January 28 is a good day to recognize how quickly the privacy industry is growing. It’s a day to celebrate you or your staff for helping keep people’s data safe. It’s a day when you can take the opportunity to educate your staff about why privacy matters, and it’s about connecting with other privacy pros to network, to engage, ask questions, and party like a privacy pro.
Tell us how you’re celebrating Data Privacy Day using #DataPrivacyDay2019 or share photos and topics from your #PrivacyAfterHours2019 events.
Join us in making 2019 a record year for the LEAST number of data breaches, security incidents, and other events that negatively impact privacy.
I had the distinct honor of being able to visit the Auschwitz I and Auschwitz II Birkenau camps near Oświęcim, Poland in 2010. With some Jewish ancestry through my father, I had the responsibility to pay my respects. I’m not sure where, when, or how, but this atrocity claimed the lives of a number of my family.
I’m lucky to be here today.
“For ever let this place be a cry of despair and a warning to humanity, where the Nazis murdered about one and a half million men, women, and children, mainly Jews, from various countries of Europe.”
I distinctly remember an inexplicable feeling of terror and sorrow; the air was heavy and it felt as though the weight of the world was on my shoulders. On visiting the Auschwitz I camp, we were greeted by the infamous sign: Arbeit macht frei, meaning “work makes you free”. The tour guide informed us that the sign we were viewing that day was a temporary replacement, as the original had recently been stolen from the property and desecrated.
I remember the mountain of confiscated shoes, stolen eyeglasses, and other personal belongings that were on display. Like these possessions, the Jews that entered this forsaken ground were also robbed of their lives.
Then we saw the hair. The Nazis had removed the hair of the Jews as they were processed into the camp. And it was here, on display for the world to see. It was there to force the world to remember. And we shall never forget.
Google is good, Google is bad, just like Microsoft, just like Apple. I’m more inclined to suggest that Google is more like Apple in that they’re trying to build an entire ecosystem. Microsoft may have tried, but who has a Windows phone anymore? Apple has done it very successfully, and many consumers thrive on the Apple ecosystem (iPhone, iPod, iPad, MacBook, etc.). Tying all these things together can provide a cohesive user experience.
Now that I’ve got my bias out of the way, something I’ve been considering more and more frequently lately is an alternative search engine. As you can already tell, I can appreciate a Google product. But what if I want to ensure privacy in my web searches? What if I’m not interested in selling my soul (and search history) to Google so they can re-market to me on other sites? Is there anything that truly protects my privacy on the web?
I’ve been looking into my Google Analytics lately for users that visit Aligned Risk Management and have found a surprising amount of traffic coming in from DuckDuckGo. Initially, I thought it must be some kind of troll or someone playing a practical joke. I’d never heard of them before.
I did some digging and found that it was a legitimate search engine. And a search engine that places a top priority on privacy.
Officially, DuckDuckGo is an internet search engine that emphasizes protecting searchers’ privacy and avoiding the filter bubble of personalized search results. It distinguishes itself from other search engines by not profiling its users and by showing all users the same search results for a given search term. It emphasizes returning the best results rather than the most results, generating them from over 400 individual sources, including crowdsourced sites such as Wikipedia and other search engines like Bing, Yahoo!, and Yandex.
Did you receive an email this morning informing you that your personal information was exposed in a data breach called Collection #1? You’re not alone, and it’s a reminder to take precautions like enabling two-factor authentication and signing up for a password manager. And it might also be time to reset your password.
Security researcher Troy Hunt, who runs breach notification site Have I Been Pwned (HIBP), first reported the Collection #1 exposure. The massive trove of leaked data, which was posted to a hacking forum, includes some 772,904,991 unique email addresses and 21,222,975 unique passwords, Hunt said.
“Collection #1 is a set of email addresses and passwords totaling 2,692,818,238 rows,” Hunt explained in a Thursday blog post. “It’s made up of many different individual data breaches from literally thousands of different sources.”
Hunt said he first caught wind of the breach last week when several people pointed him to a suspicious collection of files on the cloud service Mega. The 87GB collection, which contained more than 12,000 files, has since been removed from Mega, but found its way to a “popular hacking forum,” he wrote.
“My own personal data is in there and it’s accurate; right email address and a password I used many years ago,” Hunt wrote. “If you’re in this breach, one or more passwords you’ve previously used are floating around for others to see.”
That tool won’t tell you which, if any, of your passwords leaked, but Hunt does offer a feature that lets you manually check your current passwords against a list of known breached ones. On the HIBP site, click “Passwords” at the top, then enter the password you’re concerned about (HIBP won’t see your actual password, according to Hunt).
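The reason HIBP never sees the password is that the check sends only the first five hex characters of the password’s SHA-1 and compares the rest locally. The example below is added here to show that mechanism; it is not HIBP’s own code, and the range response it uses is a constructed sample (only the suffix for “password” is real; the counts and other suffixes are made up). The fetch function is injected so the example runs offline; the production endpoint is https://api.pwnedpasswords.com/range/<prefix>.

```python
import hashlib


def split_hash(password: str) -> tuple[str, str]:
    """SHA-1 the password and split the uppercase hex digest into the
    5-character prefix that is sent to the service and the 35-character
    suffix that stays on the client. The service only ever learns the
    prefix, which is shared by hundreds of unrelated hashes."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}. Blank or
    malformed lines are skipped rather than aborting the check."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and count.strip().isdigit():
            counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, fetch_range) -> int:
    """How many times the password appears in the corpus (0 if unseen).
    fetch_range(prefix) must return the response body for that prefix."""
    prefix, suffix = split_hash(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


# Constructed sample response for prefix 5BAA6, the prefix of
# SHA-1("password"). Counts and the neighbouring suffixes are invented.
SAMPLE_RANGES = {
    "5BAA6": "\n".join([
        "1D2DA4053E34E76F6576ED1DA63134B5E2A:2",
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471",
        "1F0E2B7F4C0A9D3E5B6A8C7D9E0F1A2B3C4:5",
        "",
    ]),
}


def offline_fetch(prefix: str) -> str:
    """Stand-in for the HTTP GET; unknown prefixes return an empty body."""
    return SAMPLE_RANGES.get(prefix, "")


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        n = breach_count(pw, offline_fetch)
        verdict = f"seen {n} times, change it" if n else "not in the sample corpus"
        print(f"{pw!r}: {verdict}")
```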
Security experts have discovered what very well could be one of the largest data breaches of all time, a collection of 772,904,991 unique emails and 21,222,975 unique passwords.
Called “Collection #1,” the breach was initially reported by Troy Hunt and seemingly comes from many different sources, not a single corporate entity. And it’s an especially dangerous one as he says it creates 1.16 billion “unique combinations of email addresses and passwords”.
People can check to see if their accounts and passwords were compromised at Hunt’s “Have I Been Pwned?” website.
The sheer volume of the data was contained in 12,000 separate files clocking in at 87 GB of data on hacking forums. What’s especially troubling to security experts is the files contain “dehashed” passwords, meaning hackers were able to circumvent methods used to scramble those passwords into unreadable strings and expose them.
After that, you’re on your own; you won’t get updates or security fixes.
If you still use Windows 7, it may be time to consider an upgrade.
Starting January 14, 2020, exactly one year from Monday, Microsoft will no longer support Windows 7. That means no more updates or security fixes for the operating system.
“Changes and upgrades in technology are inevitable,” said Brad Anderson, corporate vice president for Microsoft 365, in a blog. “And there’s never been a better time to start putting in motion the things you need to do to shift your organization to a modern desktop with Microsoft 365.”
Microsoft will continue to provide security updates for Windows 7 to business customers that pay for support, according to ZDNet, but not individual users.
Windows 7 was released in 2009 and is still one of the most widely used desktop operating systems. Windows 10 finally overtook Windows 7 in the desktop market at the end of last year, according to ZDNet. NetMarketShare’s December 2018 report showed that 39.2 percent of the machines they collect data from used Windows 10, while 36.9 percent used Windows 7, according to ZDNet.
In 2012, the software giant decided to extend five more years of support for all editions of Windows 7 for individual users.
A Risk Management Plan is the part of your compliance approach that plans, identifies, and analyzes risks.
Parts of a Risk Management Plan
Risk Response Plans
Risk is defined by the Project Management Institute as an uncertain event or condition that, if it occurs, has a positive or negative effect on one or more project objectives. Risk management is the process of identifying, analyzing, mitigating, and communicating risks.
All systems have vulnerabilities. The US Department of Health and Human Services defines a vulnerability as:
[a] flaw or weakness in system security procedures, design, implementation, or internal controls that could be exercised (accidentally triggered or intentionally exploited) and result in a security breach or a violation of the system’s security policy.
The US Department of Health and Human Services defines a risk as:
The net mission impact considering the probability that a particular [threat] will exercise (accidentally trigger or intentionally exploit) a particular vulnerability and the resulting impact if this should occur.
Risks arise from legal liability or mission loss due to:
Unauthorized (malicious or accidental) disclosure, modification, or destruction of information; Unintentional errors and omissions; IT disruptions due to natural or man-made disasters; Failure to exercise due care and diligence in the implementation and operation of the IT system.
When a risk event occurs, it is no longer uncertain. It becomes an issue.
Risk is a function of the likelihood of a given threat exercising a particular potential vulnerability, and the resulting impact of that adverse event on the organization, mitigated by controls. The relationship among these five concepts forms the basis of our risk assessment approach, which can be thought of as a formula:
The risk level is calculated using three underlying components:
Likelihood: The probability of the event happening. How likely is it that a threat acts on the vulnerability?
Impact: The consequences of the risk event. What happens if the threat acts on the vulnerability?
Effectiveness of Existing Controls: Existing controls and their effectiveness at mitigating risk. What is being actively done to mitigate the effects of a risk?
Likelihood × Impact − Controls ⇒ Risk Level
To illustrate, a plane crashing into your office has a high impact, but a low probability. In fact the probability is so low that the overall risk is probably insignificant. On the opposite end of the scale, a road construction project getting delayed due to rain is an event with a low impact but a high probability of occurrence. Thus, it is a significant risk.
What projects have been completed in the past and what unexpected issues occurred?
What was the response of the organization?
What permanent changes were made? Were they justified?
Did the response cause a corresponding loss of business?
Did the response cause a corresponding loss of future projects?
Another part of the risk planning portion of the Risk Management Plan is the definition of risk levels. Here is an example:
Very Low: The event is highly unlikely to occur under regular circumstances.
Low: The event is unlikely but should be noted by the project team.
Medium: The event has a normal chance of occurring and the project team should be aware of it.
High: The event has a reasonable chance of occurring. It should be regularly discussed and mitigation actions taken.
Very High: The occurrence of the event should be actively managed and mitigation actions taken.
Aligned Risk Management breaks down risk levels into four categories: Negligible, Marginal, Serious, and Critical.
Negligible: Theoretical risk. Unlikely to be a serious concern. The vulnerability is very unlikely to be exercised, OR existing controls are highly effective at mitigating the risk, OR the potential impact on the security, privacy and availability of ePHI is low.
Marginal: Unlikely to be an immediate concern, especially in light of other, more severe risks. There is some likelihood that the vulnerability could be exercised. Existing controls provide some effective mitigation of the risk.
Serious: Potential for significant impact on operations. Effective risk management, or a reasonable plan for it, is recommended in the near future. The vulnerability is likely to be exercised. Existing controls provide inadequate mitigation of the risk. There is potential for significant impact on the security, privacy or availability of ePHI.
Critical: Failure to implement controls required by HIPAA. Potential liability and exposure to penalties. Potential for malicious exploitation. Exercise of the vulnerability could cause mission-critical damage to business operations. Prompt intervention strongly recommended. The vulnerability is very likely to be exercised or is currently being exercised. Existing controls provide little effective mitigation of the risk. There is potential for high or even catastrophic impact on the security, privacy or availability of ePHI.
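To make the formula (Likelihood × Impact − Controls ⇒ Risk Level) and the four categories concrete, here is an added worked example, not Aligned Risk Management’s own tooling: a small risk register scored in Python. The ordinal scales, the control deductions, the score thresholds and the register entries are all assumptions constructed for illustration; the only rule taken directly from the text is that any one of the Negligible criteria (very unlikely, OR highly effective controls, OR low impact) is enough on its own.

```python
from dataclasses import dataclass

# Assumed ordinal scales; the page gives the formula and the category
# descriptions but no numbers, so these values are constructed.
LIKELIHOOD = {"very unlikely": 1, "some likelihood": 2, "likely": 3, "very likely": 4}
IMPACT = {"low": 1, "moderate": 2, "significant": 3, "high": 4}
# Control effectiveness is subtracted from the raw Likelihood x Impact score.
CONTROLS = {"little": 0, "inadequate": 1, "some": 3, "highly effective": 6}
# Assumed ceilings on the residual score for each category; above the
# last ceiling the risk is Critical.
LEVELS = [(2, "Negligible"), (6, "Marginal"), (11, "Serious")]


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: str
    impact: str
    controls: str


def residual_score(risk: Risk) -> int:
    """Likelihood x Impact - Controls, floored at zero."""
    raw = LIKELIHOOD[risk.likelihood] * IMPACT[risk.impact]
    return max(0, raw - CONTROLS[risk.controls])


def risk_level(risk: Risk) -> str:
    """Map a risk to Negligible / Marginal / Serious / Critical.
    The Negligible criteria are OR-ed, so any one of them short-circuits
    before the numeric score is consulted."""
    if (risk.likelihood == "very unlikely"
            or risk.controls == "highly effective"
            or risk.impact == "low"):
        return "Negligible"
    score = residual_score(risk)
    for ceiling, label in LEVELS:
        if score <= ceiling:
            return label
    return "Critical"


def rank_register(register):
    """Order a register so the risks needing prompt intervention come first."""
    order = {"Critical": 0, "Serious": 1, "Marginal": 2, "Negligible": 3}
    return sorted(register, key=lambda r: (order[risk_level(r)], -residual_score(r)))


# Constructed sample register for a small healthcare practice.
REGISTER = [
    Risk("Plane crashes into the office", "very unlikely", "high", "some"),
    Risk("Unpatched internet-facing server", "likely", "significant", "inadequate"),
    Risk("Breached credentials reused, no MFA", "very likely", "high", "little"),
    Risk("Laptop theft, full-disk encryption", "some likelihood", "high", "highly effective"),
    Risk("Laptop theft, no encryption", "some likelihood", "high", "little"),
    Risk("Phishing, no awareness training", "some likelihood", "significant", "some"),
]

if __name__ == "__main__":
    for r in rank_register(REGISTER):
        print(f"{risk_level(r):10} score={residual_score(r):2}  {r.name}")
```

Note how the two laptop entries differ only in the control, which is exactly the deduction the formula is meant to capture.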
A good brainstorming tool is to consider the assumptions made by the project. Most projects have disclaimers in their underlying contracts absolving the performing party of various obvious risks, but what about the next most obvious ones?
What assumptions has the project budget made?
What assumptions has the project schedule made (completion date, milestones, etc.)?
What expertise or prior experience does the company have in this work? How long ago was this experience? What areas require additional training?
Which relationships are being assumed to be strong that are not necessarily (owner, sponsor, client, contractor, consultant)?
How many previous projects with similar components have been completed successfully? What were the project issues?
Stay tuned for Part 2 of Aligned Risk Management’s series, Critical Parts of a Quality Risk Management Plan.
Aligned Risk Management helps healthcare organizations streamline and simplify HIPAA compliance efforts so that you can get back to providing the critical services your patients need. Our expert consulting staff works with you to ensure the privacy, security, and integrity of your systems. This specialized knowledge makes us the leading consulting firm for HIPAA compliance and healthcare risk management.
We’ll play defense so you don’t have to…
Defense of protected health information and the security of your systems is important to the safety of your patients. But it is also critical to the success of your practice. Data privacy concerns make headlines every day, and healthcare companies are especially vulnerable to the effects of unaddressed risk. Patient concern is growing. Regulations are poised to become more demanding. You want to concentrate on better serving your patients, and we make that possible.
…but our process doesn’t stop with just a risk assessment.
It doesn’t stop there. Risk management is a process, so our program includes regular follow-ups to make sure that you are successful. We assist in implementing recommendations and in documenting your efforts to ensure your success in case of an audit. Together, we’ll find high-value solutions that really matter, instead of wasting resources on unnecessary tools or time-consuming procedures that do not fit the way your organization operates.
Compliance with HIPAA can feel overwhelming. The most frequent question we hear is “Where do I start?” Start right here with Aligned Risk Management, and put yourself ahead of the curve.
HIPAA fines are up. Audits by the Department of Health and Human Services are up. 2019 is shaping up to be a rather tumultuous and dangerous year for healthcare providers as they ramp up to address their HIPAA privacy obligations.
And here are four steps to start out ahead this year…
1. Do SOMETHING.
There are so many different ways to start tackling another aspect of HIPAA. Are you wanting to make some headway in implementing technical safeguards? Great! Two-factor authentication. What about administrative safeguards? Awesome. Update your workforce sanctions policy and make sure it’s realistic. What about physical safeguards? Get those contingency operations plans updated. Whatever you decide to do, you’ll have to start somewhere.
“When eating an elephant take one bite at a time.”
Creighton Williams Abrams Jr.
I never said that eating the HIPAA elephant was going to be easy. But since you have to, you might as well start with one bite at a time. Approach HIPAA like you would an elephant and you’ll be surprised at just how much you can accomplish in a short period of time.
2. Business Associate Agreements
I’ve seen a lot of embarrassingly insufficient business associate agreements (BAAs). As a recap, a “business associate” is likely a vendor to a healthcare provider, other than a member of the workforce of a covered entity, who provides certain services to a covered entity. Remember, this service directly involves access by the business associate to protected health information (PHI).
Among other confusing relationships that can exist between entities, a covered entity can be a business associate to another covered entity.
As part of your approach to HIPAA in 2019, perhaps it’s time to evaluate the relationship between yourself and your vendors, or between yourself and your clients. Are you a covered entity? Are you a business associate? Do you have business associates?
Once you’ve done some review of those relationships and you’ve identified all your vendors and business associates, it’s time to review those business associate agreements.
3. Policies and Procedures
Cookie cutter policies aren’t going to cut it. In this industry, so highly regulated by HHS, it’s highly unlikely that you’ll get away with taking any shortcuts. Let’s tackle your policies and procedures and how they relate to the realistic operations of your organization.
Are they accurate? I mean, do your policies accurately reflect how your workforce carries out their day-to-day operations? If you’re documenting in your policies that your workforce implements rigorous access revocation procedures upon employee termination, but this isn’t being practiced regularly by your IT staff, that’s not good. You’re saying that you’re doing this, but if that can’t be proven and is likely to be disproved by the dozens of former employee accounts that haven’t been deactivated, HHS will certainly have a field day. At your expense.
Don’t let that happen. Get on top of your policies and procedures. Make sure they’re honest and truthful. Maybe it’s time to actually change some operations and procedures to better protect patient privacy. Maybe you’ll learn something about your own organization. It’s another bite you can take out of the HIPAA elephant. It’s getting smaller!
4. Risk Assessment
Calling in the experts can be totally nerve-racking. You’re inviting others into the sensitive operations of your organization, exposing your internal practices to a stranger. We’re not the bad guys. We’re here to help you.
Updating your risk assessment can give you invaluable insight into modern best-practices that you weren’t aware of. It can make you aware of problematic business operations that really ought to be corrected and streamlined.
And best of all, you’ll get a great plan for continuous improvement: a plan consisting of the best actionable steps you can take to make the most impact in mitigating risk at your organization.