Healthcare and Security: A Hacker’s Perspective

Monday, December 27, 2010

Renee Chronister


WikiLeaks. WikiLeaks. Everywhere I turn I hear about WikiLeaks followed by “What does that mean for healthcare?”

Well…it means absolutely nothing for healthcare. I know you’re scratching your head right now going “huh?”

Here’s why: healthcare has already outpaced other verticals when it comes to data security breaches, including government, by as much as threefold in 2010 alone according to a recent report issued by Identity Theft Resource Center. So to put it bluntly, healthcare is the winner when it comes to security breaches.

Here’s another heart-stopper. The latest Ponemon Institute study reveals 60% of healthcare providers had more than 2 security breaches in the last year with the average breach costing them $2 million. Whoa! It then goes on to state that 70% of hospitals say protecting patient data is not a priority. Biting my tongue! See previous paragraph.

Healthcare providers in the Ponemon study also say they lack resources, trained personnel, policies and procedures to safeguard patient records. 58% claim they have little or no confidence in their ability to protect records in their possession. Forget WikiLeaks, as a hacker, this is music to my ears.

So what this really means for healthcare is that something has got to change. Specifically, the mindset that data security is not a priority and that all I have to be is HIPAA compliant to be secure.

Well, I hate to be the bearer of bad news but I can’t tell you how many times I’ve hacked HIPAA compliant healthcare providers but I guess telling your patients, personnel and anyone else affected by the data breach that “I was HIPAA compliant” is better than “Data security isn’t a priority” but I’m guessing that will still go over like a lead balloon.

So the real question here should be: How am I going to improve data security? The answer (and read carefully): SECURITY. Did you get it? When it comes to improving data security, U R IT.

From an ethical hacker’s perspective (thought it was time to add “ethical” so you could breathe a little easier), security is two-fold – Internal and External. So let’s start with some internal security measures.

Background Checks for Employment

Knowing who you are hiring can help mitigate security risks. Organizations need to ensure they work better to screen those who will be handling sensitive data.

Case & Point: University of Texas Medical Branch

Using a stolen identity to gain employment at UTMD’s medical biller, MedAssets, Katina Rochelle Candrick helped herself to up to 2,400 UTMD patient records.

Access & Permissions

Unless an employee needs access to sensitive data to successfully complete their job function, they shouldn’t have access. Levels of access controls need to be implemented. Meaning, a receptionist/front desk person should have not have the same access permissions to patient data or any other sensitive data that a doctor would have access to.

Case & Point: Community Hospital of San Bernardino

Community Hospital of San Bernardino, failed to prevent unauthorized access of 204 patients’ medical information by one employee. The same hospital also failed to prevent unauthorized access of three patients’ medical information by one employee in a separate incident.

Physical Security

Physical Security is just as important as electronic security. You need a gate keeper. In fact, all employees at your healthcare organization need to be gate keepers. Don’t let just anyone wander into the office; question why they are there; do not leave laptops or any other mobile device for that matter unattended so that they grow legs; and create and put into place physical security measures to protect your fort.

Case & Point: AvMed Health Plan

More than 200,000 AvMed Health Plan subscribers’ sensitive personal information fell into the wrong hands after a pair of laptops were stolen from a conference room at the company’s corporate headquarters. The laptops contained current and former subscribers’ names, addresses, Social Security numbers and health information.

Creating & Enforcing Policies & Procedures

Creating security policies and procedures is necessary and all employees need to be made aware of what these policies and procedures are. Once that happens, it is essential to ensure these policies and procedures are adhered to, otherwise it’s a waste of time and paper if they are not enforced.

Case & Point: Cardinal Health

The buyer of a laptop sold on eBay contacted Cardinal Health to tell them the used laptop that he/she purchased online contained company information. According to Cardinal Health’s policies, data on decommissioned computers are to be securely deleted by their IT department and then securely destroyed by a vendor. Rather, an employee in their IT department said he had not properly destroyed the data nor did he send it to a third-party to destroy and, in fact, had sold it on eBay.

End-User Security Awareness Training

Common sense isn’t so common anymore. Training employees on what sensitive data is and what it isn’t is a start but training them on what can and can’t leave the premise and when it can, how it can, is another story.

Case & Point: Keystone Mercy Health Plan & AmeriHealth Mercy Health Plan

A flash drive was taken to a community health fair by an employee of the two affiliated Philadelphia companies, Keystone Mercy Health Plan and AmeriHealth Mercy Health Plan which then turns up missing. On this flash drive – 280,000 Medicaid recipients’ information including names, addresses, personal health information and even social security numbers.

IT Staff Security Training:

Sorry to burst everyone’s bubble but IT doesn’t know everything. If they did, these back-up tapes and disks would never have left the premise let alone been left unattended in the IT guy’s car. Proper IT staff security training is essential to better lock down networks, wireless, mobile devices and more. These people can help or harm your data security just as the typical end-user can.

Case & Point: Providence Home Services, a Division of Providence Health System

An IT employee was fired in connection with the theft of backup computer tapes and disks containing personal information and medical records on about 365,000 hospice and home health care patients. A Providence Home Services IT department worker took backup tapes and disks home as part of the home health care division’s backup protocol. The disks and tapes were stolen after they were left in the employee’s car overnight. The information on the disks and tapes included names, addresses, dates of birth, physicians’ names, insurance data, diagnoses, prescriptions, lab results, social security numbers and patient financial information.

Vendor Due Diligence

Just because a vendor can do something doesn’t mean they should. Again, knowing who you do business with is important because even though you are using a third-party, they do not assume complete liability for a security breach. You do. (U R IT)

Case & Point: South Shore Hospital & Archive Data Solutions

800,000 records containing sensitive, personal health and financial information were compromised when South Shore’s data management company, Archive Data Solutions, lost backup tapes containing copies of the hospital’s most sensitive databases created between 2006 and early 2010. On these tapes were: names, addresses, phone numbers, birth dates, social security numbers, patient health information and bank account data.

Destruction of Medical Records

Anyone heard of shredding? How about HIPAA compliance? When you are dealing with sensitive data proper disposal of data files – electronic or paper – has to occur. You are ultimately responsible for that data.

Case & Point: Avalon Center

An Erie County worker tossing garbage into a dumpster discovers odd boxes filled with files containing Avalon patient medical records. Files included full names, addresses, social security numbers and diagnosis information left in the trash for anyone to access.

Are you sick to your stomach yet? How about we look at some external security controls?

Penetration Testing

Knowing your weaknesses and remediating them is better when discovered before a hack instead of after. Even your best IT people can leave a hole in network security on a bad day and/or because they are fighting the functionality vs. security battle. Regardless, identifying your weaknesses by emulating a real-world hack with a penetration test and fixing them before disaster strikes is better than becoming the next media headline.

Case & Point: Express Scripts

Express Scripts disclosed unauthorized persons gained access to personal and medical information of 50 million people. Express Scripts received an anonymous letter containing names of 75 or so clients showing their birth dates, social security numbers and prescriptions. These extortionists threatened to disclose personal and prescription information if the company failed to meet payment demands.

Website Security Assessment

Remember, your website is like a billboard in cyber space advertising “Look at me. Look at me.” When the visitor wants to take it step farther, make sure it’s locked down. A simple website security assessment can show you the vulnerabilities that hackers take advantage of to deface your site, access to your network and so on.

Case & Point: Virginia Health Professionals

Hackers broke into a Virginia state website used by pharmacists to track prescription drug abuse and deleted the records of 8+ million patients plus 35,548,087 prescriptions. They then defaced the site’s homepage with a ransom note demanding $10 million for the return of the records.

Social Engineering

Social Engineering is where you hack the people. By manipulating the target, you gain admission to the sensitive data you wish to access. This is excellent if you want to see if your policies and procedures are in place and where human error can play a part in a security breach. This can be done onsite or remotely and really is telling of how easy it is to be the victim of a security breach. Here, hackers were able to manipulate an email request from those legitimately working on a computer security upgrade on UCSF systems.

Case & Point: UCSF Doctor

A faculty doc at UC San Francisco fell for an email phishing scam, opening up access to personal information on some 600 patients and others to hackers. The physician replied to a scam email seeking user name and password information. The request was named to look like it had come from UCSF workers who were involved with upgrading security on UCSF’s computer system.

While this is only the tip of the iceberg when it comes to information security measures, I hope that when it comes to security one thing is clear: SECURITY.

Cross-posted from The Hacker Diaries

Possibly Related Articles:
breaches HIPAA Privacy HITECH Healthcare Poneman
Post Rating I Like this!
P Portmanteau Let me get this out of the way first: the phrase Ms. Chronister is looking for is "case IN point." In other words, a case in which the point at issue is demonstrated.

Secondly, this article is a hodgepodge of scary stories written in a lurid style that, in the end, fails to prove anything.

The reason healthcare breaches get so much press is not because they are so much more common in healthcare than in other sectors: it's because reporting is required. If you put the information on a great big wall of shame at HHS, of COURSE it's going to make headlines.

At bottom, the author's recommendations are nothing but typical infosec pabulum and don't even adhere to a risk-based approach. It's more like a menu from a Chinese restaurant. "Pick five from column A."

In point of fact, healthcare is a complex, fragmented, heterogeneous sector. No one approach (especially one this simple-minded) is appropriate for all situations. One thing we who are actually employed as professionals in this realm know for certain: no solo practice doctor is ever going to train to become an expert on IT security. We expect them to turn to real experts.

I sincerely hope this author is not someone that they turn to because she has only the most superficial knowledge of what she is speaking about.
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.