Securing the Internet of Things (IoT) at the U.S. Department of Veterans Affairs

Transcription

1 Securing the Internet of Things (IoT) at the U.S. Department of Veterans Affairs Dominic Cussatt Acting Deputy Assistant Secretary / Chief Information Security Officer (CISO) February 20, 2017

2 The Cyber Threat to Healthcare Hackers now employ more sophisticated methods for penetrating networks and devices, making detection and prevention of cyber attacks more difficult. Recent examples of this threat to healthcare providers include: One of the biggest things we took away from our Anonymous attack was that in the past, I had always thought about cybersecurity related to health IT as safeguarding data but our experience made us understand it is more than that. ~ Daniel Nigrin, M.D., Chief Information Officer at Boston Children s Hospital, which was attacked by the hacker group Anonymous in 2014 Hospital network security has been under scrutiny in the past few months. The MedStar Health system in Washington, D.C. recently fell victim to a ransomware attack in which a piece of malware blocked access to patient records and demanded payment. ~nextgov.com The Ponemon Institute found that nearly 90% of healthcare organizations represented in a recent study had a data breach in the past two years and nearly half had 5 data breaches in the same period. Estimates based on the study suggested that breaches could be costing the healthcare industry $6.2 billion ~ ponemon.org 2

3 Department of Veterans Affairs (VA): By the numbers As part of the VA, Veterans Health Administration (VHA) is the largest integrated healthcare system in the United States providing care at: 1,233 Health Care Facilities 168 VA Medical Centers 1,053 Outpatient sites Serving more than 8.9 million Veterans each year Mission Statement: To fulfill President Lincoln s promise To care for him who shall have borne the battle, and for his widow, and his orphan by serving and honoring the men and women who are American Veterans Information on this slide is derived from: 3

4 The Threat Landscape at VA The VA environment spans six data centers with over 1,800 locally-managed facilities and 750,000 network devices. With this complex environment, applying cybersecurity consistently is difficult and requires collaboration across several disciplines to protect the data of our Veterans. Below are factors affecting VA s threat landscape: Explosive growth and use of information technology devices connected to the Internet Internet of Things (IoT) Proliferation of information systems and networks with virtually unlimited connectivity via mobile technologies and the cloud lending to a larger attack surface Increasing sophistication of threats including exponential growth rate in ransomware and distributed denial of service (DDoS) attacks leveraging the IoT vulnerabilities The opportunity for a malicious attack or a security breach continues to increase as more devices are becoming Internet-enabled. 4

5 VA s Approach to Improving Security The Department of Veterans Affairs (VA) Enterprise Cybersecurity Strategy Team (ECST) within the Office of Information Technology (OI&T) was established to mature VA s cybersecurity posture and safeguard Veteran information that is essential to providing quality health care, benefits, and services to our nation s Veterans. The ECST encompasses activities around The Enterprise Cybersecurity Strategy encompasses activities around securing VA s IoT, such as medical devices and special purpose systems Five Strategic Goals of ECST Protecting Veteran information and VA data Defending VA s cyberspace ecosystem Protecting VA infrastructure and assets 587 $200M 750K BY THE NUMBERS Information Security professionals work for VA Amount allocated for information security in 2014 Number of protected devices on the VA network 4 5 Enabling effective operations Recruiting and retaining a talented cybersecurity workforce 4.5M 71% s monitored per day, 75% blocked due to malware and other malicious activity Decrease in overall number of critical or high vulnerabilities between November May 2015 Source: Protecting Veteran Information in a Complex Cybersecurity Landscape, VA. 7/2015

6 The Influence of IoT Recent enhancements in technology are allowing federal agencies, including the Department of Veterans Affairs (VA), to find new ways to collect, analyze, share, and act on the data to drive operational efficiencies in support of their mission. Examples of IoT at VA Networked Medical Devices used in patient health care for diagnosis, treatment, or monitoring of physiological measurements, or for health analytical purposes* Special Purpose Systems (SPS) - network-connected, non-medical systems that play a critical role in supporting a VA facility s operations and mission fulfillment (e.g., heating, ventilation, and air conditioning (HVAC); water control)* *Source: U.S. Department of Veterans Affairs 6

7 Security Challenges Facing the IoT The threat to the security of VA and these network connected devices continues to increase as the capabilities of IoT continue to evolve. End User Business Process and Objectives Data and Information Architecture Things Many enterprises are challenged by unclear business objectives that complicate setting an IoT architecture strategy to address issues relating to deployment environments, legacy infrastructure, complex environments and so forth ~ Gartner, Internet of Things Architecture Remains a Core Opportunity and Challenge: A Gartner Trend Insight Report, 2017 The unprecedented amounts of information from the IoT and the Internet of Everything expose organizations to legal, regulatory and reputational risk. ~ Gartner, How to Address the Top Five IoT Challenges With Enterprise Architecture, 2016 The Internet of Things will produce two challenges with information: volume and velocity. Knowing how to handle large volumes and/or real-time data cost-effectively is a requirement for the Internet of Things. ~ Gartner, Hype Cycle for the Internet of Things,

8 Principles to Securing the IoT Devices As we continue to integrate IoT and become more dependent on network connected technologies, there is an increasing emphasis on securing these devices. The Department of Homeland Security (DHS) have issued six strategic principles to securing IoT: 01 Incorporate Security at the Design Phase 04 to Prioritize Security Measures According Potential Impact 02 Promote Security Updates and Vulnerability Management 05 Promote Transparency Across IoT 03 Build on Recognized Security Practices 06 Connect Carefully and Deliberately Information on this slide is derived from: 8

9 Examples of VA Addressing the Security Challenges of IoT Scaling solutions enterprise-wide and establishing the capability for connected devices on the VA network End User Business Process Business Objective Information Data Architecture Things Vulnerability Management Aging Infrastructure Asset Management Unsupported Operating System Governance and Risk Management Solutions Deployed of VA s Medical Device Vulnerability Management Program.* Created the security control overlay for medical devices Published and integrated a cyber incident root cause analysis into standard operating procedures (SOP) Implementation of the Isolation Architecture Change Advisory Board to evaluate and recommend improvements to standardized processes and procedures established to control VA IT infrastructure changes Implemented an automated inventory tool and an inventory reconciliation process * Source: ECST accomplishments as of 1/31/2017 ** Source: Fiscal Year 2017 VA Medical Device Incident Response Overview Leveraged an isolation architecture for medical devices connected to their network. Implemented a change management advisory board Deployed a Medical Device Protection Program** Provided security, guidance, training and outreach to VA employees and contractors Implemented continuous monitoring of evolving cybersecurity threats Implemented configuration controls Implemented incident response to remediate security breaches 9

10 Evolution of VA s Approach to Securing IoT VA continues to integrate with the business, manage information risks more strategically, and work toward a culture of shared cyber risk ownership across the enterprise. Enhance the isolation architecture to include connected devices Deploy a centralized automated inventory solution Develop a incident response program for connected devices Mirror security vulnerability management of medical devices for connected devices Monitor soon to be unsupported operating systems Source: ECST Medical Cyber Domain Projects as of 2/1/2017 Work with device owners and manufacturers to remove vulnerable devices from the network without affecting patient care 10

11 The Future Outlook The Internet of Things Market to reach $267 Billion by 2020 Forbes, 1/29/2017 Connected health devices should grow to $14 billion by 2020 Forbes, 9/1/2016 Security is a special challenge for IoT. IoT systems operate across the public internet; are deployed outside of the physical control of the organization; may remain in place in critical systems for 10 to 20 years; and may control critical infrastructure, or be capable of coordinated attacks on other systems The devices themselves may lack critical hardware capabilities for securing their operation against attack. Securing IoT requires a balance of protecting against long-term devastation and accelerating value generation Gartner, Internet of Things Primer