A CHIME Leadership Education and Development Forum in collaboration with iHT2
What is Cyber Security and Why is it Crucial to Your Organization?
_______
Key Attributes for Success, Challenges and Critical Success Factors
● Mac McMillan | FHIMSS/CISM | CEO | CynergisTek, Inc. ●
#LEAD14
Sun Tzu & Cybercrime
“If you know the enemy, and know yourself, then you may not fear the results of a hundred battles. If you know yourself but not the enemy, for every victory gained you will suffer a defeat.”
HIMSS Cyber Security Survey (reported impact of security incidents)
• Limited Disruption to Operations: 62%
• Loss of Data/Information: 21%
• Significant Impact on IT Systems: 8%
• Damage to IT Systems: 8%
• Other Impact: 7%
Threat Actors & Their Motivation
Threat actors:
• Organized Crime
• Hacktivists
• Cyber Thieves
• Malicious Insiders
• Careless Insiders
• Busy Insiders
• State Actors
Motivations:
• Financial Gain
• Intellectual Property
• Extortion
• ID/Med ID Theft
• Espionage
• Embarrassment
• Good Intentions
Accidents, Mistakes & Deliberate Acts
• Phishing/hacking nets nearly $3M from six healthcare entities
• Vendor sells hospital’s X-rays (films) to third party
• Resident loses track of USB with information on over 500 orthopedic patients
• Portable electronic device with patient data stolen from hospital
• Physician has laptop stolen from vacation home
• 2,200 physicians victims of ID theft/tax fraud
• Printers returned to leasing company compromise thousands of patient records
• Health System reports third stolen laptop with 13,000 patient records
• Billing for 400 hospitals delayed as clearinghouse hit with ransomware
• Children’s hospital hacked, with a successful DoS for three days, by Anonymous in protest of the treatment and holding of a girl
• Physician robbed at gun point, phone and computer taken, thief demands passwords
• International hacking group uses phishing, then steals information on almost 80M people
• Medical devices hacked to compromise hospital networks using MedJack attack
• Seven health systems hit by phishing resulting in major breaches
• New York hospital hacked by pro-ISIS supporters, website defaced with ISIS propaganda
• And, on and on it goes…
The Emergent Threat
DefCon/BlackHat 2015
• Medical Devices: Pwnage and Honeypots
• Shall We Play a Game?
• USB Attack to Decrypt WiFi
• WhyMI so Sexy? WMI Attacks & Defense
• I Will Kill You
• Scared Poopless – LTE and “your” Laptop
• Confessions of a Professional Cyber Stalker
• From 0 to Pwnd – Social Engineering
• Jailbreaking & Rooting Devices
• Advanced Infrastructure Hacking
• Advanced Windows Exploitation
• Advanced Web Attacks
Healthcare in the Media
• Hacking healthcare: A Guide to
Standards, Workflows and MU
• Hacking Healthcare
• MIT Hacking Medicine
• Hacking Health Care
• Let’s Hack Healthcare
Significant Threats of the Future (percent of respondents)
• Phishing Attacks: 69%
• Negligent Insiders: 65%
• APT Attacks: 63%
• Cyber Attacks: 59%
• Zero Day Attacks: 53%
• Exploit Known Software Vulnerabilities: 53%
• Malicious Insiders: 50%
• Social Engineering Attacks: 49%
• Denial of Service (DoS): 39%
• Brute Force Attacks: 34%
Challenges To Data Security (surrounding the CISO)
• Complexity
• Insiders
• Vendors
• Mobile Devices
• mHealth
• Fraud
• ID Theft
• Physical Loss/Theft
• Cyber Attacks
• Regulations
• Staffing
Increased Reliance
• More than 98% of all processes
are automated, more than 98%
of all devices are networkable,
more than 95% of all patient
information is digitized
• Hyper connectivity dominates
what we do
• IT systems and applications
are critical to care delivery,
business operations
• Moving to a patient centric
model will only further
complicate the enterprise
Insider Abuse: Trust, But Verify
• It is estimated that more than half of
all security incidents involve staff.
• 51% of respondents in a SANS study
believe the negligent insider is the
chief threat.
• 37% believe that security awareness
training is ineffective.
• Traditional audit methods and manual auditing are completely inadequate.
• Behavior modeling, pattern analysis and anomaly detection are what is needed.
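The slide asks for behavior modeling and anomaly detection in place of manual audit review. The script below is an added example, not code from the deck or from CynergisTek, showing the shape of that over EHR access audit logs: each user's daily chart-access volume is baselined against same-role peers rather than a fixed global threshold, restricted charts are checked against a care-team table, and off-hours activity is flagged for roles that should not be working then. The log lines, care-team table, role list, business-hours window and the 3x peer multiplier are all constructed assumptions.

```python
"""Behavior baselining and anomaly detection over EHR access audit logs.

Added example: the log lines, care-team table and thresholds below are
constructed for illustration and do not come from any real system.
Record format (one per line): <ISO timestamp> <user> <role> <patient_id> <action>
"""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Assumed policy data: restricted charts and who may open them, and roles
# that are not expected to work outside business hours.
CARE_TEAM = {"P9001": {"nurse02", "dr01"}}
BUSINESS_HOURS_ROLES = {"billing"}
BUSINESS_HOURS = (7, 19)      # 07:00 <= hour < 19:00
PEER_MULTIPLIER = 3           # flag a user above 3x the peer median chart count


def build_sample_log():
    """Constructed one-day audit log: three nurses and three billing clerks.

    clerk01 opens four times as many charts as peer clerks, opens the
    restricted chart P9001 without being on its care team, and does so at
    23:40. nurse02 is on P9001's care team, so that access is legitimate.
    """
    day = "2015-09-14"
    lines = []
    for i, user in enumerate(["nurse01", "nurse02", "nurse03"]):
        for j in range(3 + i % 2):                       # 3, 4, 3 charts
            lines.append(f"{day}T08:{10 + j:02d}:00 {user} nurse P10{i}{j} view")
    for user, n in [("clerk01", 20), ("clerk02", 5), ("clerk03", 5)]:
        for j in range(n):
            lines.append(f"{day}T09:{j:02d}:00 {user} billing P2{j:03d} view")
    lines.append(f"{day}T14:00:00 nurse02 nurse P9001 view")
    lines.append(f"{day}T23:40:00 clerk01 billing P9001 view")
    return "\n".join(lines)


SAMPLE_LOG = build_sample_log()


def parse_log(text):
    """Parse whitespace-separated audit records into dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, role, patient, action = line.split()
        records.append({"ts": datetime.fromisoformat(ts), "user": user,
                        "role": role, "patient": patient, "action": action})
    return records


def detect_anomalies(records):
    """Return (kind, user, subject, detail) tuples for three insider patterns."""
    findings = []

    # 1. Volume: distinct charts per user per day against same-role peers.
    #    A peer baseline catches the clerk who reads 20 charts on a day when
    #    peers read 5; one global threshold would miss it or fire on nurses.
    charts = defaultdict(set)
    role_of = {}
    for r in records:
        charts[(r["user"], r["ts"].date())].add(r["patient"])
        role_of[r["user"]] = r["role"]
    by_role_day = defaultdict(list)
    for (user, day), patients in charts.items():
        by_role_day[(role_of[user], day)].append((user, len(patients)))
    for (role, day), counts in by_role_day.items():
        peer_median = median(n for _, n in counts)
        for user, n in counts:
            if n > PEER_MULTIPLIER * peer_median:
                findings.append(("volume", user, str(day),
                                 f"{n} charts vs {role} peer median {peer_median:g}"))

    # 2. Restricted chart opened by someone outside its care team.
    for r in records:
        allowed = CARE_TEAM.get(r["patient"])
        if allowed is not None and r["user"] not in allowed:
            findings.append(("restricted", r["user"], r["patient"], r["ts"].isoformat()))

    # 3. Off-hours activity by a role that should only work business hours.
    for r in records:
        in_hours = BUSINESS_HOURS[0] <= r["ts"].hour < BUSINESS_HOURS[1]
        if r["role"] in BUSINESS_HOURS_ROLES and not in_hours:
            findings.append(("off_hours", r["user"], r["patient"], r["ts"].isoformat()))
    return findings


if __name__ == "__main__":
    for finding in detect_anomalies(parse_log(SAMPLE_LOG)):
        print(*finding)
```

On the constructed log all three detectors converge on clerk01 and nothing fires on the nurses, including nurse02's legitimate access to the restricted chart. In production the same three signals would be fed from the EHR's access log export, with the care-team table coming from the ADT/scheduling system rather than a literal.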
Questionable Supply Chains
• Better inventories of vendors with PHI
• Risk-based approach to managing third parties
• Greater due diligence in vetting vendors
• Security requirements in contracting should be SLA-based
• Particular attention to cloud, SaaS,
infrastructure support, critical service
providers
• Life cycle approach to data protection
• Detailed breach and termination
provisions
Devices Threaten Safety & Information
• 2010/2011 successful hacks of an insulin pump and an ICD (implantable cardioverter defibrillator)
• In June 2013 the DHS tested 300
devices from 40 vendors, ALL failed
• 2014 multiple variants of a popular
blood pump hacked
• 2015 MedJack hacks demonstrate the vulnerability of the network from medical devices
• We are no closer…
“Yes, Terrorists could have
hacked Dick Cheney’s heart.”
-The Washington Post
Malware & Persistent Threats
• 3.4 million BotNets active
• 20-40% of recipients in phishing exercises fall for
scam
• 26% of malware delivered via HTML, one in less than
300 emails infected
• Malware analyzed was found undetectable by nearly
50% of all anti-virus engines tested
• Microsoft no longer provides security patches for Windows XP (since April 2014), Windows Server 2003 (since July 2015), Windows 2000, NT, etc.
• EOL systems still prevalent in healthcare networks
• Hardening, patching, configuration, change
management…all critical
• Objective testing and assessment
“FBI alert warns healthcare not prepared”
2006: 200K · 2008: 17M · 2013: 73M
Mobility & Data
• Medical staff are turning to their mobile devices to communicate because it’s easier, faster, more efficient…
• Sharing lab or test results, locating another physician
for a consult, sharing images of wounds and radiology
images, updating attending staff on patient condition,
getting direction for treatment, locating a specialist
and collaborating with them, transmitting trauma
information or images to EDs, prescribing or placing
orders
• Priority placed on the data first and the device second
• Restrict physical access where possible, encrypt the
rest
ID Theft & Fraud
• Medical identity theft and fraud cost billions each year, affecting everyone
• US-CERT estimates 47% of cybercrime is aimed at healthcare
• Healthcare directed attacks have increased more
than 20% per year for the last three years
• Identity theft comes in all forms and is costly
– Insiders selling information to others
– Hackers exploiting systems
– Malware with directed payloads
– Phishing for the “big” ones
Theft & Losses Thriving
• 68% of healthcare data breaches due to
loss or theft of assets
• 1 in 4 houses is burglarized, a B&E
happens every 9 minutes, more than
20,000 laptops are left in airports each
year…
• First rule of security: no one is immune
• 138%: the % increase in records exposed in
2013
• 6 – 10%: the average shrinkage rate for
mobile devices
• Typical asset inventories are off by 60%
“Unencrypted laptops and mobile devices
pose significant risk to the security of
patient information.” -Sue McAndrew,
OCR
Hacking & Other Cyber Criminals
• Defenses are not keeping pace
• Three most common attacks: spear phishing, Trojans & malvertising
• APTs, phishing, watering-hole attacks, fraud, etc.
• Most organizations can’t detect or address
these threats effectively
• An advanced incident response capability is
required
• Results in losses of time, dollars, downtime,
reputation, litigation, etc.
• Conduct independent risk assessments
regularly
Targeted Attacks (chart, 0–100 scale)
• Organizations suffering a targeted attack
• Sophistication of attack hardest element to defeat
• No increase in budget for defenses
“I feel like I am a targeted class, and I
want to know what this institution is
doing about it!” -Anonymous Doctor
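The slide names spear phishing as the most common attack and says most organizations cannot detect it effectively. The script below is an added example, not from the deck, of three sender-identity heuristics a mail gateway or SOC triage job applies before a message reaches a clinician: an executive's display name on an address that is not theirs, a sender domain that is a lookalike of (or wraps) the organization's own, and a Reply-To that diverges from the From domain. The organization domain, the executive directory and the six message headers are constructed; only `email.utils.parseaddr` and `email.message_from_string` from the standard library are relied on.

```python
"""Sender-identity checks for spear-phishing triage.

Added example, not from the original deck. The directory, domains and the
six message headers below are constructed; the checks are three common
mail-gateway heuristics: executive display-name impersonation, lookalike
or embedded sender domains, and Reply-To divergence.
"""
import email
from email.utils import parseaddr

ORG_DOMAIN = "example-health.org"                 # assumed: the hospital's domain
EXECUTIVES = {                                     # assumed directory (fictional)
    "pat rivera": "pat.rivera@example-health.org",
    "lee chen": "lee.chen@example-health.org",
}
LOOKALIKE_MAX_DISTANCE = 2

SAMPLE_MESSAGES = [
    # 0: ordinary internal mail
    "From: Pat Rivera <pat.rivera@example-health.org>\nSubject: Q3 budget\n\nbody",
    # 1: CFO's name on a webmail address (classic wire-fraud pretext)
    "From: Pat Rivera <pat.rivera.cfo@gmail.com>\nSubject: urgent wire\n\nbody",
    # 2: CIO's name on a homoglyph domain (l -> 1)
    "From: Lee Chen <lee.chen@examp1e-health.org>\nSubject: W-2 request\n\nbody",
    # 3: internal-looking From with replies routed elsewhere
    "From: HR <hr@example-health.org>\nReply-To: hr@mail-secure-update.net\nSubject: Reset\n\nbody",
    # 4: unrelated external sender, nothing suspicious about its identity
    "From: Support <support@vendor-corp.com>\nSubject: invoice\n\nbody",
    # 5: org domain used as a subdomain of an attacker-controlled domain
    "From: IT <it@example-health.org.login-verify.com>\nSubject: MFA\n\nbody",
]


def edit_distance(a, b):
    """Levenshtein distance; small values between domains signal lookalikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _domain(address):
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def sender_findings(raw_message):
    """Return the list of sender-identity findings for one raw RFC 822 message."""
    msg = email.message_from_string(raw_message)
    display, addr = parseaddr(msg.get("From", ""))
    domain = _domain(addr)
    findings = []

    # Display name matches an executive but the address is not theirs.
    key = " ".join(display.lower().split())
    if key in EXECUTIVES and addr.lower() != EXECUTIVES[key]:
        findings.append("exec display name with foreign address")

    # Sender domain is not ours but is built to look like it.
    if domain and domain != ORG_DOMAIN:
        if ORG_DOMAIN in domain:
            findings.append("org domain embedded in foreign domain")
        elif edit_distance(domain, ORG_DOMAIN) <= LOOKALIKE_MAX_DISTANCE:
            findings.append("lookalike domain")

    # Replies would go to a different domain than the one shown in From.
    reply_to = msg.get("Reply-To")
    if reply_to and _domain(parseaddr(reply_to)[1]) != domain:
        findings.append("reply-to domain differs from sender")
    return findings


if __name__ == "__main__":
    for i, raw in enumerate(SAMPLE_MESSAGES):
        print(i, sender_findings(raw) or "clean")
```

Message 3 shows why these checks are heuristics rather than verdicts: a From address in the organization's own domain looks clean on its own, and only the Reply-To divergence gives it away; header-origin checks such as SPF/DKIM/DMARC results, which are not modeled here, would be the next layer.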
More Compliance
• OIG shifts focus to funds recovery
• OCR’s permanent audit program will resume in FY 2015 with new capabilities
• Improvements and automation in reporting
and handling complaints
• Meaningful Use takes a step backwards with
Stage 3
• The FTC, FDA, FCC, HHS and DoJ take a more
active role in Healthcare privacy and security
• States continue to create new laws
– Florida Information Protection Act
– New Jersey Health Insurers Encryption Law
SB1353 seeks to establish common framework for security
and create universal requirement for notification.
When organizations tell consumers
they will protect their personal
information, the FTC can and will
take enforcement action to ensure
they live up to these promises.
CISO Needed…
• HIMSS Cyber Security survey found 52%
had a full time security person
• In a 2014 study healthcare CISOs gave themselves an average maturity rating of 4.35 on a scale of 1-7
• Many report missing critical technologies
to fight today’s threats, improving in 2015
• More than half of healthcare entities spend
less than 3% of their IT budget on data
protection, no improvement
• Focus, alignment, and staffing challenges
• Many healthcare security managers are first
timers
Healthcare finds itself in a contest for
security professionals when everyone,
both government and private sector,
need them – and the outlook is not
positive.
Barriers to Successful Implementation of Data Security
Percent
Lack of Personnel 64%
Lack of Financial Resources 60%
Too Many Emerging/New Threats 42%
Too Many Endpoints 32%
Not Enough Cyber Threat Intelligence 28%
Too Many Applications 25%
Lack of Tools to Use/Deploy Cyber Threat Intel 20%
Q & A
Mac McMillan
mac.mcmillan@cynergistek.com
(512) 402-8555
@mmcmillan07

CHIME Lead Forum - Seattle 2015
