White Paper. Identifying Network Security and Compliance Challenges in Healthcare Organizations

Transcription

1 Identifying Network Security and Compliance Challenges in Healthcare Organizations

2 Contents Introduction Increased Demand For Access Mobile devices Medical devices Increased regulatory requirements for achieving compliance Scope of regulations includes medical and mobile devices Protection from malicious software Access, authorization, supervision, termination ephi inventory Documentation as evidence of compliance Provider Practice Acquisitions: Increased Demands On Network Infrastructures Non-standard network acquisitions Multiple hardware vendor platforms Undocumented networks Unknown network endpoints Managed And Unmanaged Devices BYOD Who s in, who s out? Managed/unmanaged Authentication Incident response Conclusion Works Cited Additional Resources About ForeScout

3 Introduction Healthcare IT leaders are facing a growing challenge keeping their networks secure while at the same time opening up access to a myriad of new devices and user populations. Providers, employees, visitors, patients they all demand access to information from their personally owned device of choice. Some healthcare executives have tried to stop the practice by stating, You can only use these approved devices. While dyed-in-the-wool security hawks might like this approach, it is not acceptable in the real world. Consumer devices have become so pervasively accepted that healthcare IT organizations are expected to accommodate them. It is not only people that want more access to data. The decade long trend towards putting medical devices on the IP network contributes to the security and compliance challenge. Regulatory requirements are also increasing. In the United States, regulations such as the ones contained in the Healthcare Insurance Portability and Accountability Act (HIPAA), the Health Information Technology for Economic and Clinical Health (HITECH) Act, and the American Recovery and Reinvestment Act (ARRA) are all becoming more challenging to meet. On top of all of that, IT organizations are struggling to improve efficiency by migrating to cloud environments. This whitepaper will explore these challenges and present ideas for how healthcare IT departments can meet these challenges, including: Increased demand for access Elevated regulatory requirements for achieving compliance Increased demands on network infrastructures Securing the network from both managed and unmanaged devices Increased Demand For Access Mobile devices As discussed in the introduction, mobile device use is exploding. During his opening remarks at the 2012 Mobile Devices Roundtable: Safeguarding health information, in Washington, D.C., Farzad Mostashari, former National Coordinator for Health Information Technology, highlighted the disruptive nature of mobile device access: Ubiquitous, connected platform. And the use of these is skyrocketing, as everybody knows, and one of the interesting things about this is that like many disruptive innovations, it starts in one side of the market, the lower cost side of the market, and then it comes in and takes over the higher cost, and in our case, it s consumer technology coming into institutional technology, medicine. The term disruptive is apt. Providers, employees, patients and visitors are all demanding access. When providers are rounding, their diagnoses and treatment recommendations are being researched by family members. As Mostashari highlights, this is cultural change making its way into the healthcare industry, and it cannot be ignored, postponed, or neglected. It is the new normal. So what are these devices that are attaching to the network, and what do they need? Mobile devices can generally be divided by type, management status, and function. Type Management Status Function Smartphones Managed Connected to ephi network Tablets Unmanaged known/authenticated Connected to network with no ephi Phablets Unmanaged unknown/unauthenticated Internet only connectivity Laptops No network connectivity From the table above, mobile devices will have a wide variety of hardware function and management status. IT is essential, and the healthcare IT departments need the have to appropriate tools in place to effectively manage these devices. 3

4 Medical devices Medical devices need to be evaluated and managed in the same way as any other electronic protected health information (ephi) system or computing device. This point was made clear in June 2013 when the U.S. Food and Drug Administration released a Safety Communication stating: Recently, the FDA has become aware of cybersecurity vulnerabilities and incidents that could directly impact medical devices or hospital network operations. The vulnerabilities and incidents cited by the FDA include: Network-connected/configured medical devices infected or disabled by malware The presence of malware on hospital computers, smartphones and tablets, targeting mobile devices using wireless technology to access patient data, monitoring systems, and implanted patient devices Failure to provide timely security software updates and patches to medical devices and networks and to address related vulnerabilities in older medical device models (legacy devices) Security vulnerabilities in off-the-shelf software that is designed to prevent unauthorized device or network access, such as plain-text or no authentication, hard-coded passwords, documented service accounts in service manuals, and poor coding/sql injection Specific recommendations for healthcare facilities include: Restricting unauthorized access to the network and networked medical devices Making certain appropriate antivirus software and firewalls are up-to-date Monitoring network activity for unauthorized use Protecting individual network components through routine and periodic evaluation, including updating security patches and disabling all unnecessary ports and services Increased regulatory requirements for achieving compliance Given the increased variety of devices connecting to networks in the healthcare environment, numerous compliance requirements come into play that heretofore have not been necessary. Scope of regulations includes medical and mobile devices HIPAA requires healthcare organizations to implement policies and procedures that specify the proper functions (of computing devices) to be performed, the manner in which those functions are to be performed, and for granting access to electronic protected health information; for example, through access to a workstation, transaction, program, process, or other mechanism (see (a)(4)(ii)B, and b). What is important to note here is that the term workstation refers to any computing device, including mobile devices, medical devices, and any other device attaching to the network with potential access to ephi. According to Susan McAndrew, Deputy Director for Office for Civil Rights (OCR), healthcare organizations are required to treat mobile devices as they do any other ephi system: With regards to mobile devices, it is clear that these are a part of the electronic systems and enterprise within a doctor s office or a health plan, and, so, they do come within the ambit of the HIPAA Security Rule and are subject to all of those protections, including primarily it is important that entities recognize that and include them as part of their risk assessments as they go forward and that they do take the same kinds of protections with regard to those devices as they would to the main computer systems within the enterprise. 4

5 Protection from malicious software Healthcare organizations have been aware for a long time that anti-virus and anti-malware protection is required for computing devices. These protections have been in place for so long that many organizations have assumed that they protect all devices. This is not the case, particularly with smartphones and medical devices. For examples, smartphones with such a large population of users (source name estimates that in million apps were installed) are ripe for introducing viruses and other malware to healthcare network systems. Access, authorization, supervision, termination HIPAA requires that both users and devices must be properly authorized, granted appropriate access and supervised. HIPPA requires that IT organizations have the ability to quickly terminate a user or device s access when it is no longer appropriate. For example, a physician is hired as temporary staff physician (locum) within the healthcare organizations outpatient center. The physician s access and level of access to ephi must be authorized by someone with authority to do so, such as the CMO. After beginning work, the physician s access should be supervised to ensure it is appropriate, and when the service period is complete, his/her ephi access should be terminated in a timely manner. This sounds simple enough, and in fact, it happens every day in healthcare organizations across the country. What is often missed is that personally-owned devices should be treated in the same manner. OCR Deputy Director McAndrew provided guidance on HIPAA regulations related to access by mobile devices, As Farzad (Farzad Mostashari, National Coordinator for Health Information Technology) mentioned in his opening remarks, these devices (mobile) have many roles and many vulnerabilities, including it s not just the information that is sent to and from these devices, but because of the device, it may present access to other systems and those kinds of controls need to be recognized and protected against should the device fall into unauthorized hands. Healthcare organizations must have tools in place to govern access, authorization, supervision of devices with access to ephi, and terminate such access in a timely manner. Most healthcare organizations do not have the technical capabilities in place to sufficiently achieve these standards. ephi inventory Figure 1: According to the Ponemon Institute study* 81% of healthcare organizations allow the use of personal mobile devices. This figure shows that there is extensive use of mobile devices. This same study shows that 54% of these organizations are not confident these devices are secure, with only 9% very confident the devices are secure. In addition to being a HIPAA requirement (see (a)(1)(i) and (a)(7)(ii)(E)), an inventory of ephi means knowing the location of systems, servers, devices and applications that capture, store, transmit and use PHI. The inventory is then used to perform security risk assessment (SRA). Many healthcare organizations go to great lengths to perform SRAs only to ignore many systems, and even more end user devices. The ephi inventory should include mobile devices, medical devices and the network systems that support network transmission. * Reference to: Third Annual Benchmark Study on Patient Privacy & Data Security, Ponemon Institute LLC, December

6 The inventory also assists technical security teams in identifying the type, management status and function of devices on their networks while also identifying risks and developing mitigation strategies. It s like the saying; you can t fix what you don t know is broken. Proper risk management cannot be performed if critical components are unknown and/or ignored. Documentation as evidence of compliance Compliance audit requirements may have a lot of differences, but they have some things in common. One key component of any compliance program is documentation evidence, often called documentation as evidence of compliance. One area of particular need is documentation related to security incidents. This is not only a HIPAA requirement (see (a)(6)), but also documentation of incidents is critical to identifying threat and behavior patterns that current systems and controls are not effectively addressing. Much like the needs around ephi inventories undiscovered and/or unknown incidents are of serious concern. Healthcare IT departments need to implement tools and associated procedures, to ensure incidents are known and easily documented so they can be appropriately evaluated. Provider Practice Acquisitions: Increased Demands On Network Infrastructures One of the emerging healthcare trends in the last several is the movement of small practices into large ones, including hospital owned physician groups. There are many drivers for this movement including Accountable Care Organizations, Meaningful Use, ICD-10, and economies of scale. More detailed reasons are beyond the scope of this paper, but this movement of physician groups to larger ones, does present complications to the IT and security departments that support them. As any network/security administrator knows, when a physician s practice is acquired, adding that practice s network to the larger network can be challenging. Issues include: Non-standard network acquisitions Many small practices have no internal IT staff. Often their IT contractor may be someone s brother, or just plain inexperienced. Rarely do smaller physician practices have an experienced and competent IT network resource. This often means the networks in these practices are non-standard. So organizations that have spent millions of dollars implementing state of the art network infrastructures are now being tasked with adding non-standard networks. Multiple hardware vendor platforms When implementing an enterprise network, there are several components that are considered when making a vendor selection, from technical knowledge of the staff, maintenance, TCO, performance, security, interoperability, etc. What happens when suddenly a new platform is added to your environment? With increasing acquisitions and rapidly changing demands, having a preferred or single vendor for networking equipment is becoming less and less practical. To successfully integrate these changes into an existing enterprise network, healthcare IT departments need to quickly identify devices, regardless of hardware platform, and access the status of the network and its endpoints. Undocumented networks Another challenge that is often encountered when acquiring additional infrastructure is the lack of documentation. Not only is there an entirely new network that needs to be integrated into the larger enterprise, but with no documentation there is a significant risk exposure in addition to the increased labor hours required to integrate an undocumented network. Unknown network endpoints The next challenge is a natural outpouring from the others. Undocumented non-standard networks are unlikely to have any documentation, or standards related to the endpoints, or even what devices are attaching. What servers, computers, or other devices are endpoints able to connect to? What is the status of their malicious software connection? How often do they attach? These questions and many like it need to be identified as part of normal security and compliance, but even more so before integrating an acquired network to the larger enterprise. 6

7 Managed And Unmanaged Devices BYOD Who s in, who s out? As discussed previously, demands from both employees and patients to use personal mobile devices to view various types of information also known as Bring-Your-Own-Device or BYOD represents a daunting security challenge. How can you accommodate employee and guest requests to use their smartphones, notebooks and tablets on your network while mitigating security risks? Healthcare organizations need to embrace BYOD while preserving security. To accomplish this, IT departments need real-time visibility and control over personal devices on their network that protect data, regardless of what type of device employees or visitors are trying to use. One of the first challenges is to understand the scope of the demand. Who is currently accessing the network? What type of mobile device is it? How many devices are registering in the Mobile Device Management (MDM) portal? Most healthcare enterprises would not be able to answer these questions. In fact, Gartner estimates that the typical enterprise is aware of only 80 percent of the devices that are active on its network. Managed/unmanaged As discussed previously, all devices that have potential access to ephi must have the same kinds of protections as the main ephi systems within the enterprise. How can this be achieved if devices are unknown, or not owned by the organization? Most medical devices are not members of the backend domain and cannot have agents installed to manage them. These are challenges that must be met and protections implemented to ensure the integrity of the ephi. This includes provisioning, management, security, monitoring and support of mobile and medical devices. Traditionally, healthcare IT departments have purchased management tools that require agents to be installed on endpoint devices. With mobile devices, this means using a mobile device management system (MDM) to install an agent. For corporate owned devices, this may acceptable. But, what assurances are there that all devices have been successfully accounted for and have agents installed? What if the user uninstalls the agent? What about personally owned devices? Other types of tools must be evaluated to ensure that all mobile devices are properly managed and controlled. Figure 2: While desktop & laptops are still the greatest source of compromised devices, there is a significant rise in other types of mobile devices, including smartphones & tablets**. ** Reference to: Third Annual Benchmark Study on Patient Privacy & Data Security, Ponemon Institute LLC, December

8 Authentication Medical and mobile devices must comply with HIPAA authentication requirements. Specifically, (a)(4)(ii)(B) requires that covered entities Implement Policies and Procedures for granting access to electronic protected health information, for example, through access to a workstation, transaction, program, process, or other mechanism. This means that mobile and medical devices should only have access to ephi after they have been authorized. Additionally, the access privileges of these devices should be in line with their intended use. As per (b), when determining the appropriate use of the devices, covered entities should specify the proper functions to be performed, and the manner in which those functions are to be performed. Once the access level of these devices has been determined (and documented); mechanism for proper access authorization should be implemented. But what is required for mobile and medical device authentication? Healthcare IT departments need real-time visibility of personal and mobile devices on its networks and to limit network access of these devices in line with their proper function. Incident response A proper security incident program should include the following: Ownership Who is/are responsible for responding to the incident? If a team is responsible; they will need to examine risk assessment reports and assist with identification of potential incidents that are unknown. Particular attention should be given to medical and mobile devices, as their activity is generally unmanaged. Definitions Healthcare organizations need to determine what constitutes a security incident, how incidents will be classified (e.g., green, yellow, red) and the criteria for these classifications. Response plans Once a security incident has been evaluated and classified, it needs to be responded to. This should focus on addressing the actual incident and, perhaps more importantly, preventative measures should be recommended to mitigate/avoid future incidents. Many times the preventative measures are both procedural (policy, procedures, education) and technical (network management tools, Intrusion prevention, and monitoring). Reviews After incidents have evaluated and addressed, healthcare organizations need to make sure that recommendations are reviewed and re-evaluated to ensure they achieve compliance. An idea that may make sense in theory may not be realized once implemented. Documentation A HIPAA requirement, security incident reports and activities should be documented and retained for at least six years (see (b)(2)(i)) and potentially longer. Conclusion With these daunting challenges facing healthcare IT professionals, what can they do to balance flexible access to information from a plethora of devices; mobile devices, medical devices, corporate and non-corporate, in such a way that meets the ever-increasing federal and state regulatory standards and that keeps the corporate networks secure. Traditional technology solutions called for deploying agents on every device. These agents, theoretically, would report back, allowing you to create rules that would keep guarantee compliance. But in the real world this approach just doesn t work. It is important to decrease the number of unknown devices while at the same time to better manage those which are known. This starts by discovering every device connecting to corporate networks, and a solution not dependent on deployment of agents. This becomes a critical requirement in the medical environment as many medical devices will not accept the use of agents. And, for corporate devices that can accept agents, deploying them to these personal devices is simply not practical. After discovery, verify that the devices are compliant with established security policies. For example, do they have malicious software protection? Are devices running prohibited applications, i.e. like Angry Birds. And, are devices using encrypted storage? This can be accomplished by the use of next-generation NAC solutions. These solutions offer an automated security control platform that delivers real-time visibility and control of all devices on your network, and provide network access control, endpoint compliance, handheld device security and threat control, all in one automated system, enabling innovative patient care without compromising security. To be truly protected in this difficult security environment, healthcare organizations should look at a pervasive network security solution that can discover devices, enforce policy, and ensure all devices are compliant. 8

9 Works Cited FDA. (20013, June 13). Safety Communications. Retrieved from FDA.gov: HeathIT.gov. (2012, March 03). Retrieved from MOBILE DEVICES ROUNDTABLE: SAFEGUARDING HEALTH : Strategic Road Map for Network Access Control, Gartner, 11 October 2011, Lawrence Orans and John Pescatore. Additional Resources NIST Special Publication (PHI at Rest); NIST Special Publication (PHI in Motion); and NIST Special Publication (PHI Disposed) About ForeScout ForeScout delivers pervasive network security by allowing organizations to continuously monitor and mitigate security exposures and cyber attacks. The company s CounterACT appliance dynamically identifies and assesses all network users, endpoints and applications to provide complete visibility, intelligence and policy-based mitigation of security issues. ForeScout s open ControlFabric technology allows a broad range of IT security products and management systems to share information and automate remediation actions. Because ForeScout s solutions are easy to deploy, unobtrusive, flexible and scalable, they have been chosen by more than 1,500 enterprises and government agencies. Headquartered in Campbell, California, ForeScout offers its solutions through its network of authorized partners worldwide. Learn more at ForeScout Technologies, Inc. 900 E. Hamilton Ave., Suite 300 Campbell, CA U.S.A. T (US) T (Intl.) F ForeScout Technologies, Inc. Products protected by US Patent #6,363,489, March All rights reserved. ForeScout Technologies, the ForeScout logo, CounterACT, and ControlFabric are trademarks of ForeScout Technologies, Inc. All other trademarks are the property of their respective owners. Doc: