July 18th, 2019. The NCTRC Webinar Series, presented by The National Consortium of Telehealth Resource Centers
Cybersecurity and Telehealth. Julie Chua, Risk Management Branch Chief, HHS Office of Information Security. Jordan Berg, Telehealth Technology Assessment Specialist, National Telehealth Technology Assessment Center, Alaska Native Tribal Health Consortium (ANTHC)
Who is TTAC? • TTAC is federally funded through the Office for the Advancement of Telehealth (OAT) • TTAC provides Technology Assessment services to the 12 regional TRCs as well as the other national TRC. • Between the three TTAC staff, there is over 50 years of experience in Telehealth
Telehealth Resource Centers provide FREE RESOURCES for Telehealth program development and sustainability
405(d): Aligning Healthcare Industry Security Approaches
What is the 405(d) Initiative? An industry-led process to develop consensus-based guidelines, practices, and methodologies to strengthen the HPH sector's cybersecurity posture against cyber threats.
Our Mandate: To strengthen the cybersecurity posture of the HPH Sector, Congress mandated the effort in the Cybersecurity Act of 2015 (CSA), Section 405(d).
Who is Participating: The 405(d) Task Group is convened by HHS and comprised of over 150 information security officers, medical professionals, privacy experts, and industry leaders.
Medical Community Baseline: Qualitative research to establish the level of the health sector's awareness and prioritization of cybersecurity. A series of one-on-one interviews with practitioners and practice administrators from the Northwest, Northeast, and Southeast; 7 focus groups (4 in-person, 3 virtual); qualitative research with medical professionals, HPH CIOs/CISOs, etc. [US map of focus group locations]
405(d) Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients (HICP) aims to raise awareness, provide vetted cybersecurity practices, and move towards consistency in mitigating the current most pertinent cybersecurity threats to the sector. It seeks to aid Healthcare and Public Health organizations to develop meaningful cybersecurity objectives and outcomes.
The four-volume publication includes a main document, two technical volumes, and resources and templates.
2017: HHS convened the 405(d) Task Group leveraging the Healthcare and Public Health (HPH) Sector Critical Infrastructure Security and Resilience Public-Private Partnership.
Our Future: Become the leading collaboration center for developing healthcare cybersecurity focused resources; continue to build upon the HICP publication; develop new cybersecurity resources.
National Pretesting: sessions were both in-person and virtual, and feedback was gathered with focus groups of 9-15 participants via roundtable discussion. A total of 123 people took part in the pretesting efforts.
Cybersecurity Overview
Objectives: • What is Cybersecurity? • Why is Cybersecurity Important? • Tools and Resources • National Institute of Standards and Technology (NIST) Framework • Health Industry Cybersecurity Practices (HICP) Report • Telemedicine Specific Concerns • Big Cybersecurity Ideas
What is Cybersecurity? “The process of protecting information by preventing, detecting, and responding to attacks.” -NIST Cybersecurity Framework
Why does it matter? 90% of hospitals have reported a breach in the past two years
Tools and Resources: NIST Framework Provides a method for: • Describing current cybersecurity posture • Describing a target state for cybersecurity • Identifying and prioritizing continuous improvement of Cybersecurity practices • Assessing progress toward the target state • Communicating among internal and external stakeholders about cybersecurity Risk
Tools and Resources: NIST Framework (Cont.) The five Functions and their unique identifiers:
ID: Identify
PR: Protect
DE: Detect
RS: Respond
RC: Recover
Tools and Resources: NIST Framework (Cont.) ID Identify ID.AM Asset Management ID.BE Business Environment ID.GV Governance ID.RA Risk Assessment ID.RM Risk Management Strategy ID.SC Supply Chain Risk Management
Tools and Resources: NIST Framework (Cont.) PR Protect PR.AC Identity Management, Authentication and Access Control PR.AT Awareness and Training PR.DS Data Security PR.IP Information Protection Processes and Procedures PR.MA Maintenance PR.PT Protective Technology
Tools and Resources: NIST Framework (Cont.) DE Detect DE.AE Anomalies and Events DE.CM Security Continuous Monitoring DE.DP Detection Processes
Tools and Resources: NIST Framework (Cont.) RS Respond RS.RP Response Planning RS.CO Communications RS.AN Analysis RS.MI Mitigation RS.IM Improvements
Tools and Resources: NIST Framework (Cont.) RC Recover RC.RP Recovery Planning RC.IM Improvements RC.CO Communications
Tools and Resources: HICP Report • Managing Threats and Protecting Patients – 5 current threats – 10 practices • Technical Volume 1: Practices for Small Health Care Organizations • Technical Volume 2: Practices for Medium and Large Health Care Organizations
Tools and Resources: HICP Report (Cont.) • 5 Core Threats – Email Phishing Attacks – Ransomware Attacks – Loss or Theft of Equipment or Data – Insider, Accidental or Intentional Data Loss – Attacks Against Connected Medical Devices that May Affect Patient Safety
Tools and Resources: HICP Report (Cont.) 10 Practices – E-mail protection systems – Endpoint protection systems – Access Management – Data Protection and Loss Prevention – Asset Management – Network Management – Vulnerability Management – Incident Response – Medical Device Security – Cybersecurity Policies
HICP Report Threat: E-mail Phishing Attack. E-mail phishing is an attempt to trick you into giving out information using e-mail. An inbound phishing e-mail includes an active link or file (often a picture or graphic). The e-mail appears to come from a legitimate source. Clicking to open the link or file takes the user to a website that may solicit sensitive information or proactively infect the computer.
Vulnerabilities:
– Lack of awareness training
– Lack of IT resources for managing suspicious e-mails
– Lack of software scanning e-mails for malicious content/bad links
– Lack of e-mail detection software testing for malicious content
– Lack of e-mail sender and domain validation tools
Practices to Consider:
– Be suspicious of e-mails from unknown senders, e-mails that request sensitive information such as PHI or personal information, or e-mails that include a call to action that stresses urgency or importance
– Train staff to recognize suspicious e-mails and to know where to forward them
– Never open e-mail attachments from unknown senders
– Tag external e-mails to make them recognizable to staff
– Implement advanced technologies for detecting and testing e-mail for malicious content or links
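The practices above (tag external mail, validate sender and domain, watch for urgency language and deceptive links) can be turned into a first-pass triage filter at the mail gateway. The script below is an added example for this webinar page, not code from the HICP report or HHS; the organisation domain `example-clinic.org`, the gateway name `mx.example-clinic.org` and both sample messages are constructed for the demonstration. It trusts only the `Authentication-Results` header stamped by our own gateway, because a sender can forge that header just as easily as the `From:` line.

```python
"""Added example: inbound-mail phishing triage (not from the HICP report)."""
import email
import re
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

INTERNAL_DOMAIN = "example-clinic.org"   # assumed: the organisation's own mail domain
GATEWAY = "mx.example-clinic.org"        # assumed: authserv-id our gateway writes
URGENCY = re.compile(r"\b(urgent|immediately|within 24 hours|account (will be )?suspended)\b", re.I)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def sender_domain(msg: EmailMessage) -> str:
    """Domain of the RFC 5322 From: address, lower-cased ('' if absent)."""
    return parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()


def auth_results(msg: EmailMessage) -> dict:
    """Parse spf/dkim/dmarc results from the Authentication-Results header
    written by our own gateway; headers with any other authserv-id are ignored."""
    results = {}
    for hdr in msg.get_all("Authentication-Results", []):
        authserv, _, rest = hdr.partition(";")
        if authserv.strip().lower() != GATEWAY:
            continue
        for part in rest.split(";"):
            m = re.match(r"\s*(spf|dkim|dmarc)=(\w+)", part, re.I)
            if m:
                results[m.group(1).lower()] = m.group(2).lower()
    return results


def link_mismatches(msg: EmailMessage) -> list:
    """Hrefs whose visible text names a different host than the real target."""
    body = msg.get_body(preferencelist=("html",))
    if body is None:
        return []
    collector = _LinkCollector()
    collector.feed(body.get_content())
    bad = []
    for href, text in collector.links:
        real = urlparse(href).hostname or ""
        shown = urlparse(text if "://" in text else "http://" + text).hostname or ""
        if shown and "." in shown and shown != real:   # plain words like "click here" are skipped
            bad.append(href)
    return bad


def triage(raw: str) -> dict:
    """Apply the checks to one raw message; returns fired flags and a quarantine decision."""
    msg = email.message_from_string(raw, policy=policy.default)
    flags = []
    if sender_domain(msg) != INTERNAL_DOMAIN:
        flags.append("external-sender")            # what the 'tag external e-mail' practice keys on
    auth = auth_results(msg)
    for method in ("spf", "dkim", "dmarc"):
        result = auth.get(method, "missing")
        if result != "pass":
            flags.append(f"{method}-{result}")     # sender/domain validation did not vouch for it
    body = msg.get_body(preferencelist=("plain", "html"))
    text = msg.get("Subject", "") + " " + (body.get_content() if body else "")
    if URGENCY.search(text):
        flags.append("urgency-language")
    if link_mismatches(msg):
        flags.append("link-mismatch")
    quarantine = ("link-mismatch" in flags or "dmarc-fail" in flags
                  or ("external-sender" in flags and "urgency-language" in flags))
    return {"flags": flags, "quarantine": quarantine}


# Constructed sample messages (not real mail).
SAMPLE_PHISH = """\
From: "IT Help Desk" <helpdesk@example-clinic.org.support-portal.test>
To: nurse@example-clinic.org
Subject: URGENT: password expires within 24 hours
Authentication-Results: mx.example-clinic.org; spf=fail smtp.mailfrom=example-clinic.org.support-portal.test; dkim=none; dmarc=fail header.from=example-clinic.org.support-portal.test
Content-Type: text/html; charset=utf-8

<p>Your account will be suspended. <a href="http://login.support-portal.test/reset">https://portal.example-clinic.org/reset</a></p>
"""

SAMPLE_LEGIT = """\
From: "Scheduling" <scheduling@example-clinic.org>
To: nurse@example-clinic.org
Subject: Tuesday telehealth clinic roster
Authentication-Results: mx.example-clinic.org; spf=pass smtp.mailfrom=example-clinic.org; dkim=pass header.d=example-clinic.org; dmarc=pass header.from=example-clinic.org
Content-Type: text/plain; charset=utf-8

Roster is on the shared drive as usual; nothing to do from your side.
"""

if __name__ == "__main__":
    for name, raw in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(name, triage(raw))
```

Run it as a script and the phishing sample fires every flag (external sender, SPF/DKIM/DMARC not passing, urgency wording, a link whose shown host differs from its real host) while the internal roster mail fires none. In production the same checks would sit behind the gateway's own filtering, and the "external-sender" flag would drive the subject or banner tag the practice calls for rather than a quarantine on its own.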
HICP Report Threat: Ransomware Attack. Ransomware is a type of malware (malicious software) that attempts to deny access to a user's data, usually by encrypting the data with a key known only to the attacker, until a ransom is paid.
Vulnerabilities:
– Lack of system backup
– Lack of anti-phishing capabilities
– Unpatched software
– Lack of anti-malware detection and remediation tools
– Lack of testing and proven data backup and restoration
– Lack of network security controls such as segmentation and access control
Practices to Consider:
– Patch software according to authorized procedures
– Use strong/unique usernames and passwords with multi-factor authentication
– Limit users who can log in from remote desktops
– Separate critical or vulnerable systems from threats
– Implement a backup strategy and secure the backups, so they are not accessible on the network they are backing up
– Establish cyber threat information sharing with other health care organizations
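Two of the ransomware items above, "lack of testing and proven data backup and restoration" and keeping backups off the network they protect, are easy to state and rarely exercised. The script below is an added example written for this page, not code from the HICP report or HHS. It models a backup drill: copy a directory tree, record a SHA-256 manifest authenticated with an HMAC key that only the backup operator holds (assumed to live off the protected network), simulate ransomware overwriting the live files, then restore into a scratch directory and prove every file came back byte-for-byte. It also shows what the verification reports when the backup copy itself is tampered with, which is the failure mode of a backup that sat on the same share. All paths, the key and the sample files are constructed.

```python
"""Added example: backup manifest, tamper check and restore drill (not from the HICP report)."""
import hashlib
import hmac
import json
import os
import shutil
import tempfile
from pathlib import Path

# Assumed: held by the backup operator, never stored on the file server being protected.
MANIFEST_KEY = b"operator-held-secret-not-on-the-file-server"


def _sha256(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(source: Path, dest: Path) -> dict:
    """Copy the tree to dest/data and write a manifest {relpath: sha256} plus an HMAC over it."""
    shutil.copytree(source, dest / "data", dirs_exist_ok=True)
    manifest = {str(p.relative_to(source)): _sha256(p)
                for p in sorted(source.rglob("*")) if p.is_file()}
    body = json.dumps(manifest, sort_keys=True).encode()
    (dest / "manifest.json").write_bytes(body)
    (dest / "manifest.hmac").write_text(hmac.new(MANIFEST_KEY, body, hashlib.sha256).hexdigest())
    return manifest


def verify_backup(dest: Path) -> tuple:
    """Check the manifest was not altered, then that every backed-up file still matches it.
    Returns (ok, list of problem paths)."""
    body = (dest / "manifest.json").read_bytes()
    expected = (dest / "manifest.hmac").read_text()
    actual = hmac.new(MANIFEST_KEY, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(actual, expected):
        return False, ["manifest tampered"]
    manifest = json.loads(body)
    problems = [rel for rel, digest in manifest.items()
                if not (dest / "data" / rel).is_file() or _sha256(dest / "data" / rel) != digest]
    return (not problems), problems


def restore_drill(dest: Path, scratch: Path) -> bool:
    """Restore into a scratch directory and confirm the restored tree matches the manifest."""
    ok, _ = verify_backup(dest)
    if not ok:
        return False
    shutil.copytree(dest / "data", scratch, dirs_exist_ok=True)
    manifest = json.loads((dest / "manifest.json").read_bytes())
    return all(_sha256(scratch / rel) == digest for rel, digest in manifest.items())


def demo() -> dict:
    """Back up a constructed tree, simulate ransomware on the live copy, restore, then
    show how verification reacts when the backup copy itself is damaged."""
    root = Path(tempfile.mkdtemp())
    live, backup, scratch = root / "live", root / "backup", root / "scratch"
    (live / "records").mkdir(parents=True)
    (live / "records" / "visit-001.txt").write_text("telehealth visit note (constructed sample)\n")
    (live / "config.ini").write_text("[ehr]\nport=8443\n")
    make_backup(live, backup)

    # Simulated ransomware: overwrite live files with random bytes and rename them.
    for p in [q for q in live.rglob("*") if q.is_file()]:
        p.write_bytes(os.urandom(32))
        p.rename(p.with_suffix(p.suffix + ".locked"))

    backup_ok, _ = verify_backup(backup)        # the separate copy is untouched
    restored = restore_drill(backup, scratch)   # and restores cleanly

    # Now damage the backup copy, as happens when it is reachable from the infected network.
    (backup / "data" / "config.ini").write_bytes(b"encrypted")
    tampered_ok, problems = verify_backup(backup)

    shutil.rmtree(root)
    return {"backup_ok": backup_ok, "restored": restored,
            "tampered_ok": tampered_ok, "problems": problems}


if __name__ == "__main__":
    print(demo())
```

The HMAC over the manifest is what makes the check meaningful: without it, malware that can reach the backup share could re-hash the files it encrypted and rewrite the manifest to match. The drill itself (restore to scratch, compare to manifest) is the part most organisations skip; scheduling it is how "proven restoration" stops being a checkbox.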