
Passwords

I have something I have been wondering about that I wanted to throw out for discussion.

If your organization has a network password policy that creates the framework for users to create strong passwords, but the user still creates a weak password that meets the complexity requirements of the network password policy, and that weak password is cracked, who is liable?

Here is my thought process.  According to the HIPAA Security and Privacy Rules, if there is a data breach, depending on how that breach occurs, it could be the company/organization that is liable, but it could also be the employee who is liable.  As most of you well know, there are currently doctors, nurses, etc. who have been fired, lost their licenses, been fined fees/penalties and are currently serving jail/prison time for HIPAA violations due to data breaches.

They have to determine who is liable - the company or the employee - but one of them will be liable.  Maybe both depending on the case.

So for instance, a doctor who has access to a patient's medical record and accesses that medical record without having a need to do so can be fired, lose their license, be fined and possibly go to jail for the unauthorized access.

If the organization has the correct policies and procedures in place that satisfy the HIPAA guidelines and can prove they provided enough adequate security and awareness training, the organization would not be found liable - but the employee would.  The employee would be subject to being fired, losing their license, paying fines and possibly jail.

So following the same thought process.  If your organization has a Network Password Policy that provides the framework and guidelines for employees to create strong passwords, but an employee still chooses to create a weak password that meets your complexity requirements, and their password is cracked and is the cause of a data breach, who would be liable?  Would the employee be liable for creating the weak password, which violates the Network Password Policy, and could they be faced with fines, penalties, etc.?

For instance, our Network Password Policy outlines the password complexity requirements and gives specific examples to avoid dictionary-type passwords, keyboard-sequence passwords, etc.  The idea is to create a strong password meeting the complexity requirements.  But they could still create a weak, dictionary-type password meeting the complexity requirements.  They have been instructed not to take a word out of the dictionary and modify it, because that is still considered a dictionary password.

Now, I am not really debating whether passwords are the be-all, end-all solution to stopping or preventing data breaches.  Nor am I saying passwords, no matter their length and strength, can't be hacked or broken into.

I just want to know: if an employee fails to follow your policy and procedure regarding network passwords and the password is hacked - could the employee be personally liable, as they could be held liable for other HIPAA violations?

The example I give our employees is to throw the entire alphabet into a bowl in uppercase letters.  Then throw the entire alphabet into the same bowl in lowercase letters.  Then throw in the numbers 0-9.  Then throw in all punctuation marks.  Then throw in all symbols and special characters.  Stir and shake the bowl up real good.  Reach in and grab 8 to 14 characters and randomly place them in a row in front of you - that is what your password should look like.

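As an added example (not part of the original post, and not any product's code), the two things the policy above describes can be turned into an enforced check rather than advice: rejecting dictionary-derived and keyboard-sequence passwords that nonetheless satisfy the complexity rules, and the "bowl" method of drawing random characters from the full character set. The wordlist, the leet-substitution table, the keyboard rows and the thresholds below are constructed for the demonstration; a real deployment would load a leaked-password or cracking dictionary instead of the ten-word stand-in.

```python
import re
import secrets
import string

# Constructed stand-in for a cracking dictionary (assumption: a real deployment
# would load a leaked-password list instead of this ten-word set).
WORDLIST = {"password", "welcome", "summer", "hospital", "medical", "patient",
            "letmein", "monkey", "dragon", "admin"}

# Physical keyboard rows; a run of `run` adjacent keys in either direction is rejected.
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")

# Common letter substitutions that cracking rule sets undo before a dictionary lookup.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})

# The "bowl": upper, lower, digits and every printable punctuation/symbol character.
ALPHABET = string.ascii_uppercase + string.ascii_lowercase + string.digits + string.punctuation
CLASSES = (string.ascii_uppercase, string.ascii_lowercase, string.digits, string.punctuation)


def meets_complexity(pw, min_len=8, min_classes=3):
    """The usual complexity rule: minimum length and at least `min_classes` character classes."""
    hit = sum(1 for cls in CLASSES if any(ch in cls for ch in pw))
    return len(pw) >= min_len and hit >= min_classes


def _strip_affixes(s):
    """Drop the digits/punctuation people bolt onto a word ('summer2012!' -> 'summer')."""
    return re.sub(r"^[^a-z]+|[^a-z]+$", "", s)


def _candidate_cores(pw):
    """Two normalisations: strip then un-leet ('P@ssw0rd1!' -> 'password'), and
    un-leet then strip ('@dmin99' -> 'admin'), since either order can expose the word."""
    low = pw.lower()
    yield _strip_affixes(low).translate(LEET)
    yield _strip_affixes(low.translate(LEET))


def is_dictionary_derived(pw):
    """A modified dictionary word is still a dictionary password (the policy's own rule)."""
    for core in _candidate_cores(pw):
        if core in WORDLIST:
            return True
        # A dictionary word making up at least 60% of the core still counts as derived.
        if any(w in core and len(w) * 10 >= len(core) * 6 for w in WORDLIST if len(w) >= 4):
            return True
    return False


def has_keyboard_sequence(pw, run=4):
    """True if `run` or more adjacent keys from one row appear in order, either direction."""
    low = pw.lower()
    for row in KEYBOARD_ROWS:
        for seq in (row, row[::-1]):
            if any(seq[i:i + run] in low for i in range(len(seq) - run + 1)):
                return True
    return False


def check_password(pw):
    """Return (accepted, reason). Rejecting at set time is what turns the policy
    from advice into an enforced control."""
    if not meets_complexity(pw):
        return False, "fails length/character-class complexity"
    if has_keyboard_sequence(pw):
        return False, "contains a keyboard sequence"
    if is_dictionary_derived(pw):
        return False, "dictionary word with mangling"
    return True, "ok"


def generate_password(length=14):
    """The bowl method with a CSPRNG: draw `length` characters uniformly from ALPHABET,
    retrying in the rare case the draw trips the same checks users are held to."""
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if check_password(pw)[0]:
            return pw


if __name__ == "__main__":
    for candidate in ("P@ssw0rd1!", "Qwerty123!", "Summer2012!", "kX9#mQ2$vL!", generate_password()):
        print(f"{candidate:16} -> {check_password(candidate)}")
```

Running it shows the point of the thread: "P@ssw0rd1!", "Qwerty123!" and "Summer2012!" all satisfy a three-of-four complexity rule and are all rejected, while a draw from the bowl passes. The complexity test comes first only because it is cheapest; the dictionary test is the one that does the work.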


  • Hello takewanleap,

    what should be the result of the discussion (not that I don't find the topic interesting - on the contrary)? This is a legal question - common sense won't help. Not knowing HIPAA in detail, it's also hard to make reasonable comments.

    Note: when talking about employees I refer specifically to medical personnel, not IT staff.

    The first question that comes to my mind is - does HIPAA assume that any data breach can be avoided, or is a data breach defined as an avoidable (then what's the exact definition of avoidable?) disclosure of data? Does it also apply if an employee is forced to hand over a password or data at gunpoint? Or - assuming a powerful and dedicated attacker who just "outguns" your security?

    Now to get to more common scenarios - policies have parts which can be directly enforced (such as password rules) and parts which can not (like "don't write down your password"). IMO just setting up complexity requirements without enforcing them (which is doable) falls - from a technical point of view - short. You shouldn't only forbid weak passwords but reject them. If you don't have the technical means to do that - what about the rest of security?

    Furthermore (permit some simplification) - you can crack only passwords where you have access to either the encrypted data, the encrypted password or a means to verify the password by repeated tries. The latter two cases should not be possible - if they are, it is IMO clearly the responsibility of the organization, weak password or not. This leaves encrypted documents only - and here only those cases where the user also carries the decryption key around, protected by a user-defined password (one that can be chosen without validation). Dunno if this is permitted under HIPAA - I don't think it is necessary.

    Thus I think that the technical state of the art enables the organization to enforce password rules, and an employee (as s/he should not be able to choose a "weak" password) should not be liable. Accidental or negligent disclosure is of course a different matter.

    To summarize - a successful crack can only occur if data is leaked (primarily the organization's liability; the leak itself - say, of an encrypted document - might be the employee's fault), password hashes are exposed (organization), the system allows "unlimited" password attempts (clearly organization) or encryption keys can be stored externally by the employee and protected with an arbitrary password (IMO organization).

    But as said - the legal system likely has a different view.

    Christian

  • Hi Christian,

    Thanks for the response.  Great insight you have provided.  It is something I have thought about for a while.  I am an IT department of one.  We have about 10 office sites and around 100 users/PCs in our organization.  I don't have a lot of internal resources to be able to bounce ideas off of people, except for forums like this.

    We are in the process of strengthening some of our policies and procedures along with strengthening our security practices.  I have implemented a password change policy for our organization.  Now I am in the process of creating and providing security and awareness training for our employees as well.

    So I do give a spiel about HIPAA liability.  I let the staff know in the staff meetings I attend in the different divisions and programs that, according to certain HIPAA regulations, in some aspects they as employees can be held liable for certain actions.  The liability could be termination of employment.  It could be that their licensing board revokes their license (they lose it).  They could be subject to fines and fees.

    So we had a discussion about that topic.  Some of our employees are now aware that they can be held liable - depending on the circumstances.  That has been proven over and over again with certain documented HIPAA cases where they were held liable.

    So they asked me about it and I gave them my viewpoint.  Now, I am not legalese in nature either.  I am not an attorney, lawyer or what not.  So I told them not to put a whole lot of stock into what I say - to seek better advice and counsel.

    Here is what I explained to them.  When it comes to a HIPAA violation, the policies and procedures would be examined to see if they are HIPAA compliant - if there is such a thing.  Then they will examine what the employee did.  If the employee violated the policies and procedures, then the employee would be held liable.  If the organization can prove they have proper and correct policies and procedures in place and have provided enough security and awareness training, then the organization would not be held liable - but the employee violating the policies and procedures would be held liable.

    So I explained to them in our staff meetings - you want to be in full compliance with the organization's policies and procedures to keep yourself safe from liability as an employee.  They now get that and understand that.

    So the discussion came up with how do you determine how and where liability lies in certain scenarios.

    I personally think there are uncharted waters in this area - where it has never been challenged in a court of law.  So I told them - make sure you read and understand the policies and procedures and be compliant with them - just to be safe.

    In the example of the network password policy: if it is determined they have created a weak, dictionary-type password and the organization finds this out through some sort of ethical means and audits, they would be subject to the disciplinary actions of the policy and procedure, up to and including termination.  Beyond that - I told them I don't know what would happen.

    So if, by complete freak accident, an employee's password was cracked on the first guess due to a weak password, and the password they constructed violates the policy, and due to that weak password information was compromised - they questioned whether they would be or could be held liable.

    I told them the only thing I knew for sure is that they would be disciplined in some form - verbal, written or terminated.  But beyond that - I told them - I wasn't sure what would happen.

    My whole point in talking with them is to get them to take security seriously, take their passwords seriously, and understand the full weight and gravity of what information and the type of information they are protecting.  I don't think our users really get that.  I don't think they understand they are protecting information that, if compromised, could put these clients at risk for identity theft.

    I explained to them that - not purposefully - they tend to be very hypocritical.  For instance, if their personal information was breached, they would probably be irate and prosecute the offender to the fullest extent of the law possible.  But at the same time, they are protecting the exact same type of information and do not hold themselves to that same high level of scrutiny.  They kind of exempt themselves from the same high standard they would put on others to protect their information.  But when it comes to them protecting it, they will be doing the same weak practices.  Just trying to point out - don't have a hypocritical double standard that you hold others to but do not apply to yourself.

    They are taking it way too lightly.

    I have randomly gone through our offices and have found their passwords taped to their monitor!  One employee even taped their username AND password to their monitor.

    So it really came down to a discussion - if I can violate one policy and be held liable, then what about other policies: could they be held liable and their license be at risk?  I told them I really don't know.  I don't think anyone has had a data breach due to a weak password being hacked and gone to court over it.  I told them - the best, safest thing is simply not to find out - be in compliance with our network password policy and password creation and take it seriously.  Don't be lax about it.  Grasp the full weight and gravity of what is at stake - your job, your license, your clients' identities, your clients' medical information, the organization's reputation, etc.

  • Wow.  What timing.  I guess I am a little late in receiving emails about the latest data security breaches.  But so far, 2012's largest data breach victim was the State of Utah's Department of Health.  The culprit: a weak password.

    Obviously there are other issues to address - not just weak password issues.  Obviously one would be concerned with lost/stolen laptops, removable media devices, etc.  But I thought it interesting that so far for 2012, the largest data breach this year was specifically due to a weak password.

    It will be interesting to see how it plays out.  I read that so far, just the contracts to deal with the damage control blitz with outside aid (3 attempts so far) have cost them 1.3 million dollars.  That is not counting the costs of additional safeguards they will have to invest in, nor the cost of identity theft protection services for one year.  They estimate it to cost them tens of millions of dollars in the end.

    A snippet from the top 10 data breach list:

    1. Utah Department of Health. On March 30, approximately 780,000 Medicaid patients and recipients of the Children's Health Insurance Plan in Utah had personal information stolen after a hacker from Eastern Europe accessed the Utah Department of Technology Service's server. Initially, the number of those affected stood at 24,000, yet, according to UDOH, that number grew to 780,000, with Social Security numbers stolen from approximately 280,000 individuals and less-sensitive personal data stolen from approximately 500,000 others. The reason the hacker was able to access this information? Ultimately, it was due to a weak password.

  • Unless I've overlooked it, it doesn't say where the data resided and whether the weak password was directly related to the (encrypted) data or used to gain access to the system. I also wonder - why was Utah's DOH "chosen"? Unless there was a specific reason for targeting this institution, it could have been either by chance or a (semi-)automated attack. Even if it was "manual by chance" - if the attack was "via the Internet" the hacker probably used some tools to apply the "password guessing". It shouldn't have been as easy as guessing an account/password combination, slipping in and then dumping hundreds of thousands of records to some obscure location. You shouldn't be able to attack a password on-line - so while the attack was (allegedly) ultimately successful because of the weak password, there was probably also more than one weakness "along the path".

    If it is not a really determined attack, any single failure (like a weak password) shouldn't allow access to your data. You encrypt your data in case someone gets unauthorized access to the data on disk - but then the weak password shouldn't come into play. OTOH a single password shouldn't get you as far as hundreds of thousands of records. Consider the lock to your company's vault - even if it's easily pickable, an occasional visitor shouldn't be able to get near it at all. But I know it's much easier said than done.

    Christian

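Christian's point in both of his replies, that a system must not allow "unlimited" password attempts and that a password should not be attackable on-line at all, can be shown with a throttle that counts failures per account and per source address over a sliding window. This is an added example, not code from the thread or from any product; the account names, source addresses, limits and the plaintext credential table are constructed for the demonstration (a real system would verify against a salted hash).

```python
from collections import defaultdict, deque


class LoginThrottle:
    """Sliding-window failure budgets per account and per source address.

    Constructed example: the limits are illustrative, not a product's defaults.
    Online guessing is what makes a weak password exploitable from the Internet,
    so the guess budget, not the password, is the control the organization owns.
    """

    def __init__(self, account_limit=5, source_limit=20, window=900):
        self.account_limit = account_limit   # failures per account per window
        self.source_limit = source_limit     # failures per source per window (catches spraying)
        self.window = window                 # seconds
        self._account_fail = defaultdict(deque)
        self._source_fail = defaultdict(deque)

    def _recent(self, log, now):
        """Prune timestamps that fell out of the window and return how many remain."""
        while log and log[0] <= now - self.window:
            log.popleft()
        return len(log)

    def attempt(self, account, source, verify, now):
        """`verify` is a callable run only if the budgets allow it, so a locked
        account never reaches the credential store and cannot act as an oracle."""
        if self._recent(self._account_fail[account], now) >= self.account_limit:
            return "locked"
        if self._recent(self._source_fail[source], now) >= self.source_limit:
            return "locked"
        if verify():
            self._account_fail[account].clear()
            return "allowed"
        self._account_fail[account].append(now)
        self._source_fail[source].append(now)
        return "denied"


# Constructed credentials for the demo only; a real system checks a salted hash.
USERS = {"drsmith": "Welcome1", "nurse.j": "Summer2012!"}


def verify_for(account, guess):
    """Build the deferred credential check the throttle calls only when allowed."""
    return lambda: USERS.get(account) == guess


def simulate():
    """Three constructed scenarios with explicit timestamps (seconds)."""
    throttle = LoginThrottle()

    # 1. Online dictionary attack on one account; the correct password is the 6th guess,
    #    but the account budget is exhausted after the 5th, so it is never even checked.
    guesses = ["password", "letmein", "Monkey1!", "Qwerty123!", "Dragon99",
               "Welcome1", "Hospital1", "Patient1"]
    online = [throttle.attempt("drsmith", "203.0.113.5", verify_for("drsmith", g), now=i)
              for i, g in enumerate(guesses)]

    # 2. Password spraying: one weak guess against many accounts from one source.
    #    No single account hits its limit; the per-source budget catches it instead.
    spray = [throttle.attempt(f"user{i}", "198.51.100.7", verify_for(f"user{i}", "Summer2012!"),
                              now=100 + i)
             for i in range(25)]

    # 3. The legitimate user logs in after the window has expired.
    later = throttle.attempt("drsmith", "192.0.2.10", verify_for("drsmith", "Welcome1"), now=2000)
    return online, spray, later


if __name__ == "__main__":
    online, spray, later = simulate()
    print("online guessing :", online)
    print("password spray  :", spray.count("denied"), "denied,", spray.count("locked"), "locked")
    print("legit user later:", later)
```

The design choice worth noting is that `verify` is deferred: once a budget is spent the throttle answers "locked" before touching the credential store, so an attacker learns nothing about whether the sixth guess was right. The per-source counter is what a per-account lockout alone misses, since a spray of one weak password across a hundred accounts never trips any single account's limit.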
  • In case you don't follow NakedSecurity - take a look at Paul Ducklin's recent article: Data breaches aren't just about website insecurity and internet hacking.... (oh, and I strongly recommend viewing the embedded video; while it's almost an hour long, it's not only really entertaining but also very informative).

    Christian
