Page 1

The Healthcare Threat Challenge

HealthcareSecurityForum.com/Boston/2017 #HITsecurity

SEPTEMBER 11–13, 2017, BOSTON, MA

Page 2

• Know Your Threat

• Know Your Risk

• Build Your InfoSec Program

• Q&A

Page 3

Know Your Threat

Page 4

Know Your Threat:

Ransomware

Page 5

Page 6

Chart: Overall 40%; HC (healthcare) 36%

Page 7

Know Your Threat:

Page 8

Top 15 - All Time Breaches

• Yahoo (2013-2014) – 1.5B accounts compromised in total

• Adult Friend Finder (Oct 2016) – 20 years of data from six databases compromised

• eBay (May 2014) – 145M users impacted

• Heartland Payment Systems (Mar 2008) – 134M credit cards exposed, $145M in compensation paid out

• Target Stores (Dec 2013) – 40M credit cards stolen, 70M customers' PII stolen

• TJX Companies (Dec 2006) – 94M credit cards exposed

• JP Morgan Chase (July 2014) – 76M households, 7M small businesses impacted

• US Office of Personnel Management (2012-2014) – 22M federal employees' records

Know Your Threat

Page 9

Top 15 - All Time Breaches

• Sony PlayStation Network (Apr 2011) – 77M PlayStation accounts hacked; $15 million class action settlement

• Anthem – Blue Cross (Feb 2015) – 78.8M personal data records compromised

• RSA Security (Mar 2011) – SecurID token seed data stolen, affecting an estimated 40M tokens

• Stuxnet (discovered 2010, origins dating to 2005) – malware designed to target only Siemens SCADA systems; damaged centrifuges in Iran's nuclear enrichment program

• Verisign (2010) – never publicly announced; “access was gained to information on a small portion of computers and servers”

• Home Depot (Sept 2014) – 56M customers, $161M in compensation

• Adobe (Oct 2013) – 3M encrypted customer credit card records, plus login data

Know Your Threat

Page 10

Know Your Threat:

Ransomware

Page 11

• More than 4,000 ransomware attacks have occurred every day since the beginning of 2016 (a 300% increase over 2015)

• Global ransomware damage costs are predicted to exceed $5 billion in 2017 (a 15X increase in 2 years)

• Cybersecurity spend to exceed $1 trillion cumulatively from 2017 to 2021

• Cybercrime damage costs to hit $6 trillion annually by 2021

• Cybercrime will more than triple the number of unfilled cybersecurity jobs, predicted to reach 3.5 million by 2021

• Human attack surface to reach 4 billion people by 2020

• The number of IoT devices will surpass the number of people on the planet by the end of the year

CSO Online; Barkly Blog

Know Your Threat

Page 12

Know Your Risk

Page 13

5 Point Plan to Risk Management

1. Know your security landscape!

2. Conduct comprehensive Outside/Inside Security Testing / HIPAA Security Assessment

3. Establish a Vulnerability and Patch Management Program

4. Create a Data Security Management Plan

5. Implement Security Monitoring and Management

Page 14

How do you address sophisticated threats?

1) Know your security landscape

• Security visibility, clarity, and control across the landscape

• Is your technology and process working for you?

Security Framework

• PROTECT

• DETECT

• REACT

Page 15

The Problem – Complex Security Landscape

• Complex security architecture and “security sprawl”

• Too many vendors to manage

• Too many consoles to monitor

• Technology does not provide unified visibility

• Complexity increases risk and cost

• Does your $ in security actually make you more secure?

Page 16

Security Landscape Optimization

Page 17

How do you address sophisticated threats?

2) Comprehensive Outside/Inside Security Testing

• Ethical Hacking (fixed and wireless)

• Security Configuration Review

• Social Engineering Testing – Employee Awareness

• Organization and Policy Review

• For healthcare, step 2 also includes a HIPAA Security Assessment

Security Framework

• PROTECT

• DETECT

• REACT

Page 18

Am I Susceptible to an Outside Attack?

Can My Internal Systems be Breached, Are They Already?

Can my Employees or Process be Compromised?

Security Health Check

• Vulnerability Scanning

• Ethical Hacking

• Wireless Security Testing

• Comprehensive SysConfig Review

• Server and Application

• Employee Awareness (Phishing)

• Organization & Policy Health

• Security Awareness Training

Security Health Report

• Complete report of all vulnerabilities

• Industry Scoring of vulnerabilities

• Active Directory risk summary

• Configuration risk summary

• Executive Risk Summary

• Remediation recommendations

3 Pillars of Security Management: Protect, Detect, and React

Security Health: Be Prepared with “Protect, Detect, and React”
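The step that turns scanner output into the Security Health Report items above (industry scoring of each vulnerability, a prioritized remediation list, and an executive risk summary), as an added example that is not code from the presentation or from Connection. It scores findings with the CVSS v3.x qualitative severity bands; the findings themselves, the per-severity remediation SLAs, the assessment date and the extra weight given to Internet-exposed findings are assumptions made for illustration.

```python
"""Turn raw vulnerability-scan findings into the items a Security Health
Report lists: an industry score per finding (CVSS v3.x qualitative bands),
a prioritized remediation list with due dates, and an executive summary.

Added example, not code from the presentation. The findings, the
remediation SLAs, the assessment date and the exposure weighting are
assumptions made for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# CVSS v3.x qualitative severity rating scale (FIRST), highest floor first.
_BANDS = ((9.0, "Critical"), (7.0, "High"), (4.0, "Medium"), (0.1, "Low"))

# Assumed patch-management policy: days allowed to remediate per severity.
SLA_DAYS = {"Critical": 7, "High": 30, "Medium": 90, "Low": 180}

# Assumed date the outside/inside test was run (hypothetical).
ASSESSMENT_DATE = date(2017, 9, 11)


def cvss_band(score):
    """Map a CVSS v3.x base score (0.0-10.0) to its qualitative rating."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS base score out of range: {score}")
    for floor, name in _BANDS:
        if score >= floor:
            return name
    return "None"


@dataclass(frozen=True)
class Finding:
    host: str
    title: str
    cvss: float
    external: bool         # reachable from the Internet (found by the outside test)
    patch_available: bool  # a vendor fix exists

    @property
    def severity(self):
        return cvss_band(self.cvss)

    def priority(self):
        """Urgency score: CVSS plus an assumed +2.0 for Internet exposure."""
        return self.cvss + (2.0 if self.external else 0.0)


def prioritize(findings, today=ASSESSMENT_DATE):
    """Actionable findings, most urgent first, each with its SLA due date."""
    actionable = [f for f in findings if f.severity != "None"]
    actionable.sort(key=lambda f: (-f.priority(), f.host, f.title))
    return [(f, today + timedelta(days=SLA_DAYS[f.severity])) for f in actionable]


def executive_summary(findings):
    """Counts and coverage figures for the executive risk summary page."""
    counts = {name: 0 for _, name in _BANDS}
    counts["None"] = 0
    for f in findings:
        counts[f.severity] += 1
    actionable = [f for f in findings if f.severity != "None"]
    with_patch = sum(1 for f in actionable if f.patch_available)
    exposed = sum(1 for f in actionable
                  if f.external and f.severity in ("Critical", "High"))
    return {
        "total": len(findings),
        "by_severity": counts,
        "patch_available_pct": round(100 * with_patch / len(actionable)) if actionable else 100,
        "external_high_or_critical": exposed,
        "hosts_affected": len({f.host for f in actionable}),
    }


# Constructed sample findings (not real scan output); scores are illustrative.
SAMPLE = [
    Finding("web-01", "Outdated TLS library", 7.5, True, True),
    Finding("web-01", "Directory listing enabled", 5.3, True, False),
    Finding("pacs-02", "SMBv1 enabled", 9.8, False, True),
    Finding("hr-03", "Informational banner", 0.0, False, False),
    Finding("dc-01", "Kerberoastable service account", 8.1, False, False),
]

if __name__ == "__main__":
    for f, due in prioritize(SAMPLE):
        print(f"{f.severity:8} {f.host:8} {f.title:32} fix by {due}")
    print(executive_summary(SAMPLE))
```

The ordering shows why the outside test matters: the Internet-facing High on web-01 is scheduled ahead of the internal High on the domain controller, while the Critical SMBv1 finding on the imaging server stays first regardless of exposure. The executive figures (share of findings with a vendor patch, Internet-exposed High/Critical count, hosts affected) are what the patch-management program is measured against.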

Page 19

Build Your INFOSEC Program

Page 20

Security Risk Framework: Securing a Mobile, Interaction-Driven, Connected Customer Experience

The Modern Security Platform is an always-on, seamlessly-delivered, full visibility security safety net to protect the organization and customers.

PROTECT DETECT REACT

PEOPLE PROCESS TECHNOLOGY

Page 21

Build a comprehensive security program?

Page 22

InfoSec Program Document Guidance

• Organization of information security

• Authentication and Privilege Management

• Security Policy and Management

• Communication and Operations Management

• Personnel Security

• Physical Security

• Asset Management

• Identity and Access Management

• Roles and Responsibilities

• System Architecture and Integrity

• Application Security

• Data Security Management

• Systems Security Management

• Vulnerability Management

• Security Risk Governance

• Security Incident Management

• Disaster Recovery

• Business Continuity

• Security Education and Awareness

• Audit and Compliance Management

Build Your InfoSec Program

Page 23

Page 24

Page 25

Stephen Nardone

Connection

@CNXN_Nardone

HealthcareSecurityForum.com/Boston/2017 #HITsecurity