protecting healthcare data from hackers
External Threats to Healthcare Data
Joshua Spencer, CPHIMS, C|EH
Certified Ethical Hacker (C|EH)
Cyber-security Researcher
AVP & Chief Information Security Officer
UT Southwestern Medical Center
Overview
Why do hackers want my healthcare data?
Who wants to steal it?
How do they do it?
What is the impact of a breach?
How do I protect against it?
Why do hackers want my healthcare data?
[Chart] Categories: Financial Fraud, Medical Identity Theft, Ideology\Fun, State Sponsored Attacks. Values shown: 55%, 30%, 10%, 5%.
*2015 Verizon Data Breach Investigations Report
*2015 CSID Medical Identity Theft Report
Who are the external “hackers”?
*Dell Secureworks Healthcare Data Security Threats
[Chart] Categories: Advanced Persistent Threats (APT), Script Kiddies, Industrialized Hacking Organizations. Values shown: 5%, 15%, 80%.
How am I being hacked?
[Chart] Categories: Employee Phishing, Vendor Compromise, Website Hacking, Employee Internet Use, Employee Accident, On-location Hacking. Values shown: 40%, 28%, 17%, 9%, 4%, 2%.
*2014 Ponemon Benchmark Study on Patient Privacy and Data Security
Employee Phishing
Employee receives fraudulent email reminding employee to “Confirm their Recent Promotion”
User clicks link in email and logs into fake HR website
Hacker logs into network remotely using stolen password
Hacker scans network and steals databases
Hacker sells stolen information on black market to identity thieves
Hacker logs into employee email to send fraudulent email to all contacts
Create and sell fraudulent medical, Social Security and State ID cards
Obtain prescriptions for narcotics
Partner with illicit providers for fraudulent Medicare billing
Vendor Compromise
Vendor hacked
Hacker accesses customer databases
Hacker logs into your network remotely and steals databases
Hacker sells stolen information on black market to identity thieves
Hacker logs into employee email to send fraudulent email to all contacts
Website Hacking
Website had a software flaw discovered
Bug allows a hacker to bypass the login
Company fails to apply the security update quickly enough
Hacker uses a network of infected computers to attack website
Attack installs data stealing program
Program scans for juicy data (SSN)
Data sent to attacker’s computers
Hacker sells stolen information on black market to identity thieves
Computer now used to attack other companies
Internet Use
Employee’s computer has a software flaw discovered
Employee visits a hacked website
Company fails to apply the security update quickly enough
Attack installs data stealing program
Program scans network for juicy data (tax returns, spreadsheets with SSN)
Data sent to attacker’s computers
Hacker sells stolen information on black market to identity thieves
Computer now used to attack other companies
How am I being successfully hacked?
*2014 Ponemon Benchmark Study on Patient Privacy and Data Security
[Chart] Categories: Company Specific Attack, Healthcare Industry Attack, Untargeted Attack. Values shown: 5%, 27%, 69%.
What is the impact of a breach?
Consequences of a breach are much greater than in most other industries
Incorrect medical records (blood type, allergies, conditions) cause patient safety risks
HIV status disclosure is much more emotionally damaging than disclosure of a Home Depot purchase history
Can’t give patients a new identity the way you can reissue credit cards
*2014 Ponemon Benchmark Study on Patient Privacy and Data Security; Dell Secureworks Healthcare Data Security Threats
What is the impact of a breach?
$398 per health record on average in the U.S.
Does not factor in reputational damage
Increasing civil penalties from HHS, up to $1.5 million
Heavy scrutiny from media and regulators
80% of new patients screen their provider on search engines
Increasing use of “vendor scorecards” will hurt customer growth
*2014 Ponemon Benchmark Study on Patient Privacy and Data Security; Dell Secureworks Healthcare Data Security Threats
How do I protect my healthcare data?
Factor security into your 3rd party vendor evaluations
Hire or contract with Information Security specialists
Train employees on recognizing fraud
Know where your data is going
Back up your important data
Use two-factor authentication