Keeping Data Safe & Sound

May 12, 2014 at 11:40 am by Staff


If asked what would be most attractive to thieves, chances are prescription drugs would be the first response of those involved with a medical practice. While that answer is probably true, the reality is the street value of their data is likely greater … and frankly much easier to attain.

Medicines are kept under lock and key, but as the SANS Cyberthreat article demonstrated, healthcare providers often leave the ‘back door’ to data standing wide open. The white paper’s author advised, “Think like an attacker … and if you can’t do it, get someone who can.” That’s where Thomas Lewis comes into the picture.

Lewis is the partner who heads up LBMC Security & Risk Services, part of the Lattimore Black Morgan & Cain family of companies. Offering a range of compliance, consulting and managed security services, the team has helped guide federal healthcare security requirements and has a deep understanding of how to implement complex security frameworks. In other words … they are good guys who are really good at thinking like bad ones.

“The bad guys go where the data is, and there’s some very sensitive data in healthcare,” said Lewis. “It’s really the crown jewels.”

He added that healthcare data repositories typically include credit and debit card information, personal health information (PHI) and personally identifiable information (PII), including Social Security numbers and full contact information.

“Identities are great business,” Lewis said. “They go from about $10 to maybe $100-$150 for a good identity. When you steal a database with 5,000 or 50,000 or 100,000 names, that’s a lot of revenue.”

Interestingly, he noted, data theft is the new target of organized crime. It’s much cleaner with a lower risk and higher return than running prostitution and drug rings. Russia and China are two epicenters of such activity. In Russia, Lewis noted, it is most often organized crime. In China, it might also be motivated by corporate espionage, and the target could be research and other intellectual property, as well as identities.

Traditionally, cyberattacks came from breaking through a firewall or external connection, but Lewis said people are beginning to get wise to that route. “What we’re seeing now is a direct attack through the end user … an employee’s workstation or mobile device.” Rather than going straight for the server, cyberthieves enter through a back door and then make a beeline to the server. “They’re going to the weakest link,” Lewis pointed out.

Unlike drug seekers, this type of thief is smart and calculating. Lewis said they now “create their malware polymorphically so it’s constantly changing its state.” He added that antivirus software, which mostly works off of signature-based analysis, has been rendered almost useless.

Another entry point is to hide in plain sight. While most employees are savvy enough not to fall for emails that begin ‘my beloved’ or to click on a link from someone they don’t know, the more sophisticated cybercriminals are embedding malware in emails purportedly coming from well-known companies like LinkedIn or requesting personal information through a fake employee benefits survey.

“It’s really hard to detect a legitimate request from a malicious one,” Lewis said, adding that the easiest way not to get hooked by a phishing expedition is to circumvent the link and go directly to the source. Rather than click on the ‘accept’ button in the email, actually go to the LinkedIn site. If it’s a legitimate request, the invitation will be in your inbox. Similarly, most companies announce when they are doing surveys or updating benefit plans. Pick up the phone and call the HR department if unsure about a request.

Lewis added that you could also let your cursor hover over the link without actually clicking to see the address where you are being redirected. Even that, though, could be tricky because some of the more sophisticated scammers make the malicious address look very much like a genuine one by using a 1 instead of an “i” or a 0 instead of an “o.” The best advice, Lewis said, is “be a little untrusting of links. When in doubt, don’t click on the link.”
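The two checks Lewis describes, looking at where a link really points and spotting digit-for-letter look-alike domains, can be automated on the receiving side. The script below is an added illustration for this article, not code from LBMC or from the original piece. It parses a constructed sample email, compares each link’s visible text with its real destination, and flags destinations whose “skeleton” (1/i/l and 0/o collapsed together, a slight extension of the 1-for-i and 0-for-o examples above) matches a trusted domain without being that domain. The trusted-domain list, the sample email and the two-label “registrable domain” shortcut are all assumptions made for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed list of domains the organization expects legitimate mail to link to.
TRUSTED_DOMAINS = ("linkedin.com", "example-benefits.com")

# Collapse the substitutions the article mentions (1 for i, 0 for o), plus the
# visually similar lowercase l, so "l1nkedin" and "linkedin" get the same skeleton.
_CONFUSABLES = str.maketrans("1il0o", "llloo")


def skeleton(domain):
    """Normalize a domain so look-alike spellings compare equal."""
    return domain.lower().translate(_CONFUSABLES)


def registrable(host):
    """Keep the last two labels (simplification; real code uses the Public Suffix List)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def host_in_text(text):
    """Return the hostname if the visible link text itself looks like a URL, else None."""
    token = text.strip()
    if " " in token or "." not in token:
        return None
    if "://" not in token:
        token = "//" + token          # lets urlparse treat a bare host as a netloc
    return urlparse(token).hostname


class _LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def classify_link(text, href, trusted=TRUSTED_DOMAINS):
    """Return (verdict, related_domain) for one link.

    trusted   - destination is a trusted domain
    lookalike - destination's skeleton equals a trusted domain's but the name differs
    mismatch  - visible text shows a URL on a different domain than the real href
    unknown   - none of the above; not necessarily bad, but worth a second look
    """
    dest = registrable(urlparse(href).hostname or "")
    if dest in trusted:
        return "trusted", dest
    for known in trusted:
        if skeleton(dest) == skeleton(known):
            return "lookalike", known
    shown = host_in_text(text)
    if shown and registrable(shown) != dest:
        return "mismatch", registrable(shown)
    return "unknown", dest


def assess_email(html, trusted=TRUSTED_DOMAINS):
    """Extract every link in an HTML email body and classify it."""
    collector = _LinkCollector()
    collector.feed(html)
    results = []
    for text, href in collector.links:
        verdict, related = classify_link(text, href, trusted)
        results.append({"text": text, "href": href, "verdict": verdict, "related": related})
    return results


# Constructed sample email body: one genuine link, two look-alike domains,
# one unrelated "click here" link and one link whose visible URL lies about its target.
SAMPLE_EMAIL = """
<p>You have a new invitation waiting.</p>
<a href="https://www.linkedin.com/invite/123">Accept</a>
<a href="http://www.l1nkedin.com/accept?id=77">Accept invitation</a>
<a href="https://login.examp1e-benefits.com/survey">https://www.example-benefits.com/survey</a>
<a href="https://cdn.totally-unrelated.net/x">Click here</a>
<a href="https://unrelated-host.test/go">https://www.linkedin.com/</a>
"""

if __name__ == "__main__":
    for r in assess_email(SAMPLE_EMAIL):
        print(f"{r['verdict']:9} {r['href']}  (shown as: {r['text']!r}; related: {r['related']})")
```

Run on the sample, the script reports the first link as trusted, the two digit-substituted domains as look-alikes of linkedin.com and example-benefits.com, the “Click here” link as unknown, and the last link as a mismatch because its visible text names LinkedIn while the real destination is elsewhere. In a mail gateway or user-training tool, anything other than “trusted” is a reason to apply Lewis’s rule and go directly to the source instead of clicking.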

Although it might seem like there are an overwhelming number of ways for data to be breached, Lewis said some relatively simple steps go a long way toward protecting your company information and patient records. The first, he noted, is to have a great level of awareness among providers and staff about cyberthreats. Talk about the types of schemes out there and the dangers of clicking on links without truly knowing the source.

Lewis continued, “Knowing where all of your sensitive data is located is critical … and knowing it down to the application and server level is absolutely critical so you can protect it.”

Practices and facilities often secure the server but are much less aware of peripheral equipment. Items like printers that are connected to the network provide an entry point to the main server. “You really have to put everything that resides on your network through a strong configuration process,” Lewis stressed.

He added that an overlooked feature of printers, fax machines and copiers is that they have a hard drive. Sensitive data is copied or faxed on a regular basis. When the equipment needs to be replaced, it is typically just tossed out. Before the device is thrown away, he said, “You have to make sure that storage goes through a secure delete … a secure erase process.”

No matter how much you educate users, Lewis said criminals are often one step ahead. “Everyone is chasing a silver bullet that doesn’t exist. As long as humans are involved, there are going to be vulnerabilities.” He added, “That’s why monitoring of your outbound communication is absolutely critical.”

Using a device placed on the network, an in-house cybersecurity team or hired consultants can monitor inbound and outbound activity. “We can see what’s going on. We can see what types of attacks are happening, and we can push out countermeasures,” Lewis explained. He added such monitoring requires very specific expertise and must occur 24 hours a day to truly be effective.

In addition to concentrated attacks, a lot of data is still lost through a laptop being lost or stolen. It doesn’t matter whether the thief was looking for PHI or not: once that laptop is gone, it must be reported per HIPAA requirements.

“One of the best ways to avoid being on the Wall of Shame and having to send out all those breach notifications is to securely encrypt your data. Encryption solves a lot of your ills and shortcomings,” Lewis said. He added encryption used to be expensive and difficult to do, but there are now a number of programs that are effective and cost efficient. “The federal government has an encryption certification FIPS 140-2,” he continued, noting you should look for software with that compliance designation.

Lewis certainly sympathizes with healthcare clients who aren’t as protected as they should be. “It’s hard because at the end of the day, all they want to do is run their business and take care of patients. I completely understand that, but the risk is real. It’s not a question of whether or not a breach will happen … they are going to happen … it’s just preparing yourself to reduce the likelihood, reduce the damage and reduce the cost,” he concluded.
