Part 6: Building a Strong Security Program Presented by: Susan Clarke, Health Care Information Security and Privacy Practitioner June 5 & 6, 2018


Page 1: Part 6: Building a Strong Security Program18vtj92co9zb1qy8011oc0fw-wpengine.netdna-ssl.com/wp-content/u… · Learning Objectives. Best Practices for building a strong security program

Part 6: Building a Strong Security Program

Presented by: Susan Clarke, Health Care Information Security and Privacy Practitioner

June 5 & 6, 2018

Page 2

Legal Disclaimer

The presenter is not an attorney, and the information provided is the presenter(s)’ opinion and should not be taken as legal advice. The information is presented for informational purposes only.

Compliance with regulations can involve legal subject matter with serious consequences. The information contained in the webinar(s) and related materials (including, but not limited to, recordings, handouts, and presentation documents) is not intended to constitute legal advice or the rendering of legal, consulting or other professional services of any kind. Users of the webinar(s) and webinar materials should not in any manner rely upon or construe the information as legal or other professional advice. Users should seek the services of a competent legal or other professional before acting, or failing to act, based upon the information contained in the webinar(s) in order to ascertain what may be best for the user’s individual needs.

2

Page 3

Learning Objectives

Best practices for building a strong security program, including a WannaCry ransomware case study and medical device management challenges.

3

Page 4

Acronyms

• BA: Business Associate
• CE: Covered Entity
• CEHRT: Certified Electronic Health Record Technology
• CMS: Centers for Medicare and Medicaid Services
• EHR: Electronic Health Record
• ePHI: Electronic Protected Health Information
• HHS: Department of Health and Human Services
• HIPAA: Health Insurance Portability and Accountability Act
• HIT: Health Information Technology
• IT: Information Technology
• NIST: National Institute of Standards and Technology
• OCR: Office for Civil Rights
• PHI: Protected Health Information
• SP: Special Publication
• SRA: Security Risk Analysis

4

Page 5

Today’s Overview

• Strong security program starts at the top
• Economic impact of cybersecurity
• Time to get serious
• Top four: get the most out of your security program today
• How patient safety intersects

5

Page 6

Why Is Health Care Targeted?

• In 2017 health care was the most breached sector with an average cost of $7.35 million per organization

• Health care accounted for 28 percent of all breaches across all sectors impacting 5.1 million patient records.

• Many recent attacks are NOT targeting health care BUT health care becomes a victim based on gaps in security best practices

Sources:
1) 2017 Breach Stats Summary, Identity Theft Resource Center, www.itrc.org
2) 2017 Cost of Data Breach Study, Ponemon Institute, www.ponemon.org

6

Page 7

Health Care Today is a Hotbed for Cybersecurity Activity

EHRs + sharing patient records across the ecosystem + data-based collaborative care + analytics used to enhance care + electronic registries for population health + personalized medicine

= Data Explosion!

7

Page 8

Oversight and Governance

Identify all PHI

Safeguard all PHI

Detect incidents

Respond with a plan

Recover to normal operations

• Risk assessment and management
• Patch and vulnerability management
• Data inventory
• Identity management
• Third-party assessment
• Effectively communicate your program!

8

Page 9

Managing Security Risk in Enterprise

9

Page 10

Compliance Does Not Equal Security

We are faced with an unprecedented security risk. Organizations need to bring EVERYONE along and develop a mature compliance AND security program over time.

People first, then Process, then Technology

10

Page 11

What Can You Afford?

Making a case:
– Impacts to patient care
– Significant employee downtime
– Technical time and skill to recover
– Removing the malware
– Fines, reporting, legal fees, reputation

WannaCry Ransomware Global Impacts: it is estimated that less than $150,000 in total ransom was paid, yet damages due to downtime and mitigation efforts are estimated in the hundreds of millions.

11

Page 12

Security, areas often overlooked

• Consider the proliferation of ePHI within our environments, look at work flow

• Mobile devices are vulnerable, and more of them are personal than corporate. Many users still falsely think these devices can’t become infected, yet their problems can be shared with the corporate network. (If personal devices are allowed, consider specialized training for those permitted to use them.)

• Look for an easy way for users to report issues

Note: There is no such thing as 100 percent security or zero risks.

https://healthitsecurity.com/resources/white-papers/2018-ransomware-hostage-rescue-manual?elqTrackId=ab68e2e6c753421d8622af966c30c7fb&elq=cc6bdc42b33448c5b95f2e26d574e5ed&elqaid=5235&elqat=1&elqCampaignId=4856

12

Page 13

IT Security and CIA Triad

What if my health record isn’t kept private?

What if my health record isn’t there when needed?

What if my health record isn’t accurate?

Confidentiality

Integrity

Availability

Information Assets

13

Page 14

Changing Priorities

Healthcare has undergone a paradigm shift.

Traditionally:
• HIPAA-driven priorities: Confidentiality, Integrity, Availability of ePHI
• Checklist approach to satisfy the auditor

Over the past 2-3 years, Availability has become a growing concern:
• Ransomware impacted information access and therefore clinical workflows
• WannaCry shut down hospitals (UK NHS)
• Medical device incidents have impacted care delivery (WannaCry, MedJack)

And we are starting to understand the Integrity problem:
• Again, medical devices (hacks that could kill – but research only so far)
• Risk to critical systems and data … and patient trust
• Even just the perception of loss of integrity is a problem!

14

Page 15

15

Page 16

Security systems need to win every time; hackers only have to win once.

Does your organization have:
• Good data backups?
• Layered security, aka defense in depth?
• A strong emergency preparedness program, including downtime procedures?
• Cyber insurance?

16

Page 17

Recruit your staff, from dedication to commitment

• Technical, communication, presentation and collaboration skills
• Leader of the leaders
• Understands health care operations and issues
• Financial acumen
• Visionary, inspires action
• Ready and able to walk on water!

17

Page 18

Lead by building trust and influence, not by pointing at the org chart

• Build up your cybersecurity team
• Extend your staff with help from consultants and vendors
• Review policies and procedures with your team
• Transfer knowledge, delegate tasks, empower
• Look for “net adds”; there is always a small win, and they can add up quickly

18

Page 19

Reveal Their Secrets—Protect Our Own

Top 4, 85% mitigated

• Use application whitelisting to help prevent malicious software and unapproved programs from running
• Patch applications such as Flash, web browsers, Microsoft Office, Java and PDF viewers
• Patch operating systems
• Restrict administrative privileges to operating systems and applications based on user duties

Source: https://www.asd.gov.au/infosec/mitigationstrategies.htm

19

Page 20

Patching Software and OS

It is important that patch management is treated as a core function of IT management and is carried out in a timely and efficient manner. Patch management for operating systems and for applications are closely related activities, and the procedures followed should be similar. These procedures should be tightly integrated with corporate change management processes to ensure that they are effective and auditable across the entire organization.

Source: https://www.asd.gov.au/infosec/mitigationstrategies.htm

20
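The kind of audit a patch-management process tied to change management should be able to produce, as an added example in Python (not code from the presentation or from ASD): it walks a constructed asset inventory, applies an assumed per-category patch SLA, records whether each outstanding patch has a change-management ticket, and flags assets whose operating system is past vendor support and therefore cannot be made compliant by patching at all. Asset names, SLA values and ticket ids are constructed; the end-of-support dates are the public Microsoft dates for Windows XP and Windows 7.

```python
"""Patch-compliance audit over a constructed asset inventory.

Added example, not code from the presentation. OS and application patching
run through one procedure: each asset has a patch SLA, each outstanding patch
should carry a change ticket, and assets on an unsupported OS (Windows XP, as
the deck notes) are reported separately because patching cannot fix them.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

# Public Microsoft end-of-support dates, used to flag assets that can no
# longer receive security patches.
END_OF_SUPPORT = {
    "Windows XP": date(2014, 4, 8),
    "Windows 7": date(2020, 1, 14),
}

# Assumption: days allowed from patch release to deployment, by asset category.
PATCH_SLA_DAYS = {"workstation": 14, "medical-device": 30}


@dataclass
class Asset:
    name: str
    os: str
    category: str                        # key into PATCH_SLA_DAYS
    last_patched: date
    pending_since: Optional[date]        # release date of the oldest unapplied patch
    change_ticket: Optional[str] = None  # change-management ticket for the patch window


def assess(asset: Asset, today: date) -> Tuple[str, str]:
    """Classify one asset as unsupported, current, pending or overdue, with a reason."""
    eos = END_OF_SUPPORT.get(asset.os)
    if eos is not None and today > eos:
        return "unsupported", f"{asset.os} unsupported since {eos.isoformat()}; isolate or replace"
    if asset.pending_since is None:
        return "current", f"no outstanding patches (last patched {asset.last_patched.isoformat()})"
    outstanding = (today - asset.pending_since).days
    sla = PATCH_SLA_DAYS[asset.category]
    ticket = asset.change_ticket or "no change ticket raised"
    if outstanding > sla:
        return "overdue", f"{outstanding} days outstanding, SLA {sla} days, {ticket}"
    return "pending", f"{outstanding} days outstanding, within SLA of {sla} days, {ticket}"


def audit(inventory: List[Asset], today: date) -> Dict[str, List[Tuple[str, str]]]:
    """Group the inventory by status; the returned record is what an auditor reviews."""
    report: Dict[str, List[Tuple[str, str]]] = {
        "unsupported": [], "overdue": [], "pending": [], "current": [],
    }
    for asset in inventory:
        status, reason = assess(asset, today)
        report[status].append((asset.name, reason))
    return report


# Constructed sample inventory; dates chosen around the webinar date (June 2018).
TODAY = date(2018, 6, 5)
INVENTORY = [
    Asset("reg-ws-01", "Windows 10", "workstation", date(2018, 5, 20), None),
    Asset("reg-ws-02", "Windows 10", "workstation", date(2018, 4, 1), date(2018, 5, 8), "CHG-0412"),
    Asset("reg-ws-03", "Windows 10", "workstation", date(2018, 5, 28), date(2018, 5, 29)),
    Asset("ct-scanner-1", "Windows 7", "medical-device", date(2017, 1, 10), date(2017, 3, 14)),
    Asset("infusion-pump-3", "Windows XP", "medical-device", date(2013, 9, 1), date(2014, 1, 1)),
]

if __name__ == "__main__":
    for status, entries in audit(INVENTORY, TODAY).items():
        for name, reason in entries:
            print(f"{status:12} {name:16} {reason}")
```

The "overdue" and "unsupported" buckets are the ones that drive action: an overdue entry without a ticket means the patch never entered change management, and an unsupported entry means the only remediation is network isolation or replacement, which is the situation the FBI report on WannaCry describes for medical devices.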

Page 21

Application Whitelisting

Whitelisting, when implemented correctly, makes it harder for an adversary to compromise an organization's system. Application whitelisting is a technical measure which only allows specifically authorized applications to run on a system. This helps prevent malicious software and unauthorized applications from running.

Source: https://www.asd.gov.au/infosec/mitigationstrategies.htm

21
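The decision logic behind such a control, as an added example in Python (not the presentation's code and not any product's implementation): a default-deny allow list keyed on the SHA-256 of the program bytes, exercised against constructed in-memory stand-ins for executables. Build labels, file names and program bytes are all constructed. What it shows is that an approved build still runs after being renamed, while a tampered or unknown binary carrying a trusted file name is refused, because the name plays no part in the decision.

```python
"""Default-deny application allow-list check.

Added example, not code from the presentation. Only specifically authorised
programs may run; everything else is refused. Identity is the SHA-256 of the
program bytes rather than the file name, so renaming or tampering with a
binary does not change the outcome. Products such as AppLocker or WDAC enforce
this inside the OS; this block shows only the decision logic.
"""
import hashlib
from typing import Dict, List, Tuple


def digest(program: bytes) -> str:
    """A program's identity for allow-listing is the hash of its contents."""
    return hashlib.sha256(program).hexdigest()


def build_allow_list(approved: Dict[str, bytes]) -> Dict[str, str]:
    """Map hash -> label for every approved build, e.g. taken from a golden image."""
    return {digest(data): label for label, data in approved.items()}


def check(name: str, program: bytes, allow_list: Dict[str, str]) -> Tuple[bool, str]:
    """Allow only if the hash is on the list; the file name is reported but never trusted."""
    h = digest(program)
    label = allow_list.get(h)
    if label is not None:
        return True, f"allowed {name}: matches approved build '{label}'"
    return False, f"denied {name}: hash {h[:12]}... not on allow list"


# Constructed sample data: fake program bytes standing in for real executables.
APPROVED_BUILDS = {
    "EHR client 4.2": b"MZ\x90\x00ehr-client-4.2",
    "PDF viewer 11": b"MZ\x90\x00pdf-viewer-11",
}

ALLOW_LIST = build_allow_list(APPROVED_BUILDS)

# Scenarios a whitelisting control has to get right: (description, file name, bytes).
SCENARIOS: List[Tuple[str, str, bytes]] = [
    ("approved build, usual name", "ehr-client.exe", APPROVED_BUILDS["EHR client 4.2"]),
    ("approved build, renamed", "update.exe", APPROVED_BUILDS["PDF viewer 11"]),
    ("tampered build, trusted name", "ehr-client.exe", b"MZ\x90\x00ehr-client-4.2" + b"+extra"),
    ("unknown program", "helper.exe", b"MZ\x90\x00unknown-tool"),
]


def run_scenarios() -> Dict[str, bool]:
    """Return the allow/deny decision for each scenario, keyed by its description."""
    return {desc: check(name, data, ALLOW_LIST)[0] for desc, name, data in SCENARIOS}


if __name__ == "__main__":
    for desc, name, data in SCENARIOS:
        allowed, why = check(name, data, ALLOW_LIST)
        print(f"{desc:30} -> {why}")
```

The operational cost of this model is the one the slide hints at with "when implemented correctly": every approved patch or upgrade changes the hash, so the allow list has to be updated through the same change process as the patch itself, or the newly patched application is what gets blocked.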

Page 22

Restrict Admin Privileges

When an adversary targets a system, they will primarily look for user accounts with administrative privileges. Administrators are targeted because they have a high level of access to the organization's system. If an adversary gains access to a user account with administrative privileges they can access any data the administrator can access – which generally means everything. Minimizing administrative privileges makes it more difficult for the adversary to spread or hide their existence on a system.

Administrative privileges should be tightly controlled. It is important that only staff and contractors that need administrative privileges have them. In these cases, separate accounts with administrative privileges should be created which do not have access to the internet. This reduces the likelihood of malware infecting the administrator as they should not be web browsing or checking emails while using their privileged account.

Source: https://www.asd.gov.au/infosec/mitigationstrategies.htm

22

Page 23

23

Page 24

24

Page 25

25

Page 26

26

Page 27

Medical Devices Status Quo

• Despite cyber threat data and growing awareness, healthcare remains unprepared
  * 72% of healthcare providers have less than 200 beds and inadequate funds or resources
  * 80% of device vendors have less than 50 employees and lack knowledge and experience
• Industry continues to be an “easy” target for cyber attack
• Medical devices are still sold with Windows XP, unsupported since 2014, and with no plans for upgrading from Windows 7
  * Healthcare providers cannot manage medical devices like other technology
• Risks are attempted to be managed through “guidance”, collaboration and hand-crafted custom solutions
• There are currently few incentives or demand to sell secure devices, or consequences for selling poorly secured devices
• Little consistency across vendors or devices in technology, software and security

Source: HIMSS Cybersecurity Forum

27

Page 28

http://orprima.org/images/meeting/092717/pin_171017_001.pdf

28

Page 29

FBI Cyber Division Report

“The ransomware attack highlighted the industry’s challenges to provide timely patching and remediation for medical devices software. For example, in the case of WannaCry, Microsoft released a Windows 7 security patch several months earlier to protect against such an attack, but healthcare providers were victimized because some medical devices operated on other unsupported Windows versions.”

29

Page 30

Report continued…

“…multiple US organizations suffered operational disruption to medical devices which impacted healthcare services - including computed tomography (CT) scanners and injection systems and radiology scan viewing workstations. In some instances, devices had to be removed from the network for remediation while other cases required the transfer of patients to other facilities for continued services, resulting in a delay of care.”

30

Page 31

31

Page 32

32

Page 33

For assistance please contact:

Susan Clarke: [email protected], (307) 248-8179

Please let me know how I can help.

33

Page 34

Questions

34