Health IT
HIPAA Threat Categories Rationalized
If you peruse IBM's X-Force Exchange and realize the number of Threat Vectors that exist in the wild, you would soon despair of ever producing a rigorous Risk Assessment. However, there is no need to despair because these millions of vectors can be organized into Threat Categories that effectively rationalize the space. This does not mean that IBM's research is not necessary, quite the opposite, sooner or later you will need to have enough detail on a particular vector to implement a Control that "plugs it."
However, at the time of producing a Risk Assessment knowing the Threat Category is more than sufficient. For example, one of our Threat Categories is "Social Engineering or Intrusion." When you are performing a Risk Assessment you don't need to know the million and one ways that the "bad guys" can penetrate your network; what you need to know is how much exposure you have. For example, if the bad guys penetrated and deleted your data could you recover it promptly, or at all?
If the bad buys used a Phishing Scheme to penetrate your network, it is important to educate your workforce on this particular scheme or Phishing in general (i.e. so that your workforce can recognize the patterns).
Below we list definitions of the Threat Categories that we use for HIPAA, and now for GDPR and other compliance regimes as well. This is not a definitive/exhaustive set. That's the whole point. We have rationalized the space to make it easier for our customers to manage.
Threat Categories Rationalized!
1. Power outage:
Describes the potential for loss of electricity to exploit one or more vulnerabilities (usually more). However, as with almost all the Threat categories described herein, your thinking needs to be broader than the loss of electricity at your main facility. The loss of electricity at the principal locations of key partners will almost certainly have a negative impact on your operational environment.
2. Denial of service:
A denial-of-service attack (DoS attack) is a cyber-attack in which the perpetrator seeks to make a machine or network resource unavailable to its intended users by temporarily or indefinitely disrupting services of a host connected to the Internet. Denial of service is typically accomplished by flooding the targeted machine or resource with superfluous requests in an attempt to overload systems and prevent some or all legitimate requests from being fulfilled. The intent is to cripple the targeted computing system.
3. Workforce Exfiltration:
Workforce Exfiltration is similar to data exfiltration but broader; data exfiltration, also called data extrusion, is the unauthorized transfer of data from a computer within an organization to one outside of it. However, data exfiltration is too narrowly defined to cover all potential use cases. Many times data walks out the door with a human being as the transfer agent. Such a transfer may be manual and carried out by someone with physical access to a computer, or it may be automated and carried out through malicious programming over a network. Exfiltration may be acute at a certain time, such as when an employee leaves their current employment - voluntarily or involuntarily. This is especially true if the employee left on bad terms. However, one of the worst exfiltrations in the history of the CIA was carried out by Aldrich Ames, who was an employee in good standing right up to the time he was caught.
4. Fire:
Describes the potential of a Fire to your Facility (or other assets) that may (probably will) exploit one or more vulnerabilities within your operational environment. However, Fire could impact you in many more ways that are not readily apparent on their face. For example, a Fire at your cloud storage provider is likely to have a significant impact on your operational environment. The same holds true for Fires at the facilities of other key partners.
5. Media:
Media is physical storage of data that should be encrypted and securely stored. Impairments to Media (e.g. hard drives) is generally the primary cause for essential computing equipment to fail (e.g. servers).
6. Personnel:
Consider how Personnel may exploit lack of regulatory compliance. Generally, exploitations by Personnel come in two forms: (1) intentional; and (2) negligent. It is nearly impossible to prevent intentional bad conduct by trusted Personnel. However, the impact of said conduct can be reduced dramatically by following best practices as dictated by the Security Rule. Further, negligent conduct is suspect to being virtually eliminated with the proper training and organizational commitment.
7. Weather or Natural Disaster:
Consider how weather or natural disaster may exploit lack of regulatory compliance. Weather is notorious for finding vulnerabilities to exploit. At its worst, Weather is capable of eliminating all redundancies and leaving us at its mercy. However, with the advent of cloud computing, most of the egregious negative impacts that Weather may have on an organization's operational environment may be minimized, if not eliminated. Consider how easy it is to mirror cloud-based data on two remote locations, unlikely to experience weather events at the same time. If all your apps and data live on the Cloud, then you need to get key Personnel out of harm's way and into locations where their access devices will function (e.g. phones, laptops, pads, etc.).
8. Theft or Lost Device:
Consider how theft or a lost device may exploit lack of regulatory compliance. Devices are lost or stolen all the time. Human proclivities for losing and misplacing things have caused a significant number of non-trivial breaches. Given the amount of data that a thumb drive can now hold provides insight into the magnitude of potential breaches of PHI that can occur using portable devices. Mobile devices should be limited to access only tools, and by exception, when used to store PHI the latter should be encrypted. Portable devices should NEVER be used as permanent storage devices for PHI. On an exception basis and for temporary use (e.g. data analytics), they should be deployed carefully and then "wiped" after the temporary use is no longer required.
9. Direct Access Attack:
A direct attack by hackers to access your network, computers or software. This is what the lay public usually refers to as "hacking." It may come as a surprise that "hacking" attacks are not your organization's largest source of Risk. Although it is becoming easier by the day to "hack" (i.e. with dozens of "rootkits" available on the Internet) you can look elsewhere for the low-hanging fruit that will help you achieve the most bang-for-the-buck. There is a consensus in the security community that the "perimeter is dead;" which translates into - you have to assume that your perimeter defenses can be compromised and rely on such strategies as minimizing "dwell time" to Reduce Risk.
10. Identity Theft:
Consider how identity theft may exploit lack of regulatory compliance. Identity theft has become a multibillion-dollar industry with the end (or flattening) of growth nowhere in sight. Widespread use of two-factor authentication is emerging as a viable option for curbing its growth. As the name implies, two-factor authentication requires at least two factors: (1) something you know (e.g. user id and password); and (2) something you have (e.g. a smartphone). Because smartphones are ubiquitous among computer users, they have become the de facto "something you have" factor. Although, two-factor authentication is highly recommended (understatement) it, like any other control, is not foolproof. Two-factor authentication can be hacked, BUT it requires a very sophisticated hack usually incorporating a social engineering phishing attack to achieve its objective.
11. Social Engineering or Intrusion:
Social Engineering or Intrusion deals with inappropriate access to your network or computers through some form of psychological manipulation. Consider how social engineering or intrusion may exploit lack of regulatory compliance. Social engineering, in the context of information security, refers to psychological manipulation of people into performing actions or divulging confidential information. A type of confidence trick for information gathering, fraud, or system access, it differs from a traditional "con" as it is often one of many steps in a more complex fraud scheme. The term "social engineering" as an act of psychological manipulation of a human, is also associated with the social sciences, but its usage has caught on among computer and information security professionals. We aggregate Social Engineering with Intrusion to exploit vulnerabilities. It matters little how the "bad guys" were able to penetrate your perimeter. What really matters is that they "got in." There are literally millions of vectors for penetrating a perimeter. A number so large that it makes little sense to attempt to attack a wicked problem such as regulatory compliance by dealing with millions of variables.
CONCLUSION
The problem needs to be "rationalized" before it can be managed. There are no perfect solutions. Moreover, the law does not require perfection. Generally doing what is "reasonable and appropriate" is sufficient. Unfortunately, too many in the healthcare industry have elected the "Ostrich Strategy" instead of making a good faith attempt at compliance. I will clue you in on a little secret: "Complaining to HHS about not having enough HIPAA education from them is NOT going to help a scintilla next time a Breach occurs in your organization.
|
HOW TO COMPLY WITH HIPAA?
|
At 3Lions Publishing, Inc. our mission is to provide clients with:
- Premium Compliance Products,
- Education,
- Free Monthly Webinars,
- Newsletter Articles on HIPAA and regulatory topics, as well as
-
"High Touch" LIVE assistance with Products for Risk Assessment and Remediation.
We do NOT charge extra for compliance support like many of our competitors, the cost for your LIVE assistance is included in your Subscription purchase.
A full 360-degree circle of Risk Assessment and Remediation products are provided in 3Lions Publishing Inc.'s
The Subscription Plan includes
Expresso®, the Risk Assessment "SaaS" based software, over 30+ compliance and remediation products, and training videos that help Covered Entities and Business Associates understand how to implement the necessary Controls to be in compliance with HIPAA regulations. Our LIVE "High Touch" Assistance helps you "get it done" fast!Our many Training products describe various aspects of the regulations as well as demonstrations of how to use Expresso and associated compliance tools. As part of the Subscription Plan we also provide certification for clients seeking designation as HIPAA Certified Professional ("HCP").
A "Crosswalk" between Expresso Risks and Remediation tools provides easy access to model policies, procedures and tracking mechanisms for compliance.
FREE Monthly newsletters and webinars provide education on topics of regulatory concern. Missed one? Webinars and articles are posted to the HIPAA Survival Guide Store Website for future reference.
Questions? Please call or write using the contact information below.
Email: Support@3LionsPublishing.com
Phone: (800) 516-7903
GDPR FOR 2018!
With the recent European Union (EU) enforcement of the General Data Protection Regulation ("GDPR") effective May 25, 2018, we now provide you with GDPR Personal Data Assessment within Expresso along with compliance tools. If you intend to conduct business with EU users, customers or businesses, you need to learn how to comply with these requirements.
View the GDPR Subscription and products on the HIPAA Survival Guide Store:
Get your GDPR products or Subscription Now!
 |
EXPRESSO RELEASE 2.0 COMING SOON!!
We are complimenting Expresso with access to:
1) A fully encrypted web-based Compliance Repository and
2) Direct Access to HIPAA Survival Guide Products for Subscription clients.
Your web-based repository will enable you to upload and save your final Visible Demonstrable Evidence of Compliance ("VDE") to secure and encrypted folders. Direct access to HIPAA Survival Guide Products makes it easy for Subscription Customers to get products and compliance information from a single site.
So, why are we sharing this information in our Newsletter? Education, Education, Education. Stay tuned not only for Product updates but also for new capabilities and value offered to our elite group of clients. Save time and money with our high quality, bargain Subscription Plan!
Expresso® now handles GDPR Personal Data Assessments!
If you anticipate or are currently transacting commerce with EU consumers, you will need the ability to perform a Personal Data Risk Assessment with Expresso.
HIPAA Survival Guide Subscription customers may purchase GDPR with Expresso as an ADD-ON for a one-time cost of $495.95 with no increase to your renewal fees.
Click here for more information and to purchase GDPR with Expresso ADD-ON.
Non-subscription clients may purchase Expresso with GDPR Subscription that includes GDPR Products for $1,295.95.
Click here for more information and to purchase Expresso with GDPR Subscription.
If you have any questions, please contact us at support@3lionspublishing.com or call (800) 516-7903
Expresso® was designed to manage more than one compliance regime. We are now delivering on that promise. Our competitors' products were narrowly focused on HIPAA and they have no easy path to migrate their offerings to other regimes. This includes smaller competitors and those that come with a more hefty price tag. None are delivering the kind of innovation that Expresso® represents.
We have rationalized the GDPR risk assessment in a more streamlined manner because GDPR is even less prescriptive than HIPAA. Our decade of experience provides you with a foundational list of 10 Essential Controls that any compliance regime requires. We introduced the Compliance Stack™ as a way to explain this groundbreaking innovation to the marketplace.
An introduction to the GDPR's 10 Essential Controls that are included in Expresso follows:
1. Risk Management: This Control encompasses the entirety of an entities Risk Management program ("Program"), including Risk Assessments and implementing additional Security Controls ("Controls") that reduce Risks to levels that are "reasonable and appropriate."
2. Incident Management: There can be no effective Risk Management Program, including but not limited to Breach Notification, of security incidents are not tracked.
3. Inventory (Security Objects): Controls are applied to Security Objects (e.g. most think in terms of an asset inventory but the term encompasses much more than that).
4. Administrative: Compliance is a multi-disciplinary subject matter domain that requires a skillset far greater than technical acumen.
5. Authentication: The ubiquitous nature of smart phones has led to widespread use of two-factor authentication by most large organizations including banks, brokerages, and of course all the major technology firms.
6. Breach Notification: Breach notification, under every compliance regime where it is applicable, has become the 800-Pound-Gorilla that drives enforcement. Such is the case for HIPAA and we expect this same Gorilla to dominate GDPR enforcement. Large Breaches attract the attention of regulators.
7. Disaster Recovery: Disaster Recovery is yet another meta-control because it encompasses much more that data backups. Of course, backing up your protected data, and all your data for that matter, is mission critical.
8. Audits: Measurement against a baseline of a compliance regime's requirements is the only level of granularity that matters during an audit.
9. Technical Controls: This is another meta-control that of necessity must be treated as such because it is where the most innovation is currently occurring in cybersecurity defenses (i.e. for the moment we are discounting the importance of process innovations because they are so little understood). What we enumerate here as sub-controls are the basics, the most important of which is encryption.
10. Physical Controls: Physical Controls are such a no-brainer that they often go overlooked because of our obsession with technology.
GDPR PRODUCTS AND SUBSCRIPTION
GDPR Products are available on the HIPAA Survival Guide Store. They include:
- GDPR ADD-ON for Existing Clients;
- GDPR with Expresso Subscription Plan;
- GDPR Overview and 10 Step Implementation Training;
- GDPR Breach Notification;
- GDPR Model Security Policy;
- GDPR Privacy Policies;
- GDPR Model Notice of Privacy Practices; and
- GDPR Combo Package.
GDPR products can be purchased as a subscription or individually (including the Combo Package).
We recommend that you have at least four basic policies in place: (1) a Notice of Privacy Practices (outward facing); (2) a Privacy Policy; (3) a Security Policy; and (4) a Breach Notification Policy (collectively "Policies").
NOTICE OF PRIVACY PRACTICES ("NOPP")
Your GDPR NOPP is similar to covered entities NOPP under HIPAA, except you need to provide access to it in places where Data Subjects would expect to see it.
Your Privacy Policy is an internal facing document and contains your organization's intentions vis-a-vis protecting the confidentiality of Personal Data. It should contain information about your Data Protection Officer (or Representative) and how you intend to resource this position.
Surprisingly there is only one Article in the GDPR (Article 32) that deals directly with security. It's not that security is not important under the GDPR, it obviously is; rather, it's that the emphasis on Privacy dominates.
The GDPR introduces Breach Notification into the EU for the first time. Given what we have witnessed under HIPAA (post the HITECH Act) Breach Notification will also emerge as the GDPR's 800-pound Gorilla.
If you have any additional questions regarding GDPR Compliance, please contact us via email at support@3lionspublishing.com or by telephone at 800-516-7913.
FREE HIPAA Implementation Detailed Project Plan
This Post contains access to the new HIPAA Implementation Detailed
Project Plan.
The HIPAA Implementation Project Plan is organized by Chunks/Sprints
to support rapid completion your HIPAA Compliance Initiative ("HCI").
High-Level Tracks include:
1. Disseminate Model Policies (Track = "Foundational")
2. Training & Awareness (Track = "Foundational")
3. Compliance Repository (Track = "Foundational")
4. Risk Assessment (Track = "Foundational")
5. Business Associates (Track = "Foundational")
6. Incident Tracking & Reporting (Track = "Foundational")
7. Risk Management Program (Track = "Core")
8. Disaster Recovery (Track = "Core")
9. Intrusion Detection (Track = "Core")
10. Cloud (Track = "As Required")
11. Social Media (Track = "As Required")
12. Breach Notification (Track = "Core")
13. Mobile (Track = "Essential")
14. Patient's Bill of Rights (Track = "Essential")
EXPRESSO® Compliance Video
CLICK HERE TO WATCH THE EXPRESSO® COMPLIANCE EQUATION VIDEO.
This short video provides an explanation of how EXPRESSO® uses its Compliance Equation to perform a HIPAA Risk Assessment. In addition, the video describes HIPAA Survival Guide products, education, and tools that you can customize and use in your organization.
One of the key HIPAA Survival Guide tools are our Scorecards that not only provide descriptions of HIPAA Implementation Specifications or Controls, but also point you to HIPAA Survival Guide Remediation products, which provide customizable examples of proposed organizational policies, processes, tracking mechanisms and an assortment of compliance tools and education for covered entities and business associates.
Scorecards based on specific requirements are the only way to measure the progress of your compliance initiative (i.e. by definition, if you are in compliance with all the requirements of a regulatory regime then you are in compliance).EXPRESSO® and the HIPAA Survival Guide works in tandem to guide your efforts in becoming HIPAA Compliant.
Please note that we offer a 15-DAY FREE TEST DRIVE of EXPRESSO®! Why not give it a try? Just click on the link below!
Expresso® 15-day FREE Test Drive
To try EXPRESSO®, just click on the above link and fill out your contact information. Our Customer Service Staff will set up your Free 15 Day EXPRESSO® Test Drive and arrange a "Go To Meeting" session to review how you can do your HIPAA Risk Assessment in 3 hours or less.
EXPRESSO® is an easy to use Risk Assessment software that allows you to detect risks, threats, security objects, and vulnerabilities to PHI and identify impacts and assign controls at a glance! It allows you to do a Baseline Risk Assessment in 3 Hours or less!
Our "Quick Start Guide" gets you off and running to complete your first Risk Assessment. EXPRESSO® comes pre-populated with all the Risks, Threats, Vulnerabilities and Impacts necessary to a complete a Baseline Risk Assessment.
With Expresso® You Can:
1) Perform a Baseline Risk Assessment in a matter of hours,
2) Bulk import Security Objects: people, places, assets, processes to apply Security Controls,
3) Track the results of the Controls applied, and
4) Retain instances of past Risk Assessments for reporting or audit purposes.
If you have any questions, you may reach me at dleyva@3lionspublishing.com
The Origins of Expresso®, The Risk Assessment Express
Who doesn’t like coffee? Well maybe there are a few who don’t, but I’m a morning coffee person. It helps get my day started. When there are complex challenges to overcome, I need all the help I can get. Expresso® is that “jolt of coffee” that enables users to quickly and accurately perform their first HIPAA Risk Assessment. Customers claim it is “a smooth process”. The ability to use Expresso® Risk Assessment software enables HIPAA Security Rule implementation specifications via Controls to associate Threats, Vulnerabilities and Risks. This facilitates "having the tools to get an onerous, difficult, but necessary job done." There is no need to answer over 30 questions and then begin Risk Mitigation without a plan. The HIPAA Survival Guide not only has Expresso® to identify risks but also a HIPAA Implementation Plan and over 30 tools to mitigate risks.
Nevertheless, a Risk Assessment is only the first step toward compliance, and it’s important because this is where the “real fun” starts. Once risks are identified, organizations develop their Risk Mitigation processes, procedures, and tracking mechanisms to guard against the impact of unprotected risks. The HIPAA Survival Guide has over 30 products, training, videos, and webinars for customers, with monthly newsletters and FAQ documentation to climb the learning curve rapidly. Just by watching the videos and participating in webinars, one customer said it was like receiving a “college education” in Regulatory Compliance. “Webinars are outstanding!” One can even become a HIPAA Certified Professional (HCP), sponsored by 3Lions Publishing, Inc. and the HIPAA Survival Guide.
Yes, HIPAA compliance is a complex topic. However, before you begin to assess and mitigate risks, it makes sense to obtain a basic understanding of what is required. Once you identify the objective, it is certainly easier to achieve the desired outcome. One customer said, “Expresso® and the HIPAA Survival Guide’s products are a complete deal – the whole package.” We claim that clients can produce a Risk Assessment in 3 hours or less, and it is true! Once you understand where you’re going, and are in possession of an easy to read map and a guide you'll get there fast. “ Expresso®’s documentation was so easy to read that I could report my progress right away. For me, that is worth a lot.”
Another important fact is that Expresso®, and the many products on the HIPAA Survival Guide website, were designed and developed by Carlos Leyva, Esq. from the Digital Business Law Group, P.A., a renown HIPAA knowledgeable lawyer. Carlos dove into the HIPAA Regulations to develop products for HIPAA Compliance and to design Expresso® to support Covered Entities and Business Associates.
As a bonus to Expresso® and the HIPAA Survival Guide Risk Mitigation products, a number of customers have retained Carlos Leyva, Esq. as legal counsel to help guide their HIPAA compliance mission with his fixed fee HIPAA Jumpstart offering. There are very few consultants with a lawyer’s level of HIPAA regulatory knowledge. Our customers say this has given them greater confidence as they develop their HIPAA compliance repository. Shirleen Sando, a HIPAA Survival Guide customer, says “If you want to learn, it’s there… the whole package; from Risk Assessment to Risk Mitigation with educational steps along the way. I recommend Expresso® and the HIPAA Survival Guide’s Risk Mitigation products to anyone.”
Contact support@3lionspublishing.com for more information.
WannaCry Webinar Re-Broadcast
Chris Saah CEO of TecFac (Technology Facilitators) joined Carlos Leyva and the team for a discussion of the recent the ransomware attack and how to prevent ransomware from penetrating your organization in addition to discussing HHS' methodology implications.
Looking for a simplified way to keep up with HIPAA? For a limited time, we are making available our "Showing HHS Visible, Demonstrable, Evidence" webinar when you sign up for our FREE monthly newsletter.
Get a Jumpstart on your HIPAA Compliance with legal advice!
Recently, the Digital Business Law Group P.A., Carlos Leyva, Esq., began providing legal assistance to customers of the HIPAA Survival Guide.
Search
Healthcare Blogroll
- Dr. Bobbs Blog
- e-CareManagement blog
Chronic Disease Management • Technology • Strategy • Issues and Trends - EMR and HIPAA
An open forum on topics covering EMR, EHR, HIPAA and Healthcare - Health Care Law Blog
Thoughts and comments on the health care industry, privacy, security, technology written by Bob Coffield. - Health Populi
Jane Sarasohn-Kahn is a health economist and management consultant that serves clients at the intersection of health and technology. - Healthcare Technology News
Health Wonk Review - Healthcare Technology News
Advancing Performance in Healthcare - HIT Sphere
- Internet Lawyer
Digital Business Law Group provides legal services covering areas such as copyright, trademark infringement, privacy issues, and more regarding use of the internet. - Patient Centric Healthcare
George Van Antwerp's thoughts about healthcare and related topics. - The Health Care Blog
THCB - Everything you wanted to know about the Health Care system ... but were afraid to ask. - The Healthcare IT Guy
- The Value of the Internet for Healthcare
An essay on the value of the Internet: Improving Healthcare for Older Adults - Yasnoff on eHealth
Commentary and Blog on eHealth by William A. Yasnoff, MD, PhD Managing Partner of NHII Advisors
Categories
- Accountable Care Organizations (34)
- Current Affairs (43)
- GDPR (1)
- Health IT (139)
- Health Reform (103)
- Healthcare (118)
- HITECH / HIPAA (95)
- Information Technology for Healthcare (EHR/EMR) (145)
- Internet Resources (35)
- Knowledge Management (30)
- Podcasts (1)
- Population Health (14)
- Web/Tech (7)
- Webinars (23)
- Weblogs (3)
Most Popular Posts
- Advantages of an EHR
- Bloomberg/Businessweek Webcast: Telemedicine Hot or Not?
- Criteria for EHR "meaningful use"
- EHR Adoption Under the ARRA HITECH Stimulus Act
- HITECH / HIPAA Compliance is a Wicked Problem
- HITECH Act: HIPAA Survival Guide
- Part 1: The Value of the Internet for Improving Health Care
- Part 2: Online Healthcare Information
- Part 3: The Internet and Access to Quality Healthcare Information
- Part 4: The Technology "e-bilities": Reliability, Secure-ability, Useability, Read-ability & Accessibility
Healthcare News & Links
- ACO Survival Guide Store
- HIPAA Training
- HITECH Act
- HIPAA Security Rule
- HIPAA Privacy Rule
- HIPAA Survival Guide (online)
Practical advice for health care practitioners in light of regulations for the HITECH Act and HIPAA. - HIPAA Requirements
- Links to sites of interest at the intersection of Healthcare & Technology
