Category: BAI Security Blog

Compliance Audits And Data Security

A random audit program to gauge Phase 2 HIPAA compliance is expected to be underway soon. This round will target business associates, including financial institutions that are typically exempted from HIPAA compliance when they provide what are considered to be typical banking services, such as payment processing and credit/loans. But financial institutions that “create, receive, maintain, or transmit” protected health information may now have direct obligations under HIPAA. This round will include both on-site and off-site reviews.

Off-Site Audits

Off-site audits focus on documentation reviews. These audits typically focus on one of the three main HIPAA provisions – breach notification, security, and data privacy protocols. Documentation cannot be created after you receive the audit request, so review your policies and procedural


HIPAA and Your Business Associates

The number of claims filed under the Health Insurance Portability and Accountability Act (HIPAA) has spiked recently. The latest figures from the U.S. Department of Health and Human Services (DHS) show that the government is increasing its enforcement efforts regarding the federal privacy law. The U.S. Office of Civil Rights (OCR) has reported that it has received over 115,929 HIPAA complaints and initiated over 1,216 compliance reviews since the final HIPAA Privacy Rule was enacted in 2003. 23,580 of those reviews have required businesses to make changes to their privacy practices or otherwise face corrective actions. Additionally, the OCR has, to date, imposed nearly $26.4 million in fines for HIPAA privacy, security, and breach notification violations. According to the recent


The Clock Is Ticking – Part 2 Migrate From SSL/TLS Now

It has now been over a month since the Payment Card Industry Data Security Standard (PCI DSS) 3.0 was officially retired on June 30. In part 1 of this series on PCI DSS 3.1 migration, we noted that version 3.1 was swiftly introduced in April 2015 as a response to major security flaws discovered in open source SSL, and the exploits – including Heartbleed, Shellshock and POODLE – that targeted the vulnerabilities. The flaws enabled man-in-the-middle attacks and allowed attackers to read supposedly secure, authenticated encrypted communications. Consequently, the PCI Council branded SSL and TLS 1.0 as “vulnerable protocols” in the new version of its security standard. Those who are required to comply with PCI DSS have a grace period of


PCI DSS 3.1 – Managing Migration

It’s nearing a month since the Payment Card Industry Data Security Standard (PCI DSS) 3.0 was officially retired on June 30. PCI DSS 3.1 was swiftly introduced in April 2015 as a response to major security flaws discovered in open source SSL, and the exploits – including Heartbleed, Shellshock and POODLE – that targeted the vulnerabilities. The flaws enabled man-in-the-middle attacks and allowed attackers to read supposedly secure, authenticated encrypted communications. Consequently, the PCI Council branded SSL and TLS 1.0 as “vulnerable protocols” in the new version of its security standard. Those who are required to comply with PCI DSS have a grace period until June 30, 2016, but any new deployments that utilize SSL or early versions of TLS


Securing Government Systems

A new report released today from the software security firm Veracode contained alarming news about the data security practices of many federal agencies. Veracode’s business is auditing the source code of applications for security vulnerabilities. The report documents 208,670 application scans conducted over 18 months for the company’s private and government customers. An analysis of the prevalence of security issues within software code, the applications’ compliance with basic security best practices, and how frequently customers updated or fixed flawed applications is included in the report. The study found that Web applications in use by federal agencies failed to comply with security standards 76 percent of the time. By contrast, financial service companies are in compliance a comforting-only-by-comparison 42 percent of


Malware Risk Management

Prevent, detect, and contain: that’s the National Security Agency (NSA) advice for mitigating the damage of malware attacks. The NSA’s new report, “Defensive Best Practices Against Destructive Malware,” provides a good proactive baseline for warding off attacks, along with advice on how to keep attackers from running amok after they have gained some access to the network. Security experts have warned that 2015 will be the year of the particularly malicious hacker. Such attackers will wipe compromised networks after a successful attack in order to destroy forensic evidence. In other cases, as we’ve seen with the various “locker” ransomware families, data is encrypted and held for ransom. If demands aren’t met, the data isn’t released from its encrypted prison. “Defensive Best


HIPAA Audits And Data Security

A random audit program to gauge Phase 2 HIPAA compliance is expected to be underway soon. This round will target business associates, including financial institutions that are typically exempted from HIPAA compliance when they provide what are considered to be typical banking services, such as payment processing and credit/loans. But financial institutions that “create, receive, maintain, or transmit” protected health information may now have direct obligations under HIPAA. This round will include both on-site and off-site reviews.

Off-Site Audits

Off-site audits focus on documentation reviews. These audits typically focus on one of the three main HIPAA provisions – breach notification, security, or data privacy protocols. Documentation cannot be created after you receive the audit request, so review your policies and


PCI DSS 3.1 – Countdown For The June 30 Compliance Deadline

Recently, the PCI Security Standards Council issued Payment Card Industry Data Security Standard (PCI DSS) version 3.1 (PCI DSS v3.1), with “minor updates and clarifications” to PCI DSS v3.0, which went into effect on January 1, 2015. The most significant change: PCI DSS v3.1 prohibits the use of any version of SSL for any PCI DSS requirement that calls for “strong cryptography.” This is effective immediately with respect to new security implementations. Otherwise, affected organizations must have a formal risk mitigation and migration plan in place to move away from SSL and must stop using SSL in existing implementations by June 30, 2016. As a result of the publication of v3.1, PCI DSS v3.0 will be retired on June 30, 2015. As


What You Need To Know Now About The LastPass Hack

On Monday, LastPass announced that it had been the target of a successful data breach. Here’s what you need to know and do now, if you relied on this extremely popular service to secure and manage your passwords.

When was the breach discovered?

On Friday, June 12, the LastPass team discovered and blocked suspicious activity on their network.

What damage was done?

LastPass says “In our investigation, we have not found evidence that encrypted user vault data was taken, nor that LastPass user accounts were accessed. The investigation has shown, however, that LastPass account email addresses, password reminders, server per user salts, and authentication hashes were compromised.”

I have a LastPass account, should I be worried?

LastPass says the
