What you need to know about HIPAA Compliance
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH) are national standards put into place to: 1) protect the privacy of personally identifiable health information, 2) secure personally identifiable health information stored and/or transmitted electronically, and 3) promote the meaningful use of health information technology. As of September 23, 2013, compliance with these standards will be mandatory for all applicable healthcare entities AND their third-party vendors. Failure to comply with these standards can result in both civil and criminal penalties.
Do you know if you and your third-party vendors are HIPAA compliant? Do you need some help finding out?
Thankfully, RJS Smart Security provides healthcare organizations and their business associates with a comprehensive evaluation of their protected health information and data environment with a HIPAA assessment. RJS follows the emerging Penetration Test Execution Standard (PTES) as the model for these assessments.
HIPAA Compliance with RJS Smart Security
Our HIPAA assessment focuses on HIPAA regulations for companies who may or may not be facing an audit. During this engagement, we look at the following:
- Compliance is not the same as security. Compliance defines the bare minimum needed to protect specific data types or industries. This engagement identifies lean ways to meet HIPAA requirements so that your business still has resources left for security.
- Strategy is perhaps the most critical security task, as well as the least used. A strategy engagement identifies which HIPAA compliance pieces you already have, what you still need and how to get there. Several risk assessment methodologies are available to guide us in crafting a security plan that ideally fits your health care business.
- Policies and Procedures review the body of written controls currently in use and assess how well they are being followed. Policies often age as technology improves, and procedures are followed poorly as they lose applicability.
And, depending on the scope of your engagement, we also examine:
- Network Vulnerability involves scanning your network to identify the operating systems and applications in use. Older, unpatched applications are a common vector in successful attacks, but these flaws can only be addressed if you know they exist.
- Web Vulnerability focuses on the many common problems found in web applications, such as SQL injection used to steal or alter data, cross-site scripting used to exploit users, and weak configurations.
- Data Analysis identifies the documents and databases an organization is storing and the risks resulting from possible data leakage. This analysis helps you determine ways to centralize storage and eliminate what is unnecessary.
A Success Story
Healthcare Services Provider*
A medical services company had grown by acquisition, and on examination of its network infrastructure an increasing number of legacy applications were cause for mounting concern. With fewer people on staff who knew how they functioned, it was increasingly difficult to maintain their security and comply with the regulations of HIPAA and HITECH.
To help simplify the process of application management while working within a tight budget, the company hired RJS to review one legacy application each quarter. In the short term, this approach helps the firm meet their Business Associate requirements. In the long term, the newly-built applications can be maintained at a lower cost.
* The company name has been kept anonymous due to the sensitivity of the work performed.
Sophos: Pushing the Boundaries
Several people have been asking me lately if I still prefer Sophos technology. After all, they recently released a bad update and Tavis Ormandy’s recent paper illustrated some design flaws in the product.
There’s spin on both sides. Unsurprisingly, Sophos is downplaying the issue and Tavis Ormandy’s tone in his second paper is much like that of his first. So I thought it would be good to explore the issues more fully.
I am disappointed in Sophos’s recent fumbles, but not disheartened. I still think that, for a great many companies, they have the best solution available.
There are two core problems here. The first is that of scaling. As companies grow bigger, they often become slower to react. Sometimes, they fail to adjust to their new reality. Sometimes, however, they get through it and become incredible companies. There are indications that Sophos is beginning the turnaround.
The second problem is industry-wide and has to do with market splintering. Today, we are facing a splintering security vendor space, and reports like the ones from Tavis are a symptom. The reports we’ve been getting for the past few years about AV and IDS being “dead” are yet another symptom. There’s nothing wrong with these reports, and it’s good that people are thinking about the issues. But unfortunately, they’re missing the big picture.
In a splintering space, there is an increasing deviation between what a product actually does and how it is branded. This continues until the vendors wake up and pivot their branding to better match what they actually do. This always takes longer than we’d like, because the employees of a company are driven by its brand even more than its customers are.
As I see it, the AV vendor space is breaking apart into four chunks:
- Traditional AV – Focused on being lightweight and supplementing the protections built into an operating system.
- Anti-Malware – Focused on monitoring and responding to bad and potentially bad things that can happen to an operating system.
- Application Whitelisting – Focused on locking down an operating system to only allow known applications to run.
- Malware Analytics – Focused on providing detailed data about events so human analysts can make appropriate decisions.
The attack space is splintering as well. Specifically, we’re seeing a tiered structure emerging:
- Background Radiation – A constant stream of trivial attacks, legacy viruses and worms that float about the internet.
- Industry-focused Asset Attack – Attacks that focus on specific industries aiming to steal monetary assets. These often rotate between industries, “campaign” style. At present, Western banks are in vogue. Indications are that these attacks are run by organized criminal groups. If you have above average protection in this space, you gain significant competitive advantage as attacks are driven to those that do not.
- State-sponsored IP Attack – Attacks that also focus on specific industries, but are run by better-organized groups suspected of being funded by state agencies. They aim to steal intellectual property. You get significant benefit from being above-average here too.
- Industrial Espionage – Attacks focus on specific companies and likely come from other specific companies. There is no benefit to be gained from being above-average in defense, as that just creates rapid escalation in an arms-race pattern of growth.
The third splintering effect is familiar to those of you who have heard my talks or read my comic book.
In the defense space, we have two primary trends emerging based on complexity. Both are valid, but they are completely incompatible with one another (at least on the large scale).
- Simplification – This trend involves firms who outsource much of their operations and infrastructure to managed SOC providers, cloud providers, SaaS providers, etc. The idea is that by focusing on their core business and finding trustworthy partners, they can become more nimble and therefore more profitable.
- Complexification – This trend involves firms who increasingly centralize their infrastructure through virtualization, log management, analytics, etc. The idea is that by taking more control, you can better analyze the business and find areas for improvement.
So after this rather long diversion, what does it mean for Sophos? Well, their core strength is offering administrators a solution to rapidly and consistently provide a reasonable level of protection that gives early indicators of attack. This means they’re a great fit for anti-malware up to and including the State-sponsored IP attack tier and work best in simpler environments or in simpler subsets of complex environments.
I do not think that they’re the best solution for highly-targeted complex companies, as they are not an analytics tool. They’re also not the best solution for extremely simple firms that want “set it and forget it” technologies. Security takes work and if you put the work in, you get better security. You should pick a solution that allows you to put in more work than you currently do, but does not require that additional work for the product to still be effective.
Many of the critiques of Sophos tend to be at the edges. And Sophos doesn’t help these concerns by marketing as if they fit everywhere for everyone. I think they’ll eventually reach this goal, but they’re not there today.
If you’re in a highly complex environment that is facing constant incursion from well-funded foreign governments, Sophos better not be your only tool. You need Analytics, too.
If you want the cheapest solution out there that you can install and ignore, Sophos won’t work well for you either. That’s where Traditional AV and the ability to wipe and reload when it fails come in.
Operationally, you need to figure out what sort of attack and defense space you’re in, so you can select the tool(s) that will provide the best protection for your business. If you overlap spaces, you’re going to need multiple tools. One of the biggest reasons I really like Sophos is because of their flexibility to play in overlapping spaces. They layer quite well with other security products, which is a great benefit for their customers.
Just remember: We live in a complex world. There are no magic bullets. Security requires thought.
Sprinting through Security
We’re all familiar with old school consultants. These are people hired at $20/hr and rented out for $150/hr. It’s good business, if you can get it. All too often, however, the work is neither enjoyable for the consultant nor useful to the client. After years of trying and failing to make the old model work, I decided it was time to throw it out and start over. Thankfully, RJS agreed. As of today, we are one year into the process of reinventing security consulting.
The fundamental difference is that we’ve fully embraced the fact that the idea of 100% security is a trap. You can never be completely secure, so why base a security project around the idea that you can be? Instead, we focus on achieving a measurable improvement over “today.” Different businesses have vastly different security needs, so once you shift the goal away from “find and fix all the problems” to “strike a balance between defense and response,” myriad solutions become available.
Having a large number of solutions is great, as we can select the one that fits your company’s unique situation the best. But remember, it’s not perfect and will need constant attention to avoid “analysis paralysis” and to stay current with new security trends. To combat this, we look at the second key difference: time-bound tasks, or as we call them, security sprints.
With anything you do, there is one resource that completely vanishes — time. Other consulting approaches focus on minimizing either money or an amorphous concept of risk. The catch with those is that clearly pre-identifying the “risk reduced” or “money saved” itself takes time. Since time is billed, it can cost a significant amount of money just to identify how much money you’re saving!
Want to know how much more secure a project will make you? Pick a small project that can be done in a week or two, do the project, then measure. There’s no guess-work, no scope-creep and most importantly, no spending more money than required to improve your defenses.
This process affords another advantage we did not anticipate. In many cases, security fails because the people who put a system in place are often not the ones responsible for maintaining it. Since security tends to weaken over time as attackers constantly improve, it is imperative that people explore alerts, identify what they mean to the business and take appropriate action. When the people who must manage the systems are not involved in the initial configuration, they tend to lose a lot of time chasing false alerts or, worse, miss legitimate issues.
Since our consulting process is time-bound and focused on helping improve security after we leave, we work on a lot of small projects. These projects are designed so that, when done, they can be absorbed into the business’s existing operations. We then come back for iterative tuning engagements and, over time, help maximize the business’s use of technology. This avoids the common problem of security being “someone else’s” issue, while minimizing the disruption that new technologies can cause.
In the end, after a year’s experimentation, we’ve found that a cyclical short-project consulting model has given our clients a level of security far greater than the traditional defense-only approach. While this didn’t surprise us (after all, that’s why we did it), we were surprised to find that these engagements generally came in 25% to 50% lower in cost than the traditional model. We’ve done security assessments, implementations and strategy planning sessions and, in every case, have achieved better security at a lower cost.
Please contact us if you’d like to learn more about our sprint model and how it can help you achieve a better state of security at a fraction of the price.
Lean Security 101: The Comic Book!
Whether embracing the 80×5 rule or learning how to effectively solicit outside advice, there’s a way to make your security strategy work smarter, not harder. Perfect security is a pipedream. So use what you have and learn from what works.
Follow the principles and strategy detailed in our very own “Lean Security 101” comic book and you can build your own lean security model within your organization!
Follow this link to download Lean Security 101: The Comic Book.
And don’t forget … you can get a lean security review for free, just by requesting one here.
For your reading pleasure …
We update our security blog a couple times a week, however, we simply cannot cover every data breach or malware attack. Luckily, there are several really good blogs we read that help fill in the gaps. If you scan down the right-side of our blog, you’ll see our “blogroll” which includes nine sites we read on a near-daily basis.
Our Senior Security Engineer, Josh More, is a big fan of SANS’ Internet Storm Center and WiKIDBlog. The SANS Internet Storm Center is a collective of security professionals who provide “a free analysis and warning service to thousands of Internet users and organizations, and is actively working with Internet Service Providers to fight back against the most malicious attackers.” The writers at WiKIDBlog tend to think outside of the box and often have some unique solutions to common security problems. They also champion two-factor authentication “without the hassle factor!”
Our blogroll also contains some of our partners, including Bit9, Barrier1, Smoothwall, Sourcefire, Sophos and Zix. Bit9, Sourcefire and Sophos update their blogs quite often and have very informative posts. And if you’re not reading Sophos’ Naked Security on a daily basis, you are really missing out. Graham Cluley and Chester Wisniewski do a phenomenal job of keeping tabs on virtually every major threat wreaking havoc in cyberspace. Their blog is oftentimes rather humorous, contains insightful videos and has won numerous awards. For your money’s worth, you won’t find a better security blog.
Our blogroll contains just a few of our favorites, but there’s room to grow. Do you have any recommendations for us?