An Information Security Place

Commentary on the State of Information Security
Filed under Pre-Categories

I received my digital version of InfoSecurity magazine this morning, and it got me thinking (it hurt because I usually don’t start thinking until the afternoon). The article was about Australian computer crime statistics and how computer crime there is increasingly about money and less and less about bragging rights. They made this statement in the article:

Attacks that use trojans and rootkits rose to 21% of all attacks, says the report. Many are able to switch off computer defences and evade detection. In addition, 60% were undetected by current defensive software until discovered “in the wild”. This means actual infection rates may be much higher.

You would think that my mind would move in the direction of computer crime and how the rate of mass-mailing worms has gone down so much since last year and the year before, and blah blah blah. However, if you have read my blog for any length of time, you know my mind works in strange and distorted ways. So it actually made me start thinking about compliance of all things!

So, after making you read all that (and I am assuming someone out there is still reading my post at this point), I’ll let you in on where my warped brain went.

The quote above said that 60% of the malware was not detected by current defensive software until they were discovered in the wild. Here is my scenario:

  • You are a security manager in healthcare (just like me)
  • Some PCs on your network become infected by a trojan and information is stolen
  • ID theft occurs due to the breach
  • You do some investigation and find the trojan, but it turns out it was unknown (not found in the wild) and was targeted specifically at your organization
  • You report the incident and follow incident-handling procedures and clean the trojan and any other malware found
  • You report the trojan to your anti-malware vendor, who disseminates the info and writes signatures along with everyone else
  • Because of the breach and the subsequent ID theft, your hospital has a HIPAA complaint filed against it
  • The HIPAA police come out (not likely to happen, but you never know) and find out that you have some problems with your HIPAA compliance, but nothing that is directly related to this incident

My question is: do they still prosecute, slap fines, etc.? In other words, during the course of the investigation, they find problems in another area of your HIPAA compliance that is not directly related to the incident. They conclude that you had proper policies, procedures, and safeguards in place for this incident (your safeguards simply couldn’t pick this up because it was not known in the wild). Can they still hold you liable for the problem they did find?

Maybe that is spelled out in the rule, but I haven’t seen it in my research. And since HIPAA has not really been tested in court (and who knows when it will be tested), I don’t know if / when we will get an answer to this or any other hypothetical question regarding this legislation.

Vet

Posted by Michael Farnum on Thursday, June 22nd, 2006