My colleague David Holtzman recently wrote a blog post on the OCR resolution agreement with the University of Massachusetts at Amherst (UMass). UMass designated itself as a hybrid entity but did not appropriately identify and designate all applicable functions that engaged in health care activities as inside the health care components (HCC) of its hybrid entity structure under HIPAA. Why might this not be as easy as it sounds?
Verify Your HIPAA Compliance and Test Your OCR Audit Readiness
CynergisTek offers an OCR Mock Audit service designed to verify healthcare organizations’ compliance with the HIPAA Privacy, Security and Breach Notification Rules, and to test audit readiness. CynergisTek’s OCR Mock Audit service is engineered to simulate the actual experience of a random audit conducted by the Office for Civil Rights (OCR), and is administered with the same strict approach and document requests as OCR uses, to ensure audit readiness.
The Office for Civil Rights (OCR) sent a notice that warns of a phishing email scam. The email is for an audit notification and appears to be legitimate at first glance, as it is on an HHS letterhead and includes Director Samuels' signature. Please read OCR's notice below to learn what to watch for if you receive this type of email.
The University of Massachusetts at Amherst (UMass) agreed to a settlement with the Office for Civil Rights (OCR) over allegations that it had violated the HIPAA Privacy and Security Rules after a 2013 incident that resulted in the unauthorized disclosure of patient information of 1,670 individuals. The settlement includes a $650,000 penalty and a two-year corrective action plan.
There are many important aspects to consider in any given penetration test. I have talked at length in other blog posts about many of these considerations. There is one important aspect I have not written much about. It is critically important to determine the amount of foreknowledge that the tester should get. This aspect has a plethora of names but is almost always referred to with the “box” descriptor. In college, I was taught white box, gray box, and black box as the three levels of disclosure related to a penetration test. Many, including CynergisTek, use the term “crystal” in place of “white”. Really, the names are just descriptors – the concept remains the same and that is what’s most crucial.
Our company has many ties to the military and veterans. CynergisTek’s co-founder and CEO Mac McMillan, himself a 21-year veteran of the Marine Corps and former Director of Defense for two Defense Agencies, recently told HealthLeaders Media that veterans often bring many strengths from their time of service to the private sector workforce. “…We look for … people that can operate independently, that are responsible, that we can trust, that we can expect to do the right thing. What we’ve witnessed with many former military folks is that they bring all those things that they learned in the military with them to the private sector. The discipline, organization, the leadership, the commitment.” He also estimates that about 40% of our employees are veterans, and states that the other 60% of us learn a lot from the strengths that the veterans bring to the table.
Based on recent news and the headline of this article, you are likely expecting this will be a discussion of the irresponsible actions of the MedSec and Muddy Waters organizations that outed St. Jude Medical by disclosing vulnerabilities in the medical devices they make. Certainly this is not something I condone or support as the right path to an acceptable end, as it raised fears in the people using those devices, gave the criminal element harmful information and quite possibly caused irreparable financial harm to St. Jude before perhaps the issues identified were even verified. I would argue, however, that the fault for this situation has a much broader cast than the characters represented in this one episode.
Background
Around 8:00 p.m. on September 20th, hackers who were upset about being outed by Brian Krebs, a well-known security and IT journalist, attacked his website with what was then the largest Distributed Denial of Service (DDoS) attack in history. The attack against krebsonsecurity.com was perpetrated using a previously hypothesized piece of malware that takes control of Internet of Things (IoT) devices and uses them to create a powerful botnet (a network of infected systems that will do whatever the controlling party tells it to). This botnet is created using simple vulnerabilities that exist on a large portion of the world’s IoT devices.
Most corporate systems, whether end-user systems or core servers, are guarded by various protections against malicious software. These usually take the form of anti-virus (AV), data-loss protection (DLP), and host-based intrusion detection (HIDS). These protections are useful for defenders because they help systems remain safe, secure, and free from malicious code. At the very least, the hard drive, or non-volatile memory, is typically kept safe.
Recently, in performing my daily due diligence to keep up with the latest news and changes in information security, one article in particular caught my attention. Its topic of SSL encryption, and the related research, are particularly fascinating and new to me as an offensive security professional. The first article was in Dark Reading, and while its title was a bit “click-bait-like,” it is still true: more than 40% of attacks abuse SSL encryption. This did not catch my attention because it was any sort of surprise, but more because it is actually true, and I know it is from personal experience.