HIPAA | Bach Seat

Tag Archive for HIPAA

RB | June 14, 2012

Got Cyber Insurance?

Network World says that standard business insurance does not cover data breaches or almost any other loss involving data. Standard insurance covers tangible losses and damage. Data isn’t tangible. This is causing many firms to investigate cyber insurance.

The decision that data is not tangible goes back to a 2000 ruling by a U.S. District Court. The ruling arose from an Arizona case, American Guarantee & Liability Insurance Co. vs. Ingram Micro Inc.. In that case, the court said that a computer outage caused by a power problem constituted physical damage within the meaning of the policy Ingram Micro (IM) had purchased from American Guarantee.

“After that, the insurance firms changed their policies to state that data is not considered tangible property,” Kevin Kalinich, national managing director for network risk at insurance vendor Aon Risk Solutions told Network World. The upshot is that an enterprise needs special cyber insurance to cover data-related issues. The problem is that the field is new and there is no such thing as standard coverage with a standard price.

Buyers push back

The resulting complexity is a major source of push-back by potential buyers. According to Larry Ponemon, chairman of the Ponemon Institute, a research organization focused on information security and protection, “The policies have limitations and constraints similar to home policies with act-of-God provisions, and that has created a lot of uncertainty about what is covered, and what the risks are,” Mr. Ponemon told Network World. “Those who are nevertheless purchasing cyber insurance are typically very selective about what coverage they want,” he adds.

Cyber insurance coverages available

Data breach coverage: This pays for expenses that result from a data breach. Covered expenses typically include notification of the victims, setting up a call center. They also cover credit monitoring, and credit restoration services for the victims, and other crisis management services. Ken Goldstein, vice president at insurer Chubb Group told Network World. “You might want to hire forensic experts, independent attorneys for guidance concerning the multiple state (data breach notification) laws, and public relations experts,” he says.

Regulatory civil action coverage: Pays in cases where the insured is facing fines from a state attorney general after a data breach. It also covers fines from the federal government after a violation of the Health Insurance Portability and Accountability Act (HIPAA) or similar regulations. Some policies only cover the cost of defending against the action. While others may pay the fine as well, says Steven Haase, head of INSUREtrust, an Atlanta-based specialty insurance provider.

Cyber extortion coverage: For cases where a hacker steals data from the policyholder and then tries to sell it back, or someone plants a logic bomb in the policy holder’s system and demands payment to disable it. Among other things, the policy should cover the cost of a negotiator, and the cost of offering a reward leading to the arrest of the perpetrator, Goldstein says.

Virus liability: Pays in cases where the policyholder is sued by someone who claims to have gotten a virus from the policy holder’s system.

Content liability: Covers lawsuits filed by people angered over something posted on the Web site of the policyholder. Such coverage should also cover copyright claims and domain name disputes, Haase says.

Loss coverages

Lost income coverage: Replaces revenue lost while the policy holder’s computer system or Web site is down. But Kalinich notes that insurers often apply minimum downtimes of 12 or 24 hours, or require proof of actual losses. “They’ll say that, after all, the customers who did not get through (during the outage) could have come back later,” he says.

Loss of data coverage: Pays for the cost of replacing the policy holder’s data in case of loss. “Backup policies are not always effective, and accidents and sabotage happen,” Haase says.

Errors and omissions coverage: Otherwise known as O&M policies, this type of coverage predates cyber insurance, but is increasingly added to cyber policies to cover alleged failures by the policy holder’s software, Haase says.

rb-

Seems that interest is growing in cyber insurance. I wrote about cyber insurance here.

Would your company’s insurance cover a cyberattack? (corporateinsuranceblog.com)
Hacking blitz drives cyberinsurance demand (theglobeandmail.com)

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedIn, Facebook, and Twitter. Email the Bach Seat here.

Category: Uncategorized | Tags: 2012, Business, Data breach, HIPAA, Insurance, Lawsuit, Ponemon Institute

RB | June 30, 2010

Comments Off

Copiers Get Politicized

Copiers Get Politicized The politicians in Washington have politicized the data breach threats posed by copiers. The FTC claims it is reviewing concerns that digital copy machines retain sensitive information and the Commission is reaching out to retailers and government agencies to safeguard users’ private data.

FTC Chairman Jon Leibowitz recently said in a letter (PDF) to Rep. Ed Markey (D-MA) that the agency has launched an education campaign around informing users of copy machines. The FTC will try to educate users that copier hard drives keep critical information such as financial and health data. Unless this data is dealt with correctly, it creates a regulatory threat (SOX and HIPAA). Identity thieves can access the data kept on the machines, particularly as copiers are resold without wiping clean hard drives.

“Like you, we also are concerned that personal information can be so easily retrieved by copiers, making it vulnerable to misuse by identity thieves,” Leibowtiz wrote.

The privacy implications of digital copy machines stem from a report by CBS that showed copiers were essentially acting like computers, with hard drives data being circulated among several parties as copiers were resold. Markey had called for an investigation into the issue.

rb-

I know I feel better about this risk now that the politicians and a federal bureaucracy are looking after my best interests. </snark>

Category: Uncategorized | Tags: 2010, Copiers, Data breach, HIPAA, PII, Security

RB | June 15, 2005

One comment

The Secret Life of Copiers

-Updated – 05-11-2007- Most digital copiers manufactured in the past five years have disk drives to reproduce documents. As a result, the seemingly harmless machines that are commonly used to spit out copies of sensitive information can retain the data being scanned.

Digital copier manufacturer Sharp issued a warning about photocopier vulnerabilities in conjunction with tax season. The company warned that it isn’t just people who make copies of their tax returns who are at risk.

A few years ago Sharp was among the first to offer a security kit for its machines. The security kit would encrypt and overwrite the images being scanned. Overwriting the data ensures it isn’t stored on the hard disks indefinitely.

In many cases, a central administrative or IT department monitors an entire fleet of copiers using each machine’s Internet Protocol (IP) address. What they forget is that, because the copiers are managed remotely, other people could get access to them. Firms can take action in several ways.

One option is to close IP ports. When a copier is being installed, the IT staff should close IP ports to ensure there is only one access point to the machine. Another option would be to use media access control (MAC) filtering. MAC filtering sets rules to accept commands only from specified MAC addresses such as the help desk, restricting outsiders.

The Secret Life of Copiers, CFO Magazine May 01, 2004

Last fall, reports began circulating that a large university in the Northeast had uncovered an illegal music-file-swapping service on campus. The music files were stored in a spot nobody would ever think to look: a copy machine. The students were actually transferring MP3s to and from a hard drive on a copier, The machine’s hard drive was designed to capture and store scanned documents. Apparently, a member of the school’s IT department stumbled on the plot after noticing a remarkable amount of traffic going to and from the networked copier.

While the technology for making copies has changed little in the past 50 years, most copiers are now full-blown IT devices, with network and E-mail server connectivity. employees typically have unfettered access to copiers — and thus any information stored on them. This makes copy machines perfect targets for hackers or, since the drives are usually removable, thieves.

Enterprise appliance security could prove to be of real importance in the new era of privacy (for example, the Health Insurance Portability and Accountability Act of 1996, or HIPAA) and document management (the Sarbanes-Oxley Act of 2002). That’s doubly true if a company uses copiers to scan sensitive personal documents such as medical records, birth certificates, or financial forms. Louis E. Slawetsky, president of Rochester, N.Y.-based research firm Industry Analysts Inc said, “People don’t think of copiers as a vulnerability … That’s a problem since they have hard drives and can store whatever has been copied for an indefinite period of time.”

This creates a potential security problem: customers have access to a machine connected to the bank’s network. mitigates the danger by placing the machine behind two firewalls and making the copier password-protected. Security consultants say potential buyers of new copiers should almost always look for machines with encryption or overwriting capabilities.

Hard-copy security is also an issue — you don’t want the wrong person picking up someone else’s copy job. Hence, experts advise prospective buyers to stick to machines that come with password protection. That way, says Larry Kovnat, systems security program manager for Xerox’s office group in Rochester, N.Y., “no one can inadvertently see documents or pick them up.”

Despite the improvements in copier-machine defenses, one security hole still has not been addressed: E-mail. Although copiers generally can keep track of who is E-mailing a document (through passwords), it is nigh impossible to put limits on what can be sent or where the E-mails can be sent. This could change, however, as copier hard drives and network connections become more sophisticated.

The Fed Single-Handedly Keeps Xerox And HP Alive (zerohedge.com)

Category: Uncategorized | Tags: 2005, Copiers, Fax, HIPAA, MAC address, Photocopier, Printer, Risk, Security, Sharp, SOX, Xerox

RB | June 3, 2005

Comments Off

Network Security Layering

Most companies are prepared for threats to their networks from the outside world. However, security breaches from within the corporation often pose the biggest concern. In this post-Enron world of increased corporate governance, IT managers must deal with both technical and human challenges to meet their companies’ security requirements. New legislative mandates, such as the Sarbanes-Oxley Act, the Health Insurance Portability and Accountability Act, and the Graham-Leach-Bliley Act, also exist.

When considering securing a network, it’s essential to take a holistic approach, from the physical layer to the application layer. Thorough security policies, appropriate authentication mechanisms, and effective user education must complement the technologies implemented within the network.

The security-layering concept allows for variable-depth security. Variable-depth security occurs when each security level builds upon the capabilities of the layer below, resulting in more stringent security moving up through the layers. This can help protect organizations from security breaches that may come from within, as layering provides multiple measures of security controls.

The first security layer: VLANs

At the first layer, essential network compartmentalization and segmentation can be provided by virtual LANs. This allows various business functions to be contained and segmented into private LANs. Traffic from other VLAN segments is strictly controlled or prohibited. Several benefits may be derived from deploying VLANs for small to midsize businesses across the company’s multiple sites. These include the use of VLAN “tags.” VLAN tags allow traffic segregation into specific groups, such as finance, human resources, and engineering. It also prevents the separation of data without “leakage” between VLANs as a required element for security.

The second layer: Firewalls

The second layer of security can be achieved with perimeter defense and distributed firewall-filtering capabilities at strategic points within the network. The firewall layer allows the network to be further segmented into smaller areas, monitors it, and protects against harmful traffic from the public network. In addition, an authentication capability for incoming or outgoing users can be provided. The use of firewalls provides an extra layer of protection that’s useful for access control. The application of policy-based access allows the customization of access based on business needs. Using a distributed firewall approach affords the added benefit of scalability as enterprise needs evolve.

The third security layer: VPNs

Virtual private networks, which offer a finer detail of user access control and personalization, can be added as a third layer of security. VPNs offer fine-grain security down to the personal user level and enable secure access for remote sites and business partners. With VPNs, dedicated pipes aren’t required since the use of dynamic routing over secure tunnels over the Internet provides a highly secure, reliable, and scalable solution. VPNs with VLANs and firewalls allow the network administrator to limit access by a user or user group based on policy criteria and business needs. VPNs give more robust assurance of data integrity and confidentiality, and strong data encryption can be enacted at this layer to provide more security.

The fourth layer: Solid security practices

Best practices by the IT security team are yet another level in a layered network security strategy. This can be achieved by ensuring that operating systems are protected against known threats. (This can be accomplished by consulting with the operating system manufacturer to get the latest systems-hardening patches and procedures.) In addition, steps must be followed to ensure all installed software is virus-free.

Securing network management traffic is essential to ensuring the network. To protect HTTP traffic, it’s preferable to encrypt all management traffic at all times using the IPsec or Secure Sockets Layer protocol. Encryption is a must even if traffic travels on the local-area network.

Category: Uncategorized | Tags: 2005, Best practices, Encryption, Firewall, HIPAA, IPsec, LAN, RADIUS, Risk, Security, SNMP, SOX, SSL, VLAN, VPN

S	M	T	W	T	F	S
			1	2	3	4
5	6	7	8	9	10	11
12	13	14	15	16	17	18
19	20	21	22	23	24	25
26	27	28	29	30

Bach Seat