
Cyber Forum Webinar



  1. Cyber Forum Webinar
     Presented by: Mac McMillan, CEO, CynergisTek

     Mac McMillan, FHIMSS, CISM
     CEO, CynergisTek, Inc.

     CynergisTek, Inc. 11410 Jollyville Road, Suite 2201, Austin TX 78759 512.402.8550 info@cynergistek.com cynergistek.com @CynergisTek

     Today’s Presenter
     • Co-founder & CEO CynergisTek, Inc.
     • Chair, HIMSS P&S Policy Task Force
     • CHIME, AEHIS Advisory Board
     • Healthcare Most Wired Advisory Board
     • HCPro Editorial Advisory Board
     • HealthInfoSecurity.com Editorial Advisory Board
     • Top 10 Influencers in Health IT 2013
     • Top 50 Leaders in Health IT 2015
     • Director of Security, DoD
     • Excellence in Government Fellow
     • US Marine Intelligence Officer, Retired

     CynergisTek, Inc.
     • Founded in 2004: CynergisTek has been providing services to our clients since 2004, but many of our clients have been with one or both of the founders since well before the company was founded.
     • Consulting Services: CynergisTek provides consulting services and solutions around information security, privacy, IT architecture, and audit with specific focus on regulatory compliance in healthcare.
     • Synergistic: The name “CynergisTek” came from the synergy realized by combining the expertise of the two co-founders – building scalable, mature information security programs and architecting enterprise technical solutions.
     • Securing the Mission of Care: CynergisTek Services are specifically geared to address the needs of the healthcare community including providers, payers, and their business associates who provide services into those entities.

     Agenda
     • Ransomware 2015-2016
     • OCR Permanent Audit Program
     • Current Enforcement Landscape
     • Answering The Threat

  2. Ransomware 2015/2016

     Cybersecurity Incidents Rise
     • Breaches in healthcare rose for the third straight quarter in 2016 with Q3 reporting 118 versus 89 and 63 in the second and first quarters respectively.
     • 32% of the breaches reported in Q3 involved hacking, including ransomware and other malware attacks.
     • While insider attacks still outnumber hacking incidents, hacking continues to represent the highest number of records exposed.
     • Ransomware attack volumes remain approximately 4000 a day, with 1000 new variants a day being identified.
     • More than 80% of all ransomware attacks target healthcare.

     The Stakes Are Higher
     • Cyber extortion
     • Cyber espionage
     • Hacktivism
     • Targeted attacks
     • Cyber terrorism
     • APTs & malware
     The United States is the largest target worldwide by a huge margin.
     SOCs worldwide report as much as a 10X increase in ransomware attacks from December to January with no abatement.
     Motivated, Persistent & Disruptive

     Cyber Extortion is Rampant
     • Multiple Forms: Crypto ransomware (data) and Locker ransomware (system)
     • Sophisticated attacks use:
       • New asymmetric keys for each infection
       • Industrial strength & private/public key encryption
       • Privacy enabling services like TOR and bitcoins for payments
     • Indifferent to target, everyone is a target (home/business)
     • Multiple extortion approaches
       • Malvertising, spam email, downloaders/botnets & social engineering

  3. Growth of Encryption Ransomware Against All Other Malware
     [Chart: percentage of total analyses by month, October 2015 to March 2016; series: Ransomware, Not Ransomware. Source: PhishMe Q1 Malware Review]

     Percentage of Phishing Emails Delivering Ransomware
     [Chart: percentage of phishing emails by month, October 2015 to March 2016; series: Phishing emails delivering ransomware, Phishing emails delivering other malware. Source: PhishMe Q1 Malware Review]

     Your Adversary Has Changed
     • 655,000 health records for sale on the dark web (June 28, 2016)
       “Next time an ADVERSARY comes to you and offers you an opportunity to cover this up and make it go away for a small fee to prevent the leak, take the offer. There is a lot more to come.”
     • 9 million plus more health records online (June 30, 2016)
     • Healthcare HL7 Interoperability Software Source Code, Signing Keys & Licensing Database for sale (July 12, 2016)
       “There will likely be two buyers for this, someone with nefarious intentions or someone from a small country wanting to use it for business.”

     Responding to Cybersecurity Incidents
     • Determine scope of incident to identify what networks, systems or applications are affected
     • Determine the origination of the incident
       – Who/what/where/when
     • Determine whether the incident is finished, ongoing or has propagated additional incidents throughout the environment
     • Determine how the incident occurred
       – Tools and attack methods used, vulnerabilities exploited
     • Contain the impact and propagation of the ransomware
     • Eradicate the instance of the ransomware

  4. Should You Pay Ransom for Your Data?
     • US Dept. of Justice Guidance on Ransomware says “No”
     • Paying a ransom does not guarantee an organization will regain access to its data; in fact, some victims were never provided with decryption keys after paying ransom
     • Some victims who paid the demand have reported being targeted again by cyber actors
     • After paying the originally demanded ransom, some victims have been asked to pay more to get the promised decryption key
     • Paying ransom could inadvertently encourage this criminal business model to continue

     OCR Ransomware Guidance
     • Only two things you need to know:
       – A ransomware event is considered a breach: when someone or something takes control of your data and renders it unavailable (no matter for how long), you have been breached
       – Notification is tied to “compromise”, not the event itself. If after investigation you find:
         • The manner in which the malware was deployed on your network involved physical access by the hacker, or
         • Your data is rendered unavailable to you (you cannot recover)
         then you have been compromised

     And They Saw Opportunity …
     • A little initiative, a curious nature, a deviant behavior, a Bitcoin wallet, PGP for encrypted communication, and a TOR browser and you are in business …

     Answering The Threat
