Most Common HIPAA Gaps

It’s not uncommon for healthcare breaches to make the headlines these days. Whether it’s a major breach like Anthem’s $16 million breach or a smaller HIPAA violation such as improper disposal of secure records, healthcare organizations are falling victim to security breaches at an alarming rate. According to IBM Security’s 2019 Cost of a Data Breach Report, the highest industry average cost of $6.45 million is the healthcare industry. Do you have $6.45 million that you’re ready to use if your systems are breached? Are you prepared to spend years dealing with the OCR for failing to protect privacy rights? Of course not. One of the best ways to avoid these detrimental consequences is to make sure you’re compliant with HIPAA and start mitigating common HIPAA gaps now.

Missing the Mark with HIPAA Gaps

Maybe you’re preparing for a HIPAA audit and looking for the first step to compliance or you don’t know anything about HIPAA and you’re struggling to get started. Either way, you need to know about these common HIPAA gaps to avoid possible threats and hefty fines. What are HIPAA gaps that are most prominent vulnerabilities revealed in recent healthcare industry security breaches? Let’s discuss four common HIPAA gaps.

Non-Compliant Business Associate Agreements

A Business Associate Agreement, or BAA, is a document between a covered entity and business associate confirming that both entities will do their due diligence to protect PHI that is transferred between businesses. Not having a thorough written agreement in place to protect PHI is a violation of HIPAA. According to recent OCR findings, non-compliant BAAs are common HIPAA gaps that you should be working to mitigate. If you aren’t already practicing proper BAA procedures, you need to start now.

Missing Risk Analysis

How often should a risk analysis be performed? What should you do with your risk analysis findings? These are good questions to ask when mitigating common HIPAA gaps, as missing a risk analysis tends to be one of the first weaknesses found during a HIPAA audit. A risk analysis should be performed after any major changes in your organization and, at the very least, once annually. Once the risk analysis is performed, your organization should adjust and correct any vulnerabilities found. Don’t be a victim of this common HIPAA gap!

Physical Security Holes

Your physical security is one of the most important defense practices you can establish to protect valuable PHI. Without proper locking of secure documents, the use of security badges for access to secure areas, or proper desktop auto-locking procedures, you’re creating vulnerabilities that could be breached by malicious individuals. To comply with HIPPA, you have to be diligently working to mitigate common HIPAA gaps like holes in your physical security.

Lost or Insecure Devices

While it may seem obvious that all devices with PHI need to be protected against loss or theft, it’s still one of the most common HIPAA gaps found during the compliance journey. Encryption is a big piece of the puzzle, as all devices in your organization should be protected against malicious use in the case of loss or left. Taking the next step to back up your systems and encrypt those backups vital in mitigating any threats to your organization.

Learning to Close Common HIPAA Gaps

By mitigating these gaps early on, you’re setting your organization up to avoid costly fines and unexpected breaches. You can start your compliance journey by closing these common HIPAA gaps and implementing company-wide procedures that address vulnerabilities plaguing your systems. These practices will help you avoid becoming another number in common healthcare security statistics. Instead of joining the hundreds of other healthcare organizations that were victims to 466 security incidents in 2019, your organization can join the many KirkpatrickPrice clients who are satisfied with the expert-level, quality audits we perform. Contact us to start your journey to becoming more than an information security breach statistic!

More HIPAA Resources

Penetration Testing in Support of HIPAA

Dangers of XSS Attacks at Healthcare Organizations

Why is Information Security So Important in Healthcare

4 Reasons the Online Audit Manager is the Audit Tool You’ve Been Missing

When you choose an audit partner, there are certain qualities that you’re likely looking for such as experience, attention to detail, quality, audit tools, and the firm’s audit processes. We know that there’s a lot of audit firms out there, making the decision that much harder. If it’s your first time undergoing an audit or even if you are familiar with the processes, narrowing down the right partner for your organization can be difficult. At KirkpatrickPrice, we know and understand the fear and stresses associated with auditing – that’s why we created the Online Audit Manager, the innovative, proprietary tool included in our streamlined audit process.

The Online Audit Manager: An Innovative Audit Tool

The Online Audit Manager is a tool that was developed when we saw a need in the industry to streamline an audit through an online portal. It’s based on experienced information systems and senior-level security auditors’ expertise in auditing practices. The OAM connects you with your specialized audit team quickly, so you can begin to receive remote guidance early in the audit process. Your experienced auditor will work with you to complete 80% of the audit before they ever steps foot onsite. Within the OAM are free resources that are available to help you create the most effective policies and procedures, ensuring that you have the proper controls in place to demonstrate your compliance with various frameworks. The Online Audit Manager also gives you the flexibility to work on your engagement as you have the time and be able to easily divvy up the workload amongst appropriate personnel. Ultimately, throughout the engagement, you will have created an audit trail that will demonstrate how you continue to improve and mature your security practices.

4 Reasons the Online Audit Manager Makes Audit Engagements Easier

1. The OAM is Included in Your KirkpatrickPrice Engagement

Are you looking to partner with a firm that is upfront and transparent about their audit tools, processes, and fees? While most firms require their customers to pay an additional fee to use similar audit tools to the OAM, we’re committed to helping our clients get the most out of their audits – and that starts by giving our clients a tool that simplifies the audit process for them at no extra cost. When our clients engage with us, they’ll automatically receive access and training on how to use the Online Audit Manager. Not all audit tools are created equal. Perform your due diligence when considering audit firms and require a demo of how their tool works.  In fact, if your organization is considering a firm that says they have a similar portal, but they don’t allow you to demo it, you should automatically be suspicious of their quality and integrity.

2. Everything is All in One Place

Are you worried about how to manage your organization’s audit engagement? There are a lot of moving parts during an audit, requiring help from different departments, personnel, and organizations – making clear communication and documentation difficult. The OAM alleviates this issue by acting as the main hub for communication, documentation, and resources during the audit engagement. Our clients can upload required evidence and documentation, ask their auditor questions, and find resources if they’re confused on a specific framework requirement, plus auditors can submit their workpapers directly in the OAM.

3. Achieve Multiple Compliance Objectives

Is your organization required to comply with multiple legal requirements and/or frameworks? Does the thought of having to undergo more than one audit scare you? With an audit tool like the OAM, conquering multiple compliance objectives is possible. How? When you complete an audit with KirkpatrickPrice, your answers and evidence are saved in the portal. This means that when you engage in multiple audits with us, you won’t have to answer the same question more than once. Plus, you can compare how close you are to additional compliance achievements.

4. Track Your Progress

Are you worried about the project size of an audit? One of the biggest concerns we hear our clients express when it comes to an audit engagement is the time it takes to complete an audit. Completing an information security audit is a major accomplishment, but it is one that takes time to be done correctly. In the Online Audit Manager, however, organizations can track their audit engagement progress and issue alerts to keep members of the audit engagement on track.

Achieving multiple compliance goals can be a daunting task, but with an audit tool as innovative as KirkpatrickPrice’s Online Audit Manager, it’s more feasible thank you might think. If you’re wondering how you can meet all of your compliance goals, let us walk you through an Online Audit Manager demo and discuss your compliance plan.

More Assurance Resources

When Will You See the Benefit of an Audit?

5 Questions to Ask When Choosing Your Audit Partner

Choosing the Online Audit Manager: One Tool, Multiple Audits

Trends in Privacy, Breach Notification, Data Security Legislation in 2019

It’s hard to keep track of the different privacy, breach notification, and data security laws that exist in each state – but that’s the job of a thorough, expert auditor. Because of technology advancements and the implementation of GDPR, the momentum to update, amend, and create new legislation is elevated right now. Our mission is to educate you on the latest trends, legislation, and threats so that you can meet the requirements ahead of you.

Trends in Legislation

All 50 states now have breach notification laws, and many states are following suit for privacy and data security. In 2019, the trends in privacy, breach notification, and data security legislation revolved around three areas. How is your business addressing these trends?

Expanding the Definitions of Personal Information

Many states have amended their current laws to include a wider scope of what constitutes personal information. The definitions vary from state to state; for example, Maine’s LD 946 focuses on information derived from the customer’s use of the ISP services because the law specifically relates to ISPs. Many others have expanded to include biometric data, PII of children, health insurance information, financial information, or web browsing data.

Adjusting Timeframe for Data Breach and Security Incident Reporting

State legislation is enacting more stringent timelines for breach notification to the affected consumers and to regulatory bodies. Washington’s deadline is within 30 days of discovery, Maryland’s is within 45 days, and Texas’ is within 60 days. For vendors of businesses in the state of Oregon, though, the deadline to report to their covered entity is 10 days.

Reporting Requirements to the State Attorney General

A third trend from legislation in 2019 is involvement from state attorney generals. This regulatory notification provides businesses with more oversight and accountability at the state-level. While the notice requirements are different from state to state, businesses must generally include a detailed description of the data breach, information about how many consumers were impacted, steps taken so far to contain the breach in the present and future, and if law enforcement has been notified. For states like Oregon and Texas, this requirement begins when 250 residents are affected and in Washington, it’s not required unless 500 or more residents are affected.

State Legislation and Amendments in 2019

While the California Consumer Privacy Act has garnered the most attention in the industry, most states have enacted or amended their own laws to include the same information or trends as CCPA and GDPR. Do you do business in, collect data from, or a serve a vendor in the following states? You may need to consider how you’re tackling the privacy, breach notification, and data security laws at a state-level.

Proposed Federal Legislation in 2019

Considering that a number of states have adopted or amended data privacy legislation, it’s become clear that a federal privacy law is needed. Recognizing this and the dangers associated with ineffective privacy laws at the federal level, legislators in both the Senate and the House introduced federal privacy bills, including the following:

  • Mind Your Own Business Act: In October, Sen. Ron Wyden (D-OR) released his own privacy act that “protect Americans’ privacy, allows consumers to control the sale and sharing of their data, give the FTC the authority to be an effective cop on the beat, and spur a new market for privacy-protecting services.”
  • Online Privacy Act of 2019: On November 5th, two Silicon Valley Congresswomen, Congresswomen Anna Eshoo (CA-18) and Zoe Lofgren (CA-19), introduced this bill intended to create user rights, place clear obligations on companies, strengthen enforcement of privacy violations, and place clear obligations on businesses. What’s more, under this law, a new federal agency would be created to enforce privacy rights.
  • Consumer Online Privacy Rights Act (COPRA): On November 28th, U.S. Sen. Maria Cantwell (D-WA) introduced COPRA, a bill that gives citizens many of the same rights as CCPA, but takes it a bit further, stressing affirmative consent, rights to access and transparency, language, right to delete, and duty of loyalty.
  • United States Consumer Data Privacy Act of 2019: On December 4th, U.S. Sen. Roger Wicker (R-MS) introduced an opposing federal privacy bill to COPRA. In his federal privacy bill, the United States Consumer Data Privacy Act of 2019 would override many of the state laws listed above, like CCPA.

In 2020, we expect to see an even heavier focus on consumer privacy rights. Want to discuss what state-level legislation applies to your business? Need to know how close you are to gaining compliance? Let’s talk today so we can begin mapping your compliance journey.

More Resources

IAPP’s State Comprehensive-Privacy Law Map

4 Things to Know About the AG’s Proposed CCPA Regulations

GDPR: One Year In

Most Common PCI Gaps

In the payment card industry, our auditors come across the same vulnerabilities and gaps time and time again across different organizations. Even for a retailer as big as Macy’s, security gaps showed up in full force when their payment card systems were breached in 2018.  Did Macy’s security team take the time to mitigate the most common PCI gaps? Could they may have saved the millions of dollars by implementing best practices? To give your organization an advantage as you start your PCI audit process, we have gathered common PCI gaps that can be associated with each PCI DSS requirement. Let’s get a head start on your PCI compliance journey.

Where PCI Requirements Meet Common PCI Gaps

Requirement 1: Install and maintain a firewall and router configuration to protect cardholder data

It’s common for organizations to lack proper firewall management, but misconfigured firewalls have led to mega breaches. Although your organization may have properly installed a firewall, understanding its configurations (especially in AWS) and access points is vital to the security of your organization.

Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

In general, poor management of passwords or weak password requirements can be the gateway hackers need to access valuable information buried deep in your systems. Over 29% of breaches in 2019 involved the use of stolen credentials, according to Verizon’s 2019 Data Breach Investigations Report. Are you working to prevent the misuse of stolen passwords to access secure data in your systems?

Requirement 3: Protect stored cardholder data

How do you protect the stored cardholder data that is vital to your business? By implementing methods of encryption, truncation, masking, hashing, and more.

Requirement 4: Encrypt transmission of cardholder data across open, public networks

Any transmission of cardholder data is a red flag in your security processes, but especially when it crosses misconfigured or weakened wireless networks. To gain compliance with PCI Requirement 4, cardholder data that your organization transmits over public networks must be encrypted.

Requirement 5: Use and regularly update anti-virus software or programs

While it’s impossible to keep your information secure for its entire lifetime, having updated anti-virus software is vital to making sure your systems are as secure as possible. During a PCI gap analysis and audit, you can expect an auditor to check that you’re regularly updating virus-protection software.

Requirement 6: Develop and maintain secure systems and applications

When you have an undetected vulnerability in an application or system, you’re setting your organization up for a data breach. This common PCI gap usually begins as early as the development stage, but can be remediated through vulnerability testing and penetration testing. In 2019, Verizon reported nearly 10% of all data breaches involved the action of exploiting vulnerabilities. By engaging in vulnerability scanning and penetration testing, you’re further ensuring your organization won’t be another number added into that statistic.

Requirement 7: Restrict access to cardholder data by business need to know

Should everyone in your organization have open access to your most sensitive data? Absolutely not. Cardholder data needs to be accessed only by those employees whose duties depend on that cardholder data.

Requirement 8: Identify and authenticate access to system components

How do you trace the actions of each user in your system? Are your user IDs and passwords secure? How do you know if your users are who they say they are? Does your staff know what to do if they suspect their account is at risk? Many PCI gaps stem from identification and authentication controls.

Requirement 9: Restrict physical access to cardholder data

Physical security is your first line of defense and is also an area where some of the most common PCI gaps are found. Whether in the form of a misuse of an ID access card or through an unlocked door, hackers can gain access to improperly disposed cardholder data if your physical security isn’t a priority.

Requirement 10: Track and monitor all access to network resources and cardholder data

How do you determine the cause of a security incident or data breach? By understanding your access controls and utilizing logging and monitoring tools. Implementing these mechanisms gives you the ability to track user activities and access, which is crucial in preventing, detecting, and minimizing a data breach.

Requirement 11: Regularly test security systems and processes

Performing tests like risk assessments, vulnerability scanning, and penetration testing to find and mitigate potential risks and vulnerabilities is extremely important to maintaining a secure environment for cardholder data. By ignoring this common PCI gap, you’re lacking an extremely important line of defense against hackers.

Requirement 12: Maintain a policy that addresses information security for all personnel

Your organization may think its information security policy covers all the necessary security requirements, but without regular updates and proper implementation, your policy is useless. Make sure you maintain written documentation for policies including an incident response policy, employee training policy, business continuity plan, data retention policy, and other security policies that might prove to be gaps in your environment. According to IBM Security’s 2019 Cost of a Data Breach Report, organizations that thoroughly tested their incident response plans had breaches with a total cost $1.23 million less than than those without proper incident response plans in place. Which side of that cost would you rather be on?

Set Your Organization Up for Security Success

If you want to make sure your security procedures are up to date, thorough, and adequately protect your systems, knowledge about common gaps is a great place to start. You don’t want to find yourself halfway through the PCI audit process only to realize your policies and procedures are inadequate or your physical security measures aren’t advanced enough to protect you against hackers. You especially don’t want to be sitting at your desk when you learn there’s been a major breach of cardholder data because you had a gap in the form of weak passwords. In the financial industry, alone, there were over 927 incidents in 2019. You don’t want to be an organization adding to that number in the next few years. Set you organization up for security success by mitigating these common PCI gaps early on in the audit process. Contact KirkpatrickPrice today if you’re ready to learn more about the PCI audit process.

More PCI Resources

What is a PCI Audit?

Guide to PCI Policy Requirements

6 Steps of a PCI Audit

November Breach Report

Every month there is headline after headline reporting about new data breaches. Whether it’s a ransomware attack, a negligent employee opening a phishing email, or a state-sponsored attack, millions of individuals are impacted by data breaches and security incidents on a regular basis. Let’s take a look at some of the top data breaches that occurred during November, how hackers compromised these organizations, and the lessons we can learn from them.

Twitter

What Happened?

According to a November 7th press release from the Department of Justice, two former Twitter employees and a Saudi National have been charged with acting as illegal agents of Saudi Arabia. The former Twitter employees accessed various account information, including user emails, phone numbers, IP address information, the types of devices used, user-provided biography information, logs that contained the user’s browser info and logs of all particular user’s actions on twitter platform at any time, and they specifically targeted critics of the Kingdom of Saudi Arabia and The Royal Family.

Lessons Learned

While organizations rightfully focus on making sure that outside threats don’t impact their company, insider threats are equally important to focus on. In a statement regarding the Twitter data breach, FBI Special Agent in Charge John F. Bennett said, “Insider threats pose a critical threat to American businesses and our national security.” This also points to the dangers of foreign government involvement in American tech companies – something that U.S. Senator Bob Mendez (D-NJ) raised concerns about in a letter to Twitter’s CEO and to the U.S. State Department.

Macy’s

What Happened?

On November 14th, Macy’s notified their macys.com customers that the website was impacted by a Magecart card-skimming attack. The notice explains that the hackers inserted malicious code onto the website’s “Checkout” and “My Wallet” pages between October 7th and 15th. The compromised data included first names, last names, addresses, cities, states, zip, phone numbers, email addresses, payment card numbers, security codes, and month/year of expiration. Investigations into the incident are still underway; however, Macy’s has contacted all customers believed to have been impacted by the data breach and are offering affected users free 12-month subscriptions to Experian IdentityWorks.

Lessons Learned

Online shopping, while much more convenient to do, poses many threats to consumers and businesses alike. For businesses that sell products and services online, implementing a robust information security program must be made a priority, because customers expect the businesses they buy products and services from to secure their personal data, especially with large retailers like Macy’s. But consumers cannot solely rely on businesses to protect them against cyber threats. Instead, consumers should follow these six best practices for shopping online.

PayMyTab

What Happened?

On November 19th, cybersecurity researchers from vpnMentor disclosed a massive data breach at PayMyTab, a supplier of card and mobile payment terminals for US restaurants. According to the researchers, the data breach was caused by an unsecure AWS S3 bucket and occurred between July 2, 2019 to November 2019. The exact size and impact of this data breach has yet to be determined, but we do know that malicious hackers compromised sensitive PII and partial financial details, including customer names, email addresses, telephone numbers, order details, restaurant visit information, and the last four digits of customer payment card numbers.

Lessons Learned

S3 buckets are a major component of using AWS, but they’re also a major security concern. McAfee reports that 5.5% of all AWS S3 buckets that are in use are misconfigured and publicly readable. Why? S3 buckets are extremely complex, and anything that is complex is harder to secure. Randy Bartels, Vice President of Security Services at KirkpatrickPrice, comments, “AWS has an obligation to make it less complex, and users have an obligation to understand the complexity and make sane choices in setting up policies.” Make sure your S3 buckets are protected and align with best practices for AWS security by following these guidelines.

Louisiana Government

What Happened?

Happening just four months after a malware attack impacted several Louisiana school districts and caused the governor to declare a state of emergency, on November 18th, Louisiana’s Office of Technology Services discovered a ransomware attack that impacted some of the state servers. Affected offices included the Office of Motor Vehicles, Department of Children and Family Services, Department of Health, the Secretary of State’s office, and the Public Service Commission. According to a series of tweets from Governor Edwards, many of the outages were due to the state immediately implementing its incident response plan and taking extra precautions to prevent the spread of malware by taking other servers offline. Governor Edwards also confirmed that the state did not pay a ransom, and at this time, there is no anticipated data loss.

Lessons Learned

Local governments are facing growing cybersecurity threats and cunning hackers. While creating a thorough incident response plan is necessary to have a robust information security program, it shouldn’t be the only focus. Instead, local governments must implement information and cybersecurity best practices at the foundation of their organizations. They should also invest in proactive measures like cybersecurity awareness training programs for citizens and elected officials, using forensic services after incidents and breaches, conducting cybersecurity exercises, and undergoing vulnerability scanning and penetration testing.

At KirkpatrickPrice, we know that data breaches are only a matter of when, not if, they’ll occur, no matter what industry you’re in or the size of your company. That’s why we’re committed to offering a variety of quality, thorough assurance services to help keep your organization protected against creative and cunning hackers. Want to learn more about our services and how they can help you mitigate the risk of experiencing a data breach? Contact us today.