The HIPAA Implementation Newsletter - Issue #39 – Friday, August 9, 2002

Posted: Aug 12 2002
Hal Amens



Security: Wireless Networks and Devices

“Wireless networks and devices are not as secure as the government needs them to be, and they won't be anytime soon … Existing standards — such as the IEEE 802.11 — do not provide enough security, and the stories of people accidentally or deliberately picking up signals transmitted by wireless devices are all too true, experts from government and the private sector said at a July 30 conference … ‘The word is getting out ... that we do have a wireless security problem,’ Richard Clarke, President Bush's cyberspace security adviser and chairman of the Critical Infrastructure Protection (CIP) Board, said at the conference, co-sponsored by the Information Technology Association of America and the Center for Strategic and International Studies. ‘One of the crosscutting issues … is wireless security and the potential instability of the Internet as more and more Web-enabled wireless devices connect to it.’ Katherine Burton, assistant deputy manager of the DOD National Communication System, said … ‘the security and priority concerns must be addressed at every portion of a wireless network, not just the end devices.’”

www.fcw.com


Security: Wireless LANs

“Like it or not, wireless LANs based on IEEE 802.11 are worming their way into enterprise networks. Road warriors are taking advantage of wireless "hot spots" at airports and hotels. Teleworkers are dropping wireless gateways behind DSL and cable modems at home. Once employees get hooked on the convenience of high-speed wireless, they become advocates for WLAN access back at the office.

“Studies by Gartner Group and INT Media Research speculate that one in five enterprises have already been infiltrated by "rogue access points." Left unchecked, unauthorized WLANs can rip gaping holes in your network's security perimeter. Visitors and neighbors can unwittingly join your network … Corporate policies that prohibit WLAN access are shortsighted. WLANs can increase business efficiency by overcoming IT barriers. Access points can be dropped into hard-to-wire locations, providing instant, flexible network connectivity. Anecdotal evidence and research surveys demonstrate that authorized WLANs can be productive. The trick is to avoid unauthorized, unsecured WLANs.

“Start with a company policy that defines appropriate use of 802.11 wireless and provides guidance on secure deployment. [For tips and tools, follow the link below.]

“An INT Media Research survey asked WLAN users to identify security "anomalies" experienced by their company during the past year. About 17% of those surveyed reported at least one incident involving rogue APs or wireless stations associating with the wrong AP. A similar percentage reported war driving or active intrusions on their WLAN. Every security incident -- whether induced by self-testing, a third-party audit, or an actual attacker -- should be a lesson learned. Combining a solid security policy with continuous improvement can help you make the best of this promising new WLAN technology.”

searchsecurity.techtarget.com


Security: Pocket PCs

Microsoft has published a paper that looks at security threats related to mobile devices as well as the different features and applications that exist for Pocket PCs to counter those threats. It also looks at security policies and procedures for mobile devices, technologies for securing access to a device, encrypting data and communication links, and remotely managing volume deployments.

www.microsoft.com


Security: Policing Policies

“There is no standardized, sure-fire way to enforce user security policies. That leaves lots of room for creativity and even more room for error, according to Todd Lawson, president and CTO of NetVision, Inc., a security management software company. To help IT managers define goals and avoid common security enforcement mistakes, he offered these tips.

* Do focus on user activities. Policies must focus on user activities, particularly activities of authenticated users inside the firewall … Internal security holes are usually created by people, not technology.

* Do detect events in real-time. … Proactive, real-time detection identifies policy breaches in time to stop them before the damage is done.

* Do establish an ironclad policy breach response process. Being able to execute a pre-defined action in response to the policy breach is most critical.

* Do set up a three-phase policy enforcement process: correct, alert and audit. First, establish a way to quickly correct or restore what was changed by the policy violation. Then, set up a policy enforcement system that notifies both the user and management when a violation occurs. It must educate the user as to what policy was violated and how to comply in the future. Finally, be sure to log and audit the event to verify what happened, who did it, when it was done and what resulted. This creates awareness and a future deterrent. It also documents a secure audit trail which can be used as forensic evidence in court if needed to prove that the event took place and when.

* Do customize event filtering. Internal security risks fall into three general categories: mistakes, intentional mischief and user ignorance ... Security policy breaches can range in seriousness from "innocent" to "suspicious" to "malicious." Set up a good policy management process for filtering and categorizing events as they are detected.”

searchsecurity.techtarget.com


Security: Trends in Viruses

“This year might seem like a summer break compared to last year's swarm of viruses, including Code Red and Nimda. But experts say that viruses and the mechanisms for spreading them continue to evolve. … virus writers continue to blend hacking techniques with worms and trojans -- hidden programs designed to open back doors into unprotected systems ... Virus technology is becoming more complex and difficult to spot, according to experts, who see malicious code working its way onto the Internet and, increasingly, onto … wireless networks.

“Senior director for Symantec Security Response Vincent Weafer … said that virus payloads are becoming more complex and that by using metamorphic or polymorphic abilities, viruses are able to change their signatures to avoid the fingerprint-type filtering that most antivirus applications employ. He also said that while there have not yet been many high-profile cases, viruses will likely have an impact on … wireless platforms. "We're going to see more of those as these devices become more popular around the world," Weafer said, referring to wireless worms that have emerged in Japan.

“McAfee.com virus research manager April Goostree … said that another troubling virus trend is the emergence of viruses that specifically target antivirus or other defensive security measures, pointing to the Yaha worm, which "disabled an awful lot of antivirus and firewalls" in June. "This shows how you have to think beyond antivirus to comprehensive security -- firewalls, authentication -- and a lot of it is policy," she said. "There is no one technology; you need a combination of these on your machine."

www.newsfactor.com


Project Contingency Planning: Privacy Timelines

The privacy regulations require policies on a number of topics related to the use and disclosure of PHI (protected health information). The regulations define and require the use of some specific terms so even the best privacy policies will require some tailoring. For most organizations, HIPAA requires new privacy policies in some or many areas. At a high level, writing policies and procedures is not particularly difficult, but there are devils in the details.

In any large organization, particularly large organizations where some employees are represented by unions or strong professional associations, it will take time to gain consensus and get formal approval for changes. After you have formal approval, you can begin to develop material to be used to train employees. And then, you need time to deliver the training.

“§ 164.530 Administrative requirements. (b)(1) Standard: training. A covered entity must train all members of its workforce on the policies and procedures with respect to protected health information required by this subpart, as necessary and appropriate for the members of the workforce to carry out their function within the covered entity. (2) Implementation specifications: training. (i) A covered entity must provide training … To each member of the covered entity's workforce by no later than the compliance date for the covered entity;” i.e., April 14, 2003.

Eight months to develop policies and procedures, get them approved, develop training material and deliver the training -- in that sequence -- is not a long time. Unless you are certain you can meet the compliance date, we recommend you prepare a schedule for each policy and procedure showing the time required for development, approval, training material and training delivery. Be realistic. This is an exercise to determine whether or not your organization has a problem and, if necessary, to begin mitigating the risk associated with that problem.

If you haven’t already ranked the policies in terms of the risks associated with late implementation, do that now. Consider both the impact on operations and the legal impact. It would be a good idea to review your ranking with legal counsel. (See lpf.com.) Then rearrange the way available resources are being used so that the most important policies are addressed first. Maximize compliance and minimize the risk of being late.
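As an added illustration of the schedule exercise above (not part of the newsletter), the following Python sums the four sequential phases for each policy, compares the finish date with the April 14, 2003 compliance date, and lists the policies in order of the risk rank you assigned to late implementation. The policy names, phase durations and ranks are constructed sample values; the planning start is the newsletter's posting date.

```python
"""Added example, not part of the newsletter: a schedule check for the
procedure described above. Each policy's four sequential phases
(development, approval, training material, training delivery) are summed,
the finish date is compared with the privacy compliance date, and the
policies are listed in order of the risk rank assigned to late
implementation. Policy names, durations and ranks are constructed."""
from datetime import date, timedelta

COMPLIANCE_DATE = date(2003, 4, 14)   # deadline quoted from Sec. 164.530
NEWSLETTER_DATE = date(2002, 8, 12)   # planning start used in the demo below
PHASES = ("development", "approval", "training_material", "training_delivery")

# Constructed sample: calendar days per phase (in PHASES order) and a risk
# rank, where 1 = the policy whose late implementation hurts most.
POLICIES = {
    "notice_of_privacy_practices":  {"rank": 1, "days": (30, 45, 20, 60)},
    "minimum_necessary":            {"rank": 2, "days": (45, 75, 30, 120)},
    "patient_access_to_phi":        {"rank": 3, "days": (20, 30, 15, 30)},
    "business_associate_contracts": {"rank": 4, "days": (60, 90, 30, 60)},
}

def finish_date(start, days):
    """Phases run one after another, so the finish is start plus all four."""
    return start + timedelta(days=sum(days))

def schedule_report(start, policies=POLICIES, deadline=COMPLIANCE_DATE):
    """One row per policy, highest risk rank first. slack_days is the margin
    before the deadline (negative when the policy will be late) and
    latest_start is the last day the policy could begin and still comply."""
    rows = []
    for name, p in policies.items():
        total = sum(p["days"])
        end = finish_date(start, p["days"])
        slack = (deadline - end).days
        rows.append({"policy": name, "rank": p["rank"], "finish": end,
                     "slack_days": slack, "late": slack < 0,
                     "latest_start": deadline - timedelta(days=total)})
    rows.sort(key=lambda r: r["rank"])
    return rows

def at_risk(start, **kw):
    """Policies that miss the compliance date, highest risk rank first."""
    return [r["policy"] for r in schedule_report(start, **kw) if r["late"]]

if __name__ == "__main__":
    for r in schedule_report(NEWSLETTER_DATE):
        print(f"{r['rank']} {r['policy']:<30} finish {r['finish']} "
              f"slack {r['slack_days']:+d} latest start {r['latest_start']}")
```

With the sample durations, only the minimum-necessary policy misses the date, and the report shows it would have had to start on 2002-07-18; that is the signal to move resources from lower-ranked policies.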


Internet: Physician Use, AMA

“A new study by the AMA revealed that almost half of physicians feel that the World Wide Web has had a major impact on the way they practice medicine. The rising influence of the Internet on clinical medicine has propelled an increase in the frequency and duration of Web use among the 78 percent of physicians who now make use of cyberspace. … 3 of 10 physicians using the Internet currently have a Web site; and an examination of medical specialists who use the Web reveals that Web site development has been most prevalent among physicians in obstetrics/gynecology and internal medicine.”

www.ama-assn.org


Privacy: Lighter Side

A little lady called the hospital. She said, “Hello, darling, I'd like to talk with the person who gives the information regarding your patients. But, I don't want to know if the patient is getting better, or doing like expected, or worse. I want to know all the information from top to bottom, from A to ZZZ.” The voice on the other end of the line said, “That's a very unusual request. ... What is the patient's name and room number?” She said, “Yes, darling! I'd like to know the information about Sarah Finkel, in Room 302.” He said, “Finkel, Finkel. Let me see. Farber, Feinberg, Finkel. Oh, yes. Mrs. Finkel is doing very well. In fact, she's had two full meals, had a good bowel movement, her urine looks good, her blood pressure is fine, her blood work just came back as normal, she's going to be taken off the heart monitor in a couple of hours, pretty much tip top and if she continues this improvement, Dr. Cohen is going to send her home Tuesday at twelve o'clock.” The woman said, “Thank God! That's wonderful! Oh, thank God! Her test came back normal, she's getting off the heart machine in a couple of hours you say. Oh! that's fantastic, darling! And she is being released tomorrow at twelve o'clock! I'm so happy to hear that! ... That's wonderful news! Thank you, young man, for your information!” The man on the phone said, “From your enthusiasm, I take it you must be a close family member or a very close friend!” She said, “What close family or friend? I AM Sarah Finkel in 302! Cohen, my doctor, tells me nothing.”


Updates

We have added a new category to the Privacy and Security page: Check Lists.

lpf.com

HIPAA Conferences

The HIPAA Colloquium at Harvard University, August 19 - 23, 2002 in Cambridge, MA. The HIPAA Colloquium is well known for its intensity and advanced approach. … this summer's Colloquium focuses on practical workshops to assist organizations in meeting HIPAA compliance deadlines. The Colloquium is also offering special registration rates for groups of three or more from an organization's HIPAA compliance team. www.HIPAAColloquium.com

The fifth National HIPAA Summit, October 30 - November 1, 2002 in Baltimore, MD, www.HIPAASummit.com
