Hospital network security..or lack of.

[sh0tzy]

I work for a non-profit hospital in NE Ohio. We are quite far behind on security and other matters of infrastructure protection. With the looming implemenatation of HIPAA, I have a question...or more like a scenario...I don't know call it what you will.

We have a fairly large network, probably around 2,500 devices on the network, mixture of NT 4.0, Win2K servers, Novell and some Unix. You know what we have in place for security of the whole place? I PIX Firewall. That is it, no IDS, nothing. To make matters worse we have one network admin who is too busy to read any logs or look for any suspicious activity. He claims that a PIX Firewall has never been hacked, which I find hard to believe!

I am just becoming interested in network security, but I can already see that we seem to be ripe for a serious hack, but no one seems too worried about it!

Just wanted to get some others opinions on this.

Thanks,

 

[PerryMc]

'Nice' hackers wouldn't damage a Hospital computer network, 'nasty' hackers wouldn't see any profit in it. I'd think you would be the least likely people to be harmfully hacked. Privacy issues would be another story. I wouldn't expect anything to be necessarily confidential if it's on your system. Big thumbs up to paper and ink. Any form of security requires monitoring to even approach being effective.

Smile anyway,
Perry.

 

[Psychoid]

Hi there.
First of all, don't feel like you're alone; I've seen some serious problems with security in health care organizations. At least you HAVE a firewall.

The PIX is a good firewall and I'm sure that it isn't your weak link. Hence the reason why some people feel that they're protected if they have a firewall. Unfortunately, they are wrong. The discerning person wouldn't try to crack your firewall; he would look for other avenues of entry, such as a modem bank, RAS servers, etc.

If I was in your shoes, I'd have a talk with management about the lack of security and that you need to invest a little more in peace of mind. I know that security costs, but HIPAA violations carry jail sentences.

On a technological level, there are a few things that you can do right now to help yourself:
1) Unplug any modems, RAS devices, Shiva boxes, etc as soon as possible. Since you have a PIX, everybody should be using a VPN to gain access remotely.
2) Audit your NDS or domains for users with admin-equivalant access. I bet you'd be surprised to find out how many users are admins or domain admins.
3) IDS is a great idea, budget permitting
4) Make a concerted effort to look over your logs as much as possible.

Really, though, there is only so much that technology can do. Security really comes as a result of conscientiousness and must be decreed at the upper levels of management. Therefore, your biggest challenge will be to help ingrain security into the minds of the decision makers.

Good luck
------------
Bill
Consultant / Network Engineer
CNE, CCNA

 

[SgtB]

Here's a book. Its a big one, but its good. It covers a lot of the basics of security, and then goes in depth for each. If you want a place to start, then this is it.
*Link below

Like Psychoid said, talk to management. Create a plan to secure you're network, and approach them with it. Find some vulnerabilites, and tell them the worst consequences of someone exploliting it. We're more than happy to help. If there is a setup you think might be a problem, but are unsure of, just post and we'll do the best we can!

Off the top of my head, you might want to get all your mission critical servers together, and surround them with IDSs, ensure ACLs are inplace and correctly configured, and make sure all servers are up to date with patches. Examine your PIX firewall, and make sure the config is proper (there's nothing more dangerous than an incorrectly configured firewall).

Psychoid touched on the "weak-link" theory as well. Your security is only as strong as your weakest link. You can have the best firewall, have some super consultant configure it, and have one web server that isnt patched and and boom...network is compromised.

Security is a full time job, and I wish you the best of luck. Again, any problems, just give a post!


Book Link =

http://www.amazon.com/exec/obidos/tg/detail/-/0735712328/qid=1048084544/

sr=8-2/ref=sr_8_2/104-5203731-9275102?v=glance&s=books&n=507846


________________________________________
Check out

http://www.security-forums.com

 

[sh0tzy]

Thanks for everyone's replie. What I must point out here is that I am customer service tech with an eye on security as a future career (starting in on Security+ right now), so I have no responsibility or authority to do much of anything. I just find it so frustrating that everyone seems to have a blind eye towards security here. We got shut down 3 days over the SQL Slammer! I mean I knew about the patch and I don't even run SQL Servers, but our network admin got caught with his pants down, 3 seperate days.

Weak links? Yup, we got plenty. I am constantly seeing people with a modem setup on their pc that we don't know about and many of them with PC Anywhere configured so they can dial in from home, completely circumeventing IS all together to get access. RAS, yes it is use. We do have VPN through our Cisco equipment, but a very small % of people use it as high-speed is not widely adopted around here.

Enough of my rambling. Thanks for the ideas and links. My thoughts are that we have more than likely been comprimised and we don't even know it and when HIPAA goes into affect we are going to in BIG trouble.

I am hoping to get up to speed on Security, although I know that is a daunting task, so that if they decide they do need someone to start paying attention to security I can be the go to person. I currently have my A+ & Network+. I want to get the Security+, Server+ and CCNA as soon as I can manage them, then go on to more advanced security training! I need out of customer service hell!

Late!

 

[SgtB]

Good luck! It seems like you're on the right track to a promising career. Keep working on those certs!
One thing though....
Talk about these issues with management!!! Let them make the choice not to focus on security! That way they can't come back to you all pissed off they got slammed by the HIPAA or little Bobby the script kiddie.
________________________________________
Check out

http://www.security-forums.com

 

[jrjuiliano]

HIPAA all comes down to POLICY.

As long as you read 45 CFR parts 160 and 164 you will get the gist of the regulations. Note that this is only the gist. With only weeks until implementation no one has adequately described what "reasonable precautions" are. Also the OCR web site has some press good "legalese to English" documentation to help you prepare.

So, it makes sense for now that POLICY says not to dial in from home. Harden any system that contains Patient Health Information (medical records, billing, first reports, etc.). Build a site security policy and make it ENFORCEABLE throughout the company and its networks. Find out where your documents are going, who has them, and what kind of accounting for tracking you have on it. And it goes way beyond the computer systems, as we've already mentioned.

And your admin has to understand that a firewall is PART of a security plan or infrastructure; not the end of it. His assumption that because he's never heard of a PIX being hacked is, at best, dangerous. Nothing will kill your company (non-profit or not) faster than litigation, and believe me this HIPAA thing is going to be all about litigation.

Oh, one more thing. Consider that HIPAA is not just one implementation, but close to TEN. Upcoming deadlines are for the Privacy Standards. You still have some time for the Electronic Standards, but not much!

Good luck. Good for you to take an interest in this and try to make a positive contribution to your non-profit. J.R.

 

[sh0tzy]

Thanks. I have been contemplating going to my manager and explaining that we are pretty far behind the curve, the problem with that is that she seems to have every bit of confidence in the network admin. If he says we are secure, well then, we must be. Plus she is non-technical, so I don't really think she has much of an understanding of the multiple ways we are open to attack. I really believe it is going to take a breach, and for patient information to get in the wrong hand before this place will take anything seriously.

Along the lines of my career; I have a question for everyone. I am a father of two, two incomes. Not poor, but not rich either, we make it. I have been contemplating taking a personal loan to pay for some training to get the

http://www.giac.org/

GIAC cert. I feel that this would really help me embark on a career in the security field. I also belive that this field is going to continue to grow and there will be great opportunities in the futre. What is the general opinion on this idea? I figure I'd need to take about $3,500.00. $2,500.00 for the training and $1,000.00 to purchase a laptop which I currently don't own. All of the training seems to require you have your own laptop with you.

Thanks,

 

[shannanl]

Shotzy,

I know your post is quite old now but I was wondering how you were doing now on security. I also work in a hospital and I was in a similar situation when I started here. We have made great strides in security and still have a long ways to go. So far (fingers crossed) we have not had a virus or worm or a hacker get in since I started. Before we were having lots of problems. I don't want to make it sound like I have fixed it but it just took someone caring about what was going on. I know how you feel when you say your I.T. guys think that if it has not happened it never will. I have to say that I don't think those guys are very competent at their jobs. I hope they change before something major happens and brings their little sheltered worlds crashing down, but then maybe again that is what it will take. The bottom line is "CYA".

Shannan

 

[MichealC4]

I'm probably going to end up repeating some things that have been said already, but anywho. As far as the PIX goes, there have been numerous vulnerabilities related to just the FOS.

I hate to say this, but hospitals are a target. Perhaps not as big as the education sector is right now (which is where I work), but think about it. I am guessing you guys store patient files at least for a little while on the computer before either archiving, sending them up to whomever, or however you guys operate. Patient files that contain medical history, social security numbers, billing information, and a slew of readily available information to the attacker should they succeed in compromising your network/servers.

This is what I personally would do if I were in your shoes. Don't go outside of where you have access, but just take notes of things you see, be it network cable hanging out of the ceiling (which would be easy for someone to accidentally or purposefully yank on), unlocked doors, employees with modems that aren't supposed to have them, and so on. Present it to the Network Admin. If he doesn't care, take it higher up. Stress that you don't want to see anybody fired, but this is the health industry with a lot of "customer's" lives at risk. Okay, perhaps a bit overdramatic, but you get what I mean.

----------------------------
"Security is like an onion" - Unknown

 

[HD101]

Good stuff to think about, but the greatest weakness in your hospital is indifference, or ignorance, by upper management. Hospital are nortorius for not understanding what it takes to properly operate a good network, little lone a secure network.
I'm a network admin in small rural hospital with less than 500 users, 200 pc's, and 14 servers. We have 4 people in my shop including the director, 2 network admins and a full time programmer who also takes care of our web site. We are so busy putting out fires around the hospital we barely have time to do any kind of planning.
And don't even think about training or education.

 

[jrjuiliano]

A couple of weeks ago I attended one of those "lots of stuff to worry about, little-to-no information" seminars about the HIPAA security rule. This seminar had a few doctors in attendance too.

Now remember, this is the Security Rule portion of it.

The doctors were still discussing stuff about the Privacy Rule that should have been taken care of months, if not years ago. One doctor even asked why it should be his responsibility to do this.

It may be a pain, but the doctors are the ones you have to get motivated to get the rest of the team onboard. So training, education, continual improvement are going to have to become mandatory (we've gone so far as having people sign off as to receiving and understanding documents).

This is a weird field. I'm working in a billing office for a group of ER doctors, and I'm glad to say that the doctors, the PA's and our own staff take this stuff very seriously. There are others out there, like HD101 mentioned, where indifference and ignorance and even RESISTANCE to change are going to become problems. Especially now where IT is concerned.

I'm done ranting!

J.R.

 

[eyec]

i recently read a paper that should scare security types more than HIPPA compliance.

software vendors of critical proprietary programs will not certify or gaurantee their exisitng programs if the hospital applies patches or upgrades of Windows or other operating systems files.

that leaves the IT folks vulnerable to all of the bugs going around from out of date versions and versions with known security holes.

if this is your situation it is best to start working on a test/certification process with your software vendors as soon as possible to prevent impending catastrophic problems.

sorry to rain on the security issues but this should be included in securing your IT system.

 

[g8orade]

Also keep in mind that the ones doing the IP port scans do not care whether its a hospital, bank, or government. When a hole is found I would think their goal is to milk as much and whatever they can out of it. I would think that a hospital would be a ripe grape from an information standpoint for malicious hackers.

 

[Coty]

I work for a company that specializes in security and we support several healthcare facilities so we are somewhat familiar with this scenario.

The facet that hasn't been mentioned yet is probably your biggest threat...internal based attacks. Think about it: Most folks spend what energy/funds/resources they have on protecting from the outside then do *nothing* to protect from inside. From my experience most facilites are going to EMRs (electronic medical records) and a patients chart that used to be in a 6 inch thick binder is now a 20MB file which can easily be ftped or emailed out of the system, stored on a USB drive and stolen, etc, etc. I would be willing to bet your firewall is configured to let everthing outbound go without even logging it....

I agree with the fellow earlier...it is largely about making comprehensive policies then enforcing them.

Maybe if you could convince the folks where you work to spring for an external company to do a security audit it might jar them into reality when they get the findings...plus it will show they are "trying" to become HIPAA compliant by testing for weakness...

Good luck!

 

[Coty]

I work for a company that specializes in security and we support several healthcare facilities. Unfortunately the story you told is not uncommon. Usually the folks responsible for IT are overworked and can barely keep things running much less focus on securing the network even if they do have the ability. Not to mention the resistance the ego-inflated docs put up...

One thing I noticed that had not been mentioned was the huge threat of attack from *inside* the network which is where a large percentage of attacks originate. If your firewall is configured the way most end up any outbound traffic is allowed which means anyone on the inside could ftp data out, or email it somewhere or use a host of other methods to whisk your confidential data out of your hands.

For example most facilites are going to EMRs (electronic medical records) so now a patient's chart which used to be 6 inches thick in a binder is now a 20MB file on the network. Many folks must have access to the file to do their jobs...so you have to figure out how to make sure they do not take/send them offsite. USB thumb drives, ftp, email, etc can all be methods of loss.

I agree fully with the fellow earlier about policies. You absolutely must form policies that the higher ups agree with then enforce them....

Good luck