TABLE OF CONTENTS

BACKGROUND
EXECUTIVE SUMMARY
HEALTH CARE ORGANIZATION 1
    Cyber Risk Landscape
    HCO 1 Risk Management Culture
    Governance
    Governance Questions
    Strategies for Success
    Strategic Plan
    Leadership Involvement in Incident Response
    HCO 1 Use Case
    The Incident
    Lessons Learned and Rules of Thumb
    Cost/Benefit Considerations
    Use Case Questions
    Cybersecurity Insurance
HEALTH CARE ORGANIZATION 2
    Cyber Risk Landscape
    Longstanding Challenges
    Regulatory Regimes and Audits
    HIPAA
    HIPAA's Limits
    Regulatory Regimes and Audits Questions
    Academic Freedom
    Asset Management and Software Security Solutions
    HCO 2 Risk Management Culture
    Governance
    Strategies for Success
    Compliance Versus Enterprise Risk Management
    Costs, Benefits, and the Power of Compliance
    Costs, Benefits, and Enterprise Approaches
    Regulation
    Reputational Risks
    HCO 2 Use Case
    The Incident
    Use Case Implications
    Cybersecurity Insurance
HEALTH CARE ORGANIZATION 3
    Cyber Risk Landscape
    HCO 3 Risk Management Culture
    Governance
    Strategies for Success
    ERM Frameworks
    Catastrophe Planning
    HCO 3 Use Case
    The Incident
    Incident Observations
    Use Case Questions
    Cost/Benefit Communications to Leadership
    Risk Management Roadmaps
    Assessing Costs
    Assessing Benefits
    Monitoring Traffic for Indicators and Events
    Advanced Persistent Threat Response
    Cybersecurity Insurance
CONCLUSION
APPENDIX
BACKGROUND

The Department of Homeland Security's (DHS) National Protection and Programs Directorate (NPPD) helps both private and public sector partners secure their cyber networks, assisting them collectively and individually and improving the nation's overall cybersecurity posture in the process. Through these interactions, DHS has become aware of a growing interest in cybersecurity insurance as well as limitations in the current market, especially when it comes to first-party market coverage for cyber-related critical infrastructure loss.[1]

To better understand those limitations and how a more robust market could help encourage better cyber risk management, NPPD hosted its first-ever Cybersecurity Insurance Workshop during the fall of 2012. NPPD had two main goals for the event: (1) determine what obstacles prevent carriers from offering more attractive first-party policies to more customers at lower cost; and (2) promote stakeholder discussion about how to move the market forward. At that event, NPPD hosted a diverse group of participants, registered on a first-come, first-served basis, from five stakeholder groups that included insurance carriers, risk managers, information technology/cyber experts, academics/social scientists, and critical infrastructure owners and operators. Several federal agencies also sent representatives.

As part of its planning, NPPD asked participants to nominate breakout group topics in order to develop the workshop agenda and ensure that it addressed matters of critical interest. Participants nominated the following topics, which focused specifically on the first-party market: (1) Defining Insurable and Uninsurable Cyber Risks; (2) Cyber Insurance and the Human Element; (3) Cyber Liability: Who is Responsible for What Harm; (4) Current Cyber Risk Management Strategies and Approaches; (5) Cyber Insurance: What Harms Should It Cover and What Should It Cost; (6) Improving the Cyber Insurance Market: Stakeholder Roles and Responsibilities; and (7) Sequencing Solutions: How Should the Market Move Forward?

On May 13, 2013, NPPD held a roundtable based on what it had learned during the fall workshop. The roundtable focused on how organizations should go about building more effective cyber risk cultures as a prerequisite to a stronger and more responsive first-party market. With representatives from each of the same stakeholder groups in attendance, NPPD led a discussion about four pillars of such cultures: (1) Engaged Executive Leadership; (2) Targeted Cyber Risk Management and Awareness; (3) Cost-Effective Technology Investments Tailored to Organizational Needs; and (4) Relevant Information Sharing. Participants described the importance of and challenges with implementing the pillars in three distinct but related contexts: within companies; between partnering companies; and nationally. They likewise offered their opinions about how large, mid-size, and small companies should go about meeting those challenges given their traditionally disparate levels of expertise and risk management resources.

During both events, participants shared a wide range of perspectives on these various topics, which were included in workshop and roundtable readout reports. The reports are available on the DHS Cybersecurity Insurance webpage. Building on the ideas surfaced at the workshop and roundtable, and after conducting its own additional research, NPPD publicly announced its intent to convene a second roundtable in the fall of 2013. That event, the subject of this readout report, addressed a fundamental yet unanswered question that had arisen over the course of the prior discussions: how do cost and benefit considerations inform the identification of not only an organization's top cyber risks but also appropriate risk management investments to address them?

On November 20, 2013, NPPD accordingly hosted a small number of participants, registered on a first-come, first-served basis, at the National Intellectual Property Rights (IPR) Coordination Center in Arlington, Virginia, to find answers. NPPD adopted a new format for the roundtable that included three cyber risk management use case presentations by health care organization (HCO) representatives. The representatives described an actual cyber incident that their organizations had experienced; how they managed the incident; and how lessons learned from the incident have influenced their actions and investments to improve patient safety. The presentations likewise addressed how the organizations are incorporating cost/benefit considerations as part of cyber risk management strategies; how their individual risk cultures are evolving as a result; and what role cybersecurity insurance is playing as part of their processes. An extended group discussion period followed each use case presentation in order to examine all of these themes in detail and to identify potential opportunities to enhance cyber risk management best practices.

Prior to the roundtable, NPPD advised the presenters and participants alike that their input during the event would be included in this final readout report on a non-attribution basis. NPPD explained that the purpose of this report would be to: (1) capture diverse ideas about how cost/benefit considerations motivate cyber risk management investments, including insurance investments; and (2) record a wide range of perspectives that might inform cyber risk management efforts nationally. NPPD further advised that it wasn't looking for, wouldn't accept, and wouldn't solicit group or consensus recommendations during the roundtable. NPPD likewise clarified that neither DHS nor NPPD would make any decisions about agency policy or positions during the event.

In addition to 8 roundtable leaders, organizers, and support personnel, NPPD hosted 30 participants from the following stakeholder groups:
- Insurance Carriers: 7
- Risk Managers: 6
- Information Technology/Cyber Experts: 6
- Academics/Social Scientists: 3
- Critical Infrastructure Owners/Operators: 5
- Government: 3

[1] First-party cybersecurity insurance policies cover direct losses to companies arising from events such as business interruption, destruction of data and property, and reputational harm. Third-party policies, by contrast, cover losses that a company causes to its customers and others, such as harms arising from the exposure of personally identifiable information (PII) through a data breach. See U.S. Department of Homeland Security, Cybersecurity Insurance Workshop Readout Report, National Protection and Programs Directorate. Available online (accessed 29 January 2014).
EXECUTIVE SUMMARY

The HCO representatives, all of them Chief Information Security Officers (CISOs) or risk manager equivalents, hailed from a variety of organizations including an academic medical center and research university, a university hospital system, and a medical vendor that provides health care consumer products, pharmaceuticals, and medical devices/technology. Although each presented very different cyber risk management use cases, they shared many of the same challenges while addressing them. They consequently directed their remarks to three principal topics during the roundtable discussions: (1) making the case for cybersecurity investments to senior leadership; (2) incorporating cost/benefit considerations into their arguments; and (3) negotiating the boundary between risk mitigation efforts and risk transfer/insurance options to promote more effective cyber risk management strategies.

ENGAGING LEADERSHIP

The HCO representatives described two approaches to driving cybersecurity investments within their respective organizations. Several emphasized the value of enterprise risk management (ERM) to their efforts, noting that involving senior leadership in both the identification and prioritization of cyber risks has been critical to building trust in and promoting the effectiveness of their teams. They explained how they create master lists of priority cyber risks and corresponding risk controls for leadership review, drawing heavily on their team members' subject matter expertise as informed by real world cyber incidents. After presenting and discussing his team's list, one representative reported that his board of directors literally draws a line between those controls that will be funded given available resources and those controls that will not. This practice, he noted, generates a sense of ownership by the board that invests it in the success of its chosen approaches.

By contrast, another representative explained that more primal factors motivate his leadership to spend against cyber risk: namely, fear of substantial regulatory fines and public shaming under the Health Insurance Portability and Accountability Act (HIPAA).[2] The representative advised that even though HIPAA does not focus on malicious hacking or other activity that doesn't directly impact the delivery of patient care, he nevertheless tries to market all his recommended risk controls on HIPAA grounds. Given its role as primary driver of IT security funding, he observed, HIPAA currently serves as a necessary albeit imperfect vehicle for obtaining the cybersecurity funds he needs. Despite these disparate approaches, the HCO representatives concurred that ERM strategies that include cyber risk become easier to develop, fund, and implement once senior leaders mature their understanding of the full range of online dangers their organizations face.

COSTS AND BENEFITS

The HCO representatives likewise advised that when it comes to cost/benefit considerations, they use an exclusively qualitative approach when prioritizing cyber risks on the one hand and making the case for cyber risk management resources on the other. They asserted that cyber risk management today, at least in the health care sector, is more of an art than a science. One representative explained that his senior leadership usually defers to him regarding top cyber risks so long as he maintains a keen sense of what's happening on his organization's networks, what's likely to happen on them in the future, and where the greatest potential for financial and other loss exists. This trust in his expertise likewise carries over directly to his proposed solution sets. Spreadsheets with quantitative details about the merits of one risk control over another, he continued, consequently have little to do with convincing corporate leaders to act. Several representatives agreed and reported that their leadership instead encourages them to "ballpark" their cybersecurity investment recommendations in relation to "the pack." As one noted, the rule of thumb is to spend not so much more than their peers that shareholders get angry and not so much less that regulators come knocking.

The representatives agreed that getting their organizations to actually fund their cybersecurity investment recommendations is the hard part. One stated that the best way for him to sell a particular investment's benefit is to assign ownership for potential cyber incident losses to specific individuals. He explained that once department heads understand that they're institutionally on the hook for such losses, resource conversations about purchasing and pre-positioning various risk controls suddenly become much easier. Another advised that avoiding the costs of a HIPAA audit typically is the only benefit he needs to demonstrate regarding a proposed mitigation. In short, casting a cyber risk control's benefits in terms of avoiding direct financial pain appears to be a highly successful technique.

THE ROLE OF INSURANCE

The HCO representatives were somewhat ambivalent about the role of cybersecurity insurance within their organizations' cyber risk management strategies. Several reported that they meet annually with underwriters to provide updates about their organization's cyber incidents and believe that data breach coverage in particular is good to have. While one appreciated that his employer's insurer paid for an incident response firm to help out during a major cyber incident, he stated that he saw cybersecurity insurance as a way to address catastrophic situations only. He emphasized that he would not welcome insurers dictating how he or his team should mitigate cyber risks in his day-to-day environment. While another representative concurred that cybersecurity insurance has value because it purports to cover costs arising from unavoidable data breaches, he was dubious about the level of reimbursement his organization could truly expect in the event of a breach. It has never made a claim to test its policy. The third representative advised, in turn, that his organization has not yet invested in cybersecurity insurance. In view of his limited cybersecurity resources, he added, it makes more sense to spend on risk mitigation rather than risk transfer options.

Under these circumstances, the roundtable participants agreed that both cybersecurity professionals and insurers would benefit from a sustained dialogue about what each community brings to the cyber risk management table. Several remarked that a good first topic of conversation would be how they could work together to advance the cybersecurity insurance market's ability to cover cyber-related critical infrastructure loss.

[2] The Health Insurance Portability and Accountability Act of 1996 (Pub.L. 104-191; 110 Stat. 1936).
HEALTH CARE ORGANIZATION 1

ORGANIZATION OVERVIEW: The Chief Information Security Officer (CISO) for Health Care Organization 1 (HCO 1) described HCO 1 as a nationally top-ranked research university and academic medical center. HCO 1 comprises several hospitals and hosts influential and sometimes controversial faculty and alumni, the profiles of whom, he noted, sometimes make it a cyber target. He stated that HCO 1 is home to almost 15,000 students; 28,000 faculty and staff; and 500 central information technology (IT) staff. The CISO advised that HCO 1 employs eight full-time information security staff. Four of those professionals work on operational and tactical information security issues such as establishing firewalls and providing hardware and software tokens. The remaining four focus on more strategic issues. Two of those four, he added, work strictly on IT compliance matters. The CISO described his team's budget as small. Apart from employee salaries, he receives less than a million dollars annually to fund cyber risk management initiatives.

USE CASE PRESENTATION AND DISCUSSION: CYBER RISK LANDSCAPE

The CISO described HCO 1 as having a high threat environment in which his team, on a monthly basis, quarantines and/or blocks approximately 450 new bad actors; 30 million communications attempts to and from bad actors; seven million malicious websites; and 60 million e-mails. By contrast, his team supports the secure delivery of approximately six million e-mails. The CISO added that threat actors that target HCO 1 typically include identity thieves, phishers and spammers, and nation states.

The CISO next described the number of cyber incidents that he and his team must respond to on an annual basis. They include anywhere from 400 to 500 minor incidents, including unauthorized beaconing out of the HCO 1 network (indicating malware or spyware); 10 to 15 significant incidents such as identity theft schemes that directly engage his team; and one to five breach notifications. One to three of those breach notifications, he added, include reportable events under HIPAA. The CISO advised that his team routinely cooperates with local and federal law enforcement on such incidents.

HCO 1 RISK MANAGEMENT CULTURE

GOVERNANCE

The CISO stated that he believes that HCO 1 has a healthy risk culture when it comes to managing its cyber risk environment. He explained that HCO 1 has six governance bodies that support his team's cybersecurity work. They include:
- A Board of Trustees Audit Committee. The CISO reported that he meets with the Board of Trustees Audit Committee once a year to provide an overview of the HCO 1 cyber risk landscape;
- The HCO 1 President's Cabinet and the HCO 1 Healthcare CEO. The CISO stated that he meets with these individuals multiple times per year, as necessary;
- An Enterprise Risk Management Committee. The CISO advised that the Enterprise Risk Management Committee includes both an Executive Committee and Risk Management Process Owners; and
- A Breach Notification Team. The CISO explained that the Breach Notification Team includes the HCO 1 Chief Information Officer (CIO), the CISO (himself), the General Counsel, and the Chief Risk Officer, all of whom have responsibility for both the HCO 1 healthcare system and the university, as well as the University Privacy Officer, the Healthcare Privacy Officer, the HIPAA Steering Committee (which monitors HCO 1's HIPAA compliance), and an IT Steering Committee (which centralizes IT efforts across HCO 1).

The CISO advised that these governance bodies are comfortable making hard cyber risk management decisions and accordingly will take inconvenient mitigation steps; notify parties affected by a cyber incident; and accept institutional risk, when appropriate. He explained that HCO 1 leadership is guided by a desire to make the right cyber risk management decisions for impacted individuals within the HCO 1 community and for HCO 1 as an institution, in that order.

The CISO reported that the governance bodies involved in HCO 1 cyber incident response include the Breach Notification Team, the Enterprise Risk Management Executive Committee, and business unit leaders from business units impacted by cyber incidents. The CISO noted that the Enterprise Risk Management Committee worked collaboratively to reduce an original list of 1,600 priority risks to 60 risks, three of which involve data breach and/or exposure risks. He advised that his team meets with the Committee several times a year to provide updates on the state of HCO 1's cybersecurity risk. He explained that his primary responsibility, as the cyber risk management process owner, is to get the right information to the Committee in order to enable effective management of the most pressing cyber risks.

The CISO further explained that after a cyber incident, the Breach Notification Team gathers the relevant facts and generates a one-to-two page, high-level risk document with recommendations on how it thinks HCO 1 should respond to the incident. The Team then provides its recommendations to the Enterprise Risk Management Committee which, in turn, determines what actions to take.
GOVERNANCE QUESTIONS

An IT professional asked about the mechanics of the Breach Notification Team process. The CISO replied that it usually takes a short but significant amount of time to conduct a fact-finding effort in support of the one-to-two page Breach Notification Team report. He added that the process from initial notification of a breach to final decision by the Enterprise Risk Management Committee can address both cyber and physical threats. For example, HCO 1 maintains its own police department to which the Breach Notification Team can provide trackable leads such as phone calls. The CISO stated that the police department in turn can issue subpoenas, an authority which it has exercised on his team's behalf in the past. In return, he noted, his team can provide technical expertise for law enforcement tasks such as forensic analysis of infected workstations.

A risk manager asked the CISO about his communications strategy following a cyber incident. He responded that his team puts together the first draft of any message in order to ensure that all the technical and other facts about an event are correct. The team then sends the draft to the HCO 1 press office for final preparation. The CISO added that he and his staff are very cognizant of all the downstream impacts that might result from an incident and that that knowledge informs everything they do. An IT professional then asked whether the CISO has a holding press statement at the ready whenever cyber incidents occur. The CISO responded in the negative.

A critical infrastructure representative asked what participation the CISO has in higher-level discussions for business decisions. The CISO responded that although neither he nor his team directly participate in discussions about large and strategic IT purchases, the Chief Information Officer (CIO) does so participate and is very security minded. The CISO added that if HCO 1 considered such a purchase, the CIO would come to him and ask for advice and guidance.

STRATEGIES FOR SUCCESS

The CISO described a two-pronged strategy for his team's cyber risk management success that includes obtaining leadership approval for HCO 1's Strategic Plan for Information Security and involving leadership in the incident response process itself.

STRATEGIC PLAN

Regarding the first prong, the CISO advised that his team works to align HCO 1's Strategic Plan for Information Security, which addresses where large information security initiatives should be focused for HCO 1 in the coming months, with HCO 1's overall institutional vision and strategy. As part of that effort, his team generates a prioritized list of information security risks every few months. That list includes a corresponding series of information security initiatives designed to address those prioritized risks. Each such initiative includes a description of its estimated one-time and recurring costs; staffing requirements; and the specific risks, e.g., those arising out of Bring Your Own Device (BYOD) and other business trends, that they're designed to address.[3] The CISO advised that he seeks funding for the highest priority initiatives recommended by his team but has HCO 1 leadership literally draw a line between the information security initiatives that it will fund and those which it will not. The CISO reported that this decision process highlights to HCO 1 leadership that, in a resource-constrained environment, some threats will not be addressed. In this way, leadership is forced to explicitly prioritize between different types of threats and risks and accordingly own its final decisions in a much more complete manner. He stated that HCO 1 executives have accordingly become more and more invested over time in the success of the HCO 1 Strategic Plan for Information Security.

A critical infrastructure representative asked if the CISO sometimes argues in the opposite direction, attempting to convince his leadership not to fund specific initiatives that may not offer a comparative value. He responded that his team does not make such arguments but that the CIO is much more likely to do so.

LEADERSHIP INVOLVEMENT IN INCIDENT RESPONSE

Regarding the second prong, the CISO reported that his team provides regular cybersecurity briefings to HCO 1's six governance bodies, a service that has gone a long way toward building a great relationship with key leaders and establishing his team's credibility. As a result, he has obtained leadership approval for not only a unified cyber incident/breach response process but also incident/breach response teams to actually implement that process. To fortify this progress, the CISO ensures that HCO 1 leadership has final decision making responsibility for all strategic cyber risk management decisions that impact the incident/breach response process.

The CISO emphasized that his team's efforts have resulted in strong leadership support for a predetermined funding model that imposes the direct costs of cyber incidents on the HCO 1 business units responsible for them. The CISO mentioned that he wants those units to "share the pain" that their sometimes poor cybersecurity causes to the enterprise. Using an internal billing code, he accordingly charges them for breach notification, investigation, and mitigation expenses as they arise and accrue over time. The CISO noted that this cost ownership policy is meant to reduce reliance on institutional risk across HCO 1. He stated that this approach is very effective and that he rarely, if ever, feels that he's being asked to internalize too much risk.

[3] Bring Your Own Device (BYOD) refers to the practice of allowing an organization's employees to use their own computers, smartphones, or other devices for work purposes. Oxford Dictionaries, "BYOD," online, n.d. Available online (accessed 7 January 2014).
HCO 1 USE CASE

THE INCIDENT

In the summer of 2013, HCO 1's network monitoring tools alerted security administrators that an unexpected system management tool had executed on several systems. The security team investigated the activity and determined that administrative accounts were accessing systems in a manner that suggested that they had been compromised by malicious hackers. HCO 1's initial investigative efforts revealed that at least a partial list of domain accounts and password hashes had been compromised by the malicious hackers and that they had obtained the credentials of at least two domain administrators.

To assist with forensic analysis and other security efforts involved with the incident, HCO 1 engaged the assistance of one of the nation's leading incident response firms. Doing so took several days because HCO 1 first had to verify that its insurer would pay for the services, the costs for which exceeded insurance policy limits, before entering into negotiations with the firm. HCO 1 actively cooperated with federal law enforcement agents during this time.

Through its combined investigative efforts, HCO 1 was able to determine that approximately 44 systems within the HCO 1 environment were either compromised or accessed by the malicious hackers. Other than the aforementioned list of user accounts and hashed passwords, the investigation did not find evidence that the malicious hackers had accessed additional personally identifiable information (PII). HCO 1 took immediate steps to investigate and contain the intrusion, including the disabling of privileged accounts to which the malicious hackers had access and replacing potentially compromised Active Directory servers.

In conjunction with HCO 1's Enterprise Security team, the incident response firm performed investigative activities both onsite and remotely for just over five weeks. The incident response firm asked HCO 1 not to remove the malicious hackers immediately in order to provide it with sufficient time to figure out what they were up to on the HCO 1 network. The CISO and his team accordingly recommended to HCO 1's Enterprise Risk Management Committee that they initially make a very limited mitigation response so the firm could conduct its requested assessment. The Enterprise Risk Management Committee agreed.

After determining the full scope of systems impacted by the incident, a second round of remediation activities was identified and planned. In addition to finally removing the malicious hackers from the environment, those planned activities were designed to improve HCO 1's defenses and enhance its monitoring capabilities over the long term. HCO 1 initiated the second round of remediation activities two weeks after the incident response firm began its onsite activities. At that time, HCO 1 launched an enterprise-wide password change;[4] removed any remaining compromised systems that had been identified through the ongoing investigation; blocked communication with known malicious hacker network addresses and domains; and implemented hardening countermeasures to make it more difficult for malicious hackers to regain access to HCO 1's internal network and to move about within it. Additionally, HCO 1 implemented enhanced monitoring and alerting capabilities to help detect future attacks. HCO 1 currently is working on several additional long-term efforts to improve its ability to prevent, detect, and respond to similar events in the future.

LESSONS LEARNED AND RULES OF THUMB

The CISO and his team identified seven lessons learned and rules of thumb following the use case incident that continue to inform their strategic cyber risk management planning across the HCO 1 enterprise:

- Carpe Incident! Be prepared to take advantage of funding opportunities that may arise from a cyber incident. The CISO stated that very often during or immediately after a significant cyber incident, leadership will ask questions like, "Is there anything we can do to keep this kind of thing from happening again? Do you need any additional resources to help resolve this? Is there any assistance we can provide?" He advised that if cybersecurity professionals have security initiatives waiting in the wings solely because of funding or staffing limitations, they should seize this moment to ask for the additional resources they need. In short, having a small portfolio of pre-prepared, ready-to-go project proposals might just be the thing that will turn a bad situation into an opportunity for improvement.

- During extended incident response efforts, having all the members of an incident response team share the same physical space while doing their work is extremely beneficial. The CISO explained that he co-located malware analysts and network engineers throughout the duration of the incident response cycle, an arrangement that led to many efficiencies and synergies in terms of communications, coordination, and situational awareness. These efficiencies and synergies were important, he observed, because approximately 500 individuals across HCO 1 and associated organizations, including the incident response firm, were involved in the response effort.

[4] The CISO stated that many individuals within the HCO 1 community were likely using their HCO 1 passwords for their personal accounts. HCO 1 didn't want anyone's personal accounts to be affected by the incident, so it chose to notify everyone of the need to change the passwords for those accounts.
14 The CISO added that he d tell insurance cmpanies that paying fr an utside incident respnse firm t cnduct an n-site, real-time assessment f a cyber incident is mney well spent. He advised that the csts invlved with the use case firm ttaled $300,000. By cmparisn, he cmmented, traditinal ff-site frensic analysis wuld have cst an rder f magnitude mre and wuld have been slwer. Things are seldm as definitive as they may seem during the early stages f an incident, s CISOs shuld nt verstate r understate the facts. The CISO suggested that cybersecurity prfessinals shuld manage the expectatins f their rganizatin s leadership by phrasing their messaging carefully saying, fr example, the incident is fluid, and this is what we believe at this time and then prviding mre detailed and precise updates as mre (and better) infrmatin becmes available. A decisin nt t fund a security initiative is a de fact risk acceptance decisin and needs t be made by smene with the authrity t accept such risks. The CISO nted that mst security incidents dn t result frm cmpletely nvel attack vectrs. On the cntrary, he cntinued, mst f the ptential avenues f cmprmise likely have been anticipated and ptential slutins identified in advance. The CISO added that the real issue is that cybersecurity prfessinals typically can t d everything at nce, s tradeffs must be made based n pririty. When yu re chsing which initiatives t implement yu shuld be ding s because thse slutins are believed t prvide the highest value in terms f risk reductin versus cst/impact t yur rganizatin, he stated. In cntrast, the initiatives yu chse nt t pursue (fr gd reasn) will mean that there are knwn/anticipated risks that will nt be addressed (at all in sme cases) because the initiative is nt undertaken. The CISO added that chsing nt t fund these initiatives means that, intentinally r nt, an rganizatin als chses t accept certain cyber risks as the cst f ding business. 
He added that such a decisin may be entirely ratinal, but that the peple making it shuld have nt nly sufficient budgetary authrity t d s but als sufficient management authrity t accept the level f anticipated risk that will result. These are jint decisins, he emphasized, that shuld be decided tgether by the same peple at an enterprise-wide level. A system cmprmise is nt the same thing as a data breach. Knwing early that malicius hacker(s) have nt accessed data, the CISO explained, can save incident respnders a lt f time, effrt, and expense. 11
Proactively instrumenting an IT environment is critical to effectively managing a cyber incident. The CISO explained that he and his team had pre-positioned most of their instrumentation prior to the use case incident, but only because they hadn't had it in place before other previous incidents. Even so, he continued, HCO 1 had not pre-positioned the solutions that the incident response firm ultimately provided, solutions that made a huge impact during and after the use case incident. As a result, HCO 1 is now deploying those solutions on a permanent basis to assist with future incidents.

Vulnerabilities in non-critical systems can lead to the compromise of critical systems. The CISO advised that HCO 1 had multi-factor authentication in place for its critical systems prior to the use case incident. He noted that the vulnerability that the malicious hacker(s) exploited, however, existed on a non-critical system that did not require two-factor identification. Once the malicious hacker(s) gained access to that system, he added, they worked laterally across the entire HCO 1 network.

COST/BENEFIT CONSIDERATIONS

The CISO explained that HCO 1's approach to identifying top cyber risks and appropriate controls to address them is qualitative and not quantitative. He explained that a qualitative approach focuses his team on the relative priority and ordinal ranking of cybersecurity initiatives as outlined in the HCO 1 Strategic Plan for Information Security, which in turn informs which specific cyber risk management investments to make. To generate that ranking, the CISO added, his team relies heavily on its own cybersecurity knowledge and expertise. Cybersecurity is an art, he observed, not a science. When asked whether he felt pressure to justify his recommendations using return on investment (ROI) analyses, the CISO responded, "It would dilute our message to just put numbers on a spreadsheet. Our relationship with management is based on trust."
The CISO explained that when it comes to cost/benefit considerations, information security generally carries a "big stick" across the HCO 1 environment. That big stick, he continued, derives in part from the organization's ongoing defense of a class action lawsuit involving the lost PII of several thousand people. The CISO noted that the lawsuit powerfully drives home to HCO 1 leadership every day the cost/benefit reality of information security investment.

The CISO advised that he and his team do not prioritize their risk mitigation efforts in isolation but in direct reference to the leadership-approved HCO 1 Strategic Plan for Information Security. Everything sounds like a good idea in a vacuum, he observed, and therefore must be considered in relation to the strategic plan. Doing so, he continued, helps ensure that the team does not overreact to the "threat of the week." The CISO added, "We do not want to try to do everything and fail in everything due to lack of resources."
The CISO noted, however, that he and his team sometimes rank order their strategic mitigation efforts alongside non-mitigation initiatives of potential benefit to the organization. For example, they might treat inexpensive "quick wins" as operational initiatives worthy of action and will fund them accordingly. Finally, the CISO advised that his team has been able to reduce costs by leveraging pre-negotiated contracts such as the one with the incident response firm retained during the use case incident last summer. When asked by an insurer whether HCO 1 sustained additional costs beyond retention costs for that firm, the CISO reported that the enterprise had also suffered a loss in productivity.

USE CASE QUESTIONS

A critical infrastructure representative asked if HCO 1 had taken forensic images of the described attacks; whether it had been able to determine the identity of the malicious hacker(s); and the extent to which law enforcement provided value. The CISO responded that most of HCO 1's systems were running on virtual machines, so his team easily created necessary forensic images, captured memory, and produced disk images. He added that HCO 1 had flow data for days on its network as well as network packet capture solutions that retain hours of network traffic into and out of the organization at a time. "Every time we identified a suspect system," the CISO added, "we added it to our list [for network packet capture]." He advised, however, that neither the incident response firm nor law enforcement had been able to confirm the identity of the malicious hacker(s). While work continues in this area, he explained, the malicious hacker(s) did not appear to match other known actors. The CISO observed, moreover, that information sharing with federal law enforcement during the incident had proven to be a largely one-way affair, although his federal partners during their investigation had been able to identify four or five additional "bad guy" systems that had been communicating with HCO 1 servers.
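The practice the CISO describes above, growing the "suspect system" list for packet capture by pivoting on retained flow data, can be illustrated with a small script. This is an added example, not code from the report or from HCO 1; the flow records, the seed address and the 10.0.0.0/8 internal range are all constructed, and the external addresses are RFC 5737 documentation addresses.

```python
# Added example: pivot on retained flow records to grow a capture list.
# Starting from external "seed" addresses supplied by an IR firm or law
# enforcement, list internal hosts that talked to them, then follow
# internal-to-internal flows outbound from those hosts (lateral movement).
from __future__ import annotations

import ipaddress
from collections import namedtuple

Flow = namedtuple("Flow", "ts src dst dport nbytes")
INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # assumed internal range

# Constructed records: timestamp, source, destination, dest port, bytes.
SAMPLE_FLOWS = """
2013-07-01T02:14:05 203.0.113.10 10.0.5.23 443 18200
2013-07-01T02:15:40 10.0.5.23 203.0.113.10 443 5100
2013-07-01T02:31:12 10.0.5.23 10.0.1.8 445 240000
2013-07-01T02:47:30 10.0.1.8 10.0.1.9 3389 96000
2013-07-01T03:02:00 10.0.1.9 203.0.113.44 8443 7400000
2013-07-01T03:05:11 10.0.7.4 198.51.100.5 443 2300
2013-07-01T03:06:00 10.0.1.9 198.51.100.77 443 1200
"""


def is_internal(ip: str) -> bool:
    return ipaddress.ip_address(ip) in INTERNAL


def parse_flows(text: str) -> list[Flow]:
    """Parse whitespace-separated flow records, one per line."""
    flows = []
    for line in text.strip().splitlines():
        ts, src, dst, dport, nbytes = line.split()
        flows.append(Flow(ts, src, dst, int(dport), int(nbytes)))
    return flows


def expand_capture_list(flows, seeds, max_hops=5):
    """Return {internal host: reason it was added}, in discovery order."""
    capture: dict[str, str] = {}
    frontier: set[str] = set()
    for f in flows:  # hop 0: any direct exchange with a seed address
        if f.src in seeds and is_internal(f.dst):
            host, peer = f.dst, f.src
        elif f.dst in seeds and is_internal(f.src):
            host, peer = f.src, f.dst
        else:
            continue
        if host not in capture:
            capture[host] = f"exchanged traffic with suspect {peer}"
            frontier.add(host)
    for _ in range(max_hops):  # later hops: outbound internal flows only
        nxt = set()
        for f in flows:
            if f.src in frontier and is_internal(f.dst) and f.dst not in capture:
                capture[f.dst] = f"lateral from {f.src} on port {f.dport}"
                nxt.add(f.dst)
        if not nxt:
            break
        frontier = nxt
    return capture


def external_peers(flows, capture, seeds):
    """External addresses (other than the seeds) that listed hosts talked
    to, with total bytes. These are candidates for review, not proof."""
    peers: dict[str, int] = {}
    for f in flows:
        if f.src in capture and not is_internal(f.dst) and f.dst not in seeds:
            peers[f.dst] = peers.get(f.dst, 0) + f.nbytes
        elif f.dst in capture and not is_internal(f.src) and f.src not in seeds:
            peers[f.src] = peers.get(f.src, 0) + f.nbytes
    return peers


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    seeds = {"203.0.113.10"}
    capture = expand_capture_list(flows, seeds)
    for host, why in capture.items():
        print(f"capture {host}: {why}")
    for peer, total in external_peers(flows, capture, seeds).items():
        print(f"review external {peer}: {total} bytes")
```

Run against the constructed data, the script adds the three hosts on the lateral path and leaves the unrelated 10.0.7.4 off the list; the large transfer to 203.0.113.44 is surfaced for review rather than declared malicious.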
A risk manager asked whether the CISO believed that HCO 1 has a trusted network with other universities. The CISO responded affirmatively and advised that HCO 1 is involved with the Research and Education Networking Information Sharing Analysis Center (REN-ISAC). He added that during the use case incident, HCO 1 reached out through the REN-ISAC to similarly situated health care organizations who were also experiencing attacks. The CISO asserted that the nation needs an "ISAC of ISACs" so organizations from multiple sectors can share cyber risk and cyber incident information in real time.

An insurer asked what kinds of interactions HCO 1 had or is having with regulators in the wake of the use case incident. The CISO responded that the Department of Education asked specific, high-level questions of HCO 1 and that he and his team had provided background about the incident. He advised that although user IDs and passwords appeared to have been exposed during the event, there have been no indications that other PII was compromised.
An IT professional asked how long it took to get the incident response firm on site. The CISO responded that a contract was signed within several days; gear was shipped and installed a few days after that; and that the firm, once it arrived, took 17 days to figure out what was going on. The CISO and his team were very pleased with the firm's performance and, as previously noted, plan to maintain their business relationship.

A second IT professional asked if HCO 1 was happy with its insurer's support during the incident. The CISO responded affirmatively, noting that HCO 1 had paid the required deductible and that the carrier covered all the costs beyond that amount. He added that the carrier had helped HCO 1 get better prices for services in some cases, typically from approved vendors, and that requiring the use of approved vendors was a reasonable demand from his perspective.

CYBERSECURITY INSURANCE

The CISO advised that HCO 1 has maintained cybersecurity insurance since 2008 and that he considers it to be the cyber equivalent to a catastrophic health plan; in short, it provides limited coverage with a large deductible. In response to a question from a risk manager, he advised that he's fairly isolated from the financial side of insurance and that his only interaction with the insurer in that respect is to answer their annual [information security] questionnaire. While the CISO stated that HCO 1's risk transfer needs are being met by its existing policies, especially when it came to getting the incident response firm on-site quickly, he identified several gaps that he'd like to see the broader cybersecurity insurance market fill: (1) identity theft insurance for breach notification recipients, so individuals who experience fraud and related losses as a result of a breach can be made whole; (2) elimination of exceptions for widespread incidents such as Internet worms and viruses; and (3) coverage that applies to HCO 1 data regardless of where it lives, for example, beyond HCO 1's network to BYOD devices and Cloud/SaaS services.
The CISO added that he would not welcome additional cybersecurity regulations being imposed by HCO 1's insurer through the insurance contract.
HEALTH CARE ORGANIZATION 2

ORGANIZATION OVERVIEW: The Chief Information Security Officer (CISO) for Health Care Organization 2 (HCO 2) described HCO 2 as an enterprise that includes six major hospitals, over 100 clinics, and a university system that includes a medical community of almost 60,000 members. It serves millions of patients. Given HCO 2's size, he explained, he doesn't have to look hard for examples of cyber incidents that occur within it.

The CISO stated that HCO 2's network security team employs approximately 30 full time equivalent (FTE) employees. He advised that approximately 15 of those FTEs are application security specialists, meaning that they set up rules dictating user access to systems. He added that approximately seven other FTEs work directly on network security issues while another seven focus on acquisitions, or "buying security." The CISO commented that his team currently lacks risk management experts and "data cops." Finding and hiring specialists in these areas is difficult, he explained, because they have inherently tough and thankless jobs.

The CISO advised that he's made the case to HCO 2 leadership that the same person should not be responsible for all network security needs. He commented that the cybersecurity field is very specialized and that the person handling laptop encryption, for example, should not also be working on network security. As the cyber threat continues to escalate, he added, the need for specialized cybersecurity professionals will increase accordingly.

USE CASE PRESENTATION AND DISCUSSION:

CYBER RISK LANDSCAPE

The CISO described the HCO 2 cyber risk landscape, and the cyber risk landscape for health care organizations generally, through the prism of electronic health records (EHRs) and the increasing number of security issues involving them.

LONGSTANDING CHALLENGES

The CISO observed that most doctors still use paper medical records despite the fact that health care providers have been talking about implementing EHRs since the 1960s.
He noted that the transition to EHRs has been slow for two main reasons. First, system designers often don't put the needs of end users, i.e., the doctors, first. Instead, they develop underlying infrastructure to support the creation, transfer, and storage of EHRs before they build out end user applications. The CISO commented that strict usability requirements of the medical profession create a high performance bar for the technology that must be satisfied before doctors will adopt it. For example, he explained, doctors examining patients can't wait minutes at a time for EHRs to load onto handheld devices. In addition to cutting into the doctor's efficiency and, consequently, his or her profit margin, inadequate technology (i.e., the end user application) and/or the perception thereof erodes patient confidence.
Second, EHR statutory and/or regulatory requirements themselves impose significant technical challenges that must be successfully addressed. The CISO described the two primary components of medical record exchange in most practices: (1) documentation, the so-called "easy part," such as when a doctor prescribes a medicine for a patient; and (2) order entry, the so-called "harder part," when an order for medicine or a test is actually placed based on a doctor's diagnosis and recommendation.

The CISO emphasized that the Health Information Technology for Economic and Clinical Health (HITECH) Act,[5] by requiring doctors to use electronic order entry by 2015,[6] has inserted medical IT into the center of medical practice itself. The importance of this new requirement, he commented, can't be overstated. The CISO added that getting electronic order entry wrong could cause a doctor's life to go from bad to intolerably bad. Specifically, he stated that some technologies already slow down trust delegation data processes used by doctors today. In view of the fast approaching 2015 deadline, he added, some doctors fear that faulty or underperforming order entry technology could compromise their already brittle medical record exchange systems. The CISO observed that doctors further worry that the new mandate will require them to do more work, slow them down, and ultimately reduce their productivity by cutting the total number of patients they can see on a daily basis. Given the already low reimbursement rates of Medicare and other programs, he concluded, this could result in severe risk to a health care organization's already low profit margins.

[5] The HITECH Act, enacted in Title XIII of the American Recovery and Reinvestment Act of 2009 (Pub.L ), set as a critical national goal the meaningful use of interoperable EHR. Wikipedia. Health Information Technology for Economic and Clinical Health Act. ONLINE. N.D. Available: [23 January 2014]. The term "meaningful use" means that health care providers use certified EHR technology in ways that can be measured significantly in quality and quantity. U.S. Department of Health and Human Services. ONLINE. N.D. Available: [24 January 2014]. Under the HITECH Act, health care providers that achieved meaningful use by 2011 became eligible for incentive payments. Meaningful Use. ONLINE. N.D. Available: [8 January 2014]. Those who fail to do so by 2015 may be penalized. Id. Stage 1 meaningful use criteria set the baseline for electronic data capture and information sharing, while Stage 2 and Stage 3, expected to be implemented in 2015, will continue to expand on that baseline. Id.

[6] Electronic order entry, also known as Computerized Physician Order Entry (CPOE), refers to a process of electronic entry of medical practitioner instructions for the treatment of patients (particularly hospitalized patients) under a physician's care. Wikipedia. Computerized Physician Order Entry. ONLINE. N.D. Available: [8 January 2014]. These orders are communicated over a computer network to the medical staff or to the departments (pharmacy, laboratory, or radiology) responsible for fulfilling the order. Id. CPOE is intended to decrease delay in order completion, reduce errors related to handwriting or transcription, allow order entry at the point of care or off-site, provide error-checking for duplicate or incorrect doses or tests, and simplify inventory and posting of charges. Id.
When another IT professional responded that some of the challenges with adopting electronic order entry may arise from the preferences of individual doctors rather than from underlying sector dynamics, i.e., "people problems" versus "process problems," the CISO disagreed. He stated that medical IT applications have always slowed doctors down, but that they typically complete only the documentation portion of the medical record exchange process, leaving order entry to other staff such as nurses, pharmacists, and other licensed professionals. Regardless of the technical preference of doctors, he added, the requirement that they now play a bigger role in the order entry process itself imposes a significant burden. The CISO concluded that doctors typically aren't technophobes but literally can't afford to be slowed down by anything at the patient point of care.

The CISO remarked that the EHR solutions industry is comparatively immature, likening it to the maturity of enterprise resource planning (ERP) solutions in the 1980s and 1990s.[7] While massive changes in the EHR solutions industry are underway, he continued, obtaining the right solutions still can be very hard. He noted that integrating and obtaining required levels of interoperability among systems, based on existing Health Level Seven International (HL7) and other standards, present even more complex challenges that will require patience and tolerance by all relevant stakeholders as the health care sector evolves in the years ahead.

The CISO then cited the overwhelming need for health care organizations to communicate both internally among their various business units and externally with other organizations in order to serve their patients. In view of the complex coordination this requires, he observed, it's not surprising that their medical record exchange systems are brittle. Securing brittle systems is very difficult, he added, and imposing new layers of security on them only contributes to their brittleness.
The CISO concluded that for these reasons, health care organizations generally are not predisposed to supporting major cybersecurity investments.

REGULATORY REGIMES AND AUDITS

HIPAA

Despite these challenges, the CISO explained that cyber incidents nevertheless are very much on the radar of most health care organizations given the main regulatory structure against which they must perform: HIPAA. Although he described HIPAA as a law that's difficult to decipher, he stated that health care organizations pay very close attention to the results of HIPAA audits in order to understand how the Department of Health and Human Services (HHS) assesses and evaluates cybersecurity best practices. The CISO disclosed that HHS recently subjected HCO 2 to

[7] Enterprise resource planning (ERP) software refers to business process management software that allows an organization to use a system of integrated applications to manage its business and automate back office functions. Webopedia. ERP Enterprise Resource Planning. ONLINE. N.D. Available: [14 January 2014]. ERP software integrates all facets of an organization's operation, including product planning, development, manufacturing processes, sales and marketing. Id.