Wednesday, December 28, 2005

Save Me From Being Alone

This article is a good example of why I subscribe to

Everyone knows users are the soft spot in security programs. They've even confessed in recent surveys that they take more risks at work -- opening strange email attachments, clicking bizarre IM links and downloading dubious programs -- because they can. Phish scams and spyware, the two major malware trends in 2005, will continue to proliferate with the aid of increased technical proficiency and sophisticated social engineering. Already we've quickly gone from phony financial Web sites to human-resource e-mails to fake jury duty notices and false subscriber notifications. That means security must continue to save us from ourselves. Just be aware some of the biggest offenders are probably sitting in the boardroom.

This is an excellent round-up of the security issues of the last year, including compliance issues, and identity theft, both of which should be of interest to readers here.

Tuesday, December 20, 2005

21 and Invincible

From comes an outstanding six-step plan for securing PHI:

Certainly this "reasonable safeguards" benchmark is open to interpretation. The good news is this benchmark accounts for the fact that no security system is invincible. The bad news is that if you've failed to review how your benefits office handles PII, identify risks, mitigate those risks, educate your employees, etc., a reasonable individual will find that you did not put in place reasonable safeguards to secure PII. Doing nothing is not an option.

As the writer points out, most information loss comes from humans, not faulty machines, and most of that is non-malicious, just plain old human error.

Tuesday, December 13, 2005

You Can Demand

Here is an on-demand webinar from Citrix about GoToMyPC. It is an extended commercial, of course, but there is a ton of info, and one of the speakers is Ross McKenzie, Director of Information Systems at Johns Hopkins Bloomberg School of Public Health.

As a healthcare industry professional responsible for complying with HIPAA standards regulating patient information, you need to know about Citrix® GoToMyPC® Corporate, a managed remote-access solution that can help your organization meet HIPAA compliance guidelines while improving patient care, increasing speed of service and reducing IT costs. Join us for a 30-minute interactive Webinar to learn how Johns Hopkins Bloomberg School of Public Health has provided its faculty and staff with secure, easy-to-use remote access. Plus, discover how GoToMyPC Corporate can provide your organization with instant, secure remote access to email, files, applications and network resources in real time. Key benefits of GoToMyPC Corporate:
Highly secure, 128-bit encryption, security time-outs and strong passwords
Supports compliance with HIPAA provisions
No up-front costs or hardware to manage
No training required
Who should watch the on-demand Webinar?
Managers who need the highest level of security and control over remote workers
Budget owners who need to manage costs of implementing IT solutions
Network administrators who need to ensure compatibility with existing architecture
Those responsible for ensuring HIPAA compliance

Some of our regular visitors to this site are from Johns Hopkins, so it is nice to be able to send a referral back that way, however indirect :)

Charles Atlas

Outstanding article from TechWorld on the conflict between IT security and regulatory compliance:

This is the biggest flaw in compliance – that a network that has been audited as meeting its legal obligations is seen as somehow acceptably secure. No network ever will be secure in this sense. Procedures can be laid down in black and white but they will never be followed correctly at all times. Mistakes will be made and unforeseen threats will emerge.

Regulations, by their nature, are static, while IT security is dynamic: reacting to new threats, anticipating future attacks, shoring up old weaknesses and patching newly discovered vulnerabilities. HIPAA tried to address this dichotomy by making the regulations non-technology-specific, and to some extent it worked. But there is still that dynamic tension between the 97-pound weakling of your IT budget and the bully who is kicking regulatory sand in his face.

Hi Heel Sneakers

3Com wants to hack your system, but unlike Sony, they are on your side. Ethical hacking has been around for a long time, and invasive security audits are nothing new--- a very amusing movie was built around the concept a few years ago. "Sneakers" had Robert Redford, Dan Aykroyd, and hacking banks--- what could be more fun?
NetworkWorld has this to say about it--- the 3Com thing, not Robert Redford:

In three days or more of onsite testing, the experts would run a variety of tests and assessment tasks, including network mapping, scanning and password cracking. They would attempt to gain access to machines and move up the hierarchy of system privileges on corporate servers - from guest to admin to root access. Emulation of blended attacks on the customer network, penetration testing and evasion techniques are also used.

For a few thousand dollars, you can find out how your technical safeguards actually hold up under attack, which is a big part of what the Security Rule asks you to demonstrate. No audit or penetration test makes you compliant by itself, but this one would tell you where you stand. Might be worth it.

Friday, December 02, 2005

Take Out the Crime

Now this is really juicy! A HIPAA compliance officer, whom her former employers describe as unreliable, is claiming that HIPAA required her to sit in on interviews of a shooting victim. Her testimony conflicts with everyone else's, including that of the hospital administrators, who seem puzzled that she would have been involved at all.

Chartraw said her job responsibilities included ensuring a patient could submit to an interview and sitting through interviews with law enforcement officers to monitor patients' conditions throughout the interview. All three witnesses said no hospital policy required a HIPAA officer to sit through interviews or monitor patient conditions. The prosecution presented a letter from the hospital's attorney dated prior to Hilde's admittance that reiterated that HIPAA has no such requirement.

HIPAA is so wonderful! It means so many different things to so many different people. In this case, it seems to mean that a compliance officer can insert herself into a real life version of CSI. Or so she would seemingly have us believe.

Driving with the Brakes On

As we move closer to a national health records system, it is important to remember that our consumers are probably going to push back. This recent survey reported in SHRM Online found that 67 percent of Americans are concerned about the privacy of their personal health information and are largely unaware of their rights. A major concern was that employers would use medical information to discriminate against workers.

Though there is no evidence of massive disregard for the privacy rules, fear of job repercussions is not entirely unfounded.

In 1998, for example, an Atlanta truck driver lost his job when his employer learned from his insurance company that he had sought treatment for a drinking problem, according to one of scores of stories about privacy breaches posted on the Health Privacy Project’s web site.

“The fear of disclosure, the fear of loss of benefits, the fear that people will be adversely affected in their jobs continues,” project director Janlori Goldman told HR News.

The most concerned? Minorities and those with on-going health problems.

Two Dice and a Silent Disguise

Unintentional Truth Department---- from TMCnet:

The scramble to comply with legislated security initiatives such as the Final Rule of the Health Insurance Potability and Accountability Act...

Yes, many of us find parts of HIPAA hard to swallow.

Overall, though shot through with annoying typos, this article provides a pretty good overview of many of the issues of compliance and enforcement of the Security Rule, including many of the reasons many of us are less than fully compliant.
Here is the money quote:

According to Amith Viswanathan, a healthcare industry analyst at Frost and Sullivan, private practices “rely heavily on their venders to be complaint” ... as opposed to actively pursuing compliance themselves.

Relying on your vendors to make you compliant is like driving without insurance and hoping that, if you do get in an accident, the other driver is covered.