Understanding the HIPAA Application of Firewalls

Like a security guard, firewalls control what goes in and what comes out.

Tod Ferran, Security Analyst
By: Tod Ferran
Many smaller healthcare entities and business associates struggle to understand how HIPAA requirements translate into specifics for their environment. Take HIPAA requirement §164.312(c)(1), for example.

It’s true this HIPAA regulation never mentions the word ‘firewall.’ But to be truly HIPAA compliant, any time your entity has a connection to the Internet, you must have a physical firewall device in addition to any software firewalls enabled on your systems.

The most common concern I find with small covered entities and business associates is that they don’t know anything about firewalls. Worse, they think the little box their ISP (Internet Service Provider) gave them to connect to the Internet is a firewall, so they feel a false sense of security. 

Social Engineering – It’s OK To Be a Little Paranoid

After all, gullible employees lead to security breaches.

Brand Barney, CISSP
By: Brand Barney
Humans want to trust other humans. If I struck up a conversation with a gentleman in a suit at the bus stop who explained his life story, why would I distrust him? We all have a natural tendency to believe what trustworthy-looking people tell us. And that’s what gets us in trouble. 

What is social engineering?

Social engineering is a way of manipulating people socially so that they trust the social engineer and eventually provide some sort of usable data. For instance, instead of trying to find software vulnerabilities to exploit for sensitive data, a social engineer might try to trick someone into divulging an administrative password without realizing it.

Have you ever seen the crime drama Catch Me If You Can? Frank Abagnale, the main character, is a master of social engineering. He convinces people he’s an airline pilot, doctor, and attorney by forging documents and acting like he belongs. The scary thing is, it’s a true story.

What’s the problem with social engineering?

Here are some common ways social engineers try to manipulate us:

  • Steal badges and credentials in unlocked cars
  • Go to the local donation store and buy old company T-shirts
  • Pose as janitorial staff to get into a building
  • “Can you hold the door for me? I don’t have my badge.”
  • Pose as an IT person that needs to fix the network
  • Try unlocked doors around the backside of buildings 
  • Pose as law enforcement conducting an inspection 
  • Dumpster dive for sensitive documents

Here’s what happens when I try to socially engineer someone.

How to avoid being a victim of social engineering

The best way to avoid being socially engineered is by educating yourself and your employees. Here are some points you should touch on during training:

  • You should be slightly paranoid (better to be safe than sorry)
  • Social engineers don’t sneak around. They’re confident and friendly. They look like they belong. Don’t be pressured by their convincing ways.
  • Never give out your username/password, badge, PIN, ID number, credit card, or schedule. In essence, never give out sensitive information about you or your company.
  • Ask for a contact to verify why the person needs the information they’re asking for
  • Don’t hold secure doors open for people you don’t know

The only way to identify whether your employees have absorbed all that social engineering knowledge is to test them. You can don a disguise and test them yourself, or enlist the help of a social engineering professional (also called a pen tester) to come onsite and test your employees, experiment with your physical security, and see what interesting information they can find in your trash cans.

Have a business security question? Tweet me and you may see your question answered on the next SecurityQ.

Brand Barney, CISSP, is the Security Support Director at SecurityMetrics and has over 10 years of compliance, data security, and database management experience.

Infographic - 63% of businesses don’t encrypt credit cards

Lack of payment card security continues to plague the business world.

During onsite audits and forensic investigations, SecurityMetrics security experts consistently find unencrypted card data ‘lying around’ at business locations. Unencrypted card data is that 16-digit sequence on the front of credit cards, also known as the primary account number (PAN). It made us start to wonder…just how many businesses do this?

This is our third study on stored, unencrypted card data. Compared to last year, the rate of storage has actually decreased: instead of 71%, 63.86% of businesses store PAN.

Auditing Archives: The Case of the Overly Helpful Front Desk Clerk

Just because you can get on the Internet, doesn’t mean you should.

Gary Glover, Director of Security Assessment
By: Gary Glover
The following post is a segment in the Auditing Archives series. Hopefully the security failures I’ve seen while auditing businesses will help inspire better practices to ensure your own business security.

Front desk clerks are friendly…sometimes to a fault, but friendly doesn’t necessarily equal secure. A front desk clerk who helps you print out your afternoon boarding pass on the same computer that was just used to run your credit card violates a serious security protocol. Unfortunately, the problem is pervasive. I’ve seen this issue in virtually every hotel I’ve ever stayed at.

Fire, Shred, Pulp: How to Properly Destroy Sensitive Documents

Dumping medical records in an alley dumpster is a sure way to end up on the HHS Wall of Shame.

Tod Ferran, Security Analyst
By: Tod Ferran
Did you hear about the Texas hospital fined for their PHI-filled microfiche found in a park dumpster? What about Eureka Internal Medicine’s janitorial service that mixed recycled papers containing PHI with the regular trash? 

Or the four pathology groups in Massachusetts forced to pay $140,000 because their business associate abandoned thousands of medical records at the dump?

Making sure PHI is correctly disposed of seems like a no-brainer, but I wouldn’t be blogging about it if it weren’t a serious issue.