Breaches and Ransomware! How Does Your Security Compare?
Session #31, February 20, 2017
Ron Mehring, CISO, Texas Health Resources
David Houlding, Director of Healthcare Privacy & Security, Intel
Speakers Introduction
David Houlding, MSc CISSP CIPP
Director, Healthcare Privacy & Security
Intel Health & Life Sciences
Ron Mehring
VP, Technology & Security
Texas Health Resources
Conflict of Interest
Ron Mehring and David Houlding
Have no real or apparent conflicts of interest to report.
Agenda
1. Healthcare Breaches, Ransomware, and Compliance
2. How Does Your Security Compare?
3. Healthcare Industry Security - Gaps and Opportunities for Improvement
4. Healthcare: Face Security Challenges as a Team
5. Information Sharing in Practice
6. Opportunities to Engage in Healthcare Security Information Sharing
7. Q&A
Learning Objectives
• Discuss effective approaches to defending against cybersecurity attacks
• Apply effective approaches to sharing cybersecurity information
• Discuss cybersecurity benchmarking
An Introduction of How Benefits Were Realized for the Value of Health IT
• Satisfaction: improve patient satisfaction and build trust by helping to improve security and reduce breaches and ransomware
• Electronic Secure Data: improve security of sensitive patient information
– Highlight gaps, enable information sharing to improve security
• Savings: reduce breaches and ransomware and associated business impacts and costs
Breaches & Ransomware – A Perfect Storm
Four converging factors (slide diagram):
• Data more widely available
• Data more valuable
• Intolerant to disruption
• Security lagging
Healthcare Breaches and Ransomware Impact
Per capita cost of a data breach by industry [4]:
Healthcare      $355
Education       $246
Financial       $221
Services        $208
Life science    $195
Retail          $172
Communications  $164
Industrial      $156
Energy          $148
Technology      $145
Hospitality     $139
Consumer        $133
Media           $131
Transportation  $129
Research        $112
Public          $80
• Healthcare has the highest data breach costs per capita. [2]
• More than half of hospitals were hit with ransomware in the last 12 months. [3]
• Cost: 1.6B per year in the US. [1]
Healthcare Security - Survival
• Severe impact of breaches
• Compliance is necessary
… but not sufficient
• How far do you have to go?
• How does your security compare?
• How can you benchmark your security?
Improved Breach Security, Usability, Cost, IT Operations
Security capabilities by maturity level (slide diagram):
Baseline
+ Policy, Risk assessment
+ Audit and compliance
+ User training
+ Endpoint device encryption
+ Mobile device management
+ Data Loss Prevention (discovery)
+ Anti-malware
+ IAM, Single factor access control
+ Firewall
+ Email gateway
+ Web gateway
+ Vulnerability management, patching
+ Security incident response plan
+ Secure Disposal
+ Backup and Restore
Enhanced
+ Device control
+ Penetration testing / vulnerability scan
+ Client Solid State Drive (encrypted)
+ Endpoint Data Loss Prevention
+ Network Data Loss Prevention (monitoring, capture)
+ Anti-theft: remote locate, lock, wipe
+ Multi-factor authentication with timeout
+ Secure remote administration
+ Policy based encryption for files and folders
+ Server / database / backup encryption
+ Network segmentation
+ Network Intrusion Prevention System
+ Business associate agreements
+ Virtualization
Advanced
+ Server Solid State Drive (encrypted)
+ Network Data Loss Prevention (prevention)
+ Database activity monitoring
+ Digital forensics
+ Security Information and Event Management
+ Threat intelligence
+ Multi-factor authentication with walk-away lock
+ Client Application Whitelisting
+ Server Application Whitelisting
+ De-identification / anonymization
+ Tokenization
+ Business Continuity and Disaster Recovery
Healthcare Security Benchmark
• How does your security compare to the healthcare industry?
• Comprehensive: 8 breach types, 42 security capabilities
• 51+ healthcare organizations, projected to grow by multiples
• Global: 8+ countries
• Maturity, priorities, and capabilities
• Compliance mappings: HIPAA, NIST, PCI DSS, ISO 2700x, GDPR, CIS, …
• Sample report: Intel.com/BreachSecurity
• Open industry collaboration, with 40+ partners globally
• Other industries, for example Retail, enable cross-vertical comparisons
Healthcare Priorities by Breach Type
#  Breach Type                                Priority / Level of Concern
1  Ransomware                                 High (88%)
2  Cybercrime Hacking                         Medium / High (78%)
3  Insider Accidents or Workarounds           Medium (59%)
4  Loss or Theft of Mobile Device or Media    Medium (52%)
5  Business Associates                        Medium (47%)
6  Insider Snooping                           Medium (47%)
7  Improper Disposal                          Low / Medium (41%)
8  Malicious Insiders or Fraud                Low / Medium (41%)
Source: Intel.com/BreachSecurity, N=51, global scope, Thursday, 5 Jan 2017 15:20 PST
Ransomware Readiness
• Percentage of relevant capabilities implemented: lowest 17%, average 59%, highest 85%
• Large variation in readiness, lack of awareness
• Raise awareness, bring in stragglers
• Help iterate the healthcare industry up levels of maturity
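As an added illustration of the readiness measure above (not Intel's benchmark code or data), the following Python computes "percentage of relevant capabilities implemented" per breach type and the lowest, average and highest across a peer set, plus the gap list an organization would use to close in on the leaders. The capability-to-breach-type relevance map and the three organizations are constructed for this example and do not reproduce the benchmark's real 42 x 8 matrix; the capability names follow the Baseline/Enhanced/Advanced lists earlier in the deck.

```python
"""Capability-coverage readiness scoring of the kind the benchmark slides describe.

Added example, not Intel's benchmark code. Breach types come from the slides;
the relevance map and the peer organizations are constructed for illustration.
"""
from __future__ import annotations

from statistics import mean

# Constructed relevance map: which capabilities count toward readiness for a
# given breach type. This is NOT the benchmark's real 42 x 8 matrix.
RELEVANT_CAPABILITIES: dict[str, frozenset[str]] = {
    "Ransomware": frozenset({
        "user_training", "anti_malware", "email_gateway", "web_gateway",
        "vulnerability_management_patching", "backup_and_restore",
        "security_incident_response_plan", "network_segmentation",
        "client_application_whitelisting", "threat_intelligence",
    }),
    "Loss or Theft of Mobile Device or Media": frozenset({
        "endpoint_device_encryption", "mobile_device_management",
        "anti_theft", "policy_risk_assessment", "user_training",
    }),
}


def readiness(implemented: set[str], breach_type: str) -> float:
    """Percentage of the capabilities relevant to breach_type that are implemented."""
    relevant = RELEVANT_CAPABILITIES[breach_type]
    return round(100.0 * len(relevant & implemented) / len(relevant), 1)


def gaps(implemented: set[str], breach_type: str) -> list[str]:
    """Relevant capabilities still missing, sorted so reports are stable."""
    return sorted(RELEVANT_CAPABILITIES[breach_type] - implemented)


def benchmark(orgs: dict[str, set[str]], breach_type: str) -> dict:
    """Lowest / average / highest readiness across peers, plus each org's own score."""
    scores = {name: readiness(caps, breach_type) for name, caps in orgs.items()}
    values = list(scores.values())
    return {
        "lowest": min(values),
        "average": round(mean(values), 1),
        "highest": max(values),
        "scores": scores,
    }


# Constructed peer set: fictional organizations, not benchmark participants.
PEERS: dict[str, set[str]] = {
    "hospital_a": {
        "user_training", "anti_malware", "email_gateway", "web_gateway",
        "vulnerability_management_patching", "backup_and_restore",
        "security_incident_response_plan", "endpoint_device_encryption",
        "mobile_device_management", "firewall",
    },
    "clinic_b": {"anti_malware", "firewall", "backup_and_restore"},
    "network_c": {
        "user_training", "anti_malware", "email_gateway", "web_gateway",
        "vulnerability_management_patching", "backup_and_restore",
        "security_incident_response_plan", "network_segmentation",
        "client_application_whitelisting", "endpoint_device_encryption",
    },
}

if __name__ == "__main__":
    for breach_type in RELEVANT_CAPABILITIES:
        result = benchmark(PEERS, breach_type)
        print(f"{breach_type}: lowest {result['lowest']}%, "
              f"average {result['average']}%, highest {result['highest']}%")
    print("hospital_a ransomware gaps:", gaps(PEERS["hospital_a"], "Ransomware"))
```

The same organization scores very differently per breach type (hospital_a is mid-pack on ransomware but leads on device loss), which is why the benchmark reports readiness per breach type rather than as one number.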
User Awareness Training Capability
• Foundational
• Phishing
– Ransomware
– Cybercrime Hacking
• Accidents and Workarounds
Risk Assessment Capability
• Foundational
• Prioritize risks
• Maximize budget
• Prepare for audits
Endpoint Device Encryption Capability
• Foundational
• Protect Confidentiality
• Loss or Theft of Mobile Device or Media
Security Incident Response Plan Capability
• Foundational
• Decisive and coordinated response to security incidents
• Stop loss
• Minimize impact
• Remediate
• Avoid improvising during a security incident
• Many steps and organizations involved
Threat Intelligence Capability
• (Early!) detection is key
• Acquisition and sharing of threat and vulnerability information
• Reputational
• Static / dynamic analysis
• Behavioral analytics
• Enable healthcare to face threats as an industry rather than individually
How Does Your Security Compare?
• Benchmark security relative to the healthcare industry
– Maturity, priorities, capabilities
– Mappings to HIPAA, NIST, PCI DSS, ISO 2700x, GDPR, CIS, …
• 1 hour, complimentary, confidential
• Sample report at Intel.com/BreachSecurity
• Information sharing through benchmarks
Security from a Healthcare Delivery System Perspective
Setting the Organizational Risk Profile and Priorities
• In even the smallest healthcare organizations, risk prioritization can be difficult.
• Security programs have many different pressure points that complicate risk decisions.
• Using benchmarks can help inform risk management.
Healthcare and the integrated cyber future
• Optimization of healthcare operations is driving the adoption of new and innovative technology platforms.
• Mergers and acquisitions are occurring at an increasing rate.
• Tighter technology integration is occurring across multiple platform types.
• The end user and the patient are driving new and innovative technology use cases.
Living with Risk in a Healthcare Delivery System
• Design and operate controls with the understanding that both unknown and known risk will exist in the healthcare system.
• Inventory as much risk as possible. Treat it as a portfolio of risk rather than as independent risks.
• Be cautious of aggregate pooling of risk.
• Consider using an all-hazards approach. Inventory threat scenarios and orient them to risk.
• Use “High Reliability Principles” when analyzing risk and associated scenarios and designing controls.
• Be data driven!
Cyber Risk Portfolio (slide diagram): Medical Device, Vendor Risk, Applications, Core Infrastructure, JV - Partners
Operations and Risk
• Ensure operational performance data is fed back into the risk program.
• Apply techniques such as Kanban and Theory of Constraints; they can help improve performance.
• Use risk scenarios (threat models) as a bridge between risk management and operations.
• Recognize that security risk decisions are tradeoffs.
• Best practices still must have a risk analysis performed. Not all best practices are appropriate for every environment.
• Be cautious of using “cybersecurity dogma” as a basis for risk prioritization.
Slide diagram: Risk drives Operations through appetite and requirements; Operations feeds Risk back through performance and outcomes.
Information Sharing and Benchmarks
Navigating unfamiliar waters
• Have you ever wondered what your industry peers are focused on?
• What attacks are your industry peers seeing?
We all have the same questions and problem sets.
Sharing is caring
https://www.infragard.org
https://nhisac.org
https://hitrustalliance.net
Information sharing is an excellent way to crowdsource your cyber security program. There are multiple sharing forums for threat information, implementation experiences and benchmark data.
Inventory of Risk, Benchmarks and Exposure
Slide diagram: Identified Risks weighed against Benchmarks.
• Should we invest in clinical workstation encryption or not?
• Benchmarks can be helpful and provide great context, but proceed with caution.
• Example exposure finding: clinical workstations do not store data and are not encrypted.
In the absence of benchmarks create your own
Medical Devices - Shining Light in Dark Places
Medical Device Risk Management (slide diagram, steps 1 to 4):
1. Identify exposure
2. Design high reliability based controls
3. Continuously monitor, measure and act
4. Cross functional steering group
Supporting practices shown alongside the steps:
• Get involved with industry groups such as NH-ISAC and MDISS
• Perform risk assessments; group by vendor, device type and use case
• Threat and vulnerability identification
• Recognize control limitations
• Understand the uniqueness of medical device systems
• An appropriate balance between safety and privacy must be recognized
• Establish risk thresholds
• Tailored incident response plan
Let's start with Vulnerability Management
• The problem with many vulnerability management programs is that they assume a bad outcome will occur. This can make it difficult to prioritize.
• In most cases there is an enormous volume of weighted data with limited context.
• There is a need to inform the vulnerability process with bad-outcome and threat intelligence data.
• Applying risk-based approaches to remediation prioritization requires synchronization of risk scenarios and harm events.
• Most organizations do not have the ability to fix all of their high-risk vulnerabilities.
Creating a more effective, data driven Vulnerability Management program
• At Texas Health Resources we use a data driven approach that melds high reliability principles, theory of constraints and kanban processes.
• Prioritization and controlling Work in Progress drives a successful, operationally sensitive vulnerability management program.
• Vulnerability management has a daily cadence and rhythm.
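As an added example, not Texas Health Resources' own code or scoring model, the following Python shows one way to implement the prioritization described in the last two slides: weight each scanner finding by threat intelligence, exposure and harm context rather than by scanner severity alone, then pull work into a Kanban-style queue that respects a Work in Progress limit. The tier weights, multipliers, host names and findings (with placeholder identifiers, not real CVEs) are constructed for illustration.

```python
"""Risk-based remediation prioritization with a Kanban-style WIP limit.

Added example, not Texas Health Resources' code. Weights, tiers and findings
are constructed; finding identifiers are placeholders, not real CVEs.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    finding_id: str             # constructed identifier, not a real CVE
    host: str                   # constructed host name
    cvss: float                 # scanner severity, 0.0 to 10.0
    exploited_in_wild: bool     # threat intelligence: observed bad outcome
    internet_facing: bool       # exposure
    asset_tier: str             # harm context, see TIER_WEIGHT
    compensating_controls: int  # controls already mitigating this host


# Constructed harm weights: a clinical system is the worst place for a bad
# outcome, a development box the least.
TIER_WEIGHT = {"clinical": 1.0, "business": 0.7, "dev": 0.4}


def risk_score(f: Finding) -> float:
    """Score 0..100: CVSS scaled by harm, raised by threat and exposure, lowered by controls."""
    score = f.cvss * 10 * TIER_WEIGHT[f.asset_tier]
    if f.exploited_in_wild:
        score *= 1.5   # an observed bad outcome, not an assumed one
    if f.internet_facing:
        score *= 1.3
    score *= 0.8 ** f.compensating_controls
    return round(min(score, 100.0), 1)


def plan_remediation(findings: list[Finding], wip_limit: int,
                     in_progress: list[Finding]) -> tuple[list[Finding], list[Finding]]:
    """Rank open findings by risk_score and pull only as many as the WIP limit allows.

    Returns (pull_now, backlog). Items already in progress occupy WIP slots.
    """
    open_slots = max(wip_limit - len(in_progress), 0)
    ranked = sorted((f for f in findings if f not in in_progress),
                    key=risk_score, reverse=True)
    return ranked[:open_slots], ranked[open_slots:]


# Constructed findings (not from a real scan).
FINDINGS = [
    Finding("finding-1", "infusion-pump-gateway", 7.5, True, True, "clinical", 0),
    Finding("finding-2", "build-server", 9.8, False, False, "dev", 1),
    Finding("finding-3", "lab-results-db", 9.8, False, False, "clinical", 2),
    Finding("finding-4", "payroll-app", 6.4, True, False, "business", 0),
    Finding("finding-5", "patient-portal-web", 5.3, False, True, "business", 0),
]
IN_PROGRESS = [FINDINGS[2]]   # finding-3 is already being patched
WIP_LIMIT = 3

if __name__ == "__main__":
    pull_now, backlog = plan_remediation(FINDINGS, WIP_LIMIT, IN_PROGRESS)
    for f in FINDINGS:
        print(f"{f.finding_id:10} cvss={f.cvss:4} risk={risk_score(f):6}")
    print("pull now:", [f.finding_id for f in pull_now])
    print("backlog: ", [f.finding_id for f in backlog])
```

Note that finding-2 carries the highest CVSS yet ranks last once context is applied, while the clinical gateway with an exploited, internet-facing flaw is pulled first; the WIP limit, not the length of the high-severity list, decides how much moves into active work today.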
Threat and Security Incident Management
• Directly integrating threat events and incidents into a risk management framework is critically important.
• Create a feedback loop of indicators and risk thresholds that flow into operations and continuous improvement processes.
• Data driven workflows allow for the measuring of control performance and effectiveness.
• There are benchmarks and reports that can assist.
Continuous Improvement, Data Driven Assessments and Exercises
• Improving incident response performance and baselining control effectiveness requires continuous assessment, exercising and testing.
• A quarterly independent assessment cycle ensures regular testing of control effectiveness.
• Adding risk exposure and threat data into the assessment helps ensure the assessment cycle is focused on testing weaknesses in compensating controls.
• Data feeds the continuous improvement cycle and reinforces high reliability principles.
A Summary of How Benefits Were Realized for the Value of Health IT
• Satisfaction: improve patient satisfaction and build trust by helping to improve security and reduce breaches and ransomware
– Benchmarks, information sharing, collaboration
• Electronic Secure Data: improve security of sensitive patient information
– Highlight maturity, 8 priorities, 42 capabilities, gaps, to enable information sharing in order to improve security
• Savings: reduce breaches and ransomware and associated business impacts and costs
– Frequency of occurrence, business impact
Questions?
• [email protected]
• linkedin.com/in/DavidHoulding
• twitter.com/DavidHoulding
• twitter.com/mehringrc
• linkedin.com/in/ron-mehring
• Please complete the online session evaluation