BEFORE THE BREACH: Why Penetration Testing is Critical to Healthcare IT Security

August 2014, www.redspin.com

Introduction

This paper discusses the relevance and usefulness of security penetration testing within the healthcare industry. It covers the purpose, scope, and benefits of penetration testing for healthcare organizations.

Risks Are Inherent in a Dynamic IT Landscape

Gone are the days when the IT infrastructure of healthcare organizations consisted of a couple of isolated workstations or a mainframe used only by a handful of computer specialists. Today, healthcare delivery requires providers to store, handle, transmit, and access larger volumes of data than ever, using a variety of IT components. As a consequence, the information technology landscape of healthcare organizations has become a dynamic one: expanding, transforming, and interconnecting with third parties and open external networks. Sensitive data can now be accessed from a variety of endpoints by a multitude of users, including many who are not even employees of the provider organization. Thus, it should not be a surprise that this complex situation increases the risk of data breach and data corruption.

The Ponemon Institute 2014 Benchmark Study on Patient Privacy & Data Security reports that:[1]

- The primary security concerns of healthcare organizations are insecure exchange of patient information between healthcare providers and third parties, patient data on insecure databases, and patient registration on insecure websites.
- 90% of healthcare organizations in this study had at least one data breach in the past two years. 38% reported more than five incidents.
- In particular, the risk of external criminal attacks is highlighted as a major challenge for the healthcare industry. Such attacks have increased over 100% since 2010.

For the most part, those data breaches did not even require the use of sophisticated programming skills. Instead, offenders simply exploited well-known vulnerabilities and process weaknesses.

Healthcare organizations continue to struggle to comply with increasingly complex federal and state privacy and security regulations. In the article "Health Care Companies Have Worse Cybersecurity Than Retailers", Dune Lawrence, a reporter for Bloomberg News in New York, puts the spotlight on the healthcare industry by stating that healthcare information security is behind that of other regulated industries.[2] In fact, a recent analysis found that healthcare and pharmaceutical companies performed worse in security analysis than financial institutions, utilities, and even retailers. Many healthcare organizations are neglecting to put in place even basic protective measures.

The Ponemon report stresses that the growth in criminal attacks against healthcare organizations calls for assessments of areas vulnerable to attack and investments in technologies that protect organizations from malicious outsiders. Implementing these measures is a huge challenge but critical to the future of the healthcare industry. It requires a well-structured and optimized risk management strategy, in which penetration testing holds an essential function. The definition of practical remediation plans takes into account the specificity of the industry, the applicable regulations, and the limited resources and budget assigned to the IT security and compliance effort.

[1] http://www.ponemon.org/blog/fourth-annual-benchmark-study-on-patient-privacy-and-data-security
[2] http://www.businessweek.com/articles/2014-05-28/health-care-companies-have-worse-cybersecurity-than-retailers

2014 Redspin, Inc. www.redspin.com Page 2

Security Penetration Testing

Security penetration testing, also referred to as a pen test, is a network security assessment in which ethical hacking is performed. It supports the risk management strategy of the organization by:

1. Determining and validating the genuineness and severity of weaknesses, thereby rationalizing investments.
2. Confirming that the protection mechanisms are operating as expected and according to specific standards. In other words, determining whether the security controls that are supposed to detect and block security issues and alert the appropriate parties actually work.

Why IT Penetration Testing is Important for the Healthcare Industry

There are many compelling reasons to perform regular penetration testing:

- Penetration tests allow healthcare organizations to assess all three pillars of their IT security posture (people, processes, and technology) by providing a more thorough evaluation of their risks and other information that is useful to IT professionals and decision makers.
- In a dynamic IT landscape, constant monitoring for failure and adaptation to new threats is required. The IT infrastructure is made of heterogeneous system components, each a potential source of weakness and each requiring specialized knowledge, skills, and solutions to implement improvements.
- Implemented defences (as with any IT component) are made and configured by human beings and are therefore subject to errors and carelessness in their conception, installation, configuration, maintenance, and usage.
- Using the analogy of a prescription medication, any change within the IT environment could induce negative side effects. For instance, the installation of a patch could impact the configuration of the system on which it is applied, creating a new avenue for malicious activities.
- Often healthcare organizations have underinvested in their IT infrastructure and have not given the right priority or attention to its defence mechanisms. This can lead to obsolescence or degradation, to the great satisfaction of malicious individuals.
- The IT infrastructure is under constant attack, motivated by the possibility of gaining access to patient medical and financial data, disrupting service, or, frankly, just for fun. A recent report revealed that 94% of hospitals and other healthcare organizations have been targeted by hackers.[3]
- Business continuity is a primary security concern for many organizations. Vulnerabilities can often be exploited to produce a denial of service condition, which usually crashes the vulnerable service and compromises the availability of the server.
- Organizations may have sufficient policies and procedures in place, but until they actually have to deal with an intruder inside their network, they cannot be certain how to proceed in the event of a real attack. Much like a fire drill, a penetration test allows them to develop a working strategy to respond to any unusual activity.

For the above reasons, the healthcare industry should carefully monitor the effectiveness of its defence mechanisms by conducting regular penetration tests to assess the three pillars of its information security. This will mitigate the risks of medical and financial data theft or service disruption.

[3] http://www.jrn.com/kgun9/news/hospitals-open-to-hackers-94-of-hospitals-targeted--269477451.html
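The second purpose listed above, confirming that the controls which are supposed to detect, block and alert actually work, is something a pen test checks by generating activity and watching whether an alert fires. The following Python script is an added example, not part of the Redspin paper: it runs a simple port-sweep rule over a few constructed firewall log lines (fictional addresses, constructed log format) of the kind a defender would expect to light up during the external phase of a test. The threshold, window length and field names are assumptions for the example.

```python
"""Port-sweep detection over constructed firewall log lines.

Added example, not taken from the Redspin paper: a penetration test is
meant to confirm that the controls which are supposed to detect, block
and alert actually do so. This is the kind of detection rule a defender
would check fires during the exercise: one source touching many distinct
destination ports on one host inside a short time window. The log format,
addresses, window and threshold below are constructed for the example.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample firewall log (timestamp, action, key=value fields).
SAMPLE_LOG = """\
2014-08-05T10:00:01 DENY src=203.0.113.7 dst=10.0.5.20 dport=21 proto=tcp
2014-08-05T10:00:02 DENY src=203.0.113.7 dst=10.0.5.20 dport=22 proto=tcp
2014-08-05T10:00:03 ALLOW src=198.51.100.4 dst=10.0.5.20 dport=443 proto=tcp
2014-08-05T10:00:03 DENY src=203.0.113.7 dst=10.0.5.20 dport=23 proto=tcp
2014-08-05T10:00:04 DENY src=203.0.113.7 dst=10.0.5.20 dport=25 proto=tcp
2014-08-05T10:00:05 DENY src=203.0.113.7 dst=10.0.5.20 dport=80 proto=tcp
2014-08-05T10:00:06 DENY src=203.0.113.7 dst=10.0.5.20 dport=110 proto=tcp
2014-08-05T10:00:07 DENY src=203.0.113.7 dst=10.0.5.20 dport=135 proto=tcp
2014-08-05T10:00:08 DENY src=203.0.113.7 dst=10.0.5.20 dport=139 proto=tcp
2014-08-05T10:00:09 ALLOW src=198.51.100.4 dst=10.0.5.20 dport=443 proto=tcp
2014-08-05T10:00:09 DENY src=203.0.113.7 dst=10.0.5.20 dport=443 proto=tcp
2014-08-05T10:00:10 DENY src=203.0.113.7 dst=10.0.5.20 dport=445 proto=tcp
2014-08-05T10:02:00 DENY src=203.0.113.9 dst=10.0.5.21 dport=22 proto=tcp
2014-08-05T10:04:00 DENY src=203.0.113.9 dst=10.0.5.21 dport=23 proto=tcp
2014-08-05T10:06:00 DENY src=203.0.113.9 dst=10.0.5.21 dport=80 proto=tcp
"""


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not fit."""
    parts = line.split()
    if len(parts) < 3:
        return None
    try:
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%S")
        fields = dict(p.split("=", 1) for p in parts[2:] if "=" in p)
        return {
            "ts": ts,
            "action": parts[1],
            "src": fields["src"],
            "dst": fields["dst"],
            "dport": int(fields["dport"]),
        }
    except (ValueError, KeyError):
        return None


def detect_port_sweeps(log_text, window_seconds=60, min_ports=8):
    """Return one alert per (src, dst) pair that touches at least min_ports
    distinct destination ports inside any sliding window of window_seconds.

    Both ALLOW and DENY events count: a sweep the firewall blocks is still
    reconnaissance that monitoring should surface.
    """
    by_pair = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is not None:
            by_pair[(ev["src"], ev["dst"])].append(ev)

    window = timedelta(seconds=window_seconds)
    alerts = []
    for (src, dst), evs in by_pair.items():
        evs.sort(key=lambda e: e["ts"])
        in_window = Counter()  # dport -> number of events inside the window
        left = 0
        alert = None
        for ev in evs:
            in_window[ev["dport"]] += 1
            # Slide the left edge forward until the window fits.
            while ev["ts"] - evs[left]["ts"] > window:
                old = evs[left]["dport"]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            if alert is not None:
                # Already alerting on this pair: keep extending the record.
                alert["ports"].add(ev["dport"])
                alert["last_seen"] = ev["ts"]
            elif len(in_window) >= min_ports:
                alert = {
                    "src": src,
                    "dst": dst,
                    "ports": set(in_window),
                    "first_seen": evs[left]["ts"],
                    "last_seen": ev["ts"],
                }
                alerts.append(alert)
    for alert in alerts:
        alert["ports"] = sorted(alert["ports"])
        alert["distinct_ports"] = len(alert["ports"])
    return alerts


if __name__ == "__main__":
    for a in detect_port_sweeps(SAMPLE_LOG):
        print(f"ALERT sweep {a['src']} -> {a['dst']}: {a['distinct_ports']} ports "
              f"between {a['first_seen']:%H:%M:%S} and {a['last_seen']:%H:%M:%S}")
```

Run as a script it prints one alert for the fast sweep and none for the slow three-port probe or the ordinary HTTPS client. If the test team's reconnaissance produces no such alert in the real monitoring stack, that is a finding about the detection control, not about the firewall.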

Penetration Testing for Regulatory Compliance

Penetration testing helps healthcare organizations comply with the challenging requirements of HIPAA and the Payment Card Industry Data Security Standard (PCI DSS). PCI DSS V3, which is applicable to any organization storing, processing, or transmitting credit card data (including the healthcare industry), requires at least one annual penetration test as well as a follow-up test after any significant infrastructure modification.

HIPAA regulations determine the way that the healthcare industry must implement, monitor, and audit its safeguards on protected health information (PHI) on its computer networks. To learn more about specific HIPAA requirements, please refer to the Redspin white paper "The Facts about HIPAA, HITECH, and the Omnibus Rule: What You Need to Know".[4] While penetration testing is not specified by HIPAA, it should be considered a permanent part of any ongoing information security program. Pen tests are an efficient way to provide covered entities and business associates with demonstrated compliance with the requirement for a continuous program of assessment and improvement under the specific Security Rule sections below:

- Security Management Process (§164.308(a)(1))
- Security Incident Procedures (§164.308(a)(6))
- Evaluation (§164.308(a)(8))
- Audit Controls (§164.312(b))
- Policies and Procedures (§164.316(a))
- Access Control (§164.312(a)(1))

Penetration Testing Versus Vulnerability Scanning

Scanning is a term shared between the IT security and healthcare industries that provides a useful analogy. In both cases, scanners are used to identify potential anomalies or deviations from a defined normality. In healthcare delivery, scanners assess the human body. Security scanners assess the IT infrastructure and its endpoints. In short, they help answer the question: IS THERE SOMETHING WRONG?

The presence of defective cells may indicate abnormalities in the human body, while the presence of misconfigurations may indicate vulnerabilities in IT components. However, the sole use of scanners in either industry is not sufficient to determine whether these anomalies are dangerous to the entity in question. Thus, penetration testing is used to answer the next question: SO WHAT? It helps clarify the level of danger of an anomaly or the level of exploitability of an IT weakness. If scanners help detect potential issues, penetration tests help validate the reality of these findings by assessing the risks for the entity and the priorities for remediation. It may be described as simply as:

Scanner: Abnormalities detected!
Pen test: Are they real? Should we worry about them? How should we act, and when?

In addition, there is no proven correlation between a clean vulnerability scanning report (absence of detected issues) and the effectiveness of the defences. In other words, one cannot conclude that one's defence mechanisms are adequate simply because a scanner reports no issues. Inappropriate firewall rules, wrongly configured access controls, weak passwords, and naïve users may never show up on an automated vulnerability report. But the reality is that attackers are clever and determined. They will not hesitate to take advantage of any glitch within the defence mechanisms.

[4] http://www.redspin.com/resources/whitepapers-datasheets/request_hipaa_hitech_act.php
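To make the division of labour between scanner and pen test concrete, here is an added Python example (not from the paper) that joins a constructed scanner export with constructed pen-test verdicts and orders the findings for remediation: confirmed-exploitable findings on PHI-handling, Internet-facing systems rise to the top, findings the tester could not exploit drop down the list, false positives are closed, and anything not yet examined is queued for the next test. The field names, verdict labels and weighting factors are assumptions for the example, not any scanner's real schema.

```python
"""Triage of vulnerability-scanner findings with penetration-test verdicts.

Added example, not from the Redspin paper. The paper's point is that a
scanner answers "is there something wrong?" while the pen test answers
"so what?". This script joins a constructed scanner export with constructed
pen-test verdicts and produces a remediation order. Field names, verdict
labels and weighting factors are assumptions for the example.
"""

# Constructed scanner export (asset names and findings are fictional).
SCAN_FINDINGS = [
    {"id": "F1", "asset": "ehr-db-01", "title": "Unsupported database version",
     "cvss": 9.8, "internet_facing": False, "handles_phi": True},
    {"id": "F2", "asset": "www-portal", "title": "Weak TLS cipher suite offered",
     "cvss": 5.3, "internet_facing": True, "handles_phi": True},
    {"id": "F3", "asset": "print-srv", "title": "SNMP default community string",
     "cvss": 7.5, "internet_facing": False, "handles_phi": False},
    {"id": "F4", "asset": "www-portal", "title": "Vulnerable web server version banner",
     "cvss": 8.1, "internet_facing": True, "handles_phi": True},
]

# Constructed pen-test verdicts keyed by finding id. F3 was not examined.
PENTEST_VERDICTS = {
    "F1": "exploitable",        # tester demonstrated access to the database
    "F2": "not_exploitable",    # weak cipher is offered but never negotiated
    "F4": "false_positive",     # vendor backport; the version banner misleads
}

# Weighting factors (assumptions): data sensitivity and Internet exposure
# raise priority, a confirmed exploit raises it further, an unexploitable
# finding lowers it, a false positive is closed with priority zero.
PHI_FACTOR = 1.5
INTERNET_FACTOR = 1.25
VERDICT_FACTOR = {"exploitable": 1.5, "not_exploitable": 0.5, "unvalidated": 1.0}
ACTION = {
    "exploitable": "remediate now",
    "not_exploitable": "schedule in normal patch cycle",
    "unvalidated": "validate in next pen test",
    "false_positive": "close as false positive",
}


def triage(findings, verdicts):
    """Return findings ordered by remediation priority (highest first).

    Each row keeps the scanner's facts, the tester's verdict, the computed
    priority and the action the report should recommend.
    """
    rows = []
    for f in findings:
        verdict = verdicts.get(f["id"], "unvalidated")
        if verdict == "false_positive":
            priority = 0.0
        else:
            priority = f["cvss"]
            if f["handles_phi"]:
                priority *= PHI_FACTOR
            if f["internet_facing"]:
                priority *= INTERNET_FACTOR
            priority *= VERDICT_FACTOR[verdict]
        rows.append({
            "id": f["id"],
            "asset": f["asset"],
            "title": f["title"],
            "verdict": verdict,
            "priority": round(priority, 2),
            "action": ACTION[verdict],
        })
    return sorted(rows, key=lambda r: r["priority"], reverse=True)


if __name__ == "__main__":
    for r in triage(SCAN_FINDINGS, PENTEST_VERDICTS):
        print(f"{r['priority']:6.2f}  {r['id']}  {r['asset']:12}  "
              f"{r['verdict']:16}  {r['action']}")
```

Note the ordering that results: the high-CVSS banner finding F4 ends up last because the tester showed it was a false positive, while the unexamined printer finding F3 ranks above the exploitable-looking but unexploitable TLS finding F2. That is the "so what?" the paper describes, expressed as a repeatable rule rather than a judgement made anew for every report.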

Penetration Testing, a Valuable Tool in the Security Arsenal

Some benefits of regular penetration testing for the healthcare industry are:

- Meeting compliance requirements (HIPAA, PCI DSS)
- Validating the reality of identified vulnerabilities
- Identifying weaknesses that may be difficult or impossible to detect with a scanner
- Determining the feasibility of a particular set of attack vectors
- Testing the ability of the defence mechanisms (people, processes, and technology) to successfully detect and respond to attacks
- Assessing the magnitude of potential business and operational impacts of successful attacks
- Focusing resources and budget on real issues to secure the medical and financial data
- Supporting a thorough risk management process, already under scrutiny by the director of the Department of Health and Human Services' Office for Civil Rights[5]
- Avoiding security incidents that threaten the organization's corporate image, put its reputation at risk, and impact customer loyalty

Setting the Scope of Penetration Testing

The scope of penetration testing for the healthcare industry should encompass all systems that store, process, or transmit PHI and cardholder data, including any connected system components. This includes databases that store cardholder and/or patient data, servers and applications that process that data, networking components that transit the information, security components that protect identities, and assets that help manage the system.

A Chain is Only as Strong as its Weakest Link

To be thorough, healthcare entities should also consider the human aspect of the equation by testing end users' ability to follow documented policies and procedures while avoiding common traps set by malicious attackers.

External and Internal Security Assessments

Penetration testing can be carried out from two perspectives: that of an outsider who tries to attack the entity over the Internet, or that of a malicious insider. These two approaches are called external and internal security assessments. Most organizations start with testing their ability to detect, block, and alert in the event of attacks from the Internet. However, an internal penetration test is equally valuable for an entity looking to diminish the risk of rogue employees gaining unauthorized access to cardholder or medical data, or creating a denial of service on the IT systems supporting the medical and administrative activities.

[5] http://www.govinfosecurity.com/hipaa-audits-more-to-come-in-2014-a-6090
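As an added example (not from the paper), the following Python script applies the scoping rule above to a constructed asset inventory: it seeds the scope with every system that handles PHI or cardholder data (labelled PAN), walks the network connectivity to bring in directly connected components such as the domain controller and the edge firewall, and then splits the result into the asset lists for the external and internal assessments. Asset names, data labels, links and the one-hop default are assumptions for the example.

```python
"""Deriving a penetration-test scope from an asset inventory.

Added example, not from the Redspin paper. It applies the paper's scoping
rule ("all systems that store, process, or transmit PHI and cardholder
data, including any connected system components") to a constructed
inventory: seed with the data-handling assets, walk the connectivity graph
to pull in connected components, then label each in-scope asset for the
external (Internet-facing) or internal assessment. Asset names, data
labels and links are constructed; PAN stands for cardholder data.
"""
from collections import defaultdict, deque

# Constructed inventory: which regulated data each system handles and
# whether it is reachable from the Internet.
ASSETS = {
    "patient-portal": {"data": {"PHI"},        "internet_facing": True},
    "ehr-app-01":     {"data": {"PHI"},        "internet_facing": False},
    "ehr-db-01":      {"data": {"PHI"},        "internet_facing": False},
    "billing-app":    {"data": {"PHI", "PAN"}, "internet_facing": False},
    "payment-gw":     {"data": {"PAN"},        "internet_facing": True},
    "ad-dc-01":       {"data": set(),          "internet_facing": False},  # identity
    "fw-edge":        {"data": set(),          "internet_facing": True},
    "jump-host":      {"data": set(),          "internet_facing": False},
    "hvac-ctl":       {"data": set(),          "internet_facing": False},
    "guest-wifi-ap":  {"data": set(),          "internet_facing": True},
}

# Constructed, undirected connectivity between systems.
LINKS = [
    ("fw-edge", "patient-portal"),
    ("fw-edge", "payment-gw"),
    ("patient-portal", "ehr-app-01"),
    ("ehr-app-01", "ehr-db-01"),
    ("ehr-app-01", "ad-dc-01"),
    ("billing-app", "ehr-db-01"),
    ("billing-app", "payment-gw"),
    ("jump-host", "ad-dc-01"),
    ("hvac-ctl", "guest-wifi-ap"),  # no path to any data-handling system
]


def derive_scope(assets, links, max_hops=1):
    """Seed the scope with every asset that handles PHI or PAN, then add
    components within max_hops network links of a seed. Breadth-first, so
    each asset records the shortest distance to a seed and why it is in."""
    adjacency = defaultdict(set)
    for a, b in links:
        adjacency[a].add(b)
        adjacency[b].add(a)

    scope = {}
    queue = deque()
    for name, meta in assets.items():
        if meta["data"]:
            scope[name] = {"hops": 0,
                           "reason": "handles " + ",".join(sorted(meta["data"]))}
            queue.append(name)

    while queue:
        current = queue.popleft()
        if scope[current]["hops"] >= max_hops:
            continue
        for neighbour in sorted(adjacency[current]):
            if neighbour in scope or neighbour not in assets:
                continue
            scope[neighbour] = {"hops": scope[current]["hops"] + 1,
                                "reason": f"connected to {current}"}
            queue.append(neighbour)

    for name, entry in scope.items():
        entry["perspective"] = "external" if assets[name]["internet_facing"] else "internal"
    return scope


def split_by_perspective(scope):
    """Return (external, internal) sorted asset lists for the two assessments."""
    external = sorted(n for n, e in scope.items() if e["perspective"] == "external")
    internal = sorted(n for n, e in scope.items() if e["perspective"] == "internal")
    return external, internal


if __name__ == "__main__":
    scope = derive_scope(ASSETS, LINKS)
    for name in sorted(scope, key=lambda n: (scope[n]["hops"], n)):
        e = scope[name]
        print(f"{name:15} hops={e['hops']} {e['perspective']:8} {e['reason']}")
    ext, intl = split_by_perspective(scope)
    print("external assessment:", ", ".join(ext))
    print("internal assessment:", ", ".join(intl))
```

With the one-hop default the jump host (two links from the nearest PHI system) and the HVAC controller on the guest network stay out; raising max_hops pulls the jump host in but never the HVAC segment, because it has no path to a data-handling system. The hop limit is a deliberate scoping decision to agree with the testing partner, not a property of the network.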

Take Away

Getting a penetration test is a bit like going to get a biopsy. It is never something we want to do, and we hope the results come back negative, but we do it for the peace of mind. Given the findings highlighted in the Ponemon report and the risks evidenced by the recent breaches at Fortune 1000 companies (such as Target, eBay, and Adobe), healthcare organizations should definitely get pen tested on a regular basis. The challenge for the healthcare industry is to find a cost-effective way to sustain this process with a trusted partner. They need a company that will guide them through this complex process and help them define the objectives, scope, and scenarios of an attack: a company that will not only put a team of experts at their disposal, but also make sensible recommendations from both a technical and a business perspective.

About Redspin

Redspin was founded in 2001 with a singular mission: to help our clients better protect their IT assets and lower their security risks. Since that time, we have conducted more than 2,500 IT security risk assessments for nearly 1,000 clients. Our services protect confidential data and critical infrastructure, harden web applications, maintain compliance, and reduce overall risk. We offer penetration testing, application security assessments, external and internal vulnerability analysis, network security audits, policy and compliance reviews, social engineering services, and mobile device security risk analysis (BYOD or "bring your own device"). Redspin specifically tailors its work for every customer, whether it is a Fortune 500 enterprise or a community hospital, a multinational corporation or a small-to-medium sized bank. We bring a real-world perspective to each engagement, with a methodology shaped by security frameworks but battle-tested by thousands of assessments. Fueled by our deep industry-specific experience in healthcare, banking, financial services, retail, energy, technology, hospitality, and casinos, we are able to present our findings, analysis, and recommendations within your business context.