Thursday, October 16, 2014

HIPAA and Communications Methods

So we were doing some research in the office today and we stumbled upon this chart. Being that we deal with this every single day we thought we would expound a bit on what this chart means to us.

HIPAA Chart from Answer Excellence (
Method Security Level Primary vulnerability
FAX Generally considered secure FAX being picked up from recipient machine by unauthorized party (physical security)
Voice phone call Generally considered secure Eavesdropping (especially in a wireless or cordless environment)
Text messaging via secure mobile option Generally considered secure Access to recipient’s device by unauthorized individual
Alpha Pager (TAP modem protocol) Generally considered reasonably secure Interception by specialized radio equipment during the broadcast from tower to pager.
E-mail message to secure server & client combination Generally considered reasonably secure Hacking of e-mail account
SMS Text Message to cell phone Generally considered insecure Exposure of clear-text message on the internet or wireless network, loss or theft of phone
E-mail message to public server / client combination (Hotmail, Yahoo, etc.) Generally considered insecure Exposure of clear-text message on the public internet, hacking of e-mail account

After reading through the chart we realized that this must be dated. Faxes are NOT secure even though they show up in the green zone in the chart. Faxes after all are sound and carriers route faxes over VOIP (networks) these days that are very insecure. The traditional telephone system is not much better. Voice phone calls also are not secure. It doesn't matter how many times we tell clients this they still think that if they are talking on a landline that the communications is secure end to end.

Rather than waste time going through this chart I will just say that ALL of the listed items in this chart should be red. As a TSCM professional for over 20 years none of the methods identified are in any way considered secure.

When we created a transcription service for a client we realized right up front that we had to make the system secure but easy to use. This required us to write our very own encryption for the customer. In our opinion everything should be encrypted whether you value the data or not. Too often these days we are seeing lax security controls in many systems including everything from misdirected text message and emails to plain out HIPAA violations in which companies don't care. The only time they seem to care is when it hits their bottom line. Instead of taking recommendations they take on the stance that if they don't know about it that it must not be happening. Keep thinking like that and hackers are sure to find a way to make you pucker.

This is why 95% of our clients fail their initial audit and 85% fail their second audit. Even when we spell out the procedures, policies, threats, mitigation and remediation to prevent issues it seems that as soon as we leave they typically go right back to their old habits unless we have followed up with policies and training. I can't even tell you the number of times I have found passwords written on sticky notes at a desk or keys to safes stored in unlocked drawers during an audit.

If you want your business audited right and want to pass your compliance audits with regulators we are definitely the firm you should hire. We perform the audit, compliance checks, documentation, training and follow up to ensure a long lasting compliance program that will work for your organization. We identify the threats and minimize them. We look at your people assets and train as well as check them to ensure they are not the source of liabilities. If they don't know what the correct procedures are they will continue to make mistakes that could cost your business. If you don't have written polities you have no way to enforce the use of the correct procedures and no way to ensure that controls that are in use are working effectively if your people are not trained in proper monitoring, reporting and remediation of issues. The goal is to get your staff to be able to effectively protect your organization instead of relying on software, network controls, auditing and logging (all of which can and will fail you).

It's a game plan that needs to happen in many of these companies. Too often management says to us "it's the way we have always done it" even if our suggestions are cheaper more secure alternatives. Let's get out there and secure the vulnerabilities today before you have another incident tomorrow.

If we all followed the chart this site provided we would definitely be in grave danger. The threat from foreign intelligence agencies, spies, hackers and organized crime is increasing and it's not going away. In the end the people that suffer are the consumers that have to pay higher fee's for cheaper products due to knock offs, illegally duplicated products (counterfeit), higher prices due to the cost of conducting secure transactions for the business, unneeded regulation imposed due to data theft and other issues that arise out of plain old fashioned laziness or ignorance of a topic. If you are unsure about something find somebody that is sure.

No comments:

Post a Comment