Start Secure. Stay Secure.TM

Web Application Security and HIPAA Compliance

Are your web applications vulnerable?

By Kevin Beaver and Caleb Sima

Table of Contents

Introduction
Overview of HIPAA
Securing Web Applications
Software Products That Can Help
Conclusion
About the Authors
The Business Case for Application Security
About SPI Labs
About SPI Dynamics
About the WebInspect Product Line
Contact Information

© 2006 SPI Dynamics, Inc. All Rights Reserved. No reproduction or redistribution without written permission.

Introduction

In our age of increased information privacy and security requirements, organizations working in the healthcare industry must secure their Web applications to protect the confidential healthcare information that they store, transmit, and receive. This isn't just good business practice. It is being federally mandated in the U.S. through the Health Insurance Portability and Accountability Act (HIPAA). HIPAA, among other things, mandates the privacy and security of protected health information (PHI) against the various threats and vulnerabilities associated with healthcare information management. As they relate to Web application security, the HIPAA security requirements are a set of information security best practices that cover determining risks, implementing the proper controls, and performing ongoing assessments to ensure information is continuously protected. Achieving HIPAA compliance is not impossible, but a few key elements are necessary to achieve and maintain it. Organizations must implement the proper information access controls and possess the appropriate tools to ensure that information is kept secure.
These, combined with practical security policies and processes, will go a long way toward keeping PHI secure and will also provide value well beyond HIPAA compliance.

Overview of HIPAA

The HIPAA legislation [1], which falls under the umbrella of the U.S. Department of Health and Human Services, was enacted in 1996 under President Bill Clinton. The intent of HIPAA is not simply to ensure the privacy and security of PHI. Its overall goals are to provide insurance portability for employees who change jobs, to help combat health insurance fraud, and to ease the burgeoning administrative and financial burdens in the healthcare industry. Much to the disbelief of many organizations in the healthcare industry that are currently caught up in the compliance whirlwind, HIPAA does offer long-term business value in the form of streamlined electronic transactions for payments, less paperwork, increased trust from patients who know that their private information is being handled properly, and more.

[1] Department of Health and Human Services, Office of the Secretary, Security Standards; Final Rule. Federal Register, 45 CFR Parts 160, 162, and 164, February 20, 2003. http://www.cms.hhs.gov/SecurityStandard/Downloads/securityfinalrule.pdf

The HIPAA Security Standard, which is the section applicable to Web application security, recommends information security best practices. The compliance date for this rule was April 21, 2005 (April 21, 2006 for small health plans). The goal of the Security Standard is to ensure the confidentiality, integrity, and availability of electronic PHI (ePHI). For those organizations that already have even the slightest information security infrastructure in place, there should be no surprises when it comes to implementing its requirements.
These requirements are very straightforward as long as the covered entities have the proper information security expertise and tools. The Security Standard focuses on what needs to be secured, not how to secure it, and allows a great amount of flexibility for covered entities. From the start, the Security Standard was designed to be scalable, flexible, technology-neutral, and comprehensive regardless of the size or ability of the HIPAA-covered entity. These factors have helped considerably to ease the implementation burden of the Security Standard. It covers every aspect of a solid information and physical security program, from a risk analysis to security policies to security training to ongoing auditing of healthcare information systems.

HIPAA-covered entities must comply with the HIPAA rules now and on an ongoing basis to effectively protect PHI and avoid legal liabilities. In addition, any business associates of covered entities must have adequate safeguards in place to protect PHI while it is in their possession.

Securing Web Applications

From a fundamental information security and controls perspective, it is clear that Web application security is crucial to HIPAA compliance. The requirements for HIPAA compliance apply to any system that processes or maintains ePHI. Given that a growing number of healthcare records are stored, accessed, and maintained in electronic formats that often have Web-based components, there is a significant correlation between this information and Web applications. In addition, there are system monitoring components required for HIPAA compliance that tie into Web applications. Web servers, database servers, and often the applications themselves have a logging function that creates audit trails for tracking who, what, and when.
These trails not only provide the details necessary for system monitoring and troubleshooting but are often used in a forensics capacity to investigate attacks against Web applications. Audit trails can also support the ongoing Web application security assessments and audits required to achieve HIPAA compliance, and provide documented proof that they are taking place.

As with most information security initiatives, the requirements for HIPAA compliance are policy-driven in areas such as:

· User authentication
· Password management
· Access controls
· Input validation
· Exception handling
· Secure data storage and transmission
· Logging
· Monitoring and alerting
· System hardening
· Change management
· Application development
· Incident response
· Business continuity
· Periodic security assessments and audits

If security policies designed to maintain HIPAA compliance are not in place and enforced with adequate business processes and technical controls, Web applications can easily expose healthcare systems and ePHI to unauthorized users. Beyond implementing the necessary policies and processes, another important element of HIPAA compliance is to focus on detecting vulnerabilities in the software lab so they can be fixed before they are discovered and exploited in the field. An information risk assessment looks at all aspects of the information security infrastructure and determines specific information threats, vulnerabilities, and risks. This is not only essential for determining which controls to implement but is also a requirement for HIPAA compliance.
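The audit-trail paragraph and the list of policy areas above describe these controls in prose. The following is an added example, not code from this whitepaper or from SPI Dynamics' products, showing how a small patient-record handler can apply input validation, access controls, exception handling, and who/what/when logging together, and how the resulting audit trail can then be reviewed for the probing and snooping patterns a forensics reviewer looks for. The users, patient IDs, IP addresses, access policy, and alert thresholds are all constructed assumptions.

```python
"""Added example (not from the SPI Dynamics whitepaper): a patient-record access
handler applying input validation, access control, exception handling and
who/what/when audit logging, plus a reviewer over the audit trail."""
import json
import re
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Constructed stand-in for the ePHI store; real records would live in a database.
PATIENTS = {
    "P000123": {"name": "Alice Example", "dob": "1980-01-01"},
    "P000456": {"name": "Bob Example", "dob": "1975-05-05"},
}
# Constructed access policy: user -> patients with whom they have a treatment relationship.
ACCESS = {"dr_smith": {"P000123"}, "nurse_jones": {"P000123", "P000456"}}
# Input validation uses a strict allow-list format instead of trying to block bad input.
PATIENT_ID_RE = re.compile(r"^P[0-9]{6}$")


class InvalidInput(Exception):
    pass


class AccessDenied(Exception):
    pass


def audit(log, user, action, target, outcome, client_ip):
    """Append one structured who/what/when record to the audit trail (a list of
    JSON lines). The record references the patient by ID only, so PHI never
    reaches the log; JSON encoding escapes newlines and quotes, so untrusted
    input echoed into 'target' cannot forge extra log lines."""
    record = {"ts": datetime.now(timezone.utc).isoformat(), "user": user,
              "action": action, "target": target, "outcome": outcome, "ip": client_ip}
    log.append(json.dumps(record))
    return record


def get_patient_record(user, patient_id, client_ip, log):
    """Validate, authorize, audit, then read. Every failure path is logged and
    returns a generic error, so error handling leaks neither PHI nor whether a
    given patient ID exists."""
    if not isinstance(patient_id, str) or not PATIENT_ID_RE.match(patient_id):
        # Truncate before logging so an oversized input cannot bloat the trail.
        audit(log, user, "read", str(patient_id)[:32], "invalid_input", client_ip)
        raise InvalidInput("patient id has an invalid format")
    if patient_id not in ACCESS.get(user, set()):
        audit(log, user, "read", patient_id, "denied", client_ip)
        raise AccessDenied("not authorized")
    record = PATIENTS.get(patient_id)
    if record is None:
        audit(log, user, "read", patient_id, "not_found", client_ip)
        raise AccessDenied("not authorized")  # same message as 'denied': no existence oracle
    audit(log, user, "read", patient_id, "success", client_ip)
    return record


def review_audit_trail(log_lines, failure_threshold=3, breadth_threshold=5):
    """Scan JSON audit lines and return (user, ip, reason) findings for two
    patterns worth an analyst's attention in an ePHI system: repeated failures
    from one user/IP (probing or credential misuse) and one user successfully
    reading an unusually broad set of patients (snooping). Thresholds are
    constructed; tune them to the application's normal traffic."""
    failures = Counter()
    patients_read = defaultdict(set)
    for line in log_lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # a malformed line should not abort the whole review
        if rec["outcome"] in ("invalid_input", "denied", "not_found"):
            failures[(rec["user"], rec["ip"])] += 1
        elif rec["outcome"] == "success":
            patients_read[rec["user"]].add(rec["target"])
    findings = []
    for (user, ip), n in failures.items():
        if n >= failure_threshold:
            findings.append((user, ip, f"{n} failed accesses"))
    for user, targets in patients_read.items():
        if len(targets) >= breadth_threshold:
            findings.append((user, "-", f"{len(targets)} distinct patients read"))
    return findings


def run_demo():
    """One legitimate read followed by three failed attempts from the same user."""
    log = []
    get_patient_record("dr_smith", "P000123", "10.0.0.5", log)
    # Not in dr_smith's access list, malformed, and again not in the access list.
    for bad in ("P000456", "P12", "P000999"):
        try:
            get_patient_record("dr_smith", bad, "10.0.0.5", log)
        except (InvalidInput, AccessDenied):
            pass
    return log, review_audit_trail(log)


if __name__ == "__main__":
    trail, findings = run_demo()
    print("\n".join(trail))
    print(findings)
```

Running the module prints four JSON audit lines and one finding for dr_smith's three failed accesses. The reviewer reads the same JSON lines the handler writes, so the trail serves both the monitoring and the forensics purposes the text describes, and because the handler writes only patient IDs and outcomes, the trail can be handed to an auditor without itself becoming an ePHI exposure.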
Analyzing the Web applications that are critical front ends to many of today's healthcare information systems is an essential part of this assessment, and the ongoing evaluations required for HIPAA compliance validate that Web application security is where it needs to be to protect the confidentiality, integrity, and availability of ePHI.

Software Products That Can Help

Healthcare organizations and other companies that must comply with HIPAA have many technological options for supporting the various internal controls needed to achieve HIPAA compliance and protect sensitive systems. However, the problem with relying on traditional network security products such as firewalls, intrusion detection systems, and encryption to ensure HIPAA compliance is that most Web-based attacks can still occur without being detected or responded to effectively. Performing proactive Web application vulnerability assessments finds and closes these weaknesses before attackers can use them to get into the network.

There are various methods and tools that can be used to assess the security controls of Web applications. The first option, manual testing, is a valuable way to find contextual vulnerabilities that only a human could reasonably spot. However, searching manually for every possible Web application vulnerability could take weeks, months, or an indefinite amount of time, and that assumes the person doing the testing knows everything to check for and can keep abreast of the latest Web application vulnerabilities. A variety of software tools can help application developers fulfill the testing requirements mandated by HIPAA.
These tools can be used to identify initial risks in source code and production systems, as well as to perform preventative testing for HIPAA compliance during the software development lifecycle and post-deployment phases. With these tools, Web developers, QA analysts, penetration testers, and security auditors can run full, partial, or customized scans on Web applications or Web services on hosts throughout the enterprise that are associated with ePHI to ensure HIPAA compliance. In addition, these tools can be used as a starting point for the creation or revision of security standards, policies, and processes that are necessary for HIPAA compliance. This will help ensure that all the initial time, money, and effort spent to establish HIPAA compliance are smart investments.

When searching for Web application security software tools to help with HIPAA compliance, it's important to consider the following features:

· Overall ease of use
· Testing flexibility (e.g., manual stepping, automated crawling, or input variations)
· Customizable security policies
· Automatic updates and application patches for new Web vulnerabilities
· Prioritization of discovered Web security vulnerabilities
· Level of reporting (e.g., executive, technical, QA)
· Support for specific software platforms and development languages
· Vendor or open source team reputation and long-term viability
· Costs related to acquiring, using, and supporting the tool

Conclusion

The bottom line is that HIPAA compliance and information security are not one-time events. Organizations must work diligently and consistently to ensure that Web application weaknesses are found and threats are defended against as quickly as possible.
This can only be done effectively and at minimal cost by using powerful, integrated design, static analysis, and Web application vulnerability assessment tools. There is no more flexible or useful way of performing security assessments and ongoing audits on Web applications to help prepare the organization for HIPAA compliance than by utilizing the right software tools. It is critical to remember that the HIPAA Security Standard and HIPAA compliance are just a piece of the overall puzzle; IT departments will not (nor should they) control or drive all HIPAA compliance initiatives. However, they can certainly help the cause of HIPAA compliance by deploying technologies that automate and enforce the necessary internal controls for healthcare information systems.

About the Authors

Kevin Beaver, CISSP, is an independent information security consultant, author, and speaker with Atlanta, GA-based Principle Logic, LLC. He has nearly two decades of experience in IT and specializes in performing information security assessments. Mr. Beaver has written six books on information security including Hacking For Dummies and Hacking Wireless Networks For Dummies (Wiley), The Definitive Guide to Email Management and Security (Realtimepublishers.com), and The Practical Guide to HIPAA Privacy and Security Compliance (Auerbach).

Caleb Sima is a co-founder of SPI Dynamics, a Web application security products company. He currently serves as the CTO and director of SPI Labs, SPI Dynamics' research and development security team. Prior to co-founding SPI Dynamics, Mr. Sima was a member of the elite X-Force R&D team at Internet Security Systems, and worked as a security engineer for S1 Corporation. Mr. Sima is a regular speaker and press resource on Web application security testing methods, has contributed to (IN)Secure Magazine and Baseline Magazine, and has been featured in the Associated Press.

DISCLAIMER: The authors have used their best efforts in the preparation of this whitepaper. The information and opinions provided in this whitepaper do not constitute or substitute for legal or other professional advice. Readers should consult their own legal or other professional advisors for individualized guidance regarding the application of HIPAA to their particular situations and in connection with other compliance-related concerns.

The Business Case for Application Security

Whether a security breach is made public or confined internally, the fact that a hacker has accessed your sensitive data should be a huge concern to your company, your shareholders and, most importantly, your customers. SPI Dynamics has found that the majority of companies that are vigilant and proactive in their approach to application security are better protected. In the long run, these companies enjoy a higher return on investment for their e-business ventures.

About SPI Labs

SPI Labs is the dedicated application security research and testing team of SPI Dynamics. Composed of some of the industry's top security experts, SPI Labs is focused specifically on researching security vulnerabilities at the web application layer. The SPI Labs mission is to provide objective research to the security community and all organizations concerned with their security practices. SPI Dynamics uses direct research from SPI Labs to provide daily updates to WebInspect, the leading Web application security assessment software.
SPI Labs engineers comply with the standards proposed by the Internet Engineering Task Force (IETF) for responsible security vulnerability disclosure. SPI Labs policies and procedures for disclosure are outlined on the SPI Dynamics web site at: http://www.spidynamics.com/spilabs.html.

About SPI Dynamics

SPI Dynamics, the expert in web application security assessment, provides software and services to help enterprises protect against the loss of confidential data through the web application layer. The company's flagship product line, WebInspect, assesses the security of an organization's applications and web services, the most vulnerable yet least secure IT infrastructure component. Since its inception, SPI Dynamics has focused exclusively on web application security. SPI Labs, the internal research group of SPI Dynamics, is recognized as the industry's foremost authority in this area. Software developers, quality assurance professionals, corporate security auditors and security practitioners use WebInspect products throughout the application lifecycle to identify security vulnerabilities that would otherwise go undetected by traditional measures. The security assurance provided by WebInspect helps Fortune 500 companies and organizations in regulated industries, including financial services, health care and government, protect their sensitive data and comply with legal mandates and regulations regarding privacy and information security. SPI Dynamics is privately held with headquarters in Atlanta, Georgia.

Contact Information

SPI Dynamics
115 Perimeter Center Place
Suite 1100
Atlanta, GA 30346
Telephone: (678) 781-4800
Fax: (678) 781-4850
Email: info@spidynamics.com
Web: www.spidynamics.com