Security vs Compliance in Healthcare

Sean Whalen ([email protected]) @SeanTheGeek

Disclaimer

The views and opinions expressed here are my own, and may not represent those of my past, current, and post-apocalyptic employers.

Abstract

By 2014, medical facilities nationwide had implemented Electronic Health Records (EHR) as mandated by Congress. Today, most of these systems still use shared kiosk Windows accounts. This talk explores the risks of shared accounts, and alternatives that can provide much greater security and accountability while maintaining ease of access.

Background

- I’m a network defender
- I’ve never worked for a hospital or medical center
- But I do have chronic health problems, so I visit a lot of them
- I see lots of the same InfoSec problems
- I’d like to offer solutions to these problems

The session is not secure

Plenty of time

- Average alone time in oncology exam rooms: 34.9 minutes (Hamel et al., 2014)

Attack vectors

- Download malware from the web
- Copy data to/from a flash drive
- Drive-by downloads from web browsing
- USB Rubber Ducky and PowerShell

What can someone do with alone time?

- Install malware
  - Keyloggers
  - Screenshots
  - Destructive payloads
- Poke around the system
- Alter records
- Degrade the system
- Browse risky websites

"Why would someone do that?"

- Because they can
- Nosy
- Personal grudge
- Fraud
  - Financial fraud is relatively easy to spot and contain. Medical fraud... not so much

Healthcare data is largely static

- Identifying vulnerable people - OPM, anyone?
- Offers to pay medical debt
- Blackmail
- Extortion

Kiosk accounts are everywhere

- Not just in healthcare
  - Warehouses
  - Call centers
  - Factories
  - Distribution centers
  - Embedded devices

Risky business

- Many organizations with kiosk accounts have official policies which discourage/prohibit shared accounts
  - Exceptions
  - Accepted risks
  - POAMs
- No regulation (that I am aware of) requires separate system accounts in healthcare

Shared accounts provide no accountability

- How can you be sure that employee is the one who stole/altered the records, if anyone could install a keylogger on the system in seconds?
- Which employee clicked that phishing link?
- How do you know which customers may have been impacted?
- How long would your records stand up in court?

Countermeasures

Defense in depth

Current authentication options

- Passwords – We all know they are terrible
- Fingerprint readers – Very prone to read errors, especially with lots of hand washing
- Phone – Way too slow and too many points of failure
- RFID/Contactless “smart cards” – Easy to spoof or steal
- RSA tokens – Annoying to use when moving between many systems
- Contact smart/PIV/CIV/CAC cards
  - Initial setup can be challenging/costly if you don’t already have a robust PKI
  - Can be used for authentication to drive encryption, Windows, SharePoint, enterprise web apps, cloud services
  - Can be used to encrypt and/or sign files, documents, and emails

Contact smart cards/CIV cards

- Smart cards aren’t a cure-all, but they are a very good solution for controlling physical access to a system
- Can be used as an ID; can include RFID for existing door badge systems
- Should be used with a PIN for multi-factor authentication
- Can double as E-Prescription authentication
- Should be configured to force log off upon removal (GPO)
  - That way, the user is required to log off of a system before they can log onto another one
- With smart card reader keyboards, it’s harder to forget your card
- Further reading

Managed PKI providers

- Symantec and other Certificate Authorities offer managed PKI services
- Advantages
  - Your certificates are trusted outside of your org for things like email
  - Much shorter setup time
  - Usually lower costs when compared with starting from scratch in a large org
  - Interoperability with federal government PKI, and state and local agencies that follow federal PKI standards
- Disadvantages
  - Relying on the provider to remain secure

Restrict removable media

- Block removable media via endpoint security and/or GPO
  - This wouldn’t stop a USB Rubber Ducky, but why make it even easier for the attacker?
- Place systems in locked cabinets or other enclosures where ports cannot be accessed
  - An attacker could still use the keyboard and mouse to download malware if the system is left unlocked
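The two GPO settings the slides rely on so far, "force log off upon removal" for smart cards and "block removable media", both land in the local registry, so their effective state can be audited on a kiosk without opening the Group Policy editor. The script below is an added example, not part of the talk. The registry paths and value meanings are Microsoft's documented policy settings; the function names and the notion of "compliant" are this example's own. It only reads state; remediation belongs in the GPO, not in a per-host script.

```powershell
# Added example, not from the talk: audit the local state behind two slide recommendations,
# "force log off upon removal" (smart cards) and "block removable media via GPO".
# Run in an elevated PowerShell 5.1 session on the kiosk. Registry paths and value meanings
# are Microsoft's documented policy settings; function names are this example's own.

function Get-SmartCardRemovalState {
    # GPO "Interactive logon: Smart card removal behavior" writes Winlogon\ScRemoveOption (REG_SZ)
    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $value = (Get-ItemProperty -Path $winlogon -Name ScRemoveOption -ErrorAction SilentlyContinue).ScRemoveOption
    $meaning = switch ("$value") {
        '0'     { 'No action' }
        '1'     { 'Lock workstation' }
        '2'     { 'Force logoff' }
        '3'     { 'Disconnect if a remote session' }
        default { 'Not configured (behaves as no action)' }
    }
    # The removal action only fires while the Smart Card Removal Policy service is running
    $svc = Get-Service -Name SCPolicySvc -ErrorAction SilentlyContinue
    $svcRunning = [bool]($svc -and $svc.Status -eq 'Running')
    [pscustomobject]@{
        Check          = 'Smart card removal'
        ScRemoveOption = $value
        Meaning        = $meaning
        SCPolicySvcUp  = $svcRunning
        Compliant      = ("$value" -eq '2') -and $svcRunning
    }
}

function Get-RemovableStorageState {
    # GPO "All Removable Storage classes: Deny all access" writes RemovableStorageDevices\Deny_All = 1
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
    $denyAll = (Get-ItemProperty -Path $policyKey -Name Deny_All -ErrorAction SilentlyContinue).Deny_All
    # Independent of GPO: the USB mass-storage driver can be disabled outright (Start = 4)
    $usbstorKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
    $usbstorStart = (Get-ItemProperty -Path $usbstorKey -Name Start -ErrorAction SilentlyContinue).Start
    [pscustomobject]@{
        Check           = 'Removable storage'
        DenyAllPolicy   = $denyAll
        UsbStorStart    = $usbstorStart
        UsbStorDisabled = ($usbstorStart -eq 4)
        Compliant       = ($denyAll -eq 1) -or ($usbstorStart -eq 4)
    }
}

$results = @(Get-SmartCardRemovalState, Get-RemovableStorageState)
$results | Format-List
if ($results.Compliant -contains $false) {
    Write-Warning 'Kiosk does not match the recommended smart card / removable media settings.'
}
```

A value of 2 with SCPolicySvc stopped is a common finding: the policy is set, but nothing enforces it, so pulling the card leaves the session open. The removable-storage check treats either the Deny_All policy or a disabled USBSTOR driver as sufficient; neither stops a keyboard-emulating device such as a Rubber Ducky, which is exactly why the slide pairs this control with physical enclosures and application whitelisting.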

Application Whitelisting

- Most medical systems are kiosks, running a specific set of applications
- Windows AppLocker is included with Windows Enterprise
  - Can inventory and whitelist currently installed applications
  - Block everything else
- Make sure PowerShell and other built-in scripting is blocked
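The inventory-then-whitelist approach on this slide maps directly onto Windows' built-in AppLocker cmdlets. The script below is an added example, not from the talk: it inventories the installed binaries, generates allow rules, adds explicit deny rules for the scripting hosts, and stages the policy in audit mode so the event log shows what would be blocked before anything is enforced. The cmdlets and event IDs are Windows' own; the directory list, rule-name prefixes and output folder are assumptions for this example.

```powershell
# Added example, not from the talk: inventory what is installed on a kiosk image, turn it
# into AppLocker allow rules, add explicit denies for the built-in scripting hosts, and
# stage the policy in audit mode. Cmdlets are Windows' built-in AppLocker module; the
# directory list, rule-name prefixes and output folder are assumptions for this example.

# 1. Inventory. %WINDIR% is included because without rules for Windows' own binaries an
#    enforced policy would break the OS. The scripting hosts get an explicit deny below,
#    and AppLocker always lets a deny rule win over an allow rule.
$roots = @($env:WINDIR, $env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ -and (Test-Path $_) }
$inventory = foreach ($root in $roots) {
    Get-AppLockerFileInformation -Directory $root -Recurse -FileType Exe,Dll,WindowsInstaller,Script
}

# 2. Allow rules: publisher rule where the file is signed, hash rule otherwise
$allow = [xml](New-AppLockerPolicy -FileInformation $inventory -RuleType Publisher,Hash `
                  -User Everyone -RuleNamePrefix Kiosk -Optimize -Xml)

# 3. Deny rules: generate publisher rules for the scripting hosts the talk calls out, then
#    flip them to Deny and widen the version range so every build of each binary matches
$scriptHosts = @(
    "$env:WINDIR\System32\WindowsPowerShell\v1.0\powershell.exe",
    "$env:WINDIR\System32\WindowsPowerShell\v1.0\powershell_ise.exe",
    "$env:WINDIR\System32\wscript.exe",
    "$env:WINDIR\System32\cscript.exe"
) | Where-Object { Test-Path $_ }
$deny = [xml](New-AppLockerPolicy -FileInformation (Get-AppLockerFileInformation -Path $scriptHosts) `
                 -RuleType Publisher -User Everyone -RuleNamePrefix DenyScripting -Xml)
foreach ($rule in $deny.SelectNodes('//FilePublisherRule')) {
    $rule.SetAttribute('Action', 'Deny')
    foreach ($range in $rule.SelectNodes('.//BinaryVersionRange')) {
        $range.SetAttribute('LowSection', '*')
        $range.SetAttribute('HighSection', '*')
    }
}

# 4. Audit mode first: AppLocker logs what it would block (event 8003 for Exe/Dll, 8006 for
#    scripts, under Applications and Services Logs\Microsoft\Windows\AppLocker) instead of
#    blocking, so the EHR client can be proven to run before enforcement is switched on
function Set-AuditOnly([xml]$policy) {
    foreach ($rc in $policy.SelectNodes('/AppLockerPolicy/RuleCollection')) {
        $rc.SetAttribute('EnforcementMode', 'AuditOnly')
    }
}
Set-AuditOnly $allow
Set-AuditOnly $deny

$out = Join-Path $env:ProgramData 'KioskAppLocker'   # assumed output folder
New-Item -ItemType Directory -Path $out -Force | Out-Null
$allow.Save((Join-Path $out 'allow.xml'))
$deny.Save((Join-Path $out 'deny-scripting.xml'))

# 5. Apply. Nothing is evaluated unless the Application Identity service runs; on current
#    Windows 10 builds it is a protected service, so sc.exe is used to set its startup type.
sc.exe config appidsvc start= auto | Out-Null
Start-Service -Name AppIDSvc
Set-AppLockerPolicy -XmlPolicy (Join-Path $out 'allow.xml')
Set-AppLockerPolicy -XmlPolicy (Join-Path $out 'deny-scripting.xml') -Merge

# 6. Check what the effective policy decides for the scripting hosts
$effective = Get-AppLockerPolicy -Effective
Test-AppLockerPolicy -PolicyObject $effective -User Everyone -Path $scriptHosts |
    Select-Object FilePath, PolicyDecision, MatchingRule
```

Two points a practitioner will want to adjust: the deny rules above apply to Everyone, which locks administrators out of PowerShell on the kiosk too, so in practice scope `-User` to the kiosk user group; and once the audit log has been clean for a while, change `AuditOnly` to `Enabled` on each rule collection to move to enforcement. Inventorying %WINDIR% is slow, but it is what makes "block everything else" safe to turn on.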

Restrict internet communications

- Block all outgoing traffic that is not from your proxies and SMTP servers
- Block all “uncategorized” sites at the proxy
  - Blocks new, obscure domains for a brief time, until they have been automatically evaluated
  - Blocks many common types of web phishing, drive-by attacks, and C2
- Better yet, only allow internet browsing in a separate VDI session
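The egress rule on this slide is normally enforced at the perimeter. The same allow-list can be applied on the kiosk itself with Windows Defender Firewall as a second layer, so a workstation still cannot reach the internet directly even if it is moved to a network segment the perimeter rule does not cover. The script below is an added example, not from the talk; every address, port and server range in it is a placeholder for this example.

```powershell
# Added example, not from the talk: the "block all outgoing traffic that is not your proxies
# and SMTP servers" rule applied on the kiosk itself with Windows Defender Firewall, as a
# host-level layer under the perimeter egress rule. Every address, port and server list here
# is a placeholder for this example; substitute your own.

$Proxies         = @('10.0.10.5', '10.0.10.6')     # assumed web proxies
$ProxyPort       = 8080                             # assumed proxy listener
$MailRelays      = @('10.0.20.25')                  # assumed internal SMTP relay
$Resolvers       = @('10.0.0.53', '10.0.1.53')      # assumed internal DNS servers
$InternalServers = @('10.0.1.0/24', '10.0.30.0/24') # assumed DCs, EHR app servers, print servers

$group = 'Kiosk Egress (example)'

function Reset-KioskEgressRules {
    # Idempotent: drop any previous copy of this rule group, then recreate it
    Get-NetFirewallRule -Group $group -ErrorAction SilentlyContinue | Remove-NetFirewallRule

    New-NetFirewallRule -Group $group -DisplayName 'Kiosk: DNS to internal resolvers' `
        -Direction Outbound -Action Allow -Protocol UDP -RemotePort 53 -RemoteAddress $Resolvers | Out-Null
    New-NetFirewallRule -Group $group -DisplayName 'Kiosk: web only via proxy' `
        -Direction Outbound -Action Allow -Protocol TCP -RemotePort $ProxyPort -RemoteAddress $Proxies | Out-Null
    New-NetFirewallRule -Group $group -DisplayName 'Kiosk: SMTP to internal relay' `
        -Direction Outbound -Action Allow -Protocol TCP -RemotePort 25,587 -RemoteAddress $MailRelays | Out-Null
    # Domain-joined kiosks still need AD (Kerberos, LDAP, SMB, RPC), the EHR servers and printing
    New-NetFirewallRule -Group $group -DisplayName 'Kiosk: internal application servers' `
        -Direction Outbound -Action Allow -RemoteAddress $InternalServers | Out-Null

    # With the allows in place, make "drop" the default for everything else outbound, which
    # is what removes direct internet access from the workstation. Log drops so that any
    # missing allow shows up in pfirewall.log during the pilot.
    Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultOutboundAction Block `
        -LogBlocked True -LogFileName '%systemroot%\system32\LogFiles\Firewall\pfirewall.log'
}

function Get-KioskEgressState {
    Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultOutboundAction
    Get-NetFirewallRule -Group $group | Select-Object DisplayName, Direction, Action, Enabled
}

Reset-KioskEgressRules
Get-KioskEgressState
```

Pilot this on one kiosk with the EHR client, printing and badge-reader software in use before pushing it through GPO; dropped connections in pfirewall.log tell you which internal destination still needs an allow. The host rule complements the perimeter rule rather than replacing it, since anyone with local administrator rights can change it, which is one more reason the "remove local admins" item later in the talk matters.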

Other critical controls

- Microsoft EMET (free 0-day killer)
- Multi-factor authentication for remote access (Duo is easy to use and extremely flexible)
  - Webmail, VPNs, Citrix, etc.
- Email sandboxing and URL filtering (e.g. Proofpoint)
- Block any outflow that isn’t from your mail servers or web proxies
- Suricata IDS/IPS (Emerging Threats has great open and subscription rules)
  - Write custom rules
- Automatic, multi-factor, full-time VPNs for all remote workers
- Tune your AV (it isn’t dead; you might not be using it right)
- Remove local admins

The new big trend: VDI

- Virtual Desktop Infrastructure (VDI) solutions like Citrix are gaining popularity
- They are often used backwards, allowing insecure systems to access sensitive data, like EHRs
  - When I compromise the client, I can spy on the VDI session
- Instead, they should be used for secure systems to access untrusted services (e.g. internet web browsing)
  - That way if a browser gets popped, it only compromises the VM, not the system with the EHR software

Conclusion

- Right now multi-factor authentication is mostly used for E-Prescriptions
- As a patient, I care much more about the confidentiality, integrity, and availability of my health records than I care about prescription fraud
- By securing workstations, you can reduce the risk for both
- Making the transition to separate accounts is a lot of work upfront
  - But without separate accounts, any investigators will have very little to go on
- Shared accounts should never be used on non-public systems – No exceptions!
- Consider risks beyond compliance
- Explain the risks to management by demonstrating

References

Hamel, L. M., Chapman, R., Eggly, S., Penner, L. A., Tkatch, R., Vichich, J., & Albrecht, T. L. (2014). Measuring the Use of Examination Room Time in Oncology Clinics: A Novel Approach to Assessing Clinic Efficiency and Patient Flow. Journal of Oncology Practice, 10(6). Retrieved from http://jop.ascopubs.org/content/10/6/e385.full DOI: 10.1200/jop.2013.001359