Securing the Internet of Things (IoT) at the U.S. Department of Veterans Affairs
Dominic Cussatt
Acting Deputy Assistant Secretary / Chief Information Security Officer (CISO)
February 20, 2017
Working Draft, Pre-Decisional, Deliberative Document – Internal VA Use Only
The Cyber Threat to Healthcare
Hackers now employ more sophisticated methods for penetrating networks and devices, making detection and prevention of cyber attacks more difficult. Recent examples of this threat to healthcare providers include:
• “One of the biggest things we took away from our Anonymous attack was that in the past, I had always thought about cybersecurity related to health IT as safeguarding data ― but our experience made us understand it is more than that.” ~ Daniel Nigrin, M.D., Chief Information Officer at Boston Children’s Hospital, which was attacked by the hacker group Anonymous in 2014
• “Hospital network security has been under scrutiny in the past few months. The MedStar Health system in Washington, D.C. recently fell victim to a ransomware attack in which a piece of malware blocked access to patient records and demanded payment.” ~ nextgov.com
• The Ponemon Institute found that nearly 90% of healthcare organizations represented in a recent study had a data breach in the past two years and nearly half had 5 data breaches in the same period. Estimates based on the study suggested that breaches could be costing the healthcare industry $6.2 billion ~ ponemon.org
Department of Veterans Affairs (VA): By the numbers
As part of the VA, Veterans Health Administration (VHA) is the largest integrated healthcare system in the United States providing care at:
• 1,233 Health Care Facilities
• 168 VA Medical Centers
• 1,053 Outpatient sites
Mission Statement: To fulfill President Lincoln’s promise “To care for him who shall have borne the battle, and for his widow, and his orphan” by serving and honoring the men and women who are American Veterans
Serving more than 8.9 million Veterans each year
Information on this slide is derived from: https://www.va.gov/health/aboutVHA.asp
The Threat Landscape at VA
The VA environment spans six data centers with over 1,800 locally-managed facilities and 750,000 network devices. With this complex environment, applying cybersecurity consistently is difficult and requires collaboration across several disciplines to protect the data of our Veterans. Below are factors affecting VA’s threat landscape:
• Explosive growth and use of information technology devices connected to the Internet – “Internet of Things” (IoT)
• Proliferation of information systems and networks with virtually unlimited connectivity via mobile technologies and the cloud, leading to a larger attack surface
• Increasing sophistication of threats, including exponential growth rate in ransomware and distributed denial of service (DDoS) attacks leveraging the IoT vulnerabilities
The opportunity for a malicious attack or a security breach continues to increase as more devices are becoming Internet-enabled.
VA’s Approach to Improving Security
The Department of Veterans Affairs (VA) Enterprise Cybersecurity Strategy Team (ECST) within the Office of Information Technology (OI&T) was established to mature VA’s cybersecurity posture and safeguard Veteran information that is essential to providing quality health care, benefits, and services to our nation’s Veterans. The ECST encompasses activities around
The Enterprise Cybersecurity Strategy encompasses activities around securing VA’s IoT, such as medical devices and special purpose systems.
BY THE NUMBERS
• 587: Information Security professionals work for VA
• 750K: Number of protected devices on the VA network
• 71%: Decrease in overall number of critical or high vulnerabilities between November 2014 - May 2015
• 4.5M: Emails monitored per day, 75% blocked due to malware and other malicious activity
• $200M: Amount allocated for information security in 2014
Five Strategic Goals of ECST
1. Protecting Veteran information and VA data
2. Defending VA’s cyberspace ecosystem
3. Protecting VA infrastructure and assets
4. Enabling effective operations
5. Recruiting and retaining a talented cybersecurity workforce
Source: Protecting Veteran Information in a Complex Cybersecurity Landscape, VA. 7/2015
The Influence of IoT
Recent enhancements in technology are allowing federal agencies, including the Department of Veterans Affairs (VA), to find new ways to collect, analyze, share, and act on the data to drive operational efficiencies in support of their mission.
Examples of IoT at VA
• Networked Medical Devices – used in patient health care for diagnosis, treatment, or monitoring of physiological measurements, or for health analytical purposes*
• Special Purpose Systems (SPS) - network-connected, non-medical systems that play a critical role in supporting a VA facility’s operations and mission fulfillment (e.g., heating, ventilation, and air conditioning (HVAC); water control)*
*Source: U.S. Department of Veterans Affairs
Security Challenges Facing the IoT
The threat to the security of VA and these network connected devices continues to increase as the capabilities of IoT continue to evolve.
[Diagram labels: End User; Business Process and Objectives; Data and Information; Architecture; Things]
• “Many enterprises are challenged by unclear business objectives that complicate setting an IoT architecture strategy to address issues relating to deployment environments, legacy infrastructure, complex environments and so forth” ~ Gartner, Internet of Things — Architecture Remains a Core Opportunity and Challenge: A Gartner Trend Insight Report, 2017
• “The unprecedented amounts of information from the IoT and the Internet of Everything expose organizations to legal, regulatory and reputational risk.” ~ Gartner, How to Address the Top Five IoT Challenges With Enterprise Architecture, 2016
• The Internet of Things will produce two challenges with information: volume and velocity. Knowing how to handle large volumes and/or real-time data cost-effectively is a requirement for the Internet of Things. ~ Gartner, Hype Cycle for the Internet of Things, 2014
Principles for Securing IoT Devices
As we continue to integrate IoT and become more dependent on network-connected technologies, there is an increasing emphasis on securing these devices. The Department of Homeland Security (DHS) has issued six strategic principles for securing IoT:
01 Incorporate Security at the Design Phase
02 Promote Security Updates and Vulnerability Management
03 Build on Recognized Security Practices
04 Prioritize Security Measures According to Potential Impact
05 Promote Transparency Across IoT
06 Connect Carefully and Deliberately
Information on this slide is derived from: https://www.dhs.gov/sites/default/files/publications/IOT%20fact%20sheet_11162016.pdf
Examples of VA Addressing the Security Challenges of IoT
Scaling solutions enterprise-wide and establishing the capability for connected devices on the VA network
* Source: ECST accomplishments as of 1/31/2017
** Source: Fiscal Year 2017 VA Medical Device Incident Response Overview
[Diagram labels: Vulnerability Management; Aging Infrastructure; Asset Management; Unsupported Operating System; Governance and Risk Management]
Solutions
• Implemented an automated inventory tool and an inventory reconciliation process
• Implementation of the Isolation Architecture Change Advisory Board to evaluate and recommend improvements to standardized processes and procedures established to control VA IT infrastructure changes
• Deployed VA’s Medical Device Vulnerability Management Program.*
• Created the security control overlay for medical devices
• Published and integrated a cyber incident root cause analysis into standard operating procedures (SOP)
• Leveraged an isolation architecture for medical devices connected to their network.
• Implemented a change management advisory board
• Deployed a Medical Device Protection Program**
• Provided security, guidance, training and outreach to VA employees and contractors
• Implemented continuous monitoring of evolving cybersecurity threats
• Implemented configuration controls
• Implemented incident response to remediate security breaches
[Diagram layers: Information; Data; Architecture; Business Objective; End User; Business Process; Things]
Evolution of VA’s Approach to Securing IoT
VA continues to integrate with the business, manage information risks more strategically, and work toward a culture of shared cyber risk ownership across the enterprise.
• Enhance the isolation architecture to include connected devices
• Deploy a centralized automated inventory solution
• Monitor soon-to-be-unsupported operating systems
• Work with device owners and manufacturers to remove vulnerable devices from the network without affecting patient care
• Develop an incident response program for connected devices
• Mirror security vulnerability management of medical devices for connected devices
Source: ECST Medical Cyber Domain Projects as of 2/1/2017
The Future Outlook
“Security is a special challenge for IoT. IoT systems operate across the public internet; are deployed outside of the physical control of the organization; may remain in place in critical systems for 10 to 20 years; and may control critical infrastructure, or be capable of coordinated attacks on other systems…The devices themselves may lack critical hardware capabilities for securing their operation against attack. Securing IoT requires a balance of protecting against long-term devastation and accelerating value generation” – Gartner, Internet of Things Primer 2017
“The Internet of Things Market to reach $267 Billion by 2020” – Forbes, 1/29/2017
“Connected health devices should grow to $14 billion by 2020” – Forbes, 9/1/2016