Intro. Tod Ferran, CISSP, QSA. SecurityMetrics. 2 years PCI and HIPAA security consulting, performing entity compliance audits

Transcription

1 HIPAA Security Rule & Live Hack Tod Ferran, CISSP, QSA

2 Intro Tod Ferran, CISSP, QSA 25 years working with IT and physical security 2 years PCI and HIPAA security consulting, performing entity compliance audits SecurityMetrics Assisted over 1 million businesses with data security and compliance since 2000 Headquartered in Orem, Utah Stevie Award winner for customer support HIPAA and PCI security assessor

3 Live Hack Demo

4 Sir, did you know that you could save time by doing this online?

5 Understand Your Motivation Desire to be compliant Avoid fines Avoid fines Desire to be secure Reduce risk of breach Reduce possibility of bad publicity Reduce loss of public trust

6 Privacy vs. Security Healthcare entities haven t separated Security/Privacy regulation, and often leave many Security Rule regulations unfulfilled Privacy Rule compliance doesn t extend to Security Rule compliance To be truly HIPAA compliant, must comply with both aspects.

7 Policy vs. Implementation Common to conglomerate HIPAA policies and implementation Healthcare religiously generates Privacy Rule policies,, but few implement principles A policy doesn t cover business from compromise, but through h implementation, you stand a fair chance against data thieves

8 The Unfortunate Reality IT specialists typically: Don t fulfill HIPAA requirements for a business Won t pay for a compromise Don t suffer brand damage if a business is compromised o Risk and liability rest entirely upon the CE

9 How Is The CIA Involved? Confidentiality Integrity Availability

10

11 HIPAA Reported Breaches Jan 1, 2013 to Oct 1, Hacking/IT Incident Improper Disposal Loss Other Theft hf Unauthorized Access Unknown 5 0 Laptop Paper Desktop Server Other E mail Electronic Medical Record

12 Relative by # of Incidents Relative by # of Records Hacking/IT Incident Improper Disposal Loss Other Theft Unauthorized Access Unknown Hacking/IT Incident Improper Disposal Loss Other Theft Unauthorized Access Unknown

13 Two Types of Organizations Those that have been hacked Those that don t know they ve been hacked

14 We Don t Know We ve Been Breached Lack of Current anti-malware Intrusion detection systems Data loss prevention systems File integrity monitoring systems Centralized logging and alerting Security specific training for IT staff

15 Value of Data Credit card = $1 to $3.50 Fullz = $500 Name/address, account/password, etc. +$20 Health insurance account/password +$20 Dental/Vision/Chiropractic Kitz = $1,200 - $1,500 Counterfeit physical docs Di Driver s license, credit cards, insurance cards

16 Attack Types Defacements Most frequent Stealing server bandwidth Porn websites, launching attacks Corporate espionage DNS poisoning (redirection) Denial of service Spyware Phishing Malware Theft, loss & misuse of data Costly Loss of trust

17 Defacement What was previously a normal website was changed overnight into a hacker ad.

18 Hacking Brag-Site

19 Hacking Tools Consumer market products easily obtained by anyone! Most have legitimate business applications

20 Vulnerabilities Based on Root Origins Origins Software Vulnerability Exploitation Software Misconfiguration Social Engineering Potential Vulnerabilities Accidental or Inappropriate Disposal Device Takeover Lost Items Theft Inappropriate Business Procedure Staff X X Business Associates X X Workstations X X X X X X Electronic Data (Storage and processing) X X X X X Office Equipment (Printer, Fax, Copier, Call X X X X X Recordings) Networked Devices (other than workstations) X X X X X X Internet Use X X X X Medical Devices (Not Networked) X X X Mobile Electronic Devices X X X X X X X Multiple Locations X Remote Access X X X Web Site X X X Wireless Networks X X X X Paper Data X X X X Third party inadequate security

21 Today s Hack Target Firewall Web server Hacker Attacking through a firewall to the web server. We only use the private network today to avoid the possibility of putting a vulnerable server on the public Internet.

22 For demonstration purposes, we performed a scan on our target computer. This is the summary page indicating a failed PCI compliance status, and providing a chart of

23 For our demonstration today, if we ve selected this vulnerability that allows anyone to execute commands on the target computer, we need to further research the specific bug. To do this, we ll take thecve identifier or the BugTrac ID (BID) numberof 1806 andsearch the web for more information.

24 A popular site for security information is SecurityFocus. Here we see our bug is listed and that many devices were known to be vulnerable.

25 1 By selecting the Exploit tab in this site, we were able to find the specific instructions on how to use or test this exploit on our web site.

26 Slide 25 1 Tod Ferran, 10/2/2013

27 HIPAA Security

28 45 CFR (c)(1) ) Standard: safeguards. A covered entity must have in place appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information.

29 Attorneys and CPAs Neurosurgeon performing a CABG

30 Security Specialist Role

31 HIPAA Requirement #1 Complete a Risk Analysis Create a Risk Management Plan Use a Prioritized Approach to implement the Risk Management Plan Update BAAs Update NPPs

32 Prioritized Approach Assign a Chief Security Officer Empower with executive level backing and resources Dust off the P&P Update the P&P throughout the process, Provide training to staff as new procedures implemented Password and user account policies i Physical firewalls Anti-malware

33 Prioritized Approach (cont.) Remote Access VPN 2 Factor authentication Wireless networking Change all defaults WPA2 Unauthorized Internet browsing Whitelist ACL based workstation access Deny access to/from servers

34 Prioritized Approach (cont.) Insecure Restrict access to personal accounts Theft Social engineering Stay current Train and remind Periodic evaluations VA scanning and penetration tests Internal and external consultants

35 Prioritized Approach (cont.) Accountability Centralized logging with active alerts Disposal Evaluate all possible areas of data leakage (copiers) Recycle? Media Repurpose Secure wipe Emergency access

36 Prioritized Approach (cont.) Authorization / Supervision Org chart Role-based authentication system Add/change/terminate user accounts Security awareness training Role-based Frequent Reminders

37 Prioritized Approach (cont.) Password Management Minimum length Complexity Re-use Lockout and duration No sharing!! Encryption and decryption All ephi at rest Mobile devices

38 Prioritized Approach (cont.) Integrity Tighten FW rules Enable software FWs Encrypted communications Physical access controls Authentication of ephi FIM IDS/IPS DLP

39 Prioritized Approach (cont.) Workstation use Restrict t physical, logical l access Restrict application access Workforce clearance Automatic idle disconnect Physician office vs. exam room Contingency, disaster, backup, emergency plans Test, test, test!

40 Prioritized Approach (cont.) Review the application and data criticality analysis Sanction policy Facility security Disable USB & CD drives Mitigate risk of damage from flood, fire and electrical l interference Maintenance procedures and records

41 Prioritized Approach (cont.) Response and reporting Tracking Reporting Remediation Training Post-incident analysis Update P&P and training

42 Wrap-up p Privacy rule and security rule are completely separate Use security specialists (internal or external) Validate credentials (CISSP, SSCP or CAP) Complete risk analysis Use internal & external sources Create a risk mitigation plan Begin implementing risk mitigation plan

43 QUESTIONS?