How should we protect our site from hackers?
A hacker's attack against your system involves a complicated sequence of activities. The best protection is achieved by disrupting each of these activities. In that way, the defense against the attacker is not dependent on the success of any single protection measure. This is an important security principle is known as defense in depth. Hackers follow a routine set of activities when attempting to compromise a system:
Reconnaissance. The hacker seeks information about your systems, your organization and your staff. Some of this information may be provided by your systems as feedback to anyone attempting to connect to them, some through publication of your resources in Internet directories, some through mention of you organization in trade publications, mailing lists, blogs and the like. Hackers use this information, collectively referred to as a 'footprint' to focus their attacks against your systems.
What you can do to reduce reconnaissance: Instruct your vendors and technical support staff to configure systems that only information required to support authorized protocols is displayed.
Scan for Vulnerabilities. The hacker will use automated tools to find known vulnerabilities in your system. Security research has shown that instances of poor design, logic error, and program code faults can be found in all kinds in operating systems, database platforms, applications and software utilities. System vendors publish software 'patches' or 'security updates' to correct many types of vulnerabilities. Even so hackers continue to develop new means of exploiting known and newly discovered vulnerabilities in order to steal confidential information, disrupt system operations or get the system to execute the hacker's commands.
What you can do to reduce vulnerabilities: 1) Eliminate the known vulnerabilities in your systems. Ensure your technical support group subscribes to the 'notification service' of each of your vendors to ensure the 'patches' are installed in a timely fashion. Patching should occur on any system that feeds or is necessary to the proper operations of the EHR system, including operating systems, web servers, and databases. 2) Use hacker tools to scan your own systems. Have your technical support staff routinely conduct external 'vulnerability scans' . This will give you a hacker's view of your system and allow you to identify areas of high risk.
Exploit the vulnerability. Once vulnerabilities have been identified, the hacker will execute a collection of exploits to accomplish the goal of acquiring confidential information, corrupting or otherwise gaining control of your systems. Executing these exploits takes time and thus provides a window of opportunity for disruption.
What you can do to stop exploits: Configure the 'intrusion detection' aspects of your systems to 'alert' your technical support staff of unusual system activity that may indicate an ongoing exploit of your systems. Intrusion detection monitors are built into most systems. For example, the Windows operating system provides an alert whenever a large number of failed logins occurs, which indicates there may be an automated process attempting to gain access using default or very simple passwords. Additional specific intrusion detection products can be used to observe target traffic (or messages) that are evidence of well know exploits. [Intrusion detection, SNORT]
Cover tracks. To escape responsibility, the hacker will attempt to erase or otherwise obscure evidence of the attack.
What you can do to ensure accountability. System logs are critical to identifying the attack source and associating it with specific system events. Audit logging should be enabled for all relevant systems with storage sufficient to maintain adequate storage for later use. Systems should be configured so that special privileges are required to modify or delete the audit logs. Furthermore to ensure accountability, always use the strongest practical methods to authenticate users, network connections and systems.
Resources - Reconnaissance
Resources - Vulnerabilities
Resources - Intrusion Detection
Resources - Audit Logging
E-mail the HealthIT e-mail box: email@example.com