Description:
Security and Your Users
Top 5 user pitfalls and how to avoid them
Goals
Security is never a popular topic with users.
The goal is to make data secure without burdening staff with stuff that interferes with business processes.
It's not just about HIPAA!
"We should treat personal electronic data with the same care and respect as weapons-grade plutonium -- it is dangerous, long-lasting and once it has leaked there's no getting it back." -- Cory Doctorow
FBI study…
50% of security incidents are caused by insiders.
These are people that you trusted enough to hire. Or manage.
Security: Top 5 user pitfalls and how to react to them
Users are curious and gossip.
Users don't take data security seriously.
Passwords are a pain.
Adding and deleting users must be taken seriously.
Don't neglect physical security. (So much hardware, so easy to walk.)
This is my opinion, in more or less random order; no scientific process has been used.
Users are curious and they gossip
They want to know what is happening around them.
Celebrities do show up, local or otherwise.
There are always friends and neighbors or ex's.
For example: George Clooney
NEW YORK (CNN) -- More than two dozen employees at Palisades Medical Center have been suspended after accessing the personal medical records of actor George Clooney, who was taken to the North Bergen, N.J., hospital last month after a motorcycle accident.
http://www.cnn.com/2007/SHOWBIZ/10/10/clooney.records/index.html
And of course, Britney:
UCLA Medical Center is taking steps to fire at least 13 employees and has suspended at least six others for snooping in the confidential medical records of pop star Britney Spears during her recent hospitalization in its psychiatric unit, a person familiar with the matter said Friday. In addition, six physicians face discipline for peeking at her computerized records, the person said.
http://www.latimes.com/news/local/la-me-britney15mar15,0,1421107.story
MLO Online, 12/13/07
Privacy a problem Down Under
Celebrity patients in New Zealand may be lodging complaints with the country's Privacy Commissioner since several health workers were found snooping through the private medical records of patients, including those of several celebrities. One health worker was dismissed and up to 20 others disciplined, including doctors, nurses, and other clinicians. The staff members have been using what was referred to as a "revolutionary" electronic records system to access information, which includes patients' medical notes, X-ray results, and laboratory-test results and community lab tests.
These breaches were picked up in seconds by electronic audits, which were run regularly after celebrities had stayed in the hospital to see who had accessed their records. Random audits were also run on individual staff to check their use of the system. Staff have been warned since the incident that looking up patients under their care, including neighbors, friends, relatives, their own children, or themselves, is not acceptable. One healthcare official said that although the EMR system had the potential to allow more access, it also allows for access to be traced better than the old paper records system.
Users check:
their own records
family's records
neighbor's records
friend's records
ex's records (this gets to be a legal problem)
and so on…
More frequently…
Prevention…
Remind users periodically that there is a proper procedure to follow to get access to records.
Make that procedure reasonably painless.
But follow state law.
Deny access when access is not appropriate.
Audit accesses and follow up.
Public flogging might be useful but probably is not constitutional…
Curiosity is good, snooping BAD
Random audits find random problems.
They are hard to do accurately.
They are virtually impossible to do without software to manage documentation and provide queries.
Targeted audits are good when someone tells us about a problem or when celebrities show up.
Just knowing that you do audit cuts down on violations.
This gets tricky when:
Last names are not the same, especially with ex's.
The organization gets big enough that no one knows everybody.
Neighbors live around the corner, so street names are not a tip-off.
Do we load Google Maps into the user audits? (Thanks to John Sharpe for that idea.)
Automation is the only way to go.
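The three kinds of audit just described (a targeted pass over a flagged patient's chart, a self/relative lookup check, and a random sample for manual review) as an added example; this is not code from the presentation or from any EMR product. The access log, staff directory and patient list are constructed, and the same-last-name rule is the simple heuristic the slide says gets tricky.

```python
"""Added example: an access-audit pass over constructed EMR audit-trail
records. Targeted audit = anyone outside the care team who opened a
flagged (VIP) chart; self/relative check = user's own chart or a chart
sharing the user's last name; random audit = a reproducible sample."""
import random
from collections import namedtuple

Access = namedtuple("Access", "user patient_id ts")
Patient = namedtuple("Patient", "pid last_name care_team")
Staff = namedtuple("Staff", "user last_name own_pid")

# Constructed sample data; every identifier here is hypothetical.
PATIENTS = {
    "P100": Patient("P100", "Clooney", {"nurse1", "doc1"}),
    "P200": Patient("P200", "Smith", {"nurse1"}),
    "P300": Patient("P300", "Jones", {"nurse2", "doc1"}),
}
STAFF = {
    "nurse1": Staff("nurse1", "Ramos", None),
    "nurse2": Staff("nurse2", "Smith", "P300"),   # this employee is also patient P300
    "doc1": Staff("doc1", "Lee", None),
    "clerk1": Staff("clerk1", "Nguyen", None),
}
FLAGGED = {"P100"}   # VIP list that triggers a targeted audit
ACCESSES = [
    Access("nurse1", "P100", "2007-10-01T08:00"),   # on care team: fine
    Access("clerk1", "P100", "2007-10-01T09:12"),   # not on care team: flag
    Access("nurse2", "P300", "2007-10-02T14:30"),   # looking at own chart
    Access("nurse2", "P200", "2007-10-02T14:31"),   # same last name, not on care team
    Access("doc1", "P300", "2007-10-03T07:45"),     # on care team: fine
]

def targeted_audit(accesses, flagged=FLAGGED):
    """Every access to a flagged patient by someone outside the care team."""
    return [a for a in accesses
            if a.patient_id in flagged
            and a.user not in PATIENTS[a.patient_id].care_team]

def self_and_relative_lookups(accesses):
    """Accesses to the user's own chart, or to a chart sharing the user's
    last name when the user is not on that patient's care team."""
    hits = []
    for a in accesses:
        s, p = STAFF[a.user], PATIENTS[a.patient_id]
        if p.pid == s.own_pid:
            hits.append((a, "self"))
        elif p.last_name == s.last_name and a.user not in p.care_team:
            hits.append((a, "same last name"))
    return hits

def random_sample(accesses, n, seed=1):
    """Random audit: a reproducible sample of accesses for manual review."""
    return random.Random(seed).sample(accesses, n)
```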
How do you fix human nature?
Short answer: you don't.
Longer answer:
Audit periodically, frequently, or when asked to.
Tell your staff that you audit.
Act on the audit and discipline when a problem is found.
Automate the process as much as possible.
In summary…
Anyone you hire should be reasonably teachable.
Make your expectations known at orientation.
Follow up periodically.
MOST will meet expectations.
Get rid of those who don't…
Users don't take data security seriously
Most work sites, nursing units, and such are like swamps with alligators.
You know what your highest priority is, and it is NOT data security.
Users ignore security policies.
Security Policies Often Go Unheeded (December 6, 2007)
A survey of nearly 900 IT security professionals conducted by the Ponemon Institute found that many workers do not abide by established security policies, either because they are unaware of the policies or because they find them inconvenient. More than half of respondents admitted to having copied confidential company data onto USB drives although 87 percent said they knew the practice violated company policy. Nearly half of respondents said they share passwords with colleagues; two-thirds said sharing passwords violates policy at their organizations. One-third of respondents said they had sent work documents as attachments; almost half of respondents were unsure whether doing so violated their companies' policies. Sixty percent of respondents said their companies had no formal policy that prohibits installation of personal software on work machines. Almost half said they had downloaded software, including P2P programs, onto company computers.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9051483&source=rss_topic17
Even IS contractors don't think securely…
--Stolen Laptop Holds Patient Data; Contractor Violated Policy (December 10, 2007)
Approximately 45,000 patients who were treated at Sutter Lakeside Hospital in Lakeport, California have been notified by letter that their personal information has been compromised. The data were being transferred from one secure system to another during an equipment upgrade; a contractor violated hospital policy by downloading the data to a laptop computer that was later stolen. The hospital has terminated its relationship with the contractor, who had been hired for a special IT project. The compromised data include names, addresses, dates of birth, Social Security numbers (SSNs), and in some cases billing and diagnosis information.
http://www.record-bee.com/local/ci_7687954
Why wasn't the laptop encrypted???
Lost Flash Drive
http://wcco.com/local/doctor.patient.information.2.642107.html
A provider had a flash drive with over 3000 patient histories on it.
Policy said it should be encrypted. It was not.
It got lost…
This was a fertility clinic; need I say more?
Backups…
We all agree that our systems need some sort of backup.
What happens when we apply that to our personal hard drives and home-based systems?
How many of us have our systems fully backed up in case they fail?
From SANS NewsBites, 12/7/07
Backups are really important:
"People keep telling me backups on laptops, backups on the local drive are the user's responsibility. However, in all my days, I haven't yet met a responsible user, so I don't see making it the users' responsibility makes sense."
This was sent from someone's e-mail because they walked away still logged in…
Be sure you log out, or things like this may happen to you. I received this; I did not actually send it!
Panic post to HIPAAlive
An office manager got this message: "Apparently one of your employees went on to a P2P music file sharing site and accidentally published the My Documents folder. You will want to locate the computer in question and have the P2P program removed."
I heard about this vulnerability months ago on WTMJ radio, with the news guy calling people whose SSN was viewable online.
Not exactly a security geek thing…
So, what do you do about it?
I don't have a good answer.
Training, but balance too little vs. too much.
Remember the boy who cried wolf.
You do want people to pay attention.
Reminders
Be careful about frequency (see above).
Nothing gets attention better than a nearby horror story…
What to do…
Remind users about security when they log in; expect that most will tune you out.
Be sure you have policies about system use written clearly and easily available, even if no one actually reads them.
There is no reason for P2P file sharing in our workplaces. Enforce that!
Do security rounds and point out problems that you see.
Be sure that security policies are practical and enforceable.
Passwords are a pain.
I was told a story about an IRS auditor.
Their stuff needs to be really secure, obviously.
Each application has a different user ID and password. So far that is clumsy, but not bad.
So that they did not get forgotten, he kept a notebook of all passwords in his briefcase. The laptop was also in the briefcase.
As the person who told this said, this was secure until the briefcase got lost or stolen and found by someone with a crowbar.
Password audit
I did an audit of the passwords used in our Meditech system. I can print a report that lists them without user IDs so nothing really gets compromised.
Our minimum length is 5 characters.

Length  Count  Percent
5       446    28.30
6       474    30.08
7       274    17.39
8       220    13.96
9       103     6.54
10       35     2.22
11       13     0.82
12        5     0.32
13        3     0.19
14        3     0.19
Password audit
Dictionary words: 17
Names: 39
Word and single digit: 13
All same character: 3
All digits: 6
Better than the above: 27 (does not mean good)
This is the first two pages of a list of passwords from our system. I think our users are no less creative than anyone else.
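The two audit summaries above (the length distribution and the weakness buckets) reproduced as an added example over a constructed password sample; this is not the presenter's report or any Meditech tooling. The word and name lists are tiny stand-ins for real dictionaries, to be swapped for larger files when running this over an actual export (one with the user IDs stripped, as the talk does).

```python
"""Added example: classify a password export into the buckets used on the
audit slide and tabulate count and percent by length. WORDS, NAMES and
SAMPLE are constructed; no real credentials appear here."""
from collections import Counter

# Constructed stand-ins for a dictionary file and a first-names file.
WORDS = {"password", "summer", "nurse", "welcome", "hospital"}
NAMES = {"susan", "michael", "britney", "george"}

# Constructed sample export (user IDs already stripped).
SAMPLE = ["summer", "susan", "nurse1", "aaaaa", "123456",
          "2MT2C", "welcome", "michael", "hospital7", "Tr0ub4dor",
          "11111", "george", "Xk9#pL", "password", "99999"]

def classify(pw):
    """Return the weakness bucket, checked in the order the slide lists them."""
    low = pw.lower()
    if low in WORDS:
        return "dictionary word"
    if low in NAMES:
        return "name"
    if low[-1].isdigit() and low[:-1] in WORDS | NAMES:
        return "word and single digit"
    if len(set(low)) == 1:
        return "all same character"
    if low.isdigit():
        return "all digits"
    return "better than the above"   # as the slide says, not the same as good

def length_distribution(passwords):
    """{length: (count, percent)}, the Length/Count/Percent table."""
    counts = Counter(len(p) for p in passwords)
    total = len(passwords)
    return {n: (c, round(100.0 * c / total, 2)) for n, c in sorted(counts.items())}

def below_minimum(passwords, minimum=5):
    """Anything shorter than the configured minimum (5 in the talk)."""
    return [p for p in passwords if len(p) < minimum]

def audit(passwords):
    """Bucket counts, the second audit slide."""
    return Counter(classify(p) for p in passwords)
```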
My favorite…
From the list that I looked at, my favorite "good" password was 2MT2C.
It could be longer but…
It would be hard to guess.
It would be easy to remember.
It would be hard for a password cracking program to figure out.
It also gives no hint about the person's user ID.
It expired by the time you see this…
How long should they last?
30, 60, 90, 120, 180, 270, 365 days
Never expire
Think about the PIN for your ATM.
Think about the risks of shoulder surfing or other password stealing schemes.
Think about the pain of frequent password changes.
Balance it all together and pick a number that your organization is comfortable with.
Problems
Most users will not pick good passwords.
Some users will forget their password.
Some users will write their password down where it can get found.
Ban Post-it notes (I know it's not possible).
Check under mouse pads.
Password cracking programs are easily available to those who want them.
So what do you do about this?
Keep your training positive.
Wrong: If you make bad passwords, the HIPAA police will get you.
Right: Good passwords protect your privacy as well as your patients' privacy.
Wrong: Bad passwords lead to bad care.
Right: Good security is good patient care.
Concept blatantly stolen from Tom Walsh's recent HIMSS presentation.
So what do you do about this?
Alternatives
RFID proximity devices
Fingerprint readers
Iris scanners
Palm scanners
Secure Roaming (my current favorite)
If you must use passwords, train users about good ones.
Cool new product…
BioPassword
Works by carefully measuring how individuals type their password.
Vendor offered cash to anyone who could type his password; no one could…
Based on a concept developed in WWII to monitor where Morse code operators had moved to.
Adding and deleting users must be taken seriously.
People change jobs.
How's that for stating the obvious?
When they start a new job they need access.
When they move within the organization they need changed access.
When they leave, access needs to go away.
If not done right, there can be problems…
Recently…
(August 27, 2007) A federal jury has convicted Jon Paul Olson of intentionally damaging protected computers. Olson left his job at the Council of Community Health Clinics (CCC) in San Diego after he received what he believed to be a negative performance evaluation. Several months after his resignation, Olson deleted patient data that belonged to the North County Health Services (NCHS) clinic, causing financial losses at both CCC and NCHS. Olson had worked for CCC as a network engineer and technical services manager.
My editorial comments
This happened months after he left; his access should have been long gone.
We had auditors and JCAHO inspectors specifically ask about our procedures for inactivating employees who have left us.
Get this done right!
To do that you need a process and some forms.
Our new user form
Signature required!
Copy existing staff carefully!
Date when completed
End date if needed
Problems
Directors do not know what their staff has access to.
Probably should.
Don't really.
Then there are those users who stay casual in their old department, and IS has to figure out how to combine their old job with the new one.
Talk about time wasters…
Problems
People's job functions change even if their job description does not.
I get calls from directors asking for additional routines for users all the time.
I tell them to get it to me in writing (usually Outlook mail).
This creates problems when they tell you to copy into a new user. Does this new person really need the same special routines? Sometimes yes, others no.
Generic User Templates
We discussed setting up inactive model users for copying to new ones.
We decided not to do this:
Too many job descriptions to be maintained
Difficult to keep up to date
Not enough time to devote to the setup of these
YMMV. If this might work for you, great!
Non-employees with access
Nursing home staff
We give nursing home staff very limited access. They can only see their own patients.
Instead of the form, they can either fax me their employee's full name on their letterhead or e-mail me the detail using their business address.
Twice each year I list all their users and send a copy to the nurse director to verify that they are still employed there.
Others…
Contract employees
Students
Temps
We require the same form as all others to get them into our systems.
No standard way to make sure they get terminated.
Problems
Since temps, contract employees, and students are not in PP, they do not automatically show up.
We do ask for the anticipated last date on the form requesting access.
I put a task in Outlook to pop up and remind me to follow up on these.
We have a separate spreadsheet to track them.
Getting directors to remember is a challenge.
Removing access
Employees leave:
They get better jobs
They retire (best job of all…)
They have children and can't work outside the home (working hard enough there)
They get downsized
They get fired
They get outsourced (I know from experience)
You need a process here.
Do NOT trust the director to tell you someone leaves.
When someone resigns, the director usually wants a replacement.
For that they need to talk with HR.
When someone is fired, outsourced, or laid off, HR needs to be involved.
HR loves paper…
Our process
Each MIS area has manual procedures to inactivate access for terminated users.
I would like to automate the whole process. I think I can do it with a script.
Example of the spreadsheet is below (one placeholder row):

Eff. Date  Name              Dept                 Network ID  Meditech  Misys  HFMDOM  webMD  qs1  Mestamed
24-Mar-07  Employee,Leaving  Employee Assistance  UserID      Mnemonic  MT     na      na     na   na
Unfriendly termination
Sometimes this process is not fast enough.
Employees get fired for a variety of reasons.
We have terminated employees for viewing records that they did not need to see and did not have authorization to view.
When that happens, HR is required to give the MIS director a call to inactivate all access.
If not available, the call goes to our network manager.
There cannot be a delay…
Our system
To make this work we combine features of:
Meditech PP module
Kronos
Shams Data Repository
Microsoft Excel
Microsoft Outlook
And the programming skills of our DBA
Don't ask me the detail…
Our process
If someone resigns:
HR gets a paper resignation.
Their status in Meditech PP is changed to "pre-terminated".
This generates an Outlook message noting the change and puts the name in our resignation spreadsheet.
A last date is listed also.
The day after the last date, an e-mail (Outlook) is generated that states that the employee's Active Directory entry has been terminated.
Failsafe
Our system works great most of the time.
Some resignations get missed:
Director doesn't send paperwork to HR until after the person is gone.
Casual employees just sort of get dropped.
As a failsafe we get a paper list of all employee changes from HR.
It is late, but at least it gets everyone.
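The reconciliation step of the resignation process and its failsafe, written as an added example of the kind of script the talk says it wants; this is not the presenter's DBA's code and does not talk to Meditech PP, Kronos or Active Directory. It assumes a "pre-terminated" status plus last date from HR, the separate contractor/temp tracker with anticipated end dates from the access form, and a full list of active accounts; all records are constructed.

```python
"""Added example: reconcile HR status, the contractor tracker and the
active account list. Three outputs: accounts to disable (the day after
the last date), pending resignations for the spreadsheet, and the
failsafe list of active accounts nobody has an HR record for."""
from datetime import date

# Constructed data; every name and ID is hypothetical.
HR_ROSTER = {          # network id -> (PP status, last date or None)
    "jsmith": ("active", None),
    "rjones": ("pre-terminated", date(2007, 3, 24)),
    "mlee":   ("pre-terminated", date(2007, 4, 30)),
    "tbrown": ("terminated", date(2007, 2, 1)),      # HR done, account still on
}
CONTRACTORS = {        # network id -> anticipated last date from the access form
    "vendor1": date(2007, 3, 15),
    "student2": date(2007, 6, 1),
}
ACTIVE_ACCOUNTS = {"jsmith", "rjones", "mlee", "tbrown",
                   "vendor1", "student2", "casual9"}
EXAMPLE_TODAY = date(2007, 3, 25)   # the day after rjones's last date

def accounts_to_disable(today, roster=HR_ROSTER, contractors=CONTRACTORS,
                        active=ACTIVE_ACCOUNTS):
    """Still-active accounts whose last date has passed, staff or contractor."""
    due = set()
    for uid, (_status, last) in roster.items():
        if uid in active and last is not None and today > last:
            due.add(uid)
    for uid, last in contractors.items():
        if uid in active and today > last:
            due.add(uid)
    return sorted(due)

def pending_resignations(today, roster=HR_ROSTER):
    """Pre-terminated staff whose last date is still ahead (the spreadsheet rows)."""
    return sorted((uid, last) for uid, (status, last) in roster.items()
                  if status == "pre-terminated" and last is not None
                  and today <= last)

def failsafe_orphans(roster=HR_ROSTER, contractors=CONTRACTORS,
                     active=ACTIVE_ACCOUNTS):
    """Active accounts with no HR or contractor record at all: the casual
    employees who 'just sort of get dropped' and only show up on the paper
    list from HR."""
    return sorted(active - set(roster) - set(contractors))

def run(today=EXAMPLE_TODAY):
    """One reconciliation pass; returns the three lists for that day."""
    return {"disable": accounts_to_disable(today),
            "pending": [uid for uid, _ in pending_resignations(today)],
            "orphans": failsafe_orphans()}
```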
Physical Security: Don't forget about it!
Stolen Laptop Had 268,000 Social Security Numbers
ST. PAUL (AP) -- A Twin Cities blood bank says a laptop computer with 268,000 names and Social Security numbers has been stolen. Memorial Blood Centers said Wednesday it has begun notifying blood donors of the theft, but they should monitor their financial accounts as a precaution. The laptop computer was taken on Nov. 28 in downtown Minneapolis during preparations for a blood drive.
Dec 5, 2007
--Hospital Server Room Overheats, Destroys Equipment
Internal auditors are conducting an investigation at St. James Hospital in Leeds to discover the reasons a server room overheated, permanently damaging GBP 1 million (US $2.04 million) worth of equipment. The system in the room was designed to store patient x-rays but had not yet gone live, so patient care was not affected by the incident.
http://www.theregister.co.uk/2007/09/27/leeds_server_overheat/print.html
[Editor's Note (Grefer): Whenever feasible, build in redundancy in your A/C setup. Operating a single A/C unit at full power reduces its life expectancy and creates a single point of failure. In case such a setup is not feasible, at least invest in heat sensors and a system that allows for automatic shutdown of non-critical systems early on as well as automatic shutdown of critical systems at the last minute.]
(September 27, 2007) SANS NewsBites
BlackBerries
Q: Ask the expert: Is it appropriate for caregivers, such as nurses and physicians, to use Blackberries to e-mail patient data?
A: The answer is an easy one: most definitely not. Blackberries generally transmit messages via mobile services, such as Verizon and AT&T, for example. Messages sent via cell phone, Blackberries, or smart phones are not secure. Someone knowledgeable can easily intercept messages. Unless an organization contracts with a mobile service provider that offers an encrypted channel, and most do not, sending patient information via a Blackberry is almost worse than sending an unencrypted e-mail or instant message.
This Q&A was adapted from the December 2007 issue of Briefings on HIPAA.
Again, remember the physical security of your devices.
Flash Drives…
--Flash Drive Left in Swedish Library Holds Sensitive Military Data (January 4, 2008)
That person could face up to six months in prison.
The Security Work Group just posted a white paper on portable media.
This may be stating the obvious, but…
Back up everything.
Store it securely.
If it has PHI and is portable, encrypt it.
Keep a copy of everything important off site.
Lock your server room doors.
Log out or lock your PC when away from it.
Securely dispose of old data devices.
Train your users that:
-computers belong to the healthcare organization
-anything produced or accessed on the computer belongs to the healthcare organization
-there is no expectation of privacy for anything on the computers
-all computers and all users may be subject to routine audits and, when necessary, investigations, performed without their permission, but always with a supervisor's oversight
Stolen from: Greg Young, CHP, Mammoth Hospital
In conclusion…
Hire carefully (not always easy to do).
Have clear, readable policies and live by them.
Train carefully.
Audit.
Retrain/reinforce training.
Thanks to:
Caretech Solutions (my bosses) for letting me come here
Microsoft for clip art
SANS, MLO, HIPAAlive, and others for news items
All of you for listening to me
Questions…