HIPAA Auditors Cause Breach

This happens far too often. I’ve had to investigate other auditors many times in my career. Both insiders and outsiders can be a problem. Once it was a team of young auditors who bought a wireless router on their way to the client site and connected it into their client network so they could share audit files more easily…audit files that said no one could connect a wireless router into the network without being detected. That was a fun one.

Another time I found auditors who dumped sensitive files into public folders for review. I got the usual “how did you find that?”

It begs the question of what enforcement there is to reduce the number of auditors who put their customers at risk. We also could discuss whether auditors should follow their own advice, but that is actually a logical fallacy. Just as doctors do not have to take the medicine they prescribe, auditors are under no obligation to use controls not relevant to their work. It is the issue of malpractice rather than hypocrisy.

The largest firms seem to be the ones most prone to hire large numbers of inexperienced staff, which means they have the highest likelihood for rudimentary failures. To be fair, they are being asked to perform a giant assessment that requires a lot of moving parts and people gathering data, but that still is no excuse for basic operational weaknesses based on very well-known vulnerabilities.

KPMG, which won OCR’s $9.2 million contract for HITECH-required HIPAA audits in June 2011, told the Saint Barnabas Health Care System of West Orange, NJ, in June 2010 that a KPMG employee lost an unencrypted flash drive that may have contained a list with some patient names and information about their care, Saint Barnabas reported on its website.

The potential breach affected individuals at two facilities—3,630 patients at Saint Barnabas Medical Center in Livingston, NJ, and 956 patients at Newark Beth Israel Medical Center in Newark, NJ—according to a report on the OCR breach notification website. The website lists entities reporting breaches affecting 500 or more individuals, a HITECH requirement that went live in February 2010.

At the end of the day I see failure from an audit firm to use caution and care in their treatment of a client. Automation is a common argument to resolve errors like this during the data collection phase, but that is a dangerous practice on its own. Process and procedures have to be understood better and fixed prior to accelerating or formalizing them.

Why Risk Predictions Fail

Interesting study from the LSE on the economics and psychology of choice:

Standard economics works on the assumption that the things we want most are the things that we will enjoy best and that our imaginations are good forecasters of the impact of future events. In contrast, behavioural economics incorporates the lessons of psychology into the laws of economics and demonstrates that this isn’t always so.

Dolan explains: “It’s all about ‘attention’. The issues that we think about when we forecast our happiness and well-being are not actually the things that we pay attention to as we live our lives. And that can lead us to miscalculate the effect of events on our well-being.

“If you ask someone, for example, how much pleasure they get from driving their car on a scale of 1 to 10 and then correlate that with their car’s value, you’ll find a correlation of about 0.4. So, according to this, people who have more expensive cars get more pleasure out of driving their cars.

“Except, if you ask the question, ‘How much pleasure did you get the last time you drove your car?’ and correlate that with the value of the car, the correlation is zero. And that’s because of attention. When you are actually driving your car you are thinking about the idiot in front of you or arguing with your kids or your husband or wife – you are thinking about all those other things that are nothing to do with how flash your car is.”

So the solution is to live on a quiet road, have no kids, and stay single…then a “flash” car will achieve its expected value. Makes sense to me, actually, but not as economics. Easier to look at this study through a risk management lens and from an anthropological view.

A flash car value requires it to be displayed as the owner intends; it has to be driven or parked as a flashy object. That only happens when undesirable risks — things that diminish the appearance of flash — are kept under control.

Loss of control means lost flash. I think most could predict that basic equation yet still chose to buy a flash car to achieve happiness. That is because they will do a poor job predicting why or when they will lose control. The question thus is not whether people vote for something to make them happy but that does not, but rather why they fail to accurately predict risks to what can make them happy.

Operation Swiper: Thieves Buy Apple to Sell, Launder Credit

In the early 1990s I remember a bank heist in London where the robbers physically breached a large building but did not steal any money or information. Instead they removed every memory chip from every computer.

I can’t find the exact story now but the police were quoted saying something like a bag full of memory was not only worth more on the street than other stolen goods or even drugs but it was legal to trade in the open.

A similar story popped up today, but there is an additional step involved. A criminal operation was setup to skim credit cards and identity information. They then bought luxury goods like Apple computers to convert the credit into goods and sell for cash.

Bosses of each crime ring received blank credit cards from suppliers in Russia, Libya, Lebanon and China.

The bosses then hired “skimmers” who posed for jobs such as waiters and retail shop workers so they could use electronic devices to steal information from customer credit cards. That information was then sent to a “manufacturer” who programed the information into the magnetic strips of blank credit cards.

The crime rings also used card printing machines to forge credit cards and state drivers licenses to match them.

“They can actually make a license from any state in the union, print credit cards of any color and even put the holograms on there,” said NYPD deputy inspector Gregory Antonsen.

Police then said “shoppers” in the crime rings would use the forged credit cards and IDs to go on weekly shopping sprees around the U.S. at retailers such as Nordstrom’s, Macy’s, Gucci and Best Buy and sell those items mostly to people overseas.

But by far, Antonsen said, thieves spent the most time buying computer products from Apple.

“This is primarily an Apple case,” Antonsen said. “Apple is a big ticket item and a very easy sell.”

An interesting point to the takedown of this $13 million crime ring is that the PCI DSS controls again seem to be having an effect on the threats. Attackers would not have to pose for jobs taking cards if they were still able to get the cards from the back-end systems and databases or if they could install and walk away from skimmers.