Tuesday, October 04, 2011

Preventing Cybercrime

In the cyber crime world, there is no such thing as a bullet-proof defense. However, the risk of data loss, unauthorized access, or other undesirable intrusions can be reduced substantially by taking some basic precautions. Among them:

1. Ensure that every account has its own unique password, and that no password is reused across systems. All passwords should be difficult to guess; a strong policy is like having a good lock on the front door. Passwords should not be a word found in the dictionary or a given name. Instead, they should be made of random upper- and lower-case letters, numbers and symbols, should contain at least three of those four classes, and should be no shorter than eight characters. Passwords should be changed every three months, or immediately if there is any reason to believe that one has been compromised. A caveat: NIST SP 800-63B now favors length over composition rules, screens new passwords against lists of breached and common passwords, and drops scheduled rotation in favor of changing a password on evidence of compromise; of the rules above, the fixed three-month change is the one that has aged least well.

2. Correct the network configuration as soon as a vulnerability in it becomes known. Leaving a known vulnerability open is inexcusable. Any incorrect or compromised network configuration needs to be fixed immediately, and care taken that new weaknesses are not introduced in the process. Proper change management procedures, with every configuration change reviewed before it goes live, mitigate this.

3. Apply upgrades and patches promptly. Applications and operating systems may contain hundreds of thousands, even millions, of lines of code, and vulnerabilities are discovered all the time. Even a mature, stable, tested and well-written application like QuickBooks 2010 had 13 revisions after its release. Operating systems ship with hundreds of vulnerabilities that are not discovered until after release. Patches must be applied as soon as they are released, after whatever testing your change management process requires; once a patch is public, attackers can diff it against the old version and work out the vulnerability it fixes.

4. Check log files regularly to detect and trace intruders. Logs are useful for finding and patching holes, and for detecting intrusion attempts and privilege escalation. They also help diagnose mismatches between account names and security IDs, incorrect permissions for performing tasks, broken trust relationships between the primary domain and trusted domains, and errors with a number of different root causes. Logs are only useful if an intruder cannot erase them, so forward them to a separate, write-protected log server rather than leaving the only copy on the machine being attacked.

5. Train all employees to recognize and avoid cyber crime attacks, and to report any suspected phishing attempt or potential security breach. Proper training in cyber crime prevention helps users counter viruses, phishing attacks and computer-based identity theft. Much fraud and identity theft begins with a user being deceived, so proper training makes users aware and prepared.

Training, awareness and preparation can make an enormous difference in avoiding and preventing cyber crime.
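An added example, not code from the original post, of the kind of log review item 4 calls for: a Python script that parses a handful of constructed sshd-style authentication lines, counts failed logins per source address inside a sliding window, and flags both a brute-force burst and the more telling pattern of a successful login that follows a run of failures from the same address. The log lines, hostname and addresses are invented; syslog timestamps carry no year, so the script assumes the year the post was written.

```python
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Dict, List, Optional

# Constructed sample log in the classic syslog/sshd format. Host and addresses are invented.
SAMPLE_LOG = [
    "Oct 14 10:00:01 host sshd[2101]: Failed password for root from 10.0.0.5 port 51000 ssh2",
    "Oct 14 10:00:03 host sshd[2102]: Failed password for root from 10.0.0.5 port 51001 ssh2",
    "Oct 14 10:00:05 host sshd[2103]: Failed password for invalid user admin from 10.0.0.5 port 51002 ssh2",
    "Oct 14 10:00:07 host sshd[2104]: Failed password for root from 10.0.0.5 port 51003 ssh2",
    "Oct 14 10:00:09 host sshd[2105]: Failed password for root from 10.0.0.5 port 51004 ssh2",
    "Oct 14 10:00:11 host sshd[2106]: Accepted password for root from 10.0.0.5 port 51005 ssh2",
    "Oct 14 10:02:00 host sshd[2110]: Failed password for alice from 192.168.1.20 port 40000 ssh2",
    "Oct 14 10:02:05 host sshd[2111]: Accepted password for alice from 192.168.1.20 port 40001 ssh2",
    "Oct 14 10:02:06 host sshd[2111]: Received disconnect from 192.168.1.20 port 40001:11: disconnected by user",
]

LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)

# syslog timestamps carry no year; assumption: the year the post was written.
ASSUMED_YEAR = 2011


def parse(line: str) -> Optional[Dict]:
    """Turn one sshd line into an event dict, or None for lines we do not care about."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{ASSUMED_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "ok": m["result"] == "Accepted", "user": m["user"], "ip": m["ip"]}


def analyze(lines: List[str], threshold: int = 5, window_seconds: int = 300,
            suspicious_failures: int = 3) -> List[Dict]:
    """Scan log lines in time order and return a list of alert dicts.

    brute_force:            `threshold` failures from one address within `window_seconds`
                            (raised once per burst, not once per extra failure).
    success_after_failures: an accepted login from an address that had at least
                            `suspicious_failures` recent failures, the classic sign that
                            a guessing attack found a working password.
    """
    events = [e for e in map(parse, lines) if e is not None]
    events.sort(key=lambda e: e["ts"])
    recent_failures: Dict[str, deque] = defaultdict(deque)
    alerts: List[Dict] = []
    for e in events:
        q = recent_failures[e["ip"]]
        # Expire failures that have fallen out of the window.
        while q and (e["ts"] - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if not e["ok"]:
            q.append(e["ts"])
            if len(q) == threshold:
                alerts.append({"type": "brute_force", "ip": e["ip"], "user": None,
                               "count": len(q), "ts": e["ts"]})
        else:
            if len(q) >= suspicious_failures:
                alerts.append({"type": "success_after_failures", "ip": e["ip"],
                               "user": e["user"], "count": len(q), "ts": e["ts"]})
            q.clear()  # a successful login ends the failure run for that address
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(f"{alert['ts']:%H:%M:%S} {alert['type']:24} ip={alert['ip']} "
              f"user={alert['user']} failures={alert['count']}")
```

On the sample above the script raises two alerts for 10.0.0.5 and none for alice's single typo, which is the balance you want: a review process that pages on every failed login will be ignored as surely as one that never looks at the logs at all.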

Thursday, January 22, 2009

3 I's

There's no avoiding it; there's a new sheriff in town. With the coming change of administration, and a Congress far more open to the idea of regulation, spurred by the recent problems in the lending sector, there is little doubt that we will be seeing a spate of new regulations and regulatory bodies, as well as increased enforcement of existing regulations such as Sarbanes-Oxley, HIPAA, and GLBA.


The last few years have been full enough of regulatory landmines for the unsuspecting IT department. At the same time, though, enforcement has been lax. For example, under HIPAA, which has a complaint-driven enforcement process, there have been over 32,000 complaints over the last five years but fewer than a dozen prosecutions. In fact, according to the Inspector General of HHS, the Centers for Medicare and Medicaid Services, an enforcement entity, "had not implemented proactive compliance reviews and therefore had no effective way to determine whether covered entities were complying with HIPAA Security Rule provisions."


Look for this to change, perhaps dramatically. HHS has already started an audit program, and several statements by various heads of congressional committees have indicated that for regulatory slackers, the party is over.


So what does this mean for those poor souls charged with maintaining regulatory compliance in organizations which, up until now, haven't really felt all that much pressure? For many it means changing the view they have had of compliance. Careful planning and fresh approaches will be the key to coping with new regulation as well as old regulations newly enforced.


Invisibility, Integration, and Integrity. These need to become our new watchwords as we move forward into the unknown territory of compliance. Most important is invisibility. No matter what systems, programs, rules or processes we come up with, if they are not designed to impact the end user as little as possible, they will be bypassed. History has shown that as little as one extra step in a work sequence will cause end users to find ways to bypass or ignore it, unless they perceive the added step as needed to perform their primary work function. Nowhere is this more evident than in healthcare, where regulatory steps, especially HIPAA-related ones, are seen by many as time-wasters and barriers to providing care to patients. If the end-user experience is not included in compliance planning, whatever solutions are chosen will inevitably fail.


Compliance solutions need to integrate with existing systems, including technical, organizational, and workflow systems. A tacked-on compliance solution will waste resources and time, and ultimately be ignored. Email solutions, for example, should use existing systems for both secure and non-secure communications, instead of creating a new and separate system just to handle secure communication. Relying on end users to judge which of two parallel systems to use leads to frustration at best, and to sensitive data going out over the wrong one at worst. Systems should be chosen to maximize ease of integration with what is already in use.


Usually when IT security people talk about integrity, they are talking about keeping your data consistent, but in this case I am using it in the ethical sense. You cannot expect your end users to comply if you aren't. You can pretty much expect that any shortcut or bypass you use will be found and exploited by your users, too. Set that example, talk to your users and make certain that what you do is what they should be doing, too.


Three I's: invisibility, integration, and integrity. Keep these in mind as you plan, implement and administer your compliance solutions and you will find the entire journey to compliance land much, much smoother.

Thursday, October 09, 2008

Blue Suit, Red Cape and Red Boots

No doubt about it, things are getting tighter. Even with the volume off, the TV has a streaming litany of financial woe in a never-ending flow from left to right at the bottom of the screen. And you don't need Jim Cramer to remind you; your customers are letting you know, as is your screaming bottom line.


At the same time, your work day and productivity are being strangled by more regulation, more rules and more requirements for security. Even beyond the regulatory considerations, you really do want your clients' data as safe as you can make it. It is part of the reason you got into this business, along with the Truth, Justice and American Way stuff. But how to catch that speeding locomotive with all these chains around your ankles?


The first step is to develop the security mindset. Like so many other things, security is not a destination, it is a way of thinking. The same instincts and habits that make you rattle the back door after locking up can serve you with many information and data security issues as well. You are not locking the back door because you expect an intruder. You are prudently making it a little more difficult for the eventual intruder that someday will check your back door. Similarly, you are not protecting your data against a specific bad guy, but instead building an array of defenses so as to make your operation as unattractive to data and identity thieves as possible.


Make certain that your employees have a grasp of the basics and are incorporating them into the work day. Passwords should not be written on post-it notes or shared, and should be changed whenever there is reason to think they have leaked. Callers who ask for information about internal systems should be clearly identified, or better yet referred to a designated person. That designated person should be the office go-to for all basic security questions, and well briefed on likely vulnerabilities and how an attempted exploitation might present itself.


New and even more stringent regulations are on the way. How you keep your clients' data safe is going to be a problem that rests on your shoulders. You can spend a fortune building new, secure systems, or you can temper that spending with better training and by looking at alternate ways of handling your data, such as on-line hosting, where the back-end security is handled for you (though the responsibility for the data remains yours, so the host's obligations belong in writing). This combination can be a cost-effective way of providing improved security without having to leap any tall buildings.

Friday, September 19, 2008

International Talk Like a Pirate Day!

Arrrgh!

Tuesday, May 13, 2008

Ah, Sweet Mystery

Is your data secure? How do you know?

Here is yet another example of data exposed by carelessness and a simple error, and not noticed or reported for quite a long time.

From the San Francisco Chronicle:


Information on thousands of UCSF patients was accessible on the Internet for more than three months last year, a possible violation of federal privacy regulations that might have exposed the patients to medical identity theft, The Chronicle has learned.

The information accessible online included names and addresses of patients along with names of the departments where medical care was provided. Some patient medical record numbers and the names of the patients' physicians also were available online.

The breach was discovered Oct. 9, but the medical institution did not send out notification letters to the 6,313 affected patients until early April, nearly six months later.


Over 6,000 patients' information exposed on the internet for over three months! The sad and sorry part is not that the persons affected weren't notified when it was caught; that part is simply crummy behavior, and as heinous as it is, it is out of our scope. The real issue is that learning you are exposed is often far too late. In this case it was a careless data-mining company, which should have been under a business associate agreement under the HIPAA rules, and monitored by the hospital's compliance officer.

Doing a vanity search on Google and finding your own medical records must be quite a shock. Imagine having one of your customers find something like that... something like, say last year's quarterlies conveniently displayed for the world to peruse.

So is there a bullet-proof way of making certain that your stuff stays secure? Not really, but there are a number of ways you can protect yourself. For big companies the options are legion, but for smaller companies one of the best is to consolidate your data so that access is generally made through a single source. A reputable online host can ensure that professional and vigilant care is taken of your data. Like the common cold, there is no cure for idiocy, but knowing that your information is in the hands of people who make it their business to keep it safe, secure, and accessible only to the right people is priceless.

Friday, April 18, 2008

Baby One More Time

Britney Spears!Britney Spears!Britney Spears!Britney Spears!Britney Spears!Britney Spears!Britney Spears!Britney Spears!Britney Spears!Britney Spears!Britney Spears!Britney Spears!Britney Spears!Britney Spears!Britney Spears!Britney Spears!Britney Spears!Britney Spears!Britney Spears!Britney Spears!Britney Spears!Britney Spears!Britney Spears!Britney Spears!Britney Spears!Britney Spears!Britney Spears!Britney Spears!Britney Spears!Britney Spears!Britney Spears!Britney Spears!

Fire 'em all.

Really. I am sick of this, because if it happens to celebrities and they catch this many, it means that the rest of us are pretty close to being on public display.

String 'em up, it'll teach 'em a lesson.

Over and over

So many times, companies think of the audit process as a necessary evil, something to endure and then forget. No retailer would think that about inventory, but somehow we tend to think of our data as less valuable, perhaps because it is intangible. It isn't; your data is your business. Here is what Brian Cote in SC Magazine has to say:

Businesses need to consider data security as a whole, not merely as part of the audit process. This approach not only helps reduce the overall length of the audit process, it eliminates unnecessary vulnerability in the organization—providing a far greater reward than merely passing the audit. After all, if an organization suffers an exploit of security vulnerability, they'll face a far more costly and disruptive scenario than any compliance audit could cause. Without having a holistic approach to data security, organizations are doomed to reinvent the wheel.


An unchecked and unmonitored system is a vulnerable one. Regular reviews, tests and audits help keep the safeguards you have in place effective.

Monday, March 10, 2008

My Way

I wanted to say something about Google Health.
I have been watching for some time the various schemes to centralize healthcare records, from Hillary Clinton and Bill Frist's unlikely alliance a couple of years ago to Washington State's efforts (my wife is on the Governor's HISPC Advisory Board, so I have gotten to watch some of the sausage-making close up), and in general I think that it is not only a good idea in theory but that there is a certain practical inevitability to it.

Still, when prominent health organizations start considering placing PHI in the hands of the world's largest search engine company, I am a little less enthusiastic. For starters, there is no accountability at this point. Google is certainly not a covered entity, and for all of their massive and admirable ability to keep, sort and provide information to millions of users across the globe, they, like any other company that does business internationally, are susceptible to the whims of the governments of the countries where they do business.

Is my PHI a matter of national security? Of course not, and mine is especially boring; I have enjoyed good health for decades and have suffered from none of the things that might be of concern to anyone. But different countries have different privacy standards, different countries have different legal systems, and I have at least the expectation of privacy, as flimsy as that might be.
As far as I am concerned, the song goes like this: "Not covered by HIPAA? Then you don't get my PHI." Period.

Time After Time

It's about time:

OKLAHOMA CITY (AP) - Federal prosecutors have accused an Oklahoma City woman of violating a federal health privacy law as part of an identity theft scheme.

An indictment alleges Leslie A. Howell violated the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

U.S. Attorney for the Western District of Oklahoma spokesman Bob Troester says the Feb. 15 indictment was the first in the district for violating HIPAA.


First in the district? More like nearly the first in the country! Is this part of a new pattern, or just another case of an acorn dropping into the sleeping sow's mouth?

It Wasn't Me

Oh, please...

When Team 4 got certain records, the HIPAA enforcement office was supposed to block out the names of all patients who filed the complaints. But when Team 4's Paul Van Osdol examined the records, he found nine cases where patient names were disclosed. So, it appears the people in charge of enforcing the medical privacy law failed to follow their own rules.

Teresa Dimichelle is one of those patients whose names were disclosed. She agreed to talk about it.

Van Osdol: "The fact that the government failed to protect you, the same government agency that enforces HIPAA laws, what does that tell you?"

Dimichelle: "That it's all a joke to them. It was about my health care and the way I was being treated. I didn't think it needed to go to whoever, Joe Schmoe down the street."

"That's alarming, and you should be commended for doing that request and uncovering that, because that's something we definitely need to address," said Altmire.

A spokesman for the Department of Health and Human Services said its disclosure of patient names is not a violation of HIPAA. That's because the government agency is not covered by the HIPAA law.


No, not a violation of HIPAA, just a violation of at least one other privacy law, and common sense, common decency, and especially the public's ability to swallow the lame excuse.