HIPAA Security Rule & Live Hack Tod Ferran, CISSP, QSA
Intro Tod Ferran, CISSP, QSA 25 years working with IT and physical security 2 years PCI and HIPAA security consulting, performing entity compliance audits SecurityMetrics Assisted over 1 million businesses with data security and compliance since 2000 Headquartered in Orem, Utah Stevie Award winner for customer support HIPAA and PCI security assessor
Live Hack Demo
Sir, did you know that you could save time by doing this online?
Understand Your Motivation Desire to be compliant Avoid fines Desire to be secure Reduce risk of breach Reduce possibility of bad publicity Reduce loss of public trust
Privacy vs. Security Healthcare entities haven't separated Security/Privacy regulation, and often leave many Security Rule regulations unfulfilled Privacy Rule compliance doesn't extend to Security Rule compliance To be truly HIPAA compliant, must comply with both aspects.
Policy vs. Implementation Common to conglomerate HIPAA policies and implementation Healthcare religiously generates Privacy Rule policies, but few implement principles A policy doesn't cover business from compromise, but through implementation, you stand a fair chance against data thieves
The Unfortunate Reality IT specialists typically: Don't fulfill HIPAA requirements for a business Won't pay for a compromise Don't suffer brand damage if a business is compromised Risk and liability rest entirely upon the CE
How Is The CIA Involved? Confidentiality Integrity Availability
HIPAA Reported Breaches Jan 1, 2013 to Oct 1, 2013 [Chart: number of reported breaches (0 to 35) by medium: Laptop, Paper, Desktop, Server, Other, E-mail, Electronic Medical Record; each broken down by breach type: Hacking/IT Incident, Improper Disposal, Loss, Other, Theft, Unauthorized Access, Unknown]
[Two charts: breach types Relative by # of Incidents and Relative by # of Records; categories: Hacking/IT Incident, Improper Disposal, Loss, Other, Theft, Unauthorized Access, Unknown]
Two Types of Organizations Those that have been hacked Those that don't know they've been hacked
We Don't Know We've Been Breached Lack of Current anti-malware Intrusion detection systems Data loss prevention systems File integrity monitoring systems Centralized logging and alerting Security specific training for IT staff
Value of Data Credit card = $1 to $3.50 Fullz = $500 Name/address, email account/password, etc. +$20 Health insurance account/password +$20 Dental/Vision/Chiropractic Kitz = $1,200 - $1,500 Counterfeit physical docs Driver's license, credit cards, insurance cards
Attack Types Defacements Most frequent Stealing server bandwidth Porn websites, launching attacks Corporate espionage DNS poisoning (redirection) Denial of service Spyware Phishing Malware Theft, loss & misuse of data Costly Loss of trust
Defacement What was previously a normal website was changed overnight into a hacker ad.
Hacking Brag-Site www.zone-h.org
Hacking Tools Consumer market products easily obtained by anyone! Most have legitimate business applications
Vulnerabilities Based on Root Origins
Origins (table columns): Software Vulnerability Exploitation; Software Misconfiguration; Social Engineering; Accidental or Inappropriate Disposal; Device Takeover; Lost Items; Theft; Inappropriate Business Procedure
Potential Vulnerabilities (table rows), with the number of origins marked X for each row; the column positions of the marks did not survive extraction:
Staff (2)
Business Associates (2)
Workstations (6)
Electronic Data (Storage and processing) (5)
Office Equipment (Printer, Fax, Copier, Call Recordings) (5)
Networked Devices (other than workstations) (6)
Internet Use (4)
Medical Devices (Not Networked) (3)
Mobile Electronic Devices (7)
Multiple Locations (1)
Remote Access (3)
Web Site (3)
Wireless Networks (4)
Paper Data (4)
Third party inadequate security
Today's Hack Target Firewall Web server Hacker Attacking through a firewall to the web server. We only use the private network today to avoid the possibility of putting a vulnerable server on the public Internet.
For demonstration purposes, we performed a scan on our target computer. This is the summary page indicating a failed PCI compliance status, and providing a chart of
For our demonstration today, if we've selected this vulnerability that allows anyone to execute commands on the target computer, we need to further research the specific bug. To do this, we'll take the CVE-2000-0884 identifier or the BugTraq ID (BID) number of 1806 and search the web for more information.
A popular site for security information is SecurityFocus. Here we see our bug is listed and that many devices were known to be vulnerable.
By selecting the Exploit tab in this site, we were able to find the specific instructions on how to use or test this exploit on our web site.
Slide 25, note 1: Tod Ferran, 10/2/2013
HIPAA Security
45 CFR 164.530(c)(1) Standard: safeguards. A covered entity must have in place appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information.
Attorneys and CPAs Neurosurgeon performing a CABG
Security Specialist Role
HIPAA Requirement #1 Complete a Risk Analysis Create a Risk Management Plan Use a Prioritized Approach to implement the Risk Management Plan Update BAAs Update NPPs
Prioritized Approach Assign a Chief Security Officer Empower with executive level backing and resources Dust off the P&P Update the P&P throughout the process, Provide training to staff as new procedures are implemented Password and user account policies Physical firewalls Anti-malware
Prioritized Approach (cont.) Remote Access VPN 2 Factor authentication Wireless networking Change all defaults WPA2 Unauthorized Internet browsing Whitelist ACL based workstation access Deny access to/from servers
Prioritized Approach (cont.) Insecure email Restrict access to personal accounts Theft Social engineering Stay current Train and remind Periodic evaluations VA scanning and penetration tests Internal and external consultants
Prioritized Approach (cont.) Accountability Centralized logging with active alerts Disposal Evaluate all possible areas of data leakage (copiers) Recycle? Media Repurpose Secure wipe Emergency access
Prioritized Approach (cont.) Authorization / Supervision Org chart Role-based authentication system Add/change/terminate user accounts Security awareness training Role-based Frequent Reminders
Prioritized Approach (cont.) Password Management Minimum length Complexity Re-use Lockout and duration No sharing!! Encryption and decryption All ePHI at rest Mobile devices
Prioritized Approach (cont.) Integrity Tighten FW rules Enable software FWs Encrypted communications Physical access controls Authentication of ePHI FIM IDS/IPS DLP
Prioritized Approach (cont.) Workstation use Restrict physical and logical access Restrict application access Workforce clearance Automatic idle disconnect Physician office vs. exam room Contingency, disaster, backup, emergency plans Test, test, test!
Prioritized Approach (cont.) Review the application and data criticality analysis Sanction policy Facility security Disable USB & CD drives Mitigate risk of damage from flood, fire and electrical interference Maintenance procedures and records
Prioritized Approach (cont.) Response and reporting Tracking Reporting Remediation Training Post-incident analysis Update P&P and training
Wrap-up Privacy rule and security rule are completely separate Use security specialists (internal or external) Validate credentials (CISSP, SSCP or CAP) Complete risk analysis Use internal & external sources Create a risk mitigation plan Begin implementing risk mitigation plan
QUESTIONS? tod@securitymetrics.com www.securitymetrics.com/hipaa