Transcript of The NCTRC Webinar Series: Cybersecurity and Telehealth
The NCTRC
Webinar Series
Presented by
The National Consortium of
Telehealth Resource Centers
July 18th, 2019
Cybersecurity and Telehealth
Jordan Berg, Telehealth Technology Assessment Specialist, National Telehealth Technology Assessment Center, Alaska Native Tribal Health Consortium (ANTHC)
Julie Chua, Risk Management Branch Chief, HHS Office of Information Security
Who is TTAC?
• TTAC is federally funded through the Office for the Advancement of Telehealth (OAT)
• TTAC provides Technology Assessment services to the 12 regional TRCs as well as the other national TRC.
• Between the three TTAC staff, there are over 50 years of experience in Telehealth
Telehealth Resource Centers
Provide FREE RESOURCES for Telehealth program development and sustainability
405(d): Aligning Healthcare Industry Security Approaches
Qualitative research with medical professionals, HPH, CIOs/CISOs etc.
Our Mandate: Become the leading collaboration center for developing healthcare cybersecurity focused resources
Our Future: Continue to build upon the HICP publication; develop new cybersecurity resources
405(d) Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients (HICP)
Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients (HICP) aims to raise awareness, provide vetted cybersecurity practices, and move towards consistency in mitigating the current most pertinent cybersecurity threats to the sector. It seeks to aid Healthcare and Public Health organizations to develop meaningful cybersecurity objectives and outcomes. The four-volume publication includes a main document, two technical volumes, and resources and templates.
What is the 405(d) Initiative?
To strengthen the cybersecurity posture of the HPH Sector, Congress mandated the effort in the Cybersecurity Act of 2015 (CSA), Section 405(d).
An industry-led process to develop consensus-based guidelines, practices, and methodologies to strengthen the HPH-sector’s cybersecurity posture against cyber threats.
The 405(d) Task Group is convened by HHS and comprised of over 150 information security officers, medical professionals, privacy experts, and industry leaders.
Who is Participating
In 2017 HHS convened the 405(d) Task Group leveraging the Healthcare and Public Health (HPH) Sector Critical Infrastructure Security and Resilience Public-Private Partnership.
National Pretesting sessions were both in-person and virtual, and feedback was gathered with focus groups of 9-15 participants via roundtable discussion. A total of 123 took part in the pretesting efforts.
Medical Community Baseline
Qualitative research to establish the level of the health sector’s awareness and prioritization of cybersecurity
7 focus groups: 4 in-person, 3 virtual
[Map of focus-group locations across U.S. states and territories, including Alaska, Hawaii, American Samoa, Guam and the Virgin Islands]
Series of one-on-one interviews with practitioners and practice administrators from the Northwest, Northeast, and Southeast
Cybersecurity Overview
Objectives:
• What is Cybersecurity?
• Why is Cybersecurity Important?
• Tools and Resources
• National Institute of Standards and Technology (NIST) Framework
• Health Industry Cybersecurity Practices (HICP) Report
• Telemedicine Specific Concerns
• Big Cybersecurity Ideas
What is Cybersecurity?
“The process of protecting information by preventing, detecting, and responding to attacks.” - NIST Cybersecurity Framework
Why does it matter?
90% of hospitals have reported a breach in the past two years
Tools and Resources: NIST Framework
Provides a method for:
• Describing current cybersecurity posture
• Describing a target state for cybersecurity
• Identifying and prioritizing continuous improvement of Cybersecurity practices
• Assessing progress toward the target state
• Communicating among internal and external stakeholders about cybersecurity Risk
Tools and Resources: NIST Framework (Cont.)
Function Unique Identifier – Function
ID Identify
PR Protect
DE Detect
RS Respond
RC Recover
Tools and Resources: NIST Framework (Cont.)
ID Identify
ID.AM Asset Management
ID.BE Business Environment
ID.GV Governance
ID.RA Risk Assessment
ID.RM Risk Management Strategy
ID.SC Supply Chain Risk Management
Tools and Resources: NIST Framework (Cont.)
PR Protect
PR.AC Identity Management and Access Control
PR.AT Awareness and Training
PR.DS Data Security
PR.IP Information Protection Process and Procedures
PR.MA Maintenance
PR.PT Protective Technology
Tools and Resources: NIST Framework (Cont.)
DE Detect
DE.AE Anomalies and Events
DE.CM Security and Continuous Monitoring
DE.DP Detection Processes
Tools and Resources: NIST Framework (Cont.)
RS Respond
RS.RP Response Planning
RS.CO Communications
RS.AN Analysis
RS.MI Mitigation
RS.IM Improvements
Tools and Resources: NIST Framework (Cont.)
RC Recover
RC.RP Recovery Planning
RC.IM Improvements
RC.CO Communications
Tools and Resources: HICP Report
• Managing Threats and Protecting Patients
– 5 current threats
– 10 practices
• Technical Volume 1: Practices for Small Health Care Organizations
• Technical Volume 2: Practices for Medium and Large Health Care Organizations
Tools and Resources: HICP Report (Cont.)
• 5 Core Threats
– Email Phishing Attacks
– Ransomware Attacks
– Loss or Theft of Equipment or Data
– Insider, Accidental or Intentional Data Loss
– Attacks Against Connected Medical Devices that May Affect Patient Safety
Tools and Resources: HICP Report (Cont.)
10 Practices
– E-mail protection systems
– Endpoint protection systems
– Access Management
– Data Protection and Loss Prevention
– Asset Management
– Network Management
– Vulnerability management
– Incident Response
– Medical Device Security
– Cybersecurity Policies
HICP Report Threat: E-mail Phishing Attack
E-mail phishing is an attempt to trick you into giving out information using e-mail.
An inbound phishing e-mail includes an active link or file (often a picture or graphic). The e-mail appears to come from a legitimate source. Clicking to open the link or file takes the user to a website that may solicit sensitive information or proactively infect the computer.
Vulnerabilities
• Lack of awareness training
• Lack of IT resources for managing suspicious emails
• Lack of software scanning e-mails for malicious content/bad links
• Lack of e-mail detection software testing for malicious content
• Lack of e-mail sender and domain validation tools
Practices to Consider
• Be suspicious of e-mails from unknown senders, e-mails that request sensitive information such as PHI or personal information, or e-mails that include a call to action that stresses urgency or importance
• Train staff to recognize suspicious e-mails and to know where to forward them
• Never open e-mail attachments from unknown senders
• Tag external e-mails to make them recognizable to staff
• Implement advanced technologies for detecting and testing e-mail for malicious content or links
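The practices above (tag external e-mails, validate sender and domain, look for urgency and deceptive links) map onto checks a mail gateway can run before a message reaches staff. The following is an added example written for this transcript; it is not code from the webinar, TTAC, or the HICP publication. It assumes a constructed organization domain (clinic.example), that the upstream gateway stamps an Authentication-Results header with SPF/DKIM/DMARC verdicts, and that messages are single-part; the sample messages are constructed for illustration.

```python
"""Inbound e-mail triage: tag external senders and collect phishing indicators."""
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr

ORG_DOMAINS = {"clinic.example"}          # assumption: the organization's own mail domains
EXTERNAL_TAG = "[EXTERNAL]"
# Call-to-action phrases that stress urgency (one of the practices above)
URGENCY_WORDS = ("urgent", "immediately", "within 24 hours", "will be suspended")


def sender_domain(msg: Message) -> str:
    """Domain of the From address, lower-cased ('' if it cannot be parsed)."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def is_external(msg: Message) -> bool:
    return sender_domain(msg) not in ORG_DOMAINS


def auth_results(msg: Message) -> dict:
    """Sender/domain validation verdicts from the Authentication-Results header."""
    header = msg.get("Authentication-Results", "")
    return {m.lower(): v.lower() for m, v in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header, re.I)}


def display_name_spoof(msg: Message) -> bool:
    """Display name borrows the organization's name but the address is external."""
    name, _ = parseaddr(msg.get("From", ""))
    return is_external(msg) and any(d.split(".")[0] in name.lower() for d in ORG_DOMAINS)


def mismatched_links(body: str) -> list:
    """Anchors whose visible text names one host but whose href points elsewhere."""
    found = []
    for href, text in re.findall(r'<a\s+href="([^"]+)"[^>]*>([^<]+)</a>', body, re.I):
        href_host = re.sub(r"^https?://", "", href).split("/")[0].lower()
        text_host = re.sub(r"^https?://", "", text.strip()).split("/")[0].lower()
        if "." in text_host and text_host != href_host:
            found.append((text_host, href_host))
    return found


def triage(raw: str) -> dict:
    """Tag external mail in the Subject and return the findings for the gateway/SOC."""
    msg = message_from_string(raw)
    body = msg.get_payload() if not msg.is_multipart() else ""   # assumption: single-part mail
    findings = []
    if is_external(msg):
        findings.append("external sender")
        subject = msg.get("Subject", "")
        if not subject.startswith(EXTERNAL_TAG):
            del msg["Subject"]
            msg["Subject"] = f"{EXTERNAL_TAG} {subject}".strip()
    auth = auth_results(msg)
    for method in ("spf", "dkim", "dmarc"):
        if auth.get(method) != "pass":
            findings.append(f"{method} did not pass ({auth.get(method, 'missing')})")
    if display_name_spoof(msg):
        findings.append("display name impersonates the organization")
    for text_host, href_host in mismatched_links(body):
        findings.append(f"link text says {text_host} but points to {href_host}")
    if any(w in body.lower() for w in URGENCY_WORDS):
        findings.append("urgency language")
    return {"subject": msg.get("Subject", ""), "findings": findings}


# Constructed sample: a credential-harvest lure impersonating the clinic helpdesk
SAMPLE = """\
From: "Clinic IT Helpdesk" <helpdesk@clinic-support.example>
To: nurse@clinic.example
Subject: Password expires today
Authentication-Results: mx.clinic.example; spf=fail smtp.mailfrom=clinic-support.example; dkim=none; dmarc=fail
Content-Type: text/html

<p>Your account will be suspended unless you verify immediately:</p>
<a href="http://login-verify.example/reset">https://portal.clinic.example/reset</a>
"""

# Constructed sample: ordinary internal mail that should pass untouched
INTERNAL_SAMPLE = """\
From: "Dr. Lee" <lee@clinic.example>
To: nurse@clinic.example
Subject: Rounds schedule
Authentication-Results: mx.clinic.example; spf=pass smtp.mailfrom=clinic.example; dkim=pass header.d=clinic.example; dmarc=pass
Content-Type: text/plain

Rounds start at 8. Schedule is on the shared drive.
"""

if __name__ == "__main__":
    for sample in (SAMPLE, INTERNAL_SAMPLE):
        print(triage(sample))
```

The tag goes on the Subject so it survives into every mail client staff use; the findings list is what you would feed to a quarantine rule or a SOC ticket, and the internal sample shows that properly authenticated mail from the organization's own domain produces no findings.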
HICP Report Threat: Ransomware Attack
Ransomware is a type of malware (malicious software) that attempts to deny access to a user’s data, usually by encrypting the data with a key known only to the hacker, until a ransom is paid.
Vulnerabilities
• Lack of system backup
• Lack of anti-phishing capabilities
• Unpatched software
• Lack of anti-malware detection and remediation tools
• Lack of testing and proven data backup and restoration
• Lack of network security controls such as segmentation and access control
Practices to Consider
• Patch software according to authorized procedures
• Use strong/unique usernames and passwords with multi-factor authentication
• Limit users who can log in from remote desktops
• Separate critical or vulnerable systems from threats
• Implement a backup strategy and secure the backups, so they are not accessible on the network they are backing up
• Establish cyber threat information sharing with other health care organizations
HICP Report Threat: Loss or Theft of Equipment or Data
Loss of mobile devices such as laptops, tablets, smartphones, and USB/thumb drives has costs far greater than the value of the equipment.
Vulnerabilities
• Lack of asset inventory and control
• Lack of encryption
• Lack of physical security practices and safeguards
• Lack of effective vendor security management
• Lack of “End-of-Service” process to clear sensitive data before assets are discarded
Practices to Consider
• Maintain a complete, accurate, and current asset inventory
• Encrypt sensitive data, especially when transmitting to other devices or organizations
• Implement proven and tested data backups, with proven and tested restoration of data
• Implement a safeguards policy for mobile devices supplemented with user awareness training on securing devices
• Promptly report loss/theft to designated individuals to terminate access to the device and/or network
• Define a process for cleaning sensitive data from every device before it is retired, refurbished or resold
HICP Report Threat: Insider, Accidental or Intentional Data Loss
Insider threats exist within every organization where employees, contractors, or other users access the organization’s technology infrastructure, network, or databases. Threats can be accidental and intentional.
Vulnerabilities
• Files with sensitive data accidentally e-mailed to incorrect or unauthorized addresses
• Lack of monitoring, tracking, and auditing of access to patient information in EHR and other critical assets (e-mail, file storage)
• Lack of technical controls to monitor the e-mailing of sensitive data outside the organization’s network
• Lack of training about social engineering and phishing attacks
Practices to Consider
• Train staff and IT users on data access and financial control procedures to mitigate social engineering and procedural errors
• Implement and use workforce access auditing of health record systems and sensitive data
• Implement and use privileged access management tools to report access to critical technology infrastructure and systems
• Implement and use data loss prevention tools to detect and block leakage of PHI and PII via e-mail and web upload
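The first vulnerability on this slide (sensitive files e-mailed to incorrect addresses) and the last practice (data loss prevention on outbound e-mail) are the same control seen from two sides. The following is an added example for this transcript, not code from the webinar or the HICP publication. It assumes a constructed organization domain (clinic.example), runs on the outbound mail gateway, and uses simple regular expressions for three identifier types; the PHI patterns and the two sample messages are constructed for illustration and would need tuning against a real organization's data formats.

```python
"""Outbound e-mail DLP check: PHI patterns, external recipients, and mistyped domains."""
import re
from email import message_from_string
from email.utils import getaddresses

ORG_DOMAINS = {"clinic.example"}   # assumption: the organization's own mail domains

# Constructed patterns for identifiers that usually count as PHI/PII in health records
PHI_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn": re.compile(r"\bMRN[:# ]*\d{6,10}\b", re.I),
    "dob": re.compile(r"\b(?:DOB|date of birth)[: ]*\d{1,2}/\d{1,2}/\d{4}\b", re.I),
}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; used to catch a recipient domain mistyped by a keystroke or two."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_recipients(msg) -> dict:
    """Bucket To/Cc recipients as internal, external, or suspect (near-miss of our domain)."""
    result = {"internal": [], "external": [], "suspect": []}
    for _, addr in getaddresses(msg.get_all("To", []) + msg.get_all("Cc", [])):
        domain = addr.rpartition("@")[2].lower()
        if domain in ORG_DOMAINS:
            result["internal"].append(addr)
        elif any(0 < edit_distance(domain, d) <= 2 for d in ORG_DOMAINS):
            result["suspect"].append(addr)   # likely a typo of an internal address
        else:
            result["external"].append(addr)
    return result


def find_phi(text: str) -> dict:
    """Count matches per PHI pattern; only patterns that matched are reported."""
    return {name: len(p.findall(text)) for name, p in PHI_PATTERNS.items() if p.findall(text)}


def decide(raw: str) -> dict:
    """Gateway decision: allow, or block with the reasons written to the audit log."""
    msg = message_from_string(raw)
    recipients = classify_recipients(msg)
    text = msg.get_payload() if not msg.is_multipart() else ""   # assumption: single-part mail
    phi = find_phi(text)
    reasons = []
    if phi and (recipients["external"] or recipients["suspect"]):
        reasons.append(f"PHI {sorted(phi)} addressed outside the organization")
    for addr in recipients["suspect"]:
        reasons.append(f"recipient {addr} is a near-miss of an internal domain")
    return {"action": "block" if reasons else "allow", "phi": phi,
            "recipients": recipients, "reasons": reasons}


# Constructed sample: PHI going to a mistyped internal address and an outside party
SAMPLE = """\
From: billing@clinic.example
To: records@clinic.exmaple, partner@insurer.example
Subject: Claim follow-up
Content-Type: text/plain

Patient MRN: 00482913, DOB: 03/14/1961, SSN 123-45-6789. Please process.
"""

# Constructed sample: the same identifier staying inside the organization
INTERNAL = """\
From: billing@clinic.example
To: records@clinic.example
Subject: Claim follow-up
Content-Type: text/plain

Patient MRN: 00482913 needs a corrected claim.
"""

if __name__ == "__main__":
    for sample in (SAMPLE, INTERNAL):
        print(decide(sample))
```

The near-miss check is what turns "accidentally e-mailed to incorrect addresses" into something detectable: clinic.exmaple is two edits away from the real domain, so the message is held for review even though, to the sender, it looked internal. Blocking only when PHI and a non-internal recipient coincide keeps the rule from interfering with legitimate internal record handling.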
HICP Report Threat: Attacks Against Connected Medical Devices That May Affect Patient Safety
Impact:
• Broad hospital operational impact due to unavailable medical devices and systems
• Medical devices do not function as required for patient treatment and recovery
• Patient safety compromised due to breach
Vulnerabilities
• Devices not patched promptly
• Equipment not current, or legacy equipment that is outdated and lacks current functionality
• Devices cannot be monitored by the organization’s intrusion detection systems
• Heterogeneity of medical devices means that identifying vulnerabilities and remediation processes is complex and resource intensive
Practices to Consider
• Establish and maintain contact with medical device manufacturers’ product security teams
• Implement pre-procurement security requirements from vendors
• Patch devices after patches have been validated, distributed, and properly tested
• Assess inventory traits for devices that may include MAC, IP, or other elements relevant to managing information security risks
• Engage information security as a stakeholder for clinical device procurement
Telemedicine Specific Concerns
• User Management/Access
• Vendor Selection
• Asset Management
• Attacks Against Connected Medical Devices that May Affect Patient Safety
• Device Management
Big Ideas
• Cybersecurity is not a passive or binary state
• Cybersecurity is a vital part of providing healthcare
• Cybersecurity is not an IT issue
Resources
• National Institute of Standards and Technology Framework: https://www.nist.gov/cyberframework
• Health Industry Cybersecurity Practices: https://www.phe.gov/Preparedness/planning/405d/Pages/reportandtools.aspx
Thank You
Contact Us: www.telehealthtechnology.org, 1-844-242-0075
The NCTRC Webinar Series
Occurs 3rd Thursday of every month.
Our Next Webinar
Telehealth Topic: Finding and Vetting the Perfect Specialty Service Provider
Date: Thursday, January 17th 2019
Times: 9:00AM HST, 10:00AM AKST, 11:00AM PST, 12:00PM MST, 1:00PM CST, 2:00PM EST