
12/4/2015

CynergisTek, Inc. 11410 Jollyville Road, Suite 2201, Austin TX 78759 512.402.8550 [email protected] cynergistek.com @CynergisTek

Changing Landscape of Information Security

Presented by: David Holtzman, Vice President for Compliance, CynergisTek, Inc.

Synergistic

The name “CynergisTek” came from the synergy realized by combining the expertise of the two co-founders – building scalable, mature information security programs and architecting enterprise technical solutions.

Founded in 2003

CynergisTek has been providing services to our clients since mid-2003, but many of our clients have been with one or both of the founders since well before the company was founded.

Securing the Mission of Care

CynergisTek services are specifically geared to address the needs of the healthcare community, including providers, payers, and the business associates who provide services to those entities.

Consulting Services

CynergisTek provides consulting services and solutions around information security, privacy, IT architecture, and audit, with a specific focus on regulatory compliance in healthcare.


Today’s Presenter: David Holtzman, CynergisTek, Inc.

• Vice President of Compliance Services, CynergisTek, Inc.
• Subject matter expert in health information privacy policy and compliance issues involving the HIPAA Privacy, Security and Breach Notification Rules
• Veteran hand in developing, implementing and evaluating health information privacy and security compliance programs
• Former senior advisor for health information technology and the HIPAA Security Rule, Office for Civil Rights


Agenda

• Level Setting Security in 2015
• Insider Abuse
• Medical Devices
• Mobile Devices
• Managing Vendors
• Priorities for Healthcare


Level Set Security 2015

Increased Reliance

More than 98% of all processes are automated, more than 98% of all devices are networkable, more than 95% of all patient information is digitized, and accountable care/patient engagement rely on it. The enterprise is critical to delivering healthcare. Any outage, corruption of data, or loss of information risks patient safety and care.

Drivers shown in the slide diagram: BYOD, Physician Alignment, ACOs, Patient Engagement, ICD-10, Tele-medicine, MU, FISMA, BAs, HIEs, HIPAA/HITECH, Research.


Top Security Risks in Healthcare

• Theft & Loss: 20% of all breaches involve some form of theft or loss of a device not properly protected.
• Insider Abuse: 26% of breaches in healthcare are carried out by knowledgeable insiders for identity theft or some form of fraud.
• Unintentional Action: 33% of breaches are caused by mistakes or unintentional actions such as improper mailings, errant emails, or facsimiles.
• Cyber Attacks: there was nearly a doubling of breaches due to cyber attacks in 2015, the second year in a row of a 100% increase.

Source: Verizon 2015 Data Breach Investigations Report


Changing Risk Priorities

Top four emergent risk priorities:

• Hackers attempting to access records
• Business associates taking inadequate precautions
• Growing use of mobile devices
• Using texting or sending PHI from personal devices

Chart values as extracted from the slide: 21%, 19%, 14%, 11%; chart labels: Hackers, Increase in Mobile Devices, Sharing PHI BYOD, Business Associates.


Failed Solutions

Most companies buy technology based on cost, not security.

• 90% of survey respondents said that their companies had spent money on technology that was scrapped before, or soon after, deployment.
• Reasons: complexity, lack of expertise, inadequate resources, other factors


Hacking is an Industry

“Some hackers call the weeks of Black Hat USA and Def Con Summer Camp”

• This year billed as “more of everything” as hacking explodes to more devices
• Pwnie Awards went to Shellshock, OPM & Thomas Dullien
• Miller & Valasek continue to hack cars
• Hacking long range precision guided rifles, oops don’t tell DoD
• 11,000 attended this year, 73% said their organization would be hacked
• Workshops and “capture the flag” contests
• The Hack Fortress contest
• Rubbing elbows with the Pros


The Face of Cybercriminals

• 12 year old learning computers in middle school
• 14 year old home schooled girl tired of social events
• 15 year old in New Zealand just joined a defacement group
• 16 year old in Tokyo learning programming in high school
• 19 year old in college putting course work to work
• 20 year old fast food employee that is bored
• 22 year old in Mali working in a carding ring
• 24 year old black hat trying to hack whoever he can
• 25 year old soldier in East European country
• 26 year old contractor deployed overseas
• 28 year old in Oregon who believes in hacktivism
• 30 year old white hat who has a black hat background
• 32 year old researcher who finds vulnerabilities in systems
• 35 year old employee who sees a target of opportunity
• 37 year old rogue intelligence officer
• 39 year old disgruntled admin passed over
• 41 year old private investigator
• 44 year old malware author paid per compromised host
• 49 year old pharmacist in midlife crisis
• 55 year old nurse with a drug problem


Cybersecurity Threat Challenges

• NEW threats from State Actors, Hacktivists and terrorist linked groups
• Three most common attacks: spear phishing, Trojans & Malvertising
• Individual employees remain easy victims of social engineering
• Most organizations can’t detect or address these threats effectively
• Top three areas of vulnerability – endpoints, third parties & mobile devices
• Need to focus on exploitation and exfiltration
• Results in losses of time, dollars, downtime, reputation, breaches, litigation, etc.
• Defenses have not kept pace….

Chart “Targeted Attacks” (0–100 scale; bar values not recoverable from the slide text): Organizations suffering a targeted attack; Sophistication of attack hardest element to defeat; No increase in budget for defenses.


Insider Abuse

Insider Abuse: Trust, But Verify

• It is estimated that more than half of all security incidents involve internal staff.
• More than 70% of identity theft and fraud were committed by knowledgeable insiders – physicians, nurses, pharmacy techs, admissions, billing, etc.
• 2010–2015 witnessed an average 20% increase in medical identity theft year over year.
• 51% of respondents in a SANS study believe the negligent insider is the chief threat.
• 37% believe security awareness training is ineffective.
• Traditional audit methods and manual auditing are completely inadequate.
• Behavior modeling, pattern analysis and anomaly detection are what is needed.
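As an added example (not code from the CynergisTek deck), the script below shows what “behavior modeling, pattern analysis and anomaly detection” looks like at its simplest: it builds a per-user baseline from an EHR access audit log and flags three patterns a privacy auditor would review, a daily volume spike against the user’s own history, access to charts outside the user’s department, and after-hours access. The event fields, the business-hours window, the spike thresholds and the log itself are all constructed assumptions.

```python
"""Flag anomalous patient-record access from a constructed EHR audit log.

Added example, not code from the CynergisTek deck. Assumptions: each audit
event carries the user's home department and the patient's department; a
working shift is 07:00-19:59; a 'volume spike' is a day with at least
MIN_DAILY_FOR_SPIKE accesses and more than SPIKE_FACTOR times the user's
median daily count on other days.
"""
import statistics
from collections import defaultdict
from datetime import datetime, timedelta

BUSINESS_HOURS = range(7, 20)   # assumption: 07:00-19:59 is on-shift
SPIKE_FACTOR = 3.0              # assumption: 3x the user's own median day
MIN_DAILY_FOR_SPIKE = 10        # assumption: ignore spikes on tiny baselines


def build_sample_log():
    """Constructed audit events (timestamp, user, user_dept, patient_id,
    patient_dept). Not real data."""
    events = []
    start = datetime(2015, 11, 2, 9, 0)
    # nurse01: five ordinary days of four oncology charts, then a day of 25.
    for day in range(5):
        for i in range(4):
            events.append((start + timedelta(days=day, minutes=15 * i),
                           "nurse01", "oncology", f"P10{i:02d}", "oncology"))
    for i in range(25):
        events.append((start + timedelta(days=5, minutes=5 * i),
                       "nurse01", "oncology", f"P2{i:03d}", "oncology"))
    # clerk02: three billing charts a day, plus one cardiology chart at 02:10.
    for day in range(6):
        for i in range(3):
            events.append((start + timedelta(days=day, minutes=20 * i),
                           "clerk02", "billing", f"P30{i:02d}", "billing"))
    events.append((datetime(2015, 11, 5, 2, 10),
                   "clerk02", "billing", "P4001", "cardiology"))
    return events


def detect_anomalies(events):
    """Return (kind, user, when, detail) findings for human review."""
    findings = []
    per_user_day = defaultdict(lambda: defaultdict(int))
    for ts, user, user_dept, patient_id, patient_dept in events:
        per_user_day[user][ts.date()] += 1
        # Pattern 1: chart belongs to a department the user does not work in.
        if patient_dept != user_dept:
            findings.append(("cross_department", user, ts.isoformat(),
                             f"{patient_id} in {patient_dept}"))
        # Pattern 2: access outside the user's working hours.
        if ts.hour not in BUSINESS_HOURS:
            findings.append(("after_hours", user, ts.isoformat(), patient_id))
    # Pattern 3: a day far above the user's own baseline. The comparison is
    # self-relative, so a busy ICU nurse is not measured against a billing clerk.
    for user, days in per_user_day.items():
        for day, count in days.items():
            others = [c for d, c in days.items() if d != day]
            if not others:
                continue
            baseline = statistics.median(others)
            if count >= MIN_DAILY_FOR_SPIKE and count > SPIKE_FACTOR * baseline:
                findings.append(("volume_spike", user, day.isoformat(),
                                 f"{count} accesses vs median {baseline:g}"))
    return findings


if __name__ == "__main__":
    for finding in detect_anomalies(build_sample_log()):
        print(*finding, sep="\t")
```

Run against the constructed log it reports one finding of each kind: nurse01’s 25-chart day, and clerk02’s 02:10 look at a cardiology patient (flagged twice, once for the hour and once for the department). The thresholds are deliberately crude; the point is that every comparison is against the user’s own pattern, which is what manual chart-by-chart auditing cannot do at scale.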


Termination Processes & Controls

• Lessons from Triple S
  – Former employees used privileged access to a database of Medicare enrollees to steal PHI
  – No process in place to manage when employees separated or access was no longer required
• Administrative processes for employee terminations
• Technical controls to align HR actions with system permissions & audit
• Suspend accounts that have no log-on activity
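The two technical controls on this slide, aligning HR separations with system access and suspending accounts with no log-on activity, reduce to a reconciliation job. The script below is an added example, not code from the CynergisTek deck or from Triple S: it joins a constructed HR roster with a constructed directory export and produces an ordered action list. The 30-day dormancy threshold, the field layout and the urgency ranking are assumptions.

```python
"""Reconcile directory accounts against the HR roster and log-on history.

Added example, not code from the CynergisTek deck. It flags three things:
accounts still enabled after HR recorded a separation (and whether they were
used after that date, the Triple S failure mode), enabled accounts with no HR
owner at all, and accounts with no log-on inside DORMANT_DAYS. Data is
constructed; the threshold and field layout are assumptions.
"""
from datetime import date

DORMANT_DAYS = 30  # assumption: no log-on in 30 days means suspend

# Constructed HR roster: user -> (status, separation_date or None)
HR_ROSTER = {
    "jdoe":        ("active", None),
    "asmith":      ("separated", date(2015, 10, 15)),
    "contractor7": ("active", None),
    "bwong":       ("active", None),
}

# Constructed directory export: user -> (enabled, last_logon or None, privileged)
ACCOUNTS = {
    "jdoe":        (True, date(2015, 11, 30), False),
    "asmith":      (True, date(2015, 11, 20), True),   # still enabled after separation
    "contractor7": (True, date(2015, 9, 1),   False),  # no log-on for months
    "bwong":       (True, None,               False),  # never logged on
    "svc_legacy":  (True, date(2015, 11, 28), True),   # no HR owner at all
    "old_intern":  (False, date(2015, 6, 1),  False),  # already disabled, ignore
}

ASSESSMENT_DATE = date(2015, 12, 4)   # the deck's date, used as "today"


def reconcile(hr_roster, accounts, today):
    """Return a list of (user, action, reason), most urgent first."""
    actions = []
    for user, (enabled, last_logon, privileged) in accounts.items():
        if not enabled:
            continue                      # already off, nothing to do
        tag = " [privileged]" if privileged else ""
        record = hr_roster.get(user)
        if record is None:
            # Enabled account HR does not know about: service account, hand-added
            # contractor, or a leftover. Someone has to own it before it stays.
            actions.append((user, "review_orphan",
                            "enabled account with no HR record" + tag))
            continue
        status, separated_on = record
        if status == "separated":
            reason = f"separated {separated_on.isoformat()}"
            if last_logon is not None and last_logon > separated_on:
                # Access outlived employment: this is what the Triple S case shows.
                reason += f"; logged on {last_logon.isoformat()} after separation"
            actions.append((user, "disable_now", reason + tag))
            continue
        if last_logon is None:
            actions.append((user, "suspend_dormant", "never logged on" + tag))
        elif (today - last_logon).days > DORMANT_DAYS:
            actions.append((user, "suspend_dormant",
                            f"last log-on {last_logon.isoformat()}, "
                            f"{(today - last_logon).days} days ago" + tag))
    urgency = {"disable_now": 0, "review_orphan": 1, "suspend_dormant": 2}
    actions.sort(key=lambda a: (urgency[a[1]], a[0]))
    return actions


def run_sample():
    """Run the reconciliation over the constructed data."""
    return reconcile(HR_ROSTER, ACCOUNTS, ASSESSMENT_DATE)


if __name__ == "__main__":
    for user, action, reason in run_sample():
        print(f"{action:16} {user:14} {reason}")
```

In practice the roster and account export come from the HR system and the directory (an LDAP or Active Directory dump with last-logon attributes), and the job runs daily so the gap between a separation and a disabled account is hours, not weeks; the post-separation log-on check doubles as an audit finding for the termination process itself.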

Managing Vendors

Vendor Security Life Cycle

• Requirements Definition
• Pre-Contract Due Diligence
• Contract Security Specifications
• Performance Monitoring
• Breach Notification
• Contract Termination
• Documentation

Life-cycle diagram: Define → Select → Contract → Monitor → Terminate


Defining Requirements

• Examine Scope of Effort
• Determine What Level of Minimum Necessary
• Identify Security Requirements
• Develop SLAs for Security
• Incorporate into RFI, RFP and/or SOW
• Classify Vendor


Due Diligence: Pre-Contract

• Tailor requests to scope of contract
• Security standard followed
• Include security questionnaire
• Request documentation
• Review third party assessments
• Proof of Training
• Conduct site visit
• Security Incident history


Contract Security Specifications

• Define expectations, material changes, subcontractors
• Minimum Necessary
• Transmission, storage & processing
• Incident response
• Audit/monitoring
• Reporting requirements
• Contingency operations


Maintenance

• For contracts lasting more than 6 months
• Periodic audits of key processes
• Testing of contingency plans/operations
• Renewal of third party assessments


Breach Notification

• Timeliness of notifications
• Assistance in investigation/risk assessment
• Indemnification for certain costs
• Notifications to public


Contract Termination

• Termination for cause vs. end of contract
• Disposition of data if in receipt
• User/system access
• Reminder of Minimum Necessary
• Other continued responsibilities

Medical Device Security

Devices Threaten Safety & Information

• 2010: successful hacks of an insulin pump & ICD.
• 2013: DHS tested 300 devices from 40 vendors. ALL failed.
• 2014: Multiple variants of a popular blood pump hacked.
• 2015: MedJack hack shows vulnerability of network from medical devices.
• 2015: FDA recalls Hospira pumps due to cybersecurity vulnerability

“Yes, Terrorists could have stopped Dick Cheney’s heart.” – The Washington Post

In 2015 we are no closer…


Malware & Advanced Persistent Threats

• 3.4 million BotNets identified
• 20-40% of recipients in phishing exercises fall for the scam
• 26% of malware delivered via HTML; one in less than 300 emails infected
• Malware analyzed was found undetectable by nearly 50% of all anti-virus engines tested
• As of April 2014 Microsoft no longer provides patches for Windows XP, Windows 2003, Windows 2000, NT, etc.
• EOL systems still prevalent in healthcare networks
• Hardening, patching, configuration, change management…all critical

“FBI alert warns healthcare not prepared”

Sources: various Symantec, IBM and Solutionary annual threat reports
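The slide’s point about end-of-life systems is only actionable if you know which hosts they are and which ones matter most. As an added example (not code from the CynergisTek deck), the script below turns a constructed asset inventory into a prioritized list of hosts whose operating system no longer receives vendor security fixes, ranking by network zone, PHI presence and whether the host is a medical device (where patching is vendor-gated and compensating controls are the realistic answer). The inventory lines, the zone weights and the scoring are constructed; the end-of-support table is illustrative and the real dates must be taken from the vendor’s lifecycle pages.

```python
"""Flag end-of-support operating systems in a constructed asset inventory.

Added example, not code from the CynergisTek deck. Parses a CSV-style
inventory export, looks each OS up in an end-of-support table, and ranks
unsupported hosts by exposure so the hardening/compensating-control work
starts where a missing patch hurts most. All data here is constructed; the
EOL dates are illustrative and must be verified against vendor lifecycle pages.
"""
from datetime import date

# Illustrative end-of-support dates (assumption; verify with the vendor).
END_OF_SUPPORT = {
    "windows nt 4.0":      date(2004, 12, 31),
    "windows 2000":        date(2010, 7, 13),
    "windows xp":          date(2014, 4, 8),
    "windows server 2003": date(2015, 7, 14),
}

# Constructed inventory export: hostname,os,role,phi,network_zone
INVENTORY = """\
hostname,os,role,phi,network_zone
infusion-ctl-12,Windows XP,medical device,yes,clinical
pacs-archive,Windows Server 2003,server,yes,datacenter
lab-analyzer-3,Windows 2000,medical device,yes,clinical
kiosk-lobby,Windows XP,workstation,no,public
ehr-db-01,Windows Server 2012,server,yes,datacenter
legacy-print,Windows NT 4.0,server,no,internal
"""

# Constructed exposure weights: zones reachable by more people rank higher.
ZONE_WEIGHT = {"public": 3, "clinical": 2, "internal": 1, "datacenter": 1}

ASSESSMENT_DATE = date(2015, 12, 4)   # the deck's date, used as "today"


def parse_inventory(text):
    """Parse the header-led CSV export into a list of dicts."""
    lines = text.strip().splitlines()
    header = lines[0].split(",")
    return [dict(zip(header, line.split(","))) for line in lines[1:]]


def find_unsupported(rows, today):
    """Return (hostname, os, days_unsupported, priority) for every host whose
    OS is past end of support, highest priority first."""
    out = []
    for row in rows:
        eol = END_OF_SUPPORT.get(row["os"].strip().lower())
        if eol is None or eol > today:
            continue                      # not in the table, or still supported
        days = (today - eol).days
        priority = ZONE_WEIGHT.get(row["network_zone"], 1)
        if row["phi"] == "yes":
            priority += 2                 # PHI present: breach, not just outage
        if row["role"] == "medical device":
            priority += 1                 # vendor-gated patching, needs isolation
        out.append((row["hostname"], row["os"], days, priority))
    out.sort(key=lambda r: (-r[3], -r[2]))
    return out


def run_sample():
    """Run the check over the constructed inventory as of ASSESSMENT_DATE."""
    return find_unsupported(parse_inventory(INVENTORY), ASSESSMENT_DATE)


if __name__ == "__main__":
    for host, os_name, days, prio in run_sample():
        print(f"prio {prio}  {host:18} {os_name:22} unsupported {days} days")
```

The output puts the two PHI-bearing medical devices on the clinical network first, the public-facing kiosk next, then the PACS archive and the orphan print server; the supported Server 2012 host is not listed. Feeding a real inventory through the same logic also exposes the other problem the deck raises elsewhere, that inventories are often badly out of date: hosts the scan finds but the inventory lacks are findings in their own right.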


Manage Medical Device Security Risk

• Part of an Enterprise Information Security Risk Management Program
• Manufacturer Disclosure Statement for Medical Device Security (MDS2)
• FDA Guidance: Software updates for cybersecurity do not require pre-market review or recall (there are some exceptions)

Mobile Risks & Concerns

Embracing Mobility of Data

• Medical staff are turning to their mobile devices to communicate because it’s easier, faster, more efficient…but it is not secure
• Sharing lab results, locating another physician for a consult, sharing radiology images, updating staff on patient condition, getting direction for treatment, transmitting trauma information to EDs, prescribing or placing orders
• Priority placed on the data first and the device second
• Restrict physical access where possible, encrypt the rest


Mobile Device Risks

• Mobile devices are easily lost, stolen, or discarded with e-PHI on them
• Onboard cameras can be improperly used to record PHI
• No physical keyboard limits use of complex passwords
• Can easily transfer or store PHI from enterprise network
• Easy access to Facebook, Twitter, and other social media that allows unauthorized disclosure of PHI


Mobile App Security Concerns

• Mobile apps have opened a huge number of security problems which have caught many companies unaware
  – Starbucks app stored its passwords in clear text
  – Walgreens encouraged shoppers to take pictures of prescription labels… then those images were saved so anyone could see them
  – Delta Airlines app encrypted passwords but it also saved its encryption key on the device in clear text


Theft & Losses Thriving

• 57% of data breaches reported to OCR due to loss or theft of devices
• 1 in 4 houses is burglarized, a B&E happens every 9 minutes, more than 20,000 laptops left in airports
• First rule of security: no one is immune
• 29 million records exposed 2010-13
• Over 100 million records exposed 2014-15
• 6 – 10%: the average shrinkage rate for mobile devices
• Typical asset inventories are off by 60%

“That’s a big number because it’s meant to drive home the point that unencrypted laptops and mobile devices pose significant risk to the security of patient information.” – Sue McAndrew, OCR


Design Effective Strategy

• Identify mobile application needs
• Integrate into information security risk analysis
• Design risk management strategy
• Obtain business associate agreements if necessary and perform due diligence/vendor management
• Document compliance with the HIPAA Privacy and Security Rules
• Assure compliance with any posted privacy policy and terms of use agreement


Handling PHI

• Identify mobile devices/apps that handle PHI
  – What devices/apps create PHI? (wearable devices, diagnostic apps)
  – What devices/apps receive PHI? (email, EHR portals, vendor modified OTS devices)
  – What devices/apps maintain PHI? (removable storage media, cloud email/storage)
  – What devices/apps transmit PHI? (texting, email, cellular/WiFi transmitted data)


Covered by HIPAA?

• Health Plan Server – Covered
• Physician Tablet – Covered
• Patient Device – Not Covered

Mobile Device References

• NIST Special Publication 800-124 – “Guidelines for Managing the Security of Mobile Devices in the Enterprise”
  – http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-124r1.pdf
• NCCOE Mobile Device Security & Cloud Hybrid Builds: https://nccoe.nist.gov/projects/building_blocks/mobile_device_security
• ENISA report – “Smartphones: Information security risks, opportunities, and recommendations for users”
  – http://bit.ly/1wWmEsw (enisa.europa.eu)

Priorities For Healthcare

• Implement continuous program of risk assessment and management
• Increase knowledge of threat actors
• Maintain current environment
• Improve detection and reaction capabilities
• Implement data exfiltration controls
• Enhance user education and accountability
• Implement active vendor security management
• Address long term challenges around medical devices
• Plan for incidents

Questions?

David Holtzman
[email protected]
512.405.8550 x7020
@HITprivacy