Cybersecurity Handouts Combined Presentations Updated


Defending Data in the Digital Age: Understanding Cybercrime in Healthcare

NABP Webinar - August 19, 2020

Faegre Drinker Biddle & Reath LLP

NABP Cybersecurity Webinar

Presenters

Paul H. Luehr

Doriann H. Cain

August 19, 2020

Threats: Data Breach Costs

• 5.5%: Annual increase in US costs (-1.5% globally)

• $8.64M: US average cost of a data breach ($3.86M globally)

• $242: US average cost per record (2019) ($146 globally)

Megabreaches:

• 1 million-10 million records = estimated $50 million

• 50 million records = estimated $392 million

Source: Ponemon/IBM 2020 Cost of Data Breach Report


Threats: Data Breach Costs

65% Indirect Costs:

• Staff hours

• Lost goodwill

• Customer “churn”

35% Direct Costs:

• Outside counsel

• Outside experts

• ID theft insurance

• Notification costs

Source: Ponemon/IBM 2020 Cost of Data Breach Report

Threats: Data Breach Costs

2020 - Global Data Breach Cost by Industry (in millions)

• Public sector: $1.08

• Research: $1.53

• Media: $1.65

• Hospitality: $1.72

• Retail: $2.01

• Consumer: $2.59

• Communications: $3.01

• Transportation: $3.58

• Global Average: $3.86

• Education: $3.90

• Entertainment: $4.08

• Services: $4.23

• Industrial: $4.99

• Technology: $5.04

• Pharmaceuticals: $5.06

• Financial: $5.85

• Energy: $6.39

• Health: $7.13

+10%

Source: Ponemon/IBM 2020 Cost of Data Breach Report: Global Analysis


Threats

Phishing Emails – Delivery point for 94% of malware

Source: 2019 Data Breach Investigations Report, Verizon, 12th ed. (May 2019)

Threats: Ransomware

Ransomware accounted for more than 70% of malware outbreaks in the health care industry (Verizon)

Source: 2019 Data Breach Investigations Report, Verizon, 12th ed. (May 2019)


Threats: Ransomware

2020 – New Variations

• Higher monetary demands (e.g., $30M)

• Double threat
  1) Threat to encrypt files on network
  2) Threat to reveal already stolen files

E.g., Blackbaud platform for non-profits

Threats: Compromised Email

$26 billion lost (2016-2019)

166,349 reported complaints

100% increase, May 2018-July 2019

Across 50 states and 177 countries

Average loss: $25K - $90K in the past, now $400K+

Facebook and Google: $123 million in combined losses

Source: FBI Alert Number I-091019-PSA (Sept. 10, 2019); Trend Micro, Fortune


Threats: Compromised Email

Sources: Bloomberg News, the Verge, ArsTechnica, DomainTools, Abnormal Security

Potential Impacts of COVID-19


Source: FaegreDrinker.com

Potential Impacts of COVID-19

Remote work

• 54% require remote work

• 76% increase in time to identify and contain breaches

• 70% increase in cost of breaches

Source: Ponemon/IBM 2020 Cost of Data Breach Report: Global Analysis


Looking Ahead: Authentication Challenges

Authentication:

• Provider

• Patient

• Third Parties

• Content

Authentication Issues: Patients


https://secureandtransparent.org/

Authentication Issues: Organizations


“DEEP FAKES”

Authentication Issues: Content

ohadf.com


Takeaways: Periodic Data Mapping

Types of Data

• PHI

• PII

• Confidential, trade secrets

Locations of Sensitive Data

• Geography

• Device or function

• Flows


Takeaways: Conduct a Risk Assessment

RISK = Vulnerabilities x Threats x Impact x Probability

Likelihood:

• Remote: < 1%

• Most Unlikely: 1% to 10%

• Unlikely: 10% - 30%

• Possible: 30% - 70%

• Likely: 70% - 90%

• Almost Certain: 90% - 99%

Impact:

• Catastrophic

• Critical

• Major

• Moderate

• Minor

• Insignificant

Takeaways: Incident Response (IR) Planning

• Multiple Representatives

• Realistic Triggers

• Counsel as Lead

• Contact Sheets for:
  • Outside counsel
  • Forensic experts
  • Crisis communicators
  • Notification firms
  • Insurance agent/broker
  • Law enforcement

• Practice the Plan!

Incident Response Team

• Outside Forensics Experts

• Outside Counsel

• Client & Media Relations

• In-House Counsel

• In-House IT

• Business Unit

• Human Resources

• CPO, CSO Compliance


Takeaways: IR Planning

Include:

• Specific “playbooks”

• Escalation paths

• Regulatory drivers or triggers

• Risk levels

• Timing expectations

Data Breach: Mitigating Factors

• ID theft protection: -$73,196

• Managed security services: -$78,054

• CISO appointed: -$144,940

• Data loss prevention: -$164,386

• Vulnerability testing: -$172,817

• DevSecOps approach: -$191,618

• Cyber insurance: -$199,148

• Board involvement: -$199,677

• Threat intel sharing: -$202,874

• Use of security analytics: -$234,351

• Extensive encryption: -$237,176

• Employee training: -$238,019

• Red team testing: -$243,184

• AI platform: -$259,354

• Formation of IR team: -$272,786

• Business continuity mgmt: -$278,697

• Incident response (IR) testing: -$295,267

Source: Ponemon/IBM 2020 Cost of Data Breach Report: Global Analysis


Source: technews.olemiss.edu

Takeaways: Training

Takeaways: Training

When? All the time: new hires, annually, ongoing

How? Seminars, conferences, alerts, “real-world” exercises

Who? Everyone

What?

• Technical Training
  ○ Safe email handling, strong passwords
  ○ Safely work from home
  ○ Safe surfing, safe traveling

• Financial Training
  ○ Fake CEO/CFO messages, domains, invoices, wires
  ○ Clear protocols for “new” payments, and establish monetary thresholds


QUESTIONS?

Paul H. Luehr, Faegre Drinker

612/766-7195

Doriann H. Cain, Faegre Drinker

317/569-4837

Cybersecurity

Keeping your accounts safe during these unprecedented times


Topics

We will cover a few important topics intended to keep your digital footprint safe and secure:

• Working from home

• Password management

• Phishing and social engineering

Keep in mind that your organization’s rules and regulations should take precedence.

Working From Home

The coronavirus disease 2019 (COVID-19) pandemic has altered the operating structure for many businesses and organizations. Working from home has become essential to keeping individuals safe and productive.

An increase in working from home presents a few challenges. Individuals working from home should:

• Physically secure their work devices

• Keep sensitive information out of view

• Monitor personal device security

Work-From-Home Tips

• Follow your IT rules and guidelines

• Only connect to secure and trusted Wi-Fi networks

• Limit personal use of work devices


Password Management

Your user credentials are the keys to your online accounts; it is important to keep them safe and secure.

Password recommendations:

• Length > complexity

• Update frequently

• Separate password for each account

• Use a password manager

Multifactor authentication (MFA) is a powerful tool which should be enabled on your sensitive accounts. Be sure to safely store backup MFA codes; you never know when your device may be lost or destroyed.

Password Managers

Simplify and secure your credential lifecycle with popular password management tools:

• Keeper Security

• LastPass

• Dashlane

• 1Password

Phishing and Social Engineering

Bad actors are constantly producing new methods to trick you into giving them your information.

Social engineering attacks target you using various methods:

• Sense of urgency

• Offers something for nothing

• Acts vulnerable/needs help

Be suspicious and pay attention to the details. If a coworker is making an odd request, reach out to them directly to validate.

Security Tips

Do not send sensitive information through insecure channels, such as:

Email

• Insecure

• Avoid opening attachments from unknown senders

Social Media

• Limit the personal information posted to public social media platforms

Web

• Validate the URL and HTTPS icon


Questions?
