
The unknown is the most dangerous. It’s a saying that should be taken into account when protecting your most valuable asset – your data. Today we talk about why creating asset inventories of your hardware, software and data is an important first step to being able to protect it.
In this episode:
Why You Need Asset Inventories – Ep 337
Today’s Episode is brought to you by: Kardon and HIPAA for MSPs with Security First IT
The HIPAA Boot Camp: 2-22-22 thru 2-24-22
Save the Date: First Ever PriSec Boot Camp, Sept 12-15, 2022, Louisville, KY
HIPAA Say What!?!
[09:25] Oregon Anesthesiology Group published a Notice of Data Breach in early Dec 2021 on a website they set up for it, https://www.oaginformation.com/. This notice was very confusing to me and, of course, left me with a lot of questions. But there is a lesson to learn here too. Below are a few excerpts with details about what happened. Interesting to note, they spun up this domain name that only has the notice on it. No link to their website at all. SEO anyone?
Ok, there are a couple of things to note in this one paragraph. It appears that they had a major ransomware attack. If they were “rebuilding our IT infrastructure from the ground up,” it must have been really bad. Then they say they started the forensic investigation shortly after the attack. Hmm… We always tell people that you don’t start restoring until the forensics folks have gotten their information, because if you restore, you destroy evidence. Forensic teams will want to make byte-by-byte copies of the servers, and there are usually terabytes of data that have to be copied, saved to an external device and gotten to the forensic folks. But if they were “briefly locked out of our servers,” it doesn’t seem like that step happened.
Now, three months later, OAG gets notified by the FBI. The fact that the FBI points out that the hackers exploited a vulnerability in a firewall tells me that there was an unpatched firewall, because there were no zero-day vulnerabilities in firewalls going around during that time. Then OAG didn’t get their forensics report until November? Huh? I digress.
The forensics report showed that the criminals were able to get admin credentials that they used to access OAG’s encrypted data. As we’ve mentioned before, if you can log in, the data is no longer encrypted.
It is interesting that they seem to have gone from 0 to 100 with the updates to the security safeguards, massive security monitoring and a move to a more cloud-based infrastructure. So, now they are relying more on third parties to protect them, but that still doesn’t eliminate their risk. It just shifts what risks they need to worry about.
I’m just gonna let you sit with that last paragraph.
There are so many things here that don’t make sense:
- They aren’t on the OCR portal for breaches affecting over 500 patients yet, even though this one involves 750,000 patients and 522 employees.
- Briefly locked out of servers?
- Rebuilt IT infrastructure from the ground up?
- The FBI seized a Ukrainian hacking group’s accounts?
- The FBI thought the attack was through the firewall?
- They get their cyber forensics report in late November from a July 11 attack?
Hopefully, it is just communication issues and managing the legal language, etc. This is a reminder that reporting to HHS within 60 days matters. We know it will be years before we see any public action from OCR, if there is any. We just had a Kardon Club special Q&A webinar with our local OCR investigator. She specifically discussed this problem of timely reporting. Don’t wait until you get those forensics back.
Here is the bottom line: Assuming there was an attack on July 11 and you got forensics involved immediately, it takes time to do those forensics properly. I haven’t seen it take close to 5 months, but it does take time. Go ahead and report a potential breach to HHS and amend it later.
Why You Need Asset Inventories
[30:30] When we ask for inventories of software and hardware along with data maps and network diagrams, there is often a groan, eye roll, or pushback from someone. Many times we hear something like “We don’t have time to keep up with these things!”
Larger groups say they have too many moving parts to track all of their IT assets. Small groups say they don’t have the resources and it isn’t worth spending them on tracking all these things. And, of course, everyone says IT does it, but IT does not handle everything that should be included in the inventory unless you have a very organized internal IT department.
We hear all of this regularly but we have no choice but to dig in and hold our ground. There are many reasons these things are needed. There is a reason they are included in every recommendation, framework or regulation we reference. For example:
HIPAA
- 164.310(d)(2)(iii) Maintain a record of the movements of hardware and electronic media and any person responsible therefore.
HICP – Small and Medium: Asset Management
- 5.S.A Inventory – Conduct and manage an inventory of IT assets
- 5.S.B Procurement – Keep asset inventory up to date with procurement of new devices
- 5.S.C Decommissioning – Securely remove devices from circulation
- 5.M.A Inventory of Endpoints and Servers – Establish an asset management inventory database and roll out
- 5.M.B Procurement – Keep asset inventory up to date with procurement of new devices
- 5.M.C Secure Storage for Inactive Devices – Ensure unused devices are physically secure
- 5.M.D Decommissioning Assets – Securely remove devices from circulation
HIC SCRiM Assessment: Asset and Change Management
- Do you maintain a detailed inventory of hardware/software assets used by your company and refresh it at least annually?
- Is ownership assigned for information assets?
- Are information assets classified according to their business value or risk?
- Are there procedures for information asset labeling and handling in accordance with the classification scheme?
NIST CSF: Identify Function
- Asset Management (ID.AM): The data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes are identified and managed consistent with their relative importance to business objectives and the organization’s risk strategy.
Why, oh why, is it everywhere?
[40:24] A great explanation of that is in NIST Special Publication 1800-5: IT Asset Management. It states that this “Cybersecurity IT Asset Management Practice Guide is a proof-of-concept solution” to help show how inventories can be done. The introduction section explains the benefits of doing this work. It gives us a perfect perspective on the answer to why it is important.
- enables faster responses to security alerts by revealing the location, configuration, and owner of a device
- increases cybersecurity resilience: you can focus attention on the most valuable assets
- provides detailed system information to auditors
- determines how many software licenses are actually used in relation to how many have been paid for
- reduces help desk response times: staff will know what is installed and the latest pertinent errors and alerts
- reduces the attack surface of each device by ensuring that software is correctly patched
Really, it goes back to the same position we have to work from on a daily basis.
“You don’t know what you don’t know.”
Examples in the wild today
[47:03] Here are a couple of examples of threats and vulnerabilities running around in the wild today that you should be protecting your devices and data from. Hence the reason you need to know what you have in order to protect it.
Log4Shell, log4j, logjam – No matter what name you call it, it has created a massive problem for information security professionals all over the world. This vulnerability is deep, deep, deep in the guts of many devices, but it is very easy to exploit. So, your IT folks need to evaluate all your systems.
Windows 11 system requirements – For those who don’t know, Microsoft’s Windows 10 operating system will reach its end of life in Oct 2025. Windows 11 was released in Q4 2021, but not all computers can be upgraded to Windows 11. For instance, my computer passes every test to see if it can be upgraded. But, because the actual processor module is not on Microsoft’s approved list, it can’t run Windows 11 now. Ugh!
Evaluate your systems, folks! IT can help but more than likely they don’t know and aren’t monitoring all of your hardware, software and data assets.
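As an added example (not from the show or the hosts), here is a small Python check that runs over a constructed inventory and reports the things the framework lists above and these two examples say an inventory is for: Log4j versions still exposed to Log4Shell, Windows 10 machines that will need a plan before support ends, records with no owner or classification, and records not refreshed in the last year. The Log4j version floor, the 365-day refresh window and the as-of date are assumptions.

```python
from dataclasses import dataclass, field
from datetime import date

# Assumed thresholds (not from the episode); adjust them to current vendor guidance.
LOG4J_MIN_SAFE = (2, 17, 1)   # Log4j 2.x below this is treated as exposed to Log4Shell
REFRESH_DAYS = 365            # HIC-SCRiM: refresh the inventory at least annually
AS_OF = date(2022, 1, 15)     # constructed "today" for the sample run

@dataclass
class Asset:
    name: str
    os: str
    last_verified: date      # when someone last confirmed this record is accurate
    owner: str = ""          # HIPAA 164.310(d)(2)(iii): person responsible
    classification: str = "" # HIC-SCRiM: classified by business value or risk
    software: dict = field(default_factory=dict)  # package -> version string

def parse_version(text: str) -> tuple:
    """'2.14.1' -> (2, 14, 1); a non-numeric part such as '0-beta9' counts as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in text.split("."))

def review(assets: list, as_of: date) -> dict:
    """Return asset names grouped by the check they fail."""
    found = {"log4shell": [], "windows10_eol": [], "no_owner": [], "unclassified": [], "stale": []}
    for a in assets:
        if "log4j" in a.software:
            ver = parse_version(a.software["log4j"])
            if ver[0] == 2 and ver < LOG4J_MIN_SAFE:  # Log4Shell affects the 2.x line only
                found["log4shell"].append(a.name)
        if a.os.lower().startswith("windows 10"):     # support ends Oct 2025 per the episode
            found["windows10_eol"].append(a.name)
        if not a.owner:
            found["no_owner"].append(a.name)
        if not a.classification:
            found["unclassified"].append(a.name)
        if (as_of - a.last_verified).days > REFRESH_DAYS:
            found["stale"].append(a.name)
    return found

def sample_inventory() -> list:
    """Constructed sample records, not real systems."""
    return [
        Asset("app-srv-01", "Ubuntu 20.04", date(2020, 12, 1), "J. Doe", "ePHI", {"log4j": "2.14.1"}),
        Asset("front-desk-03", "Windows 10 Pro", date(2021, 12, 20)),
        Asset("billing-db", "Windows Server 2019", date(2021, 11, 5), "IT", "ePHI", {"log4j": "2.17.1"}),
        Asset("imaging-ws", "Windows 10 Enterprise", date(2021, 10, 10), "Radiology", "ePHI", {"log4j": "2.0-beta9"}),
    ]

if __name__ == "__main__":
    for check, names in review(sample_inventory(), AS_OF).items():
        print(f"{check:14} {', '.join(names) or '-'}")
```

Feed it an export of your real inventory and the empty "owner" and "classification" columns show up as findings, which is exactly the accountability gap the HIPAA and HIC-SCRiM items above are asking about.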
Having a thorough asset inventory is crucial. You have to know what your assets are and where your data lives if you have any hope to protect it.
HIPAA is not about compliance, it’s about patient care.™
Special thanks to our sponsors Security First IT and Kardon.