Healthcare Reception Desks: Breeding Ground for HIPAA Compromise

What can patients see on your reception desk?

Brand Barney, Security Analyst at SecurityMetrics
By: Brand Barney
Your reception desk might be one of the most vulnerable locations in your entire organization. Why? Every patient you treat walks up to the reception desk and discusses their visit with the receptionist for at least a minute or two. What do they see when their eyes wander around that reception desk? What do they hear? What can they grab? Take a photo of?

SEE ALSO: Snapshot of HIPAA and Healthcare Data Security

HIPAA violations on reception desks

I’ve seen some pretty wild HIPAA violations from the viewpoint of both auditor and patient. The most common violations I see at reception desks include:
  • Seeing the receptionists’ open computer with the day’s schedule, complete with full patient names
  • Computer, EHR, and Wi-Fi passwords written on sticky notes, stuck to a computer monitor (in plain view to the public!)
  • Patient records on clipboards by the keyboard and easily viewable
  • Keys (probably to a back office) within arm’s reach
  • Bulletin boards with new patient names and notes about patients
  • Unopened charts which still identify name and address of patients
  • Patient messages for the doctor written on a pad of paper next to the phone on the reception desk, and in full view
  • Recently received faxes of health insurance data left in plain view on the desk
  • Recently printed scripts left sitting on the desk in plain view
  • Unshredded patient records thrown in a trashcan shared by receptionists and waiting room patients
  • Patient charts placed in clear door chart holders, clearly viewable to anyone walking by
Each situation I described above is either a HIPAA Privacy Rule or HIPAA Security Rule violation. All it takes is one patient or workforce member to report a single one of those violations and get you on the Office for Civil Rights’ (OCR) audit radar.

Even worse, what if someone with malicious intentions saw your Wi-Fi password so conveniently displayed on your desk, and decided to hack in and steal patient data? Do you have the technical measures in place to know if this has happened, or is happening?

Stopping reception desk HIPAA violations

Receptionists have tried to convince me that as long as the information is upside down to the patient, it’s not a HIPAA violation. That is false, and truthfully ridiculous. A quick picture of that upside down patient data can quickly be turned right side up, or even snatched right off the desk.
You can do a lot to mitigate the risk your reception desk creates, but the most important measure is employee training.
Receptionists, doctors, and nurses won’t leave patient information in plain view on reception desks if they have extensive training explaining why. I truly believe that healthcare professionals care about the data that they are working with, but I don’t think that they understand how they impact the security of that sensitive data.
Here are some more ideas that will help you keep your reception desk free and clear.
  • Stand where your patients check in, walk the path they walk, and see if you can see any sensitive information, in any form.
  • Stand at the reception desk and try to locate any administrative information that might help an attacker gain access to your systems (like your EHR password).
  • If you ever write something on paper, immediately turn it over, or place it in a locked drawer.
  • Pull out your phone and put it on the desk. What can you take photos of? I always recommend a no-phone policy at the front desk.
Many HIPAA impermissible disclosures are related to human error, and occur by accident. However, that also means most instances are avoidable. With the right procedures and training in place, you should be able to make sure your reception desk area is violation-free and HIPAA compliant.

Brand Barney (CISSP, HCISPP, QSA) is a Security Analyst at SecurityMetrics, has over 10 years of data security experience, and will totally geek out if you mention Doctor Who. Brand loves to play jazz piano and daydreams about being as great as Dave Brubeck or Thelonious Monk. Connect with him on Twitter or check out his other blog posts.

SecurityMetrics Vulnerability Scanning FAQ

The most commonly asked customer questions about vulnerability scanning.

As you may expect, we get a lot of the same questions from customers about their vulnerability scanning. The following is a list of the most common questions we hear.

SEE ALSO: Picking Your Vulnerability Scanner: The Questions You should Ask

What are you scanning, and what are you scanning for?

We scan your external IP address or domain name. The scan identifies what ports are open and responding to public traffic. The scan then tests for weaknesses in your network.

How often will SecurityMetrics scan my network?

The scans run automatically every 90 days, or whenever a scan is manually initiated by you. Keep in mind that PCI DSS also requires a new scan after any significant change to your environment (for example, new hosts, new services exposed to the Internet, or firewall rule changes).

SEE ALSO: 10 Qualities to Look For When Selecting an Approved Scanning Vendor

What should I do before running a vulnerability scan?

If you have an intrusion detection system or intrusion prevention system protecting your network, you may need to add our scanner's IP range to a white-list or exclusion-list for the scan to complete accurately.

What does the CVSS on my vulnerability scan test results mean?

The scores come from the industry-standard Common Vulnerability Scoring System (CVSS). Per the PCI ASV program requirements, a single vulnerability with a CVSS base score of 4.0 or higher results in a failed scan.

How long will it take for my vulnerability scan to complete?

There are many variables that determine how long a scan takes. Average scan completion time ranges between 3 and 4 hours. However, scans running for longer than 4 hours are not uncommon. If your scan has been running for more than 24 hours, please contact our Support Department at 801.705.5700 or

How do I manually start my own vulnerability scan?

You can start a scan on any IP you have set up on your account. In the Scan Overview tab, look at the target you want to scan, and click the Scan Now button.

How/When can I put the "SecurityMetrics PCI DSS Validated" logo on my site?

Only customers who are enrolled in a PCI compliance service may put the SecurityMetrics PCI DSS Validated logo on their website. Instructions are provided inside passing test results of each vulnerability scan.

If you have any additional questions about vulnerability scanning that weren’t answered in this blog post, feel free to contact our 24/7 support team at: 801.705.5700 or  (UK: +44 33 0808 0832)

Network Inventory, Configuration Management, and Security

What’s on your network? 

Robert Jorgensen, Assistant Professor and Cybersecurity Program Director
By: Robert Jorgensen
In the last couple of years, security vulnerabilities have gone from obscure bulletins and esoteric CVE numbers to a marketer’s dream with catchy names, clever logos, and extensive news coverage. While this level of cybersecurity awareness promotes a more secure society, it is applying greater pressure than ever to IT managers and their teams.

Executives and management are suddenly aware of vulnerabilities blissfully ignored in the past. This awareness brings questions to IT staff, the most common being “Does this impact us?”

(SEE ALSO: Logjam, Shellshock, Ghost)

Unfortunately, this question is often met with silence, a Magic 8 Ball “ask again later” response, or a non-committal “I don’t know”. Those are answers no one wants to give when asked about a widely reported vulnerability.

Even worse, those are sometimes the answers to the question not asked enough:

“What is actually on our network, and how is it configured?”

Network Inventory

Around the turn of the millennium, there was a widely reported story about a server at a university that had lived a solitary life in a server closet that was walled in a number of years earlier. Nostalgic administrators often tout this tale, probably apocryphal, as an example of how robustly they built operating systems in the good old days. Now imagine that scenario today. You have a server on your network. You can see it. You can talk to it. You might even think you control it. But you have no idea where it is.

As a security professional, the wistful daydream of the system administrator quickly turns into something that keeps you awake at night.

Confidentiality, integrity, availability
Security professionals are tasked with three goals for information systems: confidentiality, integrity, and availability. Using the extreme example mentioned above, it is pretty easy to see how each of these is compromised.

If the physical location is unknown, there is no way to know if someone is tapping or viewing the data (confidentiality), modifying the data or the system directly (integrity), or if the server has reliable power, fire suppression, or theft prevention (availability).

Fortunately, most organizations do not run into an example this extreme. But many organizations struggle with maintaining an up-to-date list of software and hardware throughout the network, especially when it comes to systems that aren’t in production.

It’s not uncommon for organizations to have a pretty good idea of what’s in production for asset tracking and licensing reasons. Many IT departments track production configurations and follow a baseline as servers are deployed. When development and test environments are involved, though, things often get a bit less clear. Development and site licenses may reduce the need for granular license tracking, and the older, fully depreciated hardware used in such environments may appear not to need tracking at all, but the security of these systems should still be a concern.

While staging and QA servers often mirror the configuration of production devices, development and test servers often sport basic configurations. Default passwords and simplified configurations abound. Hardening is typically reserved for “real” environments.  Whatever the reason, these machines remain vulnerable. Naturally, no one expects them to be accessible to the outside world, but it happens.

Take the State of Utah Medicaid breach in 2012, for example.  More than 700,000 records were breached. The remediation went into the millions of dollars. What happened?

"The server was a test server and when it was put into production there was a misconfiguration. Processes were not followed and the password was very weak," Stephanie Weiss, spokesperson for DTS, told InformationWeek Healthcare.

Yikes!  If regular inventory scans of devices on the production network had been completed, someone could have noticed this machine and remediated the situation.

Configuration management

Organizations commonly monitor critical systems using a variety of software packages. Too often this falls into a pattern of, “Server X is critical for application Y, so we should monitor it,” rather than, “We should monitor the network itself for new devices.” Most monitoring software has scan and discovery modes, but how often are they run? Likewise, software inventory and configuration management tools can pull or push information about installed software and configurations. How often does this happen?

So, what is actually on your network and how is it configured?

Having a complete and up-to-date inventory of the devices and software on your network makes answering this much easier. A master software list showing each software package and version installed on servers and workstations can be used to quickly identify potential problem areas. Being able to check configurations regularly will help identify problems sooner.

Some vulnerabilities make answering this question more complicated. For example, the Heartbleed vulnerability affected OpenSSL. None of your systems administrators might remember explicitly installing OpenSSL, but it is used by many software projects to provide TLS support for their applications. While having a complete list of software and versions at hand may not instantly identify all affected software, it will speed up the process as vendors and projects update their user base with new information.

Where to start?
The first step is finding out if your records match reality. Sure, that spreadsheet shows 15 machines on that subnet with 22 total IP addresses, but what is actually there? How many switch ports are active? How many virtual machines are being hosted on that blade server? Identifying everything may seem an overwhelming task at first, but it gets easier in subsequent iterations.

The same goes for installed software and configurations. Pull the information and check it against your baseline. It’s amazing how far a little tweak here and there can cause individual instances to diverge from each other over time. Perhaps some debugging tools have been left behind from a previous troubleshooting session. How about former system administrator Joe’s account? Was it disabled everywhere?

Once you have this information, it’s a good time to verify patch levels.
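The reconciliation the preceding steps describe (records versus discovered hosts, installed software versus the baseline, leftover accounts, and the “does this impact us?” lookup for a named component), as an added example in Python that is not part of the original article. The inventory spreadsheet, discovery results, per-host software and account lists, baseline, and the stale account name are all constructed for illustration; the only real fact is that Heartbleed (CVE-2014-0160) affected OpenSSL 1.0.1 through 1.0.1f.

```python
"""Reconcile inventory records against what is actually on the network.

Added example, not from the original article. All data below is constructed:
a hypothetical inventory spreadsheet exported to CSV, the host list from a
hypothetical discovery scan, and per-host software and account listings.
"""
import csv
import io
import re

# --- Constructed sample data -------------------------------------------------
# What the spreadsheet says is on 10.10.20.0/24 (hypothetical).
INVENTORY_CSV = """\
hostname,ip,environment,owner
web01,10.10.20.11,production,ops
web02,10.10.20.12,production,ops
db01,10.10.20.21,production,dba
"""

# Hosts that answered a discovery scan of the same subnet (hypothetical).
DISCOVERED_IPS = ["10.10.20.11", "10.10.20.12", "10.10.20.21", "10.10.20.77"]

# Software and local accounts pulled from each host (hypothetical).
HOST_FACTS = {
    "web01": {"packages": {"openssl": "1.0.1e", "nginx": "1.6.2"},
              "accounts": ["root", "deploy"]},
    "web02": {"packages": {"openssl": "1.0.1g", "nginx": "1.6.2", "gdb": "7.6"},
              "accounts": ["root", "deploy", "joe"]},
    "db01":  {"packages": {"openssl": "1.0.1f", "postgresql": "9.3.5"},
              "accounts": ["root", "postgres"]},
}

# Approved baseline for production hosts (hypothetical).
BASELINE_PACKAGES = {"openssl", "nginx", "postgresql"}
DISABLED_ACCOUNTS = {"joe"}  # former administrator; should be gone everywhere

# Heartbleed (CVE-2014-0160) affected OpenSSL 1.0.1 through 1.0.1f (real range).
HEARTBLEED_RANGE = ("1.0.1", "1.0.1f")


def version_key(v):
    """Turn '1.0.1f' into (1, 0, 1, 0, 'f') so versions compare sensibly.

    Numeric parts are padded to four fields so tuples of different lengths
    never compare an int against a str; the letter suffix sorts last.
    """
    m = re.fullmatch(r"(\d+(?:\.\d+)*)([a-z]*)", v)
    if not m:
        raise ValueError(f"unparseable version: {v}")
    nums = [int(p) for p in m.group(1).split(".")]
    nums += [0] * (4 - len(nums))
    return tuple(nums[:4]) + (m.group(2),)


def in_range(version, low, high):
    """True if low <= version <= high under version_key ordering."""
    return version_key(low) <= version_key(version) <= version_key(high)


def reconcile_hosts(inventory_csv, discovered_ips):
    """Compare recorded IPs with the IPs that answered the scan."""
    recorded = {row["ip"] for row in csv.DictReader(io.StringIO(inventory_csv))}
    seen = set(discovered_ips)
    return {
        "unknown": sorted(seen - recorded),   # on the wire, not in the records
        "missing": sorted(recorded - seen),   # in the records, did not answer
    }


def check_drift(host_facts, baseline, disabled_accounts):
    """Flag software outside the baseline and accounts that should be disabled."""
    findings = []
    for host, facts in host_facts.items():
        for pkg in sorted(set(facts["packages"]) - baseline):
            findings.append((host, "unbaselined package", pkg))
        for acct in sorted(set(facts["accounts"]) & disabled_accounts):
            findings.append((host, "account should be disabled", acct))
    return findings


def hosts_affected_by(host_facts, package, low, high):
    """Answer 'does this impact us?' straight from the software list."""
    return sorted(h for h, f in host_facts.items()
                  if package in f["packages"]
                  and in_range(f["packages"][package], low, high))


if __name__ == "__main__":
    print("hosts:", reconcile_hosts(INVENTORY_CSV, DISCOVERED_IPS))
    for finding in check_drift(HOST_FACTS, BASELINE_PACKAGES, DISABLED_ACCOUNTS):
        print("drift:", *finding)
    print("Heartbleed-affected:",
          hosts_affected_by(HOST_FACTS, "openssl", *HEARTBLEED_RANGE))
```

In practice the three inputs come from the tools the article mentions (a discovery scan for the host list, a configuration management or software inventory tool for the per-host facts); the point of keeping the comparison logic separate is that it can be re-run on every scheduled update and the unknown host at 10.10.20.77, the leftover debugger and Joe’s account on web02, and the two hosts still running a Heartbleed-affected OpenSSL surface as findings rather than surprises.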

The 2015 Verizon Data Breach Investigations Report found that “99.9% of the exploited vulnerabilities had been compromised more than a year after the associated CVE was published.” Let that one sink in. Does your organization have a vulnerability that is a year or more old? It simply is not possible to know without up-to-date information. Just because something is stable doesn’t mean it is secure.

Once you have established that your records reflect reality, it is time to monitor to ensure they are accurate. How often will depend on your organization’s overall security posture, but frequent and regularly scheduled updates will go a long way to ensure you have the best view of your systems.

A quick network scan a couple times a day will have little impact on performance, but may reveal the development workstation that just inadvertently bridged the production and test networks. More intensive tools should wait until off-peak hours.

When scheduled changes are made, check to see they reflect what was planned. Some things are overlooked and, occasionally, someone slips in an extra change during that maintenance window. As they say, trust but verify.

Finally, remember this is an iterative process subject to constant improvement. As the concept of network, system, and software inventory and configuration management moves from asset tracking and compliance to part of your operational security plan, things will become more efficient.
The confidence of having regular, updated information about your environment will change the entire tone of that inevitable “are we vulnerable” meeting.
Instead of delaying and waffling, you can look everyone in the eye and speak with authority. It may not be the answer they want to hear, but it is the correct answer and your organization can then move forward with remediation as necessary.

Robert Jorgensen is a cybersecurity professional and educator with over 20 years of experience in various technology roles. He holds multiple information security certifications, including CISSP, CISA, GCIA, GCIH, GPEN, and GXPN, as well as networking and systems certifications from Microsoft, Novell, and Cisco. A Utah native, Robert received his Master of Science in Information Systems from the University of Utah. Robert is on the faculty of Utah Valley University as an Assistant Professor and the Cybersecurity Program Director. He is currently building a cybersecurity academic program at UVU under a $3 million federal grant.

SecurityMetrics Support FAQ

The most commonly asked questions about our PCI compliance product.

As you may expect, we get a lot of the same questions from customers about their PCI DSS compliance product. We thought we’d post the most common as an easy go-to source for those with questions.

Why am I receiving emails that say I'm not currently PCI compliant?

We send out reminder emails informing you of your non-compliant status. By logging into your SecurityMetrics account using your email and password, you'll have access to an intuitive web interface where you can review your requirements for PCI compliance. You can then complete the PCI DSS requirements that apply to you.


My account screen says I'm PCI compliant, how do I notify my merchant processor of my compliant status?

If your merchant processor is partnered with us, they have immediate access to your PCI compliant status, and no action is required on your part. If not, we have reporting tools available to send your compliance status to an email address of your choice.

What if I want a certificate to show that I'm a PCI compliant merchant?

Once you're compliant, you can print a certificate of compliance by clicking on the Reports tab on the dashboard. Click on ‘show additional reports’ and then download your Merchant PCI Certificate.

To login to my account, it asks for my email address, what's my email address and how do I change it?

Your email is the email address used to create your account. If you would like to update your email address, please contact our Support Department at 801.705.5700.

I tried using the "Forgot Password" option, but I still can't login. How do I reset my password?

Contact our Support Department at 801.705.5700 for help with resetting your password.

When I login to my account it says I'm not PCI compliant, what should I do?

On the PCI dashboard you will find a To Do list of actions you must take to become PCI compliant. Click on any step to begin working towards a compliant status.

When I try to login, it just takes me right back to the login page, what should I do?

Clear your browser's cache and cookies. If that doesn't work, try logging into your account using another browser, such as Google Chrome or Mozilla Firefox.

Does the service SecurityMetrics provides cost anything?

All questions regarding charges or payments can be answered through our Compliance Department. Contact them by phone at 801.705.5665 or via email at

What does support cost?

SecurityMetrics provides 24x7 support for its customers by phone or email at no additional cost. Call the Support Department for assistance at any time at 801.705.5700 or email support@securitymetrics.

I have multiple methods of processing credit cards. Do I have to complete a separate Self-Assessment Questionnaire (SAQ) for each of them?

SecurityMetrics offers a combination SAQ for merchants with multiple processing methods. This will automatically be identified through your scoping process. If you have questions about what applies to your business, contact our Compliance Department at 801.705.5665 or

I answered a lot of questions when I signed up for your services, but my account says I haven't completed the Self-Assessment Questionnaire. Why?

You may be thinking of the questions we ask to determine your SAQ type, but those scoping questions don’t complete the Self-Assessment Questionnaire itself.

The Self-Assessment Questionnaire mentions "Point of Sale Terminal/Software". What does this mean?

Point of Sale Terminal refers to a physical machine used to process credit cards. The make and model of your device can typically be found somewhere on the device itself. Point of Sale Software refers to a program on your computer used to process card transactions.

My Self-Assessment Questionnaire is failing. What should I do now?

To reach a passing SAQ, you must be in compliance with all the requirements that apply to you. If there’s something you don’t understand or are unable to mark ‘yes’ to, contact the Support Department by phone at 801.705.5700 or To revisit the sections you answered ‘no’ to, simply click on the section name.

Some of the questions on the Self-Assessment Questionnaire do not apply to me. What should I do?

If a standard isn't currently applicable, the PCI Council wants to make sure you understand it, and would meet that standard if it ever applies. If you agree you would meet the standard if it should apply to your business in the future, you should mark "yes".

My account says my Self-Assessment Questionnaire is "expiring soon" or "expired". What should I do?

Completing the PCI Self-Assessment Questionnaire is an annual requirement. Re-take the Self-Assessment Questionnaire until you pass.

If you have any additional questions about your PCI compliance product that weren’t answered in this blog post, feel free to contact our 24/7 support team at: 801.705.5700 or  (UK: +44 33 0808 0832)

Healthcare: Recognize Social Engineering Techniques

Don’t let human hackers disorient your employees.

Brand Barney, Security Analyst at Security Metrics
By: Brand Barney
Not all hackers or data breaches exist on the Internet. Some happen in person. I’m not talking about theft. I’m talking about human hacking.

A social engineer is basically a hacker that exploits workforce members (your employees). They use their charismatic personalities and wit to gain access to sensitive areas or data (like patient data and administrative credentials) that they shouldn’t have access to.

Social engineering is often overlooked in security strategies, because it’s not something that can be fixed with a new technology or a more secure password. The only way to protect against social engineering is employee training with frequent refreshers.

Personality traits of social engineers

One of the reasons social engineers are so successful is because of their personalities. Because they are trying to hack humans into telling them the information they want to know, they are expert flirters, charismatic suck-ups, and confident intimidators.

It takes only a few moments with an employee over the phone, via email, or in person to determine whether they are properly trained to protect the business and its sensitive data against a social engineering attack. Then the social engineer flips the proverbial switch and the attack begins (charm, wit, questioning, leading the target, and more).

SEE ALSO: 9 Ways to Social Engineer a Hospital

Social engineers act and look like they belong in whatever situation they find themselves in. They don’t suspiciously sneak around, they smile and greet employees in corridors.  They don’t timidly ask front desk staff to lead them to the server room, they simply barge past the front desk like they already know their way. When things aren’t going their way, social engineers are great at intimidating employees to just give them what they want because of falsified time constraints or convenient name-dropping. With a little research, they will be able to answer questions, making it seem like they are supposed to be there.

Why is social engineering such a problem in healthcare?

Social engineering is hard to identify, especially in larger organizations where workforce members don’t always know their fellow coworkers (especially everyone in IT, or janitorial, or maybe outsourced third party vendors). Here are some other reasons social engineers love healthcare employees:
  • You are naturally trusting. Humans have an “innocent until proven guilty” type of tendency to naturally trust each other. They don’t question others because they don’t want to seem rude. Sometimes this trusting human quality is exactly what a social engineer needs to slip past a few employees who could have otherwise easily stopped him.
  • You have a desire to be helpful. Good people look out for each other, especially in the healthcare environment. Why wouldn’t you help someone who has a quick question, or open the door for someone who forgot their ID badge? [Enter social engineer.]
  • You don’t want to look stupid. If you work in a large healthcare environment, you probably don’t even know half the staff’s names, let alone what they look like, or where they should and shouldn’t have access. If a social engineer walked by you in scrubs, but without a badge, would you have the courage to stop and ask for it? What if they looked and acted like a physician? What if they do have a badge, an ID, and scrubs, and they are walking out with equipment, like an iPad? Does that raise your suspicion? What about a laptop, or a desktop? If you stop the “provider” and they say that IT told them to bring the computer down for troubleshooting because it could no longer connect remotely, what do you do? Most don’t say anything at all, because they don’t want to look stupid.
  • You don’t want to get into trouble. Nobody wants to get in trouble with superiors because ID verification took too long, or you offended someone. Social engineers rely on natural human fear of getting in trouble when trying to access sensitive information.
  • You cut corners. Be honest, sometimes we all get lazy. We don’t follow HIPAA security policies, our employee training, or the security tip we got in our inbox yesterday. We post passwords on sticky notes because it’s more convenient. We don’t wear our ID badge because we don’t like our picture, or we left our badge at home or in the car. We don’t worry about the semi-suspicious man we just passed in the hall because ‘someone else will worry about it.’
SEE ALSO: What Is Social Engineering? Social Engineering Examples

These ‘human flaws’ are some of the most challenging aspects when training employees on detecting social engineering. You are literally trying to train people out of the way they naturally think.

Examples of social engineers in healthcare

Let me run through a couple social engineering scenarios that could easily happen, if it hasn’t already, in healthcare.
  1. Fake nurse. A social engineer purchases some scrubs online and creates a fake ID tag. She walks in and smiles at everyone. Nobody stops her at the front desk, so she is able to mingle at the nurses’ station and pretend to text while actually taking pictures of patient files, without being questioned. She may even pick up weak passwords posted on sticky notes or freely given out by others.
  2. IT poser. A social engineer flashes a fake ID tag at the front desk and says he’s here to fix an Internet problem. He says the hospital IT department sent him down. He is led to the router, no questions asked, and from there he can plant malware that reaches the entire healthcare network.
  3. Tailgating. A social engineer shows up at the employee entrance carrying an armful of donut boxes. A clueless but helpful employee holds the door open for him, and then follows him to the elevator to ask which floor he needs (all the while not even noticing he doesn’t have an employee badge).
  4. Threatening. A social engineer calls in, acting as the secretary of one of the hospital’s most important doctors. His boss is having problems accessing the system and he demands to know why. Acting rushed and annoyed, he demands access into the system.
  5. New hire. A social engineer sidles up to one of the staff members and says, “Hi! I’m a new hire here. Dr. Brown said I’d be able to shadow you today.” Now the social engineer gets a complete tour of the office with no questions asked. What information is he going to get on that tour?
SEE ALSO: 5 Tips to Boost Your Business’s Physical Security

How to defend against social engineers

Because social engineering is basically hacking a human, there’s no security mechanism or tool one could employ that would prevent this.
Employee training is truly the only way to defend against social engineers.
Here are my recommendations for preventing a social engineer attack at your organization. In your social engineering policy, teach employees to:
  • Not be afraid to challenge strangers.
  • Watch for questions that don’t match the person they’re talking to.
  • Verify before trusting people at their word. If “Dr. Brown told me to…”, verify with Dr. Brown before giving out information.
  • Not be afraid to get a manager involved.
  • Not reveal organization or patient information unless they have verified the identity of the person and the validity of the request.
  • Not use USB thumb drives they find around the premises, or anywhere for that matter. They might contain malware.
  • Never give out sensitive information over the phone, especially if they received (rather than placed) the call.
  • Always wear their badge. If the ID badge policy is laid-back, all a social engineer has to do is say they forgot their badge.
SEE ALSO: Social Engineering Training: What Your Employees Should Know

Lastly, and this goes for all things HIPAA, train your staff regularly. Get them excited about protecting PHI, rather than bored about regulation. Don’t let them fear the social engineer. Your staff are your greatest asset, and can help you protect your sensitive data and achieve your HIPAA compliance goals.

PHI: It’s Literally Everywhere [Infographic]

Healthcare still needs to learn how to protect patient data.

Brand Barney, HIPAA Security Analyst
By: Brand Barney
One of the best things a business can do to protect credit card data is segmentation, or, reducing the places that can touch card data during and after card processing. The fewer places card data touches, the fewer places protection is needed.

But that doesn’t work for healthcare. You can’t segment Protected Health Information (PHI) within a healthcare environment. In truth, it needs to be everywhere to enhance patient healthcare.

Unsecured PHI is everywhere
The real security hiccup in healthcare HIPAA security is, healthcare organizations don’t think about all the places PHI is. Because they don’t think about where the data is, they don’t know what vulnerabilities put that data at risk. And because they don’t know the vulnerabilities that put their PHI at risk, they can’t and don’t protect their PHI.

You’ve got to take a giant step back and think, “Where is all our patient data?” Let me give you a hint. It’s not all in your EHR.

Which organizations have PHI?

Think of organizations that likely have access to your health information. Three entities probably come to mind: a doctor’s office, hospital, and health plan.

But there are so many more entities that fall under the gargantuan umbrella of those who access PHI. And if they have access to PHI, that means they must also comply with HIPAA. Let me give you just one true example of an entity who has no idea they’re a covered entity under HIPAA regulations.

PHI at summer camp
A troubled child who needs special attention gets sent to a summer camp to receive social therapy. As part of the summer camp, the youth counselor must provide feedback to parents. So, he takes pictures (via his smartphone) of kids having fun and uploads the photos, along with his medical notes and the child’s name, on an unsecured portal that doesn’t require a login to access.

The therapist regularly meets with the child to discuss how he’s doing. He takes rigorous notes on a notepad about drug abuse history, what medications the child is taking, how he’s feeling, who he gets along with, etc. The therapist keeps the notepad in his truck, and at the end of the day he enters the data into his EHR at home. He keeps the physical notepads in his basement/attic when he’s finished.

Whoa, what just happened in this example?
  1. This organization definitely collects PHI about the child
  2. They take pictures on an unsecured smartphone
  3. They upload the child’s name, medical data, and pictures (all PHI) onto an unsecured site
  4. They allow PHI to be stored inside an employee’s unlocked truck
  5. They allow PHI to be stored in an employee’s basement/attic! (Is that paper PHI secure, and how long is it going to be stored?)
This may seem like an extreme example of total insecurity, but it’s not. I see situations like this almost every time I audit healthcare organizations.

Where is PHI within an organization?

So now that we know many organizations store PHI, how are they storing it at their organization? Let me give you a few true scenarios.

Receptionists and nurses don’t interrupt the doctor with messages from patients who call in. They take messages on notepads, sticky notes, and copy paper. Typically, that info (including PHI) is given to the doctor later. Usually, the doctor takes his notes in his office, follows up with them, but DOES NOT secure the data.

In the doctor’s office desk drawer, chock full to the brim, are those notes containing PHI. Patient notes, phone numbers, questions about pills, etc. The desk isn’t even secured with a key (there usually is a key, but it’s not in use.) I estimate most doctors’ offices have a drawer/closet/area full of mail and PHI ranging back a few years.

Why does this happen? To put it as gently as possible, the provider is usually too busy or too lazy (doesn’t see the security risk, threats and vulnerabilities to PHI) to walk around the corner to the cross-cut shredder, or follow office/company policy.

Test environments
When entities develop a product, many use test environments to check that the product is performing correctly. For some reason, healthcare always uses live production data in their test environments. Why they would use real patient data is beyond me. If an individual can access the test environment, that means they could also steal the live data off that environment. My recommendation is to use test data only.

On computers
Patients get left inside exam rooms to take surveys on open computers all the time. Many of those computers also have access to the EHR. If a patient merely minimized the survey and opened the EHR, or accessed an unprotected shared network drive, they could plug in a USB drive and copy the data without anyone knowing, especially if you don’t have the proper systems in place to alert you that any of this took place.

Check out the infographic below for a list of places most healthcare organizations store PHI.

If I was a hacker… (example)

If I was a hacker, here’s how I would steal your PHI.
I would get hired on as part of your janitorial staff. They have keys to everything, and it’s not hard to get a job as a janitor (no offense to janitors). You would never know I stole your data, because I would just take pictures of it with my phone. Most healthcare entities don’t do background checks on their janitorial staff, so even if I had a previous record, I could probably still get a job.

If I didn’t want to start as a janitor, I could start as another member of your organization … even with a criminal background.


Most organizations don’t run background checks on employees hired internally. If I wanted to, I could start in the marketing department (typically no background check) and eventually move to a different department (like IT). As a system administrator, I would have total database access. All I would have to do is select everything inside the database and download it to a café network so the feds can’t trace it back to me.

Piece of cake. (Well maybe not quite a piece of cake, but you get the idea)

SEE ALSO: HIPAA Security vs. EHR Security

Hackers don’t just care about your EHR

It’s important to understand how a hacker thinks. Hackers want all of your data, all of your PHI, all of the time. If they can get into your EHR, they will, and they will take that data too. However, there are a million other easier ways to get that data that don’t involve cracking into your EHR.

Besides an EHR, here are easier places hackers can access if they want to steal PHI:

It’s on exam room computers
Many healthcare entities enter PHI data on workstation computers (in exam rooms, in the pharmacy, etc.), and then copy that information to their EHR. Usually, these computers only have one username and one password. Usually the username is easily guessable, such as Exam1.
If a hacker can access that exam room computer by cracking an easily guessable password, he doesn’t need the EHR. The data is all right on that computer. But if he really wants to get into the EHR, all he needs to do is download keylogger malware that records the EHR password as it’s being typed.

It’s on passwordless network shares
When data is entered on workstation computers, it’s typically also uploaded to some sort of network share accessible to the entire healthcare network. That way, billing and other departments can pull the data off the network share instead of accessing the data via the EHR. While this is extremely convenient for healthcare, it also makes a hacker’s job easier.

Typically, everyone in that healthcare environment has access to the network share, because the organization doesn’t use role-based access control. In addition, practically no healthcare network shares have passwords.

It’s unencrypted and in your Downloads folder
What happens when you download something from a network share? Well, it goes straight into whatever folder your computer has configured for downloads, which is usually some sort of Downloads or My Documents folder. Remember, this sensitive patient data is UNENCRYPTED.

Now… how long does the data remain in that folder? And how long does it remain in your trash folder after you delete it? And when you finally delete stuff out of your trash or recycle bin, do you use a secure delete method?

It’s on your home network
If the doctor uses unprotected remote access to access patient files from home, he probably pulls the data from the healthcare network. He may also be using email for business purposes on his home computer and saving files locally with PHI in them. If the hacker can simply break into the doctor’s home Wi-Fi, he now has even easier access to the PHI.

Why is unprotected PHI so dangerous?

Patient health information, like a Social Security Number, is not like credit card information. The credit card brands know every card that’s assigned to every individual. When a business begins to lose data from a credit card breach, the card brand can quickly flag that trend and report a data breach.

Flagging potential medical identity theft just doesn’t happen in healthcare. And maybe that’s a good thing. Americans don’t necessarily want Big Brother looking over their shoulder and knowing all their medical data. But how else can we track medical fraud?

Here’s another scary thought.

Credit cards are disposable. If your card is compromised, you immediately have it canceled and they send one with new numbers in two to three days. Healthcare data is not disposable. You can’t just send your Social Security Number in to have it replaced every year. Because healthcare data is valuable for the foreseeable future, a hacker could steal your PHI and sit on it for 20 years without it degrading in value.

Because of its value, medical fraud is a lot less forgiving than credit card fraud.

Fixing the unprotected PHI problem

No Big Brother is looking out for healthcare entities, so you’ve got to look out for the security at your own organization. The unprotected PHI problem is easy to fix, but it must start with you. Remember these tips.

  • Be noisy when you see problems in your organization. You are responsible for the data that you interact with, collect, transmit, and maintain, and by golly you’d better protect that data. If your CFO effectively says, “We don’t protect PHI because we don’t have the budget,” harp at him until you get the budget.
  • Don’t let your doctor (or hospital admin, or IT director) hold you back on security. If you see your doctor shoving yet another patient note in his unlocked drawer, tell him no!
  • Sit down in a meeting with your staff and admit your organization has problems. Ask your staff to identify those problems, because I guarantee they’ve seen them.
  • Engage a security professional to identify your risks for you. Be active in the health of your security because that’s an active role.
Group mentality is slowly killing healthcare’s PHI security. Don’t be the fish that thinks the shark can’t get him because he’s one of a million other fish. What he doesn’t realize is, the fish right next to him is stealing all his data right under his cute little flipper.

Don’t forget to check out the infographic below for a condensed list of places most healthcare organizations store PHI.

Brand Barney (CISSP, HCISPP, QSA) is a Security Analyst at SecurityMetrics, has over 10 years of data security experience, and will totally geek out if you mention Doctor Who. Brand loves to play jazz piano and daydreams about being as great as Dave Brubeck or Thelonious Monk. Connect with him on Twitter or check out his other blog posts.

Two Factor Authentication – Security Beyond Passwords


Successful multi factor authentication includes three possible factors.

By: Gary Glover
Passwords alone have been shown to provide poor protection to our sensitive data, especially over the past few years. Many reasons contribute to this, but the biggest is probably the attacker’s growing ability to test and retest different passwords over and over until succeeding. This is known as brute-force password cracking.
According to Fast Company, brute-force password-hacking methods can churn through billions to hundreds of billions of passwords per second.

August 2014 revealed that Russian hackers stole 1.2 billion passwords. In September 2014, 5 million usernames and passwords were leaked on a Russian Bitcoin forum. In February 2015, 10 million passwords were released by a security researcher to show how easy it is to gain access to stolen credentials. How many of you use the same password for multiple accounts?

So…if hackers have a giant online bank of passwords, how are we supposed to keep our information safe through username and password authentication? Luckily, the technology to assist us already exists. It’s called two factor authentication.

SEE ALSO: 2 Things You Should Know about PCI 3.2 Multi-Factor Authentication Updates

What is two factor authentication? 

Two factor authentication, also abbreviated as TFA or 2fa, is an extra layer of security during the authentication process. Two independent methods of authentication are required to access an application, network, or computer. This ensures you (and only you) get access to sensitive information.


Without two factor authentication, you are required only to enter a username and password. The password is the only factor of authentication, and as we know, passwords are just waiting to be hacked.

To qualify, 2fa must contain two of the following factors:
  • Something you know. This means some sort of memorized information, such as a password or answer to a secret question. (FYI - A username doesn’t count.)
  • Something you have. You must have in your possession a unique item containing secret information, such as a bar code, RSA token, or cell phone, which gives you a new code for each login. The major drawback here is that you have to carry this physical token around all the time. 
  • Something you are. This means you must have a physical trait converted to digital information using specialized hardware, such as fingerprint, voice recording, typing patterns, finger lengths, iris scan, etc.

Here are three real-world applications:
  • At the gas pump: When you use your credit card at a gas pump, it often asks for your ZIP code to authenticate. This example uses the “something you have” [your credit card] and “something you know” [your ZIP code] factors.
  • At the ATM: To withdraw money from the ATM, you have to insert your card AND enter your 4-digit PIN. This example uses the “something you have” [your debit card] and “something you know” [your PIN] factors.
  • At work: An employee must scan his ID badge, and his fingerprint to gain access to sensitive areas of a data center. This example uses the “something you have” [employee ID badge] and “something you are” [employee fingerprint] factors.

Learn how to enable two-factor authentication online.

Examples of two factor authentication in practice

  • You enter your username and password to a third party remote access service and call in to the onsite location IT department to have them also login and grant you one time access (often requires them to give you a PIN verbally to receive access). They verify your identity, and you are authorized for access.
  • You enter a password and then the remote access application sends your cell phone a unique PIN that expires in 60 seconds. You enter the PIN into the remote access application and gain access.
  • You enter your username and password, and the system prompts you for a unique dynamic number found on an electronic device in your possession (key fob, Google authenticator on smart phone, etc.)
  • You enter your username and password, and the system prompts you for a biometric value (like a fingerprint), and you touch the fingerprint reader.

Two factor authentication myths

There are a lot of problems people run into when configuring two-factor authentication.
Here are the top three myths I see when helping people configure multi factor authentication at their business.
1. We’ll just use two separate passwords for our two factors. That will be extra secure!
FALSE! More of the same factor does not automatically create two factor authentication, or extra security. You can’t use two passwords as your two factors. You can’t use a password and a security question as your two factors. You can’t use two SMS text codes as your two factors. You must configure two different factors of authentication (see list of possible factors above) to qualify as two factor authentication.

2. If I turn on two-factor authentication, I’m unhackable.
FALSE! Multi factor authentication improves security in a huge way, but it doesn’t make your business invincible. For example: Say you use a password and SMS text as your two factors. What if a hacker steals your phone and knows your password? What if your factor relies on a third party’s security? Remember when RSA tokens were breached in 2011? Security is never perfect.

3. Two factor authentication isn’t worth it.
FALSE! Yes, two-factor authentication makes it a bit more inconvenient to log in, and it’s not impenetrable. But…it also bumps up the security. It’s also important to note that two-factor authentication is a PCI DSS requirement (Requirement 8.3). If you use two-factor authentication, a hacker has to obtain two forms of authentication instead of just your password. Data is useless to an attacker without the second factor.

Applications that should use two-factor authentication

Not all your online accounts, hardware, and software can be configured for two-factor authentication, but many can. The following applications should be configured with two-factor authentication where possible:
  • Remote access technologies
  • Cloud storage used for sensitive documents
  • Email accounts
  • Social media (Twitter, Facebook, etc.)
  • Bank login
  • Cloud computing administration interfaces
  • Hosting services
  • Password management tools
  • Anything else with sensitive data you want to protect….
Some sites that use two-factor will also alert you via email or text message if someone tries to log into your account using a device they don’t recognize, or when an incorrect password is entered.

Here’s a list of sites that support two factor authentication.

SEE ALSO: INFOGRAPHIC: Cybercriminals Love When You Use Remote Access

The future of authentication

Is two-factor authentication perfect? No, but it does make a hacker’s job more difficult. It is a necessary layer of protection for your data.

In the future, multi factor authentication will make single-factor passwords obsolete. In addition, many more second factor options will be available for authentication, such as vein scanners and microchip implants.

Perhaps attackers will become so advanced in the future that three-factor authentication will be the new norm. But for now, two steps is a small effort businesses can and should take for greater security.

Gary Glover (CISSP, CISA, QSA, PA-QSA) is Director of Security Assessment at SecurityMetrics with over 10 years of PCI audit experience and 25 years of Star Wars quoting skills. May the Force be with you as you visit his other blog posts.

Free HIPAA Compliance Software Demo


How a HIPAA compliance program dashboard will save your sanity.

Most healthcare providers know about HIPAA, but don’t know where to start. And for good reason. HIPAA has 157 requirements, and most aren’t written in plain-speak, don’t have decent explanations, and don’t provide examples on how to comply.


Another problem providers have is keeping track of their HIPAA compliance program. With so many requirements, policies, and security implementations, it’s difficult to record HIPAA progress, know next steps, or feel even minimally accomplished.

The good news is, although HIPAA compliance solutions are limited, there are some great ‘HIPAA compliance all in one place’ software options out there. First, let’s review what’s needed for true HIPAA compliance.

What does HIPAA include?

HIPAA probably includes a lot more than you think. Like most healthcare entities, you’ve probably mastered the Privacy Rule side of HIPAA. Maybe you even have your Breach Notification Rules down pat. But I bet you’re not even close to mastering the Security Rule side. Don’t be too alarmed, most of the healthcare industry is failing on this front.

The Security Rule plays a crucial part in protecting patient medical data. Here are just a few examples of the implementation and documentation involved:
  • Wi-Fi security
  • Role-based access control
  • Documentation of unique organizational risks
  • Remote access security protocols
  • Networked medical device security policies
  • Patient portal security
  • Risk analysis documentation
  • Employee phishing training
  • Etc…
Unfortunately, the list goes on and on.

For more great information on what is included in HIPAA compliance, depth on the HIPAA breakdown, and how to make HIPAA a little more realistic for you, check out this blog.

Don’t you give up!

We don’t want you to feel like you’re drowning in HIPAA requirements, or give up on your important patient data security processes.

That’s why the SecurityMetrics HIPAA Dashboard helps compliance officers, risk managers, office managers, and healthcare practitioners keep track of all-things-HIPAA.
This HIPAA compliance software is easy to update and doubles as a documentation tool.

Important HIPAA elements in HIPAA compliance software

Here are some of the most important parts of HIPAA compliance that are included in SecurityMetrics’ HIPAA compliance software dashboard.

"HIPAA can be so difficult to understand. Thanks to SecurityMetrics I now know what I need to do to become compliant. They walk you through it. SecurityMetrics HIPAA Dashboard makes it so easy to locate information I need. I could not do this without SecurityMetrics."

-Cela Keeton at Nicholas W. Feldman, DDS

Tracking next steps
As we mentioned before, most healthcare providers aren’t sure what they have left to do with HIPAA and miss critical security implementations. The Dashboard simplifies the HIPAA compliance process into straightforward, actionable to-dos that prompt you on next-step items for compliance.

You can even assign specific to-dos to employees within your compliance department, or across the organization.


HIPAA Risk Analysis
A risk analysis is a way to assess the potential vulnerabilities, threats, and risks to protected health information (PHI) at your organization. The HIPAA risk analysis software guides you through how to properly conduct a Risk Analysis and documents your progress. In a nutshell, it shows you where you are most vulnerable, and then through the Risk Management Plan helps resolve those vulnerabilities.

HIPAA Compliance Solutions

Where exactly does all your protected health information flow? That’s a question practically no healthcare entity, or even their IT department, knows the answer to. If you don’t know where your patient data is stored, transmitted, or accessed…how can you protect it?

Learn more about where your PHI may reside in this infographic.

A PHI map is crucial to securing all patient information within a healthcare environment.


HIPAA Risk Management Plan
The Risk Management Plan is the compliance step that works through issues discovered in the risk analysis and provides a documented instance proving your active acknowledgement (and correction) of PHI risks and HIPAA requirements.

In this section, recording comments and notes is paramount to showing how you plan to correct certain security issues within your environment.


Privacy policies and procedures
Healthcare organizations are required by HIPAA to implement privacy and security policies/procedures unique to their organization. As part of the SecurityMetrics HIPAA Dashboard, you can document exactly when policies are implemented and keep all policies in an easy to access location.


Workforce training
Did you know your greatest liability and security challenge are your own employees? Employees are forgetful. Workforce member training helps them remember important security practices. Via the SecurityMetrics HIPAA Dashboard, you can track which employees have undergone training and which need to be trained again.


Business associates
The HIPAA Final Omnibus Rule requires covered entities to implement or update a business associate agreement (BAA) for all relationships wherein the business associate creates, receives, maintains, or transmits electronic patient information. However, many companies have a hard time even knowing who their business associates are. The SecurityMetrics HIPAA Dashboard helps document business associate agreements and keeps track of all your business associates.


Prepare for a HIPAA audit
If the OCR came to your door and asked for your HIPAA documentation, (like they did to this organization), would you be prepared? As part of the SecurityMetrics HIPAA Dashboard, users can download all the information contained in the Dashboard, like their Risk Analysis and Risk Management Plan, as a report for audit preparation.


Looks like a pretty awesome way to establish your organization’s HIPAA compliance? Well, what are you waiting for? Get your free HIPAA Dashboard demo and check it out for yourself.
