Healthcare Industry Under Siege

Increasingly sophisticated cyberattacks are compromising healthcare organizations, and many remain unaware that their network is already compromised.

Much of the focus in recent news is on attacks on retailers and the financial industry. It is easy to see the results of these money-motivated attacks in the form of large thefts of money or credit cards.

As a result, it may surprise you to know your health care information is under attack. You are mistaken if you think that HIPAA’s data security protections are working to protect it. Health care organizations are not meeting the security table stakes. By rushing to implement electronic health records without minimum viable security, health care organizations are leaving the door wide open for criminals.

How Bad Is It?

A recent study by the Ponemon institute revealed that 94% of medical institutions have been victims of a cyber attack. So it’s safe to assume that your records were at least targeted by an attack.

The data-driven Health Care Cyberthreat Report from SANS reveals news from the battlefront. They tracked at least 375 healthcare-related organizations in the US as they were attacked and compromised between September 2012 and October 2013. They identified nearly 50,000 malicious activities toward healthcare-related organizations during that period. Health care providers saw the lion’s share of malicious traffic – 72%, and business associates were second with almost 10%. Also affected were health plans, health care clearinghouses, and pharmaceutical organizations.

Why Isn’t HIPAA Helping?

HIPAA stands for the “Health Insurance Portability and Accountability Act.” It was not designed to be a standard for security. It has data security provisions, which we have detailed in a series of articles on our website.

Data security is only one small component of the laws around HIPAA. The HIPAA rules around data security aren’t as prescriptive as the rules for the payment card industry. They are more open-ended and subject to the interpretation of auditors. HIPAA’s one-size-fits-all approach means that not every possible data security control makes sense for every size and type of business. And many business associates are still struggling to meet their required compliance with HIPAA.

Lastly, HIPAA audits have generally been only of the largest organizations. The department of health and human services seeks to make examples out of companies that fail to protect patient information. Larger organizations generate larger fines and larger headlines. Smaller health care organizations are not likely to see a HIPAA audit anytime soon, and therefore may fail to see the need to implement HIPAA-required controls.

Areas For Improvement

The 6th Annual HIMSS Security Survey, sponsored by Experian® Data Breach Resolution revealed some interesting findings. The survey respondents were from organizations with electronic health records or document imaging systems. Respondents self-identified as being responsible for IT or security.

97.5% of respondents revealed that they have a firewall in place to protect their networks, which is good news. But the remaining 2.5% are really bad news. How can an organization entrusted with protecting health information fail to meet such a low level of security?

And in the context of this survey, 19% of respondents had suffered a security breach within the last 12 months. On average, they rated their security maturity as a 4.35 out of 7. Only about half employed someone whose full time job concerned data security.

Where to go from here?

As consumers, we should support businesses that treat us right. In the case of health care organizations, this doesn’t just mean being a competent and friendly physician. It also means protecting our health care information.

Consumers should ask what their health care providers are doing to protect their information. Yes, everyone has seen those HIPAA privacy practices forms you have to sign or acknowledge on every visit. Instead of the privacy practices, ask the provider about their security practices. Ask if they’ve had a third party assessment performed of their security, or if they have passed a HIPAA data security audit.

Health care providers need to start with the security table stakes which every business must meet to function in the information age. Then they need to understand what minimum viable security means to their organization. Finally, they need to implement their plan to take them at least up to minimum viable security, and beyond.

Want to learn more about security table stakes and minimum viable security? Sign up for our free training-by-email here.

Posted March 18 2014

Biggest Challenge to Security Awareness

Security awareness is about communication. Why do we make it the responsibility of technical experts?

At the RSA conference, I attended a panel discussion entitled “Changing User Behavior: The Science of Awareness.” The panel focused on explaining the failure of traditional awareness efforts, and made suggestions about what improved solutions might look like.

During the panel, surrounded by a room full of security professionals, it hit me: we are technologists trying to figure out how to solve a communication problem. Maybe security’s “people problem” is relying on the wrong people to solve this challenge.

Are People The Problem?

Classroom trainingOur industry is quick to put the blame on “users” when security problems occur. Whether it is the takeover of CNN and the AP’s twitter feeds, or a hack of Target’s HVAC contractor leading to their breach, people are the scapegoat. Despite many technological solutions and increased spending, we’re not getting any better. Why?

At the root of most current compromises and breaches are phishing attacks. Phishing attacks are getting more sophisticated and more effective all the time. Phishing attacks work because they convince people to bypass the hardware and software controls we’ve put in place to protect them. The only true defense against phishing is security awareness. And we tend as an industry, to do a poor job of security awareness. Even though almost every standard and regulation requires “awareness training”.

Better awareness will result in better security. Of that there is no doubt.

What Is Security Awareness?

When defining security awareness, I prefer to use the definition of awareness coined by Michael Santarcangelo, in his book Into The Breach. He reiterated the definition in this recent blog post on CSO Magazine:

Awareness: The individual realization of the consequences of an action, in their own context of intention and impact.

Security awareness for an organization, therefore, is just an expansion on this term to include security and the organization’s concerns. Security awareness is an individual’s realization of the security consequences of an action, and the corresponding impact on the organization.

When it comes to information security, the impacts to the organization from one security incident could fill a whole catalog. The loss of intellectual property is a pretty simple one to understand, your “secret sauce” is no longer a secret. The impact felt by breaching customer or employee private information is much more complicated. It reverberates through increased IT costs, increased legal costs, payment of fines and fees. It also creates an impact to the reputation, causing reduction in the value of the brand as a whole.

Security awareness is critical to the security of an organization. And thus, falls under the purview of the individuals in charge of security.

And that, I think, is where we’re going wrong.

Effective Communication is the Key

Awareness, especially security awareness, is essentially a communication problem. In order for me to be aware of something, it needs to be communicated to me. I am only working from the knowledgebase already stored within my brain. I don’t have my cybernetic implant (yet) that performs real-time queries to supplement my knowledge with the corpus provided by the Internet.

If I’m going to be aware of something, either I need to read it, or someone needs to tell me or show me. Those that know need to communicate it to those that don’t.

To be effective, this communication must result in two things:

  • I am aware of the consequences of my actions
  • My behaviors change as a result of my awareness

People Are the Solution – Just Not These People

Now, let’s get back to what I said above. Since security awareness is so critical to the security of an organization, it is often placed within the responsibility of those responsible for security.

Are security experts also experts at person-to-person communication? I don’t think so.

Sure, there are certainly outliers who are talented in both security and communication. I’m lucky enough to be friends with some of the true experts on this topic. I also know there are a bunch of people like me, who are knowledgeable about security and are decent communicators. I’m no expert, but can usually get my point across.

Communication experts know exactly how to craft a message to create value, reduce the friction in the communication, and change behavior. They are hard to come by, and well sought after.

Your typical CISO, or head of network security, probably is not an expert communicator. While they might be able to learn enough to become one, is that what you want? I think I’d rather my CISO be an expert with communicating with the business and setting strategic directions for the security organization. I’d want my head of network security to understand every bit of how to architect networks to defend against emerging threats.

It’s time to change the way we handle security awareness. The first step is to stop making it the responsibility of the security teams.

Let’s cultivate true communications experts to focus on security awareness. It is the only way we will get out of the current checkbox-checking mentality that “security awareness training” has become.

Posted March 7 2014

Are your doors really closed?

5pm on Friday and you're the last one out. You locked the door but are intruders still getting in?

As a small business owner, I often find myself having some of my most productive time on Friday afternoons. My clients have gone home for the weekend, my staff members are wrapping up their week’s work and completing their timesheets. I’ve got a few hours of time to myself to get things done. Dinner time rolls around and I’m inevitably the last one out of the office, shutting off the lights and locking the door behind me.

What a lot of people don’t realize is that even once they’ve turned out those lights and locked that door, strangers might still be coming into their place of business.

Network Connections Are Like Doors

Locking the front doorJust like a door, a network connection can let people into your business. If you have a firewall, your network connection probably looks more like a strong door with a mail slot. There’s a minimal amount of space open to the outside world, just to let a little bit of mail and web traffic in. Certainly not enough room for a person to fit through.

Unless that person is carrying a coat hanger. Unfold the coat hanger, reach it up to unlatch the deadbolt, pull the door handle, and now anyone can enter.

Likewise, your firewall isn’t enough to protect your network connection on its own. If there’s a vulnerability in that service you’ve exposed to the outside world through the “mail slot” – like your web server has some unpatched software, or your mail server is out dated – a person with the right tools can take advantage of that, and open up a door big enough to fit himself and all his friends inside your business.

Don’t think it’s realistic? After you finish reading this, run a quick internet search on the phrase “malware on my website”…

What About Doors You Didn’t Install?

Firewalls are an essential part of minimum viable security. Examples like this show that a firewall alone won’t protect a network. Even so, let’s assume you feel reasonably safe with your current network connections.

There are also the threats posed by network connections you don’t know about. I’m sure you’re asking how can I not know about a network connection? I’m paying for the only one.

First off, there’s the threat of rogue wireless access points. We’re working with a customer whose building is built so strongly, the wi-fi signal doesn’t work well in every office. The employees’ solution? Buy a $30 wireless access point, connect it to the ethernet cable in the conference room, and BAM! super fast wireless connectivity.

While it solved his immediate problem of no connectivity, his lack of experience with security created a new problem. There was no authentication or encryption on the hotspot, and now all the sensitive traffic shared in that conference room is being broadcast to people inside and outside the building.

There’s also the more advanced threat of devices such as the Pwn Plug. Looking like an innocent power adapter, anyone from a janitor to a florist could end up delivering one to your office, and exposing your inner-most secrets to the outside world.

Make Sure Those Doors Are Locked

If network connections are like doors, then it behooves you to have as few network connections as possible, and understand the connections very well.

Here are some actions that you can take by next Friday afternoon. The first two don’t take any special IT wizardry, but the second two might require some help from your IT or Security experts.

  • Do a sweep for rogue wireless hotspots in your office. There are free apps for Android-based phones and tablets that can help.
  • Google your company’s IP addresses – not names – to see if they appear in unsavory lists such as places to obtain malware or illegal credit cards.
  • Ensure that all openings in your firewall lead to systems and software that are up-to-date and fully patched.
  • Audit your network for other unauthorized connections that aren’t expected.

Then next Friday, you’ll be able to confidently enjoy your weekend, knowing the doors are safely locked up.

Posted February 7 2014

Don’t Startup on the Wrong Foot

Information security is just as important to startups as it is to established businesses

Some people said it was the biggest startup to come out of Stanford since Google. After securing some seed funding from professors, and then raising $25 million in a party round, Clinkle was destined for greatness among startups. Clinkle was designed to become the payment service all of us could use to manage credit cards, banks, and cash from our smartphones.

And yet, I’m guessing the majority of this blog’s readers have never heard of them. Why could that be?

The rise comes before…

Launched in 2011, Clinkle got a lot of hype. Big names like Richard Branson and Peter Thiel, and organizations like Intuit and Intel were among the investors. They were clearly excited about something. But Clinkle has remained in stealth mode, with only a leaked video showing what they’ve been up to. If so many luminaries are excited about this, why haven’t they come out, shown the product, and started picking up customers? Instead, late last year they announced significant layoffs.

It seems from an outsider perspective at least that Clinkle isn’t taking things seriously enough. Rumors of discontent with Clinkle’s 22 year old CEO have run rampant. It seems that they may have believed in their own hype too much, and just believed that they would succeed.

…the security breach.

bursting bubble, as security problems can cause a startup to failAnd then last week, Clinkle suffered a breach of security that is serious enough to make everyone wonder whether they will have a chance to break out of these personnel and business issues to be successful.

As reported by TechCrunch, 33 of Clinkle’s users, most of which seem to be Clinkle employees, had their information – names, user IDs, profile photos, and phone numbers – leaked for all to see.

According to the individual who leaked the information, this was not a complicated breach. The unauthenticated user obtained the information using app’s autocomplete capability. Since this was performed without authentication, there is no way for Clinkle to trace the user that breached the information.

Impacts of the breach

How bad of a security breach is this? It’s not terrible. Most of us have our names, photos, and phone numbers plastered all over the Internet already, and so those individuals are probably no more at risk than you or I from getting our identity stolen.

However, there are two really bad things about this for Clinkle.

First, for a company that is focused on finances and payments to have any sort of breach begs the question of whether security has truly been designed into the product. If it is possible to receive information about any user of the service without even being a user myself, how many other ways can information be leaked by this system?

Second, for a company that is already going through some growing pains, having a published list of your employees can be a problem. Corporate espionage is real, and now competing businesses have a list of their targets they should befriend to learn more about what Clinkle is doing – or people to hire away to directly compete.

Lessons Learned

Startups have a lot to worry about, between funding, personnel, and creating and marketing a product. Each of those things, if not done correctly, can reduce the startup’s chances of success.

Startups also need to worry about designing security in at an early stage. Especially if they are in regulated industries such as financial or healthcare. I contend that suffering a security breach before you’ve even released your product could mean certain doom for many startups.

Startups can’t afford to wait to worry about security.

Posted February 5 2014

Certified Social Media Hacker

What happens when your reputation comes under attack?

Recently, an article came to my attention about social networks being gamed in order to hurt the reputations of competitors and enemies.

Social Media BandwagonWith all the talk these days of search engine optimization, social media experts, and the “internet of things” we are looking to connect our information to as many people, and in as many ways, as possible. Have you considered the ways this might hurt you instead?

We are beginning to get a handle, as a society, on the minimum viable security that every organization needs in order to stay in business and not be destroyed by the constant noise of attacks facing us on the Internet.

But what happens when instead of facing a distributed denial of service (DDOS) attack, you face a distributed denial of social media (DDOSM) attack? When your enemies create tens of thousands of fake Twitter followers to overwhelm your social media team and distract them from the actual input of your customers?

What would happen if a thousand negative Yelp reviews, or reviews plagued your products or your place of business?

I’m not even talking about the well publicized cases of Twitter accounts being hacked causing a momentary shift of billions of dollars in the money markets or the founder of Facebook finding links he didn’t post appearing in his feed. Those are typical attacks, whether social engineering to obtain someone’s password, or exploiting a bug in software to take advantage of the situation. Those attacks are generally, and quite simply, illegal.

Social media attacks, on the other hand, play by the rules that we’ve set. They use the connections between the followers and the followed to infect the mindset of many.

Social media and mindshare are a new type of currency that is being traded every day. What are you doing to protect yours?

Posted January 31 2014

Making Things Easy is Hard

Was an IT simplification tool the key to the recent Target breach?

Today’s reading brought me to another article by Brian Krebs about his continuing research into the breach at Target. The lengthy article points to some newly uncovered clues, and provides some conjecture as to how the breach may have been exercised. A part of it definitely caught my eye, because it is closely related to some of the work we get called on to do on a regular basis.

That “Best1_user” account name seems an odd one for the attackers to have picked at random, but there is a better explanation: That username is the same one that gets installed with an IT management software suite called Performance Assurance for Microsoft Servers. This product, according to its maker — Houston, Texas base (sic) BMC Software — includes administrator-level user account called “Best1_user.”

an easy button that reads "not easy at all"

It seems in this case, the attack vector may have been through this IT management software suite. Looking at BMC’s site, I looked at what seems to be the current version of that product, and one of the benefits listed is “Reduce administration time by up to 50% – freeing up staff for IT innovation.”

IT is Already Overwhelmed

It is no secret that the typical information technology organization is overloaded and overwhelmed. Scott Adams’ Dilbert comics poked fun at this decades ago, with Mordac, the Preventer of Information Services. A Canadian graduate school study uncovered that IT employees need help handling stress… in 2007. Follow that with seven straight years of increased technology demands, flat budgets, “work smarter, not harder”, and staff reductions, and you have created a recipe for disaster.

It’s hard enough for IT folks to get their day job done that automation tools have become a burgeoning market of their own. Gartner’s latest magic quadrant in this area lists 13 companies that generate at least $10M annual revenue from their automation tools. And in the wake of the Snowden affair, the NSA recently announced that it would begin the process of automating nearly 90 percent of its system administration duties.

Remain Ever Vigilant

System administration, by its very nature, requires administrative access to systems. Administrative access is what all attackers seek in order to take advantage of a system for their own purposes. So every IT automation tool that is used is essentially creating another potential opening into that system for attackers. The goal of information security professionals like me is to reduce the “attack surface” of a system, but tools like this increase it.

So, what to do?

The only possible path is vigilance, and unfortunately no solution will be perfect. However, my recommendations are as follows:

  1. Determine whether the increased risk to the system is worth the convenience of the IT automation tool.
  2. Assess the security of the IT automation tool or tools you are considering the use of, and allow security concerns to drive the purchase decision. If you aren’t convinced a tool can be secure, find a different one that can.
  3. Document the configuration and installation of the IT automation tool, in order to ensure it is installed in its most secure state. For example, configure it to only accept instructions that can be verified as having come from your organization.

If you have questions about how to assess the security of a piece of software, or need help figuring out the best or most secure configurations it offers, feel free to contact us.

Posted January 29 2014