BayPay Forum

Fraud Case Centers on Alleged Stolen Pediatric Clinic Data

Category: Security News
Data Breach, Fraud, ID Theft

Prosecutors Are Not Pursuing HIPAA Criminal Charges
Marianne Kolbasuk McGee (HealthInfoSec) • September 6, 2016

A former administrative worker at a Florida-based pediatric practice has been indicted in federal court along with two others for alleged identity theft and fraud crimes involving stolen patient information. But no HIPAA-related criminal charges were filed in the case.


The 23-count indictment filed on July 26 in a U.S. district court in Tampa, Fla. alleges that Anthony Michael Harris, a former administrative employee in the Tampa office of Pediatric Gastroenterology, Hepatology & Nutrition of Florida, conspired with two other individuals, Larry Chance Cox and Maurice Rahmaan, to commit tax, mail, wire and access device fraud, as well as identity theft, court documents say.

"It was a part of the conspiracy that the conspirators and others would, and did, steal and obtain stolen personally identifiable information from Pediatric Gastroenterology, Hepatology & Nutrition of Florida, among other sources. This stolen PII included names, dates of birth, and Social Security numbers, among other things, of the medical practice's current and former patients, patients' parents and patients' guardians," an indictment document notes.

Federal prosecutors say the conspirators, using the stolen PII, electronically applied "for credit cards and lines of credit to Discover, Capital One, and other financial services firms," and then used or attempted to use the unauthorized credit cards to purchase items from retailers and withdraw cash from ATMs.

Additionally, prosecutors allege that the stolen PII was used to file fraudulent federal income tax returns in an attempt to obtain tax refunds. Court documents do not indicate the total dollar amount involved in the alleged tax and other fraud crimes.

Court records indicate that Harris and Rahmaan were arrested and each released on $50,000 bond, while Cox was released on $75,000 bond. No trial date has been set.

An attorney representing Harris did not immediately respond to an ISMG inquiry about the case.

Breach Investigation

The Department of Health and Human Services' Office for Civil Rights appears to have closed an investigation into the Pediatric Gastroenterology incident, which is listed on its "wall of shame" tally of major breaches as affecting 13,000.

The listing notes that on June 25, 2015, the Tampa Police Department notified the clinic that paper printouts from the facility were found during a criminal investigation. "An employee of the CE [HIPAA covered entity] removed appointment sheets containing the names, Social Security numbers, dates of birth and account numbers of 13,000 patients from the premises without authorization," OCR notes.

In addition to the covered entity providing breach notification to OCR and affected individuals and setting up a toll free number to answer questions, Pediatric Gastroenterology took a number of other steps to bolster security and privacy in the wake of the incident, OCR notes.

"Following the breach, the CE reviewed its policies and retrained staff on its HIPAA privacy and security policies ... [and] implemented physical security procedures to reduce the risk of unauthorized access to printed documents and implemented role based access procedures to limit access to electronic PHI," OCR says. "The CE also improved administrative safeguards by requiring random background checks on its employees throughout the duration of their employment. The CE also terminated the involved employee's employment. The employee was criminally investigated for actions related to this breach."

Pediatric Gastroenterology did not immediately respond to an ISMG request for comment.

No HIPAA-Related Charges

Despite the multiple counts of fraud-related crimes involving protected health information in the case, court documents indicate that neither Harris nor his alleged co-conspirators were indicted for any criminal HIPAA violations.

A spokeswoman for the U.S. Attorney's Office in the Middle District of Florida declined to comment on why prosecutors did not pursue any HIPAA-related charges.

While criminal HIPAA cases are rare, there have been some notable prosecutions over the last few years. That includes a recent case involving a former Tampa General Hospital worker who was sentenced on Aug. 3 to 37 months in federal prison on HIPAA violations and tax fraud charges (see HIPAA Criminal Prosecutions on Rise).

"Prosecutors have lots of choices on how to pursue these cases and often just do what they are used to doing from previous cases," notes privacy attorney Kirk Nahra of the law firm Wiley Rein.

The factors prosecutors weigh in deciding whether to pursue HIPAA violations in fraud cases involving patient information can vary based on a number of considerations, notes privacy attorney David Holtzman, vice president of compliance at the security consultancy CynergisTek.

"First, the elements of the crimes of identity theft and fraud may be easier to prove, are more familiar to judges and juries that are the triers of fact, are punishable with longer prison sentences and fines, as well as allow the government to seek forfeiture of assets obtained through the performance of the fraud or ID theft," he says. "In addition, it may be easier to prove these crimes because the evidence is in the records maintained by the credit card companies and banks that lost money through these schemes."

The Insider Threat

The Pediatric Gastroenterology case highlights the threats that insiders can pose.

"Studies have shown a persistent threat from unauthorized disclosure of PHI by insiders, whether it be stalking, snooping or like here using patient financial information for financial crimes," Holtzman says.

He advises organizations to "take action to perform a background investigation of workforce members who have access to PHI and financial information. Use software applications to monitor activity of those who have access to patient records, including contractors and outsiders given access to your organization's information systems."

Nahra adds: "I make the point to every company I work with that employees that have access to sensitive data are a significant risk. You need to have a plan to control access as best you can, educate staff on rules and sanctions and then monitor and enforce reasonably but aggressively."
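The monitoring the two attorneys recommend above amounts to two checks on an EHR audit log: is each action permitted for the user's role, and is any user touching far more patient records in a day than their job requires? The following is an added illustration, not code from the article or from any EHR vendor; the role names, action names, daily limit and the audit-log lines are all constructed for the example.

```python
"""Flag risky access to patient records in an EHR audit log.

Added illustration (not from the article or any vendor product): a minimal
role-based access check plus a per-user daily volume check, the kind of
insider monitoring the article's quoted experts recommend.
"""
from collections import defaultdict
from datetime import datetime

# Hypothetical role-to-action policy. A real deployment would load this from
# the EHR's role configuration; these roles and action names are assumed.
ROLE_PERMISSIONS = {
    "clinical": {"view_chart", "update_chart", "view_schedule"},
    "front_desk": {"view_schedule", "check_in"},
    "billing": {"view_billing", "view_schedule"},
}

# Actions that expose identifiers (name, date of birth, SSN, account number).
PII_ACTIONS = {"view_chart", "view_billing", "print_demographics"}

# Distinct patients one user may touch per day before an alert fires.
# Constructed threshold for the sample; tune it to the practice's baseline.
DAILY_PATIENT_LIMIT = 3

# Constructed audit-log lines: timestamp | user | role | action | patient_id
SAMPLE_LOG = """\
2016-06-24T08:02:11 | nurse01 | clinical | view_chart | P1001
2016-06-24T08:05:40 | nurse01 | clinical | update_chart | P1001
2016-06-24T08:30:02 | admin07 | front_desk | view_schedule | -
2016-06-24T09:10:15 | admin07 | front_desk | check_in | P1001
2016-06-24T09:11:03 | admin07 | front_desk | print_demographics | P1001
2016-06-24T09:11:20 | admin07 | front_desk | print_demographics | P1002
2016-06-24T09:11:41 | admin07 | front_desk | print_demographics | P1003
2016-06-24T09:12:05 | admin07 | front_desk | print_demographics | P1004
2016-06-24T10:00:00 | bill02 | billing | view_billing | P1002
"""


def parse_log(text):
    """Parse pipe-delimited audit lines into dicts; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, role, action, patient = [f.strip() for f in line.split("|")]
        events.append({
            "time": datetime.fromisoformat(ts),
            "user": user,
            "role": role,
            "action": action,
            "patient": None if patient == "-" else patient,
        })
    return events


def find_role_violations(events):
    """Return (user, action, patient) for every action outside the user's role."""
    hits = []
    for e in events:
        allowed = ROLE_PERMISSIONS.get(e["role"], set())
        if e["action"] not in allowed:
            hits.append((e["user"], e["action"], e["patient"]))
    return hits


def find_volume_anomalies(events, limit=DAILY_PATIENT_LIMIT):
    """Return {(user, date): count} for users who touched PII of more distinct
    patients in one day than the limit allows."""
    seen = defaultdict(set)
    for e in events:
        if e["action"] in PII_ACTIONS and e["patient"]:
            seen[(e["user"], e["time"].date().isoformat())].add(e["patient"])
    return {k: len(v) for k, v in seen.items() if len(v) > limit}


def analyze(text=SAMPLE_LOG):
    """Run both checks over a log and return the findings by kind."""
    events = parse_log(text)
    return {
        "role_violations": find_role_violations(events),
        "volume_anomalies": find_volume_anomalies(events),
    }


if __name__ == "__main__":
    for kind, findings in analyze().items():
        print(kind, findings)
```

On the constructed log, the front-desk account is flagged twice: once by policy, because `print_demographics` is not a front-desk action, and once by volume, because it pulled identifiers for four distinct patients in a day. The second check matters even where policy is looser than it should be, since an administrative employee printing whole appointment sheets (the scenario OCR describes above) shows up as a volume spike long before the credit applications do.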


Encrypting the Internet of Things

Encryption, Technology

NIST: Specially Designed Cryptography Needed for Small Computing Devices
Eric Chabrow (GovInfoSecurity) • September 6, 2016

The National Institute of Standards and Technology is moving ahead with an initiative to create standards for cryptographic algorithms for small computing devices, such as those found in automobiles, control systems, smart grids and the Internet of Things.


NIST last month issued a draft report, Interagency Report 8114: Report on Lightweight Cryptography, which provides an overview of its lightweight cryptography project and describes plans to standardize these algorithms.

Cryptographic algorithms designed to secure large computer devices - servers, desktops, tablets and smart phones - don't necessarily scale downward to function effectively on smaller devices - think embedded systems, radio frequency identification devices, sensor networks and thousands upon thousands of devices that make up the Internet of Things.

Vulnerability Anxieties

Experts have expressed some anxiety about the vulnerabilities created by the lack of encryption for smaller devices. "Everyone who understands cryptography standards and their applications shares the same feeling," says Lily Chen, NIST's acting group leader for cryptographic technology. "We have seen too many lightweight cryptography primitives [low-level algorithms used to build cryptographic protocols for computer security systems] broken. In order to achieve lightweight metrics, special design methodologies are applied. Some of the methodologies are less understood about the security impacts. Even for well-designed lightweight cryptography primitives, misuse could lead to security mishaps."

As smaller computing devices become ubiquitous, NIST is exploring ways to develop tailored algorithms to encrypt them. NIST, in 2013, initiated the lightweight cryptography project to study the performance of the existing NIST-approved cryptographic standards on these so-called constrained devices, understand the need for dedicated lightweight cryptographic standards and, if necessary, design a transparent process for standardization.

Constrained Environments

"We're talking about some very constrained devices, 8-bit processors [with] little memory, low speed, low power," says cryptographer and IT security author Bruce Schneier. He sees the lightweight cryptography project as important because "a lot of the algorithms we have just aren't suitable for these constrained environments. ... We want good algorithms for constrained devices."

NIST plans to create a portfolio of lightweight primitives through an open process, in which submitters describe physical, performance and security characteristics of these algorithms. NIST used a similar process to develop its portfolio of block cipher modes of operations. A block cipher mode is an algorithm that provides an information service, such as confidentiality or authentication.

Power Limits

Because many small computing devices have power and/or bandwidth constraints, lightweight cryptographic solutions must be designed, in many instances, for specific types of devices. For example, some RFID devices draw power from nearby sources to function. That lack of internal power places limits on how the devices can be encrypted.

"The guidance has to be very specific for each application environment," NIST's Chen says. "It is a different approach compared to our general purpose cryptography standards. For lightweight cryptography, to be specific is the key to make sure the guidance can be effective to avoid introducing security flaws."


FS-ISAC's First Chief Info Risk Officer Describes New Role


Greg Temm, the first chief information risk officer at the Financial Services Information Sharing and Analysis Center, says he'll focus on helping members analyze cyberthreats and expand global threat intelligence sharing.

In an interview with Information Security Media Group, Temm says his position was created to help ensure that the FS-ISAC continues to help its 7,000 member firms support the resilience and continuity of the global financial-services infrastructure.

"We continue to take security seriously, as a fundamental component to the value proposition of the FS-ISAC," he says. "Many of our board members are chief information security officers or chief risk officers of their organizations, so they have a keen sense of what is needed from the FS-ISAC to protect their organizations, and this position will further solidify those high-level goals."

Temm will serve as an adviser to FS-ISAC members, leading the organization's global intelligence and risk management programs. He says he'll work to analyze "cyberthreat information that we have at our disposal and glean insight from it to inform our stakeholders about what it might mean to them. They can then use that intelligence to feed into their own risk management practices to help them further mitigate risk."

The new FS-ISAC chief information risk officer says his experience at MasterCard, where he led various components of the card association's security program, helped prepare him to take on the role of disseminating meaningful threat information to FS-ISAC members.

"With recent reports estimating that cybercrime damages alone will top $6 trillion in the next five years, there's a tremendous amount of opportunity to reduce those potential risks by developing programs and partnerships that help our member organizations avoid these losses," he says.

In this interview, Temm also discusses:

  • Why ransomware attacks are a growing concern for the global financial community;
  • How the merging of physical threats and cyberthreats is changing how organizations fight cybercrime; and
  • Steps the FS-ISAC is taking to expand global intelligence sharing.

Temm brings 18 years of experience in cybersecurity and risk management to the FS-ISAC. Most recently, he led MasterCard's Intelligence & Public Private Partnership program for cyber and physical threats. In previous roles at MasterCard, Temm led cybersecurity, network operations and debit operations. He was instrumental in the creation of MasterCard's first security operations center. Temm has served as an officer and director for FS-ISAC.


Building an Effective Network Defense Using Threat Intelligence


After a significant 2003 cyberattack against the company, defense contractor Lockheed Martin spent 10 years developing a cyber defense strategy taking into account the lessons it learned.

Key elements of that strategy that others can put to use include diligently gathering threat intelligence internally to support development of an effective mitigation strategy. Another important step is the use of the company's seven-step "cyber kill chain framework" to guide the process, says Chris Coryea, cyber intelligence services manager for Leidos' cyber intelligence practice in Europe, the Middle East and Africa. Leidos acquired Lockheed Martin's information systems and global solutions cyber business in August.

"Post the attack, we wanted an effective strategy or a framework that helped us derive intelligence from the data and footprints left by the attackers," Coryea explains in an interview with Information Security Media Group conducted at the recent 2016 RSA Conference Asia Pacific & Japan in Singapore.

"To derive the intelligence and understand the gaps in people, process and technology so as to evaluate portfolio of products and technologies against real attacks, we [created our] cyber kill chain framework to build defense strategies."

Leadership Continuity

To build an effective security strategy, however, requires continuity in leadership, Coryea says. "Frequent changes in leadership, such as having a new CISO every two years, breaks the long haul of building a security culture and consistency in building effective defenses as each new professional would like to try something different, discarding the earlier efforts," he says.

In this interview, he also offers insights on:

  • Using a systematic and pragmatic approach to building a network defense;
  • Creating an actionable threat intelligence program;
  • Taking advantage of information sharing to help mitigate threats.

In this role at Leidos, Coryea oversees its UK Security Intelligence Centre and is responsible for leading a team of cyber intelligence, open-source intelligence and information assurance analysts.

Principal correspondent Varun Haran contributed to this report.


Did Outdated Systems Pave Way to OPM Hack?


The ISMG Security Report leads with a report on Federal CIO Tony Scott partly blaming the way Congress funds agencies for the 2015 breach of computers at the Office of Management and Budget that exposed 21.5 million records.

In the report, you'll also hear:

The ISMG Security Report appears on this and other ISMG websites on Tuesdays and Fridays. Be sure to check out our Aug. 30 and Sept. 2 reports, which respectively analyze an FBI warning to state election officials that their IT systems could be hacked and a conversation with internet co-founder Vint Cerf. The next ISMG Security Report will be Friday, Sept. 8.

Theme music for the ISMG Security Report is by Ithaca Audio under the Creative Commons license.

