Security Musings Blog
HHS has announced a plan to survey 1200 covered entities and business associates in preparation for audits
After the 2013 HIPAA Omnibus rules went into effect, there was a delay as the Department of Health and Human Services (HHS)’ Office for Civil Rights (OCR) brought their auditing program in line with the new requirements. Based on last month’s announcement in the Federal Register, it seems like they are about ready to start auditing organizations again.
I suppose most healthcare covered entities and business associates don’t read the Federal Register regularly, so here are the pertinent details. OCR is planning an information collection (survey) effort, targeting 1,200 covered entities (typically health plans, health care clearinghouses, and health care providers) as well as business associates. The announced goal of the survey is:
to determine suitability for the Office for Civil Rights (OCR) HIPAA Audit Program. The survey will gather information about respondents to enable OCR to assess the size, complexity, and fitness of a respondent for an audit. Information collected includes, among other things, recent data about the number of patient visits or insured lives, use of electronic information, revenue, and business locations.
The impact of this is clear. The HHS is required to perform periodic audits as part of the HITECH and subsequent HIPAA Omnibus changes announced last year. This survey is the first step in preparing to perform audits. HHS wants to understand if the organizations it is targeting are even ready for an audit. Based on the words being used to describe it, this HHS survey seems like a pre-audit exercise.
The surveys will not come until at least after the call for comments ends on April 25, 2014, so you have a limited amount of time to prepare for the survey.
Don’t be unprepared!
Our fixed-price information protection assessment can let you know exactly where you’ll stand in advance of the HIPAA pre-audit, or an eventual HIPAA audit. Now would be a great time to contact us to learn more.
Increasingly sophisticated cyberattacks are compromising healthcare organizations, and many remain unaware that their network is already compromised.
Much of the focus in recent news is on attacks on retailers and the financial industry. It is easy to see the results of these money-motivated attacks in the form of large thefts of money or credit cards.
As a result, it may surprise you to know your health care information is under attack. You are mistaken if you think that HIPAA’s data security protections are working to protect it. Health care organizations are not meeting the security table stakes. By rushing to implement electronic health records without minimum viable security, health care organizations are leaving the door wide open for criminals.
How Bad Is It?
A recent study by the Ponemon Institute revealed that 94% of medical institutions have been victims of a cyber attack. So it’s safe to assume that your records were at least targeted by an attack.
The data-driven Health Care Cyberthreat Report from SANS reveals news from the battlefront. They tracked at least 375 healthcare-related organizations in the US as they were attacked and compromised between September 2012 and October 2013. They identified nearly 50,000 malicious activities toward healthcare-related organizations during that period. Health care providers saw the lion’s share of malicious traffic – 72%, and business associates were second with almost 10%. Also affected were health plans, health care clearinghouses, and pharmaceutical organizations.
Why Isn’t HIPAA Helping?
HIPAA stands for the “Health Insurance Portability and Accountability Act.” It was not designed to be a standard for security. It has data security provisions, which we have detailed in a series of articles on our website.
Data security is only one small component of the laws around HIPAA. The HIPAA rules around data security aren’t as prescriptive as the rules for the payment card industry. They are more open-ended and subject to the interpretation of auditors. HIPAA’s one-size-fits-all approach means that not every possible data security control makes sense for every size and type of business. And many business associates are still struggling to meet their required compliance with HIPAA.
Lastly, HIPAA audits have generally been only of the largest organizations. The Department of Health and Human Services seeks to make examples out of companies that fail to protect patient information. Larger organizations generate larger fines and larger headlines. Smaller health care organizations are not likely to see a HIPAA audit anytime soon, and therefore may fail to see the need to implement HIPAA-required controls.
Areas For Improvement
The 6th Annual HIMSS Security Survey, sponsored by Experian® Data Breach Resolution revealed some interesting findings. The survey respondents were from organizations with electronic health records or document imaging systems. Respondents self-identified as being responsible for IT or security.
97.5% of respondents revealed that they have a firewall in place to protect their networks, which is good news. But the remaining 2.5% are really bad news. How can an organization entrusted with protecting health information fail to meet such a low level of security?
And in the context of this survey, 19% of respondents had suffered a security breach within the last 12 months. On average, they rated their security maturity as a 4.35 out of 7. Only about half employed someone whose full time job concerned data security.
Where to go from here?
As consumers, we should support businesses that treat us right. In the case of health care organizations, this doesn’t just mean being a competent and friendly physician. It also means protecting our health care information.
Consumers should ask what their health care providers are doing to protect their information. Yes, everyone has seen those HIPAA privacy practices forms you have to sign or acknowledge on every visit. Instead of the privacy practices, ask the provider about their security practices. Ask if they’ve had a third party assessment performed of their security, or if they have passed a HIPAA data security audit.
Health care providers need to start with the security table stakes which every business must meet to function in the information age. Then they need to understand what minimum viable security means to their organization. Finally, they need to implement their plan to take them at least up to minimum viable security, and beyond.
Want to learn more about security table stakes and minimum viable security? Sign up for our free training-by-email here.
Why it is important to think about the concept of risk the right way
I have spent my day in a forum dedicated to the security of classified information. Individuals attending are facility security officers, defense security service employees, and others caught in the orbit of U.S. Government classified information. One of the speakers made a comment that made me immediately jump to post something on Twitter:
"I want you to walk away from this presentation with one thing you can do to prevent risk." <- I don't think you understand risk.
— Peter Hesse (@pmhesse) March 14, 2014
Why did I say that the esteemed gentleman who was presenting didn’t understand risk? Let’s break it down.
The Definition of Risk
Risk can be either a noun or a verb. Consider these definitions found by a Google search:
(n) a situation involving exposure to danger.
“flouting the law was too much of a risk”
(v) expose (someone or something valued) to danger, harm, or loss.
“he risked his life to save his dog”
The way that the presenter phrased it, he was definitely using it in the form of a noun, indicating a situation that exposes one to danger. This is a common usage in the information security industry. We discuss the risks to information, personnel, and physical assets on a regular basis.
So what was wrong?
The unfortunate reality is that risk is not something that can be prevented.
We will always be presented with situations that expose us to danger. When I walk outside of this hotel, I have the risk of being attacked by a mugger. When I get into my car, I have the risk that my car won’t start and I’ll be stranded. Once I start driving home, I have the risk of getting into an accident and becoming injured.
How can I prevent these risks? I cannot. I can stay in bed all day, but then I run other risks – health risks of laying down all day, financial risks of not showing up to work, etc.
There is no situation that can prevent risk.
Risk is something that needs to be managed, or mitigated. In order to manage the risk of being mugged I will walk in well-lit areas and keep aware of my surroundings. To manage the risk of my car not starting, I have it regularly serviced. To manage the risk of injury in a car accident, I wear a seatbelt, drive defensively, and keep my phone out of my hands while driving.
The next time you are thinking about risk, don’t think about preventing it. Think about understanding risk and the measures you can take to reduce, manage, or mitigate your exposure to danger.
Risk is necessary. A business without risk is a business without opportunity. Understanding risk, and talking about it properly, is the first step.
Recent events demonstrate that security is no longer optional. What is the minimum ante to even get into the game?
Business leaders and gamblers know risk. Success means managing risks effectively. The better they do, the better the returns.
Often overlooked is another similarity: table stakes. Gamblers have to pay to play; certain games have minimum table stakes you must ante to participate. For business, the ante is investing enough time, money, and effort. That applies to security, too. In fact, businesses must meet the security table stakes before implementing even minimum viable security.
This article addresses the six things every organization needs, regardless of size, industry, and budget. To be clear, this is not the one-size-fits-all prescription for security. These are the common barriers that prevent minimum viable security. For many, these represent the barrier to entry. If you are not addressing these six items, you should stop reading and start working immediately.
Firewalls
A firewall represents the first barrier of protection between a system and its surroundings. Each system should have its own software firewall which protects it from threats on its local network. Each local network should have a firewall which protects it from the Internet. Firewalls should disallow all but known, expected, and desired traffic.
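The "disallow all but known, expected, and desired traffic" rule above is the difference between a default-deny policy and a blocklist. The script below is an added example, not code from the original post: it writes a host firewall policy as an nftables ruleset in both forms and checks which one is actually default deny. The services (SSH on 22, HTTPS on 443), the local network (10.0.0.0/24), the table name `host_fw`, and the output path are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the original post. It writes a host firewall
# policy in the form the post asks for ("disallow all but known, expected, and
# desired traffic") as an nftables ruleset, beside the weaker blocklist style
# it replaces, and checks which of the two is actually default deny.
# Assumptions, constructed for this example: the host offers only SSH (22) and
# HTTPS (443), and only to its local network 10.0.0.0/24.

ALLOWED_TCP_PORTS="22, 443"   # assumed services this host is expected to offer
LOCAL_NET="10.0.0.0/24"       # assumed local network allowed to reach them

# Default deny: inbound and forwarded traffic is dropped unless it is loopback,
# part of a connection this host opened, or one of the listed services from
# the local network. Anything else is logged and dropped.
make_default_deny_ruleset() {
    cat <<EOF
flush ruleset
table inet host_fw {
    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        ct state established,related accept
        ct state invalid drop
        ip saddr $LOCAL_NET tcp dport { $ALLOWED_TCP_PORTS } ct state new accept
        ip protocol icmp icmp type echo-request limit rate 5/second accept
        log prefix "host_fw drop: " drop
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
    }
    chain output {
        type filter hook output priority 0; policy accept;
    }
}
EOF
}

# The weak form: everything is accepted unless a rule names it. A listener
# nobody remembered to block (a new service, a debug port) stays reachable.
make_blocklist_ruleset() {
    cat <<EOF
flush ruleset
table inet host_fw {
    chain input {
        type filter hook input priority 0; policy accept;
        tcp dport 23 drop
        tcp dport 3389 drop
    }
}
EOF
}

# Read a ruleset on stdin; succeed only if the input and forward hooks both
# carry "policy drop", the property that makes a ruleset default deny.
is_default_deny() {
    rs=$(cat)
    printf '%s\n' "$rs" | grep -q 'hook input .*policy drop' || return 1
    printf '%s\n' "$rs" | grep -q 'hook forward .*policy drop' || return 1
    return 0
}

# Write the default-deny ruleset to a file, syntax-check it with nft when the
# tool exists, and load it only when --apply is given (loading requires root).
install_ruleset() {
    out=${1:-/tmp/host_fw.nft}
    make_default_deny_ruleset > "$out"
    if command -v nft >/dev/null 2>&1; then
        nft -c -f "$out" || return 1          # parse only, changes nothing
        if [ "${2:-}" = "--apply" ]; then nft -f "$out"; fi
    fi
    printf '%s\n' "$out"
}

if make_default_deny_ruleset | is_default_deny; then echo "default-deny ruleset: ok"; fi
if make_blocklist_ruleset | is_default_deny; then :; else echo "blocklist ruleset: not default deny"; fi
```

The blocklist version fails the check because its input chain accepts by default and it has no forward chain at all; the `is_default_deny` test is the kind of assertion worth keeping in a configuration review, since a ruleset can accumulate dozens of rules and still be wide open if the chain policy is wrong.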
Patching and Updates
All software systems have flaws, and many of these can result in a security vulnerability. Manufacturers are constantly at work trying to address these flaws and correct them. The information system must be regularly updated and patched to take advantage of these changes made by the vendor. Each information system should be updated and patched as frequently as possible. These updates must include the operating system and all installed software packages as well. (For example, apply updates not just to Microsoft Windows, but also to Microsoft Office, Adobe Acrobat, and Java.)
Anti-malware
Anti-virus and anti-spyware solutions exist in many forms and many capability sets. The most important thing is to scan all incoming files and emails for known threats. Anti-malware solutions will not solve every problem. It is trivial to create new malware that is not immediately detected, but as the malware is recognized, defenses against it will improve. Note: as with the above, anti-malware solutions also need regular patching and updating. Anti-malware definitions should receive daily updates.
Unprivileged Accounts
A core concept of most information systems is to have both a privileged and a non-privileged mode. Non-privileged processes cannot do things like overwrite system files, or kill system processes. Avecto recently published a study that indicates removing administrator rights would mitigate a whopping 92% of critical vulnerabilities. While it may result in some inconvenience, it is hard to argue with a 92% reduction in attack surface.
Backups
Information security is not just about making sure other people don’t get your information. It is also about making sure you can still access your information in a reliable, trustworthy way. You might lose information because of a system failure, the hijacking of your account, malware such as CryptoLocker, or many other means. The only defense against information loss is to have reliable backups. Backups should be tested regularly, secured, and stored in a different physical location.
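"Tested regularly" is the part of the backup advice most often skipped. The script below is an added example, not code from the original post: it takes a backup of a directory together with a SHA-256 manifest of every file, then proves the backup is usable by restoring it into a scratch directory and checking each restored file against the manifest. The directory layout, the sample record files, and the `backup-<timestamp>.tar` naming are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the original post: a backup that is tested,
# not just taken. make_backup archives a directory and records a SHA-256
# manifest of every file; verify_backup performs a trial restore into a
# scratch directory and checks every restored file against that manifest.
# Directory names and sample files below are constructed for this example.

# Usage: make_backup <source_dir> <dest_dir>   (prints the archive path)
make_backup() {
    src=$1; dest=$2
    mkdir -p "$dest"
    archive="$dest/backup-$(date +%Y%m%d%H%M%S).tar"
    # The manifest is built from the live source so a later restore can be
    # compared against exactly what was backed up.
    ( cd "$src" && find . -type f -exec sha256sum {} + | LC_ALL=C sort ) > "$archive.sha256"
    tar -cf "$archive" -C "$src" .
    printf '%s\n' "$archive"
}

# Usage: verify_backup <archive>
# Returns 0 only if the archive restores cleanly and every file matches the
# manifest; a truncated, corrupted, or tampered archive fails.
verify_backup() {
    archive=$1
    scratch=$(mktemp -d)
    if ! tar -xf "$archive" -C "$scratch" 2>/dev/null; then
        rm -rf "$scratch"; return 1
    fi
    if ( cd "$scratch" && sha256sum -c "$archive.sha256" >/dev/null 2>&1 ); then
        status=0
    else
        status=1
    fi
    rm -rf "$scratch"
    return $status
}

# Demonstration on constructed data: a good backup must verify, and the same
# archive after damage (here, truncation) must be reported as unusable.
# Returns 0 when both outcomes are as expected.
demo() {
    work=$(mktemp -d)
    mkdir -p "$work/data/records"
    printf 'visit notes for record 001\n' > "$work/data/records/001.txt"
    printf 'visit notes for record 002\n' > "$work/data/records/002.txt"
    archive=$(make_backup "$work/data" "$work/backups")
    if verify_backup "$archive"; then good=0; else good=1; fi
    # Keep only the first 1024 bytes: enough for tar headers, not for file data.
    head -c 1024 "$archive" > "$archive.damaged" && mv "$archive.damaged" "$archive"
    if verify_backup "$archive"; then bad=0; else bad=1; fi
    rm -rf "$work"
    [ "$good" -eq 0 ] && [ "$bad" -eq 1 ]
}

if demo; then echo "good backup verified; damaged backup detected"; else echo "unexpected result"; fi
```

In practice the archive and its manifest should be copied off the host (the "different physical location" in the text) and `verify_backup` run against that off-site copy on a schedule, because a backup that has never been restored is an assumption, not a control.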
Incident Response Plan
The reality is that despite taking the five steps above (and perhaps many others as a part of your minimum viable security program), you will encounter an incident. You will suffer a breach and lose confidential information. Your system will crash, or your site will shut down due to a denial of service attack. When the inevitable happens, it is critical to understand what to do next. Who should I contact first? What actions should I take, such as filing police reports or contacting the internet service provider? What evidence must I secure? When do I call the lawyer? A plan – even if it is a one page emergency contact list – can save time when it is most needed.
Ante up: How to meet the security table stakes
This is the evolution of minimum viable security. From the small retail shop to the startup and even larger enterprises… these are the security table stakes. In many cases, implementing these might take a few hours. It’s the start of a new approach. It’s the way to protect what matters.
The six components that make up security table stakes – firewalls, patching and updates, anti-malware, unprivileged accounts, backups, and an incident response plan – need to be part of every information system. Only after addressing these can you get on with the business of understanding minimum viable security for your organization. Address these basic controls, or risk wasting any other efforts you might put toward security.
We are creating a training course that will discuss security table stakes and minimum viable security in more detail. The course will include examples of each of these specific topics, and stories about their success and failure. The course will also provide other helpful information about implementing your own security program. Sign up for the course here: http://eepurl.com/QapC9
Security awareness is about communication. Why do we make it the responsibility of technical experts?
At the RSA conference, I attended a panel discussion entitled “Changing User Behavior: The Science of Awareness.” The panel focused on explaining the failure of traditional awareness efforts, and made suggestions about what improved solutions might look like.
During the panel, surrounded by a room full of security professionals, it hit me: we are technologists trying to figure out how to solve a communication problem. Maybe security’s “people problem” is relying on the wrong people to solve this challenge.
Are People The Problem?
Our industry is quick to put the blame on “users” when security problems occur. Whether it is the takeover of CNN and the AP’s Twitter feeds, or a hack of Target’s HVAC contractor leading to their breach, people are the scapegoat. Despite many technological solutions and increased spending, we’re not getting any better. Why?
At the root of most current compromises and breaches are phishing attacks. Phishing attacks are getting more sophisticated and more effective all the time. Phishing attacks work because they convince people to bypass the hardware and software controls we’ve put in place to protect them. The only true defense against phishing is security awareness. And as an industry, we tend to do a poor job of security awareness, even though almost every standard and regulation requires “awareness training”.
Better awareness will result in better security. Of that there is no doubt.
What Is Security Awareness?
When defining security awareness, I prefer to use the definition of awareness coined by Michael Santarcangelo, in his book Into The Breach. He reiterated the definition in this recent blog post on CSO Magazine:
Awareness: The individual realization of the consequences of an action, in their own context of intention and impact.
Security awareness for an organization, therefore, is just an expansion on this term to include security and the organization’s concerns. Security awareness is an individual’s realization of the security consequences of an action, and the corresponding impact on the organization.
When it comes to information security, the impacts to the organization from one security incident could fill a whole catalog. The loss of intellectual property is a pretty simple one to understand, your “secret sauce” is no longer a secret. The impact felt by breaching customer or employee private information is much more complicated. It reverberates through increased IT costs, increased legal costs, payment of fines and fees. It also creates an impact to the reputation, causing reduction in the value of the brand as a whole.
Security awareness is critical to the security of an organization. And thus, falls under the purview of the individuals in charge of security.
And that, I think, is where we’re going wrong.
Effective Communication is the Key
Awareness, especially security awareness, is essentially a communication problem. In order for me to be aware of something, it needs to be communicated to me. I am only working from the knowledge base already stored within my brain. I don’t have my cybernetic implant (yet) that performs real-time queries to supplement my knowledge with the corpus provided by the Internet.
If I’m going to be aware of something, either I need to read it, or someone needs to tell me or show me. Those that know need to communicate it to those that don’t.
To be effective, this communication must result in two things:
- I am aware of the consequences of my actions
- My behaviors change as a result of my awareness
People Are the Solution – Just Not These People
Now, let’s get back to what I said above. Since security awareness is so critical to the security of an organization, it is often placed within the responsibility of those responsible for security.
Are security experts also experts at person-to-person communication? I don’t think so.
Sure, there are certainly outliers who are talented in both security and communication. I’m lucky enough to be friends with some of the true experts on this topic. I also know there are a bunch of people like me, who are knowledgeable about security and are decent communicators. I’m no expert, but can usually get my point across.
Communication experts know exactly how to craft a message to create value, reduce the friction in the communication, and change behavior. They are hard to come by, and well sought after.
Your typical CISO, or head of network security, probably is not an expert communicator. While they might be able to learn enough to become one, is that what you want? I think I’d rather my CISO be an expert with communicating with the business and setting strategic directions for the security organization. I’d want my head of network security to understand every bit of how to architect networks to defend against emerging threats.
It’s time to change the way we handle security awareness. The first step is to stop making it the responsibility of the security teams.
Let’s cultivate true communications experts to focus on security awareness. It is the only way we will get out of the current checkbox-checking mentality that “security awareness training” has become.
Entrepreneurs need to think like investors when it comes to security
How do you buy groceries? Do you buy based on brand, what you know? Do you consider the price? Or do you have someone else handle it for you?
Making An Investment
While routine, groceries aren’t expensive. When we consider larger investments, however, the calculus changes. Most hesitate a bit when buying a new computer or tablet. We’d want to make sure the system meets our requirements and we’re not paying too much. Since they are a commodity item, you can shop around without difficulty.
Buying a car or a house requires more time to be spent in the due diligence process. At some point it becomes less about “buying” and more about “making an investment”.
Smart entrepreneurs consider their exit. And that means asking one vital question: What due diligence will an investor require before investing in me?
Think Like an Investor
Seasoned investors seek not only profits and revenue, but are typically driven by one of these three motives:
- Control the intellectual property (the “secret sauce”) – by owning the process or the patents. (e.g. Google’s acquisition of Motorola Mobility)
- Obtain the customer base – to offer a more complete solution to a wider audience. (e.g. Facebook’s acquisition of Instagram)
- Obtain the talent – hire valuable engineers, leaders, and/or a whole team en masse. (e.g. Salesforce.com’s acquisition of Thinkfuse)
Investors are making a calculated risk decision when they make an investment. They consider the likelihood of continued success over failure. Your valuation will depend on both how much investors might make, and how much they might lose. Investors are primarily worried about two things when they think about failure.
- The Intellectual Property – Is the “secret sauce” still a secret? And are there patents and other protections in place to ensure the IP is truly part of the purchase?
- The Time Bomb – What is already in place at the company that we don’t know about? What are the risks and liabilities that can end up shutting the business down before we get started? What might end up causing reputation damage that will make it a bad company to have our name attached to?
Invest In Security
So how do you prepare yourself to talk to potential investors? How do you calm their fears so that you can get the highest valuation? The best answer is to invest in security.
A startup with a proper information security and risk management program is well prepared to answer questions about their intellectual property. “Yes, we’re confident our secret sauce is still a secret, because we took the steps necessary to protect it, monitor it, and handle incident response.”
This program also needs to protect intellectual property, including legal considerations. It should also address how you manage vendors – to ensure that your partners don’t end up causing you issues or weaknesses. (Reports show that a third party was at the root of the recent Target breach).
Great investors hire security experts to perform security assessments before acquiring companies. Knowing about a startup’s information security program can put the investors at ease. It can erase concerns over devaluation of the intellectual property. It can also erase ticking time bomb concerns, knowing lax security isn’t going to cause disclosure of customer information or reputation damage. We’ve provided this part of due diligence for corporate acquisitions totaling over $23 billion.
Great customers do this too. We do these assessments for larger companies when they look to buy products or services that will access their confidential information. They want to ensure working with a startup isn’t going to put their company’s information or brand at risk. And they’re often willing to work with the more expensive option if they present better security capabilities.
So make sure that you’re prepared when the truly great investor or great customer comes knocking. Invest in security as early as possible in your startup. It will be one of the few investments you can make with guaranteed positive returns.