Cybersecurity Risk, Remediation, Response Nathan Gibson, CCE, CEH.

1 Cybersecurity Risk, Remediation, Response
Nathan Gibson, CCE, CEH

2 Today's Presentation
- Introduction
- Governance
- Cyber Risk
- Remediation Strategies
  - Passwords
  - Phishing
  - Security Updates
- Incident Response
- Challenge
- Summary

3 Definitions
- Information Security: the protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity, and availability.
- Cybersecurity: the ability to protect or defend the use of cyberspace from cyber attacks.

4 Terms
- Phishing
- Threat Actor
- Malware
- OCR

5 Governance
- Leadership
  - Executive Leadership
  - Board Accountability
  - Incident Response Team
    - Confidentiality & Security Team (CST)
    - Computer Emergency Response Team (CERT)
- Frameworks
  - NIST Cybersecurity Framework
  - NIST 800-Series Guidance
  - SANS 20 Critical Security Controls

6 Compliance Secure

7 Next Steps Cyber Risk Risk Remediation Response

8 Cyber Risk
- Criminal Attacks Up 125%
- Medical Identity Theft Doubled
  - 1.4M to more than 2.3M
- Average of $13,500 to Restore Credit

9 Cyber Risk
- The Numbers...
  - Medical record: $10 - $50
  - Mother's Maiden Name: $6
  - Social Security Number: $3
  - Date of Birth: $3
  - Credit Card: $1.00
- Risks
  - Patient safety (medical record)
  - Coverage (routine physical to major surgery)
  - Fraudulent claims
  - Credit accounts

18 Cyber Risk: Phishing

19 Cyber Risk
- OCR Breach Portal, October 2015: 139 breaches (hacking), >115M patients

20 Cyber Risk
- Verizon Data Breach Report
  - 23% of recipients open phishing messages
  - 11% click on attachments
  - 97% of exploits target 10 CVEs
  - Mobile malware not a primary threat
  - Threat Actors
    - 80% of breaches reviewed (external)
    - 17% of breaches reviewed (internal)
    - 3% of breaches reviewed (partners)

22 Cyber Risk
- Risk Assessment
  - NIST 800-30 Rev. 1, Conducting Risk Assessments
  - NIST 800-39, Managing Information Security Risk
  - Vulnerability Assessments
  - Stored and Transmitted

23 Cyber Risk
- Stored
  - Databases
  - Thumbdrives
  - Workstations
  - File Servers
  - Medical Devices
- Transmitted
  - Email
  - VPN (clients)
  - Site-to-Site VPN Tunnel
  - Secure Web Front-End
- Know your data!
- Don't overlook non-sensitive systems

24 Cyber Risk
- Tools
  - Security Risk Assessment (SRA Tool): https://www.healthit.gov/providers-professionals/security-risk-assessment-tool
    - Additional resources
      - Top 10 Tips for Cybersecurity in Health Care
  - HIPAA Security Rule Toolkit: http://scap.nist.gov/hipaa/

25 Next Steps Remediation Strategies Risk Remediation Response

26 Remediation Strategies
- Accept
  - Within organizational risk tolerance
- Avoid
  - Risk exceeds organizational risk tolerance
- Mitigate
  - NIST 800-53
  - 20 Critical Security Controls
- Share or Transfer
  - Outsourcing
  - Cyber Insurance

27 Remediation Strategies
- Cyber Insurance
  - Breach Costs (forensics, notification, identity protection)
  - Privacy Protection (regulatory)
  - Multimedia Protection
  - Cyber Extortion
- Analysis
  - Incident History
  - Ponemon Study: $204 per record
  - Verizon Data Breach Report

28 Remediation Strategies
- Verizon Data Breach Report
  - Cost Per Record

29 Remediation Strategies
- Example Safeguards
  - Encryption
  - Malware Protection
  - Microsoft & Third Party Updates
  - Physical Access Controls
  - Intrusion Detection & Prevention
  - Policies & Procedures
  - Disaster Recovery & Business Continuity
  - Incident Response
  - Two-Factor Authentication
  - Strong Password Enforcement

30 Next Steps Video Passwords

31 Which one is more secure? (take the survey)
- Xq!5#7pK: 8 characters, 3 days to crack
- 15 characters: 49 million years to crack

32 Passwords
- Passwords
  - Minimum of 8 characters (10-52 seconds)
  - Upper & lower case (45-180 minutes)
  - Numbers (3-15 hours)
  - Special characters (3-5 days)
- Passphrases
  - Minimum of 15 characters (13,000 years)
  - Upper & lower case (435 million years)
  - Numbers (6 billion years)
  - Special characters (157 billion years)
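As an added worked example (not part of the presentation), the following Python script makes the comparison behind slides 31 and 32 explicit: it infers the character classes a secret uses, computes the exhaustive search space and its size in bits, and converts that to a worst-case guessing time. The guess rate (one billion guesses per second), the class sizes, and the sample passphrases are assumptions of this example; the slides' own timings come from an unstated rate, so the absolute numbers differ, but the ordering (length beats character-class complexity) is the same.

```python
import math
import string

# Character classes an exhaustive search must cover once a secret uses them.
# The class sizes (26/26/10/32) are this example's assumption for the estimate.
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "special": string.punctuation,
}

# Assumed offline guessing rate; the slides' figures use an unstated rate.
DEFAULT_RATE = 1e9  # guesses per second


def classes_used(secret: str) -> list:
    """Names of the character classes that actually appear in the secret."""
    return [name for name, chars in CLASSES.items() if any(c in chars for c in secret)]


def charset_size(secret: str) -> int:
    """Alphabet size an exhaustive search must cover; characters outside the
    four classes (space, non-ASCII) each add one symbol."""
    size = sum(len(CLASSES[name]) for name in classes_used(secret))
    known = "".join(CLASSES.values())
    size += len({c for c in secret if c not in known})
    return size


def search_space(secret: str) -> int:
    """Number of candidates an exhaustive search of this shape enumerates."""
    return charset_size(secret) ** len(secret)


def entropy_bits(secret: str) -> float:
    """log2 of the search space: bits of work for a brute-force attacker."""
    return math.log2(search_space(secret))


def crack_time_seconds(secret: str, rate: float = DEFAULT_RATE) -> float:
    """Worst-case time to exhaust the search space at the given guess rate."""
    return search_space(secret) / rate


def human_time(seconds: float) -> str:
    """Render seconds in the largest convenient unit, as the slides do."""
    units = [("years", 365 * 24 * 3600), ("days", 24 * 3600),
             ("hours", 3600), ("minutes", 60)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:,.1f} seconds"


def summarize(secret: str, rate: float = DEFAULT_RATE) -> dict:
    """One row of the comparison table: length, classes, alphabet, bits, time."""
    return {
        "length": len(secret),
        "classes": classes_used(secret),
        "charset": charset_size(secret),
        "bits": round(entropy_bits(secret), 1),
        "time": human_time(crack_time_seconds(secret, rate)),
    }


if __name__ == "__main__":
    # Constructed samples: an 8-character lowercase password, the slide's
    # 8-character password, and two 15+ character passphrases made up here.
    for s in ["abcdefgh", "Xq!5#7pK", "mellowriverbank", "Mellow-River-Bank-42"]:
        print(f"{s:22} {summarize(s)}")
```

Running it shows an 8-character lowercase password exhausted in minutes, the slide's full-charset 8-character password in weeks, and a 15-character lowercase passphrase in tens of thousands of years, which is the point of the slide. One caveat for policy writers: the estimate assumes an exhaustive search, so a passphrase built from a few dictionary words is weaker against wordlist-based guessing than its raw keyspace suggests; length still helps, but the 15-character minimum should not be read as a guarantee.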

33 Passwords
- Two-Factor Authentication
  - Password, PIN
  - Hard Token, Soft Token, Certificate

34 Phishing
- Security awareness and training

35 Phishing
- Phishing tests
  - Social Engineering Toolkit (SET)
  - Simple Phishing Toolkit
  - SpearPhisher

36 Phishing Test

37 Security Updates
- Windows Updates
  - 120 Windows Updates, Per Server, Per Year
  - 12,000 Windows Updates Per Year (per 100 Servers)
- Microsoft Updates
  - Office
  - SQL
- Third Party Updates
  - Adobe
  - Oracle (Java)

38 Next Steps Incident Response Risk Remediation Response

39 Incident Response
- Incident Response Team
- Reporting & Tracking
- Breach Assessment
  - Notification Requirements
- Law Enforcement & NCCIC
- Disaster and Contingency Planning

40 Incident Response
- National Cybersecurity and Communications Integration Center (NCCIC)
  - US-CERT (United States Computer Emergency Readiness Team)
  - ICS-CERT (Industrial Control Systems Cyber Emergency Response Team)
  - NCC (National Coordinating Center)
  - COC (NCCIC Cyber Operations Center)
  - DTA (Discovery and Technical Analysis)
  - MM (Mission Management)

42 Challenge #1
- Vulnerability Assessment Report
  - US-CERT: Top 30 Targeted High Risk Vulnerabilities
  - https://www.us-cert.gov/ncas/alerts/TA15-119A

43 Challenge #2
- Malware Report
  - Virus definitions
  - Detection history
  - Rogue system detection

44 Challenge #3
- Security Update Status Report
  - Microsoft updates
  - Third party software

45 Challenge #4
- Security Awareness and Training
  - Training certifications/verification
  - Review/update content
  - Phishing test
- Free Resources
  - CyberAwareness Challenge (Federal Version): http://iatraining.disa.mil/eta/cyberchallenge/launchpage.htm
  - Identifying and Safeguarding PII: http://iatraining.disa.mil/eta/piiv2/launchPage.htm
  - Privacy and Security Training Games: https://www.healthit.gov/providers-professionals/privacy-security-training-games

46 Summary
- Risk
- Remediation
- Response

47 Additional Information
- Verizon Data Breach Report (2015)
  - http://www.verizonenterprise.com/DBIR/2015/
- National Institute of Standards and Technology (NIST)
  - http://www.nist.gov
  - 800-Series Guidance: http://csrc.nist.gov/publications/PubsSPs.html
- OCR Breach Portal
  - https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf
- NCCIC
  - http://www.dhs.gov/about-national-cybersecurity-communications-integration-center
- US-CERT
  - https://www.us-cert.gov/
  - Incident Reporting: https://www.us-cert.gov/forms/report

48 Additional Information
- Cybercrime and the Healthcare Industry (EMC & RSA)
  - http://www.emc.com/collateral/white-papers/h12105-cybercrime-healthcare-industry-rsa-wp.pdf
- Fifth Annual Benchmark Study on Privacy and Security of Healthcare Data (Ponemon Institute)
  - https://www2.idexpertscorp.com/fifth-annual-ponemon-study-on-privacy-security-incidents-of-healthcare-data
- Cyber-Risk Oversight Handbook
  - https://www.nacdonline.org/Resources/Article.cfm?ItemNumber=10688

49 Contact Information
Have a question, comment, or suggestion? Contact Nathan Gibson at: ngibson@wvmi.org, 304-346-9864 ext. 2236

