Protecting HIPAA-Compliant Online Forms

THE SITUATION

As a cloud-based client management software service provider serving the healthcare sector, storing and protecting Protected Health Information (PHI) is an ongoing concern, and HIPAA compliance is mandatory. Part of that compliance is having skilled people configure and operate tools that alert on, defend against and log system activity.

The provider purchased a Web Application Firewall (WAF) and, with the vendor's assistance, deployed it. After launch, the platform was handed over to the operations team. Within one week the helpdesk was receiving calls from physicians whose legitimate form uploads were being blocked. Investigation confirmed that the WAF was blocking this traffic by mistake (false positives), so the WAF was moved into alerting-only mode until the correct tuning could be determined.

After months of effort and intensive training, false positives were still being observed and the WAF still could not be moved into protection mode. The company began a search for external assistance; a range of cloud WAF vendors, system integrators, and RedShield were considered.

A key HIPAA requirement was that no third-party system would store or have access to customer PHI, including the contents of a blocked request in the event of a false positive. System integrators proposed staff on a time-and-materials basis. Cloud WAF vendors offered solutions in which unskilled customer operators could "use a slider approach to easily tune out false positives", which in practice trades false positives for false negatives: some categories of threat are simply no longer blocked.

OUR SOLUTION

RedShield presented several shielding options, including both private and shared cloud nodes with masked and chained SIEMs for logging, delivered as a managed service. During the proof of concept, RedShield reviewed the security audit report and found that the web form itself was not vulnerable to standard injection attacks; blocking injection-shaped input to it, which was the source of the false positives, made the form no more secure.

Turning to the areas that mattered, RedShield offered three options to meet the HIPAA / PHI requirements:

• Masking of sensitive data at the RedShield node, before anything is sent to the RedShield SIEM. The trade-off is that when a block turns out to be a false positive, the blocked request cannot be recovered, because its PHI was never stored.
• Normal (unmasked) logging from the RedShield node to a customer-operated SIEM, then masking from the customer SIEM to the RedShield SIEM. The customer can recover a blocked request from its own SIEM after a false positive, at the cost of procuring and managing that SIEM.
• A minimum-false-positive deployment logging normally to the RedShield SIEM, with a monthly data purge process layered on top to limit how long PHI is retained. RedShield also proposed business-logic transformation shields to address logic flaws in the application itself, including idle timeout and parameter tampering.
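As an added illustration of the first two logging options (this is example code, not RedShield's code or its log format), the Python below masks PHI-bearing form fields in a WAF block event at the node so the vendor SIEM never sees them, or alternatively keeps the raw event in the customer's own SIEM and forwards only the masked copy; a retention purge matching the third option is included. The event shape, the field names and the list of PHI-bearing parameters are assumptions chosen for the example, and the sample event is constructed.

```python
"""Mask PHI in WAF block events before they leave the customer's control.

Added example, not RedShield's code. The event layout, field names and
PHI_FIELDS are assumptions; SAMPLE_EVENT is a constructed log event.
"""
import copy
import re
from datetime import datetime, timedelta, timezone

# Form parameters assumed to carry PHI in a hypothetical patient-intake form.
PHI_FIELDS = {"patient_name", "dob", "ssn", "diagnosis", "notes"}

# Defence in depth: an SSN-shaped token in a field not on the list is still PHI.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")

# Constructed WAF block event (sample input, not a real log line).
SAMPLE_EVENT = {
    "ts": "2020-05-01T10:15:00Z",
    "action": "block",
    "rule": "generic SQL injection signature",
    "src_ip": "203.0.113.7",
    "path": "/intake/submit",
    "params": {
        "patient_name": "Jane Doe",
        "dob": "1970-01-01",
        "ssn": "123-45-6789",
        "diagnosis": "hypertension",
        "notes": "O'Brien reports 1=1 on the chart",   # the text that tripped the rule
        "form_id": "intake-42",                         # not PHI, useful for triage
        "comment": "call back re 987-65-4321",          # free text leaking an SSN
    },
}


def mask_value(value):
    """Replace a PHI value but keep its length, so an analyst triaging a
    false positive can still tell a short field from a multi-kilobyte one."""
    return f"<redacted len={len(value)}>"


def mask_event(event, phi_fields=PHI_FIELDS):
    """Return a masked deep copy; the original event is left untouched.
    Field names, rule name, path and source IP survive for tuning work."""
    masked = copy.deepcopy(event)
    for name, value in masked["params"].items():
        if name in phi_fields:
            masked["params"][name] = mask_value(value)
        elif isinstance(value, str) and SSN_RE.search(value):
            masked["params"][name] = SSN_RE.sub("<redacted ssn>", value)
    return masked


def route_event(event, customer_siem, vendor_siem):
    """Option 2: the raw event stays in the customer SIEM (recoverable after a
    false positive); only the masked copy is forwarded to the vendor SIEM.
    Both sinks are plain lists here, standing in for SIEM ingestion."""
    customer_siem.append(copy.deepcopy(event))
    vendor_siem.append(mask_event(event))


def parse_ts(ts):
    """Parse the event timestamp format assumed above as UTC."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def purge_expired(events, now, max_age_days=30):
    """Option 3: keep only events younger than max_age_days (monthly purge)."""
    cutoff = now - timedelta(days=max_age_days)
    return [e for e in events if parse_ts(e["ts"]) >= cutoff]


if __name__ == "__main__":
    customer, vendor = [], []
    route_event(SAMPLE_EVENT, customer, vendor)
    print("customer SIEM keeps:", customer[0]["params"]["ssn"])
    print("vendor SIEM gets:   ", vendor[0]["params"]["ssn"])
    print("free text:          ", vendor[0]["params"]["comment"])
```

Note what the masked copy deliberately keeps: the rule name, the path, the parameter names and the value lengths are enough to decide whether a block was a false positive and which signature to tune, while nothing that identifies a patient leaves the customer's environment. This is also why option 1 is irreversible: once only the masked copy exists, the blocked upload is gone.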

“A couple of stubborn security issues came close to derailing our whole project. Being forced to upgrade the whole platform would have caused huge disruption, cost and delays, but appeared to be our only option. With RedShield we were able to address just those discovered issues and keep the project on track.”

THE RESULT

After a two-week trial, RedShield presented the results to the evaluation committee: zero false positives and a clean penetration test. Once it became clear that RedShield was also significantly more cost-effective than the other options, the decision was made to pilot RedShield in production.

Within days of the pilot starting, RedShield's standard reporting showed, alongside generic protocol violations and fair-use noncompliance, alerts for an attack targeting specific weaknesses in the application. Emergency change control was invoked and blocking was introduced ahead of schedule.

The pilot ran for a month and, with the false-positive count still at zero, the provider transitioned to the RedShield commercial service. HIPAA compliance with appropriate controls was achieved, the required skills and PHI data treatment were sourced pragmatically, and the application-specific logic flaws were addressed.

May 21, 2020