One Hospital's Cybersecurity Journey
May 11-12, 2017, San Francisco, CA
SanFrancisco.HealthPrivacyForum.com #HITprivacy
Introduction

- Senior Director, Information Systems Technology, Children's Mercy Hospital
- Chief Technology Officer and Chief Information Security Officer, Huntzinger
- Owner / Principal, East End Technology Consulting, Inc.
- Senior Vice President, Architecture and Business Operations, Discovery Communications
- Master of Business Administration, Healthcare, The George Washington University School of Business
How the Journey Began

Children's Mercy Hospital, a premier children's healthcare system, has grown immensely over the last 10 years. Unfortunately, information systems technology, and cybersecurity in particular, had not kept pace with that growth. We teamed with PwC, our strategic partner, to develop our security roadmap, implement quick wins, and enhance the network perimeter over 6 months.

Starting points (slide diagram): New IT Leadership Team, Audit Findings, Our Trusted Consulting Partner, Cybersecurity Strategic Plan
Listened to Our Employees

- "The internet is too slow"
- "The ticketing system doesn't work"
- "There aren't enough IT resources"
- "It takes too long to get access"
Developed Our Strategic Goals

- Patient Driven: Preventing business impact so we can continue providing top-tier service to our patients
- Cloud Provided: Migrating services to the cloud where possible to minimize maintenance
- Secure Solution: Securing our environment with leading technologies and documented processes
- Complexity: Reducing the complexity of the system environment, including the hardware and software utilized
Aligned Projects to Audit Items for the Strategic Plan

Strategic initiative: Network Security Enhancement
  Current projects: Network Perimeter Migration; Palo Alto Migration; OpenDNS; IP Address Management
  Future projects: Network Access Control; Network Infrastructure Upgrade; Mobile Device Security; Medical Device Security
  Guiding principle: Develop a zero trust network

Strategic initiative: Threat Discovery and Management
  Current projects: Security Tool and Personnel Alignment; Vulnerability Management Program; Penetration Testing; Patch Management; Managed Security Service Provider; SIEM Deployment / Splunk Cloud
  Future projects: (none listed on the slide)
  Guiding principle: Use the best tools for monitoring

Strategic initiative: Identity Management and Information Protection
  Current projects: Active Directory Cleanup; User Access Review; IAM Business Requirements and Vendor Selection
  Future projects: IAM Implementation; Multi-Factor Authentication; Data Inventory and Classification; HIPAA Data Assessment and Logging
  Guiding principle: Follow principle of least privilege

Strategic initiative: Process Improvement and Documentation
  Current projects: IT Service Management / ServiceNow Implementation; Risk, Asset, and Change Management Processes; Policies, Standards, Procedures, and MSBs
  Future projects: Business Continuity and Disaster Recovery Planning; Third Party Risk Management; Security Awareness Training; Data Loss Prevention; Office365 Migration
  Guiding principle: Define repeatable processes
Identified and Tackled Quick Wins

Working with our partner, we tackled quick wins, which allowed our team to continue day-to-day operations.

- Upgraded Operating Systems: Migrated Windows systems running 2000 and 2003 to newer versions
- Reduced Help Desk Tickets: Directed the completion of LANDesk tickets to meet business SLAs
- Changed Local Admin Passwords: Began the process of managing local administrator credentials through the use of Microsoft LAPS
- Investigated Basic Security Alerts: Removed medical devices infected with Conficker
- Remediated Network Issues: Troubleshot network-related issues at specific sites
- Documented Processes: Assisted with defining and improving the procurement process to handle purchase orders and invoices
- Configured Proofpoint: Configured Proofpoint with the proper settings to drastically increase email security
- Enabled Password Vault: Completed testing of Secret Server vaulting and password rotation for privileged accounts

Quick-win areas shown on the slide diagram: Infrastructure Upgrade, Ticketing SLAs, Sustainable Security Behaviours, Local Administrator Password Solution, Cyber Crisis Response, Network Troubleshooting, Incident and Crisis Management, Security Strategy, Information Systems Process Documentation, Email Security, Identity and Access Management
Enhanced the Perimeter Network

Audit findings: Complex management requirements; High maintenance costs; Multiple egress points; Multiple firewall appliances

- Network Perimeter Migration: Consolidated the internet connection to simplify CMH network architecture and improve network performance, while providing future scalability
- Palo Alto Migration: Replaced the perimeter Cisco ASA firewalls with next generation firewalls to increase security and improve visibility into network traffic
- OpenDNS: Implemented a domain name security solution to filter out internet traffic from CMH systems to malicious destinations (e.g. malware sites)
- IP Address Management: Installed the IP Address Management (IPAM) tool for CMH devices for the organization and troubleshooting of IP addresses

Outcomes: Simplified network design; Increased traffic visibility; Amplified internet speeds; Improved security
Identified and Tackled Quick Wins

In the past, we had been able to simply upgrade a circuit to increase speeds, but recent upgrades had not been successful. Our edge equipment was undersized and not performing correctly. During the enhancement projects, adequately sized Cisco networking equipment and Palo Alto firewalls were deployed. The result was drastically increased speeds and a happy customer base.

(Before and after bandwidth charts.) We also realized where all the bandwidth was going.
Established Proactive Security Services

- Security Tool and Personnel Alignment: Provided an analysis of tool rationalization and job descriptions for needed roles
- Vulnerability Management Program (Qualys): Created the routine process of vulnerability scanning within Qualys, vulnerability categorization, and remediation
- Penetration Testing: Performed a network penetration test against publicly facing and internal CMH systems to identify critical vulnerabilities that could lead to system compromise
- Patch Management: Documented the process of using SCCM to schedule patching activities on CMH systems
- Managed Security Service Provider (MSSP): Transitioned network and systems security monitoring to PwC for continuous coverage and proper alerting on discoveries
- SIEM Deployment (Splunk Cloud): Implemented an enterprise-level security information and event management system to collect, consolidate, and correlate security events from CMH systems for incident monitoring and response

As vulnerabilities were discovered, our partner guided our team towards a remediation path and offered continual guidance.
Stood Up Managed SOC in 60 days

- Detection Policy and Response Rule Development: Develop, tune, and maintain response rules; analyze SIEM events for false positives and tune detection rules accordingly
- Continuous Monitoring: Provide 24/7/365 security event monitoring
- Event Triage and Escalation: Escalate identified SIEM incidents that need further investigation up the support tiers or to the client
- Documentation: Maintain technical and functional documentation for the monitoring program
- Use Case Development and Log Source Ingestion: Identify gaps in coverage and work with client teams on an enrichment strategy; develop parsers for new log sources; tune existing parsers for more effective and efficient data ingestion
- Hunt/Find: Perform incident detection, analysis and classification; coordinate with the client for analysis, containment and remediation
- Maintenance: SIEM solution health check and maintenance; deploy updates, patches and minor release upgrades; create and respond to tickets for technical and functional issues arising with the SIEM; continuous improvement through additional use case development and implementation and lifecycle monitoring review
Protected Access to Information

To supplement our on-going efforts in implementing an IAM solution, we worked with our partner and created numerous automated scripts to maintain a clean Active Directory.

Process (slide diagram): Review users, Review access, Begin IAM process

Current projects:
- Active Directory Cleanup: Perform cleanup, and establish a process for periodic review of users with access to the CMH network controlled by Active Directory
- User Access Review: Review and document CMH user access to the multitude of applications within the CMH environment
- IAM Business Requirements: Define and prioritize the requirements for an identity and access management solution

Future projects:
- IAM Implementation: Implement the chosen IAM solution with role-based access based on the principle of least privilege to limit access
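A report-only script of the kind the Active Directory cleanup and user access review slide describes, added here as an illustration; it is not one of the hospital's or PwC's scripts. It assumes the RSAT ActiveDirectory module, a 90-day staleness window, the listed privileged group names and the output path (all assumptions) and produces a CSV for the periodic review rather than disabling anything itself.

```powershell
# Added example (not from the presentation): stale-account and privileged-group
# report to feed a periodic Active Directory user access review.
# Assumes the RSAT ActiveDirectory module and a 90-day staleness window.
Import-Module ActiveDirectory

$StaleDays  = 90                                    # assumption: review threshold
$Cutoff     = (Get-Date).AddDays(-$StaleDays)
$PrivGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators')
$ReportPath = Join-Path $env:TEMP 'ad-access-review.csv'   # assumption: output location

# Enabled users that have not logged on within the window (or never), plus
# accounts whose password never expires; all are candidates for the review queue.
$Users = Get-ADUser -Filter 'Enabled -eq $true' `
    -Properties LastLogonDate, PasswordLastSet, PasswordNeverExpires, whenCreated

$Findings = foreach ($u in $Users) {
    $reasons = @()
    if (-not $u.LastLogonDate -and $u.whenCreated -lt $Cutoff) { $reasons += 'never logged on' }
    elseif ($u.LastLogonDate -and $u.LastLogonDate -lt $Cutoff) { $reasons += "no logon since $($u.LastLogonDate.ToShortDateString())" }
    if ($u.PasswordNeverExpires) { $reasons += 'password never expires' }
    if ($reasons) {
        [pscustomobject]@{
            SamAccountName = $u.SamAccountName
            Finding        = ($reasons -join '; ')
            Group          = ''
        }
    }
}

# Membership of privileged groups, resolved recursively so nested groups are not missed;
# disabled accounts left in these groups are flagged separately for removal.
$PrivFindings = foreach ($g in $PrivGroups) {
    Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
        Where-Object objectClass -eq 'user' |
        ForEach-Object {
            $m = Get-ADUser $_.distinguishedName -Properties Enabled
            [pscustomobject]@{
                SamAccountName = $m.SamAccountName
                Finding        = if ($m.Enabled) { 'privileged group member' } else { 'disabled but still in privileged group' }
                Group          = $g
            }
        }
}

@($Findings) + @($PrivFindings) | Sort-Object SamAccountName |
    Export-Csv -Path $ReportPath -NoTypeInformation
Write-Host "Wrote $(@($Findings).Count + @($PrivFindings).Count) findings for review to $ReportPath"
```

The CSV is the input to the review step on the slide; accounts are only disabled or removed from groups once an owner has confirmed each finding.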
Defined and Improved Processes

- IT Service Management: Developed the processes to deliver the highest level of IT service, while implementing ServiceNow to track requests and incidents
- Risk, Asset, and Change Management Processes: Documented and implemented the processes for maintaining a log of assets, potential risks, and changes to the CMH environment
- Policies, Standards, Procedures, and MSBs: Created an IT and Security program with the supporting documentation to define the expectations of CMH and configuration standards
Measured Our Progress and Success

Dashboard categories: Safety, People, Quality, Delivery, Stewardship

We installed monitors and set up numerous dashboards to track the team's progress through the process.
Understood the Continuous Process for Improvement

(Continuous improvement cycle diagram.)
With the Opportunity to Learn Throughout

- Ignore the sins of the past
- Build before your audit, not after
- Cybersecurity is a journey, not a destination
Darin Prill, Children's Mercy Hospital
@dprill | in/dprill