I just finished reading the ONC’s (Office of the National Coordinator for Health Information Technology) draft document The Federal Health IT Strategic Plan (“the Plan”) while watching the Butler-Florida game in the quarterfinals of the 2011 NCAA Championships. One of the ONC’s key responsibilities is to provide strategic leadership to the public and private sector. Mandated under the HITECH Act of 2009, the ONC must publish and update its strategic plan for improving healthcare through the use of information technology. … →
RSA Breach – What Can Be Learned
It’s big news that RSA’s infrastructure around their SecurID solution has been compromised. While information around this attack and its impact on customers is lacking (RSA is citing an ongoing investigation as a reason to limit public disclosure), a couple of lessons about general security management can be learned. The first lesson is around vendor management. As a security assessment company, we get to hear a lot of people at organizations around the world describe their state of security. One … →
A “Reasonable” Approach to HIPAA Risk Analysis
The Office of Civil Rights (OCR) is responsible for issuing annual guidance on the provisions in the HIPAA Security Rule (45 C.F.R. §§ 164.302 – 318). But with so much recent interest in IT security driven by the “meaningful use” incentive program, we want to share some of our observations and perspectives from recent Redspin client engagements in the healthcare industry. All electronic protected health information (ePHI) created, received, maintained or transmitted by an organization is subject to the Security Rule. … →
Get a Meterpreter Shell Using SMB Credentials
The Meterpreter shell in Metasploit is a fantastic way to interact with a compromised box. It runs entirely in memory and leaves no trace of itself after you disconnect, allowing you to pillage and plunder cleanly without leaving any tracks. I find myself using it fairly frequently against Windows machines that I’ve already gotten credentials for via some other means. In those cases it doesn’t make sense to use an actual exploit to get a Meterpreter shell going. Use the … →
HIPAA Enforcement Training for State Attorneys General – Is this a good thing or bad?
I received an email notification about State Attorneys General HIPAA enforcement training posted by Joseph Conn at ModernHealthcare.com. The HITECH Act gave state attorneys general the authority to bring civil actions to obtain monetary damages for residents of their state for violations of the HIPAA Security Rule and Privacy Rule. What might it mean that the Office of Civil Rights (OCR) has scheduled enforcement seminars open only to State Attorneys General and their staff? The OCR has four of these 2-day seminars scheduled between April … →
A Systematic Approach to Managing Business Associate Risk
Here we discuss the need for, and an approach for developing, a structured Business Associate oversight program for data security risk management. HIPAA and the HITECH Act have highlighted the importance of Business Associate (BA) security. Covered Entities (CEs) need to effectively manage Business Associate security risk, and BAs need to understand their compliance requirements and liability under HIPAA and HITECH regarding the protection of protected health information (PHI). The entire supply chain of PHI from CEs to BAs to BA subcontractors … →
Charleston Area Medical Center (CAMC) Data Breach – What Can Be Learned?
It’s always educational to review a data security breach to see what can be learned. In the case of the Charleston Area Medical Center (CAMC) last month, a number of lessons can be learned. First, let’s review what we know (and don’t know) about the data breach, which happened at CAMC subsidiary CAMC Health Education Research Institute (CHERI). What Happened: It was a pretty straightforward breach. Last month someone doing an online search for an address found that the … →
Managing HIPAA / HITECH Act Risk in ePHI Supply Chain
HITECH and the notice of proposed rule making (NPRM) published in the Federal Register July 14, 2010 significantly impact how Covered Entities (CEs) and Business Associates (BAs) manage health IT security risk under HIPAA. It has, in effect, created an ePHI supply chain in which everyone on the chain needs to worry about the security controls of everyone else in the chain. Here’s why: Business Associates: the definition of a BA is expanded to include data transmission services such as HIEs … →
Managing Windows User Accounts via the Commandline
Just hacked a box on a penetration test but can’t get a Meterpreter shell on it for some reason? Add yourself a new account quickly with these easy commands. Works on all current versions of Windows (assuming you’ve got an admin-level account). Add a local account named goat with the password T@styHay!: net user /add goat T@styHay! Now add the goat account to the local administrators group: net localgroup administrators /add goat View members of the local administrators group and make … →