THE NEW BATTLEGROUND: RANSOMWARE AND OTHER … · segment the network with isfws strategically...

Post on 18-Jul-2020



Session 198, February 22, 2017

THE NEW BATTLEGROUND: RANSOMWARE AND OTHER ADVANCED THREATS

LYNNE A. DUNBRACK: RESEARCH VP, IDC HEALTH INSIGHTS

JOSH KINSLER: SECURITY ENGINEERING MGR, COMMUNITY HEALTH NETWORK

LYNNE A. DUNBRACK

RESEARCH VICE PRESIDENT: IDC Health Insights

SPEAKER INTRODUCTION

JOSH KINSLER

SECURITY ENGINEERING MANAGER: Community Health Network


CONFLICT OF INTEREST

LYNNE A. DUNBRACK JOSH KINSLER

NO REAL or APPARENT CONFLICTS of INTEREST to report.


AGENDA

THE SECURITY IMPERATIVE IN HEALTHCARE

LESSONS LEARNED FROM COMMUNITY HEALTH NETWORK

Q & A

LEARNING OBJECTIVES

RECOGNIZE

TOP THREATS STALKING Healthcare environments, medical devices, virtual infrastructures, and other medical technologies

ASSESS

HOW HACKERS AND CYBER-EXTORTIONISTS are able to rapidly build up automated systems and tools to probe healthcare networks for exploitable vulnerabilities

IDENTIFY

A PRAGMATIC PLAN with technology considerations, mitigation strategies, and impactful counter measures across all attack vectors

REALIZING THE VALUE OF HEALTH IT WITH OUTSIDE-IN AND INSIDE-OUT PROTECTION

Health IT creates five kinds of value of benefit to patients, healthcare providers and communities:

S SATISFACTION

T TREATMENT/CLINICAL

S SAVINGS

E ELECTRONIC SECURE DATA

P PATIENT ENGAGEMENT & POPULATION MANAGEMENT

SECURITY across a highly distributed health system without compromising access to critical information

IMPROVED SECURITY PERFORMANCE and uptime equates to man-hours saved and a reallocation of resources to other IT priorities

RENEWED confidence in the security infrastructure and security awareness training

HEALTHCARE TRENDS WITH SECURITY IMPLICATIONS

Source: Providing Outside In and Inside Out Protection against Ransomware and Other Intensifying Cyberthreats, An IDC Health Insights White Paper sponsored by Fortinet

CYBERSECURITY THREATS INTENSIFY

1000s OF THREATS ON A DAILY BASIS

100s OF THREATS POTENTIALLY DANGEROUS

10 ARE SO SEVERE, THE CISO SHOULD CALL LAW ENFORCEMENT

SHIFT FROM LOST & STOLEN DEVICES TO HACKING AND MALICIOUS IT INCIDENTS

[Chart: individuals affected by reported breaches, 2009-2016, by breach type: Unknown, Unauthorized Access/Disclosure, Theft, Other, Loss, Improper Disposal, Hacking/IT Incident]

112 million individuals affected due to a hacking/IT incident reported in 2015, up from 1.8 million in 2014

744K individuals affected due to loss and theft reported in 2015

84.4% of breached records in 2016 were the result of hacking or IT incidents

Source: U.S. Department of Health and Human Services Office for Civil Rights, https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf

IDC HEALTH: IDC PREDICTION #2

By 2018, there will be a doubling of ransomware attacks on healthcare organizations

IT IMPACT

Already overburdened IT staff further taxed

IT systems held hostage for exorbitant ransom payments

Mission-critical clinical systems are not available

GUIDANCE

Educate users that security is everyone’s responsibility

Design incident response procedures for cyber attacks

Be hyper vigilant about patches and SW updates

INTERNET OF THREATS: EXPANDING ATTACK SURFACES ARE INCREASINGLY BORDERLESS

“HOW DO YOU MAKE THESE DEVICES, THAT YOU DON'T OWN OR CONTROL, SECURE FOR YOUR ENVIRONMENT?”

– Josh Kinsler, Security Engineering Manager, Community Health Network

Source: Providing Outside In and Inside Out Protection against Ransomware and Other Intensifying Cyberthreats, An IDC Health Insights White Paper sponsored by Fortinet

MEDJACKING: EXPLOITING VULNERABLE INTERCONNECTED MEDICAL DEVICE ENDPOINTS

9.6% OF HEALTHCARE ORGANIZATIONS HAVE NETWORKED MEDICAL DEVICES INTEGRATED INTO THEIR ENTERPRISE SECURITY ARCHITECTURE

10.6% HAVE NOT BEGUN!

BREAKING THE KILL CHAIN WITH ADVANCED NETWORK SECURITY LINES OF DEFENSE


PLANNED SECURITY INVESTMENT: 46% OF PROVIDERS WILL INCREASE IT SECURITY SPEND

Source: IDC Health Insights, Healthcare Provider Technology Spend Survey

DATA CENTER SECURITY 45%

MOBILE DEVICE SECURITY 37%

INTRUSION/BREACH DETECTION 34%

PHYSICAL SECURITY 33%

SHADOW IT 33%

IMPROVING SECURITY REQS FOR CLOUD SERVICE PROVIDERS 30%

USER EDUCATION/ANTI-PHISHING STRATEGIES 25%

MU COMPLIANCE 23%

COMPLIANCE/HIPAA 23%

DISASTER RECOVERY 17%

VIRUS AND MALWARE DETECTION 14%

BUSINESS CONTINUITY 13%

DUAL FACTOR AUTHENTICATION 9%

PROTECTION FROM THE OUTSIDE IN: BENEFITS OF ADVANCED THREAT PROTECTION

THREAT INTELLIGENCE FROM MILLIONS OF SENSORS AND THREAT INFORMATION SHARING

PROTECTION AGAINST KNOWN AND UNKNOWN THREATS

SHARED CYBERTHREAT INTELLIGENCE AMONG HEALTHCARE ORGANIZATIONS

PROTECTION FROM THE INSIDE OUT

A New Class of Firewall—Internal Segmentation Firewalls

SEGMENT THE NETWORK WITH ISFWS STRATEGICALLY PLACED IN FRONT OF VALUABLE IT ASSETS

OPERATE AT MULTI-GIGABIT SPEED TO ENSURE OPTIMAL NETWORK PERFORMANCE

PREVENT UNFETTERED ACCESS TO THE NETWORK IF A THREAT GETS THROUGH THE FIRST LINES OF DEFENSE AT THE PERIMETER

COMPLEMENT NEXT GENERATION FIREWALLS AND UNIFIED THREAT MANAGEMENT SECURITY

SECURITY BEST PRACTICES

1: INCLUDE ALL DEVICES AND DEVICE TYPES IN THE CYBERTHREAT ASSESSMENT

2: SEGREGATE MEDICAL DEVICES AND OTHER VALUABLE IT ASSETS

3: DEPLOY A BALANCED COMBINATION OF ADVANCED THREAT PROTECTION TECHNOLOGIES

4: BE HYPER VIGILANT ABOUT INSTALLING SECURITY PATCHES

5: PERFORM AND TEST REGULAR BACKUPS OF KEY SYSTEMS

6: USE SECURITY PRODUCTS BASED ON EXTENSIVE SECURITY INTELLIGENCE

HEALTHCARE HAS CHANGED

TOP 4 ATTACKS: DDoS, RANSOMWARE, MALWARE, PHISHING

90% OF ORGANIZATIONS USE AT LEAST ONE TYPE OF MOBILE DEVICE TO ENGAGE PATIENTS

646 MILLION IoT DEVICES TO BE USED IN HEALTHCARE

80% OF PROVIDER ORGANIZATIONS ADMITTED A RECENT “SIGNIFICANT SECURITY INCIDENT”

HEALTHCARE CLOUD COMPUTING MARKET IS EXPECTED TO REACH $9.5 BILLION

MEDICAL DEVICES

X-RAY and PACS: TARGETED MALWARE

PACEMAKERS, INSULIN PUMPS

NOTORIETY: Hacktivism / Assassination

Medicine Dispensers: High $$$ value on the street

Other Vulnerable Systems: Shared Workstations

IoT DEVICES – Badge readers, Alarm Systems, IP Cameras, Heart Monitors

PAGER SYSTEMS

[Diagram: hospitals, remote clinics, primary and backup data centers, and mobile medical devices connected across the network]

TODAY’S BORDERLESS ATTACK SURFACE… WITH MORE WAYS IN… AND MORE WAYS OUT…

IOT HACKS on the RISE

600M Taiwan

ASUS UDP Command Execution

9 Million Hits (September 2016)

10’s of MILLIONS of IP’s

OUR PHILOSOPHY

AWARENESS: EDUCATE USERS TO REDUCE DANGEROUS BEHAVIOR

EMAIL/Phishing Awareness Campaign/Continuing Education

PREVENTION: BLOCK THREATS BEFORE THEY ENTER OUR NETWORK

NEXT GEN FIREWALL

SANDBOXING

MAIL GATEWAYS

DNS FIREWALLING

DETECTION: DETECT THE THREATS THAT WEREN’T BLOCKED

IDS/SIEM

MACHINE LEARNING

RESPONSE: RESPOND TO THE THREATS WE’VE DETECTED AS QUICKLY AS POSSIBLE

SIEM/IR

Question 1

Which do you feel your company does the best currently?

1. Awareness

2. Prevention

3. Response

4. Detection


How Does Ransomware Get In

USER CLICKS A LINK OR MALVERTISING -> MALICIOUS INFRASTRUCTURE -> MALICIOUS CODE LAUNCHES -> RANSOMWARE PAYLOAD

OR

USER DOWNLOADS MALICIOUS EMAIL ATTACHMENT -> RANSOMWARE PAYLOAD

PHISHING ATTACK: DNS QUERY

[Diagram: END USER, DNS SERVER COMPANY B, FIREWALL, INTERNET, PUBLIC DNS, COMPANY A WEBSITE, MALICE WEBSITE]

The END USER gets an email that has a link in it that looks like it is for COMPANY A WEBSITE, but it is missing a “Y” in the URL, and the end user CLICKS ON THE LINK which does a DNS Query for www.compana.com

PHISHING ATTACK: DNS RESPONSE

DNS RESPONSE to query is 2.2.2.2

OH NO!!! RANSOMWARE

END USER starts a TCP session with MALICE WEBSITE.

YOUR FILES ARE ENCRYPTED!

ONE BAND-AID: DNS SINKHOLE

WHAT IS A DNS SINKHOLE/FIREWALL?

USING STANDARD DNS REQUESTS THAT SHOULD GO TO ONE SITE AND REDIRECTING THEM TO ANOTHER.

DNS SINKHOLE WITH PHISHING ATTACK

[Diagram: END USER, DNS SERVER COMPANY B, FIREWALL, INTERNET, PUBLIC DNS, COMPANY A WEBSITE, MALICE WEBSITE]

DNS QUERY: The END USER gets an email that has a link in it that looks like it is for COMPANY A WEBSITE, but it is missing a “Y” in the URL, and the end user CLICKS ON THE LINK which does a DNS Query for www.compana.com

DNS SINKHOLE RESPONSE: The FIREWALL sees that it is a DNS request for a MALICIOUS WEBSITE and forges a response with the IP that you set up as a non-routable IP, or to your own site, letting the end user know that their PC just tried to visit a MALICIOUS WEBSITE. DNS RESPONSE: 10.10.10.10

DNS SINKHOLE: As the END USER tries to get to the site now it is going to a NON-ROUTABLE IP ADDRESS that doesn’t go off the firewall. You now get logs that the end user is getting SINK-HOLED and can start to investigate why.
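The sinkhole steps above, and the earlier phishing walkthrough in which the link triggers a lookup for www.compana.com, as an added example in Python that is not from the session and not Community Health Network's or any vendor's code: a minimal resolver-side check that parses a DNS query, matches the name against a block list, forges an A answer pointing at the non-routable 10.10.10.10 from the slides, and records a log line with the client address so the investigation can start from the log. The block list contents, the client address 192.0.2.10, the function names and the packet builder are assumptions made for this example; the wire format itself is standard DNS.

```python
"""DNS sinkhole logic, constructed for this example (not the session's code).

Model: a resolver on the firewall receives a DNS query, checks the queried
name against a block list, and for a hit forges an A record pointing at a
non-routable sinkhole address instead of forwarding the query upstream.
Every hit is logged with the client address, which is the pivot for the
investigation the slides describe.
"""
import ipaddress
import struct

# Values from the slides: the typo-squatted name the phishing link resolves
# and the non-routable address the firewall answers with.
SINKHOLE_IP = "10.10.10.10"
BLOCKED_DOMAINS = {"www.compana.com"}  # hypothetical block list, one entry

DNS_HEADER_LEN = 12


def parse_qname(packet, offset=DNS_HEADER_LEN):
    """Decode the uncompressed question name; return (name, offset_after_name).

    The question section of a query carries no compression pointers, so a
    plain label walk is sufficient here.
    """
    labels = []
    while True:
        length = packet[offset]
        offset += 1
        if length == 0:
            break
        labels.append(packet[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), offset


def build_query(name, txid=0x1234):
    """Build a standard recursive A query for name (sample input, constructed)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def forge_sinkhole_response(query, sinkhole_ip, ttl=60):
    """Answer the query with a single A record for sinkhole_ip, keeping its TXID."""
    txid = struct.unpack("!H", query[:2])[0]
    _, end = parse_qname(query)
    question = query[DNS_HEADER_LEN:end + 4]      # name + QTYPE + QCLASS
    # Flags 0x8180: response, recursion desired and available, NOERROR.
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    # 0xC00C is a compression pointer back to the question name at offset 12.
    answer = (b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4)
              + ipaddress.IPv4Address(sinkhole_ip).packed)
    return header + question + answer


def answered_ip(response):
    """Extract the IPv4 address from the single A answer in a forged response."""
    _, end = parse_qname(response)
    # Skip QTYPE/QCLASS (4), then pointer (2) + type (2) + class (2) + ttl (4) + rdlength (2).
    rdata_offset = end + 4 + 12
    return str(ipaddress.IPv4Address(response[rdata_offset:rdata_offset + 4]))


def handle_query(query, client_ip, blocked=BLOCKED_DOMAINS,
                 sinkhole_ip=SINKHOLE_IP, log=None):
    """Sinkhole blocked names; return (response_or_None, sinkholed_flag).

    None means the name is not on the block list and would be forwarded to the
    upstream resolver, which this example does not model. The sinkhole address
    must be non-routable so that the client's follow-up TCP session never
    leaves the firewall, as the slides describe.
    """
    if not ipaddress.ip_address(sinkhole_ip).is_private:
        raise ValueError("sinkhole address must be non-routable")
    name, _ = parse_qname(query)
    if name.lower().rstrip(".") in blocked:
        if log is not None:
            log.append(f"SINKHOLE client={client_ip} qname={name} answer={sinkhole_ip}")
        return forge_sinkhole_response(query, sinkhole_ip), True
    return None, False


if __name__ == "__main__":
    events = []
    resp, hit = handle_query(build_query("www.compana.com"), "192.0.2.10", log=events)
    print(hit, answered_ip(resp), events)
```

The log line carries the client address and the queried name, which is exactly what the investigation needs: the sinkholed address tells you nothing about the host, but the client that asked for a blocked name is the machine to look at.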

Question 2

What causes the biggest risk in your organization?

1. End Users

2. Company Owned Devices

3. Vendor/Partner PC’s and Medical Devices

4. Food Truck sitting in the Parking Lot


WHO HAS HEARD THIS MYTH?

“WE CAN’T CHANGE ANYTHING ON IT BECAUSE IT IS AN FDA APPROVED DEVICE.”

CURRENT NETWORK

[Diagram: External and Internal zones; Data Center with SDN Orchestration and DCFW; Cloud; Branch Office with PoS and IoT; Campus; Mobile; Endpoint; Medical Devices; NGFW and UTM at the edge]

NETWORK SEGMENTATION

[Diagram: the same network with Internal Segmentation firewalls (NGFW/UTM) placed in front of each segment: Data Center, Cloud, Branch Office with PoS and IoT, Campus, Endpoint, Mobile and Medical Devices]

A Summary of How Benefits Were Realized for the Value of Health IT

Health IT creates five kinds of value of benefit to patients, healthcare providers and communities:

S SATISFACTION

T TREATMENT/CLINICAL

S SAVINGS

E ELECTRONIC SECURE DATA

P PATIENT ENGAGEMENT & POPULATION MANAGEMENT

30% INCREASED VIEW/SECURITY ALERTS INTO THE INFRASTRUCTURE

5% FINANCIAL SAVINGS BY REDUCING MAN HOURS FOCUSED ON SECURITY FROM OTHER IT GROUPS

78% END USERS SUCCESSFULLY COMPLETING PHISHING CAMPAIGNS

22% TRUE SECURITY EVENTS COMPARED TO 58% FALSE POSITIVES

QUESTIONS

LYNNE A. DUNBRACK

ldunbrack@idc.com

www.linkedin.com/in/lynne-dunbrack-8002b2

@ldunbrack

JOSH KINSLER

josh@ecommunity.com

www.linkedin.com/in/josh-kinsler-806a874

@secjokin