Protecting from Ransomware & Modern Disasters: An El Camino Case Study
Session 45, August 10, 2021

Rick Bryant, Chief Technology Officer, Veritas
Deb Muro, Chief Information Officer, El Camino Health

DISCLAIMER: The views and opinions expressed in this presentation are solely those of the author/presenter and do not necessarily represent any policy or position of HIMSS.

#HIMSS21

Welcome

Deb Muro, Chief Information Officer, El Camino Health
Rick Bryant, Chief Technology Officer, Veritas

Conflict of Interest

Rick Bryant, CTO at Veritas, and Deb Muro, CIO at El Camino Health, have no real or apparent conflicts of interest to report.

Agenda

• Overview of Veritas and El Camino Health
• Discussion of today’s complex threat landscape
• Case study on El Camino Health’s ransomware incident response, including prevention, detection, containment, and remediation
• Tips for implementing a cybersecurity defense strategy and improving overall quality of disaster response

Who is Veritas? The global leader in enterprise backup and data recovery solutions

• Availability: ensure predictable availability, application resiliency and storage efficiency across multi-cloud, virtual and physical environments
• Insights: gain visibility into your data, storage and backup infrastructure, so you can take control of data-associated risks
• Protection: protect your organization from the unforeseen and ensure your data is always secure, compliant and available, no matter where it lives

By the numbers (as presented on the slide):
• 16,000+ employees worldwide
• 2,000+ engineers worldwide
• 20,000+ global partners
• 80,000+ global customers
• 800+ supported workloads
• 2,140+ global patents
• 87% of the Fortune Global 500 trust us
• 16x a Leader in Gartner’s MQ for Data Center Backup and Recovery Solutions
• # market share for backup and recovery software

Who is El Camino Health?

Veritas portfolio by pillar:

• Availability: InfoScale, VRP
• Protection: NetBackup & Appliances, Backup Exec, Access & Appliances, Flex Appliances, CloudPoint, SaaS Backup
• Insights: APTARE, Information Studio, Data Insight, Enterprise Vault / Enterprise Vault.cloud, eDiscovery Platform

In the Headlines

“The 7 Biggest Ransomware Attacks of 2021 (So Far)”

1. Colonial Pipeline, $5MM USD: The DarkSide ransomware attack on Colonial Pipeline shut down fuel delivery for much of the southeastern USA in May 2021. After the attackers exfiltrated almost 100 gigabytes of data, the victim paid almost $5 million USD in Bitcoin. A single compromised virtual private network (VPN) password was all the attackers needed to get access to Colonial Pipeline's network.

2. Brenntag, $4.4MM: In May 2021, Brenntag SE, a German chemical distribution company operating in over 77 countries, was attacked by DarkSide ransomware and paid $4.4 million in Bitcoin. This came just days after the Colonial Pipeline attack.

3. Acer, $50MM: In March 2021, computer maker Acer was hit by REvil ransomware; the attackers demanded $50M USD in Monero to restore the Taiwan-based manufacturer’s data, the largest ransom demand reported at that time.

4. JBS Foods, June 2021: $11M paid in Bitcoin.

Why Target Public Sector?

• Immediate access to patient data
• Lack of email scanning/filtering technology (86% of hospitals)
• High-value data regarding COVID-19
• TeleHealth reimbursement enabled by the national emergency declaration
• Thousands of caregivers started practicing at home using whatever technology was available to them
• RDP improves ransomware success by 37%
• Difficulty with emerging threats: hospitals are 6X more likely to host their own servers
• Hackers waiting dormant for the best time to strike

Source: “Ransomware attacks on Healthcare rose 350% in Q4 2019,” Health IT Security, March 9, 2020

What’s the New Approach? Why Change?

• Ransomware attacks in healthcare were typically not reported, on the grounds that the data had not been exfiltrated and so there was no actual data breach

• OCR requires notification of a breach of unsecured PHI once a formal risk assessment finds a reasonable probability that the records were compromised; breaches affecting 500 or more individuals must also be reported to HHS and the media without unreasonable delay

• Ransomware-as-a-Service gives any actor a prebuilt kit and existing attack infrastructure; they just need to pick a target, write a ransom note, and set up a Bitcoin wallet

• Ransomware variants such as Zeppelin and REvil/Sodinokibi now exfiltrate the data before encrypting it at the attack site

• Exfiltration is used as “proof”, but it also means healthcare providers must now report the breach regardless of their ability to recover. Hackers can then both collect the ransom and sell the data

What Does the New Tactic Look Like?

Initial access vectors:
• Phishing emails with a malicious attachment
• Users clicking on a malicious link
• Users viewing an ad containing malware (malvertising)

Examples shown on the slide:
• Phish targeting foreign visitors
• DocuSign credential-harvesting phish
• SMS delivery of malware links
• Social media phishing landing page

Source: IANS, 2020

Ransomware Regulations by Industry

Healthcare
• All healthcare providers must have a backup and protect all PHI (HIPAA, 1996)

State & Local Government
• Legal experts are generally skeptical that new laws are what's needed to secure the nation's cyber infrastructure within state, local and federal government
• In California, ransomware is a felony, treated as a form of extortion
• Michigan law criminalizes and prosecutes the possession of ransomware
• Connecticut, Texas and Wyoming laws state that using ransomware is a crime and can be prosecuted as a felony

Federal Government
• The federal government does not negotiate with terrorists
• The Federal Bureau of Investigation directs victims to its Internet Crime Complaint Center (IC3), and notes that paying the ransom also encourages future attacks
• The Department of Justice (DoJ) does not encourage paying ransoms; in some cases, victims have been targeted again because of their willingness to pay
• The Central Intelligence Agency follows the DoJ and FBI guidelines on paying ransoms
• The Department of Homeland Security follows guidelines from the U.S. Computer Emergency Readiness Team (US-CERT)

Breach Notifications for Unsecured PHI

Required risk assessment factors:
• Nature and extent of the PHI involved
• The unauthorized person who used the PHI or to whom the disclosure was made
• Whether the PHI actually was acquired or viewed
• The extent to which the risk to the PHI has been mitigated

HIPAA Enforcement Rule: penalty tiers
• Reasonable Diligence
• Reasonable Cause
• Willful Neglect

Willful Neglect & New Safe Harbors

• Willful Neglect: conscious, intentional failure or reckless indifference; having no policy equals reckless indifference
• OCR will investigate all cases of possible willful neglect
• OCR will impose penalties on all violations
• OCR may penalize organizations without seeking informal resolution (settlements)
• CMS and HHS OIG finalized federal anti-kickback and Stark Law rules, which include provisions allowing health systems and hospitals to donate cybersecurity technologies to provider offices

Source: “Final HHS Rules Provide Safe Harbor for Cybersecurity Tech Donations,” Health IT Security, Nov. 24, 2020

Breach Notification for Unsecured PHI

• Harm threshold
• Notification of the media
• Notification of the Secretary
• Notification by a business associate

The new rule does not say what “compromised” means.

Source: HIPAA Omnibus Final Rule

The Veritas Ransomware Solution

Prevent, Protect, Detect, Recover

Prevent Ransomware
• Hardened appliance
• Reliable backups
• IT analytics

Protect

Veritas Enterprise Data Protection

Security Controls for Data Integrity

PROTECT
• Identity and Access Management (multi-factor authentication via SAML): Zero Trust Access
• Data encryption, in flight and at rest
• Solution hardening: Intrusion Detection / Intrusion Prevention
• Immutable image management and storage (on-premises and cloud)

Cohasset immutability assessment (in compliance mode) against:
• Securities & Exchange Commission (SEC) rule 17 CFR § 240.17a-4(f)
• Commodity Futures Trading Commission (CFTC) regulation 17 CFR § 1.31(c)-(d)

NetBackup | Flex Immutability Solution

Immutable storage management
• Immutable storage and policy setup
• Backup image management

Immutable storage with Flex (5150 & 5340/5350)
• Data integrity and security controls across backup software and appliance(s)
• Support for primary, backup, and AIR replication
• WORM storage server (MSDP container)
• Compliance timer/clock
• Compliance and Enterprise modes

NetBackup Flex Security

Updated hardware and software architecture to protect immutable storage

Logical attack protection
• NetBackup WORM storage server
• Appliance platform security
• Zero Trust Access
• Enterprise and Compliance lock-down modes
• No storage reset
• No custom ISO boot
• Hardened containers & storage array
• Intrusion Detection System (IDS) / Intrusion Prevention System (IPS)

NetBackup with NetBackup Flex Immutable Storage
Logical architecture (diagram)

Detect

Anomaly Detection Workflow

• Initial configuration: train the base model on the customer's historical backup metadata (stored in the ML database), using the customer sensitivity setting.
• Anomaly detection: backup job metadata is written to the ML database and scored by the ML detection algorithm, which raises anomaly alerts.
• Feedback: analysts eliminate false positives; valid observations are fed back for continued learning.

Anomaly Detection in Backup Flow

• Features are derived from job data
• Three new services are created in NetBackup:
  • Management Service: gathers data from two sources, image data and jobs data
  • Detection Service: uses a clustering-based ML implementation to detect anomalies
  • Alert Service: sends alerts, for example to the NetBackup WebUI

Features used by the detection service:
1. Client name
2. Policy name
3. Schedule
4. Policy type
5. Storage name
6. Image size
7. Number of files
8. Total time
9. Kilobytes transferred
10. Dedup ratio

Illuminate Anomalies

Ransomware Detection: Risk Mitigation Analytics

Baseline of Last Known Successful Backups by Application

Predictive Analytics Correlating 50,000 Unique Data Points

Historical Trending of Dozens of Risk Analysis KPIs


Detect Ransomware

Data management
• Scan for ransomware item types (Data Insight)
• Monitor data change and deduplication rates (Data Insight / APTARE & OpsCenter)
• Monitor file access by users (Data Insight)

Third-party tools
• Endpoint security (Symantec)
• Monitoring of file changes (Tripwire)
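The anomaly-detection workflow and feature list above, and the "monitor data change and deduplication rates" item here, describe a baseline-and-threshold design without showing the arithmetic. The following Python is an added example, not Veritas or NetBackup code: it learns a per-(client, policy, schedule) baseline from the job-metadata fields the slides list, then flags a job whose image size, file count, run time or dedup ratio departs from that baseline. Encrypted data is high-entropy, so a ransomware-encrypted run typically shows a collapsed dedup ratio and an inflated incremental image in the same job. The field names, the median/MAD scoring, the sensitivity threshold and the job records are the editor's assumptions, constructed for the example.

```python
"""Robust-baseline anomaly detection over backup job metadata.

Added illustration (not Veritas or NetBackup code). Field names, scoring
method and sample records are assumptions constructed for this example.
"""
from dataclasses import dataclass
from statistics import median
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class BackupJob:
    client: str          # slide feature 1
    policy: str          # feature 2
    schedule: str        # feature 3
    image_size_kb: int   # feature 6
    num_files: int       # feature 7
    total_time_s: int    # feature 8
    dedup_ratio: float   # feature 10: fraction of bytes removed by dedup (0..1)


# Numeric features compared against the baseline.
MONITORED = ("image_size_kb", "num_files", "total_time_s", "dedup_ratio")
BaselineKey = Tuple[str, str, str]


def robust_z(value: float, history: List[float]) -> float:
    """Median/MAD z-score: a few past outliers do not drag the baseline."""
    med = median(history)
    mad = median(abs(x - med) for x in history)
    # 1.4826 scales MAD to a standard deviation for normal data. If the
    # history is perfectly constant, fall back to 1% of the median so a
    # real change still yields a finite, large score instead of a crash.
    scale = 1.4826 * mad if mad > 0 else max(abs(med) * 0.01, 1e-9)
    return (value - med) / scale


class BackupAnomalyDetector:
    def __init__(self, sensitivity: float = 3.5, min_history: int = 5) -> None:
        # 'sensitivity' plays the role of the customer sensitivity setting
        # on the slide: lower values flag more jobs.
        self.sensitivity = sensitivity
        self.min_history = min_history
        self.history: Dict[BaselineKey, List[BackupJob]] = {}

    @staticmethod
    def _key(job: BackupJob) -> BaselineKey:
        return (job.client, job.policy, job.schedule)

    def train(self, jobs: List[BackupJob]) -> None:
        """Initial configuration: seed the baseline from historical jobs."""
        for job in jobs:
            self.history.setdefault(self._key(job), []).append(job)

    def evaluate(self, job: BackupJob) -> Dict[str, float]:
        """Return {feature: z-score} for each feature beyond the threshold.
        Empty dict means 'normal' or 'no baseline yet for this key'."""
        hist = self.history.get(self._key(job), [])
        if len(hist) < self.min_history:
            return {}
        flagged: Dict[str, float] = {}
        for feature in MONITORED:
            z = robust_z(getattr(job, feature), [getattr(h, feature) for h in hist])
            if abs(z) > self.sensitivity:
                flagged[feature] = z
        return flagged

    def accept(self, job: BackupJob) -> None:
        """Analyst confirmed a flagged job was legitimate (e.g. a planned
        data migration): fold it into the baseline so it stops alerting."""
        self.history.setdefault(self._key(job), []).append(job)


def _job(size_kb: int, files: int, secs: int, dedup: float) -> BackupJob:
    return BackupJob("emr-db01", "EMR-SQL", "Daily-Incr", size_kb, files, secs, dedup)


# Constructed history: ten normal nightly incrementals for one client/policy.
HISTORY = [
    _job(50_000_000, 1180, 880, 0.93), _job(50_400_000, 1210, 910, 0.92),
    _job(49_800_000, 1195, 895, 0.94), _job(50_200_000, 1205, 905, 0.93),
    _job(49_900_000, 1190, 890, 0.93), _job(50_100_000, 1200, 900, 0.92),
    _job(50_300_000, 1215, 915, 0.94), _job(49_700_000, 1185, 885, 0.93),
    _job(50_000_000, 1200, 900, 0.93), _job(50_200_000, 1210, 910, 0.92),
]
# Constructed suspect job: most files rewritten, dedup collapsed, long run.
ATTACK_JOB = _job(110_000_000, 38_000, 5_400, 0.08)
# Constructed benign job: ordinary nightly variance, should not alert.
BENIGN_JOB = _job(50_500_000, 1230, 930, 0.92)


def run_demo() -> Tuple[Dict[str, float], Dict[str, float]]:
    det = BackupAnomalyDetector()
    det.train(HISTORY)
    return det.evaluate(ATTACK_JOB), det.evaluate(BENIGN_JOB)


if __name__ == "__main__":
    attack, benign = run_demo()
    for feature, z in attack.items():
        print(f"ALERT {feature}: z={z:+.1f}")
    print("benign job flagged:", bool(benign))
```

The dedup ratio is the feature worth watching most closely: a restore-tested incremental whose dedup rate falls from over 90% to single digits while its size and file count jump is the signature of a bulk rewrite, and ransomware encryption is the most common cause. Jobs that an analyst confirms as legitimate go back into the baseline through `accept`, which is the "valid observations for continued learning" step in the workflow above.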

Recover


Meet RPO and RTO Requirements at Scale


NetBackup Resiliency

• Automation and orchestration

• Full RPO coverage

• Test, Validate, Disinfect


NetBackup Resiliency | Automated Recovery in AWS


Support Diverse RPO and RTO Requirements


Comprehensive Recovery Options

• NetBackup Resiliency

• Continuous Data Protection (CDP)

• Instant Access: VM and SQL

• Cloud and On-Prem Snapshots

• Bare Metal Recovery (BMR)

• Traditional recovery


Veritas Ransomware Data Protection Assessment Program

• What is it? An expert assistance program giving customers comprehensive advice on ransomware protection strategies and issues.
• Key differentiators:
  • Holistic approach to overall data protection, including detection, prevention and data recovery
  • Practical advice based on real-world experience: not just a high-level “what to do” but also “how to do it”, with lessons learned and best practices
  • Solutions customized to each customer’s environment and readiness
• Assessment: a one-week, data-driven, consulting-led service designed to assess the “as-is” posture of data protection against ransomware
• Deliverable: a high-level roadmap with action items and a defined future technical architecture
• Delivered by Advisory and Consulting

With a Unified Approach, You Get:


Better resiliency against ransomware

Data that’s protected and recoverable no matter where it lives

Simplified management across heterogeneous environments

More visibility to optimize infrastructure, cost, and compliance

All without compromise

El Camino Health
Ransomware Incident Response: prevention, detection, containment, and remediation

Questions?


Thank you!


Rick Bryant, [email protected]

Deb Muro, [email protected]

