Healthcare Security Vulnerabilities. Adam Goslin Chief Operations Officer High Bit Security

Transcription

1 Healthcare Security Vulnerabilities Adam Goslin Chief Operations Officer High Bit Security

2 Webinar Overview IT Security and Data Loss Breach Sources / Additional Information Recent Medical Breach / Loss Vulnerability Scanning Penetration Testing / Sample Social Engineering / Sample Ways to Improve Healthcare Security

3 IT Security & Data Loss Increase in small scale breaches Lost/stolen devices (phones, laptops, etc.) Social networking exposure Data encryption <> security silver bullet Data breach notification regulations Mobile threats Critical infrastructure attacks source: Trends-for-the-Year-Ahead.aspx Breach costs are presently averaged at $194 per record detection, escalation, notification, resolution and after-the-fact response Source: (March 2012)

4 Breach Sources / Information Less than 10% of developers / network administrators document security considerations while formulating solutions. ( Insider Threat: unresolved vulnerabilities exploited by terminated IT employees US Government building a hacking monitoring facility Foreign hacking rings Consumers leave or avoid companies that have suffered a security breach ( In 2011, 86% of the data breach cases originated from hacking, and 92% were carried out by an external agent rather than an insider or partner (

5 Recent Medical Breach / Loss May, different reported breaches Breach Sources: Web breach, Hospital breach, Physical breach, Lost device, Internet exposure, inappropriate employee access Total records known = almost 103,500 4 incidents not yet reported record $194 / record, total over $20 million dollars Average records = approx 6500 ( over $1.2 million dollars)

6 Security Testing Vulnerability Scanning Relatively inexpensive Pre-configured, automated computer scan Evaluates system for known, configured vulnerabilities External network layer Cursory website coverage Will not evaluate custom code (websites) Will not evaluate logical faults in code Automated report will contain false positives Better than no testing at all, provides a false sense of security

7 Penetration Testing More costly than vulnerability scanning Expanded coverage External and internal network/websites; Printers, photo copiers, scanners, fax machines; Wireless systems; All major development languages (including custom code); Virtual (i.e. cloud), physical, hosted environments Performed by a certified security engineer Multiple vulnerability scanners; Detailed website testing; Extensive manual testing; Results evaluated by engineer: think, analyze, track, follow-up and judge; False positives eliminated, validated results Final Report Exec Summary; Detailed, prioritized findings including specifics on how to address Remediation Testing Once findings are addressed, security company should validate closed properly

8 Penetration Testing - Sample Medical Facility Penetration Test Had support via Electronic Medical Records (EMR) provider; unsure about security Performed a full coverage external and internal penetration testing engagement Externally achieved external access to the internal network Internally took over every server, workstation, the firewall; gained access to sensitive medical data, including prescriptions, full contact information for patients, SSNs, doctor signatures and narcotics ID number

9 Social Engineering Security company is engaged to leverage a ruse while performing an assessment of specific objectives in relation to the target organization. Testing objectives may include: Physical security assessment Unauthorized access to facilities Unauthorized access to systems Assessment of security awareness training Often performed in conjunction with penetration testing and as postassessment of an audit.

10 Social Engineering - Sample Target: Hospital in the US Objectives: Physical security assessment, security awareness training of personnel, unauthorized access to technical resources Results: Physical Security Generator, roof access, boiler room, electrical, water supply Data Safety direct breach of hospital and IT PCs, unescorted access in admin bldg

11 Ways to Improve Healthcare Security Security covers a broad range of topics, and there is no silver bullet. Firewall: patched, locked down, remove vendor default accounts, IPS Servers & Workstations patching, antivirus, remove all unnecessary software Wireless separate guests from internal network; use strong encryption, turn off broadcast Passwords Servers, workstations and wireless: Strong passwords of >8 characters, UPPER and lower case, numbers and symbols. Ex: #1CP@f1RM! Password Handling: Use password manager i.e. KeePass Not a post-it note! Policies / Training: Policies maintained, security awareness, social engineering Physical / Electronic Data Destruction: shred docs, wipe or destroy electronic storage devices Security Testing Pen Testing recommended annually with periodic interim vulnerability scans

12 Q & A Adam Goslin Chief Operations Officer Cell: AGoslin@HighBitSecurity.com