Trade Law Daily is a service of Warren Communications News.

Cyberattackers Eye Medical Data, HIPAA Conference Hears

The government isn’t sure how attractive or vulnerable health care data are to cyberattackers, Mark Walker, a threat analyst at the Department of Homeland Security said Wednesday at a National Institute of Standards & Technology conference. Agencies protecting infrastructure are studying the chances of health care data hacks, but understanding of the risk is “really vague,” Walker said at the conference on Health Insurance Portability & Accountability Act compliance.

Agencies lack detailed incident information, frustrating analysis, Walker said. Except for episodes involving Department of Veterans Affairs data, agency reporting of cyberthreats to healthcare data is “scarce,” a gap worsened by “very limited” insight from business, he said. “What we really want is constant information, we want to make sure we classify the different threats,” he said.

But with the information his office does have, it and the U.S. Computer Emergency Readiness Team are studying trends in the risk of theft of personal health information. Poor security practices and hacking by employees into sensitive networks and databases could make data vulnerable to theft, he said. Other threats are “nation-state” and “mercenary” cyberattackers trying to penetrate Defense Department and other sensitive systems, he said. Business faces similar risks, he said.

Health-data breaches, both unintentional and malicious, are multiplying, Walker said. In 2007, a Pentagon contractor’s error compromised details on as many as 500,000 members of the U.S. military and relatives, Walker said. The contractor sent the health data with Social Security numbers, addresses, and birth dates over the Internet unencrypted, he said. A former system administrator at a health care company admitted last year salting its network with malware. He pleaded guilty in September to transmitting code that could damage a protected computer system and awaits sentencing. In another instance cited by Walker, a cyberintruder, probably an industrial spy working for Russia, China or another country, penetrated servers at Tricare Management Activity, the military’s health care plan, gaining access to personal data, he said. And a Centers for Disease Control site was hacked, affecting the systems of computers accessing it, according to Walker.

To deal with threats of this kind, DHS is hiring analysts like Walker who specialize in subjects such as water, dams and major power systems, he said. For now, Walker works with others on health care. His office is developing a product line to be used to alert non-tech executives to threats, he said. -- Alexis Fabbri

NIST HIPAA Conference Notebook…

Remote access simplifies everyone’s jobs -- including hackers’, said Karen Scarfone, computer scientist, NIST Computer Security Division. And a variety of remote access devices, including cellphones, PDAs and even wireless-enabled video game systems, often are outside an organization’s control, she said. With wireless access almost everywhere, employees may use these devices even in “hostile” environments, heavy with risk of unauthorized access, she said. Most of these devices have weaker protection than standard ones, she said. Many aren’t managed by the organization itself, and they lack enterprise firewalls, antivirus and physical controls, she said. Any security solution for remote access should include encryption, wireless protection, testing and other tools, she said. Free NIST publications deal with many security matters -- csrc.nist.gov/publications/PubsTC.html.

----

Public Key Infrastructure, which manages the keys and certificates behind public-key cryptography, might be the best security for HIPAA and other “brave new world” health care applications, but it’s expensive and unwieldy, said Tim Polk, computer scientist, NIST Computer Security Division. Unlike secret-key (symmetric) cryptography, in which the sender and receiver use the same key, public-key cryptography uses one key to encrypt and another to decrypt, he said. The prevailing wisdom, at NIST at least, is that “security should be commensurate with need,” so PKI might be considered “overkill” for HIPAA, he said. “It’s something we could look at in the next ten years,” he said.
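To make the one-key-versus-two-keys distinction concrete, here is an added example (not code from the conference or from NIST) that runs a secret-key scheme and a public-key scheme side by side and checks what each key can and cannot undo. Both constructions are deliberately toy-sized so the arithmetic is visible: the symmetric cipher is a SHA-256 counter-mode keystream XORed with the message, and the asymmetric one is textbook RSA with the classic small primes 61 and 53. Neither is suitable for real data; the sample record is constructed.

```python
import hashlib
import secrets

# --- Secret-key (symmetric) cryptography: sender and receiver hold the SAME key.
# Teaching stand-in: SHA-256 in counter mode as a keystream, XORed with the
# message. Not a vetted cipher; a real system would use an authenticated mode
# such as AES-GCM.

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    stream = bytearray()
    counter = 0
    while len(stream) < length:
        stream.extend(hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest())
        counter += 1
    return bytes(stream[:length])


def symmetric_encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    return bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))


# XOR is its own inverse, so decryption is the same operation with the same key.
symmetric_decrypt = symmetric_encrypt


# --- Public-key (asymmetric) cryptography: one key encrypts, a DIFFERENT key decrypts.
# Textbook RSA with tiny primes so the numbers fit on a page. Real keys are
# 2048+ bits and use padding (OAEP); this toy is for illustration only.

def rsa_keygen(p: int, q: int, e: int = 17):
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)        # modular inverse; ValueError if gcd(e, phi) != 1
    return (e, n), (d, n)      # (public key, private key)


def rsa_encrypt(public_key, m: int) -> int:
    e, n = public_key
    if not 0 <= m < n:
        raise ValueError("message must be an integer below the modulus")
    return pow(m, e, n)


def rsa_decrypt(private_key, c: int) -> int:
    d, n = private_key
    return pow(c, d, n)


def demo() -> dict:
    """Run both schemes and report what each key can and cannot do."""
    key = secrets.token_bytes(32)
    other_key = secrets.token_bytes(32)
    nonce = secrets.token_bytes(12)
    record = b"patient 1234: hemoglobin A1c 6.4%"   # constructed sample record
    ct = symmetric_encrypt(key, nonce, record)

    public_key, private_key = rsa_keygen(61, 53)  # the classic textbook primes
    m = 65
    c = rsa_encrypt(public_key, m)

    return {
        "symmetric_roundtrip_ok": symmetric_decrypt(key, nonce, ct) == record,
        "symmetric_wrong_key_ok": symmetric_decrypt(other_key, nonce, ct) == record,
        "rsa_ciphertext": c,
        "rsa_private_decrypts": rsa_decrypt(private_key, c) == m,
        # Applying the public key a second time does not undo encryption:
        # that asymmetry is the whole point.
        "rsa_public_decrypts": pow(c, public_key[0], public_key[1]) == m,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The symmetric half shows why Polk's cheaper option has a cost of its own: every party that can decrypt a record can also produce one, so the shared key has to be distributed and protected at both ends. The RSA half shows what PKI buys: a receiver publishes the encrypting key freely and the decrypting key never leaves the receiver, which is exactly what needs certificates, revocation and the rest of the infrastructure Polk called unwieldy.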

----

NIST is promoting Security Content Automation Protocol to help agencies juggling multiple security mandates. From Sarbanes-Oxley to HIPAA, “more and more [is] ending up on our shoulders,” but the hope is for SCAP-driven automation to increase efficiency, said Matt Barrett, NIST SCAP deputy program manager. The program draws on NIST’s National Vulnerability Database, the most-viewed NIST Web page after the institute’s Internet Time Service, he said. The database -- which receives tips from security vendors, agency staffers and others and registers about 20 new vulnerabilities daily -- gets 70 million hits yearly. It records software flaws from US-CERT and MITRE repositories, producing an XML feed linkable to specific mandates and guidelines. About 10 percent of Federal Information Security Management Act controls can be automated fully through SCAP and 24 percent can be partly automated, he said. SCAP matters because merger and acquisition and other collaborative activities are “dependent upon trust in each other’s computer systems,” he said. That’s possible when everyone knows of the same vulnerabilities, he said. - AF
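The automation Barrett describes boils down to three mechanical steps: parse the vulnerability feed, match its affected-product names against what a host actually has installed, and roll the matches up to the control they evidence. The following is an added example (not NIST's code, not a real NVD feed) that does those three steps over a constructed, simplified XML feed. The namespace names follow the NVD feed's conventions, but the element layout, the CVE-style placeholder ids, the product names and the mapping of unpatched-software findings to SP 800-53 control SI-2 (Flaw Remediation) are all assumptions for this illustration.

```python
import xml.etree.ElementTree as ET

# Namespaces used by the constructed sample below (names follow the NVD feed's
# conventions; the element layout is a simplification, not the real NVD schema).
NS = {
    "feed": "http://scap.nist.gov/schema/feed/vulnerability/2.0",
    "vuln": "http://scap.nist.gov/schema/vulnerability/0.4",
}

# Constructed sample feed. The ids, vendors and products are placeholders,
# not real CVE entries.
SAMPLE_FEED = """<?xml version="1.0" encoding="UTF-8"?>
<nvd xmlns="http://scap.nist.gov/schema/feed/vulnerability/2.0"
     xmlns:vuln="http://scap.nist.gov/schema/vulnerability/0.4">
  <entry id="CVE-0000-0001">
    <vuln:vulnerable-software-list>
      <vuln:product>cpe:/a:examplecorp:recordkeeper:2.1</vuln:product>
      <vuln:product>cpe:/a:examplecorp:recordkeeper:2.2</vuln:product>
    </vuln:vulnerable-software-list>
    <vuln:cvss><vuln:score>7.5</vuln:score></vuln:cvss>
  </entry>
  <entry id="CVE-0000-0002">
    <vuln:vulnerable-software-list>
      <vuln:product>cpe:/a:examplecorp:imaging_viewer:1.0</vuln:product>
    </vuln:vulnerable-software-list>
    <vuln:cvss><vuln:score>9.3</vuln:score></vuln:cvss>
  </entry>
  <entry id="CVE-0000-0003">
    <vuln:vulnerable-software-list>
      <vuln:product>cpe:/a:examplecorp:recordkeeper:3.0</vuln:product>
    </vuln:vulnerable-software-list>
  </entry>
</nvd>
"""

# Constructed software inventory of one host, expressed as CPE names.
HOST_INVENTORY = [
    "cpe:/a:examplecorp:recordkeeper:2.2",
    "cpe:/a:examplecorp:imaging_viewer:1.0",
    "cpe:/a:examplecorp:scheduler:4.0",
]

# Illustrative mapping: an unpatched known flaw is evidence against SP 800-53
# SI-2 (Flaw Remediation). The choice of control is an assumption here.
CONTROL_FOR_UNPATCHED = "SI-2"


def parse_feed(xml_text: str) -> list:
    """Return [{'id', 'products', 'score'}] per entry; score is None when absent."""
    # A downloaded feed is untrusted input: parse with defusedxml in production.
    root = ET.fromstring(xml_text)
    entries = []
    for entry in root.findall("feed:entry", NS):
        products = [
            p.text.strip()
            for p in entry.findall("vuln:vulnerable-software-list/vuln:product", NS)
            if p.text
        ]
        score_el = entry.find("vuln:cvss/vuln:score", NS)
        score = float(score_el.text) if score_el is not None and score_el.text else None
        entries.append({"id": entry.get("id"), "products": products, "score": score})
    return entries


def match_inventory(entries: list, inventory: list) -> list:
    """Exact CPE-name matching; real SCAP/CPE matching also handles version ranges."""
    installed = set(inventory)
    findings = []
    for entry in entries:
        for cpe in entry["products"]:
            if cpe in installed:
                findings.append({
                    "cve": entry["id"],
                    "cpe": cpe,
                    "score": entry["score"],
                    "control": CONTROL_FOR_UNPATCHED,
                })
    # Highest CVSS first; unscored entries sort last but are kept for a human look.
    return sorted(findings, key=lambda f: -1.0 if f["score"] is None else f["score"], reverse=True)


def control_status(findings: list) -> dict:
    """Roll findings up per control: a control has evidence against it only if something maps to it."""
    status = {}
    for f in findings:
        status.setdefault(f["control"], []).append(f["cve"])
    return status


if __name__ == "__main__":
    found = match_inventory(parse_feed(SAMPLE_FEED), HOST_INVENTORY)
    for f in found:
        print(f"{f['cve']}  {f['cpe']}  cvss={f['score']}  control={f['control']}")
    print(control_status(found))
```

Two caveats matter in practice. Exact string matching on CPE names is the minimum; the SCAP component standards cover version ranges and "and later" patterns that a string comparison misses, so a real implementation uses the CPE matching rules rather than a set lookup. And an entry without a score is not a non-finding; the code keeps it at the bottom of the list rather than dropping it, because the flaw is still on the host whether or not it has been rated yet.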