Managing Cyber Threats for Health Systems
Dan Bowden, Vice President & CISO
January 2018
The Health Care Industry Cybersecurity Task Force Report
Severe lack of cybersecurity talent
Legacy equipment
Premature/over-connectivity
Vulnerabilities impact patient care
Known vulnerabilities epidemic
HCIC Task Force Report – Executive Summary
Health care cybersecurity is a key public health concern that needs immediate and aggressive attention.
HCIC Report – Imperatives
Six high-level imperatives:
1. Define and streamline leadership, governance, and expectations for health care industry cybersecurity.
2. Increase the security and resilience of medical devices and health IT.
3. Develop the health care workforce capacity necessary to prioritize and ensure cybersecurity awareness and technical capabilities.
4. Increase health care industry readiness through improved cybersecurity awareness and education.
5. Identify mechanisms to protect research and development efforts and intellectual property from attacks or exposure.
6. Improve information sharing of industry threats, weaknesses, and mitigations.
What now, HHS?
Alignment of imperatives, recommendations and action items with the CISA 405(d) Task Group.
CHIME / AEHIS: Association of Executives in Health Information Security, Public Policy Group
What is the Task Group Doing?
The U.S. Department of Health and Human Services (HHS) is leading the development of a common set of voluntary cybersecurity guidance and best practices that cost-effectively reduce the cybersecurity risks of healthcare providers. HHS is conducting this work through a collaborative, multi-stakeholder process that will create an initial set of recommended cybersecurity practices that are actionable, practical, and relevant to healthcare providers of every size and resource level. Healthcare providers have long identified a need for a common set of consensus-based and industry-led cybersecurity practices that cost-effectively reduce their cybersecurity risks. Congress recognized this need in Section 405(d) of the Cybersecurity Information Sharing Act of 2015 (CISA), which directs the Secretary of HHS to develop voluntary, consensus-based, and industry-led guidelines in collaboration with key stakeholders.
What’s in it?
Call to action
Most impactful threats
Detailed best practice recommendations: “How To Guide”
Best practices sub-divided for varying sized systems
What’s in it? Most impactful threats:
Phishing
Ransomware/malware
Insider threat
Lost/stolen equipment
Medical device support
What’s in it? Best practices:
Email Protection
Network Management
Endpoint Protection
Identity and Access Management (IAM)
Data Loss Prevention (DLP)
Asset Management
Vulnerability Management
SOC and Incident Response
Medical Device Security
Policies and Procedures
Stuff Going on At Sentara
Handling Cyber Security Threats
Key technologies and processes are a must for all organizations.
Security Operations Center (SOC): utilizing IBM Watson to be smarter at detecting and prioritizing cyber threats.
Two-factor authentication: secure remote access for all users. 81% of hacking-related breaches leveraged either stolen and/or weak passwords.
Network segmentation: the practice of separating networks to protect and limit exposure to threats.
Operational leadership: key operational leaders meet monthly to review, discuss and act on cyber security metrics and emerging threats.
3rd party risk: evaluate and manage risk from business associates, subcontractors, affiliated providers, joint ventures and strategic partners.

All organizations need to implement both key technologies and processes to protect against cyber threats, as well as defining organizational processes to manage risk. Some of the key technologies and processes that Sentara has implemented are:
Network Segmentation – Dividing the network into manageable parts and monitoring communications between each of the parts provides early detection of potential cyber threats while limiting organizational risk.
Security Operations Center (SOC) – We have partnered with IBM to provide us with 24x7 monitoring of Sentara’s cyber security threats. Utilizing Watson, this service provides AI capabilities to both detect and prioritize potential cyber security threats.
Two Factor Authentication – Most cyber security breaches are due to compromised passwords. Sentara has taken a strong view that all external access requires two factor authentication to prevent compromising our systems. (We use the company Duo for this service.)
Operational Leadership – Security is everyone’s responsibility at Sentara. Engaging key operational leaders to participate in decision making for cyber has improved both the knowledge and the pace of execution for implementing cyber security initiatives. Our COO and CIO co-chair a group of leaders who meet monthly to review, prioritize and act on cyber initiatives.
3rd Party Risk – Sentara utilizes tools that assess public information about 3rd parties with respect to their cyber security posture. This assessment is like a cyber security credit score, which enables us to make informed decisions when partnering with new organizations as well as allowing us to focus resources on mitigating potential issues.
Many of these initiatives are visible to the Board of Directors and are stated annual organizational goals.
Simplified Incident Response Strategy
How do we respond to a cyber security incident?
0. PREVENTION
1. DISCOVERY: Report discovery via proper channels; engage the Incident Response Team.
2. EVALUATION & TRIAGE: Incident analysis – assess the impact. MINOR: detect & resolve. MAJOR: escalate through the Incident Response Plan.
3. MANAGING THE SHORT TERM CRISIS: Forensic investigation; containment / mitigation; legal review; recovery; immediate response planning; communications, PR, crisis management.
4. LONG TERM RESPONSE MANAGEMENT: Long term recovery planning (legal, reputational, media); customer communications; recommend improvements.

Our formal Incident Response Plan is owned by Info Security and is over 20 pages long; this is a simplified version of that plan.
Discovery – Assess the incident and engage the Incident Response Team (more details on who makes up the team on the next slide).
Investigate, contain, and mitigate the issue; begin the recovery process.
Manage the short term crisis: engage our partners within Sentara and outside of Sentara as necessary; craft customer messaging.
Long term management: the IRT works to ensure we have long term plans in place and recommends improvements.
Membership of the Incident Response Team
Incident Response Team leader/coordinator
Privacy Officer
Legal
Risk Management
Information security
Law Enforcement
HR, employee relations, patient relations
Public relations / Marketing
Fulfillment Vendor
Beazley/Broker
Outside legal counsel
Crisis Management Firm
Others as appropriate

Dealing with major cyber security issues involves the entire team at Sentara. It is important to have the entire team working early, since the time to notify patients has direct reputational impact (e.g. Equifax waiting 6 or more months). Some of the key participants that have critical roles to play early in the management process include the CISO, Legal Counsel, Privacy, Marketing/Communications, HR, and the Cyber Security Broker or Cyber Insurance Representatives. Many others, as appropriate, are vital to the successful management of an incident.
Cyber Security influences on operational and strategic processes
Proactive cyber audits for new partnerships
Annual planning for cyber investments
Cyber security is a team sport

Implementing a robust cyber security program takes significant resources and focus. Given the prevalence of cyber threats and the potential risk, implementing a cyber security program should be a top priority for all healthcare organizations. Some ways that our cyber program has influenced both operational and strategic processes in our organization, including planning, growth and workforce development:
Proactive audits for new partnerships – Proactive cyber audits are conducted on all new partnerships to assess risk and remediation efforts. New practices, hospitals or joint ventures many times are unaware of latent cyber vulnerabilities and require significant remediation as partnerships are negotiated.
Annual planning – Each year our information security oversight committee plans initiatives based upon the greatest potential risk to our organization. Transparency of these initiatives has led to transformative discussions with the Board of Directors and a stronger partnership with internal audit.
Cyber security is a team sport – Workforce education and development are essential to a well-run cyber program. Education on phishing emails, remote access and good security hygiene has contributed to early detection of issues as well as vigilance of employees in protecting our patient health information.
Evaluating partners’ cyber security risk
1. Gain objective insight into 3rd party cyber security
2. Engage partners with accurate, actionable security insights
3. Allocate risk resources to where they are most needed
4. Continuously monitor partner performance
5. Collaborate with partners to reduce risks

In today’s environment, where sharing of patient and member data is critical to population health efforts and essential to providing the best possible care, understanding partners’ cyber security risk is becoming an important part of negotiations and managing relationships. Sentara utilizes public information available on the internet to assess and manage 3rd party risk. This allows us to establish a “Security Credit Score” for all partners and focus our time and resources on partners who may not have the best credit score.
(For Howard only) These partners include SQCN, cloud software companies, or any service we use on the internet, i.e. eligibility, claims scrubbing, radiology Nighthawk services. The tool we use that provides us with these Security Credit Scores is RiskRecon.
Sentara’s ISAO Partners
Who are your partners in developing best practice for cyber security?
What is an Information Sharing & Analysis Organization (ISAO)? Members with common cybersecurity objectives.
Mission: Improve the Nation’s cybersecurity posture by identifying standards and guidelines for robust and effective information sharing and analysis related to cybersecurity risks, incidents, and best practices.
The Cybersecurity Information Sharing Act of 2015 (“CISA”) was signed into law on December 18, 2015. It provided guidance and certain protections to encourage companies to voluntarily share information—specifically, information about “cyber threat indicators” and “defensive measures”—with the federal government, state and local governments, and other companies and private entities.

Sentara has worked with several progressive organizations to share security best practices and cyber threat information aimed at improving the quality of healthcare cyber readiness.
(For Howard only) We share technology decision making processes, technical configurations, policy and procedure information, incident response processes and threat information.
Internal Cyber Vulnerability Dashboard
Appendix Slides
We have two slides that I thought were too technical for the presentation but will include them if you would like. The first is our Security Credit Score for Sentara and the second is our internal dashboard to manage issues from Internal Audit. I am not sure how long you want to talk to slides vs. open dialog, but we have a few more options.
Looking Forward
Partnering with FBI, Homeland Security towards more active cyber threat sharing and management
Research creation of cross-sector, national cyber security infrastructure to include partnerships with law enforcement
Leverage partnerships with academic institutions creating internships and training for the next generation of cyber security professionals

Howard – Let me know your thoughts on this and I can edit and provide you another draft. One point I thought might be good to make is our partnership with academic institutions to utilize interns as security staff. We currently have 10 students that rotate through the program and do real security work for Sentara. This provides us with highly motivated staff and a good hiring pool for new cyber security talent.