Introduction to Cybersecurity & Information Assurance for FQHCs April 13, 2011 Amelia Muccio Director of Emergency Management amuccio@njpca.org


Page 1: Introduction to Cybersecurity & Information Assurance for FQHCs April 13, 2011 Amelia Muccio Director of Emergency Management amuccio@njpca.org

Introduction to Cybersecurity & Information Assurance for FQHCs

April 13, 2011

Amelia Muccio
Director of Emergency Management

amuccio@njpca.org


Objectives

• Cybersecurity
• Information assurance
• FQHCs as target
• Cyber threats/risks
• Vulnerabilities
• Countermeasures
• Safeguarding
• Promoting a culture of security


Serious Threat

• Richard Clarke was famously heard to say, “If you spend more on coffee than on IT security, then you will be hacked. What's more, you deserve to be hacked.”

• The growing number of attacks on our cyber networks has become, in President Obama’s words, “one of the most serious economic and national security threats our nation faces.”


Who & What is At Risk?

• Economy
• Defense
• Transportation
• Medical
• Government
• Telecommunications
• Energy Sector
• Critical Infrastructure
• Computers/Cable TV/Phones/MP3/Games


Fundamental Concepts of Information Assurance

• Confidentiality (privacy)
• Integrity (quality, accuracy, relevance)
• Availability (accessibility)
• CIA triad


Internet

• In 1995, 16 million users (0.4%)
• In 2010, 1.6 billion users (23.5%)
• Unable to treat physical and cyber security separately, they are intertwined.


How Does an Attack Happen?

• Identify the target
• Gather information
• Plan/Prepare the attack
• Attack


Information Gathering


Attack Trends

• Increasing sophistication
• Decreasing costs
• Increasing attack frequency
• Difficulties in patching systems
• Increasing network connections, dependencies, and trust relationships


What Threatens Information?

• Misuse
• Disasters
• Data interception
• Computer theft
• Identity/Password theft
• Malicious software
• Data theft/corruption
• Vandalism
• Human error


Threats

• A threat is any potential danger to information and systems

• 3 levels of cyber threats
• Unstructured
• Structured
• Highly structured


Unstructured Threats

• Individual/small group with little or no organization or funding

• Easily detectable information gathering
• Exploitations based upon documented flaws
• Targets of opportunity
• Gain control of machines
• Motivated by bragging rights, thrills, access to resources


Structured Threats

• Well organized, planned and funded
• Specific targets and extensive information gathering to choose avenue and means of attack
• Goal-data stored on machines or machines themselves
• Exploitation may rely on insider help or unknown flaw
• Target drives attack
• Organized crime/black hat hackers


Highly Structured Threats

• Extensive organization, funding and planning over an extended time, with goal of having an effect beyond the data or machine being attacked

• Stealthy information gathering
• Multiple attacks exploiting unknown flaws or insider help
• Coordinated efforts from multiple groups
• “Cyber warfare”


Web as Weapon

• Infrastructure run by computers
• Government SCADA system
• Overflow dam, disrupt oil supply
• Sewage plant in Australia overflowed due to black hat hackers
• Cyberterrorism (Bin Laden and Aum Shinrikyo)
• Combined attack
• Cause power outage and biological attack
• EMS disruption and nuclear emergency
• Next war fought with code & computers


Hackers and Crackers

• White hat hacker-curious, explore our own vulnerabilities, bragging rights/just did it.

• Black hat hacker/cracker-malicious intent, exploit vulnerabilities for monetary profit or gain or perpetrate a crime, organized crime.

• Gray hat hacker-helpful or ethical hacker, motivated by a sense of good. Cowboys.

• GHHs find vulnerabilities, notify company of them so they can be fixed and resolved.


Gray Hats

• Adrian Lamo
• Find vulnerabilities, inform company
• WorldCom, Google, NYTimes, Bank of America, NASA
• NYTimes used SSN # as passwords
• Edited Yahoo Story
• Robert Lyttle
• DoD, Pentagon
• Both got into trouble!


Early Days…Phone Phreaking

• 2600 Hz Tone
• Captain Crunch Whistle & 4th E above Middle C
• Long whistle reset line, then dial w/whistle
• Tricked phone companies/tone dialing
• Free long distance and international calls


Risk

• Threat + Vulnerability
• Likelihood of an undesirable event occurring combined with the magnitude of its impact?
• Natural
• Manmade
• Accidental or Intentional
• People are the weakest link


Risk Management

• Identifying and assessing risk, reducing it to an acceptable level and implementing mechanisms to maintain that level

• Protect against:
• Physical damage
• Human error
• Hardware failure
• Program error
• Cyber attack


Risk Handling Discussion

• Risk reduction (countermeasures, HVA)
• Risk transference (insurance)
• Risk acceptance (may happen)
• Risk rejection (do nothing)
• Security assessments are an important part of risk management
• Penetration testing
• Identify all vulnerabilities and threats to information, systems and networks


Contingency Planning Components

• How to handle disruption?
• Business continuity
• Disaster recovery
• Incident response


Recovery Strategy

• A recovery strategy provides direction to restore IT operations quickly and effectively

• Backup methods
• Alternate sites
• Equipment replacement
• Roles and responsibilities
• Cost considerations


BCP

• A comprehensive written plan to maintain or resume business operations in the event of a disruption

• Continue critical business operations
• Jeopardize normal operations
• Most critical operations
• May require alternate sites (hot, warm, cold)
• What do we need to KEEP going?


DRP

• A comprehensive written plan to return business operations to the pre-disruption state following a disruption

• Restore IT functions (prep and restore)
• Jeopardize the normal operations
• Includes all operations
• RETURN TO NORMAL BUSINESS OPERATIONS
• WHAT DO WE NEED TO DO IN CASE OF A DISASTER?


Plan Testing, Training and Exercising

• Testing is critical to ensure a viable contingency capability
• Conduct plan exercises
• TTXs are useful


Policies and Procedures

• Establish security culture
• Establish best security practices
• Define goals and structure of security program
• Educate personnel
• Maintain compliance with any regulations
• Ex: email policy, Internet usage, physical security


Physical Security Countermeasures

• Property protection (door, locks, lighting)
• Structural hardening (construction)
• Physical access control (authorized users)
• Intrusion detection (guards, monitoring)
• Physical security procedures (escort visitors, logs)
• Contingency plans (generators, off site storage)
• Physical security awareness training (training for suspicious activities)


Personal Security

• Practices established to ensure the safety and security of personnel and other organizational assets

• It’s ALL about people
• People are the weakest link
• Reduce vulnerability to personnel based threats


Personal Security Threat Categories

• Insider threats-most common, difficult to recognize

• Includes sabotage and unauthorized disclosure of information

• Social engineering-multiple techniques are used to gain information from authorized employees, and that info is used in conjunction with an attack

• Not aware of the value of information


Social Engineering

• Being fooled into giving someone access when the person has no business having the information.


Dumpster Diving and Phishing

• DD-rummaging through company’s garbage for discarded documents

• Phishing-usually takes place through fraudulent emails requesting users to disclose personal or financial information

• Emails appear to come from a legitimate organization (PayPal)


P & P

• Acceptable use policy-what actions users may perform while using computers

• Personnel controls-need to know, separation of duties

• Hiring and termination practices-background checks, orientation, exit interview, escorting procedure


Private Branch Exchange (PBX) Systems

• Toll fraud
• Disclosure of information
• Unauthorized access
• Traffic analysis
• Denial of Service (DoS)


PBX Threat Countermeasures

• Implement physical security
• Inhibit maintenance of port access
• Enable alarm/audit trails
• Remove all default passwords
• Review the configuration of your PBX against known hacking techniques


Data Networks

• For computers to communicate
• Less expensive to use same network
• Modems designed to leverage this asset


Modem Threats

• Unauthorized and misconfigured modems
• Authorized but misconfigured modems


Wardialing

• Hackers use a program that calls a range of telephone numbers until it connects to an unsecured modem and allows them dialup access

• Identify potential targets


Modem Threat Countermeasures

• Policy
• Scanning
• Administrative action
• Passwords
• Elimination of modem connections
• Use a device to protect against telephony-based attacks and abuses


Voice Over Internet Protocol (VoIP)

• VoIP is a technology that allows someone to make voice calls using a broadband Internet connection instead of a regular (analog) phone line


VoIP Benefits and Threats

• Less expensive
• Increased functionality
• Flexibility and mobility
• Service theft
• Eavesdropping
• Vishing
• Call tampering


VoIP Threat Countermeasures

• Physical control
• Authentication and encryption
• Develop appropriate network architecture
• Employ VoIP firewall and security devices


Data Networks

• Computers linked together
• Hosts (computers, servers)
• Switches and hubs
• Routers


Common Network Terms

• Local Area Network (LAN)-network grouped in one geographic location

• Wide Area Network (WAN)-network that spreads over a larger geographic area

• Wireless LAN (WLAN)-is a LAN with wireless connections


Data Network Protocols

• Transmission Control Protocol (TCP)-moves data across networks with a connection oriented approach

• User Datagram Protocol (UDP)-moves info across networks with a connectionless approach

• Internet Control Message Protocol (ICMP)-used by the OS to send error messages across networks

• Hypertext Transfer Protocol (HTTP)-transfers web pages, hypermedia


Data Network Threats

• Information gathering
• Denial of Service (DoS)
• Disinformation
• Man-in-the-middle
• Session hijacking


Information Gathering Threats/Network Scanning

• What target is available?
• Reduces time on wasted effort (attacker)
• One of the most common pre-attack identification techniques is called scanning
• Scanning uses ICMP service “PING”
• PING SWEEP-echo request to range of addresses (provides list of potential targets)
• Are you there? Yes, I am there.
• Firewall should protect against


Sniffing

• A sniffer is a program that monitors and analyzes network traffic and is used legitimately or illegitimately to capture data transmitted on a network


Denial of Service (DoS)

• Degrade and prevent operations/functionality

• Distributed denial of service (DDoS) attack uses multiple attack machines simultaneously

• Vast number of ICMP echo request packets are sent to the target, overwhelming its capability to process all other traffic


Ping Flood/Ping of Death

• Ping flood-too much ping traffic drowns out all other communication

• Ping of Death-oversized or malformed ICMP packets cause target to reboot or crash

• Host cannot cope with ping packets
• Ping of Death relies on a vulnerability of buffer overflow
• Buffer overflow-size of input exceeds the size of storage intended to be received
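The bounds check that closes the buffer overflow described on this slide, as an added example (not part of the original presentation): a receiver validates each IPv4 fragment's declared position before copying it into a reassembly buffer. The function names and the constructed test headers are assumptions for illustration.

```python
import struct

MAX_DATAGRAM = 65535  # IPv4 Total Length is a 16-bit field, so no datagram may exceed this


def fragment_extent(packet: bytes) -> dict:
    """Parse an IPv4 header and report where this fragment ends after reassembly.

    Only the declared header fields are examined, so a bare 20-byte header is
    enough input. Assumption: every fragment carries the same header length.
    """
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_len, _ident, flags_frag = struct.unpack("!BBHHH", packet[:8])
    header_len = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or header_len < 20 or total_len < header_len:
        raise ValueError("malformed IPv4 header")
    offset = (flags_frag & 0x1FFF) * 8  # fragment offset is counted in 8-byte units
    payload_len = total_len - header_len
    return {
        "offset": offset,
        "payload_len": payload_len,
        "more_fragments": bool(flags_frag & 0x2000),
        "reassembled_size": header_len + offset + payload_len,
    }


def accept_fragment(packet: bytes) -> bool:
    """Return False for a fragment that would grow the datagram past 65535 bytes.

    A reassembly buffer sized for the legal maximum is overrun by exactly this
    kind of fragment when the check is missing.
    """
    return fragment_extent(packet)["reassembled_size"] <= MAX_DATAGRAM


def constructed_fragment(offset_units: int, payload_len: int, more: bool) -> bytes:
    """Build a 20-byte ICMP/IPv4 header for testing (constructed sample, checksum left at 0)."""
    flags_frag = (0x2000 if more else 0) | (offset_units & 0x1FFF)
    return struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 20 + payload_len, 0x1234, flags_frag,
        64, 1, 0,
        bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]),
    )


if __name__ == "__main__":
    samples = {
        "first fragment of a normal ping": constructed_fragment(0, 1480, True),
        "last fragment ending exactly at the limit": constructed_fragment(8189, 3, False),
        "fragment ending past the limit": constructed_fragment(8189, 1480, False),
    }
    for label, header in samples.items():
        verdict = "accept" if accept_fragment(header) else "DROP"
        print(f"{verdict:6} {label}: {fragment_extent(header)['reassembled_size']} bytes")
```
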


Smurf Attack (Ping Flood)

• Large stream of spoofed Ping packets sent to a broadcast address

• Source address listed as the target’s IP address (spoofed)

• Broadcast host relays request to all hosts on network

• Hosts reply to victim with Ping responses
• If multiple requests sent to broadcast host, target gets overloaded with replies


DDOS with Zombies/Botnet

• Zombies-infected computers
• Botnet-bunch of infected computers (same time)-massive traffic
• DDoS attack where a multitude of compromised systems attack a single target
• Flood of incoming messages to target system and force a shut down
• Google was target


Man-In-The-Middle Attacks

• Instead of shutting down target networks, attackers may want access

• Access information between authorized parties and observes it

• Uses a sniffer and gains information
• Digital wiretapping
• Types of attacks
• Eavesdropping
• Session hijacking


Network Attack Countermeasures

• Countering the threats
• Scans/Sniffing/Ping sweeps
• DoS/DDoS
• Smurf attack
• Session hijacking
• Eavesdropping


Ways to Recognize Scanning

• System log file analysis
• Network traffic
• Firewall and router logs
• Intrusion Detection Systems (IDSs)
–NIDS “Snort” or HIDS “OSSEC”
• Recognize as soon as possible
• Perform regular monitoring
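Firewall log analysis for the two ICMP patterns covered on the ping sweep and Smurf attack slides, as an added example (not part of the original presentation). The log line format, the thresholds and all function names are assumptions; the sample lines are constructed and use documentation address ranges.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data in a hypothetical firewall log format (not a real product's).
SAMPLE_LOG = """\
2011-04-13T10:00:01 ICMP type=8 src=203.0.113.7 dst=192.0.2.1
2011-04-13T10:00:02 ICMP type=8 src=203.0.113.7 dst=192.0.2.2
2011-04-13T10:00:02 ICMP type=0 src=192.0.2.2 dst=203.0.113.7
2011-04-13T10:00:03 ICMP type=8 src=203.0.113.7 dst=192.0.2.3
2011-04-13T10:00:04 ICMP type=8 src=203.0.113.7 dst=192.0.2.4
2011-04-13T10:00:05 ICMP type=8 src=203.0.113.7 dst=192.0.2.5
2011-04-13T10:01:00 ICMP type=8 src=198.51.100.20 dst=192.0.2.10
2011-04-13T10:01:01 ICMP type=8 src=198.51.100.20 dst=192.0.2.10
2011-04-13T10:02:00 ICMP type=8 src=203.0.113.99 dst=192.0.2.255
this line is corrupted and must be skipped
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) ICMP type=(?P<type>\d+) src=(?P<src>\S+) dst=(?P<dst>\S+)$")
ECHO_REQUEST = 8  # ICMP type used by ping


def parse_line(line):
    """Return one parsed event, or None for lines that do not fit the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        return {
            "ts": datetime.fromisoformat(m["ts"]),
            "type": int(m["type"]),
            "src": ipaddress.ip_address(m["src"]),
            "dst": ipaddress.ip_address(m["dst"]),
        }
    except ValueError:
        return None


def detect_ping_sweeps(events, window=timedelta(seconds=60), min_targets=5):
    """Flag sources that ping at least min_targets distinct hosts inside one time window."""
    by_src = defaultdict(list)
    for e in events:
        if e["type"] == ECHO_REQUEST:
            by_src[e["src"]].append(e)
    findings = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it spans at most `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            targets = {e["dst"] for e in evs[start:end + 1]}
            if len(targets) >= min_targets:
                findings[str(src)] = [str(t) for t in sorted(targets)]
                break
    return findings


def detect_broadcast_echo(events, internal_networks):
    """Flag echo requests addressed to the broadcast address of an internal subnet.

    In a Smurf attack the logged source is spoofed, so it names the intended
    victim of the replies, not the sender.
    """
    broadcasts = {ipaddress.ip_network(n).broadcast_address for n in internal_networks}
    return [e for e in events if e["type"] == ECHO_REQUEST and e["dst"] in broadcasts]


def analyze(log_text, internal_networks=("192.0.2.0/24",)):
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    return detect_ping_sweeps(events), detect_broadcast_echo(events, internal_networks)


if __name__ == "__main__":
    sweeps, broadcast_hits = analyze(SAMPLE_LOG)
    for src, targets in sweeps.items():
        print(f"possible ping sweep from {src}: {len(targets)} hosts probed")
    for e in broadcast_hits:
        print(f"echo request to broadcast {e['dst']} (claimed source {e['src']})")
```

A single host pinged repeatedly and a sweep spread over a longer period than the window both stay below the threshold, which is why the slide's advice to monitor regularly and tune detection still applies.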


Defending Against Scanning-Use More than 1

• Block ports at routers and firewalls
• Block ICMP, including echo
• Segment your network properly
• Hide private, internal IP addresses
• Change default account settings and remove or disable unnecessary services
• Restrict permissions
• Keep applications and operating systems patched


Sniffing Countermeasures

• Strong physical security
• Proper network segmentation
• Communication encryption
• To guard against sniffing, make sure attacker cannot access a legitimate communication stream


DoS and DDoS Countermeasures

• Stop the attack before it happens
• Block “marching orders”
• Patch systems
• Implement IDS
• Harden TCP/IP
• Avoid putting “all eggs in 1 basket”
• Adjust state limits
• Keep us from being targeted and lock down assets


Snort (Network IDS)

• Snort’s open source network-based intrusion detection system has the ability to perform real-time traffic analysis and packet logging on Internet Protocol (IP) networks.

• Snort performs protocol analysis, content searching, and content matching.

• The program can also be used to detect probes or attacks, including, but not limited to, operating system fingerprinting attempts, common gateway interface, buffer overflows, server message block probes, and stealth port scans.

• FREE


Other Countermeasures

• Encrypted session negotiation (ensure handshake process)

• Repeating credential verification during the session (kick out hijackers)

• Partitions
• User training (all personnel can understand security)


Defense-In-Depth

• Defense-in-depth is an information assurance (IA) strategy in which multiple layers of defense are placed throughout an information technology (IT) system.

• It addresses security vulnerabilities in personnel, technology and operations for the duration of the system's life cycle.


Perimeter Defense Countermeasures

• Router security
• Demilitarized Zone
• Bastion host
• Firewalls
• Intrusion Detection Systems
• Intrusion Prevention Systems
• Virtual Private Network
• (Defensive technologies)


Routers

• First line of perimeter defense
• Connects external environment to internal network
• Securely configured
• Audit regularly
• Keep patched and updated


DMZ

• Machine or machines accessible by the Internet, but not located on the internal network or the Internet

• Web server
• Email server
• Should not contain much valuable data
• IDS sensor to detect malicious traffic


Bastion Host “Harden/Locked Down”

• Highly exposed to attacks in DMZ
• Web server
• Email server
• Locked down/hardened system
• Unnecessary services disabled
• No unnecessary applications
• Fully patched
• Unnecessary ports closed
• Unnecessary accounts disabled


Firewalls

• Control connections from one network (or portion of network) to another (restrict Internet access)

• Enforce security policy
• Hardware or software
• Firewalls DO NOT monitor connections not passing directly through it—not a magic bullet
• Even perfectly configured is still vulnerable
• Packet filtering
• Proxies
• Stateful inspection


Intrusion Detection System (IDS)

• Detects suspicious activity
• Alerts upon discovery of possible compromise attempts
• Comprised of several components
• Sensors
• Analyzers
• Administrator interfaces
• IDS can search for attacks, terminate connections, send real time alerts, protect system files, expose hacking techniques, illustrate vulnerabilities and even assist in tracking down hackers


Common Types of IDS

• Host based-mail server, web server or individual PC

• Network based-network itself,


Virtual Private Networks (VPN)

• A secure, private data connection through a non-secure public network

• Often through the Internet
• Uses encryption and tunneling protocols


Wireless Technology

• Allows communication between multiple systems/devices without physical connection

• Much less expensive than wired solutions

• WLAN


Wireless Threats and Countermeasures

• Access point mapping
• Service Set Identifier (SSID) broadcasting
• Default SSID
• Radio frequency management
• Default settings
• Authentication
• Bluetooth security


Access Point Mapping

• WLAN version of wardialing

• An AP is a device connecting a wired network to wireless devices using radio frequency

• Software (net stumbler, air snort, void11)

• Warchalking (available access points)


Service Set Identifier (SSID) Broadcasting

• “Beaconing”-this is the continuous announcement by a Wi-Fi access point that it is available.

• SSID is name assigned to the wireless connection

• Default SSIDs pose a security risk even if the AP is not broadcasting because default names are widely known


Radio Frequency Management

• The signal should die out before it reaches the physical boundaries of the property

• This helps prevent unauthorized users from driving by and intercepting confidential wireless signals


Default Settings

• Many access points arrive with no security mechanism in place

• Changing the default settings before deployment should be a matter of organizational practice


Authentication Issues

• Open system-SSID, subject to sniffing
• Shared key-SSID plus WEP encrypted key required, subject to man-in-the-middle attacks

• Many wireless networks do not contain adequate authentication mechanisms

• Both Open and Shared are considered weak


Authentication Issues

• WEP standard proven insufficient

• Replaced with Wi-Fi Protected Access (WPA)

• WPA demonstrates its own weaknesses

• Replaced by WPA2 which is viewed as more secure


Bluetooth Security

• Popular short-range technology
• Used for many personal electronic devices including phones, music players, etc.

Threats
• Bluejacking-sending unsolicited messages to Bluetooth devices
• Bluesnarfing-unauthorized access of information from a wireless device through a Bluetooth connection
• Bluebugging-unauthorized control of Bluetooth assets


Operating System

• A program that acts as an intermediary between a computer user and the computer hardware

• “GUI” Graphical User Interface
• Process management
• Main memory management
• File management
• I/O system management
• Secondary storage management
• Network management
• Protection system management
• User interface management


Operating System Security

• Confidentiality: only let authorized entities access computer and information

• Integrity: only allow authorized changes to information

• Availability: manage resources to permit access to information and system at all required times


Authorization and Authentication

• WHO IS AUTHORIZED?
• Authorized by policy of organization and operational requirements
• HOW DO WE KNOW?
• Accounts (identification)
• Known systems
• Passwords
• Secure communication channel


Access Control

• Verifying the identity of entities before granting access and restricting access

• Controls how users and systems communicate and interact with other systems and resources

• First line of defense
• Authenticate before allowing access to authorized resources
• Policies, locks, passwords
• Social media policies??

Auditing

• A trail to follow
• Creation of logs
• A log is a record of events or activities that occur
• Detectable events
• Collect and save in secure information
• Analyze results

Threats to OS

• The basic problem with OS and computers is that a system allows unauthorized users to compromise the system to gain unauthorized access to system resources

• Weak/Broken identification
• Weak internal security structures
• Programming errors in operating system

Once Identified, Authorize

• User accounts are the mechanism used to identify and authorize people

• Access control is based on identification
• Most common authentication is a password
• Password and account policies help improve security

Implementing Policies

• The whole access control process is driven by policies and procedures

• One part of implementing policies is to put in place a password policy that makes it less likely that an attacker can break into computer systems by compromising a password

Password Policy

• What makes a good password policy?

• New password
• Reuse of old passwords
• Length of validity
• When can it be changed
• Minimum length of password
• Complexity requirements
• Should password be stored

Specific OS Attacks

• DoS: attack on availability, consume resources
• Hack: exploit a vulnerability to gain unauthorized access to the system
• Backdoor: an access method that bypasses the normal security of the system
• Memory issues: memory is not erased before given to another program
• Escalation of privileges: user exploits vulnerability to gain unauthorized access
• Default settings: most OS ship with simplest configuration, security disabled

Securing Systems

• Perform system hardening
• Find out what vulnerabilities are still present
• Fix them

Countermeasures: DoS

• Set network and host firewall filters for known bad traffic

• Apply OS patches for known vulnerabilities
• Limit time and resources to processes
• Monitor for threat activity on the network and host using IDS
• “Detect and block”

Countermeasures: Hack the System

• Use account and password policies
• Change default accounts, settings, passwords
• Use restricted accounts for services
• Apply OS patches for known vulnerabilities
• Turn off unnecessary services
• Watch for social engineering

Countermeasures: Backdoor

• Backdoors are installed by the developer
• Disable any unnecessary default accounts
• Apply OS patches for known vulnerabilities
• Scan system periodically
• Monitor system

Countermeasures: Memory Issues

• Memory management is an issue that has a severe impact on performance

• Apply OS patches for known vulnerabilities

• Turn on security features
• Reclaim memory on process termination

Countermeasures: Escalation of Privileges

• Apply OS patches for known vulnerabilities

• Monitor system
• Establish restricted accounts for services (don’t run everything as administrator)

Countermeasures: Default Settings

• Disable unnecessary accounts and services
• Apply OS patches for known vulnerabilities
• Follow lockdown procedures when possible
• Monitor the system

Common Application Security Threats

• Unauthorized access to applications: first line of defense is access control

• Cross-Site Scripting: browser allows code injection

• SQL injection: inserts independent queries into a database

• Buffer overflow: input from a user exceeds the length or other characteristics of an expected input

• Arbitrary code execution: one of the common methods used by attackers to execute commands to take over or crash the targeted machine

Unauthorized Access Countermeasures

• Determines what object can access application
• Can be implemented based on users, permissions, and folder structures
• UserID and password
• Honeypot is a trap set to detect, deflect, or in some manner counteract attempts at unauthorized use of information systems.

XSS Countermeasures

• Vulnerability in web applications
• Web server owner should:
  • Keep web server updated
  • Scan for XSS vulnerabilities
  • Configure applications and servers properly
• User should:
  • Keep web browser updated
  • Practice safe web surfing
  • Attend awareness training

SQL Injection Countermeasures

• Database vulnerability (credit card info/patient information)

• Input validation
• Manual code review
• Least privilege
• When not required, disable privileges to stored procedures, tables, etc.
• Limit execution privileges to SELECT, UPDATE, DELETE and user-stored procedures
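
The countermeasures on this slide, shown as an added example (not part of the original presentation): a lookup that concatenates input into SQL beside a version that validates input and binds it as a parameter, plus a read-only connection as a SQLite stand-in for least privilege. The table, the `MRN` record-number format and all function names are assumptions made for the illustration.

```python
import re
import sqlite3

def make_db():
    """Build a constructed, in-memory sample table (no real patient data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE patients (mrn TEXT PRIMARY KEY, name TEXT, dx TEXT)")
    conn.executemany(
        "INSERT INTO patients VALUES (?, ?, ?)",
        [("MRN1001", "Sample Patient A", "asthma"),
         ("MRN1002", "Sample Patient B", "diabetes")],
    )
    conn.commit()
    return conn

def lookup_vulnerable(conn, mrn):
    """BEFORE: input is pasted into the SQL text, so it can change the query."""
    sql = "SELECT name, dx FROM patients WHERE mrn = '" + mrn + "'"
    return conn.execute(sql).fetchall()

def lookup_bound(conn, mrn):
    """Bound parameter: the driver passes the input as data, never as SQL."""
    return conn.execute(
        "SELECT name, dx FROM patients WHERE mrn = ?", (mrn,)
    ).fetchall()

MRN_FORMAT = re.compile(r"MRN[0-9]{4}")  # assumed record-number format

def lookup_hardened(conn, mrn):
    """AFTER: allow-list input validation, then a bound parameter."""
    if not MRN_FORMAT.fullmatch(mrn):
        raise ValueError("rejected: not a valid record number")
    return lookup_bound(conn, mrn)

def restrict_to_reads(conn):
    """Least privilege for a lookup-only connection (SQLite stand-in for
    granting only SELECT to the application account on a server database)."""
    conn.execute("PRAGMA query_only = ON")

def write_is_blocked(conn):
    """Return True if the database refuses a modification on this connection."""
    try:
        conn.execute("DELETE FROM patients")
        conn.rollback()  # the delete was allowed; undo it
        return False
    except sqlite3.Error:
        return True

if __name__ == "__main__":
    db = make_db()
    hostile = "x' OR '1'='1"  # constructed test input
    print("vulnerable lookup rows:", len(lookup_vulnerable(db, hostile)))
    print("bound lookup rows:", len(lookup_bound(db, hostile)))
    restrict_to_reads(db)
    print("write blocked on read-only connection:", write_is_blocked(db))
```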

Buffer Overflow Countermeasures

• Software vulnerability and programming (C and C++)

• Stack buffer overflow “Morris Worm”
• Write secure code
• Use compiler tools to detect unsafe instruction sets in application
• Have a limited number of processes running
• Keep your application updated with latest patches from software vendor
• Control privilege

Arbitrary Code Execution Countermeasures

• Software bug
• Install latest updates and Service Packs
• Disable scripting and ActiveX (Drive by)
• Configure application securely
• Use alternate, safer applications

Drive by Download

• Drive by Download is an unintended download of computer software from the Internet:

1. Downloads which a person authorized but without understanding the consequences (e.g. downloads which install an unknown or counterfeit executable program, ActiveX component, or Java applet).

2. Any download that happens without a person's knowledge.

3. Download of spyware, a computer virus or any kind of malware that happens without a person's knowledge.

Personal Information Threats

• Unauthorized access to personal information

• Loss of personal information
• Unauthorized disclosure of personal information
• Spoofing
• Malicious software (Malware)

Unauthorized Access to Personal Information

• Commonly done by cracking user passwords

• Recovering passwords from data that has been stored in or transmitted by a computer system

• Password cracking methods
  • Dictionary
  • Hybrid
  • Brute force (every password WILL be cracked)

Password Cracking (1-11)

• andy
• helen2008
• Computer
• Jonas_Puente
• marykay
• htimsnosaj
• b1@nc@&l33
• cold*beer
• 020973
• n1h0nj1n
• *pdbmc12

Loss of Personal Information

• Human error, 32%
• Software corruption, 25%
• Virus attack (malware), 22%
• Hardware failure, 13%
• Sabotage, 6%
• Natural disasters, 2%

Spoofing

• A situation in which a person/program successfully masquerades as another by presenting false information.

Malicious Software (Malware)

• Designed to damage/disrupt a system without the owner’s consent.

• Software that gets installed on your system and performs unwanted tasks.

• Pop ups to virus deployment.

Virus

• Individual programs that propagate by first infecting executable files or the system and then making copies of themselves.

• Can operate without your knowledge (visit website, you open attachment).

• WE OPEN IT

Worm

• Designed to replicate and spread from computer to computer (attach to file and run on their own)

• WE DON’T HAVE TO OPEN IT

Trojan Horse

• Designed and written like normal programs but have hidden code that can compromise your system from remote user/computer.

Logic/Time Bomb

• Program that lies dormant until it is activated by something (date, message).

Spyware

• Computer software that gathers information about a computer user and transmits it without your knowledge (benign or malignant, websites or credit card information).

Adware

• Advertising supported software in which advertisements are displayed while the program is running.

Malware Goals

• Malicious code threatens three primary security goals:
• Confidentiality: Programs like spyware can capture sensitive data while it is being created and pass it on to an outside source.

• Availability: Many viruses are designed to modify operating system and program files, leading to computer crashes. Internet worms have spread so widely and so quickly that they have overloaded Internet connections and email systems, leading to effective denial-of-service attacks.

• Integrity: Protecting information from unauthorized or inadvertent modification. For example, without integrity, your account information could be changed by someone else.

Personal Information Security Countermeasures

• Password policies
• Backup
• Cryptography
• Spoofing countermeasures
• Malware detection and prevention

Password Policies

• History: 10 passwords
• Max age: 120 days
• Min age: 5 days or 0 for shoulder surfing
• Min length: 15 characters (at least 8)
• Complexity: enabled
• Combo of upper & lower case & special character & number
• La2!xxxx
• No dictionary words/patterns
• No easily obtainable information
• No birthdays, pet names, fictional character, proper noun, etc.
• Use of mnemonics
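
The policy values on this slide, applied in code as an added example (not part of the original presentation): a password-change check that enforces history, minimum and maximum age, length, complexity and a dictionary test. The function names, the tiny word list and the choice to keep history as salted PBKDF2 hashes rather than cleartext are assumptions made for the illustration.

```python
import hashlib
import hmac
import os
import re
from datetime import datetime, timedelta

# Values from the slide above.
HISTORY_DEPTH = 10              # remember the last 10 passwords
MAX_AGE = timedelta(days=120)   # force a change after 120 days
MIN_AGE = timedelta(days=5)     # slide: 5 days, or 0 to allow an immediate change
MIN_LENGTH = 15                 # slide: 15 characters (at least 8)

# Constructed sample word list; a deployment would load a much larger one.
DICTIONARY = {"password", "computer", "welcome", "hospital"}

CLASSES = [
    ("no uppercase letter", re.compile(r"[A-Z]")),
    ("no lowercase letter", re.compile(r"[a-z]")),
    ("no number", re.compile(r"[0-9]")),
    ("no special character", re.compile(r"[^A-Za-z0-9]")),
]

def hash_password(password, salt=None):
    """Return (salt, digest); the history stores these, never cleartext."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest

def in_history(password, history):
    """history is a list of (salt, digest) pairs, oldest first."""
    for salt, digest in history[-HISTORY_DEPTH:]:
        if hmac.compare_digest(hash_password(password, salt)[1], digest):
            return True
    return False

def complexity_problems(password):
    """List every length, character-class and dictionary rule the password breaks."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    problems += [msg for msg, pattern in CLASSES if not pattern.search(password)]
    lowered = password.lower()
    if any(word in lowered for word in DICTIONARY):
        problems.append("contains a dictionary word")
    return problems

def check_change(new_password, history, last_changed, now):
    """Return the reasons a password change is refused (empty list = accepted)."""
    problems = []
    if now - last_changed < MIN_AGE:
        problems.append(f"changed less than {MIN_AGE.days} days ago")
    problems += complexity_problems(new_password)
    if in_history(new_password, history):
        problems.append(f"matches one of the last {HISTORY_DEPTH} passwords")
    return problems

def is_expired(last_changed, now):
    """True once the current password is older than the maximum age."""
    return now - last_changed > MAX_AGE

if __name__ == "__main__":
    now = datetime(2011, 4, 13)
    for candidate in ["La2!xxxx", "helen2008", "Tr4il-Mix&Marbles!"]:
        print(candidate, check_change(candidate, [], now - timedelta(days=30), now))
```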

Backup

• Copying files to a second medium for later retrieval as a precaution in case the first medium fails

• Perform frequently
• Keep in a separate location
• 93% of companies that lost their data center for 10 days or more due to a disaster filed for bankruptcy within one year of the disaster

• 50% of businesses that found themselves without data management for this same period filed for bankruptcy immediately

Spoofing Countermeasures

• Practice safe email usage and web surfing
• Attend security awareness training

Malware Countermeasures

• Only run software you can trust
• Install antivirus software
• Scan file attachments with antivirus software before opening
• Verify critical file integrity
• BACKUP

Electronic Health/Medical Records

• An electronic health record (EHR) is an evolving concept defined as a systematic collection of electronic health information about individual patients or populations

• It is a record in digital format that is capable of being shared across different health care settings, by being embedded in network-connected enterprise-wide information systems

• Such records may include a whole range of data in comprehensive or summary form, including demographics, medical history, medication and allergies, immunization status, laboratory test results, radiology images, vital signs, personal stats like age and weight, and billing information

Health Insurance Portability and Accountability Act of 1996 (HIPAA)

• The Office for Civil Rights enforces the HIPAA Privacy Rule, which protects the privacy of individually identifiable health information; the HIPAA Security Rule, which sets national standards for the security of electronic protected health information; and the confidentiality provisions of the Patient Safety Rule, which protect identifiable information being used to analyze patient safety events and improve patient safety.

EHR

• Advantages
  • Reduction of cost
  • Improve quality of care
  • Promote evidence-based medicine
  • Record keeping and mobility
• Disadvantages
  • Costs
  • Time

Are EHRs Vulnerable? YES!

• Vulnerabilities discovered, reported to eHealth vendor and then patched

• Patches take A LOT of time to fix
• 2,211 days (vendor) vs. 284 days (Microsoft)
• No one eHealth vendor in charge

Possible Issues

• Unauthorized users can compromise integrity and confidentiality

• Unauthorized access to computer networks
• Password protection (hacks and policies)
• Subversive software (malware)
• Disaster

Privacy and Security Issues

• Data breaches
• Theft
• Lost devices
• Social networking

Personally Identifiable Information (PII)

• Information that permits the identity of an individual to be inferred directly or indirectly
• PII includes any information that is linked or linkable to that individual, regardless of whether the individual is a U.S. citizen, a legal permanent resident, or a visitor to the United States
• Apply the "need to know" principle before disclosing PII to other personnel
• Challenge the need for the requested PII before sharing
• Consider PII materials for official use only
• Limit the collection of PII for authorized purposes only

Examples of PII

• Name
• Date of birth
• Biometrics
• Mailing address
• Phone #
• Email address
• Zip code
• Account numbers
• License information
• Social Security #
• Place of birth
• License plate
• Photos

Sensitive Data

• Confidentiality of patient records
• Mental health
• Sexual health
• Drug/alcohol
• Minors
• Intimate partner violence/sexual violence
• Genetic information

Privacy and Security of EHR

• Security program components and regulatory requirements (HITECH, HIPAA, Breach Notification Laws, State Laws)

• Risk assessment and mitigation plans
• Security program evaluation
• Privacy and security awareness training for all staff
• Disclosure logs

Privacy and Security

• Security audit programs will be under the purview of the OCR (Office for Civil Rights), which is expected to begin with existing programs in 2011.

• CIA Triad

Data Segmentation

• Structured data fields
• Common data definitions
• Data entry
• Locating data
• Technology and codes
• Building intelligence

Safeguarding PII

• Store sensitive information in a room or area that has access control measures to prevent unauthorized access by visitors or members of the public (e.g., locked desk drawers, offices, and file cabinets)
• Never email sensitive information to unauthorized individuals.
• Never leave sensitive information on community printers
• Take precautions to avoid the loss or theft of computer devices and removable storage media
• Destroy all sensitive information by appropriate methods (paper shredder) when it is no longer needed
• Notify your immediate supervisor if you suspect or confirm that a privacy incident has occurred

Security Vulnerabilities and Countermeasures

• Safeguard data
• Monitor control on key systems and check inadequate logging
• Protect access control
• Data encryption
• Privacy awareness training
• Create strong vendor management
• Develop business continuity and incident response plans

Security and Assurance Program

• Protective measures to address potential cyber security threats include:
  • Firewalls and virus protection systems
  • Password procedures
  • Information encryption software
  • Computer access control systems
  • Computer security staff background checks (at initial hire and periodically)
  • Computer security staff training & 24/7 on-call technical support
  • Computer system recovery and restoration plans
  • Intrusion detection systems
  • Redundant & backup systems, & offsite backup data storage

In Summary…

• Identify vulnerabilities
• Human error is biggest threat
• Fix vulnerabilities (patches, etc.)
• Have policies and procedures
• Computer maintenance program
• Educate staff
• Stay informed of latest and greatest
