With over 10,000 magazines published in the US, I rarely have time to read all of them. But I do make an effort to set aside a few hundred hours each week to read as many of them as I can.
Reading the current 2008/2009 Physicians Practice Annual Tech Guide provided a good helping of security food for thought. As a former physician, I occasionally like to check on the lack of technological progress in the healthcare industry. However, after reading this publication, I was pleased to find that both the Internet, and the digital storage of information, have been discovered and incorporated into the doctor’s office. Unfortunately, the concept of information security has yet to be understood by our community of clinicians.
An article mistitled "Security: Protect Your Practice and Sleep Better" contained some surprising factual information and some information that was surprising to read as fact. I may be the last person to know that identity theft is surpassing drug trafficking as the No. 1 crime in the US, but now I know. Furthermore, the article provided the interesting factoid that a laptop is stolen every 53 seconds. By my calculations, if we all engaged in laptop theft, after approximately 264 steals one would have stolen back their own laptop. I like to call it… "The Circle of Theft."
The unsettling information contained in this piece came from the scary statistical information provided and the rudimentary security advice prescribed to physician’s practices.
Courtesy of the Privacy Rights Clearinghouse, we are told that 20% of medical data breaches are due to "human/software incompetence". This is a disturbing statistic. Remember, this type of data breach is not necessarily the kind associated with identity theft or financial fraud (possibly preferable to some), which can often be remediated by canceling credit cards and closing accounts (and often not, thus ruining your life); it is the kind that publicly discloses why and where you're applying Podofilox and perhaps why you've been responding to your Viagra spam. It may be a close call for some, but I'd choose identity theft over people knowing that much about my true identity.
The fact that a breach of data with such highly sensitive content can be attributed to "human incompetence" is just, well, incompetent. Using some preventive medicine, this problem could be treated by using one of the "two T's" of security policy: training or termination. They also claim that a Gartner research study reveals that 80% of computer crime is committed by "disgruntled employees". What?! I guess I missed that study, and all the others demonstrating how the "disgruntled employee" is by far the largest cyber threat we face. I'll be sure to update the buzzword developers that the online equivalent of going "postal" is now called going "disgruntled". Regardless, this statistic is bothersome in the context of medical data. It appears that data loss in the medical practice setting is primarily from employees who hate their jobs or those who just don't understand them.
The security recommendations dispensed were both comical and self-contradictory. For instance, the quote by Stephen Moulton, director of product development for Innovative Card Scanning, “Paper can be copied, stolen, and taken without you even knowing it…”, was very informative, but I’m pretty sure that those things can happen to digital data as well (I remember reading the proof of concept).
There is an "In Summary" section in the margin that simplifies the article into a number of bullet points. Despite their best efforts, it clearly shows why information security publications shouldn't (and don't) dispense medical advice (unless it's virus related) and why healthcare publications shouldn't provide information security guidelines:
I left this article thinking, "Good intentions, bad advice". My recommendations would at least contain the words outsourcing, SaaS and HIPAA (in a bold 72-point font). Fortunately, being an android, my medical records are documentation from factory servicing and firmware updates.
Direct your disgruntled comments to:
With 20+ years of industry experience, Noah Schiffman is a former black-hat hacker turned security consultant. Coding at an early age, he developed one of the early text/graphic editing applications and started his first software company in 1980 when he was 11 years old. With the advent of networking technologies, he soon mastered the art of manipulating telco switching systems, known as "Phone Phreaking". This soon led to his career as a computer hacker, performing penetration testing, reverse engineering, cryptographic attacks, corporate espionage, digital surveillance and other ethically questionable projects.
His clients have consisted of Fortune 500 companies and various government agencies.
He has authored a number of articles for SearchSecurity.com, on topics ranging from kernel mode and metamorphic viruses to corporate data loss prevention.