Things have been seriously chaotic around me for the last couple of months and my writing has taken a back seat.  For the first time in weeks I have a chance to sit down and write.  It feels great because there is so much going on that I have wanted to review.  Now, I must decide what to pick first.  Great problem to have, I suppose.

The latest news on the Target breach is just too ripe to pass on at this time.  How does the Target breach relate to HIPAA?  We will start with 3, but there are many more if you get into the details.

1. Your office could have easily been part of it.
2. A technical security breach is a breach.  Every company with a networked device should be learning from what has occurred here.
3. Regulations for all industries will eventually reflect updates due to what has occurred in this breach.

Before I explain the 3 reasons further let’s look at what happened briefly.

The latest news reports indicate the breach was accomplished by first hacking into a HVAC vendor for Target.  Yes, a HVAC company had the ability to log into the Target network.  They were a business partner managing a lot of services for the stores in the area that includes PA, WV, VA, OH and MD.  Not the whole country but their access managed to effect the whole country.  They used their access to the network for billing, contract submissions and project management.

Once the HVAC vendor was hacked they followed their information into the Target networks and over to their Point-of-Sale (POS) devices. The criminals then sat back and waited for the cash to roll in.  The more successful the hack became, the more they spread it throughout the network of POS devices.

To prevent other tools in the network from stopping their stolen information from getting back out to them, they hacked other companies to receive the info for them as drop sites.  Reports mention one small business in Miami, FL and another business in Brazil have been identified so far as “drop sites”.  There could be even more identified.

Based on current information, they made off with 40 million American’s debit and credit cards PLUS 70 million American’s personal data (address, phone, etc).

All the evidence so far indicates the thieves are in Eastern Europe and/or Russia.  Good luck catching them but the FBI, Secret Service, et al are certainly trying.

Now, let’s review the three reasons it matters to HIPAA Businesses:

1. Your office could have easily been part of it.  I hear people tell me all the time their office / business / network / systems are so small and don’t have the information that hackers are after so they don’t need to worry so much about security.  Some act as if HIPAA is just another regulation sucking their time and money away from where it “really matters”.

Do you think the HVAC vendor would give anything right now if they had been required to follow HIPAA security standards?  Were their systems monitored for problems and had plans and reviews in place to make sure security was a priority for their business?  Many HIPAA CEs and BAs are supposed to be doing so and aren’t.  The vendor says their security met “industry practices”.  Doesn’t say what industry, though.

What about the small business in Miami, FL?  They haven’t mentioned yet any details of that business.  What if that business is a doctor’s office or medical billing service?  Not only were they hacked and they didn’t know it but their server became complicit in one of the largest computer hacking incidents in history.  Any small business can be hacked for simply the use of their resources in a larger crime.  Of course, if they are in the network they will steal anything they can from that network before they get rolling on the bigger crime.

What if it was you?  The HVAC office had no idea what was going on until the Secret Service showed up at their door and started going through their systems.

2.  A technical security breach is a breach.  Every company with a networked device should be learning from what has occurred here.  Target has a massive network and should have done a lot more work to segment their networks to prevent this kind of invasion of their systems.  Plenty of large enterprises with expansive networks will be checking out their internal stopgap measures and making changes.  That does not mean that small and medium businesses (SMB) should just write it off to something the “big” guys should be worrying about.

Most security experts will tell you not to plan your network security concentrating on keeping the bad guys out.  You should have layers of security in place.  You do everything you can to keep them out.  Then, assume they will still get into your network and systems.  If and when they do get in, what are you doing to minimize the damage they can possibly do?  You want to do your best to block them from the really good stuff you have using as many methods as possible in your environment.

HIPAA rules provide a great deal of flexibility to allow for entities of all sizes to find a reasonable and appropriate response to the requirements for their environment.  The larger environments should be locked down using the bigger more expensive approaches but the smaller ones should still find a way to do it for their network and systems.  If you were one of the small businesses the hackers used as a drop off site for their stolen data could you say you followed all the industry standards for a HIPAA CE or BA?  It isn’t just about breaking in for your PHI anymore but you do have requirements that should be followed to protect your systems that could prevent you being the stooges in a scam.

3. Regulations for all industries will eventually reflect updates due to what has occurred in this breach.  As this investigation spreads you can bet there will be more regulations to protect financial and personal privacy coming out of every nook and cranny.  A company with the resources and connections of Target didn’t take effective precautions to prevent this level of attack even though they were supposed to be doing so under the PCI-DSS standard.  That standard requires merchants to use a list of standards to protect their customer’s identity and credit card information when a purchase is made.

PCI security standards sound familiar?  Maybe something like protecting PHI under HIPAA Security Rule standards?  The PCI standards are not exactly like HIPAA.  In fact, many security experts believe they are actually more strict than HIPAA Security standards.

Much of what has been published about this breach seems to indicate that Target was lax about following their legally binding security measures.  Clearly, something went wrong in their systems protections even if they were making a solid effort to follow the standards.  Either way, it is obvious that more needs to be done across all industries when you look at how many different hacks were used to accomplish this major break-in.

1. HVAC network hacked
2. Target network initially hacked
3. Target network point-of-sale network hacked
4. Miami business hacked
5. Brazil business hacked

And they aren’t done tracking it all yet…….

It is good to be back!

 

Filed under: HIPAA Tagged: Breach Case, Business Associates, HIPAA, Security, Security Rule