Don't Be Such a Hack : How to Develop a Cybersecurity Program to Help Protect Your Company from Cyber Crime Presented by: Jennifer L. Rathburn, Partner, Quarles & Brady LLP Fausto Molinet, Senior Cyber Security Consultant, Delta Risk LLC


Post on 06-Aug-2015


Page 1: Don't Be Such a Hack: How to Develop a Cybersecurity Program to Help Protect Your Company from Cyber Crime

Don't Be Such a Hack: How to Develop a Cybersecurity Program to Help Protect Your Company from Cyber Crime

Presented by:

Jennifer L. Rathburn, Partner, Quarles & Brady LLP
Fausto Molinet, Senior Cyber Security Consultant, Delta Risk LLC

Page 2

Agenda

• Interesting Statistics
• How to Develop a Cybersecurity Program
• FDA Device Cybersecurity Guidance
• Evolving Cybersecurity Law Updates
• DOJ Guidance
• Board of Directors Considerations
• Cybersecurity Table Top Exercise

Page 3

Cyber Attacks on the Rise!

• Cyber attacks on health care organizations were the #1 cause of data breaches in 2014. First time in Ponemon Survey history!
• Nearly half of health care organizations (45%) reported experiencing a criminal attack.
• Cyber attacks spiked 125% over the past five years.

Fifth Annual Benchmark Study on Privacy & Security of Healthcare Data, Ponemon Institute LLC.

Page 4

Cyber Attackers – Efficient & Hidden

• In 60% of cases, attackers are able to compromise an organization within minutes.
• And it often takes a long time to detect them.

[Chart: HOW LONG DO HACKERS HIDE? Companies listed: Goodwill, Michaels, Home Depot, Neiman Marcus, JP Morgan Chase, Target; the durations are not preserved in the transcript.]

2015 Data Breach Investigations Report, Verizon; How Did Hackers Hide From JPMorgan for Two Months, ObserveIT.

Page 5

Perfect Storm

• Cyber criminals recognize two critical facts about health care organizations:
  – They manage a treasure trove of financially lucrative personal information; and
  – They do not have the resources, processes, and technologies to prevent and detect attacks and adequately protect patient data.

Fifth Annual Benchmark Study on Privacy & Security of Healthcare Data, Ponemon Institute LLC.

Page 6

What is a Cybersecurity Program?

• Essentially means preparation for a cybersecurity attack at the Board level.
• Goal:
  – To prevent data breaches, loss of business continuity, harm to public, etc.
  – From nation-states, hackers, organized criminals, insiders.
• Not an IT program – rather, development of a risk management program based on level of risk with Board oversight.

Page 7

Cybersecurity Under HIPAA

• HIPAA compliance is required, but it will not ensure protection from cyber attacks.
• Risk Management Process Standard.
  – Implement policies and procedures to prevent, detect, contain, and correct security violations.
• Really, the NIST Framework is becoming the standard in many industries.
  – More on this later.

Page 8

HIPAA Risk Analysis

• CEs (covered entities) and BAs (business associates) must “conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of” ePHI.
• Required Implementation Specification.
• Should be ongoing, but at a minimum we recommend updating it annually or when new technologies or business operations are implemented.
• Core objective for providers seeking payment through the Meaningful Use Program.

Page 9

HIPAA Risk Management and Evaluation

• Risk Management Implementation Specification (Required)
  – Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level.
• Evaluation Standard
  – Perform a periodic technical and nontechnical evaluation that establishes the extent to which security policies and procedures meet the requirements of the HIPAA Security Rule.
  – Evaluation is based initially upon the standards first implemented and, subsequently, performed in response to environmental or operational changes affecting the security of ePHI.

Page 10

Other Relevant HIPAA Provisions

• Encryption is heavily recommended – but not mandated under HIPAA in all cases. Determine what is reasonable and appropriate.
• Security Awareness Training – security reminders, protection from malicious software, log-in monitoring, password management.
• Security Incident policies and procedures to identify and respond to suspected or known security incidents and mitigate harmful effects to the extent practicable.
• Information System Activity Review procedures and Audit Controls to regularly review and record information system activity (e.g., audit logs, access reports, and security incident tracking reports).
• Access Controls to ensure appropriate access to ePHI.
• Authentication procedures to verify that the person or entity seeking access to ePHI is appropriate.
• Integrity controls to protect ePHI from improper alteration or destruction.

Page 11

Some Relevant Guidance

• OCR “Guidance on Risk Analysis Requirements under the HIPAA Security Rule.”
• OCR/ONC Security Risk Assessment (SRA) Tool released in 2014.
• NIST Special Publications.
• ONC On-Line Cybersecurity Resources for the Health Care Sector.
• OCR “Guidance to Render Unsecured Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals.”

Page 12

The NIST Framework – Intent

• Framework for Improving Critical Infrastructure Cybersecurity.
• Despite the name, applicable to any organization or business.
• A voluntary, risk-based approach to manage cybersecurity risk, in a cost-effective way, based on business needs.
• The framework is not law.
  – There is no compliance requirement.

It’s about MANAGING RISKS and making SOUND INVESTMENTS in cybersecurity efforts:
• What do you do?
• How well do you do it?
• What do you need to do?

Page 13

The NIST Framework – In Practice

1. Determine or confirm your BUSINESS CONTEXT: what constitutes your threat environment; legal and regulatory requirements; business objectives and constraints; and key services, service delivery and security goals.
2. Develop, adopt, or confirm your TARGET PROFILE. Two key steps: (1) determine WHICH subcategories are most important to you within your business context; (2) determine a desired Tier level for each of the important subcategories.
3. Assess your CURRENT PROFILE: assess what Tier describes your practices in each of the key subcategories.
4. Perform a GAP ANALYSIS between your Current and Target Profiles.
5. Determine INVESTMENTS and an ACTION PLAN: select controls or practices for further investment, prioritize them, and develop a plan to implement.
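The five steps above carried through in code, as an added example that is not part of the presentation or the presenters' own material. The subcategory IDs are NIST CSF v1 identifiers; the importance weights, Tier values and the "one investment unit per Tier step" cost model are constructed assumptions for a notional hospital.

```python
"""NIST Framework profile gap analysis: Current Profile vs Target Profile.

Added example, not from the slide deck or its presenters. The business
context sets an importance weight per subcategory, the Target Profile a
desired Tier, the Current Profile the Tier practised today; the gap is
ranked and turned into a funded action plan. Subcategory IDs are NIST CSF
v1 identifiers; weights, tiers and the "one investment unit per tier step"
cost model are constructed assumptions.
Implementation Tiers: 1 Partial, 2 Risk Informed, 3 Repeatable, 4 Adaptive.
"""
from dataclasses import dataclass

TIERS = {1: "Partial", 2: "Risk Informed", 3: "Repeatable", 4: "Adaptive"}


@dataclass(frozen=True)
class Subcategory:
    id: str
    description: str
    importance: int    # 1 (low) .. 5 (crown jewels), from the business context
    target_tier: int   # desired Tier (Target Profile)
    current_tier: int  # Tier describing today's practice (Current Profile)


@dataclass(frozen=True)
class Gap:
    id: str
    tier_steps: int  # target_tier - current_tier
    priority: int    # importance * tier_steps, used to rank investments


# Constructed sample profile for a hospital; values are illustrative only.
SAMPLE_PROFILE = [
    Subcategory("ID.AM-1", "Physical devices and systems are inventoried", 4, 3, 2),
    Subcategory("PR.AC-1", "Identities and credentials are managed", 5, 4, 2),
    Subcategory("PR.DS-1", "Data-at-rest is protected", 5, 3, 3),
    Subcategory("DE.CM-1", "The network is monitored to detect events", 4, 4, 1),
    Subcategory("RS.RP-1", "Response plan is executed during/after an event", 3, 3, 1),
    Subcategory("RC.RP-1", "Recovery plan is executed during/after an event", 2, 3, 2),
]


def validate(sub: Subcategory) -> None:
    """Reject tiers outside 1..4 and importance outside 1..5."""
    if sub.target_tier not in TIERS or sub.current_tier not in TIERS:
        raise ValueError(f"{sub.id}: tiers must be one of {sorted(TIERS)}")
    if not 1 <= sub.importance <= 5:
        raise ValueError(f"{sub.id}: importance must be in 1..5")


def gap_analysis(profile: list[Subcategory]) -> list[Gap]:
    """Compare Current and Target Profiles (the slide's GAP ANALYSIS step).

    Returns only subcategories short of their target, ranked by
    importance-weighted gap, largest first, ties broken by ID.
    """
    gaps = []
    for sub in profile:
        validate(sub)
        steps = sub.target_tier - sub.current_tier
        if steps > 0:  # at or above target: nothing to fund
            gaps.append(Gap(sub.id, steps, sub.importance * steps))
    return sorted(gaps, key=lambda g: (-g.priority, g.id))


def action_plan(gaps: list[Gap], budget_units: int) -> list[tuple[str, int]]:
    """INVESTMENTS and ACTION PLAN: fund tier steps in priority order.

    Each tier step costs one unit (assumption); the last item funded may get
    only part of its steps. Returns (subcategory ID, tier steps funded).
    """
    plan, remaining = [], budget_units
    for gap in gaps:
        if remaining <= 0:
            break
        funded = min(gap.tier_steps, remaining)
        plan.append((gap.id, funded))
        remaining -= funded
    return plan
```

With the sample profile, network monitoring (DE.CM-1) ranks first because a large Tier gap on an important subcategory outweighs a small gap on a critical one, and PR.DS-1 produces no gap at all since it already meets its target.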

Page 14

FDA Device Cybersecurity Guidance

• To assist industry by identifying issues related to cybersecurity that manufacturers should consider in preparing premarket submissions for medical devices.
• Reasoning: device functionality has become more important with the increased use of wireless, internet- and network-connected devices, and the frequent electronic exchange of medical device-related health information.
• Contains nonbinding cybersecurity principles, functions, and documentation recommendations.

Page 15

FDA Device Cybersecurity Guidance

• Urges manufacturers to build in the necessary cybersecurity safeguards on the front end, during the design and development of a device.
• Recommends the 5 NIST Framework Core Functions that manufacturers should use to manage potential cybersecurity risks:
  – Identify
  – Protect
  – Detect
  – Respond
  – Recover
• Advises manufacturers to include specific information relating to cybersecurity of their medical devices in premarket submissions (e.g., a listing of cybersecurity risks that were considered).

Page 16

Evolving Cybersecurity Law Updates

• Legislative Updates
• Case Law Updates

Page 17

DOJ Guidance

• Asset Prioritization
• Incident Response Plan
  – Assessment
  – Mitigation
  – Recordkeeping
  – Notification
  – Training & Exercises
• Technology & Network Monitoring
• Legal Counsel
• Consistent Policies
• Law Enforcement & Information Sharing
• Post-Incident Follow-Up
• What Not To Do

Page 18

Cybersecurity Collaboration

• White House creation of the Cyber Threat Intelligence Integration Center (CTIIC).
  – Encourages collaboration between the National Cyber Investigative Joint Task Force (NCIJTF), the National Cybersecurity and Communications Integration Center (NCCIC), and U.S. Cyber Command.
• Some ways to collaborate about cybersecurity threats:
  – The Health Information Trust Alliance (HITRUST).
    • HITRUST Cyber Threat Intelligence and Incident Coordination Center (C3).
  – Cyber Threat Xchange (CTX).
  – Information Sharing and Analysis Centers (ISACs).
    • National Health ISAC (NH-ISAC).
  – Information Sharing and Analysis Organizations (ISAOs).
  – The Critical Infrastructure Cyber Community C³ Voluntary Program.

Page 19

Core Duties for Board Privacy and Security Governance

• Implement a cybersecurity program to ensure fiduciary duties are met.
• Decisions should be made with the duties of care and loyalty in mind.
• Oversee the cybersecurity program and ensure staff are taking measures to secure data.
• Organizations using the NIST Framework will have the ability to demonstrate that they used prudent practices and due care in line with nationally recognized industry standards.

Page 20

Key Governance Questions to Consider

• What is the organization’s data profile and risk?
  – What information might be of interest to potential hackers, and what data and systems could be stolen or corrupted? What are the crown jewels?
• What information and systems warrant the very highest safeguards?
• Are cyber risks adequately communicated across the organization?
• How do existing safeguards compare with emerging best practices (and the practices of similarly situated organizations)?
• Are critical risks receiving appropriate management attention and director oversight?
• Does the organization have a robust written incident response plan?
  – Is there a response team in place that has clear responsibilities and authority?

Page 21

Key Governance Questions to Consider

• Do the organization’s public statements to date accurately reflect risks, safeguards, and controls (past, present, and anticipated)?
• Does the organization limit its data privacy and security promises to those best practices it is able to satisfy?
• Does the organization’s due diligence (e.g., in an acquisition) include the target organization’s data privacy and security?
• Is the organization appropriately monitoring and coordinating with vendors regarding vendors’ data privacy and security?
• Does the organization have appropriate resources (e.g., insurance) to make it resilient if breaches occur?

Page 22

Board Cybersecurity Issues: Key Takeaways

• Cybersecurity should be viewed as an enterprise-wide risk issue.
• Cyber risk education for directors.
• Determine whether the entire Board, the audit committee, or the risk committee will assume responsibility for cybersecurity oversight.
• Meet with the CISO at least annually.
• Invest time and resources into ensuring management has developed a response plan that is well-constructed, deliberate, and consistent with best practices for an organization in the same industry.

Page 23

Board Cybersecurity Issues: Key Takeaways

• Develop a business culture that prioritizes cybersecurity.
• Maintain a cybersecurity insurance policy.
• Be aware of dependencies on any third-party IT service providers, such as data center operators and cloud services, and the measures taken to ensure they are adequately protecting sensitive data.
• The Board's role is at a high level, but the board audit/risk management committee in particular should be scrutinizing the quality of cybersecurity planning done by the firm's executives and IT leaders.
  – E.g., consider requiring internal auditors to perform an annual check of the organization's cybersecurity program.

Page 24

Cybersecurity Table Top Exercise (TTX)

Page 25

Threat Intelligence-Based Planning

• Adaptive threats – beyond the old virus/worm/Trojan paradigm, adversaries are getting more sophisticated in their attacks.
  – Advanced Persistent Threat (APT) – targeted and motivated
  – Polymorphic malware – mass-distributed yet avoiding detection
  – Insiders being leveraged or coerced – often by cyber means
• Different industries have different threats.
  – Adversary tracking – knowing their Tactics, Techniques and Procedures (TTPs) helps prioritize and organize your defenses
  – Case studies and trends provided by independent security analysts and managed-security service companies
• Exercises to aid in finding the weak spots.
  – Designed with the threat adversary in mind
  – How the organization responds to the most likely risk scenario
  – Where to spend $$ and other resources

Page 26

Table Top Exercise Overview

Approach:
• Conduct interviews of security and IT managers and staff to identify concerns that form the basis of the exercise scenario
• Develop scenario and exercise products for control, execution, and evaluation
• Conduct exercise, document response, and formulate recommendations

Deliverables:
• High-impact cyber-focused scenario with backstory, ground truth, and evaluation guide
• Execution of live testing during functional exercises in a tightly controlled manner
• Assessment of participant responses to identified expected actions
• Recommendations for improving security
• Capacity training for building organic exercise design and execution capabilities

Page 27

A Notional Scenario

• A medical device manufacturing company has created a product called “iHeartsMonitor” that monitors several vital signs and controls the activity of implanted pacemakers, for easy-to-configure adjustments on implanted devices.
• The hospital has procured these devices and installed them on the medical device-segmented network.
• During the latest C-Suite meeting, the Chief Information Security Officer (CISO) reported several incidents from the Security Operations Center (SOC) that caught his attention.
  – Finding significant latency on the medical network
  – New, unidentified malware discovered on employees’ laptops

Page 28

Initial Response Actions

• Do these things warrant a response?
• What internal messaging would you initiate to the employees?
• Is the security response or IT operations team aware of legal obligations concerning the new technology when responding to incidents?
• Are there requirements to report to the Board of Directors within a certain time frame for incidents of a certain severity?

Page 29

Escalation of Events – CISO

• The boundary protection team has identified a large amount of data being transferred outbound from the hospital data center.
• The information stream is encrypted, so they cannot determine what the data is, but it seems to be flowing to a site in Asia.
• Further examination of the server indicates a “backdoor” – software that allows an external entity to have unrestricted remote access.
• An employee reports that one of his coworkers has been acting strangely and staying late at night.
• An email sent anonymously and directly to the CISO demands a ransom of $2M to prevent the release of EHR data and other sensitive information.

Page 30

Questions

• The CISO suggests to the CEO that the Crisis Action Team be activated. Is there such a team defined by the company?
• What data could the outside entity have retrieved? Do the teams even have a way of knowing?
• What do you communicate to consumers or other stakeholders?
• Have you engaged a cyber insurance provider, lawyer, and/or breach coach?
• What is the “worst-case scenario”?
• How do you balance actions to “stop the bleeding” with root-cause attribution and “preservation of prosecutability”?

Page 31

Public Awareness of Breach

• A news story erupts on the Internet regarding a well-known cyberterrorist group that claims to have access to EHRs and technical data on the new product, with a “proof-of-concept” hack to enable unauthorized access to override the pacemaker settings of someone’s device.
• The news team has approached Public Affairs for comment on the situation.
• Social media is trending that the hospital has exposed everyone’s health records.
• Rumors begin spreading about someone’s device being attacked by a “hacker,” resulting in their death.
• A class-action suit has been filed against the device manufacturer and the hospital.

Page 32

Company Reaction

• How have the response and prioritization changed now that it’s public information?
• What is communicated to the public regarding the situation?
• If the root cause can be identified, what information gets released?
• How does the company control rumors from within the company?
• What other inquiries might the hospital expect?
• What might this TTX have highlighted to the hospital?

Page 33

We Observe Trends and Indicators…

• Process undefined, and ad-hoc actions.
• Lack of plans for quick action.
• Unknown legal, partner, or regulatory obligations.
• Lack of [central] visibility into malicious activity.
• Inaccurate or total lack of correlation of activities, incidents and access.
• Silos of activity without coordination.
• Knee-jerk reaction to events that could be nothing (reacting prior to identification).
• Panic when hearing of PHI/PII involvement (or even alleged involvement).
• Lack of standards for new hardware/software acquisitions.

Page 34

Sample Observations & Recommendations from a Table Top Exercise

Observations:

Incident response
▪ Incident response protocols do not offer usable guidance for coordinating overall response
▪ Incident response protocols not understood or followed

Business impact
▪ No/limited ability to assess business impact or data integrity
▪ No effective contingency plans in place for each category of asset compromised

Security analysis & response
▪ Breach not detected internally and not diagnosed in a timely fashion
▪ No ability to track/stop lateral movement once detected

Vendor interaction
▪ Incomplete and out-of-date information about vendor interfaces and data accessed
▪ No protocols in place to deal with 3rd parties/vendors on an operational level

Recommendations:

1. Develop a global incident response plan: codify key processes based on incident type and asset compromised. Supplement with tactical checklists to increase rigor and specificity.
2. Create guidance for high-stakes business decisions that may surface in threat response (e.g., taking a core customer-facing system offline).
3. Create the capability to conduct “active defense” by building a dedicated intelligence analytic function.
4. Increase the transparency required for diagnostics and response (e.g., real-time DLP monitoring, database monitoring).
5. Enhance the ability to leverage specialized technical vendors (e.g., forensics companies on retainer).
6. Put in place a mechanism to engage with vendors to manage risk (e.g., proactive engagement during IR).

Page 35

TTX After-Action Benefits

• Response is a critical component of a holistic Cyber Defense Capability, and is often not considered in planning.
• Lessons learned from a fictitious (but realistic) scenario allow you to make changes before having to do damage control from a public or stakeholder perspective.
• The imagination and creativity of participants can result in new initiatives that would not otherwise have been planned.
• External resources used in the TTX process help incorporate recent and/or emerging regulations, trends, and threats otherwise not known.

Page 36

Questions?

Jennifer L. Rathburn
Quarles & Brady LLP
411 East Wisconsin Ave., Ste 2350
Milwaukee, WI 53202
(414) [email protected]

Fausto Molinet
Delta Risk LLC
4600 N Fairfax Dr., Ste 906
Arlington, VA 22203
(808) [email protected]

©2014 Quarles & Brady LLP. This document provides information of a general nature. None of the information contained herein is intended as legal advice or opinion relative to specific matters, facts, situations or issues. Additional facts and information or future developments may affect the subjects addressed in this document. You should consult with a lawyer about your particular circumstances before acting on any of this information because it may not be applicable to you or your situation.