HITECH Act - Security Testing towards HITECH Compliance

By balaji

July 14, 2010

Why is HITECH accelerating security programs in the healthcare industry?

  • It applies not only to all HIPAA regulated entities but also their business associates
  • Breaches of any "unsecured protected health information" need to be notified to affected individuals, HHS Secretary and media
  • Business Associates need to notify the covered entity
  • The cost of notifying affected individuals by mail and email is very high, as is the cost of maintaining a toll-free number and staff to address their concerns
  • State Attorneys General can bring a civil action on behalf of the affected residents of the state in a US district court

What data counts as Protected Health Information (PHI)?

Protected Health Information is information about an individual's health status, provision of health care, or payment for health care that can be linked to a specific individual through one or more of the following identifiers.

  • Names
  • Postal address information, other than town or city, State, and zip code;
  • Phone numbers
  • Fax numbers
  • Electronic mail addresses
  • Social Security Numbers
  • Medical record numbers
  • Health plan beneficiary numbers
  • Account numbers
  • Certificate/license numbers
  • Vehicle identifiers and serial numbers, including license plate numbers;
  • Device identifiers and serial numbers;
  • Web Uniform Resource Locators (URLs)
  • Internet Protocol (IP) address numbers
  • Biometric identifiers, including finger, retinal and voice prints
  • Full face photographic images and any comparable images
  • Dates directly related to an individual, including birth date, admission date, discharge date, date of death

How should PHI be secured as per HIPAA and HITECH?

  • By encryption or destruction.
  • The HITECH rule states that although HIPAA does not mandate encryption, a covered entity or business associate that wants to avoid breach notification would need to employ encryption technologies as recommended by NIST.
  • If unprotected PHI has been breached then notification would be required.

What is the role of Security Testing in complying with the HITECH Act?

  • Enterprise-wide PHI data analysis - Assess where in your organization electronic PHI is in transit or at rest in an unencrypted (unsecured) format.
  • Verify if the encryption mechanisms in force are as per recommended NIST standards.
  • Discover holes in internal and web applications which may expose PHI to unauthorized users by doing penetration tests and code reviews
  • Verify the strength of your network's access controls through internal and external network penetration tests
  • Conduct periodic testing programs to achieve long-term sustainable compliance with HIPAA and HITECH requirements.
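The bullet on verifying that encryption mechanisms follow NIST recommendations is the one that is easiest to automate. The following is an added example (not code from the original post or its author) that audits a Python `ssl.SSLContext` against two points NIST SP 800-52 makes about TLS: a TLS 1.2 floor and no anonymous, export, RC4, DES/3DES or MD5 cipher suites. The marker list and the cipher string are assumptions chosen for this example; `weak_ciphers` also works on a plain list of names, so it can be fed the output of whatever TLS scanner you already use.

```python
import ssl

# Substrings that mark cipher suites a NIST SP 800-52 profile does not allow:
# anonymous key exchange, export grade, RC4, DES/3DES, MD5 integrity.
# Assumed marker list for this example; extend it to match the scanner output you review.
WEAK_CIPHER_MARKERS = ("NULL", "EXP", "RC4", "DES", "MD5", "ADH", "AECDH")


def nist_tls_context() -> ssl.SSLContext:
    """Server context restricted to TLS 1.2+ and forward-secret AEAD suites (AES-GCM / ChaCha20)."""
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!MD5")
    return ctx


def weak_ciphers(cipher_names) -> list:
    """Return the names from an enabled-cipher list that match a weak marker (empty list = none)."""
    return [name for name in cipher_names
            if any(marker in name.upper() for marker in WEAK_CIPHER_MARKERS)]


def audit_context(ctx: ssl.SSLContext) -> dict:
    """Check a live context the way the NIST-conformance bullet asks: version floor and suites."""
    names = [c["name"] for c in ctx.get_ciphers()]
    return {
        "tls12_minimum": ctx.minimum_version >= ssl.TLSVersion.TLSv1_2,
        "weak_ciphers": weak_ciphers(names),
        "enabled_count": len(names),
    }


if __name__ == "__main__":
    # Expected: tls12_minimum True, weak_ciphers [] for the hardened context.
    print(audit_context(nist_tls_context()))
    # A constructed scan result with three suites that would fail the check.
    print(weak_ciphers(["ECDHE-RSA-AES128-GCM-SHA256", "RC4-SHA", "DES-CBC3-SHA", "NULL-MD5"]))
```

Run the audit against the context your application actually builds rather than against a fresh one; the finding that matters is a production listener whose `minimum_version` was never raised or whose cipher string still admits 3DES.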

How to test applications to identify "unsecured PHI"?

As mentioned above, PHI is a combination of many pieces of information relating to a person. Applications, and the databases they communicate with, contain a wealth of such information.

To test applications for "unsecured PHI", the following test cases can be performed:

  • SQL Injection
  • Cross-Site Scripting
  • Parameter Manipulation
  • Sensitive content in browser cache
  • SSL enabled application
  • Password Stealing
  • Session Hijacking

These test cases cover the most likely attack vectors that an attacker might use to gain unauthorized access to PHI.
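Three of the test cases above (sensitive content in browser cache, SSL-enabled application, session hijacking) can be checked from a single captured response, because they come down to headers. The following is an added example, not code from the original post, that runs those checks over a constructed response from a hypothetical patient-record page; the URL, cookie name and response bodies are invented for the example, and the weak and hardened responses are shown side by side so the difference is visible.

```python
from email.parser import Parser


def parse_response(raw: str):
    """Split a raw HTTP response into its status line and a header map that keeps repeats (Set-Cookie)."""
    head, _, _body = raw.partition("\r\n\r\n")
    status_line, _, header_block = head.partition("\r\n")
    return status_line, Parser().parsestr(header_block, headersonly=True)


def check_phi_response(url: str, raw_response: str) -> list:
    """Findings for one response that carries PHI; an empty list means all three checks passed."""
    findings = []
    _status, headers = parse_response(raw_response)

    # "SSL enabled application": PHI must only travel over SSL/TLS, and HSTS keeps browsers there.
    if not url.lower().startswith("https://"):
        findings.append("PHI served over plain HTTP")
    elif headers.get("Strict-Transport-Security") is None:
        findings.append("no Strict-Transport-Security header")

    # "Sensitive content in browser cache": no-store tells the browser not to write the page to disk.
    cache_control = (headers.get("Cache-Control") or "").lower()
    if "no-store" not in cache_control:
        findings.append("Cache-Control lacks no-store")

    # "Session Hijacking": a session cookie without Secure can leak over HTTP,
    # and without HttpOnly it is readable by injected script (ties in with the XSS test case).
    for cookie in headers.get_all("Set-Cookie") or []:
        name = cookie.split("=", 1)[0].strip()
        attrs = {part.strip().lower() for part in cookie.split(";")[1:]}
        if "secure" not in attrs:
            findings.append(f"cookie {name} missing Secure flag")
        if "httponly" not in attrs:
            findings.append(f"cookie {name} missing HttpOnly flag")
    return findings


# Constructed responses for a hypothetical patient-record page (not captured from any real system).
WEAK_RESPONSE = "\r\n".join([
    "HTTP/1.1 200 OK",
    "Content-Type: text/html",
    "Cache-Control: private, max-age=600",
    "Set-Cookie: SESSIONID=a1b2c3; Path=/",
    "",
    "<html>MRN 00012345 - discharge summary</html>",
])

HARDENED_RESPONSE = "\r\n".join([
    "HTTP/1.1 200 OK",
    "Content-Type: text/html",
    "Strict-Transport-Security: max-age=31536000; includeSubDomains",
    "Cache-Control: no-store, no-cache, must-revalidate",
    "Pragma: no-cache",
    "Set-Cookie: SESSIONID=a1b2c3; Path=/; Secure; HttpOnly; SameSite=Strict",
    "",
    "<html>MRN 00012345 - discharge summary</html>",
])


def demo() -> dict:
    """Run both constructed responses through the checker; 'hardened' should come back empty."""
    return {
        "weak": check_phi_response("http://portal.example/records/42", WEAK_RESPONSE),
        "hardened": check_phi_response("https://portal.example/records/42", HARDENED_RESPONSE),
    }


if __name__ == "__main__":
    for label, findings in demo().items():
        print(label, findings or "OK")
```

The checker only looks at what the server sent, so it belongs in the crawl stage of an application test: run it over every response that contains a PHI identifier rather than over a hand-picked page, because the page that forgets `no-store` is usually a report or export endpoint nobody thought of as sensitive.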

How to test networks to identify "unsecured PHI"?

To test networks for "unsecured PHI", the following test cases can be performed:

  • Unrestricted remote shares
  • Default users/passwords
  • Remotely exploitable vulnerabilities
  • Anonymous FTP access
  • Insecure services
  • Insecure mail relay

How to conduct an Enterprise-wide PHI Data Discovery and Analysis?

PHI can reside anywhere within an enterprise, including database tables, application servers, browser memory, etc. An enterprise-wide data discovery will have to look for PHI at its entry points and during transmission, storage, retrieval, distribution and destruction. The analysis should result in a flow diagram that presents the flow of PHI from entry to destruction. Each entity in this flow diagram needs to be reviewed to ensure that appropriate protective measures have been implemented.

Some of the protective measures include establishing security awareness among data entry operators, hardening of workstations, servers & databases, securing applications, enabling logging, implementing strong access controls, authorizing distribution and using safe destruction techniques.
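The discovery step and the PHI identifier list earlier in the post fit together: a scanner looks for the identifiers that have a recognisable shape (SSN, e-mail, phone, IP address, date, medical record number) and then asks whether the record also carries health information, since a bare date or IP address is not PHI on its own. The following is an added example, not code from the original post, that does this over constructed records from a few hypothetical sources; the regular expressions, the health-context keyword list and the sample records are all assumptions for the example, and names, addresses, photographs and biometrics from the list need dictionary or specialised matching that is not attempted here.

```python
import re
from dataclasses import dataclass

# Direct identifiers from the PHI list that have a recognisable shape. Assumed patterns for this
# example; each is a candidate detector, so a human still reviews what it flags.
IDENTIFIER_PATTERNS = {
    "ssn": re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "phone": re.compile(r"\(?\b\d{3}\)?[-. ]\d{3}[-. ]\d{4}\b"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "date": re.compile(r"\b\d{1,2}/\d{1,2}/\d{4}\b"),
    "mrn": re.compile(r"\bMRN[:#]?\s*\d{6,10}\b", re.IGNORECASE),
}

# Words suggesting the record carries health status, care or payment information.
# Assumed keyword list; a real deployment would use the organisation's own vocabulary.
HEALTH_CONTEXT = re.compile(
    r"\b(patient|diagnos\w*|prescri\w*|admit\w*|discharg\w*|treatment|lab results?|claim)\b",
    re.IGNORECASE,
)


@dataclass
class Finding:
    source: str          # where the record came from (file:line, table:row, log name)
    identifiers: list    # identifier types found, sorted
    health_context: bool

    @property
    def is_phi_candidate(self) -> bool:
        # PHI is health information *linked to a person*: identifiers plus health context.
        return bool(self.identifiers) and self.health_context


def scan_record(source: str, text: str) -> Finding:
    found = sorted(name for name, pattern in IDENTIFIER_PATTERNS.items() if pattern.search(text))
    return Finding(source, found, bool(HEALTH_CONTEXT.search(text)))


def scan_records(records) -> list:
    """records: iterable of (source, text); returns only records containing at least one identifier."""
    return [f for f in (scan_record(src, txt) for src, txt in records) if f.identifiers]


# Constructed records from hypothetical sources (a billing export, a syslog line, a wiki page,
# an ops note and an EHR export). None of this is real data.
SAMPLE_RECORDS = [
    ("billing.csv:42", "Jane Roe, 123-45-6789, jane.roe@example.com, (555) 867-5309, "
                       "discharged 03/04/2010, diagnosis: hypertension"),
    ("syslog:app01", "Mar 4 10:22:01 app01 sshd[1234]: Accepted password from 10.0.0.5 port 51234"),
    ("wiki:lunch", "Lunch menu posted 03/04/2010, see the intranet"),
    ("ops:notes", "Reminder: patch the servers tonight"),
    ("ehr_export.txt:7", "MRN 00012345 patient admitted 03/05/2010 for treatment"),
]


if __name__ == "__main__":
    for finding in scan_records(SAMPLE_RECORDS):
        flag = "PHI candidate" if finding.is_phi_candidate else "identifiers only"
        print(f"{finding.source}: {finding.identifiers} -> {flag}")
```

Feeding the scanner the output of each stage in the flow diagram (intake forms, message queues, database dumps, backups, log files) is what turns the diagram into a list of places where unencrypted PHI actually sits; the `is_phi_candidate` split keeps the review queue from filling up with every timestamp in every log.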

How does SIEM (Security Incident & Event Management) play a role in breach discovery and breach avoidance?

A SIEM system monitors network traffic for attack patterns and raises alerts whenever there is an attempted breach of the network. This ensures that attacks are detected in real time and appropriate protective measures can be put in place to avoid potential breaches. In case of a successful breach, the SIEM system can be used to identify the incident and the events that led to it. It also provides indicators of what information was likely compromised. The SIEM system can also be used to identify the root cause of the breach, which helps in determining the steps needed to implement the fix and the procedure to follow for breach notification.
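A concrete instance of the detection and reconstruction described above is a rule that correlates authentication events by source address: repeated failures inside a short window raise an alert, and a later success from the same source is the event an incident responder reads back to see which host, and therefore which PHI, was reached. The following is an added example, not code from the original post or from any SIEM product, that implements that rule over constructed sshd-style log lines; the line format, the threshold and window, and the hostnames and addresses are all assumptions for the example.

```python
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# sshd-style authentication lines with an ISO timestamp; the format is assumed for this example
# ("invalid user" variants are deliberately not matched to keep the pattern short).
AUTH_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?P<user>\S+) from (?P<ip>\S+)"
)


@dataclass
class Alert:
    kind: str        # "brute_force" or "success_after_brute_force"
    source_ip: str
    host: str        # the system the attempts targeted, i.e. where the PHI exposure would be
    user: str
    when: datetime


def detect_brute_force(lines, threshold: int = 5, window: timedelta = timedelta(seconds=60)) -> list:
    """Alert when one source fails `threshold` logins inside `window`, and again if it then succeeds."""
    failures = defaultdict(deque)   # source ip -> timestamps of failures still inside the window
    flagged = set()                 # sources already alerted on, so each gets one brute_force alert
    alerts = []
    for line in lines:
        m = AUTH_LINE.match(line)
        if not m:
            continue
        ts, ip = datetime.fromisoformat(m["ts"]), m["ip"]
        if m["result"] == "Failed":
            recent = failures[ip]
            recent.append(ts)
            while recent and ts - recent[0] > window:   # slide the window forward
                recent.popleft()
            if len(recent) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append(Alert("brute_force", ip, m["host"], m["user"], ts))
        elif ip in flagged:
            # A success after the alert is the incident to investigate; host and user bound the exposure.
            alerts.append(Alert("success_after_brute_force", ip, m["host"], m["user"], ts))
    return alerts


# Constructed log lines (documentation-range addresses, invented hosts); not from any real system.
SAMPLE_LOG = [
    "2010-07-14T09:59:50 db01 sshd[2001]: Accepted password for dba from 198.51.100.4 port 50010",
    "2010-07-14T10:00:01 ehr01 sshd[3101]: Failed password for nurse from 203.0.113.9 port 40001",
    "2010-07-14T10:00:05 ehr01 sshd[3102]: Failed password for nurse from 203.0.113.9 port 40002",
    "2010-07-14T10:00:09 ehr01 sshd[3103]: Failed password for nurse from 203.0.113.9 port 40003",
    "2010-07-14T10:00:14 ehr01 sshd[3104]: Failed password for admin from 203.0.113.9 port 40004",
    "2010-07-14T10:00:20 ehr01 sshd[3105]: Failed password for nurse from 203.0.113.9 port 40005",
    "2010-07-14T10:00:26 ehr01 sshd[3106]: Failed password for nurse from 203.0.113.9 port 40006",
    "2010-07-14T10:00:31 ehr01 sshd[3107]: Accepted password for nurse from 203.0.113.9 port 40007",
    "2010-07-14T10:01:00 db01 sshd[2002]: Failed password for dba from 198.51.100.4 port 50011",
]


if __name__ == "__main__":
    for alert in detect_brute_force(SAMPLE_LOG):
        print(f"{alert.when.isoformat()} {alert.kind}: {alert.source_ip} -> {alert.host} as {alert.user}")
```

The second alert kind is what makes the rule useful for breach notification: the single `dba` failure on `db01` never reaches the threshold and stays quiet, while the success on `ehr01` after six failures is a timestamped starting point for working out which records that account could read, which is exactly the "what information was likely compromised" question the SIEM is expected to answer.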
