
Post on 30-May-2022

There is No Diplomatic Immunity in Cybersecurity

Martin Littmann, Chief Technology Officer & CISO


2016 HIMSS Cybersecurity Survey

• Based on 150 responses of US-based hospitals and providers

• Acute care (79.3%) vs. Non-Acute Care (20.7%)

• Executives 43.3% (CIO, CISO) and Non-Executives 56.7% (Director, Senior Staff)


Tools Implemented


Greatest Vulnerability


Detect vs. Protect


Opinions


Guiding Principles

• IT Security is here to protect the Business and enable stable Operations

• Delicate and Artful Balance when Business Needs and Security needs conflict

• IT Security is Everybody’s Responsibility

• We will invest in Security Resources and Achieve results consistent with Healthcare Industry Benchmarks


The Starting Point: The Top

• CEO/Chairman Level Support

• Continuous Visibility

• Discuss Regulatory Risk

• Leverage Current News

• Everyone is a target


There are no Silver Bullets

• Security is a process and not an achievement

• Success is a combination of people, process, and technology

• Avoid ROI Thinking

• Insurance Mentality

• Demonstrable Results should be expected

• Prioritize investments


Processes

• USB Management

▪ Encryption

▪ MTP/PTP protocols

▪ Read-only policies

• Geo blocking

• Data loss protection

▪ Block personal mail or block attachments

▪ Block peer to peer file sharing

• Automation of reboots or lockdown upon infection

• Password Policy


Password Policy – NIST Guidance

• 12/14 character minimum

• No “complexity” required

• Long life (1 year)

• Dictionary for un-allowed passwords, patterns

• Forced reset on compromise

▪ Phishing – test or real

▪ Lost/stolen device

▪ Sharing

• Guidance not to re-use for any personal accounts
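
One way to express the policy on this slide as checks, as an added example that is not part of the original presentation. It assumes 12 as the minimum length (the slide gives 12/14); the blocklist entries, event names and function names are constructed for illustration.

```python
from datetime import date, timedelta

# Assumptions (not from the slide): 12 is taken from the slide's "12/14";
# blocklist entries and event names are constructed for illustration.
MIN_LENGTH = 12
MAX_AGE = timedelta(days=365)  # "Long life (1 year)"
BLOCKLIST = {"password", "welcome", "hospital", "qwerty", "letmein"}
RESET_EVENTS = {"phishing_test", "phishing_real", "device_lost_or_stolen", "shared"}


def _has_run(pw, run=4):
    """True if pw holds `run` repeated or sequential characters (aaaa, 1234, dcba)."""
    for i in range(len(pw) - run + 1):
        steps = {ord(b) - ord(a) for a, b in zip(pw[i:], pw[i + 1:i + run])}
        if steps in ({0}, {1}, {-1}):
            return True
    return False


def check_new_password(pw):
    """Return the list of policy violations; an empty list means accepted."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append("too_short")
    lowered = pw.lower()
    # Substring match is a deliberately strict choice for this sketch.
    if any(word in lowered for word in BLOCKLIST):
        problems.append("dictionary_word")
    if _has_run(lowered):
        problems.append("pattern")
    # No character-class ("complexity") test, per the slide.
    return problems


def reset_required(last_changed, today, events=()):
    """Forced reset on a compromise event; otherwise only after one year."""
    hits = sorted(RESET_EVENTS.intersection(events))
    if hits:
        return True, "compromise:" + ",".join(hits)
    if today - last_changed > MAX_AGE:
        return True, "expired"
    return False, "ok"


if __name__ == "__main__":
    for candidate in ("Tr0ub4dor&3", "correct horse battery staple", "Password12345678"):
        print(repr(candidate), check_new_password(candidate) or "accepted")
    print(reset_required(date(2024, 1, 10), date(2024, 6, 1), ["phishing_test"]))
```

The short "complex" password is rejected on length alone, while the long all-lowercase passphrase passes, which is the trade the slide describes.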


Defense In Depth

Defense in depth is the coordinated use of multiple security countermeasures to protect the integrity of the information assets in an enterprise.

• It is more difficult for an enemy to defeat a complex and multi-layered defense system than to penetrate a single barrier.

• Helps system administrators and security personnel identify incidents more rapidly

• Minimizes the adverse impact and gives administrators and engineers time to deploy new or updated countermeasures to prevent recurrence.


Security Program Components

• Staffing & Executive Sponsorship

• Layered Defense and Resiliency Strategy

• Security Tools, Technologies, Services

▪ Firewall

▪ DNS Protection

▪ Email Security

▪ Malware Detection & Prevention

▪ Two Factor Authentication

▪ PHI Monitoring

▪ Incident Response

▪ Education & Testing


ProofPoint – Email Security

• Spam & Malware protection

• Email Classification & Tagging

• Attachment Defense

• URL Re-writes Sandboxing


Firewall – IPS/IDS & Web

Next-Gen firewalls often provide multiple capabilities:

• IPS/IDS

• Anti-Malware

• APT Prevention

• Detailed Policy Capabilities

• SSL Inspection

• Web filtering & Management


DNS Protection - Umbrella

• Malware and breach protection

• Uses the Internet DNS layer

• Helps stop botnets or phishing

• Leverages analysis of 2% of the world’s Internet activity


Zero-Day Protection

• Monitors all web interactions

• Signature-less technology detects most zero-day threats

• Automatically issues blocks to web proxy

• Highest value tool for active threat detection


Vulnerability Scanning

• Key to business situational risk awareness and remediation

• Nightly scans of servers for risk assessment

• Prioritization of security risks

• Organization-wide consolidation and evaluation of risk data in meaningful comprehensive reports

• Assurance Report Cards – provides meaningful view into effectiveness of security program


FairWarning

• Provides monitoring of the progress of investigations/incidents and reporting on resolution activities

• Detection & alerting of inappropriate PHI access

• Consolidated view of PHI access

• Provides PHI access investigation tool

• Current Alerts

✓ Deceased Patient Record Access

✓ EPIC Restricted Patient Access

✓ Family Member Snooping

✓ Supervisor Snooping

✓ Meds Order Alerts

✓ Self Modification


SIEM

• Consolidates system logs for alerting

• Leverages machine learning techniques

• Risk-based-priority algorithm

• Powerful and quick log search capability

• Automated incident response


Identity Management

• Privileged Account Management

• Active Directory tools

• Two Factor Authentication

• Single Sign On

• EPCS


Risk & Penetration Assessments

• 3rd Party HIPAA audit

• Based on NIST SP 800-115 and HITRUST CSF

• Identifies gaps and areas for improvement

• Penetration Test

▪ identify exploitable security vulnerabilities and insufficiently configured security controls to determine the likelihood that an individual with little or no prior knowledge of the environment (e.g., an uninformed outsider or an insider) could obtain unauthorized access to an entity’s Internet-facing and internal resources


Greatest Risk


Phishing Program

• Regularly test/train users

• Craft test to match current actual threats

• Run same test multiple times

• Educate AND “penalize” offenders

• Support program with awareness education

▪ Intranet postings

▪ Signage

▪ All-User emails (leverage current incidents)


Q & A