12/4/2015
CynergisTek, Inc. 11410 Jollyville Road, Suite 2201, Austin TX 78759 512.402.8550 [email protected] cynergistek.com @CynergisTek
Changing Landscape of Information Security
Presented by: David Holtzman
Vice President for Compliance
Synergistic
The name “CynergisTek” came from the synergy realized by combining the expertise of the two co-founders – building scalable, mature information security programs and architecting enterprise technical solutions.
Founded in 2003
CynergisTek has been providing services to our clients since mid-2003, but many of our clients have been with one or both of the founders since well before the company was founded.
Securing the Mission of Care
CynergisTek Services are specifically geared to address the needs of the healthcare community including providers, payers, and their business associates who provide services into those entities.
Consulting Services
CynergisTek provides consulting services and solutions around information security, privacy, IT architecture, and audit with specific focus on regulatory compliance in healthcare.
Today’s Presenter
David Holtzman, CynergisTek, Inc.
• Vice President of Compliance Services, CynergisTek, Inc.
• Subject matter expert in health information privacy policy and compliance issues involving the HIPAA Privacy, Security and Breach Notification Rules
• Veteran hand in developing, implementing and evaluating health information privacy and security compliance programs
• Former senior advisor for health information technology and the HIPAA Security Rule, Office for Civil Rights
Agenda
Level Setting Security in 2015
Insider Abuse
Medical Devices
Mobile Devices
Managing Vendors
Priorities for Healthcare
Level Set Security 2015
Increased Reliance
More than 98% of all processes are automated, more than 98% of all devices are networkable, more than 95% of all patient information is digitized, and accountable care/patient engagement rely on it. The enterprise is critical to delivering healthcare. Any outage, corruption of data, or loss of information risks patient safety and care.
Drivers shown on the slide: BYOD, Physician Alignment, ACOs, Patient Engagement, ICD-10, Tele-medicine, MU, FISMA, BAs, HIEs, HIPAA/HITECH, Research
Top Security Risks in Healthcare
• Theft & Loss: 20% of all breaches involve some form of theft or loss of a device not properly protected.
• Insider Abuse: 26% of breaches in healthcare are carried out by knowledgeable insiders for identity theft or some form of fraud.
• Unintentional Action: 33% of breaches are caused by mistakes or unintentional actions such as improper mailings, errant emails, or facsimiles.
• Cyber Attacks: Breaches due to cyber attacks nearly doubled in 2015, the second year in a row of a 100% increase.
Source: Verizon 2015 Data Breach Investigations Report
Changing Risk Priorities
Top four emergent risk priorities:
• Hackers attempting to access records
• Business associates taking inadequate precautions
• Growing use of mobile devices
• Using texting or sending PHI from personal devices
Chart values shown: 21%, 19%, 14%, 11% (categories: Hackers, Increase in Mobile Devices, Sharing PHI BYOD, Business Associates)
Failed Solutions
• 90% of survey respondents said that their companies had spent money on technology scrapped before, or soon after, deployment.
• Reasons: complexity, lack of expertise, inadequate resources, other factors
Most companies buy technology based on cost, not security.
Hacking is an Industry
“Some hackers call the weeks of Black Hat USA and Def Con Summer Camp”
• This year billed as “more of everything” as hacking explodes to more devices
• Pwnie Awards went to Shellshock, OPM & Thomas Dullien
• Miller & Valasek continue to hack cars
• Hacking long range precision guided rifles, oops don’t tell DoD
• 11,000 attended this year, 73% said their organization would be hacked
• Workshops and “capture the flag” contests
• The Hack Fortress contest
• Rubbing elbows with the Pros
The Face of Cybercriminals
• 12 year old learning computers in middle school
• 14 year old home schooled girl tired of social events
• 15 year old in New Zealand just joined a defacement group
• 16 year old in Tokyo learning programming in high school
• 19 year old in college putting course work to work
• 20 year old fast food employee that is bored
• 22 year old in Mali working in a carding ring
• 24 year old black hat trying to hack whoever he can
• 25 year old soldier in East European country
• 26 year old contractor deployed overseas
• 28 year old in Oregon who believes in hacktivism
• 30 year old white hat who has a black hat background
• 32 year old researcher who finds vulnerabilities in systems
• 35 year old employee who sees a target of opportunity
• 37 year old rogue intelligence officer
• 39 year old disgruntled admin passed over
• 41 year old private investigator
• 44 year old malware author paid per compromised host
• 49 year old pharmacist in midlife crisis
• 55 year old nurse with a drug problem
Cybersecurity Threat Challenges
• NEW threats from State Actors, Hacktivists and terrorist linked groups
• Three most common attacks: spear phishing, Trojans & Malvertising
• Individual employees remain easy victims of social engineering
• Most organizations can’t detect or address these threats effectively
• Top three areas of vulnerability – endpoints, third parties & mobile devices
• Need to focus on exploitation and exfiltration
• Results in losses of time, dollars, downtime, reputation, breaches, litigation, etc.
• Defenses have not kept pace….
Chart, Targeted Attacks (scale 0 to 100): Organizations suffering a targeted attack; Sophistication of attack hardest element to defeat; No increase in budget for defenses
Insider Abuse
Insider Abuse: Trust, But Verify
• It is estimated that more than half of all security incidents involve internal staff.
• More than 70% of identity theft and fraud were committed by knowledgeable insiders – physicians, nurses, pharmacy techs, admissions, billing, etc.
• 2010-2015 witnessed an average 20% increase in medical identity theft year over year.
• 51% of respondents in a SANS study believe the negligent insider is the chief threat.
• 37% believe that security awareness training is ineffective.
• Traditional audit methods and manual auditing are completely inadequate.
• Behavior modeling, pattern analysis and anomaly detection are what is needed.
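The closing bullets call for pattern analysis and anomaly detection in place of manual audit. The following is an added example, not material from the deck or from CynergisTek, of one such check over EHR access audit records: each user's daily count of distinct patient charts is compared against everyone else in the same role, with the day under test left out of its own baseline. The record layout (day, user, role, patient id), the user names and the activity volumes are all constructed for illustration.

```python
"""Peer-group anomaly detection over EHR access audit records.

Added example, not material from the deck. Everything here is constructed:
the audit-record layout (day, user, role, patient_id), the user names and the
activity volumes are illustrative, not data from any real organization.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed activity: distinct patient charts opened per user per day.
# rn_okafor's last day is the planted outlier (a nurse opening 43 charts).
CONSTRUCTED_ROLES = {
    "rn_alvarez": "nurse", "rn_chen": "nurse", "rn_okafor": "nurse",
    "billing_park": "billing", "billing_ruiz": "billing",
}
CONSTRUCTED_ACTIVITY = {
    "rn_alvarez":   {"2015-11-02": 9,  "2015-11-03": 11, "2015-11-04": 8,  "2015-11-05": 10},
    "rn_chen":      {"2015-11-02": 10, "2015-11-03": 9,  "2015-11-04": 12, "2015-11-05": 8},
    "rn_okafor":    {"2015-11-02": 9,  "2015-11-03": 10, "2015-11-04": 11, "2015-11-05": 43},
    "billing_park": {"2015-11-02": 30, "2015-11-03": 28, "2015-11-04": 33, "2015-11-05": 31},
    "billing_ruiz": {"2015-11-02": 29, "2015-11-03": 32, "2015-11-04": 30, "2015-11-05": 27},
}


def build_records(activity, roles):
    """Expand the compact activity spec into audit records, one per chart access."""
    records = []
    for user, per_day in activity.items():
        for day, n in per_day.items():
            for i in range(n):
                # Constructed patient identifier, distinct within the user-day.
                records.append((day, user, roles[user], f"P-{day}-{user}-{i:03d}"))
    return records


def daily_patient_counts(records):
    """Return ({user: {day: distinct_patients}}, {user: role})."""
    seen = defaultdict(set)
    roles = {}
    for day, user, role, patient in records:
        seen[(user, day)].add(patient)
        roles[user] = role
    counts = defaultdict(dict)
    for (user, day), patients in seen.items():
        counts[user][day] = len(patients)
    return counts, roles


def flag_anomalies(records, z_threshold=3.0, min_excess=5):
    """Flag user-days whose distinct-patient count is far above the role peer group.

    The baseline for each user-day is every other user-day in the same role
    (leave-one-out), so the day under test does not inflate its own baseline.
    Both a statistical excess (z-score) and an absolute excess are required,
    which keeps tiny groups with near-zero variance from alerting on noise.
    """
    counts, roles = daily_patient_counts(records)
    by_role = defaultdict(list)          # role -> [(user, day, count)]
    for user, per_day in counts.items():
        for day, n in per_day.items():
            by_role[roles[user]].append((user, day, n))

    alerts = []
    for role, observations in by_role.items():
        for user, day, n in observations:
            peers = [m for (u, d, m) in observations if (u, d) != (user, day)]
            if len(peers) < 2:
                continue                  # not enough peer data for a baseline
            mu, sigma = mean(peers), pstdev(peers)
            excess = n - mu
            if sigma > 0:
                z = excess / sigma
            else:
                z = float("inf") if excess > 0 else 0.0
            if z >= z_threshold and excess >= min_excess:
                alerts.append({"user": user, "role": role, "day": day,
                               "patients": n, "peer_mean": round(mu, 1),
                               "z": round(z, 1)})
    return sorted(alerts, key=lambda a: (a["day"], a["user"]))


if __name__ == "__main__":
    for alert in flag_anomalies(build_records(CONSTRUCTED_ACTIVITY, CONSTRUCTED_ROLES)):
        print(alert)
```

Grouping by role rather than by individual is what lets the check catch a user whose own history is short or already skewed; the absolute-excess floor is there because a role with two users and very steady volumes would otherwise raise an alert on a difference of one or two charts. On the constructed data only rn_okafor's 43-chart day is flagged; the billing staff, whose volumes are legitimately high, stay inside their own peer band.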
Termination Processes & Controls
• Lessons from Triple S
– Former employees used privileged access to a database of Medicare enrollees to steal PHI
– No process in place to manage when employees separated or access was no longer required
• Administrative processes for employee terminations
• Technical controls to align HR actions with system permissions & audit
• Suspend accounts that have no log-on activity
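Aligning HR actions with system permissions and suspending accounts without log-on activity, as the slide recommends, comes down to reconciling three data sets: the HR roster, the account export, and last-logon timestamps. The following is an added example, not the deck's or CynergisTek's own material; the HR roster, account export, employee identifiers, field names and the 90-day dormancy window are constructed assumptions for illustration.

```python
"""Reconcile an account export against HR status and last-logon data.

Added example, not from the deck. The HR roster, the account export, the
employee identifiers and the 90-day dormancy window are all constructed for
illustration; the field names are assumptions, not any product's schema.
"""
from datetime import date, timedelta

REPORT_DATE = date(2015, 12, 4)  # constructed "today" for the review run

# Constructed HR roster: employee_id -> (employment status, separation date or None).
HR_ROSTER = {
    "E100": ("active", None),
    "E101": ("terminated", date(2015, 10, 15)),
    "E102": ("active", None),
    "E103": ("active", None),
}

# Constructed account export: (username, employee_id, enabled, last_logon or None).
ACCOUNTS = [
    ("jdoe",       "E100", True,  date(2015, 12, 1)),   # active, recently used: no finding
    ("mrivera",    "E101", True,  date(2015, 11, 20)),  # separated 10/15, still enabled, used after
    ("svc_backup", None,   True,  date(2015, 12, 3)),   # no HR identity behind the account
    ("kpatel",     "E102", True,  date(2015, 7, 30)),   # active employee, but no logon for months
    ("anguyen",    "E103", True,  None),                # provisioned, never logged on
    ("tbrown",     "E999", True,  date(2015, 11, 30)),  # employee id unknown to HR
    ("oldtemp",    "E101", False, date(2015, 1, 5)),    # already disabled: skipped
]


def reconcile(accounts, roster, today, dormant_days=90):
    """Return a list of findings; each carries the account, the rule hit and the action."""
    dormant_cutoff = today - timedelta(days=dormant_days)
    findings = []
    for username, emp_id, enabled, last_logon in accounts:
        if not enabled:
            continue  # already suspended; nothing to align
        if emp_id is None:
            findings.append({"account": username, "finding": "no_hr_record",
                             "action": "review", "detail": "no named owner in HR"})
        elif emp_id not in roster:
            findings.append({"account": username, "finding": "unknown_employee",
                             "action": "review",
                             "detail": f"employee id {emp_id} not in HR roster"})
        else:
            status, separated = roster[emp_id]
            if status == "terminated":
                detail = f"separated {separated.isoformat()}"
                if last_logon is not None and last_logon > separated:
                    detail += f"; logon on {last_logon.isoformat()} after separation"
                findings.append({"account": username, "finding": "terminated_still_enabled",
                                 "action": "disable", "detail": detail})
        # Dormancy is checked independently of HR status: a never-used or
        # long-idle account is suspended even when HR shows the person as active.
        if last_logon is None or last_logon < dormant_cutoff:
            idle = ("never logged on" if last_logon is None
                    else f"last logon {last_logon.isoformat()}")
            findings.append({"account": username, "finding": "dormant",
                             "action": "disable", "detail": idle})
    return findings


def accounts_to_disable(findings):
    """Distinct accounts whose findings call for suspension, in sorted order."""
    return sorted({f["account"] for f in findings if f["action"] == "disable"})


if __name__ == "__main__":
    report = reconcile(ACCOUNTS, HR_ROSTER, REPORT_DATE)
    for f in report:
        print(f"{f['account']:<11} {f['finding']:<26} {f['action']:<8} {f['detail']}")
    print("suspend:", ", ".join(accounts_to_disable(report)))
```

The separation of "disable" from "review" actions is deliberate: a terminated employee's enabled account and a long-dormant account can be suspended automatically, while a service account with no HR owner or an employee id HR does not recognize needs a person to decide. Recording a logon after the separation date is what turns a clean-up item into an investigation lead, which is the pattern the Triple S bullet describes.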
Managing Vendors
Vendor Security Life Cycle
• Requirements Definition
• Pre-Contract Due Diligence
• Contract Security Specifications
• Performance Monitoring
• Breach Notification
• Contract Termination
• Documentation
Life cycle diagram: Define → Select → Contract → Monitor → Terminate
Defining Requirements
• Examine Scope of Effort
• Determine What Level of Minimum Necessary
• Identify Security Requirements
• Develop SLAs for Security
• Incorporate into RFI, RFP and/or SOW
• Classify Vendor
Due Diligence: Pre-Contract
• Tailor requests to scope of contract
• Security standard followed
• Include security questionnaire
• Request documentation
• Review third party assessments
• Proof of Training
• Conduct site visit
• Security Incident history
Contract Security Specifications
• Define expectations, material changes, subcontractors
• Minimum Necessary
• Transmission, storage & processing
• Incident response
• Audit/monitoring
• Reporting requirements
• Contingency operations
Maintenance
• For contracts lasting more than 6 months
• Periodic audits of key processes
• Testing of contingency plans/operations
• Renewal of third party assessments
Breach Notification
• Timeliness of notifications
• Assistance in investigation/risk assessment
• Indemnification for certain costs
• Notifications to public
Contract Termination
• Termination for cause vs. end of contract
• Disposition of data if in receipt
• User/system access
• Reminder of Minimum Necessary
• Other continued responsibilities
Medical Device Security
Devices Threaten Safety & Information
• 2010 successful hacks of an insulin pump & ICD.
• 2013 DHS tested 300 devices from 40 vendors. ALL failed.
• 2014 Multiple variants of a popular blood pump hacked.
• 2015 MedJack hack shows vulnerability of network from medical devices.
• 2015 FDA recalls Hospira pumps due to cybersecurity vulnerability
“Yes, Terrorists could have stopped Dick Cheney’s heart.” – The Washington Post
In 2015 we are no closer…
Malware & Advanced Persistent Threats
• 3.4 million BotNets identified
• 20-40% of recipients in phishing exercises fall for the scam
• 26% of malware delivered via HTML; one in less than 300 emails infected
• Malware analyzed was found undetectable by nearly 50% of all anti-virus engines tested
• As of April 2014 Microsoft no longer provides patches for Windows XP, Windows 2003, Windows 2000, NT, etc.
• EOL systems still prevalent in healthcare networks
• Hardening, patching, configuration, change management…all critical
“FBI alert warns healthcare not prepared”
Sources: Symantec, IBM, Solutionary Annual Threat Reports
Manage Medical Device Security Risk
• Part of an Enterprise Information Security Risk Management Program
• Manufacturer Disclosure Statement for Medical Device Security (MDS2)
• FDA Guidance: Software updates for cybersecurity do not require pre-market review or recall (there are some exceptions)
Mobile Risks & Concerns
Embracing Mobility of Data
• Medical staff are turning to their mobile devices to communicate because it’s easier, faster, more efficient…but it is not secure
• Sharing lab results, locating another physician for a consult, sharing radiology images, updating staff on patient condition, getting direction for treatment, transmitting trauma information to EDs, prescribing or placing orders
• Priority placed on the data first and the device second
• Restrict physical access where possible, encrypt the rest
Mobile Device Risks
• Mobile devices are easily lost, stolen, or discarded with e-PHI on them
• Onboard cameras can be improperly used to record PHI
• No physical keyboard limits use of complex passwords
• Can easily transfer or store PHI from enterprise network
• Easy access to Facebook, Twitter, and other social media that allows unauthorized disclosure of PHI
Mobile App Security Concerns
• Mobile apps have opened a huge number of security problems which have caught many companies unaware
– Starbucks app stored its passwords in clear text
– Walgreens encouraged shoppers to take pictures of prescription labels… then those images were saved so anyone could see them
– Delta Airlines app encrypted passwords but it also saved its encryption key on the device in clear text
Theft & Losses Thriving
• 57% of data breaches reported to OCR due to loss or theft of devices
• 1 in 4 houses is burglarized, a B&E happens every 9 minutes, more than 20,000 laptops left in airports
• First rule of security: no one is immune
• 29 million records exposed 2010-13
• Over 100 million records exposed 2014-15
• 6 – 10%: the average shrinkage rate for mobile devices
• Typical asset inventories are off by 60%
“That’s a big number because it’s meant to drive home the point that unencrypted laptops and mobile devices pose significant risk to the security of patient information.” – Sue McAndrew, OCR
Design Effective Strategy
• Identify mobile application needs
• Integrate into information security risk analysis
• Design risk management strategy
• Obtain business associate agreements if necessary and perform due diligence/vendor management
• Document compliance with the HIPAA Privacy and Security Rules
• Assure compliance with any posted privacy policy and terms of use agreement
Handling PHI
• Identify mobile devices/apps that handle PHI
– What devices/apps create PHI? (wearable devices, diagnostic apps)
– What devices/apps receive PHI? (email, EHR portals, vendor modified OTS devices)
– What devices/apps maintain PHI? (removable storage media, cloud email/storage)
– What devices/apps transmit PHI? (texting, email, cellular/WiFi transmitted data)
Covered by HIPAA?
• Health Plan Server – Covered
• Physician Tablet – Covered
• Patient Device – Not Covered
Mobile Device References
• NIST Special Publication 800-124 – “Guidelines for Managing the Security of Mobile Devices in the Enterprise”
– http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-124r1.pdf
• NCCOE Mobile Device Security & Cloud Hybrid Builds: https://nccoe.nist.gov/projects/building_blocks/mobile_device_security
• ENISA report – “Smartphones: Information security risks, opportunities, and recommendations for users”
– http://bit.ly/1wWmEsw (enisa.europa.eu)
Priorities For Healthcare
• Implement continuous program of risk assessment and management
• Increase knowledge of threat actors
• Maintain current environment
• Improve detection and reaction capabilities
• Implement data exfiltration controls
• Enhance user education and accountability
• Implement active vendor security management
• Address long term challenges around medical devices
• Plan for incidents
Questions?
David Holtzman
512.405.8550 x7020
@HITprivacy