Part 6: Building a Strong Security Program
Presented by: Susan Clarke, Health Care Information Security and Privacy Practitioner
June 5 & 6, 2018
Legal Disclaimer
The presenter is not an attorney and the information provided is the presenter(s)’ opinion and should not be taken as legal advice. The information is presented for informational purposes only.
Compliance with regulations can involve legal subject matter with serious consequences. The information contained in the webinar(s) and related materials (including, but not limited to, recordings, handouts, and presentation documents) is not intended to constitute legal advice or the rendering of legal, consulting or other professional services of any kind. Users of the webinar(s) and webinar materials should not in any manner rely upon or construe the information as legal or other professional advice. Users should seek the services of a competent legal or other professional before acting, or failing to act, based upon the information contained in the webinar(s) in order to ascertain what may be best for the user's individual needs.
Learning Objectives
Best practices for building a strong security program, including a WannaCry ransomware case study and the challenges of medical device management.
Acronyms
• BA: Business Associate
• CE: Covered Entity
• CEHRT: Certified Electronic Health Record Technology
• CMS: Centers for Medicare and Medicaid Services
• EHR: Electronic Health Record
• ePHI: Electronic Protected Health Information
• HHS: Department of Health and Human Services
• HIPAA: Health Insurance Portability and Accountability Act
• HIT: Health Information Technology
• IT: Information Technology
• NIST: National Institute of Standards and Technology
• OCR: Office for Civil Rights
• PHI: Protected Health Information
• SP: Special Publication
• SRA: Security Risk Analysis
Today’s Overview
• A strong security program starts at the top
• Economic impact of cybersecurity
• Time to get serious
• Top four: get the most out of your security program today
• How patient safety intersects
Why Is Health Care Targeted?
• In 2017 health care was the most breached sector, with an average cost of $7.35 million per organization.
• Health care accounted for 28 percent of all breaches across all sectors, impacting 5.1 million patient records.
• Many recent attacks are NOT targeting health care, BUT health care becomes a victim because of gaps in security best practices.
Sources:
1) 2017 Breach Stats Summary, Identity Theft Resource Center, www.itrc.org
2) 2017 Cost of Data Breach Study, Ponemon Institute, www.ponemon.org
Health Care Today is a Hotbed for Cybersecurity Activity
EHRs + sharing patient records across the ecosystem + data-based collaborative care + analytics used to enhance care + electronic registries for population health + personalized medicine
= Data Explosion!
Oversight and Governance
• Identify all PHI
• Safeguard all PHI
• Detect incidents
• Respond with a plan
• Recover to normal operations
Supporting activities:
• Risk assessment and management
• Patch and vulnerability management
• Data inventory
• Identity management
• Third-party assessment
• Effectively communicate your program!
Managing Security Risk in Enterprise
Compliance Does Not Equal Security
We are faced with an unprecedented security risk. Organizations need to bring EVERYONE along and develop a mature compliance AND security program over time.
People first, then Process, then Technology
What Can You Afford?
Making a case:
– Impacts to patient care
– Significant employee downtime
– Technical time and skill to recover
– Removing the malware
– Fines, reporting, legal fees, reputation
WannaCry Ransomware Global Impacts: it is estimated that less than $150,000 in total ransom was paid, yet damages due to downtime and mitigation efforts are estimated in the hundreds of millions.
Security: areas often overlooked
• Consider the proliferation of ePHI within our environments; look at workflow
• Mobile devices are vulnerable, and more of them are personal than corporate. Many users still falsely think these devices can’t become infected, and their problems can be shared with the corporate network. (If personal devices are allowed, consider specialized training for those permitted.)
• Look for an easy way for users to report issues
Note: There is no such thing as 100 percent security or zero risk.
https://healthitsecurity.com/resources/white-papers/2018-ransomware-hostage-rescue-manual?elqTrackId=ab68e2e6c753421d8622af966c30c7fb&elq=cc6bdc42b33448c5b95f2e26d574e5ed&elqaid=5235&elqat=1&elqCampaignId=4856
IT Security and the CIA Triad
The CIA triad, applied to information assets:
• Confidentiality: What if my health record isn’t kept private?
• Availability: What if my health record isn’t there when needed?
• Integrity: What if my health record isn’t accurate?
Changing Priorities
Healthcare has undergone a paradigm shift. Traditionally:
• HIPAA-driven priorities: Confidentiality, Integrity, Availability of ePHI
• Checklist approach to satisfy the auditor
Over the past 2-3 years, Availability has become a growing concern:
• Ransomware impacted information access and therefore clinical workflows
• WannaCry shut down hospitals (UK NHS)
• Medical device incidents have impacted care delivery (WannaCry, MedJack)
And we are starting to understand the Integrity problem:
• Again, medical devices (hacks that could kill – but research only so far)
• Risk to critical systems and data … and patient trust
• Even just the perception of loss of integrity is a problem!
Security systems need to win every time; hackers only have to win once
Does your organization have:
• Good data backups?
• Layered security, aka defense in depth?
• A strong emergency preparedness program, including downtime procedures?
• Cyber insurance?
Recruit your staff: from dedication to commitment
• Technical, communication, presentation and collaboration skills
• Leader of the leaders
• Understands health care operations and issues
• Financial acumen
• Visionary, inspires action
• Ready and able to walk on water!
Lead by building trust and influence, not by pointing at the org chart
• Build up your cybersecurity team
• Extend your staff with help from consultants and vendors
• Review policies and procedures with your team
• Transfer knowledge, delegate tasks, empower
• Look for “net adds”: there is always a small win, and they can add up quickly
Reveal Their Secrets—Protect Our Own
Top 4 mitigation strategies (85% of intrusions mitigated):
• Use application whitelisting to help prevent malicious software and unapproved programs from running
• Patch applications such as Flash, web browsers, Microsoft Office, Java and PDF viewers
• Patch operating systems
• Restrict administrative privileges to operating systems and applications based on user duties
Source: https://www.asd.gov.au/infosec/mitigationstrategies.htm
Patching Software and OS
It is important that patch management is considered a core function of IT management and is carried out in a timely and efficient manner. Patch management for operating systems and for applications is closely related, and the procedures followed should be similar. These procedures should be tightly integrated with corporate change management processes to ensure that they are effective and auditable across the entire organization.
Source: https://www.asd.gov.au/infosec/mitigationstrategies.htm
Application Whitelisting
Whitelisting, when implemented correctly, makes it harder for an adversary to compromise an organization's system. Application whitelisting is a technical measure which only allows specifically authorized applications to run on a system. This helps prevent malicious software and unauthorized applications from running.
Source: https://www.asd.gov.au/infosec/mitigationstrategies.htm
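The slide's "when implemented correctly" is the important qualifier. The following Python example (added here; it is not from the slides or the ASD material) contrasts a name-based allowlist with a content-hash allowlist over a constructed set of workstation files, to show why a policy that trusts file names is not a real whitelist: an unapproved program renamed to an approved name passes the name check but fails the hash check.

```python
"""Hash-based application allowlist check (added example, not from the slides).

All file contents and policy entries below are constructed for illustration.
"""
import hashlib
from typing import Dict


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed "approved" builds: file name -> bytes of the authorised binary.
APPROVED_BUILDS: Dict[str, bytes] = {
    "ehr_client.exe": b"EHR client v4.2 (authorised build)",
    "pdf_viewer.exe": b"PDF viewer v11.0 (authorised build)",
}

# Policy form 1 (weak): allow anything whose file name is on the list.
NAME_ALLOWLIST = set(APPROVED_BUILDS)

# Policy form 2 (correct): allow only content whose SHA-256 matches an approved build.
HASH_ALLOWLIST = {sha256_hex(content) for content in APPROVED_BUILDS.values()}


def allowed_by_name(filename: str, content: bytes) -> bool:
    """Weak check: only the name is consulted; the bytes are ignored."""
    return filename in NAME_ALLOWLIST


def allowed_by_hash(filename: str, content: bytes) -> bool:
    """Correct check: the file must be byte-identical to an approved build,
    regardless of what it is called or where it sits on disk."""
    return sha256_hex(content) in HASH_ALLOWLIST


def evaluate(files: Dict[str, bytes]) -> Dict[str, Dict[str, bool]]:
    """Run both policies over a constructed snapshot of a workstation's files."""
    return {
        name: {"by_name": allowed_by_name(name, data),
               "by_hash": allowed_by_hash(name, data)}
        for name, data in files.items()
    }


# Constructed workstation snapshot: one genuine build, one unapproved tool that
# was simply renamed to an approved file name, and one unknown dropped file.
WORKSTATION_FILES: Dict[str, bytes] = {
    "ehr_client.exe": APPROVED_BUILDS["ehr_client.exe"],
    "pdf_viewer.exe": b"unapproved remote-admin tool renamed to look approved",
    "screensaver.scr": b"unknown program arriving as an e-mail attachment",
}

if __name__ == "__main__":
    for name, verdict in evaluate(WORKSTATION_FILES).items():
        print(f"{name:16} name-policy={str(verdict['by_name']):5} "
              f"hash-policy={verdict['by_hash']}")
```

The hash policy also catches an approved program whose bytes have been tampered with, since any change to the content changes its digest.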
Restrict Admin Privileges
When an adversary targets a system, they will primarily look for user accounts with administrative privileges. Administrators are targeted because they have a high level of access to the organization's system. If an adversary gains access to a user account with administrative privileges they can access any data the administrator can access – which generally means everything. Minimizing administrative privileges makes it more difficult for the adversary to spread or hide their existence on a system.
Administrative privileges should be tightly controlled. It is important that only staff and contractors that need administrative privileges have them. In these cases, separate accounts with administrative privileges should be created which do not have access to the internet. This reduces the likelihood of malware infecting the administrator, as they should not be web browsing or checking emails while using their privileged account.
Source: https://www.asd.gov.au/infosec/mitigationstrategies.htm
Medical Devices Status Quo
• Despite cyber threat data and growing awareness, healthcare remains unprepared
  * 72% of healthcare providers have fewer than 200 beds and inadequate funds or resources
  * 80% of device vendors have fewer than 50 employees and lack knowledge and experience
• The industry continues to be an “easy” target for cyber attack
• Medical devices are still sold with Windows XP (unsupported since 2014) and with no plans for upgrading from Windows 7
  * Healthcare providers cannot manage medical devices like other technology
• Attempts are made to manage risks through “guidance”, collaboration and hand-crafted custom solutions
• There are currently few incentives or demand to sell secure devices, and few consequences for selling poorly secured devices
• Little consistency across vendors or devices in technology, software and security
Source: HIMSS Cybersecurity Forum
http://orprima.org/images/meeting/092717/pin_171017_001.pdf
FBI Cyber Division Report
“The ransomware attack highlighted the industry’s challenges to provide timely patching and remediation for medical devices software. For example, in the case of WannaCry, Microsoft released a Windows 7 security patch several months earlier to protect against such an attack, but healthcare providers were victimized because some medical devices operated on other unsupported Windows versions.”
Report continued…
“…multiple US organizations suffered operational disruption to medical devices which impacted healthcare services - including computed tomography (CT) scanners and injection systems and radiology scan viewing workstations. In some instances, devices had to be removed from the network for remediation while other cases required the transfer of patients to other facilities for continued services, resulting in a delay of care.”
For assistance please contact:
Susan Clarke: [email protected], (307) 248-8179
Please let me know how I can help.
Questions