Jlhoffman Support


Saturday, 27 July 2013

Encrypting PHI On Your Server And In-Transit

Posted on 13:56 by Unknown
Perhaps one of the most significant changes to the HIPAA Security Rules is the requirement for HIPAA Covered Entities and their Business Associates to provide notification in the event of any breach or exposure of unsecured, unprotected personal health information (PHI). Who has to be notified? Of course you'll need to notify the affected individual(s) and the HHS, but you may also have to notify the police or other authorities, and depending upon the size of the breach even the media, and no one wants that kind of publicity!

HIPAA guidelines recommend all PHI should be encrypted "while in motion and at rest". 

What's PHI "In Motion"?
Simply put, if you send an e-mail (in motion) with PHI, it must be encrypted so that only the recipient can read it. The same holds true for texting and IMing. When you receive any such electronic communication, it should be stored in encrypted format or on an encrypted device. Transferring PHI from one location to another electronically? Yes, encrypt that too! Moving data around on a flash drive? Yup, encrypt it! Notebooks with PHI should have their hard drives encrypted, or at least the PHI files should be. Unprotected notebooks with PHI exposed seem to be a leading point of exposure. (Remember, statistically 1 in 10 notebooks are stolen each year.)

I was working with a C-level executive at an extended care facility who, when I brought up texting as PHI in motion and its risks in a meeting, said "Oh, we don't do that!" His Director of Nursing corrected him: "Oh, the nursing staff passes messages to each other all of the time that way!" Don't just assume your staff doesn't pass PHI via text, e-mail or IM. Check first. You may be surprised.

Let's talk about PHI data on your server.  (Data at Rest)
What about my server, you ask? Servers can't be encrypted, can they? The answer is a straightforward yes, although your tech guys may be resistant because they've never done it before. Most major database programs like Microsoft SQL, MySQL and so forth have the built-in capability to encrypt your stored data. Current versions of Microsoft Server software can also encrypt the server's hard drives, or the partitions that store your PHI, at a very high level that meets or exceeds HIPAA standards.

If I'm not absolutely required to encrypt the databases on my servers, why should I bother? The answer is spelled out very clearly in the HIPAA compliance requirements. If you have a breach and the data is "unprotected" by encryption, you're subject to all of the reporting requirements of the Act(s) AND to potentially significant fines. If your breached data is "protected" by encryption, you're not. Seems like a pretty easy decision, doesn't it?
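As an added example (not part of the original post, and not ACT's own tooling), here is what "protected by encryption" looks like in code for both cases above: the same sealed token can sit in a database column or a file on the server (at rest) or travel as an e-mail or file-transfer attachment (in motion), and the stored bytes reveal nothing without the key, which lives somewhere else. It assumes Python with the `cryptography` package; the patient record and its field values are constructed sample data.

```python
import json
from cryptography.fernet import Fernet, InvalidToken

# Constructed sample record; no real patient data.
SAMPLE_RECORD = {
    "patient": "Jane Q. Sample",
    "mrn": "MRN-0000001",
    "diagnosis": "Type 2 diabetes mellitus",
}
# Values that must never appear verbatim in what is stored or sent.
SENSITIVE_FIELDS = ("Jane Q. Sample", "MRN-0000001")


def generate_key() -> bytes:
    """Fernet key: 32 random bytes, URL-safe base64. Keep it in a key vault,
    never beside the data it protects, or the encryption buys you nothing."""
    return Fernet.generate_key()


def seal_record(key: bytes, record: dict) -> bytes:
    """Serialize and encrypt a record. The returned token is what goes into
    the database column, the file on disk, or the e-mail attachment."""
    plaintext = json.dumps(record, sort_keys=True).encode("utf-8")
    # Fernet is AES-128-CBC plus an HMAC-SHA256 tag, so any alteration of the
    # token is detected on decrypt rather than silently producing garbage.
    return Fernet(key).encrypt(plaintext)


def open_record(key: bytes, token: bytes) -> dict:
    """Decrypt and verify; a wrong key or a single modified byte is rejected."""
    try:
        plaintext = Fernet(key).decrypt(token)
    except InvalidToken as exc:
        raise ValueError("token rejected: wrong key or tampered data") from exc
    return json.loads(plaintext.decode("utf-8"))


def leaks_plaintext(token: bytes, fields=SENSITIVE_FIELDS) -> bool:
    """True if any sensitive value appears verbatim in the stored bytes."""
    return any(field.encode("utf-8") in token for field in fields)


def is_rejected(key: bytes, token: bytes) -> bool:
    """True if open_record refuses the token under this key."""
    try:
        open_record(key, token)
    except ValueError:
        return True
    return False


def tamper(token: bytes) -> bytes:
    """Flip one byte in the middle of a token (simulates corruption or alteration)."""
    altered = bytearray(token)
    altered[len(altered) // 2] ^= 0x01
    return bytes(altered)


if __name__ == "__main__":
    key = generate_key()
    token = seal_record(key, SAMPLE_RECORD)
    print("stored bytes leak PHI?   ", leaks_plaintext(token))
    print("round trip matches?      ", open_record(key, token) == SAMPLE_RECORD)
    print("wrong key rejected?      ", is_rejected(generate_key(), token))
    print("tampered token rejected? ", is_rejected(key, tamper(token)))
```

The point of the last two checks is the "protected" test in the paragraph above: a token pulled off a stolen notebook, a backup tape or an intercepted e-mail is useless to whoever has it, and a token someone has altered is refused rather than quietly accepted.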

Would you like more information on this topic?  Here's a link to a nice article by the AMA:
http://www.ama-assn.org/resources/doc/psa/hipaa-phi-encryption.pdf

Wednesday, 17 July 2013

WARNING - File Servers Don't Last Forever!

Posted on 15:04 by Unknown
Recently our area had some severe weather. After 25 years in business, we've been conditioned to expect a flood of calls the next morning from businesses whose servers have failed as a result. Sometimes the failure was caused by water damage, sometimes a power surge caused it, but many times it's simply an old server that has been kept in service too long, and the environmental stress of the storm just tipped an already wobbly server into a full-fledged failure.

I don't know why, but some business owners who conscientiously change out vehicles and other equipment on a regular replacement schedule expect their network servers to last 10 years or more.

Ladies and Gentlemen, it's time for a reality check. Servers aren't expected to last that long! When you push a server beyond its useful life you risk the lifeblood of your business (your data). Don't tempt fate. Resist the urge to get "one more year" out of your server. If you do, eventually it will fail, and the recovery consequences could be much more expensive than keeping your server infrastructure up-to-date in the first place.

A recent example was a client who called us because their in-house IT tech announced that their server had died and he couldn't get any usable data from its hard drives. To compound the problem, the tech also revealed that he had just discovered their tape backup had not worked correctly in months, so there was no usable backup. They wanted to know if we could possibly recover their data from the drives and then rebuild their server. They were poised to send the drives to a very expensive national recovery service that was going to charge between $8,000 and $10,000 to TRY to recover their data.

I don't have enough space to itemize all of the failures that led to this catastrophe so I won't belabor that point. That tech feels bad enough, I'm sure.

The bottom line was they had trusted all of their critical business data to a 10 year old server and the on-board disk drive controller hadn't just failed.  It had started scrambling all of the data well before it finally gave up in a puff of smoke.

Fortunately, we asked for and received 24 hours to see if our recovery center could resurrect their data from the scrambled hard drives and we got about 90% of their data back for a tiny fraction of what that national company was going to charge.  But, 10% was still totally trashed and beyond repair.  That data will have to be recreated clerically from scratch at who knows what cost.

Servers have an expected useful life. After that, the risk of something going wrong grows exponentially every year your server is kept in service. How long is the useful life of a server? The replacement rule of thumb is the manufacturer's warranty period plus 1 or 2 years. If the manufacturer's warranty is 3 years, you're pushing your luck if you take your server beyond the age of 5. If your manufacturer only offers a 1-year warranty, that should send up a red flag about how long they expect that server to last.

If you stretch a server beyond its useful life, you increase the risk of failure dramatically, but perhaps just as importantly you risk not being able to find replacement parts. Don't expect to find a ready supply of parts for your old server. Technology changes too quickly to count on finding a replacement for your 7-year-old hard drive. At best you might find a used part of questionable quality from a computer scrapper on eBay.

I have a better chance of finding replacement parts for my 48-year-old Ford Mustang than you have of finding parts for your 7-year-old server.

The risk grows even greater if you bought a home-made server, frequently called a "white box" server. Unlike branded servers from companies like Hewlett Packard or Dell, white box servers are almost always a mix of parts from different manufacturers, each with different warranty and replacement-part policies. Getting parts will be a pain in the neck!

Here's an example of a recent white box server failure. ACT was recently asked to resurrect 2 failed white box servers that were about 7 years old. The power supplies in both had failed. The motherboards required a special power plug connector that only one power supply company made. After a few years, that supplier discontinued that power supply and none of their current models had a matching plug. All attempts to find matching power supplies failed, and the client was faced with the real possibility of never getting those servers running again for lack of that one part. Transplanting the hard drives to another server was not viable for technical reasons. Some fancy solder work by our tech staff to jury-rig another power supply to match the motherboard plug got the servers up long enough to retrieve their data. (We don't recommend this as a long-term fix.)

Name-brand server makers like Dell and HP do a marginally better job of keeping replacement components for their equipment, but because technology turns over so fast in our industry, even they have problems with parts availability after a few years.

Take my advice: check the purchase date of your server. Check its warranty expiration. If your server is more than 2 years past the end of its warranty, start shopping for a new server now, before it's too late.

Here's a tip for all of you server buyers. Remember the old adage "Buy what appreciates and lease what depreciates." Nothing depreciates faster than computers. Lease financing rates are extraordinarily low now, and leasing your servers takes away the hassle of coming up with a big chunk of cash for a new server every 4 or 5 years. It also puts you on a nice, easy monthly payment plan that keeps your servers up-to-date with replacements on a regular schedule. For example, a well-provisioned HP ProLiant server with Windows Server 2012, including installation, can be leased for about $100 per month with no end-of-lease buyout fee.

Need help recovering data from a dead server or PC? Contact ACT Network Solutions at (847) 639-7000 or by e-mail at support@act4networks.com. ACT can also replace your old server with a new HP ProLiant tower or rack server using HP direct pricing.

Thursday, 4 July 2013

What The Heck Is Rootkit Malware?

Posted on 14:16 by Unknown
Essentially, rootkit malware is a rogue program that insinuates itself deep into your computer, either in the operating system or at an even deeper level such as the kernel or the Master Boot Record (MBR) of your disk, in order to hide itself from traditional virus removal techniques. Rootkits are different from traditional malware: regular malware tries to pass as "just another program" on your computer, while rootkits try to pass themselves off as part of the operating system or a component of your hardware, and that's tougher to detect.

Rootkits employ a variety of techniques to gain control of a system.  Here are a few of the major areas they target:
  • The O/S kernel – the core of your operating system
  • Hardware/firmware – the embedded code that drives the hardware components in your PC
  • The Master Boot Record (MBR) – the area that defines how your hard drives are structured and loaded

Once installed, a rootkit works to obscure its presence within your computer through subversion or evasion of the standard security tools used for detection. Rootkits do this by modifying the behavior of core parts of your system.   The fundamental problem with rootkit detection is that once the operating system has been compromised, it can’t be trusted to find unauthorized modifications to itself or its components.

Antivirus products rarely catch all rootkits, even though security vendors incorporate rootkit detection into their products. Some attackers even use counterattack mechanisms that can turn off or disable antivirus programs. Signature-based detection can be effective against well-known rootkits, but will fail against better-written rootkits or recently introduced ones that haven't "made the list" yet.

How to remove a Rootkit
Manual removal of a rootkit is often too difficult for a typical computer user. Some experts believe that the only reliable way to remove one is to reinstall the operating system from scratch. Don't give up hope, though. Booting from trusted media can sometimes allow an infected system volume to be mounted without the malware starting up; the volume can then potentially be cleaned safely and critical data copied off.
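An added example, not from the original post and not ACT's own tooling, of the kind of check a technician can run once booted from trusted media as described above, aimed at the MBR area listed earlier: read the first sector of the suspect disk, parse its partition table, and compare the boot-code hash and partition entries against a baseline recorded while the machine was known-good. Because the running operating system on an infected machine can't be trusted to report on itself, the comparison is done from outside it. Both sample sectors below are constructed in code; `read_first_sector` is the only function that touches a real disk, and the device path it takes is a placeholder.

```python
import hashlib
import struct

# MBR layout (offsets within the 512-byte first sector of the disk).
SECTOR_SIZE = 512
PARTITION_TABLE_OFFSET = 446   # 446 bytes of boot code come first
ENTRY_SIZE = 16                # four 16-byte partition entries follow
BOOT_SIGNATURE = b"\x55\xAA"   # last two bytes of a valid MBR
# entry: status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4 LE) sectors(4 LE)
ENTRY_FORMAT = "<B3xB3xII"


def is_valid_mbr(sector: bytes) -> bool:
    """Sanity check: right length and the 0x55AA signature at the end."""
    return len(sector) == SECTOR_SIZE and sector[510:512] == BOOT_SIGNATURE


def parse_mbr(sector: bytes) -> dict:
    """Split a raw first sector into a boot-code hash and its partition entries."""
    if not is_valid_mbr(sector):
        raise ValueError("not a 512-byte sector with a 0x55AA boot signature")
    boot_code = sector[:PARTITION_TABLE_OFFSET]
    partitions = []
    for index in range(4):
        offset = PARTITION_TABLE_OFFSET + index * ENTRY_SIZE
        status, ptype, lba_start, sectors = struct.unpack_from(ENTRY_FORMAT, sector, offset)
        if ptype == 0:          # type 0x00 marks an empty slot
            continue
        partitions.append({
            "index": index,
            "bootable": status == 0x80,
            "type": ptype,
            "lba_start": lba_start,
            "sectors": sectors,
        })
    return {
        "boot_code_sha256": hashlib.sha256(boot_code).hexdigest(),
        "partitions": partitions,
    }


def audit_mbr(sector: bytes, baseline: dict) -> list:
    """Compare a sector against a known-good parse; return a list of findings."""
    current = parse_mbr(sector)
    findings = []
    if current["boot_code_sha256"] != baseline["boot_code_sha256"]:
        findings.append("boot code changed")
    if current["partitions"] != baseline["partitions"]:
        findings.append("partition table changed")
    return findings


def read_first_sector(device_path: str) -> bytes:
    """Read the MBR from a disk or disk image (e.g. a placeholder like
    '/dev/sdX'); only meaningful when run from trusted boot media."""
    with open(device_path, "rb") as disk:
        return disk.read(SECTOR_SIZE)


def build_mbr(boot_code: bytes, entries: list) -> bytes:
    """Assemble a synthetic MBR (constructed test data, not a real disk)."""
    table = b"".join(struct.pack(ENTRY_FORMAT, *entry) for entry in entries)
    table = table.ljust(4 * ENTRY_SIZE, b"\x00")
    return boot_code.ljust(PARTITION_TABLE_OFFSET, b"\x00") + table + BOOT_SIGNATURE


# Constructed known-good sample: one bootable partition of type 0x07 at LBA 2048.
CLEAN_MBR = build_mbr(b"\xEB\x3C\x90", [(0x80, 0x07, 2048, 1_000_000)])
BASELINE = parse_mbr(CLEAN_MBR)

# Constructed "infected" sample: identical partition table, but one byte of
# boot code overwritten. Leaving the table intact keeps the disk bootable,
# which is exactly why a hash of the boot code, not just a boot test, is needed.
_modified = bytearray(CLEAN_MBR)
_modified[100] = 0xE8
INFECTED_MBR = bytes(_modified)

if __name__ == "__main__":
    print("clean   :", audit_mbr(CLEAN_MBR, BASELINE) or "no changes")
    print("infected:", audit_mbr(INFECTED_MBR, BASELINE))
```

In practice the baseline is taken right after the machine is built and stored away from the machine itself; the audit then runs from a boot CD or USB stick so the result doesn't depend on the very system that may be lying.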

Defending your computer
System hardening represents one of the first layers of defense to keep a Rootkit from entering your system in the first place.   Applying security patches, reducing the attack surface and installing antivirus software are some standard security best practices. Once these steps are in place, routine monitoring is still required.

A final word of caution
If you're not familiar with detecting and removing malware, it's a good idea to turn your computer over to a professional who is. Not all computer technicians are proficient in this area, and you don't want anyone "experimenting" on your system. Some techs take the attitude of "screw it, let's just reformat this sucker!" and you'll lose potentially recoverable data. Others may dramatically overcharge and are only sometimes effective at getting the job done. For example, the standard flat fee from the Geek Squad at Best Buy is usually between $250 and $300, while our carry-in fee is usually about half of that and we guarantee our work.

Unfortunately, there is no single silver bullet that will clean your system in one pass. ACT technicians use a cocktail of many different tools in a blend that removes malware and saves your data about 95% of the time. That blend of tools changes frequently as threats morph and different packages prove more or less effective on new threats. Fighting malware is a constantly changing environment. Gone are the days when we fought 6,000 to 7,000 new threats each year. Kaspersky Labs reported that by the end of 2012 the proliferation of new malware had reached an average of 200,000 new threats each day!

If you need help disinfecting your computer or server, contact ACT for help from an experienced security professional by calling (847) 639-7000 or emailing support@act4networks.com.