7 Questions with... Jim Stickley, CTO, TraceSecurity.
Describe some of the methods and techniques you use to acquire sensitive information. What do you look for once you have gained entry into a healthcare facility?
Social engineering [phishing, pretexting, and related techniques] is one remote way to obtain information, but it is not nearly as lucrative as physically going to and robbing healthcare facilities, which is actually easier than robbing financial institutions because their security is a lot more lax. Basically, our main goal is to gain access to the premises. We’ll do a lot of background research to figure out what it takes to get in, poke around outside for a few minutes, then walk in and tell them we’ve been hired by their management. When you’re in those kinds of environments, people generally trust what you’re saying.
Immediately we start going after anything that’s not nailed down. If it’s a computerized facility, we look for the back-up tapes. Smaller facilities will usually have the tapes sitting right by the computers. If it’s a quick job and we’ve got what we need, then we’ll start stealing people’s charts. It may seem like a no-brainer to not leave these out in the open in a folder stuck to an exam room door, but physicians’ offices and other healthcare facilities still do it all the time. It’s so easy to just walk by several doors and just take those patients’ charts. Even with HIPAA and other rules, security in the healthcare industry is just not where it needs to be.
Larger facilities are often just as vulnerable, for many of the same reasons. Again, even if you gain entry under false pretenses, once you get past that initial “sniff test,” you’re left to run around, often unsupervised. Staffers don’t want to stand around watching you. You would think people would want to keep an eye on us, so that even if we have a legitimate appointment, we don’t wander free. The minute we’re left to our own devices, if there’s anything confidential, we’re stealing it.
Have you ever been caught while infiltrating a facility during one of your tests?
Yes, but most of the time, it’s over something stupid and the exception to the rule. One time we were doing an OSHA inspection—that’s another good way to gain admittance; we say someone requested inspection and just show up—and it turned out the husband of a lady who worked there was an OSHA inspector, so of course she nailed us relatively quickly. I’ve done more than a thousand facilities myself, though. It’s rare that we get anybody to stop us or even question us. The worst thing for us is for someone in one of these facilities to actually do their job. People leave us alone most of the time.
What are some of the major differences between small- or medium-size practices vs. larger institutions regarding data security concerns and vulnerabilities?
Small offices are more difficult to physically steal sensitive information from because the staff is often right on top of each other, so it’s a lot harder to get away unnoticed by anybody working there; sometimes there is just nowhere to go and hide. With the large facilities, there’s so much chaos going on that most of the time nobody even questions you. You’ll be wandering around aimlessly for a while before somebody even stops you. Not every place is like this, however. There are exceptions to the rule, but that is the exception.
When it comes to anti-virus software, firewalls, and intrusion detection, can a business ever have enough? What does TraceSecurity offer to ensure optimal protection against hackers?
HIPAA doesn’t really do anything. I thought its passage and implementation were going to get people to shape up, but I think it’s a paper dragon. If they are taking it more seriously, I’m not seeing a major difference.
TraceSecurity goes in and does testing, compliance, and training. Once we’ve helped people identify their weaknesses, we help them develop a policy to resolve those issues and get the proper training. We have what’s called the Compliance Manager—an online tool that has everything built into this one console, so they can understand what risks are out there, and even make specialized tests to be HIPAA compliant.
When it comes to back-up tapes, so many times people just put the tapes right next to or on top of their computer, out in the open. They may as well put a sign on them saying “steal me.” Nobody thinks twice about it, even though they hold the exact same data as the computer they’re sitting next to. Taking tapes or disks home is also risky, especially if you stop on your way home and leave them in the car. You come out, your window’s broken, and your laptop is gone. Silly little things make such a huge difference.
How secure is Bluetooth technology?
Ear buds are extremely secure and difficult to track. Any of the cars older than 2005 that happen to have Bluetooth, those are very at risk and don’t even have the ability to use PINs; anybody can drive up beside you and listen to what you’re saying. The newer ones are in a lot better shape because they use PINs or at least require you to press a button to sync up with the device. Outside of that, Bluetooth is one of those technologies that can be very secure when the manufacturers create it properly, but sometimes they do it in a really poor way. You want to watch for things like the way you’re connecting with the device for the very first time, make sure that you actually have to tell it to allow the connection to come in. And if you have the ability to change your PIN, change it.
Do people take security concerns more seriously nowadays than they used to?
Security is definitely getting better, but there’s always a better mousetrap. No matter what you do, somebody always finds a way to get around it. It doesn’t matter if you spend $20,000 on the most secure network on the planet. You’re still doomed if you can’t get that one employee to make sure they validate who a person is. There’s a bumper sticker that says “the success of social engineering is a sign that the weakest link in malware defense is human stupidity.” That’s kind of the mentality: all it takes is one person. If they’re just not paying attention, they just ruined everything that facility is trying to do to make itself more secure.
What is, in your opinion, the number-one misconception people have about data security?
Most of the time people think that back-up tapes are encrypted. Ninety percent of all back-up tapes are not. Encryption costs a lot more in terms of time and money, and it’s a much slower process, so people just don’t want to be bothered.