2013 Utah Telehealth Network Tech & Security Summit
June 18th 2013, Snow College, Richfield, Utah
Agenda - Morning
9:00AM – 9:10AM Summary: Overall UTN Network and Security
9:10AM – 9:45AM Roles & Responsibilities – Security Policy
9:45AM – 10:15AM Real Consequences, Liabilities, & Breaches
10:15AM – 10:30AM Break
10:30AM – 11:15AM Networking – VLANs and Public Access
11:15AM – 12:15PM Security - Managing Vulnerabilities
12:15PM – 1:15PM LUNCH
Agenda - Afternoon
1:15PM – 2:15PM Security – Web Security and Wireless
2:15PM – 2:30PM Security – HIPAA, Cloud, & Edge Security
2:30PM – 2:45PM Break
2:45PM – 3:30PM Q&A and parking lot topics
Summary: Overall UTN Network and Security – University of Utah, Utah Telehealth Network, member sites
Summary: Overall UTN Network and Security – Internet firewalls, site firewalls, device software firewalls
Summary: Overall UTN Network and Security – Web security appliance, intrusion detection & prevention, vulnerability scanning
Summary: Overall UTN Network and Security – Anti-virus, anti-malware, anti-spyware
Roles & Responsibilities – Security Policy: Deb Lamarche (Utah Telehealth Network); Kyle Anderson (Utah Telehealth Network Board Member); Peter Bonsavage (Utah Telehealth Network)
Real Consequences, Liabilities, & Breaches CVS Pays $2.25 Million & Toughens Disposal Practices to Settle HIPAA Privacy Case In a case that involves the privacy of millions of health care consumers, on January 16, 2009, the U.S. Department of Health & Human Services (HHS) reached agreement with CVS Pharmacy, Inc. to settle potential violations of the HIPAA Privacy Rule. To resolve the Department’s investigation of its privacy practices, CVS agreed to pay $2.25 million and implement a detailed Corrective Action Plan to ensure that it will appropriately dispose of protected health information such as labels from prescription bottles and old prescriptions.
Real Consequences, Liabilities, & Breaches
Shasta Regional Medical Center Settles HIPAA Security Case for $275,000 – June 13, 2013
Idaho State University Settles HIPAA Security Case for $400,000 – May 21, 2013
Massachusetts Provider Settles HIPAA Case for $1.5 Million – September 17, 2012
Alaska DHSS Settles HIPAA Security Case for $1,700,000 – June 26, 2012
HHS settles HIPAA case with BCBST for $1.5 million – March 13, 2012
Real Consequences, Liabilities, & Breaches
Utah Dept. of Technology Services – CHIP Breach.
Gov. Gary Herbert apologized to the 780,000 victims of the health data security breach on Tuesday.
Utah guv fires tech director over health data breach, creates security czar. – Deseret News
The programs include free credit monitoring and free enrollment in identity theft insurance for coverage up to $1 million for individuals and $2 million for families. Senate President Michael Waddoups, R-Taylorsville, said Tuesday he expects the response to the data breach to cost between $2 million and $10 million — and more if the state faces federal fines or lawsuits.
Verizon Breach Report – gives a synopsis of thousands of breaches across industries. http://www.verizonenterprise.com/resources/reports/rp_dbir-industry-snapshot-healthcare_en_xg.pdf The Healthcare section builds on 60 confirmed breaches within Healthcare in the last two years.
Verizon Breach Report: For those Healthcare organizations included within the DBIR data set, attacks were almost entirely the work of financially-motivated organized criminal groups acting deliberately and maliciously to steal information. These groups are notorious for knocking over smaller, low-risk targets in droves to nab personal and payment data for various and sundry fraud schemes.
HIPAA A person or organization that is obliged to follow the Privacy Rule may face a civil fine of up to $25,000, recently raised to a maximum of $50,000. In extreme cases, the U.S. Department of Justice (DOJ) may be called in to conduct a criminal investigation. If the DOJ becomes involved, violators could face a jail term of up to 10 years and a fine of up to $250,000.
Networking – VLANs and Public Access. VLANs – a virtual switch or broadcast domain. Public Access – Wi-Fi for the general public.
VLANs: use them to segregate traffic for more security, fewer broadcasts, or logical organization. Data, VoIP, Video, facilities, Public, Guest, Wi-Fi… Voice/Video are sensitive to broadcast traffic. Smaller VLANs allow for easier security configurations.
VLANs – Access Control Lists (ACLs). Use ACLs to control traffic within VLANs for security. • ACLs were the first network security control. • ACLs on switches and routers are NOT bidirectional.
VLAN networking
Layer 2 (MAC addresses): broadcast domain; non-routable; fast; inexpensive. L2 switches can have multiple VLANs but cannot communicate between them.
Layer 3 (IP addresses): broadcast domain; routable; fast; expensive. L3 switches can have multiple VLANs and route between them.
Public Internet: Customers demand access with smartphones and tablets. How do we provide access within moral and ethical guidelines? How do we limit RISK and LIABILITY for customers' surfing habits? Use Acceptable Use documents.
Public Internet: Segregate with VLANs across the infrastructure. Have users check an Acceptable Use form. Limit liability and risk by allowing only legal categories. Possible even to air gap. Use of the infrastructure allows better coverage. Bandwidth limitations allow for more users on small circuits.
Managing Vulnerabilities: vulnerability detection and remediation
Qualys
• Scans every week starting Monday at 8am until finished, ~11am Tuesday.
• Currently scans 3100 devices within UTN.
• Each vulnerability is assigned a CVE or identifier.
• Categorized by level 5 to 1.
• 5 – exploit exists and has the highest CVSS score.
• 4 – exploit exists but is not easy to use.
• 3-1 – informational or best practice.
Vulns: Where to start – low hanging fruit, digging in: SNMP; password brute force; excess services (FTP, SQL); Java; SNMP v3; static systems like Philips that require vendor support; obsolete OS.
Windows Software Update Service – free with Windows Server OS.
Software Updates: Oracle – Sun Java; Apple; Mozilla; Google. Use auto updates whenever you can.
Obsolete OS – XP and back. In 2002 Microsoft introduced its Support Lifecycle policy based on customer feedback to have more transparency and predictability of support for Microsoft products. As per this policy, Microsoft Business and Developer products, including Windows and Office products, receive a minimum of 10 years of support (5 years Mainstream Support and 5 years Extended Support), at the supported service pack level. Thus, Windows XP SP3 and Office 2003 will go out of support on April 8, 2014. If your organization has not started the migration to a modern desktop, you are late. Based on historical customer deployment data, the average enterprise deployment can take 18 to 32 months from business case through full deployment. To ensure you remain on supported versions of Windows and Office, you should begin your planning and application testing immediately to ensure you deploy before end of support. Resources: Learn how other companies have benefited from migrating to Windows 7 and Windows 8 Enterprise. Next: What does end of support mean to customers? http://www.microsoft.com/en-us/windows/endofsupport.aspx
Vulns: Resources – UTN member site techs; CVE database - http://cve.mitre.org/cve/; your vulnerability report; Univ. of Utah Information Security Office; vendor support sites – www.microsoft.com, etc.
Vulns: UTN overall
Scan Title (Status) : UTN Site
Scan Start Date : 06/10/2013 at 08:31:23 (GMT-0600)
Duration : 1 day 01:30:15
Target Groups : UTN ALL Site networks
Hosts Scanned : 65270
Active Hosts : 3448
Option Profile : Standard Scan
Launched By : Peter Bonsavage (hscun_pb)
Company : HSC University of Utah - Health Sciences Center
Launch Type : Scheduled
Scan Status : Finished
Next Action : None
------------------------------------------------------------
Summary of discovered Vulnerabilities (Trend)
Severity 5 "Urgent" : 927 (-14)
Severity 4 "Critical" : 874 (-2)
Severity 3 "Serious" : 2963 (-28)
Severity 2 "Medium" : 5960 (+91)
Severity 1 "Minimal" : 339 (+7)
Total : 11063
Vulns: UTN Devices
------------------------------------------------------------
Email scan summary by QualysGuard
Scan Title (Status) : UTN Devices
Start Date : 06/11/2013 at 06:03:08 (GMT-0600)
Duration : 02:10:29
Target Groups : No Group
Hosts Scanned : 1280
Active Hosts : 228
Option Profile : Standard Scan
Launched By : Peter Bonsavage (hscun_pb)
Company : HSC University of Utah - Health Sciences Center
Launch Type : Scheduled
Scan Status : Finished
Next Action : None
------------------------------------------------------------
Summary of discovered Vulnerabilities (Trend)
Severity 5 "Urgent" : 2 (=)
Severity 4 "Critical" : 12 (-1)
Severity 3 "Serious" : 183 (-6)
Severity 2 "Medium" : 1198 (-12)
Severity 1 "Minimal" : 7 (=)
Total : 1402
Summary of Potential Vulnerabilities
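An added example, not from the slides or from Qualys: a small Python parser for the mailed QualysGuard scan summary format shown above. It checks that the per-severity counts add up to the reported Total line, orders remediation the way the deck does (level 5 first, then 4, with 3-1 treated as informational), flags severities whose count grew since the last scan, and recovers the previous scan's total from the trend figures. The sample report is constructed from the numbers on the UTN site scan slide.

```python
import re

# Constructed sample, modelled on the QualysGuard e-mail scan summary shown in the slides.
SAMPLE_REPORT = """\
Scan Title (Status) : UTN Site
Active Hosts : 3448
Summary of discovered Vulnerabilities (Trend)
Severity 5 "Urgent" : 927 (-14)
Severity 4 "Critical" : 874 (-2)
Severity 3 "Serious" : 2963 (-28)
Severity 2 "Medium" : 5960 (+91)
Severity 1 "Minimal" : 339 (+7)
Total : 11063
"""

# Severity line: level, label, current count, trend versus the previous scan ("=" is unchanged).
SEVERITY_RE = re.compile(r'Severity\s+(\d)\s+"[^"]+"\s*:\s*(\d+)\s*\((=|[+-]\d+)\)')
FIELD_RE = re.compile(r'^([A-Za-z ()]+?)\s*:\s*(.+)$')

def parse_summary(text):
    """Return header fields plus per-severity counts and trends from a mailed summary."""
    fields, counts, trends = {}, {}, {}
    for line in text.splitlines():
        m = SEVERITY_RE.search(line)
        if m:
            level = int(m.group(1))
            counts[level] = int(m.group(2))
            trends[level] = 0 if m.group(3) == "=" else int(m.group(3))
            continue
        m = FIELD_RE.match(line.strip())
        if m:
            fields[m.group(1).strip()] = m.group(2).strip()
    return {"fields": fields, "counts": counts, "trends": trends}

def total_is_consistent(summary):
    """Sanity check: the per-severity counts must add up to the reported Total line."""
    return sum(summary["counts"].values()) == int(summary["fields"].get("Total", -1))

def remediation_plan(summary):
    """Order the work the way the deck does: level 5 (exploit exists, highest CVSS) first,
    then level 4 (exploit exists but harder to use); levels 3-1 are informational/best practice.
    Also flag levels that grew since the previous scan, and recover the previous total."""
    counts, trends = summary["counts"], summary["trends"]
    return {
        "fix_now": counts.get(5, 0),
        "fix_next": counts.get(4, 0),
        "informational": sum(counts.get(lvl, 0) for lvl in (3, 2, 1)),
        "growing": sorted(lvl for lvl, delta in trends.items() if delta > 0),
        "previous_total": sum(c - trends[lvl] for lvl, c in counts.items()),
    }
```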
Vulnerabilities: What works for you? What doesn't work? Comments and discussion.
LUNCH Thanks
Web Security and Wireless: Cisco IronPort; WLAN configuration.
Wireless Config
Do!
• WPA2 Enterprise with 802.1X authentication is best.
• WPA2 Personal with a passphrase is acceptable.
• Use AES.
• OK to have public Wi-Fi on, but make sure it is at least VLAN separated.
Don't do it!
• WEP.
• Passphrase shorter than 10 characters.
Hardening Guide For all new and current Cisco equipment use this guide. It can apply to ALL vendor devices. http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080120f48.shtml
Security – Cloud & Edge Security: How do we deal with offsite systems? What offering for edge-based security do you use?
Q&A – Topics for more discussion: What do you want to know?