virencehealth.com
What does “Cybersecurity” Really Mean in Healthcare?
Bob Fruth – Principal Product Security Leader, Virence – November 10, 2018
Agenda – What does “Cybersecurity” Really Mean In Healthcare?
1. Introduction
2. Virence Cybersecurity
3. What keeps Bob up at night (& what doesn’t)
4. What you can do
5. Summary / Resources / Q&A
Introduction
Who is Bob Fruth?
19+ Years at Microsoft
• Involved in numerous product & service releases – most recently as the Security & Privacy Program Manager for the Bing.com search engine
• 6+ years in Trustworthy Computing – internal security advisor
• 8 years on Windows – focused on kernel
• Edited & published 3 major updates to the Microsoft Crypto Standards
• Wrote several Security Development Lifecycle (SDL) requirements
Before Microsoft – positions at several companies on multiple products, including several that defined and/or led markets
Now at Virence Health, protecting medical data one record at a time… (& ALL of them…)
What is Cybersecurity?
“The protection of computer systems from theft of or damage to their hardware, software or electronic data, as well as from disruption or misdirection of the services they provide.” [Source – Wikipedia.org]
Also known as –
• Computer Security
• IT Security
• Internet Security
What does Healthcare Cybersecurity care about?
Providing CIA for data at all times
• Confidentiality – Data is secure; only available to people/systems/processes who are authorized to access it
• Integrity – Data is changed only by people/systems/processes authorized to modify/delete it
• Availability – Data is available when and where needed
The Security Practitioner’s Mindset
Assume the worst case
Verify everything
Be vigilant – monitoring, etc.
Practice transparency to the greatest extent possible
Share sensitive information on a need-to-know basis
• Examples – threat models, network diagrams, security testing reports
Encourage & practice responsible disclosure
Get the straightforward stuff done promptly
• Examples – monthly patching, keeping signatures up-to-date, etc.
Make informed risk-based decisions
Virence Cybersecurity
Virence Secure Product Development
Focused on Key Risk areas: Service Security, Separation of Data, Regulatory Compliance
Secure by Design
✓ Design with security in mind
✓ Threat Modeling
✓ Security Risk & Privacy Impact Assessments
✓ Principle of Least Privilege applied throughout
Secure by Default
✓ Secure coding practices
✓ Clean static analysis reports
✓ Code reviews
✓ Security Testing / Penetration Testing
Secure in Deployment
✓ All deployed services are regulatory compliant
✓ Security Operations Centers – 24x7 Monitoring
✓ Enable secure on premise deployments
Security Throughout the Product Lifecycle
✓ Dedicated Product Security Leader
Virence Cybersecurity – Proactive Activities
Cybersecurity Policy – ownership
Security / Privacy best practices –
• Secure design & development
• Security testing – internal & 3rd party
• Secure operations – own jointly with DevOps
Certifications (e.g. HITRUST)
Outreach
• Partners
• Conferences
• Customer materials – white papers, etc. (coming in 2019)
Virence Cybersecurity – Reactive Activities
Incident Response –
• Virence is a 24x7x365 company
• Work closely with partners, e.g. Microsoft
Actively monitor worldwide security ecosystem for vulnerabilities and trends
• US-CERT
• The “Dark Web”
Customer inquiries
Partner inquiries
Cybersecurity – What We Provide
Policies, guidance and best practices
Holding Virence product teams accountable
Transparency to the greatest extent possible without creating a 0-day
Focal point for Certifications
Help Product Teams prepare customer facing materials
• Product documentation
• Responses to questionnaires
• White Papers
Customer interactions
Cybersecurity – What We Won’t Provide
Direct consulting to customers or partners
Direct review of customers’ network/environment
Opinions on other vendors’ products, VBC add-ons, security tools, etc.
Sensitive product/service information
Anything that compromises legal, regulatory or ethical responsibilities
What keeps Bob up at Night & What Doesn’t
What keeps Bob up at Night
Customers’ on premise networks
• Virence doesn’t own
• Virence doesn’t control
• I have to assume the worst…
Sleeplessness due to User-Focused Attacks
Phishing
Spear-Phishing
Social Engineering
⇒ Impactful threat vectors
Tendency to blame the user instead of the technology and/or the lack of usability
What keeps Bob up at Night
The Internet of Things…
“Let’s connect everything to the network!”
• Potentially without segmentation or airgaps
“Then we’ll connect the network to the Internet”
What could possibly go wrong?
“The Internet of Ransomware Things”
Copyright 2018 Robert C. Fruth
What keeps Bob up at Night
Technology distracting Healthcare providers from focusing on patient care
Uninformed decisions
Missed opportunities –
• Not learning from others’ experiences
• Failure to heed warning signs, e.g. WannaCry
The “Next WannaCry” costs Bob sleep
WannaCry –
• Medium impact to the Internet
• Compare with SQL Slammer or Heartbleed
• Preventable – if you were fully patched, you weren’t impacted
My concerns regarding the “Next WannaCry” –
• Will our customers be prepared?
• Ensure that Virence has timely response capabilities
What keeps Bob up at Night
Driving security into Virence products & services
Secure by default vs. compatibility
• Example – encryption of CPS database
Supporting older versions of our products
“I’m too busy to …”
But what about the Cloud?
Well, what about it?
The Cloud doesn’t keep Bob up at Night
Cloud deployments transfer risk to the Cloud providers
Consider Microsoft’s nightmare scenarios for Azure –
• Failure of Tenant Separation
• Data alteration / disclosure
• Denial-of-service
Microsoft has a lot of people losing sleep over the above, so Virence and Virence customers don’t have to :-)
More Things that don’t cost Bob sleep…
Healthcare privacy awareness
• Healthcare folks – IT, providers, etc. – understand privacy
• Privacy conversations at Virence are short; they can be lengthy at non-healthcare technology firms…
Partners & vendors that Virence works with
• Development partners
• Integration partners
• Security testing firms
What You Can Do
Define Realistic Goals
Technology / Cybersecurity fully support the medical mission
Regulatory compliance maintained
End user frustration level is low
IT resiliency is built in
IT folks are bored and sleep well at night (no 3am phone calls)
Deploy and Maintain Secure Networks
Firewalls
• Close all ports by default
• Open only what is needed
Leverage new and not-so-new technologies
• Active Directory (LDAP)
• Certificate Management
• Security Groups
Deploy & Maintain Secure Systems
Systems tuned to specific purposes
No extraneous software!
• No browsers on servers
• Nothing on systems used for domain management
• End users’ client systems have what they need and nothing more
All systems kept fully patched
All systems scanned regularly with updated AV/AM software
Deploy and Maintain Secure Environments
Segment & air gap intelligently
Encryption throughout
• TLS is your friend
• Encrypted storage
Test Backup & Restore capabilities regularly
• Automated backups are a plus
Consider Threat Modeling your environment / network topology
Only use Supported Versions
Only deploy supported OS versions
• Windows XP?
• NO!!
Regularly upgrade to latest versions of applications (including Virence’s)
Define & Follow Procedures
Upgrades
Change requests
Exception requests and approvals
Monitoring
Emergencies
• Know what you need to do before you need to do it
• Containment procedures
• Escalation & Notifications paths – who to notify? What to tell them?
• Emergency changes
Learn from Others
Leverage best practices
In response to a breach / incident, ask “why weren’t we impacted?”
Example from Healthcare IT News – “How not to handle a data breach brought to you by Uber, Equifax and many others”
• Equifax –
• Failure to patch Apache Struts
• Attempted to blame Apache
• Email from official account sent users to a phishing site!
• Uber – paid $100K to hackers to keep a breach secret
• Others – glossed over the truth / lack of transparency
User Management
Enabling vs. Managing
Apply Principle of Least Privilege / Role Based Access Controls
• Grant permissions as needed
Mandate complex passwords
• Consider deploying a password manager
Whatever you do, don’t blame users!
• Victim blaming doesn’t solve anything
• Assess related misunderstanding & take positive action
Education & enabling are key
Educate Your Users
Build a security culture
Conduct Phishing exercises to build awareness
“15 Examples of Phishing Emails from 2016-2017”
(https://www.edts.com/edts-blog/15-examples-of-phishing-emails-from-2016-2017)
• False urgency
• “You missed…”
• “Your account has been suspended/locked…”
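The three phishing cues listed above can be turned into a simple triage rule for awareness exercises. This is an added example, not part of the original deck; the regex patterns, weights, threshold and sample messages are all constructed for illustration.

```python
import re

# Indicator patterns for the three cues from the slide (false urgency, "You missed...",
# "Your account has been suspended/locked..."). Weights are assumptions for this example.
INDICATORS = {
    "false_urgency": (re.compile(r"\b(immediately|within \d+ hours?|urgent|act now|final notice)\b", re.I), 2),
    "you_missed": (re.compile(r"\byou (have )?missed\b", re.I), 1),
    "account_locked": (re.compile(r"\baccount (has been |is )?(suspended|locked|disabled)\b", re.I), 2),
}
THRESHOLD = 3  # assumed cut-off: flag a message when its summed weights reach this value

def score_message(subject, body):
    """Return (score, list of indicator names that matched) for one message."""
    text = f"{subject}\n{body}"
    hits = [name for name, (pattern, _) in INDICATORS.items() if pattern.search(text)]
    score = sum(INDICATORS[name][1] for name in hits)
    return score, hits

def triage(messages):
    """Score each message dict (id, subject, body) and mark those at or above THRESHOLD."""
    results = []
    for msg in messages:
        score, hits = score_message(msg["subject"], msg["body"])
        results.append({"id": msg["id"], "score": score, "hits": hits, "flagged": score >= THRESHOLD})
    return results

# Constructed sample messages: two phishing-style lures and two routine notices.
SAMPLE_MESSAGES = [
    {"id": "m1", "subject": "Action required: your account has been suspended",
     "body": "Log in within 24 hours to restore access."},
    {"id": "m2", "subject": "You missed a secure message",
     "body": "Click here immediately to view it."},
    {"id": "m3", "subject": "Clinic staff meeting agenda",
     "body": "Notes from Tuesday's meeting are attached. No action needed."},
    {"id": "m4", "subject": "Password expiry reminder",
     "body": "Your password expires in 14 days; change it via the usual portal."},
]

if __name__ == "__main__":
    for r in triage(SAMPLE_MESSAGES):
        print(r["id"], r["score"], "FLAGGED" if r["flagged"] else "ok", r["hits"])
```

Keyword cues like these are a teaching aid for awareness drills, not a substitute for mail-gateway filtering; the legitimate reminder (m4) shows why the threshold matters.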
Plan Ahead
Recognize that upgrades are necessary
• Plan & budget accordingly
• New features!
• Other improvements that aren’t as obviously apparent
Don’t underbudget / underfund IT
“If it ain’t broke, don’t fix it” – doesn’t apply in Cybersecurity
“If it ain’t broke now, it may/will be in the foreseeable future…”
Summary / Resources / Q&A
Conclusions
No one is ever “done” with cybersecurity
There are no “silver bullets”
• There are best practices that significantly reduce risk
The scope can be daunting; attackers only need to find one vulnerability
Leverage The Security Practitioner’s Mindset
Assume the worst case
Verify everything
Be vigilant
Practice transparency to the greatest extent possible
Share sensitive information on a need-to-know basis
Encourage & practice responsible disclosure
Get the straightforward stuff done promptly
Make informed risk-based decisions
Apply common sense
Resources
US-CERT – https://www.us-cert.gov/
• “Avoiding Social Engineering and Phishing Attacks” – https://www.us-cert.gov/ncas/tips/ST04-014
HITRUST
• Virence Press Release – https://www.businesswire.com/news/home/20181105005072/en/Virence-Health-Technologies-Achieves-HITRUST-CSF%C2%AE-Certification
• HITRUST – https://hitrustalliance.net/
Resources
General Secure Development Resources
• Microsoft SDL – https://www.microsoft.com/sdl
• Application Security – OWASP – https://www.owasp.org/index.php/Main_Page
Threat Modeling
• My talk at BSides Vancouver 2015 – https://www.youtube.com/watch?v=EClmWcRESP8
• Threat Modeling Book – Threat Modeling: Designing for Security
Thank you!
Robert “Bob” Fruth
Principal Product Security [email protected] (subject to change)
206-607-5123
Backup Materials
Abstract
What does “Cybersecurity” Really Mean In Healthcare?: The term “Cybersecurity” appears in news headlines every day. But what does this buzzword mean for you and your practice? In this session learn what “cybersecurity” really looks like for an ambulatory practice and walk away from this session with tips and tricks that you can put in place to help ensure the cybersecurity of your practice. While the technology you use plays a big part in this, it’s also important to create a culture where data is used correctly. This session will address technological, practical and cultural aspects of what cybersecurity looks like for an ambulatory practice. Note: This session will be given by a GE Healthcare/NewCo Cybersecurity expert.
Speaker Biography
Bob Fruth has been involved with more successful product and service releases than he cares to remember. After many successful years in Silicon Valley, Microsoft brought him to Seattle. While at Microsoft, Bob provided security guidance for most of the company’s major product teams, served on and ran the Microsoft Crypto Board and was the focal point for Bing.com security and privacy. After being recruited to focus on security and privacy at GE Healthcare, he has transitioned with the businesses to Virence Health, where he finds himself teaching security essentials and authoring needed policies, all the while worrying about protecting patient medical and financial data. In his spare time, Bob watches soccer and hockey, plays music and enjoys traveling.
Enhance care quality
“Centricity™ solutions help me unlock value in my organization in many ways. We use the EMR in a way that guides our staff down a path -- building rules into the software to help us. Using GE Healthcare products has actually helped us improve the [patient] wait time, and we are able to help our staff do the right thing.”
– Rhonda Draper, Ortho Northeast
©2018 Virence Health Technologies. All rights reserved. The contents provided herein are for information purposes only. Virence Health makes no representations or warranties as to current or future product functionality, or in any other respect, and Virence Health disclaims all liability from any reliance on the content or information provided herein.
Customer is responsible for understanding and meeting the requirements of achieving Meaningful Use and MACRA-related payment programs as applicable through use of HHS certified EHR technology and associated standards. Customer is responsible for understanding applicable Virence Health documentation regarding functionality and reporting specifications, including for Meaningful Use and MACRA-related payment programs, and for using that information to confirm the accuracy of attestation for Meaningful Use and MACRA-related payment programs. Customer is responsible for ensuring an accurate attestation is made and Virence Health does not guarantee incentive payments. Use of the product does not ensure customer will be eligible to receive payments.
Centricity Practice Solution v. 12.3 EHR Module and Centricity EMR v. 9.12 are ONC 2015 Edition compliant and have been certified by Drummond Group in accordance with certifiable action criteria. For additional certification and transparency information, visit www.gehealthcare.com/certifications.