 90% of healthcare entities had a breach in last two years averaging $2.2MM in cost.* 35% Increase in Healthcare Breaches over last year** Ransomware Government Actions 25 States Considering Notification Bills SC 39-1-90 (Private Right of Action) *Ponemon Institute Sixth Annual Benchmark Study ** Piper Jaffray

Hacking and Ransomware Trends Both targeting health care providers Both exploit human vulnerabilities via phishing 93% of phishing e-mails now deliver ransomware Both affect availability and integrity of records, not simply confidentiality

Phishing "Phisherman" targets individuals through social media or through company websites Example 1 (Magnolia): employee gets e-mail sent by company CEO seeking spreadsheet of all employees' personal info, including SSNs . . . Except it wasn't company CEO Example 2 (Anthem): "The IT department is doing an update, so I need you to go to www.we11point.com and log in using your ID and password . . ." Hackers then gained access to the database

Hacker and Phishing Defined A hacker is someone who uses a computer to secretly gain unauthorized access to data in a system Phishing is a fraudulent attempt to steal someone's personal information by pretending to be a trustworthy entity in an electronic communication (usually e-mail)

Ransomware Defined Ransomware is malicious software that denies access to a user's data by encrypting data with a key only known to the hacker who deployed the ransomware, until the ransom is paid Some ransomware also destroys or transfers information to another system

Examples Advocate: 4 Million Individuals, $5.55MM Fine Lack of Risk Assessment Physical Access Business Associate Agreements Encrypt Laptops and Mobile Devices Bon Secours BA, R-C Healthcare Mgmt—655,000 Patients Attack of Business Associate Patient information accessible on the web During adjustment of network settings

Examples (Continued) University of Washington Medicine: $750,000 fine Failure to assure that "Affiliated Covered Entities" implement policies and procedures Raleigh Orthopaedic Clinic Failure to execute Business Associate Agreements $0 loss to patients, no show of breach

Examples (Continued) Rotech Healthcare (Respiratory/Apnea Facility) June 13—Notified by Police PHI Recovered Copies received July 11 from US Secret Service Forensic Investigators attempt to determine scope

Ransomware in Health Care Hollywood Presbyterian Methodist Hospital (KY) MedStar Health King's Daughters' Health (IN) Kansas Heart Hospital Sometimes paying the ransom doesn't work As of early August, CryptoLocker ransomware had stolen $27 million from hospitals in 2016

Ransomware Types Phishing and Drive-by Downloads Multiple variants Malvertisements Multiple variants Some threaten to disclose data ("Exfiltration") Most utilize the same old tools and tricks Bad attachments Bad links

Ransomware OCR Release of Guidance 7/11/16 Presence of ransomware (or any malware) is a security incident Encryption of data resulting from ransomware is a breach because the ePHI was "acquired" (i.e., control of data was taken) by the hacker* Need to show a "low probability that the PHI has been compromised," or report breach Potential exfiltration not the only issue *No, you haven't taken Crazy Pills™, this makes no sense

Ransomware Six of 10 ransomware victim organizations made changes to security infrastructure after ransomware attack Unplanned data center downtime costs hospitals $7,900 per minute* It takes physicians twice as long to perform admin tasks manually (without EHR) *Ponemon Institute survey

DON'T LOOK FOR A PRODUCT . . . CREATE A PROCESS Defenses DON'T LOOK FOR A PRODUCT . . . CREATE A PROCESS

Defenses Keep Patches Up to Date Limit Access Training (especially in social engineering) Quick Identification and Response Web Filtering Application Whitelisting Insurance

Preparation and Response Plan Written Plan with List of Contacts Tabletop Exercises Bitcoin Account Backups

Preparation and Response Respond Initial Analysis (Scope, 4 Ws, Ongoing, etc.) Contain Impact and Propagation Eradicate Recover Post-Incident Review

STOP PANICKING! Compliance, Compliance, Compliance Continuous Cycle of Risk Assessment Risk Management Policies and Procedures Education Monitoring/Auditing Benchmark Continuous Cycle of Improvement

Questions? Trish Markus (919) 329-3853 trish.markus@nelsonmullins.com Roy Wyman (615) 664-5362 roy.wyman@nelsonmullins.com