Checkbox Security Fails Again

April 4, 2012 by · Leave a Comment

Regulatory compliance is often a confusing mess.  Rattling off the alphabet of compliance can often result in dizziness, headaches, and for some, a bad case of nausea.   PCI-DSS, HIPAA, HITECH, GLB, SOX, and heck, might as well throw in some state data breach notification laws as well.  Congress doesn’t want to stop there as they continue their efforts to add even more to this list of rules to live by.

Don’t get me wrong.  The rules are there for a reason (though often they arise from knee-jerk reactions to events so that our Representatives can appear to be doing something useful).  The problem is, with so many different regulations with varying definitions and requirements attempts at compliance start to resemble the traffic signal depicted to the right.   The cure for one bout of “alphabetitis” doesn’t necessarily vaccinate you for the others.  In the meantime, while you’re running around creating paperwork for compliance and checking off boxes, your ongoing security efforts essentially fall into the “to do” bucket.

Unfortunately, it has been proven time and time again that point-in-time, checkbox security is ineffective.  Unless you live in a spider hole like a Doomsday Prepper you may have noticed a recent breach of credit card data.   If you are a “prepper”, here’s a quick catch-you-up article from ABC News, April 2 -  “Experts Say Global Payments’ Breach May Not Be Only One“.

But wait!!  How could this have happened in the era of PCI Compliance? 

To be blunt, building an information security program around compliance is an approach steeped in failure.  The desire is very strong to have a favorable audit report but once that is over, the focus tends to shift away from the continuous protection of sensitive information.   As we continue to see breaches impacting organizations that have been engaged in and satisfying compliance requirements, you have to think about where the real problem lies.

Michael Mimoso was quite clear in an article “Global Payments credit card security breach exposes PCI shortcomings” where he said:

Clearly, PCI DSS continues to be a joke and a money pit that isn’t about security, but at a minimum, point-in-time compliance.

With that in mind, how do we step away from the point-in-time compliance effort and focus strictly on security.  As is often the case, let’s look at something entirely basic.  In order to protect something you have to know what it is.  Regulators and legislators aren’t helping in this regard.  Protected information is defined differently depending on the flavor of legislation you’re working with.  Wouldn’t it make sense to have a single definition of sensitive or protected information and then set in motion the defenses necessary to protect and monitor that data on an ongoing basis? If you store, process or transmit data under this one definition then you have to protect it regardless if you’re in healthcare, finance, or any industry vertical that uses such information.

I don’t think we can rely on government to help in this regard.  So, create your own matrix of sensitive information (maybe I’ll take that on as a project and post it) and then apply the SANS 20 Critical Controls or use some other framework to build a year-round, continuous information security program that protects that data all the time rather than playing the mark and erase checkbox game of compliance.  If you have deployed a solid information security program then compliance audits should, quite frankly, be a simple verification process.

 

_________________________________

Photo Credit: Stuart Miles at Freedigitalphotos
Illustration Credit: digitalart at Freedigitalphotos

Filed Under: Business and Security, National and State Privacy/Security Law · Tagged With: , , , , , , , ,

Nevada’s step into electronic health information exchange

June 29, 2011 by · Leave a Comment

Governor Sandoval signed Senate Bill 43 to move forward with the State Health Information Technology Strategic and Operational Plan using federal stimulus funds.  This essentially gets the ball rolling for the development of a statewide system for the electronic exchange of health information.  The intent is to improve health care quality, prevent medical errors and reduce medical costs.

The new law appears to pull from HIPAA and HITECH in regards to data security and privacy.  Interesting that Texas, also driving forward on stimulus funding for electronic health records,  just enacted tougher protections because of the perceived weakness and lack of enforcement in the federal laws.   From the June 28, 2011 article “Texas Enacts Health Privacy Law” at govinfosecurity.com:

“…she was frustrated by the lack of HIPAA enforcement at the federal level and wanted to pave the way for ramped up enforcement of healthcare privacy rights at the state level.”  – Sponsor of the Texas law Lois Kolkhorst.

” The federal attempt to stop the sale of protected health information without consent in the HITECH Act appears to have been weakened so much that it’s not going to have any noticeable effect.”   – Privacy advocate Deborah Peel, M.D., founder of Patient Privacy Rights.

While Texas has defined broader protections, Nevada seems much more in line with HIPAA and places the design of standards in the hands of the Director of Health and Human Services.   Two different approaches with hopefully good results in relation to protected health information.  Time will tell if the expected outcome of of privacy and security required in this new electronic health information exchange will match the desired benefits to quality of care and reduced costs.

 

Photo credit: Tabitha Kaylee Hawk

Filed Under: National and State Privacy/Security Law · Tagged With: , , ,

Lawsuit, breaches and bashing… oh my!

January 19, 2010 by · Leave a Comment

Though it seems obvious that corporations have an obligation to protect the sensitive information they use for business it still amazes me that corporate behavior in this regard is still quite dismissive.  Lawsuits and public embarrassment seem to be the only catalyst for action for many organizations.  That is kind of sad.  Not only is information not being adequately protected by companies are ill-prepared for dealing with crisis.

As a recent example, in Connecticut, the Attorney General is suing Health Net for failure to protect medical records of over 450,000 patients.  The information was stored on a portable disk drive that “disappeared” from an office.   The information on that drive wasn’t encrypted.  Add to this the fact that the organization took six months to send notification to Connecticut residents whose information may have been compromised.  This is a failure on many levels but certainly a failure in leadership and crisis management.

What should we be asking ourselves?

  1. We need to understand the information that we use and how we use it.  How is information accessed, transmitted and stored?  What is our legal (and moral) obligation to protect this information?
  2. There is no such thing as 100% security.  If/when there is a breach, are we prepared to act swiftly and appropriately to mitigate the damage for our customers and ourselves?
  3. Do we have a communication plan in place so that we can effectively provide notification internally and externally?
  4. When examining other breaches, do we practice the same way?  Are we at risk of compromise?  How do we change this?

Part of information security isn’t just applying best practices and being vigilent.  Unfortunately, there is a need to be prepared for an incident or crisis.  I believe that one of the best recoveries from a crisis has to be credited to Tylenol in 1982.  Another example would be the handling of a Southwest airlines crash at Midway airport in 2005.  Neither one of these are information security incidents but certainly the lessons learned from their handling of a major crisis can be applied.  Just do a search and look at the response from a corporate point of view.  It’s really quite educational.

I hope we reach a time when breaches, lawsuits and embarrassment are not the motivators for applying sound information security practices and incident response plans.  I’m afraid I may be waiting for awhile.

Filed Under: Business and Security, National and State Privacy/Security Law, Should Have Known Better · Tagged With: , , , , , ,

Failures in Leadership, Ethics, and Security

November 25, 2009 by · 1 Comment

A breach of patient personal information at University Medical Center has all the makings of a made for TV movie or at least provides an opportunity to examine issues in security, leadership, ethics, and even the knee-jerk reaction of ignorant politicians trying to use the opportunity to score some free publicity.  The story “FBI looking at UMC records leak” ran this past Saturday in the Las Vegas Sun.

Security – The Insider Threat

The FBI said Friday it may investigate a breach of patient privacy laws at University Medical Center, where hospital officials are reeling with the realization that at least one of their employees has leaked confidential names, birth dates and Social Security numbers.

The breach clearly demonstrates the difficulty in dealing with insider threats.  We hire employees and give them access to sensitive information in order to perform their job duties.  We certainly have a need to control and monitor access in order to achieve and enforce the practice of least privilege.  Even the best of controls however, can be circumvented by a trusted insider with an intent to do harm.  In this case, it is alleged that hard copy face sheets were taken outside the facility and sold to an unethical breed of attorney.  I’m not sure it would be reasonable for the organization to setup exit searches of their employees every day to make sure they weren’t sneaking out these documents.  Heck, would you look in a fellow employee’s underwear to make sure they didn’t have a face sheet stuffed in there?  The ACLU would be all over this “violation” of privacy.

While not a cure for this type of insider threat, UMC may want to consider both criminal and financial background checks of new hires.  I know it’s like profiling but when protecting consumer information, corpoarte finances and reputation, having an indicator of potential behavior issues can help.   However, in these economic times, a squeaky clean person may engage in this type of behavior out of desperation.  UMC could also consider physical controls for documents, especially those that should remain with a patient’s chart.   Having face sheets printed only in one place and logging who printed them may be useful.  Of course, using electronic records rather than paper records may prevent the physical face sheet from being used at all.

Information security is more than the bits and bytes that are transmitted and stored.  Information security also involves the printed document and how it is handled.

Leadership

Until Thursday, they doubted there had been any leak and had conducted only a cursory probe into rumors of the breach. Silver was warned by sources this summer about patient records being obtained illegally. She took a quick look at which attorneys were requesting records, and then dismissed it as a “nonissue.”

Hospital leadership just blew off reports suggesting something was terribly wrong.  A cursory probe and dismissal of something that could have major repurcussions to patients and the organization is completely unacceptable.  This is fairly common though.  This smells of the “we haven’t been breached so why worry about it” attitude that is prevalent among so-called leaders.   Chasing phantoms can be a nuisance but to do nothing is irresponsible.

Ethics

The nurse told the Sun she was taken to lunch by members of a personal injury law firm several years ago. They offered to pay her for “referrals” but she refused, saying it was illegal and a violation of her nursing license.

I’m a big fan of finding the root cause of a problem and eliminating it.  While it is easy to point a finger at UMC and their poor decisions or the employee who is alleged to have stolen the documents, essentially the problem is on the “demand” side.  Unethical attorneys who are practicing in this manner should be disbarred, period.  Eliminate the demand for sensitive information, eliminate the problem.  I’m not naive enough to believe that there won’t be others lined up to fill the spot but you have to start somewhere.  We should expect more from “professionals” and if they can’t behave ethically they shouldn’t be allowed to practice.

Politicians

Earlier Friday, Clark County Commission Chairman Rory Reid called for a Metro Police investigation, demanding that the hospital do what is necessary to stop what appeared to be a “criminal offense.”

Headline grabbing, clueless politician.  The only way to “stop” this criminal offense is to stop taking patients or don’t hire employees.  Politicians are famous for taking an incident and then causing tremendous havoc with their knee-jerk reactions.   Most politicians believe the “as seen on TV” ads or marketing slicks that claim 100% security and then they go down the path of making ridiculous comments or worse, ridiculously impossible (and thus ineffective) legislation.  There is no such thing as 100% security.  It’s a process of reducing risk while allowing the business to function.

Last Thoughts

There are several lessons from this particular story.  Take security threats seriously.  Reduce risk where possible.  Know that there are unethical professionals and other business people out there who have no problem violating the public trust in order to make a buck.  Take politician’s comments with a grain of salt.  Most are looking to make a headline splash yet have very little knowledge of the topic at hand.

Ultimately, leadership failed at UMC.   They chose to ignore a potential threat rather than investigate it.  While it wouldn’t have prevented the breach, they may have discovered it sooner or reduced the damage to both their finances and their reputation.

Filed Under: Business and Security, Ethics, Should Have Known Better · Tagged With: , , , , ,

Learning From Someone Else’s Breach

November 20, 2009 by · Leave a Comment

A subsidiary of manged health care provider Health Net Inc, just reported the loss of personal information for 1.5 million customers that occurred six months ago according to a ComputerWorld article.  Without knowing all the details of the situation, I can only speculate as to some of the security controls and thoughts of the Health Net leadership during this incident so take that into account.  Hopefully there are some lessons learned for other organizations both in the management of sensitive information and the leadership response to an incident.

From the article:

The device containing the data was an external, portable hard drive. The data had not been encrypted.

So, let me get this straight.  You work in an environment where the protection of information is highly regulated yet you are putting seven year’s worth of personally identifiable information on a portable hard drive unencrypted.  They may need to reconsider their processes that allow this type of information to be stored in such a manner.  If this is for backup, certainly there are better options available.  The controls surrounding the physical handling of devices with personally identifiable information appear to be too loose and need to be examined.  Securing that device when not in use and logging the device in and out of its secure storage location would be a good start.

In Nevada come January, organizations will need to pay special attention to personal information being stored on removable media, especially if the portable devices leave the confines of the facility.  See my article Nevada’s New Data Security Law for more information on this new bit of legislation.

“Protecting the privacy of our members is extremely important to us,” Health Net said. “We apologize for any inconvenience or concern this may cause our members.”

A pretty standard response for a breach but the delayed timing of this sounds like there was no incident response plan in place in the best case scenario.  In the worst case, one has to ask if their leadership were dragging their feet hoping the problem would simply go away if they ignored it long enough.  I’m going to assume the former in that they simply did not have a plan for dealing with this type of disclosure which is really not acceptable.  If you’re business maintains sensitive information about customers then you need to be prepared for the possibility of a breach.

The six-month delay in reporting this is also a huge issue.  Data breach notification laws have been in place in most states for several years and they were put there to prevent this type of “keep it quiet” behavior that had been common place in business.  The AG is attacking Health Net on this very issue and rightfully so.

“We will demand identity theft insurance and reimbursement for credit freezes as well as credit monitoring for at least two years for all 446,000 consumers” in Connecticut whose data is at risk.

I blogged before about the cost of a breach.  This is a great example of the cost of poor security controls surrounding personally identifiable information.  Let’s just assume the monitoring service costs $20 per person (a discount for the volume here).  In addition to the cost of notification, the loss of this hard drive with unencrypted sensitive data could cost the company just under $9 million dollars to provide the fraud and monitoring service.  That’s some real money.

While we can’t be certain what really happened or what the exact cost of this breach will be to Health Net, I think it’s certainly easy to identify some potential mistakes that are duplicated in many other organizations.  Understanding all of your business processes surrounding the use, transmission, and storage of sensitive information is hugely important.  Adopting sensible controls and finding appropriate alternatives to risky processes is essential.  Last, detailing and practicing a response to a data breach incident may seem like a lot of wasted time…. that is, until you experience a breach.

Filed Under: Business and Security, Should Have Known Better · Tagged With: , , , , , ,

Ex-Lover Busted, But Not Totally to Blame

September 21, 2009 by · Leave a Comment

A 38-year-old Avon Lake, Ohio man is set to plead guilty to federal charges after spyware he allegedly meant to install on the computer of a woman he’d had a relationship with ended up infecting computers at Akron Children’s Hospital.   (Misdirected spyware infects Ohio hospital.  McMillan, Robert. 17 September 2009. ComputerWorld.)

Graham certainly gets what is coming to him.  Sending spyware to your ex is more than a little creepy.  However, it seems to me the hospital is culpable in the release of protected health information (PHI) due to poor security practices.   The hospital has an obligation to protect this information yet they allow an employee to not only access personal e-mail but also download and install an application.  In this case it turns out to be spyware.

Unfortunately, this is a common occurance.  Employees use business assets as their personal playground, downloading and installing all types of applications that have no business being on the PC.  I’m not talking about pictures of Grandma Edith and the new puppy, rather peer-to-peer file sharing and communication applications, games, and other programs of amusement.  This places companies at risk for the accidental release of personal information or compromise of systems.

With more regulatory pressure being placed on organizations to protect personally identifiable information, companies are going to need to make a decision if they are running a business or a playpen.  It may be safer (and less expensive) to put in a foosball table and pinball machine than suffer the consequences of a breach.

Filed Under: Business and Security, Should Have Known Better, Workstation Security · Tagged With: , , ,