Transcript of: Health Care Cybersecurity Trends & Best Practices
Copyright 2019 © Terra Verde, LLC.All rights reserved.
Health Care Cybersecurity Trends & Best Practices
Mark Dallmeier, CSO/CMO
Terra Verde. Mobile: 602-410-7793
Speaker Background
Mark is a Senior Executive, Serial Entrepreneur, CSO, CMO and Board Member of various companies who, over the last 25 years, has co-founded and grown companies in multiple markets.
As a market strategist and analyst, Mark has developed innovative revenue growth strategies and marketing methods used in hyper-growth, turnaround, transformation and mergers-and-acquisitions scenarios in mid-size and Fortune 50 companies, creating over $1.8B in new revenues for clients over the last 15 years. Mark was the CSO/CMO of IT Partners and co-founder of Channel Savvy, a VAR consulting services company that was bought by Avnet in 2009. Prior to that he was President / CEO of The ROBB Group (TRG), a provider of transformation and turnaround services to mid-market and Fortune 100 companies.
Today, Mark is an advisory board member of various companies, co-founder of the Cyber Awareness Consortium, and the CSO/CMO of an award-winning, fast-growth cybersecurity and compliance solutions provider in Phoenix, Arizona. Mark often speaks on cybersecurity, risk, technology, growth, and transformation topics and facilitates strategic planning workshops.
Previous Consulting, Advisory Customers
HP
Hitachi Global
Sage Software
MCI
Verizon Business
EDS
Channel Savvy
Dell
XO Communications
3 Sigma
Bishop Fox
Veedog
Terra Verde
Augmate
Corporate Background
Growth milestones as shown on the slide:
– 20 Services Customers
– 50 Services Customers
– 100+ Services Customers
– 150+ Services Customers
– 250+ MSSP Customers
– 800+ SIEM Installation & Training Customers
– 220+ Services Customers
– 16,400+ MSSP Customers
– 1980+ SIEM Installation & Training Customers
Agenda
Recent Events & The Evolution of Cyber Crime
Current Threats to Health Care Organizations
Impact of Breaches, Attacks
Security & Compliance Misperceptions & Realities
Pragmatic Recommendations for Reducing Risk
Recent Events: The Evolution of Cyber Crime
We are not winning.
Now, just a year and a half later, the dark web markets have responded with new and extremely sophisticated underground storefronts that help facilitate the sale of stolen PII that’s increasingly robust, even including voter records.
Why the health care economy is a target.
Reality…Over $100M Stolen since 2011.
https://www.linkedin.com/pulse/why-russian-cybercriminal-targeted-missouri-based-dentistry-kip-boyle/
You’re not alone…No one is immune.
The technical reasons why (what is beyond your control?).
Questions to ask your IT & security staff:
• Are your networks, applications, devices secure out of the box?
• Are HW/SW manufacturers adhering to secure development practices?
• Is most software secure?
• Are existing “next generation” technologies going to prevent multi-stage, integrated attacks against employees, contractors, 3rd party vendors?
• Are we able to currently detect, prevent embedded attacks or attacks from within the contractor community or vendor supply chain?
• Are we able to detect and prevent all harvesting, snooping, man in the middle attacks?
• Can we predict how future attacks will take place? Where/When/How?
• Are we in “control” of how the business will adopt and utilize IoT?
Predictions Q4 2016.
Ransomware – $8B – Ransom
BEC – $12B – Larceny
BPC – $4B – Fraud
The technological weaponization of criminal acts that are thousands of years old.
Crimeware as-a-service 2018, 2019.
“In recent months we’ve told you about ransomware distribution kits sold on the Dark Web to anyone who can afford it. These RaaS packages (ransomware as a service) allow people with little technical skill to attack with relative ease.” – Sophos
Krypt3ia, Luc1F3R’s websites
Reality Q4 2018…today.
Current Cyber-Threats: Health care organizations, employees, patients, supply chain
Top threats, attacks.
• Phishing: Harvesting Credentials, Malware Delivery, Fraud
• Ransomware: Coinhive, Dorkbot, SynAck, Black Ruby, Theft
• Business Email Compromise: Fraud, Scams, Theft, Malware Delivery
• Business Process Compromise: Fake Business Processes, Theft
• System Process Compromise: Monero Mining Software
• Embedded Code: Spectre, Meltdown
• AI-Malware-Exploit Kits: GandCrab, Coinhive, Dorkbot
• Botnet-DDoS-PDoS: Mirai, WireX, Reaper, Hajime, BrickerBot
• Telnet Brute Force, SSH, APT, Malwareless Attacks: Stuxnet, RDP
• Harvesting, Snooping, Skimming: Traffic Spirit, MageCart, etc.
Chart values shown on the slide: 27% Vulnerable; $8B; $12B; $4B; Up 500%
Understanding the Enemy - Attack Research
Attack Research Cont.
Top industries attacked.
www.BreachLevelIndex.com
Health care attack surface…IoT example.
Device types shown in the diagram: Generic IoT; Connected HVAC; Real-Time Health System; Surveillance Camera; Smart Lighting; Medical IoT
Areas of Concern / Focus:
▪ Safety – Device and patient safety: lack of end point visibility, control
▪ Security – Data and equipment security: unmonitored IoT network/devices
▪ Quality – Care delivery quality: lack of care quality supported by IoT devices
▪ Service Continuity – Service integrity & continuity: lack of device usage, effectiveness, efficiency
“25% of identified attacks in HDO will involve IoT by 2020” – Gartner
Health care breach headlines…third parties & providers.
Health care breaches…value chain examples.
Growing and expanding threat landscape – example 1.
Source: IoT Analytics Global Study 2018, www.iot-analytics.com
Growing and expanding threat landscape – example 2.
Source: IoT Analytics Global Study 2018, www.iot-analytics.com
Common questions.
• Why am I not “secure” (when I already use anti-malware, firewalls, etc.)
– Billions in R&D is being spent by cyber-criminals, nation states, hacktivists
– They have the time, resources, access to “next gen” tech, patience, will, intention
• Where do we (I) begin?
– Understand where you are at, what is at risk, what your gaps are – Posture Review
– Assess and test existing websites, applications, systems, facilities, employees
• How much do I need to spend?
– Every company is different. Not a one size fits all. How much is your business worth?
• How can I be sure the vendor I am using is the “right one”?
– Credibility, Curiosity, Credentials, Commitment, Capabilities, Communication
• How do I start?
– Posture Review; People, Passwords, Patching, Program
Impact of Breaches, Attacks: Life after fines and after remediation
Ready yourself for the tsunami.
Brand, Legacy
1. Media coverage
2. Payer backlash
3. Wall of Shame
4. Inability to recover brand, legacy
5. Forced rebranding
6. Forced PR, roadshow, ongoing communications
7. Multi-year commitment to re-establish brand, respect, trust
Employees, Contractors
1. Morale hit
2. Stress increase
3. Chronic fatigue
4. Efficiency impact
5. Personal brand impact
6. Turnover
7. Multi-year commitment to rebuild trust and talent pipeline
Vendors, Partners
1. Loss of strategic opportunities
2. Degradation of service, support
3. Audits
4. Slow response times
5. Reduction of risk share opportunities
6. Reduced involvement, collaboration
7. Multi-year commitment and effort to re-establish
Example of breaches, fines.
Fines shown on the slide: $2,700,000; $150,000; $650,000
HIPAA rules.
SRA: Only addresses 2 of 6 required audits
Comprehensive Risk Assessment: Addresses all required “Security” areas
Growing scary trend
Becoming secure & compliant.
A more holistic approach is within your span of control.
Health care breaches and fines.
• Breach Wall of Shame
– Being asked to provide good faith effort
• 100% of HIPAA Fines Levied
– Failure to assess ALL Risks
– Lack of Administrative Policy and Procedures
– Failure to have BAA
• Average fine of $1.5M
https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf
Products are a “partial” fix ~ Cisco Systems.
Deloitte: above the surface incident costs.
Deloitte: below the surface hidden costs, risks.
Example of long term risk.
US Health Company
The Situation
• Planned to raise $1 billion in debt capital to acquire a health system
• Paid $7 million annual premium for a $100 million cyber insurance policy
• A laptop containing 2.8 million of its personal health information (PHI) records had been stolen from the company’s health care analytics software vendor. The compromise was revealed days later when the company was notified by a corporate client that the client’s employee information had been listed for sale on cybercrime “dark web” sites.
Corporate Stats
• $60 billion annual revenue / 50,000 employees
• 23.5 million members across the US (60 percent subscribed through employer contracts)
• Used a patient care application, which provides medical alerts and allows health practitioners across its provider network to access patient records and insurance coverage information
• Held open enrollment (the annual period when people can enroll in health insurance plans) November through January
• Regulated by both state and federal authorities
Immediate “known” impact, costs, risk…and “unknown”.
Cost table shown on the slide: Sub-total 59.00 (3.52%)
Common Misperceptions: Cybersecurity & Compliance realities
Cybersecurity realities and fundamentals.
• Attackers are well capitalized, supported by criminal syndicates, foreign countries, and activists against the U.S. Knowing your enemy (the attacker) is the key to building a winning strategy. Work with a provider who can research and profile attackers and hackers and can assist with best practices for defending and protecting the organization.
• We are fighting a global economic human survival battle. It’s beyond good vs. evil / right vs. wrong. It’s not paranoia if they really are “out to get you”…but calmer heads do prevail, especially during a crisis. Table top exercises and training on breach and ransom scenarios will help identify gaps within internal processes that lead to downtime and loss of life.
• Buying technology and hiring experts is not the end-all cure. There are no silver bullets…but even silver bullets can kill a werewolf. So layer your security; diversify your shields, weapons, arsenal. Discuss what should be sourced, deployed, and managed internally and what should be managed externally by a third party.
Cybersecurity and compliance complexities.
1. NIST 800-53: (256 Controls / 18 Families)
2. NIST CSF: (5 Sections / 22 Categories (Functions) / 98 Subcategories (Outcomes))
3. CIS 20/CIS RAM: (1-6 Basic / 7-16 Foundational / 17-20 Organizational)
4. COBIT
5. ISO/IEC 27001
6. NCUA/ASET/AIRES
7. FFIEC
8. FINRA
9. NERC-CIP
10. PCI DSS: (6 Sections / 12 Requirements)
11. HIPAA: (3 Security Safeguard Sections / 18 Categories)
12. HITECH
13. HITRUST
14. SSAE-18 (16)
15. SOX
16. OWASP
https://www.cisecurity.org/controls/
Cybersecurity realities and fundamentals.
• Focus on what is within your span of control. Trying to build a world-class compliance or cyber team when that is not your core competency isn’t cost effective or realistic. Determine what skills and capabilities you can and will build in-house and begin the journey. Take a look at launching a cyber hygiene program built around the 4 P’s:
– People are the weakest link and are being cyber-stalked by criminals and hackers. Continuous education and enforcement of practices is critical.
– Passwords: best practices include changing out default manufacturer passwords on software and hardware, and moving toward passphrases with special characters.
– Patching of mission- and business-critical systems is critical, but so is ongoing vulnerability management that includes scanning for and identifying vulnerable and unsecured systems and controlling their access to the network.
– Program creation and ongoing maintenance is critical. Leadership, management, employees, contractors and vendors need to be aware that a formal program exists, and that leadership is committed to security through a “Cyber Declaration”.
HIPAA compliance fundamentals.
• Implementing policies, procedures, standards of conduct.
• Designating a compliance officer and committee.
• Conducting effective training and education.
• Developing effective lines of communication.
• Conducting internal monitoring and auditing.
• Enforcing standards through well-publicized disciplinary guidelines.
• Responding promptly to detected offenses, undertaking corrective action.
Reducing Risk: Being pragmatic, focusing on items within your span of control
Best practices: cyber hygiene program.
https://www.knowledgenet.com/webinars/cyber-hygiene-best-practices/
People
Passwords
Patching
Program (Holistic)
Cyber hygiene fundamentals.
Passwords
– Password Phrases with Special Characters
– Infrequent Changes
– Password Vaults and Manager Programs
Patching
– Prioritize Systems and Assets that are Vulnerable (crown jewels)
– Understand Frequency of Updates, Patching
– Prioritize Patching Timeframes, Windows
Core Fundamentals for Reducing Risks & Preventing Cyber-Attacks
Based on servicing thousands of customers, from start-ups to Fortune 500 across dozens of industries, below is a list of 4 specific areas to focus on and invest within that will help reduce cybersecurity and compliance risks and help prevent threats and attacks.
People
– Security Education, Training & Awareness Programs (SETA)
– Cyber Declarations
– Phishing Simulations
Program
– Document Current Maturity Level of Program, Policies, Technologies
– Identify Gaps
– Determine Investment, Go Forward Strategy (Build, Operate, Run, Maintain)
*https://www.knowledgenet.com/webinars/cyber-hygiene-best-practices/
What to do NOW about the threat, risk summary.
Minimums – Maturity Level?
❑ Start with Current State Review
❑ People (SETA, Internet Usage)
❑ Passwords (Methods, Vault)
❑ Patching (Planned, Automated)
❑ Program (SIEM, Logging/Monitoring, Policies, Procedures, Resources)
• Backups (Full, Off-Network)
• Limit and Lock Down Administrative and System Access Control/Write
• Encryption (At Rest, In Transit)
• Limit, block network access (RDP, etc.), email file extension delivery
❑ Update Business Continuity & Disaster Recovery Plans (Ransomware, Social Engineering)
• Business Process Assessments, Security Ops, Monitoring, Next Gen End Point, IoT Protection, Inventory, Assessment & Pen Testing
Optimal
❑ Cyber Declaration – Infrequent Training is not Enough
• Integrate Physical & Cyber Programs, Assessments, Processes
• Expanded SOC; Include Physical & Macro-Micro Geographical – Social Intelligence
❑ Table Tops & Simulated Physical and Cyber Attacks – Whaling
❑ Simulated Ransomware, BPC, BEC Attacks
• Integrate Response Methods into BCDR Plans
• Next Gen Authentication, Access Control Tech-Methods
• Master Change Management (it’s inevitable)
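The 4 P’s of the cyber hygiene program (people, passwords, patching, program) and the “Minimums” checklist above both describe checks a security team should run across its asset inventory. The following Python script is an added example, not code from the deck or from Terra Verde: it takes a constructed inventory and reports, crown jewels first, which assets still use default manufacturer credentials, fall short of passphrase guidance, have fallen outside their patching window, expose RDP, lack an off-network backup, or are unencrypted at rest. The default-credential list, the patch windows, the 16-character passphrase threshold and the hostnames are all assumptions made for the example.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import date

# Constructed sample of factory-default credentials (assumption; a real list
# would come from each vendor's documentation and your own asset records).
DEFAULT_CREDENTIALS = {("admin", "admin"), ("admin", "password"), ("root", "root")}

# Patch windows per asset tier, in days. Assumed values, not from the deck.
PATCH_WINDOW_DAYS = {"critical": 14, "standard": 30}

# Passphrase guidance: length is the main lever, plus one special character.
MIN_PASSPHRASE_LEN = 16


@dataclass
class Asset:
    name: str
    tier: str               # "critical" (crown jewel) or "standard"
    username: str
    password: str
    last_patched: date
    rdp_exposed: bool       # RDP reachable from outside the internal network
    offline_backup: bool    # a full backup is kept off-network
    encrypted_at_rest: bool


def password_findings(asset: Asset) -> list[str]:
    """Passwords: default credential replaced, passphrase length, special character."""
    findings = []
    if (asset.username, asset.password) in DEFAULT_CREDENTIALS:
        findings.append("default manufacturer credential still in use")
    if len(asset.password) < MIN_PASSPHRASE_LEN:
        findings.append(f"password shorter than a {MIN_PASSPHRASE_LEN}-character passphrase")
    if not any(not ch.isalnum() and not ch.isspace() for ch in asset.password):
        findings.append("passphrase contains no special character")
    return findings


def patch_findings(asset: Asset, today: date) -> list[str]:
    """Patching: compare the age of the last patch with the window for the asset's tier."""
    age_days = (today - asset.last_patched).days
    window = PATCH_WINDOW_DAYS[asset.tier]
    if age_days > window:
        return [f"last patched {age_days} days ago, exceeds {window}-day window"]
    return []


def program_findings(asset: Asset) -> list[str]:
    """Program minimums from the checklist: off-network backups, RDP exposure, encryption at rest."""
    findings = []
    if asset.rdp_exposed:
        findings.append("RDP reachable from outside the internal network")
    if not asset.offline_backup:
        findings.append("no full off-network backup")
    if not asset.encrypted_at_rest:
        findings.append("data not encrypted at rest")
    return findings


def assess(assets: list[Asset], today: date) -> list[tuple[str, str, list[str]]]:
    """Return (name, tier, findings) for every asset with gaps; crown jewels and worst gaps first."""
    report = []
    for asset in assets:
        findings = (password_findings(asset)
                    + patch_findings(asset, today)
                    + program_findings(asset))
        if findings:
            report.append((asset.name, asset.tier, findings))
    report.sort(key=lambda row: (row[1] != "critical", -len(row[2]), row[0]))
    return report


# Constructed inventory for the demonstration; hostnames and values are invented.
TODAY = date(2019, 6, 1)
SAMPLE_ASSETS = [
    Asset("ehr-db-01", "critical", "admin", "admin", date(2019, 4, 17), True, False, False),
    Asset("imaging-ws-07", "standard", "svc_pacs", "correct horse battery staple!",
          date(2019, 5, 22), False, True, True),
    Asset("hvac-ctrl-02", "standard", "root", "Tr0ub4dor&3", date(2019, 4, 2), False, False, True),
]


def sample_report() -> list[tuple[str, str, list[str]]]:
    """Run the check over the constructed inventory."""
    return assess(SAMPLE_ASSETS, TODAY)


if __name__ == "__main__":
    for name, tier, findings in sample_report():
        print(f"{name} [{tier}]")
        for finding in findings:
            print(f"  - {finding}")
```

Each asset's findings map directly onto a line of the checklist, so the same report can be used to document the current maturity level and to identify gaps, as the “Program” fundamentals call for; feeding it a real inventory export instead of the constructed list is the only change needed.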
Predictions:
https://www.terraverdeservices.com/risk-management/2018-cyber-attack-trends-and-industry-predictions/
Resources
Breaches-Reports-Examples-Trends
http://compliance-group.com
http://www.freewave.com/iot-security-risks-shouldnt-ignore/
https://iot-analytics.com/top-10-iot-segments-2018-real-iot-projects/
https://www.cbronline.com/cybersecurity/breaches/top-five-biggest-threats-iot-security/
http://www.experian.com/assets/data-breach/white-papers/2018-experian-data-breach-industry-forecast.pdf
https://www.datamation.com/security/slideshows/top-10-iot-security-threats.html
https://softwarestrategiesblog.com/2018/01/01/roundup-of-internet-of-things-forecasts-and-market-estimates-2018/
https://www.businessinsider.com/internet-of-things-report
https://www.techrepublic.com/article/enterprise-iot-adoption-to-hit-critical-mass-by-2019-but-security-remains-a-top-concern/
https://resources.infosecinstitute.com/the-top-ten-iot-vulnerabilities/
https://threatpost.com/cloudpets-may-be-out-of-business-but-security-concerns-remain/132609/
https://threatpost.com/open-mqtt-servers-raise-physical-threats-in-smart-homes/136586/
https://threatpost.com/threatlist-attacks-on-industrial-control-systems-on-the-rise/137251/
https://threatpost.com/threatlist-almost-half-of-the-worlds-top-websites-deemed-risky/136636/
https://www.statista.com/statistics/471264/iot-number-of-connected-devices-worldwide/
https://www.statista.com/statistics/485136/global-internet-of-things-market-size/
https://newsroom.trendmicro.com/press-release/commercial/trend-micro-survey-finds-iot-deployment-decisions-made-without-consulting-s
https://www.ciatec.com/2018/03/internet-of-things-iot-definition/
https://arstechnica.com/information-technology/2018/09/dozens-of-ios-apps-surreptitiously-share-user-location-data-with-tracking-firms/
https://freedom-to-tinker.com/2018/04/23/announcing-iot-inspector-a-tool-to-study-smart-home-iot-device-behavior/
https://gizmodo.com/the-house-that-spied-on-me-1822429852
https://threatpost.com/iot-malware-activity-already-more-than-doubled-2016-numbers/126350/
https://www.csoonline.com/article/3302367/security-infrastructure/hacking-smart-buildings.html
https://www.csoonline.com/article/3299016/internet-of-things/botnet-of-smart-air-conditioners-and-water-heaters-could-bring-down-the-power-grid.html
https://www.csoonline.com/article/3300336/security/mirai-leveraging-aboriginal-linux-to-target-multiple-platforms.html
https://www.csoonline.com/article/3303796/internet-of-things/securing-iot-devices-fortinets-fortinac-automates-the-process.html
https://threatpost.com/black-hat-exclusive-video-the-iot-security-threat-looms-for-enterprises/134991/
https://threatpost.com/video-bishop-fox-on-device-threats-and-layered-security/136716/
https://www.redpixie.com/blog/iot-security-challenges-finance
https://threatpost.com/post-wannacry-5-5-million-devices-still-expose-smb-port/126249/
https://www.information-age.com/internet-things-security-crisis-123470475/
https://www.forbes.com/sites/forbestechcouncil/2018/07/16/your-iot-is-probably-not-a-ok/#775ca280763d
https://www.congress.gov/bill/115th-congress/senate-bill/1691/actions
https://threatpost.com/black-hat-2018-iot-security-issues-will-lead-to-legal-feeding-frenzy/134997/
https://threatpost.com/belkin-iot-smart-plug-flaw-allows-remote-code-execution-in-smart-homes/136732/
https://threatpost.com/researchers-shine-light-on-smart-bulb-data-theft/137003/
https://threatpost.com/the-vulnerability-disclosure-process-still-broken/137180/
https://threatpost.com/magentocore-card-skimmer-found-on-mass-numbers-of-e-commerce-sites/137117/
Ransomware/Malware
https://cybersecurityventures.com/global-ransomware-damage-costs-predicted-to-exceed-8-billion-in-2018/
https://www.helpnetsecurity.com/2018/07/11/2018-sonicwall-cyber-threat-report/
https://www.recordedfuture.com/ransomware-trends-2018/
https://blog.barkly.com/ransomware-statistics-2018
https://threatpost.com/threatlist-ransomware-attacks-down-fileless-malware-up-in-2018/136962/
https://threatpost.com/bad-actors-sizing-up-systems-via-lightweight-recon-malware/137364/
https://threatpost.com/threatlist-email-attacks-surge-targeting-execs/137385/
https://threatpost.com/cobalt-group-targets-banks-in-eastern-europe-with-double-threat-tactic/137075/
https://threatpost.com/domestic-kitten-mobile-spyware-campaign-aims-at-iranian-targets/137304/
https://threatpost.com/magentocore-card-skimmer-found-on-mass-numbers-of-e-commerce-sites/137117/
https://threatpost.com/threatlist-supply-chain-defenses-need-improvement/134271/
https://blog.barkly.com/local-government-cybersecurity-2018-ransomware-attacks
https://www.aig.co.uk/content/dam/aig/emea/united-kingdom/documents/Insights/cyber-claims-report-may-18.pdf
https://www.aig.co.uk/insights/cyber-ransomeware-disrupts-business?cmpid=SMC-tw-AIGemea-Claims_Intel_Cyber-20180601103600
https://healthitsecurity.com/news/healthcare-cybersecurity-threats-hinder-hit-development
https://www.comparitech.com/antivirus/ransomware-statistics/#gref
https://www.cyentia.com/2017/07/25/ransomware-p3-prevalence/
https://www.trendmicro.com/vinfo/us/security/research-and-analysis/threat-reports/roundup/unseen-threats-imminent-losses
https://securityboulevard.com/2018/07/gandcrab-v4-ransomware-remove-and-restore-krab-encrypted-files/
https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-september-14th-2018-kraken-dharma-and-matrix/
https://www.securityweek.com/grandcrab-new-king-ransomware
https://dazeinfo.com/2018/08/14/ransomware-in-india-escan/
https://research.checkpoint.com/gandcrab-ransomware-mindset/
https://www.skyflok.com/2018/08/29/cybercriminals-using-innovative-grandcrab-for-ransomware-attacks/
https://www.crowdstrike.com/blog/an-in-depth-analysis-of-samsam-ransomware-and-boss-spider/
https://threatpost.com/active-spy-campaign-exploits-unpatched-windows-zero-day/137237/
https://threatpost.com/in-wake-of-biggest-ever-ddos-attack-experts-say-brace-for-more/130205/
Thank You! www.TVRMS.com