Wednesday, January 24, 2007

Dead And Bloated

A timely and timeless piece on "privilege bloat":

Large organizations have to manage high staff mobility and turnover. Access requirements of employees and contractors change rapidly as they are re-assigned from one position to another. When users try to access something that they need to do their job, and get an 'access denied' error message, they call the help desk, figure out what's missing, and get it fixed. In other words, processes for granting new privileges to users may not be friendly or timely, but they are always reliable.

The same cannot be said of privilege deactivation. When was the last time a user in your organization called the security administration desk and asked that an old ID or group membership be removed? In reality, users may forget that they have the old privilege, may not understand the security infrastructure or may simply hoard old privileges "just in case."

The net result of unreliable and/or untimely access termination processes is that users accumulate inappropriate security rights.

I often go into a small to medium organization and find an entire archaeology of former employees and changed current employees subsumed into the system. My favorite is when an employee is signing on to the "Assistant's" account, with the same password and username as the last five holders of that position. In small and medium organizations, a hired gun like me can ask a few questions and clean it up. In a large company, there may not be anyone who knows for certain about required rights and privileges, or even a current master list of users.
I know, you are asking yourself---"How can this be? Is there really any organization that is so careless that there are such gaping holes in their security?"
Well Timmy, here is the sad answer: There are a lot of them. And they have your personal information, lurking right there on their insanely insecure systems, just begging to be accessed by an unauthorized and ethically-challenged user.
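The cleanup a "hired gun" does by asking questions can be mechanized once an HR roster exists: reconcile every grant against the person who should own it. The script below is an added example, not the author's tooling or anything from the quoted piece; the roster, the grant list, the account names and the review date are constructed for illustration. It flags the three patterns the post describes: grants on accounts nobody in HR owns (the "Assistant" account), grants whose owner has left, and grants that predate the owner's current role.

```python
"""Added example: reconcile an entitlement export against the HR roster that
should govern it and flag privilege bloat.  All data below is constructed for
the example (hypothetical users, roles, privileges and dates)."""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Person:
    user: str
    role: str
    role_since: date                   # date of the most recent role change
    terminated: Optional[date] = None  # set once HR records a departure


@dataclass(frozen=True)
class Grant:
    user: str
    privilege: str
    granted: date


# Constructed sample HR roster (hypothetical).
ROSTER = [
    Person("alice", "finance-analyst", date(2006, 6, 1)),
    Person("bob", "network-engineer", date(2003, 4, 14), terminated=date(2006, 11, 30)),
    Person("carol", "payroll-clerk", date(2006, 9, 15)),
]

# Constructed sample entitlement export (hypothetical).
GRANTS = [
    Grant("alice", "erp-ap-read", date(2006, 6, 3)),
    Grant("alice", "helpdesk-admin", date(2004, 2, 10)),          # left over from an earlier role
    Grant("bob", "vpn", date(2005, 1, 1)),                        # owner has left
    Grant("assistant", "exec-calendar-edit", date(2002, 3, 1)),   # no person in HR owns this account
    Grant("carol", "payroll-write", date(2006, 9, 20)),
]

# Date the review is run; constructed to match the post's date.
REVIEW_DATE = date(2007, 1, 24)


def find_privilege_bloat(roster, grants, today):
    """Return (category, user, privilege, detail) tuples for grants that the
    HR record does not justify, in the order the grants were exported.

    orphan     - no roster entry owns the account (shared or position accounts)
    terminated - the owner's termination date is on or before today
    stale      - the grant predates the owner's current role, so it was issued
                 for a job the person no longer holds
    """
    people = {p.user: p for p in roster}
    findings = []
    for g in grants:
        owner = people.get(g.user)
        if owner is None:
            findings.append(("orphan", g.user, g.privilege,
                             "no HR record owns this account"))
        elif owner.terminated is not None and owner.terminated <= today:
            findings.append(("terminated", g.user, g.privilege,
                             f"owner left on {owner.terminated.isoformat()}"))
        elif g.granted < owner.role_since:
            findings.append(("stale", g.user, g.privilege,
                             f"granted before current role began on {owner.role_since.isoformat()}"))
    return findings


def summarize(findings):
    """Count findings per category so the backlog can be tracked review to review."""
    counts = {}
    for category, *_ in findings:
        counts[category] = counts.get(category, 0) + 1
    return counts


if __name__ == "__main__":
    found = find_privilege_bloat(ROSTER, GRANTS, REVIEW_DATE)
    for category, user, privilege, detail in found:
        print(f"{category:10} {user:10} {privilege:20} {detail}")
    print(summarize(found))
```

The "stale" rule is deliberately conservative: it only fires when a grant is older than the owner's current role, so a grant issued after a transfer is assumed to belong to the new job. Anything it flags still needs a human decision; the point is that the list of questions to ask is generated from two exports rather than from institutional memory.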

The Young Offender's Mum

It has to be an election year in Allenstown, New Hampshire:

Allenstown Police Chief Shaun Mulholland on Monday warned residents to beware of a "sexually dangerous" person who had moved into town. If Mulholland revealed the person's name, he would be violating federal law.

The vague warning has caused widespread fear throughout the small town of 5,000, as Mulholland has said he knew it would. But the chief has also said he felt the option of remaining silent was unacceptable.

"I had to weigh the risks of the fear that would be created with the fear that somebody would get hurt," Mulholland told the New Hampshire Union Leader earlier this week. "And I had to take that risk. If I did nothing and, God forbid, something happened to one of our residents, that would (be) intolerable."

This, of course, is fear-mongering plain and simple. Sex offender notices are regularly sent out in nearly every state. HIPAA is very clear when it comes to public safety disclosures.
In the same article, an official comments to the effect that this whole privacy thing may have gone too far. This, and a police levy, are most likely the real impetus behind this ridiculous piece of drivel.

Band Aid Covers the Bullet Hole

The post below is from a response to this piece on the ComputerWorld blogs:

When I see PCI or HIPAA programs, the motivating factor seems to be CYA tied to executive or market accountability. That is, if there is a breach, affected parties want to know that the organization took every reasonable precaution. That’s when compliance with specific sections of PCI or HIPAA comes in handy.

We are now on the threshold of more regulations. It is very clear that governments cannot mandate how organizations secure confidential information. The attacks and defense technologies just change too rapidly for any such regulations to be effective for long (like PCI requiring an IDS). New statutes for such things as data encryption or identity theft should use executive and market accountability as the enforcement hammers. Let the businesses adapt and innovate over time as threats and risks evolve. Anything else is doomed to be unproductive without improving security one iota.

CYA? Damn Skippy! What little HIPAA compliance I see is entirely the result of CYA; in fact, it is a large part of my consulting pitch. And while we have gone through a long period of lax or non-existent enforcement, the pendulum is clearly swinging back. Best we all be thinking about C'ing our A's.

Cut Hands Has The Solution

Hard to argue with this:

When I evaluate a "solution", I am thinking circles around the vendor because information security is a complicated, multi-layered beast. If a vendor came in, who was very well versed in the legislation, and in the security arena, and understood what their solution actually did as a part of the total solution, I would listen. So far, I've just not been that impressed and maybe that is why compliance vendors are wondering "how little market demand there is for HIPAA and PCI compliance solutions".

Compliance is a subset of security. And Michael's New Rule of Security is this: "It's A Strategy, Not Just A Policy." Or a piece of software.

Tuesday, January 09, 2007

It Wasn't Me

Oh sure. Now not only can you use HIPAA to excuse just about anything you can torture into congruence, you can torture HIPAA itself to prove that you are not actually responsible for any actual violation, and of course without enforcement, who is to say you are wrong? From the Wall Street Journal, via --

The Journal profiled attorney Patricia Galvin, who was denied disability benefits after her health insurer, UnumProvident, accessed notes from psychotherapy sessions at Stanford Hospital & Clinics. According to the Journal, UnumProvident said the notes indicated that Galvin was not "too injured to work" after she was involved in a car accident and applied for long-term disability leave. UnumProvident had asked Galvin to sign a broad release to access her basic medical records, which included some of the psychotherapist's notes about Galvin that Stanford had scanned into its computer records system. Galvin has filed a lawsuit against Stanford and UnumProvident for violating medical privacy laws, among other issues, under the federal Health Insurance Portability and Accountability Act. HIPAA includes added protection for mental health records, but Stanford in court papers said that "psychotherapy notes that are kept together with the patient's other medical records are not defined as 'psychotherapy' notes under HIPAA."

Live and Let Die

A chilling and sobering report from

Financial identity theft might wound your wallet, but medical identity theft can kill you.

Medical identity theft occurs when criminals obtain information such as a health insurance identification or Social Security number and use it to get health care or to obtain reimbursement from insurers and others for false claims. That means your medical history and health care records can include someone else's information. This can be life threatening: for example, causing a transfusion of the wrong blood type.

"People can die from this crime," says Pam Dixon, executive director of the World Privacy Forum, a privacy rights group. "It is a potentially huge issue. It's an incredibly intransigent problem and victims are finding that they have to sue health care providers to have their records corrected."

Pay attention: sloppy record handling does not just expose you to legal liability, it could cost someone their life.