The VigiTrust "How to Prevent Data Loss and Breaches in the Healthcare Industry" forum, held at the Irish Consulate in New York City, was an eye-opener on how vulnerable people, institutions, and business enterprises are to cyber and phishing attacks.
For the health care industry, the custodian of patient information, and increasingly so with the rollout of ObamaCare in 2014, the cost of data breaches to hospitals was laid bare last month by a pair of class action lawsuits in New York and Florida, a tactic that will undoubtedly spread to many more states.
With industry heavyweights such as Verizon, Triumfant, and New World Technology Partners (NWTP), along with emerging companies, the VigiTrust-sponsored forum presented startling statistics, stories of human fallibility, and the costs and headaches of disaster recovery and reputation repair. Email (disclosure: I was a presenter, with "The Achilles' Heel of Email") emerged as a major sore point, the favorite tool for hackers breaking into corporate networks.
Andi Baritchi, managing principal of security consulting at Verizon Business, spoke in depth about Verizon's 2013 Data Breach Investigations Report (DBIR). He highlighted that "one in five emails are malware," that "the web is both an attack vector and support for other attack vectors," and that of the billions of spam mails sent each day, "92 percent of them have potentially malicious web links."
He noted that as cybercriminals change their methods, malicious email will be in vogue in 2013. For hackers, the method is too simple and too successful to ignore. One slide (pg. 38 of the DBIR), titled "The Inevitability of a Click," showed a graph of phishing click-throughs: the chance that a campaign gets at least one click climbs from 20 percent for a single email to 90 percent after sending just a few more.
Mr. Baritchi concluded, "Traditional anti-virus and firewall defenses can no longer be trusted to prevent these web-borne threats."
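The arithmetic behind that slide, as an added illustration rather than anything from the DBIR or the forum: if each recipient independently clicks with probability p, the campaign succeeds (gets at least one click) with probability 1 - (1 - p)^n after n emails. The 20 percent single-email click rate is an assumption taken from the slide's starting point, and the function names and the Monte Carlo check are this example's own.

```python
"""Why a phishing campaign's success is "inevitable": a modest per-recipient
click probability compounds across recipients.

Added example, not from the DBIR or the forum. The 20 percent single-email
click rate is an assumption taken from the slide's starting point.
"""
import math
import random

# Assumed probability that any one recipient clicks (hypothetical value).
SINGLE_EMAIL_CLICK_RATE = 0.20


def prob_at_least_one_click(n_emails, p_click=SINGLE_EMAIL_CLICK_RATE):
    """Probability that at least one of n independent recipients clicks.

    P(nobody clicks) = (1 - p)^n, so P(at least one click) = 1 - (1 - p)^n.
    """
    if n_emails < 0 or not 0.0 <= p_click <= 1.0:
        raise ValueError("n_emails must be >= 0 and p_click must lie in [0, 1]")
    return 1.0 - (1.0 - p_click) ** n_emails


def emails_needed(target, p_click=SINGLE_EMAIL_CLICK_RATE):
    """Smallest number of emails that lifts the success probability to >= target."""
    if not 0.0 <= target < 1.0:
        raise ValueError("target must lie in [0, 1)")
    if target == 0.0:
        return 0
    if p_click <= 0.0:
        raise ValueError("no click is possible when p_click is 0")
    if p_click >= 1.0:
        return 1
    # Solve 1 - (1 - p)^n >= target  =>  n >= log(1 - target) / log(1 - p).
    n = math.ceil(math.log(1.0 - target) / math.log(1.0 - p_click))
    # Nudge across floating-point error at the boundary.
    while prob_at_least_one_click(n, p_click) < target:
        n += 1
    while n > 1 and prob_at_least_one_click(n - 1, p_click) >= target:
        n -= 1
    return n


def click_curve(max_emails=10, p_click=SINGLE_EMAIL_CLICK_RATE):
    """(n, probability) pairs for campaigns of 1..max_emails messages."""
    return [(n, round(prob_at_least_one_click(n, p_click), 3))
            for n in range(1, max_emails + 1)]


def simulate_campaign(n_emails, p_click=SINGLE_EMAIL_CLICK_RATE, trials=10000, seed=1):
    """Monte Carlo check of the closed form: fraction of simulated campaigns
    of n_emails messages in which at least one recipient clicked."""
    rng = random.Random(seed)  # fixed seed keeps the estimate reproducible
    successes = 0
    for _ in range(trials):
        if any(rng.random() < p_click for _ in range(n_emails)):
            successes += 1
    return successes / trials


if __name__ == "__main__":
    for n, p in click_curve():
        print(f"{n:2d} email(s) -> {p:.1%} chance of at least one click")
    print("emails needed for a 50% chance:", emails_needed(0.5))
    print("emails needed for a 90% chance:", emails_needed(0.9))
    print("simulated, 10 emails:", simulate_campaign(10))
```

The defender's lesson is the same one the slide makes: with a realistic per-recipient click rate, a campaign of roughly a dozen messages is almost certain to land at least one click, so controls that assume "nobody here would click" are not controls.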
So is anyone's data safe? No. But there is hope with new solutions.
Mathieu Gorge, CEO and founder of VigiTrust (est. 2003), gave the opening and closing presentations, flanking eight other speakers. He discussed the five pillars of IT security, saying:
"It's critical for our clients to map their IT ecosystems. Without knowing what that network and its endpoints look like, it is a challenge to provide the right eSecurity solutions. The five pillars of security for evaluating a corporation are physical, people, data, and infrastructure security, and crisis management."
Security is a lot more than just managing phishing attacks. VigiTrust offers three solutions: security training and eLearning, compliance and readiness validation, and security and Governance, Risk and Compliance (GRC) services.
He said, "One of the first things we ask new customers for is their ecosystem diagram, dataflow diagram, and network diagram. You won't believe how many clients don't have an ecosystem diagram, which just makes the evaluation process harder."
Gorge, like other speakers that day, cited statistics from the Ponemon Institute's "Third Annual Benchmark Study on Patient Privacy & Data Security," showing that both data loss prevention and compliance with the Health Insurance Portability and Accountability Act (HIPAA) of 1996 remain a real challenge for physicians, hospitals, and medical centers.
He also drew on VigiTrust's own research, a joint survey conducted with Barclaycard and Visa Europe, stating, "58 percent are not aware of their responsibility to train on incident reporting. 75 percent have no awareness of the secure coding requirements." Gorge emphasized, "The top three compliance challenges are lack of understanding, time, and cost."
On fraud, Gorge grouped the familiar types of bank and personal fraud into a first category, then described Fraud 2 as "the new vectors and new targets of fraud, including social media, multi-purpose mobile platforms, pre-paid fraud, contactless fraud, and generation focused fraud. For the latter, younger people are definitely more at risk than before. Older people on the Internet are at risk, too."
Triumfant's Security Remediation Solution
John Prisco, CEO of Triumfant, gave a presentation on "Why Cyber Defenses are Failing." On the opening slide, "The World has Changed," Mr. Prisco said, "The RSA (tokens) breach affected over 700 companies and cost the banking industry more than $100 million."
Mr. Prisco also noted that less than 5 percent of breaches are detected in the first hour and only 40 percent within the first thirty days. He explained that the old guard of cybersecurity technology no longer cuts it against the new threats out there.
He said, "Triumfant detects the attacks that evade other tools and removes the attack without re-imaging." The company's focus is not merely on detecting malware and other infections but on remediation, which few competitors provide.
Mr. Prisco went into the "Anatomy of an Advanced Malware Attack," showing what happens in the first three minutes. Scary stuff.
According to the presentation, Triumfant's patented analytics engine is what sets it apart from tools such as anti-virus, whitelisting, and sandboxing, beating them by a margin of four to one in detection rate. But it's the remediation that matters. It "finds and removes malware that other defenses miss" and does not require "signatures or any prior knowledge to find malware."
Other Speakers on the Ripple Effect of Data Breaches
Robert Gardner, who founded NWTP in 1977 to incubate strategic technologies that serve both business and public policy interests (aka national security), has more recently focused on cyber risk management technologies "for complex critical infrastructure."
On the cover of his deck, Mr. Gardner noted, "Cyber risk is not a technical issue, but an enterprise issue." That means IT security decisions must be made in the CEO's office and the boardroom. He underscored that theme with the slide "Executive cyber risk dilemma":
Get attacked, lose data, and lose shareholder confidence.
"You are constantly considering factors affecting earnings, free cash flow and P/E multiples, as well as reputation and brand erosion," he said.
This applies to the health care industry, as malpractice takes new forms with data breaches, theft of personal data, and data loss.
Michael Johnson, CISSP and Senior Project Manager at North Shore-Long Island Jewish Health System, the third largest in the nation, spoke about being in the trenches and overhauling the legacy-era IT systems of its 16 hospitals. He said, "You have to take a holistic approach to cybersecurity. You must understand people, process and technology." With a diagram of four cardinal points around a bear trap labeled "Risk," he discussed the importance of Gap Analysis, Evaluate, Prioritize, and Remediate. And once you have figured out these critical items, he said, "You must know your metrics."
He said there is a mix of "standards and regulations that overlap in the medical industry. The lines between compliance requirements, such as the HIPAA Ombudsman and PCI and card brand rules, are blurring."
He concluded his presentation by listing 20 security requirements. Speaking from the medical trenches of data loss prevention and compliance, he focused the forum on the challenges that lie ahead for the healthcare industry.
In his wrap-up presentation, "Where do we go from? Best practices to Secure PHI, Secure and Maintain Compliance," Gorge argued that it will take a combination of the best cybersecurity tools and security eLearning to turn the tide against the myriad hacks and breaches that occur every day.
As I moderated Q&A with the speakers and audience, I asked Mathieu Gorge, "What are your thoughts on Apple and Facebook recently being hacked?"
"I think it's unavoidable for organizations of that type to be targeted by hackers. What is worrying is the fact that some of them still fall for basic technical attacks or for social engineering attacks. This begs the question as to whether they are properly looking at security awareness," he said. "Unfortunately, in 2013 we can expect more of the same. The security awareness issue needs to be taken into the boardroom so that C-level executives take corrective and mostly pre-emptive corrective action."