Limiting Impact in the Era
of the Inevitable Data Breach
Sadik Al-Abdulla,
Director of Security Solutions, CDW
March 1, 2016
Conflict of Interest Disclosure
Sadik Al-Abdulla
Has no real or apparent conflicts of interest to report.
Agenda
• Level set 2016 threat landscape
• Share learning from 3,500+ security assessments
• Provide tactical and strategic guidance for truly adaptive security
• Balancing IT security (figure: People, Process, Technology; IDEAL)
Learning Objectives
• Assess the threat landscape in healthcare today
• Discuss lessons learned from security assessments that discovered vulnerabilities
• Analyze challenges associated with developing a security response
• Identify best practices for implementing an efficient and adaptive incident response plan
State of Security
(Photo: GDIT’s GovTech Works)
An Introduction to the Benefits Realized for the Value of Health IT (http://www.himss.org/ValueSuite)
69%: Biggest security concern is phishing (1)
$2.1M: Avg. cost of a data breach (2)
42%
Effective Incident Response
Increases: awareness, participation, investment
Minimizes: risk (patient, financial, reputation)
Value categories: Electronic Secure Data (E), Savings (S)
1) HIMSS 2015 Cybersecurity Survey
2) Ponemon Institute’s 2014 Fifth Annual Benchmark Study on Privacy and Security of Healthcare Data
Threat Landscape – Healthcare
42%: Of all major data breaches reported in 2014 (1)
$363: Avg. cost per stolen health record (2)
282%: Increase of financial losses (3)
$5.6B: Potential annual cost to the industry (4)
Top 3 breach causes: insider misuse of devices, physical theft/loss, errors (5)
1) Experian’s 2014 Data Breach Industry Forecast / Identity Theft Resource Center
2) Ponemon Institute’s Cost of Data Breach Study
3) PwC’s Global State of Information Security Survey 2015
4) Experian’s 2015 Data Breach Industry Forecast
5) Verizon’s 2015 Data Breach Investigations Report
2014 Disclosed Healthcare Breaches (1)
32% Miscellaneous errors
26% Insider misuse of devices
16% Physical theft/loss
12% Point of sale
9% Web app attacks
4% Cyber espionage
1% Crimeware
1) Verizon’s 2015 Data Breach Investigations Report
Recent Stats
69%: Organizations informed of breach from outside entity (1)
205: Median number of days attackers were present on victim’s network (1)
60%: Cases in which attackers compromise an organization within minutes (2)
$2.1M: Average cost of a data breach for healthcare organizations (3)
Deeper Dive on Healthcare – Reported Breaches Oct. & Nov. 2015 (4)
13 Unauthorized access/disclosure
9 Theft/loss
7 Hacking/IT incident
1) Mandiant’s 2015 M-Trends Report
2) Verizon’s 2015 Data Breach Investigations Report
3) Ponemon Institute’s 2014 Fifth Annual Benchmark Study on Privacy and Security of Healthcare Data
4) U.S. Department of Health and Human Services Office for Civil Rights Breach Portal
How Is Healthcare Responding?
Good – Procedural Areas:
• Who to call
• What form to fill out
• Contacting compliance/legal
Lacking – Technical Areas:
• Identification
• Preparation and investigation
• Identifying scope
Incidents identified by the internal security team vs. incidents not identified by it: roughly an even split, 49% / 51% (1)
1) HIMSS 2015 Cybersecurity Survey
What Should We Learn From That?
• Roughly 50% of incidents aren’t big bad hackers … but roughly 50% are big bad hackers
• These patterns hold true over multi-year studies
• Incidents are mostly identified when the goodies are sold
• Economics suggest there are many more breaches than reported
The Defenses Are Working … But
(figure: network diagram with callout "Network telemetry shows zero traffic here")
Findings From Security Assessments
3,500: Compromises in 20 industries
100%: Ability to gain access
<10%: Access detected
0: Times we tried to hide
Source: CDW Security Practice – 2015 Security and DLP Assessment Findings
Top Security Assessment Findings (People/Process and Technology)
#1 Insecure default configurations, gaps in patch discipline
#2 Bad passwords
#3 Arbitrary trusts
#4 Phishing, users like to click
#5 Application code issues
#6 Man in the middle
#7 Lack of encryption or porous implementation
#8 Mobile application vulnerabilities
Source: CDW Security Practice – 2015 Security and DLP Assessment Findings
Architectural Issues
#1 >95%: Distributed local accounts (e.g., admin, backup, service)
#2 <1%: Sensitive segmentation
#3 <0.5%: Effective internal segmentation
Source: CDW Security Practice – 2015 Security and DLP Assessment Findings
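The "distributed local accounts" finding is worth making concrete: when the same local Administrator, backup or service credential is provisioned on many hosts, one compromised host hands an attacker every other host that shares it, and segmentation that does not also separate credentials does not stop the pivot. The following is an added example, not code from the CDW deck or its assessment tooling. It takes a constructed dump of per-host local account NT hashes (the CSV format, the host names and the hash values are all made up for the example) and reports every hash that unlocks more than one host, flagging the worse case where the same secret sits under different account names.

```python
"""Find local-account credentials shared across hosts (added example)."""
from collections import defaultdict

# Constructed sample dump: host,account,nt_hash. Hashes are arbitrary hex,
# not real credentials; a post-engagement secrets dump would look similar.
SAMPLE_DUMP = """\
ws01,Administrator,1f0d2c3b4a5968778695a4b3c2d1e0f1
ws02,Administrator,1f0d2c3b4a5968778695a4b3c2d1e0f1
ws03,Administrator,1f0d2c3b4a5968778695a4b3c2d1e0f1
ws03,helpdesk,9a8b7c6d5e4f30211203f4e5d6c7b8a9
srv01,Administrator,0b1c2d3e4f5061728394a5b6c7d8e9f0
srv02,backup,0b1c2d3e4f5061728394a5b6c7d8e9f0
srv01,svc_sql,6e5d4c3b2a1908f7e6d5c4b3a2918070
"""


def parse_dump(text):
    """Parse host,account,nt_hash lines into tuples; skip blanks and comments."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, account, nt_hash = (f.strip() for f in line.split(",", 2))
        records.append((host, account, nt_hash.lower()))
    return records


def shared_credentials(records, min_hosts=2):
    """Group by NT hash and return every hash usable on >= min_hosts hosts.

    Findings are sorted by blast radius (number of hosts) descending.
    """
    by_hash = defaultdict(list)
    for host, account, nt_hash in records:
        by_hash[nt_hash].append((host, account))
    findings = []
    for nt_hash, pairs in by_hash.items():
        hosts = sorted({h for h, _ in pairs})
        if len(hosts) < min_hosts:
            continue
        accounts = sorted({a for _, a in pairs})
        findings.append({
            "nt_hash": nt_hash,
            "hosts": hosts,
            "accounts": accounts,
            "host_count": len(hosts),
            # Same secret under different names: cracking one account's
            # password (or passing its hash) also opens the others.
            "cross_account": len(accounts) > 1,
        })
    findings.sort(key=lambda f: (-f["host_count"], f["nt_hash"]))
    return findings


def coverage(records, findings):
    """Fraction of hosts in the dump reachable with at least one shared hash."""
    all_hosts = {h for h, _, _ in records}
    exposed = {h for f in findings for h in f["hosts"]}
    return len(exposed) / len(all_hosts) if all_hosts else 0.0


if __name__ == "__main__":
    recs = parse_dump(SAMPLE_DUMP)
    found = shared_credentials(recs)
    for f in found:
        kind = "cross-account" if f["cross_account"] else "same account"
        print(f"{f['nt_hash'][:8]}... on {f['host_count']} hosts ({kind}): "
              f"{', '.join(f['hosts'])} as {', '.join(f['accounts'])}")
    print(f"hosts exposed via a shared local credential: {coverage(recs, found):.0%}")
```

On the constructed data every host is reachable through some shared credential, which is the shape of the >95% finding above; the remediation the deck points at is per-host unique local passwords (a LAPS-style rotation) plus restricting where local accounts may log on from.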
Data Loss Prevention (DLP) Findings
300+: Assessments completed
100%: Discovered sensitive information outside approved areas
86%: Loss of sensitive information during assessment period
95%: Incidents that were accidental exposure or by well-meaning insiders
5%: Incidents that were not
80% Email incidents, 12% Web incidents
Source: CDW Security Practice – 2015 Security and DLP Assessment Findings
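"Sensitive information outside approved areas" was found in every one of the 300+ assessments, and the core of that check is small enough to show. The following is an added example, not CDW's DLP tooling: it scans constructed file contents for two PHI indicators, U.S. Social Security numbers (pattern plus the structural rules that rule out never-issued values: area 000, 666 or 900-999, group 00, serial 0000) and a hypothetical "MRN <digits>" medical record number format, and reports files that hold indicators outside an assumed list of approved paths. The approved prefixes, the MRN format, the paths and the file contents are all assumptions made for the example.

```python
"""Locate PHI indicators in files outside approved locations (added example)."""
import re

# Assumption: the only paths where PHI is allowed to live.
APPROVED_PREFIXES = ("/data/ehr/", "/data/claims/")

SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
# Hypothetical record-number format: "MRN", optional ':' or '#', 7-10 digits.
MRN_RE = re.compile(r"\bMRN[:#]?\s*(\d{7,10})\b")


def plausible_ssn(area, group, serial):
    """Reject values that can never be issued SSNs, to cut false positives."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return int(group) != 0 and int(serial) != 0


def count_indicators(text):
    """Return counts of PHI indicators found in text."""
    ssns = [m for m in SSN_RE.finditer(text) if plausible_ssn(*m.groups())]
    mrns = MRN_RE.findall(text)
    return {"ssn": len(ssns), "mrn": len(mrns)}


def is_approved(path):
    return path.startswith(APPROVED_PREFIXES)


def scan(files):
    """files: {path: text}. Return findings for PHI outside approved areas."""
    findings = []
    for path, text in files.items():
        counts = count_indicators(text)
        if sum(counts.values()) == 0 or is_approved(path):
            continue
        findings.append({"path": path, **counts})
    return sorted(findings, key=lambda f: f["path"])


# Constructed sample files; names and numbers are made up.
SAMPLE_FILES = {
    # PHI in an approved location: not a finding.
    "/data/ehr/export_2015q3.csv":
        "doe,jane,123-45-6789,MRN 0004421\n",
    # PHI on a desktop: one valid SSN (987-... is rejected, area >= 900), one MRN.
    "/home/jsmith/Desktop/followups.txt":
        "call back 123-45-6789 re MRN: 0004421, also 987-65-4320\n",
    # A phone number: does not match the SSN shape at all.
    "/home/jsmith/Desktop/vendors.txt":
        "support line 800-555-0100 ext 4\n",
    # SSN-shaped values that can never be issued: rejected.
    "/tmp/notes.txt":
        "ticket 000-12-3456 is not an SSN; 666-01-0001 neither\n",
}

if __name__ == "__main__":
    for f in scan(SAMPLE_FILES):
        print(f"{f['path']}: {f['ssn']} SSN(s), {f['mrn']} MRN(s) outside approved areas")
```

In a real assessment the same logic runs over file shares, mailboxes and endpoints; the structural SSN rules matter because ticket numbers and phone extensions otherwise dominate the results, and the 80% email / 12% web split above is where the indicators are most often seen leaving.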
DLP Assessment 24-month Trend Line
800%: Increase in upload violations
2,000%: Increase in mobile violations
(Dropbox, Skydrive, Google Drive, etc.)
Source: CDW Security Practice – 2015 Security and DLP Assessment Findings
I’ve tried to keep the company real about the fact that I could spend twice as much as I do today on security, and it doesn’t mean that we’re going to eliminate the risk. We might reduce it a bit, but I can’t give a good answer of how much. Compromise is a certainty.
… But I can limit the impact.
– Malcolm Harkins, CISO, Intel
Managing Impact Means …
• Accepting that a breach is inevitable
• Designing for post-breach detection
• Designing to limit impacts
• Planning for a breach response
Old vs. New Security Mindset (figure)
OLD: Data, Networks, Devices
NEW: Identify, Protect, Detect, Respond, Recover
Tactical Best Practices
• Identify “check the box” activities, repurpose spend and cycles
• Identify and map all sources and locations of PHI inventory
• Adopt true segmentation
• Revisit fundamentals for sensitive data management
• Find and revise overly and overtly restrictive policies
• Start measuring time to detect and respond to a breach
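Measuring time to detect and respond only works if the clocks are defined the same way for every incident: dwell time runs from the first evidence of attacker activity to the day the organization learned of it, response time from that day to completed containment, and recording who made the detection separates the cases the internal team caught from the ones an outside party reported (the 69% figure cited earlier). The following is an added example, not from the CDW deck: it computes those metrics as medians, the way the 205-day Mandiant figure above is reported, over a constructed incident list. The field names and every record are assumptions for the example.

```python
"""Time-to-detect and time-to-respond from incident records (added example)."""
from datetime import date
from statistics import median

# Constructed sample incidents; dates are ISO strings, source is who found it.
INCIDENTS = [
    {"id": "INC-1", "compromised": "2015-01-10", "detected": "2015-08-03",
     "contained": "2015-08-10", "source": "external"},
    {"id": "INC-2", "compromised": "2015-03-01", "detected": "2015-03-02",
     "contained": "2015-03-02", "source": "internal"},
    {"id": "INC-3", "compromised": "2015-05-15", "detected": "2015-06-14",
     "contained": "2015-06-21", "source": "external"},
    {"id": "INC-4", "compromised": "2015-09-01", "detected": "2015-09-01",
     "contained": "2015-09-04", "source": "internal"},
    {"id": "INC-5", "compromised": "2014-12-01", "detected": "2015-11-15",
     "contained": "2015-12-01", "source": "external"},
]


def _days(start, end):
    return (date.fromisoformat(end) - date.fromisoformat(start)).days


def dwell_days(inc):
    """Days the attacker was present before the organization knew."""
    return _days(inc["compromised"], inc["detected"])


def response_days(inc):
    """Days from detection to completed containment."""
    return _days(inc["detected"], inc["contained"])


def summarize(incidents):
    """Median dwell and response time, dwell split by who detected the
    incident, and the share first reported by an outside party."""
    for inc in incidents:
        # A negative interval means the record's dates are out of order;
        # refuse to compute a metric from it rather than silently skew it.
        if dwell_days(inc) < 0 or response_days(inc) < 0:
            raise ValueError(f"{inc['id']}: dates out of order")
    by_source = {}
    for inc in incidents:
        by_source.setdefault(inc["source"], []).append(dwell_days(inc))
    return {
        "count": len(incidents),
        "median_dwell_days": median(dwell_days(i) for i in incidents),
        "median_response_days": median(response_days(i) for i in incidents),
        "median_dwell_by_source": {s: median(v) for s, v in sorted(by_source.items())},
        "external_notification_rate":
            sum(i["source"] == "external" for i in incidents) / len(incidents),
    }


if __name__ == "__main__":
    summary = summarize(INCIDENTS)
    print(f"{summary['count']} incidents")
    print(f"median dwell: {summary['median_dwell_days']} days")
    print(f"median response: {summary['median_response_days']} days")
    print(f"median dwell by detection source: {summary['median_dwell_by_source']}")
    print(f"externally notified: {summary['external_notification_rate']:.0%}")
```

The by-source split is the number to watch: in the constructed data the incidents an outside party reported had a median dwell of 205 days against under a day for those the internal team caught, which is the gap the "designing for post-breach detection" slide is about.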
Strategic Best Practices
• Measure and invest separately for: people, processes, technology; before, during, after breach
• Engage proactively; design other IT projects securely
• Build security governance and sponsorship across functions
• View security as a process
What Success Looks Like: 600-Bed Children’s Hospital
• Large research function
• Separate, segmented network for all systems
• Separate authentication systems, logging, patching, etc.
• Regular vulnerability assessments performed by internal staff
• Dedicated security and management staff just for the research network
• IT administrators trained on their technologies and on security
• Security formally built into the system development life cycle (SDLC) and reinforced in database administration, programming and system support functions
• Supported by a dedicated security function in the parent organization
A Review of Benefits Realized for the Value of Health IT (http://www.himss.org/ValueSuite)
With an effective incident response plan, you can…
Electronic Secure Data (E): Reduce the amount of time before a breach is detected, minimizing damage and the amount of information stolen
Savings (S): Minimize response and reaction time in order to limit the financial loss, damages and information stolen