Limiting Impact in the Era of the Inevitable Data Breach Sadik Al-Abdulla, Director of Security Solutions, CDW March 1, 2016


Page 1

Limiting Impact in the Era of the Inevitable Data Breach

Sadik Al-Abdulla, Director of Security Solutions, CDW

March 1, 2016

Page 2

Conflict of Interest Disclosure

Sadik Al-Abdulla

Has no real or apparent conflicts of interest to report.

Page 3

Agenda

• Level set 2016 threat landscape

• Share learning from 3,500+ security assessments

• Provide tactical and strategic guidance for truly adaptive security

• Balancing IT security

Diagram: balancing People, Process and Technology (labelled IDEAL)

Page 4

Learning Objectives

Assess the threat landscape in healthcare today

Discuss lessons learned from security assessments that discovered vulnerabilities

Analyze challenges associated with developing a security response

Identify best practices for implementing an efficient and adaptive incident response plan

Page 5

State of Security

Photo: GDIT’s GovTech Works

Page 6

An Introduction to the Benefits Realized for the Value of Health IT (http://www.himss.org/ValueSuite)

$2.1M: Avg. cost of a data breach (2)

69%: Biggest security concern is phishing (1)

42%

Effective Incident Response

Increases: Awareness, Participation, Investment

Minimizes: Risk – Patient, Financial, Reputation

• Electronic Secure Data (E)

• Savings (S)

1) HIMSS 2015 Cybersecurity Survey

2) Ponemon Institute’s 2014 Fifth Annual Benchmark Study on Privacy and Security of Healthcare Data

Page 7

Threat Landscape – Healthcare

42%: Of all major data breaches reported in 2014 (1)

$363: Avg. cost per stolen health record (2)

282%: Increase of financial losses (3)

$5.6B: Potential annual cost to the industry (4)

Top 3: Insider misuse of devices, physical theft/loss, errors (5)

1) Experian’s 2014 Data Breach Industry Forecast/Identity Theft Resource Center

2) Ponemon Institute’s Cost of Data Breach Study

3) PwC’s Global State of Information Security Survey 2015

4) Experian’s 2015 Data Breach Industry Forecast

5) Verizon’s 2015 Data Breach Investigations Report

Page 8

2014 Disclosed Healthcare Breaches (1)

32% Miscellaneous errors

26% Insider misuse of devices

16% Physical theft/loss

12% Point of sale

9% Web app attacks

4% Cyber espionage

1% Crimeware

1) Verizon’s 2015 Data Breach Investigations Report

Page 9

Recent Stats

69%: Organizations informed of breach from outside entity (1)

205: Median number of days attackers were present on victim’s network (1)

60%: Cases in which attackers compromise an organization within minutes (2)

$2.1M: Average cost of a data breach for healthcare organizations (3)

Deeper Dive on Healthcare – Reported Breaches Oct. & Nov. 2015 (4)

13 Unauthorized access/disclosure

9 Theft/loss

7 Hacking/IT incident

1) Mandiant’s 2015 M-Trends Report

2) Verizon’s 2015 Data Breach Investigations Report

3) Ponemon Institute’s 2014 Fifth Annual Benchmark Study on Privacy and Security of Healthcare Data

4) U.S. Department of Health and Human Services Office for Civil Rights Breach Portal

Page 10

How Is Healthcare Responding?

Good – Procedural Areas:

• Who to call

• What form to fill out

• Contacting compliance/legal

Lacking – Technical Areas:

• Identification

• Preparation and investigation

• Identifying scope

Chart: 49% / 51% split between incidents not identified by the internal security team and incidents identified by the internal security team (1)

1) HIMSS 2015 Cybersecurity Survey

Page 11

What Should We Learn From That?

Roughly 50% of incidents aren’t big bad hackers …

… but roughly 50% are big bad hackers

And these patterns hold true over multi-year studies

Incidents are mostly identified when the goodies are sold

Economics suggest there are many more breaches than reported

Page 12

The Defenses Are Working … But

Diagram callout: Network telemetry shows zero traffic here

Page 13

Findings From Security Assessments

3,500: Compromises in 20 industries

100%: Ability to gain access

<10%: Access detected

0: Times we tried to hide

Source: CDW Security Practice – 2015 Security and DLP Assessment Findings

Page 14

Top Security Assessment Findings (grouped as People/Process vs. Technology)

#1 Insecure default configurations, gaps in patch discipline

#2 Bad passwords

#3 Arbitrary trusts

#4 Phishing, users like to click

#5 Application code issues

#6 Man in the middle

#7 Lack of encryption or porous implementation

#8 Mobile application vulnerabilities

Source: CDW Security Practice – 2015 Security and DLP Assessment Findings

Page 15

Architectural Issues

#1 >95% distributed local accounts (e.g., admin, backup, service)

#2 <1% sensitive segmentation

#3 <0.5% effective internal segmentation

Source: CDW Security Practice – 2015 Security and DLP Assessment Findings

Page 16

Data Loss Prevention (DLP) Findings

300+: Assessments completed

100%: Discovered sensitive information outside approved areas

86%: Loss of sensitive information during assessment period

95%: Incidents that were accidental exposure or by well-meaning insiders

5%: Incidents that were not

80% Email incidents, 12% Web incidents

Source: CDW Security Practice – 2015 Security and DLP Assessment Findings

Page 17

DLP Assessment 24-month Trend Line

800%: Increase in upload violations

2,000%: Increase in mobile violations

Dropbox, Skydrive, Google Drive, etc.

Source: CDW Security Practice – 2015 Security and DLP Assessment Findings

Page 18

I’ve tried to keep the company real about the fact that I could spend twice as much as I do today on security, and it doesn’t mean that we’re going to eliminate the risk. We might reduce it a bit, but I can’t give a good answer of how much. Compromise is a certainty.

… But I can limit the impact.

– Malcolm Harkins, CISO, Intel

Page 19

Managing Impact Means …

Accepting that a breach is inevitable

Designing for post-breach detection

Designing to limit impacts

Planning for a breach response

Page 20

Old vs. New Security Mindset

Diagram: Identify, Protect, Detect, Respond, Recover across Data, Networks and Devices (labelled NEW vs. OLD)

Page 21

Tactical Best Practices

Identify “check the box” activities, repurpose spend and cycles

Identify and map all sources and locations of PHI inventory

Adopt true segmentation

Revisit fundamentals for sensitive data management

Find and revise overly and overtly restrictive policies

Start measuring time to detect and respond to a breach
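The last tactical item, measuring time to detect and respond, is the one that turns the dwell-time and outside-notification figures on page 9 into numbers an organization can track for itself. The script below is an added example, not code from the deck or from CDW: it computes median and mean time to detect (compromise to detection) and time to respond (detection to containment) over an incident register, reports what share of incidents were first noticed by an outside party, and refuses timelines where detection precedes the estimated compromise. The Incident fields, function names and the four incident records are constructed for illustration.

```python
"""Time-to-detect / time-to-respond metrics over an incident register.

Added example (not from the CDW deck). Field names, function names and
the sample incidents are this example's own constructions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean, median
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Incident:
    incident_id: str
    compromised_at: datetime          # best forensic estimate of initial compromise
    detected_at: datetime             # when the organization first knew
    contained_at: Optional[datetime]  # None while the incident is still open
    detected_by: str                  # "internal" (own security team) or "external"


def time_to_detect(inc: Incident) -> timedelta:
    """Dwell time: from initial compromise to detection."""
    if inc.detected_at < inc.compromised_at:
        # A detection earlier than the compromise estimate means the forensic
        # timeline or the clocks are wrong; do not silently produce a negative.
        raise ValueError(f"{inc.incident_id}: detected before compromise; check timeline")
    return inc.detected_at - inc.compromised_at


def time_to_respond(inc: Incident) -> Optional[timedelta]:
    """From detection to containment; None for incidents not yet contained."""
    if inc.contained_at is None:
        return None
    if inc.contained_at < inc.detected_at:
        raise ValueError(f"{inc.incident_id}: contained before detected; check timeline")
    return inc.contained_at - inc.detected_at


def breach_metrics(incidents: List[Incident]) -> Dict[str, float]:
    """Summary metrics: dwell time in days, response time in hours, detector share."""
    if not incidents:
        raise ValueError("no incidents to measure")
    ttd_days = [time_to_detect(i) / timedelta(days=1) for i in incidents]
    ttr = [time_to_respond(i) for i in incidents]
    ttr_hours = [t / timedelta(hours=1) for t in ttr if t is not None]
    external = sum(1 for i in incidents if i.detected_by == "external")
    metrics: Dict[str, float] = {
        "incidents": len(incidents),
        "open_incidents": ttr.count(None),       # still uncontained, excluded from TTR
        "median_ttd_days": median(ttd_days),     # median is robust to one long-dwell outlier
        "mean_ttd_days": mean(ttd_days),
        "external_detection_share": external / len(incidents),
    }
    if ttr_hours:
        metrics["median_ttr_hours"] = median(ttr_hours)
        metrics["mean_ttr_hours"] = mean(ttr_hours)
    return metrics


def dwell_by_detector(incidents: List[Incident]) -> Dict[str, float]:
    """Median dwell time (days) split by who detected the incident."""
    return {
        who: median(time_to_detect(i) / timedelta(days=1)
                    for i in incidents if i.detected_by == who)
        for who in sorted({i.detected_by for i in incidents})
    }


# Constructed sample register (illustrative values, not real incidents).
SAMPLE_INCIDENTS: List[Incident] = [
    Incident("INC-001", datetime(2015, 1, 10), datetime(2015, 8, 3),
             datetime(2015, 8, 5, 12), "external"),
    Incident("INC-002", datetime(2015, 6, 1), datetime(2015, 6, 15),
             datetime(2015, 6, 16), "internal"),
    Incident("INC-003", datetime(2015, 3, 1), datetime(2015, 10, 28),
             None, "external"),
    Incident("INC-004", datetime(2015, 9, 1, 8), datetime(2015, 9, 1, 9, 30),
             datetime(2015, 9, 1, 13, 30), "internal"),
]


if __name__ == "__main__":
    for key, value in breach_metrics(SAMPLE_INCIDENTS).items():
        print(f"{key:26} {value:.2f}")
    for who, days in dwell_by_detector(SAMPLE_INCIDENTS).items():
        print(f"median dwell, {who:9} {days:.2f} days")
```

Two design choices matter when this is run against a real register. The median, not the mean, is the headline dwell-time figure (the page 9 statistic is a median) because a single incident that sat undetected for months would otherwise dominate the average. Open incidents are counted but kept out of time-to-respond, so an uncontained incident cannot make the response number look better by being left out of the register; both numbers only improve as compromise estimates get more honest, which is why the timeline checks reject detection-before-compromise rather than clamping it to zero.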

Page 22

Strategic Best Practices

Measure and invest separately for: PEOPLE, PROCESSES, TECHNOLOGY and BEFORE, DURING, AFTER BREACH

Engage proactively; design other IT projects securely

Build security governance and sponsorship across functions

View security as a process

Page 23

What Success Looks Like

600-Bed Children’s Hospital

• Large research function

• Separate, segmented network for all systems

• Separate authentication systems, logging, patching, etc.

• Regular vulnerability assessments performed by internal staff

• Dedicated security and management staff just for research network

• IT administrators trained on their technologies and on security

• Security formally built into system development life cycle (SDLC) and reinforced in database administration, programming and system support functions

• Supported by dedicated security function in the parent organization

Page 24

A Review of Benefits Realized for the Value of Health IT (http://www.himss.org/ValueSuite)

• Electronic Secure Data (E)

• Savings (S)

With an effective incident response plan, you can…

Reduce amount of time before a breach is detected, minimizing damage and amount of information stolen

Minimize response and reaction time in order to limit the financial loss, damages and information stolen

Page 25

Questions?

Sadik Al-Abdulla

Director of Security Solutions

CDW

[email protected]