When the Auditor is Tricking Your Business

Dashrender

@scottalanmiller said in When the Auditor is Tricking Your Business:

So the original thread.... an auditor is threatening to fail a medical practice on an audit if they don't do something pointless, expensive and potentially bad for their customers all because the auditor (a lawyer) doesn't understand the technology and is scamming the business in question by doing an "audit" without knowing what he is auditing.

So the issue at hand is that a security audit is being done by someone who has already tricked someone into the business to hire him when he's not qualified even to discuss what they are doing. So this poses some issues.... someone hired someone totally unqualified and that person got in the door based on tricking them that they were qualified. Now if this wasn't a security audit, things would be a little different. But as a security audit, this is especially troublesome that the auditor managed to get in through a security vulnerability... we presume. Namely someone hiring security people who can easily be manipulated.

This is a horrible assumption!

The OCR is launching audits of medical practices/hospitals, etc. So this is non-voluntary audits, the practice won't be the ones hiring someone.

Dashrender

An example, we are audited by Medicare every 3 years. They are checking things against check boxes you love so much. Do they understand why a power strip that was completely fine last year is suddenly not fine this year simply because a new UR code isn't stamped on the box, oh... because the code didn't exist last year when the strip was purchased.. of course not.

The same goes for any of these typical non IT personal doing the audits for OCR.

TAHIN

There was a reddit article a while back about a completely legit HIPAA auditor demanding domain logons and passwords for every user in the company to prove that IT kept track of the stuff. So they went through this guy's company directory, found his boss, and talked to him. The auditor in question was 'confused' and rescinded the demand.

I'm starting to wonder if security audits are conducted like house appraisals..... "I have no idea what the rules are so I'll just do what the guy next to me did".

scottalanmiller

@Dashrender said in When the Auditor is Tricking Your Business:

@scottalanmiller said in When the Auditor is Tricking Your Business:

So the original thread.... an auditor is threatening to fail a medical practice on an audit if they don't do something pointless, expensive and potentially bad for their customers all because the auditor (a lawyer) doesn't understand the technology and is scamming the business in question by doing an "audit" without knowing what he is auditing.

So the issue at hand is that a security audit is being done by someone who has already tricked someone into the business to hire him when he's not qualified even to discuss what they are doing. So this poses some issues.... someone hired someone totally unqualified and that person got in the door based on tricking them that they were qualified. Now if this wasn't a security audit, things would be a little different. But as a security audit, this is especially troublesome that the auditor managed to get in through a security vulnerability... we presume. Namely someone hiring security people who can easily be manipulated.

This is a horrible assumption!

The OCR is launching audits of medical practices/hospitals, etc. So this is non-voluntary audits, the practice won't be the ones hiring someone.

The basics still remain, though, you have a security concern in your midst and it sounds like the OCR is a security problem as well. Why would they force someone unqualified on you?

scottalanmiller

@Dashrender said in When the Auditor is Tricking Your Business:

The same goes for any of these typical non IT personal doing the audits for OCR.

All you are saying is that the audit is fake. But that we already knew. That's actually the issue, not an excuse for it, right?

Dashrender

@TAHIN exactly right - and we end up with the problems that my other thread was there to resolve.

Auditors for the OCR are the ones that basically get to decide if you are guilty or not. The appeal process for most of these situations are horrible at best, impossible at worse.

My friend worked for a publicly traded company - oddly enough, Sarbanes Oxly require that companies perform their own audits. I'm not sure how this really works, but I'll tell you what his company did.

They hired Deloitte and Touche to do a pre-audit, they would then fix all of those things. This was their 100-lb gorilla. Then they would hire a middle of the road, basically no name, but still authorized Sarbanes Oxly compliant auditing firm to audit them. If that second company found that the company in question had any violations, the company would first run them by D&T - if D&T felt the auditing company was just being pushy, they'd push back with the might of D&T, and that was usually the end of it.

For this flexibility, they paid over $1 million a year.

Now of course, one might think that the company was basically finding ways to skate by, but I do believe that my friend (who was in charge) was trying to do the right thing, and was having D&T do a real and complete audit in the first place.

scottalanmiller

@TAHIN said in When the Auditor is Tricking Your Business:

There was a reddit article a while back about a completely legit HIPAA auditor demanding domain logons and passwords for every user in the company to prove that IT kept track of the stuff. So they went through this guy's company directory, found his boss, and talked to him. The auditor in question was 'confused' and rescinded the demand.

How does "legit" and that go together? That his boss was able to cover doesn't make it legit. Could someone be confused to that degree? Maybe. Was it likely? not very.

scottalanmiller

@TAHIN said in When the Auditor is Tricking Your Business:

I'm starting to wonder if security audits are conducted like house appraisals..... "I have no idea what the rules are so I'll just do what the guy next to me did".

I truly believe that nearly all are scams. Some are scams just to take your money for not doing the audit that they promised to do. but a lot could be a lot worse. Using the audit as a means of stealing data. I mean look at this case in point... once the OCR and this auditor are willing to do something unethical to force money from the medical practices, why stop there? What ethical situation causes them to be willing to pressure practices to go through a fake audit but would not be willing to steal PHI if the opportunity presented itself?

scottalanmiller

@Dashrender said in When the Auditor is Tricking Your Business:

Auditors for the OCR are the ones that basically get to decide if you are guilty or not. The appeal process for most of these situations are horrible at best, impossible at worse.

Is that really true? If you sue the auditor I bet you'd find otherwise. Especially if this goes much farther to the point of social engineering, like the one requesting logins. If someone does that, you don't call the OCR, you call the FBI. Let the FBI talk to the OCR about it.

scottalanmiller

Having worked under HIPAA, SARBOX, PCI and others, one of the big lessons that was drilled into us was that we, not the auditors, were the security line of defence. Sure, auditors could cause problems, but at the end of they day an auditor would be like anyone else, if they pressured us to violate security (not quite the case here, but it could turn into that easily) we had to take legal action and in the US social engineering includes just pressuring people to violate security and that's a serious federal charge.

Dashrender

@scottalanmiller said in When the Auditor is Tricking Your Business:

@Dashrender said in When the Auditor is Tricking Your Business:

@scottalanmiller said in When the Auditor is Tricking Your Business:

So the original thread.... an auditor is threatening to fail a medical practice on an audit if they don't do something pointless, expensive and potentially bad for their customers all because the auditor (a lawyer) doesn't understand the technology and is scamming the business in question by doing an "audit" without knowing what he is auditing.

So the issue at hand is that a security audit is being done by someone who has already tricked someone into the business to hire him when he's not qualified even to discuss what they are doing. So this poses some issues.... someone hired someone totally unqualified and that person got in the door based on tricking them that they were qualified. Now if this wasn't a security audit, things would be a little different. But as a security audit, this is especially troublesome that the auditor managed to get in through a security vulnerability... we presume. Namely someone hiring security people who can easily be manipulated.

This is a horrible assumption!

The OCR is launching audits of medical practices/hospitals, etc. So this is non-voluntary audits, the practice won't be the ones hiring someone.

The basics still remain, though, you have a security concern in your midst and it sounds like the OCR is a security problem as well. Why would they force someone unqualified on you?

Why does any government agency force an unqualified auditor upon you? your guess is as good as mine.

scottalanmiller

@Dashrender said in When the Auditor is Tricking Your Business:

@scottalanmiller said in When the Auditor is Tricking Your Business:

@Dashrender said in When the Auditor is Tricking Your Business:

@scottalanmiller said in When the Auditor is Tricking Your Business:

So the original thread.... an auditor is threatening to fail a medical practice on an audit if they don't do something pointless, expensive and potentially bad for their customers all because the auditor (a lawyer) doesn't understand the technology and is scamming the business in question by doing an "audit" without knowing what he is auditing.

So the issue at hand is that a security audit is being done by someone who has already tricked someone into the business to hire him when he's not qualified even to discuss what they are doing. So this poses some issues.... someone hired someone totally unqualified and that person got in the door based on tricking them that they were qualified. Now if this wasn't a security audit, things would be a little different. But as a security audit, this is especially troublesome that the auditor managed to get in through a security vulnerability... we presume. Namely someone hiring security people who can easily be manipulated.

This is a horrible assumption!

The OCR is launching audits of medical practices/hospitals, etc. So this is non-voluntary audits, the practice won't be the ones hiring someone.

The basics still remain, though, you have a security concern in your midst and it sounds like the OCR is a security problem as well. Why would they force someone unqualified on you?

Why does any government agency force an unqualified auditor upon you? your guess is as good as mine.

Corruption. Is there really no published process for letting the OCR know that something is amiss?

Dashrender

@scottalanmiller said in When the Auditor is Tricking Your Business:

Having worked under HIPAA, SARBOX, PCI and others, one of the big lessons that was drilled into us was that we, not the auditors, were the security line of defence. Sure, auditors could cause problems, but at the end of they day an auditor would be like anyone else, if they pressured us to violate security (not quite the case here, but it could turn into that easily) we had to take legal action and in the US social engineering includes just pressuring people to violate security and that's a serious federal charge.

Agreed!!

Dashrender

@scottalanmiller said in When the Auditor is Tricking Your Business:

@Dashrender said in When the Auditor is Tricking Your Business:

@scottalanmiller said in When the Auditor is Tricking Your Business:

@Dashrender said in When the Auditor is Tricking Your Business:

@scottalanmiller said in When the Auditor is Tricking Your Business:

So the original thread.... an auditor is threatening to fail a medical practice on an audit if they don't do something pointless, expensive and potentially bad for their customers all because the auditor (a lawyer) doesn't understand the technology and is scamming the business in question by doing an "audit" without knowing what he is auditing.

So the issue at hand is that a security audit is being done by someone who has already tricked someone into the business to hire him when he's not qualified even to discuss what they are doing. So this poses some issues.... someone hired someone totally unqualified and that person got in the door based on tricking them that they were qualified. Now if this wasn't a security audit, things would be a little different. But as a security audit, this is especially troublesome that the auditor managed to get in through a security vulnerability... we presume. Namely someone hiring security people who can easily be manipulated.

This is a horrible assumption!

The OCR is launching audits of medical practices/hospitals, etc. So this is non-voluntary audits, the practice won't be the ones hiring someone.

The basics still remain, though, you have a security concern in your midst and it sounds like the OCR is a security problem as well. Why would they force someone unqualified on you?

Why does any government agency force an unqualified auditor upon you? your guess is as good as mine.

Corruption. Is there really no published process for letting the OCR know that something is amiss?

I haven't had to deal with the OCR about this, so I don't know.. but was have had to deal with Medicare audits, every three years. They made us replace several pieces of gear because the old gear didn't have the new that year UL codes on them. The equipment was fine last year, suddenly not fine this year.

scottalanmiller

@Dashrender said in When the Auditor is Tricking Your Business:

@scottalanmiller said in When the Auditor is Tricking Your Business:

@Dashrender said in When the Auditor is Tricking Your Business:

@scottalanmiller said in When the Auditor is Tricking Your Business:

@Dashrender said in When the Auditor is Tricking Your Business:

@scottalanmiller said in When the Auditor is Tricking Your Business:

So the original thread.... an auditor is threatening to fail a medical practice on an audit if they don't do something pointless, expensive and potentially bad for their customers all because the auditor (a lawyer) doesn't understand the technology and is scamming the business in question by doing an "audit" without knowing what he is auditing.

So the issue at hand is that a security audit is being done by someone who has already tricked someone into the business to hire him when he's not qualified even to discuss what they are doing. So this poses some issues.... someone hired someone totally unqualified and that person got in the door based on tricking them that they were qualified. Now if this wasn't a security audit, things would be a little different. But as a security audit, this is especially troublesome that the auditor managed to get in through a security vulnerability... we presume. Namely someone hiring security people who can easily be manipulated.

This is a horrible assumption!

The OCR is launching audits of medical practices/hospitals, etc. So this is non-voluntary audits, the practice won't be the ones hiring someone.

The basics still remain, though, you have a security concern in your midst and it sounds like the OCR is a security problem as well. Why would they force someone unqualified on you?

Why does any government agency force an unqualified auditor upon you? your guess is as good as mine.

Corruption. Is there really no published process for letting the OCR know that something is amiss?

I haven't had to deal with the OCR about this, so I don't know.. but was have had to deal with Medicare audits, every three years. They made us replace several pieces of gear because the old gear didn't have the new that year UL codes on them. The equipment was fine last year, suddenly not fine this year.

That stuff is different. Ridiculous, of course, but not a security violation. And this isn't technically either, but gets pretty close. But basically you have an auditor threatening to fail you based on criteria that he can't state AND he has access to your systems when he can't be trusted. Checking out extension cords doesn't compromise security.

Dashrender

@scottalanmiller said in When the Auditor is Tricking Your Business:

@Dashrender said in When the Auditor is Tricking Your Business:

@scottalanmiller said in When the Auditor is Tricking Your Business:

@Dashrender said in When the Auditor is Tricking Your Business:

@scottalanmiller said in When the Auditor is Tricking Your Business:

@Dashrender said in When the Auditor is Tricking Your Business:

@scottalanmiller said in When the Auditor is Tricking Your Business:

So the original thread.... an auditor is threatening to fail a medical practice on an audit if they don't do something pointless, expensive and potentially bad for their customers all because the auditor (a lawyer) doesn't understand the technology and is scamming the business in question by doing an "audit" without knowing what he is auditing.

So the issue at hand is that a security audit is being done by someone who has already tricked someone into the business to hire him when he's not qualified even to discuss what they are doing. So this poses some issues.... someone hired someone totally unqualified and that person got in the door based on tricking them that they were qualified. Now if this wasn't a security audit, things would be a little different. But as a security audit, this is especially troublesome that the auditor managed to get in through a security vulnerability... we presume. Namely someone hiring security people who can easily be manipulated.

This is a horrible assumption!

The OCR is launching audits of medical practices/hospitals, etc. So this is non-voluntary audits, the practice won't be the ones hiring someone.

The basics still remain, though, you have a security concern in your midst and it sounds like the OCR is a security problem as well. Why would they force someone unqualified on you?

Why does any government agency force an unqualified auditor upon you? your guess is as good as mine.

Corruption. Is there really no published process for letting the OCR know that something is amiss?

I haven't had to deal with the OCR about this, so I don't know.. but was have had to deal with Medicare audits, every three years. They made us replace several pieces of gear because the old gear didn't have the new that year UL codes on them. The equipment was fine last year, suddenly not fine this year.

That stuff is different. Ridiculous, of course, but not a security violation. And this isn't technically either, but gets pretty close. But basically you have an auditor threatening to fail you based on criteria that he can't state AND he has access to your systems when he can't be trusted. Checking out extension cords doesn't compromise security.

that wasn't about security specifically, it was about all aspects of the business, up to and including security - but their check sheet currently doesn't have much on it for IT security, so they don't ask much there.

TAHIN

@scottalanmiller said in When the Auditor is Tricking Your Business:

How does "legit" and that go together? That his boss was able to cover doesn't make it legit. Could someone be confused to that degree? Maybe. Was it likely? not very.

By legit I meant not a social engineer. He represented a legit company, though he was not reputable himself. Maybe he wanted it so he could sell it later, who knows

TAHIN

@scottalanmiller said in When the Auditor is Tricking Your Business:

I truly believe that nearly all are scams. Some are scams just to take your money for not doing the audit that they promised to do.

Or to take your money by threatening an audit and hoping you'll compensate by over-licensing to death. We just went through our MS SQL true-up. Good god. When Microsoft can prove to me at the binary level that one thread from a VM is able to schedule two hyper-threaded siblings from the same core at the same time, contradicting all of their other documentation, THEN I'll pay for twice the SQL licensing just because I have hyper-threading turned on on my host. Friggin thieves.

scottalanmiller

@TAHIN said in When the Auditor is Tricking Your Business:

@scottalanmiller said in When the Auditor is Tricking Your Business:

How does "legit" and that go together? That his boss was able to cover doesn't make it legit. Could someone be confused to that degree? Maybe. Was it likely? not very.

By legit I meant not a social engineer. He represented a legit company, though he was not reputable himself. Maybe he wanted it so he could sell it later, who knows

How do you know that he wasn't a social engineer? What he did is exactly what a social engineer would do when caught. How did you determine that he wasn't trying to trick you and that he was only incompetent?