Preventing Stolen Patient Data Through Remote Access Security
Don’t give attackers the keys to your kingdom.
By: Gary Glover |
Marianne Kolbasuk McGee: Gary, what sorts of remote access applications are generally used in the healthcare sector?
Gary Glover: There’s a lot of ways to get remote access. Some of the most common include LogMeIn, pcAnywhere. They allow you to get access to an office computer from home or somewhere on the road. There are also VPN (virtual private network) connections, usually set up by IT departments.
Marianne Kolbasuk McGee: In the healthcare sector, remote access could potentially give someone unauthorized access to patient data?
Gary Glover: Yes, patient names, addresses, and all the way up to Social Security Numbers. I was in the waiting room at my doctor’s office not too long ago. I was working on my computer, and got on their wireless network (there was no password).
While I was there I decided to look around to see how secure they were. Their server was exposed. The server password was ‘null’ (in other words, you didn’t need to enter a password). I was quickly in to the backside, and could see files that might contain credit card numbers. I quickly got out and talked to the doctor after my appointment. When I asked if he needed any help with his security, he said, “No, my brother does it.”
Wireless is a very simple way attackers (or curious people) can get into your network. Once inside, depending on the type of connection, and depending on the type of computer privileges they have on the network, they can potentially attack other systems and see if they have bad/no passwords. If they get access to the backend server, they basically have the keys to the kingdom. They’re a super user.
SEE ALSO: A Hacking Scenario: How Hackers Choose Their Victims
Marianne Kolbasuk McGee: In the healthcare sector, who is at most at risk? Smaller doctors, offices, or hospitals?
Gary Glover: I don’t think it matters if you’re big or small. It all depends on how you configured and set up your systems. There are small organizations that have their network set up by neighbors, relatives, friends, or a small IT company. And there are really large organizations that have poor security practices on their perimeter, or edge of their Internet.
Some of the biggest healthcare organizations with fancy IT departments may not be thinking about security. Perhaps their IT guys believe the network is secure, but they might only use one level of authentication (all that’s required is a password).
When you have remote access technology that goes deep into systems, you must use two factor authentication to remain secure.
Marianne Kolbasuk McGee: You mentioned multi-factor authentication. What else can healthcare do to better secure these applications?
Gary Glover: There are a couple things. Setting strong passwords is probably the first line of defense. Employees need to set strong, long passwords with upper and lower case letters, numbers, and symbols. Perhaps the first letter of each word of your favorite song phrase. It needs to be something that is not searchable or contained in the dictionary.
The second line of defense is training workforce members to not give out passwords to people who shouldn’t have them. Social engineering attacks are very common and successful in healthcare. People pose as HR or IT, convince employees there’s a problem with their password, and offer to help reset it. Train people to be wary and confirm that the person they’re talking to has the right to know that information.
SEE ALSO: Social Engineering Training: What Your Employees Should Know
The highest level remote access security would be requiring a second factor of authentication above and beyond a password. A username does not count as a factor of authentication.
A password counts as one layer, and that’s something you know in your head. The second layer is typically something you have, or something unique to you as a person. Only you should have possession of it. It could be a fingerprint, or a token in your pocket, a card with electronically changing numbers, or an app that changes numbers every 60 seconds. There are hundreds of ways of doing that second factor of authentication.
Once you have two factor authentication for your remote access, you should feel confident (if you’ve set up strong passwords and are keeping them safe) in your direct network access security. It really comes down to strong passwords, and not using ones that are guessable by a person or a computer program.
Hackers use things called rainbow tables to do brute force attacks on remote access passwords. These programs have precomputed every combination of letters, numbers, and symbols, and hit the remote access application with each of these possible passwords. It may take them a long time. Maybe the application times out after so many passwords. But computers and hackers have plenty of time.
Most of the compromises we’re seeing are due to bad remote access security that could have been prevented by stronger passwords.Marianne Kolbasuk McGee: What are the biggest risks posed by having insecure remote access? You mentioned it would provide the keys to the kingdom. What is the next layer of security if someone does get in, to prevent extensive damage?
Gary Glover: When you see a physically secure facility, you notice different layers of controls as you get closer to a facility. There’s a fence a ways out. There’s an open grass space. Then a barbed wire fence, guards, dogs, etc. That same kind of structure should be built inside your network. Your
firewall is your first layer of defense, etc.
Typically hackers don’t come into a network as a root super user. They start by getting into your workstation within your corporate environment. Then, they sniff around and escalate privileges. They do the same attack from your computer to a main backend server at the hospital to see if they can crack a password there. Or they look to see if there’s a vulnerability in an application exposed inside.
Tripwires are another layer of defense that should be set up within the network. Intrusion detection software helps you notice if weird things, like an internal brute force attack, happen in your network. In a large organization, an IT department should be in charge of setting up intrusion detection. In a small organization, there are fairly cheap software intrusion detection packages.
The hard part is monitoring. Even if you have all this tripwire software installed, if nobody is looking at the indicators, then hackers can still do whatever they want. It’s an awareness thing.
But boy, if you’re inside a network and time is on your side, you can pretty much get anywhere and do anything.
Marianne Kolbasuk McGee: There have been a number of large breaches in healthcare sector revealed over the last few months. In many cases, the breaches went undetected for quite a while. What is the #1 lesson we can learn from that?
Gary Glover: Not detecting a breach for a long period of time is very common in almost any type of data breach. People can get in and hang out for a long time looking for things, and nobody notices it. What does this mean? Nobody is trying to notice it. Nobody set up the controls and they’re not worrying about security. They figure that the front door is strong enough.
You can’t have the mentality, “We have a big strong firewall, so we’re ok.” Or, “Comcast has me covered! They put a firewall in front of my network.”
We often think other people have us covered. When a breach happens, fingers get pointed in all directions. In reality, it’s the corporation’s job to secure patient data, from HR creating policies, down to IT thinking of how data is exposed on the network.
The lesson corporate America needs to learn is: electronic data is at risk. Unless you know where it is, and how people could get access to it, unless you pay for security and institute a culture of security from the top down, you’re going to lose it.
Often, executives think they are secure because, “Our IT guys are in charge of that!” It’s really hard to push security from the bottom. IT doesn’t have enough budget or time for training. Security really has to be an enabled program from the top levels of any type of organization to work. It has to be supported from the top, through funding, training, etc.
My advice? Decide to take security seriously. It’s a problem, and will continue to remain a problem as long as we store data electronically, which will pretty much be for the next millennia or so.
Gary Glover (CISSP, CISA, QSA, PA-QSA) is Director of Security Assessment at SecurityMetrics with over 10 years of PCI audit experience and 25 years of Star Wars quoting skills. May the Force be with you as you visit his other blog posts.