Friday, July 28, 2006

Java Jive

It seems that every time I go to a coffee shop I see someone step away from their laptop. I guess I'm not the only one to notice this---- the bad guys see it too:

This month, the FBI and the Computer Security Institute (CSI) released the results of their most recent annual Computer Crime and Security Survey. And some of the findings should cause life science companies to re-examine their security procedures, software, and systems to make sure new threats are not hazardous to their organization's well being.
For instance, 47 percent of the 616 respondents said their organization had experienced laptop thefts within the last 12 months. This phenomenon is on the rise. For example, an April article in the San Francisco Chronicle noted that the number of laptops stolen in the city had nearly tripled from 2004 to last year and that thieves increasingly are staking out coffee shops to steal laptops when customers were distracted or stepped away from their table.

Boy, I am tired of reading about data theft that could be prevented with only the simplest safeguards. If you have to pee while tapping away at Starbucks, take your notebook with you. Or invest in a cheap cable lock. Or best of all, don't go tooling around with PHI or other sensitive data on your portable devices.

Friday, July 21, 2006

Slow Hand

Get on it!

Blue Cross and Blue Shield of North Carolina plans to make the required changes to its IT systems and business processes by September. However, the Durham-based company estimates that only 20% of the doctors and hospitals it works with have applied to the federal government and received their new ID numbers, according to Harry Reynolds, the insurer's vice president of information systems planning.

For many, adding the NPI number to records is pretty simple, but for others, modifying thousands of records is a very daunting task. Waiting until the last minute won't make it any smoother.

Thursday, July 13, 2006

Wipe Out

Some great tips on using a data disposal service to wipe and destroy hard drives and other storage media, including this nice little summary:

The Pros & Cons

Using a disposal service can keep your data safe and keep you from running afoul of local, state, and national laws meant to protect the environment. It can also provide you with audit logs if HIPAA or Sarbox regulators demand them. But, as with all things, there are cons. First are cons in the oldest sense of the word, fly-by-night outfits that don’t follow intricate laws to the letter or tell you they’ll drill holes through your hard drives when they really plan to resell them. What’s the antidote? First, of course, is careful research—never give old equipment to a firm you don’t trust. Second is a rock-solid contract. Your disposal service should spell out its process in detail.

As I have mentioned before, I have worked with a company that uses DoD wiping software and keeps a small drill press at the tech bench. Five quarter-inch holes make data recovery pretty discouraging.

No News Today

Here is an interesting disclaimer at the head of a newspaper report on a clinic that does methadone treatment:

Editor's note: Due to the federal Health Insurance Portability and Accountability Act, or HIPAA, medical service providers are prohibited from releasing information about a patient without the patient’s prior consent. The Southern Indiana Treatment Center and its parent company, CRC Health Group, were cooperative with The Evening News and The Tribune in identifying sources for this story, but due to the privacy rights of the clinic’s patients, the newspapers have no way to verify whether the patients quoted in this story are representative of the clinic’s patients at large.

I am constantly amazed at how useful HIPAA has become. It truly answers all needs for obfuscation.

What a Wonderful World

I don't know much biology, but I do know that the data security problems of universities are completely out of hand. I didn't realize that 1/3 of all data loss comes from academia:

WAKE-UP CALL. It can sometimes take an incident like this to jolt you out of the theoretical. I've been in the network security industry for nearly two decades and am familiar with the latest technology, trends, and what-have-you. But this time, it's hitting home. And certainly not just for UT alumni: Data thieves are helping themselves to personal data at schools across the nation, as the recent penetration of three Ohio University servers holding the SSNs of 137,000 people attests.

The writer of the article calls for new regulation, but we know that regulation won't protect your data--- you have to do that.

Monday, July 03, 2006

Old and in the Way

From the Pittsburgh Tribune-Review comes this headline:

Privacy law delayed responders at home

Reading down, of course, we discover that it was some idiot's misreading of the law that led to the delay. TPO, people. TPO. The EMS folks needed the info--- HIPAA covers the situation quite well. There seems to be a whole class of folks determined to make something simple as much of a hassle as humanly possible.

Why is there such poor compliance? Perhaps poor enforcement is a cause:

David Kibbe, director of the American Academy of Family Physicians' Center for Health Information Technology, said the results of the survey didn't surprise him. Family physicians are doing what they can to comply with HIPAA given all the other things they have to do, he said, but the lack of government enforcement removes the urgency to comply. "If you knew a security breach in your family medical practice was going to cost you $150,000, you might see more concern," Kibbe said. "But there has been so little enforcement and so little outreach on the part of the federal government that it has been difficult for family physicians and others in small and medium-size practices to take this seriously."

What are the numbers? The survey quoted in the article linked says "...74% of payer-respondents said they were in compliance (up from a January survey total of 30%) compared with 43% of provider-respondents (up from 18% in January)."

Why is this?

In fact, when asked to rank their biggest obstacles to HIPAA compliance, respondents placed "no public relations or branding problems anticipated with noncompliance" and "no anticipated legal consequences to noncompliance" at the top of the list.