Forging a Stronger Approach for the Cybersecurity Challenge
Session 34, February 12, 2019
Tom Stafford, VP & CIO, Halifax Health
Speaker Introduction
Tom Stafford, Vice President & CIO
Education: Bachelor of Science, Aerospace Engineering; Master of Science, Mechanical Engineering
Career: United States Navy; Medical Device Design and Manufacture; Healthcare IT
IT Accolades:
- 10th Best Place to Work in IT, 2015 (Computerworld)
- 2nd Best Place to Work in IT, 2016 (Computerworld)
- 5th Best Place to Work in IT, 2017 (Computerworld)
- 5th Best Place to Work in IT, 2018 (Computerworld)
- Premier 100 Technology Leaders, 2017 (Computerworld)
- Top 105 CIOs to Watch in 2018 (Becker's Healthcare)
Conflict of Interest
Tom Stafford, BSAE, MSME, has no real or apparent conflicts of interest to report.
Agenda
- Halifax Health
- Bad Actors and Healthcare
- What Are We Protecting?
- Look Back at 2018
- Look Forward to 2019
- Governance
- Halifax's Philosophy: D3
- Anatomy of a Ransomware Attack
- How Strong Are You?
- Let's Be Collaborative
Learning Objectives
- Identify potential threats to cybersecurity and best practices to establish security, scrutiny, and authentication for access to PHI
- Evaluate effective cybersecurity measures and policies, including system-wide procedures, end-user training, and use of technology
- Analyze strategies aimed at predicting and preventing cyber breaches
- Identify methods to ensure your cybersecurity insurance policy is effective and senior leadership is prepared prior to being breached or ransomed
About Halifax Health
Halifax Health Medical Center, Daytona Beach
- Opened in 1928
- 600 beds
- More than 500 physicians, representing 54 subspecialties
Halifax Health - Medical Center of Port Orange
- Opened in 2006
- 80-bed community hospital
- 20-bed emergency department
- 8-bed intensive care unit
Bad Actors and Healthcare
Who are the bad actors?
- Financially motivated cybercriminals
- Hacktivists
- Hackers for hire (RaaS, ransomware as a service)
- Nation-state supported actors
- Malicious insiders
How do they attack?
- Social engineering
- Network vulnerabilities
- Misuse of credentials
- Physical penetration
Bad Actors and Healthcare
Why do they attack healthcare?
- We are valuable, low-hanging fruit
- The health record includes identity and other valuable information
- The data doesn't change: a medical history stays accurate for a lifetime
- Healthcare is easier to hack: interoperability requirements open the environment up
- Great delays between the breach and determining there was one
- The electronic health record is vital to patient care and operations
- Stolen data is used for identity theft, false claims, medical research trends, and medical equipment and drug purchases
What Are We Protecting?
- Patient records (e.g. ePHI)
- Research data (e.g. cancer treatment IP)
- Employee sensitive information (e.g. PII)
- Business plans (e.g. bids, acquisition targets)
- Payment card information
- Medical treatment devices (e.g. insulin pumps, imaging)
- Contracts (e.g. with customers, suppliers, distributors)
- Employee log-in credentials
- Physician compensation
- Clinical studies data
Look Back at 2018
- Tight budgets and lack of resources
- Email: friend or foe
- Ransomware on the decline, crypto-mining on the incline
- IoT security (including biomed)
- Breaches are back
- Blockchain
- GDPR
Look Forward to 2019
- Collective call to action
- Ransomware, crypto-mining, and breaches
- Patient safety needs cyber safety
- IoT and the dreaded Windows XP biomed devices
- More cloud
- Interoperability, APIs, and AI
Governance & Executive Involvement
- Board
- C-suite
- Executive approval, knowing the landscape
- Incident response team members
Halifax's Security Philosophy: D3
- Deterrents
- Detection
- Deception
- 3rd Party Assurance
Deterrents? What About Defenses?
The number one deterrent: the user.
Assisting the user
- Training and testing
- Education, education, education
- External-source warning banner in emails
- Fake phishing tests
Technology controls
- Block webmail
- Block malicious sites
- USB privileges
- External storage privileges
- Local admin rights privileges
- Two-factor authentication
Fake Phishing Email Tests
1.0% click rate on a test sent to 4,573 users.
Ransomware Threat and Deterrent Chain
IT security is based on monitoring attack vectors and having deterrent chains in front of the data that is to be wiped, ransomed, or breached.
Attack vector: zero-day ransomware attachment in a phishing email.
Legend: deterrents / hacker's actions / Halifax reactions
1. Email sent -> External firewall: does not detect
2. Team member clicks on the attachment -> Cloud-based scan (attachment opened in the cloud): does not detect
3. Anti-virus: does not detect
4. Patched servers hold; biomed servers are not patched
5. Attacker obtains domain account access
6. Hackers own the flat network
Last deterrent: network segmentation. Last mitigation: air-gapped backup.
Biomed Devices on the Halifax Data Network
Let's Talk About Biomed
Why are they vulnerable?
- The devices last longer than the available support for the operating system, or the vendor will not patch the systems because they are FDA Class II/III devices.
WannaCry, HHS, and the FDA...
- Notify customers within 30 days after a vulnerability is found
- Patch within 60 days
- Manufacturers are not there yet
Let's Talk About Biomed and IoT
How do we reduce the risk? New devices:
- Do not demo or purchase new devices that have outdated operating systems and/or that the manufacturer will not allow to be patched.
- Updated bid spec to include Halifax Health's IT and Biomed Specifications:
Let's Talk About Biomed and IoT
How do we reduce the risk? Existing devices:
- Vulnerability scans will help determine what needs to be patched
- Work with Biomed and other departments to determine the type and location of devices
- Work with the vendors for them to patch the devices, or to allow IT to patch the devices
- If they cannot be patched, bury the devices (micro-segmentation) behind the internal firewall until they are replaced with a non-vulnerable device
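The existing-device procedure above can be turned into a repeatable triage step: each scanned device is classified as patchable by IT, patchable only by the vendor, or unpatchable (end-of-life OS) and therefore a candidate for micro-segmentation, and for the last group an allowlist is generated that permits only the device's required clinical flows. This is an added example, not Halifax Health's tooling; the device inventory, IP addresses, findings, the end-of-life OS list and the rule syntax are all constructed for illustration.

```python
"""Triage scan findings for biomed/IoT devices: patch, vendor-patch, or segment.

Added example, not Halifax Health's tooling. Inventory records, scan findings,
the end-of-life OS list and the firewall rule syntax are constructed.
"""
from dataclasses import dataclass, field

# Operating systems whose vendor support has ended (assumption for the example).
END_OF_LIFE_OS = {"windows xp", "windows 7", "windows server 2003"}


@dataclass
class Device:
    host: str
    ip: str
    os: str
    vendor_allows_patching: bool             # from the bid spec / vendor agreement
    findings: list = field(default_factory=list)       # e.g. ["MS17-010", "SMBv1"]
    needs_to_reach: list = field(default_factory=list) # (server_ip, proto, port)


def classify(dev: Device) -> str:
    """Return the remediation class for one device.

    patch        - supported OS and IT may patch it directly
    vendor_patch - supported OS but only the manufacturer may patch it
    segment      - OS is end-of-life; no patch exists, so isolate until replaced
    """
    if dev.os.lower() in END_OF_LIFE_OS:
        return "segment"
    return "patch" if dev.vendor_allows_patching else "vendor_patch"


def segmentation_rules(dev: Device) -> list:
    """Build a first-match allowlist for a device placed behind the internal firewall.

    Only the device's required clinical flows are permitted, in both directions;
    the trailing deny rules drop everything else, including lateral SMB/RDP from
    the flat user network. 'action src -> dst proto/port' is an assumed syntax.
    """
    rules = []
    for server_ip, proto, port in dev.needs_to_reach:
        rules.append(f"allow {dev.ip} -> {server_ip} {proto}/{port}")
        rules.append(f"allow {server_ip} -> {dev.ip} {proto}/{port}")
    rules.append(f"deny any -> {dev.ip}")
    rules.append(f"deny {dev.ip} -> any")
    return rules


def triage(devices: list) -> dict:
    """Group device hostnames by remediation class."""
    plan = {"patch": [], "vendor_patch": [], "segment": []}
    for dev in devices:
        plan[classify(dev)].append(dev.host)
    return plan


# Constructed sample inventory (hostnames, IPs and findings are invented).
SAMPLE_DEVICES = [
    Device("ct-scanner-01", "10.20.5.11", "Windows XP", False, ["MS17-010", "SMBv1"],
           [("10.20.1.5", "tcp", 104)]),          # DICOM to the PACS only
    Device("infusion-pump-07", "10.20.5.42", "Windows 7", False, ["MS17-010"],
           [("10.20.1.9", "tcp", 443)]),          # HTTPS to the pump server only
    Device("lab-analyzer-03", "10.20.5.60", "Windows 10", True, ["SMBv1"]),
    Device("ultrasound-12", "10.20.5.77", "Windows 10", False, ["SMBv1"]),
]

if __name__ == "__main__":
    for action, hosts in triage(SAMPLE_DEVICES).items():
        print(f"{action:13s} {hosts}")
    for dev in SAMPLE_DEVICES:
        if classify(dev) == "segment":
            print(f"\n# micro-segmentation for {dev.host}")
            print("\n".join(segmentation_rules(dev)))
```

The allowlist deliberately names the far end of each flow (the PACS, the pump server) rather than a subnet: an unpatched XP scanner that can only talk DICOM to one server is still exposed to that server, but it can no longer be reached over SMB from a compromised workstation, which is the path the ransomware chain above depends on.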
Detection and Deception
Detection (SIEM):
- User behavior
- Machine, biomed, and IoT behavior
- Network penetration
Deception:
- Honeypots
- Domain account verification
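The three detection ideas on this slide (user behavior, device behavior, decoy domain accounts) reduce to a few checks over authentication events. Below is an added example, not Halifax Health's SIEM content, that runs those checks over constructed log lines: any successful logon with a decoy account is an alert; a biomed service account logging on from a host outside its baseline is an alert; and a human account reaching many distinct hosts inside a short window is flagged as possible lateral movement. The log format, account names, hosts, baseline and thresholds are all assumptions made for the example.

```python
"""Behaviour and deception checks over authentication events.

Added example, not Halifax Health's SIEM rules. The log format, accounts,
hosts, baseline and thresholds are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Decoy domain accounts that no legitimate process ever uses (assumed names).
HONEY_ACCOUNTS = {"svc_backup_old", "pacs_admin2"}

# Baseline: the only hosts each biomed service account should log on from.
DEVICE_BASELINE = {
    "svc_ctscanner": {"ct-scanner-01"},
    "svc_infusion": {"infusion-pump-07"},
}

# A human account touching this many distinct hosts within the window is
# treated as possible lateral movement (thresholds are assumptions).
LATERAL_HOSTS = 5
LATERAL_WINDOW = timedelta(minutes=10)


def parse_line(line: str) -> dict:
    """Parse a constructed 'timestamp|user|src_host|event' log line."""
    ts, user, host, event = line.strip().split("|")
    return {"ts": datetime.fromisoformat(ts), "user": user, "host": host, "event": event}


def detect(lines) -> list:
    """Return (alert_type, subject, detail) tuples in the order they fire."""
    alerts = []
    seen = defaultdict(list)  # user -> [(timestamp, host), ...]
    for line in lines:
        ev = parse_line(line)
        if ev["event"] != "logon_success":
            continue

        # Deception: a decoy account was used; nothing legitimate does that.
        if ev["user"] in HONEY_ACCOUNTS:
            alerts.append(("honey_account", ev["user"], ev["host"]))

        # Device behaviour: biomed credentials used from an unexpected host.
        expected = DEVICE_BASELINE.get(ev["user"])
        if expected is not None and ev["host"] not in expected:
            alerts.append(("device_off_baseline", ev["user"], ev["host"]))

        # User behaviour: many distinct hosts in a short window.
        seen[ev["user"]].append((ev["ts"], ev["host"]))
        recent = {h for t, h in seen[ev["user"]] if ev["ts"] - t <= LATERAL_WINDOW}
        if len(recent) >= LATERAL_HOSTS and ev["user"] not in DEVICE_BASELINE:
            alerts.append(("lateral_movement", ev["user"], len(recent)))
            seen[ev["user"]].clear()  # one alert per burst, not one per host
    return alerts


# Constructed sample log (no real hosts or accounts).
SAMPLE_LOG = [
    "2019-02-12T09:00:00|jdoe|ws-0412|logon_success",
    "2019-02-12T09:00:10|svc_ctscanner|ct-scanner-01|logon_success",
    "2019-02-12T09:01:00|svc_ctscanner|ws-0412|logon_success",  # scanner creds from a workstation
    "2019-02-12T09:02:00|pacs_admin2|ws-0412|logon_success",    # decoy account used
    "2019-02-12T09:03:00|jdoe|srv-file01|logon_success",
    "2019-02-12T09:03:30|jdoe|srv-file02|logon_success",
    "2019-02-12T09:04:00|jdoe|srv-db01|logon_success",
    "2019-02-12T09:04:30|jdoe|srv-biomed01|logon_success",      # 5th host in 10 minutes
    "2019-02-12T09:05:00|jdoe|srv-biomed01|logon_failure",      # failures are ignored here
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The decoy-account check is the cheapest of the three and the hardest for an attacker to avoid: once a domain account is stolen, enumerating and trying other accounts is routine, and a decoy that is never used legitimately has no false positives. The baseline check is what would have fired in the ransomware chain above at the "obtain domain account access" step, before the flat network was owned.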
3rd Party (Digital Traders) Assurance
- Don't be their Target
- Does anyone know what Fazio Mechanical Services did?
- A BAA is not enough for healthcare
- You are only as strong as your weakest link
Understanding Your Digital Traders
- Map your existing digital traders
- Create controls so you are aware of new digital traders
- Go beyond the BAA: contractual security requirements
- Quantify their security posture
- Audit them
- Do not allow them to dictate how they access your systems
- Require two-factor authentication
Anatomy of a Ransomware Attack
- The hack
- The crash
- Cyber insurance
- External counsel
- To Bitcoin or not
- Recovery
Key takeaways:
- Treat it as a hospital incident
- Know your cyber insurance plan
- Executive tabletop exercises
- DR/BC documents and logs
How Strong Are You?
Two ways to test this:
1. Do not test: you only find out when you fail, and CIO takes on a whole new meaning (Career Is Over)
2. Ethical hacking and penetration testing
Let's Be Collaborative!
- Standards framework
- Passwords
- Two-factor
- Webmail
- USB & external storage
- Phishing
- Biomed
- Cyber insurance
- Tabletop exercises
- Quantitative 3rd party risk assessments
- Ethical hacking
Let's Be Collaborative! Poll Questions
Question 1: Which standards framework do you utilize?
1. NIST
2. HITRUST
3. Critical Security Controls
4. ISO
Question 2: Password reset duration?
1. 90 days
2. 180 days
3. 1 year
4. Other
Question 3: Require robust passwords?
1. Yes
2. No
Question 4: Remote two-factor authentication utilization?
1. Employees, physicians, vendors
2. Employees, physicians
3. Employees
4. None
Question 5: Webmail blocking?
1. Yes
2. No
Question 6: Restrict USB access?
1. Read
2. Write
3. Both
4. None
Question 7: Restrict internet-based storage?
1. Yes
2. No
Question 8: Conduct fake phishing tests?
1. Yes
2. No
Question 9: Do you know the location of your vulnerable biomed devices?
1. Yes
2. No
Question 10: Do you have cyber insurance?
1. Yes
2. No
3. Don't know
Question 11: Do you know how to contact your insurer?
1. Yes
2. No
Question 12: Do you conduct tabletop exercises?
1. Senior leadership
2. IT staff
3. Both
4. None
Question 13: Do you have quantitative 3rd party risk assessments?
1. Yes
2. No
Question 14: Conduct ethical hacking tests?
1. Once
2. Annually
3. Bi-annually
4. Never
Questions
Tom Stafford
tom.stafford@halifax.org
386-425-7309
https://www.linkedin.com/in/tom-stafford-8a69927