November 26, 2007

Keyboard Kops
By David Yeager
For The Record
Vol. 19 No. 24 P. 16

Clinical systems are increasingly coming under attack from unsavory characters out to do serious harm, prompting healthcare facilities to arm themselves with imposing defense forces.

Your healthcare facility is under attack, and you may not realize it. Hordes of hackers, bots, worms, and just plain bad people are tirelessly working to compromise computer networks and steal data. While this may sound like hyperbole or outright paranoia, consider a recent report by National Public Radio that estimated the potential annual cost of Medicare fraud—a crime that accounted for approximately $300 million to $400 million in false claims last year in two Florida counties alone—at $70 billion. Identity theft is big business in America, and healthcare offers opportunities that have barely begun to be exploited.

There are a number of ways that computer systems can be compromised. Many attacks involve malware, malicious computer code that embeds itself or is embedded by a hacker. “At the Super Bowl this year, the Miami Dolphins’ Web site was hacked,” says Paul Henry, vice president of technology evangelism at Secure Computing Corp. “Someone added additional JavaScript to their home page, and during that very popular time period, anyone who visited the Miami Dolphins Web site had malware installed on their PC. The malware was a root-kit that added the users’ PCs to the army of spam-sending botnets on the Internet.” Perhaps more surprisingly—and from a healthcare standpoint, more disturbing—the exact same type of attack was applied to the Centers for Disease Control and Prevention’s Web site shortly after the Super Bowl.

One common type of malware is a worm, which is frequently spread by servers sending out mass e-mails. “Hackers are trying to get people to open up e-mails or click on links in e-mails that will do bad things to their computers such as the Storm worm, which is one in particular that we’ve been tracking,” says Wayne Haber, CISSP, director of development at SecureWorks. “It’s being used for everything from spreading itself to identity theft to pump-and-dump stock scams to just regular old spam.” While worms aren’t specific to healthcare, they replicate indiscriminately.

Key Vulnerability
Another common tactic deploys a different type of malware called a bot, which allows a hacker to gain complete control of a computer and turn it into a “zombie.” This practice isn’t healthcare-specific either, but healthcare facilities may be particularly vulnerable to this type of attack. “Clinical systems, especially things like modalities, are governed by the FDA, so they can’t necessarily keep up with the patches that other, more commercial types of IT systems can,” says John S. Koller, president of KAI Consulting.

“There was a situation with a large academic medical center that had a CR [computed radiography] device that was way behind on patches, and because the perimeter security was not as strong as it needed to be, an outsider was able to corrupt that physical device because of the vulnerabilities without those patches,” Koller says. “It was discovered at some point in time that there was a very high volume of traffic going in and out of that CR device. After they did the analysis, they found out that somebody from the outside had corrupted it and turned it into a porn server on the Internet.”

Although this attack obviously wasn’t designed to steal patient data, it underscores a weakness in healthcare security. If left unaddressed, this weakness may lead to much bigger headaches. “We’ve seen a change in the security threat profile, not just to healthcare, but healthcare’s a particularly effective target because of the volumes of patient information,” says Bob Withers, CISSP, practice leader for security services at KAI Consulting. “In the last three or four years, organized crime has gotten involved in identity theft and, particularly, doing things like launching zombie and bot armies to do that kind of identity theft just because of the lucrative nature of the attacks.”

The good news is that while healthcare data is a valuable commodity for obvious reasons, hospital databases remain largely untapped resources for would-be identity thieves—at least for now.

The Enemy Within
Many security breaches in healthcare facilities don’t come from the outside. “The healthcare-specific attacks that we’ve seen are typically insider attacks, somebody who’s an employee or a contractor for the organization looking at data that they shouldn’t be,” says Haber.

Many of these security breaches can be attributed to an age-old nemesis: curiosity. “I’ve seen cases where people are looking up their spouse or somebody that they’re dating to see what STD [sexually transmitted disease] tests they’ve had done—all sorts of breaches of confidentiality,” he says. “Those problems can run rampant in some organizations.”

Even though it’s not recommended, especially in light of HIPAA, many organizations use shared or even generic user IDs and passwords. “You don’t know who’s doing it,” Haber says. “So if you don’t know who’s doing it, but those people are sharing IDs, then they feel more confident in looking at the data in the EMR [electronic medical record].” With such a lack of accountability, it’s easy to see how something such as George Clooney’s medical record could spark an impromptu peep show. “If I worked for a healthcare organization, even though it would be tempting because I’d have a lot of trust in the organization [if I’d be willing to work there], I wouldn’t get my healthcare done there,” says Haber.

However, not all insider attacks are of the nuisance variety since some can cause serious damage to a healthcare facility. “There was a case where a person at a hospital got wind that they were going to be fired and basically put in a back door,” he says. “After they were let go, they wiped the financial system and the backups. The hospital almost didn’t make payroll that month. They made it, but it was very close.”

In addition, some attacks that appear to be committed from the inside are actually the result of a hole in the network. “The principle for an attacker is that they want to compromise at least one system,” says Withers. “Once they compromise one system, then they can leapfrog to other systems. They can, for example, move from a medical imaging device to attack the hospital informatics system and then do an identity theft attack there to steal patient records or billing records.”

HIPAA’s Role
When Atlanta’s Piedmont Hospital was audited by Health and Human Services (HHS) in March, people in the HIM profession took notice. Although neither HHS nor Piedmont is willing to discuss the matter, it is widely believed that the audit was the first of its kind under the HIPAA security rules that took effect in April 2005. No one can be sure if this will lead to stricter enforcement of security rules, but few people believe that this is the last audit of its kind. Whether healthcare organizations like it or not, they’re going to have to pay more attention to data security. What remains to be seen is whether HIPAA’s security rules are adequate for protecting patient data.

“I’ve always been a big fan of HIPAA. I like where they’ve gone with encryption, etc.,” says Henry. “But I think that a very simple fact that most people are missing today is HIPAA was originally designed to secure an environment that was Web 1.0-based.”

In Henry’s view, the changing nature of our relationship with the Internet has fundamentally affected the way we use data and the way it should be protected. “There is a tremendous inherent risk on the public Internet that is not currently being addressed,” says Henry. “And I think that, at this point in time, we need to seriously consider the risks of Web 2.0 and the impact they can have on a HIPAA-protected network.”

Because of the possibilities for bidirectional contact that the Internet provides (social Web sites, blogs, Wikipedia-like sites, etc.), Henry cites Web-borne malware as a highly underestimated threat to healthcare data. “From a HIPAA perspective, it is very concerning that by simply visiting a popular Web site on the public Internet, you could, in fact, be exposing your entire network because of this malware,” he says.

Necessary Precautions
No method of security is 100% effective, but there are precautions that can greatly reduce a healthcare system’s data theft risk. One is perimeter security, firewalls at the edge of a network that regulate the traffic going in and out. Koller says some institutions add an extra layer of security at the edge of a department, putting “rules in place for data going in and out of certain areas that can increase the security and compensate for the vulnerabilities of the devices that aren’t necessarily patched up to the latest levels.”

“If you consider a medical device, for example, the medical device should only be talking to a handful of the network protocols, such as DICOM [Digital Imaging and Communications in Medicine] and HL7 [Health Level Seven],” says Withers. “If the device is unpatched—and it may not be able to be patched because the device vendor hasn’t come up with approved patches that they’ve worked through their FDA process—then there are vulnerabilities in the base operating system.”
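The compensating control Koller and Withers describe, as an added example that is not part of the article: a protocol allowlist for a constructed CR modality (DICOM to the PACS, HL7 to the RIS) rendered as department-edge nftables rules, and the same allowlist plus a byte-volume check run over constructed flow records of the kind that exposed the corrupted CR device in Koller's anecdote. The addresses, the volume baseline and the flow-record format are assumptions; only the DICOM (104/tcp) and HL7 MLLP (2575/tcp) port numbers are real IANA registrations.

```python
"""Allowlist and volume check for an unpatchable imaging device.

Constructed example: the device may only initiate DICOM to the PACS and
HL7 to the RIS; anything else, any inbound connection, or an unusual
byte volume is reported so the department edge can block it or staff
can investigate.
"""
from collections import defaultdict
from dataclasses import dataclass

# Hypothetical addresses for the CR modality and its legitimate peers.
CR_DEVICE = "10.20.30.40"
ALLOWED_PEERS = {
    ("10.20.30.10", 104, "tcp"),   # PACS, DICOM (IANA port 104)
    ("10.20.30.11", 2575, "tcp"),  # RIS, HL7 over MLLP (IANA port 2575)
}
VOLUME_LIMIT_BYTES = 5_000_000_000  # assumed daily baseline for one CR unit

# Constructed flow records: "src dst dport proto bytes" (one per line).
SAMPLE_FLOWS = """\
10.20.30.40 10.20.30.10 104 tcp 120000000
10.20.30.40 10.20.30.11 2575 tcp 4000
10.20.30.40 203.0.113.5 80 tcp 7800000000
198.51.100.7 10.20.30.40 21 tcp 1200
"""


@dataclass
class Finding:
    rule: str
    src: str
    dst: str
    dport: int
    detail: str


def parse_flows(text):
    """Parse the constructed flow format into (src, dst, dport, proto, bytes)."""
    flows = []
    for line in text.splitlines():
        if line.strip():
            src, dst, dport, proto, nbytes = line.split()
            flows.append((src, dst, int(dport), proto, int(nbytes)))
    return flows


def audit_device_flows(text, device=CR_DEVICE, allowed=ALLOWED_PEERS,
                       limit=VOLUME_LIMIT_BYTES):
    """Report flows outside the allowlist and an abnormal total volume."""
    findings, volume = [], defaultdict(int)
    for src, dst, dport, proto, nbytes in parse_flows(text):
        if device not in (src, dst):
            continue
        volume[device] += nbytes  # count both directions, like the CR case
        if src != device:
            findings.append(Finding("inbound-to-device", src, dst, dport,
                                    "modality should never accept connections"))
        elif (dst, dport, proto) not in allowed:
            findings.append(Finding("protocol-allowlist", src, dst, dport,
                                    f"{proto}/{dport} to {dst} is not DICOM/HL7 to a known peer"))
    if volume[device] > limit:
        findings.append(Finding("volume-anomaly", device, "*", 0,
                                f"{volume[device]} bytes exceeds baseline {limit}"))
    return findings


def nftables_rules(device=CR_DEVICE, allowed=ALLOWED_PEERS):
    """Render the allowlist as the body of an nftables chain at the department edge."""
    rules = [f"ip daddr {device} ct state established,related accept"]
    for peer, port, proto in sorted(allowed):
        rules.append(f"ip saddr {device} ip daddr {peer} {proto} dport {port} accept")
    rules += [f"ip saddr {device} drop", f"ip daddr {device} drop"]
    return rules
```

Running `audit_device_flows(SAMPLE_FLOWS)` flags the port 80 flow to the Internet, the inbound FTP attempt, and the total volume; the two DICOM/HL7 flows pass.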

Fortunately, most large medical imaging and informatics vendors are paying more attention to patches and security. “We’re starting to see the vendors taking security very, very seriously and creating mechanisms to respond to the providers in a more timely fashion than they have historically,” says Koller.

Another useful type of perimeter security is called a honeypot in honor of Winnie the Pooh. It’s a false computer system that’s set up to look like a real system. “It serves two purposes. One is to let the attackers think they’ve attacked a real system, perhaps broken into a real system, not found anything useful there, and [induce them to] go away,” says Withers. “But the second purpose of a honeypot is also to let you know that the attack is actually underway.”

Honeypots help security professionals distinguish between imminent and general threats, as well as determine which attacks are most successful. They can also be used to monitor insider threats. “Honeypots work as a very good trigger inside the perimeter, as well as to let you know that there’s something suspicious going on on the networks,” Withers says.

But even with exemplary perimeter security, healthcare facilities still need to be concerned about malware. “Most healthcare facilities today, they do incorporate a firewall, they incorporate antispam technologies, URL filtering technologies, the full gamut,” says Henry. “What they need to do is look at upgrading those technologies to support Web 2.0 functionality.

“So one of the new things that’s being done today is a technology called antimalware scanning,” he adds. “Literally, they scan the code that’s being returned as an example from a Web site visit to the public Internet. In scanning it, they rate the malicious intent of any script that may be being downloaded off the user’s PC. … And it’s proving to be a much more effective defense.”

Haber echoes these sentiments. “We’re often seeing with organizations that have all this great perimeter network protection, like firewalls and Web proxies and intruder prevention, they’ll still get infected because somebody brings a laptop home; it gets infected and physically brings it into the network,” he says. “So having the antivirus and antispyware on workstations is very important.”

A Collaborative Effort
While technology is essential for dealing with security threats, the human element should not be overlooked when assessing a network’s vulnerabilities. Haber recommends asking IT staff what’s on their to-do list. It’s also not a bad idea to take advantage of others’ experiences.

“If you follow the best practices of a vendor, such as Microsoft, or even application vendors such as GE or modality vendors such as GE, and you apply their best practices they’ve learned painfully already, then that’s a good start,” says Withers. “Implementing those in the policies and procedures is a good start, but you need an external pair of eyes.”

“A facility may have their own in-house staff of very, very competent people, but one common mistake is when you let the same people who build it assess it for vulnerabilities, they miss things,” says Koller. “They miss things because they’re too familiar with it, work-arounds have been created, and they operate unconsciously when those work-arounds come into play. One of the best ways is to have somebody who is not involved in the creation and maintenance of the environment come in and do an assessment with fresh eyes, to have the ability to ask the dumb questions that internal people generally don’t ask and find the holes that way.”

Withers cites three levels of security assessment: having someone who’s knowledgeable use a checklist obtained commercially or from the government; actively looking for vulnerabilities, often with automated tools; and penetration testing or ethical hacking, actually attempting to break into your own systems.

“Most often in healthcare, people tend to go for the middle level, the vulnerability analysis, simply because more severe types of testing can actually disable networks and disable components, and that’s typically not acceptable in a healthcare environment,” Withers says.

Finally, Haber stresses the importance of performing background checks on employees and promptly removing network access when an employee leaves the organization. “Make sure that an insider who is let go doesn’t become an insider again,” he says.

— David Yeager is an editorial assistant at For The Record.

Resources
Antimalware report

National Public Radio report

Paul Henry’s white paper about Web 2.0 threats

Piedmont Hospital

Zombies and bots

Investments in Data Security Make Sense and Save Dollars
A recent survey by PricewaterhouseCoopers found that while many healthcare facilities are aware of the importance of data security, they are lagging behind in implementing security measures. And according to Mark Lobel of PricewaterhouseCoopers, these facilities are missing out on a golden business opportunity.

“When you’re looking at structuring the network and classifying data, there are some items that we hope to see but are not,” says Lobel. “When you’re looking at what data you encrypt and where you encrypt it, that decision must be linked to the business strategy. That is what really gives you the business value and the bang for the buck for information security.”

Lobel notes that healthcare providers encrypt data at a slightly higher rate than other industries, but they’re less likely to encrypt it while it’s at rest in databases, sitting on a file share in a provider’s network, or on a laptop.

Data losses are expensive, not to mention damaging to a facility’s reputation. By incorporating data security into their financial strategies, healthcare facilities can save money in the long run. Lobel explains that security is a function of protection and enablement. “Protection, I would make analogous to purchasing insurance,” says Lobel. “What’s the ROI [return on investment] on insurance? It’s not something you calculate, you calculate it based on risk tolerance, and for the protection side of information security. I think that’s the same calculation.”

Enablement, rules that determine who receives access to data, is more conducive to calculating an ROI depending on which initiative a hospital pursues. “If you’re going online, HIPAA regulations [state that] you can’t do that business if you don’t have proper security and privacy controls,” says Lobel. “Then you can figure out: What’s the business opportunity that’s being missed? What percentage of churn are you going to have if there’s a security breach? There are at least some estimates in ROI you can make there.

“And then there are some security solutions that help enablement, like identity management, that have not only the soft dollar savings but actual hard dollar savings,” he adds.

Identity solutions can function as both protection and enablement. “Identity solutions, I think, work from the protection perspective because they create a centralized place where you can add, change, and delete users,” says Lobel. “They work from the enablement perspective because they allow centralized control and the real-time removal of people when they are transferred or terminated. [It’s] delegated administration that allows your member organizations to manage their user base, making it easier.”

By far one of the biggest sources of cost in the identity management enablement arena is password resets, says Lobel. “If you’re using a help desk for password resets, help desk calls are expensive. Password resets can be roughly anywhere between 10% and 40% of your help desk calls.” Password resets are usually the first thing that gets noticed in an identity management ROI calculation.

Lobel believes that by removing this burden from the help desk, facilities can save a significant amount of money. “Either you’re going to need less help desk, and you can do a direct cost saving there, or you can put that help desk to something more effective than resetting people’s passwords and authenticating those people,” he says. “That is relatively automatable. ... There’s no reason you need a high-value person doing a task that can be automated.”

While these principles can bring varying degrees of cost savings to a facility, don’t look for a hard and fast percentage. Lobel is quick to point out that each facility’s circumstances are unique. “It really depends on the business, the company, its market strategy, its market position, and the opportunity,” he says.

— DY

Social Engineering Designs Trouble for Data Security
Share. Play nice. Be helpful. From an early age, we’re socialized to cooperate. And in many cases, cooperation greases the machinery of society. But when it comes to data security, people are often too cooperative. “It’s remarkable how much information can be gotten just by asking,” says Bob Withers, CISSP, practice leader for KAI Consulting.

Passwords and other access mechanisms are often compromised because people have been socially engineered to be compliant. “An example of a social engineering attack is when you call somebody and claim to be from the help desk,” says Withers. “Ask them for their user name and password, and they’ll give it to you as often as not.”

Details of a hospital’s IT infrastructure should also be protected. Hackers want to know what computers and software a hospital is using, as well as what type of networking is going on. Information such as the type of PACS [picture archiving and communication system], hospital information system, medical information system, or radiology information system that a facility uses is valuable to an attacker, says Withers. The reason for this, he explains, is because operating systems and networks have better security than ever before. “So the attackers are now attacking the applications much more than they’re attacking the real network,” Withers says. “The way you find out what applications to attack is by asking people, ‘What are you running?’ and they’ll very often tell you.”

Finally, employees need to be careful about the type of personal information they provide. Hackers can use employees’ background information to figure out what type of information they use. “For example, they may use their alma mater or their alma mater’s mascot as their password for their network login,” says Withers, “which would then let somebody break into the network and hopscotch across the network until they find something valuable.”

— DY