Posted on Mon, Apr 26, 2010 @ 07:21 PM
Authored by Mike Gargiullo, Sr. Security Consultant at Pivot Point Security.
A few months back my wife and I were in our doctor's waiting room together. We were just chatting and enjoying each other's company. (We have three young kids... so this might have constituted a date!) We were looking at the trees outside and happened to notice someone rolling a cart to the dumpster in the parking lot with what appeared to be computers and LCD monitors.
After our appointments, we strolled over to take a look. Another company in the doctor's office complex had thrown away 5 Dell Optiplex machines complete with 15" LCD monitors. Well, of course I backed the truck up and tossed them in! Worst case, I thought they could be repurposed or used for parts. (Ask my wife, I have parts everywhere...you never know when you'll need something.)
Once home, I noted that they were all 1 GHz Pentium 4 boxes with a Gig of RAM... Not too shabby. I also noted that they booted into Windows NT (Yeah, Windows NT in 2010) with a domain name of "Joe's Hospital Billing". OK, not really Joe's Hospital, but a well known and respected University Hospital System. I then booted them with a Knoppix Live CD to take a look at the hard drives. I noted that while they were only 20 GB drives, they were packed with years' worth of medical billing records and patient information.
Well, since I had no interest in knowing that Shirley So and So has such and such a medical issue or that her SSN is 123-45-6789, I shut down the machines and zeroed the drives. I also sent a nice letter to Joe's Hospital addressing both the Legal and IT departments explaining what I found and how I found it. I explained I had zeroed the drives and even offered to drop them off to them if they wanted. I got a nice reply from the IT department explaining they had outsourced the upgrades and thanking me for letting them know.
It turned out that one of the IT staff there was someone I knew, so I found out later that the hospital in question has since changed its upgrade practice. The IT team still uses an external company, but this company wipes the drives before they go to the recycler and not the dumpster. While it's somewhat comforting to know the hospital has changed policy, it's also scary to think that people's personal information is so easily "trashed". What would have happened if I hadn't found those machines? (I am an "ethical hacker" by trade, after all...) So while HIPAA supposedly "protects" our data, like anything else, it's only as "secure" as the humans and processes handling it!
Posted on Tue, Apr 20, 2010 @ 07:21 PM
Authored by Mosi Platt, Sr. Audit Consultant, Pivot Point Security
Our Principal Enterprise Security Consultant, John Verry, said he needed to know how the HIPAA Security Rule compared to ISO 27002 in order to put together a proposal for a prospective client. You can see the result of my investigation described in the table below. Based on my estimation, 65 of the 134 controls in ISO 27002 map to the HIPAA Security Rule's safeguards. The only HIPAA standard that is not addressed by ISO 27002 is section 164.308(b)(1), "Business Associate Contracts and Other Arrangement."
As you can tell from our website, Pivot Point is a big supporter of ISO 27001 and ISO 27002 and I think this analysis provides a good justification. If an organization has multiple compliance requirements like HIPAA, PCI-DSS, GLBA, etc., then ISO 27001 and ISO 27002 can centralize and simplify those compliance efforts. As the table below shows, an organization only has to implement less than half of the ISO 27001 security controls and it achieves compliance with a significant set of regulations. I think this is why the Shared Assessments Program, which was founded by America's leading financial institutions and accounting firms to establish a single standard for managing vendor security risks, decided to expand its membership to include healthcare organizations. The Shared Assessments Program is based on ISO 27001 and provides a simple way for vendors to reduce their compliance costs and manage their security risks. If you're interested in a more detailed analysis of using ISO 27001 to address HIPAA compliance, see the Shared Assessments Program's detailed mapping.
Table 1 - Mapping HIPAA to ISO 27002 Security Controls