Leveraging Internal Partnerships and Resources for Cybersecurity · 2019-11-18 · Cyber threat...
Kristina Freas, MS, RN, EMT-P, CEM, Freas Emergency Management Group
Stephanie Cervantes, CISSP & CIPT, HF Tech Services, Inc.
Leveraging Internal Partnerships and Resources for Cybersecurity
Emergency Management & IT Partnerships
Kristina Freas, MS, RN, EMT-P, CEM
Stephanie Cervantes, CISSP, CIPT
Objectives
• Review: Cyber threat information from DHS to assist with mitigation, planning, response and recovery objectives.
• Discuss: The cultural gap between Emergency Management hospital incident response and IT incident response.
• Explore: Lessons learned and best practices to further prepare for cyber related incidents.
Cyberattacks such as phishing, ransomware and corruption of medical devices are a growing threat to hospitals. To minimize risk, IT security and emergency management teams must work together.
Most hospitals have a mature EM function that is centered on physical risks (earthquakes, fire, HVAC failure, communication failure, etc.); however, compared with physical risks, the consequences of cyberattacks have the potential for overarching ramifications affecting patient and staff safety.
Our challenge is to present strategies to overcome cultural differences and create efficiencies between IT security and Emergency Management disciplines and to highlight resources from the Department of Homeland Security (DHS) for protecting critical infrastructure from cyberattacks.
Cybercrime by the numbers…
• The global cost of cybercrime will reach $2 trillion USD by 2019. [1]
• The average cost of $4 to $7 million USD per data security breach. [2]
• The average cost per stolen record is between $150 to $200 USD. [2]
• Theft of trade secrets/IPR results in $749 billion to $2.2 trillion annually. [3]
• Only 48% of breaches are caused by acts of malicious intent. [3]
Current Threats
1. Stolen Financial Data
◦ 2015, hackers accessed personal information for 80 million customers and employees.
◦ 2017, May – July – Personally Identifiable Information (PII) of 143 million people in the US, UK & Canada was accessed by hackers exploiting unpatched vulnerabilities in the website of one of the three large credit reporting agencies in the US. Credit card information of 209 thousand was also accessed.
2. Insurance Fraud
◦ Patient data like diagnosis codes, billing information, policy numbers, and birth dates is all that is necessary to file fake claims with an insurer, resulting in reimbursement for services never provided.
3. Ransomware
◦ WannaCry
4. Social Engineering
◦ Hackers target companies that publicly display their employees’ contact information. Individuals are then sent phishing emails containing links or attachments that appear to be innocent in nature.
5. MEDJACK
◦ This method will target medical devices that integrate with applications, often through methods that are not highly protected against. This allows backdoors to be created across an enterprise system.
The 5 Most Visible Cyber Attacks on Hospitals (2016). Retrieved from: http://resources.infosecinstitute.com/the-5-most-visible-cyber-attacks-on-hospitals/#gref
Ransomware: What is it?
Current Events
In early May 2017, over 200,000 victims in over 150 nations were affected during widespread attacks involving a strain of ransomware variously dubbed WannaCry, WCry, or WannaCrypt. Prominent among them were numerous healthcare organizations of the UK’s National Health Service or NHS – in a scenario disturbingly similar to those predicted in recent assessments of the enterprise security landscape.
Healthcare Cyber Attacks – Hospital’s Critical Unit and The Cyber Threat (2017). http://www.cyberisk.biz/healthcare-cyber-attacks-hospitals-critical-unit-cyber-threat/
https://www.healthcare-informatics.com/news-item/cybersecurity/hhs-notice-wannacry-malware-continues-impact-us-healthcare-orgs
Lessons Learned
Lessons Learned from the MedStar Health System Outage: An Interview with Craig DeAtley, PA-C
• IT professionals providing the technical expertise were critical in helping corporate and facility staff understand the scope of the problem, but were not necessarily in charge.
• Getting incident command to bring those disciplines together isn’t always easy, but we did that—we have traditionally done that.
• Out of happenstance, foresight, or good luck, this experience reinforced that while IT/Information Systems personnel were not in charge, they had to be at the table.
• Another key takeaway from the event was the need for those at the table to be able to take a highly technical field with its own jargon and make it understandable to everyone else who has a response role.
• The integration and mutual respect are both important; so is trust from senior leadership.
ASPR TRACIE (2016). Lessons Learned for the MedStar Health System Outage: An Interview with Craig DeAtley, PA-C. https://asprtracie.hhs.gov/documents/newsletter/ASPR-TRACIE-Newsletter-The-Exchange-Issue-2.pdf
Lessons Learned
• Disruption of essential safeguards protecting against human error
• Longer processing times
• Paper downtime processes lacking critical patient information and depth to manage patient care for extended periods of time
• Patient treatment/procedure delays
• Reputation and patient confidence issues
Woodrow Cox, J. (2017). MedStar Health turns away patients after likely ransomware attack. https://www.washingtonpost.com/local/medstar-health-turns-away-patients-one-day-after-cyberattack-on-its-computers/2016/03/29/252626ae-f5bc-11e5-a3ce-f06b5ba21f33_story.html?utm_term=.cacf0c33c56f
Framework of Threat
“Healthcare cybersecurity is in critical condition”
To combat this, the task force identified six key imperatives:
o Define and streamline leadership, governance and expectations for healthcare cybersecurity;
o Improve medical device and health IT security and resilience;
o Develop the necessary healthcare workforce capacity to prioritize and ensure cybersecurity awareness and technical capabilities;
o Increase industry readiness with better cybersecurity awareness and education;
o Identify mechanisms to protect research and development efforts and intellectual property from attacks and exposures;
o Improve data sharing of industry threats, risks and mitigation.
U.S. Department of Health and Human Services’ Health Care Industry Cybersecurity Task Force report.
J. Davis (2017) Healthcare IT News
Risk of Cyber Incidents
Health care cybersecurity is a key public health concern that needs immediate and aggressive attention.
• Lacking infrastructure to identify and track threats.
• Many organizations have not crossed the digital divide: they lack the technology resources and expertise to address current and emerging cybersecurity threats.
• Both large and small health care delivery organizations struggle with numerous unsupported legacy systems that cannot easily be replaced (hardware, software and operating systems), with large numbers of vulnerabilities and few modern countermeasures.
U.S. Department of Health and Human Services’ Health Care Industry Cybersecurity Task Force report.
Bridging Interdisciplinary Differences - GAPS
The ability to bridge interdisciplinary differences in representation, categorization and tools.
◦ Recognize the two different communities and priority sets
◦ Seek out common reference points
◦ Joint training to elicit communications
Misalignments
• Lack of understanding priorities
• Priorities are not shared
• Race to restore services without collaboration and/or different priorities
Alignment in Interdisciplinary Teamwork
• Collective Communication
• Integration Readiness
• Collaboration
• Establishing Common Ground
• Negotiation of Differences
• Conflict Management
• Setting priorities
• Interdisciplinary bidirectional reliance
Emergency Management & IT
It is important that the Emergency Manager (continuity planner) and IT personnel work together in a cyber incident because the continuity planner understands the essential functions of their organization and the impact of losing that capability, while IT personnel should understand the technical requirements needed to support the performance of essential functions.
• The continuity planner understands the organization's essential functions and the impact of losing this capability.
• IT personnel, with input from subject matter experts, understand the technical requirements to support performance of essential functions.
Though their roles are different, essential functions cannot be successfully accomplished without the cooperative and collaborative input from both the continuity planner and IT personnel.
(FEMA IS‐534. Exercising Continuity Plans for Cyber Incidents Course)
Cyber Incident Planning Themes
(Diagram labels: IT DR, Hospital Emergency Management, IT Incident Response, IT Security Response, System Emergency Management)
• Establish a multidisciplinary team.
• Threat analysis and threat communication and awareness.
• Establish (internal/external) communication and escalation processes.
• Refine roles and expectations during incident response (decision making authority).
• Train, educate and collaborate during drills and exercises to refine roles, response and recovery procedures.
• Revisit BCP/COOP processes, plans and identified interdependencies.
• Central location for sharing information (local, service area, corporate).
• Define internal and external dependencies (Ex Management, IT DR, IT Incident Management, Legal, HR, BCP, Facilities, Security, Vendors, Insurance Companies).
• Develop succession plans and delegation of authority.
Planning/Response Examples
Large Academic Medical Center:
Department Operations Center provides a Tech/Spec to the HCC.
System Response:
HCC and IT EOC maintain IC’s who communicate in a Unified Command capacity. IT provides a Tech/Spec to the HCC and the business (Hospital) provides a Liaison to IT EOC.
HCC manage incident specifics and report to a regional coordinating command center. The regional command center coordinates with IT.
Small Hospital (CAH):
???
• Incident Commander
• Public Information Officer
• Liaison Officer
• Medical Technical Specialist
• Operations Section Chief
• Planning Section Chief
• Documentation Unit Leader
Hospital Incident Management Team‐White Plains Hospital, TJC Conference Presentation
Computer Security Incident Handling Guide (2012). http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf
DHS Resources
Cyber Resilience Review
1. The CRR is a one‐day, on‐site facilitation and interview of key cyber security personnel.
2. The participants will receive a draft report within 45 calendar days to review and provide feedback on the report results. DHS will subsequently issue a final CRR Report.
3. CRR results are afforded protections under the DHS Protected Critical Infrastructure Information— the results are for organization use and DHS does not share results.
Resources & Incident Reporting
www.IC3.gov
[email protected]
(855) 292-3937
Resources & Information Sharing
National Cybersecurity and Communications Integration Center (NCCIC)
Cyber Information Sharing and Collaboration Program (CISCP)
US-CERT
ICS-CERT
Homeland Security Information Network (HSIN)
InfraGard
National Fusion Center Association
FBI Internet Crime Complaint Center (IC3)
Enhanced Cybersecurity Services (ECS)
Resource Documents
Computer Security Incident Handling Guide
Guidance to Assist Non‐Federal Entities to Share Cyber Threat Indicators and Defensive Measures with Federal Entities under the Cybersecurity Information Sharing Act of 2015
Healthcare Organization and Hospital Discussion Guide for Cybersecurity
Ransomware and HIPAA
Template for Healthcare Cybersecurity Incident Action Plan
Thank you!
Stephanie Cervantes, Director of Technology [email protected]‐201‐7778
Kristina Freas, [email protected]‐333‐0333
References
ASPR TRACIE (2016). Lessons Learned for the MedStar Health System Outage: An Interview with Craig DeAtley, PA-C. https://asprtracie.hhs.gov/documents/newsletter/ASPR-TRACIE-Newsletter-The-Exchange-Issue-2.pdf
California Hospital Association (2017). Cyber Resources. http://www.calhospitalprepare.org/cybersecurity
Computer Security Incident Handling Guide (2012). http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf
Davis, J. (2017). HHS task force says healthcare cybersecurity in 'critical condition’. Healthcare IT News, June 5, 2017. Retrieved from http://www.healthcareitnews.com/news/hhs-task-force-says-healthcare-cybersecurity-critical-condition
FEMA IS-534. Exercising Continuity Plans for Cyber Incidents Course
Healthcare Cyber Attacks – Hospital’s Critical Unit and The Cyber Threat (2017). http://www.cyberisk.biz/healthcare-cyber-attacks-hospitals-critical-unit-cyber-threat/
Klein, Julie Thompson. Communication and Collaboration in Interdisciplinary Research. https://msu.edu/~orourk51/800-Phil/Handouts/Readings/ID/02-Orourke.pdf
Landi, H. (2017). HHS Notice: WannaCry Malware Continues to Impact U.S. Healthcare Orgs. Retrieved from: https://www.healthcare-informatics.com/news-item/cybersecurity/hhs-notice-wannacry-malware-continues-impact-us-healthcare-orgs
The 5 Most Visible Cyber Attacks on Hospitals (2016). Retrieved from: http://resources.infosecinstitute.com/the-5-most-visible-cyber-attacks-on-hospitals/#gref
U.S. Department of Health and Human Services’ Health Care Industry Cybersecurity Task Force report (2017). Retrieved from https://www.phe.gov/Preparedness/planning/CyberTF/Documents/report2017.pdf
Woodrow Cox, J. (2017). MedStar Health turns away patients after likely ransomware attack. https://www.washingtonpost.com/local/medstar-health-turns-away-patients-one-day-after-cyberattack-on-its-computers/2016/03/29/252626ae-f5bc-11e5-a3ce-f06b5ba21f33_story.html?utm_term=.cacf0c33c56f