Securing the Clinically-Integrated Supply Chain · Aurora 2012 Reveton debuts 2015 LockerPin attacks mobile devices. Encoder, Chimera, Petya, Mischa, Tox, Ransom32, and CryptoLocker

Page 1

Securing the Clinically-Integrated Supply Chain

W308C, Monday, February 11, 2019

Karl J. West, Intermountain Healthcare

Page 2

A Large, Integrated Health System with a Tradition of Innovation

Helping people live the healthiest lives possible ®

Based in Salt Lake City, Utah

• 37,500 employees
• $2 B non-labor spend
• AA+ Standard & Poor’s
• Aa1 Moody’s

Hospitals
• 1975 Began
• 23 Hospitals
• 2,800 Beds

Health Plans
• 1983 Started
• SelectHealth
• 900,000 Members

Medical Group
• 1994 Started
• 1,600 Employed physicians
• 4,000 Affiliated physicians
• 180 Clinics

Continuum Care
• TeleHealth
• Homecare
• Life Flight
• Central lab
• Central pharmacy

Page 3

Supply Chain Overview

• Implemented as a centralized function in 2006
• About 740 employees
• Presence at all facilities, including linen utilization
• Cover 6 major functional areas and 30 specialties
• $2+ billion spend overseen by the SCO

Page 4

A Focus on Reducing Variation

186 Band-Aid choices to 12

Page 5

Benefits of a Clinically-Integrated Supply Chain

• Broader inventory support
• Cost visibility to the patient
• Asset-light approach
• Revenue generating opportunities

Page 6

Threats

• Pre-infected hardware (bloatware & malware)
• Malware insertion
• Vulnerabilities
• Counterfeit hardware
• Consumables fraud
• Supply Chain vulnerability becomes attack point in hospital

Page 7

Vulnerability Pathway

Attacker → Capability → Accessibility → Exploit Vulnerability

Page 8

Attacks are Growing in Frequency

• 2004: GPCode encrypts files on Windows OS
• 2006: Archievus appears on Windows. Trojan.Ransom.A distributed
• 2010: Operation Aurora
• 2012: Reveton debuts
• 2014: CryptoWall distributed. CTB-locker & Sypeng introduced
• 2015: LockerPin attacks mobile devices. Encoder, Chimera, Petya, Mischa, Tox, Ransom32, and CryptoLocker
• 2016: Jigsaw targets Macs. SamSam, Petya, Mamba, Zcryptor, CryptXXX introduced
• 2017: WannaCry fast-spreading malware. NotPetya spreads fast, bent on destruction

Healthcare cyberattacks rose 320% between 2015 and 2016

Healthcare is the most frequently attacked industry, with 194 attacks per 1,000 devices

Page 9

Attacks are Growing in Sophistication

[Chart: Threat (Low to High) plotted against Sophistication (Low to High); categories Non-Malware and Malware; actor groups Hacktivism, E-Crime, Nation-State]

Page 10

What is Your Risk Tolerance?

What are you willing to pay?

Page 11

Methods for Risk Management

Risks → Risk Inventory → Catalog → Risk Register

Page 12

Accurate Risk Register

• Description
• Rating (Low, Moderate, High, Critical)
• Area
• Owner (Technical & Business)
• Business Process/Impact
• Financial Impact
• Plan of Action
• Target Resolution Date
• Status

Page 13

Page 14

Data Classification

PUBLIC · INTERNAL USE · SENSITIVE · CRITICAL

Page 15

Accurate Data Inventory

• Application Name
• Application Description
• Data Classification
• Security Review ID
• Business Owner Contact
• Technical Owner Contact
• Asset Location
• Access: Internal/External/Both
• Contains PHI?
• Number of Records/Users

Page 16

Risk Management Plan

• A strategic risk management plan is imperative
  – Identify organizational risk appetite
  – Identify key technology assets
  – Identify and evaluate IT security controls
  – Identify residual risks
  – Document acceptance of residual risks
• Demand incremental and evolutionary improvements to cyber maturity
• Establish a culture of security

Page 17

1. Email Protection
2. End-Point Protection
3. Access Management
4. Asset Management
5. Data Protection & Loss Prevention
6. Network Management
7. Vulnerability Management
8. Incident Response
9. Cybersecurity Policies
10. Medical Device Security

Page 18

Questions?