H-ISAC Hacking Healthcare 8-20-19 - Health-ISAC - Health Information Sharing and Analysis Center

TLP White: In this edition of Hacking Healthcare, we take a look at the BioStar breach and its potential repercussions for biometric data. We then detail the partnership between the Defense Information Systems Agency and (DISA) and The Department of Health and Human Services (HHS) in creating a behavioral-based identity technology. Finally, we look at how the ever expanding network landscape is impacting hospital security teams and why the increase in application threat hunting isn’t necessarily improving healthcare security.

As a reminder, this is the public version of the Hacking Healthcare blog. For additional in-depth analysis and opinion, become a member of H-ISAC and receive the TLP Amber version of this blog (available in the Member Portal.)

Welcome back to Hacking Healthcare.

Hot Links –

1. BioStar, Biometrics, and Breaches.

The recent discovery by vpnMentor and a pair of Israeli researchers of a massive breach in BioStar 2, a “web-based biometric security smart lock platform,” has potentially exposed sensitive data of millions of individuals from hundreds to thousands of organizations across the globe.[1] Upon discovery on August 5^th, vpnMentor attempted to make contact with BioStar 2 but was repeatedly rebuffed.[2] Only after trying several times and by contacting different branches of the company was vpnMentor able to relay their information and have the breach closed by August 13^th.[3]

The BioStar 2 application is operated by Suprema, a major security company, and is in use globally to secure buildings and facilities through the use of biometrics. The application stores everything from fingerprint to facial recognition data and was recently integrated into access control system AEOS.[4] AEOS is used globally by over 5,700 organizations in both the public and private sector.[5] The team that discovered the breach announced that over 27.8 million records, including over 1 million fingerprints, totaling 23 gigabytes of data was available to anyone who happened across it.^[6] The data includes “admin panels, dashboards, fingerprint data, facial recognition data, face photos of users, unencrypted usernames and passwords, logs of facility access, security levels and clearance, and personal details of staff.”[7] The security researchers also outlined that “instead of saving a hash of the fingerprint (that can’t be reverse-engineered) they are saving people’s actual fingerprints that can be copied for malicious purposes.”[8]

What makes this breach different and potentially more damaging is the nature of the data that was breached. Traditional passwords can be reset, accounts can be deleted, and some PII like addresses, contact information, and even names can be changed but biometric data cannot. Your fingerprint is your fingerprint. Your face, your iris, anything biometric related, is uniquely you. It is because of that fact that biometric security is generally considered to be as good as it gets when it comes to authenticating an individual. The issue that this breach calls attention to is what happens when that data is stolen.

2. Behavioral-based Identity and Healthcare.

The Defense Information Systems Agency (DISA) and the Department of Health and Human Services (HHS) are working in partnership on a behavioral-based identity technology that could have far reaching impacts for the healthcare industry.[9] The system is being called Assured Identity, and once implemented it would hopefully allow healthcare providers and emergency responders to seamlessly log into critical systems and devices without having to stop to enter in a password or other information. While DISA’s application for the technology is likely more battlefield related, the combined resources of these two agencies suggests that development will at least be well funded.

The behavioral-based identity which underpins the Assured Identity system is based on 240 behavioral characteristics.[10] These characteristics can include everything from iris scans, fingerprints, an individual’s way of walking, heart rate, voice, and even keystroke patterns, to name just a few. A device embedded with this technology would then be able to quickly authenticate an individual without wasting potentially lifesaving seconds logging in and providing two-factor authentication. In essence, behavioral-based technology like this pilot program wants to turn all of our unique characteristics into a one of a kind password.

3. A Lack of Network Visibility and a Lack of Resources to Fix Application Vulnerabilities.

The push for healthcare modernization and the incorporation of new technologies is having a detrimental effect on the ability of hospital security teams to do their jobs. According to a new report from Fidelis, the introduction of new classes of devices, in addition to more devices generally, is straining security teams’ ability to maintain complete visibility into their networks. In fact, the report stated that nearly half of all respondents acknowledged that they did not have full visibility of their networks and were vulnerable as a result.[11]

In response to this problem, Fidelis’ CTO Craig Harbor urges organizations to consolidate stacks and find interoperability and unified platforms.[12] According to Healthcare IT News, Harbor further elaborated that “While there’s still a lot of work to be done, organizations need to take a terrain-based defense strategy – even in how they maintain and build their stacks – to ensure the increased context and visibility required to facilitate detections and overall security posture.”[13]

As the struggle for visibility continues, a different sort of struggle has emerged for application security within all industries, healthcare included. Increased awareness of the importance of cybersecurity security testing is revealing the ongoing, and disheartening, extent of vulnerabilities within our applications. According to a new report from WhiteHat Security, while the number of applications being tested for vulnerabilities rose by 20% over the previous year, the percentage of vulnerabilities that were remediated has fallen from last year.[14] Even worse is WhiteHat’s statistic that the average time to fix a critical application vulnerability stood at 148.6 days and that only 50.7% of all critical application vulnerabilities were remediated at all.[15]