“If you know the enemy and know yourself, you need not fear any battle…if you know neither the enemy nor yourself, you will succumb in every battle” Gen. Sun Tzu
“Once we know our weaknesses, they cease to do us any harm” Georg Christoph
In order for the healthcare delivery system to reduce risk to its information assets, it needs to know itself (strengths) and its enemy (threats/weaknesses/vulnerabilities). It also has to identify what constitutes the organization’s resources and how information assets are processed, stored, and transmitted. This process of knowing the enemy is essentially referred to as risk management. It involves “identifying, examining, and understanding the threats facing” the healthcare delivery system (Whitman, E. M., & Mattord, J. H., 2014). The identification and assessment of these various levels of risk in the healthcare delivery system can be termed risk analysis, which is a major component of risk management. A threat is any “potential danger that is associated with the exploitation of a vulnerability. The threat is that someone or something, will identify a specific vulnerability and use it against the healthcare delivery system. The someone or something that exploits or takes advantage of the weakness or lapses in the system is the threat agent” (Harris, S., 2013). A vulnerability is a “lack of a countermeasure or a weakness in a countermeasure that is in place. It can be a hardware, software, or procedural or human weakness that can be exploited. It may be a service running on a server, unpatched applications or operating systems, an unrestricted wireless access point, an open port on a firewall, lax physical security that allows anyone to enter a server room, or unenforced password management on servers and workstations.” (Harris, S., 2013). An exploit is a technique or mechanism employed by a threat agent to take advantage of a vulnerability in a healthcare delivery system and compromise the confidentiality, integrity, and availability of the system’s information assets.
According to recent research, the major information security threats facing the healthcare delivery system include, but are not limited to:
- Mobile devices – ubiquitous in number, types, and apps used by physicians, pharmacists, nurses, clinicians, specialists, administrators and employees, patients and visitors that help provide 24/7 anytime/anywhere access to networks for quality patient service delivery. Threats to these devices can be mitigated by network access control techniques and mechanisms.
- Embedded connectivity devices – for example, medication scanners, patient monitoring systems, imaging devices, and WAN and Wi-Fi devices that make tracking, monitoring and enterprise IT solutions easier are prone to exploitation through software compromise. The information security control measure to be used is to identify vulnerabilities and weaknesses, then provide security controls.
- Virtualization from desktops to servers – this has to do with running more than one application on one server using virtualization software, with the attendant advantages of cost reduction, flexibility and a reduced carbon footprint. This also introduces threats and vulnerabilities as more users are introduced to the network. Information security education, training and awareness will help mitigate data compromise.
- Virus spreading through social media – with the constant migration to mobile devices and social media platforms such as Instagram, Google, YouTube, Facebook, Twitter and LinkedIn, the healthcare delivery system faces more threats and exploitation from malware attacks through these networks. Guarding against malware intrusion from these platforms requires having and keeping up-to-date network firm wall, firewall, and anti-hacking techniques and ensuring that critical electronic Patients Health Information (ePHI) is adequately protected.
- IT becoming consumer friendly – security threats are increasing as more physicians and healthcare staff adopt personal devices for professional use in the healthcare delivery system. Training is needed to ensure that such private devices are equally protected (Molly Merrill, healthcareitnews.com).
Another major threat is password stealing: “Stealing
passwords is now a big business, and healthcare facilities need to take this
upward data breach trend seriously. Not only are there monetary consequences
from data breaches in the form of HIPAA violations and fines, but there is also the possibility
of tainted brand reputation in national media headlines and criminal charges. This
was the case for an east Texas hospital. Joshua Hippler, a hospital employee,
pled guilty in August 2014 to charges filed by the U.S. Department of Justice
for “wrongful disclosure of individual identifiable health information, with
the intent to sell, transfer and use for personal gain. Hippler faces up to 10
years in a federal prison. HIPAA is still reviewing the case and deciding the
facility’s degree of penalty” (David Bisson, tripwire.com). “Although a strong
password will not prevent all attackers from trying to gain access, it can slow
the velocity of attacks and discourage attackers from seeing attacks through.
Rotating complex passwords, when combined with effective access controls, such
as two-factor authentication and real-time monitoring of privileged account activity,
can help to prevent patient information from falling into the wrong hands” (David
Bisson, tripwire.com).
Moreover, a new study in the area of vulnerability/weakness, assessing enterprise software security development, revealed that the healthcare industry is lagging significantly behind other sectors, including financial services, consumer electronics and independent software vendors (Santillan, Maritza, 2015). In
another study carried out by KPMG, among some healthcare organizations that
have been the victims of major breaches in the past year it “can be inferred
that hackers understand the utility of patient information stolen from
organizations in the healthcare sector. Attackers know that they can leverage
stolen health records to commit financial fraud and medical insurance fraud, as
well as hack vulnerable medical devices, like older drug infusion pumps made
by Hospira. Additionally, as these
organizations continue to grapple with security weaknesses in the
workplace–such as outdated technology and insecure medical devices–and new
advancements in technology–including the use of digital patient records–hackers
will no doubt continue to target the healthcare industry as a whole for years
to come. Given these threats, it is important to examine how healthcare executives
view information security and on what security challenges in particular they
place the greatest emphasis. Fortunately, KPMG has published a survey entitled Health Care
and Cyber Security: Increasing Threats Require Increased Capabilities that responds to those exact observations” (Bisson,
David, 2015).
“A global network of firms providing tax, audit, and advisory
services, KPMG collaborated with Forbes Insight to survey 223
healthcare executives about their views on security. These individuals
currently work for 161 different provider organizations and 101 different
health plans, all of which make more than $500 million, according to an article published by iHealthBeat” (Bisson,
David, 2015).
“The major findings of the survey are broken down into two main subsections: Top Threats and Discrepancies/Challenges. Only Top Threats are considered here.
Top Threats
Sixty-five percent of respondents named external actors the top
vulnerability in data security. Third parties followed this vulnerability
category at 48%, which further illustrates healthcare executives’ concern with
threats that originate outside of the organization. Meanwhile, employee
breaches and wireless computing tied at 35%, with inadequate firewalls coming
in last at just above a quarter of respondents (27%).
As for information security concerns, malware came in first at
67%, with HIPAA violations close behind at 57%. The three major subsequent
infosec concerns–internal vulnerabilities, medical device security, and aging
IT hardware–all came in at less than or equal to two-fifths of the respondents.
(40%, 32%, and 31%, respectively.)
[Figure: kpmg healthcare survey 1] Source: KPMG (Fig. 1.0 Greatest vulnerabilities/top information security concerns)
“The richness of the information means that the cyber security
threat to healthcare has increased,” says Michael Ebert, KPMG partner and
healthcare leader at the firm’s Cyber Practice. “The magnitude of the threat
against healthcare information has grown exponentially, but the intention or
spend in securing that information has not always followed.” (Bisson, David,
2015)
In a study carried out by Raytheon|Websense, “a security firm dedicated to protecting organizations against targeted attacks and data theft, recently announced the publication of 2015 Industry Drill-Down Report – Healthcare. In it, Websense explains why healthcare delivery systems are four times more likely to be impacted by advanced malware than other industries:
“The rapid digitization of the healthcare industry, when
combined with the value of the data at hand, has led to a massive increase in the number of targeted
attacks against the sector,” said Carl Leonard, Raytheon|Websense principal
security analyst. “While the finance and
retail sectors have long honed their cyber defenses, our research illustrates
that healthcare organizations must quickly advance their security posture to
meet the challenges inherent in the digital economy – before it becomes the
primary source of stolen personal information.” (Bisson, David, 2015)
Information security threats and vulnerabilities place federal agencies at risk, as the following studies show: “Cyber
threats to federal information systems and cyber-based critical infrastructures
are evolving and growing. These threats can be unintentional and intentional,
targeted or nontargeted, and can come from a variety of sources, such as
foreign nations engaged in espionage and information warfare, criminals,
hackers, virus writers, and disgruntled employees and contractors working
within an organization. Moreover, these groups and individuals have a variety
of attack techniques at their disposal, and cyber exploitation activity has
grown more sophisticated, more targeted, and more serious. As government, private
sector, and personal activities continue to move to networked operations, as
digital systems add ever more capabilities, as wireless systems become more
ubiquitous, and as the design, manufacture, and service of information
technology have moved overseas, the threat will continue to grow. In the
absence of robust security programs, agencies have experienced a wide range of
incidents involving data loss or theft, computer intrusions, and privacy
breaches, underscoring the need for improved security practices. These
developments have led government officials to become increasingly concerned
about the potential for a cyber-attack. According to GAO reports and annual
security reporting, federal systems are not sufficiently protected to
consistently thwart cyber threats. Serious and widespread information security
control deficiencies continue to place federal assets at risk of inadvertent or
deliberate misuse, financial information at risk of unauthorized modification
or destruction, sensitive information at risk of inappropriate disclosure, and
critical operations at risk of disruption. For example, over the last several
years, most agencies have not implemented controls to sufficiently prevent,
limit, or detect access to computer networks, systems, and information, and
weaknesses were reported in such controls at 23 of 24 major agencies for fiscal
year 2008. Agencies also did not always configure network devices and services
properly, segregate incompatible duties, or ensure that continuity of
operations plans contained all essential information. An underlying cause for
these weaknesses is that agencies have not yet fully or effectively implemented
key elements of their agencywide information security programs. To improve
information security, efforts have been initiated that are intended to
strengthen the protection of federal information and information systems. For
example, the Comprehensive National Cybersecurity Initiative was launched in
January 2008 and is intended to improve federal efforts to protect against
intrusion attempts and anticipate future threats. Until such opportunities are
seized and fully exploited and GAO recommendations to mitigate identified
control deficiencies and implement agencywide information security programs are
fully and effectively implemented, federal information and systems will remain
vulnerable.
Cybersecurity threats and vulnerabilities in federal agencies:
Pervasive and sustained cyber-attacks
against the United States could have a potentially devastating impact on
federal and nonfederal systems, disrupting the operations of governments and
businesses and the lives of private individuals.
The increasing dependency upon
information technology systems and networked operations pervades nearly every
aspect of our society. While bringing significant benefits, this dependency can
also create vulnerabilities to cyber-based threats. Underscoring the importance
of safeguarding critical information and information systems and weaknesses in
such efforts, federal information security and protecting computerized systems
supporting our nation’s critical infrastructure are designated a high-risk
area.
Federal agencies have significant
weaknesses in information security controls that continue to threaten the
confidentiality, integrity, and availability of critical information and
information systems used to support their operations, assets, and personnel.
For example, in their performance and accountability reports and annual
financial reports for fiscal year 2014, 17 of 24 major federal agencies
indicated that inadequate information security controls were either material
weaknesses or significant deficiencies.
In addition, most major federal
agencies have weaknesses in most of the five major categories of information
system controls:
- access controls, which ensure that only authorized individuals can read, alter, or delete data;
- configuration management controls, which provide assurance that only authorized software programs are implemented;
- segregation of duties, which reduces the risk that one individual can independently perform inappropriate actions without detection;
- continuity of operations planning, which helps avoid significant disruptions in computer-dependent operations; and
- agencywide information security programs, which provide a framework for ensuring that risks are understood and that effective controls are selected and implemented.
Figure 1.1 shows the number of agencies that had vulnerabilities in these five information security control categories during fiscal year 2014.
Figure 1.1: Information Security Weaknesses at 24 Major Federal Agencies in Fiscal Year 2014
Critical infrastructures are systems
and assets, whether physical or virtual, so vital to our nation that their
incapacity or destruction would have a debilitating impact on national
security, economic well-being or public health or safety. Critical
infrastructure includes, among other things, banking and financial
institutions, telecommunications networks, and energy production and
transmission facilities, most of which are owned by the private sector. As
these critical infrastructures have become increasingly dependent on computer
systems and networks, the interconnectivity between information systems, the
Internet, and other infrastructures creates opportunities for attackers to
disrupt critical systems, with potentially harmful effects.
The federal government has taken a
number of steps aimed at addressing cyber threats to critical infrastructure.
Despite the actions taken by several successive administrations and the
executive branch agencies, significant challenges remain to enhancing the
protection of cyber-reliant critical infrastructures, such as
- implementing a strategy to address cyber risks to federal building and access control systems;
- improving federal efforts to implement cybersecurity in the maritime port environment; and
- enhancing cybersecurity for air traffic control systems.
Other challenges that need to be addressed include
- developing and implementing procedures to help protect national security-related agencies’ systems from information technology (IT) supply chain risk;
- enhancing the oversight of contractors providing IT services;
- improving security incident response practices;
- implementing security programs at small agencies;
- implementing programs to protect the privacy of personally identifiable information (PII) and responding to breaches of PII; and
- protecting the privacy of mobile device location data” (Wilshusen, C., Gregory, & Barkakati N, 2016)
In conclusion, given the threats, vulnerabilities and exploits witnessed in the healthcare delivery system, one would want to ask: do healthcare breaches undermine trust? Kaveh Safavi (M.D., J.D. and managing director of Accenture’s global healthcare business) answered it this way: “What most health systems don’t realize is that many patients will suffer financial loss as a result of cyber-attacks on medical information,” “If healthcare providers are complacent to safeguarding personal information, they’ll risk losing substantial revenues and patients as a result of medical identity theft.” (Bisson, David, 2015). Further, in its first-ever 2015 Protected Health Information Data Breach Report (PHIDBR), Verizon wireless reported that 90% of industries have experienced a PHI breach.
References
Whitman, E. M., & Mattord, J. H. (2014). Management of Information Security. 4th ed. Boston: Cengage Learning.
Harris, S. (2013). CISSP All-In-One Exam Guide. 6th ed. New York: McGraw Hill Education.
Molly Merrill. Top 5 Security Threats in Healthcare. (2011-6-28). Retrieved (2016-2-7).
David Bisson. The State of Security: Passwords Are the New Data: Protecting Healthcare’s First Line of Defense. (2014-12-16). Retrieved (2016-2-6). http://www.tripwire.com/state-of-security/regulatory-compliance/hipaa/passwords-are-the-new-data-protecting-healthcares-first-line-of-defense/
Santillan, Maritza. The State of Security: Healthcare’s Software Security Trails Behind Other Sectors, Says New Study. (2015-10-26). Retrieved (2015-2-6). http://www.tripwire.com/state-of-security/latest-security-news/healthcares-software-security-trails-behind-other-sectors-says-new-study/
David Bisson. The State of Security: Healthcare Organizations Not Effectively Mitigating Security Risks, Finds KPMG. (2015-9-3). Retrieved (2016-2-6). http://www.tripwire.com/state-of-security/security-data-protection/cyber-security/healthcare-organizations-not-effectively-mitigating-security-risks-finds-kpmg/
David Bisson. The State of Security: Healthcare Industry Is Four Times More Likely to Be Impacted by Advanced Malware than Other Industries. (2015-9-24). http://www.tripwire.com/state-of-security/latest-security-news/healthcare-industry-is-four-times-more-likely-to-be-impacted-by-advanced-malware-than-other-industries/
Wilshusen, C., Gregory, & Barkakati N. Healthcare.gov: Actions Needed to Address Weaknesses in Information Security and Privacy Controls. (2014-9-16). Retrieved (2016-2-6). http://www.gao.gov/products/GAO-14-730
Information Security: Cyber Threats and Vulnerabilities Place Federal Systems at Risk. (2009-5-5). Retrieved (2016-6-2). http://www.gao.gov/products/GAO-09-661T
Key Issues: Cybersecurity. Retrieved (2016-2-6). http://www.gao.gov/key_issues/cybersecurity/issue_summary
David Bisson. The State of Security: Do Healthcare Breaches Undermine Trust? (2015-12-25). Retrieved (2016-2-6). http://www.tripwire.com/state-of-security/security-data-protection/do-healthcare-breaches-undermine-trust/