BreachExchange mailing list archives

How anticipating a health data breach can boost security


From: Erica Absetz <erica () riskbasedsecurity com>
Date: Tue, 21 May 2013 09:23:35 -0500

http://healthitsecurity.com/2013/05/20/how-anticipating-a-health-data-breach-can-boost-security/

A healthcare chief information officer (CIO) saying that he expects to
experience a health data breach is not only unusual, but may produce
shock and awe in some parts of the healthcare industry. However,
having this type of outlook, regardless of whether the CIO ends up
having to deal with a breach or not, can prepare organizations for the
worst types of viruses and help ensure that there are security
policies in place as well.

At the Institute for Health Technology Transformation (iHT2) Health IT
Summit a few weeks ago, Chuck Podesta, SVP and CIO of Fletcher Allen
Healthcare, explained to HealthITSecurity.com why he fully anticipates
a breach of some sort and intends to be ready when one does come
along. The value of taking a proactive approach was driven home a few
years ago, when Podesta and his IT staff were up for 42 hours straight
after a breach scare. Fletcher Allen's email server was penetrated by
a large virus that used algorithms to look for information; Podesta
walked us through what happened and how the organization was able to
manage the situation because it had put the work and time into its
security measures before the virus came into play.

What were some of your first steps in handling the virus?

All of our applications still worked, but it was still going through
our system. A nearby hospital a few weeks later got the same thing,
but they didn’t realize it because it didn’t shut anything down and
they were in a breach situation. We had McAfee’s central hub that
manages all your devices and keeps the anti-virus software updated –
we realized that there were about 1,000 devices that weren’t connected
based on organic growth as well as other areas we had to shore up.

We were able to contain it quickly and didn’t get into a breach
situation, but scared the hell out of us. We had a command center and
it cost us about $250,000-300,000 to remediate over a 2-3 week period
because we found a lot of holes in our system.

How did you pick the virus up so quickly and what were some barriers?

Our network guy was a hero – he has a lot of tools within the network
and just happened to be monitoring the network and saw something that
was weird. The first thing he did was secure the perimeter – he shut
off Port 80 (the port that Hypertext Transfer Protocol (HTTP) uses in
Web server communication), Internet access – so even though the virus
was collecting information, there was no way it could go out. The
other interesting thing was that we found it was using Port 80 as a
command and control back to its home server, so when he closed the
perimeter, the virus recognized that we were trying to fight it. So it
phoned home to its server and mutated. After turning off Port 80, that
got rid of the mutation so it was just us against the virus.

We had to manually secure those 1,000 devices that weren't managed
centrally at 20 minutes per device and 800 laptops. It took us about
three weeks to resolve it and over that period of time we had a
program running that showed us how many new infections were popping
up.

What did you change after the breach?

So right after going through that process, I brought in a Chief
Information Security Officer (CISO). We started a formal program with
data loss prevention (DLP) and we have a SIM tool for logging and
clicking and an intrusion detection system (IDS). We encrypt
everything, including flash technology, and we've done all of it in
the past two years. It still keeps me up, but I feel like if the
Office for Civil Rights (OCR) ever came in for an audit that we have
the policies, procedures and education in place.

We do expect to have a breach; we have the mindset of “Eventually,
you’re going to have one and someone is going to do something stupid.”
We have a compliance group, privacy officer and CISO. They talk about
how they’d react to a hypothetical breach, which includes public
relations strategy, and we go through all those scenarios. I even talk
it up in public circles that we expect to have one. People say “What
do you mean?” But we’re trying to get the public to understand that,
like credit card companies, it’s not 100 percent. What we want to do
is be able to react quickly and protect the patients when it does
happen. That’s fine if people say they’re doing all these things to
prevent a breach, but they are going to have one at some point.

We also have a pretty big physical security program because there's a
lot of theft in that area – such as people leaving offices open. We
have a big awareness project going on right now that requires you to
either take the device with you or lock your door behind you. It's
educational, but we have been making rounds where we look for
unprotected devices. It's just never-ending.

What are some of the challenges when managing security?

Right now, our network gets pinged – whether it’s a spam or virus
email – about 6-8 times every second. In one 24-hour period, 162,000
emails from the outside came in and only about 49,000 were legitimate
and 10,000 had viruses and the rest were spam. Unless you have the
tools that tell you this, it’s hard. And a lot of the smaller
hospitals don’t have that and may have protected health information
(PHI) flying out the door.

I think if you went into many of these healthcare organizations,
especially the small hospitals, you'd find they don't have a lot of
the tools necessary [to handle technical security]. I bet some of them
have viruses now that are packaging up data and sending them to China
or somewhere else.
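
The interview above describes two things a network engineer actually did: cutting off outbound port 80 so the virus could no longer reach its command-and-control server, and keeping a running count of newly infected hosts during the three-week cleanup. The Python below is an added illustration of how that detection can be done from outbound firewall logs; it is not code from the article, from Fletcher Allen, or from Mr. Podesta. The log format, the sample lines, and the thresholds (minimum hits, allowed timing jitter) are all assumptions constructed for the example. A host that keeps contacting one external address on port 80 at a near-constant interval is flagged as beaconing; if every one of its attempts is already a "deny", the egress block is working and the host is on the sweep list for manual cleanup.

```python
"""Outbound-beacon detection over constructed firewall log lines.

Added example, not from the article. Log format is assumed:
    <ISO timestamp> <src_ip> <dst_ip> <dst_port> <allow|deny>
"""
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample log (not real traffic). 10.1.5.23 and 10.1.9.4 check in
# every ~5 minutes while outbound 80 is still open; 10.1.7.9 is ordinary
# browsing; 10.1.12.2 keeps trying the next day after the egress block.
SAMPLE_LOG = """\
2013-03-01T10:00:00 10.1.5.23 203.0.113.7 80 allow
2013-03-01T10:05:01 10.1.5.23 203.0.113.7 80 allow
2013-03-01T10:10:00 10.1.5.23 203.0.113.7 80 allow
2013-03-01T10:14:59 10.1.5.23 203.0.113.7 80 allow
2013-03-01T10:20:00 10.1.5.23 203.0.113.7 80 allow
2013-03-01T10:00:12 10.1.7.9 198.51.100.20 80 allow
2013-03-01T10:03:40 10.1.7.9 198.51.100.21 443 allow
2013-03-01T10:31:05 10.1.7.9 198.51.100.22 80 allow
2013-03-01T11:00:00 10.1.9.4 203.0.113.7 80 allow
2013-03-01T11:05:00 10.1.9.4 203.0.113.7 80 allow
2013-03-01T11:10:00 10.1.9.4 203.0.113.7 80 allow
2013-03-01T11:15:00 10.1.9.4 203.0.113.7 80 allow
2013-03-02T09:00:00 10.1.12.2 203.0.113.7 80 deny
2013-03-02T09:05:00 10.1.12.2 203.0.113.7 80 deny
2013-03-02T09:10:00 10.1.12.2 203.0.113.7 80 deny
2013-03-02T09:15:00 10.1.12.2 203.0.113.7 80 deny
"""


def parse_log(text):
    """Parse the assumed log format into a list of record dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, action = line.split()
        records.append({
            "ts": datetime.fromisoformat(ts),
            "src": src, "dst": dst, "port": int(port), "action": action,
        })
    return records


def find_beacons(records, port=80, min_hits=4, max_cv=0.1):
    """Return {(src, dst): info} for hosts that contact one external
    address on `port` at a near-constant interval.

    Regularity is the coefficient of variation (stdev / mean) of the gaps
    between successive connections: human browsing is bursty, a malware
    check-in timer is not. Thresholds are assumptions for the example.
    """
    by_pair = defaultdict(list)
    for r in records:
        if r["port"] == port:
            by_pair[(r["src"], r["dst"])].append(r)
    beacons = {}
    for pair, hits in by_pair.items():
        if len(hits) < min_hits:
            continue
        hits.sort(key=lambda r: r["ts"])
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(hits, hits[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        if statistics.pstdev(gaps) / mean <= max_cv:
            beacons[pair] = {
                "hits": len(hits),
                "interval_s": round(mean),
                "first_seen": hits[0]["ts"],
                # True when the egress block is already stopping every attempt.
                "blocked": all(r["action"] == "deny" for r in hits),
            }
    return beacons


def new_infections_by_day(beacons):
    """Count hosts whose beaconing first appears on each day: the running
    'how many new infections popped up' view used during a cleanup."""
    first_seen = {}
    for (src, _dst), info in beacons.items():
        day = info["first_seen"].date().isoformat()
        if src not in first_seen or day < first_seen[src]:
            first_seen[src] = day
    counts = defaultdict(int)
    for day in first_seen.values():
        counts[day] += 1
    return dict(counts)


if __name__ == "__main__":
    found = find_beacons(parse_log(SAMPLE_LOG))
    for (src, dst), info in sorted(found.items()):
        state = "blocked, still trying" if info["blocked"] else "reaching C2"
        print(f"{src} -> {dst}:80 every ~{info['interval_s']}s, "
              f"{info['hits']} hits, {state}")
    print("new infected hosts per day:", new_infections_by_day(found))
```

Run against real exports, the same logic works on any log that yields timestamp, source, destination and port; the interval check is what separates a check-in timer from a user who happens to visit one site often, and the "blocked" flag is what turns a firewall deny log into the list of machines that still need hands-on cleanup.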
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://datalossdb.org/mailing_list

Supporters:

Risk Based Security (http://www.riskbasedsecurity.com/)
Risk Based Security equips organizations with security intelligence, risk
management services and on-demand security solutions to establish
customized risk-based programs to address information security and
compliance challenges. 
