“How to Hack Healthcare” presentation by Alluvien Information Security experts:
Aaron Hayden, MBA
Software Development / Ethnics & Compliance
Alex Haslach, GSEC, CEH
System Administration / IT Control Analyst
June 25, 2015
This webcast hosted by HIMSS covered ‘recent’ healthcare entities that have been hacked (Anthem, Premera, CHS, etc.), how the hackers got into their systems and what safeguards (cover risk) could have been put into place to avoid these intrusions. Later in the webcast Alex covered HIPPA requirements; Administrative, Physical, Technical (Access, Audit, Intergrity and Transmission). Thoughtful and useful advice was given to the audience on the best actions for healthcare, etc. to take to avoid hacks.
As mentioned in the slides, over the last decade healthcare providers account for 26.8% of data breaches (about 1200), however not every sector has mandatory reporting, healthcare is overrepresented. Both Anthem (2010) and Premera (2014) were hacked via spear phishing. A fake website was created with very similar web address; an employee went to this website and gave away their credentials. Aaron goes into detail of why hackers preform these ‘mega breaches’, citing the main reason is because there is a huge black market for data, and the suspicion is that hackers assemble a database about individuals and can use this protected information to target same group of people in the future by using better ‘crafted’ phishing emails; federal employees are usually main target. Another hypothesis is that this is illicit market research, used to generate new and better uses of healthcare products. This is the ‘positive’ spin on things, I applaud your efforts Aaron, but I am VERY doubtful! Aaron also talked about the Community Health Systems (CHS) hack of more than 200 healthcare facilities somewhere between April and June 2014. This was a far more sophisticated attack utilizing malformed requests (hackers asked for encrypted sessions with the webserver) and a OpenSSL Heartbleed vulnerability reportedly resulted in a VPN session hijack.
So are governmental mandates enough to help prevent such attacks? If an organization is compliant with HIPPA, it “…does not mean it is secure in any way”. One huge downfall that was a common theme with Premera, Anthem and other attacks, was the length of time hackers had access to data before it was even noticed by anyone due to the lack of monitoring and the strong compliance beyond just HIPPA. Protection systems like Intrusion Detective System (IDS), Intrusion Prevention System (IPS) and Security information and event management (SIEM) System need to be in place. A useful source mentioned was a non-profit cooperative research and education organization called SANS that has a comprehensive list of top 20 Critical Security Controls that mitigate and prevent security breach; organizations that have implemented these security controls have an 85% less likely chance of a breach.
The slides that go into HIPPA are in the link below for your reading pleasure! I don’t want this to become a blog about the subject (easily done due to the vastness), but please read their slides because they do a wonderful job of summing it up. Instead I want my next point to be about my question asked. I wrote in asking Aaron and Alex their opinion on utilizing Amazon Web Services (what Wellpepper uses), to store PHI data etc. and what they believed the pros and cons to be. Aarons opinion was the bigger the company the better… they have solid safeguards to protect PHI data and can easily present their policies to clients, but as a customer if you have a security request that is in conflict with their efficiently organized architecture, they are not going accommodate. Alex agreed adding that it is a matter risk of transference; will Amazon do a better job of protecting our data by taking the risk for us? Yes, because Amazon maintains class one data centers all around the world that have very good security controls, they have resources to invest in the highest level of protection available with an entire team to do so. With that coming from Alluvien security professionals, it is nice to be reassured that PHI data that Wellpepper utilizes is well protected.
The webcast is available here after a short ‘registration’ process. The on demand webcast expires at the end of July.