Motivation
Theft of services
Identity theft
Fraud
Embarrassment
Harm
Denial of Service
6Jean Pawluk
Costs of Medical Identity Theft 2010
Data courtesy of Ponemon Institute:
• 2010 Benchmark Study on Patient Privacy and Data Security
• Second Annual Survey on Medical Identity Theft
• 2010 Annual Study: U.S. Cost of a Data Breach
$214 per healthcare record
$20,663 average cost to victim
$2 Million per healthcare data breach
Security is About
• People
• Process
• Technology
It’s everyone’s business, and it is your business in healthcare
Lots of Healthcare Rules
• HIPAA
• HITECH
• HL7
• ISO/CEN
• Non-US Healthcare
– EU, Canada, Australia, Singapore
Sensitive Health Information
“Individually identifiable health information” is information, including demographic data, that relates to:
• the individual’s past, present or future physical or mental health or condition,
• the provision of health care to the individual, or
• past, present, or future payment for the provision of health care to the individual
Electronic Protected Health Information
• Name
• Address (all geographic subdivisions smaller than state, including street address, city, county, zip code)
• All elements (except years) of dates related to an individual (including birth date, admission date, discharge date, date of death and exact age)
• Telephone numbers
• Fax number
• Email address
• Social Security number
• Medical record number
• Health plan beneficiary number
• Account number
• Certificate/license number
• Any vehicle or other device serial number
• Medical device identifiers or serial numbers on implants
• Finger or voice prints
• Photographic images
• Passport number
• State ID card
• Any other characteristic that could uniquely identify the individual
Gramm-Leach-Bliley Act (GLBA)
• Provided to obtain (or in connection with) a financial product or service
• Results from any transaction involving a financial product or service between you and a customer
Examples of customer private personal information include but are not limited to:
• Social Security Number
• Credit Card Number
• Account Numbers
• Account Balances
• Any Financial Transactions
• Tax Return Information
• Driver’s License Number
• Date/Location of Birth
Even More Rules
• PCI
• SOX (public companies)
• FISMA
• Privacy Rules
– EU
– Canada
– Australia
Health Technology Challenges
• Heterogeneous devices
• Laptops, portable devices, backup media, and wireless infrastructure
• Portable devices
• Medical devices
• Complexity
• Boundaries are not fixed
General Security Standards
200+ standards for Internet and information systems
Healthcare Security Standards
Authentication
• Identification
• Signature
• Non-repudiation
Data Integrity
• Encryption
• Data Integrity Process
• Permanence
System Security
• Communication
• Processing
• Storage
Internet Security
• Personal Health Records
• Secure Internet Services
Key Areas of ISO 17799
• Security Policy
• Security Organization
• Asset Classification
• Personnel Security
• System Development & Maintenance
• Communication & Operations
• Compliance
• Business Continuity Planning
• Access Control
• Physical Security
• Incident Handling
All centred on DATA: Integrity, Confidentiality, Availability
ISO 27799
Security management in health using ISO
• Personal health information
• Pseudo-anonymous data derived from personal health information
• Statistical and research data derived by removal of personally identifying data
• Clinical / medical knowledge not related to specific patients (e.g., data on adverse drug reactions)
• Data on health professionals and staff
• Information related to public health surveillance
• Audit trail data that are produced by health information systems containing personal health information, or data about the actions of users in regard to personal health information
• System security data, e.g. access control data and other security-related system configuration data for health information systems
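The ePHI identifier list and the ISO 27799 data categories above describe the same boundary from two sides: direct identifiers that must go, dates reduced to years, geography reduced to state, and "pseudo-anonymous" data that still links one patient's records without naming the patient. The following Python is an added example (not from the presentation or any standard's reference code) that applies those rules to a record; the field names, the regular expressions for free-text scrubbing, the study key and the sample record are all this example's own assumptions.

```python
import hashlib
import hmac
import re
from datetime import date
from typing import Optional

# Fields carrying direct identifiers from the ePHI list. The field names are this
# example's own naming, not a standard schema. These are dropped outright.
DIRECT_IDENTIFIERS = {
    "name", "street", "city", "county", "zip", "phone", "fax", "email", "ssn",
    "mrn", "beneficiary_id", "account_number", "license_number", "vehicle_serial",
    "device_serial", "biometric", "photo", "passport", "state_id", "age",
}

# Date fields: every element except the year is removed.
DATE_FIELDS = {"birth_date", "admission_date", "discharge_date", "death_date"}

# Identifier shapes that leak into free-text notes. Deliberately simple and
# illustrative; a production scrubber needs a far wider set of patterns.
FREE_TEXT_PATTERNS = [
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN]"),
    (re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"), "[PHONE]"),
    (re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b"), "[EMAIL]"),
    (re.compile(r"\b\d{4}-\d{2}-\d{2}\b"), "[DATE]"),
]


def pseudonym(mrn: str, key: bytes) -> str:
    """Keyed hash of the medical record number. Stable under one study key, so a
    patient's records can be linked, but not reversible without the key. This is
    the 'pseudo-anonymous data' category, not full anonymisation."""
    return hmac.new(key, mrn.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def scrub_text(text: str) -> str:
    """Replace identifier-shaped substrings in free text with labels."""
    for pattern, label in FREE_TEXT_PATTERNS:
        text = pattern.sub(label, text)
    return text


def deidentify(record: dict, study_key: Optional[bytes] = None) -> dict:
    """Copy of the record with direct identifiers removed, dates reduced to
    years and free text scrubbed. With a study key, a pseudonym is added."""
    out = {}
    for field_name, value in record.items():
        if field_name in DIRECT_IDENTIFIERS:
            continue
        if field_name in DATE_FIELDS and isinstance(value, date):
            out[field_name.replace("_date", "_year")] = value.year
        elif isinstance(value, str):
            out[field_name] = scrub_text(value)
        else:
            out[field_name] = value
    if study_key is not None and "mrn" in record:
        out["pseudonym"] = pseudonym(record["mrn"], study_key)
    return out


# Constructed sample record; every value is fictional.
SAMPLE_RECORD = {
    "mrn": "MRN-0001",
    "name": "A. Patient",
    "state": "WA",
    "zip": "98101",
    "birth_date": date(1970, 6, 15),
    "admission_date": date(2010, 3, 14),
    "ssn": "123-45-6789",
    "email": "patient@example.com",
    "diagnosis": "Hypertension",
    "note": "Called from 206-555-0100; follow-up 2010-04-01; reach at patient@example.com",
}

if __name__ == "__main__":
    for k, v in deidentify(SAMPLE_RECORD, b"study-key-2010").items():
        print(f"{k}: {v}")
```

Two design points worth noting: the state field survives because the slide only strips geography smaller than state, and the pseudonym is an HMAC rather than a plain hash so that someone holding only the output and a list of MRNs cannot confirm a match by recomputing.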
ISO 27799:2008 Healthcare
• Threats to health information security
• How to carry out the tasks of the Healthcare Information Security Management System described in ISO 17799
Healthcare Security Steps
1. Identify Systems At Risk
   Systems containing sensitive healthcare, financial and IP data and/or having a high business risk
2. Information Gathering and Planning
   Partner with subject matter experts to gather information to identify system exposures
3. Evaluate Risk & Vulnerability
   Risk is the expectation of damage given the probability of attack
4. Identify Possible Solutions (Controls / Mitigation)
   Processes, tools & procedures that reduce the probability of an exposure being exploited
   Leverage common security architecture & processes
5. Determine Feasibility & Acceptable Risk
   Feasibility based on key dependencies, technological know-how and business readiness
   May decide to accept lower risk factors based on feasibility
6. Roadmap Prioritization
   Putting it all together
7. Execute the Plan
8. Repeat
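Steps 1 through 6 reduce to a small calculation once the inventory exists: exposure is records held times cost per record, risk is that exposure times the probability of a breach after feasible controls, and the roadmap is the ranking of residual risk against the level the business accepts. The Python below is an added example, not material from the presentation; it uses the $214 per-record figure quoted earlier, while the systems, record counts, probabilities and control effects are constructed estimates standing in for what subject matter experts would supply.

```python
from dataclasses import dataclass, field
from typing import List, Tuple

# Per-record breach cost from the "Costs of Medical Identity Theft 2010" slide.
COST_PER_RECORD_USD = 214


@dataclass
class Control:
    """A candidate mitigation (step 4) with an estimated effect and a feasibility
    decision (step 5). The reduction figure is an SME estimate, not a measurement."""
    name: str
    likelihood_reduction: float   # fraction by which it cuts breach probability, 0..1
    feasible: bool                # dependencies, know-how and business readiness in place?


@dataclass
class System:
    """A system identified in step 1, with estimates gathered in step 2."""
    name: str
    sensitive_records: int
    breach_probability: float     # annual probability of a breach, 0..1 (SME estimate)
    controls: List[Control] = field(default_factory=list)


def exposure(system: System) -> float:
    """Worst-case damage if the system is breached."""
    return system.sensitive_records * COST_PER_RECORD_USD


def residual_probability(system: System) -> float:
    """Breach probability after applying only the controls judged feasible."""
    p = system.breach_probability
    for control in system.controls:
        if control.feasible:
            p *= 1.0 - control.likelihood_reduction
    return p


def expected_loss(system: System) -> float:
    """Step 3: risk as expected damage, probability times exposure (USD per year)."""
    return round(residual_probability(system) * exposure(system), 2)


def roadmap(systems: List[System], acceptable_loss: float) -> List[Tuple[str, float, bool]]:
    """Step 6: rank systems by residual expected loss and flag those whose
    residual risk is at or below the level the business accepts."""
    ranked = sorted(systems, key=expected_loss, reverse=True)
    return [(s.name, expected_loss(s), expected_loss(s) <= acceptable_loss) for s in ranked]


# Constructed inventory; names, counts, probabilities and reductions are illustrative.
INVENTORY = [
    System("EHR database", 50_000, 0.20, [
        Control("Encrypt data at rest", 0.50, feasible=True),
        Control("Quarterly access review", 0.30, feasible=False),
    ]),
    System("Billing portal", 5_000, 0.10),
    System("Research extract", 20_000, 0.05, [
        Control("De-identify extract", 0.90, feasible=True),
    ]),
]

if __name__ == "__main__":
    for name, loss, accepted in roadmap(INVENTORY, acceptable_loss=200_000):
        verdict = "accept" if accepted else "mitigate"
        print(f"{name:18s} expected loss ${loss:>12,.2f}  {verdict}")
```

The infeasible control is deliberately left out of the residual figure: a control that cannot be deployed yet lowers nothing, and the ranking should show the risk as it stands rather than as it would be after a roadmap that has not happened. Step 8 is then just re-running this with updated estimates.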
2010 CWE/SANS Top 25 Programming Errors
1. CWE-79 XSS
2. CWE-89 SQL Injection
3. CWE-120 Classic Buffer Overflow
4. CWE-352 CSRF
5. CWE-285 Improper Authorization
6. CWE-807 Reliance on Untrusted Inputs in Security Decision
7. CWE-22 Path Traversal
8. CWE-434 File Upload
9. CWE-78 OS Command Injection
10. CWE-311 Missing Encryption
11. CWE-798 Hard-coded Credentials
12. CWE-805 Incorrect Length Value in Buffer Access
13. CWE-98 PHP Remote File Inclusion
14. CWE-129 Uncontrolled Array Index
15. CWE-754 Improper Check for Exceptional Conditions
16. CWE-209 Error Message Infoleak
17. CWE-190 Integer Overflow/Wrap
18. CWE-131 Incorrect Buffer Size Calculation
19. CWE-306 Missing Authentication
20. CWE-494 Download of Code Without Integrity Check
21. CWE-732 Insecure Permissions
22. CWE-770 Allocation of Resources Without Limits or Throttling
23. CWE-601 Open Redirect
24. CWE-327 Broken Crypto
25. CWE-362 Race Condition
http://www.sans.org/top25-software-errors/
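Two entries from the list, CWE-89 (SQL injection) and CWE-807 (reliance on untrusted inputs in a security decision), show up together in a typical patient-record lookup: the record number is pasted into the query text, and the request itself asserts the privilege that decides whether the care-team check runs. The Python below is an added example, not code from the presentation or from the SANS/CWE project; the in-memory SQLite schema, the clinician identities and the patient rows are constructed for illustration. The vulnerable function is kept only to contrast with the hardened one, which binds parameters and derives authorization from a server-side table keyed on the authenticated clinician.

```python
import sqlite3
from typing import List, Tuple

Row = Tuple[str, str, str]


def build_db() -> sqlite3.Connection:
    """In-memory demo database with constructed, fictional rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE patients (mrn TEXT PRIMARY KEY, name TEXT, diagnosis TEXT)")
    # care_team records which clinician is allowed to see which patient.
    conn.execute("CREATE TABLE care_team (clinician TEXT, mrn TEXT)")
    conn.executemany("INSERT INTO patients VALUES (?, ?, ?)", [
        ("MRN-1", "Patient One", "Hypertension"),
        ("MRN-2", "Patient Two", "Asthma"),
    ])
    conn.executemany("INSERT INTO care_team VALUES (?, ?)", [
        ("dr_a", "MRN-1"),
        ("dr_b", "MRN-2"),
    ])
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, mrn: str, clinician: str,
                      is_admin_claim: bool) -> List[Row]:
    """Two of the listed errors in one function, for contrast only.
    CWE-89:  the MRN is concatenated into the SQL text.
    CWE-807: the request asserts 'I am an admin' and the care-team check is skipped."""
    sql = f"SELECT mrn, name, diagnosis FROM patients WHERE mrn = '{mrn}'"
    if not is_admin_claim:
        sql += f" AND mrn IN (SELECT mrn FROM care_team WHERE clinician = '{clinician}')"
    return conn.execute(sql).fetchall()


def lookup_hardened(conn: sqlite3.Connection, mrn: str, clinician: str) -> List[Row]:
    """Parameters are bound, never concatenated, so any MRN value is a literal.
    Authorization comes from care_team keyed on the clinician identity taken
    from the authenticated session; nothing the client sends can widen it."""
    sql = (
        "SELECT p.mrn, p.name, p.diagnosis FROM patients p "
        "JOIN care_team c ON c.mrn = p.mrn "
        "WHERE p.mrn = ? AND c.clinician = ?"
    )
    return conn.execute(sql, (mrn, clinician)).fetchall()


if __name__ == "__main__":
    db = build_db()
    print(lookup_hardened(db, "MRN-1", "dr_a"))   # dr_a's own patient
    print(lookup_hardened(db, "MRN-2", "dr_a"))   # not on the care team: []
```

The hardened version also fails closed: a clinician with no care-team row for a record, or a malformed record number, simply gets an empty result, which is the behaviour an audit trail should then record.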
Summary
• Health Risk Management means You are Liable
• Use Compensating Controls
• Plan for Failure
• Trust but Verify
• Web Services Security is an oxymoron because technology is dynamic and browsers are frail
• Good security = Compliance, but Compliance ≠ Good Security
Resources
NIST Intro Guide to test HIPAA security
http://csrc.nist.gov/publications/nistpubs/800-66-Rev1/SP-800-66-Revision1.pdf
NIST Health IT Standards and Testing program
http://healthcare.nist.gov/
PCI DSS Quick Reference Guide
https://www.pcisecuritystandards.org/documents/PCI%20SSC%20Quick%20Reference%20Guide.pdf
Cloud Security Alliance
http://www.cloudsecurityalliance.org/
Jericho Forum
http://www.opengroup.org/jericho/
HIPAA & HITECH
http://www.sharedassessments.org/
ISO 27799:2008 Healthcare
http://www.iso.org/iso/iso_catalogue/catalogue_tc/catalogue_detail.htm?csnumber=41298
ISO/TS 21091:2005 Directory services for security, communications and identification of professionals and patients
Open Web Application Security Project
http://www.owasp.org/index.php?title=Category:OWASP_Guide_Project&redirect=no