Security Breaches: What should we be doing to stay out of the headlines?
Alan DeVaughan, CISA, MCSE, MCSA
adevaughan@bswllc.com
Tel: 314 824-5278

Breaches & Settlements 2014 – Still an Issue: Stolen Laptops & Computers
• One of the top ten reported breaches in 2014 involves stolen laptops
  – Sutherland HC Services (#3), billing and collections vendor for LA County: 8 unencrypted desktop computers stolen; 168,000 individuals; class action lawsuit
• One of the largest federal fines in 2014 ($1.7M) was assessed against Springfield, Mo.-based Concentra Health Services (Humana subsidiary): an unencrypted laptop was stolen from a physical therapy center; 870 patient records

Security Breaches - What should we be doing to stay out of the headlines? – Brown Smith Wallace LLC

Breaches & Settlements 2014 – Still an Issue: Unauthorized Access or Theft of Paper
• Two of the top ten reported breaches in 2014 involve paper
  – Walgreen, IL (#6): 160,000 individuals
  – St. Vincent Hosp. and Health Care Center, IN (#9): 63,325 individuals
• At least four of the smallest ten reported breaches in 2014 involve theft of, or unauthorized access to, paper
• One of the larger federal fines in 2014 ($800,000) involved Parkview Health System (Ft. Wayne, IN), which dropped off 71 cardboard boxes of patient medical records in the driveway of a physician’s home

Breaches & Settlements 2014 – Smaller organizations not immune to cybersecurity threats
• The 18-bed Clay County Hospital in Flora, IL received an anonymous email on 11/2/14 containing patient information and threatening public release unless a ransom was paid
• 12,621 patients potentially affected
• Investigation found the system was not hacked – insider?
• Information was name, address, SSN, DOB – no medical information

Breaches & Settlements 2014 – Anchorage Community Mental Health Services
• Fined $150,000 and will adopt a corrective action plan under a 12/2/14 Resolution Agreement with HHS/OCR
• Malware compromised PHI for 2,743 individuals
• ACMHS adopted sample security rule policies & procedures in 2005, but didn’t follow or update them until after the breach
• Sixth fine levied by HHS/OCR in 2014

Looking beyond HIPAA and PHI
• Information Security = Protecting information from cyber criminals and from those who do not have a need to view, access, modify or use it.
• Cybersecurity = Measures taken to protect a computer or computer system connected to the Internet against unauthorized access or attack.
• Personally Identifiable Information (PII) = Any data that could potentially identify a specific individual.

2014 Cost of Cyber Crime Study: United States
• Cyber crimes continue to be very costly for organizations. The mean annualized cost for 59 benchmarked organizations was $12.7M, a 9.3% increase over the prior year.
• Cyber crime cost varies by organizational size.
• The most costly cyber crimes are those caused by denial of service, malicious insiders and malicious code.
• Cyber attacks can get costly if not resolved quickly. The average time to resolve a cyber attack was 45 days, with an average cost to participating organizations of $1,593,627 during this 45-day period. Malicious insider attacks can take more than 65 days on average to contain.
• Information theft continues to represent the highest external cost, followed by the costs associated with business disruption.
• Recovery and detection are the most costly internal activities.
• Activities relating to IT security in the network layer receive the highest budget allocation.
• Lack of data encryption increases cost.
• Deployment of security intelligence systems makes a difference. A strong security posture moderates the cost of cyber attacks. Companies deploying security intelligence systems experienced a substantially higher ROI (30 percent) than all other technology categories presented.
• Deployment of enterprise security governance practices moderates the cost of cyber crime.

Cost of Data Breach
• What is the value of the information in your custody – that you own, store, process or transmit? Value vs. cost of protection?
• What is your risk appetite?
• What is the cost if your data is compromised? Reputation, loss of revenue, legal fines and restitution?
• Healthcare businesses paid an average cost of $5.9 million per data breach
• For all industries the total annualized cost of cyber crime in 2014 ranges from a low of $1.6 million to a high of $60.5 million. The median annualized cost of cyber crime in the benchmark sample is $9.7 million, an increase from last year’s median value of $9.1 million. The mean value is $12.7 million, an increase of $1.1 million or 9.3 percent from last year’s mean of $11.6 million.
Source: Ponemon 2014 Cost of Data Breach Study

Major Causes of Data Breach
Malicious attacks most costly, more frequent (Ponemon 2013 Cost of Data Breach Study)
[Chart: share of breaches by cause – Malicious or criminal attack, System glitch, Human Factor]
• Malicious attacks cause 37% of data breaches, with a per capita cost of $277
• Human factors cause 35%, with a cost of $174
• Employee negligence causes 29%, with a cost of $159
• Malicious or criminal attacks include malware, criminal insiders (employees, contractors or other third parties), phishing/social engineering and web site attacks
• System glitch includes loss of a system or component, and IT and business process failures
• Human factor includes individuals (negligent insiders) who cause a data breach because of their carelessness, as determined in a post-data-breach investigation.

Steps to Reduce the Risk

7 Factors that Influence the Cost of a Data Breach
• The organization had an incident management plan.
• The organization had a relatively strong security posture at the time of the incident.
• A CISO (or equivalent title) has overall responsibility for enterprise data protection.
• Data was lost due to third party error.
• The organization notified data breach victims quickly.
• The data breach involved lost or stolen devices.
• Consultants were engaged to help remediate the data breach.
Source: Ponemon 2013 Cost of Data Breach Study

Security Risk Assessment
Organizations should conduct an annual formal risk assessment for all systems to assess potential risks and vulnerabilities to the confidentiality, integrity, and availability of systems and data. There are several excellent resources:
• NIST Special Publication SP 800-30, Guide for Conducting Risk Assessments
• NIST Special Publication SP 800-66, Introductory Resource Guide for Implementing the HIPAA Security Rule; Appendix E of this document is the Risk Assessment Guidelines
• OCR has published “Guidance on Risk Analysis Requirements under the HIPAA Security Rule”

HHS – Encryption, Methods for Protecting
Two approved methods for protecting: encrypt or destroy.
Two types of encryption:
• Data at rest: NIST SP 800-111, Guide to Storage Encryption Technologies for End User Devices
• Data in transit: compliance with the Federal Information Processing Standard (FIPS) 140-2 requirements – 140-3 has been issued as a draft
Two methods of destruction:
• Non-electronic media: shredded or destroyed such that PII/PHI cannot be recovered
• Electronic media: cleared, purged, or destroyed consistent with NIST SP 800-88, Guidelines for Media Sanitization, such that PHI cannot be recovered

Paper Breaches included?
• HIPAA Rule: yes
• FTC Rule: No… BUT dumpster diving cases have been among their most often pursued
  – Joint prosecutions of Rite Aid and CVS with HHS
  – Using unfair and/or deceptive trade practices since 2005 in lieu of current breach regulation
• States: Generally no, only covers systems data, but round 2 of state laws is changing that

Vendor Management
Formal procedures should be established for hardware, software, or services vendor qualification. Considerations for their selection should include the following:
• Applicability of the IT solutions to the intended environment – consider the sensitivity of the data: is this PII or PHI?
• The organization’s security policies, procedures and standards, and other requirements such as resources available for operation, maintenance, and training.
• What evidence can be reviewed: security audits, pen tests, SSAE 16 SOC 1 or SOC 2 Type 2 reports, PCI DSS ROC reports

Security Frameworks

Frameworks: Areas of Information Security & Privacy Management
• Information Security Governance
• Information Risk Management and Compliance
• Information Security Program Development and Management
• Information Security Incident Management

Information Security Governance
Responsibilities and practices exercised by the board and executive management with the goal of providing strategic direction, ensuring that objectives are achieved, determining that risk is managed appropriately and verifying that the enterprise’s resources are used responsibly.
Source: Information Security Governance – Guidance for Boards of Directors and Executive Management, IT Governance Institute (ITGI)
A couple of key points:
• Establish and maintain an information security strategy in alignment with organizational goals, including a security framework to guide activities that support the strategy, including:
  – Information security policies that communicate management’s directives and guide the development of standards, procedures and guidelines
  – Business cases to support investments in information security
  – Holistic (internal and external) influences on the organization (e.g. technology, business environment, geographic location, etc.)
• Define and communicate roles and responsibilities throughout the organization
• Measure the effectiveness of the information security strategy.

Information Risk Management and Compliance
Systematic application of management policies, procedures and practices that identify, analyze, evaluate, report, treat and monitor information risks.
Some key points:
• Asset classification to ensure that measures taken to protect assets are proportional to their business value – don’t forget data
• Identify legal, regulatory, organizational and other applicable requirements to manage the risk of noncompliance to acceptable levels (e.g. HIPAA, PCI, GLBA)
• Ensure risk assessments, vulnerability assessments and threat analyses are conducted periodically to identify risk to the organization’s information
• Integrate information risk management into business and IT processes (e.g. development, procurement, project management) to promote a consistent and comprehensive information risk management process across the enterprise
• Monitor existing risk to ensure that changes are identified and managed appropriately
• Compliance does not mean your information is secure.

Governance Frameworks
Plenty of good frameworks out there – pick one:
– COBIT 5: the leading framework for the governance and management of enterprise IT.
– ISO 27001: the ISO 27000 family of standards helps organizations keep information assets secure.
– ITIL: the Information Technology Infrastructure Library (ITIL) defines the organizational structure and skill requirements of an information technology organization and a set of standard operational management procedures and practices that allow the organization to manage an IT operation and its associated infrastructure.
– NIST Cybersecurity Framework: recently announced, immature, still being developed. NIST released the first version of the Framework for Improving Critical Infrastructure Cybersecurity on February 12, 2014.
– See also the Cloud Security Alliance Cloud Controls Matrix Version 3.0.1, which compares different frameworks side by side.

Information Security Program – Development and Management
Development and documentation of activities, projects, and/or initiatives to implement the information security strategy and manage the program.
Key points:
• The program needs to align with the information security strategy and integrate with other business functions such as HR, accounting, procurement and IT
• Integrate information security requirements into organizational processes, based on Security Risk Assessment updates
• Establish and maintain information security architectures (people, process, technology) – segmentation, minimum necessary
• Robust perimeter – firewalls, DMZs, VPNs, file sharing, secure email
• Intrusion Prevention/Detection systems; consider Security Information and Event Management (SIEM)
• Consider Data Leak Prevention (DLP) technologies
• Vendor management program
• Robust change management system
• Secure software development
• Data backups, Business Impact Analysis, Business Continuity & Disaster Recovery Planning
• Develop and conduct security awareness and training
• Continually measure the program

Information Security Incident Management
Manage unexpected disruptive events, minimizing impacts and maintaining or restoring normal operations within a defined time period. This is not an IT-only plan.
Key points:
• Establish a hierarchy to accurately identify and respond to incidents
• Develop and maintain an incident response plan so you are able to respond appropriately (e.g. to legal and regulatory requirements)
• Establish external relationships, e.g. PR firm, forensic investigators, specialist counsel, insurance company (understand the cybersecurity policy – coverage as well as resources)
• Develop processes, train teams and periodically conduct tests to effectively identify and respond to information security incidents
• Establish incident escalation and notification processes
• Establish and maintain internal and external communication plans.
• Perform root cause analysis post-incident and record it as “lessons learned”.
• Integrate the incident response plan, disaster recovery plan and business continuity plan.

HIPAA Definition of Breach and Required Notification
The final regulations modify the definition of breach. Under the interim final breach notification rule, a breach would have been considered to have occurred if the access, use or disclosure posed “a significant risk of financial, reputational or other harm to an individual.” The final regulations stipulate that “an acquisition, access, use, or disclosure of protected health information in a manner not permitted…is presumed to be a breach unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the protected health information has been compromised.” If the organization believes the risk of compromise is unknown or low, it must perform a documented risk assessment. The assessment of whether there is a low probability that the protected health information has been compromised must be based on at least the following factors:
• The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification.
• The identity of the unauthorized person who used the PHI or to whom the disclosure was made.
• Whether the PHI was actually acquired or viewed.
• The extent to which the risk to the PHI has been mitigated.

HIPAA Clarification of Breach
Breaches do not include:
• Unintentional acquisition, access, or use of PHI by a workforce member or person acting under the authority of a CE or BA, if such acquisition, access, or use was made in good faith and within the scope of authority, and doesn’t result in further use or disclosure in a manner not permitted by the Privacy Rule
• Inadvertent disclosures of PHI from a person who is authorized to access protected health information at a covered entity or business associate to another person authorized to access protected health information at the same covered entity, business associate, or organized health care arrangement in which the covered entity participates
• Disclosures of PHI where a CE or a BA has a good faith belief that the unauthorized person to whom the disclosure was made wouldn’t reasonably have been able to retain such information

Responsibilities
• Be very careful with terminology – if you term it a breach, the rules kick in. Let legal make the call. And the great majority of breaches are not notice-triggering.
• A service provider should:
  – Be aware of applicable Business Associate Agreement terms.
  – Contact the covered entity when it first suspects a data breach, NOT after it has been investigated
  – Follow the instructions of the covered entity
  – Assume financial responsibility (negotiate credit monitoring costs for the number of enrollees accessing the service, not records breached) (and don’t assume insurance will cover the costs)

Questions You Should Ask of Executive and IT Management to Reduce the Risk

Questions to Reduce the Risk
• Do we perform an annual Security Risk Assessment? And do we have a program to mitigate the risks identified as they change?
• Do we have a Security Awareness Program? Do we educate employees on how to handle confidential information?
• Do we harden, update and patch systems? Does this include all systems, programs, utilities, everything?
• Do we use Intrusion Detection & Data Leak Prevention? Do we monitor sensitive data and control it leaving the organization?
• Do we utilize encryption? Data at rest and in motion, websites, peripherals, email, etc.?
• Do we have a Vendor Management Program? Do we determine if vendors are “fit for purpose”?
• Do we have an Incident Response Plan? Does it include all key partners: IT, forensics, legal, PR and management?

Conclusion
• Information security impacts all our lives on a daily basis. Due diligence and caution should be taken when divulging personal information via public networks and social media outlets.
• Controls need to be defined, documented and implemented to reduce the risk of information being viewed, accessed or compromised. A proper mixture of people, processes and technology needs to exist. And education…
• The need for information security will continue to increase, possibly exponentially, as technology continues to evolve and becomes integrated into the mainstream of business processes.
• Network perimeters once defined and controlled by business and educational institutions continue to erode (e.g. BYOD).
• Security and privacy is a continuous process, not just a product. Having good compliance does not mean you are secure.
• Vulnerability assessment and penetration testing are among the tools that can help an organization gain a better understanding of its security strengths and weaknesses.

Questions

Disclaimer
Whilst all information in this document is believed to be correct at the time of writing, the information in this presentation is for educational and awareness purposes only. For legal advice, please consult an attorney.

Speaker’s Contact Information
Alan DeVaughan, CISA, MCSE, MCSA
Advisory Services
314-824-5278
adevaughan@bswllc.com
Brown Smith Wallace, LLC
6 City Place Drive, Suite 900
St. Louis, Missouri 63141