Written by HITRUST Independent Security Journalist Sean Martin.
Retired Air Force Brigadier General Gregory Touhill, the Deputy Assistant Secretary of Cybersecurity and Communications for the Department of Homeland Security, opened the HITRUST 2016 conference with an audience-engaging keynote, calling it “a meeting of the cybersecurity neighborhood watch with a focus on healthcare,” and making reference to his self-declared unofficial role as the “captain of our nation’s cyber neighborhood watch program.”
“Your role in cybersecurity as healthcare professionals is critical,” said Touhill while addressing the audience of nearly 300 attendees. “The healthcare system represents a major component of the nation’s critical infrastructure; and it’s constantly under attack with people doing reconnaissance on a daily basis. Meetings like this are critical to the success of the industry.”
Breaches are happening and they are bad. The market is growing for healthcare records: $75-$150 per record based on the buyer and the veracity of the record. The value of your healthcare record will likely outlast you, and the value is appreciating over time (unlike a credit card, which is perishable).
“This summer is and will be the Summer of Ransomware,” said Touhill, sharing his forecast for this trend continuing this year and into 2017. “We’ll continue to see medical records held hostage and denying access to this information as a means to extract ransom payments from healthcare organizations.”
We can’t be blinkered by the sensationalism associated with this threat; things are about to change: “I anticipate that next summer likely will be the summer of attacks on data integrity,” Touhill added. “Soon, the attackers will hold people’s health and safety hostage with their data potentially being compromised and changed.”
We need to prepare to handle data theft and data loss. We must also prepare for attacks that test the integrity of our data. This raises the question: how do we defend against, detect and respond to each of these types of attacks?
Touhill suggests that the first step is to understand the assailants and the methods they use to perform their attacks, providing the following list of six threat vectors for which the healthcare industry needs to prepare:
- Vandals: This group focuses on the destruction and defacement of their targets’ properties and assets, a clear threat to the reputation of the victims. Anonymous is an example of a vandal.
- Burglars: This group is financially motivated and focuses on stealing money. They target banks, retailers and other financial organizations, looking for something to steal and resell. Target is an example victim of a burglarized organization.
- Thugs/Muggers: This group uses their tactics to further their goal, whatever that goal may be. Sony probably feels like they got mugged.
- Spies: This group primarily comprises nation-state actors, but also includes corporate actors looking to steal IP and other information that can result in a competitive advantage. The goal for this group often orients around the ability to accelerate research and development efforts as a means to beat competitors to market. Compensation for spies continues to grow.
- Saboteurs: This is the group that keeps General Touhill up at night, as it impacts the critical infrastructure. This group looks to establish a foothold in the critical infrastructure and then waits to pounce. BlackEnergy, a piece of malware, represents a sample attack tool that could be used by saboteurs. “We find a lot of companies that don’t believe their company infrastructures are connected to the Internet and are shocked when they get breached,” says Touhill.
- The Careless, Negligent and Indifferent: This is the most prevalent group. Touhill said that the department finds time and again that 99.44% of incidents responded to can be traced to this group—essentially, someone not following the rules to implement proper cybersecurity hygiene and best practices. “99% of these attacks are preventable,” added Touhill. “It’s important to educate your people so they are neither careless nor indifferent about cybersecurity.”
Now, with this information on hand, what do you do?
“You need to defend what’s really important,” said Touhill. “Have a plan; identify what you have; determine its value; classify and prioritize; and then protect it accordingly.”
It’s not enough to only create a plan; the plan must also be exercised, and everyone from the board to the employees and partners has a role. “In the most successful organizations, everybody plays—they all have a stake,” said Touhill. “It’s critical that the organization quantify and manage their risk; if you don’t understand your risk you can’t make good decisions.”
Strategically, Touhill recommended the audience leave the presentation with these five action items:
- Keep cybersecurity on your agenda: All too often the C-suite says “this is a server room issue.” However, cybersecurity is much more than that. Cybersecurity is a boardroom issue, a lunch room issue, a class room issue, and a living room issue. Consider that senior citizen parents are now the #1 mark for cybercriminals, second in line to industry.
- Do your math homework: Cybersecurity is all about risk, and risk is based on value to the business. Do the work to calculate the costs: What is the cost of an attack on your reputation if someone conducts a ransomware attack on you? $17-$25K is the average ransom. So compare that to the cost of implementing whitelisting and data backups. If you pay $25K on one ransom, word gets around, you get marked, and you’ll see more ransom hits. Be sure to factor in the cost to your brand and reputation; it is sure to be more valuable than the ransom itself!
- Have a plan and exercise it: Everyone needs to play—boards and officers at companies often push participation in exercises down to lower levels in the IT organization and then claim they didn’t have the information to make good decisions. It’s not an IT exercise, it’s a business exercise.
- Train, train, train—and then train some more: Practice makes perfect…perhaps organizations should look at it as “perfect practice makes perfect”—if you practice the wrong things, or practice incompletely, you can’t respond correctly. Practice regularly so you can get closer and closer to perfect.
- Continue to share information: Join the cyber neighborhood watch. When your threat information is shared with DHS, it’s anonymized to protect privacy, brands and reputations.
Touhill provided a single overarching message that suggests we all need to continue to meet each other, stay connected and plan together. “You can’t exchange business cards in the middle of a crisis and be successful.”
While Touhill encourages organizations to stay focused on the business—looking at the problem strategically—there’s also some low-hanging fruit that can help counteract 99.99% of the bad stuff.
Here’s what Touhill recommends:
- Multi-factor authentication (MFA) works: Almost every single event we respond to is the result of a compromised username/password. Put it in place for your most important stuff.
- Segment your network: Yes, it drives up the cost of our infrastructure, but leaving your network flat allows an adversary to leverage a compromised username/password to move laterally across the non-segmented network.
- Control privileged access: Organizations need to minimize the number of people that have the keys to the kingdom. Your adversaries are going after this group more than any other group in your organization. How many SysAdmins show (brag about) their SysAdmin status on LinkedIn? Finding these accounts is just a way for the bad guys to use social engineering attacks to gain access and have their way with the network.
- Employ whitelisting: Define policies that ensure nothing runs on endpoints, servers and networks without prior approval. This can prevent non-authorized apps such as ransomware from executing on your network. It does cost money, but it’s worth it. Have you looked at what it will cost? This one thing can seriously knock down the risk you face.
- Guard your back door: With the plethora of outsourcing and trusted partnerships, organizations need to make sure their back door is guarded. In the recent Office of Personnel Management (OPM) breach, the attackers went through a trusted third party via a compromised username/password and acted just like a normal user accessing the OPM data. This raises the following questions: Are your contracted firms meeting the security baselines that you’ve set? Can you audit them? Do you know if they are maintaining the same level—or a better level—than you are?
At the end of the day, it’s about our ability to deal with the implications of a really bad cybersecurity event—how does everyone play their part to get through it? Organizations should leverage each other, leverage the government, and leverage cybersecurity frameworks to help them define and execute the plans that will save their business from cybersecurity failure.