
Category Archives: Compliance

Global Payments Credit Card Data Breach

Adrian Sanabria, PCI Qualified Security Assessor at Sword & Shield

On Sunday, card processor Global Payments announced that data from 1.5 million credit/debit card accounts had been “exported.” It isn’t so much the size of this breach that is significant, but the fact that the company breached is one of the world’s largest payment processors.

Visa has allowed them to continue processing credit cards, but dropped them off their service provider registry (which is a BIG deal). The breach only affects North American merchants and cardholders. To give you an idea of how bad a breach at a large credit card processor can be, if a month’s worth of the transactions they handle were exposed, it is entirely possible that more than 90% of all cardholders in the US would need new credit/debit cards.

This doesn’t happen often. I only know of two other cases where a payment processor was hit by a breach. CardSystems Services, as a business, was literally destroyed by their breach. VISA and AMEX revoked processing rights, forcing CardSystems to shut down operations and sell off assets almost overnight. Heartland Payment Systems is the most recent case, and the second largest breach ever at 130 million. They were also stripped from the registry, but managed to recover, regain PCI compliance, and get back onto the registry within a year.

Global Payments had a public conference call at 8AM this morning that I didn’t have time to attend, but which has resulted in an explosion of news stories on the breach.

The worst thing I’ve been able to determine from the details so far is that it seems Global Payments was storing Track Data – the information swiped from the magnetic stripe on the back of the card. The PCI DSS explicitly forbids storing track data after authorization (requirement 3.2.1), and PCI considers the storage of sensitive authentication data to be one of the most serious PCI violations. CardSystems was effectively shut down for a lesser violation, though their breach was much larger.
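To make the requirement concrete, here is an added example (not part of the original post or any Sword & Shield tool) that scans text such as log lines or a database dump for the ISO/IEC 7813 Track 1 and Track 2 layouts and confirms each embedded PAN with the Luhn check, so a stray run of digits is not reported. The log lines and card numbers are constructed test data.

```python
"""Added example: detect stored magnetic-stripe track data at rest.

PCI DSS 3.2.1 forbids storing full track contents after authorization.
This scanner looks for the ISO/IEC 7813 Track 1 and Track 2 layouts and
validates the PAN with the Luhn check before reporting a finding.
"""
import re
from dataclasses import dataclass

# Track 1: %B<PAN>^<NAME>^<YYMM><service code><discretionary data>?
TRACK1_RE = re.compile(r"%B(\d{12,19})\^([^^?]{2,26})\^(\d{4})(\d{3})([^?]*)\?")
# Track 2: ;<PAN>=<YYMM><service code><discretionary data>?
TRACK2_RE = re.compile(r";(\d{12,19})=(\d{4})(\d{3})(\d*)\?")

# Constructed sample log; the PANs are standard test numbers, not real cards.
SAMPLE_LOG = """\
2012-03-30 08:01:12 auth ok txn=1001 amount=42.17
2012-03-30 08:01:13 debug raw=%B4111111111111111^DOE/JANE^15051011234567890?
2012-03-30 08:01:14 debug raw=;5555555555554444=1505101123456789?
2012-03-30 08:01:15 debug raw=;1234567890123456=1505101000000000?
2012-03-30 08:01:16 settlement batch closed
"""


def luhn_valid(pan: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep only the first six and last four digits in the report output."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


@dataclass
class Finding:
    track: int        # 1 or 2
    line_no: int      # 1-based line in the scanned text
    masked_pan: str
    expiry: str       # YYMM as encoded on the stripe


def scan_text(text: str) -> list[Finding]:
    """Return one Finding per Luhn-valid track record found in text."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for m in TRACK1_RE.finditer(line):
            if luhn_valid(m.group(1)):
                findings.append(Finding(1, line_no, mask_pan(m.group(1)), m.group(3)))
        for m in TRACK2_RE.finditer(line):
            if luhn_valid(m.group(1)):
                findings.append(Finding(2, line_no, mask_pan(m.group(1)), m.group(2)))
    return findings


def scan_sample() -> list[Finding]:
    """Run the scanner over the constructed sample log."""
    return scan_text(SAMPLE_LOG)


if __name__ == "__main__":
    for f in scan_sample():
        print(f"line {f.line_no}: track {f.track} data, PAN {f.masked_pan}, exp {f.expiry}")
```

The third debug line is deliberately skipped: it has the Track 2 shape but its PAN fails the Luhn check, which is the kind of false positive a raw regex sweep would otherwise report.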

It will be interesting to see if any of the details of the breach are released. These details are essential for the rest of the industry to learn from Global’s mistakes. I’d like to see:

  • The attack vectors used, and the level of sophistication necessary to breach Global.
  • How long the attackers had access to systems
  • If track data really was stored, and what Global’s excuse for such a violation is
  • Why the breach was limited to only 1.5 million accounts in North America. A large processor like Global might process 1.5 million transactions in just a few days. Why weren’t more accounts stolen? Why only North America? Perhaps some effective segmentation was in place? That would be good news the PCI Council would be happy to point out.
  • And of course, we’ll hopefully eventually find out who the perps were, and their level of hacking expertise.

Time will tell.

Adrian Sanabria is a security consultant and PCI Qualified Security Assessor for Sword & Shield Enterprise Security. He draws on years of security experience in financial institutions to help large and small companies solve complex compliance and security problems. He is skilled with both high-level design as a system and security architect, and detailed analysis with a background in penetration testing, forensics and incident response. His blog is averysawaba.blogspot.com, and you can reach him on Twitter @sawaba.

Also posted in PCI, Security News

PCI Compliance Expert to Address Petroleum Retail Industry

Sword & Shield Principal Risk & Compliance Consultant Penny Walton will be a keynote luncheon speaker at the Petroleum Convenience Alliance for Technology Standards (PCATS) annual conference Jan. 23-26 in Tucson, AZ.

Walton will address the issues surrounding PCI compliance in the convenience store and petroleum retail industries at Monday’s session.

PCATS is a non-profit organization devoted to the development, maintenance and implementation of standards, education and best practices for the convenience store and petroleum retail segments.

Walton has more than 25 years’ experience in the technical field in roles such as software engineering, database design and administration, network engineering, enterprise information security management, risk management and compliance oversight. Additionally, she has extensive business experience in utilizing technology to increase the bottom line and reduce risks while controlling cost. She holds many technical certifications, including CRISC (Certified in Risk and Information Systems Control), CISM (Certified Information Security Manager), CISSP (Certified Information Systems Security Professional), CEH (Certified Ethical Hacker), CIW (Certified Internet Web Master), PCI QSA (Payment Card Industry Qualified Security Assessor) and HITRUST Security Assessor (Health Information Trust Alliance).

Also posted in Company News, Events, PCI

Sword & Shield to Exhibit, Present at NetSmart Convention in Orlando

How important is conducting the right kind of Meaningful Use security risk assessment if your healthcare organization plans to apply for incentives to upgrade to electronic record-keeping?

Sword & Shield Principal Consultant Brian Bradley will explain the necessities of satisfying the Meaningful Use security requirements for protecting electronic patient records to NetSmart CONNECTIONS2011 conference-goers later this month in Orlando at the group’s annual conference.

The NetSmart conference, which runs May 16-19, will feature information and sessions to help attendees understand how to qualify for Medicaid and Medicare incentive funds for the Meaningful Use of an Electronic Health Record (EHR) and demonstrations of the NetSmart solutions that will help them meet all Stage 1 Meaningful Use criteria.

Bradley’s session also will explain how companies should use due diligence to understand the risks associated with healthcare partners and associated companies with whom they share protected health information. He will also present a common framework that could be implemented to manage Meaningful Use and other governance, risk and compliance-related processes.

Also posted in Company News, Events

Viagra, Money Mules, Credit Cards – Oh My!

What do Viagra, Money Mules and credit cards have to do with information security?

Plenty – as evidenced by recent security-incident cases that Sword & Shield’s Bowe Hoy and Brian Bradley will discuss at the Northwest Information Systems Security Association (ISSA) Symposium in Portland, OR on April 21. More than 1,500 business and technology professionals will converge at the Oregon Convention Center for the event.

Hoy and Bradley will present an overview of several internal and external attack case studies. The presentation also will offer insight into the threat landscape and the do’s and don’ts of security incident response and digital forensics. The pair will be available at the Sword & Shield booth to discuss our forensics and security-incident service offerings.

Hoy is an enterprise security consultant for Sword & Shield and has 14 years of experience in the information technology security and consulting industry. He provides strategic business development and security solution consultation to enterprises of all sizes and industries. He supports Sword & Shield customers throughout the entire information security engagement life-cycle, specializing in governance, risk and compliance (PCI, EI3PA, HIPAA, FFIEC/GLBA, NIST, NERC-CIP, FISMA, and others); assessments (network vulnerability assessment and penetration testing, application security testing, security policy, social engineering, and others); digital forensics and incident response; and electronic discovery.

Bradley serves as a principal consultant for Sword & Shield and has more than 15 years of IT and security experience, specializing in governance, risk, and compliance (GRC) consulting and assessments. He provides consultative services to commercial organizations in the creation and development of security plans, policies and procedures, and compliance remediation, specializing in HIPAA / HITRUST, PCI / EI3PA, FTC Red Flags Rule, GLB, NIST, ISO and others. He currently holds CISA, CHSS, CISSP and INFOSEC certifications and is a PCI Qualified Security Assessor (QSA) and HITRUST professional assessor.

Also posted in Events

SoCal HIMSS Healthcare IT Conference Highlights Growing Need for Security and Compliance

The topic of managing an increasing volume of electronic data securely, while keeping up with regulatory compliance requirements, dominated the recent 2011 Southern California HIMSS Chapter’s Second Annual Healthcare IT Conference, Healthcare Reform: Driving to 2015 and Beyond.

That title may give the appearance of a conference agenda driven by healthcare policies and politics. While there was a certain amount of discussion surrounding those topics, the underlying tone of the event was less about policies and politics and more about the practical implications of the exploding growth of healthcare electronic data, and the associated compliance demands that come with it. In other words, the concerns of the conference attendees align with Sword & Shield’s mission of supporting healthcare organizations’ information security and compliance challenges and requirements.

The pains of managing electronic data are felt the most by healthcare executives from covered entities such as hospitals. Two of those executives, Thomas Priselac, president and CEO of Cedars-Sinai Health System, and Dr. Sajjad Yacoob, chief medical information officer and physician from Children’s Hospital of Los Angeles, provided unique, but similar, perspectives on the issue of healthcare information security and compliance.

Consistent with the conference’s theme, Priselac focused on the state of healthcare reform, including industry progress. He also shared his thoughts on key factors for the future of healthcare reform. Not surprisingly one of the key factors is uncertainty – there are no guarantees that the current healthcare law will remain in its current form. In fact, there is a high likelihood that parts of it or even the entire law could change in the short or long term.

The ever-changing healthcare information technology landscape and the security and compliance challenges presented with it was the focus of Yacoob’s presentation as well. Yacoob offered an interesting paradox: the healthcare industry is completely dependent on information technology, which changes at a rapid rate. However, IT users, especially doctors, are very slow to adapt to technological changes. One of the unintended consequences of this paradox is greater potential for security breaches and vulnerabilities. Resisting technological change often means resisting crucial security best practices once the change is adopted. Backing up that notion is a recently released study by the Ponemon Institute, which found that the leading cause of breaches is negligence, accounting for 41 percent, up slightly from 40 percent in 2009. The cost of these breaches averaged $196 per record, up 27 percent from 2009, according to the study.

The growing cost of breaches underscores the importance of healthcare organizations securing electronic protected health information (ePHI), along with addressing risks, specifically in regard to information privacy and security. Alongside that requirement is the need to implement the appropriate safeguards for managing and controlling those risks. Sword & Shield is uniquely qualified to help healthcare organizations secure ePHI while helping them become and remain compliant with regulations such as HIPAA, HITECH, and Meaningful Use.

Speaking of Meaningful Use, today’s healthcare IT conference would not be complete without including that topic on the agenda. And on that note, the SoCal HIMSS Healthcare IT Conference delivered by offering a Meaningful Use panel, featuring presentations from a number of experts. Among them was Lori Hack, who serves as the chair of the board of directors for the California eHealth Collaborative.

Hack’s presentation, Finding Meaning in Meaningful Use, offered insightful information about Meaningful Use while providing practical advice on approaches to meeting the requirements. Even more impressive was Hack’s coverage of the Meaningful Use risk assessment requirement. The context of her message – that the Meaningful Use process should not be just about getting funds, but should be done with security and risk management in mind – was refreshing to hear. And it was another indication that this conference was about much more than healthcare policies and politics.

Bowe Hoy is an Enterprise Security Consultant for Sword & Shield. If you need more information regarding HIPAA, HITECH, and Meaningful Use risk assessment and compliance, please contact him via our website or by phone at 865-244-3521.

Also posted in Uncategorized

The Big Star of the Big HIMSS11 Show: Meaningful Use

Everything about the 11th Annual Healthcare Information and Management Systems Society (HIMSS) conference was big: big exhibits, big conference hall, big crowds and big name speakers.

But the biggest run-away hit on the agenda was the issue of Meaningful Use (MU), a critical level for the use of electronic health records (EHR) and related technology within a healthcare organization that, if achieved by 2011, will offer incentive payments. However, the lack of focus on the fact that a company attempting to achieve MU MUST have a risk assessment to qualify for any incentive was perplexing – and this is where Sword & Shield stepped in to fill the void.

By HIMSS’s own admission, the conference would be big. The numbers plastered on the HIMSS11 website are staggering:

  • 5 days
  • 400+ sessions
  • 500 speakers
  • 900+ exhibits
  • 29,000+ professionals, decision makers, thought leaders…

To their credit, HIMSS did not exaggerate one bit. The large-scale impact of HIMSS11 could be felt almost immediately upon arriving in Orlando. The many hotels within the Walt Disney Resort area that housed the majority of the more than 29,000 attendees were covered in HIMSS11 signs, banners, and placards. Numerous tour buses, each wrapped from front to back, top to bottom with HIMSS11 sponsorship advertising, ran back and forth between the hotels and the Orange County Convention Center (OCCC), picking up and dropping off the many HIMSS11 participants throughout the day.


Also posted in Uncategorized

HITRUST Establishes New Group to Develop PHI Leak Policy

The Health Information Trust Alliance (HITRUST) is establishing a new working group to provide guidance on policies for securing protected health information (PHI) from leakage and is seeking participants for the group.

In its invitation, HITRUST officials said, “HIPAA provides guidance on what constitutes protected health information (PHI); however, a healthcare organization faces a considerable challenge in accurately identifying PHI within the various data sets stored or transmitted by the organization. This challenge, coupled with the increasing number of ways data is accessed and disseminated (e.g., emails and documents stored on USB devices), makes it all but impossible to adequately protect PHI in a manner that doesn’t impede business operations and user functions.

Content monitoring and control solution providers such as Symantec, McAfee, RSA and Sophos, have worked with healthcare customers to define product specific policies and rules for PHI. However, these actions introduce complexity for both healthcare organizations and security vendors due to each organization’s unique, proprietary interpretation of what constitutes PHI and covered information, resulting in a lack of assurance that adequate protection is in place.”

Those interested in participating in the Content Definition Development Working Group should contact HITRUST at workgroup@hitrustalliance.net.

Sword & Shield Enterprise Security is one of only a handful of companies that has been designated as a HITRUST CSF Assessor. CSF Assessors are those organizations that have been approved by HITRUST to perform assessments and services associated with the CSF Assurance Program and the Common Security Framework (CSF), a comprehensive security framework that incorporates the existing security requirements of health care organizations.

For more information about how the HITRUST CSF Assurance Program delivers simplified compliance assessment and reporting for HIPAA, HITECH and Meaningful Use, please contact Sword & Shield via this website or call an enterprise security consultant at 865-244-3500.

Also posted in Security News

Study: It Pays to be in Compliance with Information Security Standards and Regulations

Organizations that have to comply with industry and/or government issued information security standards and regulations inevitably ask the same question: What is the cost of complying? A related question is just as important: What is the cost of not complying?

But, at the heart of the matter is value: What is the business value for an organization to become and remain compliant?

A new study conducted by the Ponemon Institute and sponsored by security solutions provider Tripwire provides some pretty enlightening – if not surprising – answers. The study, a review of security investments made over a 12-month period at 46 global companies, found that organizations that regularly review and maintain compliance with leading industry security standards and regulations spend about three times less annually than organizations that fall out of compliance. Most compliant organizations spend an average of $3.5 million annually on security while non-compliant organizations spend an average of $9.4 million.

In an interview with Infosecurity, Rekha Shenoy, vice president of strategy at Tripwire made the following observation, “Having good security actually helps you in lowering your noncompliance costs. Everyone is spending more money on compliance, but the ones that are getting more secure actually do reap business benefits and save the company money in the context of noncompliance costs. We thought this was really important, especially for [chief information officers, chief information security officers], and other security champions who are trying to prove to the business that investing in security is good for the company.”

Shenoy’s analysis is backed up by the key findings of the study:

  • Data protection and enforcement activities ranked among the most expensive compliance activities, and business disruption and loss of productivity were found to be the most significant expenses for companies that did not achieve or maintain compliance.
  • Total cost of compliance varies by industry, ranging from $6.8 million for education and research to more than $24 million for the energy sector. The cost of compliance versus noncompliance also varies by industry, with energy showing the smallest difference ($2 million) and technology showing the largest ($9.4 million).
  • While security effectiveness is unrelated to compliance cost, a higher percentage of compliance spending relative to the overall IT budget indicates that investment in compliance reduces the negative consequences and costs associated with noncompliance.
  • The most-often focused on standard, across the board, is the Payment Card Industry Data Security Standard (PCI DSS).
  • 28% of those surveyed did not conduct internal compliance audits, and only 11% conducted more than five internal audits each year. Organizations that conduct three to five internal compliance audits each year have the lowest per capita compliance cost ($154), while those that did not conduct internal audits had the highest compliance cost ($341).


Also posted in Security News

Sword & Shield Recognized as a HITRUST CSF Assessor

KNOXVILLE, TN – Sword & Shield Enterprise Security, Inc., a Knoxville, TN-based IT security company, today announced it has been designated by the Health Information Trust Alliance (HITRUST) as a Common Security Framework (CSF) Assessor – one of only a select few companies nationwide to achieve this recognition.

The HITRUST CSF is the first information technology security control framework developed explicitly for the protection of healthcare information. CSF Assessors are organizations approved by HITRUST to perform assessment and/or certification services associated with the CSF, including services delivered through the CSF Assurance program. In becoming a CSF Assessor, organizations must go through a rigorous due diligence process and demonstrate that they have a strong information security practice and leadership, experience delivering information security solutions to healthcare organizations, and a dedicated group of practitioners that can deliver CSF-related services to organizations.

“We are pleased to announce the designation as a HITRUST CSF Assessor. With the HITRUST approach, risk management and compliance are addressed within context of the specifics of the healthcare industry,” said Sword & Shield President and CEO John McNeely. “This comprehensive and unique security framework provides a very effective way of dealing with security risks and in meeting regulatory requirements such as HIPAA and the HITECH Act.”


Also posted in Company News

Experian announces new authentication requirements for EI3PA compliance

If you are a company processing, storing or transmitting credit information provided by Experian, you may be required to have your systems assessed to determine how you are protecting this information, both externally and internally, from unauthorized users. Experian Independent Third Party Assessment (EI3PA) is an adaptation of the PCI DSS process. However, instead of credit card numbers, EI3PA requires an audit of how securely you are protecting Experian’s credit information.

Experian has recently announced a new requirement for EI3PA compliance: Multi-Factor Authentication (MFA). EI3PA now requires the use of MFA to add additional layers of authentication for users accessing Experian information beyond a simple password. The deadline for implementation is July 15, 2011.

In a letter to its resellers, Experian explained the rationale for this new requirement as a means “to address new concerns and improve data security.” Experian noted that its own implementation of an MFA system is underway and will be complete by the end of February 2011 for those accessing information directly from Experian via its eSolutions portal.

At the foundation of MFA are the following factors:

  • Something a person knows (such as a PIN or password)
  • Something a person has (such as a token, cell phone, or digital certificate)
  • Something a person is (biometrics such as a fingerprint, retina pattern, or voice pattern)

For more information about EI3PA audits, please visit Sword & Shield’s website. Sword & Shield also offers MFA products through its ecommerce site.


Bowe Hoy is an Enterprise Security Consultant for Sword & Shield. If you need more information regarding EI3PA compliance, please contact him via our website or by phone at 865-244-3521.

Also posted in Security News