health care cybersecurity title trends & best practices ...consortium, and is the cso/cmo of an...

Copyright 2019 © Terra Verde, LLC.All rights reserved.

TitleSub Title

Health Care Cybersecurity Trends & Best Practices

Mark DallmeierCSO/CMO

Terra VerdeMobile: 602-410-7793

[email protected]

Speaker Background

Mark is a Senior Executive, Serial Entrepreneur, CSO, CMO and Board Member of various companies who over the last 25 years, has co-founded and grown companies in multiple markets.

As a market strategist and analyst, Mark has developed innovative revenue growth strategies and marketing methods used in hyper growth, turn around, transformation and mergers - acquisition scenarios that have been used in mid-size and Fortune 50 companies creating over $1.8 B in new revenues for clients over the last 15 years. Mark was the CSO/CMO of IT Partners and co-founder of Channel Savvy – VAR consulting services company that was bought by Avnet in 2009. Prior to that he was President / CEO of The ROBB Group (TRG), a provider of transformation and turn around services to mid market and Fortune 100 companies.

Today, Mark is an advisory board member of various companies, co-founder of the Cyber Awareness Consortium, and is the CSO/CMO of an award winning, fast growth cybersecurity and compliance solutions provider in Phoenix Arizona. Mark often speaks on cybersecurity, risk, technology, growth, and transformation topics and facilitates strategic planning workshops.

Previous Consulting, Advisory Customers

HP

Hitachi Global

Sage Software

MCI

Verizon Business

EDS

Channel Savvy

DellXO Communications3 SigmaBishop FoxVeedogTerra VerdeAugmate

Corporate Background

20 Services

Customers

50 Services

Customers

100+ Services

Customers

150+ Services

Customers

250+ MSSP

Customers

800+ SIEM

Installation &

Training

Customers

220+ Services

Customers

16,400+ MSSP

Customers

1980+ SIEM

Installation &

Training

Customers

Agenda

Recent Events & The Evolution of Cyber Crime

Current Threats to Health Care Organizations

Impact of Breaches, Attacks

Security & Compliance Misperceptions & Realities

Pragmatic Recommendations for Reducing Risk


Recent EventsThe Evolution of Cyber Crime


We are not winning.


Now, just a year and a halflater, the dark web markets have

responded with new and extremely sophisticated underground storefronts that help facilitate the sale of stolen PII that’s

increasingly robust, even including voter records.

Why the health care economy is a target.


Reality…Over $100M Stolen since 2011.

Copyright 2019 © Terra Verde, LLC.All rights reserved.https://www.linkedin.com/pulse/why-russian-cybercriminal-targeted-missouri-based-dentistry-kip-boyle/

Your not alone…No one is immune.


The technical reasons why (what is beyond your control?).


Questions to ask your IT & security staff:

• Are your networks, applications, devices secure out of the box?

• Are HW/SW manufacturers adhering to secure development practices?

• Is most software secure?

• Are existing “next generation” technologies going to prevent multi-stage, integrated attacks against employees, contractors, 3rd party vendors?

• Are we able to currently detect, prevent embedded attacks or attacks from within the contractor community or vendor supply chain?

• Are we able to detect and prevent all harvesting, snooping, man in the middle attacks?

• Can we predict how future attacks will take place? Where/When/How?

• Are we in “control” of how the business will adopt and utilize IoT?

Predictions Q4 2016.


RANSOMWARE BEC BPC

$8B $12B $4BThe

Technological Weaponization of a Criminal acts that are

thousands of years old.

Ransom Larceny Fraud

Crimeware as-a-service 2018, 2019.

In recent months

we’ve told you about

ransomware

distribution kits

sold on the Dark Web

to anyone who can

afford it. These RaaS

packages (ransomware

as a service) allow

people with little

technical skill to

attack with relative

ease.

Sophos

Krypt3ia, Luc1F3R’s websites

Reality Q4 2018…today.


Current Cyber-ThreatsHealth care organizations, employees, patients, supply chain


Top threats, attacks.

• Phishing: Harvesting Credentials, Malware Delivery, Fraud• Ransomware: Coinhive, Dorkbot, SynAck, Black Ruby, Theft• Business Email Compromise: Fraud, Scams, Theft, Malware Delivery• Business Process Compromise: Fake Business Processes, Theft• System Process Compromise: Monero Mining Software

• Embedded Code: Specter, Meltdown• AI-Malware-Exploit Kits: GandCrab, Coinhive, Dorkbot• Botnet-DDoS-PDos: Mirai, WireX, Reaper, Hajime, BrickerBot• Telnet Brute Force, SSH, APT, Malwareless Attacks: Stuxnet, RDP.• Harvesting, Snooping, Skimming: Traffic Spirit, MageCart, etc.

27% Vulnerable

$8B

$12B

$4B

Up 500%


Understanding the Enemy - Attack Research


Attack Research Cont.


Top industries attacked.

www.BreachLevelIndex.com

Health care attack surface…IoT example.


Generic IoT

Connected HVAC

Real-TimeHealth System

Surveillance Camera

Smart

Lighting

Medical IoT

Safety

▪ Device and Patient safety – lack of

end point visibility, control

Security

▪ Data and equipment security –

unmonitored IoT network/devices

Quality

▪ Care delivery quality – lack of care

quality supported by IoT devices

Service Continuity

▪ Service integrity & continuity – lack of

device usage, effectiveness, efficiency

AREAS OF CONCERN-FOCUS

“25% of identified attacks in

HDO will involve IoT by 2020”Gartner

Health care breach headlines…third parties & providers.


Health care breaches…value chain examples.

Copyright 2019 © Terra Verde, LLC.

P R

R RV

VP

P

Growing and expanding threat landscape – example 1.

Copyright 2019 © Terra Verde, LLC.All rights reserved. I0T Analytics Global Study 2018 www.iot-analytics.com

Growing and expanding threat landscape – example 2.

Copyright 2019 © Terra Verde, LLC.All rights reserved. I0T Analytics Global Study 2018 www.iot-analytics.com

R

Common questions.

• Why am I not “secure” (when I already use anti-malware, firewalls, etc.)

– Billions in R&D is being spent by cyber-criminals, nation states, hacktivists

– They have the time, resources, access to “next gen” tech, patience, will, intention

• Where do we (I) begin?

– Understand where you are at, what is at risk, what your gaps are – Posture Review

– Assess and test existing websites, applications, systems, facilities, employees

• How much do I need to spend?

– Every company is different. Not a one size fits all. How much is your business worth?

• How can I be sure the vendor I am using is the “right one”?

– Credibility, Curiosity, Credentials, Commitment, Capabilities, Communication

• How do I start?

– Posture Review; People, Passwords, Patching, ProgramCopyright 2019 © Terra Verde, LLC.

All rights reserved.

Impact of Breaches, AttacksLife after fines and after remediation


Ready yourself for the tsunami.

Brand, Legacy

1. Media coverage

2. Payer backlash

3. Wall of Shame

4. Inability to recover brand, legacy

5. Forced rebranding

6. Forced PR, roadshow, ongoing communications

7. Multi-year commitment to re-establish brand, respect, trust

Employees, Contractors

1. Morale hit

2. Stress increase

3. Chronic fatigue

4. Efficiency impact

5. Personal brand impact

6. Turn over

7. Multi-year commitment to rebuild trust and talent pipeline

Vendors, Partners

1. Loss of strategic opportunities

2. Degradation of service, support

3. Audits

4. Slow response times

5. Reduction of risk share opportunities

6. Reduced involvement, collaboration

7. Multi-year commitment and effort to re-establish



Example of breaches, fines.

$2,700,000

$150,000

$650,000

HIPAA rules.


SRAOnly addresses 2 of 6 required audits

Comprehensive Risk Assessment Address all required “Security” areas

Growing scary trend

Becoming secure & compliant.


A more holistic approach is within

your span of control

Health care breaches and fines.


• Breach Wall of Shame

– Being asked to provide good faith effort

• 100% of HIPAA Fines Levied

– Failure to assess ALL Risks

– Lack of Administrative

Policy and Procedures

– Failure to have BAA

• Average fine of $1.5Mhttps://ocrportal.hhs.gov/ocr/breach/breach_report.jsf

Products are a “partial” fix ~ Cisco Systems.


Deliotte above the surface incident costs



Deliotte below the surface hidden costs, risks.


Example of long term risk.

Planned to raise $1 billion in debt capital to acquire a health system

Paid $7 million annual premium for a $100 million cyber insurance policy

A laptop containing 2.8 million of its personal health information (PHI) records had been stolen from the company’s health care analytics software vendor. The compromise was revealed days later when the company was notified by a corporate client that the client’s employee information had been listed for sale on cybercrime “dark web” sites.

• $60 billion annual revenue / 50,000 employees

• 23.5 million members across the US (60 percent

subscribed through employer contracts)

• Used a patient care application, which provides medical

alerts and allows health practitioners across its provider

network to access patient records and insurance coverage

information

• Held open enrollment (the annual period when people can

enroll in health insurance plans) November through

January

• Regulated by both state and federal authorities

US Health Company

The Situation Corporate Stats


Immediate “known” impact, costs, risk…and “unknown”.

Sub-total 59.00 3.52%

Common MisperceptionsCybersecurity & Compliance realities


Cybersecurity realities and fundamentals.


• Attackers are well capitalized, supported by criminal syndicates, foreign countries, activists against U.S…knowing your enemy – attacker is the key to building a winning strategy. Work with a provider who can research and profile attackers and hackers and can assist with best practices for defending and protecting the organization.

• We are fighting a global economic human survival battle. Its beyond good vs. evil / right vs. wrong. Its not paranoia if they really are “out to get you”…but calmer heads do prevail, especially during a crisis. Table top exercises and training of breach and ransom scenarios will help identify gaps within internal processes that lead to downtime, loss of life.

• Buying technology and hiring experts is not the end all cure. There are no silver bullets…but event silver bullets can kill a werewolf. So layer your security, diversify your shields, weapons, arsenal. Discuss what should be sourced, deployed, managed internally and what should be managed externally by a third party.

Cybersecurity and compliance complexities.


1. NIST 800-53: (256 Controls / 18 Families)2. NIST CSF: (5 Sections / 22 Categories (Functions) / 98 Subcategories (Outcomes)3. CIS 20/CIS RAM: (1-6 Basic / 7-16 Foundational / 17-20 Organizational)4. COBIT5. ISO/IEC 270016. NCUA/ASET/AIRES7. FFIEC8. FINRA9. NERC-CIP10. PCI DSS: (6 Sections / 12 Requirements)11. HIPAA: (3 Security Safeguard Sections / 18 Categories)12. HITECH13. HITRUST14. SSAE-18 (16)15. SOX16. OWASP

https://www.cisecurity.org/controls/

Cybersecurity realities and fundamentals.


• Focus on what is within your span of control….Trying to build a world class compliance or cyber team when that is not your core competency isn’t cost effective or realistic. Determine what skills, capabilities you can and will build in-house and begin the journey. Take a look at launching a cyber hygiene program built around the 4 P’s:

– People are the weakest list and are being cyber-stalked by criminals and hackers. Continuous education and enforcement of practices is critical.

– Passwords best practices include changing out default manufacturer passwords on software and hardware, and moving toward pass phrases with special characters.

– Patching of mission and business critical systems is critical but so is ongoing vulnerability management that includes scanning and identifying vulnerable and unsecure systems and controlling their access to the network.

– Program creation and ongoing maintenance is critical. Leadership, management, employees, contractors and vendors need to be aware that a formal program exists, and the leadership is committed to security through a “Cyber Declaration”.

HIPAA compliance fundamentals.


• Implementing policies, procedures, standards of conduct.

• Designating a compliance officer and committee.

• Conducting effective training and education.

• Developing effective lines of communication.

• Conducting internal monitoring and auditing.

• Enforcing standards through well-publicized disciplinary guidelines.

• Responding promptly to detected offenses, undertaking corrective action.

Reducing RiskBeing pragmatic, focusing on items within your span of control


Best practices: cyber hygiene program.

https://www.knowledgenet.com/webinars/cyber-hygiene-best-practices/

People

Passwords

Patching

Program (Holistic)


Cyber hygiene fundamentals.

Password Phrases with Special

Characters

Infrequent Changes

Password Vaults and Manager

Programs

Prioritize Systems and

Assets that are Vulnerable

(crown jewels)

Understand Frequency of

Updates, Patching

Prioritize Patching

Timeframes, Windows

Core Fundamentals for Reducing Risks & Preventing Cyber-Attacks

Based on servicing thousands of customers from start ups to fortune 500, across dozens of industries, below is a list of 4 specific

areas to focus on, invest within that will help reduce cybersecurity and compliance risks and will help prevent threats and attacks.

Security Education,

Training & Awareness

Programs (SETA)

Cyber Declarations

Phishing Simulations

Document Current

Maturity Level of Program,

Policies, Technologies

Identify Gaps

Determine Investment, Go

Forward Strategy (Build,

Operate, Run, Maintain)

*https://www.knowledgenet.com/webinars/cyber-hygiene-best-practices/

What to do NOW about the threat, risk summary.


Minimums – Maturity Level?❑ Start with Current State Review❑ People (SETA, Internet Usage)❑ Passwords (Methods, Vault)❑ Patching (Planned, Automated)❑ Program (SIEM, Logging/Monitoring, Policies,

Procedures, Resources)

• Backups (Full-Off Network)• Limit and Lock Down Administrative and

System Access Control/Write• Encryption (At Rest, In Transit)• Limit, block network access (RDP, etc), email

file extension delivery

❑ Update Business Continuity & Disaster Recovery Plans (Ransomware, Social Engineering)

• Business Process Assessments, Security Ops, Monitoring, Next Gen End Point, IoT Protection, Inventory, Assessment & Pen Testing

Optimal❑ Cyber Declaration – Infrequent Training is not Enough• Integrate Physical & Cyber Programs, Assessments, Processes• Expanded SOC; Include Physical & Macro-Micro Geographical –

Social Intelligence

❑ Table Tops & Simulated Physical and Cyber Attacks – Whaling.❑ Simulated Ransomware, BPC, BEC Attacks

• Integrate Response Methods into BCDR Plans• Next Gen Authentication, Access Control Tech-Methods• Master Change Management (its inevitable)

Predictions:

https://www.terraverdeservices.com/risk-management/2018-cyber-attack-trends-and-industry-predictions/

[email protected]


Resources


Breaches-Reports-Examples-Trendshttp://compliance-group.com

http://www.freewave.com/iot-security-risks-shouldnt-ignore/

https://iot-analytics.com/top-10-iot-segments-2018-real-iot-projects/

https://www.cbronline.com/cybersecurity/breaches/top-five-biggest-threats-iot-security/

http://www.experian.com/assets/data-breach/white-papers/2018-experian-data-breach-industry-forecast.pdf

https://www.datamation.com/security/slideshows/top-10-iot-security-threats.htmlhttps://softwarestrategiesblog.com/2018/01/01/roundup-of-internet-of-things-forecasts-and-market-estimates-2018/

https://www.businessinsider.com/internet-of-things-report

https://www.techrepublic.com/article/enterprise-iot-adoption-to-hit-critical-mass-by-2019-but-security-remains-a-top-concern/

https://resources.infosecinstitute.com/the-top-ten-iot-vulnerabilities/

https://threatpost.com/cloudpets-may-be-out-of-business-but-security-concerns-remain/132609/

https://threatpost.com/open-mqtt-servers-raise-physical-threats-in-smart-homes/136586/

https://threatpost.com/threatlist-attacks-on-industrial-control-systems-on-the-rise/137251/

https://threatpost.com/threatlist-almost-half-of-the-worlds-top-websites-deemed-risky/136636/

https://www.statista.com/statistics/471264/iot-number-of-connected-devices-worldwide/

https://www.statista.com/statistics/485136/global-internet-of-things-market-size/

https://newsroom.trendmicro.com/press-release/commercial/trend-micro-survey-finds-iot-deployment-decisions-made-without-consulting-s

https://www.ciatec.com/2018/03/internet-of-things-iot-definition/

https://arstechnica.com/information-technology/2018/09/dozens-of-ios-apps-surreptitiously-share-user-location-data-with-tracking-firms/

https://freedom-to-tinker.com/2018/04/23/announcing-iot-inspector-a-tool-to-study-smart-home-iot-device-behavior/

https://gizmodo.com/the-house-that-spied-on-me-1822429852

https://threatpost.com/iot-malware-activity-already-more-than-doubled-2016-numbers/126350/

https://www.csoonline.com/article/3302367/security-infrastructure/hacking-smart-buildings.html

https://www.csoonline.com/article/3302367/security-infrastructure/hacking-smart-buildings.html

https://www.csoonline.com/article/3299016/internet-of-things/botnet-of-smart-air-conditioners-and-water-heaters-could-bring-down-the-power-grid.html

https://www.csoonline.com/article/3300336/security/mirai-leveraging-aboriginal-linux-to-target-multiple-platforms.html

https://www.csoonline.com/article/3303796/internet-of-things/securing-iot-devices-fortinets-fortinac-automates-the-process.html

https://threatpost.com/black-hat-exclusive-video-the-iot-security-threat-looms-for-enterprises/134991/

https://threatpost.com/video-bishop-fox-on-device-threats-and-layered-security/136716/

https://www.redpixie.com/blog/iot-security-challenges-finance

https://threatpost.com/post-wannacry-5-5-million-devices-still-expose-smb-port/126249/

https://www.information-age.com/internet-things-security-crisis-123470475/

https://www.forbes.com/sites/forbestechcouncil/2018/07/16/your-iot-is-probably-not-a-ok/#775ca280763d

https://www.congress.gov/bill/115th-congress/senate-bill/1691/actions

https://threatpost.com/black-hat-2018-iot-security-issues-will-lead-to-legal-feeding-frenzy/134997/

https://threatpost.com/belkin-iot-smart-plug-flaw-allows-remote-code-execution-in-smart-homes/136732/

https://threatpost.com/researchers-shine-light-on-smart-bulb-data-theft/137003/

https://threatpost.com/the-vulnerability-disclosure-process-still-broken/137180/

https://threatpost.com/magentocore-card-skimmer-found-on-mass-numbers-of-e-commerce-sites/137117/

Ransomware/Malwarehttps://cybersecurityventures.com/global-ransomware-damage-costs-predicted-to-exceed-8-billion-in-2018/

https://www.helpnetsecurity.com/2018/07/11/2018-sonicwall-cyber-threat-report/

https://www.recordedfuture.com/ransomware-trends-2018/

https://blog.barkly.com/ransomware-statistics-2018

https://threatpost.com/threatlist-ransomware-attacks-down-fileless-malware-up-in-2018/136962/

https://threatpost.com/bad-actors-sizing-up-systems-via-lightweight-recon-malware/137364/

https://threatpost.com/threatlist-email-attacks-surge-targeting-execs/137385/

https://threatpost.com/cobalt-group-targets-banks-in-eastern-europe-with-double-threat-tactic/137075/

https://threatpost.com/domestic-kitten-mobile-spyware-campaign-aims-at-iranian-targets/137304/

https://threatpost.com/magentocore-card-skimmer-found-on-mass-numbers-of-e-commerce-sites/137117/

https://threatpost.com/threatlist-supply-chain-defenses-need-improvement/134271/

https://blog.barkly.com/local-government-cybersecurity-2018-ransomware-attacks

https://blog.barkly.com/ransomware-statistics-2018

https://www.aig.co.uk/content/dam/aig/emea/united-kingdom/documents/Insights/cyber-claims-report-may-18.pdf

https://www.aig.co.uk/insights/cyber-ransomeware-disrupts-business?cmpid=SMC-tw-AIGemea-Claims_Intel_Cyber-20180601103600

https://healthitsecurity.com/news/healthcare-cybersecurity-threats-hinder-hit-development

https://www.recordedfuture.com/ransomware-trends-2018/

https://www.comparitech.com/antivirus/ransomware-statistics/#gref

https://www.cyentia.com/2017/07/25/ransomware-p3-prevalence/

https://www.trendmicro.com/vinfo/us/security/research-and-analysis/threat-reports/roundup/unseen-threats-imminent-losses

https://securityboulevard.com/2018/07/gandcrab-v4-ransomware-remove-and-restore-krab-encrypted-files/

https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-september-14th-2018-kraken-dharma-and-matrix/

https://www.securityweek.com/grandcrab-new-king-ransomware

https://dazeinfo.com/2018/08/14/ransomware-in-india-escan/

https://research.checkpoint.com/gandcrab-ransomware-mindset/

https://www.skyflok.com/2018/08/29/cybercriminals-using-innovative-grandcrab-for-ransomware-attacks/

https://www.crowdstrike.com/blog/an-in-depth-analysis-of-samsam-ransomware-and-boss-spider/

https://threatpost.com/active-spy-campaign-exploits-unpatched-windows-zero-day/137237/

https://threatpost.com/in-wake-of-biggest-ever-ddos-attack-experts-say-brace-for-more/130205/c


Thank You!www.TVRMS.com

health care cybersecurity title trends & best practices ...consortium, and is the cso/cmo of an...

Documents