Healthcare Security Posture at Centura Health in Southern California


Centura Health in Southern California has a robust healthcare security posture overseen by Scott Raymond, encompassing five hospitals, 350 employed physicians, 400 specialists, and various affiliated centers. The approach covers best practices, breach prevention, threats, NIST, HIPAA compliance, and quick wins. It also focuses on identifying assets, risk assessment, access control, training, data security, incident response, and recovery planning. The detailed environment assessment includes data security monitoring, mobile device protection, governance tools, vulnerability management, endpoint protection, and disaster recovery measures.


Uploaded on Oct 04, 2024



Presentation Transcript


  1. HEALTHCARE SECURITY POSTURE
  Scott Raymond, MHA/INF, BSN, RN
  ACIO, VP Information Technology, Centura Health

  2. SOUTHERN CALIFORNIA IDN
  - 5 hospitals
  - 350 employed physicians
  - 400 specialists
  - 250 affiliates
  - Free-standing surgery centers
  - Free-standing radiology centers
  - Free-standing dialysis centers

  3. THINGS TO COVER
  - Best practice security posture
  - Breaches
  - Threats
  - NIST
  - HIPAA
  - Quick wins
  - Q&A

  4. BEST PRACTICE SECURITY POSTURE
  Identify
  - Asset Management
  - Business Environment
  - Governance
  - Risk Assessment
  - Risk Management
  Protect
  - Access Control
  - Awareness & Training
  - Data Security
  - Information Protection Processes & Procedures
  - Maintenance
  - Protective Technology
  Detect
  - Anomalies & Events
  - Security Continuous Monitoring
  - Detection Processes
  Respond
  - Response Planning
  - Communication
  - Analysis (RCA)
  - Mitigation
  - Improvements (post mortem)
  Recover
  - Recovery Planning
  - Improvements
  - Communication

  5. ENVIRONMENT ASSESSMENT
  Data Security Monitoring and Control
  - Unstructured: high-level visibility/control of cloud file-sharing services via OpenDNS. iScan for sensitive-data discovery. Currently minimal on-prem control or DLP capability. No policies limiting access to data or mandating periodic audits.
  - Structured: stored procedures used instead of accounts/credentials, control of service accounts, use of non-standard ports, SQL authentication. No security monitoring today (performance only).
  Total Security Monitoring (log correlation, event alerting)
  - LogRhythm for log management/aggregation, currently deployed on Domain Controllers only. Not currently used for correlation or proactive monitoring across security devices. No 24/7 network or security monitoring capability.
  Mobile Data Protection
  - None today. Own and committed to deploying Trend Encryption on laptops. No removable-device encryption today; plan to provide encrypted USB drives to staff. Whitelisting of major cloud file-sharing solutions on-prem via OpenDNS.
  Governance, Regulatory, and Compliance Tracking Tools (GRC)
  - Excel.
  Security Awareness
  - SANS Securing the Human. Outlook "report suspicious email" button. Not performing phishing testing.
  Vulnerability/Patch Management
  - Nessus Enterprise for vulnerability management (scanning all internal and external IP space). Altiris for patching. Better patching of third-party apps on endpoints than on servers. 10-15 Windows Server 2003 systems remaining. Not currently patching the Linux environment (~5% of servers).
  Next-Gen Endpoint Malware Protection and Incident Response
  - No capability currently deployed. Could potentially tie to the network platform (Cisco AMP) or possibly the SIEM (LogRhythm Pro agents).
  Mobile Device Management
  - Windows laptops: GPO + Trend. ~350 issued phones; a handful BYOD. No MDM solution today. Hourly employees able to check email outside business hours.
  Employee Remote Access (VPN)
  - Termination to be implemented on ASA X firewalls with Cisco AnyConnect. Split-tunnel VPN clients today; intent is to fully encapsulate. TLS 1.1.2 currently, will upgrade with the firewall. No MFA or endpoint certificates, but exploring in 2017.
  Disaster Recovery Protection
  - Tape backup of the AS400 shipped to SunGard. Backing up server VMs and some network shares with Data Domain (replicated backups). Recent successful test of AS400 partitions. Very long RPO/RTO that the business needs to accept.
  Advanced Persistent Threat Monitoring/Detection/Blocking (APT)
  Security Policy
  - Published Acceptable Use policy. Developed a set of policies to be rolled out incrementally over time (not deployed yet).
  Identity and Access Management (employees, remote users, vendors/visitors)
  - Different for the AS400 and Windows environments. Minimal password complexity/length standards in place.
  - AS400: 3 different LPARs, each with its own PROD/DEV, easily confused.
  - Windows: session timeouts enforced for access via RDP and on workstations. Some servers and web applications have long or non-expiring session timeouts. Public web apps that don't enforce lockouts. No MFA. Looking at the Microsoft PAW model for implementing privileged access. Some individual accounts configured as service accounts. Native AD integration for IIS-hosted apps. No role-based access control for structured or unstructured data. Minimal use of the principle of least privilege.
  - Users are local Administrators. Working on removing IT admin privileges first, then moving to other users.
  WAN Architecture
  - Internal MPLS WAN to all sites with centralized internet control at the office; transitioning the termination point to the DC. Backup is internet-based VPN. Currently using internet-routable IPs on the internal network.
  Cloud Security
  - Some visibility/control of cloud services in use via OpenDNS. Minimal DLP capability or granular visibility. Not all cloud applications are tied to ADFS or use multifactor authentication.
  System/Software Development Lifecycle Controls (change, test, QA)
  - AS400: 3 different LPARs, each with its own PROD/DEV, easily confused.
  - Windows: internally developed .NET apps running on IIS, exposed externally through the firewall (443). See also Identity and Access Management above. No code security scanning. Working on standardizing development teams/environments. Initiative starting to transfer control of web server infrastructure away from developers.
  Perimeter and DMZ Network Monitoring and Protection
  - Perimeter controls/monitoring currently in transition. Plan to put an ASA X at each site (implementing now). Purchased AMP for the network. MS Forefront (end of life) as WAF. 95% of sites with SSL redirect. OpenDNS is the only egress filtering. Cisco WSAs capable of SSL inspection but not used for it.
  Internal Segmentation, Monitoring, and Traffic Protection (core data and databases, desktops/laptops, DMZ/portal/websites)
  - Minimal internal segmentation/filtering/control applied. Endpoints on the network can reach any server/database; no proxy. No access control in place today for the wired network other than physical controls.
  Wireless Control (network edge)
  - Cisco APs/controllers. Guest segmented onto a separate internet connection. WPA2 AES. MS RADIUS for wireless APs. Credentials used for wireless access (no MFA or NAC capability deployed).
  Client Web Traffic Protection
  - ASA X firewalls currently being deployed. Cisco WSAs. OpenDNS.
  Traditional Endpoint Malware Protection
  - Trend Micro.
  Email Protection (external email cleaning/scanning)
  - Mimecast for spam filtering.
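The internal segmentation finding above ("endpoints on the network can reach any server/db, no proxy") is easiest to reason about with a rule evaluator. The following is an added example, not code from the presentation or from Centura: a first-match ACL evaluator that reproduces the flat-network state and then shows what a minimal segmentation policy changes. The subnets, host addresses, ports and rules are constructed for illustration and are not the site's real addressing.

```python
"""Added example, not from the presentation: a first-match ACL evaluator that
reproduces the flat-network finding ('endpoints on the network can reach any
server/db') and shows what an internal segmentation policy changes.
Subnets, hosts and rules below are constructed for illustration."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str           # "permit" or "deny"
    src: str              # source CIDR
    dst: str              # destination CIDR
    dport: Optional[int]  # TCP destination port, None = any


def allowed(rules, src_ip, dst_ip, dport):
    """First matching rule decides; no match means implicit deny."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for rule in rules:
        if (src in ipaddress.ip_network(rule.src)
                and dst in ipaddress.ip_network(rule.dst)
                and rule.dport in (None, dport)):
            return rule.action == "permit"
    return False


# Constructed address plan (assumption; not the site's real addressing)
WORKSTATIONS = "10.10.0.0/16"
APP_SERVERS = "10.20.0.0/24"
DB_SERVERS = "10.30.0.0/24"
JUMP_HOSTS = "10.40.0.0/28"

# The assessed state: no internal filtering at all
FLAT_NETWORK = [Rule("permit", "0.0.0.0/0", "0.0.0.0/0", None)]

# A minimal segmentation policy: databases reachable only from the app tier
# and jump hosts; workstations reach apps over HTTPS and admins go through
# the jump host. Order matters because the first match wins.
SEGMENTED = [
    Rule("permit", JUMP_HOSTS, DB_SERVERS, 1433),
    Rule("permit", APP_SERVERS, DB_SERVERS, 1433),
    Rule("permit", WORKSTATIONS, APP_SERVERS, 443),
    Rule("permit", WORKSTATIONS, JUMP_HOSTS, 3389),
    Rule("deny", "0.0.0.0/0", DB_SERVERS, None),
    Rule("deny", WORKSTATIONS, APP_SERVERS, None),
]

# Representative flows to evaluate (constructed)
FLOWS = {
    "workstation->db:1433": ("10.10.5.23", "10.30.0.10", 1433),
    "workstation->app:443": ("10.10.5.23", "10.20.0.5", 443),
    "workstation->app:3389": ("10.10.5.23", "10.20.0.5", 3389),
    "app->db:1433": ("10.20.0.5", "10.30.0.10", 1433),
    "jump->db:1433": ("10.40.0.2", "10.30.0.10", 1433),
    "workstation->jump:3389": ("10.10.5.23", "10.40.0.2", 3389),
}


def segmentation_report(rules):
    """Map each representative flow to whether the rule set permits it."""
    return {name: allowed(rules, *flow) for name, flow in FLOWS.items()}


def exposed_db_flows(rules):
    """Workstation-to-database flows the rule set permits (should be none)."""
    return sorted(name for name, ok in segmentation_report(rules).items()
                  if ok and name.startswith("workstation->db"))


if __name__ == "__main__":
    for label, rules in (("flat (assessed)", FLAT_NETWORK), ("segmented", SEGMENTED)):
        print(label)
        for flow, ok in segmentation_report(rules).items():
            print(f"  {flow:24} {'PERMIT' if ok else 'DENY'}")
```

Running it prints every flow as PERMIT under the flat rule set and only the four intended flows under the segmented one; the two explicit deny rules at the end are what turn "can reach any server/db" into a default-deny for the database tier, and an evaluator like this is a cheap way to check a proposed rule set before it goes on the firewalls.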

  6. OUR CURRENT POSTURE
  - Firewall
  - Endpoint security
  - Microsoft identity management
  - Data loss prevention / email encryption
  - SIEM
  - MDM
  - 2FA
  - AD password management
  - Web filtering
  - Remote access / remote support

  7. CURRENT POSTURE
  Columns on the original slide: security tool, security function, how used (primary/secondary/support), product utilization, notes.
  Fortinet
  - FortiGate: enterprise firewall (24x7, high); web filtering of malicious and inappropriate sites (24x7, high); malware blocking and detection (24x7, high); intrusion prevention for incoming traffic (24x7, high); DDoS prevention and detection (24x7, high); data loss prevention via SSL inspection and ICAP (24x7, high); geographic region blocking (24x7, high); client VPN (24x7, high); business-to-business VPN (24x7, medium; MCMF is using site-to-site VPN).
  - FortiAnalyzer: reporting and troubleshooting (as needed, high).
  - FortiAuthenticator: single sign-on for web access profiles (24/7, high).
  - FortiManager: configuration backup/sync (24/7, low).
  - FortiClient: endpoint protection (IT only, low); VPN client (24/7, low; replacing Cisco IPsec).
  Intel Security
  - McAfee AntiVirus: endpoint malware protection (24/7, high).
  - McAfee Data Loss Prevention: USB blocking (24/7, high; can be replaced with a GPO and managed in AD).
  - McAfee Endpoint Encryption: USB and file encryption (24/7, high; can be replaced with BitLocker).
  - Endpoint: Carbon Black Protect: application whitelisting (24/7, medium; used on 2003 servers and administrative jump servers).
  Microsoft
  - Active Directory: identity management (24/7, high); single sign-on (24/7, high); Group Policy (24/7, high).
  - System Center Configuration Manager: configuration management (business hours, medium); security patching (monthly, medium; workstations only); application deployment (as needed, low; workstations only).
  - BitLocker: OS encryption (24/7, high; workstations only).
  - BitLocker To Go: USB encryption (unused).
  ProofPoint
  - Email encryption (24/7, high); spam and malware filtering (24/7, high); attachment security (24/7, high; cloud sandbox for attachments); URL Defense (24/7, high; URL rewrite for blocking malicious links).
  Digital Guardian
  - Code Green: data loss prevention, ICAP web detection, email encryption (24/7, high).
  IBM
  - QRadar: security information and event management, QFlow network security, user anomaly detection (24/7, high).
  - QRadar Vulnerability Manager: vulnerability scanning and baseline assessments (weekly, low).
  AirWatch
  - Mobile device management, remote wipe of lost or stolen devices, mobile application deployment (24/7, medium).
  Duo Security
  - Duo Authentication Gateway: remote access security, administrative consoles, Remote Desktop Protocol, AD Federation Services (cloud service).
  Quest
  - ActiveRoles: identity management (24/7, high).
  - Enterprise Reporter for AD: user, device and policy reporting (24/7, low).
  - Password Manager: self-service password management (24/7, low).
  F5
  - Application Security Manager: web application firewall (24/7, high).
  - Access Policy Manager: remote application delivery (24/7, high).
  Center for Internet Security
  - CIS Benchmarks: security benchmarks (as needed, low; not used beyond network equipment, which is all we have been able to deploy them for).

  8. THINGS TO WORK ON
  - Security best practice standards
  - Security & incident response playbook (think pilot check playbook)
  - Elevated credentials: 2FA for DBAs
  - Log aggregator
  - Tap badging for clinicians (2FA on the inside)
  - BioMed management & surveillance
  - Eliminating generic machines and desktops
  - Published desktop (CHD)
  - VDI strategy and deployment

  9. BREACHES An intentional or unintentional release of secure or private/confidential information to an untrusted environment

  10. 2016 WAS THE YEAR OF THE BREACH
  - Democratic National Committee
  - U.S. Department of Justice
  - Internal Revenue Service
  - Yahoo
  - LinkedIn
  - Oracle
  - Cisco
  - Target
  - Wendy's
  - Snapchat
  - And many more

  11. HEALTHCARE BREACHES
  - Premier Healthcare: 200,000 patient records
  - 21st Century Oncology: 2.2 million patient records
  - MedStar Health: ransomware
  - Newkirk Products: 3.3 million customer health insurance plans
  According to HIPAA Journal there were 329 healthcare breaches in 2016 exposing 16.5 million records!

  12. BREACH THREATS
  External threats
  - Malware
  - Spyware
  - Ransomware
  - Vandalism
  - Business disruption
  - No vendor backup or contingency
  Internal threats
  - Bad actors
  - Negligence / accidental
  - Inappropriate access
  - Lack of controls
  - Lack of security
  - No backup or contingency

  13. NIST
  Achieving adequate information security for organizations, mission/business processes, and information systems is a multifaceted undertaking that requires:
  - Clearly articulated security requirements and security specifications;
  - Well-designed and well-built information technology products based on state-of-the-practice hardware, firmware, and software development processes;
  - Sound systems/security engineering principles and practices to effectively integrate information technology products into organizational information systems;
  - Sound security practices that are well documented and seamlessly integrated into the training requirements and daily routines of organizational personnel with security responsibilities;
  - Continuous monitoring of organizations and information systems to determine the ongoing effectiveness of deployed security controls, changes in information systems and environments of operation, and compliance with legislation, directives, policies, and standards; and
  - Information security planning and system development life cycle management.

  14. HIPAA
  Technical Safeguards
  - Access Control
  - Audit Controls
  - Integrity (P&Ps)
  - Person or Entity Authentication
  - Transmission Security (encryption)
  Organizational Requirements
  - BAAs & Other Arrangements
  - Requirements for Group Health Plans: implement safeguards, ensure adequate separation, ensure agent safeguards, report security incidents
  Policy & Procedures
  Administrative Safeguards
  - Access Controls
  - Security Awareness Training
  - Security Incident Procedures
  - Evaluation
  - Business Associate Contracts
  Physical Safeguards
  - Facility Access Controls
  - Workstation Use & Security
  - Device & Media Controls: disposal, media reuse

  15. NIST & HIPAA CROSSWALK
  - Access Control
  - Awareness & Training
  - Audit & Accountability
  - Security Assessment & Authorization
  - Configuration Management
  - Contingency Planning / Business Continuity
  - Identification & Authentication
  - Incident Response
  - Maintenance
  - Media Protection
  - Physical & Environmental Protection
  - Planning
  - Personnel Security
  - Risk Assessment
  - System & Services Acquisition
  - System & Communications Protection
  - System & Information Integrity
  - Program Management

  16. QUICK WINS
  - Secure the DMZ: firewall
  - 2FA for all remote access
  - No webmail
  - Network segmentation
  - Patch management: N+30, automation
  - End-user education: phishing campaigns, Outlook reporting button
  - SOC: 24/7/365 monitoring, managed services, consulting / staff augmentation
  - Yearly security audits: pen testing, red team / blue team
  - Vendor audits: Security Scorecard, contracts
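"Patch Management N+30" only becomes a quick win once it is measured: every applicable patch installed within 30 days of the vendor release, reported per host and as a rate. The following is an added example, not code from the presentation or from Centura, that classifies each patch against that deadline over a constructed inventory. The host names, patch identifiers and dates are made up; the end-of-life list and the Linux host without patch data mirror the Windows Server 2003 and "not patching Linux" findings in the environment assessment.

```python
"""Added example, not from the presentation: measuring an 'N+30' patch SLA
(every applicable patch installed within 30 days of vendor release) over a
constructed inventory. Host names, patch IDs and dates are made up; the
end-of-life list mirrors the Windows Server 2003 finding in the assessment."""
from datetime import date, timedelta
from typing import Dict, Optional, Tuple

SLA_DAYS = 30
EOL_OS = {"Windows Server 2003"}  # constructed list, per the assessment

# host -> (os, {patch_id: (vendor_release_date, install_date or None)})
Inventory = Dict[str, Tuple[str, Dict[str, Tuple[date, Optional[date]]]]]

INVENTORY: Inventory = {
    "fs01": ("Windows Server 2016", {
        "KB-A": (date(2017, 3, 14), date(2017, 3, 20)),
        "KB-B": (date(2017, 4, 11), date(2017, 5, 30)),
    }),
    "app03": ("Windows Server 2003", {
        "KB-A": (date(2017, 3, 14), None),
    }),
    "lx07": ("RHEL 6", {}),  # no patch data: the 'not patching Linux' case
}


def patch_status(released, installed, as_of, sla_days=SLA_DAYS):
    """Classify one patch against its SLA deadline (release + sla_days):
    compliant - installed on or before the deadline
    late      - installed, but after the deadline
    pending   - not installed, deadline not yet reached
    overdue   - not installed, deadline passed"""
    deadline = released + timedelta(days=sla_days)
    if installed is not None:
        return "compliant" if installed <= deadline else "late"
    return "pending" if as_of <= deadline else "overdue"


def host_report(inventory, host, as_of, sla_days=SLA_DAYS):
    """Per-host findings plus the status of every tracked patch."""
    os_name, patches = inventory[host]
    findings = []
    if os_name in EOL_OS:
        findings.append(f"end-of-life OS: {os_name}")
    if not patches:
        findings.append("no patch data: host is not under patch management")
    status = {pid: patch_status(rel, inst, as_of, sla_days)
              for pid, (rel, inst) in patches.items()}
    return {"host": host, "os": os_name, "findings": findings, "patches": status}


def sla_compliance(inventory, as_of, sla_days=SLA_DAYS):
    """(compliant, total) over (host, patch) pairs whose deadline has passed;
    patches still inside their window are excluded so they cannot inflate
    the rate either way."""
    compliant = total = 0
    for host in inventory:
        for state in host_report(inventory, host, as_of, sla_days)["patches"].values():
            if state == "pending":
                continue
            total += 1
            compliant += state == "compliant"
    return compliant, total


if __name__ == "__main__":
    today = date(2017, 6, 1)  # constructed reporting date
    for host in INVENTORY:
        print(host_report(INVENTORY, host, today))
    met, seen = sla_compliance(INVENTORY, today)
    print(f"N+{SLA_DAYS} compliance: {met}/{seen}")
```

The separation of "late" from "overdue" is deliberate: a late install still needs no action, while an overdue one is open exposure, and a host with no patch data at all is a finding in its own right rather than a silent 100%. Feeding this from the patching tool's export (Altiris or SCCM in the assessment) rather than a hand-built dictionary is the only change needed to use it for real.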

  17. Questions ?

  18. BEST PRACTICE SECURITY POSTURE TAKEAWAYS
  - Secure the DMZ: firewall
  - 2FA for all remote access
  - No webmail
  - Network segmentation
  - Patch management: N+30, automation
  Scott Raymond, scottraymond@centura.com
