How frustrating is it to lose a smartphone?

How frustrating is it to lose a smartphone? $650,000 worth, if you are Catholic Health Care Services of the Archdiocese of Philadelphia. An employee of theirs lost an iPhone last year. It’s easy to do so – but the iPhone was not encrypted, was not password protected, and had extensive ePHI (electronic protected health information) on it. Most workers would say that they don't store ePHI on their phone. They don't use it to access an EMR, open any spreadsheets, or take any notes on their phone. However, ePHI, like water, has a way of leaking out to unexpected places. If you get corporate email on your phone, then you've probably been CC'd on a message with an attached spreadsheet, which often contains ePHI. If you've installed Dropbox, or a similar app, on your phone, the data is usually accessible, especially if you've got auto-login enabled – or if the app caches any data locally.

RANSOMWARE: THE EVIL THAT LURKS

Ransomware is a malicious piece of software that encrypts a user’s or company’s files. Once encrypted by an attacker, it is almost impossible for the victim to regain access to the files without a “decryption” key that is held by the attacker, or “file kidnapper”. The “kidnapper” of the file(s) then demands a fee from the company to regain access to its own files. Typically, the attacker sets a short time span – usually 72 hours or less – for the infected user or entity to fork over a ransom. (Attackers do not like to leave digital trails, and use temporary servers to accomplish their illicit activity.) The ransom is usually payable in Bitcoin – an anonymous currency increasingly popular with criminals. The hackers will display some sort of screen or webpage explaining how to pay to unlock the files.

All clouds are gray

“What’s our cloud strategy?” is a common question in IT these days, and a somewhat lengthy answer is required. Few technologies have grown as fast as the cloud. It is a profound shift to have your data – your precious, regulated data – stored not just out of your control, but out of your sight. This change provokes a wide range of responses, from “Never in a thousand years” to “Take my data, please”. A better reaction might be “Yes, but.” As with many things in life, and certainly in healthcare, the extreme reaction is not the best one.

IT Audits can be both lightweight and effective

Case Study - What to Tell Your Management about Security.

In our last mailing, we wrote about how to talk to management about security. This time, we will address what to tell them.

It is easy to cloud the communication channels with too many details, the wrong details, or too much technical focus. Instead, concentrate on what management needs to know about the issue at hand, and what they should know in their capacity as organizational leaders. This will help them understand the problems you (and, by extension, they) are dealing with, and importantly, help you get the organizational support you need to solve them.

Case Study - How to talk to your Board about security

The gap between IT and management can often be a chasm. Nerds can’t talk to suits. In the Dilbert cartoon, this leads to laughs; in real life it leads to frustration, ignorance, and poor organizational performance. Some of this gap is the nature of the security topic. It’s difficult to discuss security events, which by definition are abstract, in the future, and highly uncertain, in a clear and concise manner. Many managers are highly quantitative and numbers-oriented, and security is not yet a quantified body of knowledge. The “curse of knowledge” frustrates any attempt to communicate specialized information, as your physicians can tell you – it’s difficult to talk about topics that you know well to an audience that knows little.

Case Study - Managing Third Party Risk - Don't let someone else's iceberg sink you

Many of the entries on the “Wall of Shame” at CMS (the web page that lists mass data breaches) are there not due to their own actions, but those of a third party. Even the smallest healthcare company is likely to send its data out to many business associates, and to offer system access to many other third parties. Either of these options greatly increases the risk to that company. Under HIPAA, a Business Associate’s data breach becomes the responsibility of the Covered Entity. Most organizations have excellent perimeter controls but are far more vulnerable to an authenticated user, which means a compromised account belonging to an external user leaves its partners very exposed to the same attacker. Managing the risks from both these types of third parties – Business Associates, who receive data, and External Users, who get system access – is essential to securing your own information.

Case Study - Biomedical Devices - Preventing harm from security weaknesses

PROBLEM

Biomedical devices are a major cause for concern in hospital environments because:

1. They are connected to the hospital or care provider’s network, which vastly increases the attack surface available to evil-doers.

2. Patient safety is at considerable risk, as demonstrated by recent remote wireless hacks of insulin pumps and other patient monitors.

3. Many devices have not had their operating systems patched or migrated to newer versions for years. These devices are especially vulnerable to known and widespread attacks on unpatched software. A virus infecting an “old” OS on an infusion pump can propagate and infect every other device, crippling the entire hospital network in minutes.

4. The mobile revolution has resulted in many new consumer-oriented apps and devices that perform patient monitoring and then send information upstream or downstream for additional diagnostic actions. Tainting of this upstream or downstream data is very possible and adds to patient safety concerns.