Have you read your regulations?

Don't assume everything you're told is true when it comes to compliance specifics -- do your homework and find out what's legit and what's bull

I overheard a long-time hospital client talking to another support vendor today. The hospital’s patient accounting department was attempting to send patient financial and billing data to a third-party biller. The vendor’s normal Web site was down, and they were trying to come up with an emergency fix.

The pressing problem of the moment was how to securely transmit the data from the hospital to the third party. There are, of course, myriad options. The hospital clerk asked if she could e-mail the data file to the third-party vendor using a password-protected and encrypted Winzip file. The vendor's response was an emphatic and swift rejection. "Winzip encryption is not covered under HIPAA (Health Insurance Portability and Accountability Act) guidelines," said the vendor.

The week before, I heard a similar conversation with a national computer support person telling another client of mine that WEP wireless security isn’t covered under the PCI (Payment Card Industry) Data Security Standard.

I wonder if either vendor ever read the source documents they were referring to? While I can think of better, more secure transport methods than an encrypted Winzip file -- and WEP has certainly been proven to be easily broken -- neither the HIPAA nor PCI standards forbid the use of either technology. With the huge exception of the government's FIPS (Federal Information Processing Standards) rules that nonmilitary government agencies and subcontractors must follow, I rarely see a particular technology specified or singled out in any general regulation.

Unless you've read the source documents, you might believe that HIPAA says that a hospital must use 256-bit AES encryption or that WPA2 with smart cards is required to meet PCI wireless standards. Nothing could be further from the truth. If you are a security officer and your company falls under an industry or legislative regulatory guideline, I appeal to you to read it before vendors start quoting bogus information.

For example, many companies are still forced to use (admittedly poor) WEP wireless protection because of incompatible hardware or software. Until they upgrade the necessary components, they're stuck with it. The current PCI DSS specification 1.1 says, and I quote: "Enable WiFi protected access (WPA and WPA2) technology for encryption and authentication when WPA-capable." A previous sentence recommends that card merchants change their WEP encryption keys from their defaults (see PCI DSS section 2.1.1). Clearly, the PCI DSS standard is promoting WPA but understands that some merchants aren't yet in the position to upgrade.

I heard another IT guy talking about how the PCI standard forbids the storage of credit card numbers and how all the vendors storing credit card numbers are "in violation of the act." First of all, it's a merchant card program requirement, not an act. Acts are generally codified regulatory compliance laws.

As for the standard, a merchant not meeting PCI DSS standards -- and there appears to be a lot of them these days -- might lose their ability to participate in merchant card programs. In today's near-cashless society, that would be a heavy blow. Merchants not meeting the PCI DSS standard could also be subject to a merchant card program fine if they wanted to stay in the program, and not following the recommended standards could be considered evidence of a lack of "due care" and lead to civil damages. But it's not against the law.

Second, the PCI DSS standard doesn't prevent the storage of credit card numbers. In fact, it specifically says it's all right to store that information, along with the cardholder's name and card expiration date, as long as all information that's stored or transmitted is protected. What can't be stored? All the information on the card's magnetic stripe and the three- or four-digit "verification" numbers on the back of the card (i.e. CVC2, CVV2, or CID codes).
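As an added illustration of the storage rule just described (example code, not from the column or from the PCI DSS text itself; the field names, the encrypted-token format and the sample records are assumptions), a pre-storage check that rejects the data the column says may never be kept and flags a card number sitting in cleartext:

```python
import re

# Storage rules as the column describes them: PAN, cardholder name and
# expiry may be kept only if protected; magnetic-stripe track data and the
# CVC2/CVV2/CID codes may not be kept at all. Field names are assumptions.
FORBIDDEN_FIELDS = {"cvv2", "cvc2", "cid", "track1", "track2", "magstripe"}
STORABLE_FIELDS = {"pan", "cardholder_name", "expiry"}

# Track 1 begins "%B<PAN>^", track 2 begins ";<PAN>=" (ISO/IEC 7813 layout);
# a swipe pasted into a free-text field shows up this way.
TRACK_RE = re.compile(r"(%B\d{13,19}\^)|(;\d{13,19}=)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used here to recognise a cleartext card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def is_cleartext_pan(value: str) -> bool:
    """True when the value is a 13-19 digit, Luhn-valid number (spaces/dashes allowed)."""
    digits = re.sub(r"[ -]", "", value)
    return digits.isdigit() and 13 <= len(digits) <= 19 and luhn_ok(digits)


def vet_record(record: dict) -> list:
    """Return the list of problems; an empty list means the record may be stored."""
    problems = []
    for key, value in record.items():
        if key in FORBIDDEN_FIELDS:
            problems.append(f"{key}: must never be stored")
            continue
        if not isinstance(value, str):
            continue
        if TRACK_RE.search(value):
            problems.append(f"{key}: contains magnetic-stripe track data")
        if is_cleartext_pan(value):
            if key == "pan":
                problems.append("pan: stored in cleartext, must be protected")
            else:
                problems.append(f"{key}: holds a card number outside the protected field")
    return problems


# Constructed sample records; 4111 1111 1111 1111 is a well-known test number.
SAFE = {"pan": "enc:v1:c2FtcGxl", "cardholder_name": "J. Doe", "expiry": "12/27"}
BAD = {"pan": "4111 1111 1111 1111", "cvv2": "123", "notes": ";4111111111111111=2712101?"}
```

Running `vet_record` on the two samples returns no problems for `SAFE` and three for `BAD` (cleartext PAN, a CVV2 field, and track data in a notes field).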

HIPAA doesn't have any specific technology requirements. As with PCI, all the recommendations are general in nature. Although many people, including myself, could argue that this lack of specificity means security problems will keep occurring, the reality is that there are so many ways to protect computer data that no single recommendation would ever be complete enough.

Suppose a standard required the use of 10-character or longer complex passwords. Sounds good, right? Well, yeah, if everything else is up to spec. No single recommendation can be considered in a vacuum; the entire system must be securely configured and maintained. For example, with the 10-character password requirement, how frequently must the password be changed? Who assigns the password? Does any other user (such as an administrator) know the user’s password? Are users forbidden from writing them down? How well does the underlying system protect the password in transit? Does the password authentication protocol use challenge-response, plaintext, or token substitution? Does the system have account lockout for n number of invalid password attempts? Is account logon auditing turned on? Does anyone ever review the logs?

Instead of getting into these kinds of specifics, standards like PCI DSS or HIPAA say something like, "...secure passwords must be used." The idea is to pass along a general recommendation that the average person or administrator would take (or should take) in the normal course of business. If data gets compromised, the injured parties can point to the lack of "due care" taken in implementing the standard. Of course, general standards are also why vendors, who continue to allow other people's personal data to get stolen, keep escaping meaningful prosecution. It's a double-edged sword.

For the most part, if you follow normal network security best practices, you will meet most of the various regulations' requirements. I've been involved in auditing merchant card vendors for PCI compliance; the only requirements I consistently see merchants not meeting by default these days are writing their wireless logon logs to a server location on the internal LAN and changing their WEP keys (if they use WEP) at least quarterly.

It can never hurt to read the source documents that regulate your industry, even if they are boring and dry. You'll seem a whole lot more intelligent to your boss, your co-workers, and know-it-all vendors.

(And yes, password-protected, encrypted .zip files are accepted by HIPAA as a secure transmission method as long as the password is not passed in plaintext.)