1
Forging a Stronger Approach for the Cybersecurity Challenge
Session 34, February 12, 2019
Tom Stafford, VP & CIO, Halifax Health
2
Speaker Introduction
Tom Stafford, Vice President & CIO
Education:
Bachelor of Science, Aerospace Engineering
Master of Science, Mechanical Engineering
Career:
United States Navy
Medical Device Design and Manufacture
Healthcare IT
IT Accolades:
10th Best Place to Work in IT 2015 – Computerworld
2nd Best Place to Work in IT 2016 – Computerworld
5th Best Place to Work in IT 2017 – Computerworld
5th Best Place to Work in IT 2018 – Computerworld
Premier 100 Technology Leaders 2017 – Computerworld
Top 105 CIOs to Watch in 2018 – Becker’s Healthcare
3
Conflict of Interest
Tom Stafford, BSAE, MSME
Has no real or apparent conflicts of interest to report.
4
Agenda
• Halifax Health
• Bad Actors and Healthcare
• What are we Protecting?
• Look back at 2018
• Look forward to 2019
• Governance
• Halifax’s Philosophy: D3
• Anatomy of a Ransomware Attack
• How Strong are you?
• Let’s be Collaborative
5
Learning Objectives
• Identify potential threats to cybersecurity and best practices to establish security, scrutiny, and authentication for access to PHI
• Evaluate effective cybersecurity measures and policies, including system-wide procedures, end user training, and use of technology
• Analyze strategies aimed at predicting and preventing cyber breaches
• Identify methods to ensure your cybersecurity insurance policy is effective and senior leadership is prepared prior to being breached or ransomed
6
About Halifax Health
Halifax Health – Medical Center of Port Orange
– Opened in 2006
– 80 bed community hospital
– 20 bed emergency department
– 8 bed intensive care unit
Halifax Health Medical Center, Daytona Beach
– Opened in 1928
– 600 beds
– More than 500 physicians, representing 54 subspecialties
7
Bad Actors and Healthcare
• Who are the Bad Actors?
– Financially Motivated Cybercriminals
– Hacktivists
– Hackers for Hire: RaaS
– Nation State supported Actors
– Malicious Insider
• How do they Attack?
– Social Engineering
– Network Vulnerabilities
– Misuse of Credentials
– Physical Penetration
8
Bad Actors and Healthcare
• Why do they attack Healthcare?
“We are valuable low lying fruit”
– Health Record, includes Identity and other valuable information
– Data doesn’t change
– Medical history is accurate for a lifetime
– Healthcare is easier to Hack
– Interoperability Requirements
– Great delays between the breach and determining there was one
– The Electronic Health Record is vital to patient care and operations
Data is used for Identity Theft, False Claims, Medical Research Trends, Medical Equipment and Drug Purchases
9
What are we Protecting?
• Patient Records (ex. ePHI)
• Research Data (ex. cancer treatments IP)
• Employee Sensitive Information (ex. PII)
• Business plans (ex. bids, acquisition targets)
• Payment Card Information
• Medical Treatment Devices (ex. insulin pumps, imaging)
• Contracts (ex. with customers, suppliers, distributors)
• Employee log-in credentials
• Physician Compensation
• Clinical Studies Data
10
Look back at 2018
• Tight Budgets and Lack of Resources
• Email: Friend or Foe
• Ransomware on the Decline, Crypto-mining on the Incline
• IoT Security (Including Biomed)
• Breaches are Back
• Blockchain
• GDPR
11
Look forward to 2019
• Collective Call to Action
• Ransomware, Crypto-mining, and Breaches
• “Patient Safety needs Cyber Safety”
• IoT, the dreaded XP Biomed Devices…
• More Cloud
• Interoperability, APIs, and AI
12
Governance & Executive Involvement
• Board
• C-Suite
• Executive Approval, “Knowing the Landscape”
• Incident Response Team Members
13
Halifax’s Security Philosophy: D3
• Deterrents
• Detection
• Deception
• 3rd Party Assurance
14
Deterrents? What about Defenses?
• The number one deterrent? The User
• Assisting the User
– Training and Testing
• Education, Education, Education
• External Source warning in emails
• Fake Phishing Tests
– Technology Controls
• Block Webmail
• Block Malicious Sites
• USB Privileges
• External Storage Privileges
• Local Admin Rights Privileges
• Two-Factor
15
Fake Phishing Email Tests
1.0% click rate; the test was sent to 4,573 users.
16
Ransomware Threat and Deterrent Chain
Attack Vector: Zero Day Ransomware attachment in phishing email
IT Security is based on monitoring attack vectors and having deterrent chains in front of the data that is to be wiped, ransomed, or breached.
Last Deterrent: Network Segmentation
Last Mitigation: Air Gapped Backup
Flow chart (legend: Hackers Actions, Halifax Reactions, Deterrents):
1. Phishing email sent
2. External Firewall – does not detect
3. Cloud Based Scan – does not detect
4. Team Member clicks on attachment
5. Attachment opened in cloud – does not detect
6. Anti-Virus – does not detect
7. Patched Servers vs. Biomed Servers – not patched
8. Obtain Domain Account Access
9. Hackers own the flat network
17
Biomed Devices on the Halifax Data Network
18
Let’s Talk about Biomed
Why are they vulnerable?
The devices last longer than the available support for the operating system, or the vendor will not patch the systems since they are FDA Class 2/3 devices.
WannaCry, HHS, and the FDA...
Notify customers within 30 days after a vulnerability is found.
Patch within 60 days.
Manufacturers are not there yet…
19
Let’s Talk about Biomed and IoT
How do we reduce the risk?
New Devices:
– Do not demo or purchase new devices that have outdated Operating Systems and/or whose manufacturer will not allow the device to be patched.
– Updated bid spec to include Halifax Health’s IT and Biomed Specifications:
20
Let’s Talk about Biomed and IoT
How do we reduce the risk?
Existing Devices:
– Vulnerability Scans will help determine what needs to be patched.
– Work with Biomed and other departments to determine the type/location of devices.
– Work with the vendors for them to patch the devices or to allow IT to patch the devices.
– If they cannot be patched, bury the devices (Micro-Segmentation) behind the Internal Firewall prior to having them replaced with a non-vulnerable device.
21
Detection and Deception
Detection (SIEM):
• User Behavior
• Machine, Biomed, IoT Behavior
• Network Penetration
Deception:
• Honeypots
• Domain Account Verification
22
3rd Party (Digital Traders) Assurance
Does anyone know what Fazio Mechanical Systems did?
“BAA is not enough for Healthcare”
“You are only as strong as your weakest link”
Don’t be their Target
23
Understanding your Digital Traders
• Map your existing digital traders
• Create controls so you are aware of new Digital Traders
• Beyond the BAA, Contractual Requirements
• Quantify their Security Posture
• Audit Them
• Do not allow them to dictate how they access your system
• Require Two-Factor Authentication
24
Anatomy of a Ransomware Attack
• The Hack
• The Crash
• Cyber Insurance
• External Counsel
• To Bitcoin or Not
• Recovery
• Key takeaways:
– Hospital Incident
– Know your Cyber Insurance Plan
– Executive Table Top Exercises
– DR/BD Documents and Logs
25
How Strong are you?
Two ways to test this:
1. Do not – you only know if you fail… and CIO will have a whole new meaning: Career Is Over
2. Ethical Hacking and Penetration Testing
26
Let’s be Collaborative!
• Standards Framework
• Passwords
• Two-Factor
• Webmail
• USB & External Storage
• Phishing
• BioMed
• Cyber Insurance
• Tabletop Exercises
• Quantitative 3rd Party Risk Assessments
• Ethical Hacking
27
Let’s be Collaborative!
Question 1
Which standards framework do you utilize?
1. NIST
2. HITRUST
3. Critical Security Controls
4. ISO
28
Let’s be Collaborative!
Question 2
Password Reset Duration?
1. 90 Days
2. 180 Days
3. 1 Year
4. Other
29
Let’s be Collaborative!
Question 3
Require Robust Passwords?
1. Yes
2. No
30
Let’s be Collaborative!
Question 4
Remote Two-Factor Authentication Utilization?
1. Employees, Physicians, Vendors
2. Employees, Physicians
3. Employees
4. None
31
Let’s be Collaborative!
Question 5
Webmail Blocking?
1. Yes
2. No
32
Let’s be Collaborative!
Question 6
Restrict USB Access?
1. Read
2. Write
3. Both
4. None
33
Let’s be Collaborative!
Question 7
Restrict Internet Based Storage?
1. Yes
2. No
34
Let’s be Collaborative!
Question 8
Conduct Fake Phishing Tests?
1. Yes
2. No
35
Let’s be Collaborative!
Question 9
Do you know the location of vulnerable Biomed devices?
1. Yes
2. No
36
Let’s be Collaborative!
Question 10
Do you have Cyber Insurance?
1. Yes
2. No
3. Don’t Know
37
Let’s be Collaborative!
Question 11
Do you know how to contact your Insurer?
1. Yes
2. No
38
Let’s be Collaborative!
Question 12
Do you conduct tabletop exercises?
1. Senior Leadership
2. IT Staff
3. Both
4. None
39
Let’s be Collaborative!
Question 13
Do you have quantitative 3rd Party Risk Assessments?
1. Yes
2. No
40
Let’s be Collaborative!
Question 14
Conduct Ethical Hacking Tests?
1. Once
2. Annually
3. Bi-Annually
4. Never
41
Questions
Tom Stafford
386-425-7309
https://www.linkedin.com/in/tom-stafford-8a69927
*** Don’t forget about the online session evaluation