IT’S NOT IF… BUT WHEN
CISO Assembly, Dallas, TX
bcaplin1@fairview.org
bc@bjb.org @bcaplin
http://about.me/barrycaplin
http://securityandcoffee.blogspot.com
Barry Caplin
Chief Information Security Official
Fairview Health Services
• Not-for-profit established in 1906
• Academic Health System since 1997, partnership with University of Minnesota
• >22K employees
• >3,300 aligned physicians
  • Employed, faculty, independent
• 7 hospitals/medical centers (>2,500 staffed beds)
• 40-plus primary care clinics
• 55-plus specialty clinics
• 47 senior housing locations
• 30-plus retail pharmacies
2014 volumes
o 6.39M outpatient encounters
o 1.4M clinic visits
o 71,049 inpatient admissions
o 76,595 surgeries
o 9,298 births
o 282 blood and marrow transplants
o 340 organ transplants
o >$4 billion total revenue
got breach?
got job?
2015 – Year of the Breach
2014 – Year of the Breach
2013 – Year of the Breach
2016 – Availability? Integrity?
BOARD REPORTING EXAMPLE
• Ransomware first appeared in 1989; large growth since 2013
• 2016 Hollywood Presbyterian – first publicized healthcare org to pay
• $17K ransom paid
• Systems down for over 1 week – ER, OR, imaging, lab, pharmacy
• MedStar, MD – 10 hospital network
• 3+ days of outages – 4 ERs, all inpatient shut down
• 4/7/16, all systems back up
• Most attacks are through email attachment or link based
• Systems must be taken down to stop spread
BOARD REPORTING EXAMPLE
• Estimated >$325M paid in ransoms in 2015
• Some variants charge $100-$500 per workstation
• Some are “flat fee”
• Often the cost of downtime and recovery is more than the ransom
• It’s not “if”, but “when” an attack will happen
• There is no “prevention” – Each attack is new and unique
• There are “proactive/prevent” responses, and “detect/remediate” approaches
• We do pursue both
• Can we prevent?
• It’s not If, but When
• Is Incident Management the key part of our job?
• How we respond makes a difference
• How to start:
  • Figure out where your “stuff” is
  • Figure out the risks to your “stuff”
  • Figure out how you will react if that risk manifests
  • Write it down – Playbooks
  • Practice
  • Know what’s normal – Monitor
Incident Response
CISO’s Role
• Leadership
• Communication – Internal/External
  • Staff/Exec/Board
  • Law Enforcement
  • External Counsel
  • Media
  • Regulatory
CISO’s Role
• Incident Response/Forensics
  • Outsource?
  • Pre-pay?
  • Retainer?
• Cyber Insurance – What is covered? How does it pay?
• Tabletop – Exec Breach exercise
Discussion Questions
• Can you “defend” your architecture/tech choices?
• Can you detect problems, attacks and IoCs against your enterprise?
• Do you have response plans? Have you exercised them?
• Do you have communication plans? Have you exercised them?
• Does your C-suite have your back? Why?
Recommended