Tuesday, September 3, 2013

The Collision of Privacy and the Digital Age

With so much to gripe about with the HITECH Act, I bet many people missed a real devil in its details. Under the old HIPAA rules, a breach was defined as a disclosure that put an individual's PHI at "significant" risk – gotta love the specifics! To make things a little clearer, the HITECH Act alters the definition to a "presumption" that a breach of PHI has occurred if that PHI is improperly handled or disclosed. This presumption can be rebutted if the healthcare entity can prove that there was a "low risk" that the PHI was compromised. Glad HHS cleared this up!

Technology in the healthcare sector is advancing rapidly. Cloud, mobile, and other technologies are reducing costs, giving patients more options, and assisting healthcare providers in quickly identifying ailments. As a security professional, I can attest that these technologies are not "low risk". The act of simply transmitting data between vendors, or simply being connected to the Internet, is inherently risky.

Large healthcare providers who have been dealing with HIPAA for years have a head start on HITECH compliance. Mature security plans that safeguard data, IT teams, and dedicated security professionals are commonplace. Because of this maturity, the larger organizations can leverage these new technologies and reduce healthcare costs, putting them at a competitive advantage over the smaller service providers. So what about the smaller providers?

All said, the smaller healthcare providers have some unique advantages over their much larger counterparts. For example, smaller service providers are less likely to have large volumes of patient data to manage, have fewer network connections to protect, and have a more intimate relationship with patients that helps define the technologies that most benefit the patient and the provider. Knowing the risk appetites of both the patient and the service provider is going to be crucial to how healthcare functions - a new dimension of the doctor-patient relationship.

To say the HITECH Act puts the business of smaller healthcare providers at risk may be an understatement. The challenge will be leveraging new technologies while keeping risks low enough to stay off HHS's website for non-compliance – for sure a daunting challenge for the smaller service providers. There will no doubt be a delicate balance between reducing costs and providing good service. More importantly, as a new generation of connected patients comes of age, market forces will dictate that PHI be mobile and easily received. Here are a few things to consider:

1) Assess your current exposure. Before you implement any new technologies, ask what new risks you are assuming by rolling them out. Map those new risks to your current risk mitigation plan, and if you don't have a plan, implement one!
2) Transfer risk to your partners. HITECH obligates a legal chain of accountability from one service provider to another. Make sure you clearly understand the responsibilities of your partners, providers, and subcontractors if there is a breach. Don't get caught on this!
3) Education. Real security happens at the human level. Educate your staff as well as your patients about the implications of improperly using, transmitting, or handling PHI. Humans are the weakest link in any security strategy, but it is far better to have educated humans than those who "didn't know" that taking home a thumb drive with PHI on it was really bad!

With some forethought and planning, the future for small service providers is equally as bright as it is for the large ones. Wapack Labs knows the risks associated with technology and how those risks can be mitigated. We offer full security solutions for small to medium service providers, including HIPAA gap analysis, security architecture, digital forensics, and advanced threat protection. If you have any questions or comments, email me directly – rgamache@wapacklabs.com.


Rick Gamache is Partner and Managing Director of Wapack Labs. Rick is a CISSP with over 25 years in the security sector and has served as an expert security auditor to the private and public sectors.

Monday, September 2, 2013

The Pocket Sized Attack
Back in July, Reuters reported on warnings by a UN team regarding mobile device vulnerabilities.

Last week, I got an email notice from the Facebook gods that once again their policies were changing, among them some updates to the language concerning what data you're sharing from mobile devices.

Four days prior to that, I saw an article in the New York Times about malicious software being installed by clicking on a video link.

And immediately prior to that, Red Sky and Wapack Labs came out with a Priority Incident Report in which it was stated:

"Kaspersky recently reported that five million Android devices have been infected with malware, through Google Cloud Messaging, which allows hackers to send update messages directly to applications installed on a device.[i] The malware is designed to steal the victim's information, including the phone's contact list, and is the most diffused agent in over 97 countries."

As I mentioned previously, one of the most common vectors that bad people use to get at the intellectual property of companies large and small is through you and your contacts.

Being able to hijack a contact list gives hackers a treasure trove of information that would otherwise take multiple phishing attacks over long periods of time to collect. Names, addresses, phone numbers, company info... all of which can be used in very specific social engineering.

I'm delivering a presentation in a few weeks to a group of concerned parents who are exactly the same as every other parent. They are concerned about their children and want to do everything they can to protect them. What makes this group intriguing is that they have extremely high net worth.

Does this make them any different from you and me? Not in the least.

Hackers will use any vector they can to get the information that they need. High net worth individuals tend to be in CXO type positions or have significant influence in their companies. If their children are not using safe online practices, it could expose the parent to attacks both physical and cyber.

These days, most parents will have their children listed as contacts and vice versa (at least one would *think* so). To the hacker, it's all about who is in your contact list and how that information can be exploited. They have no problem compromising a child's mobile device to gain access to the home networks of powerful people.

For some reason, the folks I speak to tend to believe that cyber attacks will only occur on their laptop, home computer, or company network. They forget that the device they hold in their hand is a 4 ounce key to their entire life, sometimes much more powerful and valuable than anything on their daily PC.

Just because you can fit it in your pocket doesn't mean it is any less susceptible to compromise.

Stay vigilant, stay up to date with your security patches, and for goodness sake, don't click that sketchy Facebook video link on your phone.