Protect, Protect, Protect… Now SHARE
John D. Halamka MD
Chief Information Officer

The State of the Internet
• Studies indicate 48% of internet systems are infected now (worldwide)
• Escalation of malware quality and quantity began in March-April 2011 (organized crime now runs internet identity theft as a business)
• A new virus is released every 30 seconds, there is a 400% increase in Android device hacking, and 150,000 malware variants are found on the internet at any moment (80% are on legitimate websites)
• Risk exists on all Windows, Mac OS X, and Linux platforms (alas, there is no silver bullet)
The State of the Internet
• Commercialization of rootkits
• Fast flux re-packaging
• Signature solutions becoming less effective
• Angry Birds
• Steganography on the rise
• Content cloaking on Google and Facebook
• Adobe and Java vulnerabilities
The State of BIDMC
• 14,501 total devices on network
• 3,353 research, departmental and personal devices are not managed by IT (these are the most often infected)
• 11,566 BIDMC user accounts
• 589 Needham user accounts
• 212 websites or applications with remote access
The Risk
• Every day users download malware and we eliminate it via early detection, remote access to the device, or a visit to the device
• We have much more sophisticated monitoring systems than most hospitals, so we can see what is happening
• We have hired numerous industry specialists from McAfee, RSA and Verizon to study our environment
• Although they have made a few technology suggestions, the major need is policy improvement
The Risk - Home Computers
Drop Server: 200.63.44.172
Finding Type: Corporate Credentials
Description: An authorized user accessed one of the organization's resources, BIDMC Portal, from an infected machine (a screenshot is attached). The Trojan horse captured the credentials.
URL: https://portal.bidmc.org/login.aspx?item=/default&user=extranet\Anonymous&site=website&url=/default.aspx
IP Address: 24.63.18.108
Timestamp: Wed, 17 Aug 2011 01:06:01 GMT
Rawtext:
"1856";"TOSHIBA-PC_775A658D6522DF69";"-- default -";"33556489";"https://portal.bidmc.org/login.aspx?item=/default&user=extranet\Anonymous&site=website&url=/default.aspx";"";"1313543161";"188203365";"14400";"#6;#0;?#29; #0;";"1033";"C:\Program Files (x86)\Internet Explorer\iexplore.exe";"ToshibaPCToshiba";"12";"https://portal.bidmc.org/login.aspx?item=/default&user=extranet\Anonymous&site=website&url=/default.aspx
Referer: https://portal.bidmc.org/login.aspx?item=/default&user=extranet\Anonymous&site=website&url=/default.aspx
User input: lxxxxxaKxxxxx3
POST data:
__EVENTVALIDATION=/wEWBALh8vWcAgKvpuq2CALyveCRDwL jNCfD1D ONbAiUFgkw75ofRC13PVI8NZ
username=sxxxxxa
password=Kxxxxx13
LoginButton.x=0
LoginButton.y=0";"24.63.18.108";"US";"1313543148"
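The record above is what the drop-server export actually hands an analyst: one semicolon-delimited line of double-quoted fields, the epoch capture time in field 7 (1313543161 is exactly the 17 Aug 2011 01:06:01 GMT timestamp), and a multi-line field holding the victim browser's URL, referer, keystrokes and POST body. The triage step is to pull the account name out of the POST body, mask the password, confirm the target is one of our own remote-access resources, and queue the reset. The following is an added example written for this page, not the monitoring vendor's or BIDMC's code; the PROTECTED_HOSTS set and the sample record (modelled on the slide's masked finding, with the __EVENTVALIDATION token replaced by a placeholder) are constructed for illustration.

```python
"""Parse a drop-server credential-theft record and build a triage summary."""
import csv
import io
from datetime import datetime, timezone
from urllib.parse import urlsplit

# Hostnames of the organisation's own remote-access resources (assumed list;
# the finding above names only portal.bidmc.org).
PROTECTED_HOSTS = {"portal.bidmc.org"}

# Constructed sample record modelled on the slide's masked finding. The
# username/password are the slide's already-masked placeholders, not real
# credentials, and the viewstate token is replaced by PLACEHOLDER.
SAMPLE_RECORD = (
    '"1856";"TOSHIBA-PC_775A658D6522DF69";"-- default -";"33556489";'
    '"https://portal.bidmc.org/login.aspx?item=/default&user=extranet\\Anonymous&site=website&url=/default.aspx";'
    '"";"1313543161";"188203365";"14400";"#6;#0;?#29; #0;";"1033";'
    '"C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe";"TOSHIBA-PC\\Toshiba";"12";'
    '"https://portal.bidmc.org/login.aspx?item=/default&user=extranet\\Anonymous&site=website&url=/default.aspx\n'
    'Referer: https://portal.bidmc.org/login.aspx?item=/default&user=extranet\\Anonymous&site=website&url=/default.aspx\n'
    'User input: lxxxxxaKxxxxx3\n'
    'POST data:\n'
    '__EVENTVALIDATION=PLACEHOLDER\n'
    'username=sxxxxxa\n'
    'password=Kxxxxx13\n'
    'LoginButton.x=0\n'
    'LoginButton.y=0";"24.63.18.108";"US";"1313543148"\n'
)

# Zero-based positions of the fields we need (assumed from the record layout above).
FIELD = {"victim_host": 1, "url": 4, "captured_epoch": 6, "process": 11,
         "capture_blob": 14, "victim_ip": 15, "country": 16}


def split_record(record):
    """Split one exported record into its fields. csv copes with the quoted
    field that itself contains ';' and with the field that spans several lines."""
    rows = [r for r in csv.reader(io.StringIO(record), delimiter=";", quotechar='"') if r]
    if len(rows) != 1:
        raise ValueError(f"expected one record, got {len(rows)}")
    return rows[0]


def parse_post_data(blob):
    """Return the form fields the victim's browser submitted: the key=value
    lines after the 'POST data:' marker. Empty dict if no POST body was captured."""
    _, marker, post = blob.partition("POST data:")
    if not marker:
        return {}
    fields = {}
    for line in post.strip().splitlines():
        key, sep, value = line.partition("=")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def mask(secret):
    """Keep first and last character so reports can be matched without copying the secret."""
    if len(secret) <= 2:
        return "*" * len(secret)
    return secret[0] + "*" * (len(secret) - 2) + secret[-1]


def triage(record):
    """Summarise a finding and list the response actions it calls for."""
    f = split_record(record)
    host = urlsplit(f[FIELD["url"]]).hostname
    post = parse_post_data(f[FIELD["capture_blob"]])
    captured = datetime.fromtimestamp(int(f[FIELD["captured_epoch"]]), tz=timezone.utc)
    corporate = host in PROTECTED_HOSTS
    actions = []
    if corporate and "username" in post:
        actions = ["disable the account and force a credential reset",
                   "review portal access for the account since the capture time",
                   "require two-factor authentication for this remote user"]
    return {
        "finding_type": "Corporate Credentials" if corporate else "Other Credentials",
        "resource": host,
        "captured_at": captured.isoformat(),
        "victim_host": f[FIELD["victim_host"]],
        "victim_ip": f[FIELD["victim_ip"]],
        "country": f[FIELD["country"]],
        "process": f[FIELD["process"]],
        "account": post.get("username"),
        "password_masked": mask(post.get("password", "")),
        "actions": actions,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_RECORD).items():
        print(f"{key}: {value}")
```

The victim machine is a home computer the organisation cannot reimage, so the only controls that actually close the finding are the ones on the account side: the reset, the access review from the capture timestamp onward, and the two-factor requirement that the Prevention slide lists.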
Mitigation
Surveillance and Detection
• Scheduled vulnerability scans of managed devices using Nexpose
• Augment internal capability with Dell SecureWorks hosting services
• More extensive use of logs to identify and correlate suspicious behavior
Containment and Cleaning
• Locking down outbound connections from servers, i.e. "white listing" (egress allowlisting)
• More aggressive anti-virus update cycle: signatures applied as released rather than at a fixed time of day
• More frequent full scans: 3x daily rather than 2x weekly
• Higher sensitivity settings on scans
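Two of the bullets above, the wider use of logs for correlation and the outbound "white listing" of servers, come together in one detection: read the firewall's outbound log, flag any internal host that talked to the drop server from the finding, and flag any managed server whose allowed egress went somewhere outside its allowlist. The following is an added example written for this page, not BIDMC's or SecureWorks' tooling; the log format, the device inventory and the allowlist are constructed for illustration, and the only value taken from the slide is the drop server address.

```python
"""Correlate outbound-connection logs with a known drop server and with
per-server egress allowlists."""
import ipaddress
from collections import defaultdict

DROP_SERVER = "200.63.44.172"            # drop server from the finding on the slide

# Constructed inventory. Servers carry an egress allowlist of (CIDR, port) pairs;
# anything else they reach on the Internet is a violation worth an alert.
MANAGED_SERVERS = {
    "10.1.5.20": [("198.51.100.0/24", 443)],                           # assumed update mirror
    "10.1.5.21": [("198.51.100.0/24", 443), ("203.0.113.10/32", 25)],  # plus an assumed mail relay
}
MANAGED_WORKSTATIONS = {"10.2.7.14"}     # IT-managed endpoints without an egress allowlist

# Constructed firewall log: epoch  src_ip  dst_ip  dst_port  action
LOG_LINES = """\
1313543100 10.2.7.14 198.51.100.7 443 ALLOW
1313543120 10.2.7.14 200.63.44.172 443 ALLOW
1313543130 10.1.5.20 198.51.100.9 443 ALLOW
1313543140 10.1.5.20 192.0.2.55 80 ALLOW
1313543150 10.1.5.21 203.0.113.10 25 ALLOW
1313543160 10.9.3.77 200.63.44.172 8080 ALLOW
1313543170 10.1.5.21 198.51.100.9 443 DENY
"""


def parse_line(line):
    """One whitespace-separated log entry into a dict."""
    ts, src, dst, port, action = line.split()
    return {"ts": int(ts), "src": src, "dst": dst, "port": int(port), "action": action}


def egress_allowed(src, dst, port):
    """True only if src is a managed server and (dst, port) is inside its allowlist."""
    addr = ipaddress.ip_address(dst)
    return any(addr in ipaddress.ip_network(cidr) and port == allowed_port
               for cidr, allowed_port in MANAGED_SERVERS.get(src, []))


def classify(host):
    """Managed or not: the slide notes the unmanaged devices are the most often infected."""
    if host in MANAGED_SERVERS:
        return "managed-server"
    if host in MANAGED_WORKSTATIONS:
        return "managed-workstation"
    return "unmanaged"


def correlate(lines):
    """Return alerts keyed by internal host. A DENY to the drop server is kept,
    since it still shows an infected host trying to call home; a DENY elsewhere
    is the firewall doing its job and is not reported."""
    alerts = defaultdict(list)
    for raw in lines.strip().splitlines():
        e = parse_line(raw)
        if e["dst"] == DROP_SERVER:
            alerts[e["src"]].append(f"contacted drop server {DROP_SERVER}:{e['port']} ({e['action']})")
        elif (e["src"] in MANAGED_SERVERS and e["action"] == "ALLOW"
              and not egress_allowed(e["src"], e["dst"], e["port"])):
            alerts[e["src"]].append(f"egress outside allowlist to {e['dst']}:{e['port']}")
    return {host: {"class": classify(host), "events": events} for host, events in alerts.items()}


if __name__ == "__main__":
    for host, info in sorted(correlate(LOG_LINES).items()):
        print(host, info["class"], "; ".join(info["events"]))
```

On the constructed log this raises three alerts: a managed workstation and an unmanaged device that both reached the drop server, and a server that was allowed out to a destination not on its allowlist, which is exactly the gap that the outbound lockdown is meant to close.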
Mitigation
Prevention
• Increase Internet content filtering restrictions
• Reduce/eliminate local administrative rights on workstations and laptops
• Introduce McAfee SiteAdvisor to alert users to web site reputation
• Stepped-up use of intrusion prevention (IPS) blocks on web activity
• More aggressive updates of Java, Adobe and other high-risk apps
• Two-factor authentication for remote users
• Isolate FDA-regulated devices
Mitigation
Metrics and Controls
• Baseline "risk" level of each subnet
• Past incidence of malware
• Extent of local administrative rights
• Content filtering rules
• Average Nexpose score
• Incidence of devices with out-of-date antivirus files
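The five metrics listed under the subnet baseline only become a control once they are pulled from the device inventory, normalised onto one scale and combined, so that subnets can be ranked and re-measured after each tuning pass. The following is an added example written for this page, not BIDMC's scoring model; the device records, subnets, content-filter levels and the weights are constructed or assumed for illustration, and a real deployment would calibrate the weights against the past-incidence data rather than take these.

```python
"""Baseline a per-subnet risk score from device-level metrics."""
import ipaddress

# Assumed weights; each metric is normalised to 0..1 before weighting, so the score is 0..1.
WEIGHTS = {"malware_rate": 0.30, "local_admin_rate": 0.20, "filter_gap": 0.15,
           "nexpose": 0.20, "stale_av_rate": 0.15}
NEXPOSE_MAX = 10.0     # assumed scale for the average Nexpose (CVSS-style) score

# Constructed: subnets and how restrictive each one's content filtering is (1 = most restrictive).
FILTER_LEVEL = {"10.1.5.0/24": 0.9, "10.2.7.0/24": 0.6, "10.9.3.0/24": 0.2}

# Constructed device records: (ip, malware incidents in last 90 days, local admin rights?,
#                              average Nexpose score, antivirus signatures current?)
DEVICES = [
    ("10.1.5.20", 0, False, 2.1, True),
    ("10.1.5.21", 0, False, 3.4, True),
    ("10.2.7.14", 1, True, 4.0, True),
    ("10.2.7.15", 0, True, 5.5, False),
    ("10.9.3.77", 2, True, 7.8, False),
    ("10.9.3.78", 1, True, 6.2, False),
    ("10.9.3.79", 0, True, 8.1, True),
]


def subnet_of(ip, subnets):
    """Return the CIDR from `subnets` that contains ip, or None if it is outside all of them."""
    addr = ipaddress.ip_address(ip)
    for cidr in subnets:
        if addr in ipaddress.ip_network(cidr):
            return cidr
    return None


def baseline(devices, filter_level, weights=WEIGHTS):
    """Aggregate device metrics per subnet; returns {subnet: {metric..., 'devices', 'score'}}."""
    groups = {cidr: [] for cidr in filter_level}
    for dev in devices:
        cidr = subnet_of(dev[0], groups)
        if cidr is not None:
            groups[cidr].append(dev)
    result = {}
    for cidr, devs in groups.items():
        n = len(devs)
        if n == 0:
            continue
        metrics = {
            "malware_rate": min(sum(d[1] for d in devs) / n, 1.0),      # incidents per device, capped at 1
            "local_admin_rate": sum(d[2] for d in devs) / n,            # share of devices with local admin
            "filter_gap": 1.0 - filter_level[cidr],                      # lax filtering raises risk
            "nexpose": min(sum(d[3] for d in devs) / n / NEXPOSE_MAX, 1.0),
            "stale_av_rate": sum(not d[4] for d in devs) / n,           # share with out-of-date AV
        }
        metrics["devices"] = n
        metrics["score"] = round(sum(weights[k] * metrics[k] for k in weights), 3)
        result[cidr] = metrics
    return result


def ranked(scores):
    """Subnets from riskiest to least risky."""
    return sorted(scores, key=lambda cidr: scores[cidr]["score"], reverse=True)


if __name__ == "__main__":
    scores = baseline(DEVICES, FILTER_LEVEL)
    for cidr in ranked(scores):
        print(cidr, scores[cidr]["score"], scores[cidr])
```

Because every input is normalised, the same function re-run after a control change (say, removing local admin on 10.9.3.0/24) shows the movement in that subnet's score directly, which is the "determine impact of controls, tune as needed" loop the pilot describes.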
Data Loss Prevention Pilot
• Determine impact of controls
• Tune as needed
• Apply across the enterprise only after Ops review of data and additional policymaking
• Observe and adjust on a continuing basis
My Breaches in 2012
• The Stolen Laptop
• The Infected Radiology Workstation
A 20 Step Program (the SANS 20 Critical Security Controls)
1. Inventory of Authorized and Unauthorized Devices
2. Inventory of Authorized and Unauthorized Software
3. Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
4. Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
5. Boundary Defense
6. Maintenance, Monitoring, and Analysis of Security Audit Logs
7. Application Software Security
8. Controlled Use of Administrative Privileges
9. Controlled Access Based on Need to Know
10. Continuous Vulnerability Assessment and Remediation
11. Account Monitoring and Control
12. Malware Defenses
13. Limitation and Control of Network Ports, Protocols, and Services
14. Wireless Device Control
15. Data Loss Prevention
16. Secure Network Engineering
17. Penetration Tests
18. Incident Response Capability
19. Data Recovery Capability
20. Security Skills Assessment and Appropriate Training to Fill Gaps
Creating a Secure Regional HIE
HIE Services
"Lookup" services
• Provider directory: repository of physician names, entities, affiliations, and security credentials
• Certificate repository: repository of security certificates for authorized users of HIE services
"Message-handling" services
• DIRECT gateway: adaptor that transforms messages from one standard to another without decrypting the message
• Web portal mailbox: secure, encrypted mailbox for users without a standards-compliant EHR
3 ways to connect to MA HIway
[Diagram: user types on the left, the three access methods in the middle, HIE services on the right]
User types: physician practice; hospital; long-term care; other providers; public health; health plans; labs and imaging centers
3 methods of accessing HIE services: EHR connects directly; EHR connects through LAND; browser access to webmail inbox
HIE services: provider directory; certificate repository; DIRECT gateway; web portal mailbox
Golden Spike Transactions
MA HIway production exchanges transacted on October 16, 2012

Use Case | From | To | Content
Eastern Hospital to Western Hospital | Massachusetts General Hospital | Baystate Medical Center | Governor Patrick medical record (CCD)
ACO to ACO | Beth Israel Deaconess Medical Center | Massachusetts General Hospital | Patient summary record (CCD)
Hospital to Practice | Children's Hospital | Atrius Health | Patient summary record (CCD)
Suburban Hospital to Academic Medical Center (bidirectional) | MetroWest (Vanguard) | Tufts Medical Center | Patient summary record (CCD)
ACO to Quality Data Warehouse | Beth Israel Deaconess Physician Organization | Massachusetts eHealth Collaborative | Encounter summary (CCD)
Hospital to Referring PCP | Beth Israel Deaconess Medical Center | Dr. Ayobami Ojutalayo (Lawrence) | Patient summary record (CCD)
ACO to Health Plan | Beth Israel Deaconess Medical Center | Network Health Plan | Patient summary record (CCD)

Participating vendors: Orion Health, Meditech, Cerner, eClinicalWorks, LMR (Partners), webOMR (BID), Epic, Siemens
Phase 1 infrastructure
• Release 1 (October 16, 2012)
  – Direct Gateway with 4 integration options: SMTP with S/MIME, XDR/SOAP, LAND appliance
  – Provider directory v1
  – AIMS/Public key infrastructure v1
• Release 2 (December 17, 2012)
  – Participant enrollment portal (November 2012)
  – Webmail (November 2012)
  – HL7 Gateway (syndromic surveillance, ELR, CBHI)
  – IMPACT (SEE, web-based CDA editor for long-term care facilities)
  – Provider directory v2
  – AIMS/Public key infrastructure v2
• Vendor-hosted cloud supports both HIE and HIX/IES
  – Orion Health prime contractor
  – Unlimited license for Oracle software for all 3 phases of HIE and HIX/IES
  – Enterprise license for Orion Rhapsody Integration Engine
  – Leveraging existing IBM Initiate licenses
Updated plan
[Two timeline figures: original high-level plan from 12/11/2011, and updated plan as of 10/23/2012]
Questions?
• http://geekdoctor.blogspot.com