Rapid7 Blog


UserInsight Helps Healthcare Providers Detect Intruders & Fulfill HIPAA Compliance

With Protected Health Information (PHI) records commanding the highest prices on the cybercrime market, it's no surprise that more and more healthcare organizations (66%) are experiencing a significant security incident1. Related Resource: Download our beginner's guide to User Behavior Analytics with UserInsight Toolkit Our intruder…

With Protected Health Information (PHI) records commanding the highest prices on the cybercrime market, it's no surprise that more and more healthcare organizations (66%) are experiencing a significant security incident1. Related Resource: Download our beginner's guide to User Behavior Analytics with UserInsight Toolkit Our intruder and user behavior analytics solution, UserInsight, can help you fulfill many of the obligations you have under the HIPAA Security Rule as well as put you on the path to discovering attacks you may be missing. To learn more, get a free guided demo. For policy gurus, the devil is in the details. Rapid7's UserInsight will help you comply with many of the specifications in the HIPAA Security Rule. Here are six examples: 1. Termination Procedures: §164.308(a)(3)(ii)(C) “Implement procedures for terminating access to electronic PHI when the employment of a workforce member ends…” Employees use a variety of accounts across corporate services and assets. If an employee leaves, have you terminated access on each of those accounts, including those shared with others? UserInsight exposes risky internal behavior such as shared accounts, unknown administrators, and suspicious cloud service activity. Cloud services are especially important as 69% of employees report they are still able to access corporate data via cloud services after leaving the organization2. UserInsight will alert you if a user whose account has been suspended is trying to access a corporate cloud service. 2. Protection From Malicious Software: §164.308(a)(5)(ii)(B) “Procedures for guarding against, detecting, and reporting malicious software.” UserInsight monitors each process on your endpoints and compares it to the results of over 50 virus scanners to find malicious processes. This allows you to detect malwarethat made it through because of a blind spot in a company's primary anti-virus solution. UserInsight ties in with third-party sandboxing solutions to provide malware alerts in the user context, enabling fast investigations and clean-up. 3. Log-In Monitoring: §164.308(a)(5)(ii)(C) “Procedures for monitoring log-in attempts and reporting discrepancies.” The number one attack vector behind breaches is compromised credentials3 – this is when attackers steal login information and impersonate as a company user. UserInsight monitors authentications from endpoint to cloud and applies behavior analytics to identify both intruders on the network and risky internal behavior. 4. Password Management: §164.308(a)(5)(ii)(D) “Procedures for creating, changing, and safeguarding passwords.” If your users are sharing the password for an account, it raises accountability issues and puts corporate data at risk if one of the users leaves the company. Through integrations with your existing security infrastructure, UserInsight also identifies accounts without a password expiration policy. This visibility helps you clean up your users' account settings and keep the company safe. However, monitoring your company isn't enough. Public data breaches often expose millions of usernames and passwords. As many users re-use passwords across systems, including your corporate accounts, this provides a way for intruders to get in. UserInsight monitors your user accounts against its threat intelligence feeds, and will automatically alert if a user's credentials have been leaked on the Internet. You can then immediately prompt the user to change their passwords. 5_._ Security Incident Procedures: §164.308(a)(6) “Implement policies and procedures to address security incidents.” Every day, your users generate millions of events from an array of on-premise assets, mobile devices, and an increasing amount of cloud services. Do you struggle with too many alerts, or with identifying the exact users affected by an incident? UserInsight connects to your existing network infrastructure, including a SIEM, advanced malware solution, or IDS/IPS. You'll receive only a handful of alerts each day, each identifying something you'll want to know about. If you need to investigate a security incident, piecing together what happened is often time consuming and labor intensive. If an intruder impersonates an internal user, you have to reconstruct that user's activity across IP's, assets, and services. With our visual search interface, you can greatly reduce the amount of time looking through logs – customers report UserInsight accelerates their incident investigations by up to twenty times. This also reduces the amount of required technical experience, allowing the entire security team to collaboratively investigate. 6. Access Control Standard: §164.312(a)(1) “Implement technical policies and procedures for electronic information systems that maintain PHI to allow access only to those persons or software programs that have been granted access rights…” Critical systems or assets can be tagged as “restricted assets” – you'll receive automatic alerts if unauthorized users attempt access. While your Electronic Health Records software may log the exact users accessing the software, attackers can infiltrate through the rear. If they steal company credentials, they can access patient databases and servers on the back-end undetected. Even without the shadowy threat of security incidents, daily incident investigations are slow and tedious. You may be struggling to identify risky internal behavior, which can range from negligent behavior to compromised partners to malicious insider threat. UserInsight helps detect attacks through behavior analytics, investigate incidents faster with user context, and expose risky behavior from endpoint to cloud. The User Entity and Behavior Analytics solution complements your infrastructure to identify stealthy attack methods, such as compromised credentials and lateral movement, with high confidence to eliminate alert fatigue. Unlike monitoring solutions that only look at network logs, UserInsight monitors endpoints, cloud services, and mobile devices, and sets traps for intruders. We currently provide services to many Covered Entities and Business Associates, and take the protection of PHI very seriously. If you have any questions on our ability to meet the contractual obligations of a Business Associate, please contact us!  Our product architecture does not require patient or medical records, and there are countermeasures to scrub any unintentional transfers to the UserInsight Analytics Cloud. If you're interested in detecting and investigating attackers going after protected health information in your organization, sign up for a free guided demo today! 1. 2015 HIMSS Cybersecurity Survey 2. 2014 Sailpoint Market Pulse Survey 3. 2015 Verizon Data Breach Report (Stolen credentials have been the number 1 attack vector for over five years now.)

Cyber Security Awareness Month: Data Custodianship

By now, you know that October is Cyber Security Awareness Month in the US and across the European Union. We know many SecurityStreet readers work in information security and are already “aware” - so this year we're equipping you for executive tier cyber…

By now, you know that October is Cyber Security Awareness Month in the US and across the European Union. We know many SecurityStreet readers work in information security and are already “aware” - so this year we're equipping you for executive tier cyber security discussions. We kicked this off last week with a piece on why security matters now. This post focuses on duty of custodianship, and in the coming weeks we will be posting on building security into the corporate culture through policies and user education; how organizations can make security into a strength and advantage; and crisis communications and response.For this week's topic, we're discussing data custodianship.When choosing to keep data, we have a legal and custodial responsibility, because we do not own that data. As a result, keeping data introduces an element of liability for your business, and protecting it is expensive and complex. . Inventorying and eliminating regulatory data reduces liability, saving time and money.Imagine hiring a babysitter for the first time, and they show up five minutes before you are scheduled to leave the house. No prior communication, no advanced information requested – and now you're worried you're going to be late.“Hey there, I'm here- have a good time tonight!” the sitter says walking in the door and sitting down on the couch.That's it!? “Do you care to know the number of, ages and names of our children? If there are any special needs, medical issues, habits, dietary restrictions, bed times, or the last time they ate? Do you need to know when we are coming home, or how much we are paying?”There is a very clear difference between the concerns and interests of a parent and this babysitter; those differences nicely illustrate the decisions companies make unintentionally when handling sensitive and regulatory data. Unlike babysitters, enterprises may have the luxury of choosing what responsibility we inherit.As corporate decision makers, we have the option of not storing data.The holy trinity of misunderstood data is PCI, PHI, and PII. PCI is information relating to the Payment Card Industry – think of credit and debit cards.PHI is Protected Health Information, as defined by the Health Insurance Portability and Accountability Act (HIPAA).PII is Personally Identifiable Information – also under HIPAA.Said again differently – companies are hesitant to destroy data, but retaining certain kinds of data involves expensive protection in the face of very real liability.  More often than not, a very expensive decision to retain regulatory data is made without knowing what is at stake, often at a business level unacquainted with the associated costs and risks.The current pervasive thinking is that gathering data creates “business intelligence,” which enables the business to operate more effectively and build new or stronger lines of revenue. Unfortunately, this data also attracts criminals who know they can turn a healthy profit for this stolen information on the black market. Defending against these attackers is time-consuming, expensive, and extremely challenging. Attackers cannot steal data you don't have, so eliminating specific data sets can massively lower your liability and reduce your expense.A solid business case review makes sense. Some data must be stored for a period of time. Some abstracted data can provide business and market intelligence. Custodianship drives us to make informed decisions and to be deliberate about the investment required to protect data the company does not own.By choosing to retain this data, we choose to retain risk and liability; your company will be held accountable for success or failure in safely caring for this data.Keep only what you really need. Make sure whatever you need to run your business is vigorously protected. And we strongly urge you to look into what liability protection you have around security threats.  You may think you're covered and actually find that you are not.If you like this series, check out last year's series of user awareness emails covering  phishing, mobile threats, basic password hygiene, avoiding cloud crises, and the value of vigilance.

Featured Research

National Exposure Index 2017

The National Exposure Index is an exploration of data derived from Project Sonar, Rapid7's security research project that gains insights into global exposure to common vulnerabilities through internet-wide surveys.

Learn More


Make Your SIEM Project a Success with Rapid7

In this toolkit, get access to Gartner's report “Overcoming Common Causes for SIEM Solution Deployment Failures,” which details why organizations are struggling to unify their data and find answers from it. Also get the Rapid7 companion guide with helpful recommendations on approaching your SIEM needs.

Download Now


Security Nation

Security Nation is a podcast dedicated to covering all things infosec – from what's making headlines to practical tips for organizations looking to improve their own security programs. Host Kyle Flaherty has been knee–deep in the security sector for nearly two decades. At Rapid7 he leads a solutions-focused team with the mission of helping security professionals do their jobs.

Listen Now