Healthcare Security Essentials - Meetupfiles.meetup.com/1582256/Healthcare Security... · Services...

Page 1

Healthcare Security Essentials

Jean Pawluk, CISSP

Page 2

A little bit of background

Page 3

Healthcare Headlines in the News

Page 4

Cignet

$4.3 million civil money penalty for violations of the HIPAA Privacy Rule

Page 5

Yep, “They really are out to get you”

Page 6

Motivation

Theft of services

Identity theft

Fraud

Embarrassment

Harm

Denial of service

Page 7

Costs of Medical Identity Theft 2010

Data courtesy of Ponemon Institute:

• 2010 Benchmark Study on Patient Privacy and Data Security

• Second Annual Survey on Medical Identity Theft

• 2010 Annual Study: U.S. Cost of a Data Breach

$214 per healthcare record

$20,663 average cost to victim

$2 Million per healthcare data breach

Page 8

Rules

Page 9

Lots of rules

Page 10

Confused ?

You Can…………

You Can’t……...

You Can………

You Can’t …….

Page 11

Security is About

• People

• Process

• Technology

It’s everyone’s business, and in healthcare it is your business

Page 12

Lots of Healthcare Rules

• HIPAA

• HITECH

• HL7

• ISO/CEN

• Non-US Healthcare

– EU, Canada, Australia, Singapore

Page 13

Sensitive Health Information

“Individually identifiable health information” is information, including demographic data, that relates to:

• the individual’s past, present or future physical or mental health or condition,

• the provision of health care to the individual, or

• the past, present, or future payment for the provision of health care to the individual,

and that identifies the individual, or for which there is a reasonable basis to believe it can be used to identify the individual (45 CFR 160.103).

Page 14

Electronic Protected Health Information

Health information becomes PHI when it is tied to any of the following identifiers. The list tracks the HIPAA Safe Harbor de-identification identifiers (45 CFR 164.514(b)(2)): remove all of them and the data is no longer PHI.

• Name

• Address (all geographic subdivisions smaller than a state, including street address, city, county and ZIP code)

• All elements (except year) of dates directly related to an individual (birth date, admission date, discharge date, date of death), and all ages over 89

• Telephone numbers

• Fax numbers

• Email addresses

• Social Security numbers

• Medical record numbers

• Health plan beneficiary numbers

• Account numbers

• Certificate/license numbers

• Vehicle identifiers and serial numbers, including license plate numbers

• Device identifiers and serial numbers, including those of implants

• Web URLs and IP addresses

• Biometric identifiers, including finger and voice prints

• Full-face photographs and any comparable images

• Passport numbers and state ID card numbers

• Any other unique identifying number, characteristic or code
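The identifiers above are what a de-identification pass has to find and remove. What follows is an added example, not code from the slides: a regex-based Safe Harbor scrub of a constructed clinical note. It shows the details a naive "strip every number" pass gets wrong: the year of a date may stay, ages up to 89 may stay while older ages collapse to 90+, and a ZIP code may keep its first three digits only where that three-digit area has more than 20,000 people (the census lookup is assumed and passed in as a set of restricted prefixes). The MRN format and the sample note are constructed; names and street addresses need a dictionary or NLP and are not handled here.

```python
import re
from collections import Counter

# Shape-based identifiers. Order matters: specific patterns run first so
# that, for example, an SSN is not later mistaken for a ZIP code.
PATTERNS = [
    ("SSN", re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    ("PHONE", re.compile(r"(?:\+1[ .-]?)?(?:\(\d{3}\)|\b\d{3})[ .-]?\d{3}[ .-]?\d{4}\b")),
    ("EMAIL", re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")),
    # Hypothetical medical record number format: "MRN" then 6-10 digits.
    ("MRN", re.compile(r"\bMRN[ #:]*\d{6,10}\b")),
]

# Dates: Safe Harbor lets the year stay, so only month and day are dropped.
DATE_ISO = re.compile(r"\b(\d{4})-\d{2}-\d{2}\b")
DATE_US = re.compile(r"\b\d{1,2}/\d{1,2}/(\d{4})\b")

# Ages: exact ages up to 89 may stay; anything older becomes "90+".
AGE = re.compile(r"\b(age[d]?)\s+(\d{1,3})\b", re.IGNORECASE)

# ZIP codes: keep the first three digits, unless that 3-digit area has
# 20,000 people or fewer, in which case the whole code becomes 000.
ZIP = re.compile(r"\b(\d{3})\d{2}(?:-\d{4})?\b")


def deidentify(text: str, restricted_zip3: frozenset = frozenset()) -> tuple[str, Counter]:
    """Return the scrubbed text and a count of what was removed, by type.

    restricted_zip3: three-digit ZIP prefixes whose population is 20,000 or
    less. Supplying it is the caller's job (assumed; the census lookup is
    outside this example).
    """
    counts: Counter = Counter()

    def replace_with_tag(label: str):
        def repl(_match: re.Match) -> str:
            counts[label] += 1
            return f"[{label}]"
        return repl

    for label, pattern in PATTERNS:
        text = pattern.sub(replace_with_tag(label), text)

    def keep_year(match: re.Match) -> str:
        counts["DATE"] += 1
        return match.group(1)  # the captured year

    text = DATE_ISO.sub(keep_year, text)
    text = DATE_US.sub(keep_year, text)

    def cap_age(match: re.Match) -> str:
        word, age = match.group(1), int(match.group(2))
        if age <= 89:
            return match.group(0)
        counts["AGE"] += 1
        return f"{word} 90+"

    text = AGE.sub(cap_age, text)

    def truncate_zip(match: re.Match) -> str:
        counts["ZIP"] += 1
        prefix = match.group(1)
        return "000" if prefix in restricted_zip3 else prefix + "00"

    text = ZIP.sub(truncate_zip, text)
    return text, counts


# Constructed clinical note, not a real record.
SAMPLE_NOTE = (
    "Patient MRN 00123456, DOB 1952-03-14, age 72, admitted 03/02/2010. "
    "SSN 123-45-6789, phone (410) 555-0123, email jane.public@example.com, "
    "home ZIP 21201-1234."
)

if __name__ == "__main__":
    scrubbed, removed = deidentify(SAMPLE_NOTE)
    print(scrubbed)
    print(dict(removed))
```

The counter is worth keeping in a real pipeline: a note that yields zero hits for SSN or MRN across a whole extract is more likely a sign that the pattern list missed a format than that the data was clean.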

Page 15

Gramm-Leach-Bliley Act (GLBA)

“Nonpublic personal information” is personally identifiable financial information that a consumer provides to obtain (or in connection with) a financial product or service, that results from any transaction involving a financial product or service between you and a customer, or that you otherwise obtain in connection with providing a financial product or service.

Examples of customer nonpublic personal information include but are not limited to:

• Social Security Number

• Credit Card Number

• Account Numbers

• Account Balances

• Any Financial Transactions

• Tax Return Information

• Driver’s License Number

• Date/Location of Birth

Page 16

Even More Rules

• PCI

• SOX (public companies)

• FISMA

• Privacy Rules

– EU

– Canada

– Australia

Page 17

More Challenges

Page 18

Health Technology Challenges

• Heterogeneous devices

• Laptops, portable devices, backup media, and wireless infrastructure

• Medical devices

• Complexity

• Boundaries are not fixed

Page 19

Sources of Embarrassment?

Page 20

General Security Standards

200+ standards for Internet and information systems, grouped as:

Authentication

• Identification

• Signature

• Non-repudiation

Data Integrity

• Encryption

• Data integrity process

• Permanence

System Security

• Communication

• Processing

• Storage

Internet Security

• Personal health records

• Secure Internet services

Healthcare Security Standards

Page 21

Key Areas of ISO 17799

(ISO/IEC 17799 was renumbered ISO/IEC 27002 in 2007; the control areas below are unchanged.)

• Security Policy

• Security Organization

• Asset Classification

• Personnel Security

• Physical Security

• Communications & Operations

• Access Control

• System Development & Maintenance

• Incident Handling

• Business Continuity Planning

• Compliance

All of them protect DATA: Confidentiality, Integrity, Availability

Page 22

ISO 27799

Security management in health using ISO 17799/27002. Information in scope:

• Personal health information

• Pseudonymized data derived from personal health information

• Statistical and research data derived by removal of personally identifying data

• Clinical / medical knowledge not related to specific patients (e.g., data on adverse drug reactions)

• Data on health professionals and staff

• Information related to public health surveillance

• Audit trail data produced by health information systems that contain personal health information, or data about the actions of users in regard to personal health information

• System security data, e.g. access control data and other security-related system configuration data for health information systems

Page 23

ISO 27799:2008 Health informatics

• Threats to health information security

• How to carry out the tasks of an information security management system for health, applying the controls of ISO 17799 (ISO/IEC 27002)

Page 24

Healthcare Security Steps

1. Identify systems at risk
Systems containing sensitive healthcare, financial and IP data and/or having a high business risk

2. Information gathering and planning
Partner with subject matter experts to gather information to identify system exposures

3. Evaluate risk & vulnerability
Risk is the expected damage: the likelihood that an exposure is attacked, weighted by the impact if it is

4. Identify possible solutions (controls / mitigation)
Processes, tools & procedures that reduce the probability of an exposure being exploited; leverage common security architecture & processes

5. Determine feasibility & acceptable risk
Feasibility based on key dependencies, technological know-how and business readiness; the business may decide to accept lower risk factors based on feasibility

6. Roadmap prioritization
Putting it all together

7. Execute the plan

8. Repeat

Page 25

Information Security

Page 26

2010 CWE/SANS Top 25 Programming Errors

1. CWE-79 XSS

2. CWE-89 SQL Injection

3. CWE-120 Classic Buffer Overflow

4. CWE-352 CSRF

5. CWE-285 Improper Authorization

6. CWE-807 Reliance on Untrusted Inputs in Security Decision

7. CWE-22 Path Traversal

8. CWE-434 File Upload

9. CWE-78 OS Command Injection

10. CWE-311 Missing Encryption

11. CWE-798 Hard-coded Credentials

12. CWE-805 Incorrect Length Value in Buffer Access

13. CWE-98 PHP Remote File Inclusion

14. CWE-129 Uncontrolled Array Index

15. CWE-754 Improper Check for Exceptional Conditions

16. CWE-209 Error Message Infoleak

17. CWE-190 Integer Overflow/Wrap

18. CWE-131 Incorrect Buffer Size Calculation

19. CWE-306 Missing Authentication

20. CWE-494 Download of Code Without Integrity Check

21. CWE-732 Insecure Permissions

22. CWE-770 Allocation of Resources Without Limits or Throttling

23. CWE-601 Open Redirect

24. CWE-327 Broken Crypto

25. CWE-362 Race Condition

http://www.sans.org/top25-software-errors/
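Number 2 on the list, in the setting this deck is about, as an added example that is not from the slides: CWE-89 in a patient lookup by medical record number, with the string-concatenated query beside the parameterized one and an identifier-shape check in front of it. The table, rows, MRN format and payload are constructed for illustration.

```python
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory patient table with constructed sample rows (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE patient (mrn TEXT PRIMARY KEY, name TEXT, diagnosis TEXT)"
    )
    conn.executemany(
        "INSERT INTO patient VALUES (?, ?, ?)",
        [
            ("A1001", "Alice Example", "hypertension"),
            ("B2002", "Bob Example", "type 2 diabetes"),
            ("C3003", "Carol Example", "asthma"),
        ],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, mrn: str) -> list[tuple]:
    """CWE-89: the caller's string is spliced into the SQL text, so the
    database parses it as SQL. A quote in the input ends the literal and
    whatever follows becomes part of the WHERE clause."""
    sql = f"SELECT mrn, name, diagnosis FROM patient WHERE mrn = '{mrn}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, mrn: str) -> list[tuple]:
    """Parameterized query: the input is bound as a value after the
    statement is compiled, so it cannot change the query's structure."""
    return conn.execute(
        "SELECT mrn, name, diagnosis FROM patient WHERE mrn = ?", (mrn,)
    ).fetchall()


# Constructed MRN format for this example: one capital letter, four digits.
MRN_SHAPE = re.compile(r"[A-Z]\d{4}")


def is_well_formed_mrn(mrn: str) -> bool:
    return MRN_SHAPE.fullmatch(mrn) is not None


def lookup_defensive(conn: sqlite3.Connection, mrn: str) -> list[tuple]:
    """Parameterization plus input validation: a malformed identifier is
    rejected before it reaches the database, which also gives the audit
    log a clean signal that someone is probing the lookup."""
    if not is_well_formed_mrn(mrn):
        raise ValueError(f"malformed MRN rejected: {mrn!r}")
    return lookup_safe(conn, mrn)


# Constructed tautology payload: closes the quoted literal, then ORs in a
# condition that is true for every row, so the lookup returns every patient.
TAMPERED = "x' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", lookup_vulnerable(db, TAMPERED))  # every patient
    print("safe:      ", lookup_safe(db, TAMPERED))        # no rows
```

Parameterization is the control; the shape check is defence in depth, not a substitute. Note that sqlite3's one-statement-per-execute rule is not a defence either: the tautology above never needs a second statement.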

Page 27

Dark Side – Think about abuse

Page 28

Image courtesy of xkcd.com

Page 29

Knock, knock, who's there? Do you really know who has your data ?

Page 30

Hard Lessons Learned

Page 31

What they did 1

Page 32

What they did 2

Page 33

What they did 3

Page 34

Summary

• Health Risk Management means You are Liable

• Use Compensating Controls

• Plan for Failure

• Trust but Verify

• Web services security is an oxymoron because technology is dynamic and browsers are frail

• Good security gets you compliance, but compliance ≠ good security

Page 35

Still Confused?

Page 36

Additional Information

Page 37

Resources

NIST SP 800-66 Rev. 1, An Introductory Resource Guide for Implementing the HIPAA Security Rule
http://csrc.nist.gov/publications/nistpubs/800-66-Rev1/SP-800-66-Revision1.pdf

NIST Health IT Standards and Testing program
http://healthcare.nist.gov/

PCI DSS Quick Reference Guide
https://www.pcisecuritystandards.org/documents/PCI%20SSC%20Quick%20Reference%20Guide.pdf

Cloud Security Alliance
http://www.cloudsecurityalliance.org/

Jericho Forum
http://www.opengroup.org/jericho/

HIPAA & HITECH (Shared Assessments)
http://www.sharedassessments.org/

ISO 27799:2008 Health informatics
http://www.iso.org/iso/iso_catalogue/catalogue_tc/catalogue_detail.htm?csnumber=41298

ISO/TS 21091:2005 Directory services for security, communications and identification of professionals and patients

Open Web Application Security Project (OWASP) Guide
http://www.owasp.org/index.php?title=Category:OWASP_Guide_Project&redirect=no

Page 38

Finis
