Cybersecurity for Rural Telecom and Broadband Sites

Greetings and welcome back.  This week, we continue our series on Cyber and Physical Security for Remote Telecom sites with our blog: Cybersecurity for Rural Telecom and Broadband Sites.  In our last blog, we discussed the availability of open network ports that are used by cybercriminals as back doors to steal data and destroy your equipment.  This week, we look at the ability of hackers to penetrate the front door of your network to wreak havoc with your operations.

To begin with, it's important to realize that, whether you run rural or urban telecom sites, you are a target for both hackers and data thieves.  Hackers get paid for disrupting your operations, and data thieves get paid by stealing your customers' data and selling it on the black market.  All the traffic that passes between your customers and the Internet flows through your remote sites, and for that reason the bad guys put a high value on those sites.

How Hackers can Attack Rural Telecom Sites

To give you an example of how hackers can target your rural sites, please look at this article about the attack that knocked hundreds of thousands of Deutsche Telekom customers offline.  In that case a hacker for hire, paid roughly $10,000 to build a botnet for use against a competitor of his client, modified the Mirai botnet so that it spread by attacking port 7547, the port used by the TR-069 (CWMP) and TR-064 remote-management protocols, which exchange SOAP (Simple Object Access Protocol) messages with the router's management interface.  DT's routers were not even the intended victims: the botnet's flood of exploit attempts against that port caused the routers to hang or crash, and the customers behind them lost service.  The key thing here is that there are always people willing to pay to harm companies or their customers, and that you can be hit even when you are not the target.
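To make that pattern visible on your own edge, here is an added example (written for this page; it is not code from the original post or from the reporting it links) that reads iptables-style firewall log lines and flags any minute in which many distinct sources, or a flood of attempts, hit TCP/7547.  The log lines, addresses and the year are constructed assumptions (syslog timestamps carry no year); the thresholds are parameters you would tune to your own traffic.

```python
"""Flag a Mirai-style sweep of TCP/7547 (the TR-069/CWMP management port) in
firewall logs.  Added example for this page, not code from the original post
or from the reporting it links.  Log lines are constructed in iptables/syslog
style; addresses are documentation ranges; the year is an assumption because
syslog timestamps omit it."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ kernel: .*?"
    r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) .*?PROTO=(?P<proto>\w+) "
    r"SPT=\d+ DPT=(?P<dpt>\d+)"
)
EPOCH = datetime(1970, 1, 1)
LOG_YEAR = 2016                      # assumption: syslog lines carry no year


def parse_line(line, year=LOG_YEAR):
    """One iptables log line -> dict, or None for lines that are not firewall hits."""
    m = LOG_RE.search(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "src": m["src"], "dst": m["dst"],
            "proto": m["proto"], "dpt": int(m["dpt"])}


def detect_sweeps(lines, port=7547, window=60, min_sources=5, min_attempts=20):
    """Bucket hits on `port` into `window`-second slots and report slots in which
    many distinct sources (a botnet) or many attempts (a flood) show up."""
    slots = defaultdict(lambda: {"attempts": 0, "sources": set(), "targets": set()})
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["proto"] != "TCP" or ev["dpt"] != port:
            continue
        key = (ev["ts"] - EPOCH) // timedelta(seconds=window)   # integer slot number
        slot = slots[key]
        slot["attempts"] += 1
        slot["sources"].add(ev["src"])
        slot["targets"].add(ev["dst"])
    alerts = []
    for key in sorted(slots):
        s = slots[key]
        if len(s["sources"]) >= min_sources or s["attempts"] >= min_attempts:
            alerts.append({
                "window_start": EPOCH + key * timedelta(seconds=window),
                "attempts": s["attempts"],
                "distinct_sources": len(s["sources"]),
                "distinct_targets": len(s["targets"]),
            })
    return alerts


def make_line(ts, src, proto, dpt, dst="198.51.100.20"):
    """Constructed iptables-style log line (not a real capture)."""
    return (f"Nov 27 {ts} edge kernel: IN=eth0 OUT= MAC=00:11:22:33:44:55 "
            f"SRC={src} DST={dst} LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=0 DF "
            f"PROTO={proto} SPT=51234 DPT={dpt} WINDOW=14600 RES=0x00 SYN URGP=0")


# Constructed sample: six bots sweep 7547 within one minute, plus unrelated noise.
SAMPLE_LOG = [
    make_line("14:03:01", "203.0.113.5", "TCP", 7547),
    make_line("14:03:02", "203.0.113.17", "TCP", 7547),
    make_line("14:03:02", "198.18.0.9", "TCP", 443),       # ordinary web hit
    make_line("14:03:04", "203.0.113.88", "TCP", 7547),
    make_line("14:03:05", "203.0.113.5", "TCP", 7547),     # same bot again
    make_line("14:03:07", "192.0.2.44", "TCP", 7547),
    make_line("14:03:09", "192.0.2.45", "TCP", 7547),
    make_line("14:03:11", "192.0.2.46", "TCP", 7547),
    make_line("14:03:15", "203.0.113.17", "TCP", 7547),
    make_line("14:03:20", "198.18.0.9", "TCP", 22),        # ssh probe, different port
    make_line("14:03:30", "192.0.2.47", "UDP", 7547),      # wrong transport, ignored
    "Nov 27 14:05:00 edge sshd[812]: Accepted publickey for ops from 10.0.0.2",
    make_line("14:10:30", "192.0.2.99", "TCP", 7547),      # lone hit, below threshold
]

if __name__ == "__main__":
    for a in detect_sweeps(SAMPLE_LOG):
        print(f"{a['window_start']:%H:%M} sweep of tcp/7547: {a['attempts']} attempts "
              f"from {a['distinct_sources']} sources at {a['distinct_targets']} target(s)")
```

Run against a real log, the same function takes the file's lines; raising min_sources and min_attempts to match your normal background scanning keeps the alert meaningful, and a sweep that trips the rule is your cue to confirm that 7547 is filtered upstream of every customer router.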

In making a scan of rural telecom sites via the Shodan Search Engine, I found a significant number of routers that have open ports that could be used to bring down their networks.  For obvious reasons, the names of those organizations will not be named but, it is clear that rural telecom sites are vulnerable to similar and perhaps much more destructive attacks.

How Data Thieves can Steal Data at Rural Telecom Sites

Stealing data through a remote site is surprisingly easy.  To do so, one need only gain physical or virtual access to a remote telecom site.  From there, the switch or router can be configured (a port-mirroring session or a similar feature) to copy selected traffic and send it to a cyber-thief's waiting server.  For security reasons, the particulars of this hack will not be shared but, I can say that I was able to find innumerable rural telecom site network systems online using Shodan.  Thousands of sites presented the option to remotely configure a switch and, once that is done, a data thief is in control of that site's network.  This leaves those sites wide open to data thieves and leaves the telecom service provider with enormous liability.

What Can be Done to Protect Rural Sites?

It's imperative that the open ports on these systems be secured.  For remote management, simply placing a firewall in front of the port is of limited value.  The firewall has to decide which sources are the “good guys” and let them through, normally by source address, and a trusted source address is all-too-easy to spoof or to borrow by compromising a host on the trusted list.  Either way the attacker ends up with the same access to the site as the administrator.

What needs to be done is to completely lock down all remote management ports and to send all data from those ports into a secure location, accessible only by privileged individuals.  This is exactly what our RackGuardian product does.  It creates a stealth shield around any device that it monitors while it sends all monitoring data with respect to that device to our secure cloud portal.  The result is that you can remotely monitor and manage your critical network equipment while keeping its presence hidden from all Internet traffic.

Please think about this and give us a call if you would like assistance at your remote sites.  We would be happy to have a confidential discussion with you about your security options.

Until Next Time,

Be Well!


Cyber and Physical Security for Rural Telecom Sites

Greetings and welcome back.  This week we begin a study of the Cyber and Physical Security for Rural Telecom Sites. If you are a provider of telecom and broadband services to rural areas, you know that cybersecurity and physical security are large and growing concerns.  The huge geographic areas that your network covers and the relatively few personnel to cover them makes for serious security challenges and we will address the cyber and physical challenges of these sites during this blog series.

To begin with, there are roughly 1000 companies in the United States who are classified as rural telecom providers.  Having spent a good deal of my life in rural country, I have an appreciation for the companies who serve these large areas of our country and understand that the growing threats of cybersecurity and continuing threats to physical security are likely to increase over time.  In fact, several cyberattacks on rural municipalities and utilities show that rural operations are increasingly becoming cyber targets.  When you add to that the damage from physical attacks – such as this highly destructive cable cutting in rural Northern California – it's clear that bad guys are targeting rural utilities and that these are not isolated instances.

In this first part of the blog series, we’re going to look at cybersecurity backdoors in your remote plant and equipment as well as in your head-end sites.    If we want to address this subject in a practical way, we must first ask: “What network ports within my sites could be used by a hacker as a back door?”

Security for Rural Telecom

We have done a thorough scan of rural telecom and broadband sites throughout the U.S. to find out the correct answer to this question.  While we will not release the total number of ports involved for security reasons, we can say that open ports with minimal security on rural utility networks total in the hundreds of thousands. The avenues most commonly used in attacks by the bad guys are remote management ports which see little traffic but, which are most often left open for the convenience of the user.  The ports which we found to be open in large numbers in rural telecom sites are:

  • Port 21 – FTP – File Transfer Protocol: an unencrypted protocol used for uploading firmware and other updates; the login passes in clear text
  • Port 22 – SSH – Secure Shell: an encrypted means of remote login and command-line system changes, well secured only when password logins and weak keys are avoided and the permitted source addresses are restricted
  • Port 23 – Telnet – an unencrypted protocol used for remote login and command-line system changes; login and every command pass in clear text
  • Port 69 – TFTP – Trivial File Transfer Protocol: an unencrypted protocol with no authentication at all, used for firmware and configuration transfers
  • Port 80 – HTTP – Hyper Text Transfer Protocol: an unencrypted protocol used for web-page access and system changes
  • Port 161 – SNMP – Simple Network Management Protocol: used for remote monitoring and management; versions 1 and 2c send the community string (the only credential) in clear text, and only SNMPv3 provides authentication and encryption
  • Port 443 – HTTPS – the encrypted version of HTTP, which protects the web session in transit but does nothing about a device that still has its default password
  • Port 502 – Modbus – an unencrypted industrial-control protocol with no authentication, commonly used to manage power and cooling systems
  • Port 47808 – BACnet – a building-automation protocol for mechanical and electrical systems with no built-in encryption or authentication

Looking at this list, the first thing that comes to mind is: That’s a LOT of open ports and a LOT of options for hackers to target!  Granted, each device typically only has 2-4 ports open but, as the thief says: “I only need one…”
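As an added check (written for this page, not code from the original post), the script below probes a device for the TCP management ports in the list above and rates each open one by whether it carries credentials or control commands in the clear.  The three UDP services (TFTP, SNMP, BACnet) do not answer a TCP connect and need protocol-specific probes, so they are only listed in the table.  The target address in the usage comment and the severity labels are assumptions.

```python
"""Management-port exposure check for a telecom-site device.
Added example for this page, not code from the original post.  The table
restates the port list above; the probe is a plain TCP connect() so it needs
no privileges.  UDP services (TFTP/69, SNMP/161, BACnet/47808) do not answer
a TCP connect and need protocol-specific probes, which this script does not
send."""
import socket
import sys
from concurrent.futures import ThreadPoolExecutor

# port -> (service, transport, what an attacker gets if it is reachable)
MGMT_PORTS = {
    21:    ("FTP",    "tcp", "logins and firmware images pass in clear text"),
    22:    ("SSH",    "tcp", "encrypted; still limit sources and prefer key auth"),
    23:    ("Telnet", "tcp", "logins and every command pass in clear text"),
    69:    ("TFTP",   "udp", "no authentication at all"),
    80:    ("HTTP",   "tcp", "web management logins pass in clear text"),
    161:   ("SNMP",   "udp", "v1/v2c community string in clear text; only v3 authenticates and encrypts"),
    443:   ("HTTPS",  "tcp", "encrypted; check the certificate and who can reach it"),
    502:   ("Modbus", "tcp", "no authentication; anyone reaching it can write registers"),
    47808: ("BACnet", "udp", "no authentication or encryption"),
}
CLEARTEXT = {21, 23, 69, 80, 161, 502, 47808}   # credentials or control in the clear


def tcp_open(host, port, timeout=1.0):
    """True if something on host accepted a TCP connection to port."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def scan(host, ports=None, timeout=1.0):
    """Probe the TCP ports in `ports` (default: the TCP entries of the table).
    Returns {port: True/False}."""
    candidates = list(ports) if ports is not None else list(MGMT_PORTS)
    tcp_ports = [p for p in candidates
                 if MGMT_PORTS.get(p, (None, "tcp", None))[1] == "tcp"]
    with ThreadPoolExecutor(max_workers=16) as pool:
        results = list(pool.map(lambda p: tcp_open(host, p, timeout), tcp_ports))
    return dict(zip(tcp_ports, results))


def assess(open_ports):
    """Turn a collection of open ports into findings, worst first."""
    findings = []
    for port in open_ports:
        service, _, note = MGMT_PORTS.get(
            port, ("unknown", "tcp", "unrecognised service; identify it"))
        severity = "HIGH" if port in CLEARTEXT else "MEDIUM"
        findings.append({"port": port, "service": service,
                         "severity": severity, "note": note})
    findings.sort(key=lambda f: (f["severity"] != "HIGH", f["port"]))
    return findings


def local_demo():
    """Offline self-check: open a throwaway listener on 127.0.0.1 and scan it
    alongside a port we just released, so the scanner reports one real open
    port and one real closed port."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(5)
    open_port = listener.getsockname()[1]
    spare = socket.socket()
    spare.bind(("127.0.0.1", 0))
    closed_port = spare.getsockname()[1]
    spare.close()                         # nothing listens here any more
    try:
        results = scan("127.0.0.1", [open_port, closed_port], timeout=0.5)
    finally:
        listener.close()
    return {"open_port": open_port, "closed_port": closed_port, "scan": results}


if __name__ == "__main__":
    # Hypothetical usage: python3 mgmt_port_audit.py 198.51.100.20
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    exposed = [p for p, is_open in scan(target).items() if is_open]
    for f in assess(exposed):
        print(f"{f['severity']:6} {f['port']:>5}/{f['service']:<7} {f['note']}")
    for p in (69, 161, 47808):
        print(f"UDP    {p:>5}/{MGMT_PORTS[p][0]:<7} not probed; check with a protocol-aware tool")
```

Run it only against equipment you are authorised to test, and run it from the outside (a host on the public Internet) as well as from inside the site: a port that is closed from the NOC but open from the Internet is exactly the kind of back door this series is about.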

In studying open ports that can be seen directly on the Internet through the Shodan Search Engine, the most numerous systems on your network are NOT computers but, rather:

  • Routers
  • Network Switches
  • Power Distribution Units
  • Backup Power Systems
  • Telecom Systems

Because open ports on these systems have minimal security, gaining access through them is not a challenge even for a hacker of modest skill.  Once a cybercriminal reaches one of these ports, they can take control of that system and then hop from one system to the next until a value-rich target system is penetrated.  When they arrive at their high-value target destination, they can then:

  • Harm, shutdown or destroy one or more of your systems directly
  • Place Malware into your systems that can constantly scan and steal interesting data over long periods of time
  • Place Ransomware on your systems to force you to pay a ransom of the attacker's choosing, on the attacker's timing
  • Steal data immediately from a data source such as a server or desktop computer and then cover their steps
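To show concretely what “minimal security” means for one of these ports, here is an added example (written for this page, not taken from the original post) that builds an SNMPv1/v2c GetRequest by hand from the message format in RFC 1157 and then recovers the community string from the raw bytes, exactly as anyone watching the wire could.  The OID and community values are constructed; the optional send_get helper is there for use against your own equipment and is not exercised offline.

```python
"""What 'minimal security' looks like on the wire: an SNMPv1/v2c request
carries its only credential, the community string, in clear text.
Added example for this page, not from the original post.  The BER encoder
and decoder follow the SNMP message format (RFC 1157 / RFC 1901); the OID
and community values are constructed."""
import socket

SYS_DESCR = "1.3.6.1.2.1.1.1.0"        # sysDescr.0, answered by almost every agent


def ber_length(n):
    """BER length: one byte below 128, otherwise 0x8N followed by N length bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, body):
    return bytes([tag]) + ber_length(len(body)) + body


def ber_int(value):
    """Non-negative INTEGER, minimal two's-complement (high bit must stay 0)."""
    body = value.to_bytes((value.bit_length() + 8) // 8, "big") if value else b"\x00"
    return tlv(0x02, body)


def encode_oid(dotted):
    """OBJECT IDENTIFIER: first two arcs fold into one byte, the rest are base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))


def build_get(community, oid=SYS_DESCR, version=0, request_id=0x1234):
    """GetRequest message.  version 0 = SNMPv1, 1 = SNMPv2c."""
    varbind = tlv(0x30, encode_oid(oid) + tlv(0x05, b""))            # name, NULL value
    pdu = tlv(0xA0, ber_int(request_id) + ber_int(0) + ber_int(0)     # id, error-status, error-index
              + tlv(0x30, varbind))
    return tlv(0x30, ber_int(version) + tlv(0x04, community.encode()) + pdu)


def read_tlv(buf, pos=0):
    """Return (tag, body, position after this element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def community_from_packet(pkt):
    """What a passive observer recovers from a captured SNMP datagram:
    (version, community).  v3 has no community field, so (3, None)."""
    tag, msg, _ = read_tlv(pkt)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    _, ver, pos = read_tlv(msg)
    version = int.from_bytes(ver, "big")
    if version == 3:
        return version, None
    tag, comm, _ = read_tlv(msg, pos)
    if tag != 0x04:
        raise ValueError("expected community OCTET STRING")
    return version, comm.decode("latin-1")


def send_get(host, community="public", oid=SYS_DESCR, timeout=2.0):
    """Send one GetRequest over UDP/161 to equipment you are authorised to test.
    Returns the raw response bytes, or None if nothing answered."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_get(community, oid), (host, 161))
        try:
            return s.recvfrom(4096)[0]
        except socket.timeout:
            return None


if __name__ == "__main__":
    pkt = build_get("public")
    print(pkt.hex(" "))
    print("credential visible on the wire:", community_from_packet(pkt))
```

The same community string that unlocks read access (and, with a read-write community, configuration changes) is sitting in the datagram in the clear, which is why a device answering SNMPv1/v2c on a public address is counted as a clear-text exposure in the port list above; an agent that responds to “public” or “private” from the Internet has effectively no authentication at all.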

OK – that’s a lot of information to absorb for now so, at this point, it’s time to summarize this first blog about rural telecom security.  The first point is that your remote and local sites have many types of systems, each of which likely has at least one open port with little or no security.   These systems are, therefore, easily penetrated by a cybercriminal and can be used to harm your systems and to steal data from your customers.

The question to be asked is: “What can be done to stop this?”  Our RackGuardian and CyberGuardian products are unique in this field because they block the cybercriminals from even being able to see your systems while, at the same time, allowing you to securely manage your systems from any location.  They create a stealth-shield around your systems making them invisible on a network but, provide you with a secure, encrypted channel of communications with those units.  All of this power is tied-together with our secure cloud-based system, meaning that there is no limit to the number of devices that you can protect and manage.

Please think about these things and, if you would like to have a confidential discussion about your security needs, please feel free to give us a call.  We’re here to help and we understand the needs of rural utility providers.

Until Next Time,

Be Well!


Secure, Unified Monitoring for All Your Network Closets

Many organizations have dozens, even hundreds of network closets, server labs and other small IT and Telecom rooms in their facility or campus.  All-too-often, these rooms have been monitored by multiple applications with a Network Management System (NMS) monitoring the SNMP devices, a Building Management System (BMS) monitoring the environmental and power conditions and a Security Management System (SMS) monitoring the entrance to these rooms.  RackGuardian is the first product built to provide Secure, Unified Monitoring for All Your Network Closets.  For the first time, you can monitor all your SNMP, Environmental, Power and Security Systems on a single, secure, cloud-based platform.

RackGuardian is a secure, cloud-based management appliance which you place in each of your network rooms.  It has a secure port from which to gather information from any SNMP, Modbus or other network device.  It also contains 4 environmental monitoring ports which can connect to temperature, humidity, water leak detection, fire alarm or other sensors. In addition, it also includes two Wiegand access control ports which can interface with almost any card-access or biometric access system.  This gives you total scope monitoring capabilities for each room in which you place a RackGuardian.

As RackGuardian gathers data, it continuously monitors this data with self-learning analytics.  This allows the system to eliminate the nuisance alarms that traditional high-low alarm set points produce, using its patent-pending alarm analytics.  The self-learning analytics learn the normal operating parameters of each device and of each data-point within each device.  By doing this, you know that, when the RackGuardian system does send you an alarm, a statistically significant deviation from normal is under way.
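An added illustration of the difference between fixed set points and a learned baseline, written for this page; it is not RackGuardian's own analytics, whose method the post does not give.  The temperature series is constructed: a closet holding about 24 °C with ordinary jitter, then a cooling failure that warms it slowly.  The 30-minute sampling interval and the 3-sigma rule are assumptions.

```python
"""Fixed high/low set points versus a learned baseline on a rack temperature
feed.  Added illustration for this page of the idea the post describes; it is
not RackGuardian's analytics, whose method the post does not give.  The
series below is constructed: readings every 30 minutes (assumption), a room
holding about 24 C, then a cooling failure that warms it slowly."""
from statistics import mean, pstdev

NORMAL_CYCLE = [23.8, 24.0, 24.2, 24.0]                 # ordinary jitter around 24 C
SAMPLE = (NORMAL_CYCLE * 12                              # 24 h of history, 48 readings
          + [24.0, 24.2, 24.0, 23.8, 24.0, 24.2]          # 3 more hours of normal readings
          + [24.6, 25.2, 25.9, 26.5, 27.2, 27.8])         # cooling failure: slow climb


def static_alarms(series, low=18.0, high=27.0):
    """Traditional set points: alarm only once a reading leaves [low, high]."""
    return [i for i, t in enumerate(series) if t < low or t > high]


def baseline_alarms(series, train=48, k=3.0, sigma_floor=0.1):
    """Learn mean and spread from the first `train` readings, then alarm on any
    reading more than k standard deviations from that baseline.  Readings that
    do not alarm roll into the window so the baseline follows slow, normal
    drift; alarming readings are kept out so a failure cannot teach itself in.
    The sigma floor stops a perfectly flat history from alarming on noise."""
    window = list(series[:train])
    alarms = []
    for i in range(train, len(series)):
        mu, sigma = mean(window), max(pstdev(window), sigma_floor)
        if abs(series[i] - mu) > k * sigma:
            alarms.append(i)
        else:
            window.pop(0)
            window.append(series[i])
    return alarms


def compare(series=SAMPLE):
    """Indexes flagged by each method and how many readings earlier the
    baseline method spoke up (None if either method stayed silent)."""
    static, learned = static_alarms(series), baseline_alarms(series)
    lead = static[0] - learned[0] if static and learned else None
    return {"static": static, "baseline": learned, "lead_readings": lead}


if __name__ == "__main__":
    r = compare()
    print("static set points alarm at readings:", r["static"])
    print("learned baseline alarms at readings:", r["baseline"])
    print("baseline gave", r["lead_readings"], "readings of extra warning")
```

On the constructed series the fixed 27 °C set point fires only at the last two readings, by which time the room has been warming for two hours, while the learned baseline flags the very first reading that leaves the room's normal band and stays quiet through the normal readings before it; tightening the static set point to catch the failure earlier would instead alarm on ordinary daily swings.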

RackGuardian pushes all its statistical data to the AlphaGuardian secure cloud server once per minute – unless an alarm is spotted, in which case it pushes the data immediately to the cloud for alarm notification.  All data pushed to the cloud is encrypted in transit with 2048-bit keys.  Just as important is the direction of the traffic: the RackGuardian acts like a data diode, a one-way communication device.  It pushes data out to the cloud but will NOT accept any inbound connection to itself or to any of the devices that it is protecting, so there is no management port for an attacker to find.  In fact, once a device is connected behind the RackGuardian, it becomes invisible to your network.  No one can see the device or even knows that it exists.

Having a secure, cloud system that unifies all of your devices is a strategic advantage.  When you use different systems to monitor the same rooms, you have a potential for confusion and even disaster.  RackGuardian has a hierarchical, stratified access system that allows multiple departments and multiple levels within those departments to see only the items under their control.  In this way, the facilities department can securely see the environmental and power conditions, the network manager can see their servers, switches and other SNMP devices and the security officer can see when and by whom each room is accessed.

By replacing multiple systems with a single, unified system, RackGuardian saves money both in the short and long term.  By offering all data in a secure, cloud-based platform, you have the ability to scale from a small number of rooms in one site to thousands of sites on a national or even global scale.  RackGuardian’s power can be seen in the diagram below which shows its security, simplicity and power.

[Diagram: a Secured, Unified Platform for Monitoring Your Network Closets]


Until Next Time,


Be Well!


Network Closet Security Vulnerabilities – Physical Security

Greetings and welcome back.  In this blog, we take a close look at Network Closet Security Vulnerabilities – Physical Security.  This is the first in a new series on the key types of network closet security flaws.  This is a key topic, especially for all those of you who are covered under HIPAA, PCI-DSS, FERPA, Gramm Leach Bliley and other data security regulations.  The fact is, as more data shifts to the cloud, more data is transported through your network closets to the various cloud providers that you employ.  Because cloud services tend to be well-fortified, cyber criminals are turning to the easiest way to get to that data – your network closets.

To begin with, all of the key data security regulations require you to physically secure your data.  Here are some key provisions with which we should all take time to familiarize ourselves:

HIPAA Section 164.310: “Facility Access Controls. Implement policies and procedures to limit physical access to its electronic information systems and the facility or facilities in which they are housed, while ensuring that properly authorized access is allowed.”

PCI-DSS Requirement 9.1: Verify the existence of physical security controls for each computer room, data center, and other physical areas with systems in the cardholder data environment. Without physical access controls, such as badge systems and door controls, unauthorized persons could potentially gain access to the facility to steal, disable, disrupt, or destroy critical systems and cardholder data. 

GRAMM LEACH BLILEY: “Management should deploy adequate physical security in a layered or zoned approach at every IT operations center commensurate with the value, confidentiality, and criticality of the data stored or accessible and the identified risks.”

It’s clear from these sections of the regulations that you need a controlled, auditable physical access system – card-based or equivalent – in order to be compliant with the major data security regulations.  What isn’t clear is which physical security system is the best for your application.  Fortunately, our RackGuardian system is one of the only systems that supports virtually any access card on the market.  That means that, if you are already using a card access system for the main door of your facility, chances are very good that RackGuardian can support that card on a plug-and-play basis.  If, on the other hand, you need a new access card system, then we also have you covered.

In the next 2 blogs, we plan to look at cybersecurity and also backup power and environmental security for your data.  Please take a good look at RackGuardian and we believe that you will find that it’s the most powerful security product for data security on the market.  We welcome you to contact us with any questions about your individual security needs.

Until next time,

Be Well!

Server & Telecom Racks and New York Cybersecurity Law

Greetings and welcome back!  Beginning this week, we are going to dovetail our discussions of the Federal Gramm Leach Bliley Act (GLBA) for financial services companies together with the New York Cybersecurity Regulations for Financial Services Companies.  Because New York is the home to many of the country’s financial services companies, it seems natural to address both the Federal Standards of GLBA with the State Standards for financial companies in one logical set of blogs.  So today, we begin this series by looking at Server & Telecom Racks and New York Cybersecurity Law.

The timing of beginning our discussion is centered around the enforcement of the New York Regulations, which began last week on August 27th.  The NY Cybersecurity regs are an extremely comprehensive set of requirements that cover all in-state and international operations for a financial entity of over $5 million in revenue.  While not having the power to regulate operations in other states, the Department of Financial Services (DFS) in New York makes it clear that any branch office in another state that impacts the operations of a New York office will be dealt with accordingly.  This is a polite way of saying that if security is truly needed in New York then it only makes sense to follow the same procedures for all locations, regardless of state.

To begin with, let’s talk about what the NY Regulations cover.  The regulations define Information Systems broadly, naming several specialized classes of system alongside ordinary IT, and require that the information those systems hold be protected in 3 different ways.  The definition of the systems that must be protected is as follows:

500.01 (e) Information System means a discrete set of electronic information resources organized for the collection, processing, maintenance, use, sharing, dissemination or disposition of electronic information, as well as any specialized system such as industrial/process controls systems, telephone switching and private branch exchange systems, and environmental control systems.

The 3 types of coverage for the information that these systems support are as follows:

500.02 (a) Cybersecurity Program. Each Covered Entity shall maintain a cybersecurity program designed to protect the confidentiality, integrity and availability of the Covered Entity’s Information Systems.

When we combine these regulations, we see that  the integrity and availability of IT and Telecom systems must be protected by actively securing and monitoring backup power, cooling and physical security systems.  Any interruption in power or cooling to an IT or Telecom system can corrupt or destroy the data that is to be protected.  This means that the following systems must be protected in order to be in compliance with the law:

  • Uninterruptible Power Supply (UPS) and Power Distribution Units (PDU)
  • Cooling Systems for the Data, Network or Telecom Racks
  • Physical Access Systems

These regulations make it clear that your racks of servers and telecom systems together with their UPS, PDU, Cooling and Physical Access systems must be secured and monitored.  While protecting these types of systems in a large data center can be done in a more centralized fashion, the ability to protect distributed racks and support systems is a much more difficult task. These racks are found in places like:

  • Network Rooms and Closets including all IDF and MDF Rooms
  • Telecom Rooms and Closets including PBX and Telecom Switch Rooms
  • Small Server Rooms

Virtually all of the server, network, telecom, power and cooling systems found in these rooms are rack-mounted.   Because of this, a practical way to meet the regulations is a rack-based system that is able to both secure and monitor all of these systems.  We designed RackGuardian to be a fully-enabled Smart Firewall unit that provides both integrated firewall security and analytic monitoring for any server, telecom system, UPS, PDU and cooling unit.

In coming blogs, we will discuss the specific ways in which UPS and PDU units have already been used to attack information systems.  We will also address attacks on telephone switching and PBX systems and how they have had disastrous effects on their owners.  In addition, we will take a look at how the GLBA regulations integrate with the New York State regulations and how complementary they are to one another.

If you would like to have a confidential discussion on protecting your server and telecom racks from cyber, physical and operational attacks, we would be happy to work with you to provide the protection and compliance you need for your company.

Until Next Time,

Be Well!


PCI-DSS Requirements for Backup Power Security

Greetings and welcome back!  In today’s blog we are going to look at a critical segment of PCI-DSS security that is often overlooked: PCI-DSS Requirements for Backup Power Security.  To begin with, PCI PIN Security Requirements and Testing Procedures require the use of an Uninterruptible Power Supply (UPS) as given in the following section:

32-5 All access-control and monitoring systems (including intrusion-detection systems) are powered through an uninterruptible power source (UPS).

This makes good sense because, in the event of a power failure, if security access control and monitoring systems are offline, someone could easily force their way into a network closet and your data rack and simply pick up the server and walk out with it.  Needless to say, you must have enough power to ride-through a significant power outage but, how much backup power is enough?  PCI-DSS standards do not say but, it is interesting to note that the FCC now requires telecom providers to offer their customers the option of 8 hours of backup power for IP-based voice service.  While that may seem like a long time, consider this: a power outage for a utility customer in the US can average nearly 5 hours in length, as this annual report from the US Energy Information Administration shows.

[Chart from the EIA report: average outage duration by utility type, non-major vs. major events]

Let’s take a look at the detail of this chart.  The total time of an outage is broken down into “non major events” and “major events”.  Non major events tend to be local outages caused by such things as a blown transformer within a utility system.  Major events are normally related to weather such as significant thunderstorms.  As the graph shows, major events are always longer, on average, than are non-major events within a utility’s own system.  But, even the best performance for outages – from municipally owned utilities – shows a nearly one hour power outage for a system-caused problem and the municipal utility average for a major event was 2 hours.

The long and short of this is that, if you fall under PCI-DSS, you need to back up the security systems protecting your server’s data for a minimum of 2 hours.  If you are within an investor-owned utility’s service area, the average outage with a major event is 3.5 hours and with a co-op, it’s nearly 5 hours.  So, if you fail to provide the proper backup and someone simply walks in and steals your server, you could be found liable under the “reasonable man” standard in any credit card lawsuits that result from this type of data loss.

In addition to purchasing a UPS with sufficient battery backup time, you also need to monitor that UPS and its battery time.  Why do you need to do this?  The answer is that batteries, whether in your car or in a UPS, degrade over time.  With each passing year they provide less and less of the runtime that you need.  In addition, batteries degrade with each cycle in which they are used.  So, if your site is located in an area where there are lots of power flickers, those sub-second flickers cause a standby or line-interactive UPS to transfer onto battery each time (a double-conversion unit rides them through on its inverter), and every one of those short cycles shortens the backup battery’s life.

Fortunately, most UPS systems provide a serial or network port that allows you to monitor the battery conditions and ensure that you will have the necessary battery backup time if it is needed.  Our RackGuardian product was designed to secure a rack and protect its power systems from physical, operational or cyber problems.  RackGuardian integrates with any type of card-key or biometric door locking system, allowing you to be fully compliant with PCI-DSS physical security requirements.  In addition, RackGuardian plugs into the network or serial port of your UPS as well as your Rack Power Distribution Unit (PDU) to secure these systems from a cyber or physical attack and to monitor their system integrity.  RackGuardian’s exclusive and patented power analytics will provide you with an early warning of any problem with your battery system, ensuring that you have the battery backup time available when you need it.

Think about these things a bit and, we would be more than happy to have a confidential discussion about protecting your data and your backup power systems.  In fact, our experts can actually help you choose the best power system for you from the numerous sources available to us.  So, until next time,


Be Well!

PCI-DSS Breaches and Data Rack Security

Greetings and welcome back!  In this week’s blog, we begin a new series on PCI-DSS Breaches and Data Rack Security.  Every retailer must keep their systems secure and PCI-DSS standards require strict control of the cyber, physical and operational security of data racks.  But as we shall see in today’s blog, there is a huge gap between what individual retailers believe suffices for PCI-DSS compliance and actual compliance with these standards.

To begin with, there are 12 individual security requirement categories in PCI and each must be followed carefully to be in compliance.  If a user is in compliance with all 12, statistics show that they will be much less likely to have a breach.  In addition, if a breach does occur, the liability to the user is substantially less if all 12 requirements had been followed carefully.  Unfortunately, many organizations believe that they are complying with these 12 standards when in fact, they are not.

A great example of this comes from the most recent Verizon PCI Compliance Report.  In this report, all users were asked if they were in compliance with all 12 categories of PCI compliance.   Then, users who suffered a breach were asked to provide a post-breach assessment of their actual compliance levels.  It is an eye-opening report to say the least and one thing that jumped out to me was the overall compliance levels in Requirement 12 – Maintaining an Information Security Policy Standard.  As you can see from the chart below, while 65% of overall users had a 3rd party compliance certification for Requirement 12, only 10% of users that were breached were actually compliant in this area.  In other words, those who are relying on a mere certificate are taking enormous risks with their data.

[Chart from the Verizon PCI Compliance Report: compliance by requirement, all organizations vs. breached organizations]

Let’s look at a couple of areas in Requirement 12 that have led to some serious data breaches in the past few years.

“Malicious individuals may breach physical security and place their own devices on the network as a ‘back door.’ Personnel may also bypass procedures and install devices.”

It is all-too-common to have a data rack that is not physically secured, where anyone with the will to do so can open the rack door and place a device that serves as a back door into a credit card data server.  A rogue device of this kind is typically used to mount a Man-In-The-Middle (MitM) attack: one way to do it is to insert a router, separate from the existing Internet router, between the servers and the rest of the network, as described in this excellent research article by Towson University’s computer science department.  By this simple procedure, anyone with even modest hacking skills can create a back door into a retailer’s credit card data servers and can essentially steal data at will.

Another item pointed out in the text of Requirement 12 is that data thieves can create back doors by using existing devices that provide remote access to systems within a data rack.  One way that this is being done is to use the networked Uninterruptible Power Supply (UPS) or Power Distribution Unit (PDU) to create a back door to the credit card server’s data.  Again, the text in Requirement 12 specifically addresses this issue as follows:

Remote-access technologies are frequent “back doors” to critical resources and cardholder data. By disconnecting remote-access technologies

This type of attack has already been carried out successfully, in a recent attack that caused millions of dollars in losses, as can be seen here.  Because the PCI PIN Security Requirements require that access-control and monitoring systems be powered through a UPS, all users should have a UPS and a remote monitoring package for their backup power to ensure that their backup systems are working.  However, any remote monitoring system for the UPS MUST be implemented in a way in which no one has the ability to connect to the UPS without authorization.

Our RackGuardian system is a perfect answer to solving both the Physical Access Security issues that can be used to create a man in the middle attack and in protecting and securely monitoring your Uninterruptible Power Supply.  Please think about these things and, feel free to give us a call to have a confidential discussion about how we can help you become PCI compliant and greatly reduce your chances of having your credit card data stolen.

Until Next Time,

Be Well!


HIPAA Environmental Monitoring Standards

Greetings and welcome back!  This week we continue our series on the cyber, physical and operational security standards for HIPAA compliance.  Specifically, we take a look at HIPAA Environmental Monitoring Standards for the cooling and protection of the servers where your ePHI is stored.

SECURING ENVIRONMENTAL MONITORING AND CONTROL SYSTEMS

Medical records must be protected from more than just cyber or physical threats. HIPAA Security standards require that they must also be protected from destruction in the event of a natural or environmental event. This is specifically provided for in

HIPAA Section 164.304: “Physical safeguards are physical measures, policies, and procedures to protect a covered entity’s electronic information systems and related buildings and equipment, from natural and environmental hazards…”

What are some of the environmental hazards that can cause the downtime, damage or data loss in the electronic information systems?  Here are a few that have been singled out in data environments:

  1. HVAC Cooling failure in server room or network closet resulting in overheated servers and downed ePHI systems
  2. Server cooling fan failure resulting in shutdown of ePHI server
  3. Water leak over servers or network equipment resulting in destruction of ePHI servers and data

All of these environmental problems are real problems that are often cited for failure of Information Systems equipment. As shown in this recent study of IT Systems Failure by the Uptime Institute, environmental-related failure is the 3rd largest cause of system downtime.  If you add “Weather Related” including water from heavy rains, etc, you get over one quarter of all IT system failure is due to environmental causes.

[Chart from the Uptime Institute study: causes of IT system downtime]

HIPAA requires all covered entities and business associates to protect the rooms that contain their ePHI from environmental hazards, and environmental monitoring is the practical means of meeting that requirement, yet very few have taken it seriously.  Because over a quarter of all ePHI system failure and data loss is related to environmental causes (and data loss is a HIPAA violation), it is penny-wise and dollar-foolish to fail to provide proper environmental monitoring for your server rooms.

Our RackGuardian system is purpose-built to provide cyber, physical and operational protection for all of your environmental control systems.  Please think about this and feel free to give us a call to confidentially discuss the protection of your critical server and network rooms.

Until Next Time,

Be Well!


HIPAA Backup Power Standards for Server Racks

Greetings and welcome back!  This week we continue our series on cyber, physical and operational security standards as we take a look at HIPAA Backup Power Standards for Server Racks.  Many entities who are under HIPAA requirements are unaware that there are exacting operational standards for backup power and environmental control of the servers which contain ePHI.  It is our hope that this blog will bring those standards to light in a way that greatly enhances compliance with them.

Let’s focus on the Backup Power Standard and how to be in full compliance with its requirements.

Section 164.308(a)(7)(ii)(C): “Establish (and implement as needed) procedures to enable continuation of critical business processes for protection of the security of electronic protected health information while operating in emergency mode. When a covered entity is operating in emergency mode due to a technical failure or power outage, security processes to protect EPHI must be maintained.”

To begin with, while a small number of organizations find themselves on a power grid segment that rarely goes down, the simple fact is that most every facility has at least one power problem during the year.  Our local utility – PG&E – republished an excellent article entitled “How to guard computers and sensitive electronic equipment from expensive downtime and unscheduled maintenance.”  Even though this article is nearly 20 years old, the fact is that power problems have not changed, nor have the means needed to protect data from them.  The only change is that the technology used in these data protection systems has been significantly upgraded in the past few years.

In this article, PG&E cites a number of power problems and solutions but, generally, the problems and solutions fall into 3 categories:

  1. Power outage or transient – requires an Uninterruptible Power Supply (UPS) and potentially a backup generator
  2. Power surge – requires a Power Distribution Unit (PDU) with a surge suppressor

A UPS can protect your data from a power outage or a transient such as a power spike or dip.  However, only what is known as an “on-line” UPS can provide true protection from any type of outage or transient.  An on-line UPS uses what is known as “double-conversion” technology, where a rectifier converts the AC power wave into DC and then an inverter creates a new, clean AC power wave from scratch.  A battery or string of batteries is included in the circuit to provide ride-through AC power during the transient or outage.

The bottom line is that a true on-line UPS can protect your data from improper destruction – a HIPAA requirement – and can provide continuous access to records during an emergency condition – also a HIPAA requirement. The one type of power disturbance that often seems to throw UPS units into fits is a power surge, which can happen so quickly that the UPS simply can’t protect the load.  To protect against this problem, high-quality Rack PDU units can provide excellent surge suppression.  While we won’t go into technology specifics here, there is a very good correlation between the price of a Rack PDU and its internal technology, so please don’t be penny wise and dollar foolish in purchasing a PDU.

Now, when you add a backup power and surge suppression system, you will also need to monitor these units to ensure that they are properly protecting your data.  For example, you need to know that the UPS’s battery is available and fully charged, and you need to know when the UPS is on battery for a transient.  You also need to know when a power surge has hit your PDU units.  But, while you need to monitor your UPS and PDUs to be HIPAA compliant, the communications protocol used for this monitoring – Simple Network Management Protocol (SNMP) – is actually non-compliant in and of itself.  This well-done university research paper shows just how insecure SNMP monitoring of a UPS and PDU is.  This, then, creates a huge dilemma: how do you monitor your power systems securely if their communications are insecure?
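To make the SNMP exposure above concrete, here is an added example (not the post's or RackGuardian's code) that builds a constructed SNMPv2c poll of a UPS and then decodes it the way any passive observer on the management LAN could; the community string and polled OID are sample values, and the v3 branch only inspects the version field.

```python
# Added example (not the post's code): a constructed SNMPv2c UPS poll, decoded as a LAN sniffer would.
UPS_CHARGE_OID = "1.3.6.1.2.1.33.1.2.4.0"  # upsEstimatedChargeRemaining, UPS-MIB (RFC 1628)
def tlv(tag, body):
    return bytes([tag, len(body)]) + body  # short-form BER length (body < 128 bytes)

def read_tlv(buf, pos=0):
    tag, n = buf[pos], buf[pos + 1]
    return tag, buf[pos + 2:pos + 2 + n], pos + 2 + n

def encode_oid(dotted):
    ids = [int(x) for x in dotted.split(".")]
    out = [40 * ids[0] + ids[1]]
    for n in ids[2:]:  # base-128 sub-identifiers, high bit marks continuation
        chunk = [n & 0x7F]
        while n > 0x7F:
            n >>= 7
            chunk.insert(0, (n & 0x7F) | 0x80)
        out += chunk
    return tlv(0x06, bytes(out))

def decode_oid(body):
    ids, n = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            ids, n = ids + [n], 0
    return ".".join(map(str, ids))

def build_v2c_get(community, oid, req_id=1):
    """GetRequest like a UPS poller sends; community and OID are sample values."""
    vbl = tlv(0x30, tlv(0x30, encode_oid(oid) + tlv(0x05, b"")))  # one varbind, NULL value
    pdu = tlv(0xA0, tlv(0x02, bytes([req_id])) + tlv(0x02, b"\0") * 2 + vbl)
    return tlv(0x30, tlv(0x02, b"\x01") + tlv(0x04, community.encode()) + pdu)

def audit_snmp_message(msg):
    body = read_tlv(msg)[1]
    _, ver, pos = read_tlv(body)
    version = int.from_bytes(ver, "big")
    if version == 3:  # USM authPriv encrypts the PDU; only the version is readable here
        return {"version": "v3", "exposed": False, "community": None, "oids": []}
    _, comm, pos = read_tlv(body, pos)  # v1/v2c: the community string is the only credential
    pdu, p = read_tlv(body, pos)[1], 0
    for _ in range(3):  # skip request-id, error-status, error-index
        _, _, p = read_tlv(pdu, p)
    vbl, oids, q = read_tlv(pdu, p)[1], [], 0
    while q < len(vbl):
        _, vb, q = read_tlv(vbl, q)
        oids.append(decode_oid(read_tlv(vb)[1]))
    return {"version": {0: "v1", 1: "v2c"}[version], "exposed": True,
            "community": comm.decode(), "oids": oids}
```

Running `audit_snmp_message(build_v2c_get("public", UPS_CHARGE_OID))` reports the community string and the UPS battery OID in the clear, which is exactly what a monitoring link needs to hide.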

Fortunately, RackGuardian has you covered.  RackGuardian does monitor all UPS and PDU parameters, but it does so inside its CYBER-SAFE COMMUNICATIONS ENVELOPE.  The unit blocks ANY outside attempt to read data or interfere with the power systems while it securely monitors all operational parameters and sends all of its data via an encrypted, secure link to our fully compliant cloud system.  The cloud system uses the same technology that you use to connect with your online banking to ensure HIPAA compliance.  The combination of all these factors means that you can securely monitor and protect your power systems from any type of cyber, physical or operational harm.

In sum, HIPAA requires all covered entities and business associates to support ePHI systems with backup power and power distribution units.  This is required to keep ePHI from being destroyed by a power problem and to keep ePHI data available during a power emergency.  You must monitor the health of your UPS and PDU systems, but you must do so in a way that does not expose these units to cyber, physical or operational attack.  RackGuardian is the only system that has been purposefully built to protect your UPS and PDU systems from all threats that could wreak havoc on your data.

Please think about your systems and we would be happy to have a confidential discussion about how you can protect your ePHI from all threats.

Until next time,

Be Well!


HIPAA Physical Security Standards for Server Racks

Greetings and welcome back.  This week we continue our blog series on the Cyber/Physical/Operational standards for HIPAA with a look at HIPAA Physical Security Standards for Server and Telecom Racks.  As we saw in our last blog, HIPAA breaches continue to grow in number and severity, and one of the key reasons for this growth is very poor physical security of electronic Protected Health Information (ePHI).  Let’s use this blog to examine the key physical security standards for HIPAA in order to better understand the types of security that must be put in place to be HIPAA compliant and reduce your chances of a disastrous security breach.

To begin with, please realize that the physical security standards for HIPAA are fairly lengthy, so we are posting only the first section, which deals specifically with Physical Access Security for your server and telecom rack(s).

A covered entity or business associate must, in accordance with § 164.306:

(a)(1) Standard: Facility access controls. Implement policies and procedures to limit physical access to its electronic information systems and the facility or facilities in which they are housed, while ensuring that properly authorized access is allowed.

The key provision of the HIPAA Physical Security Statute is Physical Access Controls.  These access controls must be implemented to limit access to the electronic information systems and to the facility or facilities in which they are housed.

HIPAA 164.310 requires physical access controls on every server and telecom rack that contains ePHI and on the room in which each is located.

What type of access controls are required?  The covered entity or business associate must have a system that accomplishes 2 purposes.  Every HIPAA covered entity must:

  1. Restrict physical access to ePHI from those who do not have access authority
  2. Grant physical access only to those who have written access authority

Simply put, you must have a Physical Access Control System on every room containing ePHI and on the racks containing ePHI.  Please note that ePHI is stored both on Electronic Health Records (EHR) servers and on your IP-based phone system, which stores messages from patients. If your telecom and EHR servers are located in separate racks, you must either relocate them to the same rack within the same room or ensure that all separate racks and their rooms have their own Physical Access Control System.  Failure to safeguard both EHR and telecom servers is a common mistake that violates HIPAA rules.

Putting a card or biometric access system into an existing server or telecom rack is not difficult, and it takes only about 20 minutes to install each one.  The largest brand is resold by AlphaGuardian Networks with the RackGuardian system, and all of its features are integrated into our product.  RackGuardian integrates with a card-access or biometric access system: it controls access to each rack and room, and it also logs entries and exits for the room and for each server and telecom rack.

Please remember that nearly half of all HIPAA breaches are physical in nature because very few organizations employ access controls both at the room level and on the individual racks containing ePHI.  Also review this chart from last week’s blog to understand the severity of failing to cover yourself for physical breaches – which are now nearly half of all HIPAA violations.

HIPAA Physical Security for Server Racks


Now, recall also from last week that nearly half of all physical access and theft violations were from insiders.  If that alarms you, it should, but the fact is that ePHI is worth a lot of money on the open market.  The value in ePHI is both as raw records – worth around $10 per record – and in Ransomware – worth many thousands of dollars per rack.  As physical breaches grow, so do the number and total of HIPAA fines levied against healthcare providers and their business agents.

The Compliancy Group publishes all HIPAA fines levied and settled as of the latest week.  As you can see from the chart below, the total fines for HIPAA violations are skyrocketing and showing no signs of leveling off.  At the present rate of fines, the total for 2017 will be $41 million and, if trends continue, 2018 could approach $75 million.  Please bear in mind that this cost does NOT include the cost of legal settlements with individuals whose records have been breached.

Fines for HIPAA Violations

The long and short of this is that placing a Physical Access Security system on your server and telecom racks and on the room in which they are located is a very small price to pay to be HIPAA compliant and avoid the enormous cost of fines and lawsuits.  Our patented RackGuardian unit is the only system on the market that integrates Physical Access Control for rooms and their server racks together with full Cyber and Operational security.  We would urge every reader to look carefully at this solution, and we would be more than happy to have a confidential discussion about how to protect your ePHI from all threats.

Until Next Time,

Be Well!