Sunday, April 21, 2019

NIST Special Publication 800-66 Rev 1 and How it Applies to HIPAA


For this blog (#4), I decided to write about a National Institute of Standards and Technology (NIST) publication, in particular NIST Special Publication 800-66 Revision 1, An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, which can be found here: https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-66r1.pdf. I have talked plenty about breaches in the health care industry in my past posts, and why companies should follow HIPAA rules. I have also discussed the consequences and punishments for not following them. What I haven’t really discussed, though, is how companies should implement the HIPAA Security Rule. So that is where this blog will focus.
The publication starts with a background. It states which entities the Security Rule applies to. These include health care providers, health plans, healthcare clearinghouses, and Medicare prescription drug card sponsors. It also discusses the NIST Risk Management Framework (shown below in Figure 1) and how it links to the Security Rule. It does this by providing a wonderful table that describes not only the phases and descriptions of the Risk Management Framework (RMF) steps, but also how each step links to the Security Rule in particular. For example, in step one, categorize information systems, the link to the Security Rule is: “Identify assets and information systems that create, receive, transmit, or maintain EPHI”.

Figure 1 NIST Risk Management Framework (NIST, 2008)

It then provides several different considerations when applying the HIPAA Security Rule. These are broken down into several sections: Administrative Safeguards, Physical Safeguards, Technical Safeguards, Organizational Requirements, and Policies and Procedures and Documentation Requirements. All of these sections are then broken into smaller sections. I will discuss a little about each section to provide an overview of what this document provides.
The administrative safeguards include nine separate subjects, with topics such as: security management process, assigned security responsibility, workforce security, contingency plan, etc. Each section has key activities that must be implemented to prevent, detect, contain, and correct security violations, which is the HIPAA standard. One of the key activities in the security management process is to develop appropriate standard operating procedures. The description is to “Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports” (https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-66r1.pdf). The guide also provides sample questions to help implement these activities, such as “How will exception reports or logs be reviewed?” All the remaining sections and subjects are presented in table form, which provides an easy way to ensure compliance. An example of the table is shown below.

Also, note that above each section, the specific HIPAA standard that the key activities correspond to is listed. The table above is from the Assigned Security Responsibility section. The document does this for all the HIPAA standards that must be followed.
There are four physical safeguards mentioned in the document. One of the most important, in my opinion, is facility access controls. Protecting physical access to information is just as important as technical access. Typically, when you go to a doctor’s office, they take all your information down and add it to your chart. Often, the nurses then put it outside the room for the doctor to grab before they come in. Now, as I have never actually looked there, I can only imagine it could provide some useful information to someone who simply walked by and took a chart as they moved along. This is why controlling access to floors or wings is important, and that is what this section covers. One of the key tasks is to develop access control and validation procedures: basically, how an organization validates those who need access. The rest of the physical safeguards section deals with workstation use and security as well as device and media controls.
Finally, as far as controls are concerned, there are the technical safeguards. There are five separate controls that should be implemented. One that I want to discuss is the audit controls section. I mention it because this document is very helpful to an organization in that it provides an auditing section which helps an organization actually audit its systems. One key task is to develop appropriate standard operating procedures, which is made easier because many of these procedures can be written using this NIST publication.
The last two sections are the organizational requirements, which deal primarily with contracts and group health plans, and the policies and procedures documentation requirements. This section is of particular importance because following policies and procedures is the way to ensure that these controls are being implemented and followed. The documentation is also proof that the organization is doing this. One of the most important key activities in both of these subsections is the updating of the policies, procedures, and documentation. It is completely useless to create a policy and procedure, or document it, and never look at it again.
This NIST SP is extremely useful to any health organization. The description of the key activities and associated sample questions can help any organization implement the HIPAA standards. It should also help when it comes to auditing, to ensure that a company is following the guidelines, because the document reads almost like a checklist. It makes little sense for a company or organization not to follow these guidelines.
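The security management key activity quoted above (regularly reviewing audit logs, access reports and incident tracking reports) and the audit controls technical safeguard both come down to having a written, repeatable log-review procedure. What follows is an added illustration of such a procedure in Python; it is not code from NIST SP 800-66 or from this blog. The log format, the user names, the authorized workforce list and the review thresholds (business hours, bulk-access count, failed-login count) are all constructed assumptions for the example.

```python
"""Added illustration: a review routine for EPHI access logs, of the kind
NIST SP 800-66 asks covered entities to write a procedure for. The log
format, names and thresholds are constructed assumptions, not values
taken from the publication."""
from collections import defaultdict
from datetime import datetime

# Constructed sample audit-log lines: timestamp user action patient_id outcome
SAMPLE_LOG = """\
2019-04-15T09:02:11 nurse_amy VIEW P1001 success
2019-04-15T09:05:40 nurse_amy VIEW P1002 success
2019-04-15T10:15:00 contractor_x VIEW P1003 success
2019-04-15T10:16:00 billing_bob VIEW P1004 success
2019-04-15T10:16:05 billing_bob VIEW P1005 success
2019-04-15T10:16:09 billing_bob VIEW P1006 success
2019-04-15T10:16:12 billing_bob VIEW P1007 success
2019-04-15T10:16:15 billing_bob VIEW P1008 success
2019-04-15T10:16:20 billing_bob VIEW P1009 success
2019-04-15T11:00:00 dr_lee LOGIN - failure
2019-04-15T11:00:03 dr_lee LOGIN - failure
2019-04-15T11:00:05 dr_lee LOGIN - failure
2019-04-15T11:00:08 dr_lee LOGIN - failure
2019-04-15T23:47:03 dr_lee VIEW P2001 success
"""

AUTHORIZED_USERS = {"nurse_amy", "dr_lee", "billing_bob"}  # assumed workforce list
BUSINESS_HOURS = (7, 19)      # assumption: 07:00-18:59 is normal clinic time
BULK_VIEW_THRESHOLD = 5       # assumption: distinct patients per user per clock hour
FAILED_LOGIN_THRESHOLD = 3    # assumption: failures per user in the reviewed log


def parse_log(text):
    """Turn the whitespace-separated sample lines into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, patient, outcome = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "action": action, "patient": patient, "outcome": outcome})
    return events


def review(events):
    """Apply the review rules and return (rule, user, detail) findings."""
    findings = []
    views_per_user_hour = defaultdict(set)
    failed_logins = defaultdict(int)
    for e in events:
        when = e["ts"].isoformat()
        # Rule 1: any activity by an account not on the authorized workforce list
        if e["user"] not in AUTHORIZED_USERS:
            findings.append(("UNAUTHORIZED_USER", e["user"], when))
        if e["action"] == "VIEW" and e["outcome"] == "success":
            # Rule 2: successful record views outside business hours
            if not BUSINESS_HOURS[0] <= e["ts"].hour < BUSINESS_HOURS[1]:
                findings.append(("AFTER_HOURS_ACCESS", e["user"], when))
            hour_bucket = e["ts"].replace(minute=0, second=0, microsecond=0)
            views_per_user_hour[(e["user"], hour_bucket)].add(e["patient"])
        if e["action"] == "LOGIN" and e["outcome"] == "failure":
            failed_logins[e["user"]] += 1
    # Rule 3: one user touching many distinct patient records within one hour
    for (user, hour_bucket), patients in views_per_user_hour.items():
        if len(patients) >= BULK_VIEW_THRESHOLD:
            findings.append(("BULK_RECORD_ACCESS", user,
                             f"{len(patients)} patients from {hour_bucket.isoformat()}"))
    # Rule 4: repeated failed logins against one account
    for user, count in failed_logins.items():
        if count >= FAILED_LOGIN_THRESHOLD:
            findings.append(("REPEATED_FAILED_LOGIN", user, f"{count} failures"))
    return findings


if __name__ == "__main__":
    for rule, user, detail in review(parse_log(SAMPLE_LOG)):
        print(f"{rule:22} {user:14} {detail}")
```

Each rule answers one of the guide's sample questions in a concrete way: who is allowed to appear in the log, what counts as an exception, and what a reviewer does with it. In practice the thresholds would come from the organization's own risk analysis, and each finding would be routed into the security incident tracking process the same key activity refers to.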

Tuesday, April 9, 2019

How to Apply Ethical Hacking to Healthcare


So for blog #3, I decided to write about ethical hacking, since I took a boot camp and received my certification just a week ago. The reason I am going to discuss this with regard to healthcare is specifically the vulnerabilities I have addressed in past blogs, and how ethical hacking could have been used to prevent those incidents from happening. First I want to talk about the boot camp for Certified Ethical Hacker itself.
The class first taught us how to conduct open source intelligence collection. In other words, it taught us how to look at websites for information that may be helpful to a pen tester. For example, the pen tester may find organization charts, or the email address format. They can search for information on specific employees. Take me as an example. If you search for my name, typically you find a lot of information that shows I am an avid runner, including race results and even pictures of me running. You can also see that I am a Cubs fan and a fisher, just off of pictures from a Google search. You can see my LinkedIn profile that shows my profession. There are also webpages that show I have supported a respiratory health charity. You can find that I am a Florida State alum. All of this is information that can be used against me to attempt to send a spear phishing email to me. In fact, this has been used against me.
A year or so ago, someone spoofed what appeared to be a friend’s email. The name that showed up appeared to be a family friend. Inside the email itself was a link for information about a “race”. Even the wording was crafted quite well, and stated something along the lines of, “Hey Steve I know you love running in races, here is this one I just found, <link>”. It even made it appear to be a charity run. Thankfully, I knew better. This family friend never emails me, so that sent up a red flag right away. I hovered over the name and saw that it was not her email address. I then hovered over the link, and it showed that it wasn’t to the page it said it was. The attacker tried to use all of the information they had found about me against me.
Had I fallen for this, chances are there could have been malware that would allow the attacker backdoor access to my system. They could use pre-written exploits from software platforms like Metasploit (discussed later). Once they had this access, they could continue to scan my network for an internal network that might exist. They would scan for open ports and services to exploit. For example, EternalBlue, which was used by WannaCry, exploited an SMB vulnerability. If I were to click on the link at work, they could then use open ports and services to traverse the internal network. At this point they would also want to establish persistence to ensure that even if I were to turn off my computer, when I turned it back on, the computer would call back to the attacker.
Since the attacker had access, they could have used that backdoor to install a key logger that could record every keystroke I typed. Maybe from there they would then retrieve my banking username and password. They could compromise the camera on my computer and watch what I do (which is a reason I cover the cameras on my systems). We performed all of these attack vectors against systems in a lab. We also exploited wireless devices. The detail is a little more complex here, but basically you can catch and intercept traffic. Of course, a lot of medical devices now have wireless capabilities, so you can see how this could become a problem. So how could this skill affect the healthcare industry? This is where WannaCry comes in as an example.
WannaCry struck in May of 2017. It searched for and encrypted 176 different file types (https://www.symantec.com/blogs/threat-intelligence/wannacry-ransomware-attack). Then the attackers demanded a ransom on the order of US$300 in bitcoins to unlock the data. It especially affected the health care industry, as evidenced by Britain’s National Health Service. It specifically targeted Windows machines, in particular unpatched systems. The exploit was known as EternalBlue, which affected Windows systems from “XP to Windows 7 and various flavors of Windows Server 2003 and 2008” (https://blog.malwarebytes.com/cybercrime/2017/05/how-did-wannacry-ransomworm-spread/). An example of the code is shown below:
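The two checks described above (does the display name match the real sender address, and does the link go where its text says it goes) are mechanical enough to automate. The following Python is an added illustration, not code from this blog or from the boot camp: it parses a constructed message modelled on the one described, compares the display name against a constructed address book, compares each link's visible text with its real destination, and adds a third check on the Reply-To header. Every name, address and domain in it is a placeholder.

```python
"""Added illustration of the two checks described above (display name vs.
real address, link text vs. real destination), plus a Reply-To check.
The message, names and domains are constructed placeholders, not the
real email."""
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed message modelled on the description above; every address is a placeholder
RAW_MESSAGE = """\
From: "Jane Friend" <promo@race-deals.example.net>
To: steve@example.org
Reply-To: collect@payments.example.biz
Subject: Charity run this weekend
Content-Type: text/html; charset="utf-8"

<html><body><p>Hey Steve, I know you love running in races, here is one I just found:
<a href="http://race-deals.example.net/track?id=42">https://www.charity-run.example.com/register</a>
</p></body></html>
"""

# Constructed address book: display names the recipient trusts -> addresses they really use
KNOWN_CONTACTS = {"Jane Friend": {"jane@friends.example.com"}}


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower()


def check_sender(msg):
    """Display name belongs to a known contact but the address is not theirs."""
    name, addr = parseaddr(str(msg["From"]))
    if name in KNOWN_CONTACTS and addr.lower() not in KNOWN_CONTACTS[name]:
        return [("DISPLAY_NAME_SPOOF", f"'{name}' sent from {addr}")]
    return []


def check_reply_to(msg):
    """Replies would go to a different domain than the one that claims to send."""
    if msg["Reply-To"] is None:
        return []
    _, from_addr = parseaddr(str(msg["From"]))
    _, reply_addr = parseaddr(str(msg["Reply-To"]))
    if domain_of(from_addr) != domain_of(reply_addr):
        return [("REPLY_TO_MISMATCH", f"{from_addr} vs {reply_addr}")]
    return []


def check_links(html_body):
    """Anchor text that looks like a URL but points at a different host."""
    collector = LinkCollector()
    collector.feed(html_body)
    findings = []
    for href, text in collector.links:
        if text.startswith(("http://", "https://")):
            if urlparse(text).hostname != urlparse(href).hostname:
                findings.append(("LINK_TEXT_MISMATCH", f"shows {text} but goes to {href}"))
    return findings


def analyze(raw_message):
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = check_sender(msg) + check_reply_to(msg)
    body = msg.get_body(preferencelist=("html", "plain"))
    if body is not None and body.get_content_type() == "text/html":
        findings += check_links(body.get_content())
    return findings


if __name__ == "__main__":
    for kind, detail in analyze(RAW_MESSAGE):
        print(f"{kind:20} {detail}")
```

Hovering over a name or a link in a mail client shows exactly the two fields these checks compare, so the script only does what a careful reader does by hand; the value of automating it is that a mail gateway can flag the mismatch before the recipient has to notice it.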

The vulnerability was actually found a month before the attack began, and a patch was created for it. Patches were even created for XP systems, which were no longer supported by Microsoft. Yet there were many companies and industries still using XP to conduct their work. Something else that I should point out is that this did not spread via phishing emails or social engineering campaigns. It directly exploited the vulnerability. In fact, below is a screenshot of the virus working.
As you can see, the code sets up a back door into the system for the attacker to exploit.
As an ethical hacker, someone can test for these vulnerabilities directly. There are several tools that allow doing this. One we used in the boot camp quite a bit is the Metasploit Framework, as discussed earlier. This tool has preloaded exploits that allow an attacker to “point and click”. For example, in the image below the user selected the EternalBlue exploit, which was the exploit used in WannaCry, and ran show options. This shows the pen tester what information needs to be entered.

The only information the pen tester really needs to add is the target host IP address, as the other options are typically defaults that work (unless the user modified things). All that remains is to fire the exploit. This exploit simply gives the attacker access to the system. From there they can do a lot of harm. For a pen tester, however, this allows them to find these vulnerabilities so they can be patched.
This boot camp offered me the opportunity to test vulnerabilities against a lab environment. It was interesting to see how easy attacks were to make against unpatched systems. It also showed us how hard it was to access patched and updated systems. In fact, for some of the boxes, the only way we could exploit them was via phishing. Hence, as mentioned several times, this is why the healthcare industry should hire pen testers to test their networks and ensure they are patched. The boot camp was a week long and offered by EC-Council. They provided a test voucher with the camp. I recommend it if you are interested in penetration testing.