I was fortunate enough to attend the HITRUST 2016 conference and enjoyed the opportunity to join a number of sessions. I also had the pleasure of meeting with some of the presenters, speakers, panelists and attendees. Captured here are some of the main highlights from everything I saw and heard during my time at the conference.
Setting the HITRUST Baseline
While a majority of the attendees were extremely familiar with the HITRUST Alliance, many might not completely understand the role HITRUST plays in the world of information security. Here are a few of the key points I learned:
- HITRUST is very healthcare-focused, taking into consideration patient health—first and foremost.
- While HITRUST started with the common security framework (CSF), it has evolved to incorporate much more, including the Cyber Threat Exchange (CTX) and CyberRx exercises.
- HITRUST has also formed several key partnerships:
- Cloud Security Alliance (CSA)—to promote the secure use of cloud technologies in healthcare.
- NIST—to help author section 405.
- FDA—for increased thought leadership in the biomedical space.
HITRUST is truly innovative, cutting-edge, and leading the industry—not just with questions but also with examples. The organization also continues to evolve beyond its roots in security and privacy to look at all areas of risk, such as disaster recovery.
I also picked up some great tips to prepare for the inevitability of ransomware knocking on healthcare’s door. Awareness training is the single most important tool a company can implement since ransomware oftentimes occurs through phishing. There’s no replacement for an educated and aware community.
Sure, basic blocking and tackling are necessary, but there should also be complementary safeguards such as warnings displayed directly to users as they prepare to respond to a risky email. This could be a pop-up dialog that reads something like, “Don’t Deliver this Email”.
Attestation that users have received training also needs to occur more than once per year: organizations must employ on-demand, targeted awareness training on an as-needed basis for system admins, end users, executives and others who log in to the system. If and when end users fail, it’s important to have a plan for that as well.
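The "warning displayed to the user" idea above can be implemented at the mail gateway rather than only in the client. The following is an added example, not code from the article or from any HITRUST material: it parses a raw message with Python's standard `email` package, applies a few defensive heuristics (external sender, Reply-To pointing elsewhere, a display name that impersonates another mailbox, urgency wording, risky attachment types), tags the message with an `X-Phish-Risk` header and prepends a banner to the text body. The internal domain `hospital.example`, the keyword list and both sample messages are constructed assumptions.

```python
"""Flag risky inbound mail and prepend a warning banner for the reader.

Added example (not from the article or HITRUST): the internal domain, the
keyword list and the sample messages are assumptions / constructed data.
"""
import email
import re
from email import policy
from email.utils import parseaddr

INTERNAL_DOMAINS = {"hospital.example"}            # assumed: the organisation's own domains
RISKY_EXTENSIONS = (".zip", ".js", ".exe", ".hta", ".docm", ".xlsm", ".scr")
URGENCY = re.compile(r"\b(urgent|immediately|invoice|password|wire transfer|overdue)\b", re.I)
BANNER = ("[EXTERNAL] This message came from outside the organization.\n"
          "Do not open attachments or follow links unless you expected them.")


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def risk_flags(msg) -> list:
    """Return the list of heuristics that fired for a parsed EmailMessage."""
    flags = []
    name, sender = parseaddr(str(msg.get("From", "")))
    sender_domain = _domain(sender)
    if sender_domain not in INTERNAL_DOMAINS:
        flags.append("external-sender")
    _, reply_to = parseaddr(str(msg.get("Reply-To", "")))
    if reply_to and _domain(reply_to) != sender_domain:
        flags.append("reply-to-mismatch")          # replies go somewhere other than the sender
    if "@" in name:
        flags.append("address-in-display-name")    # display name impersonates another mailbox
    if URGENCY.search(str(msg.get("Subject", ""))):
        flags.append("urgency-keywords")
    for part in msg.iter_attachments():
        if (part.get_filename() or "").lower().endswith(RISKY_EXTENSIONS):
            flags.append("risky-attachment")
            break
    return flags


def apply_banner(raw: bytes):
    """Parse a raw RFC 5322 message; if it looks risky, tag it and prepend BANNER."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    flags = risk_flags(msg)
    if flags:
        msg["X-Phish-Risk"] = ",".join(flags)      # lets the mail client or a filter act on it
        body = msg.get_body(preferencelist=("plain",))
        if body is not None:
            text = body.get_content()
            body.clear_content()                   # drop old Content-* headers before re-setting
            body.set_content(BANNER + "\n\n" + text)
    return msg, flags


# Constructed sample messages (not real mail).
SAMPLE_PHISH = b"""\
From: "Dr. Smith <dsmith@hospital.example>" <billing@invoice-portal.test>
Reply-To: collect@other-domain.test
To: nurse@hospital.example
Subject: URGENT: overdue invoice - action required
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Please open the attached invoice immediately.
--b1
Content-Type: application/zip; name="invoice.zip"
Content-Disposition: attachment; filename="invoice.zip"
Content-Transfer-Encoding: base64

UEsFBgAAAAAAAAAAAAAAAAAAAAAAAA==
--b1--
"""

SAMPLE_INTERNAL = b"""\
From: HR <hr@hospital.example>
To: staff@hospital.example
Subject: Cafeteria menu
Content-Type: text/plain

Tacos on Tuesday.
"""

if __name__ == "__main__":
    for raw in (SAMPLE_PHISH, SAMPLE_INTERNAL):
        tagged, hits = apply_banner(raw)
        print(hits or "clean")
        print(tagged.get_body(preferencelist=("plain",)).get_content())
```

The heuristics are deliberately simple and produce a label rather than a verdict; in practice the gateway would quarantine on some combinations and merely banner on others, and the `X-Phish-Risk` header gives the client-side warning (the pop-up the article describes) something to key on.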
Another key factor in battling ransomware is the approach you take to backups and user access:
- Keep Current Backups: Backups help you resist the coercion foisted upon you. Threats don’t have much impact if you can restore your data from a recent backup.
- Air Gap Your Backups: Ransomware sometimes tries to corrupt or encrypt backups in addition to locking down production data. Most systems today don’t have an air gap between their live data and their backed-up data; no one has backup tapes sitting on a shelf like in the old days. However, organizations can still put some hefty logical controls between normal operating systems and their backups: a different set of credentials, 2FA and other logical controls that keep the backups out of ransomware’s way.
- Separate Home from Work: There are a number of instances where people cross-pollinate credentials, using the same login details for their home email as for their work email and other system access. A compromise of the home system means the attacker can re-use those credentials to access work email and systems.
Responding to a Breach
Following the tips on ransomware, I also came across some forensic tips about what to do and not to do if and when a breach occurs:
- Don’t Poke Around: Consider the cybercrime scene as you would any other crime scene. It should be taped off, with no one let in except the person or people dedicated to collecting the evidence. Allowing yourself and others to browse the system to see what might have happened is the equivalent of letting your smartest detective walk right through the crime scene. Someone could “step on” evidence, change dates and artifacts, or possibly even lay down new data on top of the evidence data on disk and in memory.
- Don’t Unplug the System: Shutting down loses the evidence stored in RAM, and the re-boot process could overwrite other evidence residing on the disk.
- Know Your Recovery Time: Don’t wait to determine if and how long it will take to gain access to your data, especially if it is hosted by a third party. While the evidence is gathered, you should have a proven recovery plan where you know if it will be minutes, hours, days or even weeks to get back up-and-running.
- Anticipate the Need to Re-Build Critical Servers: Sometimes it’s necessary to re-build servers from the ground up to guarantee you are not leaving a back door for intruders. The best way to re-build machines is to begin with fresh hardware and a “golden image” (up-to-date and fully-patched OS and applications). The question is, do you have the machines handy or do you need to order them? Don’t assume you can go to your traditional backup and be OK. That last backup could also be infected and could be used to re-introduce the back door all over again.
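The "don’t poke around" and "someone could change dates and artifacts" points above are usually enforced with a baseline taken before anyone touches the machine. The following is an added example, not code from the article: it records a SHA-256, size, mode and timestamps for every regular file under an evidence directory (reading only, never writing), then shows how a later verification exposes exactly the kinds of contamination the article warns about, namely content appended to a log, a timestamp reset without any content change, and a new file left behind. The evidence directory and its files are constructed in `demo()`; in real use `build_manifest` would be pointed at a mounted copy of the evidence and the manifest stored off-host.

```python
"""Snapshot file hashes and timestamps before anyone "looks around" a
suspected-compromised host, then detect what was stepped on afterwards.

Added example (not from the article): the evidence directory and its files
are constructed in demo().
"""
import hashlib
import json
import os
import stat
import tempfile
from pathlib import Path


def _sha256(path: Path, chunk: int = 1 << 20) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:                   # read-only; never open for write
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root) -> dict:
    """Record hash, size, mode and timestamps of every regular file under root."""
    root = Path(root)
    entries = {}
    for p in sorted(root.rglob("*")):
        st = p.lstat()                            # lstat: do not follow symlinks
        if not stat.S_ISREG(st.st_mode):
            continue
        entries[str(p.relative_to(root))] = {
            "sha256": _sha256(p),
            "size": st.st_size,
            "mode": oct(st.st_mode),
            "mtime_ns": st.st_mtime_ns,
            "ctime_ns": st.st_ctime_ns,
            # atime deliberately not recorded: merely hashing the file may update it
        }
    digest = hashlib.sha256(json.dumps(entries, sort_keys=True).encode()).hexdigest()
    return {"root": str(root), "entries": entries, "manifest_sha256": digest}


def verify_manifest(manifest: dict) -> list:
    """Return (relative_path, reason) pairs for anything that no longer matches."""
    root = Path(manifest["root"])
    findings = []
    for rel, rec in manifest["entries"].items():
        p = root / rel
        if not p.exists():
            findings.append((rel, "missing"))
            continue
        if _sha256(p) != rec["sha256"]:
            findings.append((rel, "content-changed"))
        elif p.lstat().st_mtime_ns != rec["mtime_ns"]:
            findings.append((rel, "mtime-changed"))  # same bytes, different timestamp
    for p in sorted(root.rglob("*")):
        rel = str(p.relative_to(root))
        if p.is_file() and rel not in manifest["entries"]:
            findings.append((rel, "new-file"))
    return findings


def demo() -> dict:
    """Constructed scenario: snapshot, then someone 'pokes around', then verify."""
    root = Path(tempfile.mkdtemp(prefix="evidence-"))
    (root / "app.log").write_text("2016-04-01 10:00:01 login ok user=alice\n")
    (root / "notes.txt").write_text("shift handover notes\n")
    manifest = build_manifest(root)
    clean = verify_manifest(manifest)            # nothing has changed yet

    # Someone browsing the box: appends to a log, touches a file, leaves a new one behind.
    with open(root / "app.log", "a") as f:
        f.write("2016-04-01 10:05:00 admin opened log viewer\n")
    os.utime(root / "notes.txt", ns=(0, 0))      # timestamps reset, content untouched
    (root / "scratch.txt").write_text("what happened here?\n")
    return {"clean": clean, "after": verify_manifest(manifest)}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The manifest digest lets the manifest itself be signed or logged elsewhere, so that the baseline cannot be quietly edited along with the evidence; and because the script only opens files for reading, it is safe to run before the dedicated evidence collectors arrive rather than after.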
Taking Healthcare to the Cloud
Other experts I met with shared insights related to leveraging the cloud for improved healthcare. To provide the highest quality of care possible, organizations need to utilize the technologies that make sense from a business perspective. Everyone should look seriously at the cloud as a means to deliver better healthcare, but when you say cloud, security often comes up as the core and sometimes the blocking issue.
Many may not recognize, however, that the healthcare industry is already using a lot of cloud services—roughly $3.5 billion. Without the cloud, shadow IT will take over. Unless provided with an approved option, users will find a way to do their job and share their data outside the physical corporate network.
One of the experts I spoke to suggested that there are four pillars to achieve as a company embraces technology to help deliver better healthcare:
In order to build these pillars using the cloud, here’s a set of recommended best practices:
- Leverage a Cloud Access Security Broker (CASB): This technology sits between end users and the cloud service provider, acting like a cop. It looks at what users are doing, what they are sending and what they are accessing, and then blocks actions that don’t match the defined security policies.
- Leverage Existing Enterprise Security Layers: Take advantage of your proxies as well as your data loss prevention (DLP) and identity and access management (IAM) technologies to help further police your environment.
- Encryption Is Critical: When transporting data from endpoints/servers to the cloud, the transfer needs to be encrypted. When the data lands at rest in the cloud, it needs to be encrypted there as well. Make sure you can hold the keys yourself by taking advantage of services such as those offered by Box.
- Implement a Reverse Proxy: A reverse proxy blocks unauthorized direct access to the cloud service. It takes advantage of the company’s IAM solution: when users attempt to reach the cloud service outside of the traditional proxy, the cloud service sends them back to the company to validate them before letting them in.
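To make the CASB and DLP points above concrete, here is an added example (not code from the article or from any vendor product) of the policy decision such a broker makes for each event it sees: who the user is (IAM group), what they are doing, whether the destination is a sanctioned service, whether the device passed posture checks, and whether the inspected content matches a PHI pattern. The sanctioned-app list, the two PHI patterns, the group names and the sample events are all constructed assumptions.

```python
"""Minimal CASB-style policy check over cloud access events.

Added example (not from the article or any vendor): the sanctioned-app list,
the PHI patterns, the group names and the sample events are constructed.
"""
import re
from dataclasses import dataclass

SANCTIONED_APPS = {"box.com", "ehr.hospital.example"}        # assumed approved services
PHI_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn": re.compile(r"\bMRN[- ]?\d{6,8}\b", re.IGNORECASE),  # constructed MRN format
}
PHI_GROUPS = {"clinical", "him"}          # groups whose job requires handling PHI


@dataclass
class CloudEvent:
    user: str
    group: str            # directory group from IAM
    action: str           # upload | download | share | browse
    app: str              # destination service hostname (from the proxy)
    managed_device: bool  # endpoint passed device posture / certificate check
    content: str = ""     # DLP-inspected payload excerpt (constructed)


def classify(content: str) -> list:
    """Return the PHI labels whose patterns appear in the inspected content."""
    return sorted(name for name, rx in PHI_PATTERNS.items() if rx.search(content))


def decide(ev: CloudEvent) -> tuple:
    """Map one event to (verdict, reason); the first matching rule wins."""
    labels = classify(ev.content)
    if ev.app not in SANCTIONED_APPS:
        if ev.action in ("upload", "share"):
            return "block", "unsanctioned-app"   # data leaving for shadow IT
        return "alert", "shadow-it"              # record it; offer an approved option instead
    if ev.action == "download" and not ev.managed_device:
        return "block", "unmanaged-device"
    if ev.action in ("upload", "share") and labels and ev.group not in PHI_GROUPS:
        return "block", "phi-" + ev.action + "-" + "+".join(labels)
    if ev.action == "share" and labels:
        return "alert", "phi-share"              # permitted role, but worth a second look
    return "allow", "policy-match"


def evaluate(events) -> list:
    """Run the policy over a batch of events; returns (user, verdict, reason) rows."""
    return [(ev.user, *decide(ev)) for ev in events]


# Constructed sample events (not real traffic).
SAMPLE_EVENTS = [
    CloudEvent("nurse1", "clinical", "upload", "ehr.hospital.example", True, "MRN 12345678 lab results"),
    CloudEvent("billing2", "finance", "upload", "box.com", True, "patient SSN 123-45-6789"),
    CloudEvent("intern3", "research", "upload", "paste.example.net", True, "study notes"),
    CloudEvent("doc4", "clinical", "download", "box.com", False),
    CloudEvent("doc4", "clinical", "browse", "personal-drive.example.net", True),
    CloudEvent("doc4", "clinical", "share", "box.com", True, "MRN 87654321 discharge summary"),
]

if __name__ == "__main__":
    for row in evaluate(SAMPLE_EVENTS):
        print(*row)
```

Two design choices matter here: the unsanctioned-app rule fires before anything else, which is what turns "shadow IT" into either a block or at least a visible alert, and the PHI rule keys on the IAM group rather than on the individual user, so the same policy survives staff changes.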
Getting Buy-In from Above
As another key tip, CISOs should realize that everyone in their company is looking up to them as the security leader of the organization. They want to see a good plan that is honest and highlights the risk and the security challenges for those that need to know. They want to help you elevate it so the plan can be executed with support from above. It’s important to understand the gaps, have a good plan, and then tell the story in such a way that it garners the support of the C-suite and the board.
One member of the audience asked how small companies with only a dozen employees can tackle these same cybersecurity challenges and, even more pointedly, what can be accomplished from a security perspective given that small companies have limited resources. The consensus was that at the end of the day, it’s all about risk management. You have to manage risk regardless of size. Understand your assets and understand their valuation. Recognize that your data is an asset and plan accordingly. Decisions and methodologies are the same regardless of size, though the scope will be different.
Cyber Insurance Guidance
Regarding cyber insurance programs, here are a few pitfalls to watch out for:
- Claims are often limited to systems under your complete control—be aware that systems located in the cloud and controlled by a cloud provider may fall outside of your policy’s coverage.
- Intentional acts of an employee (conduct exclusion) may also limit a claim—be sure your policy has the necessary language to define the severability between malicious employees and executives to ensure the company is still covered.
- Don’t accept exclusions around the lack of encryption. Period.
The Closing Is as Good as the Beginning
To close out this article, here’s a recommended five-point takeaway that summarizes the thoughts of many of the experts I spoke to:
- Keep cybersecurity on your agenda
- Do your math homework
- Have a plan and exercise it
- Train, train, train—and then train some more
- Continue to share information