Protecting Your Organization from Cyber Attacks
March 3, 2016 Mac McMillan, Co-founder & CEO, CynergisTek, Inc.
Chuck Kesler, CISO, Duke Medicine
Conflict of Interest
Chuck Kesler, MBA, CISSP, CISM, PMP and Mac McMillan, FHIMSS, CISM have no real or apparent conflicts of interest to report.
Agenda
• Learning Objectives
• Threat Landscape
• Building an Information Security Program
Learning Objectives
1. Explain the current cybersecurity landscape in healthcare,
including recent and emerging trends in phishing specifically
2. Identify the risks posed to provider organizations by cyber
attacks, and offer proven strategies for mitigating that risk
3. Examine real-world examples of breaches caused by
phishing attacks and other cybersecurity incidents
4. Distinguish best practices for creating cybersecurity
awareness at an organization-wide level
A Summary of How Benefits Were Realized for the Value of Health IT
• Reliance of information increases satisfaction
• Knowing information is secure improves treatment
• Effective information security programs keep electronic data secure
• Secure data enhances patient engagement
• Proactive security reduces likelihood of a breach and helps reduce expenses
Why information security is challenging in healthcare
1. The prime directive. First priority is taking care of patients, and we
need quick and easy access to information to do that.
2. Innovation. A never-ending stream of new IT products and
services are promising to improve the delivery of care.
3. Complexity. Hundreds to thousands of applications must work
together seamlessly, but also must be secured.
4. Costs. Healthcare organizations are under pressure to reduce
costs, and incremental spending to address security can be a
tough sell.
Why healthcare workers should care about information security
1. Protecting the personal data that we are entrusted with is the right thing to do, and in fact it’s even part of the Hippocratic Oath: “I will respect the privacy of my patients, for their problems are not disclosed to me that the world may know.”
2. It’s the law. In fact, there are multiple laws and regulations that affect healthcare organizations: HIPAA, HITECH, Meaningful Use, FISMA, FERPA, state laws, etc.
3. Healthcare organizations are always under attack, and everyone has a role in preventing those attacks from being successful.
4. Effective management of information security risks can help protect an organization's intellectual property, brand, and mission, most importantly patient care and safety.
Threat Landscape
Cybercriminals Are Attacking Healthcare Because It’s Where The Data Is
Cyber threat spectrum
Hacktivism, Crime, Insiders, Espionage, Terrorism, Warfare
Evolving healthcare threat landscape: From lost/stolen devices to hacking
Timeline axis: 2009 2010 2011 2012* 2013 2014* 2015*
Breaches shown on the timeline (organization, records affected, cause):
• Community Health Systems, 4.5M, Hacking
• Montana Public Health, 1.3M, Hacking
• Horizon BCBS, 840K, Laptop Theft
• Advocate Medical, 4.03M, Computer Theft
• Emory, 315K, Lost Backups
• Utah Dept. of Health, 780K, Hacking
• TRICARE, 4.9M, Lost Backups
• Nemours, 1.6M, Lost Backups
• Health Net, 1.9M, Lost Hard Drives
• NYC Health & Hospitals, 1.7M, Stolen Backup Tapes
• BCBS Tennessee, 1.02M, Stolen Hard Drives
• AvMed, 1.2M, Stolen Laptops
• Anthem BCBS, 80M, Hacking
• Premera BCBS, 11M, Hacking
• CareFirst, 1.1M, Hacking
• Westchester Health, Hacked (Pro-ISIS Group)
• Boston Children’s, Hacked (Anonymous)
• Beacon Health, 225K, Hacking
Multiple Sources
Sources of hacking
Recreational
• Used to be the primary motivation for many attackers
• Still a motivator for those looking to prove themselves
Hacktivism
• Want to call attention to their social or political causes
• Often motivated by anti-establishment themes
Espionage
• Sophisticated attacks against government, military, or industry targets
• May be motivated by political or monetary gains
• Goals may be theft of intellectual property or disruption of critical infrastructure
Cybercrime
• Cybercriminals have built a huge black market for developing malware, conducting Internet-scale operations, and laundering money
• Stolen data can be used by criminals for identity theft and financial fraud
• Extortion by attacking availability of assets or sensitive nature of data
Black market value of stolen data (per record)
[Bar chart: value per record, $0 to $60 scale, for Credit Card, SSN, Email Account, and Medical Record]
Sources: http://histalkmobile.com/2014-a-perfect-storm-for-data-breaches/
http://krebsonsecurity.com/2013/06/the-value-of-a-hacked-email-account/
The Internet of Things
Source: Symantec Internet Security Threat Report 2015
Anatomy of a cyber attack
Anatomy of a breach: Community Health Systems (May-June 2014)
How did it happen?
• Attacker used a well-publicized security vulnerability to steal user login credentials
• The stolen username and password were used to log in to CHS systems via their VPN
• Once inside the network, the attackers identified and extracted files containing records for 4.5 million patients
• This could also easily have happened via a phishing email
As of September, CHS reported breach costs of $256M
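The CHS narrative above turns on two things a defender can watch for: a valid account logging in over the VPN from somewhere it never has before, and that session then moving an unusual volume of data. The following is an added example, not part of the presentation or CHS's own tooling, of how those checks can be expressed over VPN logs. The log format, the field names, the baseline window and the thresholds are all assumptions chosen for the example; the log lines themselves are constructed.

```python
"""Flag anomalous VPN logins: new source country, impossible travel, bulk egress.

Added example (not from the presentation). The record format below is an
assumption; adapt LINE_RE to whatever the VPN concentrator actually emits.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real CHS data). Assumed format:
# "<ISO timestamp> vpn user=<name> src_country=<CC> result=<ok|fail> bytes_out=<n>"
SAMPLE_LOG = """\
2014-05-01T08:02:11 vpn user=jsmith src_country=US result=ok bytes_out=120000
2014-05-02T08:10:42 vpn user=jsmith src_country=US result=ok bytes_out=98000
2014-05-03T07:55:03 vpn user=jsmith src_country=US result=ok bytes_out=150000
2014-06-10T02:14:37 vpn user=jsmith src_country=CN result=ok bytes_out=9800000000
2014-06-10T02:40:12 vpn user=jsmith src_country=US result=ok bytes_out=50000
2014-06-11T09:00:00 vpn user=aclark src_country=US result=fail bytes_out=0
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) vpn user=(?P<user>\S+) src_country=(?P<cc>[A-Z]{2}) "
    r"result=(?P<result>ok|fail) bytes_out=(?P<bytes>\d+)$"
)


def parse_log(text):
    """Parse log text into event dicts sorted by time; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "user": m["user"],
            "country": m["cc"],
            "ok": m["result"] == "ok",
            "bytes_out": int(m["bytes"]),
        })
    events.sort(key=lambda e: e["ts"])
    return events


def find_suspicious_logins(events, baseline_end,
                           travel_window=timedelta(hours=1),
                           egress_threshold=1_000_000_000):
    """Return (timestamp, user, rule) tuples for successful logins that look anomalous.

    Rules (thresholds are example assumptions):
      new_country       - successful login after the baseline period from a
                          country the user never logged in from during the baseline
      impossible_travel - two successful logins from different countries within
                          travel_window of each other
      bulk_egress       - a session that sent bytes_out >= egress_threshold
    """
    # Build each user's baseline set of source countries from the learning period.
    baseline = defaultdict(set)
    for e in events:
        if e["ok"] and e["ts"] < baseline_end:
            baseline[e["user"]].add(e["country"])

    alerts = []
    last_ok = {}  # user -> most recent successful login event
    for e in events:
        if not e["ok"]:
            continue  # failed attempts are tracked elsewhere (lockout, brute-force rules)
        if e["ts"] >= baseline_end and e["country"] not in baseline[e["user"]]:
            alerts.append((e["ts"], e["user"], "new_country"))
        prev = last_ok.get(e["user"])
        if prev and prev["country"] != e["country"] and e["ts"] - prev["ts"] <= travel_window:
            alerts.append((e["ts"], e["user"], "impossible_travel"))
        if e["bytes_out"] >= egress_threshold:
            alerts.append((e["ts"], e["user"], "bulk_egress"))
        last_ok[e["user"]] = e
    return alerts


def demo():
    """Run the rules over the constructed sample; baseline is everything before June 2014."""
    return find_suspicious_logins(parse_log(SAMPLE_LOG), baseline_end=datetime(2014, 6, 1))


if __name__ == "__main__":
    for ts, user, rule in demo():
        print(f"{ts.isoformat()} {user} {rule}")
```

In the sample, the June 10 login from a new country is flagged twice (new country and bulk egress), and the US login 26 minutes later is flagged as impossible travel. None of these rules needs the attacker's vulnerability to be known in advance; they key on the behaviour of a stolen credential rather than on how it was stolen, which is why logging and monitoring of remote-access systems belongs in the Detect function of a security program.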
Anatomy of a breach: Anthem BCBS (December 2014-January 2015)
How did it happen?
• Mostly still speculation at this point, but it may have been phishing or a "watering hole" attack that allowed sophisticated malware to implant a backdoor on a system at Anthem.
• The backdoor was later used by the attackers to access a database using valid user credentials.
• Note: despite some speculative articles in the press, based on available information, encryption of "data at rest" probably would not have helped in this case.
Phishing example: Webmail message
Phishing example: Cryptolocker
Why chasing hackers is a waste of time
Healthcare challenges
• Legacy systems
• Multiple wireless networks
• Internet-enabled medical devices
• Mandatory transition to electronic records
• BYOD prevalence
• Stores & combines PHI, PII & PCI
• Victims (patients) are often unaware of loss of data
• Third party vendors w/ network access
• Higher payouts on black market
Building an Information Security Program
Building an information security program: It’s more than anti-virus and encryption
• Identify: Inventory information assets and analyze their risks
• Protect: Use technical, administrative, and physical controls to mitigate the identified risks
• Detect: Monitor the environment for signs of intrusion
• Respond: Mobilize resources to contain and eradicate an intrusion
• Recover: Remediate the effects of an intrusion and return to normal operations
Reference: NIST Cybersecurity Framework
Governance (spans all five functions)
Where do we start? Risk assessment…
Credit: http://dilbert.com/strips/comic/1997-11-08/
Examples of security controls
Administrative
• Separation of duties
• Policies
• Procedures
• Standards
• Guidelines
Technical
• Passwords
• 2-factor authentication
• Encryption
• Firewalls
• Anti-Virus
• Intrusion Detection
• Logging & Monitoring
Physical
• Fencing
• Locks
• Cameras
• Guards
• Alarms
• HVAC
• Backup power
• Fire suppression
Risk Assessment
Some low-hanging fruit: security awareness
You don't need to wait for the risk assessment to be complete before you start educating staff on security issues!
– Use the news
– Avoid the “FUD”
– Make it personal
– Keep it simple
– Never stop
Marketing security awareness
1. Understand and follow our security policies
2. Use strong passwords, and, whenever possible, use multi-factor authentication
3. Think before I click on links and email attachments
4. Use a VPN when connecting from public WiFi networks
5. Apply all security updates in a timely fashion when prompted
6. Safeguard my personal computers and devices with anti-virus software
7. Secure my smartphone and computer screensaver with a PIN or password
8. Use encryption to protect sensitive data when appropriate
9. Report suspected security concerns immediately
10. Promote cybersecurity awareness
Be Prepared! Incident response is critical.
Great information security is built on relationships, not just technology
• Identify and cultivate key partnerships between information security and other parts of the organization, such as:
– Medical staff and operational leadership
– Health Information Management
– IT engineering and operational leaders
– Internal audit
– Compliance/privacy officers
– Counsel
"A basketball team is like the five fingers on your hand. If you can get them all together, you have a fist. That's how I want you to play."
Coach K
Great information security is built when everyone says, aaaaah…together
How many people do you have on your privacy and security team…
Great information security is achieved when it’s a top down priority
43% of CIO/CISOs think boards are informed about threats to IT, while board members admit their knowledge about cybersecurity is limited.
It’s time
Healthcare must think and act differently when it comes to data security and privacy.
Resources for getting started
• HealthIT.gov Guide to Privacy and Security of Electronic Information (v2.0, April 2015)
– http://www.healthit.gov/sites/default/files/pdf/privacy/privacy-and-security-guide.pdf
• FTC "Start with Security" guide for business
– https://www.ftc.gov/tips-advice/business-center/guidance/start-security-guide-business
• Critical security controls project
– https://www.sans.org/critical-security-controls/
• NIST Cybersecurity Framework
– http://www.nist.gov/cyberframework/
• Poster series
– http://www.ncsc.gov/publications/pii/index.html
• Protecting your personal information awareness videos
– http://www.dni.gov/index.php/resources/protecting-personal-information
Questions
Chuck Kesler
CISO
Duke Medicine
@chuck_kesler
Mac McMillan
Co-founder & CEO
CynergisTek, Inc.
@mmcmillan07