Transcript
Page 1: Breaches and Ransomware! How Does Your Security Compare? › sites › himss... · Breaches and Ransomware! How Does Your Security Compare? Session #31, February 20, 2017 Ron Mehring,

1

Breaches and Ransomware! How Does Your Security Compare?

Session #31, February 20, 2017

Ron Mehring, CISO, Texas Health Resources

David Houlding, Director of Healthcare Privacy & Security, Intel

Page 2

Speakers Introduction

David Houlding, MSc CISSP CIPP, Director, Healthcare Privacy & Security, Intel Health & Life Sciences

Ron Mehring, VP, Technology & Security, Texas Health Resources

Page 3

Conflict of Interest

Ron Mehring and David Houlding

Have no real or apparent conflicts of interest to report.

Page 4

Agenda

1. Healthcare Breaches, Ransomware, and Compliance

2. How Does Your Security Compare?

3. Healthcare Industry Security - Gaps and Opportunities for Improvement

4. Healthcare: Face Security Challenges as a Team

5. Information Sharing in Practice

6. Opportunities to Engage in Healthcare Security Information Sharing

7. Q&A

Page 5

Learning Objectives

• Discuss effective approaches to defending against cybersecurity attacks

• Apply effective approaches to sharing cybersecurity information

• Discuss cybersecurity benchmarking

Page 6

An Introduction of How Benefits Were Realized for the Value of Health IT

• Satisfaction: improve patient satisfaction and build trust by helping to improve security and reduce breaches and ransomware

• Electronic Secure Data: improve security of sensitive patient information

– Highlight gaps, enable information sharing to improve security

• Savings: reduce breaches and ransomware and associated business impacts and costs

Page 7

Breaches & Ransomware – A Perfect Storm

[Diagram: four forces converging on Breaches & Ransomware]

• Data more widely available

• Intolerant to disruption

• Data more valuable

• Security lagging

Page 8

Healthcare Breaches and Ransomware Impact

Per capita cost of a data breach by industry [4]:

  Healthcare      $355
  Education       $246
  Financial       $221
  Services        $208
  Life science    $195
  Retail          $172
  Communications  $164
  Industrial      $156
  Energy          $148
  Technology      $145
  Hospitality     $139
  Consumer        $133
  Media           $131
  Transportation  $129
  Research        $112
  Public          $80

• Healthcare has the highest data breach costs per capita. [2]

• More than half of hospitals hit with ransomware in last 12 months. [3]

• Cost 1.6B per year in US. [1]

Page 9

Healthcare Security - Survival

• Severe impact of breaches

• Compliance is necessary … but not sufficient

• How far do you have to go?

• How does your security compare?

• How can you benchmark your security?

Page 10

Improved Breach Security, Usability, Cost, IT Operations

Baseline

+ Policy, Risk assessment
+ Audit and compliance
+ User training
+ Endpoint device encryption
+ Mobile device management
+ Data Loss Prevention (discovery)
+ Anti-malware
+ IAM, Single factor access control
+ Firewall
+ Email gateway
+ Web gateway
+ Vulnerability management, patching
+ Security incident response plan
+ Secure Disposal
+ Backup and Restore

Enhanced

+ Device control
+ Penetration testing / vulnerability scan
+ Client Solid State Drive (encrypted)
+ Endpoint Data Loss Prevention
+ Network Data Loss Prevention (monitoring, capture)
+ Anti-theft: remote locate, lock, wipe
+ Multi-factor authentication w timeout
+ Secure remote administration
+ Policy based encryption for files and folders
+ Server / database / backup encryption
+ Network segmentation
+ Network Intrusion Prevention System
+ Business associate agreements
+ Virtualization

Advanced

+ Server Solid State Drive (encrypted)
+ Network Data Loss Prevention (prevention)
+ Database activity monitoring
+ Digital forensics
+ Security Information and Event Management
+ Threat intelligence
+ Multi-factor authentication with walk-away lock
+ Client Application Whitelisting
+ Server Application Whitelisting
+ De-identification / anonymization
+ Tokenization
+ Business Continuity and Disaster Recovery

Page 11

Healthcare Security Benchmark

• How does your security compare to the healthcare industry?

• Comprehensive: 8 breach types, 42 security capabilities

• 51+ healthcare organizations, projected to grow by multiples

• Global: 8+ countries

• Maturity, priorities, and capabilities

• Compliance: HIPAA, NIST, PCI DSS, ISO2700x, GDPR, CIS, …

• Sample report: Intel.com/BreachSecurity

• Open industry collaboration, with 40+ partners globally

• Other industries, for example retail, enable cross-vertical comparisons

Page 12

Healthcare Priorities by Breach Type

  #  Breach Type                               Priority / Level of Concern
  1  Ransomware                                High            88%
  2  Cybercrime Hacking                        Medium / High   78%
  3  Insider Accidents or Workarounds          Medium          59%
  4  Loss or Theft of Mobile Device or Media   Medium          52%
  5  Business Associates                       Medium          47%
  6  Insider Snooping                          Medium          47%
  7  Improper Disposal                         Low / Medium    41%
  8  Malicious Insiders or Fraud               Low / Medium    41%

Source: Intel.com/BreachSecurity, N=51, global scope, Thursday, 5 Jan 2017 15:20 PST

Page 13

Ransomware Readiness

• Percentage of relevant capabilities implemented: Lowest 17%, Average 59%, Highest 85%

• Large variation in readiness, lack of awareness

• Raise awareness, bring in stragglers

• Help iterate healthcare industry up levels of maturity
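The readiness figures on this slide are coverage percentages: for each breach type, the share of the capabilities relevant to it that an organization has in place, compared against the peer distribution. The following is an added example of how such a benchmark is computed and turned into a gap list; it is not Intel's benchmark tool and uses none of its data. The capability names are a subset of the 42 capabilities on slide 10; the mapping of capabilities to breach types, the sample organization and the peer scores are all constructed for the example.

```python
"""Capability-coverage benchmark: per-breach-type readiness and peer comparison.

Added illustration, not Intel's benchmark tool. The relevance mapping, the
sample organization and the peer scores are constructed for the example.
"""
from statistics import mean

# Which capabilities count as "relevant" to each breach type (constructed
# mapping; the real benchmark covers 42 capabilities across 8 breach types).
RELEVANT = {
    "Ransomware": {
        "user_training", "anti_malware", "email_gateway", "web_gateway",
        "vulnerability_management", "backup_and_restore",
        "incident_response_plan", "network_segmentation",
        "application_whitelisting", "business_continuity_dr",
    },
    "Cybercrime Hacking": {
        "user_training", "vulnerability_management", "firewall",
        "network_ips", "multi_factor_auth", "siem", "threat_intelligence",
        "penetration_testing", "network_segmentation",
        "incident_response_plan",
    },
    "Loss or Theft of Mobile Device or Media": {
        "endpoint_device_encryption", "mobile_device_management",
        "anti_theft", "secure_disposal",
    },
}


def readiness(implemented: set, breach_type: str) -> float:
    """Share of the capabilities relevant to breach_type that are in place."""
    relevant = RELEVANT[breach_type]
    return len(implemented & relevant) / len(relevant)


def gap_list(implemented: set, breach_type: str) -> list:
    """Relevant capabilities not yet implemented, sorted for planning."""
    return sorted(RELEVANT[breach_type] - implemented)


def compare_to_peers(score: float, peer_scores: list) -> dict:
    """Place one organization's score against a peer distribution.

    Percentile is the share of peers scoring strictly below this organization.
    """
    below = sum(1 for s in peer_scores if s < score)
    return {
        "score": round(score, 2),
        "peer_low": round(min(peer_scores), 2),
        "peer_avg": round(mean(peer_scores), 2),
        "peer_high": round(max(peer_scores), 2),
        "percentile": round(100 * below / len(peer_scores)),
    }


def benchmark_report(implemented: set, peers_by_type: dict) -> dict:
    """Readiness, peer position and gaps for every breach type with peer data."""
    return {
        bt: {**compare_to_peers(readiness(implemented, bt), peers),
             "gaps": gap_list(implemented, bt)}
        for bt, peers in peers_by_type.items()
    }


# Constructed sample organization: capabilities it has implemented.
ORG = {"user_training", "anti_malware", "email_gateway", "firewall",
       "vulnerability_management", "backup_and_restore",
       "endpoint_device_encryption", "mobile_device_management"}

# Constructed peer readiness scores for ransomware (10 organizations).
PEERS = [0.17, 0.30, 0.45, 0.50, 0.55, 0.60, 0.62, 0.70, 0.75, 0.85]

if __name__ == "__main__":
    report = benchmark_report(ORG, {"Ransomware": PEERS})
    for breach_type, row in report.items():
        print(breach_type, row)
```

The gap list is what turns a benchmark into a work plan: the organization above sits at the 30th percentile for ransomware readiness, and the five missing capabilities are the candidates for the next budget cycle.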

Page 14

User Awareness Training Capability

• Foundational

• Phishing

– Ransomware

– Cybercrime Hacking

• Accidents and Workarounds

Page 15

Risk Assessment Capability

• Foundational

• Prioritize Risks

• Maximize Budget

• Prepare for audits

Page 16

Endpoint Device Encryption Capability

• Foundational

• Protect Confidentiality

• Loss or Theft of Mobile Device or Media

Page 17

Security Incident Response Plan Capability

• Foundational

• Decisive and coordinated response to security incidents

• Stop loss

• Minimize impact

• Remediate

• Avoid improvising during a security incident

• Many steps and organizations involved

Page 18

Threat Intelligence Capability

• (Early!) detection is key

• Acquisition and sharing threat and vulnerability information

• Reputational

• Static / dynamic analysis

• Behavioral analytics

• Enable healthcare to face threats as an industry vs individually
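Reputational matching is the simplest form of the capability above: indicators shared by peers (domains, address ranges, file hashes) are checked against local telemetry, and hits are fed back to the sharing community. The following is an added example, not from the talk: a constructed indicator list in the shape a sharing feed might take, matched against constructed proxy/DNS log lines. The log format, the indicator values and the tags are assumptions made for the example.

```python
"""Match shared threat indicators against proxy/DNS log lines.

Added example, not from the talk. Indicator values, tags and log lines are
constructed; the log format is an assumption for the example.
"""
import re
from ipaddress import ip_address, ip_network

# Constructed indicator set as it might arrive from a sharing feed.
INDICATORS = [
    {"type": "domain", "value": "update-check.example", "tag": "ransomware-c2"},
    {"type": "ipv4-net", "value": "203.0.113.0/24", "tag": "phishing-infra"},
    {"type": "sha256", "value": "0123456789abcdef" * 4, "tag": "dropper"},
]

# Constructed log format: "<timestamp> <source-ip> <dns|http> <host[/path]> [sha256=<hex>]"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<kind>dns|http) (?P<target>\S+)"
    r"(?: sha256=(?P<sha>[0-9a-fA-F]{64}))?$"
)


def _host_of(target: str) -> str:
    """Hostname (or literal IP) part of a 'host/path' target, lower-cased."""
    return target.split("/", 1)[0].lower()


def _is_ip(host: str) -> bool:
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def match_line(line: str, indicators=INDICATORS) -> list:
    """Tags of every indicator the log line hits; empty list for no match.

    Domains match on exact name or any subdomain; address ranges match a
    literal IP host; hashes match the sha256= field when present.
    """
    m = LOG_RE.match(line.strip())
    if not m:
        return []
    host = _host_of(m["target"])
    hits = []
    for ind in indicators:
        kind, val = ind["type"], ind["value"]
        if kind == "domain" and not _is_ip(host) and (
                host == val or host.endswith("." + val)):
            hits.append(ind["tag"])
        elif kind == "ipv4-net" and _is_ip(host) and ip_address(host) in ip_network(val):
            hits.append(ind["tag"])
        elif kind == "sha256" and m["sha"] and m["sha"].lower() == val:
            hits.append(ind["tag"])
    return hits


def scan(lines, indicators=INDICATORS) -> list:
    """(source ip, tag) detections across a log, one per matching indicator."""
    detections = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        for tag in match_line(line, indicators):
            detections.append((m["src"], tag))
    return detections


SAMPLE_LOG = [  # constructed
    "2017-02-20T10:01:02Z 10.1.4.22 dns cdn.update-check.example",
    "2017-02-20T10:01:05Z 10.1.4.22 http 203.0.113.45/login.php",
    "2017-02-20T10:02:10Z 10.1.7.8 http files.example.org/setup.exe sha256=" + "0123456789abcdef" * 4,
    "2017-02-20T10:02:11Z 10.1.7.8 dns intranet.hospital.local",
]

if __name__ == "__main__":
    for src, tag in scan(SAMPLE_LOG):
        print(f"{src} -> {tag}")
```

Two detections from the same internal host within seconds (a C2 domain lookup followed by a connection into phishing infrastructure) is exactly the early signal the slide is after; the hits, with local context stripped, are also what an organization contributes back to the community that supplied the indicators.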

Page 19

How Does Your Security Compare?

• Benchmark security relative to healthcare industry

– Maturity, Priorities, Capabilities

– Mappings to HIPAA, NIST, PCI DSS, ISO2700x, GDPR, CIS, …

• 1 hour, complimentary, confidential

• Sample report at Intel.com/BreachSecurity

• Information sharing through benchmarks

Page 20

Security from a Healthcare Delivery System Perspective

Page 21

Setting the Organizational Risk Profile and Priorities

• In even the smallest healthcare organizations risk prioritization can be difficult.

• Security programs have many different pressure points that complicate risk decisions.

• Using benchmarks can help inform risk management.

Page 22

Healthcare and the integrated cyber future

• Optimization of healthcare operations is driving the adoption of new and innovative technology platforms.

• Merger and acquisition is occurring at an increasing rate.

• Tighter technology integration is occurring across multiple platform types.

• The end user and the patient are driving new and innovative technology use cases.

Page 23

Living with Risk in a Healthcare Delivery System

• Design and operate controls with the understanding that both unknown and known risk will exist in the healthcare system.

• Inventory as much risk as possible. Treat it as a portfolio of risk rather than as independent risks.

• Be cautious of aggregate pooling of risk.

• Consider using an all-hazards approach. Inventory threat scenarios and orient them to risk.

• Use “High Reliability Principles” when analyzing risk and associated scenarios and designing controls.

• Be data driven!

[Diagram: Cyber Risk Portfolio, made up of Medical Device, Vendor Risk, Applications, Core Infrastructure, and JV - Partners]

Page 24

Operations and Risk

• Ensure operational performance data is fed back into the risk program.

• Techniques such as Kanban and Theory of Constraints can help improve performance.

• Use risk scenarios (threat models) as a bridge between risk management and operations.

• Recognize that security risk decisions are tradeoffs.

• Best practices still must have a risk analysis performed. Not all best practices are appropriate for every environment.

• Be cautious of using “cybersecurity dogma” as a basis for risk prioritization.

[Diagram: Risk and Operations loop. Risk sets Appetite - Requirements; Operations returns Performance - Outcomes.]

Page 25

Information Sharing and Benchmarks

Page 26

Navigating unfamiliar waters

• Have you ever wondered what your industry peers are focused on?

• What attacks are your industry peers seeing?

We all have the same questions and problem sets.

Page 27

Sharing is caring

https://www.infragard.org

https://nhisac.org

https://hitrustalliance.net

Information sharing is an excellent way to crowdsource your cyber security program.

There are multiple sharing forums for threat information, implementation experiences and benchmark data.

Page 28

Inventory of Risk, Benchmarks and Exposure

[Diagram: Identified Risks set against Benchmarks]

• Should we invest in clinical workstation encryption or not?

• Benchmarks can be helpful and provide great context, but proceed with caution.

Diagram callout: Clinical workstations do not store data and are not encrypted.

Page 29

In the absence of benchmarks create your own

Page 30

Medical Devices - Shining Light in Dark Places

Medical Device Risk Management

1. Identify exposure

– Perform risk assessments

– Group by vendor, device type and use case

– Threat and vulnerability identification

2. Design high reliability based controls

– Recognize control limitations

– Understand the uniqueness of medical device systems

– Appropriate balance between safety and privacy must be recognized

3. Continuously monitor, measure and act

– Establish risk thresholds

– Tailored incident response plan

4. Cross functional steering group

– Get involved with industry groups such as NH-ISAC and MDISS

Page 31

Let's start with Vulnerability Management

• The problem with many vulnerability management programs is that they assume a bad outcome will occur. This makes it difficult to prioritize.

• In most cases there is an enormous volume of weighted data with limited context.

• The vulnerability process needs to be informed by bad-outcome and threat intelligence data.

• Applying risk-based approaches to remediation prioritization requires synchronizing risk scenarios and harm events.

• Most organizations do not have the ability to fix all of the high-risk vulnerabilities.

Page 32

Creating a more effective, data driven Vulnerability Management program

• At Texas Health Resources we use a data driven approach that melds high reliability principles, theory of constraints and kanban processes.

• Prioritization and controlling Work in Progress drives a successful, operationally sensitive vulnerability management program.

• Vulnerability management has a daily cadence and rhythm.
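Slides 31 and 32 make two points: a scanner score alone assumes the bad outcome will happen, and remediation work should be prioritized by risk and pulled through a queue with a limit on work in progress. The following is an added example of that prioritization, not Texas Health Resources' tooling: severity is scaled by threat intelligence (evidence of active exploitation), exposure, the harm a bad outcome would do to care delivery, and the presence of a compensating control; a Kanban pull then fills a fixed number of in-progress slots from the head of the queue. The weights, asset classes, findings and CVE identifiers (placeholders, not real CVEs) are all constructed.

```python
"""Risk-based remediation queue with threat intelligence and a WIP limit.

Added example, not Texas Health Resources' tooling. Weights, asset classes,
the "known exploited" feed and the findings (placeholder CVE ids) are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    host: str
    cve: str
    cvss: float                 # scanner base score, 0-10
    internet_facing: bool       # exposure: reachable from outside the network
    asset_class: str            # "clinical", "business" or "test"
    compensating: bool = False  # e.g. segmented, IPS signature already in place


# Constructed threat feed: placeholder CVE ids with evidence of active exploitation.
KNOWN_EXPLOITED = {"CVE-0000-0001", "CVE-0000-0003"}

# Harm weight by asset class: what a bad outcome would mean for care delivery.
HARM = {"clinical": 3.0, "business": 2.0, "test": 0.5}


def risk_score(f: Finding, exploited: set = KNOWN_EXPLOITED) -> float:
    """Combine severity, threat intel, exposure, harm and controls into one number.

    CVSS by itself assumes the bad outcome occurs. Here it is doubled when the
    bug is being exploited in the wild, raised for internet-facing hosts,
    scaled by the harm an incident would cause, and halved when a compensating
    control already limits the impact.
    """
    score = f.cvss
    score *= 2.0 if f.cve in exploited else 1.0
    score *= 1.5 if f.internet_facing else 1.0
    score *= HARM[f.asset_class]
    score *= 0.5 if f.compensating else 1.0
    return round(score, 1)


def prioritize(findings: list) -> list:
    """Findings ordered by descending risk score, ties broken by raw CVSS."""
    return sorted(findings, key=lambda f: (risk_score(f), f.cvss), reverse=True)


def pull_into_wip(queue: list, in_progress: list, wip_limit: int) -> list:
    """Kanban pull: fill the open WIP slots from the head of the priority queue.

    Returns the new in-progress list; the caller keeps the rest queued. Limiting
    WIP keeps the team finishing remediations instead of starting many at once.
    """
    slots = max(0, wip_limit - len(in_progress))
    return in_progress + queue[:slots]


FINDINGS = [  # constructed
    Finding("ehr-app-01", "CVE-0000-0001", 7.5, True, "clinical"),
    Finding("infusion-gw-07", "CVE-0000-0002", 9.8, False, "clinical", compensating=True),
    Finding("hr-portal", "CVE-0000-0003", 6.5, True, "business"),
    Finding("lab-test-vm", "CVE-0000-0004", 9.8, False, "test"),
    Finding("fileshare-02", "CVE-0000-0005", 8.1, False, "business"),
]

if __name__ == "__main__":
    queue = prioritize(FINDINGS)
    for f in queue:
        print(f"{risk_score(f):6.1f}  {f.host:15s} {f.cve}  cvss={f.cvss}")
    print("pulled into WIP:", [f.host for f in pull_into_wip(queue, [], 2)])
```

Note what the ordering does to the two CVSS 9.8 findings: the segmented infusion gateway and the test VM both fall below a 6.5 on an internet-facing HR portal that the feed says is being exploited. That is the "bad outcome and threat intelligence data" the slide asks for, applied before the team commits its limited daily capacity.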

Page 33

Threat and Security Incident Management

• Directly integrating threat events and incidents into a risk management framework is critically important.

• Create a feedback loop of indicators and risk thresholds that flow into operations and continuous improvement processes.

• Data driven workflows allow for the measuring of control performance – effectiveness.

• There are benchmarks and reports that can assist.

Page 34

Continuous Improvement, Data Driven Assessments and Exercises

• Improving incident response performance and baselining control effectiveness requires continuous assessments, exercising and testing.

• A quarterly driven independent assessment cycle ensures regular testing of control effectiveness.

• Adding risk exposure and threat data into assessments helps ensure the assessment cycle is focused on testing weaknesses in compensating controls.

• Data helps feed the continuous improvement cycle and reinforces high reliability principles.

Page 35

A Summary of How Benefits Were Realized for the Value of Health IT

• Satisfaction: improve patient satisfaction and build trust by helping to improve security and reduce breaches and ransomware

– Benchmarks, information sharing, collaboration

• Electronic Secure Data: improve security of sensitive patient information

– Highlight maturity, 8 priorities, 42 capabilities, gaps, to enable information sharing in order to improve security

• Savings: reduce breaches and ransomware and associated business impacts and costs

– Frequency of occurrence, business impact

Page 36

Questions?

• [email protected]

• [email protected]

• linkedin.com/in/DavidHoulding

• twitter.com/DavidHoulding

• twitter.com/mehringrc

• linkedin.com/in/ron-mehring

• Please complete online session evaluation

