A report recently released by Deloitte performs a nice literature review including industry white papers and surveys, congressional testimony, and related journals. Interesting results include: 71% of HHS-reported information breaches are from Health Care Providers. The impact of a data breach over a two-year period is approximately $2 million per organization and the lifetime value of a lost patient is $107,580. Approximately one third of data breaches result in medical identity theft. Nearly 85 percent of hospitals are NOT in …
Increased Penalties for Healthcare Privacy and Security Violations? Batten Down the Hatches!
The 2009 HITECH Act authorized the Health and Human Services Office for Civil Rights (HHS OCR) to add teeth to existing security and privacy regulations, and they’ve obviously taken the responsibility seriously. On the same day that HHS OCR imposed a whopping $4.3 million fine on Maryland-based Cignet Health for violating a provision of the HIPAA Privacy Rule, we also learned that HHS OCR intends to tighten healthcare data breach regulations further and to increase financial penalties across the …
8 “Simple” Rules for Protecting PHI
In the popular TV series “8 Simple Rules for Dating My Teenage Daughter,” the rules may have been a bit exaggerated but they sure made their point. (Rule #1: Use your hands on my daughter and you’ll lose them after.) Likewise, my “8 Simple Rules for Protecting PHI” strike a similar chord – no threats of bodily harm, but certain transgressions may be bad enough to result in personnel sanctions or even loss of employment. This is serious stuff. And …
Correction…8 million and counting
Since our 2010 Protected Health Information Breach Report was released, we have been asked a lot about trends in the industry. Well, just in the last couple of weeks, a number of breaches have been disclosed that occurred at the end of 2010. This includes 16 incidents, over half the result of theft and involving some type of portable media. The worst case involved 1.7 million records compromised as a result of 1) unencrypted backup tapes and 2) business associate leaves …
Cloud Computing Security
Cloud computing seems to be at the forefront of everyone’s mind. The promise of increased performance and reduced costs is a compelling story. A major challenge is determining if or how cloud computing can be done securely. To that end, NIST recently released two useful documents: a set of cloud security best practices and a definition of cloud computing. It seems everyone has a different meaning in mind when discussing cloud computing, so it’s nice to see NIST taking a stab at defining it. …
Practical Business Associate Risk Management
As any reasonably sized covered entity will attest, it is not unusual to have hundreds of Business Associates (partners who have access to ePHI). While your own security may be adequate to protect your ePHI, a breach by a Business Associate will result in substantial impact, and the data breach is required to be disclosed. The process of ensuring they are protecting your ePHI is a bit easier since the HITECH Act mandated that Business Associates must be HIPAA compliant. …
6 Million and Counting
Redspin just released its annual report of protected health information breaches that occurred from late 2009 through the end of 2010. Over 200 breaches affecting 6,067,751 individuals have been recorded since August 2009, when the interim final breach notification regulation was issued as part of the Health Information Technology for Economic and Clinical Health (HITECH) Act. However, this number only includes breaches that affected more than 500 individuals. The number of breaches that affected fewer than 500 individuals must also …
Nasdaq Breach – What it says about what a company says about their security
The breach of Nasdaq’s Directors Desk application provides an interesting opportunity to compare their actual state of security with their advertised state of security. According to the Directors Desk website: “Directors Desk has taken extreme measures to protect user information against unauthorized access.” Given the confidential nature of public company board meetings – what they discuss can move markets – it’s natural that Nasdaq’s Directors Desk service would need to discuss security. And if what a company says about security …
Nasdaq Systems Breached
Nasdaq has acknowledged that suspicious files were found on some of its systems. The files were apparently the result of hackers gaining access to at least one of its servers.
Disable Storage of the LM Hash
The LM hash is a horrifying relic left over from the dark ages of Windows 95. Also known as the LanMan, or LAN Manager, hash, it is enabled by default on all Windows client and server versions up to Windows Server 2008, where it was finally turned off by default (thank you, Microsoft). So what’s wrong with the LM hash? Let’s look at exactly how the LM hash is computed, via Wikipedia: The user’s ASCII password is converted to uppercase. …