This document summarizes a presentation on cybersecurity threats facing healthcare organizations. It discusses how threat actors have evolved tactics like spear phishing and malware to target individuals. The presentation outlines the typical stages of an attack from initial reconnaissance to exfiltration of data. It provides recommendations for technical defenses like multifactor authentication and network segmentation as well as cultural changes like leadership support and security awareness training. Case studies from Emory Healthcare show the types of attacks blocked each month and techniques used to manage risk through frameworks and continuous improvement.

1. A CHIME Leadership Education and Development Forum in collaboration with iHT2
In the Cyber Trenches
● Rusty Yeager, SVP and CIO, HealthSouth Corporation ●
#LEAD15

2. Inpatient Rehabilitation
Sept. 30, 2015 Portfolio as of... Oct. 1, 2015
109
Inpatient Rehabilitation
Hospitals 120
33
Number of IRFs operated as
JVs with acute care partners 33
7,422 Licensed Beds 8,324
29
Number of States (plus Puerto
Rico) 29
HealthSouth - Post Reliant and CareSouth
Encompass
Home Health and Hospice
Sept. 30, 2015 Portfolio as of... Nov. 1, 2015
134 Home Health Locations 179
7
Pediatric Home Health
Locations 7
23 Hospice Locations 23
18 Number of States 23

3. The Game has Changed
Don’t Fight the Last War!

4. Key Observations
• Threat actors continue to evolve and innovate at a rapid
pace which increases their ability to penetrate and
compromise systems and to avoid detection
• Healthcare information is more valuable to thieves than
credit card numbers or other Personal Identifiable
Information
• The game has changed and the Human
(user/administrator)has become the main target

5. The Evolving War….now its personal!
• The Warriors
– Hacktivists
– Sovereign cyber-warriors
– Organized crime
• The Weapons
– Spear-Phishing
– Malvertising
45%
of respondents say that their
organizations suffered a
targeted attack in the last year.
54%
of respondents say that their
biggest challenge to thwarting
these attacks is the increased
sophistication of threats.
95%of directed attacks were accomplished using the Spear Phish. A
well-crafted and personally/ professionally-relevant email is
sent to a targeted user(s), prompting them to open an
attachment or click a link within the message. Inevitably, they
take the bait, at which point malware installs on the system, a
backdoor or command channel opens, and the attacker begins a
chain of actions moving toward their objective.Winter 2013 survey by Information Security Media Group of 200
CISOs, CIOs, Directors of IT and other senior leaders who work
primarily in the financial services industry.
2014 Data Breach Investigations Report: Verizon

6. How Does it Go Down?
• Reconnaissance or Intelligence Gathering
– Publically available information about business processes and employees
– Vendors and business partners are often used as well
• Perimeter Service Enumeration
– Publically available services in the DMZ
– Cloud based services
– Business Partners
• Persistence
– Attackers will implement a persistent foot hold into the network. This can include multiple persistent services in the network, or
having access to multiple credentials that allows them access into the network.
• Privilege Escalation and internal service enumeration
– Attackers will often attempt to gain administrative access to the targets network.
– This is not always necessary if their current access provides access to sensitive data or infrastructure
• Exfiltration
– Attackers will attempt to ex-filtrate sensitive data or information from the targets network.
– Access to email, and cloud services are often used. 7-zip is also very common as attackers reduce the size and split data into
undetectable block of data.

7. “Governance To-Dos”
• Process Review
– Pick a Framework
• Technical Review
– “No-Holds barred”
• Environmental Assessment

8. “Cultural To-Dos”
• Leadership is Key… From the top
• Security is everyone’s problem
• Show Don’t Tell
• Continued Messaging
• Think like an attacker

9. “Technical To-Dos”
• Dual Factor Authentication
• Network Segmentation
– Internal firewalls
– ACLs
• Authentication Reviews
– Access
– Process
• Password Strenthening

10. Q & A
Speaker(s) Contact Information
Rusty.Yeager@healthsouth.com
A CHIME Leadership Education and Development Forum in collaboration with iHT2
Insert Twitter
handle(s) here

11. A CHIME Leadership Education and Development Forum in collaboration with iHT2
Dee Cantrell, RN, BSN, MS, FHIMSS
Chief Information Officer
Emory Healthcare
#LEAD15

12. Emory’s Story
Things to try
Threat Profile
Technical Security Profile
Frameworks
Biggest Threats
Lessons Learned

13. “WARNING. You have
violated information
security safeguards, an
email notification has been
sent to a federal agency,
your supervisor and your
mother.”

14. What happens
when the security
system detects
unauthorized
access.

16. Emory’s
Threat Landscape

17. • 900 attackers quarantined per month
• 4.2 M explicit attacks blocked per month
• 161 M communication attempts blocked
per month
• 49M malicious web sites blocked per
month
Basic Stats

18. • Blocked
32.2 Million Messages
• Quarantined
28.9 Million Messages
• Delivered
5.8 million Messages
Messages

19. Emory’s Technical Security
Profile

20. Frameworks

21. Emory’s Framework

23. Biggest Threats

28. Lessons Learned
• Employees still biggest threat
• Risk management part of Org Culture – Enterprise
Risk Management Board
• Constant campaigns and approaches for awareness –
“Search and Secure”, phishing, etc.
• Annual required education with competency
assessment
• Onboarding training for new staff
• Continuous improvement of Breach Investigation and
Notification Process

29. A CHIME Leadership Education and Development Forum in collaboration with iHT2
@cantrelldedra