Healthcare Data Today: In Motion or Out of Control?

Posted: 28th October 2014 by VPN Haus in IT policy, VPN

The healthcare industry alone is responsible for 900 major network security breaches since 2009. And it’s not hard to see why – healthcare data is far more valuable to hackers than data stolen from retailers or financial providers. Find out how, even in this hostile environment, one hospice provider has been able to secure its data in motion.

From October 2009 through the present day, one industry alone has reported 900 different breaches. And none of those 900 were limited in their scope – in each, at least 500 individuals were affected. Who knows how many other smaller breaches happened, without public knowledge.

The industry we’re describing probably isn’t any of the ones you might guess – maybe retail or financial services – it’s the healthcare industry. And we can be absolutely certain that the numbers really are this high because the healthcare providers are required by law to disclose any breach affecting 500 or more individuals.

Since the HITECH Act of 2009, the U.S. has been grappling with how best to adopt new technology like electronic health records and telemedicine tools. The challenge is always to walk the line between improving patient care, without jeopardizing patient privacy.

For that reason, the Department of Health and Human Services is now responsible for reporting breaches to the public. It doesn’t matter whether the breach is the result of negligence involving an inadequate remote access policy or the theft of a laptop – all major incidents are reported. Healthcare information is particularly valuable to attackers because it can lead to even more lucrative data, such as bank account information or prescriptions that can be used to obtain controlled substances.

Yet, these incidents involving healthcare providers aren’t the ones making national headlines. Usually, widespread public panic involving network security is reserved for high-profile breaches of retailers and financial providers instead.

The silver lining is that every time another Target or Home Depot is attacked, retailers are again reminded that they could be next in the crosshairs. Their response is to reinforce their defenses. And as we know, hackers are persistent, but they’re still governed by human nature. They will aim for the path of least resistance – there’s little reason for them to try, and potentially fail, to attack an on-notice retailer, if an unaware, vulnerable healthcare provider is also in the picture.

That’s why the FBI put healthcare providers on notice back in April, with a warning that they could be especially vulnerable to cyberattacks. The FBI said that the healthcare industry is not as “resilient” to cyberattacks, despite how much damage they could cause.

That’s in part why three government agencies – the U.S. Food and Drug Administration, and the Departments of Health and Human Services and Homeland Security – hosted a public workshop on October 21-22 to “catalyze collaboration,” as a means to improve medical device cybersecurity.

That information session helped bring these issues to the forefront, but ultimately, when it comes to healthcare network security and keeping “data in motion” safe, the responsibility rests primarily with individual providers.

Healthy Patients, Healthy Network Security

One such provider is American Hospice, which calls a secure communications environment a “cornerstone” of its mission to care for patients. For a national care provider like American Hospice, whose 180 home healthcare workers treat more than 1,500 patients, secure remote access is essential.

American Hospice employees need to be able to safely and quickly update files while on the road. It’s not just about meeting HIPAA requirements involving privacy – it’s about improving worker productivity (by removing manual, paper-based processes), reducing operating costs and protecting sensitive patient information, as well as its own IT system integrity.

In May 2010, American Hospice turned to a Secure Enterprise VPN solution and gained all of these benefits. Workers are now able to safely and remotely access the network through secure mobile devices, allowing them to keep the main office updated, in near real-time.

The goal of all healthcare providers ought to be safer care for patients and peace of mind for their families, and thanks to its secure remote access capabilities, American Hospice has finally reached that point.


Want to learn more about remote access VPN?

Remote Access VPNs For Dummies

In Remote Access VPN For Dummies, we cover:

- The full VPN landscape, including hybrid IPsec/SSL VPN solutions
- The evolution of remote access VPN
- How to provide users with secure remote access
- How to simplify remote access VPN and reduce costs

Download Now

It’s no longer enough to use “123456” for all your passwords. As attacks against major companies have shown, there are just too many threats to network security for consumers to feel safe with a “set it and forget about it” password management strategy. That’s where two-factor authentication – combining something you know with something you have – will protect you.

In August, it happened again: a headline-grabbing warning that 1.2 billion passwords had been stolen by a Russian cyber gang, dubbed CyberVor, caused quite a stir. While questions were raised about the legitimacy of the CyberVor report and the scant details surrounding it, wh

In the past, these types of events did not even make it into specialized magazines and news services, much less major news outlets. And if they did, superlatives were required to capture anyone’s attention. However, just because password theft may not always garner a big news report, it doesn’t mean it isn’t happening all the time.

On the contrary, and especially during the past year, quite a few companies have admitted to being victimized by data breaches and losing control of large amounts of data. Big retail chains Home Depot and Target experienced security breaches that culled information from more than 100 million cards combined, while 233 million eBay users were put at risk of identity theft after an online security breach. 

Going forward, we have to be prepared for the possibility that private information provided to a third party, like a merchant or a public agency, will be stolen. What does this mean for the security of user passwords? “Set it and forget about it” password security simply does not exist anymore. Passwords today can only be regarded as a temporary security measure that should be limited in both time of use and number of accounts.

Nevertheless, experience shows that users recycle the same password for many or all of their accounts. For many, it’s just not feasible to memorize dozens of unique passwords that are sufficiently strong.

Users can avoid this problem and improve their data security by implementing a secure password safe, such as 1Password or KeePass, on their end devices and by using a really strong password to secure it. The safe contains the passwords of all accounts and automatically applies them during the login procedure.

Two-factor authentication is equally as safe. In addition to a password, the user is required to have a second component for verification. With this method, the user has to combine knowledge (password) and ownership (mobile phone, token).

Two-factor authentication has long been a standard for safety-critical applications. For example, it has been possible for years to secure VPN remote access using a second authentication factor. In the past, the “something you have” component of two-factor authentication consisted of a small token displaying a number necessary for login. The user had to enter this one-time password (OTP) in addition to the password. Now, other solutions are available that do not require the use of tokens. Select VPN solutions with Secure Enterprise Management (SEM) capabilities, for example, allow for use of OTP with mobile phones or smartphones.

With the exception of online banking providers, websites have rarely offered two-factor authentication. However, due to the increasing frequency of data theft, more sites are offering it. For example, Microsoft (OneDrive, Word.com, etc.) and Facebook now offer two-factor authentication, and Dropbox can also be secured with a second login factor. This added layer of security helps reduce the risk of data theft even if a user could not resist picking his pet’s name for a password, or if he decided to pick the most popular password worldwide: “123456.” 

Although it’s long been possible to securely implement remote access, sloppy work and carelessness have increasingly created critical vulnerabilities. As convenient as it would be for businesses to have all their IT service providers working on-site, just down the hall, that’s not always possible. That’s why secure remote access is a component frequently found in the digital toolboxes of service providers that offer maintenance, troubleshooting and support from locations other than where the product or system is being used.

This arrangement makes sense: It saves enterprises time and money.

Yet, that doesn’t mean remote access is always foolproof. Although it’s long been possible to securely implement remote access, sloppy work and carelessness have increasingly created critical vulnerabilities.

In April 2013, for example, it became possible to damage Vaillant Group ecoPower 1.0 heating systems by exploiting a highly critical security hole in the remote maintenance module. The vendor advised customers to simply pull the network plug and wait for the visit of a service technician.

About one year later, AVM, the maker of the Fritz!Box router, also suffered a security vulnerability. For a time, it was possible to gain remote access to routers and, via the phone port functionality, to make phone calls that were sometimes extremely expensive. Only remote access users were affected.

Then, in August 2014, Synology, a network attached storage (NAS) supplier, was affected. In this case, it was possible to gain control over the entire NAS server data through a remote access point.

Finally, at this year’s Black Hat conference in August, two security researchers revealed that up to 2 billion smartphones could be easily attacked through security gaps in software.

It’s clear that these attacks and vulnerabilities are all part of a trend – and they speak to the importance of businesses eliminating remote access security gaps.

Who is Responsible for Securing Remote Access?

There’s no doubt that remote access is an important network feature. IT support speed and troubleshooting capability would be greatly hampered without remote access. It is also needed for mobile workers to establish connections to their corporate networks via a VPN.

VPNs by design are secure and when users implement, maintain and utilize them properly, the technology works perfectly. However, security lapses may occur in cases where a user is unaware that secure remote access has been provided, i.e. it’s more or less a hidden feature, or he does not show any interest in it.

In the Fritz!Box case, the critical issue of increasing digitization in private environments could be seen very clearly. Despite the problem being reported by numerous media outlets and the vendor quickly releasing a firmware update, tens of thousands of routers were still affected, many of them weeks later.

Unfortunately for IT administrators responsible for network security, not every Internet user reads computer magazines and stays up-to-date with information from various news services. Not every router owner has the tech savvy or feels comfortable updating device firmware. They may do the bare minimum – understand the purpose of a VPN and comply with the necessary security policies – but what if they don’t? Or what if they aren’t even aware of security measures?

The value of VPN solutions is that they provide a layer of security protection, for when users unknowingly create security vulnerabilities. This means IT administrators are responsible for improving the security of remote access, by using up-to-date, approved technology and implementing automated update procedures that fix reported bugs quickly and without user intervention.

For the last 30 years, a common line of code found in a piece of software has quietly been a dormant security vulnerability – but now, news of the exploit has gone public, sending the network security community into reaction mode.

The Shellshock vulnerability can be traced back to Bash, a command shell that is commonly used across the Internet on Linux and UNIX platforms. Bash translates user commands into language a computer can understand and then act upon. In the case of Shellshock, hackers could exploit Bash by issuing arbitrary software commands, potentially allowing them to control systems.

In the immediate aftermath of Shellshock’s discovery, security experts claimed the exploit had surpassed last spring’s Heartbleed as the worst software vulnerability of all time. One reason is that Shellshock’s reach could be even greater than the Heartbleed vulnerability, which only affected software using the OpenSSL encryption protocol. Shellshock’s reach could even extend to Internet of Things devices, since their software is built on Bash script.
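A detection-side illustration of the Bash flaw described above, added here as an example and not taken from the original post or any vendor: Bash exported shell functions through environment variables whose value begins with `() {`, and web servers that run CGI scripts copy request headers into environment variables, so that marker turning up in a request header or URL is what intrusion-detection rules for Shellshock key on. The scanner below parses combined-format access logs and flags requests carrying the marker; the log lines, IP addresses and the `scan_access_log`/`summarize` helpers are constructed for this example.

```python
import re
from urllib.parse import unquote

# Bash treats an environment value beginning with "() {" as an exported function
# definition; the Shellshock flaw was in how it handled text after that definition.
# The marker itself is the signature, independent of whatever follows it.
SHELLSHOCK_MARKER = re.compile(r"\(\)\s*\{")

# Apache/nginx "combined" log format:
# ip ident user [time] "request" status bytes "referer" "user-agent"
COMBINED_LOG = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)


def has_shellshock_marker(value: str) -> bool:
    """True if the marker appears in the field, checked after one round of URL-decoding
    so percent-encoded spellings of the same bytes are caught as well."""
    return bool(SHELLSHOCK_MARKER.search(unquote(value)))


def scan_access_log(lines):
    """Return one finding per request whose URL, Referer or User-Agent carries the marker.
    Lines that do not parse are reported too, rather than silently dropped."""
    findings = []
    for line in lines:
        m = COMBINED_LOG.match(line)
        if not m:
            findings.append({"ip": None, "field": "unparsed", "value": line, "time": None})
            continue
        for field in ("request", "referer", "agent"):
            if has_shellshock_marker(m.group(field)):
                findings.append(
                    {"ip": m.group("ip"), "field": field,
                     "value": m.group(field), "time": m.group("time")}
                )
    return findings


def summarize(findings):
    """Collapse findings to the distinct source addresses, the first thing an analyst
    triages or blocks."""
    return sorted({f["ip"] for f in findings if f["ip"]})


# Constructed sample lines (not from any real server, addresses from documentation
# ranges). Line 2 carries the marker in the User-Agent, line 3 percent-encoded in the
# Referer; line 4 has parentheses in the path but no function-definition syntax.
SAMPLE_LOG = [
    '198.51.100.7 - - [26/Sep/2014:09:12:01 +0000] "GET /index.html HTTP/1.1" 200 3210 '
    '"-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '203.0.113.9 - - [26/Sep/2014:09:12:44 +0000] "GET /cgi-bin/status HTTP/1.1" 500 0 '
    '"-" "() { :; }; echo probe"',
    '203.0.113.9 - - [26/Sep/2014:09:13:02 +0000] "GET /cgi-bin/status HTTP/1.1" 500 0 '
    '"%28%29%20%7B%20%3A%3B%7D%3B%20echo%20probe" "curl/7.37.0"',
    '198.51.100.7 - - [26/Sep/2014:09:14:10 +0000] "GET /docs/functions()/intro HTTP/1.1" '
    '200 1410 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
]

if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"{f['time']}  {f['ip']}  in {f['field']}: {f['value']!r}")
    print("sources to triage:", summarize(SAMPLE_LOG and scan_access_log(SAMPLE_LOG)))
```

A hit in a log proves only that someone sent the marker, not that the server was vulnerable; the decisive control remains the vendor Bash update the post goes on to describe, with log review used to find hosts that were probed before the patch landed.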

For the last few weeks, website administrators have been making the necessary updates to protect users. Within a week of the vulnerability going public, Amazon, Google and Apple responded with patches and internal server updates.

Even so, it will take some time for the fallout from Shellshock to subside.

The Year of the Cyberattack Continues

This year has not been kind to the network security community. Although the Target breach occurred in 2013, the fallout has continued well into this year. Then came attacks at Neiman Marcus, eBay and, just last month, Home Depot. And, of course, Heartbleed and Shellshock.

Even in the last few weeks, news broke that more than 200 stores in the Jimmy John’s sandwich chain were breached by a remote hacker who stole customer credit and debit card information. And just like in the Target breach, where hackers infiltrated the network through an HVAC contractor, a third party of Jimmy John’s was also to blame – attackers gained network access and login credentials from a point-of-sale vendor.

The Jimmy John’s attack provides yet another example of why network security isn’t as straightforward as guarding against attacks just on the immediate network. Every network endpoint is a potential attack vector, whether it’s part of the direct network or operated by a third party who only accesses the network occasionally. This is why it’s so critical for network administrators to implement secure VPNs, as part of a comprehensive, layered, defense in-depth approach to network security.

Now, there have been reports that some VPNs could be vulnerable to attacks launched through the Shellshock exploit, but it’s important to note that these remote attacks only apply to servers rooted in OpenVPN. VPNs using the proven IPsec standard, on the other hand, ensure privacy, shield remote users from a range of malicious attacks, and serve as another line of defense.

And in the fight against Shellshock, users need every defense mechanism they can get their hands on.

The crack of the starting gun has very different meanings for runners, depending on the distance of their race. To marathoners, it means to start conserving their energy as they take the first step in their 26.2-mile journey. To sprinters, the starting gun is a signal to channel all of their physical and mental ability toward completing one goal that is only seconds and a handful of meters away.

Perhaps that’s why we always hear “it’s a marathon, not a sprint” – most goals are far away, and they require focus to be met. But maybe this is unfair to sprinters. After all, if the average person were asked to name a runner, he or she would be more likely to say Usain Bolt – the fastest man in the world and, by the way, a short-distance runner – than the most recent winners of the Boston Marathon.

The world of IT is going through the same transition, away from the traditional support of “marathoning” to meet goals. Technology has evolved to the point where it’s often pure speed – not slow-moving, deliberate execution – that IT departments need to thrive. David Wright, CIO of McGraw-Hill Education, has seen the transition first-hand. He said that the “innovation tempo” has increased for his company as the market has changed.

Although Wright’s comments are generally about IT as it relates to product development and other customer-facing activities, the takeaways extend into other realms of IT, including network security.

Learning to Jump Hurdles

For CIOs, network security isn’t so much about the speed vs. distance analogy. A CIO really needs the best traits of both – the endurance of a marathoner to steer a consistent network security vision and always anticipate the next threat, as well as the speed and adaptability of a sprinter to consistently fend off new attacks.

A better comparison between network security and running is probably any event that involves hurdles. In a marathon or a sprint, runners go into the event with a plan. Yes, there are other competitors out on the track, but in many ways, it’s more of a race against the clock. But in hurdling events, there’s a much greater likelihood of a runner getting tripped up – clipping a foot on a hurdle or stumbling over a fallen competitor, for example. The unexpected should always be expected.

In much the same way, today’s cyber attackers move from threat to threat quickly, putting up hurdles everywhere and always keeping CIOs on their toes. If one attack vector doesn’t work, attackers will persist and just move on to the next one. They’ll somehow find holes in the network security infrastructure, just as they did with a vulnerable HVAC provider in the Target breach.

So, what can CIOs do?

Just as attackers constantly leave hurdles in the paths of IT departments, CIOs can build hurdles of their own to ward off attackers. A defense in-depth approach is built on redundancy. It uses different “hurdles” – including VPNs with central management functionality and firewalls – to make it harder for attackers to anticipate what might be around the next bend in the track. Even if an attacker is able to clear every network security hurdle, defense in-depth ensures that a network administrator is able to isolate an attack before its effects are able to spread.

Defense in-depth is just the strategy network administrators need to win the race against cyber attackers.

To learn more about the rapidly changing network security space, including mobile security and BYOD best practices, please join us at Interop New York, October 1-2, where we’ll be presenting at Booth #613.

Read More:

The Workplace of the Future and What it Means for Network Security
