A HIPAA violation story for you…

A few months back my wife and I were in our doctor’s waiting room together. We were just chatting and enjoying each other’s company. (We have three young kids… so this might have constituted a date!) We were looking at the trees outside and happened to notice someone rolling a cart to the dumpster in the parking lot with what appeared to be computers and LCD monitors.

After our appointments, we strolled over to take a look. Another company in the doctor’s office complex had thrown away 5 Dell Optiplex machines complete with 15″ LCD monitors. Well, of course I backed the truck up and tossed them in! Worst case, I thought they could be repurposed or used for parts. (Ask my wife, I have parts everywhere…you never know when you’ll need something.)

Once home, I noted that they were all 1Ghz Pentium 4 boxes with a Gig of RAM… Not too shabby. I also noted that they booted into Windows NT (Yeah Windows NT in 2010) with a domain name of “Joe’s Hospital Billing”…Ok, not really Joe’s Hospital, but a well known and respected University Hospital System. I then booted them with a Knoppix Live CD to take a look at the hard drives. I noted that while they were only 20G drives, they were packed with years’ worth of medical billing records and patient information.

Well, since I had no interest in knowing that Shirley So and So has such and such a medical issue or that her SSN is 123-45-6789, I shut down the machines and zeroed the drives. I also sent a nice letter to Joe’s Hospital addressing both the Legal and IT departments explaining what I found and how I found it. I explained I had zeroed the drives and even offered to drop them off to them if they wanted. I got a nice reply from the IT department explaining they had outsourced the upgrades and thanking me for letting them know.

It turned out that one of the IT staff there was someone I knew, so I found out later that the hospital in question has since changed its upgrade practice. The IT team still uses an external company, but this company wipes the drives before they go to the recycler and not the dumpster. While it’s somewhat comforting to know the hospital has changed policy, it’s also scary to think that people’s personal information is so easily “trashed”. What would have happened if I hadn’t found those machines? (I am an “ethical hacker” by trade, after all…) So while HIPAA supposedly “protects” our data, like anything else, it’s only as “secure” as the humans and processes handling it!

Is ISO 27001 Right for (Y)our Organization?

Thinking about ISO 27001 Certification? View our free On-Demand ISO 27001 Webinar

• How to deal with increasing threats
• How to manage multiple regulatory requirements
• How to handle client requests for attestation
• To validate that significant changes did not have unanticipated results

Free Whitepaper: Stop Wasting Money on Penetration Testing

Penetration Testing is most frequently performed to:

• Substantiate the net effectiveness of a mature control environment
• Prove to a third party that an environment is secure/trustworthy
• Quickly assess the security of a less mature control environment (in a sense a technical risk assessment)
• To validate that significant changes did not have unanticipated results

Download: Information Security Attestation Guide

A Best-Practices Guide to Information Security Attestation

Download our proven Information Security Guide to simplify the process of protecting your data, proving you’re secure and growing your business.

Best Practices for Firing A Network Security Administrator

Want to know how to fire a Network Admin? Need to know what precautions to take? Firing any employee can be a stressful event. Firing one who has significant knowledge of and privileged access to your Information Technology/Security infrastructure is even more stressful, as the risks are so notable.

Free Download: ISO 27001 Implementation Roadmap

Have no fear – our “roadmap” will guide you, step by step, through the entire ISO 27001 process.

Getting to ISO 27001 certification is a process made up of things you already know – and things you may already be doing!

Free Whitepaper: Five Best Practices for SIEM

The promise of SIEM is the consolidation of all relevant Security Event Logs from disparate sources into a single unified and normalized data store.

• Simplify compliance monitoring/reporting
• Vastly improve Incident Detection & Incident Response
• Contextualize event information with other business relevant information

Free Download: A Best Practices Guide to Database Security

Because data is only as secure as the systems & processes it relies on – a holistic approach to data security is essential. This roadmap is not meant to be exhaustive but rather to stimulate the necessary thought process to put you on the path to good data security.