The NCTRC Webinar Series, Presented by The National Consortium of Telehealth Resource Centers, July 18th, 2019


Page 1:

The NCTRC Webinar Series

Presented by The National Consortium of Telehealth Resource Centers

July 18th, 2019

Page 2:

Cybersecurity and Telehealth

Jordan Berg, Telehealth Technology Assessment Specialist, National Telehealth Technology Assessment Center, Alaska Native Tribal Health Consortium (ANTHC)

Julie Chua, Risk Management Branch Chief, HHS Office of Information Security

Page 3:

Who is TTAC?

• TTAC is federally funded through the Office for the Advancement of Telehealth (OAT)

• TTAC provides Technology Assessment services to the 12 regional TRCs as well as the other national TRC.

• Between the three TTAC staff, there is over 50 years of experience in Telehealth

Page 4:

Telehealth Resource Centers

Provide FREE RESOURCES for Telehealth program development and sustainability

Page 5:

405(d) - Aligning Healthcare Industry Security Approaches

What is the 405(d) Initiative?

To strengthen the cybersecurity posture of the HPH Sector, Congress mandated the effort in the Cybersecurity Act of 2015 (CSA), Section 405(d).

An industry-led process to develop consensus-based guidelines, practices, and methodologies to strengthen the HPH-sector’s cybersecurity posture against cyber threats.

The 405(d) Task Group is convened by HHS and comprised of over 150 information security officers, medical professionals, privacy experts, and industry leaders.

2017: HHS convened the 405(d) Task Group leveraging the Healthcare and Public Health (HPH) Sector Critical Infrastructure Security and Resilience Public-Private Partnership.

405(d) Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients (HICP)

Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients (HICP) aims to raise awareness, provide vetted cybersecurity practices, and move towards consistency in mitigating the current most pertinent cybersecurity threats to the sector. It seeks to aid Healthcare and Public Health organizations to develop meaningful cybersecurity objectives and outcomes. The four-volume publication includes a main document, two technical volumes, and resources and templates.

Our Mandate

Become the leading collaboration center for developing healthcare cybersecurity focused resources.

Our Future

• Continue to build upon the HICP publication

• Develop new cybersecurity resources

Who is Participating

Qualitative research with medical professionals, HPH, CIOs/CISOs etc.

Qualitative research to establish the level of the health sector’s awareness and prioritization of cybersecurity.

National Pretesting sessions were both in-person and virtual, and feedback was gathered with focus groups of 9-15 participants via roundtable discussion. A total of 123 took part in the pretesting efforts.

Medical Community Baseline

7 Focus Groups: 4 in-person, 3 virtual.

Series of one-on-one interviews with practitioners and practice administrators from the Northwest, Northeast, and Southeast.

[Map from the slide of participating states and territories: New Jersey, New York, Virgin Islands, Alabama, Florida, Georgia, Kentucky, Mississippi, North Carolina, South Carolina, Tennessee, Arkansas, Louisiana, New Mexico, Oklahoma, Texas, CT, Maine, Mass., New Hampshire, VT, Delaware, Maryland, Pennsylvania, Virginia, West Virginia, Illinois, Indiana, Michigan, Minnesota, Ohio, Wisconsin, Colorado, Montana, North Dakota, South Dakota, Utah, Wyoming, Idaho, Oregon, Washington, Alaska, Iowa, Kansas, Missouri, Nebraska, Arizona, California, Nevada, HI, AS, Guam; region label IX]

Page 6:

Cybersecurity Overview

Page 7:

Objectives:

• What is Cybersecurity?

• Why is Cybersecurity Important?

• Tools and Resources

• National Institute of Standards and Technology (NIST) Framework

• Health Industry Cybersecurity Practices (HICP) Report

• Telemedicine Specific Concerns

• Big Cybersecurity Ideas

Page 8:

What is Cybersecurity?

“The process of protecting information by preventing, detecting, and responding to attacks.”

- NIST Cybersecurity Framework

Page 9:

Why does it matter?

90% of hospitals have reported a breach in past two years

Page 10:

Why does it matter?

Page 11:

Why does it matter?

Page 12:

Tools and Resources: NIST Framework

Provides a method for:

• Describing current cybersecurity posture

• Describing a target state for cybersecurity

• Identifying and prioritizing continuous improvement of Cybersecurity practices

• Assessing progress toward the target state

• Communicating among internal and external stakeholders about cybersecurity Risk

Page 13:

Tools and Resources: NIST Framework (Cont.)

Function Unique Identifier | Function
ID | Identify
PR | Protect
DE | Detect
RS | Respond
RC | Recover

Page 14:

Tools and Resources: NIST Framework (Cont.)

ID Identify

ID.AM Asset Management

ID.BE Business Environment

ID.GV Governance

ID.RA Risk Assessment

ID.RM Risk Management Strategy

ID.SC Supply Chain Risk Management

Page 15:

Tools and Resources: NIST Framework (Cont.)

PR Protect

PR.AC Identity Management and Access Control

PR.AT Awareness and Training

PR.DS Data Security

PR.IP Information Protection Process and Procedures

PR.MA Maintenance

PR.PT Protective Technology

Page 16:

Tools and Resources: NIST Framework (Cont.)

DE Detect

DE.AE Anomalies and Events

DE.CM Security and Continuous Monitoring

DE.DP Detection Processes

Page 17:

Tools and Resources: NIST Framework (Cont.)

RS Respond

RS.RP Response Planning

RS.CO Communications

RS.AN Analysis

RS.MI Mitigation

RS.IM Improvements

Page 18:

Tools and Resources: NIST Framework (Cont.)

RC Recover

RC.RP Recovery Planning

RC.IM Improvements

RC.CO Communications

Page 19:

Tools and Resources: HICP Report

• Managing Threats and Protecting Patients

– 5 current threats

– 10 practices

• Technical Volume 1: Practices for Small Health Care Organizations

• Technical Volume 2: Practices for Medium and Large Health Care Organizations

Page 20:

Tools and Resources: HICP Report (Cont.)

• 5 Core Threats

– Email Phishing Attacks

– Ransomware Attacks

– Loss or Theft of Equipment or Data

– Insider, Accidental or Intentional Data Loss

– Attacks Against Connected Medical Devices that May Affect Patient Safety

Page 21:

Tools and Resources: HICP Report (Cont.)

• 10 Practices

– E-mail protection systems

– Endpoint protection systems

– Access Management

– Data Protection and Loss Prevention

– Asset Management

– Network Management

– Vulnerability management

– Incident Response

– Medical Device Security

– Cybersecurity Policies

Page 22:

HICP Report - Threat: E-mail Phishing Attack

E-mail phishing is an attempt to trick you into giving out information using e-mail.

An inbound phishing e-mail includes an active link or file (often a picture or graphic). The e-mail appears to come from a legitimate source. Clicking to open the link or file takes the user to a website that may solicit sensitive information or proactively infect the computer.

Vulnerabilities:

– Lack of awareness training

– Lack of IT resources for managing suspicious emails

– Lack of software scanning e-mails for malicious content/bad links

– Lack of e-mail detection software testing for malicious content

– Lack of e-mail sender and domain validation tools

Practices to Consider:

– Be suspicious of e-mails from unknown senders, e-mails that request sensitive information such as PHI or personal information, or e-mails that include a call to action that stresses urgency or importance

– Train staff to recognize suspicious e-mails and to know where to forward them

– Never open e-mail attachments from unknown senders

– Tag external e-mails to make them recognizable to staff

– Implement advanced technologies for detecting and testing e-mail for malicious content or links
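Two of the practices above, tagging external e-mail and inspecting links and content, can be shown in a small mail-gateway check. The following is an added example and not code from the NCTRC presentation or the HICP report; the internal domain `clinic.example`, the keyword lists and the two sample messages are constructed for the demo, and a real gateway would add sender authentication (SPF/DKIM/DMARC) and URL reputation lookups on top of this.

```python
"""Inbound e-mail tagging and link inspection (added example, not from the slides)."""
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr
from urllib.parse import urlparse

INTERNAL_DOMAIN = "clinic.example"          # assumed organisation domain
EXTERNAL_TAG = "[EXTERNAL] "
URGENCY_WORDS = ("urgent", "immediately", "within 24 hours", "account will be suspended")
CREDENTIAL_WORDS = ("password", "verify your account", "log in", "login")

# <a href="...">text</a> anchors in HTML bodies, and bare URLs in the anchor text
_ANCHOR_RE = re.compile(r'<a[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
_URL_RE = re.compile(r'https?://[^\s"<>]+', re.I)


def sender_domain(msg: Message) -> str:
    """Domain of the From: header address, lowercased ('' if absent)."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def is_external(msg: Message) -> bool:
    """True unless the sender is the internal domain or one of its subdomains."""
    d = sender_domain(msg)
    return d != INTERNAL_DOMAIN and not d.endswith("." + INTERNAL_DOMAIN)


def body_text(msg: Message) -> str:
    """Concatenate the text/plain and text/html parts of the message."""
    out = []
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            raw = part.get_payload(decode=True)
            out.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(out)


def link_findings(body: str) -> list:
    """Flag anchors whose visible text names one host but whose href points elsewhere."""
    findings = []
    for href, text in _ANCHOR_RE.findall(body):
        href_host = urlparse(href).hostname or ""
        shown = _URL_RE.search(text)
        if shown:
            shown_host = urlparse(shown.group(0)).hostname or ""
            if shown_host and shown_host != href_host:
                findings.append(f"link text shows {shown_host} but points to {href_host}")
        if href_host and not href.lower().startswith("https://"):
            findings.append(f"non-HTTPS link to {href_host}")
    return findings


def content_findings(body: str) -> list:
    """Flag the urgency and credential-request language the slide warns about."""
    low = body.lower()
    findings = []
    if any(w in low for w in URGENCY_WORDS):
        findings.append("urgency language")
    if any(w in low for w in CREDENTIAL_WORDS):
        findings.append("requests credentials")
    return findings


def inspect(raw: str) -> dict:
    """Return the (possibly tagged) Subject plus all findings for one raw message."""
    msg = message_from_string(raw)
    subject = msg.get("Subject", "")
    external = is_external(msg)
    if external and not subject.startswith(EXTERNAL_TAG):
        subject = EXTERNAL_TAG + subject
    body = body_text(msg)
    return {"subject": subject, "external": external,
            "findings": link_findings(body) + content_findings(body)}


# Constructed sample messages (not real mail).
INTERNAL_MAIL = """From: scheduler@clinic.example
To: nurse@clinic.example
Subject: Thursday telehealth clinic roster
Content-Type: text/plain

Roster is in the shared drive as usual.
"""

LOOKALIKE_MAIL = """From: IT Support <helpdesk@clinic-example.net>
To: nurse@clinic.example
Subject: Action required
Content-Type: text/html

<p>Your account will be suspended. Log in immediately at
<a href="http://portal-login.example.net/reset">https://portal.clinic.example/reset</a></p>
"""

if __name__ == "__main__":
    for raw in (INTERNAL_MAIL, LOOKALIKE_MAIL):
        print(inspect(raw))
```

Run it as a script to see the internal roster message pass untouched while the look-alike message is tagged `[EXTERNAL]` and reported for the mismatched link, the plain-HTTP target, the urgency wording and the credential request; the findings are what a staff member would be trained to look for, surfaced automatically before the message reaches them.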

Page 23:

HICP Report - Threat: Ransomware Attack

Ransomware is a type of malware (malicious software) that attempts to deny access to a user’s data, usually by encrypting the data with a key known only to the hacker, until a ransom is paid.

Vulnerabilities:

– Lack of system backup

– Lack of anti-phishing capabilities

– Unpatched software

– Lack of anti-malware detection and remediation tools

– Lack of testing and proven data backup and restoration

– Lack of network security controls such as segmentation and access control

Practices to Consider:

– Patch software according to authorized procedures

– Use strong/unique usernames and passwords with multi-factor authentication

– Limit users who can log in from remote desktops

– Separate critical or vulnerable systems from threats

– Implement a backup strategy and secure the backups, so they are not accessible on the network they are backing up

– Establish cyber threat information sharing with other health care organizations
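A backup only counts against ransomware once a restore from it has been proven, which is the "testing and proven data backup and restoration" item above. The script below is an added example, not part of the presentation or the HICP report: it copies a directory to a backup location with a SHA-256 manifest, restores it into scratch space and checks every restored file against the manifest, then overwrites one backup copy to show that the same check catches a backup that has been tampered with. All paths and sample files are created in a temporary directory; keeping the backup location off the production network, as the slide requires, is a deployment decision the code cannot make for you.

```python
"""Backup manifest and restore test (added example, not from the slides)."""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large records do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def create_backup(src: Path, dest: Path) -> dict:
    """Copy src into dest/data and write dest/manifest.json mapping relative paths to hashes."""
    manifest = {}
    for p in sorted(src.rglob("*")):
        if p.is_file():
            rel = p.relative_to(src).as_posix()
            target = dest / "data" / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(p, target)
            manifest[rel] = sha256_file(target)   # hash the copy, not the original
    (dest / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def verify_backup(dest: Path) -> list:
    """Return relative paths whose backup copy no longer matches the manifest."""
    manifest = json.loads((dest / "manifest.json").read_text())
    return [rel for rel, digest in manifest.items()
            if not (dest / "data" / rel).is_file()
            or sha256_file(dest / "data" / rel) != digest]


def restore_test(dest: Path, scratch: Path) -> list:
    """Restore the backup to scratch space and return any file that fails its hash check."""
    manifest = json.loads((dest / "manifest.json").read_text())
    shutil.copytree(dest / "data", scratch, dirs_exist_ok=True)
    return [rel for rel, digest in manifest.items()
            if not (scratch / rel).is_file() or sha256_file(scratch / rel) != digest]


def demo() -> dict:
    """Build constructed sample data, back it up, prove the restore, then detect tampering."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        src, dest, scratch = root / "ehr", root / "backup", root / "restore"
        (src / "notes").mkdir(parents=True)
        (src / "notes" / "visit1.txt").write_text("constructed sample record\n")
        (src / "schedule.csv").write_text("date,provider\n2019-07-18,dr-a\n")
        manifest = create_backup(src, dest)
        clean = restore_test(dest, scratch)          # expected: no failures
        # Simulate a backup copy overwritten by ransomware that reached the backup
        # share; the manifest check must now report that file.
        (dest / "data" / "schedule.csv").write_bytes(b"\x00garbage")
        tampered = verify_backup(dest)
        return {"files": len(manifest), "clean_restore": clean, "tampered": tampered}


if __name__ == "__main__":
    print(demo())
```

The manifest is stored next to the data here for simplicity; in practice keep a copy of it somewhere the backup job cannot overwrite, so an attacker who can rewrite the backup cannot also rewrite the hashes that vouch for it.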

Page 24:

HICP Report - Threat: Loss or Theft of Equipment or Data

Loss of mobile devices such as laptops, tablets, smartphones, and USB/thumb drives has costs far greater than the value of the equipment.

Vulnerabilities:

– Lack of asset inventory and control

– Lack of encryption

– Lack of physical security practices and safeguards

– Lack of effective vendor security management

– Lack of “End-of-Service” process to clear sensitive data before assets are discarded

Practices to Consider:

– Maintain a complete, accurate, and current asset inventory

– Encrypt sensitive data, especially when transmitting to other devices or organizations

– Implement proven and tested data backups, with proven and tested restoration of data

– Implement a safeguards policy for mobile devices supplemented with user awareness training on securing devices

– Promptly report loss/theft to designated individuals to terminate access to the device and/or network

– Define a process for cleaning sensitive data from every device before it is retired, refurbished or resold

Page 25:

HICP Report - Threat: Insider, Accidental or Intentional Data Loss

Insider threats exist within every organization where employees, contractors, or other users access the organization’s technology infrastructure, network, or databases. Threats can be accidental and intentional.

Vulnerabilities:

– Files with sensitive data accidentally e-mailed to incorrect or unauthorized addresses

– Lack of monitoring, tracking, and auditing of access to patient information in EHR and other critical assets (e-mail, file storage)

– Lack of technical controls to monitor the e-mailing of sensitive data outside the organization’s network

– Lack of training about social engineering and phishing attacks

Practices to Consider:

– Train staff and IT users on data access and financial control procedures to mitigate social engineering and procedural errors

– Implement and use workforce access auditing of health record systems and sensitive data

– Implement and use privileged access management tools to report access to critical technology infrastructure and systems

– Implement and use data loss prevention tools to detect and block leakage of PHI and PII via e-mail and web upload
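The last practice above, a data loss prevention control on outbound e-mail, reduces to a rule that pairs "who is this going to" with "what identifiers does it carry". The following is an added example and not part of the presentation or the HICP report: it runs that rule over three constructed outbound messages. The internal domain `clinic.example`, the `MRN-` record-number format, the SSN and date-of-birth patterns and the keyword list are demo assumptions; a deployed DLP tool would use the organisation's own identifier formats, an allow-list of approved partner domains and the structured-data detectors its vendor provides.

```python
"""Outbound e-mail DLP check (added example, not from the slides)."""
import re
from email import message_from_string
from email.utils import getaddresses

INTERNAL_DOMAIN = "clinic.example"                   # assumed organisation domain
PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn": re.compile(r"\bMRN-\d{6,}\b"),            # assumed local MRN format
    "dob": re.compile(r"\b(?:DOB|date of birth)[:\s]+\d{1,2}/\d{1,2}/\d{2,4}\b", re.I),
}
PHI_KEYWORDS = ("diagnosis", "patient", "prescription")


def external_recipients(msg) -> list:
    """All To:/Cc: addresses that are not in the internal domain."""
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    addrs = [a for _, a in getaddresses(headers)]
    return [a for a in addrs if not a.lower().endswith("@" + INTERNAL_DOMAIN)]


def classify(raw: str) -> dict:
    """Decide allow / review / block for one raw outbound message and explain why."""
    msg = message_from_string(raw)
    body = msg.get_payload(decode=True).decode("utf-8", "replace")
    hits = {name: len(rx.findall(body)) for name, rx in PATTERNS.items() if rx.search(body)}
    keywords = [k for k in PHI_KEYWORDS if k in body.lower()]
    ext = external_recipients(msg)
    # Block only when structured identifiers are leaving the organisation; keyword-only
    # matches are routed for review so ordinary clinical wording is not blocked outright.
    if ext and hits:
        action = "block"
    elif ext and keywords:
        action = "review"
    else:
        action = "allow"
    return {"action": action, "external": ext, "identifiers": hits, "keywords": keywords}


# Constructed sample messages (not real mail, not real identifiers).
OUT_INTERNAL = """From: clinic-a@clinic.example
To: billing@clinic.example
Subject: charges
Content-Type: text/plain

Please post charges for MRN-00012345, diagnosis code on the encounter.
"""

OUT_EXTERNAL_PHI = """From: clinic-a@clinic.example
To: referral@partner-hospital.example
Subject: referral
Content-Type: text/plain

Referral for patient MRN-00012345, DOB: 03/14/1960, SSN 123-45-6789.
Diagnosis: see attached.
"""

OUT_EXTERNAL_CLEAN = """From: clinic-a@clinic.example
To: vendor@telehealth-vendor.example
Subject: demo
Content-Type: text/plain

Can we schedule a demo of the new telehealth cart next week?
"""

if __name__ == "__main__":
    for raw in (OUT_INTERNAL, OUT_EXTERNAL_PHI, OUT_EXTERNAL_CLEAN):
        print(classify(raw))
```

The internal billing message is allowed even though it carries an MRN, because it never leaves the organisation; the referral to an outside domain is blocked on three identifier matches, and the vendor scheduling note passes. The "review" tier is the part that keeps a control like this usable: blocking on keywords alone would stop legitimate clinical correspondence and push staff toward workarounds.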

Page 26:

HICP Report - Threat: Attacks Against Connected Medical Devices That May Affect Patient Safety

Impact:

• Broad hospital operational impact due to unavailable medical devices and systems

• Medical devices do not function as required for patient treatment and recovery

• Patient safety compromised due to breach

Vulnerabilities:

– Devices not patched promptly

– Equipment not current, or legacy equipment that is outdated and lacks current functionality

– Devices cannot be monitored by the organization’s intrusion detection systems

– Heterogeneity of medical devices means that identifying vulnerabilities and remediation processes is complex and resource intensive

Practices to Consider:

– Establish and maintain contact with medical device manufacturers’ product security teams

– Implement pre-procurement security requirements for vendors

– Patch devices after patches have been validated, distributed, and properly tested

– Assess inventory traits for devices that may include MAC, IP, or other elements relevant to managing information security risks

– Engage information security as a stakeholder for clinical device procurement

Page 27:

Telemedicine Specific Concerns

• User Management/Access

• Vendor Selection

• Asset Management

• Attacks Against Connected Medical Devices that May Affect Patient Safety

• Device Management

Page 28:

Big Ideas

• Cybersecurity is not a passive or binary state

• Cybersecurity is a vital part of providing healthcare

• Cybersecurity is not an IT issue

Page 29:

Resources

• National Institute of Standards and Technology Framework: https://www.nist.gov/cyberframework

• Health Industry Cybersecurity Practices: https://www.phe.gov/Preparedness/planning/405d/Pages/reportandtools.aspx

Page 30:

Thank You

Contact Us: www.telehealthtechnology.org, 1-844-242-0075

Page 31:

The NCTRC Webinar Series

Occurs 3rd Thursday of every month.

Our Next Webinar

Telehealth Topic: Finding and Vetting the Perfect Specialty Service Provider

Date: Thursday, January 17th 2019

Times: 9:00AM HST, 10:00AM AKST, 11:00AM PST, 12:00PM MST, 1:00PM CST, 2:00PM EST