2015: “Year of the Hack” HIPAA Security · 10/19/2015 4 Notable 2015 Breaches • Kaspersky Lab...


2015: “Year of the Hack” HIPAA Security

Drew Labbo

Trent Hein

Who Are These Guys!!??

Trent Hein

• CISSP, CCIE-15, CSSA, ISSMP, ISSAP, CSSA

• Co-Founder and Co-CEO of AppliedTrust

Drew Labbo

• MBA, CISSP, ITIL

• CISO at Denver Health and Hospital Authority

• Principal, RMHG LLC – Rocky Mountain HIPAA Guru

IT Security: The World We Live In

• Worldwide explosion of the Internet has produced an abundance of professional, skilled hackers

• Strong security is required for protecting both image and business operations

• Public awareness/concern for security and privacy has reached a threshold level

• Organizational security is a “second thought”


What Is Security?

• Vigilance

• Knowledge

• Risk management

• Methodology and policies

• Applied science/forensics

• Architecture

• Implementation

• Operations

Security Myths

Myth #1: “We aren’t a likely target of attack.”

Fact: 41.1% of CSI/FBI Computer Crime Survey respondents reported detecting a breach in the prior 12 months.

Security Myths

Myth #2: “A small percent of attacks involve insiders.”

Fact: Actually, about a quarter of all attacks or misuse involve insiders.


Security Myths

Myth #3: “We’re secure because we have a firewall.”

Fact: Almost nothing could be further from the truth. Multiple surveys have established that 95 percent of organizations that had a break-in had a standard commercial firewall in place.

Security Myths

Myth #4: “We haven’t been broken into, therefore we are secure.”

Fact: Most break-ins go undetected for more than 6 months.

Notable 2015 Breaches

• Premera BlueCross BlueShield (January 2015)

  • Exposed names, birth dates, SSNs, bank account information, and addresses of up to 11.2 million subscribers.

  • According to the Seattle Times, the organization had been warned the previous year that its IT systems were vulnerable to a possible attack.

  • The attack is suspected to have been conducted by a Chinese state-sponsored hacking group that used a look-alike domain (prennera.com) designed to trick employees into downloading malicious software.

• Anthem/Wellpoint (February 2015)

  • Exposed names, birth dates, SSNs, health-care ID numbers, home addresses, email addresses, employment information, and income data of 80 million patients and employees.

  • The Wall Street Journal reported that Anthem had not encrypted the data that was accessed by hackers.

  • As with the Premera hacking, the attack is suspected to have been conducted by a Chinese state-sponsored hacking group that used a look-alike domain (we11point.com) designed to trick employees into downloading malicious software.
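Both look-alike domains above differ from the genuine name only by visual substitutions (nn for m, 1 for l). As an added, defender-side example that is not part of the slides, the Python below normalizes such homoglyph swaps and checks edit distance to flag imitation sender domains in constructed mail-gateway log lines; the genuine domains premera.com and wellpoint.com are assumed, since the slide names only the look-alikes.

```python
import re
# Assumption: the genuine domains behind the slide's look-alikes; substitute your own organization's domains.
PROTECTED_DOMAINS = {"premera.com", "wellpoint.com"}
# Character sequences commonly substituted for the letter they resemble.
HOMOGLYPHS = {"rn": "m", "nn": "m", "vv": "w", "cl": "d", "1": "l", "0": "o", "3": "e", "5": "s"}

def normalize(label):
    """Collapse homoglyphs: 'prennera' -> 'premera', 'we11point' -> 'wellpoint'."""
    for fake, real in HOMOGLYPHS.items():
        label = label.replace(fake, real)
    return label

def edit_distance(a, b):
    """Levenshtein distance, to also catch one-character typos such as 'premira'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_of(host):
    """Return the protected domain `host` imitates, or None if it is genuine or unrelated."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) < 2 or ".".join(labels[-2:]) in PROTECTED_DOMAINS:
        return None  # single label, or the genuine domain itself
    name, tld = labels[-2], labels[-1]  # registrable domain; use a public-suffix list for ccTLDs
    for legit in PROTECTED_DOMAINS:
        lname, ltld = legit.rsplit(".", 1)
        if tld == ltld and (normalize(name) == lname or edit_distance(name, lname) <= 1):
            return legit
    return None

def scan_mail_log(lines):
    """Return (sender_domain, imitated_domain) for each envelope sender that looks like ours."""
    hits = []
    for line in lines:
        m = re.search(r"from=<[^@>]+@([^>]+)>", line)
        target = lookalike_of(m.group(1)) if m else None
        if target:
            hits.append((m.group(1), target))
    return hits

SAMPLE_LOG = [  # constructed mail-gateway lines, not from any real system
    "Oct 19 08:01:02 mx postfix/qmgr: 1A2B: from=<hr@premera.com>, size=2048",
    "Oct 19 08:03:15 mx postfix/qmgr: 1A2C: from=<it-helpdesk@prennera.com>, size=9120",
    "Oct 19 08:04:40 mx postfix/qmgr: 1A2D: from=<benefits@mail.we11point.com>, size=7300",
    "Oct 19 08:06:22 mx postfix/qmgr: 1A2F: from=<payroll@premira.com>, size=6600",
]
```

The same check applied to newly registered domains or proxy logs gives early warning that a look-alike exists before the first phishing message arrives.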


Notable 2015 Breaches

• Kaspersky Lab (June 2015)

  • The attack against the Moscow-based security vendor, which it named Duqu 2.0, was believed to be a nation-state-sponsored attack.

  • The compromise included information on the company's newest technologies, such as Kaspersky’s Secure Operating System, Kaspersky Fraud Prevention, Kaspersky Security Network, and Anti-APT solutions and services.

  • The attackers breached the company’s internal systems using “Duqu 2.0” malware, involving a 19-megabyte toolkit with plugins for various reconnaissance and data-theft activities, as well as at least three zero-day exploits.

• CareFirst BlueCross BlueShield (May 2015)

  • Exposed names, birth dates, email addresses, and subscriber information of 1.1 million members.

  • Occurred when attackers accessed a single CareFirst database in June 2014.

  • Discovered as part of a Mandiant-led security review that found hackers had gained access to a database that members use to get access to the company's website and services.

Notable 2015 Breaches

• Army National Guard (July 2015)

  • Possibly exposed the Social Security numbers, home addresses, and other personal information of approximately 850,000 current and former National Guard members, dating back to 2004.

  • The attack resulted from an improperly handled data transfer to a non-accredited data center by a contract employee, according to the organization, highlighting the importance of having strong security practices for internal threats, including those posed by third-party contractors.

• Office Of Personnel Management (April/May 2015)

  • Two breaches, the larger of which, affecting 21.5 million federal workers, was discovered in late May after a separate, unrelated breach hit the agency in April, exposing the personnel data of 4.2 million individuals.

  • Though not confirmed, reports have tied the attacks to China-based hackers.

Breaches: Lessons Learned

• User behavior and awareness is key

• Phishing is the #1 vector

• Multifactor Authentication is a MUST

• Manage contractor/vendor access carefully

• External-facing applications MUST be penetration tested

• Automated scanning is NOT adequate

• Zero-day vulnerability strategy?


3 Golden Rules of Mobile

1. Apply appropriate safeguards to the device to mitigate the risk of information exposure due to loss or theft.

2. Report any device that is lost, stolen, or otherwise compromised.

3. Wipe (i.e., erase) all data stored on any device before transferring ownership (e.g., by sale or trade-in).

Appropriate Safeguards?

• Every device must have a PIN

• Every device must be encrypted

  • iOS: enabled with a PIN

  • Android: enabled under “Security”

• SMS is NOT secure (no ePHI in texts!)

Appropriate Safeguards (cont.)

• Consider a Mobile Device Management (MDM) platform

• But AT THE VERY MINIMUM, enforce that any device granted access has encryption, a PIN, and remote wipe

• Don’t “teach” bad practices by requiring users to install apps that aren’t certified

• ePHI only in approved apps/locations


2015 Enforcement Update

HIPAA Rogues’ Gallery

http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/

$750,000; Stolen Laptop, 55,000 Patients


$218,400; 498 patients’ info on an internet file-sharing system & 595 patients’ info on a stolen laptop

$125,000; hard copy PHI disposal

Test Your Knowledge

Role of the Privacy Officer…


Privacy Officer

• Regulatory Compliance

  • HIPAA Privacy

  • CFR 21 Substance Abuse

  • State Privacy Statutes (California, Massachusetts, Oklahoma)

  • FERPA

• Designated official responsible for HIPAA Privacy

• Policy/Procedures

• Privacy complaint investigation

• Privacy guidance

• Privacy incident breach risk assessment

• Breach Response

Test Your Knowledge

Role of the Security Officer…

Security Officer

• Regulatory Compliance

  • HIPAA Security Rule

  • PCI DSS

  • IT General Financial Controls – CoBIT

• Designated official responsible for HIPAA Security

• Information Security Program

• Risk Assessment

• Security incident response

• Security incident breach risk assessment

• Confidentiality, Integrity, and Availability


Test Your Knowledge

Security Value Add and Partnership with Compliance…

Security value for Compliance

• Investigations

  • Providing audit trail data

  • eDiscovery forensic searches and evidence preservation

  • Email, hard drive, and file share data searches

  • Chain of custody for evidence

• System data for audits and monitoring

• Security incident breach risk assessment

Test Your Knowledge

Compliance Value Add and Partnership with Security…


Compliance value to Security

• Set policy

  • Data Classification & Retention

  • Data Loss Prevention policy

  • Other non-technical policies around privacy or security

• Receive privacy and security complaints

• Order or approve organizational investigations

• Potentially a “landing spot” for security leaving IT (“fox watching the henhouse”)

Questions???

Contact us…

• Drew Labbo <[email protected]>

• Trent Hein <[email protected]>