2. Joshua Spencer
AVP & Chief Information Security Officer, UT Southwestern Medical Center
Cyber-security Researcher
Certified Ethical Hacker (C|EH)
3. Overview
Why do hackers want my healthcare data?
Who wants to steal it?
How do they do it?
What is the impact of a breach?
How do I protect against it?
4. Why do hackers want my healthcare data?
(Pie chart of attacker motivations. Values shown: 55%, 30%, 10%, 5%. Categories shown: Financial Fraud, Medical Identity Theft, Ideology, Fun, State Sponsored Attacks.)
*2015 Verizon Data Breach Investigations Report
7. Who are the external "hackers"?
(Pie chart. Values shown: 5%, 15%, 80%. Categories shown: Advanced Persistent Threats (APT), Script Kiddies, Industrialized Hacking Organizations.)
*Dell Secureworks Healthcare Data Security Threats
8. How am I being hacked?
(Bar chart of attack vectors. Values shown: 40%, 28%, 17%, 9%, 4%, 2%. Categories shown: Employee Phishing, Vendor Compromise, Website Hacking, Employee Internet Use, Employee Accident, On-location Hacking.)
*2014 Ponemon Benchmark Study on Patient Privacy and Data Security
9. Employee Phishing (attack chain)
1. Employee receives a fraudulent email reminding them to "Confirm their Recent Promotion".
2. User clicks the link in the email and logs into a fake HR website.
3. Hacker logs into the network remotely using the stolen password.
4. Hacker scans the network and steals databases.
5. Hacker sells the stolen information on the black market to identity thieves.
In parallel, the hacker logs into the employee's email account and sends the same fraudulent email to all of the employee's contacts.
10. Employee Phishing (what the identity thieves do with the data)
Create and sell fraudulent medical, Social Security and State ID cards
Obtain prescriptions for narcotics
Partner with illicit providers for fraudulent Medicare billing
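The chain above has a detectable seam: the stolen password is used from somewhere the account has never logged in from, shortly after the employee clicked a link to a site that is not the organisation's own. The script below is an added example (not from the presentation) that correlates a web-proxy log with a VPN log and flags exactly that pattern. The two log formats, the user names, addresses and domains are all constructed for the illustration; a real deployment would parse its own proxy and VPN formats and feed the hits to a SIEM.

```python
"""Flag VPN logins from a never-seen address within 24h of an external-link click.

Added example. Log formats below are constructed for this illustration:
  proxy:  <ISO time> <user> <url>
  vpn:    <ISO time> <user> <source ip> <success|failure>
"""
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed sample proxy log (not real traffic). jdoe and bwong both
# click the "confirm your promotion" link; asmith only visits the intranet.
PROXY_LOG = """\
2015-03-02T08:14:05 jdoe https://hr-portal.example.com/benefits
2015-03-02T09:02:41 jdoe http://hr-confirm-promotion.example.net/login
2015-03-02T09:05:10 asmith https://intranet.example.com/news
2015-03-02T10:30:00 bwong http://hr-confirm-promotion.example.net/login
"""

# Constructed sample VPN log. jdoe's evening login comes from an address the
# account has never used; bwong's comes from bwong's usual address.
VPN_LOG = """\
2015-03-01T07:55:12 jdoe 203.0.113.10 success
2015-03-01T19:00:00 bwong 203.0.113.31 success
2015-03-02T07:58:30 asmith 203.0.113.22 success
2015-03-02T21:17:45 jdoe 198.51.100.77 success
2015-03-02T22:40:02 bwong 203.0.113.31 success
2015-03-03T01:12:09 bwong 192.0.2.200 failure
"""

# Hosts the organisation itself runs; links elsewhere count as "external".
TRUSTED_DOMAINS = {"hr-portal.example.com", "intranet.example.com"}
WINDOW = timedelta(hours=24)


def _ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%S")


def parse_proxy(log):
    """Return [(time, user, url)] from the constructed proxy format."""
    rows = []
    for line in log.splitlines():
        if line.strip():
            t, user, url = line.split()
            rows.append((_ts(t), user, url))
    return rows


def parse_vpn(log):
    """Return [(time, user, source_ip, result)] from the constructed VPN format."""
    rows = []
    for line in log.splitlines():
        if line.strip():
            t, user, ip, result = line.split()
            rows.append((_ts(t), user, ip, result))
    return rows


def external_clicks(proxy_rows, trusted=TRUSTED_DOMAINS):
    """Clicks whose host is not one of the organisation's own domains."""
    return [(t, u, url) for t, u, url in proxy_rows
            if urlparse(url).hostname not in trusted]


def suspicious_logins(proxy_log, vpn_log, window=WINDOW):
    """Return [(user, login_time, source_ip, clicked_url)] for successful VPN
    logins from an address the account never used before the click, landing
    within `window` after that click."""
    vpn = parse_vpn(vpn_log)
    hits = []
    for click_time, user, url in external_clicks(parse_proxy(proxy_log)):
        # Baseline: addresses this account used successfully before the click.
        known_ips = {ip for t, u, ip, r in vpn
                     if u == user and r == "success" and t < click_time}
        for t, u, ip, r in vpn:
            if (u == user and r == "success" and ip not in known_ips
                    and click_time < t <= click_time + window):
                hits.append((user, t, ip, url))
    return hits


if __name__ == "__main__":
    for user, t, ip, url in suspicious_logins(PROXY_LOG, VPN_LOG):
        print(f"{t.isoformat()} {user}: VPN login from new address {ip} "
              f"within 24h of clicking {url}")
```

Run against the sample data it reports only jdoe's evening login from 198.51.100.77. Failed logins are ignored on purpose (they are noise for this rule), and bwong is not flagged because the post-click login came from an address already in bwong's history; the baseline is built strictly from events before the click so the attacker's own login cannot whitelist itself.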
13. Vendor Compromise (attack chain)
1. Vendor is hacked.
2. Hacker accesses the vendor's customer databases.
3. Hacker logs into your network remotely and steals databases.
4. Hacker sells the stolen information on the black market to identity thieves.
In parallel, the hacker logs into employee email and sends fraudulent email to all contacts.
14. Website Hacking (attack chain)
1. The website has a software flaw discovered; the bug allows a hacker to bypass the login.
2. The company fails to apply the security update quickly enough.
3. Hacker uses a network of infected computers (a botnet) to attack the website.
4. The attack installs a data-stealing program.
5. The program scans for juicy data (SSNs).
6. Data is sent to the attacker's computers.
7. Hacker sells the stolen information on the black market to identity thieves.
8. The compromised computer is now used to attack other companies.
15. Employee Internet Use (attack chain)
1. The employee's computer has a software flaw discovered.
2. The employee visits a hacked website.
3. The company fails to apply the security update quickly enough.
4. The attack installs a data-stealing program.
5. The program scans the network for juicy data (tax returns, spreadsheets with SSNs).
6. Data is sent to the attacker's computers.
7. Hacker sells the stolen information on the black market to identity thieves.
8. The compromised computer is now used to attack other companies.
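Both of the last two chains end with a "program that scans for juicy data (SSNs)". Defenders can run the same kind of scan first, to learn which shares and spreadsheets actually hold Social Security numbers before an attacker does. The script below is an added example (not from the presentation) that finds SSN-shaped strings, discards candidates that cannot be real SSNs under the SSA's structural rules (area 000, 666 or 900 and above, group 00, serial 0000 are never issued), and reports them masked so the report itself is not a new leak. The sample CSV text is constructed for the illustration.

```python
"""Find plausible SSNs in text and files, reporting them masked.

Added example. SAMPLE_TEXT is constructed; file walking is limited to plain
text extensions (spreadsheets saved as .xlsx need an extra parser).
"""
import os
import re

# Three digits, two digits, four digits, separated by '-' or ' ', not glued
# to other digits or dashes (so dates and phone numbers do not match).
SSN_RE = re.compile(r"(?<![\d-])(\d{3})[- ](\d{2})[- ](\d{4})(?![\d-])")

# Constructed sample: one real-looking SSN and several that cannot exist.
SAMPLE_TEXT = """\
Name,Identifier,Dept
Jane Doe,123-45-6789,Radiology
Ad Sample,987-65-4321,Marketing
Bad Area,666-12-3456,Test
Zero Group,123-00-6789,Test
Phone,555-867-5309,Front desk
Invoice,2015-03-02,Billing
"""

TEXT_EXTENSIONS = (".csv", ".txt", ".log", ".tsv")


def plausible_ssn(area, group, serial):
    """SSA structural rules: these ranges have never been issued."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return group != "00" and serial != "0000"


def mask(serial):
    """Show only the last four digits in any report."""
    return f"***-**-{serial}"


def scan_text(text):
    """Return [(line_number, masked_ssn)] for every plausible SSN found."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for area, group, serial in SSN_RE.findall(line):
            if plausible_ssn(area, group, serial):
                hits.append((lineno, mask(serial)))
    return hits


def scan_files(root, extensions=TEXT_EXTENSIONS):
    """Walk `root` and return {path: [(line_number, masked_ssn), ...]} for
    files that contain at least one plausible SSN."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(extensions):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                    hits = scan_text(fh.read())
            except OSError:
                continue  # unreadable file: skip, do not abort the whole scan
            if hits:
                findings[path] = hits
    return findings


if __name__ == "__main__":
    for lineno, masked in scan_text(SAMPLE_TEXT):
        print(f"sample line {lineno}: {masked}")
    # scan_files("/mnt/finance-share") would do the same over a directory tree.
```

On the sample text only line 2 is reported; the advertising number 987-65-4321, the 666 area and the 00 group are rejected, and the phone number and date never match the pattern. Expect some false positives on real data (nine-digit account numbers formatted the same way), so treat a hit as "go look", not as proof.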
16. How am I being successfully hacked?
(Pie chart. Values shown: 5%, 26%, 69%. Categories shown: Company Specific Attack, Healthcare Industry Attack, Untargeted Attack.)
*2014 Ponemon Benchmark Study on Patient Privacy and Data Security
17. What is the impact of a breach?
Consequences of a breach are much greater than in most other industries:
Incorrect medical records (blood type, allergies, conditions) create patient safety risks
Disclosure of HIV status is far more emotionally damaging than disclosure of a Home Depot purchase history
You can't give patients a new identity the way you can reissue a credit card
*2014 Ponemon Benchmark Study on Patient Privacy and Data Security; Dell Secureworks Healthcare Data Security Threats
18. What is the impact of a breach?
$398 per health record on average in the U.S.
This figure does not factor in reputational damage
Increasing civil penalties from HHS, up to $1.5 million (per year, per type of violation)
Heavy scrutiny from media and regulators
80% of new patients screen their provider on search engines
Increasing use of "vendor scorecards" will hurt customer growth
*2014 Ponemon Benchmark Study on Patient Privacy and Data Security; Dell Secureworks Healthcare Data Security Threats
21. How do I protect my healthcare data?
Factor security into your third-party vendor evaluations
Hire or contract with information security specialists
Train employees to recognize fraud
Know where your data is going
Back up your important data
Use two-factor authentication
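Two-factor authentication is the control that breaks the phishing and vendor chains at step 3: a stolen password alone no longer opens the VPN. The code below is an added example (not from the presentation) of the time-based one-time password scheme (TOTP, RFC 6238, built on HOTP, RFC 4226) that authenticator apps implement, with the server-side check that accepts a code from the current 30-second step or its neighbours. The seed `RFC_SECRET` is the published RFC test vector; `DEMO_SEED_B32` is a made-up base32 seed standing in for the one a real app would enrol.

```python
"""TOTP (RFC 6238) generation and verification.

Added example. RFC_SECRET is the RFC 4226/6238 test key; DEMO_SEED_B32 is a
constructed seed of the kind an authenticator app would be enrolled with.
"""
import base64
import hashlib
import hmac
import struct
import time

RFC_SECRET = b"12345678901234567890"   # RFC 4226 / RFC 6238 test vector key
DEMO_SEED_B32 = "JBSWY3DPEHPK3PXP"      # constructed, for the demo only


def hotp(secret, counter, digits=6):
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter,
    dynamically truncated to 31 bits, reduced to `digits` decimal digits."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, now=None, step=30, digits=6):
    """TOTP (RFC 6238): HOTP with counter = floor(unix_time / step)."""
    if now is None:
        now = int(time.time())
    return hotp(secret, now // step, digits)


def verify_totp(secret, code, now=None, step=30, window=1, digits=6):
    """Server-side check. Accepts the code for the current step and `window`
    steps either side to tolerate clock skew; constant-time compare so the
    check does not leak which digits matched."""
    if now is None:
        now = int(time.time())
    counter = now // step
    for c in range(counter - window, counter + window + 1):
        if hmac.compare_digest(hotp(secret, c, digits), code):
            return True
    return False


def secret_from_base32(seed):
    """Authenticator apps exchange the seed as base32 (otpauth:// URIs);
    tolerate missing padding and spaces from a hand-typed seed."""
    cleaned = seed.strip().replace(" ", "").upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))


if __name__ == "__main__":
    seed = secret_from_base32(DEMO_SEED_B32)
    code = totp(seed)
    print("current code:", code, "accepted:", verify_totp(seed, code))
```

Two practical caveats for the verifier side: store the counter of the last code you accepted and refuse any counter at or below it, otherwise a code phished in real time can be replayed within the window; and note that TOTP still does not stop a proxying phishing page that relays the code immediately, which is why phishing-resistant factors (FIDO2/WebAuthn) are preferred for the highest-value accounts.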
22. Overview
Why do hackers want my healthcare data?
Who wants to steal it?
How do they do it?
What is the impact of a breach?
How do I protect against it?
Editor's notes
Apple – 183b, ATT 128b, Siemens 102b, McKesson 137b; over $700/person/year