Monthly Archives: April 2011

Sony’s PlayStation Network Hacked — Credit Card Data Likely Compromised

Posted on by Mark Marshall in Main

Sony’s PlayStation Network (PSN) online gaming network has been compromised in what Sony is calling an “illegal and unauthorized intrusion”. Some 77 million users subscribe to this service and it sounds like they’ve all had their information stolen. Information about PSN subscribers that Sony has confirmed to have been compromised includes: name, address, country, email address, PSN password and login name. What Sony has not released yet (and this is the big one) is whether credit card numbers and expiration dates have …

PCI DSS Merchant Levels – Tell me again…Who needs a QSA?

Posted on by mmarshall in Main

We are regularly asked to explain the PCI merchant levels to customers. The merchant levels are a pretty straightforward grouping of merchants by credit card transaction volume. Each of the card brands (Visa, Mastercard, American Express, Discover and JCB) lists the transaction volumes for the different merchant levels on its website. While all companies that store, process or transmit cardholder data are required to comply with the entire Data Security Standard, how the merchant is required to validate that compliance …

HIPAA Security Risk Analysis: How to Achieve Both Security and Compliance

Posted on by John Abraham in Main

Let’s review the different viewpoints driving why healthcare organizations implement a HIPAA Security Risk Analysis. The purpose of exploring these different perspectives is to show that the primary objectives for doing a HIPAA Security Risk Analysis can be categorically defined as either security or compliance – and that both of these objectives can be achieved if a practical approach to the analysis is utilized. Here I use the term security as the goal of safeguarding electronic protected health information (ePHI) and …

Preparing for a HIPAA Security Risk Analysis: ePHI & Critical Applications

Posted on by John Abraham in Main

We are often asked: “How do we prepare for a HIPAA Security Risk Analysis?” The short answer is: “It’s easy!” It’s actually better to be under-prepared than to delay the process in the hopes of having your IT environment stabilized and your documentation completed – both are dynamic, always in flux and will never be “done”. It’s better to get the risk analysis completed, as it will prioritize important issues and drive limited organizational and IT resources to focus on …

MidState Medical Center Breach – The Business Associate Loses PHI, The Covered Entity… in the News

Posted on by John Abraham in Main

In another classic case of “the business associate is at fault, but the covered entity takes the rap”, the latest breach, disclosed by MidState Medical Center in Connecticut, is a classic case. The breach itself is indicative of a pretty vanilla data-loss vector. While few details have been released, the hospital’s own news release indicates that data had been copied to an external drive by a worker who wanted to use the data to work at home. The drive was …

RSA Breach – What it says about healthcare security strategy

Posted on by John Abraham in Main

RSA’s release of additional information about their security breach (impacting their SecurID multi-factor authentication system) highlights important elements of an information security program. These elements are particularly important in a healthcare IT environment. To understand why, let’s first review a rough outline of some widely reported details of the RSA attack:

Step 1: Attacker sends email to some RSA employees with an attachment entitled ‘2011 Recruitment Plan’

Step 2: Some uninformed-but-probably-not-malintentioned RSA employee downloads the attachment, which includes an Adobe Flash …

Epsilon Breach

Posted on by John Abraham in Main

The latest big security breach to hit the news is an important reminder about a couple of key aspects of security. While few details are available as to the nature of the breach, some general security principles apply. Here are a couple that come to mind.

The existence of a security control is not the same as the effectiveness of a control

Here is yet another reminder that security is all about the details. The existence of a security control …

A Primer on HITRUST, EHNAC, Meaningful Use, HITECH, and Their Relationship with the HIPAA Security Rule

Posted on by perlbot in Main

At the risk of oversimplifying the role each of these groups plays in the healthcare industry, the essence is the same – different people trying to figure out the best way to securely use electronic protected health information (ePHI) and supporting technology. However, without a single, industry-developed and accepted approach to securing ePHI, we are left with a federal statute, the HIPAA Security Rule, to drive the information security programs of our payers, providers, and business associates. Unfortunately, as …

To Audit Or Not To Audit: If A Business Associate Is In Violation Of The HIPAA Security Rule And No One Knows, Does It Matter?

Posted on by John Abraham in Main

There has been some debate as to the extent that a covered entity (CE) should audit a business associate (BA) to ensure that they are compliant with the HIPAA Security Rule and adequately safeguarding customer PHI. While I don’t offer up the answer to that question, I thought it made sense to explore some of the surrounding issues. Some of the key factors that come to mind are:

Monetary Penalties

The HITECH Act creates “several categories of violations that reflect increasing …