5 Ways Technology Vendors Put Their Healthcare Customers' PHI at Risk

Chris Bowen, MBA, CISSP, CIPP/US, CIPT, Founder, Chief Privacy & Security Officer

Post on 22-May-2020

TRANSCRIPT

Page 1

Chris Bowen, MBA, CISSP, CIPP/US, CIPT
Founder, Chief Privacy & Security Officer

AVOIDING THE BREACH
5 Common Ways Technology Vendors Put Their Healthcare Customer's PHI at Risk

Page 2

PROPRIETARY & CONFIDENTIAL

The majority of breaches occur as the result of third parties.

http://searchsecurity.techtarget.com/feature/Third-party-risk-management-Horror-stories-You-are-not-alone

Page 3

Attacks Increasing

• 42% of serious data breaches in 2014 were in the healthcare sector
  – 34% in the first half of 2015
• Business associates were the culpable party for 118 out of the 458 breaches (OCR Report to Congress)
• Protected health information (PHI) is worth roughly 50 times more than credit card or Social Security numbers
• The most profitable type of fraud stemming from identity theft is now Medicare fraud
  – Particularly attractive targets because of payment data and detailed patient records used to collect reimbursements
• One in 10 Americans has been affected by a large health data breach

Page 4

What's in the presentation for me?

• You're trying to service your customers, including protecting their data
• Bad guys want to steal your customers' data
• Regulators want to punish you if bad guys steal your customers' data
• So do lawyers…

Key Learnings

• Understand five commonly overlooked mistakes vendors make
• View examples of what happens as a result

Pages 5-7

Objective: Breach Ramifications (infographic slides)

Source: https://cybersponse.com/data-breaches-by-the-numbers

Page 8

Objective: Breach Ramifications

Recent Breaches

Organization    Records Breached
Anthem          80,000,000
Premera         11,000,000
CHS              4,500,000
UCLA Health      4,500,000
Carefirst        1,100,000

Source: http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/

Page 9

The Aftermath

• Identity Theft
• Espionage
• Future Attacks
• Money Spent
• Reputations Lost

Page 10

Breaches by Business Associates

1. January 2014 - Blue Cross Blue Shield of New Jersey. Loss of data affecting 839,711 individuals. A laptop was stolen; there was no encryption.
2. January 2014 - Triple-C, Inc. Theft of data affecting 398,000 individuals. A network server was stolen; there was no encryption.
3. May 2014 - Sutherland Healthcare Solutions, Inc. Thieves stole eight computers from Sutherland's Torrance, Calif. office. They got away with the medical records of 342,197 individuals. There was no encryption.
4. August 2014 - Community Health Pro-Services Corporation. Unauthorized access. In a legal dispute with Texas HHS, Xerox removed patient records from servers and hard drives and permitted other parties to view the records of 2,000,000 individuals.
5. December 2014 - Senior Health Partners. Theft of 2,700 records after a laptop and mobile phone belonging to a registered nurse employed by its business associate were reported stolen.

Page 11

Defense in Depth in IT

Defense in depth uses multiple layers of defense to address technical, personnel and operational issues.

Layers (innermost to outermost): Data; Devices; Servers; Applications; Network; Physical; Policies, Procedures, Awareness

Controls shown on the diagram: Hardware Router / Firewall; OS/Software Firewall; Antivirus / Anti-malware; Security Patches; User Access Controls

An attack has to cross every layer before it reaches the data.

Page 12

Healthcare is Depending on YOU!

Healthcare IT is depending on you to keep systems secure, private, available, and untouched by the unauthorized. This includes data exchange, VoIP phones, enterprise wireless, mobile EMR, billing, PACS, patient portal, registration, prescribing, lab integrations, X-ray equipment, monitoring equipment, physician communications and scheduling, online bill-pay, patient scheduling, medical devices, mobile computing, internal communications, etc. etc. etc….

Page 13

Mistake #1: Failure to Assess Risk
Defense Layer: All

• 33% of businesses have not commissioned a risk assessment (1)
• Risk assessment has been required since adoption of the HIPAA Security Rule
• Requirement not taken seriously
• HITECH – 2009 – added fines
• Skipping an SRA is not reasonable – OCR
• This applies to the Business Associate too!

(1) 2014 State of Risk Report. (2015, January). Trustwave, 4-4.

Page 14

Security Risk Assessment
Defense Layer: All

1. Inventory
   • Inventory ePHI
   • Inventory critical apps
   • Inventory what comprises the system

2. Review Safeguards
   • Identify safeguards in place
   • Administrative
   • Policies & Procedures
   • Technical
   • Access Controls
   • Technical Controls
   • Physical

3. Analysis
   • Threats
   • Vulnerabilities
   • Risks
   • Evaluate Policies & Procedures
   • Effective, Operational, Applicable

4. Deliverables
   • Data Inventory
   • Application Criticality Analysis
   • Threat Matrix
   • Risk Matrix
   • Remediation Roadmap

Page 15

Mistake #1: Failure to Assess Risk
Defense Layer: All

Failure to conduct an SRA can result in:

• OCR enforcement including civil monetary penalties and resolution agreements
• Increased risk of suffering data breaches
• CMS enforcement to recoup EHR incentive payments
• OIG enforcement under the False Claims Act
  – Liability of up to 3 times the EHR incentive payment
  – Exclusion from federally funded healthcare programs

Page 16

Mistake #2: Unaware of System Activity

• Not knowing what’s going on in or around your network and systems

• Ineffective System Activity Reviews

Defense Layer: Network, Server, App, Data

Page 17

Mistake #2: Unaware of System Activity
Defense Layer: Network, Server, App, Data

• 80,000,000 records stolen via hack
• Traced to April 2014
• Attackers created a bogus domain name, "we11point.com", to mimic the legitimate domain wellpoint.com
• Used malware to mimic Citrix VPN software
• Harvested user credentials
• Became aware in December 2014
• That's 9 months of covert activity inside the network!

Page 18

Mistake #2: Unaware of System Activity

Organizations are not able to detect a breach in a timely manner. When was the breach discovered? (chart)

Source: 2014: A Year of Mega Breaches. (2015, January 15). Ponemon Institute© Research Report, 10-10.

Defense Layer: Network, Server, App, Data

Page 19

Mistake #2: Unaware of System Activity
Defense Layer: Network, Server, App, Data

Ineffective use of Security Information & Event Management Systems (SIEM)

SIEM functions:
• Asset Discovery
• Vulnerability Assessment
• Threat Detection
• Event Collection
• Correlation
• Event Management
• Log Storage

SIEM: the #1 technology investment made in response to mega breaches!

Source: 2014: A Year of Mega Breaches. (2015, January 15). Ponemon Institute© Research Report, 3-3.
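The Anthem timeline on Page 17 (a look-alike domain, "we11point.com", used for nine months to harvest credentials) and the SIEM functions on Page 19 (event collection, threat detection, correlation) come together in a small detection rule. The following is an added example, not code from the presentation or from any SIEM product: it parses constructed proxy log lines, folds common look-alike character substitutions back to the letters they imitate, flags destinations that only become one of the organization's domains after that folding, and then correlates the hits by the domain being imitated. The log format, the homoglyph table, the user threshold and the sample lines are all assumptions made for the example; the one legitimate domain is the one the slide names.

```python
import re

# The legitimate domain named on the slide; a vendor would load its own list here.
LEGIT_DOMAINS = {"wellpoint.com"}

# Constructed substitution table: character sequences that look like letters in
# many fonts, mapped to the letter they imitate. Tune this for your own domains;
# aggressive entries such as "rn" -> "m" can collide with genuine names.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("1", "l"), ("0", "o"), ("3", "e"), ("5", "s")]

# Constructed proxy log format: "<timestamp> user=<id> src=<ip> dst=<host> action=<verdict>"
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) action=(?P<action>\S+)$"
)

# Constructed sample log lines: the first is a genuine subdomain, the last is malformed.
SAMPLE_LOG = """\
2014-04-12T08:15:02Z user=jdoe src=10.1.2.3 dst=vpn.wellpoint.com action=ALLOW
2014-04-12T08:16:40Z user=jdoe src=10.1.2.3 dst=vpn.we11point.com action=ALLOW
2014-04-12T08:17:05Z user=asmith src=10.1.2.9 dst=we11point.com action=ALLOW
2014-04-12T08:20:11Z user=asmith src=10.1.2.9 dst=www.example.org action=ALLOW
2014-04-12T08:21:33Z user=bwong src=10.1.2.7 dst=login.wellp0int.com action=ALLOW
this line is not in the expected format and is skipped
"""


def normalize(domain: str) -> str:
    """Fold look-alike character sequences back to the letters they imitate."""
    d = domain.lower()
    for fake, real in HOMOGLYPHS:
        d = d.replace(fake, real)
    return d


def impersonated_domain(domain: str, legit=LEGIT_DOMAINS):
    """Return the legitimate domain that `domain` imitates, or None.

    Genuine domains and their subdomains are never flagged; only a name that
    becomes one of ours *after* homoglyph folding counts as a look-alike.
    """
    d = domain.lower()
    if d in legit or any(d.endswith("." + good) for good in legit):
        return None
    folded = normalize(d)
    for good in legit:
        if folded == good or folded.endswith("." + good):
            return good
    return None


def parse(line: str):
    """Parse one log line into a dict, or return None for lines we do not understand."""
    m = LOG_LINE.match(line.strip())
    return m.groupdict() if m else None


def find_lookalike_events(lines):
    """Event collection + threat detection: keep only events that reached a look-alike host."""
    events = []
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        target = impersonated_domain(ev["dst"])
        if target is not None:
            ev["impersonates"] = target
            events.append(ev)
    return events


def correlate(events, user_threshold: int = 2):
    """Correlation: group detections by the domain being imitated.

    Several distinct users reaching hosts that imitate the same domain is the
    pattern of a credential-harvesting campaign, so it is rated higher than a
    single user's one-off visit. Events are assumed to arrive in time order.
    """
    groups = {}
    for ev in events:
        g = groups.setdefault(
            ev["impersonates"], {"users": set(), "domains": set(), "first_seen": ev["ts"]}
        )
        g["users"].add(ev["user"])
        g["domains"].add(ev["dst"])
    alerts = []
    for target, g in sorted(groups.items()):
        alerts.append({
            "impersonates": target,
            "domains": sorted(g["domains"]),
            "users": sorted(g["users"]),
            "first_seen": g["first_seen"],
            "severity": "high" if len(g["users"]) >= user_threshold else "medium",
        })
    return alerts


if __name__ == "__main__":
    for alert in correlate(find_lookalike_events(SAMPLE_LOG.splitlines())):
        print(alert)
```

Run stand-alone, the block reports one high-severity alert: three distinct users reached three different hosts imitating wellpoint.com, with the first hit time-stamped so a reviewer can see how long the activity has been going on. The genuine vpn.wellpoint.com visit and the unrelated example.org visit are not reported. The same rule can be fed from DNS or firewall logs once the parser is adjusted to that format.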

Page 20

Mistake #3: Patching Fail
Defense Layer: Network, Server, App

Failure to keep up to date on patching and firmware

Page 21

Mistake #3: Patching Fail

• This is a Covered Entity AND a Business Associate
• Failed to patch their systems
• Continued to run outdated, unsupported software
• Led to a malware data breach affecting 2,743 individuals
• ACMHS reported the breach to HHS back in March 2012
• Fined $150,000
• Lesson learned: security-related patches should be applied as soon as possible

Defense Layer: Network, Server, App

Page 22

Mistake #3: Patching Fail (More Context)
Defense Layer: Network, Server, App

• ACMHS was negligent, but the fine was issued on the heels of a year of patching woes for most Microsoft customers.
• Patching policies delayed for critical updates
  – Microsoft had trouble delivering an error-free month

Balancing Act
• Deal with the fallout of a botched patch?
• Or wait to patch?

Document decisions. But don't be negligent.

Page 23

Mistake #4: Training on the Right Stuff
Defense Layer: All

Failure to Train Your Users

Page 24

Mistake #4: Training on the Right Stuff
Defense Layer: All

• Security flaw in the vendor database
• Vendor exposed 7,000 records to the web
• General Security Awareness Training is a HIPAA requirement
• But what about training for secure development practices?
• What about training on a Software Development Lifecycle (SDLC)?

Page 25

Mistake #4: Training on the Right Stuff
Defense Layer: All

Open Web Application Security Project (OWASP)
• www.owasp.org
• Open group focused on understanding and improving the security of web applications and web services

Top Ten Project
• Goal is to raise awareness

If you create web-enabled apps, make this part of your training!

Web and App Server Misconfiguration

Remote Administration Flaws

Insecure Use of Cryptography

Error Handling Problems

Command Injection Flaws

Buffer Overflows

Cross-Site Scripting Flaws (XSS)

Broken Account & Session Management

Broken Access Control

Un-validated Parameters

Page 26

Mistake #5: Failure to Manage Changes
Defense Layer: All

• Change Control: the process of managing change to an organization's environment and assessing the potential impact on business

HAVE CHANGE CONTROL COVERING INFORMATION TECHNOLOGY ASSETS AND BUSINESS PROCESSES (1)
  Fully: 54%
  Partially: 39%
  Not at all: 7%

(1) 2014 State of Risk Report. (2015, January). Trustwave, 13-13.

Page 27

Mistake #5: Failure to Manage Changes
Defense Layer: All

• Average cost of downtime is around the $8,000 per minute mark (1)
• 80% of unplanned outages are due to ill-planned changes made by operations staff or developers (2)
• 60% of availability and performance errors are the result of misconfigurations (3)
• Through 2015, 80% of outages impacting mission-critical services will be caused by people and process issues (4)
  – more than 50% of those outages will be caused by change/configuration/release integration and hand-off issues

(1) www.datacenterknowledge.com/.../study-cost-data-center-downtime-rising/
(2) IT Process Institute's Visible Ops Handbook
(3) Enterprise Management Association
(4) Ronni J. Colville and George Spafford, Configuration Management for Virtual and Cloud Infrastructures

Page 28

Mistake #5: Failure to Manage Changes
Defense Layer: All

Outage Causes (chart: shares of 23%, 22%, 20%, 18% and 17% across the categories Hardware Failure, Upgrades & Migration, Power Outages, Application Error and Human Error)

Source: http://www.channelinsider.com/storage/slideshows/helping-combat-downtime-on-premise-and-in-the-cloud.html

Page 29

Mistake #5: Failure to Manage Changes
Defense Layer: All

Starting ITIL in 4 Practical Steps:

• Reduce access to systems that can be changed
  – Assign a limited group with access as the only entity that can make changes
• Inventory information assets and detailed information about equipment, backups, etc. (build a RACI)
• Create a repeatable build library
• Continual improvement

Google: Amazon.com + Visible Ops

Page 30

Bonus Mistake: Failure to Remediate
Defense Layer: All

• Identifying the list of items to fix is just the beginning
• You actually have to fix them before the bad guys exploit them

Risk Analysis helps identify and prioritize issues.

High Priority Examples:
• Risk Analysis (#1) §164.308(a)(1)(ii)(A)
• Information System Activity Review §164.308(a)(1)(ii)(D)
• Security Awareness and Training Program (#11) §164.308(a)(5)(i)
• Encryption and Decryption (#42) §164.312(a)(2)(iv)
• Data Backup Plan §164.308(a)(7)(ii)(A)
• Audit Controls (#43) §164.312(b)
• Policy and Procedures (#48) §164.316(a)
• More…

Remediation target: ASAP, <30 days

Page 31

Bonus Mistake: Failure to Remediate

Organizations are not able to resolve breaches quickly. When was the breach resolved? (chart)

Source: 2014: A Year of Mega Breaches. (2015, January 15). Ponemon Institute© Research Report, 11-11.

Defense Layer: All

Page 32

Five Common Mistakes & Consequences
Defense Layer: All

#  Mistake                                Consequence
1  Failure to Conduct a Risk Assessment   Unaware of Vulnerabilities
2  Ineffective Activity Reviews           Hackers Inside for Months
3  Lack of Timely Patches                 Vulnerable Systems, Data Breaches
4  Lack of Proper Training                Flawed Systems Promoted to Production
5  No Formal Change Management            Downtime, Break Systems, Failure to Communicate

Page 33

MODERNIZE THE INFRASTRUCTURE • SECURE PATIENT DATA • IMPROVE DATA INTEROPERABILITY

John Perales
National Channel Sales Director

512.993.5899 [email protected]