Taking On A Security DilemmaBy Larry Barrett | Posted 2005-05-04 Email Print
The distributor wanted to make sure flu vaccines reached only the pharmacies and clinics that ordered them. So it raised the security on drugs it distributed.
Taking On A Security Dilemma
Work on FFF Enterprises' system started long before the FDA and California decided to mandate systems-based tracking of drugs. But rolling out a system with details such as the numbers on each package of albumin and the names and addresses of individual patients meant that even more security was needed for the company's Web-based transactional system.
Here's how the system works: Once a doctor, pharmacist or other customer receives a shipment of vaccines or plasma products, he or she logs on to the application through any Web browser and enters the lot number. If there's a match in the FFF database, the customer can determine where and when the product was manufactured, when it arrived at FFF, and where and when it was destined.
"At any point in the process, we can tell a customer or a manufacturer where that product has been," Coates says.
In the event of a recall, health-care providers and manufacturers can quickly track down either the source of the contamination or the location of the contaminated products.
Having this elaborate tracking system in place may satisfy the FDA and state regulators, but it also creates an information-systems dilemma. Being the first adopter of anything puts a bull's-eye on your network.
"This is highly sensitive data that a lot of people have [tried], and continue to try, to get at," Coates says. "We needed a way to secure our entire network to protect both our manufacturers and customers."
According to the World Health Organization, counterfeit and diverted pharmaceutical products—everything from Viagra to Tylenol—costs the industry in excess of $20 billion a year.
But the real problem, according to Coates and others in the industry, resides in the confidence that physicians and, ultimately, patients have in the quality and safety of the products.
"Patient safety is the priority," Coates says. "The other [business] stuff is important but that's secondary."
Once FFF committed to the tracking system in 2003, Coates and his team knew the basic firewall software they were using wasn't going to cut it anymore.
In March, the company began installing the SecureSphere Dynamic Profiling Firewall software from Imperva. By the time it was ready to announce the VEP system in June, the SecureSphere implementation was complete. Coates declines to disclose how much the company spent on the VEP system or the SecureSphere implementation.
Imperva, founded by Shlomo Kramer, who also started Check Point Software Technologies, makes what it calls second-generation firewalls.
Unlike traditional firewalls, which are essentially physical gateways that limit access between networks, this second-stage firewall learns how an organization's applications work by observing the network traffic and applications.
"The challenge is that you need to move from the infrastructure world, a very simple world that a basic firewall is suited for, to the application world where there are tens of thousands or millions of elements," Kramer says. "[Web addresses, database] queries and cookies are all very dynamic and change every week. You can't use manual configuration and static policy approaches."
The SecureSphere firewall resides between the traditional firewalls and virtual private networks, and the application and Web servers. Internal groups and users also must pass through the SecureSphere firewall, limiting the possibility of employees either intentionally or accidentally accessing data that's supposed to be off limits.
SecureSphere learns the structure of the applications being used. In FFF Enterprises' case, it would determine how customers access the Web site to place orders and verify the pedigree of the drugs they've received. It builds a profile of what areas of information are accessed legitimately and notices any new or unusual database inquiries that are made.
One of the most daunting challenges facing Coates and other information-technology managers is protecting networks from coding errors made by programmers who developed the applications they use, creating a buffer overflow.
A buffer overflow occurs when a program tries to store more data in a temporary storage area than it was intended to hold. Since these temporary storage areas are created to store a finite amount of data, the extra information overflows into adjacent buffers and overwrites the valid data that was originally programmed. This extra data may contain codes that can erase valid data or change the data or disclose confidential information.
Intruders are notorious for using buffer overflows to access critical data and, in some cases, initiate commands within the server.
"SecureSphere is basically a memory firewall," says Jim Slaby, an analyst at Boston-based Yankee Group. "The attacks are embedded in what looks like normal traffic that a normal firewall wouldn't detect. SecureSphere notices these variations and immediately denies access to the server."
Once SecureSphere was installed, Coates and his team were surprised to see how often the system was being attacked. In the first week of March alone the system detected three separate attacks.
"You can't overstate how serious security is for these companies," Slaby says. "These products are needed to keep people alive, and the bad guys might want to redirect them for nefarious purposes. People want to get their hands on the pharmaceuticals so they can either steal them or resell them. Sometimes, it's just a disgruntled former employee who would love nothing more than to take down the company's servers."
When the firewall detects an attack, it immediately denies access to the Internet Protocol (IP) address querying the server and sends e-mail to FFF's network administrator. The alert tells the network administrator the time of the attack, the type of attack and the source IP address.
Had Palm Beach County, Fla., installed this second-level firewall, it likely would have prevented the employee who accidentally attached the list of AIDS and HIV patients to his e-mail from distributing it; SecureSphere would have blocked access to this sensitive data before the file was even opened.
About 10 minutes after the e-mail was sent, the worker realized he had goofed. By then, 15 co-workers had opened the file. None of the recipients who opened the file forwarded or copied any of the information, says Tim O'Connor, a spokesman for the Palm Beach County Health Department.
O'Connor says that along with investigating this incident, the department is reviewing its information system and looking for new software to provide an electronic barrier that prevents sensitive information from being accessed, intentionally or not.
"The bottom line is, we need multiple levels of security in the future," O'Connor says. "We're going to look at all of our systems as well as re-evaluate some of our personnel."
But for Coates, the threat of intentional or accidental corruption of the FFF system no longer keeps him awake at night.
"My view is that as long as they're not hacking into my system, I don't care where they go," Coates says. "I just know that I have peace of mind."
Source: Drug Enforcement Administration, March 2003