HITECH Act - Security Testing towards HITECH Compliance
Why is HITECH accelerating security programs in the healthcare industry?
- It applies not only to all HIPAA regulated entities but also their business associates
- Breaches of any “unsecured protected health information” need to be notified to affected individuals, HHS Secretary and media
- Business Associates need to notify the covered entity
- Cost of notification by mail and email are very high. Cost of maintaining a toll free number and staff to address concerns of affected individuals are very high
- State Attorneys General can bring a civil action on behalf of the affected residents of the state in a US district court
What all data is Protected Health Information (PHI)?
Protected Health Information is a combination of the following identifiers that constitute information about health status, provision of health care, or payment for health care that can be linked to a specific individual.
- Postal address information, other than town or city, State, and zip code;
- Phone numbers
- Fax numbers
- Electronic mail addresses
- Social Security Numbers
- Medical record numbers
- Health plan beneficiary numbers
- Account numbers
- Certificate/license numbers
- Vehicle identifiers and serial numbers, including license plate numbers;
- Device identifiers and serial numbers;
- Web Uniform Resource Locators (URLs)
- Internet Protocol (IP) address numbers
- Biometric identifiers, including finger, retinal and voice prints
- Full face photographic images and any comparable images
- Dates directly related to an individual, including birth date, admission date, discharge date, date of death
How should PHI be secured as per HIPAA and HITECH?
- By encryption or destruction.
- The HITECH rule states that though HIPAA does not mandate encryption, to avoid breach notification, the covered entity and business associates would need to employ encryption technologies as recommended by NIST.
- If unprotected PHI has been breached then notification would be required.
Role of Security Testing in complying with the HITECH Act?
- PHI Enterprise wide Data Analysis - Assess where in your organization is electronic PHI data in transit or data at rest in an unencrypted (unsecured) format.
- Verify if the encryption mechanisms in force are as per recommended NIST standards.
- Discover holes in internal and web applications which may expose PHI to unauthorized users by doing penetration tests and code reviews
- Verify the strength of your networks access controls in force through internal and external network penetration tests
- Conduct periodic testing programs to achieve long term sustainable compliance to HIPAA and HITECH requirements.
How to test applications to identify “unsecured PHI”?
As mentioned above, PHI refers to a combination of a lot of information relating to a person. Applications and databases that it communicates with contain a wealth of such information.
To test applications for “unsecured PHI”, the following test cases can be performed:
- SQL Injection
- Cross-Site Scripting
- Parameter Manipulation
- Sensitive content in browser cache
- SSL enabled application
- Password Stealing
- Session Hijacking
These test cases cover the most possible attack vectors that an attacker might use to obtain unauthorized access to PHI.
How to test networks to identify “unsecured PHI”?
To test networks for “unsecured PHI”, the following test cases can be performed:
- Unrestricted remote shares
- Default users/passwords
- Remotely exploitable vulnerabilities
- Anonymous FTP access
- Insecure services
- Insecure mail relay
How to conduct an Enterprise wide PHI Data Discovery and Analysis?
PHI can reside anywhere within an Enterprise including database tables, application servers, browser memory, etc. An enterprise wide data discovery will have to look for PHI at its entry points, during transmission, storage, retrieval, distribution and destruction. An analysis of the same should result in a flow diagram that presents the flow of PHI from entry to destruction. Each of the entities in this flow diagram needs to be reviewed to ensure that appropriate protective measures have been implemented.
Some of the protective measures include establishing security awareness among data entry operators, hardening of workstations, servers & databases, securing applications, enabling logging, implementing strong access controls, authorizing distribution and using safe destruction techniques.
How SIEM (Security Incident & Event Management) plays a role in breach discovery and avoiding breaches?
An SIEM system monitors the network traffic for attack patterns and raises alerts whenever there is an attempted breach into the network. This ensures that attacks are detected in real-time and appropriate protective measures can be put in place to avoid potential breaches. In case of a successful breach, the SIEM system can be used to identify the incident and the events that led to such a breach. It also provides indicators on what information was likely compromised. The SIEM system can also be used to identify the root cause of the breach, which helps in determining the steps to implement the fix and the procedure to follow for breach notification.
Plynt provides penetration testing and code review services to clients worldwide. If you are interested, please contact us for a quote. We’ll get back to you within one working day.Add yours.closed for this post.
- February 2011
- July 2010
- June 2010
- May 2010
- April 2010
- November 2009
- October 2009
- June 2009
- April 2009
- March 2009
- February 2009
- January 2009
- December 2008
- November 2008
- October 2008
- September 2008
- August 2008
- July 2008
- May 2008
- April 2008
- March 2008
- January 2008
- December 2007
- November 2007
- April 2007
- March 2007
- February 2007
- January 2007
- August 2006
- July 2006
- June 2006
- May 2006
- April 2006
- March 2006
- February 2006
- November 2005
- October 2005
- September 2005
- August 2005
- July 2005
- June 2005
- May 2005
You can read full entries of Palisade Blog using an RSS reader. Use this link —