Perimeter
11/19/2012
09:45 AM
Connect Directly
RSS
E-Mail
50%
50%

Take Two Aspirin And Steal My Data

HIPAA and information security aren't suggestions. They're the law

When I am in a doctor's office, either as a patient or along with a family member, I can't help but think about HIPAA compliance and information security. It's my chance to be a secret shopper or -- in this case, a covert observer of the operating environment of another organization.

Naturally, I've signed my share of HIPAA-related patient forms. What surprises me is how much other blatant behavior I see that is not HIPAA-compliant. OK, surprise is not the right word, as I now sadly expect to see these problems. Let's say I'm continually amazed.

Anyway, signing a long-winded legal document does not let the organization off the hook for being sloppy with my patient data, or yours. I've heard receptionists call across a crowded waiting room, "John Smith, what is your Social Security number?" How many, I wonder, made some identity thief's day?

I've seen patient sign-in sheets that requested full name, Social Security number, date of birth, insurance provider, and phone number. Wow, long before that sheet is filled it's a treasure trove for an identity criminal and as easy to steal as a candy bar. Even easier, an identity thief can take a picture of that sign-in sheet with a smartphone camera, so the staff won't even know the patient data is stolen.

I've left exam rooms to go to the restroom and along the way have seen medical charts placed outside exam rooms so carelessly that I could read confidential information about the patients simply by walking past slowly enough. With no special effort, I've heard detailed discussions from adjacent examination rooms, including information the patient assumed was private and, by both ethical and legal standards, should have been.

I've seen closets turned into computer server rooms, but with the door left wide open to keep the computers from overheating. And I've seen staff casually fax detailed medical and financial records that might be going to a secure fax device, but might be landing in exactly the wrong hands.

When I've seen medical practices with obvious compliance and security issues, it has been clear to me that the management involved believes HIPAA is only a suggestion they can ignore, not a law they must follow.

Now, I get that regulations can be a pain. I even agree that many regulations cost businesses a great deal of time and money and don't have a lot to show for it. I will even go so far as to say that we've become oversensitive as a society to every little opportunity for a mistake. Life happens, and you can't legislate or regulate away every risk.

At the same time, I've personally encountered plenty of clear examples as to why many organizations need regulations to guide them and hold them accountable. Poor business practices, poor management, faulty business processes, and outdated habits are not good reasons for noncompliance. Just because it is inconvenient to break years of bad business habits does not make it permissible.

While it might seem I'm picking on doctors I know, medical practices certainly don't comprise the largest group of businesses with a casual or sloppy approach to compliance and data security. Doctors happen to be easy to observe; most organizations appear more compliant because their employees' behavior is relatively hidden, not only from the public, but also even from their own management.

Obvious reminders can help us remember to focus on less obvious issues. And observing the compliance and security efforts of other organizations is a great way to practice observing your own operations. Take that same scrutiny back to your own organization, and you'll be amazed what your diagnosis will be.

Glenn S. Phillips, like you, knows bad habits present difficult challenges. He is the president of Forte' Incorporated where he works with business leaders who want to leverage technology and understand the often hidden risks within. Glenn is the author of the book Nerd-to-English and you can find him on twitter at @NerdToEnglish. Glenn works with business leaders who want to leverage technology and understand the often hidden risks awaiting them. The Founder and Sr. Consultant of Forte' Incorporated, Glenn and his team work with business leaders to support growth, increase profits, and address ... View Full Bio

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading, September 16, 2014
Malicious software is morphing to be more targeted, stealthy, and destructive. Are you prepared to stop it?
Flash Poll
Title Partner’s Role in Perimeter Security
Title Partner’s Role in Perimeter Security
Considering how prevalent third-party attacks are, we need to ask hard questions about how partners and suppliers are safeguarding systems and data.
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2012-5700
Published: 2014-09-22
Multiple cross-site scripting (XSS) vulnerabilities in Baby Gekko before 1.2.2f allow remote attackers to inject arbitrary web script or HTML via the (1) id parameter to admin/index.php or the (2) username or (3) password parameter in blocks/loginbox/loginbox.template.php to index.php. NOTE: some o...

CVE-2014-0484
Published: 2014-09-22
The Debian acpi-support package before 0.140-5+deb7u3 allows local users to gain privileges via vectors related to the "user's environment."

CVE-2014-2942
Published: 2014-09-22
Cobham Aviator 700D and 700E satellite terminals use an improper algorithm for PIN codes, which makes it easier for attackers to obtain a privileged terminal session by calculating the superuser code, and then leveraging physical access or terminal access to enter this code.

CVE-2014-3595
Published: 2014-09-22
Cross-site scripting (XSS) vulnerability in spacewalk-java 1.2.39, 1.7.54, and 2.0.2 in Spacewalk and Red Hat Network (RHN) Satellite 5.4 through 5.6 allows remote attackers to inject arbitrary web script or HTML via a crafted request that is not properly handled when logging.

CVE-2014-3635
Published: 2014-09-22
Off-by-one error in D-Bus 1.3.0 through 1.6.x before 1.6.24 and 1.8.x before 1.8.8, when running on a 64-bit system and the max_message_unix_fds limit is set to an odd number, allows remote attackers to cause a denial of service (dbus-daemon crash) or possibly execute arbitrary code by sending one m...

Best of the Web
Dark Reading Radio