Medical Marijuana Dispensaries: Take Care of Patient Health Information or Pay The Price

Medical marijuana, like any controlled substance, requires a strong system of identifying patients properly. As the industry matures, the federal government has increasingly been more involved in enforcing ever more stringent laws and regulations on medical marijuana dispensaries.

While it is easy to dismiss this if you’re running your business on a strictly cash-only basis, the future could change and possibly require you to do this. Why not prepare now, so that you can avoid possible problems down the road?

Dispensaries use computerized systems to process and verify protected health information (PHI). This can pose certain risks, including security breaches. These systems are subject to the Health Insurance Portability and Accountability Act of 1996 (also referred to as HIPAA). Under this law, medical marijuana is treated in a similar way to prescription drugs.

Due to its reputation, the medical marijuana industry is very keen on staying within the parameters of the federal law. Patient verification systems are crucial in this endeavor. They often contain a variety of protected health information (PHI), including patient contact information, medical record numbers, diagnoses, driver’s license, and other personal information.


Key Factors that signal you are serious about compliance

The most obvious signal that you are compliant is to have a Secure Sockets Layer (SSL) certificate on your website. What is an SSL certificate? Sites with SSL certificates show a lock icon in the browser's address bar (and, in some browsers, a green indicator) to signal that the site's traffic is encrypted in transit. If you don't already have this and want to see an example, visit some of your competitors' websites and look for their SSL certificate signals to see this first hand.


Only Use a HIPAA-compliant hosting data center

Pay close attention to this crucial point, as keeping patient data on-site or on a typical server can land you in a lot of deep trouble. For one thing, it is considered a serious offense, and more often than not, violators have to pay hefty fines to the tune of tens of thousands of dollars. You'll want to fully understand the differences between what is considered HIPAA-compliant hosting and traditional web hosting. The following checklist will help you find the right HIPAA-compliant data center for you. Remember, this is not about shopping for the company that can work with you for the cheapest price. HIPAA-compliant hosting companies are more expensive than traditional ones, and for good reason.


HIPAA-compliant checklist to use for hosting companies:

1. Signed business associate agreement
This is to cover yourself, as well as to experience peace of mind. You want your host to understand and accept the risks of hosting patient health information.

2. Multiple vulnerability scans of your servers on a monthly basis
Ask for the reports; a compliant hosting company will gladly provide them for you.

3. Mitigating discovered vulnerabilities
HIPAA-compliant hosting companies should provide remediation services to fix the vulnerabilities.

4. Server hardening
Request copies of your hosting company's server hardening steps. These will detail how they apply their security measures to your servers.

5. Regular off-site backup
Ask if they provide backups and how far away the backups are physically from your hosting company. Ideally, you want them at least 50 miles apart, to factor in the possibility of a local storm or some other unforeseen natural disaster that could take out both your server and your backup.

6. Keep a six year log retention
After you're finished using a server, its hard drives should not be reused until they have been securely wiped with several passes. This is to be sure that PHI cannot be recovered from them. Inquire about the process they use to wipe the hard drives and how many passes they make.

Medical marijuana dispensaries are required by law to keep confidential all of the patient health information collected during patient transactions. This starts from the very first time a patient provides information to qualify for a medical marijuana card. This, as well as any future patient health information, is covered under HIPAA federal law. It cannot be released to anyone without first obtaining the patient's written consent or a court-ordered subpoena.

Accidental mishandling of patient information is still a HIPAA violation and could result in a fine. This poses a problem, especially when credit cards are used to make medical marijuana purchases from a dispensary, because it is not possible to completely restrict the transaction information. This is probably why Mastercard and Visa have been hesitant to allow medical marijuana purchases. In some instances where the purchases were allowed, high per-transaction fees essentially eliminated any feasibility of accepting credit cards.


Here’s the simple, but crucial, part

The laws and rules concerning medical marijuana are almost exactly the same as the laws for traditional medical prescriptions and treatments. Your patients' health information is protected under these laws. This doesn't just cover data storage, but also the employees and business associates that handle PHI. You must obtain a signed business associate agreement from any associate that may handle sensitive PHI.



This article was originally posted on Cannabis Business Executive.

What NIST’s Cybersecurity Framework is and why it matters

Practical advice to help you build a solid InfoSec plan

The risk of your business falling victim to cybercrime has never been higher. Despite a seemingly endless parade of high-profile data breaches, ransomware attacks, and phishing scams, many organizations still lack the defenses needed to identify, prevent, or recover from an attack. The trouble is that it has become increasingly easy for would-be attackers: anyone can hire a botnet or buy off-the-shelf malware, complete with technical support. New mobile devices, along with the ever-expanding Internet of Things, offer a wide range of insecure access points.

Although 61% of CEOs are concerned about cybersecurity, only 37% have a cyber incident response plan in place, according to PwC research.

If you acknowledge the scale of the threat and want to act, you may wonder where to start. The National Institute of Standards and Technology (NIST) has compiled a document called the Cybersecurity Framework that’s just for you.


NIST’s Cybersecurity Framework Explained

The idea behind the Cybersecurity Framework is to encourage all kinds of organizations to pool their knowledge and work together. Originally envisioned by the U.S. government as a voluntary framework to keep critical infrastructure safe, these guidelines have since been adopted by a very wide range of organizations, from retail chains and banks to small businesses. It's a comprehensive document that organizes best practices and security principles into a guide that's constantly evolving to help you stay one step ahead of the cybercriminals.

“The NIST Cybersecurity Framework should be the cornerstone of your cybersecurity strategy,” says George Wrenn, CEO of CyberSaint. “It’s time to run cybersecurity as a business function with clear objectives and measures based on the gold standard national framework.”

Common standards for collaboration

At the heart of the Cybersecurity Framework is the idea of creating a common language. It should be easy for everyone to share their experiences, discuss new tactics, and sketch out new strategies. To that end, the framework offers a holistic set of reference points that are accessible enough for anyone to employ. Executives, IT departments, and InfoSec professionals can work together towards a common security goal.

One of the great things about NIST’s framework is that you can use it to take the temperature of your current cybersecurity efforts and immediately see if your strategy is healthy or if it needs some emergency treatment. The framework is a great base to help you establish new targets and identify areas that need improvement.

In just two years NIST’s Cybersecurity Framework reached 30% adoption and that’s set to grow to 50% by 2020, according to Gartner. The more organizations adopt the framework and share their successes and failures, the stronger the collective grows. Widespread adoption also sparks the creation of automated tools and processes.


Flexible approach you can measure

Because cybercriminals are constantly working on new avenues of attack, it’s vital to continually improve your defensive efforts. That’s why the constantly evolving framework takes a risk-based approach that’s focused on general principles.

The Framework Core addresses five functions: Identify, Protect, Detect, Respond, and Recover. This isn’t a list to tick off as you work through it, but rather a set of functions that should be continually and concurrently addressed for a healthy cybersecurity strategy.

There are four Framework Implementation Tiers that are designed to aid organizations in moving from general reactive responses to threats to a more risk-informed strategy. This involves careful consideration of probable threats, legal and regulatory requirements, organizational constraints, and business goals.

The incredibly useful Framework Profile enables companies to uncover the differences between their current approach and their target goals for security. Once fully configured, it can accommodate an organization's security goals balanced against its business needs and cost effectiveness.

This is just a brief overview, but you can see that the framework is easily adaptable to any industry. It offers a real opportunity to gain a big-picture view of your cybersecurity efforts, work towards improving them, and assess your success as you go. The battle against cybercrime is more of a race: you can't implement a set of security guidelines and be done. You need to be proactive and work with others to ensure you stay out in front, and that's exactly what NIST's Cybersecurity Framework is all about.


This article was originally featured in Cyber Defense Magazine.

Tips to Protect Your Business From Ransomware

Over the last few years we've observed the steady rise of ransomware with some trepidation. It is fast becoming a multi-million-dollar business, and it's getting surprisingly sophisticated. The ransomware industry is continually innovating, offering cybercriminals new technology, various business models, and all the support they need to conduct successful attacks on unsuspecting individuals and companies.

Changing face of ransomware

Ransomware has come full circle since it first appeared on the scene in 2005. Early crypto ransomware soon gave way to misleading apps, fake antivirus tools, and lockers. But crypto ransomware is back now, it's mature, and it's here to stay, according to Symantec's Evolution of Ransomware report.

In the early days of ransomware, attackers would use misleading apps and fake AV tools to alarm victims and then ask for fees to fix the fake problems. Or they might flash up bogus FBI warnings, threatening prosecution unless money was paid. Eventually they began to lock down systems, blocking access to specific apps or the whole system until the ransom was met.

The main threat today is crypto ransomware, where files are encrypted with strong cryptography and victims have to pay to obtain the key and unlock their own files. It is very tough to beat.

“The ransomware is that good,” said Joseph Bonavolonta, the Assistant Special Agent in Charge of the FBI’s CYBER and Counterintelligence Program in Boston talking to The Security Locker. “To be honest, we often advise people just to pay the ransom.”

Cost of ransomware

There are lots of different ransomware packages out there. Just looking at one of the most popular examples, CryptoWall, the FBI’s Internet Crime Complaint Center (IC3) received 992 related complaints between April 2014 and June 2015, with victims reporting losses of more than $18 million. That’s just what was reported.

The Cyber Threat Alliance put together a report profiling the CryptoWall v3 threat and suggested that it had afflicted hundreds of thousands of users worldwide and caused damages in the region of $325 million.

Services for cybercriminals

In McAfee Labs' 2016 Threats Predictions report, ransomware features prominently, and the report makes special mention of the success of the ransomware-as-a-service business model. Experienced cybercriminals are offering high-quality ransomware to would-be attackers with little or no technical knowledge or skills, in return for a cut of the extortion profits. The ransomware is typically hosted on the Tor network, and payment is made almost untraceable with virtual currencies like Bitcoin.

Users of these ransomware services can expect to get helpdesk support, and it’s in the interests of the extorters to ensure that data is returned to those who pay. The service providers will skim anywhere from 5 percent to 20 percent of each ransom, so they aim to make it as easy as possible for the cybercriminals who sign up.

What can you do?

Just like any other malware, ransomware has to be installed and run on your system before it can encrypt your files, so there are some simple precautionary steps that everyone can take to drastically reduce the risk:

  • Make sure you have up-to-date AV software running.
  • Don't open email attachments unless you know what they are.
  • Don't follow links in emails; close the email and go directly to the website in your browser.
  • Use strong passwords, and don't reuse the same password across accounts.
  • Make sure all of your system software and browsers are patched automatically with security updates.
  • Apply all of these rules to whatever device you're using. Smartphones, tablets, and Macs are not immune to ransomware.

You can also mitigate the risk of ransomware by having a robust and regular backup routine. If your files are backed up and you can access them, there's no need to pay to unlock them, but it may still take serious effort to rid your system of the ransomware once it is infected.

Ransomware is sure to be an even bigger issue in 2017, so it’s very important that you take steps to prevent infection. If you do fall prey to something like CryptoWall v3, there’s no way around it. Your only realistic prospect of getting the files back is to pay the ransom.

When it comes to ransomware the old saying, “an ounce of prevention is worth a pound of cure,” could not be more fitting.


This article was originally posted in Cannabis Business Executive