Cyber Security to Reduce Cyber Liability

Knowing cyber risks is essential to manage cyber liabilities

Uploaded by: kimama
Posted on 09-Feb-2016

DESCRIPTION

Knowing cyber risks is essential to manage cyber liabilities. Cyber Security to Reduce Cyber Liability. Discover the prevalence of cyber attacks. Realize the monetary penalties attached to breached data. Review steps that a company can take to try to control risks. - PowerPoint PPT Presentation

TRANSCRIPT

Page 1: Cyber Security to Reduce Cyber Liability

Knowing cyber risks is essential to manage cyber liabilities

CYBER SECURITY TO REDUCE CYBER LIABILITY

Page 2: Cyber Security to Reduce Cyber Liability

Today we will…

• Discover the prevalence of cyber attacks.
• Realize the monetary penalties attached to breached data.
• Review steps that a company can take to try to control risks.
• Take advantage of web resources to understand how to defend against data breaches.

Page 3: Cyber Security to Reduce Cyber Liability

Practices acquire and keep highly sensitive data

• Names
• Birthdates
• Social Security Numbers
• Addresses
• Medicare Numbers
• Insurance Numbers
• Medical conditions
• Credit Card numbers
• Debit Card numbers
• Family members’ names
• Work locations

Page 4: Cyber Security to Reduce Cyber Liability

CYBER SECURITY

Page 5: Cyber Security to Reduce Cyber Liability

Cyber Security

• Hackers have attacked almost every computer system.
• The government has taken extraordinary steps to protect computerized data.
• Breaching firewalls and obtaining sensitive data occurs daily.
• Some cyber attacks go unnoticed by users for weeks, months and even years when hackers attach malware to computers.

Page 6: Cyber Security to Reduce Cyber Liability

Cyber Security Breach Frequency

Companies in the computer software, IT and healthcare sectors accounted for 93 percent of the total number of identities stolen in 2011.

Theft or loss was the most frequent cause, across all sectors, accounting for 34.3 percent, or approximately 18.5 million identities exposed in 2011.

Internet Security Threat Report Volume 17, Symantec, April 2012

Page 7: Cyber Security to Reduce Cyber Liability

Cyber Security Breaches

Most data breach victims fell prey because they were found to possess an (often easily) exploitable weakness rather than because they were pre-identified for attack; 79 percent of victims were targets of opportunity, and 96 percent of attacks were not highly difficult.

2012 Data Breach Investigations Report (DBIR), Verizon Business, April 2012

Page 8: Cyber Security to Reduce Cyber Liability

By the Numbers

In 2012, the Identity Theft Resource Center (ITRC) documented 447 breaches in the United States, exposing 17,317,184 records. In the first half of 2013, there have so far been 255 incidents, exposing 6,207,297 records.

Thus far in 2013, 48 percent of reported data breaches in the United States have been in the medical/healthcare industry. In 2012, there were 154 breaches in the medical and healthcare sector, accounting for 34.5 percent of all breaches in 2012, and 2,237,873 total records lost.

ITRC Breach Report, Identity Theft Resource Center, May 2013

Page 9: Cyber Security to Reduce Cyber Liability

CYBER SECURITY

“With a little bit of research, some crafty writing and the right technology, crooks make a good living running targeted attacks to steal corporate and government data.” -- Trustwave.com, “Inside a Hacker’s Playbook”.

Page 10: Cyber Security to Reduce Cyber Liability

Cyber Security

As personal devices become more integrated into daily lives, creating “smart homes”, criminals take advantage. According to the Wall Street Journal, August 1, 2013, ‘Smart Homes’ Are A Hacking Risk:

“From his computer Mr. Crowley can disarm a home security system, open a garage door and turn off lights. He just needs those gadgets to be connected to the Internet—a step consumers are increasingly taking to control facets of their lives using smartphones and tablets.”

Page 11: Cyber Security to Reduce Cyber Liability

Cyber Security: Knowing it has happened

In 2012:
• 76% of breached organizations needed someone else to tell them they had been compromised.
• 48% were informed by regulatory bodies.
• 25% were informed by law enforcement.
• 2% were informed by a third party.
• 1% were informed by the public.

Page 12: Cyber Security to Reduce Cyber Liability

Cyber Security

If sensitive data falls into the wrong hands, it can lead to:
• Fraud.
• Identity theft.
• Financial theft.
• Public ridicule.
• Loss of business interest.
• Loss of trust.
• Interrupted business.
• Lawsuits.

Page 13: Cyber Security to Reduce Cyber Liability

Data: Practices acquire and keep highly sensitive data

The manner in which data is protected can determine the extent of liability in the event of a cyber attack:
• Manage passwords.
• Maintain and confirm activation of firewalls.
• Control downloads.
• Restrict access.
• Prohibit internet access through unapproved sites.
• Education.
• Discipline employees for non-compliance.

Page 14: Cyber Security to Reduce Cyber Liability

Cyber Safety Steps

• Always lock cell phones and tablets with password protection, and set them up for a remote wipe if they are lost or stolen.

• Disable all automatic logins and enable automatic screen locks after a few minutes of inactivity.

• Never send patient information via text. Text messages are not protected.

Page 15: Cyber Security to Reduce Cyber Liability

Penalties

Page 16: Cyber Security to Reduce Cyber Liability

Penalties

Section 160.404 of the HITECH Act refers to the amount of civil monetary penalty as administered under the HITECH (Health Information Technology for Economic and Clinical Health) Act. When data is breached, the company can be fined:

Violation Type                    Each Violation        Repeat Violations/year
Did Not Know                      $100 – $50,000        $1,500,000
Reasonable Cause                  $1,000 – $50,000      $1,500,000
Willful Neglect – Corrected       $10,000 – $50,000     $1,500,000
Willful Neglect – Not Corrected   $50,000               $1,500,000

Page 17: Cyber Security to Reduce Cyber Liability

DATA BREACHES ARE TRACKED AND POSTED BY HHS:

http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html

Page 18: Cyber Security to Reduce Cyber Liability

Reporting Encrypted Data Breach

“Covered entities and business associates that implement the specified technologies and methodologies with respect to protected health information are not required to provide notifications in the event of a breach of such information—that is, the information is not considered ‘‘unsecured’’ in such cases.”

Federal Register vol. 78 No. 17 January 25, 2013

Page 19: Cyber Security to Reduce Cyber Liability

Called the “Get out of Jail Free Card”

Many of the breaches of electronic data would have been avoidable if the data had been encrypted (a ‘Get Out of Jail Free Card’ in the data breach reporting rule).

Encryption software, often less than $200.00, can protect data in the event of a cyber attack. In some cases, the software is free.

Page 20: Cyber Security to Reduce Cyber Liability

5 PRINCIPLES TO INCREASE SECURITY

Page 21: Cyber Security to Reduce Cyber Liability

5 Key Principles

1. Know: Know what data is housed on your computer systems. Take stock of the sensitive nature of the data. Knowing what is attractive to cyber criminals will reduce the risk of inadvertently making data available:

1. Credit card numbers
2. Medicare Numbers
3. Birthdates
4. Mother’s Maiden Name
5. Addresses
6. Maiden Name

Page 22: Cyber Security to Reduce Cyber Liability

5 Key Principles

2. Keep it Small: Keep only the minimum data necessary to provide services.

Determine when data can be eliminated and deleted to reduce the risk of damage in the event of a breach. Set timeframes to delete unnecessary, obsolete and outdated data.

A retained medical record may not need to include information such as credit card numbers, maiden names, Medicare numbers or social security numbers. Strip sensitive data from files on discharge.
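The "keep it small" principle on this slide can be enforced mechanically rather than by memory: strip payment and identity fields from a record at discharge, and delete whole records once they pass an agreed retention window. The following Python is an added example written for this page, not code from the presentation; the field names, the seven-year retention window and the sample patient records are all constructed assumptions, and the window is a placeholder, not a statement of what any regulation requires.

```python
from datetime import date, timedelta

# Fields the slide says a retained medical record does not need.
# Assumed column names: the deck names the data types, not fields.
STRIP_ON_DISCHARGE = {"credit_card_number", "maiden_name", "medicare_number", "ssn"}

# Assumed retention window for discharged records. The deck says to set a
# timeframe but gives none; seven years here is a placeholder only.
RETENTION_DAYS = 7 * 365


def minimize_on_discharge(record):
    """Return a copy of a discharged record with payment/identity fields removed.
    Clinical content (diagnosis etc.) is kept; only fields that serve no
    purpose once the patient is discharged are dropped."""
    return {field: value for field, value in record.items()
            if field not in STRIP_ON_DISCHARGE}


def is_past_retention(record, today, retention_days=RETENTION_DAYS):
    """True when a discharged record is older than the retention window."""
    discharged = record.get("discharge_date")
    if discharged is None:          # still an active patient
        return False
    return (today - discharged) > timedelta(days=retention_days)


def apply_retention_policy(records, today):
    """Apply 'keep it small': active records are kept as-is, discharged
    records are minimized, and records past retention are scheduled for
    deletion. Returns (records_to_keep, patient_ids_to_delete). The input
    list is not modified, so the caller can log before committing."""
    kept, to_delete = [], []
    for record in records:
        if record.get("discharge_date") is None:
            kept.append(dict(record))
        elif is_past_retention(record, today):
            to_delete.append(record["patient_id"])
        else:
            kept.append(minimize_on_discharge(record))
    return kept, to_delete


def count_sensitive_fields(records):
    """Audit helper: how many strip-on-discharge fields remain across records."""
    return sum(1 for r in records for field in r if field in STRIP_ON_DISCHARGE)


# Constructed sample data (not real patients); values are obvious placeholders.
SAMPLE_RECORDS = [
    {"patient_id": "P-001", "name": "Patient A", "dob": date(1950, 3, 2),
     "ssn": "000-00-0001", "credit_card_number": "4111111111111111",
     "medicare_number": "0000-000-0001", "diagnosis": "hypertension",
     "discharge_date": None},                       # active patient
    {"patient_id": "P-002", "name": "Patient B", "dob": date(1962, 7, 9),
     "ssn": "000-00-0002", "credit_card_number": "4111111111111112",
     "medicare_number": "0000-000-0002", "diagnosis": "fracture, left wrist",
     "discharge_date": date(2013, 5, 1)},           # discharged recently
    {"patient_id": "P-003", "name": "Patient C", "dob": date(1944, 11, 30),
     "ssn": "000-00-0003", "credit_card_number": "4111111111111113",
     "medicare_number": "0000-000-0003", "diagnosis": "pneumonia",
     "discharge_date": date(2004, 1, 15)},          # past the retention window
]
TODAY = date(2013, 8, 1)

if __name__ == "__main__":
    before = count_sensitive_fields(SAMPLE_RECORDS)
    kept, to_delete = apply_retention_policy(SAMPLE_RECORDS, TODAY)
    print(f"sensitive fields before: {before}, after: {count_sensitive_fields(kept)}")
    print(f"records kept: {[r['patient_id'] for r in kept]}, to delete: {to_delete}")
```

Run on the sample data, the active patient keeps every field, the recently discharged patient keeps the clinical record but loses the card, Medicare and SSN fields, and the record discharged in 2004 is queued for deletion. The audit count is the check a practice would run after the job: it should fall to exactly the number of fields still held for active patients, which is what an auditor (or the breach notification rule) would ask about.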

Page 23: Cyber Security to Reduce Cyber Liability

5 Key Principles

3. Lock it: Just as you would lock a file cabinet, lock the information stored on computers, disks, CDs, videos and servers.

• Restrict the number of people who have access to the locked room.
• Lock laptop computers in a locked cabinet.
• Restrict access to areas where computers are used.
• Check for new virus threats daily; assign one employee to notify all employees of newly identified threats.
• Never permit employees to download software.
• Increase security on e-mails to restrict spam.
• Run a virus scan daily.

Page 24: Cyber Security to Reduce Cyber Liability

5 Key Principles

3. Lock It:
• Use passwords that are difficult to break: contain symbols, numbers and upper and lower case letters.
• Maintain strong firewalls and malware protection.
• Remember: data can be stored on copiers and electronic fax machines.
• NEVER store data on laptop computers, only on servers.
• Change passwords at least every six months.
• Monitor the company website for cyber attacks at least weekly.

Page 25: Cyber Security to Reduce Cyber Liability

5 Security Principles

3. Lock It:
• Use firewalls to protect computers from hackers.
• Use network firewalls in addition to station firewalls.
• Limit wireless access to the network.
• Encrypt all wireless devices.
• Apply all security protections on digital copiers.

Page 26: Cyber Security to Reduce Cyber Liability

5 Key Principles

4. Destroy it properly:
• Have a plan to destroy computers effectively. Prevent data stored on discarded computers from being accessed.
• Destroy computers through a commercial destruction company.
• If in-house computer destruction is conducted, confirm strategic approaches to render all computers completely destroyed by using wipe software.
• Empty sent e-mails routinely.
• Empty “trash” files daily.

Page 27: Cyber Security to Reduce Cyber Liability

5 Key Principles

4. Destroy it properly:
• Shred all documents containing personal data.
• Make sure employees accessing information remotely follow the same procedures for disposing of sensitive documents and old computers and storage devices.
• If using credit reports as part of your business, destroy them once the information has been gathered for its purpose.

Page 28: Cyber Security to Reduce Cyber Liability

5 Key Principles

5. Plan Ahead: Ask what would we do “IF”
• Have a data recovery plan in the event of lost data, e.g. data breach, virus, flood, tornado, earthquake.
• Back up data regularly.
• Consider off-site secured server storage.
• Have a plan to replace computers in case of theft, loss or destruction.
• Use “remote find” services to recover lost computers, phones or tablets.

Page 29: Cyber Security to Reduce Cyber Liability

TRAINING

Page 30: Cyber Security to Reduce Cyber Liability

Training

• Conduct training at hire and annually.
• Teach staff to recognize cyber threats.
• Obtain confidentiality and compliance agreements from every employee.
• Keep records of who needs updated training as new applications are introduced. Prompt training will go a long way to reduce risks.
• Limit access to sensitive data by job description; do not train staff on applications they do not “need to know” to perform their jobs.

Page 31: Cyber Security to Reduce Cyber Liability

Training

• Conduct competency testing to determine whether or not staff is compliant with company requirements.
• Train employees to recognize phishing scams.
• Teach employees how to handle callers seeking personal data on patients, such as social security or credit card numbers.

Page 32: Cyber Security to Reduce Cyber Liability

Training

Encourage every employee to keep current with security topics at the FTC interactive tutorials and HIPAA websites at:

http://business.ftc.gov/privacy-and-security

http://business.ftc.gov/privacy-and-security/data-security

http://omnibus.healthcareinfosecurity.com/breach-notification-c-327

Page 33: Cyber Security to Reduce Cyber Liability

REFERENCES

Wall Street Journal, August 1, 2013

Federal Trade Commission: http://www.ftc.gov/bcp/index.shtml

Federal Trade Commission: Protecting Personal Information, A Guide for Business: http://business.ftc.gov/documents/bus69-protecting-personal-information-guide-business

Trustwave, “Inside a Hacker’s Playbook”: http://www2.trustwave.com/rs/trustwave/images/Inside%20a%20Hacker%27s%20Playbook.pdf

Zephyr Networks: http://www.zephyrnetworks.com/hipaa-healthcare-data-breaches-financial-penalties/

HHS Data Breach Rule: http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/index.html

Federal Register, Jan. 25, 2013: http://www.gpo.gov/fdsys/pkg/FR-2013-01-25/pdf/2013-01073.pdf