A Brief Summary of “Risk Management for Replication Devices” (Draft NISTIR 8023) by the NIST Computer Security Division

Last month, the Computer Security Division of the National Institute of Standards and Technology (NIST) released a draft publication titled “Risk Management for Replication Devices” (Draft NISTIR 8023). The full draft publication is here (with an excellent security risk assessment table and flowchart at the end).  The draft is of particular interest to individuals who are responsible for the purchase, installation, configuration, maintenance, disposition, and security of replication devices (RDs), including acquisitions; system administration; information system and security control assessment and monitoring; and information security implementation and operations.

Here is a summary of the key provisions of the draft:

  • RDs include copiers, printers, three-dimensional (3D) printers, scanners, 3D scanners, and multifunction machines when used as a copier, printer, or scanner. Even today, many organizations may not have an accurate inventory of RDs or recognize what functionality each device possesses, especially with respect to information (data) storage, processing, and transmission. This publication provides guidance on protecting the confidentiality, integrity, and availability of information processed, stored, or transmitted on RDs.  RDs are often connected to organizational networks, have central processing units that run common commercial operating systems, store information internally on nonvolatile storage media, and may even have internal servers or routers.
  • The publication advises configuring each RD securely and implementing appropriate security controls before placing it into operation. There are numerous secure installation and configuration practices to consider and implement, and each device may have unique capabilities and security options.

Some practices to consider (with associated NIST SP 800-53 security controls in parentheses) include:

  • Disable unused physical and network ports (CM-7).
    • Implement physical security, e.g., locks (PE-3).
    • Whitelist/blacklist specific MAC addresses, IP addresses/address ranges, or email addresses (AC-18, SC-7).
  • Configure image overwrite capability.
    • Enable immediate image overwrite (MP-6).
    • Schedule regular off-hours overwrite with three-pass minimum (MP-6).

As for disposal of the RDs, sanitize RDs when they are no longer needed by an organization or will be repurposed or stored by doing the following (with associated NIST SP 800-53 security controls in parentheses):

  • Wipe/purge or destroy nonvolatile storage media (MP-6).
  • Change or reset passwords and other authentication information, e.g., user pins (IA-5).
  • Reset configurations to factory default settings (CM-6).
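As an added illustration (not code from the NIST draft or from this post), the following audit checks each RD inventory record against the configuration practices and the disposal steps listed above, tagging every finding with the SP 800-53 control the draft cites. The inventory columns, the approved-port set and the sample rows are constructed assumptions.

```python
import csv
import io

# Constructed sample RD inventory (not from the NIST draft); column names are assumptions.
INVENTORY_CSV = """\
asset,kind,open_ports,mac_allowlist,physical_lock,immediate_overwrite,overwrite_passes,status,media_purged,creds_reset,factory_reset
mfp-01,multifunction,"9100,515,80,21",no,yes,yes,3,active,,,
prn-02,printer,"9100,443",yes,yes,no,1,active,,,
scn-03,3d-scanner,"",yes,no,yes,0,surplus,yes,no,yes
"""

# Ports this organization actually uses on its RDs (assumption); anything else counts as unused.
APPROVED_PORTS = {"9100", "443"}


def _yes(value):
    return value.strip().lower() == "yes"


def audit_active(row):
    """Installation/configuration practices from the draft, each mapped to its SP 800-53 control."""
    findings = []
    unused = {p for p in row["open_ports"].split(",") if p} - APPROVED_PORTS
    if unused:
        findings.append(("CM-7", f"unused ports open: {sorted(unused)}"))
    if not _yes(row["physical_lock"]):
        findings.append(("PE-3", "no physical lock"))
    if not _yes(row["mac_allowlist"]):
        findings.append(("AC-18, SC-7", "no MAC/IP address allowlist configured"))
    if not _yes(row["immediate_overwrite"]):
        findings.append(("MP-6", "immediate image overwrite disabled"))
    if int(row["overwrite_passes"] or 0) < 3:
        findings.append(("MP-6", "scheduled overwrite below the three-pass minimum"))
    return findings


def audit_disposal(row):
    """Sanitization steps the draft lists for RDs that leave service or are repurposed/stored."""
    checks = [("MP-6", "media_purged", "nonvolatile media not wiped/purged/destroyed"),
              ("IA-5", "creds_reset", "passwords/PINs not reset"),
              ("CM-6", "factory_reset", "configuration not reset to factory default")]
    return [(control, msg) for control, col, msg in checks if not _yes(row[col])]


def audit_inventory(text=INVENTORY_CSV):
    """Return {asset: [(control, finding), ...]}; disposal rules apply once status is not 'active'."""
    report = {}
    for row in csv.DictReader(io.StringIO(text)):
        rules = audit_active if row["status"] == "active" else audit_disposal
        report[row["asset"]] = rules(row)
    return report


if __name__ == "__main__":
    for asset, findings in audit_inventory().items():
        for control, msg in findings or [("-", "no findings")]:
            print(f"{asset}: [{control}] {msg}")
```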

Organizations are encouraged to review the draft publication during the public comment period and to provide feedback to NIST no later than Oct. 17. Email comments to sec-cert@nist.gov, or mail the National Institute of Standards and Technology, Attn: Computer Security Division, Information Technology Laboratory, 100 Bureau Drive (Mail Stop 8930), Gaithersburg, MD 20899-8930.

California Hospital Defeats $500 Million Privacy Suit

The California 4th District Court of Appeal recently ruled that a hospital did not violate medical privacy statutes when a computer was stolen in 2011.  According to the court’s opinion in Eisenhower Medical Center v. Superior Court of Riverside County, the computer, which was stolen from the medical center, contained an index of over 500,000 patients at the hospital who had been assigned a clerical record number.  The index, which had data from as far back as the 1980s, included the person’s name, medical record number, age, date of birth and the last four digits of the person’s Social Security number.  Significant to this ruling was that the file was password-protected but not encrypted.

The proposed class-action lawsuit sought over $500 million in statutory damages, or $1,000 for each of the over 500,000 patients whose personal information was listed on the index.

Following the hospital’s appeal from a dispositive motion ruling, the California appeals court held that, under these circumstances, the hospital could not be liable for violating the Confidentiality of Medical Information Act (CMIA) because it never revealed “medical information” about the listed individuals. The court held that under the CMIA, a prohibited release by a health care provider must include more than individually identifiable information but must also include information relating to medical history, mental or physical condition, or treatment of the individual.

Although this ruling helps narrow damages arising from a data breach involving medical records under the CMIA, a health care provider should bear in mind that, pursuant to this ruling, to be liable under the act, individually identifiable information – such as a patient’s address, name and email address, plus information about a patient’s “medical history, diagnosis or care” – must have been released.

To read the May 21 opinion, click here.  This ruling is final since the California Supreme Court declined to review it.

Image courtesy of Flickr by Taber Andrew Bain