Presentation is loading. Please wait.

Presentation is loading. Please wait.

Ransomware, Hack and Breach: The Year of the Healthcare Breach

Published byLuke Carter Modified over 6 years ago

Similar presentations

Presentation on theme: "Ransomware, Hack and Breach: The Year of the Healthcare Breach"— Presentation transcript:

1 Ransomware, Hack and Breach: The Year of the Healthcare Breach
South Carolina Hospital Association Trustee Administrator Physician Conference Trish Markus Roy Wyman September 16, 2016

2 Overview Recent Developments Types of Breaches and Trends Definitions
Examples Ransomware Defenses Practical Tips

3 Year of the Health Care Hack

4 Recent Developments 2015 widely referenced as "Year of the Health Care Hack" Anthem, Premera, OPM hacks compromised millions of records FBI report $24 million in payments to hackers 1,000 attacks per day 1st quarter of 2016 $209 million in payments to hackers Up to 4,000 attacks per day

5 Types of Breaches The Old-Fashioned Hack The Older-Fashioned Insiders
4/5 go undetected a week or more Some up to a year The Older-Fashioned Insiders Disgruntled Broke Mistakes Access Attacks: Denial of Service (DoS) Ransomware

6 An Ugly Year Getting Uglier
Old Fashioned Breaches Healthcare Suffers Estimated $6.2 Billion In Data Breaches Nearly 90% of healthcare entities had a breach in last two years averaging $2.2MM in cost.* 35% Increase in Healthcare Breaches over last year** Ransomware Government Actions 25 States Considering Notification Bills SC (Private Right of Action) *Ponemon Institute Sixth Annual Benchmark Study ** Piper Jaffray

7 Hacking and Ransomware Trends
Both targeting health care providers Both exploit human vulnerabilities via phishing 93% of phishing s now deliver ransomware Both affect availability and integrity of records, not simply confidentiality

8 Phishing "Phisherman" targets individuals through social media or through company websites Example 1 (Magnolia): employee gets sent by company CEO seeking spreadsheet of all employees' personal info, including SSNs . . . Except it wasn't company CEO Example 2 (Anthem): "The IT department is doing an update, so I need you to go to and log in using your ID and password . . ." Hackers then gained access to the database

9 Hacker and Phishing Defined
A hacker is someone who uses a computer to secretly gain unauthorized access to data in a system Phishing is a fraudulent attempt to steal someone's personal information by pretending to be a trustworthy entity in an electronic communication (usually )

10 Ransomware Defined Ransomware is malicious software that denies access to a user's data by encrypting data with a key only known to the hacker who deployed the ransomware, until the ransom is paid Some ransomware also destroys or transfers information to another system

11 Examples Advocate: 4 Million Individuals, $5.55MM Fine
Lack of Risk Assessment Physical Access Business Associate Agreements Encrypt Laptops and Mobile Devices Bon Secours BA, R-C Healthcare Mgmt—655,000 Patients Attack of Business Associate Patient information accessible on the web During adjustment of network settings

12 Examples (Continued) University of Washington Medicine:
$750,000 fine Failure to assure that "Affiliated Covered Entities" implement policies and procedures Raleigh Orthopaedic Clinic Failure to execute Business Associate Agreements $0 loss to patients, no show of breach

13 Examples (Continued) Rotech Healthcare (Respiratory/Apnea Facility)
June 13—Notified by Police PHI Recovered Copies received July 11 from US Secret Service Forensic Investigators attempt to determine scope

14 Ransomware in Health Care
Hollywood Presbyterian Methodist Hospital (KY) MedStar Health King's Daughters' Health (IN) Kansas Heart Hospital Sometimes paying the ransom doesn't work As of early August, CryptoLocker ransomware had stolen $27 million from hospitals in 2016

15 Ransomware Types Phishing and Drive-by Downloads Multiple variants
Malvertisements Multiple variants Some threaten to disclose data ("Exfiltration") Most utilize the same old tools and tricks Bad attachments Bad links

16 Ransomware OCR Release of Guidance 7/11/16
Presence of ransomware (or any malware) is a security incident Encryption of data resulting from ransomware is a breach because the ePHI was "acquired" (i.e., control of data was taken) by the hacker* Need to show a "low probability that the PHI has been compromised," or report breach Potential exfiltration not the only issue *No, you haven't taken Crazy Pills™, this makes no sense

17 Ransomware Six of 10 ransomware victim organizations made changes to security infrastructure after ransomware attack Unplanned data center downtime costs hospitals $7,900 per minute* It takes physicians twice as long to perform admin tasks manually (without EHR) *Ponemon Institute survey

18 DON'T LOOK FOR A PRODUCT . . . CREATE A PROCESS
Defenses DON'T LOOK FOR A PRODUCT CREATE A PROCESS

19 Defenses Keep Patches Up to Date Limit Access
Training (especially in social engineering) Quick Identification and Response Web Filtering Application Whitelisting Insurance

20 Preparation and Response
Plan Written Plan with List of Contacts Tabletop Exercises Bitcoin Account Backups

21 Preparation and Response
Respond Initial Analysis (Scope, 4 Ws, Ongoing, etc.) Contain Impact and Propagation Eradicate Recover Post-Incident Review

22 STOP PANICKING! Compliance, Compliance, Compliance Continuous Cycle of
Risk Assessment Risk Management Policies and Procedures Education Monitoring/Auditing Benchmark Continuous Cycle of Improvement

23 Questions? Trish Markus (919) 329-3853 trish.markus@nelsonmullins.com
Roy Wyman (615)

Download ppt "Ransomware, Hack and Breach: The Year of the Healthcare Breach"

Similar presentations

INADEQUATE SECURITY POLICIES Each covered entity and business associate must have written polices that cover all the Required and Addressable HIPAA standards.

INADEQUATE SECURITY POLICIES Each covered entity and business associate must have written polices that cover all the Required and Addressable HIPAA standards.
HIPAA Regulations What do you need to know?.

HIPAA Regulations What do you need to know?.
Jill Moore April 2013 HIPAA Update: New Rules, New Challenges.

Jill Moore April 2013 HIPAA Update: New Rules, New Challenges.
Information Security Jim Cusson, CISSP. Largest Breaches 110,000 2009-11-27 NorthgateArinso, Verity Trustees 6,400 2009-11-25 Aurora St. Luke's Medical.

Information Security Jim Cusson, CISSP. Largest Breaches 110, NorthgateArinso, Verity Trustees 6, Aurora St. Luke's Medical.
© Copyright 2014 Saul Ewing LLP The Coalition for Academic Scientific Computation HIPAA Legal Framework and Breach Analysis Presented by: Bruce D. Armon,

© Copyright 2014 Saul Ewing LLP The Coalition for Academic Scientific Computation HIPAA Legal Framework and Breach Analysis Presented by: Bruce D. Armon,
DHS SECURITY INCIDENT REPORTING AND RESPONSE SECURITY INCIDENT REPORTING AND RESPONSE DHS managers, employees, and other authorized information users.

DHS SECURITY INCIDENT REPORTING AND RESPONSE SECURITY INCIDENT REPORTING AND RESPONSE DHS managers, employees, and other authorized information users.
Lecture 11 Reliability and Security in IT infrastructure.

Lecture 11 Reliability and Security in IT infrastructure.
Company LOGO Copyright Carrie Kerskie Data Breach & Identity Theft By Carrie Kerskie Kerskie Group, Inc.

Company LOGO Copyright Carrie Kerskie Data Breach & Identity Theft By Carrie Kerskie Kerskie Group, Inc.
External Threats to Healthcare Data Joshua Spencer, CPHIMS, C | EH.

External Threats to Healthcare Data Joshua Spencer, CPHIMS, C | EH.
Columbia University Medical Center Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) Privacy & Information Security Training 2009.

Columbia University Medical Center Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) Privacy & Information Security Training 2009.
Information Security Technological Security Implementation and Privacy Protection.

Information Security Technological Security Implementation and Privacy Protection.
Your Trusted Partner In All Things IT. 20 Years of IT Experience University Automotive Food Service Banking Insurance Legal Medical Dental Software Development.

Your Trusted Partner In All Things IT. 20 Years of IT Experience University Automotive Food Service Banking Insurance Legal Medical Dental Software Development.
UNDERSTANDING THE RISKS & CHALLENGES OF Cyber Security DAVID NIMMO InDepth IT Solutions DAVID HIGGINS WatchGuard NEIL PARKER BridgePoint Group A BridgePoint.

UNDERSTANDING THE RISKS & CHALLENGES OF Cyber Security DAVID NIMMO InDepth IT Solutions DAVID HIGGINS WatchGuard NEIL PARKER BridgePoint Group A BridgePoint.
 INADEQUATE SECURITY POLICIES ›Each covered entity and business associate must have written polices that cover all the Required and Addressable HIPAA.

 INADEQUATE SECURITY POLICIES ›Each covered entity and business associate must have written polices that cover all the Required and Addressable HIPAA.
PRIVACY, SECURITY & ID THEFT PREVENTION - TIPS FOR THE VIGILANT BUSINESS - SMALL BUSINESS & ECONOMIC DEVELOPMENT FORUM October 21, 2014 -WITH THANKS TO.

PRIVACY, SECURITY & ID THEFT PREVENTION - TIPS FOR THE VIGILANT BUSINESS - SMALL BUSINESS & ECONOMIC DEVELOPMENT FORUM October 21, WITH THANKS TO.
A Growing Threat Debbie Russ 1/28/2015. What is Ransomware? A type of malware which restricts access to the computer system that it infects, and demands.

A Growing Threat Debbie Russ 1/28/2015. What is Ransomware? A type of malware which restricts access to the computer system that it infects, and demands.
Medical Law and Ethics, Third Edition Bonnie F. Fremgen Copyright ©2009 by Pearson Education, Inc. Upper Saddle River, New Jersey 07458 All rights reserved.

Medical Law and Ethics, Third Edition Bonnie F. Fremgen Copyright ©2009 by Pearson Education, Inc. Upper Saddle River, New Jersey All rights reserved.
GSHRM Conference Cyber Security Education Shri Cockroft, CISO Piedmont Healthcare, Inc. September 21, 2015.

GSHRM Conference Cyber Security Education Shri Cockroft, CISO Piedmont Healthcare, Inc. September 21, 2015.
LeToia Crozier, Esq., CHC Vice President, Compliance & Regulatory Affairs Corey Wilson Director of Technical Services & Security Officer Interactive Think.

LeToia Crozier, Esq., CHC Vice President, Compliance & Regulatory Affairs Corey Wilson Director of Technical Services & Security Officer Interactive Think.
A PRACTICAL GUIDE TO RESPONDING TO A HEALTHCARE DATA SECURITY BREACH May 19, 2011 | State College, PA Matthew H. Meade Stephanie Winer-Schreiber.

A PRACTICAL GUIDE TO RESPONDING TO A HEALTHCARE DATA SECURITY BREACH May 19, 2011 | State College, PA Matthew H. Meade Stephanie Winer-Schreiber.

Similar presentations

Ads by Google