Evaluating the Security of Your IT Network: Vulnerability Scanning & Network Map. Kyle Stafford / M-CEITA, 5/12/2017
Disclaimer: This presentation was current at the time it was published or uploaded onto the web. Medicare and Medicaid policy changes frequently, so links to source documents have been provided for your reference. This presentation was prepared as a service to the public and is not intended to grant rights or impose obligations. This presentation may contain references or links to statutes, regulations, or other policy materials. The information provided is only intended to be a general summary. It is not intended to take the place of either the written law or regulations. We encourage participants to review the specific statutes, regulations, and other interpretive materials for a full and accurate statement of their contents.
Agenda: Overview of M-CEITA; Security Updates - Rise of Hacking Attacks; Security Mitigation; Vulnerability Scan; Network Map; Questions and Answers.
Who is M-CEITA? Michigan Center for Effective Information Technology Adoption (M-CEITA). One of 62 ONC Regional Extension Centers (REC) providing education & technical assistance to primary care providers across the country. Founded as part of the HITECH Act to accelerate the adoption, implementation, and effective use of electronic health records (EHR), e.g. 90-days of MU. Funded by ARRA of 2009 (Stimulus Plan). Purpose: support the Triple Aim by achieving 5 overall performance goals. The Triple Aim: improve patient experience; improve population health; reduce costs. [Diagram labels: Improve Quality, Safety & Efficiency; Engage Patients & Families; Performance Measurement; Improve Care Coordination; Improve Population And Public Health; Meaningful Use; Ensure Privacy And Security Protections; Certified Technology Infrastructure]
M-CEITA Services: Meaningful Use Support; Security Risk Assessment & Network Security Evaluation; Audit Preparation; Targeted Process Optimization (Lean); GLPTN - Great Lakes Practice Transformation Network; Chronic Care Management (CCM); Quality Payment Program Resource Center. www.mceita.org, 1-888-MICH-EHR, www.qppresourcecenter.com
Security Updates - Rise Of Hacking Attacks: Pre-determined healthcare cybersecurity attacks rose by 320% within the 2016 calendar year (HealthITSecurity.com, 2016). 113 healthcare providers reported a breach (500+ records) in relation to Hacking/IT incidents within 2016. The average cost of a patient medical record post breach is up to $402 (Ponemon Institute, 2016). Source: U.S. Department of Health and Human Services, https://ocrportal.hhs.gov/ocr/breach/
Security Updates - Rise Of Hacking Attacks: [Bar chart: Hacking Attacks Against Healthcare Providers. 2015: 57; 2016: 113]
Security Updates - Rise Of Hacking Attacks, 2017: 38 hacking incidents have been reported (HHS). 969,091 individuals affected. Total hacking incidents now make up 75% of all individuals affected on the HHS wall of shame. (Ponemon Institute, 2016)
Security Updates - Rise Of Hacking Attacks: How are hackers gaining access to your network? Exploiting a vulnerability/weakness. Inefficient security controls. Lack of security/network awareness.
How To Mitigate Against Attacks: Be aware of where your weaknesses exist. Identify critical assets. Ensure appropriate measures are implemented. How do you know what to implement?
Vulnerability Database: New vulnerabilities are identified every day (https://nvd.nist.gov/). Operating systems, software & applications, network devices, configurations. Determine if your devices are prone to known vulnerabilities.
Vulnerability Ranking & Scoring: How are vulnerabilities classified? CVE (Common Vulnerabilities and Exposures): structure and consistency. CVSS Scoring: CVSS (Common Vulnerability Scoring System) is used to rank vulnerabilities. CVSS Ratings, V2: Low (0.0-3.9), Medium (4.0-6.9), High (7.0-10.0). V3: Low (0.0-3.9), Medium (4.0-6.9), High (7.0-8.9), Critical (9.0-10.0).
Vulnerability Scanning - Explained: What is a vulnerability scan? A vulnerability scan is a tool used to detect and identify technical vulnerabilities and provide remediation recommendations to address, prioritize, and mitigate risk. Why have a vulnerability scan? Commonly, a medical practice will not be aware of the weak points in its current technical configurations. Awareness is necessary to defend against attacks.
Vulnerability Scanning - Compliance: While not explicitly referenced by the Security Rule, vulnerability scans and network maps are common methods for meeting numerous requirements of HIPAA. Vulnerability scans are common methods for meeting the Evaluation requirement of the HIPAA Security Rule.
Vulnerability Scanning - Compliance: Security Rule 164.308(a)(8) Evaluation: Perform a periodic technical and nontechnical evaluation, based initially upon the standards implemented under this rule and subsequently, in response to environmental or operational changes affecting the security of electronic protected health information, which establishes the extent to which a covered entity's or business associate's security policies and procedures meet the requirements of this subpart. Summary: Practices are required to identify and document vulnerabilities which, if triggered or exploited by a threat, would create a risk of inappropriate access to or disclosure of ePHI.
Vulnerability Scanning - Common Questions: How do I know if I need a vulnerability scan? You are a HIPAA Covered Entity. Your network has devices which store, process, transmit, or maintain sensitive information (including ePHI). Your network has undergone significant changes or upgrades to technology. Your internal or external operating environment experienced significant technology-related changes within the past year.
Vulnerability Scanning - Common Questions: How does this compare to a Security Risk Assessment? A risk assessment identifies the presence of risk as it pertains to the assets and information flows in place. An evaluation should determine how effectively you prevent that risk from being actualized. The need for technical evaluation is likely to be identified in a risk assessment.
Vulnerability Scanning - The Process: Define Scope, Access Network, Scan, Generate Report, Present Results. Define the scope of computers/devices to be scanned (what to scan & what not to scan). Access the devices and network being scanned (wired/wireless). Scan using the scope of assets defined and confirmed. Report is generated from the data collected from the scan. Present the results to appropriate parties (management, IT, security officer).
Vulnerability Scanning - The Process - Define: Determine which assets should be scanned. Do you have ownership of ALL the devices? Are some devices shared within the network?
Vulnerability Scanning - The Process - Access: Ensure that the scanner will be able to communicate with the devices. The device with the scanner should be on the same network, preferably over a wired connection.
Vulnerability Scanning - The Process - Scan: Configure the vulnerability scanner. Input the scope of devices to be scanned. Specify devices which need to be avoided.
Vulnerability Scanning - The Process - Report: Generate a report based on the findings. Executive summary for management. Full details report for IT and compliance.
Vulnerability Scanning - The Process - Present: Appropriate staff should be notified of the findings: Office/Practice Managers, Executive Management, IT Staff, Compliance Officers.
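An added example, not part of the original presentation: one way to carry the scope, exclusion and report steps above through in Python, rating findings with the CVSS v3 bands from the scoring slide. The function names, addresses and findings are constructed for illustration; the findings stand in for a scanner's output.

```python
import ipaddress
from collections import Counter

# CVSS v3 rating bands as listed on the scoring slide (floor, rating).
V3_BANDS = [(9.0, "Critical"), (7.0, "High"), (4.0, "Medium"), (0.0, "Low")]

def resolve_scope(include, exclude, scanner_ip):
    """Expand in-scope networks to host addresses, minus devices to avoid."""
    excluded = {ipaddress.ip_address(a) for a in exclude}
    scanner = ipaddress.ip_address(scanner_ip)
    targets, warnings = [], []
    for cidr in include:
        net = ipaddress.ip_network(cidr)
        if scanner not in net:  # the scanner should sit on the scanned network
            warnings.append(f"scanner {scanner} is not on {net}")
        targets += [h for h in net.hosts() if h not in excluded and h != scanner]
    return targets, warnings

def rate_v3(score):
    """Map a CVSS v3 base score to the slide's rating."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS score out of range: {score}")
    return next(name for floor, name in V3_BANDS if score >= floor)

def build_report(findings, targets):
    """Return (executive summary counts, detail rows sorted worst first)."""
    in_scope = {str(t) for t in targets}
    rows = [dict(f, rating=rate_v3(f["cvss"])) for f in findings if f["host"] in in_scope]
    rows.sort(key=lambda r: r["cvss"], reverse=True)
    return Counter(r["rating"] for r in rows), rows

# Constructed sample data: addresses, titles and scores are illustrative only.
SCOPE = ["192.168.10.0/29"]
EXCLUDE = ["192.168.10.5"]  # e.g. a shared device the practice does not own
FINDINGS = [
    {"host": "192.168.10.2", "title": "Unsupported operating system", "cvss": 9.8},
    {"host": "192.168.10.3", "title": "Outdated web browser", "cvss": 7.5},
    {"host": "192.168.10.3", "title": "Weak cipher enabled", "cvss": 5.3},
    {"host": "192.168.10.5", "title": "Missing security patch", "cvss": 9.1},
]

if __name__ == "__main__":
    targets, warnings = resolve_scope(SCOPE, EXCLUDE, "192.168.10.6")
    summary, detail = build_report(FINDINGS, targets)
    print("Executive summary:", dict(summary))
    for row in detail:
        print(f'{row["cvss"]:>4} {row["rating"]:<8} {row["host"]} {row["title"]}')
```

The finding on the excluded address is dropped from both outputs, so the report only covers devices that were agreed to be in scope.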
Vulnerability Scanning - Types Of Assets: What types of assets can be scanned? Computers: Desktops, Laptops, Tablets, Smart Phones. Operating Systems: Windows, Apple, Linux. Software: Web Browsers, Word Processing, Mail Clients, OS. Network Devices & Configurations: Routers, Modems, Firewalls.
Understand Your Network: Now that you know what devices are vulnerable, what next? Understanding the relationships between devices can reveal how vulnerabilities are related.
Network Map - Explained: What is a Network Map? A network map is a visual schematic outlining the topology of a currently configured computer network. Why obtain a Network Map? This map will not only assist with determining the assets that create, maintain, receive, or transmit ePHI and sensitive information, but will also make the HIPAA audit protocol much easier.
Network Map - Compliance: Security Rule 164.310(d)(2)(iv) Device and Media Controls - Data Backup and Storage Procedures; Security Rule 164.312(e)(1) Transmission; Security Rule 164.310(b) Workstation Use.
Network Map - The Process: Define Scope, List Assets, Gather Details, Design Diagram, Present Results. Define the boundary of assets within the network to be included. Formalize the list of assets to be included. Gather physical, technical, and configuration information of all assets included in the network map. Design the visual representation of the network topology. Present the final copy of the network diagram to appropriate parties.
Network Map - The Process - Define: Determine what assets should be included within the network map. Are some devices not connected to the network? Should some assets not be included?
Network Map - The Process - List: Formalize a readable list to be used for the design process. The list of devices will be larger than expected.
Network Map - The Process - Gather: Leverage automation tools (network scanners). Determine what details should be included: IP address, FQDN/hostname, MAC address.
Network Map - The Process - Design: Choose software that you feel most comfortable with. Microsoft Visio is commonly used; other drafting alternatives are available. Draw and label how the devices are connected (wired or wireless connections). Lay out the network map so that it is easy to determine how one device can interact with another.
Network Map - The Process - Present: Present the results to appropriate staff. Ensure that this document is secured: encrypted and stored in a secure location. This could be used as a roadmap to where critical assets are located within your network.
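An added example, not part of the original presentation: the gathered details (IP address, hostname, MAC address) and the wired or wireless links rendered as a Graphviz DOT diagram, plus the number of hops from each device to the nearest asset holding ePHI. The asset names, addresses, links and the `ephi` flag are constructed assumptions.

```python
from collections import deque

# Constructed inventory and links: names, addresses and MACs are illustrative only.
ASSETS = {
    "fw01":   {"ip": "192.168.10.1",  "mac": "00:00:5E:00:53:01", "ephi": False},
    "sw01":   {"ip": "192.168.10.2",  "mac": "00:00:5E:00:53:02", "ephi": False},
    "ap01":   {"ip": "192.168.10.3",  "mac": "00:00:5E:00:53:03", "ephi": False},
    "ehr01":  {"ip": "192.168.10.10", "mac": "00:00:5E:00:53:10", "ephi": True},
    "front1": {"ip": "192.168.10.21", "mac": "00:00:5E:00:53:21", "ephi": False},
    "tab01":  {"ip": "192.168.10.40", "mac": "00:00:5E:00:53:40", "ephi": False},
    "kiosk":  {"ip": "192.168.20.5",  "mac": "00:00:5E:00:53:50", "ephi": False},
}
LINKS = [("fw01", "sw01", "wired"), ("sw01", "ehr01", "wired"),
         ("sw01", "front1", "wired"), ("sw01", "ap01", "wired"),
         ("ap01", "tab01", "wireless")]

def to_dot(assets, links):
    """Render the map as Graphviz DOT; ePHI assets are red, wireless links dashed."""
    lines = ["graph network_map {"]
    for name, a in sorted(assets.items()):
        colour = "red" if a["ephi"] else "black"
        lines.append(f'  "{name}" [label="{name}\\n{a["ip"]}\\n{a["mac"]}", color={colour}];')
    for left, right, medium in links:
        if left not in assets or right not in assets:
            raise KeyError(f"link references unlisted asset: {left} -- {right}")
        style = "dashed" if medium == "wireless" else "solid"
        lines.append(f'  "{left}" -- "{right}" [style={style}];')
    return "\n".join(lines + ["}"])

def hops_to_ephi(assets, links):
    """Breadth-first search outward from every ePHI asset; None means no path."""
    neighbours = {name: set() for name in assets}
    for left, right, _ in links:
        neighbours[left].add(right)
        neighbours[right].add(left)
    hops = {name: 0 for name, a in assets.items() if a["ephi"]}
    queue = deque(hops)
    while queue:
        node = queue.popleft()
        for peer in neighbours[node]:
            if peer not in hops:
                hops[peer] = hops[node] + 1
                queue.append(peer)
    return {name: hops.get(name) for name in assets}

if __name__ == "__main__":
    print(to_dot(ASSETS, LINKS))
    print(hops_to_ephi(ASSETS, LINKS))
```

The DOT text can be rendered with Graphviz (`dot -Tpng`); a device listed with `None` hops is in the inventory but has no recorded connection to the network.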
Conclusion: Hacking attacks are at an all-time high, increasingly targeting the health care industry. In response to this trend, medical offices need to understand and actively improve their network security more than ever. Technical evaluation of a network will reveal important details about where security needs to be improved. Vulnerability scanning and network mapping are important tools for a complete evaluation of a medical practice's security.
Questions. Additional Contact Info: MIPS, MACRA & MU: www.mceita.org, 888-MICH-EHR, mceita@altarum.org. Presenter: Kyle Stafford, Kyle.Stafford@Altarum.org, Phone: 734-302-5627