zero trust Archives - LuxSci

Posts Tagged ‘zero trust’

Infrastructure Requirements for HIPAA Compliance

Thursday, December 1st, 2022

If you are building a new environment that must comply with HIPAA, you may be surprised to find that the infrastructure requirements for HIPAA compliance do not require the use of any specific technology. This provides a lot of flexibility for developers and architects but can also introduce risk if you are unfamiliar with the requirements. This article outlines a few considerations to keep in mind as you build a HIPAA-compliant infrastructure or application.


Dedicated Servers and Data Isolation

Reliability and data security are two of the most important considerations when building a healthcare application. Building an infrastructure in a dedicated server environment is the best way to achieve these aims. Let’s look at both.

Reliability

Hosting your application in a dedicated environment means you never have to share server resources with anyone else, and it can be configured to meet your needs exactly. This may also include high-availability configurations to ensure you never have to deal with unexpected downtime. For many healthcare applications, unexpected downtime can have serious consequences. 

Security

A dedicated environment isolates your data from others, providing an added security layer. Segmentation and isolation are crucial components of the Zero Trust security stance, and using a dedicated environment helps keep bad actors out. Hosting your application in a public cloud could put sensitive data at risk if another customer falls victim to a cyberattack or suffers a security incident.

HIPAA does not require the use of dedicated servers. Still, any host you choose must follow the HIPAA requirements associated with access controls, documentation, physical security, backups and archival, and encryption. Review our checklist for more details about HIPAA’s security requirements.

Encryption

It’s worth spending a minute discussing encryption because it’s an often misunderstood topic. Encryption is listed as an “Addressable” standard under HIPAA. Because it is not “Required,” this leads many to think that it is optional. The Rule states: “Ensure the confidentiality, integrity, and availability of all electronic protected health information the covered entity or business associate creates, receives, maintains, or transmits.” So, while HIPAA does not state that covered entities must use encryption, it does say that they need to ensure the confidentiality of any ePHI that is created, received, maintained, or transmitted.

The confusion arises because HIPAA is technology-neutral and does not specify how exactly to protect ePHI. Encryption is unnecessary if your organization can devise another way to protect sensitive data. However, practically speaking, there aren’t many alternatives other than not storing or transmitting the data at all. Encryption is the easiest and most secure way to protect electronic data in transmission and at rest.

At-Rest Encryption

HIPAA does not require at-rest encryption, though it is recommended to decrease risk and potential liability in some situations. Suppose your risk assessment determines that storage encryption is necessary. In that case, you must ensure that all collected and stored protected health information is encrypted and can only be accessed and decrypted by people with the appropriate keys. This makes backups secure, protects data from access by unauthorized people, and generally protects the data no matter what happens (unless the keys are stolen). Storage encryption is essential in any scenario where the data may be backed up or placed in locations out of your control. 

Transmission Encryption

If protected health information is transmitted outside of the database or application, encryption must also be used to protect the data in transmission. At a minimum, TLS encryption (with the appropriate ciphers) is secure enough to meet HIPAA guidelines. However, TLS alone may not be appropriate for your use cases.

  • Consider using a portal pickup method, PGP, or S/MIME encryption when transmitting highly sensitive information to end users.

Backup Infrastructure Requirements for HIPAA Compliance

Backups and archival are often an afterthought regarding HIPAA compliance, but they are essential. HIPAA requires that organizations “Create a retrievable, exact copy of electronic protected health information, when needed, before movement of equipment.” You must be sure that all ePHI stored or collected by your application is backed up and can be recovered in case of an emergency or accidental deletion. If your application sends information elsewhere (for example, via email), those messages must also be backed up or archived. HIPAA-compliant backups are robust, available, and accessible only by authorized people.

Under HIPAA Omnibus, organizations must keep electronic records of PHI disclosures for up to three years. Some states and company policies may require a longer record of disclosures; some states require up to ten years. When building a HIPAA-compliant infrastructure from scratch, it’s also essential to build backups.

Conclusion

If it is your first time dealing with infrastructure requirements for HIPAA compliance, be sure to ask the right questions and work only with vendors who thoroughly understand the risks involved. It can be overwhelming, but by selecting the right partners, you can achieve your goals without violating the law. 

Implementing Zero Trust Architecture

Tuesday, March 8th, 2022

The US Government has released its zero trust strategy to help government agencies implement zero trust architectures. It requires federal agencies to meet certain standards before the end of the 2024 fiscal year.


The zero trust strategy aims to improve the nation’s security posture and reduce the potential harms from cyber attacks. It assumes that attackers cannot be kept outside of network perimeters and that sensitive data should be protected at all times.

The move toward zero trust architecture is a significant undertaking for the federal government, and this strategy aims to outline a common path for agencies to take, as well as limit uncertainty about transitioning.

It will require agency heads to partner with IT leadership in a joint commitment to overhaul the current security architecture and move toward a zero trust model. The strategy encourages agencies to assist each other as they work to implement zero trust architecture, exchanging information and even staff where necessary. Ultimately, the zero trust strategy aims to make the federal agencies stronger and more resilient against cyber attacks.

What Does The Zero Trust Architecture Strategy Include?

The Cybersecurity and Infrastructure Security Agency (CISA) created a zero trust maturity model to guide the strategy. The model contains five pillars including:

  • Identity
  • Devices
  • Networks
  • Applications and Workloads
  • Data

There are also three themes that cut through each of these areas:

  • Visibility and Analytics
  • Automation and Orchestration
  • Governance

Identity

First, the strategy includes a number of identity-related goals. Federal agencies must establish centralized identity-management systems for their employees. These systems must integrate with common platforms and applications.

Another core goal is for agencies to use strong multi-factor authentication throughout the organization. However, it must be enforced at the application layer rather than at the network layer. Password policies no longer require the use of special characters or frequent password changes.

The new strategy will also require that user authorization incorporate at least one device-level signal. This could include confirming that the device is authorized to access the application and has up-to-date security patches.
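As an added illustration (not code from this post or from LuxSci), the following Python sketches an application-layer access decision that combines the MFA requirement with one device-level signal, as the Identity pillar describes. The device inventory, the 30-day patch-age threshold and all field names are assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional, Tuple

# Constructed sample asset inventory (hypothetical data), keyed by device ID.
# In practice this would come from the agency's CDM-fed inventory.
DEVICE_INVENTORY = {
    "laptop-0042": {"owner": "alice", "last_patched": date(2022, 2, 28)},
    "laptop-0099": {"owner": "bob", "last_patched": date(2021, 9, 1)},
}

# Assumed policy: a device is "up to date" if patched within this many days.
MAX_PATCH_AGE_DAYS = 30


@dataclass
class AccessRequest:
    user: str
    # True only if the application itself verified MFA (not a network gateway).
    mfa_verified_by_app: bool
    device_id: Optional[str]
    today: date = date(2022, 3, 8)  # fixed "now" so the example is deterministic


def device_signal(req: AccessRequest) -> Tuple[bool, str]:
    """Evaluate one device-level signal: known, assigned to the user, patched."""
    dev = DEVICE_INVENTORY.get(req.device_id or "")
    if dev is None:
        return False, "device not in inventory"
    if dev["owner"] != req.user:
        return False, "device not assigned to user"
    if (req.today - dev["last_patched"]).days > MAX_PATCH_AGE_DAYS:
        return False, "device patches out of date"
    return True, "device ok"


def authorize(req: AccessRequest) -> Tuple[bool, str]:
    """Zero trust decision: app-layer MFA AND a passing device signal.

    The reason string is returned so the decision can be logged for the
    Visibility and Analytics theme, not just enforced.
    """
    if not req.mfa_verified_by_app:
        return False, "MFA not verified at application layer"
    ok, reason = device_signal(req)
    if not ok:
        return False, reason
    return True, "granted"
```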

Devices

Under the Devices pillar, federal agencies must participate in CISA’s Continuous Diagnostics and Mitigation (CDM) program. This allows them to create reliable asset inventories. The other major goal is for each agency’s Endpoint Detection and Response (EDR) tools to be deployed widely and to meet CISA’s technical requirements.

Networks

Among the network-related measures, agencies need to use encrypted DNS to resolve DNS queries wherever it is technically supported. They must also force HTTPS for all web and API traffic. On top of this, agencies also need to submit a zero trust architecture plan that includes their approach to environmental isolation to the Office of Management and Budget.

Applications and Workloads

In addition, there are a number of application and workload-related goals for agencies, including:

  • Operating dedicated application security testing programs.
  • Undergoing third-party application security evaluations.
  • Running a public vulnerability disclosure program.
  • Working toward deploying services that employ immutable workloads.

Data

When it comes to data, agencies must follow a zero trust data security guide created by a joint committee made up of Federal Chief Data Officers and Chief Information Security Officers. Agencies must also automate data categorization and security responses, with a focus on tagging and managing access to sensitive documents. They must also audit any access to encrypted data in commercial cloud services. Another goal is for agencies to work alongside CISA to implement logging and information sharing capabilities.

Zero Trust Architecture and the Future

The federal government isn’t just pushing toward a zero trust architecture model as a fun new hobby. Instead, it is a response to the increasing sophistication of cyber attacks, especially those originating from nation-state level groups.

These complex and well-resourced cyber attacks aren’t only a threat to government agencies. Other organizations face similar threats in the ever-changing threat landscape. The reality is that businesses also need to move toward the zero trust model in order to effectively defend themselves in the future.

LuxSci can help your organization make the change through services such as our zero trust email options, or our zero trust dedicated servers. Contact our team to find out how LuxSci can help your organization prepare for a zero trust future.

5 New Year’s Resolutions to Improve Your Cybersecurity

Tuesday, January 4th, 2022

Happy New Year! Start the year off by making a New Year’s resolution to improve your cybersecurity. Here is LuxSci’s list of what your organization needs to do to prepare for the new year.



2021 Year in Review

Tuesday, December 21st, 2021

As the year draws to a close, it’s a good time to take a look back. In this 2021 Year in Review, we analyze the most important developments in cybersecurity, as well as the major information security threats.


2021 Year In Review: The Impact Of Coronavirus

As we entered year two of the coronavirus pandemic, we were still dealing with the fallout. The work-from-home model spurred on by COVID-19 presented a significant shift for the workplace and the way we use technology. The emergence of the Delta and Omicron variants wreaked havoc with plans to return to the office. As a result, many roles permanently shifted to full-time remote work. Still, other companies returned to the office and are managing a hybrid model. There are far more work-from-home opportunities than were available in the pre-pandemic world.

This has significantly altered the threat landscape. Organizations need to acknowledge that remote work is here to stay. As a result, they should update their security plans and invest in the equipment needed to enable secure remote work.

In addition, there have been a host of COVID-19-related threats that we have had to remain vigilant against. These have ranged from fake COVID-19 medication websites that suck up sensitive data, to malware loaders that use pandemic-related topics as a smokescreen. The most effective threats often utilize social engineering and the anxiety caused by COVID-19 is a benefit to cybercriminals.

The good news is that these threats seem to be going down, with Trend Micro finding about half the number of COVID-19-related threats in the first half of 2021 as they did in the beginning of 2020. However, this does not mean that overall cyberthreat levels are decreasing. Instead, it’s likely that attackers are simply moving on to other deception techniques.

2021 Year In Review: Ransomware

Trend Micro reported that ransomware detections have halved from 14 million in the first 6 months of 2020, to 7 million between January and June in 2021. However, it doesn’t mean that the threat is going away. The company’s report finds that attackers are adopting a targeted approach that aims for high rewards, as opposed to pursuing as many victims as possible. Indeed, we saw attacks on critical infrastructure this year that garnered national attention. The Colonial Pipeline, JBS Foods, and the Kaseya ransomware attacks were just a few that made headlines in 2021.

Figures from Palo Alto Networks show that ransomware payouts are rising. The average ransomware payment rose from $312,000 in the first six months of 2020 to $570,000 in the first half of 2021. The FBI was able to recover some ransomware payments from cryptocurrency wallets this year, but only in a small fraction of cases.

Trend Micro also noticed an increase in modern ransomware attacks that involve more sophisticated methods of infection. As ransomware threats get more sophisticated, make sure your cybersecurity program is keeping up. Annual reviews, training, and investment in cybersecurity are crucial to keep your business protected.

2021 Year In Review: Zero Trust Architecture

One of the more positive developments in cybersecurity has been the move to Zero Trust Architecture. This approach was spurred on by a government initiative that aimed to boost America’s cyberthreat resilience. The initiative also included plans to modernize the federal cybersecurity environment.

Under the plan, each agency head was required to develop plans for implementing Zero Trust Architecture according to guidelines set out by the National Institute of Standards and Technology (NIST). The government is continuing to invest more in cybersecurity as a part of America’s national defense. It’s likely we will see increased funding for such initiatives in 2022.

Zero Trust Architecture quickly caught on across all industries. It is an approach that assumes an organization’s own network is not safe from cyberthreats. This security model accepts that attackers may already be inside the network and involves creating trust zones of access which are as small as possible. The approach reduces the potential impacts of an attack. Limited trust zones prevent bad actors from accessing all of a network’s systems and data.

Stay Safe in the Future With LuxSci

The last 12 months have brought a lot of changes to the cyber landscape. One thing that always stays consistent is the tenacity of attackers in coming up with new ways to circumvent cyberdefenses.

Amid our ever-changing tech environment and the constant wave of novel attacks, the only way for companies to effectively defend themselves is with a cybersecurity partner like LuxSci. Contact us now to find out how our services can help to protect your organization from threats in 2022 and beyond.

Should your web site database have its own dedicated server?

Tuesday, August 24th, 2021

Should you have separate dedicated servers or clusters for your web site and database? It comes down to your security and reliability needs. What are the pros and cons of each scenario? Is it worth the expense? We shall delve into these business-critical questions in this article.


Let’s look at the security and reliability impact of the various common configuration choices.
