The Monthly “Steal” by David Steele
The Monthly “Steal” is a bit of relevant technology information intertwined with personal thoughts, opinions and some real life experiences. It is written by David “Steele” and is free, hence a “steal” from a “Steele”.
206 hospitals in 29 states were hacked in 2015, affecting 4.5 million patient records. According to an article recently published in the Washington Post in February, a Los Angeles hospital paid $17,000 in bitcoin ransom to unlock its computer records.
“The quickest and most efficient way to restore our systems and administrative functions was to pay the ransom and obtain the decryption key,” Hollywood Presbyterian Medical Center CEO Allen Stefanek said. “In the best interest of restoring normal operations, we did this.”
But hospitals are not the only target. JPMorgan Chase, Home Depot and Target were all victims of cyber-attacks in 2014. It is no secret that personal information is valuable; the FBI released an article indicating that in 2013, over 2 million health care records were compromised, which was 31% of all reported data breaches. Cyber criminals are selling the information on the black market at a rate of $50 for each partial electronic health record (EHR), compared to $1 for a stolen social security number or credit card number.
What’s amazing is that most companies still don’t take cyber security seriously or value the importance of properly securing customer data. Companies install door access systems, alarm systems, locked server racks and camera systems, all focused on physical security, but when asked how they are securing their customer data, there is often a lack of detail. Most IT companies and computer professionals practice “General Network Management” or “Best Practices”. These are general guidelines that, when followed correctly, produce safe and secure computer networks. Where most companies struggle is in confirming that best practices are being followed, usage policies are enforced, and employees, IT staff and vendors are trained and held accountable.
In 1996, the Federal Government created the Health Insurance Portability and Accountability Act (HIPAA). The primary goal of the law is to make it easier for people to keep health insurance, protect the confidentiality and security of healthcare information and help the healthcare industry control administrative costs. The Rule requires appropriate safeguards to protect the privacy of personal health information, and sets limits and conditions on the uses and disclosures that may be made of such information without patient authorization.
The Health Insurance Portability and Accountability Act (HIPAA) is a critical piece of legislation in the United States aimed at protecting sensitive patient health information. Enacted in 1996, HIPAA established comprehensive standards for the privacy and security of medical data, ensuring that healthcare providers, insurers, and other related entities handle patient information responsibly. The Act sets national standards for electronic health care transactions and addresses the security and privacy of health data. It is essential for organizations handling health information to comply with HIPAA regulations to safeguard patient privacy and ensure the integrity and confidentiality of the data. https://www.hhs.gov/hipaa/index.html
HIPAA focuses mainly on medical and patient rights, but the same requirements located under the HIPAA Security Rule provide a solid foundation and accountability to ensure “General Network Management” or “Best Practices” are valid and are providing a solid network environment. Before, IT companies would send a network technician and tell them to secure the network. Now, they send in a network technician and say this network needs to be HIPAA or Payment Card Industry (PCI) compliant, providing both the IT company and the customer with accountability.
The Payment Card Industry Data Security Standard (PCI DSS) is a framework established to ensure the security of credit, debit, and other payment card transactions and protect cardholders from misuse of their personal information. Developed by the Payment Card Industry Security Standards Council (PCI SSC), which was founded by major credit card companies including Visa, MasterCard, American Express, Discover, and JCB, PCI DSS provides a set of comprehensive data security requirements applicable to all entities involved in processing card payments.
The standard covers a broad array of security measures, including but not limited to managing network security, protecting cardholder data, maintaining a vulnerability management program, implementing strong access control measures, regularly monitoring and testing networks, and maintaining an information security policy. By adhering to PCI DSS, organizations can significantly reduce the risk of data breaches and cyber attacks aimed at stealing payment card information.
Compliance with PCI DSS is mandatory for any organization that stores, processes, or transmits payment card data, regardless of size or number of transactions. The standard is divided into six major goals and 12 requirements, creating a structured approach to securing payment environments:
Build and Maintain a Secure Network and Systems
Install and maintain a firewall configuration to protect cardholder data.
Do not use vendor-supplied defaults for system passwords and other security parameters.
Protect Cardholder Data
Protect stored cardholder data.
Encrypt transmission of cardholder data across open, public networks.
Maintain a Vulnerability Management Program
Protect all systems against malware and regularly update anti-virus software or programs.
Develop and maintain secure systems and applications.
Implement Strong Access Control Measures
Restrict access to cardholder data by business need-to-know.
Identify and authenticate access to system components.
Restrict physical access to cardholder data.
Regularly Monitor and Test Networks
Track and monitor all access to network resources and cardholder data.
Regularly test security systems and processes.
Maintain an Information Security Policy
Maintain a policy that addresses information security for all personnel.
Adhering to PCI DSS not only helps businesses protect sensitive data and foster customer trust but also aligns them with legal and regulatory requirements concerning data protection. Thus, the PCI DSS serves as a critical component in the overall cybersecurity strategy for any organization handling payment card transactions.
Many companies may say, “But I don’t deal with medical, so why do I need to be so secure?” When IT companies are hired, they are trusted with financial information, personal information and company information. Applying a HIPAA or PCI compliance requirement to your network will force vendors and staff to be more aware and involved in both the physical and functional security of information. In most cases, the cost to properly secure and manage a network is a fraction of the cost associated with a data breach or privacy violation.

Resources:
The Washington Post - February 18, 2015
Cyber Attacks on U.S. Companies in 2014 - By Riley Walters - October 27, 2014
David Steele, Partner / Webmaster

djsteele@intradatech.com
570-321-7370
