Perimeter
11/19/2012
09:45 AM
50%
50%

Take Two Aspirin And Steal My Data

HIPAA and information security aren't suggestions. They're the law

When I am in a doctor's office, either as a patient or along with a family member, I can't help but think about HIPAA compliance and information security. It's my chance to be a secret shopper or -- in this case, a covert observer of the operating environment of another organization.

Naturally, I've signed my share of HIPAA-related patient forms. What surprises me is how much other blatant behavior I see that is not HIPAA-compliant. OK, surprise is not the right word, as I now sadly expect to see these problems. Let's say I'm continually amazed.

Anyway, signing a long-winded legal document does not let the organization off the hook for being sloppy with my patient data, or yours. I've heard receptionists call across a crowded waiting room, "John Smith, what is your Social Security number?" How many, I wonder, made some identity thief's day?

I've seen patient sign-in sheets that requested full name, Social Security number, date of birth, insurance provider, and phone number. Wow, long before that sheet is filled it's a treasure trove for an identity criminal and as easy to steal as a candy bar. Even easier, an identity thief can take a picture of that sign-in sheet with a smartphone camera, so the staff won't even know the patient data is stolen.

I've left exam rooms to go to the restroom and along the way have seen medical charts placed outside exam rooms so carelessly that I could read confidential information about the patients simply by walking past slowly enough. With no special effort, I've heard detailed discussions from adjacent examination rooms, including information the patient assumed was private and, by both ethical and legal standards, should have been.

I've seen closets turned into computer server rooms, but with the door left wide open to keep the computers from overheating. And I've seen staff casually fax detailed medical and financial records that might be going to a secure fax device, but might be landing in exactly the wrong hands.

When I've seen medical practices with obvious compliance and security issues, it has been clear to me that the management involved believes HIPAA is only a suggestion they can ignore, not a law they must follow.

Now, I get that regulations can be a pain. I even agree that many regulations cost businesses a great deal of time and money and don't have a lot to show for it. I will even go so far as to say that we've become oversensitive as a society to every little opportunity for a mistake. Life happens, and you can't legislate or regulate away every risk.

At the same time, I've personally encountered plenty of clear examples as to why many organizations need regulations to guide them and hold them accountable. Poor business practices, poor management, faulty business processes, and outdated habits are not good reasons for noncompliance. Just because it is inconvenient to break years of bad business habits does not make it permissible.

While it might seem I'm picking on doctors I know, medical practices certainly don't comprise the largest group of businesses with a casual or sloppy approach to compliance and data security. Doctors happen to be easy to observe; most organizations appear more compliant because their employees' behavior is relatively hidden, not only from the public, but also even from their own management.

Obvious reminders can help us remember to focus on less obvious issues. And observing the compliance and security efforts of other organizations is a great way to practice observing your own operations. Take that same scrutiny back to your own organization, and you'll be amazed what your diagnosis will be.

Glenn S. Phillips, like you, knows bad habits present difficult challenges. He is the president of Forte' Incorporated where he works with business leaders who want to leverage technology and understand the often hidden risks within. Glenn is the author of the book Nerd-to-English and you can find him on twitter at @NerdToEnglish. Glenn works with business leaders who want to leverage technology and understand the often hidden risks awaiting them. The Founder and Sr. Consultant of Forte' Incorporated, Glenn and his team work with business leaders to support growth, increase profits, and address ... View Full Bio

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Title Partner’s Role in Perimeter Security
Title Partner’s Role in Perimeter Security
Considering how prevalent third-party attacks are, we need to ask hard questions about how partners and suppliers are safeguarding systems and data.
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-8891
Published: 2015-03-06
Unspecified vulnerability in the Java Virtual Machine (JVM) in IBM SDK, Java Technology Edition 5.0 before SR16-FP9, 6 before SR16-FP3, 6R1 before SR8-FP3, 7 before SR8-FP10, and 7R1 before SR2-FP10 allows remote attackers to escape the Java sandbox and execute arbitrary code via unspecified vectors...

CVE-2014-8892
Published: 2015-03-06
Unspecified vulnerability in the Java Virtual Machine (JVM) in IBM SDK, Java Technology Edition 5.0 before SR16-FP9, 6 before SR16-FP3, 6R1 before SR8-FP3, 7 before SR8-FP10, and 7R1 before SR2-FP10 allows remote attackers to bypass intended access permissions and obtain sensitive information via un...

CVE-2015-1170
Published: 2015-03-06
The NVIDIA Display Driver R304 before 309.08, R340 before 341.44, R343 before 345.20, and R346 before 347.52 does not properly validate local client impersonation levels when performing a "kernel administrator check," which allows local users to gain administrator privileges via unspecified API call...

CVE-2015-1637
Published: 2015-03-06
Schannel (aka Secure Channel) in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 does not properly restrict TLS state transitions, which makes it easier for r...

CVE-2014-2130
Published: 2015-03-05
Cisco Secure Access Control Server (ACS) provides an unintentional administration web interface based on Apache Tomcat, which allows remote authenticated users to modify application files and configuration files, and consequently execute arbitrary code, by leveraging administrative privileges, aka B...

Dark Reading Radio
Archived Dark Reading Radio
How can security professionals better engage with their peers, both in person and online? In this Dark Reading Radio show, we will talk to leaders at some of the security industry’s professional organizations about how security pros can get more involved – with their colleagues in the same industry, with their peers in other industries, and with the IT security community as a whole.