Data Breaches in Healthcare, by Chuck Easttom ([email protected])

Post on 26-Dec-2015

224 views

Category:

Documents


4 download

TRANSCRIPT

DATA BREACHES IN HEALTHCARE

BY CHUCK EASTTOM

WWW.CHUCKEASTTOM.COM

[email protected]

ABOUT THE SPEAKER

• 18 books (#19 in progress)

• 29 industry certifications

• 2 Master's degrees

• 6 computer patents

• Over 20 years' experience, over 15 years teaching/training

• Worked on EMR/EHR and medical billing software

• Frequent consultant/expert witness

www.chuckeasttom.com

[email protected]

WHAT IS THE SITUATION?

• Verizon's 2015 Data Breach report lists:

  • 234 healthcare incidents

  • 95 with confirmed data loss

• Top four areas for the health care industry (from worst) are:

  • Miscellaneous errors

  • Privilege misuse

  • Lost and stolen assets

  • Web applications

OUR TOPIC TODAY

• The flaws that affect healthcare IT. For each flaw we will discuss the flaw itself, its causes, and its remediation.

• In some cases I will use real-world case studies I have encountered that illustrate serious flaws in healthcare security. With the exception of well-publicized cases, names of organizations involved and any hint as to their identities have been removed due to confidentiality issues.

REAL WORLD CASE STUDY

• Small medical billing company that outsources their IT. Their IT support company is very much entry level.

• Their billing personnel work from home.

• Both billing personnel and their IT support personnel use Remote Desktop to interact with the servers. They do not use a VPN.

• Remote Desktop is very convenient, and highly insecure.

• Also no layered defense. Once you log in via Remote Desktop to one server, you can immediately access all servers.

WHAT DOES THIS MEAN

• Secure connectivity is critical

• Proper use of VPN’s, remote access, and authentication is key.

• Vetting of remote users' equipment.
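The two defects in this case study (Remote Desktop exposed without a VPN, and unrestricted server-to-server Remote Desktop once inside) both leave a trail in the Windows Security log: a successful logon (event 4624) with logon type 10 is a Remote Desktop session. The script below is an added example, not anything from the billing company or its IT provider; it audits a handful of constructed 4624 events against a remote-access policy. The VPN address pool, the server names and addresses, and the one-event-per-line "key=value" format are all assumptions.

```python
"""Audit Remote Desktop logons against a remote-access policy.

Added example (not from the presentation). Assumes constructed log lines
of 'key=value' pairs taken from Windows Security event 4624, where
LogonType 10 (RemoteInteractive) is a Remote Desktop session.
"""
import ipaddress
from dataclasses import dataclass

# Assumption: the company's VPN hands out addresses from this pool, so any
# Remote Desktop session that did not come through the VPN is a finding.
VPN_POOL = ipaddress.ip_network("10.8.0.0/24")

# Assumption: the internal servers. Remote Desktop from one server to another
# is the "once you are on one, you are on all" problem the case study describes.
SERVERS = {"BILL-SQL01": "10.1.0.10", "BILL-APP01": "10.1.0.11"}

RDP_LOGON_TYPE = "10"

# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    "EventID=4624 LogonType=10 TargetUser=jsmith Computer=BILL-APP01 SourceIP=10.8.0.23",
    "EventID=4624 LogonType=10 TargetUser=itsupport Computer=BILL-APP01 SourceIP=203.0.113.45",
    "EventID=4624 LogonType=10 TargetUser=itsupport Computer=BILL-SQL01 SourceIP=10.1.0.11",
    "EventID=4624 LogonType=2 TargetUser=svc_backup Computer=BILL-SQL01 SourceIP=127.0.0.1",
    "EventID=4625 LogonType=10 TargetUser=admin Computer=BILL-APP01 SourceIP=198.51.100.7",
]


@dataclass
class Finding:
    user: str
    computer: str
    source_ip: str
    reason: str


def parse_event(line):
    """Turn 'k=v k=v ...' into a dict."""
    return dict(pair.split("=", 1) for pair in line.split())


def audit_rdp_logons(lines):
    """Return a Finding for every successful Remote Desktop logon that either
    did not arrive through the VPN or originated from another server."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        # Only successful Remote Desktop logons are in scope; failed logons
        # (4625) and console/service logons are a different audit.
        if ev.get("EventID") != "4624" or ev.get("LogonType") != RDP_LOGON_TYPE:
            continue
        src = ipaddress.ip_address(ev["SourceIP"])
        if src in VPN_POOL:
            continue
        if str(src) in SERVERS.values():
            reason = "server-to-server RDP (lateral movement)"
        else:
            reason = "RDP from outside the VPN pool"
        findings.append(Finding(ev["TargetUser"], ev["Computer"], str(src), reason))
    return findings


if __name__ == "__main__":
    for f in audit_rdp_logons(SAMPLE_EVENTS):
        print(f"{f.user}@{f.computer} from {f.source_ip}: {f.reason}")
```

Run as written, the two flagged events are the IT support logon straight from the internet and the hop from the application server to the database server; the billing clerk's session from the VPN pool passes. In production the same check belongs in the SIEM as a scheduled query, and the "server-to-server" branch should be backed by a firewall rule so that it never fires at all.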

REAL WORLD CASE STUDY

• EMR producer

• Very good programming team. Security was only addressed in the most superficial manner:

• Using HTTPS (good!)

• Using user authentication (good!)

• Administration did not include enforcement of password policies (bad!)

• Did not filter user input (bad!)

• Did not store passwords as a hash (very bad!)

• Passwords too short (very bad!!)

• Did not separate user functionality (bad!)

WHAT DOES THIS MEAN

• Secure programming is needed.

• Security in design, development, and testing.

• My own experience is that all too often medical software lags in security.

REAL WORLD CASE STUDY

• Healthcare portal

• The IT team:

  • Reasonably competent programmers

  • Relied heavily on outsourced teams

  • Insistence on using the latest programming design fad, even if not appropriate

  • No discussion of security in design or development meetings

  • No discussion of security as part of testing

  • Thought simply using SSL/TLS was enough

• What did this cause?

  • Poor authentication and authentication errors

  • Vulnerability to common web attacks

  • Unstable platform

WHAT DOES THIS MEAN

• Secure programming is needed.

• Security in design, development, and testing.

• My own experience is that all too often medical software lags in security.

• All of which requires a knowledge of security
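The EMR producer stored passwords in the clear, never enforced a password policy, and passed user input straight through; the portal team assumed TLS alone covered authentication and the common web attacks. TLS protects the bytes in transit and nothing else, so both case studies come down to the same three fixes in application code. The user store below is an added example written for this talk, not code from either product: it hashes passwords with a per-user salt (PBKDF2-HMAC-SHA256), rejects passwords that fail a policy check before they are ever stored, and uses parameterized queries so that a username is always data rather than SQL. The table layout, the policy thresholds and the iteration count are assumptions.

```python
"""Minimal user store that fixes the defects named in the two case studies:
no password policy, plaintext password storage, and unfiltered input.

Added example (not the EMR's or the portal's code). Policy thresholds,
table layout and the PBKDF2 iteration count are assumptions.
"""
import hashlib
import hmac
import secrets
import sqlite3

MIN_PASSWORD_LENGTH = 12       # assumption: the policy minimum
PBKDF2_ITERATIONS = 600_000    # assumption: tune to the deployment's hardware


def check_password_policy(password):
    """Return the list of policy violations; an empty list means acceptable."""
    problems = []
    if len(password) < MIN_PASSWORD_LENGTH:
        problems.append(f"shorter than {MIN_PASSWORD_LENGTH} characters")
    if password.lower() == password or password.upper() == password:
        problems.append("needs mixed case")
    if not any(c.isdigit() for c in password):
        problems.append("needs a digit")
    return problems


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256. Returns (salt, digest) as hex strings."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt.hex(), digest.hex()


class UserStore:
    def __init__(self):
        # In-memory database so the example runs stand-alone.
        self.db = sqlite3.connect(":memory:")
        self.db.execute(
            "CREATE TABLE users (username TEXT PRIMARY KEY, salt TEXT, digest TEXT)"
        )

    def register(self, username, password):
        """Enforce the policy first, then store only salt + hash, never the password."""
        problems = check_password_policy(password)
        if problems:
            raise ValueError("; ".join(problems))
        salt, digest = hash_password(password)
        # Parameterized query: the username is bound as data, so characters
        # that mean something in SQL are stored literally.
        self.db.execute("INSERT INTO users VALUES (?, ?, ?)", (username, salt, digest))

    def login(self, username, password):
        """True only if the stored hash matches; unknown users and bad passwords
        both return False without distinguishing which it was."""
        row = self.db.execute(
            "SELECT salt, digest FROM users WHERE username = ?", (username,)
        ).fetchone()
        if row is None:
            return False
        salt, stored = row
        _, candidate = hash_password(password, bytes.fromhex(salt))
        # Constant-time comparison so timing does not leak how much matched.
        return hmac.compare_digest(candidate, stored)

    def count_users(self):
        return self.db.execute("SELECT COUNT(*) FROM users").fetchone()[0]


if __name__ == "__main__":
    store = UserStore()
    store.register("drjones", "Correct-Horse-42")
    print("good login:", store.login("drjones", "Correct-Horse-42"))
    print("bad login:", store.login("drjones", "wrong-Password-1"))
    print("weak password rejected:", check_password_policy("short"))
```

Two design notes. The database never sees the password, only the salt and digest, so a stolen table yields no credentials without a per-user brute force against the iteration count. And because the lookup is parameterized, a username containing quotes or SQL keywords simply fails to match any row; there is nothing to "filter", which is the point the EMR team missed.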

ANTHEM STORY

• "SAN FRANCISCO - As many as 80 million customers of the nation's second-largest health insurance company, Anthem Inc., have had their account information stolen, the company said in a statement. The hackers gained access to Anthem's computer system and got information including names, birthdays, medical IDs, Social Security numbers, street addresses, e-mail addresses and employment information, including income data"

• USA Today, Feb 2015

The Wall Street Journal reported that the attack appeared to be advanced, using customized tools rather than generic utilities downloaded from the web. Some experts claim China was behind the attack.

An admin discovered the breach when he noticed data queries running with his ID that he did not initiate.

WHAT DOES THIS MEAN TO HEALTHCARE COMPANIES?

• "Premera Blue Cross failed to adequately protect its customers' personal information and notify them of a recent data breach in a timely manner," according to the latest class-action lawsuit filed Thursday against the insurer in federal court in Seattle.

WHAT DOES THIS MEAN

• Obviously flawed auditing

• Poor access controls

• No standard security measures such as least privilege
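The Anthem breach surfaced because one administrator happened to notice queries running under his own ID that he had not started. That is exactly the check that auditing should be making automatically: correlate the database audit log with the interactive sessions the account owner actually had, and flag any statement attributed to an account with no live session from that host at that time. The script below is an added example, not Anthem's or any vendor's tooling; both feeds (session records and audit lines) are constructed, the pipe-delimited audit format is an assumption, and the list of "sensitive" column names is an assumption standing in for a real data classification. It also applies a least-privilege lens by flagging any statement that touches the sensitive columns at all.

```python
"""Flag database activity attributed to an account whose owner was not
logged in, plus any statement that touches sensitive columns.

Added example (not from Anthem or any vendor). Both inputs are constructed:
SESSIONS stands in for AD/VPN logon records and AUDIT_LOG for a database
audit trail in an assumed 'timestamp|account|client host|statement' layout.
"""
import re
from datetime import datetime

FMT = "%Y-%m-%d %H:%M"

# Assumption: column names the data classification marks as sensitive.
SENSITIVE_COLUMNS = {"ssn", "dob", "address", "medical_id"}

# Constructed interactive sessions: (account, host, start, end).
SESSIONS = [
    ("dba_admin", "WS-ADMIN07", "2015-03-02 08:55", "2015-03-02 17:10"),
    ("dba_admin", "WS-ADMIN07", "2015-03-03 08:50", "2015-03-03 17:00"),
]

# Constructed audit lines (not real data).
AUDIT_LOG = """\
2015-03-02 09:12|dba_admin|WS-ADMIN07|SELECT count(*) FROM claims WHERE status='open'
2015-03-02 14:30|dba_admin|WS-ADMIN07|UPDATE providers SET phone=? WHERE id=?
2015-03-02 23:41|dba_admin|SRV-WEB03|SELECT name, ssn, dob FROM members
2015-03-03 02:05|dba_admin|SRV-WEB03|SELECT name, ssn, dob, address FROM members WHERE id > ?
2015-03-03 09:03|dba_admin|WS-ADMIN07|SELECT * FROM jobs WHERE failed=1
"""


def parse_audit(text):
    """Yield (timestamp, account, host, statement) tuples from the audit text."""
    rows = []
    for line in text.splitlines():
        ts, account, host, statement = line.split("|", 3)
        rows.append((datetime.strptime(ts, FMT), account, host, statement))
    return rows


def session_covers(sessions, account, host, ts):
    """True if the account had an interactive session on that host at that time."""
    for user, s_host, start, end in sessions:
        if user != account or s_host != host:
            continue
        if datetime.strptime(start, FMT) <= ts <= datetime.strptime(end, FMT):
            return True
    return False


def sensitive_columns_in(statement):
    """Sorted list of sensitive column names that appear in the statement."""
    tokens = set(re.findall(r"[a-z_]+", statement.lower()))
    return sorted(tokens & SENSITIVE_COLUMNS)


def find_suspicious(sessions, audit_text):
    """Return one finding per audit line that has at least one reason to look at."""
    findings = []
    for ts, account, host, statement in parse_audit(audit_text):
        reasons = []
        if not session_covers(sessions, account, host, ts):
            reasons.append(f"{account} has no interactive session on {host}")
        cols = sensitive_columns_in(statement)
        if cols:
            reasons.append("reads sensitive columns: " + ", ".join(cols))
        if reasons:
            findings.append({"time": ts.strftime(FMT), "host": host, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_suspicious(SESSIONS, AUDIT_LOG):
        print(f["time"], f["host"], "; ".join(f["reasons"]))
```

The two night-time statements from the web server are caught on both counts: the administrator had no session there, and the statements pull the columns that made the Anthem data so valuable. Note the second reason fires regardless of who ran the query; an account that routinely needs to read those columns in bulk is itself a least-privilege finding.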

HEALTHCARE.GOV

• CIO magazine did an analysis and found:

  • Improper implementation of development methodology

  • Inadequate testing

  • No threat modeling

  • One site submitted username and password in plain text

WHAT IS THE ISSUE?

• According to Information Week:

  • More than 41% of healthcare organizations do not use endpoint encryption, even though approximately one-third of employees work remotely at least once a week, according to Forrester Research.

  • Sixty-eight percent of the industry's breaches since 2010 have occurred because files or devices were stolen, the Bitglass 2014 Healthcare Breach Report determined.

  • Hacker attacks increased 600% in the first 10 months of 2014 versus the prior year, Websense Security Labs' Carl Leonard told TechNewsWorld.

COMMON HEALTHCARE IT PROBLEMS

• No emphasis on secure programming

• No emphasis on security testing as opposed to functionality testing

• Poor implementation of security operations

• Employees poorly trained in security

• Security not a priority in software design

• Poor understanding and implementation of cryptography and other security measures

• Poor authentication and auditing

THE SOLUTION

• First and foremost, training

• Emphasis on security throughout design and development

• Solid software engineering, not buzzwords and fads

• Secure programming

• General security measures

• Security audits and penetration tests