7 Steps to Win Your HIPAA Security Marathon

Whipping healthcare’s patient data security into shape.

Brand Barney, Security Analyst, SecurityMetrics
Most people trying to get in shape don’t like looking in the mirror because all they see is an impossible task ahead of them. Some don’t even bother making weight loss plans because getting in shape seems like an unattainable task.
In the same way, healthcare entities don’t like thinking about HIPAA security. They stress when thinking about all the security to do’s they have yet to accomplish. It’s true, most healthcare entities have a long way to go before their patient data is truly secure. But it is possible. 

In fact, getting HIPAA compliant is kind of like training to run a marathon.

Step 1: Change Your Mindset

To successfully run that whopping 26.2 miles, you must change your mindset about getting in shape. You’ve got to start somewhere, and beating yourself up about being too fat or slow doesn’t help. 

Oftentimes the focus in HIPAA compliance is not on security, but on HIPAA privacy. Healthcare employees must transition their mindset to patient data security, or HIPAA compliance will never happen. 
  • Understand you aren’t compliant. You may be compliant with HIPAA Privacy rules, but literally no healthcare organization I have ever analyzed is compliant with all HIPAA security aspects. The sooner you realize your failures, the sooner you can correct them.
  • Understand the landscape is changing. The HHS is starting to follow the successful trends of other compliance mandates in other industries. Penalties for noncompliance and data breaches are ramping up. 
  • Understand HIPAA is coming, whether you start now or later. It will be a lot easier to get through HIPAA compliance if you’ve already run a few 10k races, than if you’re forced to run your HIPAA marathon out of shape. If you don’t start now, you’ll be behind the curve.
Nobody believes HIPAA compliance is fun, but even an ‘I don’t like it, but I’ll do it’ mentality is a start. 

Step 2: Realize it will take time

You can’t wake up one morning and decide to run a marathon. It takes 12-20 weeks to adequately train, build endurance, and gradually increase the pace.

The time it takes your organization to get to HIPAA compliance depends on what shape you’re in right now. For some organizations, reaching full HIPAA compliance can take over a year and large investments of money.

This fact disheartens a lot of compliance and security people. 

“Are you telling me this could take years?”
“How much money will this take?”

Being afraid of time and money is like fearing you’ll never get fit, then eating a box of donuts because you’re depressed…which makes you even more depressed. Stop the downward spiral! Be realistic. You can do it! 

Step 3: Start slowly and get into a routine

Marathon trainees don’t run a 10k the first day. They start walking fast on an incline. The next week, they start running in one-minute bursts. The next week, they run faster, and so on. Good marathon runners don’t train every other weekend, but train at least 5 times per week in a regular routine.

Don’t treat your HIPAA compliance like a Jillian Michaels routine. It will kick your butt. If you can only devote 10 minutes per day to HIPAA compliance, that’s great! Do what you can.  

Luckily, and unlike other compliance mandates, you aren’t required to prove your compliance to the HHS. You just need to be working towards it. 

Step 4: Remember your motivation

As I’ve gotten older, I devote more time than ever to working out. What am I trying to achieve? Well, if I’m not healthy, I’ll get sick. If I’m sick, I can’t go to work. If I can’t go to work, I don’t make money. If I don’t make money, I can’t take care of my family. When I think about how much I hate working out, I try to think about how much I love my family. I’m staying healthy for them.

Hopefully your patients’ safety is all the motivation you need to start working on HIPAA security. However, if it ultimately comes down to the bottom line, think of this: if you’re not protecting patient data, you get breached (or audited). If you are breached, patients won’t want to do business with you anymore. If patients don’t want to do business with you anymore, you lose money. Lots of money.

In fact, if you undergo a data breach, 40% of your patients will find a new provider.

You’re trying to avoid a data breach. You’re trying to protect your patients. You’re trying to remain financially stable. Whatever it takes: Remember why you’re doing this.

Step 5: Get an advisor

Before starting any strenuous activity, it’s always advisable to see a doctor first. A doctor can see any potential problems, then advise you how to fix them. Why do we trust doctors? Well, they went to medical school, they’ve seen patients for 10+ years, they’re willing to visit with you one-on-one for specific advice, and they’re your advocates.

You should feel that same trust with the partner you choose to help you get HIPAA compliant. Just as your doctor gives you advice on how to stay healthy, HIPAA advisors help you in the areas of your business security you need to improve. 

It’s like having a good friend who really cares about you and sees what you don’t or can’t. 

Step 6: Make it part of your regular lifestyle

The first few weeks of an exercise program are always the best. You feel great, you lose a few pounds, and can visualize your end result. But then you stop because it hurts, or because you hit a weight loss wall, or because you let other things get in the way.

Healthcare professionals get really excited about HIPAA during seminars. Compliance officers take awesome notes and then…do nothing with them. HIPAA is a rinse, repeat kind of mandate. It needs to be part of your regular lifestyle.

Healthcare in general is very proud of knowing the Privacy Rule backwards and forwards. Privacy practices are posted throughout the office or hospital. Patients are required to fill out HIPAA privacy documents, and NPPs are sent out regularly. But why isn’t healthcare as excited or knowledgeable about security?

Here’s a sad, but true story. The news reported my doctor’s office had a breach of 31,000 patients. When I asked them about it the next week, the front office staff replied, “What? We weren’t aware of that….” 
HIPAA security should be part of your regular lifecycle, just like HIPAA privacy!

Step 7: Track your progress

I find before/after weight loss pictures extremely inspiring. If you aren’t keeping track of your weight along the process, it’s difficult to know exactly how far you’ve come.

This idea of tracking and documenting also improves the HIPAA compliance process. If no documentation on HIPAA compliance progress happens, and workforce members leave, new employees will have to start from scratch. 

It sounds like a stupid problem, but I’ve seen it countless times during my HIPAA audits. The problem is, if you are breached and get audited by the HHS/OCR, and you have no documentation to prove you’ve been working on HIPAA, you’re in for a world of hurt. 

Winning the HIPAA compliance marathon

Studies always show that magic weight loss diets and pills just don’t work. But people still buy them because they are hoping for a miracle.

There’s no magic checklist for HIPAA either. 

Instead of treating HIPAA as a checklist, ask, “What’s my next step?” That’s how we grow! Do you know why the FitBit Activity Tracker is so successful? Because users are only required to take tiny steps every day! Tiny steps are the key to becoming HIPAA compliant and secure. 

Brand Barney (CISSP, HCISPP, QSA) is a Security Analyst at SecurityMetrics, has over 10 years of data security experience, and will totally geek out if you mention Doctor Who. Brand loves to play jazz piano and daydreams about being as great as Dave Brubeck or Thelonious Monk. Connect with him on Twitter or check out his other blog posts.
What To Do When You Get Hacked, Step-By-Step

The step-by-step process if you suspect a breach.

David Ellis, Director of Forensic Investigations, PFI
You will typically learn you’ve been breached in one of three ways. You find out about it internally (via IDS logs, event logs, alerting systems, system anomalies, or antivirus scan malware alerts), your bank tells you about it, or a customer complains to you because your business was the last place they used their card before it began racking up a load of fraudulent charges.

So you’ve been breached. What do you do? Before we get any further, please remember one thing…

Don’t destroy the evidence!

When a merchant becomes aware of a possible breach, it is understandably in their nature to want to fix it, immediately. However, without taking the proper steps and involving the right people, you could inadvertently destroy valuable forensic data, which could cost you in the long run. That data helps a forensic analyst determine how and when the breach occurred, and what to recommend when properly securing the network against similar future attacks. 

Your primary concern right now should be stopping data loss. 
Here’s what to do when you get hacked.

What to do when you get hacked

  1. Disconnect from the Internet by pulling the network cable from the router to stop the bleeding of data. 
  2. Document all network changes, notification/detection dates, and people/agencies involved in the breach (e.g., payment processor, payment software vendor, gateway provider, law enforcement, legal staff). If you haven’t already, contact your merchant processing bank and let them know what’s happened.
  3. Segregate all hardware devices in the payment process, or devices suspected of being compromised (if possible) from other business critical devices. Reallocate these devices to a separate network subnet (Your IT folks will know what I’m talking about).  Don’t turn off your devices! Keep them powered on to preserve volatile data, and make sure employees don’t access, use, or change them.
  4. Quarantine instead of deleting. If an anti-virus scan has identified malware on your system, do not “remove” (delete) the detected files—quarantine them in order to maintain the findings for analysis and evidence. 
  5. Preserve firewall settings and firewall logs (take screenshots if necessary). Preserve all system and security logs.
  6. Restrict Internet traffic to only business critical servers and ports outside of the credit card processing environment. If business needs dictate that you must reconnect to the Internet before a PCI forensic investigator (PFI) comes onsite, segregate (remove) your credit card processing environment from any devices that must have Internet connectivity. Obtain dial-up point-of-sale (POS) terminals from your card processor or merchant bank, and process all credit card transactions via the dial terminals until the suspected compromise has been thoroughly remediated. This is critical to prevent further loss of credit card data.
  7. Disable (do not delete) remote access capability and wireless access points. Change all account passwords and disable (not delete) non-critical accounts. Remember to change passwords on routers and document your old passwords for later analysis.
  8. Call a PFI. Once the breach is contained by steps 1-7, consult with a PFI to plan a compromise analysis. Because of the delicate nature of stolen payment card data, fraud, and identity theft, when an investigation is mandated by one of the card brands, a PFI is required. When a breached merchant calls SecurityMetrics, we arrive onsite, obtain forensic copies of the card data environment, and analyze that data in our lab back in Utah. Then, we create a report that includes what happened and our recommendations to avoid future compromise. 

If you MUST keep systems running…

Often merchants will keep running payments systems during and after an active compromise in order to keep business running as normal. While this isn’t optimal, if this is what you choose to do, there are a few things you can do to reduce potential loss and preserve the evidence for later analysis. 

What to do when you get hacked (the bare minimum)

  1. Change passwords immediately on all systems and routers.
  2. Disable remote access.
  3. Preserve firewall logs and current settings. Then restrict traffic to business critical servers and ports. Systems that process credit card data for authorization and settlement (either back office server or point of sale systems) should be restricted to only communicate outside with the payment gateway. 
  4. If an ecommerce site is breached, preserve any altered pages.
  5. Update your antivirus tools and run malware scans on all devices in the card data environment. (Quarantine any findings—do not delete)
  6. Save log files.
  7. Save a copy of malware and malware log files on a quarantined external drive (if discovered).
  8. On Linux systems, copy as much of the bash_history files for all accounts as possible.
  9. Under the direction of a PFI, and only if you have the IT skill, make a forensic image of the system before wiping and installing a new system.
  10. Document all changes with the date and a description of the actions taken.
  11. If you re-image your systems or switch to new devices, only install software from known “clean” images. 
  12. Engage a security consultant (preferably a PFI or QSA) to preserve the compromised environment for future data breach review.
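Several items in both lists above (document changes with a date, preserve logs and firewall settings, copy bash_history files, save malware samples on a quarantined drive) come down to the same discipline: copy the evidence without altering it, and record what was taken, when, and by whom. As an added example, not from the post or from SecurityMetrics’ own tooling, the Python below copies a set of log files into an evidence folder, hashes both original and copy, and keeps a dated manifest that a PFI can later re-check; the file paths, log contents and collector name are constructed placeholders.

```python
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone


def sha256_of(path):
    """Hash a file in chunks so large logs never have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def preserve(sources, evidence_dir, collector, note):
    """Copy each existing source into evidence_dir (keeping its mtime), hash
    original and copy, append to manifest.json. Returns this call's entries."""
    os.makedirs(evidence_dir, exist_ok=True)
    manifest_path = os.path.join(evidence_dir, "manifest.json")
    manifest = []
    if os.path.exists(manifest_path):
        with open(manifest_path) as f:
            manifest = json.load(f)
    entries = []
    for src in sources:
        if not os.path.isfile(src):
            continue  # e.g. an account that has no .bash_history
        # Flatten the path: /var/log/auth.log -> var_log_auth.log
        dest = os.path.join(evidence_dir, src.strip(os.sep).replace(os.sep, "_"))
        shutil.copy2(src, dest)  # copy2 keeps the original timestamps
        entries.append({
            "source": src,
            "copy": dest,
            "size": os.path.getsize(src),
            "sha256": sha256_of(src),
            "copy_sha256": sha256_of(dest),
            "collected_utc": datetime.now(timezone.utc).isoformat(),
            "collector": collector,
            "note": note,
        })
    manifest.extend(entries)
    with open(manifest_path, "w") as f:
        json.dump(manifest, f, indent=2)
    return entries


def verify(evidence_dir):
    """Re-hash every preserved copy; returns the sources whose copy no longer
    matches the hash recorded at collection time."""
    with open(os.path.join(evidence_dir, "manifest.json")) as f:
        manifest = json.load(f)
    return [e["source"] for e in manifest
            if not os.path.isfile(e["copy"]) or sha256_of(e["copy"]) != e["sha256"]]


def demo():
    """Constructed walk-through: fake logs in a temp dir stand in for /var/log
    and a user's .bash_history."""
    root = tempfile.mkdtemp(prefix="evidence_demo_")
    sample = {  # constructed sample content, not real logs
        "var/log/auth.log": "Mar  3 02:14:07 pos1 sshd[812]: Accepted password for admin from 203.0.113.9\n",
        "home/posuser/.bash_history": "ls -la /opt/pos\ncat /etc/hosts\n",
    }
    sources = []
    for rel, text in sample.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as f:
            f.write(text)
        sources.append(path)
    evidence = os.path.join(root, "evidence")
    entries = preserve(sources, evidence, "analyst-name (placeholder)",
                       "Collected after IDS alert; systems left powered on")
    clean = verify(evidence)  # nothing has changed yet, so this is []
    with open(entries[0]["copy"], "a") as f:  # simulate someone editing a copy
        f.write("edited later\n")
    return {"entries": entries, "clean": clean, "tampered": verify(evidence)}
```

Run `demo()` to see the manifest entries and the tamper detection; in real use, call `preserve()` with the actual log paths and ship the evidence folder, manifest included, to the investigator.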

If you feel a little more prepared for a compromise, please share this post!

David Ellis (GCIH, QSA, PFI, CISSP) is Director of Forensic Investigations at SecurityMetrics with over 25 years of law enforcement and investigative experience. Check out his other blog posts.

Elevate Your Data Security at TRANSACT15!

Win a mini-quadcopter, get a sweet t-shirt, and get questions answered by our security experts!

Who’s excited for TRANSACT this year? SecurityMetrics is! You’re probably all wondering what crazy game to expect from us this year. Well, at the last few TRANSACT conferences we received a lot of requests to bring 2012’s helicopter game back. But, same is lame. We decided instead to go bigger and better. 
Well, not bigger……

That’s right, this year we’re offering a chance to win the smallest quadcopter in the world! No worries about getting this little guy home in your suitcase. 

Seriously, these things are teeny. 

How to win a SecurityMetrics mini-quadcopter

First, head on over to booth 1317 at TRANSACT15. Then, prepare your digits with some finger exercises. You’ll be handling a miniature remote control paddle. Any gamers out there? You can probably fly these things with your eyes closed.

Here’s how the game is played
Each participant must fly a mini-quadcopter from its starting pedestal into a 12” bowl a few feet away. The trick is, you’ve got to land the little drone in the allotted time. Sounds easy, right? Well, these things are squirrelier than they look.

If you manage to land your quadcopter into the bowl, you are its proud new owner! 

Try as many times as you’d like, and come back every day. We estimate one out of every five attendees who try, will win! Oh, and since you’re already planning on dropping by our booth for the game, why don’t you pick up one of our limited edition TRANSACT T-shirts as well?

Elevate your security!
Just like our mini-quadcopters aren’t bound by heights, neither is your data security. You have the power to elevate your security to whatever heights you want. You’re in control, and we want to help you reach your security goals.

Come to booth 1317 to discuss how you can elevate your portfolio’s PCI program to reduce merchant frustration. Or come talk to us about how to elevate your own organization’s security through penetration testing, PCI audits, or security training. Or, if you simply have questions about EMV, encryption, hacking, or the future of the industry, our experts are ready to answer your questions. 

Golf tournament

Every year, we sponsor the TRANSACT golf tournament. Last year, attendees had a beautiful day on the Revere Concord Golf Course in Las Vegas.

This year, it’s on March 31 at the Presidio Golf Course. Isn’t this place beautiful? Check out that view! 

We can’t wait to meet you at booth 1317!

Workload Overlap Between HIPAA and Meaningful Use

Can you kill two birds with one stone?

This article is an excerpt from our downloadable ebook, How to Leverage HIPAA for Meaningful Use.

As most of you know, covered entities that handle protected health information (PHI) are required to comply with the Health Insurance Portability and Accountability Act (HIPAA). Many healthcare professionals like you and the entities you work for also participate in Medicare and Medicaid EHR Incentive Programs. 

This ebook covers the overlap between HIPAA and Meaningful Use, including two important security protocols to help protect patient data. The goal of this ebook is to help you save time, money, and other resources by leveraging your HIPAA compliance requirements for Meaningful Use attestation.

Meaningful Use and HIPAA Overlap

Will your Meaningful Use attestation count 100% for HIPAA compliance? No. Will HIPAA compliance count 100% for Meaningful Use attestation? No. There is no complete overlap between Meaningful Use and HIPAA.

However, there is enough overlap to make a significant impact.

A risk analysis is one main requirement that applies to both Meaningful Use and HIPAA.
Check out this blog for an additional take on Meaningful Use vs HIPAA.

Common Risk Analysis Questions

Both HIPAA and Meaningful Use require a risk analysis. All stages of Meaningful Use include some element of a risk analysis and data security.

Will your Meaningful Use risk analysis cover your HIPAA risk analysis? Unfortunately, too often the answer is no. Entities get hung up on thinking that Meaningful Use is focused just on the certified EHR technology (CEHRT).

Will your HIPAA risk analysis cover your Meaningful Use risk analysis? Normally yes, as long as you’ve done a complete and thorough analysis. The HIPAA risk analysis encompasses the CEHRT, as well as all PHI including paper records, emails, calendars, other systems, etc. Because the risk analysis includes the CEHRT, it also counts for Meaningful Use measures.

Download the How to Leverage HIPAA for Meaningful Use ebook to dive deeper into how a HIPAA Risk Analysis can qualify for Meaningful Use requirements.  

Memory Scrapers, Keyloggers, and Sniffers Oh My!

All sorts of malware cause all sorts of trouble.

Brand Barney, Security Analyst
Malware is any type of software that tries to gather your sensitive data or maliciously gain complete access. There are all sorts of malware that steal data in many creative ways. Some malware can morph into newer versions to avoid detection or even automatically reinstall in different locations if deleted. 

For example, a tunneling virus will attempt to install itself under your antivirus. If the virus is able to put its sneaky self between your OS and antivirus, then when your antivirus sends out system checks (looking to see if your system is healthy) the tunneling virus will catch the request and respond with a false “everything is healthy and working...no infection here” response. Tricky tricky.

In late 2013, criminals installed malware on point of sale devices in the checkout lines at Target stores. Using this malware, they were able to capture magnetic stripe data the instant cards were swiped at the terminal. As you probably know, this malware enabled the million-card heist that forced Target into the public spotlight for months.

How Hackers Got Into Target (Bloomberg Businessweek)
Let’s explore some of the most common malware that affects small businesses.

Memory Scraper

A memory scraper is designed to capture, or ‘scrape’, sensitive information from system memory (RAM) and return it to the attacker. Memory scrapers rose to popularity in the past few years because they’re very effective at grabbing data on a system that doesn’t encrypt at swipe. 

As Gary Glover, an esteemed colleague of mine pointed out,

“…Most POS devices encrypt card data at some point after a card is swiped, but most take their sweet time, delaying encryption for a millisecond, a second, ten seconds…or longer. To a business owner, ten seconds ‘til encryption sounds pretty safe, but to a criminal, that few seconds is plenty of time to snag card data from a computer’s memory or capture it from a hacker-modified card swipe device. 

“Hackers can easily install memory scraping software that captures card swipe data during the delay from right under your nose, save it in a carefully coded database filled with thousands of other credit card numbers, and never alert you to their conniving presence. Who knows how long that could go on without a merchant finding out about it.

“There’s only one way to avoid leaving ten-second holes in security. Encrypt card data at the exact millisecond of collection.”

Luckily for us, Point-to-Point Encryption (P2PE) is the answer to that problem. Unfortunately, getting merchants around the world to implement P2PE-validated payment terminals is harder than it seems.
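The delay described in the quote is exactly what a forensic analyst or a merchant’s IT staff checks for: does a memory dump taken from the POS host actually hold cleartext card data? As an added example, not from the post or from SecurityMetrics’ own tooling, the Python below scans a dump that has been exported to a file (or the constructed bytes embedded here) for Luhn-valid card numbers and track 2 records, and reports them masked so the report itself is not cardholder data; the buffer contents are constructed and the card numbers are published test numbers.

```python
import re

# 13-19 digits, optionally separated by single spaces or dashes as typed on payment pages
PAN_RE = re.compile(rb"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Track 2 as read from the magnetic stripe: ;PAN=YYMM<service code><discretionary>?
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})\d*\?")


def luhn_ok(digits):
    """Mod-10 check that every card number satisfies; weeds out order IDs and timestamps."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(pan):
    """First six and last four only, the most PCI DSS lets you display."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan(buf):
    """Return (offset, kind, masked_pan) for every Luhn-valid card number in buf.
    The full PAN is never returned, so the findings can go straight into a report."""
    findings = []
    track2_spans = []
    for m in TRACK2_RE.finditer(buf):
        pan = m.group(1).decode()
        if luhn_ok(pan):
            findings.append((m.start(), "track2", mask(pan)))
            track2_spans.append((m.start(), m.end()))
    for m in PAN_RE.finditer(buf):
        if any(s <= m.start() < e for s, e in track2_spans):
            continue  # already reported as part of a track 2 record
        pan = re.sub(rb"[ -]", b"", m.group(0)).decode()
        if luhn_ok(pan):
            findings.append((m.start(), "pan", mask(pan)))
    return sorted(findings)


# Constructed stand-in for a POS process memory dump; the card numbers are the
# publicly documented test numbers 4111... and 5555..., not real accounts.
SAMPLE_DUMP = (
    b"\x00\x00POSTerm v2.1\x00"
    b";4111111111111111=25121010000?\x00"   # track 2 still sitting in RAM after a swipe
    b"order_id=1234567890123456\x00"        # 16 digits, but fails Luhn: not a card
    b"web form: 5555 5555 5555 4444\x00"    # keyed-in number with spaces
    b"\xff\xfe"
)
```

`scan(SAMPLE_DUMP)` reports the track 2 record and the keyed-in number but not the order ID; on a real dump, read the file in binary mode and pass the bytes to `scan()`. Any finding on a terminal that is supposed to be P2PE-validated means the encrypt-at-swipe claim needs a second look.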

Keylogger

How creepy would it be if someone knew everything you were doing on your computer? Well, that’s what keyloggers are. They are the type of malware that secretly records every keystroke a user makes on a computer or mobile device. 

In this way, malware authors can easily harvest typed information like passwords, bank account numbers, messages to friends, or credit card numbers typed on payment pages. Most keyloggers are software-based, run in the background of your computer, and record everything you type. Some can even take screenshots. 

Check out this article on a 5-year keylogger called NightHunter.

Once a keylogger is installed on your system, it’s very difficult to detect. However, if the malware program is designed poorly, you might see some of the following symptoms:
  • Delays when using the keyboard or performing simple tasks
  • Excessive hard drive activity
  • Entered text is incorrect (backwards, weird icons)
  • Blinking network lights when you aren’t typing
  • Repeated unauthorized access to password-protected accounts or email hacking
Pretty much the only way to get rid of a keylogger is to download and run anti-malware software. I recommend Malwarebytes, Symantec, or McAfee for Windows and ESET Cyber Security for Mac. See your IT professional for further guidance on recommended products for your environment.

Packet Sniffer

Just as bloodhounds are able to scrutinize different scents to track a specific animal for its owner, packet sniffers decode and analyze sensitive data (like card data), reporting it back to their owner.

This software (used by malicious people) intercepts potentially unencrypted incoming and outgoing network traffic during transit. The sniffer is able to decide if the information is a credit card or some other sort of sensitive data. If the information is valuable, the sniffer copies it. 

Depending on where it’s installed, a packet sniffer could see your emails, credit card information, which websites you visit, the audio you’re streaming, and anything you download.

Rootkit

Rootkits are very difficult to detect because they live in the system’s kernel (or deepest) level. I like to think of rootkits as a wolf in sheep’s clothing because their programming allows a cybercriminal to get admin-level access to a computer by executing certain programs in a ‘kit’. One of the first things they do once they have access is open up a back door, which allows for them to come in any time they wish without authenticating. 

These kits allow the installation of hidden files, alteration of security processes, and hidden user accounts. A rootkit can eavesdrop to get data from network connections, keyboard strokes, and terminals. Some can reinstall themselves each time the computer restarts, even if the original was removed by an anti-malware program.

One of the most famous (though not malicious) rootkits was Sony BMG’s attempt at digital rights management. They placed software on CDs that, when installed on home computers, prevented CD copying. The (illegal) software was so good, not one anti-virus application could detect it. Unfortunately for Sony, the software also created new vulnerabilities that affected the security of users’ computers.

Depending on the rootkit, they can be very difficult to detect. Remember, prevention is definitely the best medicine in this instance. Stay safe by installing both a software and a hardware firewall in your network! Keep your antimalware up-to-date, properly configured, and in use. 

If you liked this post, please share!

Brand Barney (CISSP, HCISPP, QSA) is a Security Analyst at SecurityMetrics, has over 10 years of data security experience, and will totally geek out if you mention Doctor Who. Brand loves to play jazz piano and daydreams about being as great as Dave Brubeck or Thelonious Monk. Connect with him on Twitter or check out his other blog posts.