Cybersecurity: How to Handle a Growing Threat in...

Internal use only - U.S. and PwC Member Firm use only Cybersecurity: How to Handle a Growing Threat in Healthcare SoCal HIMSS CIO Forum Dec 8, 2016


Cybersecurity: How to Handle a Growing Threat in Healthcare

SoCal HIMSS CIO Forum

Dec 8, 2016


With you today

Patrick Hynes

Patrick is a Principal in PwC’s Cyber Crime and Breach Response practice. He and his team help clients investigate breaches and system compromise by either external parties (state sponsored; organized crime, etc.) or through insider threat. He also helps clients prepare for breaches by increasing board and executive awareness, evaluating and enhancing detect and respond capabilities, and helping clients assess the current vulnerabilities in their environment that put them at risk for a successful attack. Patrick has helped health care organizations in both identifying threats and weaknesses on their networks caused by clinical devices, as well as led investigations into breaches and cyberattacks at hospitals and insurance companies.

Home office: Los Angeles, CA


The actors and the information they target

Adversary

• Nation State

• Organized Crime

• Insiders

• Hacktivists

What’s most at risk?

• Emerging technologies

• Energy data

• Advanced materials and manufacturing techniques

• Healthcare, pharmaceuticals, and related technologies

• Business deals information

• Health records and other personal data

• Industrial Control Systems (SCADA)

• R&D and / or product design data

• Payment card and related information / financial markets

• Information and communication technology and data

Motives and tactics evolve, and what adversaries target varies depending on the organization and the products and services they provide.

Input from Office of the National Counterintelligence Executive, Report to Congress on the Foreign Economic Collection and Industrial Espionage, 2009-2011, October 2011.


Medical Information Cyber Threat Landscape

Many Health Information Systems are vulnerable to compromise, creating a new set of risks in healthcare. Threat actors are targeting medical information for some of the reasons listed below:


The life cycle of a typical breach

Source: ISACA – Responding to Targeted Cyberattacks


The cost of breaches.

Cybersecurity breaches are common and costly

• 18% of breaches cost more than $1 million to remediate

• 85% of large health organizations experienced a data breach in 2014


Customers value Security over Utility!

…knowing my health data is secure

…functionality and ease of use

“When using medical devices or healthcare mobile apps, I most value…”

38% 62%

PwC HRI Consumer Survey 2015


Over the years, health information systems and medical devices have seen dramatic technological advances, transforming how and where information can be accessed…


Governance of networked clinical systems – key questions

Technology Solutions

Policies and Procedures

Resources, Roles and Responsibilities

Compliance Monitoring

• Who is in charge of securing networked clinical systems?

• Do we know how many systems we have and where they are?

• Do we know how much PHI/HIPAA sensitive information is stored on each, and for how long?

• Do we have enough staffing focused on secure management of these systems?

• Do we have a procedure to “harden” new systems before they are put on the network?

• Do we segregate the devices from the rest of the network or limit where they can talk?

• Can we detect if new unmanaged / “rogue” hosts have been placed on the network?

• How are vendors remotely supporting these devices?

• Do we have a way to monitor where these devices are talking and/or if they are still in compliance with our standards?


Manage / monitor what is on the network

• Network restrictions

- Discover / map: Determine list of clinical devices

- Group: Place into one or more groups at firewall / routers / other network control devices

- Restrict: Restrict from accessing Internet and/or restrict to strict list of Internet sites (i.e. for patching / software upgrades)

• Network monitoring

- Beaconing: Infected device “phoning home”

- Data Transfer: Large transfers of data to external sites

- Internal connection patterns: Internal workstation connecting to multiple devices from unusual location or at unusual times

- Participation in DDoS attacks: Your organization may be attacking others!
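
One way to turn the network monitoring items above into checks over flow records, as an added example that is not part of the original slides: it flags evenly spaced external connections (beaconing), large outbound transfers, and an internal host reaching many clinical devices. Host names, addresses, record layout and thresholds are constructed assumptions; the location and time-of-day conditions from the slide are not modeled.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample flows: (epoch_seconds, src, dst, dst_is_external, bytes_out).
# Host names, addresses and thresholds are assumptions for illustration.
CLINICAL = {"pump-01", "pump-02", "mri-01", "pacs-01"}
FLOWS = (
    # pump-01 contacts the same external address every ~300 s (beacon-like).
    [(t, "pump-01", "203.0.113.7", True, 420) for t in (0, 300, 601, 899, 1200, 1501)]
    # mri-01 talks to an external update site at irregular times.
    + [(t, "mri-01", "198.51.100.20", True, 9_000) for t in (50, 400, 2900, 3000, 9000)]
    # pacs-01 sends one very large upload to an external site.
    + [(700, "pacs-01", "192.0.2.55", True, 6_000_000_000)]
    # A workstation touches every clinical device within a few seconds.
    + [(1000 + i, "ws-lobby-3", d, False, 800) for i, d in enumerate(sorted(CLINICAL))]
)

def find_beacons(flows, min_events=5, max_jitter=0.1):
    """Flag (src, dst) pairs whose external connections recur at near-fixed intervals."""
    times = defaultdict(list)
    for ts, src, dst, external, _ in flows:
        if external:
            times[(src, dst)].append(ts)
    hits = []
    for pair, ts_list in times.items():
        ts_list.sort()
        gaps = [b - a for a, b in zip(ts_list, ts_list[1:])]
        if len(gaps) < max(min_events - 1, 1):
            continue
        # Coefficient of variation: a low value means evenly spaced connections.
        if mean(gaps) > 0 and pstdev(gaps) / mean(gaps) <= max_jitter:
            hits.append(pair)
    return sorted(hits)

def find_large_transfers(flows, limit_bytes=1_000_000_000):
    """Flag (src, dst) pairs whose total outbound volume to an external site exceeds the limit."""
    totals = defaultdict(int)
    for _, src, dst, external, sent in flows:
        if external:
            totals[(src, dst)] += sent
    return sorted(pair for pair, total in totals.items() if total > limit_bytes)

def find_fanout(flows, clinical=CLINICAL, min_devices=3):
    """Flag internal non-clinical hosts that connect to many distinct clinical devices."""
    seen = defaultdict(set)
    for _, src, dst, external, _ in flows:
        if not external and dst in clinical and src not in clinical:
            seen[src].add(dst)
    return sorted(src for src, devs in seen.items() if len(devs) >= min_devices)
```
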


Health Network and Medical Device Cybersecurity Framework

The following diagram outlines the key components of the Health Network Cybersecurity Framework, including roles and responsibilities for management of security risks:

Diagram: Health Network Security Program, with components Governance, Network Security, Medical IT-Risk Mgmt., Asset Mgmt., Device Security, Configuration Mgmt.

1. Medical IoT Governance

- Development of Governance Model with clearly established roles, responsibilities, and FTE

- Information Sharing and Analysis Organization (ISAO)

- Security Strategy, Risk Mgt Policy

- Minimum Security Baseline

2. Network Security

- Network Segmentation and Access Control

- Logging and Monitoring for Malicious Activity

- Forensic Toolkit for Intrusion Analysis

- Secure Remote Access

- Secure Medical IoT Device Network

3. Medical IT Risk Management

- Vendor Risk

- Risk Profiling

- Control Profile Development

- Secure Disposal Processes

- Physical Host Security

- Device Risk Assessment Process

4. Configuration Management

- Patch Management Processes

- Software Version Control Processes

- Change Management Processes

- Logging and Monitoring for configuration changes

5. Host Security

- Host / Data Encryption

- Access Control and Authentication

- Wireless Security Controls

6. Asset Management

- Host Inventory

- Host Attribute Collection

- Asset Management

- Secure Device Procurement Processes


Other Considerations: Crossover of breach into SOX and financial reporting controls

Financial Systems


Before the breach I wish I …

People

• ...knew who to call for help

• …had grabbed senior management’s ear more about privacy and security initiatives

• ...had an incident response team that met regularly

• …had held regular training

• ...had my outside team on retainer (forensic experts, privacy counsel, and communications firm)

• ...had paid closer attention to breaches in the news to observe how the market reacts to different messages

• ...had considered law enforcement assistance

Process

• ...knew what sensitive data I have to protect.

• …knew where my sensitive data was

• ...had gone through table top exercises or hypothetical breach scenarios with the team

• ...knew what applications each employee had access to

• ...had considered the privacy implications of our global locations

• …was more aware of our regulatory reporting obligations

Technology

• ...had network logging enabled with sufficient size allocated

• ...had servers backed up and backups under control

• ...had enforced records management and gotten rid of old data – especially online

• ...had full disk encryption on my laptops

• ...had better security measures (password standards / account management standards)

• ...had DLP in place to monitor the perimeter

• ...had more effectively managed security integration from acquisitions


During the breach I wish I …

People

• ...had kept the circle of “people in the know” small

• ...had engaged forensic experts, a Communications team, and privacy counsel from the start

• ...had informed the executive leadership group / Board sooner

• ...had better Project Management of the incident response process

• …had regularly met as an incident response tiger team

• ...had anticipated the myriad threats from inside and out

• …thought about the impact of/from my third parties

Process

• ...had acted immediately to remediate vulnerabilities

• ...had not reached out to the public too soon

• ...started to quantify broader exposure sooner

• ...had cast the data mining net broader

• ...had better documentation of actions taken

• ...held standing updates with the investigative team

• ...had not communicated preliminary numbers to anyone

• ...had considered the business impact/risk of each new finding as we went

• …remembered that bad news doesn’t get better with age

Technology

• ...had taken live memory dumps before shutting down servers

• …had insisted on full forensic images of servers and laptops

• ...had imaged more servers and laptops from the start

• ...had pulled network logs immediately and increased log capacity

• …had pulled oldest available backups from the start

• ...had reset passwords more quickly

• …had been more careful with evidence handling


After the breach I wish I …

People

• ...had used the exposure to the Board to enhance my security program while I had their attention

• …had used the opportunity to revisit our governance structure - security, legal and risk management relationships

• ...had prepared the employee base with a transparent, consistent message

• ...had used this as an opportunity to roll out privacy training

• ...had engaged my experts under privilege

Process

• …had not assumed it was over when it seemed so

• ...had used this as an opportunity to build and expand my privacy and security programs

• ...had documented lessons learned / done an aftermath review

• ...had not over-communicated or revised numbers

• ...had anticipated long term regulatory scrutiny

• ...had used this as an opportunity to build privacy and security risk assessments into new initiatives

• …had used this experience to build a playbook

Technology

• ...had developed a remediation plan with technology enhancements, security program improvements, data reduction

• ...had tested my remediation actions

• ...had considered global improvements

• ...had preserved investigative evidence more effectively

• …had changed encryption, external media, USB, email policies

• …had reconsidered my cloud and third party technology providers’ preparedness


Thank You!

Patrick Hynes

Principal, Cyber Crime & Breach Response

T: +1-213-217-3776

E: [email protected]