Archive by Author
LOGO-CIO

One Cheap and Easy Thing All Companies Can Do to Boost Security

July 26, 2012 by Stephanie Crabb 0 Comments

Event logs are the basic text of what happens in your corporate systems. So why do so many companies ignore them?

We love this blog post by Constantine von Hoffman - http://advice.cio.com/security/17256/one-cheap-and-easy-thing-all-companies-can-do-boost-security which we have reposted below.

In fact, we had a vibrant discussion about this very topic internally yesterday.  We might take a bit of exception to the assertion that log review is “cheap and easy.”  I mean, if it were so cheap and easy, wouldn’t most organizations be doing it?

What we find in healthcare is that the logs are so voluminous because there are so many disparate systems and devices in play.  Most organizations report to us that it is simply impossible, based on the way they are resourced, to have any kind of meaningful log review and log management program.  Further, it is hard to translate for the “non-techies” in risk management how this process is vital to enterprise risk management.  So what happens?

Higher performing organizations are collecting and archiving the logs from most of their systems so that they have them “handy” in the event that they need them to support an investigation or incident response.  Maybe a few of those high performers review logs for their high value/high risk systems routinely.  The highest performers have dedicated the resources required – through the internal investment in tools and/or staff or via outsourcing to an MSSP – to implement an operationally-relevant and compliance-aware log management program.

That said, more often than not, we encounter organizations that don’t know what they are collecting, how they have auditing capabilities enabled in their systems, and have no log review or log management program in place.

The operational relevance is obvious, but in healthcare, we have that little regulation better know as the HIPAA Security Rule that specifically culls out “user activity monitoring” as an implementation specification.  An effective log management program goes a long way to meeting this compliance requirement.

Based on the recent summary report from the first 20 OCR audits,  what was the single greatest deficiency or area of non-compliance vis-a-vis the HIPAA Security Rule?  You guessed it (and if you are a regular reader, you’ve read it here before)…User Activity Monitoring.

In our discussions with OCR, it is clear that this facet of an organization’s information security program is going to continue to be carefully reviewed and scrutinized.  So, whether via a formal audit, breach or complaint investigation, be prepared to have your log management program under the microscope.

It is our belief, from our 10+ years of experience and service to the healthcare industry, that few organizations are on a trajectory for IT security staffing to effectively implement an organic log management program.  After all, your core business is healthcare and your team should be focused on the enablement of care.  As we have mused in previous posts, maybe this is the time for organizations to make an active choice to engage security experts to support their security functional requirements, particularly those that really lend themselves well to outsourcing, like log monitoring and management.

Of course, at CynergisTek, we have a solution for this and we would be happy to talk with you more about what we are doing and how we have chosen to help our clients address this gap.  But what we really hope this post compels, is a change in the conversation that you are having internally.  Does it really make sense to build an information security empire within your healthcare organization or does it make better sense to be a healthcare center of excellence that practices good security?  That is a strategy and tactical discussion that we would love to support you with if our experience can be of help.

Make it a good day!

 

————————————————————————————————————————————–

The business equivalent to the personal -security sin of using the word “PASSWORD” as your password: Not collecting and reviewing the data from all your system logs. Chances are you’re not doing that. And you should feel guilty about it. But you can take some comfort in knowing you’re not alone.

“Relatively few do it,” says Sherri Davidoff, co-author of the startlingly well-written new book Network Forensics: Tracking Hackers Through Cyberspace. “Mostly it’s companies in the financial sector which are at risk of losing money directly from being attacked.”

The truth is most companies don’t know when they’ve been hacked. That’s not just Davidoff’s opinion. I’ve been told the same thing by folks in the security industry and in law enforcement. One agent from the FBI said he stopped counting the number of times he told IT execs about attacks that they knew nothing about.

Why does this happen? Companies don’t regularly review their event logs to see what’s going on in their own systems.

It astounds me that checking event logs is so uncommon. It’s kind of like checking to make sure you didn’t leave the key in your door lock, folks. You’re probably wagging your head in disbelief, too, because no CIO.com reader could be that clueless…could they?

Just in case you decide to pass this post along to someone who works at one of those other companies, I will explain why event logs matter:

  • They contain lots of info directly relating to your network, like DHCP lease histories and/or network stats.
  • They include records of network activity including remote login histories.
  • Because they have been transmitted over your network they create network activity.

If you want to find anomalies or unauthorized/unexpected users, the information is all there in event logs.

What is even more baffling about the fact that these logs so frequently go unreviewed is that companies don’t have to check logs manually. They don’t have to sort through all the different log formats to figure this stuff out. There are a lot of programs that will do all of this. All you have to do is read the report.

“You want to make sure you’re not the lowest fruit on the tree; that you’re not the most vulnerable,” says Davidoff. “Fortunately or unfortunately, that’s not that hard to do.”

PS: I read a lot of computer-related books. In most cases I would rather try to read machine code. That is why I have to point out that Network Forensics is actually well-written. It is a text book that you can read and really learn things from. You probably went to college, so I don’t have to tell you how rare that is.

Articles
, , , , , , ,
LOGO-EHR Incentive Program

It’s Official…CMS Audits of Meaningful Users Commence

July 24, 2012 by Stephanie Crabb 0 Comments

From Ober Kaler’s Health Law Alert Newsletter, 2012: Issue 12 – Focus on HIPAA/Privacy we learn from James B. Wieland and Joshua J. Freemire that it is “unofficially official” – audits of meaningful users have begun.

Are Mandatory 14/15 the chink in a meaningful user’s armor?  After all, the other core measures are explicit and require daily measurement.  Most meaningful users have cracked the code on such measurement and reporting.  But what is the measurement to demonstrate that your organization is “protecting electronic health information” with the same vigilance and accountability as you perform against the other core measures?

Did you perform or review a risk analysis consistent with the ONC’s published guidance?  A real risk analysis?

Do you have a documented plan to remediate any deficiencies or unacceptable risks? 

How do you document your performance against that plan?  It is probably unrealistic, impractical or of little value to measure daily, but can we agree that a monthly “status” is reasonable?  If so, is your organization performing to that level?

Do not let the simplicity of the “check box” for Mandatory 14/15 on the attestation profile fool you into a false sense of security (no pun intended) about your organization’s performance.  In fact, in its simplicity it may represent the greatest risk to your organization in the event of an audit.

The cost/benefit analysis here is really a no-brainer when you consider the penalty for a fraudulent attestation could be as much as 3x the stimulus your organization has received.  If there is any doubt in your organization’s mind that you have met the requirement of Mandatory 14/15, now is the time to take action.

Wieland and Freemire write:

A number of health care providers that attested to Meaningful Use for Stage 1 have received a letter from an Figloiozzi and Company, acting as CMS’s auditor for the EHR Incentive Program (the “Program” or “Meaningful Use Program”), requesting certain records related to the attestation. CMS has not, as of this writing, made any announcement of this audit initiative or of the engagement of Figloiozzi and Company. While it is always good policy to confirm the identity and authority of any entity claiming a right to review or audit records, these letters are legitimate. Citing its statutory authority under the American Recovery and Reinvestment Act (ARRA), and without any fanfare, CMS has begun to audit the attestation materials.

The letters from Figloiozzi and Company, as the Department of Health and Human Services (HHS) Secretary’s designee, request four categories of information:

  • Audited entities are asked to produce a copy of their certification from the HHS Office of the National Coordinator for Health Information Technology for the technology they used to meet Program requirements. Presumably, this documentation will be used to demonstrate that the entity “possesses” a certified Electric Health Record technology system as required under Program rules.
  • Audited entities are asked to provide documentation to support the method (observation services or all emergency department visits) they chose to report emergency department admissions. This distinction plays a large role in several of the Program requirements as it determines which patients were included in the denominators of certain meaningful use core and menu items.
  • Audited entities are asked to supply supporting documentation with regard to their completion of the attestation module responses as to core set objectives and measures. While the audit letter’s request is not specific, it would appear that this request is intended to solicit information beyond that already provided to CMS as part of the attestation process. A hospital might consider, for instance, producing reports substantiating the encounters that gave rise to the calculation relied upon to successfully attest. Such reports should be deidentified.
  • Audited entities are asked to supply supporting documentation with regard to their completion of the attestation module responses as to “menu set” or voluntary, objectives and measures. Again, the information request appears to solicit a level of information beyond that provided in the attestation documents themselves.

Based on questions from recipients, an amended version of the audit letter has been sent out, adding “(i.e., a report from your EHR system that ties to your attestation)” to the latter two categories of requested documentation. This clarifies that the audit letters seek additional detailed information but are not, at this time, requesting identifiable or detailed patient records.

The audit letters do not provide audited entities much time to respond – a short, two-week response time is specified. Unfortunately, it is also unclear how audit candidates are selected, so hospitals and professionals will not be able to “plan ahead” for an audit they can be certain is coming.

You may also appreciate an article on FierceEMR today by Marla Durben Hirsch on this topic:  CMS starts Meaningful Use attestation audits – FierceEMR http://www.fierceemr.com/story/cms-meaningful-use-attestation-audits-providers/2012-07-23#ixzz21VMMAsFc

To learn more:
- here’s some general information from CMS
- read the GAO report
- check out the FAQ

Articles
, ,
LOGO-2012 Most Wired

Hospitals & Health Networks Releases 2012 “Most Wired” Survey

July 11, 2012 by Stephanie Crabb 0 Comments

2012 Survey Dives Deeper into Information Security and Data Protection Practices 

With a little nudge and some suggestions from CynergisTek, and an active and interested listener in Suzanna Hoppszallern from H&HN, the 2012 Most Wired Survey included its most robust information security question set to date.

In recent years, and particularly with the rise of the EHR and information exchange, we found ourselves asking, “Can a health system really be considered or consider itself ‘most wired’ if it does not have a high-performing security controls environment worthy of the moniker?”  So, rather than ask ourselves that question for another year, we approached Suzanna Hoppszallern who was extremely interested in our thoughts and thought process.  The result was a revised and more detailed set of information security and data protection related questions in the 2012 survey.

So, what were the findings?  As conveyed in the featured cover article in H&HN this month:

Most Wired hospitals are more prepared than their counterparts for security breaches and employ more advanced security tools to protect patient data. Ninety-three percent of Most Wired hospitals employ intrusion detection systems compared with 77 percent of the total respondents. “Half of risk mitigation is knowing what is going on in your enterprise,” says Mac McMillan, CEO, CynergisTek Inc., and former chair of a Healthcare Information and Management Systems Society’s security working group. “Most Wired hospitals are implementing more sophisticated IT security architectures and are better informed.” Many organizations still do not perform risk analyses and penetration testing on a regular basis. “What it tells us is that we still have relatively immature risk management for the most part in the industry,” McMillan says.

Here are a couple of excerpts from the survey data:

Annual testing and risk assessments

Security measures hospitals use for authorized users


Over 200 hospitals and health system earned the 2012 “Most Wired’ designation and their commitment to information security, patient privacy and data protection as reflected in the more rigorous survey process is to be commended.

For the full H&HN article visit: http://digital.hhnmostwired.com/DigitalAnywhere/viewer.aspx?id=2&pageId=1

Articles
, , , ,
LOGO-HHS

Alaska DHSS settles HIPAA security case for $1,700,000

July 5, 2012 by Stephanie Crabb 0 Comments

The $1.7M fine levied on the Alaska Department of Health and Social Services should peak the interest of compliance officers and risk managers across the healthcare industry.

One stolen USB storage drive.  501 Medicare beneficiaries.  A mandatory report to OCR with its customary investigation. A $1.7M fine. A Resolution Agreement. A Corrective Action Plan.   Three years of independent monitoring of its compliance.

These are the new stakes associated with data breaches. In looking specifically to the Corrective Action Plan documented for the Alaska DHSS, its obligations include:

1.  Remediation, Update and Dissemination of Policies and Procedures

2. Workforce Training

3. Risk Analysis and Risk Management Process Remediation

4. Designation of an Independent Monitory for a period of 3 Years

Visit http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/alaska-agreement.html for the detail on the OCR’s enforcement in this case.

Would a reported breach open a Pandora’s Box in your organization?  Most of you that we speak with have a fair amount of anxiety about the health of your HIPAA/HITECH privacy and security compliance posture, but continue to struggle to get executive sponsorship and budget for activities that you consider essential and fundamental to your operations and compliance mission.

The circumstances of this breach provide you the “conversation starter” that you may need to engage or re-engage your leadership around HIPAA/HITECH compliance.  Further, the comments offered by OCR affirm what we have learned through the HIPAA Audit Program about our industry’s opportunities for improvement and compliance program priorities.

Contact us if we can be of assistance.

 

 

Articles
, , , , , , , ,
Shield Over Business Symbols

Where is your ePHI hiding? A data discovery/data loss risk assessment will tell you

June 27, 2012 by Stephanie Crabb 0 Comments

One of the most recent cases of a data breach comes from what, on the surface, may appear to be an unlikely source – powerpoint charts derived from ePHI-rich source data, embedded in a professional presentation, posted on the websites of two medical associations, by one of the world’s leading cancer centers, Memorial-Sloan Kettering.  See the full story here:  http://www.healthcareinfosecurity.com/powerpoint-charts-led-to-breaches-a-4868.

While that may seem like a complicated “it cannot happen to us” scenario, think again.  How many of your esteemed clinicians conduct research, present, and publish?  Not so many?  Let’s try another scenario then.  How many of your employees create, access, use, manipulate, analyze, or transmit ePHI to perform their duties? Have you implemented technical controls that prohibit your employees from moving ePHI from what may be fortified assets to less fortified assets, like a USB drive or workstation hard drive?  In our ten years, we have not met a client yet that is not struggling to understand just how distributed ePHI has become in their environment and gain control over it.

The HIPAA Security Rule is clear – Covered Entities need to have control of their ePHI and safeguard it appropriately.  To gain control, one has to know where it is first.  For many, the challenge lies within unstructured data on employee workstations, file shares, portable media – documents, spreadsheets, databases that employees have created.  Such is the story with Memorial-Sloan Kettering.  But it could very likely be your organization’s story too.

Manual efforts to locate ePHI across the enterprise are fraught with inefficiency and inaccuracy.  As introduced in this follow up article, http://www.healthcareinfosecurity.com/how-to-avoid-exposing-patient-data-a-4891,  Data Loss Prevention (DLP) solutions cannot only help organizations effectively discover ePHI across the enterprise but enforce rules and policies to prevent data loss and data leakage.

For nearly three years, CynergisTek has offered clients a structured and affordable way to discovery ePHI across the enterprise and measure data loss/data breach risk by monitoring data-in-motion for a defined period of time.  Contact us  http://blog.cynergistek.com/about/contact-us/ for more information or to request a quote for this service.


Articles
, , , , , , , ,
LOGO-healthcareinfosecurity

WEBINAR – Dept. of Health & Human Services HIPAA Audits: How to Prepare

June 27, 2012 by Stephanie Crabb 0 Comments

Our thanks to the team at healthcareinfosecurity.com for asking CynergisTek to share its firsthand experience with the OCR HIPAA Audit Program.

Friday – June 29, 2012  3:30 PM Eastern (12:30 PM Pacific)Duration: 90 Minutes

Wednesday – July 11, 2012  1:00 PM Eastern (10:00 AM Pacific)Duration: 90 Minutes

 A good way to prepare for federal HIPAA compliance audits is to learn from the experiences of the first organizations audited earlier this year.

This webinar will feature timely insights from a consultant who observed first-hand an audit at a hospital that was one of the 20 initial sites audited under the Department of Health and Human Services’ Office for Civil Rights’ new program. Another 95 sites will be audited by year’s end, and most have yet to be notified.

Join us for this exclusive session, when you’ll gain a clear understanding of:

  • The audit process and protocol and how to prepare for the experience;
  • The level of rigor in the audit process and the expectations of the auditors;
  • The essential steps to take to prepare staff, including insights on how to successfully interact with the auditors.

Background

The HITECH Act called for HIPAA compliance audits as part of an effort to help ensure compliance with its privacy and security provisions. The HHS Office for Civil Rights has completed the first 20 pilot audits, and it plans to complete another 95 by the end of this year.

Those to be audited will be notified in phases in months ahead. How can you help ensure your organization is well-prepared if it’s selected? By learning from the experiences of those who’ve been through the audit experience.

This webinar will feature timely insights from an experienced consultant who aided a client with its audit, from start to finish.

The protocol for these assessments presents a rigorous audit experience that emphasizes the need for readiness, consultant Mac McMillan stresses.

McMillan’s experience advising a client who was audited provided valuable direct visibility into how these audits are conducted, the expectations of the auditors and the process. This session is designed to chronicle that experience and provide insights into how to improve your readiness posture.

In this webinar, you’ll learn:

  • What the audit process looks like and what to expect;
  • How to prepare for the document request requirements;
  • How to prepare your staff for successful interaction with the auditors;
  • How to prepare all your departments for the audit process;
  • How to review your information security program to understand weaknesses;
  • How to prepare your response.
Events
, , , , , , , ,
Older Entries

%d bloggers like this: