healthcares losing battle against the hyper-connected machines
TRANSCRIPT
The Leader in Active Cyber Defense
CONFIDENTIAL DO NOT DISTRIBUTE
Healthcare’s Losing Battle Against
the Hyper-Connected Machines
Kurt Hagerman CISO
MARCH 1, 2016
Dr. Chase
Cunningham
Director of Cyber Threat
Research
CONFIDENTIAL DO NOT DISTRIBUTE | BETWEEN YOU AND THE THREAT
Your Armor Presenters
2
Dr. Chase Cunningham
• Former Cryptologist for the
National Security Agency
• U.S. Navy (Chief Ret.)
• PhD in Cybersecurity
• TRU Team Founder
• Co-Author of The Cynja
Director of Cyber Threat
Research & Innovation
Kurt Hagerman
• CISA- and CISSP-certified
• Frequent speaker and
author on security for the
payments industry,
healthcare industry and
cloud security
• 25-year veteran in IT,
security, consulting and
auditing
Chief Information
Security Officer
Is IOT Leaving Hospitals Vulnerable
to the Cruelest Attack Vectors?
3
CONFIDENTIAL DO NOT DISTRIBUTE | BETWEEN YOU AND THE THREAT
Inside the Healthcare Threat Landscape
4
Security Gaps Affect Real Patients
5
6
Ender’s Game© 2013 Lionsgate Films
CONFIDENTIAL DO NOT DISTRIBUTE | BETWEEN YOU AND THE THREAT
SCOTT ERVEN
Associate Director
Protiviti
It’s going to come to
a breaking point
sooner or later.
7
During the 2016
Kaspersky Lab Security
Analyst Summit in Spain
“
“
CONFIDENTIAL DO NOT DISTRIBUTE | BETWEEN YOU AND THE THREAT
Healthcare Threats
8
“Thousands of
medical devices
are vulnerable to
hacking, security
researchers say”
Devices Innovation Treatment
Healthcare is “10 to
15 years” behind
the retail sector
when it comes to
security.
Systems for cardiology,
infusion and MRIs all
showed more than 30
vulnerabilities per device.
This will soon have a
direct impact on
treatment and patient
care. — Threatpost | February 2016— PCWorld | September 2015 — Threatpost | February 2016
The Threat Actor Methodology
9
CONFIDENTIAL DO NOT DISTRIBUTE | BETWEEN YOU AND THE THREAT
What Threat Actors Target in Healthcare
10
“Securing Hospitals: A Research Study & Blueprint”
— Independent Security Evaluators, February 23, 2016
Patient Assets Hospital Assets
Patient Health
Patient Records
Service Availability
Community Confidence
Research / IP
Business Advantages
Hospital Finances
Hospital Reputation
Physician Reputation
$
CONFIDENTIAL DO NOT DISTRIBUTE | BETWEEN YOU AND THE THREAT
How Threat Actors Select
11
“Securing Hospitals: A Research Study & Blueprint”
— Independent Security Evaluators, February 23, 2016
How do threat actors choose their attacks?
It’s a simple business proposition.
If the cost and reward are the same,
choose the lower risk attack.
If the risk and reward are the
same, choose the lower cost
attack.
<Cost + Risk Reward = Do It
CONFIDENTIAL DO NOT DISTRIBUTE | BETWEEN YOU AND THE THREAT
Why The Formula Matters
12
As healthcare
becomes more
connected,
more devices
are available.
As more attack
vectors are
added, it drives
down the
operating cost for
threat actors.
As more devices
are connected,
there’s more
opportunity for
compromise.
As the cost goes down
and the value of
healthcare data
increases, more and
more attacks will
occur.
21 3 4
Why Can’t We Do Better?
13
CONFIDENTIAL DO NOT DISTRIBUTE | BETWEEN YOU AND THE THREAT
Defending the Healthcare Landscape
14
• Don’t Understand My Data Landscape
• Poor Authentication
• Weak Role-Based Controls
• Stubborn End-User Adoption
• Compliance Isn’t Prescriptive
Objectives Challenges
• Protect ePHI Data
• Build Secure Infrastructure
• Secure Medical End Points
• Enable Seamless Processes
• Make Security Easy for End-Users
(e.g., doctors, nurses, administrators)
CONFIDENTIAL DO NOT DISTRIBUTE | BETWEEN YOU AND THE THREAT
It’s Just ’Ones & Zeroes’
15
Only so many ways to secure data
that’s stored, transmitted,
processes or accessed.
Simplify Learn
Understand FollowYou and your organization are
responsible for the data of your
patients, customers and partners.
Take responsibility for securing it.
Get to know your data — where it’s
stored, what it is and who is accessing it.
Learn to do the big things right.
Use other compliance controls — PCI or
NIST — as guideposts. They are more
prescriptive and will help you achieve
compliance and basic security objectives.
Security Must Be Bi-Directional
16
CONFIDENTIAL DO NOT DISTRIBUTE | BETWEEN YOU AND THE THREAT 17
Think Bi-Directionally
‘0000’
18
Segment & Defend
19
CONFIDENTIAL DO NOT DISTRIBUTE | BETWEEN YOU AND THE THREAT
Big Cloud Problems
20
InternetMassive
Healthcare Cloud
CONFIDENTIAL DO NOT DISTRIBUTE | BETWEEN YOU AND THE THREAT
A Micro-Cloud Approach
21
Internet
HSC ICU Rx Imaging
App App App App App App App AppApp App
The Time to Act?
Now.
22
CONFIDENTIAL DO NOT DISTRIBUTE | BETWEEN YOU AND THE THREAT
Remember Three
23
Understand
Your Data
Everything,
Everywhere Is
Connected
Leverage
Clouds the
Correct Way
QUESTIONS?
24
The Leader in Active Cyber Defense
CONFIDENTIAL DO NOT DISTRIBUTE
Thank YouKurt Hagerman | [email protected]| CISO
Dr. Chase Cunningham | chase.cunningham.com| Director of Cyber Threat Research
MARCH 1, 2016