BreachExchange mailing list archives
How anticipating a health data breach can boost security
From: Erica Absetz <erica () riskbasedsecurity com>
Date: Tue, 21 May 2013 09:23:35 -0500
http://healthitsecurity.com/2013/05/20/how-anticipating-a-health-data-breach-can-boost-security/

A healthcare chief information officer (CIO) saying that he expects to experience a health data breach is not only unusual, but may produce shock and awe in some parts of the healthcare industry. However, having this type of outlook, regardless of whether the CIO ends up having to deal with a breach or not, can prepare organizations for the worst types of viruses and help ensure that there are security policies in place as well.

At the Institute for Health Technology Transformation (iHT2) Health IT Summit a few weeks ago, Chuck Podesta, SVP and CIO of Fletcher Allen Healthcare, explained to HealthITSecurity.com why he falls under the category of fully anticipating a breach of some sort and being ready when one does come along. The value of taking a proactive approach was further established a few years ago when Podesta and his IT staff were up for 42 hours straight after going through a breach scare. Fletcher Allen's email server was penetrated by a big virus that used algorithms to look for information, and Podesta walked us through what happened and how the organization was able to manage the situation because it had put the work and time into its security measures before the virus came into play.

What were some of your first steps in handling the virus?

All of our applications still worked, but it was still going through our system. A nearby hospital a few weeks later got the same thing, but they didn't realize it because it didn't shut anything down and they were in a breach situation. We had McAfee's central hub that manages all your devices and keeps the anti-virus software updated - we realized that there were about 1,000 devices that weren't connected based on organic growth as well as other areas we had to shore up. We were able to contain it quickly and didn't get into a breach situation, but it scared the hell out of us. We had a command center and it cost us about $250,000-300,000 to remediate over a 2-3 week period because we found a lot of holes in our system.

How did you pick the virus up so quickly and what were some barriers?

Our network guy was a hero - he has a lot of tools within the network and just happened to be monitoring the network and saw something that was weird. The first thing he did was secure the perimeter - he shut off Port 80 (the port that Hypertext Transfer Protocol (HTTP) uses in Web server communication), Internet access - so even though the virus was collecting information, there was no way it could go out. The other interesting thing was that we found it was using Port 80 as a command and control back to its home server, so when he closed the perimeter, the virus recognized that we were trying to fight it. So it phoned home to its server and mutated. After turning off Port 80, that got rid of the mutation so it was just us against the virus. We had to manually secure those 1,000 devices that weren't managed centrally at 20 minutes per device and 800 laptops. It took us about three weeks to resolve it and over that period of time we had a program running that showed us how many new infections were popping up.

What did you change after the breach?

So right after going through that process, I brought in a Chief Information Security Officer (CISO). We started a formal program with data loss prevention (DLP) and we have a SIM tool for logging and clicking and an intrusion detection system (IDS). We encrypt everything, including flash technology, and we've done all of it in the past two years. It still keeps me up, but I feel like if the Office for Civil Rights (OCR) ever came in for an audit that we have the policies, procedures and education in place. We do expect to have a breach; we have the mindset of "Eventually, you're going to have one and someone is going to do something stupid." We have a compliance group, privacy officer and CISO. They talk about how they'd react to a hypothetical breach, which includes public relations strategy, and we go through all those scenarios. I even talk it up in public circles that we expect to have one. People say "What do you mean?" But we're trying to get the public to understand that, like credit card companies, it's not 100 percent. What we want to do is be able to react quickly and protect the patients when it does happen. That's fine if people say they're doing all these things to prevent a breach, but they are going to have one at some point.

We also have a pretty big physical security program because there's a lot of theft in that area - such as people leaving offices open. We have a big awareness project going on right now that requires you to either take the device with you or lock your door behind you. It's educational, but we have been making rounds where we look for unprotected devices. It's just never-ending.

What are some of the challenges when managing security?

Right now, our network gets pinged - whether it's a spam or virus email - about 6-8 times every second. In one 24-hour period, 162,000 emails from the outside came in and only about 49,000 were legitimate and 10,000 had viruses and the rest were spam. Unless you have the tools that tell you this, it's hard. And a lot of the smaller hospitals don't have that and may have protected health information (PHI) flying out the door. I think if you went into many of these healthcare organizations, especially the small hospitals, you'd find they don't have a lot of these tools necessary [to handle technical security]. I bet some of them have viruses now that are packaging up data and sending them to China or somewhere else.
Dataloss Mailing List (dataloss () datalossdb org) Archived at http://seclists.org/dataloss/