Wednesday, November 21, 2012

HIPAA and reverse incentives

Last week I visited ISA New England's November member meeting, and one of the talks was by Karen Borton about HIPAA. It was a really good walk-through of a complex subject.

Major HIPAA breaches (500+ affected individuals) are published by HHS on its website. If you look at the list you can see that most breaches are still of the "forgot laptop on the bus" kind. Is this because that is the most common attack vector, or just because that issue is easy to discover?

Most companies that are covered entities do encrypt all laptops in order to ensure that a lost laptop does not result in a potential breach and notification, but it is still quite uncommon for all PII and PHI to be encrypted at rest. In contrast, it is quite common that the same companies encrypt credit card data, as PCI more or less requires encryption.

In one recent breach at the state of South Carolina, PII was stolen along with credit card data. The end result was that PII will now be encrypted within the organization.

Given the current state of regulation, perhaps it takes an attack on that specific organization to raise executive awareness enough to actually start moving on this issue? On the other hand, the laptop encryption issue clearly did get noticed and actioned on throughout the industry, so perhaps there is still hope.

Saturday, November 3, 2012

Compliance and security in different verticals

I attended a very interesting healthcare round table last week organized by RSA. One of the things that we discussed was how different verticals handle their respective compliance legislation.

There was a lot of consensus around the fact that finance has a very mature security stance. This is probably partly due to the fact that the compliance legislation (SOX) is rather mature and well defined. The consequences of non-compliance can be very painful for very important people in the company, which usually results in a lot of attention. There have also been a number of very big events in finance where insiders have gained elevated privileges in order to hide trading losses.

If you move on to retail you have PCI, which is very detailed and specifies exactly what you need to do and what happens if you don't. Again, there have also been a number of cases of insiders stealing credit card data where improved security systems clearly could have led to at least earlier detection and smaller losses.

In healthcare, on the other hand, we have HIPAA and HITECH. HIPAA is very high level and doesn't have any real teeth. There was some talk about HITECH fixing this, but thus far there have been very few cases where HITECH has really been brought to bear against healthcare provider or payer organizations.

Another aspect is that the information handled by healthcare organizations is harder to fence. Financial organizations tend to handle cash, which certainly is very easy to fence. Credit card data isn't pure cash, but thanks to organized crime there are essentially underground exchanges where credit card data can be sold in wholesale quantities.

Healthcare and healthcare insurance information is harder to capitalize on, as it is much easier to pose as a person with a credit card to a merchant than to pose as a healthcare provider to a healthcare payer. On the other hand, the potential payouts could be very substantial, so I wouldn't be surprised if we see a "TJ Maxx"-like case very soon in the healthcare sector. The PII aspect of the PHI is another potentially interesting attack target, as it is often possible to perform identity theft using the data in the insurance information.

The consensus in the meeting was that healthcare in general is relatively immature, but that there are a lot of things that point to a change in culture over the next few years. One clear possibility is that the enforcement of HITECH may be stepped up, and there may also be enough embarrassment generated by a couple of big data loss cases that actual change will happen in the industry.

BCBS Tennessee is one very famous example of what can be done if an organization decides to tackle a specific aspect of security (data at rest, in this case). It should be noted that the cost of just providing data-at-rest encryption for a mid-size payer organization is $6 million, so lifting the overall security posture of the industry clearly won't be cheap.