Skip to content

1

HIPAA compliance documents do not tell you exactly what to do in your network.

Instead they are a framework to fulfill, here is a link to the HHS information in case you are interested:

http://www.hhs.gov/ocr/privacy/hipaa/understanding/srsummary.html   

HHS is the U.S. Department of Health & Human Services

But unfortunately the details of what should be done is opaque at best.

It is better to review the SANS website as it is a Teaching of Security organization. One of their documents has a good review of HIPAA compliance

hospitalshacked

An interesting sidenote (The Criminals do not care about compliance or security, just whether they can hack your network resources) check our blogpost: http://oversitesentry.com/website-files-ransomed-not-just-personal-files/ )

In the following standard review (from the SANS document) wireless devices were discussed:
HIPAA Standards
While the Final HIPAA rules do not necessarily deal directly with wireless or any specific network device, the regulations cover many separate areas that deal with PHI (Personal Health Information). In summary the document deals with 3 major areas:
1.  Administrative Safeguards
2. Physical Safeguards
3. Technical Safeguards.
The Administrative Safeguards section (164.308) provides regulation for the
management of healthcare organizations. Secondly, Physical safeguards
(section 164.310) regulate how physically secure the facility should be.
Finally Technical Safeguards (section 164.312) provide regulations for access control to the network, security and integrity of data/transmissions, auditing and authentication.
This section is most relevant to our situation.
In order to provide the highest
security to a wireless network, the relevant regulations need to be extracted from the HIPAA document and interpreted for use in the scenario presented. The following is a brief summary of the standards
that relate to our wireless scenario.
1. Access control (164.312(a)(1)) is simply what the name implies,
controlling who is granted access to the organization’s resources.
2. Auditing (164.312(b)) is maintaining logs of who accessed
a given resource at what time and where so that in the event of a security
compromise there will be an audit trail.
3. Integrity (164.312(c)(1)) consists of making sure that PHI is not
modified in any way by an unauthorized user during transmission
or storage.
4. Person authentication (164.312(d)) is authenticating that the person
the computer says they are is really the correct person. This could
be argued that it should be done at the server, but I think we can take it a step further and authorize the user when they transition from the wireless to the wired network.
5. Transmission security (164.312(e)(1)) is ensuring that the network
transmissions are kept private and since the media is the air this is
a high priority in wireless environments.

 

So in essence to protect PHI (Personal Health Information) as in medical data, one has to perform basic security practices. And this has to be documented for any potential audits.

Contact Us  as we help with compliance or documentation details.

Blogpost on HIPAA compliance from my blog:

http://oversitesentry.com/hipaa-enforcement-10-of-any-covered-entity-will-be-audited-says-office-for-civil-rights/  blogpost from June 2015

Notice the tidbit of 10% of all organizations will be audited by Office of Civil Rights and if they so choose they will do some serious social engineering on your org.

Always better to be pro-active. make sure you have a good security policy in place. Set up a methodology of security  not just a compliance checkbox policy.

 

Updated 01/31/2016

 

If you are not 100% certain?

Are you 95.5%?  that is 2 sigma(σ) if you want 99.9999% then that is 6 sigma(σ)

The attackers are coming

check this link:

http://oversitesentry.com/i-want-my-internet-247hackersknowthat/

The link explains what is obvious to all - we need the Internet and the criminal knows that so they will find any mistakes that you made/ are making.

evgeniybogachevfbimostwanted    Mr. Bogachev has a $3mil bounty on his head - why do you think that is?

 

The Criminals are working when you are sleeping in relatively lawless environments trying to find a way to make more money - your money.

Here is a link if you dare to check about the "Russian Carders Army"

http://carderinfo.nm.ru/cr1.swf

A video by McAfee and FBI explaining background of Russian attackers(criminals) http://bcove.me/vchfpcni

I don't know if you understand yet, if you have any problems in your defenses, the hackers will find it, and it is only a matter of time before your company will be hacked, your company will be extorted, your equipment will be used for the criminal ends.

This phenomenon is not new and will not stop.

riskmanagmenthackedmatrix

Risk management failed us - because the system that is not important may have mistakes, and once hacked allows the more important machines to be hacked as well. So risk management failed.

We can no longer make judgements with risk and say this machine is more important and can have less problems than others. ALL machines are important

 

We can help you MAKE sure that you are as close to 100% certain as possible.

 

I believe companies need to run a minimal set of vulnerability analysis

Which I explain here:

http://oversitesentry.com/tonyz/pubhtml/fixvirus/svapec/

The idea is to at least cover your basic vulnerabilities with a regular scan, because one has to be perfect, there are too many attacks heading our way for you not to test your defenses with outside help.

Of course you can (and should have a layered defense strategy) like in this link:

http://oversitesentry.com/2-steps-stops-all-cyberattacks/

 

Or with Six Sigma (σ)

we need Six Sigma Security

Six-Sigma-Certified-Image-4 (image from www.simplilearn.com)

 

And the only way to achieve it is with testing testing testing.

We perform the  (A – Σ – Ω) Solution

 

 

In QA that is how six sigma is performed to 99.9999% error free.

1

Good Security means doing good basic IT.

And sometimes it also means keeping up with new compliance initiatives by industry or government.

This year October 1, 2015 there is a new Payment Card Industry(PCI) rule going into effect. On October 1st the liability of a security breach will go to the merchant not the bank or processor.

Here is an article that discusses certain aspects of the http://news.investors.com/technology/032015-744412-latest-point-of-sale-endpoint-security-tackles-expensive-breaches.htm Point Of Sale system.

EMV (the Europay MasterCard Visa credit card standard) will come to the US by October 1st as well. And if you will get new machines anyway get ones which have point-to-point  encryption.

cardpresentvulnerabilitiesImage from visa.com
the problems in most small merchants are basic in nature. the PCI Industry has created a standard:
which is located in the following location: https://www.pcisecuritystandards.org/
  • Insecure remote access used by attackers
  • Weak or Default passwords and setting commonly used
  • Lack of network segmentation
  • Malware deployed to capture t card data.
  • Absence of antivirus tools to detect malware

 

If you add a firewall and Intrusion Prevention Systems  you will protect yourself even further.

http://oversitesentry.com/cyberwar-you-aint-seen-nothin-yet/

Then  add the Polliwall, now it will be almost impossible for the standard criminals to take your systems. None of us can defend against the nation states, but if we can defend against everyone else then we have created the defensive system for 2015.

What does PCI compliance really mean?

There are similarities with ISO27001, PCI compliance is set up as an audit of the IT department with a specific emphasis of credit card security as well. Whereas ISO27001 is more of an audit of the processes of a company. This makes sense in a manufacturing environment where it is important that your processes show what occurs in the manufacturing and delivery of a product. A product that has to be created can have errors introduced in the creation step. And this is where Six Sigma(Quality Assurance standard) has come into place.

Our blogpost(at Oversitesentry.com) where we say Six Sigma security is needed.

But as the title mentions, the real reason for PCI compliance adherence are legal liabilities as will be proved.

The 106 page pdf (plus 6 pages in appendix) document of the latest PCI standards (DSS3.0) by pcistandards.org at the following link: https://www.pcisecuritystandards.org/documents/PCI_DSS_v3.pdf

 

The document outlines many aspects of the Payment Card Industry (PCI) expectations of security. Which are security practices made up of common sense:

1. Implement a firewall, with good access control in all connections to the Internet - including DMZ (DeMilitarized Zone). If you have a single connection and single location it is straight forward, but if it is not, then the standard still tries to keep in mind the additional complexity without losing security aspects.

2. The network defense is not complete without a discussion of a personal firewall on the desktop, and later in the document an antivirus solution. The Microsoft Global Policy should also be discussed. (where all aspects of the desktop can be controlled if so desired.

3. A lot of points are made about changing default configurations and passwords in all systems, this is another good common sense item.

4. Any protocols so deemed "insecure" should be shored up as best as possible (there is a lot of latitude here, since there can be many different potential issues)

5. Using proper logs is important

6. Encrypt where necessary, as the credit card numbers should be encrypted over the Internet or wireless access points. And this has to be "verified". Again this is due to legal concerns.

Later in document - use an intrusion detection system so as to know what is being attacked and how you are attacked. Keeping the logs is important not just for reasons like finding out what is going on in your network, but it is important to reconstruct in case of legal liability. Whenever the document says "Verify" it means if you do not, then a lawyer will make you pay for it in the future.

How do I say this with certainty?

http://www.bankinfosecurity.com/retail-breach-compromised-millions-cards-a-5688/op-1 has a sentence in here of note:

"The company also pointed that as of its most recent audit, conducted in November 2012, it was compliance with the Payment Card Industry Data Security Standard."

How about this link?

https://www.paylinedata.com/payments/schnuck-markets-files-sealed-lawsuit-two-payment-processors-data-breach/

" In St. Louis Missouri, Schnuck Grocery store recently sued two payment processing companies. Currently the details of the lawsuit have not been released, but many can speculate that this is due to the recent breach of credit card data that impacted millions of customers at the the large grocery chain."

How could Schnucks end up suing the payment processors? if they had not done their due diligence in the PCI compliance audits as required by the industry. I believe this does not require the knowledge of the outcome.

So that is why we are confident in saying: PCI compliance has to do with legal liability.

What are you waiting for?  The ambulance attorneys will chase you when(not if) a breach occurs.

 

Contact Us as we can help you with the future audit and legal liabilities beckon.

 

In the end it is the criminals versus the legal liabilities that you must wrestle with

Kmart-logowithscales of justice I post this doctored image of Kmart's logo, as they were hacked as well - although I am not sure of their PCI compliance.

pcibestpractices


To be PCI compliant means there is a Security policy in place.

We can help with a security policy or with the documentation for PCI compliance -

There are a lot of items to check and verify.

 

Don't forget to check cloud services that you may have.

 

Contact us with any concerns of security policies and PCI compliance issues

NewsofDay: On CMS systems review from this post: http://securityintelligence.com/cms-hacking-2014-by-the-numbers/

Also for TipofDay: PCI compliance the new page created at Oversitesentry (My blog)

http://oversitesentry.com/pci-compliance/

Threatpost blog post: http://threatpost.com/microsoft-recalls-patch-tuesday-exchange-update/109844

about the exchange server patch rollback (uninstall).

 

The TipofDay is about PCI compliance - security policy must be created.

some parts of the PCI DSS3.0 standard is not very specific (since there are many different types of environments.

What is the reason one hires an independent CPA to check your financial books?

fixvirus-logo-small

Unfortunately even where employees are trustworthy and capable, it makes sense to periodically review their work.

Even the PCI Security Standards Council has the following as "Testing Procedures"

6.1.b Interview responsible personnel and observe processes to verify that:
 New security vulnerabilities are identified.
 A risk ranking is assigned to vulnerabilities that includes identification of all “high” risk and “critical” vulnerabilities.
 Processes to identify new security vulnerabilities include using reputable outside sources for security vulnerability information.

Are you really performing this function with internal personnel? Can you ensure that it is done with accuracy and efficiency over the long term?

For an independent review to occur by definition it must be "Independent"

That is why we have developed a basic Alpha Security scan  to give information to the IT department and management so they can run more efficiently and with higher security.

DARKReading has the highlights of the changes of v3.0 compared with v2.0

SearchSecurity also has a synopsis - with the 5 most important changes:

1. Pentesting (Penetration testing)

2. inventory system components

3. Vendor relationships

4. Antimalware

5. Physical access

All of the changes make sense in light of the Target breach which we will review in more detail on a separate post. the most important is the Pentesting and segmentation of networks from your vendors.  It is likely that one of the vendors at Target caused the breach, or at least helped the exfiltration of the Credit card data.

Here is a snapshot from the actual v3.0 PCI DSS doc

pcibestpractices

Have you checked wifi signals as to their effectiveness?

Is your wifi router/ access point using good encryption technology?

Wardriving: Peter Shipley coined the term "wardriving" the practice of deliberately searching a local area looking for wifi networking signals.

You do know that some wifi(WEP) encryption is easier to hack and break into than others(WPA2)

There are also other ways that people attack you and your information and resources.

Hackers use fake wifi access points to steal peoples logins. be careful where you accept a wifi connection, as unencrypted wifi can be very dangerous, at lest assume that all your network traffic can be stolen and analyzed.  I.e. do not enter userids and passwords on unencrypted wifi connections.

 

we can help you test and audit your wifi, including for PCI auditing purposes (has to be done quarterly