SONY HIPAA covered? Looks Like It! -update-

Sony Entertainment’s breach disclosure, which exposed a large amount of health-related information about its employees, struck a new, major chord. But are they covered by HIPAA? Opinions by respected legal authorities are all over the map. (UPDATE: they appear to be self-insured, therefore a HIPAA CE… let’s see what the day brings on this ever-changing story.)

Let’s review: a HIPAA “covered entity” is a provider of healthcare, a payer of healthcare (i.e., the insurance company), or a processor of healthcare information (clearinghouse, data storage, and now, health exchanges) … or a business associate, in a recent, sweeping change in the law. “Employers” are not, simply by virtue of sponsoring health insurance, covered entities, and aren’t traditionally liable under HIPAA unless they are also practitioners providing their own health care, or are large enough to be self-insuring, which may be the case with Sony. Their letter, linked above, apparently admits as much, referencing “SPE health plans.” (And a more recently found link to the SPE Health Plan privacy notification would seem to confirm it. Thank you!)

But raw stupidity is rampant in this case. Many companies assume that they are covered entities when indeed they are not … and assuming Sony’s breach letter writer didn’t accidentally redefine their lawful role is pouring a lot of confidence into a mighty leaky pitcher. Were it written as a movie script, it would get laughed out of Sony Pictures’ offices!

At the same time, clarity isn’t yet assured… a quick morning review shows Yea, Nay and, most important, Maybe … “While the industry debates whether Sony and all other employers are covered entities under HIPAA…” (emphasis mine).

This would be the most mind-blowing aspect of all. Employers being considered “covered entities” would be a tectonic shift across all businesses. Also pertinent is the recent Connecticut Supreme Court decision allowing HIPAA to serve as the standard of care in a negligence claim brought as a private right of action.

Keep watching the sky on this story … fallout is only just beginning.


Posted in Awareness and Alerts, Services and Training

Food & Bev Next Big Target for PoS Malware

Restaurants and credit cards have been closely wed since Diner’s Club ushered in pay-with-plastic in 1950. Surveys show that if given the choice, restaurateurs would sooner give up the cash drawer than the swipe pad. But with credit card theft threatening the food-and-beverage sector, marriage counseling is in order.

“Crooks are now going downstream for smaller retailers,” said Pat Belcher, Director of Security Analytics for Invincea, network security specialists. With mega-retailers like Home Depot and Target strengthening defenses, he puts foodservice at the top of the target list. “We’re already seeing it,” he said, pointing to recent Dairy Queen and Jimmy John’s breaches. Those chains alone account for more than 600 recent breaches.

Size is irrelevant. There is no security in obscurity, as OTTO Pizzeria, El Agave Mexican Restaurant, and Mizado Cocina found out just this summer, and Beef O’Brady in September. Cyberthieves simply spin the wheel, looking for weaknesses.

Take a Spicy Pickle restaurant a few years back, where crooks exploited Windows Remote Access Tools (RATs) to embed themselves deep in the computer and harvest all of its data. The Pickle shut down a few months later, soured by the breach.

As the owner discovered, repairing a breach only begins with money and time. This year the average cost rose 15% to $3.5 million, according to a recent IBM study. Then the credit card companies inflict penalties and higher surcharges for noncompliance with security standards. Data loss isn’t limited to credit card information. The most recent malware culprit, “BackOff,” does key logging along with memory scraping. So every keystroke made on the network goes back to the crooks, including passwords for logging into banks and business partner sites. Every aspect of the business is open to plunder, and trust needs to be rebuilt in all relationships, from customers back up the supply chain.

What’s a restaurateur to do? Belcher, who has studied the “BackOff” code and followed its destructive path, sees three commonalities that together created a welcoming environment for the threat in its victims: Windows operating systems, weak antivirus software, and non-encrypting credit card magnetic stripe readers. So:

  • Make sure you use up-to-date security solutions to protect all networks, separating and limiting access to the PoS system (and if it’s on the same network as the dining room Wi-Fi… shut off the Wi-Fi, now! That’s just plain wrong!);
  • Install encrypting credit card readers – you owe it to your customers and yourself;
  • Personal cyber-hygiene for you and the staff is critical. “BackOff” launches its own phishing expedition against your company’s employees to gain access to passwords. If you and the staff can’t recognize a phishing email, sit down with one of the many YouTube videos on the subject.

It’s also a good time to change the default and staff passwords controlling access to key payment systems and applications, upgrading to strong passphrases. For a deeper dive, review the recommendations by the Department of Homeland Security with an IT professional and see where your risk is greatest.
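The memory-scraping and keylogging behaviour described above works only because a non-encrypting reader hands the PoS software cleartext magnetic-stripe data, which is exactly what an encrypting reader removes. A practical way for an IT professional to verify the second recommendation took effect is to scan PoS logs, crash dumps or exported memory for cleartext Track 2 data and bare card numbers, the same check that PCI cardholder-data discovery tools perform. The following script is an added example written for this post, not code from Invincea, Belcher or the original article; the log lines are constructed, the card numbers are the publicly documented Visa and Mastercard test numbers, and the `reader=ENC blob=` field is a hypothetical way a log might record an encrypting reader’s output.

```python
import re

# Track 2 on a magnetic stripe is laid out as ;PAN=YYMM<service code><discretionary data>?
# A memory-scraping PoS trojan hunts for this exact shape in process memory.
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{2})(\d{2})\d*\?")
# A bare card number (PAN) is 13 to 19 digits not touching any other digit.
PAN_RE = re.compile(r"(?<!\d)(\d{13,19})(?!\d)")

# Constructed PoS log excerpt: line 1 shows what an encrypting reader leaves behind
# (an opaque blob), line 2 a cleartext swipe, line 3 a long non-card number, line 4 a bare PAN.
SAMPLE_LOG = """\
2014-11-03 18:42:11 pos01 txn=1843 reader=ENC blob=6F8A2C... approved
2014-11-03 18:43:05 pos02 txn=1844 swipe=;4111111111111111=25121011234? approved
2014-11-03 18:44:50 pos02 txn=1845 order=9876543210123 total=24.50
2014-11-03 18:45:20 pos03 txn=1846 card=5555555555554444 approved
"""


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check; weeds out order numbers and timestamps that merely look like PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Report findings PCI-style: first six and last four digits only."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_cleartext_card_data(text: str):
    """Return (line_number, kind, masked_pan) for every Luhn-valid PAN found in cleartext."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        seen = set()
        # Full Track 2 records are the worst case: PAN plus expiry, enough to clone a card.
        for m in TRACK2_RE.finditer(line):
            pan = m.group(1)
            if luhn_ok(pan):
                seen.add(pan)
                findings.append((line_no, "track2", mask_pan(pan)))
        # Bare PANs (e.g. written to a log by a misconfigured PoS application).
        for m in PAN_RE.finditer(line):
            pan = m.group(1)
            if pan not in seen and luhn_ok(pan):
                findings.append((line_no, "pan", mask_pan(pan)))
    return findings


if __name__ == "__main__":
    for line_no, kind, masked in find_cleartext_card_data(SAMPLE_LOG):
        print(f"line {line_no}: cleartext {kind} data {masked}")
```

Run against the constructed log it flags lines 2 and 4 only: the encrypted blob on line 1 never matches, and the 13-digit order number on line 3 fails the Luhn check. A clean scan of real logs and dumps after the reader upgrade is the evidence that the PoS software no longer sees data worth scraping; any hit points at a terminal, application or log setting still handling cleartext card data.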

The threat will only get worse, warns Invincea, which offers advanced endpoint protection for businesses large and small. Whether a white-tablecloth restaurant, a casual dining franchise, or a Mom & Pop taqueria, reliance on credit cards requires increased vigilance to keep that marriage working.

Posted in Awareness and Alerts

50 Hats 50! The Weaver’s Autumn Service Project, Knitting for the Homeless

HATS for the Homeless from David Schulz on Vimeo.

Posted in Uncategorized