BEFORE THE BREACH: Why Penetration Testing is Critical to Healthcare IT Security

Transcription

1 BEFORE THE BREACH: Why Penetration Testing is Critical to Healthcare IT Security August 2014 w w w.r e d s p in.c o m

2 Introduction This paper discusses the relevance and usefulness of security penetration testing within the healthcare industry. It covers the purpose, scope, and benefits of penetration testing for healthcare organizations. Risks Are Inherent in a Dynamic IT Landscape Gone are the days when the IT infrastructure of healthcare organizations consisted of a couple of isolated workstations or a mainframe used only by a handful of computer specialists. Today, healthcare delivery requires providers to store, handle, transmit, and access larger volumes of data than ever using a variety of IT components. As a consequence, the information technology landscape of healthcare organizations has become a dynamic one expanding, transforming, and interconnecting with third parties and open external networks. Sensitive data can now be accessed from a variety of end points by a multitude of users, including many who are not even employees of the provider organization. Thus, it should not be a surprise that this complex situation increases the risk of data breach and data corruption. The Ponemon Institute 2014 Benchmark Study on Patient Privacy & Data Security reports that: 1 The primary security concerns of healthcare organizations are insecure exchange of patient information between healthcare providers and third parties, patient data on insecure databases, and patient registration on insecure websites. 90% of healthcare organizations in this study had at least one data breach in the past two years. 38% reported more than five incidents. In particular, the risk of external criminal attacks is highlighted as a major challenge for the healthcare industry. Such attacks have increased over 100% since For the most part, those data breaches did not even require the use of sophisticated programming skills. Instead, offenders simply exploited well-known vulnerabilities and process weaknesses. Healthcare organizations continue to struggle to comply with increasingly complex federal and state privacy and security regulations. In the article Health Care Companies Have Worse Cybersecurity Than Retailers, Dune Lawrence, a reporter for Bloomberg News in New York, puts the spotlight on the healthcare industry by stating that healthcare information security is behind that of other regulated industries. 2 In fact, a recent analysis found that healthcare and pharmaceutical companies performed worse in security analysis than financial institutions, utilities, and even retailers. Many healthcare organizations are neglecting to put into place even basic protective measures. The Ponemon report stresses that the growth in criminal attacks against healthcare organizations calls for assessments of areas vulnerable to attack and investments in technologies that protect organizations from malicious outsiders. Implementing these measures is a huge challenge but critical to the future of the healthcare industry. It requires a well-structured and optimized risk management strategy, in which penetration testing holds an essential function. The definition of practical remediation plans take into account the specificity of the industry, the applicable regulations, and the limited resources and budget assigned to the IT security and compliance effort. Security Penetration Testing Redspin, Inc. Page 2

3 Security penetration testing, also referred to as a pen test, is a network security assessment in which ethical hacking is performed. It supports the risk management strategy of the organization by: 1. Determining and validating the genuineness and severity of weaknesses, thereby rationalizing investments. 2. Confirming that the protection mechanisms are operating as expected and according to specific standards. In other words, determining whether the security controls that are supposed to detect and block security issues and alert appropriate parties actually work. Why IT Penetration Testing is Important for the Healthcare Industry There are many compelling reasons to perform regular penetration testing: Penetration tests allow healthcare organizations to assess all three pillars of their IT security posture people, processes, and technology by providing a more thorough evaluation of their risks and other information that is useful to IT professionals and decision makers. In a dynamic IT landscape, constant monitoring for failure and adaptation to new threats is required. The IT infrastructure is made of heterogeneous system components, each a potential source of weakness and requiring specialized knowledge, skills, and solutions to implement improvements. Implemented defences (as with any IT component) are made and configured by human beings and, therefore, subject to errors and carelessness within their conception, installation, configuration, maintenance, and usage. Using the analogy of a prescription medication, any change within the IT environment could induce negative side effects. For instance, the installation of a patch could impact the configuration of the system on which it is applied, creating a new avenue for malicious activities. Often healthcare organizations have underinvested in their IT infrastructure and have not given the right priorities or attention to its defence mechanisms. This can lead to obsolescence or degeneration to the great satisfaction of malicious individuals. The IT infrastructure is under constant attack, motivated by possibilities of gaining access to patient medical and financial data, disrupting service, or, frankly, just for fun. A recent report revealed that 94% of hospitals and other healthcare organizations have been targeted by hackers. 3 Business continuity is a primary security concern for many organizations. Vulnerabilities can often be exploited to produce a denial of service condition, which usually crashes the vulnerable service and breaches the server availability. Organizations may have sufficient policies and procedures in place; but until they actually have to deal with an intruder inside their network, they cannot be certain about how to proceed in the event of a real attack. Much like a fire drill, a penetration test allows them to develop a working strategy to respond to any unusual activity. For the above reasons, the healthcare industry should carefully monitor the effectiveness of their defence mechanisms by conducting regular penetration tests to assess the three pillars of their information security. This will mitigate the risks of medical and financial data theft or service disruption Redspin, Inc. Page 3

4 Penetration Testing for Regulatory Compliance Penetration testing helps healthcare organizations comply with the challenging requirements of HIPAA and the Payment Card Industry Data Security Standard (PCI DSS). PCI DSS V3, which is applicable to any organization storing, processing, and transmitting credit card data (including the healthcare industry), requires at least one annual penetration test as well as a follow-up test after any significant infrastructure modification. HIPAA regulations determine the way that healthcare industry must implement, monitor, and audit their safeguards on protected health information (PHI) on their computer networks. To learn more about specific HIPAA requirements, please refer to the Redspin white paper: The Facts about HIPAA, HITECH, and the Omnibus Rule What You Need to Know. 4 While penetration testing is not specified by HIPAA, it should be considered a permanent part of any ongoing information security program. Pen tests are an efficient way to provide covered entities and business associates with demonstrated compliance with requirements for a continuous program of assessment and improvements to the specific Security Rule sections below: Security Management Process ( (a)(1) Security Incident Procedures ( (a)(6) Evaluation ( (a)(8) Audit Controls ( (b) Policies and Procedures ( (a)) Access Control ( (a)(1)) Penetration Testing Versus Vulnerability Scanning Scanning is a term shared between the IT security and the healthcare industry that provides a useful analogy. In both cases, scanners are used to identify potential anomalies or deviations against a defined normality. In healthcare delivery, scanners assess the human body. Security scanners assess the IT infrastructure and its endpoints. In short, they help answer the question IS THERE SOMETHING WRONG? The presence of defective cells may indicate abnormalities in the human body, while the presence of misconfigurations may indicate vulnerabilities in IT components. However, the sole use of scanners in either industry is not sufficient to determine whether these anomalies are dangerous to the entity in question. Thus, penetration testing is used to answer the next question: SO WHAT? It helps clarify the level of danger of an anomaly or the level of exploitability of an IT weakness. If scanners help detect potential issues, penetration tests help validate the reality of these findings by assessing the risks for the entity and priorities for remediation. It may be as simply described as: Scanner: Abnormalities detected! Pen test: Are they real? Should we worry about them? How should we act and when? In addition, there is no proven correlation between a clean vulnerability scanning report (absence of detected issues) and the effectiveness of the defences. In other words, one cannot conclude that their defence mechanisms are adequate simply because a scanner reports no issues. Inappropriate firewall rules, wrongly configured access controls, weak passwords, and naïve users may never show up on an automated vulnerability report. But the reality is that attackers are clever and determined. They will not hesitate to take advantage of any glitch within the defence mechanisms Redspin, Inc. Page 4

5 Penetration Testing, a Valuable Tool in the Security Arsenal Some benefits of regular penetration testing for the healthcare industry are: Meeting compliance (HIPAA, PCI-DSS) Validating the reality of identified vulnerabilities Identifying weaknesses that may be difficult or impossible to detect with a scanner Determining the feasibility of a particular set of attack vectors Testing the ability of the defence mechanisms (people, processes, and technology) to successfully detect and respond to attacks Assessing the magnitude of potential business and operational impacts of successful attacks Focusing resources and budget on real issues to secure the medical and financial data Supporting a thorough risk management process already under scrutiny by the director of the Department of Health and Human Services' Office for Civil Rights 5 Avoiding security incidents that threaten its corporate image, put its reputation at risk, and impact customer loyalty Setting the Scope of Penetration Testing The scope of penetration testing for the healthcare industry should encompass all systems that store, process, or transmit PHI and cardholder data including any connected system components. This includes databases that store cardholder and/or patient data, servers and applications that process said data, networking components that transit the information, security components that protect identities, and assets that help manage this system. A Chain is Only as Strong as its Weakest Link To be thorough, healthcare entities should also consider the human aspects of the equation by testing the end-users ability to follow documented policies and procedures while avoiding common traps set by malicious attackers. External and Internal Security Assessments Penetration testing can be carried out from two perspectives: an outsider who tries to attack the entity over the Internet, or from the perspective of a malicious insider. These two approaches are called external and internal security assessments. Most organizations start with testing their ability to detect, block, and alert in the event of attacks from the Internet. However, an internal penetration test is equally as valuable for an entity looking to diminish the risk of rogue employees getting unauthorized access to cardholder or medical data or creating a denial of services of the IT systems supporting the medical and administrative activities Redspin, Inc. Page 5

6 Take Away Getting a penetration test is a bit like going to get a biopsy. It is never something we want to do and we hope the results come back negative, but we do it for the peace of mind. Given the findings highlighted in the Ponemon report and the risks evidenced by the recent breaches at Fortune 1000 companies (such as Target, ebay, Adobe), healthcare organizations should definitely get pen tested on a regular basis. The challenge for the healthcare industry is to find a cost-effective way to sustain this process with a trusted partner. They need a company that will guide them through this complex process and help them define the objectives, scope, and scenarios of an attack a company that will not only put a team of experts at their disposal, but also make sensible recommendations from both a technical and business perspective. About Redspin Redspin was founded in 2001 with a singular mission to help our clients better protect their IT assets and lower their security risks. Since that time, we have conducted more than 2,500 IT security risk assessments for nearly 1,000 clients. Our services protect confidential data and critical infrastructure, harden web applications, maintain compliance, and reduce overall risk. We offer penetration testing, application security assessments, external and internal vulnerability analysis, network security audits, policy and compliance reviews, social engineering services, and mobile device security risk analysis (BYOD or "bring your own device"). Redspin specifically tailors its work for every customer, whether it is a Fortune 500 enterprise or community hospital, a multinational corporation or a small-to-medium sized bank. We bring a real-word perspective to each engagement with a methodology shaped by security frameworks but battle-tested by thousands of assessments. Fueled by our deep industry-specific experience in healthcare, banking, financial services, retail, energy, technology, hospitality and casinos, we are able present our findings, analysis, and recommendations within your business context Redspin, Inc. Page 6