1. Building an OSINT and Recon Program to address Healthcare Information Security Issues
Mitchell Parker, Exec. Dir., Information Security and Compliance
2. Purposes of Presentation
1. To replace the constant stream of fear, uncertainty, and doubt that is the main driver behind Healthcare Information Security in many organizations with actionable intelligence
2. To illustrate how to implement #1
3. Profit!
3. Why am I here?
 Healthcare organizations are a series of unstructured kingdoms operating in a loose confederation under one ruler - think Prussian city states before German Unification.
4. This changes at budget time
5. How are they designed?
 They are designed to operate separately and in a disjointed way
 Departments are Kingdoms and Doctors are Rulers
 Medical Staffs per hospital are separate
 Everyone gets their own budgets
 They can separately contract with other institutions for services and are both profit and cost centers
 IT is normally a cost center!
 They even get their own vendors
⎻ Golden Rule – he who has the gold makes the rules
 Finance and support services are separate and considered drains on profit, innovation, and productivity
6. Structure
 They are not used to centralized anything, let alone IT, telling them what to do and how to operate
 The prevailing structure does not lend itself to good communication or cooperation
 If anything, it’s like a series of small companies that work together sometimes
 I’ve had discussions with famous healthcare CIOs that couldn’t tell me what their privacy teams were doing
 It is very common for orgs to be this disjointed
7. Healthcare adopted technology early…
 And could not get out from under their decisions
 You have a significant amount of legacy applications and data underpinning the business
 My favorite examples: Pagers and faxes are still used despite the evident risks due to high replacement cost
 Departments and business units want to remain fiercely independent
 Or in the case of some universities, centralization costs more money than doing it yourself and running your own Shadow IT department
 At least one health system has admitted paying for ransomware because departments didn’t pay for central backup
8. Healthcare Organizations are risk-averse
 This means that they purposely inhibit change
 Technology changes, especially, are put off in favor of workflow and efficiency
 It takes going to numerous stakeholders to get a major initiative completed
 Rolling out patient privacy monitoring took over 25 meetings spread across several months and 4 people
 Two Factor Authentication took at least 10 meetings and signoff from multiple leadership teams
⎻ Even though the doctors already had it as part of their university employment
 You have to align risks with the rest of the org to get the attention of senior leadership
9. HIPAA isn’t known well
 Very few people truly understand the Privacy and Security rules or their intent
 This causes significant fear, uncertainty, and doubt with team members
 Especially when disciplinary issues occur because of it!
 Very few know what it is or what it means, and even fewer can actually explain it to someone outside the privacy and security realm
 Lack of knowledge is considered to be one of the stumbling blocks inhibiting better healthcare, ironically
10. Vendor FUD
 Numerous vendors seize on the financial penalties levied by the Office for Civil Rights (OCR) to sell software that doesn’t work
 They lie about HIPAA Compliance and the costs of data breaches
 They make grand claims about audit programs and OCR going after organizations for HIPAA compliance
 They promise providers that by buying their programs they will be in compliance with the security rule
 No, this software really doesn’t work well, and many providers have a false sense of security
11. In the words of Chris Rock, Sit Down
12. What are other complicating factors?
 Very few people in healthcare have ever had someone sit down and explain it to them
 Risk assessments run as inquisitions leave team members genuinely afraid for their jobs
13. Let’s Get To Business
 Now that I’ve painted a picture of how many organizations that provide medical care are loose confederations, we can get down to business
 You cannot effectively have decent security in healthcare without help
 To build that help you need to develop OSINT and recon programs that have more contacts across the organization than your Information Systems department does
14. Our customers are targets
 Phishing
 Business Email Compromise/Targeted social engineering attacks
 Malware
 Curious onlookers
 Ransomware
 Robocalls
15. Communication Concerns
Corporations, in general, do not handle communications about security well:
 Concerns about liability with issuing recommendations for personal lives or devices
 Concerns about taking a stance with divisive social issues
⎻ #MeToo, Gamergate, Social Media
 Need to align messaging with corporate values
 There’s always a use case that completely challenges training or instructions you put out
⎻ Remember: Risk Averse! If one use case doesn’t fit it can and will derail you!
 It takes a long time to navigate large companies
16. KNOW YOUR STRUCTURE
 Healthcare is unique in its leadership churn at the top
 To get promoted or advance, you usually have to move to another organization
⎻ I only ever worked for one CIO that spent more than 10 years in a job
 This results in an executive class (Director and up) that routinely changes jobs every few years
 This executive class knows each other very well – many were peers at other institutions
 You normally don’t become a healthcare executive without knowing someone
 There is a palpable disconnect between the Senior Leadership Team and everyone else, no matter what org you work for
17. The Groups That Matter
 There is also a group that has the team members that have been with the organization the longest and have the most history
 Typically this has the managers and team members as the main members of the cohort
 In my experience, very few people actually work their way up from team member to executive in a company – they leave beforehand
 This is the group you want to be best friends with
18. What we have to account for…
 There is a disconnect between the executive leadership and team members that you have to account for
 The communication you would expect between them may not be there
 There is a lack of knowledge of the whys of issues
 There is also a lack of trust between upper management and teams
 Governance is therefore difficult
19. How are risk assessments normally completed?
 Managers are often the ones with the most knowledge, but are not normally part of the decisioning or risk assessment processes
 Enterprise Risk usually includes directors and executives with little manager input
 Information Security Risk Assessments usually have hand-picked team members that senior leadership and consultants vet
 I’ve been in these meetings. This is normal behavior for the C suite
20. We need to start with the basics
 Know the business well. Interview everyone you can possibly speak to.
 People will talk and open up if you actively listen to them
 Understand customer needs.
 Understand personal concerns of team members
21. The goal: Get people to speak with you first about security issues
 There are two things you need to do: Listen and follow up consistently
 This includes personal security issues
 Your credibility is based on the ability to do these two things
 You will be viewed as an outsider if you don’t do this
 If you pull this off, your customers will tip you off to what is going on
 If you don’t, they will ignore issues and perceive the organization as not caring
22. The truth: Risk assessments don’t capture much and here’s why
 Many members of upper management view risk assessment results or audit results as a direct knock on their ability to manage
 There are some CIOs and executives that will purposely hide known issues to look better in front of peers.
 I have personally seen a CIO hide evidence of known issues because he didn’t want the CFO finding out and making him look bad
⎻ I later made it my mission to resolve said issues after he retired
23. The truth: Risk assessments don’t capture much and here’s why
 This means that there are many managers who aren’t telling their Directors or above what’s really going on because they are afraid for their jobs
 There are managers and above that want to look good to make it to the next level, so they proceed to cover these items up
 Little do many of these managers realize that we are wise to their actions
 However, this means that when you assess for risk, you’re getting a sanitized answer
 Human nature is security’s worst enemy
 They make themselves look good, and hand pick people to answer
⎻ This eventually gets found out and it’s not good!
24. Who do you make friends with?
 Simon Travaglia had it right with the BOFH. Make friends with the cleaning staff, facilities, and security.
 The PC Techs are your best friends for finding out what is really going on.
 The actual application administrators are also your friends
 You also should know every Administrative Assistant in the organization
 Remember where the swag goes!
 If you are a provider, Nursing and the Call Center Admin staff are also your best friends
25. Be your own PR Firm
 No one knows who you are if you don’t advertise
 You need to get out there and speak at conferences, do webinars, and publish articles
 Your customers read them and will follow you on social media
 People will come up to you, especially over your Twitter feed
 You need to constantly publish and present internally for people for outreach
 Otherwise, you’re going to be sitting in a corner with no customers
26. SENIOR LEADERSHIP
 Senior leadership is more apt to listen to analysts, the Big 4, or their peers than their own teams
 Hence the “I met this person at a CIO or IT Executive conference who can solve all our problems” meetings
 If you’re delivering the message at the conferences, you’re more credible
 Senior Leadership listens when you publish and can be cited
⎻ Not in some vendor-sponsored mag they ignore
 They also listen when you work with standards bodies
⎻ Especially IEEE, NIST, ANSI, or ISO
27. Be your own publisher
 Don’t let the perception of security for your customers be that from the major analyst firms, Big 4 consultants, or scary ads from vendors
 They don’t have boots on the ground or get it
 Witness the large number talking about emerging tech without discussing the new classes of risks (Blockchain anyone?)
 Get the word out on what is really going on to your customers directly
 Get onto the good threat intel lists such as REN-ISAC, H-ISAC, and the FBI’s alerts and distill the word out to your friends
28. Be your own Publisher
 Avoid the circumspect march toward yet another unneeded high priced technical solution with a smiling face and get people to something they can actually use that produces results
 “Tell me what I need to do” – Former CIO I worked for in a leadership meeting
 Focus on distilling news and OSINT into actionable operational knowledge
 Follow up with customers to make sure they understand
 Be their guide and they will be yours
 OSINT is nothing without action and it becomes less than intelligence
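The two slides above say to get onto lists such as REN-ISAC, H-ISAC and the FBI alerts and distill them into something your customers can act on and follow up. The script below is an added example of what that distilling step can look like in code; it is not from the presentation or its author. It matches constructed feed entries against a constructed inventory of departmental systems (the product names, versions, departments and owners are all made up for the demo; the feed sources are labelled as examples), ranks by severity and observed exploitation, and produces a per-department digest with one action line and a follow-up date per item, so the consistent follow-up the slides insist on becomes a list you can work rather than a good intention.

```python
"""Distill threat-intel feed items into per-department action digests.

Added example, not code from the presentation. The feed entries, the asset
inventory, the departments and the owners are all constructed for the demo;
a real program would read them from an ISAC feed and an asset inventory.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Severity rank used for ordering; highest first.
SEVERITY_RANK = {"critical": 3, "high": 2, "medium": 1, "low": 0}


@dataclass(frozen=True)
class Advisory:
    source: str          # feed the item came from (constructed names below)
    title: str
    product: str         # product name as the feed reports it
    fixed_in: str        # versions strictly below this are affected
    severity: str
    exploited: bool      # feed reports exploitation observed in the wild
    action: str          # the one-line "tell me what I need to do"


@dataclass(frozen=True)
class Asset:
    name: str
    product: str
    version: str
    department: str
    owner: str           # the manager or admin who actually runs it


@dataclass
class ActionItem:
    department: str
    owner: str
    asset: str
    advisory: str
    action: str
    priority: int
    follow_up_on: date


def version_tuple(v: str) -> tuple:
    """Turn '3.10.2' into (3, 10, 2) so versions compare numerically."""
    return tuple(int(p) for p in v.split("."))


def is_affected(asset: Asset, adv: Advisory) -> bool:
    """Affected when the asset runs the product at a version below the fix."""
    return (asset.product.lower() == adv.product.lower()
            and version_tuple(asset.version) < version_tuple(adv.fixed_in))


def priority(adv: Advisory) -> int:
    """Observed exploitation outranks severity alone."""
    return SEVERITY_RANK[adv.severity] * 2 + (1 if adv.exploited else 0)


def distill(advisories, assets, today: date) -> dict:
    """Map each department to its action items, most urgent first.

    Departments with nothing affected get no entry: the digest only carries
    items the recipient can act on, never the whole feed.
    """
    digest: dict = {}
    for adv in advisories:
        for asset in assets:
            if not is_affected(asset, adv):
                continue
            days = 2 if adv.exploited else 14   # follow-up window (demo policy)
            digest.setdefault(asset.department, []).append(ActionItem(
                department=asset.department, owner=asset.owner,
                asset=asset.name, advisory=adv.title, action=adv.action,
                priority=priority(adv),
                follow_up_on=today + timedelta(days=days)))
    for items in digest.values():
        items.sort(key=lambda i: i.priority, reverse=True)
    return digest


def due_for_follow_up(digest: dict, on: date) -> list:
    """Items whose follow-up date has arrived: the list you work each morning."""
    return [i for items in digest.values() for i in items if i.follow_up_on <= on]


# Constructed sample data (not from any real feed, vendor or inventory).
ADVISORIES = [
    Advisory("example-isac", "Remote code execution in ImagingViewer", "ImagingViewer",
             "4.2.0", "critical", True,
             "Patch to 4.2.0; until then restrict access to the department VLAN"),
    Advisory("example-vendor", "Weak default credentials in LabGateway", "LabGateway",
             "2.1.0", "high", False,
             "Upgrade to 2.1.0 and rotate the service account password"),
    Advisory("example-isac", "Information leak in ScheduleWeb", "ScheduleWeb",
             "7.0.0", "medium", False,
             "Upgrade to 7.0.0 at the next maintenance window"),
]
ASSETS = [
    Asset("rad-viewer-01", "ImagingViewer", "4.1.3", "Radiology", "J. Doe (PACS admin)"),
    Asset("lab-gw-02", "LabGateway", "2.0.5", "Laboratory", "R. Roe (lab IT)"),
    Asset("lab-gw-03", "LabGateway", "2.1.0", "Laboratory", "R. Roe (lab IT)"),  # already fixed
    Asset("sched-web", "ScheduleWeb", "6.9.1", "Call Center", "A. Admin"),
]
RUN_DATE = date(2024, 6, 10)  # constructed run date for the demo

if __name__ == "__main__":
    for dept, items in distill(ADVISORIES, ASSETS, RUN_DATE).items():
        print(f"== {dept} ==")
        for i in items:
            print(f"  [{i.priority}] {i.asset}: {i.advisory} -> {i.action}"
                  f" (owner {i.owner}, follow up {i.follow_up_on})")
```

The shape is the point: a department only ever receives items for systems it owns, the action is the first thing on the line, and every item carries a date on which someone goes back and asks whether it was done. The feed source and the inventory are whatever your organization actually has; the matching and ranking do not change.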
29. What are the end goals?
 OSINT – You take the knowledge that’s out there and adapt it for the people in the organization that will use it for more than PowerPoint fodder
 OSINT – You replace the constant stream of FUD with real applicable information, not what the latest buzzword of the week is that someone wants to sell you or scare senior leadership with
30. What are the end goals?
 RECON – You get people across the organization feeding you information you can use to better secure it
 RECON – You reduce risk by addressing what the team finds important, not what’s distilled up to senior management to make aspirational managers look good
31. How do I follow up?
 I will be around to answer questions
 Follow or DM me on Twitter at @mitchparkerciso
 Follow or connect on LinkedIn: https://www.linkedin.com/in/mitchparkerciso/
 View my blog at: https://www.csoonline.com/blog/security-from-the-upside-down/
32. Thank you!
  • 11. In the words of Chris Rock, Sit Down 11 
  • 12. What are other complicating factors? 12  Very few people in healthcare have ever had someone sit down and explain it to them Risk assessments as inquisitions leave team members are genuinely afraid for their jobs
  • 13. Let’s Get To Business 13  Now that I’ve painted a picture of how many organizations that provide medical care are loose confederations, we can get down to business You cannot effectively have decent security in healthcare without help To build that help you need to develop OSINT and recon programs that have more contact than your Information Systems department
  • 14. Our customers are targets 14 Phishing Business Email Compromise/Targeted social engineering attacks Malware Curious onlookers Ransomware Robocalls
  • 15. Communication Concerns 15 Corporations, in general, do not handle communications about security well: Concerns about liability with issuing recommendations for personal lives or devices Concerns about taking a stance with divisive social issues ⎻ #MeToo, Gamergate, Social Media Need to align messaging with corporate values There’s always a use case that completely challenges training or instructions you put out ⎻ Remember: Risk Averse! If one use case doesn’t fit it can and will derail you! It takes a long time to navigate large companies
  • 16. KNOW YOUR STRUCTURE 16  Healthcare is unique with leadership churn at the top To get promoted or advance, you usually have to move to another organization ⎻ I only ever worked for one CIO that spent more than 10 years in a job This results in an executive class (Director and up) that routinely changes jobs every few years This executive class knows each other very well – many were peers at other institutions You normally don’t become a healthcare executive without knowing someone There is a palpable disconnect between the Senior Leadership Team and everyone else, no matter what org you work for
  • 17. The Groups That Matter 17  There is also a group that has the team members that have been with the organization the longest and have the most history Typically this has the managers and team members as the main members of the cohort In my experience, very few people actually work their way up from team member to executive in a company – they leave beforehand This is the group you want to be best friends with
  • 18. What we have to account for… 18 There is a disconnect between the executive leadership and team members that you have to account for The communication you would expect between them may not be there There is a lack of knowledge of the whys of issues There is also a lack of trust between upper management and teams Governance is therefore difficult
  • 19. How are risk assessments normally completed? 19  Managers are often the ones with the most knowledge, but are not normally part of the decisioning or risk assessment processes Enterprise Risk usually includes directors and executives with little manager input Information Security RiskAssessments usually have hand-picked team members that senior leadership and consultants vet I’ve been in these meetings. This is normal behavior for the C suite
  • 20. We need to start with the basics 20 Know the business well. Interview everyone you can possibly speak to. People will talk and open up if you actively listen to them Understand customer needs. Understand personal concerns of team members
  • 21. The goal: Get people to speak with you first about security issues 21 There are two things you need to do: Listen and follow up consistently This includes personal security issues Your credibility is based on the ability to do these two things You will be viewed as an outsider if you don’t do this If you pull this off, your customers will tip you off to what is going on If you don’t, they will ignore issues and perceive the organization as not caring
  • 22. The truth: Risk assessments don’t capture much and here’s why 22  Many members of upper management view risk assessment results or audit results as a direct knock on their ability to manage There are some CIOs and executives that will purposely hide known issues to look better in front of peers. I have personally seen a CIO hide evidence of known issues because he didn’t want the CFO finding out and making him look bad ⎻I later made it my mission to resolve said issues after he retired
  • 23. The truth: Risk assessments don’t capture much and here’s why 23  This means that there are many managers who aren’t telling their Directors or above what’s really going on because they are afraid for their jobs There are managers and above that want to look good to make it to the next level, so they proceed to cover these items up Little do many of these managers realize that we are wise to their actions However, this means that when you assess for risk, you’re getting a sanitized answer Human nature is security’s worst enemy They make themselves look good, and hand pick people to answer ⎻ This eventually gets found out and it’s not good!
  • 24. Who do you make friends with? 24 SimonTravaglia had it right with the BOFH. Make friends with the cleaning staff, facilities, and security. The PCTechs are your best friends for finding out what is really going on. The actual application administrators are also your friends You also should know every Administrative Assistant in the organization Remember where the swag goes! If you are a provider, Nursing and the Call Center Admin staff are also your best friends
  • 25. Be your own PR Firm 25  No one knows who you are if you don’t advertise You need to get out there and speak at conferences, do webinars, and publish articles Your customers read them and will follow you on social media People will come up to you, especially over yourTwitter feed You need to constantly publish and present internally for people for outreach Otherwise, you’re going to be sitting in a corner with no customers
  • 26. SENIOR LEADERSHIP 26  Senior leadership is more apt to listen to analysts, the Big 4, or their peers than their own teams Hence the “I met this person at a CIO or IT Executive conference who can solve all our problems” meetings If you’re delivering the message at the conferences, you’re more credible Senior Leadership listens when you publish and can be cited ⎻Not in some vendor-sponsored mag they ignore They also listen when you work with standards bodies ⎻Especially IEEE, NIST,ANSI, or ISO
  • 27. Be your own publisher 27  Don’t let the perception of security for your customers be that from the major analyst firms, Big 4 consultants, or scary ads from vendors They don’t have boots on the ground or get it Witness the large number talking about emerging tech without discussing the new classes of risks (Blockchain anyone?) Get the word out on what is really going on to your customers directly Get onto the good threat intel lists such as REN-ISAC, H-ISAC, and the FBI’s alerts and distill the word out to your friends
  • 28. Be your own Publisher 28 Avoid the circumspect march toward yet another unneeded high priced technical solution with a smiling face and get people to something they can actually use that produces results “Tell me what I need to do” – Former CIO I worked for in a leadership meeting Focus on distilling news and OSINT into actionable operational knowledge Follow up with customers to make sure they understand Be their guide and they will be yours OSINT is nothing without action and it becomes less than intelligence
  • 29. What are the end goals? 29 OSINT –You take the knowledge that’s out there and adapt it for the people in the organization that will use it for more than PowerPoint fodder OSINT –You replace the constant stream of FUD with real applicable information, not what the latest buzzword of the week is that someone wants to sell you or scare senior leadership with
  • 30. What are the end goals? 30 RECON –You get people across the organization feeding you information you can use to better secure it RECON –You reduce risk by addressing what the team finds important, not what’s distilled up to senior management to make aspirational managers look good
  • 31. How do I follow up? 31 I will be around to answer questions Follow or DM me onTwitter at @mitchparkerciso Follow or connect on LinkedIn: https://www.linkedin.com/in/mitchparkerciso/ View my blog at: https://www.csoonline.com/blog/security-from-the- upside-down/