Upload
gerald-jennings
View
219
Download
0
Tags:
Embed Size (px)
Citation preview
Protect, Protect, Protect… Now
SHARE
John D. Halamka MDChief Information Officer
The State of the Internet
• Studies indicate 48% of internet systems are infected now (worldwide)
• Escalation of malware quality and quantity, began in March-April of 2011 (organized crime now uses internet identity theft as a business)
• A new virus is released every 30 seconds, there is a 400% increase in Android device hacking, and150000 malware variants are found on the internet at any moment (80% are on legitimate websites)
• Risk exists on all Windows, Mac OS X, and Linux platforms (alas, there is no silver bullet)
The State of the Internet
•Commercialization of root kits
•Fast flux re-packaging
•Signature solutions becoming less effective
•Angry Birds
•Steganography on the rise
•Content cloaking on Google and Facebook
•Adobe and Java vulnerabilities
The State of BIDMC
•14501 total devices on network
•3353 research, departmental and personal devices are not managed by IT (these are the most often infected)
•11566 BIDMC user accounts
•589 Needham user accounts
•212 Websites or applications with remote access
The Risk
• Every day users download malware and we eliminate it via early detection, remote access to the device or a visit to the device
• We have much more sophisticated monitoring systems than most hospitals so we can see what is happening
• We have hired numerous industry specialists from McAfee, RSA and Verizon to study our environment.
• Although they have made a few technology suggestions, the major need is policy improvement
The Risk - Home Computers
Drop Server 200.63.44.172
Finding Type Corporate Credentials
Description An authorized user accessed one of the organization's resources, BIDMC Portal, from an infected machine (a screenshot is attached). The Trojan horse captured the credentials.
URL https://portal.bidmc.org/login.aspx?item=/default&user=extranet\Anonymous&site=website&url=/default.aspx
IP Address 24.63.18.108
Timestamp Wed, 17 Aug 2011 01:06:01 GMT
Rawtext
"1856";"TOSHIBA-PC_775A658D6522DF69";"-- default --";"33556489";"https://portal.bidmc.org/login.aspx?item=/default&user=extranetAnonymous&site=website&url=/default.aspx";"";"1313543161";"188203365";"-14400";"#6;#0;?#29; #0;";"1033";"C:Program Files (x86)Internet Exploreriexplore.exe";"Toshiba-PCToshiba";"12";"https://portal.bidmc.org/login.aspx?item=/default&user=extranetAnonymous&site=website&url=/default.aspxReferer: https://portal.bidmc.org/login.aspx?item=/default&user=extranetAnonymous&site=website&url=/default.aspxUser input: lxxxxxaKxxxxx3POST data: __EVENTVALIDATION=/wEWBALh8vWcAgKvpuq2CALyveCRDwL jNCfD1D ONbAiUFgkw75ofRC13PVI8NZusername=sxxxxxapassword=Kxxxxx13LoginButton.x=0LoginButton.y=0";"24.63.18.108";"US";"1313543148"
Mitigation• Surveillance and Detection
• Scheduled vulnerability scans of managed devices using Nexpose
• Augment internal capability with Dell SecureWorks hosting services
• More extensive use of logs to identify and correlate suspicious behavior
• Containment and Cleaning
• Locking down outbound connection from servers, i.e. “white listing”
• More aggressive anti-virus update cycle as released rather than time of day
• More frequent full scans 3x daily rather than 2x weekly
• Higher sensitivity settings on scans
Mitigation• Prevention
• Increase Internet content filtering restrictions
• Reduce/eliminate local administrative rights on workstations and laptops
• Introduce McAfee Site Advisor to alert users of web site reputation
• Stepped up use of Intrusion Protection blocks on web activity
• More aggressive updates of Java, Adobe and other high risk apps
• Two-factor identification for remote users
• Isolate FDA regulated devices
Mitigation• Metrics and Controls
• Baseline “risk” level of each subnet
• Past incidence of malware
• Extent of local administrative rights
• Content filtering rules
• Average Nexpose score
• Incidence of devices with out-of-date anti-virus files
Digital Loss Prevention Pilot
•Determine impact of controls
•Tune as needed
•Apply across the enterprise only after Ops review of data and additional policymaking
•Observe and adjust on continuing basis
My Breaches in 2012
•The Stolen Laptop
•The Infected Radiology Workstation
A 20 Step Program
1. Inventory of Authorized and Unauthorized Devices
2. Inventory of Authorized and Unauthorized Software
3. Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
4. Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
5. Boundary Defense
6. Maintenance, Monitoring, and Analysis of Security Audit Logs
7. Application Software Security
8. Controlled Use of Administrative Privileges
9. Controlled Access Based on Need to Know
10. Continuous Vulnerability Assessment and Remediation
A 20 Step Program
11. Account Monitoring and Control
12. Malware Defenses
13. Limitation and Control of Network Ports, Protocols, and Services
14. Wireless Device Control
15. Data Loss Prevention
16. Secure Network Engineering
17. Penetration Tests
18. Incident Response Capability
19. Data Recovery Capability
20. Security Skills Assessment and Appropriate Training to Fill Gaps
14
Creating a Secure Regional HIE
Provider directory
Certificate repository
DIRECT gateway
Web portal mailbox
Repository of physician names, entities, affiliations, and security credentials
Repository of security certificates for authorized users of HIE services
Adaptor that transforms messages from one standard to another without decrypting the message
Secure, encrypted mailbox for users without standards-compliant EHR
“Lookup” services
“Message-handling” services
HIE Services
15
3 ways to connect to MA HIway
Provider directory
Certificate repository
DIRECT gateway
Web portal mailbox
HIE ServicesUser types3 methods of accessing HIE
services
EHR connects directly
Browser access to webmail inbox
Physician practice
Hospital
Long-term careOther providersPublic healthHealth plans
Labs and imaging centers
EHR connects through LAND
16
Use Case From To Content
Eastern Hospital to Western Hospital
Massachusetts General Hospital
Baystate Medical Center
Governor Patrick medical record (CCD)
ACO to ACO Beth Israel Deaconess Medical Center
Massachusetts General Hospital
Patient summary record (CCD)
Hospital to Practice Childrens’ Hospital Atrius Health Patient summary record (CCD)
Suburban Hospital to Academic Medical Center (bi-directional)
MetroWest (Vanguard)
Tufts Medical Center Patient summary record (CCD)
ACO to Quality Data Warehouse
Beth Israel Deaconess Physician Organization
Massachusetts eHealth Collaborative
Encounter summary (CCD)
Hospital to Referring PCP Beth Israel Deaconess Medical Center
Dr. Ayobami Ojutalayo (Lawrence)
Patient summary record (CCD)
ACO to Health Plan Beth Israel Deaconess Medical Center
Network Health Plan Patient summary record (CCD)
Golden Spike Transactions
MA HIway production exchanges transacted on October 16, 2012
Participating vendors: Orion Health, Meditech, Cerner, eClinicalWorks, LMR (Partners), webOMR (BID), Epic, Siemens
17
• Release 1 (October 16, 2012)– Direct Gateway with 4 integration options: SMTP/SMIME, XDR/SOAP,
LAND appliance– Provider directory v1– AIMS/Public key infrastructure v1
• Release 2 (December 17, 2012)– Participant enrollment portal (November, 2012)– Webmail (November, 2012)– HL7 Gateway (syndromic surveillance, ELR, CBHI)– IMPACT (SEE, web-based CDA-editor for long-term care facilities)– Provider directory v2– AIMS/Public key infrastructure v2
• Vendor-hosted cloud supports both HIE and HIX/IES– Orion Health prime contractor– Unlimited license for Oracle Software for all 3 Phases of HIE and
HIX/IES – Enterprise license for Orion Rhapsody Integration Engine– Leveraging existing IBM Initiate licenses
Phase 1 infrastructure
18
Updated plan
Original high-level plan from 12/11/2011 Updated plan as of 10/23/2012
Questions?
•http://geekdoctor.blogspot.com