2015 Atlanta CHIME LEAD Forum
TRANSCRIPT
A CHIME Leadership Education and Development Forum in collaboration with iHT2
What is Cyber Security and Why is it Crucial to Your Organization?
Key Attributes for Success, Challenges and Critical Success Factors
● Mac McMillan | FHIMSS/CISM | CEO | CynergisTek, Inc. ● #LEAD14
Sun Tzu & Cybercrime
“If you know the enemy, and know yourself, then you may not fear the results of a hundred battles. If you know yourself but not the enemy, for every victory gained you will suffer a defeat.”
HIMSS Cyber Security Survey: impact of security incidents (chart on slide)
• Limited Disruption to Operations: 62%
• Loss of Data/Information: 21%
• Significant Impact on IT Systems: 8%
• Damage to IT Systems: 8%
• Other Impact: 7%
Threat Actors & Their Motivation
Threat actors:
• Organized Crime
• Hacktivists
• Cyber Thieves
• Malicious Insiders
• Careless Insiders
• Busy Insiders
• State Actors
Motivations:
• Financial Gain
• Intellectual Property
• Extortion
• ID/Med ID Theft
• Espionage
• Embarrassment
• Good Intentions
Accidents, Mistakes & Deliberate Acts
• Phishing/hacking nets nearly $3M from six healthcare entities
• Vendor sells hospital’s X-rays (films) to third party
• Resident loses track of USB with over 500 orthopedic patients’ information
• Portable electronic device with patient data stolen from hospital
• Physician has laptop stolen from vacation home
• 2,200 physicians victims of ID theft/tax fraud
• Printers returned to leasing company compromise thousands of patient records
• Health system reports third stolen laptop with 13,000 patient records
• 400 hospitals’ billings delayed as clearinghouse hit with ransomware
• Children’s hospital hacked with successful DoS for three days in protest of treatment and holding of girl by Anonymous
• Physician robbed at gunpoint, phone and computer taken, thief demands passwords
• International hacking group uses phishing, then steals information on almost 80M people
• Medical devices hacked to compromise hospital networks using MedJack attack
• Seven health systems hit by phishing resulting in major breaches
• New York hospital hacked by pro-ISIS supporters, website defaced with ISIS propaganda
• And, on and on it goes…
The Emergent Threat DefCon/BlackHat 2015 Syllabus
• Medical Devices: Pwnage and Honey Pots
• Shall We Play a Game?
• USB Attack to Decrypt WiFi
• WhyMI so Sexy? WMI Attacks & Defense
• I Will Kill You
• Scared Poopless – LTE and “your” Laptop
• Confessions of a Professional Cyber Stalker
• From 0 to Pwnd – Social Engineering
• Jailbreaking & Rooting Devices
• Advanced Infrastructure Hacking
• Advanced Windows Exploitation
• Advanced Web Attacks
Significant Threats of the Future (survey chart on slide; percentages paired with labels in chart order)
• Brute Force Attacks: 34%
• Denial of Service (DoS): 39%
• Social Engineering Attacks: 49%
• Malicious Insiders: 50%
• Exploit Known Software Vulnerabilities: 53%
• Zero Day Attacks: 53%
• Cyber Attacks: 59%
• APT Attacks: 63%
• Negligent Insiders: 65%
• Phishing Attacks: 69%
Challenges To Data Security
• CISO Complexity
• Insiders
• Vendors
• Mobile Devices
• mHealth Fraud
• ID Theft
• Physical Loss/Theft
• Cyber Attacks
• Regulations
• Staffing
Increased Reliance
• More than 98% of all processes are automated, more than 98% of all devices are networkable, more than 95% of all patient information is digitized
• Hyperconnectivity dominates what we do
• IT systems and applications are critical to care delivery and business operations
• Moving to a patient-centric model will only further complicate the enterprise
Insider Abuse: Trust, But Verify
• It is estimated that more than half of all security incidents involve staff.
• 51% of respondents in a SANS study believe the negligent insider is the chief threat.
• 37% believe that security awareness training is ineffective.
• Traditional audit methods and manual auditing are completely inadequate.
• Behavior modeling, pattern analysis and anomaly detection is what is needed.
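As an added example of what the slide means by behaviour modelling and anomaly detection (this code is not from the deck or from any EHR product), the following Python scores each user's chart-access volume against their own history and flags days where most views are for patients outside the user's unit. The log format, the user/patient unit assignments, the sample events and the thresholds are all constructed assumptions for illustration.

```python
"""Insider-abuse detection over an EHR access log (added, constructed example).

Behaviour baselining plus anomaly flags over per-user record access, in place
of manual chart review. Log format, unit assignments and thresholds are
assumptions made for this example, not the deck's or any vendor's.
"""
from collections import defaultdict
from statistics import median


def build_sample_log():
    """Constructed audit events: (date, user, user_unit, patient_id, patient_unit)."""
    log = []
    # Six ordinary shifts: nurse_a opens 4-6 ICU charts a day.
    for day, n in enumerate([4, 5, 4, 6, 5, 4], start=1):
        for i in range(n):
            log.append((f"2015-10-{day:02d}", "nurse_a", "ICU", f"P1{i:03d}", "ICU"))
    # Day 7: 25 distinct charts, 20 of them patients on another unit (a snooping pattern).
    for i in range(25):
        unit = "ICU" if i < 5 else "ORTHO"
        log.append(("2015-10-07", "nurse_a", "ICU", f"P2{i:03d}", unit))
    # clerk_b: a steady 10 registrations a day on their own unit, nothing unusual.
    for day in range(1, 8):
        for i in range(10):
            log.append((f"2015-10-{day:02d}", "clerk_b", "ADMIT", f"P3{day}{i:02d}", "ADMIT"))
    return log


def daily_distinct_patients(log):
    """user -> {date: number of distinct patient charts opened that day}."""
    seen = defaultdict(lambda: defaultdict(set))
    for date, user, _uunit, patient, _punit in log:
        seen[user][date].add(patient)
    return {u: {d: len(p) for d, p in days.items()} for u, days in seen.items()}


def robust_z(value, history):
    """Median/MAD z-score: one wild day in the history does not inflate the
    baseline the way a mean/stddev baseline would."""
    med = median(history)
    mad = median(abs(x - med) for x in history)
    scale = 1.4826 * mad if mad else 1.0  # flat history: use raw distance from median
    return (value - med) / scale


def detect(log, z_threshold=3.5, min_volume=10, min_cross=5, cross_ratio=0.5):
    """Return findings: volume spikes against the user's own baseline, and days
    where most of a user's chart views are for patients outside their unit."""
    findings = []
    counts = daily_distinct_patients(log)
    for user, days in counts.items():
        dates = sorted(days)
        for date in dates:
            history = [days[d] for d in dates if d != date]  # leave-one-out baseline
            if len(history) < 3:
                continue  # too little history to call anything anomalous
            z = robust_z(days[date], history)
            if z > z_threshold and days[date] >= min_volume:
                findings.append({"user": user, "date": date, "reason": "volume_spike",
                                 "detail": f"{days[date]} charts, robust z={z:.1f}"})
    # Treatment-relationship proxy: patient on a unit the user does not work on.
    tally = defaultdict(lambda: [0, 0])  # (user, date) -> [total views, off-unit views]
    for date, user, uunit, _patient, punit in log:
        tally[(user, date)][0] += 1
        tally[(user, date)][1] += int(punit != uunit)
    for (user, date), (total, off) in tally.items():
        if off >= min_cross and off / total > cross_ratio:
            findings.append({"user": user, "date": date, "reason": "cross_unit",
                             "detail": f"{off} of {total} views outside {user}'s unit"})
    return findings


if __name__ == "__main__":
    for f in detect(build_sample_log()):
        print(f"{f['date']} {f['user']:8} {f['reason']:13} {f['detail']}")
```

Run as-is and only nurse_a on 2015-10-07 is flagged, once for volume and once for cross-unit access, while clerk_b's steady ten-a-day pattern is never flagged. A real deployment would replace the unit mismatch with the organization's own treatment-relationship data (care team, encounter, order) and tune the thresholds per role, but the two checks shown are exactly what a manual audit sample of a few records a month cannot do.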
Questionable Supply Chains
• Better inventories of vendors with PHI
• Risk-based approach to managing third parties
• Greater due diligence in vetting vendors
• Security requirements in contracting should be SLA based
• Particular attention to cloud, SaaS, infrastructure support, critical service providers
• Life cycle approach to data protection
• Detailed breach and termination provisions
Devices Threaten Safety & Information
• 2010/2011 successful hacks of an insulin pump and ICD
• In June 2013 the DHS tested 300 devices from 40 vendors, ALL failed
• 2014 multiple variants of a popular blood pump hacked
• 2015 MedJack hacks demonstrate the vulnerability of the network from medical devices
• We are no closer….
“Yes, Terrorists could have
hacked Dick Cheney’s heart.” -The Washington Post
Malware & Persistent Threats
• 3.4 million BotNets active
• 20-40% of recipients in phishing exercises fall for the scam
• 26% of malware delivered via HTML; more than one in 300 emails carries malware
• Malware analyzed was found undetectable by nearly 50% of all anti-virus engines tested
• Microsoft no longer provides patches for Windows XP (support ended April 2014), Windows 2000 and NT (ended earlier), or Windows Server 2003 (ended July 2015)
• EOL systems still prevalent in healthcare networks
• Hardening, patching, configuration, change management…all critical
• Objective testing and assessment
“FBI alert warns healthcare not prepared”
Chart on slide (quantity not labelled in the extracted text): 2006: 200K; 2008: 17M; 2013: 73M
Mobility & Data
• Medical staff are turning to their mobile devices to communicate because it’s easier, faster, more efficient…
• Sharing lab or test results, locating another physician for a consult, sharing images of wounds and radiology images, updating attending staff on patient condition, getting direction for treatment, locating a specialist and collaborating with them, transmitting trauma information or images to EDs, prescribing or placing orders
• Priority placed on the data first and the device second
• Restrict physical access where possible, encrypt the rest
ID Theft & Fraud
• Medical identity theft and fraud costs billions each year, affecting everyone
• US CERT estimates 47% of cybercrime aimed at healthcare
• Healthcare directed attacks have increased more than 20% per year for the last three years
• Identity theft comes in all forms and is costly
– Insiders selling information to others
– Hackers exploiting systems
– Malware with directed payloads
– Phishing for the “big” ones
Theft & Losses Thriving
• 68% of healthcare data breaches due to loss or theft of assets
• 1 in 4 houses is burglarized, a B&E happens every 9 minutes, more than 20,000 laptops are left in airports each year…
• First rule of security: no one is immune
• 138%: the % increase in records exposed in 2013
• 6 – 10%: the average shrinkage rate for mobile devices
• Typical asset inventories are off by 60%
“Unencrypted laptops and mobile devices pose significant risk to the security of patient information.” -Sue McAndrew, OCR
Hacking & Other Cyber Criminals
• Defenses are not keeping pace
• Three most common attacks: spear phishing, Trojans & malvertising
• APTs, phishing, watering-hole attacks, fraud, etc.
• Most organizations can’t detect or address these threats effectively
• An advanced incident response capability is required
• Results in losses of time, dollars, downtime, reputation, litigation, etc.
• Conduct independent risk assessments regularly
Targeted Attacks (bar chart on slide, 0–100% scale; values not recoverable from the extracted text):
• Organizations suffering a targeted attack
• Sophistication of attack hardest element to defeat
• No increase in budget for defenses
“I feel like I am a targeted class, and I want to know what this institution is doing about it!” -Anonymous Doctor
More Government Oversight
• OIG shifts focus to OCR, MU & medical devices
• OCR’s permanent audit program will resume in FY 2015 with new capabilities
• Improvements and automation in reporting and handling complaints
• Meaningful Use takes a step backwards with Stage 3
• The FTC, FDA, FCC, HHS and DoJ take a more active role in healthcare privacy and security
• States continue to create new laws
– Florida Information Protection Act
– New Jersey Health Insurers Encryption Law
When organizations tell consumers they will protect their personal information, the FTC can and will take enforcement action to ensure they live up to these promises.
CISO Needed…
• HIMSS Cyber Security survey found 52% had a full time security person
• In a 2014 study HC CISOs gave themselves an average maturity rating of 4.35 on a scale of 1-7
• Many report missing critical technologies to fight today’s threats, improving in 2015
• More than half of healthcare entities spend less than 3% of their IT budget on data protection, no improvement
• Focus, alignment, and staffing challenges
• Many healthcare security managers are first timers
Healthcare finds itself in a contest for security professionals when everyone, both government and private sector, need them – and the outlook is not positive.
Board Involvement
• 70% of Board Members feel they understand cyber risks
• 43% of CIO/CISOs think Boards are informed about threats to IT
• Board members do admit their knowledge about cybersecurity is limited
• Board members and IT security need to communicate more often
• It took major breaches like Target, Anthem and Community Health to get the Board’s attention
• Boards are still in the dark concerning security risks and incidents
Barriers to Successful Implementation of Data Security (percent of respondents)
• Lack of Personnel: 64%
• Lack of Financial Resources: 60%
• Too Many Emerging/New Threats: 42%
• Too Many Endpoints: 32%
• Not Enough Cyber Threat Intelligence: 28%
• Too Many Applications: 25%
• Lack of Tools to Use/Deploy Cyber Threat Intel: 20%
Healthcare’s Culture Must Change
“We are who we are, and companies are what they are, because we want to be. If we wanted to be different we would be about change.”
“We need CISO’s who are not afraid to be a change agent in their institution.”
What We Can Do Together
• Actively participate in AEHIS
• Create a body of knowledge for all
• Open and maintain a useful dialogue
• Work on changing the perception
Q & A
Mac McMillan [email protected]
(512) 402-8555
@mmcmillan07