Texas Assisted Living Association 2019 Conference


1 Texas Assisted Living Association 2019 Conference

2 Cyber Threats— Are You Ready?

3 Headline News

4 The Cyber Threat
Cyber attacks are widespread, systemic and difficult to detect. Companies in regulated industries, or that hold proprietary technology, sensitive customer data, or intellectual property, are most at risk.

5 Who’s Doing the Hacking?
Outsiders:
- Financially motivated cybercriminals
- “Hacktivists”
- Hackers for hire
- Nation-state-supported actors
The malicious insider

6 Categories of Attack
- Theft of Trade Secrets/Economic Espionage
- Theft of Consumer and Financial Data
- Data Destruction/Disruption of Operations
- Website Defacements

7 Methods of Attack
- Exploitation of Network Vulnerabilities
  - Mismanaged computer systems
  - “Zero-day” vulnerabilities
- Social Engineering
- Physical Devices
- DDoS Attacks
- Misuse of Permissions

8 Healthcare is a Sizable Portion of All Breaches
Health care, with 16 percent of breaches, continued to be particularly vulnerable to physical breaches, although malware and hacking breaches are starting to increase as the sector’s transition to electronic medical records progresses. The most vulnerable information in health care was medical information, such as patient records, and Social Security Numbers.
Source: California State AG Data Breach Report 2016

10 Key Consequences of a Hack
Governmental Inquiries
- OCR
- State Attorneys General
- DOJ/SEC/FTC/FDA . . .
Litigation
- Class Actions/Consumer Litigation
  - Negligence and negligent omission
  - Invasion of privacy
  - Breach of contract
- Shareholder Derivative Demands
  - Breach of fiduciary duties
Loss of Competitive Advantage/Reputational Harm
Costs of Responding to an Attack

11 How to Minimize and Respond to a Cyber Attack
- Pre-Breach Preparation
- Incident Response Framework

12 A Global Approach to Cyber Risk
- Develop and implement a comprehensive information security plan.
- Can’t do piecemeal – coordinate to avoid weak points.
- Must address internal and external threats, both human and technical.
- Plan must be customized to the organization’s business operations.
- Once implemented, the plan should be reviewed and updated regularly.
- There should be clear lines of communication and authority for cyber security within the organization.

13 Cyber Risk Assessment
- Identify internal and external threats.
- Review the computer network and identify/assess vulnerabilities. For example:
  - Are software patches applied in a timely fashion?
  - Is the network adequately segmented?
  - Are access controls sufficient?
  - Is data encrypted where necessary?
  - Are network logs appropriately detailed and maintained?
  - Is the network topology map up to date?
- Review vendor relationships (esp. data storage vendors). For example:
  - Do they have cyber risk protocols?
  - Do my clients require me to have cyber risk protocols?

14 Anatomy of a Modern Cyber Attack
Credit: CyberSecurity Insights, Eija Paajanen, 5/22/2017

15 A Closer Look at the Mechanics: The Target Attack
- Reconnaissance
- Phishing
- Control
- Exfiltration

16 Cybersecurity: Phishing

17 Attack!! What Now?

18 The Clock Starts Ticking …
WHAT TO DO IN THE FIRST 24 HOURS
- Record the date and time
- Alert Team
- Contain the breach
- Engage legal counsel
- Document everything
- Activate Response Plan
- Bring in Forensic Team
- Contact Law Enforcement

20 Duty to Warn – State: Data Breach Notification Laws
48 states require private entities to notify individuals of security breaches of information involving “personally identifiable information”
PLUS
Laws specify notification requirements including:
- Recipients
- Content
- Timing
- Form
- Identity theft prevention and mitigation services

21 Duty to Warn – Federal: Federal Breach Notification Laws
- HIPAA/HITECH Breach Notification Requirements
- FTC Health Breach Notification Rule

22 Duty to Disclose Cyber Risks – SEC
Generally, the SEC requires companies to report “material” events or risks to shareholders. Materiality depends on what a reasonable investor would consider important to an investment decision. “Registrants should disclose the risk of cyber incidents if these issues are among the most significant factors that make an investment in the company speculative or risky.” (SEC Disclosure Guidance Topic No. 2 (Oct. 13, 2011).)

23 Healthcare Leads Data Breach Costs
Source: Ponemon Institute 2017 Cost of Data Breach Study: United States

24 Final Thoughts
- Cyber security is a business risk, not an “IT problem.”
- It must be managed and mitigated like any other risk.
- Think in terms of compliance.
- This is a long-term process.

25 Speakers
- Edward P. Jones, Chief Compliance Officer, Third Rock, Incorporated
- Ana E. Cowan, Senior Counsel, Husch Blackwell LLP
- Deborah C. Hiser, Senior Counsel, Husch Blackwell LLP
- Thomas Brown

