Cyber Security
Luke Schneider
Medicine Bow Technologies
2016
Cyber Security Background
• Cyber security consequences impact national defense, businesses, public
markets, retailers, consumers, and individuals.
• Organized cyber crime has escalated in recent years and is replacing
terrorism as the largest threat to America.
• Cybercriminals are:
• Organized
• Financed
• Looking for high yield
• Adopting (Example: Ransomware)
More Cyber Security Background
• Why are we more at risk now?
• Our reliance on instantaneous data
• Rapidly growing data volumes
• More complex IT infrastructures
• Data integration between systems
• 3rd Party vendor relationships
Biggest Breaches in Recent Years…
http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/
Which Industries are Most at Risk?
http://www.nedocs.com/blog/data-breach-statistics
Why is Healthcare a Major Target?
• Healthcare market forces
• Healthcare records are a rich set of
data:
• Financial, medical, family, and
personal data
• Patient physical characteristics can
be misused to obtain passports,
visas or IDs
• Basic identity and insurance
information has black market value
between $10 and $100 (whereas credit card numbers
may fetch $0.50 to $1 comparatively)
Healthcare Data Breaches Are Costly
• 90% had a data breach in the past 2 years
• 40% had more than 5
• Average economic impact due to data
breaches is 2.1 million dollars / healthcare
organization and 1 million dollars / business
associate organizations over 2 years
• Criminal attacks are now the #1 cause of
data breaches
• 56% of healthcare organizations and 59% of
business associates don’t believe their
incident response process has adequate
funding and resources
www.hhs.gov/ocr
Healthcare Data Breaches Are Costly
• Data breaches in healthcare are the most
expensive to remediate
• In the U.S. healthcare industry, the average
cost was $398 per record
• Average cost across all industries: $154 per
record
http://www-03.ibm.com/security/data-breach/
2015 Trends in Healthcare
The Global State of Information Security® Survey 2016, October 2015
“While the healthcare industry has
traditionally lagged in the maturity of its
cybersecurity programs, some forward-
thinking organizations are beginning to
take steps to improve their security
posture.” The Global State of Information
Security® Survey 2016, October 2015
How do you find out if there is a breach?
• How victims learn of the crime:
• Hospital invoice
• Collection letter
• Insurance statement
• Errors in health record
• Credit report
• 65% of victims spent money to resolve:
• Average cost: $13,500
• Incorrect medical records could jeopardize safety
Fifth Annual Study on Medical Identity Theft, Sponsored by the Medical Identity Fraud Alliance,
Independently conducted by Ponemon Institute LLC, February 2015
Fifth Annual Benchmark Study on Privacy & Security of Healthcare Data, Sponsored by ID
Experts, Independently conducted by Ponemon Institute LLC, May 2015
Insider Threats - Employees
• “Insiders” refers to your workforce who are trusted with access to
your systems
• They make mistakes
• They violate policies (snooping, shortcuts)
• A few have criminal intentions
• Huge problem in healthcare!
Outside Threats - Third Parties
• Third parties were the #2 cause of breaches
• Hospitals need to manage third party risks
• Evaluate whether third parties have access to PHI
• Evaluate the level of risk
• For high-risk third parties evaluate the security program
• Before contracting
• Ongoing
• Contract terms to manage third party risks
http://www.idtheftcenter.org/ITRC-Surveys-Studies/2014databreaches.html
Where to begin?
• Get IT security in your budget
• You can’t afford to ignore it
Where to begin?
• Identify
• Protect
• Detect
• Respond
• Recover
Framework for Improving Critical Infrastructure Cybersecurity, Version 1.0, National Institute of Standards and Technology, February 12, 2014
Cyber Security: Where to Start?
• Identify:
• Be AWARE: Have analytics and monitoring to recognize and respond to threats
• If you install monitoring or scanning software, carve out the time to work the reports each
month.
• Know what you HAVE: Maintain inventory of authorized users, devices, software
• Often accounting inventory lists and IT inventory lists do not sync because of the fast moving
environment. Make time to reconcile on a quarterly basis.
• KNOW your data: Know what data you have, where it is, who has access
• Only collect what you need, and keep it only as long as it is required and/or has a legitimate business need
• Perform scans on your network looking for sensitive number formats such as SSN, residing in
shared departmental drives
• Review user access routinely
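A sketch of the shared-drive scan for SSN-formatted numbers mentioned above. This is an added example, not part of the original slides; the file extensions, size limit, demo folder layout and sample numbers are all constructed assumptions.

```python
import os
import re
import tempfile

# 3-2-4 digits with one consistent separator ("-" or " "), or nine bare digits.
# The lookarounds stop matches inside longer digit runs (phone or account numbers).
SSN_RE = re.compile(r"(?<![\d-])(\d{3})([- ]?)(\d{2})\2(\d{4})(?![\d-])")
TEXT_EXTENSIONS = {".txt", ".csv", ".tsv", ".log"}  # assumption: plain-text files only
MAX_BYTES = 5 * 1024 * 1024                          # assumption: skip very large files


def plausible_ssn(area, group, serial):
    """Reject values never issued as SSNs: area 000/666/9xx, group 00, serial 0000."""
    if area in ("000", "666") or area.startswith("9"):
        return False
    return group != "00" and serial != "0000"


def find_ssns(text):
    """Return (line_number, masked_value) for every plausible SSN in the text."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in SSN_RE.finditer(line):
            area, _sep, group, serial = m.groups()
            if plausible_ssn(area, group, serial):
                # Mask the value so the report itself does not become sensitive data.
                hits.append((lineno, "***-**-" + serial))
    return hits


def scan_tree(root):
    """Walk a share and map each relative file path to its SSN findings."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            if os.path.splitext(name)[1].lower() not in TEXT_EXTENSIONS:
                continue
            path = os.path.join(dirpath, name)
            try:
                if os.path.getsize(path) > MAX_BYTES:
                    continue
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits = find_ssns(fh.read())
            except OSError:
                continue  # unreadable or locked file: skip it, keep scanning
            if hits:
                findings[os.path.relpath(path, root)] = hits
    return findings


def build_demo_share(root):
    """Create a small constructed 'departmental share' to scan (sample data only)."""
    files = {
        "hr/roster.csv": "name,ssn\nJane Example,123-45-6789\nJohn Example,234 56 7890\n",
        "billing/notes.txt": "Call 307-555-0100 re: claim 000-12-3456, tax id 912-34-5678\n",
        "radiology/scan.bin": "123-45-6789",  # skipped: not a text extension
    }
    for rel, content in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as share:
        build_demo_share(share)
        for rel_path, hits in scan_tree(share).items():
            for lineno, masked in hits:
                print(f"{rel_path}:{lineno}: {masked}")
```

Office documents and PDFs need text extraction before a scan like this can see inside them, so a clean result on plain-text files alone does not clear a drive.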
Cyber Security: Where to Start?
• Protect:
• Properly deploy ANTIVIRUS/ANTIMALWARE: Use a comprehensive endpoint
security product and keep the definition file up to date to continuously monitor
and protect workstations, servers, and mobile devices
• Use ENCRYPTION: If you have encryption layered on your data, sensitive emails,
and mobile devices, criminals may get a user name or password, perhaps a social
security number, but the full record is encrypted. ($1 of data vs. $50)
• Password protect Excel worksheets with sensitive data
• Buy encrypted thumb drives for your employees and use an inventory system to check them
out
• Encrypt your laptops
• Secure email with encryption
Cyber Security: Where to Start?
• Protect Continued:
• Have POLICIES in place:
• User access policies – how fast can an employee be locked out of your network in case of
turnover?
• Password policies – complexity, renewals, and physical protection (no passwords under
keyboards)
• Personal laptops – do not allow them on your network
• Computer time out policy
• Encryption policies
• Prohibit the use of generic user IDs and common passwords
• Use SECURE CONFIGURATIONS:
• Physical security of your network is important
• Guard your hospital’s network by changing the password often
• Add filters to your guest wireless network
Cyber Security: Where to Start?
• Protect-Education
• TRAIN Staff: Employees can be one of the biggest threats to security (accidentally and
intentionally), map training to skills required for each job, implement, and test
• Email is vulnerable
• Ransomware is coming in as malicious macros on attachments to email, emails with links
elsewhere and through server vulnerabilities.
• Downloading of ‘free’ software often has its price.
• Know what data is sensitive and what the procedures are to protect it
Cyber Security: Where to Start?
• Detection
• Monitoring tools to help detect
• Network Monitoring
• Intrusion Prevention & Detection
• Firewall & Network Configuration
• File transfer monitoring
• Email Protection Tools
• URL (web link) filtering, e-mail quarantining, email encryption, anti-spam/phishing detection
• Workstations and Server Monitoring
• Anti-virus
• Anti-malware
• Web filtering
Cyber Security: Where to Start?
• Detection-Continued
• Monitoring tools to help detect
• Maintain PATCHES: Apply proactive upgrades/patching of hardware and software
• This is a difficult task in small rural hospitals
• Upgrade before END-OF-LIFE
• MS Server 2003 reached ‘end of life’ July 2015, not maintained for security by Microsoft
• Windows XP reached ‘end of life’ April 8, 2014.
• McAfee email protection tools will be ‘end of life’ December 31, 2016
• Microsoft Windows Vista will reach ‘end of life’ on April 11, 2017.
• User Access
• Password Management
• The tools only help detect… the tools don’t fix issues!
• Rural hospitals are budget constrained and short staffed in IT.
Cyber Security: Where to Start?
• Respond
• Have a PLAN: Know how to respond to incidents, have trained team in place
• Business continuity
• Disaster recovery
• Ransomware Attacks
• Have a communication plan in place today for a potential data breach
• You want this now so you don’t panic when it happens!
• Periodically validate through neutral 3rd party via penetration testing and red
team exercises
Cyber Security: Where to Start?
• Recover
• Be able to RECOVER: Have regular backups for disaster recovery and continuity
• Evaluate your risk and determine if offsite backups are needed
• Is there a need for full redundancy for your business?
• Continuous REVIEW: Security is an on-going process. Proactively identify and
repair vulnerabilities to mitigate to an acceptable risk level.
• Work the scanning and monitoring reports on a monthly basis
• Create a process for reviewing employee access on a routine basis
• Walk through the office looking for passwords under keyboards and sensitive data left on
desks
• Make sure software updates ran (did not fail)
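One way to run the routine employee-access review described above, as an added example that is not part of the original slides. It compares an HR roster with a directory account export and flags enabled accounts that belong to terminated staff, have no named owner, or have a password older than three months; the CSV layouts, column names, finding codes and sample rows are constructed assumptions.

```python
import csv
import io
from datetime import date

MAX_PASSWORD_AGE_DAYS = 90  # the deck's "force changes every 3 months", taken as 90 days

# Constructed sample exports (hypothetical column names).
HR_ROSTER_CSV = """employee_id,name,status
1001,Jane Example,active
1002,John Example,terminated
1003,Pat Example,active
"""

ACCOUNTS_CSV = """username,employee_id,enabled,password_last_set
jexample,1001,yes,2016-05-20
joexample,1002,yes,2016-01-04
pexample,1003,yes,2015-11-30
frontdesk,,yes,2014-02-11
vendor1,1010,yes,2016-06-01
oldtemp,1009,no,2013-06-01
"""


def review_access(hr_csv, accounts_csv, today):
    """Map each enabled account with a problem to its list of finding codes."""
    status_by_id = {
        row["employee_id"].strip(): row["status"].strip().lower()
        for row in csv.DictReader(io.StringIO(hr_csv))
    }
    findings = {}
    for acct in csv.DictReader(io.StringIO(accounts_csv)):
        if acct["enabled"].strip().lower() != "yes":
            continue  # disabled accounts cannot log in; out of scope for this review
        issues = []
        owner = acct["employee_id"].strip()
        if not owner:
            issues.append("SHARED_ID")          # generic ID with no named owner
        elif owner not in status_by_id:
            issues.append("NO_HR_RECORD")       # e.g. vendor or orphaned account
        elif status_by_id[owner] != "active":
            issues.append("TERMINATED_OWNER")   # should have been locked at turnover
        age_days = (today - date.fromisoformat(acct["password_last_set"])).days
        if age_days > MAX_PASSWORD_AGE_DAYS:
            issues.append("PASSWORD_STALE")
        if issues:
            findings[acct["username"]] = issues
    return findings


if __name__ == "__main__":
    report = review_access(HR_ROSTER_CSV, ACCOUNTS_CSV, today=date(2016, 6, 30))
    for username, issues in report.items():
        print(f"{username}: {', '.join(issues)}")
```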
Defense-in-Depth / Layers of Security
• The best practice in cyber
security is to use the defense-in-depth
model, meaning that our
data protection should be layered
like an onion
• This will allow all sources of
threats to be covered. (Some of
the security solutions can cover
more than one threat source and
can work in more than one layer
of the model)
http://www.nedocs.com/blog/data-breach-statistics
Wyoming Businesses are at Risk
“That won’t happen in Wyoming, we are small potatoes.”
Our response:
• Are you sure your employees all know not to click on something that could introduce
malware into your network?
• Are you sure all your terminated employees can’t get into your network?
• Are you sure that all of your workstations and servers have the latest patches for software
on them?
• Are you sure you do not have legacy software anywhere in your organization?
• Are you sure your customers’ sensitive information is being encrypted?
• Are you sure an employee isn’t walking around with a thumb drive with his/her password
on it to your network?
Wyoming Case Studies
• A medium sized company in Wyoming did not have strong policies about
personal devices on their network. An employee brought his personal
laptop to work (because it worked better than the company owned workstation), accessed
the wireless network, and was unaware that a BitTorrent product was
running in the background on this machine.
BitTorrent is a peer to peer file transfer protocol for sharing data over the internet. It is often used to share music or pictures illegally or to
introduce malware. People may not know that they have BitTorrent installed.
This company was sent a letter from their internet service provider telling them they would be
removed from internet service because they had engaged in illegal practices via their network. They
had to engage an attorney to work with their ISP and pursue a time consuming formal IT audit to
determine where the illegal activity had come from.
Once the mystery was solved, to ensure it did not occur again, the company implemented a ‘no
personal devices policy,’ purchased the employee a better workstation, and added web filtering
capabilities to their firewall.
Wyoming Case Studies
• Proactive Approach
• A behavioral health school for girls decided to increase their IT security and ensure that they meet
HIPAA compliance standards. The school had approximately 13 workstations and 17 users.
• Address Software issues
• Office 365 for Business, Anti-Virus, Secure Emails, Email Archiving
• Address Hardware Issues
• Implemented secure, centralized file storage with re-direction from workstations of the My
Documents folders, including encrypted backups for the server.
• New firewall for network security
• Set Windows updates to occur on routine basis
• Secure wireless access points in a private wireless network
• Configured email notifications to IT to ensure backups work properly
Wyoming Case Studies
• Password Policies
Throughout Wyoming, most of the organizations I have spoken with have weak password policies
and little to no enforcement.
- 8-12 digit passwords
- at least one number, one capital, and one character
- force changes every 3 months
I have seen risk assessors crack 95% of a Wyoming organization’s employee network passwords in
minutes because these policies were not in place/enforced.
My guess is there are hackers even better than us!
Wyoming Case Studies
• What we have seen in Wyoming
• Lack of secure email – offices that use personal gmail, yahoo, or msn accounts for business
• Lack of firewall
• Lack of anti-virus
• Lack of encryption on thumb drives, laptops, and mobile devices
• Use of DropBox for file sharing of sensitive information
• Poor or unenforced password policies (use of generic ids and passwords, passwords under the
keyboards, workstations that aren’t secured by passwords)
• Allowing everyone administrative access on workstations
• Old workstations and servers with internet access
• Sensitive data on spreadsheets on a file share where everyone in the company has access
• Unsecured network jacks in public areas of buildings (anyone can plug into your network)
• Downloading of inappropriate software so that your network IP address is flagged.
Six Questions You Should Ask
• Does the organization have a security framework?
• What are the top risks the organization has related to cybersecurity?
• How are employees made aware of their role relating to
cybersecurity?
• Are external and internal threats considered when planning
cybersecurity activities?
• How is security governance managed within the organization?
• In the event of a serious breach, has management developed a robust
response protocol?
Cybersecurity: What the Board of Directors Needs to Ask, Copyright © 2015 by The Institute of Internal Auditors Research Foundation, (“IIARF”) strictly reserved.
No parts of this material may be reproduced in any form without the written permission of IIARF.
What Would You Do?
Knowing your own security practices, would you go to your
hospital and give out your personal information?
Questions?
Luke Schneider, MBA, CHCIO
Medicine Bow Technologies
www.medbowtech.com
Office: 1-866-455-1978
Cell: 307-460-1848
lschneider@medbowtech.com

Cyber Security and Healthcare

  • 2. Cyber Security Background • Cyber security consequences impact national defense, businesses, public markets, retailers, consumers, and individuals. • Organized cyber crime has escalated in recent years and is replacing terrorism as the largest threat to America. • Cybercriminals are: • Organized • Financed • Looking for high yield • Adopting (Example: Ransomware)
  • 3. More Cyber Security Background • Why are we more at risk now? • Our reliance on instantaneous data • Rapidly growing data volumes • More complex IT infrastructures • Data integration between systems • 3rd Party vendor relationships
  • 4. Biggest Breaches in Recent Years… http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/
  • 5. Which Industries are Most at Risk? http://www.nedocs.com/blog/data-breach-statistics
  • 6. Which Industries are Most at Risk? http://www.nedocs.com/blog/data-breach-statistics
  • 7. Why is Healthcare a Major Target? • Healthcare market forces • Healthcare records are a rich set of data: • Financial, medical, family, and personal data • Patient physical characteristics can be misused to obtain passports, visas or ID’s • Basic identity and insurance information has black market value between $10 to $100 (whereas cc #’s may fetch $0.50 to $1 comparatively)
  • 8. Healthcare Data Breaches Are Costly • 90% had a data breach in the past 2 years • 40% had more than 5 • Average economic impact due to data breaches is 2.1 million dollars / healthcare organization and 1 million dollars / business associate organizations over 2 years • Criminal attacks are now the #1 cause of data breaches • 56% of healthcare organizations and 59% of business associates don’t believe their incident response process has adequate funding and resources www.hhs.gov/ocr
  • 9. Healthcare Data Breaches Are Costly • Data breaches in healthcare are the most expensive to remediate • In the U.S. healthcare industry, the average cost was $398 per record • Average cost across all industries: $154 per record http://www-03.ibm.com/security/data-breach/
  • 10. 2015 Trends in Healthcare The Global State of Information Security® Survey 2016, October 2015 “While the healthcare industry has traditionally lagged in the maturity of its cybersecurity programs, some forward- thinking organizations are beginning to take steps to improve their security posture.” The Global State of Information Security® Survey 2016, October 2015
  • 11. How do you find out if there is a breach? • How victims learn of the crime: • Hospital invoice • Collection letter • Insurance statement • Errors in health record • Credit report • 65% of victims spent money to resolve: • Average cost: $13,500 • Incorrect medical records could jeopardize safety Fifth Annual Study on Medical Identity Theft, Sponsored by the Medical Identity Fraud Alliance, Independently conducted by PonemonInstitute LLC, February 2015 Fifth Annual Benchmark Study on Privacy & Security of Healthcare Data, Sponsored by ID Experts, Independently conducted by PonemonInstitute LLC, May 2015
  • 12. Insider Threats- Employees • “Insiders” refers to your workforce who are trusted with access to your systems • They make mistakes • They violate policies (snooping, shortcuts) • A few have criminal intentions • Huge problem in healthcare!
  • 13. Outside Threats-Third Parties • Third parties were the #2 cause of breaches • Hospitals need to manage third party risks • Evaluate whether third parties have access to PHI • Evaluate the level of risk • For high-risk third parties evaluate the security program • Before contracting • Ongoing • Contract terms to manage third party risks http://www.idtheftcenter.org/ITRC-Surveys-Studies/2014databreaches.html
  • 14. Where to begin? •Get IT security in your budget • You can’t afford to ignore it
  • 15. Where to begin? • Identify • Protect • Detect • Respond • Recover Framework for Improving Critical Infrastructure Cybersecurity, Version 1.0, National Institute of Standards and Technology, February 12, 2014
  • 16. Cyber Security: Where to Start? • Identify: • Be AWARE: Have analytics and monitoring to recognize and respond to threats • If you install monitoring or scanning software, carve out the time to work the reports each month. • Know what you HAVE: Maintain inventory of authorized users, devices, software • Often accounting inventory lists and IT inventory lists do not sync because of the fast moving environment. Make time to reconcile on a quarterly basis. • KNOW your data: Know what data you have, where it is, who has access • Only collect what you need, keep as long as it is required and/or has a legit business need • Perform scans on your network looking for sensitive number formats such as SSN, residing in shared departmental drives • Review user access routinely
  • 17. Cyber Security: Where to Start? • Protect: • Properly deploy ANTIVIRUS/ANTIMALWARE: Use a comprehensive endpoint security product and keep the definition file up to date to continuously monitor and protect workstations, server, and mobile devices • Use ENCRYPTION: If you have encryption layered on your data, sensitive emails, and mobile devices criminals may get a user name, or password, perhaps a social security number, but the full record is encrypted. ($1 of data vs. $50) • Password protect Excel worksheets with sensitive data • Buy encrypted thumb drives for your employees and use an inventory system to check them out • Encrypt your laptops • Secure email with encryption
  • 18. Cyber Security: Where to Start? • Protect Continued: • Have POLICIES in place: • User access policies – how fast can employee be locked out of your network in case of turnover? • Password policies – complexity, renewals, and physical protection (no passwords under keyboards) • Personal laptops-Do not allow them on your network • Computer time out policy • Encryption policies • Prohibit the use of generic user IDs and common passwords • Use SECURE CONFIGURATIONS: • Physical security of your network is important • Guard your hospital’s network by changing the password often • Add filters to your guest wireless network
  • 19. Cyber Security: Where to Start? • Protect-Education • TRAIN Staff: Employees can be one of the biggest threats to security (accidentally and intentionally), map training to skills required for each job, implement, and test • Email is vulnerable • Ransomware is coming in as malicious macros on attachments to email, emails with links elsewhere and through server vulnerabilities. • Downloading of ‘free’ software often has its price. • Know what data is sensitive and what are the procedures are to protect it
  • 20. Cyber Security: Where to Start? • Detection • Monitoring tools to help detect • Network Monitoring • Intrusion Prevention & Detection • Firewall & Network Configuration • File transfer monitoring • Email Protection Tools • URL (web link) filtering, e-mail quarantining, email encryption, anti-spam/phishing detection • Workstations and Server Monitoring • Anti-virus • Anti-malware • Web filtering
  • 21. Cyber Security: Where to Start? • Detection-Continued • Monitoring tools to help detect • Maintain PATCHES: Apply proactive upgrades/patching of hardware and software • This is a difficult task in small rural hospitals • Upgrade before END-OF-LIFE • MS Server 2003 reached ‘end of life’ July 2015, not maintained for security by Microsoft • Windows XP reached ‘end of life’ April 8, 2014. • McAfee email protection tools will be ‘end of life’ December 31, 2016 • Microsoft Windows Vista will reach ‘end of life’ on April 11, 2017. • User Access • Password Management • The tools only help detect….the tools don’t fix issues! • Rural hospitals are budget constrained and short staffed in IT.
  • 22. Cyber Security: Where to Start? • Respond • Have a PLAN: Know how to respond to incidents, have trained team in place • Business continuity • Disaster recovery • Ransomware Attacks • Have a communication plan in place today for a potential data breach • You want this now so you don’t panic when it happens! • Periodically validate through neutral 3rd party via penetration testing and red team exercises
  • 23. Cyber Security: Where to Start? • Recover • Be able to RECOVER: Have regular backups for disaster recovery and continuity • Evaluate your risk and determine if offsite backups are needed • Is there a need for full redundancy for your business? • Continuous REVIEW: Security is an on-going process. Proactively identify and repair vulnerabilities to mitigate to an acceptable risk level. • Work the scanning and monitoring reports on a monthly basis • Create a process for reviewing employee access on a routine basis • Walk through the office looking for passwords under keyboards and sensitive data left on desks • Make sure software updates ran (did not fail)
  • 24. Defense-in-Depth / Layers of Security • The best practice in cyber security is to use the Defense-in-depth model, meaning that our data protection should be layered like an onion • This will allow all sources of threats to be covered. (Some of the security solutions can cover more than one threat source and can work in more than one layer of the model) http://www.nedocs.com/blog/data-breach-statistics
  • 25. Wyoming Businesses are at Risk “That won’t happen in Wyoming, we are small potatoes.” Our response: • Are you sure your employees all know not to click on something that could introduce malware into your network? • Are you sure all your terminated employees can’t get into your network? • Are you sure that all of your workstations and servers have the latest patches for software on them? • Are you sure you do not have legacy software anywhere in your organization? • Are you sure your customers’ sensitive information is being encrypted? • Are you sure an employee isn’t walking around with a thumb drive with his/her password on it to your network?
  • 26. Wyoming Case Studies • A medium-sized company in Wyoming did not have strong policies about personal devices on their network. An employee brought his personal laptop to work (because it worked better than the company-owned workstation), accessed the wireless network, and was unaware that a BitTorrent product was running in the background on this machine. BitTorrent is a peer-to-peer file transfer protocol for sharing data over the internet. It is often used to share music or pictures illegally or to introduce malware. People may not know that they have BitTorrent installed. This company was sent a letter from their internet service provider telling them they would be removed from internet service because they had engaged in illegal practices via their network. They had to engage an attorney to work with their ISP and pursue a time-consuming formal IT audit to determine where the illegal activity had come from. Once the mystery was solved, to ensure it did not occur again, the company implemented a ‘no personal devices policy,’ purchased the employee a better workstation, and added web filtering capabilities to their firewall.
  • 27. Wyoming Case Studies • Proactive Approach • A behavioral health school for girls decided to increase their IT security and ensure that they meet HIPAA compliance standards. The school had approximately 13 workstations and 17 users. • Address Software issues • Office 365 for Business, Anti-Virus, Secure Emails, Email Archiving • Address Hardware Issues • Implemented secure, centralized file storage with re-direction from workstations of the My Documents folders, including encrypted backups for the server. • New firewall for network security • Set Windows updates to occur on routine basis • Secure wireless access points in a private wireless network • Configured email notifications to IT to ensure backups work properly
  • 28. Wyoming Case Studies • Password Policies • Throughout Wyoming, most of the organizations I have spoken with have weak password policies and little to no enforcement. • 8-12 digit passwords • At least one number, one capital, and one character • Force changes every 3 months • I have seen risk assessors crack 95% of a Wyoming organization’s employee network passwords in minutes because these policies were not in place/enforced. My guess is there are hackers even better than us!
  • 29. Wyoming Case Studies • What we have seen in Wyoming • Lack of secure email – offices that use personal Gmail, Yahoo, or MSN accounts for business • Lack of firewall • Lack of anti-virus • Lack of encryption on thumb drives, laptops, and mobile devices • Use of Dropbox for file sharing of sensitive information • Poor or unenforced password policies (use of generic IDs and passwords, passwords under the keyboards, workstations that aren’t secured by passwords) • Allowing everyone administrative access on workstations • Old workstations and servers with internet access • Sensitive data on spreadsheets on a file share where everyone in the company has access • Unsecured network jacks in public areas of buildings (anyone can plug into your network) • Downloading of inappropriate software so that your network IP address is flagged.
  • 30. Six Questions You Should Ask • Does the organization have a security framework? • What are the top risks the organization has related to cybersecurity? • How are employees made aware of their role relating to cybersecurity? • Are external and internal threats considered when planning cybersecurity activities? • How is security governance managed within the organization? • In the event of a serious breach, has management developed a robust response protocol? Cybersecurity: What the Board of Directors Needs to Ask, Copyright © 2015 by The Institute of Internal Auditors Research Foundation, (“IIARF”) strictly reserved. No parts of this material may be reproduced in any form without the written permission of IIARF.
  • 31. What Would You Do? Knowing your own security practices, would you go to your hospital and give out your personal information?
  • 32. Questions? Luke Schneider, MBA, CHCIO Medicine Bow Technologies www.medbowtech.com Office: 1-866-455-1978 Cell: 307-460-1848 lschneider@medbowtech.com
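
The slides ask for a routine review of employee access, raise the question of terminated employees who can still log in, and list generic IDs, universal administrative access and a 3-month password change rule. The sketch below is an added example, not part of the original deck: it cross-checks a directory export against an HR roster. All account names, the data layout, the finding codes and the 90-day reading of "3 months" are assumptions made for illustration.

```python
from datetime import date

MAX_PASSWORD_AGE_DAYS = 90  # assumption: "every 3 months" approximated as 90 days

# Constructed sample data (not from the slides).
ACTIVE_STAFF = {"asmith", "bjones", "cnguyen"}   # current HR roster
APPROVED_ADMINS = {"itadmin"}                    # accounts allowed admin rights
ACCOUNTS = [                                     # directory export
    {"user": "asmith", "enabled": True, "admin": False, "pw_changed": date(2016, 9, 1)},
    {"user": "BJones", "enabled": True, "admin": True, "pw_changed": date(2016, 3, 15)},
    {"user": "dlee", "enabled": True, "admin": False, "pw_changed": date(2016, 8, 20)},
    {"user": "frontdesk", "enabled": True, "admin": True, "pw_changed": date(2015, 1, 5)},
    {"user": "ekhan", "enabled": False, "admin": False, "pw_changed": date(2015, 6, 1)},
]

def review_access(accounts, active_staff, approved_admins, today):
    """Return {username: [finding codes]} for enabled accounts that need follow-up."""
    findings = {}
    for acct in accounts:
        if not acct["enabled"]:
            continue  # disabled accounts cannot log in; nothing to review
        user = acct["user"].lower()  # directory names are often case-insensitive
        reasons = []
        if user not in active_staff:
            reasons.append("NO_ACTIVE_EMPLOYEE")  # terminated user or generic/shared ID
        if acct["admin"] and user not in approved_admins:
            reasons.append("UNAPPROVED_ADMIN")
        if (today - acct["pw_changed"]).days > MAX_PASSWORD_AGE_DAYS:
            reasons.append("STALE_PASSWORD")
        if reasons:
            findings[user] = reasons
    return findings

if __name__ == "__main__":
    report = review_access(ACCOUNTS, ACTIVE_STAFF, APPROVED_ADMINS, date(2016, 10, 1))
    for user, reasons in sorted(report.items()):
        print(f"{user}: {', '.join(reasons)}")
```

Each flagged account still needs a person to decide whether to disable it, remove admin rights, or force a password change; the script only produces the worklist.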

Editor's Notes

  • #8: Driven by market forces, a desire to improve health delivery, reduce costs, and comply with Gov. mandates, providers are adopting electronic records. Medical data sets tend to be more complete. They can include: demographics, Gov. ID numbers, bank/credit card accounts, insurance plan credentials, disease/health statuses and physical descriptors.