Infosec Management In Healthcare
Or why security blankets and Johnny shirts don’t cover your backside
HTCIA Atlantic Chapter Annual Conference
October 22, 2013
(uploaded Jul 13, 2015)
About me
• Sr. Security Analyst for Capital District Health Authority – The information presented here is my own opinion and is not related in any way whatsoever to my employer
• Co-founder of The Atlantic Security Conference www.atlseccon.com
• Co-founder of the Halifax Area Security Klatch www.thehask.com
• Big time fan of Bruce Lee and blues music!
Healthcare & The Law
• There is no Canadian federal law requiring health care providers to disclose details regarding data loss and breaches.
• Bill C-475 seeks to update PIPEDA to include mandatory breach notification and consequences for security breaches
• Nova Scotia’s Personal Health Information Act has been in effect since June 1, 2013
• The only Canadian jurisdiction that currently has made security breach notification mandatory is Alberta
Diagnosis
• The United States has federal legislation requiring healthcare providers to inform the public of breaches: the Health Information Technology for Economic and Clinical Health (HITECH) Act, effective since 2009
• Top 5 PHI Breaches, 2012 (Redspin breach report)
Diagnosis
• 538 breaches of protected health information (PHI)
• 21,408,505 patient health records affected
• 21.5% increase in the number of large breaches in 2012 over 2011 but… a 77% decrease in the number of patient records impacted
• 67% of all breaches have been the result of theft or loss
• 57% of all patient records breached involved a business associate
• 5X – historically, breaches at business associates have impacted 5 times as many patient records as those at a covered entity
Diagnosis
• 38% of incidents were the result of an unencrypted laptop or other portable electronic device
• 63.9% of total records breached in 2012 resulted from the 5 largest incidents
• 780,000 records were breached in the single largest incident of 2012
Only In Canada eh!
Why they want it…
• Healthcare records combined with other personal information create an identity portfolio
• These portfolios or “kitz” can be used for multiple fraud types
• “kitz” can sell on the underground market for up to $1300.00
Prognosis
• There is an epidemic of data loss for healthcare
• We pretty much stink at handling PHI
• Things are getting better but there is still lots of room for improvement
Managing Data
• Confidentiality refers to preventing the disclosure of information to unauthorized individuals or systems
• Integrity is maintaining and assuring the accuracy and consistency of data
• Availability: for any information system to serve its purpose, the information must be available when it is needed
In the News
Hacking Medical Devices
• We miss you Barnaby Jack
A day in the life... (The mostly boring underbelly of infosec)
Browse to Host
Looking For The Obvious
Great Success!
Raising Awareness…
Keeping a watchful eye
• Network Monitoring
– Establish a baseline
– Identify anomalies and problem areas
– Identify root cause
– Historical reporting to help trend and scale services
Keeping a watchful eye
Network Access Control
• Knowing who and what is on the network
• Access policies based upon role/requirement
• Process for poorly behaving computers (Threats)
A day in the life of infosec... continued
• Endpoint Protection
A day in the life of infosec... continued
• What is significant in this list regarding Risk?
• Most infections and threats appear to be Trojans…
• Key loggers, downloaders, remote administration, screen scrapers
A day in the life of infosec... continued
• Security Incident Event Management
– Monitor activity between client-server, client-client and server-server
– Monitored 24x7, 365 days a year by the Systems Operations Centre
– CDHA Support staff are notified when there is traffic of interest
Portals Here…Portals There… Portals Everywhere
• XSS – Cross Site Scripting
• On OWASP top 10 list for 2013
XSS Quick Demo
• Joe McCray from Strategic Sec has an online site for practicing XSS
(Thanks Joe... I owe you a rum and coke)
http://199.204.214.176/xss_practice/
• A quick test for an XSS vulnerability: <script>alert('XSS alert')</script>
– This will open a popup alert window with the message XSS Alert
• This script will have much more impact on the “C” level folks:
<br><br>Your session has expired please login to continue:<form action="destination.asp"><table><tr><td>Login:</td><td><input type=text length=20 name=login></td></tr><tr><td>Password:</td><td><input type=text length=20 name=password></td></tr></table><input type=submit value=LOGIN></form>
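As an added example (not from the original slides), the defender's side of the demo above: encoding untrusted output so that the probe string and the fake "session expired" form render as inert text instead of live markup, plus a small check a reviewer can run over a page template. The results-page template and its function names are assumptions; it runs stand-alone under Node.js.

```javascript
// Added example (not from the original slides): output encoding as the fix
// for the reflected XSS demonstrated above. The "search results" template
// is hypothetical.

// Characters that can open/close a tag or break out of a quoted attribute.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };

// Encode untrusted text before placing it in an HTML element body.
function escapeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable template: reflects the user's query straight into the markup,
// so a query of "<script>alert('XSS alert')</script>" becomes live script.
function renderResultsVulnerable(query) {
  return `<h1>Results for: ${query}</h1>`;
}

// Hardened template: identical markup, but the query is encoded first.
function renderResultsFixed(query) {
  return `<h1>Results for: ${escapeHtml(query)}</h1>`;
}

// Review check: list the tag names present in the rendered page and report
// any that the template itself did not emit (here only <h1> is expected).
function unexpectedTags(html, allowed = ['h1']) {
  const found = [...html.matchAll(/<\/?([a-zA-Z][a-zA-Z0-9]*)/g)].map((m) => m[1].toLowerCase());
  return [...new Set(found.filter((t) => !allowed.includes(t)))];
}

// Constructed inputs: the probe string from the slides and a shortened
// version of the fake "session expired" login form.
const PROBE = "<script>alert('XSS alert')</script>";
const FAKE_LOGIN = 'Your session has expired please login to continue:<form action="destination.asp"><input type=text name=login></form>';

// Show, for each input, which foreign tags survive in each rendering.
for (const input of [PROBE, FAKE_LOGIN]) {
  console.log('vulnerable:', unexpectedTags(renderResultsVulnerable(input)));
  console.log('fixed     :', unexpectedTags(renderResultsFixed(input)));
}
```

Element-body encoding is the right fix for this demo; text placed inside attributes, URLs or script blocks needs the context-specific encoding for that location instead.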
RISK
• Infosec is really about RISK… the sooner we all realize that, the better
RISK Management Basics
• Qualify – What is the attack surface? What is exposed? Confirmed and potential
• Quantify – What is the likelihood and the impact? How does it compare to other exposures?
• Correct – What measures should we take to Avoid, Accept, Reduce and/or Transfer RISK?
• Stop and ask what level of RISK the organization can/will assume
What we don't want to do
• Security Theater is a term that describes security countermeasures intended to provide the feeling of improved security while doing little or nothing to actually improve security
What we should be doing
• Security should be baked in... reach out to your Project Managers, let them know what you can do
• Be an enabler and help them to introduce new services that are secure
• Look at your environment with filters
– Classify your data – in healthcare we filter by public, administrative and clinical
– Identify systems and applications and rate them by criticality (low, medium, high)
• Identify vulnerabilities and gaps in these systems and applications
• Apply some RISK management basics to avoid, accept, reduce and/or transfer RISK
Security Lifecycle
• Balancing security requirements with business needs can be challenging
• Strive for continuous improvement
• Security is a process not a product
The answer...
• Why don't security blankets and Johnny shirts cover your backside?
– Johnny shirts are designed so that a patient does not have to pull the shirt over their head, it can be put on lying down and of course so they can easily use the washroom.
– No single solution can mitigate every threat.... there is always an exposure
Thank you
• Twitter Handle – @k0z1can
• LinkedIn Profile – http://ca.linkedin.com/in/andrewkozma
• Parting thoughts – “Absorb what is useful, discard what is not, add what is uniquely your own.” ~ Bruce Lee
– See you all at the next Atlantic Security Conference March 27th and 28th, 2014