Thursday, October 09, 2008

Blue Suit, Red Cape and Red Boots

No doubt about it, things are getting tighter. Even with the volume off, the TV has a streaming litany of financial woe in a never ending flow from left to right at the bottom of the screen. And you don't need Jim Cramer to remind you, your customers are letting you know, as well as your screaming bottom line


At the same time your work day and productivity is being strangled by more regulation, more rules and more requirements for security. Even beyond the regulatory considerations, you really do want your clients' data as safe as you can make it. It is part of the reason you got into this business, along with the Truth, Justice and American way stuff. But how to catch that speeding locomotive with all these chains around your ankles?


The first step is to develop the security mindset. Like so many other things, security is not a destination, it is a way of thinking. The same instincts and habits that make you rattle the back door after locking up can serve you with many information and data security issues as well. You are not locking the back door because you expect an intruder. You are prudently making it a little more difficult for the eventual intruder that someday will check your back door. Similarly, you are not protecting your data against a specific bad guy, but instead building an array of defenses so as to make your operation as unattractive to data and identity thieves as possible.


Make certain that your employees have a grasp of the basics and are incorporating them into the work day. Passwords should be routinely changed, and not written on post-it notes or shared. Callers who ask for information about internal systems should be clearly identified, or better yet referred to a designated person. That designated person should be the office go to person for all basic security questions, and well-briefed as to possible vulnerabilities and how an exploitation might present itself.


New and even more stringent regulations are on the way. How you keep your client's data safe is going to be a problem that rests on your shoulders. You can spend a fortune building new, secure systems, or you can temper that spending with better training and looking at alternate ways of handling your data, such as on-line hosting, where the back-end security is handled for you. This combination can be a cost-effective way of providing improved security without having to leap any tall buildings.

Friday, September 19, 2008

Tuesday, May 13, 2008

Ah, Sweet Mystery

Is your data secure? How do you know?

Here is yet another example of data exposed by carelessness and a simple error, and not noticed or reported for quite a long time.

From the San Francisco Chronicle:


Information on thousands of UCSF patients was accessible on the Internet for more than three months last year, a possible violation of federal privacy regulations that might have exposed the patients to medical identity theft, The Chronicle has learned.

The information accessible online included names and addresses of patients along with names of the departments where medical care was provided. Some patient medical record numbers and the names of the patients' physicians also were available online.

The breach was discovered Oct. 9, but the medical institution did not send out notification letters to the 6,313 affected patients until early April, nearly six months later.


Over 6000 patients' information exposed on the internet for over 3 months! The sad and sorry part is not that the persons effected weren't then notified when it was caught--- that part is simply crummy behavior, and as heinous as that is is out of our scope. The real issue is that learning that you are exposed is often times way too late. In this case it was a careless data-mining company, which should have been under a Business Associate's agreement under the HIPAA rules, and been monitored by the Hospital's compliance officer.

Doing a vanity search on Google and finding your own medical records must be quite a shock. Imagine having one of your customers find something like that... something like, say last year's quarterlies conveniently displayed for the world to peruse.

So is there a bullet-proof way of making certain that your stuff stays secure? Not really but there are a number of ways you can protect yourself. For big companies the options are legion, but for smaller companies one of the best is to consolidate your data so that access is generally made through a single source. Online hosting ensures that professional and vigilent care is taken of your data. Like the common cold, there is no cure for idiocy, but knowing that your information is in the hands of people who make it thier business to keep it safe, secure, and accessable to only the right people is priceless.

Friday, April 18, 2008

Baby One More Time

Britney Spears!Britney Spears!Britney Spears!Britney Spears!Britney Spears!Britney Spears!Britney Spears!Britney Spears!Britney Spears!Britney Spears!Britney Spears!Britney Spears!Britney Spears!Britney Spears!Britney Spears!Britney Spears!Britney Spears!Britney Spears!Britney Spears!Britney Spears!Britney Spears!Britney Spears!Britney Spears!Britney Spears!Britney Spears!Britney Spears!Britney Spears!Britney Spears!Britney Spears!Britney Spears!Britney Spears!Britney Spears!

Fire 'em all.

Really. I am sick of this, because if it happens to celebrities and they catch this many, it means that the rest of us are pretty close to being on public display.

String 'em up, it'll teach 'em a lesson.

Over and over

So many times, companies think of the audit process as a needed evil, something to endure then forget. No retailer would think that about inventory, but somehow we tend to think of our data as less valuable, perhaps because it is intangible. It isn't--- your data is your business. Here is what Brian Cote in SC magazine has to say:

Businesses need to consider data security as a whole, not merely as part of the audit process. This approach not only helps reduce the overall length of the audit process, it eliminates unnecessary vulnerability in the organization—providing a far greater reward than merely passing the audit. After all, if an organization suffers an exploit of security vulnerability, they'll face a far more costly and disruptive scenario than any compliance audit could cause. Without having a holistic approach to data security, organizations are doomed to reinvent the wheel.


An unchecked and unmonitored sytem is a vulnerable one. Regular reviews, tests and audits help keep the safeguards you have in place effective.

Monday, March 10, 2008

My Way

I wanted to say something about Google Health.
I have been watching for some time the various schemes to centralize healthcare records, from Hillary Clinton and Bill Frist's unlikely alliance a couple of years ago to Washington State's efforts (my wife is on the Governor's HISPC Advisory Board, so I have gotten to watch some of the sausage-making close up) and in general I think that it is not only a good idea in theory but that there is a certain practical inevitablity to it.
Still, when prominent health organizations start considering placing PHI in the hands of the world's largest search engine company, I am a little less enthusiastic. For starters there is no accountibilty at this point. Google is certainly not a covered entity and for all of their massive and admirable ability to keep, sort and provide information to millions of users across the globe they, like any other company who does business internationally are susceptable to the whims of the governments of the countries where they do business.
Is my PHI a matter of national security? Of course not, and mine is especially boring; I have enjoyed good health for decades and have suffered from none of the things that might be of concern to anyone. But different countries have different privacy standards, different countries have different legal systems, and I have at least the expectation of privacy, as flimsy as that might be.
As far as I am concerned, the song goes like this: "Not covered by HIPAA? Then you don't get my PHI." Period.

Time After Time

Its about time:

OKLAHOMA CITY (AP) - Federal prosecutors have accused an Oklahoma City woman of violating a federal health privacy law as part of an identity theft scheme.

An indictment alleges Leslie A. Howell violated the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

U.S. Attorney for the Western District of Oklahoma spokesman Bob Troester says the Feb. 15 indictment was the first in the district for violating HIPAA.


First in the district? More like nearly the first in the country! Is this part of a new pattern, or just another case of an acorn dropping into the sleeping sow's mouth?

It Wasn't Me

Oh, please...

When Team 4 got certain records, the HIPAA enforcement office was supposed to block out the names of all patients who filed the complaints. But when Team 4's Paul Van Osdol examined the records, he found nine cases where patient names were disclosed. So, it appears the people in charge of enforcing the medical privacy law failed to follow their own rules.

Teresa Dimichelle is one of those patients whose names were disclosed. She agreed to talk about it.

Van Osdol: "The fact that the government failed to protect you, the same government agency that enforces HIPAA laws, what does that tell you?"

Dimichelle: "That it's all a joke to them. It was about my health care and the way I was being treated. I didn't think it needed go to whoever, Joe Schmoe down the street."

"That's alarming, and you should be commended for doing that request and uncovering that, because that's something we definitely need to address," said Altmire.

A spokesman for the Department of Health and Human Services said its disclosure of patient names is not a violation of HIPAA. That's because the government agency is not covered by the HIPAA law.


No, not a violation of HIPAA, just a violation of at least one other privacy law, and common sense, common decency, and especially the public's ability to swallow the lame excuse.

Tuesday, February 12, 2008

Secret Love

I have been beating this drum for a long time, about how important it is to make every part of your security and compliance plan workable not just for us geeks, but for every user. Here is another thought about classifying information that has occured to me, but I haven't gotten around to writing about. Now I don't have to:

Chief information officers need to take a leading role in setting up formal information classification schemes to stop them over-engineering them to comply with security regulations, according to a report from the Information Security Forum (ISF).

The ISFsaid that information classification systems were overly complex. "As a result they rarely deliver business benefits and are often simply ignored," it said.


Now me and all my geeky friends just love us some multi-layered processes and classification schemes that look like flow-charts of Merovingian Dynasties, but you know, most people don't. Stange as it may seem, most folks just want to do their jobs, and if you make it too difficult for them, they will bypass your marvelous system, or in the case of data classification, underclassify it to avoid hassling with additional layers of crap. Make it easier for them to do the right thing, will ya?

Secret Meetings

Outsourced Enforcement? We have seen how well outsourcing has worked with things like disaster relief, so why not take a whack at compliance?

But I know how much a good PWC auditor costs, and I know how much the average civil service auditor makes. I guarantee the latter costs less, unless PWC itself is outsourcing this work to India or someplace.

And would it be too much to ask for the public, or at least the industry, to get a gander at that contract? On what basis is PWC being paid? What is their incentive? Is it a fixed price per audit, is it hourly, or is it based on the fines they collect?

The folks at iHealthBeat have another concern. What if PWC has to audit one of its own clients? The government says the company will recuse themselves. Does that mean the audit is then off? Better call PWC, then.


I don't always agree with Dana Blankenhorn, but in this case he is spot on. This raises far too many questions, and simply cannot be cost-efficient.

Thursday, January 10, 2008

Hot Rod Lincoln

Passed along without comment:

Mayo Clinic announced Friday that Hansen was no longer practicing at the clinic but would not say whether he resigned or was fired.

Hansen acknowledged to Mayo administrators that he snapped the picture of Sean Dubowik's penis, which is tattooed with the words "Hot Rod," Mayo said.

The picture was taken Dec. 11 when Hansen catheterized Dubowik before gallbladder surgery.

After Hansen told him of the picture, Dubowik, 37, said he "felt betrayed, violated and disgusted."

Every Girl's Crazy 'Bout a Sharp-Dressed Man

More Golden Hippo goodness! HIPAA, the only act in the history of the US to cover every public official posterior everywhere!

The American Civil Liberties Union of Middle Tennessee (ACLU-TN) should soon receive the information it has requested to monitor Metro Nashville Public Schools’ standard school attire policy, according to an attorney with the Metro legal department.

The information request was received by Metro Nashville Public Schools Oct. 15, and ACLU-TN requested a response within 30 days. Metro legal responded on Thursday of last week. Mary Johnston, the Metro legal department attorney heading up the legal side of the response, said the information should be ready for ACLU-TN by next week.

“We are now awaiting the [information], so all is fine,” said ACLU-TN Executive Director Hedy Weinberg in an e-mail interview.

Metro Schools spokesperson Woody McMillin said fulfilling school-related public information requests can be time-consuming, given legal restrictions including the Family Educational Rights and Privacy Act (FERPA) and Health Insurance Portability and Accountability Act (HIPAA) that add time to public information requests.


So now even dress code compliance records are considered PHI! Whatta rule!

Gone Fishin'

While you are carefully guarding the front gates, don't forget you have an enemy who will cheerfully come in through the trash chute:
As long as enterprises rely on ad hoc solutions for disposing of retired IT assets, systems are going to end up in closets and warehouses wasting space until someone decides to get rid of them, often in a dumpster. To ensure proper management of old technology, enterprises must work with established IT asset recovery providers that handle the end-to-end process – reverse logistics, software asset inventory analysis and reporting, thorough data destruction, device refurbishment and resale, and finally, recycling.

We like a bulk erase and five holes through old hard drives. Tapes, paper, and floppies should be shredded. You know the drill :)