One simple way to ensure the integrity of Health IT

[Audrey McNeil <audrey () riskbasedsecurity com>]

http://www.cio.com/article/2982964/cloud-security/one-simple-way-to-ensure-the-integrity-of-health-it.html

Several times a year, seven Guardians of the Internet check to make sure
the “root zone” of this network of networks has not been violated.
Together they unlock a safe deposit box, take out a smartcard, and verify
the integrity of the names, numbers and protocol parameters that reside in
this root zone of the Internet’s Logical Infrastructure upon which the
Internet critically depends.

This ritual, conducted under the direction of ICANN (the Internet
Corporation for the Assigned Names and Numbers), underscores the incredible
value of old-school security. Short of locking up patient data in the
nether regions of a bank, what can Health IT do to better protect
information? An answer is sorely needed.

In May CareFirst BlueCross BlueShield announced that hackers had gotten
away with personal information on more than a million patients.  It was the
third major break-in reported in 2015. Others involved Premera Blue Cross
affecting potentially 11 million patients and Anthem, a case in which as
many as 80 million records may have been compromised.

Two months later, UCLA reported a cyberattack that exposed data for more
than four million people.  According to the LA Times, UCLA hadn’t so much
as encrypted the patient data.

Hackers can get treasure troves of data by breaking into Health IT. Medical
identification information can be used to make fraudulent charges that
translate into tens, even hundreds of thousands of dollars: a woman billed
for the amputation of a foot even though she still has both; identity theft
that paid for the penis enlargements of a perpetrator and his friend; a
physician who wrote prescriptions for drugs he then sold.

Underscoring the laxity of the situation is the failure of victims to even
know they have been victimized. The BlueCross BlueShield hack occurred June
19, 2014, yet almost a year passed before it was detected.  It was another
month passed the hack was publicly reported.

Exemplified by ICANN is the value of security that not only protects core
data but allows periodic surveillance to check on their integrity. Might
digital keys be handed electronically to those who need access to the
data?  Could a system using such keys be put in place to check that data
have not been stolen?

In his July 5 column, the WSJ’s L. Gordon Crovotz floats the idea of using
such keys in a realm outside Health IT.  All would have to use their keys
for any to gain access to the data, much like the seven ICANN guardians of
the Internet.

In health IT, two keys would suffice, substantially increasing the
difficulty of unwanted entry.  Doing so, however, would require buy-in from
data users.  Such a system would be cumbersome.  Many homeowners – and
renters – for example, lock just one of the two locks on their front
doors.  Some don’t lock either.  (The desire for convenience wins out even
in the design of the locks. Go to any hardware store and you will find bolt
and knob locks packaged together and designed to be opened with the same
key.)

Facing the currently growing threat, IT professionals, however, might well
take advantage of the added security much as an apartment dweller in a
high-crime district of the city.  Perhaps more to the point, consider the
company with a building or storage yard in an economically depressed area.
We’re talking razor wire, roaming dogs –  and a well-secured gate.

No matter where they physically reside, health IT data exist in a “tough
neighborhood.” Hacks are as likely to come from the Black Vine gang of
China as the homeland of Boko Haram.

Absolutely, the basics of data protection must be taken. Cutting the shrubs
in front of the windows of Health IT might dissuade some would-be robbers
and expose the more brazen to scrutiny.  But only fortifying the premises
will stop the determined, just as regular patrols are needed to uncover
break-ins.

Might as well start with the front door.

_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 

Supporters:

Risk Based Security (http://www.riskbasedsecurity.com/)
YourCISO is an affordable SaaS solution that provides a comprehensive information security program that ensures focus 
on the right security.  If you need security help or want to provide real risk reduction for your clients contact us!