Managed IT & Cybersecurity. Done Better.

THE HACKER IDENTITY: Behavioral Threat Modeling
Post on 01-Sep-2018
TRANSCRIPT


WHY IT MATTERS

WHAT THE BOARDS ARE ASKING

“How do we measure the effectiveness of our current cybersecurity program?”

“What are we doing for medical device cybersecurity?”

“How do we know our business associates are safeguarding patient information?”

“Do we have an incident response plan?”

“How does our security program compare to that of its peers?”

THREAT LANDSCAPE

HOW IT HAPPENS

THE CLINICAL ATTACK SURFACE AREA

BEHAVIORAL THREAT MODELING

• Identification of the potential attack surface of your organization vs. the behavior patterns and intent of an attacker

• Considerations:

- “Where are the high-value assets?”

- “What are the most relevant threats?”

- “Where am I most vulnerable to attack?”

- “Is there an attack vector that might go unnoticed?”

• Can be used to identify Advanced Persistent Threats (APT) to the network

THE INDICATORS

Indicators of Exposure (IOE)

• Zero-day vulnerabilities

• Weaknesses and vulnerabilities in hardware configurations or firmware

• Legacy operating systems and applications

• Medical devices with unknown configurations

Indicators of Compromise (IOC)

• Exfiltration of data in an unusual pattern or destination

• Anomalous activity and movement of admin accounts or those with escalated privileges

• Markers of automated bot attack
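Two of the IOCs listed above are the kind a security operations team can actually look for in logs: privileged accounts moving to hosts they have never used, and outbound transfers to a new destination or at an unusual volume. The following Python is an added example and is not code from the presentation. The logon and flow lines are constructed, and the five-day baseline window, the three-times-median volume threshold, and every host, account and destination name are assumptions.

```python
"""Check constructed logs for two of the IOCs listed above: privileged
accounts moving to hosts they have never used, and outbound transfers to a
new destination or at an unusual volume."""
from collections import defaultdict
from statistics import median

# Constructed sample logs (not from the presentation).
# Logon fields: day event account host role
AUTH_LOG = """\
1 logon svc_backup fileserver01 admin
1 logon jdoe ws-017 user
2 logon svc_backup fileserver01 admin
3 logon svc_backup fileserver02 admin
3 logon jdoe ws-017 user
4 logon svc_backup fileserver01 admin
5 logon svc_backup fileserver02 admin
6 logon svc_backup dc01 admin
6 logon svc_backup infusion-gw admin
6 logon jdoe ws-018 user
"""
# Flow fields: day direction source destination bytes
FLOW_LOG = """\
1 out emr-db01 backup.example.internal 120000000
2 out emr-db01 backup.example.internal 118000000
3 out emr-db01 backup.example.internal 125000000
4 out emr-db01 backup.example.internal 121000000
5 out emr-db01 backup.example.internal 119000000
6 out emr-db01 backup.example.internal 122000000
6 out emr-db01 203.0.113.77 640000000
"""

BASELINE_DAYS = 5        # assumed: days 1-5 define "normal", later days are checked
VOLUME_FACTOR = 3.0      # assumed: flag transfers above 3x the baseline median


def parse(log: str) -> list:
    """Split whitespace-delimited log lines into field lists."""
    return [line.split() for line in log.splitlines() if line.strip()]


def admin_movement(auth_log: str, baseline_days: int = BASELINE_DAYS) -> list:
    """Return (day, account, host) for privileged logons to a host the account
    never touched during the baseline window. Non-admin accounts are ignored,
    so jdoe's move to a new workstation does not fire."""
    seen = defaultdict(set)
    alerts = []
    for day, _event, account, host, role in parse(auth_log):
        day = int(day)
        if role != "admin":
            continue
        if day <= baseline_days:
            seen[account].add(host)
        elif host not in seen[account]:
            alerts.append((day, account, host))
    return alerts


def unusual_exfil(flow_log: str, baseline_days: int = BASELINE_DAYS,
                  volume_factor: float = VOLUME_FACTOR) -> list:
    """Return (day, source, destination, bytes, reason) for outbound transfers
    to a destination unseen in the baseline or larger than volume_factor times
    the source's baseline median. Routine backups to the known destination pass."""
    destinations = defaultdict(set)
    sizes = defaultdict(list)
    alerts = []
    for day, _direction, src, dst, nbytes in parse(flow_log):
        day, nbytes = int(day), int(nbytes)
        if day <= baseline_days:
            destinations[src].add(dst)
            sizes[src].append(nbytes)
            continue
        reasons = []
        if dst not in destinations[src]:
            reasons.append("new destination")
        if sizes[src]:
            ratio = nbytes / median(sizes[src])
            if ratio > volume_factor:
                reasons.append(f"volume {ratio:.1f}x baseline median")
        if reasons:
            alerts.append((day, src, dst, nbytes, "; ".join(reasons)))
    return alerts


if __name__ == "__main__":
    for alert in admin_movement(AUTH_LOG):
        print("admin movement:", alert)
    for alert in unusual_exfil(FLOW_LOG):
        print("unusual exfil:", alert)
```

On the constructed data the day-6 privileged logons to dc01 and infusion-gw fire, the day-6 transfer to the unknown address fires on both destination and volume, and the routine backup does not. In production the baseline would span weeks rather than days and key on more than host name, and the third IOC on the slide, markers of automated bot attack, needs rate-based checks that this example does not attempt.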

NOT JUST LIKELIHOOD AND IMPACT

Low quantity of assets:

• High barrier to entry: deeper security controls, such as MFA and encryption; hosted on premises

• High value: direct impact on patient safety; current black market value; subjective risk level of repurposing (email accounts, bank accounts); intellectual property

• Higher reputational risk

High quantity of assets:

• Low barrier to entry: connected web or mobile applications; managed by third party; public cloud

• Low value: no threat to patient safety; commodity target

• Lower reputational risk

MAPPING THE ATTACK SURFACE AREA: INSIDE

Relative Risk Rating and Mapping =

Traditional Valuation of Assets (Black Market Value or Fine Potential; Number of Records in Target Area)

+ Patient Safety Mapping of Assets (Ecosystem Entry Points; Biomedical Device; Risk to Patient Safety)
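A worked version of the prioritization the two preceding slides describe, the quantity/barrier/value matrix and the relative risk rating (traditional valuation plus patient-safety mapping), as an added Python example; it is not the presenter's model. The inventory, the dollar figures, the barrier weights and the high-value cut-off are assumptions, and the model is kept deliberately simple: patient safety is a tier rather than a number added to dollars, which is what lets a small biomedical segment outrank a large commodity target.

```python
"""Rank a constructed asset inventory the way the two preceding slides
describe: a traditional valuation (black market value or fine potential
times number of records) plus a patient-safety mapping (biomedical device,
ecosystem entry points, risk to patient safety), adjusted for barrier to
entry. All figures and weights below are assumptions for illustration."""
from dataclasses import dataclass


@dataclass
class Asset:
    name: str
    records: int              # number of records in the target area
    value_per_record: float   # black market value or fine potential, USD per record (assumed)
    patient_safety: int       # 0 = none, 1 = indirect (care disruption), 2 = direct impact
    entry_points: int         # ecosystem entry points: web/mobile app, vendor remote access, ...
    barrier: str              # "high" (MFA, encryption, on-prem) or "low" (public web, cloud, third party)
    biomedical: bool = False  # biomedical device segment


# Assumed weights: a high barrier halves attacker-facing exposure.
BARRIER_FACTOR = {"high": 0.5, "low": 1.0}
# Assumed cut-off separating "high value" from "commodity" on the dollar axis.
HIGH_VALUE_USD = 50_000_000


def traditional_value(a: Asset) -> float:
    """Dollars at risk: black market value or fine potential x number of records."""
    return a.records * a.value_per_record


def exposure(a: Asset) -> float:
    """Attacker-facing multiplier: a lower barrier and more entry points raise it."""
    return BARRIER_FACTOR[a.barrier] * (1 + a.entry_points)


def quadrant(a: Asset) -> str:
    """Place the asset in the quantity/barrier/value matrix from the slide."""
    high_value = a.patient_safety > 0 or a.biomedical or traditional_value(a) >= HIGH_VALUE_USD
    value = "high-value" if high_value else "commodity"
    return f"{value}, {a.barrier}-barrier"


def relative_risk(a: Asset) -> tuple:
    """Sort key: patient-safety tier first, then exposure-adjusted dollar value.
    Tiering (instead of adding safety to dollars) is what keeps a 200-record
    biomedical segment above a multi-million-record commodity target."""
    return (a.patient_safety, traditional_value(a) * exposure(a))


def rank(assets: list) -> list:
    """Highest relative risk first."""
    return sorted(assets, key=relative_risk, reverse=True)


# Constructed inventory (not from the presentation).
INVENTORY = [
    Asset("EMR database", 2_000_000, 50.0, 1, 1, "high"),
    Asset("Patient portal (web + mobile)", 300_000, 50.0, 0, 2, "low"),
    Asset("Infusion pump segment (legacy OS)", 200, 50.0, 2, 1, "low", biomedical=True),
    Asset("Billing system", 500_000, 20.0, 0, 1, "high"),
]

if __name__ == "__main__":
    for a in rank(INVENTORY):
        tier, adjusted = relative_risk(a)
        print(f"{a.name:36} safety={tier} adjusted_value=${adjusted:>14,.0f} {quadrant(a)}")
```

With these assumed inputs the infusion pump segment ranks first despite carrying only a few hundred records, the EMR second, and the public-facing portal above the billing system because its low barrier and two entry points outweigh its smaller record count. Change the weights and the order changes; the point is to make the patient-safety and barrier-to-entry inputs explicit, not to trust the resulting number.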

MAPPING THE ATTACK SURFACE AREA: OUTSIDE

1. Identify the bad actors:

• Competition for commodity records – crime syndicates, lone wolves

• Intellectual property – industrial espionage, overseas manufacturing

• Hacktivists

• Terrorists or nation states

2. Assess the external infrastructure and entry points for IOEs:

• Penetration test results from live IPs

• Connectivity to a web or smartphone application

• Shared data at a vendor

• Vendor with remote access privileges

THE ATTACK SURFACE AREA: STAFF & CONTRACTORS

Assess the risk of staff and contractors:

• Number of staff members and/or contractors with access to the highest-value targets (dollars and safety)

– The relative risk or ability to either introduce malware or open the door to a bad actor

– The relative risk or ability to affect patient safety

• Determine experience, training levels, and frequency of training

• Assess, if possible, their exposure to social media

• Conduct frequent social engineering exercises

• Profile mobile device and laptop usage; for contractors, profile remote access

DEVICE ATTACK VIA LEGACY OS: LOW VOLUME & HIGH IMPACT

WHAT YOU CAN DO

INCIDENT RESPONSE PLANNING & TESTING

• Develop runbooks across multiple potential events and test at least twice a year

• Include variations within the runbook based on threat modeling decision trees

• Consider a two-tiered approach to incident response tabletop exercises:

- IT management and appropriate staff with DR/BCP and security responsibilities

- Executive and C-Suite with one board member participant

• Common topics for IR plans and exercises:

- Unknown exfiltration of data

- Ransomware of the EMR, medical devices, DR sites

- Confirmed IOC of an advanced persistent threat

- Malfunction or critical impairment of a device or application not caused by an APT

- Denial-of-service attack

RED & BLUE TEAMS

• Emulates actual hacker behaviors and decision trees

• Designed to test the organization’s people, process, and technology, not just the technical systems

• Can include coordinated script for simultaneous phishing, USB drive baiting, and pretexting

• Generally considered successful, from the red team's side, when the target data is exfiltrated or command and control (C2) is established

TAKEAWAYS: NOT ALL DATA AND SYSTEMS ARE CREATED EQUAL

Identify

• Profile all servers, applications and devices and develop critical application lists with data categorizations and those with access

• Analyze your attack surface area across all data locations: physical, virtual, and cloud

• Develop incident response plans around more than just the EMR

Prioritize

• Don’t rely on complex risk and value calculation models; your adversary is a human, not a robot

• Place an equal or higher effort on securing medical devices vs. the EMR

TAKEAWAYS: NOT ALL DATA IS CREATED EQUAL

Implement

• NIST Cybersecurity Framework for raising cybersecurity posture

• Vulnerability management program

• Create compensating controls to address legacy systems

Govern

• Test IR plans via tabletop exercises at least twice yearly

• Engage with the Board, Biomed, and Risk Management & Patient Safety Office as often as with IT

• Stay informed through information sharing:

- National Health Information Sharing & Analysis Center (NH-ISAC)

- Medical Device Innovation, Safety and Security Consortium (MDISS)


QUESTIONS? Ray Hillen | 919.601.5026 | [email protected]