At the HIT Summit in Beverly Hills, a Focus on IT Security Basics | Healthcare Informatics Magazine

At the HIT Summit in Beverly Hills, a Focus on IT Security Basics

November 10, 2016
by Mark Hagland
Nailing down the IT security fundamentals while looking at advanced strategies will be important

In a bracing discussion on Thursday morning in Los Angeles at the Health IT Summit-Beverly Hills, sponsored by Healthcare Informatics, the focus returned over and over again to some of the fundamentals of IT security strategy. The first panel discussion of the HIT Summit, which is being held at the Sofitel Hotel Los Angeles at Beverly Hills, focused largely on the major gap between available strategies and technologies and their actual implementation in patient care organizations across the U.S.

Ryan McDaniel, vice president of security and technology at the HCI Group consulting firm, moderated the panel. He was joined by Richard Greenberg, the information security officer at Los Angeles County Public Health; Gary A. Gooden, chief information security officer and director of IT at the Center for Personalized Medicine at Children’s Hospital Los Angeles; and Chris W. Jeorg, chief information security officer (CISO) at Cedars-Sinai Health System—all three IT security leaders local to the conference.

Framing the broad statistics around data security—and insecurity—in the U.S. healthcare system, McDaniel noted early on in his introduction of the panel discussion that “We’re looking at approximately 118 million records that have been breached, which means that over one-third of the population of the U.S. has potentially been breached. And we should look at the most relevant updates from 2016. Over the next 24 months, any healthcare location has a 26-percent chance of being meaningfully breached. So certainly, this is an important topic we’re discussing.”

Turning to his fellow panelists, McDaniel asked, “What scares you, what is the one problem that keeps you up at night? For me, what keeps me up at night as I work with different organizations, is the category of threats that can be described by the phrase ‘unknown unknowns,’ including insider threats.”

“I’ve been in IT for 25 years, and things are rapidly growing today,” Greenberg said, “And one of the big concerns I have is that the hackers are taking on all sizes, shapes, and forms, but they’re well-organized,” in fact, better-organized than ever. “And they’re sharing information on the dark side. They’re putting kits out there. It’s a multi-billion-dollar industry that’s underground. And each of us is trying to fight that with our little pockets. And we have a disconnect around laws that make it harder to share corporate information. You might recall a few years ago, President Obama asked for more data-sharing, and that’s what he had in mind.”


“To echo what Richard mentioned,” Gooden said, “while patients want to own their data, security is a multi-billion-dollar issue; at the same time, per what Richard said, the hacker today is not the hacker yesterday—this notion of some kid in somebody’s basement. This is a multi-billion-dollar business. And they don’t care about any of the rules or regulations; they care about gathering data to monetize it. And that’s only going to get worse. The rate of change of the technology, the mathematical models being generated to create these ransomware packages, is only going to get more prevalent.”

In addition, Gooden said, “What I found interesting is that several years ago, most healthcare organizations didn’t have CISOs. And upwards of 70 percent of healthcare organizations are already being compromised. And if their environment is hacked, the typical gap in time between the actual hack and its being discovered is 200 days. So what keeps me up at night is what I don’t know. And the second thing is the race to prevent biomedical devices from being compromised. And that’s a whole different level from the concern over ransomware. For instance, a lot of these biomedical devices are relatively primitive, in terms of their data architecture.”

“Information security is a big focus for us at Cedars-Sinai,” Jeorg said. “What keeps me up at night is what is sometimes referred to as ‘rogue IT,’ where users circumvent security controls to use their own devices. How do we prevent that, and address it in a meaningful way when it’s going on? The other piece for me is data loss because of a breach, and data loss that culminates in the eventual loss of patient trust. If someone’s data or privacy is breached through the fault of a healthcare provider, that is a very big problem.”

“Health data is worth more and is more easily accessible,” McDaniel said. “So let’s ask why healthcare is a primary target. Is it the monetary value of a patient record?”

“It’s the monetary value, and also, it’s a soft target, basically,” Jeorg replied. “If you go to a bank or a credit card company, they’re focusing on information security in a much more mature way. So it’s a lack of maturity in the focus in healthcare security. We need to protect the confidentiality, integrity, and availability of information.”

“Your patient record is worth $50” to hackers, Gooden said, “but in terms of the total capitalized cost—it’s worth more than $250. And healthcare is a softer target. I was here at this conference last year, and there was a panel discussion with CISOs, and one of the questions I was asked was, do you think the CISO should report to the CIO? And of the four panelists, including the moderator, they all said the CISO should not report to the CIO. At that time, a year ago, I wasn’t a CISO. This is my first journey into healthcare, and I was shocked at the low level of maturity of technology when I came into the industry. So when I heard that said last year, I said, I don’t understand: if the rate of change in the level of attacks against healthcare organizations is growing exponentially… And why wouldn’t you want your security team to be part of your overall IT team? Because you need to be on a war footing; this is a war. I think this issue gets back to the issue of checkbox compliance for security. This isn’t a checkbox; it’s real. We just finished a PCI segmentation project. And if we focus on compliance, we can’t get to where we need to.”

“That’s right,” Greenberg said. “Many of the healthcare companies that have been breached were all compliant with regulations. And one of the reasons we’re a target is that the value of credit card information is minuscule. Hackers get credit cards, but they’re changed immediately. And the credit card companies have a great model for monitoring activity, and they call you. And your card gets changed immediately. In contrast, the life cycle for a breached medical record is very long. Medical records are worth a lot more, because it’s hard to immediately pinpoint a breach. If your ID is breached, you can go to a federal website, and they have a whole process to follow. If you’re breached in your medical records, there isn’t an obvious path. It’s incredibly difficult for people. We’re focused on being caregivers, and aren’t doing a good enough job of taking care of the security of the data of our patients. And we’re causing critical stress and doing a great disservice to our patients, if we’re not protecting the security of their data. It’s causing a lack of trust among patients.”

One of the core challenges goes back to end-users in healthcare, McDaniel noted. “You have a population that’s incredibly skilled at providing care and incredibly well-intentioned. But they may not have the sophistication around data security,” he pointed out. “Healthcare organizations lack both the budget and the defined processes needed in this area. So what do we do?”

“The insider threat remains a major one,” Greenberg insisted. “We take seriously educating our workforce. We can put in great firewalls, write great rules, deny access to certain sites, we can secure mobile devices with a tool that will allow us to remotely wipe them, we can push updates to users; we can put websites within security parameters. But the best-laid plans, infrastructure, and technological controls, can all be undermined by a single click, per phishing. HIPAA does require security training; it’s kind of vague on how often and what type. So it’s up to you to push for more required training; it’s a bit of a pain for end-users, but it’s very important. So we go out and do a road show, and we train people. And we’ve got hundreds of tablets being taken around. So we’ve encrypted all of our portable devices. HIPAA does say that if you have a lost device and it’s breached, you have to report it. But if the device was encrypted, you’re in a safe harbor. We also do awareness training, and we focus on phishing attacks. A URL zero-write. There are fake sites where you think you’re on the right site. But we have a tool that checks to see if a site is legitimate or not, and filters you out if it isn’t a legitimate site. That has great potential.”

“I agree with Richard,” Gooden said. “And we’re trying to catch up strategically with our own roadmap. And there is typically a disconnect in most organizations between the infrastructure team and the data security team. Most of the initiatives ongoing, the data security people wouldn’t know they’re actually happening. So we’re looking at infrastructure security technologies; and also we’re doing behavioral monitoring. You have to do data analytics behind your security measures. We do 24/7/365 monitoring of our environment. And every single thing that’s being stood up in your environment has to be examined” from a data security standpoint. “And the monitoring has to be ongoing.”

Another element that Gooden sees as an issue is the routine way in which end-user education is presented in patient care organizations. “We have to make the end-user training programs more interesting—they’re boring as hell! And because they’re so boring, they lack stickiness. Your brain becomes disconnected. It’s checkbox-writing. So we’ve been doing social engineering for some time, but we have to step up our game.” What’s more, he said, “You also have to look at things like identity-based access control. And that involves a multi-year process of change in your organizational culture. Because you cannot keep up with the mathematics involved in these hacker attacks in a static way. You have to combine strategies, and you have to implement social engineering at a much higher level. And look at your data security as a very high priority in your organization.”

McDaniel conducted a brief text-based poll of the audience, asking audience members which IT security strategies they were pursuing. That instant poll revealed that, while 73 percent are implementing antivirus protection, only 18 percent are engaged in developing advanced firewall protection strategies, and only 9 percent are engaging in behavioral analytics strategies and tactics—fairly low levels of engagement in advanced strategies.

With regard to those results, Gooden noted that “Next-generation firewall protection is leading-edge. And we’re looking at putting in advanced monitoring protections at the outside edge. We already have data loss prevention techniques in place, but we’re going to expand those. And it’s that balance between providing enough security to ensure the integrity of the environment, while allowing the end-users to participate in clinical or research work.”

Further, McDaniel emphasized, “The reality of risk in a clinical environment requires an integrated approach to security.”

“The general understanding now,” Greenberg said, “is that it’s not a question any longer of if you will be attacked and breached, but when. And if that’s the case, you can’t just sit back and pour millions of dollars more into technical controls. One of the most important things an organization can do is to put into place really good incident awareness and response systems,” he emphasized. “The average period of time between a breach and its discovery is 200 days. So that’s 200 days during which your data is being exfiltrated. And you cannot just have security involved; you have to have the business side involved, too, and your communications and public relations team—the press is going to come and visit you. So you have to test these incident response systems and capabilities. And over 90 percent of these breaches are not that sophisticated.”

 

 



Florida Provider Pays $500K to Settle Potential HIPAA Violations

December 12, 2018
by Heather Landi, Associate Editor

Florida-based Advanced Care Hospitalists PL (ACH) has agreed to pay $500,000 to the Office for Civil Rights (OCR) of the U.S. Department of Health and Human Services (HHS) to settle potential HIPAA compliance failures, including sharing protected health information with an unknown vendor without a business associate agreement.

ACH provides contracted internal medicine physicians to hospitals and nursing homes in west central Florida. ACH provided services to more than 20,000 patients annually and employed between 39 and 46 individuals during the relevant timeframe, according to OCR officials.

Between November 2011 and June 2012, ACH engaged the services of an individual who claimed to be a representative of a company named Doctor’s First Choice Billings, Inc. (First Choice). The individual provided medical billing services to ACH using First Choice’s name and website, but allegedly without the knowledge or permission of First Choice’s owner, according to OCR officials in a press release published last week.

A local hospital contacted ACH on February 11, 2014 and notified the organization that patient information was viewable on the First Choice website, including names, dates of birth and social security numbers. In response, ACH was able to identify at least 400 affected individuals and asked First Choice to remove the protected health information from its website. ACH filed a breach notification report with OCR on April 11, 2014, stating that 400 individuals were affected; however, after further investigation, ACH filed a supplemental breach report stating that an additional 8,855 patients could have been affected.

According to OCR’s investigation, ACH never entered into a business associate agreement with the individual providing medical billing services to ACH, as required by the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules, and failed to adopt any policy requiring business associate agreements until April 2014. 

“Although ACH had been in operation since 2005, it had not conducted a risk analysis or implemented security measures or any other written HIPAA policies or procedures before 2014. The HIPAA Rules require entities to perform an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of an entity’s electronic protected health information,” OCR officials stated in a press release.

In a statement, OCR Director Roger Severino said, “This case is especially troubling because the practice allowed the names and social security numbers of thousands of its patients to be exposed on the internet after it failed to follow basic security requirements under HIPAA.”

In addition to the monetary settlement, ACH will undertake a robust corrective action plan that includes the adoption of business associate agreements, a complete enterprise-wide risk analysis, and comprehensive policies and procedures to comply with the HIPAA Rules. 

In a separate case announced this week, a Colorado-based hospital, Pagosa Springs Medical Center, will pay OCR $111,400 to settle potential HIPAA violations after the hospital failed to terminate a former employee’s access to electronic protected health information (ePHI).

Pagosa Springs Medical Center (PSMC) is a critical access hospital that, at the time of OCR’s investigation, provided more than 17,000 hospital and clinic visits annually and employed more than 175 individuals.

The settlement resolves a complaint alleging that a former PSMC employee continued to have remote access to PSMC’s web-based scheduling calendar, which contained patients’ electronic protected health information (ePHI), after separation of employment, according to OCR.

OCR’s investigation revealed that PSMC impermissibly disclosed the ePHI of 557 individuals to its former employee and to the web-based scheduling calendar vendor without a HIPAA required business associate agreement in place. 

The hospital also agreed to adopt a substantial corrective action plan as part of the settlement, and, as part of that plan, PSMC has agreed to update its security management and business associate agreement, policies and procedures, and train its workforce members regarding the same.

“It’s common sense that former employees should immediately lose access to protected patient information upon their separation from employment,” Severino said in a statement. “This case underscores the need for covered entities to always be aware of who has access to their ePHI and who doesn’t.”

Covered entities that do not have or follow procedures to terminate information access privileges upon employee separation risk a HIPAA enforcement action. Covered entities must also evaluate relationships with vendors to ensure that business associate agreements are in place with all business associates before disclosing protected health information.
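The PSMC settlement turns on a control that is easy to state and easy to let slip: access to systems holding ePHI has to end when employment does, and someone has to check that it did. The following is an added example, written for this page and not taken from the article, OCR or PSMC, of the reconciliation a covered entity can run between its HR separation feed, the account inventory of a hosted application, and that application's access log. The HR records, account list, log lines and the "scheduling calendar" application itself are all constructed for the example.

```python
"""Reconcile HR separations against application accounts and access logs.

Three checks, all driven by the HR separation date:
  * still_enabled           - separated employee, account not yet disabled
  * post_separation_access  - any logged activity after the separation date
  * no_owner                - account with no HR record (vendor/service account
                              that needs a documented owner and, for a vendor,
                              a business associate agreement)
All data below is constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date, datetime

# Constructed HR feed: employee id -> separation date (None = still employed)
HR_SEPARATIONS = {
    "e1001": date(2024, 3, 15),
    "e1002": None,
    "e1003": date(2024, 4, 1),
    "e1004": date(2024, 2, 28),
}

# Constructed account inventory for a hypothetical web-based scheduling calendar
ACCOUNTS = [
    {"user": "e1001", "enabled": True},
    {"user": "e1002", "enabled": True},
    {"user": "e1003", "enabled": False},   # disabled on time: no finding expected
    {"user": "e1004", "enabled": True},
    {"user": "svc-vendor", "enabled": True},  # no HR record: vendor/service account
]

# Constructed access log, one event per line: "timestamp user source_ip action"
ACCESS_LOG = """\
2024-03-14T09:02:11 e1001 10.20.0.14 view_calendar
2024-03-20T22:41:05 e1001 198.51.100.23 view_calendar
2024-04-02T08:15:00 e1002 10.20.0.31 view_calendar
2024-03-03T07:55:43 e1004 203.0.113.9 export_calendar
2024-04-05T12:00:00 svc-vendor 192.0.2.10 sync
"""


@dataclass
class Finding:
    user: str
    issue: str
    detail: str


def parse_log(text):
    """Split the constructed log format into (datetime, user, ip, action) tuples."""
    events = []
    for line in text.splitlines():
        ts, user, ip, action = line.split()
        events.append((datetime.fromisoformat(ts), user, ip, action))
    return events


def reconcile(hr, accounts, log_text, as_of):
    """Return findings for accounts that outlived their owner's employment."""
    findings = []
    events = parse_log(log_text)
    for acct in accounts:
        user = acct["user"]
        if user not in hr:
            findings.append(Finding(user, "no_owner",
                                    "account has no HR record; needs a documented owner"))
            continue
        separated = hr[user]
        if separated is None:
            continue  # current employee
        if acct["enabled"] and separated <= as_of:
            findings.append(Finding(user, "still_enabled",
                                    f"separated {separated.isoformat()}, account still enabled"))
        # Any activity dated after separation is a disclosure to a former employee
        for ts, u, ip, action in events:
            if u == user and ts.date() > separated:
                findings.append(Finding(user, "post_separation_access",
                                        f"{action} from {ip} on {ts.date().isoformat()}"))
    return findings


def run_report(as_of=date(2024, 4, 30)):
    """Run the reconciliation on the constructed data; returns sorted (user, issue) pairs."""
    findings = reconcile(HR_SEPARATIONS, ACCOUNTS, ACCESS_LOG, as_of)
    return sorted((f.user, f.issue) for f in findings)


if __name__ == "__main__":
    for f in reconcile(HR_SEPARATIONS, ACCOUNTS, ACCESS_LOG, date(2024, 4, 30)):
        print(f"{f.user:12} {f.issue:24} {f.detail}")
```

On the constructed data the report flags e1001 and e1004 twice each (account still enabled, plus activity after the separation date) and the vendor account once for having no owner; e1003 produces nothing because it was disabled before anyone used it again. In a real deployment the HR feed would be the system of record for the separation date and the reconciliation would run on a schedule, with the post-separation-access findings treated as potential disclosures rather than as housekeeping.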

 


Eye Center in California Switches EHR Vendor Following Ransomware Incident

December 11, 2018
by Rajiv Leventhal, Managing Editor

Redwood Eye Center, an ophthalmology practice in Vallejo, Calif., has notified more than 16,000 patients that its EHR (electronic health record) hosting vendor experienced a ransomware attack in September.

In the notification to the impacted patients, the center’s officials explained that the third-party vendor that hosts and stores Redwood’s electronic patient records, Illinois-based IT Lighthouse, experienced a data security incident that affected records pertaining to Redwood patients. Officials also said that IT Lighthouse hired a computer forensics company to help after the ransomware attack, and that Redwood worked with the vendor to restore access to its patient information.

Redwood’s investigation determined that the incident may have involved patient information, including patient names, addresses, dates of birth, health insurance information, and medical treatment information.

Notably, Redwood will be changing its EMR hosting vendor, according to its officials. Per the notice, “Redwood has taken affirmative steps to prevent a similar situation from arising in the future. These steps include changing medical records hosting vendors and enhancing the security of patient information.”

Ransomware attacks in the healthcare sector continue to be a problem, but at the same time, they have diminished substantially compared to the same time period last year, as cyber attackers move on to more profitable activities, such as cryptojacking, according to a recent report from cybersecurity firm Cryptonite.


Report: 30 Percent of Healthcare Databases Exposed Online

December 10, 2018
by Heather Landi, Associate Editor

Hackers are using the Dark Web to buy and sell personally identifiable information (PII) stolen from healthcare organizations, and exposed databases are a vulnerable attack surface for healthcare organizations, according to a new cybersecurity research report.

A research report from IntSights, “Chronic [Cyber] Pain: Exposed & Misconfigured Databases in the Healthcare Industry,” gives an account of how hackers are tracking down healthcare personally identifiable information (PII) data on the Dark Web and where in the attack surface healthcare organizations are most vulnerable.

The report explores a key area of the healthcare attack surface, which is often the easiest to avoid—exposed databases. It’s not only old or outdated databases that get breached, but also newly established platforms that are vulnerable due to misconfiguration and/or open access, the report authors note.

Healthcare organizations have been increasingly targeted by threat actors over the past few years and their most sought-after asset is their data. As healthcare organizations attempt to move data online and increase accessibility for authorized users, they’ve dramatically increased their attack surface, providing cybercriminals with new vectors to steal personally identifiable information (PII), according to the report. Yet, these organizations have not prioritized investments in cybersecurity tools or procedures.

Healthcare budgets are tight, the report authors note, and if there’s an opportunity to purchase a new MRI machine versus make a new IT or cybersecurity hire, the new MRI machine often wins out. Healthcare organizations need to carefully balance accessibility and protection.

In this report, cyber researchers set out to show that the healthcare industry as a whole is vulnerable, not due to a specific product or system, but due to lack of process, training and cybersecurity best practices. “While many other industries suffer from similar deficiencies, healthcare organizations are particularly at risk because of the sensitivity of PII and medical data,” the report states.

The researchers chose a couple of popular technologies for handling medical records, including known and widely used commercial databases, legacy services still in use today, and new sites or protocols that try to mitigate some of the vulnerabilities of past methods. The purpose of the research was to demonstrate that hackers can easily find access to sensitive data in each state: at rest, in transit or in use.

The researchers note that the tactics used were pretty simple: Google searches, reading technical documentation of the aforementioned technologies, subdomain enumeration, and some educated guessing about the combination of sites, systems and data. “All of the examples presented here were freely accessible, and required no intrusive methods to obtain. Simply knowing where to look (like the IP address, name or protocol of the service used) was often enough to access the data,” the report authors wrote.

The researchers spent 90 hours researching and evaluated 50 databases. Among the findings outlined in the report, 15 databases were found exposed, so the researchers estimate about 30 percent of databases are exposed. The researchers found 1.5 million patient records exposed, at a rate of about 16,687 medical records discovered per hour.

The estimated black-market price per medical record is $1 per record. The researchers concluded that hackers can find a large number of records in just a few hours of work, and this data can be used to make money in a variety of ways. If a hacker can find records at a rate of 16,687 per hour and works 40 hours a week, that hacker can make an annual salary of $33 million, according to the researchers.

“It’s also important to note that PII and medical data is harder to make money with compared to other data, like credit card info. Cybercriminals tend to be lazy, and it’s much quicker to try using a stolen credit card to make a fraudulent purchase than to buy PII data and run a phishing or extortion campaign. This may lessen the value of PII data in the eyes of some cybercriminals; however, PII data has a longer shelf-life and can be used for more sophisticated and more successful campaigns,” IntSights security researcher and report author Ariel Ainhoren wrote.

The researchers used an example of a hospital using an FTP server. “FTP is a very old and known way to share files across the Internet. It is also a scarcely protected protocol that has no encryption built in, and only asks you for a username and password combination, which can be brute forced or sniffed by network scanners very easily,” Ainhoren wrote. “Here we found a hospital in the U.S. that has its FTP server exposed. FTP’s usually hold records and backup data, and are kept open to enable backup to a remote site. It could be a neglected backup procedure left open by IT that the hospital doesn’t even know exists.”

According to the report, hackers have three main motivations for targeting healthcare organizations and medical data:

  • State-Sponsored APTs Targeting Critical Infrastructure: APTs are more sophisticated and are usually more difficult to stop. They will attempt to infiltrate a network to test tools and techniques to set the stage for a larger, future attack, or to obtain information on a specific individual’s medical condition.
  • Attackers Seeking Personal Data: Attackers seeking personal data can use it in multiple ways. They can create and sell PII lists, they can blackmail individuals or organizations in exchange for the data, or they can use it as a basis for further fraud, like phishing, Smishing, or scam calls.
  • Attackers Taking Control of Medical Devices for Ransom: Attackers targeting vulnerable infrastructure won’t usually target healthcare databases, but will target medical IT equipment and infrastructure to spread malware that exploits specific vulnerabilities and demands a ransom to release the infected devices. Since medical devices tend to be updated infrequently (or not at all), this provides a relatively easy target for hackers to take control.

The report also offers a few general best practices for evaluating if a healthcare organization’s data is exposed and/or at risk:

  • Use Multi-Factor Authentication for Web Applications: If you’re using a system that only needs a username and password to log in, you’re making it significantly easier to access. Make sure you have MFA set up to reduce unauthorized access.
  • Tighter Access Control to Resources: Limit the number of credentials to each party accessing the database. Additionally, limit specific parties’ access to only the information they need. This will minimize your chance of being exploited through a 3rd party, and if you are, will limit the damage of that breach.
  • Monitor for Big or Unusual Database Reads: These may be an indication that a hacker or unauthorized party is stealing information. It’s a good idea to set up limits on database reads and make sure requests for big database reads involve some sort of manual review or confirmation.
  • Limit Database Access to Specific IP Ranges: Mapping out the organizations that need access to your data is not an easy task. But it will give you tighter control on who’s accessing your data and enable you to track and identify anomalous activity. You can even tie specific credentials to specific IP ranges to further limit access and track strange behavior more closely.
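The last three recommendations in that list (one credential per party with only the access it needs, monitoring for big or unusual reads, and binding credentials to IP ranges) can all be checked against the same database audit trail. The following is an added example, written for this page and not taken from the IntSights report or the article, of a small policy evaluator run over constructed audit log lines: every credential has an allowed set of source networks and a per-query row cap that forces manual review, and a read well above the credential's own median volume is flagged as unusual even when it stays under the cap. The credentials, networks, caps and log lines are all constructed.

```python
"""Flag large, unusual or out-of-range database reads in an audit log.

Checks per audit event:
  * unknown_credential             - no policy entry: the party was never provisioned
  * source_ip_out_of_range         - credential used from outside its allowed networks
  * exceeds_row_cap_needs_review   - read larger than the credential's hard cap
  * unusual_read_volume            - read more than UNUSUAL_FACTOR x that credential's
                                     median rows per read (only if under the cap)
All policy values and log lines below are constructed for illustration.
"""
import ipaddress
import statistics

# Constructed policy: credential -> allowed source networks and per-query row cap
POLICY = {
    "ehr_app":    {"networks": ["10.20.0.0/16"], "row_cap": 5000},
    "billing_ro": {"networks": ["10.30.5.0/24"], "row_cap": 1000},
    "analyst_jd": {"networks": ["10.40.0.0/16"], "row_cap": 20000},
}
UNUSUAL_FACTOR = 10  # a read this many times the credential's median is "unusual"

# Constructed audit log, one query per line:
# "timestamp credential source_ip table rows_returned"
AUDIT_LOG = """\
2024-05-01T08:00:01 ehr_app 10.20.3.7 patients 120
2024-05-01T08:00:09 ehr_app 10.20.3.7 encounters 85
2024-05-01T08:01:30 ehr_app 10.20.3.9 patients 97
2024-05-01T08:02:02 ehr_app 10.20.3.7 patients 6100
2024-05-01T09:15:44 billing_ro 10.30.5.12 claims 40
2024-05-01T09:16:10 billing_ro 10.30.5.12 claims 55
2024-05-01T23:47:03 billing_ro 203.0.113.45 patients 580
2024-05-01T10:05:00 analyst_jd 10.40.1.2 encounters 1800
2024-05-01T10:06:00 unknown_cred 10.20.3.7 patients 10
"""


def parse_audit(text):
    """Parse the constructed audit format into dicts with a typed IP and row count."""
    events = []
    for line in text.splitlines():
        ts, cred, ip, table, rows = line.split()
        events.append({"ts": ts, "cred": cred, "ip": ipaddress.ip_address(ip),
                       "table": table, "rows": int(rows)})
    return events


def evaluate(events, policy, factor=UNUSUAL_FACTOR):
    """Return (timestamp, credential, alert) tuples for events that violate policy."""
    alerts = []
    # Per-credential baseline: median rows per read over the window being evaluated
    rows_by_cred = {}
    for e in events:
        rows_by_cred.setdefault(e["cred"], []).append(e["rows"])
    medians = {c: statistics.median(r) for c, r in rows_by_cred.items()}

    for e in events:
        rule = policy.get(e["cred"])
        if rule is None:
            alerts.append((e["ts"], e["cred"], "unknown_credential"))
            continue
        # Credentials are tied to source ranges; anything else is an anomaly to chase
        if not any(e["ip"] in ipaddress.ip_network(n) for n in rule["networks"]):
            alerts.append((e["ts"], e["cred"], "source_ip_out_of_range"))
        # Hard cap first (review required), then the softer per-credential baseline
        if e["rows"] > rule["row_cap"]:
            alerts.append((e["ts"], e["cred"], "exceeds_row_cap_needs_review"))
        elif e["rows"] > factor * medians[e["cred"]]:
            alerts.append((e["ts"], e["cred"], "unusual_read_volume"))
    return alerts


def run_report():
    """Evaluate the constructed log against the constructed policy."""
    return evaluate(parse_audit(AUDIT_LOG), POLICY)


if __name__ == "__main__":
    for ts, cred, alert in run_report():
        print(f"{ts} {cred:12} {alert}")
```

On the constructed log the 6,100-row read by the application credential trips the hard cap, the late-night 580-row read by the read-only billing credential is flagged twice (it came from outside the credential's network and is more than ten times that credential's median), and the unprovisioned credential is reported on sight. The median here is computed over the same window being evaluated, which is fine for a small illustration but not for production: a real monitor keeps a baseline from history so that a burst of large reads cannot raise its own threshold.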

 
