Category Archives: Identity Theft

What Happens if OCR Shows up – Asking about your HIPAA Compliance?

With only 2 weeks (15 days) left to meet the HIPAA Omnibus Rule, let’s say you have
done everything you could 
possibly do, to be in full compliance with every part of HIPAA:

1.  Finish a current HIPAA Risk Analysis – CHECK
2.  Rewrite Business Associate agreements – CHECK
2.  Rewrite Policies & Procedures – CHECK
3.  Get PHI off the office copiers – CHECK
4.  Gather Documentation in one place – CHECK
5.  Start HIPAA Security Awareness Program – CHECK
6.  Update HR Sanctions Policies – CHECK
7.  Finalize Contingency Plans – CHECK
8.  Add more encryption – CHECK
9.  Implement Plan for Smartphones & Mobile  Devices – CHECK
10. Have staff sign new affirmation Agreements – CHECK

And in spite of your careful preparation, you walk into work on Monday, and the regulators from
OCR are sitting in the Lobby, and they’ve been there since 7:00 AM!

No matter what else you have done, or started, and have not done, your insurance policy is to be
able to pull out your most current (in months, not years) HIPAA Risk Analysis and then pull out all
your supporting documentation including:

1. All information, including network diagrams, on where the PHI is on your network, and the automated
network controls you have implemented.

2.  A record of every application, every database, etc. that hold PHI, are used to create, manage, or
share PHI, in both electronic and paper form.

2.  Rosters going back 3 years of everyone in the organization who’s taken HIPAA training.

3.  A copy of the Policies and Procedures, and Security Plans, printed out and labeled in 3-ring

4.  List of all HIPAA controls that are currently in place and verification documents.

5.  Copies of all Business partners agreements and contracts

6.  A notarized statement signed by the Board Director, CEO or Administrator re-stating
the organization’s Commitment to HIPAA Security & Privacy & Omnibus Rules..

7.  Copies of recent employee surveys validating their stated compliance with all HIPAA
Security,  Privacy, and Omnibus rules.

All of these elements should be printed in their most current versions and put in D-Ring
binders, which you will pull out of a cabinet designed for high security.  Nothing thrills a regulator
or auditor more than getting everything you ask for in a neatly labeled, giant 3-ring binder.

It says “PREPARED”  in a way that having files on the network never will.

And, BTW, you HAVE completed all these steps – right?





Outlook on Risk & Security Compliance in 2012 – What to Expect.

This New Year’s Eve, I thought at times my neighbors were using a rocket launcher and several assault rifles to shoot up the New Year.  Lucky for me,  I spent the awake time to contemplate the outlook for risk, threat and security issues for 2012 and here’s what I see for 2012.

1.  Government-Mandated Compliance Is Here to Stay for the Healthcare Industry.

I remember when the IT departments are many hospitals thought George W. was going to revoke the HIPAA Security Rule.  It never happened, and this year, for the first time, there is a regulatory body in place that is intent on REAL ENFORCEMENT.

The Dept. of Health & Human Services, Office of Civil Rights,  has expanded HIPAA Security and Privacy Rules to include “Business Associates” including lawyers working in healthcare, and the infamous “3rd Party Providers” who do everything from warehouse data to taking over the IT function of a hospital, and this trend will continue as pressure builds from consumers who’s medical and financial data continues to be compromised.

2.  Workplace Violence Prevention will become an OSHA mandate, if not in 2012, at least by 2015.  Based on the slug-like pace of OSHA, who only recently provided directives for high risk industries, and the pressure from the more than 30 states who have passed their own regulations,  the pressure to stop the number of incidents and to lower their intensities will increase and management will be forced to address it as a major corporate issue.

3.  Pressure on the financial industry to protect consumer information will increase.
  Like many other areas, pressure is increasing to prevent the enormous data breaches we saw in 2011, like Tricare, the recent Stratfor hack by Anonymous, Wikileaks and HealthNet breaches.  Consumers are the squeaky wheel and they want the convenience of plastic and internet use, and they will not tolerate breaches, and they are all registered voters!

The FFIEC has already tightened up on both risk assessment standards, as well as
authentication guidelines for all financial institutions.


There will be a increase in requirements for risk assessment as an accountability feature to force managers to maintain better security in all areas of their organizations. 

Accountability means that individual managers will be held responsible for the decisions they make regarding other people’s:

1.  Financial Data

2.  Medical Records

3.  Safety from both Violence & Bullying in their workplaces.

Budgets can be cut, and staff can be reduced but consumers are demanding protection of their information, and themselves, and the regulators will make sure they get it in 2012!

Did you know that Organized Crime now Runs Most Identity Theft rings and That They Already Have Your Personal CC Information?

A recent CNNMoney article looks at why cybercrime has gotten so pervasive and concluded that you have probably already been hacked!

Cybercrime and theft of personal identity elements like credit cards, bank accounts, passwords, etc. has moved from a kitchen industry populated by techy college students in countries like Bulgaria and Romania, to a dependable source of income for organized crime.

Similar to the way Russian crime gangs have infiltrated the shipping-port business, identity theft has become a commodity and they are stealing BILLIONS of dollars every year, including from the world’s largest corporations like Sony and Citigroup.

According to CNN Money, “These aren’t petty thieves. They’re committing breaches like the Sony attack that stole credit card information from 77 million customers and the Citigroup hack that stole $2.7 million from about 3,400 accounts in May. They’re organized, smart, and loaded with time and resources.

“It’s not like the Mafia, it is a Mafia running these operations,” said Karim Hijazi, CEO of botnet  monitoring company Unveillance. “The Russian Mafia are the most prolific cybercriminals in the world.”

The Russian mob is incredibly talented for a reason: After the Iron Curtain lifted in the 1990s, a number of ex-KGB cyberspies realized they could use their expert skills and training to make money off of the hacked information they had previously been retrieving for government espionage purposes. Former spies grouped together to form the Russian Business Network, a criminal enterprise that is capable of some truly scary attacks. It’s just one of many organized cybercriminal organizations, but it’s one of the oldest and the largest.

“The Russians have everyone nailed cold in terms of technical ability,” said Greg Hoglund, CEO of cybersecurity company HBGary. “The Russian crime guys have a ridiculous toolkit. They’re targeting end users in many cases, so they have to be sophisticated.”

Though credit cards continue to be a source of revenue for organized crime syndicates, there’s not much money in credit card theft, so crime rings go after large corporations and sensitive information that can be sold or used for blackmail.

Globally, data breaches are expected to account for $130.1 billion in corporate losses this year, according to the Ponemon Institute. Historically, about 30% of that total cost has been direct losses attributable to the breaches, which would mean about $39 billion will stolen in 2011.

Using a Project Plan for your HIPAA Risk Analysis

When HIPAA first became a law, at the end of 1997, most healthcare organizations were so sure that it would be repealed or rescinded when Bush came into office, that they never quite got around to doing that first risk analysis.

Later, the risk analysis requirement got harder and tougher, when the Office of Civil Rights (OCR) added their guidance document in May 2010, and suggested that in addition to HIPAA Security and HIPAA Privacy, and the HITECH ACT, that organizations should also use NIST Special Publication 800-66 as a reference guide for the risk analysis and the protection of electronic Protected Health Information (ePHI).

The risk analysis has gotten more complicated, by the tightening of requirements, and by the need to include business associates, third party vendors, and an all-hazards threat approach.

Using a detailed project plan as you start the risk analysis is a good way to not only deal with the technical requirements, but also to inform management and stakeholders in the organization what a risk analysis includes, and to outline their potential participation.

There are different roles including IT users who will answer questions related to HIPAA control standards, management who will provide financial data and approve different values, and department managers, who will supervise their own staff and make sure they answer the surveys and cooperate with the analyst in a timely manner.

After the roles have been assigned, the data gathered, the reports approved, the project plan can be used to create the mitigation activites, a corrective action plan, and used to manage and track the new controls that are implemented.

If you’d like to see a HIPAA Project Plan, just email me at









How your health records are safer — or at least you’ll know about all the disclosures now….

Well – it wasn’t a billion dollar bailout and it wasn’t a new ‘public option’, but it was, on September 23rd, the official STARTING DAY of the new HIPAA breach disclosure rule, another tangible effect of the American Recovery and Reinvestment Act of 2009.

The breach disclosure rule is a little unusual in the way it dictates how healthcare entities have to behave if there is a disclosure of YOUR PHI (i.e. Protected Health Information). Your PHI could be interesting little tidbits of information like:

– detailed health info on 1000 Hollywood celebrities, probably all about face lifts, nose jobs and liposuction.

– Details on whose tubes got tied

– Embarrassing information on warts and other disgusting physical problems
– Just info you don’t want everyone to know about.

The new Breach Disclosure rules protect you. Here are some of the details about what the organization that leaked your sensitive info has to do…

If the breach involved less than 500 individuals’ information, then you must be notified within sixty days and “without reasonable delay”. If more than 500 individuals’ information is breached, then the organization has to not only notify the Department of Health and Human Services, but also has to send out a press release and notify the media — film at eleven.

Covered organizations (covered entities) will not be penalized until February 22, 2010. So for now, organizations should make sure they have these disclosure guidelines in place and practice them, including training and awareness exercises, so they will be ready by February.

Organizations must also do an individual RISK ASSESSMENT on each breach to calculate the harm that the breach may do to an individual. For example, whether the breach would affect their health insurance, or their relationship!
There are additional considerations about whether the breach was done in error and actual disclosure was limited; or whether it was malicious disclosure – done on purpose, or for financial gain.

The breach notification rule, in my opinion, is just another manifestation of how serious the government has become about protecting personal information, whether it is protected health information, or personal financial information.

The FTC reported that identity theft is the one number consumer complaint and so protection of your information has moved up to the top of the list. Lucky us

The Latest Risk – Data Center Theft

In November of 2007, a co-location data center with state-of-the-art technological controls in place on all of its equipment was broken into for the fourth time. The burglars simply took a masonry saw and cut out a section of the concrete wall. According to a letter from officials — the night manager was repeatedly tazered and struck with a blunt instrument. After violently attacking the manager, the intruders stole equipment belonging to the data center and its customers and at least 20 data servers were stolen.

So does this mean that we have crossed the threshold where the information is more important than the equipment on which it resides? Even more amazing is that this particular co-location center has experienced more than FOUR break-ins! That’s certainly some kind of record.

My theory is that whenever the economy takes a downturn, robbery, burglary and other petty crimes start going up. White collar crime also starts to increase as employees start feeling that their job may not be secure as they thought – and start helping themselves to whatever the company has given them access to, maybe paperclips, maybe something more interesting.

There’s so much talk about “convergence”, the fusion of physical and information security. I think it is still typical in most companies to handle these two types of security completely separately and when the crime rate is increasing, that’s when you have to make sure that the correct physical controls are in place. In the same vein, the background checks on key personnel should be done more often and certainly should be done for all new employees.

A time-honored mantra for security people has always been “the insider threat is always worse than the outsider threat”. You can see the logic in this immediately, because the trusted insider has access to lots of information and with the use of a thumb drive or memory stick, its easy to get information out of a facility. Many organization ban thumb drives for this reason, but they are also not searching the purses, gym bags and other paraphernalia an employee may bring to work.

Data breaches disclosed by Hannaford Bros Supermarket Chain, GE Money, and Georgetown University are just some of the 167 breaches reported during the first quarter of 2008, up 1/3 over the previous quarter, according to the non-profit Identity Theft Resource Center (ITRC). This is more double the first quarter of 2007 (which was 76 breaches). It is an easy theft with a big upside and you can just sell the information to a sort of electronic fence so you don’t have to do much yourself.

Many of the investigations I have been involved with have uncovered employees doing another kind of theft – capacity theft. They are running their own businesses on the organizations boxes, basically stealing capacity and storage, plus the loss of their time and energy while they are engaging in these practices. This can extend from running sex rings which we have seen in state government data centers as well as a recent incident with Congress, to taking the client lists and selling them to spammers.

So with the external environment making lots of people think they could use a few extra bucks, it is probably a good time for improving access control systems, doing background checks on a more frequent basis, and generally improving the facilities security of your data center. Of course, it goes without saying that you should be doing your risk assessments on a more frequent basis.

Besides doing the security checks, a side benefit is that if you publicize the fact that you are doing an assessment, employees will back off their extracurricular activities on your systems. Once again — the risk assessment is a win-win.

Visit for more Information

Assessing PCI Compliance — World’s Biggest Standard

Everyone has a credit card these days.  Ever take it out and take a good look at that little magnetic strip on the back of a credit card?  It’s only about 2 1/2 inches long and quite thin.  That little strip contains all the personal information about you — your name, address, password, mother’s maiden name, perhaps your social security number and your financial account number and even more information about your account.

Who wrote the program that ended up on that magnetic strip? Are there copies of that magnetic strip information stored somewhere?  And this is only ONE card; you probably have a wallet full of them.

These payment cards (PC= Payment Card Industry) are the biggest deal in information security these days because of a new standard call the PCI-DSS standard (Payment Card Industry- Data Security Standard).  The PCI Security Standards Council, which created the standard, was founded by American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa Inc.

Credit card companies want you to charge it and they know that concerns about identity theft might possibly slow down your card use — so it is in their best interests to make sure that a solid security standard is in place to protect you.  The standard has turned into a requirement for everyone who takes a credit card and that turns out to be literally millions of grocers, retailers, online retail outlets, government agencies, convenience stores, utilities — almost everyone.  So the PCI-DSS standard may be the most widely applied information (data) security standard in the world.

With such a widespread and critical standard, there is confusion about how to meet the standard because just doing a self-assessment isn’t enough — you are also required to do penetration tests on your systems that handle and transmit this electronic customer information and ATTEST that you use the standard in your information systems.  

This includes having strong firewalls that protect cardholder data and making sure to remove
the generic vendor-supplied passwords; using good storage devices for sensitive customer information and encrypting data that flows over your network.  In addition, the card manager has to use anti-virus software, and also build secure systems.  Once proper controls are in place, these controls need to be monitored and tested. 

Doing a full compliance and vulnerability assessment annually is the best way to make sure that you can prove you have done all the specific activities required in the PCI-DSS standard.  The assessment actually breaks the entire standard down into smaller, manageable chunks and then each one is monitored, or validated, with an audit trail, so that is easy to prove that you have evaluated your organization’s compliance with the PCI-DSS standard.

The PCI-DSS standard is actually mild, as information security standards go, and not as far-reaching or intrusive as, for example, the HIPAA standard (Healthcare Insurance Portability and Accountability Act) which has completely revised the way healthcare organizations do business.  Nor is it as complicated as the BSA (Bank Secrecy Act) or the International Standards Organization’s 27001 standard (ISO 27001 and 27002).  

After the infamous TJMAXX identify theft incident — consumers should welcome the PCI standard and retailers and others affected by it should be grateful that is just another way of encouraging good information security practices.

Regularly Monitor and Test Networks

Requirement 10: Track and monitor all access to network resources and cardholder data
Requirement 11: Regularly test security systems and processes

Maintain an Information Security Policy

Requirement 12: Maintain a policy that addresses information security