November 26, 2007
Clinical systems are increasingly coming under attack from unsavory characters out to do serious harm, prompting healthcare facilities to arm themselves with imposing defense forces.

Your healthcare facility is under attack, and you may not realize it. Hordes of hackers, bots, worms, and just plain bad people are tirelessly working to compromise computer networks and steal data. While this may sound like hyperbole or outright paranoia, consider a recent report by National Public Radio that estimated the potential annual cost of Medicare fraud, a crime that accounted for approximately $300 million to $400 million in false claims last year in two Florida counties alone, at $70 billion. Identity theft is big business in America, and healthcare offers opportunities that have barely begun to be exploited.

There are a number of ways that computer systems can be compromised. Many attacks involve malware: malicious code that a hacker plants on a system, or that plants itself by exploiting a flaw. “At the Super Bowl this year, the Miami Dolphins’ Web site was hacked,” says Paul Henry, vice president of technology evangelism at Secure Computing Corp. “Someone added additional JavaScript to their home page, and during that very popular time period, anyone who visited the Miami Dolphins Web site had malware installed on their PC. The malware was a root-kit that added the users’ PCs to the army of spam-sending botnets on the Internet.”

Perhaps more surprisingly, and from a healthcare standpoint more disturbing, the exact same type of attack was applied to the Centers for Disease Control and Prevention’s Web site shortly after the Super Bowl. One common type of malware is a worm, self-replicating code that frequently spreads through mass e-mails sent from machines it has already infected.
“Hackers are trying to get people to open up e-mails or click on links in e-mails that will do bad things to their computers such as the Storm worm, which is one in particular that we’ve been tracking,” says Wayne Haber, CISSP, director of development at SecureWorks. “It’s being used for everything from spreading itself to identity theft to pump-and-dump stock scams to just regular old spam.”

Worms aren’t aimed at healthcare specifically, but they replicate indiscriminately, and hospital networks get infected along with everyone else’s.

Key Vulnerability

“There was a situation with a large academic medical center that had a CR [computed radiography] device that was way behind on patches, and because the perimeter security was not as strong as it needed to be, an outsider was able to corrupt that physical device because of the vulnerabilities without those patches,” Koller says. “It was discovered at some point in time that there was a very high volume of traffic going in and out of that CR device. After they did the analysis, they found out that somebody from the outside had corrupted it and turned it into a porn server on the Internet.”

Although this attack obviously wasn’t designed to steal patient data, it underscores a weakness in healthcare security: an unpatched device, reachable from the Internet, whose traffic nobody was watching. If left unaddressed, this weakness may lead to much bigger headaches.

“We’ve seen a change in the security threat profile, not just to healthcare, but healthcare’s a particularly effective target because of the volumes of patient information,” says Bob Withers, CISSP, practice leader for security services at KAI Consulting. “In the last three or four years, organized crime has gotten involved in identity theft and, particularly, doing things like launching zombie and bot armies to do that kind of identity theft just because of the lucrative nature of the attacks.”

The good news is that while healthcare data is a valuable commodity for obvious reasons, hospital databases remain largely untapped resources for would-be identity thieves, at least for now.
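The CR-device incident above was noticed only because someone eventually looked at the volume of traffic going in and out of the device. A modality like that has a very short list of things it should ever talk to, so its flow records can be checked against an allowlist mechanically. The script below is an added example written for this article, not code from any vendor or consultancy quoted in it; the device names, addresses, port numbers, byte baseline and flow records are constructed assumptions, as is the choice of DICOM (ports 104 and 11112) and HL7 over MLLP (port 2575) as the only protocols the device may speak.

```python
"""Audit flow records for a medical imaging device against an allowlist of the
protocols and peers it is expected to use, and against a traffic-volume baseline.

Added example, not code from the article. Device names, IP addresses, port
numbers, the byte baseline and the flow records below are all assumptions or
constructed sample data.
"""
from collections import defaultdict

# Port numbers are assumptions about this site: DICOM is commonly served on
# 104 or 11112, and HL7 over MLLP is commonly served on 2575.
DICOM_PORTS = {104, 11112}
HL7_PORTS = {2575}

# Per-device policy. In practice the peers come from the PACS/HL7 engine
# inventory and the baseline from a few weeks of observed traffic.
DEVICE_POLICY = {
    "cr-01": {
        "allowed_ports": DICOM_PORTS | HL7_PORTS,
        "allowed_peers": {"pacs-01", "hl7-engine"},
        "baseline_bytes": 50_000_000,  # bytes per audit window (assumed)
    },
}

# Constructed flow records, one per connection, as a flow collector might
# export them. "dport" is the server-side port of the connection.
SAMPLE_FLOWS = [
    {"src": "cr-01", "dst": "pacs-01", "dport": 11112, "bytes": 20_000_000},  # DICOM store
    {"src": "cr-01", "dst": "hl7-engine", "dport": 2575, "bytes": 120_000},   # HL7 messages
    # The pattern from the CR-device story: an outside host reaches a web
    # service on the device, then pulls a very large volume of data from it.
    {"src": "203.0.113.7", "dst": "cr-01", "dport": 80, "bytes": 4_000},
    {"src": "cr-01", "dst": "203.0.113.7", "dport": 44912, "bytes": 900_000_000},
]


def audit_device_flows(flows, policy=DEVICE_POLICY):
    """Return a list of findings, each a dict with 'device', 'type' and 'flow'."""
    findings = []
    volume = defaultdict(int)
    for flow in flows:
        for device, rules in policy.items():
            if device not in (flow["src"], flow["dst"]):
                continue
            volume[device] += flow["bytes"]
            peer = flow["dst"] if flow["src"] == device else flow["src"]
            bad_port = flow["dport"] not in rules["allowed_ports"]
            bad_peer = peer not in rules["allowed_peers"]
            if bad_port or bad_peer:
                # An inbound connection to an unexpected port means the device
                # is offering a service it has no business running; an outbound
                # one means it is reaching something that is not its PACS or
                # HL7 engine.
                kind = "unexpected_service" if flow["dst"] == device else "unexpected_connection"
                findings.append({"device": device, "type": kind, "flow": flow})
    for device, rules in policy.items():
        if volume[device] > rules["baseline_bytes"]:
            findings.append({
                "device": device,
                "type": "volume_above_baseline",
                "flow": {"bytes": volume[device], "baseline": rules["baseline_bytes"]},
            })
    return findings


if __name__ == "__main__":
    for finding in audit_device_flows(SAMPLE_FLOWS):
        print(finding["device"], finding["type"], finding["flow"])
```

Run as a script it prints three findings for the sample flows: an inbound connection to port 80 on the device (a service it should not be offering), an outbound bulk transfer to an Internet address that is neither a PACS nor an HL7 engine, and a total volume far above the baseline. In production the flows would come from a NetFlow or sFlow collector, and the same allowlist would be enforced, not merely audited, by a firewall in front of the device.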
The Enemy Within

Many of these security breaches can be attributed to an age-old nemesis: curiosity. “I’ve seen cases where people are looking up their spouse or somebody that they’re dating to see what STD [sexually transmitted disease] tests they’ve had done—all sorts of breaches of confidentiality,” he says. “Those problems can run rampant in some organizations.”

Even though it’s not recommended, and HIPAA’s Security Rule calls for each user to have a unique identifier, many organizations still use shared or even generic user IDs and passwords. “You don’t know who’s doing it,” Haber says. “So if you don’t know who’s doing it, but those people are sharing IDs, then they feel more confident in looking at the data in the EMR [electronic medical record].” With such a lack of accountability, it’s easy to see how something such as George Clooney’s medical record could turn into an impromptu peep show. “If I worked for a healthcare organization, even though it would be tempting because I’d have a lot of trust in the organization [if I’d be willing to work there], I wouldn’t get my healthcare done there,” says Haber.

However, not all insider attacks are of the nuisance variety; some can do serious damage to a healthcare facility. “There was a case where a person at a hospital got wind that they were going to be fired and basically put in a back door,” he says. “After they were let go, they wiped the financial system and the backups. The hospital almost didn’t make payroll that month. They made it, but it was very close.”

In addition, some attacks that appear to come from the inside are actually the work of an outsider who has found a hole in the network and is working inward from the first machine compromised. “The principle for an attacker is that they want to compromise at least one system,” says Withers. “Once they compromise one system, then they can leapfrog to other systems.
They can, for example, move from a medical imaging device to attack the hospital informatics system and then do an identity theft attack there to steal patient records or billing records.”

HIPAA’s Role

“I’ve always been a big fan of HIPAA. I like where they’ve gone with encryption, etc,” says Henry. “But I think that a very simple fact that most people are missing today is HIPAA was originally designed to secure an environment that was Web 1.0-based.”

In Henry’s view, the changing nature of our relationship with the Internet has fundamentally affected the way we use data and the way it should be protected. “There is a tremendous inherent risk on the public Internet that is not currently being addressed,” says Henry. “And I think that, at this point in time, we need to seriously consider the risks of Web 2.0 and the impact they can have on a HIPAA-protected network.”

Because today’s Web is bidirectional, with users posting to social sites, blogs, and Wikipedia-like sites as well as reading them, Henry cites Web-borne malware as a highly underestimated threat to healthcare data. “From a HIPAA perspective, it is very concerning that by simply visiting a popular Web site on the public Internet, you could, in fact, be exposing your entire network because of this malware,” he says.

Necessary Precautions

“If you consider a medical device, for example, the medical device should only be talking to a handful of the network protocols, such as DICOM [Digital Imaging and Communications in Medicine] and HL7 [Health Level Seven],” says Withers. “If the device is unpatched—and it may not be able to be patched because the device vendor hasn’t come up with approved patches that they’ve worked through their FDA process—then there are vulnerabilities in the base operating system.”

Fortunately, most large medical imaging and informatics vendors are paying more attention to patches and security.
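Shared accounts, curiosity lookups and stale accounts, the insider problems described under The Enemy Within above, all leave traces in the EMR’s access audit log, which the HIPAA Security Rule requires and most systems already keep. The script below is an added example, not code from the article or from any EMR vendor; its log format, user directory, thresholds and every event in it are constructed. It applies four checks a privacy officer could run over a day’s log: accesses from generic accounts that cannot be tied to a person, accesses where the user’s surname matches the patient’s, accounts used after HR recorded the owner as departed (the de-provisioning point Haber raises at the end of the article), and a single record opened by more distinct users within an hour than any care team would need.

```python
"""Review EMR access-audit events for the insider patterns the article
describes: generic or shared accounts that cannot be tied to a person, staff
looking up relatives, accounts still in use after their owner has left, and a
record drawing more viewers than any care team needs.

Added example, not code from the article. The log layout, the user directory,
the thresholds and every event below are constructed assumptions.
"""
from collections import defaultdict
from datetime import date, datetime, timedelta

# Constructed user directory. 'shared' marks generic accounts whose password is
# known to several people; 'left' is the date HR recorded the user's departure.
USERS = {
    "jsmith":   {"surname": "Smith",  "shared": False, "left": None},
    "rlee":     {"surname": "Lee",    "shared": False, "left": None},
    "mgarcia":  {"surname": "Garcia", "shared": False, "left": None},
    "tnguyen":  {"surname": "Nguyen", "shared": False, "left": None},
    "akhan":    {"surname": "Khan",   "shared": False, "left": None},
    "pold":     {"surname": "Olds",   "shared": False, "left": date(2007, 11, 15)},
    "ed-ws-02": {"surname": None,     "shared": True,  "left": None},
}

# Constructed audit events: timestamp, account, patient id, patient surname.
AUDIT_LOG = """\
2007-11-20T08:02:11 jsmith   P1001 Jones
2007-11-20T08:05:40 ed-ws-02 P1002 Brown
2007-11-20T08:09:03 rlee     P1003 Lee
2007-11-20T08:30:47 pold     P1004 Miller
2007-11-20T09:15:22 jsmith   P2000 Clooney
2007-11-20T09:16:01 rlee     P2000 Clooney
2007-11-20T09:16:30 ed-ws-02 P2000 Clooney
2007-11-20T09:17:12 mgarcia  P2000 Clooney
2007-11-20T09:17:55 tnguyen  P2000 Clooney
2007-11-20T09:18:20 akhan    P2000 Clooney
"""


def parse_log(text):
    """Turn the whitespace-separated log into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, user, patient, surname = line.split()
        events.append({"time": datetime.fromisoformat(stamp), "user": user,
                       "patient": patient, "surname": surname})
    return events


def shared_account_access(events, users=USERS):
    """Accesses that cannot be attributed to an individual."""
    return [e for e in events if users.get(e["user"], {}).get("shared")]


def same_surname_lookups(events, users=USERS):
    """Crude relative-lookup heuristic. Noisy for common surnames, so treat
    hits as leads for the privacy officer rather than proof of a breach."""
    return [e for e in events
            if users.get(e["user"], {}).get("surname") == e["surname"]]


def access_after_departure(events, users=USERS):
    """Accounts used after HR recorded the owner as gone: de-provisioning failed."""
    hits = []
    for e in events:
        left = users.get(e["user"], {}).get("left")
        if left is not None and e["time"].date() > left:
            hits.append(e)
    return hits


def crowded_records(events, max_viewers=4, window=timedelta(hours=1)):
    """Patients whose record was opened by more distinct users within one
    window than a care team would plausibly need. Returns {patient: viewers}."""
    by_patient = defaultdict(list)
    for e in events:
        by_patient[e["patient"]].append(e)
    flagged = {}
    for patient, evs in by_patient.items():
        evs.sort(key=lambda e: e["time"])
        for i, start in enumerate(evs):
            viewers = {e["user"] for e in evs[i:]
                       if e["time"] - start["time"] <= window}
            if len(viewers) > max_viewers:
                flagged[patient] = max(len(viewers), flagged.get(patient, 0))
    return flagged


if __name__ == "__main__":
    events = parse_log(AUDIT_LOG)
    for e in shared_account_access(events):
        print("shared account:", e["user"], e["patient"])
    for e in same_surname_lookups(events):
        print("same surname:", e["user"], e["patient"])
    for e in access_after_departure(events):
        print("after departure:", e["user"], e["patient"])
    print("crowded records:", crowded_records(events))
```

The first three checks are simple joins between the log and the directory, which is why a current HR feed matters as much as the log itself; the fourth needs no directory at all and is the one that catches a celebrity record being browsed by the whole floor.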
“We’re starting to see the vendors taking security very, very seriously and creating mechanisms to respond to the providers in a more timely fashion than they have historically,” says Koller.

Another useful defensive tool is the honeypot, so named because it is meant to draw attackers the way a pot of honey draws bears. It is a decoy computer system set up to look like a real one; because no legitimate user has any business on it, any traffic it receives is suspect. “It serves two purposes. One is to let the attackers think they’ve attacked a real system, perhaps broken into a real system, not found anything useful there, and [induce them to] go away,” says Withers. “But the second purpose of a honeypot is also to let you know that the attack is actually underway.”

Honeypots help security professionals distinguish between imminent and general threats, as well as determine which attacks are most successful. They can also be used to monitor insider threats. “Honeypots work as a very good trigger inside the perimeter, as well as to let you know that there’s something suspicious going on on the networks,” Withers says.

But even with exemplary perimeter security, healthcare facilities still need to be concerned about malware. “Most healthcare facilities today, they do incorporate a firewall, they incorporate antispam technologies, URL filtering technologies, the full gamut,” says Henry. “What they need to do is look at upgrading those technologies to support Web 2.0 functionality.

“So one of the new things that’s being done today is a technology called antimalware scanning,” he adds. “Literally, they scan the code that’s being returned as an example from a Web site visit to the public Internet. In scanning it, they rate the malicious intent of any script that may be being downloaded off the user’s PC. … And it’s proving to be a much more effective defense.”

Haber echoes these sentiments.
“We’re often seeing with organizations that have all this great perimeter network protection, like firewalls and Web proxies and intruder prevention, they’ll still get infected because somebody brings a laptop home; it gets infected and physically brings it into the network,” he says. “So having the antivirus and antispyware on workstations is very important.”

A Collaborative Effort

“If you follow the best practices of a vendor, such as Microsoft, or even application vendors such as GE or modality vendors such as GE, and you apply their best practices they’ve learned painfully already, then that’s a good start,” says Withers. “Implementing those in the policies and procedures is a good start, but you need an external pair of eyes.”

“A facility may have their own in-house staff of very, very competent people, but one common mistake is when you let the same people who build it assess it for vulnerabilities, they miss things,” says Koller. “They miss things because they’re too familiar with it, work-arounds have been created, and they operate unconsciously when those work-arounds come into play. One of the best ways is to have somebody who is not involved in the creation and maintenance of the environment come in and do an assessment with fresh eyes, to have the ability to ask the dumb questions that internal people generally don’t ask and find the holes that way.”

Withers cites three levels of security assessment: a checklist review, in which someone knowledgeable works through a checklist obtained commercially or from the government; a vulnerability analysis, actively looking for weaknesses, often with automated scanning tools; and penetration testing or ethical hacking, actually attempting to break into your own systems. “Most often in healthcare, people tend to go for the middle level, the vulnerability analysis, simply because more severe types of testing can actually disable networks and disable components, and that’s typically not acceptable in a healthcare environment,” Withers says.
Finally, Haber stresses the importance of performing background checks on employees and promptly removing network access when an employee leaves the organization. “Make sure that an insider who is let go doesn’t become an insider again,” he says.

— David Yeager is an editorial assistant at For The Record.

Resources

Paul Henry’s white paper about Web 2.0 threats

Investments in Data Security Make Sense and Save Dollars

“When you’re looking at structuring the network and classifying data, there are some items that we hope to see but are not,” says Lobel. “When you’re looking at what data you encrypt and where you encrypt it, that decision must be linked to the business strategy. That is what really gives you the business value and the bang for the buck for information security.”

Lobel notes that healthcare providers encrypt data at a slightly higher rate than other industries, but they’re less likely to encrypt it while it’s at rest: in databases, on a file share in a provider’s network, or on a laptop. Data losses are expensive, not to mention damaging to a facility’s reputation. By incorporating data security into their financial strategies, healthcare facilities can save money in the long run.

Lobel explains that security is a function of protection and enablement. “Protection, I would make analogous to purchasing insurance,” says Lobel. “What’s the ROI [return on investment] on insurance? It’s not something you calculate, you calculate it based on risk tolerance, and for the protection side of information security. I think that’s the same calculation.”

Enablement, the controls that govern who gets access to data so that the business can operate, lends itself more readily to an ROI calculation, depending on which initiative a hospital pursues. “If you’re going online, HIPAA regulations [state that] you can’t do that business if you don’t have proper security and privacy controls,” says Lobel. “Then you can figure out: What’s the business opportunity that’s being missed?
What percentage of churn are you going to have if there’s a security breach? There are at least some estimates in ROI you can make there.

“And then there are some security solutions that help enablement, like identity management, that have not only the soft dollar savings but actual hard dollar savings,” he adds.

Identity solutions can function as both protection and enablement. “Identity solutions, I think, work from the protection perspective because they create a centralized place where you can add, change, and delete users,” says Lobel. “They work from the enablement perspective because they allow centralized control and the real-time removal of people when they are transferred or terminated. [It’s] delegated administration that allows your member organizations to manage their user base, making it easier.”

By far one of the biggest sources of cost in the identity management enablement arena is password resets, says Lobel. “If you’re using a help desk for password resets, help desk calls are expensive. Password resets can be roughly anywhere between 10% and 40% of your help desk calls.”

Password resets are usually the first thing that gets noticed in an identity management ROI calculation. Lobel believes that by removing this burden from the help desk, facilities can save a significant amount of money. “Either you’re going to need less help desk, and you can do a direct cost saving there, or you can put that help desk to something more effective than resetting people’s passwords and authenticating those people,” he says. “That is relatively automatable. ... There’s no reason you need a high-value person doing a task that can be automated.”

While these principles can bring varying degrees of cost savings to a facility, don’t look for a hard and fast percentage. Lobel is quick to point out that each facility’s circumstances are unique. “It really depends on the business, the company, its market strategy, its market position, and the opportunity,” he says.
— DY

Social Engineering Designs Trouble for Data Security

Passwords and other access mechanisms are often compromised because people have been socially engineered into handing them over. “An example of a social engineering attack is when you call somebody and claim to be from the help desk,” says Withers. “Ask them for their user name and password, and they’ll give it to you as often as not.”

Details of a hospital’s IT infrastructure should also be protected. Hackers want to know what computers and software a hospital is using, as well as how its network is laid out. Information such as the type of PACS [picture archiving and communication system], hospital information system, medical information system, or radiology information system that a facility uses is valuable to an attacker, says Withers. The reason, he explains, is that operating systems and networks have better security than ever before. “So the attackers are now attacking the applications much more than they’re attacking the real network,” Withers says. “The way you find out what applications to attack is by asking people, ‘What are you running?’ and they’ll very often tell you.”

Finally, employees need to be careful about the type of personal information they give out. Attackers can use an employee’s background information to guess the passwords that employee is likely to have chosen. “For example, they may use their alma mater or their alma mater’s mascot as their password for their network login,” says Withers, “which would then let somebody break into the network and hopscotch across the network until they find something valuable.”

— DY
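Withers’ mascot example is what makes personal details dangerous: a handful of facts from a social-network profile is enough to build a short, targeted guess list. The script below is an added example, not code from the article; the profile, the mangling rules, the suffix list and the “leaked” hash are all constructed. It shows both sides of the same guess list: the attacker’s offline check of a leaked unsalted hash, and the password-change check a facility can run to reject any password derived from what it knows about the employee. Plain SHA-256 is used only to keep the example self-contained; a real credential store should use a slow, salted scheme such as bcrypt, scrypt or Argon2.

```python
"""Show how much guessing power an attacker gets from a few facts about an
employee (alma mater, mascot, and the like), and the matching check a
password-change routine can make so that such passwords are rejected.

Added example, not code from the article. The profile, the mangling rules,
the suffix list and the stored hash below are constructed. Plain SHA-256 is
used only to keep the example self-contained; real stores should use a slow
salted hash such as bcrypt, scrypt or Argon2.
"""
import hashlib
import itertools

# Common character substitutions people use to "strengthen" a word.
LEET = str.maketrans({"a": "4", "e": "3", "i": "1", "o": "0", "s": "5"})

# Suffixes people append to get past a length or complexity rule. Assumed;
# a real cracking list is much longer.
SUFFIXES = ["", "1", "123", "!", "1!", "2007", "07", "#1"]

# Constructed profile: the sort of facts found on a social-network page.
PROFILE = {
    "alma_mater": "Florida State",
    "mascot": "Seminoles",
    "first_name": "Dana",
    "pet": "Rocky",
    "birth_year": "1979",
}


def word_forms(word):
    """Case and leet variants of one term, with spaces removed."""
    base = word.replace(" ", "")
    forms = {base, base.lower(), base.upper(), base.capitalize()}
    forms |= {f.translate(LEET) for f in list(forms)}
    return forms


def guesses_from_profile(profile, suffixes=SUFFIXES):
    """Every candidate password an attacker would try from the profile."""
    terms = [v for v in profile.values() if v]
    guesses = set()
    for term in terms:
        for form in word_forms(term):
            for suffix in suffixes:
                guesses.add(form + suffix)
    # Two-term combinations, e.g. mascot followed by birth year.
    for a, b in itertools.permutations(terms, 2):
        for fa in word_forms(a):
            for fb in word_forms(b):
                guesses.add(fa + fb)
    return guesses


def find_matching_guess(stored_sha256_hex, profile):
    """Attacker's side: offline check of a leaked unsalted hash.
    Returns the recovered password, or None if no guess matches."""
    for guess in guesses_from_profile(profile):
        if hashlib.sha256(guess.encode()).hexdigest() == stored_sha256_hex:
            return guess
    return None


def is_profile_derived(password, profile):
    """Defender's side: True if a password-change request should be refused
    because the new password is in the attacker's guess list."""
    return password in guesses_from_profile(profile)


# Constructed "leaked" hash: what an attacker would hold after dumping an
# unsalted SHA-256 credential table for a user who chose "Seminoles1979".
LEAKED_HASH = hashlib.sha256(b"Seminoles1979").hexdigest()


if __name__ == "__main__":
    print("candidates:", len(guesses_from_profile(PROFILE)))
    print("recovered:", find_matching_guess(LEAKED_HASH, PROFILE))
    for pw in ["seminoles!", "Rocky1979", "correct horse battery staple"]:
        print(pw, "->", "reject" if is_profile_derived(pw, PROFILE) else "ok")
```

The defender’s check is cheap because the candidate set is small (on the order of a thousand strings for a five-field profile), and it catches exactly the class of passwords that pass a length-and-complexity rule while still being the first thing an attacker who has read the employee’s profile will try.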