1. Cybercrime and the Hidden Perils of Patient Data
Stephen Cobb, CISSP
Senior Security Researcher
2. Stephen Cobb
Sr. Security Researcher, ESET North America
Stephen Cobb has been a CISSP since 1996 and has helped companies large and small to manage their information security, with a focus on emerging threats and data privacy issues. The author of several books and hundreds of articles on IT security, Cobb leads a San Diego based security research team for ESET North America.
3. Cybercrime risk and response
• Information technology can improve productivity and profitability in healthcare delivery, but IT comes with risks
• The risks inherent in patient data increase as cybercrime increases
• Non-compliance with regulations is not the only cybercrime liability
• There are proven methodologies to reduce risk
5. It’s not your fault!
• Yes, humans do make mistakes, and there are acts of nature and system failures
• But most of that can be mitigated
• Criminal activity is harder to stop
• The global trade in stolen data makes any system that contains marketable data a target of criminal activity
6. How does cybercrime pay?
1. Criminals steal PII to sell on the black market
– Low risk, high reward
2. Different criminals buy the stolen data and commit fraud, e.g.
– Charge or debit credit/bank accounts
– File fraudulent tax refunds
– Make fraudulent wire transfers
– Carry out more complex scams like billing fraud
– Riskier than #1, but still safer than robbing banks
14. This is a RAT’s eye view of an infected computer:
• Remote Access Tool (RAT)
• As seen in the movie Blackhat
• Access to your microphone, webcam, files, passwords, and everything else…
15. Card data sold here
• Carding sites
• Just one example: McDumpals
• Cards sold in “dumps”
– Priced by freshness, balance, type and location
18. What an electronic health record contains, and why each layer is stolen
L1: Basic personal data (your name, physical address, phone, email, employer): stolen to sell to spammers and for data mining, profiling, appending
L2: Non-public identifiers (your date of birth, medical record number, Social Security number, driver’s license details): sold for various kinds of identity theft such as tax ID fraud
L3: Financial data (your insurance provider, plan type, payment info, credit card, bank account): sold for financial fraud, billing scams, theft of funds
L4: Medical data (patient history, blood type, allergies, symptoms, medical conditions, prescriptions, genetic data): sold for use in medical ID fraud, billing fraud, drug and service theft and abuse
20. Nightmare scenario?
• Your organization is identified as the source of information that causes harm
• Tammy Wynette case: Pittsburgh Medical Center employee sold records to a newspaper
21. How to respond?
• Make sure everyone in your organization is taking security seriously
• But treat rules like HIPAA as a baseline
– Liability for breached data does not begin or end with HIPAA
• Negligence claims are heating up
– Such claims are decided on the standard of due care: what a reasonable organization would have done
– An organization may be held liable for the actions of an employee even if it is “HIPAA compliant”
22. The ABCs of Cybersecurity
• Assess your assets, risks, resources
• Build your policy
• Choose your controls
• Deploy controls
• Educate employees, execs, vendors
• Further assess, audit, test
23. The top three strategies
#1. Perform and document a risk assessment
– It’s the basis of your security program
– Your defense in case of a breach
– And a hedge against fines!
Meaningful Use optometry clinic audit (MN): failed to perform a proper risk assessment; failed to follow policies and procedures. Penalty: initial incentive payments had to be repaid, plus two more years of payments totaling more than $40,000 put in doubt (a practice of just 3 ODs).
OCR hospital ePHI breach (NY): hospital failed to complete an accurate and thorough risk analysis identifying all systems that access ePHI. Penalty: fined $4.8 million.
24. The top three strategies
#2. Get an outside review of your security
– Even with the best of intentions there can be security gaps
– Real world examples from healthcare companies:
• “We require passwords to be changed every six months” – but the system allowed passwords to remain unchanged
• “We delete access for all ex-employees” – but several dozen ex-employees still had access
• “We use antivirus on all our endpoints” – but it was turned off in the HR department
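Each of the three gaps above is found the same way: take the policy statement, pull the data the system actually holds, and list the exceptions. The following is an added example, not part of the original presentation: a Python script that runs those three checks (password age against the six-month rule, the HR termination list against still-enabled accounts, and the endpoint inventory against running antivirus) over constructed sample data. The field names (`pw_last_set`, `av_running` and so on) and the sample accounts, hosts and dates are assumptions for the example; a real review would feed it a directory export and an endpoint inventory.

```python
"""Added example (not from the original presentation): three policy-vs-reality
checks an outside reviewer would run. All data below is constructed and the
field names are assumptions for the example."""
from datetime import date, timedelta

# Constructed directory export: what the identity system actually says.
ACCOUNTS = [
    {"user": "jsmith",  "enabled": True,  "pw_last_set": date(2015, 1, 10)},
    {"user": "mlee",    "enabled": True,  "pw_last_set": date(2013, 6, 2)},   # never rotated
    {"user": "rgarcia", "enabled": True,  "pw_last_set": date(2014, 11, 20)}, # left the company
    {"user": "kwong",   "enabled": False, "pw_last_set": date(2012, 3, 3)},   # disabled: fine
]

# Constructed HR termination list: user -> last day of employment.
TERMINATED = {"rgarcia": date(2014, 12, 31), "kwong": date(2012, 4, 1)}

# Constructed endpoint inventory: what the antivirus console actually reports.
ENDPOINTS = [
    {"host": "CLINIC-PC-07", "dept": "Clinical", "av_running": True},
    {"host": "HR-PC-01",     "dept": "HR",       "av_running": False},
    {"host": "HR-PC-02",     "dept": "HR",       "av_running": False},
]

AS_OF = date(2015, 3, 1)          # date of the review
MAX_PW_AGE = timedelta(days=182)  # "changed every six months"


def stale_passwords(accounts, as_of=AS_OF, max_age=MAX_PW_AGE):
    """Enabled accounts whose password is older than the policy allows."""
    return sorted(a["user"] for a in accounts
                  if a["enabled"] and as_of - a["pw_last_set"] > max_age)


def lingering_access(accounts, terminated, as_of=AS_OF):
    """Accounts still enabled for people whose last day has already passed."""
    return sorted(a["user"] for a in accounts
                  if a["enabled"]
                  and a["user"] in terminated
                  and terminated[a["user"]] < as_of)


def endpoints_without_av(endpoints):
    """Hosts where the control exists on paper but is not actually running."""
    return sorted(e["host"] for e in endpoints if not e["av_running"])


def review(accounts=ACCOUNTS, terminated=TERMINATED, endpoints=ENDPOINTS, as_of=AS_OF):
    """Every finding, keyed by the policy statement it contradicts."""
    return {
        "passwords rotated every six months": stale_passwords(accounts, as_of),
        "ex-employee access removed": lingering_access(accounts, terminated, as_of),
        "antivirus on all endpoints": endpoints_without_av(endpoints),
    }


if __name__ == "__main__":
    for policy, exceptions in review().items():
        status = "OK" if not exceptions else "FAIL: " + ", ".join(exceptions)
        print(f"{policy:40} {status}")
```

Run against the constructed data, each of the three policy statements comes back with the exception that contradicts it (one stale password, one enabled ex-employee, two HR machines without antivirus). The useful part is the shape of the check, not the toy data: every policy statement an organization makes should have a query like one of these that can be run on demand to prove it still holds.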
25. Which of the following attack types have exploited your company in 2014? (chart from the 2015 ISACA and RSA Conference survey)
26. The top three strategies
#3. Deploy four key controls
1. Strong authentication: defeats many hacking attack strategies
2. Encryption: prevents a lost or stolen device from becoming a data breach
3. Anti-malware: stops infections, phishing, and more
4. Backup: a strong defense against ransomware, data loss, natural and human disasters
27. Build your security policy
• Security begins with policy
• Policy begins with C-level buy-in
• High-level commitment to protecting the privacy and security of data
• Then a set of policies that spell out the protective measures
28. Choose the controls you will use to enforce your policies
• For example:
– Policy: Only authorized employees can access sensitive data
– Controls:
• Require identification and authentication of all employees via unique user name and password
• Limit access through application(s) by requiring authentication
• Log all access
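As an added example (not code from the original presentation), here is that policy and its three controls as a small Python model: a unique user name with a salted, slow password hash for identification and authentication; a single application function that is the only path to the data and checks the caller's role against what each role may read (deny by default); and an audit entry for every attempt, allowed or denied, with the reason. The user names, passwords, roles, record identifier and record contents are constructed for the example.

```python
"""Added example (not from the original presentation): a minimal model of the
policy "only authorized employees can access sensitive data" and the three
controls chosen to enforce it. Users, roles and records are constructed."""
import hashlib
import hmac
import json
import os
from datetime import datetime, timezone


def _hash_pw(password: str, salt: bytes) -> bytes:
    # Slow, salted hash so a copied user table cannot be cracked cheaply.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_user(password: str, role: str) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": _hash_pw(password, salt), "role": role}


# Control 1: every employee has a unique user name and a password (constructed).
USERS = {
    "nurse01": make_user("correct horse", "clinical"),
    "billing02": make_user("battery staple", "billing"),
}

# Constructed patient store; only reachable through read_record() below.
RECORDS = {"MRN-1001": {"diagnosis": "seasonal allergies", "insurance": "PlanCo PPO"}}

# Which record fields each role may read. Anything not listed is denied.
ROLE_FIELDS = {"clinical": {"diagnosis"}, "billing": {"insurance"}}

# Control 3: log every access attempt. In production this would be an
# append-only store that application users cannot modify.
AUDIT_LOG: list = []


def _audit(user: str, record_id: str, outcome: str, detail: str) -> None:
    AUDIT_LOG.append(json.dumps({
        "ts": datetime.now(timezone.utc).isoformat(),
        "user": user, "record": record_id, "outcome": outcome, "detail": detail,
    }))


def authenticate(username: str, password: str) -> bool:
    u = USERS.get(username)
    if u is None:
        _hash_pw(password, b"\x00" * 16)  # same cost whether or not the user exists
        return False
    return hmac.compare_digest(_hash_pw(password, u["salt"]), u["hash"])


def read_record(username: str, password: str, record_id: str, field: str):
    """Control 2: the application is the only path to the data, and it requires
    authentication and an authorized role before returning anything.
    Returns the field value, or None (with the reason recorded in the audit log)."""
    if not authenticate(username, password):
        _audit(username, record_id, "DENIED", "authentication failed")
        return None
    role = USERS[username]["role"]
    if field not in ROLE_FIELDS.get(role, set()):
        _audit(username, record_id, "DENIED", f"role {role} may not read {field}")
        return None
    record = RECORDS.get(record_id)
    if record is None:
        _audit(username, record_id, "DENIED", "no such record")
        return None
    _audit(username, record_id, "ALLOWED", f"read {field}")
    return record[field]


if __name__ == "__main__":
    read_record("nurse01", "correct horse", "MRN-1001", "diagnosis")    # allowed
    read_record("billing02", "battery staple", "MRN-1001", "diagnosis") # wrong role
    read_record("nurse01", "guess", "MRN-1001", "diagnosis")            # bad password
    print("\n".join(AUDIT_LOG))
```

Two details matter for the audit. First, denied attempts are logged too: a run of failed logins or a billing account repeatedly asking for clinical fields is exactly what an investigation needs and what a "log successful access only" design loses. Second, the log records who, which record, when and why, so the “source of information that causes harm” question raised earlier can actually be answered.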
29. Deploy controls and make sure they work
• Put the control in place; for example, antivirus (anti-malware, anti-phishing, anti-spam)
• Test the control
– Does it work technically?
– Does it “work” with your work?
– Can employees work it?
30. Educate employees, execs, vendors, partners, patients
• Everyone needs to know
– What the security policies are, and
– How to comply with them through proper use of controls
• Pay attention to any information-sharing relationships
– Vendors, partners, even clients
• Be clear that failure to protect shared data has serious consequences
31. Further assess, audit, test…
This is a process, not a project
• Re-assess security on a periodic basis
• Stay up-to-date on emerging threats
• Be vigilant around change
– New vendor relationships
– Employees departing
– Hiring practices
FYI – $50 million is more than the total loot from a year’s worth of bank robberies in America.
And the entire budget of the FBI is about $8 billion.
Using various tools and websites, some of which we will look at in a moment, criminals can quickly and efficiently mount a cybercrime operation, purchasing all of the ingredients and selling or “fencing” their ill-gotten gains, like your company’s banking credentials or your customers’ credit cards.
Not just Russians
Who was the hero played by? Chris Hemsworth
Note: these are actual screenshots. There is no legal issue with displaying these. Meet McDumpals, an online market where criminals who have stolen payment card data sell it to crooks who then use it for fraudulent purchases. People who know this is the face of cybercrime today tend to take security more seriously.
$8.40 to $6.80. Show typical operations at an online data mart, and some prices. Krebs and others who track prices note rapid declines when large new data collections are put on the market (e.g. Target), and also a decline over time as data ages.