2016 spring chima 2016 year of the hack · 5/6/2016 1 drew lbblabbo trent hein who are these...
TRANSCRIPT
5/6/2016
1
D L bbDrew Labbo
Trent Hein
Who Are These Guys!!??
Trent Hein
CISSP, CCIE‐15, CSSA, ISSMP, ISSAP, CSSA
Co‐Founder and Co‐CEO of Applied Trust
Drew Labbo
MBA, CISSP, ITIL
CISO at Denver Health and Hospital Authority
Principal, RMHG LLC – Rocky Mountain HIPAA Guru
5/6/2016
2
IT Security: The World We Live In Worldwide explosion of the Internet has produced an Worldwide explosion of the Internet has produced an abundance of professional, skilled hackers
Strong security is required for protecting both image and business operations
Public awareness/concern for security and privacy has reached a threshold level
Organizational security is a “second thought”
What Is Security? VigilanceVigilance
Knowledge
Risk management
Methodology and policies
Applied science/forensics
Architecture
Implementation
Operations
5/6/2016
3
Security Myths
Myth #1: “We aren’t a likely target of attack.”
Fact: 41.1% of CSI/FBI Computer Crime Survey respondents reported detecting a breach in the prior 12
hmonths.
Security Myths
Myth #2: “A small percent of attacks involve insiders.”
Fact: Actually, about a quarter of all attacks or misuse involve insiders.
5/6/2016
4
Security Myths
Myth #3: “We’re secure because we have a firewall.”
Fact: Almost nothing could be further from the truth. Multiple surveys have established that 95 percent of
h h d b k h d d dorganizations that had a break‐in had a standard commercial firewall in place.
Security Myths
Myth #4: “We haven’t been broken into, therefore we are secure.”
Fact: Most break‐ins go undetected for more than 6 hmonths.
5/6/2016
5
Notable 2015 Breaches Premera BlueCross BlueShield (January 2015)Premera BlueCross BlueShield (January 2015)
Exposed names, birth dates, SSNs, bank account information, and addresses of up to 11.2 million subscribers.
According to the Seattle Times, the organization had been warned the previous year that its IT systems were vulnerable to a possible attack.
The attack is suspected to have been conducted by a Chinese state‐sponsored hacking group that used a look‐alike domain (prennera.com) designed to trick employees into downloading malicious software.
Anthem/Wellpoint (February 2015)Anthem/Wellpoint (February 2015)
Exposed names, birth dates, SSNs, health‐care ID numbers, home addresses, email addresses, employment information, and income data of 80 million patients and employees.
The Wall Street Journal reported that Anthem had not encrypted the data that was accessed by hackers.
As with the Premera hacking, the attack is suspected to have been conducted by a Chinese state‐sponsored hacking group that used a look‐alike domain (we11point.com) designed to trick employees into downloading malicious software.
Notable 2015 Breaches Kaspersky Lab (June 2015)Kaspersky Lab (June 2015)
The attack against the Moscow‐based security vendor, which it named Duqu 2.0, was believed to be a nation‐state‐sponsored attack.
The compromise included information on the company's newest technologies, such as Kaspersky’s Secure Operating System, Kaspersky Fraud Prevention, Kaspersky Security Network, and Anti‐APT solutions and services.
The attackers breached the company’s internal systems using “Duqu 2.0” malware, involving a 19‐megabyte toolkit with plugins for various reconnaissance and data‐theft activities, as well as at least three zero‐day exploits.
CareFirst BlueCross BlueShield (May 2015)E d bi th d t il dd d b ib i f ti f Exposed names, birth dates, email addresses, and subscriber information of 1.1 million members.
Occurred when attackers accessed a single CareFirst database in June 2014.
Discovered as part of a Mandiant‐led security review that found hackers had gained access to a database that members use to get access to the company's website and services.
5/6/2016
6
Notable 2016 Breaches University of California at Berkeley (February 2016)
Possibly exposed the Social Security and bank account numbers of 80 000 Possibly exposed the Social Security and bank account numbers of 80,000 current and former faculty, staff, students and vendors.
The attack occurred in December 2015, when an unauthorized party obtained access to portions of computers that are part of the Berkeley Financial System (BFS) through a security flaw that UC Berkeley was in the process of patching.
21st Century Oncology (March 2016) 2.2 million patients may have had their names, Social Security numbers,
physician names, diagnosis and treatment data, and insurance information accessed by an "unauthorized third party" that broke into a company database in October 2015.
The breach involved patients in all 50 states and several foreign countries. Office Of Child Support Enforcement (April 2016)
A personal laptop computer and several hard drives were stolen from a federal office building in the state of Washington in February. The stolen items contained up to 5 million individual names, Social Security numbers, birthdates, addresses and phone numbers.
The stolen personal laptop was used to conduct child‐support audits for the state; it was unclear whether it was encrypted.
Breaches: Lessons Learned Users behavior and awareness is keyUsers behavior and awareness is key
Phishing is #1 vector
Multifactor Authentication is a MUST
Manage contractor/vendor access carefully
External‐facing applications MUST be penetration tested
Automated scanning is NOT adequate
Zero‐day vulnerability strategy?
5/6/2016
7
3 Golden Rules of Mobile1. Apply appropriate safeguards to the device to 1. Apply appropriate safeguards to the device to
mitigate the risk of information exposure due to loss or theft.
2. Report any device that is lost, stolen, or otherwise compromised.
3. Wipe (i.e., erase) all data stored on any device before transferring ownership (e.g., by sale or trade‐in).
Appropriate Safeguards? Every device must have a PINEvery device must have a PIN
Every device must be encrypted
IOS enabled with a PIN
Android enabled under “Security”
SMS is NOT secure (no ePHI in texts!)
5/6/2016
8
Appropriate Safeguards (cont.) Consider a Mobile Device Management (MDM) Consider a Mobile Device Management (MDM) platform
But AT THE VERY MINIMUM, enforce any device access requires encryption, PIN, and remote wipe
Don’t “teach” bad practices by requiring users to install h ’ f dapps that aren’t certified
ePHI only in approved apps/locations
2016 Enforcement UpdateHIPAA Rogues’ GalleryHIPAA Rogues Gallery
5/6/2016
9
http://www.hhs.gov/hipaa/for‐professionals/compliance‐enforcement/agreements/index.html
Laptop stolen out of car; 13,000 patients
5/6/2016
10
Lessons Learned
Mobile devices *MUST* be encrypted
Mobile devices issued *MUST* be inventoried and d ll h l h f lmanaged especially when leaving the facility
A locked car is *not* a reasonable safeguard for storing PHI
HIPAA policies and procedures and a security management process *MUST* be in place
Stolen laptop; 9,497 patients; no BAA in place
5/6/2016
11
Lessons Learned
Mobile devices *MUST* be encrypted
A locked car is *not* a reasonable safeguard for storing PHI
A risk analysis *MUST* be performed and updated
BAAs *MUST* be in place when PHI is shared with third party business associates
PHI Used in Online Internet Site Testimonials without Patient Authorization
5/6/2016
12
Lessons Learned
Authorization *MUST* be obtained if PHI is shared in public relations and marketing initiatives
l d d f b HIPAA policies and procedures for obtaining authorization must be documented and implemented
Affiliate Sharing of PHI with No Risk Analysis Requested or Shared
5/6/2016
13
Lessons Learned
Organizations *MUST* conduct risk analysis
Organizations must get assurances beyond just BAAs h ll b l dthat PHI will be appropriately protected
Organizations should be defining in Agreements the right to request risk analysis from affiliates and business associates
Organizations should be requesting evidence of risk analysis activity for affiliates and business associatesanalysis activity for affiliates and business associates
For Covered Entities
Remind everyone who the customer isRemind everyone who the customer is
Vendors/BA’s **DO** have security responsibility
If security controls cause issues with vendor technology, it must be addressed rather than controls disabled
5/6/2016
14
For Business Associates
You bear as much HIPAA security safeguard responsibility as covered entities do (Omnibus Rule)
Having a strong security program is the right thing to do and a potential market differentiator
Transparency with information security controls, risk management, and HIPAA security safeguard compliance will become increasingly expected
HHS HIPAA Audit Protocolhttp://www.hhs.gov/hipaa/for‐professionals/compliance‐enforcement/audit/protocol‐current/
5/6/2016
15
From HHS… The audit protocol covers Privacy Rule requirements for (1) notice of privacy practices for PHI, (2) rights to
f ( ) frequest privacy protection for PHI, (3) access of individuals to PHI, (4) administrative requirements, (5) uses and disclosures of PHI, (6) amendment of PHI, and (7) accounting of disclosures.
The protocol covers Security Rule requirements for administrative, physical, and technical safeguardsadministrative, physical, and technical safeguards
The protocol covers requirements for the Breach Notification Rule.
HHS Audit Protocol
Not just security but also privacy!Not just security but also privacy!
Policies and procedures will be requested
Evidence that policies and procedures are implemented operationally will be requested
Evidence of controls effectiveness could be requested
5/6/2016
16
Ransomware
Anti‐virus/anti‐malware countermeasures *MUST* be running on all servers and endpoints
Key to backup data and perform periodic backup restore tests
Phishing awareness for the workforce is key
Two factor authentication for remote access can prevent compromised credentials from being abused
Questions???
5/6/2016
17
Contact us…
Drew Labbo
Drew Labbo <[email protected]>
Trent Hein
Trent Hein <[email protected]>@ pp