<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	xmlns:itunes="http://www.itunes.com/dtds/podcast-1.0.dtd"
xmlns:rawvoice="http://www.rawvoice.com/rawvoiceRssModule/"
>

<channel>
	<title>Speaking of Security - The RSA Blog and Podcast</title>
	<atom:link href="http://blogs.rsa.com/feed/" rel="self" type="application/rss+xml" />
	<link>http://blogs.rsa.com</link>
	<description>The Security Blog for Security Professionals</description>
	<lastBuildDate>Wed, 22 May 2013 21:30:27 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.5</generator>
<!-- podcast_generator="Blubrry PowerPress/4.0.7" -->
	<itunes:summary>The Speaking of Security podcast features lively discussion with industry experts on the latest issues and trends in the security industry.</itunes:summary>
	<itunes:author>RSA, The Security Division of EMC</itunes:author>
	<itunes:explicit>no</itunes:explicit>
	<itunes:image href="http://blogs.rsa.com/wp-content/uploads/userphoto/sos.png" />
	<itunes:owner>
		<itunes:name>RSA, The Security Division of EMC</itunes:name>
		<itunes:email>podcast@rsa.com</itunes:email>
	</itunes:owner>
	<managingEditor>podcast@rsa.com (RSA, The Security Division of EMC)</managingEditor>
	<itunes:subtitle>The Security Blog for Security Professionals</itunes:subtitle>
	<itunes:keywords>Security, Cyber Crime, APTs, Sam Curry, RSA, EMC, Advanced Persistent Threats, Fraud</itunes:keywords>
	<image>
		<title>Speaking of Security - The RSA Blog and Podcast</title>
		<url>http://blogs.rsa.com/wp-content/uploads/userphoto/sos.png</url>
		<link>http://blogs.rsa.com</link>
	</image>
	<itunes:category text="Technology">
		<itunes:category text="Tech News" />
		<itunes:category text="Podcasting" />
	</itunes:category>
		<item>
		<title>The Fragmented Picture of Mobile Security</title>
		<link>http://blogs.rsa.com/the-fragmented-picture-of-mobile-security-2/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=the-fragmented-picture-of-mobile-security-2</link>
		<comments>http://blogs.rsa.com/the-fragmented-picture-of-mobile-security-2/#comments</comments>
		<pubDate>Wed, 22 May 2013 21:30:25 +0000</pubDate>
		<dc:creator>Bob Griffin</dc:creator>
				<category><![CDATA[Authentication]]></category>
		<category><![CDATA[Cloud Security]]></category>
		<category><![CDATA[Identity & Access Management]]></category>
		<category><![CDATA[IT Security]]></category>
		<category><![CDATA[Mobile Security]]></category>

		<guid isPermaLink="false">http://blogs.rsa.com/?p=9162</guid>
		<description><![CDATA[I was in Munich last week, speaking at the European Identity and Cloud Conference in a panel on standards for mobile security. It was a very good session, not least because of the colleagues who joined me on the panel. John Sabo spoke about the work he&#8217;s doing in privacy frameworks.  Tony Nadalin spoke about [...]]]></description>
				<content:encoded><![CDATA[<p>I was in Munich last week, speaking at the <b><span style="text-decoration: underline"><a href="http://www.id-conf.com/">European Identity and Cloud Conference</a></span></b> in a <b><span style="text-decoration: underline"><a href="http://www.id-conf.com/sessions/1126">panel</a></span></b> on standards for mobile security. It was a very good session, not least because of the colleagues who joined me on the panel. <b><span style="text-decoration: underline"><a href="http://www.linkedin.com/pub/john-sabo/3a/ab2/a2">John Sabo</a></span></b> spoke about the work he&#8217;s doing in privacy frameworks. <b><span style="text-decoration: underline"><a href="http://www.linkedin.com/pub/anthony-nadalin/0/395/8a4">Tony Nadalin</a></span></b> spoke about his work in identity management and cloud. <b><span style="text-decoration: underline"><a href="http://www.linkedin.com/in/svengossel">Sven Gossel</a></span></b> discussed his work in crypto interfaces and mobile environments. There were lots of good questions from our moderator, <b><span style="text-decoration: underline"><a href="http://fr.linkedin.com/in/fulup">Fulup ar Foll</a></span></b>, as well as great comments and questions from the audience.</p>
<p>Our panel was only one of a number of discussions of mobile security at the conference. In his Thursday <b><span style="text-decoration: underline"><a href="http://www.id-conf.com/sessions/1109">keynote</a></span></b>, Dr. Kai Rannenberg spoke to the need for hardware roots of trust. <b><span style="text-decoration: underline"><a href="http://www.id-conf.com/sessions/1130#2">Pamela Dingle</a></span></b> presented the authentication and authorization token models in OpenID. <b><span style="text-decoration: underline"><a href="http://www.kuppingercole.com/team/burton">Craig Burton</a></span></b> introduced a UK-based company that has automated the creation of open APIs consumable by mobile devices. There were sessions on VDI and mobile security, SSO and mobile security, and trust frameworks and mobile security: lots of information, across many important and interesting topics.</p>
<p>But in looking back on the various discussions of mobile security at the conference, what strikes me most of all is the fragmented nature of the discussion. Perhaps there were, among the keynotes and sessions I missed, some that gave a more complete picture of where we stand in terms of mobile security. But that was not something I heard or could derive across sessions. Moreover, despite the breadth of discussion, there were nonetheless a number of topics related to mobile security that I didn&#8217;t see at the conference, perhaps most strikingly the critical role that analytics, both in risk-based identity management and in threat response, should play in mobile security.</p>
<p>In fairness to the EIC conference, understanding of mobile security seems fragmented across the industry. Developing a comprehensive and comprehensible view of mobile security should be a concern for all of us engaged in the practice of cybersecurity.</p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.rsa.com/the-fragmented-picture-of-mobile-security-2/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Mandiant Malware?   Not Exactly.</title>
		<link>http://blogs.rsa.com/mandiant-malware-not-exactly/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=mandiant-malware-not-exactly</link>
		<comments>http://blogs.rsa.com/mandiant-malware-not-exactly/#comments</comments>
		<pubDate>Tue, 21 May 2013 18:30:49 +0000</pubDate>
		<dc:creator>RSA FirstWatch</dc:creator>
				<category><![CDATA[Advanced Threats]]></category>
		<category><![CDATA[IT Security]]></category>

		<guid isPermaLink="false">http://blogs.rsa.com/?p=9133</guid>
		<description><![CDATA[In this particular case, we see a common cybercrime attack methodology, mass spam, a social engineering hook and a downloader Trojan, crossing over into APT space, likely due to all of the recent press coverage of Mandiant and other APT-related investigations.   This is further evidence of the constant evolution of online attacks based on current events.]]></description>
				<content:encoded><![CDATA[<p><em>By Alex Cox, Senior Researcher, RSA FirstWatch team</em></p>
<p>The RSA FirstWatch team uses a number of techniques to detect emergent threats and trends.  Much of the output of the analysis process becomes inputs for the RSA FirstWatch Feeds and new rules to detect botnet variants, malicious user-agent strings, and suspicious queries that would be strong indicators of compromise.  One unique executable that was downloaded caught our eye today:</p>
<p><a href="http://blogs.rsa.com/mandiant-malware-not-exactly/untitled1/" rel="attachment wp-att-9145"><img class="size-full wp-image-9145 aligncenter" alt="Untitled1" src="http://blogs.rsa.com/wp-content/uploads/2013/05/Untitled1.jpg" width="625" height="46" /></a></p>
<p>This file, named “_load.exe”, appeared to have been downloaded as part of a large Zbot/Tepfir infection package.  Here is the screenshot, from RSA Security Analytics, summarizing the alert types seen post-infection in the sandbox:</p>
<p><a href="http://blogs.rsa.com/mandiant-malware-not-exactly/timegraph/" rel="attachment wp-att-9139"><img class="size-full wp-image-9139 aligncenter" alt="TimeGraph" src="http://blogs.rsa.com/wp-content/uploads/2013/05/TimeGraph.jpg" width="628" height="267" /></a></p>
<p>But what really got our attention was the falsified manufacturer’s name and author’s name.  In CFF Explorer, we see this:</p>
<p><a href="http://blogs.rsa.com/mandiant-malware-not-exactly/untitled-3/" rel="attachment wp-att-9140"><img class="size-full wp-image-9140 aligncenter" alt="Untitled" src="http://blogs.rsa.com/wp-content/uploads/2013/05/Untitled.jpg" width="424" height="400" /></a></p>
<p>Of course, given the way the file was downloaded, we knew this wasn’t a legitimate Mandiant binary, but a piece of malware with planted meta-data to use Mandiant’s name.  According to VirusTotal, it had been seen 15 hours earlier and only ESET identifies the file as a malicious downloader.  You can see the VT report here:</p>
<p><a href="https://www.virustotal.com/en/file/2714253ae4686360b45acd3fb2658966b6f61957a0b42d93cccad4a098b0a9da/analysis/">https://www.virustotal.com/en/file/2714253ae4686360b45acd3fb2658966b6f61957a0b42d93cccad4a098b0a9da/analysis/</a></p>
<p><span style="text-decoration: underline;"><b>Digging Further</b></span></p>
<p>With a bit of further digging, we see that this sample was a secondary download of an initial sample hash of 1aee6a5859ecb9b43cc752244be5bec6.  This hash has been observed in the past multiple times with a filename of:</p>
<p style="text-align: center;"><strong>FedEx Shipment Notification.PDF.exe</strong></p>
<p>This file was first observed on May 5, 2013, also with a fairly low antivirus detection rate at the time of detection (5 out of 46) but is fairly well detected now:</p>
<p><a href="https://www.virustotal.com/en/file/eab3ee7c0c843dec8f6c41193465c6ff93ae914606520bb1a1dfd1e26a8862f0/analysis/">https://www.virustotal.com/en/file/eab3ee7c0c843dec8f6c41193465c6ff93ae914606520bb1a1dfd1e26a8862f0/analysis/</a></p>
<p>The submitted filename makes it highly likely that this sample was distributed via a “Shipment Notification” mass spam campaign.  This infection vector has been highly effective over the past few years for spreading cybercrime malware and has garnered the attention of FedEx, which has a page warning its customers about this type of attack: <a href="http://www.fedex.com/dm/fraud/virusalert.html">http://www.fedex.com/dm/fraud/virusalert.html</a></p>
<p>Interestingly, both samples appear to be “downloader” malware, which only serve to download other malware on an infected machine.  These types of Trojans are commonly used in Pay-Per-Install campaigns, where criminals pay the owner of an existing botnet to have their infected machines push a piece of malware belonging to the buyer.  This approach significantly simplifies the process of building a new botnet for the buyer.</p>
<p>Further malware analysis reveals that the observed second-stage malware has no built-in persistence mechanism, meaning that a simple reboot clears the malware from memory.  This is somewhat unusual, but may indicate a “single-use” methodology for subsequent infection.  At this time, the RSA FirstWatch team has not observed a third-stage download occur with this sample.</p>
<p><b><span style="text-decoration: underline;">Network Artifacts</span></b></p>
<p><b>Sample 1 &#8211; </b>1aee6a5859ecb9b43cc752244be5bec6 has been observed connecting to the following location for C2, which is known to be a malicious server: <b>hxxp://asdacbxn34.us//area/la.php </b></p>
<p>and to the following locations for second-stage downloads: a religious institution&#8217;s website, which appears to have been compromised, and another site known to host malware:</p>
<p>Hxxp://www.***.uk/_load.exe</p>
<p><b>hxxp://178.208.82.164/_load.exe </b></p>
<p>Passive DNS analysis indicates that the following domains have also resided on the C2 IP, all of which are known to be malicious domains:</p>
<p><b>mesalk.ru</b></p>
<p><b>houselle.ru   </b></p>
<p><b>davalki-tut.ru </b></p>
<p><b>nationalconstruction.ru </b></p>
<p><b>Sample 2 &#8211; </b>bcadffb2117751fb89a4bb8768681030 – “Mandiant Malware”</p>
<p>This sample, downloaded as noted above as:</p>
<p>Hxxp://www.***.uk/_load.exe</p>
<p><b>hxxp://178.208.82.164/_load.exe </b></p>
<p>Connects to the following IP address (known to be associated with cybercrime) to check for additional malware to download:</p>
<p><b>94.23.234.36</b></p>
<p>This IP has mapped to the following known malicious domain names:</p>
<p><b>lamodaesbarata.es</b></p>
<p><b>ovh66m.exclust.com</b></p>
<p><b>ks307892.kimsufi.com</b></p>
<p><b>tusvestidos.com</b></p>
<p><b>Detection in RSA Netwitness Security Analytics:</b></p>
<p>These particular malware connections can be located in an RSA Security Analytics infrastructure with a number of simple pivots on known infrastructure:</p>
<p><b>alias.host = </b><b>asdacbxn34.us, mesalk.ru, houselle.ru, davalki-tut.ru, nationalconstruction.ru, </b><b>178.208.82.164, lamodaesbarata.es, ovh66m.exclust.com, ks307892.kimsufi.com, tusvestidos.com</b></p>
<p>and</p>
<p><b>ip.dst = 178.208.82.164,94.23.234.36</b></p>
<p>Generically, suspicious behavior involving executable downloads such as these can be detected by creatively combining observed file-extension metadata with the detected file type.  In this case:</p>
<p><b>Extension = exe &amp;&amp; filetype != windows executable</b></p>
<p><b><span style="text-decoration: underline;">Summary</span></b></p>
<p>In this particular case, we see a common cybercrime attack methodology, mass spam, a social engineering hook and a downloader Trojan, crossing over into APT space, likely due to all of the recent press coverage of Mandiant and other APT-related investigations.   This is further evidence of the constant evolution of online attacks based on current events.</p>
<p>Happy Hunting!</p>
<p><em>Alex Cox, MSIA, CISSP, GPEN, GSEC is a Senior Consultant and Security Researcher with RSA FirstWatch team responsible for advanced threat intelligence research. Alex has worked more than a decade in IT with a background in desktop architecture, emerging threat research, network forensics and behavioral malware analysis.</em></p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.rsa.com/mandiant-malware-not-exactly/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Groove Theory of GRC &#8211; Postulate #2:  Duet, Trio, Quartet, Orchestra</title>
		<link>http://blogs.rsa.com/groove-theory-of-grc-postulate-2-duet-trio-quartet-orchestra/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=groove-theory-of-grc-postulate-2-duet-trio-quartet-orchestra</link>
		<comments>http://blogs.rsa.com/groove-theory-of-grc-postulate-2-duet-trio-quartet-orchestra/#comments</comments>
		<pubDate>Tue, 21 May 2013 16:30:05 +0000</pubDate>
		<dc:creator>Steve Schlarman</dc:creator>
				<category><![CDATA[Governance, Risk & Compliance (GRC)]]></category>

		<guid isPermaLink="false">http://blogs.rsa.com/?p=9096</guid>
		<description><![CDATA[The initial inspiration of my “Groove Theory of GRC” was Rocco Prestia, the bass player for the funk band Tower of Power.  His definition, or lack thereof, of the term groove started my thought process on how very important things can exist without exact scientific explanation.   In my last blog, I talked about combining Musicality and Performance to create a special musical experience and how GRC should strive for this powerful combination through Visibility and Accountability to result in Performance Optimization.  Now I want to explore the complexities of any musical endeavor.  While solo performances can be captivating, a full orchestra performing in perfect concert together is one of the highest forms of human collaboration and expression.  So on to postulate #2:]]></description>
				<content:encoded><![CDATA[<div>
<p>The initial inspiration of my “Groove Theory of GRC” was Rocco Prestia, the bass player for the funk band <span style="text-decoration: underline"><strong><a href="http://www.youtube.com/watch?v=vMIc4mWY62w" target="_blank">Tower of Power</a></strong></span>.  His definition, or lack thereof, of the term <em>groove</em> started my thought process on how very important things can exist without exact scientific explanation.   In my <span style="text-decoration: underline"><strong><a title="Groove Theory of GRC – Postulate #1: Musicality or Performance?" href="http://blogs.rsa.com/groove-theory-of-grc-postulate-1-musicality-or-performance/">last blog</a></strong></span>, I talked about combining Musicality and Performance to create a special musical experience and how GRC should strive for this powerful combination through <em>Visibility and Accountability</em> to result in <em>Performance Optimization</em>.  Now I want to explore the complexities of any musical endeavor.  While solo performances can be captivating, a full orchestra performing in perfect concert together is one of the highest forms of human collaboration and expression.  So on to postulate #2.</p>
<p><strong><em>Postulate #2:  The more pieces of the business involved, the more complex the challenge but the greater the value.</em></strong></p>
<p>Across the spectrum of GRC activities, multiple pieces of the business need to pick up their instruments and build to the crescendo of a well-oiled organization.  This may be a flowery way of putting it to fit my running analogy so let’s cut to brass tacks:  Everybody needs to play nice in the sand box.  Not as dramatic but that is the bottom line.  Organizations that build walls, foster politically motivated cultures, enable kingdom building and all of the bad behavior we saw on the playground in kindergarten will struggle with making the right decisions and eventually face a serious business breakdown.</p>
<p>GRC is one of those avenues to break down the barriers between parts of the business.  If an organization can rally around a significant regulatory compliance challenge (as many companies faced with Sarbanes Oxley) or unite to respond to a major calamity (as organizations experienced during recent natural disasters), then the organization should be able to  band together to operationalize risk and compliance processes.   Domains of the business such as Information Technology, Finance, Audit, Legal, Compliance and others are necessary to build the right fabric across the organization.  A common strategy, with defined objectives and executive buy-in, will go a long way.</p>
<p>Each domain, or department, will at times seek to build its own GRC approach.  This is completely understandable as each domain has its own drivers and needs.  Information Technology may utilize GRC to improve IT service responsiveness, reduce security risks and maintain compliance to data protection standards.  Finance may focus GRC on financial reporting processes, look to reduce capital, market or liquidity risk and maintain compliance to accounting practices.  G, R and C mean different things to different operational elements.  However, the organization can begin to bring those together into a more concerted, complementary approach through an enterprise strategy.</p>
<p><em>Back to my Groove Theory:</em>  Most organizations will start with a string quartet or jazz trio or folk singing duo.  The goal is then to bring more and more instruments into the ensemble until a full orchestra is making music together from the same song sheet.   Obviously that singular score, if its parts are written with harmony and based on solid music theory, can enable the movements, counter-melodies and dynamics that make for a beautiful symphony.   It is at this point where the organization transitions from singular players into a larger, more complex performance.   The result:  Opus # 9 in GRC sharp.</p>
<p><em>* I had to include a link to this video showing &#8220;Tower of Power&#8221; from 1973 – 2011.  A band as tight and funky as can get even after 38 years of creating music.  Now THAT is the type of sustainable collaboration we all hope we could foster in our organizations.</em></p>
</div>
]]></content:encoded>
			<wfw:commentRss>http://blogs.rsa.com/groove-theory-of-grc-postulate-2-duet-trio-quartet-orchestra/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Don’t Fear the Hangover – Network Detection of Hangover Malware Samples</title>
		<link>http://blogs.rsa.com/dont-fear-the-hangover-network-detection-of-hangover-malware-samples/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=dont-fear-the-hangover-network-detection-of-hangover-malware-samples</link>
		<comments>http://blogs.rsa.com/dont-fear-the-hangover-network-detection-of-hangover-malware-samples/#comments</comments>
		<pubDate>Mon, 20 May 2013 21:02:10 +0000</pubDate>
		<dc:creator>RSA FirstWatch</dc:creator>
				<category><![CDATA[Cybercrime and Fraud]]></category>

		<guid isPermaLink="false">http://blogs.rsa.com/?p=9109</guid>
		<description><![CDATA[Today, Norman and Shadowserver released a paper that revealed a large attack infrastructure in which they detailed an ongoing campaign, running as far back as September 2010.  This campaign, reportedly run out of India, used spear-phishing attacks and multiple strains of malware to breach targets of interest and extract data.]]></description>
				<content:encoded><![CDATA[<p><em>By Alex Cox, Senior Researcher, RSA FirstWatch team</em></p>
<p>Today, <span style="text-decoration: underline;"><strong><a href="http://blogs.norman.com/" target="_blank">Norman</a></strong></span> and <span style="text-decoration: underline;"><strong><a href="http://www.shadowserver.org/wiki/" target="_blank">Shadowserver</a></strong></span> released a paper that revealed a large attack infrastructure in which they detailed an ongoing campaign, running as far back as September 2010.  This campaign, reportedly run out of India, used spear-phishing attacks and multiple strains of malware to breach targets of interest and extract data.</p>
<p>The details of this case can be researched in the following paper:</p>
<p><span style="text-decoration: underline;"><strong><a href="http://blogs.norman.com/2013/security-research/the-hangover-report">http://blogs.norman.com/2013/security-research/the-hangover-report</a></strong></span></p>
<p>Due to our industry ties, the RSA FirstWatch team was able to obtain an advance copy of the paper, and in doing so we were able to collect over 700 of the malware samples referenced in the report for analysis.</p>
<p>This analysis, focused almost exclusively on network behavior, allowed us to detail effective ways of detecting this malware on the network in real-time.</p>
<p>As a general rule, the RSA Security Analytics / RSA NetWitness approach to network analysis for these types of threats has always been a three-part process which is circular in nature:</p>
<ol>
<li>Identify expected network behavior</li>
<li>Examine outliers</li>
<li>Link intelligence</li>
</ol>
<p><b>Detection of Identifying User-Agents</b></p>
<p>In many APT malware cases, a non-standard user agent is observed as part of the command and control communication sequence and this case is no different. There are several case-related user-agent strings detailed in the paper:</p>
<p>EMSCBVDFRT<br />
EMSFRTCBVD<br />
FMBVDFRESCT<br />
DSMBVCTFRE<br />
MBESCVDFRT<br />
MBVDFRESCT<br />
TCBFRVDEMS<br />
DEMOMAKE<br />
DEMO<br />
UPHTTP<br />
sendFile</p>
<p>Additionally, the following user-agent strings are also present:</p>
<p>wininetget/0.1<br />
file<br />
test<br />
vbusers<br />
folderwin<br />
smaal<br />
simple<br />
nento<br />
bugmaal</p>
<p>When these user-agent strings are turned into a Security Analytics application rule they would look like the rule below and would allow a quick pivot on hangover-related malware traffic:</p>
<p><b>Client = emscbvdfrt,emsfrtcbvd,fmbvdfresct,dsmbvctfre,<br />
mbescvdfrt,mbvdfresct,tcbfrvdems, demomake,demo,<br />
uphttp,sendFile,wininetget/0.1,file, test,vbusers,folderwin,<br />
smaal,simple,nento,bugmaal</b></p>
<p>This particular pivot, where we identify meta elements that we don’t expect to exist in our environment, is a very common way of detecting both malware and unwanted applications on the network.</p>
<p><b>Identifying Information in Query Parameters</b></p>
<p>While not as clear cut as identification of unique user-agents, many malware samples, especially Remote Access Trojans (RATs) used by APT attackers, commonly transmit identifying information as part of command and control check-in traffic.</p>
<p>In this case, we see similar behavior, in which the computer name of the analysis environment (“RemotePC”) as well as the logged-in user (“admin”) are transmitted in plaintext during the C2 check-in of many of the identified samples:</p>
<p><em>(click on the image below and zoom to see detail)</em></p>
<p><a href="http://blogs.rsa.com/wp-content/uploads/2013/05/Querystring.png"><img class="alignnone size-full wp-image-9121" alt="Querystring" src="http://blogs.rsa.com/wp-content/uploads/2013/05/Querystring.png" width="516" height="165" /></a></p>
<p><b>Identifying C2 domains</b></p>
<p>Lastly, establishing domain intelligence by using malware analysis and existing known compromise, plus online research, passive DNS and other methods, we are able to build a large feed of domains which identify suspect traffic.</p>
<p>In this case, RSA FirstWatch added specific domain intelligence related to the hangover intrusion set on 4/30/13.    Historic hits to these domains can be located with the following custom drill:</p>
<p><b>threat.category = research &amp;&amp; threat.desc = apt-domain-a-cow_star, apt-domain-a-hanove, apt-domain-a-trojan.apt.snowtime, apt-domain-a-backdoor.apt.anke, apt-domain-a-backdoor.apt.vbupload, apt-domain-a-dragoneyemini_ smackdown, apt-domain-a-smackdown, apt-domain-a-hanove2, apt-domain-a-appinbot, apt-domain-a-hanovelarge</b></p>
<p>These three detection methodologies can be applied to this and future incidents for proactive detection of advanced threats.</p>
<p>Special thanks to the researchers at FireEye and Dell Secureworks for their assistance in malware analysis and classification tasks.</p>
<p>Happy Hunting!</p>
<p><em>Alex Cox, MSIA, CISSP, GPEN, GSEC is a Senior Consultant and Security Researcher with RSA FirstWatch team responsible for advanced threat intelligence research. Alex has worked more than a decade in IT with a background in desktop architecture, emerging threat research, network forensics and behavioral malware analysis.</em></p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.rsa.com/dont-fear-the-hangover-network-detection-of-hangover-malware-samples/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Five Common Corporate Pitfalls in Cyber Security Management</title>
		<link>http://blogs.rsa.com/five-common-corporate-pitfalls-in-cyber-security-incident-handling/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=five-common-corporate-pitfalls-in-cyber-security-incident-handling</link>
		<comments>http://blogs.rsa.com/five-common-corporate-pitfalls-in-cyber-security-incident-handling/#comments</comments>
		<pubDate>Mon, 20 May 2013 12:30:56 +0000</pubDate>
		<dc:creator>Advanced Cyber Defense/ Incident Response Chatter</dc:creator>
				<category><![CDATA[Advanced Threats]]></category>
		<category><![CDATA[Enterprise Security]]></category>
		<category><![CDATA[IT Security]]></category>
		<category><![CDATA[Security Management]]></category>

		<guid isPermaLink="false">http://blogs.rsa.com/?p=8991</guid>
		<description><![CDATA[A fair percentage of clients that I have provided incident response services to over the last 12 months are operating without security or oversight on the Internet, meaning not a single person employed at that organization is solely dedicated to working on security issues. While this is common for small companies and startups, these clients matured over the years to the point where they had hundreds or thousands of employees and even more computing devices on the network. What had not occurred, however, was the investment in security commensurate with the growth of the company.]]></description>
				<content:encoded><![CDATA[<p><em>By Mike McGrew, Advisory Practice Consultant, RSA Advanced Cyber Defense Services</em></p>
<p>This blog discusses five of the high level missteps common to organizations that have experienced needlessly prolonged negative effects of cyber security incidents.</p>
<p><b>1) No security team</b></p>
<p>A fair percentage of clients that I have provided incident response services to over the last 12 months are operating without security or oversight on the Internet, meaning not a single person employed at that organization is solely dedicated to working on security issues. While this is common for small companies and startups, these clients matured over the years to the point where they had hundreds or thousands of employees and even more computing devices on the network. What had not occurred, however, was the investment in security commensurate with the growth of the company.</p>
<p>When a company consists of 10 people operating on a shoestring budget and an idea, realistically it&#8217;s hard to justify spending money on anything that doesn’t have a tangible ROI. When those companies grow, however, the potential losses in intellectual property or corporate reputation begin to justify expenditure towards a comprehensive security program. Add to that potential regulatory compliance requirements and most successful companies should have no problem demonstrating a true business need for security implementation.</p>
<p><b>2) No budget for enterprise level security tools</b></p>
<p>These companies are slightly better off than the organizations with no security team at all. What I typically observe at these clients is a dedicated though undersized staff that spends a lot of time trying to convince management of the necessity of enterprise security tools. At least that’s how they start out on the job. By the time I am called in to consult, I typically find that the IT managers accept as fact that executive leadership will not dedicate funds towards the purchase of enterprise security tools. Often these managers hope that the single biggest result of a breach is that executive leadership will finally see the true value of implementing these tools.</p>
<p><b>3) No management support for an information security program</b></p>
<p>Both of the previously mentioned conditions can be summed up by this one condition. That being said, I have still occasionally seen organizations that are reasonably staffed and tooled, but end up not implementing security properly because of the perceived negative impact to the business. For example, take a company that has an intelligent web proxy up and running on the network. Since executive management does not champion network security, creating exceptions to the policy is relatively easy. Before long, that company will have entire pockets of personnel whose web traffic bypasses the proxy. If a company has adequate security in place, but lacks management support, users will often find a way to bypass that security.</p>
<p><b>4) Over-reliance on tools; under-reliance on skills training</b></p>
<p>At these organizations, what I have found to be the common denominator is that tools and security staff are both in place, but the weak link in the chain is the capability of the personnel hired to deal with incidents. Consider a case where a critical client system was compromised via a targeted email attack. Two users clicked on a URL in similar LinkedIn phishing emails, starting the chain of infection that ultimately led to an attempted payroll theft months after the initial infection. Multiple opportunities existed for this client to detect and remove the threat from the network before the attacker tried to steal money: the original emails were still present in the gateway storage, both compromised systems were beaconing to a known bad IP address, both hosts had AV alerts that fed into a central server, both users had created help desk tickets because their computers were acting strangely, and this exact attack had been blogged about in enough detail for a security analyst to gather indicators and perform discovery on their own network. On the surface, this organization appeared ready to handle efficiently any network security issue that came up. The reality, however, was that although there was an extensive trail of evidence that could easily have been queried and analyzed, there were no truly qualified personnel on staff who could put the pieces of the puzzle together.</p>
<p><b>5) Sysadmins assigned to remediate AV alerts, end up running scan tools that don’t wipe out the threat</b></p>
<p>I understand the motivation of the sysadmin who sees an AV alert and responds by running eradication tools like Malwarebytes. More often than not, I find that in targeted attacks these tools at best kill only the portion of the malware that was causing the AV alerts. For the motivated but untrained sysadmin, no more AV alerts means no more compromise: situation resolved. Incomplete remediation is a dangerous situation, since the possibility now exists that the host is still compromised but no longer alerting anybody about it. In a corporate environment, AV alerts should be treated as a notification to rebuild the system in any case where a thorough forensic examination cannot rule out persistent compromise.</p>
<p><em> Mike McGrew is an Advisory Practice Consultant within RSA&#8217;s Incident Response practice. Mike provides network and host-based incident response services for intrusions involving sophisticated adversaries that target intellectual property and other critically sensitive data. Mike has been a CISSP for over 10 years and was previously a Navy cryptologist supporting the National Security Agency (NSA).</em></p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.rsa.com/five-common-corporate-pitfalls-in-cyber-security-incident-handling/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>To Cybercriminals, The Size of a Company No Longer Matters</title>
		<link>http://blogs.rsa.com/to-cybercriminals-the-size-of-a-company-no-longer-matters/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=to-cybercriminals-the-size-of-a-company-no-longer-matters</link>
		<comments>http://blogs.rsa.com/to-cybercriminals-the-size-of-a-company-no-longer-matters/#comments</comments>
		<pubDate>Fri, 17 May 2013 12:30:58 +0000</pubDate>
		<dc:creator>Rashmi Knowles</dc:creator>
				<category><![CDATA[Compliance]]></category>
		<category><![CDATA[Cybercrime and Fraud]]></category>
		<category><![CDATA[Enterprise Security]]></category>
		<category><![CDATA[IT Security]]></category>

		<guid isPermaLink="false">http://blogs.rsa.com/?p=9073</guid>
<description><![CDATA[Gone are the days when it was thought that the size of the company matters to cybercriminals.  The latest PwC Information Security Breaches Survey 2013 shows that there has been a significant rise in the number of small businesses that were attacked by an unauthorized outsider in the last year – up by 22%.  Interestingly, large organizations only went up by 5%.  The cybercriminal has moved on to stealing intellectual property or corporate secrets, as that’s where the real money is, and small companies become easy targets as many do not have the resources or budgets to fully protect their information.

It’s time to understand the differences between corporate secrets and custodial data.]]></description>
<content:encoded><![CDATA[<p>Gone are the days when it was thought that the size of the company matters to cybercriminals.  The latest <a href="http://www.pwc.com/gx/en/consulting-services/information-security-survey/index.jhtml">PwC Information Security Breaches Survey 2013</a> shows that there has been a significant rise in the number of small businesses that were attacked by an unauthorized outsider in the last year – up by 22%.  Interestingly, large organizations only went up by 5%.  The cybercriminal has moved on to stealing intellectual property or corporate secrets, as that’s where the real money is, and small companies become easy targets as many do not have the resources or budgets to fully protect their information.</p>
<p>It’s time to understand the differences between corporate secrets and custodial data.</p>
<p><i>Secrets</i> refer to information that the enterprise creates and wishes to keep under wraps. They tend to be messily and abstractly described in Word documents, embedded in presentations, and enshrined in application-specific formats like CAD. Secrets that have intrinsic value to the firm are almost always specific to the enterprise’s business context &#8212; an interested party could cause long-term competitive harm if this information is obtained. Keeping proprietary knowledge away from competitors is essential to maintaining market advantage.</p>
<p>Typically, companies in knowledge-intensive industries such as aerospace and defense, electronics, and consulting generate large amounts of confidential intellectual property that present barriers to entry for competitors. Unlike with toxic data spills, failures to protect secrets are almost never made public.</p>
<p>By contrast, legislation, regulation, and contracts compel enterprises to protect <i>custodial data</i>. Mandates that oblige enterprises to be good custodians include contractual obligations like the Payment Card Industry Data Security Standard (PCI-DSS) and data breach and privacy laws. Custodial data has little intrinsic value in and of itself, but when it is obtained by an unauthorized party, misused, lost or stolen, it changes state. Data that is ordinarily benign transforms into something harmful.</p>
<p>When custodial data is spilled, it becomes “toxic” and poisons the enterprise’s air in terms of press headlines, fines, and customer complaints. Outsiders, such as organized criminals, value custodial data because they can make money with it. Custodial data also accrues indirect value to the enterprise based on the costs of fines, lawsuits, and adverse publicity. Examples of custodial data include customer personally identifiable information (PII) attributes like name, address, email, and phone number; payment card details like credit card numbers and expiry dates; medical records; and government identifiers like passport numbers. Many well-known companies have graced the front pages of major newspapers with toxic data spills.</p>
<p>Interestingly, enterprises in highly knowledge-intensive industries like manufacturing, information services, professional, scientific and technical services, and transportation derive between 70% and 80% of their information portfolio value from secrets, while healthcare firms and governmental entities are nearly exactly the opposite: most of the value of their information assets lies in custodial data.</p>
<p>Data security incidents related to accidental losses and mistakes are common but cause little quantifiable damage. By contrast, employee theft of sensitive information is costlier on a per-incident basis than any single incident caused by accidents.</p>
<p>Unfortunately, compliance drives spending on security for all companies, and smaller ones have a difficult choice to make.  “Compliance” in all its forms has helped CISOs buy more gear, but it has distracted IT security from its traditional focus: keeping company secrets secure. All companies, large and small, really need to do a better job of understanding the value of their corporate secrets.</p>
<p>Read my next blog for some recommendations on achieving the right balance.</p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.rsa.com/to-cybercriminals-the-size-of-a-company-no-longer-matters/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>The ATM: Convenience for Consumers….and Fraudsters?</title>
		<link>http://blogs.rsa.com/the-atm-convenience-for-consumers-and-fraudsters/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=the-atm-convenience-for-consumers-and-fraudsters</link>
		<comments>http://blogs.rsa.com/the-atm-convenience-for-consumers-and-fraudsters/#comments</comments>
		<pubDate>Thu, 16 May 2013 16:30:56 +0000</pubDate>
		<dc:creator>Identity and Data Protection Beat</dc:creator>
				<category><![CDATA[Consumer Security]]></category>
		<category><![CDATA[Cybercrime and Fraud]]></category>

		<guid isPermaLink="false">http://blogs.rsa.com/?p=9062</guid>
<description><![CDATA[ATMs enable us to get our cash on demand, for those of us who still use cash, and have come a long way since the first machines in the 1960s, which dispensed a set amount of funds and sent back the bank card at a later date.

Convenient to consumers, yes - but to fraudsters, ATMs are seen as a way to get their hands on currency that isn’t theirs and unlike an online transaction can be harder to trace.   As a cash-out point for many scams, fraudulent crimes and cyber-attacks the ATM has seen its fair share of unfriendly withdrawals.]]></description>
				<content:encoded><![CDATA[<p><em>By Amy Blackshaw, Principal Product Marketing Manager, RSA Identity Protection</em> &amp; <em>Verification</em></p>
<p>ATMs (otherwise known as Cash Points, Money Machines, Cashlines or sometimes even Holes in the Wall) are a staple of modern life. To the everyday consumer, they are seen as a convenient way to access our bank accounts, even when the branch is closed.  (I remember standing in line at the bank as a child on Saturday mornings with my father so that he could withdraw the funds our family needed for the week – talk about advance planning!)  ATMs enable us to get our cash on demand, for those of us who still use cash, and have come a long way since the <a href="http://en.wikipedia.org/wiki/Automated_teller_machine">first machines in the 1960s</a>, which dispensed a set amount of funds and sent back the bank card at a later date.</p>
<p>Convenient to consumers, yes &#8211; but to fraudsters, ATMs are seen as a way to get their hands on currency that isn’t theirs and, unlike an online transaction, can be harder to trace.  As a cash-out point for many scams, fraudulent crimes and cyber-attacks, the ATM has seen its fair share of unfriendly withdrawals.</p>
<div id="attachment_9063" class="wp-caption aligncenter" style="width: 465px"><a href="http://blogs.rsa.com/the-atm-convenience-for-consumers-and-fraudsters/atm_blog_afcc-graphic_edited/" rel="attachment wp-att-9063"><img class="size-medium wp-image-9063   " alt="Underground Card Marketplace (Source: RSA Anti-Fraud Command Center)" src="http://blogs.rsa.com/wp-content/uploads/2013/05/ATM_Blog_AFCC-graphic_edited-300x148.png" width="455" height="224" /></a><p class="wp-caption-text">Underground Card Marketplace (Source: RSA Anti-Fraud Command Center)</p></div>
<p>Fraudsters will typically purchase cards and PINs in the underground or recreate plastic cards using the stolen data from card skimmers (<a href="http://krebsonsecurity.com/category/all-about-skimmers/">Krebs on Security has some great information on ATM skimmers</a>).  They will then recruit mules, the feet on the street who take a cut of every withdrawal they make at ATMs with the stolen data.  Mule recruitment is pretty easy, as there are plenty of people looking for quick cash, especially when the unemployment rate is high.</p>
<p><a href="http://blogs.rsa.com/the-atm-convenience-for-consumers-and-fraudsters/donkeys/" rel="attachment wp-att-9064"><img class="size-medium wp-image-9064 aligncenter" alt="Donkeys" src="http://blogs.rsa.com/wp-content/uploads/2013/05/Donkeys-300x202.png" width="446" height="300" /></a></p>
<p>There is an entire ecosystem of criminals who specialize in one or more areas of the carders market.  Mules are recruited by Mule Herders who provide forged plastic cards from Forgers who bought credit card credentials from Traders who bought the compromised credentials from a Fraudster who specializes in hacking into payment systems or social engineering schemes such as phishing.  Each criminal makes money from some point of the chain and continues to feed into the underground economy with their specialty.  Kevin Poulsen’s <a href="http://kingpin.cc/"><i>King Pin</i></a> describes one Hacker’s (Max Butler) <a href="http://www.wired.com/techbiz/people/magazine/17-01/ff_max_butler?currentPage=all">plan to rule the black market in stolen credit cards</a> before his crime ring was taken down by the FBI in 2007.</p>
<div id="attachment_9065" class="wp-caption aligncenter" style="width: 488px"><a href="http://blogs.rsa.com/the-atm-convenience-for-consumers-and-fraudsters/ff_max_butler_f-2/" rel="attachment wp-att-9065"><img class="size-medium wp-image-9065 " alt="Source: WIRED" src="http://blogs.rsa.com/wp-content/uploads/2013/05/ff_max_butler_f-2-300x204.jpg" width="478" height="325" /></a><p class="wp-caption-text">Source: WIRED</p></div>
<p>Last week the US Department of Justice published an <a href="http://www.justice.gov/usao/nye/pr/2013/2013may09.html">indictment</a> of a cybercriminal gang who used the ATM as the cash-out point for a massive global heist – ultimately draining $45M from around the world.  The attackers used “sophisticated intrusion techniques” to hack into the information systems of payment processors and global financial institutions, steal prepaid debit card information and modify withdrawal limits.  The hacked prepaid debit card numbers and PINs were distributed to fraudsters in 26 countries, who encoded magnetic stripe cards with the compromised card data and withdrew cash from ATMs on a massive scale across the globe.</p>
<p>It is important to note that the prepaid cards used in this attack are typically pre-loaded with a limited amount and are not associated with a specific user account.  These cards lack the transaction history and individual behavior patterns that most organizations leverage to monitor for fraud.  This is one of the reasons these criminals targeted prepaid cards – they understand the payment ecosystem and exploit its areas of weakness. For example, if a mule went from ATM to ATM with a stolen genuine debit card associated with an account, a transaction monitoring system could have flagged that activity as fraud.  However, with a prepaid card there is no account association and no transaction or behavioral history.</p>
<p>This latest heist is a reminder that old tried-and-true attacks will continue to occur without the correct cross-channel, risk-based, intelligent security in place.  Yes, processors need to better protect themselves from breaches and understand the threats their networks face – before an attack occurs, not only after the fact.  But banks also need to better understand the transactions that occur at the ATM, online and via mobile banking, to monitor risk and look for anomalous behavior across all channels. For example, if there is an anomaly in withdrawal amount or a high velocity of ATM activity over a short period of time, a risk-based authentication system should flag the activity as high risk for further investigation.  (It remains to be seen how the roll-out of <a href="http://en.wikipedia.org/wiki/Chip_and_PIN">Chip and PIN</a> based on the EMV protocol will affect card fraud in the US – where ~ 80% of all ATM fraud occurs &#8211; but that is a discussion for another day.)</p>
<p>The <a href="http://www.emc.com/collateral/data-sheet/h11429-rsa-adaptive-authentication-ds.pdf">RSA Adaptive Authentication</a> ATM Module enables organizations to analyze transactions in the ATM channel using risk-based authentication and cross-channel fraud detection.  Fraudsters will continue to use the ATM channel to get their hands on cash, and we will continue to stay on top of the attack vectors in this space to provide intelligent controls that protect the end user.</p>
<p><em>Amy Blackshaw is a Principal Product Marketing Manager within RSA’s Identity and Data Protection Group. In her role, Amy is responsible for the go-to-market strategy for the RSA Adaptive Authentication solution, which provides protection against advanced threats in the enterprise and online. Prior to joining RSA, Amy worked in the energy industry bringing secure technology solutions to sustainable energy businesses. Amy holds her undergraduate degree from the University of Massachusetts, Amherst, her MBA from Simmons College, and is a CISSP.</em></p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.rsa.com/the-atm-convenience-for-consumers-and-fraudsters/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Non-malware Penetration Techniques of an Advanced Attacker &#8211; Podcast #246</title>
		<link>http://blogs.rsa.com/non-malware-penetration-techniques-of-an-advanced-attacker-podcast-246/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=non-malware-penetration-techniques-of-an-advanced-attacker-podcast-246</link>
		<comments>http://blogs.rsa.com/non-malware-penetration-techniques-of-an-advanced-attacker-podcast-246/#comments</comments>
		<pubDate>Thu, 16 May 2013 16:30:10 +0000</pubDate>
		<dc:creator>SOS Podcast</dc:creator>
				<category><![CDATA[Authentication]]></category>
		<category><![CDATA[Cybercrime and Fraud]]></category>
		<category><![CDATA[Data Loss Prevention]]></category>
		<category><![CDATA[Enterprise Security]]></category>
		<category><![CDATA[Identity & Access Management]]></category>
		<category><![CDATA[Intelligence-driven security]]></category>
		<category><![CDATA[IT Security]]></category>
		<category><![CDATA[Mobile Security]]></category>
		<category><![CDATA[Podcasts]]></category>

		<guid isPermaLink="false">http://blogs.rsa.com/?p=9031</guid>
		<description><![CDATA[The level and sophistication of advanced threats is a constantly moving target pitting the advantages of smart and patient attackers against security teams that often times can’t possibly know what to look for when an attacker employs specialized techniques and tools designed to cloak their movements. What happens when an attacker doesn’t have to rely on malware to infiltrate their target or when an attacker is able to successfully blend in like a legitimate insider? In this edition of the Speaking of Security Podcast, Tom Chmielarski, Practice Lead in RSA's Advanced Cyber Defense Services shares some of the attack techniques he's seen used in real breach cases, along with best practices used in the detection and defense of these advanced attacks.]]></description>
				<content:encoded><![CDATA[<p>The level and sophistication of advanced threats is a constantly moving target pitting the advantages of smart and patient attackers against security teams that often times can’t possibly know what to look for when an attacker employs specialized techniques and tools designed to cloak their movements. What happens when an attacker doesn’t have to rely on malware to infiltrate their target or when an attacker is able to successfully blend in like a legitimate insider? In this edition of the Speaking of Security Podcast, <strong>Tom Chmielarski, Practice Lead in RSA&#8217;s Advanced Cyber Defense Services</strong> shares some of the attack techniques he&#8217;s seen used in real breach cases, along with best practices used in the detection and defense of these advanced attacks.</p>
<p><a href="http://rsa.edgeboss.net/download/rsa/2013/130411_sos_podcast.mp3">http://rsa.edgeboss.net/download/rsa/2013/130411_sos_podcast.mp3</a></p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.rsa.com/non-malware-penetration-techniques-of-an-advanced-attacker-podcast-246/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
<enclosure url="http://rsa.edgeboss.net/download/rsa/2013/130411_sos_podcast.mp3" length="24101514" type="audio/mpeg" />
		<itunes:subtitle>The level and sophistication of advanced threats is a constantly moving target pitting the advantages of smart and patient attackers against security teams that often times can’t possibly know what to look for when an attacker employs specialized techn...</itunes:subtitle>
		<itunes:summary>The level and sophistication of advanced threats is a constantly moving target pitting the advantages of smart and patient attackers against security teams that often times can’t possibly know what to look for when an attacker employs specialized techniques and tools designed to cloak their movements. What happens when an attacker doesn’t have to rely on malware to infiltrate their target or when an attacker is able to successfully blend in like a legitimate insider? In this edition of the Speaking of Security Podcast, Tom Chmielarski, Practice Lead in RSA&#039;s Advanced Cyber Defense Services shares some of the attack techniques he&#039;s seen used in real breach cases, along with best practices used in the detection and defense of these advanced attacks.</itunes:summary>
		<itunes:author>RSA, The Security Division of EMC</itunes:author>
		<itunes:explicit>no</itunes:explicit>
		<itunes:duration>12:33</itunes:duration>
	</item>
		<item>
		<title>Groove Theory of GRC &#8211; Postulate #1: Musicality or Performance?</title>
		<link>http://blogs.rsa.com/groove-theory-of-grc-postulate-1-musicality-or-performance/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=groove-theory-of-grc-postulate-1-musicality-or-performance</link>
		<comments>http://blogs.rsa.com/groove-theory-of-grc-postulate-1-musicality-or-performance/#comments</comments>
		<pubDate>Thu, 16 May 2013 12:30:25 +0000</pubDate>
		<dc:creator>Steve Schlarman</dc:creator>
				<category><![CDATA[Governance, Risk & Compliance (GRC)]]></category>
		<category><![CDATA[IT Security]]></category>
		<category><![CDATA[Risk Management]]></category>

		<guid isPermaLink="false">http://blogs.rsa.com/?p=9016</guid>
		<description><![CDATA[Welcome to my second in a series of blogs based on what I term “The Groove Theory of GRC.”   As you may or may not know (or infer from this series), I have been a musician for much of my life.  Starting in grade school playing in the school band, I have enjoyed the gift of making music over many years.  While I am no longer a “gigging” musician, I still pick up my craft and noodle at home often.   One aspect of making music that I have enjoyed is the debate between musicality and performance.  Is a great musician guaranteed to be a great performer?  Are all great musical performers talented musicians?]]></description>
				<content:encoded><![CDATA[<p>Welcome to my second in a series of <span style="text-decoration: underline"><strong><a title="The “Groove Theory of GRC” and its Postulates" href="http://blogs.rsa.com/the-groove-theory-of-grc-and-its-postulates/">blogs</a></strong></span> based on what I term “The Groove Theory of GRC.”   As you may or may not know (or infer from this series), I have been a musician for much of my life.  Starting in grade school playing in the school band, I have enjoyed the gift of making music over many years.  While I am no longer a “gigging” musician, I still pick up my craft and noodle at home often.   One aspect of making music that I have enjoyed is the debate between musicality and performance.  Is a great musician guaranteed to be a great performer?  Are all great musical performers talented musicians?</p>
<p>Miles Davis is an easy example of this.  On one hand, you have an intense musical genius that fueled scores of jazz standards and inspired countless musicians across the globe.  On the other hand, you have an individual who later in his career performed quite literally with his back to the audience facing the other musicians and at times seemed oblivious that an audience was even present (<span style="text-decoration: underline"><strong><a href="http://www.youtube.com/watch?v=00tzcnyDL68">Check out this video of his classic song Tutu</a></strong></span>).   Unfortunately I never got to see Miles Davis in person so I can’t weigh in on the feeling of being physically at one of his performances.  I am sure the power of the musicality was overwhelming but the performance may have left some feeling disconnected from the artist.   My point is that in some cases, you can have one without the other – great musicality without a grand performance or engaging entertainment without a deep, complex musical experience.</p>
<p>How does this fit into my “Groove Theory of GRC”?</p>
<p><i>Postulate #1:  Optimizing Business Performance is the end goal; Visibility and Accountability is the method.</i></p>
<p>The end goal of any GRC program should be <i>Performance Optimization.</i>  If GRC were a concert, the <span style="text-decoration: underline">performance matters</span>.  I am not talking about lasers and smoke machines.  I am talking about the substantive effect one feels at the end of a great performance – whether it is music, or theatre or a sporting event.  Management and the Board of Directors need to make decisions that are more certain to result in desired outcomes thus optimizing the performance of the business.   The GRC program should set this as the fundamental objective and impact the organization positively.   But great musical performances just don’t happen.  All the lasers and smoke machines in the world cannot make up for a truly awful band.   A talented set of musicians who know their own role, are dedicated to their craft and are communicating together can bring a musicality that transcends the individual members of the band.  This is the magic that makes the performance great.    The strength of the Performance is through the <i>Visibility and Accountability</i> the band members have with each other, the music and the audience.</p>
<p>To make it simple using my analogy, you have to have <b>Musicality</b> AND <b>Performance</b> to completely capture an audience.  Artists such as Michael Jackson, Prince, Frank Sinatra and many others have epitomized this unique blend of talent, personality and commitment.  GRC needs both <i>Performance Optimization</i> as a goal with <i>Visibility and Accountability</i> enabling the performance.  The program must be absolutely concerned about the positive impact to its audience AND based on a collaborative, connected ecosystem of contributors.</p>
<p>What are your organization’s end goals for GRC?  How do your GRC musicians connect, share and keep the audience engaged and entertained?  Do you feel your organization is bringing both performance (focus on business optimization) and musicality (visibility and accountability) to the concert hall?</p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.rsa.com/groove-theory-of-grc-postulate-1-musicality-or-performance/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Safeguarding Patient Information During Crisis</title>
		<link>http://blogs.rsa.com/safeguarding-patient-information-during-crisis/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=safeguarding-patient-information-during-crisis</link>
		<comments>http://blogs.rsa.com/safeguarding-patient-information-during-crisis/#comments</comments>
		<pubDate>Wed, 15 May 2013 16:00:11 +0000</pubDate>
		<dc:creator>Identity and Data Protection Beat</dc:creator>
				<category><![CDATA[Authentication]]></category>
		<category><![CDATA[Compliance]]></category>
		<category><![CDATA[IT Security]]></category>

		<guid isPermaLink="false">http://blogs.rsa.com/?p=9038</guid>
<description><![CDATA[In light of the recent events I’ve reflected on how valuable electronic health records (EHR) and health information exchange (HIE) participation can be in a time of crisis for immediately accessing critical life-saving data on impacted victims.  EHRs not only allow first responders to quickly access victims’ healthcare information, but also allow for more accurate ambulatory, ER and clinical decision making in life-or-death situations.]]></description>
				<content:encoded><![CDATA[<p><em>By Angel Grant, Senior Manager, Authentication and Anti-Fraud Solutions, RSA</em></p>
<p>In light of the recent events I’ve reflected on how valuable electronic health records (EHR) and health information exchange (HIE) participation can be in a time of crisis for immediately accessing critical life-saving data on impacted victims.  EHRs not only allow first responders to quickly access victims’ healthcare information, but also allow for more accurate ambulatory, ER and clinical decision making in life-or-death situations.</p>
<p>Alongside the increase in business efficiency and convenience delivered by EHRs, organizations must also remain concerned about privacy, secure access, fraud and the growing cost of security breaches. However, too often in the midst of the chaos we tend to forget how important it is to secure electronic health information during these types of incidents, to mitigate the potential risk of theft and of non-compliance with relevant regulatory requirements. Healthcare (and law enforcement) organizations need to ensure that all first responders, staff members and volunteers who have access to patient information are educated about, and in compliance with, their security and privacy policies, so that it is not inappropriately leaked to the media or, even worse, used by fraudsters looking to capitalize on a tragedy.</p>
<p>The <a href="http://www.healthcareinfosecurity.com/p-his-survey-2012"><b>Healthcare Information Security Today survey</b></a>, sponsored by RSA, highlights what healthcare organizations are taking into consideration to comply with the HIPAA Omnibus Rule.  The survey shows that most organizations’ top security priorities are preventing and detecting breaches, improving regulatory compliance and improving security training.  It also reveals that one of the biggest perceived security threats for healthcare organizations is the growing use of mobile devices and business associates (BAs) taking inadequate security precautions; only 32% of survey respondents expressed confidence in the security controls of their BAs, and as you can see on the <a href="http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html">HHS &#8220;wall of shame&#8221;</a>, a majority of breaches were caused by lost or stolen devices or misplaced laptops.</p>
<p>Yet surprisingly, implementing multi-factor authentication is not one of the top five priorities for technology investments this year. Only 16% are currently using some type of one-time password with two-factor authentication, and over 89% are using just a username and password to guard against inappropriate access to EHRs.</p>
<div id="attachment_9049" class="wp-caption aligncenter" style="width: 442px"><a href="http://blogs.rsa.com/?attachment_id=9049" rel="attachment wp-att-9049"><img class="size-medium wp-image-9049 " alt="his_survey_p18_chart" src="http://blogs.rsa.com/wp-content/uploads/2013/05/his_survey_p18_chart-300x224.jpg" width="432" height="322" /></a><p class="wp-caption-text">Source: Healthcare Information Security Today</p></div>
<p>The survey also shows that 27% of organizations already offer a personal health record (PHR) portal and 35% have one in the works. The growth in adoption of consumer PHR portals is exactly why traditional authentication needs to make way for more dynamic, risk-based authentication. The financial and online retail verticals have had to rely on such advanced authentication for multimillion-user consumer bases. The time has come for the healthcare industry to adopt these notions as well and deploy an adaptive, intelligent framework that can change as the threats do. Transparent risk-based authentication allows instant but secure access to records in both patient and physician portals, which is necessary to expedite emergency situations. For example, someone accessing a patient record in an ER-type situation needs to reach the data quickly and should not be interrupted in their login workflow. However, if someone is accessing clinical trial information remotely via a mobile device, you may want to require additional or stronger authentication. The level of authentication should be aligned to the level of risk. Integrating risk-based authentication with access management and identity federation helps organizations establish this balance, because the data in a healthcare environment ranges widely in risk and value (e.g., credit card data for billing, PHI, appointment schedules) and multiple people across multiple functions and entitlements are accessing it.</p>
<div id="attachment_9050" class="wp-caption aligncenter" style="width: 491px"><a href="http://blogs.rsa.com/?attachment_id=9050" rel="attachment wp-att-9050"><img class="size-medium wp-image-9050 " alt="his_survey_chart_p19" src="http://blogs.rsa.com/wp-content/uploads/2013/05/his_survey_chart_p19-300x205.jpg" width="481" height="328" /></a><p class="wp-caption-text">Source: Healthcare Information Security Today</p></div>
<p>During a time of crisis, organizations do not need to be made more vulnerable to medical identity theft and fraud. Advanced security solutions provide the opportunity to balance risk, cost and convenience across all aspects of the healthcare ecosystem, mitigating threats while at the same time taking advantage of the benefits of easier information sharing.</p>
<p>Bottom line – this means improved patient care safety, streamlined business processes, physician productivity, cost efficiencies and, most importantly &#8211; saved lives.</p>
<p><em>Angel Grant is a Senior Manager for RSA’s Authentication and Anti-Fraud solutions. She is responsible for a variety of initiatives which protect organizations against fraud and identity theft.  She has more than 20 years of experience in the security and financial services industries.</em></p>
]]></content:encoded>
			<wfw:commentRss>http://blogs.rsa.com/safeguarding-patient-information-during-crisis/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
