KRACK: Understanding the Vulnerability

The KRACK WIFI vulnerability was announced by security researchers and the US-CERT today. This vulnerability can affect every modern WIFI network and has the potential to impact every device that connects to WIFI. If exploited, KRACK could allow any information sent over WIFI to be stolen, including passwords, credit card numbers, private emails, and so on. This vulnerability is a major problem for our enterprises and users. Vendors will be required to step up and provide fixes quickly, and everyone throughout the organization will need to pitch in and follow the recommended remediation.

What is KRACK?

KRACK is a vulnerability in WPA2, the most common security protocol used to authenticate WIFI connections to a secure network and one used by virtually every WIFI network. When this vulnerability is exploited, it permits an attacker within radio range to decrypt the session between a WIFI client (e.g. a mobile device) and the access point (e.g. a wireless router). In certain cases, it would also permit the alteration of content. All versions of WPA2 are affected.

How serious is it for me?

KRACK is a very serious problem in the long run, but how concerned you should be in the short term depends upon analyzing your threats. Threats of concern are those that are local (e.g. within range of your WIFI) and interested in compromising the confidentiality or integrity of your trusted network and the data it contains. This means the attack does not scale for remote actors such as international crime cartels; it can only be exploited by a local actor.

What actions should I be taking?

In the short term, we suggest revisiting your threat assessment and your staff training. To assess whether the threat is imminent, determine whether there is a local person (e.g. a disgruntled current or former staff member) who may be interested in, and capable of, exploiting this vulnerability. If this threat exists, a defensive strategy should be developed.

The specific strategy is very organization specific, but it should include working with law enforcement, upgrading monitoring and log analysis, changing firewall rules, or restructuring trust zones. Staff should also be trained to pay close attention to HTTPS connections. HTTPS is only a partial protection against exploitation, but if the user always checks that the internal web resource is protected (e.g. the lock icon or “https://” in the URL), the contents will still be encrypted as a second line of defense. Users must be trained to pay attention to this, as they may not receive any alert when it is missing.

Long-term, we recommend that you contact all vendors of the WIFI-associated equipment used in your environment and determine their schedule for releasing software patches and upgrades. As soon as these are available, install them and test each wireless device to ensure proper function.

What WIFI connections and activities are safe?

Bear in mind that “safe” is a relative word in cybersecurity. These are the safer activities:

  • Use of SSL (HTTPS) connections, which encrypt the data, though the user must pay close attention that the connection really is HTTPS; and
  • Use of “thin clients” (e.g. Citrix, VNC or other proprietary protocols), which deliver a picture of the data to the client rather than a copy of the data.

What WIFI connections are unsafe?

The following connections are not considered safe:

  • VPN connection assumed to be trusted and not using SSL (HTTPS);
  • Internal wireless connection where internal servers do not require SSL;
  • Home WIFI of remote users;
  • Anywhere that the login credentials to WIFI can be reused in another context (e.g. Active Directory);
  • Wherever WPA2 is used in any form to connect to a wireless access point.

To summarize, a new vulnerability has just come to light that impacts WIFI connections. This vulnerability can only be exploited by a local actor, therefore you need to evaluate potential threats from staff and others nearby. If you determine that a threat is imminent, you should take action immediately. Otherwise, install and test updates from WIFI-associated equipment vendors to mitigate this vulnerability.

For up-to-date information about the patches you need to secure your WIFI, please visit ZDNet.

QI Express to Present at 89th Annual AHIMA Convention

The American Health Information Management Association (AHIMA) Convention and Exhibit is taking place this year in Los Angeles. This annual five-day conference brings together healthcare professionals to explore the vast world of information technology.

The conference will examine the vital topics of health data analytics, informatics, security, and governance. As an increasing need for cyber solutions forms, conferences such as these become one of the main formats to discuss the changing climate of health technology. AHIMA allows presentations, panel discussions, and open forums to educate and advance the healthcare world.

QI Express is proud to announce that Robert Zimmerman (C.E.O. and Founder) and Adam Bullian (Chief Operating Officer) will be presenting at the Privacy and Security Institute.

Robert Zimmerman, C.E.O.

Robert will be kicking off the event early, co-presenting with Special Agent Boeing Shih of the FBI. Their discussion, “Emerging Cybersecurity Threats In Small and Medium Sized Hospitals: A Conversation with the FBI Cybersecurity Task Force and Industry Experts,” is expected to draw a big turnout, as this issue is prevalent and growing in the industry. Robert and Boeing will provide insights into the threats that can affect organizations, as well as guidance on best practices for implementing prevention techniques. This panel will be on Saturday, October 7th at 9:15 am.

Adam Bullian, C.O.O.

Adam will be presenting later that day on “The Essentials of Auditing and Managing Business Associates.” This discussion will cover how healthcare organizations are growing more reliant on vendors to deliver critical business services. As more associates are added to the business chain, more vulnerabilities arise and the risk grows. Adam will provide practical steps that hospitals of all sizes can take to understand, evaluate, validate, and manage the safeguards their business associates are applying. Adam’s discussion will be on Saturday, October 7th at 1:45 pm.

QI Express’s solutions include Security Risk Assessments, Security Readiness for Small and Medium-Sized Businesses, Security Awareness Training, HIPAA HITRUST Audit and Certification, and Emergency Preparedness.

For more information on AHIMA, or for a schedule of AHIMA events, please visit the AHIMA website.

We look forward to seeing you there! To request a demo, or if you would like more information about our services, please fill out the form below.

Where In The Cloud Is Your PHI?

Storing Protected Health Information (“PHI”) in the cloud can be very useful for covered entities and business associates. As we know, HIPAA does permit storing PHI in the cloud if the cloud storage provider executes a Business Associate Agreement. However, do you know exactly where that PHI is stored by the cloud provider? In some instances the cloud storage vendor might store, back up, or process the PHI in an overseas location. How do you protect the PHI, and yourself, in such a situation?

HIPAA does not specifically forbid storing PHI in an offshore location (some states do forbid storing Medicaid data offshore), but it does create challenges. First, you must determine where your cloud vendors will be storing the information, and whether it will be offshore or not. If it is offshore, you need to determine the specific location and what local rules might apply to the PHI. Local laws in the international jurisdiction where PHI is stored might actually allow access to the data that would be a violation of HIPAA. The duty is on you, as you contract with the cloud provider, to determine whether the security efforts are sufficient and whether the location of the data poses any risks. Furthermore, offshore cloud providers might not be bound by HIPAA, but you, presumably operating in the United States, are. If your international cloud provider is at fault for a breach but cannot be held accountable, you might be determined to be liable even if the only action you took was selecting the wrong vendor.

Without question, storing PHI offshore brings unique challenges. Whether they are worth it can only be answered by you. However, if you are considering a vendor that will store PHI internationally, be sure to conduct a risk assessment to ensure you are not putting PHI at increased or unnecessary risk.

Emergency Preparedness Best Practices

In the wake of two damaging hurricanes, the topic of emergency preparedness is top of mind for many Covered Entities and Business Associates. The goal of emergency preparedness is to ensure that electronic protected health information (ePHI) is secure, and that the confidentiality, integrity, and availability of ePHI are not jeopardized, both during and after an emergency.

Effective emergency preparedness consists of having a contingency plan which includes a data backup plan, a disaster recovery plan, and an emergency mode operation plan. The data backup plan ensures that you have accurate backups of the ePHI, while the disaster recovery plan is how you recover from those backups. The emergency mode operation plan outlines how ePHI will remain secured during the course of the emergency. While not specifically required, your organization should consider testing your contingency plan and revising it as necessary.

When thinking about putting your plan together, you can follow a seven-step process:

  1. Assess your situation;

  2. Identify risks;

  3. Formulate an action plan;

  4. Decide if and when to activate your plan;

  5. Communicate the plan;

  6. Test the plan; and

  7. Treat the plan as an evolving process.

While this process is linear, these steps can take considerable time to finalize. If you don’t have a contingency plan in place now, you should begin the process of developing and implementing one as soon as possible.