Presentation Transcript

1. Virginia Prescription Monitoring Program (PMP)-Information Database Hacked4/30/09

   Presenter: Tinashe Mubvumbi Risk Management IA 612 12/9/10
2. Agenda Introduction Virginia Prescription Monitoring Program (PMP) Incident Impact to Society Impact to Company Demonstrate inherent risks in e-Health through the Vulnerabilities of Virginia PMP incident Analyse the ramification of I.T Vulnerabilities for the push toward e-Health Conclusion & Recommendation on the Virginia PMP hacking
3. Why Database was Created To prevent the misuse of prescription drugs Used to correlate data on narcotic prescriptions to make sure citizens are not “doctor shopping” getting extra meds from different doctors. Right or wrong ? Similar bodies will be setup with online, government controlled electronic healthcare records.
4. What’s in the database? The Prescription Monitoring Program database contains records of all prescriptions of certain federally controlled drugs dispensed by Virginia pharmacies since 2006. Vicodin and Oxycontin had the most tries with fake prescriptions Until it was shut down in the wake of the hacker attack, the system allowed doctors and pharmacists to track those prescriptions and watch for patterns of abuse. More than 38 States have similar monitoring programs
5. Who has access ? 1. A prescribing practitioner in connection with the patient 2. A dispenser in connection with the dispensing of a monitored prescription drug; 3. Federal, State, and local law enforcement 4. Certain health care regulatory boards (Physicians, Pharmacy, Nursing, Dental, Podiatric) 5. Secretary for reporting to the Governor, the President of the Senate and the Leader of the House 6. To individual patients whose data has been submitted to the data base.
6. Incident Contd. Hacker broke into a Virginia state Web site used by pharmacists to track prescription drug abuse. 8,257,378 patient records and a total of 35,548,087 prescriptions Made an encrypted backup of all the records They deleted records on more than 8 million patients including backups Replaced the site's homepage with a ransom note demanding $10 million for the return of the records
7. Data That Is Collected Each time a covered drug is dispensed, the following data is collected: Patient's name and address Patient's date of birth Covered substance dispensed Quantity of the covered substance dispensed Date of dispensing Prescriber's identifier number Dispenser's identifier number Prescription number Customer identification number, which could be a Social Security number.
8. Virginia PMP Website Defaced
9. Ransom Note "I have your [expletive] In *my* possession, right now, are 8,257,378 patient records and a total of 35,548,087 prescriptions. Also, I made an encrypted backup and deleted the original. Unfortunately for Virginia, their backups seem to have gone missing, too. Uhoh :(For $10 million, I will gladly send along the password.“ == hackingforprofit@yahoo.com
10. Incident Contd. State discovered the intrusion on April 30, 2009 Shut down Web site access to dozens of pages serving the Department of Health Professions. State temporarily discontinued e-mail to and from the department pending outcome of a security audit PMP staff had processed requests manually from the end of June until the system became available for 24/7 access on October 1, 2009. PMP program processed greater than 1,000 requests during one twenty-four hour period for the first time.
11. Timeline of Incident
12. Incident Contd. The breach also affected approximately 1,400 registered database users, largely pharmacists and physicians June 4, 2009 The state of Virginia is notifying 530,000 people by mail that their Social Security numbers (SSNs) may have been compromised in a computer security breach
13. Analysis of Incident Hacker definitely managed to compromise the web site because the front end web page was modified. Indicates that several protection layers failed at the VPMP. Web Server running IIS on Windows 2003, better options available (maybe the hacker got access through a different vulnerability) According to the message left by the hacker, he also deleted the backups (?? Any decent backup system will only allow you to backup the data or read it Only the backup administrator should be able to delete the backups
14. Analysis of Incident Companies offering remote access to their employees Convenient for their employees to work remotely by making data accessible via the web. But this often serves as an invitation to criminals, who can launch attacks, such as SQL injection, to gain access to web server database contents.
15. Analysis of the Incident Contd. Northrup Grumman awarded $2 Billion, 10-year contract http://www.northropgrumman.com Statement from former I.T Employee “The IT infrastructure in Va. is being taken over by Northrup Grumman who are converting everything to their "vision" of a unified network, and cutting corners security-wise and equipment-wise in order to make additional profit. While I was there I saw them continually overcharging for equipment, and doing the least work possible in to adhere to the letter of their contract. The worst part is that Northrup Grumman has managed to build an organization, staffed by its own employees, that has the authority to override state employees who won't sign off on bad infrastructure designs. I saw several cases where state employees would refuse to approve a network design because of security, and/or scalability problems, only to have the project go forward because a Northrup Grumman employee was allowed to sign off in the place of the state employee. Since I left just about everyone that I worked with has left for a better job. While I was there, the contractors had real problems getting anyone to staff the security team, and based on a quick check of open infosec jobs around the Va. datacenter, it looks like they still haven't managed to fully staff the security team there.”
16. Impact to Society Have you ever told your doctor something private that you wouldn't want your friends and neighbors or a tabloid paper to know? Have you ever received a medical test result that you wouldn't want shared with your employer? Some patients have been unable to get their prescriptions for painkillers or other medications filled because access to the database has not yet been fully restored even though pharmacists are still required to use it. Database was still offline until 1 October Identity theft e.g., Credit cards maybe criminally opened and abused Information may be sold on the black market
17. Impact to Society Contd. Medical identity thief could contact the pharmacist and initiate a refill of that medication These are highly sought-after drugs, easily converted to cash on the street in sales to addicts If patients records are used for illicit refills, it could make it difficult for them to get legitimate refills. Insurance carriers also affected
18. Impact to Society Contd. Hackers have ability to steal records, alter information, or simply deny access.  Imagine if the database that was taken down had the real time medication data for a patient arriving at an emergency room in extreme distress.  How much could you be compelled to pay if a hacker had your life in the balance?  Or the lives of hundreds of thousands of patients? to extort untold sums of money
19. Impact to Company Company might be sued – consumer class lawsuits Loss of goodwill Information might be altered and the whole purpose of this database defeated instead of aiding legitimate people, it will be used as a tool for illegitimate reasons This is supposed to be HIPAA protected information, only available through official channels or authorization by patient
20. Impact Contd. Recent attacks demonstrate that your most private healthcare information is seriously at risk. Risks set to grow exponentially if there negligence continues Healthcare plan is heavily focused on the use of electronic health records to help modernize our nation's healthcare system. Recent stimulus package provides $19 billion for the next two years for the use of health information technology and an additional $50 billion total over the next five years. The benefits of "e-Health" are substantial and this is a policy direction our nation should be taking
21. Security Glitches: Backup Issues Hacker erased 3 separate backup Accessed the main database via a backup server to erase data Storage media for backup should not be connected to network except at time of making backup Only admin should be able to delete backup Backup tapes , Off Site backup, air gapped backup, tapes on shelf
22. Security Glitches: Backup Issues Disaster management department(DMD) is doing what, before the incidence? They have not maintained a single isolated backup copy of the whole database. From a Maryland Recommendation The Virginia data was stored in a data base that did not deploy the latest security protections, which are fundamental to the statewide HIE. What occurred in Virginia serves as an important reminder of the vulnerability of a PDMP that uses a client-server model where security protections are often insufficient to protect the data
23. Security Glitches Contd. Problem with application developers leaving a hole ? Did they allocate $ to test application Is system administrator monitoring and blocking range of problem ip’s Infection might have been from one hijacked pc Or infection from one of their employee workstations Executives accused of lack of proper I.T Skills and there are a lot of incompetent I.T people in the department
24. Cyber Security Issues for Health Information How safe are your medical records? May 2003, A Colorado medical office had 6,500 patients’ records stolen by a hacker. In addition to the compromise of the records, billing stopped and scheduling was jammed. October 2008, hackers infiltrated 20 separate databases on a server at the health services center at UC Berkeley and stole social security numbers and birth dates. May 2009, hackers took control of the Virginia Prescription Monitoring Program, demanding a $10 million ransom for the return of 8 million patient records and 35 million prescription records. July 2009, A former security guard for a Dallas Hospital was arrested for allegedly breaking into the confidential information computer system. He posted the videos of his hacks and encouraged other hackers to help launch massive attacks
25. Medical Cyber Security-Who does it affect? Hospitals Doctor’s Offices Patients Pharmaceutical Companies Insurance Companies
26. Growing increase for Medical Cyber Security The federal government has set a goal of universal adoption of Electronic Medical Records (EMRs) by 2014. The belief is that EMRs will bring benefits to the industry and patients, allowing doctors to be more accurate, provide speedier care and lower costs. “An EMR is a collection of medical information in a digital format that can be accessed on a computer and shared by numerous medical providers treating a patient” (http://californiahia.org). EMRs include a patient’s medical history, prescription history, test results and personally identifiable information. Presently, there is not a secure network for EMR software and security protocols vary widely among medical providers.
27. Threats Threat presented by hacking is principle behind not moving to e-Health Who’s out there? Hackers Criminals “Script Kiddies” Terrorists Previous and/or Disgruntled Employees
28. What are they after? Data: Intellectual property Financial/Identity information Communications content Resources: Communications functions Bandwidth Conducting business: Day to day operations Disaster/emergency response
29. Methods and Tools Types of attacks: Social engineering Phishing Malware Intrusions Denial of service
30. Vulnerability Network vulnerability Inadequate oversight by health care providers Defects in the health information systems and vendors that fail to disclose the defects. Health information systems are as critical as banking systems, however banking systems have more elaborate security measures in place.
31. Security Mindset For proper implementation leaders and security professionals should strive for better practices so as to have a medical cyber security mindset. Perimeter defense against hacking becomes irrelevant when many of the applications are Web-facing and many employees have access.
32. Security Best Practices Knowledge update: Know the security systems you run Read security bulletins from the vendors System and console-physical security: Install systems in a secure location where only authorized personnel have access User passwords: Use strong passwords with upper and lower case, punctuations and symbols Require periodic password changes
33. Security Best Practices User Education: System administrators should educate users on basic security practices Keep Systems up to Date: Security patches from vendors can close known security holes Vulnerability Testing: Consider periodically scanning systems with appropriate tools or contracted services to identify risks
34. Security Best Practices Monitor Systems: Maintain system logs for a reasonable period of time Analysis could identify suspicious activity Backup and disaster recovery: Reliable backup and recovery procedures will help mitigate the damage of a failure or outside influences.
35. Risk Management in e-Health Risk management: understand what information is being stored and where, what are the requirements (confidentiality, availability, integrity), what are the vulnerabilities, and how to control. In addition to general security policies, organizations offering remote access should: Provide effective user training and awareness. Define and communicate a sanction policy in the event of a loss, breach, or violation Implement, test, and maintain a security incident response program including identification, containment, response, reporting, and recovery.
36. Risk Management in e-Health Contd. Access 2 factor authentication for remote access Authorization procedures to validate business need prior to granting access Role-based access control based on job function Automatic session and terminal time-out Storage Inventory of assets with records of employee property Encrypt data at rest Device locks Regular data backup and archival Acceptable use policies for public and remote access Transmission Secure connections with strong cryptography Malicious code protection (AV and Firewall)
37. Conclusion As more healthcare data is exchanged online the threat of cyber-criminals accessing this data increases Robust well tested systems should be put in place for systems supporting this information preferably the National Security Agency and NIST Formulate external backup policy and always test DR procedures It seems there is a rush to quickly put electronic health records online, companies are not doing the right things to make sure they're secure.
38. References http://californiahia.org/Content/ul/8693//Harmon_Medical_Cyber_Security.pdf http://news.cnet.com/8301-1009_3-10233348-83.html#ixzz17YbOWeGR http://voices.washingtonpost.com/securityfix/2009/05/hackers_break_into_virginia_he.html
39. Questions?