Perimeter
11/19/2012
09:45 AM
Connect Directly
RSS
E-Mail
50%
50%

Take Two Aspirin And Steal My Data

HIPAA and information security aren't suggestions. They're the law

When I am in a doctor's office, either as a patient or along with a family member, I can't help but think about HIPAA compliance and information security. It's my chance to be a secret shopper or -- in this case, a covert observer of the operating environment of another organization.

Naturally, I've signed my share of HIPAA-related patient forms. What surprises me is how much other blatant behavior I see that is not HIPAA-compliant. OK, surprise is not the right word, as I now sadly expect to see these problems. Let's say I'm continually amazed.

Anyway, signing a long-winded legal document does not let the organization off the hook for being sloppy with my patient data, or yours. I've heard receptionists call across a crowded waiting room, "John Smith, what is your Social Security number?" How many, I wonder, made some identity thief's day?

I've seen patient sign-in sheets that requested full name, Social Security number, date of birth, insurance provider, and phone number. Wow, long before that sheet is filled it's a treasure trove for an identity criminal and as easy to steal as a candy bar. Even easier, an identity thief can take a picture of that sign-in sheet with a smartphone camera, so the staff won't even know the patient data is stolen.

I've left exam rooms to go to the restroom and along the way have seen medical charts placed outside exam rooms so carelessly that I could read confidential information about the patients simply by walking past slowly enough. With no special effort, I've heard detailed discussions from adjacent examination rooms, including information the patient assumed was private and, by both ethical and legal standards, should have been.

I've seen closets turned into computer server rooms, but with the door left wide open to keep the computers from overheating. And I've seen staff casually fax detailed medical and financial records that might be going to a secure fax device, but might be landing in exactly the wrong hands.

When I've seen medical practices with obvious compliance and security issues, it has been clear to me that the management involved believes HIPAA is only a suggestion they can ignore, not a law they must follow.

Now, I get that regulations can be a pain. I even agree that many regulations cost businesses a great deal of time and money and don't have a lot to show for it. I will even go so far as to say that we've become oversensitive as a society to every little opportunity for a mistake. Life happens, and you can't legislate or regulate away every risk.

At the same time, I've personally encountered plenty of clear examples as to why many organizations need regulations to guide them and hold them accountable. Poor business practices, poor management, faulty business processes, and outdated habits are not good reasons for noncompliance. Just because it is inconvenient to break years of bad business habits does not make it permissible.

While it might seem I'm picking on doctors I know, medical practices certainly don't comprise the largest group of businesses with a casual or sloppy approach to compliance and data security. Doctors happen to be easy to observe; most organizations appear more compliant because their employees' behavior is relatively hidden, not only from the public, but also even from their own management.

Obvious reminders can help us remember to focus on less obvious issues. And observing the compliance and security efforts of other organizations is a great way to practice observing your own operations. Take that same scrutiny back to your own organization, and you'll be amazed what your diagnosis will be.

Glenn S. Phillips, like you, knows bad habits present difficult challenges. He is the president of Forte' Incorporated where he works with business leaders who want to leverage technology and understand the often hidden risks within. Glenn is the author of the book Nerd-to-English and you can find him on twitter at @NerdToEnglish. Glenn works with business leaders who want to leverage technology and understand the often hidden risks awaiting them. The Founder and Sr. Consultant of Forte' Incorporated, Glenn and his team work with business leaders to support growth, increase profits, and address ... View Full Bio

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-0972
Published: 2014-08-01
The kgsl graphics driver for the Linux kernel 3.x, as used in Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, does not properly prevent write access to IOMMU context registers, which allows local users to select a custom page table, and consequently write ...

CVE-2014-2627
Published: 2014-08-01
Unspecified vulnerability in HP NonStop NetBatch G06.14 through G06.32.01, H06 through H06.28, and J06 through J06.17.01 allows remote authenticated users to gain privileges for NetBatch job execution via unknown vectors.

CVE-2014-3009
Published: 2014-08-01
The GDS component in IBM InfoSphere Master Data Management - Collaborative Edition 10.0 through 11.0 and InfoSphere Master Data Management Server for Product Information Management 9.0 and 9.1 does not properly handle FRAME elements, which makes it easier for remote authenticated users to conduct ph...

CVE-2014-3302
Published: 2014-08-01
user.php in Cisco WebEx Meetings Server 1.5(.1.131) and earlier does not properly implement the token timer for authenticated encryption, which allows remote attackers to obtain sensitive information via a crafted URL, aka Bug ID CSCuj81708.

CVE-2014-3534
Published: 2014-08-01
arch/s390/kernel/ptrace.c in the Linux kernel before 3.15.8 on the s390 platform does not properly restrict address-space control operations in PTRACE_POKEUSR_AREA requests, which allows local users to obtain read and write access to kernel memory locations, and consequently gain privileges, via a c...

Best of the Web
Dark Reading Radio