Securing Network Closets in Healthcare Facilities

Greetings and welcome back.  In today’s blog we look at a subject that is all too often overlooked in hospitals, doctors’ offices, and other medical facilities: securing network closets in healthcare facilities.  The fact is, healthcare records command the highest price of any type of record on the black market for Personally Identifiable Information (PII).  Because of this, healthcare facilities will always be prime targets for data thieves, and network closets are one of the most poorly secured parts of most healthcare facilities.

In a study of all network closets in a large university, this excellent paper by Nathan Timbs, published by East Tennessee State University, shows that there was, on average, more than one threat, hazard or vulnerability for each of the 82 network closets surveyed.  Not surprisingly, data thieves have become very accomplished at using weaknesses in the cyber/physical security of wiring closets to steal large quantities of valuable data.  Another excellent paper published online by Towson State University shows how easily a person can gain physical access to a network closet and place an eavesdropping device into almost any network.  This device – which can be a simple switch converted to the intruder’s own purposes – then sends data offsite to the intruder’s data capture system, completing the theft.

This technique, known as a man-in-the-middle attack, is surprisingly fast and easy to add to any network closet.  In fact, some of the largest data thefts on record have been accomplished by cyber/physical man-in-the-middle attacks such as those discussed in these two papers.  This creates a significant challenge for healthcare facilities, because HIPAA requires security of all your physical, cyber and operational assets, as shown in the following graphic, and network closets are definitely a key to being secure and HIPAA compliant.

[Graphic: Securing Network Closets in Healthcare Facilities]

Because of these issues, it is vital that physical, cyber and operational security all be addressed in the network closet, preferably with a single unified solution.  RackGuardian was built from the ground up to be a system that provides full physical and cybersecurity for your network closets and all of the equipment within them.

RackGuardian does all the following:

  • Interfaces with and securely manages any Wiegand-based access card system
  • Interfaces with and protects any SNMP-based computer, network or power system
  • Provides full physical and operational monitoring of the network closet

Please think about this and take a look at RackGuardian.  We would be happy to confidentially discuss the security of your network closets for your facility.

Until Next Time,

Be Well!

Network Closet Vulnerabilities – Cybersecurity

Greetings and welcome back!  In today’s blog we will look at the problem of cybersecurity in network closets and small server rooms.  This is of particular importance to those who fall under the requirements of HIPAA, PCI-DSS or Gramm Leach Bliley, as those regulations make no distinction about where the data is located or the size of the data room.  In fact, while larger data centers often have layers of physical and cybersecurity, smaller network closets and server rooms have little, and in some cases no, meaningful physical or cybersecurity.

There is a large group of smaller network rooms whose only cybersecurity is an inexpensive firewall box, which is easily evaded by a hacker.  Hackers and professional cyber criminals do not like to leave a trail to follow, so once they enter a network they often look for a device in which to hide out while they explore the network and look for targets from which to steal data.  We have found that a favorite hiding place for these criminals is inside the network card of a rack UPS or Power Distribution Unit (PDU).  In fact, one of the most spectacular data thefts of the past couple of years was executed through the rack PDU of a cloud service provider.  This excellent article shows how the rack PDUs were used as a jumping-off point into the servers in order to steal data.

In addition to using a rack UPS or PDU as a hiding place from which to launch an attack on the servers within that rack, these networked power units can also be used to shut down servers and even to destroy the data on them.  The widely publicized Ukrainian power plant hack was an excellent example of how a UPS system can be used to shut down and then wreak havoc on servers.  In this case, malware was used to program two UPS units to shut down at exactly the same time, cutting power to all critical servers and desktops in the power plant.

If your systems are covered under security regulations, they must have backup power systems, and if they have backup power systems, those systems must also be protected from hackers.  It is wishful thinking to assume that all cyberattacks on a server will come through the front door.  In today’s world of increasingly sophisticated bad guys, back doors to servers – such as those offered by UPS and PDU systems – make perfect cover for a data thief.

Fortunately, RackGuardian was designed from the ground up both to monitor your network/server room power and environment and to provide full firewall protection at the same time.  That’s because RackGuardian includes a private network port on which it queries any SNMP or Modbus system securely, inside its own cyber-safe envelope.  RackGuardian seals off all units that it monitors: its second network port pushes data to the cloud but will not accept ANY attempt to connect to it.  All of the SNMP and Modbus systems monitored by RackGuardian are invisible to the outside world because there is no way to get through the RackGuardian to see them.
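A defender-side counterpart to the isolation just described, as an added example that is not RackGuardian code: an audit of flow records against the policy that rack power devices are polled only by one monitoring host and never initiate connections of their own.  The device names, addresses, ports and flow records below are constructed for illustration.

```python
"""Audit constructed flow records for rack UPS/PDU management cards.

Added example, not RackGuardian code.  Policy, mirroring the isolation
described in the post: a power device is polled (SNMP udp/161, Modbus
tcp/502) only from one monitoring host, may send SNMP traps back to it,
and never initiates anything else.  All addresses and flows are constructed.
"""
import ipaddress
from dataclasses import dataclass

POWER_DEVICES = {"10.9.0.11": "rack1-ups", "10.9.0.12": "rack1-pdu"}  # constructed
MONITOR_HOST = "10.9.0.2"           # constructed: the only host allowed to poll
MGMT_NET = ipaddress.ip_network("10.9.0.0/24")
POLL_PORTS = {161, 502}             # ports a poller may open on a device
TRAP_PORT = 162                     # the one port a device may open itself

@dataclass(frozen=True)
class Flow:
    src: str    # initiator
    dst: str    # responder
    dport: int
    proto: str

def classify(flow):
    """Return None when the flow fits the policy, otherwise the reason it does not."""
    if flow.dst in POWER_DEVICES:
        name = POWER_DEVICES[flow.dst]
        if flow.src != MONITOR_HOST:
            return f"{name} contacted by non-monitoring host {flow.src}"
        if flow.dport not in POLL_PORTS:
            return f"{name} reached on non-polling port {flow.proto}/{flow.dport}"
        return None
    if flow.src in POWER_DEVICES:
        name = POWER_DEVICES[flow.src]
        if flow.dst == MONITOR_HOST and flow.dport == TRAP_PORT:
            return None  # an SNMP trap to the monitor is expected behaviour
        side = "inside" if ipaddress.ip_address(flow.dst) in MGMT_NET else "outside"
        return f"{name} initiated {flow.proto}/{flow.dport} to {flow.dst} {side} the management network"
    return None

def audit(flows):
    """Return (flow, reason) pairs for every flow that violates the policy."""
    return [(f, classify(f)) for f in flows if classify(f) is not None]

# Constructed sample: one normal poll, one trap, then three violations.
SAMPLE_FLOWS = [
    Flow("10.9.0.2", "10.9.0.11", 161, "udp"),    # monitor polls the UPS
    Flow("10.9.0.11", "10.9.0.2", 162, "udp"),    # UPS sends a trap
    Flow("10.20.5.40", "10.9.0.12", 161, "udp"),  # workstation polls the PDU
    Flow("10.9.0.2", "10.9.0.12", 23, "tcp"),     # telnet to the PDU, not a poll
    Flow("10.9.0.12", "10.20.5.10", 445, "tcp"),  # PDU reaching for a file server
]
```

Run `audit(SAMPLE_FLOWS)` to list the three violations; a device that suddenly initiates traffic toward servers is exactly the "jumping-off point" behaviour the post warns about.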

If you have network closets and server rooms that need to be protected, please don’t just protect the front door of your servers; protect the back door of your UPS and PDU units and keep the bad guys at bay!

Until Next Time,

Be Well!


Network Closet Security Vulnerabilities – Physical Security

Greetings and welcome back.  In this blog, we take a close look at Network Closet Security Vulnerabilities – Physical Security.  This is the first in a new series on the key types of network closet security flaws.  It is a key topic, especially for those of you who are covered under HIPAA, PCI-DSS, FERPA, Gramm Leach Bliley and other data security regulations.  As more data shifts to the cloud, more data is transported through your network closets to the various cloud providers that you employ.  Because cloud services tend to be well fortified, cyber criminals are turning to the easiest way to get to that data – your network closets.

To begin with, all of the key data security regulations require you to physically secure your data.  Here are some key provisions with which we should all take time to familiarize ourselves:

HIPAA Section 164.310: “Facility Access Controls. Implement policies and procedures to limit physical access to its electronic information systems and the facility or facilities in which they are housed, while ensuring that properly authorized access is allowed.”

PCI-DSS Requirement 9.1: Verify the existence of physical security controls for each computer room, data center, and other physical areas with systems in the cardholder data environment. Without physical access controls, such as badge systems and door controls, unauthorized persons could potentially gain access to the facility to steal, disable, disrupt, or destroy critical systems and cardholder data.

GRAMM LEACH BLILEY: “Management should deploy adequate physical security in a layered or zoned approach at every IT operations center commensurate with the value, confidentiality, and criticality of the data stored or accessible and the identified risks.”

It’s clear from these sections of the security codes that you need to provide a secure card-based access system in order to be compliant with the major data security regulations.  What isn’t clear is which physical security system is the best for your application.  Fortunately, our RackGuardian system is one of the only systems that supports virtually any access card on the market.  That means that, if you are already using a card access system for the main door of your facility, chances are very good that RackGuardian can support that card on a plug-and-play basis.  If, on the other hand, you need a new access card system, we also have you covered.

In the next 2 blogs, we plan to look at cybersecurity and also at backup power and environmental security for your data.  Please take a good look at RackGuardian; we believe you will find that it’s the most powerful data security product on the market.  We welcome you to contact us with any questions about your individual security needs.

Until next time,

Be Well!

HIPAA Physical Security Standards for Server Racks

Greetings and welcome back.  This week we continue our blog series on the cyber/physical/operational standards for HIPAA, and this week we look at HIPAA Physical Security Standards for Server and Telecom Racks.  As we saw in our last blog, HIPAA breaches continue to grow in number and severity, and one of the key reasons for this growth is very poor physical security of electronic Protected Health Information (ePHI).  Let’s use this blog to examine the key physical security standards for HIPAA in order to better understand the types of security that must be put in place to be HIPAA compliant and reduce your chances of a disastrous security breach.

To begin with, please realize that the physical security standards for HIPAA are fairly lengthy, so we are posting only the first section, which deals specifically with physical access security for your server and telecom rack(s).

A covered entity or business associate must, in accordance with § 164.306:

(a)(1) Standard: Facility access controls. Implement policies and procedures to limit physical access to its electronic information systems and the facility or facilities in which they are housed, while ensuring that properly authorized access is allowed.

The key provision of the HIPAA physical security statute is physical access controls.  These access controls must be implemented to limit access to the electronic information systems and to the facility or facilities in which they are housed.

HIPAA 164.310 requires physical access controls on every server and telecom rack that contains ePHI and on the room in which each is located.

What type of access controls are required?  The covered entity or business associate must have a system that accomplishes 2 purposes:

Every HIPAA covered entity must:

  1. Restrict physical access to ePHI by those who do not have access authority
  2. Grant physical access only to those who have written access authority

Simply put, you must have a Physical Access Control System on every room containing ePHI and on the racks containing ePHI.  Please note that ePHI is stored both in Electronic Health Records (EHR) servers and on your IP-based phone system, which stores messages from patients. If your telecom and EHR servers are located in separate racks, you must either move them into the same rack within the same room or ensure that every separate rack and its room has its own Physical Access Control System.  Failure to safeguard both EHR and telecom servers is a common mistake that violates HIPAA rules.

Putting a card or biometric access system into an existing server or telecom rack is not difficult, and it takes only about 20 minutes to install each one.  The largest brand is resold by AlphaGuardian Networks with the RackGuardian system, and all of its features are integrated into our product.  When RackGuardian is integrated with a card-access or biometric access system, it controls access to each rack and room and also logs entries to and exits from the room and from each server and telecom rack.
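The two duties listed above (deny access without written authority, admit only authorised badges) together with the room- and rack-level logging just described lend themselves to a simple audit.  The following is an added example, not RackGuardian code: badges, locations, the authority table and the log lines are all constructed, and the audit also catches two sensor-level gaps, a rack opened by a badge with no logged entry to its room and a door that opened with no badge grant just before it.

```python
"""Audit room- and rack-door access logs against written access authority.

Added example, not RackGuardian code: the badges, locations, authority
table and log lines are constructed.  It checks the two duties above
(no access without written authority; only authorised badges admitted)
plus two sensor-level gaps: a rack opened by a badge with no logged entry
to its room, and a door that opened with no badge grant just before it.
"""
from datetime import datetime, timedelta

AUTHORIZED = {                       # constructed: badge -> locations permitted
    "B1001": {"room-A", "rack-A1", "rack-A2"},  # EHR administrator
    "B1002": {"room-A", "rack-A2"},             # telecom technician
    "B2003": {"room-A"},                        # facilities: room only
}
RACK_ROOM = {"rack-A1": "room-A", "rack-A2": "room-A"}  # rack -> its room
ROOM_WINDOW = timedelta(minutes=15)  # a rack grant must follow a room grant
DOOR_WINDOW = timedelta(seconds=30)  # a door must open soon after a grant

LOG = """\
2017-06-05T08:01:10|badge|room-A|B1001|granted
2017-06-05T08:01:14|door|room-A||opened
2017-06-05T08:02:30|badge|rack-A1|B1001|granted
2017-06-05T08:38:00|badge|room-A|B2003|granted
2017-06-05T08:40:00|badge|rack-A2|B2003|granted
2017-06-05T09:15:00|badge|rack-A2|B1002|granted
2017-06-05T09:15:02|door|rack-A2||opened
2017-06-05T10:05:00|door|room-A||opened
"""  # constructed: time|kind|location|badge|result, in time order

def parse(log):
    """Turn the pipe-delimited log into (time, kind, location, badge, result) rows."""
    rows = []
    for line in log.strip().splitlines():
        ts, kind, loc, badge, result = line.split("|")
        rows.append((datetime.fromisoformat(ts), kind, loc, badge, result))
    return rows

def audit(rows):
    """Return one finding string per policy or sensor anomaly, in log order."""
    findings, grants = [], []        # grants: (time, location, badge)
    for ts, kind, loc, badge, result in rows:
        if kind == "badge" and result == "granted":
            if loc not in AUTHORIZED.get(badge, set()):
                findings.append(f"{ts} {badge} granted at {loc} without written authority")
            room = RACK_ROOM.get(loc)
            if room and not any(b == badge and l == room and ts - t <= ROOM_WINDOW
                                for t, l, b in grants):
                findings.append(f"{ts} {badge} opened {loc} with no logged entry to {room}")
            grants.append((ts, loc, badge))
        elif kind == "door" and result == "opened":
            if not any(l == loc and ts - t <= DOOR_WINDOW for t, l, _ in grants):
                findings.append(f"{ts} {loc} opened with no badge grant in the prior 30 s")
    return findings
```

`audit(parse(LOG))` yields three findings: a facilities badge admitted to a rack it has no authority for (a misconfigured reader), a technician at a rack with no room entry on record (tailgating or a propped door), and a room door opening with no badge at all.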

Please remember that nearly half of all HIPAA breaches are physical in nature, because very few organizations employ access controls both at the room level and on the individual racks containing ePHI.  Also review this chart from last week’s blog to understand the severity of failing to cover yourself for physical breaches – which are now nearly half of all HIPAA violations.

[Chart: HIPAA Physical Security for Server Racks]

Now, recall also from last week that nearly half of all physical access and theft violations came from insiders.  If that alarms you, it should, but the fact is that ePHI is worth a lot of money on the open market.  The value of ePHI lies both in the raw records – worth around $10 per record – and in ransomware – worth many thousands of dollars per rack.  As physical breaches grow, so do the number and total of HIPAA fines levied against healthcare providers and their business agents.

The Compliancy Group publishes all HIPAA fines levied and settled as of the latest week.  As you can see from the chart below, the total fines for HIPAA violations are skyrocketing and showing no signs of leveling off.  At the present rate of fines, the total for 2017 will be $41 million and, if trends continue, 2018 could approach $75 million.  Please bear in mind that this cost does NOT include the cost of legal settlements with individuals whose records have been breached.

[Chart: Fines for HIPAA Violations]

The long and short of this is that placing a physical access security system on your server and telecom racks and on the room in which they are located is a very small price to pay to be HIPAA compliant and avoid the enormous cost of fines and lawsuits.  Our patented RackGuardian unit is the only system on the market that integrates physical access control for rooms and their server racks together with full cyber and operational security.  We urge every reader to look carefully at this solution, and we would be more than happy to have a confidential discussion about how to protect your ePHI from all threats.

Until Next Time,

Be Well!


HIPAA Breaches and Data Rack Security

Greetings and welcome back!  This week, we begin a look at HIPAA cyber/physical/operational security, specifically HIPAA breaches and data rack security.  This past week, the Federal Government’s Health Care Industry Cybersecurity Task Force released a stinging report on the continuing rise in HIPAA breaches and the failure of the cyber/physical/operational security solutions being employed.  Over the next few weeks, we hope to address some key points of data protection that are largely ignored by the large companies servicing the HIPAA marketplace.  We will begin this week with an overview of the 3 key aspects of HIPAA security:

  • Cybersecurity
  • Physical Access Security
  • Operational Security

The cybersecurity, physical security and operational security of your electronic Protected Health Information (ePHI) are all covered by HIPAA and the HITECH Act – which gives the penalties for HIPAA violations their teeth.  And as the following graph shows, the actual data breaches reported during 2016 by Health and Human Services reflect a broad variety of incidents from each of these three areas.  As you look at this graph, several things may strike you as surprising:

  1. Unauthorized Physical Access (this means by a person who has been given access to the physical data) and Physical Theft comprise more than one third of all HIPAA violations.
  2. Unauthorized Cyber Access (again, meaning network access by someone who has been given access to the data) is nearly one fifth of all HIPAA violations.
  3. Operational Incidents – where data is destroyed or lost – account for a significant share of HIPAA violations.

[Chart: HIPAA Regulations for Your Data Rack]

Thinking about these facts for a minute, let’s now dive one step deeper to see exactly where these data breaches have come from.  As research from Protenus shows, insiders actually accounted for more than 40% of all data breaches!  These are the unauthorized cyber and physical access incidents and part of the physical theft and operational incidents.

Let’s digest all of this information for a minute.  We know from the new government report that HIPAA breaches continue to rise despite companies spending more money on cybersecurity.  What we have learned from the actual breaches reported last year is the following:

  • 43% of all HIPAA breaches were physical or operational incidents
  • Almost all of these physical and operational breaches were related to insiders

These facts make it very clear that relying purely on cybersecurity firewalls to protect your organization against data breaches covers only about half of the problem.  The data in your system is largely located at rest in, and in transit through, the data rack in your network room, and anyone who can gain access to that rack can steal data at will.  This is exactly the reason we built RackGuardian – to protect against ALL threats, cyber as well as physical and operational.  We encourage the reader to look deeply at the full spectrum of security protection offered by RackGuardian, and we are always more than happy to confidentially chat with you about your own security needs.

Until next time,

Be Well!