Posted on Mon, Apr 26, 2010 @ 07:21 PM
Authored by Mike Gargiullo, Sr. Security Consultant at Pivot Point Security.
A few months back my wife and I were in our doctor's waiting room together. We were just chatting and enjoying each other's company. (We have three young kids... so this might have constituted a date!) We were looking at the trees outside and happened to notice someone rolling a cart to the dumpster in the parking lot with what appeared to be computers and LCD monitors.
After our appointments, we strolled over to take a look. Another company in the doctor's office complex had thrown away 5 Dell Optiplex machines complete with 15" LCD monitors. Well, of course I backed the truck up and tossed them in! Worst case, I thought they could be repurposed or used for parts. (Ask my wife, I have parts everywhere...you never know when you'll need something.)
Once home, I noted that they were all 1 GHz Pentium 4 boxes with a gig of RAM... Not too shabby. I also noted that they booted into Windows NT (Yeah Windows NT in 2010) with a domain name of "Joe's Hospital Billing"...Ok, not really Joe's Hospital, but a well known and respected University Hospital System. I then booted them with a Knoppix Live CD to take a look at the hard drives. I noted that while they were only 20 GB drives, they were packed with years' worth of medical billing records and patient information.
Well, since I had no interest in knowing that Shirley So and So has such and such a medical issue or that her SSN is 123-45-6789, I shut down the machines and zeroed the drives. I also sent a nice letter to Joe's Hospital addressing both the Legal and IT departments explaining what I found and how I found it. I explained I had zeroed the drives and even offered to drop them off to them if they wanted. I got a nice reply from the IT department explaining they had outsourced the upgrades and thanking me for letting them know.
It turned out that one of the IT staff there was someone I knew, so I found out later that the hospital in question has since changed its upgrade practice. The IT team still uses an external company, but this company wipes the drives before they go to the recycler and not the dumpster. While it's somewhat comforting to know the hospital has changed policy, it's also scary to think that people's personal information is so easily "trashed". What would have happened if I hadn't found those machines? (I am an "ethical hacker" by trade, after all...) So while HIPAA supposedly "protects" our data, like anything else, it's only as "secure" as the humans and processes handling it!
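The zeroing and read-back check the post describes, written out as an added example that is not from the original post. It assumes a Linux live environment (Knoppix or similar), root, and that you have already confirmed the device name (the `/dev/sdb` in the comments is an assumed example; check with `lsblk` or `fdisk -l` first), because the wipe is irreversible and runs against whatever path you hand it. The verify step is the part worth keeping: reading the whole device back and confirming every byte is zero.

```shell
#!/bin/sh
# Added example: zero a whole drive from a live CD and verify the wipe.
# TARGET is a block device such as /dev/sdb (assumed name; confirm with lsblk).
# A regular file works too, which is how you dry-run this before pointing it
# at a real disk.
set -eu

target_size() {
    # Size in bytes of a block device (needs root) or a regular file.
    if [ -b "$1" ]; then
        blockdev --getsize64 "$1"
    else
        wc -c < "$1" | tr -d ' '
    fi
}

zero_target() {
    # Overwrite every byte with zeros. The byte count comes from the target's
    # size, so a regular file keeps its length and a disk gets exactly one pass.
    size=$(target_size "$1")
    head -c "$size" /dev/zero > "$1"
    sync
}

verify_zeroed() {
    # Read the whole target back. od prints "00" for each zero byte; stripping
    # spaces, newlines and the digit 0 leaves nothing only if every byte was
    # zero. Any surviving character is a non-zero byte, i.e. data not wiped.
    leftover=$(od -An -v -tx1 "$1" | tr -d ' \n0' | wc -c | tr -d ' ')
    [ "$leftover" -eq 0 ]
}

wipe_drive() {
    # Usage: wipe_drive /dev/sdX   (run as root from the live CD)
    if verify_zeroed "$1"; then
        echo "$1: already all zeros"
    else
        zero_target "$1"
        verify_zeroed "$1" || { echo "$1: verification FAILED" >&2; return 1; }
        echo "$1: zeroed and verified ($(target_size "$1") bytes)"
    fi
}
```

A single zero pass is adequate for a 2010-era magnetic drive like the 20 GB disks in the post; SSDs should be erased with the drive's own secure-erase command instead, because overwriting does not reliably reach remapped blocks. On a large disk `cmp -n "$(target_size /dev/sdX)" /dev/sdX /dev/zero` does the same read-back check faster than od, but the od form above needs nothing beyond coreutils.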
Posted on Tue, Apr 20, 2010 @ 07:21 PM
Authored by Mosi Platt, Sr. Audit Consultant, Pivot Point Security
Our Principal Enterprise Security Consultant, John Verry, said he needed to know how the HIPAA Security Rule compared to ISO 27002 in order to put together a proposal for a prospective client. You can see the result of my investigation described in the table below. By my count, 65 of the 134 controls in ISO 27002 map to the HIPAA Security Rule's safeguards. The only HIPAA standard that is not addressed by ISO 27002 is section 164.308(b)(1), "Business Associate Contracts and Other Arrangements."
As you can tell from our website, Pivot Point is a big supporter of ISO 27001 and ISO 27002, and I think this analysis provides a good justification. If an organization has multiple compliance requirements like HIPAA, PCI-DSS, GLBA, etc., then ISO 27001 and ISO 27002 can centralize and simplify those compliance efforts. As the table below shows, implementing fewer than half of the ISO 27002 controls addresses a significant set of regulatory requirements. I think this is why the Shared Assessments Program, which was founded by America's leading financial institutions and accounting firms to establish a single standard for managing vendor security risks, decided to expand its membership to include healthcare organizations. The Shared Assessments Program is based on ISO 27001 and provides a simple way for vendors to reduce their compliance costs and manage their security risks. If you're interested in a more detailed analysis of using ISO 27001 to address HIPAA compliance, see the Shared Assessments Program's detailed mapping.
Table 1 - Mapping HIPAA to ISO 27002 Security Controls


Posted on Thu, Apr 01, 2010 @ 08:30 AM
Authored by Mike Gargiullo, Sr. Security Consultant at Pivot Point Security.
In my last article I detailed a discussion I had with my parents about using an Ubuntu Live USB drive to do their banking. I realized that it may be helpful to show the steps involved in creating one. It doesn't take long at all. So as a follow-up to my previous article "Banking With Live CDs", here's "How to Create a USB Live Drive for Banking".
A few notes before we get started. Some older computers can't boot from a USB drive, so for those you will have to use the CD method instead. For the Live CD visit http://www.ubuntu.com, download, burn and enjoy. Something else I've noticed is that older Dell computers may have issues with networking. There are fixes available, but they are beyond this article.
UNetbootin is the program that makes creating a USB Live Drive quick and simple. It allows you to create a USB key from which you can boot your computer with Ubuntu. To get started, point your browser to: http://unetbootin.sourceforge.net

This program allows for a lot of nice customizations, but we're going for a straight setup. Since I'm on my Windows computer (and I assume you are as well), download the Windows Version.

Insert an empty USB key into your computer and note the Drive letter Windows assigns it. Launch UNetbootin once it has finished downloading. In the left-hand dropdown, scroll to the bottom and select Ubuntu. The right-hand dropdown should automatically pick the latest version. At the bottom, select the drive letter of the USB drive. This will allow the tool to automatically download Ubuntu and install it to the selected USB drive.
Click OK. The tool will then start the process.
Depending on your internet connection speed it may take a while. For instance, my download took 20 minutes over a decent cable modem connection.
Ok, the USB drive is ready. You should choose "Reboot Now" if you'd like to test your USB Live Drive.
Most computers have a way of selecting the medium to boot from. My ThinkPad uses F12. Pressing F12 while booting brings up a menu.
Select the USB Drive you just created.
A few seconds later you will see the boot screen. Select Default and hit Enter.
In a few moments you will see the Ubuntu desktop. You can see that it immediately saw our wireless network and asked me if I would like to connect.
Note that with the straight setup above, nothing you change during the live session is saved; the stick boots fresh every time. UNetbootin has a "Space used to preserve files across reboots" option if you want persistence, but for a banking stick the clean slate is the point: nothing a bad web page leaves behind survives the reboot.
You can now visit your bank online using the Firefox icon on the top menu bar without fear of the current generation of malware that targets Windows computers. Two caveats: this protects you from whatever is on the Windows hard drive, not from a phishing site, a compromised home router, or a keylogger in the hardware, and it only helps if the Ubuntu image you downloaded is genuine, so check the download against the checksums Ubuntu publishes before you trust it.
(ONE NOTE OF CAUTION: After using the USB loaded with Ubuntu, be sure to check your computer's clock after restarting in Windows. Ubuntu treats the hardware clock as UTC while Windows expects it to hold local time, so the Windows clock can come up off by your time zone's offset. It's an easy fix from the Windows date and time settings.)
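Before trusting the stick for banking, check the downloaded image against the SHA256SUMS file Ubuntu publishes next to its ISOs. Here is that check as an added example, not part of the original post and not UNetbootin's own code. It assumes a sha256sum-style sums file (one "hash *filename" or "hash  filename" line per image) saved beside the ISO, and it fails closed: an image that is not listed at all is reported as an error, not a pass. The ISO name in the usage comment is an assumed example.

```shell
#!/bin/sh
# Added example: verify a downloaded ISO against a SHA256SUMS-style file.
# Exit codes from check_iso: 0 = hash matches, 1 = hash differs (corrupt or
# tampered download), 2 = the ISO is not listed in the sums file at all.
# Usage: check_iso ubuntu-10.04-desktop-i386.iso SHA256SUMS   (assumed names)
set -u

sum_for() {
    # Print the expected hash for file name "$1" from sums file "$2".
    # sha256sum writes either "hash *name" (binary mode) or "hash  name"
    # (text mode); both are handled by stripping a leading '*' from the name.
    # Names containing spaces are not handled, which Ubuntu's ISOs never have.
    awk -v n="$1" '{ f = $2; sub(/^\*/, "", f); if (f == n) { print $1; exit } }' "$2"
}

check_iso() {
    iso=$1
    sums=$2
    name=$(basename "$iso")
    expected=$(sum_for "$name" "$sums")
    if [ -z "$expected" ]; then
        # Fail closed: an unlisted file is not "fine", it is unverified.
        echo "$name: not listed in $sums, refusing to trust it" >&2
        return 2
    fi
    actual=$(sha256sum "$iso" | awk '{ print $1 }')
    if [ "$actual" = "$expected" ]; then
        echo "$name: OK"
        return 0
    fi
    echo "$name: MISMATCH (expected $expected, got $actual)" >&2
    return 1
}
```

A matching checksum proves the download was not corrupted in transit; it does not by itself prove the image is the one Ubuntu built, since a checksum fetched from the same server as the ISO could have been replaced along with it. Ubuntu signs the SHA256SUMS file, so `gpg --verify SHA256SUMS.gpg SHA256SUMS` against Ubuntu's signing key is the step that closes that gap.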