Hospitals and medical clinics were once places where patients were sheltered from the outer world and had the privacy they required for recovering safely. But with the Internet of Things (IoT) revolution in full swing and online health monitoring devices in abundance, the risks involving data leakage and privacy violation are rising exponentially. How safe is today’s healthcare ecosystem? Not very much, as the following article will show you.
Protected Health Information (PHI) has become a valuable commodity in today’s cybercrime and commercial espionage markets. According to Redspin’s 2013 Breach Report, around 7 million patient records were breached in 2013 alone, a 137.7% increase. Damages (legal/civil and technical) caused by these hackings have crossed the $5 billion mark annually.
Enhanced Functionality, But Security Risks Galore
More and more hospitals are transferring their medical records and information to the electronic medium. This makes it easier to access data on-demand and optimizes the treatment. Once stored in paper files and dusty archives, the patient’s information today is stored in the form of an Electronic Health Record (EHR). Unfortunately, insecure handling of these EHRs is “attracting” more and more hackers.
Data stored in EHRs typically includes demographic details, medical history, immunizations status, lab test results, radiology images, vital signs and also billing/credit card information.
Examples of breaches are many. One such incident occurred in 2013 when M2ComSys, a business associate of Cogent Healthcare, insecurely stored private data on its servers. This technical error resulted in a massive security breach that led to data theft: medical information and private details of over 32,000 patients were exposed due to a misconfigured and/or disabled firewall.
Community Health Systems (CHS) also felt the heat when Chinese hackers exploited the catastrophic Heartbleed vulnerability to break into its systems and steal over 4.5 million patient records. They gained access to user credentials with high privileges via an unpatched Juniper device on the company’s network, a classic case of application security negligence.
While privacy violations can also be the result of physical laptop theft or “inside jobs”, more and more incidents are being caused by inadequate application layer security. The growing consensus is that data has to be stored securely, with the right provisions to deal with commonly used hacking techniques such as the infamous SQL injection. The same goes for strong encryption of data before it is transmitted.
The Vulnerabilities Have Reached the Domestic Domain
The risks are no longer confined to the walls of hospitals and private clinics. With more and more smart devices capable of measuring our heart rate, blood pressure and other vital signs, risks have risen exponentially. Besides the current wave of smartwatches and smartphones, more and more “smart medical equipment” is being used to monitor chronically ill people at home.
“Criminals can also gain access to unprotected devices used in home health care, such as those used to collect and transmit personal monitoring data or time-dispense medicines,” the FBI recently stated. “Once criminals have breached such devices, they have access to any personal or medical information stored on the devices. These devices may be at risk if they are capable of long-range connectivity.”
USA’s domestic intelligence and security service also thinks that hackers can potentially tamper with the application code of the IoT devices to achieve their malicious goals.
Successful attacks can have serious implications: altering the recorded data to deliberately change the course of treatment, cutting off the device altogether and causing untimely deaths, harvesting valuable medical data for commercial or criminal purposes, and the exposure of private medical information without the patient’s approval/consent.
Modern IoT medical devices can work on the go to provide 24/7 monitoring, but there are many safe practices that can be implemented in hospitals, clinics and homes alike:
- Be aware of the IoT devices you are using and the data that is transmitted.
- Disable UPnP on the routers used to connect to the network.
- Always keep your IoT devices updated with security/stability patches.
- Change the default passwords on the device and use secure Wi-Fi networks.
- Isolate IoT devices on their own protected wireless networks.
But even these protocols are not enough to get the job done if the software powering the IoT devices is not secure and the data transferred is not encrypted. Enter HIPAA.
[Figure: The Anatomy of a Healthcare Data Breach. Courtesy: ClearDATA]
Enforcing HIPAA with Secure Web and Mobile Application Development
The Health Insurance Portability and Accountability Act (HIPAA) was enacted by the US Congress and introduced by Bill Clinton in 1996. HIPAA is a comprehensive set of security measures and protocols meant to reduce cases of fraud/theft in the American healthcare sector. Some of the major highlights of HIPAA are application security, safe data storage and proper encryption.
Things that developers need to address in order to achieve HIPAA compliance include:
- Implementing secure user authentication practices.
- Putting emphasis on proper input validation and exception handling.
- Planning applications with robust architecture and access control mechanisms.
- Making sure sensitive data is stored securely and encrypted before transmission.
- Ensuring high code integrity with minimal application layer vulnerabilities.
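As an added illustration (not code from the original article or from Checkmarx), here are the input-validation and injection points from the list above applied to a constructed patient-record lookup: a string-built query beside its validated, parameterized replacement. The in-memory table, its sample rows and the MRN format are assumptions made for the example.

```python
import re
import sqlite3

# Constructed demo EHR table with fictional rows (assumption: schema and MRN format).
def build_demo_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE patients (mrn TEXT PRIMARY KEY, name TEXT, diagnosis TEXT)")
    conn.executemany("INSERT INTO patients VALUES (?, ?, ?)", [
        ("MRN-0001", "Alice Example", "hypertension"),
        ("MRN-0002", "Bob Example", "type 2 diabetes"),
    ])
    return conn

# Medical record numbers in this demo look like MRN-0001.
MRN_PATTERN = re.compile(r"^MRN-\d{4}$")

def lookup_vulnerable(conn, mrn):
    # The caller's input is spliced into the SQL text, so a crafted value
    # rewrites the WHERE clause and can return every patient's record.
    sql = "SELECT mrn, name, diagnosis FROM patients WHERE mrn = '" + mrn + "'"
    return conn.execute(sql).fetchall()

def lookup_hardened(conn, mrn):
    # 1. Input validation: reject anything that is not a well-formed MRN
    #    with an application-level error rather than a raw database error.
    if not isinstance(mrn, str) or not MRN_PATTERN.match(mrn):
        raise ValueError("malformed medical record number")
    # 2. Parameterized query: the driver binds the value as data; it is never
    #    interpreted as SQL, so the query's shape cannot change.
    sql = "SELECT mrn, name, diagnosis FROM patients WHERE mrn = ?"
    return conn.execute(sql, (mrn,)).fetchall()

def record_count(conn, lookup, mrn):
    # Helper for comparing the two implementations on the same input:
    # returns how many rows the lookup exposes, or -1 if it rejected the input.
    try:
        return len(lookup(conn, mrn))
    except ValueError:
        return -1
```

With the classic tautology input, the vulnerable lookup returns both patients while the hardened one rejects the value before it reaches the database.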
One of the most effective ways to ensure that all these guidelines are implemented is to create a secure Software Development Life Cycle (sSDLC). This means that the security solution is integrated into the developer environment and code is scanned in real-time. Vulnerabilities are treated like QA bugs and hence detected early, which helps speed up the remediation process.
The most recommended security solution today for creating an sSDLC is Static Code Analysis (SCA), also known as Static Application Security Testing (SAST). These SAST solutions are capable of finding a wide range of application layer vulnerabilities and coding errors, which provides organizations with good ROI since they don’t have to invest much in post-release maintenance (security patches and Pen Testing cycles).
While complete HIPAA compliance goes way beyond secure applications, high code integrity and proper data handling play an integral part in creating a secure healthcare ecosystem.
Protect Yourself and Secure Your Applications
A Ponemon survey from 2014 revealed a worrying detail: 90% of healthcare providers admitted to having fallen prey to a breach in the span of the last two years.
The massive rise in cybercrime and the targeted attacks on the healthcare ecosystem have led to strict HIPAA enforcement. Healthcare organizations and operations that are not fully HIPAA-compliant can face a barrage of civil and criminal penalties. HIPAA penalties for willful neglect can start from $1,000 and go up to $50,000 for a single violation.
Running vulnerability tests on web and mobile applications is a major step toward HIPAA compliance and fighting cybercrime. The aforementioned Static Code Analysis (SCA) is being recommended by more and more InfoSec experts around the globe. This includes the American IT research and advisory firm Gartner, which has even called SAST (SCA) testing “mandatory”.
It’s important to mention that no application is completely hack-proof and even SAST/SCA can’t completely eliminate all vulnerabilities. Coupling the scanning of code with Pen Testing prior to product release can help create a robust application that’s tough to exploit. A multi-layered approach to application security is the best way to enforce HIPAA compliance.
Make sure you are HIPAA compliant. Learn how Checkmarx can help you. Stay safe.