Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Perimeter

11/19/2012
09:45 AM
50%
50%

Take Two Aspirin And Steal My Data

HIPAA and information security aren't suggestions. They're the law

When I am in a doctor's office, either as a patient or along with a family member, I can't help but think about HIPAA compliance and information security. It's my chance to be a secret shopper or -- in this case, a covert observer of the operating environment of another organization.

Naturally, I've signed my share of HIPAA-related patient forms. What surprises me is how much other blatant behavior I see that is not HIPAA-compliant. OK, surprise is not the right word, as I now sadly expect to see these problems. Let's say I'm continually amazed.

Anyway, signing a long-winded legal document does not let the organization off the hook for being sloppy with my patient data, or yours. I've heard receptionists call across a crowded waiting room, "John Smith, what is your Social Security number?" How many, I wonder, made some identity thief's day?

I've seen patient sign-in sheets that requested full name, Social Security number, date of birth, insurance provider, and phone number. Wow, long before that sheet is filled it's a treasure trove for an identity criminal and as easy to steal as a candy bar. Even easier, an identity thief can take a picture of that sign-in sheet with a smartphone camera, so the staff won't even know the patient data is stolen.

I've left exam rooms to go to the restroom and along the way have seen medical charts placed outside exam rooms so carelessly that I could read confidential information about the patients simply by walking past slowly enough. With no special effort, I've heard detailed discussions from adjacent examination rooms, including information the patient assumed was private and, by both ethical and legal standards, should have been.

I've seen closets turned into computer server rooms, but with the door left wide open to keep the computers from overheating. And I've seen staff casually fax detailed medical and financial records that might be going to a secure fax device, but might be landing in exactly the wrong hands.

When I've seen medical practices with obvious compliance and security issues, it has been clear to me that the management involved believes HIPAA is only a suggestion they can ignore, not a law they must follow.

Now, I get that regulations can be a pain. I even agree that many regulations cost businesses a great deal of time and money and don't have a lot to show for it. I will even go so far as to say that we've become oversensitive as a society to every little opportunity for a mistake. Life happens, and you can't legislate or regulate away every risk.

At the same time, I've personally encountered plenty of clear examples as to why many organizations need regulations to guide them and hold them accountable. Poor business practices, poor management, faulty business processes, and outdated habits are not good reasons for noncompliance. Just because it is inconvenient to break years of bad business habits does not make it permissible.

While it might seem I'm picking on doctors I know, medical practices certainly don't comprise the largest group of businesses with a casual or sloppy approach to compliance and data security. Doctors happen to be easy to observe; most organizations appear more compliant because their employees' behavior is relatively hidden, not only from the public, but also even from their own management.

Obvious reminders can help us remember to focus on less obvious issues. And observing the compliance and security efforts of other organizations is a great way to practice observing your own operations. Take that same scrutiny back to your own organization, and you'll be amazed what your diagnosis will be.

Glenn S. Phillips, like you, knows bad habits present difficult challenges. He is the president of Forte' Incorporated where he works with business leaders who want to leverage technology and understand the often hidden risks within. Glenn is the author of the book Nerd-to-English and you can find him on twitter at @NerdToEnglish. Glenn works with business leaders who want to leverage technology and understand the often hidden risks awaiting them. The Founder and Sr. Consultant of Forte' Incorporated, Glenn and his team work with business leaders to support growth, increase profits, and address ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
Data Leak Week: Billions of Sensitive Files Exposed Online
Kelly Jackson Higgins, Executive Editor at Dark Reading,  12/10/2019
Intel Issues Fix for 'Plundervolt' SGX Flaw
Kelly Jackson Higgins, Executive Editor at Dark Reading,  12/11/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-5252
PUBLISHED: 2019-12-14
There is an improper authentication vulnerability in Huawei smartphones (Y9, Honor 8X, Honor 9 Lite, Honor 9i, Y6 Pro). The applock does not perform a sufficient authentication in a rare condition. Successful exploit could allow the attacker to use the application locked by applock in an instant.
CVE-2019-5235
PUBLISHED: 2019-12-14
Some Huawei smart phones have a null pointer dereference vulnerability. An attacker crafts specific packets and sends to the affected product to exploit this vulnerability. Successful exploitation may cause the affected phone to be abnormal.
CVE-2019-5264
PUBLISHED: 2019-12-13
There is an information disclosure vulnerability in certain Huawei smartphones (Mate 10;Mate 10 Pro;Honor V10;Changxiang 7S;P-smart;Changxiang 8 Plus;Y9 2018;Honor 9 Lite;Honor 9i;Mate 9). The software does not properly handle certain information of applications locked by applock in a rare condition...
CVE-2019-5277
PUBLISHED: 2019-12-13
Huawei CloudUSM-EUA V600R006C10;V600R019C00 have an information leak vulnerability. Due to improper configuration, the attacker may cause information leak by successful exploitation.
CVE-2019-5254
PUBLISHED: 2019-12-13
Certain Huawei products (AP2000;IPS Module;NGFW Module;NIP6300;NIP6600;NIP6800;S5700;SVN5600;SVN5800;SVN5800-C;SeMG9811;Secospace AntiDDoS8000;Secospace USG6300;Secospace USG6500;Secospace USG6600;USG6000V;eSpace U1981) have an out-of-bounds read vulnerability. An attacker who logs in to the board m...