
1

Getting Ready for the Next International Cyber-attack

Session CYB2, March 5, 2018

Kristopher Kusche, VP & CISO

Albany Medical Center

2

Kristopher Kusche, M.Eng., CISSP, CPHIMS, FHIMSS

Conflict of Interest

Has no real or apparent conflicts of interest to report.

3

Agenda

• Review Learning Objectives

• Presentation

• Question and Answer

4

Learning Objectives

• Outline how and why WannaCry, NotPetya, and other recent significant security incidents affected healthcare organizations

• Explain what healthcare organizations are doing to enhance their cyber preparedness for the next significant cyber security incident

• Illustrate the role and value of cyber threat information sharing

5

Recent Cyber Attacks

• Multiple attacks using “EternalBlue”, an exploit from the leaked NSA toolkit

– “WannaCry”, “NotPetya”

• Other major variants

– “Bad Rabbit”

• 2017 ransomware impacts are estimated at $5B worldwide

• Healthcare is the #1 cyber attacked sector

6

WannaCry Global Impacts

• Targeted a known (and patched) vulnerability in the Windows OS

• Hundreds of thousands of computers encrypted in several days

• Many hospitals world-wide with services impacted

– Medical devices hit specifically hard

• Radiology modalities, contrast injectors

• Patient monitoring systems, others

• Estimated that less than $150,000 total ransom paid

• Damages due to downtime and mitigation efforts estimated in the hundreds of millions!!!

7

Other Impact Example

• Erie County Medical Center in Western New York, 2017

• Hit by an undisclosed ransomware asking for $30k in Bitcoin

• Recovery of computer systems lasted for more than a month

– Estimated 6,000 hard drives wiped/restored

• Impact was estimated at $10M

– Covered by cyber insurance

Sources:

1) https://www.distilnfo.com/hitrust/2017/05/29/erie-county-medical-center/

2) https://www.cybersecurity-insiders.com/ecmc-spends-10-million-to-recover-from-a-cyber-attack/

8

Other Impact Example (cont.)

• No technology will keep 100% of attacks out of your network

• Ask your organization if you have:

– Good data backups?

– Layered security (aka Defense in Depth)?

– A strong emergency preparedness program including downtime procedures?

– (Enough) cyber insurance?

9

Why Healthcare?

• Why are these cyber attacks occurring?

• How does Healthcare stack up against other sectors?

• What can we do to prevent or recover from an attack?

Let’s start at the beginning…

10

Critical Infrastructure

• Established in 2003 under Homeland Security Presidential Directive 7 (HSPD-7) and updated in 2013 under Presidential Policy Directive 21 (PPD-21)

• Identifies 16 critical infrastructure sectors that are considered so vital to the United States that their incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety

• Department of Health and Human Services is the Healthcare sector-specific agency responsible for implementing and managing PPD-21

11

Critical Infrastructure Sectors

• Chemical Sector

• Commercial Facilities Sector

• Communications Sector

• Critical Manufacturing Sector

• Dams Sector

• Defense Industrial Base Sector

• Emergency Services Sector

• Energy Sector

• Financial Services Sector

• Food and Agriculture Sector

• Government Facilities Sector

• Healthcare and Public Health Sector

• Information Technology Sector

• Nuclear Reactors, Materials, and Waste Sector

• Transportation Systems Sector

• Water and Wastewater Systems Sector

12

Breach Statistics for Healthcare

In 2017, healthcare was the most breached sector:

• 374 total reported healthcare breaches

• Over 5.1 million patient records impacted

• Accounts for over 28% of all breaches across all sectors

• The average cost of a breach per organization was $7.35M

• Each breached healthcare record cost approximately $380 vs. $141 across all sectors

Sources:

1) 2017 Breach Stats Summary, Identity Theft Resource Center, www.itrc.org

2) 2017 Cost of Data Breach Study, Ponemon Institute, www.ponemon.org


2017 Breaches by Industry (chart): Healthcare 28%, Education 9%, Banking 7%, Government 5%, All Other 51%

14

Attack Motives

• Espionage, Data Exfiltration

• Money (i.e., ransomware)

• Disruption (political, economic, functional)

– WannaCry (N. Korea); NotPetya, Bad Rabbit (Russia)

– All attributed to nation states

• In short, many of the recent attacks are NOT targeting healthcare BUT healthcare becomes a victim based on gaps in security best practices

15

Causes of Breaches in Healthcare

Breaches are always a mix of external and internal technical and non-technical causes:

– Workforce awareness

• Phishing leading to account breaches

– Open network borders (e.g., protocols, ports, defaults)

– Inadequate PHI policies and processes

– Inadequate internal defenses

• We need the Simple AND the Complex solutions

Compliance vs. Effectiveness

16

PHI Breach Impacts

• 10 OCR Settlements in 2017

• Fines can range up to $50,000 per violation per incident

• Settlements cost ~$20M

• Root causes:

– No HIPAA BAA

– Inadequate Risk Assessment and Audit

– Lack of Technical Measures to protect PHI, including access management and encryption

• Not to mention corrective costs and reputational damage

17

Security Program Overview

• Choose a Security Framework (e.g., NIST, HITRUST) and map your program to it

• Measure against a Capabilities Maturity Model (e.g., COBIT)

• Program completeness measured at the lower levels

• Program effectiveness measured at the higher levels

• Leadership awareness, support AND participation for successful implementation

• Does your organization’s IT security program have Board level sponsorship and access?

Sample Cyber Security Framework (slide diagram of capability boxes; grouped by domain where the layout makes the grouping clear)

• Domains: Cybersecurity; Governance and Policy; Risk Management; Network; DR/BC; Incident Response; Vulnerability Management; Security Oversight; Security Program Management; Vendors; Identity and Access; Workforce Security

• Cybersecurity and Network capability boxes: Data at Rest; Data in Transit; Data Loss Prevention; Threat Monitoring & Assessment; Web Traffic Filtering; Remote Access Control; Email Security; Mobile Device Mgmt.; Intrusion Detection/Prevention; Network Segmentation; Email Gateway; Firewalls; Network Access Control; Threat Intelligence & Alerting; Advanced Threat Detection; Threat Intelligence Exchange; Endpoint/Workforce Protection; Managed Security Services; Security Information and Event Mgmt. (SIEM); Security Metrics

• DR/BC: Planning and Testing; Business/Application Impact Analysis

• Incident Response: Case Mgmt.; Security Operations Center; Forensics Capabilities

• Vulnerability Management: Software Version Control; Penetration Testing; Scan/Patch Reporting

• Security Oversight: Policies and Procedures; PCI DSS Compliance Reviews; Regulatory Compliance Reviews; Performance Reports and Metrics; Admin Rights Audit; Access Review; FERPA

• Security Program Management: Roadmap Refresh; BA Agreements; 3rd Party Assessment; Application Assessment; EHR Access Monitoring; Litigation & Contract Review; Medical Device Assessment; Proactive Access Monitoring

• Identity and Access: Privileged Accounts Mgmt.; Vendor Access; Identity Access Mgmt.; Account Admin.; Active Directory Mgmt.; Single Sign-On; Multifactor Auth.

• Workforce Security: Background Check; Security Awareness Training; Training; Joint Comm.

19

Risk Assessment

• Sounds basic but almost ALL OCR settlements cited Risk Assessment as a critical lapse of compliance!!!

– Does your organization have a formal Risk Register?

• Must begin with a solid inventory:

– Inventory Control # associated to make, model, serial, software/firmware versions, patch levels, etc.

– Understanding of upstream/downstream connectivity points and dependencies

• Risk assessment and Risk Registers are living processes!!!

Sample Risk Register (columns grouped as Risk Identification, Risk Analysis, Risk Mitigation)

Risk ID: R010
Risk Title: Firewall wrongly configured for DMZ
Risk Description: Wrongly configured firewall can allow malicious traffic access to systems
Risk Trigger Description (if > this): Mistake made in firewall rules; exploited vulnerability in the firewall
Potential Outcome (then > this): DMZ compromise; system shutdown, integrity breach
Risk Exposure: 0.060
Risk Response Type: Mitigate
Risk Response Description: Implement the application firewall feature in the DMZ for tighter security beyond the hardware firewall.

21

Protective Measures

Once a Risk Assessment process is established, then protection can begin:

• Education

• Patching

• IDS/IPS (Intrusion Detection/Prevention System)

• Application Whitelisting (TIE/ATD)

• SIEM (Security Information and Event Management)

• Life cycle management

22

Education Sample

23

IDS/IPS

• What it does:

Scans network traffic and automates alerting and action based on rule sets and machine learning

• Effectiveness:

Can detect, alert and block, in real-time, malicious code or attempted network connections

Can retrospectively determine if indeterminate traffic is malicious

• Examples:

Malware file download, CnC (command-and-control) connections, Tor attempts

24

IDS/IPS Sample

Intrusion Detection and Prevention Systems allow for automated alerting and action based on rule sets and machine learning:

**Auto Generated Email** -- Network Based Retrospective Alerts

<*- Network Based Retrospective at Thu Jan 18 06:25:58 2018 UTC -*>
Sha256: 6cecd0164877dab3e90b94ad6d0b6e2eb54d0c43969991f6def00b8ae63218d0
Disposition: Malware
Threat name: Win.Worm.Mydoom-90

(The slide annotates these fields as Alert Name, Hash, Result, and Malware Name.)

25

Application Whitelisting

• What it does:

Monitors networked devices for unapproved applications being run and automates alerting and action based on rule sets and machine learning

• Effectiveness:

Can detect, alert and block, in real-time, malicious code execution or unlicensed/unapproved installations

• Examples:

Malware via email attachment execution or website code launch

26

Application Whitelisting Sample

Threat Analysis Report

Threat Level: Malicious
File Name: V031336_0036_OIS-INSTALLER.EXE
MD5 Hash Identifier: 31B2A96058B45168C012789710C71F04
SHA-1 Hash Identifier: 8E71D3E2FA7217142C1CEE7715EE88A4D4A5D088
SHA-256 Hash Identifier: D5F8449DB842F39119ACD5E201193B1E83CDD80A2B6A1A7BA0B2C85CA85FBBAE
Sandbox Replication: 182 seconds

Behavior Classification:

– Hiding, Camouflage, Stealthiness, Detection and Removal Protection: Medium

– Security Solution / Mechanism bypass, termination and removal, Anti-Debugging, VM Detection: Low

Dynamic Analysis (1% of code dynamically executed)

27

SIEM – MUST HAVE!!!

• Message/Event Aggregator

– System integration

• Automation

– Alerts

– Downstream Rules

• In-house or service

• This is complex!!!

(Non-modified artwork attributed to Jorge Arimany (Own work) [CC BY-SA 3.0 (https://creativecommons.org/licenses/by-sa/3.0)], via Wikimedia Commons)

28

SIEM Example: Sample is malicious

= ALARM DETAILS START =
Alarm Name: ATD- Cyber Threat Feed
Alarm Description: ATD TIE CyberThreatfeed
= ALARM DETAILS END =

=== CORRELATED EVENT START ===
Device Name: ATD01
Rule Message: Sample is malicious
Signature ID: 525-2089798990
Source IP: XXX.XXX.147.150
Destination IP:
Source User:
Destination User:
=== CORRELATED EVENT END ===

29

SIEM Example: Malware Traffic with a known Botnet CnC

= ALARM DETAILS START =
Alarm Name: Traffic to and from known Botnet IP
Correlation RULE: Sig ID: 47-6111152
= ALARM DETAILS END =

=== CORRELATED EVENT START ===
Device Name: Rule Correlation
Rule Message: Malware Traffic with a known Botnet CnC
Signature ID: 47-6111152
Source IP: 43.248.73.6
Destination IP: XXX.XXX.213.86
=== CORRELATED EVENT DETAILS END ===
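Added example (not from the slides or from the vendor products they show): a small parser for the two alert layouts on the IDS/IPS retrospective-alert slide and the SIEM alarm slides, plus a triage rule that maps each alert to a defensive action. The samples are reconstructed from the slides with one field per line; treating the masked XXX.XXX address as the hospital's own host and the unmasked one as the external side is an assumption.

```python
import re

# Samples reconstructed from the slides (constructed for this example; the
# deck's extraction ran several fields onto one line, here it is one per line).
RETRO_ALERT = """\
<*- Network Based Retrospective at Thu Jan 18 06:25:58 2018 UTC -*>
Sha256: 6cecd0164877dab3e90b94ad6d0b6e2eb54d0c43969991f6def00b8ae63218d0
Disposition: Malware
Threat name: Win.Worm.Mydoom-90
"""

SIEM_ALARM = """\
= ALARM DETAILS START =
Alarm Name: Traffic to and from known Botnet IP
Correlation RULE: Sig ID: 47-6111152
= ALARM DETAILS END =
=== CORRELATED EVENT START ===
Device Name: Rule Correlation
Rule Message: Malware Traffic with a known Botnet CnC
Signature ID: 47-6111152
Source IP: 43.248.73.6
Destination IP: XXX.XXX.213.86
=== CORRELATED EVENT END ===
"""


def parse_fields(text):
    """Collect 'Key: value' lines into a dict; banner lines ('=', '<*-') are skipped."""
    fields = {}
    for line in text.splitlines():
        if line.startswith(("=", "<*-")):
            continue
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def triage(text):
    """Return the action a SOC analyst would queue for one alert."""
    f = parse_fields(text)
    if f.get("Disposition") == "Malware" and "Sha256" in f:
        # Retrospective verdict: the file was already delivered, so sweep endpoints for the hash.
        return {"action": "endpoint-sweep", "ioc": f["Sha256"], "threat": f["Threat name"]}
    if "Botnet" in f.get("Alarm Name", ""):
        # Correlated CnC traffic: the unmasked (assumed external) address is the block-list candidate.
        ips = [f.get("Source IP", ""), f.get("Destination IP", "")]
        external = [ip for ip in ips if re.fullmatch(r"(\d{1,3}\.){3}\d{1,3}", ip)]
        return {"action": "block-ip", "ioc": external[0], "sig": f["Signature ID"]}
    return {"action": "review", "ioc": None}
```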

30

Incident Response

• Playbooks (NASA)

• Documentation of systems, networks, data sources

• Disconnect policy

• Requires inventory of systems and business processes impacted

• Understanding of connectivity

• Application to application

• Data Sharing (e.g., extra-organizational, HIE)

• Rules for activation

31

Medical Device Vulnerabilities

Medical device security is complicated for many reasons:

• FDA position on patching

• Connectivity Requirements Complicates Isolation and Mitigation

• Unalterable configurations

• End-of-Life or turn-key operating system installs

• Incompatible with many IT security toolsets

• Knowledge and interaction between CE and IT

Difficulty in Isolation (slide diagram of the interconnected systems: PACS, RIS, EHR, Radiology Modality, Integration Engine, Users)

33

Medical Device Strategy

• Risk Assessment (CVSS)

• Contracting (MDS2)

• Inventory

• Isolation

• Patching

• Enforce standards

Medical Device Risk Assessment Sample

Asset Description: ABLATION UNIT
Manufacturer: XYZ CORP.
Model Number: Ablatomatic 2000
Risk Score: 1.9
Device Notes: Used to ablate calcium in coronary arteries. No PHI; no network connection; physical access only. Risks: 1) system modified to increase power to cause more damage; 2) failure during use.
Security Review Recommendations: Ensure the system is tested before use to verify the power setting per manufacturer instructions.
CVSS Vector: CVSS:3.0/AV:P/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:X/RC:X

35

Info Sharing Organizations

Multiple State, Federal, Private/Public Cyber Info Sharing Groups

• Information Sharing and Analysis Centers (NH-ISAC, MS-ISAC)

• Computer Emergency Readiness Teams (US-CERT)

• State Police (e.g., NYSIC CAU)

• Dept of Homeland Security, FBI, InfraGard

These organizations provide sector intelligence and alerts, action recommendations and Indicators of Compromise (IoCs)

36

Indicators of Compromise

• Hashes (SHA-256)


• File names

msvcsexec.exe

• Patches

Microsoft Windows Defender definitions

Version: 1.261.29.0

Released: Jan 19, 2018 08:50 AM UTC

WannaCry Timeline Case Study

Friday, May 12, 2017

2:49pm – Initial alert received from NYSIC-CAU

2:53pm – Receive alert from anti-malware security vendor

3:18pm – IDS/IPS network address and file blocking signatures applied

4:09pm – Notified by EHR vendor that servers require patching

4:55pm – Workforce-wide communications sent

5:43pm – Network traffic pattern block rules implemented

6:15pm – Initial anti-malware signature update

8:31pm – Second anti-malware signature update

9:00pm – EHR system patching begins with application vendor

9:20pm – Patching of 1,100+ servers begins

10:00pm – Patching of 9,000+ devices and 300+ medical devices begins

10:31pm – Additional traffic rules applied

WannaCry Timeline Case Study (cont.)

Saturday, May 13, 2017

2:05am – Additional traffic rules applied

3:15am – PACS enterprise imaging system patched

3:56am – EHR patching completed

1:59pm – Additional IDS/IPS IoCs applied

2:15pm – Additional anti-malware signature update

3:10pm – Microsoft announces an unprecedented release of patches for discontinued Windows XP and Windows 2003 Server

Sunday, May 14, 2017

10:34am – Additional anti-malware signature update

2:34pm – Additional anti-malware signature update

6:47pm – Alerts of potentially infected machines on “Guest Wireless” network and devices removed from the network

39

Summary

• Cyber attacks are the new norm

• WannaCry was the wake up call!!!

• Protection still requires layers and “Defense in Depth”

• Security Framework

• Policy and Process

• Investment in technical measures (simple to complex)

• Communication and Information Sharing are Critical

• Inside and outside the organization

40

Questions?

Contact Information:

Kristopher Kusche, M.Eng., CISSP, CPHIMS, FHIMSS

VP & CISO, Albany Medical Center

[email protected]

(518) 262-4690

Thank you and please remember to complete the online session evaluation provided by HIMSS. Enjoy the rest of the conference!!!