HIMSS, the healthcare industry’s standard bearer for the promotion of information technology (IT), held its 13th annual conference in New Orleans last month. Nearly 35,000 people attended the event including former president Bill Clinton, fellow politicos James Carville and Karl Rove, and bow-tied Dr. Farzad Mostashari, HHS’s National Coordinator for Health Information Technology.

Interoperability and exchange were the hot topics of the week, further jazzed by the recently announced CommonWell Health Alliance – a 6-party partnership between Cerner, McKesson, Allscripts, athenahealth, Greenway Medical Technologies and RelayHealth. Notably absent from the Gang of 6 is Epic, the undisputed EHR market heavyweight. Depending on who you ask, Epic was either not invited to join CommonWell or chose not to participate. Epic’s CEO, Judy Faulkner, said that the alliance is less about interoperability and more about competition. “It appears on the surface to be used as a competitive weapon and that’s just wrong. It’s wrong for the country.” When asked to referee, ONC’s Dr. Mostashari said he didn’t want to get into a “he-said, she-said.” The dust-up made the Karl Rove – James Carville debate look tame by comparison.

While interoperability and exchange are important topics, I would have liked to see more focus on PHI privacy and security. At the HIMSS Update on the federal government’s Health Information Privacy Enforcement and Audit Program, David Holtzman of OCR reported some surprise that 60% of the findings from the115 pilot program audits related to security issues. It really shouldn’t be that surprising given that 556 breaches affecting 21.7 million individuals have been reported over the past 3 years.

As we’ve said many times, compliance is necessary but not sufficient. The abysmal track record in PHI breaches is a direct result of a lack of focus on effective IT security measures and a dearth of qualified security experts in the industry. OCR’s audit program created more anxiety than action. As a result, compliance consultants wrote white papers, conducted webinars, and even led HIMSS sessions on “How to Prepare for an OCR Audit.” We don’t blame them – it is what they know. But for real world, practical advice on combating IT security threats, I cordially invite you to Redspin’s upcoming webinar. More information and registration link here: http://www.healthcareinfosecurity.com/webinars.php?webinarID=326&rf=Redspin_042013

A few months ago, IDC identified the major challenges facing HIE vendors. High on the list were “privacy and security risks that worry providers as more patient information is transferred from paper charts to electronic health records and made accessible both inside and outside the organization via HIEs and mobile devices.”Achieving EHR interoperability and facilitating exchange though HIEs, alliances, or both, will introduce even more risk of breach. We need to get our EHR houses in order first. Unlike the financial industry, healthcare does not have a uniform transaction model. The industry is at best a multi-tenant model with diverse information needs, at worst a multi-headed hydra. Overlay varying levels of privacy and confidentiality; make the whole system interoperable and interconnected and the task gets even infinitesimally harder.

At HIMSS14, forget Rove-Carville. Let’s have a debate about CommonWell Health Alliance’s comprehensive security strategy.

I recently presented the case for covered entities to be more proactive in regard to their business associate’s IT security posture. The audience included over 50 healthcare CISOs. Most of them agreed that the risk of PHI breach among their business associates was “an unknown,” or “very hard to measure” or even “likely to be very high.”

After my talk, one CISO said to me “My organization has dozens of business associates. What is the ROI of conducting a risk analysis on our exposure in relation to them?” This is the essence of the issue. Put another way, how does a covered entity justify spending time, money, and resources on evaluating its third-party vendors IT security?

First, let’s establish some facts. This is no small problem. From September 2009 to the end of 2011, 59% of all large breaches involved a business associate. Large breaches are defined under the Breach Rule as those affecting 500 or more patient records and some of more egregious single incidents involved hundreds of thousands and even millions of individuals.

HIPAA regulations require a covered entity (CE) to have business associate agreements (BAAs) in place before they disclose any protected health information. So, right off the bat, I can tell you one thing – as a covered entity, if one of your business associates has a PHI data breach and you did not have a BAA in place, the legal and financial consequences will be very severe. Even with a BAA, you are likely to feel some pain but at least you won’t be accused of “willful neglect.”

Second, it should be obvious that maintaining all business associate agreements in a centralized location is good business practice. If, and more likely, when a business associate reports a PHI data breach, you shouldn’t have to scramble just to find a copy of their contract. Yet, a surprising number of hospitals don’t do this, particularly if different functional groups or business units within the covered entity have the autonomy to sign their own vendor contracts. This is often another point of lax oversight in and of itself – if different groups can sign vendor agreements, who then determines whether a BAA should be required as opposed to some other type of contract?

Third, covered entities should use the BAA as an opportunity to set specific ground rules and conditions for establishing who investigates the cause of the breach and who bears the costs of the investigation and response. Having these provisions specified and agreed upon beforehand can save an enormous amount of time, money, and aggravation. I’d call that ROI.

Lastly, the OCR has been empowered to enforce HIPAA through resolution agreements and civil monetary penalties. These penalties can run as high as $1.5 million in any calendar year – a high cost under any circumstances and particularly painful if the breach actually resulted from poor IT security at a business associate.

But it’s not just the costs of investigations, brand damage, and financial penalties that justify proactive business associate risk management. There are also the costs (often hidden) of the operational disruption to your organization. By their very nature, business associates perform significant functions for a covered entity including claims processing, administration, data analysis, billing, benefits management, etc. Immediately following a report of a BA breach, the CE is forbidden from continuing to disclose PHI to the BA until the issue has been investigated and resolved. This may mean transferring the particular function performed by that BA to another partner or temporarily bringing it in-house.

Redspin now offers a Business Associate Risk Analysis service that helps hospitals and other covered entities understand where their highest BA risk lies so that they can take preventive measures and/or implement contingency plans to mitigate that risk. Here are some of the areas that our expert security and compliance analysts guide you through:

• Is there a central repository of all BA agreements?
• Are they updated? Is there a master schedule for renewals?
• How critical is the BA to the CE? Are there operational contingencies should the BA no longer be able to perform their service? Risk to the operational disruption should always be a factor.
• Are BAs prioritized by the amount of PHI data that is typically stored, transmitted, or in use by that BA? PHI data sets vary in quantity, scope, and depth, and thus some present a greater degree of risk than others.
• Has the BA provided any evidence of IT security protections, testing, audits, etc.?

And here’s an example of one of the sections from our assessment report:

Safeguarding PHI data is an important responsibility and all relevant parties must take their stewardship seriously. The HITECH Act raised the stakes for business associates by directly requiring them to be HIPAA compliant. Direct civil liability and penalties will also be levied directly on offending BAs in 2013. Redspin’s Business Associate IT Security Risk Assessment is an effective, mutually-beneficial process that will enable more fruitful discussions between CEs and BAs, and ultimately result in lower risk for both parties.

Cyber insurance provides an opportunity to address residual risk in your information security program to offset the costs due to a data breach of ePHI. However, individuals polices, coverage and exclusions are highly variable, so just like any security control it’s important to understand your security risk profile before an appropriate security insurance policy can be defined. An assessment, such as a HIPAA Security Risk Analysis should be the first step in any insurance policy strategy. Here’s why:

You’ll have to do one anyway. The most important factor in most enterprise cyber insurance rates is the state of your current security controls and your revenue. So not only is a security risk analysis an essential part of any robust information security program that you should be doing anyway, but this will be a factor in your rates and likely a requirement before you secure a policy.

The safest approach is to avoid a breach in the first place. Most policies will require substantial out-of-pocket expenses to be paid by the insured regardless of your coverage. No insurance can fully replace lost productivity and brand damage due to a breach. A recent study released by Carnegie Mellon University (and others), “An Empirical Analysis of Data Breach Litigation,”notes that “the odds of a settlement are found to be 10 times greater when the breach is caused by a cyber-attack, relative to lost or stolen hardware, and the compromise of medical data increases the probability of settlement by 31%.” Thus, insure against theft but still spend money on locks for your doors!

Your risk profile will enable a better tailored policy. Cyber insurance policy coverage is highly variable and configurable. Policy buyers need to be aware of what is covered and that distinct coverage, limits, and deductibles may apply for individual risk categories. In order to ensure that a policy is tailored for your individual risk profile it’s important to understand where your risk lies. Areas that can be insured typically include regulatory fines and penalties, claims and lawsuits and response costs such as breach notification for affected customers, credit monitoring, forensic analysis, legal fees, and public relations outreach.

Do you really know where your risk is? A key area of risk that a security risk analysis illuminates can be the extent that Business Associates (BA) factor into your overall risk. Our experience is that BAs often pose more risk than might be expected in terms of the amount of ePHI that they access and/or host because their security controls are not always on par with that of the healthcare organization that provided the data despite the Business Associate Agreement that is in place. This is particularly relevant when the BA is a cloud provider. A security risk analysis should clarify the extent of cloud-based and BA risk so that this critical part of the policy can be defined appropriately.

Cyber insurance can prove to be an effective tool for mitigating the fiscal impact of an ePHI data breach. With proper policy review and selection, guided by an informed view of your risk profile, it’s more likely that such a policy can achieve your objectives and be accurately scoped.

The New York Times reported this weekend on a potentially serious breach at the International Monetary Fund (I.M.F.). The Times reports that the breach occurred perhaps several months ago, yet the fund only disclosed this to internal staff and board members on Wednesday. Other than the report from the Times, there is not a lot of available information about the incident. The I.M.F. itself has made no public statement about the breach. Surprising for an organization that is capable of a half-dozen news releases in a single day.

The Times mentions spear phishing, but this is only speculation at this point. While spear phishing might be top-of-mind considering that it was the keystone attack vector in the RSA breach, we have not yet seen any specific reports on the attack vector.

What’s astounding is the seemingly endless acceleration of the breach incidents this year. Sony (I lost count at a dozen incidents), Lockheed Martin, RSA, Citigroup, …

It will be interesting to see how this story develops.

In a new and revised format, SANS along with MITRE has published the latest list of the highest risk software security vulnerabilities; the revision to the list is based on the CWE, CWSS and CWRAF security standards. The announcement leverages and highlights these new standards and collaboration efforts among the security community (including corporate, non-profit and government entities). As this announcement publicizes some new standards efforts that many of us will undoubtedly hear a lot about in the coming months, I thought it made sense to leverage the CWE/SANS Top 25 Most Dangerous Software Errors list to put these other standards in context.

First, let’s summarize the standards.

CVE List

Before diving into these other standards, it’s perhaps best to start with the CVE list. The Common Vulnerabilities and Exposures (CVE) List was started by the MITRE Corporation, a non-profit think tank, in 1999. The CVE List is free (http://cve.mitre.org) and publicly available and creates a standardized set of identifiers for common vulnerabilities and exposures. The List provides common identifiers so automated tools, such as vulnerability scanners and patch management systems can exchange vulnerability data using unique identifiers. You can think of the CVE List as the master set of security vulnerabilities. CVE numbers have become the interoperability standard amongst security vendors.

CWE List

Where the CWE list is a complete list of individual vulnerabilities, the Common Weakness Enumeration (CWE) provides a categorical view describing classifications of risk. The CWE List can be thought of as a taxonomy of vulnerability categories such that unique vulnerabilities in various software systems can be categorized. As such there are many more unique software vulnerabilities than categories that classify them. For example, the CVE List has almost 50,000 entries while the CWE List  has only 870.

Common Weakness Scoring System (CWSS)

The CWSS provides a consistent method by which vulnerabilities can be scored. This would potentially address, for example, (at least in theory) a big problem with automated vulnerability scanners: they tend to create reams of output without any context as to what is important in a given environment. Given that every environment is unique, its difficult for automated software processes to programmatically determine the relevance of a particular instance of a vulnerability. The CWSS would provide a repeatable approach to determine the relevance of risk as well as provide a way to quantifiably measure unaddressed vulnerabilities.

Common Weakness Risk Analysis Framework (CWRAF)

The CWRAF provides a method for organizations to customize the application of the CWSS to account for their particular business and technology environments. So as the CWSS provides a repeatable process to score vulnerabilities, the CWRAF provides a repeatable way for organizations to apply the CWSS to their own unique business environments.

So what’s all this got to do with the CWE/SANS Top 25?

Well, perhaps nothing. The list itself is a prioritized list of the top 25 security weaknesses in software as a function of prevalence, probability of exploitation, and importance. The list is a great resource for any IT or security professional that wants to focus their efforts on the most important issues. Considering that every organization has security risk (an often plenty of it) and IT resources are limited, keeping focused on the important issues is incredibly important in a structured risk management program. But what about CVE, CWE, CWSS, CWRAF….? So it’s not the CWE/SANS Top 25 list that has to do with these standards, its more that this alphabet soup of standards is how the Top 25 list was created. SANS worked with MITRE along with security experts worldwide to compile the list. While experts in the field often work with individual CVE identifiers, the TOP 25 list is based on CWE categories. The list is prioritized based on the scores that were calculated based on the CWSS. Specific industries and organizations could customize the scoring using the CWRAF.

Below is the current CWE/SANS Top 25 Most Dangerous Software Errors list. Notice how CWE categories are referenced as opposed to CVE numbers or ad hoc categories, and the CWSS score is used for prioritization.

1. 93.8 CWE-89 Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)
2. 83.3 CWE-78 Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
3. 79.0 CWE-120 Buffer Copy without Checking Size of Input (‘Classic Buffer Overflow’)
4. 77.7 CWE-79 Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
5. 76.9 CWE-306 Missing Authentication for Critical Function
6. 76.8 CWE-862 Missing Authorization
7. 75.0 CWE-798 Use of Hard-coded Credentials
8. 75.0 CWE-311 Missing Encryption of Sensitive Data
9. 74.0 CWE-434 Unrestricted Upload of File with Dangerous Type
10. 73.8 CWE-807 Reliance on Untrusted Inputs in a Security Decision
11. 73.1 CWE-250 Execution with Unnecessary Privileges
12. 70.1 CWE-352 Cross-Site Request Forgery (CSRF)
13. 69.3 CWE-22 Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)
14. 68.5 CWE-494 Download of Code Without Integrity Check
15. 67.8 CWE-863 Incorrect Authorization
16. 66.0 CWE-829 Inclusion of Functionality from Untrusted Control Sphere
17. 65.5 CWE-732 Incorrect Permission Assignment for Critical Resource
18. 64.6 CWE-676 Use of Potentially Dangerous Function
19. 64.1 CWE-327 Use of a Broken or Risky Cryptographic Algorithm
20. 62.4 CWE-131 Incorrect Calculation of Buffer Size
21. 61.5 CWE-307 Improper Restriction of Excessive Authentication Attempts
22. 61.1 CWE-601 URL Redirection to Untrusted Site (‘Open Redirect’)
23. 61.0 CWE-134 Uncontrolled Format String
24. 60.3 CWE-190 Integer Overflow or Wraparound
25. 59.9 CWE-759 Use of a One-Way Hash without a Salt

Overall, we applaud this effort; both the list and the accompanying standards. Any effort that prioritizes risk and provides a systematic and repeatable process to do so is a big boost for enterprise security. In the short term, the value of these methodologies will surely be a function of the capabilities and dedication of those that use them (the garbage in – garbage out rule will still apply), but any methodology that adds some structure to security risk analysis is a worthy effort.

Many security vendors publish “top 10″ or “top 5″ lists of terrible things that can happen to you as a pretext for then telling you how their products or services help you avoid such a fate. It’s classic marketing – and actually an well-know debate strategy – define the problem for your prospect and then describe how you alone can solve it. While perhaps an effective marketing hook, its a bit disingenuous. A top 5 list implies a value calculation has been made – but usually, they are just statements of fact that support buying that vendors wares. From now on, think of those lists are simply features of the seller’s offering.

Now at Redspin, we’re not as pure as driven snow, but we are grounded in objectivity.  We have no products or services to sell or up-sell. We view IT security assessments as a series of true or false conditions. When we find vulnerabilities, we list them in risk-adjusted order depending on the criticality of the data or systems that may be impacted and the likelihood that such a breach may occur. Our “Top 5″ therefore is truly in context, relative to your specific environment.

In any complex, cross-functional business challenge, responsibility and authority must be distributed intelligently while at the same time prove a process of internal dispute resolutions. An information security program is one such complex and multifarious business necessity. At its heart, information security is a method of managing risk to information and information systems, and reducing uncertainty relative to organizational objectives; it is a balance.

But the success of an information security program depends upon the ability of an organization to establish a set of controls based on a thoughtful and consistent design that was developed against carefully analyzed internal and external requirements. Relatively few companies approach the problem this way, so we thought we’d offer some guidance based on Redspin’s 10+ years of IT security experience.

The following describes an accountability-driven and risk-based approach to address the information security expectations of leaders, customers, citizens, partners, and investors.

Creating an environment where operational units coordinate to achieve consistent and appropriate information security controls helps to ensure that the operation and security objectives of the organization are met. One way to do this is to assign accountability and responsibilities in a way that makes internal parties accountable to one another, with guidance and input from subject matter experts. The following mutual accountability can be used to drive decisions that align with your organization’s mission and goals:

A Data Steward is a single person accountable for establishing policies for internal uses and conditions of internal and external disclosure. There is one steward for each domain of data across the entire organization. Domains are generally broad and easily identifiable, organizations having on average between 10 to 15 core domains.

A Process Owner is a single person accountable for general processes (such as workforce acquisition and termination). These individuals establish the minimum process control requirements, which may then be implemented in a centralized or decentralized manner. Each implementer is responsible for meeting the process owner’s control requirements and one or more data steward’s control requirements.

System Sponsors are assigned to each application and system, from the department specific applications to general utility applications such as email. These system sponsors are responsible for meeting the availability and processing quality requirements of the process owners (e.g. up time and stability), and the data confidentiality and integrity requirements of the data stewards (e.g. patching and access controls). They are also responsible for justifying the continued existence of an application or system.

Data Gatekeepers are accountable for disclosures to a particular audience. Some of these roles are historically well established. For example, the senior public-relations official is accountable for responding to inquiries from the public and the press, and the senior legal official is accountable for addressing inquires from the courts and, depending on the organization, perhaps for inquiries from regulators and governments. Extending this concept to each unique audience creates internal accountability. Audiences may include consumers, vendors, business customers, partners, local and foreign governments, and law enforcement and intelligence agencies. The data gatekeeper is answerable to one or more data stewards.

Let’s run this through an example to see how it works. USB thumb drives are prevalent, with organizations taking stances that range from very loose to very tight. Policies commonly ban the devices, don’t mention them, or put IT in the role of deciding who gets one. The first two positions generally fail to serve the organization, and the last requires IT to make a business operations decision. To address this let’s step back to ask ourselves a few questions. Which process do the USB drives support and are the USB drives inherently required by those processes? Will the USB drive contain controlled information and are the data stewards requirements met?

Sales might use thumb drives to display presentations on client’s equipment. This is clearly a sales process, and would be under the purview of the most senior sales management position, perhaps a VP of Sales. The VP of Sales could responsibly and reasonably take a position that USB drives are required for external sales presentations. So long as that drive contains only sales information, then the data in question is also under the purview of the VP of Sales.

Changing the scenario for a moment, let’s say a salesperson wants to include very sensitive discount information. In this case, the VP of Sales may have a policy that discount data is only shared with key members of the client decision team. The VP of Sales in a process owner role still approves the use of USB thumb drives for sales presentations, but the VP of Sales in a data steward role requires that the data be distributed in a limited and controlled manner.

Changing the scenario even further, let’s say that the client requests key financial information. Again the use of USB drives is already approved by the VP of Sales. However, in this scenario the data in question is subject to the policies of the CFO, who has the requirement that key financial data be stored only on company owned equipment and be encrypted at all times when not within company facilities. In this case, the sales person must use a company owned and encrypted laptop for the presentation. If the VP of Sales doesn’t like this and still wants to use USB drives, the issue is not between Sales and IT, it’s between Sales and Finance. We are effectively taking IT out of  the middle, to a role where IT implements the decision of the parties who have the greatest stake in the decision.

IT organizations in the healthcare industry are being asked to make increasingly complex and subtle decisions. IT everywhere is being asked to do more and be responsible for more. Enabling the business to meaningfully engage IT, and creating a way that provides the businesses with the right information to make decisions is key to the perceived and actual success of an IT department. The road to engaging all parts of the business is difficult, but it has also been shown to be a hallmark of successful organizations.

IT has been put in the role of making business decisions, because organizations lack a framework for making data and system decisions. Providing a framework for decision making can become a key value that IT can provide. Even if your organization is not ready to formally adopt these concepts the thinking process, and the line of questions that result, will help you facilitate better security decision making within your organization.

Every IT department faces the challenge of having to apply limited resources (headcount, technology, 3^rd party assessments) against a plethora of potential security risks. Choosing wisely is often the difference between an effective security strategy and an ineffective one. With that in mind and a number of possible assessment approaches available, what benefits can be gained from an internal penetration test?

First, since security terminology is often misunderstood, let’s first define internal penetration testing. An internal pen test is a very specific scope of work where a security engineer connects to your internal network, or portion thereof, and with nothing other than an internal network connection, attempts to gain access to sensitive organizational resources. In an internal pen test the security engineer is network level connected but has no other credentials, such as a user account on the domain or on a corporate software application. Such a test can be conducted on-site with the engineer working from a conference room with an Ethernet drop, or done remotely via VPN connection. It is from this restricted vantage point that the engineer attempts to gain unauthorized access to internal systems and data.

The results of an internal penetration test typically demonstrate what information or other assets might be exposed to an unauthorized user who has network level access to your corporate IT environment. Extrapolating further, it also shows what a hacker could access if they were to compromise your gateway. But, an internal pen test is not designed simply to expose risk from external hackers. There are a number of internal risks as well. Here are some other important considerations:

• What confidential info might an employee obtain by gaining access to your internal HR database

• What about vendors or visitors who are allowed on your internal network by an employee, and/or they are left alone in a conference room where they plug into a live Ethernet port?

• What information could a rogue employee exploit?

• Can partner companies that have network level connectivity access more internal resources than you intended?

An internal penetration test can help answer these questions and educate others in your organization about this kind of risk. With limited resources to work with, it’s important to clarify what your organization wants to accomplish as you embark on any type of security assessment. We hope we’ve clarified above the most important benefits of an internal penetration test.

At first read, the security risk analysis (SRA) provisions of the proposed Stage 2 “meaningful use” regulations appear to have changed only slightly from those in Stage 1. The language in the draft rule is nearly identical to Stage 1, with one notable addition highlighted below:

“Conduct or review a security risk analysis in accordance with the requirements under 45 CFR 164.308(a)(1), including addressing the encryption/security of data at rest in accordance with requirements under 45 CFR 164.312(a)(2)(iv) and 45 CFR 164.306(d)(3), and implement security updates as necessary and correct identified security deficiencies as part of the provider’s risk management process.

Covered entities and eligible providers must now address the issue of encryption of “data at rest” as part of their security risk analysis process. This shines a spotlight on the existing encryption references within the HIPAA Security Rule. Encryption of ePHI is specifically covered under 45 CFR 164.312(a)(2)(iv) which reads; “Implement a mechanism to encrypt and decrypt electronic protected health information.” However, since it is categorized as an “addressable control,” it is not specifically mandated.

As part of Stage 2 Meaningful Use, encryption of “data at rest” must be considered as an addressable control. As such, providers need a process by which they evaluate whether the control is “reasonable and appropriate” and would likely contribute to protecting its health information.   If the control is deemed “reasonable and appropriate,” then it must be implemented.

However, if the provider decides “encryption of data at rest” is not reasonable and appropriate, then it must 1) document why it is not reasonable and appropriate, and 2) Implement an equivalent alternative measure if reasonable and appropriate. Despite a little remaining wiggle room, it has become increasingly difficult to justify not encrypting ePHI under the “reasonable and appropriate” caveat.

Turning to the new rules for EHR software certification, Stage 2 also requires the main software application ‘to be able to demonstrate the capacity to encrypt [data on] mobile devices in circumstances where the EHR technology manages the data flow on the mobile device,”

In our view, these provisions stop just short of a mandate. Determining reasonableness is not just about the cost of hardware and software or the complexity of implementation. It is more about whether or not the organization can execute the requirement consistently and effectively.

Given that the majority of significant breaches to date have been the result of lost or stolen devices containing unencrypted data, and the increasing mobility of data itself, it will be difficult to find “equivalent alternative measures.” That said, Redspin can provide a framework for considering the issue within our overall SRA roadmap and expert guidance on how to reasonably and effectively protect patient information.