Part 6: Building a Strong Security Program
Presented by: Susan Clarke, Health Care Information Security and Privacy Practitioner
June 5 & 6, 2018
Legal Disclaimer
The presenter is not an attorney, and the information provided is the presenter(s)’ opinion and should not be taken as legal advice. The information is presented for informational purposes only.
Compliance with regulations can involve legal subject matter with serious consequences. The information contained in the webinar(s) and related materials (including, but not limited to, recordings, handouts, and presentation documents) is not intended to constitute legal advice or the rendering of legal, consulting or other professional services of any kind. Users of the webinar(s) and webinar materials should not in any manner rely upon or construe the information as legal or other professional advice. Users should seek the services of a competent legal or other professional before acting, or failing to act, based upon the information contained in the webinar(s) in order to ascertain what may be best for the user’s individual needs.
Learning Objectives
Best practices for building a strong security program, including a WannaCry ransomware case study and medical device management challenges.
Acronyms…
• BA: Business Associate
• CE: Covered Entity
• CEHRT: Certified Electronic Health Record Technology
• CMS: Centers for Medicare and Medicaid Services
• EHR: Electronic Health Record
• ePHI: Electronic Protected Health Information
• HHS: Department of Health and Human Services
• HIPAA: Health Insurance Portability and Accountability Act
• HIT: Health Information Technology
• IT: Information Technology
• NIST: National Institute of Standards and Technology
• OCR: Office for Civil Rights
• PHI: Protected Health Information
• SP: Special Publication
• SRA: Security Risk Analysis
Today’s Overview
• Strong security program starts at the top
• Economic impact of cybersecurity
• Time to get serious
• Top four: get the most out of your security program today
• How patient safety intersects
Why Health Care is Targeted?
• In 2017 health care was the most breached sector with an average cost of $7.35 million per organization
• Health care accounted for 28 percent of all breaches across all sectors impacting 5.1 million patient records.
• Many recent attacks do NOT target health care specifically, BUT health care becomes a victim because of gaps in security best practices
Sources: 1) 2017 Breach Stats Summary, Identity Theft Resource Center, www.itrc.org; 2) 2017 Cost of Data Breach Study, Ponemon Institute, www.ponemon.org
Health Care Today is a Hotbed for Cybersecurity Activity
EHRs + sharing patient records across the ecosystem + data-based collaborative care + analytics used to enhance care + electronic registries for population health + personalized medicine
= Data Explosion!
Oversight and Governance
Identify all PHI
Safeguard all PHI
Detect Incidents
Respond with a Plan
Recover to normal operations
• Risk assessment and management
• Patch and vulnerability management
• Data inventory
• Identity management
• Third-party assessment
• Effectively communicate your program!
Managing Security Risk in Enterprise
Compliance Does Not Equal Security
We are faced with an unprecedented security risk. Organizations need to bring EVERYONE along and develop a mature compliance AND security program over time.
People first, then Process, then Technology
What Can You Afford?
Making a case:
– Impacts to patient care
– Significant employee downtime
– Technical time and skill to recover
– Removing the malware
– Fines, reporting, legal fees, reputation
WannaCry Ransomware Global Impacts: it is estimated that less than $150,000 in total ransom was paid, yet damages due to downtime and mitigation efforts are estimated in the hundreds of millions.
Security: areas often overlooked
• Consider the proliferation of ePHI within our environments; look at the workflow
• Mobile devices are vulnerable, and more of them are personal than corporate. Many users still falsely believe these devices can’t become infected, yet an infection on a personal device can spread to the corporate network. (If personal devices are allowed, consider specialized training for those permitted to use them.)
• Look for an easy way for users to report issues
Note: There is no such thing as 100 percent security or zero risk.
https://healthitsecurity.com/resources/white-papers/2018-ransomware-hostage-rescue-manual?elqTrackId=ab68e2e6c753421d8622af966c30c7fb&elq=cc6bdc42b33448c5b95f2e26d574e5ed&elqaid=5235&elqat=1&elqCampaignId=4856
IT Security and CIA Triad
What if my health record isn’t kept private?
What if my health record isn’t there when needed?
What if my health record isn’t accurate?
Confidentiality
Integrity
Availability
Information Assets
Changing Priorities
Healthcare has undergone a paradigm shift. Traditionally:
• HIPAA-driven priorities: Confidentiality, Integrity, Availability of ePHI
• Checklist approach to satisfy the auditor
Over the past 2-3 years, Availability has become a growing concern:
• Ransomware impacted information access and therefore clinical workflows
• WannaCry shut down hospitals (UK NHS)
• Medical device incidents have impacted care delivery (WannaCry, MedJack)
And we are starting to understand the Integrity problem:
• Again, medical devices (hacks that could kill – but research only so far)
• Risk to critical systems and data … and patient trust
• Even just the perception of loss of integrity is a problem!
Security systems need to win every time, hackers only have to win once
Does your organization have:
• Good data backups?
• Layered security, aka defense in depth?
• A strong emergency preparedness program including downtime procedures?
• Cyber insurance?
Recruit your staff, from dedication to commitment
• Technical, communication, presentation and collaboration skills
• Leader of the leaders
• Understands health care operations and issues
• Financial acumen
• Visionary, inspires action
• Ready and able to walk on water!
Lead by building trust and influence, not by pointing at the org chart
• Build up your cybersecurity team
• Extend your staff with help from consultants and vendors
• Review policies and procedures with your team
• Transfer knowledge, delegate tasks, empower
• Look for “net adds”: there is always a small win, and they can add up quickly
Reveal Their Secrets—Protect Our Own
Top 4, 85% mitigated
• Use application whitelisting to help prevent malicious software and unapproved programs from running
• Patch applications such as Flash, web browsers, Microsoft Office, Java and PDF viewers
• Patch operating systems
• Restrict administrative privileges to operating systems and applications based on user duties
Source: https://www.asd.gov.au/infosec/mitigationstrategies.htm
Patching Software and OS
It is important that patch management is treated as a core function of IT management and is carried out in a timely and efficient manner. Patch management for operating systems and for applications is closely related, and the procedures followed should be similar. These procedures should be tightly integrated with corporate change management processes to ensure that they are effective and auditable across the entire organization.
Source: https://www.asd.gov.au/infosec/mitigationstrategies.htm
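The first step of timely patching is knowing which systems can still be patched at all. The following is an added example (not from the presentation or the ASD guidance) that inventories the Windows version of each host and checks whether a required update is installed, so unsupported systems and unpatched supported ones stand out. It assumes PowerShell remoting to the listed hosts; the host names are constructed and the KB identifier is a placeholder. The end-of-support dates are from Microsoft's lifecycle announcements (Windows XP: 8 April 2014; Windows 7 SP1 extended support: 14 January 2020).

```powershell
# Added example, not from the presentation: OS support and patch inventory.
$hosts = 'ct-console-01', 'infusion-ws-02', 'radiology-viewer-03'   # constructed
$requiredKb = 'KB0000000'   # placeholder: substitute the KB number you require

# Operating systems that no longer receive security patches at all.
$endOfSupport = @{
    'Windows XP' = [datetime]'2014-04-08'
    'Windows 7'  = [datetime]'2020-01-14'
}

# Collect OS caption and patch presence from every host that answers.
$inventory = Invoke-Command -ComputerName $hosts -ErrorAction SilentlyContinue -ScriptBlock {
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    [pscustomobject]@{
        Host      = $env:COMPUTERNAME
        OsCaption = $os.Caption
        HasPatch  = [bool](Get-HotFix -Id $using:requiredKb -ErrorAction SilentlyContinue)
    }
}

$report = foreach ($h in $inventory) {
    $eos = $null
    foreach ($name in $endOfSupport.Keys) {
        if ($h.OsCaption -like "*$name*") { $eos = $endOfSupport[$name] }
    }
    $status = if ($eos -and $eos -lt (Get-Date)) { 'UNSUPPORTED: no patches available' }
              elseif (-not $h.HasPatch)          { "MISSING $requiredKb" }
              else                               { 'OK' }
    [pscustomobject]@{ Host = $h.Host; OS = $h.OsCaption; Status = $status }
}

# Hosts that do not answer are often exactly the medical devices the slides
# describe (no remoting, vendor-managed); track them as unknown, not as OK.
$unreachable = $hosts | Where-Object { $_ -notin $inventory.Host }
$report | Format-Table -AutoSize
"Unreachable (verify manually): $($unreachable -join ', ')"
```

Hosts in the unreachable list should be fed into the medical device inventory rather than dropped, since a silent gap there is how an unpatched device ends up on the clinical network.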
Application Whitelisting
Whitelisting, when implemented correctly, makes it harder for an adversary to compromise an organization's system. Application whitelisting is a technical measure which only allows specifically authorized applications to run on a system. This helps prevent malicious software and unauthorized applications running.
Source: https://www.asd.gov.au/infosec/mitigationstrategies.htm
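The "when implemented correctly" caveat above usually comes down to piloting the allow-list before enforcing it. The following is an added example (not from the presentation or the ASD guidance) that builds an AppLocker allow-list from a known-good reference machine and deploys it in audit mode, so legitimate applications the list misses surface as event-log entries rather than as blocked clinical software. It assumes an elevated session on a Windows edition that supports AppLocker, that the listed directories hold only approved software, and that the rule collections' EnforcementMode property is writable as shown.

```powershell
# Added example, not from the presentation: AppLocker allow-list in audit mode.
$trustedDirs = 'C:\Windows', 'C:\Program Files', 'C:\Program Files (x86)'

# Inventory executables and scripts from the trusted locations.
$files = foreach ($dir in $trustedDirs) {
    Get-AppLockerFileInformation -Directory $dir -Recurse -FileType Exe, Script
}

# Prefer publisher (signature) rules; fall back to hash rules for unsigned
# binaries. -Optimize collapses duplicate rules for the same publisher.
$policy = New-AppLockerPolicy -FileInformation $files `
    -RuleType Publisher, Hash -User Everyone -Optimize

# Audit only: rules are evaluated and logged, nothing is blocked yet.
foreach ($collection in $policy.RuleCollections) {
    $collection.EnforcementMode = 'AuditOnly'
}
$policy.ToXml() | Set-Content -Path "$env:TEMP\applocker-audit.xml"   # keep a copy

# AppLocker does nothing unless the Application Identity service runs.
sc.exe config appidsvc start= auto | Out-Null
Start-Service -Name AppIDSvc
Set-AppLockerPolicy -PolicyObject $policy

# After the pilot period, review what enforcement would have blocked:
# event 8003 = "allowed, but would have been prevented if enforced".
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-AppLocker/EXE and DLL',
              'Microsoft-Windows-AppLocker/MSI and Script'
    Id      = 8003
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, MachineName, Message |
    Format-Table -AutoSize -Wrap
```

Only switch the collections to 'Enabled' once the 8003 events over a representative period (including month-end and on-call workflows) contain nothing a clinician needs.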
Restrict Admin Privileges
When an adversary targets a system, they will primarily look for user accounts with administrative privileges. Administrators are targeted because they have a high level of access to the organization's system. If an adversary gains access to a user account with administrative privileges they can access any data the administrator can access – which generally means everything. Minimizing administrative privileges makes it more difficult for the adversary to spread or hide their existence on a system.
Administrative privileges should be tightly controlled. It is important that only staff and contractors that need administrative privileges have them. In these cases, separate accounts with administrative privileges should be created which do not have access to the internet. This reduces the likelihood of malware infecting the administrator as they should not be web browsing or checking emails while using their privileged account.
Source: https://www.asd.gov.au/infosec/mitigationstrategies.htm
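Finding out who actually holds administrative rights today is the prerequisite for restricting them. The following is an added example (not from the presentation or the ASD guidance) that audits local Administrators group membership across a set of hosts, flags principals outside an approved list, and separately flags domain user accounts that look like everyday accounts rather than the dedicated admin accounts the text calls for. It assumes PowerShell remoting, targets running Windows 10 / Server 2016 or later (for the LocalAccounts module), and a hypothetical naming convention in which dedicated admin accounts end in "-adm"; host names, domain and approved principals are constructed.

```powershell
# Added example, not from the presentation: local administrator rights audit.
$hosts          = 'ws-radiology-01', 'ws-pharmacy-02'        # constructed
$approvedAdmins = 'CONTOSO\Domain Admins', 'CONTOSO\imaging-support-adm'

# Pull the membership of the local Administrators group from each host.
$members = Invoke-Command -ComputerName $hosts -ScriptBlock {
    Get-LocalGroupMember -Group 'Administrators' |
        Select-Object Name, ObjectClass, PrincipalSource
}

$report = foreach ($m in $members) {
    # The built-in local Administrator account is expected; everything else
    # must be on the approved list.
    $builtIn  = $m.Name -match '\\Administrator$'
    $approved = $builtIn -or ($approvedAdmins -contains $m.Name)

    # A domain *user* (not a group) without the -adm suffix is most likely
    # someone's day-to-day account holding admin rights: the case the text
    # warns about, since that account also browses the web and reads e-mail.
    $dayToDay = $m.ObjectClass -eq 'User' -and
                $m.PrincipalSource -eq 'ActiveDirectory' -and
                $m.Name -notmatch '-adm$'

    if (-not $approved) { $finding = 'NOT APPROVED: remove or add to approved list' }
    elseif ($dayToDay)  { $finding = 'Day-to-day account holds admin rights' }
    else                { $finding = 'OK' }

    [pscustomobject]@{
        Host      = $m.PSComputerName
        Principal = $m.Name
        Type      = $m.ObjectClass
        Finding   = $finding
    }
}

$report | Where-Object Finding -ne 'OK' |
    Sort-Object Host, Principal | Format-Table -AutoSize
```

Run it on a schedule and diff the output against the previous run: a principal that appears between runs without a change ticket is either an unapproved grant or a sign that something is adding itself to the group.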
Medical Devices Status Quo
• Despite cyber threat data and growing awareness, healthcare remains unprepared
  * 72% of healthcare providers have fewer than 200 beds and inadequate funds or resources
  * 80% of device vendors have fewer than 50 employees and lack knowledge and experience
• Industry continues to be an “easy” target for cyber attack
• Medical devices are still sold with Windows XP (unsupported since 2014), and with no plans for upgrading from Windows 7
  * Healthcare providers cannot manage medical devices like other technology
• Attempts are made to manage risks through “guidance”, collaboration and hand-crafted custom solutions
• There are currently few incentives or demand to sell secure devices, and few consequences for selling poorly secured devices
• Little consistency across vendors or devices in technology, software and security
Source: HIMSS Cybersecurity Forum
http://orprima.org/images/meeting/092717/pin_171017_001.pdf
FBI Cyber Division Report
“The ransomware attack highlighted the industry’s challenges to provide timely patching and remediation for medical devices software. For example, in the case of WannaCry, Microsoft released a Windows 7 security patch several months earlier to protect against such an attack, but healthcare providers were victimized because some medical devices operated on other unsupported Windows versions.”
Report continued…
“…multiple US organizations suffered operational disruption to medical devices which impacted healthcare services - including computed tomography (CT) scanners and injection systems and radiology scan viewing workstations. In some instances, devices had to be removed from the network for remediation while other cases required the transfer of patients to other facilities for continued services, resulting in a delay of care.”
For assistance please contact:
Susan Clarke: [email protected], (307) 248-8179
Please let me know how I can help.
Questions