Friday, July 8, 2011

UCLA Health System Settles Potential HIPAA Privacy and Security Violations

The Department of Health and Human Services reached its third settlement this year with a healthcare organization for violations of the HIPAA regulations when UCLA agreed to pay $865,000 to resolve charges that employees were inappropriately snooping into the records of celebrity patients.

In the previous settlements of 2011, Massachusetts General agreed to pay a fine of $1,000,000 and Cignet Health of Prince George's County agreed to a fine of $4,300,000. Clearly HHS is taking these violations much more seriously than it did in the first 14 years of HIPAA's existence.

Organizations that deal with PHI need to have clearly defined policies and procedures to protect patient data, training to make sure that employees are aware of the rules, and, most importantly, methods that can be used to monitor that the policies are being followed. If you are the CISO of a healthcare organization you should be asking yourself questions such as:

  • Are all of the laptops that access our systems encrypted?

  • How do I validate that they are encrypted?

  • Are we monitoring access to patient information?

  • How do we detect inappropriate access to PHI?

The stakes are being raised and the privacy groups within healthcare organizations have to respond accordingly.
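One way to start answering the last two questions, as an added example that is not part of the original post: a minimal detection rule run over constructed EHR audit-log lines, using an assumed care-team table and an assumed list of restricted (for example, celebrity) charts. Real audit programs also have to allow legitimate payment and operations access, which this rule does not model.

```python
"""Added example (not from the original post): a minimal audit rule for
spotting inappropriate PHI access in EHR access logs. The log format,
the care-team table and the restricted-chart list are all constructed."""
import csv
from io import StringIO

# Constructed sample audit log: who opened which chart, and the recorded reason.
AUDIT_LOG = """\
timestamp,user,role,patient_id,action,reason
2011-07-01T08:02:11,dr_ng,physician,P100,view_chart,treatment
2011-07-01T08:15:40,nurse_kim,nurse,P100,view_chart,treatment
2011-07-01T09:30:05,clerk_lee,billing,P200,view_chart,
2011-07-01T10:05:22,nurse_kim,nurse,P300,view_chart,
2011-07-01T11:47:09,dr_ng,physician,P300,view_chart,break_glass
"""

# Constructed care-team assignments: staff with a treatment relationship
# to each patient (the usual basis for legitimate chart access).
CARE_TEAM = {
    "P100": {"dr_ng", "nurse_kim"},
    "P200": {"dr_patel"},
    "P300": {"dr_patel"},
}

# Constructed set of charts flagged for heightened monitoring (e.g. VIPs).
RESTRICTED = {"P300"}


def find_suspicious_access(log_text, care_team, restricted):
    """Return (user, patient_id, finding) for each access that needs review."""
    findings = []
    for row in csv.DictReader(StringIO(log_text)):
        user, pid, reason = row["user"], row["patient_id"], row["reason"]
        if user in care_team.get(pid, set()):
            continue  # Treatment relationship exists: normal access.
        if reason == "break_glass":
            # Emergency override is permitted but must be reviewed afterwards.
            findings.append((user, pid, "break-glass access: review"))
        elif pid in restricted:
            findings.append((user, pid, "restricted chart without care-team relationship"))
        else:
            findings.append((user, pid, "no care-team relationship and no justification"))
    return findings
```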

Monday, July 4, 2011

Zero Day by Mark Russinovich

Of course you can tell by reading this blog that I am not a storyteller, and certainly not a novelist. Therefore I preface this review with the caveat that I could not have written Zero Day as well as Mark Russinovich. Zero Day is a thriller surrounding the release of a set of extremely destructive computer viruses. We track the progress of Jeff Aiken, a private security consultant, and Darryl Haugen, a PhD computer scientist from MIT working for the Department of Homeland Security, as they try to identify the viruses, determine a solution, and track down the perpetrators. The main flaws of the novel are that the characters are one-dimensional and the book hits us over the head with a hammer to indicate the potential devastation that society could face as a result of a cadre of determined evildoers exploiting the weaknesses of the Internet and computer systems.

As a technical expert, Mark Russinovich is world famous. He is known to us in the security world as one of the cofounders of Sysinternals, which is one of the key toolsets available to Windows administrators everywhere. With this technical background, Zero Day describes how a set of evil actors could technically wreak havoc on the computer systems of America and Europe.

The story is engaging and suspenseful, and as someone in the security field I was interested to see where the story led us. Without the importance of the subject matter, the risks to our cyber infrastructure, the book would not be that interesting. The storytelling and characters are too shallow. We have "obligatory" love scenes and one of the "usual suspects," a Russian cybercriminal, involved. There is limited character development in the story, and the bureaucrat that Darryl reports to is as helpful as our stereotypes of bureaucrats would lead us to believe. That being said, I believe, as Mark does, that the risks we face are severe and the more coverage they get the better. With that as a backdrop I would recommend this book.

In my opinion, to learn more about the security implications and the deep impact of the Internet on our society, I would first read Daniel Suarez's two-novel set, Daemon and Freedom (TM). These provide a much more nuanced look at the good and bad associated with the Internet and our dependence on it.