CYB III
See attached.
3 years ago
cyb4301_unit3_part2_worksheet.docx
Unit III, Part 2: Report Your Findings.
1. What is meant by the word "Pwned" in the HIBP website title?
2. Choose 1 of the "Largest breaches" listed on the Home tab. What was breached (e.g., consumer financial information, information belonging to children, or information within educational records)? How many records were involved? What was the root cause?
3. Without divulging your personal email account, provide a summary of the results. Ensure you include the top 3 breaches. What breach surprised you and why?
4. If you entered a domain you own into the "Domain search" tab, without disclosing the domain name, provide a synopsis of the results. If you do not own a domain name, provide 1 or 2 of the most important points you discovered by reading Troy Hunt's blog post.
5. What did you find out about the organization you investigated on the "Who's been pwned" tab? What did you find interesting? Will you continue to maintain your personal account with the organization? Why or why not?
6. What password did you choose from the NordPass list? What results were returned? Are you surprised by the time to crack the password or the frequency count of the password you chose? What is the significance of this research?
7. Summarize what you learned about your own digital footprint. What surprised you about what you learned from the HIBP website? What are the implications of entering sensitive data into the HIBP website?
8. Based on what you have learned from the HIBP website, what business challenges are associated with safeguarding sensitive information? What statutory versus regulatory concerns exist in safeguarding sensitive information?
CYBIII.docx
Have I Been Pwned? (HIBP)
Part One: Explore the HIBP Website
How long has it been since you last heard of a data breach in the news, or were perhaps notified that your account had been impacted? Security Magazine reported that in 2021 there were more than 4,145 publicly disclosed data breaches, with 22 billion records exposed. Other reporting indicates that the top country for data breaches in the world is the U.S., with over 212 million users (63% of the population) affected (Surfshark, 2022). With data breaches so prevalent, and the U.S. subject to more data breaches than any other country, how can the average person become better informed?
Troy Hunt, a noted security researcher, runs the website "Have I Been Pwned?" (HIBP) ("pwned" is a variant of "owned," meaning taken over, loss of control, utterly defeated, etc.) to help people learn about breaches, determine whether their email addresses and domain names have appeared in data breaches, and use other related services.
In part one of this assignment, you will explore the HIBP website, and perform a self-assessment of your digital footprint.
1. Go to the Have I Been Pwned? website (Have I Been Pwned: Check if your email has been compromised in a data breach).
2. Explore the tabs across the top of the site (e.g., Notify me, Domain Search, Who's Been Pwned, Passwords)
3. Enter an email address or a phone number you own into the "pwned?" field on the home tab (please do not use someone else's email address nor the email of your employer) and click “pwned?”
4. Scroll down the page to the "Breaches you were pwned in,” and review the results. Note: If your submission comes back without results, try an alternate address or talk to your instructor.
5. Click on the "Notify Me" tab at the top of the page. Review the options available to you.
6. Click on the "Domain Search" tab at the top of the page. If you own a personal domain you can enter the information and obtain actual results, but it is not required. Alternatively, review the blog post (Troy Hunt: I'm pwned, you're pwned, we're all pwned – introducing domain wide searches).
7. Click on the "Who's Been Pwned" tab at the top of the page. Choose one of the organizations listed that you have an account with, have done business with, or visited their website.
8. Click on the "Passwords" tab at the top of the page. Choose one of the Top 25 passwords from the NordPass website (Top 200 Most Common Passwords List | NordPass) and submit using the "pwned?" button.
9. Click through the various sub-menus under the "About" tab at the top of the page.
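Step 8 above checks a password against the Pwned Passwords service, and question 7 in Part Two asks about the implications of entering sensitive data into the site. The password lookup is designed so that the password itself is never sent: the client hashes it with SHA-1 and transmits only the first five hex characters of the hash, receives every hash suffix in that bucket together with how often each was seen in breaches, and matches the remaining 35 characters locally (the k-anonymity range model behind the real https://api.pwnedpasswords.com/range/ endpoint). The Python below is added here as an illustration and is not part of the course materials or Troy Hunt's code; the bucket it checks against is constructed inline with made-up counts so the example runs offline, and `fetch_range` is included only to show how a live bucket would be retrieved.

```python
import hashlib
from typing import Dict, Tuple
from urllib.request import Request, urlopen

# Real Pwned Passwords range endpoint: only the first 5 hex characters of the
# SHA-1 hash are sent; the service answers with every suffix in that bucket.
RANGE_URL = "https://api.pwnedpasswords.com/range/{prefix}"


def sha1_hex_upper(password: str) -> str:
    """SHA-1 of the UTF-8 password as upper-case hex, the form HIBP uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(password: str) -> Tuple[str, str]:
    """Return (5-char prefix that is sent, 35-char suffix that stays local)."""
    digest = sha1_hex_upper(password)
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a dict keyed by upper-case suffix."""
    counts: Dict[str, int] = {}
    for raw in body.splitlines():
        line = raw.strip()
        if not line:
            continue
        suffix, sep, count = line.partition(":")
        if not sep:
            continue  # tolerate a malformed line rather than fail the check
        counts[suffix.strip().upper()] = int(count.strip())
    return counts


def breach_count(password: str, range_body: str) -> int:
    """How many times the password was seen in breaches (0 = not in bucket)."""
    _, suffix = split_hash(password)
    return parse_range_response(range_body).get(suffix, 0)


def fetch_range(prefix: str, timeout: float = 10.0) -> str:
    """Retrieve a live bucket (network call; not used by the offline demo)."""
    req = Request(RANGE_URL.format(prefix=prefix),
                  headers={"User-Agent": "hibp-k-anonymity-demo"})
    with urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


# Constructed sample bucket for the prefix of "password" (an entry on the
# NordPass most-common list). The counts and filler suffixes are made up.
SAMPLE_PASSWORD = "password"
SAMPLE_PREFIX, SAMPLE_SUFFIX = split_hash(SAMPLE_PASSWORD)
SAMPLE_RANGE_BODY = "\r\n".join([
    "0" * 35 + ":1",             # constructed filler suffix
    f"{SAMPLE_SUFFIX}:4000000",  # constructed count for "password"
    "F" * 35 + ":7",             # constructed filler suffix
])


def check_password_offline(password: str) -> int:
    """Run the k-anonymity check against the constructed bucket above."""
    prefix, _ = split_hash(password)
    if prefix != SAMPLE_PREFIX:
        return 0  # a different bucket; only the sample one exists offline
    return breach_count(password, SAMPLE_RANGE_BODY)


if __name__ == "__main__":
    for pw in ("password", "a-constructed-passphrase-not-in-sample"):
        prefix, _ = split_hash(pw)
        print(f"sent to service: {prefix}  seen {check_password_offline(pw)} times")
```

Note what leaves the client: a five-character hash prefix shared by roughly one in a million possible passwords, never the password or its full hash. That is why the Passwords tab is safe to use in step 8 even though the same caution applies to the email field, where the full address is submitted.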
Part Two: Report Your Findings
You will need the Unit III Part 2: Report Your Findings worksheet to record your findings.
1. What is meant by the word "Pwned" in the HIBP website title?
2. Choose one of the "Largest Breaches" listed on the Home tab. What was breached (e.g., consumer financial information, information belonging to children, or information within educational records)? How many records were involved? What was the root cause?
3. Without divulging your personal email account, provide a summary of the results. Ensure you include the top three breaches. What breach surprised you and why?
4. If you entered a domain you own into the "Domain Search" tab, without disclosing the domain name, provide a synopsis of the results. If you do not own a domain name, provide one or two of the most important points you discovered by reading Troy Hunt's blog post.
5. What did you find out about the organization you investigated on the "Who's Been Pwned" tab? What did you find interesting? Will you continue to maintain your personal account with the organization? Why, or why not?
6. What password did you choose from the NordPass list? What results were returned? Are you surprised by the time to crack the password or the frequency count of the password you chose? What is the significance of this research?
7. Summarize what you learned about your own digital footprint. What surprised you about what you learned from the HIBP website? What are the implications of entering sensitive data into the HIBP website?
8. Based on what you have learned from the HIBP website, what business challenges are associated with safeguarding sensitive information? What statutory versus regulatory concerns exist in safeguarding sensitive information?
Deliverables
Upon completion of the worksheet, you are required to provide the following deliverable to your instructor:
· Unit III, Part 2 Worksheet Template (.docx)
Once you have completed the worksheet, submit (upload) the completed MS Word document.
UnitIII.pdf
CYB 4301, Cybersecurity and Crime 1
Course Learning Outcomes for Unit III
At the end of this unit, you should be able to:
4. Investigate breach notification requirements for protecting data.
4.1 Identify the consequences of a consumer financial and health information breach.
4.2 Describe breach notification requirements for a breach of consumer financial or health information.
Required Unit Resources
Chapter 6: Security and Privacy of Health Information (ULO 4.1 and 4.2)
Unit Lesson
Lesson: Consumer Financial and Health Information (ULO 4.1, 4.2)
Consumer Financial and Health Information
In Unit III, you will learn about the business challenges of protecting consumer financial and health information; what makes health information sensitive; and several important laws and standards governing consumer financial and health information, such as the Payment Card Industry (PCI) Data Security Standard (DSS), the Health Insurance Portability and Accountability Act (HIPAA), and the Gramm-Leach-Bliley Act (GLBA). With the rise of the internet and the World Wide Web, financial institutions and the healthcare industry are under constant threat of attack as at no other time in history. The breadth, depth, and frequency of cybercrimes against these two sectors have grown significantly in the past decade. Why? We will turn to history for an answer. American bank robber Willie Sutton was one of the earliest fugitives named to the Federal Bureau of Investigation (FBI) most wanted list, and he is popularly credited with robbing banks "because that's where the money is." Sutton was certainly not alone in his thinking (FBI, 2022). Grama (2022) provided two examples of how the modern Suttons of the world leverage the internet to multiply the impact of their cybercrime activity: the 2013 hacking ring that struck ATMs around the globe and stole more than $45 million, and the 2008 Heartland Payment Systems breach in which hackers caused $170 million in losses related to payroll and credit card payments. It should come as little surprise, then, that hackers and organized crime syndicates target the financial and health sectors: these industries are high-profile targets for money and sensitive data.
Why is Cardholder and Healthcare Information Sensitive?
Now that you understand why banks and financial institutions are targeted, what makes health information sensitive, and why are hackers interested in patient data? There are several considerations that require your attention and analysis. Health-related data, also referred to as protected health information (PHI), is comprised of data related to your physical and mental health and the provision of care for your health. Some of this data is sensitive in nature. For example, many people do not want the details of their care to be known outside of their most intimate circle. When this information is inappropriately handled or disclosed, a privacy breach occurs, and because health data is so sensitive, further negative consequences can follow. Nass et al. (2009) recognized that discrimination based on health and genetics could result in measurable economic harm in health insurance and employment screening. Think about the monetary value associated with this sensitive data. Beyond these significant considerations, health care data often contains a treasure trove of personally identifiable information (PII). Hackers and cyber criminals can exfiltrate information from payment and medical records systems, then resell that information on the dark web. Clearly, cyber criminals are lured by the potential monetary gain from sensitive data. Thus, it is critically important that cybersecurity professionals safeguard this data.
UNIT III STUDY GUIDE
Consumer Financial and Health Information
The PCI-DSS, GLBA, and HIPAA
In Unit II, you learned about the American legal system, and you were introduced to the security and privacy of consumer information. Did you know that there are many similarities between the payment card and healthcare industries? Modern payment systems and Electronic Medical Records (EMR)/Electronic Health Records (EHR) systems contain a vast amount of information that is extremely valuable to cyber criminals. We have already discussed some of the reasons why these industries are targeted, and the sheer number of data breaches offers valuable insights. For example, 45% of US-based organizations have experienced a data breach (Surfshark, 2022). In response to the growing number of data breaches, private industry has created industry-based regulations and legislative bodies have passed laws.
Let's start with industry-based regulations. The PCI-DSS is not a law (Grama, 2022) but the result of an industry-led effort, culminating in 2006, to self-regulate and standardize the protection of credit cardholder data (Jones & Bartlett Learning, 2022). The 12 categories of security requirements within the PCI-DSS will be a valuable tool at your disposal for securing credit cardholder data as a cybersecurity professional. It is also important to note that while the PCI-DSS is not a binding statute, the Federal Trade Commission (FTC), as a regulatory body, investigates data breaches. As Lab 3 highlights, "The FTC will argue that failing to comply with the PCI DSS rules is an unfair trade practice" (Jones & Bartlett Learning, 2022).
Moving to the GLBA, also known as the Financial Services Modernization Act of 1999, the act is the primary law within the U.S. designed to protect consumer financial information (Grama, 2022). The act allowed large financial organizations to merge to better serve consumers, but, of importance to this course, the act clearly requires financial institutions to protect the privacy of consumers.
You have probably received an annual notice of privacy. This is a direct result of the GLBA, which "governs the treatment of nonpublic personal information (NPI) about consumers by financial institutions" (FDIC, 2021, p. 2). GLBA prohibits financial institutions from disclosing NPI about a consumer to nonaffiliated third parties. Grama (2022) detailed that NPI consists of social security numbers, account numbers, credit card numbers, dates of birth, names, addresses, phone numbers (when combined with financial data), and the details of transactions, or even the fact that an individual is a customer of the financial institution. Now you have a greater appreciation for this little-known statute.
PHI is governed by HIPAA (Health and Human Services [HHS], 2022). Congress conceived of HIPAA to "improve the efficiency and effectiveness of the health care system, [and HIPAA] included Administrative Simplification provisions that required HHS to adopt national standards for electronic health care transactions and code sets, unique health identifiers, and security" (HHS, 2022, para. 1). Notably for cybersecurity professionals, HIPAA includes the Privacy Rule and the Security Rule. The Privacy Rule protects the privacy of PHI, while the Security Rule is focused on protecting the confidentiality, integrity, and availability of the electronic systems containing PHI.
Conclusion
In this unit, you learned about the business challenges of protecting consumer financial and health information, what makes health information sensitive, and the PCI-DSS, GLBA, and HIPAA. Sensitive payment card and healthcare data are yet another reason why ransomware attacks are both prevalent and effective. The ransomware lifecycle is comprised of 6 phases: infiltrate, activate, encrypt, demand, decide, and recover (Galliano, 2022). The activate phase begins when the attacker's ransomware (malicious code) is installed and ready for action. Note that the ransomware may be dormant for an extended period before the attack is initiated. During this period, the attacker may attempt to move laterally across multiple systems within your network to establish persistence and broaden access to sensitive data. In fact, some ransomware has been observed to specifically target backup systems to make restoration efforts more challenging and thus increase the likelihood that the victim will pay the ransom demand. This is a dangerous situation because, as a cybersecurity professional, you may be completely unaware that your network is compromised. Worse, if the adversary is sophisticated and has done the research to understand your operations, they may simply await the optimal moment to unleash the ransomware, maximizing the impact and the likelihood of collecting a big payday.
References
Federal Bureau of Investigation (FBI). (2022). Famous cases & criminals: Willie Sutton. United States Department of Justice. https://www.fbi.gov/history/famous-cases/willie-sutton
Federal Deposit Insurance Corporation (FDIC). (2021, April). Gramm-Leach-Bliley Act (privacy of consumer financial information), Section VIII. Privacy — GLBA. https://www.fdic.gov/resources/supervision-and-examinations/consumer-compliance-examination-manual/documents/8/viii-1-1.pdf
Galliano, J. (2022). The 6 stages of the ransomware lifecycle.
Grama, J. L. (2022). Legal and privacy issues in information security (3rd ed.). Jones & Bartlett. https://online.vitalsource.com/#/books/9781284231465
Health and Human Services (HHS). (2022). HIPAA for professionals. https://www.hhs.gov/hipaa/for-professionals/index.html
Jones & Bartlett Learning. (2022). Lab 3: Securing credit card holder data. Lab access for Legal and privacy issues in information security (3rd ed.). Jones & Bartlett. https://jbl-lti.hatsize.com/labguide
Nass, S., Levit, L., & Gostin, L. (2009). Institute of Medicine (US) Committee on Health Research and the Privacy of Health Information: The HIPAA Privacy Rule. National Academies Press, Chapter 2 (The value and importance of health information privacy). https://www.ncbi.nlm.nih.gov/books/NBK9579/
Surfshark. (2022, April 13). Data breach statistics by country in 2021. Surfshark B.V. https://surfshark.com/blog/data-breach-statistics-by-country-in-2021