Healthcare Security Vulnerabilities

June 19, 2012 2:00 pm

Adam Goslin of High Bit Security presented the webinar, Healthcare Security Vulnerabilities, on Tuesday, June 19.

Many (if not all) healthcare and related companies have vulnerabilities. This webinar will review several REAL healthcare related security engagements, provide an overview of the IT Security world today, provide insight into the hacking community, discuss several proactive methodologies for mitigation of security vulnerabilities and explain the shortcomings of some security testing methodologies.

If you work for a healthcare provider, medical practitioner, or work at a company that provides support services to the healthcare industry – this webinar is a must. This webinar will be geared to the healthcare industry, but if your organization stores sensitive data (customer records, employee records, financial information, intellectual property) – this webinar content will also be directly applicable.

View Online Tech's slides (PDF).

View High Bit Security's slides (PDF).

April Sage: Hi, everyone and thanks for joining us today. This is April Sage from Online Tech. Our webinar today is “Healthcare Security Vulnerabilities,” and we’re joined by Adam Goslin from HighBit Security. Adam, thanks for joining us today.

Adam Goslin: Thank you very much for having me.


April: We’re going to get started here for a quick overview of the healthcare and breach landscape, to set the context, and then Adam is going to fill us in with his extensive amount of technical and security expertise to give an idea where the best places are to start when we’re trying to assess and improve healthcare security. Those of you who are familiar with the healthcare industry know that there is increasing visibility and awareness and concern with the breach of sensitive healthcare information; its value on the black market, its sensitivity to patients, and its visibility when it ends up online are all bringing this into high focus.

Since the Department of Health and Human Services began posting all of the breaches that affected more than 500 patients, we’ve had roughly 425 to date that affect over 500 patients. Even though, perhaps, the greatest concern is about the breaches that happened because of IT reasons, we’re still seeing that a majority are caused by stolen devices; maybe that could be backup tapes, maybe it’s laptops. The increasing number of mobile devices is certainly adding to the risk and the reality that loss of the protected information happens very readily.

It’s an issue that faces not only the healthcare providers, but all of the vendors and people that support the healthcare community. These folks are often referred to as business associates. It seems like we’re still seeing a little bit of a gap, Adam. Maybe in your experience, I don’t know if you’ve noticed that there still remains a gap in understanding of business associates and their responsibilities and how they need to support the covered entities.

Adam: Most certainly there seems an increased awareness out there; however, a lot of organizations have gotten behind the curve, if you will, in terms of getting up to speed with all of their responsibilities surrounding HIPAA.

April: I think we’re seeing that reflected in the data. Many of you are familiar with the recent study by the Ponemon Institute showing that not only is the number of breaches still increasing year over year, but the vast majority, 62% by our February calculations, involve the business associate. The cost to the industry, to the covered entities, I daresay to the taxpayers, is steadily increasing. These are part of the drivers and the reasons why this area is coming into focus.

There was a recent report put out by the Office of Civil Rights, and David Holtzman brought attention to the fact that the gap in understanding of business associates is a contributor to some of these breaches. Of course, I’m bringing out that quote that’s near and dear to our hearts at Online Tech, but if you can abstract his quote here saying if you use a cloud service it should be your business associate, let’s just ignore the fact for a moment that he’s speaking to cloud. I think what he’s really bringing up here is that almost any business associate really needs to be aware of their responsibilities. They need to understand what a business associate agreement is and they need to find one. If not, the direct recommendation here is that you simply don’t use that business associate. Hopefully, we’ll start to see more business associates starting to understand their responsibilities, and these covered entities that are raising the bar are going to hold business associates to a high standard of security and awareness about what HIPAA takes.

I just pulled an example here. I know that Adam’s going to provide us with more examples as we go on here. An example of a situation where a covered entity was engaging a vendor who did not sign a business associate agreement was a physician practice who ended up, unfortunately, posting some protected health information to an online calendar. This was discovered by a patient doing a Google search for their name and realizing that information about their appointment was readily available to anyone. When the OCR did an audit, they discovered a systematic failure to implement security and a lack of privacy protection. I think this is an area that Adam’s really going to bring home to us today, pointing out some of the areas where we really need to take a look at what’s going on within our four walls and also what’s going on with our business associates so that we’re not being found at fault for sheer negligence as far as our responsibility to be HIPAA compliant.

In this case, they did find that the application provider was not a business associate of the practice. The fine in this case was fairly light compared to some of the steeper fines that we’re seeing, only $100,000, and then they had to develop a corrective action plan. For a smaller physician practice, $100,000 isn’t exactly pennies.

Of course, we have the whole emergence of mobile health, I’m going to call them opportunities. We see that patients are thirsty to engage using mobile devices, that physicians indicate that they can find efficiencies and cost savings by using them, and we certainly see that the global trends in mobile health overall are making the mobile area for healthcare inevitable, but it’s also going to be very significant. The problem when we come into the security area is that it gives us endless endpoints. We just pulled here a recent bulletin from the National Cyber Security Communication and Integration Center trying to educate people and bring awareness to all of the different points of entry and risks that we’re facing with the new proliferation of mobile devices entering the market.

Then, we’re faced with the question. We know that it’s scary. We know that we need to pay attention to the breaches. We know that as covered entities and business associates we need to understand and embrace HIPAA compliance and deliver on that promise to patients that we’re going to protect their sensitive information. I think the big question on everyone’s mind, Adam, and the one we’re looking forward to your answer to today, is where do we start? We certainly look towards the security rule and then try to understand how they’re breaking out the administrative, physical, and technical safeguards, but then we need to look to a security expert to figure out how we’re actually going to assess where we’re vulnerable, what those risks are, what our management plan is, and what we should do to improve security. With that, I’m going to turn you over to security expert Adam Goslin. We’re going to shift over presentations here. One moment, Adam.

Adam: As I said before, thanks very much for having us out here. It’s always fun to increase the education and the awareness of folks out there about IT security. It’s obviously an arena that is near and dear to our hearts. We like being able to enhance the education of those around us. Without further ado, I think we can get right into it.

For the webinar overview, these are the types of things that we’re going to be talking about today: IT security and data loss, some of the breach sources and some additional information about breaches, recent medical loss and breach statistics, and then some of the various ways to perform security assessments of organizations. We’ll talk about vulnerability scanning. We’ll talk about penetration testing as well as an example. We’ll talk about social engineering, which is a relatively new field that’s been blowing up in the security arena, and then we’ll end up with some ways to generally improve healthcare security.

April: Great. Let me also add quickly we get asked this question every webinar. We will be posting copies of these slides and the presentation online and we’ll email out a link to everyone who has registered for the webinar today. Hold tight if you’re looking for a refresher once we get through it. We’ll have that for you.

Adam: To talk a little bit about, generally speaking, what’s going on out there from an IT security and data loss perspective, there is an increase in small scale breaches. Cyber criminals have really hammered away at the large corporate entities with large volumes of data fairly substantially. Those organizations have been pretty much forced to improve their game, enhance their security, etcetera. The criminals are looking for smaller targets, small to midsized businesses, small to midsized facilities. That’s really where they’re starting to pay attention because those haven’t had the same level of investment in their security, in their security stance; they aren’t as vigilant, etcetera. Lost and stolen devices are really becoming prevalent as far as breaches go out in the security space. Your iPhone has a plethora of information. iPads, laptops, things that people have left in the backs of taxicabs, at airports. You hear all sorts of stories about ...

April: McDonald’s is famous for a whole new reason now, right?

Adam: Yes, exactly. Social networking is another realm of exposure for businesses. Most people have a Facebook page, are using a wide range of social networking sites, and there is the exposure that that provides to the business itself.

The fact that data encryption is not a security silver bullet. Many organizations will look at data encryption as their be-all, end-all. If the data’s encrypted we must be fine. The problem is that the data has to get there. There’s data in transit. There’s data in transition. There’s data that is on its way back out of your environment. Data in use, etcetera. There’s a large arena where even if the actual physical data is encrypted there are a lot of manners and mechanisms by which the information can be exposed.

The data breach notification regulations are absolutely on the rise. We’re seeing it in the healthcare arena with a lot of the latest legislation that’s been going through. They’re required to; there are state level requirements. There are compliance level requirements, etcetera. At some point in the game will there be a Federal breach notification regulation? Probably, but they seem to be moving a little bit slower on that side of things.

Mobile threats. We already talked about mobile devices, etcetera. Really, what’s getting a lot of exposure these days is critical infrastructure. The gas, the electricity, the water, really, hospitals, those would be included in there. Critical infrastructure is really coming under a lot closer scrutiny these days. You mentioned earlier, April, the Ponemon Institute. It’s the same organization; it’s actually a research group that’s up in Traverse City, Michigan. They do a couple of different studies, one of which is their annual breach cost study.

The 2012 statistics for their latest and greatest data are that a breach costs an organization approximately $194 per record. That is across the organization’s efforts for detection, escalation, notification, resolution of any security issues, after-the-fact responses, etcetera. There are a lot of factors that go into that. That’s based on real data. This is real live data from organizations that have been breached: what did they really spend? That number, $194 a record, doesn’t sound that bad when you’re just looking at “I lost $194 a record.” You start thinking about it: what organization today has less than 2,000 records? Very few. In some cases, these breaches are in a magnitude up into the millions. When you run $194 a record at 2,000 records, which is darn near anybody that’s in business, you’re talking about numbers that are closing in on $400,000.

April: Just as a start, and then you can just add zero, zero, zero.

Adam: Yes. It gets expensive and it gets expensive fast. I think we’re ready to move on to the next arena, which is really some information around breach sources and some miscellaneous information. This is just really for educating those out there about different aspects of security. As an example, there was a recent study done at the University of Toronto in Canada, where they found that less than 10% of developers and network administrators are documenting security considerations when formulating the solution. That’s an important fact in that developers know how to develop. Network administrators know how to administer a network, but very few of those functions truly know the impact and the implications from a security perspective.

That’s a lot of the reason why it’s not taken into account when they do their planning documentation for projects, etcetera. It’s just something that developers and network administrators truthfully are behind the eight ball on, and security is a specialty. Invariably, you’ll hear the comment; someone will go back to their developer, their network administrator, “Are we secure?”

April: Sure.

Adam: Of course, they are. They struggle to be able to answer that with the right context, and that’s where some of the security testing we’re going to talk about really applies some visibility to the entire organization. The cool part about that type of an endeavor is the developers or network administrators ultimately are better off for it because they’ll learn things as they go through that experience. The person having the testing done or the entity having the testing done will be able to quickly put in place corrections to security vulnerabilities that exist.

April: I think that this is indicative of one of the issues that we see throughout the healthcare industry, which is a gap in communication. You have perhaps the compliance officer, hopefully the CIO, who understands what HIPAA compliance is, what’s required to meet it, perhaps to file a breach notification if, God forbid, a breach happens, but we’re still missing that holistic understanding down to the people who are actually in the trenches writing the code or administrating the server. We’re still not doing what we need to communicate at every level.

Adam: Most certainly. When we talk about insider threat, this is a for instance: terminating an IT employee that happens to know about unresolved vulnerabilities in your system; this could then get exploited. The U.S. government, as an example, is building a hacking monitoring facility. Really what it is, they’re dropping nodes all across the Internet and are going to be basically taking copies of the information and shipping it to a facility in Salt Lake.

April: Adam, can you speak a little bit, I know that you live and breathe this every day, but for those of us who aren’t as close to the security world, tell us a little bit about why there’s such a focus and they feel the need to build this type of huge facility that’s dedicated to just monitoring hacking activity?

Adam: Sure. It comes in a number of different flavors. Obviously, you have just general hacking incidents as one. Another is cyber warfare. The recent releases in the news lately about the fact that the U.S. and Israel were joined at the hip in terms of making a virus that would infect the Iranian nuclear program. The Russians and the Chinese are regularly in the news with having state sponsored hacking activities against the United States. The level of exposure and the level of information that the U.S. government desires to have because of activity going on in the real world is steadily increasing. They’re dropping these nodes all across the Internet, going to be basically taking copies of information, bringing it to that facility so that they can do a statistical analysis, look at information about hacking incidents, look at the type of traffic that they’re seeing from foreign threats, etcetera. They’re going to be using it for a large volume of purposes, but it’s going to be a pretty extensive facility they’re building up there.

April: It sounds like hackers have some particular interest in healthcare data. Why is that?

Adam: The breach of healthcare information, if you think about it this way, in most cases you’re going to get the person’s name and their address. You’re very likely going to get social security numbers. You’re going to know information about their medical information. In some cases, you’re getting other pieces of personally identifiable information. They can take that data and that information, sell it on the black market and use it for identity theft, opening up lines of credit, opening up credit cards, then spending the money unbeknownst to the person that’s in this position, etcetera. That’s one potential route for it, but there are a lot of different potential routes for it.

Once you’ve hacked that data information, that’s one realm. Another realm is taking, for instance, the email address of all the people that you’ve now gotten, and then handing that off to another group that’s interested in doing phishing attacks, exercising malware against these individuals to try to steal their information. There are a lot of potential uses for the data.

While we’re into hacking, we talked a little bit about that for the Russians, the Chinese, etcetera. There’s state sponsored hacking. I don’t know if you remember back in the day when you had an unlisted phone number and all of a sudden your phone would ring and it was just, “Who got my number?” Somebody’s sitting there going 1 1 1, 1 1 1, 1 1 1, 1 1 2, 1 1 3, 1 1 4. They do the same thing with the IP address, which is a unique address for each computer and server, etcetera, that’s publicly exposed on the Internet. They’re just randomly running through those and looking to see what’s alive. Once they find something that’s alive they start scratching at it.

April: It’s a special mark, right?

Adam: Yeah, exactly. Once they find something that’s alive they’ll actually pass it to a secondary team. The secondary team will find out what all they can do with this box; if it has this piece of functionality or that, they’ll hand that off to secondary teams. We’ve actually experienced this in almost live fashion with a customer of ours who had a device that they set up on the Internet. They stood it up and within 12 seconds the hackers had already randomly hit that IP address and were already starting their analysis. 30 seconds later there was a new round of IP addresses that were trying to hammer the box, and another 45 seconds...

April: This is not just some bored hacker with some aberrant happenstances getting the connections. This is a highly organized collaborative system.

Adam: Wildly profitable. I’m sorry, the head of Interpol put out an awesome statement. This was actually a month, month and a half ago, saying that presently the value of cyber criminal activity has now surpassed the total global sales of cocaine, heroin, and marijuana combined. It’s unimaginably lucrative. They don’t have the same exposure. They don’t have to grow anything, transport anything; they don’t have to go anywhere. They can be sitting within their own facilities or traveling around and do their activity from wherever they like.

April: A whole new global economy.

Adam: Yup, you got it. It’s out there. The fact that consumers will leave or avoid companies that suffer a security breach is another item. Lastly, 86% of the breach cases were originating from hacking, with 92% of those being carried out by some type of external agent. Bottom line is that for data breaches the vast majority of them are happening from external activity, and it’s real.

Let’s talk about recent medical breach and loss. We took a look at May 2012, i.e., the month we just had. It is actually a great resource for folks to go take a look at, to see what’s going on in the security world. It is an aggregated and summarized version of what’s going on out there. There were 16 different reported breaches. Of the 16 reported breaches, there were four where they didn’t yet have record counts against those. The breach sources came across a wide variety of arenas: breach via the web; a hospital network that was actually breached; physical breach, i.e., they were broken into; somebody lost a device; another one had an inadvertent Internet exposure; another one had some inappropriate employee access to information by someone that shouldn’t have been accessing it. The sources were coming from a myriad of arenas, if you will. The total record count was 103,500.

Now with the per record charge that I was talking about earlier, the $194, literally, that equals a dart throw of 20 million dollars worth of cost to these organizations. The average record count in one of these breaches was 6,500, so it was 1.2 million dollars per breach at the $194 a record. This is really happening. That’s something that, just generally speaking, businesses, organizations, healthcare, finance, education, legal, accounting firms, everybody needs to really get. This is real. It’s really happening. The notion of not doing anything about it proactively is something that ultimately is going to bite these organizations.

April: I think part of the issue is that it’s rather invisible. It’s not like there’s a trail of broken glass in most cases that’s going to cut our feet when we walk in in the morning.

Adam: That’s part of the reason why I underline the reported breaches. The bottom line is there are organizations that get breached every day that don’t have any idea it’s happened. The hacker is gaining access to the system. Seriously, what better way to just continue to get a stream of data? You find a vulnerability that you exploit. You get in there, you pull the data that you want, on your way out the door you go ahead and wipe off all the fingerprints and everything like that, and you walk away. Then you come back another two months later, three months later, when there’s some more data, and go do it again. There are many organizations, just because of their internal vigilance or lack thereof, that don’t even know that they’ve been breached.

April: If you’re not actively monitoring, making sure your security’s up to date, then what you don’t know is probably a lot scarier than what you do know.

Adam: What you don’t know is going to hurt you, yes. Let’s talk about security testing, different ways of doing security testing. We’re going to start with vulnerability scanning. Vulnerability scanning is a relatively inexpensive process to undertake. I always say vulnerability scanning is real similar to the antivirus software you have sitting on your PC.

April: A first step that everyone thinks of when they’re talking about protecting their IT, right?

Adam: Sure, yup. The way an antivirus works on your machine is it pulls in a data file and looks for patterns on your machine that equal virus patterns. If it sees one of those patterns, either on your disk when it does a scan or in information coming to or going from your system, it’ll flag it and say, “I think you might have a virus here.”

The vulnerability scan works in a similar fashion. It’s a preconfigured list of vulnerabilities.

April: Things that are known about already.

Adam: Correct, and it’ll go ahead and scan the system for things that it’s configured to look for. If it finds something that looks like a pattern match, then it’ll go ahead and flag it and it’ll show up on your report. It’s typically run against the external network layer, providing cursory website coverage. There are vulnerability scanners that will run for websites, but in order for those to be effective they have to be customized. You have to customize those scanners, so it’s a more intensive process to be able to get the scanner to work appropriately with the web application.

April: And not drive your support team nuts, right?

Adam: Exactly. It won’t evaluate any custom code. It won’t look for logical faults in the code. In other words, let’s say you have a user name and a password and I go ahead and log in with that user name and password. Behind the scenes it just puts a certain unique value in my URL. That is the way that it validates that I’ve been authenticated. Now, maybe it issues a token as well. If I’m then on these internal pages and I condition my URL correctly and I can fake out a token, I must have authenticated then. It’s that type of thing. That’s an example of a logical fault in the code that a vulnerability scanner just wouldn’t catch.

This automated report will contain false positives, and that’s the most important thing. As an example, we had a company contact us saying they needed some help. They’d run a vulnerability scan. When they ran the vulnerability scan they came up with 1,500 pages of vulnerabilities. They didn’t know which way to go, which way to turn, what to look at. Everything under the sun was up on this report. A lot of that was false positive, but a lot of it was all related to a couple of core security issues that the organization really had. That’s an example, though, of some of the challenge that you’ll see with a vulnerability scanner.

It is better than no testing at all, but it does provide a false sense of security. The backdrop you have to keep in mind is that the vast majority of testing that High Bit does, as an example, is done in the PCI compliance arena, payment card industry, doing testing for them. It’s required on an annual basis for larger organizations to have this testing done. We do the testing every year. These organizations are required also to have vulnerability scanning. Every single year with organizations that are running vulnerability scanners, we haven’t run a test yet and found nothing. The vulnerability scanner is providing some coverage but not total.

April: It sounds like even if you have an automated, well configured system you still have to have the human behind it who can dissect the results, who can understand that this particular alert really is safe and it’s not something we need to worry about, but this one is a concern. It gives some level, but it doesn’t get us all the way there.

Adam: Right. The other thing that I wanted to bring up about vulnerability scanners is that they’ll categorize the results into, let’s call it for the sake of this discussion, highs, mediums, and lows. Most organizations will then go, “The highs we have to get fixed right now, the mediums we’ll go ahead and fix too, but the lows, just leave them. We don’t need to worry about those right now.”

I can’t even begin to tell you how many times we’ve taken two or three of those low vulnerabilities and, depending on the customer’s system, joined them all together and poof, we’ve created a critical vulnerability or created a high vulnerability, etcetera. It really takes some expertise to be able to navigate through those reports.

April: Then, if vulnerability scanning won’t get us all the way there, how does penetration testing fare for them?

Adam: Penetration testing is more costly than vulnerability scanning, but provides expanded coverage. What a penetration test is, is a security engagement done by a security engineer. One of the many tools that they use is usually multiple vulnerability scanners. They’ll run multiple vulnerability scanners as part of the input, but they will also do customized web vulnerability scans. They’ll run through the websites manually. They will look at all the ports and IP addresses, look to see what all’s open, and then what can they do with that information. They will take the summary of all of those inputs and start playing around with it.

Where I was talking about the two or three low level vulnerabilities that look benign, they’ll take those. They’ll conjoin them. They’ll find faults there. They’ll find logical faults in websites. They will think outside of the box. They’re human beings that not only can think independently, but better yet are experienced security engineers that have done this many times before. They’re often able to identify vulnerabilities that can’t be picked up otherwise.

April: Adam, is the penetration testing engagement limited to just IT, or does it also sometimes involve other things, maybe the physical facilities or the staff policies that are in place?

Adam: Typically, it’s centered around the IT arena. It’s typically around the infrastructure, typically around the technical components of security. If you will, penetration testing is a point-in-time test or validation of the security of your web and network layers. It’s performed both externally and internally on the network. An external engagement is one similar to what we talked about with the foreign hacking community, etcetera; that’d be an engagement similar to that. If I were somewhere else outside of your facility, how could I get in?

There’s also one called an internal penetration test, which, quite frankly, is one of the most valuable ways to go about doing the security assessment. What that does is it basically makes the assumption that in some way, shape, or form, out of the myriad of ways that an organization can be breached, it has been breached; once I’m on the internal network, now what can I do? It does things like looking at the network, the websites, printer/photocopier/scanner/fax machines. I know when you were telling me about some of the up front questions about what are some areas that people typically miss from a security perspective, I have to tell you those printer/photocopier/scanner/fax machines, the all-in-ones, those things are a gold mine.

April: Good to know.

Adam: When they’re not appropriately configured. Every single one of them has a hard drive on it, and so it’ll store images of what’s gone over the photocopier/scanner, etcetera; whether you’re faxing or what not, it doesn’t matter, it goes onto the internal hard drive. If that device is inappropriately locked down, since most of them are networked, if I’m on the internal network and that’s not locked down I can get onto it. Once I’m onto it, I can go ahead and do things like pulling all the images that were on that device.

April: Because it’s stored the history of all the files that have been transmitted.

Adam: Yup. We were talking about lost and stolen devices, etcetera. That’s one of the things that organizations are starting to become aware of, the fact that if they jettison an old all-in-one scanner you better make sure that you cleanse that drive that’s inside of there. The recommendation that we’ll make when we’re looking at an organization is that they require the company that does their support for those devices to wipe the device before it goes on to any third party or is disposed of. In a lot of cases, they’ll use third party vendors for that arena. Back to the list: wireless systems. It’ll cover all your major developer languages. It’ll cover you whether you have a virtual, i.e., cloud environment, physical servers, or whether you’re using a hosting facility. It performs all of that.

We talked about what they do in terms of the engagement. As for certifications, what you should be looking for in a penetration testing organization is certified security engineers that have background checks, that are qualified to be doing what they do, etcetera. What you’re ultimately looking for in a good security engineer, one is experience. From the certification side of things, you want to have someone that is familiar with the web arena, i.e., development, multiple languages, multiple platforms, or has worked across a wide variety of types of systems, etcetera. You want to make sure that you have somebody that really has a good background and experience.

The penetration test will go through all of those inputs that we talked about, the scans, they’ll look at the website, etcetera. They’ll take all of that as well as their manual exercise, etcetera, and they’ll put it into a report. The report will typically have some type of executive summary that gives you a high level overview of the types of things that were found during the engagement. It’ll also provide detailed prioritized findings on each of the vulnerabilities that were addressed. It’ll say this is the vulnerability that was found, here’s some examples of where we found it, here’s what it means, here’s how critical it is in your environment. The coolest part is the how-to-fix-it specifics. It’s not “head in this general direction and go figure it out.” It should be, for instance, you have a setting on a server that’s incorrect. It’s this setting, it’s located here, it’s currently set to this, you should set it to this.

April: You want to find someone who’s going to give you all the specifics that you need to address the issue. The other key I think you said here, Adam, was a prioritized list of findings because in your example of the clients who had 1,500 pages of results from a vulnerability scan I’m sure they didn’t know which ones were really serious and where to start. I think that in this environment when the compliance officers and the CIOs have their hands absolutely filled to the max trying to just meet compliance and meaningful use implementations they really need to know where to direct their resources which unfortunately are limited.

Adam: With a penetration testing style engagement, and really for any organization that’s never really addressed security, and unfortunately there’re a lot of them out there, our recommendation is start with the penetration test. Make that your first step out of the gate because what it does is it arms your internal staff, your developers, your network administrators. It arms them with the answers, not a 1,500-page report where they have to figure out what’s real and not, and it could be months before they figure it out.

In most cases, organizations that receive a penetration test report have the capability to take the report, go, take immediate action on real security vulnerabilities in and on their systems today. The typical turn time on that, depending on how urgently the client wants to get things closed up, it literally can be days. They can receive the report, go off, correct things.

The last and equally important part of that engagement is doing what’s called remediation testing, which is, after the customer has addressed the issues, the security company coming back and validating that not only did you close it, but did you close it correctly? Did you close it without opening any new vulnerabilities, etcetera? That’s an important part of that process. You want to make sure, as you’re closing out these security issues, that you’re not opening up new ones by the way that you resolved them.

April: I don’t have legal expertise to draw on. We’d have to track down Tatiana for that, but it seems like as we look at the penalties that HHS has set forward that the penalties are extremely high if you are willfully negligent. Then, on the other side of the spectrum, if you’re showing due diligence by doing a risk assessment, by creating an action plan, and then showing that you have addressed those items, even when, I’m going to say when, you do have a breach at least you have the proof by an outside third party that you did your due diligence. You looked at what was wrong. You made your attempt to fix it, and you had someone validate that those changes worked.

Adam: Sure. It’s interesting for organizations that go down the path of doing a penetration test for the first time it’s, I don’t want to say fun, from our perspective it’s fun to see their eyes open, see them go, “Wow, we didn’t...”

April: That moment of panic.

Adam: If you will, it’s panic of “holy moly, we had this stuff,” but in the same sense it’s this moment of relief that says, “Thankfully we can just go get this stuff addressed.”

April: Instead of them not knowing.

Adam: Yeah, heck yeah. The bottom line is for the engagement, you said that there was that small organization that ended up getting their hands slapped with a $100,000 fine, which is, admittedly, one of the lighter ones out there.

April: Teeny tiny.

Adam: Penetration testing is a fraction, a fraction of the implications. Strongly recommend that people go get that piece done for their technology side.

April: Maybe we think of these healthcare providers as having endless budgets, but as they’re pressured to improve healthcare buck up costs. It’s not like there’s unlimited amount of funds to go towards penalties, but then when you look at the businesses associates that could clearly be the difference between them staying in business and being there to help clean up the mess at the end of it.

Adam: Yup, you got it. To bring this to reality, I like going through these examples. This is a sample of a medical facility that had a penetration test performed. This was a medical clinic. I’ll say it was about 20 or so doctors that were in there, a fairly large facility as they go. They were leveraging one of the top nationally recognized electronic medical records companies as their EMR provider, but that same provider was the one that was providing their day-by-day support, doing the servers and workstations and firewalls and making sure that they were good. Basically, they had some questions about how secure they really were. We went in and did a test with them. It was a full coverage external and internal penetration test, so we were coming in from the outside. We also pretended we had gotten in and we were on the inside. When all was said and done in terms of the results of it, several vulnerabilities were identified externally, one of which allowed us external access to the internal network. In other words, anybody could’ve done this. It wasn’t anything special we did. Anybody could’ve done it from the outside.

Once inside, just because of a wide variety of vulnerabilities that were internally on this network, we took over every server, every workstation, the firewall. We gained access to sensitive medical data: prescriptions, full contact information for patients, social security numbers.

April: Gold mine.

Adam: Doctors’ signatures and their narcotics ID numbers. The bottom line is that had we been bad guys we very easily could’ve gone ahead and generated fake prescriptions, submitted them to the pharmacies, you name it, literally could’ve done everything. These are some examples of the implications of a penetration testing engagement. Now, they first got their report and went ahead and got everything addressed, but it was unimaginably eye opening for that customer to see that play out.

April: I imagine it’s going to be really difficult for vendors who are providing software to be able to self evaluate, because you need that third party independent person to come in with a fresh perspective, a fresh pair of eyes. They’re going to be checking for things that, if you’re close to the trees, you just might not have on your horizon.

Adam: Sure. Next up, we’ll talk about social engineering. It’s kind of a new term that’s being used and thrown around out there. So far we’ve talked about vulnerability scanning. We talked about penetration testing. Those are really assessments of the technical infrastructure for an organization. Whereas social engineering is an engagement that’s taken on by a security company with specific objectives in mind, typically involving some type of a ruse where you’re coming in, you’re faking a story, or you’re pretending to be somebody that you’re not, etcetera. These tests are really intended to exercise the capabilities of the target organizations. As an example, let’s just say it’s a hospital setting. That type of an engagement would test things like policies and procedures that are established by the organization, how well they train their personnel on those policies and procedures. Once the personnel are trained, how well do they follow the policies and procedures? It really is the type of an engagement where a lot of things can be exercised, really more at an organizational level, looking at the peripheral elements of security that can support a secure infrastructure.

Some of the testing objectives may be physical security assessment, looking at the physical security of the facility itself. Can you get access to the things you shouldn’t...

April: Are the doors locked?

Adam: Doors locked, rear access, critical infrastructure in a hospital setting, etcetera. Can I get unauthorized access to the facilities or to the systems? Then, again, the assessment of the security awareness training. In many cases, organizations will choose to incorporate social engineering into their penetration testing as part of their penetration test. The way that they’ll do that comes in a number of forms. One, they want to know about the other elements. Two, they want to conjoin a social engineering exercise with penetration testing to mimic some type of a physical attempt, whether it’s physically on site or you’re calling in on the phone and creating a ruse that way. Can I get access to systems in that manner? Then, using inputs that you gain from the social engineering exercise as inputs to the penetration test, just as additional inputs outside of whatever you could discover during the actual testing engagement itself.

Other organizations are conjoining the social engineering engagements after they’ve gone through an audit. As an example, a medical facility that goes through and gets their HIPAA certification and becomes HIPAA compliant, after they’ve gone through that exercise, they’ve done all the training, they’ve brought everybody up to speed and everything, great. Three months later, go ahead and have somebody come in and make some attempts to gain unauthorized access to your systems, etcetera. In many cases, the results are, again, eye opening for the organization. It really points them to areas of their capability or areas of opportunity for improvement, whether it’s their policies, whether it’s their training, whether it’s adherence to training. It really gives them a real good idea of where they stand, if you will.

April: Even though social engineering, just by the word engineering, sounds technical, this is really the people aspect of HIPAA compliance.

Adam: Right, absolutely.

April: The penetration testing is focused more on the IT infrastructure. The social engineering really focuses on how well you communicated what people have to do to follow HIPAA compliance and how well they’re actually following those procedures on a day to day basis.

Adam: Yeah, absolutely. It’s the type of exercise where it’s just another tool in the toolbox for organizations to leverage as they continue to enhance their stance from a security perspective. We’ll go through an example of a social engineering engagement.

It was a hospital in the United States. They were looking for a couple of different things. One, a physical security assessment, assessing where they stood from a physical security perspective, the doors locked and rear entry and things like that. They also wanted to assess the security awareness training that they provided for their personnel. They also wanted to see whether or not someone could gain access to technical resources through this endeavor or through this test.

The results of the test were that, from a physical security perspective, the testing engineer got direct access to the generator, the generator supply lines; direct access to their roof, boiler room, electrical room, water supply. The information that was provided to the customer allowed them to make a series of changes to how they did what they did, how they secured different areas of the hospital, in order to prevent this. That was that aspect of it.

From the data safety perspective, basically the security engineer got direct access to two different networks of the hospital. One was more the patient network, and one was the doctor network. The people at the hospital sat the security engineer down onto these systems to go ahead and gain access.

April: The social engineering in the works there.

Adam: Exactly. They allowed unescorted access to their administration building, which ultimately led to the breach of one of the folks in IT, one of their machines as well. It was very eye opening. The net result of that was a lot of recommendations, a lot of suggestions for how to improve their policies and procedures, enhancements to their training policies. They obviously re-rolled out training to everybody. The interesting part was that through this experience it was something real and tangible that made sense to the staff of the hospital. They really got it. It really rang true with them and brought it home. Bottom line is that social engineering exercises are actually quite successful in almost every case because of that human nature. Human nature is to be trusting.

April: They’re health people, right? Good point.

Adam: Yes, it provides some examples to the hospital administrators and the staff that a little cynicism could go a long way to protecting their information.

April: Adam, we’re going to wrap up here. I know you’ve put together a list for us of some of your top best practices to improve healthcare security. We’ll wrap up there. We’ll squeeze in a couple questions if we can. Feel free to put them in the question box if you have them. Be reassured we will be posting all of the slides and this recording within the next couple days and we’ll email that out to everybody.

Adam: You want me to go through this quick?

April: Let’s run through it.

Adam: All right. I’m not going to run through all of this. I see we have about six minutes left here. I’ll run through some key elements because some of these are fairly straightforward, if you will. Let me go over the big hitters from this list. From a firewall perspective, go and take a look at how your firewall’s configured, what it’s allowing in/out. Is it set correctly? Do you need everything that’s accessible there? Have you patched up your firewall? Those are all really good elements. The other is, a lot of firewalls have what’s called an intrusion prevention or intrusion detection system; in many cases it’s just an add-on from the provider of the firewall. Go ahead and get it. It will ward off a fair amount of ugly traffic that you just don’t want or need to see and provide you with some protection.

Servers, workstations, the machine side of things, the biggest one, bar none, is get rid of software you don’t need. I can’t begin to tell you how many engagements we’ve done where we’ve had old stale software sitting on someone’s server that they don’t even use anymore. It’s just sitting there. We’ll be able to leverage that old unpatched software to basically penetrate into an environment.

Wireless, just making absolutely sure that you have your guest network totally separate from your internal network. Our recommendation of best practice is set the wireless for guest in front of your corporate firewall. In many cases, you can logically segregate your guest wireless system from your corporate network. If you have the capability to just bolt it in outside of the firewall so it’s absolutely no question, then that will take one more element out of the mix.

Passwords and password handling, this is one that I love to go over because it’s something that every single participant that’s on this line can benefit from and every single organization that they work at can benefit from. This is both personally and as a business: using a password manager, i.e., KeePass. It’s a freely available password manager that you can go download for free. KeePass for Windows, KeePassX for Mac. You go and you download it for free. It’s basically a password manager. What the password manager is, you make yourself one super ugly password.

April: Long phrase.

Adam: Really long, ugly, numbers, letters, special characters and all that good stuff, and the only place you ever, ever, ever use that password is on your password keeper. My suggestion to people is go create it, think about it, memorize it, play around with it, test yourself, do you know the password, the whole bit. Because if you lose the password for your password keeper, you’re pretty much out of luck. Go in and get that. Then, what you can do is in the password keeper you can actually generate, randomly generate, passwords.

For instance, you have your Yahoo account or your Gmail account or your Facebook account. You go in and, typically, what I’ll do is I’ll go look at how many characters they will allow me. They allow 60 some odd characters.

April: Sixty it is.

Adam: I’ll use sixty some odd characters. I’ll use letters, numbers, special characters. It’ll be ugly. Every single one of those passwords will be a random password, then I store them in the password keeper, and I use the password keeper to go ahead and get myself logged into systems.

April: You don’t use your birthdate for your passwords, Adam?

Adam: No.

April: No.

Adam: No. Actually, it was interesting that with a lot of the breaches that have been happening lately, they take the breached accounts and they’re actually doing statistics on the passwords that are in there. It’s amazing how many people use the same password. I’m being silly, but ABC123. There’s people that have that password. Not just one person, many. Use a random password, make it difficult everywhere. The reason why that’s really important is when you hear the news story about LinkedIn, as an example, which is a recent huge data breach that happened. It affected people in the business community. If your password for LinkedIn was the same as your Chase account, where you have the capability to go ahead and do external transfers of money, the hacker’s going to grab that password from the LinkedIn breach and they’re going to go over...

April: And your email address.

Adam: They’re going to go, try and take a couple cracks at your user name and password. In all likelihood they’re getting in. They’re going to do the same thing on other financial institutions, etcetera. You don’t want a breach in one location to mean everything that you have is breached. The password keeper is bar none the best way to go about handling that because you’ll have different passwords everywhere.

Let’s take a look here, the rest of it we’ve hammered away pretty well. Security testing, obviously, if an organization that has not done it, do it.

April: Wonderful. Adam, great information. We have a couple questions we’ll squeeze in here in the last 60 seconds. I’ve seen reports about breaches that were lost or stolen laptops, but I’ve not seen any regarding lost or stolen phones. Have you seen any examples regarding lost phones as a breach?

Adam: Yeah, absolutely. The bottom line is I can go ahead and dig up some samples, shall we say? The problem with the phones is that they can be used for a wide variety of things. One, you think about it, your address and your contact list that are on the phone. If you don’t have the password to get on the phone, the phone’s immediately accessible, number one. Number two, there’re all your addresses and contacts in there. In most cases, people have it tied to their email accounts, so now I’m getting sensitive information about the organization itself. Oftentimes, the attachments to those emails are also on the device.

April: On the device.

Adam: I also have the capability to go ahead and take the documents that are on there and store them on the device. There’s a wide variety of things that can be done with those phones, not the least of which is many people will go ahead and put their own personal details into those phones and it becomes an identity theft issue as well.

April: Double risk. Second question and then we’ll wrap things up: is there a high level body of information available that shows the percentage of gross revenue that a company should spend for the entire security stack? I’m guessing that might not be an easy answer.

Adam: Percentage of gross revenue … that is a huge question. I guess I’ll answer it in this way, and that is, is there some dart-thrown number of what you should be spending or not? Not really. For every organization it’s going to be different. The bottom line is that there are a lot of elements of security. We talked about elements of security that relate to the technical infrastructure. We’ve talked about elements of security that relate to the organizational structure. There are things like policies and procedures. If you’re doing software development, as an example, developing the software in a secure manner, integrating security testing into your development process, doing regular testing of your systems, etcetera. There’re a lot of aspects to it. I guess to just sum it up at a high level, like I said before, the bottom line is that security testing is a fraction of the cost that an organization will undertake if they’re breached. Really, it’s getting to the point where it’s significantly more advantageous to just be proactive about your security, about where you stand. A lot of organizations just want to know where they stand in the grand scheme of things. That’s a good thing.

April: Sounds like it’s going to be one of the easiest investments to justify.

Adam: Absolutely. We haven’t seen an organization yet that was disappointed they did it.

April: Great feedback. Thanks so much everyone who joined us today, stuck with us for the whole hour. I know we had a ton of awesome information from Adam. Adam and I will be getting back with anyone who has follow-up questions. Please feel free to contact us. You’ll see our email addresses are posted on the right. Please join us on July 17 for our next Tuesday at Two webinar, “Overcoming Cloud-Based Mobility Challenges in Healthcare.” We’ll be talking with AnyPresence, a builder of mobile apps. August 14th, we’ll be talking with Tom Gomes from the TATE Organization, Transformations at the Edge, talking about his use of cloud to accomplish meaningful use on a zero dollar budget. If you’re going to be at the upcoming HIMSS shows, we look forward to seeing you there, and please reach out to us anytime if you have any follow-up questions. Adam, thanks.

Adam: Thank you very much.


Adam Goslin, COO, High Bit Security, LLC

Adam has an IT career that spans almost two decades, recently leading the IT and Infrastructure teams of an E-Commerce Supply Chain Management company as the Vice-President of IT, including leading the company through achieving PCI DSS Compliance. Adam went on to found the full service security firm, High Bit Security, LLC., specializing in performing cost effective Penetration Testing and assisting companies looking to achieve or maintain their Payment Card Industry Data Security Standards (PCI-DSS) compliance. For more information about securing your systems, you can email Adam at
