
Page 1: IMPROVING READINESSgo2.cynergistek.com/rs/376-BKO-495/images/...2018.pdf · decade in information security, including time with the U.S. Army, CSG International, Peter Kiewit and

IMPROVING READINESS

MEETING CYBER THREATS

2018 REPORT


REPORT CONTENTS

3 REPORT AUTHORS

4 A NEW DIRECTION

5 EXECUTIVE SUMMARY

7 NIST CSF ASSESSMENT RESULTS

14 INFORMATION SECURITY & ENTERPRISE RISK MANAGEMENT

16 RISK MANAGEMENT & BEHAVIORAL ANALYTICS: NEW APPROACHES TO MANAGING DATA PRIVACY

18 PRINTERS & PRINTING ON THE RISE DESPITE SECURITY & PRIVACY RISKS

20 DETECTION & PREVENTION: THE GIFTS THAT KEEP ON GIVING ... IF YOU DO THEM

24 SCOURGE OF RANSOMWARE & MALWARE INCIDENTS: HEALTHCARE UNDER ATTACK

26 PREPARING FOR THE UNTHINKABLE WITH INCIDENT RESPONSE PLANNING

28 FINAL THOUGHTS


REPORT AUTHORS

DAVID FINN | EVP, Strategic Innovation

David Finn has been involved in leading the planning, management, and control of enterprise-wide, mission-critical information technology and business processes for more than 30 years.

SEAN HUGHES | EVP, Managed Print Services

Sean Hughes has over 25 years of experience within mid to large healthcare delivery systems and has spent the last 15 years in a variety of senior Information Technology leadership roles.

JEREMY MOLNAR | SVP, Security Services

Jeremy Molnar has nearly 20 years of experience dedicated to information security, with the majority of it focused on healthcare IT.

MAC McMILLAN | CEO & President

Mac McMillan has nearly 40 years of combined intelligence, security countermeasures and consulting experience from senior positions within both the government and private sector.

JOHN NYE | VP, Cybersecurity Strategy

John Nye has spent nearly a decade in information security, including time with the U.S. Army, CSG International, Peter Kiewit and Sons, First Data Corp, and KPMG LLP.

DAVID HOLTZMAN | VP, Compliance Strategies

David Holtzman has nearly 15 years of experience in developing, implementing and evaluating healthcare privacy and security compliance programs from both government and private sector positions.

CLYDE HEWITT | VP, Security Strategy

Clyde Hewitt has more than 30 years of cybersecurity leadership experience from various senior IT and information security positions both in the United States Air Force and the private sector.

MARTI ARVIN | VP, Audit Strategy

Marti Arvin has extensive operational and leadership experience in compliance, research and regulatory oversight in academic medical and traditional hospital care settings.


A NEW DIRECTION

This year’s annual report takes a decidedly different approach than past years’ annual threat reports and focuses instead on a key question that many boards and executives in healthcare are asking today: “How ready are we for a cyber event?” It is certainly a question we hear regularly and clearly from the organizations where we work.

We try to answer that question with this report by first analyzing the aggregated maturity ratings of assessments performed in 2017 using the NIST Cyber Security Framework (CSF) as their benchmark standard. That sample represents the entire continuum of care including Business Associates. It includes everything from Critical Access Hospitals to large Academic Medical Centers. It represents rural medical centers to large multi-state, multi-hospital systems. It is comprised of hundreds of facilities across America. It represents payers large and small, clinics and physician groups. And it represents many different businesses that make up healthcare’s extended supply chain. This represents the new reality within which healthcare operates. In this age of hyper connectivity, each of us is only as secure and prepared as those we connect with and to.

The maturity ratings are then dissected by multiple criteria (size, revenues, type, etc.) to allow multiple perspectives on the subject. It is important to remember that these are averages across several hundred entities, meaning that some entities actually did very well, some did not do so well, and many were somewhere near the mean. Some of these organizations also employed other standards as part of their assessment, such as ITIL, ISO 27001, PCI DSS, FERPA, FISMA, HIPAA and others. And many also included state-level requirements.

All of the subjects of this analysis were also measured against the HIPAA Security Rule and turned in markedly higher results. But HIPAA measures an organization primarily for compliance purposes, which while important does not deter or protect against modern cybersecurity threats. The HIPAA Security Rule is narrowly focused, overwhelmingly concentrated on confidentiality, and more than 15 years old with no updates. It is not a framework, nor an industry standard, and not sufficient to base an organization’s cybersecurity readiness on.

The CSF allows us to measure more holistically an entity’s readiness to deter, detect, respond and recover from cybersecurity incidents. Understanding readiness was our primary goal for this report using an industry-vetted, comprehensive and contemporary standard. It is time to change the dialogue and our approach to information security in healthcare. The focus going forward needs to be predicting where the threat is going and on improving our readiness posture to effectively protect systems, data and patients.

Kathryn Drake | Editor


EXECUTIVE SUMMARY

Mac McMillan | CEO & President

Cybersecurity is not just an IT issue – it is the number one business risk of the 21st century.

If healthcare is to be more successful in the future in protecting its systems and data, and by default that which is most important, the patient, it has to start looking forward: focusing on readiness, investing in state-of-the-art security to match its state-of-the-art care delivery ecosystem, and recognizing that going it alone isn’t going to work. Once again, we saw healthcare experience an incredible number of cyber events as reported in the press. What is even more chilling is that there were far more events that were not reported, because they did not meet the threshold for reporting. As an industry we need to become less preoccupied with breaches of confidentiality and adopt equal priority for breaches involving integrity and availability.

This report presents a sobering analysis of the results of over a hundred assessments, representing hundreds of individual hospitals, clinics, ancillary facilities, payers, business associates, etc. against the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF). It tells us that despite over ten years of regulation there is still considerable room for improvement in cybersecurity. Those same organizations overwhelmingly received passing grades against the HIPAA Security and Privacy Rules when measured for compliance, demonstrating once again that compliance does not equate to security, nor will it protect your health system from a cyber incident.

Everything that we have focused on in the past will not apply going forward. Knowing the bad actors is not possible as the threat has become both ubiquitous and for the most part anonymous. Building fortresses with high walls, gates and moats will not stop the threat in a hyper-connected healthcare organization that is reliant on its affiliates, associates and supply chain to provide care and services. Security will need to use machine learning and artificial intelligence to identify threats and take action. Focusing on the past will have limited value as the threat is changing constantly and more rapidly than ever before.

Creating a centralized security team with all of the skills and expertise needed is also an antiquated concept. First, because the necessary resources do not exist for everyone, and second, because it would be cost prohibitive. Instead, two new concepts need to replace this idea. One, that every IT person must acquire cybersecurity skills, and two, it will take building a community of support organizations to respond to needs when they are required.


Networks, systems and applications are also no longer considered the biggest targets for cyber criminals. People represent the fastest growing attack surface we have. In 2015, 25 percent of the population was connected to the internet. In 2017, that number was 51 percent, and by 2022 it is expected to be 75 percent. Healthcare is counting on this and moving to more patient-centric models of care that envision taking advantage of millions of devices that will connect care givers to patients. Those devices represent one of the fastest-growing threats in the cyber world.

Healthcare operates today in a world where everything is being attacked and exploited in one manner or another. Things that it has counted on for years, and in many cases taken for granted, are now at risk. Critical infrastructures like power grids, public transportation and communications are all increasingly popular targets for hacker groups, particularly nation state actors and organized crime. Responding to and recovering from disasters, and making sure operations can continue in the presence of these events, need to be re-evaluated. This is particularly true when considering operations and the continuum of data for critical services.

The level of sophistication of attackers continues to rise, and healthcare can no longer assume they are not the targets of very capable cyber criminal elements. Sensitive information of all types has value and is the currency of the underworld. Attackers know that healthcare organizations offer a treasure trove of information. Human intervention as a reliable security concept in the face of this new reality is obsolete. In the future, systems will use artificial intelligence to do amazing things with data and hackers will use it against those systems and to try to avoid detection. From a cyber perspective, systems will need to be able to measure behavioral norms to identify questionable activity and take action, just as successfully recognizing and stopping fraud and inappropriate acts by users will require advanced behavioral analysis.

Cyber attacks will continue to grow in sophistication, speed and impact in 2018. While we need to rethink our philosophy around security and our approach, one constant remains: good cyber hygiene is the foundation of a solid cybersecurity program. And the blueprint for that is a solid cybersecurity framework. The fact that more and more hospitals and health systems are focusing on the NIST CSF and not just the HIPAA Privacy and Security Rules is a very positive step forward. This report is a first attempt to provide the industry with a glimpse into healthcare’s state of readiness to meet this challenge.

“You can’t do cybersecurity after the fact. You have to be proactive; reactivity is a no-win strategy.”

Dr. Ron Ross, Fellow at the National Institute of Standards and Technology (NIST)


NIST CSF ASSESSMENT RESULTS

Data Gathered from Healthcare Organizations Throughout the Nation

AVERAGE NIST CSF CONFORMANCE: 45%

MEDIAN NIST CSF CONFORMANCE: 45%

STANDARD DEVIATION ACROSS ALL ASSESSMENTS: 26%

Based on our assessments for 2017 and using a 6-point scale (0 – 5) ranging from “0 – Incomplete” to “5 – Optimized Process” (process is defined, meets its outcomes and is continuously improved to meet relevant current and projected business goals), we determined the national average and then broke the details down based on organization type and size.

Looking at all the data, we see an average (mean) of 45% conformance with NIST CSF. Assuming that the maximum potential is 100%, our average of 45% is not a particularly promising sign. While the NIST CSF is only four years old, the HIPAA Security Rule will turn 13 in 2018 and healthcare is still catching up.

Because we had a significant standard deviation, we know that we had a broad distribution above and below the median. That was indeed what the data showed: some organizations scored very high and some had barely moved the dial on NIST CSF.

The message, once again, is that as an industry we are not equipped or prepared to address cyber threats or incidents when they occur, or even identify where those risks may be or recognize them when they happen. While the aphorism that, “a rising tide lifts all boats,” might be comforting, in the world of cyber risk and threats, it is – unfortunately – more accurate to invoke a different maxim: “A chain is only as strong as its weakest link.”


AVERAGE CONFORMANCE WITH NIST CSF BY NUMBER OF EMPLOYEES

≤500 20%

500-2,500 47%

2,500-5,000 56%

5,000-7,500 64%

7,500-10,000 61%

≥10,000 65%

AVERAGE CONFORMANCE WITH NIST CSF BY HOSPITAL TYPE

Critical Access Hospital 18%

Short Term Acute Care Hospital 48%

Children’s Hospital 50%

Health System 56%

Academic Medical Center 65%

AVERAGE CONFORMANCE WITH NIST CSF BY BED SIZE

≤100 21%

100-250 53%

250-500 61%

500-750 51%

750-1,000 54%

1,000-2,000 55%

≥2,000 66%

AVERAGE CONFORMANCE WITH NIST CSF BY ORGANIZATION TYPE

Physicians Group 27%

Hospital/Health System 49%

Business Associate 59%

Digging into the data, we found that physician groups lag both hospitals/health systems and business associates. Based on our base of assessments, business associates lead hospitals and health systems in NIST compliance, but it should be noted that these are business associates who actively sought security risk assessments in 2017.

By hospital type, not surprisingly, the smaller the hospital, the lower the level of NIST compliance. This should be a reminder that we are all connected: while your organization may have many of the NIST practices and guidelines in place, connecting with organizations that have less security raises your risk.


AVERAGE CONFORMANCE WITH NIST CSF BY ANNUAL REVENUE

≤$50M 27%

$50M-$100M 16%

$100M-$250M 39%

$250M-$500M 50%

$500M-$750M 58%

$750M-$1B 70%

$1B-$2B 64%

≥$2B 65%

Interestingly, revenue is not necessarily a good predictor of better security. Organizations with less than $50M in revenue scored significantly higher than those in the $50M to $100M range. Organizations in the range of $500M to $1B in revenue scored higher than the next two tiers, and higher than any other revenue range.

“25% of consumers have changed their healthcare provider in response to a data breach.”

Accenture, 2017 Consumer Survey on Cybersecurity and Digital Trust.


Drilling down into the NIST CSF itself, we looked at the Core Elements (Identify, Protect, Detect, Respond, Recover).

The Protect Function supports the ability to limit or contain the impact of a potential cybersecurity event. An average of 2.2 indicates another area for significant improvement.

Across the board, the lowest ratings were in the Detect Function. The Detect Function enables timely discovery of cybersecurity events. Examples of outcome Categories within this Function include: Anomalies and Events; Security Continuous Monitoring; and Detection Processes. The average here of 2.1 indicates great need for improvement across the sector.

Understanding that events will happen, and no one can prevent every incident, response should be an area of more focus – it will be critical to almost every organization at some point. The rating of just over 2.5 indicates most organizations are not prepared to respond comprehensively to a cyber incident at their organization.

AVERAGE CONFORMANCE WITH NIST CSF BY FUNCTION

(Scale: 0 Incomplete; 1 Performed Process; 2 Managed Process; 3 Established Process; 4 Predictable Process; 5 Optimized Process)

Identify 2.4

Protect 2.2

Detect 2.1

Respond 2.5

Recover 2.5


AVERAGE NIST CSF CONFORMANCE BY FUNCTION BY HOSPITAL TYPE

Identify Protect Detect Respond Recover

Academic Medical Center 2.8 2.4 2.5 2.8 3.0

Children’s Hospital 2.4 2.1 2.0 2.8 2.8

Health System 2.5 2.2 2.3 2.7 2.6

Short Term Acute Care Hospital 2.5 2.3 2.2 2.6 2.6

Critical Access Hospital 2.2 1.7 1.0 1.7 1.8

AVERAGE NIST CSF CONFORMANCE BY FUNCTION BY ORGANIZATION TYPE

Identify Protect Detect Respond Recover

Physicians Group 2.0 1.8 1.7 2.0 1.8

Hospital/Health System 2.5 2.2 2.2 2.6 2.5

Business Associate 2.6 2.5 2.3 2.8 2.9

Not surprisingly, physician practices lag all other covered entities and business associates across all five Core Elements. While not surprising, it is of great concern, since so much care actually occurs in doctors’ offices. Those same physicians also connect to hospitals, health systems, payers, other physicians, and business associates, posing new and additional risks for everyone.

The industry has long recognized that critical access hospitals have the greatest struggle in achieving compliance with the HIPAA Privacy and Security Rules; lacking financial and human resources, their focus is on keeping operations up and running. It will be important that organizations connecting to and sharing with critical access hospitals understand what is actually in place and where the risks are.


AVERAGE NIST CSF CONFORMANCE BY FUNCTION BY NUMBER OF EMPLOYEES

Identify Protect Detect Respond Recover

≤500 2.1 1.7 1.2 1.9 1.8

500-2,500 2.5 2.2 2.1 2.7 2.7

2,500-5,000 2.6 2.3 2.3 2.6 2.6

5,000-7,500 2.7 2.3 2.8 2.8 2.7

7,500-10,000 2.7 2.3 2.7 2.7 3.0

≥10,000 2.7 2.3 2.2 3.0 3.0

AVERAGE NIST CSF CONFORMANCE BY FUNCTION BY ANNUAL REVENUE

Identify Protect Detect Respond Recover

≤$50M 2.3 1.8 1.4 2.2 2.2

$50M-$100M 2.0 1.9 1.4 1.9 1.8

$100M-$250M 2.5 2.2 2.1 2.5 2.4

$250M-$500M 2.5 2.2 2.2 2.7 2.7

$500M-$750M 2.6 2.2 2.3 2.7 2.6

$750M-$1B 2.8 2.3 2.6 3.1 3.0

$1B-$2B 2.7 2.4 2.5 2.8 2.9

≥$2B 2.7 2.3 2.4 3.0 2.9

AVERAGE NIST CSF CONFORMANCE BY FUNCTION BY BED SIZE

Identify Protect Detect Respond Recover

≤100 2.1 2.0 1.4 2.0 2.0

100-250 2.6 2.3 2.2 2.8 2.7

250-500 2.6 2.3 2.4 2.7 2.8

500-750 2.5 2.1 2.3 2.6 2.6

750-1,000 2.5 2.3 2.5 2.7 2.2

1,000-2,000 2.7 2.3 2.4 2.7 2.6

≥2,000 2.6 2.3 2.2 3.0 3.2

Size does matter. Consistently, across all five Core Elements, organizations with larger numbers of employees and higher bed counts scored significantly higher than those with either a smaller number of employees or smaller bed counts.

Money matters less. Revenue is a less consistent predictor of CSF maturity across all Core Elements.


“The cost of cybercrime is expected to be $6 trillion by 2021 – more profitable than the world’s drug trade.”

Cybersecurity Ventures, 2017 Annual Cybercrime Report.


INFORMATION SECURITY & ENTERPRISE RISK MANAGEMENT

Marti Arvin | VP, Audit Strategy

Enterprise risk management (ERM) is not a term or process that has always been understood by healthcare organizations.

The COSO definition of risk is, “The possibility that events will occur and affect the achievement of strategy and business objectives.”

In 2017, we saw more health systems and business associates have operations disrupted by cybersecurity incidents, costing the industry millions of dollars in losses, not to mention higher costs in incident response and recovery. Disruption, not confidentiality, became the number one risk, as it threatens both the business and patient safety. These attacks included hacking of systems directly, social engineering people through phishing and other scams, interfering with supply chain partners and even nation state actors attacking the infrastructure healthcare relies on. One could hardly argue that enterprise risks had not increased.

Healthcare has traditionally addressed risk by looking at it in silos. Executives have talked with their risk officers about malpractice risk and other types of litigation liability risks. They talk to their compliance officers about fraud and abuse risks, to their privacy officers about privacy risk, or to the information security officer about information technology risks. But the concept of ERM is strategically assessing all the different risks the organization faces and understanding the implications and interplay of all of those risks. This allows for a deeper understanding and more strategic planning of how to address the risk through common risk mitigation methods.

Because healthcare organizations have not traditionally viewed risk across the enterprise but rather in a more segmented fashion, information security risks have been thought of as an IT issue. The evolution is occurring, but it is still not common practice to view risks in the more holistic context of ERM. By approaching it through ERM and bringing all areas responsible for risk oversight to the table, the organization will have a fuller picture of its risk.

When thinking of information security risk, it is easy to fall into the trap of believing that it can all be handled through technology. That is not the case, and thinking so can lead to missing the implications of information security risk for other areas of the organization.

The Committee of Sponsoring Organizations (COSO) defines ERM as, “The culture, capabilities, and practices, integrated with strategy and execution, that organizations rely on to manage risk in creating, preserving, and realizing value.”1

1 COSO 2017 ERM Framework, Aligning Risk with Strategy and Performance.


If an organization has an information security incident it can lead to implications in a number of other components of the business such as:

• Cancelling elective services because systems are down, which results in a reduction in revenue

• Increased time lag in getting charges submitted, which leads to a lag in payment and affects cash flow

• Increased risk of staff cutting corners as they are asked to do work in a less efficient manner, which increases compliance risks

• Increased medical errors as downtime procedures are initiated on paper, making it more difficult to communicate changes in the patient’s condition or to calculate appropriate drug dosages

• Increased unanticipated cost to recover from the data incident, provide notification to impacted individuals and hire external parties to assist

• Increased stress on staff operating in the more chaotic environment

These are just a few of the ways an information security incident can impact the organization beyond the IT department. These risks and others need to be understood by the governing body of the organization and the often-multiple players responsible for oversight of different risk areas. Assuring a strong ERM system that includes all risk areas, particularly information security, will help healthcare organizations plan more strategically for such risk. It will also allow for a more coordinated response if such an incident does occur. Information security is an organizational risk, not just an IT issue.

“More people are killed every year by pigs than by sharks, which shows you how good we are at evaluating risk.”

Bruce Schneier, interview with Doug Kaye, IT Conversations, 2004-04-16.


RISK MANAGEMENT & BEHAVIORAL ANALYTICS: NEW APPROACHES TO MANAGING DATA PRIVACY

David Holtzman | VP, Compliance Strategies

It is often said that you cannot have privacy without security. The traditional approach to privacy assurance has been a focus on protecting people from the harm of unauthorized disclosure in compliance with the HIPAA Privacy Rule or other regulatory requirements. However, the current compliance-based approach was developed in response to an environment where health information was managed and controlled largely by and for the needs of a single institution.

New approaches to collecting and using data about an individual, and about how they are using information networks, suggest that a risk-based approach may improve the ability of healthcare organizations to more effectively handle the personal information they create, maintain, and share on a daily basis.

Advances in user and entity behavioral analytics (UEBA) provide powerful tools that use machine learning capabilities to increase accuracy and enable healthcare organizations to track and analyze data access. These solutions allow an organization to focus attention on protecting patient confidentiality as it adds technologies with unidentified vulnerabilities and enables secondary collection and uses that may pose significant risk of compromise to the data as well as harm to the individual.

As a complement to its extensive guidance for information security, NIST developed a systems engineering and risk management approach for privacy that can help organizations address privacy concerns from the collection and uses of data.1 To help organizations conduct privacy engineering, NIST developed a set of objectives to help focus on the types of capabilities information system administrators need in order to demonstrate how privacy policies and system privacy requirements have been implemented. The NIST project also introduces a privacy risk model to enable organizations to conduct privacy risk assessments based on the likelihood that an operation performed by a system would create a risk to confidentiality when processing personal information and the impact of that action should it occur.

1 NISTIR 8062, “An Introduction to Privacy Engineering and Risk Management in Federal Systems,” http://nvlpubs.nist.gov/nistpubs/ir/2017/NIST.IR.8062.pdf

Traditional approaches to monitoring and auditing what users are doing with access to sensitive data are no longer effective. UEBA is a type of machine learning model that identifies anomalies in the use or disclosure of data. These new technologies use advanced data analytics, aggregate data from logs and reports, and associate intelligence about users to flag activity and behavior that could constitute a threat to the confidentiality of sensitive patient information.


These technologies provide dynamic tools for identifying anomalous behaviors with a high degree of accuracy and flexibility. UEBA employs advanced analytics to better process behavioral analysis and is proving to be highly effective in exposing insider threats, hijacked accounts, and compromised credentials. It monitors user accounts and works with endpoint devices or embedded applications and networks. UEBA is also a learning system, utilizing machine learning capabilities to build higher accuracy and sensitivity over repetitive use.

Introduction of a common taxonomy for privacy engineering, a standard approach to showing how privacy safeguards have been baked into an information system, and a process for identifying and assessing the risk of compromise to the data can help organizations better integrate effective privacy assurance with the management of large, sharing-based integrated information systems.

UEBA is a technology that presents a better model for accurately detecting misuse and threats of compromise to sensitive personal information. These advances, the development of an assessment framework and maturity model to manage privacy risk and new behavioral analytics tools to address improper data use, represent significant steps towards marrying privacy with security.
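An added example, not code from the report or any vendor's UEBA product, of the anomaly-scoring idea the section describes: a per-user baseline is learned from a window of EHR access audit events (constructed here), and a day of activity is scored on three signals, unusual volume, unusual hours, and access to patient records outside the user's usual departments. The event fields, user names, z-score threshold and noisy-OR combination are all assumptions made for the example.

```python
"""
UEBA-style scoring of EHR access audit events (constructed example).

Builds a per-user baseline from a training window of audit events, then
scores a day of activity on three signals: unusual volume, unusual hours,
and access to records outside the user's normal departments. Not any
vendor's model; thresholds and fields are assumptions for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class AccessEvent:
    user: str           # account that opened the record
    dept: str           # department the user works in
    patient_dept: str   # department of the patient whose record was opened
    hour: int           # local hour of access, 0-23
    day: int            # day index in the observation window
    patient_id: str


def build_baseline(events):
    """Per-user profile: daily-volume mean/stdev, usual hours, usual departments."""
    per_day = defaultdict(lambda: defaultdict(int))
    hours = defaultdict(set)
    depts = defaultdict(set)
    for e in events:
        per_day[e.user][e.day] += 1
        hours[e.user].add(e.hour)
        depts[e.user].add(e.patient_dept)
    baseline = {}
    for user, counts_by_day in per_day.items():
        counts = list(counts_by_day.values())
        baseline[user] = {"mean": mean(counts), "std": pstdev(counts),
                          "hours": hours[user], "depts": depts[user]}
    return baseline


def score_user_day(baseline, user, day_events, z_threshold=3.0, reason_cutoff=0.2):
    """Score one user's events for one day; 0.0 is routine, 1.0 is maximally anomalous.

    Each signal is scaled to [0, 1] and the three are combined with a noisy-OR
    so that one strong signal dominates instead of being averaged away.
    """
    profile = baseline.get(user)
    if profile is None:
        # An account with no history cannot be compared; surface it for review.
        return {"score": 1.0, "signals": {}, "reasons": ["no baseline for user"]}
    n = len(day_events)
    std = profile["std"] if profile["std"] > 0 else 1.0  # perfectly regular users
    z = (n - profile["mean"]) / std
    signals = {
        "volume": max(0.0, min(z / z_threshold, 1.0)),  # saturates at z_threshold
        "off_hours": sum(e.hour not in profile["hours"] for e in day_events) / n if n else 0.0,
        "cross_dept": sum(e.patient_dept not in profile["depts"] for e in day_events) / n if n else 0.0,
    }
    combined = 1.0
    for value in signals.values():
        combined *= 1.0 - value
    score = round(1.0 - combined, 3)
    reasons = [name for name, value in signals.items() if value >= reason_cutoff]
    return {"score": score, "signals": signals, "reasons": reasons}


def triage(baseline, day_events):
    """Group a day's events by user, score each user, rank highest risk first."""
    by_user = defaultdict(list)
    for e in day_events:
        by_user[e.user].append(e)
    ranked = [(user, score_user_day(baseline, user, evs)) for user, evs in by_user.items()]
    ranked.sort(key=lambda item: item[1]["score"], reverse=True)
    return ranked


def constructed_training_log():
    """Ten days of routine activity for two users (constructed, not real audit data)."""
    events = []
    for day in range(10):
        for i in range(20 + day % 3):        # nurse_a: oncology records, day shift
            events.append(AccessEvent("nurse_a", "oncology", "oncology",
                                      7 + i % 11, day, f"onc-{i:03d}"))
        for i in range(8):                   # clerk_b: billing lookups across units
            events.append(AccessEvent("clerk_b", "billing", ("oncology", "cardiology")[i % 2],
                                      9 + i % 8, day, f"p-{i:03d}"))
    return events


def constructed_review_day():
    """Day 10: clerk_b is routine; nurse_a opens 60 cardiology records at 2-3 a.m."""
    events = [AccessEvent("clerk_b", "billing", ("oncology", "cardiology")[i % 2],
                          9 + i % 8, 10, f"p-{i:03d}") for i in range(8)]
    events += [AccessEvent("nurse_a", "oncology", "cardiology", 2 + i % 2, 10, f"card-{i:03d}")
               for i in range(60)]
    return events


if __name__ == "__main__":
    base = build_baseline(constructed_training_log())
    for user, result in triage(base, constructed_review_day()):
        print(f"{user:8s} score={result['score']:.3f} reasons={result['reasons']}")
```

A real deployment would learn the baseline over weeks, not days, and weight the signals from the organization's own false-positive experience; the structure of the scoring stays the same.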

“Behind every line of data and medical record number there is a person. ... When you get on the phone with a patient whose information has been breached, and hear them cry, or how they feel violated, that is not a piece of data, that is a person.”

Meredith Phillips, Chief Information Privacy & Security Officer, Henry Ford Health System


PRINTERS & PRINTING ON THE RISE DESPITE SECURITY & PRIVACY RISKS

Sean Hughes | EVP, Managed Print Services

Healthcare organizations continue to print an increasing amount after EHR adoption, with an average increase in print volume of 11% across the industry according to Logicalis.1 This increase in printing occurs at the same time the Office for Civil Rights (OCR) reports that 21% of breaches impacting over 500 individuals were the result of paper.2

The increase in printed volume is coupled with an increase in the number of devices being used to process that paper volume. Healthcare saw an average increase in the number of print devices (copiers, printers, fax) of 6%. This growth in print devices is disconcerting when you take into consideration that most healthcare organizations are significantly underutilizing the capacity of their current print fleet. On average, healthcare organizations are using only 33% of the capacity of their copier fleet, only 11% of their printer fleet, and 16% of their fax capacity.

The continued proliferation of print devices, even without full utilization of the current assets within the healthcare environment, means that we are multiplying the number of potential threats by increasing the overall attack surface. Printers are smart, networked devices that present many of the same challenges that any other information system presents. Your average business-class device can have around 250 security settings, making a growing fleet a real challenge to manage.

Our analysis demonstrates that many entities have inadequate inventories, configuration guides, hardening standards, testing practices, access controls, maintenance and/or disposal practices. What is more, most fleets are not managed by IT, but rather by Supply Chain organizations that are not focused on these issues.

Often ownership of printers is in question between IT, facilities and the group that purchased them, causing confusion around security responsibility and gaps. Ultimately these computers within printers hold sensitive data, are attached to the network and represent a sizable attack surface. This combination, coupled with poor cybersecurity hygiene, translates to increased risk to the ecosystem. Hackers can use unprotected printers as resources to mine cryptocurrencies, turn them into zombies as part of a botnet to attack their owner or others in DDoS attacks, use them to steal or spy on content, or cause the printer to malfunction.

Having a solid inventory of print devices and an appreciation for criticality will help to right-size the fleet, which is important. Right-sizing the fleet is not just about reducing devices to save dollars, but about understanding backup and spare printer requirements for emergent situations and outages.

¹ Logicalis: http://www.us.logicalis.com/news/eight-little-known-printing-facts-costing-hospitals-millions-of-dollars/

² Office for Civil Rights: Presentation at NIST and OCR Conference. Sept. 5, 2017.

³ CynergisTek Client Assessment Data

[Figure: NIST CSF maturity score, IDENTIFY function: 2.4 on a 0 to 5 scale (0 Incomplete, 1 Performed Process, 2 Managed Process, 3 Established Process, 4 Predictable Process, 5 Optimized Process)]


Organizations need to take a hard look at what they are printing, where they are printing and how they are printing to ensure they understand the overall risk this function presents, and develop an approach that allows for progress on both the security and privacy fronts.

Reducing the volume of print gives an organization a much smaller footprint to be concerned about. Less print means fewer devices needed to process that volume. Once an organization has the number of devices and the volume correct, it can apply tools such as data loss prevention (DLP) to understand what is being printed and by whom. Many industry-standard applications in the print management space have added security and privacy functionality to address these growing issues.

[Callout: Healthcare organizations have experienced an average post-EHR-adoption increase in print volume of 11%.]


DETECTION & PREVENTION: THE GIFTS THAT KEEP ON GIVING ... IF YOU DO THEM

John Nye | VP, Cybersecurity Services

2017 was by no means an easy year in the world of information security. We saw numerous critical vulnerabilities, NSA hacking tool leaks, an exponential increase in the number of malware and ransomware attacks and a plethora of major breaches in healthcare and other verticals. While progress has been made in some areas, there are some lingering issues in healthcare that we need to address in 2018.

As we studied the data from 2017 we realized that there were some important trends in the results that highlighted the need for focused attention on cyber readiness. We also realized that the assessment data, when taken in aggregate, presents a compelling baseline for helping healthcare executives understand the depth of the opportunity for improvement and the imperative for re-evaluating investment in cybersecurity.

What Did We See?

The most significant change we saw last year was a major shift from reliance on HIPAA requirements in security assessments to operationalizing the NIST Cybersecurity Framework (CSF). This has allowed the organizations we work with to look at their overall security posture from a more holistic perspective. The NIST CSF covers significantly more aspects of the average enterprise infrastructure than the HIPAA Security Rule, providing both CynergisTek and the organization a better overall picture of the state of their security posture than ever before.

As expected, the 2017 assessments showed big challenges and opportunities in incident response preparedness and asset/software inventories. Both of these categories were lacking across a majority of entities assessed and were identified as an important remediation priority for 2018. The greatest opportunities were identified in the protection and detection focus areas. The data shows that the healthcare industry is severely lagging in its efforts to prevent, detect and eliminate threats effectively inside its networks.

Protection

Once again, 2017 saw an overwhelming number of cyberattacks take advantage of obsolete systems and software, and of mistakes and lack of attention in administration and maintenance. Most attacks started with the attacker finding a system no longer supported, not configured properly, an unsafe service running, or a missing patch, giving them the door they required to begin their attack. This is not surprising, as the number of vulnerabilities identified in systems shot up 31 percent in 2017, setting yet another record according to Risk Based Security Inc.’s latest report.¹ An even more sobering statistic in that report is the fact that 24 percent of the vulnerabilities identified have no known fix.

[Figure: NIST CSF maturity score, PROTECT function: 2.2 on a 0 to 5 scale (0 Incomplete, 1 Performed Process, 2 Managed Process, 3 Established Process, 4 Predictable Process, 5 Optimized Process)]

[Figure: NIST CSF maturity score, DETECT function: 2.1 on the same 0 to 5 scale]

Organizations that delay in addressing vulnerabilities in their environment are far more susceptible to exploitation. No matter how sophisticated the attack may have been, it almost always started with something that probably could have been avoided. Poor performance against this area of the CSF provided evidence of missing or lax controls and practices. Organizations are not getting the time they need or applying the resources necessary to maintain their systems in an optimal state.

The most significant realization was in how the threat was and is shifting to focus more on the newest and largest attack surface – people. People are now connected to the network in more ways than ever before. As healthcare embraces more patient-centric models incorporating countless devices that enable point of care at the patient, those devices become new avenues for attack. Devices were commandeered by IoT Botnets and used against the very entities that owned them.

Other incidents involved direct attacks that sought to exploit human vulnerability, such as phishing through email, which saw the rate of emails with malware attached rise to 1 in 131 (over the course of 2016), making user awareness an absolute necessity. Most entities had some form of proactive user training for the phishing threat, but despite best efforts incidents continue to occur. Training alone will not solve this problem.

Organizations are also adopting advanced malware detection solutions like next generation firewalls, anomaly detecting antivirus, advanced malware solutions, and email gateways, but without active monitoring these solutions also prove less than effective. Using the NIST CSF gives healthcare entities a better appreciation for the integration of their controls, processes, and people to better understand where there are gaps.

Preparedness and Detection

Poor cyber hygiene, lack of advanced cybersecurity technology, and poorly defined or implemented controls and practices contribute to challenges in threat detection. This category includes items such as threat detection tools and proactive event logging and monitoring, working together to identify threats; weaknesses here contribute to longer than acceptable response times.

The average length of a compromise in 2017 was 3 months,² and these compromises lingered specifically because the organizations that were the victims of these attacks lacked the ability to detect their attackers within any reasonable timeframe.

This 90-day average is down from 100 days in 2016 and almost 200 days of “dwell time” in 2015, but is still much too slow to avoid negative consequences for victims. Dwell time is a term used to describe the length of time an attacker spends inside a victim’s information ecosystem. This is very different from events where entities lost hundreds or thousands of systems and suffered considerable downtime from malware attacks that propagated across their infrastructure in a matter of minutes or hours, not days, weeks or months.

¹ Risk Based Security: https://www.riskbasedsecurity.com/2018/02/7900-vulnerabilities-in-2017-you-arent-aware-of-may-put-your-organization-at-risk/

² DARKReading: https://www.darkreading.com/attacks-breaches/attacker-dwell-time-average-dips-slightly-to-86-days/d/d-id/1330580

It is good news that the average time to detection has gone down, but 90 days is still far too long as an attacker can do an excessive amount of damage in that timeframe. As with many other aspects of cybersecurity, many entities assessed in 2017 recognized that their organization may take more than 90 days to detect an attack by a sophisticated attacker.

Effectively detecting cyber attacks is not just a technology issue nor are its consequences just an IT problem. How fast an entity can recognize an event, identify the attacker, and isolate the damage and critical systems has a direct correlation to their avoidance of disruption and cost. The dwell time of attackers and ability to detect them and their activities needs to be addressed specifically in the modern healthcare organization’s boardroom as time, money and other resources are key to dealing with this threat.

What Can We Be Doing?

In 2018 we, as an industry, need to step up and make a real effort to get detection in place or we will never reduce the average dwell time down to a defensible level. That means creating better baselines, paying more attention to maintenance responsibilities, employing advanced controls, enhancing employee awareness, and continuously monitoring activities across the network. We can drive the number of compromised patient records down and stop this alarming trend of growing threats year over year. If we want to make headway we first have to recognize that we cannot do anything without the support of the entire organization, from the board to senior management and every employee, workforce member, and even our third parties.

We are very aware of the fact that not all healthcare organizations are created equal – even HIPAA recognized that – and therefore the methods by which your organization could tackle these issues will be different from others. However, there are some key elements that should be in place regardless of your organization’s size, type or resources. These may be provided by an internal department and software or hardware purchases that allow your organizations to detect and respond to the attacks, or they may be third-party services engaged to monitor your systems, watch for intruders, anomalous behaviors, data exfiltration, or other known threats.

Regardless of how you approach the issue, there must be very well-defined rules as to when an alert is triggered, how it is addressed, and perhaps most importantly, how those findings are built into the ongoing monitoring process. If you already have a Security Operations Center (SOC) and are running a well-tuned and sufficiently advanced security information and event management (SIEM) solution, then look at the average “dwell time” of intrusions last year. Crunch the numbers and look at how the tools and teams can be better utilized to bring the response time down and better protect your organization.

Overall, the most important step you can take is to do something. If you have no monitoring solution in place, start looking for one. If you have a full SOC and multiple monitoring solutions in place, look at how well they are working and which efficiencies can be built into the processes to ensure these solutions effectively keep your organization safe. Look at historical data to define trends and outliers, and to help determine what to look for and what to alert on. One lesson we have learned is that if you address one threat, there will always be “the next one”. NIST is about continuous monitoring and on-going risk management. Business today requires that every process and every technology be about continuous improvement.

[Callout: Healthcare was the top industry hit by W-2 phishing scams in 2017, with 28% of total cross-industry incidents. Beazley, 2018 Breach Briefing.]

[Callout: Healthcare was the top industry hit by ransomware in 2017, with 45% of total cross-industry incidents. Beazley, 2018 Breach Briefing.]


SCOURGE OF RANSOMWARE & MALWARE INCIDENTS: HEALTHCARE UNDER ATTACK

David Holtzman | VP, Compliance Strategies

Jeremy Molnar | SVP, Security Strategies

A company is hit with ransomware every 40 seconds somewhere in America.¹ Without a doubt, malware, and in particular ransomware, is and has been the main-stage actor in the world of cyber attacks and, based on all indicators, will continue its run. Attacks have gotten more sophisticated, more costly and more disruptive over time. At risk today are not only the organization’s own information systems and data, but the very infrastructure it relies upon and the ever-growing supply chain that is a part of its operations.

Healthcare organizations are under constant attack from ransomware and malware, according to surveys of healthcare providers and reports of breaches filed with the Department of Health and Human Services, Office for Civil Rights (OCR). Healthcare organizations reported more than twice as many incidents of ransomware and malware as the primary cause of breaches of e-PHI to OCR in 2017 as in 2016.

Attackers devised numerous variants of ransomware and malware strains that caused substantial downtime and financial losses for victims across many industry sectors, including healthcare. Notable widespread attacks included new families of malware and ransomware including WannaCry, NotPetya, and Defray. Locky, a previously known malware strain, made a comeback with a massive email campaign targeting healthcare organizations.

Data around impact of malware and ransomware incidents affecting healthcare organizations paints a remarkable picture:

• A survey of 1,300 physicians conducted by the AMA and Accenture² found that four out of five had experienced some form of a cyberattack, such as a phishing or malware episode. 55 percent of physicians responded that they are worried about future cyberattacks.

• A survey of hospital staff by HIMSS Analytics and Mimecast³ found three out of four said they had a malware or ransomware attack in the last year. One in five responded that they had 16 or more malware incidents during that period.

• Healthcare organizations and vendors handling information protected by the HIPAA rules reported that 178 breaches in 2017 were due to a cybersecurity incident. Breaches caused by ransomware and malware attacks, including phishing incidents, were tied as the leading cause, reported in 37 percent of all cases.⁴

It is widely accepted that cyber attackers are constantly probing information systems looking for opportunities to introduce malware or ransomware. The crucial differentiator between the healthcare organization that suffers a debilitating cyberattack and those that succeed in maintaining critical information system operations is having strong, defined controls in place so that they can quickly identify, isolate, and respond to an incident. The NIST CSF has emerged as an essential tool in identifying and assessing the effectiveness of information security measures.

¹ Barkly: https://blog.barkly.com/ransomware-statistics-2017

² Accenture and the American Medical Association (AMA): Taking the Physician’s Pulse. December 2017.

³ Mimecast and HIMSS Analytics Survey. December 2017.

⁴ Protenus: 2017 Breach Barometer Annual Report. January 2018.

The NIST CSF is divided into five functional areas. One such functional area that is key to defending against cybersecurity threats is the capability to “Detect.” This includes monitoring tools such as security information and event management (SIEM), intrusion detection/prevention systems (IDS/IPS), as well as anti-virus solutions.

The most effective detection solutions support both signature-based and anomaly-based detection methods. The key to successful implementation is to ensure that configurations are defined and consistent with expectations, that processes are developed based on those configurations and the solution’s capabilities, and that an appropriate number of resources are provided and trained on the solution. Organizations that fail to detect malware or ransomware struggle to devise a solution that allows them to continue critical operations because they often lack appropriate staff or well-defined processes to follow or implement.
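As an added illustration of the two detection methods named above (example code written for this edition, not CynergisTek’s or any vendor’s tooling), the Python block below runs both over a constructed stream of file-server events: a signature detector matches file paths against two placeholder patterns standing in for vendor-supplied indicators, and an anomaly detector flags a host whose per-minute write/rename rate exceeds a baseline learned from a constructed clean history. The host names, user names, paths, patterns, thresholds and every event record are assumptions constructed for the example.

```python
"""Signature-based and anomaly-based detection over constructed file-server events.

Added example for this page, not code from the report or any vendor.
All hosts, users, paths, patterns and timestamps are constructed.
"""
import re
import statistics
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    ts: datetime
    host: str
    user: str
    action: str  # "write", "rename", "delete" or "read"
    path: str


# Constructed signature patterns over the file path. A real deployment would load
# indicators from a vendor or ISAC feed; these are placeholders, not real IoCs.
SIGNATURES = {
    "ransom-note-name": re.compile(r"(?i)(readme|how_to|decrypt)[^/]*\.(txt|html)$"),
    "encrypted-extension": re.compile(r"(?i)\.(locked|crypt|enc)$"),
}


def signature_detect(events, signatures=SIGNATURES):
    """Return one (host, rule_name, path) tuple per event whose path matches a pattern."""
    return [(ev.host, name, ev.path)
            for ev in events
            for name, pat in signatures.items()
            if pat.search(ev.path)]


def _minute_counts(events):
    """Count write/rename events per host per one-minute bucket."""
    counts = defaultdict(Counter)
    for ev in events:
        if ev.action in ("write", "rename"):
            counts[ev.host][ev.ts.replace(second=0, microsecond=0)] += 1
    return counts


def build_baseline(history):
    """Per-host (mean, stdev) of write/rename events per active minute, from clean history.

    Only minutes with activity are counted, which biases the baseline upward and
    therefore makes the detector more conservative rather than noisier.
    """
    return {host: (statistics.fmean(b.values()), statistics.pstdev(b.values()))
            for host, b in _minute_counts(history).items()}


def anomaly_detect(events, baseline, k=3.0, min_count=20):
    """Flag (host, minute, count, threshold) where count exceeds mean + k*stdev.

    min_count is a floor so hosts with a tiny or missing baseline (threshold
    would otherwise be near zero) are not flagged on a handful of saves.
    """
    alerts = []
    for host, buckets in _minute_counts(events).items():
        mean, stdev = baseline.get(host, (0.0, 0.0))
        threshold = max(mean + k * stdev, float(min_count))
        for minute, n in sorted(buckets.items()):
            if n > threshold:
                alerts.append((host, minute, n, threshold))
    return alerts


def triage(sig_hits, anomalies):
    """Well-defined alert rule: both detectors on one host -> high, either alone -> medium."""
    sig_hosts = {h for h, _, _ in sig_hits}
    anom_hosts = {h for h, _, _, _ in anomalies}
    return {h: ("high" if h in sig_hosts and h in anom_hosts else "medium")
            for h in sig_hosts | anom_hosts}


def constructed_history():
    """Ten quiet minutes of routine chart saves on two workstations (constructed)."""
    base = datetime(2018, 1, 15, 9, 0)
    hist = []
    for minute in range(10):
        for host, n in (("WS-01", 4 + minute % 3), ("WS-02", 5)):
            for i in range(n):
                hist.append(Event(base + timedelta(minutes=minute, seconds=i), host,
                                  "nurse1", "write", f"/share/charts/note{minute}_{i}.docx"))
    return hist


def constructed_events():
    """One minute of live events: WS-01 is normal, WS-02 shows a rename burst and a note."""
    t0 = datetime(2018, 1, 16, 14, 30)
    evs = [Event(t0 + timedelta(seconds=s), "WS-01", "nurse1", "write",
                 f"/share/charts/visit{s}.docx") for s in range(4)]
    for i in range(60):  # 60 renames in one minute, far above the learned rate
        evs.append(Event(t0 + timedelta(seconds=i), "WS-02", "clerk7", "rename",
                         f"/share/billing/claim{i}.pdf.locked"))
    evs.append(Event(t0 + timedelta(seconds=59), "WS-02", "clerk7", "write",
                     "/share/billing/README_DECRYPT.txt"))
    return evs


if __name__ == "__main__":
    hits = signature_detect(constructed_events())
    alerts = anomaly_detect(constructed_events(), build_baseline(constructed_history()))
    print(f"signature hits: {len(hits)}, anomaly alerts: {alerts}")
    print("triage:", triage(hits, alerts))
```

The signature detector catches only what its patterns already describe; the anomaly detector catches the burst even if the file extension were new, but only because a baseline was learned first, which is the “creating better baselines” step the previous section asks for. The `triage` function is the kind of well-defined alert rule the report calls for: both detectors firing on the same host is rated high, either alone medium.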

Another functional area in the NIST CSF critical to successful cybersecurity defense is the policies and processes to “Respond” to an incident. A key control in this area is the ability to isolate affected systems, something often provided by network restrictions or segmentation.

Organizations often face challenges implementing or managing segmentation because of the administrative burdens that it can introduce. Successful implementation requires understanding data flows and potential chokepoints that can be used to limit traffic traversing the network. In addition, identification and isolation of critical assets utilizing segmentation can slow down or even remove the potential of ransomware or malware impacting those critical assets where the sensitive data resides.

While some of the year-over-year increase in these types of incidents being reported to OCR may be due to some organizations doing a better job of reporting, in response to OCR’s guidance on how to respond when they have experienced a cyberattack, there is no doubt that the incidence of phishing, ransomware, and malware attacks continues to rise every year.

Healthcare organizations and vendors handling health information protected by HIPAA are on notice that it is up to them to safeguard their information systems and data from the threat of a cybersecurity incident. Aligning with NIST CSF is a good way to ensure that your organization is prepared.

[Figure: NIST CSF maturity score, DETECT function: 2.1 on a 0 to 5 scale (0 Incomplete, 1 Performed Process, 2 Managed Process, 3 Established Process, 4 Predictable Process, 5 Optimized Process)]

[Figure: NIST CSF maturity score, RESPOND function: 2.5 on the same 0 to 5 scale]


PREPARING FOR THE UNTHINKABLE WITH INCIDENT RESPONSE PLANNING

Clyde Hewitt | VP, Security Strategy

By now, healthcare executives and their boards have seen the myriad reports of security and privacy incidents involving ransomware, and can only imagine the devastating impacts to the targeted organizations. In response to the increasing frequency and severity of reported incidents, they are genuinely concerned. Consequently, they are asking tough questions about their organizations’ ability to respond to similar attacks, but this focus on ransomware may not be helping to address the root causes.

Based on our own findings included in this report, only the very largest (by employee count) organizations routinely achieve a score of three (established process) in the Respond category.

This was reiterated in the bed-size measure, as hospitals or systems with more than 2,000 beds were more likely to achieve a rating of three. Revenue is a mixed bag, but inconclusive: maturity ratings varied only 0.3 for organizations ranging in revenues from $750M to over $2B.

Lessons Learned from Current Events

First, when board members ask the CIO questions about a provider’s ability to recover, the answers tend to be focused on the IT organization’s ability to recover the clinical systems from backups. Responses tend to address how long it will take to bring systems back online. This message doesn’t tell the entire story, as full recovery can take months. The primary reason is that paper medical records created during downtime procedures must be entered into the electronic medical records so that claims can be processed.

Second, we have seen an increasing trend toward litigation following a privacy or security incident. Early attempts at this have been difficult; however, a recent shift toward proving negligence has advanced through the courts. In response, any privacy and security incident response should have strong legal oversight starting with the first report, to help shield details. This entails a detailed analysis of all data that could have been accessed or compromised by the incident.

Third, incidents happen for a reason, and boards should insist that a comprehensive root cause analysis be performed to identify both the vulnerabilities that caused the incident and other vulnerabilities that could be exploited the next time. A better strategy is for the board to ask executives which steps they are taking to ensure that all vulnerabilities are found, risks are classified, and individuals are held accountable for reducing risk to a level within the organization’s risk appetite.

[Figure: NIST CSF maturity score, RESPOND function: 2.5 on a 0 to 5 scale (0 Incomplete, 1 Performed Process, 2 Managed Process, 3 Established Process, 4 Predictable Process, 5 Optimized Process)]

[Callout: Between lost charge capture, unforeseen overtime, and payment delays, providers can end up as much as $10-50 million in the red quickly.]

The fourth, and primary, lesson is to recognize that incident response is an enterprise issue, not an IT issue. There is no doubt that IT is a key enabler of clinical operations; however, IT is not the primary resource – people are. Long before IT helped speed up the delivery of information, doctors, nurses, and other medical staff were delivering care. As we have become more dependent on technology, providers need to ensure that downtime procedures are sufficient to provide patient care (a HIPAA requirement under 164.308(a)(7)), but also have plans to continue operations in non-clinical areas as well, such as HR, payroll, supply chain management, and facility operations (a NIST Cyber Security Requirement under RC:RP – Recovery Planning).

In 2017, CynergisTek conducted hundreds of assessments. We concluded that very few organizations had what could be considered mature incident response processes, but an even more disturbing trend is that a very high percentage do not have some or all of the necessary basic structures in place.

Many elements important to effective and timely recovery were missing. On the technical side: detailed inventories of assets, critical resource databases, priorities for taking down as well as recovering assets, current architectural diagrams, configuration diagrams, and baseline images or hardening standards, to name a few. On the procedural side: up-to-date run books for staff procedures, current staff recall lists, alternates if needed, contacts for external assistance, written procedures for communications, public affairs guidance, etc. Many had not performed readiness exercises, tabletop exercises or formal training for the organization. Generally, recovery was still a matter of hoping that whoever was in charge knew what they were doing. This is at best a recipe for taking longer than necessary, at worst a recipe for disaster. In today’s threat environment, incident response planning needs to be a dedicated, ongoing function if it is to be successful.

If you do not have a plan, you need to develop a comprehensive, enterprise-wide plan; incident response cannot just happen in IT. If you have a plan, review it regularly, or better yet, get a third party to review it and help assure you have all the bases (and functions) covered. A documented plan will not be good until it is tested: run exercises with it and use different scenarios to exercise all areas of your organization that will be impacted. Benjamin Franklin may have said it best: “By failing to prepare, you are preparing to fail.”

For more details, see the NIST Information Technology Laboratory, ITL BULLETIN FOR FEBRUARY 2017 - GUIDE FOR CYBERSECURITY INCIDENT RECOVERY.

[Figure: NIST CSF maturity score, RECOVER function: 2.5 on a 0 to 5 scale (0 Incomplete, 1 Performed Process, 2 Managed Process, 3 Established Process, 4 Predictable Process, 5 Optimized Process)]


FINAL THOUGHTS

David Finn | EVP, Strategic Innovation

It is not uncommon to hear healthcare security practitioners and professionals in other industries express concerns of how far healthcare is behind in cybersecurity compared to other industries. It resonates in many ways, both professionally and personally, for everyone. We are all patients. No one wants their personal information such as social security number, diagnosis, birthday, or address compromised. It has been an ongoing challenge to determine the status of healthcare security for most. Many trade and private organizations have attempted to produce surveys to try to quantify this. The biggest challenge and unaddressed issue to date is that there has not been a standardized framework used across the industry. It is time to have a common framework and do what we need to do – protect the patient’s information and provide the best care possible.

On a positive note, it has drastically improved since 2013 with the development of the NIST CSF to help critical infrastructure sectors and organizations reduce and manage their cyber risk regardless of size or cybersecurity sophistication.

The next challenge has been getting the industry to adopt the NIST CSF. In the fall of 2016, the HIMSS North America Board of Directors approved the “Cybersecurity Call to Action” and since that time has been advocating for the adoption of holistic security measures. Accordingly, HIMSS supports NIST’s inclusion of holistic security principles throughout the framework, including the alignment of cybersecurity risk management with the business context and resources that support critical functions.

In April of 2017, the CEO of the American Medical Association, James Madera wrote, “we value NIST’s ability to identify cybersecurity trends and aggregate best practices, particularly at a time in which patients and physicians regularly interact with health information technology (health IT) both within and outside of physician practices.”

Furthermore, in early 2018, the CEO of CHIME and the Board Chairs of both CHIME and AEHIS wrote to the Director of NIST, “CHIME and AEHIS continue to be strong champions of the NIST CSF and believe it should be used by the entire healthcare sector.”

This report reflects the first real analysis across the industry with a consistently applied standard for assessing:

• Identify cyber risk: measuring preparedness and an organization’s ability to identify digital and physical assets and their interconnections.

• Protect assets: through the development and implementation of safeguards that will limit or contain the impact of potential cybersecurity events.

• Detect cybersecurity events: organizations will be able to better detect cybersecurity events by implementing appropriate measures that allow for continuous monitoring to detect anomalous activity and other threats to operational continuity.

• Respond: when a cyber incident occurs, organizations must respond with the response plan they have in place, the defined communication lines among appropriate parties, and the ability to collect and analyze information about the event.

• Recover: with a coordinated set of restoration activities, internally and with external parties, that incorporate the lessons learned into an updated recovery plan.

In addition to improved capabilities at the local level, the adoption of NIST helps raise the overall security of the entire sector. In this age of hyper-connectivity in healthcare, your security is only as good as the security of the weakest link along the continuum of data. The NIST CSF consists of standards, guidelines, and best practices for managing cybersecurity-related risk; it is risk-based, unlike other frameworks. Additionally, the NIST CSF is a prioritized, flexible, and cost-effective approach that helps to promote the protection and resilience of critical infrastructure, especially in healthcare.

Together, we can have a standard that we can all measure ourselves against, with a common language to share and communicate security risks and security practices. We can finally improve healthcare through:

• Better capabilities in protecting our patients’ data and the clinical and financial platforms used to deliver care.

• An enhanced collective understanding of the state of cybersecurity in healthcare for regulators and the industry.

• Greater intra-sector, cross-sector, and international cybersecurity collaboration and understanding.

• Improved internal and external oversight and due diligence for third parties, or business associates with vendor risk management.

• Improved senior management and boardroom engagement.

• Reduced cybersecurity administrative and regulatory compliance complexity.

• More efficient and effective resource allocation to address risks.

• Greater innovation for technology companies who will have clear and common requirements around security.

• And most importantly, protecting your patients’ information so you can focus on delivering safe, uninterrupted care.

CynergisTek hopes this report will bring some clarity and insights to this vision as we evolve into the future of healthcare. We hope that everyone will join this journey to a more secure, safer world for all of us as patients and professionals.

Contact us to empower your organization to adopt the NIST CSF and provide your patients with the utmost security.


ABOUT CYNERGISTEK

Healthcare leaders turn to CynergisTek for trustworthy and reliable support in cybersecurity, privacy, compliance, and information management expertise. Since 2004, CynergisTek has provided a holistic and pragmatic approach to help healthcare organizations meet their cybersecurity and information management goals. The company has also been recognized in numerous third-party research reports as one of the top cybersecurity and privacy firms that provider organizations turn to and won the prestigious 2017 Best in KLAS award for Cyber Security Advisory Services.

Our People

We employ the best talent in health IT, security, privacy, compliance, and information management. Our subject matter experts are recognized as thought leaders and are committed to sharing their expertise with the industry. These executives contribute to hundreds of top-tier news publications and healthcare conferences every year. Our consultants are highly qualified and experienced professionals with a focus on providing excellent service and knowledge in their given field. Our workforce has spent decades working in healthcare institutions across the country.

Our Industry Recognition

We are consistently highlighted as an industry leader by industry publications, associations, and organizations, as well as by our customers. CynergisTek won the 2017 Best in KLAS award for Cyber Security Advisory Services and has been recognized for having the highest impact and value, the highest client satisfaction, and the best overall performance. Many of our customers identify CynergisTek as an extension of their team and a true partner.

512.402.8550 [email protected] cynergistek.com @CynergisTek

The Trusted Advisors in Healthcare Cybersecurity, Privacy and Compliance