What every organization should know about HIPAA

What Is The HIPAA Privacy Rule? According to, "The HIPAA Privacy Rule establishes national standards to protect individuals’ medical records and other personal health information and applies to health plans, health care clearinghouses, and those health care providers that conduct certain health care transactions electronically." In other words, the Privacy Rule sets standards for protecting health-related information held by organizations that handle electronic medical records. What is the HIPAA Security Rule? Also according to, "The HIPAA Security Rule establishes national standards to protect individuals’ electronic personal health information that is created, received, used, or [...]

By | 2014-09-30T08:25:37-05:00 September 30th, 2014|Compliance, Data Breach, HIPPA, Information Security, Research|0 Comments

Shellshock, What Does It Mean For Your Organization?

Updated: Added information about Macs and some additional reference links. This new vulnerability is much easier to exploit than Heartbleed and can have a huge negative impact on your organization.  Windows Server environments are not immune either.  We have been waiting for the dust to settle before jumping on the media hype about all of this, and we wanted to make sure that information was gathered from multiple sources, that official security organizations had made their opinions public, and that we weren't just posting information to try to gather web hits. According to Errata Security: What is Shellshock? Shellshock is a vulnerability [...]
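The quickest way to answer "does this affect us?" is to test each bash binary you run. The script below is an added example, not code from the original post or from Errata Security. It sets a constructed environment variable that looks like an exported bash function with a command appended after the function body; an unpatched bash (CVE-2014-6271) imports the function and executes the trailing command, while a patched bash treats the value as a plain string. The function name, the marker string and the exit-code convention are this example's own choices.

```shell
#!/usr/bin/env sh
# Added example: local check for the original Shellshock bug (CVE-2014-6271).
# Usage: shellshock_check [path-to-bash]
# Returns 0 = not vulnerable, 1 = vulnerable, 2 = bash binary not found.
shellshock_check() {
    bash_bin="${1:-bash}"              # assumption: test the bash found on PATH unless told otherwise
    command -v "$bash_bin" >/dev/null 2>&1 || return 2

    # Constructed payload: a function-looking value with a command appended.
    # Unpatched bash runs "echo SHELLSHOCK_MARKER" while importing the variable;
    # patched bash never treats the value as code, so the marker is absent.
    out=$(env 'x=() { :;}; echo SHELLSHOCK_MARKER' "$bash_bin" -c 'echo probe' 2>/dev/null)

    case "$out" in
        *SHELLSHOCK_MARKER*) return 1 ;;
        *)                   return 0 ;;
    esac
}

# Human-readable report for one binary (the part you would run by hand).
shellshock_report() {
    target="${1:-bash}"
    shellshock_check "$target"
    case $? in
        0) echo "$target: not vulnerable to CVE-2014-6271" ;;
        1) echo "$target: VULNERABLE to CVE-2014-6271 - patch bash now" ;;
        2) echo "$target: bash binary not found" ;;
    esac
}

shellshock_report "${1:-bash}"
```

A clean result only covers the first bug; the initial vendor patch was incomplete and follow-on CVEs needed separate fixes, so confirm the installed bash package version against your distribution's advisory as well. Run the check against every bash on the box (for example /bin/bash and any copy bundled with an appliance or agent), not just the one on your PATH, and remember that the exposure that matters is wherever environment variables come from untrusted input, such as CGI scripts, DHCP clients and SSH ForceCommand wrappers.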

By | 2014-09-30T08:23:03-05:00 September 29th, 2014|Compliance, Information Security, Research|0 Comments

HHS Enforces Penalties for Losing Less Than 500 Patient Records

The Hospice of Northern Idaho (HONI) has agreed to pay the U.S. Department of Health and Human Services (HHS) $50,000 to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule.  Source: HONI reported that an unencrypted laptop was stolen in 2010 and that it contained 441 patient records.  HHS began an investigation and found that HONI had not performed the risk analysis HIPAA requires to safeguard its PHI, and that it had no policies or procedures in place for mobile device security. The HITECH breach notification rule requires covered entities [...]

By | 2014-09-17T08:59:20-05:00 September 16th, 2014|Compliance, Data Breach, HIPPA, Information Security|0 Comments

Is the healthcare industry a target?

Many of the clients we work with are either a medical service provider or a vendor to medical service providers.  If they are creating, transmitting or storing patient data, then they are a covered entity (or a business associate of one) and therefore responsible for complying with HIPAA.  What we often find is that clients are under the impression that HIPAA provides a set of specific instructions for how to secure a network and protect data.  What they find out is that there isn't a yellow brick road leading to compliance.  HIPAA lays out the results that information security efforts are expected to achieve, but the clients are [...]

By | 2014-09-18T12:57:21-05:00 September 10th, 2014|Compliance, HIPPA, Information Security|0 Comments

Budgeting For Security

Security budgeting is a layered approach. Security is important to an organization and to its customers. However, there is often a misconception that security costs are included in the IT budget. Security best practices follow a layered approach, and budgeting is no different. There is no such thing as being 100% secure, and mistakes can happen anywhere. Where should you focus your efforts? Cover the basics first. Before you look at some of the newest security solutions, it is important to make sure the basics are covered. Here are a few items to consider: Review your security policy. Ensure security patches [...]

By | 2014-09-04T09:55:41-05:00 August 15th, 2014|Compliance, Information Security, Research|0 Comments

Ebola: Is Your Organization Prepared?

All organizations should have a business continuity plan.  I know that many do not.  How will your business respond if: your building burns down; a flood destroys facilities; a tornado takes out a primary distributor and disrupts a supply chain; a pandemic infection affects any key component of your business.  A pandemic plan addresses this specific scenario within a business continuity plan.  Do we have remote access capabilities that allow everyone to perform their job?  What happens if the whole IT department is sick?  If accounting is sick, who will send invoices and pay bills?  If our distributor's source in a foreign [...]

By | 2014-10-03T08:44:35-05:00 August 6th, 2014|Compliance, Research|0 Comments

Phishing and FIFA

I have some friends staying with me right now from Brazil.  They arrived a few days ago, and said that, due to the world cup, the level of excitement in Brazil is very high, and that there are many foreigners that have arrived in the country to see the games.  The World Cup is all over everything in the country right now.  Apparel, food, merchandise, etc. is all branded with the World Cup (similar to how the U.S. advertises items for the World Series or the Super Bowl).  The World Cup is one of the largest sporting events in the [...]

Trustwave Global Security Report 2014: An Overview

The Trustwave Global Security Report for 2014 was recently released.  There are a number of very useful and insightful statistics in this report, which we can corroborate based on our assessments of numerous organizations' networks.  We wanted to highlight a few of these statistics below:
Top 10 Internal Network Penetration Test Vulnerabilities, which include weak passwords, shared accounts, and unencrypted storage.
Top 10 External Network Penetration Test Vulnerabilities, which include default SNMP community strings and weak passwords.
Top 10 Web Application Vulnerabilities, including path traversal, authentication bypass, SQL injection, unencrypted pages [...]

eBay Asking Users To Change Passwords

eBay will be forcing users to change their passwords later today, according to their announcement.  According to the announcement, employee credentials were stolen and used to access internal databases containing "customers' name, encrypted password, email address, physical address, phone number and date of birth."  The theft was not discovered until a couple of weeks ago, even though it took place nearly two months ago.  This is another example of why proactive log monitoring and correlation is essential for organizations holding any type of sensitive data: stolen employee credentials used against internal databases for weeks is exactly the pattern that anomalous-access alerting exists to catch.  As the data breaches continue, Target is quickly finding itself among company. eBay says that passwords were [...]

Study: Cost of Data Breaches Increasing

A study published by the Ponemon Institute and sponsored by IBM reported that the average total cost of a data breach increased 15% in the last year to $3.5 million, or $145 per record containing protected information.  The study included participants from 314 companies in at least 10 countries.  The study identifies a number of factors that reduce the cost of a breach, as well as factors that increase it.  It found that appointing a CISO, maintaining a business continuity management program, and developing an incident response program can reduce the cost per record of a [...]