We compare the healthcare regulatory environment to that of financial services regarding the handling of customer confidential information.
WHITE PAPER
TABLE OF CONTENTS
Executive Summary
Regulatory Parallels
A Very Brief Regulatory History and Comparison
Lessons Learned and Pitfalls to Avoid
A Framework for Improvement
Conclusion
Regulatory Parallels
The healthcare industry has the opportunity to learn from financial service providers’ mistakes.
The lessons learned by the financial services industry are important because their compliance requirements are on similar paths regarding data security issues. Roughly, the experience has evolved as follows: IT becomes more integrated with business operations (for both healthcare and financial services) due to regulatory reaction with breach notification laws after the inevitable data security breaches have occurred. This is something to be expected given the vast data stores of customer/patient confidential data. Once these laws go into effect, the rate of breach notifications grows significantly.
A Very Brief Regulatory History and Comparison
In financial services a big regulatory milestone occurred in 2001 with section 501(b)
of the Gramm-Leach-Bliley Act (GLBA) which required financial service firms, amongst
others, to establish standards for protecting the security and confidentiality of customers’
non-public personal information. This got the financial services industry really thinking
about their information security program. In healthcare, The Health Insurance Portability
and Accountability Act (HIPAA) (specifically the Security Rule) was the significant
regulatory event that put information security on the industry’s radar.
However, what really got financial services acting on their security and taking their
information security programs seriously was the State of California breach notification
requirements that became effective July 1, 2003 with SB 1386. In that California
State Senate Bill any disclosure of a customer’s unencrypted confidential information
required the entity that lost the information to notify the customers whose data was
compromised. Knowing that sending out the “oops we lost your data” letters to a big list
of customers inevitably winds up in the news, this bill essentially shamed institutions into
taking their information security programs seriously. This was a California state
law, but because most large customer databases (no matter where those companies
were headquartered) contained some California residents, the legislation affected most
companies nationwide. It also prompted most other states to follow suit with similar laws;
currently most states have similar breach notification laws.
The number of reported data breaches and lost records has grown significantly since
the enactment of SB 1386 and the similar laws enacted since then in most other states.
Now Governor Schwarzenegger has expanded California’s breach notification law
with the passage of AB 1298, which became effective January 1, 2008. It expands the
definition of personal information in SB 1386 to include medical information and health
insurance information. In addition, the Health Information Technology for Economic and
Clinical Health Act (HITECH Act) of 2009 is meant to improve the quality and efficiency
Expect additional security breach incident news in the healthcare industry due to this
kind of legislation.
Of course it is not the number of breaches that grows due to breach notification
requirements, just our awareness of them, because security incidents that were otherwise
undisclosed are publicized. However, the business impact of a breach is magnified
when an incident hits the news. There have been hundreds of breaches disclosed due
to the notification requirements, and a review of some of the high profile cases makes
clear the extent of the business impact.
• CardSystems of Tucson, Arizona, June 16, 2005. 40,000,000 credit card records were compromised when hackers broke into the credit card processor and accessed unencrypted cardholder data. Visa and American Express stopped processing transactions through them.
• Circuit City and Chase Card Services, a division of JP Morgan Chase & Co., lost data on 2,600,000 customers as it mistakenly discarded backup tapes on September 7, 2006.
• TJ stores (TJX) on January 17, 2007 reported that around 50,000,000 accounts were compromised in a security breach involving insecure wireless data protocols. SQL injection was used to extract data from the application. Breach costs are estimated to exceed $200,000,000 and 19 lawsuits have been filed.
• Hannaford Bros. Supermarket chain (Portland, ME) reported on March 17, 2008 that credit and debit card information for 4,200,000 customers was compromised. Class action lawsuits have been filed.
• Heartland Payment Systems (Princeton, NJ) on January 20, 2009 reported that hundreds of millions of debit and credit card numbers may have been stolen in a data breach. 656 banks have reported associated card compromises due to the breach. Thirty-one lawsuits have been filed to date.
Clearly, the healthcare industry would benefit from taking note of these incidents
and reacting by improving and placing strategic value in their information security
programs.
Heartland Payment Systems, Inc., CEO, Robert Carr highlights the risk very concisely in
an interview with CSO Magazine regarding their recent data breach involving over 100
million credit/debit card records: “The audits done by our QSAs (Qualified Security
Assessors – the auditors hired to verify compliance with the Payment Card Industry Data
Security Standard – PCI DSS) were of no value whatsoever. To the extent that they were
telling us we were secure beforehand, that we were PCI compliant...”
A risk-based security assessment should be used to identify risk, and while these efforts
may look and feel like a compliance audit, their scope may differ significantly: they
might be lighter in some areas, while requiring significantly more depth in others to
address potential risk.
Unfortunately for Heartland, they were not aware of the gap between compliance and
security risk until it was too late. Similarly, it would be foolish to assume that general
HIPAA Security Rule guidance applies equally across the board within healthcare
organizations. An appropriate security program involves a more holistic information
security process including: management leadership commitment and oversight, risk
assessment, technical controls, controls review, security assessment to evaluate risk and
also regulatory compliance. Compliance is a component of an information security
program – not an entire strategy.
Healthcare organizations should expect a similar evolution, and indeed this is evident in
the regulatory environment. The recent Health Information Technology for Economic and
Clinical Health (HITECH) Act of 2009, among other things, expanded the definition
of a HIPAA covered entity such that any vendor that transmits or has routine access to
protected health information (PHI) is subject to HIPAA Security Rule requirements.
Firewalls are common network devices used to monitor, control and block network
traffic between two networks, for example, the Internet and an organization’s corporate
headquarters, or one company and a vendor that have connected their networks as part
of a data processing arrangement. While these controls are often a critical component
of network security, more than half of the firewalls we have reviewed are deployed
with flawed configurations. While many of these flaws do not necessarily represent
critical vulnerabilities, it is frustrating to see the extent to which this critical first line (and
sometimes only line) of defense is not configured properly.
Recently, one of our clients had us test the firewall that controls their access to a vendor –
a Fortune 500 company that hosts back-office services to many clients. We discovered
that from the client network we could access much of the Fortune 500 company’s data
center, which stored confidential data for many other clients. Unfortunately, the firewall
was managed by the vendor, and when we confronted them with this problem, stating
that they only needed to allow each client access to the few applications needed
for their service (and not hundreds of others!), the vendor disagreed, claiming that
it was not a security risk because they had a network security team, ran periodic scans
(which generated hundreds of pages of vulnerabilities) and... had a firewall in place.
Believe it or not, the vendor had to be convinced through communication with higher
levels of management that a firewall with no security rules configured has no security
value. The vendor has since fixed the problem.
Clearly, the existence of a security technology or control does not imply security: it is not
the existence of a control, it is the effectiveness of the control that matters. A key lesson
is that security is not about high technology equipment as much as attention to detail,
capable IT staff and operational integrity. For a security program to meet the needs
of the business, technology must be deployed carefully, peer reviewed, managed
with a process in an organization run by executives who are aware that the small
things matter.
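The vendor firewall above illustrates the gap between "having a firewall" and having one that enforces least privilege. The following is an added example, not code from the white paper or from Redspin: a small rule audit that parses a constructed rule list, flags allow-any rules, and counts how many client-to-data-center flows exceed the few applications the client actually needs. The networks, ports and rule syntax are hypothetical.

```python
"""Audit a client-to-vendor firewall ruleset for over-permissive access.

Added example (not the white paper's own tooling). Rule format, networks,
sampled ports and the required-application list are all constructed.
"""
import ipaddress

CLIENT_NET = ipaddress.ip_network("10.10.0.0/16")      # hypothetical client network
DATACENTER = ipaddress.ip_network("192.0.2.0/24")      # hypothetical vendor data center
REQUIRED = {("192.0.2.10", 443), ("192.0.2.11", 1433)}  # the "few applications" the client needs
SAMPLED_PORTS = (22, 80, 443, 1433, 3389)              # TCP ports probed by the audit

# Constructed rulesets, written as "action src dst proto port" (one rule per line).
OPEN_RULESET = "allow 10.10.0.0/16 any tcp any"         # "a firewall with no security rules"
LEAST_PRIV_RULESET = """
allow 10.10.0.0/16 192.0.2.10/32 tcp 443
allow 10.10.0.0/16 192.0.2.11/32 tcp 1433
deny any any any any
"""

def parse_rule(line):
    """Turn one rule line into a dict; 'any' becomes 0.0.0.0/0 or port None."""
    action, src, dst, proto, port = line.split()
    return {"action": action,
            "src": ipaddress.ip_network("0.0.0.0/0" if src == "any" else src),
            "dst": ipaddress.ip_network("0.0.0.0/0" if dst == "any" else dst),
            "proto": proto, "port": None if port == "any" else int(port)}

def flows_allowed(rules):
    """Set of (host, port) in the data center reachable from the client network.
    First matching rule wins; no match means implicit deny (protocol is ignored
    because every sampled port is TCP)."""
    reachable = set()
    for host in DATACENTER.hosts():
        for port in SAMPLED_PORTS:
            for r in rules:
                if (CLIENT_NET.subnet_of(r["src"]) and host in r["dst"]
                        and r["port"] in (None, port)):
                    if r["action"] == "allow":
                        reachable.add((str(host), port))
                    break
    return reachable

def audit(ruleset):
    """Return (findings, excess_flow_count): allow-any rules found, and the number
    of reachable (host, port) pairs beyond the required application set."""
    rules = [parse_rule(l) for l in ruleset.strip().splitlines()]
    findings = [f"rule {i}: allow any/any" for i, r in enumerate(rules)
                if r["action"] == "allow" and r["port"] is None
                and r["dst"].prefixlen == 0]
    return findings, len(flows_allowed(rules) - REQUIRED)
```

Running `audit(OPEN_RULESET)` reports the any/any rule and 1,268 excess flows (254 hosts times 5 sampled ports, minus the two required applications), while the least-privilege ruleset reports no findings and no excess.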
However, in this case there was little management motivation to fix the SQL injection
issue, due to the cost and operational challenges of upgrading the production site, so we
were commissioned to do additional research on the bug. With some ingenuity and
programming we were able to prove that the SQL Injection flaw on the site would
yield confidential customer information. In this case, the odd characters on the screen
represented binary system memory. Our security engineer on the project noticed that the
error message would change each time the error occurred. We were able to automate
our attack, reverse characters in the cryptic error message, convert it to hex and after
thousands of requests over a period of about a week, we were able to download their
entire application and all of its data in an unencrypted format. As a result, this seemingly
innocuous error provided access to anyone on the Internet with the full contents of the
financial institution’s customer database.
Why had they not yet been hacked? This particular error was not easy to exploit and
required a focused effort by a talented hacker. However, as the industry as a whole
gets more sophisticated with its security defenses, there is less low-hanging fruit and
these types of flaws start to get targeted by hackers whose skills improve over time.
The good news of this story: this company was able to learn from a web application
security assessment that the flaw on their system was serious, as opposed to learning
from an incident.
Continually cycling through this process with a feedback loop that ensures the program
is relevant to the business operations and addresses the dynamic nature of the threat
environment will minimize the risk of a major security incident.
Conclusion
We hope that these observations of the parallel paths taken through the regulatory and
risk environment for healthcare and financial services clarify the need to learn from
the costly mistakes of the financial services industry. By taking a holistic view of security
and building it into an organization with an adequate information security program, and
concurrently integrating security into the application development life cycle, healthcare
leaders can significantly reduce the business risk associated with the mass storage of
EHI.
Redspin delivers the highest quality information security assessments through technical
expertise, business acumen and objectivity. Redspin customers include leading companies
in areas such as healthcare, financial services and hotels, casinos and resorts as well as
retailers and technology providers. Some of the largest communications providers and
commercial banks rely upon Redspin to provide an effective technical solution tailored to
their business context, allowing them to reduce risk, maintain compliance and increase
the value of their business unit and IT portfolios.