Preparing for a Breach
October 14, 2016
Jeremy Gilbert, GCFE, GASF, EnCE, CPA
Manager, DHG Forensics
Agenda
- Medical data breaches: why? What types? How frequent?
- Impact of a data breach
- How to prepare for a breach
- Streamline the breach response effort
- Not if, but when
"There are two kinds of big companies in the United States. There are those who've been hacked [...] and those who don't know they've been hacked [...]."
- James Comey, FBI Director, October 5, 2014, 60 Minutes interview (speaking about China)
2013 Breaches by Industry
(Chart of breaches by sector: Business, Education, Healthcare, Government, Financial. Healthcare is the largest slice at 42.5%.)
Source: http://www.idtheftcenter.org/itrc-surveys-studies/2013-data-breaches.html
Why do criminals want health information?
Common underground prices for identity information:
- Credit card account: $4 to $13
- Date of birth: $11
- Health insurance credentials: $20
- US "fullz" (complete identity package): $30
- Bank account with a $75,000 balance: less than $300
Source: Dell SecureWorks
"Attacks on health care providers, typically not terribly well protected from a network-security standpoint, even given the regulations and the data at stake, are the next big breach wave that's coming."
- Brian Krebs, Fraud Magazine, March/April 2015
Recent Large Breaches
Recent medical data breaches
(Breach listings taken from the HHS Office for Civil Rights breach portal: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf)
Breach Type Frequency, 2013
(Chart of breach causes: insider theft, hacking, data on the move, accidental exposure, subcontractor, employee negligence, physical theft, other.)
Source: http://www.idtheftcenter.org/itrc-surveys-studies/2013-data-breaches.html
Statistics
- 1.5 million monitored cyber attacks in the United States in 2013
- 12% year-over-year increase in security events
- Average cost of a data breach: $3.5 million
Sources:
http://www-935.ibm.com/services/us/en/it-services/security-services/data-breach/index.html
http://www.ponemon.org/blog/ponemon-institute-releases-2014-cost-of-data-breach-global-analysis
Data Breach Response
What information does a forensic consultant need to conduct an investigation?
Incident Responders: Initial Steps
1. Information-gathering meeting with the IR team and management
2. Provide a list of requested reports, logs, and system access
Incident Responders Need
- Prompt access to critical systems and information
- Access to, and support from, IT personnel
- List of systems holding PII or PHI
- Copy of the incident management policy
- List of incident response team members and IT personnel
Information About the Environment
- Core business functions and processes
- Current and complete network diagram
- Population (inventory) of servers
- Location of all critical applications: processing applications, EMR systems, databases, web servers
Incident Responders: Initial Steps (continued)
3. Begin forensic acquisition of data from suspect systems
Forensic Acquisition
- Proper forensic procedures are important: the image must be verifiable (hashed at acquisition and re-checked before analysis) and every handling step documented
- Methodology depends on:
  - Impact of system downtime (live acquisition versus taking the system offline)
  - Particulars of the infection (volatile memory may hold evidence that is lost on power-off)
  - Nature of the information on the system
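The verification and record-keeping part of an acquisition, as an added example that is not from the DHG slides: image a source byte-for-byte, hash the stream as it is read, independently re-hash the written image, and write an acquisition record (who, what, when, where, hashes) that serves as the first chain-of-custody entry. A real disk acquisition goes through a hardware write blocker and a validated imaging tool; this only shows the logic around it, on a temp file that stands in for a suspect device. The examiner name, case ID, file names and sample data are constructed.

```python
"""Added example (not from the slides): forensic image with hash
verification and an acquisition record. All names/paths are constructed."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # 1 MiB reads keep memory flat on multi-TB sources


def sha256_of(path):
    """Hash a file in chunks without loading it into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def acquire(source, image, examiner, case_id):
    """Copy source to image, hashing the stream as it is read, then re-hash
    the image from disk and compare. Returns the acquisition record."""
    stream = hashlib.sha256()
    started = datetime.now(timezone.utc)
    with open(source, "rb") as src, open(image, "wb") as dst:
        for chunk in iter(lambda: src.read(CHUNK), b""):
            stream.update(chunk)
            dst.write(chunk)
    finished = datetime.now(timezone.utc)
    record = {
        "case_id": case_id,
        "examiner": examiner,             # who handled the evidence
        "source": os.path.abspath(source),
        "image": os.path.abspath(image),  # where the evidence is stored
        "bytes": os.path.getsize(image),
        "sha256_source": stream.hexdigest(),
        "sha256_image": sha256_of(image),
        "started_utc": started.isoformat(),
        "finished_utc": finished.isoformat(),
    }
    record["verified"] = record["sha256_source"] == record["sha256_image"]
    with open(image + ".acquisition.json", "w") as log:   # record travels with the image
        json.dump(record, log, indent=2)
    return record


def verify(record):
    """Re-hash the image later (after transport, before analysis) and confirm
    it still matches the hash taken at acquisition time."""
    return sha256_of(record["image"]) == record["sha256_source"]


def demo():
    workdir = tempfile.mkdtemp(prefix="acq-")
    source = os.path.join(workdir, "suspect-disk.bin")   # constructed stand-in for a device
    with open(source, "wb") as f:
        f.write(os.urandom(3 * CHUNK + 12345))           # deliberately not a whole number of chunks
    image = os.path.join(workdir, "suspect-disk.dd")
    record = acquire(source, image, examiner="J. Examiner", case_id="IR-2016-001")
    clean = verify(record)
    with open(image, "r+b") as f:                        # simulate the image being altered in storage
        f.seek(4096)
        original = f.read(1)
        f.seek(4096)
        f.write(bytes([original[0] ^ 0xFF]))
    return {"record": record, "verified_clean": clean, "verified_after_tamper": verify(record)}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two hashes are computed on purpose: the stream hash proves what was read from the source, and the independent re-read of the image proves what landed on disk. A later mismatch in verify() tells you the evidence changed after acquisition, which is exactly what the chain-of-custody record exists to surface.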
Incident Responders: Initial Steps (continued)
4. Review key logs and reports
Security Logs and Reports
- Firewall logs
- IDS logs
- Operating system event logs
- Core application logs (database, web server, etc.)
- Antimalware scan logs
- Antimalware update logs
Preparing for a Breach
Critical controls that can help expedite an investigation
Incident Response Plan
- Documented incident response plan
- Management buy-in
- Incident response team: senior management, IT, legal, public relations
Incident Response Plan (continued)
- Are IT security controls reviewed?
- What are the current reporting requirements (HIPAA, state regulations, etc.)?
- Vendors and business associates: does IT have a thorough process for vetting Business Associate Agreements? Are the vendors themselves prepared for a breach?
- Regularly review and update the plan
IR Plan: Triage Procedures
Critical to document:
- What is the suspicious activity?
- Who identified the suspicious activity?
- What investigative actions have been taken, and by whom?
- Exactly when did those actions take place?
- Why were those actions performed?
- Who handled the evidence?
- Where is the evidence stored?
Critical Control: Logging
LOGGING, LOGGING, LOGGING!
- Does IT know what is being logged?
- Does IT periodically review logs, or have an alerting system?
- Is log retention sufficient? Attacks may last for months or years, so retention must outlast the attacker's dwell time
- Can IT quickly gather logs in the event of an investigation?
- Log aggregation
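What "review key logs" and "log aggregation" look like in practice, as an added example that is not from the DHG slides: two constructed log sources (an SSH auth log from an EMR database server and a key=value firewall log) are normalized into one timeline, and two simple detections run over it: a password-guessing burst that ends in a successful logon, and a large allowed outbound transfer from a server on the PII/PHI inventory to an external address not on an allow list. The hostnames, addresses, log formats, thresholds and allow list are all assumptions for the demo.

```python
"""Added example (not from the slides): normalize two constructed log
sources and run two detections over the merged timeline."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed SSH auth log (syslog format; the year is not recorded, 2016 is assumed below).
AUTH_LOG = """\
Oct 14 02:11:03 emr-db01 sshd[2201]: Failed password for admin from 203.0.113.7 port 51012 ssh2
Oct 14 02:11:05 emr-db01 sshd[2201]: Failed password for admin from 203.0.113.7 port 51013 ssh2
Oct 14 02:11:08 emr-db01 sshd[2201]: Failed password for admin from 203.0.113.7 port 51014 ssh2
Oct 14 02:11:11 emr-db01 sshd[2201]: Failed password for admin from 203.0.113.7 port 51015 ssh2
Oct 14 02:11:14 emr-db01 sshd[2201]: Failed password for admin from 203.0.113.7 port 51016 ssh2
Oct 14 02:11:40 emr-db01 sshd[2201]: Accepted password for admin from 203.0.113.7 port 51020 ssh2
Oct 14 08:30:02 emr-db01 sshd[3100]: Accepted publickey for backup from 10.0.1.4 port 40000 ssh2
"""
# Constructed firewall log in an assumed key=value format.
FW_LOG = """\
2016-10-14T02:20:15Z fw01 action=allow src=10.0.5.21 dst=198.51.100.9 dport=443 bytes=734003200
2016-10-14T02:21:00Z fw01 action=allow src=10.0.5.21 dst=192.0.2.50 dport=443 bytes=120000
2016-10-14T03:00:00Z fw01 action=deny src=10.0.5.30 dst=198.51.100.9 dport=22 bytes=0
"""
PHI_HOSTS = {"10.0.5.21": "emr-db01", "10.0.5.22": "emr-app01"}  # from the PII/PHI system list (assumed)
ALLOWED_EXTERNAL = {"192.0.2.50"}                                  # e.g. a clearinghouse (assumed)
FAIL_THRESHOLD, FAIL_WINDOW = 5, timedelta(minutes=10)             # tuning assumptions
EXFIL_BYTES = 100 * 1024 * 1024

AUTH_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) (\S+) sshd\[\d+\]: (Failed|Accepted) \w+ for (\S+) from (\S+)")
FW_RE = re.compile(r"^(\S+) (\S+) action=(\w+) src=(\S+) dst=(\S+) dport=(\d+) bytes=(\d+)")


def parse_auth(text, year=2016):
    """Syslog auth lines -> normalized events. Lines that don't match are skipped."""
    events = []
    for line in text.splitlines():
        m = AUTH_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "type": "auth", "host": m.group(2),
                       "outcome": m.group(3), "user": m.group(4), "src": m.group(5)})
    return events


def parse_fw(text):
    """Firewall key=value lines -> normalized events."""
    events = []
    for line in text.splitlines():
        m = FW_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        events.append({"ts": ts, "type": "fw", "action": m.group(3), "src": m.group(4),
                       "dst": m.group(5), "dport": int(m.group(6)), "bytes": int(m.group(7))})
    return events


def detect_bruteforce_success(events):
    """Alert when a source IP racks up >= FAIL_THRESHOLD failures against a host
    within FAIL_WINDOW and then logs in successfully from the same address."""
    alerts, fails = [], defaultdict(list)          # (host, src) -> failure timestamps
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["type"] != "auth":
            continue
        key = (e["host"], e["src"])
        if e["outcome"] == "Failed":
            fails[key].append(e["ts"])
        else:
            recent = [t for t in fails[key] if e["ts"] - t <= FAIL_WINDOW]
            if len(recent) >= FAIL_THRESHOLD:
                alerts.append({"rule": "bruteforce-then-success", "host": e["host"], "src": e["src"],
                               "user": e["user"], "failures": len(recent), "at": e["ts"].isoformat()})
    return alerts


def detect_phi_exfil(events):
    """Alert on allowed outbound transfers above EXFIL_BYTES from a PHI host to a
    destination that is not on the allow list."""
    return [{"rule": "phi-host-large-outbound", "host": PHI_HOSTS[e["src"]], "dst": e["dst"],
             "bytes": e["bytes"], "at": e["ts"].isoformat()}
            for e in events
            if e["type"] == "fw" and e["action"] == "allow" and e["src"] in PHI_HOSTS
            and e["dst"] not in ALLOWED_EXTERNAL and e["bytes"] >= EXFIL_BYTES]


def run():
    """Aggregate both sources into one timeline and return all alerts."""
    timeline = parse_auth(AUTH_LOG) + parse_fw(FW_LOG)
    return detect_bruteforce_success(timeline) + detect_phi_exfil(timeline)


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

The second detection only works because a list of systems holding PII/PHI already exists; without that inventory the same firewall line is just another allowed HTTPS session. That is the point of the earlier slide on what responders need before an incident.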
Additional Controls
- Perimeter defense
- Strong access controls
- Intrusion detection/prevention
- Antimalware
- Physical security
- Spam filtering
- Encryption
Security Awareness
- Develop an information security awareness program
- Culture of awareness
- Clear, consistent training
- Regular updates on current threats
- Social engineering testing
(Video: Fusion, Real Future, episode 8)
Engaging an Incident Response Consultant
- Beyond typical IT consultants: a different skill set
- Have a trusted partner before you need one
- Be open, honest, and responsive
To Summarize
- Data breaches are costly
- You have data thieves want
- Adopt a "not if, but when" mentality
- Preparation can reduce investigation cost, regulatory fines and penalties, and brand damage
@DHG_Cyber
Jeremy Gilbert, GCFE, GASF, EnCE, CPA
Manager, DHG
Jeremy.Gilbert@dhgllp.com
843-722-6443