Secure Data Deletion: Permanently Deleting PHI in Healthcare

Learn how to dispose of sensitive data securely.

By: Ryan Marshall
HIPAA Fulfillment Manager
HCISPP
Did you know hackers can often find data that you’ve “deleted,” and exploit it?

Not properly deleting data on devices can lead to a serious breach. For example, an organization returned a leased photocopier that still held medical information on 344,579 patients. By returning a device that still contained sensitive data, the organization violated HIPAA and was fined $1.2 million.

A common mistake many organizations make is to simply delete the data on a drive and leave it at that. Unfortunately, a standard delete only removes the file system's pointer to the data; the data itself remains on the drive until it is overwritten. To protect your PHI, you need to permanently delete old sensitive data.

One of the biggest problems with secure data deletion is knowing what data to destroy, when to destroy it, and who is in charge of it. A simple rule of thumb: if the data isn't necessary, get rid of it.
Here are some things to remember when it comes to permanently deleting PHI.
SEE ALSO: How to Permanently Delete Files with Sensitive Data

Determine the life cycle of data

The first step to managing and deleting old data is to decide how long the data needs to be kept and when it should be deleted.

Your organization should establish a data lifecycle for all types of data you store. Some parameters should include:
  • How long data should be stored for regulatory purposes
  • How long you need the data
The mandate for healthcare data is that you only need to keep the data for 7 years. If you keep data after 7 years, you will need to protect it for 50 years after the patient has died.

Remember that data retention is not just about sensitive data: you also hold other types of data, such as logs, and you should decide how long each of those should be kept.

Keep in mind that if you delete certain data too soon, you may not have the records to go back and investigate a potential breach. It's a good idea to keep incident logs for a year and have logs within 3 months easy to access for analysis.
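To show how the retention parameters above turn into a repeatable disposal worklist, here is an added example (not code from the original post or from SecurityMetrics). It encodes the post's figures as policy inputs: PHI kept 7 years, incident logs kept 1 year with the most recent 3 months kept readily accessible. The inventory dates are constructed for the example, and the `legal_hold` flag and the `review` outcome for data with no defined lifecycle are assumptions that go slightly beyond the text, so that records needed for a breach investigation are never swept away automatically.

```python
from datetime import date

# Retention parameters as the post gives them. These are policy inputs for the
# example, not legal advice; adjust them to your own documented lifecycle.
RULES = {
    "phi": {"retain_days": 7 * 365},                       # keep PHI 7 years
    "incident_log": {"hot_days": 90, "retain_days": 365},  # 3 months hot, 1 year total
}

# Constructed sample inventory; ids and dates are made up for this example.
TODAY = date(2018, 6, 1)
SAMPLE_INVENTORY = [
    {"id": "chart-0001", "kind": "phi", "created": date(2010, 1, 1)},
    {"id": "chart-0002", "kind": "phi", "created": date(2015, 3, 10)},
    {"id": "chart-0003", "kind": "phi", "created": date(2009, 5, 5), "legal_hold": True},
    {"id": "ids-2018-04", "kind": "incident_log", "created": date(2018, 4, 15)},
    {"id": "ids-2017-09", "kind": "incident_log", "created": date(2017, 9, 1)},
    {"id": "ids-2016-01", "kind": "incident_log", "created": date(2016, 1, 1)},
    {"id": "export.csv", "kind": "unknown", "created": date(2017, 1, 1)},
]


def disposition(record, today=TODAY):
    """Return one of: retain, hot, archive, dispose, review."""
    if record.get("legal_hold"):          # assumption: hold overrides every rule
        return "retain"                   # never delete evidence an investigation may need
    rule = RULES.get(record["kind"])
    if rule is None:
        return "review"                   # no lifecycle defined: the data owner must decide
    age_days = (today - record["created"]).days
    if age_days > rule["retain_days"]:
        return "dispose"                  # past its lifecycle: securely delete it
    if "hot_days" in rule:
        return "hot" if age_days <= rule["hot_days"] else "archive"
    return "retain"


def sweep(inventory, today=TODAY):
    """Group record ids by disposition so the person in charge of disposal has a worklist."""
    plan = {"retain": [], "hot": [], "archive": [], "dispose": [], "review": []}
    for record in inventory:
        plan[disposition(record, today)].append(record["id"])
    return plan


if __name__ == "__main__":
    for action, ids in sweep(SAMPLE_INVENTORY).items():
        print(f"{action:8s} {ids}")
```

Running the sweep annually (or more often, as the post suggests) against a real inventory produces the `dispose` list that feeds the secure deletion techniques described later; the `review` list is the set of data nobody has assigned a lifecycle to yet.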

Know secure deletion techniques

Permanently deleting data may require a few different techniques, depending on how you want it done and whether you want to reuse the media where the data is stored. Here are a few techniques to securely delete your data.

Overwriting/clearing
Overwriting writes a pattern of 1s over the existing data (some methods use several different binary patterns in successive passes to ensure all the data has been replaced). Some recoverable data could still remain on the media, so this method may not be the most secure.

Degaussing
This method is useful if you have magnetic tapes and hard drives. Degaussing uses a powerful magnet to erase data on magnetic media. This method is particularly helpful if you want to reuse the media.

Physical destruction
This is one of the most secure methods to permanently delete data. If you don’t plan to use the media again, it’s highly recommended you physically destroy it. You can go to companies that have industrial-sized shredders to dispose of larger hardware.

Some types of media require physical destruction for secure data deletion. Solid state drives (SSD) and optical media like DVDs and CDs generally must be destroyed physically.

Note: some SSDs include a built-in erase command intended to sanitize the drive, but these commands have not been proven to be as effective. You can use one, but it is a risk.
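As an added illustration of the overwriting/clearing technique described above (example code, not from the original post or from SecurityMetrics), the following sanitizes a single file: it writes an all-ones pass as the post describes, then a random pass, then an all-zeros pass, forces each pass to the device with `fsync`, verifies the final pass by reading the file back, and only then unlinks it. The sample record it writes is constructed. This is a file-level overwrite and carries the caveat the post gives: on SSDs, where the controller remaps blocks, and on journaling or copy-on-write file systems, the old blocks may survive untouched, which is why SSDs are listed under physical destruction.

```python
import os
import secrets
import tempfile

# Pass order: all ones (as the post describes), random bytes, then all zeros.
# None means "random data for this pass"; the final fixed pattern is verified.
PASSES = (b"\xff", None, b"\x00")
CHUNK = 64 * 1024

# Constructed sample PHI record used by demo(); not real patient data.
SAMPLE_RECORD = b"patient=EXAMPLE-0001;dx=example diagnosis\n"
SAMPLE_COPIES = 2000


def _fill(fh, size, pattern):
    """Overwrite the first `size` bytes of the open file with one pass."""
    fh.seek(0)
    remaining = size
    while remaining:
        n = min(CHUNK, remaining)
        fh.write(secrets.token_bytes(n) if pattern is None else pattern * n)
        remaining -= n
    fh.flush()
    os.fsync(fh.fileno())  # push the pass through the OS cache to the device


def _is_all(fh, size, byte):
    """Read the file back and confirm every byte equals `byte`."""
    fh.seek(0)
    remaining = size
    while remaining:
        n = min(CHUNK, remaining)
        if fh.read(n) != byte * n:
            return False
        remaining -= n
    return True


def secure_delete(path):
    """Overwrite `path` with every pass in PASSES, verify, then unlink it."""
    size = os.path.getsize(path)
    with open(path, "r+b") as fh:
        for pattern in PASSES:
            _fill(fh, size, pattern)
        verified = _is_all(fh, size, PASSES[-1])
    if not verified:
        # Leave the file in place rather than report a sanitization that did not happen.
        raise RuntimeError(f"verification pass failed for {path}")
    os.remove(path)
    return {"bytes": size, "passes": len(PASSES), "verified": verified}


def demo():
    """Write a constructed PHI file to a temp location, sanitize it, report the result."""
    fd, path = tempfile.mkstemp(prefix="phi-example-")
    with os.fdopen(fd, "wb") as fh:
        fh.write(SAMPLE_RECORD * SAMPLE_COPIES)
    result = secure_delete(path)
    result["exists_after"] = os.path.exists(path)
    return result


if __name__ == "__main__":
    print(demo())
```

The verification read is the step most home-grown wipe scripts skip; without it, a write error or a read-only mount can leave the original bytes in place while the script reports success.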

Don’t forget about data on mobile devices

With stored data, one of the bigger threats is theft of the physical device. Managing data on mobile devices is a bit tricky since they can more easily be lost or stolen. If your organization stores a lot of PHI on mobile devices, it may be a good idea to use mobile device management (MDM) software to control the data.

For example, remote wipe is a feature that ensures the data is removed remotely should a device get lost or stolen. Some remote wipes overwrite or purge the data, while others destroy the encryption keys, which leaves the encrypted data unreadable. I recommend that you use mobile device management software that supports remote wipe, so that management of the data is centralized.
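The second kind of remote wipe mentioned above, destroying the encryption keys rather than the data, is shown in this added example (not code from the original post or from SecurityMetrics). Records are encrypted under a per-device key before they are stored; a wipe zeroes and discards the key, after which the stored blobs are still present but unreadable, and a read attempt fails rather than returning garbage. The cipher here is a stand-in built from HMAC-SHA256 so that the example runs on the standard library alone; a real MDM agent or device would use the platform's hardware-backed keystore and a vetted AEAD such as AES-GCM. The sample record is constructed.

```python
import hashlib
import hmac
import secrets


def _keystream(key, nonce, length):
    """Toy counter-mode keystream from HMAC-SHA256(key, nonce || counter).
    Stand-in for a real AEAD, used only so the example runs offline."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


class EncryptedDeviceStore:
    """Device-side storage: every record is encrypted and authenticated under
    one device key. A remote wipe destroys that key; the ciphertext may stay
    on the flash, which is the point of the technique."""

    def __init__(self):
        self._key = bytearray(secrets.token_bytes(32))  # lives in device key storage
        self.blobs = {}                                  # record id -> (nonce, ct, tag)

    def store(self, record_id, plaintext):
        nonce = secrets.token_bytes(16)
        ct = _xor(plaintext, _keystream(self._key, nonce, len(plaintext)))
        tag = hmac.new(self._key, nonce + ct, hashlib.sha256).digest()
        self.blobs[record_id] = (nonce, ct, tag)

    def read(self, record_id):
        if self._key is None:
            raise PermissionError("device key destroyed: data is unrecoverable")
        nonce, ct, tag = self.blobs[record_id]
        expected = hmac.new(self._key, nonce + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise ValueError("integrity check failed")
        return _xor(ct, _keystream(self._key, nonce, len(ct)))

    def remote_wipe(self):
        """Crypto-erase: overwrite the key material in place, then drop it.
        Returns the number of records rendered unreadable."""
        for i in range(len(self._key)):
            self._key[i] = 0
        self._key = None
        return len(self.blobs)


def demo():
    """Store a constructed PHI record, wipe the device, show what remains."""
    dev = EncryptedDeviceStore()
    record = b"MRN 000123: example allergy list"  # constructed sample, not real data
    dev.store("rec1", record)
    readable_before = dev.read("rec1") == record
    wiped = dev.remote_wipe()
    try:
        dev.read("rec1")
        recoverable_after = True
    except PermissionError:
        recoverable_after = False
    _, ct, _ = dev.blobs["rec1"]
    return {
        "readable_before": readable_before,
        "records_wiped": wiped,
        "recoverable_after": recoverable_after,
        "blob_still_present": "rec1" in dev.blobs,
        "ciphertext_contains_plaintext": record in ct,
    }


if __name__ == "__main__":
    print(demo())
```

The design choice worth noting is why key destruction is attractive for lost devices: an overwrite-style wipe has to stay connected long enough to rewrite every block, whereas discarding a 32-byte key takes one write, and the remaining ciphertext is only as recoverable as the cipher is breakable.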

SEE ALSO: 5 Tips to HIPAA Compliant Mobile Devices

Additional tips

Here are some more tips to ensure secure data deletion:
  • Go through and delete data at least annually: depending on how much data you process, you may want to do it more often
  • Set someone in charge of data disposal: have someone who knows the lifecycle of data, the policies behind deletion and how it’s managed
  • Set up policies: document the process for secure data deletion, what should be done, when it should be done, and who’s responsible for it
  • Train employees: make sure your employees are aware of the policies behind data deletion
Need help with HIPAA compliance? Talk to us!

Ryan Marshall (HCISPP) is the HIPAA Fulfillment Manager at SecurityMetrics. He has worked in data security for eight years, and has specialized in HIPAA, healthcare compliance, and HIPAA regulations for three years.

6 Phases in the Incident Response Plan

Learn the 6 phases to managing a data breach. 

By: David Ellis
Director of Forensic Investigations
QSA, CISSP, PFI
An incident response plan should be set up to address a suspected data breach in a series of phases. Within each phase, there are specific areas of need that should be considered.

The incident response phases are:
  1. Preparation
  2. Identification
  3. Containment
  4. Eradication
  5. Recovery
  6. Lessons Learned
Let’s look at each phase in more depth and point out the items that you need to address.

SEE ALSO: 6 Steps to Making an Incident Response Plan

1. Preparation

This phase will be the workhorse of your incident response planning and, in the end, the most crucial phase for protecting your business. Part of this phase includes:
  • Ensure your employees are properly trained regarding their incident response roles and responsibilities in the event of a data breach
  • Develop incident response drill scenarios and regularly conduct mock data breaches to evaluate your incident response plan
  • Ensure that all aspects of your incident response plan (training, execution, hardware and software resources, etc.) are approved and funded in advance
Your response plan should be well documented, thoroughly explaining everyone’s roles and responsibilities. Then the plan must be tested in order to assure that your employees will perform as they were trained. The more prepared your employees are, the less likely they are to make critical mistakes.

Questions to address
  • Has everyone been trained on security policies?
  • Have your security policies and incident response plan been approved by appropriate management?
  • Does the Incident Response Team know their roles and the required notifications to make?
  • Have all Incident Response Team members participated in mock drills?
SEE ALSO: 5 Things Your Incident Response Plan Needs

2. Identification

This is the process where you determine whether you’ve been breached. A breach, or incident, could originate from many different areas.
It’s important to discover the breach quickly, where it’s coming from, and what it has affected.
Questions to address
  • When did the event happen?
  • How was it discovered?
  • Who discovered it?
  • Have any other areas been impacted?
  • What is the scope of the compromise?
  • Does it affect operations?
  • Has the source (point of entry) of the event been discovered?

3. Containment

When a breach is first discovered, your initial instinct may be to securely delete everything so you can just get rid of it. However, that will likely hurt you in the long run since you’ll be destroying valuable evidence that you need to determine where the breach started and devise a plan to prevent it from happening again.

Instead, contain the breach so it doesn’t spread and cause further damage to your business. If you can, disconnect affected devices from the Internet. Have short-term and long-term containment strategies ready. It’s also good to have a redundant system back-up to help restore business operations. That way, any compromised data isn’t lost forever.

This is also a good time to update and patch your systems, review your remote access protocols (requiring mandatory multi-factor authentication), change all user and administrative access credentials and harden all passwords.

Questions to address
  • What’s been done to contain the breach short term?
  • What’s been done to contain the breach long term?
  • Has any discovered malware been quarantined from the rest of the environment?
  • What sort of backups are in place?
  • Does your remote access require true multi-factor authentication?
  • Have all access credentials been reviewed for legitimacy, hardened and changed?
  • Have you applied all recent security patches and updates?
SEE ALSO: How to Manage a Data Breach: 5 Steps to Keep Your Business Safe

4. Eradication

Once you’ve contained the issue, you need to find and eliminate the root cause of the breach. This means all malware should be securely removed, systems should again be hardened and patched, and updates should be applied.

Whether you do this yourself, or hire a third party to do it, you need to be thorough. If any trace of malware or security issues remain in your systems, you may still be losing valuable data, and your liability could increase.

Questions to address
  • Have artifacts/malware from the attacker been securely removed?
  • Has the system been hardened, patched, and had updates applied?
  • Can the system be re-imaged?

5. Recovery

This is the process of restoring and returning affected systems and devices back into your business environment. During this time, it’s important to get your systems and business operations up and running again without the fear of another breach.
Questions to address
  • When can systems be returned to production?
  • Have systems been patched, hardened and tested?
  • Can the system be restored from a trusted back-up?
  • How long will the affected systems be monitored and what will you look for when monitoring?
  • What tools will ensure similar attacks will not reoccur? (File integrity monitoring, intrusion detection/protection, etc)

6. Lessons Learned

Once the investigation is complete, hold an after-action meeting with all Incident Response Team members and discuss what you’ve learned from the data breach. This is where you will analyze and document everything about the breach. Determine what worked well in your response plan, and where there were holes. Lessons learned from both mock and real events will help strengthen your systems against future attacks.

Questions to address
  • What changes need to be made to security?
  • How should employees be trained differently?
  • What weakness did the breach exploit?
  • How will you ensure a similar breach doesn’t happen again?
No one wants to go through a data breach, but it’s essential to plan for one. Prepare for it, know what to do when it happens, and learn all that you can afterwards.

Need help with a data breach? Talk to one of our Forensic Investigators!

David Ellis (GCIH, QSA, PFI, CISSP) is Director of Forensic Investigations at SecurityMetrics with over 25 years of law enforcement and investigative experience. Check out his other blog posts.

PCI Requirement 4: Securing Your Networks

Learn how to protect stored and transmitted card data. 

By: George Mateaki
Security Analyst
CISSP, QSA
What do you do with your card data once you receive it? How is it transmitted to other areas? Are you securing these areas?

These are all questions that can be related to PCI Requirement 4.

This requirement covers secure data transmission, especially when doing it over open and public networks. Businesses should be aware of how their card data is transmitted and through which networks.
Here are some things to keep in mind when fulfilling PCI Requirement 4.

Keep track of your PAN

You need to identify where you send cardholder data. Information like Primary Account Numbers (PAN) and magnetic stripe data should be stored securely and encrypted. Some common places PAN is sent include:
  • Processors
  • Backup servers
  • Third parties that store/handle PAN
  • Outsourced management of systems
  • Corporate offices
SEE ALSO: How Much Credit Card Data do You Store? (It’s More Than You Think.)

Stop using SSL/early TLS where possible

The PCI SSC released a policy that states you should transition from SSL and early TLS to secure versions of TLS by June 30, 2018.

If your business is using SSL or early TLS, you should stop and update as soon as possible. These older protocol versions have several known vulnerabilities. You should contact your terminal providers, gateways, service providers, and acquiring bank to see whether the applications and devices you use still rely on these protocols. Applications that use SSL/early TLS may include:
  • Virtual payment terminals
  • Back-office servers
  • Web/application servers
If you need to keep using SSL/early TLS for now, here are a few tips to protect your data:
  • Upgrade to a current, secure version of TLS configured not to accept fallback to SSL or early TLS
  • Encrypt data with strong cryptography before sending it over SSL/early TLS (i.e., use field-level or application-level encryption to encrypt data prior to transmission)
  • Set up a strongly encrypted session first (e.g., an IPsec tunnel), then send data over SSL within the secure tunnel
  • Check firewall configurations to see if SSL can be blocked
  • Check that all application and system patches are up to date
  • Check and monitor systems to identify suspicious activity that may indicate a security issue

If you have existing implementations of SSL and early TLS, you need to have a Risk Mitigation and Migration Plan in place. This document will help you detail your plans for migrating to a secure protocol and the controls you have in place to reduce the risk.
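Two of the tips above, configuring TLS so it cannot fall back to SSL or early TLS and monitoring systems for signs of a problem, are shown in this added example (not code from the original post or from SecurityMetrics). It builds the weak client configuration beside the corrected one using Python's standard `ssl` module, provides a check that reports whether a context's protocol floor still admits early TLS, and runs a small detector over constructed handshake log lines to flag peers that negotiated legacy versions. The log format, field names and IP addresses are constructed for the example; adapt the regular expression to whatever your gateway or web server actually logs.

```python
import re
import ssl

# Protocol versions the PCI SSC migration deadline applies to, as they
# commonly appear in handshake logs.
LEGACY_VERSIONS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.0", "TLSv1.1"}


def permissive_context():
    """The weak setting: no protocol floor of its own. Whatever the underlying
    library build still supports (on older builds, SSLv3 and early TLS) can be
    negotiated, so a downgrading peer can pull the session to a weak version."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    return ctx


def hardened_context():
    """The corrected setting: refuse anything below TLS 1.2 and always verify
    the peer certificate and host name."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def accepts_early_tls(ctx):
    """True if the context's floor would let SSL or TLS 1.0/1.1 be negotiated."""
    floor = ctx.minimum_version
    if floor == ssl.TLSVersion.MINIMUM_SUPPORTED:
        return True  # no floor configured: the library default decides
    return int(floor) < int(ssl.TLSVersion.TLSv1_2)


# Constructed handshake log format: "<timestamp> tls-handshake proto=<ver> cipher=<suite> peer=<ip>"
HANDSHAKE_RE = re.compile(r"proto=(?P<proto>\S+)\s+cipher=(?P<cipher>\S+)\s+peer=(?P<peer>\S+)")

SAMPLE_LOG = [  # constructed sample lines; addresses are documentation ranges
    "2018-06-01T10:00:01Z tls-handshake proto=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 peer=203.0.113.20",
    "2018-06-01T10:00:05Z tls-handshake proto=TLSv1 cipher=AES128-SHA peer=203.0.113.7",
    "2018-06-01T10:00:09Z tls-handshake proto=SSLv3 cipher=RC4-SHA peer=198.51.100.4",
    "2018-06-01T10:00:12Z tls-handshake proto=TLSv1.3 cipher=TLS_AES_256_GCM_SHA384 peer=203.0.113.21",
]


def find_legacy_handshakes(log_lines):
    """Return (peer, protocol) for every handshake that used SSL or early TLS.
    Each hit is either a client that still needs migrating or a downgrade to investigate."""
    flagged = []
    for line in log_lines:
        m = HANDSHAKE_RE.search(line)
        if m and m.group("proto") in LEGACY_VERSIONS:
            flagged.append((m.group("peer"), m.group("proto")))
    return flagged


if __name__ == "__main__":
    print("permissive accepts early TLS:", accepts_early_tls(permissive_context()))
    print("hardened accepts early TLS:  ", accepts_early_tls(hardened_context()))
    for peer, proto in find_legacy_handshakes(SAMPLE_LOG):
        print(f"legacy handshake from {peer} using {proto}")
```

The list of peers the detector returns is useful input to the Risk Mitigation and Migration Plan: it tells you which terminals, gateways or partners are still on SSL/early TLS before you turn the floor up and they stop connecting.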

SEE ALSO: DROWN Attack and SSL: What You Need to Know

Additional tips

Here are a few other things to consider when fulfilling Requirement 4:
  • Secure wireless network: make sure not just anyone can get into your wireless and make sure all endpoints are secure
  • Update keys and certificates: make sure your security certificates are up to date and your encryption keys are also properly protected
  • Work with your service providers: you want to ensure they are also following proper procedures to make sure your data is safe
  • Train employees: make sure your employees are aware of what should be updated and what types of web encryption shouldn’t be used anymore
It’s important to keep your data safe while you’re storing and transmitting it. Keeping your web encryption updated and mitigating all known vulnerabilities is one way to ensure data protection.

Need help getting PCI compliant? Let’s see how you’re doing so far!

George Mateaki (CISSP, CISA, QSA, PA-QSA) is a Security Analyst at SecurityMetrics with an extensive background in Information Security and 20+ years in IT.

How Healthcare Security Complacency is Killing Your Organization

Healthcare is in serious security trouble if something isn’t done soon. 

By: Brand Barney
Security Analyst
CISSP, QSA
When you think of the biggest threat to healthcare security, what do you picture? Do you picture hackers? Do you picture malware? Employees?

Yes, those are all important issues, but a common problem I’ve seen recently isn’t just the threat of data breaches, or even the lack of proper security. The biggest problem with healthcare data security and HIPAA is complacency.

SEE ALSO: A Snapshot of the 2017 SecurityMetrics Guide to HIPAA Compliance: The Status of Healthcare Security

When it comes to the security aspect of HIPAA, many healthcare organizations are complacent, thinking a data breach won’t happen. As a result, far too many organizations are losing data and they don’t even know it.
Here are some reasons why complacency in data security hurts your organization.

Your data can be stolen way too easily

People love the idea that stealing data is a really technical and complicated process, like an Ocean’s 11 movie or an episode of Mr. Robot. In reality, stealing data from some organizations is often embarrassingly easy.

Many organizations don’t realize how easy it is for someone to walk in, take something with valuable data on it, and walk out. Social engineers can easily install malware and steal data from healthcare systems due to inadequate employee training and security.

SEE ALSO: Physical Security: What You Aren’t Thinking About

Don’t believe me? Target’s breach was very technical once the attackers were inside the network, but how they got into the network was not technical at all. In any breach, there is a series of items the company overlooked that ultimately led to the breach. The same can be said for Target. Target’s HVAC vendor had insecure passwords and remote access into Target’s network. Attackers obtained those weak passwords and essentially “walked” right into the network. That’s when the more complicated and technical attacks began.

Your IT security people will get frustrated

In most cases, your IT people do care about security. But if the rest of your organization doesn’t care, your security people are going to quickly get frustrated and then eventually stop caring.

Here’s an example: a service provider wants to have IT open up an insecure port/protocol so a doctor can gain access to the network from home. The IT people say no, and then the doctor goes to the higher up and complains. Most organizations wish to keep providers happy, so they make the IT people do it.

Security people can make money anywhere, but having a secure organization is all about culture. If the providers don’t care about security, IT people are often going to go somewhere else.

It won’t be a matter of if, but when you get breached

There’s a lot of talk about financial institutions as the top organizations getting breached. In reality, it’s healthcare. Personal information and healthcare records run for much more on the black market versus card data.

Nearly 90 percent of healthcare organizations have been breached in the past 2 years. These breaches have exposed over 112 million records and cost the healthcare industry $5.6 billion annually. Most, if not all, of these breaches could have been prevented if the organization had followed more secure practices.

Basically, if you don’t secure your data, you will get breached.

When you experience a data breach, you’re screwed

Many organizations may think that dealing with a breach will be less damaging than having to deal with security. This is patently false. If you are breached, no one can bail you out, and you haven’t protected your patients and won’t be able to. If data gets stolen, you’re screwed.

Not only are you putting your patients at risk, but also your reputation. Breached organizations often lose 40% of their clients.

Basically, a data breach will cost you a lot more than you think. There’s the cost of legal fees, HHS fines, and handling patient data loss. Also remember that while a credit card can be easily replaced, a social security number can’t. Essentially, if you’re handling patient data (and not just social security numbers), you have much more to lose.

SEE ALSO: How Much Does a Data Breach Cost Your Organization?

Why are we failing at security?

So why are we so bad at security? To put it simply, many higher ups don’t care. No one understands security and HIPAA, and because they don’t understand it, they push it to the side and hope it goes away or never causes any “real” issues. Because the top people are complacent about security, the rest of the organization generally follows suit.

It’s important for C-suites to be aware of their organization’s security needs and promote a culture of security and HIPAA compliance. They should know where their networks may be vulnerable and what is being done to address those vulnerabilities.

So what should we do?

You need to promote the culture of data security and HIPAA in your organization. Employees should be trained in security procedures and handling issues like social engineering. There should be security policies set in place and employees need to follow them.

We need to start treating health data like it’s as valuable as it really is, and we need to start this process today!

It’s also important to maintain your security and compliance. Just because you’re secure today doesn’t mean tomorrow will be the same. It’s like maintaining your body: while your body may be healthy today, if you don’t take care of the essentials, you may not be healthy tomorrow.

Have a continuous cycle of security improvement. Here are a few tips to maintain security and HIPAA compliance:
  • Perform regular vulnerability scans: find any vulnerabilities before they are exploited
  • Review and update policies annually: things may change in your organization that require change to your security policies
  • Train employees quarterly, if not monthly: people learn best by repetition; consistent training helps employees keep security on the brain
  • Document everything: having all policies documented will help with training and keep everybody on the same page
Need help with HIPAA compliance? Talk to us!

Brand Barney (CISSP, HCISPP, QSA) is a Security Analyst at SecurityMetrics, has over 10 years of data security experience, and will totally geek out if you mention Doctor Who. Brand loves to play jazz piano and daydreams about being as great as Dave Brubeck or Thelonious Monk. Connect with him on Twitter or check out his other blog posts.

SAQ B: What Your Business Needs to Do

Learn who qualifies for the SAQ B, and tips to filling it out.  

By: George Mateaki
Security Analyst
CISSP, QSA
SAQ B was developed to address requirements for merchants who process cardholder data through imprint machines or standalone, dial-out terminals. SAQ B merchants can either be card-present, or card-not-present merchants, but they do not store cardholder data on any computer system.

SEE ALSO: Updating PCI DSS SAQs to 3.2: The Changes You Should Know
Here are some things to know about SAQ B.

Who is required to fill out SAQ B?

Here's what qualifies your business to fill out SAQ B:
  • Your company uses only an imprint machine and/or uses only standalone, dial-out terminals (connected via a phone line to your processor) to take your customers’ payment card information;  
  • The standalone, dial-out terminals are not connected to any other systems within your environment; 
  • The standalone, dial-out terminals are not connected to the Internet; 
  • Your company does not transmit cardholder data over a network (either an internal network or the Internet); 
  • Any cardholder data your company retains is on paper (for example, printed reports or receipts), and these documents are not received electronically; and 
  • Your company does not store cardholder data in electronic format.
Note: this SAQ isn’t applicable to e-commerce channels, since merchants that qualify for it must not store or transmit cardholder data in electronic format. 

SEE ALSO: PCI Standards: Which PCI SAQ is Right for My Business?

What PCI Requirements are included in SAQ B?

Here are the requirements included in this SAQ:
  • Requirement 3: protect stored cardholder data
  • Requirement 4: encrypt transmission of cardholder data across open, public networks
  • Requirement 7: restrict access to cardholder data by business need to know
  • Requirement 9: restrict physical access to cardholder data
  • Requirement 12: maintain a policy that addresses information security for all personnel
Note: While you only attest to five of the 12 sections of PCI-DSS for the SAQ B, you are still required to adhere to all applicable PCI-DSS requirements.

SEE ALSO: Top Ten PCI Requirement Failures: Where is Your Business Struggling?

Example questions to address

Here are just a few questions you’ll answer as part of this SAQ:
  • Is sensitive authentication data deleted/rendered unrecoverable upon completion of authorization process?
  • Are policies in place that state unprotected PANs are not to be sent through end-user messaging technologies? 
  • Is the personal identification number (PIN) or the encrypted PIN block not stored after authorization?
  • Is access to system components and cardholder data limited to only individuals whose jobs require access? 
  • Is media sent by secured courier or other delivery methods that can be accurately tracked?
  • Are hardcopy materials cross-cut shredded, incinerated or pulped? 
  • Is a list of service providers maintained? 

Additional tips

Here are a few more things to remember when filling out SAQ B:
  • Update security policies: make sure all your policies are updated and accessible to your employees
  • Boost your physical security: protect areas of your business that process or store sensitive data by limiting access
  • Train employees: Make sure your employees understand your security policies and implement them
Need help getting PCI compliant? Talk to us! 

George Mateaki (CISSP, CISA, QSA, PA-QSA) is a Security Analyst at SecurityMetrics with an extensive background in Information Security and 20+ years in IT.
