introduction to cybersecurity & information assurance for fqhcs april 13, 2011 amelia muccio...

Introduction to Cybersecurity & Information Assurance for FQHCs

April 13, 2011

Amelia MuccioDirector of Emergency Management

amuccio@njpca.org

Objectives

• Cybersecurity • Information assurance• FQHCs as target• Cyber threats/risks• Vulnerabilities • Countermeasures• Safeguarding • Promoting a culture of

security

.

Serious Threat

• Richard Clarke was famously heard to say, "If you spend more on coffee than on IT security, then you will be hacked. What's more, you deserve to be hacked.”

• The growing number of attacks on our cyber networks has become, in President Obama’s words, “one of the most serious economic and national security threats our nation faces.”

Who & What is At Risk?

• Economy• Defense• Transportation• Medical• Government• Telecommunications• Energy Sector• Critical Infrastructure• Computers/Cable

TV/Phones/MP3/Games

.

Fundamental Concepts of Information Assurance

• Confidentiality (privacy)• Integrity (quality, accuracy, relevance)• Availability (accessibility) • CIA triad

Internet

• In 1995, 16 million users (0.4%)• In 2010, 1.6 billion users (23.5%)• Unable to treat physical and cyber security

separately, they are intertwined.

How Does an Attack Happen?

• Identify the target• Gather information• Plan/Prepare the attack• Attack

Information Gathering

. .

Attack Trends

• Increasing sophistication• Decreasing costs• Increasing attack frequency • Difficulties in patching systems• Increasing network connections,

dependencies, and trust relationships

What Threatens Information?

• Misuse• Disasters• Data interception • Computer theft• Identify/Password theft• Malicious software• Data theft/corruption• Vandalism • Human error

Threats

• A threat is any potential danger to information and systems

• 3 levels of cyber threats • Unstructured• Structured• Highly structured

Unstructured Threats

• Individual/small group with little or no organization or funding

• Easily detectable information gathering • Exploitations based upon documented

flaws• Targets of opportunity • Gain control of machines• Motivated by bragging rights, thrills, access

to resources

Structured Threats

• Well organized, planned and funded• Specific targets and extensive information

gathering to choose avenue and means of attack

• Goal-data stored on machines or machines themselves

• Exploitation may rely on insider help of unknown flaw

• Target drives attack• Organized crime/black hat hackers

Highly Structured Threats

• Extensive organization, funding and planning over an extended time, with goal of having an effect beyond the data or machine being attacked

• Stealthy information gathering • Multiple attacks exploiting unknown flaws

or insider help• Coordinated efforts from multiple groups• “Cyber warfare”

Web as Weapon

• Infrastructure run by computers• Government SCADA system• Overflow dam, disrupt oil supply• Sewage plant in Australia overflowed due to

black hat hackers• Cyberterrorism (Bin Laden and Aum Shinrikyo)• Combined attack • Cause power outage and biological attack• EMS disruption and nuclear emergency • Next war fought with code & computers

Hackers and Crackers

• White hat hacker-curious, explore our own vulnerabilities, bragging rights/just did it.

• Black hat hacker/cracker-malicious intent, exploit vulnerabilities for monetary profit or gain or perpetrate a crime, organized crime.

• Gray hat hacker-helpful or ethical hacker, motivated by a sense of good. Cowboys.

• GHHs find vulnerabilities, notify company of them so they can be fixed and resolved.

Gray Hats

• Adrian Lamo• Find vulnerabilities, inform company• WorldCom, Google, NYTimes, Bank of America,

NASA• NYTimes used SSN # as passwords• Edited Yahoo Story• Robert Lyttle • DoD, Pentagon • Both got into trouble!

Early Days…Phone Phreaking

• 2600 Hz Tone• Captain Crunch Whistle & 4th E above Middle C• Long whistle reset line, then dial w/whistle• Tricked phone companies/tone dialing• Free long distance and international calls

Risk

• Threat + Vulnerability • Likelihood of an undesirable event

occurring combined with the magnitude of its impact?

• Natural• Manmade• Accidental or Intentional • People are the weakest link

Risk Management

• Identifying and assessing risk, reducing it to an acceptable level and implementing mechanisms to maintain that level

• Protect against:• Physical damage• Human error• Hardware failure• Program error• Cyber attack

Risk Handling Discussion

• Risk reduction (countermeasures, HVA)• Risk transference (insurance)• Risk acceptance (may happen)• Risk rejection (do nothing)• Security assessments are an important part

of risk management• Penetration testing• Identify all vulnerabilities and threats to

information, systems and networks

Contingency Planning Components

• How to handle disruption? • Business continuity• Disaster recovery• Incident response

Recovery Strategy

• A recovery strategy provides direction to restore IT operations quickly and effectively

• Backup methods• Alternate sites• Equipment replacement• Roles and responsibilities • Cost considerations

BCP

• A comprehensive written plan to maintain or resume business operations in the event of a disruption

• Continue critical business operations • Jeopardize normal operations• Most critical operations• May require alternate sites (hot, warm,

cold)• What do we need to KEEP going?

DRP

• A comprehensive written plan to return business operations to the pre-disruption state following a disruption

• Restore IT functions (prep and restore) • Jeopardize the normal operations• Includes all operations• RETURN TO NORMAL BUSINESS

OPERATIONS• WHAT DO WE NEED TO DO IN CASE

OF A DISASTER?

Plan Testing, Training and Exercising

• Testing is a critical to ensure a viable contingency capability

• Conduct plan exercises• TTXs are useful

Policies and Procedures

• Establish security culture• Establish best security practices• Define goals and structure of security

program• Educate personnel• Maintain compliance with any regulations • Ex: email policy, Internet usage, physical

security

Physical Security Countermeasures

• Property protection (door, locks, lightening) • Structural hardening (construction)• Physical access control (authorized users)• Intrusion detection (guards, monitoring)• Physical security procedures (escort visitors,

logs) • Contingency plans (generators, off site storage) • Physical security awareness training (training for

suspicious activities)

Personal Security

• Practices established to ensure the safety and security of personnel and other organizational assets

• It’s ALL about people• People are the weakest

link• Reduce vulnerability

to personnel based threats

.

Personal Security Threat Categories

• Insider threats-most common, difficult to recognize

• Includes sabotage and unauthorized disclosure of information

• Social engineering-multiple techniques are used to gain information from authorized employees and using that info in conjunction with an attack

• Not aware of the value of information

Social Engineering

• Being fooled into giving someone access when the person has no business having the information.

Dumpster Diving and Phishing

• DD-rummaging through company’s garbage for discarded documents

• Phishing-usually takes place through fraudulent emails requesting users to disclose personal or financial information

• Email appear to come from a legitimate organization (PayPal)

P & P

• Acceptable use policy-what actions users may perform while using computers

• Personnel controls-need to know, separation of duties

• Hiring and termination practices-background checks, orientation, exit interview, escorting procedure

Private Branch Exchange (PBX) Systems

• Toll fraud• Disclosure of information• Unauthorized access• Traffic analysis• Denial of Service (DoS)

PBX Threat Countermeasures

• Implement physical security• Inhibit maintenance of port access• Enable alarm/audit trails• Remove all default passwords• Review the configuration of your PBX

against known hacking techniques

Data Networks

• For computers to communicate• Less expensive to use same network• Modems designed to leverage this asset

Modem Threats

• Unauthorized and misconfigured modems• Authorized but misconfigured modems

Wardialing

• Hackers use a program that calls a range of telephone numbers until it connects to an unsecured modem and allows them dialup access

• Identify potential targets

Modem Threat Countermeasures

• Policy• Scanning• Administrative action• Passwords• Elimination of modem connections• Use a device to protect telephony-based

attacks and abuses

Voice Over Internet Protocol (VoIP)

• VoIP is a technology that allows someone to make voice calls using a broadband Internet connection instead of a regular (analog) phone line

VoIP Benefits and Threats

• Less expensive• Increased functionality• Flexibility and mobility• Service theft• Eavesdropping• Vishing• Call tampering

VoIP Threat Countermeasures

• Physical control• Authentication and encryption• Develop appropriate network architecture • Employ VoIP firewall and security devices

Data Networks

• Computers linked together• Hosts (computers, servers)• Switches and hubs• Routers

Common Network Terms

• Local Area Network (LAN)-network grouped in one geographic location

• Wide Area Network (WAN)-network that spreads over a larger geographic area

• Wireless LAN (WLAN)-is a LAN with wireless connections

Data Network Protocols

• Transmission Control Protocol (TCP)-moves data across networks with a connection oriented approach

• User Datagram Protocol (UDP)-moves info across networks with a connectionless oriented approach

• Internet Control Message Protocol (ICMP)-OS to send error messages across networks

• Hypertext Transfer Protocol (HTTP)-transfers web pages, hypermedia

Data Network Threats

• Information gathering • Denial of Service (DoS)• Disinformation• Man-in-the-middle• Session hijacking

Information Gathering Threats/Network Scanning

• What target is available?• Reduces time on wasted effort (attacker)• One of the most common pre-attack identification

techniques is called scanning• Scanning uses ICMP service “PING”• PING SWEEP-echo request to range of addresses

(provides list of potential targets)• Are you there? Yes, I am there.• Firewall should protect against

Sniffing

• A sniffer is a program that monitors and analyzes network traffic and is used legitimately or illegitimately to capture data transmitted on a network

Denial of Service (DoS)

• Degrade and prevent operations/functionality

• Distributed denial of service (DDoS) attack uses multiple attack machines simultaneously

• Vast number of ICMP echo request packets are sent to the target, overwhelming its capability to process all other traffic

Ping Flood/Ping of Death

• Ping flood-too much ping traffic drowns out all other communication

• Ping of Death-oversized or malformed ICMP packets cause target to reboot or crash

• Host cannot cope with ping packets• Ping of Death relies on a vulnerability of

buffer overflow• Buffer overflow-size of input exceeds the

size of storage intended to be received

Smurf Attack (Ping Flood)

• Large stream of spoofed Ping packets sent to a broadcast address

• Source address listed as the target’s IP address (spoofed)

• Broadcast host relays request to all hosts on network

• Hosts reply to victim with Ping responses• If multiple requests sent to broadcast host, target

gets overloaded with replies

DDOS with Zombies/Botnet

• Zombies-infected computers• Botnet-bunch of infected computers (same time)-

massive traffic• DDoS attack where a multitude of compromised

systems attack a single target• Flood of incoming messages to target system and

force a shut down• Google was target

Man-In-The-Middle Attacks

• Instead of shutting down target networks, attackers may want access

• Access information between authorizes parties and observes it

• Uses a sniffer and gains information• Digital wiretapping • Types of attacks• Eavesdropping• Session hijacking

Network Attack Countermeasures

• Countering the threats• Scans/Sniffing/Ping sweeps• DoS/DDoS• Smurf attack• Session hijacking• Eavesdropping

Ways to Recognize Scanning

• System log file analysis• Network traffic• Firewall and router logs • Intrusion Detection Systems (IDSs)

–NIDS “Snort” or HIDS “OSSEC”• Recognize as soon as possible• Perform regular monitoring

Defending Against Scanning-Use More than 1

• Block ports at routers and firewalls• Block ICMP, including echo• Segment your network properly• Hide private, internal IP addresses• Change default account settings and

remove or disable unnecessary services• Restrict permissions• Keep applications and operating systems

patched

Sniffing Countermeasures

• Strong physical security • Proper network segmentation• Communication encryption• To guard against sniffing, make sure

attacker cannot access a legitimate communication stream

DoS and DDoS Countermeasures

• Stop the attack before it happens • Block “marching orders”• Patch systems• Implement IDS• Harden TCP/IP• Avoid putting “all eggs in 1 basket”• Adjust state limits• Keep us from being targeted and lock down

assets

Snort (Network IDS)

• Snort’s open source network-based intrusion detection system has the ability to perform real-time traffic analysis and packet logging on Internet Protocol (IP) networks.

• Snort performs protocol analysis, content searching, and content matching.

• The program can also be used to detect probes or attacks, including, but not limited to, operating system fingerprinting attempts, common gateway interface, buffer overflows, server message block probes, and stealth port scans.

• FREE

Other Countermeasures

• Encrypted session negotiation (ensure handshake process)

• Repeating credential verification during the session (kick out hijackers)

• Partitions • User training (all personnel can understand

security)

Defense-In-Depth

• Defense-in-depth is an information assurance (IA) strategy in which multiple layers of defense are placed throughout an information technology (IT) system.

• It addresses security vulnerabilities in personnel, technology and operations for the duration of the system's life cycle.

Perimeter Defense Countermeasures

• Router security • Demilitarized Zone• Bastion host• Firewalls• Intrusion Detection Systems• Intrusion Prevention Systems• Virtual Private Network • (Defensive technologies)

Routers

• First line of perimeter defense• Connects external environment to internal

network• Securely configured• Audit regularly• Keep patched and updated

DMZ

• Machine or machines accessible by the Internet, but not located on the internal network or the Internet

• Web server• Email server• Should not contain much valuable data• IDS sensor to detect malicious traffic

Bastion Host “Harden/Locked Down”

• Highly exposed to attacks in DMZ • Web server• Email server• Locked down/hardened system• Unnecessary services disabled• No unnecessary applications• Fully patched• Unnecessary ports closed• Unnecessary accounts disabled

Firewalls

• Control connections from one network (or portion of network) to another (restrict Internet access)

• Enforce security policy• Hardware or software• Firewalls DO NOT monitor connections not

passing directly through it—not a magic bullet• Even perfectly configured is still vulnerable • Packet filtering• Proxies• Stateful inspection

Intrusion Detection System (IDS)

• Detects suspicious activity • Alerts upon discovery of possible compromise

attempts• Compromised of several components• Sensors• Analyzers• Administrator interfaces• IDS can search for attacks, terminate connections,

send real time alerts, protect system files, expose hacking techniques, illustrate vulnerabilities and even assist in tracking down hackers

Common Types of IDS

• Host based-mail server, web server or individual PC

• Network based-network itself,

Virtual Private Networks (VPN)

• A secure, private data connection through a non-secure public network

• Often through the Internet• Uses encryption and tunneling protocols

Wireless Technology

• Allows communication between multiple systems/devices without physical connection

• Much less expensive than wired solutions

• WLAN

.

Wireless Threats and Countermeasures

• Access point mapping• Service Set Identifier (SSID) broadcasting• Default SSID• Radio frequency management • Default settings• Authentication• Bluetooth security

Access Point Mapping

• WLAN version of wardialing

• An AP is a device connecting a wired network to wireless devices using radio frequency

• Software (net stumbler, air snort, void11)

• Warchalking (available access points)

.

Service Set Identifier (SSID) Broadcasting

• “Beaconing”-this is the continuous announcement by a Wi-Fi access point that it is available.

• SSID is name assigned to the wireless connection

• Default SSIDs poses a security risk even if the AP is not broadcasting b/c default names are widely known

Radio Frequency Management

• The signal should die out before it reaches the physical boundaries of the property

• This helps unauthorized users from driving by and intercepting confidential wireless signals

Default Settings

• Many access points arrive with no security mechanism in place

• Changing the default settings before deployment should be a matter of organizational practice

Authentication Issues

• Open system-SSID, subject to sniffing• Shared key-SSID plus WEP encrypted key

required, subject to man-in-the middle attacks

• Many wireless networks do not contain adequate authentication mechanisms

• Both Open and Shared are considered weak

Authentication Issues

• WEP standard proven insufficient

• Replaced with Wi-Fi Protected Access (WPA)

• WPA demonstrates its own weaknesses

• Replaced by WPA2 which is viewed as more secure

.

Bluetooth Security

• Popular short-range technology • Used for many personal electronic devices

including phones, music players, etc.

Threats• Bluejacking-sending unsolicited messages to

Bluetooth devices• Bluesnarfing-unauthorized access of information

from a wireless device through a Bluetooth connection

• Bluebugging-unauthorized control of Bluetooth assets

Operating System

• A program that acts as an intermediary between a computer user and the computer hardware

• “GUI” Graphical User Interface• Process management • Main memory management • File management• I/O system management • Secondary storage management • Network management • Protection system management • User interface management

Operating System Security

• Confidentiality: only let authorized entities access computer and information

• Integrity: only allow authorized changes to information

• Availability: manage resources to permit access to information and system at all required times

Authorization and Authentication

• WHO IS AUTHORIZED?• Authorized by policy of organization and

operational requirements• HOW DO WE KNOW?• Accounts (identification)• Known systems• Passwords• Secure communication channel

Access Control

• Verifying the identity of entities before granting access and restricting access

• Controls how users and systems communicate and interact with other systems and resources

• First line of defense • Authenticate before allowing access to

authorized resources • Policies, locks, passwords • Social media policies??

Auditing

• A trail to follow• Creation of logs• A log is a record of

events or activities that occur

• Detectable events• Collect and save in

secure information• Analyze results

.

Threats to OS

• The basic problem with OS and computers is that a system allows unauthorized users to compromise the system to gain unauthorized access to system resources

• Weak/Broken identification • Weak internal security structures• Programming errors in operating system

Once Identified, Authorize

• User accounts are the mechanism used to identify and authorize people

• Access control is based on identification• Most common authentication is a password• Password and account policies help

improve security

Implementing Policies

• The whole access control process is driven by policies and procedures

• One part of the implementation is policies is to implement a password policy that makes it less likely that an attacker can break into computer systems by compromising a password

Password Policy

• What makes a good password policy?

• New password• Reuse of old passwords• Length of validity• When can it be changed• Minimum length of

password• Complexity requirements• Should password be stored

.

Specific OS Attacks

• Dos: attack on availability, consume resources• Hack: exploit a vulnerability to gain unauthorized

access to the system• Backdoor: An access method that bypasses the

normal security of the system• Memory issues: Memory is not erased before

given to another program• Escalation of privileges: user exploits

vulnerability to gain unauthorized access• Default settings: most OS ship with simplest

configuration, security disabled

Securing Systems

• Perform system hardening• Find out what vulnerabilities are still

present• Fix them

Countermeasures: DoS

• Set network and host firewall filters for known bad traffic

• Apply OS patches for know vulnerabilities • Limit time and resources to processes• Monitor for threat activity on the network

and host using IDS• “Detect and block”

Countermeasures: Hack the System

• Use account and password policies • Change default accounts, settings,

passwords• Use restricted accounts for services • Apply OS patches for known

vulnerabilities • Turn off unnecessary services• Watch for social engineering

Countermeasures: Backdoor

• Backdoors are installed by the developer• Disable any unnecessary default accounts • Apply OS patches for known

vulnerabilities • Scan system periodically • Monitor system

Countermeasures: Memory Issues

• Memory management is an issues that has a severe impact on performance

• Apply OS patches for known vulnerabilities

• Turn on security features • Reclaim memory on process termination

Countermeasures: Escalation of Privileges

• Apply OS patches for known vulnerabilities

• Monitor system• Establish restricted accounts for services

(don’t run everything as administrator)

Countermeasures: Default Settings

• Disable unnecessary accounts and services • Apply OS patches for known

vulnerabilities • Follow lockdown procedures when

possible• Monitor the system

Common Application Security Threats

• Unauthorized access to applications: first line of defense is access control

• Cross-Site Scripting: browser allows code injection

• SQL injection: inserts independent queries into a database

• Buffer flow: input from a user exceeds the length or other characteristics of an expected input

• Arbitrary code execution: one of the common methods used by attackers to execute commands to take over or crash the targeted machine

Unauthorized Access Countermeasures

• Determines what object can access application• Can be implemented based on users, permissions,

and folder structures • UserID and password• Honeypot is a trap set to detect, deflect, or in

some manner counteract attempts at unauthorized use of information systems.

XSS Countermeasures

• Vulnerability in web applications • Web server owner should:• Keep web server updated• Scan for XSS vulnerabilities • Configure applications and servers properly• User should:• Keep web browser updated• Practice safe web surfing • Attend awareness training

SQL Injection Countermeasures

• Database vulnerability (credit card info/patient information)

• Input validation• Manual code review• Least privilege • When not required, disable privileges to stored

procedures, tables, etc.• Limit execution privileges to SELECT, UPDATE,

DELETE and user-stored procedures

Buffer Overflow Countermeasures

• Software vulnerability and programming (C and C++)

• Stack buffer overflow “Morris Worm”• Write secure code• Use compiler tools to detect unsafe instruction

sets in application• Have a limited number of processes running• Keep your application updated with latest patches

from software vendor • Control privilege

Arbitrary Code Execution Countermeasures

• Software bug• Install latest updates and Service Packs• Disable scripting and ActiveX (Drive by)• Configure application securely • Use alternate, safer applications

Drive by Download• Drive by Download is an unintended download of

computer software from the Internet:

1. Downloads which a person authorized but without understanding the consequences (e.g. downloads which install an unknown or counterfeit executable program, ActiveX component, or Java applet).

2. Any download that happens without a person's knowledge.

3. Download of spyware, a computer virus or any kind of malware that happens without a person's knowledge.

Personal Information Threats

• Unauthorized access to personal information

• Loss of personal information• Unauthorized disclosure of personal

information• Spoofing• Malicious software (Malware)

Unauthorized Access to Personal Information

• Commonly done by cracking user passwords

• Recovering passwords from data that has been stored in or transmitted by a computer system

• Password cracking methods• Dictionary • Hybrid• Brute force (every password WILL be

cracked)

Password Cracking (1-11) • andy• helen2008• Computer• Jonas_Puente• marykay• htimsnosaj• b1@nc@&l33• cold*beer• 020973• n1h0nj1n• *pdbmc12

Loss of Personal Information

• Human error, 32%• Software corruption, 25%• Virus attack (malware), 22%• Hardware failure, 13%• Sabotage, 6%• Natural disasters, 2%

Spoofing

• A situation in which a person/program successfully masquerades as another by presenting false information.

Malicious Software (Malware)

• Designed to damage/disrupt a system without the owner’s consent.

• Software that gets installed on your system and performs unwanted tasks.

• Pop ups to virus deployment.

Virus

• Individual programs that propagate by first infecting executable files or the system and then makes copies of itself.

• Can operate without your knowledge (visit website, you open attachment).

• WE OPEN IT

Worm

• Designed to replicate and spread from computer to computer (attach to file and run on their own)

• WE DON’T HAVE TO OPEN IT

Trojan Horse

• Designed and written like normal programs but have hidden code that can compromise your system from remote user/computer.

Logic/Time Bomb

• Program that lies dormant until it is activated by something (date, message).

Spyware

• Computer software that gathers information about a computer user and transmits it without your knowledge (benign or malignant, websites or credit card information).

Adware

• Advertising supported software in which advertisements are displayed while the program is running.

Malware Goals

• Malicious code threatens three primary security goals:• Confidentiality: Programs like spyware can capture

sensitive data while it is being created and pass it on to an outside source.

• Availability: Many viruses are designed to modify operating system and program files, leading to computer crashes. Internet worms have spread so widely and so quickly that they have overloaded Internet connections and email systems, leading to effective denial-of-service attacks.

• Integrity: Protecting information from unauthorized or inadvertent modification. For example, without integrity, your account information could be changed by someone else.

Personal Information Security Countermeasures

• Password policies • Backup• Cryptography• Spoofing countermeasures• Malware detection and prevention

Password Policies • History- 10 passwords• Max age- 120 days• Min age- 5 days or 0 for shoulder

surfing • Min length- 15 characters (at

least 8)• Complexity- enabled• Combo of upper & lower case &

special character & number• La2!xxxx• No dictionary words/patterns• No easily obtainable information

• No birthdays, pet names, fictional character, proper noun, etc

• Use of mnemonics

Backup

• Copying files to a second medium for later retrieval as a precaution in case the first medium fails

• Perform frequently• Keep in a separate location • 93% of companies that lost their data center for

10 days or more due to a disaster filed for bankruptcy within one year of the disaster

• 50% of businesses that found themselves without data management for this same period filed for bankruptcy immediately

Spoofing Countermeasures

• Practice safe email usage and web surfing • Attend security awareness training

Malware Countermeasures

• Only run software you can trust• Install antivirus software• Scan file attachments with antivirus

software before opening • Verify critical file integrity• BACKUP

Electronic Health/Medical Records

• An electronic health record (EHR) is an evolving concept defined as a systematic collection of electronic health information about individual patients or populations

• It is a record in digital format that is capable of being shared across different health care settings, by being embedded in network-connected enterprise-wide information systems

• Such records may include a whole range of data in comprehensive or summary form, including demographics, medical history, medication and allergies, immunization status, laboratory test results, radiology images, vital signs, personal stats like age and weight, and billing information

Health Insurance Portability and Accountability Act of 1996 (HIPAA)

• The Office for Civil Rights enforces the HIPAA Privacy Rule, which protects the privacy of individually identifiable health information; the HIPAA Security Rule, which sets national standards for the security of electronic protected health information; and the confidentiality provisions of the Patient Safety Rule, which protect identifiable information being used to analyze patient safety events and improve patient safety.

EHR

• Advantages• Reduction of cost• Improve quality of

care• Promote evidence-

based medicine• Record keeping and

mobility• Disadvantages• Costs• Time

.

Are EHRs Vulnerable? YES!

• Vulnerabilities discovered, reported to eHealth vendor and then patched

• Patches take A LOT of time to fix• 2,211 days (vendor) vs. 284 days

(Microsoft)• No one eHealth vendor in charge

Possible Issues

• Unauthorized users can compromise integrity and confidentiality

• Unauthorized access to computer networks• Password protection (hacks and policies)• Subversive software (malware) • Disaster

Privacy and Security Issues

• Data breaches• Theft• Lost devices• Social networking

Personally Identifiable Information (PII)• Information that permits the identity of an individual to be

inferred directly or indirectly• PII includes any information that is linked or linkable to

that individual, regardless of whether the individual is a U.S. citizen, a legal permanent resident, or a visitor to the United States

• Apply the "need to know" principle before disclosing PII to other personnel

• Challenge the need for the requested PII before sharing• Consider PII materials for official use only• Limit the collection of PII for authorized purposes only

Examples of PII

• Name • Date of birth• Biometrics • Mailing address• Phone #• Email address • Zip code• Account numbers• License information

• Social Security #• Place of birth• License plate• Photos

Sensitive Data

• Confidentiality of patient records• Mental health• Sexual health• Drug/alcohol• Minors• Intimate partner violence/sexual violence• Genetic information

Privacy and Security of EHR

• Security program components and regulatory requirements (HITECH, HIPAA, Breach Notification Laws, State Laws)

• Risk assessment and mitigation plans• Security program evaluation• Privacy and security awareness training for

all staff• Disclosure logs

Privacy and Security

• Security audit programs will be under the purview of the OCR (Office of Civil Rights) which is expected to begin with existing programs in 2011.

• CIA Triad

Data Segmentation

• Structured data fields• Common data definitions• Data entry• Locating data• Technology and codes• Building intelligence

Safeguarding PII• Store sensitive information in a room or area that has

access control measures to prevent unauthorized access by visitors or members of the public (e.g., locked desk drawers, offices, and file cabinets)

• Never email sensitive information to unauthorized individuals.

• Never leave sensitive information on community printers• Take precautions to avoid the loss or theft of computer

devices and removable storage media• Destroy all sensitive information by appropriate methods

(paper shredder) when it is no longer needed• Notify your immediate supervisor if you suspect or

confirm that a privacy incident has occurred

Security Vulnerabilities and Countermeasures

• Safeguard data• Monitor control on key systems and check

inadequate logging• Protect access control• Data encryption • Privacy awareness training • Create strong vendor management• Develop business continuity and incident

response plans

Security and Assurance Program• Protective measures to address potential cyber security

threats include:• Firewalls and virus protection systems• Password procedures• Information encryption software• Computer access control systems• Computer security staff background checks (at initial hire

and periodically)• Computer security staff training & 24/7 on-call technical

support• Computer system recovery and restoration plans• Intrusion detection systems• Redundant & backup systems, & offsite backup data

storage

In Summary…

• Identify vulnerabilities • Human error is biggest threat• Fix vulnerabilities (patches, etc.)• Have policies and procedures • Computer maintenance program• Educate staff• Stay informed of latest and greatest

References

• Voice & Data Security: An Introduction to Information Assurance (FEMA/DHS)

• IS 906: Workplace Security Awareness (FEMA)

• EHR PPT, Nina Robinson, NJPCA