Healthcare Cybersecurity: State of Industry Addressing Our ever changing Cybersecurity Risks Sean K. Lowder CISSP/CISA/CISM/CRISC © Sean K. Lowder 2016

Why are we under attack? Information we have is much more valuable than retailers: Complete profiles of people, and Medical information Uses of information: Fraudulent lines of credit Medical insurance fraud Order and resell medical equipment, False claims Health care fraud Blackmail and extortion Aftermath: Very difficult to remediate once compromised © Sean K. Lowder 2016

Healthcare Threat landscape increased Personally Identifiable Information (PII) is still the number one target Costs on black market makes it the most attractive target State-sponsored actors China Dossiers Medical Insurance is now in 5 year plan Russia Criminal activity Symbiotic relationship with Government Mules in US for Fraud "We are facing an arms race in terms of security. Every minute, we are seeing about half a million attack attempts that are happening in cyber space." -Derek Manky, Fortinet global security strategist © Sean K. Lowder 2016

Cost of the Attacks* $6.5 million is the average cost of data breach $355 is the cost per capita in healthcare *2016 Cost of Data Breach Study: Global Analysis Ponemon Institute LLC, June 2016 © Sean K. Lowder 2016

Our Data is everywhere Castle and Moat approach is no longer viable to protect our data Cloud Microsoft Google Amazon Hosting Data analytics Claims systems Etc. All else What don’t you know about??? (Dropbox, etc.) How confident are you of Data Loss Prevention implementation? © Sean K. Lowder 2016

So, what are we going to do? What are your Threats? Who wants your stuff? How do you know where you are? Evaluate your program What are you vulnerable to? What is your focus? Highest risk gaps first, prioritize your $ http://www.reuters.com/article/2014/09/24/us-cybersecurity-hospitals-idUSKCN0HJ21I20140924 http://www.networkworld.com/article/2176589/malware-cybercrime/data-breaches-9--more-costly-in-2013-than-year-before.html © Sean K. Lowder 2016

Frameworks are a START Security Frameworks ISO 27000 NIST HiTrust Frameworks provide a BASE level of security Where you have control gaps Maturity gaps for your program CAUTION!!! Don’t fall for the “but the control says…” Don’t “Lawyer up” when implementing controls Check-box Security isn’t security! © Sean K. Lowder 2016

Assumption of Breach Focus on Detection of events Keep your focus on “Detection / Response” technologies Assume you are breached Go find ‘em with “hunt” teams Test your Incident response plan Table tops Full exercises Use Penetration assessments to test your SOC/SIRT © Sean K. Lowder 2016

Identity is the last boundary Where are your ID’s? Cloud Applications SSO/Federation partners Who holds the Keys??? Who are your “privileged” users? How do they use their privileges (MFA)? OK to trust the person, don’t trust the ID! Are you monitoring activities? What’s normal vs. what’s not How are you managing those ID’s? Password Vaulting © Sean K. Lowder 2016

Vendor Risk Management If your vendor’s security is breached, who gets the bad press? Lifecycle of a vendor for Security Oversight Birth Contracting Vendor Risk assessment Operational Monitoring Annual (or more) Vendor Risk assessments Site visits SLA Attestations (SOC2, CEO attestation) Death Where is the data??? © Sean K. Lowder 2016

Are you covered? Cyber Insurance What’s covered? How much do you need? Response assistance Forensic assistance Communications Brand Damage How much do you need? Based upon Ponemon numbers…how many records could you lose? Business Value – What’s catastrophic? Incident responders on retainer Have the “paperwork” all done © Sean K. Lowder 2016

Questions? © Sean K. Lowder 2016