Krone: “There’s an awareness that trusting the IT department won’t hold up with regulators.”

Cyber Rules: What to Guard Against

October 28, 2015 | By Rayna Katz

NEW YORK CITY—As the world-at-large grows more aware of cyber security—which will be the topic of conversation at a conference here in December—new mandatory requirements from financial industry oversight organizations, as well as strongly worded advice, concerning preparedness and the means to address a breach are becoming more prevalent.

The rise in guidance, of course, would impact investment banks with commercial real estate divisions, and will likely trickle down to other types of companies. And while some companies leave the matter of cyber security in the hands of information technology departments, this increased crack down has led some executives to question that strategy.

“More and more, with company directors facing liability, there’s an awareness that trusting what the IT department is saying isn’t sufficient and it’s not going to hold up with regulators,” says cyber security expert Winston Krone, managing director of Kivu Consulting. “We’re getting more calls from general counsels who want a better investigation.”

Those corporate lawyers have reason to be paranoid, he notes. Earlier this year, the NYS Dept. of Financial Services issued a letter to CEOs, CIOs and general counsel officers stating that the organization “has expanded its information technology examination procedures to focus more attention on cyber security.”

The letter goes on to demand of each organization a 16-part detailed report that, in part, outlines specific systems in place to safeguard information, describes an entity’s ‘incident report program’ and even includes the job description or resume of the CIO or person overseeing cyber security.

Rules such as these likely will spread to more states, asserts Krone. “Other states will simply copy what New York is doing. Regulation only will increase, it’s not going to go down.”

Other oversight organizations, including the Financial Industry Regulatory Authority and the Securities and Exchange Commission, have been conducting surveys and—in reports issued throughout the year—are urging members to take numerous proactive steps to guard cyber security.

Meanwhile, in its annual survey of mid-market companies, Deloitte notes a hefty rise in both the cost of a cyber security breach and some concerning new cyber attack trends.

“The average cost of a data breach increased by 23% between 2013 and 2015, with an average price tag of nearly $3.8 million per breach,” the report says, citing data from Ponemon Institute. Further, Deloitte & Touche partner Adnan Amjad, who leads Deloitte’s cyber threat management practice, says in the report, “An issue of particular concern for mid-sized companies is enacting training to spot the types of attempts to get information.”

Hackers are becoming increasingly sophisticated with a number of techniques, he adds, “including personal details about employees that convince even the most skeptical employees within organizations to divulge proprietary information or even write a check.”

Also of note, according to the research, is an increased risk faced by firms that allow employees to access and send information remotely. “It’s relatively easy to exploit and harder to cope with from an IT perspective,” Amjad reveals. “Organizations are well-served if they have the ability to remotely delete files on devices that are lost or otherwise exit the company.”


Read the full article here

The misnomer of HIPAA compliant software is prevalent in the health care industry. Too often, HIPAA-regulated entities rely on vendor controls and claims of compliance as a substitute for their own HIPAA security programs. While the vendor software itself may meet the requirements of HIPAA compliance for the discrete functions it performs, the truth of the matter is that no software or system that handles Protected Health Information (PHI) is HIPAA compliant until it has undergone a risk assessment by the regulated entity to determine the efficacy of its security controls in the user’s environment.

Adherence to HIPAA required risk management processes and industry-best practices should protect organizations from attacks. HIPAA requires that both covered entities and business associates maintain a security management process to implement policies and procedures to prevent, detect, contain, and correct security violations. The foundational step in the security management process is the risk assessment, which requires regulated entities to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the entity.

HIPAA compliant risk assessment

NIST Special Publication 800-66 identifies a protocol organizations may use for conducting a HIPAA compliant risk assessment. 800-66 generally identifies nine steps an organization should take in this regard. Significantly, the first two steps of the risk assessment process should be read together to identify all information systems containing PHI and ensure that all PHI created, maintained, or transmitted by the system is being maintained appropriately and that security controls are applied.

In the context of third party software and systems, the risk assessment process should be used to identify hidden repositories of PHI where unintended business functions or improper implementation cause PHI to be located outside of an organization’s secure environment. If third party software and systems are not identified within the scope of a risk assessment, and a disclosure or audit occurs, the government may impose penalties for not conducting a thorough risk assessment. Additionally, there is potential for third party lawsuits if a disclosure results. In a data breach dispute, the argument usually boils down to whether the controls the organization had in place were reasonable to protect PHI. In many cases, the plaintiffs use HIPAA as a standard of care, so that if an organization was not in compliance, the plaintiffs will argue the organization did not take reasonable steps to protect PHI.

While not conducting an accurate and thorough risk assessment may result in regulatory enforcement or litigation risk, failing to identify hidden repositories of PHI may also result in other HIPAA violations. If data is stored outside of its intended repository, it is unlikely that an appropriate data classification and associated security controls have been applied to the hidden repository. The result is that it is unlikely the HIPAA regulated entity is meeting the required technical implementation specifications of the HIPAA Security Rule with regard to the information contained in the hidden repository. In such situations it is unlikely that an organization has appropriate access and audit controls in place on systems that are not intended to store PHI.

Common vulnerabilities in electronic medical record (EMR) software

Software is developed for a specific purpose, such as managing patient information or insurance billing. Software’s core functionality is created during the development cycle, and security may be incorporated into the development process, or it may be an afterthought. Security is optimal when it exists within a software application and the environment where the application is hosted.

  1. At the device level where the software is installed, software integrates with its host operating system, file system and network environment. The intersection between an application and its host environment could create significant PHI exposure risk.
  2. Software, particularly database software, is often vulnerable due to poor security upgrade practices and loose configurations.
  3. Even when security features are established, those features may be changed to appease users or to simplify IT tasks.
  4. Delayed software upgrades or improper upgrade installation may increase the potential for compromise.
  5. External communication channels are often incorporated into software applications to enable functionality, such as transmitting faxes/emails, or to allow access by outside administrative support. These communication channels are often left unsecured with default configuration settings and administrative credentials.
  6. Audit logs are typically developed to support a specific software application, but use of audit logs may be disabled or ignored.

A recent recent data breach investigation

In a recent data breach investigation, Kivu encountered an integrated EMR software solution that stored patient records, including social security numbers (“SSNs”), on a Windows server. While the EMR application had protected access with unique credentials assigned to users, the server itself was accessible to all employees with domain credentials. The EMR software offered complete practice management capability in a single offering (such as patient management, prescriptions ordering and tracking, patient communications and billing).

The EMR software and the server housing the EMR software lacked appropriate controls to secure PHI. The presence of EMR login credentials in text-searchable files potentially negated the use of encryption for the EMR database. Unsecured directories provided the opportunity for any user to browse the server and potentially locate files containing patient data.

The audit capabilities of the EMR software were limited to the EMR database. As a result, externally stored files with patient data were outside the reach of the EMR software. PHI could have been exfiltrated without leaving evidence of file activity. For example, on a Windows computer, a hacker could use a Robocopy command to copy files, and the use of this command would leave no evidence of file access.

Using sophisticated search tools employing data pattern recognition, Kivu was able to identify numerous instances of PHI on the compromised server. The client was surprised by the result because they believed the EMR system was secure and HIPPA compliant. This was a painful lesson in the numerous (and dangerous) ways that sensitive data can leak from an otherwise secure system.

Kivu is a nationwide technology firm specializing in the forensic response to data breaches and proactive IT security compliance. Headquartered in San Francisco with offices in Los Angeles, New York and Washington DC, Kivu handles assignments throughout the US and is a pre-approved cyber forensics vendor for leading North American insurance carriers.

For more information about HIPPA data leakage and HIPAA compliant risk assessments, please read the full paper: Forensic Analysis Reveals Data Leaks in HIPAA Compliant Software or contact Kivu.