
Page 1

virencehealth.com

What does “Cybersecurity” Really Mean in Healthcare?

Bob Fruth, Principal Product Security Leader, Virence
November 10, 2018

Page 2

Agenda – What does “Cybersecurity” Really Mean In Healthcare?

1. Introduction

2. Virence Cybersecurity

3. What keeps Bob up at night (& what doesn’t)

4. What you can do

5. Summary / Resources / Q&A

Page 3

Introduction

Page 4

Who is Bob Fruth?

19+ Years at Microsoft

• Involved in numerous product & service releases – most recently as the Security & Privacy Program Manager for the Bing.com search engine

• 6+ years in Trustworthy Computing – internal security advisor

• 8 years on Windows – focused on kernel

• Edited & published 3 major updates to the Microsoft Crypto Standards

• Wrote several Security Development Lifecycle (SDL) requirements

Before Microsoft – positions at several companies on multiple products, including several that defined and/or led markets

Now at Virence Health, protecting medical data one record at a time… (& ALL of them…)

Page 5

What is Cybersecurity?

“The protection of computer systems from theft of or damage to their hardware, software or electronic data, as well as from disruption or misdirection of the services they provide.” [Source – Wikipedia.org]

Also known as –

• Computer Security

• IT Security

• Internet Security

Page 6

What does Healthcare Cybersecurity care about?

Providing CIA for data at all times

• Confidentiality

• Integrity

• Availability

Page 7

What does Healthcare Cybersecurity care about?

Providing CIA for data at all times

• Confidentiality – Data is secure; only available to people/systems/processes who are authorized to access it

• Integrity – Data is changed only by people/systems/processes authorized to modify/delete it

• Availability – Data is available when and where needed

Page 8

The Security Practitioner’s Mindset

Assume the worst case

Verify everything

Be vigilant – monitoring, etc.

Practice transparency to the greatest extent possible

Share sensitive information on a need-to-know basis

• Examples – threat models, network diagrams, security testing reports

Encourage & practice responsible disclosure

Get the straightforward stuff done promptly

• Examples – monthly patching, keeping signatures up-to-date, etc.

Make informed risk-based decisions

Page 9

Virence Cybersecurity

Page 10

Virence Secure Product Development

Focused on Key Risk areas: Service Security, Separation of Data, Regulatory Compliance

Secure by Design

✓ Design with security in mind

✓ Threat Modeling

✓ Security Risk & Privacy Impact Assessments

✓ Principle of Least Privilege applied throughout

Secure by Default

✓ Secure coding practices

✓ Clean static analysis reports

✓ Code reviews

✓ Security Testing / Penetration Testing

Secure in Deployment

✓ All deployed services are regulatory compliant

✓ Security Operations Centers – 24x7 Monitoring

✓ Enable secure on premise deployments

Security Throughout the Product Lifecycle

✓ Dedicated Product Security Leader

Page 11

Virence Cybersecurity – Proactive Activities

Cybersecurity Policy – ownership

Security / Privacy best practices –

• Secure design & development

• Security testing – internal & 3rd party

• Secure operations – own jointly with DevOps

Certifications (e.g. HITRUST)

Outreach

• Partners

• Conferences

• Customer materials – white papers, etc. (coming in 2019)

Page 12

Virence Cybersecurity – Reactive Activities

Incident Response –

• Virence is a 24x7x365 company

• Work closely with partners, e.g. Microsoft

Actively monitor worldwide security ecosystem for vulnerabilities and trends

• US-CERT

• The “Dark Web”

Customer inquiries

Partner inquiries

Page 13

Cybersecurity – What We Provide

Policies, guidance and best practices

Holding Virence product teams accountable

Transparency to the greatest extent possible without creating a 0-day

Focal point for Certifications

Help Product Teams prepare customer facing materials

• Product documentation

• Responses to questionnaires

• White Papers

Customer interactions

Page 14

Cybersecurity – What We Won’t Provide

Direct consulting to customers or partners

Direct review of customers’ network/environment

Opinions on other vendors’ products, VBC add-ons, security tools, etc.

Sensitive product/service information

Anything that compromises legal, regulatory or ethical responsibilities

Page 15

What keeps Bob up at Night & What Doesn’t

Page 16

What keeps Bob up at Night

Customers’ on premise networks

• Virence doesn’t own

• Virence doesn’t control

• I have to assume the worst…

Page 17

Sleeplessness due to User-Focused Attacks

Phishing

Spear-Phishing

Social Engineering

⇒ Impactful threat vectors

Tendency to blame the user instead of the technology and/or the lack of usability

Page 18

What keeps Bob up at Night

The Internet of Things…

“Let’s connect everything to the network!”

• Potentially without segmentation or airgaps

“Then we’ll connect the network to the Internet”

What could possibly go wrong?

Page 19

“The Internet of Ransomware Things”

Copyright 2018 Robert C. Fruth

Page 20

What keeps Bob up at Night

Technology distracting Healthcare providers from focusing on patient care

Uninformed decisions

Missed opportunities –

• Not learning from others’ experiences

• Failure to heed warning signs, e.g. WannaCry

Page 21

The “Next WannaCry” costs Bob sleep

WannaCry –

• Medium impact to the Internet

• Compare with SQL Slammer or Heartbleed

• Preventable – if you were fully patched, you weren’t impacted

My concerns regarding the “Next WannaCry” –

• Will our customers be prepared?

• Ensure that Virence has timely response capabilities

Page 22

What keeps Bob up at Night

Driving security into Virence products & services

Secure by default vs. compatibility

• Example – encryption of CPS database

Supporting older versions of our products

“I’m too busy to …”

Page 23

But what about the Cloud?

Well, what about it?

Page 24

The Cloud doesn’t keep Bob up at Night

Cloud deployments transfer risk to the Cloud providers

Consider Microsoft’s nightmare scenarios for Azure –

• Failure of Tenant Separation

• Data alteration / disclosure

• Denial-of-service

Microsoft has a lot of people losing sleep over the above, so Virence and Virence customers don’t have to ☺

Page 25

More Things that don’t cost Bob sleep…

Healthcare privacy awareness

• Healthcare folks – IT, providers, etc. – understand privacy

• Privacy conversations at Virence are short; they can be lengthy at non-healthcare technology firms…

Partners & vendors that Virence works with

• Development partners

• Integration partners

• Security testing firms

Page 26

What You Can Do

Page 27

Define Realistic Goals

Technology / Cybersecurity fully support the medical mission

Regulatory compliance maintained

End user frustration level is low

IT resiliency is built in

IT folks are bored and sleep well at night (no 3am phone calls)

Page 28

Deploy and Maintain Secure Networks

Firewalls

• Close all ports by default

• Open only what is needed

Leverage new and not-so-new technologies

• Active Directory (LDAP)

• Certificate Management

• Security Groups
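The firewall advice on this slide, "close all ports by default, open only what is needed", is easiest to reason about as a default-deny policy with an explicit allowlist. The following Python model is an added example (not from the deck or from Virence): traffic is permitted only when an explicit allow rule matches, and an audit pass flags rules that open more than a specific need. The rule names, CIDR ranges and the overly broad "vendor" rule are constructed.

```python
"""Default-deny firewall policy model (added example, not from the deck).

"Close all ports by default, open only what is needed" as code: a packet is
permitted only when an explicit allow rule matches, and an audit flags allow
rules that are broader than a specific need (any source, or any port).
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class AllowRule:
    name: str
    src: str                 # source CIDR, e.g. "10.0.1.0/24"; "0.0.0.0/0" means anywhere
    dst_port: Optional[int]  # None means every port
    proto: str               # "tcp" or "udp"

    def matches(self, src_ip: str, dst_port: int, proto: str) -> bool:
        return (
            proto == self.proto
            and ip_address(src_ip) in ip_network(self.src)
            and (self.dst_port is None or self.dst_port == dst_port)
        )


def is_allowed(rules: List[AllowRule], src_ip: str, dst_port: int, proto: str) -> bool:
    """Default deny: traffic passes only if some explicit allow rule matches it."""
    return any(rule.matches(src_ip, dst_port, proto) for rule in rules)


def audit_rules(rules: List[AllowRule]) -> List[str]:
    """Flag allow rules that open more than 'what is needed'."""
    findings = []
    for rule in rules:
        if rule.dst_port is None:
            findings.append(f"{rule.name}: allows every {rule.proto} port")
        if ip_network(rule.src).prefixlen == 0:
            findings.append(f"{rule.name}: allows any source address")
    return findings


# Constructed ruleset for a fictional practice LAN (hypothetical addresses).
CLINIC_RULES = [
    AllowRule("ehr-https-from-lan", "10.0.1.0/24", 443, "tcp"),
    AllowRule("dns-from-lan", "10.0.1.0/24", 53, "udp"),
]
# The kind of "temporary" vendor rule the audit exists to catch.
OVERLY_BROAD_RULE = AllowRule("legacy-vendor-any", "0.0.0.0/0", None, "tcp")

if __name__ == "__main__":
    print(is_allowed(CLINIC_RULES, "10.0.1.25", 443, "tcp"))     # True
    print(is_allowed(CLINIC_RULES, "203.0.113.7", 3389, "tcp"))  # False: nothing opened it
    for finding in audit_rules(CLINIC_RULES + [OVERLY_BROAD_RULE]):
        print("AUDIT:", finding)
```

The point of `audit_rules` is that a default-deny policy is only as good as its allow list: one "any source, any port" exception, added to get a vendor working, silently reverts the whole perimeter to open-by-default, so the allow list itself needs a recurring review.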

Page 29

Deploy & Maintain Secure Systems

Systems tuned to specific purposes

No extraneous software!

• No browsers on servers

• Nothing on systems used for domain management

• End users’ client systems have what they need and nothing more

All systems kept fully patched

All systems scanned regularly with updated AV/AM software

Page 30

Deploy and Maintain Secure Environments

Segment & air gap intelligently

Encryption throughout

• TLS is your friend

• Encrypted storage

Test Backup & Restore capabilities regularly

• Automated backups are a plus

Consider Threat Modeling your environment / network topology
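"Test Backup & Restore capabilities regularly" is the item on this slide that practices most often skip, and the failure mode is a backup that looks fine until the day it is needed. The following Python drill is an added example (not from the deck or from Virence): it records a SHA-256 manifest when the backup is taken, restores into a scratch directory, and verifies the restored files against the manifest, including the case where the restore is truncated or incomplete. All file names and contents are constructed.

```python
"""Backup manifest and restore verification (added example, not from the deck).

"Test backup & restore capabilities regularly": record a SHA-256 digest of every
file when the backup is taken, then check a restored copy against that manifest
so a truncated, corrupted or incomplete restore is found in a drill rather than
during an incident. Paths and sample files below are constructed.
"""
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List


def sha256_file(path: Path) -> str:
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> Dict[str, str]:
    """Relative path -> SHA-256 digest for every file under root."""
    return {str(p.relative_to(root)): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_restore(restored_root: Path, manifest: Dict[str, str]) -> List[str]:
    """Return problems found; an empty list means the restore matches the manifest."""
    problems = []
    for rel, expected in manifest.items():
        target = restored_root / rel
        if not target.is_file():
            problems.append(f"missing: {rel}")
        elif sha256_file(target) != expected:
            problems.append(f"digest mismatch: {rel}")
    unexpected = set(build_manifest(restored_root)) - set(manifest)
    problems.extend(f"unexpected file: {rel}" for rel in sorted(unexpected))
    return problems


def restore_drill() -> List[str]:
    """Run a full cycle in a temp dir: back up, restore, damage the restore, verify."""
    with tempfile.TemporaryDirectory() as tmp:
        live = Path(tmp) / "live"
        live.mkdir()
        (live / "config.ini").write_text("[ehr]\nversion=constructed\n")
        (live / "patients.db").write_bytes(b"constructed sample database contents")
        manifest = build_manifest(live)

        restored = Path(tmp) / "restored"
        restored.mkdir()
        for rel in manifest:                       # "restore" = copy the files back
            (restored / rel).write_bytes((live / rel).read_bytes())
        if verify_restore(restored, manifest):     # a clean restore must verify
            raise RuntimeError("clean restore failed verification")

        # Simulate what a bad restore looks like: one file truncated, one missing.
        (restored / "patients.db").write_bytes(b"constructed sample")
        (restored / "config.ini").unlink()
        return verify_restore(restored, manifest)


if __name__ == "__main__":
    for problem in restore_drill():
        print("RESTORE PROBLEM:", problem)
```

Keep the manifest somewhere the backup job cannot overwrite it; a manifest stored alongside the backup it describes is lost or altered together with that backup, which defeats the check.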

Page 31

Only use Supported Versions

Only deploy supported OS versions

• Windows XP?

• NO!!

Regularly upgrade to latest versions of applications (including Virence’s)
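The rules on the "Secure Systems" and "Supported Versions" slides (no extraneous software, fully patched, current AV/AM signatures, supported OS versions only) are all checkable from an asset inventory. The following Python audit is an added example (not from the deck or from Virence) that applies those rules to a constructed inventory; the unsupported-OS list, the patch and signature age thresholds and the domain-controller software baseline are assumed policy values.

```python
"""Endpoint inventory audit (added example, not from the deck).

Checks a constructed inventory against the rules on the "Secure Systems" and
"Supported Versions" slides: supported OS only, fully patched, current AV/AM
signatures, no browsers on servers, nothing extra on domain controllers.
The policy thresholds and the unsupported-OS list are assumptions.
"""
from datetime import date
from typing import Dict, List

UNSUPPORTED_OS = {"Windows XP", "Windows Server 2003"}   # assumed policy list
MAX_PATCH_AGE_DAYS = 35          # one monthly patch cycle plus a little slack
MAX_SIGNATURE_AGE_DAYS = 3
BROWSERS = {"chrome", "firefox", "edge", "iexplore"}
DC_BASELINE = {"ad-ds", "dns"}   # the only software a DC is expected to carry
AUDIT_DATE = date(2018, 11, 10)  # "today" for the constructed inventory


def audit_host(host: Dict, today: date) -> List[str]:
    findings = []
    if host["os"] in UNSUPPORTED_OS:
        findings.append("unsupported OS")
    if (today - host["last_patched"]).days > MAX_PATCH_AGE_DAYS:
        findings.append("patches older than policy")
    if (today - host["av_signatures"]).days > MAX_SIGNATURE_AGE_DAYS:
        findings.append("AV/AM signatures stale")
    installed = {name.lower() for name in host["software"]}
    if host["role"] in {"server", "domain-controller"} and installed & BROWSERS:
        findings.append(f"browser installed on {host['role']}")
    if host["role"] == "domain-controller" and installed - DC_BASELINE:
        findings.append("extraneous software on domain controller")
    return findings


def audit_inventory(inventory: List[Dict], today: date) -> Dict[str, List[str]]:
    """Hostname -> findings, listing only hosts with at least one finding."""
    report = {}
    for host in inventory:
        findings = audit_host(host, today)
        if findings:
            report[host["hostname"]] = findings
    return report


# Constructed inventory for a fictional practice.
INVENTORY = [
    {"hostname": "ehr-db01", "role": "server", "os": "Windows Server 2016",
     "last_patched": date(2018, 10, 15), "av_signatures": date(2018, 11, 9),
     "software": ["sql-server", "chrome"]},
    {"hostname": "dc01", "role": "domain-controller", "os": "Windows Server 2016",
     "last_patched": date(2018, 11, 1), "av_signatures": date(2018, 11, 9),
     "software": ["ad-ds", "dns"]},
    {"hostname": "frontdesk-03", "role": "workstation", "os": "Windows XP",
     "last_patched": date(2014, 4, 8), "av_signatures": date(2018, 10, 1),
     "software": ["ehr-client", "iexplore"]},
]

if __name__ == "__main__":
    for hostname, findings in audit_inventory(INVENTORY, AUDIT_DATE).items():
        print(f"{hostname}: {'; '.join(findings)}")
```

Run against a real inventory export, the interesting output is not the Windows XP box (everyone knows about that one) but the server that quietly acquired a browser: that is the "extraneous software" the slide warns about, and it only shows up if something checks for it.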

Page 32

Define & Follow Procedures

Upgrades

Change requests

Exception requests and approvals

Monitoring

Emergencies

• Know what you need to do before you need to do it

• Containment procedures

• Escalation & Notifications paths – who to notify? What to tell them?

• Emergency changes

Page 33

Learn from Others

Leverage best practices

In response to a breach / incident, ask “why weren’t we impacted?”

Example from Healthcare IT News – “How not to handle a data breach brought to you by Uber, Equifax and many others”

• Equifax –

• Failure to patch Apache Struts

• Attempted to blame Apache

• Email from official account sent users to a phishing site!

• Uber – paid $100K to hackers to keep a breach secret

• Others – glossed over the truth / lack of transparency

Page 34

User Management

Enabling vs. Managing

Apply Principle of Least Privilege / Role Based Access Controls

• Grant permissions as needed

Mandate complex passwords

• Consider deploying a password manager

Whatever you do, don’t blame users!

• Victim blaming doesn’t solve anything

• Assess related misunderstanding & take positive action

Education & enabling are key
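"Apply Principle of Least Privilege / Role Based Access Controls" and "grant permissions as needed" translate into two concrete behaviours: access is denied unless a role explicitly grants it, and someone periodically checks whether accounts have accumulated roles beyond their job. The following Python sketch is an added example (not from the deck or from Virence); the roles, job titles and accounts are constructed for a fictional ambulatory practice.

```python
"""Least-privilege, role-based access check (added example, not from the deck).

Permissions are granted only through roles, an unknown user or an unlisted
(action, resource) pair is denied by default, and an audit lists accounts that
hold roles beyond what their job title is expected to need. Roles, titles and
accounts below are constructed for a fictional ambulatory practice.
"""
from typing import Dict, Set, Tuple

Permission = Tuple[str, str]   # (action, resource)

ROLE_PERMISSIONS: Dict[str, Set[Permission]] = {
    "clinician":  {("read", "chart"), ("write", "chart"), ("read", "schedule")},
    "front-desk": {("read", "schedule"), ("write", "schedule"), ("read", "demographics")},
    "billing":    {("read", "demographics"), ("read", "claims"), ("write", "claims")},
    "it-admin":   {("manage", "accounts"), ("read", "audit-log")},
}

# Roles a job title is expected to hold: the "grant permissions as needed" baseline.
EXPECTED_ROLES: Dict[str, Set[str]] = {
    "physician": {"clinician"},
    "receptionist": {"front-desk"},
    "billing-specialist": {"billing"},
    "sysadmin": {"it-admin"},
}

USERS: Dict[str, Dict] = {
    "dr.lee":  {"title": "physician", "roles": {"clinician"}},
    "j.ortiz": {"title": "receptionist", "roles": {"front-desk", "billing"}},  # role creep
    "m.chen":  {"title": "sysadmin", "roles": {"it-admin", "clinician"}},      # admin reading charts
}


def is_allowed(user: str, action: str, resource: str) -> bool:
    """Deny by default: allow only if a role the user holds grants (action, resource)."""
    account = USERS.get(user)
    if account is None:
        return False
    return any((action, resource) in ROLE_PERMISSIONS.get(role, set())
               for role in account["roles"])


def audit_over_provisioning() -> Dict[str, Set[str]]:
    """User -> roles held beyond what the job title's baseline calls for."""
    excess = {}
    for user, account in USERS.items():
        extra = account["roles"] - EXPECTED_ROLES.get(account["title"], set())
        if extra:
            excess[user] = extra
    return excess


if __name__ == "__main__":
    print(is_allowed("dr.lee", "write", "chart"))    # True
    print(is_allowed("dr.lee", "write", "claims"))   # False: not part of the clinician role
    print(is_allowed("nobody", "read", "chart"))     # False: unknown account
    print(audit_over_provisioning())                 # {'j.ortiz': {'billing'}, 'm.chen': {'clinician'}}
```

The audit is the part that connects to "Enabling vs. Managing": a receptionist who covered billing for a month and kept the role is not a user problem, it is a process gap, and the fix is a recurring access review rather than blame.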

Page 35

Educate Your Users

Build a security culture

Conduct Phishing exercises to build awareness

“15 Examples of Phishing Emails from 2016-2017”

(https://www.edts.com/edts-blog/15-examples-of-phishing-emails-from-2016-2017)

• False urgency

• “You missed…”

• “Your account has been suspended/locked…”
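Phishing exercises teach users to spot the cues this slide lists, but once a user reports a message someone has to triage it, and two of the strongest signals (a link whose visible text names one domain while the href goes to another, and a display name borrowing a trusted brand from an unrelated sender domain) are mechanical checks rather than things to train people on. The following Python triage helper is an added example (not from the deck or from Virence); the phrase list, the trusted-brand table and both sample messages are constructed.

```python
"""Phishing-indicator triage for user-reported email (added example, not from the deck).

Scores a reported message on the cues the slide lists (false urgency,
"you missed...", "your account has been suspended/locked") plus two structural
checks that awareness training alone cannot give users: link text naming one
domain while the href points to another, and a display name claiming a trusted
brand from an unrelated sender domain. The brand list, the phrase list and the
sample messages are constructed for this example.
"""
import re
from typing import Dict, List
from urllib.parse import urlparse

URGENCY_PATTERNS = [
    r"\bimmediately\b", r"\bwithin 24 hours\b", r"\burgent\b", r"\bfinal notice\b",
    r"\byou missed\b", r"\baccount (has been|is) (suspended|locked)\b",
]
# Hypothetical brands the practice really deals with, and the domain each mails from.
TRUSTED_BRANDS = {"virence": "virencehealth.com", "microsoft": "microsoft.com"}
LINK_RE = re.compile(r'<a\s+href="([^"]+)"[^>]*>(.*?)</a>', re.IGNORECASE | re.DOTALL)
HOSTNAME_RE = re.compile(r"[a-z0-9.-]+\.[a-z]{2,}")


def registered_domain(host: str) -> str:
    """Last two labels of a hostname; crude, but enough to compare link and sender."""
    labels = host.lower().strip().split(".")
    return ".".join(labels[-2:])


def indicators(msg: Dict[str, str]) -> List[str]:
    found = []
    text = f"{msg['subject']} {msg['body']}".lower()
    for pattern in URGENCY_PATTERNS:
        if re.search(pattern, text):
            found.append(f"urgency phrase matched: {pattern}")
    for href, label in LINK_RE.findall(msg["body"]):
        href_domain = registered_domain(urlparse(href).hostname or "")
        shown = HOSTNAME_RE.search(label.lower())
        if shown and registered_domain(shown.group(0)) != href_domain:
            found.append(f"link text shows {shown.group(0)} but href goes to {href_domain}")
    display_name, _, address = msg["from"].lower().partition("<")
    if not address:                        # bare address with no display name
        display_name, address = "", display_name
    sender_domain = registered_domain(address.split("@")[-1].rstrip(">"))
    for brand, real_domain in TRUSTED_BRANDS.items():
        if brand in display_name and sender_domain != real_domain:
            found.append(f"display name claims {brand} but sender domain is {sender_domain}")
    return found


def triage(msg: Dict[str, str]) -> str:
    hits = len(indicators(msg))
    return "likely phishing" if hits >= 2 else "suspicious" if hits == 1 else "no indicators"


SAMPLES = {   # constructed, not real messages
    "lockout": {
        "from": "Microsoft Account Team <security@example.net>",
        "subject": "Your account has been suspended",
        "body": 'Act immediately: <a href="http://login.example.net/reset">'
                'https://login.microsoft.com/reset</a>',
    },
    "benign": {
        "from": "Clinic Scheduling <schedule@virencehealth.com>",
        "subject": "Updated appointment list for Monday",
        "body": 'The list is attached. Questions: <a href="https://virencehealth.com/help">'
                'virencehealth.com/help</a>',
    },
}

if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        print(name, "->", triage(msg), indicators(msg))
```

The urgency phrases are the weakest signal (legitimate mail uses them too), which is why the verdict needs two independent indicators; the link and display-name checks are what turns "this email felt off" into a reason the help desk can explain back to the user, which is the education the slide is asking for.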

Page 36

Plan Ahead

Recognize that upgrades are necessary

• Plan & budget accordingly

• New features!

• Other improvements that aren’t as obviously apparent

Don’t underbudget / underfund IT

“If it ain’t broke, don’t fix it” – doesn’t apply in Cybersecurity

“If it ain’t broke now, it may/will be in the foreseeable future…”

Page 37

Summary / Resources / Q&A

Page 38

Conclusions

No one is ever “done” with cybersecurity

There are no “silver bullets”

• There are best practices that significantly reduce risk

The scope can be daunting; attackers only need to find one vulnerability

Page 39

Leverage The Security Practitioner’s Mindset

Assume the worst case

Verify everything

Be vigilant

Practice transparency to the greatest extent possible

Share sensitive information on a need-to-know basis

Encourage & practice responsible disclosure

Get the straightforward stuff done promptly

Make informed risk-based decisions

Apply common sense

Page 40

Resources

US-CERT – https://www.us-cert.gov/

• “Avoiding Social Engineering and Phishing Attacks” – https://www.us-cert.gov/ncas/tips/ST04-014

HITRUST

• Virence Press Release – https://www.businesswire.com/news/home/20181105005072/en/Virence-Health-Technologies-Achieves-HITRUST-CSF%C2%AE-Certification

• HITRUST – https://hitrustalliance.net/

Page 41

Resources

General Secure Development Resources

• Microsoft SDL – https://www.microsoft.com/sdl

• Application Security – OWASP – https://www.owasp.org/index.php/Main_Page

Threat Modeling

• My talk at BSides Vancouver 2015 – https://www.youtube.com/watch?v=EClmWcRESP8

• Threat Modeling Book – Threat Modeling: Designing for Security

Page 42

Thank you!

Robert “Bob” Fruth

Principal Product Security Leader

[email protected] (subject to change)

206-607-5123

Page 43

Backup Materials

Page 44

Abstract

What does “Cybersecurity” Really Mean In Healthcare?: The term “Cybersecurity” appears in news headlines every day. But what does this buzzword mean for you and your practice? In this session, learn what “cybersecurity” really looks like for an ambulatory practice and walk away with tips and tricks that you can put in place to help ensure cybersecurity for your practice. While the technology you use plays a big part in this, it’s also important to create a culture where data is used correctly. This session will address technological, practical and cultural aspects of what cybersecurity looks like for an ambulatory practice. Note: This session will be given by a GE Healthcare/NewCo Cybersecurity expert.

Page 45

Speaker Biography

Bob Fruth has been involved with more successful product and service releases than he cares to remember. After many successful years in Silicon Valley, Microsoft brought him to Seattle. While at Microsoft, Bob provided security guidance for most of the company’s major product teams, served on and ran the Microsoft Crypto Board and was the focal point for Bing.com security and privacy. After being recruited to focus on security and privacy at GE Healthcare, he has transitioned with the businesses to Virence Health, where he finds himself teaching security essentials and authoring needed policies, all the while worrying about protecting patient medical and financial data. In his spare time, Bob watches soccer and hockey, plays music and enjoys traveling.

Page 46

Enhance care quality

“Centricity™ solutions help me unlock value in my organization in many ways. We use the EMR in a way that guides our staff down a path -- building rules into the software to help us. Using GE Healthcare products has actually helped us improve the [patient] wait time, and we are able to help our staff do the right thing.”

– Rhonda Draper, Ortho Northeast

©2018 Virence Health Technologies. All rights reserved. The contents provided herein are for information purposes only. Virence Health makes no representations or warranties as to current or future product functionality, or in any other respect, and Virence Health disclaims all liability from any reliance on the content or information provided herein.

Customer is responsible for understanding and meeting the requirements of achieving Meaningful Use and MACRA-related payment programs as applicable through use of HHS certified EHR technology and associated standards. Customer is responsible for understanding applicable Virence Health documentation regarding functionality and reporting specifications, including for Meaningful Use and MACRA-related payment programs, and for using that information to confirm the accuracy of attestation for Meaningful Use and MACRA-related payment programs. Customer is responsible for ensuring an accurate attestation is made and Virence Health does not guarantee incentive payments. Use of the product does not ensure customer will be eligible to receive payments.

Centricity Practice Solution v. 12.3 EHR Module and Centricity EMR v. 9.12 are ONC 2015 Edition compliant and have been certified by Drummond Group in accordance with certifiable action criteria. For additional certification and transparency information, visit www.gehealthcare.com/certifications.