[ Thursday, January 27, 2005 ]
Yet more seminar blogging: Sorry for the days delay, but I didn't get a chance to post any more of mythe second day notes on Tuesday, and spent most of the day yesterday trying to catch up on what had piled up on the 2.5 days I was out previously. Anyhoo, here are the rest of my notes from Tuesday:
Firewall issues: keep it current; check it at least yearly. Use a proxy server for incoming and outgoing access, rather than using a server inside your firewall. You need to do activity logs and intrusion detection; it is cheap but you get lots of information, and the hardest thing is correlation of the information. Clean up your firewall rules: no any-any rules, and an overriding clean-up rule. Block out common virus vectors: SNMP, Telnet, FTP, instant messaging, peer-to-peer networks, etc.
Nessus (www.nessus.org): a good freeware for inventorying, scanning and looking for vulnerabilities of your system and access points. UPDATE: it requires Linux.
Disable services on your server that you don’t need. Patches: every system needs patches now and them. Keep up with it.
Don’t forget to take physical steps to prevent people from accessing your network. Lock up hard-line ports. Look for wireless access (an employee might’ve set up a wireless hub for himself for the “cool” factor), and if you’re really using wireless access (and if you’re not, you probably will be: I personally think it’s probably a bad idea, but the tech guys say it’s just going to happen), see where you can get in and try to limit the footprint. Also, audit your neighbor’s signal strength to keep your own employees from inadvertently accessing someone else’s network.
More wireless: most have no encryption. Those that do have WEP, which is not equivalent at all. Most have poorly tuned footprints. SSID is access point identifier, and it will usually say who is providing it and what the system is. If yours is bleeding over, does it have your name on it? Make it secure so an unintended casual person hitting the network doesn’t know what they’ve got. You need wireless intrusion detection. Cisco says wireless technologies have a 90-day lifecycle. Wireless is very, very evolutionary now.
80211G: Bob Neid’s choice for wireless encryption. WEP may be good for a little while, but it’ll be broken.
Filter using MAC addresses: you must have a restriction so only recognized devices can get on the wireless network. Strong authentication – secure ID cards, smart cards, MAC address protection; on top of it, do strong passwords, etc.
Disable supplicants talking to each other. Laptops can talk peer-to-peer if they both have wireless access and are allowed to. Turn that off, to keep someone’s laptop from accessing your network through a legitimate user’s laptop. Look for rogue access points.
Avoid wireless network for mission critical applications. You just don’t need wireless for that.
Access control: who has access to what? The receptionist doesn’t need access to clinical information. Least Privileged Access (LPA) means you only get access to what you need to have access to. Used to mean you got to a login screen that you had to get past to get in; now, even getting to the login screen mean you got too far. Most applications allow you to limit access; most devices also have the limiting ability. But you need access control at data base, at application, and at operating system, and you need them to all be robust. If I can’t get into application but I can get into database, I can still get the information.
I haven’t a clue what I’m talking about.
US DOE CIAC: do Google search on computer incident advisory commission to get there. From there, get warning banners.
How to get access control: by role, by group, by job, etc. Paper trail to show who gets access, when, how. Periodically review to make sure people still need access to what they have access to, and revoke access where applicable. Especially revoke access to employees who quit, were fired, or died.
Everyone should have a unique login, even administrators.
Password protection: if the person is unmarried, the password is the dog’s name, plus digits such as month and year. If the person is married but childless, it’s the spouse, and if the person has kids, it’s the oldest kid. Make better passwords: the longer and more random, the better. If you can take a phrase that has letters and numbers in it, like “My 14 year old son hates to do homework,” and take the initials and numbers to result in a password such as “M14yoshtdh.”
Password expiration policy should be necessary, probably every 30 days. Must change password at first log-in. No reuse of at least the last 3 passwords. Don’t base it off of the user’s social security number.
User name policy: most everyone uses first initial last name (jdrummond, for example); maybe you should use random generator, but let the person keep the same user name forever. One thing to watch out for: printers may generate the user name on a separation sheet when more than one user uses the same printer, and you may need to make sure those pages get shredded.
Remote access: home PCs are much more likely to be infected. A policy that says you can’t access from a home PC unless it is only used for access and nothing else is probably unworkable. You should have a policy that requires virus protection and that allows you the right to review and approve any home or laptop PC before it accesses your network. You should also have policies that work PCs can only have work info and programs on them; don’t let your employees’ kids play games on your notebooks..
Use IPSec or SSL based VPNs, not PPTP. Don’t use PCAnywhere, at least not without MAC number correlation. Have remote access come into a specific firewall interface and scrutinize those highly. Hard intrusion detection on those, hard logins etc.
Don’t allow access to your network from wireless connections. Keep your employees from logging onto the network from the airport’s wifi, for example, because of the supplicant problem.
Always keep in mind that cost is a built-in component of the risk analysis and the determination of what you must do and what you should do under HIPAA security. Don’t let the perfect be the enemy of the good, and realize that some things that would be good to have just aren’t cost-effective.
Honey-pots and honey-tokens: putting out phony devices or phony PHI on your system with high intrusion detection on it. Call the device “payroll server.” Then see who tries to get into it. See who accesses the improper PHI, and see if it’s accidental or intentional. Fire the employee and make an “object example” out of them.
Encryption: probably best to encrypt email over the internet. Do I agree? Not really. My 2 analogies are catching an arrow out of the air, and locking your doors while you’re on the freeway but not being that concerned while your car is sitting in the driveway.
Encryption is not required by the Security Rule. It is addressable. That means it is not required. You have to consider it, but it just isn’t required. So there.
For encryption, Tumbleweed is a possibility. Zixmail is another. One of the best things to do, if you send keyed encrypted information, is to send the password in a different medium. For example, send the email encrypted and call by phone to give the password.
1% of laptops will be stolen. 15% of the stolen ones are stolen for the data on them, not for the cost or value of the laptop itself.
Encryption of data in place: consider it for your laptops or other portables.
Media controls (flash drives and the like): consider encrypting the data on there. And set up policies and procedures to control when and how PHI can be put on flash drives, etc.
Consider disabling USB drives and similar functionality on laptops; take away functionality if it’s not really needed. Set up policies and procedures to do so.
Finally, note that portable devices are the most common vector of infection these days. The bug gets behind the firewall via a portable device that plugs into the network.
Auditing: what is a reasonable percentage of devices you should be auditing? 10%.
Look at www.sans.org/top20
for top 20 areas for audit. There are lots of vulnerability resources
Jeff [11:56 AM]
Blogger: HIPAA Blog - Edit your Template