Encryption Prescription


Regardless of the actual legitimacy of the HIMSS Study, it raises an important discussion point regarding encryption. So, with due respect to the pundits advocating caution, I will presume it to be reliable.  When viewed as reliable, the HIMSS Study presents compelling statistics with immediate impact to the healthcare industry.

The Numbers Regarding Encryption.

According to the HIMSS Study, approximately 32% of hospitals and 52% of non-acute providers do not encrypt data in transit. Further, 39% of acute providers and 52% of non-acute providers do not encrypt data at rest. The overarching gist of the HIMSS Study is that a significant percentage of healthcare organizations (“HCOs”) do not encrypt data, either at rest or in transit. But, what’s the big deal?

The Rules Regarding Encryption.

HIPAA does not necessarily require encryption.  However, encryption is an addressable implementation specification.  See 45 CFR 164.312(a)(2)(iv).   Importantly, “addressable” does not mean “optional.”  Instead, “addressable” means that a covered entity must “[i]mplement the implementation specification if reasonable and appropriate” under the circumstances for that covered entity.  See 45 CFR 164.306(d)(3).  If a covered entity determines that an addressable item is not reasonable and appropriate, it must document why and implement an equivalent measure, if the substitute measure is reasonable and appropriate.  Clearly, if encryption is reasonable and appropriate for a covered entity, failure to implement encryption violates HIPAA’s Security Rule.  Thus, the operative question is whether encryption is reasonable and appropriate.

In 2016, encryption tools are readily available and there is no excuse for failing to encrypt data at rest. For example, Windows OS includes BitLocker Drive Encryption onboard. Further, there are numerous affordable encryption options for Windows.[v] Mac offers FileVault 2 encryption standard with OS X. FileVault 2 encrypts not only the hard drive, but removable drives as well. FileVault is a respectably robust encryption tool, especially for individuals or small businesses. Mac users also have additional options for encryption.[vi]

Data in transit is a bit more technical.  I do not claim to be a CISSP – my knowledge base is in the law, not hardware and software.  So, for purposes of this article, let’s just consider that “data in transit” entails methods with which we are all familiar – email, fax, and text.  All of these transmissions may be encrypted by employing various programs, services, and technology, many of which are readily available and affordable.

People will undoubtedly argue about the viability of, and protection afforded by, these encryption tools. For example, you can Google numerous articles discussing the security flaws in FileVault 2 and BitLocker. Encryption options for faxing and texting usually fare no better.

The good news is that HIPAA does not demand that the encryption WORK – but only that covered entities “[i]mplement a mechanism to encrypt and decrypt” ePHI.  See 45 CFR 164.312(a)(2)(iv).   HIPAA defines encryption as “the use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key.”  See 45 CFR 164.304.  So, the mere fact that a covered entity implements encryption methods meeting technical requirements[vii] satisfies HIPAA’s basic requirement.  Of course, covered entities must also keep safeguards up to date and monitor overall effectiveness in protecting information assets.

Finally, it should be stated that encrypting data relieves a covered entity from data breach notification requirements in many states, including Ohio.  In Ohio, data breaches exposing “personal information” must, under certain circumstances, be reported to the individuals.  See R.C. 1349.19(B)(1).  Information is only “personal information” “when the data elements are not encrypted, redacted, or altered by any method or technology[.]”  R.C. 1349.19(A)(7)(a).

In closing, it is arguable that encryption is currently reasonable and appropriate for 100% of covered entities. Under that postulation, then, according to the HIMSS Study, between 32% and 52% of HCOs are violating HIPAA and perhaps do not even realize they are doing so. While HIPAA’s Privacy and Security Rules go far beyond encryption, perhaps it is a good, objective starting point for covered entities. Stakeholders in covered entities (and business associates) should ask:

  • Do we store data? If so, do we encrypt that data?

  • Do we transmit data? If so, how?  Email, fax, or text?

  • Do we encrypt the data we transmit? How?

  • Is encryption reasonable and appropriate for our organization?

  • If not, do we have the justifications documented?

Based on this self-analysis, covered entities should contact an information security lawyer to help them: (1) conduct a thorough and confidential analysis of existing information security policies and procedures; and (2) develop and implement an information security regimen tailored to foster an organizational culture of security.

[i] http://www.itworld.com/article/3110506/healthcare-it/many-hospitals-transmit-your-health-records-unencrypted.html

[ii] outpatient clinics, rehabilitation facilities and physicians’ offices.  See note iv, infra.

[iii] 2016 HIMSS Cybersecurity Survey, available at: http://www.himss.org/sites/himssorg/files/2016-cybersecurity-report.pdf

[iv] For example, the HIMSS Study was sponsored by FairWarning. FairWarning is a provider of information security services and has a considerable market in … you guessed it … the healthcare industry. Sure, it seems convenient that a study exposing a lack of information security in healthcare is sponsored by a seller of information security to healthcare. In fact, the lawyer in me demands the injection of a healthy dose of skepticism.

However, in fairness, as an information security attorney, I could be accused of the same sort of fear-mongering designed to scare people into hiring me. But, I know this to be patently untrue. No reasonable person would consider identification of critical issues and application of sound legal advice to mitigate those issues as “fear mongering.” It is no different than advising a business owner to incorporate to avoid the risk of exposing personal assets to creditors. So, because I know my motives are pure, I am inclined to extend the benefit of the doubt to others.

[v] http://www.toptenreviews.com/software/security/best-encryption-software/

[vi] http://www.toptenreviews.com/software/security/best-mac-encryption-software/

[vii] HHS has issued guidance on encryption standards, namely referring to NIST guidelines.  For example, encryption for data at rest must be consistent with NIST Special Publication 800-111.  Encryption for data in transit must comply with other specifications, including NIST Special Publications 800-52,

 

Keep it Like a Secret


With the passage of the Defend Trade Secrets Act (DTSA), the federal government handed businesses a lethal new weapon to protect trade secrets in federal court. There should be champagne popping in boardrooms everywhere. Why, you ask?

Access to federal courts in and of itself is a major boon for businesses. Any seasoned litigator knows that in federal court, deadlines and dates are set quickly and are firm. Further, federal courts have more judges, more resources, and less cluttered dockets. Accordingly, federal litigation customarily moves at lightning speed compared to state court. Also, anecdotally speaking, the federal judiciary and its staff are the cream of the legal crop. Federal judges aren’t encumbered with running for re-election (as in Ohio), so they take the time to understand complex legal issues and have the wherewithal to deal with those issues. Their staff attorneys usually enjoy digging into the meat of legal issues and complex fact patterns. This isn’t to say that state court judges and staffs are substandard. Rather, state courts generally lack the resources and time to put together a stellar legal team to review your case. Thus, when dealing with a complicated trade secrets case, federal courts will be a welcome arbiter for practitioners and clients alike.

But … there is always a but … if one seeks to enforce trade secret rights in federal court, one must bring her or his “A” game. A federal court will expect a party to be able to prove its case, and motion practice is more effective. To provide an example, the “trade secret” had better be a trade secret. At first blush, that seems an obvious statement. However, beneath the obvious is the point I am driving at: if you have a trade secret, you had better keep it like a secret. Let me explain.

The DTSA adopts the Economic Espionage Act’s (EEA) definition of a trade secret. According to the EEA, a trade secret is defined as follows:

“[A]ll forms and types of financial, business, scientific, technical, economic or engineering information, including patterns, plans, compilations, program devices, formulas, designs, prototypes, methods, techniques, processes, procedures, programs, or codes, whether tangible or intangible, and whether or how stored, compiled, or memorialized physically, electronically, graphically, photographically, or in writing.”

But that’s not all. To qualify as a trade secret, the owner must: (1) have “taken reasonable measures” to keep the information secret; and (2) “derive independent economic value, actual or potential, from not being generally known to, and not being readily ascertainable through proper means by, the public.” See 18 U.S.C. § 1839(3).

Reasonable measures? Sounds like another way of saying “gray area.” What are the federal courts likely to do with such a gray area? I predict the federal courts will paint it with the many splendored colors of information security. Simply put, federal courts will look to set quantifiable standards for the reasonability of measures to protect trade secrets. I believe the easiest method to judge the reasonability of a plaintiff’s security measures is to view them through the lens of information security. Because many organizations still lack adequate information security, proving the existence of a trade secret in federal court will become increasingly problematic. Although scant at this juncture, federal case law seemingly bears this theory out.

In US v. Shiah, No. SA CR 06-92 DOC (C.D. Cal. Feb. 19, 2008), a case addressing trade secrets under the EEA, the defendant copied 4,700 computer files belonging to his employer, Broadcom, to an external hard drive shortly before leaving to start a new job with a competitor. In Shiah, the district court engaged in a lengthy discussion of the “reasonable measures” requirement. The measures taken by Broadcom to maintain the confidentiality of its secrets included confidentiality agreements signed by its employees that explained the value placed on confidentiality and attempted to indicate which documents were considered confidential. The confidentiality agreement also prohibited employees from taking confidential information with them upon their departure. The court noted Broadcom’s use of IT-managed firewalls, file transfer protocols, intrusion detection software, passwords to access the company’s intranet, a layer of protection between its intranet and the Internet, and selective storage of files. Broadcom further required non-disclosure agreements, tracked sharing through a program called DocSafe, and marked documents as confidential. Finally, Broadcom maintained a high security physical facility. Seems pretty good, huh?

Despite Broadcom’s security measures, the court found them “barely sufficient” to qualify as reasonable under the EEA. The court opined that Broadcom should have provided education, training, or guidance to employees regarding the information it considered confidential. The court stated that the training should have been “regular” and included methods for ensuring information remained protected. The court also noted that if Broadcom had a “comprehensive system in place designating which documents were and were not confidential”, it would have been easier for employees to identify confidential information. Regarding the confidentiality agreement signed by Shiah, the court stated that it was overly broad in designating nearly all information as confidential, making it difficult for employees to understand what information was actually confidential.

The court also criticized Broadcom’s off-boarding process with Shiah. The court indicated that Broadcom was overly concerned about “sending a message” as opposed to actually protecting its information. The court indicated that Broadcom should have had Shiah’s supervisor present to thoroughly explain the terms of the confidentiality agreement, identify the information the company determined to be particularly sensitive, and inquire as to what information he was taking with him. The court also stated that Broadcom should have taken steps to inspect Shiah’s computer to determine what information Shiah had accessed and when. The court indicated that had Broadcom simply inspected Shiah’s computer, it would have learned that Shiah copied thousands of files and would have been able to investigate immediately.

Lastly, what I find most interesting about the Shiah case is the court’s dicta regarding “reasonable measures”. The court presciently stated:

“The Court is also basing its determination on what would have been considered reasonable at the time, in 2003; the Court notes that the reasonableness standard will become more and more stringent as time passes. Over time, there will and have been improvements in technology, information, and knowledge pertaining to data secrecy[.]”

The controversy in Shiah happened 13 years ago. In terms of information technology, 13 years is an eternity. The threats to information are more formidable and pervasive than ever. Furthermore, with the development of various forums on the “Deep Web” and the rise of cryptocurrency, it has never been easier to sell information such as trade secrets to willing buyers and to do so anonymously. A comprehensive information security regime that emphasizes trade secret management will be the best prescription for protection in this new age of federal trade secret litigation.

Read Menzies Aviation v. Wilcox, 978 F.Supp.2d 983 (D.Minn. 2013) for a more recent take on federal trade secret litigation as it relates to the consideration of “reasonable measures”. In Wilcox, the U.S. District Court of Minnesota held that the trade secret owner failed to employ reasonable measures when the employer was aware that the subject employee used personal email and a personal computer for work matters, and that much of the confidential information was shared with another third-party vendor.

Does the employer in Wilcox sound like your organization? Do you allow employees to access their personal email or use a work computer for personal matters? Conversely, do you allow employees to use personal computers or devices (phones or tablets) for work matters? Does your organization even meet the security standard set by Broadcom, which was ultimately determined to be insufficient? If your answers are yes, it seems that you may be unwittingly undermining your own ability to enforce your trade secrets rights in federal court.


ICKES \ HOLT is a full-service, team-driven, and client-focused law firm in Northeast Ohio concentrating on information security and governance. Information is the DNA of modern organizations, and ICKES \ HOLT is dedicated to advising clients on how to protect their information. Please contact us to discuss establishing or improving the information governance policies for your organization.

The ADA’s Dental Debacle


Talk about the ever-changing world of information security and data privacy. Literally, something new, interesting, or terrible occurs daily.

The latest giant balloon in the “parade of horribles” is the American Dental Association (“ADA”) providing its members with a free, electronic copy of the 2016 Dental Procedure Codes – with one small catch. The handy, searchable PDF was stored on malware-laced USB drives. Whoops.

In other words: ransomware. So, to recap: one benefit of a paid membership in the ADA is a potential malware infection. According to Krebs on Security, “Mike” (presumably a dentist) was suspicious of the USB drive and took a look at the code. Mike discovered that one of the files on the USB drive tried to open a well-known malware distribution website. Apparently, this website “is used by crooks to infect visitors with malware that lets the attackers gain full control of the infected Windows computer.”

On the surface, the ADA’s idea is just a bad idea. If one looks deeper, however, there is a next-level disconnect about protecting PHI. Think about it. According to the ADA’s instructions, a covered entity is supposed to: (1) “flip out” a USB drive obtained in the mail; (2) “plug [it] into the USB port” on their computer; and (3) “open … the file on your computer.” WHAT? A dental office’s computer contains PHI (and likely other provider-specific sensitive information). While “reasonable safeguards” under HIPAA is up for interpretation, I am pretty sure that it does not include plugging random USB drives into computers and networks containing PHI.

Let’s think about this.  HIPAA’s Privacy Rule requires “reasonable and appropriate administrative, technical, and physical safeguards.”  Covered entities must ensure the confidentiality and integrity of PHI, as well as “identify and protect against reasonably anticipated threats to the security or integrity of the information.”  HIPAA’s Security Rule mandates that the information is not made available or disclosed to unauthorized persons.  While the Security Rule does not dictate measures, covered entities must consider certain things, most notably: the likelihood and possible impact of potential risks.

It seems that “Mike” considered the “likelihood and possible impact” of inserting an unknown USB drive and opening unknown files.  But I am willing to bet that many or most would not, either from ignorance, inattention, or explicit faith in the ADA.  In the current landscape, none of these are acceptable reasons for failing to consider the likelihood and possible impact.  Covered entities, and all organizations in general, must build an organizational culture of security where, like “Mike”, a natural suspicion arises when faced with a seemingly harmless, but unknown, situation.   Please be like Mike.  Trust or do not trust.  But always verify.

One more thing. The approximately 37,000 USB drives were “manufactured in China by a subcontractor of an ADA vendor[.]” [Insert forehead slap here]. So, let’s get this straight. The ADA: (1) unknowingly sent malware-laced USB drives to its members; (2) provided them specific instructions to potentially infect their computers with ransomware; (3) failed to include in those instructions anything resembling steps to securely access the USB; and (4) obtained those USB drives from a subcontractor of a vendor in China. If you’re keeping score at home, that’s strikes 1, 2, 3 and 4. But the ADA didn’t stop there.

In an email statement, the ADA exacerbated the problem by committing the cardinal sin of incident response:  failing to take ownership of the problem and downplaying the threat:

“Upon investigation, the ADA concluded that only a small percentage of the manufactured USB devices were infected … Of note it is speculated that one of several duplicating machines in use at the manufacturer had become infected during a production run for another customer. That infected machine infected our clean image during one of our three production runs. Our random quality assurance testing did not catch any infected devices. Since this incident, the ADA has begun to review whether to continue to use physical media to distribute products ….  Your anti-virus software should detect the malware if it is present.”

Seems pretty specific for “speculation.”

In this statement the ADA essentially acted like its mistake was no big deal.  Further, it not so subtly transferred responsibility to the members.  Did you catch it?  “Your anti-virus software should detect the malware if it is present.”  Translation:  if you have proper cyber security in place our mistake won’t hurt you.  If you don’t have proper cyber security in place, our mistake is your fault for not having proper cyber security.

Not only is this a peevish and puerile response to a serious screw-up, it is also not accurate.  According to Krebs on Security:

“It’s not clear how the ADA could make a statement that anti-virus should detect the malware, since presently only some of the many antivirus tools out there will flag the malware link as malicious.”

Nice job, ADA [golf clap].

What’s even more curious about the ADA’s post-incident position is that cheap USB drives manufactured in China containing malware are not a new threat.  They are, in fact, a very common threat.  According to one security consultant, this fact “… is why the ADA’s decision to use them is so disconcerting[.]”   The point is, that in 2016, use of untested USB drives should always be suspicious – and therefore, connecting them to information systems should warrant consideration of the “likelihood and possible impact[.]”  In fact, according to that same consultant “connecting untested thumb drives to information systems containing sensitive data like personal health information violates the most fundamental rules of InfoSec[.]”

Now, you might be saying … “well, the ADA didn’t violate any rule.” Perhaps this is true. However, the ADA’s dental debacle clearly demonstrates the great divide between where we are and where we should be related to information security. To say that the ADA does not have any culpability is ludicrous. The ADA has a responsibility to its paying members. At the very least the ADA shouldn’t contribute to the immense threats that its members already face.[i][ii]


[i]   http://krebsonsecurity.com/2016/04/dental-assn-mails-malware-to-members/;
[ii] http://www.healthcareitnews.com/news/american-dental-association-sends-malware-infected-usb-drives-its-members

Internet of Things Institute: Day One Takeaways


Day 1 of the ABA Internet of Things Institute:  So, come to find out, the Internet of Things (“IoT”) is not the precursor to SkyNet or a rampant abuse of power by Big Brother.  It is fascinating, and yes, slightly frightening.  The simple fact is, the IoT is just like any other rapid advance in technology – it is power that can be used for good or ill.  It provides safer cars, more productive businesses, and cleaner, more efficient energy grids.  It also provides more pervasive avenues for malefactors to hack into our daily lives.  But the bottom line is, the IoT is not going away, so it is imperative to understand it and implement sound security practices.

Some takeaways from Day 1: 

  • The IoT is a broad term for a world where everyday objects are connected, have software and are networked.
  • Computer scientists predicted the IoT in the 1980’s.
  • The most commonly known examples of the IoT are consumer goods like thermostats and light bulbs with sensors to monitor how many people are in a room at a given time and software to interpret that data to more efficiently allocate energy consumption.
  • Consumer products are just the beginning: more necessary and beneficial uses include smart energy grids, smart water solutions, smart cities and infrastructure, autonomous cars, agricultural improvements, and medical products like medicine pumps, defibrillators, and monitoring devices for the aged (which will double in population by 2050).
  • We need to understand that connected devices are nothing more than computers, and computers can be programmed to do whatever you want.  So yes, that smart refrigerator can be hacked to send out malicious emails.
  • Because of this threat, we need to rely on sound engineering principles and strong encryption when developing IoT devices.
  • Manufacturers of IoT devices need to remember that they are actually developing software and not just cool gadgets.
  • Consumer protection must always be at the forefront of development.
  • Computer scientists were able to convert first generation electronic voting machines into Pac-Man games.
  • Industry cannot rely on Congress to legislate IoT security.  We have to rely on Industry sector regulation and consumer protection laws.
  • You cannot regulate what you can’t define. According to one U.S. Senator, the IoT is moving too fast, it’s too big, and it changes every day.
  • The IoT is currently a $2 Trillion economy and will grow to $11 Trillion by 2025.
  • Don’t fear autonomous cars – 95% of auto accidents are due to driver error.  Autonomous vehicles will make roads safer, including not only individual vehicles, but the trucking industry as well.
  • The IoT is expected to create a 10-25% savings in energy consumption and manufacturing processes for industry.  Business will have to implement IoT devices to remain competitive.
  • The IoT is the 4th industrial revolution and will fundamentally change organizational behavior, as well as perceptions of privacy, security, ownership and interpersonal relationships.
  • Good with the Bad:  the IoT will also unquestionably create difficult societal, business, and ethical problems, such as job loss or restructuring, privacy and security issues, cyber-terrorism threats, cross-border data flow issues, data ownership issues, and dangerous digital divides (access, literacy, and acceptance of IoT).
  • Abuses and abusers will evolve.  Bad actors will remain bad actors.  The IoT will not change human behavior, but will give bad actors new tools to be bad actors.
  • There will be an estimated 30 billion IoT devices by 2030.
  • The raw cost of utilizing encryption is approximately 2 cents per device.
  • HIPAA and HITECH require healthcare providers to encrypt patient personal health information.
  • Cloud computing raises significant legal and ethical issues for every organization that uses the Internet.
  • The key to safely navigating the IoT and protecting your organizational information and the information of those you serve is security by design and front end engineering.
  • Cyber liability insurance is a good idea, but not the cure – coverage is not always sufficient, insurance companies may seek to deny coverage, and insurance does not fix the problems caused by a breach or recover the information lost.
  • The value in the IoT is the aggregation of data that by itself is useless.
  • Privacy concern and policy discussions must be viewed in context with the beneficial uses of the IoT.
  • 42% of consumers believe that privacy concerns outweigh the benefits of the IoT because the focus is on the consumer products, not the societal benefits.
  • IoT devices are increasingly becoming threat vectors.
  • IoT devices and software that utilize the collected data could be protectable intellectual property even though the data itself is not.

One thing is certain.  The IoT presents the greatest potential for human connectedness and technological advances in history while simultaneously presenting the greatest potential for security and privacy abuses.  The idea of a global community where information flows freely for the betterment of humanity is an exciting one.  However, we must temper that laudable goal with the stark reality that the same technology that frees us can also be used by bad actors to compromise that freedom.

In the immortal words of Peter Parker’s Uncle Ben:  with great power comes great responsibility.  Attorneys and other professionals specializing in information security and privacy must be at the forefront of the IoT.  So too must others (traditional attorneys, healthcare providers, financial services professionals, business owners, and governmental leaders) understand the benefits and threats posed by the IoT and seek advice from people best equipped to shepherd them through this new age.


Information Security and Privacy Round-Up: Memphis Neurology & Fazio Mechanical


Information security and privacy is an incredibly broad and pervasive topic.  It spans across industries, relates to private and public sectors, affects small business to publicly traded companies, is governed by federal and state legislation, is enforced by regulators and courts, and incorporates IT and legal solutions.  Information is the DNA of the modern world.  It is everywhere – our computers, our phones, our cars, our homes, our businesses, the cloud.  We have unprecedented access to each other, and as a result, other people have unprecedented access to our information. The boundaries of information security are continually being stretched by the dramatic leaps in technology and ever shifting societal norms.

Events in the information security realm occur so quickly that it is difficult, even for privacy professionals, to keep current. This article will provide an overview of some recent information security cases, both of which illustrate the concept that small to mid-sized businesses are the most vulnerable to, and least equipped to prevent, information security attacks.

Memphis Neurology Case: In February, the U.S. Attorney’s office indicted Jeremy Jones on charges of identity theft, fraud, and conspiracy. Jones is accused of conspiring to steal the identities of more than 145 patients of Memphis Neurology, as well as customers of car dealerships and other people he knew. Jones used the stolen identities to apply for loans and credit cards, and to open bank accounts in the victims’ names. The estimated loss to the defrauded financial institutions is $1,660,587.30.

The Memphis Neurology case presents significant information security concerns, namely, insider threats and access controls.  Memphis Neurology is a regional, private neurological practice with five locations.[i]  The practice has been in business since the 1970’s.  Jones allegedly conspired with an employee of Memphis Neurology to steal patient information from the practice’s database.[ii]   The scheme allegedly began in 2011 and continued through 2015.[iii]

This case underscores the importance of: (1) training employees about information security; (2) clearly communicating to employees the consequences for intentional and unintentional security breaches; (3) properly screening potential employees during the hiring process; (4) conducting periodic audits of information security practices for efficacy and potential breaches; and (5) ensuring access to patient information is properly limited to authorized employees, including organizational and physical security. These items are crucial components of an overall information security governance program, which is required by HIPAA and the FTC Act, as well as necessitated by the modern world in which small to mid-sized medical practices operate.

Jeremy Jones is facing criminal charges. The financial institutions are facing the loss of $1,660,587.30. But what about Memphis Neurology? What are the potential consequences to the practice? First, it almost certainly lost existing and future customers. Second, it faces potential investigation and enforcement by the Federal Trade Commission and/or the Department of Health and Human Services. An investigation and enforcement action will cost Memphis Neurology significantly in legal fees and lost productivity. Further, the FTC and HHS are not averse to levying heavy financial penalties for violations. Finally, while neither the FTC Act nor HIPAA provides a private right of action, there is an increasing trend of state courts adopting federal statutory/regulatory frameworks as the “standard of care” in common law negligence actions.[iv] This trend could expose Memphis Neurology to state court negligence lawsuits brought by the patient victims.

Target Breach-Fazio Mechanical.  Most people are aware of the Target breach in 2013.  In fact, most people probably held their breath waiting for notice from the retail giant that their information had been compromised.  The fallout from the Target breach has been staggering:

  • 110 million customers’ information exposed
  • Immediate 50% drop in profits at the time of the breach from the previous year
  • Consumer and media backlash
  • Approximately $252 million spent to manage the breach
  • An escrow account of $10 million set aside for compromised customers
  • Ongoing litigation and regulatory action
  • Target CEO ousted
  • Potential personal exposure to fines and monetary damages for Target executives[v]

What is not commonly known is the source of the hack leading to the Target breach. According to Krebs on Security, hackers gained access to Target’s network via one of its vendors, Fazio Mechanical, a Pennsylvania-based refrigeration company.[vi] According to investigators, the Target breach “traces back to network credentials” issued to Fazio by Target. Fazio has stated that its data connection to Target “was exclusively for electronic billing, contract submission and project management[.]”[vii]

It appears that Target’s network credentials were stolen by means of an email “phishing” attack sent to employees at Fazio. The facts indicate that one or more Fazio employees opened the phishing email, thus infecting Fazio’s system and delivering Target’s network credentials to the hackers. The hackers then planted malware on Target’s system and began stealing credit card data from thousands of Target’s registers nationwide.

Target receives and retains an immense amount of customer information. As the recipient of this information, Target had a duty to ensure that the third-party vendors with which it works have adequate security controls. There is no question that Target should have done a better job of auditing Fazio’s information security controls, and it ultimately bears responsibility for the breach. However, while Target is certainly culpable for the breach (namely, for failing to act on the breach in a timely manner[viii] and for sending out inadequate data breach notifications[ix]), it was undoubtedly prepared for the possibility of an attack. Six months prior to the breach, the retailer had started installation of a $1.6 million malware detection tool designed by FireEye. FireEye is a leading cyber security firm that provides services to the CIA and the Pentagon. Target employed a security squad in Bangalore to monitor its system 24/7.[x] Despite these measures and obscene financial resources, Target was hacked and is now facing reputational damage, lawsuits, and regulatory enforcement.

And it is, in large part, Fazio’s fault.

True, if it wasn’t Fazio, it likely would have been another vendor. Or perhaps malefactors could have penetrated Target’s system directly. However, the facts surrounding the Target breach point blame directly at an unremarkable, “mom and pop” business lacking any information security policies and practices. In stark contrast to Target’s measures, Fazio primarily relied on the free version of Malwarebytes Anti-Malware (“MBytes”) to detect malicious software on its systems.[xi] It is unknown whether Fazio employed any actual information security protocols, but based on its use of MBytes, it seems likely that it did not.

What is more inexplicable was Fazio’s response to its role in the Target breach. In a press release, Fazio stated it was “the victim of a sophisticated cyber attack operation,” and further that its “IT system and security measures are in full compliance with industry practices.”[xii] Clearly, Fazio was out of its depth concerning the technical aspects of information security, as well as willfully or unintentionally ignorant of its duties under applicable state and federal law.

First, phishing attacks are not “sophisticated.” Phishing attacks are common. They are not targeted, but instead use a “blast” approach to distribute the poison-pill email as widely as possible. In fact, email phishing attacks are so unsophisticated that they can be defeated by simply ignoring and deleting the email.[xiii]

Second, while MBytes is a reputable malware program, it is seriously limited. The free version is an on-demand scan-and-kill program, which means a user must actually run the scanner or set it to run at scheduled times. Also, the free version of MBytes does not offer real-time protection against threats. Real-time protection means that the software actually blocks or stops malware that is actively trying to infect a system. Imagine a pop-up blocker, which is a real-time protector. A pop-up blocker that did not protect in real time would effectively allow the pop-up to appear, and then only remove the pop-up when the user prompts it to do so. Essentially, a non-real-time malware program is ineffective at preventing malware infections.
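To make the on-demand versus real-time distinction concrete, the following is an added illustration (not code from the original post or from any product it mentions): a tiny signature checker used in two modes, a scheduled scan-and-kill pass that only finds a file after it has already landed on disk, and a guarded write that refuses the content before it is ever stored. The signature database and the “malicious” marker payload are constructed for the demo.

```python
"""Added example (not part of the original post): on-demand scan-and-kill
versus a real-time guard. Signatures and payload are constructed for the demo."""
import hashlib
import os
import tempfile

# Constructed signature database: SHA-256 of a made-up marker payload.
MALICIOUS_PAYLOAD = b"CONSTRUCTED-DEMO-MALWARE-MARKER"
SIGNATURES = {hashlib.sha256(MALICIOUS_PAYLOAD).hexdigest()}


def is_malicious(data: bytes) -> bool:
    """Signature check shared by both modes (hash of the full content)."""
    return hashlib.sha256(data).hexdigest() in SIGNATURES


def on_demand_scan(directory: str) -> list:
    """Scan-and-kill: walk the directory, delete matches, report what was found.
    Anything written between two scheduled scans sits on disk undetected."""
    found = []
    for root, _dirs, files in os.walk(directory):
        for name in files:
            path = os.path.join(root, name)
            with open(path, "rb") as fh:
                if is_malicious(fh.read()):
                    found.append(path)
                    os.remove(path)
    return found


def realtime_write(path: str, data: bytes) -> bool:
    """Real-time protection: inspect content before it reaches disk.
    Returns False (and writes nothing) when the content matches a signature."""
    if is_malicious(data):
        return False
    with open(path, "wb") as fh:
        fh.write(data)
    return True


def demo() -> dict:
    """Drop the marker via an unguarded write, then attempt a guarded write."""
    workdir = tempfile.mkdtemp()
    dropped = os.path.join(workdir, "sample.bin")
    with open(dropped, "wb") as fh:      # unguarded write: lands on disk
        fh.write(MALICIOUS_PAYLOAD)
    landed = os.path.exists(dropped)     # exposed until the next scheduled scan
    removed = on_demand_scan(workdir)    # only now is it found and killed
    blocked = not realtime_write(os.path.join(workdir, "sample2.bin"),
                                 MALICIOUS_PAYLOAD)
    return {"landed_on_disk": landed, "removed_by_scan": len(removed),
            "blocked_in_realtime": blocked}
```

The first write succeeds and is only cleaned up when the scan runs; the guarded write never stores the content at all, which is the gap the free, on-demand product leaves open.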

Third, Fazio clearly was not in compliance with industry practices. We have already discussed the limited capabilities of free MBytes above. Further, the free version of MBytes is made explicitly for individual users, and its license prohibits corporate use.[xiv] Fazio violated this license, which is definitely not an industry standard. Finally, there is no evidence that Fazio employed any reasonable information security policies and procedures, let alone a written program including preventative measures, training, an incident response strategy, and a data breach notification plan. Thus, Fazio quite literally failed to meet the requirements of state and federal information security laws, which ARE the industry standard.[xv]

Information security is not a problem only for “big” companies. Information security is not IT’s problem. Information security is everyone’s problem. Do you think your organization is somehow protected from phishing attacks? It happened to Fazio Mechanical. Fazio’s role in the Target breach proves that the “little guys” cannot ignore their place in the global marketplace. According to the Privacy Rights Clearinghouse, 621,955,664 records have been breached in the U.S. since state data breach notification laws went into effect in 2005. Those are only the ones that have been reported; experts think the figure is actually much larger.[xvi]

In this modern age, it is best practice to assume that your organization has already been breached or will be breached in the future.  The only way to prevent a breach is to put solid information security policies and procedures into place, train your employees, and regularly test your network security.

Ickes Holt is a full-service, team-driven, and client-focused law firm in Northeast Ohio concentrating on information security and governance. Information is the DNA of modern organizations, and Ickes Holt is dedicated to advising clients on how to protect their information. Please contact us to discuss establishing or improving the information governance policies for your organization.

[i] http://www.memphisneurology.com/

[ii] http://www.commercialappeal.com/blogs/news/on-the-docket/Memphis-man-indicted-for-allegedly-using-stolen-identities–369166781.html

[iii] http://www.hipaajournal.com/man-indicted-for-5-year-identity-theft-spree-used-memphis-neurology-data-8321/

[iv] http://www.thompsonhine.com/publications/de-facto-private-right-of-action-under-hipaa-is-ohio-next

[v] http://www.huffingtonpost.com/eric-dezenhall/a-look-back-at-the-target_b_7000816.html; https://www.privacyandsecuritymatters.com/2015/02/target-data-breach-price-tag-252-million-and-counting/; http://www.usatoday.com/story/money/business/2014/05/05/target-ceo-steps-down/8713847/

[vi] http://krebsonsecurity.com/tag/fazio-mechanical-services/

[vii] https://ickesholt.com/old/wp-content/uploads/2016/03/Target-Breach-Statement.pdf

[viii] http://www.bloomberg.com/news/articles/2014-03-13/target-missed-warnings-in-epic-hack-of-credit-card-data; http://www.huffingtonpost.com/eric-dezenhall/a-look-back-at-the-target_b_7000816.html

[ix] http://www.pcworld.com/article/2089104/target-breach-notifications-are-a-perfect-example-of-what-not-to-do.html

[x] http://www.bloomberg.com/news/articles/2014-03-13/target-missed-warnings-in-epic-hack-of-credit-card-data

[xi] http://krebsonsecurity.com/tag/fazio-mechanical-services/

[xii] https://ickesholt.com/old/wp-content/uploads/2016/03/Target-Breach-Statement.pdf; http://krebsonsecurity.com/tag/fazio-mechanical-services/

[xiii] http://krebsonsecurity.com/tag/fazio-mechanical-services/

[xiv] http://krebsonsecurity.com/tag/fazio-mechanical-services/

[xv] See http://krebsonsecurity.com/tag/fazio-mechanical-services/

[xvi] http://www.cnbc.com/2013/12/19/why-did-target-take-so-long-to-report-the-breach.html

Information Governance: Culture of Security vs. Culture of Compliance


Organizations can, and often do, make the mistake of classifying information security as only a compliance matter. Much like taxes, workplace safety, and human resources, information security is governed by a complex set of statutes and regulatory rules. However, unlike those areas, information security cannot adequately be addressed solely as a compliance matter.

This is due to many factors, including: (1) the inherently valuable and essential nature of an organization’s information; (2) the ever-evolving nature of threats; (3) the relative lack of awareness of information security issues and the overall inability of organizations to effectively control and protect their information; (4) the persistent existence of intentional or unintentional insider threats; and (5) the rapidly changing national and global legal and regulatory landscape. Information security cannot be relegated to IT or delegated to one specific person or department without oversight. Information security simply must be addressed from the executive level and must be a persistent, holistic, and synergistic aspect of an organization’s overall governance.

The best practice is to change the organizational mindset from a culture of compliance to a culture of security. The first step in changing the organizational mindset is to stop thinking of information security as an item to “check” to meet minimum compliance requirements and to start thinking of it as an overarching organizational governance goal. Information is the DNA of modern organizations, and information security must be thought of in terms of how the organization is run. All of the organization’s departments and employees must fall under the umbrella of information governance and must work together to achieve the common goal. The organization’s leadership must deliver a clear and concise vision, communicate expectations, and expect results.

Changing an organizational mindset requires executive level buy-in and a commitment to initiate, develop, and implement an information security program. It requires the bravery and dedication to allocate resources (financial and personnel) to pursuing a culture of security. It requires the fortitude to stick with a culture of security in the face of inevitable setbacks and recalibrations.

Ultimately, changing the organizational mindset to a culture of security is a simple matter of saying “yes.” In doing so, the organization will reap the benefits of increased productivity, greater security, and the peace of mind of its employees, vendors, and customers. In doing so, the organization will also not only meet compliance standards, but will, in all likelihood, exceed them.