
Cyber Security - NAHU Continuing Education Course


Page 1: Cyber Security - NAHU Continuing Education Course

CYBER SECURITY

Scott Diehl, Vice President of Product Management

a.k.a. The Tech Guy

Page 2

WORD & BROWN GENERAL AGENCY

INTRODUCTION

What is Cyber Security?

How Cyber-Safe is Your Business? / Statistics

Cyber Threats

Relevant Security and Privacy Laws

Consequences of a Breach

Tools to Aid in Cyber Security

Page 3

COURSE OBJECTIVES

• Understand Cyber Security & Common Threats

• Understand relevant security laws with which we must comply

• Understand that any Internet-connected system can be hacked and what to do in the event of a breach

• Obtain tools to aid in the event of a breach and to aid in preventing a breach

Page 4

WHAT IS CYBER SECURITY?

• History

– 1988 – The Morris Worm

• Current

– A method of preventative security measures designed to protect systems and networks from such attacks.

Page 5

FAST FACTS

• What is the cloud?

– This is storage on a centralized server owned by a hosting company

– Ex: Azure, iCloud, AWS

• Think: “Accessible Anywhere”

• Aug 31, 2014 iCloud Hack – 200 celebrity photos posted to 4chan

Page 6

WHY IS HACKING SO PREVALENT?

• $$$$

– The TOR Network

• The AlphaBay Market

– Credit Cards for Sale

– RDP Access for Sale

Page 7

HOW CAN I BE HACKED?

• Implanted Medical Devices (~2006)

• “Smart” Phone

• Connected Cars

• Communication Infrastructure (P25 Radio)

• Public Recording & Reflections (UNC Labs)

• SmartPhone Accelerometer

Page 8

PERMISSIBLE HACKING?

• Advertising

– Ex: Gmail

• You’re being tracked on the Internet at all times.

Page 9

PERMISSIBLE HACKING?

• Gary Kovacs – Firefox

– Behavioral Tracking

Page 10

PERMISSIBLE HACKING?

Gary Kovacs – Tracking the Trackers:

http://bit.ly/2cfUiWI

Page 11

HOW CYBER-SAFE IS YOUR BUSINESS & LIFE?

• 2015 Major Breaches

– Experian – 15 Million Records

– Anthem - 80 Million Records

– Target – 50 Million Records

– Home Depot – 15 Million Records

– JP Morgan Chase – 12 Million Records

Page 12

HOW CYBER-SAFE IS YOUR BUSINESS & LIFE?

• And healthcare is becoming increasingly targeted … with very good reasons … and results.

Page 13

HOW CYBER-SAFE IS YOUR BUSINESS & LIFE?

• 2016 Data Breach Category Summary (number of breaches)

Institution Type | # Breaches
Banking/Credit/Financial | 4
Business | 82
Educational | 20
Government/Military | 8
Medical/Healthcare | 63

SOURCE: 2016 DATA BREACH CATEGORY SUMMARY | IDENTITY THEFT RESOURCE CENTER

Page 14

HOW CYBER-SAFE IS YOUR BUSINESS & LIFE?

• 2016 Data Breach Category Summary (number of records exposed)

Institution Type | # Records
Banking/Credit/Financial | 4,382
Business | 365,356
Educational | 307,457
Government/Military | 102,459
Medical/Healthcare | 3,828,098

SOURCE: 2016 DATA BREACH CATEGORY SUMMARY | IDENTITY THEFT RESOURCE CENTER

Page 15

HOW CYBER-SAFE IS YOUR BUSINESS & LIFE?

• From all the news, you might assume that only big companies like these are targets.

Page 16

HOW CYBER-SAFE IS YOUR BUSINESS & LIFE?

• WRONG!

• The National Small Business Association (NSBA) released statistics showing 68% of their small business membership reported being a cyber-victim more than once.

Page 17

CYBER THREATS

• 2016 Targets

– Attacks through employees

– The cloud

– Seniors

– Automobiles

– Cloud Services

– Hardware & VMs

– Wearable Tech

– Internet Ads

– Wifi Hotspots

Page 18

CYBER THREATS

• Employee Attacks

– Phishing & Whaling

– Our security is as strong as our least-informed employee.

– Do you have employee security awareness training?

Page 19

CYBER THREATS

• The Clouds

– Microsoft Azure, Yammer

– Amazon Web Services

– Salesforce Cloud

– Cisco & Citrix

– File-Sharing: Box, Dropbox, Cubby

Page 20

CYBER THREATS

• Internet Ads

• Ads when clicked can take you to a predator site that loads viruses, malware, adware, spyware and other harmful code.

• According to the Association of National Advertisers, ad fraud cost global advertisers more than $6 Billion in 2015.

Page 21

CYBER THREATS

• Malware

• An umbrella term used to refer to a variety of forms of hostile or intrusive software, including computer viruses, worms, trojan horses, ransomware, spyware, adware, scareware and other malicious programs. It can take the form of executable code, scripts, active content and other software.

Page 22

CYBER THREATS

Google: Three tips for spotting Malware

http://bit.ly/2ctzzCU

Page 23

CYBER THREATS

• Phishing

• The attempt to acquire sensitive information such as usernames, passwords and credit card details, often for malicious reasons, by masquerading as a trustworthy entity in an electronic communication.

Page 24

CYBER THREATS

What is Phishing?

http://bit.ly/2bEYUJY

Page 25

CYBER THREATS

• Ransomware

• A type of malware that can be covertly installed on a computer without the knowledge or intention of the user, that restricts access to the infected computer system in some way and demands that the user pay a ransom to the operators to remove the restrictions.

• EX: Hollywood Presbyterian

Page 26

CYBER THREATS

Ransomware – Hollywood Presbyterian Story:

http://bit.ly/2bF06wW

Page 27

CYBER THREATS

• Whaling

• A new phenomenon

• Executive-directed

Page 28

CYBER THREATS

• Social Engineering

– Harvard Study


Page 29

CYBER THREATS

What is your Password?

https://www.youtube.com/watch?v=InTxJIF_bCo

Page 30

CYBER THREATS

• Public Wifi

– How many here are connected to the free “public” wifi?

– Are you sure you’re connected to the right network?


Page 31

RELEVANT SECURITY AND PRIVACY LAWS

• HIPAA

• Stands for?

Page 32

RELEVANT SECURITY AND PRIVACY LAWS

• HIPAA

• Enacted in 1996

• Set standards for the protection of health care information.

• Provides the ability to transfer and continue health insurance coverage for workers when they change or lose their jobs.

• Reduces health care fraud and abuse.

Page 33

RELEVANT SECURITY AND PRIVACY LAWS

• HIPAA - Factoid

• The FBI estimates that Health Care Fraud costs American taxpayers $80 Billion/yr.

• Examples?

Page 34

RELEVANT SECURITY AND PRIVACY LAWS

• What agency administers HIPAA?

• FBI

• HHS

• CMS

• CDI

Page 35

RELEVANT SECURITY AND PRIVACY LAWS

• HIPAA

– Privacy

– Portability

– Accountability

Page 36

RELEVANT SECURITY AND PRIVACY LAWS

• HIPAA – Portability

– Limits the ability for a new employer to exclude someone from coverage due to a pre-existing condition.

– Provides additional opportunities to enroll in a group health plan if you lose coverage.

– Prohibits discrimination based on health factors such as a prior medical condition.

– Guarantees that certain individuals will have access to and can renew their individual health insurance policies.

Page 37

RELEVANT SECURITY AND PRIVACY LAWS

• HIPAA – Portability

– Certificates of Creditable Coverage

• Issued after a loss of coverage, enables continuation of coverage

• Who was covered

• Start & end dates of coverage

• Details the coverage provided

Page 39

RELEVANT SECURITY AND PRIVACY LAWS

• HIPAA + ARRA – Business Associates

– General Agencies

– Insurance Brokers

– 3rd Party Administrators

Page 40

RELEVANT SECURITY AND PRIVACY LAWS

• HITECH

– Health Information Technology for Economic & Clinical Health

Page 41

RELEVANT SECURITY AND PRIVACY LAWS

• HITECH

– Strengthened the notification and penalty requirements for HIPAA violations

– Business Associates are now subject to ARRA’s civil and criminal penalty provisions.

Page 42

RELEVANT SECURITY AND PRIVACY LAWS

• HIPAA – Health Information

– Individually identifiable information that relates to:

• The past, present or future physical or mental health or condition of a member

• The provision of health care to a member of a plan

• The past, present or future payment for the provision of health care to a member

Page 43

RELEVANT SECURITY AND PRIVACY LAWS

• HIPAA – Health Information

– Examples …

• Medical Conditions

• Treatments

• Medications

• Payment Information for Health Care Services

Page 44

RELEVANT SECURITY AND PRIVACY LAWS

• HIPAA – Health Information

– PII vs. PHI

Page 45

RELEVANT SECURITY AND PRIVACY LAWS

• HIPAA – Health Information

– PII vs. PHI

– Personally Identifiable Information refers to information that can be used to uniquely identify, contact, locate a single person or that can be used by other sources to uniquely identify a single individual.

Page 46

RELEVANT SECURITY AND PRIVACY LAWS

• HIPAA – Health Information

– Personally Identifiable Information

• Name

• Phone Number

• E-mail Address

• Address

• SSN

• License Plate #

• Account Number

• City

• Medical Record Number

Page 47

RELEVANT SECURITY AND PRIVACY LAWS

• HIPAA – Health Information

– Protected Health Information (PHI)

• Any information about health status, provision of health care or payment for health care that can be linked to a specific individual

Page 48

RELEVANT SECURITY AND PRIVACY LAWS

• HIPAA – Health Information

– Protected Health Information (PHI)

• Medical Condition + SSN = PHI

• Treatments + Phone # = PHI

• Payment Info + E-Mail Address = PHI

Page 49

RELEVANT SECURITY AND PRIVACY LAWS

• HIPAA – Health Information

– EPHI?

Page 50

RELEVANT SECURITY AND PRIVACY LAWS

• HIPAA – Health Information

– EPHI

• Emails which contain PHI.
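The slides' rule (health information combined with an identifier such as an SSN, phone number or e-mail address = PHI, and an e-mail carrying it is ePHI) can be turned into an outbound-mail check. The following is an added example, not material from the course or from Word & Brown; the identifier patterns, the health-term list and the three sample messages are assumptions constructed for illustration.

```python
import re

# Constructed sample messages (not taken from the slides): health fact plus
# identifier, identifier only, and health term only.
SAMPLE_EMAILS = [
    "Hi Dana, the member's diagnosis is type 2 diabetes; SSN 123-45-6789 for the claim.",
    "Please update the mailing address for account number 4471-2200.",
    "Reminder: the wellness webinar covers treatment options for hypertension.",
]

# Identifier (PII) patterns for items the slides list: SSN, phone, e-mail, account number.
# These are illustrative assumptions, not a complete PII catalogue.
PII_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\(?\d{3}\)?[-. ]\d{3}[-. ]\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b"),
    "account_number": re.compile(r"\baccount\s+number\s+[\w-]+", re.IGNORECASE),
}

# Health-information terms: condition, treatment, medication, payment for care (assumed list).
HEALTH_TERMS = ("diagnosis", "condition", "treatment", "medication",
                "prescription", "claim", "diabetes", "hypertension")


def classify(text: str) -> dict:
    """Apply the slides' rule: health information + an identifier = PHI.
    Returns the identifiers and health terms found and the PHI verdict."""
    identifiers = [name for name, pat in PII_PATTERNS.items() if pat.search(text)]
    lowered = text.lower()
    health = [term for term in HEALTH_TERMS if term in lowered]
    return {"identifiers": identifiers, "health_terms": health,
            "is_phi": bool(identifiers) and bool(health)}


def outbound_email_check(text: str, encrypted: bool) -> str:
    """Gate an outbound message: ePHI may only leave over an encrypted channel."""
    result = classify(text)
    if result["is_phi"] and not encrypted:
        return "BLOCK: ePHI in unencrypted email"
    if result["is_phi"]:
        return "ALLOW: ePHI, encrypted"
    return "ALLOW: no PHI detected"


if __name__ == "__main__":
    for msg in SAMPLE_EMAILS:
        print(outbound_email_check(msg, encrypted=False), "|", classify(msg))
```

Only the first message is blocked: it pairs a medical condition with an SSN, exactly the "Medical Condition + SSN = PHI" case on the slides, while an identifier alone or a health term alone is not PHI.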

Page 51

RELEVANT SECURITY AND PRIVACY LAWS

• PCI DSS

– Payment Card Industry – Data Security Standard

Page 52

RELEVANT SECURITY AND PRIVACY LAWS

• State Laws

– like California SB 1386 & AB 1710

– Security Breach Notification, 2003

– Purchased Data, 2014

Page 53

CONSEQUENCES OF A BREACH

• Identify a breach

– Incorrectly sending PHI to the wrong email address

– Sending email unencrypted (use SSL/TLS or an encryption service)

– Intrusion

– Improper disclosure

– Lost Information

Page 54

CONSEQUENCES OF A BREACH

• Identify a breach

– ITRC defines a breach as “an incident in which sensitive, protected, or confidential data has potentially been viewed, stolen, or used by an individual unauthorized to do so.”

Page 55

CONSEQUENCES OF A BREACH

• Fines

– Violations range from $100.00 to $50,000 per violation per day.

– Ignorance is no excuse!

Page 56

CONSEQUENCES OF A BREACH

• No one can put the consequences more eloquently than someone who has suffered a breach.

• Monica Lewinsky

Page 57

CONSEQUENCES OF A BREACH

Monica Lewinsky – The Price of Shame:

https://www.youtube.com/watch?v=xvSxxpFKJ5w

Page 58

CONSEQUENCES OF A BREACH

• HIPAA Violation Fines

• Loss of clients

• Loss of reputation

• Personal liabilities – including consequences at work

Page 59

TOOLS TO AID IN CYBER SECURITY

• BE PREPARED

– Identify a procedure for breach protocol

– Designate someone to understand compliance

– Have an investigative process in place to define a breach

Page 60

TOOLS TO AID IN CYBER SECURITY

• BE PREPARED

– Use 2-Factor Authentication

– Strong Passwords (get a password manager for your phone!)

– Avoid unknown Android Apps (20K apps with Malware)

– Don’t use public Wifi

Page 61

Thank you!

If you have any questions: [email protected]