Well, the royal family’s security could be compromised, for one. If you missed it, Heathrow Airport, one of the busiest airports and Britain’s largest, is scrambling to understand how a memory stick (aka thumb drive) with extremely sensitive information ended up on a busy west London street. The documents on the unencrypted drive detailed airport security measures and plans, including the route Her Majesty typically takes to and from the airport.
The documents were all marked “confidential” or “restricted.” Yet the thumb drive had no encryption and was just lying on the street, available for anyone to pick up and use. The scariest part? This could happen to anyone, to any business, at any time.
How do you prevent this type of blatant risk to sensitive information? Ask yourself the following about your security and privacy policies and procedures:
- What have we done – or can we do – to assure our sensitive data’s security isn’t compromised like this?
- How well does our own senior leadership follow the same strict security measures as line staff?
- Do we allow sensitive data to be stored, or even temporarily used for transport, on unencrypted drives?
- Who is allowed to access sensitive data and in what way can they interact with it? Should they even be able to?
Frightening as this event is, it’s also all too unsurprising. Before you decide that portable media is fine for transporting or storing your sensitive data, think twice, then think again. Convenience should not override the need for data protection.
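A practical check for the third question above (sensitive data on unencrypted drives), added here as an example and not part of the original post: a PowerShell audit that lists mounted removable drives lacking BitLocker To Go and reports whether the “deny write access to removable drives not protected by BitLocker” policy is in force. It assumes a Windows 8 or later endpoint with the BitLocker PowerShell module, run from an elevated prompt.

```powershell
# Added example (not from the original post): audit one Windows endpoint for
# removable drives that are writable without BitLocker To Go.
# Assumes Windows 8+/Server 2012+ with the BitLocker module; run elevated.

# The Group Policy "Deny write access to removable drives not protected by
# BitLocker" is stored under this key as RDVDenyWriteAccess = 1 when enabled.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$policy    = Get-ItemProperty -Path $policyKey -Name RDVDenyWriteAccess -ErrorAction SilentlyContinue
if ($policy -and $policy.RDVDenyWriteAccess -eq 1) {
    Write-Output 'Policy: writes to unencrypted removable drives are blocked.'
} else {
    Write-Output 'Policy: NOT set - staff can copy data to unencrypted removable drives (gap).'
}

# Enumerate mounted removable volumes and check each one's BitLocker state.
$findings = foreach ($vol in Get-Volume | Where-Object { $_.DriveType -eq 'Removable' -and $_.DriveLetter }) {
    $mount  = "$($vol.DriveLetter):"
    $bl     = Get-BitLockerVolume -MountPoint $mount -ErrorAction SilentlyContinue
    $status = 'Unknown'                 # BitLocker module absent or query failed
    if ($bl) { $status = [string]$bl.ProtectionStatus }   # 'On' or 'Off'
    [pscustomobject]@{
        Drive            = $mount
        Label            = $vol.FileSystemLabel
        FileSystem       = $vol.FileSystem
        ProtectionStatus = $status
        Encrypted        = ($status -eq 'On')
    }
}

$findings | Format-Table -AutoSize

# Anything mounted, removable and unprotected is the Heathrow scenario waiting to happen.
$unprotected = @($findings | Where-Object { -not $_.Encrypted })
if ($unprotected.Count -gt 0) {
    Write-Warning ("{0} removable drive(s) without BitLocker protection: {1}" -f `
        $unprotected.Count, ($unprotected.Drive -join ', '))
}
```

Run it across a fleet through your endpoint management tool and the “Policy: NOT set” and warning lines become the list of machines where the Heathrow question has an uncomfortable answer.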
Apgar and Associates’ HIPAA privacy, information security, HITECH and regulatory compliance consulting services support the health care industry and the vendors that work with them. The firm works across industry sectors to help businesses prepare for ISO, SOC II and HITRUST certifications, as well.
By now, you’ve heard of the KRACK infiltration of WPA2 WiFi. Basically, a vulnerability in WPA2, the standard that secures most WiFi communications between your mobile phone, computer and anything else that connects to a wireless access point, gives cyber attackers a way in. An attacker who exploits the WiFi vulnerability can intercept the traffic of any device using that WiFi network. It affects everyone.
This kind of widespread WiFi vulnerability serves as a good reminder that we need to be especially careful using public WiFi, like the WiFi at your local coffee shop, or at airports and hotels when traveling. As our virtual CIO / IT vendor recommends, “If you can use a Virtual Private Network (VPN) vs public WiFi, that’s a better option to help secure your communications.”
Over the weekend, we received several communiqués from various IT vendors with whom we work. A partner of ours, Convergence Networks, forwarded a great e-letter to me that shared the following excellent tips.
Who does the KRACK infiltration affect?
If you use WPA2 encryption to secure your WiFi communications (and you likely do), you’re probably affected. That said, Android devices are the most widely exploited.
Does this mean someone can get my Wi-Fi password?
No. The WiFi vulnerability could allow an attacker to intercept Wi-Fi communications between a device and a wireless access point, but doesn’t compromise your Wi-Fi password.
How is the KRACK vulnerability being fixed?
Vendors are working on or have already released patches to fix the vulnerability:
- Microsoft has released patches for supported Windows operating systems (Windows 7 and higher).
- Apple is working on a patch for macOS and iOS devices, expected to be released in November.
- Android vendors manage their own patching schedules. Google Pixel devices will receive updates by November 6. Other Android vendors are expected to release patches later.
- Fortinet, a firewall and wireless access point vendor, has shown very limited exposure to this attack, but vendors are gathering information on any devices affected.
- Cisco has already released a patch for its Meraki wireless access points.
What should I do?
If you have an IT vendor for your information systems support, check with them on their patch schedule for Windows systems. They should automatically patch during the next maintenance window if not sooner.
As an individual, it’s strongly recommended that you immediately apply software and security updates to your mobile devices – particularly Android devices. Do so as soon as you’re notified that an update is available – don’t swipe the notification away!
For businesses using off-the-shelf, consumer-level WiFi like Linksys or Netgear, look into business-class wireless. You’ll get better timing on security updates.
Home-based WiFi? Call your ISP or the company that makes your wireless access point (router, firewall, etc.) to see when they are updating the firmware.
This is an excellent time to be sure that your wireless devices are updated, too. If your devices are so old that there’s no fix available, it’s time to part ways.
Particularly check your IoT devices – don’t forget wireless home security cameras!
Should I not use WiFi?
Good question. Convergence Networks had this advice: “While the KRACK WiFi vulnerability is serious, it requires an attacker to be in range of your wireless device to execute it, it requires time, and is not yet an easy vulnerability to exploit. While the vulnerability affects most Wi-Fi devices, the overall risk to a device is not high, and in most cases Wi-Fi can still be safely used. If you’re an Android user, consider disabling Wi-Fi on the device, limiting connectivity to cellular service, until the November patch has been applied to your device.”
We’ve been working with a number of clients lately who are trying to wrap their arms – and IT policies – around cloud computing and file sharing. You may remember last year when OHSU was fined $2.7 million for “widespread HIPAA vulnerabilities.” Well, part of those vulnerabilities came about because of improper use of cloud-based file sharing services.
Healthcare organizations or not, use of cloud computing to store or share sensitive information comes with risks. OCR regularly reminds covered entities and their business associates of the potential risks, as well as how to use such services while remaining in compliance.
Often, human error is at the root of the breaches. All the electronic protections (firewalls, anti-malware programs and so forth) may be in order, but one person accessing information without authorization undoes them all. Flawed setup of services is another risk, and one usually not detected until it’s too late.
We like to start with the security risk analysis to detect any potential service misconfiguration or unneeded access to sensitive data. The security risk analysis, when combined with IT vulnerability scans, penetration tests and mock phishing exercises, helps organizations identify and address security gaps like missed security patches and software that’s out of date, as well as detecting the most likely opportunities for human error. (Of course, the security risk analysis is also a HIPAA Rules requirement – but you knew that.)
Check that you’re in compliance with OCR Guidance on cloud computing, particularly around storing ePHI in the cloud, the proper policies and procedures, and the appropriate Business Associate Agreements.
Remember: Cloud computing and file sharing isn’t prohibited by OCR, but you must have appropriate measures in place to secure sensitive data and assure compliance. If you’re not sure whether your use of the services is secure, or your security risk analysis is up to date, then stop and call us!
Our HIPAA privacy, information security, HITECH and regulatory compliance consulting services support the health care industry and the vendors that work with them. We work across industry sectors to help businesses prepare for ISO, SOC II and HITRUST certifications, as well. You can reach Apgar & Associates at 877-376-1981.
Although the HHS HIPAA Breach Reporting Tool (HBRT) has been out since 2009, the revised and updated web tool is head and shoulders above the original. You can look for information on reported data breaches in your industry sector, what kinds of data breaches took place and the status of each as it relates to HHS / OCR review.
The tool is also educational, letting you see what actions OCR investigations initiated to resolve the vulnerabilities that let the breach happen in the first place. The hope is that the industry will use this information to help strengthen organizational security.
HBRT’s new features include:
- Breaches reported in last 24 hours
- Breaches currently under investigation
- Archive of breach resolution
- Better navigation to get to more breach information
- Consumer Help links if you think your privacy’s been breached
According to HHS, the updated and enhanced HBRT will continue to expand and improve. The HBRT encourages transparency to the general public and between organizations covered by HIPAA requirements. Its use helps emphasize how the privacy and security of our sensitive health information must remain at the forefront of covered entity and business associate operations.
Apgar and Associates, LLC helps you on your compliance journey, including helping you implement and improve your privacy, information security and cybersecurity programs. Let’s begin with a security risk analysis to see where your risks lie. Call 503-384-2538 to get started.
First published as an eblast, July 2017.
Recently, I was asked to share my thoughts on cloud computing. Industry experts have varying perspectives, and I encourage you to read all of our insights as published in the post “Ask the Thought Leaders: What’s the Future of Cloud Data Integration?” Here’s my contribution, as published:
“In 10 to 15 years, it is likely that cloud computing will have moved beyond what we call server-based computing. We’re already there with services offered by Amazon and Microsoft, where applications and processes can be run without the need to be concerned about servers that need to be configured and maintained. We’re looking at a world where unstructured and structured data reside in a virtual world where it’s feasible to create what I would call virtual artificial intelligence, where thoughts may be turned into code or a process to interrogate vast amounts of data and perform precise functions such as what’s the best approach for advanced disease management and how to isolate genes that may be altered to combat cancer and chronic diseases. We’re looking at an environment where computing is at such an advanced state that data manipulation and advanced technological advances will occur at such a rapid pace that it is impossible to believe today.
This all sounds like science fiction, but we’re already moving that direction at a rapid pace and it may turn out that my predictions are much more conservative than the reality of cloud computing in a decade. Now personal privacy and information security will be a concern as those vast amounts of data become even more of a tool to direct consumer engagement. We may be facing the potential of losing a fair amount of the privacy we have left.”
(segment from article by Nick Hastreiter published July 17, 2017 at http://www.futureofeverything.io/)