Healthcare Security Vulnerabilities. Adam Goslin, Chief Operations Officer, High Bit Security




Webinar Overview
- IT Security and Data Loss
- Breach Sources / Additional Information
- Recent Medical Breach / Loss
- Vulnerability Scanning
- Penetration Testing / Sample
- Social Engineering / Sample
- Ways to Improve Healthcare Security

IT Security & Data Loss
- Increase in small-scale breaches
- Lost/stolen devices (phones, laptops, etc.)
- Social networking exposure
- Data encryption is not a security silver bullet
- Data breach notification regulations
- Mobile threats
- Critical infrastructure attacks
Sources: http://www.krollontrack.com/blog/post/krolle28099s-2011-data-security-forecast-top-ten-Trends-for-the-Year-Ahead.aspx and http://blog.trendmicro.com/usenix-leet-2012-observations-on-emerging-threats
- Breach costs currently average $194 per record, covering detection, escalation, notification, resolution and after-the-fact response
Source: http://www.symantec.com/content/en/us/about/media/pdfs/b-ponemon-2011-cost-of-data-breach-us.en-us.pdf (March 2012)

Breach Sources / Information
- Less than 10% of developers and network administrators document security considerations while formulating solutions (http://www.cs.toronto.edu/~gelahi/compsac-secinwild_11.pdf)
- Insider threat: unresolved vulnerabilities exploited by terminated IT employees
- US Government building a hacking monitoring facility
- Foreign hacking rings
- Consumers leave or avoid companies that have suffered a security breach (www.infosecuritymagazine.com)
- In 2011, 86% of data breach cases originated from hacking, and 92% were carried out by an external agent rather than an insider or partner (www.infosecurity-magazine.com)

Recent Medical Breach / Loss (May 2012, www.datalossdb.org)
- 16 different reported breaches
- Breach sources: web breach, hospital breach, physical breach, lost device, Internet exposure, inappropriate employee access
- Total records known: almost 103,500 (4 incidents had not yet reported record counts)
- At $194 per record, the total is over $20 million
- Average per incident: approximately 6,500 records (over $1.2 million)

Security Testing: Vulnerability Scanning
- Relatively inexpensive
- Pre-configured, automated computer scan
- Evaluates the system for known, configured vulnerabilities
- External network layer; cursory website coverage
- Will not evaluate custom code (websites)
- Will not evaluate logical faults in code
- Automated report will contain false positives
- Better than no testing at all, but can provide a false sense of security

Penetration Testing
- More costly than vulnerability scanning
- Expanded coverage: external and internal network/websites; printers, photocopiers, scanners, fax machines; wireless systems; all major development languages (including custom code); virtual (i.e. cloud), physical and hosted environments
- Performed by a certified security engineer: multiple vulnerability scanners; detailed website testing; extensive manual testing; results evaluated by the engineer (think, analyze, track, follow up and judge); false positives eliminated, results validated
- Final report: executive summary; detailed, prioritized findings including specifics on how to address them
- Remediation testing: once findings are addressed, the security company should validate that they were closed properly

Penetration Testing - Sample: Medical Facility Penetration Test
- The facility had support via its Electronic Medical Records (EMR) provider but was unsure about its security
- Performed a full-coverage external and internal penetration testing engagement
- Externally: achieved access to the internal network from the outside
- Internally: took over every server, every workstation and the firewall; gained access to sensitive medical data, including prescriptions, full contact information for patients, SSNs, doctor signatures and the narcotics ID number

Social Engineering
The security company is engaged to leverage a ruse while assessing specific objectives in relation to the target organization. Testing objectives may include:
- Physical security assessment
- Unauthorized access to facilities
- Unauthorized access to systems
- Assessment of security awareness training
Often performed in conjunction with penetration testing and as a post-assessment following an audit.

Social Engineering - Sample
- Target: hospital in the US
- Objectives: physical security assessment, security awareness training of personnel, unauthorized access to technical resources
- Results, physical security: reached the generator, roof access, boiler room, electrical and water supply
- Results, data safety: direct breach of hospital and IT PCs; unescorted access in the administration building

Ways to Improve Healthcare Security
Security covers a broad range of topics, and there is no silver bullet.
- Firewall: patched, locked down, vendor default accounts removed, IPS in place
- Servers & workstations: patching, antivirus, remove all unnecessary software
- Wireless: separate guests from the internal network; use strong encryption; turn off SSID broadcast
- Passwords (servers, workstations and wireless): strong passwords of more than 8 characters with UPPER and lower case, numbers and symbols. Example: #1CP@f1RM!
- Password handling: use a password manager (e.g. KeePass), not a post-it note
- Policies / training: policies maintained; security awareness; social engineering awareness
- Physical / electronic data destruction: shred documents; wipe or destroy electronic storage devices
- Security testing: penetration testing recommended annually, with periodic interim vulnerability scans
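The password rule above (more than 8 characters, upper and lower case, numbers and symbols) is the kind of check an administrator would enforce on server, workstation and wireless accounts. The following is an added example written for this page, not code from the webinar or from High Bit Security. It reads ">8 characters" as a minimum of 9, treats any non-alphanumeric character as a symbol, and goes one step beyond the slide by also rejecting a few constructed, commonly chosen passwords that would otherwise satisfy the complexity rule; the threshold, the symbol definition and the denylist are all assumptions.

```python
from typing import List

# Assumption: ">8 characters" on the slide is read as at least 9 characters.
MIN_LENGTH = 9

# Constructed denylist (not from the slide): passwords that satisfy the
# complexity rule on paper but are too predictable to accept.
COMMON_PASSWORDS = {"password1!", "welcome123!", "qwerty123!", "letmein1!"}


def check_password_policy(password: str) -> List[str]:
    """Return every policy rule the password fails; an empty list means it complies."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        failures.append("no upper-case letter")
    if not any(c.islower() for c in password):
        failures.append("no lower-case letter")
    if not any(c.isdigit() for c in password):
        failures.append("no digit")
    # Assumption: a symbol is any character that is not a letter or digit.
    if not any(not c.isalnum() for c in password):
        failures.append("no symbol")
    # Case-insensitive match so "Password1!" and "PASSWORD1!" are both caught.
    if password.lower() in COMMON_PASSWORDS:
        failures.append("commonly used password")
    return failures


def is_compliant(password: str) -> bool:
    """True when the password passes every rule in check_password_policy."""
    return not check_password_policy(password)


if __name__ == "__main__":
    # Constructed sample inputs, including the example password from the slide.
    for candidate in ["#1CP@f1RM!", "Ab1!", "Abcdefgh1", "Password1!"]:
        problems = check_password_policy(candidate)
        print(candidate, "-> OK" if not problems else "-> " + "; ".join(problems))
```

The checker reports every failed rule at once rather than stopping at the first, which is what a user-facing password prompt needs so the user can fix the password in one attempt. Complexity rules alone do not stop predictable choices such as "Password1!", which is why the denylist check is layered on top.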

Q & A
Adam Goslin, Chief Operations Officer
Cell: 248-388-4328
Email: AGoslin@HighBitSecurity.com