Infosec Management In Healthcare Or why security blankets and Johnny shirts don’t cover your backside HTCIA Atlantic Chapter Annual Conference October 22, 2013


Page 1: InfoSec Management In Healthcare

Infosec Management In Healthcare, or why security blankets and Johnny shirts don’t cover your backside

HTCIA Atlantic Chapter Annual Conference

October 22, 2013

Page 2: InfoSec Management In Healthcare

About me

• Sr. Security Analyst for Capital District Health Authority
– The information presented here is my own opinion and is not related in any way whatsoever to my employer

• Co-founder of The Atlantic Security Conference www.atlseccon.com

• Co-founder of the Halifax Area Security Klatch www.thehask.com

• Big time fan of Bruce Lee and blues music!

Page 3: InfoSec Management In Healthcare

Healthcare & The Law

• There is no Canadian federal law requiring health care providers to disclose details regarding data loss and breaches.
• Bill C-475 seeks to update PIPEDA to include mandatory breach notification and consequences for security breaches
• Nova Scotia’s Personal Health Information Act has been in effect since June 1, 2013
• The only Canadian jurisdiction that currently has made security breach notification mandatory is Alberta

Page 4: InfoSec Management In Healthcare

Diagnosis

• The United States has federal legislation requiring healthcare providers to inform the public of breaches: the Health Information Technology for Economic and Clinical Health (HITECH) Act, in effect since 2009
• Top 5 PHI Breaches, 2012 (Redspin breach report)

Page 5: InfoSec Management In Healthcare

Diagnosis

• 538 breaches of protected health information (PHI)
• 21,408,505 patient health records affected
• 21.5% increase in # of large breaches in 2012 over 2011 but… a 77% decrease in # of patient records impacted
• 67% of all breaches have been the result of theft or loss
• 57% of all patient records breached involved a business associate
• 5X – historically, breaches at business associates have impacted 5 times as many patient records as those at a covered entity

Page 6: InfoSec Management In Healthcare

Diagnosis

• 38% of incidents were the result of an unencrypted laptop or other portable electronic device
• 63.9% of total records breached in 2012 resulted from the 5 largest incidents
• 780,000 – number of records breached in the single largest incident of 2012

Page 7: InfoSec Management In Healthcare

Only In Canada eh!

Page 8: InfoSec Management In Healthcare

Why they want it…

• Healthcare records combined with other personal information create an identity portfolio
• These portfolios or “kitz” can be used for multiple fraud types
• “kitz” can sell on the underground market for up to $1300.00

Page 9: InfoSec Management In Healthcare

Prognosis

• There is an epidemic of data loss for healthcare
• We pretty much stink at handling PHI
• Things are getting better but there is still lots of room for improvement

Page 10: InfoSec Management In Healthcare

Managing Data

• Confidentiality refers to preventing the disclosure of information to unauthorized individuals or systems
• Integrity is maintaining and assuring the accuracy and consistency of data
• Availability: for any information system to serve its purpose, the information must be available when it is needed.

Page 11: InfoSec Management In Healthcare

In the News

Page 12: InfoSec Management In Healthcare

Hacking Medical Devices

• We miss you Barnaby Jack

Page 13: InfoSec Management In Healthcare

A day in the life... (The mostly boring underbelly of infosec)

Page 14: InfoSec Management In Healthcare

Browse to Host

Page 15: InfoSec Management In Healthcare

Looking For The Obvious

Page 16: InfoSec Management In Healthcare

Great Success!

Page 17: InfoSec Management In Healthcare

Raising Awareness…

Page 18: InfoSec Management In Healthcare

Keeping a watchful eye

• Network Monitoring
– Establish a baseline
– Identify anomalies and problem areas
– Identify root cause
– Historical reporting to help trend and scale services

Page 19: InfoSec Management In Healthcare

Keeping a watchful eye

Network Access Control

• Knowing who and what is on the network

• Access policies based upon role/requirement

• Process for poorly behaving computers (Threats)
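The three NAC bullets above amount to a decision: look the device up in an inventory, map its role to a network segment, and push hosts that keep misbehaving into quarantine. The following is an added illustration of that logic; it is not code from the presentation or from CDHA, and the inventory, the role-to-segment table, the "remediation" segment and the three-strike threshold are constructed assumptions a real deployment would take from its own access policy and NAC platform.

```python
"""Network Access Control decision logic (added example, constructed data).

Who and what is on the network (inventory), access by role (policy table),
and a process for poorly behaving computers (strikes -> quarantine).
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Role -> segment a healthy, registered device is admitted to. Constructed
# table, built around the public/administrative/clinical split used in the talk.
ROLE_POLICY: Dict[str, str] = {
    "clinician-workstation": "clinical",
    "admin-workstation": "administrative",
    "medical-device": "clinical-devices",
    "guest": "public",
}


@dataclass
class Device:
    mac: str
    role: Optional[str] = None        # None: not in inventory
    endpoint_protection_ok: bool = True
    strikes: int = 0                  # bad-behaviour reports (IDS hits, AV alerts)


class Nac:
    def __init__(self, strike_threshold: int = 3):
        self.strike_threshold = strike_threshold   # constructed value
        self.inventory: Dict[str, Device] = {}

    def register(self, device: Device) -> None:
        self.inventory[device.mac] = device

    def report_threat(self, mac: str) -> None:
        """Process for poorly behaving computers: count strikes per device."""
        if mac in self.inventory:
            self.inventory[mac].strikes += 1

    def admit(self, mac: str) -> Tuple[str, str]:
        """Return (segment, reason) for the device presenting this MAC."""
        device = self.inventory.get(mac)
        if device is None or device.role not in ROLE_POLICY:
            # Unknown hardware never reaches clinical or administrative segments.
            return "public", "unregistered device: guest access only"
        if device.strikes >= self.strike_threshold:
            return "quarantine", f"{device.strikes} threat reports: isolated for investigation"
        if not device.endpoint_protection_ok:
            return "remediation", "endpoint protection out of date: patch segment only"
        return ROLE_POLICY[device.role], f"role {device.role}"


if __name__ == "__main__":
    nac = Nac()
    nac.register(Device("aa:bb:cc:dd:ee:01", role="clinician-workstation"))
    print(nac.admit("aa:bb:cc:dd:ee:01"))          # ('clinical', 'role clinician-workstation')
    for _ in range(3):
        nac.report_threat("aa:bb:cc:dd:ee:01")
    print(nac.admit("aa:bb:cc:dd:ee:01"))          # ('quarantine', ...)
    print(nac.admit("ff:ff:ff:ff:ff:ff"))          # ('public', ...)
```

The point of the ordering in `admit` is that the quarantine check runs before the role lookup: a known clinician workstation that trips the IDS three times is isolated regardless of the access it would normally be entitled to.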

Page 20: InfoSec Management In Healthcare

A day in the life of infosec... continued

• Endpoint Protection

Page 21: InfoSec Management In Healthcare

A day in the life of infosec... continued

• What is significant in this list regarding Risk?
• Most infections and threats appear to be Trojans…
• Key loggers, downloaders, remote administration, screen scrapers

Page 22: InfoSec Management In Healthcare

A day in the life of infosec... continued

• Security Incident Event Management
– Monitor activity between client-server, client-client and server-server
– Monitored 24x7, 365 days a year by the Systems Operations Centre
– CDHA Support staff are notified when there is traffic of interest
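Two of the slides above describe the same pipeline from different ends: the network-monitoring slide (establish a baseline, then find anomalies) and this SIEM slide (watch client-server, client-client and server-server activity and notify support on traffic of interest). The block below is an added example of both steps over constructed data; it is not the presentation's or CDHA's tooling. The week of daily volumes, the flow records, the host-naming convention (`ws-*` clients, `srv-*` servers) and the allowed server-to-server port list are all assumptions.

```python
"""Baseline -> anomaly detection, then "traffic of interest" rules
(added example, constructed data)."""
import statistics
from typing import Dict, List, Optional, Set, Tuple

# Constructed history: outbound megabytes per day per host over one week.
# Real input would be NetFlow/sFlow exports or the monitoring platform's counters.
HISTORY: Dict[str, List[float]] = {
    "ws-clin-01": [120, 130, 110, 125, 118, 122, 128],
    "ws-admin-07": [40, 45, 38, 42, 41, 44, 39],
    "srv-ehr-01": [900, 950, 880, 910, 930, 905, 920],
}


def build_baseline(history: Dict[str, List[float]]) -> Dict[str, Tuple[float, float]]:
    """Per-host mean and sample standard deviation of daily outbound volume."""
    return {h: (statistics.mean(v), statistics.stdev(v)) for h, v in history.items()}


def check_volume(host: str, observed_mb: float,
                 baseline: Dict[str, Tuple[float, float]],
                 z_threshold: float = 3.0) -> Tuple[bool, float]:
    """Flag a day more than z_threshold deviations above the host's baseline.
    Returns (is_anomalous, z_score)."""
    mean, sd = baseline[host]
    if sd == 0:  # perfectly flat history: any change is a deviation
        return observed_mb != mean, float("inf") if observed_mb != mean else 0.0
    z = (observed_mb - mean) / sd
    return z > z_threshold, round(z, 2)


# Constructed flow records (src, dst, dst_port) as the SIEM would receive them.
FLOWS: List[Tuple[str, str, int]] = [
    ("ws-clin-01", "srv-ehr-01", 443),      # client-server, expected
    ("ws-clin-01", "ws-clin-02", 445),      # client-client SMB
    ("srv-ehr-01", "srv-db-01", 1433),      # server-server on an expected port
    ("srv-ehr-01", "srv-files-01", 3389),   # server-server RDP, not expected
]

EXPECTED_SERVER_PORTS: Set[int] = {443, 1433, 5432}   # constructed allowlist


def role(host: str) -> str:
    """Assumed naming convention: srv-* are servers, everything else a client."""
    return "server" if host.startswith("srv-") else "client"


def traffic_of_interest(flows: List[Tuple[str, str, int]],
                        expected_ports: Optional[Set[int]] = None) -> List[Tuple[str, str, int, str]]:
    """Apply the client-client / server-server rules; each hit is what the SOC
    would hand to support staff as an alert."""
    ports = EXPECTED_SERVER_PORTS if expected_ports is None else expected_ports
    alerts = []
    for src, dst, port in flows:
        pair = (role(src), role(dst))
        if pair == ("client", "client"):
            alerts.append((src, dst, port, "client-to-client traffic: workstations should not talk to each other"))
        elif pair == ("server", "server") and port not in ports:
            alerts.append((src, dst, port, "server-to-server traffic on an unexpected port"))
    return alerts


if __name__ == "__main__":
    base = build_baseline(HISTORY)
    print(check_volume("ws-clin-01", 400, base))   # (True, z well above 3)
    print(check_volume("ws-clin-01", 130, base))   # (False, z around 1.2)
    for alert in traffic_of_interest(FLOWS):
        print("ALERT", alert)
```

The volume check needs the historical reporting the slide mentions: with only a day or two of history the standard deviation is meaningless and every busy day becomes an alert, so baselines are built over a window and refreshed as services scale.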

Page 23: InfoSec Management In Healthcare

Portals Here…Portals There… Portals Everywhere

• XSS – Cross Site Scripting

• On OWASP top 10 list for 2013

Page 24: InfoSec Management In Healthcare

XSS Quick Demo

• Joe McCray from Strategic Sec has an online site for practicing XSS

(Thanks Joe... I owe you a rum and coke)

http://199.204.214.176/xss_practice/

• A quick test for an XSS vulnerability – <script>alert('XSS alert')</script>
– This will open a popup alert window with the message XSS Alert
• This script will have much more impact on the “C” level folks –
<br><br>Your session has expired please login to continue:<form action="destination.asp"><table><tr><td>Login:</td><td><input type=text length=20 name=login></td></tr><tr><td>Password:</td><td><input type=text length=20 name=password></td></tr></table><input type=submit value=LOGIN></form>
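Both demo strings work for the same reason: the portal copies a request parameter straight into the page, so the browser parses attacker text as markup. The added example below, which is not from the presentation or from the practice site, shows the vulnerable render beside the output-encoded one and a check a portal's test suite can run against any rendered page. The two page templates, the `reflects_active_content` helper and the header values are constructed; the probe string is the one on the slide.

```python
"""Reflected XSS: vulnerable render beside the output-encoded one
(added example, constructed templates)."""
import html
from typing import Dict

# Probe from the slide: if it comes back as live markup, the page is vulnerable.
PROBE = "<script>alert('XSS alert')</script>"


def render_vulnerable(search_term: str) -> str:
    """Reflects user input straight into HTML, so whatever was typed becomes markup."""
    return f"<p>Results for: {search_term}</p>"


def render_hardened(search_term: str) -> str:
    """Output-encode at the point of insertion into HTML text: < > & " ' become
    entities, so the browser displays the input and never parses it as a tag."""
    return f"<p>Results for: {html.escape(search_term, quote=True)}</p>"


def reflects_active_content(page: str) -> bool:
    """Cheap regression check: does a tag that runs script or captures input
    (like the fake login form on the slide) survive into the rendered page?"""
    lowered = page.lower()
    return any(tag in lowered for tag in ("<script", "<form", "<input", "<img", "onerror="))


def security_headers() -> Dict[str, str]:
    """Defence in depth for the page that gets the encoding wrong (constructed values):
    CSP blocks inline script and posting forms off-site; nosniff stops MIME guessing."""
    return {
        "Content-Security-Policy": "default-src 'self'; script-src 'self'; form-action 'self'",
        "X-Content-Type-Options": "nosniff",
    }


if __name__ == "__main__":
    print(render_vulnerable(PROBE))   # the script tag comes back intact
    print(render_hardened(PROBE))     # &lt;script&gt;alert(&#x27;XSS alert&#x27;)...
    print(reflects_active_content(render_vulnerable(PROBE)),
          reflects_active_content(render_hardened(PROBE)))   # True False
```

Encoding has to match the context the value lands in: `html.escape` is right for element text and quoted attributes, but a value dropped into a `<script>` block, a URL or a CSS rule needs that context's encoding instead, which is why the CSP header is worth sending even on pages believed to be clean.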

Page 25: InfoSec Management In Healthcare

RISK

• Infosec is really about RISK…. The sooner we all realize that the better

Page 26: InfoSec Management In Healthcare

RISK Management Basics

• Qualify – What is the attack surface? What is exposed? Confirmed and potential
• Quantify – What is the likelihood and the impact? How does it compare to other exposures?
• Correct – What measures should we take to Avoid, Accept, Reduce and/or Transfer RISK?
• Stop and ask what level of RISK the organization can/will assume

Page 27: InfoSec Management In Healthcare

What we don't want to do

• Security Theater is a term that describes security countermeasures intended to provide the feeling of improved security while doing little or nothing to actually improve security

Page 28: InfoSec Management In Healthcare

What we should be doing

• Security should be baked in... reach out to your Project Managers, let them know what you can do
• Be an enabler and help them to introduce new services that are secure
• Look at your environment with filters
– Classify your data – in healthcare we filter by public, administrative and clinical
– Identify systems and applications and rate them by criticality (low, medium, high)
• Identify vulnerabilities and gaps in these systems and applications
• Apply some RISK management basics to avoid, accept, reduce and/or transfer RISK
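The RISK Management Basics slide (qualify, quantify, correct, then check against the level of risk the organization will assume) and the list just above (classify data, rate systems by criticality, find the gaps, apply the basics) describe one procedure. The block below is an added example that carries it through on a small constructed register; it is not the presentation's or CDHA's method. The weights, the 1-5 likelihood scale, the risk appetite and the four exposures are assumptions; the vocabulary (public/administrative/clinical, low/medium/high, avoid/accept/reduce/transfer) is the talk's.

```python
"""Qualify / quantify / correct over a small risk register
(added example, constructed weights and exposures)."""
from dataclasses import dataclass
from typing import List

# Constructed weights: the data classification and criticality filters from the talk.
DATA_CLASS_WEIGHT = {"public": 1, "administrative": 2, "clinical": 3}
CRITICALITY_WEIGHT = {"low": 1, "medium": 2, "high": 3}


@dataclass
class Exposure:
    system: str
    data_class: str            # public / administrative / clinical
    criticality: str           # low / medium / high
    weakness: str              # vulnerability or gap found (qualify)
    likelihood: int            # 1 (rare) .. 5 (expected); constructed scale
    confirmed: bool            # confirmed vs potential exposure
    fixable: bool              # a reduction measure exists (patch, compensating control)
    business_associate: bool   # hosted or operated by a third party

    def impact(self) -> int:
        """1..9: what is at stake if the weakness is exploited."""
        return DATA_CLASS_WEIGHT[self.data_class] * CRITICALITY_WEIGHT[self.criticality]

    def score(self) -> int:
        """Quantify: likelihood x impact, 1..45, comparable across exposures."""
        return self.likelihood * self.impact()


def treatment(e: Exposure, appetite: int = 10) -> str:
    """Correct: avoid / accept / reduce / transfer, judged against the risk appetite
    (appetite is the constructed 'level of RISK the organization will assume')."""
    if e.score() <= appetite:
        return "accept"
    if e.fixable:
        return "reduce"
    if e.business_associate:
        return "transfer"      # contractual / insurance transfer to the third party
    return "avoid"             # no fix, nobody to transfer to: do not run it that way


def ranked(register: List[Exposure]) -> List[Exposure]:
    """Highest score first; confirmed exposures ahead of potential ones on ties."""
    return sorted(register, key=lambda e: (e.score(), e.confirmed), reverse=True)


# Constructed register: four exposures found while looking at the environment through the filters.
REGISTER = [
    Exposure("patient portal", "clinical", "high", "reflected XSS in search", 4, True, True, False),
    Exposure("cafeteria menu site", "public", "low", "outdated CMS", 3, True, True, False),
    Exposure("billing SaaS", "administrative", "medium", "no MFA at vendor", 3, False, False, True),
    Exposure("legacy imaging viewer", "clinical", "high", "unsupported OS", 5, True, False, False),
]

if __name__ == "__main__":
    for e in ranked(REGISTER):
        print(f"{e.score():>3}  {treatment(e):<8}  {e.system}: {e.weakness}")
```

The output ranks the unsupported imaging viewer (45, avoid) above the portal XSS (36, reduce), the vendor MFA gap (12, transfer) and the cafeteria site (3, accept). The scale itself is arbitrary; what the exercise buys is that every exposure is scored the same way, so the comparison between them, and the decision about what the organization will and will not carry, is explicit rather than a matter of whoever shouted loudest.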

Page 29: InfoSec Management In Healthcare

Security Lifecycle

• Balancing security requirements with business needs can be challenging
• Strive for continuous improvement
• Security is a process not a product

Page 30: InfoSec Management In Healthcare

The answer...

• Why don't security blankets and Johnny shirts cover your backside?
– Johnny shirts are designed so that a patient does not have to pull the shirt over their head, it can be put on lying down and of course so they can easily use the washroom.
– No single solution can mitigate every threat.... there is always an exposure

Page 31: InfoSec Management In Healthcare

Thank you

• Twitter Handle – @k0z1can

• LinkedIn Profile – http://ca.linkedin.com/in/andrewkozma

• Parting thoughts – “Absorb what is useful, discard what is not, add what is uniquely your own.” ~ Bruce Lee

– See you all at the next Atlantic Security Conference March 27th and 28th, 2014