1. Cybercrime and the Hidden
Perils of Patient Data
Stephen Cobb, CISSP
Senior Security Researcher

2. Stephen Cobb
Sr. Security Researcher, ESET North America
Stephen Cobb has been a CISSP since 1996
and has helped companies large and small to
manage their information security, with a
focus on emerging threats and data privacy
issues. The author of several books and
hundreds of articles on IT security, Cobb leads
a San Diego based security research team for
ESET North America.

3. Cybercrime risk and response
• Information technology can improve
productivity and profitability in healthcare
delivery, but IT comes with risks
• The risks inherent in patient data increase
as cybercrime increases
• Non-compliance with regulations is not
the only cybercrime liability
• There are proven methodologies to
reduce risk

4. Ripped from the headlines…

5. It’s not your fault!
• Yes, humans do make mistakes,
and there are acts of nature, and
system failures
• But most of that can be mitigated
• Criminal activity is harder to stop
• The global trade in stolen data
makes any system that contains
marketable data a target of
criminal activity

6. How does cybercrime pay?
1. Criminals steal PII to sell on the black market
– Low risk, high reward
2. Different criminals buy the stolen data and
commit fraud, e.g.
– Charge or debit credit/bank accounts
– File fraudulent tax refunds
– Make fraudulent wire transfers
– Carry out more complex scams like billing fraud
– Riskier than #1 but still safer than robbing banks

7. You are not alone

8. Patient Data Abuse 101

9. Cybercrime
= low risk +
high return

10. 0
1000
2000
3000
4000
5000
6000
7000
8000
9000
$-
$100
$200
$300
$400
$500
$600
$700
$800
$900
MillionsBank robbery vs. Internet fraud
Cybercrime numbers: annual IC3 report on computer fraud cases.
Mainly US, mainly those cases referred for investigation.
$ cyber fraud
losses
# of bank robberies

11. Cybercrime has created an efficient
global market for data and tools

12. Black market structure
Markets for Cybercrime Tools and Stolen Data (RAND, 2014)

13. Tools of the trade: malicious code

14. This is a RAT’s eye view of an
infected computer:
• Remote Access Tool
• As seen in the movie Blackhat
• Access to your microphone,
webcam, files, passwords, and
everything else…

15. Card data sold here
• Carding sites
• Just one example:
– McDumpals
• Cards sold in “dumps”
– Priced by
– Freshness
– Balance
– Type
– Location

16. Thanks to krebsonsecurity.com for screenshots

17. Not just credit card data

18. YOUR NAME, PHYSICAL ADDRESS,
PHONE, EMAIL, EMPLOYER
YOUR DATE OF BIRTH,
MEDICAL RECORD NUMBER,
SOCIAL SECURITY NUMBER,
DRIVER’S LICENSE DETAILS
YOUR INSURANCE PROVIDER,
PLAN TYPE, PAYMENT INFO,
CREDIT CARD, BANK ACCOUNT
PATIENT HISTORY, BLOOD TYPE,
ALLERGIES, SYMPTOMS, MEDICAL
CONDITIONS, PRESCRIPTIONS,
GENETIC DATA
ELECTRONIC HEALTH RECORD L1: Basic personal: stolen to
sell to spammers and for data
mining, profiling, appending
L2: Non-public identifiers: sold
for various kinds of identity
theft such as tax ID fraud
L3: Financial data: sold for
financial fraud, billing scams,
theft of funds
L4: Medical data: sold for use
in medical ID fraud, billing
fraud, drug and service
theft and abuse

20. Nightmare scenario?
• Your organization is
identified as the
source of information
that causes harm
• Tammy Wynette case:
Pittsburgh Medical
Center employee sold
records to newspaper

21. How to respond?
• Make sure everyone in your organization
is taking security seriously
• But treat rules like HIPAA as a base line
– Liability for breached data does not begin or
end with HIPAA
• Negligence claims are heating up
– Such claims are decided on the standard of
due care, what is reasonable
– An organization may be held liable for actions
of an employee even if it is “HIPAA compliant”

22. The ABCs of Cybersecurity
• Assess your assets, risks, resources
• Build your policy
• Choose your controls
• Deploy controls
• Educate employees, execs, vendors
• Further assess, audit, test
A B C D E F
F E D C B A

23. The top three strategies
#1. Perform and document a risk assessment
– It’s the basis of your security program
– Your defense in case of a breach
– And a hedge against fines!
Meaningful Use optometry clinic audit MN:
Failed to perform a proper risk assessment.
Failed to follow policies and procedures.
Penalty: Initial incentive payments had to be
repaid, plus 2 more years of payments totaling
more than $40,000 put in doubt (just 3 ODs).
OCR hospital ePHI breach NY:
Hospital failed to complete an
accurate and thorough risk
analysis identifying all systems
that access ePHI.
Penalty: Fined $4.8 million.

24. The top three strategies
#2. Get an outside review of your security
– Even with the best of intentions there can be
security gaps
– Real world, healthcare company examples:
• “We require passwords to be changed every six months”
• The system allowed passwords to remain unchanged
• “We delete access for all ex-employees”
• Several dozens ex-employees still had access
• “We use antivirus on all our endpoints”
• But it was turned off in the HR department

25. Which of the following attack types have exploited
your company in 2014?
2015 ISACA and RSA Conference Survey

26. Top 3 strategies: 4 key controls
1. Strong authentication
Defeats many hacking attack strategies
2. Encryption
Prevents loss from lost/stolen equipment
3. Anti-malware
Stops infections, phishing, and more
4. Backup
A strong defense against ransomware,
data loss, natural and human disasters

27. Build your security policy
• Security begins with policy
• Policy begins with C-level buy-in
• High-level commitment to protecting the
privacy and security of data
• Then a set of policies that spell out the
protective measures

28. Choose the controls you will use to
enforce your policies
• For example:
– Policy: Only authorized employees can access
sensitive data
– Controls:
• Require identification and authentication of all
employees via unique user name and password
• Limit access through application(s) by requiring
authentication
• Log all access

29. Deploy controls and
make sure they work
• Put control in place; for example,
antivirus (anti-malware, anti-
phishing, anti-spam)
• Test control
– Does it work technically?
– Does it “work” with your work?
– Can employees work it?

30. Educate employees, execs, vendors,
partners, patients
• Everyone needs to know
– What the security policies are, and
– How to comply with them through proper use of
controls
• Pay attention to any information-sharing
relationships
– Vendors, partners, even clients
• Be clear that failure to protect shared data
has serious consequences

31. Further assess, audit, test…
This is a process, not a project
• Re-assess security on a periodic basis
• Stay up-to-date on emerging threats
• Be vigilant around change
– New vendor relationships
– Employees departing
– Hiring practices

33. Thank You!
stephen.cobb@eset.com