andrew-kozma
Infosec Management In Healthcare Or
why security blankets and Johnny shirts don’t cover your backside
HTCIA Atlantic Chapter Annual Conference
October 22, 2013
About me
• Sr. Security Analyst for Capital District Health Authority – The information presented here is my own opinion and not related in any way
whatsoever to my employer
• Co-founder of The Atlantic Security Conference www.atlseccon.com
• Co-founder of the Halifax Area Security Klatch www.thehask.com
• Big time fan of Bruce Lee and blues music!
Healthcare & The Law
• There is no Canadian federal law requiring health care providers to
disclose details regarding data loss and breaches.
• Bill C-475 seeks to update PIPEDA to include mandatory breach
notification and consequences for security breaches
• Nova Scotia’s Personal Health Information Act has been effective since
June 1, 2013
• The only Canadian jurisdiction that currently has made security breach
notification mandatory is Alberta
Diagnosis
• The United States has federal legislation requiring healthcare providers
to inform the public of breaches: the Health Information Technology for
Economic and Clinical Health (HITECH) Act, effective since 2009
• Top 5 PHI Breaches, 2012 (redspin breach report)
Diagnosis
• 538 breaches of protected health information (PHI)
• 21,408,505 patient health records affected
• 21.5% increase in # of large breaches in 2012 over 2011 but… a 77%
decrease in # of patient records impacted
• 67% of all breaches have been the result of theft or loss
• 57% of all patient records breached involved a business associate
• 5X – historically, breaches at business associates have impacted 5 times
as many patient records as those at a covered entity
Diagnosis
• 38% of incidents were as a result of an unencrypted laptop or other
portable electronic device
• 63.9% of total records breached in 2012 resulted from the 5
largest incidents
• 780,000 records were breached in the single largest incident of
2012
Only In Canada eh!
Why they want it…
• Healthcare records combined
with other personal information
creates an identity portfolio
• These portfolios or “kitz” can be
used for multiple fraud types
• “kitz” can sell on the
underground market for up to
$1300.00
Prognosis
• There is an epidemic of data loss for healthcare
• We pretty much stink at handling PHI
• Things are getting better but there is still lots of room for
improvement
Managing Data
• Confidentiality refers to
preventing the disclosure of
information to unauthorized
individuals or systems
• Integrity is maintaining and
assuring the accuracy and
consistency of data
• Availability: for any information
system to serve its purpose, the
information must be available
when it is needed.
In the News
Hacking Medical Devices
• We miss you Barnaby Jack
A day in the life... (The mostly boring underbelly of infosec)
Browse to Host
Looking For The Obvious
Great Success!
Raising Awareness…
Keeping a watchful eye
• Network Monitoring
– Establish a baseline
– Identify anomalies and problem areas
– Identify root cause
– Historical reporting to help trend and scale services
Keeping a watchful eye
Network Access Control
• Knowing who and what is on the network
• Access policies based upon role/requirement
• Process for poorly behaving computers (Threats)
A day in the life of infosec... continued
• Endpoint Protection
A day in the life of infosec... continued
• What is significant in this list
regarding Risk?
• Most infections and threats
appear to be Trojans…
• Key loggers, downloaders,
remote administration, screen
scrapers
A day in the life of infosec... continued
• Security Incident Event Management
– Monitor activity between client-server, client-client and server-server
– Monitored 24x7 365 days a year by Systems Operations Centre
– CDHA Support staff are notified when there is traffic of interest
Portals Here…Portals There… Portals Everywhere
• XSS – Cross Site Scripting
• On OWASP top 10 list for 2013
XSS Quick Demo
• Joe McCray from Strategic Sec has an online site for practicing XSS
(Thanks Joe... I owe you a rum and coke)
http://199.204.214.176/xss_practice/
• A quick test for an XSS vulnerability:
<script>alert('XSS alert')</script>
– This will open a popup alert window with the message XSS Alert
• This script will have much more impact on the “C” level folks:
<br><br>Your session has expired please login to continue:<form action="destination.asp"><table><tr><td>Login:</td><td><input type=text length=20 name=login></td></tr><tr><td>Password:</td><td><input type=text length=20 name=password></td></tr></table><input type=submit value=LOGIN></form>
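The defensive counterpart to the quick test above, as an added example that is not part of the deck: a page that reflects a request parameter must output-encode it for the HTML text context, so both demo payloads land on the page as inert text instead of markup. The function names and the search-results template are my own assumptions.

```javascript
// Added example (not from the slides): HTML output encoding for untrusted
// input reflected into a page, beside the vulnerable concatenation it replaces.

// Encode the five characters that let a string break out of an HTML text context.
function htmlEncode(untrusted) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(untrusted).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable rendering (hypothetical portal search page): the query is
// concatenated into the response as-is, so any tags it carries are parsed.
function renderSearchVulnerable(query) {
  return '<p>Results for: ' + query + '</p>';
}

// Hardened rendering: the same template, with the value encoded before insertion.
function renderSearchSafe(query) {
  return '<p>Results for: ' + htmlEncode(query) + '</p>';
}

// Detection aid for the comparison: does the rendered markup contain a tag
// that did not come from the template itself?
function containsInjectedTag(html) {
  const body = html.replace(/^<p>Results for: /, '').replace(/<\/p>$/, '');
  return /<\/?[a-z][\s\S]*>/i.test(body);
}

// Constructed sample input: the quick test from the slides and a trimmed
// fragment of the fake-login form.
const QUICK_TEST = "<script>alert('XSS alert')</script>";
const FAKE_LOGIN = '<br><br>Your session has expired please login to continue:' +
  '<form action="destination.asp"><input type=text name=login></form>';

// Stand-alone run: show both renderings side by side for each payload.
for (const payload of [QUICK_TEST, FAKE_LOGIN]) {
  console.log('vulnerable :', renderSearchVulnerable(payload));
  console.log('hardened   :', renderSearchSafe(payload));
}
```

Encoding is context-specific: this helper is correct for HTML text and attribute values, not for a value placed inside a script block or a URL.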
RISK
• Infosec is really about RISK…. The sooner we all realize that the better
RISK Management Basics
• Qualify - What is the attack surface? What is exposed? Confirmed and
potential
• Quantify - What is the likelihood and the impact? How does it compare
to other exposures
• Correct - What measures should we take to Avoid, Accept, Reduce and/or
Transfer RISK
• Stop and ask what is the level of RISK the organization can/will assume
What we don't want to do
• Security Theater is a term that describes security countermeasures
intended to provide the feeling of improved security while doing little or
nothing to actually improve security
What we should be doing
• Security should be baked in... reach out to your Project Managers, let
them know what you can do
• Be an enabler and help them to introduce new services that are secure
• Look at your environment with filters
– Classify your data - In healthcare we filter by public, administrative and clinical
– Identify systems and applications and rate them by criticality (low, medium, high)
• Identify vulnerabilities and gaps in these systems and applications
• Apply some RISK management basics to avoid, accept, reduce and/or
transfer RISK
Security Lifecycle
• Balancing security requirements
with business needs can be
challenging
• Strive for continuous
improvement
• Security is a process not a
product
The answer...
• Why don't security blankets and Johnny shirts cover your backside?
– Johnny shirts are designed so that a patient does not have to pull the shirt over their
head, it can be put on lying down and of course so they can easily use the washroom.
– No single solution can mitigate every threat.... there is always an exposure
Thank you
• Twitter Handle – @k0z1can
• Linkedin Profile – http://ca.linkedin.com/in/andrewkozma
• Parting thoughts – “Absorb what is useful, discard what is not, add what is uniquely your own.” ~
Bruce Lee
– See you all at the next Atlantic Security Conference March 27th and 28th, 2014