Here’s another heart-stopper. The latest Ponemon Institute study reveals 60% of healthcare providers had more than 2 security breaches in the last year with the average breach costing them $2 million. Whoa! It then goes on to state that 70% of hospitals say protecting patient data is not a priority.

Healthcare providers in the Ponemon study also say they lack resources, trained personnel, policies and procedures to safeguard patient records. 58% claim they have little or no confidence in their ability to protect records in their possession. Forget WikiLeaks, as a hacker, this is music to my ears.

So what this really means for healthcare is that something has got to change. Specifically, the mindset that data security is not a priority and that all I have to be is HIPAA compliant to be secure. Well, I hate to be the bearer of bad news but I can’t tell you how many times I’ve hacked HIPAA compliant healthcare providers but I guess telling your patients, personnel and anyone else affected by the data breach that “I was HIPAA compliant” is better than “Data security isn’t a priority” but I’m guessing that will still go over like a lead balloon.

So the real question here should be: How am I going to improve data security? The answer (and read carefully): SECURITY. Did you get it? When it comes to improving data security, U R IT.

From an ethical hacker’s perspective (thought it was time to add “ethical” so you could breathe a little easier), security is two-fold – Internal and External. So let’s start with some internal security measures.

Background Checks for Employment

Knowing who you are hiring can help mitigate security risks. Organizations need to ensure they work better to screen those who will be handling sensitive data.

Case & Point: University of Texas Medical Branch

Using a stolen identity to gain employment at UTMD’s medical biller, MedAssets, Katina Rochelle Candrick helped herself to up to 2,400 UTMD patient records.

Access & Permissions

Unless an employee needs access to sensitive data to successfully complete their job function, they shouldn’t have access. Levels of access controls need to be implemented. Meaning, a receptionist/front desk person should have not have the same access permissions to patient data or any other sensitive data that a doctor would have access to.

Case & Point: Community Hospital of San Bernardino

Community Hospital of San Bernardino, failed to prevent unauthorized access of 204 patients’ medical information by one employee. The same hospital also failed to prevent unauthorized access of three patients’ medical information by one employee in a separate incident.

Physical Security

Physical Security is just as important as electronic security. You need a gate keeper. In fact, all employees at your healthcare organization need to be gate keepers. Don’t let just anyone wander into the office; question why they are there; do not leave laptops or any other mobile device for that matter unattended so that they grow legs; and create and put into place physical security measures to protect your fort.

Case & Point: AvMed Health Plan

More than 200,000 AvMed Health Plan subscribers’ sensitive personal information fell into the wrong hands after a pair of laptops were stolen from a conference room at the company’s corporate headquarters. The laptops contained current and former subscribers’ names, addresses, Social Security numbers and health information.

Creating & Enforcing Policies & Procedures

Creating security policies and procedures is necessary and all employees need to be made aware of what these policies and procedures are. Once that happens, it is essential to ensure these policies and procedures are adhered to, otherwise it’s a waste of time and paper if they are not enforced.

Case & Point: Cardinal Health

The buyer of a laptop sold on eBay contacted Cardinal Health to tell them the used laptop that he/she purchased online contained company information. According to Cardinal Health’s policies, data on decommissioned computers are to be securely deleted by their IT department and then securely destroyed by a vendor. Rather, an employee in their IT department said he had not properly destroyed the data nor did he send it to a third-party to destroy and, in fact, had sold it on eBay.

End-User Security Awareness Training

Common sense isn’t so common anymore. Training employees on what sensitive data is and what it isn’t is a start but training them on what can and can’t leave the premise and when it can, how it can, is another story.

Case & Point: Keystone Mercy Health Plan & AmeriHealth Mercy Health Plan

A flash drive was taken to a community health fair by an employee of the two affiliated Philadelphia companies, Keystone Mercy Health Plan and AmeriHealth Mercy Health Plan which then turns up missing. On this flash drive – 280,000 Medicaid recipients’ information including names, addresses, personal health information and even social security numbers.

IT Staff Security Training:

Sorry to burst everyone’s bubble but IT doesn’t know everything. If they did, these back-up tapes and disks would never have left the premise let alone been left unattended in the IT guy’s car. Proper IT staff security training is essential to better lock down networks, wireless, mobile devices and more. These people can help or harm your data security just as the typical end-user can.

Case & Point: Providence Home Services, a Division of Providence Health System

An IT employee was fired in connection with the theft of backup computer tapes and disks containing personal information and medical records on about 365,000 hospice and home health care patients. A Providence Home Services IT department worker took backup tapes and disks home as part of the home health care division’s backup protocol. The disks and tapes were stolen after they were left in the employee’s car overnight. The information on the disks and tapes included names, addresses, dates of birth, physicians’ names, insurance data, diagnoses, prescriptions, lab results, social security numbers and patient financial information.

Vendor Due Diligence

Just because a vendor can do something doesn’t mean they should. Again, knowing who you do business with is important because even though you are using a third-party, they do not assume complete liability for a security breach. You do. (U R IT)

Case & Point: South Shore Hospital & Archive Data Solutions

800,000 records containing sensitive, personal health and financial information were compromised when South Shore’s data management company, Archive Data Solutions, lost backup tapes containing copies of the hospital’s most sensitive databases created between 2006 and early 2010. On these tapes were: names, addresses, phone numbers, birth dates, social security numbers, patient health information and bank account data.

Destruction of Medical Records

Anyone heard of shredding? How about HIPAA compliance? When you are dealing with sensitive data proper disposal of data files – electronic or paper – has to occur. You are ultimately responsible for that data.

Case & Point: Avalon Center

An Erie County worker tossing garbage into a dumpster discovers odd boxes filled with files containing Avalon patient medical records. Files included full names, addresses, social security numbers and diagnosis information left in the trash for anyone to access.

External Security Controls

Penetration Testing

Knowing your weaknesses and remediating them is better when discovered before a hack instead of after. Even your best IT people can leave a hole in network security on a bad day and/or because they are fighting the functionality vs. security battle. Regardless, identifying your weaknesses by emulating a real-world hack with a penetration test and fixing them before disaster strikes is better than becoming the next media headline.

Case & Point: Express Scripts

Express Scripts disclosed unauthorized persons gained access to personal and medical information of 50 million people. Express Scripts received an anonymous letter containing names of 75 or so clients showing their birth dates, social security numbers and prescriptions. These extortionists threatened to disclose personal and prescription information if the company failed to meet payment demands.

Website Security Assessment

Remember, your website is like a billboard in cyber space advertising “Look at me. Look at me.” When the visitor wants to take it step farther, make sure it’s locked down. A simple website security assessment can show you the vulnerabilities that hackers take advantage of to deface your site, access to your network and so on.

Case & Point: Virginia Health Professionals

Hackers broke into a Virginia state website used by pharmacists to track prescription drug abuse and deleted the records of 8+ million patients plus 35,548,087 prescriptions. They then defaced the site’s homepage with a ransom note demanding $10 million for the return of the records.

Social Engineering

Social Engineering is where you hack the people. By manipulating the target, you gain admission to the sensitive data you wish to access. This is excellent if you want to see if your policies and procedures are in place and where human error can play a part in a security breach. This can be done onsite or remotely and really is telling of how easy it is to be the victim of a security breach. Here, hackers were able to manipulate an email request from those legitimately working on a computer security upgrade on UCSF systems.

Case & Point: UCSF Doctor

A faculty doc at UC San Francisco fell for an email phishing scam, opening up access to personal information on some 600 patients and others to hackers. The physician replied to a scam email seeking user name and password information. The request was named to look like it had come from UCSF workers who were involved with upgrading security on UCSF’s computer system.

While this is only the tip of the iceberg when it comes to information security measures, I hope that when it comes to security one thing is clear: SECURITY

Today, banks providing internet banking facilities are looking for implementing or have already implemented two factor authentications. This has been done by either identifying risks by the banks themselves or has been mandated by the regulatory authorities. Whatever has initiated this, it is more important to understand what a two factor authentication is, what are the business requirements and how is it going to impact the customers.

What are the threats that we are trying to protect by implementing a two factor authentication solution..? phishing attack, Man-in-the-middle-attack, Password sharing etc…

Two factor authentication means that you need to have two factors of authentication (to your online banking website) involved in either the initial login process and/or in further carrying out critical transactions or just while carrying out critical transactions.

So what are the factors that are involved in authentication..?

1. What you know – password, pin number, answers to security questions, security image
2. What you have – One time password (in various ways), ATM cards
3. What you are – Bio-metric solutions

There are many organizations that use any one of the above more than once. Like for example, using user ID and password while logging in to the online banking and answering some security questions while carrying out a critical transaction and claim to be implementing two-factor authentication. Whereas, in reality it is just one factor (what you know) used multiple times.

Using a combination of any of the two above is termed as two-factor authentication. A simple example would be using your ATM card and PIN number at an ATM machine. The ATM card is something that you have and the PIN number is something that you know. So two factors are used to authenticate and carry out your requirements on the ATM machine.

The password and PIN are very commonly used parameters and implementing bio-metric solution (one that authenticates by using finger scan or retina scan etc) are very expensive and does not justify the cost. There are different methods and solutions available for implementing two factor authentications, of which OTP (One Time Password) seems to be much safer from different threats. Let us see some of those solutions.

A Grid on the ATM card – Some organizations has implemented the second factor by forming a grid which is printed onto the back of an ATM card making it convenient to the customers. The login will be using a user ID and password and the next step will be to key in a combination number based on the grid values asked in the online application. The user keys in the value and the access is permitted. This same authentication factor can be used for making an online transaction.

Disadvantages:

• The card is used in many places and since it is an ATM card, it can be given to others for swiping on purchases. The grid behind the card can be easily memorized, though most do not agree with me, I am sure that I can remember and re-collect at least one card’s grid.
• If someone gets their hand to this card through any means, they can also take a photocopy of the card, the grid and use it whenever and wherever required.

A random number generating token – There are many vendors providing tokens or key fobs (known in different names) which generates random numbers and those numbers will be valid for just about 10 seconds (one form of OTP – One Time Password). This means that a new random number using some algorithm is generated every 10 seconds. Very good!

These are wireless tokens and there is a related component (server) that sits at the organization’s environment for validating the numbers generated on the tokens. Both, the server and token work on the same algorithm and is based on time stamps. So the server can understand what will be the number in the token during a particular time.

The user logs-in by providing a user ID and password along with a randomly generated number which will be keyed into the application. The application internally validates this number and allows access.

Disadvantages:

• The burden is in procuring these tokens, distributing it to customers, maintaining, customers losing these tokens etc.
• This solution is prone to Man-in-the-browser attack, which is similar to Man-in-the-middle attack

SMS on your mobile – A much better solution is using SMS as the second factor authentication (another form of OTP – One Time Password). Though it has some draw backs. Here the user logs in into the application using a user ID and password and no second factor is applied in the initial login. The screens available using this process is limited and information such as account number is limited to last 4 digits, customer name is not available, etc it is just your masked account number, the balance and a maximum of 10 previous transactions or you could customize the first page to provide very minimal information. There will be no access to the customer profile page as well.

When the customer requires to make any profile change or make online transactions, the user will be sent a onetime PIN number SMSed to the users registered mobile number which has to be keyed in using a virtual keyboard and that authorizes the transaction/change.

This second factor can be implemented for various transactions viz, adding beneficiaries, profile change, online transfers, changes to transaction amount limits, password change on lockout, statement above 10 transactions etc. The main advantage of this solution is that the customer is not bothered to carry any additional device for this purpose, and this cannot be compromised unless the mobile phone is timely compromised to obtain the PIN and also carry out the transaction. Since unique PIN numbers are used to carry out different transactions/changes, it also mitigates the man-in-the-browser attack to a great extent.

Disadvantages:

1. SMS sent is delayed in transit.
2. SMS sent does not reach the customer due to various reasons
3. Cost implications – payment to be made to the ISP’s for sending SMS’s
4. Customer out of the country and does not have roaming facility
5. ISP’s prioritizing private SMS’s over the SMS’s from the banks

I would prefer the last option, though it lists more disadvantages than the others. Let’s try and justify the disadvantages listed. Frauds that happen and result in financial loss are global issues and I think that all relevant stakeholders should come together for a solution to work and the government should be the enforcer and the regulatory bodies should be the initiators of this cause.

If the government, the ISP, the banks and the regulatory bodies come together, it would solve the disadvantages 1, 3, and 5. Point number 2 can be left as a risk in any business, if there is nothing we can do about it and point number 4, why is a customer trying to do a critical change or transaction while the customer is out of the country..? If it is a corporate account then it is a different scenario.

Your thoughts.

It is important for every organization to constantly carry out risk assessment in their organizations to ensure that they are protected from new threats. Today terrorism has become a major threat for organizations as well and hence it is definitely required for organizations to include terrorism as a threat in their risk assessment exercise.

A constant risk assessment exercise does not only help in identifying and protecting against the latest threats, but also looks into the processes and controls that was defined and implemented years ago. Though the processes and controls might be working well, it might not include the risks due to the latest threats and if risk assessments are not conducted on a regular basis, these new threats might go unnoticed.

Hence organization are encouraged to have the risk assessment exercise as an annual activity and also when there is a major change within the organization. It is also important to keep a tab on the new threats that need to be included in their risk assessment exercise.

Now the next arising question is, what are the risks of having these armed CISF securities in the campus?