Real World Healthcare Security Exposures
Brian Selfridge, Partner, Meditology Services

Agenda
Introduction
Background and Industry Context
Anatomy of a Pen Test
Top 10 Healthcare Security Exposures
Lessons Learned: Getting the Most from Your Penetration Test
Conclusion
Q&A
INTRODUCTION

Brian Selfridge, Meditology
13+ years experience in healthcare IT security and compliance leadership
Previously CISO of a health system in the northeast and healthcare security consultant at PricewaterhouseCoopers
Published author and presenter, certified CISSP
Leads Meditology's IT Risk Management practice, including Ethical Hacking and Penetration Testing services
Meditology is dedicated to delivering expertise and leadership in information privacy and security, compliance, and audit, specifically for healthcare
BACKGROUND AND INDUSTRY CONTEXT

Healthcare is a Soft Target
o Medical identity theft affected an estimated 1.5 million people in the U.S. at a cost of $41.3 billion last year
o Healthcare organizations are a newly favored target among cybercriminals
o Information contained in medical records has much broader utility: it can be used to commit multiple types of fraud or identity theft, and it does not change even if compromised
o Medical fraud takes more than twice as long to identify as regular identity theft
o $50 for stolen medical information vs. $1 for a stolen SSN
Key point: the value of personal data to a cybercriminal is much higher than a credit card or bank account number.
Sources: Fourth Annual Benchmark Study on Patient Privacy and Data Security, Ponemon Institute, March 2014; RSA White Paper: Cybercrime and the Healthcare Industry, 2014

Hacking on the Rise
o Hacking incidents were the dominant healthcare breach source for 2015 [1]
o Notable breaches [2]: Anthem, 80 million records; Premera Blue Cross, 11 million records; UCLA Health System, 4.5 million records
1. Bitglass Healthcare Breach Report 2016; "Hacking Accounts for 98% of Healthcare Data Breaches in 2015", Healthcare IT Security.com, Sara Heath, January 2016
2. "Top Healthcare Breaches Reported in 2014-2015", Health Data Management, 10/30/20145
Why Should We Hack Our Own Systems?
Simulate the activities of a hacker or malicious insider to expose weaknesses
Test real-life scenarios to validate assumptions and prevent incidents
Identify the current security posture
Uncover technical exposures requiring remediation
Validate the effectiveness of critical security controls
Quite simply: find the security holes before the bad guys do

Compliance Requirements
3. NIST Special Publications (800 Series). (2008). An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule.
4. PCI Security Standards Council. (2015). Payment Card Industry (PCI) Data Security Standard, Version 3.1.
ANATOMY OF A PEN TEST

Penetration Testing Methodology

Anatomy of a Pen Test: Internal & External Assessment
Starting point: No Access
1. Scanned the company network for vulnerabilities
   Control areas: Access Control; Configuration Management
2. Identified an internet-facing system with a default/guessable password
   Control areas: Configuration Management; Account Management; Access Control; Training & Awareness
3. Created local administrator accounts, logged into the server, ran hacking tools, and obtained administrators' password hashes
   Control areas: Endpoint Security; Malware Protection; Password Management; Access Control
4. Remotely acquired password hashes for all Active Directory users; cracked them and obtained 80% of passwords
5. Used domain admin to access databases, servers, file shares, and other sensitive systems (found documents containing over 4.2 million patient records, including SSN, DOB, diagnosis, doses, physicians, payer information, cancer treatment, bank accounts, lab results, date of service, and more)
6. Obtained login passwords for domain administrators
Social Engineering
7. Called the help desk and impersonated a physician; the help desk analyst reset the password without verifying the user's identity
   Control areas: Access Control; Password Management; Training & Awareness
8. Accessed the EHR from the public internet and gained full access to the EHR with physician-level access
   Control areas: Access Control; Remote Access
9. Accessed Human Resources and Finance systems, including documents and files containing benefit, health plan, salary, physicians' SSNs, direct deposit, DOB, credit card, and bank account numbers
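Step 3 of the walk-through (a new local account on a server that is immediately made an administrator) leaves a recognizable trace in the Windows Security log: account creation (event 4720) followed by addition to the local Administrators group (event 4732). The detection below is an added example, not material from the presentation; the log lines are constructed, and their simplified JSON layout is an assumption rather than any vendor's export format.

```python
"""Flag accounts created and added to local Administrators on the same host
within a short window (Windows Security events 4720 then 4732)."""
import json
from datetime import datetime, timedelta

# Constructed sample events (not from the original presentation). The JSON
# field names are an assumed simplified view of Security log records.
SAMPLE_LOG = r"""
{"time": "2016-01-12T02:14:03", "host": "WEB01", "event_id": 4720, "subject": "WEB01\\svc_backup", "target": "WEB01\\helpdsk2"}
{"time": "2016-01-12T02:14:41", "host": "WEB01", "event_id": 4732, "subject": "WEB01\\svc_backup", "target": "WEB01\\helpdsk2", "group": "Administrators"}
{"time": "2016-01-12T09:30:00", "host": "FS02", "event_id": 4720, "subject": "CORP\\it.admin", "target": "FS02\\scanner"}
{"time": "2016-01-12T09:31:10", "host": "FS02", "event_id": 4732, "subject": "CORP\\it.admin", "target": "FS02\\scanner", "group": "Remote Desktop Users"}
{"time": "2016-01-13T11:00:00", "host": "DB01", "event_id": 4732, "subject": "CORP\\it.admin", "target": "DB01\\dba_tmp", "group": "Administrators"}
"""


def parse_events(text):
    """Parse one JSON record per line and convert timestamps to datetimes."""
    events = [json.loads(line) for line in text.strip().splitlines() if line.strip()]
    for ev in events:
        ev["time"] = datetime.fromisoformat(ev["time"])
    return events


def find_new_local_admins(events, window_minutes=60):
    """Return (host, account, creator) for every account whose 4720 creation
    is followed within the window by a 4732 addition to Administrators."""
    created = {}   # (host, account) -> creation event
    hits = []
    for ev in sorted(events, key=lambda e: e["time"]):
        key = (ev["host"], ev["target"])
        if ev["event_id"] == 4720:
            created[key] = ev
        elif ev["event_id"] == 4732 and ev.get("group") == "Administrators":
            creation = created.get(key)
            if creation and ev["time"] - creation["time"] <= timedelta(minutes=window_minutes):
                hits.append((ev["host"], ev["target"], ev["subject"]))
    return hits


if __name__ == "__main__":
    for host, account, creator in find_new_local_admins(parse_events(SAMPLE_LOG)):
        print(f"ALERT: {creator} created {account} on {host} and made it a local administrator")
```

Only the WEB01 pair fires: the FS02 account joins a non-admin group, and the DB01 4732 has no matching creation event in the sample.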
Phishing Campaigns
Phishing attempts to trick users into divulging sensitive information, including login credentials
Can target all employees or specific individuals (spear phishing)

Social Engineering
Does the help desk validate a caller's identity?
For a terminated employee, is it possible to re-establish network access through deceptive means?
Are employees aware of password policies that prohibit the sharing of passwords?
Do employees know who to contact if they experience a security incident or witness suspicious behavior?

Medical Device Security
Often the weakest link in the security chain
Default passwords, missing patches, remote access, and other weaknesses make them a prime target for entry
Increasingly connected to the network and Internet
Devices have a direct impact on patient safety
Pen testing includes a combination of vulnerability scanning and cautious exploitation of weaknesses

Other Attack Vectors and Tests
Account and password testing
Wireless assessments
Physical security
Web application assessments
TOP 10 HEALTHCARE SECURITY EXPOSURES

Top 10 Hacking Exposure Areas
Risky Practices
Storing large volumes of medical data on dozens of systems and applications with varying security controls
Supporting legacy systems that are not configured with routine security updates
Ineffective vetting of medical devices and third-party vendor security
Relying on one or two layers of security (e.g., passwords) to protect sensitive data
Under-funding security budgets that must address both regulatory and risk-based security remediation and controls
Conducting organizational risk assessments without validating technical security exposures

LESSONS LEARNED: GETTING THE MOST FROM YOUR PEN TEST

How Often Should You Test?
If a penetration test has never been conducted, test as soon as possible
After conducting the initial penetration test, retest annually and after any major infrastructure change
If a penetration test identifies critical vulnerabilities, retest after remediation is complete
If an organization conducts a risk assessment (e.g., HIPAA, PCI), conduct a penetration test at the same time
To address specific security concerns, schedule targeted penetration tests either quarterly or semiannually

What to Look for in a Vendor
Is the vendor only conducting vulnerability scanning?
o A penetration test consists of more than just identifying vulnerabilities
o A thorough test also involves exploiting the vulnerabilities and manually testing for security holes that an automated tool might not be able to discover
Does the vendor know how to minimize the potential for impacting patient safety and critical systems?
Does the vendor's technical team know how to communicate the results to non-technical stakeholders?
Does the vendor understand healthcare and provide clear, prescriptive, and tailored recommendations?
CONCLUSION

Summary
Healthcare organizations are increasingly becoming a target for hackers and cybercriminals
The value of patient data has made healthcare organizations a rich target
Conducting regular penetration testing can assist your organization in identifying weaknesses and taking the necessary actions to prevent a data breach event

Wolters Kluwer Health Compliance Solutions
Effectively manage risk with Information Security Assessment Manager (ISAM)
ISAM is the practical, affordable, and complete solution for managing privacy and information security compliance and risk across the enterprise

Thank You
Brian Selfridge, Partner, IT Risk Management
brian.selfridge@meditologyservices.com
Download the white paper: http://www.meditologyservices.com/whitepapers/meditology-hacking-healthcare/