Wednesday 20 December 2017

A "HIPAA Extortion" case hit the news

Following my recent article where I tried to explain the concept of "GDPR Extortion", a data breach of a Health IT provider hit the news early this week, and the case of "HIPAA Extortion" became a sad reality.

For those of you who are not familiar with HIPAA (Health Insurance Portability and Accountability Act of 1996), it is United States legislation that provides data privacy and security provisions for safeguarding medical information, and in this case it applies to the Health IT provider that was breached.

The Nashville-based company (Medhost) is being asked by the cybercriminals to pay 2 Bitcoins (BTC), which at the moment is approximately $35K (USD); otherwise they will sell the data they managed to steal. What is very interesting in this story, however, is that they try to make their case by saying that they will do:
" ..a media release regarding the lack of security in a HIPPA environment. "
The screenshot is from Google's cache*, as the website of the breached company appeared on 19/Dec 2017 at 20:02 GMT.


The cybercriminals are trying to engage in some sort of HIPAA Extortion with the company they allegedly managed to breach (it is not yet confirmed at this stage whether they indeed managed to steal regulated information). This is a case where the cybercriminals are trying to force the company to pay the extortion money by threatening it with the consequences it would face under HIPAA.

What you need to know about HIPAA is that, unlike PCI compliance for Card Data Environments and Card Holder Data, there is no one who can "certify" that an organization has a HIPAA Compliance Certification. Consequently, in order to meet HIPAA compliance software requirements, companies need to ensure they're meeting the four main requirements of the HIPAA law. The main requirements of the HIPAA Compliance Checklist are:

  • Administrative Safeguards: Regarding policies and procedures in place to ensure the proper employee management, training and oversight for staff that come into contact or manage protected health information.
  • Technical Safeguards: These safeguards include things like encryption and decryption, audit controls, emergency access procedures, HIPAA file storage and more.
  • Physical Safeguards: These safeguards refer to the security of the data. 

This case is a reminder that such extortion cases might start appearing more often, especially with regulations such as the GDPR, which will be in effect in May/2018. As security professionals we must try to think ahead and make sure that such cases won't become a money-making opportunity for cybercriminals.



* (Google Cache link at the time of writing the blogpost: http://webcache.googleusercontent.com/search?q=cache:pg24bBkCCTEJ:medhost.com/+&cd=1&hl=en&ct=clnk)
