Health Care Information Security: Threat & Vulnerability Landscape

HIPAA Summit
Greg Porter
Allegheny Digital
03/10/2011

ALLEGHENY DIGITAL © 2011, ALL RIGHTS RESERVED

Agenda

• Introduction
• Health Care Threat Landscape
• Common Technical Vulnerabilities
• Defensive Considerations
• Conclusion

Introduction

• Greg Porter
• Information Security Consultant, ~10 years
• Primarily “Big 4” consulting
  – Health Care Security Governance & Regulatory Compliance
  – Vulnerability Assessments
  – Penetration Testing
  – Incident Handling
• Visiting Scientist, SEI-CERT
• Adjunct Faculty, Heinz College – Carnegie Mellon University
• Founder, Allegheny Digital

This Presentation

• Based on roughly 8 years of technical and non-technical health care security assessment observations
• Experience with the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH)
• Trying to get a feel for health care security trends, as well as general infosec developments, that I’ve observed during this time
• Intent is simply to provide an overview and perhaps some important considerations for organizations, health care based and otherwise


Current State

• Where are we today?
  – 15 years after the passage of HIPAA
  – Nearly 6 years since Covered Entities had to be compliant with the HIPAA Security Rule
• The HITECH Act and Business Associate compliance demands
  – 18 months since the breach notification requirements (IFR)
• Meaningful use & electronic health records (EHR)
• > 1 Million Covered Entities and Business Associates
• Yet…we continue to see health care organizations struggle with the governance and security of electronic protected health information (ePHI)

Malware Proliferation

• By all indications, the proliferation of malware isn’t slowing
• 2010 was the biggest year ever for total malware production
• At least 20 million new pieces of malware observed in 2010 alone
• 55,000 new instances of malware per day¹
• There is now more malicious code being created today, worldwide, than there is legitimate software²

1. Source: McAfee
2. Source: Symantec

The Unbounded Enterprise

• Data Anywhere ≠ Data Everywhere
• More endpoints and more mobile devices add to the challenge of protecting health information
  – A general lack of security awareness among mobile users
  – Limited offerings and maturity of mobile safeguards; widespread non-secure apps

Attack the Apps

• Third party applications under assault
• Many still perceive the Microsoft OS and other Microsoft products to be the primary attack vector
• A typical end-user PC with 50 programs installed (26 Microsoft, 24 third-party) had 3.5 times more vulnerabilities in the third-party programs than in the Microsoft programs¹
• Client side attacks
  – Visibility: provides the attacker with a foothold to exploit other internal systems
• Despite other security measures (e.g. A/V, OS patching), end users incur the risk of being compromised by cybercriminals via application exploitation

1. Source: Aberdeen Group Research

Malware Delivery: Client Side Exploitation – An Example

• Adobe PDF (Portable Document Format)
• Making substantial progress with Reader X and Flash sandboxing
• Yet malicious PDFs continue to proliferate, targeting older, widely deployed versions of Adobe Reader
• It’s an ISO standard: ISO 32000-1, Document management – Portable document format – Part 1: PDF 1.7
  – Highly useful, highly exploitable software
  – Offers a well leveraged vehicle for client side attacks and, inevitably, for compromising health care targets
  – Why? We can all embed music, movies, 3D artwork complete with JavaScript, and submit-form actions (submit the data you input directly to a server somewhere on the Internet)
  – Executable files!
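The features the slide lists (JavaScript, actions that fire on open, submit-form actions, embedded files) appear in a PDF as name objects, and that is what a mail-gateway or help-desk triage script can key on before a document reaches a clinician's desktop. The following Python is an added example, not code from the presentation or from Adobe: it counts those names in a PDF, resolving the hex-escaped form of a name (/J#61vaScript) and looking inside Flate-compressed streams where object dictionaries are often packed, then scores the file. The name list, weights and threshold are this example's own assumptions, and the two sample documents are constructed inline (they carry no exploit, only the structural markers).

```python
import re
import zlib
from typing import Dict

# Name objects that give a PDF active content or outbound behaviour. The list
# follows the features the slide calls out; the weights are this example's own
# assumption, not an Adobe or ISO 32000 scoring scheme.
RISKY_NAMES: Dict[str, int] = {
    "/JavaScript": 3,
    "/JS": 3,
    "/OpenAction": 2,    # action executed as soon as the document is opened
    "/AA": 2,            # additional actions: page open, field focus, ...
    "/Launch": 4,        # launch an external program
    "/EmbeddedFile": 2,  # file attachment, e.g. an executable
    "/SubmitForm": 2,    # send form data to a URL
    "/URI": 1,
    "/RichMedia": 2,     # Flash, movies, 3D
}

# "stream ... endstream" bodies; the lookbehind stops "endstream" from being
# mistaken for the start of a new stream.
STREAM_RE = re.compile(rb"(?<!end)stream\r?\n(.*?)\r?\nendstream", re.DOTALL)


def _decode_name_escapes(data: bytes) -> bytes:
    """Resolve #xx hex escapes so /J#61vaScript is seen as /JavaScript."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), data)


def _inflate_streams(data: bytes) -> bytes:
    """Concatenate the contents of every stream zlib can inflate.

    Object dictionaries are frequently stored in FlateDecode'd object streams,
    so scanning only the raw bytes would miss them. Other filters are skipped."""
    parts = []
    for m in STREAM_RE.finditer(data):
        try:
            parts.append(zlib.decompress(m.group(1)))
        except zlib.error:
            pass
    return b"\n".join(parts)


def scan_pdf_bytes(data: bytes) -> Dict[str, int]:
    """Count each risky name across the raw file and its inflated streams."""
    text = _decode_name_escapes(data + b"\n" + _inflate_streams(data))
    hits: Dict[str, int] = {}
    for name in RISKY_NAMES:
        # A name token ends at a delimiter, so /JS must not match inside /JSX.
        pattern = re.escape(name.encode()) + rb"(?![A-Za-z0-9])"
        count = len(re.findall(pattern, text))
        if count:
            hits[name] = count
    return hits


def triage(data: bytes, threshold: int = 4) -> dict:
    """Score a PDF and decide whether it needs analyst review before delivery."""
    hits = scan_pdf_bytes(data)
    score = sum(RISKY_NAMES[n] * c for n, c in hits.items())
    return {"hits": hits, "score": score,
            "verdict": "review" if score >= threshold else "ok"}


# ---- constructed sample documents (structural markers only, no exploit) ----
BENIGN_PDF = (
    b"%PDF-1.7\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Count 1 /Kids [3 0 R] >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)


def _build_suspicious_pdf() -> bytes:
    # An attachment dictionary hidden in a Flate-compressed stream, plus a
    # hex-escaped /JavaScript action wired to run when the document opens.
    packed = zlib.compress(b"<< /Type /EmbeddedFile /Length 0 >>")
    return (
        b"%PDF-1.7\n"
        b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj\n"
        b"4 0 obj << /S /J#61vaScript /JS (app.alert(1)) >> endobj\n"
        b"5 0 obj << /Filter /FlateDecode /Length " + str(len(packed)).encode()
        + b" >>\nstream\n" + packed + b"\nendstream\nendobj\n"
        b"trailer << /Root 1 0 R >>\n%%EOF\n"
    )


SUSPICIOUS_PDF = _build_suspicious_pdf()

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_PDF), ("suspicious", SUSPICIOUS_PDF)):
        print(label, triage(doc))
```

A hit on /OpenAction plus /JavaScript is not proof of malice (many forms use both), which is why the output is a score for a human or sandbox to act on rather than a block decision; the check is useful precisely because it does not depend on an A/V signature for the specific payload.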

Anti-Virus Isn’t Enough

• This doesn’t mean that you do away with A/V
• Highly utilized and proven…but relies on a known signature in the A/V database
• Free, high quality software such as the Metasploit framework provides a platform for developing malicious PDFs
  – Attackers create new signatures by encoding their malicious code to scramble the executable and evade detection
• The executable file can then be uploaded – for free – to a site such as VirusTotal to validate detection…or not
• The goal is to ensure the malicious payload evades detection in your environment

So Easy a Caveman Can Do It?

• Malware kits available
  – Prices range from $40 to several thousand dollars¹
• Can encrypt malware so that signature detection systems and static analysis processes are rendered ineffective
  – Add anti-debugging features to thwart discovery by security professionals and automated sandbox analysis technologies
• Adaptable business practices
  – Based on feature demand and support desired
  – Maintenance & installation offered
• Malware is passed through multiple A/V

1. Source: Symantec
2. Images provided by Secunia

Social Engineering

• The act of manipulating a person to take an action that may or may not be in the “target’s” best interest¹
• Excellent resource: www.social-engineer.org
• Commonly used attack vector…only growing in terms of its sophistication, adoption, and ease of use
• Enter the Social Engineering Toolkit (SET)
  – Hack-by-numbers software developed by Dave Kennedy – www.secmaniac.com
  – Available in BackTrack 4
• Enables the crafting of PDFs and the ability to send e-mails with embedded malicious code
  – Spear phishing and much more
• Also contains an “infectious media generator” to develop malicious USBs, DVDs, and CDs

1. Hadnagy, Christopher, “Social Engineering: The Art of Human Hacking”, 2010

SET Example

[Slide screenshots with captions: Select Attack; Malicious PDF Payload Created; Reverse Shell Obtained Against Target]

Malware – Client Side Delivery

• Malicious PDF files under the guise of H1N1
  – When the PDF is opened, it exploits Adobe Reader, drops a backdoor, and shows a file referring to H1N1 flu
  – The exploit drops a malicious file called "AcrRd32.exe" into the computer's temp folder
  – The malicious file connects to three IP addresses in order to "call home". These addresses were in Texas (207.200.45.12), Budapest (89.223.181.93) and Hyderabad (202.53.69.130)
• Anybody who controls those IPs will gain access to the infected computer and the company network
  – It’s reasonable to believe that similar attacks are occurring daily against health care entities
  – Adobe Reader X: sandboxing in protected mode by default
  – Disable JavaScript
    • Edit -> Preferences -> Uncheck “Enable Acrobat JavaScript”

Health Care Data For Sale

• A cybercriminal seeking data that will enable him to file false medical claims¹

1. Source: RSA

Health Care Data For Sale

• A post in the underground seeking buyers for the medical records of over 6,500 patients¹

1. Source: RSA

Motivation

• Organized crime
  – While a hacker might get $1 to $5 for a stolen credit card number, a stolen medical identity could fetch a premium of $14 to $18
• Medical identity theft
  – Patient pretends to be someone else so they won't have to pay for their own medical bills (e.g. treatment, prescriptions, surgery)
  – Use the data to order prescriptions at multiple pharmacies and then attempt to resell the medicine online
  – Organized thieves working as receptionists, janitors, and accountants within the health care field itself
• Insider Threat (http://www.cert.org/insider_threat/)
• Health care entities have valuable assets
  – Like electronic medical records on most of us
  – Highly available networks
  – Information rich environments: not just ePHI and PII, but also financial data, R&D information, academic studies
  – Equipment (e.g. laptops, PDAs, mobile phones, robots)

Health Care Targeting

• Hacker attacks targeting healthcare organizations doubled in the 4th quarter of 2009
  – SecureWorks data
• Attempted attacks increased from an average of 6,500 per healthcare client per day in the first nine months of 2009 to an average of 13,400 per client per day in the last three months of 2009
• Attempted attacks against other types of organizations protected by SecureWorks did not increase in the fourth quarter
• Possible correlation?

Insider Threat

• Who is the malicious insider?
• A current or former employee, contractor, or other business partner who:
  – has or had authorized access to an organization’s network, system or data
  – and intentionally exceeded or misused that access in a manner that
  – negatively affected the confidentiality, integrity, or availability of the organization’s information or information systems
• Walking among us?
• A security guard at a U.S. hospital, after submitting resignation notice, obtained physical access to computer rooms
  – Installed malicious code on hospital computers controlling the organization’s HVAC systems, and accessed patient medical records
• For additional information: http://www.cert.org/insider_threat/

Impact

• Breach of ePHI
  – Damage to reputation
  – Regulatory consequences and financial penalties
  – Jail time, criminal penalties for willful neglect
• Loss of human life?
• While many concerns focus on a data breach, some vulnerabilities can be more severe
  – Pacemakers and implantable cardiac defibrillators susceptible to RF manipulation and attack¹
  – Consider the implications of the previously mentioned DDoS attack and the availability of WiFi-equipped IV infusion pumps, “smart pumps”
  – Wireless networks are playing an increasingly important role in patient care, yet few CEs have evaluated the impact of a DoS attack against such deployments

1. Feder, Barnaby, “A Heart Device Is Found Vulnerable to Hacker Attacks”, New York Times, March 2008, http://www.futurecrimes.com/biological-human-genome-crime/hacking-the-human-heart-medical-devices-found-subject-to-technical-attack/

IPv6

• IPv4 address space has been exhausted
• IPv6 is the successor to IPv4
• The IPv6 protocol is enabled by default in many operating systems, namely the majority of modern Windows systems, Mac OS X, Linux and Solaris
• Running “dual stack” network services…unknowingly?
• Security devices, such as firewalls or IDSs, or network management tools may not be capable of, or configured for, analyzing IPv6 data
• Malicious communications could be established from and to network computers supporting IPv6
  – For example, a system can be attacked using IPv4, IPv6 or a combination of both: using IPv4 to detect the computer and IPv6 as a covert communication channel
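The "dual stack…unknowingly?" question has a concrete answer on each host: which services are listening on an IPv6 address at all, and which of them have no IPv4 counterpart, so that the IPv4-only firewall and IDS rules never considered them. The following Python is an added example, not code from the presentation: it parses the Local Address:Port column of Linux `ss -tln` output (constructed sample output below; the column layout assumed is that of modern iproute2) and reports IPv6-exposed, IPv6-only and dual-stack ports. Loopback listeners are ignored because they are not reachable from the network.

```python
import ipaddress
import subprocess
from typing import Dict, List, NamedTuple, Set


class Listener(NamedTuple):
    family: int     # 4 or 6
    address: str    # bound address without brackets or scope id
    port: int


def parse_ss_listeners(output: str) -> List[Listener]:
    """Parse the 'Local Address:Port' column of `ss -tln` output.

    Handles the modern iproute2 forms 0.0.0.0:22, 127.0.0.1:3306, [::]:22,
    [::1]:25 and [fe80::1%eth0]:5353 (assumption of this example)."""
    listeners = []
    for line in output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue                      # header line or non-listening socket
        addr, _, port = fields[3].rpartition(":")
        addr = addr.strip("[]").split("%", 1)[0]   # drop brackets and scope id
        family = 6 if ":" in addr else 4
        listeners.append(Listener(family, addr, int(port)))
    return listeners


def audit_ipv6_exposure(listeners: List[Listener]) -> Dict[str, List[int]]:
    """Report ports reachable over IPv6, and those with no IPv4 listener.

    Caveat: on Linux a socket bound to [::] without IPV6_V6ONLY also accepts
    IPv4 clients, so a port that shows up only as [::] may be serving both
    families; it is still reported under ipv6_only because no explicit IPv4
    listener exists for the IPv4-centric rule set to have been written against."""
    v4: Set[int] = set()
    v6: Set[int] = set()
    for l in listeners:
        if ipaddress.ip_address(l.address).is_loopback:
            continue                      # 127.0.0.1 / ::1 are not network exposed
        (v4 if l.family == 4 else v6).add(l.port)
    return {
        "ipv6_exposed": sorted(v6),
        "ipv6_only": sorted(v6 - v4),
        "dual_stack": sorted(v6 & v4),
    }


def live_report() -> Dict[str, List[int]]:
    """Run ss on the local host (Linux only) and audit the result."""
    out = subprocess.run(["ss", "-tln"], capture_output=True, text=True, check=True)
    return audit_ipv6_exposure(parse_ss_listeners(out.stdout))


# Constructed sample of `ss -tln` output for a host nobody configured for IPv6.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
LISTEN  0       128     [::]:22              [::]:*
LISTEN  0       4096    127.0.0.1:3306       0.0.0.0:*
LISTEN  0       128     [::1]:25             [::]:*
LISTEN  0       128     [::]:8080            [::]:*
LISTEN  0       128     [fe80::1%eth0]:5353  [::]:*
"""

if __name__ == "__main__":
    print(audit_ipv6_exposure(parse_ss_listeners(SAMPLE_SS_OUTPUT)))
```

On the sample host, 8080 and 5353 are the findings worth chasing: an application listening on every IPv6 address without anyone having chosen that, and a link-local listener that is still reachable by any neighbour on the segment. The `live_report()` helper is the same audit run against the local `ss` binary.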


Common Technical Vulnerabilities

• The next several slides convey technical vulnerabilities observed across covered entities
• CEs assessed included health care Providers, Payers, and Business Associates
• Assessment activities were initiated to gain an understanding of potential HIPAA Security related vulnerabilities and exposures, and what may need to be done, if anything, to mitigate identified risks to ePHI
• Assessment activities included a diagnostic review of the target’s HIPAA Security posture against the regulations, as well as internal/external vulnerability assessments and controlled penetration testing

Health Care Grade Network

Non-Hardened Architecture

Network & System Configuration

• Assessed CEs and BAs place an acute focus on availability
• Security zones via network segmentation often lacking
• Network services and installed operating systems lack security baselines and configuration hardening prior to production deployment
• Default installations are common among:
  – OS (Windows, Linux/Unix)
  – Network Infrastructure (Firewalls, Routers, Switches)
  – Databases (Oracle, MySQL, MSSQL)
  – Multi-function Printers (Open File Sharing, GB/TB Drives)
  – Applications (HVAC, Customer Facing)
  – Modems
• Deprecated OSs
• Sensitive information is everywhere, and its location is often not well understood
  – Exists in structured areas such as databases, but also unstructured areas such as text files, Word/Excel, etc.

But Wait…There’s More

• Inadequate Password Controls
  – Password Re-use & Sharing
  – OS, Network Devices, Databases, Custom & Commercial Applications
• Poor and/or Inconsistent Patch Management
  – OS, Databases, Network Devices, and Applications
• Lack of Network Logging, Monitoring and Alerting, and Awareness
• Active patient/customer data being used in Test and Development environments
• Poor User Account Management Controls
  – Inactive/Terminated Users & Rogues
  – Badge Reclamation
• Web Application Vulnerabilities
• Clear Text Protocols Transmitting Sensitive Information such as User Credentials and ePHI
  – FTP, HTTP, Telnet
• Lack of Encryption
  – Laptops, Workstations, Endpoints
• Clean Desk/Clear Screen Policy not observed/enforced
  – Confidential Data, Hard Drives, Removable Media Left on Desks, Unprotected
• Security Software Installed
  – Nessus, L0phtCrack, Metasploit
• “Unauthorized” Software
  – AOL Clients, Peer-to-Peer File Sharing, BitTorrent Clients, MythTV, WoW
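Two findings from these slides are cheap to check from egress firewall logs, which the "lack of network logging, monitoring and alerting" bullet says many CEs do not review: internal hosts talking to the call-home addresses the H1N1 PDF slide names, and internal hosts using the cleartext protocols (FTP, HTTP, Telnet) this slide lists. The following Python is an added example, not code from the presentation: it parses constructed key=value firewall log lines (the format is this example's assumption; adapt `parse_line()` to the appliance in use), flags both conditions, and lists the hosts a responder would isolate first. The three addresses come from the slide and are used only as sample indicators; indicators of this kind age as addresses are reassigned, so a real deployment would load a current feed.

```python
import ipaddress
from collections import defaultdict
from typing import Dict, List

# Call-home addresses named on the H1N1 PDF slide, used here as sample indicators.
CALLBACK_IOCS = {"207.200.45.12", "89.223.181.93", "202.53.69.130"}

# Cleartext protocols the slide lists as carrying credentials and ePHI.
CLEARTEXT_PORTS = {21: "FTP", 23: "Telnet", 80: "HTTP"}

# Constructed firewall log lines (this example's own key=value layout).
SAMPLE_LOG = """\
2011-03-01T10:02:11 fw action=ALLOW src=10.20.1.15 dst=207.200.45.12 proto=tcp dport=443
2011-03-01T10:02:15 fw action=ALLOW src=10.20.1.15 dst=89.223.181.93 proto=tcp dport=8080
2011-03-01T10:03:02 fw action=ALLOW src=10.20.3.7 dst=10.20.9.2 proto=tcp dport=23
2011-03-01T10:03:40 fw action=ALLOW src=10.20.3.7 dst=198.51.100.20 proto=tcp dport=21
2011-03-01T10:04:01 fw action=ALLOW src=10.20.1.15 dst=198.51.100.20 proto=tcp dport=443
2011-03-01T10:04:30 fw action=DENY src=10.20.5.9 dst=202.53.69.130 proto=tcp dport=80
"""


def parse_line(line: str) -> Dict[str, str]:
    """Split '<ts> <host> k=v k=v ...' into a dict."""
    fields = line.split()
    record = {"ts": fields[0], "host": fields[1]}
    for kv in fields[2:]:
        key, _, value = kv.partition("=")
        record[key] = value
    return record


def review(log_text: str, iocs=CALLBACK_IOCS) -> List[dict]:
    """Return one finding per log line that matches an indicator or a cleartext rule."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        r = parse_line(line)
        reasons = []
        if r["dst"] in iocs:
            # A denied attempt still means the source host tried to call home,
            # so the indicator match does not depend on the firewall action.
            reasons.append("known_callback_address")
        dport = int(r.get("dport", 0))
        if (r["action"] == "ALLOW" and dport in CLEARTEXT_PORTS
                and ipaddress.ip_address(r["src"]).is_private):
            # Only successful sessions from internal hosts are a real exposure.
            reasons.append("cleartext_protocol:" + CLEARTEXT_PORTS[dport])
        if reasons:
            findings.append({"ts": r["ts"], "src": r["src"], "dst": r["dst"],
                             "dport": dport, "reasons": reasons})
    return findings


def hosts_to_isolate(findings: List[dict]) -> List[str]:
    """Internal hosts that contacted a callback address: containment candidates."""
    return sorted({f["src"] for f in findings
                   if "known_callback_address" in f["reasons"]})


def cleartext_summary(findings: List[dict]) -> Dict[str, int]:
    """How many allowed sessions used each cleartext protocol."""
    counts: Dict[str, int] = defaultdict(int)
    for f in findings:
        for reason in f["reasons"]:
            if reason.startswith("cleartext_protocol:"):
                counts[reason.split(":", 1)[1]] += 1
    return dict(counts)


if __name__ == "__main__":
    found = review(SAMPLE_LOG)
    for f in found:
        print(f)
    print("isolate:", hosts_to_isolate(found))
    print("cleartext:", cleartext_summary(found))
```

The Telnet session between two internal hosts is the kind of finding the assessments described on these slides turn up: it never crosses the perimeter, so an Internet-facing rule set says nothing about it, yet the credentials it carries are visible to anyone on the path.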

Breach Data & Hacking

[Chart: Hacking/IT Incident – Individuals Affected (y-axis 0 to 450,000); data labels on the chart: 610; 31,700; 2,000; 29,857; 708; 2,300; 26,064; 410,493; 400,157]

1. Source: Department of Health and Human Services

The Reality

• Health care systems and data are under assault like never before
• Hacking and digital attacks are occurring and will continue
• CEs and BAs often lack the resources and expertise needed to detect health information loss
• “Set it and forget it” compliance mindset
• Focus is often placed too heavily on meeting regulatory objectives and not on visibility, detection, and response
• For reasons such as these, many Hacking/IT Incidents against health care organizations likely go unnoticed and therefore unreported

The Challenge

• Asymmetric issue, many to one
  – CEs must identify and then defend against (many) potential attack vectors within their environment, and then vigilantly monitor
  – Bad guys only need to find a single weakness to exploit
• Automated attack tools and packaged exploits make this challenge all the more difficult to defend against
• It’s not a matter of whether you’re paranoid…


HIPAA Security Drivers

• As required by HIPAA’s Administrative Safeguard Standard §164.308(a)(8), Evaluation
• Perform a periodic technical and nontechnical evaluation that establishes the extent to which a given CE’s policies and procedures meet the intent of the HIPAA Security provisions
  – Work with General Counsel to ensure that your current HIPAA Security posture is compliant with the legislation’s intent
  – Conduct an accurate and thorough risk assessment to identify, define, and prioritize risks to ePHI; it should also encompass ePHI brokered to business associates
  – If reasonable and appropriate, conduct penetration testing and vulnerability assessments (internal and external) against information assets storing or processing ePHI

Defensive Considerations

• The threat landscape is highly dynamic
• Talk to your network/system administrators. What are they seeing?
• Baseline network traffic; focus on visibility and on defining what’s normal
• Baseline Your Networks
  – Necessary ports & services
  – SANS Consensus Audit Guideline (CAG): http://www.sans.org/critical-security-controls/
• Lock down outbound ports and services based on business justification
  – Do all users need access to Telnet, FTP, SSH, RDP, etc.?
• Conduct an accurate and thorough risk assessment to identify, define, and prioritize risks to your mission critical assets

Baseline Your Systems

• Baseline Your Systems
  – Current users, system processes, dynamic link libraries (DLLs) for critical applications
  – What’s “normal”? Create a known frame of reference
• Configuration Guidelines
  – Center for Internet Security: http://cisecurity.org/en-us/?route=default
  – National Security Agency: http://www.nsa.gov/ia/guidance/security_configuration_guides/operating_systems.shtml
  – Defense Information Systems Agency Security Technical Implementation Guides (STIGs) and Supporting Documents: http://iase.disa.mil/stigs/
  – Microsoft Security Compliance Manager: http://technet.microsoft.com/en-us/library/cc677002.aspx
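A baseline is only useful if something compares it to the current state and says what moved. The following Python is an added example, not code from the presentation or any of the guideline bodies it lists: it models the three things the slide says to baseline (local accounts, running processes with the hash of their on-disk executable, and the DLLs loaded by critical applications), diffs a stored baseline against a fresh snapshot, and ranks the deviations. The snapshots are constructed inline with placeholder hashes; in practice they would be filled from the platform's inventory tools. The newly appeared "AcrRd32.exe" is the file name from the H1N1 slide, and the sample shows why a name-level baseline catches it: it is one letter short of the legitimate Adobe Reader image name.

```python
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass
class Snapshot:
    """What the slide says to baseline on a host."""
    users: Set[str]                   # local accounts
    processes: Dict[str, str]         # image name -> hash of the executable on disk
    modules: Dict[str, Set[str]]      # critical application -> DLLs it has loaded


@dataclass
class Deviation:
    kind: str
    subject: str
    detail: str = ""


# Ranking used to order the review queue (this example's own choice).
SEVERITY = {"changed_binary": 3, "new_process": 3, "new_module": 2,
            "new_user": 2, "missing_process": 1, "removed_user": 1}


def diff_snapshots(baseline: Snapshot, current: Snapshot) -> List[Deviation]:
    """List every way the current host state departs from the baseline."""
    out: List[Deviation] = []
    for u in sorted(current.users - baseline.users):
        out.append(Deviation("new_user", u))
    for u in sorted(baseline.users - current.users):
        out.append(Deviation("removed_user", u))
    for name, digest in sorted(current.processes.items()):
        if name not in baseline.processes:
            out.append(Deviation("new_process", name, digest))
        elif baseline.processes[name] != digest:
            # Same image name, different bytes on disk: patched, or replaced.
            out.append(Deviation("changed_binary", name,
                                 f"{baseline.processes[name]} -> {digest}"))
    for name in sorted(set(baseline.processes) - set(current.processes)):
        out.append(Deviation("missing_process", name))
    for app, dlls in sorted(current.modules.items()):
        for dll in sorted(dlls - baseline.modules.get(app, set())):
            out.append(Deviation("new_module", app, dll))
    return out


def prioritise(deviations: List[Deviation]) -> List[Deviation]:
    """Most severe first; ties keep diff order."""
    return sorted(deviations, key=lambda d: -SEVERITY[d.kind])


# ---- constructed snapshots; hashes are placeholders, not real digests ------
BASELINE = Snapshot(
    users={"administrator", "nurse01", "svc_ehr"},
    processes={"ehr.exe": "3b1f", "hvacctl.exe": "9a07", "AcroRd32.exe": "c4d2"},
    modules={"ehr.exe": {"kernel32.dll", "ehrcore.dll"}},
)
CURRENT = Snapshot(
    users={"administrator", "nurse01", "svc_ehr", "svc_backup2"},
    processes={"ehr.exe": "3b1f", "hvacctl.exe": "e811",
               "AcroRd32.exe": "c4d2", "AcrRd32.exe": "51aa"},
    modules={"ehr.exe": {"kernel32.dll", "ehrcore.dll", "updhelper.dll"}},
)

if __name__ == "__main__":
    for d in prioritise(diff_snapshots(BASELINE, CURRENT)):
        print(f"[{SEVERITY[d.kind]}] {d.kind:16} {d.subject:14} {d.detail}")
```

Each deviation here has an innocent explanation (a patch, a new backup account, an updated helper library), which is the point of the slide's "known frame of reference": the baseline turns an unanswerable "is this host clean?" into a short list of specific changes someone can confirm or reject.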

Monitor Your System Baselines

• Many health care organizations don’t have the budget for “high-end” security software, but high-quality, low-cost options are available
• Yet numerous commercial products often resemble open community tools…coincidence?
• Patching:
  – Belarc Advisor: http://www.belarc.com/free_download.html
  – Secunia Personal Software Inspector (PSI): http://secunia.com/vulnerability_scanning/personal/
• Anti-X
  – Microsoft Security Essentials, ClamAV, ThreatFire

Monitor Your System, Network Baselines, and Information

• OpenNMS
  – http://www.opennms.org/
  – Open-source network monitoring platform
• OpenDLP
  – Free and open source, agent-based, centrally-managed, massively distributable data loss prevention tool released under the GPL
  – http://code.google.com/p/opendlp/
• Nagios
  – http://www.nagios.org/
• Open Source Host-based Intrusion Detection System (OSSEC)
  – http://www.ossec.net/
• Open Source Security Information Management (OSSIM)
  – Open Source SIEM is a complete Security Management

Governance Models

• Consider frameworks such as the CERT Resilience Management Model (CERT-RMM)
• Check out the Health Information Trust Alliance (HITRUST)
  – Excellent source for health care related security controls
  – Based on the ISO 27000 family of standards
  – Offers certification
• Education
  – Emphasize the lack of anonymity social networks actually provide
  – Use real-world attacks and scams as examples
  – Realize you are representing your employer; act as such
  – Encourage paranoia
• Consider how your data is managed from entrance to exit


Conclusion

• Data breaches are costing covered entities millions of dollars
• Detecting and mitigating digital intrusions means that visibility and response are an absolute must!
• Don’t let a patient/customer be your first notification that something is amiss within your current data protection and compliance program
• Make data protection a priority…it can be achieved on a budget
• It is the responsibility of assigned organizational management to take reasonable and appropriate measures to safeguard sensitive information in line with regulatory demands and consumer expectations

Questions?

ALLEGHENY DIGITAL
THANK YOU! www.alleghenydigital.com
1.877.234.0001

Allegheny Digital

• Allegheny Digital
  – Consulting
  – Managed Monitoring
  – Training & Education
• Western PA based
• Customers
  – Health Care
  – Energy
  – Manufacturing
  – Finance