External Threats to Healthcare Data

Joshua Spencer, CPHIMS, C|EH

Certified Ethical Hacker (C|EH) Cyber-security Researcher AVP & Chief Information Security Officer

UT Southwestern Medical Center

Joshua Spencer

Overview Why do hackers want my healthcare data?

Who wants to steal it?

How do they do it?

What is the impact of a breach?

How do I protect against it?

Why do hackers want my healthcare data?

55%30%

10%

5%

Financial FraudMedical Identity TheftIdeology\FunState Sponsored Attacks

*2015 Verizon Data Breach Investigations Report

*2015 CSID Medical Identity Theft Report

*2015 CSID Medical Identity Theft Report

Who are the external “hackers”?

*Dell Secureworks Healthcare Data Security Threats

5%

15%

80%

Advanced Persis-tant Threats (APT)

Script Kiddies

Industrialized Hack-ing Organizations

How am I being hacked?

40%

28%

17%

9%

4% 2%

Employee PhishingVendor CompromiseWebsite HackingEmployee Internet UseEmployee AccidentOn-location Hacking

*2014 Ponemon Benchmark Study on Patient Privacy and Data Security

Employee receives

fraudulent email

reminding employee to

“Confirm their Recent

Promotion” User clicks link in email and logs into fake HR website

Hacker logs Into network

remotely using stolen

password Hacker scans network and

steals databases

Hacker sells stolen

information on black market

to identity thieves

Hacker logs into employee email to send

fraudulent email to all

contacts

Employee Phishing

Employee receives fraudulent email

reminding employee to

“Confirm their Recent Promotion”

User clicks link in email and logs into

fake HR website

Hacker logs into network remotely

using stolen password

Hacker scans network and steals

databases

Hacker sells stolen information on black market

to identity thieves

Hacker logs into employee email to

send fraudulent email to all contacts

Create and sell fraudulent

medical, Social Security and

State ID cards

Obtain prescriptions for

narcotics

Partner with illicit providers for fraudulent

Medicare billing

Employee Phishing

Vendor hacked

Hacker accesses customer databases

Hacker logs Into your network remotely and

steals databases

Hacker sells stolen information on black market

to identity thieves

Hacker logs Into employee email to

send fraudulent email to all

contacts

VendorCompromise

Website had a

software flaw

discovered

Bug allows a

hacker to bypass

the login

Company fails to

apply the security update quickly enough

Hacker uses a

network of

infected computer

s to attack

website

Attack installs data

stealing program

Program scans for juicy data

(SSN)

Data sent to

attacker’s computers

Hacker sells

stolen informati

on on black

market to identity thieves

Computer now used to attack

other companie

s

Website Hacking

Employee’s

computer has a

software flaw

discovered

Employee visits a hacked website

Company fails to

apply the security update quickly enough

Attack installs data

stealing program

Program scans

network for juicy data (tax returns,

spreadsheets with SSN)

Data sent to

attacker’s computers

Hacker sells

stolen information on black market to identity thieves

Computer now used to attack

other companie

s

Internet Use

How am I being successfully hacked?

*2014 Ponemon Benchmark Study on Patient Privacy and Data Security

5%

27%

69%

Company Specific AttackHealthcare Industry AttackUntargeted Attack

What is the impact of a breach?

Consequences of a breach are much greater than most other industries

Incorrect medical records (blood type, allergies, conditions) causes patient safety risks

HIV status disclosure is much more emotionally damaging than a Home Depot purchase history

Can’t give patients a new identity like you can with Credit Cards

*2014 Ponemon Benchmark Study on Patient Privacy and Data Security; Dell Secureworks Healthcare Data Security Threats

What is the impact of a breach? $398 per health record on average in the U.S.

Does not factor in reputational damage

Increasing civil penalties from HHS, up to $1.5 million

Heavy scrutiny from media and regulators

80% of new patients screen their provider on search engines

Increasing use of “vendor scorecards” will hurt customer growth

*2014 Ponemon Benchmark Study on Patient Privacy and Data Security; Dell Secureworks Healthcare Data Security Threats

How do I protect my healthcare data? Factor security into your 3rd party vendor

evaluations

Hire or contract with Information Security specialists

Train employees on recognizing fraud

Know where your data is going

Backup your important data

Use two-factor authentication

Overview Why do hackers want my healthcare data?

Who wants to steal it?

How do they do it?

What is the impact of a breach?

How do I protect against it?