Cybersecurity in Healthcare: From the sidelines to the headlines. Sean P. Murphy CISSP, ISSMP, CPHIMS, FACHE, HCISPP, CIPP / IT

Transcription

1 Cybersecurity in Healthcare: From the sidelines to the headlines Sean P. Murphy CISSP, ISSMP, CPHIMS, FACHE, HCISPP, CIPP / IT

2 By way of introduction Sean Murphy FACHE, CPHIMS, CISSP-ISSMP, CIPT, HCISPP Vice President, Chief Information Security Officer Premera Blue Cross, Seattle, WA Retired Air Force Medical Service (Lieutenant Colonel) Experience in military and civilian healthcare organizations as CIO, CISO, and CTO Chair, HIMSS Privacy and Security Committee (2010) (ISC) 2 Committee to establish HCISPP credential (2014) Job Analysis and Exam Writer Author of multiple chapters, white papers, and conference speaker to include Healthcare Information Security and Privacy, (2015) McGraw Hill Served as founder, officer, working group member, and active member of affiliated local professional groups over many years

3 Agenda The road to here for healthcare How times have changed Sideline to headlines Cybersecurity enters healthcare Peeking forward Questions / Comments / Criticisms

4 The road to here in healthcare Breaches are epidemic Often multiple per org Data loss is costly It is getting worse Healthcare lags behind Patients are affected SOURCE: ID Experts: Ponemon Study; Third Annual Benchmark Study on Patient Privacy & Data Security ; Dec 2012 ; Infographic included

5 The road to here in healthcare Electronic healthcare record implementation > 75% As of 2011, over 150 EXABYTES {1000 (10 18 )} of data; projected to double / year Every healthcare customer has a requirement to analyze / mitigate risk Monitoring and incident response emerging as must-have as well HIPAA Omnibus Final Rule increased accountability; adds 3 rd party risk Daily headlines on security breaches; rising to Board Level Concerns Healthcare organizations are not in the business of providing worldclass cybersecurity; the adversary is world-class HIPAA is not prescriptive; but getting it wrong is costly (fines/penalties) Healthcare depends on interoperability and sharing Unlike financial records, medical record misuse is hard to rectify

6 The road to here in healthcare NOW THEN

7 (A detour on our road) What is a medical device? The challenge in cybersecurity starts with telling the difference between a medical device and any other IT computing platform

8 (A detour on our road) What is a medical device? Used for diagnosis, treatment, and therapy Sensors, Imaging, Measures, Alerts, and Radiation to name just a few functions Special purpose, regulated by US Food and Drug Administration (FDA) IMHO this has been a key dependency for implementing cybersecurity in healthcare

9 (A detour on our road) What is a medical device? Not always digital or networked, but they increasingly are. X-ray, MRI, Infusion Pumps, Pacemakers Also, movement toward implantable, ingestible, and wearable inter-connected devices

10 (Detour continued) Increase in embedded IT & networking WAN MAN LAN Personal Area Network Body Area Network BAN and PAN are medical networks using the hospital network Federal Communications Commission (FCC) authorized specific frequency for BAN Protocols: RFID, DICOM, IEEE x / WiFi, Bluetooth, ZigBee (2.4 GHz), IEEE 11073, medical instrumentation bus 10

11 (Detour continued) Increase in embedded IT & networked Body Area Networks Home health networks In hospital settings, allow free movement of patient and around patient 11

12 (Merging back on our road) Impact of cybersecurity: patient care / safety IT = Mission Critical while CE = Life Critical One size IT security best practices, indiscriminately applied without manufacturer evaluation = patient safety risk

13 (Merging back on our road) Impact of cybersecurity: patient care / safety Health Org s do not manufacturer med devices Even after purchase (21 CFR Part 820) Regulated independently FDA plus international standards Clinicians (customers) are not asking for cyber capability they want (pay for) clinical capability

14 (Merging back on our road) Impact of cybersecurity: patient care / safety Health Org s do not manufacturer med devices Even after purchase, manufacturer is key Medical device incident reporting process Patch management Access management

15 (Back on the road) The road to here in healthcare SOLUTION?: Implement best practices from banking, military, telecomm, etc. IMPACT: Usually, intended. -- compliance -- privacy -- security Often, unintended. -- risk -- patient safety

16 A Horse is NOT a Zebra

17 How times have changed: from the sidelines to the headlines FUTURE Over 50% of breaches come from employees or business associates (HITRUST) 35% of breaches were lost or stolen laptops (2013) (Redspin) Unauthorized use second-most prevalent source of data breach Traditional breach Current hacking attacks make up 11%, but the number is growing Of these, 11% were phishing Ransomware, intentional attacks, monetized medical records increasing (healthitsecurity) 2015 Year of Cyberattack EHR and Health Information Exchange increases risk State-sponsored terrorism will target healthcare (MGMA 2014) Detection and correction are becoming the imperative (Gartner) Data Focus

18 How times have changed: from the sidelines to the headlines Fifth Annual Benchmark Study on Patient Privacy and Data Security, Poneman Institute (2015)

19 How times have changed: from the sidelines to the headlines High Costs Of Healthcare Data Breaches Delay care W / hold info TRUST Investigations Fines & Penalties Class Action law suits Abnormal Churn Reputation Board Action Identity theft / false claims Availability of information Security at any cost

20 How times have changed: from the sidelines to the headlines High Cost of Healthcare Data Breaches Source: Fifth Annual Benchmark Study on Privacy and Security of Healthcare Data, Ponemon Institute

21 How times have changed: from the sidelines to the headlines High Cost of Healthcare Data Breaches Near-misses (non-data breaches that still require detection and escalation) increase costs Source: Ponemon Institute/Symantec

22 How times have changed: from the sidelines to the headlines High Cost of Healthcare Data Breaches Source: Gartner BYOD Survey

23 And now the headlines HEALTH IT SECURITY September 8, 2015 (Major Academic Medical Center) joins list of largest health data breaches of 2015 USA TODAY April 14, 2015 Health data breaches sow confusion, frustration I had no idea (they) had my data. Why did (they) have my data? I-HEALTH BEAT June (Indiana Health System) is notifying about 220,000 patients of a breach that could go back as far as November 2013 Mean time to discovery (MTD) is around 270 days

24 F I N E S S E T T L E M E N T S Behind the headlines: Settlement Costs and Fines Date of Increasing Company AvMed (Florida) Stanford University (CA) Breach/ Settlement 2010/ Jan / Apr No. of Records Type of Records 1 million Social Security Numbers and Health records Settlement Fund Basis $3.1 M Partial refund of insurance premiums (up to $30 per individual) for not receiving the level of security promised. 20,000 Health records $4.1 M Patients will receive $100 each and the hospital will have to fund a program for 2 years that trains medical professionals to protect patient records. Entity New York Presbyterian/ Columbia University Triple S Management Date Fine Amount Cause May 2014 $4.8 M Improper deactivation of a server containing personal information. Feb $6.8 M Failure to take all required steps in a breach. WellPoint Jul $1.7 M Leaving confidential information accessible over the internet.

25 Cybersecurity enters healthcare Old Reality Keep them out Servers in the datacenter Users connecting to the office network from corporate computers Dumb malware targeting everyone Attackers exploit vulnerabilities Protect the systems: - Patch vulnerabilities - Anti-virus catches malware Network architecture: - Web servers in the DMZ - Everything else in trusted internal network Accounts are safe with username and a strong password Prevention New Reality Stop them on the inside Services in the cloud Users connecting from the Internet on BYOD and mobile Smart, deliberate attackers targeting you Attackers exploit accounts Systems are always vulnerable: - Attackers can compromise any server - Attackers can compromise any endpoint - Any Internet access is an entry point Network architecture: - Protect the servers from the users - Use segmentation to contain breaches Strong authentication is necessary to protect accounts from compromise Detection and Response

26 Cybersecurity enters healthcare: Current Security Methods are Not Sufficient Source: Chris Williams (Leidos Cybersecurity) with modifications from Sean Murphy (Leidos Health) IDS = intrusion detection system VPN = virtual private network

27 ANATOMY OF A CYBER ATTACK Increasingly popular Or Elevation! Or Ransomware!

28 Cybersecurity enters healthcare Security Training Protect Risk Assessment Recover Security Identity Management Incident Forensics Correct Detect Continuous Security Monitoring

29 Cybersecurity enters healthcare: CyberSecurity Talent Search

30 Cybersecurity enters healthcare: CyberSecurity Talent Search Primary Sources of Information Protection Workforce Privacy Health Information Management Legal Risk Management Internal IT Staff Other Industry InfoTech Medical Technician Clinical Engineering Device System Administrators Super Users (Lab, Rad, Pharm)

31 Cybersecurity enters healthcare: Cybersecurity Talent Search Getting to the desired competencies Healthcare Industry Regulatory Environment Privacy and Security in Healthcare Information Governance and Risk Management Third Party Risk Management Privacy Ethical/Legal Program Management IT Security Incident Reporting Admin, Technical, and Physical Controls Business Continuity Disaster Recovery Telecommunications IT Security Medical Technician Healthcare Clinical Engineering Manufacturer/Vendor Risk Specific Medical Device Clinical Workflow IT Security Patient Safety

32 Peeking forward 1. Emphasis on detection 2. Less reliance on the endpoint and server 3. Application whitelisting 4. Network segmentation 5. Two-factor authentication 6. Log aggregation and security incident event management (SIEM) 7. 24x7 security monitoring and incident response 8. Incident rapid response teams 9. Forensics tools and capabilities 10. Security incident metrics Build defenses around disrupting the attack sequence Don t believe that by doing everything right you will be immune Measure attacks and defenses using metrics

33 Peeking forward This is a national security concern: Healthcare is a critical infrastructure Hacktivists, organized crime, nation states are at our door (in our house?) The data is being monetized Crystal ball: Cyber offense continues to get easier and more complex Cyber defense is a battle against complexity, patience, purpose Cloud, mobile and BYOD only make the defense harder No silver bullets from technology, ever Rapid change though, so you need to stay current Focus must be on swift detection and response Speed of attacks is going to increase Automated attacks will necessitate automated defenses Attackers will improve, share info we must too

34 Peeking forward What healthcare cyber pros should do: Make sure security is a management priority Build defenses around disrupting the attack sequence Don t believe that by doing everything right you will be immune Measure attacks and defenses using metrics (threat intelligence) Affiliate locally, participate as much as you can, network!

35 Agenda The road to here for healthcare How times have changed Sideline to headlines Cybersecurity enters healthcare Peeking forward Questions / Comments / Criticisms

36 Cybersecurity in Healthcare: From the sidelines to the headlines Sean P. Murphy CISSP, ISSMP, CPHIMS, FACHE, HCISPP, CIPP / IT