Security and Your Users: Top 5 user pitfalls and how to avoid them

Upload: jordan-dennis

Post on 16-Jan-2016


TRANSCRIPT

Page 1: Security and Your Users

Top 5 user pitfalls and how to avoid them

Page 2: Goals

Security is never a popular topic with users. The goal is to make data secure without burdening staff with stuff that interferes with business processes.

It's not just about HIPAA!

"We should treat personal electronic data with the same care and respect as weapons-grade plutonium -- it is dangerous, long-lasting and once it has leaked there's no getting it back." -- Cory Doctorow

Page 3: FBI study…

50% of security incidents are caused by insiders.

These are people that you trusted enough to hire. Or manage security.

Page 4: Top 5 user pitfalls and how to react to them

Users are curious and gossip.
Users don't take data security seriously.
Passwords are a pain.
Adding and deleting users must be taken seriously.
Don't neglect physical security. (So much hardware, so easy to walk.)

This is my opinion and is in sort of random order; no scientific process has been used.

Page 5: Users are curious and they gossip

They want to know what is happening around them.
Celebrities do show up, local or otherwise.
There are always friends and neighbors or ex's.

For example:

Page 6: George Clooney

NEW YORK (CNN) -- More than two dozen employees at Palisades Medical Center have been suspended after accessing the personal medical records of actor George Clooney, who was taken to the North Bergen, N.J., hospital last month after a motorcycle accident.

http://www.cnn.com/2007/SHOWBIZ/10/10/clooney.records/index.html

Page 7: And of course, Britney:

UCLA Medical Center is taking steps to fire at least 13 employees and has suspended at least six others for snooping in the confidential medical records of pop star Britney Spears during her recent hospitalization in its psychiatric unit, a person familiar with the matter said Friday.

In addition, six physicians face discipline for peeking at her computerized records, the person said.

http://www.latimes.com/news/local/la-me-britney15mar15,0,1421107.story

Page 8: MLO Online 12/13/07

Privacy a problem Down Under

Celebrity patients in New Zealand may be lodging complaints with the country's Privacy Commissioner since several health workers were found snooping through the private medical records of patients, including those of several celebrities. One health worker was dismissed and up to 20 others disciplined, including doctors, nurses, and other clinicians. The staff members have been using what was referred to as a "revolutionary" electronic records system to access information, which includes patients' medical notes, X-ray results, and laboratory-test results and community lab tests.

Page 9: MLO Online 12/13/07 (continued)

These breaches were picked up in seconds by electronic audits, which were run regularly after celebrities had stayed in the hospital to see who had accessed their records. Random audits were also run on individual staff to check their use of the system. Staff has been warned since the incident that looking up patients under their care, including neighbors, friends, relatives, their own children, or themselves, is not acceptable. One healthcare official said that although the EMR system had the potential to allow more access, it also allows for access to be traced better than the old paper records system.

Page 10: Users check their own records

family's records
neighbor's records
friend's records
ex's records (this gets to be a legal problem)
and so on…

More frequently…

Page 11: Prevention…

Remind users periodically that there is a proper procedure to follow to get access to records.
Make that procedure reasonably painless
– But follow state law
Deny access when access is not appropriate
Audit accesses and follow up
– Public flogging might be useful but probably is not constitutional…

Page 12: Curiosity is good, snooping BAD

Random audits find random problems
– They are hard to do accurately.
– They are virtually impossible to do without software to manage documentation and provide queries.

Targeted audits are good when someone tells us about a problem or when celebrities show up.

Just knowing that you do audit cuts down on violations.

Page 13: This gets tricky when:

Last names are not the same, especially with ex's.
The organization gets big enough so that no one knows everybody.
Neighbors live around the corner so street names are not a tip-off.
– Do we load Google Maps into the user audits? (Thanks to John Sharpe for that idea.)

Automation is the only way to go.

Page 14: How do you fix human nature?

Short answer: you don't.

Longer answer:
– Audit periodically, frequently, or when asked for
– Tell your staff that you audit
– Act on the audit and discipline when a problem is found
– Automate the process as much as is possible
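Pages 12 through 14 argue that record-access audits only work when they are automated, and that the hard cases (a relative with a different last name, a neighbor around the corner) need more than a name match. The Python script below is an added example written for this page, not code from the presenter or from any EMR vendor. It runs a targeted audit over a constructed access log using the relationship checks the slides describe: the user's own record, a shared last name, a home-location distance check standing in for the "load Google Maps into the audit" idea, and a watch list for high-profile patients; it also draws a reproducible random sample for the random audits. The employee and patient records, their coordinates, the 0.5 km neighbor radius and the watch list are all constructed assumptions.

```python
import math
import random
from dataclasses import dataclass, field

# ---- Constructed sample data (illustrative only, not from the presentation) ----

@dataclass(frozen=True)
class Person:
    ident: str        # user ID for staff, MRN for patients
    last_name: str
    lat: float        # home coordinates, e.g. geocoded from the address on file
    lon: float

EMPLOYEES = {
    "jdoe":   Person("jdoe",   "Doe",   44.9500, -93.0900),
    "msmith": Person("msmith", "Smith", 44.9800, -93.2700),
    "rlee":   Person("rlee",   "Lee",   44.9000, -93.2000),
}

PATIENTS = {
    "MRN001": Person("MRN001", "Doe",    44.9510, -93.0910),  # jdoe's own chart
    "MRN002": Person("MRN002", "Doe",    44.7000, -93.5000),  # shares jdoe's last name
    "MRN003": Person("MRN003", "Jones",  44.9805, -93.2712),  # lives around the corner from msmith
    "MRN004": Person("MRN004", "Garcia", 44.8000, -93.0000),  # high-profile admission
    "MRN005": Person("MRN005", "Nguyen", 45.1000, -93.4000),  # no relationship to anyone
}

# Staff who are also patients (registration/HR would supply this mapping)
OWN_RECORD = {"jdoe": "MRN001"}

# Patients placed under targeted audit, e.g. after a celebrity stay
WATCH_LIST = {"MRN004"}

# (timestamp, user_id, mrn) rows, as an EMR audit trail might export them
ACCESS_LOG = [
    ("2007-10-10T09:12", "jdoe",   "MRN001"),
    ("2007-10-10T09:15", "jdoe",   "MRN002"),
    ("2007-10-10T10:02", "msmith", "MRN003"),
    ("2007-10-10T11:30", "rlee",   "MRN004"),
    ("2007-10-10T12:00", "rlee",   "MRN005"),
]

NEIGHBOR_RADIUS_KM = 0.5   # assumption: how close counts as "neighbor"


@dataclass
class Finding:
    timestamp: str
    user: str
    mrn: str
    reasons: list = field(default_factory=list)


def distance_km(a: Person, b: Person) -> float:
    """Great-circle distance between two home locations (haversine formula)."""
    r = 6371.0
    p1, p2 = math.radians(a.lat), math.radians(b.lat)
    dphi = p2 - p1
    dlam = math.radians(b.lon - a.lon)
    h = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * r * math.asin(math.sqrt(h))


def reasons_for(user_id: str, mrn: str) -> list:
    """Audit reasons that apply to one access; empty list means nothing to follow up."""
    staff, patient = EMPLOYEES.get(user_id), PATIENTS.get(mrn)
    if staff is None or patient is None:
        return ["user or patient not in directory"]   # worth a look in itself
    reasons = []
    if OWN_RECORD.get(user_id) == mrn:
        reasons.append("own record")
    if staff.last_name.casefold() == patient.last_name.casefold():
        reasons.append("same last name")
    if distance_km(staff, patient) <= NEIGHBOR_RADIUS_KM:
        reasons.append(f"lives within {NEIGHBOR_RADIUS_KM} km")
    if mrn in WATCH_LIST:
        reasons.append("patient on watch list")
    return reasons


def audit_access_log(log) -> list:
    """Targeted audit: every access with at least one reason for follow-up."""
    return [Finding(ts, u, m, reasons_for(u, m)) for ts, u, m in log if reasons_for(u, m)]


def random_sample(log, k: int, seed: int = 0) -> list:
    """Random audit: a reproducible sample of accesses for manual review."""
    return random.Random(seed).sample(list(log), k)


if __name__ == "__main__":
    for f in audit_access_log(ACCESS_LOG):
        print(f"{f.timestamp} {f.user:8} {f.mrn}  -> {', '.join(f.reasons)}")
    print("random sample:", [(u, m) for _, u, m in random_sample(ACCESS_LOG, 2)])
```

The distance check is the part that goes beyond a literal reading of the slides: it needs home addresses geocoded for both staff and patients, which is worth doing once at directory-load time rather than per access. A real deployment would also exclude accesses with a documented treatment relationship before flagging anything.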

Page 15: In summary…

Anyone you hire should be reasonably teachable.
Make your expectations known at orientation.
Follow up periodically.
MOST will meet expectations.
Get rid of those who don't…

Page 16: Users don't take data security seriously

Most work sites, nursing units, and such are like swamps with alligators.

You know what your highest priority is and it is NOT data security.

Page 17: Users ignore security policies

Security Policies Often Go Unheeded (December 6, 2007)

A survey of nearly 900 IT security professionals conducted by the Ponemon Institute found that many workers do not abide by established security policies, either because they are unaware of the policies or because they find them inconvenient. More than half of respondents admitted to having copied confidential company data onto USB drives although 87 percent said they knew the practice violated company policy. Nearly half of respondents said they share passwords with colleagues; two-thirds said sharing passwords violates policy at their organizations. One-third of respondents said they had sent work documents as attachments; almost half of respondents were unsure whether doing so violated their companies' policies. Sixty percent of respondents said their companies had no formal policy that prohibits installation of personal software on work machines. Almost half said they had downloaded software, including P2P programs, onto company computers.

http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9051483&source=rss_topic17

Page 18: Even IS contractors don't think securely…

Stolen Laptop Holds Patient Data; Contractor Violated Policy (December 10, 2007)

Approximately 45,000 patients who were treated at Sutter Lakeside Hospital in Lakeport, California have been notified by letter that their personal information has been compromised. The data were being transferred from one secure system to another during an equipment upgrade; a contractor violated hospital policy by downloading the data to a laptop computer that was later stolen. The hospital has terminated its relationship with the contractor, who had been hired for a special IT project. The compromised data include names, addresses, dates of birth, Social Security numbers (SSNs), and in some cases billing and diagnosis information.

http://www.record-bee.com/local/ci_7687954

Why wasn't the laptop encrypted???

Page 19: Lost Flash Drive

http://wcco.com/local/doctor.patient.information.2.642107.html

A provider had a flash drive with over 3000 patient histories on it.
Policy said it should be encrypted – it was not.
It got lost…
This was a fertility clinic, need I say more?

Page 20: Backups…

We all agree that our systems need some sort of backup.
What happens when we apply that to our personal hard drives and home-based systems?
How many of us have our systems fully backed up in case they fail?

Page 21: From SANS NewsBites

Backups are really important:

"People keep telling me backups on laptops, backups on the local drive are the user's responsibility. However, in all my days, I haven't yet met a responsible user, so I don't see making it the users' responsibility makes sense."

12/7/07

Page 22: This was sent from someone's e-mail because they walked away still logged in…

Be sure you log out or things like this may happen to you. I received this, I did not actually send it!

Page 23: Panic post to HIPAAlive

An office manager got this message: "Apparently one of your employees went on to a P2P music file sharing site, and accidentally published the My Documents folder. You will want to locate the computer in question, and have the P2P program removed."

I heard about this vulnerability months ago on WTMJ radio with the news guy calling people whose SSN was viewable on line. Not exactly a security geek thing…

Page 24: So, what do you do about it?

I don't have a good answer.

Training, but balance too little vs. too much
– Remember the boy who cried wolf
– You do want people to pay attention

Reminders
– Be careful about frequency (see above)
– Nothing gets attention better than a nearby horror story…

Page 25: What to do…

Remind users about security when they log in; expect that most will tune you out.
Be sure you have policies about system use written clearly and easily available, even if no one actually reads them.
There is no reason for P2P file sharing in our workplaces. Enforce that!
Do security rounds and point out problems that you see.
Be sure that security policies are practical and enforceable.

Page 26: Passwords are a pain.

I was told a story about an IRS auditor. Their stuff needs to be really secure, obviously. Each application has a different user ID and password. So far that is clumsy, but not bad. So that they did not get forgotten, he kept a notebook of all passwords in his briefcase. The laptop was also in the briefcase.

As the person who told this said, this was secure until the briefcase got lost or stolen and found by someone with a crowbar.

Page 27: Password audit

I did an audit of the passwords used in our Meditech system. I can print a report that lists them without user IDs so nothing really gets compromised.

Our minimum length is 5 characters.

Length  Count  Percent
5       446    28.30
6       474    30.08
7       274    17.39
8       220    13.96
9       103     6.54
10       35     2.22
11       13     0.82
12        5     0.32
13        3     0.19
14        3     0.19

Page 28: Password audit

Dictionary words: 17
Names: 39
Word and single digit: 13
All same character: 3
All digits: 6
Better than the above: 27 (does not mean good)

This is the first two pages of a list of passwords from our system. I think our users are no less creative than anyone else.
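Pages 27 and 28 describe the two halves of the password audit: a length histogram against the 5-character minimum, and a classification of each password into dictionary words, names, word-plus-single-digit, repeated characters, all digits, or "better than the above". The Python below is an added example, not the presenter's own Meditech report: it automates both halves over a constructed list of passwords. The tiny dictionary and name lists stand in for the real wordlists an auditor would load, and the order in which the categories are tested (so that each password lands in exactly one) is an assumption of this example.

```python
from collections import Counter

# Constructed, deliberately tiny wordlists: a real audit would load a full dictionary
# and a names file (for example a census surname/first-name list) instead
DICTIONARY = {"summer", "password", "nurse", "hospital", "welcome", "monday"}
NAMES = {"jordan", "michael", "sarah", "emily", "david"}

MINIMUM_LENGTH = 5   # the site minimum stated on page 27

# Constructed sample of the kind of list the slide describes (no user IDs attached)
SAMPLE_PASSWORDS = [
    "aaaaa", "12345", "summer", "sarah", "nurse1", "abcd",
    "Emily7", "2MT2C", "Hosp!tal9x", "password", "111111",
]


def classify(password: str) -> str:
    """Place a password in exactly one of the slide's classes.

    Tested in this order (an assumption): repeated character, all digits, dictionary word,
    name, word or name followed by one digit, and everything else.
    """
    low = password.lower()
    if len(set(low)) == 1:
        return "all same character"
    if low.isdigit():
        return "all digits"
    if low in DICTIONARY:
        return "dictionary word"
    if low in NAMES:
        return "name"
    if low[-1:].isdigit() and (low[:-1] in DICTIONARY or low[:-1] in NAMES):
        return "word and single digit"
    return "better than the above"   # not necessarily good, just not in a trivial class


def length_table(passwords):
    """Rows of (length, count, percent), like the table on page 27."""
    counts = Counter(len(p) for p in passwords)
    total = len(passwords)
    return [(n, c, round(100.0 * c / total, 2)) for n, c in sorted(counts.items())]


def category_counts(passwords):
    """How many passwords fall into each class, like page 28."""
    return dict(Counter(classify(p) for p in passwords))


def below_minimum(passwords, minimum=MINIMUM_LENGTH):
    """Passwords the system should never have accepted under the stated length policy."""
    return [p for p in passwords if len(p) < minimum]


if __name__ == "__main__":
    print("Length  Count  Percent")
    for n, c, pct in length_table(SAMPLE_PASSWORDS):
        print(f"{n:<7} {c:<6} {pct:.2f}")
    for cat, c in sorted(category_counts(SAMPLE_PASSWORDS).items()):
        print(f"{cat}: {c}")
    print("below minimum length:", below_minimum(SAMPLE_PASSWORDS))
```

The report on page 27 is only possible because the system can print passwords back in clear text; on a system that stores only password hashes, the same classification has to run at password-change time against the candidate password, which is also the point at which rejecting a weak choice is most useful to the user.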

Page 29: My favorite…

From the list that I looked at, my favorite "good" password was 2MT2C.

It could be longer but…
– It would be hard to guess
– It would be easy to remember
– It would be hard for a password cracking program to figure out

It also gives no hint about the person's user ID.

It expired by the time you see this…

Page 30: How long should they last?

30, 60, 90, 120, 180, 270, 365 days
Never expire
– Think about the PIN for your ATM

Think about the risks of shoulder surfing or other password stealing schemes.
Think about the pain of frequent password changes.
Balance it all together and pick a number that your organization is comfortable with.

Page 31: Problems

Most users will not pick good passwords.
Some users will forget their password.
Some users will write their password down where it can get found.
– Ban Post-it notes (I know it's not possible)
– Check under mouse pads
Password cracking programs are easily available to those who want them.

Page 32: So what do you do about this?

Keep your training positive
– Wrong: If you make bad passwords, the HIPAA police will get you
– Right: Good passwords protect your privacy as well as your patients' privacy
– Wrong: Bad passwords lead to bad care
– Right: Good security is good patient care

Concept blatantly stolen from Tom Walsh's recent HIMSS presentation.

Page 33: So what do you do about this?

Alternatives
– RFID proximity devices
– Fingerprint readers
– Iris scanners
– Palm scanners
– Secure Roaming (my current favorite)

If you must use passwords, train users about good ones.

Page 34: Cool new product…

BioPassword
– Works by carefully measuring how individuals type their password
– Vendor offered cash to anyone who could type his password; no one could…
– Based on a concept developed in WWII to monitor where Morse Code operators had moved to

Page 35: Adding and deleting users must be taken seriously.

People change jobs
– How's that for stating the obvious?

When they start a new job they need access.
When they move within the organization they need changed access.
When they leave, access needs to go away.

If not done right, there can be problems…

Page 36: Recently…

(August 27, 2007) A federal jury has convicted Jon Paul Olson of intentionally damaging protected computers. Olson left his job at the Council of Community Health Clinics (CCC) in San Diego after he received what he believed to be a negative performance evaluation. Several months after his resignation, Olson deleted patient data that belonged to the North County Health Services (NCHS) clinic, causing financial losses at both CCC and NCHS. Olson had worked for CCC as a network engineer and technical services manager.

Page 37: My editorial comments

This happened months after he left; his access should have been long gone.
We had auditors and JCAHO inspectors specifically ask about our procedures for inactivating employees who have left us.
Get this done right!
To do that you need a process and some forms.

Page 38: Our new user form

[Image of the new user request form, with callouts: "Signature required!", "Copy existing staff carefully!", "Date when completed", "End Date if needed".]

Page 39: Problems

Directors do not know what their staff has access to.
– Probably should
– Don't really

Then there are those users who stay casual in their old department, and IS has to figure out how to combine their old job with the new one.
– Talk about time wasters…

Page 40: Problems

People's job functions change even if their job description does not.
– I get calls from directors asking for additional routines for users all the time
– I tell them to get it to me in writing (usually Outlook mail)

This creates problems when they tell you to copy into a new user. Does this new person really need the same special routines? Sometimes yes, others no.

Page 41: Generic User Templates

We discussed setting up inactive model users for copying to new ones.

We decided not to do this
– Too many job descriptions to be maintained
– Difficult to keep up to date
– Not enough time to devote to the set up of these

YMMV

If this might work for you, great!

Page 42: Non-employees with access

Nursing home staff
– We give nursing home staff very limited access. They can only see their own patients.
– Instead of the form they can either fax me their employee's full name on their letterhead or
– E-mail me the detail using their business address

Twice each year I list all their users and send a copy to the nurse director to verify that they are still employed there.

Page 43: Security and Your Users Top 5 user pitfalls and how to avoid them

Others…Others…

Contract employeesContract employees

StudentsStudents

TempsTemps

We require the same form as all others to We require the same form as all others to get them into our systems.get them into our systems.

No standard way to make sure they get terminated

Page 44

Problems

Since temps, contract employees, and students are not in PP, they do not automatically show up
We do ask the anticipated last date on the form requesting access
I put a task in Outlook to pop up and remind me to follow up on these.
We have a separate spreadsheet to track them
Getting directors to remember is a challenge

Page 45

Removing access

Employees leave
– They get better jobs
– They retire (best job of all…)
– They have children and can’t work outside the home (working hard enough there)
– They get downsized
– They get fired
– They get outsourced (I know from experience)

Page 46

You need a process here

Do NOT trust the director to tell you when someone leaves

When someone resigns, the director usually wants a replacement

For that they need to talk with HR

When someone is fired, outsourced, or laid off, HR needs to be involved

HR loves paper…

Page 47

Our process

Each MIS area has manual procedures to inactivate access for terminated users
I would like to automate the whole process. I think I can do it with a script
Example of spreadsheet is below

Eff. Date | Name             | Dept                | Network ID | Meditech    | MisysHFMD | OM | webMD | qs1Mestamed
24-Mar-07 | Employee,Leaving | Employee Assistance | UserID     | MT Mnemonic | na        | na | na    | na

Page 48

Unfriendly termination

Sometimes this process is not fast enough
Employees get fired for a variety of reasons
– We have terminated employees for viewing records that they did not need to see and did not have authorization to view

When that happens HR is required to give the MIS director a call to inactivate all access.
– If not available, the call goes to our network manager

There cannot be a delay…

Page 49

Our system

To make this work we combine features of:
– Meditech PP module
– Kronos
– Shams Data Repository
– Microsoft Excel
– Microsoft Outlook

And the programming skills of our DBA
– Don’t ask me the details…

Page 50

Our process

If someone resigns
– HR gets a paper resignation
– Their status in Meditech PP is changed to “pre-terminated”
– This generates an Outlook message noting the change and puts the name in our resignation spreadsheet
– A last date is listed also

The day after the last date, an e-mail (Outlook) is generated that states that the employee’s Active Directory entry has been terminated

Page 51

Failsafe

Our system works great most of the time

Some resignations get missed
– Director doesn’t send paperwork to HR until after the person is gone
– Casual employees just sort of get dropped

As a failsafe we get a paper list of all employee changes from HR

It is late, but at least it gets everyone
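The script the deck says it would like to write, as an added example that is not part of the original presentation and not the DBA's code: it reads the resignation spreadsheet (the slide 47 layout, saved as CSV with a LastDate column added), disables every Active Directory account whose last day has passed, and, as the failsafe, reports enabled accounts that do not appear on HR's roster, which also surfaces the temps, contractors and students from slide 44 who never show up in PP. The ActiveDirectory PowerShell module, the file paths, the column names, the exempt-account list and the mail settings are all assumptions.

```powershell
# Added example, not the deck's own script: nightly account deprovisioning
# and reconciliation for the process on slides 44-51.
# Assumptions (all hypothetical): the ActiveDirectory module is available,
# the resignation spreadsheet is exported as CSV with the slide-47 columns
# plus a LastDate column in the 24-Mar-07 style, the HR change list is a
# CSV with a NetworkID column, and the paths and mail settings are placeholders.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$TrackingCsv = 'C:\MIS\resignations.csv',      # hypothetical path
    [string]$HrRosterCsv = 'C:\MIS\hr_active_roster.csv',  # hypothetical path
    [string]$ReportTo    = 'mis-director@example.org',     # hypothetical address
    [string]$SmtpServer  = 'smtp.example.org'              # hypothetical host
)

Import-Module ActiveDirectory -ErrorAction Stop

$today = (Get-Date).Date
$log   = [System.Collections.Generic.List[string]]::new()

# 1. Scheduled terminations. "The day after the last date" on slide 50
#    means the account is due once LastDate is strictly before today.
foreach ($row in Import-Csv -Path $TrackingCsv) {
    $lastDate = [datetime]::ParseExact($row.LastDate, 'dd-MMM-yy',
                                       [cultureinfo]::InvariantCulture)
    if ($lastDate -ge $today) { continue }                 # not due yet

    # -Identity looks the name up directly; never splice spreadsheet cells
    # into an LDAP -Filter string, since a stray quote would break (or widen) it.
    try   { $user = Get-ADUser -Identity $row.NetworkID -ErrorAction Stop }
    catch { $user = $null }
    if (-not $user) {
        $log.Add("MISSING  $($row.NetworkID) ($($row.Name)): no AD account found")
        continue
    }
    if (-not $user.Enabled) { continue }                   # already handled

    if ($PSCmdlet.ShouldProcess($user.SamAccountName, 'Disable-ADAccount')) {
        Disable-ADAccount -Identity $user
        # Leave an audit trail on the object itself so the change can be tied
        # back to the HR paperwork later.
        Set-ADUser -Identity $user -Description "Disabled $($today.ToString('yyyy-MM-dd')); last day $($row.LastDate) per HR"
        $log.Add("DISABLED $($user.SamAccountName) ($($row.Name)), last day $($row.LastDate)")
    }
}

# 2. Failsafe. Any enabled account that is not on HR's active roster is an
#    orphan: a temp, contractor or student who was never in PP, or a
#    resignation whose paperwork arrived late. Report, do not disable, because
#    service and vendor accounts are also absent from the HR list.
$roster = @{}
foreach ($r in Import-Csv -Path $HrRosterCsv) { $roster[$r.NetworkID.ToLower()] = $true }
$exempt = @('administrator', 'krbtgt')                     # extend with local service accounts

Get-ADUser -Filter { Enabled -eq $true } -Properties LastLogonDate |
    Where-Object { -not $roster.ContainsKey($_.SamAccountName.ToLower()) -and
                   $exempt -notcontains $_.SamAccountName } |
    ForEach-Object {
        $log.Add("ORPHAN   $($_.SamAccountName) ($($_.Name)) enabled but not on HR roster; last logon $($_.LastLogonDate)")
    }

# 3. The Outlook notice the deck describes, sent by the script, plus a local
#    copy for the auditors.
$body = if ($log.Count) { $log -join "`n" } else { 'No accounts due and no orphans today.' }
$body | Out-File -Append -FilePath "C:\MIS\deprovision-$($today.ToString('yyyyMMdd')).log"
Send-MailMessage -From 'deprovision@example.org' -To $ReportTo `
    -Subject "Account deprovisioning $($today.ToString('yyyy-MM-dd'))" `
    -Body $body -SmtpServer $SmtpServer
```

Run it once with -WhatIf from a scheduled task account that has only the right to disable users in the staff OUs; with -WhatIf it prints what it would disable without touching anything. It only covers the Network ID column of the spreadsheet; the Meditech, Misys and other columns still need the manual steps each MIS area already has.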

Page 52

Physical Security: Don’t forget about it!

Page 53

Stolen Laptop Had 268,000 Social Security Numbers

ST. PAUL (AP) ― A Twin Cities blood bank says a laptop computer with 268,000 names and Social Security numbers has been stolen.
Memorial Blood Centers said Wednesday it has begun notifying blood donors of the theft, but they should monitor their financial accounts as a precaution. The laptop computer was taken on Nov. 28 in downtown Minneapolis during preparations for a blood drive.
Dec 5, 2007

Page 54

--Hospital Server Room Overheats, Destroys Equipment

Internal auditors are conducting an investigation at St. James Hospital in Leeds to discover the reasons a server room overheated, permanently damaging GBP 1 million (US $2.04 million) worth of equipment. The system in the room was designed to store patient x-rays but had not yet gone live, so patient care was not affected by the incident.
http://www.theregister.co.uk/2007/09/27/leeds_server_overheat/print.html
[Editor's Note (Grefer): Whenever feasible, build in redundancy in your A/C setup. Operating a single A/C unit at full power reduces its life expectancy and creates a single point of failure. In case such a setup is not feasible, at least invest in heat sensors and a system that allows for automatic shutdown of non-critical systems early on as well as automatic shutdown of critical systems at the last minute.]

(September 27, 2007) SANS NewsBites

Page 55

BlackBerries
Q: Ask the expert: Is it appropriate for caregivers, such as nurses and physicians, to use Blackberries to e-mail patient data?

A: The answer is an easy one: most definitely not. Blackberries generally transmit messages via mobile services, such as Verizon and AT&T, for example. Messages sent via cell phone, Blackberries, or smart phones are not secure. Someone knowledgeable can easily intercept messages. Unless an organization contracts with a mobile service provider that offers an encrypted channel (and most do not), sending patient information via a Blackberry is almost worse than sending an unencrypted e-mail or instant message.

This Q&A was adapted from the December 2007 issue of Briefings on HIPAA.

Again, remember the physical security of your devices.

Page 56

Flash Drives…

--Flash Drive Left in Swedish Library Holds Sensitive Military Data (January 4, 2008)

That person could face up to six months in prison.

The Security Work Group just posted a white paper on portable media.

Page 57

This may be stating the obvious, but…

Back up everything. Store it securely.

If it has PHI and is portable, encrypt it.

Keep a copy of everything important off-site

Lock your server room doors

Log out or lock your PC when away from it

Securely dispose of old data devices

Page 58

Train your users that:

- computers belong to the healthcare organization
- anything produced or accessed on the computer belongs to the healthcare organization
- there is no expectation of privacy for anything on the computers
- all computers and all users may be subject to routine audits and, when necessary, investigations, performed without their permission, but always with a supervisor’s oversight

Stolen from: Greg Young, CHP, Mammoth Hospital

Page 59

In conclusion…

Hire carefully
– Not always easy to do

Have clear, readable policies and live by them

Train carefully

Audit

Retrain/reinforce training

Page 60

Thanks to:
– Caretech Solutions (my bosses) for letting me come here
– Microsoft for clip art
– SANS, MLO, HIPAAlive, and others for news items
– All of you for listening to me

Questions…