Cybersecurity in Healthcare: From the Sidelines to the Headlines
Sean P. Murphy, CISSP, ISSMP, CPHIMS, FACHE, HCISPP, CIPP/IT
2016-04-21 (posted 27-May-2018)

By way of introduction…
• Sean Murphy, FACHE, CPHIMS, CISSP-ISSMP, CIPT, HCISPP
• Vice President, Chief Information Security Officer, Premera Blue Cross, Seattle, WA
• Retired Air Force Medical Service (Lieutenant Colonel)
• Experience in military and civilian healthcare organizations as CIO, CISO, and CTO
• Chair, HIMSS Privacy and Security Committee (2010)
• (ISC)2 committee to establish the HCISPP credential (2014): job analysis and exam writer
• Author of multiple chapters and white papers, and conference speaker; works include “Healthcare Information Security and Privacy” (2015), McGraw-Hill
• Founder, officer, working group member, and active member of affiliated local professional groups over many years

Agenda
• The road to here for healthcare
• How times have changed
  − Sideline to headlines
• Cybersecurity enters healthcare
• Peeking forward
• Questions / Comments / Criticisms

Source: ID Experts / Ponemon Institute, Third Annual Benchmark Study on Patient Privacy & Data Security, Dec 2012 (infographic included)
• Breaches are epidemic
• Often multiple per org
• Data loss is costly
• It is getting worse
• Healthcare lags behind
• Patients are affected

The road to here in healthcare
• Electronic healthcare record implementation > 75%
  − As of 2011, over 150 exabytes (1 EB = 10^18 bytes) of data; projected to double each year
• Every healthcare customer has a requirement to analyze / mitigate risk
  − Monitoring and incident response emerging as “must-have” as well
• HIPAA Omnibus Final Rule increased accountability; adds 3rd party risk
• Daily headlines on security breaches; rising to Board-level concerns
• Healthcare organizations are not in the business of providing world-class cybersecurity; the adversary is world-class
• HIPAA is not prescriptive, but getting it wrong is costly (fines/penalties)
• Healthcare depends on interoperability and sharing
• Unlike financial records, medical record misuse is hard to rectify

The road to here in healthcare
[Figure: Then vs. Now]

(A detour on our road) What is a medical device?
The challenge in cybersecurity starts with telling the difference between a medical device and any other IT computing platform.

(A detour on our road) What is a medical device?
• Used for diagnosis, treatment, and therapy
• Sensors, imaging, measures, alerts, and radiation, to name just a few functions
• Special purpose, regulated by the US Food and Drug Administration (FDA)
• IMHO, this has been a key dependency for implementing cybersecurity in healthcare

(A detour on our road) What is a medical device?
• Not always digital or networked, but they increasingly are
• X-ray, MRI, infusion pumps, pacemakers
• Also, movement toward implantable, ingestible, and wearable interconnected devices

(Detour continued) Increase in embedded IT & networking
• BAN and PAN are medical networks using the hospital network
• Federal Communications Commission (FCC) authorized a specific frequency for BAN
• Protocols: RFID, DICOM, IEEE 802.11x / WiFi, Bluetooth, ZigBee (2.4 GHz), IEEE 11073, medical instrumentation bus
[Figure: nested network scopes: WAN, MAN, LAN, Personal Area Network, Body Area Network]

(Detour continued) Increase in embedded IT & networking
[Figure: Body Area Networks and home health networks; in hospital settings, they allow free movement of the patient and around the patient]

(Merging back on our road) Impact of cybersecurity: patient care / safety
• IT = Mission Critical, while CE = Life Critical
• One-size IT security best practices, indiscriminately applied without manufacturer evaluation = patient safety risk

(Merging back on our road) Impact of cybersecurity: patient care / safety
• Health orgs do not manufacture med devices
  − Even after purchase… (21 CFR Part 820)
  − Regulated independently (FDA plus international standards)
• Clinicians (customers) are not asking for cyber capability… they want (pay for) clinical capability

(Merging back on our road) Impact of cybersecurity: patient care / safety
• Health orgs do not manufacture med devices
  − Even after purchase, the manufacturer is key: medical device incident reporting process, patch management, access management
• SOLUTION?: Implement best practices from banking, military, telecomm, etc.
• IMPACT:
  − Usually intended: compliance, privacy, security
  − Often unintended: risk, patient safety

(Back on the road) The road to here in healthcare

A Horse is NOT a Zebra

How times have changed: from the sidelines to the headlines
• Over 50% of breaches come from employees or business associates (HITRUST)
• 35% of breaches were lost or stolen laptops (2013) (Redspin)
• Unauthorized use is the second-most prevalent source of data breach
• Current “hacking” attacks make up 11%, but the number is growing
  − Of these, 11% were phishing
• Ransomware, intentional attacks, and monetized medical records increasing (healthITsecurity)
FUTURE
• EHR and Health Information Exchange increase risk
• State-sponsored terrorism will target healthcare (MGMA 2014)
• Detection and correction are becoming the imperative (Gartner)
[Figure: traditional breach vs. 2015, “Year of Cyberattack”; data focus]
Source: Fifth Annual Benchmark Study on Patient Privacy and Data Security, Ponemon Institute (2015)

How times have changed: from the sidelines to the headlines
High Cost of Healthcare Data Breaches
• Abnormal churn
• Reputation
• Board action
• Delayed care
• Withheld information
• TRUST
• Investigations
• Fines & penalties
• Class action lawsuits
• Identity theft / false claims
• Availability of information
• Security at any cost
Source: Fifth Annual Benchmark Study on Privacy and Security of Healthcare Data, Ponemon Institute

How times have changed: from the sidelines to the headlines
High Cost of Healthcare Data Breaches
“Near-misses” (non-data breaches that still require detection and escalation) increase costs
Source: Ponemon Institute / Symantec

How times have changed: from the sidelines to the headlines
High Cost of Healthcare Data Breaches
Source: Gartner BYOD Survey

How times have changed: from the sidelines to the headlines
And now the headlines…
• HEALTH IT SECURITY | September 8, 2015: (Major Academic Medical Center) joins list of largest health data breaches of 2015
• USA TODAY | April 14, 2015: Health data breaches sow confusion, frustration. “I had no idea (they) had my data. Why did (they) have my data?”
• I-HEALTH BEAT | June 1, 2015: (Indiana Health System) is notifying about 220,000 patients of a breach that could go back as far as November 2013. “Mean time to discovery (MTD) is around 270 days”

Behind the headlines: Settlement Costs and Fines Increasing

SETTLEMENTS
Company | Date of Breach / Settlement | No. of Records | Type of Records | Settlement Fund | Basis
AvMed (Florida) | 2010 / Jan. 2014 | 1 million | Social Security numbers and health records | $3.1 M | Partial refund of insurance premiums (up to $30 per individual) for not receiving the level of security promised.
Stanford University (CA) | 2009 / Apr. 2014 | 20,000 | Health records | $4.1 M | Patients will receive $100 each and the hospital will have to fund a program for 2 years that trains medical professionals to protect patient records.

FINES
Entity | Date | Fine Amount | Cause
New York Presbyterian / Columbia University | May 2014 | $4.8 M | Improper deactivation of a server containing personal information.
Triple S Management | Feb. 2014 | $6.8 M | Failure to take all required steps in a breach.
WellPoint | Jul. 2013 | $1.7 M | Leaving confidential information accessible over the internet.

Cybersecurity enters healthcare: Current Security Methods are Not Sufficient

Old Reality | New Reality
“Keep them out” | “Stop them on the inside”
Servers in the datacenter | Services in the cloud
Users connecting to the office network from corporate computers | Users connecting from the Internet on BYOD and mobile
Dumb malware targeting everyone | Smart, deliberate attackers targeting you
Attackers exploit vulnerabilities | Attackers exploit accounts
Protect the systems: patch vulnerabilities; anti-virus catches malware | Systems are always vulnerable: attackers can compromise any server; attackers can compromise any endpoint; any Internet access is an entry point
Network architecture: web servers in the DMZ; everything else in the “trusted internal network” | Network architecture: protect the servers from the users; use segmentation to contain breaches
Accounts are safe with username and a strong password | Strong authentication is necessary to protect accounts from compromise
Prevention | Detection and Response

Source: Chris Williams (Leidos Cybersecurity), with modifications from Sean Murphy (Leidos Health)

[Figure: Anatomy of a cyber attack; legend: IDS = intrusion detection system, VPN = virtual private network; callouts: “Or…Ransomware!”, “Or…Elevation!”, “Increasingly popular”]

Cybersecurity enters healthcare
[Figure: cycle of Protect, Identity, Detect, Correct, Recover, supported by Risk Assessment, Continuous Security Monitoring, Incident Forensics, Security Management, and Security Training]

Cybersecurity enters healthcare: CyberSecurity Talent Search
• Primary sources of information protection workforce: Privacy, Medical Technician, InfoTech, Health Information Management, Legal, Risk Management, Clinical Engineering, Device System Administrators, Super Users (Lab, Rad, Pharm), Internal IT Staff, Other Industry

Cybersecurity enters healthcare: CyberSecurity Talent Search
• Getting to the desired competencies
[Figure: workforce sources and desired competencies: Privacy, Medical Technician, IT Security, Ethical/Legal, Program Management, Incident Reporting, Healthcare, Clinical Engineering, Manufacturer/Vendor Risk, Specific Medical Device, Clinical Workflow, Patient Safety, Admin, Technical, and Physical Controls, Business Continuity, Disaster Recovery, Telecommunications, Healthcare Industry, Regulatory Environment, Privacy and Security in Healthcare, Information Governance and Risk Management, Third Party Risk Management]

Peeking forward

1. Emphasis on detection

2. Less reliance on the endpoint and server

3. Application whitelisting

4. Network segmentation

5. Two-factor authentication

6. Log aggregation and security incident event management (SIEM)

7. 24x7 security monitoring and incident response

8. Incident rapid response teams

9. Forensics tools and capabilities

10. Security incident metrics

− Build defenses around disrupting the attack sequence

− Don’t believe that “by doing everything right” you will be immune

− Measure attacks and defenses using metrics

Peeking forward

This is a national security concern:

− Healthcare is a critical infrastructure

− Hacktivists, organized crime, nation states are at our door (in our house?)

− The data is being monetized

Crystal ball:

− Cyber offense continues to get easier and more complex

− Cyber defense is a battle against complexity, patience, purpose

− Cloud, mobile and BYOD only make the defense harder

− No silver bullets from technology, ever

− Rapid change though, so you need to stay current

− Focus must be on swift detection and response

− Speed of attacks is going to increase

− Automated attacks will necessitate automated defenses

− Attackers will improve, share info…we must too

Peeking forward

What healthcare cyber pros should do:

− Make sure security is a management priority

− Build defenses around disrupting the attack sequence

− Don’t believe that “by doing everything right” you will be immune

− Measure attacks and defenses using metrics (threat intelligence)

− Affiliate locally, participate as much as you can, network!
