Healthcare Challenges in the Era of Transformational Technologies


Cyber Security, Compliance and Privacy in the Healthcare Industry
Mitigating Major Attack Vector Risk with HIPAA/HITECH and NIST

Index

1. Healthcare under the microscope: A brief introduction
2. The black market: A serious public problem
3. A primary attack vector targeting PHI
4. Challenges
5. Compliance: HIPAA and HITECH
6. NIST: Reading between the lines to decipher the rules
7. Best practice: Putting it all into perspective
8. Conclusion
9. Further reading from Secunia
10. Footnotes

Healthcare under the microscope

Administration and operations in the Healthcare industry have been revolutionized. Manual processes and traditional pen-and-paper consultations have made way for computerized physician order entry (CPOE) systems, electronic health records (EHR) and various radiology, pharmacy and laboratory systems that connect to other systems and external networks, as well as to the internet and the cloud. In fact, according to an industry study on patient privacy and data security, only 9% of healthcare organizations in the U.S. do not embrace the cloud. (1)

A positive outcome of this digitalized focus on convenience and visibility is the increased availability of data to multiple stakeholders. Medical and administration staff, as well as patients and members, have self-service access to health information and to important processes such as claims, payments and patient correspondence via web-based applications and portals. However, the flip side of such adoption of, and reliance on, technology is an increase in security risks, data breaches and fraud, because everything that is accessible via the internet or cloud is also potentially accessible to cybercriminals.

Roll-outs of new advancements in technology in the near term and long term (i.e. big data and next-generation systems for managing EHR and clinical information) will only further improve efficiency and enhance patient care. But these technologies will also have the potential to introduce risk, from both human and technology perspectives.

One example of human error could be the unintentional disruption of clinical systems, or the disclosure of critical or private information, caused by non-IT personnel who are not aware of best-practice dos and don'ts. On the technology side, vulnerabilities (errors in software code that can be exploited with a security impact) can be used as catalysts for unauthorized system compromise and exposure of sensitive data by those with criminal intent.

We all know scare stories and have heard about the consequences of security breaches. For instance, the fact that:

- 94% of healthcare organizations had at least one data breach between 2010 and (1)
- According to the Federal Bureau of Investigation (FBI), healthcare fraud in the U.S. represents an estimated annual cost of $80 billion. And it's a rising threat, with national health care spending topping $2.7 trillion and expenses continuing to outpace inflation. (2)
- On the patient/customer side, there were 1.85 million victims of medical identity theft in the U.S. in (3)

The consequences for the victims of such fraud can range from receiving inaccurate treatment, care and billing, to being denied funds, services, insurance or a job due to falsified medical information.

But, putting all of this to one side and focusing on the practicalities, what can IT security and operations teams actually do to help mitigate risk, while at the same time balancing availability management with security and navigating complex compliance regulations? This paper therefore presents some of the main facts and threats that organizations in the industry are facing, and outlines an action plan in the specific context of A) the Health Insurance Portability and Accountability Act's (HIPAA's) Security Rule and B) the prioritization of addressing vulnerabilities in software: a proven major attack vector and root cause of security issues.

The black market: A serious public problem

Healthcare institutions and providers, and the endless quantities of Protected Health Information (PHI) that they store, are being targeted by cybercriminals in the same way as social security numbers are. While most people guard the financial and personal information that is held with their social security number, they tend to be more lax about protecting their medical records or "medical identity": the historical data that creates a unique, digital portrait of a patient/member (medical conditions, treatments, use of prescription medicine, allergies, etc.).

Medical devices, such as wireless heart and insulin pumps and mammogram imaging, also contain confidential patient information and rely on commercial PCs to control them, and are thus also at risk of exploitation. (1)

Criminal motives can range from disruption of clinical systems and devices on the product side, to stealing sensitive data for fraudulent purposes. For example, stolen data could be bought and sold by fabricated medical supply companies, who can then profit from billing insurance companies for private medication or medical equipment. Alternatively, stolen health information could simply be used by, or sold on to, lone criminals or crime syndicates for the purpose of gaining medical services and treatments, acquiring drugs, defrauding private insurers or state benefit programs, or violating health records with false information (fictitious blood type, health conditions, prescription drug usage, etc.).

"On the black market you can get more for medical info than you can for a social security number." - Lisa Schifferle, Attorney, Federal Trade Commission (FTC), 2013 (4)

A primary attack vector targeting PHI

"Given the value of PHI on the black market, criminals will continue to buy large sets of breached PHI data and exploit the vulnerabilities that exist in systems and devices that store PHI. The higher street value of PHI will only increase the number of victims of medical identity theft." - NBC Bay Area, 2013 (4)

Vulnerabilities in software deserve focus and prioritization by the Healthcare industry, as they represent a significant problem for the organizations operating within this sector. This is because:

- Vulnerable software is one of the most popular attack vectors with hackers, as exploiting vulnerabilities creates the doorways into corporate networks and core systems and the valuable PHI stored within.
- Importantly, software vulnerabilities are one of the attack vectors that can be contained with the use of technology such as vulnerability management and patch management, supplemented with internal security policies and employee training to boost awareness.

Each day, new vulnerabilities are identified and made publicly available. Cybercriminals access this information as part of their reconnaissance sweeps and use it to develop exploits for the vulnerabilities. They also actively carry out their own research and try to identify vulnerabilities before the software vendors do. In either case, their aim is to use vulnerabilities to remotely access, disrupt and exploit vital assets, controls and data, all without exerting any physical effort. A common scenario could involve intrusion probes from hackers seeking to infiltrate clinical environments by establishing attack points in their internal networks.

The widespread adoption of the Bring Your Own Device (BYOD) trend is adding fuel to the fire, serving as both a facilitator and an incubator for vulnerabilities to take hold and thrive.

An industry report by the Ponemon Institute flags that 81% of healthcare entities permit their medical staff and personnel to use personal mobile devices, such as smartphones and tablets, to connect to corporate networks and enterprise systems. The average proportion of employees doing so is 51%. (1)

The danger with this situation is that it multiplies the security risks that IT security and operations teams in healthcare organizations have to manage. For instance, it is challenging enough to ensure visibility and control over the data and software that exists in a corporate environment that is fragmented over numerous sites. However, the magnitude of this challenge increases when you add an open-house environment to the equation, complete with a vast array of unmanaged employee-owned devices. A lack of division between corporate and private systems means that non-corporate or non-approved software or downloads could be seeping through IT security safeguards.

Take Apple iTunes, for instance: not a typical corporate program, but the likelihood is that many employees will have it installed on their personal devices, and potentially open and access it at work. There were 243 vulnerabilities in Apple iTunes in (5)

Take another scenario: it is a feasible assumption that employees use internet browsers to check private e-mails or read the latest news online during work breaks. In 2012, 739 vulnerabilities were discovered in the five most popular browsers. (5)

Further findings from Secunia's Vulnerability Review for 2013 put this level of unharnessed user freedom into perspective. For instance, an average endpoint (PC, tablet, smartphone), similar to one that staff would bring to use at work, typically has a portfolio comprising the Top 50 software installed on it. In 2012 alone, the number of vulnerabilities found in this Top 50 software portfolio increased by 98% compared to the past five years: 1,137 vulnerabilities were discovered in 18 products by 8 vendors, representing an average of 63 vulnerabilities per vulnerable product. Non-Microsoft (third-party) programs were responsible for the majority of these vulnerabilities. Significantly, the primary attack vector was "Remote Network", meaning that cybercriminals would not need access to the system or local network in order to exploit the vulnerability.

Source: Secunia, 2013 (5)

The reality is that endpoints with this type of software portfolio and this type of vulnerability legacy could be logging on to healthcare organizations' networks today. An important point to note is that it takes just one insecure program that is left undetected and unremediated to potentially contaminate an entire IT infrastructure.

Challenges

As part of dealing with the vulnerability attack vector, IT security and operations teams also need to address additional challenges:

- Outdated and fragmented security systems combining multiple technologies, such as Operational Technology (OT: the hardware or software that detects or causes a state change to devices, equipment and associated processes) and Information Technology (IT: the processing, storage, management and transmission of data), are difficult to upgrade or patch due to their diverse testing and development environments.
- Dealing with alternative models for delivering information. For instance, PHI is not only housed, accessed and shared within healthcare organizations; it is also supplied to, and shared among, a plethora of third-party companies who provide support for various healthcare functions.
- Managing a heterogeneous environment with OS, hardware and system software from a variety of vendors.
- Achieving visibility of the complete attack surface, given the scattering of systems and assets over various geographic locations.
- Securing network access for a vast range of devices, from wireless equipment used within healthcare facilities to mobile devices used by medical and administration personnel, while at the same time limiting access to certain protected networks or specific applications.

A study on patient privacy and data security (1) revealed that in 2012, 40% of organizations in the Healthcare sector said that they had confidence in preventing and detecting all patient data loss or theft in their organization. This leaves a significant number of organizations with confidence issues remaining, despite a general awareness in the industry and a willingness from organizations to do the right thing, such as getting the tools and procedures in place so that they can strengthen their security and avoid fines.

However, although industry regulations vaguely specify that a policy and process needs to be in place and proven with documentation, on the whole it can be difficult to interpret what the requirements actually expect from IT security and operations teams. Here is some guidance.

Compliance: HIPAA and HITECH

HIPAA was established in 1996 by the U.S. Department of Health & Human Services (HHS). HIPAA sets industry-wide ground rules to help companies (health plan providers, healthcare providers and healthcare clearing houses, referred to by HIPAA as "Covered entities") protect the privacy and security of their electronic protected health information (e-PHI) (6). E-PHI is essentially all information that healthcare entities create, maintain, transmit or receive in an electronic format. Specifically:

The Privacy Rule, "Standards for Privacy of Individually Identifiable Health Information", sets forth the foundational requirements for protecting e-PHI and interlinks with The Security Rule, "Security Standards for the Protection of Electronic Protected Health Information", which focuses on the operational elements (technical and non-technical safeguards) that need to be implemented to ensure the protection of e-PHI.

Source: U.S. Department of Health & Human Services (HHS) (7)

The Health Information Technology for Economic and Clinical Health (HITECH) Act was introduced in 2009 to support and broaden HIPAA regulations by bringing additional compliance standards for healthcare organizations to address. Examples of HITECH enhancements to HIPAA include:

- Widening of the scope of the law, requiring Health Information Exchanges (HIEs) to be classified as business associates of healthcare entities; therefore compliance also applies to them.
- Significant strengthening of data breach notification laws.
- Updates concerning the authorized use of personal information (PHI) for marketing and corporate communication purposes.
- Increased penalties for non-compliance.

The cost of non-compliance

Failure to comply with HIPAA can result in civil and criminal penalties. There are various degrees of fines, depending on the level of HIPAA violation:

- The lowest level of violation: the individual wasn't aware that they had violated the regulation.
- The highest level of violation: due to willful neglect, with the situation left uncorrected.
- Minimum cost: $100 per violation.
- Maximum cost: $50,000 per violation, with an annual maximum of $1.5 million.
- There are also additional charges applicable for repeat violations.

Source: American Medical Association (AMA). (8)

The HIPAA Security Rule

The rules of HIPAA and HITECH are risk-based by nature. In the HIPAA Security Rule, for instance, the processes of risk analysis and risk management to identify, assess and prioritize risks form the foundation upon which an entity's necessary security activities are built. (9)

Due to the increased use of e-PHI, and its criticality in relation to operations, service levels and billing/revenues, a general requirement of Security Standard (a) (1) in the Security Rule specifies that covered entities must "Ensure the confidentiality, integrity, and availability of all electronic protected health information the covered entity creates, receives, maintains, or transmits." (10)

Also, because the Healthcare sector is diverse and dynamic, the HIPAA Security Rule has been designed to be flexible and scalable to suit individual organizations with varying structures, policies, processes and technologies, reflected in the baseline factors listed under rule no (b) (2):

(i) The size, complexity, and capabilities of the covered entity.
(ii) The covered entity's technical infrastructure, hardware, and software security capabilities.
(iii) The costs of security measures.
(iv) The probability and criticality of potential risks to EPHI. (9)

However, a major sticking point for the teams having to meet the requirements of the HIPAA Security Rule (securing e-PHI and scaling the requirements to their individual organization/infrastructure) is the ambiguous nature of the rule and the lack of specific instructions to follow.

NIST: Reading between the lines

So, what do these compliance regulations really mean for IT security and operations teams, their day-to-day work and their organizations' security processes? What controls can be applied from a network security perspective to reduce the attack surface?

It is widely accepted that recognized government sources and publicly available recommendations, such as the National Institute of Standards and Technology's (NIST's) 800 Series of Special Publications (SP), can be adapted and applied as guidelines when dealing with the HIPAA Security Rule, particularly for large organizations. Although not a required prerequisite for HIPAA compliance, the U.S. Department of Health & Human Services (HHS) confirms that "Covered entities may use any of the NIST documents to the extent that they provide relevant guidance to that organization's implementation activities." (11)

According to NIST, risk assessment is a crucial factor: "The results of a risk assessment play a significant role in executing an organization's risk management strategy. In the context of the HIPAA Security Rule, the security control baseline, which consists of the standards and required implementation specifications, should be viewed as the foundation or starting point in the selection of adequate security controls necessary to protect EPHI." (12)

HIPAA and NIST

The concept of addressing and equalizing OT and IT security issues and requirements is encapsulated by a cyber security strategy which, in turn, should form part of an overarching risk management approach to security. Below is an example, in layman's terms, of how HIPAA specifications can be interpreted and applied using NIST guidelines in the context of tackling vulnerabilities.

Why from a vulnerability perspective? Undoubtedly, dealing with vulnerabilities is a small fraction of the large and complex set of requirements that organizations have to face; however, as highlighted earlier in this paper, vulnerabilities are a major attack vector and represent a great threat to corporate security. Additionally, the HIPAA and NIST examples below show that risk assessment and risk management form the basis of the HIPAA Security Rule and the accompanying NIST guidelines, within which vulnerability management plays a significant role that should be prioritized.

The HIPAA Security Standard "Administrative Safeguards" comprises more than half of HIPAA's security requirements and is described as "Administrative actions, and policies and procedures, to manage the selection, development, implementation, and maintenance of security measures to protect electronic protected health information and to manage the conduct of the covered entity's workforce in relation to the protection of that information." (9)

One of these administrative actions, policies and procedures is HIPAA (a) (1) (i), Security Management Process: "Implement policies and procedures to prevent, detect, contain and correct security violations."

- Risk Analysis (Required), (a) (1) (ii) (A): "Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability of electronic protected health information held by the covered entity."
- Risk Management (Required), (a) (1) (ii) (B): "Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with (a)."

Source: U.S. Department of Health & Human Services (HHS) (9)

NIST's interpretation

Some of the key activities identified by NIST when addressing this HIPAA Standard and these requirements are:

- Identifying potential vulnerabilities. Covered entities should use internal and external sources to identify potential vulnerabilities. Internal sources may include previous risk assessments, vulnerability scan and system security test results, and audit reports.
- Determining the likelihood and impact of a threat exercising a vulnerability. This information can be obtained from existing organizational documentation, such as business impact and asset criticality assessments. An asset criticality assessment identifies and prioritizes the sensitive and critical organization information assets (e.g., hardware, software, systems, services, and related technology assets) that support the organization's critical missions.

Source: National Institute of Standards and Technology (NIST) (12)

Best practice: Putting it all into perspective

Risk analysis and risk management are information security processes that are critical to organizations' compliance efforts when adhering to the HIPAA Security Rule. Gartner's report on HIPAA's risk-based regulations drills down further into the components of a risk management checklist, with the following recommendations for organizations ("covered entities"):

- Implement a comprehensive risk management program to identify threats.
- Seek the advice and counsel of the legal staff and qualified third-party resources that specialize in regulatory compliance and security assessment methodologies to evaluate specific compliance activities.
- Adjust security budgets and accommodate HIPAA regulatory compliance as part of normal and customary risk management programs.

Source: Gartner, 2013 (13)

Vulnerability management and patch management are reasonable and appropriate controls to address and mitigate anticipated risk. Remediating and mitigating the vulnerabilities in the software installed on assets and devices is a fundamental element of this control. For instance, as the first stage of the vulnerability management lifecycle, application inventory and patch scanning provides crucial intelligence about the attack surface: the number of connected assets/devices, the number of applications installed on these assets/devices, the number of these applications that are vulnerable, and thus the number of assets/devices that are exposed. Remediation and mitigation actions can then be taken (patches, workarounds, etc.) to avoid security breaches.

The scanning technology is essential not only for identifying vulnerabilities, but also for identifying applications on machines and systems. Most of the vulnerability scanners on the market use the active scanning approach, which fails to provide an accurate inventory of applications and thus negatively impacts remediation efforts. Authenticated scanning is an alternative approach that supports operations and security managers by providing visibility for risk assessment.

Defensible risk assessment is one thing; however, the intelligence that is generated from such assessment then needs to be harnessed and taken to the next stage of the vulnerability management lifecycle. Specifically, using authenticated scanning as part of a multi-layered approach to managing vulnerabilities from assessment to remediation (i.e. a patch management solution anchored by vulnerability intelligence and scanning, and combined with patching capabilities) will tell teams: when there is a vulnerability, where it is located within the infrastructure, what software needs to be patched (or a workaround applied) in order of priority, and how to patch the software (if a patch is available), and thus remediate vulnerabilities on a continuous basis.

In particular, patch management solutions that have the integration capabilities to also scan private mobile devices, laptops and PCs not regularly connected to the corporate network can assist teams when dealing with the BYOD challenge, helping them bridge the private-corporate divide. In addition to this, having complete visibility of the attack surface means that teams can take documented facts to a higher level to lobby for ongoing budget consideration and internal policy inclusion for enterprise security/risk management initiatives, thus meeting the areas of HIPAA compliance highlighted earlier within this paper.
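As an added illustration (not code from this paper, and not Secunia's CSI or any vendor product), the following Python script shows the two steps the preceding sections describe in working form: the attack-surface counts that inventory and patch scanning yield (assets, installed applications, vulnerable applications, exposed assets), and the NIST "likelihood and impact" step that turns those findings into a prioritized remediation plan using asset criticality. The asset inventory, the advisory feed, the 1-5 criticality scale and the per-attack-vector likelihood weights are all constructed assumptions; the "Remote Network" vector is weighted highest because, as the paper notes, it needs no local access.

```python
"""Attack-surface metrics and risk-based remediation priority.

Added example, not from the paper or any vendor. Inventory, advisories,
criticality scale and likelihood weights are constructed assumptions.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Advisory:
    """One entry of a (constructed) vulnerability intelligence feed."""
    program: str
    vulnerable_versions: FrozenSet[str]   # versions known to be vulnerable
    attack_vector: str                    # "remote_network" | "local_network" | "local_system"
    fixed_version: Optional[str]          # None = no vendor patch; workaround only


@dataclass
class Asset:
    """One device as reported by an authenticated (agent/credentialed) scan."""
    name: str
    criticality: int        # 1..5 from the asset criticality assessment (assumed scale)
    stores_ephi: bool       # does the asset hold or transmit e-PHI?
    software: Dict[str, str]  # installed program -> version


# Assumed likelihood that a threat exercises the vulnerability, by attack vector.
# Remote Network is highest: exploitation needs no system or local-network access.
LIKELIHOOD = {"remote_network": 0.9, "local_network": 0.5, "local_system": 0.2}

# Constructed inventory (three assets) and advisory feed (four advisories).
ASSETS: List[Asset] = [
    Asset("rad-workstation-01", 5, True,
          {"imaging-viewer": "2.1", "browser": "17.0", "media-player": "10.7"}),
    Asset("byod-tablet-07", 2, False, {"browser": "16.0", "media-player": "11.0"}),
    Asset("billing-server", 4, True, {"db-engine": "5.1"}),
]
ADVISORIES: List[Advisory] = [
    Advisory("browser", frozenset({"16.0", "17.0"}), "remote_network", "17.1"),
    Advisory("media-player", frozenset({"10.7"}), "remote_network", "11.0"),
    Advisory("imaging-viewer", frozenset({"2.1"}), "local_network", None),
    Advisory("db-engine", frozenset({"4.9"}), "local_system", "5.0"),
]


def find_exposures(assets: List[Asset], advisories: List[Advisory]) -> List[Tuple[Asset, Advisory]]:
    """Match the inventory against the feed: (asset, advisory) pairs where the
    installed version is in the advisory's vulnerable set."""
    exposures = []
    for asset in assets:
        for adv in advisories:
            installed = asset.software.get(adv.program)
            if installed is not None and installed in adv.vulnerable_versions:
                exposures.append((asset, adv))
    return exposures


def attack_surface(assets: List[Asset], advisories: List[Advisory]) -> Dict[str, int]:
    """The four counts the paper lists as the output of inventory and patch scanning."""
    exposures = find_exposures(assets, advisories)
    return {
        "assets": len(assets),
        "installed_apps": sum(len(a.software) for a in assets),
        "vulnerable_apps": len(exposures),
        "exposed_assets": len({asset.name for asset, _ in exposures}),
    }


def risk_score(asset: Asset, adv: Advisory) -> float:
    """Likelihood x impact. Impact is the asset's criticality, doubled when the
    asset holds e-PHI (assumed weighting reflecting the confidentiality requirement)."""
    impact = asset.criticality * (2 if asset.stores_ephi else 1)
    return LIKELIHOOD[adv.attack_vector] * impact


def remediation_plan(assets: List[Asset], advisories: List[Advisory]) -> List[Dict[str, object]]:
    """Exposures ordered by descending risk, each with its action: patch when a
    fixed version exists, otherwise a workaround (the paper's 'patch or workaround')."""
    plan = []
    for asset, adv in find_exposures(assets, advisories):
        if adv.fixed_version:
            action = f"patch {adv.program} to {adv.fixed_version}"
        else:
            action = f"apply workaround for {adv.program} (no patch available)"
        plan.append({"asset": asset.name, "program": adv.program,
                     "score": risk_score(asset, adv), "action": action})
    plan.sort(key=lambda entry: entry["score"], reverse=True)  # stable: ties keep feed order
    return plan


if __name__ == "__main__":
    print(attack_surface(ASSETS, ADVISORIES))
    for entry in remediation_plan(ASSETS, ADVISORIES):
        print(f"{entry['score']:4.1f}  {entry['asset']:<20} {entry['action']}")
```

On the constructed data the billing server is not exposed at all (its database version is outside the vulnerable range), the e-PHI-holding radiology workstation with two remotely exploitable programs tops the plan, and the employee-owned tablet, although it runs the same vulnerable browser, lands last because it holds no e-PHI and has low criticality. That ordering, rather than a flat count of findings, is what the paper means by "what software needs to be patched in order of priority".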

Conclusion

Compliance drives organizations, but on its own it does not necessarily reduce risk. Addressing risk through risk assessment, management and mitigation controls and actions is key, which in turn helps organizations become compliant and more secure. Vulnerability management, starting with the identification and rating of vulnerabilities in the software and applications that store, maintain or transmit e-PHI, is a central component of this approach.

There is no A-Z compliance guide to follow (or instructions for "patching x amount of programs in x amount of days") because each organization, its infrastructure and its software portfolio is different. The amount and location of risk will vary from company to company. Having the initial vulnerability intelligence and assessment in place to prioritize the specific software that is deemed most important, in relation to an individual organization's patient care and general corporate operations, is particularly crucial, enabling teams to determine the most effective response and remediation/workaround plan to help eliminate risk and ensure privacy and availability.

Further reading from Secunia

- Non-intrusive, authenticated scanning for OT and IT environments. Extensive Feature Description: Secunia Corporate Software Inspector (CSI).
- Bring Your Own Device: Are all of your employees applying all security updates to all of their devices? /resources/reports/bring-your-own-device-whitepaper/
- How to Secure a Moving Target with Limited Resources. /products/corporate/csi/howtosecure2013/
- Secunia Vulnerability Review. /vulnerability-review/
- Secunia Country Reports. Quarterly global and country-specific editions. /resources/countryreports/

Notes

1. Third Annual Benchmark Study on Patient Privacy & Data Security. Ponemon Institute. December
2. "Rooting out health care fraud is central to the well-being of both our citizens and the overall economy." White Collar Crime: Health Care Fraud. FBI.
3. The Growing Threat of Medical Identity Fraud: A Call to Action. Medical Identity Fraud Alliance. July
4. Your Medical Records Could Be Sold on Black Market. NBC Investigative Unit. NBC Bay Area.com. June
5. Secunia Vulnerability Review
6. HIPAA Privacy Rule: To Whom Does the Privacy Rule Apply and Whom Will It Affect? U.S. Department of Health and Human Services, National Institutes of Health.
7. Health Information Privacy, Summary of the Security Rule. U.S. Department of Health & Human Services. HHS.gov
8. HIPAA Violations and Enforcement. American Medical Association (AMA). hipaahealth-insurance-portability-accountability-act/hipaa-violations-enforcement.page
9. HIPAA Security Series 2. Security Standards: Administrative Safeguards. U.S. Department of Health & Human Services (HHS).
10. HIPAA Security Series 6. Basics of Risk Analysis and Risk Management. U.S. Department of Health & Human Services (HHS).
11. Health Information Privacy FAQ. U.S. Department of Health & Human Services (HHS).
12. NIST Special Publication Revision 1: An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule. National Institute of Standards and Technology (NIST), U.S. Department of Commerce. October
13. Gartner: As HIPAA Regulations Get Teeth, Healthcare Firms Feel The Bite. Page 4. Paul E. Proctor and Wes Rishel. October 2012, Gartner Foundational 5 July 2013.

Secunia can help

Secunia can assist you with your HIPAA and HITECH compliance questions, and your Vulnerability Management and Patch Management needs. Stay Secure.

facebook.com/secunia
twitter.com/secunia
gplus.to/secunia
linkedin.com/company/secunia


More information

HIPAA Security. 1 Security 101 for Covered Entities. Security Topics

HIPAA Security. 1 Security 101 for Covered Entities. Security Topics HIPAA SERIES Topics 1. 101 for Covered Entities 2. Standards - Administrative Safeguards 3. Standards - Physical Safeguards 4. Standards - Technical Safeguards 5. Standards - Organizational, Policies &

More information

FACT SHEET: Ransomware and HIPAA

FACT SHEET: Ransomware and HIPAA FACT SHEET: Ransomware and HIPAA A recent U.S. Government interagency report indicates that, on average, there have been 4,000 daily ransomware attacks since early 2016 (a 300% increase over the 1,000

More information

What is required of a compliant Risk Assessment?

What is required of a compliant Risk Assessment? What is required of a compliant Risk Assessment? ACR 2 Solutions President Jack Kolk discusses the nine elements that the Office of Civil Rights requires Covered Entities perform when conducting a HIPAA

More information

Bridging the HIPAA/HITECH Compliance Gap

Bridging the HIPAA/HITECH Compliance Gap CyberSheath Healthcare Compliance Paper www.cybersheath.com -65 Bridging the HIPAA/HITECH Compliance Gap Security insights that help covered entities and business associates achieve compliance According

More information

Real World Healthcare Security Exposures. Brian Selfridge, Partner, Meditology Services

Real World Healthcare Security Exposures. Brian Selfridge, Partner, Meditology Services Real World Healthcare Security Exposures Brian Selfridge, Partner, Meditology Services 2 Agenda Introduction Background and Industry Context Anatomy of a Pen Test Top 10 Healthcare Security Exposures Lessons

More information

Nine Network Considerations in the New HIPAA Landscape

Nine Network Considerations in the New HIPAA Landscape Guide Nine Network Considerations in the New HIPAA Landscape The Health Insurance Portability and Accountability Act of 1996 (HIPAA) Omnibus Final Rule, released January 2013, introduced some significant

More information

THE NEW REALITY OF RISK CYBER RISK: TRENDS AND SOLUTIONS

THE NEW REALITY OF RISK CYBER RISK: TRENDS AND SOLUTIONS THE NEW REALITY OF RISK CYBER RISK: TRENDS AND SOLUTIONS Read the Marsh Risk Management Research Briefing: Cyber Risks Extend Beyond Data and Privacy Exposures To access the report, visit www.marsh.com.

More information

Ensuring HIPAA Compliance with AcclaimVault Online Backup and Archiving Services

Ensuring HIPAA Compliance with AcclaimVault Online Backup and Archiving Services Ensuring HIPAA Compliance with AcclaimVault Online Backup and Archiving Services 1 Contents 3 Introduction 5 The HIPAA Security Rule 7 HIPAA Compliance & AcclaimVault Backup 8 AcclaimVault Security and

More information

HIPAA COMPLIANCE AND DATA PROTECTION. sales@eaglenetworks.it +39 030 201.08.25 Page 1

HIPAA COMPLIANCE AND DATA PROTECTION. sales@eaglenetworks.it +39 030 201.08.25 Page 1 HIPAA COMPLIANCE AND DATA PROTECTION sales@eaglenetworks.it +39 030 201.08.25 Page 1 CONTENTS Introduction..... 3 The HIPAA Security Rule... 4 The HIPAA Omnibus Rule... 6 HIPAA Compliance and EagleHeaps

More information

How to use the Alertsec Service to Achieve HIPAA Compliance for Your Organization

How to use the Alertsec Service to Achieve HIPAA Compliance for Your Organization How to use the Alertsec Service to Achieve HIPAA Compliance for Your Organization Alertsec offers Cloud Managed - Policy Controlled - Security Modules for Ensuring Compliance at the Endpoints Contents

More information

Overview. Figure 1 - Penetration testing screenshot examples showing (i) PACS image and (ii) breached Electronic Health Record system

Overview. Figure 1 - Penetration testing screenshot examples showing (i) PACS image and (ii) breached Electronic Health Record system Contents Overview... 3 Why Should We Hack Our Own Systems?... 4 Healthcare is a Soft Target... 4 How About Those Compliance Requirements... 5 Breach Avoidance: Compliance Is Not Enough... 6 Supporting

More information

HIPAA/HITECH Compliance The Starting Point for Secure Health Care Services

HIPAA/HITECH Compliance The Starting Point for Secure Health Care Services HIPAA/HITECH Compliance The Starting Point for Secure Health Care Services CORE Security +1 617.399-6980 info@coresecurity.com www.coresecurity.com blog.coresecurity.com Executive Overview The health care

More information

HIPAA Audits: How to Be Prepared. Lindsey Wiley, MHA, CHTS-IM, CHTS-TS HIT Manager Oklahoma Foundation for Medical Quality

HIPAA Audits: How to Be Prepared. Lindsey Wiley, MHA, CHTS-IM, CHTS-TS HIT Manager Oklahoma Foundation for Medical Quality HIPAA Audits: How to Be Prepared Lindsey Wiley, MHA, CHTS-IM, CHTS-TS HIT Manager Oklahoma Foundation for Medical Quality An Important Reminder For audio, you must use your phone: Step 1: Call (866) 906-0123.

More information

HIPAA Security Rule Changes and Impacts

HIPAA Security Rule Changes and Impacts HIPAA Security Rule Changes and Impacts Susan A. Miller, JD Tony Brooks, CISA, CRISC HIPAA in a HITECH WORLD American Health Lawyers Association March 22, 2013 Baltimore, MD Agenda I. Introduction II.

More information

How To Find Out What People Think About Hipaa Compliance

How To Find Out What People Think About Hipaa Compliance Healthcare providers attitudes towards HIPAA compliance in 2015 Created July, 27 2015 Healthcare providers attitudes towards HIPAA compliance in 2015 Over the course of this last year the healthcare industry

More information

Managing non-microsoft updates

Managing non-microsoft updates Managing non-microsoft updates With Microsoft s System Center Configuration Manager secunia.com 1 How to patch all your programs directly in Microsoft System Center 2012 A common perception is that System

More information

OCTOBER 2013 PART 1. Keeping Data in Motion: How HIPAA affects electronic transfer of protected health information

OCTOBER 2013 PART 1. Keeping Data in Motion: How HIPAA affects electronic transfer of protected health information OCTOBER 2013 PART 1 Keeping Data in Motion: How HIPAA affects electronic transfer of protected health information Part 1: How HIPAA affects electronic transfer of protected health information It is difficult

More information

Compromises in Healthcare Privacy due to Data Breaches

Compromises in Healthcare Privacy due to Data Breaches Compromises in Healthcare Privacy due to Data Breaches S. Srinivasan, PhD Distinguished Professor of Information Systems Jesse H. Jones School of Business Texas Southern University, Houston, Texas, USA

More information

HIPAA Security. 2 Security Standards: Administrative Safeguards. Security Topics

HIPAA Security. 2 Security Standards: Administrative Safeguards. Security Topics HIPAA Security SERIES Security Topics 1. Security 101 for Covered Entities 5. 2. Security Standards - Organizational, Security Policies Standards & Procedures, - Administrative and Documentation Safeguards

More information

Data Security Breaches: Learn more about two new regulations and how to help reduce your risks

Data Security Breaches: Learn more about two new regulations and how to help reduce your risks Data Security Breaches: Learn more about two new regulations and how to help reduce your risks By Susan Salpeter, Vice President, Zurich Healthcare Risk Management News stories about data security breaches

More information

Guidance on Risk Analysis Requirements under the HIPAA Security Rule

Guidance on Risk Analysis Requirements under the HIPAA Security Rule Guidance on Risk Analysis Requirements under the HIPAA Security Rule Introduction The Office for Civil Rights (OCR) is responsible for issuing annual guidance on the provisions in the HIPAA Security Rule.

More information

Strategies for. Proactively Auditing. Compliance to Mitigate. Matt Jackson, Director Kevin Dunnahoo, Manager

Strategies for. Proactively Auditing. Compliance to Mitigate. Matt Jackson, Director Kevin Dunnahoo, Manager Strategies for 1 Proactively Auditing HIPAA Security Compliance to Mitigate Risk Matt Jackson, Director Kevin Dunnahoo, Manager AHIA 32 nd Annual Conference August 25-28, 2013 Chicago, Illinois www.ahia.org

More information

HIPAA Compliance Review Analysis and Summary of Results

HIPAA Compliance Review Analysis and Summary of Results HIPAA Compliance Review Analysis and Summary of Results Centers for Medicare & Medicaid Services (CMS) Office of E-Health Standards and Services (OESS) Reviews 2008 Table of Contents Introduction 1 Risk

More information

ForeScout CounterACT and Compliance June 2012 Overview Major Mandates PCI-DSS ISO 27002

ForeScout CounterACT and Compliance June 2012 Overview Major Mandates PCI-DSS ISO 27002 ForeScout CounterACT and Compliance An independent assessment on how network access control maps to leading compliance mandates and helps automate GRC operations June 2012 Overview Information security

More information

Ensuring HIPAA Compliance with Pros 4 Technology Online Backup and Archiving Services

Ensuring HIPAA Compliance with Pros 4 Technology Online Backup and Archiving Services Ensuring HIPAA Compliance with Pros 4 Technology Online Backup and Archiving Services Introduction Patient privacy has become a major topic of concern over the past several years. With the majority of

More information

Enforcement of Health Information Privacy & Security Standards Federal Enforcement Through Recent Cases and Tools to Measure Regulatory Compliance

Enforcement of Health Information Privacy & Security Standards Federal Enforcement Through Recent Cases and Tools to Measure Regulatory Compliance Enforcement of Health Information Privacy & Security Standards Federal Enforcement Through Recent Cases and Tools to Measure Regulatory Compliance Iliana Peters, JD, LLM, HHS Office for Civil Rights Kevin

More information

Achieving HIPAA Security Rule Compliance with Lumension Solutions

Achieving HIPAA Security Rule Compliance with Lumension Solutions Achieving HIPAA Security Rule Compliance with Lumension Solutions Healthcare organizations face a host of HIPAA Security Rule compliance challenges with the move to put patient medical records online.

More information

ALERT LOGIC FOR HIPAA COMPLIANCE

ALERT LOGIC FOR HIPAA COMPLIANCE SOLUTION OVERVIEW: ALERT LOGIC FOR HIPAA COMPLIANCE AN OUNCE OF PREVENTION IS WORTH A POUND OF CURE Alert Logic provides organizations with the most advanced and cost-effective means to secure their healthcare

More information

White Paper #6. Privacy and Security

White Paper #6. Privacy and Security The Complexity of America s Health Care Industry White Paper #6 Privacy and Security www.nextwavehealthadvisors.com 2015 Next Wave Health Advisors and Lynn Harold Vogel, Ph.D. The Complexity of America

More information

Healthcare and IT Working Together. 2013 KY HFMA Spring Institute

Healthcare and IT Working Together. 2013 KY HFMA Spring Institute Healthcare and IT Working Together 2013 KY HFMA Spring Institute Introduction Michael R Gilliam Over 7 Years Experience in Cyber Security BA Telecommunications Network Security CISSP, GHIC, CCFE, SnortCP,

More information

Managing Cyber & Privacy Risks

Managing Cyber & Privacy Risks Managing Cyber & Privacy Risks NAATP Conference 2013 NSM Insurance Group Sean Conaboy Rich Willetts SEAN CONABOY INSURANCE BROKER NSM INSURANCE GROUP o Sean has been with NSM Insurance Group for the past

More information

What s New with HIPAA? Policy and Enforcement Update

What s New with HIPAA? Policy and Enforcement Update What s New with HIPAA? Policy and Enforcement Update HHS Office for Civil Rights New Initiatives Precision Medicine Initiative (PMI), including Access Guidance Cybersecurity Developer portal NICS Final

More information

HIPAA: Protecting Your. Ericka L. Adler. Practice and Your Patients

HIPAA: Protecting Your. Ericka L. Adler. Practice and Your Patients HIPAA: Protecting Your Ericka L. Adler Practice and Your Patients Rachel V. Rose Fallout from the Omnibus Rule Compliance strategies for medical practices 1. Know / manage your business associates and

More information

12/19/2014. HIPAA More Important Than You Realize. Administrative Simplification Privacy Rule Security Rule

12/19/2014. HIPAA More Important Than You Realize. Administrative Simplification Privacy Rule Security Rule HIPAA More Important Than You Realize J. Ira Bedenbaugh Consulting Shareholder February 20, 2015 This material was used by Elliott Davis Decosimo during an oral presentation; it is not a complete record

More information

HIPAA Compliance and the Protection of Patient Health Information

HIPAA Compliance and the Protection of Patient Health Information HIPAA Compliance and the Protection of Patient Health Information WHITE PAPER By Swift Systems Inc. April 2015 Swift Systems Inc. 7340 Executive Way, Ste M Frederick MD 21704 1 Contents HIPAA Compliance

More information

Ensuring HIPAA Compliance with eztechdirect Online Backup and Archiving Services

Ensuring HIPAA Compliance with eztechdirect Online Backup and Archiving Services Ensuring HIPAA Compliance with eztechdirect Online Backup and Archiving Services Introduction Patient privacy continues to be a chief topic of concern as technology continues to evolve. Now that the majority

More information

Healthcare Insurance Portability & Accountability Act (HIPAA)

Healthcare Insurance Portability & Accountability Act (HIPAA) O C T O B E R 2 0 1 3 Healthcare Insurance Portability & Accountability Act (HIPAA) Secure Messaging White Paper This white paper briefly details how HIPAA affects email security for healthcare organizations,

More information

HIPAA: Compliance Essentials

HIPAA: Compliance Essentials HIPAA: Compliance Essentials Presented by: Health Security Solutions August 15, 2014 What is HIPAA?? HIPAA is Law that governs a person s ability to qualify immediately for health coverage when they change

More information

2009 HIMSS Analytics Report: Evaluating HITECH s Impact on Healthcare Privacy and Security

2009 HIMSS Analytics Report: Evaluating HITECH s Impact on Healthcare Privacy and Security 2009 HIMSS Analytics Report: Evaluating HITECH s Impact on Healthcare Privacy and Security Commissioned by ID Experts November 2009 INTRODUCTION Healthcare breaches are on the rise; according to the 2009

More information

EXTENSIVE FEATURE DESCRIPTION SECUNIA CORPORATE SOFTWARE INSPECTOR. Non-intrusive, authenticated scanning for OT & IT environments. secunia.

EXTENSIVE FEATURE DESCRIPTION SECUNIA CORPORATE SOFTWARE INSPECTOR. Non-intrusive, authenticated scanning for OT & IT environments. secunia. Non-intrusive, authenticated scanning for OT & IT environments The situation: convenience vs. security Interconnectivity between organizations and corporate networks, the internet and the cloud and thus

More information

2011 2012 Aug. Sept. Oct. Nov. Dec. Jan. Feb. March April May-Dec.

2011 2012 Aug. Sept. Oct. Nov. Dec. Jan. Feb. March April May-Dec. The OCR Auditors are coming - Are you next? What to Expect and How to Prepare On June 10, 2011, the U.S. Department of Health and Human Services Office for Civil Rights ( OCR ) awarded KPMG a $9.2 million

More information

2016 OCR AUDIT E-BOOK

2016 OCR AUDIT E-BOOK !! 2016 OCR AUDIT E-BOOK About BlueOrange Compliance: We specialize in healthcare information privacy and security solutions. We understand that each organization is busy running its business and that

More information

HIPAA Compliance Guide

HIPAA Compliance Guide HIPAA Compliance Guide Important Terms Covered Entities (CAs) The HIPAA Privacy Rule refers to three specific groups as covered entities, including health plans, healthcare clearinghouses, and health care

More information

HIPAA COMPLIANCE AND

HIPAA COMPLIANCE AND INTRONIS CLOUD BACKUP & RECOVERY HIPAA COMPLIANCE AND DATA PROTECTION CONTENTS Introduction 3 The HIPAA Security Rule 4 The HIPAA Omnibus Rule 6 HIPAA Compliance and Intronis Cloud Backup and Recovery

More information

NEW PERSPECTIVES. Professional Fee Coding Audit: The Basics. Learn how to do these invaluable audits page 16

NEW PERSPECTIVES. Professional Fee Coding Audit: The Basics. Learn how to do these invaluable audits page 16 NEW PERSPECTIVES on Healthcare Risk Management, Control and Governance www.ahia.org Journal of the Association of Heathcare Internal Auditors Vol. 32, No. 3, Fall, 2013 Professional Fee Coding Audit: The

More information

White Paper. Identifying Network Security and Compliance Challenges in Healthcare Organizations

White Paper. Identifying Network Security and Compliance Challenges in Healthcare Organizations Identifying Network Security and Compliance Challenges in Healthcare Organizations Contents Introduction....................................................................... 3 Increased Demand For Access............................................................

More information

Ensuring HIPAA Compliance with Computer BYTES Online Backup and Archiving Services

Ensuring HIPAA Compliance with Computer BYTES Online Backup and Archiving Services Ensuring HIPAA Compliance with Computer BYTES Online Backup and Archiving Services Page 2 of 8 Introduction Patient privacy has become a major topic of concern over the past several years. With the majority

More information

OCR/HHS HIPAA/HITECH Audit Preparation

OCR/HHS HIPAA/HITECH Audit Preparation OCR/HHS HIPAA/HITECH Audit Preparation 1 Who are we EHR 2.0 Mission: To assist healthcare organizations develop and implement practices to secure IT systems and comply with HIPAA/HITECH regulations. Education

More information

HIPAA Compliance Guide

HIPAA Compliance Guide HIPAA Compliance Guide Important Terms Covered Entities (CAs) The HIPAA Privacy Rule refers to three specific groups as covered entities, including health plans, healthcare clearinghouses, and health care

More information

Big Data, Big Risk, Big Rewards. Hussein Syed

Big Data, Big Risk, Big Rewards. Hussein Syed Big Data, Big Risk, Big Rewards Hussein Syed Discussion Topics Information Security in healthcare Cyber Security Big Data Security Security and Privacy concerns Security and Privacy Governance Big Data

More information

Healthcare IT Compliance Service. Services > Overview MaaS360 Healthcare IT Compliance Service

Healthcare IT Compliance Service. Services > Overview MaaS360 Healthcare IT Compliance Service Services > Overview MaaS360 Ensure Technical Safeguards for EPHI are Working Monitor firewalls, anti-virus packages, data encryption solutions, VPN clients and other security applications to ensure that

More information

HIPAA Omnibus Rule Overview. Presented by: Crystal Stanton MicroMD Marketing Communication Specialist

HIPAA Omnibus Rule Overview. Presented by: Crystal Stanton MicroMD Marketing Communication Specialist HIPAA Omnibus Rule Overview Presented by: Crystal Stanton MicroMD Marketing Communication Specialist 1 HIPAA Omnibus Rule - Agenda History of the Omnibus Rule What is the HIPAA Omnibus Rule and its various

More information

Healthcare Security: Improving Network Defenses While Serving Patients

Healthcare Security: Improving Network Defenses While Serving Patients White Paper Healthcare Security: Improving Network Defenses While Serving Patients What You Will Learn Safeguarding the privacy of patient information is critical for healthcare providers. However, Cisco

More information

HIPAA COMPLIANCE PLAN FOR 2013

HIPAA COMPLIANCE PLAN FOR 2013 HIPAA COMPLIANCE PLAN FOR 2013 Welcome! Presentor is Rebecca Morehead, Practice Manager Strategist www.practicemanagersolutions.com Meaningful Use? As a way to encourage hospitals and providers to adopt

More information

SECURING YOUR SMALL BUSINESS. Principles of information security and risk management

SECURING YOUR SMALL BUSINESS. Principles of information security and risk management SECURING YOUR SMALL BUSINESS Principles of information security and risk management The challenge Information is one of the most valuable assets of any organization public or private, large or small and

More information

How PatchLink Meets the Top 10 Requirements for Enterprise Patch and Vulnerability Management. White Paper Sept. 2006

How PatchLink Meets the Top 10 Requirements for Enterprise Patch and Vulnerability Management. White Paper Sept. 2006 How PatchLink Meets the Top 10 Requirements for Enterprise Patch and Vulnerability Management White Paper Sept. 2006 Introduction It happens, five, ten, twenty times a month: A hardware or software vendor

More information

Implementing Electronic Medical Records (EMR): Mitigate Security Risks and Create Peace of Mind

Implementing Electronic Medical Records (EMR): Mitigate Security Risks and Create Peace of Mind Page1 Implementing Electronic Medical Records (EMR): Mitigate Security Risks and Create Peace of Mind The use of electronic medical records (EMRs) to maintain patient information is encouraged today and

More information

Datto Compliance 101 1

Datto Compliance 101 1 Datto Compliance 101 1 Overview Overview This document provides a general overview of the Health Insurance Portability and Accounting Act (HIPAA) compliance requirements for Managed Service Providers (MSPs)

More information

HOW TO REALLY IMPLEMENT HIPAA. Presented by: Melissa Skaggs Provider Resources Group

HOW TO REALLY IMPLEMENT HIPAA. Presented by: Melissa Skaggs Provider Resources Group HOW TO REALLY IMPLEMENT HIPAA Presented by: Melissa Skaggs Provider Resources Group WHAT IS HIPAA The Health Insurance Portability and Accountability Act of 1996 (HIPAA; Pub.L. 104 191, 110 Stat. 1936,

More information

Guided HIPAA Compliance

Guided HIPAA Compliance Guided HIPAA Compliance HIPAA Solutions for Office Managers and Practitioners SecurityMetrics We protect business Since its founding in 2000, privately-held SecurityMetrics has grown from a small security

More information

Safeguard Your Hospital. Six Proactive Best Practices to Improve Healthcare Data Security

Safeguard Your Hospital. Six Proactive Best Practices to Improve Healthcare Data Security Safeguard Your Hospital Six Proactive Best Practices to Improve Healthcare Data Security April 2015 A Piece of Paper Can t Cause that Much Harm. Or Can It? Imagine a piece of paper arriving at ABC Hospital

More information

Are You Still HIPAA Compliant? Staying Protected in the Wake of the Omnibus Final Rule Click to edit Master title style.

Are You Still HIPAA Compliant? Staying Protected in the Wake of the Omnibus Final Rule Click to edit Master title style. Are You Still HIPAA Compliant? Staying Protected in the Wake of the Omnibus Final Rule Click to edit Master title style March 27, 2013 www.mcguirewoods.com Introductions Holly Carnell McGuireWoods LLP

More information

Data Privacy and Gramm- Leach-Bliley Act Section 501(b)

Data Privacy and Gramm- Leach-Bliley Act Section 501(b) Data Privacy and Gramm- Leach-Bliley Act Section 501(b) October 2007 2007 Enterprise Risk Management, Inc. Agenda Introduction and Fundamentals Gramm-Leach-Bliley Act, Section 501(b) GLBA Life Cycle Enforcement

More information

HIPAA and Mental Health Privacy:

HIPAA and Mental Health Privacy: HIPAA and Mental Health Privacy: What Social Workers Need to Know Presenter: Sherri Morgan, JD, MSW Associate Counsel, NASW Legal Defense Fund and Office of Ethics & Professional Review 2010 National Association

More information

YOUR HIPAA RISK ANALYSIS IN FIVE STEPS

YOUR HIPAA RISK ANALYSIS IN FIVE STEPS Ebook YOUR HIPAA RISK ANALYSIS IN FIVE STEPS A HOW-TO GUIDE FOR YOUR HIPAA RISK ANALYSIS AND MANAGEMENT PLAN 2015 SecurityMetrics YOUR HIPAA RISK ANALYSIS IN FIVE STEPS 1 YOUR HIPAA RISK ANALYSIS IN FIVE

More information

Why Email Encryption is Essential to the Safety of Your Business

Why Email Encryption is Essential to the Safety of Your Business Why Email Encryption is Essential to the Safety of Your Business What We ll Cover Email is Like a Postcard o The Cost of Unsecured Email 5 Steps to Implement Email Encryption o Know Your Compliance Regulations

More information

Top Ten Technology Risks Facing Colleges and Universities

Top Ten Technology Risks Facing Colleges and Universities Top Ten Technology Risks Facing Colleges and Universities Chris Watson, MBA, CISA, CRISC Manager, Internal Audit and Risk Advisory Services cwatson@schneiderdowns.com April 23, 2012 Overview Technology

More information

HIPAA 101. March 18, 2015 Webinar

HIPAA 101. March 18, 2015 Webinar HIPAA 101 March 18, 2015 Webinar Agenda Acronyms to Know HIPAA Basics What is HIPAA and to whom does it apply? What is protected by HIPAA? Privacy Rule Security Rule HITECH Basics Breaches and Responses

More information

HIPAA: Understanding The Omnibus Rule and Keeping Your Business Compliant

HIPAA: Understanding The Omnibus Rule and Keeping Your Business Compliant 1 HIPAA: Understanding The Omnibus Rule and Keeping Your Business Compliant Introduction U.S. healthcare laws intended to protect patient information (Protected Health Information or PHI) and the myriad

More information

HIPAA and the HITECH Act Privacy and Security of Health Information in 2009

HIPAA and the HITECH Act Privacy and Security of Health Information in 2009 HIPAA and the HITECH Act Privacy and Security of Health Information in 2009 What is HIPAA? Health Insurance Portability & Accountability Act of 1996 Effective April 13, 2003 Federal Law HIPAA Purpose:

More information

The Business Case for Security Information Management

The Business Case for Security Information Management The Essentials Series: Security Information Management The Business Case for Security Information Management sponsored by by Dan Sullivan Th e Business Case for Security Information Management... 1 Un

More information

HIPAA/HITECH Privacy and Security for Long Term Care. Association of Jewish Aging Services 1

HIPAA/HITECH Privacy and Security for Long Term Care. Association of Jewish Aging Services 1 HIPAA/HITECH Privacy and Security for Long Term Care 1 John DiMaggio Chief Executive Officer, Blue Orange Compliance Cliff Mull Partner, Benesch, Healthcare Practice Group About the Presenters John DiMaggio,

More information

Vulnerability Intelligence & 3 rd party patch management

Vulnerability Intelligence & 3 rd party patch management Vulnerability Intelligence & 3 rd party patch management Presented By: William Hamilton Melby Company Overview Brief Secunia facts Established: 2002 HQ: Copenhagen, Denmark Regional office: Minneapolis,

More information

HIPAA Security Alert

HIPAA Security Alert Shipman & Goodwin LLP HIPAA Security Alert July 2008 EXECUTIVE GUIDANCE HIPAA SECURITY COMPLIANCE How would your organization s senior management respond to CMS or OIG inquiries about health information

More information

Top 5 Reasons to Choose User-Friendly Strong Authentication

Top 5 Reasons to Choose User-Friendly Strong Authentication SOLUTION BRIEF: USER-FRIENDLY STRONG AUTHENTICATION........................................ Top 5 Reasons to Choose User-Friendly Strong Authentication Who should read this paper This executive brief asserts

More information

Data Security and Integrity of e-phi. MLCHC Annual Clinical Conference Worcester, MA Wednesday, November 12, 2014 2:15pm 3:30pm

Data Security and Integrity of e-phi. MLCHC Annual Clinical Conference Worcester, MA Wednesday, November 12, 2014 2:15pm 3:30pm Electronic Health Records: Data Security and Integrity of e-phi Worcester, MA Wednesday, 2:15pm 3:30pm Agenda Introduction Learning Objectives Overview of HIPAA HIPAA: Privacy and Security HIPAA: The Security

More information

HIPAA Secure Now! How MSPs Can Profit From Selling HIPAA security services

HIPAA Secure Now! How MSPs Can Profit From Selling HIPAA security services HIPAA Secure Now! How MSPs Can Profit From Selling HIPAA security services How MSPs can profit from selling HIPAA security services Managed Service Providers (MSP) can use the Health Insurance Portability

More information

OCR HIPAA Audit Readiness. ISACA - North Texas Chapter April 11, 2013

OCR HIPAA Audit Readiness. ISACA - North Texas Chapter April 11, 2013 ISACA - North Texas Chapter April 11, 2013 Introduction 1 2 Basic components of HIPAA and HITECH legislation HITECH and rising breaches 3 4 OCR HIPAA audits Key findings of the pilot audits 5 Approaches

More information

BIG SHIFT TO CLOUD-BASED SECURITY

BIG SHIFT TO CLOUD-BASED SECURITY GUIDE THE BIG SHIFT TO CLOUD-BASED SECURITY How mid-sized and smaller organizations can manage their IT risks and meet regulatory compliance with minimal staff and budget. CONTINUOUS SECURITY TABLE OF

More information

Application Security in the Software Development Lifecycle

Application Security in the Software Development Lifecycle Application Security in the Software Development Lifecycle Issues, Challenges and Solutions www.quotium.com 1/15 Table of Contents EXECUTIVE SUMMARY... 3 INTRODUCTION... 4 IMPACT OF SECURITY BREACHES TO

More information

HIPAA compliance audit: Lessons learned apply to dental practices

HIPAA compliance audit: Lessons learned apply to dental practices HIPAA compliance audit: Lessons learned apply to dental practices Executive summary In 2013, the Health Insurance Portability and Accountability Act (HIPAA) of 1996 Omnibus Rule put healthcare providers

More information

RSA SECURE WEB ACCESS FOR HEALTHCARE ENVIRONMENTS

RSA SECURE WEB ACCESS FOR HEALTHCARE ENVIRONMENTS RSA SECURE WEB ACCESS FOR HEALTHCARE ENVIRONMENTS Security solutions for patient and provider access AT A GLANCE Healthcare organizations of all sizes are responding to the demands of patients, physicians,

More information

Appendix 4-2: Sample HIPAA Security Risk Assessment For a Small Physician Practice

Appendix 4-2: Sample HIPAA Security Risk Assessment For a Small Physician Practice Appendix 4-2: Administrative, Physical, and Technical Safeguards Breach Notification Rule How Use this Assessment The following sample risk assessment provides you with a series of sample questions help

More information