Monday, June 26, 2017

Medical Data Security


CYBER-650 Week 4

How Secure Is Your Medical Data? 2016 Annual Healthcare Industry Cybersecurity Report

Cybersecurity is among the top five concerns of the healthcare industry

(PricewaterhouseCoopers, 2016)

With hackers' increasing interest in e-PHI (electronic-Protected Personal Health Information), the healthcare industry is becoming more vulnerable to malicious attacks. Medical records and important personal information about patients (SSN, accounts and contact info) are often housed within the same DBMS. A recent report by Intel Security puts the digital underground trading value of e-PHI at $200,000 (Stone, J., 2016). Individual patient records (“fullz”) sold for between $15 and $65 in the underground market, as reported by Dell SecureWorks (Lemos, R., 2016). In its 2016 Annual Healthcare Industry Cybersecurity Report, SecurityScorecard (a Google-backed online risk monitoring group) shows that “unlike the financial industry, which knows it is targeted and has hence taken significant cybersecurity measures, the medical industry is still very largely vulnerable” (Goenka, H., 2016-4-11). The report was a one-year survey (2015-8 – 2016-8) conducted on 700 organizations in the healthcare delivery sector, including hospitals, device manufacturers, and healthcare insurers.

The report found that the malware infection rate across the entire healthcare delivery system was 75 percent. Device manufacturers were the worst performers at 88 percent; medical treatment centers were second, with an infection rate of about 76 percent. Medical treatment centers recorded over 95 percent of the overall industry total when the difference in the number of device manufacturers and hospitals is considered. Why do treatment centers have such high malware infection rates? One reason is that they house a large number of IoT (Internet of Things) devices. These devices have wireless capabilities but lack appropriate security. The danger is that IoT wireless devices in treatment centers can malfunction and can become a gateway for hackers to access the healthcare network and DBMS. There is also a legacy infrastructure problem, such as patch and update management, especially for facilities that have been in existence for a while.

The top 3 causes of health data breaches, as reported in the Verizon 2015 Protected Health Information Data Breach Report, are lost or stolen assets (45%), privilege misuse (EoP) (20.3%), and miscellaneous errors (20.1%) (verizonenterprise.com, 2017).

References

PWC Health Research Institutes. Top health industry issues in 2016. Thriving in the


Stone, J., Stolen medical data on the cheap after waves of healthcare hacks. (2016-26-


Lemos, R. All about your ‘fullz’ and how hackers turn your personal data into dollars.


Goenka, H. Is Your Medical Data Safe? Healthcare Industry, Most Hospitals Low On


Verizon. 2015 Protected Health Information Data Breach Report. (2017). Retrieved

Friday, June 23, 2017

2017 Cybersecurity Threats


Week 3


Cybersecurity trends and themes impacting the healthcare delivery system remain the bane of C-suite managers in the healthcare sector. In 2016, the sector recorded one data compromise per day. On March 20, 2017, 1,300 e-PHI were compromised at the UNC (University of North Carolina) Health Care System (Daitch, H., Identity Force, 2017). Healthcare Dive identified four main areas of vulnerability that senior managers in the sector have to be concerned with:

- Poor cybersecurity practices – some organizations do not follow best practices because of poor information security awareness and education, a lack of cultural attitude, or the cost of complying; poorly regulated healthcare cybersecurity, with organizations depending on regulations to direct them on what to do; varying levels of interest, lack of data encryption, and poor password selection and protection. Banner Health, for example, faced a major class action suit for cybersecurity negligence, which resulted in the data of 3.7 million people being compromised. In February 2017, Children’s Medical Center, Dallas, was fined $3.3 million by HHS’ OCR for privacy breaches.

- Insider threats – 43% of healthcare data breaches in 2016 resulted from insider threats, both unintentional and malicious (Protenus, Healthcare Dive, 2017). BYOD, USB and mobile devices were the methods most used for the attacks. However, cloud computing offers a safer means of data transmission or storage.

- Medical devices – these provide back doors that can be exploited. With MEDJACK (medical device hijack) and the increasing introduction of medical devices into the IoT (“Internet of Things”), it becomes pertinent for medical device manufacturers to include security in the design and production of devices. Although device manufacturers are not constrained by HIPAA security standards, the FDA has published guidelines for manufacturers to identify and address inherent device vulnerabilities. The FDA effort is already yielding results, as St. Jude Medical had to recall its heart devices following an identified vulnerability that malicious agents could exploit against patients.

- Ransomware – has been identified as a top threat facing the healthcare delivery system and is expected to increase in 2017.

The data breach trend continues, with Experian's fourth annual data breach industry forecast for 2017 anticipating the following data breach trends: “aftershock password breaches will expedite the death of the password; nation-state cyber-attacks moving from espionage to war; healthcare organizations will be the most targeted sector with new, sophisticated attacks emerging; criminals will focus on payment-based attacks despite the EMV shift taking place over a year ago, and; international data breaches will cause big headaches for multinational companies” (Experian, p.2, 2017).

Healthcare delivery systems were the second most affected victims (18%), as reported in the 2017 Verizon Data Breach Investigations Report (DBIR). The financial sector was the No. 1 victim (24%). The attack tactics were hacking (62%), malware (51%), stolen or weak passwords (81%), social engineering attacks (14%), and physical actions (8%) (Bisson, D. 2017). Outsiders perpetrated 75% of these attacks; the other actors were internal actors (25%), state-affiliated actors (18%), multiple parties (3%), partners (2%), and organized criminal groups (51%) (Bisson, D. 2017).

References

Daitch, H. 2017 Data Breaches – The Worst So Far. (2017). Retrieved (2017-24-6) from


Healthcare Dive. 4 cybersecurity threats every hospital C-suite admin should be familiar


Experian. 2017 Fourth Annual Data Breach Industry Forecast. (2017). Retrieved (2017-


Bisson, D. 2017 Verizon DBIR Highlights: Analyzing the Latest Breach Data in 10 years

Thursday, June 15, 2017


Threat Process Model in the health care delivery system: Sources of information for threats, vulnerabilities, updates, and security news

Healthcare cybersecurity attacks rise 320% from 2015 to 2016

(Symantec’s 2017 Internet Security Threat Report - ISTR)

A good and effective approach to addressing threats that may affect an organization's information systems is the threat modeling process. A structured approach, whether software-focused, attacker-focused or asset-focused, decomposes into four basic steps:

Step 1 – Decompose the application

Step 2 – Determine and rank threats

Step 3 – Identify vulnerabilities

Step 4 – Determine controls or countermeasures and mitigation

Envisioning the security requirements and scenarios before building helps in identifying threats to the system being built or already built. These threats need to be analyzed, with Microsoft STRIDE for example, and the identified threats ranked, with DREAD for example. Attack agents might exploit vulnerabilities in the software, application or system, so these vulnerabilities also need to be identified. Table 1.1 provides a list of some credible sources of information for threats, vulnerabilities, updates, and security news. This list is by no means exhaustive; it only represents members of this category. These sources not only provide current information on threats, vulnerabilities, updates, and security news, but are also credible, accurate and reliable sources of information security knowledge that can be applied in many scenarios to mitigate information security risks. Symantec provides a monthly threat report.

Sources | Website
1. Symantec
   - Symantec internet security threat report 2017
   - Website security report 2016
2. Verizon’s data breach investigations report (DBIR) - 2017 | http://www.verizonenterprise.com/verizon-insights-lab/dbir/2017/
3. Forbes
   - Top 2016 Cybersecurity reports from AT&T, Cisco, Dell, Google, IBM, McAfee, Symantec and Verizon
4. Federal Communications Commission
5. Health IT security
   - Healthcare data security incidents in 2016
6. John Schneier Blogs
7. Security Wizardry Radar
8. Homeland Security Cybersecurity
9. CVE details
   - Security vulnerability data source
10. Microsoft Service and Update Center
11. Oracle Help Center
12. Homeland Security newswire
13. Tech News World
   - Cybersecurity | http://www.technewsworld.com/perl/section/cyber-security/

Table 1.1 List of some credible sources of information for threats, vulnerabilities, updates, and security news.

When online sites give conflicting reports, cross-check with some of these sources and with other credible cybersecurity news sites, for example CBS cybersecurity, Security Magazine Cyber Security News, HuffPost Cyber Security, Secure Works, and Tech Republic.

References

Symantec Security Center. 2017 Internet Security Threat Report (ISTR). (2017).


Morgan, S. Top 2016 Cybersecurity Reports Out From AT&T, Cisco, Dell, Google, IBM,


Health IT Security. Healthcare Data Security Incidents Second Highest in 2016. (2017-

Wednesday, June 14, 2017


Threat Modeling healthcare delivery software and application: An introduction

The goal of any threat model process is to determine as many as possible of the threats that could exploit identified vulnerabilities of the organization’s information system. A software-focused threat model process seeks to identify and address the threats that would attack the company’s information system by exploiting the weaknesses or “vulnerabilities in the software components that are used by the application, the operative systems software that the application uses and the vulnerabilities of the underlying network and data infrastructure in which these applications operate” (Morana, M., M. & Ucedavelez, p.6, 2015). Threat modeling is a structured, systematic approach, whether software-focused, attacker-focused, or asset-focused, to understanding how different threats could be realized by threat agents. It simulates how a successful compromise could take place. A threat agent is “an intruder accessing the network via port on the firewall, a process assessing data in a way that violates the security policy, a tornado wiping out a facility, or an employee making an unintentional mistake that could expose confidential information” (Harris, S., pp.1108, 26, 2013).

In the healthcare delivery sector, because of the criticality of e-PHI (electronic-protected patient health information), software vulnerabilities provide exploitable weaknesses (an attack surface) from which threat agents can launch attacks to achieve specific goals, such as stealing important personal or confidential patient information. An attacker can achieve this by injecting malicious SQL code into the web pages of the healthcare delivery system application after doing a vulnerability scan. The goal is to gain unauthorized access to the database storing e-PHI. It is, therefore, imperative to begin addressing security risk issues during the SDLC, at the design and production of the software or application. A good way of handling this is a structured, software-focused threat modeling approach. Fig. 1.1 is the DFD (Data Flow Diagram) that decomposes the threat modeling process steps involved in security design in the software development life cycle.

Step 1 – Decompose the application

Step 2 – Determine and rank threats

Step 3 – Identify vulnerabilities

Step 4 – Determine controls or countermeasures and mitigation

Fig. 1.1 Threat Model Process DFD

A software-focused threat model process that uses trust boundaries (“any place where various principals come together or where entities with different privileges interact” – Shostack, A, p.50, 2014) identifies appropriate, effective and timely countermeasures to deploy to mitigate attacks on the healthcare delivery information system. Why a software-centric modeling approach? It provides better security for assets and a strong defense against the attacker, because security considerations are appropriately included in the design of the software or system being built. A good explicit threat model would document models of UML diagrams, APIs, and architecture.
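
The four steps listed above (and in the June 15 post, which names STRIDE and DREAD), carried through for a small patient-portal data flow. This is an added example, not taken from the original posts or the books they cite: the element names, trust zones, DREAD ratings and controls are constructed for illustration, and the STRIDE-per-element chart is the commonly used form, with repudiation counted for data stores.

```python
from dataclasses import dataclass
# STRIDE-per-element chart: threat classes to consider for each DFD element type.
STRIDE = {"external_entity": "SR", "process": "STRIDE", "data_flow": "TID", "data_store": "TRID"}
# Step 1 - decompose: element -> (DFD type, trust zone). All names are constructed.
ELEMENTS = {
    "patient_browser": ("external_entity", "internet"),
    "portal_web_app": ("process", "dmz"),
    "session_cache": ("data_store", "dmz"),
    "ephi_database": ("data_store", "internal"),
    "infusion_pump": ("external_entity", "clinical_iot"),
}
FLOWS = [("patient_browser", "portal_web_app"), ("portal_web_app", "session_cache"),
         ("portal_web_app", "ephi_database"), ("infusion_pump", "portal_web_app")]

def boundary_crossings(flows=FLOWS):  # flows whose endpoints sit in different trust zones
    return [(s, d) for s, d in flows if ELEMENTS[s][1] != ELEMENTS[d][1]]

@dataclass
class Threat:
    title: str
    element: str
    stride: str         # one STRIDE letter
    dread: tuple        # Damage, Reproducibility, Exploitability, Affected users, Discoverability (1-10)
    vulnerability: str  # step 3
    control: str        # step 4
    def score(self):
        return sum(self.dread) / len(self.dread)

# Steps 2-4 for threats the posts mention; the DREAD ratings are illustrative assumptions.
THREATS = [
    Threat("Spoofed medical device used as gateway", "infusion_pump", "S", (7, 5, 5, 4, 6),
           "device has no authentication", "device certificates, segmented IoT network"),
    Threat("SQL injection reads e-PHI", "portal_web_app", "I", (9, 8, 7, 9, 7),
           "queries built by string concatenation", "parameterized queries, least-privilege DB account"),
    Threat("Insider privilege misuse", "portal_web_app", "E", (8, 6, 5, 8, 4),
           "over-broad application roles", "role-based access control, audit logging"),
    Threat("Ransomware encrypts e-PHI store", "ephi_database", "D", (10, 6, 6, 10, 5),
           "unpatched legacy hosts", "patch management, offline backups"),
]

def ranked(threats=THREATS):
    """Reject threats the STRIDE chart rules out, then rank by DREAD score (highest first)."""
    bad = [t.title for t in threats if t.stride not in STRIDE[ELEMENTS[t.element][0]]]
    if bad:
        raise ValueError(f"STRIDE class not applicable to element: {bad}")
    return sorted(threats, key=Threat.score, reverse=True)

if __name__ == "__main__":
    print("\n".join(f"{t.score():.1f} [{t.stride}] {t.title} -> {t.control}" for t in ranked()))
```

The flow to session_cache stays inside one trust zone, so it is not reported as a boundary crossing; the other three flows are where the model says to look first.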

References

Morana, M., M. & Ucedavelez, T. Application Threat Modeling: Process for Attack Simulation and Threat Analysis. Wiley-Blackwell. (2015-28-5).

Harris, S. CISSP All-in-one Exam Guide. 6th ed. McGraw Hill Education. (2013). New York.

Shostack, A. Threat Modeling: Designing for Security. John Wiley & Sons, Inc. (2014). Indianapolis.