Digital Enterprise Unit. White Paper. Securing Patient Information HIPAA and Mobile Healthcare Applications

Transcription

1 Digital Enterprise Unit White Paper Securing Patient Information HIPAA and Mobile Healthcare Applications

2 About the Authors Colonel Rajmohan, CISSP Senior Consultant, TCS Colonel Rajmohan heads the digital security practice within the Digital Enterprise Services and Solutions unit of TCS. He has over 24 years of experience in application security, identity and access management, cryptography, and infrastructure security. He holds a Master s degree in Computer Security and IT Management from the Naval Postgraduate School (NPS), California. Besides having published a number of papers on security in leading journals, he has also filed patents on secure mobile computing. Colonel Rajmohan is a certified Information Systems Security professional governed by the International Information Systems Security Certification Consortium. Ahamed V Associate Consultant, TCS Ahamed is a pre-sales and solutions Consultant with the Digital Security Practice unit of TCS. His areas of expertise include mobile security and application security and he has delivered customized IT application services programs to global banking, financial services and business conglomerate clients for several years. He holds a Bachelor's degree in Computer Science and Engineering from Visvesvaraya Technological University, India.

3 Abstract The adoption of mobile technologies in healthcare has gathered pace in recent years, helping provide real-time access to relevant information to address patient care needs and facilitate mobility of the medical workforce. Increasingly, people have started using mobile devices to access information pertaining to healthcare which has also led to a higher number of security breaches. Organizations are now exploring options to combat security threats to patients' electronic protected health information (e-phi) and their critical systems. The Health Insurance Portability and Accountability Act (HIPAA) in the US establishes security and privacy standards for organizations to protect health information. This paper discusses security risks of mobile healthcare applications, and the approach for enabling HIPAA security standards compliance. The key to securing e-phi with mobility lies in implementing a scalable and robust mobile application security program that enables HIPAA compliance in a timely and economical way.

4 Contents About the authors 2 Abstract 3 Contents 4 Introduction 5 Security Breaches continue to occur 6 Security Issues in Mobile Healthcare Applications 6 HIPAA security standards 7 HIPAA security standards compliance for Mobile Healthcare Apps 8 Conclusion 8

5 Introduction Healthcare providers worldwide are adopting digitally-driven initiatives to ensure ease of access to real-time health information from different sites. Healthcare professionals access patient data on mobile devices using the hospital's internal network and often through insecure networks when outside the perimeter. Technology companies are seeking to contribute to making health data widely accessible. The bundling of the latest release of ios with the HealthKit framework, for example, could spark a trend with third-party-app builders crafting software allowing access to critical health information on mobile devices. The exchange of this data among service providers, insurers, patients, pharmacies, researchers, and external service providers is definitely a necessity. However, there could be security and privacy concerns over access, transmission and storage of this critical data. As health information access expands through mobile devices and apps, without the required safeguards at application layer and other layers, healthcare organizations face security threats to patients' electronic protected health information (e-phi) and their critical systems. The Health Insurance Portability and Accountability Act (HIPAA)¹ in the US establishes security standards for organizations to protect health information that is held or transferred in electronic form. The provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act² strengthen the civil and criminal enforcement of the HIPAA rules and mandate notification of any data breach. Federal Trade Commission (FTC) rules³, moreover, protect against theft of medical identity. It requires that healthcare providers implement programs to detect and report incidents of identity theft. Organizations in other countries must similarly adhere to stringent local regulations. HIPAA standards for privacy of Individually Identifiable Health Information (IIHI) address use and disclosure of individual's protected health information by organizations. They set forth what uses and disclosures are authorized or required, and what rights patients have over their health information. The protection of privacy of information depends extensively on the existence of security measures to protect that information. Ensuring compliance with security-related regulations requires solutions that address vulnerabilities in network infrastructure, application layer, and at the device level. Intrusion detection and prevention systems, mobile Virtual Private Networks (mvpn), and Mobile Device Management (MDM) solutions mitigate the security risks at the network and device layers. The mobile application layer is a targeted attack surface as developers work under delivery pressures of short development cycles and must keep abreast of continuously evolving platform features. Consequently, they overlook even the most obvious application security vulnerabilities, creating an inherent weakness in this layer. The security standards specified by HIPAA must be incorporated into the overall scope of mobile application development for e-phi and critical systems security. [1] U.S Department of Health and Human Services, HIPAA Security Standards Final Rule, Revision date 20-Feb-2003, Retrieved date 22-Aug-2014, [2] U.S Department of Health and Human Services, HIPAA Omnibus Final Rule, Revision date 25-Jan-2013, Retrieved date 22-Aug-2014, [3] U.S Federal Trade Commission, Red Flags Rule, Published date 9-Nov-2007, Retrieved date 22-Aug-2014, 5

6 Security Breaches continue to occur Mobile operating system (OS) and device original equipment manufacturers (OEMs) have been striving to eliminate security vulnerabilities, yet attacks by unauthorized users continue to occur. Several major attacks on applications and systems of healthcare providers have been reported in the media. Regulators have levied maximum allowable penalties on health care providers where causes for security breaches of ephi have known to be due to lack of implementing safeguards as mandated by HIPAA regulations. PrivacyRights.org, a non-profit corporation, maintains a chronology of security breaches, number of patient records exposed and fines imposed that have occurred since With increasing mobility, this list is likely to see exponential increase unless mobile application security is addressed on priority. Security Issues in Mobile Healthcare Applications Attackers exploit weaknesses in application design and development to gain access to sensitive data for malicious purposes. Some of the vulnerable areas include: n Poor authentication and authorization: Weak login credentials, the lack of strong authentication controls, and authorization flaws make it easy for attackers to gain access to the target systems. Once they gain access, the attackers can retrieve e-phi records in an unauthorized manner. n Insecure data storage or broken cryptography: Storage of sensitive data by the client in plain text in a database or file, or weak encryption of data, exposes it to various exploit vectors. The use of weak encryption algorithms that are known to be broken or customized algorithms with insecure key generation and management can impact confidentiality of the data stored by applications. A lost or stolen mobile device can risk patient e-phi, as a result of which sensitive data such as social security numbers stored in the database or file may land in the hands of the attacker. n Man-in-the-middle attack: Sensitive data sent over a network in plain text or faulty implementation of Secure Sockets Layer (SSL) can be easily intercepted, and is susceptible to attack vectors such as data sniffing and data tampering man-in-the-middle attacks. n Health data of chronic illnesses or elderly patients being monitored remotely by intensive care professionals and doctors can be tampered with while in transit, risking the patient's life. Data transmitted to health insurance companies can similarly be stolen to obtain medical identities and financial details for fraudulent purposes. n Client side injection attack: Structured Query Language (SQL) injection through the input field could help the attacker gain access to patient data. The technique could also enable the hacker to alter the data in a manner not intended by the application or even steal the entire database. Medical identity thefts can be used by criminal entities to raise fraudulent claims with health insurance companies. n Unintended data leak: Data can leak from an application to a malicious user or software through several channels. The data may be extracted from a stolen device or automatically uploaded by a coexistent malicious application on the device. System logs, stray files, copy-paste buffers, app-crash logs, web cache, app-state snapshots, and keystroke logs are some of the data leakage sources that can be used to derive sensitive information. Attackers can gain access to patient e-phi through data leakage from side channels. 6

7 n Jail breaking or rooting: This provides means to circumvent all OS security controls, making it easy for malware to steal and relay confidential data to its control server. It is possible to prevent detection by jailbreak detection routines and Mobile Device Management (MDM) controls can be evaded by various spoofing techniques. Therefore, an application has to protect itself and cannot rely on the OS controls. n Session hijack, code tampering and other forms of attacks targeting user behavior: These techniques can risk e-phi and privacy, leading to loss of patient trust. There exists no single client architecture option that consistently outperforms the other two. Often, given conflicting real world business constraints, its difficult to pick the ideal fit every time. Nevertheless, it is imperative that this complex decision still be a well-informed one. HIPAA Security Standards HIPAA security standards that address application security issues are listed below.⁴ However, this is not a comprehensive list, and each organization needs to conduct an analysis to incorporate regulatory controls. The standards are categorized as 'addressable' and 'required'. While the 'required' specifications are mandatory, the 'addressable' specifications are not optional and permit healthcare organizations referred to as covered entities to determine whether the guidelines are reasonable and appropriate for themselves. Required standards mandated by HIPAA security rules for application security: n Unique user identification n Emergency access procedure n Audit controls to record and examine access and other activity in information systems that contain or use e-phi n Person or entity authentication Addressable standards: n Automatic logoff to terminate a session after a predetermined time of inactivity n Encryption and decryption of e-phi n Mechanism to authenticate electronic protected health information n Integrity controls to ensure that e-phi is not improperly altered or destroyed n Transmission security to guard against unauthorized access to e-phi that is being transmitted over an electronic network [4] U.S Department of Health and Human Services, HIPAA Security Standards Final Rule, Revision date 20-Feb-2003, Retrieved date 22-Aug-2014, 7

8 HIPAA Security Standards Compliance for Mobile Healthcare Apps The stress on enforcement of security standards for healthcare providers and the heavy penalties highlights the urgency of addressing security risks. The security standards specified by HIPAA must be incorporated into the overall scope of application development. There is a need for a thorough review of application security design with respect to HIPAA standards. To help conduct mobile application security checks before every release, an automated mobile app security testing solution needs to be integrated into the software development life cycle (SDLC). Automation of the security assurance process that covers static, dynamic, and behavioral analysis of mobile applications is key to detecting vulnerabilities in each release. Timely remediation makes the application more resilient to attacks. An effective way to secure e-phi, therefore, is implementing a scalable and robust mobile application security program, which enables HIPAA compliance validation audit in a timely and cost-effective manner. Conclusion HIPAA and HITECH are legal frameworks that help secure e-phi in the US, while allowing healthcare providers to adopt technologies to improve the quality and efficiency of patient care. Organizations in other countries must adhere to stringent local regulations. Mobile applications have vulnerabilities that increase chances of a security breach by malicious users. Healthcare applications that are developed as per HIPAA security standards curb security breaches and protect health information from thefts and unauthorized access. A robust and scalable security program aided by automated vulnerability assessment tools is critical in order to support secure mobile application development.. 8

9 About TCS' Digital Enterprise Unit TCS adapts the capabilities of the digital five forces Mobility and Pervasive Computing, Big Data and Analytics, Social Media, Cloud, and Artificial Intelligence & Robotics to the unique needs and opportunities of each industry. We leverage a combination of these technologies to help clients digitally reimagine their business models, products and services, customer segments, channels, business processes, and workplaces to gain sustained competitive advantage. Our experienced global team includes strategy experts, business analysts, digital marketers, user experience designers, data scientists, and engineers trained and certified in the latest technologies. By combining our technology vendor partnerships, our pre-built customizable products and reusable assets, and our deep industry expertise, we offer enterprises everything they need for a complete digital transformation from strategy and use cases, to system implementation and maintenance and everything in between. Contact For more information about TCS Digital Enterprise Unit, contact digital.enterprise@tcs.com Subscribe to TCS White Papers TCS.com RSS: Feedburner: About Tata Consultancy Services (TCS) Tata Consultancy Services is an IT services, consulting and business solutions organization that delivers real results to global business, ensuring a level of certainty no other firm can match. TCS offers a consulting-led, integrated portfolio of IT and IT-enabled infrastructure, engineering and TM assurance services. This is delivered through its unique Global Network Delivery Model, recognized as the benchmark of excellence in software development. A part of the Tata Group, India s largest industrial conglomerate, TCS has a global footprint and is listed on the National Stock Exchange and Bombay Stock Exchange in India. For more information, visit us at IT Services Business Solutions Consulting All content / information present here is the exclusive property of Tata Consultancy Services Limited (TCS). The content / information contained here is correct at the time of publishing. No material from here may be copied, modified, reproduced, republished, uploaded, transmitted, posted or distributed in any form without prior written permission from TCS. Unauthorized use of the content / information appearing here may violate copyright, trademark and other applicable laws, and could result in criminal or civil penalties. Copyright 2015Tata Consultancy Services Limited TCS Design Services I M I 01 I 15