The HHS Office of Civil Rights is gearing up for round two of HIPAA compliance audits. What should security leaders expect, and how should they prepare? David Holtzman of CynergisTek and Geoff Bibby of Zix offer insights and advice.

To start with, covered entities should recognize that their odds of being audited are far greater than they were in round one, and OCR has made no bones about what it expects to examine for compliance.

"It will be sort of like an open-book examination at school," says Holtzman, a former senior advisor at OCR. "You know what the questions are going to be before they're even asked."

Entities need to be prepared to present information about their risk assessments, risk management plans, privacy programs, breach notification plans - and especially about their business associate relationships, Holtzman says.

"I urge folks to prepare themselves not just for the questions they will be asked ... but also how they're going to be prepared to provide this information about their business associates," he says.

A key component of security is to ensure that any email correspondence that contains personal health information - whether in correspondence with a patient, caregiver or third-party - is encrypted.

"Adding email encryption is really rather simple," says Bibby, VP of Marketing at Zix. "You can have a policy gateway at the perimeter of your network that will scan messages as they leave and enter the enterprise, look for sensitive information, and as soon as it detects that there is PHI within the message, it will immediately trigger encryption."

In an interview about preparing for round 2 of the HIPAA audits, Holtzman and Bibby discuss:

Holtzman joined the information security consulting firm CynergisTek in 2013, where he serves as vice president of privacy and security compliance services. Previously, the attorney was a senior adviser at the Department of Health and Human Services' Office for Civil Rights, where he played key roles in planning and developing policy and guidance issued under HIPAA and HITECH Act regulations. Earlier, Holtzman served as the privacy and security officer for Kaiser Permanente's Mid-Atlantic region.

Bibby joined Zix in September 2003 and serves as Vice President of Marketing. He has more than 15 years of experience in high tech marketing. Prior to Zix, he spent six years at Entrust Inc., an internet security vendor, where he served in various management roles, including Marketing Director for Entrust European operations.

Encryption , Fraud , Technology

Australian entrepreneur Craig Wright claimed to be the secret father of bitcoin known only as "Satoshi Nakamoto" (see Police Raid Suspected Bitcoin Founder's House). But his claims have been dismantled in spectacular fashion by several security experts, who report that Wright's math didn't add up.

See Also: How to Illuminate Data Risk to Avoid Financial Shocks

All of that prompted Dan Kaminsky, chief scientist at anti-malware firm WhiteOps, to dismiss Wright as being "the world's first cryptographically provable con artist."

Wright's shell game involved using a passage of text from French philosopher Jean-Paul Sartre, which he claimed to have signed using a private key tied to very early blocks of bitcoins that were known to have been generated - or mined - by Nakamoto. Signing that block of text would have generated a hash, which could theoretically be used to verify that Nakamoto's key had, indeed, been used, without revealing the private key itself.

"These are the blocks used to send 10 bitcoins to Hal Finney in January [2009] as the first bitcoin transaction," Wright said during a meeting with the BBC. Wright also claimed that Finney had helped him translate his cryptocurrency ideas into bitcoin reality. "I was the main part of it, but other people helped me," he said.

Gavin Andresen, chief scientist at the Bitcoin Foundation, said that he "was flown to London" recently to meet Wright, where he watched him sign a message using what he believed to be a key "that only Satoshi should possess." As a result, he said that he was "convinced beyond a reasonable doubt" that Wright was Nakamoto, and that "even before I witnessed the keys signed and then verified on a clean computer that could not have been tampered with, I was reasonably certain I was sitting next to the father of bitcoin."

Multiple media outlets quickly proclaimed that Wright created bitcoins, and Wright issued a blog post, saying that since launching bitcoin, "I have been silent, but I have not been absent," and adding that "I have been engaged with an exceptional group and look forward to sharing our remarkable work when they are ready."

Who is Craig Wright?

But Wright's move to seize the Nakamoto mantle quickly fell apart as security experts attempted to verify his claims.

The complexity of Wright's attempt to prove he was Satoshi is part of what immediately triggered alarms, many security experts say. For example, the tongue-in-cheek Twitter user known only as "Swift on Security" asked why - rather than attempting to sign a file containing a passage from a French philosopher - Wright didn't just move some of the bitcoins known to have been held only by Nakamoto, at a pre-announced time and place?

To prove you are Satoshi, please transfer 100 Bitcoin from the original blocks into my MtGox account

Shell Game Revealed

In short order, Kaminsky and other security experts found that they could duplicate what Wright had done by recovering part of a bitcoin transaction that Nakamoto signed, and which was still associated with the relevant transaction in the blockchain, which is the public ledger of all bitcoin transactions.

"Unknown to us, [Wright] grabbed a transaction from the real Satoshi and grabbed the initial hash. He then claimed that his 'Sartre' file had that same hash," Robert David Graham, who heads research firm Errata Security, says in a blog post.

Meanwhile, Kaminsky blogged: "Of course the blockchain is totally public and of course has signatures from Satoshi, so Wright being able to lift a signature from here isn't surprising at all."

Andresen subsequently told the BBC that he believes he made a "mistake" to believe Wright. He also told Kaminsky: "Of course [Wright] should just publish a signed message or (equivalently) move some btc [bitcoins] through the key associated with an early block," rather than claiming to have signed a Sartre extract.

In the face of that criticism, Wright issued a new blog post, saying "extraordinary claims require extraordinary proof," and promised to back up his claims. "You should be skeptical. You should question. I would," he said. "I will present what I believe to be 'extraordinary proof' and ask only that it be independently validated."

Rather than delivering on that promise, however, Wright then, instead, erased his website, leaving only a 148-word message that begins with, "I'm sorry," and claiming that he didn't have the courage to "put the years of anonymity and hiding behind me," but not denying his claims to be Nakamoto.

One Wright, All Wrong

Following questions over his claim to have been bitcoin founder Satoshi Nakamoto, Craig Wright erased his website, leaving only this message.

Security experts have been scathing in their analysis of what many say was a scam. "The complexity of the trick proves it wasn't an idle mistake, but a deliberate attempt to defraud everyone," says Graham, whose blog post provides an in-depth explanation of exactly how Wright's deception worked.

It was a really good trick. It would've worked against me. It didn't work against the fact there are so many talented people out there.

"He probably would have gotten away with it if the signature itself wasn't googlable by Redditors," Kaminsky said, referencing Reddit users who tested every aspect of Wright's claims before finding that they unraveled.

"It's not actually surprising that somebody would claim to be the creator of Bitcoin. Whoever 'Satoshi Nakamoto' is, is worth several hundred million dollars," Kaminsky says. At the very least, Wright might have commanded millions of dollars in book deals and speaking fees.

But for now, the true identity of the individual - or perhaps group - known as "Satoshi Nakamoto" remains a mystery.

DDoS , Risk Management

Anonymous claims it has unleashed "Operation Icarus" against the "global banking cartel," commencing with a May 3 distributed denial-of-service attack against the central bank of Greece's website, followed by several other bank website attacks. But so far, the impact of the interruptions apparently has been minimal, continuing Anonymous' track record for attacks that fail to pack much of a punch.

See Also: Proactive Malware Hunting

Nevertheless, security experts warn banks that it's time to double-check their DDoS defenses to minimize risks.

The anti-bank DDoS campaign, which the hacktivist collective claims is set to run for 30 days, is just the latest of many Anonymous has launched against targets that its members dislike. But it's unclear what - if any - effect the group's DDoS attacks have had, except to get Anonymous into the news.

Indeed, the Bank of Greece reports that the Anonymous DDoS attack disrupted its website for only a few minutes (see Anonymous Threatens Bank DDoS Disruptions). And Anonymous is taking credit for DDoS attacks against about nine other banks around the world, although the impact of the interruptions appears to have been relatively minimal, according to International Business Times.

Over the years, none of the organizations or individuals Anonymous has targeted with DDoS attacks appear to have been heavily inconvenienced. Among the long list of Anonymous' past targets are PayPal, MasterCard, Visa the FBI and trade associations, including the Recording Industry Association of America and the Motion Picture Association of America. Another target was Westboro Baptist Church, an independent group that self-identifies as a church and which is known for picketing the funeral of members of the armed services.

And in March, Anonymous declared "total war" against Republican presidential candidate Donald Trump, and on April 1 temporarily disrupted several of Trump's websites, The Hill reports. "Dear Donald Trump, how do you plan to protect the world if you can't even protect something as simple as your websites?" the group asked in a video posted to YouTube.

Despite suffering the slings and arrows of anonymous hacktivists, Trump is now the presumptive Republican nominee for November's U.S. presidential elections.

Who's Behind the Mask?

Every year on Nov. 5 - Guy Fawkes Day - some branch of Anonymous or other threatens to destroy something or other, such as Facebook, which went on to post $5.8 billion in 2015 revenue (see Hacktivism: An Affair to Remember).

Of course, anyone can don the proverbial Guy Fawkes mask - the group's icon, drawn from the film "V for Vendetta" - and claim to speak on behalf of the collective. But Anonymous is not a single organization, nor based in a single geography. Investigations into the collective - such as Parmy Olson's 2012 We Are Anonymous - show there's an ever-evolving cast of Anonymous chat-room moderators as well as regular "Anons" who participate in related efforts.

Of course, if everyone is Anonymous, who's to know what agendas might lurk in Anonymous chat rooms? After "Operation Trump" first launched in December 2015, for example, the administrator behind the Twitter account YourAnonCentral, which since 2006 has coordinated Anonymous-related communications, claimed to the Guardian that both the Trump campaign and the campaign of Democratic presidential contender Bernie Sanders had been "actively attempting to subvert and misuse Anonymous for their own gains."

An emerging Anonymous faction argued that Op Trump violated the anarchist collective's ethos of never backing any particular political party. "We are feeling deeply concerned about an operation that was launched in our name - the so-called Operation Trump," according to a March 15 video delivered in the typical Anonymous style, replete with robotic voice. "We - Anonymous - are warning you about the lies and deceits pushed under our banner," the voice continues.

Several of Op Trump's organizers fired back, claiming that their effort had only been an April Fool's Day ploy. "By announcing a DDoS against media darling Donald Trump, the media, enraptured by any coverage of him, gave us a platform to address the American public," they said in a post to text-sharing site Ghostbin.

Despite the bluster, some Anonymous collective members' forays into DDoS technology have failed spectacularly. In 2010, for example, the group began urging people to take up digital arms against MasterCard, PayPal and Visa as part of "Operation Payback," in part by downloading and running the free DDoS tool Low-Orbit Ion Canon, or LOIC.

What many LOIC users failed to appreciate, however, is that the software didn't mask their IP addresses by default. In due course, PayPal and other victims shared packet-capture logs with authorities, who then began tracing back and arresting alleged LOIC users.

Better Dox Success

Where Anonymous has arguably had a bigger impact, however, is when it comes to leaking data from organizations that run afoul of the collective's agenda.

In 2014, for example, an Anonymous-affiliated Twitter account declared "full-scale cyber war" against ISIS - a.k.a. ISIL or Daesh - promising that "Operation Ice #ISIS" would shut down the group's social media influence. Efforts by an Anonymous affiliate that calls itself GhostSec, which says it targets "Islamic extremist content" from "websites, blogs, videos, and social media accounts," have generated intelligence that has been passed to the FBI and apparently helped thwart at least one attack in Tunisia, The Atlantic reports (see Report: U.S. "Dropping Cyber Bombs" Against ISIS).

In December 2015, an Anonymous-branded effort - "Operation KKK" - also leaked the identities of 350 alleged Ku Klux Klan members.

Banks: Be Prepared

Although the history of Anonymous is littered with failed DDoS attacks, multiple security experts have told me that banks should still take the group's most recent threat seriously.

"As with all threats, organizations should review the information available to determine what steps they need to take, if any," information security consultant Brian Honan stresses. As a result, he says, now is a great time for banks to ensure they are reviewing and updating "all of their defense plans," on a regular basis.

But if banks have appropriate DDoS defenses in place, they likely will not feel much Anonymous-delivered DDoS pain.

Anti-Money Laundering (AML) , Breach Response , Compliance

SWIFT has issued its first-ever information security guidance to banks, telling them to get their act together.

See Also: Unlocking Software Innovation with Secure Data as a Service

The guidance was issued as finger-pointing has intensified over who's responsible for the failures that led to the theft of $81 million from the Bangladesh central bank's New York Federal Reserve account in February.

Bangladeshi police have publicly blamed Brussels-based SWIFT, a bank-owned cooperative founded in 1973, for introducing vulnerabilities into its IT infrastructure that attackers later exploited. But SWIFT, which stands for the Society for Worldwide Interbank Financial Telecommunication, says in a statement that those are "baseless allegations" and that the bank is responsible for the security of all systems that interface with its network, "starting with basic password protection practices."

As part of the audacious online heist - one of the largest in history - hackers attempted to transfer $1 billion out of Bangladesh Bank's account at the Federal Reserve Bank of New York and successfully transferred about $100 million. Most of that money was then laundered via casinos in the Philippines and disappeared, investigators say, although about $20 million has since been recovered.

SWIFT Guidance

In the wake of the theft, SWIFT acknowledged that Bangladesh Bank wasn't the first user to be targeted with malware that was designed to subvert the cooperative's messaging platform (see SWIFT Confirms Repeat Hack Attacks).

And for the first time in the cooperative's history, earlier this month SWIFT issued information security guidance to all of its users, urging them to review their security policies and procedures, Reuters reports. "SWIFT is not, and cannot, be responsible for your decision to select, implement (and maintain) firewalls, nor the proper segregation of your internal networks," according to a copy of the letter, dated May 3, and shared by a bank with Reuters for review on May 10.

"As a SWIFT user you are responsible for the security of your own systems interfacing with the SWIFT network and your related environments," the letter says. "We urge you to take all precautions."

SWIFT confirmed the authenticity of that report but declined to share a copy of the letter.

Greater Cooperation Pledged

Bangladesh officials had previously stated that they believe that the New York Fed and SWIFT share at least some responsibility for the February attacks. Of 35 transfer orders created by the hackers and submitted to the New York Fed, the Fed stopped most for being suspicious, but did let five through.

But on May 10, representatives from SWIFT met with the Bangladesh Bank, including its governor, and the New York Fed, including its president, to discuss the February attack, and they agreed to work more closely together. "The parties also agreed to pursue jointly certain common goals: to recover the entire proceeds of the fraud and bring the perpetrators to justice, and protect the global financial system from these types of attacks," the three parties said in a jointly issued statement.

FBI investigators now suspect that at least one bank employee acted as an accomplice, The Wall Street Journal reports, but Bangladesh Bank officials say they have received no related intelligence from the bureau.

Meanwhile, an investigation by digital forensic investigation firm FireEye, which was hired by the bank to investigate the breach, found evidence that three different hacking groups had penetrated the bank's system, Bloomberg reports. Two of those groups have suspected ties to nation states - one to North Korea, the other to Pakistan - but FireEye said it suspects that a third, as yet unidentified group of hackers committed the heist.

FireEye didn't immediately respond to a request for comment about that report.

Police Probe Blames SWIFT

The May 10 meeting followed remarks made by Mohammad Shah Alam, the head of the criminal investigation department of the Bangladesh police, to Reuters, saying that its probe discovered that a SWIFT technician had not followed standard operating procedures when connecting the bank's first-ever real-time gross settlement system to SWIFT, three months prior to the cyber heist, thus leaving "loopholes" that compromised the bank's security (see Study: Banks See Surge in Cyber Fraud).

An unidentified bank official told Reuters that access to the SWIFT messaging system had been left easily accessible, that it lacked even a firewall for protection, and only required a simple password, even for remote access. "It was the responsibility of SWIFT to check for weaknesses once they had set up the system. But it does not appear to have been done," the official said.

SWIFT Rebuttal

But SWIFT quickly dismissed those allegations. "The accusations have no basis in fact," SWIFT said in a May 9 statement. "SWIFT was not responsible for any of the issues cited by the officials, or party to the related decisions."

SWIFT added that when it comes to information security, the buck stops with users, while also getting in a dig about poor password practices at the institution. "As a SWIFT user like any other, Bangladesh Bank is responsible for the security of its own systems interfacing with the SWIFT network and their related environment - starting with basic password protection practices - in much the same way as they are responsible for their other internal security considerations," it said (see Why Are We So Stupid About Passwords?).

"We stand by our investigation," Alam told Reuters in response, adding that he didn't want to debate the matter, but rather help catch the criminals involved.