10 Technology Tips to Avoid HIPAA Violations – Guest Author at Newegg Business

This week I wrote a guest article for Newegg’s Business blog, Hardboiled. I walked through my 10 Technology Tips on How to Avoid HIPAA Violations.

Take a read!

/s/ HH @LegalLevity

Why Compliance Matters to You; or it Should.

Not long ago I got into an argument with an information security (“infosec”) person about that dirty word we all love to hate, compliance <shudder>. This person’s position was that compliance does not matter and does not advance the state of security “at all.” Sadly, these anti-compliance opinions are remarkably commonplace and often have the opposite of the effect the individual really wants: buy-in from decision makers. The impact of anti-comp opinions on our organizations is pervasive, invasive, and overwhelming.

Non-techies are Technology Empaths

The organizations we work for echo our opinions on tech and infosec. So, if you espouse an anti-comp opinion, the employees around you, as well as those you support and train, will begin to hold those same beliefs. For a large majority of the workplace, the infosec team operates with borderline magical abilities, which means that those who are not technically inclined will adopt the team’s opinions. Put simply, ask yourself a question: if you ran a company and your infosec team did not believe that compliance advanced the state of security, how much would you invest in data security, training, or infosec infrastructure? The answer is as little as possible, because if compliance does not matter to my infosec team, then why should it matter to me?

Data Breaches in 2015:

How many of you received a letter from Anthem, Premera, or CareFirst regarding the theft of your PHI from an unencrypted server? These three BCBS company breaches saw the loss of ~93 million PHI records in the span of six months. In tandem with BCBS, the Office of Personnel Management (“OPM”) discovered catastrophic on-going breaches resulting in ~22 million stolen records, many of which were from top secret security clearance applications. From OPM to BCBS, over 105 million people have had their data stolen this year. The inevitable lawsuits stemming from those breaches will revolve around two primary questions: whether the entities failed to meet industry standards and whether they violated the law; a.k.a. compliance.

Audits and investigations:

Investigations are coming. If you had any doubts or questions about whether the federal government was committed to enforcement actions and audits, read my article on the New Normal of HIPAA breaches, audits, and enforcement. Quickly, the OCR is out there and coming for you whether or not a breach or theft occurs. The OCR plans on auditing 10% of covered entities and 5% of business associates, regardless of whether a breach occurred. Add to this ramped-up investigatory presence the expanding range of penalties, both company and personal, and the case for compliance begins to crystallize. These efforts are not limited to the HIPAA sector either; the FTC recently released its “Start with Security: Guide for Business,” which promises to be a foundation of the FTC’s legal efforts against companies who fail to meet the minimum thresholds of these guidelines. Simply put, no matter what sector you are in, government efforts and spending are ramping up, often at exponential rates, to ensure that organizations with data are in compliance with the law.

Compliance is your friend

Compliance is no longer a four-letter word relegated to the low rung on the budgetary spreadsheet next to birthday cakes and dry erase markers. Compliance departments are becoming larger, more robust, and increasingly well funded every year. What many anti-compliance advocates do not realize is that compliance does advance the state of security, because it gives you a toolbox of legal authority to grab attention and justify spending on what matters to you: advancing information security within your organization. Not only is an anti-comp attitude unproductive, but it can literally impact your ability to do your job or even keep your job. Compliance means you, as an infosec professional, can get that buy-in on the project, tech upgrade, or conference you need to do your job. If you aren’t advocating for compliance in your organization, you should be, because it’s advocating for yourself.

It’s simple – advocate now, or pay later.

/s/ HH @LegalLevity

By the Numbers: 2009-2015 HIPAA Breaches

Here we are six months into 2015 and it’s time for the midway report on what has happened in the world of HIPAA breaches. It bears mentioning that the numbers below are ONLY representative of events impacting 500 or more individuals and reflect reporting up to June 23, 2015. All of the research below is my own and derives from publicly available data.

2015 Breaches: 1/1/15 – 6/23/15

The first numbers below are a breakdown of the sources of breaches in 2015. The percentage after the number shows what proportion of the overall 2015 breaches is attributable to that source. You will note that the numbers listed below do not add up to the total; this is because OCR allows for an “other” designation when no other description fits.

Total number of Breaches in 2015: 93,963,272

Number of Breaches Since 1/1/2015 Attributable to:

Paper: 155,729 (0.1%)

Laptops, Desktops, and Portable Electronics: 295,655 (0.3%)

EMR: 22,203 (0.02%)

Email: 515,901 (0.5%)

Network Server: 92,672,601 (75%)

The numbers for 2015 are clearly skewed towards BCBS and its affiliates and subsidiaries (collectively, “BCBS”). The BCBS breaches account for a tremendous number of impacted individuals. Given the tremendous weight and skewing associated with the BCBS breaches, I decided to control for those numbers and run the same report without the two huge BCBS breaches, a total of 89,800,000.

TOTAL NUMBER OF BREACHES IN 2015 (sans BCBS): 4,163,272

Paper: 155,729 (3.7%)

Laptops, Desktops, and Portable Electronics: 295,655 (7.1%)

EMR: 22,203 (0.5%)

Email: 515,901 (12.4%)

Network Server: 2,872,601 (68.9%)

What’s intriguing is that the numbers are still heavily skewed towards loss attributable to a network server. Even controlling for the huge BCBS numbers, nearly 7 out of 10 stolen PHI records came from hacked network servers.

Historical look at the data on breaches

After running through the numbers for 2015, I decided to do a retrospective and look back at the data since reporting began. Here are the total breach numbers and their sources since reporting began in 2009.

Total Number of Breaches Since 2009: 134,870,039

Number of Breaches Since 2009 Attributable to:

Paper: 1,866,133 (1.4%)

Laptops, Desktops, and Portable Electronics: 13,760,826 (10.2%)

EMR: 2,840,852 (2.1%)

Email: 1,399,920 (1.0%)

Network Server: 102,420,230 (75%)

Once again, these numbers skew heavily towards the most recent 2015 mega BCBS breaches. Once again controlling for those numbers and subtracting them from the report, we get the following percentages.

TOTAL NUMBER OF BREACHES SINCE 2009 (sans BCBS): 34,070,039

Paper: 1,866,133 (5.4%)

Laptops, Desktops, and Portable Electronics: 13,760,826 (40.3%)

EMR: 2,840,852 (8.3%)

Email: 1,399,920 (4.1%)

Network Server: 12,620,230 (37%)

Amazing how, once we control for the 2015 BCBS breaches, the numbers seem to almost normalize into a pattern with roughly 2 out of 5 stolen records coming from Laptops, Desktops, and Portable Electronics, and 2 out of 5 stolen records coming from breached network servers. This means that approximately 80% of all of the breaches come from those two sources. These numbers really give weight to the idea that encryption and heavily investing in network architecture pay off in the end. This is only highlighted by the recent OPM breaches, which were a product of legacy server infrastructure and unencrypted data.

Tarred and Feathered: BCBS, subsidiaries and affiliates

One of the most amazing things I came across in this research was the number of breaches attributable to one organization: BCBS. Of the all-time largest breaches, BCBS is responsible for the number 1 and number 2 spots, and 6 of the top 20 spots.

Total Number of Breaches Attributable to BCBS: 92,803,208

This number represents 68.8% of all breaches since HIPAA reporting began. In full disclosure, my information was stolen in one of their breaches. Even more amazing is the attitude that these breaches are not impacting the individuals who had their data stolen. On the dark web, PHI records often fetch 10-15 times as much money as a credit record and are often much more expensive to fix. According to the recent Medical Identity Fraud Alliance report, the average cost to the individuals who have their information stolen and used is $13,500.

Now is the time for change.

/s/ HH @legallevity

BSides San Francisco 2015 – Recap

On April 19-20 the BSides organization held the 6th Annual BSides San Francisco event. The event was amazing. The range of people, topics, and interactions was incredible. If you have not read up on BSides, take a quick peek now. This organization is doing #infosec right: BSides

I was very fortunate to be asked by BSides to speak on Day 2 about HIPAA.

Among the many amazing people there I got to meet the infamous @banasidhe

The facilities provided by @OpenDNS were fantastic. They provided a great venue in a great location. If you are not familiar with OpenDNS, take a quick peek over at their website and learn about the great work they do: OpenDNS

Turning to my presentation, things started off well and generated a lot of questions.

Also amazing was the live art during presentations. While I spoke, @kellykingman drew out my words:

The art was courtesy of @tripwireinc and organized by @joepetitt2

Before wrapping up and heading back to the real world, there were several questions I promised some attendees I would follow up on; here they are.

1) Third Party Security/HIPAA Gap Analysis: On the web at Parameter Security and twitter @ParameterHacker

2) Third Party HIPAA Compliance: On the web at HIPAATrek and twitter @HIPAATrek

3) Post Regarding 60 Minute Notification Requirements for HIPAA Breach in Texas

4) More information regarding the Alaska Thumb Drive HIPAA Breach

5) Info on the HHS Security Risk Analysis Tool

6) Information on NIST HIPAA Compliance ToolKit

7) Information on what HIPAA requires for Encryption

Thank you again to BSides for an amazing opportunity and thank you for reading my blog. Up next week, I will do a review and walkthrough of HIPAATrek compliance tool!

/s/ HH @legallevity