11/9/2017
1
PROTECTING HEALTH CARE PROVIDERS FROM CYBER & FRAUD THREATS
H. Bryan Callahan, CPA, CFF, CFE, [email protected]
Jan Hertzberg, CIPP, [email protected]
November 9, 2017
TO RECEIVE CPE CREDIT
• Participate in entire webinar
• Answer polls when they are provided
• If you are viewing this webinar in a group, complete group attendance form with
  – Title & date of live webinar
  – Your company name
  – Your printed name, signature & email address
  All group attendance sheets must be submitted to [email protected] within 24 hours of live webinar
• If all eligibility requirements are met, each participant will be emailed their CPE certificates within 15 business days of live webinar
Your Presenter: Jan Hertzberg, Director
• Cybersecurity practice leader
• More than 30 years of experience providing IT audit, risk, cybersecurity & privacy compliance services
Your Presenter: Bryan Callahan, Director
• BKD East Region forensic services leader
• More than 13 years of experience in forensic accounting & investigations
Objectives
• Internal Fraud & Embezzlement
• Health Care Cyber Threats
Cyber Risk Management
• Describe how the health care cybersecurity risk landscape has changed
• Ransomware – the “new” threat
• How to survive a breach
Rapidly Evolving Cyber Threats – Motivational Shifts
Additive motivation progression line: the actors range from fraudsters through hacktivists to nation-states, and the motivations accumulate from theft to disruption to destruction.
Examples from the News (2016–2017)
• Ransomware canceled operations in a Pennsylvania-based health care system
• Ransomware malware encrypted X-ray images, files & documents for 128k patients
• Ransomware attack that limited internal web services & prompted an internal state of emergency
• Unauthorized third-party access of a database containing personal data of 34k patients
Top Cybercrimes
• Ransomware
• Business email compromise
• Corporate account takeover
• Identity theft
• Theft of sensitive data
• Theft of intellectual property
• Denial of service
Ransomware – The Threat
• U.S. government interagency report: there have been 4,000 daily attacks since early 2016 (300% increase over 2015)
• Exploits human & technical weakness to gain access to infrastructure & deny the organization its own data
• Malicious software infects systems, e.g., medical devices, & encrypts user data
• HIPAA Security Rule requires
  – Conducting risk analysis to identify threats & vulnerabilities; remediating gaps
  – Implementing procedures to guard against & detect malware
  – Training users to detect & report malware
  – Implementing access controls to limit access to ePHI to only those persons or software programs requiring access
Case Study
Issue: A midsize hospital sustained two consecutive ransomware attacks, which greatly disrupted access to patient records. After the first attack, hardware & software upgrades were identified; however, budgetary constraints delayed their purchase. There was no formal incident response plan.
Solution: After the second attack, the hospital hired a forensic investigator to perform a forensic evaluation of the attack, verify its extent & eradicate malware from the IT environment. The hospital also had a cybersecurity assessment performed to identify additional vulnerabilities.
Results: The hospital was compelled to pay the ransom; yet eventually it was able to evaluate & purge the malware. The assessment successfully identified additional improvements to strengthen cybersecurity controls.
Example: Business Email Compromise
• Hospital admin receives email from the “CFO” requesting all employee W-2s pursuant to an IRS inquiry
• Needs it today (received in the afternoon)
• Admin puts it all together into one PDF, alphabetized
• Hacker responds, telling her, “this is more than I had hoped for”
• Compromised W-2 information sold on the underground market
• Numerous employees contacted by the real IRS about issues with their returns, or asked why they submitted two returns

Why It Succeeds
“The state is screaming at me & I need to send them all employee W-2s. I need this ASAP!” – the Boss
“You don’t want to be the one to hold up payment of that invoice—I need the money sent immediately!”
• Sense of urgency
• “Weakest link” attributes
• Similarity in tone & wording
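The example turns on two things a mail gateway or SOC rule can actually test: the sender is not who the display name says (or replies are routed somewhere else), and the message pushes for data or money right now. The following is an added example, not material from the webinar, that scores messages on exactly those signals. The internal domain example-hospital.org, the executive directory, the keyword lists and the three sample messages are all constructed for the illustration.

```python
"""Header and content checks for executive-impersonation e-mail.

Added example, not from the webinar. The internal domain, executive
directory, keyword lists and sample messages are constructed.
"""
import re
from email import message_from_string
from email.utils import parseaddr

INTERNAL_DOMAIN = "example-hospital.org"                 # assumed
EXECUTIVES = {                                           # constructed directory
    "pat morgan": "pat.morgan@example-hospital.org",     # hypothetical CFO
    "chris lee": "chris.lee@example-hospital.org",       # hypothetical CEO
}
URGENCY = re.compile(r"\b(asap|immediately|today|urgent|right away)\b", re.I)
SENSITIVE = re.compile(r"\b(w-?2s?|wire|payroll|bank account|ssn)\b", re.I)


def _domain(addr: str) -> str:
    return addr.rpartition("@")[2].lower()


def assess(raw: str) -> dict:
    """Return header and content indicators for one RFC 5322 message.

    A message is marked suspicious only when a header anomaly (the sender
    is not who it claims to be) coincides with a content signal (urgency
    or a request for data/money). Urgency alone is normal traffic: the
    real CFO also needs things today.
    """
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = f"{msg.get('Subject', '')}\n{body}"

    header = []
    expected = EXECUTIVES.get(name.strip().lower())
    if expected and addr.lower() != expected:
        # Executive's display name on an address that is not theirs
        header.append("executive display name with foreign address")
    if reply_addr and _domain(reply_addr) != _domain(addr):
        # Replies diverted to a domain the From header does not show
        header.append("reply-to domain differs from sender domain")

    content = []
    if URGENCY.search(text):
        content.append("urgency language")
    if SENSITIVE.search(text):
        content.append("request for sensitive data or funds")

    return {"from": addr, "header_indicators": header,
            "content_indicators": content,
            "suspicious": bool(header) and bool(content)}


# Constructed sample messages (not real traffic)
SAMPLES = {
    "impersonation": (
        "From: Pat Morgan <pat.morgan@gmail-mail.example>\n"
        "To: admin@example-hospital.org\n"
        "Subject: W-2s needed today\n\n"
        "The state is screaming at me and I need all employee W-2s ASAP.\n"),
    "legitimate": (
        "From: Pat Morgan <pat.morgan@example-hospital.org>\n"
        "To: admin@example-hospital.org\n"
        "Subject: Budget meeting\n\n"
        "Can we move Thursday's meeting to 3pm?\n"),
    "reply_to_diversion": (
        "From: Chris Lee <chris.lee@example-hospital.org>\n"
        "Reply-To: <ceo.chris.lee@mailbox.example>\n"
        "Subject: Invoice\n\n"
        "You don't want to hold up payment; wire the funds immediately.\n"),
}


def triage(samples: dict = SAMPLES) -> dict:
    """Map each sample name to whether it was flagged."""
    return {k: assess(v)["suspicious"] for k, v in samples.items()}


if __name__ == "__main__":
    for k, v in SAMPLES.items():
        print(k, assess(v))
```

In production the executive directory comes from the identity store rather than a literal, and an SPF/DKIM/DMARC failure on the From domain belongs alongside the two header checks; the point of the design is that urgency wording by itself never fires, which keeps the rule from paging on the real CFO's end-of-quarter mail.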
Ransom Letter
Potential Breach Impacts
• Negative publicity
• Regulatory sanctions
• Refusal to share personal information
• Damage to brand
• Regulator scrutiny
• Legal liability
• Fines
• Damaged patient relationships
• Damaged employee relationships
• Deceptive or unfair trade charges
• Diversion of resources
• Lost productivity
Interesting Statistics
• Timing
  – In 93% of breaches, it took attackers minutes or less to compromise systems (Adobe products were the easiest to exploit; Mozilla’s the most difficult)
  – In 83% of cases, it took weeks or more to discover that an incident had occurred
  – Attackers take the easiest route (63% leveraged weak, default or stolen passwords)
  – 95% of breaches were made possible by nine patterns, including poor IT support processes, employee error & insider/privilege misuse of access
• Companies go back to basics once breached
  – 53% training & awareness
  – 49% additional manual controls
  – 52% expanded use of encryption
  – 19% security certification or audit
Source: Verizon 2016 Data Breach Investigations Report
Cost of Data Breaches (chart; source: Ponemon 2016 Cost of Data Breach Study)
What Drives Cost of Breaches? (chart)
Factors that increase cost: third-party error, slow notification, lost or stolen devices
Factors that decrease cost: experts engaged, CISO appointment, strong security posture, incident response plan
Dollar figures shown on the slide: $43, $37, $10, $13, $23, $34, $42
Surviving an Incident: Breach Planning
Key Components
1. Policy – establishes goals & vision for the breach response process, defined scope (application & circumstances), roles & responsibilities, standards, metrics, feedback, remediation & requirements for awareness training
2. Plan – covers all phases of the response activities
3. Procedures – derive from the plan & codify the specific tasks, actions & activities that are part of the breach response effort
Incident Response Plan: Contents
• Individuals/team that will lead the breach response process & make the final determination that an actual breach has occurred
• Emergency contacts
• Reporting a breach
  – Internal reporting system to alert legal, senior management, communications, employees, board of directors & others
  – External reporting to customers, business partners, public at large
• Information on relevant regulatory & law enforcement agencies that must be contacted
• Steps required to assess scope of breach & preparation of response (including containment, eradication & recovery)
• Post-mortem assessment, remediation, ongoing training

Roles
• Designated incident lead
  – One individual (& backup) has been designated to coordinate the response
  – Acts as go-between for management & response team
  – Typically someone from legal
  – Coordinates efforts among all groups, notifies appropriate people within the company & externally, documents the response, identifies key tasks & estimates remediation costs
• Who makes the call?
  – Consists of representatives from IT/security, legal & senior leadership
  – Once the facts are gathered, the most senior-level executive makes the determination that a breach has/has not occurred & "breaks the glass" to execute the response plan
Emergency Contacts & Internal Reporting System
• Emergency contact list should include
  – Representative(s) of executive management team
  – Legal, privacy & compliance
  – Operations (security & IT)
  – Customer service &/or HR
  – Communications/public relations
  – Representatives of third-party vendors
  – Outside experts
• Incident response plan should designate the structure of the internal reporting system

Reporting a Breach
• There should be a widely understood mechanism for all employees to report a suspected breach of sensitive information
• There should be recurring training for all staff that includes
  – What constitutes a breach
  – What does NOT constitute a breach
  – How/what to communicate to patients, employees, board, regulators, media, etc., should a breach be suspected
• Plan should be tested & rehearsed (tabletop testing) not less than once per year
Forensic Activities, Lessons Learned & Assessing Vulnerabilities
• Incident plan should contain the steps necessary to contain the breach & conduct a preliminary internal assessment of the scope of the breach, considering the following
  – Isolating the affected system to prevent further release
  – Reviewing/activating auditing software
  – Preserving pertinent system logs
  – Making backup copies of altered files, to be kept secure
  – Identifying systems that connect to the affected system
  – Retaining an external forensic expert to assist with the investigation
  – Documenting conversations with law enforcement & steps taken to restore the integrity of the system
• Take stock of the breach results
  – What did we do correctly?
  – What improvements need to be made?
• Assess additional risks that may exist yet have not been identified
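Two of the steps above, preserving pertinent system logs and keeping secured backup copies of altered files, are only worth anything later if the copies can be shown to be unchanged since collection. The following is an added example, not the presenters' procedure or tooling: a minimal preservation routine that copies each file into a case directory, records the SHA-256 of the source and of the copy in a manifest, and re-verifies the copies on demand so that any later alteration (including by the malware that is still being eradicated) is detected. The log lines, file names and collector name are constructed.

```python
"""Preserve logs and altered files with integrity hashes and a manifest.

Added example, not from the webinar. File names, contents and the
collector name are constructed for illustration.
"""
import hashlib
import json
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream-hash a file so large logs do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def collect(sources, case_dir: Path, collector: str) -> dict:
    """Copy each source into case_dir and write manifest.json beside it."""
    case_dir.mkdir(parents=True, exist_ok=True)
    entries = []
    for src in map(Path, sources):
        before = sha256_of(src)              # hash the live source first
        dst = case_dir / src.name
        shutil.copy2(src, dst)               # copy2 keeps the mtime metadata
        after = sha256_of(dst)
        if before != after:                  # the copy itself is untrustworthy
            raise RuntimeError(f"copy of {src} altered its contents")
        entries.append({
            "source": str(src),
            "copy": str(dst),
            "sha256": after,
            "size": dst.stat().st_size,
            "source_mtime": datetime.fromtimestamp(
                src.stat().st_mtime, timezone.utc).isoformat(),
        })
    manifest = {
        "collected_at": datetime.now(timezone.utc).isoformat(),
        "collector": collector,
        "files": entries,
    }
    (case_dir / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def verify(case_dir: Path) -> dict:
    """Re-hash every preserved copy; map copy path -> still intact?"""
    manifest = json.loads((case_dir / "manifest.json").read_text())
    return {e["copy"]: sha256_of(Path(e["copy"])) == e["sha256"]
            for e in manifest["files"]}


def demo() -> tuple:
    """Build constructed logs, preserve them, tamper with one copy, re-verify."""
    work = Path(tempfile.mkdtemp())
    auth = work / "auth.log"                 # constructed sample log
    auth.write_text("Jan 11 02:14:07 ehr01 sshd[4417]: Accepted password "
                    "for svc_backup from 10.0.9.23\n")
    web = work / "access.log"                # constructed sample log
    web.write_text('10.0.9.23 - - [11/Jan/2017:02:15:01] "POST /upload.php" 200\n')
    case = work / "case-0001"
    manifest = collect([auth, web], case, collector="analyst (constructed)")
    intact_before = verify(case)
    (case / "auth.log").write_text("cleaned\n")   # simulate post-collection tampering
    intact_after = verify(case)
    return manifest, intact_before, intact_after


if __name__ == "__main__":
    m, before, after = demo()
    print(json.dumps(m, indent=2))
    print("before tampering:", before)
    print("after tampering:", after)
```

Hashing a live source and copying it is what you do for logs on a server that cannot be taken offline (the patient-record system in the case study); for a disk that can be pulled, the external forensic expert will image it through a write blocker instead. Either way, the manifest (or at least its hash) should be stored somewhere the compromised environment cannot reach, or the manifest is just another file the attacker can rewrite.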
Objectives
Internal Fraud & Embezzlement
Health Care Cyber Risk
Agenda
• Recent Trends in Fraud – 2016 Report to the Nations
• Fraud in Health Care
• Utilizing Technology to Mitigate Risk
[Charts from the ACFE Report to the Nations on Occupational Fraud and Abuse; ©2014 & ©2016 Association of Certified Fraud Examiners, Inc.]
Profile of Fraud Perpetrator
• No prior criminal history (only about 5% had a prior fraud conviction)
• Well liked by co-workers
• Likes to give gifts/compulsive shopper
• Gambling problems not unusual
• Long-term employee
• Rationalizes, starts small or “borrows”
• Lifestyle clues
©2016 Association of Certified Fraud Examiners, Inc.
Real Example #1 – Surgery Center
• Director of surgery center
• Collusion with manager
• $500,000 taken over three-year period
• Five methods
  – Personal use of credit cards
  – AP checks
  – ACH payments
  – Cash withdrawals
  – Payroll
• Lessons learned – red flags

Real Example #2 – Recruitment Agreement
• Surgeon enters into physician recruitment agreement (PRA) in 2007, later extended
• Guaranteed $37,500 income per month through July 2013
• Rolls into loan, forgiven over six years
• Tip
• Investigation
• Bankruptcy
• Amount
• Result
Real Example #3
• Acted alone
• Did not have credit card in his name
• Used his supervisor’s card (memorized credit card number)
• Long-term employee
• Red flags noted
• Amount

Preventive Measures
“An ounce of prevention is worth a pound of cure” – Ben Franklin
Definitions
Big Data – information of extreme size, diversity & complexity
Data Analytics – … processes & activities designed to obtain & evaluate data to extract useful information & answer strategic questions …
Source: Gartner, Inc., http://www.gartner.com/technology/topics/big-data.jsp
Summary of Categories (purchasing-card transactions by job title; "-" = none)

Job | Total Transactions ($) | Transaction Count | Categorical Hits | Holiday Transactions | Transactions with Keywords | Transactions at Merchants of Interest | Potential Split Transactions | Transactions on PTO | Round Hundred Dollar Transactions | Weekend Transactions
Sales Representative | 1,239,885.17 | 16,131 | 6 | 52 | 215 | 178 | - | 81 | 21 | 1,463
Vice President Sales | 564,654.06 | 4,112 | 6 | 15 | 7 | 62 | - | 13 | 4 | 459
Technical Sales Rep | 524,032.93 | 5,504 | 6 | 19 | 61 | 34 | - | 40 | 2 | 587
Business Unit Manager | 495,998.25 | 5,001 | 6 | 16 | 10 | 79 | - | 12 | 2 | 454
Customer Service Rep | 270,665.16 | 3,272 | 6 | 13 | 3 | 56 | - | 22 | 1 | 300
Executive Vice President | 263,505.40 | 1,724 | 6 | 14 | 7 | 31 | - | 2 | 7 | 189
Regional Vice President | 223,448.47 | 1,819 | 6 | 5 | 59 | 11 | - | 15 | 2 | 178
VP Operations | 194,824.17 | 1,433 | 6 | 11 | 1 | 7 | - | 5 | 1 | 181
Print Production Manager | 190,866.42 | 2,310 | 6 | 9 | 4 | 19 | - | 10 | 2 | 185
General Manager | 156,892.40 | 1,915 | 6 | 5 | 21 | 4 | - | 23 | 2 | 215
Plant Manager | 101,922.90 | 1,324 | 6 | 2 | 5 | 6 | - | 15 | 2 | 141
Production Manager | 87,231.55 | 949 | 6 | 1 | 12 | 3 | - | 13 | 5 | 72
n/a | 406,902.25 | 3,704 | 5 | 10 | 20 | 75 | - | - | 2 | 316
Sales Division Manager | 297,656.65 | 2,470 | 5 | 10 | 3 | 31 | - | 3 | - | 217
Operations Manager | 106,736.03 | 1,221 | 5 | 4 | 5 | 20 | - | 7 | - | 106
IT Manager | 100,892.16 | 759 | 5 | 2 | 5 | 29 | - | 2 | - | 132
Finance Manager | 79,946.48 | 507 | 5 | 1 | - | 7 | - | 1 | 4 | 39
Chief Financial Officer | 77,086.00 | 317 | 5 | 1 | 15 | 1 | - | 1 | - | 27
CEO & President | 72,371.44 | 433 | 5 | 6 | 5 | 1 | - | 1 | - | 60
Business Development Mgr | 64,449.41 | 803 | 5 | 1 | 3 | 15 | - | - | 1 | 58
Quality Control Manager | 50,332.81 | 634 | 5 | 1 | - | 7 | - | 5 | 1 | 42

Weekend Purchases

Transaction Date | Transaction Amount | Merchant Name | Original City Name | State/Province | Expense Description
7/7/2013 | 79.08 | SHERIDAN NURSERIES EST | MISSISSAUGA | ON |
10/5/2013 | 28.20 | VALUE VILLAGE #2027 | MISSISSAUGA | ON |
10/12/2013 | 56.44 | HOMESENSE 013 | ETOBICOKE | ON |
1/11/2014 | 124.42 | CLOVERDALE HOME HARDWA | ETOBICOKE | ON |
1/11/2014 | 50.76 | KITCHEN STUFF PLUS #7 | ETOBICOKE | ON |
1/11/2014 | 14.63 | HOME OUTFITTERS #5116 | TORONTO | ON |
1/11/2014 | 22.59 | TARGET CANADA T3715 | TORONTO | ON |
1/11/2014 | 31.56 | HOMESENSE 013 | ETOBICOKE | ON |
2/2/2014 | 36.01 | HOUSE WARMINGS INC | OAKVILLE | ON |
2/23/2014 | 235.04 | LULULEMON 262 | ETOBICOKE | ON |
Keyword Search

Transaction Date | Transaction Amount | Merchant Name | Original City Name | Expense Description
9/7/2013 | 48.22 | ALBERTSONS #4132 | DALLAS | personal expense to be reimbursed by Amy
8/11/2013 | 6.36 | STARBUCKS #02240 WOODR | WOODRIDGE | Card used in error - will send check
12/5/2013 | 17.71 | NOODLES CO 611 | LAGRANGE | Check Included - personal mistake
11/2/2013 | 2,000.00 | PTI MARKETING TECH | 8588476613 | This was billed by mistake and was credited on January 2014 statement
3/26/2014 | 65.04 | FRONT STREET CAFE | NEW RICHMOND | Personal Expense Check Inclosed
6/29/2013 | 44.90 | LILYDALE BP QPS | LILYDALE | gas for personal vehicle
7/3/2013 | 31.10 | HOLIDAY STNSTORE 0336 | BROOKLYN PARK | gas for personal vehicle
7/9/2013 | 48.05 | LILYDALE BP QPS | LILYDALE | gas for personal vehicle
7/13/2013 | 46.36 | LILYDALE BP QPS | LILYDALE | gas for personal vehicle
7/17/2013 | 35.92 | HOLIDAY STNSTORE 0336 | BROOKLYN PARK | gas for personal vehicle
7/19/2013 | 41.19 | HOLIDAY STNSTORE 0336 | BROOKLYN PARK | gas for personal vehicle
7/21/2013 | 35.58 | LILYDALE BP QPS | LILYDALE | gas for personal vehicle
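The categories in the three tables above (weekend, holiday, keyword, merchant of interest, potential split, PTO-day and round-hundred-dollar transactions) are each a one-line test, and the Summary of Categories table is just those tests tallied per cardholder. The following is an added example, not the presenters' analytics tooling, that runs them over a constructed set of purchasing-card transactions and produces the same kind of per-cardholder tally. The holiday and PTO calendars, the keyword list, the merchant list, the $500 single-purchase limit used for the split test and the transactions themselves are all assumptions made for the illustration; the split test is the one category the tables leave empty, so the example shows what it would catch.

```python
"""Purchasing-card transaction tests behind the Summary of Categories.

Added example, not the presenters' tooling. Calendars, keyword and
merchant lists, the purchase limit and all transactions are constructed.
"""
import re
from collections import Counter, defaultdict
from datetime import date

HOLIDAYS = {date(2013, 7, 4), date(2013, 12, 25)}                  # assumed
PTO = {"j.doe": {date(2013, 7, 9)}, "a.roe": set()}                  # assumed
KEYWORDS = re.compile(r"\b(personal|mistake|error|gift|reimburse\w*)\b", re.I)
MERCHANTS_OF_INTEREST = ("LULULEMON", "HOMESENSE", "VALUE VILLAGE")  # assumed
SINGLE_PURCHASE_LIMIT = 500.00                                       # assumed

# Constructed transactions: (cardholder, date, amount, merchant, description)
TRANSACTIONS = [
    ("j.doe", date(2013, 7, 7), 79.08, "SHERIDAN NURSERIES EST", ""),
    ("j.doe", date(2013, 7, 9), 48.05, "LILYDALE BP QPS", "gas for personal vehicle"),
    ("j.doe", date(2013, 7, 4), 300.00, "HOME DEPOT 1201", ""),
    ("j.doe", date(2013, 8, 2), 450.00, "OFFICE SUPPLY CO", "printer"),
    ("j.doe", date(2013, 8, 2), 420.00, "OFFICE SUPPLY CO", "toner"),
    ("a.roe", date(2013, 11, 2), 2000.00, "PTI MARKETING TECH", "billed by mistake"),
    ("a.roe", date(2014, 2, 23), 235.04, "LULULEMON 262", ""),
    ("a.roe", date(2014, 2, 24), 36.01, "HOUSE WARMINGS INC", ""),
]


def flag(tx) -> set:
    """Return the names of the single-transaction categories one record hits."""
    holder, day, amount, merchant, desc = tx
    hits = set()
    if day.weekday() >= 5:                       # Saturday or Sunday
        hits.add("weekend")
    if day in HOLIDAYS:
        hits.add("holiday")
    if day in PTO.get(holder, ()):               # card used while on leave
        hits.add("pto")
    if amount >= 100 and amount % 100 == 0:      # 300.00, 2,000.00, ...
        hits.add("round_hundred")
    if KEYWORDS.search(desc):                    # "personal", "mistake", ...
        hits.add("keyword")
    if any(m in merchant.upper() for m in MERCHANTS_OF_INTEREST):
        hits.add("merchant_of_interest")
    return hits


def potential_splits(transactions) -> set:
    """Indices of same-holder, same-merchant, same-day purchases that are
    each under the limit but together reach it: the classic split to
    stay under a per-transaction cap."""
    groups = defaultdict(list)
    for i, (holder, day, amount, merchant, _) in enumerate(transactions):
        if amount < SINGLE_PURCHASE_LIMIT:
            groups[(holder, day, merchant)].append(i)
    flagged = set()
    for idxs in groups.values():
        if len(idxs) > 1 and sum(transactions[i][2] for i in idxs) >= SINGLE_PURCHASE_LIMIT:
            flagged.update(idxs)
    return flagged


def summarize(transactions) -> dict:
    """Per-cardholder total, count and category counts, like the slide's table."""
    splits = potential_splits(transactions)
    out = defaultdict(lambda: {"total": 0.0, "count": 0, "hits": Counter()})
    for i, tx in enumerate(transactions):
        row = out[tx[0]]
        row["total"] = round(row["total"] + tx[2], 2)
        row["count"] += 1
        cats = flag(tx) | ({"potential_split"} if i in splits else set())
        row["hits"].update(cats)
    return dict(out)


if __name__ == "__main__":
    for holder, row in summarize(TRANSACTIONS).items():
        print(holder, row["total"], row["count"], dict(row["hits"]))
```

The tests are deliberately crude: a hit is a reason to pull the receipt, not a finding. What makes the approach work at scale is the tally per cardholder, which is why the slide's table is sorted by total spend and carries a count of categories hit rather than listing every flagged line.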
Examples of Uses in Examinations: accounts payable, payroll, general ledger, purchasing cards
Employee/Vendor Matching
Address Mining – Mailbox Services
Address Mining – Proximity

Vendor Trending Analysis
Vendor: JLM Plumbing; Authorized: Janice L. McPhearson (note that the vendor name matches the authorizer's initials)
Pattern in the payment series: test phase, then acceleration as confidence builds, then getting greedy
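Employee/vendor matching, the address-mining slides and the vendor trend above are three views of the same vendor-master data, and the checks are mechanical once the fields are normalized. The following is an added example, not the presenters' tooling. It normalizes addresses and phone numbers so that an employee record and a vendor record that share them line up, tests whether a vendor's name matches the approving employee's initials (the JLM Plumbing / Janice L. McPhearson case on the slide), and walks a vendor's monthly payment totals looking for the test-then-accelerate pattern. The employee and vendor records, the bank account values, the payment amounts and the abbreviation table are all constructed; the 1.5x month-over-month threshold and three-month run length are assumptions.

```python
"""Employee/vendor matching and vendor payment trending.

Added example, not the presenters' tooling. All records, payments and
thresholds are constructed or assumed for the illustration.
"""
import re
from collections import defaultdict
from datetime import date

EMPLOYEES = [  # constructed employee master
    {"name": "Janice L. McPhearson", "address": "12 Maple Ave., Apt 3, Springfield, MO 65801",
     "phone": "(417) 555-0142", "bank": "021000021:112233"},
    {"name": "Omar Reyes", "address": "900 Elm Street, Springfield, MO 65802",
     "phone": "417-555-0177", "bank": "021000021:998877"},
]
VENDORS = [  # constructed vendor master
    {"name": "JLM Plumbing", "address": "12 MAPLE AVENUE #3 SPRINGFIELD MO 65801",
     "phone": "4175550142", "bank": "021000021:112233", "approver": "Janice L. McPhearson"},
    {"name": "Acme Medical Supply", "address": "1 Industrial Pkwy, Tulsa, OK 74101",
     "phone": "918-555-0100", "bank": "103000017:556677", "approver": "Omar Reyes"},
]
PAYMENTS = [  # constructed (vendor, date, amount)
    ("JLM Plumbing", date(2016, 1, 15), 480.00), ("JLM Plumbing", date(2016, 2, 12), 520.00),
    ("JLM Plumbing", date(2016, 4, 8), 2400.00), ("JLM Plumbing", date(2016, 5, 6), 4950.00),
    ("JLM Plumbing", date(2016, 6, 10), 9800.00), ("JLM Plumbing", date(2016, 7, 8), 24500.00),
    ("Acme Medical Supply", date(2016, 1, 20), 3100.00),
    ("Acme Medical Supply", date(2016, 2, 18), 2950.00),
    ("Acme Medical Supply", date(2016, 3, 17), 3200.00),
]
ABBREV = {"AVENUE": "AVE", "STREET": "ST", "APARTMENT": "APT",   # assumed table
          "SUITE": "STE", "PARKWAY": "PKWY"}


def norm_address(a: str) -> str:
    """Upper-case, drop punctuation, abbreviate, drop unit labels."""
    tokens = re.sub(r"[^\w\s]", " ", a.upper()).split()
    tokens = [ABBREV.get(t, t) for t in tokens]
    return " ".join(t for t in tokens if t not in ("APT", "UNIT", "STE"))


def norm_phone(p: str) -> str:
    digits = re.sub(r"\D", "", p)
    return digits[-10:]                      # drop a leading country code


def initials(name: str) -> str:
    return "".join(t[0] for t in re.findall(r"[A-Za-z]+", name)).upper()


def initials_match(vendor_name: str, employee_name: str) -> bool:
    first = vendor_name.split()[0].upper()
    return 2 <= len(first) <= 4 and first == initials(employee_name)


def match_vendors(vendors, employees) -> list:
    """(vendor, employee, reasons) for every vendor that lines up with an employee."""
    hits = []
    for v in vendors:
        for e in employees:
            reasons = []
            if norm_address(v["address"]) == norm_address(e["address"]):
                reasons.append("address")
            if norm_phone(v["phone"]) == norm_phone(e["phone"]):
                reasons.append("phone")
            if v["bank"] == e["bank"]:
                reasons.append("bank account")
            if v["approver"] == e["name"] and initials_match(v["name"], e["name"]):
                reasons.append("approver initials")
            if reasons:
                hits.append((v["name"], e["name"], reasons))
    return hits


def monthly_totals(payments, vendor) -> list:
    by_month = defaultdict(float)
    for name, day, amount in payments:
        if name == vendor:
            by_month[(day.year, day.month)] += amount
    return [by_month[k] for k in sorted(by_month)]


def acceleration(series, factor=1.5) -> int:
    """Length of the longest run where each month is >= factor x the previous.
    A run of three or more is the acceleration/greedy pattern from the slide."""
    best = run = 0
    for prev, cur in zip(series, series[1:]):
        run = run + 1 if prev > 0 and cur >= factor * prev else 0
        best = max(best, run)
    return best


if __name__ == "__main__":
    print(match_vendors(VENDORS, EMPLOYEES))
    for v in ("JLM Plumbing", "Acme Medical Supply"):
        print(v, monthly_totals(PAYMENTS, v), acceleration(monthly_totals(PAYMENTS, v)))
```

The bank-account match is the strongest of the four because it is the one field the employee cannot plausibly share with a real vendor by coincidence; address and phone matches also surface the mailbox-service and proximity cases on the earlier slides once the vendor list is compared against a commercial mail-receiving-agency list or geocoded against employee addresses. The trend test is read alongside the match, not instead of it: a legitimate contractor can also ramp up, but a ramp on a vendor whose bank account belongs to the approver is the pattern the slide describes.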
QUESTIONS?
CONTINUING PROFESSIONAL EDUCATION (CPE) CREDITS
BKD, LLP is registered with the National Association of State Boards of Accountancy (NASBA) as a sponsor of continuing professional education on the National Registry of CPE Sponsors. State boards of accountancy have final authority on the acceptance of individual courses for CPE credit. Complaints regarding registered sponsors may be submitted to the National Registry of CPE Sponsors through its website: www.nasbaregistry.org.
The information contained in these slides is presented by professionals for your information only & is not to be considered as legal advice. Applying specific information to your situation requires careful consideration of facts & circumstances. Consult your BKD advisor or legal counsel before acting on any matters covered.
CPE CREDIT
• CPE credit may be awarded upon verification of participant attendance
• For questions, concerns or comments regarding CPE credit, please email the BKD Learning & Development Department at [email protected]

THANK YOU! FOR MORE INFORMATION
Bryan Callahan | 317.383.4000 | [email protected]
Jan Hertzberg | 630.282.9600 | [email protected]