HITECH Act - Security Testing towards HITECH Compliance
Why is HITECH accelerating security programs in the healthcare industry?
- It applies not only to all HIPAA regulated entities but also their business associates
- Breaches of any “unsecured protected health information” must be notified to the affected individuals, the HHS Secretary and the media
- Business Associates need to notify the covered entity
- The costs of notifying affected individuals by mail and email are very high, as are the costs of maintaining a toll-free number and staff to address their concerns
- State Attorneys General can bring a civil action on behalf of the affected residents of the state in a US district court
What data counts as Protected Health Information (PHI)?
Protected Health Information is a combination of the following identifiers that constitute information about health status, provision of health care, or payment for health care that can be linked to a specific individual.
- Names
- Postal address information, other than town or city, state, and zip code
- Phone numbers
- Fax numbers
- Electronic mail addresses
- Social Security Numbers
- Medical record numbers
- Health plan beneficiary numbers
- Account numbers
- Certificate/license numbers
- Vehicle identifiers and serial numbers, including license plate numbers
- Device identifiers and serial numbers
- Web Uniform Resource Locators (URLs)
- Internet Protocol (IP) address numbers
- Biometric identifiers, including finger, retinal and voice prints
- Full face photographic images and any comparable images
- Dates directly related to an individual, including birth date, admission date, discharge date, date of death
How should PHI be secured as per HIPAA and HITECH?
- By encryption or destruction.
- The HITECH rule states that, although HIPAA does not mandate encryption, covered entities and business associates need to employ the encryption technologies recommended by NIST if they are to avoid breach notification.
- If unprotected PHI is breached, notification is required.
What is the role of security testing in complying with the HITECH Act?
- Enterprise-wide PHI data analysis: assess where in your organization electronic PHI is in transit or at rest in an unencrypted (unsecured) form.
- Verify that the encryption mechanisms in force follow the recommended NIST standards.
- Discover holes in internal and web applications that may expose PHI to unauthorized users, through penetration tests and code reviews.
- Verify the strength of the network access controls in force through internal and external network penetration tests.
- Conduct periodic testing programs to achieve long-term, sustainable compliance with HIPAA and HITECH requirements.
How to test applications to identify “unsecured PHI”?
As mentioned above, PHI is a combination of many pieces of information relating to a person. Applications, and the databases they communicate with, contain a wealth of such information.
To test applications for “unsecured PHI”, the following test cases can be performed:
- SQL Injection
- Cross-Site Scripting
- Parameter Manipulation
- Sensitive content in browser cache
- SSL-enabled application
- Password Stealing
- Session Hijacking
These test cases cover the most likely attack vectors that an attacker might use to obtain unauthorized access to PHI.
How to test networks to identify “unsecured PHI”?
To test networks for “unsecured PHI”, the following test cases can be performed:
- Unrestricted remote shares
- Default users/passwords
- Remotely exploitable vulnerabilities
- Anonymous FTP access
- Insecure services
- Insecure mail relay
How to conduct an enterprise-wide PHI data discovery and analysis?
PHI can reside anywhere within an enterprise, including database tables, application servers, browser memory, etc. An enterprise-wide data discovery has to look for PHI at its entry points and during transmission, storage, retrieval, distribution and destruction. The analysis should result in a flow diagram that traces PHI from entry to destruction. Each entity in this flow diagram needs to be reviewed to ensure that appropriate protective measures have been implemented.
Some of the protective measures include establishing security awareness among data entry operators, hardening of workstations, servers & databases, securing applications, enabling logging, implementing strong access controls, authorizing distribution and using safe destruction techniques.
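One way to start such a discovery, as an added example that is not code from the original page: a small scanner that looks for the identifier classes listed earlier in plaintext data stores and flags a store only when several classes co-occur. The data stores, the regexes and the MRN number format are constructed assumptions for this illustration.

```python
import re

# Regex patterns for a subset of the PHI identifier classes listed above.
# Constructed for this example; a real discovery program would extend them
# with the organisation's own formats (the MRN layout here is hypothetical).
PHI_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "phone": re.compile(r"\b\d{3}-\d{3}-\d{4}\b"),
    "mrn": re.compile(r"\bMRN-\d{6,8}\b"),
    "date": re.compile(r"\b(?:19|20)\d{2}-\d{2}-\d{2}\b"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
}

def find_phi(text):
    """Return {identifier_class: match_count} for each class found in text."""
    hits = {}
    for name, pattern in PHI_PATTERNS.items():
        count = len(pattern.findall(text))
        if count:
            hits[name] = count
    return hits

def is_unsecured_phi(hits, min_classes=2):
    """PHI is a combination of identifiers linked to one person, so flag a
    store only when two or more identifier classes co-occur in plaintext."""
    return len(hits) >= min_classes

def scan_stores(stores):
    """stores maps a location (file, table, log) to its plaintext contents.
    Returns the locations holding unsecured PHI and the classes that fired."""
    report = {}
    for location, content in stores.items():
        hits = find_phi(content)
        if is_unsecured_phi(hits):
            report[location] = hits
    return report

# Constructed sample data stores; no real PHI.
SAMPLE_STORES = {
    "db_export/patients.csv": (
        "name,mrn,ssn,dob,phone,email\n"
        "A. Patient,MRN-0012345,123-45-6789,1970-01-02,555-123-4567,a.patient@example.org\n"
    ),
    # Encrypted backup: the ciphertext shows no identifiers, so it is not flagged.
    "backup/patients.enc": "U2FsdGVkX1+7yq0z9bW8hK3mPq4Lx2VnQ9eF0sT1uJw=\n",
    # Server log: an IP address alone is one class, below the threshold.
    "app_server/access.log": '203.0.113.7 - - "GET /status HTTP/1.1" 200\n',
}
```

The scan only says where plaintext identifiers sit; whether each location is a permitted store still has to be checked against the data flow diagram.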
How does SIEM (Security Incident & Event Management) play a role in discovering and avoiding breaches?
A SIEM system monitors network traffic for attack patterns and raises alerts whenever there is an attempted breach of the network. This ensures that attacks are detected in real time and appropriate protective measures can be put in place to avoid potential breaches. In the case of a successful breach, the SIEM system can be used to identify the incident and the events that led to it. It also provides indicators of what information was likely compromised. The SIEM system can also be used to identify the root cause of the breach, which helps in determining the steps to implement the fix and the procedure to follow for breach notification.
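As an added example (not code from the page or from any SIEM product), the kind of correlation rule the paragraph describes: web-server access-log lines are matched against SQL injection signatures, hits are grouped by source IP, and an alert escalates when several hits from one source fall within a short window. The log format, signatures, thresholds and sample lines are all constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import unquote_plus

# Attack-pattern signatures of the kind a SIEM correlation rule carries.
# Constructed for this example; production rule sets are far larger.
SIGNATURES = {
    "sqli_tautology": re.compile(r"'\s*or\s+'?\d+'?\s*=\s*'?\d+", re.I),
    "sqli_union": re.compile(r"\bunion\b.+\bselect\b", re.I),
    "sqli_cmdshell": re.compile(r"\bxp_cmdshell\b", re.I),
}
# Common log format: ip ident user [timestamp] "method path protocol" status
LOG_LINE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<path>\S+) [^"]*" \d{3}')

def parse_line(line):
    """Parse one access-log line; URL-decode the path so signatures see plaintext."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S")
    return {"ip": m["ip"], "ts": ts, "path": unquote_plus(m["path"])}

def correlate(lines, threshold=3, window=timedelta(minutes=5)):
    """Per source IP: hit count, matched signatures, and an 'escalate' flag
    once `threshold` signature hits from that IP fall inside `window`."""
    events = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        sigs = [n for n, p in SIGNATURES.items() if rec and p.search(rec["path"])]
        if sigs:
            events[rec["ip"]].append((rec["ts"], sigs))
    alerts = {}
    for ip, evs in events.items():
        evs.sort(key=lambda e: e[0])
        escalate = any(evs[i + threshold - 1][0] - evs[i][0] <= window
                       for i in range(len(evs) - threshold + 1))
        alerts[ip] = {"hits": len(evs), "escalate": escalate,
                      "signatures": sorted({s for _, sigs in evs for s in sigs})}
    return alerts

# Constructed sample log lines (not from any real system).
SAMPLE_LOG = [
    '198.51.100.9 - - [01/Jul/2010:10:00:01] "GET /search?q=flu HTTP/1.1" 200',
    '198.51.100.9 - - [01/Jul/2010:10:00:05] "GET /search?q=a%27+OR+1%3D1 HTTP/1.1" 200',
    '198.51.100.9 - - [01/Jul/2010:10:01:10] "GET /search?q=a%27+UNION+SELECT+1 HTTP/1.1" 500',
    '198.51.100.9 - - [01/Jul/2010:10:02:30] "GET /search?q=xp_cmdshell HTTP/1.1" 500',
    '203.0.113.4 - - [01/Jul/2010:11:00:00] "GET /search?q=%27+OR+1%3D1 HTTP/1.1" 200',
]
```

The retained per-source event list is what later answers the "which events led to the breach" question the paragraph raises; a single hit from the second source is alerted but not escalated.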
Penetration Testing versus Vulnerability Scanning
Penetration Testing
Penetration testing usually refers to testing by an ethical hacker who tries to break into a target network with limited information about it. It is also called a network (layer) penetration test or a black box test. It requires the bare minimum of information about the targets, usually just the IP addresses of the systems to be tested. The testing is performed using a penetration testing toolkit that comprises well over 25 custom, commercial and open source tools. Although the testing leverages tools, it involves a well-trained and experienced security tester to a very high degree. The results of a penetration test are usually free of false positives, and on request the tester will also conduct exploits and chained exploits on the target systems. Variations include conducting the penetration test on internal networks, between interconnected LANs and VLANs, on wireless networks, and through social engineering techniques. Penetration testing plays an important role in securing enterprises by verifying the efficacy of existing security programs and mimicking real-world network and application layer attacks against your systems.
Vulnerability Scanning
Vulnerability scanning usually refers to running an automated vulnerability scanner against a block of IP addresses. The manual component is limited to coordinating and scheduling the scanner and delivering the automated report. The reports are very detailed and long, but are not free of false positives; the extent of false positives depends on the accuracy of the selected vulnerability scanner. The scanning process is very quick and can generally be conducted at a fairly low cost. The scanners are sold as perpetual licenses and on subscription in a software-as-a-service model. Vulnerability scanners play an important role in securing organizations as a key component of vulnerability management programs.
| | Penetration Testing | Vulnerability Scanning |
|---|---|---|
| Goal | Use penetration testing to verify whether networks are secure, see what a hacker sees, and discover unknown security flaws. Do quarterly, or at least annually. | Implement vulnerability scanning as part of an overall vulnerability management program. Do monthly, or at least quarterly. |
| Tool Types Used | Automated scanners, proprietary tools, exploit tools | Automated vulnerability scanner |
| Manual Component | Extensive | Negligible |
| False Positives | Removed | Present |
| Exploitation | Yes, on request | No |
| Chained Exploits | Yes, on request | No |
| Duration | Days to weeks | Hours to days |
| Cost | $1000-$2500 per day | $10-$30 per IP |
| Flexibility to Client Needs | High | Low |
| Recommended by Regulators | Yes | Yes |
Working at Paladion
Working at Paladion has always been a pleasure for all of us. The varied learning we get here, across domains, is amazing. I’d like to share with you a few such experiences I was part of.
The client was a big organization in India, and various teams of Paladion worked here in tandem to meet our client’s expectations. I belong to a team called Sectest. My team is responsible here for conducting source code reviews, application security tests, network penetration tests, host configuration assessments and secure network architecture reviews.
Another team in Paladion is Consulting, responsible for process audits, ensuring compliance with various standards, and creating customized policies and guidelines for various clients, among other things.
Another important team working here is our Managed Risk Services (MRS) team; they are responsible for monitoring the client network for security risks. Apart from helping the client manage security devices like firewalls and IDS, they also monitor security events in real time through a remote SOC (Security Operations Center) located in Bangalore. This team operates round the clock to ensure that our clients are always ready to face the latest threats.
For the client, these are not three different teams; they all belong to one team called Paladion. The work coordination between these teams is an example to others. I’d like to quote a few such examples:
- Suspected hacking activities via SQL injection. A team comprising people from various Paladion teams coordinated to arrive at the root cause. Sectest did the detailed technical analysis of the attack, and MRS performed log correlation using the logs and other relevant data available to them. The Consulting team researched the history of such attacks and the steps for future prevention. After sitting together, the entire team concluded that a malicious intruder had invoked xp_cmdshell, installed netcat via a SQL injection vulnerability on a public form, and escalated privileges.
- A backdoor/Trojan alert on a critical server in the client DMZ raised the alarm for team Paladion. The team worked together in unison, did a thorough log analysis, cleaned the backdoor, found that no damage had been done to the server, and finally provided valuable suggestions to ensure such incidents did not recur in the future.
- Mock drill: one member from each internal team was allotted to this activity. Sectest and Consulting team members jointly set up the pre-test environment, hardening and patching a vulnerable VMware image installed in the client network. The MRS team continuously monitored all the attacks targeted at the VMware image and notified the other teams of anything that might have been missed. They did the incident response together; their combined efforts were greatly appreciated by the client.
- Numerous other medium and small activities where they coordinate. Any small project here requires the involvement of at least two internal teams.
The amazing coordination seen here is what makes every project unique for all of us. On one hand, Paladion as a company can be proud of this; on the other, employees of a particular team are also happy, as they get to learn things beyond their normal team activities. A Sectest team member gets to do log analysis, incident handling and malware analysis, and an MRS team member learns how to perform an application security test and a network pentest.
The fact that there is always exciting work at Paladion and that there is always 100% co-operation between teams is the best part about working here; I for one love working here :)
Network Mapping Tool
We continuously do a lot of internal network penetration tests for our clients. Many a time we’re given permission to put a machine into their network and test the attack surface from that machine. During these times it’s extremely helpful to understand the other valid network ranges that are present. With a combination of many open source tools it’s definitely possible to do the same. However, doing so and correlating the output of all of those tools is at times time consuming.
So we thought of writing a small tool to automate the same. Since there’s nothing proprietary in what we used, we thought it’d be a good idea to get feedback from the open source community about how we can improve it. With that in mind we’ve hosted the tool on SourceForge.
Do try it out and let us know how we can improve. All types of feedback are most welcome.