Sword & Shield - Intelligent Security
Security Solutions for Peace of Mind
December 2016
Beginning Your Secure Future
Expect the FTC to Focus on Data Privacy and Security in 2017
If you're a healthcare organization or the business associate of one, you're probably well aware of HIPAA and know you're under the authority of the Department of Health and Human Services Office for Civil Rights (OCR).

However, you may not know that your for-profit company is also subject to the Federal Trade Commission (FTC) Act. This act states that companies cannot engage in deceptive or unfair acts.

The FTC Act has been around since 1914, but recent litigation involving companies the agency says failed to protect consumers' personal information spurred the 2015 Privacy & Data Security Update.

This update means that every covered entity that uses or discloses consumer health information for commercial activities other than treatment, payment or healthcare operations must first get written permission from the client through a valid HIPAA authorization. In 2017, expect the FTC to focus more on applying the privacy and data security update to covered entities.

These entities must make sure all of their statements to consumers don't create a deceptive or misleading impression, the guidance warns. Even if you believe your authorization meets all the elements required by the HIPAA Privacy Rule, if the information surrounding the authorization is deceptive or misleading, that's a violation of the FTC Act.

While the election of Donald J. Trump may signal a reduction in many types of regulatory authority, experts believe the push to implement the privacy and data security standard will continue. Trump's pick to run the FTC transition team, Dr. Joshua D. Wright, has written extensively on how the FTC should beef up its role in helping businesses understand the economics of privacy policy.

To comply with the FTC Act, covered entities and business associates should:
  • Review the user interface of their HIPAA authorizations for disclosures of consumer health data for commercial activities.
  • Consider the various devices consumers may use to view these disclosure claims.
  • Remember the same requirements apply to paper disclosures.
HIPAA compliance experts warn healthcare organizations not to become complacent. Your organization could be compliant with one regulation, but not with the other.

Sword & Shield Enterprise Security offers a variety of HIPAA compliance solutions. For more information, please call us at 865-244-3500, email us, or fill out a consultation request.
Begin the New Year with a New Knoxville Cyber Sessions on Cloud Security
Sword & Shield Managing Consultant for Enterprise Security Solutions Scott Partelow will start 2017 with a discussion on cloud security at the next Knoxville Cyber Sessions, Thursday, Jan. 19, from 11:30 a.m. to 1 p.m.

In "Migrating your Data to the Cloud - How to Decide," Partelow will discuss the pros and cons of migration.

Register now to join the discussion on solutions to cloud migration issues.

Lunch is provided and will feature Southern BBQ.
Be Instantly Notified of New Remote Access Agent Check-In via Slack
By Russel Van Tuyl
I really, really, really like shells. Nothing is better than that feeling you get when a shell comes in. There are many ways to get a shell, but some of them take a while to produce. A phishing campaign that leverages malicious payloads is a good example where there might be delayed gratification on receiving a shell. The emails might be sent at eight in the morning, but who knows what time of day a victim will read the email and open the malicious attachment in such a manner that causes the payload to execute? Another example is a malicious USB device. It could be configured with a malicious payload and dispersed in a work area or parking lot, but who knows how long it will take for one to be plugged in?

I wanted a way to instantly be notified when a shell came in so I could drop everything I'm doing and immediately do a pwn dance. There are many ways this can be done, but I decided to leverage Slack for notification. I chose Slack because it can be installed on your mobile phone, your computer, or run in a web browser. The options are numerous. There is a solid chance I always have my phone with me, so I really like the idea of notifications on my phone.

This notification system relies on Slack's incoming WebHooks custom integrations. To create a new WebHook, click on the Add Configuration button for a Slack channel you control and start populating the integration settings. Figure 2 shows how I have my ShellBot integration configured. We will need the channel name, Webhook URL, username, and custom emoji (if used) to configure SlackShellBot later.

In the News
Van Tuyl Talks with WATE About the Latest Yahoo! Breach
Sword & Shield Managing Consultant of Security Assessments Russel Van Tuyl talks with WATE News 6 about how to protect yourself after the latest Yahoo! breach.

Yahoo says it believes hackers stole data from more than one billion user accounts in August 2013.

The California company says it's a different breach from the one it disclosed in September, when it said 500 million accounts were exposed. This new hack revelation raises questions about whether Verizon will try to change the terms of its $4.8 billion proposed acquisition of Yahoo.