HIPAA
Featuring 21 Papers as of September 12, 2017
-
HL7 Data Interfaces in Medical Environments: Understanding the Fundamental Flaw in Healthcare SANS.edu Graduate Student Research
by Dallas Haselhorst - September 12, 2017
Ask healthcare IT professionals where the sensitive data resides and most will inevitably direct attention to a hardened server or database with large amounts of protected health information (PHI). The respondent might even know details about data storage, backup plans, etc. Asked the same question, a penetration tester or security expert may provide a similar answer before discussing database or operating system vulnerabilities. Fortunately, there is likely nothing wrong with the data at that point in its lifetime. It potentially sits on a fully encrypted disk protected by usernames and passwords, and it might have audit-level tracking enabled. The server may also have some level of segmentation from non-critical servers or access restrictions based on source IP addresses. But how did those bits and bytes of healthcare data get to that hardened server? Typically, in a way no one would ever expect... 100% unencrypted and unverified. HL7 is the fundamentally flawed, insecure standard used throughout healthcare for nearly all system-to-system communications. This research examines the HL7 standard, potential attacks on the standard, and why medical records require better protection than current efforts provide.
-
HL7 Data Interfaces in Medical Environments: Attacking and Defending the Achille's Heel of Healthcare SANS.edu Graduate Student Research
by Dallas Haselhorst - September 12, 2017
On any given day, a hospital operating room can be chaotic. The atmosphere can make one's head spin with split-second decisions. In the same hospital environment, medical data also whizzes around, albeit virtually. Beyond the headlines involving medical device insecurities and hospital breaches, healthcare communication standards are equally insecure. This fundamental design flaw places patient data at risk in nearly every hospital worldwide. Without protections in place, a hospital visit today could become a patient's worst nightmare tomorrow. Could an attacker collect the data and sell it to the highest bidder for credit card or tax fraud? Or perhaps they have far more malicious plans, such as causing bodily harm? Regardless of their intentions, healthcare data is under attack and it is highly vulnerable. This research focuses on attacking and defending HL7, the unencrypted and unverified data standard used in healthcare for nearly all system-to-system communications.
-
Medical Data Sharing: Establishing Trust in Health Information Exchange SANS.edu Graduate Student Research
by Barbara Filkins - March 1, 2017
Health information exchange (HIE) "allows doctors, nurses, pharmacists, other health care providers and patients to appropriately access and securely share a patient's vital medical information electronically--improving the speed, quality, safety and cost of patient care" (HealthIT.gov, 2014). The greatest gain in the use of HIE is the ability to achieve interoperability across providers that, except for the care of a given patient, are unrelated. But, by its very nature, HIE also raises concern around the protection and integrity of shared, sensitive data. Trust is a major barrier to interoperability.
-
Healthcare Provider Breaches and Risk Management Road Maps: Results of the SANS Survey on Information Security Practices in the Healthcare Industry Analyst Paper (requires membership in SANS.org community)
by Barbara Filkins - July 19, 2016
- Associated Webcasts: Health Care Provider Breaches and Risk Management Roadmaps: Part 2 - Health Care Security from the Top Down
- Sponsored By: Forescout Technologies BV WhiteHat Security Carbon Black Trend Micro Inc. Anomali Great Bay Software
The number of attack surfaces continues to rise as the use of mobile medical- and health-related apps grows and as electronic health records (EHR) become ever more embedded in clinical settings. As this survey shows, many attacks stem from insiders with access, whether through simple negligence, malicious intent or just plain curiosity. To get the specifics, read on …
-
Breach Control: Best Practices in Health Care Application Security SANS.edu Graduate Student Research
by Brian Quick - February 25, 2016Data breaches in the health care industry have surged in the past few years. The health care industry is currently the largest attack surface of the critical infrastructure.
-
eAUDIT: Designing a generic tool to review entitlements SANS.edu Graduate Student Research
by Francois Begin - June 22, 2015In a perfect world, identity and access management would be handled in a fully automated way.
-
The What, Where and How of Protecting Healthcare Data by Kelli Tarala and James Tarala - April 6, 2015
Mitigating healthcare data-loss risk by understanding the What, Where, and How of Protecting Healthcare Data.
-
Inaugural Health Care Survey Analyst Paper (requires membership in SANS.org community)
by Barbara Filkins - October 30, 2013
- Associated Webcasts: The SANS Survey of IT Security in Health Care
- Sponsored By: Tenable Oracle Trend Micro Inc. Redspin
This survey reveals aspects of security in the health care arena from the perspective of IT security staff—managers, analysts, and executives.
-
Electronic Medical Records: Success Requires an Information Security Culture by Thomas Roberts - June 5, 2013
The increased use of electronic medical records (EMRs) is certainly impacting the world of healthcare.
-
Incident Handling in the Healthcare Cloud: Liquid Data and the Need for Adaptive Patient Consent Management SANS.edu Graduate Student Research
by Barbara Filkins - October 18, 2012
The increasing use of electronic health record (EHR) systems, health information exchange (HIE) networks, and cloud computing significantly increases the exposure of sensitive medical information to loss of confidentiality, integrity, and availability due to data-related attacks, such as medical identity theft or insider threats (Ponemon Institute, 2011).
-
Cloudy with a Chance of Better Health Care: Security and Compliance Fundamentals for Protecting e-Health Data Analyst Paper (requires membership in SANS.org community)
by Barbara Filkins - September 6, 2011
- Sponsored By: ArcSight, an HP Company Ping Identity, Inc.
This paper explores challenges and considerations for the use of cloud computing in health care, paying particular attention to security and compliance issues related to cloud computing.
-
Risk Analysis for HIPAA Compliancy by Chris Ralph - March 9, 2005
This document describes the policy and procedure established by a small hospital, GIAC Health, for meeting the Risk Analysis Administrative Safeguard requirement for HIPAA compliancy.
-
Security Awareness and Training: Security Reminders by Kevin Sackett - January 17, 2005
Although an organization may have the means to purchase the best firewall technology, deploy the hardest encryption standards, and implement multi-factor authentication schemes, it still needs the complement of enlightened workforce members who understand what measures they can take to help reduce security risks.
-
A Small Business Search for HIPAA Compliant E-mail Security by Dayle Alsbury - July 25, 2004
This case study is of a small insurance business providing both health and non-health related products which are separated by divisions. HIPAA regulations impact approximately half of the user base in the business.
-
Developing & Implementing an Information Security Policy and Standard Framework by Peni Smith - June 9, 2004
Attacks against computers, in both home and business environments, have grown steadily over the past several years.
-
The Shift to Security Implementation in a HealthCare facility by Sean Mulch - June 8, 2004
There are a number of challenges presented to healthcare facilities as they begin the shift to implementing Information Security. One of these is that they have often been among the first to adopt new technologies.
-
Disaster Recovery in Healthcare Organizations: The Impact of HIPAA Security by James Murphy - March 4, 2004
Healthcare organizations are facing increasing regulatory burdens, and the latest to demand response is HIPAA Security. One major aspect of HIPAA Security is the disaster recovery plan, which seeks to restore appropriate access to information after a major calamity.
-
HIPAA Security Compliance Project - Identification of Logging and Auditing Requirements by Kurt Patti - October 10, 2003
This discussion will outline a project "plan of attack" for a covered entity to identify and address the electronic logging and auditing requirements within the Final HIPAA Security Rule.
-
Getting Started: The Impacts of Privacy and Security Under HIPAA - A Case Study SANS.edu Graduate Student Research
by Barbara Filkins - September 26, 2003
The paper describes how the Agency established an on-going, cost-effective security program integrated with current Agency business practices.
-
Case Study in Implementing Security for HIPAA Privacy Compliance by Ellen Robinson - August 22, 2003
The Health Insurance Portability and Accountability Act of 1996, otherwise known as HIPAA, set forth new standards for the privacy and security of protected health information (PHI).
-
HIPAA-compliant configuration guidelines for Information Security in a Medical Center environment by Robert Grenert - March 12, 2003
This paper will show that information security is an on-going project and encompasses more than just a few pieces of hardware plugged into a network.
Most of the computer security white papers in the Reading Room have been written by students seeking GIAC certification to fulfill part of their certification requirements and are provided by SANS as a resource to benefit the security community at large. SANS attempts to ensure the accuracy of information, but papers are published "as is". Errors or inconsistencies may exist or may be introduced over time as material becomes dated. If you suspect a serious error, please contact webmaster@sans.org.
All papers are copyrighted. No re-posting or distribution of papers is permitted.
SANS.edu Graduate Student Research - This paper was created by a SANS Technology Institute student as part of the graduate program curriculum.