Wednesday, July 27, 2005

Searching for Artificial Happiness

"29% of companies purchased a solution for SarBox, 26% for HIPAA" (ZDNet): "More than 26% of customers surveyed by Network Intelligence are using the solution for HIPAA, 29% for Sarbanes-Oxley (SOX) and 5% for Payment Card Industry Standard (PCI)."

This is a vendor-related study--- not much more than a press release, but it is interesting in that it shows that there are folks out there, like you, who are looking around for some sort of integrated solution to data handling and compliance.

The problem with this is always going to be that one size doesn't always fit all, and when you combine functions, the failure of one often causes the failure of all.

Tuesday, July 19, 2005

Two Rooms at the End of the World

So here it is, from RedNova--- the beginning of the apocalypse:

"Who could have ever imagined seeing former Speaker of the House Newt Gingrich standing side-by-side with former first lady and now senator from New York Hillary Rodham Clinton announcing their shared plan for the nation's healthcare system?
And yet there they were this past May, holding a joint press conference and describing how they would drag health care, kicking and screaming if need be, into a future filled with new IT and communication systems.
The Gingrich-Clinton announcement was not an isolated event. It was followed immediately by the introduction of the 21st Century Health Information Act of 2005 in the House, jointly sponsored by Reps. Tim Murphy (R-Pa.) and Patrick Kennedy (D-R.I.). A companion Senate bill came a week later introduced by Sens. Mel Martinez (R-Fla.) and Clinton. "

Well, not really the apocalypse. Actually a logical next step that, properly done, will make HIPAA compliance much easier by further automating the system.
More as I learn more.

Thursday, July 14, 2005

Knock Three Times

There has been a rash of reports of data theft lately that has a very strange effect: it causes many to become complacent about their data protection measures because, after all, their system is working.
The problem is that there is no way to know if your data is bulletproof. You can only be certain when it is not, and you have evidence that your security has been breached. The vast majority of data theft, including PHI, is undetectable, and unprosecutable, because unlike physical theft, the stolen data is still there. If someone sneaks into a museum in the dead of night, dressed in spandex and night goggles, and makes off with a Botticelli, in the morning there is a big square of unfaded wall, an empty nail, a light dusting of tracked-through laser-detection talcum powder, and no painting. The problem with stolen data is that most of the time there is no way to know that your system has been breached, or if it has been, that anything is missing, because nothing is actually missing.
So what do you do to keep your data secure?
The threats come in three flavors, and there are steps that you can take to protect yourself from each one.
1. The Barbarians at the Gates. There are people out there who don't like you. There are people out there who don't care about you, but want what you have. And there are people out there who don't care about you, or what you have, but want inside just. because. they. can.
These are the folks that firewalls were invented to thwart, and I assume that y'all have covered this loophole. Firewalls, encryption, strong passwords, and some sort of Intrusion Detection System (IDS) cover you there. If you don't understand or like this stuff (hard for me to believe, but then again I went heavily into BetaMax, so what do I know) hire someone who does. A competent IT security consultant can set up most small practices in a few hours of system hardening. Do make sure that the contract includes some basic training for your users concerning the changes and best practices.
2. The Enemy Within. Far more likely to cause you grief is the viper cherished in your bosom. No one knows for sure, but I would guess that the retail model applies here--- 90% internal theft. After all, who else holds the keys to your kingdom? Training, monitoring, set usage policies, and careful terminal check-out procedures can help, but you never know. If you have 20 employees and they all seem perfectly content, either you are the shining example all other bosses should aspire to, or at least 5% of your workforce is adept at hiding their dissatisfaction. I know which one seems most likely to me.
3. Stupid is as Stupid Does. And Stupid seems to be doing more than his fair share lately. Data theft is the classic crime of opportunity. "It was just laying there, so I took it." Or "The web site was unsecured" (here) or "The safe was left open" (here) or -one that I recently was asked about- "I left the box of records in the back seat, and someone borrowed my car." I love consulting, but dang, please make it harder for me, will ya? No more post-it notes with passwords conveniently stuck to the monitor, or so cleverly stuck under the keyboard. No more backup tapes on a shelf behind your desk, or stacked on top of the server. No more shared passwords for the entire office.
Once again, if you don't know about this stuff, contract someone who does. It is so very much cheaper and less stressful to spend a few bucks and a few hours hardening your system and providing a few hours of common sense training for your crew than it is to learn about your PHI disclosure from the guy with good hair and too many teeth holding the mike and standing sideways in your lobby so his cameraman can get a good shot.

Wednesday, July 06, 2005

Unintended Lyrical Befuddlement

Here is a report from the First Amendment Center on a HIPAA conference in Nashville that reads like a laundry list of misconceptions about HIPAA-- reporters whining about the public's right to know (a wonderful thing, the First Amendment, designed to protect individuals and groups from being silenced, and its corollary of the public's right to know is to keep the big shots in control from hiding stuff from us-- NOT to make reporters' jobs easier), a hacker named "Mudge" who boasts he could bring down the internet in 30 minutes, and an anti-HIPAA crusader from here in Washington State who claims that HIPAA is less about privacy than it is about discrimination.

I like this one a lot:
"James Hudnut-Beumler, dean of Vanderbilt Divinity School and an ordained Presbyterian minister, brought an often-overlooked effect of HIPAA to light: how hard it has become for clergy to see members of their congregations in the hospital or even get any information about them. Churches must now be very careful what they reveal about patients to their congregations, particularly in church bulletins, he said.

“It has turned us (clergy) into social engineers,” Hudnut-Beumler said. “It gets hard to do the work that you are supposed to do and that the family expects you to do.” He proposed a “good Samaritan provision” to apply to HIPAA that would protect medical personnel in the case of “well-intended disclosure,” an idea many attendees received favorably."

Of course, we all know that Vanderbilt Divinity School is not a covered entity, and I sincerely doubt that most Presbyterian congregations need to worry about the HIPAA cops inspecting their church bulletins.

Man, I wish I was at that conference, sounds like it was a blast.

Protect Ya Neck

I hereby declare July as Security Compliance Month-- we'll have a parade, an award show, and a Security Rule Film Festival. While I work out the details, entertain yourself with this from Ramon Padilla Jr. at Tech Republic:
"However, as it is now, the temptation is there for others to gamble on not getting caught—and, in the process, to gamble with your career. When it comes time to request funding for HIPAA compliance, it might go like this: "Well Bob, I see your budget request for us to comply with the HIPAA security standards is pretty large. I'm afraid we can't handle that. "Do the best that you can."
But whose head will be on the chopping block once a security complaint is filed and it is leaked to the press? You can bet it won't be the person who denied your funding!"
Good points from Ramon--- remember, Ken Lay is still playing golf with his cronies while his Enron underlings are all residents at the Gray Bar Inn.

I've Just Seen a Face

A pretty good white paper in Information Week from Citrix about security compliance:
"...some of the common top-of-mind topics that CIOs in this industry face include:
  • Patient Safety.
  • Loss of cash flow from an inability to bill because the network is down.
  • Unauthorized release or use of PHI from external or internal threats.
  • Temporary unavailability of data to critical systems that impairs patient safety.
  • Growth in the number of users with wired and wireless access devices.
  • Installing the latest patch upgrades.
  • Integrating new systems with legacy systems.
  • Rapid identification and response to problems.
  • Monitoring patient data for early signs of potential terrorist or bio-terrorism events.
  • Interpreting and adopting new information technology compliance mandates."
Vendor white papers are usually about pushing their own product, so read between the lines. This one has some good info, though, so it is worth your scan.

Save the Population

A good general concept-level piece on data storage from IT Observer:

"Information Lifecycle Management (ILM) is one strategy for managing and storing data, according to its evolving business value and access requirements over time. Data must remain accessible on demand for compliance and audit inquiries."

Storage is going to be a very hot issue in the next little while, as folks begin to understand the ramifications of the security rule. Having a plan now is so much better than having an emergency later.