Internal use only - U.S. and PwC Member Firm use only
Cybersecurity: How to Handle a Growing Threat in Healthcare
SoCal HIMSS CIO Forum, Dec 8, 2016
With you today
Patrick Hynes
Patrick is a Principal in PwC's Cyber Crime and Breach Response practice. He and his team help clients investigate breaches and system compromise by either external parties (state sponsored, organized crime, etc.) or through insider threat. He also helps clients prepare for breaches by increasing board and executive awareness, evaluating and enhancing detect and respond capabilities, and helping clients assess the current vulnerabilities in their environment that put them at risk for a successful attack. Patrick has helped health care organizations in both identifying threats and weaknesses on their networks caused by clinical devices, as well as led investigations into breaches and cyberattacks at hospitals and insurance companies.
Home office: Los Angeles, CA
The actors and the information they target
Adversary:
• Nation State
• Organized Crime
• Insiders
• Hacktivists
What's most at risk?
• Emerging technologies
• Energy data
• Advanced materials and manufacturing techniques
• Healthcare, pharmaceuticals, and related technologies
• Business deals information
• Health records and other personal data
• Industrial Control Systems (SCADA)
• R&D and / or product design data
• Payment card and related information / financial markets
• Information and communication technology and data
Input from Office of the National Counterintelligence Executive, Report to Congress on the Foreign Economic Collection and Industrial Espionage, 2009-2011, October 2011.
Motives and tactics evolve, and what adversaries target varies depending on the organization and the products and services it provides.
Medical Information Cyber Threat Landscape
Many Health Information Systems are vulnerable to compromise, creating a new set of risks in healthcare. Threat actors are targeting medical information for some of the reasons listed below:
The life cycle of a typical breach
Source: ISACA – Responding to Targeted Cyberattacks
The cost of breaches
Cybersecurity breaches are common and costly
• 18% of breaches cost more than $1 million to remediate
• 85% of large health organizations experienced a data breach in 2014
Customers value Security over Utility!
"When using medical devices or healthcare mobile apps, I most value..."
• ...knowing my health data is secure: 62%
• ...functionality and ease of use: 38%
PwC HRI Consumer Survey 2015
Over the years, health information systems and medical devices have seen dramatic technological advances, transforming how and where information can be accessed...
Governance of networked clinical systems – key questions
(Technology Solutions; Policies and Procedures; Resources, Roles and Responsibilities; Compliance Monitoring)
• Who is in charge of securing networked clinical systems?
• Do we know how many systems we have and where they are?
• Do we know how much PHI / HIPAA-sensitive information is stored on each, and for how long?
• Do we have enough staffing focused on secure management of these systems?
• Do we have a procedure to "harden" new systems before they are put on the network?
• Do we segregate the devices from the rest of the network or limit where they can talk?
• Can we detect if new unmanaged / "rogue" hosts have been placed on the network?
• How are vendors remotely supporting these devices?
• Do we have a way to monitor where these devices are talking and/or whether they are still in compliance with our standards?
Manage / monitor what is on the network
• Network restrictions
- Discover / map: Determine the list of clinical devices
- Group: Place them into one or more groups at the firewall / routers / other network control devices
- Restrict: Block access to the Internet and/or restrict to a strict list of Internet sites (e.g. for patching / software upgrades)
• Network monitoring
- Beaconing: Infected device "phoning home"
- Data Transfer: Large transfers of data to external sites
- Internal connection patterns: Internal workstation connecting to multiple devices from an unusual location or at unusual times
- Participation in DDoS attacks: Your organization may be attacking others!
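The monitoring bullets above say what to look for but not how to compute it from what a firewall or NetFlow collector actually exports. The following script is an added example and is not part of the original presentation or PwC's tooling; it runs the first three checks over a handful of constructed flow records (timestamp, source, destination, port, bytes). The address plan (10.0.0.0/8 as "ours", 10.20.0.0/16 as the clinical segment), the thresholds, and every host in the sample are assumptions for illustration. Beaconing is scored as a low coefficient of variation in the gaps between connections to one external host; a large transfer as total bytes to one external destination over a threshold; an unusual internal pattern as a non-clinical host touching more than a few clinical devices outside business hours.

```python
"""Triage of flow records from a clinical-device segment.

Added example, not from the original presentation. The address plan, thresholds
and the sample flows are constructed for illustration.
"""
import statistics
from collections import defaultdict
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network

# Assumed address plan: everything in 10.0.0.0/8 is ours; clinical devices sit in 10.20.0.0/16.
INTERNAL_NETS = [ip_network("10.0.0.0/8")]
CLINICAL_NET = ip_network("10.20.0.0/16")


def is_external(ip):
    """True when the address is outside every network we own."""
    addr = ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def detect_beaconing(flows, min_conns=6, max_cv=0.15):
    """Flag (src, dst, mean_gap, cv) for external destinations contacted on a near-fixed timer.

    A coefficient of variation (stdev / mean of the gaps) close to zero means the host
    calls out on a schedule, which is what implant check-ins look like.
    """
    times = defaultdict(list)
    for ts, src, dst, _port, _nbytes in flows:
        if is_external(dst):
            times[(src, dst)].append(ts)
    hits = []
    for (src, dst), ts_list in times.items():
        if len(ts_list) < min_conns:
            continue
        ts_list.sort()
        gaps = [b - a for a, b in zip(ts_list, ts_list[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            hits.append((src, dst, round(mean), round(cv, 3)))
    return hits


def detect_large_egress(flows, threshold_bytes=1_000_000_000):
    """Flag (src, dst, total_bytes) where bytes sent to one external destination exceed the threshold."""
    totals = defaultdict(int)
    for _ts, src, dst, _port, nbytes in flows:
        if is_external(dst):
            totals[(src, dst)] += nbytes
    return [(src, dst, total) for (src, dst), total in totals.items() if total >= threshold_bytes]


def detect_fanout(flows, max_devices=5, business_hours=(7, 19)):
    """Flag (src, device_count) for non-clinical internal hosts that touch many clinical devices off-hours."""
    seen = defaultdict(set)
    for ts, src, dst, _port, _nbytes in flows:
        if ip_address(src) in CLINICAL_NET or ip_address(dst) not in CLINICAL_NET:
            continue
        hour = datetime.fromtimestamp(ts, tz=timezone.utc).hour
        if business_hours[0] <= hour < business_hours[1]:
            continue
        seen[src].add(dst)
    return [(src, len(devs)) for src, devs in seen.items() if len(devs) > max_devices]


def triage(flows):
    """Run all three checks and return their hits keyed by check name."""
    return {
        "beaconing": detect_beaconing(flows),
        "large_egress": detect_large_egress(flows),
        "fanout": detect_fanout(flows),
    }


# Constructed sample flows; BASE is 2016-12-08 00:00:00 UTC.
BASE = 1481155200
SAMPLE_FLOWS = (
    # infusion pump calling one external host every 5 minutes with tiny payloads
    [(BASE + 300 * i, "10.20.1.15", "203.0.113.7", 443, 420) for i in range(8)]
    # 2.5 GB pushed from an imaging workstation to an external SSH server
    + [(BASE + 3600, "10.20.1.22", "198.51.100.9", 22, 2_500_000_000)]
    # office workstation sweeping eight clinical devices over SMB at 02:00 UTC
    + [(BASE + 7200 + 30 * i, "10.50.4.8", f"10.20.1.{i}", 445, 1200) for i in range(1, 9)]
    # benign: a modality sending DICOM to the internal PACS during the day
    + [(BASE + 9 * 3600 + 60 * i, "10.20.1.30", "10.10.0.5", 104, 50_000) for i in range(3)]
    # benign: one small fetch from an allowed vendor patch site
    + [(BASE + 36000, "10.20.1.30", "203.0.113.50", 443, 9_000)]
)

if __name__ == "__main__":
    for kind, hits in triage(SAMPLE_FLOWS).items():
        print(kind, hits)
```

The thresholds are starting points to tune against a week of your own baseline, and the beaconing check only works once clinical devices are already restricted to a short allowlist of external sites, since a legitimate update agent also polls on a timer. The DDoS-participation case from the last bullet is the same shape as the egress check but counted in connections per destination rather than bytes; adding that counter is the obvious next step.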
Health Network and Medical Device Cybersecurity Framework
The following diagram outlines the key components of the Health Network Cybersecurity Framework, including roles and responsibilities for management of security risks:
Health Network Security Program: Governance; Network Security; Medical IT Risk Mgmt.; Asset Mgmt.; Device Security; Configuration Mgmt.
1. Medical IoT Governance
- Development of Governance Model with clearly established roles, responsibilities, and FTE
- Information Sharing and Analysis Organization (ISAO)
- Security Strategy, Risk Mgt Policy
- Minimum Security Baseline
2. Network Security
- Network Segmentation and Access Control
- Logging and Monitoring for Malicious Activity
- Forensic Toolkit for Intrusion Analysis
- Secure Remote Access
- Secure Medical IoT Device Network
3. Medical IT Risk Management
- Vendor Risk
- Risk Profiling
- Control Profile Development
- Secure Disposal Processes
- Physical Host Security
- Device Risk Assessment Process
4. Configuration Management
- Patch Management Processes
- Software Version Control Processes
- Change Management Processes
- Logging and Monitoring for configuration changes
5. Host Security
- Host / Data Encryption
- Access Control and Authentication
- Wireless Security Controls
6. Asset Management
- Host Inventory
- Host Attribute Collection
- Asset Management Processes
- Secure Device Procurement
Other Considerations: Crossover of breach into SOX and financial reporting controls (Financial Systems)
Before the breach I wish I ...
People
• ...knew who to call for help
• ...had grabbed senior management's ear more about privacy and security initiatives
• ...had an incident response team that met regularly
• ...had held regular training
• ...had my outside team on retainer (forensic experts, privacy counsel, and communications firm)
• ...had paid closer attention to breaches in the news to observe how the market reacts to different messages
• ...had considered law enforcement assistance
Process
• ...knew what sensitive data I have to protect
• ...knew where my sensitive data was
• ...had gone through tabletop exercises or hypothetical breach scenarios with the team
• ...knew what applications each employee had access to
• ...had considered the privacy implications of our global locations
• ...was more aware of our regulatory reporting obligations
Technology
• ...had network logging enabled with sufficient size allocated
• ...had servers backed up and backups under control
• ...had enforced records management and gotten rid of old data, especially online
• ...had full disk encryption on my laptops
• ...had better security measures (password standards / account management standards)
• ...had DLP in place to monitor the perimeter
• ...had more effectively managed security integration from acquisitions
During the breach I wish I ...
People
• ...had kept the circle of "people in the know" small
• ...had engaged forensic experts, a communications team, and privacy counsel from the start
• ...had informed the executive leadership group / Board sooner
• ...had better project management of the incident response process
• ...had regularly met as an incident response tiger team
• ...had anticipated the myriad threats from inside and out
• ...thought about the impact of/from my third parties
Process
• ...had acted immediately to remediate vulnerabilities
• ...had not reached out to the public too soon
• ...started to quantify broader exposure sooner
• ...had cast the data mining net broader
• ...had better documentation of actions taken
• ...held standing updates with the investigative team
• ...had not communicated preliminary numbers to anyone
• ...had considered the business impact/risk of each new finding as we went
• ...remembered that bad news doesn't get better with age
Technology
• ...had taken live memory dumps before shutting down servers
• ...had insisted on full forensic images of servers and laptops
• ...had imaged more servers and laptops from the start
• ...had pulled network logs immediately and increased log capacity
• ...had pulled oldest available backups from the start
• ...had reset passwords more quickly
• ...had been more careful with evidence handling
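Several of the technology regrets above (memory dumps, full images, evidence handling) come down to one habit: hash every acquired image the moment it is collected, record who collected it and when, and re-verify the set before anyone relies on it. The script below is an added example, not part of the original presentation or any PwC procedure. The case identifier, collector name, file names and the bytes standing in for a memory dump and a disk image are all constructed; a real acquisition would hash the output of the imaging tool the same way.

```python
"""Evidence integrity manifest for acquired images.

Added example, not from the original presentation. Hashes each evidence file at
collection time, records the chain-of-custody fields, and re-verifies later so
that a modified or missing image is caught before it reaches counsel or a regulator.
Case id, collector, file names and contents are constructed for illustration.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk_size=1 << 20):
    """Stream the file through SHA-256 so multi-GB images never have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_manifest(case_id, collector, paths):
    """Record name, size, hash and acquisition time for every evidence file at collection time."""
    items = []
    for path in paths:
        items.append({
            "file": os.path.basename(path),
            "path": os.path.abspath(path),
            "size": os.path.getsize(path),
            "sha256": sha256_file(path),
            "acquired_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        })
    return {"case_id": case_id, "collector": collector, "items": items}


def write_manifest(manifest, path):
    """Persist the manifest as JSON; return its own hash so it can be sealed separately."""
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(manifest, fh, indent=2, sort_keys=True)
    return sha256_file(path)


def verify_manifest(manifest):
    """Return {file: 'ok' | 'modified' | 'missing'} by re-hashing each recorded file."""
    status = {}
    for item in manifest["items"]:
        path = item["path"]
        if not os.path.exists(path):
            status[item["file"]] = "missing"
        elif os.path.getsize(path) != item["size"] or sha256_file(path) != item["sha256"]:
            status[item["file"]] = "modified"
        else:
            status[item["file"]] = "ok"
    return status


def demo():
    """Seal two constructed images, then show what sloppy handling looks like on re-verification."""
    with tempfile.TemporaryDirectory() as workdir:
        mem = os.path.join(workdir, "srv01-memory.raw")
        disk = os.path.join(workdir, "srv01-disk.dd")
        with open(mem, "wb") as fh:    # constructed stand-in for a live memory dump
            fh.write(b"\x00" * 4096 + b"CONSTRUCTED MEMORY SAMPLE")
        with open(disk, "wb") as fh:   # constructed stand-in for a full disk image
            fh.write(b"CONSTRUCTED DISK SAMPLE\n" * 100)

        manifest = build_manifest("IR-2016-001", "analyst-01", [mem, disk])
        write_manifest(manifest, os.path.join(workdir, "manifest.json"))
        before = verify_manifest(manifest)

        # Working on the original instead of a copy, and losing a file, are the failure modes.
        with open(disk, "ab") as fh:
            fh.write(b"x")
        os.remove(mem)
        after = verify_manifest(manifest)
        return before, after


if __name__ == "__main__":
    print(demo())
```

Keep the manifest (and the hash that write_manifest returns) somewhere the investigation team cannot edit in place, and verify again after every hand-off; the size check is cheap and catches the common case of a truncated copy before the full re-hash runs.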
After the breach I wish I ...
People
• ...had used the exposure to the Board to enhance my security program while I had their attention
• ...had used the opportunity to revisit our governance structure: security, legal and risk management relationships
• ...had prepared the employee base with a transparent, consistent message
• ...had used this as an opportunity to roll out privacy training
• ...had engaged my experts under privilege
Process
• ...had not assumed it was over when it seemed so
• ...had used this as an opportunity to build and expand my privacy and security programs
• ...had documented lessons learned / done an aftermath review
• ...had not over-communicated or revised numbers
• ...had anticipated long-term regulatory scrutiny
• ...had used this as an opportunity to build privacy and security risk assessments into new initiatives
• ...had used this experience to build a playbook
Technology
• ...had developed a remediation plan with technology enhancements, security program improvements, data reduction
• ...had tested my remediation actions
• ...had considered global improvements
• ...had preserved investigative evidence more effectively
• ...had changed encryption, external media, USB, email policies
• ...had reconsidered my cloud and third-party technology providers' preparedness
Thank You!
Patrick Hynes, Principal, Cyber Crime & Breach Response. T: +1-213-217-3776. E: [email protected]