Friday, February 26, 2016

Week 11: Insider Threat in the Healthcare Delivery System


What is a “Good” Healthcare system?

“A good health system delivers quality services to all people, when and where they need them” (Consortium of Universities for Global Health), at an affordable cost and with proactive, best-practice security controls for e-PHI.



An insider threat, or malicious insider, is “a current or former employee, contractor, or business partner who: has or had authorized access to an organization’s network, system, or data, and intentionally exceeded or misused that access in a manner that negatively affected the confidentiality, integrity, or availability of the organization’s information or information systems” (Cappelli, D., Moore, A., Trzeciak, R., & Shimeall, T. J., CERT). In the healthcare delivery system, these threats arise when a healthcare provider employee intentionally and maliciously exfiltrates data, or unintentionally violates the use policies for e-PHI, systems and networks, thereby compromising the confidentiality, integrity, and availability of that e-PHI. Insiders who use a healthcare delivery system’s network resources and information are at once its best defense and its foe. “The costs associated with losing, misusing, or abusing this information make insider threats one of the most dangerous (and most common) risks facing” healthcare organizations today (palantir.com).

How do you defend, prevent or protect e-PHI from insider threat? It starts with exact and full knowledge of what data and resources the healthcare organization has, who has access to what, and how they are used, stored and moved around the healthcare provider’s network. According to Sleeth, J., Bach, P., & Summers, A., “health systems resources are the means that are available to a healthcare system for delivering services to the population. And to be effective and efficient, health system resources must be sufficient, appropriately utilized, managed,” and secured. There are four categories of healthcare system resources: physical capital, consumables, human resources, and e-PHI. In this blog, we are concerned mainly with e-PHI resources.

With the rapid growth of malware and other cyber threats, you might expect insider threat to be one of the least common causes of data breach. Yet Gartner reported that 70% of unauthorized access to data is committed by an organization’s own staff (Beaver, K., searchsecurity.techtarget.com). Cappelli, D., Moore, A., Trzeciak, R., & Shimeall, T. J., in their research findings, observed three patterns and trends by type of malicious activity: insider IT sabotage, theft or modification for financial gain, and theft of information for business advantage (CERT). The study also proffered 16 best practices to mitigate (detect, defend against, or prevent) these insider threats. It is appropriate to ask at this point: what are the most common insider threats faced by healthcare system providers, and how can they be prevented? In this blog I consider a number of the insider threats that are prevalent in the healthcare delivery system:

1. IT sabotage: the use of IT by a healthcare employee to cause specific harm at the healthcare facility. Porter, G. reported that a security guard at a Texas-based hospital used malware on a dozen hospital computer systems and nurses’ workstations to access e-PHI. The insider also installed the remote access program LogMeIn on the hospital’s Windows-controlled HVAC system. Although this insider sabotage was prevented, it shows that proper background, credit, security and car insurance checks are necessary prior to hiring. Constant behavior monitoring of employees, as allowed by federal, state and local laws and HIPAA regulations, is imperative.

2. Theft or modification of e-PHI for financial gain: an intern at a Florida-based health care system used a mobile device to take pictures of computer screens containing over 14,000 e-PHI records (names, dates of birth, SSNs, and more), with the intention of eventually engaging in criminal activity. Preventive measures include considering threats from insiders and business associates, monitoring and responding to suspicious or disruptive behavior, enforcing separation of duties, and logging, monitoring, and auditing employees’ online activities.

3. Sending out medical information via e-mail, instant messaging and mobile devices. Patient health records, refill reminders, and personal and financial information are sensitive e-PHI that are prone to insider threat. This threat can be prevented by the network administrator setting up policies and using a network analyzer that filters on keywords and specific attachments; client- or server-based content filtering would catch, or even block, sensitive e-PHI on its way out. Easier-to-manage perimeter-based or outsourced messaging security solutions, for example behavior-blocking systems (BBS) that provide content filtering and blocking, could be deployed. The drawback of all these preventive measures is that they function less effectively when the message is encrypted. In addition, a good firewall configuration determines not only what is allowed into the network but also what is let out (Beaver, K., searchsecurity.techtarget.com).

4. Exploiting e-PHI via remote access software. Insiders exploit e-PHI through the use of offsite access software such as Terminal Services (TS), GoToMyPC, and Citrix, and such theft of sensitive e-PHI is less likely to be caught. The worst scenario is a remote access computer that is left unattended, lost or stolen. An effective protective policy is to ensure that “solid share and file permissions are critical, as is OS and application logging. Tighter security controls can also be achieved with many remote access solutions, on certain features and systems access, by monitoring employee usage and behavior in real-time and generating usage logs” (Beaver, K., searchsecurity.techtarget.com). A good system or network configuration, which determines which features and audit trails are enabled, provides better management, reporting and security controls. Some insider abuses take place after business hours, hence the need to control remote access to the network by remote users. Against guessed logins, a strong, hard-to-crack password or passphrase and hard drive/network encryption may be considered, especially in the event that these systems or devices are lost. The other consideration is a healthcare employee who is no longer in service: the preventive security control is to deactivate the employee’s account.

5. Insecure wireless network usage: this may be considered the most unintentional of insider threats. With the growing availability of free unsecured Wi-Fi, Bluetooth on smartphones and PDAs, and WLANs in healthcare facilities, public libraries, airports, shopping malls, and hotels, critical e-PHI is put at risk of compromise. Control of the airwaves outside a healthcare delivery system’s premises is beyond the network administrator’s responsibility; however, secure hot spots can be enabled for Wi-Fi users as a matter of policy. For instance, “a VPN may be used for remote network connectivity, firewalls for PCs connecting to healthcare provider WLAN, and SSL/TLS for all IM (Webmail via HTTPS, POP3s, IMAPs and SMTPs)” (Beaver, K., searchsecurity.techtarget.com). In addition, for enhanced security of e-PHI, there is a need to employ appropriate biometric controls, for example encryption and authentication (better with WPA or WPA2) and logging. Another technology control is the use of directional antennae and lowering the power levels on the access points to ensure that wireless signals are kept within the building premises.

6. Cloud computing and insider threat in the healthcare delivery system. Cloud computing, with its mass of systems and complexity of processes, can offer an insider much cover for criminal activity. The big data housing e-PHI presents ample potential for theft of information for business advantage. Network administrators can mitigate insider fraud by deploying a robust, layered threat management program.
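Item 3 above describes catching outbound e-PHI with keyword, pattern and attachment filters, and notes that such filters lose effectiveness on encrypted messages. The Python below is an added example, not code from the original post: it implements a small outbound content filter that blocks messages carrying SSN or medical-record-number patterns, the post’s kinds of sensitive content, or bulk-export attachments, quarantines bodies and attachments it cannot inspect (PGP-encrypted text, archive files), and redacts matches so that its own alerts do not leak e-PHI. The SSN/MRN patterns, keyword list, attachment types and sample messages are assumptions constructed for the example.

```python
import re
from dataclasses import dataclass, field

# Detection rules (assumed rule set, not from the original post):
# US SSN with invalid groups excluded, a hypothetical medical record number
# format, and keywords taken from the kinds of e-PHI the post lists.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
MRN_RE = re.compile(r"\bMRN[ :#]*\d{6,10}\b", re.IGNORECASE)
KEYWORDS = ("patient health record", "refill reminder", "date of birth", "diagnosis")
BLOCKED_EXTENSIONS = (".csv", ".xls", ".xlsx", ".hl7")   # bulk-export formats
OPAQUE_EXTENSIONS = (".pgp", ".gpg", ".zip", ".7z")      # filter cannot look inside
PGP_MARKER = "-----BEGIN PGP MESSAGE-----"


@dataclass
class Verdict:
    action: str                 # "allow", "block" or "quarantine"
    reasons: list = field(default_factory=list)


def redact(text):
    """Mask SSNs and MRNs so the filter's own alerts and logs do not leak e-PHI."""
    text = SSN_RE.sub(lambda m: "***-**-" + m.group(0)[-4:], text)
    return MRN_RE.sub("MRN [redacted]", text)


def inspect_message(subject, body, attachments):
    """Content-filter one outbound message and return a Verdict."""
    phi_hits, opaque = [], []
    text = f"{subject}\n{body}"
    if PGP_MARKER in body:
        # Encrypted body: pattern and keyword matching cannot see inside it.
        opaque.append("encrypted message body")
    else:
        if SSN_RE.search(text):
            phi_hits.append("SSN pattern in message text")
        if MRN_RE.search(text):
            phi_hits.append("medical record number in message text")
        lowered = text.lower()
        phi_hits.extend(f"keyword: {kw}" for kw in KEYWORDS if kw in lowered)
    for name in attachments:
        lower = name.lower()
        if lower.endswith(BLOCKED_EXTENSIONS):
            phi_hits.append(f"restricted attachment type: {name}")
        elif lower.endswith(OPAQUE_EXTENSIONS):
            opaque.append(f"attachment cannot be inspected: {name}")
    if phi_hits:
        return Verdict("block", phi_hits + opaque)
    if opaque:
        # Nothing visible matched, but part of the message could not be read:
        # hold it for review instead of treating it as clean.
        return Verdict("quarantine", opaque)
    return Verdict("allow")


# Constructed sample messages (not real data).
SAMPLE_MESSAGES = [
    ("Refill reminder for J. Doe",
     "Patient MRN 00123456, SSN 123-45-6789, next refill Friday", []),
    ("Lunch", "Cafeteria menu attached", ["menu.pdf"]),
    ("Report", "-----BEGIN PGP MESSAGE-----\nhQEMAexampleonly\n-----END PGP MESSAGE-----", []),
    ("Export", "see attached", ["export.xlsx"]),
]

if __name__ == "__main__":
    for subject, body, attachments in SAMPLE_MESSAGES:
        verdict = inspect_message(subject, body, attachments)
        # Log the redacted subject only; never the matched e-PHI itself.
        print(f"{verdict.action:10} {redact(subject)!r} {verdict.reasons}")
```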
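Item 4 above calls for usage logs of remote access tools, attention to after-hours activity and guessed logins, and deactivation of departed employees’ accounts. The Python below is an added example, not part of the original post: it reviews a constructed sample of remote-access gateway log lines against an HR directory extract and flags successful logins by non-active accounts, after-hours sessions, and users with repeated failed logins. The log line format, the 07:00 to 19:00 weekday business hours, the failure threshold and all names and addresses are assumptions.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed remote-access gateway log (not real data; the line format is assumed).
SAMPLE_LOG = """\
2016-02-19T09:15:02 user=anurse src=10.20.0.14 tool=Citrix result=success
2016-02-19T22:41:07 user=jsmith src=203.0.113.5 tool=TS result=success
2016-02-20T23:02:11 user=bformer src=198.51.100.23 tool=GoToMyPC result=success
2016-02-21T03:10:44 user=ksmith src=198.51.100.9 tool=TS result=failure
2016-02-21T03:10:51 user=ksmith src=198.51.100.9 tool=TS result=failure
2016-02-21T03:11:03 user=ksmith src=198.51.100.9 tool=TS result=failure
2016-02-21T03:11:20 user=ksmith src=198.51.100.9 tool=TS result=success
"""

# Constructed HR/directory extract: account status on the review date.
DIRECTORY = {
    "anurse": "active",
    "jsmith": "active",
    "bformer": "deactivated",   # has left; the account should have been disabled
    "ksmith": "active",
}

BUSINESS_HOURS = (7, 19)   # 07:00 to 19:00, Monday to Friday (assumed policy)
FAIL_THRESHOLD = 3         # failed logins per user before flagging guessing

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) "
    r"tool=(?P<tool>\S+) result=(?P<result>\S+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%S")
    return rec


def is_after_hours(ts):
    """True on weekends or outside BUSINESS_HOURS on a weekday."""
    start, end = BUSINESS_HOURS
    return ts.weekday() >= 5 or not (start <= ts.hour < end)


def review_remote_access(log_text, directory):
    """Return findings as dicts with user, when, tool, src and finding."""
    records = [r for r in (parse_line(line) for line in log_text.splitlines()) if r]
    findings = []

    def flag(rec, finding):
        findings.append({"user": rec["user"], "when": rec["ts"].isoformat(),
                         "tool": rec["tool"], "src": rec["src"], "finding": finding})

    # Guessed logins: many failures for one account, flagged once at the first failure.
    failures = Counter(r["user"] for r in records if r["result"] == "failure")
    for user, count in failures.items():
        if count >= FAIL_THRESHOLD:
            first = next(r for r in records
                         if r["user"] == user and r["result"] == "failure")
            flag(first, "repeated failed logins")

    # Successful sessions: check account status and time of day.
    for rec in records:
        if rec["result"] != "success":
            continue
        status = directory.get(rec["user"], "unknown")
        if status != "active":
            flag(rec, f"login by {status} account")
        if is_after_hours(rec["ts"]):
            flag(rec, "after-hours remote access")
    return findings


if __name__ == "__main__":
    for f in review_remote_access(SAMPLE_LOG, DIRECTORY):
        print(f"{f['when']} {f['user']:8} {f['tool']:9} {f['src']:15} {f['finding']}")
```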

In conclusion, insiders are the most valuable defense for sensitive e-PHI; at the same time, they are also the greatest threat to critical e-PHI. In personnel security management, best practice is to merge technology with business processes to reach safe ground. This will remain a continuum for some time to come.



References

Sleeth, J., Bach, P., & Summers, A. Health Systems Resources and Resource Constraints.

Cappelli, D., Moore, A., Trzeciak, R., & Shimeall, T. J. Common Sense Guide to Prevention and Detection of Insider Threats. CERT, Carnegie Mellon University. 3rd ed., v3.1 (2009-1). Retrieved (2016-24-2) from https://cyberactive.bellevue.edu/bbcswebdav/pid-7726596-dt-content-rid-10880935_2/courses/CIS608-T302_2163_1/cert_common_sense_guide_to_prevention_and_detection_of_insider_threats.pdf

Whitman, E. M., & Mattord, J. H. (2014). Management of Information Security. 4th ed. Boston: Cengage Learning.

Insider Threat (2016). Retrieved (2016-26-2) from https://www.palantir.com/solutions/insider-threat/

Beaver, K. Five Common Insider Threats and How to Mitigate Them. (2016) (SIEM:

Porter, G. The Insider Threat: A Brief Overview. (2013-27-9). Retrieved (2016-26-2)

Saturday, February 20, 2016

Week 10: Biometric Access Control in the Healthcare Delivery System



In this blog, I’ll examine some biometric access control measures or strategies put in place in the healthcare delivery system to monitor or mitigate compromise of Electronic Protected Health Information (e-PHI). Biometric access control consists of the measures put in place to regulate the admission of entities into trusted areas of e-PHI. In other words, it is the process of authentication that evaluates something inherent in the user: something you are, you have, you know, or you produce (Whitman, M. E., & Mattord, H. J., 2014). It involves four processes: identification, authentication, authorization and accountability. In the healthcare delivery system, biometric technology is being used to accurately identify patients, and combinations of different biometric access control mechanisms are used to authenticate patients’ credentials from any touchpoint (mobile) device across the care continuum and from portals and mHealth apps. The aim is to provide identity platforms that deter medical identity theft and healthcare fraud. It is also to help prevent duplicate medical records, keep health information up to date and complete, ensure high levels of data integrity to optimize health deliverables, and increase patient safety, with the ultimate purpose of ensuring access security and safeguarding personal health information or e-PHI. Patients experience a high level of satisfaction and trust. For example, RightPatient delivers accurate, “selfie”-style, non-contact, hygienic photo biometrics with a high degree of acceptance, and an affordable, small-form-factor, easy-to-use fingerprint system that matches 100 million prints/sec (see Fig. 1.0, rightpatient.com), to more than 900 sites that process over 36 million annual patient visits (rightpatient.com).

Fig. 1.0a Photo Biometrics (RightPatient.com); Fig. 1.0b Fingerprint (RightPatient.com)

Specific to protecting the information stored in Electronic Health Records (EHRs), the HIPAA Security Rule requires that health care providers set up physical, administrative, and technical safeguards to protect electronic health information. Some safety measures that may be built into EHR systems include:

  • ‘Biometric’ access controls like passwords and PINs, to help limit access to e-PHI;

  • ‘Biometric’ access control by encrypting stored information. This means health information cannot be read or understood except by someone who can “decrypt” it, using a special “key” made available only to authorized individuals;

  • An audit trail, which records who accessed your information, what changes were made and when.

“In certain circumstances, if your e-PHI is seen by someone who should not see it, federal law requires doctors, hospitals, and other health care providers to notify you of a breach of your health information. This requirement helps patients know if something has gone wrong with the protection of their information and helps keep providers accountable” (Rodriguez, Leon, Healthit.gov). It also helps entities whose e-PHI has been compromised to act fast to reduce the impact of the incident.
The University of North Carolina is considered a hybrid entity whose covered health care components (Student Health Services, Counselling Center, Disability Services, and Department of Athletics) create, receive, maintain or transmit e-PHI and engage in HIPAA electronic transactions. It implemented biometric access control by segregating and protecting access to e-PHI from the general University server, maintaining e-PHI on servers and/or drives separate from the network, and making it accessible only to authorized individuals at appropriately authorized locations and through appropriately authorized methods (biometric access controls), such as approved, individualized or controlled passwords, encryption, tokens in conjunction with a PIN, and automatic shutdown or timeout re-authentication after 15 minutes.
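The UNC policy above combines the four access-control processes named earlier (identification, authentication, authorization, accountability) with a 15-minute timeout re-authentication. The Python below is an added example, not UNC’s or any vendor’s code: it models an e-PHI access gateway that enforces the 15-minute idle limit, checks role-based authorization, and writes the audit trail of who accessed which record, what changed and when. The role names, permissions, user names and record identifier are hypothetical.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# The 15-minute idle limit comes from the UNC policy described above; the roles,
# permissions and record identifiers below are hypothetical.
REAUTH_AFTER = timedelta(minutes=15)
PERMISSIONS = {
    "physician": {"read", "write"},
    "billing": {"read"},
}
T0 = datetime(2016, 2, 20, 9, 0, 0)   # constructed start of a shift


def at(minutes):
    """Clock helper: a timestamp `minutes` after T0."""
    return T0 + timedelta(minutes=minutes)


@dataclass
class Session:
    user: str                   # identification
    role: str
    authenticated_at: datetime  # authentication
    last_activity: datetime


@dataclass
class EHRGateway:
    """Mediates every access to an e-PHI record and keeps the audit trail."""
    audit_trail: list = field(default_factory=list)

    def _record(self, session, record_id, action, outcome, when, change):
        # Accountability: who, which record, what was done (and changed), when.
        self.audit_trail.append({
            "when": when.isoformat(), "user": session.user, "record": record_id,
            "action": action, "change": change, "outcome": outcome,
        })

    def access(self, session, record_id, action, now, change=None):
        # 1. Idle timeout: after 15 minutes the user must authenticate again.
        if now - session.last_activity > REAUTH_AFTER:
            self._record(session, record_id, action, "reauth_required", now, change)
            return "reauth_required"
        # 2. Authorization: may this role perform the action at all?
        if action not in PERMISSIONS.get(session.role, set()):
            self._record(session, record_id, action, "denied", now, change)
            return "denied"
        # 3. Allowed: refresh the idle timer and record the access.
        session.last_activity = now
        self._record(session, record_id, action, "allowed", now, change)
        return "allowed"

    def reauthenticate(self, session, now):
        """Called once the user has presented credentials again."""
        session.authenticated_at = now
        session.last_activity = now

    def who_touched(self, record_id):
        """Audit query: every access to one record, in order."""
        return [(e["when"], e["user"], e["action"], e["outcome"])
                for e in self.audit_trail if e["record"] == record_id]


if __name__ == "__main__":
    gw = EHRGateway()
    doc = Session("dr_lee", "physician", T0, T0)
    print(gw.access(doc, "MRN-0001", "read", at(5)))        # allowed
    print(gw.access(doc, "MRN-0001", "read", at(26)))       # reauth_required
    gw.reauthenticate(doc, at(27))
    print(gw.access(doc, "MRN-0001", "read", at(28)))       # allowed
    for entry in gw.who_touched("MRN-0001"):
        print(entry)
```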
In another development, on February 7, 2016, a Florida bill requiring biometrics for patient identity verification raised concerns (Fig. 1.1).

Fig. 1.1 Biometrics for patient identity verification (Mayhew, Stephen, biometricupdate.com).
Mayhew, Stephen, writing from Florida, said: “a Florida House Bill 1299, sponsored by Rep. Dane Eagle, has a provision that would require Florida hospitals to install software that allows them to use biometrics and the state driver’s license database to verify Medicaid patients’ identification, according to a report by the St. Augustine Record. Medicaid is a social health care program for families and individuals with low income and limited resources. When the bill came up for a vote last month in the House Children, Families and Seniors Subcommittee, Rep. Amanda Murphy proposed an amendment that would have struck the requirement that hospitals use biometrics to confirm the identity of Medicaid patients and questioned why a simple barcode scan of a person’s identification card wasn’t acceptable. The amendment did not pass.

The Florida Hospital Association and the Safety Net Hospital Alliance of Florida have also expressed concerns, saying that hospitals already use a variety of systems to confirm patient identity and requiring software that ties into the state driver’s license database was too restrictive.

University of Florida Health Jacksonville has an “elective admission” policy that allows patients to keep a copy of their photo identification in their medical records, but current government regulations prevent hospitals from making patients show photo ID to be treated in the emergency room. “We have looked into biometric identification but there are several challenges, among them the cost and government regulations,” said UF Health spokesman Daniel Leveton (biometricupdate.com).

Further, “according to the report, bill sponsor Eagle doesn’t know how much it will cost hospitals to implement the technology, if the state will help pay for this service and he doesn’t have information about how much stolen identities cost the $25 billion Medicaid program. The House bill needs to be approved by two more committees before it is ready for a floor vote” (biometricupdate.com).

Wearable technology in the healthcare delivery system

Biometric access control is evolving to include wearable technology. “Researchers at the new Automotive Wearables Experience laboratory located at the Ford Research and Innovation Center are exploring ways to connect crucial health information to in-vehicle technologies, including sponsoring a challenge that encourages employees to submit app concepts that integrate vehicles and wearable devices” (biometricupdate.com).

Research vendors forecast growth of biometric access control

BCC Research analyst Srinivasa Rajaram, author of Biometrics: Technologies and Global Markets, examines the global and regional markets for biometric technologies and devices and forecasts that the global market for biometric technologies will grow at a 2.7% CAGR between 2015 and 2020. The mobile biometrics market will grow to $34.6B by 2020, predicts an Acuity Market Intelligence report (Justin Lee, biometricupdate.com).

In another development, Suprema launched BioSign, a fingerprint authentication solution for smartphones. With the continued migration to mobile healthcare delivery services, for example consultation and prescription refills, this device promises to enhance patients’ service delivery experience and ensure greater e-PHI security.
Fig. 1.2 BioSign Fingerprint Solution (biometricupdate.com).
“Biometrics security solutions firm Suprema announced the launch of BioSign, a fingerprint authentication solution for smartphones that is designed to support small sensors. Suprema will showcase BioSign at the upcoming Mobile World Congress in Barcelona later this month. The company says BioSign is the mobile optimized iteration of world’s best fingerprint algorithm based on Suprema’s 15 years of expertise in fingerprint technology and offers the lowest FAR (false acceptance rate) in the market. The BioSign solution supports the world’s smallest used fingerprint sensor size of 16mm2 (4x4mm) and is able to support sensors that are 2/3 the size of the smallest sensor that is currently in use allowing for a reduction in manufacturing costs and a smaller form factor. ‘Evolution of mobile technology has transformed the way we interact with the world,’ said Dr. Brian Song, Vice President of Suprema. ‘Furthermore, the inclusion of biometrics technology into smartphones has brought a real change to the level of security and convenience on the devices by using what we know to who we are. The latest market trend of growing demand for mid-range smartphones has significantly increased the needs for reduction in costs without sacrifice to performance or features. BioSign’s capability to work with smaller sensors will help with cost reduction efforts, and its small form factor offers versatile application options to other areas such as wearables, IoT and smartcards.’” (biometricupdate.com). Wearable biometric access controls are becoming popular as an e-PHI protection mechanism.
Samsung has filed a patent application for a new contactless, non-touch fingerprint reader technology. According to Justin Lee (2015-02-6), users position their fingertip in front of a mobile device’s camera. The device then takes an image of the fingertip and searches for a positive match with a valid fingerprint image that is stored in the phone’s memory. The technology is able to automatically alter the camera’s focus until it secures a high-quality capture of the fingerprint image. The system also features an on-screen guide that helps users accurately line up the fingertip with the camera. This contactless method is more accurate and potentially faster than full-contact fingerprint readers, and it accounts for external factors that can affect accuracy, such as the dryness of a user’s hand or motion distortions in the fingerprint pattern. This new non-touch method is useful in the healthcare delivery system for biometric authentication of users’ access to their e-PHI and of medical practitioners’ access to e-PHI.

In conclusion, in implementing the HIPAA Security Rule, which requires that health care providers set up physical, administrative, and technical safeguards to protect electronic health information, healthcare organizations and government health departments and agencies have adopted the biometric access control mechanisms that best suit their business/occupational needs, with e-PHI security and patients’ privacy requirements in view. This position is supported in a Biometrics and Healthcare report by Biometrics Research Group, Inc. Rawlson O’Neil King, the lead researcher, “examines how biometric technology is applied to the health care industry, mainly in the United States. The report observed that ‘health care biometrics’ is utilized for access control, identification, workforce management or patient record storage. Biometrics in health care often takes two forms: providing access control ‘measures’ to resources and patient identification solutions. The growing demand for biometrics solutions is mainly driven by the need to combat fraud, along with the imperative to improve patient privacy along with health care safety. Biometrics are also increasingly being used for medical monitoring and mobile health care” (King, Rawlson O’Neil, scribd.com).
References

Whitman, M. E., & Mattord, H. J. (2014). Management of Information Security. 4th ed. Boston: Cengage Learning.

The RightPatient biometric patient identification platform is used by health systems representing more than 900 sites that process over 36 million annual patient visits. Retrieved (2016-20-2) from http://www.rightpatient.com/

University of North Carolina. University Policy 311.6, Regulation on Security of Electronic Individually Identifiable Health Care Information under HIPAA (2005-30-5). Retrieved (2016-18-2) from http://legal.uncc.edu/policies/up-311.6

Rodriguez, Leon. Privacy, Security, and Electronic Health Records. (2011-12-12).

Mayhew, Stephen. Florida bill requiring biometrics for patient identity verification raises

Lee, Justin. Mobile biometrics market to grow to $34.6B by 2020: Acuity Market

Mayhew, Stephen. Suprema Launches BioSign fingerprint authentication solution for smartphones. (2016-16-2). Retrieved (2016-18-2) from

King, Rawlson O’Neil. Biometrics and Health. Biometrics Research Group, Inc. (2015). Retrieved (2016-20-2) from http://www.scribd.com/doc/255979360/Biometrics-in-Healthcare#scribd

Saturday, February 13, 2016

Week 9 Blog Risk Management: Controlling information security risk in the healthcare delivery system through Layered Security Control



Information security (InfoSec) in the healthcare delivery system refers to the defense mechanisms or risk control strategies, an aspect of risk management, employed to protect protected health information (PHI) or electronic protected health information (e-PHI) “from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction” (Wikipedia.org).

The control (defense) strategies adopted depend more or less on the type and nature of the threats and vulnerabilities a particular PHI or e-PHI could be exposed to. In general, the following are common threats to, and defense strategies for, PHI or e-PHI (Table 1.0, adapted from Wikipedia.org, 2016):

Table 1.0: Common threats and defenses (adapted from Wikipedia.org, 2016)

Threats:
  • Computer crime
  • Vulnerability
  • Eavesdropping
  • Employees
  • Exploits
  • Outdated devices, equipment and applications
  • Trojans
  • Viruses and worms
  • Denial of service (DoS)
  • Malware
  • Payloads
  • Rootkits
  • Keyloggers

Defenses:
  • Access control systems
  • Application security: antivirus, secure coding, secure architecture, secure operating systems, secure network
  • Authentication: multi-factor authentication, two-factor authentication
  • Authorization
  • Data-centric security
  • Firewall (computing)
  • Intrusion detection system
  • Intrusion prevention system
  • Mobile secure gateway
  • Security training, education and awareness program


Layered Security Control: “the most common misconception is that a firewall will secure your computer facilities and additional steps don't need to be taken. A firewall is just one component of an effective security model. Additional components or layers should be added to provide an effective security model within (the particular healthcare delivery) organization. The security model that will protect your organization should be built upon the following layers:

  1. Security policy of your healthcare delivery organization
  2. Host system security
  3. Auditing
  4. Router security
  5. Firewalls
  6. Intrusion detection systems
  7. Incident response plan

Using multiple layers in a security model is the most effective method of deterring unauthorized use of computer systems and network services. Every layer provides some protection from intrusion, and the defeat of one layer may not lead to the compromise of the whole organization. Each layer has some inter-dependence on other layers. For example, the intrusion detection systems and the incident response plan have some interdependencies. Although they can be implemented independently, it's best when they're implemented together. Having an intrusion detection system that can alert you to unauthorized attempts on your system has little value unless an incident response plan is in place to deal with problems. The most important part of overall security organization is the security policy. You must know what you need to protect and to what degree. All other layers of the security model follow logically after the implementation of the organization security policy. The overall security integrity of your organization is dependent upon the implementation of all layers of the security model. The implementation of the layered approach to security should be undertaken in a logical and methodical manner for best results and to ensure the overall sanity of the security personnel” (Watson, Peter).

“Implementation of a Layered Security Architecture will address: People, Perimeter Entry Points, Connections between systems, information stores, and Exit Points. Perimeter Security would include – Firewalls, Router Access List, NAT, Encryption, Operating System Security, Patch Management, Automated Virus Checking and Updates, Spyware checking. Mail Security – Open Relay Prevention, Virus Checking, Content Blocking, Spam Control, Dial-in Security – Authentication, Placement Outside Firewall, Users – Education, Controlled Distribution of Access, VPN, Intrusion Detection and Prevention. Results: Reduced downtime, increased productivity, successful audits, satisfied users, satisfied management” (Mansur, Hasib) in the healthcare delivery system.

Effective risk management of PHI or e-PHI involves putting in place the necessary administrative, logical and physical controls: defense in depth, information security classification and categorization, access control (identification, authentication, authorization), cryptography, and information security training, education and awareness, applied in a layered or structured manner, since no single information security control can effectively prevent or mitigate a data breach. The overall goal is to ensure the confidentiality, integrity, and availability of PHI or e-PHI.

In conclusion, “As the United States and other nations grapple with healthcare quality and unsustainable costs, health information exchanges, and collaborative care models, sensitive health information is becoming more vulnerable. Information that previously remained on paper and accessible only to the healthcare provider and staff who produced it will increasingly flow electronically among providers, within and outside a hospital’s walls, and between providers and other stakeholders, such as payers. Health Information Technology (HIT) creates fluid information, enabling more people to access and alter private health information and creating more issues for providers and payers in managing risks and compliance” (Frost & Sullivan). But through proper, well-structured or layered security controls, the risk exposure of PHI and e-PHI is considerably controlled.





References

Information security. Wikipedia. (2016-11-2). Retrieved (2016-12-2).

Health Information Technology: The Imperative of Risk and Compliance Management in the HITECH Age. Frost & Sullivan. (n.d.). Retrieved (2016-12-2). http://www.emc.com/collateral/analyst-reports/fs-health-information-technology-ar.pdf

Hasib, Mansur. Combining Policy, Practice, and Technology to Architect Layered Network Security at UMBI. (2005). Retrieved (2016-2-9). https://net.educause.edu/ir/library/pdf/MAC0504.pdf

Hasib, Mansur. Example Incident Response Plan. Retrieved (2016-2-9). http://www.umbi.umd.edu/~hasib/irp.pdf

Watson, Peter. Intrusion Detection, Security Model, and Layered security control: (2016).

Multi-Layered Security Plan. (2016) Retrieved (2016-2-9)

Whitman, M. E., & Mattord, H. J. (2014). Management of Information Security. 4th ed. Boston: Cengage Learning.

Sunday, February 7, 2016

Wk 8: Threats, Vulnerabilities, and Exploits in the Healthcare Delivery System




“If you know the enemy and know yourself, you need not fear any battle…if you know neither the enemy nor yourself, you will succumb in every battle” Gen. Sun Tzu

“Once we know our weaknesses, they cease to do us any harm” Georg Christoph

In order for the healthcare delivery system to reduce risk to its information assets, it needs to know itself (its strengths) and its enemy (threats, weaknesses, vulnerabilities). It also has to identify what constitutes the organization’s resources and how information assets are processed, stored, and transmitted. This process of knowing the enemy is essentially referred to as risk management. It involves “identifying, examining, and understanding the threats facing” the healthcare delivery system (Whitman, E. M., & Mattord, J. H., 2014). The identification and assessment of these various levels of risk in the healthcare delivery system can be termed risk analysis, which is a major component of risk management. A threat is any “potential danger that is associated with the exploitation of a vulnerability. The threat is that someone or something will identify a specific vulnerability and use it against the healthcare delivery system. The someone or something that exploits or takes advantage of the weakness or lapses in the system is the threat agent” (Harris, S., 2013). A vulnerability is a “lack of a countermeasure or a weakness in a countermeasure that is in place. It can be a hardware, software, procedural or human weakness that can be exploited. It may be a service running on a server, unpatched applications or operating systems, an unrestricted wireless access point, an open port on a firewall, lax physical security that allows anyone to enter a server room, or unenforced password management on servers and workstations” (Harris, S., 2013). An exploit is the technique or mechanism employed by a threat agent to take advantage of a vulnerability of the healthcare delivery system and compromise the confidentiality, integrity, and availability of its information assets.

Recent research identifies the following, among others, as the major information security threats facing the healthcare delivery system:

  • Mobile devices: ubiquitous in number, type, and apps, used by physicians, pharmacists, nurses, clinicians, specialists, administrators and employees, patients and visitors to provide 24/7, anytime/anywhere access to networks for quality patient service delivery. Threats to these devices can be mitigated by network access control techniques and mechanisms.
  • Embedded connectivity devices: for example, medication scanners, patient monitoring systems, imaging devices, and WAN and Wi-Fi devices that make tracking, monitoring and enterprise IT solutions easier but are prone to exploitation through software compromise. The information security control measure is to identify vulnerabilities and weaknesses, then provide security controls.
  • Virtualization, from desktops to servers: running more than one application on one server using virtualization software, with the attendant advantages of cost reduction, flexibility and a reduced carbon footprint. This also introduces threats and vulnerabilities as more users are introduced to the network. Information security education, training and awareness will help mitigate data compromise.
  • Viruses spreading through social media: with the constant migration to mobile devices and social media platforms such as Instagram, Google, YouTube, Facebook, Twitter and LinkedIn, the healthcare delivery system faces more threats and exploitation from malware attacks through these networks. Guarding against malware intrusion from these platforms requires having and keeping up-to-date network firewalls and anti-hacking techniques, and ensuring that critical electronic patient health information (e-PHI) is adequately protected.
  • IT becoming consumer friendly: security threats increase as more physicians and healthcare staff adopt personal devices for professional use in the healthcare delivery system. Training is needed to ensure that such private devices are equally protected (Molly Merrill, healthcareitnews.com).

Another major threat is password stealing: “Stealing passwords is now a big business, and healthcare facilities need to take this upward data breach trend seriously. Not only are there monetary consequences from data breaches in the form of HIPAA violations and fines, but there is also the possibility of tainted brand reputation in national media headlines and criminal charges. This was the case for an east Texas hospital. Joshua Hippler, a hospital employee, pled guilty in August 2014 to charges filed by the U.S. Department of Justice for ‘wrongful disclosure of individual identifiable health information, with the intent to sell, transfer and use for personal gain.’ Hippler faces up to 10 years in a federal prison. HIPAA is still reviewing the case and deciding the facility’s degree of penalty” (David Bisson, tripwire.com). “Although a strong password will not prevent all attackers from trying to gain access, it can slow the velocity of attacks and discourage attackers from seeing attacks through. Rotating complex passwords, when combined with effective access controls, such as two-factor authentication and real-time monitoring of privileged account activity, can help to prevent patient information from falling into the wrong hands” (David Bisson, tripwire.com).

Moreover, a new study assessing enterprise software security development in the area of vulnerability/weakness revealed that the healthcare industry is lagging significantly behind other sectors, including financial services, consumer electronics and independent software vendors (Santillan, Maritza, 2015). In another study carried out by KPMG among healthcare organizations that have been the victims of major breaches in the past year, it “can be inferred that hackers understand the utility of patient information stolen from organizations in the healthcare sector. Attackers know that they can leverage stolen health records to commit financial fraud and medical insurance fraud, as well as hack vulnerable medical devices, like older drug infusion pumps made by Hospira. Additionally, as these organizations continue to grapple with security weaknesses in the workplace–such as outdated technology and insecure medical devices–and new advancements in technology–including the use of digital patient records–hackers will no doubt continue to target the healthcare industry as a whole for years to come. Given these threats, it is important to examine how healthcare executives view information security and on what security challenges in particular they place the greatest emphasis. Fortunately, KPMG has published a survey entitled Health Care and Cyber Security: Increasing Threats Require Increased Capabilities that responds to those exact observations” (Bisson, David, 2015).

“A global network of firms providing tax, audit, and advisory services, KPMG collaborated with Forbes Insight to survey 223 healthcare executives about their views on security. These individuals currently work for 161 different provider organizations and 101 different health plans, all of which make more than $500 million, according to an article published by iHealthBeat” (Bisson, David, 2015).

“The major findings of the survey are broken down into two main subsections: Top Threats and Discrepancies/Challenges.” Only Top Threats are considered here.

Top Threats

Sixty-five percent of respondents named external actors the top vulnerability in data security. Third parties followed this vulnerability category at 48%, which further illustrates healthcare executives’ concern with threats that originate outside of the organization. Meanwhile, employee breaches and wireless computing tied at 35%, with inadequate firewalls coming in last at just above a quarter of respondents (27%).

As for information security concerns, malware came in first at 67%, with HIPAA violations close behind at 57%. The three major subsequent infosec concerns–internal vulnerabilities, medical device security, and aging IT hardware–all came in at less than or equal to two-fifths of the respondents. (40%, 32%, and 31%, respectively.)

“The richness of the information means that the cyber security threat to healthcare has increased,” says Michael Ebert, KPMG partner and healthcare leader at the firm’s Cyber Practice. “The magnitude of the threat against healthcare information has grown exponentially, but the intention or spend in securing that information has not always followed.” (Bisson, David, 2015)

In a study carried out by Raytheon|Websense, “a security firm dedicated to protecting organizations against targeted attacks and data theft, recently announced the publication of 2015 Industry Drill-Down Report – Healthcare. In it, Websense explains why healthcare delivery systems are four times more likely to be impacted by advanced malware than other industries:

“The rapid digitization of the healthcare industry, when combined with the value of the data at hand, has led to a massive increase in the number of targeted attacks against the sector,” said Carl Leonard, Raytheon|Websense principal security analyst. “While the finance and retail sectors have long honed their cyber defenses, our research illustrates that healthcare organizations must quickly advance their security posture to meet the challenges inherent in the digital economy – before it becomes the primary source of stolen personal information.” (Bisson, David, 2015)

Information security threats and vulnerabilities place federal agencies at risk, as the following studies show: “Cyber threats to federal information systems and cyber-based critical infrastructures are evolving and growing. These threats can be unintentional and intentional, targeted or nontargeted, and can come from a variety of sources, such as foreign nations engaged in espionage and information warfare, criminals, hackers, virus writers, and disgruntled employees and contractors working within an organization. Moreover, these groups and individuals have a variety of attack techniques at their disposal, and cyber exploitation activity has grown more sophisticated, more targeted, and more serious. As government, private sector, and personal activities continue to move to networked operations, as digital systems add ever more capabilities, as wireless systems become more ubiquitous, and as the design, manufacture, and service of information technology have moved overseas, the threat will continue to grow. In the absence of robust security programs, agencies have experienced a wide range of incidents involving data loss or theft, computer intrusions, and privacy breaches, underscoring the need for improved security practices. These developments have led government officials to become increasingly concerned about the potential for a cyber-attack. According to GAO reports and annual security reporting, federal systems are not sufficiently protected to consistently thwart cyber threats. Serious and widespread information security control deficiencies continue to place federal assets at risk of inadvertent or deliberate misuse, financial information at risk of unauthorized modification or destruction, sensitive information at risk of inappropriate disclosure, and critical operations at risk of disruption.
For example, over the last several years, most agencies have not implemented controls to sufficiently prevent, limit, or detect access to computer networks, systems, and information, and weaknesses were reported in such controls at 23 of 24 major agencies for fiscal year 2008. Agencies also did not always configure network devices and services properly, segregate incompatible duties, or ensure that continuity of operations plans contained all essential information. An underlying cause for these weaknesses is that agencies have not yet fully or effectively implemented key elements of their agencywide information security programs. To improve information security, efforts have been initiated that are intended to strengthen the protection of federal information and information systems. For example, the Comprehensive National Cybersecurity Initiative was launched in January 2008 and is intended to improve federal efforts to protect against intrusion attempts and anticipate future threats. Until such opportunities are seized and fully exploited and GAO recommendations to mitigate identified control deficiencies and implement agencywide information security programs are fully and effectively implemented, federal information and systems will remain vulnerable.”

Cybersecurity threats and vulnerabilities in federal agencies:

Pervasive and sustained cyber-attacks against the United States could have a potentially devastating impact on federal and nonfederal systems, disrupting the operations of governments and businesses and the lives of private individuals.

The increasing dependency upon information technology systems and networked operations pervades nearly every aspect of our society. While bringing significant benefits, this dependency can also create vulnerabilities to cyber-based threats. Underscoring the importance of safeguarding critical information and information systems and weaknesses in such efforts, federal information security and protecting computerized systems supporting our nation’s critical infrastructure are designated a high-risk area.

Federal agencies have significant weaknesses in information security controls that continue to threaten the confidentiality, integrity, and availability of critical information and information systems used to support their operations, assets, and personnel. For example, in their performance and accountability reports and annual financial reports for fiscal year 2014, 17 of 24 major federal agencies indicated that inadequate information security controls were either material weaknesses or significant deficiencies.

In addition, most major federal agencies have weaknesses in most of the five major categories of information system controls:

  • access controls, which ensure that only authorized individuals can read, alter, or delete data;
  • configuration management controls, which provide assurance that only authorized software programs are implemented;
  • segregation of duties, which reduces the risk that one individual can independently perform inappropriate actions without detection;
  • continuity of operations planning, which helps avoid significant disruptions in computer-dependent operations; and
  • agencywide information security programs, which provide a framework for ensuring that risks are understood and that effective controls are selected and implemented.
Figure 1.1 shows the number of agencies that had vulnerabilities in these five information security control categories during fiscal year 2014.

Figure 1.1: Information Security Weaknesses at 24 Major Federal Agencies in Fiscal Year 2014
Critical infrastructures are systems and assets, whether physical or virtual, so vital to our nation that their incapacity or destruction would have a debilitating impact on national security, economic well-being or public health or safety. Critical infrastructure includes, among other things, banking and financial institutions, telecommunications networks, and energy production and transmission facilities, most of which are owned by the private sector. As these critical infrastructures have become increasingly dependent on computer systems and networks, the interconnectivity between information systems, the Internet, and other infrastructures creates opportunities for attackers to disrupt critical systems, with potentially harmful effects.
The federal government has taken a number of steps aimed at addressing cyber threats to critical infrastructure. Despite the actions taken by several successive administrations and the executive branch agencies, significant challenges remain to enhancing the protection of cyber-reliant critical infrastructures, such as

  • implementing a strategy to address cyber risks to federal building and access control systems;
  • improving federal efforts to implement cybersecurity in the maritime port environment; and
  • enhancing cybersecurity for air traffic control systems.
Other challenges that need to be addressed include