CYBERSECURITY IN HEALTHCARE · 2019. 2. 9. · BDO USA, LLP, a Delaware limited liability...
BDO USA, LLP, a Delaware limited liability partnership, is the U.S. member of BDO International Limited, a UK company limited by guarantee, and forms part of the
international BDO network of independent member firms.
CYBERSECURITY IN HEALTHCARE: AN OVERVIEW OF HHS’S RECENTLY RELEASED HEALTH INDUSTRY CYBERSECURITY PRACTICES (HICP) GUIDANCE
February 11, 2019
With you today:
KEVIN OLVERA, Healthcare Audit Partner, +1 214 665-0742
GANESH RAMASWAMY, Risk Advisory Services Managing Director, +1 214 908-2744
Cybersecurity in Healthcare - Agenda
• Overview of Cybersecurity challenges in Healthcare
• Background of HICP guidance
• Key takeaways
• Questions and open discussion
Background: Legal Basis
Cybersecurity Act of 2015
Health Care Industry Cybersecurity (HCIC) Task Force (2017) Report*
HICP Guidance (2018)**
Reference:
* HCIC Report on Improving Cybersecurity in the Health Care Industry, June 2017
** Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients, December 2018
Nature of Health Care Industry Landscape
A mosaic of organizations and players
❑ Large health systems & single physician practices; public & private payers; for-profit, charity, &
academic institutions; device manufacturers & service providers
Serving a wide spread and diverse population
❑ Varied ability to pay, medical needs, and security awareness
Geographical diversity
❑ Rural, suburban, urban, & mobile
A unique culture: “open” and “sharing”
❑ Generally in line with the primary mission of the industry, but at odds with information security and privacy needs
Relatively slow to embrace digitization
❑ Historically, data was kept “in-house” for security purposes; recent subsidies for EHR adoption, data exchanges, and cloud adoption increase the risk
❑ Emerging online self-service and access through mobile & wearable devices
❑ Increased connectivity (IoT) and volume of data (big data)
Multiplicity of Regulatory Actors
❑ OCR, CMS, FDA, ONC, ASPR, FTC
Health Care Ecosystem (diagram)
Source: https://www.phe.gov/preparedness/planning/cybertf/documents/report2017.pdf
Health Care Regulatory Landscape (diagram)
Source: https://www.phe.gov/preparedness/planning/cybertf/documents/report2017.pdf
HCIC Task Force Imperatives
Released in 2017, the HCIC Task Force report provided six high-level imperatives and recommendations for the healthcare industry:
1. Define and streamline leadership, governance, and expectations
❑ Create cybersecurity leadership role within HHS
❑ Consistent and consensus based cybersecurity framework
❑ Harmonize existing and future laws (state and other jurisdiction)
❑ Identify scalable best practices
❑ Explore potential conflicts with other Healthcare laws
2. Increase the security and resilience of medical devices and IT
❑ Secure legacy systems
❑ Improve manufacturing & development transparency
❑ Increase adoption and rigor of secure development
❑ Strong authentication for access and identity management
❑ Strategically reduce attack surface
❑ MedCERT team to handle emergency response
3. Develop workforce capacity necessary to prioritize and ensure cybersecurity awareness
❑ Identify cybersecurity leadership role
❑ Establish model for resourcing cybersecurity workforce with qualified individuals
❑ Create MSSP models to support small and medium-sized providers
❑ Evaluate options to migrate patient records and legacy systems to secure environments
HCIC Task Force Imperatives (contd.)
4. Increase readiness through cybersecurity awareness and education
❑ Develop cybersecurity education programs for executives and the board of directors
❑ Establish a cybersecurity hygiene posture for risk management in a secure and sustainable fashion
❑ Establish a conformity assessment model (based on the NIST Baldrige Cybersecurity Excellence Builder)
❑ Increase outreach of cybersecurity across federal, state, local, and private entities
❑ Provide patients with information to manage security and privacy of their personal health
information
5. Identify mechanisms to protect R&D efforts and IP from attacks/exposure
❑ Develop guidance for industry and academia for risk management
❑ Pursue research into protecting healthcare big data sets
6. Improve information sharing of threats, risks, and mitigations
❑ Tailor information sharing for easier consumption by small and medium-sized organizations
❑ Broaden the scope and depth of information sharing
❑ Encourage annual readiness exercise
❑ Provide security clearance mechanism for Healthcare community members
Approach and Goals of HICP Guidance
Approach to the HICP guidance:
❑ Examine current cybersecurity threats affecting HPH sector
❑ Identify the specific weaknesses that lead to increased vulnerability
❑ Provide practices that experts consider as most effective to mitigate the risks
Three “core” goals:
❑ Cost effectiveness in reducing the risk for a range of organizations
❑ Support voluntary adoption and implementation
❑ Ensure the content is actionable, practical, and relevant to all stakeholders regardless of size and available resources
Not a one-size-fits-all approach
Written to raise awareness among all personnel (i.e., executives, health care practitioners, providers, delivery organizations).
Approach and Goals of HICP Guidance (Contd.)
Structure
❑ Main Document: Addresses current threats and raises awareness
❑ Technical Volume 1: Ten practices and sub-practices for small health care
organizations. Intended for IT and/or IT security personnel and serves to guide the
organization on what to ask of their service providers.
❑ Technical Volume 2: Ten practices and sub-practices for medium-sized and large
healthcare organizations
❑ Resource and Template Volume: Provides additional resources and supplements
The Main Document explores the five most impactful threats; the Technical Volumes detail the ten practices that mitigate those five threats.
Selecting the Correct Volume and Fit
Generally the guidance is clear for small practices.
For medium and large practices, it is recommended that:
❑ Medium-size organizations start with the medium organization sub-practices and also consider adopting the sub-practices of large organizations
❑ Large-size organizations review both the medium and large organization sub-practices
*Source: https://www.phe.gov/Preparedness/planning/405d/Documents/HICP-Main-508.pdf
Key Takeaways: The Five Threats
E-mail phishing attacks
❑ Vulnerabilities: Lack of awareness, lack of IT resources and sender validation tools
❑ Impact: Loss of reputation, patient care and safety, data confidentiality
Ransomware attacks
❑ Vulnerabilities: lack of back-up, anti-phishing tools, patching, detection tools, security controls
❑ Impact: Service disruption, patient care and safety, expensive recovery, data confidentiality
Loss or theft of equipment or data
❑ Vulnerability: Lack of inventory controls, encryption, physical security, awareness, vendor
management, end-of-life processes
❑ Impact: Lost productivity, damage to reputation, improper access to PHI
Insider, accidental or intentional data loss
❑ Vulnerability: Accidental disclosure; lack of monitoring, logging, auditing, and technical controls
❑ Impact: Reportable incidents, financial loss, incorrect patient treatment due to data integrity
issues
Attacks against connected medical devices that may affect patient safety
❑ Vulnerability: Inadequate patching processes and legacy systems, heterogeneity and lack of
security profile for all devices
❑ Impact: Operational impact, compromise of patient safety or care
Key Takeaways: The Ten Practices to Mitigate Threats
Practice #1: E-mail Protection Systems
❑ Data Elements: Passwords & PHI
❑ Risk Mitigation: Email Phishing, ransomware, insider data loss
❑ Small: Email configuration, education, phishing simulation
❑ Medium: Basic email protection, multi-factor authentication, email encryption, workforce
education
❑ Large: Advanced and next-gen tools, digital signatures, analytics-driven education
Practice #2: Endpoint Protection Systems
❑ Data Elements: Passwords & PHI
❑ Risk Mitigation: Ransomware, theft or loss of equipment/ data
❑ Small & Medium: Basic endpoint protection
❑ Large: Automated endpoint provisioning, mobile device management, host-based IDS/IPS, endpoint detection and response, application whitelisting, micro-segmentation/virtualization
Practice #3: Identity and Access Management (IAM)
❑ Data Elements: Passwords
❑ Risk Mitigation: Ransomware, theft or loss of equipment/ data, attack on connected devices
❑ Small: Basic access management
❑ Medium: Identity and access management procedures, multi-factor authentication
❑ Large: Federated identity management, authorization, access governance, single sign-on
Key Takeaways: The Ten Practices to Mitigate Threats (contd.)
Practice #4: Data Protection and Loss Prevention
❑ Data Elements: Passwords & PHI
❑ Risk Mitigation: Ransomware, insider data loss, loss of data/ equipment
❑ Small: Policies and procedures
❑ Medium: Data classification, use procedures, data security, backup, DLP
❑ Large: Advanced DLP and data flow mapping
Practice #5: Asset Management
❑ Data Elements: Passwords & PHI
❑ Risk Mitigation: Ransomware, insider data loss, loss of data/ equipment, attack on
interconnected devices
❑ Small: Inventory, procurement, and decommissioning
❑ Medium: Inventory of endpoints and servers, procurement, secure storage, decommissioning
❑ Large: Automated discovery and maintenance, integrated Network Access Control
Practice #6: Network Management
❑ Data Elements: PHI
❑ Risk Mitigation: Ransomware, insider data loss, loss of data/ equipment, attack on
interconnected devices and patient safety
❑ Small: Network segmentation, physical security & guest access, intrusion prevention
❑ Medium: Network profiles and firewalls; segmentation, IPS, web proxy, physical security
❑ Large: Additional segmentation, perimeter monitoring, anomalous network monitoring and
analytics, sandboxing/malware execution, network access control
Key Takeaways: The Ten Practices to Mitigate Threats (contd.)
Practice #7: Vulnerability Management
❑ Data Elements: PHI
❑ Risk Mitigation: Ransomware, insider data loss, attack against connected devices
❑ Small: Vulnerability management
❑ Medium: Host/ server and web app scanning, system placement & data classification,
change management
❑ Large: Penetration testing, remediation planning
Practice #8: Security Operations Center (“SOC”) Operations and Incident Response
❑ Data Elements: PHI
❑ Risk Mitigation: Phishing, ransomware, loss or theft of data/equipment, insider data loss,
attack against connected devices and patient safety
❑ Small: Incident response, ISAC/ISAO participation
❑ Medium: SOC operations, incident response, information sharing (ISACs/ISAOs)
❑ Large: Advanced SOC & information sharing, incident response plan, baselining network traffic, user behavior analytics, deception technologies
Key Takeaways: The Ten Practices to Mitigate Threats (contd.)
Practice #9: Medical Device Security
❑ Data elements: PHI
❑ Risk Mitigation: Attack against connected devices and patient safety
❑ Small: Medical device security
❑ Medium: Endpoint protection, IAM, medical device, IT asset & network management
❑ Large: Vulnerability management, SOC & incident response, procurement and security evaluation, contacting the FDA
Practice #10: Cybersecurity Policies
❑ Pervasive risk mitigator for all data elements and risks for all types of organizations
Questions?
Resources/References
https://www.bdo.com/insights/business-financial-advisory/implementing-threat-based-cybersecurity-to-secure
https://www.bdo.com/industries/healthcare/overview