Naval Air Station Attack: Cell Phone Privacy

The recent Pensacola Naval Air Station shooting left the FBI with the assailant’s locked iPhone. Apple has refused efforts to assist with bypassing the security features. Should legislation require Apple provide a back door to law enforcement? Hear more about the cell phone privacy debate between two noted cyber and privacy experts.

On Friday, December 6, an aviation student from Saudi Arabia opened fire in a classroom at the Pensacola Naval Air Station (NAS) killing three people in the attack and injuring eight others. Another Saudi student recorded the shooting events as it unfolded. The shooter was identified as Mohammed Saeed Alshamrani, an aviation student from Saudi Arabia. The assailant’s name doesn’t really matter because the question in these national security threats remains the same.

How does law enforcement obtain personal information off smart devices in a timely fashion?

What role does cell phone privacy play when it comes to terror attacks such as the most recent Naval Air Station attack?

Leading computer forensic expert Lee Neubecker, CEO & President of Enigma Forensics discusses with the Data Diva, Debbie Reynolds of Debbie Reynolds Consulting about the many technical tools in their arsenal that’ll offer solutions in these cases.

Lee Neubecker and Debbie Reynolds discuss cell phone privacy as it relates to national terrorist acts

Cell Phone Privacy: Naval Air Station Attack – Final Video of 4-part series

The transcript for Cell Phone Privacy – Naval Air Station Attack follows:

Lee Neubecker: Hi, I’m back again with Debbie Reynolds, the data diva. Thanks for being on the show again.

Debbie Reynolds: Thank you, Lee.

LN: So, we’re finishing up our multi-part series relating to cell phone forensics, as it relates to the FBI’s desire to get Apple and other information from the cell phone makers so that they can unlock their phones.

DR: Right, so there was a recent shooting, unfortunately, in Pensacola, at the Naval Air Station and because there were people who were recording the attack, they’re interested in being able to get information from those cell phones and this is renewed calls, as was the case with the San Bernardino attack in California in 2015, to have Apple help law enforcement unlock particular cell phones of folks.

LN: Yeah, as Debbie was saying, with the Pensacola Naval Air Station, what had been reported in the associated press was that a Saudi national student who was getting training out of the navy facility, which, our government trains foreign nationals and other militaries and has been doing that for a long time but some of the Saudi students had been watching, earlier that evening, they had been watching videos of mass shootings before the shooting took place. And during the shooting that she said, one of the students had been recording the events as they unfolded and likely has data on cell phones and other information.

DR: Right, I think the issue is, you know, is law enforcement able to get this information without accessing the cell phone and the chances are, possibly yes. But there are many different ways to get it.

LN: Yeah but this week they asked Apple for help to get in and they said they haven’t been able to get in the phone but like what happened with San Bernardino, it’s not entirely clear if they had fully used their capabilities, like their mobile access unit, had that unit exhausted their capabilities, had they reached out to third party vendors and computer forensic consultants and firms, like myself or others.

DR: That does this every day, yes.

LN: Or even the Israeli firm, called Cellebrite, which makes the equipment used by many forensic people, like myself, that was ultimately successful in unlocking the San Bernardino terrorist’s phone.

DR: Well, the one thing I will say is, in 2015, the phones have gotten a bit more advanced, the encryption is better but if, for example, people are taping things on cell phones, typically, they’re sharing it with other people so you may be able to get the information from another person’s phone, if the phone is backed up, you may be able to get the data from a backup, you may be able to get phone records about who they were calling or who they were texting, even though you may not get the actual footage, there are a lot of different ways to triangulate this information.

LN: And if they plugged their cell phone into their computer, a lot of times, it will automatically create a backup file but, in this case, I think the, you know, the FBI has a legitimate interest in wanting to know who were they texting right beforehand, were other people involved so I support that but I think that there are different means of how to accomplish their goal.

DR: Absolutely, absolutely. So, I think, the way that the story was told in the media, it makes it seem as though the only way the information can be gotten to is to have Apple or other cell phone makers create a vulnerability that anyone can use on any phone and I don’t think that that’s exactly true.

LN: No.

DR: Because we’ve not seen that in the field and many of us work with cell phones every day.

LN: Well, there was, recently disclosed, a vulnerability in every iPhone up to, not including, the very latest model but every iPhone relating to the Bootrom, where the phone can be, you know, basically, bootlegged and taken over until it’s rebooted, then it resets so I’m sure that there’s already bypass means on 95% of the iPhones out there, since most people aren’t running the latest model but again, the concern here is that it almost seems like there’s an effort to try to change the policy, you know, Director Comey, from the FBI, Former Director Comey had repeatedly stated that we need to be able to defeat encryption but by its nature, it’s like saying everyone should have weak locks on all their doors and companies shouldn’t lock their stuff up so that’s going to lead to problems in, you know, as I said, in the prior segment, a multi-key solution that has unlocked but specific to an individual user’s cell phone, with approval by the court, I think that is a much better solution than having a master key that can open up any phone.

DR: I think so and, I mean, we’ve seen in other cases, even though it’s not about terrorism, obviously, with the Jussie Smollett issue in Chicago, they were able to get a ton of information so they went to Uber, they had surveillance cameras, they had phones, I mean, the–

LN: They get GPS records on phones.

DR: Oh, all kinds of stuff.

LN: You can get cell phone tower records and then you have all these third-party apps like, you know, the secure Signal and WhatsApp, well, is it very secure if you get one of the two phones?

DR: Right.

LN: Not exactly because you can see all the messages.

DR: Oh, absolutely and I think Paul Manafort, unfortunately, found this out the hard way when he was using WhatsApp to chat with people about illegal dealings and the forensic folks were able to get the exact chat and all the texts because he had backed it up to his iPhone or his iCloud, I believe, so.

LN: It’s interesting now, you discover, these days, when things get involved with what was intent on a business deal gone wrong or was there fraud or misrepresentation, you know, getting, finding out what the text messages are and who was texting with which party and what did they say, that can be very important and litigation, still, it seems that text messages are just starting to come upon the attorney’s radar, for asking for that information.

DR: Well, it’s coming up on their radar ’cause people use many different means so someone may start with an email and then go to maybe Snapchat or go to texts, so.

LN: Or Slack.

DR: Or Slack so there are many different, yeah, right.

LN: You’ve got these other platforms that are just, that should be part of the discovery, that are getting ignored, unless you have an attorney or advisors, like us.

DR: Yes.

LN: Helping to make sure that you get that information.

DR: Exactly, exactly, it’s not easy because it’s not as linear as you think it would be but if you know that you have this information, that it’s out there, it’s possible to find ways to get it. Obviously, the cell phone would probably be the easiest way to at least be able to help you point to where things are but there are different ways to be able to get the information, not necessarily, so you do need the cell phone for the actual texts, the text message but.

LN: But sometimes people have that hooked up to their computer too.

DR: Yes, that’s true, right, that’s true.

LN: So their computer might have, you know, people who have an Apple laptop and running that, you might be able to get the messages off the laptop, which is yet another means of getting the data and then, you know, there are entities that do log the messages in between so you have the servers that they cascade through so there’s a lot of places that the information can be found and, you know, before a mass policy change is made to just by giving an open key, you know, people need to think this through because, you know, we had keys, master keys that open in the past, those keys have gotten leaked and it’s created a lot of problems.

DR: No, absolutely, I think that’s the villain in almost any little movie you could think of, someone who has a master bit of information that can rule the world so this is definitely something that needs to be thought through and we already know that there are, you know, other things that can be done that don’t require, currently, a master key.

LN: Yeah, well, one of the ways that all of you can show your appreciation if you like our videos, is click like, share the videos out and sign up for our blogs and check ’em out, thanks a bunch for being on the show again.

DR: Thank you, Lee, this was fantastic.

LN: Have a good day, everyone.

DR: Goodbye.

More about Cell Phone Privacy

Enigma Forensics can help gain access to locked personal devices. Choose an expert!

More on Naval Air Station: Cell Phone Privacy.

FBI says…Deceased Assailant’s Locked Phones a Hurdle for Investigators.

https://www.fbi.gov/news/stories/naval-air-station-pensacola-shooting-called-act-of-terrorism-011320

Rep. Gaetz: 12 Saudi cadets sent back home were stationed at NAS Pensacola

https://weartv.com/news/local/rep-gaetz-12-saudi-cadets-sent-back-home-were-stationed-at-nas-pensacola

Technical Solutions: Cell Phone Privacy

Is it necessary to have Apple provide a back door so that law enforcement can access a person’s cell phone? Computer Forensic Experts Lee Neubecker and Debbie Reynolds say there are technical solutions to use instead.

A law-abiding citizen or a criminal’s cell phone can be the largest piece of evidence in a criminal investigation. Once confiscated, cell phones are powerful tracking devices that can be used to infringe on an individual’s cell phone privacy. In this video, Data Diva, Debbie Reynolds of Debbie Reynolds Consulting’s and renowned Computer Forensics Expert Lee Neubecker, CEO & President of Enigma Forensics share their cell phone cracking technical solutions. Is the government’s desire to have a backdoor into all smartphones really necessary? No matter what security measures are placed on smart phone devices, there are many technical solutions available from the computer forensics experts to utilize when attempting to unlock a mobile smart cell phone. Check out this video to learn what technical solutions available that don’t require going back to the manufacturer and asking them to create a backdoor.

Experts discuss unique technical solutions available to retrieve cell phone information

Cell Phone Privacy: Part 3 of 4

Lee Neubecker: Hi, thanks for watching the show again, we’re now talking again about cell phone forensics as it relates to privacy issues and our government’s request to get information on specific cell phone users. I have Debbie Reynolds the data diva back on the show. Joining me again, and to help me elucidate some of the unique issues that relate to the current situation.

Debbie Reynolds: Right, so there are privacy issues obviously with being able to track, or be able to crack someone’s cell phone. In a law enforcement situation, time’s of the essence. They want to be able to get the information on the cell phone the best way that they can. The issue is, and especially with the Louden news reports, they aren’t exactly accurate about how this happened. So in order to do this cracking of certain cell phones, there are things that forensic folks, like Lee can do to actually do this that don’t require you going back to the manufacturer, asking them to create a backdoor. My opinion, and I think this is something that was echoed by Apple in their objection to this. Is that, you know, the iPhone or the cell phone is their invention. And the way that they do privacy for phones is kind of their unique, you know, secret sauce or special sauce so. Being able to, Having to try to do that is sort of the antithesis of what they’re doing, of their invention. And I’m not seeing any court cases where ever. Where someone had to literally create, invent something to sort of negate their own invention.

LN: And even then government, like, our US government has resources to have a lab where they can use equipment to actually replicate all the chips and storage devices. And then make a virtual machine where they can brute-force crack the device without worrying about the three false passwords that slow it down. Because if you virtualize, if you duplicate the embedded memory off the D-Ram, the various chips and storage, you can then set up a mass server farm of virtual machines to just pound away, trying combinations. And with quantum computing, it wouldn’t take much time, but that isn’t even necessary today. There are easier tools to get into the phones, but the real issue becomes if, it would much be like if the government said we want everyone to have one particular key-type for their home.

DR: Right.

LN: So that we have a key that we can take and we can get into any door without having to break down the door.

DR: Yeah.

LN: And the problem with that is, what happens when someone gets fired from the FBI and they copy that key? You know, then we got to lock change every house in America? And every business.

DR: Yeah, who’s to say, I mean not every person who has a phone is a criminal. So if you think let’s say you know 1% of everyone who has cell phones is doing a criminal activity, so should 99% of everyone else have these vulnerabilities that, you know, hackers love to have. They would love to be able to crack into your phone and do different things.

LN: That could actually you know lead to HIPAA violations, you know there are physicians and people that have some medical data as they connect to their work machines. and if there’s this weak backdoor key, that creates a problem. Now, I want to talk a little bit about how I think they could do it and it hasn’t been done yet.

DR: Okay.

LN: But if Apple were to issue, I mean if you have a multi-key solution where anyone key alone doesn’t work. But the FBI could make a request to the justice department, to the judiciary, a judge of some sort. The judge could issue a key unique to the cell phone IMEI identifier, and then that information could be a key that then goes to Apple or to Microsoft or whatever provider, who then generates a key that can unlock the phone. So you can have a multi-key solution, but it’s specific to the phone and that would preclude a situation where any one person’s key gets leaked and all phones are compromised. And, you know, if for instance the FBI’s key that they use to generate request keys, if that got compromised they would rotate that and going forward new keys would be used and they’d invalidate all the others. But you’d have a technical means to still get into the phone without necessarily meaning that every phone is totally open to one key.

DR: I think so, but I think, that’s actually a smart solution. But I also think companies like Apple, and I’m, we’re just picking on Apple ’cause the phone was an Apple phone that we’re talking about. But, you know, companies are in business to make money, and not to be law enforcement. So there’s probably not a lot of money in law enforcement stuff for them, so they may not be compelled, or feel like this is something they really want to invest a lot of time or energy in. Especially because there are smart people that do this for a living and can actually do this work.

LN: I support the idea that if there’s a terrorist out there, that we should have a system that does allow to get into that phone, but there’s got to be a check and balance, it can’t just be one person acting alone or else it inherently makes everything insecure.

DR: I agree, I agree. Yeah, it’s a tough issue, I feel like people get really, sort of, wound up about it. especially ’cause they’re thinking about sort of, patriotism and freedom and stuff like that. But you know there’s a way to solve this problem without creating problems for the whole world basically.

LN: Thanks for watching this segment, in our next segment we’ll talk about the more recent story regarding the Pensacola Naval Air Station terrorist attack, as they’re calling it. And the FBI’s renewed request of Apple to get into the cell phone.

DR: Thank you.

LN: Thanks

Watch the Next Segment on Cell Phone Privacy: Part 3 of 4 continued

Part One on our Series of Cell Phone Privacy as it relates to the user

National Institute of Standards and Technology for company cyber security

Here’s Apple’s stance on government requests for personal cell phones.

https://www.apple.com/privacy/government-information-requests/

What does the ACLU have to say about personal cell phone privacy?

https://www.aclu.org/issues/privacy-technology/location-tracking/cell-phone-privacy

Cell Phone Privacy: San Bernardino

Computer Forensic Experts Lee Neubecker and Debbie Reynolds discuss the problem that involves government versus cell phone privacy.

Cell phone privacy played an important role in the San Bernardino attacks. On December 2, 2015, Syed Rizwan Farook and his wife, Tashfeen Malik, open fired on San Bernardino County workers at a holiday party killing 14 and injuring 22 others. The FBI wanted Apple to give them access to the perpetrator’s phone.

Apple states, “We built strong security into the iPhone because people carry so much personal information on our phones today, and there are new data breaches every week affecting individuals, companies, and governments.” Apple continued…”We feel strongly that if we were to do what the government has asked of us — to create a backdoor to our products — not only is it unlawful, but it puts the vast majority of good and law-abiding citizens, who rely on iPhone to protect their most personal and important data, at risk.”

Leading computer forensics expert Lee Neubecker, CEO & President of Enigma Forensics discusses the issues relating to cell phone privacy and the government’s desire to have a back door into your smartphone with the Data Diva, Debbie Reynolds of Debbie Reynolds Consulting. These experts have an interesting perspective.

Cell Phone Privacy: Part 2 of 4

The Video Transcript follows.

Lee Neubecker (LN): Hi, I’m back again with Debbie Reynolds. Thanks again for being on the show.

Debbie Reynolds: Thank you, Lee.

LN: So, we’re continuing with this multi-part series talking about cell phone forensics.

DR: Right.

LN: It’s specifically, this section we’re going to talk about the San Bernardino 2015 December attacker that unleashed terror, Syed Farook, and at the time when that happened, the FBI went to Apple and claimed that they needed assistance with unlocking the phone.

DR: Right, so I remember this very well. This was maddening to me, because a lot of the news reports, I don’t think any of them correctly stated how cell phones actually work, and they sort of bungled the information about the cell phone. So, a lot of the articles were trying to say that the only way they could unlock the cell phone is with Apple’s help,

LN: That wasn’t true. We knew that wasn’t true.

DR: No, you know that wasn’t true.

LN: You know, I thought when they were doing that, that they might have said that to put out misinformation so that other people who were communicating with the terrorists might have thought that they were safe. I was wondering if they might have done that on purpose so that people would keep their phones so that they could track and follow other people.

DR: I don’t know, my feeling was that you know, the FBI or whoever was making this request was trying to create a precedent to be able to have people like Apple give them, create vulnerabilities in phones so they don’t have to do this one-on-one unlock feature, but why would Apple or any other company who’s in the business to make money create a vulnerability that possibly could be the antithesis of their invention. I wouldn’t use a cell phone if I thought it was unsafe, right, or insecure.

LN: Well, I just assume they’re all insecure.

DR: Well, as secure as it can be

LN: As secure as it can be, but you know, Microsoft, Apple, they issue patches and updates for security flaws every month, so there are still bugs out there that can be exploited, but when that happened right away, I was wondering why they didn’t call Cellebrite, and ultimately, Cellebrite, Israeli firm, they’re likely the ones who actually got the contract to unlock that phone.

DR: Yeah, right, exactly.

LN: But the whole notion of having a common key that law enforcement can quickly unlock any device without any judicial intervention, it’s a little concerning.

DR: It’s very much concerning. It’s like you’re trying to boil the ocean to solve one problem.

LN: Well, then if you have one key, someone in the FBI leaves, and they take that key with them, then they go and they link it on the Dark Web, and this is the type of thing that’s happened with contractors to various cyber agencies and the government, and these keys get out there, or weapons get out there, and everyone’s getting exploited, and it takes the government a long time to report it to Microsoft, to Apple, and everyone’s getting hacked in the meantime.

DR: Well, and there are a lot of other ways to get stuff off of a phone, so I think of a phone as a gateway to other things. You know, if even you do banking on your phone, if you lose your phone, that doesn’t mean that the information’s lost. You can go to the bank, companies can serve affidavits on different entities that have other information. If a person was communicating with someone else, you may be able to crack their phone, so there are a lot of different ways to solve this problem that don’t require creating a back door for a complete product.

LN: Yeah, and you know to your point about the issue when then-director Comey, James Comey, had testified seeing that they needed help, apparently the FBI’s own remote phone specialization group hadn’t been tasked with trying to get into the phones, so they hadn’t fully explored their own capabilities before they went to ask for Apple, because like you said, they wanted to establish precedent, and they wanted to change how it worked, and I think we’ve consistently seen and heard that the FBI wants full access anytime so that they can protect people, and there are some issues with that because if it’s simply full access, it’s going to make everyone less secure.

DR: Absolutely, absolutely, so I think all of us, there was quite a bit of eye-rolling when these reports were coming out about them not being able to do the cell phone, and it was like a lower version, too, so it wasn’t like the super– With every cell phone they get more secure, the OS–

LN: You know, it’s like give me the cell phone, DR: Exactly! LN: I’ll get into it. DR: Exactly!

DR: You know, even when they were interviewing people in the press, they weren’t really interviewing the forensic people who do this for a living, so I’m like who are they talking to?

LN: All the computer forensic people I know, we talked about this. The best plausible explanation I could think of, again, that they were trying to create a false narrative so that they could break up other people who were collaborating, but in fact, the Inspector General’s report from the FBI revealed that they just hadn’t fully done everything, and it sounds like it was two-part, it was part they wanted the power and the access, but second the operational component. What happens, you know, there’s a more recent case that we’ll talk about in a later series, and the question becomes then, again, have they used that most, their own internal resources fully before they’re going to Apple?

DR: Or even have they leveraged people like Lee, who do this for a living. It was funny, because when they were, when this case was going on, I had another case at the same time, had the same cell phone, and literally I sent it out and got it cracked like within a day. I couldn’t understand what the issue was, exactly.

LN: Hey, what can I say, I’m good.

DR: Exactly!

LN: Well, tune in for our next segment, where we’ll be talking more about some privacy issues related to having a back door, and some better solutions that if, you know, if Congress and Senate if they want to pass legislation, there are some ways that we can still allow the FBI to get in without having a common back door key that doesn’t undermine security.

DR: Exactly.

LN: Thanks for watching. DR: Thank you.

To review the first video in this series please read below.

Click here to view Apple’s comments.

https://www.apple.com/customer-letter/answers/

Cell Phone Privacy

One can’t overstate how much of our personal lives we reveal to our smartphones and that includes criminals too. Watch this three-part series to learn more.

Introduction of our four-part series on Mobile Phone Privacy and Security.

Cell phone privacy is a real concern for both individual users and law enforcement. Literally, everything you do on your smartphone or any other device is vulnerable and completely defenseless against criminals and sometimes the government. Think about what you have on your phone and how it’s used on a daily basis. All of your personal contacts, photos, videos, text messages, emails, online bank or other accounts, GPS locations data, basically, your history of who, what, where, when and how about yourself all exist on your smartphone. We can’t overstate how much of our personal lives are revealed and how much our cell phones are vulnerable if disclosed to unauthorized parties.

Guess what? Criminals have cell phones too, and their information can lead to not only solving a crime but saving lives. Law enforcement agencies continue to call for access to encrypted communications and devices, while tech companies warn that doing this would weaken the protection and allow potential criminals to take advantage of that same access. Leading computer forensics expert Lee Neubecker, CEO & President of Enigma Forensics discusses the issues relating to cell phone privacy and the government’s desire to have a back door into your smartphone with the Data Diva, Debbie Reynolds of Debbie Reynolds Consulting.

Cell Phone Privacy: Part 1 of 4

The video discussion transcript follows.

Lee Neubecker: Hi, it’s Lee Neubecker again, and I have “the Data Diva”, Debbie Reynolds back on my show again.

Debbie Reynolds: Hi!

LN: Thanks for being on.

DR: Thank you, Lee, for having me. I’m happy to be here.

LN: So we’re going to try something new. Instead of doing a big long eight to ten-minute video clip, we’re going to do a multi-part series, and this one’s going to be on the topic of…

DR: Cell phone forensics and recent incidents in the news having to do with the government asking private companies to unlock or create back doors to cell phones.

LN: Yeah, so cell phone privacy is an issue that many people are concerned about There’s a legitimate national interest in being able to investigate when terrorists use cell phones to conduct attacks. But there are also some concerns that every business should be concerned about if there’s a single back door key because we know the government can’t keep their keys in place. At least that’s what happened to the FBI, the NSA, then other agencies that were breached following the OPM breach.

DR: That’s right.

LN: So in the first segment of our four-video series, were going to be talking about what was reported by the Inspector General’s report from the FBI involving the San Bernardino terrorists when they wanted to get into the cell phone.

DR: Right. And next, we are going to talk about the privacy issues related to the FBI or possibly companies creating back doors, the court issues, the key solutions, and also the imperatives of organizations or companies not wanting to create these types of vulnerabilities in their inventions.

LN: Then you’ll get to hear us banter a little bit about what we think should happen

DR: That’s right.

LN: And then finally, in our last segment, the Pensacola Navy Yard station shooting that happened just this week. The FBI again approached Apple wanting help to get into the phone because they haven’t been able to get into the phone, and they’re wanting to know who else was involved, who they were texting with and whatnot so that they can help prevent other such attacks. So, that will be the wrap-up, and we welcome your comments on the website, your likes, and feel free to check out our video and share it.

DR: Thank you.

LN: Thanks a bunch.

Watch the Next Segment on Cell Phone Privacy: Part 2 of 4 continued

More to read about Cell Phone Vulnerabilities

Understanding EMR Audit Trails

Understanding EMR Audit Trails is important to any company dealing with (PHI). They must have all the necessary security measures in place and follow them to ensure HIPAA Compliance.

Understanding EMR Audit Trails is essential to a patient’s medical history In medical malpractice litigation. The Health Insurance Portability and Accountability Act (HIPAA) requires that the Electronic Medical Records (EMR) maintain an audit trail including all of the metadata. This EMR audit trail is a piece of highly relevant evidence as to who accessed what in the record, what entries were made and/or changed, by whom and when. Computer Forensic experts are key to effective electronic discovery during medical malpractice litigation.

How do hospitals record, protect, and store data? HIPAA sets the guidelines for the most highly sought after information by the world’s best technology hackers. Medical records are worth 4 times more than credit card information. Managing Personal Healthcare Information (PHI) places Healthcare facilities at risk of cyber attack 24/7, 365 days a year.

Check out this video with Enigma Forensics, President & CEO, Lee Neubecker, and John Blair, a noted Healthcare Industry Cyber Security Expert where they discuss the importance of protecting Personally Identifiable Information (PII).

Lee Neubecker and John Blair

Understanding EMR Audit Trails video transcript follows:

This is the third of the last video in the three-part series on Health Care Industry Cyber Threats:
Watch Part 1, Watch Part 2

Lee Neubecker: Hi, I have John Blair, a cyber security expert in the field of healthcare, and John is also involved with understanding patient medical, electronic medical record (EMR) audit trails, so I asked him to come on the show and talk a little bit about that with me. John, thanks for coming back on the show.

John Blair: Thanks, Lee. Glad to be back.

LN: So John, can you tell everyone a little bit about what HIPAA requires of healthcare organizations as it relates to tracking data of caregiving and the patients?

JB: Sure. Most of this is obviously directed at hospitals, but HIPAA also has things called business associates, and any interaction from any entity with, or any user with, PHI is going to be subject to these audit logging. Hospitals use systems called EMRs, so generally those, the audit trails are built into the EMRs by default, but obviously entities can turn those off if they so choose or configure them differently. HIPAA requires that you pretty much log any interaction, whether it’s read-only, view-only, edit, whatever that interaction might be. Identify the user, identify the time, what was done to the record, and that has to be maintained for several years. So it doesn’t matter what a user does with the record. Even if they just view it, that counts as a valid interaction and has to be logged and maintained.

LN: In fact, all of these hospital software systems out there have to be HIPAA compliant, or else the hospitals wouldn’t be able to use the software packages. Isn’t that true?

JB: Right, right. There’s a lot of federal regulations regarding that, that the standards that these systems have to meet in order to get refunds or rebates from the government.

LN: So Medicare funding, reimbursement, obviously is important.

JB: All of that stuff. And audit logs of user activity and interactions, or any interaction with PHI, is a critical component of that.

LN: You know, what I’ve seen is sometimes despite the software packages being EMR, audit trail compliant, that there’s the ability for the software that’s deployed to be altered so that the audit trails aren’t retained as long as required by law.

JB: Yeah, sometimes the storage of the audit logs, it can be overwhelming. So oftentimes they are archived offsite or inappropriate access is given to the audit log itself. And then it possibly can be changed, which ruins the integrity of the log, obviously, and that would be a very bad thing should something come up down the road and you needed that log.

LN: Yeah, and certainly, someone who has the master database administrator password to that back-end system, they could do whatever they wanted.

JB: Yup. But there’s supposed to be logs of that activity, as well, and reviews of those logs, but you’re absolutely right. If you’re an administrator, you can do a lot of damage.

LN: Yeah, I’ve assisted clients before involved in litigation, medical malpractice litigation, with just seeking the truth of what’s there in the records. Most of the time, they think many hospitals are compliant and do have those audit trail records.

JB: Absolutely.

LN: But, they don’t necessarily want to make that data readily available.

JB: No, they don’t. And it depends, it’s a case-by-case scenario, under the advice of counsel and things like that, but it’s very, very sensitive information, and obviously, it’s a public relations nightmare to have a breach of patient data, so they take those things very, very seriously.

LN: Absolutely. So can you tell everyone what PHI stands for?

JB: It’s Protected Health Information, as defined by HHS, there are 18 very specific fields that comprise PHI. PHI is a subset of PII, which is Personally Identifiable Information, but with respect to healthcare, it’s primarily PHI that we’re worried about and those 18 identifiable fields.

LN: Why would hackers want to target health care records?

JB: It’s far more valuable now than several years ago, it was credit card information, basically for year after year. Now, the credit card companies and technology with respect to how quickly a card can be replaced and deactivated. And so, just more money in it to steal medical information. And there’s more flexibility, as well. You can go get drugs, you can do a variety of things, whereas, with the credit card, it’s just money.

LN: If people wanted to launch a targeted scam on individuals, certainly having records that would enable them to filter patients that have Alzheimer’s, might give them an unfair advantage at duping people out of their savings.

JB: Absolutely. Because generally if you get someone’s entire record, you’re getting everything about them: their Soc number, their address, phone numbers, relatives, I mean, all this information is now at your disposal. And loans can be taken out in their names, it’s just a disaster waiting to happen.

LN: So Electronic Medical Records, known as EMR, represent an important target that hackers seek, because of the value of that information, and the uniqueness.

JB: Yup. The price of those records, per record, now varies, but I believe it’s in the $150, $200 range per record if it’s a breach now, and laptops can hold hundreds of thousands of records. So it can be very, very expensive.

LN: But it seems that this is a problem, too, that it isn’t just localized to any one area, it’s universal.

JB: Yeah, it’s across the board. Anyone dealing with PHI has this problem.

LN: How does the cost of a patient medical record compare to a credit card record, compare to the black market?

JB: Yeah, for the last several years, medical records have gained in value every year, while financial records, credit card information have devalued. And it’s to the point now where medical information’s worth four times as much as financial information. And that’s only increasing.

LN: So does that mean that people that work in the healthcare sector in IT and security are going to get paid four times as much as the people of the financial sector?

JB: I wish.

LN: Well, thanks again for being on the show, this was a lot of good stuff. I appreciate this.

JB: Thanks, Lee, appreciate it.

Other related stories about EMR Audit Trails

Other resources to learn more about EMR Audit Trails.

https://www.cdc.gov/phlp/publications/topic/hipaa.html

Keys to a Secure Supply Chain

The world is data-driven. Companies face an overwhelming barrage of big data. Neubecker and Blair discuss the certifications necessary to ensure constant data security.

Cyber Security is Crucial to Supply Chain

Companies face an overwhelming barrage of endless data that contains sensitive information and involves a variety of supply chain vendors. The world is data-driven and securing your supply chain will help minimize your risk of cyberattacks. Here are some keys ways to help you understand more about securing your data beginning with supply chain vendors.

Check out this video with Enigma Forensics, Lee Neubecker, President & CEO, and John Blair, noted Healthcare Industry Cyber Security Expert dissect big data and the certifications needed to understand how to secure your supply chain to help monitor the risks.

2nd video in a three-part series

This is the second video transcript of a three-part series.

Lee Neubecker: Hi, thank you for doing this show, John.

John Blair: No problem.

LN: I appreciate you coming back on.

JB: Thanks Lee, glad to have you here.

LN: So, we’re going to talk today a little bit about what organizations should be doing to monitor the risk associated with their supply chain.

JB: Okay.

LN: And John, if you can, give me an understanding of what are things that you look for when selecting a vendor or city that might be hosting your data.

JB: Right.

LN: Or running parts of your operation.

JB: Well, the world is data-driven, and so your evaluation of vendors is critical and should be focused on their interaction with your data, what their subcontractors are going to do, are you going to allow them to have subcontractors? Where are those subcontractors located? And by all means, get some sort of attestation, that their environment that you’re now relying on, has been audited, you know, the SOC 2’s, those types of things, go a very long way in giving you some level of comfort that they’re operating their controls effectively and that you can rely on ’em.

LN: Great, can you explain to our viewers what essentially a SOC 2 certification is, and why you care about that with a vendor?

JB: That one, the SOC 2, there are multiples ones, but a SOC 2 Type 2 is the standard. There are five Trust Principles associated with it. The biggest one used probably, 75 percent of the time is security. And that’s where you, the vendor would offer, whatever service you’re interested in, the SOC report would be scoped for that service, and then the auditors evaluate that service according to the security principle that’s defined by SOC.

LN: So, typically they’re looking at physical security measures, as well,

JB: Yep.

LN: that extend just beyond data,

JB: Right.

LN: but physical security measures that help to protect your data.

JB: Right, SOC defines objectives, and then the organization defines controls within those objectives, so the objectives are the boundaries, and then the organization defines the controls, but generally speaking, they are the IT basics, chain management, software development, life cycle, physical security, logical security, network security, data storage and security, transmission security, those types of things are almost always covered under the security principle.

LN: Isn’t it true that someone could have all the certs out there and still get compromised?

JB: Oh, absolutely. The certs are not a guarantee, by any stretch. They are just, you know, as we’ve said, they’re meant to give you a level of comfort in the control environment of the people you are now, basically trusting with your data.

LN: And so, as you go out, and you select vendors if you do this diligence and you find vendors that have a certain level of attestation, and various certs that you care about, that might help you if data breach happened, to show that you actually practiced good faith and due diligence, in selecting your vendors.

JB: No, absolutely, and HIPPA requires it, so if you did some sort of due diligence at least, at least you have a story to tell. If you don’t have a story to tell, then that’s where things start going off the rails almost immediately, because you didn’t do anything, and that’s never a good thing.

LN: Well, thanks for being on the show again.

JB: My pleasure, thank you.

More about cybersecurity

Information on HIPPA website for security professionals

https://www.hhs.gov/hipaa/for-professionals/security/laws-regulations/index.html

Iranian Cyber Threat Readiness

DHS has issued an advisory warning of potential cyber attacks by Iran against the U.S. Organizations should watch this short video detailing the top ways to protect yourself from Iranian Cyber Attacks.

D.H.S. Alert – Iran Cyber Threat Readiness

On January 4, 2020 Department of Homeland Security (DHS) has issued an advisory warning that Iran maintains a robust cyber program and can execute cyber attacks against the United States. Iran is capable, at a minimum, of carrying out cyber attacks with temporary disruptive effects against critical infrastructure in the United States. Previous homeland-based plots have included, among other things, scouting and planning against infrastructure targets and cyber enabled attacks against a range of U.S.- based targets. The Iranian Cyber Threat is real and warrants proactive measures to ensure cyber threat readiness and minimize the risk of a successful cyber attack.

Check out Enigma Forensics, Lee Neubecker, President & CEO, and John Blair, noted Healthcare Industry Cyber Security Expert to learn more about what can be done to deter such cyber-attacks and maximum readiness to an Iranian originated cyber attack.

Video Discussion on Iran Cyber Threat Readiness

1st Video in a three-part series with John Blair

This is the first video transcript of a three-part series.

Lee Neubecker (LN): So John, thank you for being on the show.

John Blair (JB): Thanks, Lee.

LN: John is a cybersecurity expert that focuses on the healthcare sector. Can you tell us a little bit about what organizations should be doing right now in response to concerns about potential Iranian cyber strikes on U.S. companies?

JB: Sure. I’m a pragmatist, so I think you should execute the basics first. Make sure your devices, it’s a border level of your network, and the devices are patched. You might want to start increasing your network monitoring for the next few weeks, to monitor the activity coming through, check your firewall rule sets, these types of things, just to make sure that you get a comfort level. I’m a firm believer in executing the basics solidly, and then monitoring. Because if you’re a target, and the people know what they’re doing, there’s not much you can do to prevent it anyway.

LN: So one of the things too, that I would add to that is, I think it’s important that people have a command of what’s on their network, which is basic inventory of your digital assets, so you know what your devices are.

JB: Yes, you do need to know your environment.

LN: Like you said, knowing what’s on your network, monitoring your log files and patching your devices, those three things go a very long way.

JB: A very long way. And they’re just good practice anyway. That’ll prevent most things from going bad.

LN: Great, well thanks for being on the show.

JB: Sure, thank you.

Articles & Resources Related to Cyber Threat Readiness

Resources on the Internet Related to Cyber Threat Readiness

Click here to view the DHS Iranian Cyber Threat Advisory.

Cyber Essentials: Building a Culture of Cyber Readiness– a guide for leaders of small businesses as well as leaders of small and local government agencies to develop an actionable understanding of where to start implementing organizational cybersecurity practices.
Department of Homeland Security

Cybersecurity for Small Business: The Fundamentals” – a set of training slides and speaker notes to help small business owners educate themselves and their employees about cybersecurity best practices and resources.
National Institute of Standards and Technology

Cyber Readiness Program  – The Cyber Readiness Program is designed to provide practical resources and tools to help organizations like yours take action to become cyber ready. Completing the Program will make your organization safer, more secure, and stronger in the face of cyber threats. (Note: account with login is required.)
Cyber Readiness Institute

Hospital Data Breached

Hospital Data Breach

Hackers will continue to pummel the sector with targeted attacks.

Have you heard the news about the most recent Chicago, Illinois area hospital data breach?  We’re referring to the article in the Chicago Tribune, By Lisa Schencker on December 31, 2019.  “Personal information of nearly 13,000 people may have been exposed in Sinai Health System data breach” Click here to view the article.

After reading this article many questions came to mind.  Who would hack a hospital system?  Are cyber attacks on hospitals becoming more frequent? Could a foreign hacker be targeting hospitals to conduct cyber warfare?  Could it be a disgruntled employee who maliciously wants to obtain patient electronic medical records (EMR) and target a particular patient?

It has been reported that 70% of hospital data breaches include sensitive demographic or financial information of that could lead to identity theft. The Sinai Health System data breach included 13,000 patients’ names, addresses, birth dates, Social Security numbers, health information or health insurance information were potentially exposed. 

One could easily assume that if a hacker was armed with this information, they could sell patient electronic medical records and financial data to the highest bidder. The potential for patient harm is exponential.

Data Breach Incident Response

What happens next? Computer Forensic Experts are called to initiate a data breach response. Experts start with immediately stopping the breach, accessing the damage, notifying those affected, conducting a security audit. Forensic experts create a recovery plan to prepare for future attacks.  Finally, Forensics experts train employees to protect the data and enforce strong passwords.

Computer Forensic Experts A.K.A. Cyber Security sleuths or electronic detectives are really excellent at detecting where and how the breach occurred and accessing the damage.  In cases of litigation due to a data breach or medical malpractice, Computer Forensics Experts are hired by law firms to serve as expert witnesses to help win the litigation. In addition, many hospitals hire Computer Forensic Experts to assist in auditing their records to prove their side of the case. 

Prepare a Data Breach Incident Response Plan

Looking forward to 2020. Cyber Forensic experts agree the entire sector needs to adjust its security approach to keep pace with hackers. The Department of Health and Services and many states may impose fines on those who are not following security guidelines. It’s vitally important to create a Data Breach Incident Response Plan.

Enigma Forensics are experts in Data Breach Incident Response. To learn more about Enigma Forensics read below.

If you think you have been breached…contact Enigma Forensics.com

Holiday Tech Gift Ideas

Holiday Tech Gift Ideas For the Technology Geek

Holiday Tech Gadgets for Power Grid Outage Survival

Enigma Forensics CEO & President Lee Neubecker along with Associate Sammy Macrito discuss holiday gift ideas for the tehnology geek on your list. Recently, California has been experiencing massive power grid outages and most people were not prepared because they simply didn’t think about what happens when you loose power. Techno gadgets will help you survive during a power grid outage. No matter how long it is! Tune is as our technology geeks, Lee and Sammy have some fun and share their favorite techno gadgets. These are great gift ideas for the technology geek on your holiday list.

Holiday Gift Ideas for the Technology Geek

The transcript of Holiday Gift Ideas follows:

Lee Neubecker: Hi, so today we’re going to talk a little bit about some of those techno gadgets that you might want to consider buying your loved one who might be concerned about losing power and not having their techno gadgets. So today I’ve got Sammy Macrito on with me, and we’re going to talk about some of those items that you can pick up. Many of them are available for under a $100 or even less online. We’ll have a link on our page that shows items if you’re interested in buying them. So the first one we have here is this flashlight which is a combination, it’s flashlight that you can crank up, you can turn on the light, and it’s powered both by manual energy, so you can get it powered up. It’s got a solar cell, and then it also has a convenient USB charging port so you can, if you had to, you could hand crank and recharge your tablet or smart phone to give you power if you’re in the darkness for a long period of time. And one of the most important things about it is that it’s got a FM/AM band on it, so if there were an emergency or outage you’d be able to get news and find out where resources are.

Sammy Macrito: Right, and something I feel is so important about this one is having the functionality of being able to crank it, as well as the solar, because let’s say the power grid is out, you can leave this outside all day with a phone next to it and get a charged phone at the end of the night.

Lee Neubecker: Or you can crank it all night. Or you can crank it all night.

Lee Neubecker: So we’ve got, speaking of solar, there’s a real neat gadget that if you wanted to make sure that you could power your laptop, this battery power system by Voltaic produces 20 watts, which is enough to charge some of the newer laptops, and there’s a cell that they, a battery pack they sell with this that you can charge up, which can really charge a good number of devices. This can even be strapped, you can tie it to your back when you’re hiking, and pick up…

Sammy Macrito: Exactly, yeah. And it’s super important to have one of these, especially if you have more than just a phone that you’re trying to recover, because you can basically just go with this solo thing and be able to charge not only your laptop, but also your phones. It’s always better to have more wattage, yeah.

Lee Neubecker: Now, those are great devices for the short term, but if the power is out for a while you’re going to want some other things. One of the things that most people are going to want is, they’re going to want the ability to start a fire, to cook food, to sterilize water, and whatnot. This device here is a USB chargeable electric lighter. I thought I hit it the wrong way. It produces an arc flame which is just electricity. And so using the battery cell, the radio, you could recharge it and you basically have unlimited abilities to start fires, and you don’t need matches. It can be, it makes a great torture device too.

Sammy Macrito: Yeah, and it’s windproof.

Lee Neubecker: Yeah, so that’s one, nice device. This is another device that’s pretty handy. It’s a flashlight. It can also be used for signaling. So if you’re trying to get help, it might be useful to be able to do that. It’s got a solar cell here. It also has this handy metal tip that can be used to shatter a car windshield, so it’s not a bad thing to keep hanging around in your glove box.

Sammy Macrito: Yeah, absolutely. And one thing that this is, can be commonly used for, you might ask, why would you want to break your car windshield? Let’s say you went off the road and are now in water, sinking with your car.

Lee Neubecker: Sinking, yup.

Sammy Macrito: You can pull this out of your glove box and be safe.

Lee Neubecker: It’s got some other things too, it’s got a magnetic tip so you can magnetize a paper clip if you needed to, to float it on water and get your direction to the North Pole. It’s also got a handy clip and it’s got a siren so if wildlife is approaching you, that might be enough to scare wildlife off, or an attacker. And this tip too, you could also use it to whack at something if it’s coming towards you.

Sammy Macrito: Absolutely.

Lee Neubecker: Pretty handy device. One of the most important things you probably need if you’re going to survive a long term power outage would be access to water and ability to have purified water. This device here is Portable Aqua Pure, it’s electrolytic water purifier. And how it works is you’re able to hook up hoses to pump water from one source into another source, so you need to have two water bottles with it ideally. But it has a solar cell on it and you add salt to it, and the salt gets converted into chlorine, so you can purify water and get rid of biohazards. So very handy. Pretty handy device.

Sammy Macrito: Awesome.

Lee Neubecker: And again, with your flashlight, or with your radio, you can recharge it and with very little salt you have virtually unlimited ability to purify water for quite a long time.

Sammy Macrito: And what do you do in the case that you don’t have power? How can you purify water without the ability to make fire, without the ability to use that device?

Lee Neubecker: That’s a good question, so if you have a clear bottle like this one, you can actually scoop water up out of a river or stream. Now you can’t do this with salt water. The sun has the ability to sterilize water biohazards, it’s not going to get rid of contaminants, chemical contaminants, but it could purify water. So having clear bottles, laying them out in the sun for a few hours, the sun will purify the water, so that’s another thing that could be useful. Well great, we hope these tech ideas are good last minute shopping gift items for your nerds at home. Talk to you soon.

Sammy Macrito: Thank you.

Holiday Tech Gift for Geeks: links associated with the gifts discussed.

Related Posts about Tech Gadgets & Power Outage Survival

FBI Warning: Smart TV’s may be spying on you.

Smart TV’s may be recording you or your children without your knowledge.

Enigma Forensics, CEO & President, Lee Neubecker talks about the FBI’s warning about Smart TV’s and other smart home devises that are not secure. Lee adds to that warning that a hacker can actually see through to your living space by using the built in camera on your Smart TV. They can also listen to you and record your conversations, or exploit your TV to show content that is not suitable for your children to watch. In fact, most of our smart devises don’t have any security at all. Fortunately, there are a few things you can do to strengthen your security. Tune in to engimaforensics.com to learn more.

The transcript on FBI Warning on Smart TV’s follows:

Lee Neubecker:

Hi, so all of you should be aware that FBI has issued an advisory and warning to consumers purchasing Smart TV’s for your homes.

Specifically, you should be on the lookout for TV’s that have cameras. It could be recording you or your children without your knowledge. One popular measure they recommend is using black electrical tape to cover the top of the camera. If the camera’s physically covered you can’t record.

However, you have to be aware that many of these TV’s are also listening to you and maybe taking up voice commands, recording your conversations and possibly even retransmitting that information to other parties. It’s also possible that a hacker could get into a TV and exploit your TV display inappropriate content that your children might see.

So for more tips on how to secure your home, check out our website, we have a link that gives advice on this and as it relates to your TV, you want to make sure you know what you’re buying and it’s best to buy a TV that doesn’t have a known camera in it if you’re concerned about not being recorded.

Related articles to keeping your home secure