Chris Bowen, MBA, CISSP, CIPP/US, CIPT
Founder, Chief Privacy & Security Officer
AVOIDING THE BREACH
5 Common Ways Technology Vendors Put
Their Healthcare Customer's PHI at Risk
2PROPRIETARY & CONFIDENTIAL
The majority of breaches occur as the result of third parties.
http://searchsecurity.techtarget.com/feature/Third-party-risk-management-Horror-stories-You-are-not-alone
Attacks Increasing
• 42% of serious data breaches in 2014 were in the healthcare sector
– 34% in the first half of 2015
• Business associates were the culpable party for 118 out of the 458 breaches (OCR Report to Congress)
• Protected health information (PHI) is worth roughly 50 times more than credit card or Social Security numbers
• The most profitable type of fraud stemming from identity theft is now Medicare fraud
– Particularly attractive targets because of payment data and detailed patient records used to collect reimbursements
• One in 10 Americans has been affected by a large health data breach
What’s in the presentation for me?
• You’re trying to service your customers, including protecting their data
• Bad guys want to steal your customers’ data
• Regulators want to punish you if bad guys steal your customers’ data
• So do lawyers…
• Understand five commonly overlooked mistakes vendors make
• View examples of what happens as a result
Key Learnings
Source: https://cybersponse.com/data-breaches-by-the-numbers
Objective Breach Ramifications
Recent Breaches
Source: http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/
Organization    Records Breached
Anthem          80,000,000
Premera         11,000,000
CHS              4,500,000
UCLA Health      4,500,000
Carefirst        1,100,000
Objective Breach Ramifications
The Aftermath
Identity Theft, Espionage, Future Attacks, Money Spent, Reputations Lost
Breaches by Business Associates
January 2014 - Blue Cross Blue Shield of New Jersey
Loss of data affecting 839,711 individuals. A laptop was stolen – there was no encryption.
January 2014 - Triple-C, Inc.
Theft of data affecting 398,000 individuals. A network server was stolen – there was no encryption.
May 2014 - Sutherland Healthcare Solutions, Inc.
Thieves stole eight computers from Sutherland’s Torrance, Calif. office. They got away with the medical records of 342,197 individuals. There was no encryption.
August 2014 - Community Health Pro-Services Corporation
Unauthorized access. In a legal dispute with Texas HHS, Xerox removed patient records from servers and hard drives and permitted other parties to view the records of 2,000,000 individuals.
December 2014 - Senior Health Partners
Theft of 2,700 records after a laptop and mobile phone belonging to a registered nurse employed by its business associates were reported stolen.
Defense in Depth in IT
Defense in depth uses multiple layers of defense to address technical, personnel and
operational issues.
[Diagram] Layers, from the inside out: Data, Devices, Servers, Applications, Network, Physical, Policies / Procedures / Awareness.
Controls shown along the attack path: OS/Software Firewall, Hardware Router / Firewall, Antivirus / Anti-malware, Security Patches, User Access Controls.
Healthcare is Depending on YOU!
Healthcare IT is depending on you to keep systems secure, private, available, and untouched by the unauthorized. This includes data exchange, VoIP phones, enterprise wireless, mobile EMR, billing, PACS, patient portal, registration, prescribing, lab integrations, X-ray equipment, monitoring equipment, physician communications and scheduling, online bill-pay, patient scheduling, medical devices, mobile computing, internal communications, and more.
Mistake #1: Failure to Assess Risk
• 33% of businesses have not commissioned a risk assessment (1)
• Risk Assessment has been required since adoption of the HIPAA Security Rule
• Requirement not taken seriously
• HITECH – 2009 – Added Fines
• Skipping SRA is Not Reasonable – OCR
• This applies to the Business Associate too!
Defense Layer: All
(1) 2014 State of Risk Report. (2015, January). Trustwave, 4-4.
Security Risk Assessment
1. Inventory
• Inventory ePHI
• Identify safeguards in place
• Inventory critical apps
• Inventory what comprises the system
2. Review Safeguards
• Administrative
– Policies & Procedures
• Technical
– Access Controls
– Technical Controls
• Physical
3. Analysis
• Threats
• Vulnerabilities
• Risks
• Evaluate Policies & Procedures
– Effective, Operational, Applicable
4. Deliverables
• Data Inventory
• Application Criticality Analysis
• Threat Matrix
• Risk Matrix
• Remediation Roadmap
Defense Layer: All
Mistake #1: Failure to Assess Risk
Failure to conduct an SRA can result in:
• OCR enforcement including civil monetary penalties and resolution agreements
• Increased risk of suffering data breaches
• CMS enforcement to recoup EHR incentive payments
• OIG enforcement under the False Claims Act
– Liability of up to 3 times the EHR incentive payment
– Exclusion from federally funded healthcare programs
Defense Layer: All
Mistake #2: Unaware of System Activity
• Not knowing what’s going on in or around your network and systems
• Ineffective System Activity Reviews
Defense Layer: Network, Server, App, Data
Mistake #2: Unaware of System Activity
• 80,000,000 records stolen via hack
• Traced to April 2014
• Attackers created a bogus domain name, "we11point.com", to mimic the legitimate domain wellpoint.com
• Used malware to mimic Citrix VPN software
• Harvested user credentials
• Became aware in December 2014
• That’s 9 months of covert activity inside the network!
Defense Layer: Network, Server, App, Data
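What an effective system activity review could have caught here, as an added example that is not part of the deck: the script below scans DNS query log lines for lookalikes of the organization's own domain, flagging the digit-1-for-letter-l substitution in we11point.com as well as one-character typosquats, and reports how many days the first suspicious query went unreviewed. The log format, the sample lines and the review date are constructed for this example, and the registrable-domain logic assumes simple two-label domains such as wellpoint.com.

```python
"""Lookalike-domain review over DNS query logs (added example; not from the deck)."""
import re
from datetime import date, datetime
from typing import Dict, List

# The organization's real domain(s). wellpoint.com is the one named in the deck.
LEGIT_DOMAINS = ["wellpoint.com"]

# Characters that read like another letter on screen. The Anthem attackers
# relied on the first pair: digit '1' for letter 'l' (we11point.com).
CONFUSABLES = [("1", "l"), ("rn", "m"), ("vv", "w"), ("0", "o"), ("5", "s"), ("3", "e")]

# Constructed query log: timestamp, source host, queried name. Not real traffic.
SAMPLE_LOG = """\
2014-04-08T09:14:03Z src=10.20.5.17 query=we11point.com type=A
2014-04-08T09:14:05Z src=10.20.5.17 query=vpn.wellpoint.com type=A
2014-04-09T17:40:11Z src=10.20.7.42 query=welpoint.com type=A
2014-04-09T17:41:02Z src=10.20.7.42 query=update.microsoft.com type=A
this line is malformed and must be skipped, not crash the review
2014-05-02T03:02:59Z src=10.20.5.17 query=WE11POINT.COM type=A
""".splitlines()

# Constructed date on which the activity review finally ran.
REVIEW_DATE = date(2014, 12, 10)

LOG_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) query=(?P<q>\S+)")


def skeleton(name: str) -> str:
    """Collapse confusable characters so a homoglyph compares equal to the real name."""
    s = name.lower()
    for lookalike, real in CONFUSABLES:
        s = s.replace(lookalike, real)
    return s


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a distance of 1 is the classic one-character typosquat."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host: str) -> str:
    """Last two labels of a host name (assumes simple TLDs such as .com, not .co.uk)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def classify(host: str, legit: List[str]) -> str:
    """Return '' for the real domain, its subdomains or unrelated names, else why it is suspect."""
    reg = registrable(host)
    if "." not in reg:
        return ""  # bare host names such as 'localhost' are out of scope
    for good in legit:
        good = good.lower()
        if reg == good:
            return ""
        if skeleton(reg) == skeleton(good):
            return f"homoglyph of {good}"
        good_label, good_tld = good.split(".", 1)
        reg_label, reg_tld = reg.split(".", 1)
        if reg_tld == good_tld and edit_distance(reg_label, good_label) == 1:
            return f"typosquat of {good}"
    return ""


def review_dns_log(lines: List[str], legit: List[str]) -> List[Dict[str, str]]:
    """Run the lookalike checks over log lines and return one finding per suspicious query."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # malformed line: skip it rather than abort the whole review
        reason = classify(m["q"], legit)
        if reason:
            findings.append({"ts": m["ts"], "src": m["src"],
                             "domain": m["q"].lower(), "reason": reason})
    return findings


def days_undetected(findings: List[Dict[str, str]], review_date: date) -> int:
    """Days between the earliest suspicious query and the day the review actually ran."""
    if not findings:
        return 0
    first = min(datetime.strptime(f["ts"], "%Y-%m-%dT%H:%M:%SZ").date() for f in findings)
    return (review_date - first).days


if __name__ == "__main__":
    hits = review_dns_log(SAMPLE_LOG, LEGIT_DOMAINS)
    for f in hits:
        print(f"{f['ts']} {f['src']} {f['domain']}: {f['reason']}")
    print("days between first suspicious query and review:", days_undetected(hits, REVIEW_DATE))
```

Feeding the same check from a SIEM on a daily schedule, rather than once at review time, is what turns the 246-day gap in the sample into a same-day alert.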
Mistake #2: Unaware of System Activity
Organizations are not able to detect a breach in a timely manner.
[Chart: When was the breach discovered?]
Source: 2014: A Year of Mega Breaches. (2015, January 15). Ponemon Institute© Research Report, 10-10.
Defense Layer: Network, Server, App, Data
Mistake #2: Unaware of System Activity
Ineffective use of Security Information & Event Management (SIEM) systems
Defense Layer: Network, Server, App, Data
SIEM capabilities: Asset Discovery, Vulnerability Assessment, Threat Detection, Event Collection, Correlation, Event Management, Log Storage
"SIEM: the #1 technology investment made in response to mega breaches!" – Source: 2014: A Year of Mega Breaches. (2015, January 15). Ponemon Institute© Research Report, 3-3.
Mistake #3: Patching Fail
Failure to keep up to date on patching and firmware
Defense Layer: Network, Server, App
Mistake #3: Patching Fail
• This is a Covered Entity AND a Business Associate
• Failed to patch their systems
• Continued to run outdated, unsupported software
• Led to a malware data breach affecting 2,743 individuals
• ACMHS reported the breach to HHS back in March 2012
• Fined $150,000
• Lesson learned: security-related patches should be applied as soon as possible
Defense Layer: Network, Server, App
Mistake #3: Patching Fail (More Context)
• ACMHS was negligent, but the fine was issued on the heels of a year of patching woes for most Microsoft customers.
• Patching policies delayed for critical updates
– Microsoft had trouble delivering an error-free month
Balancing Act
• Deal with the fallout of a botched patch?
• Or wait to patch?
Document decisions. But don’t be negligent.
Defense Layer: Network, Server, App
Mistake #4: Training on the Right Stuff
Failure to Train Your Users
Defense Layer: All
Mistake #4: Training on the Right Stuff
• Security flaw in the vendor database
• Vendor exposed 7,000 records to the web
• General Security Awareness Training is a HIPAA requirement
• But what about training for secure development practices?
• What about training on a Software Development Lifecycle (SDLC)?
Defense Layer: All
Mistake #4: Training on the Right Stuff
Open Web Application Security Project (OWASP)
• www.owasp.org
• Open group focused on understanding and improving the security of web applications and web services
Top Ten Project
• Goal is to raise awareness
If you create web-enabled apps, make this part of your training!
OWASP Top Ten categories:
• Web and App Server Misconfiguration
• Remote Administration Flaws
• Insecure Use of Cryptography
• Error Handling Problems
• Command Injection Flaws
• Buffer Overflows
• Cross-Site Scripting Flaws (XSS)
• Broken Account & Session Management
• Broken Access Control
• Un-validated Parameters
Defense Layer: All
Mistake #5: Failure to Manage Changes
• Change Control: The process of managing change to an organization’s environment and assessing the potential impact on business
[Chart] Have change control covering information technology assets and business processes: 54% fully, 39% partially, 7% not at all (1)
Defense Layer: All
(1) 2014 State of Risk Report. (2015, January). Trustwave, 13-13.
Mistake #5: Failure to Manage Changes
• Average cost of downtime is around the $8,000 per minute mark (1)
• 80% of unplanned outages are due to ill-planned changes made by operations staff or developers (2)
• 60% of availability and performance errors are the result of misconfigurations (3)
• Through 2015, 80% of outages impacting mission-critical services will be caused by people and process issues (4)
– More than 50% of those outages will be caused by change/configuration/release integration and hand-off issues
Defense Layer: All
(1) www.datacenterknowledge.com/.../study-cost-data-center-downtime-rising/
(2) IT Process Institute's Visible Ops Handbook
(3) Enterprise Management Association
(4) Ronni J. Colville and George Spafford, Configuration Management for Virtual and Cloud Infrastructures
Mistake #5: Failure to Manage Changes
Defense Layer: All
[Chart: Outage Causes] Categories shown: Hardware Failure, Upgrades & Migration, Power Outages, Application Error, Human Error. Shares shown: 23%, 22%, 20%, 18%, 17%.
Source: http://www.channelinsider.com/storage/slideshows/helping-combat-downtime-on-premise-and-in-the-cloud.html
Mistake #5: Failure to Manage Changes
Starting ITIL in 4 Practical Steps:
• Reduce access to systems that can be changed
– Assign a limited group with access as the only entity that can make changes
• Inventory information assets and detailed information about equipment, backups, etc. (build a RACI)
• Create a repeatable build library
• Continual improvement
Google: Amazon.com + Visible Ops
Defense Layer: All
Bonus Mistake: Failure to Remediate
• Identifying the list of items to fix is just the beginning
• You actually have to fix them before the bad guys exploit them
Risk Analysis helps identify and prioritize issues.
High Priority Examples:
• Risk Analysis (#1) §164.308(a)(1)(ii)(A)
• Information System Activity §164.308(a)(1)(ii)(D)
• Security Awareness and Training Program (#11) §164.308(a)(5)(i)
• Encryption and Decryption (#42) §164.312(a)(2)(iv)
• Data Backup Plan §164.308(a)(7)(ii)(A)
• Audit Controls (#43) §164.312(b)
• Policy and Procedures (#48) §164.316(a)
• More…
Remediation timeline: ASAP / <30 days
Defense Layer: All
Bonus Mistake: Failure to Remediate
Organizations are not able to resolve breaches quickly.
[Chart: When was the breach resolved?]
Source: 2014: A Year of Mega Breaches. (2015, January 15). Ponemon Institute© Research Report, 11-11.
Defense Layer: All
Five Common Mistakes & Consequences
Defense Layer: All
1. Failure to Conduct a Risk Assessment → Unaware of Vulnerabilities
2. Ineffective Activity Reviews → Hackers Inside for Months
3. Lack of Timely Patches → Vulnerable Systems
4. Lack of Proper Training → Flawed Systems Promoted to Production
5. No Formal Change Management → Downtime, Break Systems, Failure to Communicate
Common outcome: Data Breaches
MODERNIZE THE INFRASTRUCTURE • SECURE PATIENT DATA • IMPROVE DATA INTEROPERABILITY
John Perales
National Channel Sales Director
512.993.5899
John.Perales@cleardata.com

Corporate and higher education May webinar.pptxRustici Software
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWERMadyBayot
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...apidays
 

Recently uploaded (20)

How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor Presentation
 
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot ModelMcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectors
 
CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistan
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptx
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 

5 Ways Technology Vendors Put Their Healthcare Customer's PHI at Risk

9. The Aftermath
• Identity theft
• Espionage
• Future attacks
• Money spent
• Reputations lost

10. Breaches by Business Associates
1. January 2014 - Blue Cross Blue Shield of New Jersey: loss of data affecting 839,711 individuals. A laptop was stolen; there was no encryption.
2. January 2014 - Triple-C, Inc.: theft of data affecting 398,000 individuals. A network server was stolen; there was no encryption.
3. May 2014 - Sutherland Healthcare Solutions, Inc.: thieves stole eight computers from Sutherland's Torrance, Calif. office and got away with the medical records of 342,197 individuals. There was no encryption.
4. August 2014 - Community Health Pro-Services Corporation: unauthorized access. In a legal dispute with Texas HHS, Xerox removed patient records from servers and hard drives and permitted other parties to view the records of 2,000,000 individuals.
5. December 2014 - Senior Health Partners: theft of 2,700 records after a laptop and a mobile phone belonging to a registered nurse employed by its business associate were reported stolen.

11. Defense in Depth in IT
Defense in depth uses multiple layers of defense to address technical, personnel and operational issues.
Layers shown, innermost to outermost: Data; Devices; Servers; Applications; Network; Physical; Policies, Procedures, Awareness.
Controls placed across those layers: OS/software firewall; hardware router/firewall; antivirus/anti-malware; security patches; user access controls. The attack in the diagram arrives from outside and has to get through each layer before it reaches the data.

12. Healthcare is Depending on YOU!
Healthcare IT is depending on you to keep systems secure, private, available, and untouched by the unauthorized. This includes data exchange, VoIP phones, enterprise wireless, mobile EMR, billing, PACS, patient portal, registration, prescribing, lab integrations, X-ray equipment, monitoring equipment, physician communications and scheduling, online bill pay, patient scheduling, medical devices, mobile computing, internal communications, and much more.

13. Mistake #1: Failure to Assess Risk (Defense layer: all)
• 33% of businesses have not commissioned a risk assessment (1)
• A risk assessment has been required since adoption of the HIPAA Security Rule
• The requirement is not taken seriously
• HITECH (2009) added fines
• Skipping the security risk assessment (SRA) is not reasonable, according to OCR
• This applies to the business associate too!
(1) 2014 State of Risk Report. (2015, January). Trustwave, p. 4.

14. Security Risk Assessment (Defense layer: all)
1. Inventory: inventory ePHI; inventory critical apps; inventory what comprises the system.
2. Review safeguards: identify the safeguards in place, administrative (policies and procedures), technical (access controls, technical controls) and physical.
3. Analysis: threats, vulnerabilities, risks; evaluate policies and procedures for whether they are effective, operational and applicable.
4. Deliverables: data inventory; application criticality analysis; threat matrix; risk matrix; remediation roadmap.

15. Mistake #1: Failure to Assess Risk (Defense layer: all)
Failure to conduct an SRA can result in:
• OCR enforcement, including civil monetary penalties and resolution agreements
• Increased risk of suffering data breaches
• CMS enforcement to recoup EHR incentive payments
• OIG enforcement under the False Claims Act
  – Liability of up to 3 times the EHR incentive payment
  – Exclusion from federally funded healthcare programs

16. Mistake #2: Unaware of System Activity (Defense layers: network, server, app, data)
• Not knowing what is going on in or around your network and systems
• Ineffective system activity reviews

17. Mistake #2: Unaware of System Activity (Defense layers: network, server, app, data)
• 80,000,000 records stolen via hack
• Traced to April 2014
• Attackers created a bogus domain name, "we11point.com", to mimic the legitimate domain wellpoint.com
• Used malware to mimic Citrix VPN software
• Harvested user credentials
• The organization became aware in December 2014
• That is 9 months of covert activity inside the network!

18. Mistake #2: Unaware of System Activity (Defense layers: network, server, app, data)
Organizations are not able to detect a breach in a timely manner.
[Chart: When was the breach discovered?]
Source: 2014: A Year of Mega Breaches. (2015, January 15). Ponemon Institute Research Report, p. 10.

19. Mistake #2: Unaware of System Activity (Defense layers: network, server, app, data)
Ineffective use of Security Information and Event Management (SIEM) systems.
SIEM functions: asset discovery; vulnerability assessment; threat detection; event collection; correlation; event management; log storage.
SIEM was the #1 technology investment made in response to mega breaches.
Source: 2014: A Year of Mega Breaches. (2015, January 15). Ponemon Institute Research Report, p. 3.
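Added example (not code from the presentation): a small Python scanner that applies the lesson of slides 17 and 19 to outbound proxy logs, flagging destinations that imitate a domain you own through homoglyph substitution (we11point.com for wellpoint.com), a single-character typo, or a swapped top-level domain. The log lines, hostnames and addresses are constructed for the example, and the two-label registrable-domain rule in registrable() is an assumption; a production SIEM rule would use the Public Suffix List and the organization's real domain inventory.

```python
"""Spot look-alike domains in outbound proxy logs.

Added example for the "Unaware of System Activity" slides; not code from the
presentation. Log lines, hosts and IP addresses below are constructed.
"""
import re

# Glyphs attackers substitute for the letters they resemble (we11point -> wellpoint).
CONFUSABLES = str.maketrans({
    "1": "l", "0": "o", "3": "e", "5": "s", "7": "t", "8": "b", "|": "l",
})

# Constructed proxy log lines: timestamp, source host, destination host, URL path.
SAMPLE_LOG = """\
2014-04-12T03:14:07Z src=10.20.30.40 dst_host=vpn.wellpoint.com path=/Citrix/login
2014-04-12T03:16:22Z src=10.20.30.40 dst_host=vpn.we11point.com path=/Citrix/login
2014-04-12T03:17:05Z src=10.20.30.41 dst_host=www.example.org path=/
2014-04-12T03:18:49Z src=10.20.30.42 dst_host=mail.wel1point.com path=/owa
2014-04-12T03:19:30Z src=10.20.30.43 dst_host=wellpoint.co path=/login
"""
LINE_RE = re.compile(r"src=(?P<src>\S+)\s+dst_host=(?P<host>\S+)")


def registrable(host: str) -> str:
    """Reduce a hostname to its last two labels: 'vpn.we11point.com' -> 'we11point.com'.
    Assumption for the example: two-label registrable suffixes only (no co.uk etc.)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def fold(label: str) -> str:
    """Map confusable glyphs to the letters they imitate."""
    return label.lower().translate(CONFUSABLES)


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch single-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(host: str, protected: set, max_distance: int = 1):
    """Return the protected domain that `host` imitates, or None.

    An exact match on the registrable domain is legitimate traffic. Anything
    else whose second-level label folds to a protected label (homoglyphs) or
    sits within `max_distance` edits of it (typosquats, TLD swaps) is flagged.
    """
    dom = registrable(host)
    if dom in protected:
        return None
    name = fold(dom.split(".")[0])
    for p in protected:
        pname = fold(p.split(".")[0])
        if name == pname or levenshtein(name, pname) <= max_distance:
            return p
    return None


def scan_log(text: str, protected: set):
    """Return (src, dst_host, imitated_domain) for every suspicious line."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        target = lookalike_of(m["host"], protected)
        if target:
            hits.append((m["src"], m["host"], target))
    return hits


if __name__ == "__main__":
    for src, host, target in scan_log(SAMPLE_LOG, {"wellpoint.com"}):
        print(f"{src} -> {host}  (imitates {target})")
```

Running the file prints the three suspicious lines and the domain each imitates; that output is what a SIEM correlation rule would consume (for instance, a look-alike hit followed by an authentication from the same source). Keep max_distance at 1 for short domain names, or the rule will flag unrelated two- and three-letter names.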
20. Mistake #3: Patching Fail (Defense layers: network, server, app)
Failure to keep up to date on patching and firmware.

21. Mistake #3: Patching Fail (Defense layers: network, server, app)
• This is a covered entity AND a business associate
• Failed to patch their systems
• Continued to run outdated, unsupported software
• Led to a malware data breach affecting 2,743 individuals
• ACMHS reported the breach to HHS back in March 2012
• Fined $150,000
• Lesson learned: security-related patches should be applied as soon as possible

22. Mistake #3: Patching Fail, more context (Defense layers: network, server, app)
• ACMHS was negligent, but the fine was issued on the heels of a year of patching woes for most Microsoft customers.
• Patching policies delayed critical updates
  – Microsoft had trouble delivering an error-free month
Balancing act: deal with the fallout of a botched patch, or wait to patch? Document the decisions, but do not be negligent.

23. Mistake #4: Training on the Right Stuff (Defense layer: all)
Failure to train your users.

24. Mistake #4: Training on the Right Stuff (Defense layer: all)
• Security flaw in the vendor database
• Vendor exposed 7,000 records to the web
• General security awareness training is a HIPAA requirement
• But what about training for secure development practices?
• What about training on a software development lifecycle (SDLC)?

25. Mistake #4: Training on the Right Stuff (Defense layer: all)
Open Web Application Security Project (OWASP)
• www.owasp.org
• Open group focused on understanding and improving the security of web applications and web services
Top Ten Project
• Goal is to raise awareness
• If you create web-enabled apps, make this part of your training!
The Top Ten as listed on the slide (this is the original 2003 edition of the list; later editions differ):
• Un-validated parameters
• Broken access control
• Broken account and session management
• Cross-site scripting flaws (XSS)
• Buffer overflows
• Command injection flaws
• Error handling problems
• Insecure use of cryptography
• Remote administration flaws
• Web and app server misconfiguration
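Added example (not code from the presentation or from OWASP): two of the slide's Top Ten items, un-validated parameters leading to SQL injection and cross-site scripting, shown as a vulnerable lookup beside its hardened form in Python with sqlite3. The patient table, the record numbers and the MRN format are constructed for the example.

```python
"""Un-validated parameters and injection: vulnerable lookup beside its hardened form.

Added example for the OWASP Top Ten slide; not code from the presentation or
from OWASP. The table, MRNs and the MRN format below are constructed.
"""
import html
import re
import sqlite3

# Constructed MRN format for the example: 'MRN-' followed by exactly six digits.
MRN_RE = re.compile(r"MRN-\d{6}")
INJECTION = "' OR '1'='1"  # classic tautology payload sent as the 'mrn' parameter


def make_db() -> sqlite3.Connection:
    """In-memory table standing in for a vendor's patient database (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE patients (mrn TEXT PRIMARY KEY, name TEXT, diagnosis TEXT)")
    conn.executemany(
        "INSERT INTO patients VALUES (?, ?, ?)",
        [("MRN-000001", "A. Example", "hypertension"),
         ("MRN-000002", "B. Example", "diabetes"),
         ("MRN-000003", "<script>alert(1)</script>", "asthma")],
    )
    return conn


def lookup_vulnerable(conn, mrn: str):
    """The flaw: the request parameter is spliced straight into the SQL text."""
    sql = f"SELECT mrn, name, diagnosis FROM patients WHERE mrn = '{mrn}'"
    return conn.execute(sql).fetchall()


def is_valid_mrn(mrn: str) -> bool:
    """Positive validation: accept only the documented format, nothing else."""
    return MRN_RE.fullmatch(mrn) is not None


def lookup_parameterized(conn, mrn: str):
    """Parameter binding keeps the value out of the query's structure, whatever it contains."""
    return conn.execute(
        "SELECT mrn, name, diagnosis FROM patients WHERE mrn = ?", (mrn,)
    ).fetchall()


def lookup_safe(conn, mrn: str):
    """Hardened form: validate the input first, then bind it."""
    if not is_valid_mrn(mrn):
        raise ValueError("rejected: MRN does not match the expected format")
    return lookup_parameterized(conn, mrn)


def render_vulnerable(name: str) -> str:
    """Reflecting a stored value into HTML unescaped is the XSS flaw."""
    return f"<p>Patient: {name}</p>"


def render_safe(name: str) -> str:
    """Encode for the HTML context the value lands in."""
    return f"<p>Patient: {html.escape(name, quote=True)}</p>"


if __name__ == "__main__":
    db = make_db()
    print("vulnerable lookup with payload:", len(lookup_vulnerable(db, INJECTION)), "rows")
    print("parameterized lookup with payload:", len(lookup_parameterized(db, INJECTION)), "rows")
    print(render_safe(lookup_safe(db, "MRN-000003")[0][1]))
```

With the tautology payload, lookup_vulnerable returns every row because the quote closes the string literal and OR '1'='1' makes the predicate always true; lookup_parameterized returns nothing because the payload is bound as data; lookup_safe rejects it before any query is built. render_safe shows the same principle on the output side: encode for the context the data lands in, and the stored script tag reaches the browser as text rather than markup.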
26. Mistake #5: Failure to Manage Changes (Defense layer: all)
• Change control: the process of managing change to an organization's environment and assessing the potential impact on the business
Have change control covering information technology assets and business processes (1):
• 54% fully
• 39% partially
• 7% not at all
(1) 2014 State of Risk Report. (2015, January). Trustwave, p. 13.

27. Mistake #5: Failure to Manage Changes (Defense layer: all)
• Average cost of downtime is around the $8,000 per minute mark (1)
• 80% of unplanned outages are due to ill-planned changes made by operations staff or developers (2)
• 60% of availability and performance errors are the result of misconfigurations (3)
• Through 2015, 80% of outages impacting mission-critical services will be caused by people and process issues (4)
  – More than 50% of those outages will be caused by change/configuration/release integration and hand-off issues
(1) www.datacenterknowledge.com/.../study-cost-data-center-downtime-rising/
(2) IT Process Institute's Visible Ops Handbook
(3) Enterprise Management Association
(4) Ronni J. Colville and George Spafford, Configuration Management for Virtual and Cloud Infrastructures

28. Mistake #5: Failure to Manage Changes (Defense layer: all)
Outage causes (chart): hardware failure, upgrades and migration, power outages, application error, human error; shares shown: 23%, 22%, 20%, 18%, 17%.
Source: http://www.channelinsider.com/storage/slideshows/helping-combat-downtime-on-premise-and-in-the-cloud.html

29. Mistake #5: Failure to Manage Changes (Defense layer: all)
• Reduce access to systems that can be changed
  – Assign a limited group with access as the only entity that can make changes
• Inventory information assets and detailed information about equipment, backups, etc. (build a RACI)
• Create a repeatable build library
• Continual improvement
Starting ITIL in 4 practical steps: search Amazon.com for Visible Ops.

30. Bonus Mistake: Failure to Remediate (Defense layer: all)
• Identifying the list of items to fix is just the beginning
• You actually have to fix them before the bad guys exploit them: ASAP, within 30 days
Risk analysis helps identify and prioritize issues. High-priority examples:
• Risk Analysis (#1), §164.308(a)(1)(ii)(A)
• Information System Activity Review, §164.308(a)(1)(ii)(D)
• Security Awareness and Training Program (#11), §164.308(a)(5)(i)
• Encryption and Decryption (#42), §164.312(a)(2)(iv)
• Data Backup Plan, §164.308(a)(7)(ii)(A)
• Audit Controls (#43), §164.312(b)
• Policies and Procedures (#48), §164.316(a)
• More...

31. Bonus Mistake: Failure to Remediate (Defense layer: all)
Organizations are not able to resolve breaches quickly.
[Chart: When was the breach resolved?]
Source: 2014: A Year of Mega Breaches. (2015, January 15). Ponemon Institute Research Report, p. 11.

32. Five Common Mistakes and Consequences (Defense layer: all)
1. Failure to conduct a risk assessment: unaware of vulnerabilities
2. Ineffective activity reviews: hackers inside for months
3. Lack of timely patches: vulnerable systems, data breaches
4. Lack of proper training: flawed systems promoted to production
5. No formal change management: downtime, broken systems, failure to communicate

33. Modernize the infrastructure • Secure patient data • Improve data interoperability
John Perales, National Channel Sales Director, 512.993.5899, John.Perales@cleardata.com