Posts Tagged ‘information security’

Healthcare IT News recently asked its readers which kind of healthcare data breach worries them the most. Not surprisingly, the vast majority (80 percent) of respondents said electronic data breach/hack, while only 13% worried about hardware theft, followed by 7% concerned about the theft or loss of paper records. This concern is warranted. For instance, a recent article in the Fort Worth Star-Telegram highlighted the growing trend of doctors using smartphones and tablets to access medical data. According to the story, hospitals in North America spent $7.4 billion on electronic records in 2010 – and the 2009 stimulus act has earmarked $50 billion to help government and private healthcare providers offer EHRs over the next five years.

So what does this look like? Here’s an anecdote from the piece:

If a patient of Arlington physician Ignacio Nuñez shows up at the emergency room when the doctor is not at the hospital, he doesn’t have to wait long to start investigating what might be wrong.

The obstetrician/gynecologist can call up an expectant mother’s medical records on his iPhone, or even watch the fetus’s heartbeat on the device once the woman is connected to a hospital monitor, wherever he might be at the time.

According to AirStrip, the San Antonio software company that developed the app Nuñez uses, there is only a three- to five-second lag to get information to the physician’s mobile device. AirStrip also makes a version for cardiologists and has an upcoming version that will monitor other critical data in intensive care units and emergency rooms.

Groundbreaking, indeed. But what about from a security perspective? We’d like to hear from you if you work for a healthcare organization that is using mobile devices this way.

You know the scenario: you implement your organization’s security policy, and within minutes you can hear employees groaning and mumbling about IT. According to a new survey, employees don’t just complain to each other – they are now complaining directly to IT.

Four in 10 CIOs interviewed for the Robert Half Technology survey said that it’s at least “somewhat common for employees to complain about security measures that limit which websites or networks they can visit at the office.”

IT professionals have long grappled with being the organization’s “bad guys,” limiting access and denying service to frustrated employees. To dodge outright mutiny, IT professionals can help employees better understand why we have to restrict and monitor what they do. To that end, we’ve turned the survey’s suggestions for employees confronting IT administrators on their head to make a list for IT professionals.

  • Be Open to Questions. Nobody likes to be told policies exist “just because.” If an employee wants to know why a certain site or network is restricted, tell them why. And if they’re not especially tech-savvy, do so in layman’s terms. The answer can be simple, but fostering this dialogue will make employees more comfortable with restrictions.
  • Listen to Business Cases. IT professionals are sometimes so far removed from the rest of the organization that they don’t understand why blocking certain sites and networks is detrimental to the business. When employees make legitimate business cases for changing the IT policy, listen. We’ve heard stories of IT departments blocking social media channels at news organizations, leaving reporters scrambling on their mobile devices to catch up on breaking news stories.
  • Explain Your Role. Let employees know that your job isn’t to deny them access to “fun” sites; it’s to protect the organization’s security. The better they understand your role, the more the policies will make sense.
  • Be Flexible. When possible, work with the employees. For example, set up one computer in the office that isn’t restricted so employees can occasionally access restricted sites. Compromises like this go a long way toward helping employees make peace with IT security policies.

In the second of a two-part series, VPN Haus talks to PCI compliance expert Anton Chuvakin about cloud compliance and the prevalence of the “it won’t happen to my company” attitude. Last week, we spoke to Chuvakin about the way the industry has misunderstood – and undervalued – PCI standards.

VPN Haus: You’ve mentioned that some companies take a “nobody wants to hack us” attitude to compliance. What kinds of companies tend to take this approach? What kinds of companies tend to be most vigilant – ones that have already had a breach?

Chuvakin: While many in the security community would quip that only stupid companies would say that “nobody wants to hack us,” reality is slightly more complicated. Perception of electronic and digital risks does not come naturally to people – and IT managers and directors are people too. So many organizations will severely underestimate computer risks and, sadly some would pay with their very existence for this mistake…

In regards to more vigilant organizations, you are correct: breached companies are indeed more vigilant – but only for a certain time. Some say a breach gives a boost to security awareness and elevated vigilance for about a year.

VPN Haus: Are the consequences of a security breach for PCI companies enough of a deterrent?

Chuvakin: Apparently not. Just look at all the companies that only pay lip service to security and PCI compliance, and then get upset after they are breached. Don’t get upset — the breach is a natural result of your own behavior, please learn to take the responsibility.

VPN Haus: How would you describe PCI’s approach to the cloud? Everyone seems to have an opinion on the cloud, but it seems like PCI has been quiet on this front.

Chuvakin: It is quiet [because] Requirement 12.8 that covers service providers addresses it just fine. [The requirement states,] “If cardholder data is shared with service providers, maintain and implement policies and procedures to manage service providers …” No need to say anything new on the subject, for the most part.

VPN Haus: So basically, the PCI compliance applies to service providers or cloud providers if they have cardholder data?

Chuvakin: Yes, of course. PCI DSS has – and pretty much always had – a section about the responsibilities of a service provider.

VPN Haus: Is there anything that we haven’t covered that you think is relevant or that you’d like to discuss?

Chuvakin: Like we say in the PCI book, “The best way to protect the data from hackers is to delete it.” People should learn that the best approach to PCI is reducing the scope by eliminating card data storage and movement from their environments. If there is a way to change their business process to reduce handling of cardholder data, it should be taken first. Only then – after the data elimination/reduction step is taken – think of encryption, firewalls, application security and other security controls. Outsourcing data handling all together – if possible – is a good way to take this approach as well.

VPN Haus: Would outsourcing your data handling actually increase risks, as you can’t control a third-party vendor’s compliance but you can control your own?

Chuvakin: No, not at all – because – pardon my French – that “you” mentioned in the above is typically an idiot – in regards to security. Their environments are “owned” and card data is being stolen every day. Think of outsourcing as “do you store a lot of CASH in your restaurant/hotel/business?” “No, you ‘outsource’ it to the bank” – “then WHY oh WHY do you insist on writing your own card processing software?” Check out this recent paper: http://www.rsa.com/innovation/docs/10990_CDS_BRF_0610.pdf. Most every PCI expert would agree that payment protocols just don’t belong in-house.

Anton Chuvakin is a principal at Security Warrior Consulting, specializing in PCI DSS, SIEM and log management services for security vendors and enterprises. He also runs the Security Warrior blog and is based in San Francisco.


By David Torre

Guest Contributor

Internal information security policies have existed within the enterprise since the dawn of the information technology era. Viewed by many as a necessary evil and simply a check box compliance item, the overall value of a well-written internal security policy has become, perhaps ironically, now more important than ever in a world saturated with digital information.

Traditionally, internal policies were developed to demonstrate an organization’s commitment to information security, and to provide clear and consistent computing guidelines by which all employees must abide. Even today, such time-honored objectives remain relevant. Yet as mobile and cloud computing continue to shape the information technology landscape, it has become increasingly difficult for information-wielding knowledge workers to protect the organization’s most cherished asset: intellectual property.

As if protecting trade secrets from peering outsiders weren’t challenging enough, security professionals are also faced with threats that originate from within the enterprise. While tales of malicious insiders or corporate espionage make for intriguing conversation, most of us working in the trenches have discovered that perhaps the most significant risk to the organization is the naive end-user, one who cannot easily discern between safe and unsafe information handling practices. Consequently, this presents a dilemma of where to draw the line for acceptable levels of security aptitude. Take for example a cloud-based solution which is blatantly advertised as being “enterprise-friendly,” or a consumer smartphone that ships with a “Connect to Exchange Mail Server” icon on the home screen. It’s easy to see how users may become perplexed when attempting to determine where the corporate IT boundary ends, and where the still somewhat “wild” Web 2.0 frontier begins.

Fortunately, a clearly defined security policy can forge the foundation needed to cope with present information challenges. Such internal policies can, and should, go beyond the traditional form of abstract language lurking deep within the dusty corners of the corporate intranet and instead foster an environment of understanding and education. In essence, the function of an internal security policy is two-fold. On one hand, it legitimizes the importance of information security and gives security staff the power of enforcement, with documented repercussions for those who choose not to comply. On the other, the very same policies are advantageous for the end-user, as they provide clear-cut guidelines which not only aid in risk reduction but may actually empower the user community to stay competitive by making intelligent information handling decisions that are congruent with the overall corporate business strategy.

Of course, some internal policies are driven by legal or regulatory compliance obligations. Common areas include Payment Card Industry, HIPAA, and SOX, to name only a few. Yet just because a policy supports legal or regulatory requirements does not mean the policy itself needs to read like a legislative bill. Composing the policies in straightforward language everyone understands will help ensure compliance is maintained.

In summary, strong internal security policies are the cornerstone of an information security management system. By providing unambiguous guidelines for corporate computing and information handling, such policies ultimately reduce risk and increase employee awareness.

David Torre is a security consultant and CTO of Atomic Fission. He is based in the San Francisco Bay Area.
