This memo is in reference to the request raised for allowing a third-party assessment of all our servers and applications that will contain Lunel employee records. The opportunity to serve Lunel as their primary health insurance provider is a great one, and their request for an onsite audit seems absolutely reasonable. However, the following concerns need to be addressed before accepting their request to undergo an external penetration test.
- We won’t have any visibility into the information that will be shared: the third-party auditor will have access to all the data on our servers, both essential and non-essential to Lunel, which might be in direct contradiction to the HIPAA rules, which are extremely critical and must be followed here at MWJ.
- We don’t have any control over which third party will do the assessment, and won’t have any control over the information that is shared with that third party. The question arises of who will select the auditor.
- The protocols the third party uses when testing our systems might conflict with the ones we are using. The calibrations and tweaks needed to reconcile them could lead to significant downtime.
- We won’t have any idea what they might inject into our network; there have been increased instances of attacks such as ransomware, or they could simply sit in our system snooping on the information.
- We have to consider the credibility of the organization doing the audit, their security standards and their susceptibility to foreign attacks, as hackers and data thieves may try to use them as a backdoor to critical data in our system.
- We are currently using Software as a Service (SaaS) for storing patients’ medical and financial data. All of this is in conformity with the HIPAA provisions on the security and privacy of patient data. Providing access to a third party would be a concern.
An elementary knowledge of the law is a necessity when dealing with information security, as it influences the organization to a great extent, but there is not just one law that reigns over the others and that we need to take care of. There are a lot of technicalities and small legalities that need to be attended to. Input from the legal and compliance teams will be greatly useful, especially considering the request to access the system and do a penetration test, which will give them unprecedented access to all the information on our system, information that is especially critical to our clients and that rulings such as HIPAA cover. There are several civil, criminal, private and public laws to be considered, and InfoSec laws also need to be taken care of.
The legal team needs to make sure that the demands by Lunel are not breaking HIPAA in any way, as we will end up providing a third party with access to our server, which holds sensitive information such as SSNs, medical records and insurance details of our customers.
Compliance will play an important role in defining the baseline for the audit and making sure that the third-party assessor actually follows security practices themselves, so that their systems don’t provide a weak spot that can be used as a backdoor into our system to exploit a weakness and access the critical data. They also need to make sure that granting any of these permissions still keeps us in compliance with all applicable laws, rules and regulations. They will also need to monitor the activities, preventing conflicts of interest and ensuring compliance (Vivian Tero, “Data Center Security & Compliance, Information Security Group, Symantec Corp”).
The legal and compliance teams will also need to draft the legalities of the contract between us and the third party, craft a non-disclosure agreement that is iron-clad and make sure that our interests are safeguarded. Also, the business associate is required to disclose the health information as specified in its agreement, so that we can satisfy our obligation concerning individuals’ requests for copies of their protected health information. It should be made sure that the agreement authorizes termination of the contract by us if the third party violates any term of it. All the data points, including cloud services, must be covered in this contract.
Third-party assessment of security, especially InfoSec, is a fairly usual practice, like audits, but having no say about the person and team doing it is not advisable. Considering the fact that we have to deal with extra-sensitive customer details, rules such as the Health Insurance Portability and Accountability Act demand extra caution when involving any third party in the dealings of our company, let alone giving them unrestricted access to our servers. Violations of laws such as HIPAA may lead us to a loss of credibility as well as huge monetary fines of around $1.5 million (Chaput).
For any of the employees that will be used by the third party, we will need them to comply with the laws and make them sign an agreement. The rulings require us to make sure that the contract between us and a business associate must: (1) establish the permitted and required uses and disclosures of protected health information by the business associate (BUSINESS ASSOCIATE AGREEMENT PROVISIONS, “Secretary”, 2013). We need to make sure that the third party being involved is reliable and will uphold its word. It needs to be thoroughly audited and carefully selected, and not just left to Lunel to select. A non-disclosure agreement must be signed by them to ensure that there is no breach of data even after the assessment is over.
A baseline must be determined before any kind of assessment starts: it is a must to identify how the servers will be tested, when they will be tested and the type of testing that is going to be done. A contract must be planned to ensure that no data is lost, and any vulnerabilities, if found, must be fully disclosed to us and not revealed to any other person except the parties involved. It must be made a requirement that the TPA will return or destroy all protected health information received from, or created or accessed by them, during the assessment. The following plan must be followed to ensure a smooth transition during this process if it is decided that the TPA is going to happen. Each of the steps must be thoroughly documented.
As per our agreement with Amazon Web Services, we reserve the right to conduct penetration testing. However, we need to fill out a form using the root credentials associated with the instances that are to be tested and specify that it is going to be a third-party assessment involving penetration testing of AWS resources. Once we get the approval, we will have to notify the third party appointed by Lunel that the approval has been granted. Note that only EC2 and RDS instances can be tested, and we need to make sure that m1.small or t1.micro EC2 instances are not tested, as that is against Amazon’s policy.
We need to make sure that the third party provides us with the exact start date and time at which the testing will begin, how long it will last and the exact end date and time, to ensure compliance with Amazon’s policy. It needs to be made clear to the TPA that the end date of all the tests they conduct cannot extend more than 90 days from the start date. The third party needs to provide us with:
- Name of the third party
- Contact person
- Email address
- Phone Number
- Target DNS
- Features that they will be testing
- Where the test will be launched from (IP addresses of hosts)
- Open source or commercial tools that will be used
It must be made clear that the specifications given by the third party will be treated as a request and will need approval from both MWJ and Amazon, which hosts the cloud platform for MWJ Healthcare.
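The scoping rules above, turned into a pre-flight check on the third party's request, as an added example that is not part of the memo and not anything from AWS: it encodes the 90-day window, the EC2/RDS-only scope and the excluded instance types exactly as the memo states them, so a request is rejected before it is sent on for MWJ and Amazon approval. The field names, the sample vendor, hostnames and addresses are assumptions.

```python
from datetime import datetime, timedelta

# Constraints as the memo states them (AWS policy at the time of writing).
MAX_WINDOW_DAYS = 90
TESTABLE_SERVICES = {"EC2", "RDS"}
EXCLUDED_INSTANCE_TYPES = {"m1.small", "t1.micro"}
REQUIRED_FIELDS = ("third_party", "contact", "email", "phone", "target_dns",
                   "features", "source_ips", "tools", "start", "end", "targets")

def validate_tpa_request(req):
    """Return a list of problems with a third-party assessment request.

    An empty list means the request is complete and within policy and can be
    forwarded to MWJ management and to AWS for approval."""
    problems = [f"missing required field: {f}" for f in REQUIRED_FIELDS if not req.get(f)]
    if problems:
        return problems  # window and target checks need the missing data
    start, end = req["start"], req["end"]
    if end <= start:
        problems.append("end date/time must be after the start date/time")
    elif end - start > timedelta(days=MAX_WINDOW_DAYS):
        problems.append(f"testing window exceeds {MAX_WINDOW_DAYS} days from the start date")
    for target in req["targets"]:
        service, tid = target.get("service"), target.get("id", "?")
        if service not in TESTABLE_SERVICES:
            problems.append(f"{tid}: service {service} is out of scope (EC2/RDS only)")
        elif service == "EC2" and target.get("instance_type") in EXCLUDED_INSTANCE_TYPES:
            problems.append(f"{tid}: instance type {target['instance_type']} may not be tested")
    return problems

# Constructed sample requests; the vendor, people, hostnames and addresses are hypothetical.
GOOD_REQUEST = {
    "third_party": "Example Assessors LLC", "contact": "J. Doe",
    "email": "jdoe@assessor.example", "phone": "+1-555-0100",
    "target_dns": ["portal.mwj.example"], "features": ["login", "claims API"],
    "source_ips": ["203.0.113.10"], "tools": ["Nmap", "Burp Suite"],
    "start": datetime(2016, 6, 1, 9, 0), "end": datetime(2016, 7, 1, 17, 0),
    "targets": [{"id": "i-0123", "service": "EC2", "instance_type": "m3.medium"},
                {"id": "db-claims", "service": "RDS"}],
}
BAD_REQUEST = dict(GOOD_REQUEST)
BAD_REQUEST["end"] = GOOD_REQUEST["start"] + timedelta(days=120)  # over the 90-day limit
BAD_REQUEST["targets"] = [{"id": "i-0456", "service": "EC2", "instance_type": "t1.micro"},
                          {"id": "records-bucket", "service": "S3"}]

if __name__ == "__main__":
    for name, req in (("good", GOOD_REQUEST), ("bad", BAD_REQUEST)):
        print(name, validate_tpa_request(req) or "OK: ready for MWJ and AWS approval")
```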
The USA PATRIOT Act (“Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001”) was set to expire at the end of 2005; however, it was reauthorized in 2005 and then again by President Obama in 2011. This sunset act expired in 2015 due to lack of support. However, a new act called the USA Freedom Act was passed in June 2015, which restored the expired parts of the USA PATRIOT Act until 2019 (Jaeger et al.).
The titles of the PATRIOT Act that augmented the Secret Service’s role in probing fraud and other illegal activities related to computers are Title I: Enhancing domestic security against terrorism and Title II: Surveillance procedures. As Title I deals with the domestic aspect and Title II with enhanced surveillance, they increased the involvement of the Secret Service in investigating unlawful activities related to computers. Section 105 also speaks about the U.S. Secret Service’s National Electronic Crime Task Force Initiative. They actively work towards blocking online attacks such as DDoS and DoS attacks on companies.
All these have increased the amount of information that is received by the government and provide greater transparency. This, in turn, provides a greater capability to check on fraud and helps them keep an eye on fraudsters aiming to harm the nation’s security, either monetarily or by stealing secret information, which can be equally critical and may cause even more damage in the longer run. This act provides security against the looming threat of critical data getting into the wrong hands, at least to some extent, although some concerns about privacy might appear, as the government agencies end up having access to a lot of personal information.
- Chaput, B. (n.d.). HIPAA Compliance Now Even More Critical for Third Party Administrators. Retrieved April 30, 2016, from https://clearwatercompliance.com/wp-content/uploads/2013/08/Whitepaper-HIPAA-TPA.pdf
- Secretary, H. O. (n.d.). Business Associate Contracts. Retrieved May 01, 2016, from http://www.hhs.gov/hipaa/for-professionals/covered-entities/sample-business-associate-agreement-provisions/index.html
- Third Party Risk Assessment – Anitian. (n.d.). Retrieved May 01, 2016, from https://www.anitian.com/third-party-risk-assessment
- IT security auditing: Best practices for conducting audits. (n.d.). Retrieved May 01, 2016, from http://searchsecurity.techtarget.com/IT-security-auditing-Best-practices-for-conducting-audits
- Compliance Department Definition | Investopedia. (2003). Retrieved May 01, 2016, from http://www.investopedia.com/terms/c/compliancedepartment.asp
- Penetration Testing – Amazon Web Services (AWS). (n.d.). Retrieved April 30, 2016, from https://aws.amazon.com/security/penetration-testing/
- Yeh, B. T., & Doyle, C. (2006, December 21). USA PATRIOT Improvement and Reauthorization Act of 2005: A Legal Analysis. Retrieved May 1, 2016, from https://www.fas.org/sgp/crs/intel/RL33332.pdf
- Third-Party Vendor Risk Assessment: Why It Matters? (n.d.). Retrieved April 29, 2016, from http://www.symantec.com/connect/blogs/third-party-vendor-risk-assessment-why-it-matters
- Jaeger, P. T., Bertot, J. C., & McClure, C. R. (2003). The impact of the USA Patriot Act on collection and analysis of personal information under the Foreign Intelligence Surveillance Act. Government Information Quarterly, 20(3), 295–314.
- Foster, L. (n.d.). IDS 520 course slides. University of Illinois, Chicago, IL.
- Whitman, M. E., & Mattord, H. J. (2004). Management of information security. Boston, MA: Thomson Course Technology.
- Cyber security Student Book. (n.d.). Retrieved from http://www.isaca.org/cyber