
Healthcare Security Essentials, Jean Pawluk, April 28, 2011



Data breaches continue to threaten patient privacy and leave medical service providers with a heavy financial burden. As companies plan their go-to-market strategy, the question that comes up more than any other is how to protect health data. We face the challenge of protecting the health data we handle while staying within the compliance requirements defined by the HITECH Act, HIPAA, and related regulations.

This talk focused on the security challenges of health data

Published in: Technology, Business


  1. Healthcare Security Essentials. Jean Pawluk, CISSP
  2. A little bit of background
  3. Healthcare Headlines in the News
  4. Cignet: $4.3 million civil money penalty for violations of the HIPAA Privacy Rule
  5. Yep, "they really are out to get you"
  6. Motivation
     • Theft of services
     • Identity theft
     • Fraud
     • Embarrassment
     • Harm
     • Denial of service
  7. Costs of Medical Identity Theft (2010)
     • $214 per healthcare record
     • $20,663 average cost to the victim
     • $2 million per healthcare data breach
     Data courtesy of the Ponemon Institute: 2010 Benchmark Study on Patient Privacy and Data Security; Second Annual Survey on Medical Identity Theft; 2010 Annual Study: U.S. Cost of a Data Breach
  8. Rules
  9. Lots of rules
  10. Confused? You can... You can't... You can... You can't...
  11. Security is about people, process and technology. It's everyone's business, and in healthcare it is your business.
  12. Lots of Healthcare Rules
     • HIPAA
     • HITECH
     • HL7
     • ISO/CEN
     • Non-US healthcare: EU, Canada, Australia, Singapore
  13. Sensitive Health Information. "Individually identifiable health information" is information, including demographic data, that relates to: an individual's past, present or future physical or mental health or condition; the provision of health care to the individual; or the past, present, or future payment for the provision of health care to the individual.
  14. Electronic Protected Health Information: identifiers
     • Name
     • Address (all geographic subdivisions smaller than state, including street address, city, county, zip code)
     • All elements (except years) of dates related to an individual (including birth date, admission date, discharge date, date of death and exact age)
     • Telephone numbers
     • Fax number
     • Email address
     • Social Security number
     • Medical record number
     • Health plan beneficiary number
     • Account number
     • Certificate/license number
     • Any vehicle or other device serial number
     • Medical device identifiers or serial numbers on implants
     • Finger or voice prints
     • Photographic images
     • Passport number
     • State ID card
     • Any other characteristic that could uniquely identify the individual
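The identifier list above is what a de-identification routine has to strip before a record can leave the covered environment. The following is an added example, not code from the talk: it applies the slide's rules to a constructed patient record (the record, field names such as `medical_record_number`, and the `[REDACTED]` marker are all assumptions for illustration). Direct identifiers are dropped, the address is reduced to the state, dates keep only the year, exact age is removed, and free-text notes are scrubbed for identifier values that were copied into them. A final check reports any identifier value that still appears anywhere in the output, since narrative fields are where de-identification usually fails.

```python
import re

# Constructed sample record for the example; not real patient data.
SAMPLE_RECORD = {
    "name": "Jane Q. Sample",
    "address": {"street": "12 Example St", "city": "Springfield",
                "county": "Sangamon", "state": "IL", "zip": "62701"},
    "birth_date": "1975-03-14",
    "admission_date": "2011-04-02",
    "discharge_date": "2011-04-05",
    "age": 36,
    "phone": "555-0100",
    "fax": "555-0101",
    "email": "jane.sample@example.invalid",
    "ssn": "000-00-0000",
    "medical_record_number": "MRN-1234567",
    "health_plan_beneficiary_number": "HP-99887766",
    "device_serial": "PM-SN-4455",
    "diagnosis_code": "J18.9",
    "notes": ("Jane Q. Sample (MRN-1234567) seen 2011-04-02 for cough; "
              "pacemaker serial PM-SN-4455. Follow up at 555-0100."),
}

# Field names are assumptions; they map onto the slide's identifier list.
# Direct identifiers are dropped outright.
DIRECT_IDENTIFIERS = {
    "name", "phone", "fax", "email", "ssn", "medical_record_number",
    "health_plan_beneficiary_number", "account_number", "certificate_number",
    "vehicle_serial", "device_serial", "biometric", "photo", "passport_number",
    "state_id",
}
# Date fields: only the year survives.
DATE_FIELDS = {"birth_date", "admission_date", "discharge_date", "date_of_death"}

ISO_DATE = re.compile(r"\b(\d{4})-\d{2}-\d{2}\b")
PHONE = re.compile(r"\b\d{3}-\d{4}\b")


def scrub_free_text(text, record):
    """Remove identifier values that were copied into narrative text."""
    for field in DIRECT_IDENTIFIERS.intersection(record):
        value = record[field]
        if isinstance(value, str) and value:
            text = text.replace(value, "[REDACTED]")
    text = ISO_DATE.sub(r"\1", text)        # keep only the year of any date
    text = PHONE.sub("[REDACTED]", text)    # phone numbers written inline
    return text


def deidentify(record):
    """Apply the slide's rules field by field and return a new record."""
    out = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS or field == "age":
            continue                                  # exact age is on the list
        if field == "address":
            out["state"] = value.get("state")         # nothing below state level
        elif field in DATE_FIELDS:
            out[field + "_year"] = value[:4]          # "YYYY-MM-DD" -> "YYYY"
        elif isinstance(value, str):
            out[field] = scrub_free_text(value, record)
        else:
            out[field] = value
    return out


def leaked_identifiers(deidentified, record):
    """Names of original identifier fields whose value still appears anywhere
    in the de-identified output (a residual-risk check before release)."""
    haystack = repr(deidentified)
    leaks = []
    for field in sorted(DIRECT_IDENTIFIERS.intersection(record)):
        if str(record[field]) in haystack:
            leaks.append(field)
    for field in sorted(DATE_FIELDS.intersection(record)):
        if record[field] in haystack:
            leaks.append(field)
    return leaks


if __name__ == "__main__":
    clean = deidentify(SAMPLE_RECORD)
    print(clean)
    print("leaks:", leaked_identifiers(clean, SAMPLE_RECORD))
```

The regex scrubbing is deliberately narrow (ISO dates and a local phone format); a production pipeline would need patterns for every date and number format the source system emits, and `leaked_identifiers` is the check that tells you when the patterns are not enough.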
  15. Gramm-Leach-Bliley Act (GLBA). Customer private personal information is information provided to obtain (or in connection with) a financial product or service, or that results from any transaction involving a financial product or service between you and a customer. Examples include but are not limited to:
     • Social Security Number
     • Credit Card Number
     • Account Numbers
     • Account Balances
     • Any Financial Transactions
     • Tax Return Information
     • Driver's License Number
     • Date/Location of Birth
  16. Even More Rules
     • PCI
     • SOX (public companies)
     • FISMA
     • Privacy rules: EU, Canada, Australia
  17. More Challenges
  18. Health Technology Challenges
     • Heterogeneous devices
     • Laptops, portable devices, backup media, and wireless infrastructure
     • Portable devices
     • Medical devices
     • Complexity
     • Boundaries are not fixed
  19. Sources of Embarrassment?
  20. Healthcare Security Standards
     • Authentication: Identification, Signature, Non-repudiation
     • System Security: Communication, Process, Permanence
     • Data Integrity: Encryption, Data Integrity, Processing, Storage
     • Internet Security: Personal Health Records, Secure Internet Services
     • General Security Standards: 200+ standards for Internet and information systems
  21. Key Areas of ISO 17799
     • Security Policy
     • Security Organization
     • Asset Classification
     • Personnel Security
     • Physical Security
     • Communication & Operations
     • Access Control
     • System Development & Maintenance
     • Business Continuity Planning
     • Incident Handling
     • Compliance
     All centred on the Confidentiality, Integrity and Availability of DATA
  22. ISO 27799: security management in health using ISO. Its scope covers:
     • Personal health information
     • Pseudonymous data derived from personal health information
     • Statistical and research data derived by removal of personally identifying data
     • Clinical/medical knowledge not related to specific patients (e.g., data on adverse drug reactions)
     • Data on health professionals and staff
     • Information related to public health surveillance
     • Audit trail data produced by health information systems containing personal health information, or data about the actions of users in regard to personal health information
     • System security data, e.g. access control data and other security-related system configuration data for health information systems
  23. ISO 27799:2008 Healthcare
     • Threats to health information security
     • How to carry out the tasks of the healthcare information security management system described in ISO 17799 (renumbered ISO/IEC 27002 in 2007)
  24. Healthcare Security Steps
     1. Identify systems at risk: systems containing sensitive healthcare, financial and IP data and/or carrying a high business risk
     2. Information gathering and planning: partner with subject matter experts to gather information and identify system exposures
     3. Evaluate risk and vulnerability: risk is the expectation of damage given the probability of attack
     4. Identify possible solutions (controls/mitigation): processes, tools and procedures that reduce the probability of an exposure being exploited; leverage common security architecture and processes
     5. Determine feasibility and acceptable risk: feasibility is based on key dependencies, technological know-how and business readiness; you may decide to accept lower risk factors based on feasibility
     6. Roadmap prioritization: putting it all together
     7. Execute the plan
     8. Repeat
  25. Information Security
  26. 2010 CWE/SANS Top 25 Programming Errors
     1. CWE-79 XSS
     2. CWE-89 SQL Injection
     3. CWE-120 Classic Buffer Overflow
     4. CWE-352 CSRF
     5. CWE-285 Improper Authorization
     6. CWE-807 Reliance on Untrusted Inputs in a Security Decision
     7. CWE-22 Path Traversal
     8. CWE-434 File Upload
     9. CWE-78 OS Command Injection
     10. CWE-311 Missing Encryption
     11. CWE-798 Hard-coded Credentials
     12. CWE-805 Incorrect Length Value in Buffer Access
     13. CWE-98 PHP Remote File Inclusion
     14. CWE-129 Uncontrolled Array Index
     15. CWE-754 Improper Check for Exceptional Conditions
     16. CWE-209 Error Message Infoleak
     17. CWE-190 Integer Overflow/Wrap
     18. CWE-131 Incorrect Buffer Size Calculation
     19. CWE-306 Missing Authentication
     20. CWE-494 Download of Code Without Integrity Check
     21. CWE-732 Insecure Permissions
     22. CWE-770 Allocation of Resources Without Limits or Throttling
     23. CWE-601 Open Redirect
     24. CWE-327 Broken Crypto
     25. CWE-362 Race Condition
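Two entries on that list, CWE-285 (improper authorization) and CWE-209 (error message information leak), are the ones most often found in patient-record lookups: a handler that checks the caller is logged in but never checks that the requested record is theirs. The following is an added example, not code from the talk; the users, records, roles and the `handle_request` functions are constructed for illustration. The first handler is deliberately vulnerable; the second decides per record, writes an audit-trail entry for every decision (the audit trail data that the ISO 27799 slide lists), and returns the same response whether a record is missing or merely not the caller's, so record IDs cannot be enumerated.

```python
# Constructed in-memory data for the example; not real users or patients.
USERS = {"u-alice": "patient", "u-bob": "patient",
         "u-drlee": "clinician", "u-billing": "billing"}
RECORDS = {
    "P-1001": {"patient": "u-alice", "care_team": {"u-drlee"}, "diagnosis": "J18.9"},
    "P-1002": {"patient": "u-bob", "care_team": set(), "diagnosis": "E11.9"},
}
AUDIT_LOG = []   # one entry per access decision, allowed or denied


def handle_request_vulnerable(session_user, record_id):
    """Deliberately vulnerable handler.
    CWE-285: it authenticates the caller but never asks whether *this* record
    belongs to them, so any logged-in user can walk P-1001, P-1002, ...
    CWE-209: the error text confirms to the caller whether an ID exists."""
    if session_user not in USERS:
        return 401, {"error": "login required"}
    if record_id not in RECORDS:
        return 404, {"error": f"no record {record_id}"}
    return 200, RECORDS[record_id]


def is_allowed(session_user, record_id):
    """Object-level authorization: the patient themself, or a clinician on the
    record's care team. Unknown users and unknown records are both denied."""
    rec = RECORDS.get(record_id)
    if rec is None or session_user not in USERS:
        return False
    return session_user == rec["patient"] or session_user in rec["care_team"]


def handle_request(session_user, record_id):
    """Hardened handler: decide per record, log the decision, and return the
    same 404 whether the record is missing or simply not the caller's."""
    if session_user not in USERS:
        return 401, {"error": "login required"}
    allowed = is_allowed(session_user, record_id)
    AUDIT_LOG.append({"user": session_user, "record": record_id, "allowed": allowed})
    if not allowed:
        return 404, {"error": "not found"}
    return 200, RECORDS[record_id]


if __name__ == "__main__":
    # u-bob reading u-alice's record: succeeds in the vulnerable handler only
    print(handle_request_vulnerable("u-bob", "P-1001"))
    print(handle_request("u-bob", "P-1001"))
    print(AUDIT_LOG)
```

Denied requests are logged before the response is built, so a user probing for other patients' records shows up in `AUDIT_LOG` as a run of `allowed: False` entries; that is the signal a detection rule would key on. Returning 404 rather than 403 for a record the caller may not see is a design choice: it costs a little clarity for legitimate callers and removes the existence oracle that CWE-209 describes.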
  27. Dark Side: think about abuse
  29. Knock, knock, who's there? Do you really know who has your data?
  30. Hard Lessons Learned
  31. What they did, 1
  32. What they did, 2
  33. What they did, 3
  34. Summary
     • Health risk management means you are liable
     • Use compensating controls
     • Plan for failure
     • Trust but verify
     • Web services security is an oxymoron, because the technology is dynamic and browsers are frail
     • Good security implies compliance, but compliance does not imply good security
  35. Still Confused?
  36. Additional Information
  37. Resources
     • NIST introductory guide to testing HIPAA security
     • NIST Health IT Standards and Testing program
     • PCI DSS Quick Reference Guide
     • Cloud Security Alliance
     • Jericho Forum
     • HIPAA & HITECH
     • ISO 27799:2008 Healthcare
     • ISO/TS 21091:2005 Directory services for security, communications and identification of professionals and patients
     • Open Web Application Security Project
  38. Finis. Jean Pawluk