By Eric Cowperthwaite, vice president of advanced security and strategy at Core Security
Considering you could easily spend days poring through the details of HIPAA, it’s surprising how little direct instruction it actually offers. If you want to cut through the fluff, you can pretty much boil HIPAA requirements down to the following: you must perform risk analysis, you must have administrative, physical and technical safeguards in place to manage that risk, and you must document how your program meets these first two requirements. In many ways, it’s up to you to decide what that looks like.
Of course, as HIPAA (and common sense) dictates, your security program should be commensurate with the scope and sophistication of your organization. A small practice with a few doctors, nurses and technicians will have a very different security program from a massive hospital network. But it’s safe to say that for any sizable organization, attack intelligence and validation are two critical parts of a HIPAA-ready security program.
Your organization has probably made substantial investments in security technology. In addition to network firewalls and endpoint protection products, you’ve likely deployed data encryption technology, intrusion detection and prevention systems, vulnerability scanners and log management software, to name a few solutions. Those tools are important, but are the IT security dollars you are spending today significantly reducing your exposure to risk? Will your current security controls convince auditors that your IT environment and EHR system have been adequately secured from inadvertent data loss or deliberate cyber intrusions? Simply running periodic vulnerability scans, monitoring security events, and tuning device configuration is not enough. In fact, the result is a mountain of data, requiring time and valuable resources to process. And in most cases, your teams are already strapped for time. You need a way to narrow your focus on the most vulnerable points of your network and applications.
You can (and should) take your security program a step further with attack intelligence. This requires looking at your organization through the eyes of an attacker. Understanding how real adversaries will behave in your environment is critical to understanding which vulnerabilities pose the greatest threat to your organization, so you can plan your defense strategy accordingly.
Think of it this way: if a vulnerability somewhere within your organization could lead an attacker only as far as last week’s lunch menu, is it a priority? Is it an area where you should be focusing your limited resources? Of course not. But if a vulnerability could lead an attacker all the way to the medical record application servers or the backend databases that hold ePHI, it must be addressed immediately. Attack intelligence enables you to cut through the noise, and focus on protecting the crown jewels.
So you’ve put technical safeguards in place to manage your risk. But how can you be sure those safeguards are really working?
You cannot simply assume that your safeguards and controls are effective – you must test and measure them, and you need documentation showing that you have done so. Penetration testing (attacking a system for the sake of identifying security weaknesses) is necessary to validate that your defenses are truly protecting your critical assets. There are a few ways to approach pen testing:
- Train internal vulnerability management staff to carry out pen testing: This is the most cost-effective option. Core Security’s penetration testing software, Core Impact Pro, can guide relative novices through the process with wizard-driven RPTs (Rapid Pen Tests) or can be driven by uber-pen-testers who want to use customized exploits to target systems. So again, assuming you’re not an extremely small practice, there’s really no excuse for skipping internal pen testing.
- External consulting services: There are two reasons to turn to an external consultant. 1) You’re starting from scratch and don’t yet have the internal resources to carry out pen tests on your own, or 2) you want to validate that your internal pen testing program is functioning effectively by bringing in a third party. These tests are very effective, but they can also be very expensive. I generally recommend bringing in an external consulting service once a year, augmented by weekly, monthly or quarterly internal testing.
- Build an internal red team that carries out ongoing pen testing: A lot of large (e.g. Fortune 100) organizations have a red team, or at least one person who is fully dedicated to ongoing pen testing.
If you’re looking for somewhere to start, remember that when it comes to healthcare records, at some point you’re providing some type of visibility to the patients. That usually involves a web application. Pen testers should target those applications first because they’re the most visible to people on the outside. Once you’re confident your web applications are secure, you can start looking for other points of entry like phishing attacks, other vulnerable systems that are near the target systems, etc.
For a step-by-step guide on incorporating attack intelligence and validation into your security program, download the Threat and Vulnerability Management Maturity Model white paper.
Eric Cowperthwaite is the vice president of advanced security and strategy at Core Security, a vulnerability management and penetration testing software and services company based in Boston, Massachusetts. Before joining the Core Security team, Eric Cowperthwaite was the System Director, Enterprise Security & CISO of Providence Health & Services – an organization with $12.5B in revenue, 32 hospitals and 65,000+ employees. You can find Eric on Twitter @e_cowperthwaite.