Ingenico Skimmer safety

Krebs on Security posted a great article on how to spot an Ingenico skimmer: http://krebsonsecurity.com/2016/06/how-to-spot-ingenico-self-checkout-skimmers/ Definitely worth the read.


Ransomware and cloud based storage

Krebs on Security had a great article called “Ransomware a Threat to Cloud Services, Too”, published on 1/16/16: http://krebsonsecurity.com/2016/01/ransomware-a-threat-to-cloud-services-too/

As more and more small to mid-sized businesses move to cloud-based storage, concerns about the security and restoration of their data need to be considered. Unfortunately I’ve had my share of emergency last-minute data restores from backups due to a client clicking on an email attachment and not only encrypting their computer, but their server data also. A good and reliable backup saved the day each time.

Krebs’s article walks through one business’s story of ransomware hitting its cloud-based data. The moral of the story: make sure you have a reliable and easy-to-restore backup.



Staying Current with Feedly

Michael Whaley –  Seattle
From my March 17, 2015 publication on LinkedIn

I was giving my annual talk to the Cisco students at Seattle Central College a few months ago and my topic was “How to position yourself for a competitive job search once you finish the Network Administration program at SCCC.” In the Q&A I was asked by one of the students how I manage all the information that comes my way to stay current on my industry and technology. I fumbled my answer because I knew I had no way of managing the mass amounts of information the industry provides. I told the student I often find myself oversubscribing to email newsletters, and I end up being too busy and deleting them en masse, and that I was still searching for a way to organize my news sources.

Someone in my Information and Risk Management course mentioned Feedly as a good platform to organize newsfeeds. I signed up and then created a list of criteria I was looking for to add to a news feed. I ended up making three categories in Feedly: IT, IT Security, and Managed Service Providers (MSP’s).

My ultimate goal was to create a feed that is industry relevant and/or pertains to small to mid-sized businesses, as well as HIPAA, PCI, healthcare-related IT, and IT security sites. A news site had to meet one of the following criteria: it was of broad interest and somewhat relevant to IT security; it was directly related to healthcare IT security; it focused on small to mid-sized business security; or its security topics were broad and challenging. If a site was not Feedly compatible, or was too consumer oriented and only slightly relevant, it was not included. Likewise, if a site was too broad and too challenging, it was also not included.

Feedly’s content search feature is helpful for getting started in finding news sources. As I read other news sources over time, I add them to the feed. Feedly can be accessed on smartphones as well as through its web portal. The feature I like best is the Chrome plugin: if I find a topic for one of my security talks, I can tag it and reference it later in Feedly.

The final result ended up being a good overview of what is trending in the IT Security sector with specialty topics from multiple sources. For your reference below is my current news feed on Feedly:



PCI Checklists versus HIPAA Risk Management Framework

Mike Whaley – Seattle
From my May 2015 LinkedIn Pulse article
Managed service providers (MSPs) carry great responsibility for their clients above and beyond network uptime and security. Their clients rely heavily on them to comply with standards and regulations. Consider an MSP that focuses primarily on dental offices, which must be concerned with PCI and HIPAA compliance while also keeping an eye on enforcement by the FTC. With this combination of security management frameworks (HIPAA, PCI and FTC), the MSP needs a clear view of each regulatory framework to understand whether compliance is to be tackled as a cookie-cutter checklist or whether the standard scales to the scope of the client.

The sections below explore these three frameworks in the context of the MSP described above and categorize each framework as either a checklist, a risk management framework, or a hybrid of the two.

Framework Classification

HIPAA’s hybrid approach:

Along with making sure that individuals maintain healthcare coverage between jobs, HIPAA’s second objective is protection of the individual’s private healthcare information. “In addition, it mandates uniform standards for electronic data transmission of administrative and financial data relating to patient health information.”(1) HIPAA applies to health care providers and supporting entities that transmit patient data electronically.

The HIPAA Security Rule provides a list of technical safeguards that an organization needs to follow. “The Rule allows a covered entity to use any security measures that allows it reasonably and appropriately to implement the standards and implementation specifications.”(2) This allows the organization to scale its IT controls to its own size and structure. The hybrid approach of listing the rules while allowing for scalability lets an MSP research and implement client-specific solutions to meet each client’s HIPAA compliance needs.

PCI’s checklist approach:

The PCI Data Security Standard (PCI DSS) was first released in December 2004 by the major card brands, which formed the PCI Security Standards Council in 2006 to maintain it. Later revisions led to version 3.0, which was current when this was written (version 3.1 was published in April 2015).

The PCI Data Security Standard consists of 12 requirements designed to keep digitally transmitted credit card data secure. Each requirement is broken down into sub-requirements, testing procedures, and guidance on meeting them. These are clearly set out as a checklist for entities that process credit card information, regardless of the entity’s size, structure, or specialty, giving the MSP an opportunity to template its network builds to meet the compliance needs of its clients.

FTC’s risk management approach

The FTC is a relative newcomer to bringing legal action against companies with poor cyber security practices. The FTC’s primary goal is to protect consumers, but it is “attempt[ing] to expand its authorities under Section 5 of the Federal Trade Commission Act, which prohibits unfair and deceptive acts or practices.”(3) As of September 2014 it had brought its 50th enforcement action against a company over a leak of personally identifiable information (PII).

When one reads through Section 5 of the Federal Trade Commission Act there is nothing that mentions cyber security best practices, network security, or even the expectation of a network with computers. Section 5 broadly prohibits unfair or deceptive acts or practices by a business toward a customer. This broad approach leaves network security to the IT professional, who must follow industry best practices to protect PII without FTC guidelines or checklist items.

Examples for each framework

HIPAA:

Regulators chose a hybrid framework for HIPAA because healthcare data traverses a broad spectrum of health care providers, insurance companies, law firms, and clearinghouses. Consider encryption of patient health information sent over email (45 CFR 164.312(e)(2)(ii), which the Security Rule makes an “addressable” rather than a “required” implementation specification). If regulators had mandated a checklist item like “all data in HIPAA-related industries must be encrypted in transit,” it would not make sense for a law firm with different practice areas. Though patient healthcare data could be stored on the law firm’s systems for its medical malpractice division, it would be a hindrance for its real estate attorneys to be required to send their emails encrypted just because the firm holds an individual’s medical information.

With HIPAA’s current hybrid approach, an MSP can customize its email encryption recommendations to the law firm client. The MSP can work with a vendor whose product lets the user decide whether a particular email contains patient healthcare information and needs to be sent encrypted. The same MSP may be working with a dental office whose doctor insists that all email correspondence leaving the office be encrypted, to cover his or her bases with HIPAA compliance and the possibility of a breach. All email at the dental office could then be configured to send encrypted only. Both of these approaches allow scalability while remaining compliant under HIPAA’s security standards.

PCI:

PCI is explicit that if credit card data is captured and sent from a network, PCI compliance for the cardholder data environment must be followed. The challenge for the MSP is that sometimes credit card data is captured on a workstation that integrates the transaction into the business’s database software. For example, a dentist may have a front desk computer with a USB credit card swipe. The front desk staff check out a patient by opening the patient management software on that computer and clicking on the patient’s ledger balance. This launches the integrated credit card capture software. The receptionist swipes the card, it is approved, and the ledger is updated to reflect the collected payment. While no credit card data is stored on the network, the full network in this case must be PCI compliant because of the practice management and payment software integration: an operatory computer in the same dental office must follow the same PCI standards as the terminal that collects the payment, because it too uses the same patient management software as the front desk computer. (PCI DSS does allow network segmentation to reduce scope, but on a flat office network where every workstation runs the same integrated software nothing is segmented, so everything is in scope.)

This all-or-nothing checklist is reflected in PCI DSS requirement 1.2.1 (testing procedure 1.2.1.c), which restricts inbound and outbound traffic to what is necessary for the cardholder data environment and specifically denies all other traffic. Since the full dental office needs to be PCI compliant, the full network must comply, including the outbound rules on the router. All outbound traffic must be blocked unless it is necessary for the cardholder environment, which means outbound traffic from the operatory computer follows the same rules as the reception computer that acts as the credit card terminal. This is cut and dried, and no exceptions are made for different environments.
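As an added example (not part of the original article), the following Python script shows what the “deny everything not necessary for the cardholder data environment” rule looks like in practice: an egress allow-list that is applied identically to the reception terminal and the operatory computer, a check that runs it over a few constructed flow-log lines and reports what the firewall would drop, and a rendering of the same allow-list as an nftables forward chain with a default drop policy. The payment gateway address (203.0.113.0/24, a documentation range), the internal resolver and update server addresses, the host names and the log line format are all assumptions made for the example, not a real processor’s endpoints.

```python
"""Egress allow-list check modelled on PCI DSS Requirement 1.2.1 (default-deny outbound).

Constructed example: every address, host name and log line below is invented.
"""
import ipaddress
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    dst_net: ipaddress.IPv4Network
    proto: str
    port: int
    purpose: str


# Hypothetical allow-list for a small dental office CDE. The gateway range is an
# assumption (TEST-NET-3); anything not listed here is denied for every host.
ALLOW = (
    Rule(ipaddress.ip_network("203.0.113.0/24"), "tcp", 443, "payment gateway (assumed)"),
    Rule(ipaddress.ip_network("10.0.0.53/32"), "udp", 53, "internal DNS resolver"),
    Rule(ipaddress.ip_network("10.0.0.53/32"), "tcp", 53, "internal DNS resolver"),
    Rule(ipaddress.ip_network("10.0.0.10/32"), "tcp", 443, "internal update server"),
)


def is_allowed(dst_ip: str, proto: str, port: int) -> bool:
    """Default deny: a flow passes only if some rule matches network, protocol and port.
    There is deliberately no per-host exception: reception and operatory get the same answer."""
    ip = ipaddress.ip_address(dst_ip)
    return any(ip in r.dst_net and r.proto == proto and r.port == port for r in ALLOW)


# Constructed flow-log format (not any vendor's): "<time> <host> <src> -> <dst>:<port>/<proto>"
LINE_RE = re.compile(
    r"^(?P<time>\S+) (?P<host>\S+) (?P<src>\S+) -> (?P<dst>[\d.]+):(?P<port>\d+)/(?P<proto>tcp|udp)$"
)


def find_violations(log_text: str) -> list:
    """Return (host, dst, port, proto) for every flow the default-deny policy would drop."""
    violations = []
    for line in log_text.strip().splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than guess at them
        port, proto = int(m["port"]), m["proto"]
        if not is_allowed(m["dst"], proto, port):
            violations.append((m["host"], m["dst"], port, proto))
    return violations


def to_nftables(rules=ALLOW) -> str:
    """Render the same allow-list as an nftables forward chain with 'policy drop'.
    Return traffic for allowed flows is admitted by the conntrack rule."""
    lines = [
        "table inet egress {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        "    ct state established,related accept",
    ]
    for r in rules:
        lines.append(f'    ip daddr {r.dst_net} {r.proto} dport {r.port} accept comment "{r.purpose}"')
    lines += ["  }", "}"]
    return "\n".join(lines)


# Constructed sample: reception talks to the gateway; operatory2 tries a streaming
# site and outbound SMTP; reception tries the gateway on plain HTTP.
SAMPLE_LOG = """
2016-06-01T09:01:00 reception 192.168.1.20 -> 203.0.113.10:443/tcp
2016-06-01T09:01:02 reception 192.168.1.20 -> 10.0.0.53:53/udp
2016-06-01T09:05:10 operatory2 192.168.1.31 -> 10.0.0.53:53/udp
2016-06-01T09:05:11 operatory2 192.168.1.31 -> 198.51.100.7:443/tcp
2016-06-01T09:06:40 operatory2 192.168.1.31 -> 198.51.100.9:25/tcp
2016-06-01T09:07:00 reception 192.168.1.20 -> 203.0.113.10:80/tcp
"""

if __name__ == "__main__":
    for v in find_violations(SAMPLE_LOG):
        print("DROP", *v)
    print(to_nftables())
```

Running the script lists the three flows the router would drop (the operatory computer’s two attempts to reach outside hosts, and the reception computer’s plain-HTTP attempt to the gateway) and prints the nftables ruleset that enforces the same policy. The point worth noticing is that the operatory computer fails the check for exactly the same reason the reception terminal would: the allow-list has no host column, so there is nothing to carve an exception out of.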

Regulators would choose this approach because different environments, whether it’s a dental office or a coffee shop, have a point of sale. How that point of sale is integrated into the environment varies but the PCI requirements for the network environment that transmits the data can be treated the same way across the board.

FTC:

Regulators are clearly pushing to have the FTC take more of a role in cyber security breaches because of its mandate to protect consumers. The open-ended approach of having no guidelines but enforcing industry best practices most likely originates from two things: a lack of history with cyber security, and testing the waters to see how far the agency can legally go in enforcing best practices.

The FTC v. Wyndham case is a good example of the FTC citing poor security practices, such as a lack of firewalls and storage of credit card information in clear text. These practices are not spelled out anywhere in Section 5 of the FTC Act, yet the court denied Wyndham’s motion to dismiss the FTC’s case, allowing it to proceed.

Summary

As MSPs navigate the changing waters of compliance with their clients, a clear approach to meeting PCI, HIPAA or FTC standards must be set based on each client’s compliance needs. While one client, such as a dental office, may need to comply with multiple standards such as HIPAA and PCI, another may only need to work through a simple PCI checklist. When onboarding a new client, the MSP needs to assess the environment and the client’s compliance needs and build those needs into the network security and infrastructure it sets up.

  1. The University of Chicago Medical Center (February 2010). Guidance. Retrieved from http://hipaa.bsd.uchicago.edu/background.html
  2. Department of Health and Human Services (March 2007). HIPAA Security Series, page 2. Retrieved from http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/techsafeguards.pdf
  3. Dan Verton (September 16, 2014). The FTC’s expanding cybersecurity influence. Retrieved from http://fedscoop.com/ftcs-expanding-cybersecurity-influence