TRANSCRIPT
Evolving Healthcare Cybersecurity Programs with Lessons Learned
Session CYB5, March, 5, 2018
Bayardo Alvarez, Director IT, Boston PainCare Center
Dan Bowden, CISO, Sentara Healthcare
Agenda
• Introductions
• Sentara’s IT Security Journey
• Boston PainCare Center’s IT Security Journey
• Lessons Learned & Best Practices
• Questions
Conflict of Interest
Bayardo Alvarez, Director IT, Boston PainCare Center
Dan Bowden, CISO, Sentara Healthcare
Have no real or apparent conflicts of interest to report.
Learning Objectives
• Explain how to communicate and educate your senior leadership and management about cybersecurity initiatives and events
• Explore the challenges with managing a cybersecurity program, its people, processes, and technology
• Illustrate associated best practices and provide guidance for small and medium providers, based upon experiences and lessons learned
Introductions
• Dan Bowden
– VP & CISO, Sentara Healthcare
– 25+ years in cybersecurity and technology architecture
– CHIME/AEHIS member, Public Policy and CISA 405(d) Task Group
• Bayardo Alvarez
– Director, Information Technology at Boston PainCare Center
– 10 years in healthcare industry, 30+ years in I.T.
– Chair, HIMSS Privacy & Security Committee
Sentara Healthcare
Building an Effective IT Security Program
Sentara Healthcare – At A Glance
• 130-Year Not-for-Profit Mission
• $6.4B Total Assets
• 7 Magnet Nursing Hospitals
• 11 Long-Term / Assisted Living Centers / PACE
• 3,800 Physicians
• 2,758 Beds
• 12 Hospitals
• 300+ Sites of Care
• $5.1B Total Operating Revenues
• Aa2/AA Ratings
• 4 Medical Groups (1,000+ Providers)
• 445,000-Member Health Plan
• Sentara College of Health Sciences
• 28,000+ Members of the Team
Educating Leadership & Board
Setting Priorities
• Find out what the Board wants
• Continually work on establishing Risk Tolerance with Executive Leadership
• Based on the two points above, set the agenda and priorities
• How does the program benchmark against premier peers?
• What threats and vulnerabilities are most likely to be exploited? Impact?
Handling Cyber Security Threats
Key Technologies and Processes are a must for all Organizations
• NETWORK SEGMENTATION: Practice of separating networks to protect and limit exposure to threats.
• SECURITY OPERATIONS CENTER (SOC): Utilizing IBM Watson to be smarter at detecting and prioritizing Cyber Threats
• 2 FACTOR AUTHENTICATION: Secure Remote Access for all users. 81% of hacking-related breaches leveraged either stolen and/or weak passwords
• 3rd PARTY RISK: Evaluate and manage risk from Business Associates, Subcontractors, Affiliated Providers, Joint Ventures, Strategic Partners
• OPERATIONAL LEADERSHIP: Key operational leaders meet monthly to review, discuss and act on Cyber Security Metrics and emerging threats
Many of these initiatives are visible to the Board of Directors and are stated annual organizational goals
Who are your partners in developing best practices for Cyber Security?
• What is the Information Sharing & Analysis Organization (ISAO)?
Mission: Improve the Nation’s cybersecurity posture by identifying standards and guidelines for robust and effective information sharing and analysis related to cybersecurity risks, incidents, and best practices.
Simplified Incident Response Strategy
How do we respond to a cyber security incident?
0. PREVENTION
1. DISCOVERY
• Report Discovery via proper channels
2. EVALUATION & TRIAGE
• Incident Response Team
• Incident Analysis – Assess the Impact
• MINOR: Detect & Resolve
• MAJOR: Escalate through Incident Response Plan
3. MANAGING THE SHORT TERM CRISIS
• Immediate Response Planning
• Communications, PR, Crisis Management
• Forensic Investigation
• Containment / Mitigation
• Legal Review
• Recovery
4. LONG TERM RESPONSE MANAGEMENT
• Long Term Recovery Planning: Legal, Reputational, Media
• Customer Communications
• Recommend Improvements
Cyber Security influences on operational and strategic processes
• Proactive Cyber Audits for new partnerships
• Annual Planning for Cyber Investments
• Cyber Security is a Team Sport
Evaluating 3rd parties’ cyber security risk
1) Gain objective insight into 3rd party cyber security
2) Allocate risk resources to where they are most needed
3) Engage partners with accurate, actionable security insights
4) Continuously monitor partner performance
5) Collaborate with partners to reduce risks
Dashboards
Managing Challenges – Getting Things Done
• Governance vs. Culture
– Governance is how the organization says it makes decisions and gets things done
– Culture is how the organization actually makes decisions and gets things done
– A large gap between Governance and Culture requires more communication
– Effective Program Strategy must account for both: “Culture eats Strategy for Breakfast”
• People Strategy
• Process Strategy
• Technology Strategy
Best Practices & Guidance
• Top Threats
• Cybersecurity Hygiene vs. Control Compliance
• Hygiene provides meaningful, tangible Capabilities against Threats
• Capability Functions: Identify, Protect, Detect, Respond, Recover
Best Practices & Guidance
What would “any decent CISO” put on the agenda?
– Identity and Access Management
– Phishing – Email Protection
– Malware, Ransomware – Endpoint Protection
– Medical Device Security
– Vulnerability Management
– Insider Threat
– Lost/Stolen Devices
– Asset Management
– ePHI Inventory – DLP
– Network Management, Segmentation
– Security Operations Center, Incident Response
– Policies and Procedures
Dan - Top 10 Lessons Learned
• Seek first to understand, and then to be understood – Covey
• Lead by building trust and influence, not by pointing at the org chart
• Telegraph your plans, allow others buy-in, create joint ownership
• Act and speak like the C-Suite and Board to be included
• Make your boss and their boss look good
• Create pre-determined outcomes
• People first, then Process, then Technology
• Recruit and re-recruit your People, from dedication to commitment
• Look for “net adds”, there is always a small win available, they add up
• Capitalize on crisis
Boston PainCare Center
Challenges, Goals, Approach
Boston PainCare Center
• Chronic Pain Management
• Interdisciplinary Practice
• 3 Centers & Billing Office
• Physicians, Staff, Consultants < 100
• On-premise Servers & Endpoints < 250
Challenges
• Limited budget
• Resource constraints
• Cost-competitive technologies
• Cybersecurity knowledge gap
• Keeping management on board
• Staff with multiple roles, many priorities
• Smaller scale, similar threats
• COMPLY WITH THE SAME RULES AND REGULATIONS
Our Goals
HIPAA Compliance: Confidentiality, Integrity, Availability
Risk-based Approach
• Prioritize data, systems and infrastructure
• Understand vulnerabilities and threats
• Choose to mitigate, remediate, transfer, accept
• Identify and implement safeguards
• Review, revise and repeat
Prioritizing Cybersecurity
• 20 CIS Controls:
– Prioritized set of actions
– Highly effective, actionable steps
– Maximize limited resources
– Map to compliance frameworks
Communicating Cybersecurity
• Keep cybersecurity on the agenda
• Avoid technical jargon, translate to business
• Be realistic, don’t understate or overstate
• Cybersecurity is not static, it is not binary
• Inform yourself before you inform others
The Human Factor
• Make security a core value
• Increase awareness, educate staff
• Onboard training, updates and bulletins
• Remind people what to do, how to respond, who to report to
• Help people understand risks: Cause & Effect
Leverage Features
• Operating System Policies:
– Password complexity
– Software restrictions
– Control removable storage
– Browser security features
– Prevent driver execution
– Centralized updates
• Multi-Function Devices:
– Change default passwords
– Rename default user accounts
– Restrict administrative access
– Disable Universal PnP
– Disable unused protocols
– Disable insecure protocols
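As an added example (not from the presentation or either organization), a small Python audit that checks a multi-function device configuration against the checklist above. The default-account and default-password lists, the insecure-protocol set, the protocol allowlist and the management network are assumed placeholders, and both device configurations are constructed samples.

```python
import ipaddress

# Assumed placeholder lists; replace with your vendors' documented defaults.
DEFAULT_ACCOUNTS = {"admin", "administrator", "root", "service"}
DEFAULT_PASSWORDS = {"", "admin", "password", "1234", "12345678"}
# Cleartext or legacy protocols that should be replaced by secure variants.
INSECURE_PROTOCOLS = {"telnet", "ftp", "http", "snmpv1", "snmpv2c", "smbv1"}

def audit_mfd(cfg, required_protocols, mgmt_networks):
    """Return (severity, finding) tuples; empty list means the device matches
    the checklist. required_protocols: protocols the print/scan workflow
    really needs. mgmt_networks: CIDRs from which administration is allowed."""
    findings = []
    for name, pw in cfg["accounts"].items():
        if name.lower() in DEFAULT_ACCOUNTS:
            findings.append(("medium", f"default account name still in use: {name}"))
        if pw in DEFAULT_PASSWORDS:
            findings.append(("high", f"default/weak password on account: {name}"))
    if cfg.get("upnp_enabled"):
        findings.append(("medium", "Universal PnP is enabled"))
    # Administrative access must be limited to the management network(s).
    mgmt = [ipaddress.ip_network(n) for n in mgmt_networks]
    if not cfg.get("admin_allowed_from"):
        findings.append(("high", "admin access is not restricted to any source network"))
    for src in cfg.get("admin_allowed_from", []):
        if not any(ipaddress.ip_network(src).subnet_of(m) for m in mgmt):
            findings.append(("high", f"admin access allowed from outside mgmt network: {src}"))
    enabled = {p.lower() for p in cfg["protocols_enabled"]}
    for p in sorted(enabled & INSECURE_PROTOCOLS):
        findings.append(("high", f"insecure protocol enabled: {p}"))
    for p in sorted(enabled - set(required_protocols) - INSECURE_PROTOCOLS):
        findings.append(("low", f"unused protocol enabled: {p}"))
    return findings

# Constructed sample: a device still in factory state.
FACTORY_MFD = {
    "accounts": {"admin": "admin"},
    "upnp_enabled": True,
    "admin_allowed_from": [],  # empty: anyone who can reach the web UI
    "protocols_enabled": ["HTTP", "HTTPS", "IPP", "Telnet", "FTP", "SNMPv1", "SMBv1", "LPD"],
}
# Constructed sample: the same device after applying the checklist.
HARDENED_MFD = {
    "accounts": {"bpc-print-admin": "<strong unique passphrase>"},
    "upnp_enabled": False,
    "admin_allowed_from": ["10.20.0.0/24"],
    "protocols_enabled": ["HTTPS", "IPP", "SNMPv3"],
}
REQUIRED = {"https", "ipp", "snmpv3"}   # assumed workflow allowlist
MGMT = ["10.20.0.0/24"]                 # assumed management network
```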
https://www.cisecurity.org/cis-benchmarks/
Layer Security
Layers surrounding the DATA at the core:
• Operating System
• Group Policies
• Anti-Malware
• Intrusion Detection
• Awareness & Education
• Server Spam Filter
• Web Filter
• Firewall
• BIOS
• Cloud Spam Filter
Open Source & “Free” Solutions
• Consider the project’s activity, maturity, downloads, reviews
• Reach out to the community for support, insight, feedback
• Understand features and limitations before implementing
• Caveats:
– Often requires advanced technical knowledge to implement
– Lack of technical support, guarantees, development continuity
– Some projects eventually become commercial products
– Some projects become stale, cease to evolve
Account Lockout Examiner
Empower Staff
• Build up your cybersecurity team
• Extend your staff with outside team “champions”
• Team up staff with staff, consultants and vendors
• Review policies and procedures with your team
• Transfer knowledge, delegate tasks, empower
Centralize Compliance Information
• Endpoint Protection
• Backup Jobs
• Web Filter
• Configuration Changes
An Ever Evolving Program
Capability functions: Identify, Protect, Detect, Respond, Recover
Program cycle: Identify Assets → Evaluate Threats/Risks → Apply/Monitor Safeguards → Respond to Security Incidents → Adjust as Needed
1) Categorize System
2) Select Security Controls
3) Implement Security Controls
4) Assess Security Controls
5) Authorize System
6) Monitor Security Controls
Bayardo - Lessons Learned
• Start with basic, fundamental controls
• Balance cybersecurity and functionality
• Keep management apprised and on board
• Awareness and education are cost-effective controls
• Approach cybersecurity as a program, not a project
• It’s about the business, not the technology