The Wolf Is Always at the (Hospital) Door: Reducing Information Security Risks for Health Care Organizations

    By: Der'ly Gutierrez, III on Dec 15, 2016

    By Der’ly M. Gutierrez III  ◾  Jim Czuprynski, Editor

    A discussion about security between Der’ly M. Gutierrez, OnX Enterprise Solution’s strategic security solutions architect lead, and Jim Czuprynski, OnX’s resident Oracle ACE director. 

    The two experts talk about recent high-profile security exploits that have targeted major health care providers, and about how IT professionals must respond proactively to keep similar events from plaguing their own organizations.

    Jim Czuprynski: I just finished reading through Verizon’s latest Data Breach Investigations Report (DBIR) and, frankly, it’s some of the most disheartening and frightening stuff I’ve read lately. The biggest surprise for me is that hackers have significantly increased the number of attacks aimed at hospitals and medical care providers in the United States in 2016.

    Der’ly Gutierrez: Unfortunately, this is nothing new. If you work in IT and are responsible for handling protected health information (PHI), you probably have heard about the recent Hollywood Presbyterian Hospital incident, one of the most severe medical information systems breaches ever reported. Hackers held that organization’s medical records and electronic communications; the organization was forced to pay $3.6 million to have their data returned and to allow the hospital to operate as normal again. The hospital was reduced to communicating either in person or by fax with the FBI and local authorities as it attempted to locate the perpetrator.

    And if you think this kind of incident is rare, especially in the health care industry, you are sorely mistaken. In fact, the Washington Post recently reviewed U.S. Department of Health and Human Services data and concluded that there have been more than 120 million PHI records compromised in more than 1,100 separate breaches at organizations handling protected health data since 2009. Aside from the human toll, the resulting productivity loss during a public breach is severe — as much as 23 percent of an organization’s annual revenue in the United States alone. Imagine what the cost of this kind of hack could do to your organization. The grim truth is that if you work in a health care organization or any organization that handles PHI data, it would be seriously self-deceptive to believe that your organization is not at risk.

    And we haven’t even discussed the risk to patients’ lives in these situations! Not being able to access patient health records could result in fatal errors and almost certainly lead to litigation. Unfortunately, the World Wide Web today is just like the American Wild West, with hackers acting as the modern-day bank robbers and bandits and PHI organizations playing the roles of 1880s small banks in the middle of nowhere Texas border towns that are just begging to be robbed. Many organizations are being breached, but organizations that handle PHI — mostly medical providers, hospitals or health insurance companies — are continuously failing their customers. Most of these organizations haven’t implemented even basic best practices or modern security technology; in fact, globally we spend an average of less than six percent of our IT budgets on security. While most PHI organizations have sufficient financial resources to implement sound security strategies, many have failed to do so. That’s why these organizations have caused as much as one-third of U.S. citizens’ PHI or other personally identifiable information (PII) to be compromised. And at an average of $50 per PHI record stolen, it’s a great way for a digital bandit to make money.

    Jim: These sound like supremely serious threats, Der’ly. So what should IT organizations do about them?

    Der’ly: I’d recommend that IT organizations should concentrate on four priorities: business continuity of operations; well-defined identity and access management; sound cyber-hygiene; and increased situational awareness. 

    Having a plan on how to respond to disasters is crucial, but IT organizations that think their disaster recovery (DR) plan is identical to a business continuity (BC) plan will be sadly mistaken. A DR plan handles recovery of an organization’s IT infrastructure and business operations when a crisis arises, but it’s just one part of an organization’s BC plan, which focuses on the continuity of operations of your entire business. A good BC plan will take into account exactly how an organization’s manufacturing, sales, network and business operations, HR and finance sections operate so it’s still possible to generate revenue after a disaster.

    In my experience, IT organizations simply don’t pay enough attention to Identity and Access Management (IAM). A key point to understand about IAM is that Microsoft Active Directory (AD) and Lightweight Directory Access Protocol (LDAP) can certainly fulfill the requirements for managing your IAM directories, but they’re not really complete IAM solutions in themselves. 

    I’ve also observed that organizations using IAM often fail to leverage it effectively to enforce best practices; key feature sets like single sign-on (SSO) with recommended minimum password strengths and password change frequencies, multi-factor authentication, time-of-day or location-based login and so forth are often implemented incompletely (if at all). IAM doesn’t make your network harder to breach if you don’t encrypt crucial system credentials, especially the passwords for your administrator and user accounts. Additionally, not hardening IAM system access via encryption, separation of duties, auditing and strict administration controls will almost certainly lead to a compromised IAM system.

    Jim: It’s something that Oracle DBAs need to be concerned about, too. When I talk to my customers’ DBAs, I always ask how concerned they are about security, and the answers I’ve gotten range from “Absolutely!” to “Not at all. Our InfoSec (information security) guys have assured us they won’t let any unauthorized users into our databases.” From what you are saying, it sounds like we’ve got quite a bit of educating to do here because if someone should slip in through the front door, they could quite literally have the keys to the database kingdom. So once IAM is in place, what’s next?

    Der’ly: Once IAM is implemented and secured, protecting your data comes next. The best way to protect your organization is by encrypting it. Even so, just as with BC and IAM, organizations continuously fail to implement this key feature for protecting sensitive information, especially in the health care industry. The major hacks that have occurred during the past 10 years came from PHI organizations that were mostly HIPAA, HITECH and HITRUST compliant. So even when an IT organization tells me that they assiduously protect their PHI, I always ask, “Where? And how?” The response is usually at least one full minute of dead silence. Nine times out of 10, once I have investigated further, I’ve found out that most critical assets are actually not encrypted — neither at rest, nor in-transit — 100 percent of the time.

    Even though IT organizations prove they are compliant via encryption of data, they sometimes take shortcuts, make changes to their computing platforms and environments without taking security into consideration or don’t truly protect all of their data throughout its lifecycle because of inexperience. Personally, I recommend that at a minimum, every IT organization should outsource a review of their data security plan and verify encryption is protecting their critical data end-to-end.

    Jim: The good news here is that from an Oracle Database perspective — especially if you’re already running Oracle 12c Release 1 (12cR1) — it isn’t that hard to enable end-to-end encryption. Oracle DBAs have several tools on our database security tool belts. For starters, we can use Transparent Data Encryption (TDE) to encrypt all of our data at either the column or tablespace level with AES 256 bit encryption. We can also use 12cR1’s new Oracle Data Redaction (ODR) features to redact sensitive data for all but whitelisted users based on easy-to-implement data redaction policies … all without having to change one line of your application code. By the way, ODR has been back-ported to Oracle Database Release, so you don’t necessarily have to upgrade to 12cR1 to take advantage of that feature set.

    I noticed that after several recent hacker exploits were reported, there were interesting discussions among security professionals that the revealed data appeared to be quite old; there was even speculation that it may have actually come from non-production sources, maybe even from a QA or DevOps database. And that tells me that Oracle DBAs need to be concerned about non-production data sources, too. Fortunately, as part of the Data Masking and Subsetting Pack, Oracle also provides some pretty powerful data masking and subsetting tools that make it quite simple to securely “jumble” and/or capture only selected subsets of production data while it’s being loaded into a non-production target, without ever changing the underlying production data at the source.

    Der’ly: If IT organizations adopt a proper security posture using these Oracle Database toolsets, then so far, so good! Unfortunately, they are still only halfway to a proper defensive stance. 

    As outlined by the Center for Internet Security (CIS), good “cyber hygiene” focuses on defending and preserving information systems and implementing cybersecurity best practices. When worthy cyber hygiene planning is constructed within an organization’s continuous monitoring framework, an IT organization can extensively track its security posture and improve its defenses against advanced cyberattacks. Cyber hygiene refers to the steps that an organization takes to improve its cybersecurity and better protect itself through continuous security posture improvements and monitoring. 

    I find it helps IT organizations to think about cyber hygiene like preventive dental care: There’s simply no way to avoid gum disease or cavities if you brush your teeth only twice a week. Likewise, it’s unreasonable to expect to prevent a cyberattack without making any effort to improve your organization’s security posture. But like brushing daily, cyber hygiene won’t do anything about the cavities you already have … so the next part is to assume you already have at least one. 

    From a security perspective, this philosophy is called assuming the breach. It’s been a core Department of Defense (DoD) cyber methodology for a few years now that is just starting to make headway within the technology, software, telecommunication and cloud security community. If your organization is at a maturity level where it already has a network operations center (NOC) or security operations center (SOC), then it is probably well past the time to invest in these types of tools. If you feel that your organization is not mature enough, then look into getting the same capabilities out of Security-as-a-Service.

    Jim: Again, there is some good news here for Oracle DBAs who are already leveraging Oracle Database 12cR1 for their databases, but especially production. Oracle significantly revamped database security, making it easier to implement in-depth auditing including, for the first time, a read-only audit trail. Also, DBAs can now audit for other suspicious activity — for example, an authorized actor performing a DataPump Export or RMAN backup operation when none should have occurred. And DBAs can now perform in-depth privilege analysis to identify users who’ve been granted extremely high levels of system or object privileges (e.g., SELECT ANY TABLE) even if an authorized actor hasn’t used those privileges yet.

    You’ve given us a lot to think about, Der’ly. Can you recommend a plan of attack for Oracle DBAs and their IT organizations?

    Der’ly: Yes, I know it seems an overwhelming task! Any organization will almost certainly encounter significant political and business issues when it attempts to improve its security posture. So it’s important to recognize that security is a business operations issue even more so than just a series of technical solutions. So when you decide to improve your organization’s security stance, I’ve found it best to keep it simple:

    Get buy-in from senior management. The key stakeholders must understand just how serious information security risks are within their IT organization so that they will willingly provide the necessary funding to secure your organization’s systems completely.

    Prioritize what’s most important, and realize that even though your organization is at risk, you’re not going to fix it overnight, so start by focusing on your most crucial vulnerabilities first and overcome them as quickly as possible, and then “lather, rinse and repeat.”

    Get your entire IT organization involved so that everyone recognizes the risks, from the occasional end user all the way up to senior management. This means you won’t have to train your entire IT staff to become vigilant “cyber cowboys,” but you should certainly plan interactions with security experts who clearly and cogently explain the vulnerabilities involved with each department in your organization.

    Monitor for potential breaches continuously and take security policies seriously to ensure compliance. Regular audits can discover new threat vectors before they become a major issue.

    Leverage the gap analysis results from your organization’s ongoing audits as part of a plan for continuous improvements to your overall security plan, and be sure to document carefully all of the improvements you have made.

    Of course, reducing your IT organization’s security risks is never easy, but the effort is certainly justified. You need to maintain endless vigilance, because just like the bacteria that cause tooth decay, hackers are continuously evolving and figuring out new attack vectors. Though they don’t come cheap, it helps to employ cybersecurity professionals who fully understand proper security implementation to ensure your organization is covered end-to-end.  
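    The Oracle Database controls Jim mentions above (Transparent Data Encryption, Data Redaction, unified auditing of suspicious export activity, and privilege analysis) can be wired up with the statements below. This is an added example, not code from the interview or from OnX or IOUG; the HR.PATIENTS table and its SSN column, the policy and capture names, the keystore and datafile paths, and the BILLING_ADMIN user are all assumptions made for the illustration.

```sql
-- Added example (not from the interview): Oracle Database 12cR1 controls for PHI.
-- HR.PATIENTS, its SSN column, the policy/capture names, the keystore and datafile
-- paths and the BILLING_ADMIN user are assumptions made for this illustration.

-- 1. Transparent Data Encryption (TDE): create and open a software keystore, set
--    a master key, then encrypt the PHI column at rest with AES-256. The keystore
--    path must match the wallet location configured for the database.
ADMINISTER KEY MANAGEMENT CREATE KEYSTORE '/u01/app/oracle/admin/ORCL/wallet'
  IDENTIFIED BY "keystore-password";
ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY "keystore-password";
ADMINISTER KEY MANAGEMENT SET KEY IDENTIFIED BY "keystore-password" WITH BACKUP;

ALTER TABLE hr.patients MODIFY (ssn ENCRYPT USING 'AES256');

-- Alternatively, encrypt a whole tablespace so every object placed in it is covered.
CREATE TABLESPACE phi_data
  DATAFILE '/u01/app/oracle/oradata/ORCL/phi_data01.dbf' SIZE 1G
  ENCRYPTION USING 'AES256' DEFAULT STORAGE (ENCRYPT);

-- 2. Data Redaction: mask the first five SSN digits (123-45-6789 -> XXX-XX-6789)
--    for every session except the allowlisted BILLING_ADMIN user. No application
--    code changes are required; users holding EXEMPT REDACTION POLICY still see
--    cleartext, so that privilege must itself be tightly controlled.
BEGIN
  DBMS_REDACT.ADD_POLICY(
    object_schema       => 'HR',
    object_name         => 'PATIENTS',
    policy_name         => 'redact_patient_ssn',
    column_name         => 'SSN',
    function_type       => DBMS_REDACT.PARTIAL,
    -- input format, output format, mask character, first and last position masked
    function_parameters => 'VVVFVVFVVVV,VVV-VV-VVVV,X,1,5',
    expression          => q'[SYS_CONTEXT('USERENV','SESSION_USER') != 'BILLING_ADMIN']'
  );
END;
/

-- 3. Unified auditing: record every Data Pump export and every read or delete
--    on the patient table, so an export that "should not have occurred" is visible.
CREATE AUDIT POLICY phi_export_audit
  ACTIONS COMPONENT=DATAPUMP EXPORT;
AUDIT POLICY phi_export_audit;

CREATE AUDIT POLICY phi_table_audit
  ACTIONS SELECT ON hr.patients, DELETE ON hr.patients;
AUDIT POLICY phi_table_audit;

-- Review the trail; UNIFIED_AUDIT_TRAIL is the read-only audit view.
SELECT event_timestamp, dbusername, action_name, object_schema, object_name
  FROM unified_audit_trail
 WHERE unified_audit_policies LIKE '%PHI_%'
 ORDER BY event_timestamp DESC;

-- 4. Privilege analysis: capture which privileges the DBA role actually
--    exercises over a representative window, then list the ones never used.
BEGIN
  DBMS_PRIVILEGE_CAPTURE.CREATE_CAPTURE(
    name  => 'dba_role_usage',
    type  => DBMS_PRIVILEGE_CAPTURE.G_ROLE,
    roles => ROLE_NAME_LIST('DBA'));
  DBMS_PRIVILEGE_CAPTURE.ENABLE_CAPTURE('dba_role_usage');
END;
/

-- ... let the normal workload run for the capture window, then:
BEGIN
  DBMS_PRIVILEGE_CAPTURE.DISABLE_CAPTURE('dba_role_usage');
  DBMS_PRIVILEGE_CAPTURE.GENERATE_RESULT('dba_role_usage');
END;
/

-- Candidates for revocation: system privileges granted but never exercised.
SELECT username, sys_priv
  FROM dba_unused_sysprivs
 WHERE capture = 'dba_role_usage'
 ORDER BY username, sys_priv;
```

    Run the statements as a user with the relevant administrative privileges (SYSKM for the keystore steps, AUDIT_ADMIN for the audit policies, CAPTURE_ADMIN for privilege analysis); keep the keystore password and its backup out of scripts and change-management tickets, since the master key is what makes the TDE data recoverable.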

    Released: December 15, 2016, 12:41 pm | Updated: April 3, 2019, 12:42 pm
    Keywords: Feature | SELECT Journal

    Independent Oracle Users Group