
Healthcare Web Applications – The Security Achilles Heel (Part 2)

Posted by Dan Berger in Main

Last June, one of my colleagues at Redspin blogged about his concern that security flaws in software applications that house ePHI (electronic protected health information) represent a big threat. We had just completed a security assessment for a client and had found it relatively easy to access their customer portal using a common SQL injection technique. ePHI records represent tempting targets for cyber crime as they typically include a wealth of personal info (name and address, SSNs, credit card numbers, DOB and more).

The healthcare industry is currently very motivated to deploy EHR systems, increase interconnectivity via HIEs, and launch new web applications. As data is made more accessible to more audiences, the risk of a breach increases too. The scope of a HIPAA Risk Analysis should include software applications, but be sure to hire a company with specific application penetration testing expertise. Make sure your provider is competent, has relevant experience and applies best practices, starting with the Top 10 Web Application Vulnerabilities list published by the Open Web Application Security Project (OWASP).

Another area of focus should be your internal patch management process. Effective maintenance of your current day-to-day IT operating systems and applications is essential, but be sure to conduct an inventory of older applications as well. They may have been developed by people who are no longer with your organization. Some may perform tasks that are very mundane, highly specialized and/or rarely used. At Redspin we often uncover these “out-of-sight, out-of-mind” applications in our HIPAA Risk Analysis process. Fortunately we have an application penetration testing methodology that is applicable to both web applications and non-web applications.

Lessons from the McDonald’s, Walgreens and other recent data breaches

Posted by mmarshall in Main

Designing an effective Information Security Program is a process that requires a thorough knowledge of your assets (what you’re protecting) and the threat sources (the type of entity that might try to get it). Understanding these two factors is foundational to building an Infosec program. Based on the results of this characterization you will have an idea of the level of security you need. For example, some workplaces have snacks in their lunch room that rely on the honor system. Take a cookie, put 50 cents in the jar. This may be acceptable given that the asset (a cookie) is pretty low value, and the threat sources (employees) are likely somewhat trustworthy. However, I have never seen a bank rely on the honor system. A large pile of cash in the lobby would be a bank robber’s dream. Instead, video surveillance, guards, and sometimes mantraps are the norm. Cash is a very valuable asset and the bank robbers (threat sources) are highly motivated.

Most businesses fall somewhere in between. Their assets are more valuable than cookies. Often the regulated industries such as healthcare (HIPAA), merchants (PCI), and financial institutions (FFIEC) have institutionalized the assets (EPHI, cardholder data, account information) and prescribed some of the types of controls and testing these firms should undergo. This does (or at least should) result in comprehensive security controls and regular testing via security assessments and penetration testing.

Many other firms have a challenging time understanding the value of their assets. It is easy to fall into the trap of thinking that you are safe because you don’t have PCI or financial data, but in this slow economy cybercrooks are likely to be more creative in their money making endeavors. A couple of breaches over the last few weeks have caught my eye as examples of hackers targeting assets that have not traditionally been viewed as high value.

Email addresses: McDonald’s, Walgreens, Garnet Hill and possibly hundreds of others had their email lists stolen. Silverpop (the email marketing vendor) likely didn’t have sophisticated security controls. They probably viewed themselves as a low-risk target. After all, who would want to steal just email addresses?

Twitter accounts: Compromised Twitter accounts (possibly from the Gawker breach) were used to promote Acai Berry (as well as get-rich-quick and other scams).

Google PageRank: The site www.aintitcool.com was recently hacked to insert hidden links for blackhat SEO purposes. The goal was to use the links to trick Google into ranking the hackers’ websites higher in the search results.

How can you protect your organization? Your internal team has the best understanding of your assets. Take a few minutes and think through the misuse cases. What assets do you have that are valuable to an outside attacker? Make sure you know your risk and allocate your limited security resources optimally.

Healthcare Web Applications – The Security Achilles Heel

Posted by mmarshall in Main

At Redspin we have a unique view of the security space, given that we are hired to perform security assessments of customer web applications all the time. Our clients want to know if a hacker can access their Electronically Protected Health Records. The answer, sadly, is often yes. Many times it is dreadfully easy. This week we accessed a customer portal chock full of EPHI using the classic `' or 1=1;--` trick (SQL injection). For those not technically inclined, this string is usually entered into the username field. The leading quote closes the username string literal, and the trailing `--` turns the rest of the query into a comment. It tricks the application so that instead of checking whether the username and password are valid, it checks to see if the username and password are valid or if 1=1. Since 1=1 is always true, a poorly coded application will log the nefarious hacker in (often as the global administrator or system user).
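To make the mechanism concrete for both this post and the Part 2 post above, here is an added example (not code from the original posts or from any Redspin assessment) that builds a constructed in-memory SQLite user table, runs the `' or 1=1;--` string through a login query built by string concatenation, and then through the parameterized query that a properly coded application would use. Table, account names and passwords are all made up for the demo.

```python
import sqlite3

# Constructed demo database: two accounts, the administrator inserted first.
# Passwords are stored in clear text only to keep the demo short; a real
# application must store salted password hashes, which is a separate issue
# from the injection flaw shown here.
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, "
        "password TEXT, role TEXT)"
    )
    conn.execute("INSERT INTO users VALUES (1, 'admin', 'correct-horse', 'administrator')")
    conn.execute("INSERT INTO users VALUES (2, 'alice', 'wonderland', 'user')")
    conn.commit()
    return conn

def login_vulnerable(conn, username, password):
    # The user-supplied text is pasted into the SQL, so a quote in the input
    # ends the string literal and the rest of the input becomes SQL syntax.
    sql = ("SELECT username, role FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone()

def login_safe(conn, username, password):
    # Placeholders bind the input as data; the database never parses it
    # as SQL, so the same string just fails to match any username.
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()

# The string from the post: closes the literal, makes the WHERE clause
# always true, and comments out the password check.
PAYLOAD = "' or 1=1;--"

def demo():
    conn = build_db()
    return {
        # Vulnerable query returns the first row, i.e. the administrator.
        "vuln_payload": login_vulnerable(conn, PAYLOAD, "anything"),
        # Parameterized query returns no row for the same input.
        "safe_payload": login_safe(conn, PAYLOAD, "anything"),
        # Parameterized query still works for a genuine credential pair.
        "safe_valid": login_safe(conn, "alice", "wonderland"),
    }

if __name__ == "__main__":
    for name, row in demo().items():
        print(name, "->", row)
```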

It’s unfortunate that the healthcare space is subject to these flaws, as most of these applications house thousands of EPHI records. These systems commonly have SSNs, credit card numbers, addresses, DOBs, essentially everything a nefarious bad guy would need to steal many identities. In addition, many people consider their medical information to be their most private data.

Another example is an advisory we just published on cross-site scripting vulnerabilities and database access in OpenEMR, an open-source healthcare records application.

It’s not just the small players either: Anthem Blue Cross recently disclosed that over 200,000 records were potentially breached on their website. Many security problems we see are obvious, and with basic effort an organization can be much more secure. According to the report, attorneys looking for information for a class action lawsuit against Anthem were able to gain access to the EPHI. This implies that the breach and the flaw were not complicated and didn’t require world-class hacking skills. Given that the California Department of Public Health is starting to dole out fines (Healthcare Breach Fines), it will be interesting to see if they hit Anthem with the maximum fine.

The bottom line: if you have EPHI accessible via your Internet facing web applications, perform your due diligence. At Redspin we always recommend starting with the best practices that the Open Web Application Security Project (OWASP) has outlined in their Top 10 Web Application Vulnerabilities list.

Identity Theft Check Up: Electronic Medical Records are the New Credit Cards

Posted by David Bailey

As credit card fraud prevention measures have made it tougher on identity thieves, identity thieves have found a new target: healthcare identities. And healthcare information systems are nowhere near ready to withstand the onslaught. A recent survey by Chicago-based HIMSS (Healthcare Information and Management Systems Society) found that most hospitals spend less than 3% of their IT budget on security, a level Lisa Gallagher, senior director for privacy and security at HIMSS, calls inadequate.

According to the New York Times, a single credit card number was going for as much as $100 on the black market in 2005. The black market has gone through turmoil similar to the stock market, and the same number today sells for about $6 to as little as $0.40 per number. The market has become flooded with numbers, and banks are able to detect fraud more quickly because of online banking and increased awareness. The amount of attention focused on credit card fraud, coupled with the loss of profitability for thieves, has made it tough for criminals, so their interest is shifting to healthcare identities.

Enter electronic medical records (EMR). EMRs are essentially an identity plus medical information. In 2007, an identity typically sold for $14 to $18. An EMR will usually contain a name, address, Social Security Number, date of birth, prescription information, medical history, and possibly a picture of a driver’s license. A single hospital would retain this information for every person who has ever checked in, and this is all the information an identity thief would need. Patients with recent birth or death events would be perfect candidates for identity theft as no one is usually monitoring their credit. Medical records that were previously boxed up in the basement are now ripe for the picking as hospitals make the move to digitize EMRs and are slow to adopt the processes and technology needed to protect this information.

Identity theft is only half the picture. A trend is emerging with thieves targeting patient records for the medical information contained within them. These data breaches started with simple hostage/ransom demands of large record holders. In October 2008, Express Scripts was notified by an attacker that records of millions of their customers would be released into the public if ransom was not paid. In a similar April 2009 incident, an attacker hijacked the Virginia Prescription Monitoring Program web site and posted a message demanding a $10 million ransom from the state.

A shift has started where attackers are starting to sell the actual electronic medical and health insurance information. In October 2009, it was discovered that a company in India was selling British medical records. The seller told undercover investigators, “I have 30,000 files to give you today, right now. I’ve around 140 diseases here. You just tell me which disease you’re looking out for – I can give you anything.” This data breach was blamed on the British hospital outsourcing its medical record transcription to a third-party business associate, who in turn outsourced it to another company in India. These records were fetching £4 ($6.24) each, but the World Privacy Forum claims these records can get upwards of $50 per record.

It is only a matter of time before these stolen records are regularly used for social engineering attacks against patients. Also, people desperate for medical care will begin looking to the black market to buy an insurance identity to file fraudulent claims. Several of these cases, dating back to 2005, are documented by the World Privacy Forum along with many other patient record thefts. They also note an increase in medical identity theft victims from 86,168 in 2001 to 255,565 in 2005, and this number is still increasing. Only time will tell what new crimes come with the theft of electronic medical records.

How Can an Information Security Program Help?

As with most technological challenges, there are no quick fixes or easy solutions; however, there are steps you can take to mitigate data breaches. Medical records and health insurance information need to be available to those who require access and secured from thieves trying to steal the data. One cannot just say “those records are encrypted” and think they’re set; the company must demonstrate a true commitment to a complete Information Security Program (ISP). Safeguarding EMRs requires management and implementation tasks that range across the entire business enterprise.

The following recommendations can help a healthcare organization get on the right track:

  1. Demonstrate a true commitment to information security across the entire enterprise – not just within the IT arena. The most effective Information Security Program takes a risk-based approach, balancing potential risks against the convenience and expense to mitigate identified risks.
  2. View IT security as a competitive advantage: companies that experience IT security breaches are subject to damaging consequences such as:
    • Large monetary penalties from regulators
    • Loss of mission-critical IT systems including web applications, business associate networks and internal networks
    • Breach notifications to customers/patients and the media
    • Legal action by affected customers/business associates/vendors
    • Theft and/or misuse of data
  3. Implement and follow well-documented security policies and procedures. Periodically review and adjust these, and monitor and measure compliance with industry best practices.
  4. Collaborate with business associates on the implementation of EMR security programs.
  5. Conduct independent security assessments. HIPAA law requires covered entities to conduct routine evaluations of the effectiveness of EMR security programs, policies and procedures. It is also important to evaluate business associates with whom health data is exchanged.

As with any new regulation, it is important to take a step back and fully understand how it impacts your organization. There are no “cookie-cutter” solutions; however, understanding the current infrastructure by taking a holistic, risk-based approach and balancing potential risks against the convenience and expense to mitigate identified risks is the recipe for success. Strong leadership, organizational competency, risk classification, collaboration and continuous process improvement are the benchmarks for best practices in healthcare information security and compliance.

Web Application Trends and Predictions from Breach Security

Posted by Nathan Drier

Here is an interesting recap of some of the top web incidents of 2009, along with some projections for 2010. It’s done by one of the guys at Breach Security. It includes a recap and some technical details on the TJX hack, Time’s ‘Most Influential Person’ poll abuse, fun with Twitter, and more. A good read and some good perspective. You need to disclose some info to download – but it’s worth it.

http://www.breach.com/resources/whitepapers/top-web-incidents-2009.html

More Cyber Criminal Activity

Posted by John Reno in Main

This morning the Washington Post once again reported a widespread and ongoing set of attacks sponsored by a cybercriminal organization based in Eastern Europe. Amit Yoran of Netwitness was quoted as saying, “The traditional security approaches of intrusion-detection systems and anti-virus software are by definition inadequate for these types of sophisticated threats,” Yoran said. “The things that we — industry — have been doing for the past 20 years are ineffective with attacks like this. That’s the story.” I have worked with Amit both at Riptech (now Symantec) and when he was National Cyber Security Division director within the United States Department of Homeland Security. We should take note. More sophisticated attacks are coming, and perimeter-oriented, signature-based defenses are inadequate.

What should be done? I would invest rapidly in two particular areas:

• Social engineering and security awareness
• Risk management

Social engineering and security awareness can be thought of as your new front line of defense: your users. They need to be cognizant of the attacks that are being directed at them and the role they play in defending the organization and corporate assets.

Risk management can be implemented by following the process depicted above. From the standpoint of defending against cyber crime, the process helps identify the areas that are of highest impact to your business and organizes controls to defend against the threats. Another important benefit is that business unit leaders and executive management are drawn into the process, and thus gain an understanding of the security issues and risks. Furthermore, implemented properly, risk management simply becomes part of running the business, similar in nature to the way the finance organization closes the books every month.

Here at Redspin we can help you understand your risks, educate your workforce and modernize your defenses.