In April 2014, CVE-2014-0160 was released, better known as the Heartbleed bug. Heartbleed is devastating: it can reveal sensitive information not just of the user, but anything that happens to be in the memory of the vulnerable process. In practice it has been used to extract the private keys for TLS/SSL certificates. These stolen private keys can then be used to impersonate a legitimate website for the purposes of stealing credentials, performing phishing attacks, and other malicious activity. It is hard to overstate the potential damage that Heartbleed could create. When Heartbleed was first disclosed, Robert Graham scanned 28 million machines across the Internet and found over 615,000 of them were vulnerable to Heartbleed. As soon as the vulnerability was disclosed, web hosting providers, commercial software vendors, and even[…]

After a long hiatus, Security Musings is returning to its roots. This blog is going to be equal parts education and entertainment: you’ll learn some things, and you’ll learn some things that make me angry. I won’t follow a set frequency, although I intend to post at least twice a month. The look and feel has changed, and I’m sure some older posts may not look right. I’m not going to dwell on that unless specific requests are made to get certain posts working again. It’s time to move forward.

After the 2013 HIPAA Omnibus rules went into effect, there was a delay while the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) brought its auditing program in line with the new requirements. Based on last month’s announcement in the Federal Register, it seems they are about ready to start auditing organizations again. I suppose most healthcare covered entities and business associates don’t read the Federal Register regularly, so here are the pertinent details. OCR is planning an information collection (survey) effort targeting 1,200 covered entities (typically health plans, health care clearinghouses, and health care providers) as well as business associates. The announced goal of the survey is: to determine suitability for the Office for[…]

Much of the focus in recent news is on attacks on retailers and the financial industry. It is easy to see the results of these money-motivated attacks in the form of large thefts of money or credit cards. As a result, it may surprise you to learn that your health care information is under attack too. You are mistaken if you think that HIPAA’s data security protections are working to protect it. Health care organizations are not meeting the security table stakes. By rushing to implement electronic health records without minimum viable security, health care organizations are leaving the door wide open for criminals. How Bad Is It? A recent study by the Ponemon Institute revealed that 94% of medical institutions have[…]

I have spent my day in a forum dedicated to the security of classified information. Those attending are facility security officers, Defense Security Service employees, and others caught in the orbit of U.S. Government classified information. One of the speakers made a comment that made me immediately jump to post something on Twitter: "I want you to walk away from this presentation with one thing you can do to prevent risk." <- I don't think you understand risk. — Peter Hesse (@pmhesse) March 14, 2014 Why did I say that the esteemed gentleman who was presenting didn’t understand risk? Let’s break it down. The Definition of Risk Risk can be either a noun or a verb. Consider these definitions found[…]