What every organization should know about HIPAA

What Is The HIPAA Privacy Rule?

According to HHS.gov, “The HIPAA Privacy Rule establishes national standards to protect individuals’ medical records and other personal health information and applies to health plans, health care clearinghouses, and those health care providers that conduct certain health care transactions electronically.”

In other words, the privacy rule sets forth standards to protect health related information specifically controlled by organizations that handle electronic forms of medical records.

What is the HIPAA Security Rule?

Also according to HHS.gov, “The HIPAA Security Rule establishes national standards to protect individuals’ electronic personal health information that is created, received, used, or maintained by a covered entity. The Security Rule requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information.”

The Security Rule sets forth the specific things that an organization is expected to do to protect healthcare data.  It also describes who is expected to protect health data and who is liable for its loss.

What Is A Covered Entity and Who Qualifies?

A covered entity is any health plan, health care clearinghouse, or health care provider that transmits health information in electronic form.  However, the application of HIPAA does not end there.  A Business Associate is a person or organization, other than a member of a covered entity’s workforce, that performs certain functions or activities on behalf of, or provides certain services to, a covered entity that involve the use or disclosure of individually identifiable health information.  In other words, any organization that does work for a covered entity and has regular access to health records is responsible for complying with parts of HIPAA.

What Data Is Protected?

According to the Summary of the HIPAA privacy rule:

HIPAA protects all “individually identifiable health information” held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral. The Privacy Rule calls this information “protected health information (PHI).”

“Individually identifiable health information” is information, including demographic data, that relates to:

  • the individual’s past, present or future physical or mental health or condition,
  • the provision of health care to the individual, or
  • the past, present, or future payment for the provision of health care to the individual,

and that identifies the individual or for which there is a reasonable basis to believe can be used to identify the individual. Individually identifiable health information includes many common identifiers (e.g., name, address, birth date, Social Security Number).

In other words, PHI is any health-related data that identifies a person, or that could reasonably be used to identify a person.

What Is The Breach Notification Rule?

According to HHS.gov, “The HIPAA Breach Notification Rule, 45 CFR §§ 164.400-414, requires HIPAA covered entities and their business associates to provide notification following a breach of unsecured protected health information.”  For the loss of fewer than 500 records, annual notification is required; for 500 or more, notification is required within 60 days.

What Are The Risks For Non-Compliance? Or, In Other Words, Why Is This Important To Me?

There are a number of factors to consider, such as the number of records lost and how much neglect is involved.  None of the specifications in the HIPAA rules are optional; those designated “addressable” just mean that you have freedom in how you implement them.  The Federal Register provides a wealth of information and estimates of the average costs of breaches.  Penalties are only a portion of the costs.  Costs to consider include:

  • Cost to notify individuals
  • Cost to provide a toll free number and subsequent call charges
  • Cost to investigate the breach
  • Cost to notify individuals with new privacy notices
  • Costs of civil penalties
  • Potential jail time

All of these costs add up to equal the total costs to an organization in the event of a breach.  The civil penalties are outlined in the following table from the Federal Register:

Categories of Violations and Respective Penalty Amounts Available (Source: The Federal Register)

  Violation Category                       | Each Violation   | All such violations of an identical provision in a calendar year
  (A) Did Not Know                         | $100-$50,000     | $1,500,000
  (B) Reasonable Cause                     | $1,000-$50,000   | $1,500,000
  (C)(i) Willful Neglect - Corrected       | $10,000-$50,000  | $1,500,000
  (C)(ii) Willful Neglect - Not Corrected  | $50,000          | $1,500,000

As the costs add up, healthcare organizations need to realize that the cost of becoming compliant can be well below that of a large breach.  In a previous post we talk about the general areas on which an organization needs to focus in order to become compliant with most standards.  For a detailed breakdown of controls that should be considered for HIPAA, here is a good post.  Here are a few of the recent breaches and examples from HHS (these don’t include any Business Associates, but we will probably start seeing those this year or next):

Case Examples and Resolution Agreements (Source: HHS.gov)

  Organization | Cause of Breach | Penalty
  New York and Presbyterian Hospital | Web server misconfiguration | $3,300,000
  Concentra | Stolen, unencrypted laptop | $1,725,220
  Alaska DHSS | Stolen, unencrypted USB drive; inadequate policies and procedures; failure to complete risk analysis, employee training, device and media controls or encryption | $1,700,000
  WellPoint | Application database misconfiguration; failure to perform risk analysis; inadequate policies and procedures | $1,700,000
  Massachusetts Eye and Ear Infirmary | Unencrypted personal laptop; management was aware of the Security Rule but failed to take necessary action | $1,500,000
  Columbia University | Failed to perform risk analysis or provide policies and procedures governing IT | $1,500,000
  BCBST | Stolen, unencrypted hard drives | $1,500,000
  Shasta Regional Medical Center | Failure to obtain written authorization to disclose PHI | $275,000
  QCA | Failed to perform risk analysis and to provide physical safeguards for workstations | $250,000

Shellshock, What Does It Mean For Your Organization?

Updated: Added information about Macs and some additional reference links.

This new vulnerability is much easier to exploit than Heartbleed and can have a huge negative impact on your organization.  Windows Server environments are not immune either.  We have been waiting for the dust to settle before jumping on the media hype about all of this; we wanted to make sure that information was gathered from multiple sources, that official security organizations had made their opinions public, and that we weren’t just posting information to try and gather web hits.

According to Errata Security

What is ShellShock?

Shellshock is a vulnerability in Bash, a shell found on most Linux systems.  This shell is in use across much of the web: at least 35% of all web servers run Apache, which doesn’t necessarily mean those servers have Bash installed, but many if not most of them will.

For a comprehensive and technical overview of the bug, visit TroyHunt’s post about it.  We are not going to dig into the details; we want to make sure you have the information you need to make a decision for your organization.

Why should my organization be concerned?

This vulnerability can allow an attacker from the outside, with access to nothing but a public-facing web page, to gain access to a shell.  Even in the best-case scenario, we don’t want anyone gaining a shell on an internal system, because they would have the potential to run any command they want.  Some commands require elevated privileges to execute, but I have found more than my fair share of web servers running sites as root or similar.  The attacks also don’t have to come from the web: early proofs of concept have shown the vulnerability can be reached through SSH and DHCP as well as other protocols.  This vulnerability is a perfect candidate for a widespread worm.

According to Robert Graham at Errata Security, the issue is much more widespread than we think, and the vulnerability is already being exploited and attacked in the wild.

To summarize, this vulnerability could potentially give someone full control of a server with minimal effort (look how easily the vulnerability was exploited here by just browsing to a web page, or here by setting up a DHCP server).  Think about it: if a DHCP server can exploit it, and Macs are vulnerable, what is the risk of using a Mac on public wifi now?  That is why the CVSS score is as bad as it gets:

CVSS Severity (version 2.0):

CVSS v2 Base Score: 10.0 (HIGH)
Impact Subscore: 10.0
Exploitability Subscore: 10.0

CVSS Version 2 Metrics:

Access Vector: Network exploitable
Access Complexity: Low
Authentication: Not required to exploit
Impact Type: Allows unauthorized disclosure of information; Allows unauthorized modification; Allows disruption of service
Source: NIST

How do I know if I am vulnerable?

On a Linux machine (this includes devices with embedded Linux such as phones, routers, switches, etc.) run the following command:

env x='() { :;}; echo this machine is vulnerable' bash -c "echo testing"

If the output of this command contains ‘this machine is vulnerable’, then it is.

Macs are vulnerable as well, but there is a little more effort to test.  Additionally, users are dependent upon Apple to push out the updates.
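The one-line test above checks only the bash that happens to be first in your PATH. Here is an added shell script, not part of the original post, that wraps the same probe in a function so it can be pointed at any bash binary and re-run after patching; the list of install locations it audits (Linux system paths plus Homebrew/MacPorts paths on Macs) is an assumption, not something the post specifies.

```shell
#!/bin/sh
# Added example (not from the original post): wraps the env-based Shellshock
# probe in a function that can be run against any bash binary and re-run
# after patching. Prints one of: "vulnerable", "not vulnerable", "bash not found".
shellshock_check() {
    bash_bin="${1:-bash}"          # default: whichever bash is first in PATH
    if ! command -v "$bash_bin" >/dev/null 2>&1; then
        echo "bash not found"
        return 0
    fi
    # The exported variable holds a function definition followed by an extra
    # command. A fixed bash defines (or rejects) the function and never runs
    # the trailing command; a vulnerable bash executes it while importing the
    # environment, so the canary shows up in the output of an unrelated -c.
    out=$(env x='() { :;}; echo SHELLSHOCK_CANARY' "$bash_bin" -c 'echo probe' 2>/dev/null)
    case "$out" in
        *SHELLSHOCK_CANARY*) echo "vulnerable" ;;
        *)                   echo "not vulnerable" ;;
    esac
    return 0
}

# Check every bash binary a host is likely to carry, not just the one in PATH.
# Assumed locations: /bin/bash and /usr/bin/bash on Linux; /usr/local/bin/bash
# and /opt/local/bin/bash for Homebrew/MacPorts installs on Macs.
audit_bash_binaries() {
    for b in /bin/bash /usr/bin/bash /usr/local/bin/bash /opt/local/bin/bash; do
        [ -x "$b" ] || continue        # skip paths that do not exist on this host
        printf '%s: %s\n' "$b" "$(shellshock_check "$b")"
    done
}

audit_bash_binaries
```

Run it before and after applying a vendor patch; a binary that still reports "vulnerable" afterwards is one of the incomplete fixes the post mentions.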

What do we do?

That one is tough, because not all systems have updates.  For those that do, patching can be completed with minimal effort (though standard change control procedures should be used).  Many Linux distributions have released updates, but as some researchers have noted, not all fixes have worked.

Here is the process we suggest taking within your network:

  1. Don’t panic; most of your primary systems are not vulnerable.
  2. Identify all systems that may be running bash, which includes Macs (giving priority to any with public-facing websites or services such as Telnet, FTP, SSH, etc.).
  3. If you have public-facing Telnet or SSH, turn it off.  If you have public-facing FTP, it should at least be running SFTP or FTPS.
  4. Contact vendor support or vendor resources and determine if patches are available (here is a good starting point for vendor information).
  5. Deploy patches, and retest.
  6. For devices where patches are unavailable, consider the risk to the organization; if the risk outweighs the benefit, consider options including shutting down the device:
    1. Is the device public facing?
    2. Does it have direct access to important information?
    3. What would the impact to the business be if this device went down?
    4. Is this device necessary?

If you need assistance performing any of the services please contact us at info@securit360.com or call us at 205-202-4233.

HHS Enforces Penalties for Losing Less Than 500 Patient Records

The Hospice of Northern Idaho (HONI) has agreed to pay the U.S. Department of Health and Human Services (HHS) $50,000 to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule.  Source: http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/honi-agreement.html

HONI reported that an unencrypted laptop was stolen in 2010 and that it contained 441 patient records.  HHS began an investigation and discovered that HONI had not performed a risk analysis to safeguard its PHI, nor did it have any policies or procedures in place regarding mobile device security, which is required by HIPAA.

The HITECH breach notification rule requires covered entities to report loss of 500 or more records to HHS and the media within 60 days, but also requires that smaller breaches be reported on an annual basis.

According to the agreement between HHS and HONI the official reasons for the fine were:

  • HONI did not conduct an accurate and thorough analysis of the risk to the confidentiality of ePHI on an on-going basis as part of its security management process.
  • HONI did not adequately adopt or implement security measures sufficient to ensure the confidentiality of ePHI that it created, maintained, and transmitted using portable devices to a reasonable and appropriate level.

In a recent blog post we discussed how many health care organizations are still focused on protecting their organization from themselves, and they are not prepared to face the threat of malicious attacks from the outside.  This is another example of where basic and simple information security practices (encrypting a laptop) would have prevented significant fines and court costs.  Has your organization reviewed your standard security practices?  Would you be protected if someone lost a laptop?  What if someone actively targeted your records?

Is the healthcare industry a target?

Many of the clients we work with are either a medical service provider or a vendor to medical service providers.  If they are creating, transmitting or storing patient data, then they are a covered entity and therefore liable for compliance with HIPAA.  What we often find is that clients are under the impression that HIPAA provides a set of specific instructions for how to secure a network and protect data.  What they find out is there isn’t a yellow brick road leading to compliance.  HIPAA lays out the results of information security efforts that are expected, but the clients are required to build the road to those results.

Many times the mindset is, we aren’t really a target like the financial industry or retailers, so we just need to make sure we don’t do something stupid and lose our data.  This can no longer be the mindset.  A recent CNN article sheds some light on why the healthcare industry, and specifically medical records, may become much more lucrative for data exfiltration.  According to many sources, credit card numbers typically fetch about $1-$2, but sometimes up to $100, on the black market depending on the metadata that is included.  Many times they are unreliable, and it can take hundreds or thousands of them in order to see any profits.  On the other hand, medical records are fetching around $50 per record, according to Med Page Today.  To put it in perspective, Target lost approximately 40 million credit card records in the initial breach.  Based on the price on the black market, the data stolen could be worth up to $40 million.  It won’t be quite that much, because there will be duplicate records, expired credit cards, fraud protections in place and other factors that would reduce the total value of the data.  Additionally, there are many systems in place to protect the use of that data as well as track down anyone who attempts to use it.

Why are medical records worth so much?  What information can you gain from them?  According to CNN and other sources, they can be used to maliciously bill organizations like Medicare, and they can be used to impersonate patients so that attackers can obtain prescriptions to sell.

Let’s take a fictitious scenario where medical records are stolen from an exchange of hospitals.  It would only take 800,000 records (compared to 40 million) to reach a potential $40 million in value.  Additionally, those records will be more reliable, because they can be used to exploit an industry that has yet to fully utilize modern security practices or checks.  Not only can those records be used to defraud the government; according to the CNN article, they can be used to make patients liable for charges.  Where credit card companies will forgive debts for fraudulent charges, there are no protections like this in place for patients, and these situations could get quite complicated.

Time and time again, we find that healthcare organizations are behind on even using standard security practices.  Gone are the days when the healthcare industry only needs protection from itself; the healthcare industry is seeing a real threat from malicious actors.  They now have very valuable information, and if controls aren’t put into place to protect it, organizations could quickly see themselves becoming further and further behind the curve of protecting their information and their patients.  Do you know where your organization stands when it comes to IT security and compliance?