CHIME Lead Forum - Seattle 2015


Transcript of CHIME Lead Forum - Seattle 2015

A CHIME Leadership Education and Development Forum in collaboration with iHT2

What is Cyber Security and Why is it Crucial to Your Organization?

_______ Key Attributes for Success, Challenges and

Critical Success Factors

Mac McMillan | FHIMSS/CISM | CEO | CynergisTek, Inc. | #LEAD14


Sun Tzu & Cybercrime

“If you know the enemy, and know yourself, then you may not fear the results of a hundred battles. If you know yourself but not the enemy, for every victory gained you will suffer a defeat.”

HIMSS Cyber Security Survey (chart: impact reported by respondents)

• Limited Disruption to Operations: 62%
• Loss of Data/Information: 21%
• Significant Impact on IT Systems: 8%
• Damage to IT Systems: 8%
• Other Impact: 7%


Threat Actors & Their Motivation

Actors:
• Organized Crime
• Hacktivists
• Cyber Thieves
• Malicious Insiders
• Careless Insiders
• Busy Insiders
• State Actors

Motivations:
• Financial Gain
• Intellectual Property
• Extortion
• ID/Med ID Theft
• Espionage
• Embarrassment
• Good Intentions


Accidents, Mistakes & Deliberate Acts

• Phishing/hacking nets nearly $3M from six healthcare entities
• Vendor sells hospital’s X-rays (films) to third party
• Resident loses track of USB with over 500 orthopedic patients’ information
• Portable electronic device with patient data stolen from hospital
• Physician has laptop stolen from vacation home
• 2,200 physicians victims of ID theft/tax fraud
• Printers returned to leasing company compromise thousands of patient records
• Health system reports third stolen laptop with 13,000 patient records
• 400 hospitals’ billings delayed as clearinghouse hit with ransomware
• Children’s hospital hit with a successful DoS for three days by Anonymous, in protest at the treatment and holding of a girl
• Physician robbed at gunpoint, phone and computer taken, thief demands passwords
• International hacking group uses phishing, then steals information on almost 80M people
• Medical devices hacked to compromise hospital networks using MedJack attack
• Seven health systems hit by phishing resulting in major breaches
• New York hospital hacked by pro-ISIS supporters, website defaced with ISIS propaganda
• And, on and on it goes…


The Emergent Threat DefCon/BlackHat 2015

• Medical Devices: Pwnage and Honeypots

• Shall We Play a Game?

• USB Attack to Decrypt WiFi

• WhyMI so Sexy? WMI Attacks & Defense

• I Will Kill You

• Scared Poopless – LTE and “your” Laptop

• Confessions of a Professional Cyber Stalker

• From 0 to Pwnd – Social Engineering

• Jailbreaking & Rooting Devices

• Advanced Infrastructure Hacking

• Advanced Windows Exploitation

• Advanced Web Attacks

Healthcare in the Media

• Hacking healthcare: A Guide to Standards, Workflows and MU

• Hacking Healthcare

• MIT Hacking Medicine

• Hacking Health Care

• Let’s Hack Healthcare

Significant Threats of the Future (survey chart, percent of respondents)

• Brute Force Attacks: 34%
• Denial of Service (DoS): 39%
• Social Engineering Attacks: 49%
• Malicious Insiders: 50%
• Exploit Known Software Vulnerabilities: 53%
• Zero Day Attacks: 53%
• Cyber Attacks: 59%
• APT Attacks: 63%
• Negligent Insiders: 65%
• Phishing Attacks: 69%

Challenges To Data Security

CISO Complexity

Insiders

Vendors

Mobile Devices

mHealth Fraud

ID Theft

Physical Loss/Theft

Cyber Attacks

Regulations

Staffing


Increased Reliance

• More than 98% of all processes are automated, more than 98% of all devices are networkable, more than 95% of all patient information is digitized

• Hyper-connectivity dominates what we do

• IT systems and applications are critical to care delivery and business operations

• Moving to a patient-centric model will only further complicate the enterprise


Insider Abuse: Trust, But Verify

• It is estimated that more than half of all security incidents involve staff.

• 51% of respondents in a SANS study believe the negligent insider is the chief threat.

• 37% believe that security awareness training is ineffective.

• Traditional audit methods and manual auditing are completely inadequate.

• Behavior modeling, pattern analysis and anomaly detection are what is needed.
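What “behavior modeling, pattern analysis and anomaly detection” looks like in practice, as an added example that is not part of the deck or CynergisTek’s tooling: a per-user access-volume baseline with leave-one-out statistics, plus three deterministic rules (cross-unit access, after-hours access, user/patient surname match) run over EHR audit records. The staff directory, the audit-log format, every user, patient, timestamp and the after-hours window are constructed assumptions for illustration; a real deployment would feed it the EHR’s audit export and the HR/scheduling data.

```python
"""Behaviour-based review of EHR chart-access audit records.

Added example, not from the CHIME deck. Directory, log format, users,
patients, times and thresholds are all constructed for illustration."""
import math
from collections import defaultdict
from datetime import datetime, time

# Constructed staff directory (hypothetical): login -> (home unit, surname).
USERS = {
    "jsmith": ("ICU", "Smith"),
    "alee": ("ONC", "Lee"),
}

# Constructed audit records, "timestamp,user,patient_id,patient_unit,patient_surname":
# five ordinary days for jsmith (3 ICU charts each morning), then one evening
# in which jsmith opens 12 oncology charts, plus one record where alee opens
# the chart of a patient who shares her surname.
_BASELINE = [
    f"2015-03-0{d}T09:{10 + i:02d}:00,jsmith,P100{i},ICU,Garcia"
    for d in range(2, 7) for i in range(1, 4)
]
_SUSPECT = [
    f"2015-03-07T23:{m:02d}:00,jsmith,P20{m:02d},ONC,Nguyen" for m in range(1, 13)
]
_RELATIVE = ["2015-03-07T14:05:00,alee,P3001,ONC,Lee"]
AUDIT_LOG = "\n".join(_BASELINE + _SUSPECT + _RELATIVE)

AFTER_HOURS_START = time(20, 0)  # policy assumption: 20:00-06:00 is "after hours"
AFTER_HOURS_END = time(6, 0)


def parse_log(text):
    """Parse the constructed CSV-style audit export into dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, patient, unit, surname = line.split(",")
        records.append({"ts": datetime.fromisoformat(ts), "user": user,
                        "patient": patient, "unit": unit, "surname": surname})
    return records


def volume_anomalies(records, z=2.0, floor=1.0):
    """Flag (user, day) pairs whose chart-access count exceeds mean + z*stdev
    of that user's *other* days (leave-one-out, so the suspect day does not
    inflate its own baseline). stdev is floored so a perfectly flat history
    still tolerates small day-to-day variation instead of flagging everything."""
    per_day = defaultdict(lambda: defaultdict(int))
    for r in records:
        per_day[r["user"]][r["ts"].date()] += 1
    flags = []
    for user, days in per_day.items():
        for day, count in days.items():
            others = [c for d, c in days.items() if d != day]
            if not others:
                continue  # a single day of history is no baseline at all
            mean = sum(others) / len(others)
            var = sum((c - mean) ** 2 for c in others) / len(others)
            threshold = mean + z * max(math.sqrt(var), floor)
            if count > threshold:
                flags.append((user, day.isoformat(), count, round(threshold, 1)))
    return flags


def rule_flags(records, users=USERS):
    """Deterministic rules layered on the statistics: access outside the
    user's home unit, access after hours, and a user/patient surname match
    (a common indicator of staff looking up relatives)."""
    flags = []
    for r in records:
        home_unit, surname = users.get(r["user"], (None, None))
        when = r["ts"].isoformat()
        t = r["ts"].time()
        if home_unit and r["unit"] != home_unit:
            flags.append(("cross_unit", r["user"], when, r["patient"]))
        if t >= AFTER_HOURS_START or t < AFTER_HOURS_END:
            flags.append(("after_hours", r["user"], when, r["patient"]))
        if surname and surname.lower() == r["surname"].lower():
            flags.append(("surname_match", r["user"], when, r["patient"]))
    return flags


def review(text):
    """Run both detectors and summarise per user: the queue an auditor
    would actually work through."""
    records = parse_log(text)
    summary = defaultdict(lambda: defaultdict(int))
    for user, _day, _count, _threshold in volume_anomalies(records):
        summary[user]["volume_anomaly_days"] += 1
    for rule, user, _when, _patient in rule_flags(records):
        summary[user][rule] += 1
    return {u: dict(v) for u, v in summary.items()}


if __name__ == "__main__":
    for user, counts in review(AUDIT_LOG).items():
        print(user, counts)
```

Running it surfaces jsmith’s one anomalous evening (12 charts against a baseline of 3, all outside the home unit and after hours) and alee’s single surname match, while the five ordinary days produce nothing. The leave-one-out baseline matters: computing the mean and standard deviation over all six days would let the outlier raise its own threshold and could hide it.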


Questionable Supply Chains

• Better inventories of vendors with PHI
• Risk-based approach to managing third parties
• Greater due diligence in vetting vendors
• Security requirements in contracting should be SLA based
• Particular attention to cloud, SaaS, infrastructure support, critical service providers
• Life cycle approach to data protection
• Detailed breach and termination provisions


Devices Threaten Safety & Information

• 2010/2011: successful hacks of an insulin pump and an ICD (implantable cardioverter defibrillator)

• In June 2013 DHS tested 300 devices from 40 vendors; ALL failed

• 2014: multiple variants of a popular blood pump hacked

• 2015: the MedJack hacks demonstrate the vulnerability of the network from medical devices

• We are no closer…

“Yes, terrorists could have hacked Dick Cheney’s heart.” -The Washington Post


Malware & Persistent Threats

• 3.4 million botnets active
• 20-40% of recipients in phishing exercises fall for the scam
• 26% of malware delivered via HTML; one in fewer than 300 emails infected
• Malware analyzed was found undetectable by nearly 50% of all anti-virus engines tested
• Microsoft no longer provides patches for Windows XP (since April 2014), Windows Server 2003 (since July 2015), Windows 2000, NT, etc.
• EOL systems still prevalent in healthcare networks
• Hardening, patching, configuration, change management… all critical
• Objective testing and assessment

“FBI alert warns healthcare not prepared”

Chart values from the slide (series label not preserved): 2006: 200K; 2008: 17M; 2013: 73M


Mobility & Data

• Medical staff are turning to their mobile devices to communicate because it’s easier, faster, more efficient…

• Sharing lab or test results, locating another physician for a consult, sharing images of wounds and radiology images, updating attending staff on patient condition, getting direction for treatment, locating a specialist and collaborating with them, transmitting trauma information or images to EDs, prescribing or placing orders

• Priority placed on the data first and the device second

• Restrict physical access where possible, encrypt the rest


ID Theft & Fraud

• Medical identity theft and fraud cost billions each year, affecting everyone

• US-CERT estimates 47% of cybercrime is aimed at healthcare

• Healthcare-directed attacks have increased more than 20% per year for the last three years

• Identity theft comes in all forms and is costly

– Insiders selling information to others

– Hackers exploiting systems

– Malware with directed payloads

– Phishing for the “big” ones


Theft & Losses Thriving

• 68% of healthcare data breaches are due to loss or theft of assets
• 1 in 4 houses is burglarized, a B&E happens every 9 minutes, more than 20,000 laptops are left in airports each year…
• First rule of security: no one is immune
• 138%: the percentage increase in records exposed in 2013
• 6–10%: the average shrinkage rate for mobile devices
• Typical asset inventories are off by 60%

“Unencrypted laptops and mobile devices pose significant risk to the security of patient information.” -Sue McAndrew, OCR
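Two of the deck’s “know yourself” points, that EOL systems remain prevalent in healthcare networks (Malware & Persistent Threats) and that typical asset inventories are off by 60% (this slide), are both measurable with the same data: a CMDB export and a network discovery scan. The following is an added example, not code from the deck or from CynergisTek: it reconciles the two views, quantifies the inventory error rate, and ranks hosts running out-of-support Windows builds by whether the CMDB says they hold PHI. Hostnames, addresses and both inventories are constructed; the end-of-support dates are Microsoft’s published end of extended support for each product, and the scanner’s OS label format is an assumption.

```python
"""Reconcile a CMDB export against a network discovery scan and rank hosts
on end-of-support Windows builds by PHI exposure.

Added example, not from the CHIME deck. Hostnames, addresses and both
inventories are constructed; the EOL dates are Microsoft's published end
of extended support for each product (verify against current lifecycle data)."""
import csv
import io
from datetime import date

# Product label as the (assumed) scanner reports it -> end of extended support.
EOL = {
    "Windows 2000": date(2010, 7, 13),
    "Windows XP": date(2014, 4, 8),
    "Windows Server 2003": date(2015, 7, 14),
}
AS_OF = date(2015, 9, 1)  # reference date for the EOL check (constructed)

# Constructed CMDB export. nurse-ws07 was rebuilt on Windows 7 but never updated here.
CMDB_CSV = """hostname,os,holds_phi
rad-ws01,Windows XP,yes
lab-srv02,Windows Server 2003,yes
nurse-ws07,Windows XP,yes
bill-ws03,Windows 7,no
old-print01,Windows 2000,no
"""

# Constructed discovery scan. Three hosts were never entered in the CMDB at all.
SCAN_CSV = """ip,hostname,os
10.1.4.11,rad-ws01,Windows XP
10.1.4.12,lab-srv02,Windows Server 2003
10.1.4.13,nurse-ws07,Windows 7
10.1.4.20,infusion-gw01,Windows XP
10.1.4.21,mri-console,Windows 2000
10.1.4.22,vendor-kiosk,Windows XP
"""


def load(text):
    """Parse a CSV export into {hostname: row}; hostnames are lower-cased so
    that case differences between tools do not masquerade as new hosts."""
    return {row["hostname"].lower(): row for row in csv.DictReader(io.StringIO(text))}


def reconcile(cmdb, scan):
    """Compare the two views and quantify how far the inventory is off: hosts
    the CMDB lists that were not seen, hosts seen that the CMDB lacks, and
    hosts in both whose recorded OS differs from what is actually running."""
    cmdb_hosts, seen_hosts = set(cmdb), set(scan)
    mismatched = sorted(h for h in cmdb_hosts & seen_hosts if cmdb[h]["os"] != scan[h]["os"])
    not_seen = sorted(cmdb_hosts - seen_hosts)
    unknown = sorted(seen_hosts - cmdb_hosts)
    total = len(cmdb_hosts | seen_hosts)
    return {
        "in_cmdb_not_seen": not_seen,
        "seen_not_in_cmdb": unknown,
        "os_mismatch": mismatched,
        "error_rate": (len(not_seen) + len(unknown) + len(mismatched)) / total,
    }


def eol_hosts(cmdb, scan, as_of):
    """Rank live hosts running an out-of-support OS. The scanner's OS label is
    used because it reflects what is actually running; PHI status comes from
    the CMDB and is 'unknown' for hosts the CMDB never heard of, which is
    itself a finding and ranks ahead of hosts known not to hold PHI."""
    rank = {"yes": 0, "unknown": 1, "no": 2}
    out = []
    for host, row in scan.items():
        end = EOL.get(row["os"])
        if end is None or end > as_of:
            continue
        phi = cmdb[host]["holds_phi"] if host in cmdb else "unknown"
        out.append((host, row["os"], end.isoformat(), phi))
    return sorted(out, key=lambda h: (rank[h[3]], h[2], h[0]))


if __name__ == "__main__":
    cmdb, scan = load(CMDB_CSV), load(SCAN_CSV)
    print(reconcile(cmdb, scan))
    for entry in eol_hosts(cmdb, scan, AS_OF):
        print(*entry)
```

On the constructed data six of the eight hosts in the combined view are wrong in some way (missing, unexpected, or mis-recorded), and three of the five out-of-support machines are ones the CMDB does not know about, which is exactly the gap the slide’s 60% figure is warning about: an EOL report built from the CMDB alone would have missed them.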


Hacking & Other Cyber Criminals

• Defenses are not keeping pace

• Three most common attacks: spear phishing, Trojans & malvertising

• APTs, phishing, watering hole attacks, fraud, etc.

• Most organizations can’t detect or address these threats effectively

• An advanced incident response capability is required

• Results in losses of time, dollars, downtime, reputation, litigation, etc.

• Conduct independent risk assessments regularly

Targeted Attacks (chart, 0–100% scale; values not preserved): organizations suffering a targeted attack; sophistication of attack hardest element to defeat; no increase in budget for defenses

“I feel like I am a targeted class, and I want to know what this institution is doing about it!” -Anonymous Doctor


More Compliance

• OIG shifts focus to funds recovery
• OCR’s permanent audit program will resume in FY 2015 with new capabilities
• Improvements and automation in reporting and handling complaints
• Meaningful Use takes a step backwards with Stage 3
• The FTC, FDA, FCC, HHS and DoJ take a more active role in healthcare privacy and security
• States continue to create new laws
  – Florida Information Protection Act
  – New Jersey Health Insurers Encryption Law

SB1353 seeks to establish a common framework for security and create a universal requirement for notification.

When organizations tell consumers they will protect their personal information, the FTC can and will take enforcement action to ensure they live up to these promises.


CISO Needed…

• HIMSS Cyber Security survey found 52% had a full-time security person

• In a 2014 study healthcare CISOs gave themselves an average maturity rating of 4.35 on a scale of 1-7

• Many report missing critical technologies to fight today’s threats; improving in 2015

• More than half of healthcare entities spend less than 3% of their IT budget on data protection; no improvement

• Focus, alignment, and staffing challenges

• Many healthcare security managers are first-timers

Healthcare finds itself in a contest for security professionals when everyone, both government and private sector, needs them, and the outlook is not positive.

Barriers to Successful Implementation of Data Security (percent of respondents)

Lack of Personnel 64%

Lack of Financial Resources 60%

Too Many Emerging/New Threats 42%

Too Many Endpoints 32%

Not Enough Cyber Threat Intelligence 28%

Too Many Applications 25%

Lack of Tools to Use/Deploy Cyber Threat Intel 20%

Q & A

Mac McMillan [email protected]

(512) 402-8555


@mmcmillan07