Healthcare and Public Health Cybersecurity Primer


Healthcare and Public Health Cybersecurity Primer: Cybersecurity 101

Healthcare and Public Health Sector Cybersecurity Working Group

The views expressed in this document are those of the Healthcare and Public Health Sector Partnership and do not necessarily reflect those of the Department of Health and Human Services or any of its Operating Divisions.

The Cybersecurity Working Group gives special thanks to all of the Healthcare and Public Health Sector partners from the private sector as well as State, local, tribal, territorial, and Federal agencies who aided in the development of this document. Your continued dedication to the protection and resilience of healthcare and public health critical infrastructure is greatly appreciated.

Foreword

The document Healthcare and Public Health Cybersecurity Primer: Cybersecurity 101 was developed by the Healthcare and Public Health (HPH) Sector Cybersecurity Working Group (CSWG). The CSWG directs the HPH sector's cybersecurity analysis, education, and awareness efforts, including coordinating with the Risk Management Working Group to provide cybersecurity expertise for the sector's risk management objectives.

The CSWG is comprised of public and private sector entities and organizations that coordinate under the Critical Infrastructure Partnership Advisory Council (CIPAC) framework. The CIPAC framework and related guidelines were established based on the critical need for effective information sharing between the private sector and Federal, state, local, tribal and territorial entities throughout the United States. CIPAC allows real-time, continuous communications and open dialogue among a wide variety of constituents. According to the CIPAC charter:

The Secretary, Department of Homeland Security, has exercised statutory authority to exempt CIPAC meetings from the requirements of the Federal Advisory Committee Act. That exemption was expressly provided to establish a known and trusted framework that would:
- Facilitate the flow of advice and information concerning critical infrastructure protection;
- Foster effective information sharing;
- Mitigate the risk of compromising vulnerabilities; or that would promote necessary communications during emergencies.

The Healthcare and Public Health Cybersecurity Primer aims to leverage this framework to present introductory information on cybersecurity to healthcare and public health professionals.

Table of Contents

Foreword
1.0 Introduction
2.0 Qualities of a Secure Cyber Environment
3.0 Cyber Vulnerabilities and Threats
3.1 Common Cyber Threats
3.2 Common Cyber Vulnerabilities & Consequences
4.0 Managing Risk
    Identification and Authentication
    Security Patch Management (SPM)
    Firewalls
    Isolated Network
    Policy and Procedures
    Educational Resources
References for Additional Information
Condensed Glossary of Cyber Terms

1.0 Introduction

The Department of Homeland Security and the Department of Health and Human Services have identified that the Healthcare and Public Health (HPH) sector remains at risk from opportunistic and targeted cyber incidents that continue to grow in number and sophistication. In March 2009, the Director of National Intelligence testified before Congress that "the growing connectivity between information systems, the Internet, and other infrastructures creates opportunities for attackers to disrupt telecommunications, electrical power, energy pipelines, refineries, financial networks, and other critical infrastructure."1 The White House Cyberspace Policy Review further reinforced the risks to critical infrastructure, citing Central Intelligence Agency reports of malicious activities against information technology (IT) systems that caused the disruption of electrical power infrastructure in multiple regions overseas, and the growing risk "as digital and network technologies are being integrated across large systems."2 These cyber threats have the potential to cripple owners and operators and to disrupt critical services.

The Healthcare and Public Health (HPH) sector is a large and diverse sector that provides a vast array of goods and services that are essential to the health, safety and well-being of the Nation. Critical functions of the sector include, but are not limited to:
- Acute care hospitals and ambulatory healthcare, including the doctors, nurses, and occupational health practitioners that support those facilities;
- Health plans and payers, who provide payment to caregivers for goods and services related to healthcare;
- Mass casualty and mortuary care;
- A large system of private sector enterprises that manufacture, distribute, and sell drugs, biologics and medical devices; and
- Population-based care and surveillance provided by health agencies at the Federal, State, and local levels.

In each of the above-listed critical functional areas, the HPH sector has become more reliant on technology to support and improve the provision of care, disease prevention, and emergency response. However, since sector stakeholders are focused on providing quality care and saving lives, the cyber dimension of the sector can sometimes be viewed as secondary, or not part of the professional knowledge base. With the proliferation of health information technology and cyber systems within the critical functions of the HPH sector, there is a compelling need to address and manage the risks associated with cyber threats to HPH.

Understanding the evolving role of cybersecurity in healthcare and public health is a crucial first step to managing cyber risks to the HPH sector. The Healthcare and Public Health Cybersecurity Primer is a tool intended for use by sector members, owners and operators, as well as Federal, State and local partners who may not be cyber experts, but wish to improve the sector's level of understanding of cybersecurity.3 The scope of this document contains concepts and common practices of security as they pertain to the cyber component of healthcare and public health.4 This document will:
- Provide a basic definition of cybersecurity;
- Discuss qualities of a secure cyber environment;
- Present a high-level examination of cyber threats, consequences and vulnerabilities; and
- Discuss preventative measures and recommended risk management activities.

The document will conclude with a guide to further resources on cyber issues and will also provide a glossary of common terms.

1 Director of National Intelligence, Annual Threat Assessment of the Intelligence Community for the Senate Armed Services Committee, Statement for the Record, March 10, 2009.
2 White House, Cyberspace Policy Review, May 2009, p. 2.
3 This document also supports the national policies established by Homeland Security Presidential Directive-7, which calls for coordination between public and private entities to enhance the protection and resilience of the Nation's critical infrastructure.
4 It is important to note here that this document will not address healthcare privacy issues, which present cyber liability concerns outside the scope of this document.

2.0 Qualities of a Secure Cyber Environment

In its most basic form, security ensures the integrity of data and its availability to the appropriate and/or designated persons. The term cybersecurity refers to the protection of cyberspace5 and related technologies, from records and electronic data to the physical structures of security systems. Cybersecurity, as it applies to the Healthcare and Public Health Sector, encompasses the defensive measures and activities that prevent exploitation or misuse of the cyber infrastructure within the sector. This includes, but is not limited to, medical devices, laboratory systems and networks, hospital and treatment center information systems, patient databases, hardware components, and software.

Applied correctly, cybersecurity mechanisms and techniques may help prevent attacks on systems and networks. An attack can be defined as any action that hinders normal functionality or normal system operations, or allows an unwanted individual or group access to a system or network. Cybersecurity can help to manage or mitigate risks resulting from nefarious actors, malware, and broad information sharing. It can streamline auditing, reporting, configuration management and system patching. As much as the cyber dimension connects multiple types of infrastructure, it is a constantly evolving network with ever-changing threats and vulnerabilities to discover, evaluate and manage. Thus, securing cyberspace is quite a challenge. Threats are becoming even more sophisticated while security technology strives to keep pace. Much of this technology requires specialized training and continuous monitoring, as well as high costs.

Organizations struggle with prioritizing and implementing security requirements. Since technology and security do not advance in sync with one another, the threat environment sometimes evolves at a faster rate than the security measures. Basic security and protective measures should always be employed, but it should be well understood that they are not necessarily sufficient to protect against every attack. Systems and networks in the sector that are most at risk are those without even the basic or minimum protections. As the complexity of attacks continues to evolve and sector infrastructure is increasingly reliant on networks, owners and operators of systems and networks must be prepared to quickly adjust security measures. Security measures must be dynamic, up-to-date, and employ commonly accepted practices at all times.

In the world of cybersecurity, any system or network is only as good as the weakest link in that particular system or network. Listed below are commonly recognized practices that serve to enhance network security and can be widely applied to the many facets of the HPH sector. This list is not intended to be all-inclusive; however, it should be considered the minimum level of protection, because without these measures a system or network would be completely exposed.

Identification and Authentication is the ability to validate an individual, device, or process prior to accessing or carrying out an activity on a given system or network. This provides owners and operators with a mechanism to identify the actor(s) involved in a transaction and creates a framework for auditing users' actions. Security controls can be employed at different levels depending on the authentication need. A common example is a user ID and password.

Security Patch Management is the process of updating software to reduce the risk of compromise to applications, systems, and computers as a result of system flaws. A patch, which is applied as an update to a system or software package, is code that is deployed into software to fix a bug or vulnerability. Because a patch responds to a flaw that has already been discovered, an individual patch is reactive; maintaining a patch management process, however, is a proactive risk management approach to system security, and it protects systems from compromise through malfunctioning software and other programs. Complicated medical devices designed to carry out complex health-related functions could be compromised as a result of improper patch application, so experienced IT professionals should always be consulted in the application of security patches.

Firewalls are the first line of defense against unwanted network intrusions. They enable a layered security approach and, to the extent possible, provide assurance that a system is protected from malicious actors. There are several different types of firewalls; the necessary level of protection will depend on the complexity and sensitivity of the system it protects. Firewalls manage the traffic entering and leaving a network by applying any of four different mechanisms to restrict traffic: packet filtering, circuit-level gateway, proxy server and application gateway. Packet filtering allows the firewall to inspect each packet's headers (source and destination addresses, ports, and protocol) against a set of rules, so that only traffic the rules permit enters your infrastructure; it does not examine or vouch for the content of the traffic it lets through, which is what the proxy and application gateway types add. Organizations can develop business rules to limit what is allowed in or out. Firewalls are best utilized either at the perimeter of the network or between the network infrastructure and the Internet.

Encryption ensures that electronic information can be read only by a specific authorized user or device holding the key, and it helps maintain the reliability of that information while it is stored or transmitted. Encryption by itself protects confidentiality; detecting tampering requires an additional mechanism such as a message authentication code or digital signature (the "secure hash and signatures" mitigation listed in Section 3.2). Encryption is commonly applied in three ways:
- Storage: this type of encryption can be applied to mobile devices, electronic media, laptops, desktops, servers where sensitive data is stored, and USB drives.
- File: it is possible to protect sensitive information by encrypting files and then transferring the encrypted file by posting to web sites or FTP servers, as e-mail attachments, or on transfer media such as CD-ROM, DVD-ROM, or USB flash ("thumb drive") devices. When using this method, it is not necessary to use encrypted e-mail because the file remains encrypted whether or not it is attached to the e-mail.
- Data Transmission: this type of encryption protects sensitive data as it passes over the public Internet or over private intranets and local area networks.

Policy and Procedures define the organization's requirements for managing safety, system effectiveness, and security. To ensure that processes and actions actually reduce the overall risk to organizational assets and networks, implement industry-accepted best practices and protocols within the organization.

Again, while this list cannot be considered exhaustive, each and every one of these measures is highly recommended for even the most basic user, system, or network. Employing none of the above measures would be considered high-risk behavior. Without any of these measures in place, a system or network is sure to be at the highest level of risk and cannot be considered secure. The varied measures are necessary to compensate for the threats and vulnerabilities that apply to the multiple types of cyber infrastructure in the healthcare sector. Those threats and vulnerabilities are discussed in greater detail in the following section.

5 National Security Presidential Directive 54/Homeland Security Presidential Directive 23 (NSPD-54/HSPD-23) defines cyberspace as "the interdependent network of information technology infrastructures, and includes the Internet, telecommunications networks, computer systems, and embedded processors and controllers in critical industries." Common usage of the term also refers to the virtual environment of information and interactions between people.

3.0 Cyber Vulnerabilities and Threats

In July of 2009 the FBI arrested a 25-year-old contract security guard at a hospital in Dallas, Texas, for hacking the hospital's computers and air conditioning system. According to court documents, hospital officials had experienced problems with their heating, ventilation and air-conditioning (HVAC) units and were perplexed why none of the system alarms had gone off as programmed.6 The hacker had posted videos showing him installing malware on hospital computers that made them part of a botnet he operated remotely. The images showed the HVAC control window for the hospital's surgery unit where an alarm setting was turned to "inactive." For many businesses, an attack on ventilation systems might be an inconvenience, but the threat could be much more serious for critical care patients in healthcare facilities. The hacker's intrusion into hospital systems was allegedly made in preparation for a larger denial of service attack on July 4th.7

Technological and security system advancements have led to more advanced and adaptive cyber attacks. Those adaptations include measures to bypass current technological countermeasures or to take advantage of the human element of cybersecurity, such as using social engineering techniques and timing incidents to occur when IT professionals are already distracted, such as during natural hazards and other events.8 The risk also includes a rising number of zero-day vulnerabilities (flaws in software code discovered before a fix or patch is available) combined with a steady increase in the number of individuals capable of exploiting the vulnerabilities and the near-static average time for developing security patches.9

It is important to note that the information presented in this section is not intended to be a comprehensive depiction of all of the risks posed to your particular system; an individual risk assessment would be necessary to gain that level of insight. All readers are encouraged to put their systems through a rigorous risk assessment to determine an individual facility, network, or system's risk.

6 Helmer, Gabriel M., Security, Privacy and the Law, "Incident of the Week: FBI Arrests Hacker Posing as Security Guard Who Infiltrated Texas Hospital Days Before 'Devil's Day' Attack," July 2, 2009, available rated-texas-hospital-days-before-devils-day-attack, accessed March 8, 2010.
7 Goodin, Dan, The Register, "Feds: Hospital hacker's 'massive' DDoS averted: Arrest foils 'Devil's Day' scheme," July 1, 2009, available at http://www.theregister.co.uk/2009/07/01/hospital_hacker_arrested, accessed March 8, 2010.
8 The SysAdmin, Audit, Network, Security (SANS) Institute, The Top Cyber Security Risks, September 2009, available mary.php, accessed June 27, 2010.
9 According to the SANS Institute, "zero-day exploits in client-side applications [are] one of the most significant threats to your network, and require that you put in place additional information security measures and controls to complement your vulnerability assessment and remediation activities." The Institute's Web site includes more than 25 vulnerabilities of medium or high severity that were identified one year ago or more, yet still do not have a fix or patch in place.

3.1 Common Cyber Threats

When hacking first became a problem in the 1980s and early 1990s, attackers had to be both skilled with, and knowledgeable about, the systems they went after. It was often the case that the required skill of the hacker had to be substantial even to develop rudimentary attacks. Defenses were simple, and the software that hackers used for their attacks was not very sophisticated. Since the mid-1990s, the cyber "arms race" has drastically changed the complexity of attacks. Networks now face some of the most complex code ever written. On top of that, attackers no longer have to be highly skilled because many of the best tools have been packaged into simple plug-and-play programs.10

The Department of Homeland Security's Critical Infrastructure Protection Cyber Security (CIP CS) Program collaborates with critical infrastructure sectors to assist industry stakeholders in securing their cyber systems. Throughout sector-specific and cross-sector collaborations, CIP CS has identified specific cyber threats that affect certain sectors, or have the potential to affect sectors in the future. The table below identifies some of the major cyber threats facing the HPH Sector, giving for each a description11 and an example. Keep in mind that the following threats are neither restrictive nor comprehensive.

Threat: Insider Threat
Description: Employees or trusted third parties who intentionally or unintentionally damage/destroy a system and/or steal data.
Example: An office cleaner at HealthSouth Ridgelake Hospital in Florida pled guilty in 2008 to fraud for ordering credit cards on the Internet with stolen patient personal information.12

Threat: Access Control Breaches (Physical Theft)
Description: Malicious actors manipulate or bypass access control systems or procedures to gain unauthorized physical access to information or restricted/private sections of a facility.
Example: In April 2011, a laptop belonging to the Oklahoma State Department of Health was stolen from an employee's car. The laptop contained a database with hospital medical records of 35,000 children, and more than 133,000 patients were notified of the breach.13

Threat: Malware
Description: Malware is employed to exploit sector cyber systems to destroy/disable systems and/or steal data.
Example: University Health Services of the University of Massachusetts-Amherst had to notify patients in March 2011 of a potential breach of their health information. A UMass workstation was inadvertently infected with a malware program in June 2010 and was not corrected until October 2010.14

Threat: Network Breaches
Description: Outside actors gain unauthorized access and manipulate legitimate programs or install malicious ones to execute a variety of functions.
Example: A former security guard at a Dallas hospital pled guilty in May 2010 to two counts of transmitting malicious code for hacking into his employer's computers while working the night shift; the compromised machines were part of a modest botnet intended to rival other hacker gangs.15

10 Anderson, Robert, Cyber Threats to Special Nuclear Material (SNM) Sites, PowerPoint presentation, Idaho National Laboratory, presented October 14-15, 2010.
11 For further information on cyber threats, please refer to the US-CERT Cyber Threat Descriptions at http://www.us-cert.gov/control_systems/csthreats.html and the F-Secure Threat Types at http://www.f-secure.com/en n/threat-types.html.
12 Messmer, Ellen, PCWorld, "Are healthcare organizations under cyberattack?", February 2007, available at http://www.pcworld.com/article/142926/are_healthcare_organizations_under_cyberattack.html, accessed June 27, 2010.
13 Anderson, Howard, Healthcare Info Security, "Laptop stolen from car leads to breach," April 2011, available hp?art id 3541, accessed April 30, 2011.
14 Oh, Jamie, Becker's Hospital Review, "UMass Amherst data breach affects 942 patients," March 10, 2011, available at http://www.beckershospitalreview.com, accessed May 18, 2011.
15 Reeder, Kara, IT Business Edge, "Security guard enters guilty plea after hacking employer's computers," March 17, 2010, available at ngemployers-computers/?cs 41199, accessed June 27, 2010.

3.2 Common Cyber Vulnerabilities & Consequences

There are numerous vulnerabilities in the cyber domain. These vulnerabilities span from the extremely basic to the extremely technical. The table below shows common cyber vulnerabilities and their associated impacts. For each security risk it lists the threats that can realize it, the vulnerabilities those threats exploit, the resulting consequences, and the mitigations.

Security Risk: Availability Loss
Threats: Botnets; Cross-Site Scripting; Distributed Denial of Service (DDoS); Insider; Natural disaster; Power failure; Terrorism; SQL Injection
Vulnerabilities: Lack of antivirus protection; Lack of intrusion protection/prevention; Lack of redundancy and recoverability; Patch management
Consequences: Loss of HPH services; Patient errors; Unnecessary duplication of tests, etc.; Financial losses; Loss of brand/reputation; Loss of life; Blackmail; Civil suits; Financial insolvency
Mitigations: Intrusion prevention/detection; Anti-virus software; Redundant/failover systems; Warm backup sites

Security Risk: Confidentiality Loss
Threats: Botnets; Hacking; Insider; Malware; Phishing; SQL Injection
Vulnerabilities: Inadequate patch management; Inadequate configuration management; Inadequate password management
Consequences: Data loss; Data theft; Financial theft; Fraud; Identity theft; Loss of brand; Loss of life; Loss of services; Recovery service fees; Forensic service fees
Mitigations: Multi-factor authentication; Data encryption; Auditing; Least privilege; Background investigations; Hardware lock down; Break-glass mode

Security Risk: Integrity Loss
Threats: Botnets; Buffer Overflows; Cross-Site Scripting; Hacking; Insider; Malware
Vulnerabilities: Inadequate patch management; Inadequate configuration management; Inadequate password management; Lack of anti-virus software; Software vulnerabilities
Consequences: Data destruction; Data corruption; Inability to use patient data; Patient errors; Repudiation; Loss of brand reputation; Civil suits; Financial insolvency
Mitigations: Multi-factor authentication; Identity management; Data transport (transport layer) encryption; Data at rest encryption; Secure hash and signatures; Auditing across domains

Security Risk: Privacy Loss
Threats: Accidental disclosure; Hacking; Inappropriate authorization based on patient preference; Insider
Vulnerabilities: Configuration management; Hosting PII and personal productivity tools (email, IM) on the same system; Open USB ports; Open DVD/CD R/W drives; Patch management; Workstation configuration
Consequences: Identity theft (monetary loss, psychological, social); Leakage of personally identifying information; Fraud (medical and financial); Civil suits; Financial insolvency; Loss of brand
Mitigations: Auditing; Background investigations; Data encryption; Hardware lock down; Least privilege; Multi-factor authentication; PII detection tools

4.0 Managing Risk

There are a number of measures that an organization can implement to successfully manage risks. As briefly discussed in Chapter 2, commonly recognized security practices include, but are not limited to:
- Identification and Authentication;
- Security Patch Management;
- Firewalls;
- Encryption; and
- Standardized Policies and Procedures.

This section further details these security practices, highlights any relevant regulatory requirements, and maps each security practice to the kinds of risks it is designed to impact. Again, the information presented here is not intended to be a comprehensive depiction of all of the risk management techniques needed to secure every individual system; for that purpose individual risk assessments are recommended.

Identification and Authentication

Identification and authentication techniques provide owners and operators with a mechanism to identify system users as well as confirm that information is from a trusted source. These techniques help distinguish between those who are approved to access your system and those who may or may not have malicious intentions. Identification and authentication can help prevent intrusion into your cyber systems, loss of private information, and loss of availability of services.

Robust identification and authentication techniques are especially important in healthcare and public health. In many fields, practitioners collect sensitive data from a variety of sources, including patients, vendors, laboratory networks and so on. In order to protect that data a solid security policy should be in place requiring those with access to authenticate their identities. Figure A details the varying types of authentication techniques that may be employed.

Figure A: Authentication Types
- Low Security – Single-factor authentication: Users create an ID and password.
- Medium Security – Two-factor authentication: Presentation of two types of evidence, such as a password with a secure-ID token.
- High Security – Multifactor authentication: Presentation of at least three types of evidence, such as a smartcard with a password and biometric evidence (such as fingerprints).
- High security for application and system transactions such as a file transport: two-way SSL (mutual certificate authentication).

HPH stakeholders should always be aware of the impact the human threat element may have upon these security practices. For example, a Palmetto, Florida woman hacked into the Suncoast Community Health Centers causing $17,000 worth of damage.16 The woman, a former employee, hacked into the computer system and "deleted and moved files, changed administrative account names and passwords, removed access to infrastructure systems, changed pay and accrued leave rates on the employee payroll system and compromised the firewall used to protect the health centers' computer network." Be aware of disgruntled employees, both past and present: keep your systems updated, and revoke or change credentials promptly when staff leave. Require password changes and change access codes frequently. This will make it harder for individuals to bypass your security methods.

Relevant Regulation: Health Insurance Portability and Accountability Act, Security Rule; Federal Information Security Management Act; The Office of Management and Budget (OMB) M-04-04,

16 The Bradenton Herald, "Florida woman sentenced for hacking computer system," December 2010, available at http://securityinfowatch.com/nod/1318798, accessed May 24, 2011.
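The two lower tiers of Figure A (an ID with a password, and a password plus a token) can be checked in a few dozen lines. What follows is an added example, not code from the primer or from any HPH organization: it stores passwords as salted PBKDF2 hashes, treats the token as an RFC 6238 time-based one-time password (TOTP), which is an assumed stand-in for the secure-ID token named in Figure A, and refuses the login when the second factor is missing or wrong. The user directory, the user name and the password are constructed for the example; the TOTP seed is the RFC 6238 test-vector secret so the codes can be checked against the RFC.

```python
import hashlib
import hmac
import secrets
import struct
import time
from typing import Dict, Optional

# PBKDF2-HMAC-SHA256 work factor; raise it as hardware gets faster.
PBKDF2_ROUNDS = 600_000
TOTP_STEP_SECONDS = 30
TOTP_DIGITS = 6


def enroll_user(password: str, totp_secret: Optional[bytes] = None) -> Dict[str, bytes]:
    """Create a credential record: random salt, PBKDF2 hash of the password, TOTP seed.

    The clear-text password is never stored. The TOTP seed is what gets provisioned
    to the user's token or authenticator app (assumed second factor).
    """
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return {
        "salt": salt,
        "hash": digest,
        "totp_secret": totp_secret if totp_secret is not None else secrets.token_bytes(20),
    }


def verify_password(record: Dict[str, bytes], password: str) -> bool:
    """Factor 1, something the user knows. Constant-time comparison of the hashes."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), record["salt"], PBKDF2_ROUNDS
    )
    return hmac.compare_digest(candidate, record["hash"])


def totp(secret: bytes, at: int, step: int = TOTP_STEP_SECONDS, digits: int = TOTP_DIGITS) -> str:
    """RFC 6238 TOTP: HOTP (RFC 4226, HMAC-SHA1, dynamic truncation) over the time-step counter."""
    counter = struct.pack(">Q", at // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"


def verify_totp(secret: bytes, code: str, at: int, window: int = 1) -> bool:
    """Factor 2, something the user has. Accept the current step and +/- `window`
    neighbouring steps to absorb clock drift between the token and the server."""
    return any(
        hmac.compare_digest(totp(secret, at + i * TOTP_STEP_SECONDS), code)
        for i in range(-window, window + 1)
    )


def authenticate(
    users: Dict[str, Dict[str, bytes]],
    user_id: str,
    password: str,
    code: Optional[str],
    at: int,
    require_second_factor: bool = True,
) -> bool:
    """Return True only if every required factor checks out.

    require_second_factor=False is Figure A's low-security tier (ID and password);
    the default is the medium tier (password plus one-time code).
    """
    record = users.get(user_id)
    if record is None:
        # Spend the same hashing cost for unknown IDs so response time does not
        # reveal which user IDs exist.
        hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), b"\x00" * 16, PBKDF2_ROUNDS)
        return False
    if not verify_password(record, password):
        return False
    if not require_second_factor:
        return True
    return code is not None and verify_totp(record["totp_secret"], code, at)


# Constructed example directory: hypothetical user, not real credentials.
# The TOTP seed is the RFC 6238 test-vector secret so the codes are checkable.
USERS = {
    "nurse.rivera": enroll_user("correct horse battery staple", b"12345678901234567890"),
}

if __name__ == "__main__":
    now = int(time.time())
    current_code = totp(USERS["nurse.rivera"]["totp_secret"], now)
    pw = "correct horse battery staple"
    print("password only, single-factor policy:", authenticate(USERS, "nurse.rivera", pw, None, now, False))
    print("password only, two-factor policy:   ", authenticate(USERS, "nurse.rivera", pw, None, now))
    print("password + current code:            ", authenticate(USERS, "nurse.rivera", pw, current_code, now))
    print("password + wrong code:              ", authenticate(USERS, "nurse.rivera", pw, "000000", now))
```

Two details matter beyond the happy path: every comparison of secrets goes through hmac.compare_digest so an attacker cannot learn the correct value byte by byte from timing, and an unknown user ID still pays the PBKDF2 cost so the login endpoint does not confirm which IDs exist. Widening the TOTP window or skipping the hash for unknown users are the two shortcuts that quietly weaken this check in practice.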
