Transcript Slide 1

What’s New in
Compliance?
New Compliance and Regulatory Requirements
Yet more headaches?
But first a few questions…
Just a quick show of hands, how many of you work at a
company:
• that has an HR department?
• that does work for companies in other states or has workers in
other states?
• that has clients in the UK or EU?
• where the IT department spends at least 10% of its time on
security issues?
• where there are dedicated team members whose primary job is
seeing that intranet and Internet traffic for all servers is logged
and the logs are forensically sound?
• where logging is done but they are not systematically examined?
• where there has been what you feel is an adequate security
assessment in the last two years?
Pac IT Pros - March 2nd 2010
Caution…

What we are talking about tonight is yesterday’s view of
security and compliance.

Just because you are compliant does not mean you are
secure.

New exploits and variations on old ones are not covered by
today’s compliance regulations or the regulations soon to
be introduced.
Compliance keeps the Feds and other regulatory
agencies off your back.
It does not stop hackers, thieves or careless users.
Be Careful…
A large energy company that I was recently
involved in auditing for security and compliance
had spent so much time, money, and staff
resources on compliance to NERC-CIP (North
American Electric Reliability Corporation
Critical Infrastructure Protection) that they hadn’t
implemented basic network security such as
password expiration, access rights controls,
effective logging and review of logs, or deleting
ex-employees’ accounts and access rights!
You need to maintain a balance between
security and compliance.
New Federal Regulations:
• HITECH Act / Breach Notification for Unsecured Protected Health Information
• HITECH Act / Access to Medical Records
• FTC - Red Flag Rules
• FTC – Fines for Business Associates & Third Parties

This is only a very brief gloss of just a few of the high points.
HITECH Act:

By December 31, 2009 - HHS to issue additional guidelines regarding accounting for disclosures

Due within one year of enactment (by February 17, 2010):
• HHS to provide guidance and rules on de-identification, opting out of fundraising solicitations
• HHS and the Federal Trade Commission will report on privacy and security requirements for Personal Health Record (PHR) vendors and applications

February 17, 2010:
• HHS to issue rules on which entities are required to be business associates
• Business Associates directly subject to HIPAA regulation
• HHS required to conduct periodic audits of entities covered by HIPAA
• Individuals’ right to restrict disclosures to health plans for services paid for out of pocket
• Right of electronic access of records by patients takes effect

Within 18 months of enactment (by August 17, 2010):
• HHS to issue guidance on HIPAA minimum necessary rules
• HHS to release regulations regarding prohibition of sale of data

January 1, 2011 - Initial deadline for complying with new accounting and disclosure rules for information kept in EHRs acquired after January 1, 2009

January 1, 2014 - Initial deadline for complying with new accounting and disclosure rules for information kept in EHRs acquired before January 1, 2009
HITECH Act / Breach Notification for
Unsecured Protected Health Information:
Federal notification requirements apply to a breach of
unsecured Protected Healthcare Information on or after
September 23, 2009:
• A Covered Entity (CE) must notify each individual whose unsecured PHI has
been, or is reasonably believed by the CE to have been, accessed, acquired,
used or disclosed as a result of such breach
• A Business Associate (BA) of a CE must notify the CE of a breach of unsecured
PHI, including the identification of each individual whose unsecured PHI has
been, or is reasonably believed by the BA to have been, accessed, acquired,
used or disclosed during the breach
• Requirements include notification to the media and Department of Health and
Human Services
HITECH Act/HIPAA:
Basically only two mechanisms will be accepted as safe harbors:

Encryption
• The encryption processes identified below have been tested by the National Institute of Standards and Technology (NIST) and judged to meet this standard.
  - Valid encryption processes for data at rest are consistent with NIST Special Publication 800-111.
  - Valid encryption processes for data in motion are those which comply, as appropriate, with NIST Special Publications 800-52, 800-77, or 800-113.
• To avoid a breach of the confidential process or key, the decryption tools should be stored on a device or at a location separate from the data they are used to encrypt or decrypt.

Destruction
• The media on which the PHI is stored or recorded have been destroyed in one of the following ways:
  - Paper, film, or other hard copy media have been shredded or destroyed
  - Electronic media have been cleared, purged, or destroyed consistent with NIST Special Publication 800-88
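As an added illustration of the encryption safe harbor (this is not code from the slides): an AES-GCM seal/open pair for a PHI record, with the key held apart from the data, plus a check that applies the slide's rule that a lost copy counts as unsecured only when it is unencrypted or the key was stored with it. The function names and the constructed test record are assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// newAEAD builds AES-GCM (AES is FIPS 197; GCM is the SP 800-38D mode) from a 16-, 24- or 32-byte key.
func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealPHI encrypts one PHI record; output is nonce || ciphertext || tag,
// so a lost copy reveals nothing without the key held elsewhere.
func SealPHI(key, plaintext []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// OpenPHI decrypts and verifies the tag; any modification is rejected.
func OpenPHI(key, blob []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	n := aead.NonceSize()
	if len(blob) < n {
		return nil, errors.New("blob too short")
	}
	return aead.Open(nil, blob[:n], blob[n:], nil)
}

// IsUnsecuredPHI applies the slide's safe-harbor test to lost media: PHI
// counts as secured only if encrypted and the key was not stored with it.
func IsUnsecuredPHI(encrypted, keyStoredWithData bool) bool {
	return !encrypted || keyStoredWithData
}
```

The key must live in a separate key store or hardware module; if it is written to the same drive as the ciphertext, the check above reports the data as unsecured, which is the slide's point.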
HITECH - One of the requirements
that might really bite:

HITECH Act, Section 13405
(e) Access to Certain Information in Electronic Format.— In applying
section 164.524 of title 45, Code of Federal Regulations, in the case that a
covered entity uses or maintains an electronic health record with respect
to protected health information of an individual—
(1) the individual shall have a right to obtain from such covered entity a copy of
such information in an electronic format and, if the individual chooses, to
direct the covered entity to transmit such copy directly to an entity or person
designated by the individual, provided that any such choice is clear,
conspicuous, and specific; and
(2) notwithstanding paragraph (c)(4) of such section, any fee that the covered
entity may impose for providing such individual with a copy of such
information (or a summary or explanation of such information) if such copy
(or summary or explanation) is in an electronic form shall not be greater
than the entity's labor costs in responding to the request for the copy (or
summary or explanation).
I don’t know about your parents, but my 89 year old mother had a stroke about
six years ago and is very forgetful. How are you going to deliver her medical
records securely and in a way that won’t compromise your company’s data
security?
FTC Red Flag Rules – Coming Soon

FTC Delays Enforcement of the Red Flags Rule Until June 1, 2010

Are you complying with the Red Flags Rule?
The Red Flags Rule requires many businesses and organizations to
implement a written Identity Theft Prevention Program designed to detect
the warning signs or "red flags" of identity theft in their day-to-day
operations. Are you covered by the Red Flags Rule? Read Fighting Fraud
with the Red Flags Rule: A How-To Guide for Business to:
• Find out if the rule applies to your business or organization;
• Get practical tips on spotting the red flags of identity theft, taking steps to
prevent the crime, and mitigating the damage it inflicts; and
• Learn how to put in place your written Identity Theft Prevention Program.
• By identifying red flags in advance, you'll be better equipped to spot suspicious
patterns when they arise and take steps to prevent a red flag from escalating into
a costly episode of identity theft. Take advantage of other resources on this site to
educate your employees and colleagues about complying with the Red Flags
Rule.
FTC – Fines for Business Associates
& Third Parties
I can’t find an exact section of HITECH or ARRA but it is easy to
see from the following that the FTC will play a part.
CVS Caremark Corp. has agreed to pay $2.25 million to settle a federal investigation into
allegations that it violated HIPAA privacy regulations when pharmacy employees threw
items such as pill bottles with patient information into the trash.
The settlement, announced Wednesday, follows a joint investigation by the Department of
Health and Human Services and the Federal Trade Commission after media reports in
2006 that workers at CVS pharmacies were improperly disposing of sensitive patient and
employee data.
Employees allegedly tossed pill bottles with labels containing patient information into
open Dumpsters, along with medication instruction sheets, pharmacy order information,
employment applications, payroll data, and credit card and insurance card information.
According to the FTC, CVS Caremark violated federal laws by failing to implement
reasonable and appropriate procedures for handling personal information about
customers and employees and did not adequately train employees on secure disposal of
personal information.
In addition to paying HHS $2.25 million, the company's more than 6,000 retail pharmacies
must establish and implement policies and procedures for disposing of protected health
information, implement a training program, conduct internal monitoring and hire an
outside assessor to evaluate compliance for three years.
Source: http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1348446,00.html
Convincing your bosses:
Feeling like a one armed paperhanger? Here is a chart that
shows it will cost less if they hire an outside consultant.
Source: Ponemon Institute, 2009 Annual Study: Cost of a Data Breach
What does the future hold?
Threats that have not yet been addressed by regulation.
ACH and Wire Transfer
Transaction Fraud:
ACH (Automated Clearing House - Electronic Check Payments)
• Small to medium size companies for the moment but very likely to spread to
larger institutions as it is very poorly understood.
A prime example of how poorly understood is that Cynxsure, an IT
consultancy firm based in New Hampshire may well have gotten hit this
way.
Another victim may have been Sign Designs Inc., an electric-sign
maker in Modesto, Calif. The first sign of trouble was a morning phone
call from their Bank about a suspicious transaction.
Still another may have been Fan Bao and his wife, Cathy Huang, and
their small import-export business called ZICO USA. When he needed
to wire money one of them would walk a few blocks to Bank of
America’s Highland Park, Calif., branch and execute the transfer in
person. Then they got introduced to online banking….
Cell Phone Voice Interception Fraud:
A survey released today (at RSA) by the Ponemon
Institute on behalf of Cellcrypt, reveals that large
and medium businesses are putting themselves at
risk as a result of cell phone voice call interception.
According to a survey of seventy five companies
and 107 senior executives in the United States, it
costs U.S. corporations on average $1.3M each time
a corporate secret is revealed to unauthorized
parties. 18% of respondents estimate such losses to
occur weekly or more frequently, 61% at least
monthly and 90% at least annually.
Source: http://www.net-security.org/secworld.php?id=8958
IBM Knows: Hackers follow the money!
Are we forgetting to do what we once did?
IBM Knows: Hackers follow the money!
Are we forgetting what we once knew?
In the News Tomorrow?
All news for March 1, 2010
22:49 The Register: IE code execution bug can bite older Windows machines
22:38 The Register: Wiseguys net $25m in ticket scalping racket
22:29 HNS: Malware and vulnerability testing for business websites
22:01 ZDNet: Googler ships exploit to defeat ASLR+DEP
21:59 HNS: Top 7 threats to cloud computing
21:41 HNS: Free service for malware detection on websites
20:59 ZDNet: Zero-days flaws surface in Apple Safari
20:55 HNS: Inspect your encrypted communications
18:22 The Register: Openistas squish security bugs twice as fast
18:15 HNS: Message and web cloud-based security services
17:54 HNS: A 184% increase of malicious websites
16:21 ZDNet: Microsoft investigating new IE browser vulnerability
15:24 HNS: Severe IE vulnerability threatens Windows XP users
15:09 The Register: Hackers go on Tory-bothering spree
14:25 The Register: Fatal System Error: Watching the miscreants
13:56 HNS: Automated defense against industrialized cyber attacks
13:29 HNS: Waledac disruption only the beginning, says Microsoft
13:01 The Register: DarkMarket founder jailed for five years
12:45 HNS: 58 percent of software vulnerable to security breaches
11:51 HNS: Fake Virustotal serves malware
10:42 HNS: Q&A: Malware analysis
08:35 The Register: Most resistance to 'Aurora' hack attacks futile, says report
07:18 HNS: Rugged and secure portable drive
07:10 HNS: Introducing SOURCE Conference Boston
07:05 HNS: Protect every asset in the cloud infrastructure
07:00 HNS: Week in review: Twitter phishing, rogue software and Waledac botnet takedown
Source: http://softsecurity.com/news_D0_high.html
One thing you can be sure of…
Legislators may be very slow on
the uptake but when enough
constituents complain, they will
act and create more laws. Then
the bureaucracy WILL create
new regulations.
Common Terms:

Threat (plural threats)
• an expression of intent to injure or punish another; an indication of imminent danger.
• a person or object that is regarded as a danger; a menace.
Threats usually include natural events, a person, organization, or thing.

Vulnerability (plural vulnerabilities)
• The state of being weak, susceptible to attack or injury; being not well defended.
Vulnerabilities usually specify a weakness of an object, system, process, or control point.

Exposure (countable and uncountable; plural exposures). Potential for damages
• (uncountable) The condition of being exposed, uncovered, or unprotected.
• Limit your exposure to harsh chemicals.
Exposure usually is quantifiable, such as the number of laptops belonging to an organization.

Risk (plural risks)
• A possible, usually negative, outcome, e.g., a danger.
• (Formal use in business, engineering, etc.) The potential (conventionally negative) impact of an event, determined by combining the likelihood of the event occurring with the impact should it occur.
Risks are usually expressed by:
Threat * Vulnerability * Exposure * Opportunity (Likelihood)
Risks are usually rated as: Severe, High, Medium, Low, or Slight.
There is no such thing as “No Risk”.

Opportunity (plural opportunities)
• a chance for advancement, progress or profit
• a favorable circumstance or occasion
Opportunities are usually the favorable circumstance where the financial or personal profit is significant enough that a breach, attack, or malicious event would be likely to occur.
Suggested Resources:

http://www.net-security.org/
• http://www.net-security.org/malware_center.php
• http://www.net-security.org/secworld_main.php

http://softsecurity.com/news_D0_high.html
• Interesting list of news from a variety of sources
There are lots more on the security side but not much
that is readable on the compliance side. Sorry, I don’t
have a recommended site. If you know of one, let me
know.
Thanks!
Write if you get work and don’t forget,
I’m looking too.