HIPAA Violations Have Real Teeth and Consequences

Health and Human Services (HHS) recently released the results of the settlement agreement with Massachusetts Eye and Ear Infirmary (MEEI). MEEI has agreed to pay HHS $1.5 million to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule. The next step is for MEEI to implement new security controls and policies to remedy the problems. (www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/meei-agreement.html)

The key findings by HHS are probably prevalent in organizations that have not gone through a HIPAA Security and Privacy audit. The results in summary are:

1) A risk analysis was not conducted to understand dangers to EPHI

2) Data created, transmitted and maintained was not secure

3) Security incident management did not have appropriate policies and procedures in place

4) Portable device security was not in place

5) Portable device management was not in place

6) Access to portable devices with EPHI was not fully restricted

As with so many government settlements, it wasn’t an admission of wrongdoing. That always seems strange when the findings were there, but that’s the agreement. Each of the findings is dangerous when it comes to protecting patient data, and collectively the problem is compounded. It would have been much cheaper to conduct the HIPAA Security and Privacy review and pay to implement new policies, procedures and software. It would have been way under the $1.5 million in fines and ongoing audits and oversight.

Has your organization conducted a HIPAA Security review, if one is necessary?


Eight BIG reasons why organizations need HIPAA audits

The Health Information Technology for Economic and Clinical Health Act (HITECH) requires the Secretary of the U.S. Department of Health & Human Services (HHS) to provide for periodic audits to ensure that covered entities (such as group health plans) and their business associates comply with the HIPAA privacy and security requirements.

HIPAA Privacy Provisions

HIPAA’s Privacy provisions became effective 04/14/2003 and 04/14/2004 for Large Plans and Small Plans respectively. For these purposes the same definitions as those used by the SBA apply. The Privacy provisions, when integrated with HIPAA’s Security provisions, require operational, documentation and educational performance. Adherence to best practice generally minimizes the possible considerable personal exposure of clients’ employees. HHS audits are now ongoing and companies need to understand the risks they now face.

The initial key reasons we see this pressing need for HIPAA audits include:

1) There is an ongoing national pilot HIPAA compliance audit project through the Office for Civil Rights (“OCR”) that could present a high level of risk. Audits by mail are also occurring and the industry expects all types of audits to increase. An unsuccessful audit can reflect negatively on a business brand and client confidence.

2) Covered Entities and Business Associates must stop doing business with an entity in Breach until such time as it can document that the Breach has been fixed. Although important all-around, this is especially important to those providing medical care and insurance-type services.

3) Corrective measures and business costs in the event of a Breach range from $90 to $305 per record, with an average of $200 per record.

4) Individuals can be personally responsible.

5) There is a significantly increased level of risk and probability of failure in the absence of adequate compliance measures.

6) A Breach that impacts 500 or more individuals MUST be posted on a government website. http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/postedbreaches.html

7) Civil monetary penalties (“CMP”) may apply to a Breach. The amounts are related to the severity of the Breach, with categories of “Did not know” (a) through (d); “reasonable cause but not willful neglect” (b) through (d); and “willful neglect” (c) through (d).

a) $100 per violation not to exceed $25,000 per calendar year,

b) $1,000 per violation not to exceed $100,000 per calendar year,

c) $10,000 per violation not to exceed $250,000 per calendar year, and

d) $50,000 per violation not to exceed $1,500,000 per calendar year.

8) Criminal actions

a) Knowing violations of up to $50,000 and/or a year in prison

b) Misrepresentations (false pretenses) of up to $100,000 and/or five (5) years in prison

c) Intent to sell, distribute, etc.: up to $250,000 and/or 10 years in prison

Gary Bahadur

“Securing the Clicks: Network Security in the Age of Social Media”  

Are you protecting your WordPress website from attacks?

With the popularity of WordPress, and the support it gets from the development team, it’s easy to think that your installation of WordPress is secure. Since you didn’t code it from scratch, you might assume that it is hardened and you don’t have to do any further tinkering with security. Well, you may just want to put some effort into locking down your WordPress installation.

There are several methods that are generally used in an attack on a website. First you have misconfigurations. This can mean everything from leaving the ‘wp-config’ file readable to the world, to allowing any kind of file to be uploaded in a form, to weak password security. The second type of access can usually be gained through bad coding techniques. If you add a plugin or write your own code to add to the WordPress installation, this can possibly allow an attacker to take advantage of bad code to break into your site. And lastly you can lump other attacks into infrastructure attacks. Maybe you don’t have a firewall or intrusion prevention service running to stop attacks. Or you are hosting your website on a shared service like Godaddy or Hostgator and someone else’s website is vulnerable, leading to a compromise of the whole hosted server.

For now, let’s address some easy things you can do to reduce configuration weaknesses that could lead to a hacked website.

1) Password – no matter how many times you say it, people still use weak passwords that can be guessed or broken with brute-force attacks. There are several free and paid login protection plugins you can use. Here is “Simple Login Lockdown”, which can block access attempts after several failed attempts.

2) File Permissions – this is a bit trickier if you do not know how file permissions work. You can get an easy primer from the WordPress help file, http://codex.wordpress.org/Hardening_WordPress . It also provides a lot of details for the more technically savvy. Key directories that need to be locked down include:

/
/wp-admin/
/wp-includes/
/wp-content/
/wp-content/themes/
/wp-content/plugins/

Here is an example of a more robust tool that can do multiple things, including monitoring access and monitoring file changes, “Bulletproof” http://www.ait-pro.com/

3) Monitoring – you should know what is going on with access attempts or changes in your files and configurations of your WordPress site. There are a number of tools you can search for monitoring and logging activity. Here is a tool that can help you with the file permissions, “Better WP Security” from Bit51.com

4) Security Testing – even if you have installed security plugins and have configured your website correctly, you should still periodically test the security for vulnerabilities. You can pay third-party companies to do penetration testing or you can try some of the plugins on your own. Here is an example of a plugin that you might use; we do not validate how well these perform, but show you the options. This example is “Cloudsafe365” http://www.cloudsafe365.com/

There are lots of different tools you can use to secure your site. The first step is to know that it will not stay secure without you actively implementing security measures.
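As an added, self-contained example (my own code, not from this post or from any of the plugins it names), here is a small POSIX shell audit that covers points 1 to 3 above: it checks the web root, the listed directories and wp-config.php for world-writable and world-readable modes, and it scans web-server access-log lines for repeated wp-login.php POSTs from a single client, which is the signal a login-lockdown plugin reacts to. The directory tree and the log lines are constructed for the demo; the threshold of 3 attempts and the use of a 302 response to distinguish a successful login from a failed one (WordPress redirects after a successful login and re-displays the form with a 200 otherwise) are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original post: a WordPress hardening audit.
# Part 1 audits permissions on the paths the post lists; part 2 flags
# wp-login.php POST bursts per client IP in access-log lines.

# Directories the post names as needing to be locked down (relative to the web root).
WP_DIRS="wp-admin wp-includes wp-content wp-content/themes wp-content/plugins"

# perm_has PATH OCTAL_BITS -> true if all OCTAL_BITS are set on PATH itself
# (-prune stops find from descending, so only PATH is examined)
perm_has() {
    [ -n "$(find "$1" -prune -perm "-$2" -print 2>/dev/null)" ]
}

# audit_permissions ROOT -> prints one FINDING line per problem, returns 1 if any
audit_permissions() {
    root=$1
    findings=0
    # wp-config.php carries DB credentials and salts: "others" must not read it
    if [ -f "$root/wp-config.php" ] && perm_has "$root/wp-config.php" 004; then
        echo "FINDING: $root/wp-config.php is world-readable"
        findings=$((findings + 1))
    fi
    # the web root and the listed directories must not be world-writable, or any
    # local account (a neighbour on shared hosting, say) can drop files into them
    for d in . $WP_DIRS; do
        if [ -d "$root/$d" ] && perm_has "$root/$d" 002; then
            echo "FINDING: $root/$d is world-writable"
            findings=$((findings + 1))
        fi
    done
    [ "$findings" -eq 0 ]
}

# build_sample_site DIR -> constructed WordPress tree with deliberately weak modes
build_sample_site() {
    for d in $WP_DIRS; do mkdir -p "$1/$d"; done
    printf "define('DB_PASSWORD', 'sample');\n" > "$1/wp-config.php"
    chmod 644 "$1/wp-config.php"      # weak: world-readable
    chmod 777 "$1/wp-content/plugins" # weak: world-writable
}

# harden_sample_site DIR -> the tightened modes (owner rw, group r for the config)
harden_sample_site() {
    chmod 640 "$1/wp-config.php"
    for d in . $WP_DIRS; do chmod 755 "$1/$d"; done
}

# Constructed combined-format access-log lines: 203.0.113.7 hammers the login
# form (POST answered with 200 = form re-displayed), 198.51.100.20 logs in once
# (assumption: a successful login is answered with a 302 redirect).
SAMPLE_LOG='203.0.113.7 - - [10/Aug/2012:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3951 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Aug/2012:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3951 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Aug/2012:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3951 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Aug/2012:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3951 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Aug/2012:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3951 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Aug/2012:10:00:06 +0000] "GET /wp-login.php HTTP/1.1" 200 2100 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Aug/2012:10:00:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"'

# flag_login_bursts THRESHOLD  (log lines on stdin)
# prints "<ip> <count>" for each IP with more than THRESHOLD wp-login.php POSTs
# that were not answered with a 302, i.e. repeated failed logins
flag_login_bursts() {
    awk -v limit="$1" '
        $6 == "\"POST" && $7 ~ /^\/wp-login\.php/ && $9 != "302" { fails[$1]++ }
        END { for (ip in fails) if (fails[ip] > limit) print ip, fails[ip] }'
}

# Demo: build the constructed tree, audit, harden, audit again, then scan the log.
demo() {
    tmp=$(mktemp -d)
    build_sample_site "$tmp"
    audit_permissions "$tmp" || echo "weak permissions found, hardening..."
    harden_sample_site "$tmp"
    audit_permissions "$tmp" && echo "no permission findings after hardening"
    rm -rf "$tmp"
    echo "login bursts (more than 3 failed POSTs from one IP):"
    printf '%s\n' "$SAMPLE_LOG" | flag_login_bursts 3
}

demo
```

Against a real site you would point audit_permissions at the web root and pipe the real access log into flag_login_bursts; the octal bits used by perm_has are the "others" read (004) and write (002) bits, so the check is about what any other account on the host can do, which is exactly the shared-hosting exposure described above.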
TrapWire: If You SEE Something SMASH Something! (Photo credit: watchingfrogsboil)

Trapwire got you trapped?

A couple of stories have come out about Trapwire after it emerged that there were documents on it in a Wikileaks release. Wikileaks is undergoing Denial of Service attacks that could be related to the release of this information. Wikileaks also published information on another surveillance intelligence company, Stratfor. As Trapwire says on their website: “TrapWire is a unique, predictive software system designed to detect patterns indicative of terrorist attacks or criminal operations. Utilizing a proprietary, rules-based engine, TrapWire detects, analyzes and alerts on suspicious events as they are collected over periods of time and across multiple locations.”

Well, the technology to monitor everything we do on the Internet has been available for a long time. How companies put that technology together is probably more secret sauce than any kind of patents they may have. The best execution of a product will usually win the day. So who should be concerned about Trapwire? We are already being monitored by closed-circuit TV everywhere we go. That info can be imported into facial recognition software easily enough. Facebook recently acquired Face.com, the facial recognition software company. How much more invasive do you think Facebook will be going forward? Should you be more concerned with Facebook or Trapwire? Who knows. The whole thing is probably being overhyped; it’s just another in a long line of surveillance solutions we have to live with at this point.

That’s a depressing thought. If the government isn’t actively monitoring as much activity as they can, you would probably call them incompetent. I think the government should outsource their monitoring needs to Facebook and “The Google”. Save the US taxpayers some money. A Cloud model for invasion of privacy is probably more cost effective for the government!
