Real World Healthcare Security Exposures. Brian Selfridge, Partner, Meditology Services

Transcription

1

2 Real World Healthcare Security Exposures Brian Selfridge, Partner, Meditology Services 2

3 Agenda Introduction Background and Industry Context Anatomy of a Pen Test Top 10 Healthcare Security Exposures Lessons Learned: Getting the Most from Your Penetration Test Conclusion Q&A 3

4 INTRODUCTION 4

5 Brian Selfridge, Meditology 13+ years experience in healthcare IT security and compliance leadership Previously CISO of health system in the northeast and healthcare security consultant at PricewaterhouseCoopers Published author and presenter, certified CISSP Leads Meditology s IT Risk Management practice including Ethical Hacking and Penetration Testing services Meditology is dedicated to delivering expertise and leadership in information privacy and security, compliance, and audit, specifically for healthcare 5

6 BACKGROUND AND INDUSTRY CONTEXT 6

7 Healthcare is a Soft Target o Medical identity theft affected an estimated 1.5 million people in the U.S. at a cost of $41.3 billion last year o Healthcare organizations are a newly favored target among cybercriminals o Information contained in medical records has much broader utility, can be used to commit multiple types of fraud or identity theft, and does not change, even if compromised o Medical fraud takes more than twice as long to identify as regular identity theft o $50 for stolen medical information vs. $1 for a stolen SSN Key point: the value of personal data to a cybercriminal is much higher than a credit card or bank account number. 7 7 Fourth Annual Benchmark Study on Patient Privacy and Data Security by Ponemon Institute, March 2014 RSA White Paper: Cybercrime and the Healthcare Industry, 2014

8 Hacking on the Rise o Hacking incidents the dominant healthcare breach source for o Notable breaches 2 : Anthem 80 million records Premera Blue Cross 11 million records UCLA Health System 4.5 million records 8 1. Bitglass Healthcare Breach Report 2016 Hacking Accounts for 98% of Healthcare Data Breaches in Healthcare IT Security.com Sara Heath. January Top Healthcare Breaches Reported in , Health Data Management, 10/30/

9 Why Should We Hack Our Own Systems? Simulate the activities of a hacker or malicious insider to expose weaknesses Test real life scenarios to validate assumptions and prevent incidents Identify the current security posture Uncover technical exposures requiring remediation Validate effectiveness of critical security controls Quite simply: Find the security holes before the bad guys do 9

10 Compliance Requirements 3 NIST Special Publications (800 Series). (2008) An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule. 4 PCI Security Standards Council. (2015) Payment Card Industry (PCI) Data Security Standard, Version

11 ANATOMY OF A PEN TEST 11

12 Penetration Testing Methodology 12

13 No Access Anatomy of a Pen Test Internal & External Assessment Scanned company network for vulnerabilities Access Control Configuration Management Identified internetfacing system with default /guessable password Configuration Management Account Management Access Control Training & Awareness Created local administrator accounts Logged into the server Ran hacking tools Obtained administrators password hashes Endpoint Security Malware Protection Password Management Access Control Remotely acquired password hashes for all Active Directory users, cracked and obtained 80% of passwords Used domain admin to access databases, servers, file shares, and other sensitive systems (found documents containing over 4.2 million patient records including SSN, DOB, diagnosis, doses, physicians, payer information, cancer treatment, bank accounts, labs results, date of service, and more Obtained login passwords for domain administrators Social Engineering Called help desk Impersonated a physician Help desk analyst reset password without verification of the user Accessed EHR from public internet Gained full to EHR with physician-level access Access Control Password Management Training & Awareness Access Control Remote Access Accessed Human Resources and Finance systems Accessed documents and files containing benefit, health plan, salary, physicians SSNs, direct deposit, DOB, credit card and bank account numbers 13

14 Phishing Campaigns Phishing attempts to trick users into divulging sensitive information including login credentials Can target all employees or specific individuals (spear phishing 14

15 Social Engineering Does the help desk validate a caller s identity? For terminated employee, is it possible to re-establish network access through deceptive means? Are employees aware of password policies that prohibit the sharing of passwords? Do employees know who to contact if they experience a security incident or witness suspicious behavior? 15

16 Medical Device Security Often the weakest link in the security chain Default passwords, missing patches, remote access, and other weaknesses make them a prime target for entry Increasingly connected to the network and Internet Devices have direct impact to patient safety Pen testing includes a combination of vulnerability scanning and cautious exploitation of weaknesses 16

17 Other Attack Vectors and Tests Account and password testing Wireless assessments Physical security Web application assessments 17

18 TOP 10 HEALTHCARE SECURITY EXPOSURES 18

19 Top 10 Hacking Exposure Areas 19

20 Top 10 Hacking Exposure Areas 20

21 Risky Practices Storing large volumes of medical data on dozens of systems and applications with varying security controls Supporting legacy systems that are not configured with routine security updates Ineffective vetting of medical devices and third party vendor security Relying on one or two layers of security to protect sensitive data (e.g. passwords) Under-funding security budgets that must address both regulatory and risk-based security remediation and controls Conducting organizational risk assessments without validating technical security exposures 21

22 LESSONS LEARNED: GETTING THE MOST FROM YOUR PEN TEST 22

23 How Often Should You Test? If a penetration test has never been conducted, test as soon as possible After conducting the initial penetration test, retest annually and after any major infrastructure change If a penetration test identifies critical vulnerabilities, retest after remediation is complete If an organization conducts a risk assessment (e.g., HIPAA, PCI), conduct a penetration test at the same time To address specific security concerns, schedule targeted penetration tests either quarterly or semiannually 23

24 What to Look for in a Vendor Is the vendor only conducting vulnerability scanning? o A penetration test consists of more than just identifying vulnerabilities o A thorough test also involves exploiting the vulnerabilities and manually testing for security holes that an automated tool might not be able to discover Does the vendor know how to minimize the potential for impacting patient safety and critical systems? Does the vendors technical team know how to communicate the results to non-technical stakeholders? Does the vendor understand healthcare and provide clear, prescriptive, and tailored recommendations? 24

25 CONCLUSION 25

26 Summary Healthcare organizations are increasingly becoming a target for hackers and cybercriminals The value of patient data has made healthcare organizations a rich target Conducting regular penetration testing can assist your organization in identifying weaknesses and taking the necessary actions to prevent a data breach event 26

27 Wolters Kluwer Health Compliance Solutions Effectively manage risk with Information Security Assessment Manager (ISAM) ISAM is the practical, affordable, and complete solution for managing privacy and information security compliance and risk, across the enterprise 27

28 Thank You Brian Selfridge Partner, IT Risk Management Download the white paper: 28