Stuff for future security presentation


Security and Your Users
Top 5 user pitfalls and how to
avoid them
Goals
Security is never a popular topic with users.
The goal is to make data secure without burdening staff with stuff that
interferes with business processes.
It's not just about HIPAA!
We should treat personal electronic data with the same care and
respect as weapons-grade plutonium -- it is dangerous, long-lasting
and once it has leaked there's no getting it back. -- Cory Doctorow
FBI study…
50% of security incidents are
caused by insiders
These are people that you trusted
enough to hire.
Or manage security
Top 5 user pitfalls and how to react
to them
Users are curious and gossip.
Users don’t take data security seriously.
Passwords are a pain.
Adding and deleting users must be taken
seriously.
Don’t neglect physical security. (So much
hardware, so easy to walk.)
This is my opinion and is in sort of random
order; no scientific process has been used
Users are curious and they gossip
They want to know
what is happening
around them
Celebrities do show
up, local or otherwise
There are always
friends and neighbors
or exes
For example:
George Clooney
NEW YORK (CNN) -- More than two
dozen employees at Palisades Medical
Center have been suspended after
accessing the personal medical records of
actor George Clooney, who was taken to
the North Bergen, N.J., hospital last month
after a motorcycle accident.
http://www.cnn.com/2007/SHOWBIZ/10/10/clooney.records/index.html
And of course, Britney:
UCLA Medical Center is taking steps to fire at least 13
employees and has suspended at least six others for
snooping in the confidential medical records of pop star
Britney Spears during her recent hospitalization in its
psychiatric unit, a person familiar with the matter said
Friday.
In addition, six physicians face discipline for peeking at
her computerized records, the person said.
http://www.latimes.com/news/local/la-mebritney15mar15,0,1421107.story
MLO Online 12/13/07
Privacy a problem Down Under
Celebrity patients in New Zealand may be lodging
complaints with the country's Privacy Commissioner
since several health workers were found snooping
through the private medical records of patients, including
those of several celebrities. One health worker was
dismissed and up to 20 others disciplined, including
doctors, nurses, and other clinicians. The staff members
have been using what was referred to as a
"revolutionary” electronic records system to access
information, which includes patients' medical notes, X-ray results, laboratory-test results and community lab
tests.
MLO Online 12/13/07
These breaches were picked up in seconds by
electronic audits, which were run regularly after
celebrities had stayed in the hospital to see who
had accessed their records. Random audits
were also run on individual staff to check their
use of the system. Staff has been warned since
the incident that looking up patients under their
care, including neighbors, friends, relatives, their
own children, or themselves, is not acceptable.
One healthcare official said that although the
EMR system had the potential to allow more
access, it also allows for access to be traced
better than the old paper records system.
More frequently…
Users check their own records
family’s records
neighbor’s records
friend’s records
exes' records
(this gets to be a legal problem)
and so on…
Prevention…
Remind users periodically that there is a
proper procedure to follow to get access to
records.
Make that procedure reasonably painless
– But follow state law
Deny access when access not appropriate
Audit accesses and follow up
– Public flogging might be useful but probably is
not constitutional…
Curiosity is good, snooping BAD
Random audits find random problems
– They are hard to do accurately.
– They are virtually impossible to do without software to
manage documentation and provide queries.
Targeted audits are good when someone tells us
about a problem or when celebrities show up.
Just knowing that you do audit cuts down on
violations.
This gets tricky when:
Last names are not the same, especially
with exes.
The organization gets big enough so that
no one knows everybody.
Neighbors live around the corner so street
names are not a tip off.
– Do we load Google Maps into the User
Audits? (Thanks to John Sharpe for that idea.)
Automation is the only way to go.
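An added example, not from the original presentation, of what "automation" can look like for this kind of audit: a short Python script that runs the deck's rules over a constructed EMR access log, skipping accesses by the patient's care team and flagging the rest with the signal that makes them worth a look (an employee opening their own record, a flagged celebrity patient, a shared last name, a shared street). Every identifier, address and log line is constructed sample data, and the care-team, own-record and VIP tables are assumptions about data such an audit would need from the EMR and HR.

```python
"""Added example, not from the original presentation: a small record-access
audit over a constructed EMR access log. Every name, address, user id and log
line here is constructed sample data, and the rules (care team, own record,
same last name, same street, VIP flag) are this example's own assumptions
about how such an audit could be coded."""
import csv
import io
from dataclasses import dataclass


@dataclass
class Person:
    last_name: str
    street: str  # street name only, normalised to lower case


# Constructed staff directory and patient index.
STAFF = {
    "u101": Person("smith", "oak ave"),
    "u102": Person("jones", "elm st"),
    "u103": Person("nguyen", "maple rd"),
}
PATIENTS = {
    "p5001": Person("smith", "oak ave"),
    "p5002": Person("clooney", "vine st"),
    "p5003": Person("garcia", "elm st"),
    "p5004": Person("jones", "main st"),
}
# Link from an employee to their own patient record, where one exists.
OWN_RECORD = {"u101": "p5001"}
# Patients flagged for a targeted audit (celebrities, board members, ...).
VIP_PATIENTS = {"p5002"}
# Staff legitimately assigned to each patient; anything else is reviewed.
CARE_TEAM = {
    "p5001": {"u103"},
    "p5002": {"u103"},
    "p5003": {"u102"},
    "p5004": {"u101"},
}

# Constructed access log: timestamp,user,patient,action
ACCESS_LOG = """\
2007-10-01T08:15:00,u103,p5001,view
2007-10-01T08:20:00,u101,p5001,view
2007-10-01T09:05:00,u102,p5002,view
2007-10-01T09:07:00,u103,p5002,view
2007-10-01T10:30:00,u102,p5003,view
2007-10-01T11:00:00,u101,p5004,view
2007-10-01T11:45:00,u102,p5004,view
"""


def audit(log_text):
    """Return (user, patient, reasons) for each access that needs follow-up.

    An access by a care-team member is expected and is not reported. Any
    other access is reported together with the signals that make it
    suspicious, so the reviewer can prioritise (own record and VIP first,
    a bare name match last).
    """
    findings = []
    for ts, user, patient, action in csv.reader(io.StringIO(log_text)):
        if user in CARE_TEAM.get(patient, set()):
            continue
        staff, pat = STAFF[user], PATIENTS[patient]
        reasons = []
        if OWN_RECORD.get(user) == patient:
            reasons.append("own record")
        if patient in VIP_PATIENTS:
            reasons.append("VIP patient")
        if staff.street == pat.street:
            reasons.append("same street")
        if staff.last_name == pat.last_name:
            reasons.append("same last name")
        if not reasons:
            reasons.append("not on care team")
        findings.append((user, patient, reasons))
    return findings


def accesses_by_user(log_text, user):
    """Everything one user opened: the input for a random per-user audit."""
    return [row[2] for row in csv.reader(io.StringIO(log_text)) if row[1] == user]


if __name__ == "__main__":
    for user, patient, reasons in audit(ACCESS_LOG):
        print(f"{user} -> {patient}: {', '.join(reasons)}")
```

The targeted audit (who looked at the VIP) and the random audit (everything one user looked at this week) are the same log read two ways; the care-team table is what turns a list of accesses into a short list of things to actually follow up on.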
How do you fix human nature?
Short answer: you don’t.
Longer answer:
– Audit periodically, frequently, or when asked
to
– Tell your staff that you audit
– Act on the audit and discipline when problem
found
– Automate the process as much as is possible
In summary…
Anyone you hire should be reasonably
teachable
Make your expectations known at
orientation
Follow up periodically
MOST will meet expectations
Get rid of those who don’t…
Users don’t take data security
seriously
Most work sites, nursing units, and such
are like swamps with alligators
You know what your highest priority is and
it is NOT data security.
Users ignore security policies
Security Policies Often Go Unheeded (December 6, 2007) A survey of
nearly 900 IT security professionals conducted by the Ponemon Institute
found that many workers do not abide by established security policies,
either because they are unaware of the policies or because they find them
inconvenient. More than half of respondents admitted to having copied
confidential company data onto USB drives although 87 percent said they
knew the practice violated company policy.
Nearly half of respondents said they share passwords with colleagues;
two-thirds said sharing passwords violates policy at their organizations.
One-third of respondents said they had sent work documents as
attachments; almost half of respondents were unsure whether doing so
violated their companies' policies. Sixty percent of respondents said their
companies had no formal policy that prohibits installation of personal
software on work machines. Almost half said they had downloaded
software, including P2P programs, onto company computers.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9051483&source=rss_topic17
Even IS contractors don’t think
securely…
--Stolen Laptop Holds Patient Data; Contractor Violated Policy
(December 10, 2007) Approximately 45,000 patients who were
treated at Sutter Lakeside Hospital in Lakeport, California have been
notified by letter that their personal information has been
compromised.
The data were being transferred from one secure system to another
during an equipment upgrade; a contractor violated hospital
policy by downloading the data to a laptop computer that was
later stolen.
The hospital has terminated its relationship with the contractor, who
had been hired for a special IT project. The compromised data
include names, addresses, dates of birth, Social Security numbers
(SSNs), and in some cases billing and diagnosis information.
http://www.record-bee.com/local/ci_7687954
Why wasn’t the laptop encrypted???
Lost Flash Drive
http://wcco.com/local/doctor.patient.information.2.642107.html
A provider had a flash drive with over 3000
patient histories on it.
Policy said it should be encrypted – It was
not
It got lost…
This was a fertility clinic, need I say more?
Backups…
We all agree that our systems need some
sort of backup
What happens when we apply that to our
personal hard drives and home based
systems?
How many of us have our systems fully
backed up in case they fail?
From Sans Newsbytes
Backups are really important:
People keep telling me backups on
laptops, backups on the local drive are the
user's responsibility. However, in all my
days, I haven't yet met a responsible user,
so I don't see making it the users'
responsibility makes sense.
12/7/07
This was sent from someone’s email because they walked away still
logged in…
Be sure you log out or
things like this may
happen to you. I
received this, I did not
actually send it!
Panic post to HIPAAlive
An office manager got this message: Apparently
one of your employees went on to a P2P music
file sharing site, and accidentally published the
My Documents folder. You will want to locate the
computer in question, and have the P2P
program removed.
I heard about this vulnerability months ago on
WTMJ radio with the news guy calling people
whose SSN was viewable on line.
Not exactly a security geek thing…
So, what do you do about it?
I don’t have a good answer
Training, but balance too little vs too much
– Remember the boy that cried wolf
– You do want people to pay attention
Reminders
– Be careful about frequency (see above)
– Nothing gets attention better than a nearby
horror story…
What to do…
Remind users about security when they log in,
expect that most will tune you out.
Be sure you have policies about system use
written clearly and easily available even if no
one actually reads them.
There is no reason for P2P file sharing in our
workplaces. Enforce that!
Do security rounds and point out problems that
you see.
Be sure that security policies are practical and
enforceable.
Passwords are a pain.
I was told a story about an IRS auditor.
Their stuff needs to be really secure, obviously.
Each application has different user ID and
password. So far that is clumsy, but not bad.
So that they did not get forgotten, he kept a
notebook of all passwords in his briefcase. The
laptop was also in the briefcase.
As the person who told this said, this was secure
until the brief case got lost or stolen and found
by someone with a crowbar.
Password audit
I did an audit of the passwords used in our Meditech system. I can print a
report that lists them without user IDs so nothing really gets compromised.
Our minimum length is 5 characters.

Length  Count  Percent
5       446    28.30
6       474    30.08
7       274    17.39
8       220    13.96
9       103    6.54
10      35     2.22
11      13     0.82
12      5      0.32
13      3      0.19
14      3      0.19
Password audit
Category                 Count
Dictionary words         17
Names                    39
Word and single digit    13
All same character       3
All digits               6
Better than the above    27 (does not mean good)
This is the first two pages of a list of passwords
from our system. I think our users are no less
creative than anyone else.
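As an added example (not the presenter's report or Meditech output), the following Python script sorts a constructed password list into the categories of the audit above and tallies the length distribution in the same shape as the slide. The dictionary and name lists are tiny and constructed; a real audit would load full wordlists. The order of the checks (same-character before all-digits) is this example's own choice so that each password lands in exactly one bucket.

```python
"""Added example, not from the original presentation: a password-audit
classifier that sorts a list of plaintext passwords (as the deck's report
prints them, without user ids) into the deck's categories and tallies
lengths. The word lists and the sample passwords are constructed; a real
audit would load full dictionary and name lists."""
from collections import Counter

# Constructed, deliberately tiny word lists.
DICTIONARY = {"password", "summer", "nurse", "hospital", "monkey", "welcome"}
NAMES = {"karen", "mike", "susan", "britney", "david", "george"}

CATEGORIES = [
    "Dictionary words",
    "Names",
    "Word and single digit",
    "All same character",
    "All digits",
    "Better than the above (does not mean good)",
]


def classify(pw):
    """Return the deck's category for one password.

    Checks run in this order so a password fits exactly one bucket: '55555'
    is counted as all-same-character rather than all-digits.
    """
    low = pw.lower()
    if len(set(low)) == 1:
        return "All same character"
    if low.isdigit():
        return "All digits"
    if low in NAMES:
        return "Names"
    if low in DICTIONARY:
        return "Dictionary words"
    if len(low) >= 2 and low[-1].isdigit() and low[:-1] in (DICTIONARY | NAMES):
        return "Word and single digit"
    return "Better than the above (does not mean good)"


def audit(passwords, min_length=5):
    """Tally categories and lengths; also count passwords under the policy minimum."""
    categories = Counter(classify(p) for p in passwords)
    lengths = Counter(len(p) for p in passwords)
    total = len(passwords)
    percent = {n: round(100.0 * c / total, 2) for n, c in lengths.items()}
    too_short = sum(1 for p in passwords if len(p) < min_length)
    return {
        "categories": {c: categories.get(c, 0) for c in CATEGORIES},
        "lengths": dict(sorted(lengths.items())),
        "percent": percent,
        "too_short": too_short,
    }


def format_report(result):
    """Render the two tables the deck shows, as plain text."""
    lines = ["Length  Count  Percent"]
    for n, c in result["lengths"].items():
        lines.append(f"{n:<7} {c:<6} {result['percent'][n]:.2f}")
    lines.append("")
    for cat, c in result["categories"].items():
        lines.append(f"{cat}: {c}")
    return "\n".join(lines)


# Constructed sample; no real user data.
SAMPLE = ["password", "summer", "Karen", "mike1", "aaaaa", "123456",
          "2MT2C", "nurse", "Britney", "hospital2", "Tr0ub4dor", "55555"]

if __name__ == "__main__":
    print(format_report(audit(SAMPLE)))
```

Run it against the plaintext list the report prints and you get the same two tables as the slides; the "better than the above" bucket is only "not obviously bad", which is why the deck says it does not mean good.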
My favorite…
From the list that I looked at my favorite “good”
password was 2MT2C
It could be longer but…
– It would be hard to guess
– It would be easy to remember
– It would be hard for a password cracking program to
figure out
It also gives no hint about the person’s user ID
It expired by the time you see this…
How long should they last?
30, 60, 90, 120, 180, 270, 365 days
Never expire
– Think about the PIN for your ATM
Think about the risks of shoulder surfing or
other password stealing schemes
Think about the pain of frequent password
changes
Balance it all together and pick a number
that your organization is comfortable with.
Problems
Most users will not pick good passwords
Some users will forget their password
Some users will write their password down
where it can get found
– Ban Post-it notes (I know it's not possible)
– Check under mouse pads
Password cracking programs are easily
available to those who want them
So what do you do about this?
Keep your training positive
– Wrong: If you make bad passwords, the
HIPAA police will get you
– Right: Good passwords protect your privacy
as well as your patients' privacy
– Wrong: Bad passwords lead to bad care
– Right: Good security is good patient care
Concept blatantly stolen from Tom Walsh’s
recent HIMSS presentation
So what do you do about this?
Alternatives
– RFID proximity devices
– Finger print readers
– Iris scanners
– Palm scanners
– Secure Roaming (my current favorite)
If you must use passwords, train users
about good ones
Cool new product…
BioPassword
– Works by carefully measuring how individuals
type their password
– Vendor offered cash to anyone who could
type his password, no one could…
– Based on concept developed in WWII to
monitor where Morse Code operators had
moved to
Adding and deleting users must be
taken seriously.
People change jobs
– How’s that for stating the obvious?
When they start a new job they need access
When they move within the organization they
need changed access
When they leave, access needs to go away
If not done right, there can be problems…
Recently…
(August 27, 2007) A federal jury has convicted
Jon Paul Olson of intentionally damaging
protected computers. Olson left his job at the
Council of Community Health Clinics (CCC) in
San Diego after he received what he believed to
be a negative performance evaluation.
Several months after his resignation, Olson
deleted patient data that belonged to the North
County Health Services (NCHS) clinic, causing
financial losses at both CCC and NCHS. Olson
had worked for CCC as a network engineer and
technical services manager.
My editorial comments
This happened months after he left, his
access should have been long gone.
We had auditors and JCAHO inspectors
specifically ask about our procedures for
inactivating employees who have left us.
Get this done right!
To do that you need a process and some
forms
Our new user form (annotated fields from the slide image): End Date, if needed; Copy existing staff carefully!; Signature required!; Date when completed.
Problems
Directors do not know what their staff has
access to.
– Probably should
– Don’t really
Then there are those users who stay
casual in their old department and IS has
to figure out how to combine their old job
with the new one
– Talk about time wasters…
Problems
People’s job functions change even if their job
description does not
– I get calls from directors asking for additional routines
for users all the time
– I tell them to get it to me in writing (usually Outlook
mail)
This creates problems when they tell you to copy
into new user. Does this new person really need
the same special routines? Sometimes yes,
others no.
Generic User Templates
We discussed setting up inactive model users
for copying to new ones.
We decided not to do this
– Too many job descriptions to be maintained
– Difficult to keep up to date
– Not enough time to devote to the set up of
these
YMMV
If this might work for you, great!
Non-employees with access
Nursing Home staff
– We give nursing home staff very limited access. They
can only see their own patients.
– Instead of the form they can either fax me their
employee's full name on their letterhead or
– E-mail me the detail using their business address
Twice each year I list all their users and send a copy to
the nurse director to verify that they are still employed
there
Others…
Contract employees
Students
Temps
We require the same form as all others to
get them into our systems.
No standard way to make sure they get
terminated
Problems
Since temps, contract employees, and students
are not in PP, they do not automatically show up
We do ask anticipated last date on the form
requesting access
I put a task in Outlook to pop up and remind me
to follow up on these.
We have a separate spreadsheet to track them
Getting directors to remember is a challenge
Removing access
Employees leave
– They get better jobs
– They retire (best job of all…)
– They have children and can’t work outside the
home (working hard enough there)
– They get downsized
– They get fired
– They get outsourced (I know from
experience)
You need a process here
Do NOT trust directors to tell you when someone
leaves
When someone resigns, the director
usually wants a replacement
For that they need to talk with HR
When someone is fired, outsourced, or
laid off HR needs to be involved
HR loves paper…
Our process
Each MIS area has manual procedures to
inactivate access for terminated users
I would like to automate the whole process. I
think I can do it with a script
Example of spreadsheet is below (flattened in extraction; one column per
system, one sample row for a departing employee):

Eff. Date   Name              Dept   Network ID (UserID)   Meditech (MT Mnemonic)   Misys   Employee Assistance   HFMD   OM   webMD   qs1   Mestamed
24-Mar-07   Employee,Leaving         (one cell per system; several cells in the sample read "na")
Unfriendly termination
Sometimes this process is not fast enough
Employees get fired for a variety of reasons
– We have terminated employees for viewing records
that they did not need to see and did not have
authorization to view
When that happens HR is required to give the
MIS director a call to inactivate all access.
– If not available the call goes to our network manager
There cannot be a delay…
Our system
To make this work we combine features of:
– Meditech PP module
– Kronos
– Shams Data Repository
– Microsoft Excel
– Microsoft Outlook
And the programming skills of our DBA
– Don’t ask me the detail…
Our process
If someone resigns
– HR gets a paper resignation
– Their status in Meditech PP is changed to “preterminated”
– This generates an Outlook message noting the
change and puts the name in our resignation
spreadsheet
– A last date is listed also
The day after the last date, an e-mail (Outlook)
is generated that states that the employee’s
active directory entry has been terminated
Failsafe
Our system works great most of the time
Some resignations get missed
– Director doesn’t send paperwork to HR until after the
person is gone
– Casual employees just sort of get dropped
As a failsafe we get a paper list of all employee
changes from HR
It is late, but at least it gets everyone
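An added example, not the presenter's script or any Caretech/Meditech code: a Python sketch of the resignation flow and the paper-list failsafe described on the last few slides. The PP export rows, the HR change list and the account list are constructed; the status value "preterminated" comes from the deck, and the other field names are this example's assumptions.

```python
"""Added example, not from the original presentation: a script sketch of the
deck's resignation/termination flow and its paper-list failsafe. The PP
export, HR change list and account list are constructed; the status value
'preterminated' follows the deck, everything else is this example's own
assumption about how such data might be shaped."""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass
class PPRow:            # one employee in the personnel (PP) export
    emp_id: str
    name: str
    status: str         # "active", "preterminated" or "terminated"
    last_date: Optional[date] = None


@dataclass
class Account:          # one directory account
    login: str
    emp_id: Optional[str]   # None for temps/contractors/students not in PP
    enabled: bool = True


# Constructed sample data.
PP = [
    PPRow("E1", "Alice", "active"),
    PPRow("E2", "Bob", "preterminated", date(2007, 3, 24)),
    PPRow("E3", "Carol", "preterminated", date(2007, 4, 10)),
    PPRow("E4", "Dave", "active"),   # director never sent the paperwork
]
# The paper list of all employee changes HR produces later (constructed).
HR_CHANGES = [("E2", "resigned", date(2007, 3, 24)),
              ("E4", "terminated", date(2007, 3, 15))]
ACCOUNTS = [Account("alice", "E1"), Account("bob", "E2"),
            Account("carol", "E3"), Account("dave", "E4"),
            Account("tmp_student", None)]


def resignation_queue(pp):
    """What the pre-terminated status change feeds into the resignation spreadsheet."""
    return [(r.emp_id, r.name, r.last_date) for r in pp if r.status == "preterminated"]


def accounts_to_disable(pp, accounts, today_iso):
    """Logins still enabled on or after the day after their owner's last date."""
    today = date.fromisoformat(today_iso)
    ended = {r.emp_id for r in pp if r.last_date and r.last_date < today}
    return [a.login for a in accounts if a.enabled and a.emp_id in ended]


def failsafe(hr_changes, pp, accounts):
    """Catch what the normal flow missed.

    'missed': enabled accounts whose owner HR lists as gone but PP never
    pre-terminated. 'not_in_pp': enabled accounts with no PP record at all,
    which have to be tracked on the separate temps/contractors spreadsheet.
    """
    gone_per_hr = {emp for emp, _, _ in hr_changes}
    flagged_in_pp = {r.emp_id for r in pp if r.status != "active"}
    by_emp = {a.emp_id: a for a in accounts if a.emp_id}
    missed = sorted(by_emp[e].login for e in gone_per_hr - flagged_in_pp
                    if e in by_emp and by_emp[e].enabled)
    not_in_pp = sorted(a.login for a in accounts if a.emp_id is None and a.enabled)
    return {"missed": missed, "not_in_pp": not_in_pp}


if __name__ == "__main__":
    print("resignation queue:", resignation_queue(PP))
    print("disable today:", accounts_to_disable(PP, ACCOUNTS, "2007-03-25"))
    print("failsafe:", failsafe(HR_CHANGES, PP, ACCOUNTS))
```

The first two functions are the normal path (pre-terminated status, last date, disable the morning after); the third is the late paper list doing what the deck says it does, catching the director who never filed and the casual or temp accounts that never appear in PP at all.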
Physical Security: Don’t forget
about it!
Stolen Laptop Had 268,000
Social Security Numbers
ST. PAUL (AP) ― A Twin Cities blood bank says
a laptop computer with 268,000 names and
Social Security numbers has been stolen.
Memorial Blood Centers said Wednesday it has
begun notifying blood donors of the theft, but
they should monitor their financial accounts as a
precaution. The laptop computer was taken on
Nov. 28 in downtown Minneapolis during
preparations for a blood drive.
Dec 5, 2007
--Hospital Server Room Overheats,
Destroys Equipment
Internal auditors are conducting an investigation at St. James Hospital
in Leeds to discover the reasons a server room overheated, permanently
damaging GBP 1 million (US $2.04 million) worth of equipment. The
system in the room was designed to store patient x-rays but had not yet
gone live, so patient care was not affected by the incident.
http://www.theregister.co.uk/2007/09/27/leeds_server_overheat/print.html
[Editor's Note (Grefer): Whenever feasible, build in redundancy in your
A/C setup. Operating a single A/C unit at full power reduces its life
expectancy and creates a single point of failure. In case such a setup
is not feasible, at least invest in heat sensors and a system that
allows for automatic shutdown of non-critical systems early on as well
as automatic shutdown of critical systems at the last minute.]
(September 27, 2007) Sans Newsbytes
BlackBerries
Q:Ask the expert: Is it appropriate for caregivers, such as nurses and
physicians, to use Blackberries to e-mail patient data?
A: The answer is an easy one: most definitely not. Blackberries generally
transmit messages via mobile services, such as Verizon and AT&T, for
example. Messages sent via cell phone, Blackberries, or smart phones are
not secure. Someone knowledgeable can easily intercept messages.
Unless an organization contracts with a mobile service provider that offers
an encrypted channel (and most do not), sending patient information via a
Blackberry is almost worse than sending an unencrypted e-mail or instant
message.
This Q&A was adapted from the December 2007 issue of Briefings on
HIPAA.
Again, remember the physical security of your
devices.
Flash Drives…
--Flash Drive Left in Swedish Library Holds
Sensitive Military Data (January 4, 2008)
That person could face up to six months in
prison.
The Security Work Group just posted a
white paper on portable media.
This may be stating the obvious, but…
Back up everything. Store it securely
If it has PHI and is portable, encrypt it.
Keep a copy of everything important off
site
Lock your server room doors
Log out or lock your PC when away from it
Securely dispose of old data devices
Train your users that:
-computers belong to the healthcare organization
-anything produced or accessed on the computer
belongs to the healthcare organization
-there is no expectation of privacy for anything on the
computers
-all computers and all users may be subject to routine
audits and when necessary, investigations, performed
without their permission, but always with a supervisor’s
oversight
Stolen from: Greg Young, CHP, Mammoth Hospital
In conclusion…
Hire carefully
– Not always easy to do
Have clear readable policies and live by
them
Train carefully
Audit
Retrain/reinforce training
Questions…
Thanks to:
– Caretech Solutions (my bosses) for letting me
come here
– Microsoft for clip art
– SANS, MLO, HIPAAlive, and others for news
items
– All of you for listening to me