Healthcare Industry Cybersecurity Attack Trends

Research eBook

▪ Healthcare Industry Realities
▪ Breach & Cyber Attack Realities
▪ Top Compliance Trends, Concerns
▪ Healthcare Needs, Requirements

Healthcare Industry Realities

Healthcare Industry Realities: A Large Target

Significant Part of the U.S. Economy, Millions of Businesses, Massive Cyber & Compliance Drivers

▪ 26% of the U.S. economy
▪ 5,000,000 small and midsize businesses
▪ CE & Vendors (BA)
▪ 400% increase in enforcement
▪ 70%+ audit failure rate
▪ Healthcare #1 vertical for MSPs in 2018

Compliancy Group, MSPs & HIPAA Webcast 2018

Healthcare organizations are required to disclose attacks as though they were confirmed breaches due to U.S. regulatory requirements. This is the second straight year that ransomware incidents were over 70% of all outbreaks in this industry.
https://healthitsecurity.com/news/health-sector-most-targeted-by--breach-costs-rise-to-17.76b

Pandemic Driving Attacks

The FBI’s Internet Crime Complaint Center (IC3) has reported a major increase in the number of cybersecurity complaints received each day. According to The Hill, complaints rose from about 1,000 per day to 3,000 to 4,000 per day since the beginning of the COVID-19 pandemic.

Targeted Attacks Against Healthcare

Pandemic Realities

▪ 100% of our clients instituted a work-from-home policy.
▪ 10-20% were fully prepared.
▪ 1,700 malicious domains using “corona” or “covid” as of April 14th.
▪ 1,200 domains are currently active.

Trusted sources that have posted home security tips for individuals and healthcare institutions:

Healthcare Industry Realities Cont.

Criminals capitalize on human and business weaknesses.

▪ Healthcare Staff:
  ▪ Mentally tired
  ▪ Emotionally tired
  ▪ Overworked
▪ IT, InfoSec, Operations:
  ▪ Legacy & unpatched systems
  ▪ Legacy and unpatched applications
  ▪ Understaffed IT departments
  ▪ Understaffed infosec departments
  ▪ Understaffed operations
  ▪ Unsecured 3rd party partners

https://healthitsecurity.com/news/87-health-orgs-lack-security-personnel-for-effective-cyber-posture

Cyber-Attack Realities

Data Breach Realities 2019-2020

(Chart, share of data breaches by industry, 2019-2020: Healthcare 43%, Other 19%, Banking/Insurance/Financial 12%, Education 6%, Government 5%, Retail 5%, Technology 4%, Food/Bev 2%, Gaming 1%, Travel 1%, Real Estate 1%, Legal 1%, Mobile Telecom 0%, Social Media 0%, Cryptocurrency 0%)

Healthcare Data: Under Attack

Criminals look for specific data types.

Personal Identifiable Information: Personal data, also known as personal information or personally identifiable information, is any information relating to an identifiable person.

Electronic Health & Medical Records: Electronic Health Records are designed to follow a patient from one practice or specialist to the next throughout their lives. They provide a complete picture of the patient’s symptoms, vaccinations, treatments, and prescriptions. Electronic Medical Records (EMRs) live primarily at a single practice and show a clear picture of the symptoms and prescribed treatment for each visit. While they can be shared among medical facilities, EMRs are designed to remain in the office the patient visits.

Protected Health Information: Protected health information under U.S. law is any information about an individual’s health status, type of healthcare, or payment for healthcare that is collected by a covered entity.

Healthcare Data: Under Attack & Valuable

Inside the Mind of a

Learn why hackers do what they do…and how they think.

Healthcare Cyber Attack Realities: Growth

Healthcare has been decimated by cyber-attacks.

(Chart: Healthcare Data Breaches of 500 Or More Records, 2009-2019)
(Chart: Number of Breaches in January, 2015-2020)
https://www.hipaajournal.com/january-2020-healthcare-data-breach-report/

Healthcare Cyber Attack Realities: HTH

Hacking the Human (HTH) is the most effective and common method of attack.

2019 Healthcare Data Breaches:
(Chart: Causes of 2019 Healthcare Breaches: Hacking/IT Incident, Unauthorized Access/Disclosure, Theft, Loss, Improper Disposal, Other)
(Chart: Location of Breached PHI: Email, Network Server, Paper/Films, Electronic Medical Record, Desktop Computer, Laptop, Other Portable Electronic Device, Other)

https://www.hipaajournal.com/january-2020-healthcare-data-breach-report/

Healthcare Compliance Realities: Losses

HIPAA settlements and civil and legal penalties are growing significantly.

(Chart: HIPAA settlements and penalties by year, 2008-2019)

https://www.hipaajournal.com/january-2020-healthcare-data-breach-report/

Healthcare Cyber Attack Realities: Jan 2020

Healthcare has been owned, and the attacks are not slowing down.

January 2020 Healthcare Data Breaches:
(Chart: Healthcare Data Breaches By Month, Feb 2019 to Jan 2020)
(Chart: Location of Breached PHI: Email, Network Server, Paper/Films, Electronic Medical Record, Desktop Computer, Other)
https://www.hipaajournal.com/january-2020-healthcare-data-breach-report/

Healthcare Cyber Attack Realities: Jan 2020

Healthcare supply chain attacks and breaches continue to increase.

January 2020 Healthcare Data Breaches:
(Chart: Covered Entity Type: Healthcare Provider, Health Plan, Business Associate)
(Chart: Causes of Breaches: Hacking/IT Incident, Unauthorized Access/Disclosure, Theft, Improper Disposal)

June 30, 2020 - Proofpoint researchers detected an increase in the number of email-based phishing campaigns used to deploy ransomware as a first-stage payload over the last month. This is a stark contrast to the past year, when hackers primarily leveraged downloaders as the initial payload. According to the latest report, the small increase in the amount of ransomware sent via phishing emails may be a sign of what’s to come in the near future, as these attacks bear the hallmarks of the larger ransomware campaigns deployed in 2018.
https://www.hipaajournal.com/january-2020-healthcare-data-breach-report/

Top 10 Corporate Attacks

▪ Phishing = 60% of fraud & malware attacks
▪ Ransomware = $8B to $11.5B in 36 Months
▪ Business Email Compromise = $4B to $8B in 36 Months
▪ Business Process Compromise = 50% of Market Unaware

Other Attacks Growing In Frequency (McAfee Labs 2018-2019):

▪ Embedded Code: Spectre, Meltdown
▪ AI-Malware-Exploit Kits: GandCrab, Coinhive, Dorkbot
▪ Botnet-DDoS-PDoS: WireX, Reaper, Hajime, BrickerBot
▪ Brute Force, APT, Malwareless Attacks: Telnet, SSH, RDP
▪ Harvesting, Snooping, Skimming: Traffic Spirit, MageCart, etc.
▪ System Process Compromise

https://www.comparitech.com/blog/vpn-privacy/phishing-statistics-facts/
https://www.agari.com/email-security-blog/email-fraud-trends-report-q1-2020/
https://www.darkreading.com/attacks-breaches/ransomware-damage-hit-$115b-in-2019/d/d-id/1337103

You Are “Low Hanging Fruit” If You Are…

▪ Running devices and/or websites that have open ports and can be easily scanned and found via the internet
▪ Running older or unpatched software and/or hardware
▪ Successful in the media, a CPA, legal or tech firm, healthcare firm, retailer, etc. holding private, sensitive data
▪ Serving high net worth consumers, regulated businesses, or entities
▪ Sharing unencrypted data with 3rd parties via cloud, Dropbox, or email
▪ A previous victim of, or part of, a ransomware or malware attack or breach

Growing Attack Surface (IoT) = Risk

Healthcare Impact: TODAY

Compliance Trends, Concerns

Compliance Trends: Growing Complexity, Costs

▪ State Level Regulation Complexity: NY (DFS), CA (CCPA), Others

▪ Federal-Gov Level Regulation Complexity: GDPR, EO13800, *137 Others

▪ Industry Regulation Complexity: Heavy Rate of Change Due to Cyber Threats, Legislation, Fed, Gov Actions

▪ Operational Complexity: Frameworks are heavily focused on technical controls and lack an integrated view of the critical program components: culture, capabilities, accountability, sustainability, resiliency, change

California Consumer Privacy Act Enforcement, Fines Begin, HIPAA Fines Increasing, PCI Compliance Audit Methods Change to Address COVID-19

Data Privacy Compliance Concerns

▪ HIPAA: Any electronic health record or physical medical record, any patient related information or treatment information.

▪ PCI DSS: Any organization receiving payments via credit cards from patients will need to comply with the payment card industry data security standard.

▪ Personal Identifiable Information (PII): State regulations like the NY DFS Regulation, the California Consumer Privacy Act (CCPA), the General Data Protection Regulation (GDPR) 2016/679 (an EU law), and others are driving strict disclosure and protection regulations on consumer personal and private information such as name, address, telephone number, and email.

▪ NIST: Any company, provider, insurer, or vendor that is exchanging information with state, local, or higher education entities, or that is partnering with these entities, may be expected to adhere to the National Institute of Standards and Technology (NIST) framework.

Regulatory Compliance Frameworks: Ongoing Complexity

▪ NIST 800-53: 17 Families / 240 Controls
▪ NIST CSF: 5 Sections / 23 Categories (Functions) / 98 Subcategories (Outcomes) / 108 Controls
▪ CIS 20 / CIS RAM: 1-6 Basic / 7-16 Foundational / 17-20 Organizational
▪ PCI DSS: 6 Sections / 12 Requirements / 267 Controls
▪ HIPAA: 3 Security Safeguard Sections / 2 Privacy Safeguard Sections / 18 Categories / 245 Controls
▪ Others: ISO/IEC 27001, NCUA/ASET/AIRES, FFIEC, FINRA, NERC-CIP, GDPR, CCPA, NY REG, HITRUST, SSAE-18 (16), SOX

Healthcare Needs, Requirements

Regulatory Compliance Complexity, Risk

HIPAA Risk Assessment (Title II): 245 Controls

Measures an organization’s ability to meet the HIPAA standards and requirements set forth by Congress and the Department of Health and Human Services (HHS) around electronic health data (electronic Protected Health Information – ePHI).

Privacy Rule (both paper and ePHI)
▪ 2 Privacy Safeguards: Use and Disclosures …… 89 Controls

Security Rule (ePHI only)
▪ Administrative Safeguards …… 73 Controls
▪ Technical Safeguards …… 45 Controls
▪ Physical Safeguards …… 38 Controls

https://privacyruleandresearch.nih.gov/pr_06.asp

HIPAA Fines, Updated for 2020

Each tier lists the penalty range with its annual cap for repeat violations, followed by the updated 2020 figure:

▪ Individual did not know (and by exercising reasonable diligence, would not have known) that he/she violated HIPAA: $100 - $50,000 per violation, with an annual maximum of $25,000 for repeat violations; updated: $59,522 per violation, with an annual maximum of $1,789,651 for repeat violations
▪ HIPAA violation due to reasonable cause and not due to willful neglect: $1,000 - $50,000 per violation, with an annual maximum of $100,000 for repeat violations; updated: $59,522 per violation, with an annual maximum of $1,789,651 for repeat violations
▪ HIPAA violation due to willful neglect, but violation is corrected within the required time period: $10,000 - $50,000 per violation, with an annual maximum of $250,000 for repeat violations; updated: $59,522 per violation, with an annual maximum of $1,789,651 for repeat violations
▪ HIPAA violation is due to willful neglect and is not corrected: $59,522 per violation, with an annual maximum of $1,789,651 for repeat violations; updated: $59,522 per violation, with an annual maximum of $1,789,651 for repeat violations

https://www.govinfo.gov/content/pkg/FR-2020-01-17/pdf/2020-00738.pdf
https://www.ama-assn.org/practice-management/hipaa/hipaa-violations-enforcement#:~:text=Civil%20violations&text=The%20secretary%20is%20prohibited%20from,extended%20at%20HHS'%20discretion).

Regulatory Actions Under Review in 2020

(Chart: Regulatory Actions Currently Under Review by Agency, number of pending actions: USDA, DOC, DOD, ED, DOE, HHS, DHS, HUD, DOI, DOJ, DOL, State, Treas, VA, Others)
(Chart: Pending Actions by Rule Stage: Prerule, Proposed Rule, Interim Final Rule, Final Rule, Final Rule No Material Change, Notice)

https://www.reginfo.gov/public/

Healthcare Breach Wall of Shame

Office of Civil Rights Portal: Breach Wall of Shame

100% of HIPAA Fines Levied:
▪ Failed to demonstrate good faith effort
▪ Failure to assess ALL Risks
▪ Lack of administrative controls
▪ Policy and procedures
▪ Failure to have BAA

Average fine of $1.5M

Cyber Insurance Realities: Not Guaranteed

Mondelez, owner of dozens of well-known food brands like Cadbury chocolate and Philadelphia cream cheese, was one of the hundreds of companies struck by the so-called NotPetya cyber strike in 2017.

Laptops froze suddenly as Mondelez employees worked at their desks. Email was unavailable, as was access to files on the corporate network. Logistics software that orchestrates deliveries and tracks invoices crashed.

Even with teams working around the clock, it was weeks before Mondelez recovered. Once the lost orders were tallied and the computer equipment was replaced, its financial hit was more than $100 million, according to court documents.

After the ordeal, executives at the company took some solace in knowing that insurance would help cover the costs. Or so they thought…

Mondelez’s insurer, Zurich Insurance, said it would not be sending a reimbursement check. It cited a common, but rarely used, clause in insurance contracts: the “war exclusion,” which protects insurers from being saddled with costs related to damage from war.

Mondelez was deemed collateral damage in a cyberwar.
https://www.nytimes.com/2019/04/15/technology/cyberinsurance-notpetya-attack.html

Learn more at: www.vertek.com/managed-cybersecurity/