Covered entities and their business associates must conduct periodic HIPAA risk assessments (aka: HIPAA risk analysis) under the HIPAA Security Rule and Omnibus Final Rule. For eligible covered entities, a HIPAA risk assessment is also a core requirement of their Stage 1 and Stage 2 attestations for the EHR Meaningful Use Incentive Program.
Both HHS’ Office for Civil Rights (OCR) and the Centers for Medicare & Medicaid Services (CMS) have conducted hundreds of HIPAA audits over the past 18 months. OCR, the lead [ Read More ]
There are many HIPAA consultants, law firms, software companies, cloud service providers, and others who will happily provide you with a quote for a HIPAA security risk analysis. Neither the HIPAA Security Rule nor the respective references in Meaningful Use prescribe the exact form or format of a HIPAA Security Risk Analysis. So it is not surprising that so many enterprising professionals will offer their “version” of how a third-party firm can address this scope of work.
What is surprising [ Read More ]
Ethical hacking sounds like an oxymoron. If you are someone who is responsible for the confidentiality, integrity, and availability of data on your network, isn’t getting hacked the last thing you would want? Don’t worry! Ethical hacking projects (or assessments) don’t involve doing any damage to your network. Sometimes, though, the best way to understand exactly how a real hacker would attack your assets is to simulate a real-world attack. Think of the pain that Target and its customers might [ Read More ]
UPDATE January 12, 2014:
House of Representatives Passes Bill Requiring Additional Security Requirements on the Administration of HealthCare.gov
Last week, it was reported that House Majority Leader Eric Cantor (Rep – VA) intends to draft legislation early in 2014 that would strengthen the IT security requirements of the Obama Administration in regard to the HealthCare.gov website. With more than 2 million Americans now enrolled in health plans through HealthCare.gov, Cantor believes that a [ Read More ]
A recent interview with Dan Berger, President and CEO, Redspin Inc.
Q. You mention that there is “more focus on the EHR in stage 2”. What kinds of things do you think CMS is really looking for?
A. What I think has happened, in comparison to stage 1 where the onus was really basically on a provider using a certified EHR system in order to be even eligible for an incentive program, I think the onus has moved on to one step deeper in stage 2, and now they’re looking for, not so much that the [ Read More ]
All organizations regulated by HIPAA must now document and report security incidents. The path from investigation to notification begins with discovery and initial investigation of the security incident, followed by a determination as to whether there was a security breach and a subsequent privacy breach, followed by breach notification. Most simply: first the security investigation, next the privacy investigation and lastly breach notification. In a perfect world…
There are many ways that a [ Read More ]
Gordon Lyon, better known by his online alias of Fyodor and as the creator of the very popular (and awesome) tool Nmap has released the results of the Nmap 2010 User Survey which he performs every couple of years. The survey is filled out by members of the Nmap-Hackers mailing list, one of several mailing lists that Fyodor maintains which is made up of many smart minds in the security world. The 2010 survey had more than 3000 participants throw their vote in for the most popular security tools in [ Read More ]
At Redspin we are often asked to perform wireless security assessments for organizations that have recently deployed or upgraded their wireless infrastructure with top-of-the-line access points (APs), controllers and wireless intrusion detection systems (WIDS). Many deployments are to support inter-office mobility – a need that has gone from a rising tide to a tsunami in parallel with the mass adoption of mobile devices such as smart phones and Apple iPads. Virtually every CIO and CSO that I meet [ Read More ]
As required by section 13402(e)(4) of the HITECH Act, the HHS Secretary must post a list of breaches of protected health information (PHI) impacting 500 or more individuals. In the past 2 years, over 11.8 million Americans have been affected in nearly 330 separate incidents. This information is contained in a publicly searchable and downloadable database. Thus many organizations (including Redspin) have published “PHI breach reports” which summarize the data and offer conclusions based on [ Read More ]
I wasn’t the only one celebrating a birthday last week. It’s been exactly two years since the breach notification rule, mandated by the HITECH Act, took effect. Since then, 330 major health information breaches affecting 11.8 million individuals have been reported to the Department of Health and Human Services’ Office for Civil Rights (OCR). And while major breaches are those that impact the largest number of Americans (500 or more per incident), it is worth noting that another 30,500 smaller incidents [ Read More ]
Want a quick way to see what GPOs are applied to your local system, using only built-in utilities? Using the GUI to manually view what settings are applied is awkward and slow. Use the following commands to see what policies are being handed down to the system you’re on and what they’re enforcing. This info can be incredibly handy during a pentest in order to find out the limitations being imposed on a specific system you’ve compromised. It can also be very valuable during a vulnerability assessment [ Read More ]
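The excerpt above is cut off before the commands themselves. The following is an added example, not the original post's own commands, showing how the same thing can be done with the built-in `gpresult` and `secedit` tools from a PowerShell prompt on the compromised (or assessed) host. The RSoP XML element names used below (`Rsop`, `ComputerResults`, `UserResults`, `GPO`, `Link/SOMPath`, `FilterAllowed`) are an assumption based on gpresult output from Windows 7/2008 R2-era systems; check them against a fresh `gpresult /X` file if a field comes back empty. Computer-scope results require an elevated prompt.

```powershell
# Added example (not from the original post): list the GPOs applied to this host and
# user with built-in tools only (gpresult.exe, secedit.exe). No RSAT/GPMC needed.

# PowerShell's XML adapter returns a plain string for a leaf element without attributes
# and an XmlElement (text in '#text') when the element carries attributes such as xmlns.
function Get-XmlText($node) {
    if ($null -eq $node) { return $null }
    if ($node -is [string]) { return $node }
    return $node.'#text'
}

function Get-AppliedGpo {
    param([ValidateSet('Computer', 'User')][string]$Scope = 'Computer')

    $xmlPath = Join-Path $env:TEMP "rsop-$Scope.xml"
    # /X writes the Resultant Set of Policy as XML; /F overwrites an existing file.
    gpresult.exe /Scope $Scope /X $xmlPath /F | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "gpresult failed with exit code $LASTEXITCODE (computer scope needs elevation)" }

    [xml]$rsop = Get-Content -Path $xmlPath -Raw
    # Schema assumption: applied/denied GPOs live under ComputerResults or UserResults.
    $results = if ($Scope -eq 'Computer') { $rsop.Rsop.ComputerResults } else { $rsop.Rsop.UserResults }

    foreach ($gpo in $results.GPO) {
        [pscustomobject]@{
            Scope    = $Scope
            Name     = Get-XmlText $gpo.Name
            Guid     = Get-XmlText $gpo.Path.Identifier
            LinkedAt = Get-XmlText $gpo.Link.SOMPath        # OU / domain / site the GPO is linked to
            Enabled  = Get-XmlText $gpo.Enabled
            Applied  = Get-XmlText $gpo.FilterAllowed       # 'false' = filtered out by security/WMI filter
        }
    }
}

# The effective account/lockout policy (whatever GPOs or local policy produced it) can be
# dumped with secedit; the .inf it writes is ini-style, [System Access] holds the values.
function Get-EffectiveSecurityPolicy {
    $inf = Join-Path $env:TEMP 'secpol.inf'
    secedit.exe /export /cfg $inf /quiet | Out-Null
    if (-not (Test-Path $inf)) { throw 'secedit export failed' }

    $section  = ''
    $settings = @{}
    foreach ($line in Get-Content -Path $inf) {
        if ($line -match '^\[(.+)\]$') { $section = $Matches[1]; continue }
        if ($section -eq 'System Access' -and $line -match '^(\w+)\s*=\s*(.*)$') {
            $settings[$Matches[1]] = $Matches[2].Trim()
        }
    }
    # e.g. MinimumPasswordLength, LockoutBadCount, PasswordComplexity, PasswordHistorySize
    return $settings
}

Get-AppliedGpo -Scope Computer | Format-Table -AutoSize
Get-AppliedGpo -Scope User     | Format-Table -AutoSize
Get-EffectiveSecurityPolicy    | Format-Table -AutoSize
```

For a one-line summary without the XML, `gpresult /R` (or `gpresult /R /Scope User`) prints the applied and filtered-out GPO names directly; `gpresult /H report.html` gives the full settings in a browsable report. On a host you have compromised, `secedit /export` is the quicker way to learn the lockout threshold before you start any password guessing.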
I haven’t seen a Windows worm in the wild in a long time. The last time a major worm infestation took place was in 2003 in the days of Blaster which spread via an unpatched flaw in RPC. That same year was Slammer, and Code Red a few years before in 2001.
This new worm, code named ‘Morto’, has been seen in the wild and is accounting for a spike in RDP traffic on 3389/tcp as it spreads. Users are reporting infected systems on Microsoft’s TechNet site.
Morto appears to be a dumb worm and [ Read More ]
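Since the only observable the excerpt gives is a spike in outbound RDP traffic as the worm spreads, the practical check is to look for any single host opening 3389/tcp connections to many different neighbours in a short window. The following is an added example, not part of the original post, that runs that fan-out check over Windows Firewall log lines (`pfirewall.log`, W3C format with a `#Fields:` header); the sample lines are constructed for the example, and the threshold and window values are assumptions to tune for your environment.

```powershell
# Added example (not from the original post): flag hosts fanning out on 3389/tcp,
# the spreading pattern an RDP worm produces, from Windows Firewall log lines.
# The log excerpt below is constructed for this example (10.0.0.25 is the "worm").

$SampleLog = @'
#Version: 1.5
#Software: Microsoft Windows Firewall
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2011-08-29 09:15:01 ALLOW TCP 10.0.0.25 10.0.0.1 49152 3389 0 - 0 0 0 - - - SEND
2011-08-29 09:15:01 ALLOW TCP 10.0.0.25 10.0.0.2 49153 3389 0 - 0 0 0 - - - SEND
2011-08-29 09:15:02 ALLOW TCP 10.0.0.25 10.0.0.3 49154 3389 0 - 0 0 0 - - - SEND
2011-08-29 09:15:02 ALLOW TCP 10.0.0.25 10.0.0.4 49155 3389 0 - 0 0 0 - - - SEND
2011-08-29 09:15:03 ALLOW TCP 10.0.0.25 10.0.0.5 49156 3389 0 - 0 0 0 - - - SEND
2011-08-29 09:15:03 ALLOW TCP 10.0.0.25 10.0.0.6 49157 3389 0 - 0 0 0 - - - SEND
2011-08-29 09:15:03 ALLOW TCP 10.0.0.40 10.0.0.9 51000 443 0 - 0 0 0 - - - SEND
2011-08-29 09:20:10 ALLOW TCP 10.0.0.41 10.0.0.50 51001 3389 0 - 0 0 0 - - - SEND
2011-08-29 10:05:00 ALLOW TCP 10.0.0.41 10.0.0.51 51002 3389 0 - 0 0 0 - - - SEND
'@

function Find-RdpFanOut {
    param(
        [Parameter(Mandatory)][string[]]$Lines,
        [int]$Threshold     = 5,   # distinct 3389/tcp targets per window before alerting (assumed)
        [int]$WindowMinutes = 5    # sliding window length (assumed)
    )

    # Parse only TCP lines whose destination port is 3389; skip headers and blanks.
    $events = foreach ($l in $Lines) {
        if ([string]::IsNullOrWhiteSpace($l) -or $l.StartsWith('#')) { continue }
        $f = $l.Trim() -split '\s+'
        if ($f.Count -lt 8 -or $f[3] -ne 'TCP' -or $f[7] -ne '3389') { continue }
        [pscustomobject]@{
            Time = [datetime]::ParseExact("$($f[0]) $($f[1])", 'yyyy-MM-dd HH:mm:ss', $null)
            Src  = $f[4]
            Dst  = $f[5]
        }
    }

    $events | Group-Object -Property Src | ForEach-Object {
        $sorted = @($_.Group | Sort-Object -Property Time)
        # For each event, count distinct destinations hit within the window starting there.
        $peak = 0
        foreach ($e in $sorted) {
            $end = $e.Time.AddMinutes($WindowMinutes)
            $targets = @($sorted | Where-Object { $_.Time -ge $e.Time -and $_.Time -lt $end } |
                         ForEach-Object { $_.Dst } | Sort-Object -Unique)
            if ($targets.Count -gt $peak) { $peak = $targets.Count }
        }
        if ($peak -ge $Threshold) {
            [pscustomobject]@{ Source = $_.Name; DistinctRdpTargets = $peak; Window = "$WindowMinutes min" }
        }
    }
}

# Run against the constructed sample: 10.0.0.25 is flagged (6 targets in 2 seconds);
# 10.0.0.41 is not (2 targets, 45 minutes apart).
Find-RdpFanOut -Lines ($SampleLog -split "`r?`n") | Format-Table -AutoSize

# Against a real host with firewall logging enabled:
# Find-RdpFanOut -Lines (Get-Content "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log")
```

Windows Firewall logging is off by default; the same logic applies unchanged to any flow record with timestamp, source, destination and port columns (a perimeter firewall or NetFlow export), which is where you would normally run it to see the 3389/tcp spike across the whole network rather than one host.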
As security guys (and Linux/GNU fanboys), we tend to do absolutely everything possible via the command line. This is pretty easy in Linux/Unix OSes, but unfortunately we deal with a lot of Windows boxen in our line of work, where it is less than easy at times.
One common scenario we need to undertake is exporting all the GPOs in a certain domain or forest for later analysis. For a small place this isn’t a big deal as there may only be a half dozen or so GPOs applied, which equals out to several [ Read More ]
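The excerpt stops before the export itself. The following is an added example, not the original post's procedure, of a command-line export of every GPO in a domain using the GroupPolicy PowerShell module (installed with RSAT/GPMC), which is the usual way to get a complete set of reports and backups for offline review. The `LinksTo/SOMPath` element names read from the XML report are an assumption based on the report format of the GroupPolicy module; the output directory layout and the hypothetical domain name are example choices.

```powershell
# Added example (not from the original post): export all GPOs in a domain for offline
# analysis. Needs the GroupPolicy module (RSAT / GPMC) and read access to the GPOs.
Import-Module GroupPolicy

function Export-AllGpo {
    param(
        [Parameter(Mandatory)][string]$OutDir,
        [string]$Domain = $env:USERDNSDOMAIN   # defaults to the logon domain
    )

    $reports = Join-Path $OutDir 'reports'
    $backups = Join-Path $OutDir 'backups'
    New-Item -ItemType Directory -Path $reports, $backups -Force | Out-Null

    $gpos = Get-GPO -All -Domain $Domain

    # 1. One XML and one HTML settings report per GPO (XML is what you grep/parse later).
    foreach ($g in $gpos) {
        $safe = $g.DisplayName -replace '[\\/:*?"<>|]', '_'    # file-name-safe display name
        $base = Join-Path $reports "$safe-$($g.Id)"
        Get-GPOReport -Guid $g.Id -Domain $Domain -ReportType Xml  -Path "$base.xml"
        Get-GPOReport -Guid $g.Id -Domain $Domain -ReportType Html -Path "$base.html"
    }

    # 2. A full backup of every GPO (registry.pol, scripts, templates) in GUID-named
    #    folders; Import-GPO can restore them into a lab domain for closer inspection.
    Backup-GPO -All -Domain $Domain -Path $backups -Comment "Export $(Get-Date -Format s)" | Out-Null

    # 3. An inventory CSV for triage: where each GPO is linked, and which are disabled
    #    or unlinked (unlinked GPOs are often forgotten and worth a look).
    $inventory = foreach ($g in $gpos) {
        [xml]$x = Get-GPOReport -Guid $g.Id -Domain $Domain -ReportType Xml
        # Schema assumption: the report root <GPO> carries one <LinksTo> per link with <SOMPath>.
        $links = @($x.GPO.LinksTo | ForEach-Object { $_.SOMPath })
        [pscustomobject]@{
            Name      = $g.DisplayName
            Guid      = $g.Id
            Status    = $g.GpoStatus          # AllSettingsEnabled, UserSettingsDisabled, ...
            Modified  = $g.ModificationTime
            Links     = $links.Count
            LinkedTo  = $links -join '; '
            WmiFilter = $g.WmiFilter.Name
        }
    }
    $inventory | Export-Csv -NoTypeInformation -Path (Join-Path $OutDir 'gpo-inventory.csv')
    return $inventory
}

# Hypothetical domain and output path for illustration:
Export-AllGpo -Domain 'corp.example.com' -OutDir 'C:\assess\gpo-export' |
    Sort-Object -Property Links | Format-Table Name, Status, Links, LinkedTo -AutoSize
```

For a multi-domain forest, run the function once per domain (`Get-ADForest` lists them) rather than trying to enumerate across trusts in one call. Everything written to `OutDir` contains the settings pushed to every host in the domain, so treat the export with the same care as the domain controllers it came from.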
In July, the HHS’ Office for Civil Rights (OCR) announced that they had appointed consulting firm KPMG to conduct up to 150 HIPAA audits of covered entities and business associates by the end of 2012. The implementation of the audit program fulfills a compliance enforcement mandate of the 2009 HITECH Act.
The KPMG contract enables OCR to put “feet on the street,” while retaining an oversight role in the process. Sue McAndrew, OCR’s deputy director for health information privacy, confirms [ Read More ]
Today Apple released OS X 10.7 Lion, the latest version of their desktop and server OS. A number of new security features have been introduced with Lion which are very welcome, as well as a bunch of new usability tweaks and other generally cool things. I upgraded my i7 MacBook Pro to it a few hours ago and have a few quick observations:
It’s only available as a download via the App store. No going to the Apple store and picking up a DVD. Gotta download the whole 3.5 gig thing, which is going to [ Read More ]
The FFIEC (Federal Financial Institutions Examination Council), the banking interagency body that creates unified standards across the various regulatory agencies, recently issued new guidance on managing risks in user authentication for online transactions. The guidance is practical and has relevance for any industry in which sensitive transactions are conducted online. Categorically this applies to banks (of course) but also to healthcare organizations. As more and more electronic protected health [ Read More ]
Certain types of computer dysfunction are analogous to disease, at least in a descriptive sense. For example, we say that a PC can get “infected” by a computer “virus.” The recent rash of hacker attacks makes me wonder if we’re on the verge of a data breach “epidemic?”
True epidemics occur when new human cases of a certain disease substantially exceed what is expected over a period of time. Epidemic diseases need not be communicable; they occur when there are an accelerating number [ Read More ]
In a new and revised format, SANS along with MITRE has published the latest list of the highest risk software security vulnerabilities; the revision to the list is based on the CWE, CWSS and CWRAF security standards. The announcement leverages and highlights these new standards and collaboration efforts among the security community (including corporate, non-profit and government entities). As this announcement publicizes some new standards efforts that many of us will undoubtedly hear a lot about [ Read More ]
Over the weekend the Lulz Security guys called it quits. Their last release came on the 50th day since they started their escapades. It isn’t clear if they had intended from the start to only exist for 50 days, but after DDoSing cia.gov they had escalated their wanted status to critical and it was likely only a matter of time before they were going to be caught.
They leave in their wake a trail of destruction which includes some huge players such as Sony, Nintendo, PBS and others.
The business [ Read More ]
The New York Times reported this weekend on a potentially serious breach at the International Monetary Fund (I.M.F.). The Times reports that the breach occurred perhaps several months ago, yet the fund only disclosed this to internal staff and board members on Wednesday. Other than the report from the Times, there is not a lot of available information about the incident. The I.M.F. itself has made no public statement about the breach. Surprising for an organization that is capable of a half-dozen [ Read More ]
To qualify for Meaningful Use an organization must use an approved EHR application. The standards that EHR technology must meet to be approved for Meaningful Use are defined in 45 CFR 170.302.
We are often asked if our HIPAA Risk Analysis covers Certification of their EHR Technology to 45 CFR 170.302 (General certification criteria for Complete EHRs or EHR Modules). The short answer is no. That scope of work has already been completed. Here is how the EHR Technology certification process [ Read More ]
The RSA Breach, their initial reaction, and their follow-up communication regarding the Lockheed Martin attack (which they are admitting is related to the initial RSA breach) makes us question their priorities.
Revenue and brand come first. Customer security is second.
Of course both of these are inter-related: you surely can’t build a robust security brand given security incidents like this and RSA’s brand is forever tarnished with this breach.
Nonetheless, in the short term RSA’s reaction [ Read More ]
A recent report suggests that nearly 40% of data breaches of protected health information occur at third party companies entrusted by health care providers with sensitive data. A striking statistic particularly since HIPAA and HITECH mandate that healthcare providers ensure privacy and security among such “business associates.” While providers generally insist these obligations be included in their contracts with outside vendors, the 40% breach statistic shows just how ineffective such agreements [ Read More ]
The OIG (the Office of Inspector General – the audit arm of the Department of Health & Human Services) recently released their report on the CMS’s (Centers for Medicare & Medicaid Services) oversight and enforcement regarding hospitals’ HIPAA Security Rule implementation. In the scathing report* the OIG clearly characterizes the current regulatory compliance efforts by the CMS as lax. While the report is full of interesting statistics about the extent that the hospitals it audited as part [ Read More ]
Security vs Compliance
As an independent provider of security assessments, we are keenly aware of the 2 primary drivers of an objective security assessment – security or compliance. Roughly, these two views of risk management can be thought of as follows:
Security: For organizations in this camp, ensuring that ePHI is protected is mission critical to the business. Any impact to data security would be viewed as negatively impacting business value: whether it be monetary, brand value or customer [ Read More ]
Account takeover fraud remains a major problem for financial institutions and for the small businesses that are hit by it. The FBI recently warned about increased wire transfer fraud to Chinese companies. Typically the hackers compromise the workstation of an employee who has the ability to initiate wire transfers. Once the user logs on to their online banking, the hackers steal the credentials and/or take over the user’s session. Now that the hackers control the workstation and the account [ Read More ]
We wouldn’t be so bold as to say “I told you so,” but for months Redspin has been publicly calling on the ONC to beef up the security controls and measures in the “meaningful use” EHR incentive plan, the Federal Strategic Health IT Plan, and the HIPAA Security Rule itself. In fact just two weeks ago, we offered the following public comments on the Strategic Plan:
“Next, the “security risk analysis” identified as Core Measure 15 should be defined as more than compliance with the HIPAA security [ Read More ]
Last Monday night, I boarded a “red-eye” flight from LAX to Dulles to attend the OCR/NIST HIPAA Security Conference. I landed at 6:15AM, did a quick change into my business attire, grabbed some coffee, rented a car, and found my way to the Ronald Reagan Building at 1600 Pennsylvania Avenue, 3 blocks from The White House. I thankfully arrived just before the breakfast buffet ended and took a seat at the back of the conference ballroom.
The room was packed with 400+ attendees – literally [ Read More ]
One of the ONC’s key responsibilities is to provide strategic leadership to the public and private sector. Mandated under the HITECH Act of 2009, the ONC must publish and update its strategic plan for improving healthcare through the use of information technology.
The Federal Health IT Strategic Plan, 2011-2015, first released in draft form in March 2011, paints a rapidly evolving health IT landscape. It sets 5 overriding goals for “unlocking the vast promise of electronic health information [ Read More ]
There is lots of buzz based on the congressional testimony on how lax the security was on the Sony PlayStation Network. Since there were no sources cited in the testimony, we wondered if there is publicly available info to corroborate that viewpoint. A bit of digging in some of the public forums turned up some interesting information. It turns out users periodically have reported getting errors when trying to access the PlayStation Network. While the fact that they were unable to access [ Read More ]
If you are an eligible hospital or eligible professional then meaningful use incentives and qualifying for them is likely top on your mind. If you are a vendor of EHR technology you have been working to get your software certified for meaningful use so your customers can qualify for the incentives.
Many organizations are in the midst of a tremendous amount of work to meet meaningful use and qualify for the incentives. Based on our conversations most organizations have not yet applied, and [ Read More ]
In a press conference late last week, Sony PlayStation Network executives confirmed that the recent hacking incident that exposed personally identifiable information and credit card numbers of all or part of the user database was an exploit of a known vulnerability – just not one known to Sony.
The “external intrusion” has left 77 million PlayStation Network and Qriocity users without access to the services or their personal data stored there for the past 10 days. In the press conference, [ Read More ]
We regularly are asked to explain the PCI merchant levels to customers. The merchant levels are a pretty straightforward grouping of merchants by credit card transaction volume. Each of the card brands (Visa, MasterCard, American Express, Discover and JCB) lists the transaction volumes for the different merchant levels on their websites. While all companies that store, process or transmit cardholder data are required to comply with the entire Data Security Standard, how the merchant is required [ Read More ]