Tag Archives: cybersecurity


Why audit and risk management do not mitigate risk – part II

In my previous post, Risk does not walk alone, I noted both the importance of internal audit and corporate risk management and their often-ignored lack of relevance to the business of cyber security.

Audit and risk management are central to the financial services industry

Just because audit and risk management are central to the financial services industry does not make them cyber security countermeasures. Imagine not having a firewall but having an extensive internal audit and risk management activity – the organization and all of its paper, policy and procedures would be pillaged in minutes by attackers.

Risk management and audit are “meta activities”

In the financial industry you have risk controls, which are the elements audited by internal audit and managed by risk management teams. The risk controls are the defenses, not the bureaucracy created by highly regulated industries. So you can have a risk control of accepting (deciding not to have endpoint security and accepting the risk of data loss from employee workstations), mitigating (installing endpoint DLP agents) or preventing (taking away USB ports and denying Internet access), etc. This is analogous to a bank accepting risk (giving small loans to young families), mitigating (requiring young families to supply 80% collateral), and preventing (deciding not to give loans to young families).

The important part is to understand that risk management and audit are “meta activities” and not defenses in their own right.

Why risk management often fails in cyber security operations

We note that attempts to apply quantitative risk management to cyber generally do not work because the risk management professionals do not understand cyber threats and equate people and process with mitigation.

Conversely, cyber-security/IT professionals do not have the tools to estimate asset value. Without taking asset value into account, it is impossible to prioritize controls, as every car owner knows: you don’t insure a 10 year old Fiat 500 like you insure a late model Lexus RC F.

Unfortunately for the lawyers and regulatory technocrats – while they are performing cross-functional exercises in business alignment of people and processes – the bad guys are stealing 50 Million credit cards from their database servers having hacked their way through the air conditioning systems.

Why cyber, regulatory and governance need to be integrated

Risk management prioritizes the application of controls (cyber countermeasures) according to control cost, asset value and mitigation effectiveness, and internal audit ensures compliance with the company’s cyber, regulatory and corporate governance policies.
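As an added illustration (not from the original post), here is a small model of that prioritization: asset value, annual threat rate, control cost and mitigation effectiveness are combined into an annual loss expectancy and a net benefit per control, using the accept / mitigate (DLP agents) / prevent (remove USB and Internet) options from the text. All asset names, values, rates and costs are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    value: float        # worth of the asset to the business; only its owner can supply this


@dataclass(frozen=True)
class Threat:
    name: str
    asset: str          # asset the threat acts on
    annual_rate: float  # expected occurrences per year
    damage: float       # fraction of the asset's value lost per occurrence (0..1)


@dataclass(frozen=True)
class Control:
    name: str
    cost: float         # annualized cost of the countermeasure, including side effects
    mitigates: dict     # threat name -> fraction of that threat's loss it removes (0..1)


def annual_loss(threat: Threat, assets: dict[str, Asset]) -> float:
    """Annual loss expectancy for one threat: rate x damage fraction x asset value."""
    return threat.annual_rate * threat.damage * assets[threat.asset].value


def prioritize(assets: list[Asset], threats: list[Threat],
               controls: list[Control]) -> list[dict]:
    """Rank controls by net annual benefit (risk removed minus control cost).

    A control whose cost exceeds the risk it removes is a candidate for
    'accept the risk' rather than 'implement'.
    """
    asset_map = {a.name: a for a in assets}
    ale = {t.name: annual_loss(t, asset_map) for t in threats}
    rows = []
    for c in controls:
        removed = sum(ale[t] * eff for t, eff in c.mitigates.items() if t in ale)
        rows.append({
            "control": c.name,
            "risk_removed": removed,
            "cost": c.cost,
            "net": removed - c.cost,
            "decision": "implement" if removed > c.cost else "accept risk",
        })
    return sorted(rows, key=lambda r: r["net"], reverse=True)


# Constructed scenario (hypothetical names and numbers): the workstation
# data-loss risk with its mitigate/prevent options, plus a low-value asset.
THREATS = [
    Threat("workstation-data-loss", "engineering-workstations", annual_rate=0.5, damage=0.25),
    Threat("menu-site-defacement", "cafeteria-menu-site", annual_rate=2.0, damage=0.5),
]
CONTROLS = [
    Control("endpoint-dlp-agents", cost=90_000, mitigates={"workstation-data-loss": 0.75}),
    Control("remove-usb-and-internet", cost=160_000, mitigates={"workstation-data-loss": 0.875}),
    Control("waf-for-menu-site", cost=24_000, mitigates={"menu-site-defacement": 0.75}),
]
# Same threats and controls for two businesses: the 'Lexus' and the 'Fiat'.
LEXUS_ASSETS = [Asset("engineering-workstations", 2_000_000), Asset("cafeteria-menu-site", 16_000)]
FIAT_ASSETS = [Asset("engineering-workstations", 200_000), Asset("cafeteria-menu-site", 16_000)]

if __name__ == "__main__":
    for label, assets in (("high-value assets", LEXUS_ASSETS), ("low-value assets", FIAT_ASSETS)):
        print(label)
        for row in prioritize(assets, THREATS, CONTROLS):
            print(f"  {row['control']:<26} removed={row['risk_removed']:>10,.0f} "
                  f"cost={row['cost']:>9,.0f} net={row['net']:>10,.0f}  {row['decision']}")
```

With the same controls and the same threat rates, the high-value business implements DLP agents first, while the low-value business correctly accepts every risk; only the asset value changed.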

Because these 3 areas (cyber, regulatory and governance) are increasingly entangled and integrated (you can’t comply with HIPAA without dealing with all 3), it becomes supremely important to integrate the 3 areas because A) it’s expensive not to and B) not integrating them creates considerable exposure by leaving “cracks” in compliance. Witness Target.

At a major Scandinavian telco – we counted over 25 separate functions for security, compliance and governance a few years ago  – and it was clear that this number needed to converge to 2 – risk and cyber and an independent audit unit. Whether or not they succeeded is another story.

Tell your friends and colleagues about us. Thanks!
Share this

Privacy, Security, HIPAA and you.

Medical devices, mobile apps, Web applications – storing data in the cloud, sharing with hospitals and doctors. How do I comply with HIPAA? What applies to me – the Security Rule, the Privacy Rule or both?

Consider a common use case these days: you’re a medical device vendor and your device stores health information in the cloud. You have a web and/or mobile application that enables doctors and hospitals to access the data from your device as part of their healthcare services. If you operate in the United States, what HIPAA regulations apply? Do you need to comply with the Privacy Rule, the Security Rule or both?

There is a good deal of confusion regarding the HIPAA Privacy and Security Rules and how things work. In this article, we will examine the original content of the HIPAA regulation and explain who needs to do what.

What is the Privacy Rule?

The HIPAA Final Rule (enacted in Jan 2013) has 2 pieces – the Privacy Rule and the Security Rule.

The Privacy Rule establishes standards for the protection of health information. The Security Rule establishes security standards for protecting health information that is held or transferred in electronic form. The Privacy Rule broadly defines ‘‘protected health information’’ as individually identifiable health information maintained or transmitted by a covered entity in any form or medium. The Privacy Rule is located at 45 CFR Part 160 and Subparts A and E of Part 164.

Who needs to comply with the Privacy Rule?

By law, the HIPAA Privacy Rule applies only to covered entities – health plans, health care clearinghouses, and certain health care providers. However, most health care providers and health plans do not carry out all of their health care activities and functions by themselves. Instead, they often use the services of a variety of other persons or businesses, and transfer/exchange health information in electronic form to use these services. These “persons or businesses” are called “business associates”; see 45 CFR 164.502(e), 164.504(e), 164.532(d) and (e), and 45 CFR § 160.102 and 164.500.

What is the Security Rule?

The Security Rule operationalizes the Privacy Rule by addressing the technical and non-technical safeguards that the “covered entities” and their business associates must implement in order to secure individuals’ “electronic protected health information” (EPHI). The Security Rule is located at 45 CFR Part 160 and Subparts A and C of Part 164.

Who needs to comply with the Security Rule?

Since it is an operational requirement, the Security Rule (by law) applies to covered entities, business associates and their sub-contractors. While the Privacy Rule applies to protected health information in all forms, the Security Rule applies only to electronic health information systems that maintain or transmit individually identifiable health information. Safeguards for protected health information in oral, written, or other non-electronic forms are unaffected by the Security Rule.

Business associate liability

Section 13404 of the HITECH Act creates direct liability for impermissible uses and disclosures of protected health information by a business associate of a covered entity “that obtains or creates” protected health information “pursuant to a written contract or other arrangement described in § 164.502(e)(2)” and for compliance with the other privacy provisions in the HITECH Act.

Section 13404 does not create direct liability for business associates with regard to compliance with all requirements under the Privacy Rule (i.e., does not treat them as covered entities). Therefore, under the final rule, a business associate is directly liable under the Privacy Rule for uses and disclosures of protected health information that are not in accord with its business associate agreement or the Privacy Rule.

Permitted use of EPHI by a business associate

While a business associate does not have health care operations, it is permitted by § 164.504(e)(2)(i)(A) to use and disclose protected health information as necessary for its own management and administration if the business associate agreement permits such activities, or to carry out its legal responsibilities. Other than the exceptions for the business associate’s management and administration and for data aggregation services relating to the health care operations of the covered entity, the business associate may not use or disclose protected health information in a manner that would not be permissible if done by the covered entity (even if such a use or disclosure is permitted by the business associate agreement).

Taken from the Federal Register

General Definitions

See § 160.103 for HIPAA general definitions used by the law – definitions of business associates, protected health information and more.

Summary

  • The Privacy Rule establishes standards for the protection of health information.
  • The Security Rule establishes operational security standards for protecting health information that is held or transferred in electronic form.
  • The Security Rule applies only to electronic health information systems that maintain or transmit individually identifiable health information. Safeguards for protected health information in oral, written, or other non-electronic forms are unaffected by the Security Rule.
  • Business associates do not have direct liability for compliance with all requirements under the Privacy Rule (i.e., they are not treated as covered entities). A business associate is directly liable under the Privacy Rule for uses and disclosures of protected health information that are not in accord with its business associate agreement or the Privacy Rule.


Dealing with DLP and privacy


It’s a long hot summer here in the Middle East and with 2/3 of the office out on vacation, you have some time to reflect on data security. Or on the humidity. Or on a cold beer.

Maybe you are working on building a business case for DLP technology like Websense, Symantec, Verdasys, McAfee or Fidelis in your organization. Or maybe you already purchased DLP technology and you’re embroiled in turf wars that have brought your DLP implementation to a standstill, because one of your colleagues is claiming that there are employee privacy issues with DLP, and you’re trying to figure out how to get the project back on track after people get back from their work-and-play vacations in Estonia, brushing up on their hacking skills.

Unlike firewall/IPS, DLP is content-centric. It is technology that drives straight to the core of business asset protection and business process.  This frequently generates opposition from people who own business assets and manage business process. They may have legitimate concerns regarding the cost-effectiveness of DLP as a data security countermeasure.

But people who oppose DLP on grounds of potential employee privacy violations might be selling Sturm und Drang to further a political agenda. If you’re not sure about this, ask them what they’ve done recently to prevent cyber-stalking and sexual harassment in the workplace.

For sure, there are countries such as France and Germany where any network or endpoint monitoring that touches employees is verboten or interdit as the case may be; but if you are in Israel, the US or the UK, you will want to read on.

What is DLP and what are the privacy concerns?

DLP (data loss prevention) is a solution for monitoring/preventing sensitive outbound content, not activity at an endpoint. This is the primary mission. DLP is often a misnomer, as DLP is more often than not DLD – data loss detection – but whatever… Network DLP solutions intercept content from the network, and endpoint DLP agents intercept content by hooking into Windows operating system events. Most of the DLP vendors offer an integrated network DLP and endpoint DLP solution in order to control removable devices in addition to content leaving network egress points. A central command console analyzes the intercepted content, generates security events, visualizes them and stores forensics as part of generating actionable intelligence. Data that is not part of the DLP forensics package is discarded.

In other words, DLP is not about reading your employees’ email on their PC. It’s about keeping the good stuff inside the company. If you want to mount surveillance on your users, you have plenty of other (far cheaper) options like browser history capturers or key loggers. Your mileage will vary and this blog does not provide legal guidance, but technically it’s not a problem.

DLP rules and policies are content-centric not user-centric.

A DLP implementation will involve writing custom content signatures (for example to detect top-secret projects by keyword, IP or source code) or selecting canned content signatures from a library (for example credit cards).

The signatures are then combined into a policy which maps to the company’s data governance policy – for example “Protect top-secret documents from leaking to the competition”.

One often combines server endpoints and Web services to make a more specific policy like “Alert if top-secret documents from Sharepoint servers are not sent via encrypted channels to authorized server destinations”.

In 13 DLP installations in 3 countries, I never saw a policy that targeted a specific user endpoint. The reason for this is that it is far easier to use DLP content detection to pick up endpoint violations than to whitelist and blacklist endpoints, which in a large organization with lots of wireless and mobile devices is an exercise in futility.
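As an added illustration (not code from the post or from any DLP vendor), here is a minimal content-centric rule engine of the kind described above: a canned credit-card signature (Luhn-validated, so random digit runs do not alert), a custom keyword signature for a top-secret project, and policies scoped by channel, source server and destination rather than by user. Host names, keywords and the sample traffic are constructed.

```python
import re
from dataclasses import dataclass
from typing import Callable

# ---- Content signatures (the detection layer) ------------------------------

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: separates real card numbers from random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:            # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

# "Canned" signature: 13-19 digit PAN with optional space/dash separators.
_PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def sig_credit_card(text: str) -> list[str]:
    """Return Luhn-valid card numbers in text, redacted to the last 4 digits."""
    hits = []
    for m in _PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            hits.append("*" * (len(digits) - 4) + digits[-4:])
    return hits

# "Custom" signature: constructed keywords marking a top-secret project.
TOP_SECRET_TERMS = ("project nightjar", "codename: blue heron")

def sig_top_secret(text: str) -> list[str]:
    """Return the top-secret markers present in text (case-insensitive)."""
    low = text.lower()
    return [term for term in TOP_SECRET_TERMS if term in low]

# ---- Policies (the governance layer) ---------------------------------------

@dataclass
class Transfer:
    """One piece of outbound content seen by a network or endpoint agent."""
    content: str
    channel: str    # protocol at the egress point, or "usb" for removable media
    src_host: str   # server/endpoint the content came from
    dst: str        # destination host or device

@dataclass
class Policy:
    name: str
    signature: Callable[[str], list[str]]   # what content to look for
    applies: Callable[[Transfer], bool]     # metadata scope; never a user identity

ENCRYPTED = {"https", "smtps", "sftp"}
SHAREPOINT_HOSTS = {"sharepoint-01", "sharepoint-02"}         # constructed
AUTHORIZED_DST = {"partner.lab.example", "dms.corp.example"}  # constructed

POLICIES = [
    Policy("PCI-unencrypted-card-data", sig_credit_card,
           lambda t: t.channel not in ENCRYPTED),
    Policy("top-secret-sharepoint-egress", sig_top_secret,
           lambda t: t.src_host in SHAREPOINT_HOSTS
           and (t.channel not in ENCRYPTED or t.dst not in AUTHORIZED_DST)),
    Policy("top-secret-removable-media", sig_top_secret,
           lambda t: t.channel == "usb"),
]

def evaluate(transfers: list[Transfer], policies: list[Policy]) -> list[dict]:
    """Run every in-scope policy over each transfer and keep only the
    forensics of a match (policy, redacted matches, channel, source,
    destination). Transfers that match nothing are discarded, not recorded."""
    events = []
    for t in transfers:
        for p in policies:
            if not p.applies(t):
                continue
            matches = p.signature(t.content)
            if matches:
                events.append({"policy": p.name, "matches": matches,
                               "channel": t.channel, "src_host": t.src_host,
                               "dst": t.dst})
    return events

# Constructed sample traffic, not a real capture.
SAMPLE_TRANSFERS = [
    Transfer("Invoice for card 4417 1234 5678 9113 attached", "smtp",
             "ws-1042", "mail.partner.example"),          # Luhn-valid PAN, cleartext
    Transfer("Order 1234 5678 9012 3456 shipped", "https",
             "ws-1042", "shop.example"),                  # fails Luhn: no event
    Transfer("Project Nightjar Q3 design review", "https",
             "sharepoint-01", "partner.lab.example"),     # authorized: no event
    Transfer("Project Nightjar Q3 design review", "http",
             "sharepoint-01", "files.unknown.example"),   # cleartext, unknown dst
    Transfer("Codename: Blue Heron budget", "usb",
             "ws-2201", "E:"),                            # removable media
]

if __name__ == "__main__":
    for ev in evaluate(SAMPLE_TRANSFERS, POLICIES):
        print(ev)
```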

We often hear privacy concerns from people who come from the traditional firewall/IPS world, but the firewall/IPS paradigm breaks when you have a lot of rules and endpoint IP addresses, and that is why none of the firewall vendors like Check Point ever succeeded in selling the internal firewall concept.

Since DLP is part of the company data governance enforcement, it is commonly used as a tool to reinforce policy such as not posting company assets to Facebook. 

It is important to emphasize again, that DLP is an alert generation and management technology not a general purpose network traffic recording tool – which you can do for free using a Netoptics tap and  Wireshark.

Any content interception technology can be abused when in the wrong hands, or in the right hands with the wrong mission. Witness NSA.

Making your data governance policy work for your employees

Many companies, (Israeli companies in particular) don’t have a data governance policy but if they do, it should cover the entire space of protecting employees in the workplace from cyber-threats.

An example of using DLP to protect employees is the threat scenario of cyber-stalking, sexual harassment or drug trafficking in the workplace, where DLP can be used to quickly (as in real-time) create very specific content rules, which are then refined to include specific endpoints to catch forensics and offenders in real-time. Just like in CSI: New York.

In summary:

There are 3 key use cases for DLP in the context of privacy:

  1. Privacy compliance (for example PCI, HIPAA, US State and EU privacy laws) can be a trigger for installing DLP. This requires appropriate content rules that key to identifying PHI or PII.
  2. Enforcement of your corporate data governance and compliance policies where privacy is an ancillary concern. This requires appropriate content rules for IP, suppliers and sensitive projects. So long as you do not target endpoints in your DLP rules, you will be generating security events and collecting forensics that do not infringe on employee privacy. In some countries like France and Germany this may still be an issue. Ask your lawyer.
  3. Employee workplace protection – DLP can be an outstanding tool for mitigating and investigating cyber threats in the workplace and at the very least a great tool for security awareness and education. Ask your lawyer.

If you liked this, or better yet hated it, contact me. I am a professional security analyst specializing in HIPAA compliance and medical device security; I’m based in Israel and always looking for interesting and challenging projects.

Idea for the post prompted by Ariel Evans.


Picking Your Way Through the Mime Field


We’re a professional software security consultancy and experienced software developers. Almost 10 years ago, one of our partners proposed that we develop a utility to encrypt Microsoft Outlook email messages. A prototype was developed, but an interesting thing happened when we started talking to potential beta customers: lawyers who had sensitive client information and technology development companies who have valuable intellectual property that they need to protect.

When we asked senior executives what they thought about encrypted email – the answer was universally – “We don’t really care”

Fast forward 10 years and the situation has changed dramatically. We routinely counsel clients to carefully read the terms and conditions of their cloud email service providers. For this reason we generally recommend to our medical and healthcare customers not to use Microsoft SkyDrive due to its problematic privacy policy.

Today – encrypted email is an option you must consider.

Google Does What?

Online security, in particular email security, just got a whole lot more interesting with Google’s revelation that it does read emails it handles. Apparently Google have stated this fact in their submissions to hopefully dismiss a class action lawsuit that accuses them of breaking wiretap laws. I have always maintained that writing to someone via email is akin to writing them a postcard. The content of the email, just like a postcard, can be read en route. Now it’s a bit of a stretch of the imagination to think of the Post Office having someone read all of the postcards that we send, but we still would not write to a friend or colleague about private matters on a postcard. We would seal it in an envelope.

Google, in defense of their position regarding the reading of our emails, say: “Just as a sender of a letter to a business colleague cannot be surprised that the recipient’s assistant opens the letter, people who use web-based email today cannot be surprised if their communications are processed by the recipient’s ECS (electronic communications service) provider in the course of delivery.” This analogy fails to acknowledge the fact that when an assistant opens their boss’s mail they do so with the prior consent of their boss, and they are subject to confidentiality agreements, if not specific then most certainly implied by their position. Google, on the other hand, can make no such claim, because they explicitly then share that scanned information with the National Security Agency (NSA) under the provisions of the Patriot Act. Privacy does not exist when communicating by email; if this is news to you and you want to do something about it today, read on.

Sealing Your Email

If you want to continue using email to send your private communications via any web-based communication service, you are going to have to make use of encryption. Now this isn’t the time to stop reading because you think you can’t be bothered to learn all about that malarkey. Modern email encryption can be extremely easy; take a look at Egress Switch. It’s not like back in the day, when both sender and recipient needed to have bought into the same product; nowadays you can send a friend an encrypted email without having previously set the whole thing up!

Where Do I Sign-up?

Finding the right product for you is important; if you are looking for a corporate solution for private messaging and encrypted mail then it becomes a little more involved.

Software Associates is an experienced IT security consultancy with top-flight consultants and has been operating since 2003, serving large publicly traded companies and small startups with the same care and the highest level of attention to providing cost-effective security countermeasures. If you don’t mind corporate America and big brother reading all of your mail, do nothing; however, if that’s not how you want things to play out, you need to adopt email encryption right now!


Rejuvinating Your Credit Muscles After a Mail Theft Attack

I have always been amused by calculations of the cost of identity theft and data breaches, as I have written here, here, here and here. Not surprisingly, security product and service vendors like Symantec, McAfee and Websense are quick to present statistics regarding the damage to companies due to data breaches of personal information as a means of justifying the purchase of DLP, anti-virus and other endpoint security products.

However, the real damage is not for companies but for consumers like you and me.

It is highly arguable that companies actually suffer significant financial damage from data breaches (outside of a handful of high-profile cases like CVS and Hannaford).  In fact – the lion’s share of damage from a data breach that leads to identity theft is not borne by the merchant or online web site but by the consumer.

Identity theft is a major challenge in America. The 2012 Identity Theft Report conducted by Javelin Strategy and Research revealed that there was one new identity theft victim every three seconds in 2012. That alarming statistic translates to 12.6 million victims affected in 2012, with losses totaling over $21 Billion. Once a person’s personal information was breached, thieves used their information for 48 days on average (in 2012). Though the amount of time identity thieves have had to use information obtained has fallen (from an average of 55 days in 2011 and from an average of 95 days in 2010), victims should still move as quickly as possible if a breach is suspected. If you or a loved one have been victimized, here are a few steps to help you clear your good name and rebuild your credit:

Alerting The Social Security Administration

Identity theft involving a victim’s Social Security number can be more damaging than you could imagine. If you suspect that someone has obtained your social security number for fraudulent purposes, contact the Social Security Administration as soon as possible at 800-269-0271. By doing so, you place officials at the SSA on alert so that activity involving your social security number can be appropriately monitored and, if necessary, deflected.

Alter Any Accounts Affected

If you log in to any online accounts or review statements from your bank and find that you have indeed fallen victim to identity theft, alert those businesses as soon as possible. Close the affected accounts and re-open under a new account.

Often, when accounts are established, you are asked to create a new personal identification number (or PIN) as well as a new password. While you may have established a habit of using certain numbers, if a breach has happened, you will want to avoid using anything that may have also been revealed during the breach. Passwords including the last four digits of your social security number or consecutive numbers (such as 1, 2, 3, 4, etc.) should be avoided. You should also avoid using the name of your spouse or children, your mother’s maiden name, as well as easily obtained data such as your date of birth or telephone number. Make your passwords as difficult as possible to guess. When possible, use numbers or punctuation marks in odd places within the password. This may help prevent fraudulent access to your accounts in the future.

Take Steps to Protect Yourself in the Future

One of the leading methods thieves use to get information about potential victims is through “dumpster diving” or sorting through your trash to find identifying information. While many consumers routinely shred their bank statements or other financial documents, many fail to shred the envelopes those statements come in. According to Paige Hansen, Manager of Educational Programs at Life Lock, failing to shred your documents makes the job of a would-be thief easier, as it practically hands them a piece of your identification puzzle. Hansen advises consumers to not only shred, but to be sure they utilize cross-cut shredding techniques which make piecing together those documents virtually impossible.


Cyber warfare – attack the social fabric of hackers rather than defend

The conventional military paradigm does not fit cyber security

The Cyber Security policy of various countries was shaped by the military, and so cyber security has traditionally been perceived only in the context of a defensive strategy. This strategy is based on intelligence gathering, threat and risk analysis, modeling and monitoring, together with the deployment of defensive technologies such as firewalls, DDoS prevention, intrusion prevention and the use of honeypots. The problem with such a defensive approach to cyber security is that it does not touch the root of the threat.

An offensive strategy for combating cyber terror, using counter-terrorism techniques to dismantle terrorist infrastructures and social fabrics, is a more effective alternative to the defensive strategy.

Hackers’ social networks as a target for attack

Although there are offensive alternatives such as a counter-DDoS attack or developing smart spyware bombs like Stuxnet, the more interesting idea is using a demand-side strategy with the aim of lowering the social value inherent in being a hacker. One can learn from the success of the Italians in fighting Brigatisti terrorism in the late 1970s. The Italian government planted moles in the Red Brigades, spread mistrust within them and thus effectively dismantled the organization.
Attacking the social networks of those who develop and distribute malware requires infiltrating the hacker underground, arresting hackers for criminal offenses and closing deals in return for actionable intelligence.
Given that cyber attacks on Israel are a form of terrorism, I believe this strategy can be effective because it goes directly to the root of the problem and has the potential to take from the hackers their greatest motive – social reward.
Although the idea sounds promising, the main barrier to this strategy is penetrating the hackers’ strongholds and recruiting local law enforcement.
There is no doubt that cooperation between countries, and between various partners inside and outside the State of Israel, is a critical factor for the success of an offensive cyber security strategy.

General mobilization

A cyber security strategy that is not examined by outside people will also never include a correct assessment of the economic viability of security measures, since political considerations will always override common sense.
Representatives of the recently established Cyber Headquarters must work in close cooperation with industry and share with it information about threats and vulnerabilities. Government and military bodies may hold higher-quality intelligence, but in most cases analysts and security technology developers from the business sector hold more up-to-date knowledge.
The effort to defend Israel against a cyber attack will succeed only if it is carried out in coordination between the various government and military bodies, in cooperation with allies and partners from the business sector, and combining high-quality intelligence, a deep understanding of future threats and a balanced review of security measures.

About the author
Danny Lieberman
Born in Washington, lives in Israel. Holds a master’s degree in solid-state physics, is a software security analyst by profession, an amateur but serious saxophone player and a mountain biker.


Is cyber security and mobile device management important in the healthcare industry?


Healthcare and technology go hand in glove more than almost any other sector in today’s business world. This statement is true today and will remain so into the future. Patient records form just one element of the vast mountain of data that is stored and processed every day by all healthcare providers, be they a local GP’s surgery or a teaching hospital. These records are some of the most sensitive data there is, and protecting this data from accidental or malicious access is becoming increasingly difficult.

Just think of the many and varied mobile devices there are today designed to plug in, wirelessly connect or Bluetooth connect to your network or computer system. Can we police and manage these connections? After all, when access is required by bona fide healthcare professionals, this ease of connection and access is a very desirable requirement. But the security of this access is paramount, not least because there is a legally enforceable duty of care to protect this sensitive data.

In an ideal world the holder of any sensitive data would be able to control and audit the sharing of that data throughout its lifetime. That touches on another valid concern, that of when data is irrecoverably deleted; we should look at this issue in another blog. If we accept the premise that no amount of added security can be totally foolproof, what we need is a way of mitigating the risk. The use of encryption technology seems to be the answer. If data is encrypted at rest or in transit between two points, it is less likely to be compromised.

At this point we should consider the implications for the individual data user. Any security system that alters the user’s normal working practices will be resisted and subverted wherever possible. Human nature is not normally predisposed to thinking about security. The average user, in the course of their normal day’s work, will access many different data sources, may transfer data between different media devices and share that data with other users, all quite legitimately. If at every stage of this data interaction they are challenged or required to do something extra that takes time, thought or additional actions, the system will not be adopted or accepted.

The latest generation of security systems has taken note of this human response to security. It has acknowledged the fact that we as users are quite willing to pay lip service to the need for robust security, providing it doesn’t affect our daily lives in an obtrusive way. In just the same way as you would expect your passage to be controlled within a secure building, so your access to data will be, according to your personal privileges, the key being your authentication at the front door or access point. Once inside, your set of privileges dictates your access to the data and the actions that can be performed on it. All of this will be audited for later analysis. These personal privileges should, in a well designed system, be dynamic. By this I mean that your privileges can be modified in real time: what you can do today you might not be able to do tomorrow. Keeping data available on a need-to-have-access basis helps limit the possibility of compromise.

And what of the data that you shared? Where is it now and is it still being controlled securely? Just because it has left your system, has it suddenly become less sensitive? Unlikely! The system should be capable of extending its security to data that has been shared beyond the network. Email and thumb drives are just two easy routes for the leaking of sensitive data. Be sure the system you consider has taken this into account.

I hope this very brief blog has shed some light on the various issues that confront those responsible for the security of the data they hold. You can find out more about cyber security here.


The best cybersecurity strategy may be counter-terror

Danny Lieberman suggests that a demand-side strategy with peer review may work best for cyber-security.

A conventional military paradigm does not work for cyber-security

Government cyber security policy, molded by the military, traditionally frames cyber-security in the context of a defensive strategy based on intelligence gathering, threat analysis, modeling and monitoring, with deployment of defensive network security technologies such as firewalls, DDoS protection, intrusion prevention and honeypots.

The problem with a defensive cyber-security strategy is that it does not address the root cause of threats.

Combating cyber-terror with offensive strategies, using anti-terror techniques to dismantle terrorist infrastructures and social fabrics, is a highly effective alternative to a defensive strategy.

Attacking social networks of hackers

Although there are offensive alternatives such as mounting systematic DDoS attacks on the attackers or developing targeted spyware such as Stuxnet, even more intriguing is the notion of using a demand-side strategy to reduce the social value of being a hacker. We can learn from the counter-terror success of the Italians in the late 60s in dismantling the Brigatisti. The Italian government infiltrated the Red Brigades, bred mistrust and quickly rolled up the organization.

Attacking the social networks of people who develop and distribute malware would involve infiltrating the hacker underground, arresting hackers for criminal activity and cutting deals in return for actionable intelligence.

Since cyber attacks on Israel are a form of terrorism, I believe that this strategy could be effective: it goes directly to the source and potentially denies a key hacker benefit, the social gratification.

While an interesting idea – the key barrier to this strategy is deploying it where hackers operate and obtaining the cooperation of local law enforcement.

It’s clear that cooperation with other countries and a variety of partners inside and outside the Israeli government is a critical success factor for an offensive cyber-security strategy.

Getting more eyeballs on the problem

A cyber-security strategy that is not reviewed by outside people cannot correctly evaluate the economic effectiveness of cyber-security measures since political considerations will always override common sense.

Representatives from the newly formed Israeli Cyber Command need to work closely with private industry and share information about threats and vulnerabilities, since in most cases privately held security technology developers and analysts have better and more up-to-date knowledge of vulnerabilities than government agencies, which may in turn have better intelligence.

The effort to defend Israel in cyberspace will only succeed if it is coordinated across the government, with allies, and with partners in the commercial sector combining high-quality intelligence with deep understanding of evolving threats and peer review of the security measures.


Security sturm und drang – selling fear.

Sturm und Drang is a term associated with literature or music that aims to frighten the audience or imbue them with extremes of emotion.

The Symantec Internet Security Threat Report is a good example of the Sturm und Drang marketing endemic in the information security industry.

Vendors like Symantec sell fear, not security products, when they report on “Rises on Data Theft, Data Leakage, and Targeted Attacks Leading to Hackers’ Financial Gain”, without suggesting cost-effective security countermeasures.

1. Lumps consumers and enterprises together

“End users, whether consumers or enterprises, need to ensure proper security measures to prevent an attacker from gaining access to their confidential information, causing financial loss, harming valuable customers, or damaging their own reputation.”

Since when do consumers have customers? Consumers are insured against credit card theft, and PCI DSS certified merchants are protected from chargeback exposure by their agreement with the acquiring bank. What financial losses do consumers and enterprises have in common?

2. Incorrectly classifies assets, incorrectly uses legal terms

“Symantec tracked the trade of stolen confidential information and captured data frequently sold on underground economy servers. These servers are often used by hackers and criminal organizations to sell stolen information, including social security numbers, credit cards, and e-mail address lists”.

Social security numbers are classified as PII (personally identifiable information), not confidential information. If Symantec is uncertain how to classify this asset, they should read the US state privacy laws and the PCI DSS specification. As a matter of fact, the law does not protect confidential information; it protects a confidence relationship. Once the information is disclosed (and social security numbers are frequently disclosed), a third party is not prevented from independently duplicating and using the information. See Wikipedia.

3. Provides misleading data

“Increase in Data Breaches Help Facilitate Identity Theft”

By not quantifying the threat probability, Symantec deliberately misleads the reader into thinking that cyber threats are the main attack on PII.

Au contraire. The FTC says that most identity theft cases are caused by offline methods such as dumpster diving, stealing and pretexting. According to Applied Cybersecurity Research, “Internet-related identity theft accounted for about 9 percent of all ID thefts in the United States in 2005”.

4. Cites vulnerability stats without suggesting countermeasures

“Symantec documented 12 zero-day vulnerabilities during the second half of 2006”

What is the point of a threat model without security countermeasures?

a. What were the vulnerabilities, and do consumer PCs have the same vulnerabilities as corporate servers behind a Check Point firewall?

b. What are the most cost-effective security countermeasures?

c. Does Symantec recommend that consumers use the same security countermeasures and risk assessment procedures as business enterprises?

See the full report here:
Symantec Reports Rise in Data Theft, Data Leakage, and Targeted Attacks Leading to Hackers’ Financial Gain


Risk assessment for your medical device

We specialize in cyber-security and privacy compliance for medical device vendors in Israel like you.

We’ve assisted dozens of Israeli software medical device vendors that use Web, mobile, cloud and hospital IT networks to achieve cost-effective HIPAA compliance and meet FDA guidance on Premarket Submissions for Management of Cybersecurity in Medical Devices.

As part of our service to our trusted clients, we provide the popular PTA threat modeling tool free of charge, with 12 months of maintenance included and unlimited threat models.

If you’re not a client, contact us now for a free phone consultation.

Software Associates threat models are used by thousands of professional security analysts all over the world who use PTA Professional in their risk and compliance practice.

Download the  free risk assessment software now.

What you get with the PTA Software:

  • It’s quantitative: enables business decision makers to state asset values, risk profile and controls in familiar monetary values. This takes security decisions out of the realm of qualitative risk discussion and into the realm of business justification.
  • It’s robust: enables analysts to preserve the data integrity of complex multi-dimensional risk models, versus Excel spreadsheets that tend to be unwieldy, unstable and difficult to maintain.
  • It’s versatile: enables organizations to reuse existing threat libraries in new business situations and perform continuous risk assessment and what-if analysis on control scenarios without jeopardizing the integrity of the data.
  • It’s effective: helps determine the most effective security countermeasures and their order of implementation, saving you money.
  • It’s database-driven: based on a robust threat data model with the four dimensions of threats, assets, vulnerabilities and countermeasures.
  • It’s management level: with a few clicks, you can produce VaR reports and be a peer in the boardroom instead of a staffer waiting in the hall.
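To make the four-dimensional quantitative model concrete, here is an added worked example (illustrative code written for this page, not PTA’s software or algorithm, and not Software Associates’ threat library). It also answers the objection raised against the Symantec report above: without a threat probability and an asset value you cannot rank controls. The model assumes a simple annualized loss expectancy (asset value × damage fraction × annual rate of occurrence), treats multiple mitigations of the same vulnerability as independent, and orders countermeasures greedily by net annual benefit (risk reduction minus cost). All names and numbers are constructed for the example.

```python
"""Toy quantitative threat model: assets, threats, vulnerabilities, countermeasures.
Added illustration for this page; the ALE formula, the independence assumption
and the greedy ordering rule are this example's assumptions, not PTA's method."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Asset:
    name: str
    value: float                  # replacement / liability value in currency units


@dataclass(frozen=True)
class Threat:
    name: str
    aro: float                    # annualized rate of occurrence (incidents per year)


@dataclass(frozen=True)
class Vulnerability:
    name: str
    threat: str                   # which threat exploits it
    asset: str                    # which asset it exposes
    damage: float                 # fraction of asset value lost per incident, 0..1


@dataclass(frozen=True)
class Countermeasure:
    name: str
    cost: float                   # annualized cost to deploy and operate
    mitigates: Dict[str, float]   # vulnerability name -> fraction of exposure removed


@dataclass(frozen=True)
class ThreatModel:
    assets: Dict[str, Asset]
    threats: Dict[str, Threat]
    vulnerabilities: List[Vulnerability]
    countermeasures: Dict[str, Countermeasure]


def exposure(model: ThreatModel, vuln: Vulnerability) -> float:
    """Annual loss expectancy of one vulnerability with no controls in place."""
    return model.assets[vuln.asset].value * vuln.damage * model.threats[vuln.threat].aro


def annual_loss(model: ThreatModel, applied: List[str]) -> float:
    """Residual ALE with the named countermeasures in place. Mitigations of the
    same vulnerability are assumed independent: residual = product of (1 - eff)."""
    total = 0.0
    for vuln in model.vulnerabilities:
        residual = 1.0
        for name in applied:
            residual *= 1.0 - model.countermeasures[name].mitigates.get(vuln.name, 0.0)
        total += exposure(model, vuln) * residual
    return total


def prioritize(model: ThreatModel, budget: float = float("inf")) -> List[Tuple[str, float, float]]:
    """Greedy implementation order: each step picks the control with the largest
    net annual benefit (risk reduction minus cost) that still fits the budget, and
    stops when no remaining control pays for itself. Returns (name, reduction, cost)."""
    applied: List[str] = []
    plan: List[Tuple[str, float, float]] = []
    spent = 0.0
    while True:
        baseline = annual_loss(model, applied)
        best = None
        for name, cm in model.countermeasures.items():
            if name in applied or spent + cm.cost > budget:
                continue
            reduction = baseline - annual_loss(model, applied + [name])
            net = reduction - cm.cost
            if net > 0 and (best is None or net > best[1]):
                best = (name, net, reduction, cm.cost)
        if best is None:
            return plan
        name, _, reduction, cost = best
        applied.append(name)
        spent += cost
        plan.append((name, reduction, cost))


# Constructed sample model: illustrative figures, not measured data.
SAMPLE = ThreatModel(
    assets={"phi_db": Asset("phi_db", 2_000_000.0), "laptops": Asset("laptops", 200_000.0)},
    threats={"phishing": Threat("phishing", 4.0), "lost_laptop": Threat("lost_laptop", 2.0),
             "sql_injection": Threat("sql_injection", 0.5)},
    vulnerabilities=[
        Vulnerability("phished_creds", "phishing", "phi_db", 0.10),
        Vulnerability("unencrypted_disk", "lost_laptop", "laptops", 0.05),
        Vulnerability("phi_on_laptop", "lost_laptop", "phi_db", 0.02),
        Vulnerability("sqli_in_portal", "sql_injection", "phi_db", 0.50),
    ],
    countermeasures={
        "mfa": Countermeasure("mfa", 30_000.0, {"phished_creds": 0.9}),
        "disk_encryption": Countermeasure("disk_encryption", 15_000.0,
                                          {"unencrypted_disk": 0.95, "phi_on_laptop": 0.95}),
        "waf": Countermeasure("waf", 40_000.0, {"sqli_in_portal": 0.6}),
        "secure_coding": Countermeasure("secure_coding", 60_000.0, {"sqli_in_portal": 0.8}),
        "awareness": Countermeasure("awareness", 20_000.0, {"phished_creds": 0.3}),
    },
)

if __name__ == "__main__":
    print(f"ALE with no controls: {annual_loss(SAMPLE, []):,.0f}")
    for name, reduction, cost in prioritize(SAMPLE):
        print(f"{name:16s} cuts ALE by {reduction:>10,.0f} for {cost:>8,.0f}")
```

On the sample data the unmitigated ALE is 1,400,000, and the greedy order is mfa, secure_coding, disk_encryption, waf, awareness, leaving a residual ALE of 101,000 for 165,000 of annual control spend. Note how the ranking shifts as controls are applied: awareness training is worth 240,000 a year on its own but only 24,000 once MFA has removed 90% of the phishing exposure, which is exactly the what-if analysis that a spreadsheet makes painful. With `budget=100_000` the plan stops after mfa and secure_coding.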

