Healthcare Industry Cybersecurity Attack Trends

Healthcare Industry Cybersecurity Attack Trends

Healthcare Industry Cybersecurity Attack Trends Research eBook ▪ Healthcare Industry Realities ▪ Breach & Cyber Attack Realities ▪ Top Compliance Trends, Concerns ▪ Healthcare Needs, Requirements www.vertek.com 2 Healthcare Industry Realities Healthcare Industry Realities: A Large Target Significant Part of the U.S. Economy, Millions of Businesses, Massive Cyber & Compliance Drivers ▪ 26% of the U.S. economy ▪ 5,000,000 small and midsize businesses ▪ CE & Vendors (BA) ▪ 400% increase in enforcement ▪ 70%+ audit failure rate ▪ Healthcare #1 vertical for MSPs in 2018 Compliancy Group, MSPs & HIPAA Webcast 2018 Healthcare organizations are required to disclose ransomware attacks as though they were confirmed breaches due to U.S. regulatory requirements. This is the second straight year that ransomware incidents were over 70% of all malware outbreaks in this industry. https://healthitsecurity.com/news/health-sector-most-targeted-by-hackers-breach-costs-rise-to-17.76b www.vertek.com 4 Pandemic Driving Attacks The FBI’s IC3, or its Internet Crime Complaint Center, has reported a major increase in received cybersecurity complaints each day, according to The Hill — who goes on to explain that the number of cybersecurity complaints went up from 1,000 complaints every day, to over 3,000 to 4,000 per day since the beginning of the COVID-19 pandemic. www.vertek.com 5 Targeted Attacks Against Healthcare www.vertek.com 6 Pandemic Realities ▪ 100% of our clients instituted a work-from-home policy. ▪ 10-20% were fully prepared. Trusted sources that have posted home security tips for individuals and healthcare ▪ 1,700 malicious domains institutions: using “corona” or “covid” th as of April 14 . ▪ 1,200 domains are currently active. www.vertek.com 7 Healthcare Industry Realities Cont. Criminals capitalize on human and business weaknesses. ▪ Healthcare Staff: ▪ Mentally tired ▪ Emotionally tired ▪ Overworked ▪ IT, InfoSec, Operations: ▪ Legacy & unpatched systems ▪ Legacy and unpatched applications ▪ Understaffed IT departments ▪ Understaffed infosec departments ▪ Understaffed operations ▪ Unsecured 3rd party partners https://healthitsecurity.com/news/87-health-orgs-lack-security-personnel-for-effective-cyber-posture www.vertek.com 8 Cyber-Attack Realities Data Breach Realities 2019-2020 Education 6% Food/Bev 2% Mobile Telecom 0% Gaming 1% Cryptocurrency 0% Banking/Insurance Financial 12% Healthcare 43% Travel 1% Social Media 0% Government 5% Technology 4% Retail 5% Real Estate 1% Legal 1% Other 19% www.vertek.com 10 Healthcare Data: Under Attack Criminals look for specific data types. Personal Identifiable Information: Personal data, also known as personal information or personally identifiable information, is any information relating to an identifiable person. Electronic Health & Medical Records: Electronic Health Records are designed to follow a patient from one practice or specialist to the next throughout their lives. They provide a complete picture of the patient’s symptoms, vaccinations, treatments, and prescriptions. Electronic Medical Records (EMRs) live primarily at a single practice and show a clear picture of the symptoms and prescribed treatment for each visit. While they can be shared among medical facilities, EMRs are designed to remain in the office the patient visits. Protected Health Information: Protected health information under the U.S. law is any information about an individual’s health status, type of healthcare, or payment for healthcare that is collected by a covered entity. www.vertek.com 11 Healthcare Data: Under Attack & Valuable www.vertek.com 12 Inside the Mind of a Hacker Learn why hackers do what they do…and how they think. www.vertek.com 13 Healthcare Cyber Attack Realities: Growth Healthcare has been decimated by cyber-attacks. Healthcare Data Breaches of 500 Or More Records Number of Breaches in January 2009 2010 2011 2012 2013 2014 2015 2016 2017 2018 2019 2015 2016 2017 2018 2019 2020 https://www.hipaajournal.com/january-2020-healthcare-data-breach-report/ www.vertek.com 14 Healthcare Cyber Attack Realities: HTH Hacking the Human (HTH) is the most effective and common method of attack. 2019 Healthcare Data Breaches: Causes of 2019 Healthcare Breaches Location of Breached PHI Other Portable Electronic Device Improper Disposal Laptop Desktop Computer Loss Electronic Medical Record Theft Other Paper/Films Unauthorized Access/Disclosure Network Server Hacking/IT Incident Email https://www.hipaajournal.com/january-2020-healthcare-data-breach-report/ www.vertek.com 15 Healthcare Compliance Realities: Losses HIPAA settlements and civil and legal penalties are growing significantly. 2008 2009 2010 2011 2012 2013 2014 2015 2016 2017 2018 2019 https://www.hipaajournal.com/january-2020-healthcare-data-breach-report/ www.vertek.com 16 Healthcare Cyber Attack Realities: Jan 2020 Healthcare has been owned, and the attacks are not slowing down. January 2020 Healthcare Data Breaches Healthcare Data Breaches By Month Location of Breached PHI Desktop Electronic Network Other Paper/ Email Feb 19 Mar 19 Apr 19 May 19 Jun 19 Jul 19 Aug 19 Sep 19 Oct 19 Nov 19 Dec 19 Jan 20 Computer Medical Server Films Record https://www.hipaajournal.com/january-2020-healthcare-data-breach-report/ www.vertek.com 17 Healthcare Cyber Attack Realities: Jan 2020 Healthcare supply chain attacks and breaches continue to increase. January 2020 Healthcare Data Breaches January 2020 Healthcare Data Breaches Covered Entity Type Causes of Breaches Health Plan 5% Theft Business Improper Disposal Associate 2% Unauthorized Access/Disclosure Hacking/IT Incident Healthcare Provider 25% June 30, 2020 - Proofpoint researchers detected an increase in the number of email-based phishing campaigns used to deploy ransomware attacks as a first-stage payload over the last month. A stark contrast to the past year, where hackers primarily leveraged downloaders as the initial payload. According to the latest report, the small increase in the amount of ransomware sent via phishing emails may be a sign of what’s to come in the near future, as these attacks bear hallmarks to larger ransomware campaigns deployed in 2018. https://www.hipaajournal.com/january-2020-healthcare-data-breach-report/ www.vertek.com 18 Top 10 Corporate Attacks Phishing = 60% of fraud & malware attacks Ransomware = $8B to $11.5B in 36 Months Business Email Compromise = $4B to $8B in 36 Months Business Process Compromise = 50% of Market Unaware. Other Attacks Growing In Frequency AI-Malware-Exploit Kits Botnet-DDoS-PDos Brute Force, APT, Malwareless Attacks Harvesting, Snooping, Skimming System Process Compromise Embedded Code McAfee Labs 2018-2019 Embedded Code: Specter, Meltdown AI-Malware-Exploit Kits: GandCrab, Coinhive, Dorkbot Botnet-DDoS-PDos: Mirai, WireX, Reaper, Hajime, BrickerBot https://www.comparitech.com/blog/vpn-privacy/phishing-statistics-facts/ Telnet Brute Force, SSH, APT, Malwareless Attacks: Stuxnet, RDP. https://www.agari.com/email-security-blog/email-fraud-trends-report-q1-2020/ Harvesting, Snooping, Skimming: Traffic Spirit, MageCart, etc. https://www.darkreading.com/attacks-breaches/ransomware-damage-hit-$115b-in-201 9/d/d-id/1337103 www.vertek.com 19 You Are “Low Hanging Fruit” If You Are… Running devices and/or websites that have open ports and can be easily scanned and found via the internet Running older or have unpatched software and/or hardware Successful in the media, a CPA, Legal, a tech firm, healthcare firm, retailer, etc. holding private, sensitive data Serving high net worth, consumers, regulated businesses, or entities Sharing unencrypted data with 3rd parties via cloud, dropbox, or email A victim of or were part of a ransomware or malware attack or breach www.vertek.com 20 Growing Attack Surface (IoT) = Risk www.vertek.com 21 Healthcare Impact: TODAY www.vertek.com 22 Healthcare Impact: TODAY www.vertek.com 23 Compliance Trends, Concerns Compliance Trends: Growing Complexity, Costs ▪ State Level Regulation Complexity: NY (DFS), CA (CCPA), Others ▪ Federal-Gov Level Regulation Complexity: GDPR, EO13800, *137 Others ▪ Industry Regulation Complexity: Heavy Rate of Change Due to Cyber Threats, Legislation, Fed, Gov Actions ▪ Operational Complexity: Frameworks are heavily focused on technical controls & lack integrated view, critical program components: culture, capabilities, accountability, sustainability, resiliency, change California Consumer Privacy Act Enforcement, Fines Begin, HIPAA Fines Increasing, PCI Compliance Audit Methods Change to Address COVID-19 www.vertek.com 25 Data Privacy Compliance Concerns ▪ HIPAA: Any electronic health record or physical medical record, any patient related information or treatment information. ▪ PCI DSS: Any organization receiving payments via credit cards from patients will need to comply with the payment card industry data security standard. ▪ Personal Identifiable Information (PII): State regulations like NY DFS Regulation, California Consumer Privacy Act (CCPA), the General Data Protection Regulation (GDPR) 2016/679 (a EU law), and others are driving strict disclosure and protection regulations on consumer personal and private information such as name, address, telephone number, email. ▪ NIST: Any company, provider, insurer, or vendor that is exchanging information with state, local, higher education entities, or that is partnering with these entities, may be expected to adhere with the National Institute of Standards and Technology (NIST) framework. www.vertek.com 26 Regulatory Compliance Frameworks: Ongoing Complexity C NIST 800-53:

View Full Text

Details

  • File Type
    pdf
  • Upload Time
    -
  • Content Languages
    English
  • Upload User
    Anonymous/Not logged-in
  • File Pages
    34 Page
  • File Size
    -

Download

Channel Download Status
Express Download Enable

Copyright

We respect the copyrights and intellectual property rights of all users. All uploaded documents are either original works of the uploader or authorized works of the rightful owners.

  • Not to be reproduced or distributed without explicit permission.
  • Not used for commercial purposes outside of approved use cases.
  • Not used to infringe on the rights of the original creators.
  • If you believe any content infringes your copyright, please contact us immediately.

Support

For help with questions, suggestions, or problems, please contact us