
Critical Issues in Fraud Analytics

ISACA - 2015

Presenter: Charles Faircloth, JD, CIG, Faircloth Fraud Consulting

Introduction

1) Factors that drive fraud
2) Current fraud risks
   • Data breach fraud
   • Mobile & connected device fraud
3) Fraud analytics limits

Parameters of presentation:

Specifically covers:
• Short-horizon factors

Important for:
• CIOs
• CISOs
• System administrators
• IT managers


Focus of this review:
• Fraud & fraud analytics in healthcare
  • Healthcare is the primary target of fraud
• Critical areas of security risk & liability:
  • Fraud by data breach
  • Mobile & connected device fraud
• Has wide application - all types of businesses & agencies
• Provides references/review frameworks:
  • Normal IT operations
  • Fraud incidents

Note: This review is not legal advice or counsel - consult with your attorney.

Part 1: Factors that Drive Fraud

Introduction: Fraud in General

Fraud is one of the earliest reported urban crimes:
• Code of Hammurabi - c. 1754 BC

Fraud is a hidden crime:
• Uses deception to steal funds/data
• Data breach fraud (worldwide): $3.5 trillion plus in lost revenue
• Healthcare fraud (US): 10% of total costs - $30 billion plus

3 factors drive fraud:
• Opportunity
• Pressure
• Rationalization


Factor 1 - Opportunity

Opportunities for fraud fall into 2 categories:
• Security weaknesses
• Position advantage

Security weaknesses:
• More mobile devices/apps - more problems.
• Healthcare behind in:
  • Anti-fraud & HIPAA security standards
  • IEEE published its first security standards for medical device software only in 2015
• Security weaknesses endemic to IT
  • Keeps CISOs employed & CEOs up at night!

Internal & external security weakness:
• External fraud security weaknesses - more publicity
• Internal weakness - far more costly
  • Due to position advantage

Position advantage:

Increased opportunity for fraud from the position of the perpetrator.

Internal example:
• CIO sells proprietary information to a competitor.

External example:
• Criminal hacker buys a list of credit card numbers
• Commits multiple frauds at a point of sale.


Largest fraud losses:

Healthcare: due to a combination of:
• Systemic security weakness (e.g., mutable audit trail)
+
• IT administrator with position advantage

Exchange trading: combination of:
• Security weaknesses
+
• Employee with position advantage between trading & back-office trade execution
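The "mutable audit trail" above is the systemic weakness worth a closer look: an administrator who can edit the log can also erase the evidence of what they did. The following is an added example, not code from the slides or from the presenter, showing the standard countermeasure: a hash-chained audit trail, where each record commits to the hash of the record before it, so that editing, deleting or truncating any earlier record is detectable by a verifier that holds the expected final hash (kept somewhere the log writers cannot reach). The record fields, the GENESIS constant and the sample events are constructed for the example.

```python
"""Tamper-evident audit trail (hash chain) vs. a mutable one.

Added example, not from the original slides. Each record stores the SHA-256
of the previous record, so an insider who edits or deletes a record breaks
the link in the next one; an insider who rewrites the whole chain produces
a head hash that no longer matches the one kept out of their reach.
"""
import copy
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import List, Optional

GENESIS = "0" * 64  # value the first record links to (assumption)


@dataclass
class Record:
    seq: int
    actor: str
    action: str
    prev_hash: str
    digest: str = ""

    def body(self) -> bytes:
        # Canonical JSON (sorted keys, no whitespace): the hash must not
        # depend on field order or formatting.
        fields = {"seq": self.seq, "actor": self.actor,
                  "action": self.action, "prev_hash": self.prev_hash}
        return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def digest_of(rec: Record) -> str:
    return hashlib.sha256(rec.body()).hexdigest()


class AuditTrail:
    """Append-only log; every record commits to the one before it."""

    def __init__(self) -> None:
        self.records: List[Record] = []

    def append(self, actor: str, action: str) -> Record:
        prev = self.records[-1].digest if self.records else GENESIS
        rec = Record(len(self.records), actor, action, prev)
        rec.digest = digest_of(rec)
        self.records.append(rec)
        return rec

    def head(self) -> str:
        """Hash of the newest record. Store it where log writers cannot
        reach it (separate system or external anchor); verify() needs it."""
        return self.records[-1].digest if self.records else GENESIS


def verify(records: List[Record], expected_head: str) -> Optional[int]:
    """None if the chain is intact and ends at expected_head; otherwise the
    seq of the first record whose link or hash fails (len(records) when all
    records are self-consistent but the tail differs from expected_head)."""
    prev = GENESIS
    for rec in records:
        if rec.prev_hash != prev or not hmac.compare_digest(digest_of(rec), rec.digest):
            return rec.seq
        prev = rec.digest
    if not hmac.compare_digest(prev, expected_head):
        return len(records)
    return None


# --- What an insider with write access to the log storage might try ------

def edit_action(records: List[Record], seq: int, new_action: str) -> List[Record]:
    """Rewrite one record and recompute only its own hash (naive edit)."""
    out = copy.deepcopy(records)
    out[seq].action = new_action
    out[seq].digest = digest_of(out[seq])
    return out


def rechain(records: List[Record], start: int) -> List[Record]:
    """Recompute links and hashes from `start` onward (careful edit): the
    chain is internally consistent again, but its head no longer matches."""
    out = copy.deepcopy(records)
    prev = out[start - 1].digest if start > 0 else GENESIS
    for rec in out[start:]:
        rec.prev_hash = prev
        rec.digest = digest_of(rec)
        prev = rec.digest
    return out


def sample_trail() -> AuditTrail:
    """Constructed events for the example."""
    t = AuditTrail()
    t.append("dba_admin", "granted SELECT on claims to svc_report")
    t.append("dba_admin", "exported 12,000 patient records to USB")
    t.append("dba_admin", "revoked SELECT on claims from svc_report")
    return t


if __name__ == "__main__":
    trail, head = sample_trail(), sample_trail().head()
    print("intact:", verify(trail.records, head))                                       # None
    print("edited:", verify(edit_action(trail.records, 1, "ran nightly backup"), head))  # 2
    print("rechained:", verify(rechain(edit_action(trail.records, 1, "ran nightly backup"), 1), head))  # 3
    print("deleted:", verify([r for r in trail.records if r.seq != 1], head))          # 2
```

The point of the design is the separation of duties it forces: the administrator may own the log storage, but verification only needs the most recent head hash, which can be copied to another system or published externally at each audit interval. A plain database table with UPDATE and DELETE rights for the same administrator gives none of this.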

Fraud Factor 2 - Pressure

Usually financial pressure, brought on by:
• Gambling, drug use, negative life events (e.g., divorce, bankruptcy)

Pressure is a human resource issue. Managers must be aware of employees':
• Life events
• Performance changes

Decreasing internal fraud pressure

Steps to counter pressures:
• Conduct background checks at acceptable levels
  • Before granting administrator/higher-system privileges

Require:
• Administrators submit credit reports
  • At standard intervals & on change of position

Employees report:
• Civil suits
• Criminal arrests & incidents
• Service of process
• Debt collection at the workplace

Fraud Factor 3 - Rationalization

“The human capacity for denial and rationalization

is always shocking, but never surprising.”

David Levy, PhD,

Humor in Psychotherapy Lectures


Part 2: Current Fraud Risks

Data Breach Fraud

Data breach fraud - General

Methods of data breach are changing:
• In healthcare (and most IT industries)
• In 2014, the leading method of data breach in healthcare was criminal system attack
• It surpassed employee negligence (lost laptops) for the 1st time

Reference: Fifth Annual Benchmark Study on the Privacy & Security of Healthcare Data, Ponemon Institute (2015)

FBI Stats - Data breach fraud

According to the FBI:
• Criminals target healthcare databases because they contain in one place:
  • PII - Personal identification information
  • PCI - Personal credit information
  • PHI - Protected health information

Ask yourself - 2 critical questions

Critical question 1:
• Do you have PII, PCI or PHI on your system?

If the answer is yes, know that:
• PII / PCI / PHI are the primary targets of data fraud
• Across all enterprises


How secure is your data?
• Criminals constantly work to keep pace with data technology

Critical question 2

Data Breach - Fraud pays
• How much is your data worth to criminals?
• How is it monetized?
• FBI statistics - fraud monetization (2015):
  • Credit cards: $0.50 - $1.00 (each)
  • Healthcare data records: $60 - $70 (each)
  • Criminals obtain: name, DOB, SSN, policy number, etc.

Do the math:

How many healthcare records do you have?

1,000 - 10,000 - 100,000 records
$60,000 - $600,000 - $6 million (at $60 per record)

Total the number of records in your system
• Calculate the huge financial temptation to criminals - Ka-ching!

Billions of dollars - very tempting

Stolen data is quickly sold on the Internet:
• To criminal organizations
• Using anonymity networks such as Tor

In a few minutes:
• Your data is sold & resold
• All over the planet


Your stolen data - Used & Reused

Criminals use your stolen data to commit more frauds:
• Identity theft
• Tax fraud
• Medical device fraud
• Prescription fraud
• Other crimes

Part 2: Current Fraud Risks

Mobile/Connected Device Fraud

In healthcare & other large organizations that collect data:
• Mobile & connected devices create new data security & liability risks.
• Connected devices are rapidly coming into greater use
• Mobile devices (e.g., cell phones) are universally used

Healthcare - Connected Devices

Connected devices in healthcare (example):
• Bluetooth-enabled insulin pump connected with a wireless internal glucose monitor
• Pump delivers insulin to a diabetic patient using data from the monitor without human direction (except monitoring)


M/CD - Risks

Risks for mobile and connected devices are similar. Connected devices have an additional risk:
• They perform actions automatically, without direct human intervention.

M/CD - Proactive security

To ensure a STRONG anti-fraud program:

1) Address fraud issues via contract provisions with all IT vendors
2) Develop & enforce a written mobile/connected device policy
3) Install mobile/connected device management software
4) Create, update, audit incident plans for all M/CD
5) Integrate personnel management, training, compliance audits

M/CD - 6 critical questions

Make sure you can answer YES to all these questions. Do your M/CD devices:

1) Store & transmit data securely?
2) Accept software security updates to address new risks?
3) Avoid creating unauthorized access points to data?
4) Detect & avoid a new way or path to data theft?
5) Connect to the institution's IT infrastructure so data are secure?
6) Have secure APIs - software and device connections?

M/CD - 4 Anti-fraud actions

Once you can answer YES to all 6 security questions, implement these 4 recommended anti-fraud actions to mitigate fraud opportunities & weaknesses in M/CD.

Require all IT vendor contracts include:

1) Data encryption
2) Authorized device-only networks
3) Physical security training and measures
4) Credential & password protection


M/CD - Data encryption

Healthcare providers (and other organizations):
• Should require IT vendor agreements to ensure data traffic of devices and applications is encrypted when communicating with:
  1) The provider's private network,
  2) Any outsourced providers and
  3) Any cloud systems.

M/CD - Provider audits

Vendor contracts must allow the provider to audit to:

1) Verify data is transmitted at the appropriate level of encryption
2) Ensure encryption works on your network
3) Test & retest your data encryption

Authorized device-only networks

Require that IT contracts allow:
• A single mobile or connected device to collect only the data required for its intended operation
• Access to data generated by single devices only by authorized and authenticated individuals who need to handle the information

Physical security - training & measures

Device physical security is CRITICAL. 5 effective steps - ensure that:

1) Devices prevent data storage media being accessed/removed
2) Devices are difficult to take apart & display signs of tampering.
3) Data cannot be removed from the device (otherwise security for transmitted data is useless)
4) Personnel are trained in physical security procedures
5) Employee physical security awareness is tested & audited.


Credential & password protection

2 steps to increase credential & password security (after setup - before critical data is used & transmitted):

1) Require vendors to change default passwords/usernames to meet organizational standards
2) All passwords/usernames random & unassociated (much more secure against hackers)
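The two steps above are easy to state and hard to audit across a fleet. The following is an added example, not code from the slides or from the presenter, of a credential audit over a device inventory that checks exactly those two things: credentials still at vendor defaults, and credentials that are not random or are "associated" (reused across devices, or built from the username, vendor or device name); it also produces a replacement credential that passes. The inventory, the default-credential list, the common-username list and the length/entropy thresholds are constructed assumptions for the example, not values from the deck.

```python
"""Credential audit for a mobile/connected device inventory.

Added example, not from the original slides. Flags vendor-default
credentials, well-known usernames, passwords shared across devices,
passwords derived from the username/vendor/device id, and passwords
below a length/entropy policy; new_credential() shows what "random &
unassociated" looks like in practice.
"""
import math
import secrets
from collections import defaultdict
from typing import Dict, List

# Constructed for the example; in practice take the list from the vendor
# documentation for every model deployed.
KNOWN_DEFAULTS = {("admin", "admin"), ("admin", "password"), ("root", "root"), ("admin", "1234")}
COMMON_USERNAMES = {"admin", "root", "user", "guest", "operator"}
MIN_PASSWORD_LEN = 14      # policy thresholds (assumptions)
MIN_ENTROPY_BITS = 60.0


def estimate_entropy_bits(pw: str) -> float:
    """Upper-bound estimate: length * log2(size of the character classes used)."""
    pool = 0
    if any(c.islower() for c in pw):
        pool += 26
    if any(c.isupper() for c in pw):
        pool += 26
    if any(c.isdigit() for c in pw):
        pool += 10
    if any(not c.isalnum() for c in pw):
        pool += 33
    return len(pw) * math.log2(pool) if pool else 0.0


def associated(secret: str, *names: str) -> bool:
    """True when the secret contains any 4+ character token taken from the
    given names (username, vendor, device id), case-insensitively."""
    s = secret.lower()
    for name in names:
        for tok in name.lower().replace("_", "-").split("-"):
            if len(tok) >= 4 and tok in s:
                return True
    return False


def audit(devices: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Map device id -> findings; devices with no findings are omitted."""
    owners = defaultdict(list)          # password -> devices using it
    for d in devices:
        owners[d["password"]].append(d["id"])
    findings: Dict[str, List[str]] = {}
    for d in devices:
        f = []
        if (d["username"], d["password"]) in KNOWN_DEFAULTS:
            f.append("default credentials")
        if d["username"].lower() in COMMON_USERNAMES:
            f.append("well-known username")
        others = [x for x in owners[d["password"]] if x != d["id"]]
        if others:
            f.append("password shared with " + ", ".join(sorted(others)))
        if associated(d["password"], d["username"], d["vendor"], d["id"]):
            f.append("password associated with username/vendor/device id")
        if len(d["password"]) < MIN_PASSWORD_LEN or estimate_entropy_bits(d["password"]) < MIN_ENTROPY_BITS:
            f.append("password below length/entropy policy")
        if f:
            findings[d["id"]] = f
    return findings


def new_credential() -> Dict[str, str]:
    """Random, unassociated replacement: username and password both come from
    the OS CSPRNG, so neither can be derived from the device or the vendor."""
    return {"username": "u" + secrets.token_hex(6), "password": secrets.token_urlsafe(18)}


# Constructed inventory for the example.
INVENTORY = [
    {"id": "pump-07", "vendor": "ExampleCorp", "username": "admin", "password": "admin"},
    {"id": "monitor-12", "vendor": "ExampleCorp", "username": "svc_monitor12", "password": "ExampleCorp-Monitor12!"},
    {"id": "gateway-03", "vendor": "ExampleCorp", "username": "ops_gw03", "password": "Zq7!vR2#pL9@mN4w"},
    {"id": "gateway-04", "vendor": "ExampleCorp", "username": "ops_gw04", "password": "Zq7!vR2#pL9@mN4w"},
    {"id": "kiosk-01", "vendor": "ExampleCorp", "username": "k1_operator", "password": "Xy9$Lq2&Vb8*"},
]

if __name__ == "__main__":
    for dev, probs in audit(INVENTORY).items():
        print(dev, "->", "; ".join(probs))
    print("replacement:", new_credential())
```

Note what the shared-password check catches that a per-device review misses: gateway-03 and gateway-04 each have a strong password, but it is the same one, so a compromise of either device is a compromise of both. That is the "associated" failure in the second step, and it is only visible when the whole inventory is audited at once.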

3 direct anti-fraud actions

1) Develop & train using a written M/CD policy
2) Install mobile/connected device management software
3) Create, update & audit incident plans for M/CD

M/CD - Written policy

Your M/CD policy should, at minimum, include provisions for:
• Purpose
• Applicability
• Appropriate use

Management software (MDM)

For organizations with multiple employees:
• MDM is a key component in device security

MDM will ensure:
• Control of M/CD access to your infrastructure
• Secure management of data usage
• Secure management of internal/external movement
• Control of M/CD application management features


Incident plans

An important part of a comprehensive risk management strategy.
• Your incident plan should designate:
  • Unit roles & authority, with contact info attached
• Flowcharting recommended (in addition to the written plan)
• You can't respond quickly if you haven't assessed weaknesses
• Document all incidents - no matter how minor
• Audit devices singly

Final system considerations

M/CD networks must NOT be configured to allow:
• Credentials & passwords to be exposed in network traffic
• Audit at standard intervals

Vendor contracts should require:
• Connected devices regularly updated with improved security
• Testing/verification of updates before being put into use (usually standard contract language - be sure to check)
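Two of the audit rights the text asks for in vendor contracts, verifying that device traffic is encrypted at the appropriate level ("M/CD - Provider audits") and that no credentials or passwords are exposed in network traffic ("Final system considerations"), can be exercised with the same check run over what a network monitor or flow collector exports. The following is an added example, not code from the slides or from the presenter, that does that over connection records: it flags cleartext application protocols, TLS versions below a required minimum, and credentials visible in unencrypted payloads (HTTP Basic authorization headers and username/password form fields). The record format, field names, cleartext-port table, TLS policy and the sample connections are constructed assumptions for the example.

```python
"""Audit device connections for unencrypted transport and exposed credentials.

Added example, not from the original slides. Input records are of the kind
a flow collector or network monitor exports (constructed here): device,
destination port, protocol, negotiated TLS version (None if none), and the
cleartext payload when one was visible on the wire.
"""
import base64
import binascii
import re
from typing import Dict, List, Optional, Tuple

REQUIRED_TLS: Tuple[int, int] = (1, 2)  # minimum acceptable TLS version (assumption)
CLEARTEXT_PORTS = {21: "ftp", 23: "telnet", 80: "http", 161: "snmp", 1883: "mqtt"}
BASIC_RE = re.compile(r"Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
# username/password style fields in a URL query string or form body
FORM_CRED_RE = re.compile(r"(?<!\w)(?:user(?:name)?|login|pass(?:word|wd)?|pwd)=\S+", re.IGNORECASE)


def parse_tls_version(s: Optional[str]) -> Optional[Tuple[int, int]]:
    """'TLSv1.2' -> (1, 2); None when no TLS was negotiated."""
    m = re.fullmatch(r"TLSv(\d)\.(\d)", s or "")
    return (int(m.group(1)), int(m.group(2))) if m else None


def basic_auth_user(token: str) -> Optional[str]:
    """Username from an HTTP Basic token; the password is deliberately not returned."""
    try:
        raw = base64.b64decode(token, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return None
    return raw.split(":", 1)[0] if ":" in raw else None


def audit_connection(c: Dict) -> List[str]:
    findings: List[str] = []
    tls = parse_tls_version(c.get("tls"))
    if tls is None:
        proto = (c.get("proto") or CLEARTEXT_PORTS.get(c.get("dport"), "unknown")).lower()
        findings.append(f"no TLS: {proto} to port {c.get('dport')}")
    elif tls < REQUIRED_TLS:
        findings.append(f"TLS {tls[0]}.{tls[1]} below required TLS {REQUIRED_TLS[0]}.{REQUIRED_TLS[1]}")
    # Payload content is only readable on the wire when there is no TLS;
    # Basic auth inside a TLS session is not exposed to the network.
    payload = c.get("payload", "")
    if tls is None and payload:
        m = BASIC_RE.search(payload)
        if m:
            findings.append(f"HTTP Basic credentials exposed (user {basic_auth_user(m.group(1))!r})")
        if FORM_CRED_RE.search(payload):
            findings.append("username/password form fields exposed")
    return findings


def audit(connections: List[Dict]) -> Dict[str, List[str]]:
    """device -> findings; devices with nothing to report are omitted."""
    out: Dict[str, List[str]] = {}
    for c in connections:
        f = audit_connection(c)
        if f:
            out.setdefault(c["device"], []).extend(f)
    return out


# Constructed connection records for the example.
SAMPLE_CONNECTIONS = [
    {"device": "pump-07", "dport": 443, "proto": "https", "tls": "TLSv1.2"},
    {"device": "monitor-12", "dport": 443, "proto": "https", "tls": "TLSv1.0"},
    {"device": "gateway-03", "dport": 80, "proto": "http", "tls": None,
     "payload": "GET /api/readings HTTP/1.1\r\nHost: collector.example\r\n"
                "Authorization: Basic YWRtaW46YWRtaW4=\r\n\r\n"},
    {"device": "kiosk-01", "dport": 8080, "proto": "http", "tls": None,
     "payload": "POST /login HTTP/1.1\r\nHost: portal.example\r\n\r\nuser=kiosk01&password=Xy9%24Lq2"},
    {"device": "sensor-22", "dport": 1883, "tls": None},
]

if __name__ == "__main__":
    for dev, probs in audit(SAMPLE_CONNECTIONS).items():
        print(dev, "->", "; ".join(probs))
```

Run at the "standard intervals" the text calls for, a check like this turns the contract clause into evidence: the finding for gateway-03 shows a device authenticating over HTTP with a Basic header that decodes to a username on the wire, which is both an encryption failure and a credential exposure, and the one for monitor-12 shows traffic that is encrypted but below the level the contract requires.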

Part 3: Fraud Analytics Limits

Specific vs. bulk data collection

In 2014, President Obama tasked the Director of National Intelligence to:
• Determine the feasibility of software targeting specific data transmissions (instead of using bulk collection of data transmissions)

ODNI referred the question to the National Research Council of the National Academies.
• The Research Council's answer, in short, was NO:
  (Targeted collection could not replace bulk collection.)


Fraud Analytics Limits - Targeted data
• Many problems with targeted data:
  • Too limited a targeted view
  • Wrong target source
  • Loss of possibly valuable data over time
  • Lack of context
  • Lack of analytic resources

Research Council recommends:
• Continuing use of bulk collection
• Apply automated use controls to prevent privacy breaches

Fraud Analytics Limits - Targeted sourcing
• If targeted sourcing of very large/mutable telecom databases is insufficient, then targeted fraud analytics of large datasets share the same problems.
• Credit, healthcare, insurance, government & others using fraud analytics on large datasets should be aware of the limits of analytic tools.

Fraud analytics are like a searchlight: they brightly illuminate the focal point. Just beyond the beam, it is dark.

References

Slide 6: "Fraud Statistics." Coalition Against Insurance Fraud (CAIF). Web. 01 June 2015. <http://www.insurancefraud.org/statistics.htm#.VWyNbKxFDIV>.

Slide 9: Landwehr, Carl, and Tom Haigh. "Building Code for Medical Device Software Security." IEEE Cybersecurity Initiative. Institute of Electrical and Electronics Engineers, Mar. 2015. Web. 04 June 2015. <http://cybersecurity.ieee.org/>.

Slide 16: "Criminal Attacks Are Now Leading Cause of Data Breach in Healthcare, According to Ponemon Study." Ponemon Institute/ID Experts, Inc., 06 May 2015. Web. 01 June 2015. <https://www2.idexpertscorp.com/press/single/criminal-attacks-are-now-leading-cause-of-data-breach-in-healthcare-ponemon>.

Slide 17: "FBI Health Care Fraud Release Collection." FBI, 17 June 2014. Web. 01 June 2015. <http://www.fbi.gov/collections/health-care-fraud>.

Slide 28: Tannenbaum, William A. "Healthcare's 'Internet of Things' Should Be the 'Security of Things'." Healthcare IT News, 19 May 2015. Web. 01 June 2015. <http://www.healthcareitnews.com/blog/healthcares-internet-things-should-be-security-things>.

Slide 35: Rosciam, Michael, CPA. "Moving Violations: 3 Steps for Taming Mobile Threats." Thomas, Howell, Ferguson, PA. Web. 01 June 2015. <http://www.thf-cpa.com/blog/detail/moving-violations-3-steps-for-taming-mobile-threats#.VWyVyqxFDIV>.

Slide 40: "New Report Says No Technological Replacement Exists for Bulk Data Collection." National-Academies.org / Office of the Director of National Intelligence, 15 Jan. 2015. Web. 01 June 2015. <http://www8.nationalacademies.org/onpinews/newsitem.aspx?RecordID=19414>.


Focusing on Fraud for over 25 Years

Charles Faircloth, JD, CIG
Principal & Founder
850.294.8577
[email protected]
ffc-fraudconsult.com

PowerPoint by: Maximize Your Image, Elizabeth Woodsmall - [email protected]
