3 questions your CIO needs to answer to set your offsite backup strategy

There are a number of options for offsite backup, including tape shipped to an offsite vault, backing up to commodity cloud storage such as Amazon's, or an enterprise-grade offsite backup and recovery service.

Mike Klein
Online Tech

Before any detailed conversation takes place around the technical and business considerations impacting your backup strategy — such as compliance, confidentiality of the data, security requirements and recovery targets — there are three questions your CIO needs to answer prior to researching solutions for your offsite backup and recovery plan.

Question 1: How important is your data?

If you lost an important file, or all of your servers to a disaster, what impact would that have on your business? Backup and recovery is essentially an insurance policy: it can pay out as system-level recovery after a major disaster, or as file-level recovery of a lost document after a minor one.

This first question is important to ask because it gives you a framework on how to think about the type of “insurance” you want to buy with backup. If your data is critically important to the success of your business, your CIO will most likely want a higher coverage, faster response insurance policy than if your data could be completely recreated from paper records.

Question 2: How much data can you afford to lose?

Once you know how valuable your data is to the business, you need to settle the recovery point objective (RPO) your CIO wants for each application: the maximum amount of data, measured in time, that the business can afford to lose.

The RPO dictates how often you capture your data and ship it offsite: weekly, daily, hourly or continuously. An application that can survive on weeks-old data drives a very different set of decisions than one that must recover the latest up-to-the-minute customer transactions.

Question 3: How fast do you need to recover your data and be operational again?

This is your recovery time objective (RTO). Some applications may not need to be back up and running for weeks, while others need immediate failover. Many mid-size businesses treat a 4- to 24-hour range as a reasonable recovery target for their applications. Note that RTO and RPO are independent: a nightly tape shipped offsite may satisfy a 24-hour RPO yet miss a 4-hour RTO if the tape has to be retrieved and restored, so measure both with a restore drill rather than assuming the backup schedule covers them.
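As an added illustration, not part of the original post, here is a small Python check that turns the answers to questions 2 and 3 into something you can verify against a backup job log and restore drills. The applications, policy targets, job log and drill timings below are constructed for the example; in practice you would feed it your backup software's job history. It counts a backup toward the RPO only if the job succeeded and the copy is confirmed offsite, and it tests RTO against the last measured restore drill rather than against the schedule.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample data (hypothetical applications and timestamps, not from the page).
# Per-application targets, as answered by the CIO for questions 2 (RPO) and 3 (RTO).
POLICY = {
    "orders-db":  {"rpo": timedelta(minutes=15), "rto": timedelta(hours=1)},
    "erp":        {"rpo": timedelta(hours=1),    "rto": timedelta(hours=4)},
    "file-share": {"rpo": timedelta(days=1),     "rto": timedelta(hours=24)},
}

# Backup job log: (application, finished_at in UTC, offsite copy confirmed?, job status)
BACKUP_LOG = [
    ("orders-db",  "2014-08-20T11:50:00Z", True,  "ok"),
    ("orders-db",  "2014-08-20T12:05:00Z", False, "ok"),      # local copy only, not yet shipped
    ("erp",        "2014-08-20T09:00:00Z", True,  "ok"),
    ("erp",        "2014-08-20T11:00:00Z", True,  "failed"),  # a failed job must not count
    ("file-share", "2014-08-20T02:00:00Z", True,  "ok"),
]

# Last restore drill per application: measured time to bring the app back online.
RESTORE_DRILLS = {
    "orders-db":  timedelta(minutes=40),
    "erp":        timedelta(hours=6),
    "file-share": timedelta(hours=20),
}


def parse_ts(s):
    """Parse an ISO-8601 UTC timestamp of the form used in BACKUP_LOG."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def last_good_offsite(app, log):
    """Newest successful backup of `app` that is confirmed offsite, or None."""
    times = [parse_ts(ts) for a, ts, offsite, status in log
             if a == app and offsite and status == "ok"]
    return max(times) if times else None


def evaluate(policy, log, drills, now):
    """Return {app: {"rpo_ok": bool, "rto_ok": bool, "data_at_risk": timedelta|None}}.

    data_at_risk is the age of the newest usable offsite copy: everything written
    since then would be lost if the site failed at `now`.
    """
    report = {}
    for app, targets in policy.items():
        newest = last_good_offsite(app, log)
        exposure = (now - newest) if newest else None
        rpo_ok = exposure is not None and exposure <= targets["rpo"]
        drill = drills.get(app)
        rto_ok = drill is not None and drill <= targets["rto"]
        report[app] = {"rpo_ok": rpo_ok, "rto_ok": rto_ok, "data_at_risk": exposure}
    return report


def violations(report):
    """Applications that miss either target, sorted by name."""
    return sorted(app for app, r in report.items() if not (r["rpo_ok"] and r["rto_ok"]))


if __name__ == "__main__":
    now = parse_ts("2014-08-20T12:10:00Z")
    rep = evaluate(POLICY, BACKUP_LOG, RESTORE_DRILLS, now)
    for app, r in rep.items():
        print(app, r)
    print("out of policy:", violations(rep))
```

Run as-is, orders-db fails its RPO even though a backup finished five minutes ago, because that copy is still local; erp fails both targets because its latest job failed and its last drill took six hours against a four-hour RTO.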

In my experience, once you have the answers to these three strategic questions, you’re ready to dive into the technical and business drivers for your backup and recovery strategy, as you start researching solutions to meet your goals.


Largest HIPAA breach ever: Hackers steal data on 4.5 million Community Health Systems patients

There’s a new leader on the U.S. Department of Health & Human Services’ Wall of Shame.

A hacking group known as “APT 18” is suspected of stealing names, Social Security numbers, addresses, birthdates and telephone numbers from 4.5 million patients of Community Health Systems, a network of 206 hospitals across 29 states. Credit card numbers and medical records were not accessed.

It’s the largest attack involving patient information since the HHS started tracking HIPAA breaches in 2009, passing a Montana Department of Public Health breach that affected roughly 1 million people.

Patients who were referred to or received services from physicians affiliated with Community Health Systems in the last five years were affected, the company reported in a regulatory filing on Monday. The attacks, which used sophisticated malware, occurred in April and June.

According to numerous news reports, security experts said the hacker group may have links to the Chinese government. Charles Carmakal, managing director of the Mandiant forensics unit, hired by the hospital group to consult on the hack, told Reuters that “APT 18” typically targets companies in the aerospace and defense, construction and engineering, technology, financial services and healthcare industry.

In an Online Tech webinar titled “Why is it So Hard to Secure a Company,” security expert Adam Goslin discussed how the past decade has seen “a continuous and steady increase in attempts by specifically the Chinese attempting to gain intellectual property.”

According to a CNN report, Mandiant and federal investigators told the hospital network that the hacking group has previously conducted corporate espionage to target information about medical devices. This time, however, the bounty was patient data.

Community Health Systems stated in a release: “Our organization believes the intruder was a foreign-based group out of China that was likely looking for intellectual property. The intruder used highly sophisticated methods to bypass security systems. The intruder has been eradicated and applications have been deployed to protect against future attacks.”

In the same webinar, Goslin, the CEO of Total Compliance Tracking, gave examples of how much stolen intellectual property can be worth to the thief:

One of the stories that the FBI was bringing up was the Chinese were trying to get into a manufacturing facility to get a sample of a rinse solution for some type of a glass manufacture. It was a coating for glass and they couldn’t figure out how they were doing it. So, the Chinese were trying to get a hold of this rinse solution in the manufacturing setting. …

There was a story of an organization that had spent some number of years developing a patent. They were just about to file it and found that they had gotten hacked by the Chinese. The Chinese filed for the patent. Because the organization’s entire business revolved around this work, they literally had to pay royalties to the Chinese just to use the patent that they developed themselves that got hacked out from under them.

The value of personal information is clear: Hackers can sell the information to those looking to steal identities. And hospital networks are becoming a hotbed for finding that information.

Michael “Mac” McMillan, CEO of security consulting firm CynergisTek, told Modern Healthcare that hospitals are “going to become a bigger and bigger target as the hacking community figures out it’s easier to hack a hospital than it is to hack a bank and you get the same information. I’m not sure healthcare is listening yet.”

McMillan told the website there has been a spike in hacking activity directed at hospitals this year:

“I know at least a half a dozen or so hacks against hospitals we work with where the data wasn’t transferred, but it still caused a lot of disruption,” McMillan said. “But it wasn’t a HIPAA issue, so it didn’t get reported.”


Online Tech webinar: Why Is It So Hard to Secure a Company?
Modern Healthcare: Chinese hackers hit Community Health Systems; others vulnerable
Reuters: Community Health says data stolen in cyber attack from China
CNN: Hospital network hacked, 4.5 million records stolen

U.S. internet connection speed lacking overall, Michigan among top 10 fastest states

How fast is your internet connection? Chances are, if you’re in the United States, it could be faster.

In Akamai Technologies’ recently released State of the Internet Report, the U.S. isn’t among the top 10 countries or regions ranked by average connection speed. Using data collected in the first quarter of 2014, here are the top average connection speeds in megabits per second (Mbps), according to the study:

  1. South Korea (23.6 Mbps)
  2. Japan (14.6 Mbps)
  3. Hong Kong (13.3 Mbps)
  4. Switzerland (12.7 Mbps)
  5. Netherlands (12.4 Mbps)
  6. Latvia (12.0 Mbps)
  7. Sweden (11.6 Mbps)
  8. Czech Republic (11.2 Mbps)
  9. Finland (10.7 Mbps)
  10. Ireland (10.7 Mbps)

So why isn’t the U.S. – the birthplace of the internet – on the top 10 list? Akamai points to how unevenly high-broadband connectivity is distributed. Just 36 percent of Americans have high-speed broadband connectivity delivering more than 10 Mbps, compared to 77 percent of South Koreans.

In its coverage of the report, TechInsider.net explains the reason:

The reason behind the large difference in high speed internet access is believed to be the Telecommunications Act, which was enacted in the U.S. in 1996. This legislation has allowed large firms, such as Verizon Communications, Comcast Corporation, Time Warner and AT&T to divide up the market among themselves, and thus not be exposed to competition. In South Korea, on the other hand, the fierce competition amongst telecommunications companies has led to heavy investments in infrastructure, and ultimately, far better connectivity speeds.

Obviously the United States is a much larger land mass than any of the countries in the top 10. Sweden, the largest country on the list by area, is the 56th-largest country in the world at 173,860 square miles. The United States is 22 times larger (3,794,100 square miles).

Nearly half of the United States (22 states, plus the District of Columbia) would rank in the global top 10 if the states were scored individually, and much of the northeast region of the country would be near the top of the list.

As illustrated by a map created by Broadview Networks using Akamai’s data, speeds fizzle in the middle of the country. Idaho, Louisiana, Missouri, New Mexico, Mississippi, West Virginia, Montana, Kentucky, Arkansas and Alaska all average less than 8 Mbps.

Online Tech’s home state of Michigan has an average connection speed of 11.8 Mbps, the ninth-fastest in the country and the fastest of the 12 Midwestern states. Here is Broadview Networks’ breakdown of the top 10 internet speeds by state. Find the complete list here.

1. Virginia (13.7 Mbps)
2. Delaware (13.1 Mbps)
2. Massachusetts (13.1 Mbps)
4. Rhode Island (12.9 Mbps)
5. District of Columbia (12.8 Mbps)
6. Washington (12.5 Mbps)
7. New Hampshire (12.3 Mbps)
8. Utah (12.1 Mbps)
9. Michigan (11.8 Mbps)
10. Connecticut (11.7 Mbps)
10. North Dakota (11.7 Mbps)
10. Oregon (11.7 Mbps)


Akamai’s State of the Internet Report
TechInsider.net: U.S. Lagging in Terms of Internet Connection Speed
Broadview Networks: Internet Speeds by State: MAP


Improving security on the ‘Internet of Things’

Mark Stanislav’s title is “Security Evangelist.” Online Tech has previously provided him a virtual pulpit from which to preach and his barnstorming tour continued last week in Las Vegas, where he spoke at the recently concluded DEF CON 22 Hacker Conference.

Stanislav and Duo Security colleague Zach Lanier presented “The Internet of Fails: Where IoT Has Gone Wrong and How We’re Making it Right,” described as a dive into research, outcomes and recommendations regarding information security for the “Internet of Things,” or IoT.

IoT refers to the interconnection of computing devices – everything from heart monitor implants to remote home thermostats – that transfer data without human-to-human or human-to-computer interaction. Essentially, anything that can be assigned an IP address and given the ability to transfer data over a network is part of the IoT.

Last year, Stanislav co-hosted two sessions in a three-part Online Tech webinar series on encryption, participating in both the Encryption at the Software Level and Encryption at the Hardware and Storage Level presentations.

In Las Vegas, Stanislav and Lanier’s presentation covered the rapid, and sometimes haphazard, growth of the IoT and the security risks that come with it. ABI Research estimates that 30 billion devices will be connected to the IoT by 2020.

The presentation drew the interest of Dark Reading, which featured the duo’s new security resource, BuildItSecure.ly, launched in February. After struggling to get smaller technology vendors to engage when researchers reported bugs in their products, and to handle coordinated disclosure with them, Stanislav and Lanier decided to change that process and dialog into one that is inclusive, friendly and researcher-centric.

The loose organization of security-minded vendors, partners and researchers focuses on “improving information security for bootstrapped/crowd-funded IoT products and platforms” that may be tempted to choose a quick launch and profits over security.

When launched at BSides San Francisco earlier this year, the mission of BuildItSecure.ly was defined as:

Provide the information, resources, guidance, and community necessary to help small commercial and independent developers, makers, and inventors of hyperconnected, pervasive computing devices make security-conscious design decisions. Additionally, incentivize independent security research and reporting/coordinated disclosure of vulnerabilities/flaws in those very same devices.

Five more researchers have joined the Duo Security colleagues to populate BuildItSecure.ly with links to presentations and technical guidance on web application security, mobile application security, cloud security, network security and industry standards.

“All the researchers basically are doing this — one, because they want to help some people; two, because they are getting research done and not being sued for it,” Stanislav told Dark Reading. “They already have opt-in from these vendors.”

“We’re going to have researchers looking at pre-production hardware, doing assessments against them… and actually making the device better before they go to people’s hands rather than after.”

Vendors, researchers and content creators are encouraged to get involved with BuildItSecure.ly’s efforts to enhance IoT security.


Dark Reading: Small IoT Firms Get a Security Assist
Duo Security: BSides San Francisco: Announcing BuildItSecure.ly


Russian hackers steal more than 1 billion passwords in record-breaking data breach

Hold Security, a firm credited with uncovering significant data breaches, such as the one at Adobe Systems in October 2013, has uncovered a record-breaking theft of 1.2 billion unique username and password combinations from multiple websites.

From the Hold Security website:

After more than seven months of research, Hold Security identified a Russian cyber gang which is currently in possession of the largest cache of stolen data. While the gang did not have a name, we dubbed it “CyberVor” (“vor” meaning “thief” in Russian).

The CyberVor gang amassed over 4.5 billion records, mostly consisting of stolen credentials. 1.2 billion of these credentials appear to be unique, belonging to over half a billion e-mail addresses. To get such an impressive number of credentials, the CyberVors robbed over 420,000 web and FTP sites.

Hold Security is not naming the victims – made up of large and small sites from industries across the world – because of non-disclosure agreements and a reluctance to publicize companies that may remain vulnerable.

The New York Times has reported that it asked another security expert to analyze the database of stolen credentials and it has been confirmed as authentic. Another computer crime expert told The New York Times that some “big companies” are aware that their records are among the stolen information.

Hold Security explains how the theft played out:

Initially, the gang acquired databases of stolen credentials from fellow hackers on the black market. These databases were used to attack e-mail providers, social media, and other websites to distribute spam to victims and install malicious redirections on legitimate systems. Earlier this year, the hackers altered their approach. Through the underground black market, the CyberVors got access to data from botnet networks (a large group of virus-infected computers controlled by one criminal system). These botnets used victims’ systems to identify SQL vulnerabilities on the sites they visited. The botnet conducted possibly the largest security audit ever. Over 400,000 sites were identified to be potentially vulnerable to SQL injection flaws alone. The CyberVors used these vulnerabilities to steal data from these sites’ databases. To the best of our knowledge, they mostly focused on stealing credentials, eventually ending up with the largest cache of stolen personal information, totaling over 1.2 billion unique sets of e-mails and passwords.
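The Hold Security account above turns on one class of bug: SQL injection, found at scale by botnets and then used to pull credentials out of site databases. As an added example, not code from Hold Security or from any affected site, the Python snippet below shows the vulnerable pattern beside the fix, run against an in-memory SQLite database holding two constructed accounts. The table layout, column names and the sample payload are assumptions made for illustration.

```python
import sqlite3


def make_db():
    """In-memory database with constructed sample accounts (not real data)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, password_hash TEXT)")
    con.executemany("INSERT INTO users (email, password_hash) VALUES (?, ?)", [
        ("alice@example.com", "hash-alice"),
        ("bob@example.com", "hash-bob"),
    ])
    return con


def find_user_vulnerable(con, email):
    """VULNERABLE: attacker-controlled text is spliced into the SQL statement itself."""
    sql = "SELECT email, password_hash FROM users WHERE email = '" + email + "'"
    return con.execute(sql).fetchall()


def find_user_safe(con, email):
    """HARDENED: the bound parameter is always treated as data, never as SQL."""
    sql = "SELECT email, password_hash FROM users WHERE email = ?"
    return con.execute(sql, (email,)).fetchall()


# A classic tautology payload (assumed for the demo). Spliced into the vulnerable
# query it becomes:  ... WHERE email = 'nobody@example.com' OR '1'='1'
PAYLOAD = "nobody@example.com' OR '1'='1"


def demo():
    """Return (rows dumped via injection, rows from the safe query with the same
    payload, rows from the safe query with a legitimate email)."""
    con = make_db()
    dumped = find_user_vulnerable(con, PAYLOAD)   # every row: a credential dump
    safe = find_user_safe(con, PAYLOAD)           # no row has that literal email
    legit = find_user_safe(con, "alice@example.com")
    return len(dumped), len(safe), len(legit)


if __name__ == "__main__":
    print("vulnerable / safe / legitimate row counts:", demo())
```

The point a scanner bot exploits is that string concatenation turns data into syntax; a parameterized query keeps the two apart regardless of what the attacker types. Escaping quotes by hand is not an equivalent fix, since it has to be repeated correctly at every query site and is easy to get wrong for numeric or encoded inputs.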

The San Jose Mercury News notes the scale of this attack – combined with multiple recent reports of cyber assaults – “raises significant questions about the security practices of thousands of companies around the globe and puts at risk the financial and personal information of a significant fraction of the planet’s population.”

Mark Bower from Voltage Security told the newspaper: “This sounds all too familiar – weakly secured sites, preventable vulnerabilities that aren’t patched. Yet more evidence the bad guys are winning big at consumers’ expense.”

Whether they arrive at security awareness willingly or kicking and screaming, companies will face a dilemma: they want to store as much information about consumers as they can, yet they lose the trust of the very audience they serve if they inadvertently lose that information to cybercriminals. Defense-in-depth protections may mean more consumer inconvenience, such as mandatory two-factor login authentication, but more importantly companies will have to layer up their infrastructure on the back end and make sure the monitoring is in place to detect nefarious activity quickly.

This is an arms race with sophisticated cybercriminals who realize that a stealthy foothold on a server, trickling out captured information, can be a long-lasting goldmine of sensitive data. Pull a whole server down at once and the chances of discovery and eradication are much higher. That is part of the reason it can take so long to detect an issue.

Hold Security: You Have Been Hacked!
New York Times: Russian Hackers Amass Over a Billion Passwords
San Jose Mercury News: Record-breaking data breach highlights widespread security flaws


Data breach reporting: A job killer or business saver?

There’s quite a brouhaha bubbling up Down Under.

It all stems from a Sydney Morning Herald opinion piece written by the CEO of the Association of Data Driven Marketing and Advertising opposing the mandatory data breach reporting law introduced to the Australian Parliament by federal attorney general Mark Dreyfus.

The CEO, Jodie Sangster, raised some eyebrows (and generated plenty of pro and con internet content) by referring to a mandatory data breach reporting law as “Luddite thinking” that would be “an innovation killer and the extra compliance red tape will strangle technology-related organizations throughout the economy.”

Sangster’s biggest problem with the legislation is the lack of a clear definition of “serious harm,” a term introduced by Dreyfus in his own earlier opinion piece. In it, he writes that “(b)usinesses will not be unfairly burdened by the proposed laws because the notification requirement will apply only to serious data breaches that may cause harm to individuals.”

Here’s what Sangster believes is the end result of a law without a clear definition of “serious harm”:

… will likely cause organizations to adopt the most risk-averse internal policy setting. This, in turn, will lead to the over-reporting of relatively minor data errors, as compliance managers act to protect their organization from prosecution.

It will also tend to penalize those with the most sophisticated data management systems, since they are the ones more likely to pick up on data errors. Small to medium businesses will likely take a “see no evil, hear no evil” approach; they will put off investments in data-driven technology for fear it will come back to bite them.

The costs will fall relatively more heavily on smaller entities – the innovators of the Australian digital economy – who don’t have sufficient internal resources dedicated to compliance. They will find themselves spending more time managing the reporting process and less on managing the right outcome for customers.

Interesting points, for sure. But regardless of what an organization is required to do by law, many security experts would still suggest that it notify customers of any data breach itself before somebody else does.

Last month, we wrote a blog post entitled “Experts: Be fast and forthcoming with details of a data breach.” It excerpted a Dallas Morning News story with these quotes from Javelin Strategy & Research senior analyst Al Pascual:

“Release clear, descriptive, and prompt notifications,” Javelin said. “Notifications that describe in detail how a breach occurred can bolster an organization’s claims that they have corrected the security vulnerability … restoring some degree of confidence among consumers.”

Shutting down the flow of information is the worst thing a business can do in a data breach.

“To avoid having a breach event’s narrative hijacked by the media or by adversarial organizations, prompt disclosure is imperative,” Javelin said. “A loss of control can imperil an organization’s reputation, diminishing the trust of business partners, consumers, and shareholders.”

In the same post, we pointed to an article by Healthcare IT News associate editor Erin McCann with strikingly similar advice from Gerry Hinkley, a partner at the law firm Pillsbury Winthrop Shaw Pittman, who spoke at a HIMSS Media and Healthcare IT News Privacy and Security Forum.

Hinkley’s message: “Don’t give in to individuals who want to sugar coat this. … You do much better really saying what happened up front.” He said proper breach response can help limit cost, avoid litigation and help retain the integrity of the organization.

Let the debate continue.


Sydney Morning Herald: Data breach law a jobs killer

Sydney Morning Herald: Online privacy breaches a concern for us all


Experts: Be fast and forthcoming with details of a data breach

The next big retail fraud? Jimmy John’s investigating possible data breach

Unauthorized activity on credit cards recently used at Jimmy John’s locations has led the sandwich chain to work with authorities on an investigation of a potential data breach.

KrebsOnSecurity.com first reported on the issue Thursday, stating the chain “did not return calls seeking comment for two days” (not Freaky Fast) before issuing an email statement that it is “investigating the situation” and will provide an update “as soon as we have additional information.”

Financial institutions contacted by KrebsOnSecurity.com saw “card-present” fraud: criminals had used stolen magnetic-stripe data to create counterfeit copies of customers’ cards and spend with them in person.

Beyond ATM skimmers, the most prevalent source of card-present fraud is payment terminals in retail stores compromised by malicious software that captures card data as it is swiped. That was the case in the mass compromises at nationwide retailers including Target, Neiman Marcus, Michaels, White Lodging, P.F. Chang’s, Sally Beauty and Goodwill Industries.

Jimmy John’s has more than 1,900 stores across the United States.

KrebsOnSecurity.com: Sandwich Chain Jimmy John’s Investigating Breach Claims

Potential for undetected breaches is CFOs’ biggest cybersecurity concern

Ever wonder what your company’s CFO is most worried about when it comes to cybersecurity? We may have your answer.

Dig deep down through Grant Thornton LLP’s bi-annual survey of CFOs and other senior financial executives for a pretty good hint. Right there on page 23 of the 28-page report:

What are your business’s top cybersecurity and data privacy concerns?

59% — Potential for undetected breaches
54% — Customer/client data privacy
50% — Unknown and identified risks
42% — Employee and workplace data privacy
32% — Compliance with data security laws

(Respondents were able to select more than one answer.)

More from the report: “Forty-two percent of chief audit executives listed data security/privacy as a risk area that has the potential to impact growth, and 70% include this risk in their internal audit plan. More than 40% of in-house counsel claim that the risk of a cybersecurity/data privacy breach has increased in the past year, but 17% are unsure what was being done to deal with these risks in their organization.”

(Oh, and here’s some good news from that same report: Sixty-eight percent of CFOs expect an increase in the average per-employee salary over the next year!)

Grant Thornton Spring 2014 CFO Survey

Up your HIPAA IQ with a little HIPAA FAQ

Are you wondering what all the HIPAA fuss is about? Here are a few basics to get you started, along with references to in-depth videos along the way.

What is HIPAA?
HIPAA is the Health Insurance Portability and Accountability Act of 1996. Among other things, it sets the rules for the protection and use of Protected Health Information (PHI), which is essentially your medical record together with the identifying details attached to it. HIPAA was intended to ease the sharing of PHI between entities with a need to know while maintaining an acceptable and reasonable level of privacy for the individual whose information is at stake.

What is HITECH?
In 2009, the Health Information Technology for Economic and Clinical Health Act (HITECH) was passed to strengthen HIPAA’s rules and to provide federal funds for deploying electronic medical records (EMR), also referred to as electronic health records (EHR). HITECH updated HIPAA because medical records were moving into digital form and needed new rules for protection and availability; it also made business associates directly responsible for the Security Rule and introduced breach notification requirements.

What does HIPAA cover?

HIPAA covers the Privacy, Security and Enforcement rules of PHI. The Privacy and Security rules contain information on how one must treat PHI (whether it’s electronic or not). The enforcement rules specify what happens if you don’t (the penalties).

The 3 pillars of HIPAA are:

  1. Integrity of information – the medical record must be accurate
  2. Confidentiality – The medical record should only be seen by those with a need to know and all uses of that data should be knowable by the individual.
  3. Availability – The medical record must be available, in essence, no reasonably avoidable downtime.

Who’s the Boss for these rules? Are the HIPAA police real?
The Acts are administered by the Department of Health and Human Services (HHS) through its Office for Civil Rights (OCR). It is the OCR that has the authority to enforce, audit and fine companies and individuals for violations of the Act; criminal cases are referred to the Department of Justice. OCR interprets the law in the Act and writes the rules and regulations.

What are the rules and regulations?
The rules and regulations are documented in Title 45 of the Code of Federal Regulations (CFR); Parts 160 and 164 are the ones that pertain to HIPAA. When someone says they adhere to HIPAA rules, it means they adhere to the paragraphs in those Parts. For example, one of the paragraphs says:

§ 164.308(a)(1)(i) Standard: Security management process – Implement policies and procedures to prevent, detect, contain, and correct security violations.

We are then required to do precisely what it says – prevent, detect, contain and correct security violations. At Online Tech, we have such a written policy and in that documented policy we reference this paragraph number. Note that these rules say nothing about how you achieve these objectives – that is what we decide and document in our policies.

What do the rules say we must do (and not do)?

  • Protect the Availability, Integrity and Confidentiality of PHI
  • Have Business Associate Agreements with any vendors that touch protected health information (PHI)
  • Notify affected individuals and HHS of breaches of unsecured PHI under the Breach Notification Rule (yes, you must report incidents, including your own).

They do not specify any particular technology platform or design, just that you must secure the data. Regulators assume you will follow industry best practices, such as NIST guidance for protecting data, and are likely to consider you negligent if you do not.

What are all these “safeguards” about?

The requisite safeguards in the HIPAA Privacy and Security rules are divided into three different sections: Administrative, Physical, and Technical.

  • Administrative safeguards are things like security training for all employees, or policies to never access client data.
  • Physical security includes things like requiring two forms of authentication in order to open the doors in our data center. It might be a combination of a badge, fingerprint, pin code, or key fob – anything that requires at least 2 things to prove you are who you say you are.
  • Technical security includes things like making sure that anti-virus software is on your server or using 2-factor authentication for remote VPN connections to a server.

What are the penalties for violating HIPAA?
The penalties for violating HIPAA rules are severe. Civil penalties range from $100 to $50,000 per violation (each affected record can count as a violation), capped at $1,500,000 per calendar year for violations of the same provision, and knowing misuse of PHI can bring criminal charges with jail time. Note that the 500-record figure often quoted is a reporting threshold, not a penalty threshold: a breach of unsecured (unencrypted) PHI affecting 500 or more individuals must be reported to HHS and the media within 60 days of discovery, while smaller breaches are logged and reported to HHS annually. Penalties can be assessed for any violation, whether or not a breach occurred, and PHI encrypted to HHS guidance is exempt from the notification requirement if the key was not compromised.

Serious stuff. The regulation (45 CFR 160.404) sets four civil penalty tiers by culpability, of which “Reasonable Cause” and “Willful Neglect” are the two most often discussed:

  • Did Not Know: $100 to $50,000 per violation.
  • Reasonable Cause: $1,000 to $50,000 per violation; civil only, no jail time.
  • Willful Neglect, corrected within 30 days: $10,000 to $50,000 per violation.
  • Willful Neglect, not corrected: $50,000 per violation. Knowing misuse of PHI is prosecuted separately as a crime by the Department of Justice.

What does it mean to have a HIPAA audit?
A HIPAA audit means that you have performed a diligent risk assessment against the latest OCR HIPAA Audit Protocol. Let’s be honest: none of us can truly, objectively assess ourselves. Get an independent, third-party opinion or if you are working with a Business Associate and sharing protected health information (PHI), make sure to ask them for a copy of their independent assessment report. Then read it! You should see evidence of strong administrative, physical, and technical safeguards that protect patient information.

What is a Business Associate (BA)?
There are three types of entities described in the statute. The first is the patient. That’s easy. The second is the Covered Entity (CE) and the third is the Business Associate (BA). The CE performs medical services on the patient and has the most trusted access of the information. A hospital or an insurance company is a CE.

A BA is someone contracted by a CE for services that involve the exchange of patient information (PHI) in order to perform the contracted service. A traditional BA is a bill-processing company that sends medical invoices and processes payments. It has, and needs, access to the patient information (name, address) and the medical record (diagnosis code, charge, etc.) to perform the work for the CE.

Is my business considered a Business Associate?
If your company comes into contact with patient information, you are considered a Business Associate. At first, not everyone was convinced that cloud providers were indeed Business Associates, until David S. Holtzman of the Health Information Privacy Division of OCR clarified the point during a speech at the Health Care Compliance Association’s 16th Annual Compliance Institute:

“If you use a cloud service, it should be your business associate. If they refuse to sign a business associate agreement, don’t use the cloud service.”

Another point the guidance makes is that business associates must also adhere to the Breach Notification Rule – including the subcontractors of business associates. Covered entities and business associates should take note: the document also states that “these proposed changes would make covered entities and business associates liable under § 160.402(c) for the acts of their business associate agents, in accordance with the Federal common law of agency, regardless of whether the covered entity has a compliant business associate agreement in place.”

When is a BAA required?

A Business Associate Agreement is required whenever a client is storing, processing or transmitting protected health information (PHI).

Does choosing a HIPAA compliant Business Associate make your business HIPAA compliant?

No. Every company must do its own risk assessment and mitigation planning, specific to its own processes and procedures. That said, if you are working with a vendor who has performed the same level of due diligence, it saves you from having to spend a lot of time and money researching and documenting the practices they use to protect patient information. In our case, we provide all of our clients with our complete, independent HIPAA audit report. In turn, they can share this with their auditors to save time and money during their own audit.

What about Encryption, is it required?

Yes and no. Encryption is listed as “addressable” in the technical safeguards rather than “required”. Why? The healthcare information ecosystem is wildly diverse, and there are many different ways of protecting patient information. The easiest way to prove you meet this requirement is to use AES 256-bit encryption on all data to the NIST standard. If you have adequately encrypted the data, then you are NOT required to report a data breach, as long as the encryption keys have not been jeopardized and patient information remains safely encrypted.

If you opt not to use the recommended AES 256 encryption, it’s on you to prove that your method is as good as, or better than, the NIST standard. If you can’t prove that your protections meet or beat the NIST standard, you may be liable for penalties that fall into the expensive “negligent” category.

What are some other HIPAA best practices?

There are a few things clients should do, since they will help with their audit:

  • Document data management, security, training and notification plans
  • Enforce a password policy for their access
  • Encrypt PHI data whether it’s in a database or in files on the server
  • Do not use public FTP; use other methods to move files
  • Only use VPN access for remote access
  • Implement login retry protection in their application
  • Document a disaster recovery plan
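The login retry protection item above is the one on the list that is pure application logic, so here is an added example of it (written for this page; not code from Online Tech or from any client application). The policy numbers, the `demoUsers` credential table and the injectable clock are assumptions for the demonstration. It counts failed attempts per username inside a sliding window, locks the account for a fixed period once the limit is hit, refuses locked accounts before the password is even checked, and clears the history on a successful login.

```go
package main

import (
	"crypto/subtle"
	"fmt"
	"sync"
	"time"
)

// LockoutPolicy: after MaxFailures failed attempts inside Window, the
// account is locked for LockDuration. The values used below are illustrative.
type LockoutPolicy struct {
	MaxFailures  int
	Window       time.Duration
	LockDuration time.Duration
}

type accountState struct {
	failures    []time.Time // recent failures, oldest first
	lockedUntil time.Time
}

// LoginGuard tracks failed attempts per username. The clock is injectable
// so the lockout behaviour can be exercised deterministically in tests.
type LoginGuard struct {
	policy LockoutPolicy
	now    func() time.Time
	mu     sync.Mutex
	state  map[string]*accountState
}

func NewLoginGuard(p LockoutPolicy, now func() time.Time) *LoginGuard {
	if now == nil {
		now = time.Now
	}
	return &LoginGuard{policy: p, now: now, state: map[string]*accountState{}}
}

// Locked reports whether user is currently locked out.
func (g *LoginGuard) Locked(user string) bool {
	g.mu.Lock()
	defer g.mu.Unlock()
	st, ok := g.state[user]
	return ok && g.now().Before(st.lockedUntil)
}

// recordFailure drops failures older than the window, adds this one, and
// returns true if the account is now locked. The caller must hold g.mu.
func (g *LoginGuard) recordFailure(user string) bool {
	now := g.now()
	st := g.state[user]
	if st == nil {
		st = &accountState{}
		g.state[user] = st
	}
	kept := st.failures[:0]
	for _, t := range st.failures {
		if now.Sub(t) < g.policy.Window {
			kept = append(kept, t)
		}
	}
	st.failures = append(kept, now)
	if len(st.failures) >= g.policy.MaxFailures {
		st.lockedUntil = now.Add(g.policy.LockDuration)
		st.failures = nil
		return true
	}
	return false
}

// Attempt is the single entry point for a login: it refuses locked accounts
// before touching the password, then verifies and updates the counters.
// It returns ok (credentials accepted) and locked (account is locked now).
func (g *LoginGuard) Attempt(user, password string, verify func(user, password string) bool) (ok, locked bool) {
	g.mu.Lock()
	defer g.mu.Unlock()
	if st, found := g.state[user]; found && g.now().Before(st.lockedUntil) {
		return false, true
	}
	if verify(user, password) {
		delete(g.state, user) // a successful login clears the failure history
		return true, false
	}
	return false, g.recordFailure(user)
}

// Constructed credential table for the demo only; a real system stores
// salted password hashes, never the password itself.
var demoUsers = map[string]string{"alice": "correct horse battery staple"}

func demoVerify(user, password string) bool {
	stored, ok := demoUsers[user]
	if !ok {
		return false
	}
	return subtle.ConstantTimeCompare([]byte(stored), []byte(password)) == 1
}

func main() {
	guard := NewLoginGuard(LockoutPolicy{MaxFailures: 5, Window: 10 * time.Minute, LockDuration: 15 * time.Minute}, nil)
	for i := 1; i <= 5; i++ {
		ok, locked := guard.Attempt("alice", "wrong", demoVerify)
		fmt.Printf("attempt %d: ok=%v locked=%v\n", i, ok, locked)
	}
	ok, locked := guard.Attempt("alice", "correct horse battery staple", demoVerify)
	fmt.Printf("correct password while locked: ok=%v locked=%v\n", ok, locked)
}
```

Two details matter for an audit: the lock is checked before the password is verified, so a locked account gives the same answer for right and wrong passwords, and each lockout event is a natural point to write an audit log entry, which ties this control back to the documentation items earlier in the list.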

What other questions do you have about HIPAA? Leave them below, and we’ll answer them in future posts.


Converge conference in Detroit: Before finding data breach solution, be sure your business is ready to receive it

More from the Converge information security conference in Detroit, this time recapping Enterprise Security Back to Basics presented by Joel Cardella, the director of information security, IT security, governance, risk and compliance at Holcim US.

(Also see a recap of Thursday’s The Challenge of Natural Security Systems.)

Why this back to basics talk? Cardella feels we’re being beguiled by all these large breaches that push people to a solution they aren’t yet ready to receive. He holds that the importance of this talk is getting organizations mature enough to be ready to buy what vendors are selling. It’s about asking if your company is sure you need what is being offered.

The goal for security is being able to become proactive from the normally reactive InfoSec environment. Each single record lost is worth $145 in a data breach. That’s up 15% this year from last year. When breaches affect thousands, or even millions, of records the cost is incredible.

Cardella defines risk as:

Threats x Vulnerabilities x Time = Risk

Threats are not something we can control. Vulnerabilities are things we can control and influence, both directly and indirectly. Time is also in our control. Taking care of something quickly can help drive the risk down. The point: Do what you can to secure your company as quickly as possible to immediately lower risk within your organization.


  • Security requires resources; you must invest in order to get a return.
  • Act/think like an adversary.
  • Find and understand what’s happening in your network. Find your baselines.
  • Document everything. Especially if you deal with audits, you want to have everything written down.
  • Make a plan. Write that plan down. Even if it’s simple, write it down, and then flesh it out over time.
  • Keep your scope small.
  • Go back and do it all again. Verify, and find the things you missed.

Cardella says that in IT, it’s important to understand your business, and how the IT infrastructure supports that business. Knowing how your business uses the infrastructure means you can create and change it to be more effective and secure in the future.

Another really important basic is network segmentation. Not allowing systems to talk to each other within a network means that an attacker cannot break into one section just because they have access to a different section. He admits that this takes a lot of time, and it’s important to seek out an expert who can help with firewall implementation. You also need to test to be sure that your network is actually segmented, not just that it should be.

Managing the accounts that are on your system is incredibly important, and goes back to understanding how your company works and who needs what access. Restrict employee and vendor access to a need-to-know basis. Set up a classification scheme to determine the sensitivity of data, and thus what access certain users need in order to get to the information they need.

At the end of the day, Cardella explains that there is no magic bullet. InfoSec is multi-layered and multi-disciplinary. It costs time, money and resources. Focus on the implementation, not just the technology – that’s where much of the problem is.

Humans are the weakest link, so you can’t take for granted that a great technology is implemented correctly. Always ask “Are you sure?”, and prove that you’re secure through trials, testing, changing and repeating.

