Protect, Protect, Protect… Now SHARE
John D. Halamka MD, Chief Information Officer

Transcript of the slides.

Page 1:

Protect, Protect, Protect… Now SHARE

John D. Halamka MD, Chief Information Officer

Page 2:

The State of the Internet

• Studies indicate 48% of internet systems are infected now (worldwide)

• Escalation of malware quality and quantity began in March-April of 2011 (organized crime now runs internet identity theft as a business)

• A new virus is released every 30 seconds, there is a 400% increase in Android device hacking, and 150,000 malware variants are found on the internet at any moment (80% are on legitimate websites)

• Risk exists on all Windows, Mac OS X, and Linux platforms (alas, there is no silver bullet)

Page 3:

The State of the Internet

• Commercialization of rootkits

• Fast-flux re-packaging

• Signature solutions becoming less effective

• Angry Birds

• Steganography on the rise

• Content cloaking on Google and Facebook

• Adobe and Java vulnerabilities

Page 4:

The State of BIDMC

• 14,501 total devices on the network

• 3,353 research, departmental and personal devices are not managed by IT (these are the most often infected)

• 11,566 BIDMC user accounts

• 589 Needham user accounts

• 212 websites or applications with remote access

Page 5:

The Risk

• Every day users download malware and we eliminate it via early detection, remote access to the device or a visit to the device

• We have much more sophisticated monitoring systems than most hospitals so we can see what is happening

• We have hired numerous industry specialists from McAfee, RSA and Verizon to study our environment

• Although they have made a few technology suggestions, the major need is policy improvement

Page 6:

The Risk - Home Computers

Drop Server: 200.63.44.172

Finding Type: Corporate Credentials

Description: An authorized user accessed one of the organization's resources, BIDMC Portal, from an infected machine (a screenshot is attached). The Trojan horse captured the credentials.

URL: https://portal.bidmc.org/login.aspx?item=/default&user=extranet\Anonymous&site=website&url=/default.aspx

IP Address: 24.63.18.108

Timestamp: Wed, 17 Aug 2011 01:06:01 GMT

Raw text:

"1856";"TOSHIBA-PC_775A658D6522DF69";"-- default --";"33556489";"https://portal.bidmc.org/login.aspx?item=/default&user=extranet\Anonymous&site=website&url=/default.aspx";"";"1313543161";"188203365";"-14400";"#6;#0;?#29; #0;";"1033";"C:\Program Files (x86)\Internet Explorer\iexplore.exe";"Toshiba-PC\Toshiba";"12";"https://portal.bidmc.org/login.aspx?item=/default&user=extranet\Anonymous&site=website&url=/default.aspx
Referer: https://portal.bidmc.org/login.aspx?item=/default&user=extranet\Anonymous&site=website&url=/default.aspx
User input: lxxxxxaKxxxxx3
POST data: __EVENTVALIDATION=/wEWBALh8vWcAgKvpuq2CALyveCRDwL jNCfD1D ONbAiUFgkw75ofRC13PVI8NZ
username=sxxxxxa
password=Kxxxxx13
LoginButton.x=0
LoginButton.y=0";"24.63.18.108";"US";"1313543148"
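The drop-server record above is what a credential-theft finding looks like when it arrives; the work is turning it into a reset list, a host to quarantine and an egress block, and then correlating it against the portal's own logs to find every account that authenticated from the infected machine (the "more extensive use of logs" item on the mitigation slide). The Python below is an added example, not BIDMC's or a vendor's tooling: the 18-field layout is read off the single record on the slide and is an assumption, the sample record and portal log lines are constructed with masked values, and the 72-hour correlation window and the log format are illustrative choices.

```python
import csv
import io
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs

# Constructed sample in the same shape as the slide's record: 18 double-quoted,
# semicolon-separated fields, with the capture blob (URL, Referer, User input,
# POST data) on separate lines inside field 15.  Credentials are masked as on
# the slide; the field layout is an assumption read off that one record.
SAMPLE_RECORD = (
    '"1856";"TOSHIBA-PC_775A658D6522DF69";"-- default --";"33556489";'
    '"https://portal.bidmc.org/login.aspx?item=/default";"";"1313543161";'
    '"188203365";"-14400";"#6;#0;?#29; #0;";"1033";'
    '"C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe";'
    '"Toshiba-PC\\Toshiba";"12";'
    '"https://portal.bidmc.org/login.aspx?item=/default\n'
    'Referer: https://portal.bidmc.org/login.aspx?item=/default\n'
    'User input: sxxxxxa Kxxxxx13\n'
    'POST data: __EVENTVALIDATION=AAAA&username=sxxxxxa&password=Kxxxxx13'
    '&LoginButton.x=0&LoginButton.y=0";"24.63.18.108";"US";"1313543148"'
)

# Constructed portal access log: "<UTC time> <client ip> <event> user=<name>".
SAMPLE_LOG = """\
2011-08-16T23:40:12Z 24.63.18.108 LOGIN_OK user=sxxxxxa
2011-08-17T01:06:01Z 24.63.18.108 LOGIN_OK user=sxxxxxa
2011-08-17T01:09:45Z 24.63.18.108 LOGIN_OK user=jdoe
2011-08-17T03:15:00Z 10.20.30.40 LOGIN_OK user=rsmith
2011-08-18T14:00:00Z 24.63.18.108 LOGIN_FAIL user=sxxxxxa
""".splitlines()


def parse_record(line: str) -> dict:
    """Split one drop-server record into the fields an IR analyst acts on."""
    fields = next(csv.reader(io.StringIO(line), delimiter=";", quotechar='"'))
    if len(fields) != 18:
        raise ValueError(f"expected 18 fields, got {len(fields)}")
    blob = {}
    for part in fields[14].split("\n")[1:]:        # first line repeats the URL
        key, _, value = part.partition(": ")
        blob[key] = value
    form = parse_qs(blob.get("POST data", ""))
    return {
        "victim_host": fields[1],
        "target_url": fields[4],
        "captured_at": datetime.fromtimestamp(int(fields[6]), tz=timezone.utc),
        "utc_offset_hours": int(fields[8]) / 3600,  # -14400 s = US Eastern DST
        "process": fields[11],
        "local_user": fields[12],
        "referer": blob.get("Referer"),
        "victim_ip": fields[15],
        "country": fields[16],
        "username": form.get("username", [None])[0],
        "password_captured": "password" in form,    # never keep the value itself
    }


def logins_from_ip(log_lines, ip, around, window=timedelta(hours=72)):
    """Successful portal logins from the infected address near the capture time.
    Every account that authenticated from that machine is presumed stolen."""
    hits = []
    for line in log_lines:
        ts, src, event, user = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        if src == ip and event == "LOGIN_OK" and abs(when - around) <= window:
            hits.append((when, user.split("=", 1)[1]))
    return hits


def triage(record_line, log_lines, drop_server_ip):
    """Turn a finding into concrete actions: accounts to reset, host to
    quarantine, drop server to block at the egress firewall."""
    rec = parse_record(record_line)
    accounts = {rec["username"]} if rec["username"] else set()
    accounts |= {u for _, u in logins_from_ip(log_lines, rec["victim_ip"], rec["captured_at"])}
    return {
        "reset_accounts": sorted(accounts),
        "quarantine_host": rec["victim_host"],
        "egress_block": drop_server_ip,
        "captured_at": rec["captured_at"].isoformat(),
        "stolen_by": f'{rec["process"]} running as {rec["local_user"]}',
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_RECORD, SAMPLE_LOG, "200.63.44.172").items():
        print(f"{key:16} {value}")
```

Two details matter in practice: the capture epoch in field 7 decodes to exactly the GMT timestamp in the finding, so the record's own clock can be trusted for correlation, and the password is only recorded as present, never copied into the ticket. The window is applied on both sides of the capture because the machine was infected before the screenshot was taken.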

Page 7:

Mitigation: Surveillance and Detection

• Scheduled vulnerability scans of managed devices using Nexpose

• Augment internal capability with Dell SecureWorks hosted services

• More extensive use of logs to identify and correlate suspicious behavior

Mitigation: Containment and Cleaning

• Locking down outbound connections from servers, i.e. “white listing” permitted destinations

• More aggressive anti-virus update cycle: signatures applied as released rather than at a fixed time of day

• More frequent full scans: 3x daily rather than 2x weekly

• Higher sensitivity settings on scans

Page 8:

Mitigation: Prevention

• Increase Internet content filtering restrictions

• Reduce/eliminate local administrative rights on workstations and laptops

• Introduce McAfee SiteAdvisor to alert users to web site reputation

• Stepped-up use of Intrusion Prevention blocks on web activity

• More aggressive updates of Java, Adobe and other high-risk apps

• Two-factor authentication for remote users

• Isolate FDA-regulated devices

Page 9:

Mitigation: Metrics and Controls

• Baseline “risk” level of each subnet, derived from:

  • Past incidence of malware

  • Extent of local administrative rights

  • Content filtering rules

  • Average Nexpose score

  • Incidence of devices with out-of-date anti-virus files
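The slide lists the indicators but not how they combine into a per-subnet baseline. The Python below is an added example of one way to do it, not BIDMC's scoring: it groups a device inventory by subnet, computes each indicator as a rate over that subnet, normalizes the Nexpose score to 0-1, and folds them into a 0-100 composite with explicit weights. The inventory rows, subnets, content-filter strictness values and the weights are all constructed assumptions; the indicators themselves are the ones on the slide. Devices that fall outside any baselined subnet are reported rather than silently dropped, since an unknown subnet is itself a finding.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import mean

# Constructed inventory, one row per device.  The indicators are the ones on the
# slide; the values, subnets and weights are assumptions for illustration.
SUBNETS = [ip_network(n) for n in ("10.1.0.0/24", "10.2.0.0/24", "10.3.0.0/24")]
# Content-filtering strictness on each subnet: 0 = permissive, 1 = strict.
FILTER_STRICTNESS = {"10.1.0.0/24": 0.8, "10.2.0.0/24": 0.3, "10.3.0.0/24": 1.0}
INVENTORY = [
    # ip, managed by IT, local admin, AV definitions age (days), Nexpose risk 0-10, malware incidents (90 d)
    ("10.1.0.5", True, False, 1, 3.0, 0),
    ("10.1.0.6", True, False, 2, 4.0, 0),
    ("10.1.0.7", True, True, 1, 5.0, 1),
    ("10.2.0.10", False, True, 30, 8.0, 2),
    ("10.2.0.11", False, True, 45, 9.0, 1),
    ("10.2.0.12", True, False, 3, 6.0, 0),
    ("10.3.0.20", True, False, 1, 2.0, 0),
    ("10.3.0.21", True, False, 1, 2.0, 0),
    ("192.168.5.5", False, True, 90, 9.5, 3),   # not in any baselined subnet
]
WEIGHTS = {"malware": 0.30, "local_admin": 0.20, "av_stale": 0.15,
           "nexpose": 0.15, "unmanaged": 0.10, "filter_gap": 0.10}


def subnet_of(ip, subnets=SUBNETS):
    addr = ip_address(ip)
    return next((n for n in subnets if addr in n), None)


def baseline(inventory, subnets=SUBNETS, filter_strictness=FILTER_STRICTNESS, av_stale_days=7):
    """Per-subnet indicator rates plus a weighted 0-100 composite score.
    Returns (scores_by_subnet, ips_outside_any_subnet)."""
    groups, unassigned = defaultdict(list), []
    for row in inventory:
        net = subnet_of(row[0], subnets)
        (groups[str(net)] if net else unassigned).append(row)
    result = {}
    for net, devs in groups.items():
        n = len(devs)
        m = {
            "devices": n,
            "malware_per_device": sum(d[5] for d in devs) / n,
            "local_admin_pct": sum(d[2] for d in devs) / n,
            "av_stale_pct": sum(d[3] > av_stale_days for d in devs) / n,
            "nexpose_avg": mean(d[4] for d in devs),
            "unmanaged_pct": sum(not d[1] for d in devs) / n,
            "filter_gap": 1.0 - filter_strictness.get(net, 0.0),  # unknown = permissive
        }
        score = (WEIGHTS["malware"] * min(m["malware_per_device"], 1.0)  # cap: 1+ incident/device is "bad"
                 + WEIGHTS["local_admin"] * m["local_admin_pct"]
                 + WEIGHTS["av_stale"] * m["av_stale_pct"]
                 + WEIGHTS["nexpose"] * m["nexpose_avg"] / 10
                 + WEIGHTS["unmanaged"] * m["unmanaged_pct"]
                 + WEIGHTS["filter_gap"] * m["filter_gap"])
        m["score"] = round(100 * score, 1)
        result[net] = m
    return result, [r[0] for r in unassigned]


def ranked(scores):
    """Subnets from riskiest to least risky, for prioritizing the controls above."""
    return sorted(scores, key=lambda net: scores[net]["score"], reverse=True)


if __name__ == "__main__":
    scores, outside = baseline(INVENTORY)
    for net in ranked(scores):
        print(f"{net:14} score={scores[net]['score']:5.1f} devices={scores[net]['devices']}")
    print("outside baselined subnets:", outside)
```

The point of keeping the weights in one dictionary is that the baseline is only useful if it is re-run unchanged after each control is rolled out; the delta per subnet, not the absolute number, is what tells you whether removing local admin or tightening the filter moved anything.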

Page 10:

Data Loss Prevention (DLP) Pilot

• Determine impact of controls

• Tune as needed

• Apply across the enterprise only after Ops review of data and additional policymaking

• Observe and adjust on a continuing basis

Page 11:

My Breaches in 2012

• The Stolen Laptop

• The Infected Radiology Workstation

Page 12:

A 20 Step Program (the SANS 20 Critical Security Controls)

1. Inventory of Authorized and Unauthorized Devices

2. Inventory of Authorized and Unauthorized Software

3. Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers

4. Secure Configurations for Network Devices such as Firewalls, Routers, and Switches

5. Boundary Defense

6. Maintenance, Monitoring, and Analysis of Security Audit Logs

7. Application Software Security

8. Controlled Use of Administrative Privileges

9. Controlled Access Based on Need to Know

10. Continuous Vulnerability Assessment and Remediation

Page 13:

A 20 Step Program (continued)

11. Account Monitoring and Control

12. Malware Defenses

13. Limitation and Control of Network Ports, Protocols, and Services

14. Wireless Device Control

15. Data Loss Prevention

16. Secure Network Engineering

17. Penetration Tests

18. Incident Response Capability

19. Data Recovery Capability

20. Security Skills Assessment and Appropriate Training to Fill Gaps

Page 14:

Creating a Secure Regional HIE

HIE Services

“Lookup” services:

• Provider directory: repository of physician names, entities, affiliations, and security credentials

• Certificate repository: repository of security certificates for authorized users of HIE services

“Message-handling” services:

• DIRECT gateway: adaptor that transforms messages from one standard to another without decrypting the message

• Web portal mailbox: secure, encrypted mailbox for users without a standards-compliant EHR
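The security-relevant property of the DIRECT gateway is the one stated above: it moves a message between transports (the SMTP/S-MIME and XDR/SOAP integration options listed on the Phase 1 infrastructure slide) without ever decrypting it, so a compromised gateway yields ciphertext, not patient records. The Python below is an added sketch of that re-enveloping, not MA HIway or Orion Health code: the SOAP envelope and the gw namespace are a simplified stand-in for the real IHE XDR/ebXML metadata, the CMS blob is a constructed placeholder rather than real S/MIME ciphertext, and a production gateway would also verify the sender's signature against the certificate repository before forwarding, which this sketch leaves out. It does keep the check a practitioner would insist on: a message that arrives unencrypted is refused rather than forwarded.

```python
import base64
import email
import email.utils
from email import policy
from email.message import EmailMessage
import xml.etree.ElementTree as ET

SOAP_NS = "http://www.w3.org/2003/05/soap-envelope"
GW_NS = "urn:example:direct-gateway"   # assumption: stand-in for real XDR/ebXML metadata
ET.register_namespace("soap", SOAP_NS)
ET.register_namespace("gw", GW_NS)

# Constructed placeholder for a CMS EnvelopedData blob (not real ciphertext).
FAKE_CMS = b"\x30\x82\x01\x00" + bytes(range(256))


def make_direct_message(sender: str, recipient: str, ciphertext: bytes) -> bytes:
    """What a Direct-capable EHR hands to the gateway over SMTP: an RFC 5322
    message whose only part is the S/MIME enveloped-data blob."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Message-ID"] = email.utils.make_msgid(domain=sender.split("@")[1])
    msg.set_content(ciphertext, maintype="application", subtype="pkcs7-mime",
                    params={"smime-type": "enveloped-data", "name": "smime.p7m"},
                    filename="smime.p7m", cte="base64")
    return msg.as_bytes()


def make_plaintext_message(sender: str, recipient: str, text: str) -> bytes:
    """A message that was never S/MIME-protected; the gateway must not forward it."""
    msg = EmailMessage()
    msg["From"], msg["To"] = sender, recipient
    msg.set_content(text)
    return msg.as_bytes()


def smtp_to_xdr(raw: bytes) -> str:
    """Re-envelope SMTP -> SOAP.  The gateway reads only the outer headers and
    copies the ciphertext verbatim; it holds no recipient key and needs none."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    if msg.get_content_type() != "application/pkcs7-mime":
        raise ValueError("refusing to forward: payload is not S/MIME protected")
    ciphertext = msg.get_payload(decode=True)          # undo transfer encoding only
    env = ET.Element(f"{{{SOAP_NS}}}Envelope")
    hdr = ET.SubElement(env, f"{{{SOAP_NS}}}Header")
    for field in ("From", "To", "Message-ID"):
        ET.SubElement(hdr, f"{{{GW_NS}}}{field}").text = str(msg[field])
    body = ET.SubElement(env, f"{{{SOAP_NS}}}Body")
    doc = ET.SubElement(body, f"{{{GW_NS}}}Document",
                        mimeType=msg.get_content_type(),
                        smimeType=msg.get_param("smime-type"))
    doc.text = base64.b64encode(ciphertext).decode("ascii")
    return ET.tostring(env, encoding="unicode")


def xdr_to_smtp(soap_xml: str) -> bytes:
    """The reverse direction, for a recipient that only speaks SMTP/S-MIME."""
    env = ET.fromstring(soap_xml)
    doc = env.find(f".//{{{GW_NS}}}Document")
    if doc is None or doc.get("mimeType") != "application/pkcs7-mime":
        raise ValueError("refusing to forward: no S/MIME document in envelope")
    msg = EmailMessage()
    for field in ("From", "To", "Message-ID"):
        msg[field] = env.findtext(f".//{{{GW_NS}}}{field}")
    msg.set_content(base64.b64decode(doc.text), maintype="application", subtype="pkcs7-mime",
                    params={"smime-type": doc.get("smimeType"), "name": "smime.p7m"},
                    filename="smime.p7m", cte="base64")
    return msg.as_bytes()


def ciphertext_of(raw: bytes) -> bytes:
    """What the recipient's EHR would actually decrypt; used to check the round trip."""
    return email.message_from_bytes(raw, policy=policy.default).get_payload(decode=True)


def gateway_accepts(raw: bytes) -> bool:
    try:
        smtp_to_xdr(raw)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    raw = make_direct_message("dr@direct.example.org", "clinic@direct.example.net", FAKE_CMS)
    soap = smtp_to_xdr(raw)
    assert ciphertext_of(xdr_to_smtp(soap)) == FAKE_CMS
    print(soap[:160], "...")
```

Nothing in either direction touches the payload beyond base64 transfer encoding, which is why the round trip returns byte-identical ciphertext. The corollary for the web portal mailbox is the opposite: that component terminates the encryption for users without an EHR, so it, not the gateway, is where PHI is exposed in the clear and where the stronger access controls belong.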

Page 15:

3 ways to connect to MA HIway

HIE services: provider directory, certificate repository, DIRECT gateway, web portal mailbox

User types: physician practice, hospital, long-term care, other providers, public health, health plans, labs and imaging centers

3 methods of accessing HIE services:

• EHR connects directly

• EHR connects through LAND

• Browser access to webmail inbox

Page 16:

Golden Spike Transactions

MA HIway production exchanges transacted on October 16, 2012

Use Case | From | To | Content
Eastern Hospital to Western Hospital | Massachusetts General Hospital | Baystate Medical Center | Governor Patrick medical record (CCD)
ACO to ACO | Beth Israel Deaconess Medical Center | Massachusetts General Hospital | Patient summary record (CCD)
Hospital to Practice | Children's Hospital | Atrius Health | Patient summary record (CCD)
Suburban Hospital to Academic Medical Center (bi-directional) | MetroWest (Vanguard) | Tufts Medical Center | Patient summary record (CCD)
ACO to Quality Data Warehouse | Beth Israel Deaconess Physician Organization | Massachusetts eHealth Collaborative | Encounter summary (CCD)
Hospital to Referring PCP | Beth Israel Deaconess Medical Center | Dr. Ayobami Ojutalayo (Lawrence) | Patient summary record (CCD)
ACO to Health Plan | Beth Israel Deaconess Medical Center | Network Health Plan | Patient summary record (CCD)

Participating vendors: Orion Health, Meditech, Cerner, eClinicalWorks, LMR (Partners), webOMR (BID), Epic, Siemens

Page 17:

Phase 1 infrastructure

• Release 1 (October 16, 2012)
  – Direct Gateway with 4 integration options: SMTP/S-MIME, XDR/SOAP, LAND appliance
  – Provider directory v1
  – AIMS/Public key infrastructure v1

• Release 2 (December 17, 2012)
  – Participant enrollment portal (November, 2012)
  – Webmail (November, 2012)
  – HL7 Gateway (syndromic surveillance, ELR, CBHI)
  – IMPACT (SEE, web-based CDA editor for long-term care facilities)
  – Provider directory v2
  – AIMS/Public key infrastructure v2

• Vendor-hosted cloud supports both HIE and HIX/IES
  – Orion Health prime contractor
  – Unlimited license for Oracle software for all 3 phases of HIE and HIX/IES
  – Enterprise license for Orion Rhapsody Integration Engine
  – Leveraging existing IBM Initiate licenses

Page 18:

Updated plan

[Figure: original high-level plan from 12/11/2011 beside the updated plan as of 10/23/2012]

Page 19:

Questions?

• http://geekdoctor.blogspot.com