Page 1: 2015 Atlanta CHIME Lead Forum

A CHIME Leadership Education and Development Forum in collaboration with iHT2

In the Cyber Trenches

● Rusty Yeager, SVP and CIO, HealthSouth Corporation ●

#LEAD15

Page 2: 2015 Atlanta CHIME Lead Forum

Inpatient Rehabilitation

Sept. 30, 2015 Portfolio as of... Oct. 1, 2015

109 Inpatient Rehabilitation Hospitals 120

33 Number of IRFs operated as JVs with acute care partners 33

7,422 Licensed Beds 8,324

29 Number of States (plus Puerto Rico) 29

HealthSouth - Post Reliant and CareSouth

Encompass Home Health and Hospice

Sept. 30, 2015 Portfolio as of... Nov. 1, 2015

134 Home Health Locations 179

7 Pediatric Home Health Locations 7

23 Hospice Locations 23

18 Number of States 23

Page 3: 2015 Atlanta CHIME Lead Forum

The Game has Changed

Don’t Fight the Last War!

Page 4: 2015 Atlanta CHIME Lead Forum

Key Observations

• Threat actors continue to evolve and innovate at a rapid pace, which increases their ability to penetrate and compromise systems and to avoid detection

• Healthcare information is more valuable to thieves than credit card numbers or other Personally Identifiable Information

• The game has changed and the Human (user/administrator) has become the main target

Page 5: 2015 Atlanta CHIME Lead Forum

The Evolving War… now it’s personal!

• The Warriors

– Hacktivists

– Sovereign cyber-warriors

– Organized crime

• The Weapons

– Spear-Phishing

– Malvertising

45% of respondents say that their organizations suffered a targeted attack in the last year.

54% of respondents say that their biggest challenge to thwarting these attacks is the increased sophistication of threats.

95% of directed attacks were accomplished using the Spear Phish. A well-crafted and personally/professionally relevant email is sent to a targeted user(s), prompting them to open an attachment or click a link within the message. Inevitably, they take the bait, at which point malware installs on the system, a backdoor or command channel opens, and the attacker begins a chain of actions moving toward their objective.

Winter 2013 survey by Information Security Media Group of 200 CISOs, CIOs, Directors of IT and other senior leaders who work primarily in the financial services industry.

2014 Data Breach Investigations Report: Verizon

Page 6: 2015 Atlanta CHIME Lead Forum

How Does it Go Down?

• Reconnaissance or Intelligence Gathering

– Publicly available information about business processes and employees

– Vendors and business partners are often used as well

• Perimeter Service Enumeration

– Publicly available services in the DMZ

– Cloud based services

– Business Partners

• Persistence

– Attackers will implement a persistent foothold into the network. This can include multiple persistent services in the network, or having access to multiple credentials that allow them access into the network.

• Privilege Escalation and internal service enumeration

– Attackers will often attempt to gain administrative access to the target's network.

– This is not always necessary if their current access provides access to sensitive data or infrastructure

• Exfiltration

– Attackers will attempt to exfiltrate sensitive data or information from the target's network.

– Access to email and cloud services is often used. 7-zip is also very common, as attackers reduce the size and split data into undetectable blocks of data.

Page 7: 2015 Atlanta CHIME Lead Forum

“Governance To-Dos”

• Process Review

– Pick a Framework

• Technical Review

– “No-Holds barred”

• Environmental Assessment

Page 8: 2015 Atlanta CHIME Lead Forum

“Cultural To-Dos”

• Leadership is Key… From the top

• Security is everyone’s problem

• Show Don’t Tell

• Continued Messaging

• Think like an attacker

Page 9: 2015 Atlanta CHIME Lead Forum

“Technical To-Dos”

• Dual Factor Authentication

• Network Segmentation

– Internal firewalls

– ACLs

• Authentication Reviews

– Access

– Process

• Password Strengthening

Page 10: 2015 Atlanta CHIME Lead Forum

Q & A

Page 11: 2015 Atlanta CHIME Lead Forum

Dee Cantrell, RN, BSN, MS, FHIMSS

Chief Information Officer Emory Healthcare

#LEAD15

Page 12: 2015 Atlanta CHIME Lead Forum

Emory’s Story

Things to try

Threat Profile

Technical Security Profile

Frameworks

Biggest Threats

Lessons Learned

Page 13: 2015 Atlanta CHIME Lead Forum

“WARNING. You have violated information security safeguards, an email notification has been sent to a federal agency, your supervisor and your mother.”

Page 14: 2015 Atlanta CHIME Lead Forum

What happens when the security system detects unauthorized access.

Page 16: 2015 Atlanta CHIME Lead Forum

Emory’s Threat Landscape

Page 17: 2015 Atlanta CHIME Lead Forum

Basic Stats

• 900 attackers quarantined per month

• 4.2 M explicit attacks blocked per month

• 161 M communication attempts blocked per month

• 49M malicious web sites blocked per month

Page 18: 2015 Atlanta CHIME Lead Forum

Messages

• Blocked: 32.2 Million Messages

• Quarantined: 28.9 Million Messages

• Delivered: 5.8 million Messages

Page 19: 2015 Atlanta CHIME Lead Forum

Emory’s Technical Security Profile

Page 20: 2015 Atlanta CHIME Lead Forum

Frameworks

Page 21: 2015 Atlanta CHIME Lead Forum

Emory’s Framework

Page 23: 2015 Atlanta CHIME Lead Forum

Biggest Threats

Page 28: 2015 Atlanta CHIME Lead Forum

Lessons Learned

• Employees still biggest threat

• Risk management part of Org Culture

– Enterprise Risk Management Board

• Constant campaigns and approaches for awareness

– “Search and Secure”, phishing, etc.

• Annual required education with competency assessment

• Onboarding training for new staff

• Continuous improvement of Breach Investigation and Notification Process

Page 29: 2015 Atlanta CHIME Lead Forum

@cantrelldedra