Cyber Security for Medical Facilities: Best Practice Test Criteria for Article 32 GDPR

Editor’s Note: As an extension of its worldwide data and legal discovery expertise, HaystackID’s Cybersecurity Consulting Practice provides organizations with a trusted partner and active participant in the assessment, implementation, and management of key discovery-centric digital security requirements. Led by CISO and President of Forensics John Wilson, HaystackID’s Cybersecurity Consulting Practice equips organizations with a highly trained team of data security and digital forensic experts focused on helping develop, augment, and complement cyber risk, information governance, and managed security initiatives. The Cybersecurity Consulting Practice is available immediately for engagement.

Developed and published by the Bavarian State Commissioner for Data Protection (BayLfD) and the Bavarian State Office for Data Protection Supervision (BayLDA), the following information (paper and translation) highlights important cybersecurity considerations in sixteen fundamental areas, ranging from patch management and ransomware to remote maintenance and social engineering. Although written from the perspective of medical facility cybersecurity, the paper may be useful to legal, business, and information technology professionals in the eDiscovery ecosystem as they seek to secure and protect sensitive data in both on-site and remote environments.

Cyber Security for Medical Facilities: Best Practice Test Criteria for Article 32 GDPR

Purpose and Content of This Paper

This handout provides an overview of practical cybersecurity measures for medical facilities, including a thematic block specifically for laboratories, in accordance with the applicable legal data protection requirements. With the aim of targeted prevention, it is intended to raise awareness of security-related issues and to actively support the trouble-free operation of these facilities.

The document focuses on the availability of data and services in the face of attacks from the Internet, and less on their confidentiality and integrity, which must nevertheless also be observed from a data protection perspective. The measures listed are not exhaustive; they represent a best-practice approach that can support effective protection against current cybersecurity threats. Because circumstances differ from one organization to another, it is not strictly necessary to implement every measure listed in order to meet the data protection security requirements. Where an individual measure is not implemented, it must be checked how other (possibly existing) measures provide a comparable, adequate level of protection.

This paper is an aid for quickly checking your own security with regard to the availability of your own data processing within the meaning of Art. 32 GDPR. The scope covers both the private (non-public) and the public sector.

The paper was created in a collaboration between the Bavarian State Office for Data Protection Supervision (BayLDA) and the Bavarian State Commissioner for Data Protection (BayLfD).


Cybersecurity for Medical Facilities (PDF)

Cybersicherheit für medizinische Einrichtungen (Cybersecurity for Medical Facilities), 27 May 2020

Original Source: BayLDA


Checklist Extracts from English Translation of Paper*

Self-Check: Cybersecurity in Medical Facilities

Patch Management

Outdated software versions carry an increased risk of attack because of known but unpatched vulnerabilities. The software in use must therefore be kept up to date through regular security updates.

+ Patch management concept in place (including an up-to-date plan with an overview of the software used)
+ Regular evaluation of vulnerability information for the software in use, such as operating systems, office software, specialist applications, and the medical device environment (e.g., through email newsletters, manufacturer publications, trade media, security advisories)
+ Exclusive use of desktop operating systems for which the manufacturer/maintainer provides security updates once vulnerabilities become known
+ Regulated process for the prompt installation of server security updates
+ Automatic updates of the desktop operating systems (directly from the manufacturer or through central distribution)
+ Regulated process for browser updates (recommendation: automatic, if possible)
+ Regulated process for updates of basic components such as Java or PDF readers (recommendation: automatic, if possible)

Malware Protection

Infection with malicious code often leads to a significant IT disruption. Antivirus programs do not recognize every malware variant, but they intercept many standard attacks, so effective anti-malware protection must be used.

+ Endpoint protection on every workstation
+ Daily automatic update of the antivirus signatures
+ Central collection of alarm messages by IT administration
+ Clear instructions to employees on how to deal with alarm messages
+ IT administration procedure for handling malware infections
+ Antivirus solution with heuristic detection configured locally to “high”
+ Sandboxing or advanced endpoint detection and response (EDR) only under strict observance of data protection regulations (EDR telemetry can include personal data about employee activity)

Ransomware Protection

Trojans that encrypt data in a targeted manner in order to extort a ransom can bring operations to a standstill. Proactive measures against encryption Trojans are essential in order to head off the impending damage at an early stage.

+ As far as possible, no macros in office documents in everyday operations
+ Allow only signed Microsoft Office macros, or regularly (e.g., once a year) inform employees about the risks of activating macros (e.g., in Microsoft Word)
+ Prevent automatic execution of downloaded programs (e.g., software restriction policy and sandboxing)
+ Deactivation of Windows Script Host (WSH) on clients (if not absolutely necessary)
+ Check whether restricting PowerShell scripts with Constrained Language Mode on Windows clients is feasible
+ Use a web proxy with current (daily updated) block lists of malicious-code download sites (IOCs)
+ Emergency plan for dealing with encryption Trojans, available on paper
+ Review of the backup and recovery strategy (see Backups), ensuring that backups cannot be encrypted by ransomware
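The three client-hardening items above (WSH, Constrained Language Mode, macro and application control) can be verified from the client itself. The following PowerShell script is an added example and is not part of the BayLDA/BayLfD paper; it is read-only, reports each item as OK or FAIL, and puts the remediation commands in comments. It assumes Office 2016 or later policy keys (`Office\16.0`), which are an assumption of this example, and that the AppLocker module is present (it is not on all Windows editions, which the script tolerates).

```powershell
# Added example: audit of the Windows client hardening items from the ransomware
# checklist. Run elevated on a client; nothing is modified.

function Get-RegDword {
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

function New-Finding {
    param([string]$Check, [bool]$Pass, [string]$Detail)
    [pscustomobject]@{ Check = $Check; Status = $(if ($Pass) { 'OK' } else { 'FAIL' }); Detail = $Detail }
}

function Test-RansomwareHardening {
    $findings = @()

    # 1. Windows Script Host: Enabled=0 stops wscript/cscript from running .vbs/.js droppers.
    #    Fix: Set-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings' -Name Enabled -Value 0 -Type DWord
    $wsh = Get-RegDword 'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings' 'Enabled'
    $wshDetail = if ($null -eq $wsh) { 'Enabled not set (WSH active by default)' } else { "Enabled=$wsh" }
    $findings += New-Finding 'Windows Script Host disabled' ($wsh -eq 0) $wshDetail

    # 2. Language mode of this session, plus the machine-wide __PSLockdownPolicy=4 that forces
    #    ConstrainedLanguage for new sessions. Microsoft documents that variable as a test aid;
    #    in production, enforce CLM through WDAC or AppLocker rather than the variable alone.
    $mode = $ExecutionContext.SessionState.LanguageMode
    $lockdown = [Environment]::GetEnvironmentVariable('__PSLockdownPolicy', 'Machine')
    $findings += New-Finding 'PowerShell ConstrainedLanguage mode' ($mode -eq 'ConstrainedLanguage' -or $lockdown -eq '4') "session=$mode; __PSLockdownPolicy=$lockdown"

    # 3. Office macro policy per application (HKCU policy hive, written by Group Policy).
    #    VBAWarnings 3 = only digitally signed macros, 4 = all macros blocked without notification;
    #    blockcontentexecutionfrominternet 1 = macros in files marked as downloaded are blocked.
    foreach ($app in 'Word', 'Excel', 'PowerPoint') {
        $key = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"   # assumed Office 16.0 keys
        $vba = Get-RegDword $key 'VBAWarnings'
        $motw = Get-RegDword $key 'blockcontentexecutionfrominternet'
        $findings += New-Finding "$app macros signed-only or blocked" (@(3, 4) -contains $vba) "VBAWarnings=$vba"
        $findings += New-Finding "$app blocks macros from the Internet" ($motw -eq 1) "blockcontentexecutionfrominternet=$motw"
    }

    # 4. Application control: an effective AppLocker policy with at least one rule collection is
    #    the Windows-native way to "prevent automatic execution of downloaded programs".
    #    Check the collections' EnforcementMode separately; AuditOnly does not block anything.
    try {
        $rules = @((Get-AppLockerPolicy -Effective -ErrorAction Stop).RuleCollections)
        $findings += New-Finding 'AppLocker policy present' ($rules.Count -gt 0) "$($rules.Count) rule collection(s)"
    } catch {
        $findings += New-Finding 'AppLocker policy present' $false 'AppLocker module not available on this edition'
    }

    return $findings
}

Test-RansomwareHardening | Format-Table -AutoSize
```

A FAIL on the PowerShell line does not by itself mean scripts run unrestricted: a WDAC or AppLocker policy that puts PowerShell into Constrained Language Mode is reported through the session mode, and on a workstation without any of the three controls the line correctly shows FAIL.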

Password Protection

Access to personal data of any kind by unauthorized persons, especially cybercriminals, must be made as difficult as possible through appropriate measures. Strong passwords help protect employee logins.

+ Employee awareness of what strong passwords are and how to handle them (e.g., no sticky notes at the workplace, never passed on, …)
+ Defaults in applications that prevent the selection of very weak passwords (e.g., through guidelines or, as far as possible, technically enforced via the identity management system)
+ Minimum length of ten characters for passwords in use
+ Recommendation to avoid easily guessable passwords or password components
+ Rules for blocking and reassigning passwords after an incident
+ Strong passwords according to the password guidelines also for internal systems, if they are not already enforced through the identity management system
+ Review of any rule requiring password changes after short periods (e.g., 60 days): if passwords are strong and long enough (e.g., at least twelve characters), the change interval can be significantly longer (e.g., once a year)

Note: Encryption is particularly necessary for personal medical data. However, encryption can prevent content from being checked for malicious code in advance. Special care must therefore be taken before and when opening encrypted medical data.

Two-factor Authentication

Security-critical areas have long been a focus of attackers. In addition to classic passwords, additional authentication factors are required to adequately protect these particularly sensitive access points.

+ Two-factor protection for administrator access, at least for Internet services (e.g., cloud mail hosting)
+ Basic protection of encrypted VPN connections with cryptographic certificates or one-time passwords
+ If chip cards are used as employee ID cards, check whether they can also be used for basic authentication (e.g., Windows login)

Note: For laboratories and other medical facilities in Bavarian hospitals, cloud hosting of medical data may be inadmissible under Art. 27 para. 4 of the Bavarian Hospital Act (BayKrG); see the joint guidelines of the BayLDA and BayLfD on processing on behalf of a controller (Auftragsverarbeitung).

Email Security

Email traffic poses great security risks and is often the starting point of a successful attack. Organization-wide rules for email traffic help counter these risks in good time.

+ Display emails in “plain text format” to make manipulated links visible
+ Use of a security component that checks links in emails before they are opened
+ Checking incoming emails with anti-malware protection
+ Block dangerous attachments (e.g., .exe, .doc, .cmd)
+ Inform employees about the dangers of encrypted email attachments (e.g., password-protected zip files), which mail filters cannot scan
+ Train employees to recognize counterfeit emails (e.g., by sender addresses, anomalies, embedded links)
+ Regularly inform employees about current email attack variants (e.g., Emotet, CEO fraud), e.g., once a year
+ Deactivate blanket forwarding rules in cloud-hosted mail
+ Use of cryptographically signed emails (e.g., with S/MIME) for internal communication, so that fake “internal” emails sent as part of an attack can be recognized and checked
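Two of the items above (visible link targets, attachment blocking) are mechanical checks that a mail gateway or a help-desk triage script can perform. The PowerShell below is an added example, not code from the paper or from any named product: `Find-SuspiciousLink` flags anchors whose visible text names one host while the `href` leads to another, plus script/data URIs and punycode hosts, which is exactly what plain-text display exposes; `Test-BlockedAttachment` applies a block list that also catches double extensions such as `report.pdf.exe`. The sample message and the block list are constructed; the host names use the reserved `.example` and `.test` domains.

```powershell
# Added example: link and attachment checks behind the email checklist items.

function Get-HostFromText {
    param([string]$Text)
    $s = $Text.Trim()
    if ($s -notmatch '^[a-z][a-z0-9+.-]*://') { $s = "https://$s" }   # bare host names
    $uri = $null
    if ([System.Uri]::TryCreate($s, [System.UriKind]::Absolute, [ref]$uri)) {
        return $uri.Host.ToLowerInvariant()
    }
    return $null
}

function Find-SuspiciousLink {
    param([string]$HtmlBody)
    $anchor = '<a\s+[^>]*href\s*=\s*["'']([^"'']+)["''][^>]*>(.*?)</a>'
    foreach ($m in [regex]::Matches($HtmlBody, $anchor, 'IgnoreCase, Singleline')) {
        $href = $m.Groups[1].Value.Trim()
        $text = ($m.Groups[2].Value -replace '<[^>]+>', '').Trim()   # strip nested tags
        $hrefHost = Get-HostFromText $href
        $reasons = @()
        if ($href -match '^(javascript|data):') { $reasons += 'script or data URI' }
        if ($hrefHost -and $hrefHost -match '(^|\.)xn--') { $reasons += "punycode host $hrefHost" }
        # If the visible text itself looks like a URL or host name, it must lead there.
        if ($text -match '^(https?://)?[a-z0-9-]+(\.[a-z0-9-]+)+(/|$)') {
            $textHost = Get-HostFromText $text
            if ($textHost -and $hrefHost -and $textHost -ne $hrefHost) {
                $reasons += "text shows $textHost, link goes to $hrefHost"
            }
        }
        [pscustomobject]@{
            Text       = $text
            Href       = $href
            Suspicious = ($reasons.Count -gt 0)
            Reason     = ($reasons -join '; ')
        }
    }
}

# Block list (constructed): the paper's examples plus common script carriers.
$BlockedExtensions = @('.exe', '.cmd', '.bat', '.scr', '.js', '.vbs', '.hta', '.ps1', '.doc', '.xls')

function Test-BlockedAttachment {
    param([string]$FileName)
    $parts = $FileName.ToLowerInvariant().Split('.')
    if ($parts.Count -lt 2) { return $false }
    # Examine every extension segment so "report.pdf.exe" and "invoice.exe.pdf" are both caught.
    foreach ($ext in ($parts | Select-Object -Skip 1)) {
        if ($BlockedExtensions -contains ".$ext") { return $true }
    }
    return $false
}

# Constructed sample message: one spoofed link, one honest link, one punycode host.
$SampleHtml = @'
<p>Confirm your lab portal access: <a href="http://portal.klinik.example.attacker.test/login">https://portal.klinik.example/login</a></p>
<p>Our site: <a href="https://www.klinik.example">www.klinik.example</a></p>
<p><a href="https://xn--klnik-0ra.example/reset">Reset your password</a></p>
'@

Find-SuspiciousLink $SampleHtml | Format-Table -AutoSize
'results.pdf', 'results.pdf.exe', 'invoice.doc' | ForEach-Object {
    [pscustomobject]@{ File = $_; Blocked = Test-BlockedAttachment $_ }
}
```

The host comparison is deliberately strict (exact match after lowercasing): a link whose text shows `portal.klinik.example` but whose target is a subdomain of an unrelated registrable domain is the classic lure, and the password-protected archives mentioned in the list pass the attachment check unchanged because their contents cannot be inspected, which is why the paper asks for employee awareness rather than a filter there.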

Note: For laboratories and other medical facilities in Bavarian hospitals, cloud hosting of medical data may be inadmissible under Art. 27 para. 4 of the Bavarian Hospital Act (BayKrG); see the joint guidelines of the BayLDA and BayLfD on processing on behalf of a controller (Auftragsverarbeitung).

Backups

Failure of data carriers, whether due to malfunction or cyberattack, can cause lasting damage and lead to the total failure of an organization. Regular backups of important data are therefore a prerequisite for surviving an IT failure with as little harm as possible. Note that, depending on their design, Trojans can also reach and encrypt backups.

+ Existence of a written backup concept
+ Backups according to the 3-2-1 rule: 3 copies of the data, on 2 different backup media (including “offline” media such as tape backups), with 1 copy at an external location
+ Appropriate physical storage of backup media (e.g., safe, separate fire compartments, protection against water damage, …)
+ Regular check that at least one backup is performed daily
+ Regular tests of the backup process, including recovery, with all relevant data
+ At least one backup system that cannot be encrypted by malicious code (e.g., a special backup procedure such as disconnecting the backup system or air-gapping it (offline) after the backup process is complete)
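The 3-2-1 rule, the daily-completion check and the “cannot be encrypted” requirement can be evaluated together from a backup inventory. The PowerShell below is an added example and not from the paper; `Test-BackupPolicy` takes one row per copy of each data set and reports which data sets satisfy all conditions. The inventory is constructed (data set names, media types and timestamps are illustrative); in practice it would be built from the backup software’s job history or from the last-write times of the backup sets. The example generalizes the list slightly by treating an immutable copy (WORM tape, object lock) as equivalent to an offline one for the encryption check.

```powershell
# Added example: 3-2-1 and freshness check over a constructed backup inventory.

function Test-BackupPolicy {
    param(
        [Parameter(Mandatory)] [object[]] $Copies,      # one row per copy of a data set
        [datetime] $Now = (Get-Date),
        [int] $MaxAgeHours = 24                          # "at least one backup per day"
    )
    foreach ($group in ($Copies | Group-Object -Property DataSet)) {
        $c = @($group.Group)
        $fresh   = @($c | Where-Object { ($Now - $_.LastCompleted).TotalHours -le $MaxAgeHours })
        $media   = @($c | Select-Object -ExpandProperty MediaType -Unique)
        $offsite = @($c | Where-Object { $_.Offsite })
        # A copy that is offline (tape ejected, rotated disk) or immutable (WORM, object lock)
        # cannot be overwritten or encrypted from a compromised production network.
        $safe    = @($c | Where-Object { $_.Offline -or $_.Immutable })
        $ok = ($c.Count -ge 3 -and $media.Count -ge 2 -and $offsite.Count -ge 1 -and $fresh.Count -ge 1 -and $safe.Count -ge 1)
        [pscustomobject]@{
            DataSet            = $group.Name
            Copies             = $c.Count
            MediaTypes         = $media.Count
            Offsite            = $offsite.Count
            FreshWithin24h     = $fresh.Count
            OfflineOrImmutable = $safe.Count
            Compliant          = $ok
        }
    }
}

# Constructed inventory: the lab information system is covered correctly, the file
# share has two online copies on the same NAS and its last run is three days old.
$Now = Get-Date '2020-05-27 08:00'
$Inventory = @(
    [pscustomobject]@{ DataSet = 'LIS-DB';    MediaType = 'Disk'; Offsite = $false; Offline = $false; Immutable = $false; LastCompleted = $Now.AddHours(-6) }
    [pscustomobject]@{ DataSet = 'LIS-DB';    MediaType = 'Tape'; Offsite = $false; Offline = $true;  Immutable = $false; LastCompleted = $Now.AddHours(-10) }
    [pscustomobject]@{ DataSet = 'LIS-DB';    MediaType = 'Tape'; Offsite = $true;  Offline = $true;  Immutable = $false; LastCompleted = $Now.AddDays(-1) }
    [pscustomobject]@{ DataSet = 'Fileshare'; MediaType = 'Disk'; Offsite = $false; Offline = $false; Immutable = $false; LastCompleted = $Now.AddDays(-3) }
    [pscustomobject]@{ DataSet = 'Fileshare'; MediaType = 'Disk'; Offsite = $false; Offline = $false; Immutable = $false; LastCompleted = $Now.AddDays(-3) }
)

Test-BackupPolicy -Copies $Inventory -Now $Now | Format-Table -AutoSize
```

A compliant row only shows that copies exist where the rule says they should; it does not replace the recovery tests listed above, which are the only way to learn whether the copies can actually be restored.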

Home Office

When employees move their work into their own homes, completely new security problems arise that can serve as a gateway for far-reaching cyberattacks. Connecting employees who work from home must therefore be well thought out and designed securely.

+ Overview of employees who have the option of working from home
+ Overview of employees who currently work from home
+ Overview of employees’ devices used at home
+ Guaranteed reachability of employees working from home through several communication channels in the event of an attack (e.g., falling back to the telephone)
+ Hard disk encryption of mobile devices using strong cryptography (e.g., AES 256 bit); see also the joint guidelines of the BayLDA and BayLfD on processing on behalf of a controller
+ Securing home office access to the organization’s network with VPN connections and two-factor authentication
+ Rules for the use of private devices in exceptional cases (e.g., only connections to terminal servers)
+ If necessary, container solutions to separate business and private areas
+ Guidance on the use of video conferencing
+ Rules for taking away and disposing of sensitive paper documents (e.g., security concepts, policies, network plans, …)

External Access Option for Laboratory Results

Online retrieval of laboratory results by submitters, e.g., through a website, creates a new attack surface because it is reachable from the Internet, and can therefore become the target of hacker attacks. Extensive protection measures are therefore required.

+ Appropriate transport security for access (e.g., current TLS versions; the paper says SSL, all versions of which are deprecated)
+ Secure and separate access credentials for each submitter of the retrieved data
+ Regular updates of the software used, in particular the speedy closing of known vulnerabilities
+ Complete logging of access
+ Regular review of the logs
+ Security-related separation of the access pages from internal IT systems
+ Regular (automatic) deletion of the provided data after retrieval by the submitters
+ Regular penetration tests

Remote Maintenance

Remote access to a system creates new attack targets. When dealing with service providers who connect to systems via remote maintenance, well-established security processes are particularly important in operation.

+ Limitation of remote maintenance access to the specific system to be maintained instead of complete network segments, if necessary additionally secured by a so-called “jump server”
+ Activation of remote maintenance access only for specific purposes and for a limited duration
+ Deactivation of file transfers, if not required for remote maintenance
+ Complete logging of remote maintenance access
+ Regular review of the remote maintenance logs
+ Cryptographically appropriate protection of the remote maintenance access (e.g., VPN, TLS)
+ Blocking or removal of remote maintenance access upon termination of a service contract
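The first four items above (single system, limited purpose and duration, logging) map onto one concrete procedure on a Windows host. The PowerShell below is an added example and not from the paper: `Open-MaintenanceWindow` creates an inbound Windows Firewall rule that admits only the vendor’s jump host to only the maintained port, enables it, schedules its automatic re-disable when the agreed window ends, and writes an audit line; `Close-MaintenanceWindow` ends the window early. The addresses, ticket reference and log path are constructed (198.51.100.0/24 is a documentation range), and the script assumes it runs elevated on the system being maintained.

```powershell
# Added example: time-boxed, host-scoped remote maintenance access on Windows.

function Open-MaintenanceWindow {
    param(
        [Parameter(Mandatory)] [string]$VendorJumpHost,   # e.g. '198.51.100.20' (constructed)
        [Parameter(Mandatory)] [int]$Port,                # e.g. 3389 for RDP, 5900 for VNC
        [Parameter(Mandatory)] [string]$Ticket,           # change/ticket reference for the log
        [int]$Hours = 2
    )
    $name = "Remote maintenance $Ticket"
    $rule = Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue
    if (-not $rule) {
        # Scoped to one remote address and one local port; created disabled.
        $rule = New-NetFirewallRule -DisplayName $name -Direction Inbound -Action Allow -Protocol TCP -LocalPort $Port -RemoteAddress $VendorJumpHost -Profile Any -Enabled False
    }
    $end = (Get-Date).AddHours($Hours)
    Enable-NetFirewallRule -DisplayName $name

    # A scheduled task closes the window even if the administrator forgets.
    $action  = New-ScheduledTaskAction -Execute 'powershell.exe' -Argument "-NoProfile -Command Disable-NetFirewallRule -DisplayName '$name'"
    $trigger = New-ScheduledTaskTrigger -Once -At $end
    Register-ScheduledTask -TaskName "Close $name" -Action $action -Trigger $trigger -User 'SYSTEM' -RunLevel Highest -Force | Out-Null

    # Audit trail for the "complete logging" item. The sessions themselves are recorded by
    # Windows Firewall logging of allowed connections (Set-NetFirewallProfile -LogAllowed True).
    "$(Get-Date -Format s) OPEN  $name port=$Port from=$VendorJumpHost until=$($end.ToString('s'))" | Add-Content -Path "$env:ProgramData\maintenance-access.log"
    return $rule
}

function Close-MaintenanceWindow {
    param([Parameter(Mandatory)] [string]$Ticket)
    $name = "Remote maintenance $Ticket"
    Disable-NetFirewallRule -DisplayName $name
    Unregister-ScheduledTask -TaskName "Close $name" -Confirm:$false -ErrorAction SilentlyContinue
    "$(Get-Date -Format s) CLOSE $name" | Add-Content -Path "$env:ProgramData\maintenance-access.log"
}

# Usage (constructed values):
# Open-MaintenanceWindow -VendorJumpHost '198.51.100.20' -Port 3389 -Ticket 'CHG-1234' -Hours 2
# Close-MaintenanceWindow -Ticket 'CHG-1234'
```

Removing the rule entirely when a service contract ends (the last item in the list) is a `Remove-NetFirewallRule -DisplayName` on the same name; the host-level rule complements, and does not replace, the segment-level restriction on the perimeter firewall or jump server.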

Administrators

Cybercriminals have an easy time once they gain possession of privileged user accounts. Even though the role of administrators, with their far-reaching permissions, is particularly important in emergencies, administrator accounts should be used only in a targeted manner.

+ Non-privileged standard accounts, also for administrators, for all work outside administrative activities
+ Rule that no web browsing and no reading or sending of email is done with administrator rights
+ Very strong passwords for local admin accounts (e.g., min. 16 characters, complex, without common word components, and different on each PC)
+ Consistent use of two-factor authentication wherever applications support it, especially for administrators
+ No dependency of the entire organization on individual employees with administrator IDs
+ Ensure that in the event of an absence (e.g., illness), the organization’s ability to operate is maintained by several IT administration employees
+ Appointment of an information security officer, or of a person responsible for information security, with clearly defined responsibilities

Emergency Concept

The availability of important medical devices, communication programs, and basic data is essential for smooth daily operation. An emergency concept is therefore essential for being prepared in the event of a failure.

+ Existence of an emergency concept that is actually available to the relevant groups of people in paper form
+ Regular review of whether the emergency concept is current, with adjustment if necessary
+ Enabling operations to be resumed through process steps planned and tested in advance in the emergency plan
+ Availability of emergency reserve hardware to compensate for failures (e.g., retired devices, replacement purchases)
+ Rapid provision of an alternative infrastructure (e.g., external servers, mobile communication, emergency email addresses)
+ Existence of a well-structured and up-to-date network plan
+ Informing employees about the internal contact person(s) in the event of security incidents
+ Ensuring the reachability of the internal contact person(s) for security incidents
+ Listing of the relevant competent authorities and reporting obligations in the emergency plan
+ Secure storage of central administration credentials (e.g., in a safe) and a defined way to access them in an emergency

Network Separation

Once attackers are inside your internal network, they scan, among other things, for data, connected devices, and ways of spreading. If the internal IT networks, e.g., for the medical area, for administration, and for Internet access, are strictly separated from one another by network components, the impact of an attack is minimized.

+ Restrictive (physical) separation of medical networks from administrative networks (using firewall systems)
+ Operation of servers accessible from the Internet in a demilitarized zone (DMZ) (e.g., email server, web server, VPN endpoints)
+ Regulated process for the correct configuration of the firewalls and regular reviews of it (e.g., whether each permitted connection is still needed)
+ Logging at firewall level so that unauthorized access between the networks can be detected, analyzed, and closed
+ Automatic notification of IT administration if unauthorized processing is suspected

Firewall

Attempts to access your own organization from the outside are unavoidable. It is important to block them as well as possible with a firewall ruleset that includes logging, in order to identify dangers and to design security measures as required.

+ Isolation of all internal servers, PCs, and internally networked medical devices from the Internet by a firewall
+ “Air gap”, i.e., complete separation from the network, should be implemented for critical systems where possible
+ Regular review of the correct firewall configuration (e.g., port scans of the organization’s own IP addresses from outside, and periodic penetration tests)
+ Use of adequately qualified personnel/service providers to configure the firewall
+ Monitoring to identify access attempts
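The external port scan mentioned in the review item only becomes a check when its result is compared with what is supposed to be exposed. The PowerShell below is an added example and not from the paper: it parses nmap “grepable” output (produced from outside the perimeter with `nmap -oG scan.gnmap -p- <own addresses>`) and reports every open port that is not on a per-host exposure allowlist, so an RDP or VNC listener that slipped through the ruleset shows up as a finding. The scan text, the hosts and the allowlist are constructed; 203.0.113.0/24 is a documentation range.

```powershell
# Added example: compare an external nmap scan against the intended exposure.

# Constructed allowlist: what the perimeter is supposed to expose, per public address.
$Allowed = @{
    '203.0.113.10' = @(443)        # lab results portal (HTTPS only)
    '203.0.113.11' = @(25, 443)    # mail gateway in the DMZ
    '203.0.113.12' = @(443)        # VPN endpoint (TLS)
}

function ConvertFrom-GrepableNmap {
    param([string]$Text)
    foreach ($line in ($Text -split "`r?`n")) {
        # Only "Ports:" lines carry results; status and comment lines are skipped.
        if ($line -notmatch '^Host:\s+(\S+)\s+\([^)]*\)\s+Ports:\s+(.*?)(\s+Ignored State:.*)?$') { continue }
        $ip = $Matches[1]
        foreach ($entry in ($Matches[2] -split ',\s*')) {
            # nmap -oG field layout: port/state/protocol/owner/service/rpc/version/
            $f = $entry.Trim() -split '/'
            if ($f[1] -eq 'open') {
                [pscustomobject]@{ Host = $ip; Port = [int]$f[0]; Protocol = $f[2]; Service = $f[4] }
            }
        }
    }
}

function Test-PerimeterExposure {
    param([string]$ScanText, [hashtable]$Allowlist)
    foreach ($p in ConvertFrom-GrepableNmap $ScanText) {
        $expected = $Allowlist[$p.Host]
        $ok = $expected -and ($expected -contains $p.Port)
        [pscustomobject]@{
            Host    = $p.Host
            Port    = $p.Port
            Service = $p.Service
            Verdict = $(if ($ok) { 'expected' } elseif ($expected) { 'UNEXPECTED open port' } else { 'UNEXPECTED host reachable' })
        }
    }
}

# Constructed scan output: RDP exposed on the portal host, an unknown host answering on VNC.
$SampleScan = @'
# Nmap scan (constructed sample)
Host: 203.0.113.10 ()  Status: Up
Host: 203.0.113.10 ()  Ports: 443/open/tcp//https///, 3389/open/tcp//ms-wbt-server///  Ignored State: filtered (65533)
Host: 203.0.113.11 ()  Ports: 25/open/tcp//smtp///, 443/open/tcp//https///, 80/closed/tcp//http///  Ignored State: filtered (65532)
Host: 203.0.113.13 ()  Ports: 5900/open/tcp//vnc///  Ignored State: filtered (65534)
'@

Test-PerimeterExposure -ScanText $SampleScan -Allowlist $Allowed | Format-Table -AutoSize
```

Run the scan from a network the firewall treats as untrusted (a cloud host or a scanning service), not from inside, and keep the allowlist under change control so that a new “expected” entry is a documented decision rather than a scan result that was copied over.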

Data Protection Officer (DPO; German: DSB)

Poor security structures in an organization can endanger operations. It is therefore important to use existing skills and to involve not only IT managers but also the DPO in the integration and implementation of security issues.

+ Consistent involvement of the DPO in security issues
+ Sufficient professional qualification of the DPO for security-related questions, and opportunities for training on this topic
+ Regular audits by the DPO under Art. 32 GDPR on the security of processing
+ Knowledge of the responsible data protection supervisory authority
+ Knowledge of the reporting obligations under Art. 33 and 34 GDPR (personal data breaches)
+ Management support for cooperation between the DPO and the Information Security Officer (ISO; German: ISB) (note: when selecting and implementing the technical and organizational measures under Art. 32 GDPR, the DPO and the ISO can create synergies)

Social Engineering

Criminals use social engineering attacks to obtain important information for subsequent cyberattacks. It is therefore important that the “human factor” in security is explained appropriately to everyone in training.

+ Regular training of employees on current issues and the most frequent cyberattacks (e.g., once a year)
+ Consistent instruction of new employees in the proper handling of IT components and in how to behave during social engineering attacks
+ Raising awareness of IT risks among new employees before they start processing data (e.g., also temporary workers)
+ Presentation of how social engineering attacks unfold, to raise employee awareness (e.g., the possibility of spoofing telephone numbers)
+ Informing employees about reporting channels (e.g., to the ISO or DPO) and responsibilities

Original Post

+ www.lda.bayern.de/best_practice_medizin
+ www.datenschutz-bayern.de/best_practice_medizin

Publishers

+ The Bavarian State Commissioner for Data Protection – www.datenschutz-bayern.de
+ Bavarian State Office for Data Protection Supervision – www.lda.bayern.de

*Original content translated via machine translation (Google) and ComplexDiscovery review.

About HaystackID

HaystackID is a specialized eDiscovery services firm that helps corporations and law firms find, listen to, and learn from data when they face complex, data-intensive investigations and litigation. With an earned reputation for mobilizing industry-leading computer forensics, eDiscovery, and attorney document review experts, our Forensics First, Early Case Insight, and ReviewRight services accelerate and deliver quality outcomes at a fair and predictable price.

HaystackID serves more than 500 of the world’s leading corporations and law firms from North American and European locations. Our combination of expertise and technical excellence, coupled with a culture of white glove customer service, makes us the alternative legal services provider that is big enough to matter but small enough to care. Learn more today at HaystackID.com.

Additional Reading

The Right Choice for Secure Remote Review? Considerations and Qualifications
Certifications: An Indicator of eDiscovery Excellence

Source: HaystackID