Massive Amounts of Identity Data

• The most important reason for insurance firms to have top-notch cybersecurity capabilities is that insurance firms by nature collect and store massive amounts of personal, identifying data from their customers.
• This information ranges from the basic, like social security numbers and addresses, to the more complex, like health records and payment data.
• In a survey of insurers, 62% reported that "data leakage or data loss prevention" was a high priority for their firm.
• Additionally, 64% of insurers surveyed reported that "customers’ personal, identifiable information is the most valuable information to cyber criminals."
• In most known security breaches at insurance companies, this personal customer data has been obtained, including the breach of a US health insurer in July 2016 where 3.7 million customers and health care providers had confidential data stolen, a breach of a different health insurer in 2015 where the personal data of 78 million users was obtained, or another IT breach of a different insurer in 2015 where identifying data for 1.1 million members was compromised. These are just some of many examples.
• If consumer data is compromised, consumer confidence in the insurance brand is damaged and there can be severe financial consequences.

Widespread Use of Third-Party Partners

• Insurance firms also make use of many third-party partners like subrogation vendors, law firms, and other business partners.
• As such, insurance firms must not only make certain their cybersecurity programs are state of the art, but also that those of any third party vendors they utilize are on-par. In the words of the experts, "even the most sophisticated insurance company spending hundreds of thousands of dollars on cybersecurity are only as secure as the weakest subrogation vendor or law firm they utilize."
• Currently, this does not seem to be happening. When surveyed, only 41% of insurance companies stated that they held their partners to "the same cybersecurity standards as they do their own business."
• If a data breach were to happen within one of an insurance firms business partners or contractors, the fallout in terms of business reputation, consumer trust, regulatory fines and financial losses could be the same as if the breach occurred at the insurance firm itself.
• Just in January of 2019, a third party vendor of HSBC Life Insurance was breached, Humana insurance was breached via a business partner, and Highmark BCBS, Aetna, Humana, and United Health were all breached due to their use of a third-party administrator.

Increased Regulatory Requirements

• In order to remain in compliance with regulation, insurance companies must have more cyber security protections than required for many other industries.
• One regulation specific to the US is the 23 NYCRR Part 500, a mandatory regulation established by the New York State Department of Financial Services (NYDFS) requiring "covered entities to calibrate their cybersecurity programs by using periodic risk assessments to determine criteria to identify, evaluate and mitigate risks by establishing appropriate controls and technological developments."
• All health insurers in the US are regulated under HIPAA laws.
• Additionally, many of the top US insurers like AIG, Berkshire Hathaway, MetLife and The UnitedHealth Group all work internationally, including in the European Union. Therefore, these insurers must also comply with EU General Data Protection Regulation (GDPR), which has strict data protection requirements.
• Failure to comply with these regulations can result in regulatory fines, especially if data was found to have been compromised.
• Experts have stated that "regulation is one of the key differentiators driving cyber insurance uptake in different geographic regions."

Research Strategy

General Data Collection & Use by Insurance Companies

• Insurance companies collect data on the insured, and use this information to inform the costs of insurance. These companies collect data like: occupations, levels of education, and credit scores – which, in turn, significantly impact the premiums they may pay.
• Some states, like California and Massachusetts for example, have passed laws limiting the information insurance companies can collect and/or use to inform policy cost decisions.
• Although many consumers believe they have the same protections from their insurance companies as they do for their financial institutions, this is not typically the case. Insurance laws vary from state to state, and most “are incomplete by virtue of the fact they do not state the specifics of what must be disclosed,” which leaves plenty of room open for the companies to make their own rules.
• Most “consumers don’t know a database of insurance information is continuously collected on them,” or that it is routinely and widely shared within the industry.
• Insurance companies collect a wealth of private information from the insured (or potentially insured), including: “credit reports, the market value of your home, age, marital status, education, and in the case of a life insurance policy, the status of your health.” Most of these companies have more information on the average person than “legal authorities can often obtain,” without the need for pesky things like warrants.

Homeowners’ / Renters’ Insurance

• To register for homeowners’ or renters’ insurance, individuals must submit personal information, like birthdates and social security numbers, the address of the home, information on the home (cost, size/dimensions, mortgage information – which means financial info), and information on current conditions of the home (including amenities) and whether any renovations or repairs have been done on the home.
• To cover items within the home, listings with descriptions and pictures must also be submitted.

Auto, Boat, Recreational Vehicle Insurance

• To register for auto, boat, or recreational vehicle insurance, individuals must submit various information to insurance companies, including: vehicle information, names of all drivers to be covered, current coverages/limits, as well as personal information, including social security numbers and driver’s license numbers for all potential covered members. Additionally, individuals must submit to a driving history and potential background checks.

Life Insurance

• To register for life insurance, individuals must submit personal information (again – birthdate, social security number, etc), current and past health history information, as well as information on income and assets.

Importance of Protecting the Data

• The primary reason for protecting personal insurance information, which includes most importantly birthdates, social security numbers, driver’s license numbers, and financial information, is the same as it would be for any industry: to avoid identity theft and the fraud that follows.
• Hackers have identified the wealth of private data collected by insurance companies, and in the last few years, data breaches of these companies have been on the rise, largely because they know “the insurance industry as one which handles extremely sensitive information,” and that it “has yet to put in place few measures to effectively safeguard itself and its customers from cyber-attacks.”

Research Strategy

1: Phishing Mail

• According to a 2019 report by EIOPA, phishing mail is among the most common cybersecurity incidents that are affecting insurers, with the term 'cyber incident' being defined as an event that "jeopardizes the cyber security of an information system."
• Phishing mail works by directing unsuspecting users to a website that mimics that of the legitimate organization and then asks the user to update their credentials and personal identity information.
• In September 2019, it was reported that a major phishing scam was affecting the U.S. insurance industry, as cyber criminals were posing as the National Association of Insurance Commissioners while sending fake emails to insurance industry personnel encouraging them to click on a dangerous download.

2: Malware Infections (Ransomware)

• According to a 2019 report by EIOPA, malware is among the most common cybersecurity incidents that are affecting insurers.

• Ransomware blocks a user's access to their own personal data and threatens to publish it unless the user pays a ransom.
• Chicago-based Stradley Ronan published a 2017 report on cyber attacks that target the insurance industry which noted that ransomware is "the fastest-growing malware across all industries" due to the fact that "little expertise is needed to launch the attack."

3: Denial of Service (DDoS)

• According to a 2019 report by EIOPA, DDoS attacks are among the most common cybersecurity incidents that are affecting insurers.
• A DDoS attack enables a hacker to shut down an online service by "overwhelming it with traffic from multiple sources."
• Chicago-based Stradley Ronan notes in their 2017 report on cyber attacks targeting insurers that DDoS attacks are a top risk for the industry.

Research Strategy

The New York Cybersecurity Regulations

• Established by the New York Department of Financial Services (NYDFS), the New York Cybersecurity Regulations applies to insurance companies, banks, and other financial institutions. The regulation went into effect on March 1, 2017.
• The regulations affect “covered entities,” operating under the New York laws governing the banking, insurance, or financial services sectors. The NYDFS developed the regulation to establish adaptable and flexible compliance standards that would allow businesses to assess their risks and implement cybersecurity programs.
• The New York Cyber Regulation uses the risk-based approach versus the complex standards-based approach. It has also set the tone for the development and enactment of new laws and regulations, nationally.

The NAIC Insurance Data Security Model Law

• In 2017, the National Association of Insurance Commissioners (NAIC) also approved the Insurance Data Security Model Law, dubbed as "the Model Law," which establishes compliance standards for data security, investigation, and reporting to the insurance commissioner.
• The standards demand covered licensees to create cybersecurity systems, perform cybersecurity testing, and establish incident response programs for reporting breaches. This law shares several aspects with the New York Cyber Regulation; however, the two are not identical.
• According to the Model Law, the board of directors or a committee consisting of the board of directors is responsible for creating, implementing, and maintaining the information security program.

The South Carolina Data Security Act

• In May 2018, South Carolina became the first state to implement the Model Law, as The South Carolina Data Security Act., which became effective on January 1, 2019, and is nearly identical to the Model Law.
• The South Carolina version mandates licensed insurers to implement a detailed written information security program following a self-performed and compulsory risk assessment. The law further demands insurers to submit annual compliance statements.
• Moreover, insurers are also required to develop incident response programs and report to the Director by following stringent reporting and response procedures in the event of a cybersecurity breach. The law also sets the minimum requirements for the board to oversight the information security program.

The Ohio Insurance Data Security Law

• The Ohio Insurance Data Security Law also borrows from the NAIC Model law, with a few modifications. It became effective on December 19, 2018, when Ohio Governor, John Kasich approved Senate Bill 273. The new law necessitates the need for insurance entities and agents to protect policyholder data.
• It also requires all Ohio licensees under the state’s insurance laws to create written information security programs (WISPs), unless exempted. They must also implement cybersecurity programs to protect business and individual data from cybersecurity breaches. Equally, these entities must establish response plans in the event an attack occurs.
• The response plan includes investigating the breach and reporting the event, along with other relevant details to the state's Department of Insurance. The licensees must also notify the affected parties, i.e., businesses, stakeholders, customers, etc.

The Michigan House Bill 6491

• The Michigan House Bill 6491 was enacted on December 28, 2018, making Michigan the third state to implement a law based on the NAIC Model Law. The Michigan Bill is expected to become effective on January 20, 2021.
• Research findings indicate that the Michigan Bill is almost identical to the South Carolina Bill; however, the former gives licensees ten business days versus 72 hours by the latter to determine and notify the state regulator of a cybersecurity attack.
• The Michigan law requires insurance businesses to provide a detailed WISP, submit certification of compliance statements annually, and annual regulatory reporting to the Department of Insurance and Financial Services, along with notifying the department in case of a breach.

Research Methodology

Meeting Compliance Standards — Insurance Industry

1) NYDFS Cybersecurity Regulations

• The US financial services companies and banks had until March 1, 2019, to modify and create processes that ensure their compliance with the NYDFS Cybersecurity Regulation.

• To ensure that the 1,400 insurance companies regulated by the New York Department of Financial Services (NYDFS) abide by cybersecurity regulations, the NYDFS monitors their compliance.

•  Technical providers like OneSpan, a multi-factor authentication system, are already being used by insurance companies like American National, 21st Century Insurance, Country Financial, and AAA Carolinas, to comply with the NYDFS Cybersecurity Regulation.

• As of December 2018, NYDFS reported that they received approximately 1,000 reports of cybersecurity events from regulated institutions, which complies with the Cybersecurity Regulation requirement that "regulated entities and licensed persons submit notices to the Department of cybersecurity events as defined in the regulation to include both successful and certain unsuccessful attempts."

• The first certification deadline by the NY Department of Financial Services for their Cybersecurity Regulations last February 15, 2018, was "successful and provided DFS with information from which we have been working to improve our processes."

2) The NAIC Insurance Data Security Model Law

• As of August 2019, eight US states have adopted the NAIC Insurance Data Security Model Law, which includes South Carolina, Ohio, Michigan, Mississippi, Alabama, Delaware, Connecticut, and New Hampshire, with Nevada and Rhode Island to follow their legislation enactment.

• Although there are differences between the NAIC Insurance Data Security Model Law and the New York Cybersecurity Regulations, the drafters of the NAIC Model "included a drafting note indicating that a company that complies with the New York Cyber Regulation is also in compliance with the Model Law."

• To comply with the NAIC Insurance Data Security Model Law, different insurance companies across the United States such as AIG, State Farm Group, and Liberty Mutual, continue to hire chief information security officers who are responsible for their cybersecurity programs and implementation of their cyber risk management required by the Model Law for compliance.

3) The Michigan House Bill 6491

• Michigan House Bill 6491 was enacted on December 28, 2018, as the state's cybersecurity law applicable to insurance companies. Its effective date will not be until January 20, 2021.

• The House bill was based on the NAIC Insurance Data Security Model Law, aside from significant differences which include changing of the breach notification deadline from 72 hours, based on NAIC's Model Law, to 10 days in Michigan; and NAIC's exemptions of smaller licensees with fewer than 10 employees and independent contractors, into fewer than 25 employees and independent contractors in Michigan.

Research Strategy:

Emergence of New Cybersecurity Laws

• Insurers in the country are hastening to comply with new state cybersecurity-related laws, as more and more states adopt the Insurance Data Security Model Law of the National Association of Insurance Commissioners (NAIC). Composed of insurance regulators from the country's states and territories, the NAIC is the organization that sets standards and regulations for the country's insurance industry.
• Enacted in October 2017, the Insurance Data Security Model Law serves as a guide for states to follow when they draft cybersecurity-related bills. Quite similar to the cybersecurity rules enacted by the New York Department of Financial Services on March 1, 2017, it establishes the standards for both data security and "the investigation of and notification to the commissioner of a cybersecurity event."
•  South Carolina was the first state to adopt the model law. Its South Carolina Insurance Data Security Act became effective on January 1, 2019.
•  Michigan and Ohio have also enacted their own versions of data security laws for insurers. As of April 5, 2019, there were five states, including Connecticut, Mississippi, and New Hampshire, that were acting on the new model law.
• In general, the model and state data security laws obligate insurers to document and implement information security programs, conduct complete risk assessments, and establish incidence response plans. They also require insurers to notify state insurance commissioners of cybersecurity events within the specified notification period (e.g., 72 hours or 10 business days).
• To prevent unauthorized remote access to their information systems, insurers are required to adopt multi-factor authentication. Other security measures stated in the NAIC model law include non-public information encryption on portable devices and during transit, audit trails, intrusion detection mechanisms, disaster recovery plans, business continuity plans, data retention plans, and data disposal plans.

Emergence of AI-Enabled Cybersecurity Solutions

• Cybersecurity solutions that are enabled by artificial intelligence or machine learning are emerging in the country's insurance industry.
•  Current applications of these solutions include predictive analytics for the detection of suspicious network behavior and malware, advanced visualizations for incoming threats and network cybersecurity, and anomaly detection.
•  Aetna is one example of an insurer that has implemented a machine learning-enabled security system for its mobile and web apps. By examining how and where users use devices, the behavior-based security system provides another layer of protection apart from passwords and fingerprints.
• AXA, a global insurer with operations in the United States, has partnered with Darktrace, a cybersecurity firm whose products are largely enabled by machine learning.
•  Forty percent of insurers in the country are investing in artificial intelligence, machine learning, and automation technologies, while 80% of insurers believe that advanced technologies are crucial in ensuring cybersecurity.

Emergence of Data Breaches as Most Important Risk

• The prevention of cyber attacks and data breaches has become the most top-of-mind emerging risk among insurers in the country. Focus has shifted from natural catastrophes and climate change to cybersecurity and data breach.
•  Sixty percent of insurers have identified cybersecurity and data breach as the most important emerging risk. Only 20% of CEOs in the industry consider their companies prepared in case of a cybersecurity event.
• The key cyber risks that insurers currently face include infrastructure vulnerabilities, identity theft, automated threats (e.g., credential cracking, denial of service, and vulnerability scanning), systemic infection due to a malicious code, and lawsuits. Typical threats relate to data theft, resource availability, and resilience, while less common threats include ransomware attacks and account takeovers.
• Given the massive amounts of financial and personal data that insurers handle, insurers are unsurprisingly viewing data breaches as the top emerging risk or threat.
• There is now increasing pressure on insurers to deliver both security and privacy by design, digitize, and leverage cloud and insurtech innovations.

Research Strategy

First American Title Company

• First American Financial Corporation accidentally exposed personal data of its customers by failing to secure unique URLs to the data properly, allowing anyone to access the information by entering the right URL into a web browser.
• The world's second-largest reported data breach exposed 885 million customer records, including financial and tax records, Social Security numbers, bank account numbers, and drivers’ license photos.
• A study conducted by the Ponemon Institute in 2018 estimated the average cost to the company per stolen record to be about $150, so this breach is likely to cost First American as much as $132.75 billion ($150 * 885 million = $132.75 billion) in the coming years.
• First American appeared to severely downplay the severity of the security breach, first saying that only 484 customer files have been affected by the breach, and stating a few months later that it "identified just 32 consumers whose non-public personal information likely was accessed without authorization."

Premera Blue Cross

• An attack on Premera Blue Cross, which began in May 2014 and was reported by the company in March 2015, exposed data on customer claims, including clinical information, banking account numbers, social security numbers, birth dates and other personal information.
• The attack exposed private records of over 11 million customers, who were mostly Washington state residents.
• In 2019, Premera agreed to pay $74 million to settle a consolidated class action lawsuit related to the breach.
• Premera first reacted by admitting that the breach occurred, but stating that it did not find "evidence that the stolen information has been used for malicious purposes".

Ameritas

• Ameritas announced in 2019 that a phishing scam has affected several of its employees, exposing the personal information of some customers.
• The company did not disclose how many customers were impacted by the breach, nor the financial cost incurred, only saying that it would disclose the information in the final notification to authorities.
• Ameritas responded by immediately disabling access, deploying a company-wide password reset, and hiring Kroll Associates, a risk-consulting firm, to investigate the incident.

Anthem Inc.

• Health insurance company Anthem Inc. was affected by a data breach in which hackers stole customers' personal data, including names, birthdays, medical IDs, social security numbers, street addresses, e-mail addresses and employment information,
• The affected database contained up to 80 million customer records, but it did not contain credit card or medical information, according to the company.
• One estimate suggested that the cost of the breach would very likely surpass $100 million, the amount covered by Anthem's cyber-crime insurance policy.
• The company publicly apologized to customers, hired a top cybersecurity firm to investigate the breach, and said it would focus on improving security policies.

Executive Summary

• Following is an Executive Summary of the Cybersecurity Analysis of the Insurance Industry;

The Energy and Utilities Industry is a Critical industry

• The energy and utilities sector is considered to be one of the "most critical infrastructure in the world" and extremely pivotal to a well-functioning economy, especially in advanced countries.
• According to the United States government, the energy and utilities sector is one of the 16 vital infrastructure sectors whose destruction or incapacitation will have adverse effects on national security and public health and safety.
• The power sector of the energy industry is considered to be the single most critical sector that enables functions across all important infrastructure sectors. If the power grid system is subjected to cyberattacks, power will go out, bringing many critical day-to-day operations to a total standstill.

The Industry is the Most Vulnerable Sector to Cyber Attacks

• The energy and utilities industry is also vulnerable to cybersecurity attacks. According to a UK survey, 75% of utility companies have experienced cyber attacks, with every single attack requiring an average of $156,000 to clean up.
• Being a critical sector opens this sector to frequent attacks with far-reaching impacts even beyond the energy sector.
• In the US, the energy sector is among the three industries highly susceptible to cyberattacks, with the sector accounting for 20% of cyber breach incidents in 2016. According to the US Energy Secretary, attempted cyber intrusions in electric companies happen hundreds of thousands of times a day, with cyberattacks on the North America electric grid increasing in early 2018.
• The vulnerabilities stem from the sector's reliance on complex supply chains that are difficult to manage. The utility workforce is also massive and mostly works remotely or on-site, giving cybercriminals an avenue of impersonating them, gaining access to sensitive customer data, and sending phishing emails to customers.
• Another factor accelerating the energy sector's vulnerability to cyberattacks is grid modernization. While grid modernization and digitization has immense benefits to the industry, smart grids open up the attack surface to give attackers quite a number of routes to enter the grid system.
• Smart grids also introduce commonly used applications and software and also automate functions at the interconnected grid system. This makes the grid more vulnerable and presents many entry points for hackers.
• The energy and utilities sector is a critical industry whose compromise has far-reaching consequences. Coupled with the increasing vulnerabilities to cyber and phishing attacks, these are top reasons why cybersecurity is important to energy and utilities industry firms.

Cybersecurity Reduces the Cost of Data Breaches

• The financial costs of cyber attacks are astronomical. According to Jason Staggs, from the University of Tulsa, it only takes a single attack on a single system that is transmitted throughout the larger power infrastructure to bring all operations to a stop.
• In the case of a wind farm, hackers only need entry from one single point to spread a malicious attack throughout the wind farm.
• Staggs, from his prior ethical hacking experience into wind farms, noticed that when a wind farm ceases to work due to cyberattacks, it will cost the utility company between $10,000 to $35, 000 per hour. 
• The costs of a data breach on energy companies are directly proportional to the market size of the firms, i.e., the more significant the market size, the more losses a firm makes due to malicious attacks.
• According to a detailed analysis of the cost of cybercrime in the US by Accenture, the utilities industries has the second-highest annual costs of cybercrimes of all 16 analyzed sectors at $17.84 million in 2018, representing a 16% increase from 2017.
• The cybercrime costs in the energy industry are also relatively high, standing at $13.77 million in 2018 from $13.21 million in 2017.
• Given the massive losses the energy and utilities sector can incur in the event of cybercrime, this is a top reason why cybersecurity is important for energy and utilities industry firms.

1: Consumer Payment Information

Description of Data:

• According to information management expert, Gorkem Sevik, energy companies hold a lot of customer data, including payment information.

• This type of data is often stored in multiple locations, such as CRM systems, operational systems, and big data environments.

Why Protection of this Data is Vital:

• A breach of customer payment information can potentially enable hackers to gain access to a customer's bank account and can also be very costly for a company to rectify as well as damaging to their reputation.  
• For example, in 2013, Central Hudson Gas & Electric experienced a data breach that may have allowed hackers to access customers' auto-pay bank account data. The breach affected about 110,000 customers and subsequently required the company to provide each of them a "full year of complimentary credit monitoring."

2: Data Related to Cyber-Physical Systems

Description of Data:

• According to a report published by the U.S. government, cyber-physical systems related to the U.S. energy sector are "engineered systems that are built from, and depend upon, the seamless integration of computational algorithms and physical components to generate, move, and distribute electricity efficiently."
• An industrial control system (ISO) is one example of a cyber-physical system that the U.S. energy industry depends on. ISOs allow equipment to be physically operated through the use of digital controls.

Why Protection of this Data is Vital:

• Cyber-physical systems have replaced systems that were once operated manually, which has made these systems increasingly vulnerable to attack, according to the U.S. government.
• Additionally, because of the way ICS integrates with information and operational technologies, these networks "can become less secure over time," the government report states.
• When hackers infiltrate cyber-physical systems, they can deposit viruses and malware that can disrupt the operations of these highly critical systems, which ultimately may lead to very costly consequences.

3: Data That May Help Facilitate Future Attacks

Description of Data:

• According to industry experts, hackers who target energy companies are rarely doing so for the purposes of data theft (which is instead the primary goal of hackers who target retailers). Instead, utility and energy hackers are primarily focused on reconnaissance.
• In this case, reconnaissance means that "the hackers are checking to see what systems they can breach, the type of information they could access, and where the vulnerabilities are; they can then store away the knowledge for an attack at a later date."
• According to Ankura, during the reconnaissance stage, hackers aim to compile as much information as they can about their target. The types of information they are looking for include personnel lists, information about the network structure, and identifying system vulnerabilities that can potentially be exploited.

Why Protection of this Data is Vital:

• Ankura notes that attackers use the information gathered at the reconnaissance stage of the attack to help them decide on the best method of compromising their target.

• A logical assumption can be made that protecting this type of data is important when it comes to warding off and defending against future attacks.

4: Proprietary Information

Description of Data:

• By definition, proprietary information is "information that is not public knowledge" and is seen as "the property of the holder."
• Proprietary information may include things like trade/company secrets, test results, ad financial data.

Why Protection of this Data is Vital:

• A 2018 article published in the New York Times notes that energy companies tend to have a lot of proprietary information, including data about their exploration and production technologies, which makes energy companies a key target for hackers looking to take advantage of this type of information. Exposure of these types of details can subsequently lead to a compromise of vital equipment such as control valves and pressure monitors, which can have drastic consequences which as "explosions, spills, or fires," according to cybersecurity expert, Andrew R. Lee.

• A logical assumption can be made that theft of a company's proprietary information can also hurt a company's ability to compete in a market by exposing secret information that is critical to the company's growth and success.
• While most data breaches and cyber attacks go unreported, there has been at least one reported case of a U.S. energy company (name undisclosed) that has had proprietary information stolen.
• Another example is that of Tevent Canada (a close neighbor of the U.S.), in which hackers stole proprietary information about one of the company's products under development. It can be logically assumed that this was quite a costly loss given that the product focused on highly advanced technologies (smart-grid system integrations).

5: Credentials of System Users

Description of Data:

• According to Technopedia, 'credentials' are used for identity verification and authentication. They confirm a user's identity as it relates to the system or network they are using.
• IBM defines a 'user credential' as a "user name and password authentication token that is bound to a particular user."

Why Protection of this Data is Vital:

• According to a 2019 report published by Ankura, most cyber attacks involve the hacker compromising user credentials during the initial system compromise. This is done after the attacker has vetted the most vulnerable system they want to attack (which they do during the reconnaissance stage, discussed above). Therefore, user credential data protection is vital because this data is the primary method used by hackers to initially compromise, or break into, a system.
• In 2017, the Department of Homeland Security and FBI sent an alert to the energy industry warning that "‘advanced, persistent threat actors,’ a euphemism for sophisticated foreign hackers, were stealing network login and password information to gain a foothold in company networks."
• According to a 2018 survey of utility companies, 84% said they "believe employee actions to be the most common reason for cyber attacks."

Research Strategy

Electric Grid Modernization

• There are many benefits of modernizing the grid; however, modernization gives hackers more routes they can use to attack utility systems.
• Grids are becoming smart due to the devices and information and communication technologies that are embedded in them. As a result, the systems become complex and access points increase in number.  
• Utilities today are now adding information technologies, software, and automated functions in their operations. Consequently, the accessibility of their systems to adversaries has increased as modern electric grids utilize the internet for various functions.

Supply Chains and Third Parties

• Power companies buy information, software, hardware, and services from various third parties around the world. As a result, threat actors can add compromised components in a network or systems. These inclusions could be done by design or unintentionally.
• For instance, “backdoors” that provide access to devices or software could be created either intentionally or unintentionally.
• The addition of such components could be done through software updates or firmware that can be exploited to include malicious codes. Moreover, the hardware installed in operating systems can also be compromised by adversaries.
• According to the Department of Energy (DOE), several prominent vendors fail to acknowledge and address the vulnerabilities in their software.

Industrial Control Systems (ICS)

•  According to the DOE, industry professionals and cyber researchers have always identified ICS-related equipment vulnerabilities as being a threat to utility systems.

• Devices that function or communicate with utility control systems pose threats to the electric grid.
• A lot of automation components such as programmable logic controllers that function through microprocessors have specific software programming and management capabilities of network paths. These devices continue to be a target of cyber-attacks since they give access to control systems.
• Public tools such as SHODAN, a search engine that identifies internet-connected devices such as industrial control system components, makes these devices discoverable, which gives attackers an upper hand in finding and remotely probing a utility’s supervisory control and data acquisition system for weaknesses.

Energy Policy Act

• In 2005, the Energy Policy Act authorized the Federal Energy Regulatory Commission (FERC) to oversee the dependability of the nation’s power grid or bulk power system. The FERC is also responsible for approving cybersecurity and reliability standards.

• The FERC certified the North American Electric Reliability Corporation (NERC) with the task of developing the Critical Infrastructure Protection (CIP) standards that focus on cybersecurity reliability requirements.

NERC's CIP Standards for Cybersecurity

• Approved in January 2008 by the FERC, NERC’s CIP standards are set in place to be complied with by all cybersecurity professionals and firms that work within the energy and utilities industry in the United States.

• With the rise in cybersecurity attacks on the nation’s electrical power grid over the years, NERC has been continually revising the CIP compliance standards to curb sophisticated external threats. In response to cyber-attack campaigns such as Dragonfly 2.0, Triton, and Industroyer, the NERC introduced new versions (version 5 and version 6) of the CIP standards that classify cyber assets by low, medium, and high impact. It was found that most of the nation’s generating power stations are classified as low impact assets.
• The CIP compliance standards, as of November 2018, that are currently required in the energy and utilities industry in the United States are listed below.

CIP-002-5.1a: BES Cyber System Categorization

• This compliance standard requires professionals in the energy and utilities industry to categorize and identify Bulk Electric Systems (BES) cyber systems along with the BES cyber assets associated with the systems "for the application of cybersecurity requirements commensurate with the adverse impact that loss, compromise, or misuse of those BES cyber systems could have on the reliable operation of the BES".
• The compliance also states that the categorization and identification of BES systems are found to support suitable protection against threats that could result in causing instability or misoperation in the BES.

CIP-003-6: Security Management Controls

• According to this compliance standard, all professionals working within the energy sector would have to specify sustainable and consistent security management controls that initiate accountability and responsibility to safeguard BES cyber systems against threats that could result in causing instability or misoperation in the BES.
• Cybersecurity leadership, policy, access control, exceptions, information protection, configuration management, and change control are aspects that are included in CIP-003-6. However, it was found that adherence to the sub-requirements in place under this compliance varies by impact rating, the criticality of cyber assets, and organization.

CIP-004-6: Personnel and Training

• This compliance standard states that each entity working within the energy and utilities industry in the United States must ensure a suitable degree of personnel training, security awareness, and risk assessment in the support of securing BES cyber systems.
• The CIP-004-6 necessitates that every professional having access to critical cyber assets must have an appropriate level of personnel assessments in terms of risk and awareness. The compliance also requires organizations to update, review, and document any/all training programs every year.

CIP-005-5: Electronic Security Perimeters

• This compliance standard requires organizations/companies/professionals within the energy sector to manage BES cyber systems' electronic access by identifying a controlled Electronic Security Perimeter in order to protect BES cyber systems against threats that could result in causing instability or misoperation in the BES.
• This standard focuses primarily on the efforts to curb vulnerabilities that are experienced during remote access. The electronic security perimeter includes components such as multi-factor authentication, patch updates, remote session encryption, anti-malware updates, and the use of EAP (extensible authentication protocol).

CIP-006-6: Physical Security of BES Cyber-Systems

• In compliance with the CIP-006-6, all entities within the energy sector are required to specify their physical security plan to manage the physical access to any/all BES cyber systems. The goal of this compliance standard is to develop preventive controls that target the protection of access to cyber assets.
• Requirements under the CIP-006-6 include a security plan (physical), maintenance, testing, log retention access, physical access logging, physical access monitoring, physical access controls, the security of electronic access control units, and protection of physical access control units.

CIP-007-6: System Security Management

• This compliance standard entails all organizations within the energy sector to identify select operational, procedural, and technical requirements in the support of managing BES cyber systems. Under this compliance, organizations are required to develop, execute, and maintain procedures and processes for securing systems for non-critical and critical cyber assets.
• Entities working within the energy and utilities industry must also document all security measures such as records of ports and services, test procedures, malicious software prevention, and security patch management.

CIP-008-5: Incident Reporting and Response Planning

• The CIP-008-5 necessitates "mitigation of the risk to the reliable operation of the BES as the result of a cybersecurity incident by specifying incident response requirements". According to this standard, every security incident that is related to critical cyber assets must be determined, categorized, responded to, and reported in an appropriate form required by the NERC.

CIP-009-6: Recovery Plans for BES Cyber-Systems

• This compliance standard requires the reliability functions that are executed by BES cyber systems to be specified via a recovery plan in the "support of the continued stability, operability, and reliability of the BES".
• According to this standard, all critical cyber assets must include recovery plans that line up with the operations of the energy organizations and are coherent with the best practices of disaster recovery. Aspects such as recovery plan, backup process, change control, restoration processes, and media testing are the requirements of this standard.

CIP-010-2: Configuration Change Management and Vulnerability Assessments

• The CIP-010-2 standard states the requirement of detecting and preventing unauthorized system changes to BES cyber units by identifying vulnerability assessment and configuration change management requirements.

CIP-011-2: Information Protection

• This compliance standard essentially requires organizations to avert unauthorized access to any BES cyber systems data by identifying information protection requirements. Applicable systems under this standard include high impact BES cyber systems, medium impact BES cyber systems, electronic access control systems, physical access control systems, and protected cyber assets.

CIP-014-2: Physical Security

• This compliance's purpose is to determine and protect transmission stations, substations, and all their corresponding primary control centers when they have been damaged or rendered inoperable from a physical attack. These attacks may result in cascading within a certain interconnection, uncontrolled separation, and instability of the system.
• According to this standard, every transmission station/sub-station owner must perform initial risk assessments such as a transmission analysis and subsequent risk assessments on a monthly and bi-monthly basis.

North American Electric Reliability Corporation (NERC)

• The North American Reliability Corporation (NERC) is an international regulator for the energy grid with jurisdiction in the U.S., Canada, and some Northern parts of Mexico.
• Its main mission is to efficiently reduce the reliability and security risks attached to the energy grid.
• To achieve this mission, NERC develops reliability standards and enforces them on the companies belonging to the energy sector.

Critical Infrastructure Protection (CIP) standards

•  11 cybersecurity compliance standards have been developed by NERC to be applied to the Energy & Utilities Industry.
• These standards are all subject to enforcement by the NERC, and sanctions can be issued in case of non-compliance.

CIP standards violations

• Despite these cybersecurity standards being subject to enforcement, some of the largest companies in the U.S. energy and utility sector have been found to repeatedly violate them.
• These companies include Duke Energy, PG&E, and DTE Energy. 
• They have recently been sanctioned by NERC for non-compliance to the CIP standards.
• Duke Energy agreed a $10 million fine in February to the NERC, which was the largest sanction given by the regulator for cybersecurity standards breaches.
• The previous record was a $2.7 million fine handed to California's Pacific Gas & Electric in 2018.
• Duke Energy was identified as the guilty entity by news reports despite not being named by the regulator.
• The company has been found guilty of 127 violations that took place between 2015 and 2018.
• These included a majority that was self-reported and 16 uncovered by NERC CIP audits.
• CIP violations by Duke Energy were deemed to have increased cybersecurity risks, due to their repetition, length, and scale.
• The company and its subsidiaries were found to have violated at least three types of CIP standards, including CIP-010-2: Configuration Change Management and Vulnerability Assessments, CIP-011-2: Information Protection, and CIP-014-2: Physical Security.

New Measures to Force Compliance

• Following poor compliance by energy and utility companies, the regulator is currently considering making the names of violators public to discourage violations.
• Currently, they are kept confidential to encourage self-disclosure.
• Utilities and their trade associations are strongly opposed to the naming system, arguing that it would contribute to exposing grid vulnerabilities.

Conflicts of Interests

• According to Tyson Slocum, director of advocacy group Public Citizen's Energy Program, NERC's committees and boards include people with close ties to utilities, creating a potential conflict of interest, and influencing the way utilities are supervised by the regulator.
• The advocacy group is pushing for a change in oversight policy by NERC, including naming the violators, moving away from self-regulation, and increasing funding to boost oversight and compliance.

Reasons for Non-Compliance

• According to Slocum, the first reason for non-compliance is due to costs, and companies that need to maximize shareholder return do not consider cybersecurity protection as a priority.

NERC Enforcement Actions 2019

• In 2019, NERC has enforced actions on 18 occasions between the 25th of January and the 31rst of October.
• All violations come under the following 11 CIP standards. 
• A total of 136 CIP standard violations have been recorded by NERC in 2019, including 83 from an unnamed entity reported to be Duke Energy. 
• 6 of these violations were deemed high-risk, 125 as medium risk, and 5 as low risk.

CIP-002-5.1a: BES Cyber System Categorization

• 5 high-risk violations of this standard have been found in 2019 including 4 violations by an unnamed entity reported to be Duke Energy. 

CIP-003-6: Security Management Controls

•  No violations of this standard have been reported by NERC in 2019.

CIP-004-6: Personnel and Training

•  23 medium risk and 2 lower risk violations of this standard have been found, 16 by an unnamed entity reported to be Duke Energy. 

CIP-005-5: Electronic Security Perimeters

•  13 medium risk violations of this standard have been found in 2019 including 9 violations by an unnamed entity reported to be Duke Energy.

CIP-006-6: Physical Security of BES Cyber-Systems

•  17 medium risk violations of this standard have been found in 2019 including 12 violations by an unnamed entity reported to be Duke Energy. 

CIP-007-6: System Security Management

•  28 medium risk violations of this standard have been found in 2019 including 12 violations by an unnamed entity reported to be Duke Energy. 

CIP-008-5: Incident Reporting and Response Planning

•  No violations of this standard have been reported by NERC in 2019.

CIP-009-6: Recovery Plans for BES Cyber-Systems

•  1 medium risk and 2 lower risk violations of this standard have been found in 2019, all of them by an unnamed entity reported to be Duke Energy. 

CIP-010-2: Configuration Change Management and Vulnerability Assessments

•  33 medium risk violations of this standard have been found in 2019, including 21 by an unnamed entity reported to be Duke Energy. 

CIP-011-2: Information Protection

•  10 medium risk and 1 lower risk violations of this standard have been found in 2019, including 5 by an unnamed entity reported to be Duke Energy. 

CIP-014-2: Physical Security

•  1 high-risk violation of this standard has been found in 2019, by an unnamed entity reported to be Duke Energy. 

#1: Rapidly Increasing Sophistication Among Energy & Utility Hackers

• In recent years, hackers have been motivated by political ideologies to focus on disrupting the electric grid in the United States, according to energy industry research expert, Jason Rodriguez of Zpryme, an energy industry research firm. Deloitte corroborates these findings by noting that the power sector is "one of the most frequently targeted" and that these attacks are evolving to become more invasive and complex.
• According to a 2018 survey of over 1,735 utility operatives, 58% said they had recently suffered a "significant cyber attack," and 84% said they "believe employee actions to be the most common reason for cyber attacks."
• To combat this, the United States energy industry has created a public-private partnership in an effort for the industry to adopt the Cyber Security Capability Maturity Model (C2M2) which aims to help organizations "evaluate, prioritize and improve their own cyber security capabilities" and provides a "common language and appropriate initiatives that non-technical decision makers can readily use to combat the issue."

#2: An Increasing Number of Energy and Utility Companies are hiring CISO's.

• Jason Rodriguez says that it's becoming more common for energy companies to hire a chief information security officer (CISO), whose responsibilities are to "defend and respond rapidly to cyber attacks."

• This trend makes sense given that a recent survey of utility companies found that 53% of utility companies now have a security operations center and 35% say that a lack of awareness among their executive team inhibits the organization's cyber security effectiveness.

• Deloitte notes that one critical area where CISOs will need to establish control is in the area of reducing risk in supply chains, as currently, most CISOs have zero control in this area, and yet, this is an area favorited by sophisticated attackers.

#3: Increasing Adoption of End-to-End Detection and Response Systems

• Jason Rodriguez notes how in recent years, there is a proliferation of the concept that cybersecurity threat detection and response should be a company-wide effort, wherein all employees will play a role in defining and responding to cyber attacks.
• This trend aligns with recent survey findings which reveal that 89% of utilities feel that their "existing cyber security solutions are not fully effective" and 39% say that their organization lacks a sufficient communication plan when it comes to dealing with cyber attacks.
• This trend appears likely to continue developing into the foreseeable future as cybersecurity expert, Ray Rothrock, notes, "Hackers are already likely sitting in various U.S. utility systems and reconnoitering, in what the Department of Homeland Security calls an Advanced Persistent Threat mode" and while most utility systems are pretty simple, they have become more complex over time as utility organizations have grown and "probably not kept up to date in terms of the latest thinking and architecture." Rothrock believes that these organizations will need to develop a "true culture of basic cyber hygiene" which will involve continuously training staff on how to be aware of and manage threats.

Research Strategy

Cybersecurity Breaches — Energy & Utilities Industry

#1. Salt Lake City-based sPower "Denial of Service" Attacks

• On March 5, there was a hack in Utah Wyoming and California when power grid control systems were attacked through a "denial-of-service" attack which disabled Cisco Adaptive Security Appliance devices.
• The breach caused the utility's supervisory control and data acquisition (SCADA) system to temporarily lose visibility of generation sites totaling 500 megawatts.
• The firm reported no financial loss since the hackers did not cause any blackouts or generation outages after it reviewed log files and found no evidence of breach beyond the denial-of-service attack.
• The Department of Energy (DOE) issued a statement showing that sPower reported the breach but did not provide any information on how it reacted to the breach since the incident did not have any impact on its operations.

#2. Dragonfly Energy Sector Cyberattack

• Dragonfly aka Energetic bear cyberattack happened when hackers breached Utility Industrial Controls System (ICS) firewall in the United States, Turkey, and Switzerland and copied configuration information and interface screens.
• The impact of the breach was that the hackers conducted reconnaissance in the systems and assessed the control system design vulnerabilities and capabilities.
• There was no financial loss reported since the hackers only copied configuration information and interface screens.
• Investigators into the attack were made to believe this was an information-gathering phase that could potentially be laying the groundwork for future attacks.

#3. Onslow Water and Sewer Authority (Onwasa) RansomWare Attack

• In October 2018 there was a cyberattack on Onslow Water and Sewer Authority (Onwasa) where Hackers encrypted several ONWASA systems in a ransomware attack as the company was recovering from Hurricane Florence and thus causing a loss of data.
• The breach by the ransomware forced the company to disconnect from the internet and resort to using single utility services computer. This has made service orders to be printed and distributed to workers before they leave for the day.
• The firm is reported to have spent an estimated $277,000 on recovery and changing of its defense systems including billings, new service orders, and other office functions that are done manually.
• The firm responded by disconnecting from the internet and reached out to cybersecurity and the military to help in its investigations and restoration of services.

#4. Duke Energy Corp Cyber Attack

• In March 2018 there was a cyberattack at Duke Energy Corp that affected the operations of at least four natural gas pipeline companies with digital connections to Energy Services Group (ESG) when the electronic data interchanges (EDI) provided by ESG subsidiary Latitude Technologies was hacked.
• The breach of the cyberattack forced the companies to cut off digital connections to Energy Services Group (ESG), based in Massachusetts which affected billing, scheduling, and sharing of documents by the oil companies, electric utilities and gas pipeline operators.
• The firm is reported to have agreed to pay $10 million in regard to fines for lapses and violations of security standards since the year 2015.
• The firm responded by disconnecting from the digital connections to Energy Services Group (ESG) and had contracted a "leading cyber forensics firm" to help in restoring operations.

Executive Summary

• Following is an Executive Summary of the Cybersecurity Analysis of the Energy & Utilities Industry;

To Avoid Losses from Patient Data Leaks

• A large proportion of consumers (88%) "trust their physicians or other healthcare providers to keep digital healthcare data secure".
•  One in two data breaches in the healthcare industry is related to identity theft. Hackers sell the data in the black market, which is later used by identity thieves, or for medicare fraud, or other financial gains.
• In 2016, one in four consumers had their healthcare information stolen. Individuals who experience identity theft lost an average of $2,528 per incident.

• Other than a loss of credibility, leaked patient data can result in costly legal proceedings or even the death of a healthcare enterprise.
• The cost of a data breach in healthcare is the highest across all organizations. The per record cost of a data breach by industry: Healthcare ($408), financial ($206), technology ($170), education ($166), and communication ($128).
• However, the spend on cybersecurity in healthcare is only 4-7% of the total IT budget, compared to 10-14% across industries.
• The healthcare system in the United States lost $6.2 billion owing to data breaches; the average cost of a data breach to a healthcare organization is $2.2 million.

IT Saves the Industry Millions

• The use of technology has brought about great efficiency in the healthcare system. Medical professionals can do more in 8 hours than they did in 12 hours 20 years ago. Technology has made it easier to exchange information with peers.
• The digitization of health records has led to better patient care, an easier and more efficient workflow -- computerized systems consume lesser time than paper-based ones -- and 3% lower healthcare costs for outpatient care. Further, EHR data can be analyzed to bring about greater cost and labor efficiency.
• As documents are saved over the network or cloud (instead of paper), more space has opened up for equipment and beds.
• Ambulatory EHRs result in savings of $44 billion a year and the increased adoption of AI in healthcare saves $150 billion a year by 2026. The increased reliance on EHR systems, big data, and the increased adoption of artificial intelligence require safer storage and more robust cybersecurity.

Efficient Care is Key to Meeting the Needs of a Growing Population

• As patient data is now stored in networks, doctors spend lesser time on paperwork and more time understanding patient concerns. However, despite efficient practices, doctors struggle to keep up.
• Managing a larger population will require more efficient practices. Efficiency can be brought about by greater technology adoption (such as artificial intelligence) and lesser disruptions at work from cyberattacks. Cyberattacks affect healthcare providers to provide care and exchange information with other healthcare entities.
• The senior (65+) population in the United States is expected to grow from 52 million in 2018 to 95 million in 2060; the proportion of the senior population will rise from 16% to 23% in the same period.
• Operational downtime is the most common impact of a cyberattack. Not only does the downtime result in lost time, it compromises the safety of patients in critical care.

Research Strategy

General Data Collection & Use by Healthcare Organizations

• Healthcare providers and insurers collect huge amounts of personal data on patients and users of their programs/systems/plans. Insurance providers use this data in modeling scenarios to determine which of their insured are likely to need which services. In this way, they monetize the data toward increasing rates in areas most likely to be used most often.
• Additionally, healthcare organizations use this vast amount of data to identify patients who may be at greater risk for an illness or disease, and take steps to enable preventive care.
• Some of these firms, like UnitedHealth Group for example, are empowered to legally sell portions of that data (that which isn’t protected under HIPAA and other data privacy laws) to companies who use the information for everything from “designing new drugs to pricing your insurance rates to developing highly-targeted advertising.”
• In addition to specific data, healthcare organizations can sell off (and buy) anonymized data sets, though alarmingly, “even when personal health data is formally anonymized in accordance with privacy rules, research has shown that such data can still be de-anonymized and linked” back to individual patients.

Importance of Protecting the Data

• The primary reason for protecting patient/user personal data is to avoid identity theft or other types of fraud against the person. Hackers steal personal information and either use it to open fraudulent accounts, take out loans, file fake tax returns, or make exorbitant purchases – all of which can haunt the person whose information was stolen for the rest of their lives.
• “Protecting your medical identity is a burden that falls on the victim,” and is vital since identity theft leads to a lifetime of monitoring and credit issues.

Personal Demographic Data

• Healthcare organizations collect a variety of personal data from patients/users, including gender, ethnicity/race, language(s) spoken, age, height, weight, etc. They also collect a person’s address, phone number, birthdate, and next of kin information.
• Other organizations collect information on patient beneficiaries’ demographic (and other personal data), as well.

Personal Financial Data

• Medical providers, insurance companies, and various other healthcare organizations typically collect a patient’s social security number and personal financial data – either through a credit/debit card, personal checks, or through direct connections with a person’s bank. This information can lead directly to a person’s credit history and connections.
• Some healthcare organizations collect information on health-related insurance claims, Medicare or Medicaid claims, hospital claims, and other related information, like appeals, if any.

Personal Health Data

• Medical histories are collected by doctors and insurance companies (and even by some apps!). This includes past and current surgeries, illnesses, injuries, and conditions, as well as allergies and test results, among other data.
• Lab tests or imaging results for patients is also kept and tracked by some health organizations (like medical providers and insurers).
• Additionally, some organizations (or even products, like FitBits) collect real-time biometric data from patients/users, especially those who are on disease- or illness-management programs.
• If a person has ever had cancer – or some other long-term or chronic illness, there are collections of data on that person’s treatment plans, drug regimens, and recovery rates.

Personal Sociological / Psychographic Data

• Other data often collected through various means by healthcare organizations include sociological and psychographic data, like addiction (and treatment) histories, incidences of sexual assault and violence, and others.
• Data collected can also include “cultural lifestyle patterns,” which includes things like “food choices and smoking habits.”
• Some organizations, apps, etc collect geospatial data on their patients/users; this is often used to geo-target marketing materials to particular audiences based on their current locations.

“Shadow Health Record”

• Data that falls outside of HIPAA protections, but is often collected by healthcare organizations includes “alternative data” that is sometimes called the “shadow health record.” This data includes things like “credit scores, court documents, smartphone locations, sub-prime auto loans, search histories, app activity, and social media posts,” among other data.
• A person’s shadow health record can be drawn from myriad sources, including things like a person’s transactions at their gym, local vape shop, health food stores, as well as “interactions with websites, sleep trackers, medical devices, internet-connected exercise bikes, smartwatches, wearable fitness trackers, blood glucose monitors, pacemakers, and the wide, wide world of wellness apps.”

Research Strategy

1. EHR Theft

• Electronic Health Records (EHRs) are sold for as much as $50 in the black market as opposed to financial data (e.g. credit card and social security numbers), which are sold for only $1; this makes EHR theft a notable cybersecurity vulnerability.
• Since EHRs have all the patients' information (e.g. ID, credit card number, insurance, etc) and their health record (e.g. medical reports and prescription), this can lead to the misuse of such information by filing medical insurance claims through the insurance provider or purchasing equipment and/or medication and then reselling them.
• EHR theft is more serious than credit card theft, or any other data breach, since tracking them takes more time as compared to other forms of data and this provides cybercriminals the opportunity and the time they need to leverage and misuse that information for their sinister purposes.

2. IoT Exploitation

• The Internet of Things has a long list of benefits to offer, but it offers a number of cybersecurity vulnerabilities at the same time, e.g. data privacy and security.
• Implantable and wearable IoT devices used in healthcare, e.g. insulin pumps, monitors, pacemakers, etc., are always at risk of cyberattacks.
• The real vulnerability of these devices is their inability to support an endpoint security agent, which leaves them at an open risk of being attacked by malicious behaviors/attacks.

3. Mobile Devices

• Mobile devices add to the vulnerability of a healthcare firm and make them prone to data breaches.
• As per a recent BMC Medicine study, 66% of mobile "health apps that send identifying information over the Internet don’t use encryption while 20 percent don’t have a privacy policy."
• This falls under BYOD (Bring Your Own Device) policies set by healthcare organizations, and these policies need to be made more strict.

4. Ransomware

• Ransomware is a problem for every industry, however, healthcare is probably the most affected by ransomware as its effects are far-reaching and can cause severe financial damage to the affected organization.
• If a retail store was to be hacked and its Point of Sale (POS) system locked up, the company may lose money to the order of millions of dollars, however, if hackers could figure out the process of locking down medical devices, its effects will be far worse.
• "Citrix Chief Security Strategist Kurt Roemer said that ransomware has been “extremely pervasive” within healthcare, and that it really speaks to the model in which most healthcare providers are operating."

Research Strategy

The HIPAA Security Rule Overview

• The primary guiding rule for cybersecurity in healthcare is the HIPAA Security Rule, aka the Security Standards for the Protection of Electronic Protected Health Information.
• One of the major goals of the Security Rule is to enable healthcare organizations "to adopt new technologies to improve the quality and efficiency of patient care" while still safeguarding the privacy of individuals.
• Covered entities must ensure that any e-PHI (electronic protected health information) that they create
• Is protected against breaches of confidentiality or integrity,
• By identifying and protecting against "reasonably anticipated threats,"
• And ensuring workforce compliance.
• "Confidentiality," in this context, means that e-PHI must not be available or disclosed to unauthorized persons.
• "Integrity" means that "e-PHI is not altered or destroyed in an unauthorized manner."
• At the same time, e-PHI must be available and usable on demand by an authorized person.
• The Security Rule is scalable, which means that healthcare entities must continue to review and modify their policies and procedures as they continue to grow.

Risk Analysis

• Covered entities are required "to perform risk analysis as part of their security management processes... to determine which security measures are reasonable and appropriate."
• Proper risk analysis includes (but is not limited to) the following (quoted verbatim):
• Evaluate the likelihood and impact of potential risks to e-PHI;
• Implement appropriate security measures to address the risks identified in the risk analysis;
• Document the chosen security measures and, where required, the rationale for adopting those measures; and
• Maintain continuous, reasonable, and appropriate security protections.

• More complete guidance on conducting a proper risk analysis can be found here.

Administrative Safeguards

• Administrative Safeguards are defined by HIPAA as, "Administrative actions, and policies and procedures, to manage the selection, development, implementation, and maintenance of security measures to protect electronic protected health information and to manage the conduct of the covered entity’s workforce in relation to the protection of that information."
•  Administrative Safeguards must be put into place in the following areas:
• Security Management Process
• Security Personnel
• Information Access Management
• Workforce Training and Management
• Evaluation

Physical Safeguards

•  Physical safeguards, which "involve access both to the physical structures of a covered entity and its electronic equipment," are also key to the Security Rule.
• Physical safeguards can be divided into two key areas:
• Facility Access and Control
• Workstation and Device Security

Technical Safeguards

•  Technical Safeguards, which encompass the policies and procedures surrounding the healthcare organization's use of technology as well as the technology itself, must be established in the following areas:
• Access Control
• Audit Controls
• Integrity Controls
• Transmission Security

Organizational Requirements

•  Organizational Requirements for compliance include the following:
• Covered Entity Responsibilities
• Business Associate Contracts.

Documented Policies and Procedures

• Policies and Procedures and Documentation Requirements essentially state that a covered entity must maintain for up to six years after the creation date or last effective date, "written security policies and procedures and written records of required actions, activities or assessments."
• To quote the AMA, "Policies may be changed at any time, so long as the accompanying documentation is also updated. Regulations require periodic review of policies and responses to changes in the ePHI environment."

Most Common HIPAA Violations

• Risk Analysis was not thorough
• Lack of safeguards
• Failure to report a breach
• Use and disclosure issues
• Missing or deficient policies and procedures
• Outdated or insufficient training
• Inconsistent access monitoring
• 3rd party disclosure
• Lost or stolen device — laptop, USB, smartphone
• Lack of encryption

Risk Analysis

• Most healthcare organizations conduct regular risk assessments:
•  14.6% every two or more years
•  45.5% annually
•  5.6% biannually
•  10.7% quarterly
•  9% monthly
•  9.6% daily
•  5.1% did not perform risk assessments at all

• However, not all test all aspects of their security:
•  74.7% assess the network
•  73.5% assess security awareness and training programs
•  71.1% assess physical security
•  69.3% perform asset inventories
• As a result of these risk assessments:
•  83.1% adopted new or improved security measures
•  65.1% replaced or upgraded security solutions
•  56.6% replaced outdated hardware, software, and/or devices
•  2.4% deemed no further actions were necessary

Administrative Safeguards

• While IT incidents were the leading cause of data breaches in 2018 (45.9%), unauthorized access and disclosure (35.9%), along with loss or theft (15.5%) were the other two leading factors, suggesting that the requisite training of individuals to avoid cybersecurity breaches is lagging.
• In addition, 22.5% of healthcare companies report having no budget allocated specifically to data privacy management, though 91.3% report having "a data privacy and awareness program in place."

Physical Safeguards

• A 2017 survey found that "65% of doctors and 41% of nurses admitted they use personal devices despite explicit policy prohibiting such use."
• However, the same survey found that 71% of hospitals do have some manner of bring-your-own-device policy in place, up from 58% in 2016.
• The lapses in cybersecurity due to mobile device use prompted the National Institute of Standards and Technology (NIST) to issue a guide titled, "Securing Electronic Health Records on Mobile Devices" in 2018.

Technical Safeguards

• While "nearly all" US healthcare organizations are making use of the cloud to collect, store, and share e-PHI (electronic protected health information), less than 40% are encrypting their data in those environments.
•  Only 60% of organizations have an automated means to determine when a data breach has occurred.
• Despite this, 73% of healthcare organizations rate their security in implementing new tech deployments as "very" or "extremely" secure, suggesting that they are "overconfident in their ability to thwart security lapses."

Organizational Requirements

• Half of healthcare organizations have over 50 data-sharing agreements, 20% more than businesses in any other industry.
•  61% say they are "more confident" that they were compliant with privacy regulations than they were confident in their partners.

Documented Policies and Procedures

• As noted previously, 91.3% of healthcare organizations report having a documented "data privacy and awareness program in place."
• However, as noted in a 2018 Horizons Report, these policies and procedures are often "weak, or don't align with actual implementation of safeguards."

Additional Reading

• The aforementioned Horizon Report contains some alarming statistics regarding cybersecurity penetration tests (page 8). These statistics were gathered from 2015 to 2017 and consequently, we are uncertain whether they are still valid and have not included them in the body of this brief. Nevertheless, they may be of interest.

Healthcare Cybercrime is Out of Control

• 2019 saw a 300% increase in cyberattacks on healthcare systems, and the HIMSS estimates that 80% of healthcare organizations have had a significant cybersecurity issue (not necessarily a breach) in the last 12 months.
• Healthcare records are among the most valuable on the black market, worth up to $500 per record.
•  One-third of hospitals will experience a cybersecurity incident within the next two years.
• The HIMSS estimates that 80% of healthcare organizations have had a significant cybersecurity issue (not necessarily a breach) in the last 12 months.
• Supply chain or other 3rd party vendors experienced a 78% increase in attacks in 2018.
• FBI Director Christopher Wray states, "Today’s cyberthreat is bigger than any one government agency — in fact it’s bigger than the government itself. The scope, breadth, depth, sophistication and diversity of the threat we face now is unlike anything we’ve had in our lifetimes."

Healthcare Organizations Are Overconfident and Falling Behind

• Overconfidence is a huge issue, with the results of one survey finding that healthcare organizations "have high levels of confidence in their cybersecurity preparedness despite most surveyed organizations using only basic user authentication methods."
•  58% of organizations believe that their patient portal security is "above average or superior when compared to other patient portals."
• While 65% use multifactor authentication, 39% use "a knowledge-based Q&A for verification," which, due to the number of compromised credentials due to data breaches and phishing scams, are inadequate.
•  70% of mid- to large-sized healthcare organizations are "very or extremely confident" in how they secure sensitive data, but only 50% "update their inventory of personal data once a year or less," leaving them vulnerable to ransomware attacks or even simple server crashes.
• This is particularly concerning given the prevalence of ransomware attacks (e.g., WannaCry), which could block access to vital medical records at critical moments.
• Confusing regulatory compliance with security may be a major issue, as noted in a recent article in the Journal of Medical Internet Research.
• As an aside, the JMIR article referenced above is excellent in its own right, though we ultimately deemed it too complicated to introduce into this brief, and reading the abstract and conclusion is highly recommended.
• This is echoed in a 2018 Horizon Report tellingly entitled, "From Compliance to Confidence," which identified three major trends which result in overconfidence despite a lack of security:
•  Weak policies and procedures which don't align with actual safeguard implementation,
• A lack of concise asset inventories (also noted above), and
• A lack of well-structured programs to manage vulnerability.

However, Healthcare Organizations Are Investing More into Cybersecurity

• Healthcare organizations most commonly cite a lack of cybersecurity personnel (52.4%) or financial resources (46.6%) as their primary reasons for being inadequately prepared for cybersecurity attacks; however, nearly four-fifths (79.5%) or more (86% in a separate survey) expected increased resource allocation in 2019.
• Roughly half of healthcare organizations have already invested $100,000 to $500,000 in their data privacy budgets, putting them at a level higher than other industries.
• The largest driver for these increased budgets is regulatory concerns (76%), "including enforcing data retention and classification policies and rapid response to data breaches (61% for both)."

Coplin Health Systems

• An employee of Coplin Health Systems in West Virginia left an unencrypted laptop in a car that was stolen and subsequently the data of 43,000 patients was also stolen.
• Luckily, no one has attempted to use the data from the stolen laptop, as per Derek Snyder, CEO at Coplin Health Systems.
• The organization has since been working with law enforcement agencies about the incident and their systems are being monitored for unauthorized access.
• The data breach has costed the company a total of over $60 million in direct costs in terms of lawsuits, penalties, and fines.

Banner Health

• A cyber attack on Banner Health compromised the data of as many as 3.7 million people in 2016.
• The matter is being investigated by the Office of Civil Rights at the US Health and Human Services and the investigation is still active, and the initial report suggests that the security arrangements at Banner are inadequate.
• Banner informed that they are cooperating with OCR in the investigation and they have made changes to their security systems post the breach.
• The costs associated with the breach were not available; however, as per the 2016 cost of a data breach report, the average of costs of healthcare data breach resolution stood at $355 per record, which could cost Banner Health as much as $1.3 billion (3.7 million * $355) in total direct costs.

Newkirk Products

• Newkirk Products, a healthcare ID card issuer, was involved in a data breach that compromised the records of 3.47 million patients.
• As a result of the breach, one of the largest insurance provider, Blue Cross Blue Shield, was also affected and patients' sensitive information, including "Medicaid ID numbers, names (including those of dependents), dates of birth, premium invoice information, and group ID numbers" were also compromised; however, no misuse of data has yet been reported.
• The company has taken steps to notify all affected individuals by mail and is offering them complimentary identity theft monitoring and resolution services.
• The costs associated with the breach were not available; however, as per the 2016 cost of a data breach report, the average of costs of healthcare data breach resolution stood at $355 per record, which could cost Newkirk as much as $1.2 billion (3.47 million * $355) in total direct costs.

Premier Family Medical

• In one of the more recent cyberattacks, Premier Family Medical in Utah experienced a ransomware attack in July this year, which involved 320,000 patients who were being notified by the healthcare provider.
• As a result of the attack, the provider's access to patient data and some other functions was blocked.
• The provider is working to regain access to the data and investigating with technical consultants' assistance.
• The costs associated with the breach were not available; however, as per the 2019 cost of a data breach report, the average of costs of healthcare data breach resolution stood at $429 per record, which could cost Premier as much as $137.28 million (320,000 * $429) in total direct costs.

Research Strategy

Executive Summary

• Following is an Executive Summary of the Cybersecurity Analysis of the Healthcare Industry;

Importance of Trust in the Industry

• The Banking and Financial Services industry relies on "nurturing trust and credibility" among its customers, and data breaches negatively impact consumer trust.
• Banks and other financial institutions hold very sensitive personal data on their customers. Since the data is highly sensitive, additional care is needed to protect it, compared to other industries.
• Cybersecurity breaches could lead to lost money and time for customers, which makes them highly risk-averse. Therefore, customers are likely to change banks if a major breach occurs.
• Companies in the financial sector experience the highest rate of customer churn compared to all other industries, according to a report by the Identity Theft Resource Center.

Banks are Prime Targets for Cybersecurity Attackers

• The number of data breaches in the Banking and Financial Markets industry is increasing every year. It increased by 44.7% from 2016 to 2017, and the financial sector accounted for 8.5% of all breaches in 2017.
• Companies in the financial services industry are targeted by cybersecurity attackers 300 times more frequently than businesses in other industries.
• According to a report by IBM, "financially-motivated threat actors pose the most significant threat to the financial services industry, with threats from nation state groups in this sector, increasing over the past three years and resulting in the direct theft of millions of dollars from banks around the globe."
• Distributed Denial of Service (DDoS) attacks, one of the most common cybersecurity threats, increased by 56% in the industry in recent years, and 60% of financial services businesses have said that the attacks are becoming larger and more impactful each year.

Regulatory Compliance

• To protect consumers, governments frequently impose more stringent cybersecurity regulations on companies in the Banking and Financial Markets industry. Therefore, companies in the space are forced to make cybersecurity a priority to be in compliance with the regulations.
• One example of such regulations is the New York Department of Financial Services (NYDFS) Cybersecurity Regulation, also known as the 23 NYCRR Part 500. This regulation puts more accountability for cybersecurity breaches on senior executives of financial services companies operating in New York City.
• Just this single regulation is estimated to affect around 1,900 businesses in the Banking and Financial Markets industry. Companies in the industry are required to perform regular audits and employee training activities to be in compliance with the regulation.

1. Identity or Personal Identifiable Information

•  Personal Identifiable Information (PII) is any piece of data an institution receives, that can be directly used to identify/trace an individual, such as the person's name, date of birth, place of birth, social security number, mother‘s maiden name, biometric records, etc.
• It also includes the information that can be linked or is linkable to the person, like home address, email address, passport number, telephone number, country, city, state, postcode, gender, race, age, age range, job position, workplace, etc.
• With the advances in technology and internet communication, banks are concerned as they realize that PII is no longer secure, the information can be leaked, and it has become too easy for fraudsters to find it and use it.
• Several banks in the US are already taking actions and finding alternative ways to identify their clients without the use of previous methods, like stop requesting their SSN, as it is no longer considered secure.
• They're also working together to create a central system that helps banks and financial institutions prove a person's identity.
• Bank of America also takes care of protecting their clients' identity by following different security procedures, including an annual mandatory training about fraud prevention and security for their employees, and creating resources to advise their customers about security practices, like notifying that their emails won't ask for personal information, and using mail certificates to make sure their emails are legit and don't go to the email spam.
• The financial markets firms in the industry are also aware of the importance of identity protection, and implement methods like using secure and authenticated devices and computers for their work, secure networks prepared to face a cyberattack, third-party vendor services that help them increase their security levels, training and testing about cybersecurity for their employees, and plans to receive security breach reports from their customers.

2. Account Information

• Bank account information and online bank account information include log-in details, customer number, bank account number, and financial information like transaction records, credit scores, credit limits, etc.
• In July 2019, there was a security breach in Capital One, where 140,000 SSNs were stolen and over 80,000 bank account numbers, affecting 100 million customers in the US, and a cost of $150 million in damages for the bank.
• To protect the customers' account information that is available online from intrusive access and cyberattacks, banks employ methods like anti-malware protection, antivirus protection, firewalls, SSL encryption, cookies, biometric authentication, and multi-factor authentication.
• They also provide credential confidentiality by promising to protect the client's username and password information.
• Additionally, they guarantee that a future device user won't have access to the information by enabling automatic log-out from the bank account sessions.
• HSBC, for example, protects its customers' accounts from theft by using technology like decryption, encryption, firewalls, digital certificates, different authentication methods, and support through Secure BankMail.
• Bank of America protects the client's bank account information from unauthorized access by maintaining different procedural safeguards for electronic and physical access.
• Financial Markets also use encryption to manage the account access securely and train their employees in fraud prevention.

3. Credit and Debit Card Information

• Banks use methods like a limited liability to make sure the customer is reported or asked when transactions above the limit are made or attempted.
• HSBC prevents credit card theft and unauthorized transactions using a $0 liability online guarantee and offers 100% coverage for unauthorized charges caused by fraud, or account theft.
• Bank of America also offer $0 liability for credit card theft and a direct phone number to report a stolen card at any time.
• Additionally, Bank of America has implemented a geo-location security system that recognizes the place where an online purchase was made.
• Lastly, most banks have ensured the credit and debit cards of their clients are safe by implementing EMV chips and requiring two verification methods to make physical use of it, like chip-and-signature, or chip-and-firm.

Research Strategy

Web-based XML external entity flaws and arbitrary file reading and modification flaws

• Banks' and financial markets companies' web-based banking applications are reported to be the most vulnerable to attack of all the industries. According to security firm Positive Technologies, every financial web-based page tested in their review contained at least one high-severity vulnerability.
• The specific vulnerability found in the banks and financial markets industry when it comes to cybersecurity are "XML external entity flaws and arbitrary file reading and modification flaws" in approximately 50% of the banking and financial sites tested. This means that, in the case of a cyberattack, the attacker can "remotely run code to compromise a vulnerable server — possibly leading to serious consequences for customers who expect their banks to keep their money safe."
• Additionally, 80% of websites are vulnerable to cross-site scripting (XSS) attacks that allow an attacker to implement malicious code on a website.
• Both of these flaws are often usually not considered high-severity are therefore treated with lower priority. This leads to attackers being able to "manipulate how sites look, tricking users into handing over sensitive information that gets silently forwarded to an attacker."

Mobile app software gaps for Android

• Banking and other financial apps run on Android OS allow for the creation of worldwritable files which pose a unique security risk for banks and financial services apps as it allows "other apps to have written access to files, leading to potential security gaps."
• Currently around 33% of banking apps that run on Android OS "created or modified a file such that the file has permissions that allow other apps to write to it."
•  Approximately 60% of banking apps run on Android OS are not obfuscated which means they are effectively putting intellectual property of the bank at risk as these apps can easily be reverse-engineered.

Mobile app software gaps for iOS

• The cookie secure tag is not properly set up for 54% of all banking apps running on iOS devices. When set to true, the "secure flag tells the browser to only send the cookie if the request is sent using a secure channel, which prevents the cookie from being transmitted over unencrypted requests."
• Additionally, 80% of all banking apps running on iOS have sensitive values intercepted while proxying SSL and Transport Layer Security (TLS) app communications, which include the username, password, GPS coordinates, WiFi mac (media access control) address, IMEI (International Mobile Equipment Identity), serial number, and phone number.
• When iOS sends sensitive data without certificate pinning, it allows for the creation of a cyberattack with network privileges, just by accessing the same network the iOS is operating from.

Bank Secrecy Act

• Through the Bank Secrecy Act (aka BSA/Anti Money Laundering), the OCC (Office of the Comptroller of the Currency) supervises the financial institutions in the US and enforces laws to prevent terrorist financing, money laundering, and other criminal activities that may involve the misuse of the nation's financial institutions.
• BSA compliance is ensured by the OCC by regular examinations of agencies of foreign banks in the country, federal branches, national banks, and federal savings associations.
• As per an MoU, the OCC also notifies the U.S. Department of Treasury's Financial Crimes Enforcement Network (FinCEN) and the Office of Foreign Assets Control (OFAC) about BSA violations and/or deficiencies.

Gramm-Leach-Bliley Act

• The Gramm-Leach-Bliley Act (aka GLBA) is a federal law in the United States that mandates financial institutions in the country to publicize their process of sharing and protection of the private information of their customers.
• Financial institutions are expected to follow certain requirements in order for them to be GLBA-compliant. These requirements include communication of the process of sharing the customers' private information, informing customers about their right to opt-out if they do not want their data reaching the hands of third parties, and implement specific data protection techniques to keep customer information safe.

Regulation E

• Regulation E compliance, also known as the Electronic Funds Transfer Act (EFTA), is a regulation implemented by the Federal Reserve and regulates Electronic Funds Transfers (EFTs).
• The regulation "provides guidelines for issuers and sellers of electronic debit cards" and guides customers as well as financial institutions/banks when it comes to electronic funds transfers, including transfers generated using Point of Sale (POS) transactions, Automated Clearing House (ACH) systems, and Automated Teller Machines (ATMs).
• This regulation also encompasses rules that relate to consumer liability when it comes to unauthorized card usage.

USA PATRIOT Act

• The USA PATRIOT Act resulted from the September 11 terrorist attacks and gives law enforcement agencies the power to "investigate, indict and bring terrorists to justice."
• USA PATRIOT is an acronym for "Uniting And Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism".
• While the act applies broadly to security institutions, it also impacts financial institutions that are engaged in cross-border transactions "with a goal of thwarting the exploitation of the American financial system by parties suspected of terrorism, terrorist financing, and money laundering".

Cybersecurity Requirements for Financial Services Companies

• As many as 1,500 banks and financial institutions are regulated by the New York Department of Financial Services, including international institutions that have operations in New York.
• These institutions are subject to the cybersecurity requirements published by the NYDFS. There are 22 provisions that constitute these requirements, each relating to data protection.
• As per the requirements, financial institutions must perform risk assessments in order to identify loopholes and ensure that nonpublic information and information systems are safe from unauthorized access. These may include risk-based authentication, multifactor authentication, and biometric authentication.