Health Care Information Security: Threat & Vulnerability Landscape
HIPAA Summit Greg Porter
Allegheny Digital 03/10/2011
ALLEGHENY DIGITAL © 2011, ALL RIGHTS RESERVED
Agenda
• Introduction
• Health Care Threat Landscape
• Common Technical Vulnerabilities
• Defensive Considerations
• Conclusion
Introduction
• Greg Porter
• Information Security Consultant, ~10 years
• Primarily “Big 4” consulting
– Health Care Security Governance & Regulatory Compliance
– Vulnerability Assessments
– Penetration Testing
– Incident Handling
• Visiting Scientist, SEI-CERT
• Adjunct Faculty, Heinz College – Carnegie Mellon University
• Founder, Allegheny Digital
This Presentation
• Based on roughly 8 years of technical and non-technical health care security assessment observations
• Experience with the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH)
• Trying to get a feel for health care security trends, as well as general infosec developments, that I’ve observed during this time
• Intent is to simply provide an overview and perhaps provide some important considerations for organizations, health care based and otherwise
Current State
• Where are we today?
– 15 years after the passage of HIPAA
– Nearly 6 years since Covered Entities had to be compliant with the HIPAA Security Rule
• The HITECH Act and Business Associate compliance demands
– 18 months since the breach notification requirements (IFR)
• Meaningful use & electronic health records (EHR)
• > 1 Million Covered Entities and Business Associates
• Yet…we continue to see health care organizations struggle with the governance and security of electronic protected health information (ePHI)
Malware Proliferation
• By all indications, the proliferation of malware isn’t slowing
• 2010 was the biggest year ever for total malware production
• At least 20 million new pieces of malware observed in 2010 alone
• 55,000 new instances of malware per day¹
• There is now more malicious code being created today, worldwide, than there is legitimate software²
1. Source: McAfee
2. Source: Symantec
The Unbounded Enterprise
• Data Anywhere ≠ Data Everywhere
• More endpoints and more mobile devices add to the challenge of protecting health information
– A general lack of security awareness among mobile users
– Limited offerings and maturity of mobile safeguards, widespread non-secure apps
Attack the Apps
• Third party applications under assault
• Many still perceive the Microsoft OS and other Microsoft products to be the primary attack vector
• A typical end-user PC with 50 programs installed (26 Microsoft, 24 third-party) had 3.5 times more vulnerabilities in the third-party programs than in the Microsoft programs¹
• Client side attacks
– Visibility: provides the attacker with a foothold to exploit other internal systems
• Despite other security measures (e.g. A/V, OS patching), end users incur the risk of being compromised by cybercriminals via application exploitation
1. Source: Aberdeen Group Research
Malware Delivery: Client Side Exploitation – An Example
• Adobe PDF (Portable Document Format)
• Making substantial progress with Reader X and Flash sandboxing
• Yet malicious PDFs continue to proliferate, targeting older, widely deployed versions of Adobe
• It’s an ISO Standard: ISO 32000-1, Document management – Portable document format – Part 1: PDF 1.7
– Highly useful, highly exploitable software
– Offers a well leveraged vehicle for client side attacks and, inevitably, for compromising health care targets
– Why? We can all embed music, movies, 3D artwork complete with JavaScript, and submit-form actions (submit the data you input directly to a server somewhere on the Internet)
– Executable files!
Anti-Virus Isn’t Enough
• This doesn’t mean that you do away with A/V
• Highly utilized and proven…but relies on a known signature in the A/V database
• Free, high quality software such as the Metasploit framework provides a platform for developing malicious PDFs
– Attackers create new signatures by encoding their malicious code to scramble the executable and evade detection
• The executable file can then be uploaded – for free – to a site such as VirusTotal to validate detection…or not
• The goal is to ensure the malicious payload evades detection in your environment
So Easy a Caveman Can Do It?
• Malware kits available
– Prices range from $40 to several thousand dollars¹
• Can encrypt malware so that signature detection systems and static analysis processes are rendered ineffective
– Add anti-debugging features to thwart discovery by security professionals and automated sandbox analysis technologies
• Adaptable business practices
– Based on feature demand and support desired
– Maintenance & installation offered
• Malware is passed through multiple A/V
1. Source: Symantec
2. Images provided by Secunia
Social Engineering
• The act of manipulating a person to take an action that may or may not be in the “target’s” best interest¹
• Excellent resource: www.social-engineer.org
• Commonly used attack vector…only growing in terms of its sophistication, adoption, and ease of use
• Enter the Social Engineering Toolkit (SET)
– Hack-by-numbers software developed by Dave Kennedy – www.secmaniac.com
– Available in BackTrack 4
• Enables the crafting of PDFs and the ability to send e-mails with embedded malicious code
– Spear phishing and much more
• Also contains an “infectious media generator” to develop malicious USBs, DVDs, and CDs
1. Hadnagy, Christopher, “Social Engineering: The Art of Human Hacking”, 2010
SET Example
[Screenshots: Select Attack; Malicious PDF Payload Created; Reverse Shell Obtained Against Target]
Malware – Client Side Delivery
• Malicious PDF files under the guise of H1N1
– When the PDF is opened, it exploits Adobe Reader, drops a backdoor, and shows a file referring to H1N1 flu
– The exploit drops a malicious file called "AcrRd32.exe" into the computer's temp folder
– The malicious file connects to three IP addresses in order to "call home". These addresses were in Texas (207.200.45.12), Budapest (89.223.181.93) and Hyderabad (202.53.69.130)
• Anybody who controls those IPs will gain access to the infected computer and the company network
– It’s reasonable to believe that similar attacks are occurring daily against health care entities
– Adobe X: sandboxing in protected mode by default
– Disable JavaScript
• Edit -> Preferences -> Uncheck “Enable Acrobat JavaScript”
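The features named on the PDF slides (JavaScript, open actions, program launch, form submission, embedded files) can be triaged statically before a document reaches a user's Reader. The following is an added example, not code from the deck: a standard-library scanner that also inflates Flate-compressed streams, since the tell-tale names often sit inside compressed object streams; the sample PDF is constructed and harmless.

```python
"""Static triage of a PDF for the features the slides name as attack vehicles:
JavaScript, auto-run actions, program launch, form submission and embedded
files. Added example, not from the original deck; standard library only."""
import re
import zlib

# PDF name objects worth a second look before a file reaches a user's Reader.
RISKY_NAMES = {
    b"/JavaScript": "embedded JavaScript",
    b"/JS": "JavaScript action",
    b"/OpenAction": "action fires when the document is opened",
    b"/AA": "additional (automatic) actions",
    b"/Launch": "launches an external program",
    b"/SubmitForm": "submits form data to a remote server",
    b"/EmbeddedFile": "carries an embedded file",
    b"/RichMedia": "rich media (Flash/3D) content",
}
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)


def inflate_streams(data: bytes) -> bytes:
    """Append the inflated body of every Flate-compressed stream so that names
    tucked inside object streams are scanned too."""
    extra = []
    for m in STREAM_RE.finditer(data):
        try:
            extra.append(zlib.decompress(m.group(1)))
        except zlib.error:
            pass  # not Flate data or malformed; the raw bytes are still scanned
    return data + b"\n" + b"\n".join(extra)


def triage_pdf(data: bytes, inflate: bool = True) -> dict:
    """Count risky name tokens and return the hits plus a simple verdict."""
    body = inflate_streams(data) if inflate else data
    hits = {}
    for name, why in RISKY_NAMES.items():
        # A name token ends at whitespace or a delimiter, so /JS never matches /JSX.
        count = len(re.findall(re.escape(name) + rb"(?=[\s/<>\[\]()])", body))
        if count:
            hits[name.decode()] = (count, why)
    auto_js = "/OpenAction" in hits and ("/JavaScript" in hits or "/JS" in hits)
    return {"hits": hits, "auto_js": auto_js, "suspicious": bool(hits)}


def sample_pdf() -> bytes:
    """Constructed, harmless PDF (the script only calls app.alert). Its action
    dictionary sits inside a Flate-compressed object stream, so a plain grep
    of the file sees only /OpenAction."""
    packed = zlib.compress(b"3 0 << /S /JavaScript /JS (app.alert('demo')) >>")
    header = b"5 0 obj << /Type /ObjStm /N 1 /First 4 /Length " + str(len(packed)).encode()
    return (
        b"%PDF-1.7\n"
        b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
        b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
        + header + b" /Filter /FlateDecode >>\nstream\n" + packed
        + b"\nendstream\nendobj\ntrailer << /Root 1 0 R >>\n%%EOF\n"
    )
```

Run `triage_pdf(sample_pdf(), inflate=False)` and then with the default to see why scanning only the raw bytes misses the auto-run JavaScript.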
Health Care Data For Sale
• A cybercriminal seeking data that will enable him to file false medical claims¹
• A post in the underground seeking buyers for the medical records of over 6,500 patients¹
1. Source: RSA
Motivation
• Organized crime
– While a hacker might get $1 - $5 for a stolen credit card number, a stolen medical identity could fetch a premium of $14 to $18
• Medical identity theft
– Patient pretends to be someone else so they won't have to pay for their own medical bills (e.g. treatment, prescriptions, surgery)
– Use the data to order prescriptions at multiple pharmacies and then attempt to resell the medicine online
– Organized thieves working as receptionists, janitors, and accountants within the health care field itself
• Insider Threat (http://www.cert.org/insider_threat/)
• Health care entities have valuable assets
– Like electronic medical records on most of us
– Highly available networks
– Information rich environments: not just ePHI and PII, but also financial data, R&D information, academic studies
– Equipment (e.g. laptops, PDAs, mobile phones, robots)
Health Care Targeting
• Hacker attacks targeting healthcare organizations doubled in the 4th quarter of 2009
– SecureWorks data
• Attempted attacks increased from an average of 6,500 per healthcare client per day in the first nine months of 2009 to an average of 13,400 per client per day in the last three months of 2009
• Attempted attacks against other types of organizations protected by SecureWorks did not increase in the fourth quarter
• Possible correlation?
Insider Threat
• Who is the malicious insider?
• A current or former employee, contractor, or other business partner who:
– has or had authorized access to an organization’s network, system or data
– and intentionally exceeded or misused that access in a manner that
– negatively affected the confidentiality, integrity, or availability of the organization’s information or information systems
• Walking among us?
• A security guard at a U.S. hospital, after submitting resignation notice, obtained physical access to computer rooms
– Installed malicious code on hospital computers controlling the organization’s HVAC systems, accessed patient medical records
• For additional information: http://www.cert.org/insider_threat/
Impact
• Breach of ePHI
– Damage to reputation
– Regulatory consequences and financial penalties
– Jail time, criminal penalties for willful neglect
• Loss of human life?
• While many concerns focus on a data breach, some vulnerabilities can be more severe
– Pacemakers and implantable cardiac defibrillators susceptible to RF manipulation and attack¹
– Consider the implications of the previously mentioned DDoS attack and the availability of WiFi equipped IV infusion pumps, “smart pumps”
– Wireless networks are playing an increasingly important role in patient care, yet few CEs have evaluated the impact of a DoS attack against such deployments
1. Feder, Barnaby, “A Heart Device Is Found Vulnerable to Hacker Attacks”, New York Times, March 2008, http://www.futurecrimes.com/biological-human-genome-crime/hacking-the-human-heart-medical-devices-found-subject-to-technical-attack/
IPv6
• IPv4 address space has been exhausted
• IPv6 is the successor to IPv4
• The IPv6 protocol is enabled by default in many operating systems, namely the majority of modern Windows systems, Mac OS X, Linux and Solaris
• Running “dual stack” network services…unknowingly?
• Security devices such as firewalls or IDSs, or network management tools, may not be capable of, or configured for, analyzing IPv6 data
• Malicious communications could be established from and to network computers supporting IPv6
– For example, a system can be attacked using IPv4, IPv6 or a combination of both: using IPv4 to detect the computer and IPv6 as a covert communication channel
Common Technical Vulnerabilities
• The next several slides convey technical vulnerabilities observed across covered entities
• CEs assessed included health care Providers, Payers, and Business Associates
• Assessment activities were initiated to gain an understanding of potential HIPAA Security related vulnerabilities and exposures and what may need to be done, if anything, to mitigate identified risks to ePHI
• Assessment activities included a diagnostic review of the target’s HIPAA Security posture against the regulations as well as internal/external vulnerability assessments and controlled penetration testing
Network & System Configuration
• Assessed CEs and BAs place an acute focus on availability
• Security zones via network segmentation often lacking
• Network services and installed operating systems lack security baselines and configuration hardening prior to production deployment
• Default installations are common among:
– OS (Windows, Linux/Unix)
– Network Infrastructure (Firewalls, Routers, Switches)
– Databases (Oracle, MySQL, MSSQL)
– Multi-function Printers (Open File Sharing, GB/TB Drives)
– Applications (HVAC, Customer Facing)
– Modems
• Deprecated OSs
• Sensitive information is everywhere & its location often not well understood
– Exists in structured areas such as databases, but also unstructured areas such as text files, Word/Excel, etc.
But Wait…There’s More
• Inadequate Password Controls
– Password Re-use & Sharing
– OS, Network Devices, Databases, Custom & Commercial Applications
• Poor and/or Inconsistent Patch Management
– OS, Databases, Network Devices, and Applications
• Lack of Network Logging, Monitoring and Alerting, and Awareness
• Active patient / customer data being used in Test and Development environments
• Poor User Account Management Controls
– Inactive / Terminated Users & Rogues
– Badge Reclamation
• Web Application Vulnerabilities
• Clear Text Protocols Transmitting Sensitive Information such as User Credentials and ePHI
– FTP, HTTP, Telnet
• Lack of Encryption
– Laptops, Workstations, Endpoints
• Clean Desk / Clear Screen Policy not observed / enforced
– Confidential Data, Hard Drives, Removable Media Left on Desks, Unprotected
• Security Software Installed
– Nessus, L0phtCrack, Metasploit
• “Unauthorized” Software
– AOL Clients, Peer to Peer File Sharing, BitTorrent Clients, MythTV, WoW
Breach Data & Hacking
[Chart: Hacking/IT Incident counts and Individuals Affected]
1. Source: Department of Health and Human Services
The Reality
• Health care systems and data are under assault like never before
• Hacking and digital attacks are occurring and will continue
• CEs and BAs often lack the resources and expertise needed to detect health information loss
• “Set it and forget it” compliance mindset
• Focus is often placed too heavily on meeting regulatory objectives and not on visibility, detection, and response
• For reasons such as this, many Hacking/IT Incidents against health care organizations likely go unnoticed and therefore unreported
The Challenge
• Asymmetric issue, many-to-one
– CEs must identify and then defend against (many) potential attack vectors within their environment, and then vigilantly monitor
– Bad guys only need to find a single weakness to exploit
• Automated attack tools and packaged exploits make this challenge all the more difficult to defend against
• It’s not a matter of whether you’re paranoid…
HIPAA Security Drivers
• As required by HIPAA’s Administrative Safeguard Standard §164.308(a)(8), Evaluation
• Perform a periodic technical and nontechnical evaluation that establishes the extent to which a given CE’s policies and procedures meet the intent of the HIPAA Security provisions
– Work with General Counsel to ensure that your current HIPAA Security posture is compliant with the legislation’s intent
– Conduct an accurate and thorough risk assessment to identify, define, and prioritize risks to ePHI; it should also encompass ePHI brokered to business associates
– If reasonable and appropriate, conduct penetration testing and vulnerability assessments (internal and external) against information assets storing or processing ePHI
Defensive Considerations
• The threat landscape is highly dynamic
• Talk to your network/system administrators. What are they seeing?
• Baseline network traffic; focus on visibility and on defining what’s normal
• Baseline Your Networks
– Necessary ports & services
– SANS Consensus Audit Guideline (CAG): http://www.sans.org/critical-security-controls/
• Lock down outbound ports and services based on business justification
– Do all users need access to Telnet, FTP, SSH, RDP, etc.?
• Conduct an accurate and thorough risk assessment to identify, define, and prioritize risks to your mission critical assets
Baseline Your Systems
– Current Users, System Processes, Dynamic Link Libraries (DLLs) for critical applications
– What’s “normal”? Create a known frame of reference
• Configuration Guidelines
• Centers for Internet Security: http://cisecurity.org/en-us/?route=default
• National Security Agency: http://www.nsa.gov/ia/guidance/security_configuration_guides/operating_systems.shtml
• Defense Information Systems Agency Security Technical Implementation Guides (STIGs) and Supporting Documents: http://iase.disa.mil/stigs/
• Microsoft Security Compliance Manager: http://technet.microsoft.com/en-us/library/cc677002.aspx
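One way to turn the “what’s normal” frame of reference above into a repeatable check, covering the users, processes, DLLs and listening ports the slide names as well as the clear-text protocols and temp-folder dropper called out earlier in the deck. This is an added example, not code from the deck; both snapshots are constructed, and the collection step (enumerating accounts, processes and sockets on a real host) is assumed to happen outside this script.

```python
"""Diff a saved "known good" baseline of a critical host against a fresh
snapshot of users, processes, listening ports and the DLLs loaded by a
critical application. Added example, not from the original deck; both
snapshots below are constructed."""
from dataclasses import dataclass, field

CLEAR_TEXT_PORTS = {21: "FTP", 23: "Telnet", 80: "HTTP"}  # named on the deck
TEMP_HINTS = ("\\temp\\", "\\tmp\\", "/tmp/")            # where droppers land


@dataclass
class Snapshot:
    users: set = field(default_factory=set)        # local account names
    processes: set = field(default_factory=set)    # full image paths
    listening: dict = field(default_factory=dict)  # port -> owning image
    dlls: dict = field(default_factory=dict)       # app -> set of DLL paths


def compare(baseline: Snapshot, current: Snapshot) -> dict:
    """Return what the baseline does not explain, plus policy findings
    (clear-text listeners, executables in temp) that apply regardless."""
    findings = {
        "new_users": sorted(current.users - baseline.users),
        "new_processes": sorted(current.processes - baseline.processes),
        "new_listeners": {p: img for p, img in current.listening.items()
                          if p not in baseline.listening},
        "new_dlls": {},
        "clear_text": {p: CLEAR_TEXT_PORTS[p] for p in current.listening
                       if p in CLEAR_TEXT_PORTS},
        "temp_executables": sorted(
            path for path in current.processes
            if any(h in path.lower() for h in TEMP_HINTS)),
    }
    for app, loaded in current.dlls.items():
        extra = loaded - baseline.dlls.get(app, set())
        if extra:
            findings["new_dlls"][app] = sorted(extra)
    return findings


def constructed_snapshots() -> tuple:
    """Constructed baseline and drifted current state for one workstation."""
    base = Snapshot(
        users={"Administrator", "nurse01"},
        processes={r"C:\Windows\System32\lsass.exe",
                   r"C:\Program Files\EHR\ehrclient.exe"},
        listening={3389: "svchost.exe"},
        dlls={"ehrclient.exe": {r"C:\Program Files\EHR\core.dll"}},
    )
    tmp = r"C:\Users\nurse01\AppData\Local\Temp"
    cur = Snapshot(
        users=base.users | {"tmpadmin"},
        # same file name as the dropper in the H1N1 case, running from %TEMP%
        processes=base.processes | {tmp + r"\AcrRd32.exe"},
        listening={3389: "svchost.exe", 23: "telnetd.exe"},
        dlls={"ehrclient.exe": {r"C:\Program Files\EHR\core.dll",
                                tmp + r"\hook.dll"}},
    )
    return base, cur
```

Every non-empty finding from `compare(*constructed_snapshots())` is something an administrator should be able to explain; anything they cannot is the starting point for investigation.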
Monitor Your System Baselines
• Many health care organizations don’t have the budget for “high-end” security software, but high-quality, low-cost options are available
• Yet numerous commercial products often resemble open community tools…coincidence?
• Patching:
– Belarc Advisor http://www.belarc.com/free_download.html
– Secunia Personal Software Inspector (PSI) http://secunia.com/vulnerability_scanning/personal/
• Anti-X
– Microsoft Security Essentials, Clam-AV, ThreatFire
Monitor Your System, Network Baselines, and Information
• OpenNMS
– http://www.opennms.org/
– Open-source network monitoring platform
• OpenDLP
– Free and open source, agent-based, centrally-managed, massively distributable data loss prevention tool released under the GPL
– http://code.google.com/p/opendlp/
• Nagios
– http://www.nagios.org/
• Open Source Host-based Intrusion Detection System (OSSEC)
– http://www.ossec.net/
• Open Source Security Information Management (OSSIM)
– Open Source SIEM is a complete Security Management
Governance Models
• Consider frameworks such as the CERT Resilience Management Model (CERT-RMM)
• Check out the Health Information Trust Alliance (HITRUST)
– Excellent source for health care related security controls
– Based on the ISO 27000 family of standards
– Offers certification
• Education
– Emphasize the lack of anonymity social networks actually provide
– Use real-world attacks and scams as examples
– Realize you are representing your employer; act as such
– Encourage paranoia
• Consider how your data is managed from entrance to exit
Conclusion
• Data breaches are costing covered entities millions of dollars
• Detecting and mitigating digital intrusions means that visibility and response are an absolute must!
• Don’t let a patient / customer be your first notification that something is amiss within your current data protection and compliance program
• Make data protection a priority…it can be achieved on a budget
• It is the responsibility of assigned organizational management to take reasonable and appropriate measures to safeguard sensitive information in line with regulatory demands and consumer expectations
Questions?
ALLEGHENY DIGITAL
THANK YOU! www.alleghenydigital.com
1.877.234.0001