Cybersecurity: Achieving Prevailing Practices
Session 229, March 8
Mark W. Dill, Partner and Principal Consultant, tw-security
Conflict of Interest
Mark W. Dill, CISM, CRISC
Has no real or apparent conflicts of interest to report.
Agenda
- Learning Objectives
- NIST Cyber Security Framework (CSF)
- How the information was collected and distilled
- Critical controls discussion across hospitals of all sizes
  - Critical Access
  - Small-Medium
  - Large
  - Academic Medical Centers
- Resources
- Questions
Learning Objectives
- Compare how hospitals of all sizes have defined "prevailing practices" for information security and compliance
- Explain the common tools, processes, and talent levels that are being used
- Categorize the security practices using the NIST Cyber Security Framework (CSF): Identify, Protect, Detect, Respond, and Recover
- Recognize the top tactics used to defend against leading cyber threats:
  - Hacking
  - Malware
  - Phishing
  - Ransomware
- Discuss what is working versus what is not
NIST Cyber Security Framework (CSF) (figure not reproduced)
InfoSec Maturity (figure not reproduced)
Distillation Criteria
Facts and opinions must be:
- Technically interesting and compliance relevant
- Useful to the audience
- Presented in a way that allows comparison (bed size)
- A reasonable sample size (30 hospitals) *
- Readily obtainable and current (since late 2015)
- Validated (partially)
- Sorted by objective (NIST CSF)
- Focused on the critical few vs. trivial many (CIS Top-20 Critical Controls)
Note: * Not statistically relevant (yet), given 5,500+ hospitals in the U.S.
Critical Controls
Identify
1. Risk Analysis & Risk Management
2. Control Framework
Protect
3. Security Awareness
4. Access Control: Password Usage
5. Access Control: Access Reviews
6. Firewalls
7. Endpoint Antivirus
8. Intrusion Prevention Systems and Advanced Persistent Threat Tools (IPS and APT)
9. Network Access (or Admission) Control (NAC)
10. Patch Management
11. Encrypted Laptops
12. Encrypted Workstations
13. Mobile Device Management (MDM)
14. Encrypted EHR
Detect
15. SIEM Tools (Security Information & Event Mgmt.): Network
16. SIEM Tools: Applications (EMR & Other Applications)
17. Penetration Testing
18. Vulnerability Scanning
Respond
19. Incident Response
Recover
20. IT Disaster Recovery
Hospital Size
Name | # Beds
Critical Access Hospital | 25 or less
Small-Medium | 26-250
Large | > 250
Academic Medical Center | Not defined by # of beds, but more than 1,000 in this research
Control to Threat Matching
Threat columns: Hacking, Malware, Phishing, Ransomware, Theft/Loss. Each control is marked (X) against the threats it addresses; the number of marks per control is listed below (the individual column placements are not legible in this copy).
- Identify: Risk Analysis: 4 threats
- Prevent: Security Awareness: 3 threats
- Prevent: Password Strength: 2 threats
- Prevent: Access Control Reviews: 1 threat
- Prevent: Firewalls: 4 threats
- Prevent: Endpoint: 4 threats
- Prevent: Intrusion Prevention Systems & Advanced Persistent Threats (IPS & APTs): 4 threats
- Prevent: Network Access (or Admission) Control (NAC): 3 threats
- Prevent: Patch Management: 4 threats
- Prevent: Encrypted Laptops and Workstations: no mark legible in this row (one stray mark appears at the end of the slide)
- Prevent: Mobile Device Management: 3 threats
- Prevent: Encrypted EHRs: 1 threat
- Detect: Security Information and Event Management (SIEM): 4 threats
- Detect: Application-Layer SIEM for EHR & Other Applications: 1 threat
- Detect: Penetration Testing: 4 threats
- Detect: Vulnerability Scanning: 3 threats
- Respond: Incident Response: 4 threats
- Recover: IT Disaster Recovery: 4 threats
Identify: Risk Analysis
Question | Answer | Critical Access | Small-Medium | Large | AMC
Have you performed a Risk Analysis? | Yes | 100% | 100% | 100% | 100%
How often? | Yrs. | 1.4 | 1.6 | 1.3 | 1.0
Do you use internal resources? | Yes | 17% | 56% | 20% | 50%
Do you use external resources? | Yes | 100% | 100% | 100% | 100%
Do you use a manual process or automated tool? | Manual | 100% | 100% | 100% | 50%
Do you have a Prioritized Action Plan (aka Risk Management Plan)? | Yes | 100% | 89% | 100% | 100%
Do you have at least 3 years of history? | Yes | 50% | 89% | 80% | 100%
Has management signed off on the Remediation Plan? | Yes | 50% | 89% | 30% | 50%
Have you identified the threat, controls in place, vulnerability and possible outcome? | Yes | 100% | 89% | 100% | 100%
Have you calculated the likelihood, harm level and risk score? | Yes | 100% | 89% | 100% | 100%
Do you maintain a risk register? | Yes | 100% | 100% | 100% | 100%
Does your process include biomedical devices/systems? | Yes | 0% | 44% | 40% | 100%
Identify: Control Frameworks - 1
What Control Framework do you use?
Frameworks cited: COBIT, HITRUST, ISO 27001 and 27002, NIST CSF, NIST SP 800-53, PCI, SANS CSC, Hybrid (some combination of the above)
Popularity rank: 1. NIST SP 800-53; 2. NIST CSF; 3. SANS CSC; 4. ISO 27001 and 27002

Answer | Critical Access | Small-Medium | Large | AMC
Hybrid (some combination of the above) | 83% | 100% | 43% | 100%
A single framework (column remainder) | 17% | - | 57% | -
Identify: Control Frameworks - 2
How are you using the framework? | Critical Access | Small-Medium | Large | AMC
Use (influenced by concepts)? | - | - | 13% | -
Decision making guidance? | - | - | 13% | -
Reference material? | - | - | - | -
Basis for IT policy but not practices? | 100% | 100% | 38% | -
Extensively used for practices (compliance not verified)? | - | - | 25% | 50%
Practices applied and compliance validated? | - | - | 13% | 50%
Frequently used to assess program maturity | - | - | - | -
Prevent: Security Awareness
Question | Answer | Critical Access | Small-Medium | Large | AMC
Do you have an Awareness Plan? | Yes | 0% | 0% | 67% | 100%
At what frequency is the workforce awareness content presented? | Months | 12 | 12 | 12 | 12
Is your training role-based? | Yes | 0% | 0% | 33% | 100%
Do you use a simple slide show? | Yes | 100% | 100% | 67% | 100%
Do you provide periodic reminders? | Yes | 100% | 100% | 100% | 100%
Are you using a Learning Management System (LMS)? | Yes | 100% | 100% | 100% | 100%
Are you using commercially acquired content? | Yes | 50% | 0% | 0% | 100%
Can you capture the attendee list? | Yes | 100% | 100% | 67% | 100%
Do you require the completion of a quiz before passing? | Yes | 0% | 0% | 33% | 100%
Are users required to complete awareness/training before access is granted? | Yes | 100% | 50% | 0% | 100%
Do you proactively phish the workforce? | Yes | 50% | 50% | 67% | 100%
Are you using a homegrown tool to phish? | Yes | 0% | 50% | 0% | 0%
Are you using a commercial tool to phish? | Yes | 50% | 0% | 67% | 100%
Are your workers required to complete the assigned training? | Yes | 50% | 50% | 0% | 100%
Prevent: Password Strength
Password Attribute | Unit | PCI | Critical Access | Small-Mid | Large | Academic
Minimum length? | # | 8 | 8.25 | 7.60 | 6.78 | 7.50
Complexity (mixture of numeric and alphanumeric)? | On | On | 100% | 29% | 78% | 50%
Forced expiration frequency (days)? | Days | 90 | 125 | 90 | 170 | 128
Intruder lockout set? | Yes | - | 63% | 56% | 78% | 50%
Intruder lockout after X attempts? | # | - | 5 | 6 | 5 | 3
Minutes before retry allowed? | Minutes | - | 15 | 8 | 7 | 30
Upon reset, cannot be the same as prior X passwords? | # | 4 | 6 | 3 | 4 | 5
Require initial password uniqueness? | On | On | 0% | 29% | 22% | 50%
Require change upon 1st use? | On | On | 20% | 29% | 77% | 100%
Note: NIST SP 800-63B Digital Identity Guidelines: Authentication & Lifecycle Management will likely play a role in the future of the prevailing practices for passwords.
Prevent: Access Control Reviews
Question | Answer | Critical Access | Small-Medium | Large | AMC
Are user access rights periodically reviewed? | Yes | 50% | 67% | 70% | 50%
What is the frequency? | Mos. | 12 | 12 | 11 | 12
Prevent: Firewalls
Question | Answer | Critical Access | Small-Medium | Large | AMC
Are you following an industry standard for addressing out-of-the-box vulnerabilities? | Yes | 17% | 0% | 50% | 0%
Is console access encrypted? | Yes | 17% | 78% | 80% | 50%
Are you repelling traffic to and from countries you are not doing business with (geofencing)? | Yes | 33% | 67% | 90% | 0%
If you have a DMZ, is a firewall in place to prevent direct access into your network? | Yes | 67% | 78% | 90% | 100%
Do you review the firewall rule sets at least once per year? | Yes | 67% | 33% | 50% | 50%
Prevent: Endpoint
Question | Answer | Critical Access | Small-Medium | Large | AMC
Are you using a technology that is not dependent upon pattern file updates? | Yes | 33% | 33% | 20% | 0%
Are you using a technology that prohibits the launching of unauthorized software or processes? | Yes | 33% | 56% | 20% | 100%
Prevent: Intrusion Prevention Systems & Advanced Persistent Threats (IPS & APTs)
Question | Answer | Critical Access | Small-Medium | Large | AMC
Are the tools baked into the firewall? | Yes | 83% | 78% | 80% | 0%
Are the tools stand-alone? | Yes | 17% | 22% | 10% | 100%
Are the baseline and signatures/heuristics kept up to date? | Yes | 83% | 100% | 80% | 100%
Prevent: Network Access (or Admission) Control (NAC)
Question | Answer | Critical Access | Small-Medium | Large | AMC
Do you use a NAC solution? | Yes | 17% | 11% | 10% | 0%
Are you using a commercial tool for NAC? | Yes | 17% | 0% | 10% | 0%
Are you in monitor mode only? | Yes | 33% | 11% | 0% | 0%
Are you in block mode? | Yes | 0% | 0% | 10% | 0%
Does your solution offer a remedial path for devices? | Yes | 0% | 0% | 0% | 0%
Prevent: Patch Management
Question | Answer | Critical Access | Small-Medium | Large | AMC
Do you patch your servers? | Yes | 100% | 100% | 100% | 100%
Server patch latency? | Days | 30-180 | 30-120 | 30-90 | 30-60
Do you patch your network infrastructure? | Yes | 100% | 100% | 100% | 100%
Infrastructure patch latency? | Days | 30-180 | 30-120 | 90-120 | 45-90
Do you patch your endpoints? | Yes | 100% | 100% | 100% | 100%
Endpoint patch latency? | Days | 0-120 | 15-120 | 30-90 | 30-60
Can laptops in the field be updated while off the network? | Yes | 33% | 11% | 40% | 0%
Is your Office Suite being patched? | Yes | 0% | 89% | 50% | 100%
Office suite patch latency? | Days | 30-365 | 30-120 | 0-120 | 30-180
Are commonly vulnerable applications being patched? | Yes | 17% | 33% | 40% | 100%
Commonly vulnerable application patch latency? | Days | 60-120 | 60-120 | 30-90 | 30-180
For the platforms you patch, is the function insourced or outsourced? | Insourced | 100% | 100% | 80% | 50%
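Measuring the patch-latency metric reported in the table (days from vendor release to install, per platform) against a target window, as an added Python example that is not part of the presentation; the inventory, asset names, platform labels and target windows are constructed assumptions, and an asset that was never patched is counted from release to the reporting date so it cannot look better than a patched one.

```python
"""Patch latency per platform over a constructed patch inventory."""
from datetime import date
from statistics import median

# Constructed inventory: (asset, platform, vendor release date, install date or None).
INVENTORY = [
    ("srv-ehr-01", "server", date(2017, 1, 10), date(2017, 2, 20)),
    ("srv-lab-02", "server", date(2017, 1, 10), date(2017, 5, 30)),
    ("core-sw-1", "network", date(2016, 12, 1), date(2017, 3, 15)),
    ("ws-ed-117", "endpoint", date(2017, 2, 14), date(2017, 3, 1)),
    ("lt-field-9", "endpoint", date(2017, 2, 14), None),  # never patched (off network)
    ("ws-ed-117", "office", date(2017, 1, 3), date(2017, 2, 1)),
    ("ws-ed-117", "common_app", date(2017, 1, 3), date(2017, 6, 1)),
]
AS_OF = date(2017, 7, 1)  # reporting date (assumed)
# Assumed target windows in days, roughly the low end of the Large column above.
TARGET_DAYS = {"server": 60, "network": 90, "endpoint": 60, "office": 120, "common_app": 90}

def latency_days(released, installed, as_of):
    """Days from release to install. An unpatched asset is measured to the
    reporting date, so it can never score better than a patched one."""
    end = installed if installed is not None else as_of
    return (end - released).days

def latency_report(inventory, as_of):
    """Per platform: median and worst latency, share within target, unpatched
    assets, and the assets that breach the target window."""
    by_platform = {}
    for asset, platform, released, installed in inventory:
        lat = latency_days(released, installed, as_of)
        by_platform.setdefault(platform, []).append((asset, lat, installed is None))
    report = {}
    for platform, rows in by_platform.items():
        lats = [lat for _, lat, _ in rows]
        limit = TARGET_DAYS[platform]
        report[platform] = {
            "median_days": median(lats),
            "max_days": max(lats),
            "pct_within_target": round(100 * sum(lat <= limit for lat in lats) / len(lats)),
            "unpatched": [asset for asset, _, never in rows if never],
            "breaches": [asset for asset, lat, _ in rows if lat > limit],
        }
    return report

if __name__ == "__main__":
    for platform, stats in latency_report(INVENTORY, AS_OF).items():
        print(f"{platform:11s} {stats}")
```

Feeding the real inventory export into INVENTORY gives the per-platform figures this slide reports and a concrete list of what to chase first.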
Prevent: Encrypted Laptops
Question | Answer | Critical Access | Small-Medium | Large | AMC
Do you encrypt 100% of your laptops? | Yes | 67% | 100% | 100% | 100%
Are you using an OS vendor-provided tool? | Yes | 50% | 33% | 20% | 50%
Are you using a commercial tool? | Yes | 50% | 67% | 100% | 50%
Are you using pre-boot authentication with a different password? | Yes | 0% | 44% | 60% | 0%
How long before the screen saver is applied? | Minutes | 8 | 13 | 15 | 15
Number of lost or stolen devices reported? | # | 0 | 0 | 1 | 10+
Prevent: Encrypted Workstations
Question | Answer | Critical Access | Small-Medium | Large | AMC
Do you encrypt any workstations? | Yes | 17% | 33% | 50% | 50%
Are you using an AES-256 / FIPS 140-2 algorithm? | Yes | 17% | 56% | 40% | 50%
Are you using a risk-based approach to encryption? | Yes | 0% | 67% | 70% | 50%
Are your EMR downtime (read-only) devices encrypted? | Yes | 0% | 44% | 30% | 0%
Do you use an OS vendor-provided tool? | Yes | 17% | 0% | 20% | 50%
Do you use a commercial tool? | Yes | 0% | 33% | 60% | 0%
Do you use pre-boot authentication? | Yes | 0% | 11% | 30% | 0%
Do you have a reporting console? | Yes | 0% | 11% | 40% | 100%
Number of lost or stolen devices reported? | # | 0 | 0 | 0 | 10+
Prevent: Mobile Device Management
Attribute | Critical Access | Small-Mid | Large | Academic
MDM enforced controls? | 50% | 89% | 75% | 100%
Signed usage agreement? | 17% | 67% | 50% | 100%
Password/PIN length? | 4 | 4 | 4-6 | 4
Complexity enabled? | 0% | 0% | 0% | 0%
Forced expiration frequency (days)? | - | - | - | -
Wipe after X tries? | 8, 10-16, 10 (only three of the four groups reported; column placement not legible)
Screen lock in X minutes? | 5 | 5-10 | 15 | 15
Encryption enabled? | 50% | 89% | 75% | 100%
MDM enabled remote wipe? | 17% | 89% | 75% | 100%
Controlled use of unsigned applications? | 0% | 22% | 75% | 50%
Monitor/block for rooted or jailbroken devices? | 0% | 22% | 50% | 100%
Antivirus or spyware tools used? | 0% | 0% | 0% | 0%
Prevent: Encrypted EHRs
Question | Answer | Critical Access | Small-Medium | Large | AMC
Are the SAN or RAID disks encrypted? | Yes | 50% | 22% | 50% | 0%
Is the database encrypted? | Yes | 17% | 22% | 10% | 0%
Are there features of the EMR that are encrypted (reports, file transfers, etc.)? | Yes | 17% | 67% | 20% | 0%
What algorithm is in use, 128-bit or 256-bit? | AES-256 is the norm, though some smaller EMRs are using 128-bit
Detect: Security Information and Event Management (SIEM)
Question | Answer | Critical Access | Small-Medium | Large | AMC
Collecting logs according to a plan? | Yes | 67% | 89% | 100% | 100%
Reactive log review (troubleshooting only)? | Yes | 50% | 67% | 50% | 0%
Forwarding logs to a secondary/secured server (syslog server or SIEM tool)? | Yes | 17% | 56% | 80% | 100%
Using open-source tools? | Yes | 17% | 56% | 10% | 50%
Using a commercial tool? | Yes | 33% | 22% | 70% | 100%
Proactive log review (hunting for anomalies and problems)? | Yes | 17% | 22% | 60% | 100%
Using in-house staff to monitor? | Yes | 67% | 44% | 70% | 100%
Using a managed service to monitor? | Yes | 17% | 22% | 40% | 50%
Number of log sources correlated (<=5, 6-10, >10)? | # | 3-5 | 5-10 | 12 | 10 or more
Applying User (and device) Behavior Analytics (UBA)? | Yes | 17% | 0% | 20% | 50%
How long are log files retained? | Mos. | 12 | 5 | 9 | 3
Detect: Application-Layer SIEM for EHR & Other Applications
Question | Answer | Critical Access | Small-Medium | Large | AMC
Reactive only? | Yes | 50% | 56% | 80% | 0%
Proactive log review (hunting for anomalies and problems)? | Yes | 33% | 44% | 20% | 100%
Granular enough to report on view-only access? | Yes | 33% | 67% | 70% | 100%
Using a commercial tool? | Yes | 33% | 44% | 70% | 100%
Are applications beyond the EMR in scope? | Yes | 17% | 0% | 40% | 100%
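Proactive, application-layer review of EHR audit events, as an added Python example that is not part of the presentation: it parses a simplified audit line format (an assumption, not any EMR vendor's) and hunts for two patterns that only view-only granularity makes visible, a clinician viewing a record of a unit they are not assigned to, and one user viewing an unusual number of distinct records in a day. The roles, units, sample lines and thresholds are constructed.

```python
"""Hunt for anomalous view-only access in EHR application audit logs."""
import re
from collections import defaultdict

# Assumed audit line format (constructed, not a real EMR vendor's):
#   <ISO timestamp> user=<id> role=<role> unit=<home unit> action=<VIEW|UPDATE>
#   patient=<record id> pt_unit=<unit the record belongs to>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) role=(?P<role>\S+) unit=(?P<unit>\S+) "
    r"action=(?P<action>VIEW|UPDATE) patient=(?P<patient>\S+) pt_unit=(?P<pt_unit>\S+)$"
)

# Constructed sample: an ED nurse looking at an oncology record, an HIM clerk
# doing legitimate cross-unit work, and an ICU nurse paging through charts.
SAMPLE_LOG = """\
2017-03-08T08:01:10 user=jdoe role=RN unit=ED action=VIEW patient=P1001 pt_unit=ED
2017-03-08T08:05:40 user=jdoe role=RN unit=ED action=UPDATE patient=P1001 pt_unit=ED
2017-03-08T09:12:03 user=jdoe role=RN unit=ED action=VIEW patient=P2045 pt_unit=ONC
2017-03-08T10:30:00 user=mlee role=HIM unit=HIM action=VIEW patient=P2045 pt_unit=ONC
2017-03-08T11:00:00 user=rsmith role=RN unit=ICU action=VIEW patient=P3001 pt_unit=ICU
2017-03-08T11:00:09 user=rsmith role=RN unit=ICU action=VIEW patient=P3002 pt_unit=ICU
2017-03-08T11:00:17 user=rsmith role=RN unit=ICU action=VIEW patient=P3003 pt_unit=ICU
2017-03-08T11:00:26 user=rsmith role=RN unit=ICU action=VIEW patient=P3004 pt_unit=ICU
2017-03-08T11:00:34 user=rsmith role=RN unit=ICU action=VIEW patient=P3005 pt_unit=ICU
"""

# Assumed toy thresholds: distinct records a role normally views per day.
# HIM (medical records) staff legitimately work across units, so the unit
# rule does not apply to them; tune both from your own baseline.
MAX_DISTINCT_PATIENTS = {"RN": 4, "MD": 40, "HIM": 500}
CROSS_UNIT_ROLES = {"HIM"}

def parse(text):
    """Parse audit lines; lines that do not match the format are dropped."""
    return [m.groupdict() for m in map(LOG_RE.match, text.splitlines()) if m]

def hunt(events):
    """Return (rule, user, detail) alerts for the two patterns above."""
    alerts = []
    viewed = defaultdict(set)   # (user, day) -> distinct patient records viewed
    role_of = {}
    for e in events:
        role_of[e["user"]] = e["role"]
        if e["action"] != "VIEW":
            continue            # updates are normally tied to an order or task
        viewed[(e["user"], e["ts"][:10])].add(e["patient"])
        if e["pt_unit"] != e["unit"] and e["role"] not in CROSS_UNIT_ROLES:
            alerts.append(("view_outside_unit", e["user"], e["patient"]))
    for (user, day), patients in viewed.items():
        if len(patients) > MAX_DISTINCT_PATIENTS.get(role_of[user], 10):
            alerts.append(("high_volume_views", user, f"{day}: {len(patients)} records"))
    return alerts
```

Running hunt(parse(SAMPLE_LOG)) raises two alerts, one for each pattern, and none for the HIM clerk's cross-unit view.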
Detect: Penetration Testing
Question | Answer | Critical Access | Small-Medium | Large | AMC
Doing Y/N? | Yes | 50% | 78% | 60% | 100%
Frequency? | Mos. | 36 | 12-24 | 12-24 | 12
Performed by internal staff only? | Yes | 0% | 0% | 0% | 0%
Performed by 3rd party? | Yes | 50% | 78% | 60% | 100%
Scope: public-facing systems only? | Yes | 33% | 56% | 60% | 0%
Scope: public and internal systems? | Yes | 17% | 22% | 40% | 100%
Scope: biomedical devices? | Yes | 0% | 0% | 0% | 50%
Detect: Vulnerability Scanning
Question | Answer | Critical Access | Small-Medium | Large | AMC
Doing Y/N? | Yes | 67% | 78% | 80% | 100%
Using an open-source tool? | Yes | 17% | 11% | 0% | 0%
Using a commercial tool? | Yes | 50% | 67% | 80% | 100%
Are results shared with leadership and remediated quickly? | Yes | 50% | 67% | 30% | 100%
Performed by internal staff only? | Yes | 33% | 56% | 50% | 100%
Performed by 3rd party? | Yes | 33% | 33% | 50% | 0%
Scope: public-facing systems only? | Yes | 17% | 44% | 20% | 0%
Scope: public and internal systems? | Yes | 50% | 33% | 60% | 100%
Scope: biomedical devices? | Yes | 0% | 0% | 10% | 100%
Respond: Incident Response
Question | Answer | Critical Access | Small-Medium | Large | AMC
Do you have a policy and procedure? | Yes | 100% | 89% | 100% | 100%
Do you use an incident reporting form? | Yes | 83% | 56% | 80% | 100%
Do you have an incident response team? | Yes | 50% | 67% | 90% | 100%
Do you have a playbook(s)? | Yes | 0% | 22% | 50% | 100%
Are the playbooks scenario-specific? | Yes | 0% | 11% | 50% | 100%
Do you exercise the playbooks in a tabletop? | Yes | 0% | 22% | 50% | 100%
What is the frequency of your testing? | Mos. | 0 | 12-24 | 12-18 | 12
Do you test beyond tabletop? | Yes | 0% | 0% | 0% | 100%
Recover: IT Disaster Recovery
Question | Answer | Critical Access | Small-Medium | Large | AMC
Do you have a policy and procedure? | Yes | 50% | 89% | 90% | 100%
Have you performed a Business Impact Analysis (BIA)? | Yes | 0% | 33% | 40% | 50%
Do you have a compliance-oriented plan? | Yes | 0% | 33% | 60% | 100%
Do you have step-by-step recovery plans? | Yes | 17% | 33% | 20% | 100%
Do you exercise the plans in a tabletop? | Yes | 0% | 33% | 30% | 50%
Do you exercise the plans in fail-over or bare-metal recovery tests? | Yes | 0% | 0% | 10% | 50%
Are the Recovery Time and Recovery Point Objectives (RTO & RPO) regularly met? | Yes | 0% | 0% | 50% | 50%
Have you increased backup retention to address ransomware? | Yes | 0% | 0% | 10% | 0%
Do you redirect My Documents to the network and back it up? | Yes | 17% | 67% | 30% | 100%
How do you back up laptop data? | Undefined (or "end user is responsible"); a few small-mid sized hospitals provide a virtual desktop
Recap
- Risk analysis: implementing NIST SP 800-30 is not that difficult
- Policies and procedures: the basis for setting behavioral expectations and awareness content
- Awareness: static content about HIPAA will not manage anything but compliance risk; real-time awareness at "time-of-click" works best
- Prevailing practices: achieve them first before striving for a best practice
- Layered defenses are still required: preventive controls are usually best, but don't ignore detective, response and recovery capabilities
- Cost: not all improvements need to "break the bank"
- Outsourcing InfoSec: source only "High Volume/Low Complexity" processes
Summary
In this session, we:
- Compared "prevailing practices" for information security and compliance by hospital size
- Explained the common tools, processes, and talent levels that are being used
- Categorized the security practices using the NIST Cyber Security Framework
- Reviewed the top tactics used to defend against leading cyber threats
- Discussed what is working versus what is not
Resources
- CIS Critical Controls (Top-20): https://www.sans.org/media/critical-security-controls/critical-controls-poster-2016.pdf
- CIS Measurement Companion: https://www.cisecurity.org/white-papers/a-measurement-companion-to-the-ciscritical-controls/
- Free Nessus vulnerability scanner (for not-for-profit hospitals): https://www.tenable.com/about-tenable/tenable-in-the-community/tenablecharitable-organization-subscription-program
- Free awareness content (branded, but good content): https://phishme.com/resources/cbfree-computer-based-training/
- NIST Cybersecurity Framework Assessment Tool Draft: https://www.nist.gov/sites/default/files/documents/2016/09/15/baldrigecybersecurity-excellence-builder-draft-09.2016.pdf
Questions
Mark W. Dill, CISM, CRISC
Partner and Principal Consultant, tw-security
Mark.Dill@tw-security.com
440-549-6009
Please complete the online session evaluation