What’s New in Compliance? New Compliance and Regulatory Requirements Yet more headaches?
But first a few questions… Just a quick show of hands, how many of you work at a company:
• that has an HR department?
• that does work for companies in other states or has workers in other states?
• that has clients in the UK or EU?
• where the IT department spends at least 10% of its time on security issues?
• where there are dedicated team members whose primary job is seeing that intranet and Internet traffic for all servers is logged and the logs are forensically sound?
• where logs are kept but are not systematically examined?
• where there has been what you feel is an adequate security assessment in the last two years?
Pac IT Pros - March 2nd 2010
Caution…
• What we are talking about tonight is yesterday’s view of security and compliance.
• Just because you are compliant does not mean you are secure.
• New exploits and variations on old ones are not covered by today’s compliance regulations or the regulations soon to be introduced.
Compliance keeps the Feds and other regulatory agencies off your back. It does not stop hackers, thieves or careless users.
Be Careful… A large energy company that I was recently involved in auditing for security and compliance had spent so much time, money, and staff resources on compliance with NERC-CIP (North American Electric Reliability Corporation Critical Infrastructure Protection) that they hadn’t implemented basic network security such as password expiration, access rights controls, effective logging and review of logs, or deleting ex-employees’ accounts and access rights! You need to maintain a balance between security and compliance.
New Federal Regulations:
• HITECH Act / Breach Notification for Unsecured Protected Health Information
• HITECH Act / Access to Medical Records
• FTC - Red Flag Rules
• FTC - Fines for Business Associates & Third Parties
This is only a very brief gloss of just a few of the high points.
HITECH Act:
• By December 31, 2009 - HHS to issue additional guidelines regarding accounting for disclosures
• Due within one year of enactment (by February 17, 2010)
  • HHS to provide guidance and rules on de-identification, opting out of fundraising solicitations
  • HHS and the Federal Trade Commission will report on privacy and security requirements for Personal Health Record (PHR) vendors and applications
• February 17, 2010
  • HHS to issue rules on which entities are required to be business associates
  • Business Associates directly subject to HIPAA regulation
  • HHS required to conduct periodic audits of entities covered by HIPAA
  • Individuals’ right to restrict disclosures to health plans for services paid for out of pocket
  • Right of electronic access to records by patients takes effect
• Within 18 months of enactment (by August 17, 2010)
  • HHS to issue guidance on HIPAA minimum necessary rules
  • HHS to release regulations regarding prohibition of sale of data
• January 1, 2011 - Initial deadline for complying with new accounting and disclosure rules for information kept in EHRs acquired after January 1, 2009
• January 1, 2014 - Initial deadline for complying with new accounting and disclosure rules for information kept in EHRs acquired before January 1, 2009
HITECH Act / Breach Notification for Unsecured Protected Health Information: Federal notification requirements apply to a breach of unsecured Protected Health Information (PHI) on or after September 23, 2009:
• A Covered Entity (CE) must notify each individual whose unsecured PHI has been, or is reasonably believed by the CE to have been, accessed, acquired, used or disclosed as a result of such breach
• A Business Associate (BA) of a CE must notify the CE of a breach of unsecured PHI, including the identification of each individual whose unsecured PHI has been, or is reasonably believed by the BA to have been, accessed, acquired, used or disclosed during the breach
• Requirements include notification to the media and the Department of Health and Human Services (HHS)
HITECH Act/HIPAA: Under the HHS guidance, basically only two mechanisms render PHI “secured” and so qualify for the safe harbor from breach notification:
• Encryption
  • The encryption processes identified below have been tested by the National Institute of Standards and Technology (NIST) and judged to meet this standard.
  • Valid encryption processes for data at rest are consistent with NIST Special Publication 800-111.
  • Valid encryption processes for data in motion are those which comply, as appropriate, with NIST Special Publications 800-52, 800-77, or 800-113.
  • To avoid a breach of the confidential process or key, the decryption tools should be stored on a device or at a location separate from the data they are used to encrypt or decrypt.
• Destruction
  • The media on which the PHI is stored or recorded have been destroyed in one of the following ways:
    • Paper, film, or other hard copy media have been shredded or destroyed
    • Electronic media have been cleared, purged, or destroyed consistent with NIST Special Publication 800-88
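As an added example of the key-separation point above (written for this page; it is not code from the presentation, from HHS or from any NIST publication), the record that lands on the data store holds only a key identifier, a nonce and AES-256-GCM ciphertext, while the key itself sits in a KeyStore that stands in for the separate device or location the guidance calls for. GCM is the NIST-specified authenticated mode from SP 800-38D, so a tampered record, or a ciphertext moved into another patient’s slot, fails closed instead of decrypting to garbage. KeyStore, Seal, Open, the key and record identifiers and the sample record are all assumptions of this example; the record text is constructed, not real patient data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// SealedRecord is what lands on the data store: the nonce, the ciphertext with
// its GCM tag, and the identifier of the key that was used. The key itself is
// never written beside the data.
type SealedRecord struct {
	KeyID      string
	Nonce      []byte
	Ciphertext []byte
}

// KeyStore stands in for the separate device or location that holds decryption
// material (an HSM, a KMS, or a host the data store cannot reach). Assumption:
// a map is enough to show the separation; a real deployment uses a managed store.
type KeyStore map[string][]byte

// NewKey generates a random 256-bit AES key and registers it under keyID.
func (ks KeyStore) NewKey(keyID string) error {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return err
	}
	ks[keyID] = key
	return nil
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts one PHI record under the named key. recordID is bound as
// associated data, so a ciphertext copied into another record's slot will not open.
func Seal(ks KeyStore, keyID, recordID string, plaintext []byte) (SealedRecord, error) {
	key, ok := ks[keyID]
	if !ok {
		return SealedRecord{}, errors.New("unknown key id")
	}
	aead, err := gcmFor(key)
	if err != nil {
		return SealedRecord{}, err
	}
	nonce := make([]byte, aead.NonceSize()) // fresh 96-bit nonce per record
	if _, err := rand.Read(nonce); err != nil {
		return SealedRecord{}, err
	}
	ct := aead.Seal(nil, nonce, plaintext, []byte(recordID))
	return SealedRecord{KeyID: keyID, Nonce: nonce, Ciphertext: ct}, nil
}

// Open decrypts a record. Any change to the nonce, ciphertext, tag, key or
// record ID returns an error rather than plaintext.
func Open(ks KeyStore, recordID string, rec SealedRecord) ([]byte, error) {
	key, ok := ks[rec.KeyID]
	if !ok {
		return nil, errors.New("unknown key id")
	}
	aead, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, rec.Nonce, rec.Ciphertext, []byte(recordID))
}

func main() {
	keys := KeyStore{}
	if err := keys.NewKey("phi-2010-03"); err != nil {
		panic(err)
	}
	// Constructed sample record; not real patient data.
	phi := []byte("MRN 000123; Dx: I63.9; Rx: warfarin 5mg")
	rec, err := Seal(keys, "phi-2010-03", "patient/000123", phi)
	if err != nil {
		panic(err)
	}
	// What someone who copies only the data store gets: no key, no plaintext.
	fmt.Printf("stored: key=%s nonce=%x ct=%x\n", rec.KeyID, rec.Nonce, rec.Ciphertext)

	pt, err := Open(keys, "patient/000123", rec)
	fmt.Printf("opened: %q err=%v\n", pt, err)

	// The same ciphertext presented under another record's ID does not open.
	_, err = Open(keys, "patient/000999", rec)
	fmt.Println("swapped record id:", err)
}
```

Copying the data store alone yields SealedRecord values and a key identifier, nothing more; whether that copy is a reportable breach then turns on where the KeyStore actually lives, which is exactly what the guidance’s separation clause is about. A laptop that carries both the encrypted records and the key file is outside the safe harbor no matter how strong the cipher is.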
HITECH - One of the requirements that might really bite:
• HITECH Act, Section 13405 (e) Access to Certain Information in Electronic Format.— In applying section 164.524 of title 45, Code of Federal Regulations, in the case that a covered entity uses or maintains an electronic health record with respect to protected health information of an individual—
  • the individual shall have a right to obtain from such covered entity a copy of such information in an electronic format and, if the individual chooses, to direct the covered entity to transmit such copy directly to an entity or person designated by the individual, provided that any such choice is clear, conspicuous, and specific; and
  • notwithstanding paragraph (c)(4) of such section, any fee that the covered entity may impose for providing such individual with a copy of such information (or a summary or explanation of such information) if such copy (or summary or explanation) is in an electronic form shall not be greater than the entity's labor costs in responding to the request for the copy (or summary or explanation).
I don’t know about your parents, but my 89-year-old mother had a stroke about six years ago and is very forgetful. How are you going to deliver her medical records securely and in a way that won’t compromise your company’s data security?
FTC Red Flag Rules - Coming Soon
• FTC delays enforcement of the Red Flags Rule until June 1, 2010
• Are you complying with the Red Flags Rule? The Red Flags Rule requires many businesses and organizations to implement a written Identity Theft Prevention Program designed to detect the warning signs or "red flags" of identity theft in their day-to-day operations.
Are you covered by the Red Flags Rule? Read Fighting Fraud with the Red Flags Rule: A How-To Guide for Business to:
• Find out if the rule applies to your business or organization;
• Get practical tips on spotting the red flags of identity theft, taking steps to prevent the crime, and mitigating the damage it inflicts; and
• Learn how to put in place your written Identity Theft Prevention Program.
By identifying red flags in advance, you'll be better equipped to spot suspicious patterns when they arise and take steps to prevent a red flag from escalating into a costly episode of identity theft. Take advantage of other resources on the FTC site to educate your employees and colleagues about complying with the Red Flags Rule.
FTC - Fines for Business Associates & Third Parties
I can’t find an exact section of HITECH or ARRA but it is easy to see from the following that the FTC will play a part.
CVS Caremark Corp. has agreed to pay $2.25 million to settle a federal investigation into allegations that it violated HIPAA privacy regulations when pharmacy employees threw items such as pill bottles with patient information into the trash. The settlement, announced Wednesday, follows a joint investigation by the Department of Health and Human Services and the Federal Trade Commission after media reports in 2006 that workers at CVS pharmacies were improperly disposing of sensitive patient and employee data. Employees allegedly tossed pill bottles with labels containing patient information into open Dumpsters, along with medication instruction sheets, pharmacy order information, employment applications, payroll data, and credit card and insurance card information.
According to the FTC, CVS Caremark violated federal laws by failing to implement reasonable and appropriate procedures for handling personal information about customers and employees and did not adequately train employees on secure disposal of personal information. In addition to paying HHS $2.25 million, the company's more than 6,000 retail pharmacies must establish and implement policies and procedures for disposing of protected health information, implement a training program, conduct internal monitoring and hire an outside assessor to evaluate compliance for three years.
Source: http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1348446,00.html
Convincing your bosses: Feeling like a one-armed paperhanger? Here is a chart that shows it will cost less if they hire an outside consultant. Source: Ponemon Institute, 2009 Annual Study: Cost of a Data Breach
What does the future hold? Threats that have not yet been addressed by regulation.
ACH and Wire Transfer Transaction Fraud: ACH (Automated Clearing House - electronic check payments)
• Small to medium size companies for the moment, but very likely to spread to larger institutions as it is very poorly understood. A prime example of how poorly understood is that Cynxsure, an IT consultancy firm based in New Hampshire, may well have gotten hit this way. Another victim may have been Sign Designs Inc., an electric-sign maker in Modesto, Calif. The first sign of trouble was a morning phone call from their bank about a suspicious transaction. Still another may have been Fan Bao and his wife, Cathy Huang, and their small import-export business called ZICO USA. When he needed to wire money one of them would walk a few blocks to Bank of America’s Highland Park, Calif., branch and execute the transfer in person. Then they got introduced to online banking….
Cell Phone Voice Interception Fraud: A survey released today (at RSA) by the Ponemon Institute on behalf of Cellcrypt reveals that large and medium businesses are putting themselves at risk as a result of cell phone voice call interception. According to a survey of seventy-five companies and 107 senior executives in the United States, it costs U.S. corporations on average $1.3M each time a corporate secret is revealed to unauthorized parties. 18% of respondents estimate such losses to occur weekly or more frequently, 61% at least monthly and 90% at least annually. Source: http://www.net-security.org/secworld.php?id=8958
IBM Knows: Hackers follow the money! Are we forgetting to do what we once did?
IBM Knows: Hackers follow the money! Are we forgetting what we once knew?
In the News Tomorrow? All news for March 1, 2010
22:49 The Register: IE code execution bug can bite older Windows machines
22:38 The Register: Wiseguys net $25m in ticket scalping racket
22:29 HNS: Malware and vulnerability testing for business websites
22:01 ZDNet: Googler ships exploit to defeat ASLR+DEP
21:59 HNS: Top 7 threats to cloud computing
21:41 HNS: Free service for malware detection on websites
20:59 ZDNet: Zero-day flaws surface in Apple Safari
20:55 HNS: Inspect your encrypted communications
18:22 The Register: Openistas squish security bugs twice as fast
18:15 HNS: Message and web cloud-based security services
17:54 HNS: A 184% increase of malicious websites
16:21 ZDNet: Microsoft investigating new IE browser vulnerability
15:24 HNS: Severe IE vulnerability threatens Windows XP users
15:09 The Register: Hackers go on Tory-bothering spree
14:25 The Register: Fatal System Error: Watching the miscreants
13:56 HNS: Automated defense against industrialized cyber attacks
13:29 HNS: Waledac disruption only the beginning, says Microsoft
13:01 The Register: DarkMarket founder jailed for five years
12:45 HNS: 58 percent of software vulnerable to security breaches
11:51 HNS: Fake VirusTotal serves malware
10:42 HNS: Q&A: Malware analysis
08:35 The Register: Most resistance to 'Aurora' hack attacks futile, says report
07:18 HNS: Rugged and secure portable drive
07:10 HNS: Introducing SOURCE Conference Boston
07:05 HNS: Protect every asset in the cloud infrastructure
07:00 HNS: Week in review: Twitter phishing, rogue software and Waledac botnet takedown
Source: http://softsecurity.com/news_D0_high.html
One thing you can be sure of… Legislators may be very slow on the uptake but when enough constituents complain, they will act and create more laws. Then the bureaucracy WILL create new regulations.
Common Terms:
• Threat (plural threats)
  • an expression of intent to injure or punish another; an indication of imminent danger.
  • a person or object that is regarded as a danger; a menace.
  Threats usually include natural events, a person, organization, or thing.
• Vulnerability (plural vulnerabilities)
  • The state of being weak, susceptible to attack or injury; being not well defended.
  Vulnerabilities usually specify a weakness of an object, system, process, or control point.
• Exposure (countable and uncountable; plural exposures)
  • Potential for damages.
  • (uncountable) The condition of being exposed, uncovered, or unprotected: "Limit your exposure to harsh chemicals."
  Exposure is usually quantifiable, such as the number of laptops belonging to an organization.
• Risk (plural risks)
  • A possible, usually negative, outcome, e.g., a danger.
  • (Formal use in business, engineering, etc.) The potential (conventionally negative) impact of an event, determined by combining the likelihood of the event occurring with the impact should it occur.
  Risk is usually expressed as: Threat * Vulnerability * Exposure * Opportunity (Likelihood)
  Risks are usually rated as: Severe, High, Medium, Low, or Slight. There is no such thing as "No Risk".
• Opportunity (plural opportunities)
  • a chance for advancement, progress or profit
  • a favorable circumstance or occasion
  Opportunities are usually the favorable circumstances where the financial or personal profit is significant enough that a breach, attack, or malicious event would be likely to occur.
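A worked version of the risk formula on this slide, added here as example code (not from the presentation): each factor is rated 1 to 5 on an assumed scale, the product is normalised and mapped onto the slide’s five bands with assumed thresholds, and the register is returned highest risk first. The SampleRegister rows are constructed to echo the findings from the energy company on the Be Careful slide; the factor values are illustrative, not measured. RankRegister, Rating and the thresholds are all assumptions of this example.

```go
package main

import (
	"fmt"
	"sort"
)

// Scale assumption for this example: every factor is rated 1..5
// (1 = negligible, 5 = extreme). Zero is rejected on purpose; that is how the
// multiplicative model encodes "there is no such thing as no risk".
const maxFactor = 5

// Risk is one row of a risk register, scored with the slide's four factors.
type Risk struct {
	Name                                        string
	Threat, Vulnerability, Exposure, Opportunity int
}

// Rated is a scored, banded register entry.
type Rated struct {
	Name   string
	Score  float64 // Threat*Vulnerability*Exposure*Opportunity, normalised to 0..1
	Rating string  // Severe, High, Medium, Low or Slight
}

// Score multiplies the four factors and divides by the largest possible product
// so the rating bands below do not depend on the scale chosen.
func (r Risk) Score() (float64, error) {
	for _, f := range []int{r.Threat, r.Vulnerability, r.Exposure, r.Opportunity} {
		if f < 1 || f > maxFactor {
			return 0, fmt.Errorf("%s: factor %d outside 1..%d", r.Name, f, maxFactor)
		}
	}
	product := r.Threat * r.Vulnerability * r.Exposure * r.Opportunity
	return float64(product) / float64(maxFactor*maxFactor*maxFactor*maxFactor), nil
}

// Rating maps a normalised score onto the slide's five bands. The thresholds are
// an assumption; set them to the organisation's appetite and then keep them fixed.
func Rating(score float64) string {
	switch {
	case score >= 0.5:
		return "Severe"
	case score >= 0.2:
		return "High"
	case score >= 0.05:
		return "Medium"
	case score >= 0.01:
		return "Low"
	default:
		return "Slight"
	}
}

// RankRegister scores every row, rejects out-of-range factors, and returns the
// register highest risk first so the top rows are the ones to fund.
func RankRegister(register []Risk) ([]Rated, error) {
	out := make([]Rated, 0, len(register))
	for _, r := range register {
		s, err := r.Score()
		if err != nil {
			return nil, err
		}
		out = append(out, Rated{Name: r.Name, Score: s, Rating: Rating(s)})
	}
	sort.SliceStable(out, func(i, j int) bool { return out[i].Score > out[j].Score })
	return out, nil
}

// SampleRegister is a constructed register echoing the energy company audit
// findings; the factor values are illustrative, not measured.
func SampleRegister() []Risk {
	return []Risk{
		{"Ex-employee accounts never removed", 4, 5, 4, 4},
		{"Unencrypted laptops carrying PHI", 3, 5, 3, 4},
		{"Logs collected but never reviewed", 3, 4, 5, 2},
		{"Guest Wi-Fi on an isolated VLAN", 2, 2, 2, 2},
		{"Paper records shredded on site", 2, 1, 2, 1},
	}
}

func main() {
	ranked, err := RankRegister(SampleRegister())
	if err != nil {
		panic(err)
	}
	for _, r := range ranked {
		fmt.Printf("%-36s %.3f %s\n", r.Name, r.Score, r.Rating)
	}
	// A zero factor is not "no risk"; it is an invalid rating.
	_, err = RankRegister([]Risk{{"Bad row", 0, 3, 3, 3}})
	fmt.Println("zero factor:", err)
}
```

Because the factors multiply, one very low factor drags the whole score down; that is what makes the model useful for ranking, and also why a rating of zero has to be refused rather than silently producing a "no risk" row.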
Suggested Resources:
• http://www.net-security.org/
• http://www.net-security.org/malware_center.php
• http://www.net-security.org/secworld_main.php
• http://softsecurity.com/news_D0_high.html (interesting list of news from a variety of sources)
There are lots more on the security side but not much that is readable on the compliance side. Sorry, I don’t have a recommended site. If you know of one, let me know.
Thanks! Write if you get work and don’t forget, I’m looking too.