Q&A: Upholding Security Standards in the Healthcare Industry

April 13, 2017 Chris Nelson

First, Do No Harm

Healthcare institutions have increasingly become the target of cyberattacks over the last few years. In 2015, the healthcare industry was identified as the sector with the highest number of data breaches, with over 110M healthcare records reportedly compromised by malicious threat actors. Stolen account credentials and electronic medical records are used by cybercriminals for identity theft, account takeover, and payment card and medical insurance fraud. Furthermore, adversaries and aggregators also use web scraping bots to harvest physician and provider directory content, pricing, and insurance quote and policy data.

With all these major security concerns in the healthcare industry, we took the opportunity at Distil Networks to chat one-on-one with Chris Nelson (Director of Security, Distil Networks) regarding the issues faced by healthcare organizations both large and small. At Distil, Chris leads the security and compliance initiatives across the organization by the use of policy, standards, audit and risk assessment. He works intimately with customers and partners to ensure solutions meet all legal, regulatory, contractual and security obligations. Prior to leading security initiatives at Distil Networks, Chris helped run information security, compliance and privacy for the Consumer Digital Division at Aetna and iTriage.

Q1: What are the top web application security concerns faced by healthcare institutions today?

There are the basics, which many healthcare organizations struggle to perform correctly due to limited resources, budget and timelines. Integrating security into your Software Development Life Cycle (SDLC) is a difficult thing to do well, because so often security is seen at best as a speedbump, at worst a roadblock. This is an essential building block for your web application security.

There are multiple security threats that institutions face on a daily basis. The healthcare industry in particular needs to be even more vigilant than most due to the high stakes of securing protected health information (PHI). In healthcare, account takeover is a major concern. Malicious threat actors are taking credentials from one breached web property, or even corporate systems, and using botnets to try those credentials across many other properties. People tend to be creatures of habit, and for many the passwords they use are duplicated across multiple accounts. While there are regulatory concerns for protecting PHI and user accounts, healthcare by its very nature is about helping people. First, do no harm, right? This means most organizations in the healthcare space are, or should be, worried about that threat.

Q2: What is your definition of healthcare?

The term “healthcare” covers a broad category. For example, does WebMD.com count as a healthcare organization? I think it does, but they really don’t have Protected Health Information (PHI), act as a business associate, or interact with much regulated or “sensitive” data. What about Fitbit and other fitness or health tracking companies? The truth is that these organizations really need to be ahead of the curve regarding customer privacy. For those that are in the business of interacting with PHI, protecting their infrastructure is critical. Healthcare-related apps have been in the news lately, with fines given to app providers due to insufficient testing of their apps, misleading claims and deceptive privacy policy disclosures. In particular, identifying information from users was not necessarily being protected and was being shared with third parties.

Q3: How important are APIs in healthcare security?

Many security practices have historically been delivered in the user interface and are now moving to API backends. The obvious business benefits of faster delivery and ease of integration aside, there are some security benefits too. Condensing the logic into the API, and moving security controls such as input validation into the backend, actually helps address common UI-related security issues. While APIs represent an additional attack surface, many of the same secure development best practices, when applied, can also protect API endpoints.

Q4: What type of healthcare content can be scraped by bad bots?

Content scraping is a threat organizations face. If you are in the business of providing research-related online content to your consumers, for instance WebMD.com, this could be valuable to competitors or aggregators in the space that may seek to scrape and repurpose it. If you are presenting any type of pricing or quotes on your site, think health insurance, competitors could be scraping that data either to be able to beat your pricing, or to build other business intelligence. Other content scraping threats may actually be able to provide an organization with indicators earlier in the kill chain. For instance, if you detect content scraping against online company directories or “meet the team” pages, you can bet that you will soon be seeing targeted social engineering campaigns against the organization.
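The two bot behaviours described in this interview, credential stuffing against a login endpoint (Q1) and bulk harvesting of directory pages (Q4), leave the same kind of footprint in web logs: one client touching many distinct accounts or pages in a short burst. The following is an added example, not code from Distil Networks or from the interview, that runs both detections over a constructed JSON-lines application log. The log format, field names (`ts`, `ip`, `method`, `path`, `status`, `ua`, `user`), the `/providers/` directory prefix and all thresholds are assumptions chosen for illustration; a real deployment would tune them to its own traffic.

```python
"""Detect credential stuffing and directory scraping in a JSON-lines web log.

Added example; the log format and thresholds below are assumptions, not any
vendor's or product's own logic.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

FMT = "%Y-%m-%dT%H:%M:%SZ"


def build_sample_log():
    """Constructed sample log (not from any real system), one JSON object per line.

    Traffic mixed in:
      198.51.100.7  one user, two typos then success            (benign)
      203.0.113.10  six failed logins, six usernames, in 40 s   (credential stuffing)
      203.0.113.55  walks 12 distinct /providers/ pages in 33 s (directory scraping)
      192.0.2.20    a person reading three provider pages       (benign)
    """
    t0 = datetime(2017, 4, 13, 10, 0, 0)
    rows = []

    def add(sec, ip, method, path, status, ua="Mozilla/5.0", user=None):
        row = {"ts": (t0 + timedelta(seconds=sec)).strftime(FMT), "ip": ip,
               "method": method, "path": path, "status": status, "ua": ua}
        if user:
            row["user"] = user
        rows.append(json.dumps(row))

    add(0, "198.51.100.7", "POST", "/login", 401, user="alice")
    add(12, "198.51.100.7", "POST", "/login", 401, user="alice")
    add(30, "198.51.100.7", "POST", "/login", 200, user="alice")
    for i, name in enumerate(["bob", "carol", "dave", "erin", "frank", "grace"]):
        add(100 + 8 * i, "203.0.113.10", "POST", "/login", 401,
            ua="python-requests/2.13", user=name)
    for i in range(12):
        add(200 + 3 * i, "203.0.113.55", "GET", f"/providers/{1000 + i}", 200, ua="curl/7.52")
    for i, page in enumerate([1001, 1005, 1009]):
        add(300 + 60 * i, "192.0.2.20", "GET", f"/providers/{page}", 200)
    return "\n".join(rows)


def parse_log(text):
    """Parse JSON lines into event dicts with a datetime `ts`; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        event["ts"] = datetime.strptime(event["ts"], FMT)
        events.append(event)
    return events


def burst_in_window(events, window, key, min_count, min_distinct):
    """Two-pointer sweep over time-sorted events.

    Returns (count, distinct) for the first `window`-long span that reaches both
    thresholds, i.e. the point at which an alert would fire, or None.
    """
    events = sorted(events, key=lambda e: e["ts"])
    start = 0
    for end, event in enumerate(events):
        while event["ts"] - events[start]["ts"] > window:
            start += 1
        span = events[start:end + 1]
        distinct = len({key(e) for e in span})
        if len(span) >= min_count and distinct >= min_distinct:
            return len(span), distinct
    return None


def detect_credential_stuffing(events, window=timedelta(minutes=5), min_failures=5, min_users=4):
    """Flag source IPs whose failed logins inside `window` span many distinct usernames.

    A person mistyping a password hits one or two accounts; a bot replaying a
    breached list touches many accounts with one or two attempts each.
    """
    by_ip = defaultdict(list)
    for e in events:
        if e["method"] == "POST" and e["path"] == "/login" and e["status"] == 401:
            by_ip[e["ip"]].append(e)
    flagged = {}
    for ip, fails in by_ip.items():
        hit = burst_in_window(fails, window, lambda e: e["user"], min_failures, min_users)
        if hit:
            flagged[ip] = {"failures": hit[0], "distinct_users": hit[1]}
    return flagged


def detect_directory_scraping(events, prefix="/providers/", window=timedelta(minutes=5), min_pages=10):
    """Flag clients (IP + User-Agent) that fetch many distinct pages under `prefix` in one burst."""
    by_client = defaultdict(list)
    for e in events:
        if e["method"] == "GET" and e["path"].startswith(prefix) and e["status"] == 200:
            by_client[(e["ip"], e["ua"])].append(e)
    flagged = {}
    for client, hits in by_client.items():
        hit = burst_in_window(hits, window, lambda e: e["path"], min_pages, min_pages)
        if hit:
            flagged[client] = {"requests": hit[0], "distinct_pages": hit[1]}
    return flagged


if __name__ == "__main__":
    evs = parse_log(build_sample_log())
    print("credential stuffing:", detect_credential_stuffing(evs))
    print("directory scraping:", detect_directory_scraping(evs))
```

Keying the scraping detector on IP plus User-Agent is a deliberate weakness of this illustration: a bot that rotates either field splits itself across buckets and slips under `min_pages`, which is why the interview's point about watching directory and “meet the team” pages as an early kill-chain indicator matters even when no single client trips a threshold. Sessions, TLS fingerprints or login identity make better keys where they are available.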

Q5: What are some of the considerations in dealing with healthcare deployments?

There are a few things to consider in dealing with web services or big cloud providers such as Amazon Web Services, Microsoft Azure and Google. For example, Amazon has particular requirements in dealing with healthcare systems that interact directly with patient records. The ability to perform comprehensive incident response decreases when an organization utilizes these services.  

Q6: How do you turn your security program into more than just a cost center?  

First, review the HITRUST CSF (Common Security Framework). If your business is purely healthcare, I would definitely recommend considering it. Second, many healthcare organizations, especially ones that deal with the Centers for Medicare and Medicaid Services (CMS), are familiar with the NIST 800-53 Rev. 4 framework. This is known by the U.S. Government and is the core of their security programs. CMS also pushes that requirement down to partners. Ideally, look at negotiating the more open 800-53 over the closed HITRUST CSF with your stakeholders, and you will benefit in the long run.

Q7: Tell us more about the National Institute of Standards and Technology (NIST) Special Publication 800-53 Revision 4?

NIST is responsible for developing information security standards and guidelines. The latest revision of the publication, 800-53 Rev. 4, provides a comprehensive update and holistic approach to information security and risk management. NIST offers healthcare organizations a level of confidence by providing the breadth and depth of security controls necessary to fundamentally strengthen their information systems.

800-53 Rev. 4 is both flexible enough for your organization, and robust enough that it can map up to all the other ones. Nobody likes audits, unless you are an auditor, so the least amount you can get away with makes sense. While larger organizations have entire teams that deal with audits, smaller ones really feel the pain. I personally use the NIST 800-53 Rev. 4 control framework, and then demonstrate how it lines up to others. I can answer a question about having a SOC 2, and I can show the 800-53 audit results and a control matrix showing how 800-53 matches up to (and far surpasses) the SOC 2 controls. The same can be said for ISO 27001. Why undergo an audit for each one? We obviously have to do PCI, due to the nature of that governing body's requirement language, but I don’t necessarily need to subject business and engineering resources to a barrage of interviews by auditors. It is easier to follow NIST 800-53 Rev. 4 than to adopt all, or many, of them.

Q8: How can healthcare organizations develop an effective security posture?

Healthcare institutions need to start with the basics to safeguard their organization from the threats posed by malicious bots. Training, education and awareness for employees around social engineering and insider threats should definitely be a main focus for any healthcare company. Organizations should also build a better understanding of the motivations of threat actors and what key assets they are looking for, and then implement protection controls accordingly. Private patient medical records are more lucrative financially on the dark web than other forms of PII, so cybercriminals are motivated to target the healthcare industry. Cybercriminals can use stolen medical records for personal data theft, payment card fraud and healthcare insurance fraud, and can leverage bots to distribute ransomware, taking entire hospitals offline.

Healthcare organizations need to establish the necessary security audits, processes, procedures and compliance. These institutions need to make sure that they adopt the Open Web Application Security Project (OWASP) secure development guidelines. There are twenty OWASP Automated Threats (OATs), seven of which are cited as primary threats to the healthcare industry.

As long as you can affirmatively respond to “are we more secure today than yesterday?” you should feel like you are moving forward in the right direction with developing a more effective security posture.

For further information on how healthcare IT security professionals can protect their websites from malicious attacks, download our latest Healthcare eBook.


About the Author

Chris Nelson

Chris has a passion for security, especially building security programs and teams in incredibly dynamic organizations. Chris joins Distil Networks as the Director of Security, where he will continue to expand on experimenting with Permaculture in the design and implementation of security programs and controls. At the end of the day, it is the Permaculture ethic “Care for People” that drives him most. Throughout his career in every type of organization from government to Fortune 500 he has seen how focusing on that foundation drives better results, unless you are looking for spectacular failure, then it’s ok to ignore that ethic.
