Protect, Protect, Protect… Now SHARE John D. Halamka MD Chief Information Officer The State of the Internet • • • • Studies indicate 48% of internet systems are infected now (worldwide) Escalation of malware quality and quantity, began in March-April of 2011 (organized crime now uses internet identity theft as a business) A new virus is released every 30 seconds, there is a 400% increase in Android device hacking, and150000 malware variants are found on the internet at any moment (80% are on legitimate websites) Risk exists on all Windows, Mac OS X, and Linux platforms (alas, there is no silver bullet) The State of the Internet • • • • • • • Commercialization of root kits Fast flux re-packaging Signature solutions becoming less effective Angry Birds Steganography on the rise Content cloaking on Google and Facebook Adobe and Java vulnerabilities The State of BIDMC • • • • • 14501 total devices on network 3353 research, departmental and personal devices are not managed by IT (these are the most often infected) 11566 BIDMC user accounts 589 Needham user accounts 212 Websites or applications with remote access • • • • The Risk Every day users download malware and we eliminate it via early detection, remote access to the device or a visit to the device We have much more sophisticated monitoring systems than most hospitals so we can see what is happening We have hired numerous industry specialists from McAfee, RSA and Verizon to study our environment. Although they have made a few technology suggestions, the major need is policy improvement The Risk - Home Computers Drop Server 200.63.44.172 Finding Type Corporate Credentials Description An authorized user accessed one of the organization's resources, BIDMC Portal, from an infected machine (a screenshot is attached). The Trojan horse captured the credentials. URL https://portal.bidmc.org/login.aspx?item=/default&user=extranet\Anonymous&site=website&url=/default.aspx IP Address 24.63.18.108 Timestamp Wed, 17 Aug 2011 01:06:01 GMT Rawtext "1856";"TOSHIBA-PC_775A658D6522DF69";"-- default -";"33556489";"https://portal.bidmc.org/login.aspx?item=/default&user=extranetAnonymous&site=website&url=/default.aspx";"";"1313543161";"188203365";"14400";"#6;#0;?#29; #0;";"1033";"C:Program Files (x86)Internet Exploreriexplore.exe";"ToshibaPCToshiba";"12";"https://portal.bidmc.org/login.aspx?item=/default&user=extranetAnonymous&site=website&url=/default.aspx Referer: https://portal.bidmc.org/login.aspx?item=/default&user=extranetAnonymous&site=website&url=/default.aspx User input: lxxxxxaKxxxxx3 POST data: __EVENTVALIDATION=/wEWBALh8vWcAgKvpuq2CALyveCRDwL jNCfD1D ONbAiUFgkw75ofRC13PVI8NZ username=sxxxxxa password=Kxxxxx13 LoginButton.x=0 LoginButton.y=0";"24.63.18.108";"US";"1313543148" Mitigation • • Surveillance and Detection • • • Scheduled vulnerability scans of managed devices using Nexpose Augment internal capability with Dell SecureWorks hosting services More extensive use of logs to identify and correlate suspicious behavior Containment and Cleaning • • • • Locking down outbound connection from servers, i.e. “white listing” More aggressive anti-virus update cycle as released rather than time of day More frequent full scans 3x daily rather than 2x weekly Higher sensitivity settings on scans Mitigation • Prevention • • • • • • • Increase Internet content filtering restrictions Reduce/eliminate local administrative rights on workstations and laptops Introduce McAfee Site Advisor to alert users of web site reputation Stepped up use of Intrusion Protection blocks on web activity More aggressive updates of Java, Adobe and other high risk apps Two-factor identification for remote users Isolate FDA regulated devices Mitigation • Metrics and Controls • • • • • • Baseline “risk” level of each subnet Past incidence of malware Extent of local administrative rights Content filtering rules Average Nexpose score Incidence of devices with out-of-date antivirus files Digital Loss Prevention Pilot • • • • Determine impact of controls Tune as needed Apply across the enterprise only after Ops review of data and additional policymaking Observe and adjust on continuing basis My Breaches in 2012 • The Stolen Laptop • The Infected Radiology Workstation A 20 Step Program • • • • • • • • • • 1. Inventory of Authorized and Unauthorized Devices 2. Inventory of Authorized and Unauthorized Software 3. Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers 4. Secure Configurations for Network Devices such as Firewalls, Routers, and Switches 5. Boundary Defense 6. Maintenance, Monitoring, and Analysis of Security Audit Logs 7. Application Software Security 8. Controlled Use of Administrative Privileges 9. Controlled Access Based on Need to Know 10. Continuous Vulnerability Assessment and Remediation A 20 Step Program • • • • • • • • • • 11. Account Monitoring and Control 12. Malware Defenses 13. Limitation and Control of Network Ports, Protocols, and Services 14. Wireless Device Control 15. Data Loss Prevention 16. Secure Network Engineering 17. Penetration Tests 18. Incident Response Capability 19. Data Recovery Capability 20. Security Skills Assessment and Appropriate Training to Fill Gaps Creating a Secure Regional HIE HIE Services Repository of physician names, entities, affiliations, and security credentials Provider directory “Lookup” services Repository of security certificates for authorized users of HIE services Certificate repository DIRECT gateway Adaptor that transforms messages from one standard to another without decrypting the message “Message-handling” services Secure, encrypted mailbox for users without standards-compliant EHR Web portal mailbox 14 3 ways to connect to MA HIway User types HIE Services 3 methods of accessing HIE services Physician practice Provider directory EHR connects directly Hospital Certificate repository EHR connects through LAND Long-term care Other providers Public health Health plans DIRECT gateway Browser access to webmail inbox Web portal mailbox Labs and imaging centers 15 Golden Spike Transactions MA HIway production exchanges transacted on October 16, 2012 Use Case From To Content Eastern Hospital to Western Hospital Massachusetts General Hospital Baystate Medical Center Governor Patrick medical record (CCD) ACO to ACO Beth Israel Deaconess Medical Center Massachusetts General Hospital Patient summary record (CCD) Hospital to Practice Childrens’ Hospital Atrius Health Patient summary record (CCD) Suburban Hospital to MetroWest (Vanguard) Academic Medical Center (bidirectional) Tufts Medical Center Patient summary record (CCD) ACO to Quality Data Warehouse Beth Israel Deaconess Physician Organization Massachusetts eHealth Collaborative Encounter summary (CCD) Hospital to Referring PCP Beth Israel Deaconess Medical Center Dr. Ayobami Ojutalayo (Lawrence) Patient summary record (CCD) ACO to Health Plan Beth Israel Deaconess Medical Center Network Health Plan Patient summary record (CCD) Participating vendors: Orion Health, Meditech, Cerner, eClinicalWorks, LMR (Partners), webOMR (BID), Epic, Siemens 16 Phase 1 infrastructure • Release 1 (October 16, 2012) – Direct Gateway with 4 integration options: SMTP/SMIME, XDR/SOAP, LAND appliance – Provider directory v1 – AIMS/Public key infrastructure v1 • Release 2 (December 17, 2012) – Participant enrollment portal (November, 2012) – Webmail (November, 2012) – HL7 Gateway (syndromic surveillance, ELR, CBHI) – IMPACT (SEE, web-based CDA-editor for long-term care facilities) – Provider directory v2 – AIMS/Public key infrastructure v2 • Vendor-hosted cloud supports both HIE and HIX/IES – Orion Health prime contractor – Unlimited license for Oracle Software for all 3 Phases of HIE and HIX/IES – Enterprise license for Orion Rhapsody Integration Engine – Leveraging existing IBM Initiate licenses 17 Updated plan Original high-level plan from 12/11/2011 Updated plan as of 10/23/2012 18 Questions? • http://geekdoctor.blogspot.com