Perimeter

11/19/2012
09:45 AM
50%
50%

Take Two Aspirin And Steal My Data

HIPAA and information security aren't suggestions. They're the law

When I am in a doctor's office, either as a patient or along with a family member, I can't help but think about HIPAA compliance and information security. It's my chance to be a secret shopper or -- in this case, a covert observer of the operating environment of another organization.

Naturally, I've signed my share of HIPAA-related patient forms. What surprises me is how much other blatant behavior I see that is not HIPAA-compliant. OK, surprise is not the right word, as I now sadly expect to see these problems. Let's say I'm continually amazed.

Anyway, signing a long-winded legal document does not let the organization off the hook for being sloppy with my patient data, or yours. I've heard receptionists call across a crowded waiting room, "John Smith, what is your Social Security number?" How many, I wonder, made some identity thief's day?

I've seen patient sign-in sheets that requested full name, Social Security number, date of birth, insurance provider, and phone number. Wow, long before that sheet is filled it's a treasure trove for an identity criminal and as easy to steal as a candy bar. Even easier, an identity thief can take a picture of that sign-in sheet with a smartphone camera, so the staff won't even know the patient data is stolen.

I've left exam rooms to go to the restroom and along the way have seen medical charts placed outside exam rooms so carelessly that I could read confidential information about the patients simply by walking past slowly enough. With no special effort, I've heard detailed discussions from adjacent examination rooms, including information the patient assumed was private and, by both ethical and legal standards, should have been.

I've seen closets turned into computer server rooms, but with the door left wide open to keep the computers from overheating. And I've seen staff casually fax detailed medical and financial records that might be going to a secure fax device, but might be landing in exactly the wrong hands.

When I've seen medical practices with obvious compliance and security issues, it has been clear to me that the management involved believes HIPAA is only a suggestion they can ignore, not a law they must follow.

Now, I get that regulations can be a pain. I even agree that many regulations cost businesses a great deal of time and money and don't have a lot to show for it. I will even go so far as to say that we've become oversensitive as a society to every little opportunity for a mistake. Life happens, and you can't legislate or regulate away every risk.

At the same time, I've personally encountered plenty of clear examples as to why many organizations need regulations to guide them and hold them accountable. Poor business practices, poor management, faulty business processes, and outdated habits are not good reasons for noncompliance. Just because it is inconvenient to break years of bad business habits does not make it permissible.

While it might seem I'm picking on doctors I know, medical practices certainly don't comprise the largest group of businesses with a casual or sloppy approach to compliance and data security. Doctors happen to be easy to observe; most organizations appear more compliant because their employees' behavior is relatively hidden, not only from the public, but also even from their own management.

Obvious reminders can help us remember to focus on less obvious issues. And observing the compliance and security efforts of other organizations is a great way to practice observing your own operations. Take that same scrutiny back to your own organization, and you'll be amazed what your diagnosis will be.

Glenn S. Phillips, like you, knows bad habits present difficult challenges. He is the president of Forte' Incorporated where he works with business leaders who want to leverage technology and understand the often hidden risks within. Glenn is the author of the book Nerd-to-English and you can find him on twitter at @NerdToEnglish. Glenn works with business leaders who want to leverage technology and understand the often hidden risks awaiting them. The Founder and Sr. Consultant of Forte' Incorporated, Glenn and his team work with business leaders to support growth, increase profits, and address ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Higher Education: 15 Books to Help Cybersecurity Pros Be Better
Curtis Franklin Jr., Senior Editor at Dark Reading,  12/12/2018
Worst Password Blunders of 2018 Hit Organizations East and West
Curtis Franklin Jr., Senior Editor at Dark Reading,  12/12/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
10 Best Practices That Could Reshape Your IT Security Department
This Dark Reading Tech Digest, explores ten best practices that could reshape IT security departments.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-20161
PUBLISHED: 2018-12-15
A design flaw in the BlinkForHome (aka Blink For Home) Sync Module 2.10.4 and earlier allows attackers to disable cameras via Wi-Fi, because incident clips (triggered by the motion sensor) are not saved if the attacker's traffic (such as Dot11Deauth) successfully disconnects the Sync Module from the...
CVE-2018-20159
PUBLISHED: 2018-12-15
i-doit open 1.11.2 allows Remote Code Execution because ZIP archives are mishandled. It has an upload feature that allows an authenticated user with the administrator role to upload arbitrary files to the main website directory. Exploitation involves uploading a ".php" file within a "...
CVE-2018-20157
PUBLISHED: 2018-12-15
The data import functionality in OpenRefine through 3.1 allows an XML External Entity (XXE) attack through a crafted (zip) file, allowing attackers to read arbitrary files.
CVE-2018-20154
PUBLISHED: 2018-12-14
The WP Maintenance Mode plugin before 2.0.7 for WordPress allows remote authenticated users to discover all subscriber e-mail addresses.
CVE-2018-20155
PUBLISHED: 2018-12-14
The WP Maintenance Mode plugin before 2.0.7 for WordPress allows remote authenticated subscriber users to bypass intended access restrictions on changes to plugin settings.