IASA Cybersecurity Breaches

Security Breaches
What should we be doing to stay out of the
headlines?
Alan DeVaughan, CISA, MCSE, MCSA
adevaughan@bswllc.com
Tel: 314 824-5278
Breaches & Settlements 2014
Still an Issue – Stolen Laptops & Computers
 One of the top ten reported breaches in 2014 involved stolen computers:
 Sutherland Healthcare Solutions (#3), billing and collections vendor for LA County – eight unencrypted desktop computers stolen – 168,000 individuals – class action lawsuit
 One of the largest federal fines in 2014 – $1.7M – was assessed against Concentra Health Services (a Humana subsidiary) after an unencrypted laptop was stolen from its Springfield, Mo. physical therapy center – 870 patient records
Security Breaches - What should we be doing to stay out of the headlines? – Brown Smith Wallace LLC
Breaches & Settlements 2014
Still an issue – Unauthorized Access or Theft of Paper
 Two of the top ten reported breaches in 2014 involved paper:
 Walgreen, IL (#6) – 160,000 individuals
 St. Vincent Hosp. and Health Care Center, IN (#9) – 63,325 individuals
 At least four of the smallest ten reported breaches in 2014 involved theft of, or unauthorized access to, paper records
 One of the larger federal fines in 2014 – $800,000 – involved Parkview Health System (Ft. Wayne, IN)
 Employees dropped off 71 cardboard boxes of patient medical records in the driveway of a physician's home
Breaches & Settlements 2014
Smaller organizations not immune to
cybersecurity threats
 18-bed Clay County Hospital in Flora, IL, received an anonymous email on 11/2/14 containing patient information and threatening public release unless a ransom was paid
 12,621 patients potentially affected
 Investigation found the system was not hacked – an insider?
 Information was name, address, SSN, DOB – no medical information
Breaches & Settlements 2014
 Anchorage Community Mental Health Services (ACMHS) was fined $150,000 and will adopt a corrective action plan under a 12/2/14 Resolution Agreement with HHS/OCR
 Malware compromised the PHI of 2,743 individuals
 ACMHS adopted sample security rule policies & procedures in 2005, but didn't follow or update them until after the breach
 Sixth fine levied by HHS/OCR in 2014
Looking beyond HIPAA and PHI
Information Security =
Protecting information from cyber criminals and from anyone who does not have a need to view, access, modify or use it.
Cybersecurity =
Measures taken to protect a computer or
computer system connected to the Internet
against unauthorized access or attack.
Personally Identifiable Information (PII) =
Any data that could potentially identify a
specific individual.
2014 Cost of Cyber Crime Study: United States
 Cyber crimes continue to be very costly for organizations.
 Mean annualized cost for the 59 benchmarked organizations was $12.7M, a 9.3% increase over the prior year.
 Cyber crime cost varies by organizational size.
 The most costly cyber crimes are those caused by denial of service, malicious insiders and malicious code.
2014 Cost of Cyber Crime Study: United States
 Cyber attacks get costly if not resolved quickly.
 Average time to resolve a cyber attack was 45 days, with an average cost to participating organizations of $1,593,627 during this 45-day period.
 Malicious insider attacks can take more than 65 days on average to contain.
 Information theft continues to represent the highest external cost, followed by the costs associated with business disruption.
 Recovery and detection are the most costly internal activities.
 Activities relating to IT security in the network layer receive the highest budget allocation.
 Lack of data encryption increases cost.
2014 Cost of Cyber Crime Study: United States
 Deployment of security intelligence systems makes a difference.
 A strong security posture moderates the cost of cyber attacks.
 Companies deploying security intelligence systems experienced a substantially higher ROI (30 percent) than any other technology category presented.
 Deployment of enterprise security governance practices moderates the cost of cyber crime.
Cost of Data Breach
What is the value of the information in your custody – information you own, store, process or transmit?
Value vs. cost of protection: what is your risk appetite?
What is the cost if your data is compromised – reputation, lost revenue, legal fines and restitution?
 Healthcare businesses paid an average cost of $5.9 million per data breach
 For all industries, the total annualized cost of cyber crime in 2014 ranged from a low of $1.6 million to a high of $60.5 million.
 The median annualized cost of cyber crime in the benchmark sample was $9.7 million, up from last year's median of $9.1 million.
 The mean value was $12.7 million, an increase of $1.1 million or 9.3 percent from last year's mean of $11.6 million.
Sources: Ponemon 2014 Cost of Data Breach Study (per-breach cost); Ponemon 2014 Cost of Cyber Crime Study: United States (annualized cyber crime costs)
Major Causes of Data Breach
Malicious attacks most costly, more frequent
Ponemon 2013 Cost of Data Breach Study
Root cause (share of breaches, per capita cost per compromised record):
 Malicious or criminal attack – 37% of data breaches, per capita cost $277
 Human factor – 35%, per capita cost $159
 System glitch – 29%, per capita cost $174
Malicious or criminal attacks include malware, criminal insiders (employees, contractors or other third parties), phishing/social engineering and web site attacks
System glitch includes loss of a system or component, and IT and business process failures
Human factor includes individuals (negligent insiders) who cause a data breach because of their carelessness, as determined in a post data breach investigation.
Steps to Reduce the Risk
7 Factors that Influence the Cost of a Data Breach
Factors that reduced the per-record cost:
 The organization had an incident management plan.
 The organization had a relatively strong security posture at the time of the incident.
 A CISO (or equivalent title) has overall responsibility for enterprise data protection.
 Consultants were engaged to help remediate the data breach.
Factors that increased it:
 Data was lost due to third party error.
 The data breach involved lost or stolen devices.
 The organization notified data breach victims quickly (counterintuitively, the study found that quick notification increased cost).
Source: Ponemon 2013 Cost of Data Breach Study
Security Risk Assessment
Organizations should conduct an annual formal risk assessment for all systems to assess potential risks and vulnerabilities to the confidentiality, integrity, and availability of systems and data. There are several excellent resources:
 NIST Special Publication SP 800-30, Guide for Conducting Risk Assessments
 NIST Special Publication SP 800-66, Introductory Resource Guide for Implementing the HIPAA Security Rule; Appendix E of this document is the Risk Assessment Guidelines
 OCR has published "Guidance on Risk Analysis Requirements under the HIPAA Security Rule"
HHS – Encryption, Methods for Protecting
HHS guidance on the technologies and methodologies that render PHI "unusable, unreadable, or indecipherable to unauthorized individuals" (the safe harbor from breach notification) recognizes two methods: encrypt or destroy
 Two types of encryption:
 Data at rest: NIST SP 800-111, Guide to Storage Encryption Technologies for End User Devices
 Data in transit: compliance with Federal Information Processing Standard (FIPS) 140-2 requirements – 140-3 had been issued as a draft at the time of this presentation
 Two methods of destruction:
 Non-electronic media: shredded or destroyed such that PII/PHI cannot be read or reconstructed
 Electronic media: cleared, purged, or destroyed consistent with NIST SP 800-88, Guidelines for Media Sanitization, such that PHI cannot be recovered
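What "encrypt data at rest" buys you on a stolen device, shown as an added example (this is not code from the presentation, HHS or NIST): a patient record is sealed with AES-256-GCM, an authenticated encryption mode approved in NIST SP 800-38D, so the ciphertext left on a stolen disk is unreadable without the key, and any modification, wrong key or mismatched record ID is rejected before a single byte of plaintext is returned. The record contents and the record ID used as associated data are constructed for illustration; the key is generated in memory here only because the example is self-contained, and a real deployment keeps it off the device (KMS, TPM or hardware token).

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// sampleRecord is a constructed, fictitious patient record used as plaintext.
const sampleRecord = "name=Jane Doe;dob=1970-01-01;ssn=123-45-6789;addr=1 Main St"

// NewKey returns a random 256-bit AES key. In production the key lives in a
// key management service or TPM, never on the same disk as the ciphertext;
// that separation is what makes a stolen laptop a non-event.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// Seal encrypts plaintext with AES-256-GCM and returns nonce || ciphertext || tag.
// aad (e.g. the record ID) is authenticated but not encrypted, which binds the
// blob to its context so ciphertexts cannot be swapped between records.
func Seal(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// Open reverses Seal. It returns an error, and no plaintext, if the key is
// wrong, the aad differs, or any byte of the blob was altered.
func Open(key, blob, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, aad)
}

func main() {
	key, _ := NewKey()
	recordID := []byte("record-0001") // constructed identifier
	blob, _ := Seal(key, []byte(sampleRecord), recordID)
	fmt.Printf("stored on disk: %x...\n", blob[:16])

	// A thief who images the disk but does not hold the key gets an error, not data.
	thiefKey, _ := NewKey()
	if _, err := Open(thiefKey, blob, recordID); err != nil {
		fmt.Println("wrong key:", err)
	}
	pt, _ := Open(key, blob, recordID)
	fmt.Println("authorized read:", string(pt))
}
```

The nonce is generated fresh per record; reusing a nonce under the same key breaks GCM, so a deployment that encrypts many records should either use random 96-bit nonces with key rotation or a counter managed alongside the key.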
Paper Breaches included?
• HIPAA Rule: yes
• FTC Rule: no… but dumpster-diving cases have been among the FTC's most often pursued
– Joint prosecutions of Rite Aid and CVS with HHS
– Using its unfair and/or deceptive trade practices authority since 2005 in lieu of a breach regulation
• States: generally no, state laws cover only systems data, but round 2 of state laws is changing that
Vendor Management
Formal procedures should be established for qualifying hardware, software or services vendors. Considerations for their selection should include the following:
 Applicability of the IT solution to the intended environment – consider the sensitivity of the data: is it PII or PHI?
 The organization's security policies, procedures and standards, and other requirements such as the resources available for operation, maintenance and training.
 What evidence can be reviewed: security audits, pen tests, SSAE 16 SOC 1 or SOC 2 Type 2 reports, PCI DSS ROC reports
Security Frameworks
Frameworks: Areas of Information Security &
Privacy Management
 Information Security Governance
 Information Risk Management and Compliance
 Information Security Program Development and
Management
 Information Security Incident Management
Information Security Governance
Responsibilities and practices exercised by the board and executive management with the goal of providing strategic direction, ensuring that objectives are achieved, determining that risk is managed appropriately and verifying that the enterprise's resources are used responsibly.
Source: Information Security Governance – Guidance for Boards of Directors and Executive Management, IT Governance Institute (ITGI)
A couple of key points:
Establish and maintain an information security strategy in alignment with organizational goals, including a security framework to guide the activities that support the strategy:
 Information security policies that communicate management's directives and guide the development of standards, procedures and guidelines
 Business cases to support investments in information security
 Holistic (internal and external) influences on the organization (e.g. technology, business environment, geographic location, etc.)
 Defined and communicated roles and responsibilities throughout the organization
 Measures of the effectiveness of the information security strategy
Information Risk Management and Compliance
Systematic application of management policies, procedures and practices to identify, analyze, evaluate, report, treat and monitor information risks
Some Key Points:
 Asset classification to ensure that measures taken to protect assets are proportional to their business value – don't forget data
 Identify legal, regulatory, organizational and other applicable requirements to manage the risk of noncompliance to acceptable levels (e.g. HIPAA, PCI, GLBA)
 Ensure risk assessments, vulnerability assessments and threat analysis are conducted periodically to identify risk to the organization's information
 Integrate information risk management into business and IT processes (e.g. development, procurement, project management) to promote a consistent and comprehensive information risk management process across the enterprise
 Monitor existing risk to ensure that changes are identified and managed appropriately
Compliance does not mean your information is secure.
Governance Frameworks
Plenty of good frameworks out there – pick one:
– COBIT 5 - the leading framework for the governance and management of enterprise IT.
– ISO 27001 - the ISO 27000 family of standards helps organizations keep information assets secure.
– ITIL - the Information Technology Infrastructure Library (ITIL) defines the organizational structure and skill requirements of an information technology organization and a set of standard operational management procedures and practices to allow the organization to manage an IT operation and associated infrastructure.
– NIST Cybersecurity Framework – recently announced at the time of this presentation, immature, still being developed. NIST released the first version of the Framework for Improving Critical Infrastructure Cybersecurity on February 12, 2014.
– See also the Cloud Security Alliance Cloud Controls Matrix Version 3.0.1, which compares different frameworks side by side.
Information Security Program –
Development and Management
Development and documentation of the activities, projects and initiatives that implement the information security strategy and manage the program.
Key Points:
 The program needs to align with the information security strategy and integrate with other business functions such as HR, accounting, procurement and IT: build information security requirements into organizational processes and update them as the security risk assessment changes
 Establish and maintain information security architectures (people, process, technology) – segmentation, minimum necessary access
 Robust perimeter – firewalls, DMZs, VPNs, File Sharing, secure email
 Intrusion Prevention/Detection systems and consider Security information and event management (SIEM)
 Consider Data Leak Prevention technologies (DLP)
 Vendor management program
 Robust change management system
 Secure software development
 Data backups, Business Impact Analysis, Business Continuity & Disaster Recovery Planning
 Develop and conduct security awareness and training
 Continually measure the program
Information Security Incident Management
Manage unexpected disruptive events, minimizing impacts and maintaining or restoring normal operations within a defined time period. This is not an IT-only plan.
Key Points:
 Establish a hierarchy to accurately identify and respond to incidents
 Develop and maintain an incident response plan so the organization can respond appropriately (e.g. to legal and regulatory requirements)
 Establish external relationships: e.g. PR firm, forensic investigators, specialist counsel, insurance company (understand the cybersecurity policy – what it covers as well as the resources it provides)
 Develop processes, train teams and periodically conduct tests to effectively identify and respond to information security incidents
 Establish incident escalation and notification processes
 Establish and maintain internal and external communication plans.
 Perform root cause analysis post-incident and record it as "lessons learned".
 Integrate the incident response plan, disaster recovery plan and business continuity plan.
HIPAA Definition of Breach and Required Notification
The final regulations modify the definition of breach. Under the interim final breach notification rule, a breach would have been considered to have occurred only if the access, use or disclosure posed "a significant risk of financial, reputational or other harm to an individual."
The final regulations stipulate that "an acquisition, access, use, or disclosure of protected health information in a manner not permitted…is presumed to be a breach unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the protected health information has been compromised."
If the organization believes the risk of compromise is unknown or low, it must perform and document a risk assessment.
The assessment of whether there is a low probability that the protected health information has been compromised must be based on at least the following factors:
• The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification.
• The identity of the unauthorized person who used the PHI or to whom the disclosure was made.
• Whether the PHI was actually acquired or viewed.
• The extent to which the risk to the PHI has been mitigated.
HIPAA Clarification of Breach
Breaches do not include:
 unintentional acquisition, access, or use of PHI by a workforce member or person acting under the authority of a CE or BA, if such acquisition, access, or use was made in good faith and within the scope of authority and does not result in further use or disclosure in a manner not permitted by the Privacy Rule
 inadvertent disclosures of PHI from a person who is authorized to access protected health information at a covered entity or business associate to another person authorized to access protected health information at the same covered entity, business associate, or organized health care arrangement in which the covered entity participates.
 disclosures of PHI where a CE or a BA has a good faith belief that the unauthorized person to whom the disclosure was made would not reasonably have been able to retain such information.
Responsibilities
 Be very careful with terminology – if you term it a breach, the rules kick in. Let legal make the call. And the great majority of breaches are not notice-triggering.
 A service provider (business associate) should:
 Be aware of the applicable Business Associate Agreement terms.
 Contact the covered entity when it first suspects a data breach, NOT after it has been investigated
 Follow the instructions of the covered entity
 Assume financial responsibility (negotiate credit monitoring costs based on the number of enrollees who actually sign up, not the number of records breached) (and don't assume insurance will cover the costs)
Questions You Should Ask of
Executive and IT Management to
Reduce the Risk
Questions to Reduce the Risk
 Do we Perform an Annual Security Risk
Assessment?
And do we have a program to mitigate risks
identified as they change?
 Do we have a Security Awareness Program?
Do we educate employees on how to handle
confidential information?
 Do we Harden, Update and Patch Systems?
Does this include all systems, programs, utilities,
everything?
Questions to Reduce the Risk
 Do we Use Intrusion Detection & Data Leak
Prevention?
Do we monitor sensitive data and control it leaving the
organization?
 Do we Utilize Encryption?
Data at rest and in motion, websites, peripherals, email,
etc.?
 Do we have a Vendor Management Program?
Do we determine if vendors are "fit for purpose"?
 Do we have an Incident Response Plan?
Does it include all key partners: IT, forensics, legal, PR and
Management?
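The "Consider Data Leak Prevention technologies (DLP)" item in the program slide and the question above ("Do we monitor sensitive data and control it leaving the organization?") both come down to the same detection step, shown here as an added example that is not code from the presentation or from any DLP product: scan outbound messages for Social Security numbers, reject tokens that merely look like SSNs (areas 000, 666 and 900-999, group 00 and serial 0000 are never issued), and report findings with the number masked so the alert itself does not become a second disclosure. The outbound message summaries are constructed for the example; the `to=` field layout and the Finding structure are assumptions, not a real mail log format.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// outbound is a constructed sample of outbound mail summaries (not real data):
// a valid-format SSN, a number that only looks like one (area 000), a phone
// number, and a list holding one valid and one invalid (area 987) SSN.
var outbound = []string{
	"to=billing@example.com body=Patient Jane Doe SSN 123-45-6789 DOB 01/01/1970 owes $40",
	"to=vendor@example.com body=PO 000-12-3456 ship 2 units",
	"to=team@example.com body=Pizza at noon, call 314-824-5278",
	"to=personal@example.net body=list: 219-09-9999, 987-65-4320",
}

// ssnPattern matches the dashed SSN layout; ValidSSN then rejects values the
// SSA never issues, which keeps order numbers and similar tokens out of alerts.
var ssnPattern = regexp.MustCompile(`\b(\d{3})-(\d{2})-(\d{4})\b`)

func ValidSSN(area, group, serial string) bool {
	a, err := strconv.Atoi(area)
	if err != nil || a == 0 || a == 666 || a >= 900 {
		return false
	}
	return group != "00" && serial != "0000"
}

// FindSSNs returns every SSN-shaped token in text that passes ValidSSN.
func FindSSNs(text string) []string {
	var found []string
	for _, m := range ssnPattern.FindAllStringSubmatch(text, -1) {
		if ValidSSN(m[1], m[2], m[3]) {
			found = append(found, m[0])
		}
	}
	return found
}

// Mask keeps only the last four digits so the finding can be logged safely.
func Mask(ssn string) string {
	return "***-**-" + ssn[len(ssn)-4:]
}

// Finding is an assumed alert record for one flagged message.
type Finding struct {
	Index     int      // position in the outbound slice
	Recipient string   // value of the to= field, if present
	Masked    []string // masked SSNs seen in the message
}

// ScanOutbound is the detection half of a minimal DLP rule: it flags messages
// carrying SSNs. Whether to block, quarantine or just alert is policy for the caller.
func ScanOutbound(msgs []string) []Finding {
	var findings []Finding
	for i, msg := range msgs {
		ssns := FindSSNs(msg)
		if len(ssns) == 0 {
			continue
		}
		f := Finding{Index: i}
		for _, field := range strings.Fields(msg) {
			if strings.HasPrefix(field, "to=") {
				f.Recipient = strings.TrimPrefix(field, "to=")
				break
			}
		}
		for _, s := range ssns {
			f.Masked = append(f.Masked, Mask(s))
		}
		findings = append(findings, f)
	}
	return findings
}

func main() {
	for _, f := range ScanOutbound(outbound) {
		fmt.Printf("message %d to %s contains SSN(s) %v\n", f.Index, f.Recipient, f.Masked)
	}
}
```

A real DLP rule would add the other identifiers the Clay County case involved (DOB and address near a name), undashed nine-digit SSNs, and a check on whether the recipient domain is internal; the structure stays the same, match, validate, then decide.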
Conclusion
 Information security impacts all our lives on a daily basis. Due diligence and caution should be taken when divulging personal information via public networks and social media outlets.
 Controls need to be defined, documented and implemented to reduce the risk of information being viewed, accessed or compromised. A proper mixture of people, processes and technology needs to exist. And education…
 The need for information security will continue to increase, possibly exponentially, as technology continues to evolve and becomes integrated into the mainstream of business processes. Network perimeters once defined and controlled by business and educational institutions continue to erode (e.g. BYOD).
 Security and privacy are a continuous process, not just a product. Having good compliance does not mean you are secure. Vulnerability assessment and penetration testing are among the tools that can help an organization gain a better understanding of its security strengths and weaknesses.
Questions
Disclaimer
While all information in this document is believed to be correct at the time of writing, the information in this presentation is for educational and awareness purposes only. For legal advice, please consult an attorney.
Speaker’s Contact Information
Alan DeVaughan, CISA, MCSE, MCSA
Advisory Services
314-824-5278
adevaughan@bswllc.com
Brown Smith Wallace, LLC
6 City Place Drive, Suite 900
St. Louis, Missouri 63141