FTC’s Additonal Rules for HIPAA Security

Hipaa graphicThe Federal Trade Commission (FTC) recently issued a rule which gives more scope to the data breach notification rules as part of the Health Insurance Portability and Accountability Act (HIPAA). The addition targets companies that provide health info in an online storage facitlity. Things like Google Health or Healthvault would fall under this category. This seems like it should be an obvious thing to do. Why would you let any entity keep your health information without following strict regulatory requirements?  It is definitely a good thing to force companies that keep your health information to notify consumers following a data security breach if the breach involves more than 500 people or even 5 people. The question is how do you track down all these companies that store health information and force the the company notify customers? How do you know when a smaller companay has lost information? We still struggle with this question for the hospitals and healthcare organizations that currently have to comply with the HIPAA regulations or the Hipaa Security Rule. CVS recently had to pay $2.5 million in fines. I wonder what that is in comparison to the cost to consumers who have problems with their data being stolen. (I wouldn’t use the term “lost”) Part of the changes coming from the FTC is the utilization of mobile devices that capture, use, transmit and store data. What are the hospital security requirements of these devices? Does a mobile hand scanner or a mobile device that stores info have to have a built in firewall and antivirus as would a laptop? The only real way to deal with this is to conduct Hipaa Risk Assessment but how many companies actually do it properly? Have you seen the list of breaches on Privacyrights.org? I like this recent one in particular. You cant find such a list on the FTC site. ” July 31, 2009 Jackson Memorial Hospital: (Miami, FL) A Miami man was charged with buying confidential patient records from a Jackson Memorial Hospital employee over the past two years, and selling them to a lawyer suspected of soliciting the patients to file personal-injury claims.” Is every company required to do network security assessment and register their device if it captures, uses, transmits any kind of health information? Is any website that does the same required to register with the FTC?  But I wonder if you had such as database and hackers got into it, how much more trouble would we be in? Check out our HIPAA Top 5 Steps to Compliance for some fun reading. I do not think I came to any real conclusions with this post. Isn’t blogging wonderful?Gary Bahadur Gary Bahadur http://www.kraasecurity.com http://blog.kraasecurity.com http://twitter.com/kraasecurity Miami, Fl *Managed Security Services *Vulnerability Management *Compliance & Policy Development *PGP Security *Website Security Assessment
Miami is a fun place to live and work (there are actually people who work here). Its a great vacation spot, people enjoy the nightlife and now we have something else to crow about. The largest credit theft ring was based here! According to Bloomberg, “Albert Gonzalez, a 28-year-old Miami resident, and two hackers living “in or near Russia” were indicted yesterday by a federal grand jury in Newark, New Jersey, for stealing data from Heartland Payment Systems Inc., 7-Eleven Inc., Delhaize Group’s Hannaford Brothers Co. and two unidentified national retailers.” It always amazes me when really smart computer folks insist on hacking from the US. Why not just head down the the Caribbean and hack from there, let likely to get caught. My question about this is whats the value of regulations such as PCI or HIPAA.  A PCI Security Audit and Hipaa Security policy are supposed to prevent this type of thing when the companies being hacked usually come out after the fact and say they were compliant? Privacyrights.org has this list of breaches in the month of August alone. I wonder what the compliance or network security audit was like for these companies? I dont suppose there really is a good answer to what to do about compliant companies getting breached. They will just keep giving you a year of free credit monitoring I guess.
Aug. 1, 2009 Williams Cos. Inc. (Tulsa, OK) A laptop containing personal and compensation information for more than 4,400 current and former employees was stolen from a worker’s vehicle. The computer had names, birth dates, Social Security numbers and compensation data for every Williams employee since Jan. 1, 2007. 4,400
Aug. 3, 2009 National Finance Center (Washington DC) An employee with the National Finance Center mistakenly sent an Excel spreadsheet containing the employees’ personal information to a co-worker via e-mail in an unencrypted form. The names and Social Security numbers of at least 27,000 Commerce Department employees were exposed. 27,000
Aug. 4, 2009 New Hampshire Department of Corrections (Laconia,NH) A 64-page list containing the names and Social Security numbers of about 1,000 employees of the state Department of Corrections ended up under the mattress of a minimum security prisoner. The prison contracts with vendors to shred documents and investigators are trying to find out why documents were not destroyed. 1,000
Aug. 11, 2009 Bank of America Corp. (Charlotte, NC) Charlotte-based BofA (NYSE:BAC) and Citigroup (NYSE:C) each recently issued replacement cards to consumers, telling them that their account numbers may have been compromised. Account information from certain Bank of America debit cards may have been compromised at an undisclosed third-party location. Bank officials are not certain if this is a new breach or a previously disclosed one. Unknown
Aug. 11, 2009 Citigroup Inc. (New York City, NY) Citigroup (NYSE:C) each recently issued replacement cards to consumers, telling them that their account numbers may have been compromised. Citigroup told credit-card customers in Massachusetts “your account number may have been illegally obtained as a result of a merchant database compromise and could be at risk for unauthorized use.” Bank officials are not certain if this is a new breach or a previously disclosed one. Unknown
Aug. 11, 2009 University of California-Berkeley School of Journalism (Berkeley, CA) Campus officials discovered during a computer security check that a hacker had gained access to the journalism school’s primary Web server. The server contained much of the same material visible on the public face of the Web site. However, the server also contained a database with Social Security numbers and/or dates of birth belonging to 493 individuals who applied for admission to the journalism school between September 2007 and May 2009. 493
Aug. 13, 2009 National Guard Bureau (Arlington, VA) An Army contractor had a laptop stolen containing personal information on 131,000 soldiers. on the stolen laptop contained personal information on soldiers enrolled in the Army National Guard Bonus and Incentives Program. The data includes names, Social Security numbers, incentive payment amounts and payment dates. 131,000
Aug. 14, 2009 American Express (New York, NY) Some American Express card members’ accounts may have been compromised by an employee’s recent theft of data. The former employee has been arrested and the company is investigating how the data was obtained. American Express declined to disclose any more details about the incident. The company has put additional fraud monitoring and protection controls on the accounts at issue. Unknown
Aug. 14, 2009 Calhoun Area Career Center (Battle Creek, MI) Personal information from 455 students at Calhoun Area Career Center during the 2005-2006 school year was available online for more than three years. The information included names, Social Security numbers, 2006 addresses and telephone numbers, birth dates and school information. There were about 1,000 students at the career center during that time, but an investigation by the Calhoun County Intermediate School district found that information for 455 students was available. 455
Aug. 15, 2009 Northern Kentucky University (Highland Heights, KY) A Northern Kentucky University employee’s laptop computer – which contained personal information about some current and former students — was stolen from a restricted area. The personal information stored on the employee’s computer included Social Security numbers of at least 200 current and former students. 200
Gary Bahadur http://www.kraasecurity.com http://blog.kraasecurity.com http://twitter.com/kraasecurity *Managed Security Services *Vulnerability Management *Compliance & Policy Development *PGP Security *FREE Website Security Test
Reblog this post [with Zemanta]
Forget Information Security, someone work on airport delays My posts are all usually information security related. Some interesting things on web security, vulnerability assessment, risk assessment, all that good stuff. Well today I cannot blog about that. As much as I love it, get a probably un-natural excitement about it, I can’t do it. I have been sitting in BWI airport since 7pm. Its about 11pm and I am still waiting for the plane to get here. Or it might be here and we can’t get on, not v ery clear on that. So there was a light sprinkle of rain in the BWI area. All up and down the east coast there was storms. And Boston got whacked. When Boston has problems, everybody has problems. Something like the Regan trickly down theory. Its about 11:20pm now and I just heard the announcement that the flight landed from Portland and potentially I might get home to Miami sometime around 3am. I am not a newbie to travel and being stuck in an airport is old hat. I recall being stuck in Amsterdam on Thanksgiving in the airport for about 11 hours. Patience Grasshopper. So whats so new about this experience? Well I was thinking that the algorithims to route planes around the country were developed 30 or 40 years ago.  So think about all the changes, all the potential of planes these days and not updating how planes are handled. Or maybe I am wrong since I am not an airline expert and they have all new routing plans. Probably. But my view of the world, well I see it as really sucking. So I make the assumption that there needs to be a (cringe) “paradigm shift” in how planes are handled. Maybe we need an Airport Czar. My other problem with the waiting thing is that the Bar closed at 9:30pm!!!! My flight will not leave until about Midnight. When will the hurting stop?!!?!? This was obviously not of any value to anyone except me to channel my airport anger. I usually have a list of things in my posts. Here is my list which is pretty much of no value 1) when sitting in the bar in an airport that closes at 9:30, listen for last call 2) Never take the later flight out in the day if you can avoid it 3) Avoid BWI 4) Never believe the monitors about if your flight is on time 5) Actually speak to people at the bar, keeps things entertaining 6) Girls wearing short shorts shouldn’t lie down, knees akimbo at the airport 7) Never pass up a trip to Vegas to for a trip to Baltimore 8) The restaurants close early at BWI, eat early 9) BWI sucks 10) BWI sucks
In February, CVS was ordered to pay a fine of 2.5million dollars by the FTC. This fine was because their employees threw out personal information about patients. Who knew poor recycling programs could cost so much? HIPAA has been around for a number of years but not until recently did we see that it has teeth and companies are going to be held accountable.  CVS has to have an assessment every other year now for 20 years. And assessments are not cheap! Assessments based on the Security Rule cover many areas of technology controls such as Firewall protection, Antivirus, Encryption, Vulnerability Scanning and much more. I am sure conducting an assessment rather than getting fines would have been much cheaper for CVS. The definition of a Covered Entity for HIPAA compliance really reaches out to more companies than just hospitals and doctors offices. Not only companies like CVS will get fined but business partners of hopsitals and doctors offices storing patient data will be in trouble if they do not conduct Risk Assessments. There are a number of ways to conduct these assessments, make them practical and stay out of trouble with “The Man”. One company that is pretty helpful in this regard is RiskWatch, http://www.riskwatch.com  Their software allows you to conduct HIPAA, PCI, Red Flag Rule and other types of assessments. For security professional, these regululations provide a strong insentive for companies to get their act together regarding privacy and security of data. Its unfortunate they have to be fined first to get them to the ball rolling. But hopefully, more will take a proactive stance for compliance but also to get an ongoing security program in place. Regards Gary Bahadur

http://www.kraasecurity.com

http://blog.kraasecurity.com

http://twitter.com/kraasecurity

*Managed Security Services

*Vulnerability Management

*Compliance & Policy Development

*PGP Security

*FREE Website Security Test

Why did it takes us over 2 decades to really approach the cybersecurity topic. When I started in informatio security in in 1994, it was the wild west. People were creating processes, developing security frameworks and growing a whole new industry. I like to think I played some part in being on the early team at PriceWaterhouse and we had the first ever corporate “Hacking Lab” in NJ to test our clients security weaknesses. Those were Good time. Now we are just in Regular times. So what can we expect from the Czar? The White House must take the cybersecurity lead. The current approach to cybersecurity is untenable, said Hathaway at RSA in April. Well that was obvious. When you have hackers runing around American corporations and in and out of government agencies, I would agree that is “untenable”. Here is my plan for cybersecurity: 1) Put ME in charge of the whole thing. Good plan right? My point is you have to have someone with a practical approach. You to address this both straategically and tactically. Tactically in the short term and strategic in the long term. We know government cant get out of its own way, so let the private sector have more say in how this is done. Simple way to start: 1) Have a time line, say 2 year to have every government and quasi government computer defined in a risk classification scheme. 2) Conduct continuous vulnerability assessment of the High and Medium risk systems. 3) MUST have Patch management for all systems. 4) Encrypt any data leaving a secure internal system 5) Figure out what Data Loss Prevention means! 6) FUND Cybersecurity like its part of the Defense Budget. Baha – new Cybersecurity Czar http://www.kraasecurity.com http://blog.kraasecurity.com http://twitter.com/kraasecurity *Managed Security Services *Vulnerability Management *Compliance & Policy Development *PGP Security *FREE Website Security Test +++++++++++++++++++++++++++++++++++ BBC US President Barack Obama is to set out plans for securing American computer networks against cyber attacks. In a speech that follows a 60-day review, Mr Obama is expected to announce the creation of a cyber security office in the White House. Both US government and military bodies have reported repeated interference from hackers in recent years. In a separate development, the Pentagon is to create a new military command for cyber space, the New York Times said. Mr Obama will not discuss the Pentagon plan during Friday’s announcement, the newspaper said. But he is expected to sign a classified order to establish the military command in coming weeks, it reported, citing officials.