Securing the Clinically-Integrated Supply Chain
W308C, Monday, February 11, 2019
Karl J. West, Intermountain Healthcare
A Large, Integrated Health System with a Tradition of Innovation
Helping people live the healthiest lives possible ®
• 37,500 employees
• $2 B non-labor spend
• AA+ Standard & Poor's
• Aa1 Moody's
• Based in Salt Lake City, Utah
Hospitals
• 1975 Began
• 23 Hospitals
• 2,800 Beds
Health Plans
• 1983 Started
• SelectHealth
• 900,000 Members
Medical Group
• 1994 Started
• 1,600 Employed physicians
• 4,000 Affiliated physicians
• 180 Clinics
Continuum Care
• TeleHealth
• Homecare
• Life Flight
• Central lab
• Central pharmacy
Supply Chain Overview
• Implemented as a centralized function in 2006
• About 740 employees
• Presence at all facilities, including linen utilization
• Cover 6 major functional areas and 30 specialties
• $2+ billion spend overseen by the SCO

A Focus on Reducing Variation
From 186 Band-Aid choices to 12
Benefits of a Clinically-Integrated Supply Chain
• Broader inventory support
• Cost visibility to the patient
• Asset-light approach
• Revenue generating opportunities
Threats
• Pre-infected hardware (bloatware and malware shipped on the device)
• Malware insertion
• Vulnerabilities
• Counterfeit hardware
• Consumables fraud
• A supply chain vulnerability becomes an attack point inside the hospital
Vulnerability Pathway
(diagram: Attacker → Capability → Accessibility → Exploit Vulnerability)
Attacks are Growing in Frequency
• 2004: GPCode encrypts files on Windows
• 2006: Archievus appears on Windows; Trojan.Ransom.A distributed
• 2010: Operation Aurora
• 2012: Reveton debuts
• 2014: CryptoWall distributed; CTB-Locker and Sypeng introduced
• 2015: LockerPin attacks mobile devices; Encoder, Chimera, Petya, Mischa, Tox, Ransom32, and CryptoLocker
• 2016: Jigsaw; SamSam, Petya, Mamba, Zcryptor, and CryptXXX introduced
• 2017: WannaCry, fast-spreading malware; NotPetya spreads fast, bent on destruction
Healthcare cyberattacks rose 320% between 2015 and 2016.
Healthcare is the most frequently attacked industry, with 194 attacks per 1,000 devices.
Attacks are Growing in Sophistication
(chart: threat on one axis and sophistication on the other, each from low to high; non-malware versus malware techniques; actor categories hacktivism, e-crime, and nation-state)
What is Your Risk Tolerance?
What are you willing to pay?
Methods for Risk Management
(diagram: Risks → Risk Inventory / Catalog → Risk Register)
Accurate Risk Register
• Description
• Rating (Low, Moderate, High, Critical)
• Area
• Owner (Technical & Business)
• Business Process/Impact
• Financial Impact
• Plan of Action
• Target Resolution Date
• Status
Data Classification
PUBLIC | INTERNAL USE | SENSITIVE | CRITICAL
Accurate Data Inventory
• Application Name
• Application Description
• Data Classification
• Security Review ID
• Business Owner Contact
• Technical Owner Contact
• Asset Location
• Access: Internal/External/Both
• Contains PHI?
• Number of Records/Users
Risk Management Plan
• A strategic risk management plan is imperative
– Identify organizational risk appetite
– Identify key technology assets
– Identify and evaluate IT security controls
– Identify residual risks
– Document acceptance of residual risks
• Demand incremental and evolutionary improvements to cyber maturity
• Establish a culture of security
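The register and inventory fields listed above only support the plan if they are kept consistent with each other: an application flagged as containing PHI should never sit at Public or Internal Use, a High or Critical risk with no owner, plan of action or target date cannot be tracked to resolution, and a residual risk that has been accepted needs its financial impact on record. The Python script below is an added illustration, not Intermountain's own tooling: it models the two slides' field lists as records and runs those checks over a small constructed register and inventory. The rules themselves, the status values, and every name, date and amount in the sample data are assumptions made for the example.

```python
# Consistency checks over a risk register and a data inventory. This is an added
# illustration, not Intermountain's tooling: field names follow the register and
# inventory slides; the rules enforced, status values and sample data are assumptions.
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

RATINGS = ("Low", "Moderate", "High", "Critical")                      # register slide
CLASSIFICATIONS = ("Public", "Internal Use", "Sensitive", "Critical")  # classification slide


@dataclass
class RiskEntry:
    description: str
    rating: str
    area: str
    technical_owner: Optional[str]
    business_owner: Optional[str]
    business_impact: str
    financial_impact: Optional[float]
    plan_of_action: Optional[str]
    target_resolution: Optional[date]
    status: str  # assumed values: Open, In Progress, Accepted, Closed


@dataclass
class DataAsset:
    application: str
    description: str
    classification: str
    security_review_id: Optional[str]
    business_owner: Optional[str]
    technical_owner: Optional[str]
    location: str
    access: str  # Internal, External or Both, as on the inventory slide
    contains_phi: bool
    records: int


def check_risk(r: RiskEntry, today: date) -> List[str]:
    # Reasons a register entry is not "accurate"; an empty list means it passes.
    problems = []
    if r.rating not in RATINGS:
        problems.append(f"unknown rating {r.rating!r}")
    if not r.technical_owner or not r.business_owner:
        problems.append("missing technical or business owner")
    if r.rating in ("High", "Critical"):
        if not r.plan_of_action:
            problems.append("High/Critical rating without a plan of action")
        if r.target_resolution is None:
            problems.append("High/Critical rating without a target resolution date")
    if r.status == "Accepted" and r.financial_impact is None:
        problems.append("accepted residual risk without a recorded financial impact")
    if r.target_resolution and r.target_resolution < today and r.status not in ("Accepted", "Closed"):
        problems.append(f"target date {r.target_resolution.isoformat()} has passed ({r.status})")
    return problems


def check_asset(a: DataAsset) -> List[str]:
    # Reasons an inventory entry is inconsistent with its own classification.
    problems = []
    if a.classification not in CLASSIFICATIONS:
        problems.append(f"unknown classification {a.classification!r}")
    if a.contains_phi and a.classification not in ("Sensitive", "Critical"):
        problems.append(f"contains PHI but classified {a.classification}")
    if a.contains_phi and not a.security_review_id:
        problems.append("contains PHI but has no security review ID")
    if a.access in ("External", "Both") and not a.security_review_id:
        problems.append("externally reachable but has no security review ID")
    if not a.business_owner or not a.technical_owner:
        problems.append("missing business or technical owner")
    return problems


def audit(register: List[RiskEntry], inventory: List[DataAsset], today: date) -> Dict[str, List[str]]:
    # Map each failing entry (by description or application name) to its problems.
    findings: Dict[str, List[str]] = {}
    for r in register:
        if problems := check_risk(r, today):
            findings[r.description] = problems
    for a in inventory:
        if problems := check_asset(a):
            findings[a.application] = problems
    return findings


# Constructed sample data; names, dates and amounts are made up for the example.
AS_OF = date(2019, 2, 11)
SAMPLE_REGISTER = [
    RiskEntry("Unpatched infusion pump firmware", "Critical", "Medical Device Security", "clinical-eng",
              "nursing", "Pump recall delays care", 250000.0, "Segment pumps; apply vendor patch",
              date(2019, 1, 31), "In Progress"),
    RiskEntry("Vendor shared remote-access account", "High", "Access Management", None,
              "supply-chain", "Vendor actions cannot be attributed", None, None, None, "Open"),
    RiskEntry("Legacy fax server", "Low", "Network Management", "infra", "him", "Minor outage",
              5000.0, "Decommission", date(2019, 12, 31), "Accepted"),
]
SAMPLE_INVENTORY = [
    DataAsset("PACS", "Imaging archive", "Internal Use", "SR-0042", "radiology", "imaging-it",
              "Data center A", "Internal", True, 1_200_000),
    DataAsset("Supplier ordering portal", "Vendor order entry", "Sensitive", None, "supply-chain",
              "web-team", "Cloud", "External", False, 900),
    DataAsset("Public website", "Marketing site", "Public", "SR-0007", "comms", "web-team",
              "Cloud", "External", False, 0),
]
```

Calling `audit(SAMPLE_REGISTER, SAMPLE_INVENTORY, AS_OF)` returns four findings: the Critical pump risk is past its target date while still In Progress, the High vendor-account risk has no technical owner, plan or date, the PACS entry claims PHI at Internal Use, and the external supplier portal has no security review ID; the accepted Low risk and the public website produce nothing. Running the same checks on every change to either list is what turns the two slides' field lists into the "accurate" register and inventory the plan calls for.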
1. Email Protection
2. End-Point Protection
3. Access Management
4. Asset Management
5. Data Protection & Loss Prevention
6. Network Management
7. Vulnerability Management
8. Incident Response
9. Cybersecurity Policies
10. Medical Device Security
Questions?