Getting Ready for the Next International Cyber-attack
Session CYB2, March 5, 2018
Kristopher Kusche, VP & CISO
Albany Medical Center
Conflict of Interest
Kristopher Kusche, M.Eng., CISSP, CPHIMS, FHIMSS
Has no real or apparent conflicts of interest to report.
Learning Objectives
• Outline how and why WannaCry, NotPetya, and other recent significant security incidents affected healthcare organizations
• Explain what healthcare organizations are doing to enhance their cyber preparedness for the next significant cyber security incident
• Illustrate the role and value of cyber threat information sharing
Recent Cyber Attacks
• Multiple attacks using “EternalBlue”, an exploit from the leaked NSA toolkit
– “WannaCry”, “NotPetya”
• Other major variants
– “Bad Rabbit”
• 2017 ransomware impacts are estimated at $5B worldwide
• Healthcare is the #1 cyber attacked sector
WannaCry Global Impacts
• Targeted a known (and patched) vulnerability in the Windows OS
• Hundreds of thousands of computers encrypted in several days
• Many hospitals world-wide with services impacted
– Medical devices hit specifically hard
• Radiology modalities, contrast injectors
• Patient monitoring systems, others
• Estimated that less than $150,000 total ransom paid
• Damages due to downtime and mitigation efforts estimated in the hundreds of millions!!!
Other Impact Example
• Erie County Medical Center in Western New York, 2017
• Hit by an undisclosed ransomware asking for $30k in Bitcoin
• Recovery of computer systems lasted for more than a month
– Estimated 6,000 hard drives wiped/restored
• Impact was estimated at $10M
– Covered by cyber insurance
Sources:
1) https://www.distilnfo.com/hitrust/2017/05/29/erie-county-medical-center/
2) https://www.cybersecurity-insiders.com/ecmc-spends-10-million-to-recover-from-a-cyber-attack/
Other Impact Example (cont.)
• No technology will keep 100% of attacks out of your network
• Ask your organization if you have:
– Good data backups?
– Layered security aka Defense in Depth
– A strong emergency preparedness program including downtime procedures?
– (Enough) cyber insurance?
Why Healthcare?
• Why are these cyber attacks occurring?
• How does Healthcare stack up against other sectors?
• What can we do to prevent or recover from an attack?
Let’s start at the beginning…
Critical Infrastructure
• Established in 2003 under Homeland Security Presidential Directive 7 and updated in 2013 under Presidential Policy Directive 21 (PPD-21)
• Identifies 16 critical infrastructure sectors that are considered so vital to the United States that their incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety
• Department of Health and Human Services is the Healthcare sector-specific agency responsible for implementing and managing PPD21
Critical Infrastructure Sectors
• Chemical Sector
• Commercial Facilities Sector
• Communications Sector
• Critical Manufacturing Sector
• Dams Sector
• Defense Industrial Base Sector
• Emergency Services Sector
• Energy Sector
• Financial Services Sector
• Food and Agriculture Sector
• Government Facilities Sector
• Healthcare and Public Health Sector
• Information Technology Sector
• Nuclear Reactors, Materials, and Waste Sector
• Transportation Systems Sector
• Water and Wastewater Systems Sector
Breach Statistics for Healthcare
In 2017, healthcare was the most breached sector:
• 374 total reported healthcare breaches
• Over 5.1 million patient records impacted
• Accounts for over 28% of all breaches across all sectors
• The average cost of a breach per organization was $7.35M
• Each breached healthcare record cost approximately $380 vs. $141 across all sectors
Sources:
1) 2017 Breach Stats Summary, Identity Theft Resource Center, www.itrc.org
2) 2017 Cost of Data Breach Study, Ponemon Institute, www.ponemon.org
2017 Breaches by Industry (chart): Healthcare 28%, Education 9%, Banking 7%, Government 5%, All Other 51%
Attack Motives
• Espionage, Data Exfiltration
• Money (i.e., ransomware)
• Disruption (political, economic, functional)
– WannaCry (N. Korea); NotPetya, Bad Rabbit (Russia)
– All attributed to nation states
• In short, many of the recent attacks are NOT targeting healthcare BUT healthcare becomes a victim based on gaps in security best practices
Causes of Breaches in Healthcare
Breaches are always a mix of external and internal technical and non-technical causes:
– Workforce awareness
• Phishing leading to account breaches
– Open network borders (e.g., protocols, ports, defaults)
– Inadequate PHI policies and processes
– Inadequate internal defenses
• We need the Simple AND the Complex solutions
Compliance vs. Effectiveness
PHI Breach Impacts
• 10 OCR Settlements in 2017
• Fines can range up to $50,000 per violation per incident
• Settlements cost ~$20M
• Root causes:
– No HIPAA BAA
– Inadequate Risk Assessment and Audit
– Lack of Technical Measures to protect PHI, including access management and encryption
• Not to mention corrective costs and reputational damage
Security Program Overview
• Choose a Security Framework (e.g., NIST, HITRUST) and map your program to it
• Measure against a Capabilities Maturity Model (e.g., COBIT)
• Program completeness measured at the lower levels
• Program effectiveness measured at the higher levels
• Leadership awareness, support AND participation for successful implementation
• Does your organization’s IT security program have Board level sponsorship and access?
Sample Cyber Security Framework
Program areas and capabilities shown on the framework diagram: Cybersecurity; Data at Rest; Data in Transit; Data Loss Prevention; Threat Monitoring & Assessment; Web Traffic Filtering; Network; Governance and Policy; Risk Management; Remote Access Control; Mobile Device Mgmt.; Planning and Testing DR/BC; Bus/App Impact Analysis; Intrusion Detection/Prevention; Network Segment.; Gateway Firewalls; Network Access Control; Threat Intelligence & Alerting; Advanced Threat Detection; Threat Intelligence Exchange; Endpoint/Workforce Protection; Managed Security Services; Sec. Info. Event Mgmt. (SIEM); Incident Response; Case Mgmt.; Security Operations Center; Forensics Capabilities; Vulnerability Management; Software Version Control; Penetration Testing; Scan/Patch Reporting; Security Oversight; Policies and Procedures; PCI DSS Compliance Reviews; Regulatory Compliance Reviews; Performance Reports and Metrics; Admin Rights Audit; Access Review; FERPA; Roadmap Refresh; BA Agreements; Security Program Management; 3rd Party Assess.; Application Assess.; EHR Access Monitoring; Litigation & Contract Review; Medical Device Assess.; Proactive Access Monitoring; Vendors; Identity and Access; Security Metrics; Privileged Accounts Mgmt.; Vendor Access; Identity Access Mgmt.; Account Admin.; Active Directory Mgmt.; Single Sign-On; Multifactor Auth.; Workforce Security; Background Check; Security Awareness Training; Joint Comm. Training
Risk Assessment
• Sounds basic but almost ALL OCR settlements cited Risk Assessment as a critical lapse of compliance!!!
– Does your organization have a formal Risk Register?
• Must begin with a solid inventory:
– Inventory Control # associated to make, model, serial, software/firmware versions, patch levels, etc.
– Understanding of upstream/downstream connectivity points and dependencies
• Risk assessment and Risk Registers are living processes!!!
Sample Risk Register
Risk Identification
Risk ID: R010
Risk Title: Firewall wrongly configured for DMZ
Risk Description: Wrongly configured firewall can allow malicious traffic access to systems
Risk Analysis
Risk Trigger Description (if > this): Mistake made in firewall rules; exploited vulnerability in the firewall
Potential Outcome (then > this): DMZ compromise; system shutdown, integrity breach
Risk Exposure: 0.060
Risk Mitigation
Risk Response Type: Mitigate
Risk Response Description: Implement the application firewall feature in the DMZ for tighter security beyond the hardware firewall.
Protective Measures
Once a Risk Assessment process is established, then protection can begin:
• Education
• Patching
• IDS/IPS (Intrusion Detection/Prevention System)
• Application Whitelisting (TIE/ATD)
• SIEM (Security Information and Event Management)
• Life cycle management
IDS/IPS
• What it does:
Scans network traffic and automates alerting and action based on rule sets and machine learning
• Effectiveness:
Can detect, alert and block, in real-time, malicious code or attempted network connections
Can retrospectively determine if indeterminate traffic is malicious
• Examples:
Malware file download, CNC connections, TOR attempts
IDS/IPS Sample
Intrusion Detection and Prevention Systems allow for automated alerting and action based on rule sets and machine learning:
**Auto Generated Email** -- Network Based Retrospective Alerts
<*- Network Based Retrospective at Thu Jan 18 06:25:58 2018 UTC -*>
Sha256: 6cecd0164877dab3e90b94ad6d0b6e2eb54d0c43969991f6def00b8ae63218d0
Disposition: Malware
Threat name: Win.Worm.Mydoom-90
(Slide callouts: Alert Name = Network Based Retrospective; Hash = Sha256 line; Result = Disposition; Malware Name = Threat name)
Application Whitelisting
• What it does:
Monitors networked devices for unapproved applications being run and automates alerting and action based on rule sets and machine learning
• Effectiveness:
Can detect, alert and block, in real-time, malicious code execution or unlicensed/unapproved installations
• Examples:
Malware via email attachment execution or website code launch
Application Whitelisting Sample
Threat Analysis Report
Threat Level - Malicious
File Name: V031336_0036_OIS-INSTALLER.EXE
MD5 Hash Identifier: 31B2A96058B45168C012789710C71F04
SHA-1 Hash Identifier: 8E71D3E2FA7217142C1CEE7715EE88A4D4A5D088
SHA-256 Hash Identifier: D5F8449DB842F39119ACD5E201193B1E83CDD80A2B6A1A7BA0B2C85CA85FBBAE
Sandbox Replication: 182 seconds
Behavior Classification:
– Hiding, Camouflage, Stealthiness, Detection and Removal Protection: Medium
– Security Solution / Mechanism bypass, termination and removal, AntiDebugging, VM Detection: Low
Dynamic Analysis (1% of code dynamically executed)
SIEM – MUST HAVE!!!
• Message/Event Aggregator
– System integration
• Automation
– Alerts
– Downstream Rules
• In-house or service
• This is complex!!!
(Non-modified artwork attributed to Jorge Arimany (Own work) [CC BY-SA 3.0 (https://creativecommons.org/licenses/by-sa/3.0)], via Wikimedia Commons)
SIEM Example
Sample is malicious
= ALARM DETAILS START =
Alarm Name: ATD- Cyber Threat Feed
Alarm Description: ATD TIE CyberThreatfeed
= ALARM DETAILS END =
=== CORRELATED EVENT START ===
Device Name: ATD01
Rule Message: Sample is malicious
Signature ID: 525-2089798990
Source IP: XXX.XXX.147.150
Destination IP:
Source User:
Destination User:
=== CORRELATED EVENT END ===
SIEM Example
Malware Traffic with a known Botnet CnC
= ALARM DETAILS START =
Alarm Name: Traffic to and from known Botnet IP
Correlation RULE: Sig ID: 47-6111152
= ALARM DETAILS END =
=== CORRELATED EVENT START ===
Device Name: Rule Correlation
Rule Message: Malware Traffic with a known Botnet CnC
Signature ID: 47-6111152
Source IP: 43.248.73.6
Destination IP: XXX.XXX.213.86
=== CORRELATED EVENT DETAILS END ===
Incident Response
• Playbooks (NASA)
• Documentation of systems, networks, data sources
• Disconnect policy
• Requires inventory of systems and business processes impacted
• Understanding of connectivity
• Application to application
• Data Sharing (e.g., extra-organizational, HIE)
• Rules for activation
Medical Device Vulnerabilities
Medical device security is complicated for many reasons:
• FDA position on patching
• Connectivity Requirements Complicates Isolation and Mitigation
• Unalterable configurations
• End-of-Life or turn-key operating system installs
• Incompatible with many IT security toolsets
• Knowledge and interaction between CE and IT
Medical Device Strategy
• Risk Assessment (CVSS)
• Contracting (MDS2)
• Inventory
• Isolation
• Patching
• Enforce standards
Medical Device Risk Assessment Sample
Asset Description: ABLATION UNIT
Manufacturer: XYZ CORP.
Model Number: Ablatomatic 2000
Risk Score: 1.9
Device Notes: Used to ablate calcium in coronary arteries.
– No PHI
– No network connection
– Physical access only
– Risks
1) System modified to increase power to cause more damage
2) Failure during use
Security Review Recommendations: Assure system is tested before use to verify power setting per manufacturer instructions
CVSS Vector: CVSS:3.0/AV:P/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:X/RC:X
Info Sharing Organizations
Multiple State, Federal, Private/Public Cyber Info Sharing Groups
• Information Sharing and Analysis Centers (NH-ISAC, MS-ISAC)
• Computer Emergency Readiness Teams (US-CERT)
• State Police (e.g., NYSIC CAU)
• Dept of Homeland Security, FBI, InfraGard
These organizations provide sector intelligence and alerts, action recommendations and Indicators of Compromise (IoCs)
Indicators of Compromise
• Hashes
2201da686961c95063ee92f5ff371e5143198c79aaa58b0c04cf110d143d2871
e8a21f95c6e5b722bbf999e6ea10ee4ca5185130c4c3564349b7f936047ced58
86aa82558c4005111a7d1df1cf23f76eeaae0039268b6b0e262164ebf9cea79a
8eabfa74d88e439cfca9ccabd0ee34422892d8e58331a63bea94a7c4140cf7ab
72832db9b951663b8f322778440b8720ea95cde0349a1d26477edd95b3915479
• Files names
msvcsexec.exe
• Patches
Microsoft Windows Defender definitions
Version: 1.261.29.0
Released: Jan 19,2018 08:50 AM UTC
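Indicators like the ones above are only useful once they are checked, automatically, against what the IDS/IPS, SIEM and endpoint tools are already reporting (the retrospective email and the correlated-event alarms shown earlier). The script below is an added example, not code from the slides or from any vendor product: it pulls SHA-256 hashes, IPv4 addresses and executable names out of free-form alert text and matches them against a shared indicator list. The five hashes, the file name msvcsexec.exe and the botnet address 43.248.73.6 are the values on these slides; the feed layout, the sample events and the internal 10.20.30.40 address are constructed for the example.

```python
import re

# Indicators as a hospital might receive them from an ISAC or state fusion
# centre feed. The hashes, file name and botnet IP are the values on the
# slides; the dictionary layout is an assumption made for this example.
SHARED_IOCS = {
    "sha256": {
        "2201da686961c95063ee92f5ff371e5143198c79aaa58b0c04cf110d143d2871",
        "e8a21f95c6e5b722bbf999e6ea10ee4ca5185130c4c3564349b7f936047ced58",
        "86aa82558c4005111a7d1df1cf23f76eeaae0039268b6b0e262164ebf9cea79a",
        "8eabfa74d88e439cfca9ccabd0ee34422892d8e58331a63bea94a7c4140cf7ab",
        "72832db9b951663b8f322778440b8720ea95cde0349a1d26477edd95b3915479",
    },
    "filename": {"msvcsexec.exe"},
    "ip": {"43.248.73.6"},
}

SHA256_RE = re.compile(r"\b[0-9a-fA-F]{64}\b")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
EXE_RE = re.compile(r"[\w.-]+\.(?:exe|dll|scr)\b", re.IGNORECASE)


def extract_indicators(text):
    """Pull SHA-256 hashes, IPv4 addresses and executable names out of free-form
    alert text (vendor email, SIEM correlated event, endpoint log line).
    Values are lower-cased so a hash reported in upper case still matches."""
    return {
        "sha256": {h.lower() for h in SHA256_RE.findall(text)},
        "ip": set(IPV4_RE.findall(text)),
        "filename": {f.lower() for f in EXE_RE.findall(text)},
    }


def match_iocs(text, iocs=SHARED_IOCS):
    """Return sorted (indicator_type, value) pairs present in both text and feed."""
    found = extract_indicators(text)
    hits = []
    for kind in ("sha256", "ip", "filename"):
        for value in sorted(found[kind] & iocs.get(kind, set())):
            hits.append((kind, value))
    return hits


# Constructed sample events. The first follows the layout of the IDS/IPS
# retrospective email on the slides, the second the SIEM botnet correlation
# (destination replaced by a made-up RFC 1918 address), the third an endpoint
# process-start line; the last is benign and should produce no hit.
SAMPLE_EVENTS = {
    "ids-retro-1": (
        "<*- Network Based Retrospective at Thu Jan 18 06:25:58 2018 UTC -*>\n"
        "Sha256: 2201da686961c95063ee92f5ff371e5143198c79aaa58b0c04cf110d143d2871\n"
        "Disposition: Malware\n"
    ),
    "siem-botnet-1": (
        "Rule Message: Malware Traffic with a known Botnet CnC "
        "Signature ID: 47-6111152 Source IP: 43.248.73.6 Destination IP: 10.20.30.40"
    ),
    "edr-proc-1": "Process start: C:\\Windows\\Temp\\MSVCSEXEC.EXE parent=svchost.exe",
    "edr-proc-2": "Process start: C:\\Windows\\System32\\notepad.exe parent=explorer.exe",
}


def triage(events, iocs=SHARED_IOCS):
    """Map each event id to its IoC hits; events with no hits are left out so the
    analyst's queue holds only what needs a look."""
    queue = {}
    for eid, text in events.items():
        hits = match_iocs(text, iocs)
        if hits:
            queue[eid] = hits
    return queue


if __name__ == "__main__":
    for eid, hits in triage(SAMPLE_EVENTS).items():
        print(eid, hits)
```

Three of the four constructed events land in the queue, one per indicator type; the benign process start does not. The same extraction routine can be pointed at the raw vendor email, since the hash, disposition and threat name each sit on their own line there, and the feed dictionary can be refreshed from the sharing organization without touching the matching logic.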
WannaCry Timeline Case Study
Friday, May 12, 2017
2:49pm – Initial alert received from NYSIC-CAU
2:53pm – Receive alert from anti-malware security vendor
3:18pm – IDS/IPS network address and file blocking signatures applied
4:09pm – Notified by EHR vendor that servers require patching
4:55pm – Workforce-wide communications sent
5:43pm – Network traffic pattern block rules implemented
6:15pm – Initial anti-malware signature update
8:31pm – Second anti-malware signature update
9:00pm – EHR system patching begins with application vendor
9:20pm – Patching of 1,100+ servers begins
10:00pm – Patching of 9,000+ devices and 300+ medical devices begins
10:31pm – Additional traffic rules applied
WannaCry Timeline Case Study
Saturday, May 13, 2017
2:05am – Additional traffic rules applied
3:15am – PACS enterprise imaging system patched
3:56am – EHR patching completed
1:59pm – Additional IDS/IPS IoCs applied
2:15pm – Additional anti-malware signature update
3:10pm – Microsoft announces an unprecedented release of patches for
discontinued Windows XP and Windows 2003 Server
Sunday May 14
10:34am – Additional anti-malware signature update
2:34pm – Additional anti-malware signature update
6:47pm – Alerts of potentially infected machines on “Guest Wireless” network and devices removed from the network
Summary
• Cyber attacks are the new norm
• WannaCry was the wake up call!!!
• Protection still requires layers and “Defense in Depth”
• Security Framework
• Policy and Process
• Investment in technical measures (simple to complex)
• Communication and Information Sharing are Critical
• Inside and outside the organization
Questions?
Contact Information:
Kristopher Kusche, M.Eng., CISSP, CPHIMS, FHIMSS
VP & CISO, Albany Medical Center
(518) 262-4690
Thank you and please remember to complete the online session
evaluation provided by HIMSS. Enjoy the rest of the conference!!!