Click here to read our latest white paper, "Ethical Hacking: Real ...


Contents

Overview
Why Should We Hack Our Own Systems?
    Healthcare is a Soft Target
    How About Those Compliance Requirements
    Breach Avoidance: Compliance Is Not Enough
    Supporting Information Security Teams
Anatomy of a Penetration Test & Top 10 Exposure Areas
    Overview
    Penetration Testing Methodology
    Top 10 Hacking Exposure Areas
Penetration Testing Approaches
    Internal and External Penetration Testing
    Social Engineering and Phishing Testing
    Wireless Security Testing — a View into the Company Network from the Parking Lot
    Web Application and Patient Portal Testing
    Medical Device Security Testing
    Account and Password Security Assessments
Getting Help with Penetration Testing
    What to Look for When Hiring a Vendor
    How Often Should You Conduct a Penetration Test?
Conclusion
About Meditology
    For More Information


Overview

Many organizations make assumptions regarding the security and integrity of their IT systems and network without ever confirming that these assumptions are valid. Oftentimes it is not until an actual security incident occurs that the security risk is exposed and the response capabilities are tested, which is often too late to prevent damage to the organization.

One does not have to look far to see the increase in data breaches and hacking attacks that have been occurring recently, as these seem to be an almost daily headline in the news. Although many of the recent large breaches have targeted organizations outside of healthcare, attacks on health data are significantly on the rise, as highlighted by the recent Anthem and Premera Blue Cross data breaches.

Penetration testing, also sometimes referred to as ethical hacking, is terminology used by members of the information technology security community to describe an authorized assessment that simulates the activities a hacker or malicious insider might carry out. Such a test provides the closest thing to a real-life scenario for dealing with an attack.

Performing a penetration test can help identify the current state of the security posture and actual technical exposures of an organization to support the prioritization of remediation activities.

Testing helps to validate if patching processes are operating effectively, users have strong passwords, IT teams are securely implementing applications and infrastructure components, firewalls are securely configured, medical devices are protected, and other critical security controls are effective.

Figure 1 - Penetration testing screenshot examples showing (i) PACS image and (ii) breached Electronic Health Record system


Why Should We Hack Our Own Systems?

Healthcare is a Soft Target

Organizations often struggle to understand why a cybercriminal would want to attack a healthcare facility rather than other industries with direct access to payment systems, such as finance or retail. The primary reason to target healthcare data is that medical data and medical identity theft can be very lucrative, and the data is relatively easy to access due to the lax state of information security in healthcare.

Credit card numbers sell for anywhere between $1 and $20 on the black market and Social Security numbers sell for about $1, whereas medical data sells for an estimated $50 per record [1]. As such, medical data is effectively 50 times more valuable than other data types. Medical data is more valuable because it can be used to file false medical insurance claims, commit traditional identity theft, or order controlled substances and other prescription medications.

A typical healthcare facility may have one or more of the following factors that increase the likelihood of a breach event:

Storing large volumes of medical data on dozens of systems and applications with varying security controls.

Maintaining sensitive data types including Social Security numbers of patients and employees, and credit card data for patient payment systems, gift shops, donations, and other purposes.

Supporting legacy systems that are not configured with routine security updates.

Allowing open physical security policies and procedures intended to permit patients and visitors access to healthcare services.

Connecting unsecure medical devices to the network.

Granting access to vendors and Business Associates with limited security and monitoring controls.

Under-funding security budgets that must address both regulatory and risk-based security remediation and controls.

According to the Ponemon Institute,

Criminal attacks on healthcare organizations have increased 100% since 2010.

Healthcare breaches have a per record cost of $305, which is higher than the $188 per record cost in other industries [2].

[1] RSA, the security division of EMC. (2013) Cybercrime and the Healthcare Industry. Available from http://www.emc.com/collateral/white-papers/h12105-cybercrime-healthcare-industry-rsa-wp.pdf.

[2] Ponemon Institute. 2013 Cost of Data Breach Study: Global Analysis. Available from http://www.ponemon.org/library/2013-cost-of-data-breach-global-analysis.


How About Those Compliance Requirements

Healthcare organizations are faced with regulatory compliance programs with formidable security requirements that must be addressed on a continuous basis. The most common regulatory programs include the HIPAA Security Rule, HIPAA Omnibus, American Recovery and Reinvestment Act (HITECH), Meaningful Use incentive program requirements, and the Payment Card Industry Data Security Standard (PCI DSS). Each compliance program has specific requirements for security testing as outlined below.

The HITECH Act and HIPAA Omnibus Rule acknowledge the increased risk associated with storing and transmitting Protected Health Information (PHI) by introducing strong penalties (i.e. using a “heavy stick” approach) for healthcare providers and their Business Associates and subcontractors who fail to meet the HIPAA Security and Privacy Rule mandates.

Prior to the enactment of the HITECH Act, the imposition of civil penalties under HIPAA was limited to a maximum of $100 per violation and $25,000 for all violations of an identical requirement or prohibition occurring within the same calendar year. In February 2009, HITECH increased the penalties with a minimum of $100 up to $50,000 per violation, with maximum penalties for violations of the same HIPAA provision of $1.5 million per year. Additionally, criminal penalties of up to $250,000 and up to 10 years in prison for HIPAA violations apply to healthcare “covered entities” and also to employees and other individuals. In 2013, the Omnibus Rule upped the ante even further by allowing for fines of up to $1.5 million per violation, regardless of how many violations occur concurrently within a given calendar year.

The Meaningful Use incentive provisions also threaten reduced reimbursement, starting in 2015, for entities who have not met the requirements for securing Electronic Health Records (EHRs) and patient portals.

PCI DSS

•PCI Requirement 11.3 [4] requires penetration testing (internal and external testing) if an organization accepts credit card payments from patients or visitors.

•Required annually or after any major infrastructure change.

•Exploited vulnerabilities must be corrected and re-tested.

HIPAA/HITECH/Omnibus & Meaningful Use

•NIST SP 800-66 [3] states a penetration test should be conducted as part of a HIPAA security risk technical evaluation.

•Supports a thorough risk analysis of the environment and application testing in line with Meaningful Use.

•Can be aligned with the HITRUST framework and testing of risk domains.

[3] NIST Special Publications (800 Series). (2008) An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule. Available from http://csrc.nist.gov/publications/nistpubs/800-66-Rev1/SP-800-66-Revision1.pdf.

[4] PCI Security Standards Council. (2015) Payment Card Industry (PCI) Data Security Standard, Version 3.1. Available from https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf.


Breach Avoidance: Compliance Is Not Enough

There is no silver bullet for preventing breaches; mature security programs need to provide multiple layers of protection to be effective at addressing risks and threats. Hardening systems, conducting regular vulnerability scanning, testing application code, putting robust processes and procedures in place, and having tools to detect and stop attacks are all necessary for building an effective security program.

Conducting penetration tests can provide an organization with a check-up on whether or not the security program is working as designed. Conducting an annual penetration test can also help show the progress of the security program and whether the program is moving forward and keeping pace with emerging threats.

Figure 2 - Example vulnerability assessment conducted as part of a penetration test

Supporting Information Security Teams

The importance of information security and risk management is not always well understood at the senior leadership level of many healthcare organizations. This can lead to the information security team not having the full support of the leadership team resulting in difficulties justifying the resources and budgets necessary to support the security program.

Presenting the results of a penetration test and demonstrating possible attack scenarios and outcomes specific to the organization can create an eye-opening experience for senior leadership.

During recent penetration testing exercises, Meditology was able to obtain millions of patient records and gain access to the organization’s most sensitive applications and systems both from the internal network as well as from public-facing Internet touch points. These exercises exposed security weaknesses that IT and security teams were able to rectify well in advance of any potential malicious attacks which could exploit those weaknesses. These real-world attack simulations emphasized to senior leadership the importance of continuing to build and maintain a robust security and risk management program.

Penetration tests are also valuable as an educational tool to help IT departments understand the implications of misconfigured systems and applications. Such tests provide teachable moments, which can be one of the most effective ways to impact the overall security posture of an organization over time.


Anatomy of a Penetration Test & Top 10 Exposure Areas

Overview

A typical penetration testing assessment may take several weeks to complete depending on the size of the organization and includes both external (malicious outsider) and internal (malicious insider) testing assessments. After testing is complete, a detailed report is produced that outlines the tests conducted, access propagation, security weaknesses and recommendations to correct them, and details of each component tested.

Typical penetration testing assessments include:

External Penetration Testing

Internal Penetration Testing

Social Engineering Exercises

Phishing Email Campaigns

Physical Security Testing

Wireless Security Assessments

Patient Portal and Web Application Testing

Medical Device Assessments

Account and Password Assessments

These assessments are further outlined in the section Penetration Testing Approaches.

Penetration Testing Methodology

Penetration testing assessments are conducted according to specific methodologies depending on the type of testing. The following describes five phases for typical internal and external testing assessments. Each phase builds upon the previous phase.

1. Reconnaissance

2. Network Surveying

3. Vulnerability Testing

4. Manual Testing (Ethical Hacking)

5. Analysis and Reporting


Top 10 Hacking Exposure Areas

The following list is the top 10 most common security exposure areas that Meditology has observed from penetration tests of healthcare organizations across the country from the period of 2013 through 2015.

1. Weak & Easily Guessable Passwords

2. Plaintext Credentials

3. Missing Critical Security Patches / Outdated OSs

4. Weak Database Administrative Passwords

5. Generic or Default Accounts & Passwords

6. Network Shares with Improper Access Controls

7. Unauthenticated VNC Remote System Access

8. Insecure File Transfer Protocol (FTP)

9. Physical Security Gaps

10. Social Engineering Weaknesses


Penetration Testing Approaches

Internal and External Penetration Testing

Internal penetration testing examines the security surrounding internally connected systems, typically within a corporate network. An internal assessment involves finding and exploiting actual known and unknown vulnerabilities from the perspective of an inside attacker or someone with physical or logical access to the internal network. An internal assessment attempts to breach the target as a user with varying levels of access.

The internal assessment can simulate:

A malicious employee or malevolent contractor

A hacker who gains physical access to a network port or computer

External penetration testing examines the external systems for any weakness that could be used by an attacker to disrupt the confidentiality, availability or integrity of the network. This test is conducted from the viewpoint of an outside attacker (from the Internet) exploiting a weakness in the security of a public-facing network or application. An external penetration test also involves finding and exploiting actual known and unknown vulnerabilities to determine what information is exposed to the outside world.

The external assessment can simulate:

A hacker targeting systems from the Internet

A competitor or foreign entity targeting the organization

Social Engineering and Phishing Testing

Social Engineering involves psychologically manipulating people into performing actions or divulging confidential information, such as their password, and as a result bypassing normal security procedures. The attacker uses public information from company websites, social media sites, social skills and human interaction to obtain information about an organization, its computer systems and other information in order to gain access to the network.

Phishing is a method of obtaining sensitive information from users through deception. Phishing attacks target the acquisition of account information, including user names and passwords, that can be used to obtain unauthorized access to systems that contain PHI or other confidential information. Phishing techniques, typically conducted via email, involve deception to try and convince users to provide personal information that should not be released.

According to the Verizon Data Breach Report:

“Analysis found that 78 percent of initial intrusions into corporate networks were relatively easy. Many attackers used a phishing attack, convincing employees to give up credentials, and taking advantage of weak or default passwords on remote services to gain initial access to the network.” [5]


Conducting social engineering and phishing exercises helps to reduce the risk and exposure to some of these attacks, and also helps to determine the effectiveness of the security training and awareness program. Social engineering exercises also help an organization test the effectiveness of their policies and procedures.

Figure 3 - Example emails used in Meditology phishing campaigns

[5] Verizon. 2013 Data Breach Investigations Report. Available from http://www.verizonenterprise.com/resources/reports/rp_data-breach-investigations-report-2013_en_xg.pdf.

Wireless Security Testing — a View into the Company Network from the Parking Lot

Wireless testing examines the wireless network to identify and exploit accessible wireless access points and wireless traffic to gain access to the organization’s network and sensitive data. Since wireless signals often leak outside buildings or can be reached with high-range antennas, wireless security poses additional risks to an organization. Wireless testing may include encryption key attacks, wireless traffic sniffing, man-in-the-middle attacks, and vulnerability attacks.

The wireless assessment can simulate:

A malicious user connected to the guest network and attempting to gain access to the internal network.

A hacker attempting to bypass wireless security and gain access to the internal network or sensitive data.

Web Application and Patient Portal Testing

Web application security testing combines application-specific vulnerability and penetration testing to assess the security and integrity of the application. This test checks the application for security and coding weaknesses and attempts to exploit them to gain unauthorized access to the application or to sensitive data and functions.

Patient portals serve as a critical component of a healthcare organization. Meaningful Use Stage 2 requires the establishment of a secure web-based patient portal used by both providers and a substantial number of patients. Conducting a patient portal assessment helps demonstrate the portal is secure and can meet Meaningful Use Stage 2 requirements.


The web application and patient portal assessment can simulate:

A hacker from the outside attempting to exploit a vulnerability or security weakness to gain access.

A malicious authorized user that attempts to circumvent security controls within the application to gain access to unauthorized sensitive data or manipulate data.

For more information, see Meditology’s patient portal security whitepaper available from http://www.meditologyservices.com/thought-leadership/2014/securing-patient-portals/

Medical Device Security Testing

The security of medical devices and biomedical equipment is an area increasingly subject to scrutiny by the healthcare industry and associated regulators. Many medical devices contain configurable embedded operating systems that can be vulnerable to security breaches. In addition, medical devices are increasingly interconnected both within and outside an organization’s network. As such, there is an increased risk of security breaches which could affect how a medical device operates or the safety of patients.

The FDA recently issued recommendations for medical device manufacturers and health care facilities to ensure that appropriate safeguards are in place to reduce the risk of failure due to cyber security attacks. Conducting an assessment of medical devices can help to identify security weakness before a breach occurs and potentially causes harm to a patient.

The medical device assessment can simulate:

A cyber security attack initiated by the introduction of malware into the medical device.

Unauthorized access to configuration settings in medical devices and the organization’s network.

Figure 4 - Penetration testing of medical devices commonly connected to the network

Account and Password Security Assessments

Network accounts and their associated passwords are oftentimes the weakest security link in healthcare organizations. Organizations maintain many accounts, and these accounts may have weaknesses such as generic or default accounts with default or easily guessable passwords. A simple weakness of having a generic account with an easily guessable password could lead to a full compromise of the network.


Conducting periodic account and password assessments can help to find and correct these weaknesses before a hacker does. This testing involves obtaining the account database and using password cracking and analysis tools to report on what is in place and what actions can be taken (technical, process, and training) to help mitigate the risks identified.
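As an added illustration of the analysis such an assessment produces (example code written for this page, not Meditology's tooling), the following Python script takes a constructed list of accounts and their recovered passwords, buckets each account by the complexity requirement it fails, and flags generic accounts, default passwords and passwords shared across accounts. The policy thresholds, the generic-name and default-password lists, and every sample row are assumptions made for the example.

```python
"""Password assessment reporting on a constructed sample (not real audit data)."""
import re
from collections import Counter, defaultdict

# Constructed sample export: (account, recovered password). An empty password
# means the assessor's tools did not recover it within the assessment window.
SAMPLE_RESULTS = [
    ("jsmith", "Summer2015"),
    ("admin", "admin"),
    ("nurse1", "Welcome1"),
    ("nurse2", "Welcome1"),
    ("dbadmin", "password"),
    ("guest", "guest"),
    ("mchen", "Tr0ub4dor&3"),
    ("svc_backup", "Backup2015!"),
    ("rlopez", ""),
    ("ciso", ""),
]

# Assumed policy: at least 8 characters drawn from at least 3 character classes.
MIN_LENGTH = 8
MIN_CLASSES = 3

# Assumed lists of generic account names and default passwords to flag.
GENERIC_ACCOUNT_NAMES = {"admin", "administrator", "guest", "test", "temp", "user"}
COMMON_DEFAULTS = {"password", "admin", "guest", "welcome1", "changeme", "123456"}


def complexity_classes(password):
    """Count the character classes used: upper, lower, digit, symbol."""
    patterns = (r"[A-Z]", r"[a-z]", r"[0-9]", r"[^A-Za-z0-9]")
    return sum(1 for p in patterns if re.search(p, password))


def complexity_bucket(password, min_length=MIN_LENGTH, min_classes=MIN_CLASSES):
    """Assign one recovered password to the bucket charted in the assessment."""
    if password == "":
        return "not recovered"
    if len(password) < min_length:
        return "below minimum length"
    if complexity_classes(password) < min_classes:
        return "length ok, too few character classes"
    return "meets complexity requirements"


def analyze(results, min_length=MIN_LENGTH, min_classes=MIN_CLASSES):
    """Return (bucket counts, findings) for a list of (account, password) rows.

    A password that meets the complexity policy is still flagged when it is a
    well-known default: complexity rules alone do not stop guessing.
    """
    buckets = Counter()
    findings = []
    accounts_by_password = defaultdict(list)
    for account, password in results:
        buckets[complexity_bucket(password, min_length, min_classes)] += 1
        if account.lower() in GENERIC_ACCOUNT_NAMES:
            findings.append((account, "generic account name"))
        if password and password.lower() in COMMON_DEFAULTS:
            findings.append((account, "default or common password"))
        if password and password.lower() == account.lower():
            findings.append((account, "password equals account name"))
        if password:
            accounts_by_password[password].append(account)
    # Shared passwords: one recovered value opens every account that uses it.
    for password, accounts in accounts_by_password.items():
        if len(accounts) > 1:
            findings.append((",".join(sorted(accounts)), "password shared across accounts"))
    return buckets, findings


def report_lines(results):
    """Render the chart data and findings as text lines for the report."""
    buckets, findings = analyze(results)
    lines = ["Number of accounts by password complexity requirement:"]
    lines += [f"  {bucket}: {count}" for bucket, count in sorted(buckets.items())]
    lines.append("Findings:")
    lines += [f"  {subject}: {issue}" for subject, issue in findings]
    return lines


if __name__ == "__main__":
    print("\n".join(report_lines(SAMPLE_RESULTS)))
```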

Figure 5 - Examples of analysis from a typical password assessment (bar chart: Number of Accounts by Password Complexity Requirements)


Getting Help with Penetration Testing

What to Look for When Hiring a Vendor

There are many different vendors that offer penetration testing services, but the quality and types of services vary. Use the following tips to help select the right security partner:

1. Does the vendor have experience in conducting healthcare penetration testing? Is healthcare the primary focus? What are the vendor’s qualifications in the industry? Is the vendor familiar with healthcare environments and their unique issues, healthcare applications, and medical equipment? Ask the vendor for references from healthcare organizations.

2. Does the vendor know the healthcare regulatory landscape (e.g., HIPAA, HITECH, Omnibus, and PCI)?

3. Does the vendor conduct a comprehensive test that includes many types of scenarios?

4. Is the vendor only conducting a vulnerability scanning assessment? A penetration test consists of more than just identifying vulnerabilities. A thorough test also involves exploiting the vulnerabilities and manually testing for security holes that an automated tool might not be able to discover.

5. Does the vendor try to gain access as well as identify an organization’s security weaknesses through the penetration tests?

6. Is the vendor’s staff professional and do they know how to communicate the technical results through reporting and presentation to senior leadership and other non-technical stakeholders? Does the vendor have testing methodologies?

7. Does the vendor know how to minimize the potential for impacting patient safety and critical systems including common healthcare applications that may be brought offline due to vulnerability scanning activities?

8. Does the vendor provide clear, prescriptive, and tailored recommendations and offer advice to help an organization address and correct the weaknesses discovered during the testing?

How Often Should You Conduct a Penetration Test?

There is no hard and fast rule regarding when and how often an organization should conduct a penetration test. The frequency is based on many factors such as regulatory compliance obligations, the value of the information being protected, the objectives and type of security problem being assessed, major changes to the environment, the size of the organization, and the type of support and budget for these activities.

The following section offers recommendations regarding the frequency of penetration tests:

If an organization has never conducted a penetration test and wants to protect valuable assets, conduct a comprehensive test as soon as possible.

If an organization has conducted its first penetration test, plan to conduct penetration tests annually and after any major infrastructure change.

If a penetration test identifies critical vulnerabilities, retest after remediation is complete.

If an organization conducts a risk assessment (e.g., HIPAA, PCI), conduct a penetration test at the same time to support the risk assessment process from a deep technical perspective.

If an organization wants to address specific security concerns, schedule targeted types of penetration tests either quarterly or semiannually. These tests may include vulnerability scanning (external and internal), security awareness testing (social engineering and phishing), wireless security assessments, application assessments, or account and password assessments.


Conclusion

Healthcare organizations are increasingly becoming a target for hackers and cybercriminals, as the recent major healthcare data breaches have shown. The value of patient data, coupled with a growing number of complex systems and applications electronically storing, communicating and exchanging sensitive data within a typical healthcare facility, has made it a rich target. Conducting regular penetration testing as described in this white paper can assist organizations in identifying their weaknesses, gaining the support they need, taking the necessary actions to prevent a data breach from occurring, and maturing their overall security program.

About Meditology

Meditology Services LLC is a healthcare-focused advisory services firm with core principles of quality, integrity, loyalty, and value. Our executive team has an average of 15 years of consulting and operational experience in healthcare with provider and payer clients nationally of varying size and complexity. We understand the importance of relationships, and derive much of our business from a long list of satisfied clients who value the quality of our work products combined with the professionalism, approach, and innovative solutions we bring to our engagements.

Meditology’s security professionals have decades of experience and expertise in conducting penetration testing specifically for healthcare organizations across the country.

For More Information

Meditology Services LLC 5256 Peachtree Road, Suite 190 Atlanta, GA 30341 [email protected] Tel. (404) 382-7591 www.meditologyservices.com