Forging a Stronger Approach for the Cybersecurity Challenge. Session 34, February 12, 2019. Tom Stafford, VP & CIO, Halifax Health

Page 1

Forging a Stronger Approach for the Cybersecurity Challenge

Session 34, February 12, 2019

Tom Stafford, VP & CIO, Halifax Health

Page 2

Speaker Introduction

Tom Stafford, Vice President & CIO

Education:

Bachelor of Science, Aerospace Engineering

Master of Science, Mechanical Engineering

Career:

United States Navy

Medical Device Design and Manufacture

Healthcare IT

IT Accolades:

10th Best Place to work in IT 2015 – Computerworld

2nd Best Place to work in IT 2016 – Computerworld

5th Best Place to work in IT 2017 – Computerworld

5th Best Place to work in IT 2018 – Computerworld

Premier 100 Technology Leaders 2017 – Computerworld

Top 105 CIOs to watch in 2018 – Becker’s Healthcare


Page 3

Conflict of Interest

Tom Stafford, BSAE, MSME

Has no real or apparent conflicts of interest to report.

Page 4

Agenda

• Halifax Health

• Bad Actors and Healthcare

• What are we Protecting?

• Look back at 2018

• Look forward to 2019

• Governance

• Halifax’s Philosophy: D3

• Anatomy of a Ransomware Attack

• How Strong are you?

• Let’s be Collaborative

Page 5

Learning Objectives

• Identify potential threats to cybersecurity and best practices to establish security, scrutiny, and authentication for access to PHI

• Evaluate effective cybersecurity measures and policies, including system-wide procedures; end user training; and use of technology

• Analyze strategies aimed at predicting and preventing cyber breaches

• Identify methods to ensure your cybersecurity insurance policy is effective and senior leadership is prepared prior to being breached or ransomed

Page 6

About Halifax Health

Halifax Health - Medical Center of Port Orange

– Opened in 2006

– 80 bed community hospital

– 20 bed emergency department

– 8 bed intensive care unit

Halifax Health Medical Center, Daytona Beach

– Opened in 1928

– 600 beds

– More than 500 physicians, representing 54 subspecialties

Page 7

Bad Actors and Healthcare

• Who are the Bad Actors?

– Financially Motivated Cybercriminals

– Hacktivists

– Hackers for Hire: RaaS (Ransomware-as-a-Service)

– Nation State supported Actors

– Malicious Insider

• How do they Attack?

– Social Engineering

– Network Vulnerabilities

– Misuse of Credentials

– Physical Penetration

Page 8

Bad Actors and Healthcare

• Why do they attack Healthcare?

“We are valuable low lying fruit”

– Health Record includes Identity and other valuable information

– Data doesn’t change

– Medical history is accurate for a lifetime

– Healthcare is easier to Hack

– Interoperability Requirements

– Great delays between the breach and determining there was one

– The Electronic Health Record is vital to patient care and operations

Data is used for Identity Theft, False Claims, Medical Research Trends, Medical Equipment and Drug Purchases

Page 9

What are we Protecting?

• Patient Records (ex. ePHI)

• Research Data (ex. cancer treatments IP)

• Employee Sensitive Information (ex. PII)

• Business plans, (ex. bids, acquisition targets)

• Payment Card Information

• Medical Treatment Devices (ex. insulin pumps, imaging)

• Contracts (ex. with customers, suppliers, distributors)

• Employee log-in credentials

• Physician Compensation

• Clinical Studies Data

Page 10

Look back at 2018

• Tight Budgets and Lack of Resources

• Email: Friend or Foe

• Ransomware on the Decline, Crypto-mining on the Incline

• IoT Security (Including Biomed)

• Breaches are Back

• Blockchain

• GDPR

Page 11

Look forward to 2019

• Collective Call to Action

• Ransomware, Crypto-mining, and Breaches

• “Patient Safety needs Cyber Safety”

• IoT, the dreaded XP Biomed Devices…

• More Cloud

• Interoperability, APIs, and AI

Page 12

Governance & Executive Involvement

• Board

• C-Suite

• Executive Approval, “Knowing the Landscape”

• Incident Response Team Members

Page 13

Halifax’s Security Philosophy: D3

• Deterrents

• Detection

• Deception

• 3rd Party Assurance

Page 14

Deterrents? What about Defenses?

• The number one deterrent? The User

• Assisting the User

– Training and Testing

• Education, Education, Education

• External Source warning in emails

• Fake Phishing Tests

– Technology Controls

• Block Webmail

• Block Malicious Sites

• USB Privileges

• External Storage Privileges

• Local Admin Rights Privileges

• Two-Factor

Page 15

Fake Phishing Email Tests

1.0% click rate on a test sent to 4,573 users.

Page 16

Ransomware Threat and Deterrent Chain (diagram)

Attack Vector: Zero Day Ransomware attachment in phishing email

Legend: Deterrents / Hackers’ Actions / Halifax Reactions

Chain shown in the diagram: Email Sent -> External Firewall (does not detect) -> Team Member clicks on attachment -> Cloud Based Scan (attachment opened in cloud, does not detect) -> Anti-Virus (does not detect) -> Patched Servers / Biomed Servers, not patched -> Obtain Domain Account Access -> Hackers own the flat network

Last Deterrent: Network Segmentation

Last Mitigation: Air Gapped Backup

IT Security is based on monitoring attack vectors and having deterrent chains in front of the data that is to be wiped, ransomed, or breached.

Page 17

Biomed Devices on the Halifax Data Network

Page 18

Let’s Talk about Biomed

Why are they vulnerable?

The devices last longer than the available support for the operating system, or the vendor will not patch the systems since they are FDA Class 2/3 devices.

WannaCry, HHS, and the FDA...

Notify customers within 30 days after a vulnerability is found.

Patch within 60 days.

Manufacturers are not there yet…

Page 19

Let’s Talk about Biomed and IoT

How do we reduce the risk?

New Devices:

– Do not demo or purchase new devices that have outdated Operating Systems and/or the manufacturer will not allow the device to be patched.

– Updated bid spec to include Halifax Health’s IT and Biomed Specifications:

Page 20

Let’s Talk about Biomed and IoT

How do we reduce the risk?

Existing Devices:

– Vulnerability Scans will help determine what needs to be patched.

– Work with Biomed and other departments to determine type/location of devices

– Work with the vendors for them to patch the devices or to allow IT to patch the devices

– If they cannot be patched, bury the devices (Micro-Segmentation) behind the Internal Firewall prior to having them replaced with a non-vulnerable device

Page 21

Detection and Deception

Detection (SIEM):

• User Behavior

• Machine, Biomed, IoT Behavior

• Network Penetration

Deception:

• Honey pots

• Domain Account Verification
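As an added example (not code from this deck or from Halifax Health), the following Python shows how the micro-segmentation allowlist from the previous slide and the detection and deception items on this one become concrete checks over log data: flows from a segmented biomed device to anything outside its allowed server, SMB fan-out to many hosts (the flat-network spread from the ransomware chain), and any logon against a decoy domain account. Everything in it is constructed for illustration: the flow and logon log formats, the addresses, the device-to-server allowlist, and the decoy account name; reading “Domain Account Verification” as a honey account that nobody should legitimately use is an assumption of this example.

```python
"""Detection and deception checks over constructed log samples.

Added example, not code from the Halifax Health deck. The log formats,
addresses, the biomed allowlist and the honey-account name are all constructed.
"""
import re
from collections import defaultdict

# Hypothetical micro-segmentation policy for unpatchable biomed devices:
# each device may only reach its own imaging/PACS server on the DICOM port.
BIOMED_ALLOWLIST = {
    "10.20.5.11": {("10.20.9.40", 104)},
    "10.20.5.12": {("10.20.9.40", 104)},
}

# Hypothetical decoy ("honey") domain account: it exists, but nobody should
# ever use it, so any authentication attempt against it is worth an alert.
HONEY_ACCOUNTS = {"svc_backup_old"}

# Constructed firewall flow log: the first device talks to its server, then
# fans out to three file servers on SMB/445, which it has no business doing.
FLOW_LOG = """\
2019-02-12T08:00:01 src=10.20.5.11 dst=10.20.9.40 dport=104 action=allow
2019-02-12T08:00:07 src=10.20.5.12 dst=10.20.9.40 dport=104 action=allow
2019-02-12T08:02:30 src=10.20.5.11 dst=10.20.7.22 dport=445 action=allow
2019-02-12T08:02:31 src=10.20.5.11 dst=10.20.7.23 dport=445 action=allow
2019-02-12T08:02:32 src=10.20.5.11 dst=10.20.7.24 dport=445 action=allow
"""

# Constructed domain authentication log (simplified key=value form).
AUTH_LOG = """\
2019-02-12T08:03:00 event=logon user=nurse.jdoe src=10.20.3.50 result=success
2019-02-12T08:03:05 event=logon user=svc_backup_old src=10.20.5.11 result=failure
2019-02-12T08:03:06 event=logon user=svc_backup_old src=10.20.5.11 result=success
"""

FLOW_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) action=\S+$")
AUTH_RE = re.compile(
    r"^(?P<ts>\S+) event=logon user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$")


def parse(text, pattern):
    """Parse one key=value log line per row; lines that don't match are skipped."""
    rows = []
    for line in text.splitlines():
        m = pattern.match(line.strip())
        if m:
            rows.append(m.groupdict())
    return rows


def segmentation_violations(flows, allowlist=BIOMED_ALLOWLIST):
    """Flows from a segmented biomed device to anything outside its allowlist."""
    return [
        (f["ts"], f["src"], f["dst"], int(f["dport"]))
        for f in flows
        if f["src"] in allowlist
        and (f["dst"], int(f["dport"])) not in allowlist[f["src"]]
    ]


def smb_fanout(flows, threshold=3):
    """Sources that touched >= threshold distinct hosts on 445: the lateral
    movement pattern of ransomware spreading across a flat network."""
    targets = defaultdict(set)
    for f in flows:
        if int(f["dport"]) == 445:
            targets[f["src"]].add(f["dst"])
    return {src: sorted(dsts) for src, dsts in targets.items() if len(dsts) >= threshold}


def honey_account_hits(auths, honey=HONEY_ACCOUNTS):
    """Every logon attempt, successful or not, against a decoy account."""
    return [(a["ts"], a["user"], a["src"], a["result"]) for a in auths if a["user"] in honey]


def triage(flow_text=FLOW_LOG, auth_text=AUTH_LOG):
    """Correlate the three signals into alerts keyed by source host."""
    flows, auths = parse(flow_text, FLOW_RE), parse(auth_text, AUTH_RE)
    alerts = defaultdict(list)
    for ts, src, dst, port in segmentation_violations(flows):
        alerts[src].append(f"{ts} segmentation violation -> {dst}:{port}")
    for src, dsts in smb_fanout(flows).items():
        alerts[src].append(f"SMB fan-out to {len(dsts)} hosts: {', '.join(dsts)}")
    for ts, user, src, result in honey_account_hits(auths):
        alerts[src].append(f"{ts} honey account {user} logon {result}")
    return dict(alerts)


if __name__ == "__main__":
    for host, findings in sorted(triage().items()):
        print(host)
        for finding in findings:
            print("  ", finding)
```

Run stand-alone it prints every finding grouped by host; on the constructed sample all six land on the one biomed device, which is the point of keying alerts by source rather than by rule: three independent signals on the same host at the same time is what should page someone, while any single one is easier to dismiss as a scanner or a typo. The allowlist is what makes a segmented device detectable as well as contained, so the same data you use to write the firewall rule should feed the SIEM rule.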

Page 22

3rd Party (Digital Traders) Assurance

Does anyone know what Fazio Mechanical Services did?

“BAA is not enough for Healthcare”

“You are only as strong as your weakest link”

Don’t be their Target

Page 23

Understanding your Digital Traders

• Map your existing digital traders

• Create controls so you are aware of new Digital Traders

• Beyond the BAA, Contractual Requirements

• Quantify their Security Posture

• Audit Them

• Do not allow them to dictate how they access your system

• Require Two-Factor Authentication

Page 24

Anatomy of a Ransomware Attack

• The Hack

• The Crash

• Cyber Insurance

• External Counsel

• To Bitcoin or Not

• Recovery

• Key takeaways:

– Hospital Incident

– Know your Cyber Insurance Plan

– Executive Table Top Exercises

– DR/BD Documents and Logs

Page 25

How Strong are you?

Two ways to test this:

1. Do not test. You only know if you fail… and CIO will have a whole new meaning: Career Is Over

2. Ethical Hacking and Penetration Testing

Page 26

Let’s be Collaborative!

• Standards Framework

• Passwords

• Two-Factor

• Webmail

• USB & External Storage

• Phishing

• BioMed

• Cyber Insurance

• Tabletop Exercises

• Quantitative 3rd Party Risk Assessments

• Ethical Hacking

Page 27

Let’s be Collaborative!

Question 1

Which standards framework do you utilize?

1. NIST

2. HITRUST

3. Critical Security Controls

4. ISO

Page 28

Let’s be Collaborative!

Question 2

Password Reset Duration?

1. 90 Days

2. 180 Days

3. 1 Year

4. Other

Page 29

Let’s be Collaborative!

Question 3

Require Robust Passwords?

1. Yes

2. No

Page 30

Let’s be Collaborative!

Question 4

Remote Two-Factor Authentication Utilization?

1. Employees, Physicians, Vendors

2. Employees, Physicians

3. Employees

4. None

Page 31

Let’s be Collaborative!

Question 5

Webmail Blocking?

1. Yes

2. No

Page 32

Let’s be Collaborative!

Question 6

Restrict USB Access?

1. Read

2. Write

3. Both

4. None

Page 33

Let’s be Collaborative!

Question 7

Restrict Internet Based Storage?

1. Yes

2. No

Page 34

Let’s be Collaborative!

Question 8

Conduct Fake Phishing tests?

1. Yes

2. No

Page 35

Let’s be Collaborative!

Question 9

Do you know the location of your vulnerable Biomed devices?

1. Yes

2. No

Page 36

Let’s be Collaborative!

Question 10

Do you have Cyber Insurance?

1. Yes

2. No

3. Don’t Know

Page 37

Let’s be Collaborative!

Question 11

Do you know how to contact your Insurer?

1. Yes

2. No

Page 38

Let’s be Collaborative!

Question 12

Do you conduct tabletop exercises?

1. Senior Leadership

2. IT Staff

3. Both

4. None

Page 39

Let’s be Collaborative!

Question 13

Do you have quantitative 3rd Party Risk Assessments?

1. Yes

2. No

Page 40

Let’s be Collaborative!

Question 14

Conduct Ethical Hacking Tests?

1. Once

2. Annually

3. Bi-Annually

4. Never

Page 41

Questions

Tom Stafford

[email protected]

386-425-7309

https://www.linkedin.com/in/tom-stafford-8a69927

*** Don’t forget about the online session evaluation