HIPAA has specific requirements for reporting breaches of Protected Health Information. How do you identify a breach, and how do you know whether you need to report a breach?

Protected Health Information Asset Management

You should have a list of all places that protected health information resides within your office, your network, and your systems – and any business associates you work with. Ideally, you should also know which records are located where, so that when it does come time for notification, you’re ready. If there is a loss, theft, or attack, you know whether that system had PHI on it or not, and can act appropriately. Being able to identify a breach becomes easier when you have all of[…]

The Dreaded Call

Daniel Seward awoke to his cell phone vibrating on his nightstand. Groggily he rolled over and looked at the phone. It was just after 5am and he didn’t recognize the 800 number, but angrily answered it, ready to give the telemarketer a piece of his mind. “Do you realize what time it is?” “Mr. Seward, this is Ross Spears with the fraud prevention unit of Haneysville National Bank. We have detected activity within your account that we suspect may be fraudulent. Did you attempt a wire transfer of $73,500 to an account at 6:15am on Tuesday?” Immediately, Daniel sat up in bed, his heart racing. “No, I did not. Who was the wire made to?” “We cannot[…]

What is the bare minimum amount of work that can be done and still be considered making a system more secure? What items must all individuals, all organizations, and all systems address in order to improve security? I often tell people that security is not one-size-fits-all, but what is the one-size-fits-most equivalent? What is the 20% of a minimum viable security implementation that will address 80% of vulnerabilities? In 2006, NIST released Special Publication 800-69, Guidance for Securing Microsoft Windows XP Home Edition, a series of recommendations on how individuals could secure their home computers. Weighing in at 175 pages, it was not for the faint of heart. If you stick with it until Appendix A, you’ll find this interesting quote: Appendix A contains step-by-step instructions for implementing the[…]

Here it is, the last day of 2013. It has been a rough year for me, both personally and professionally. So for the first time in a long time, I’m very much looking forward to speeding off into the new year without even glancing in the rear-view mirror at 2013. And it is the time for those dreaded New Year’s resolutions – I’ll exercise more, eat less, and write more thank-you notes. Most of these resolutions don’t last even as long as the glitter from those sparkly New Year’s hats lasts in your carpet. This year, I’d like to suggest a different New Year’s resolution to my fellow information security industry professionals. Let’s focus 2014 on security awareness. To[…]

One of the things that caught my eye in PWC’s most recent The Global State of Information Security® Survey 2014 report was the bits and pieces of information shared about the importance of evaluating the security of third parties. As data proliferates and is shared among more partners, suppliers, contractors, and customers, it is increasingly critical that businesses understand the risks associated with sharing data with third parties. What’s more, organizations should ensure that third parties meet or beat their requirements for data security. This is a refrain I have been using for years, even having presented about it at the 2009 Drug Information Association Annual Meeting in San Diego, as well as the 2010 Pharma Outsourcing Congress in Munich. Unfortunately, the[…]

Earlier this year, we submitted a bug to Google for the Google Authenticator app on Android. Basically, the bug we submitted is that the secret key (the private code that, when combined with an accurate source of time, creates the one-time-use codes for use with Google’s open-sourced two-factor authentication) is stored in the clear on Android devices. Google’s response was that this was behaving by design, and that the system controls around the filesystem are sufficient to protect this information. We humbly disagree. Rooted devices get around these system controls that protect these secret keys. So would any malware that performed a privilege escalation exploit. And most importantly, backups of the phone (using a tool such as Titanium Backup) contain these secret[…]