As far as I know there are not yet any set "Security Standards".
There is no open sharing of patient records. What most Hospitals have is a closed DB system such as HBOC's products (can't remember the name off of the top of my head). These are essentially "closed circuit" databases, and are self-contained w/i the hospital. They are all proprietary systems as well.
There are several bills in Congress relating to Medical information and privacy. Some of them are outdated and/or never passed, and/or are just sitting there - I recommend going to the appropriate Senate or House site where they have bill status listed.
Anyway, some to look for are:
hr-1057
hr-1941
hr-2404
hr-2878
hr-358
s-1344
s-240
s-573
s-578
s-6
s-854
You should be able to tell within the first page or two if this information is relevant. It also lists the committee members involved I believe, so if there is something that you see as drastically wrong, you can get in touch with the right person.
NONE of these (I've read or looked over most of them) have SPECIFIC security information. It's more like guidelines like "Only caregivers with authentication from the patient will be allowed to view patient record information, and the subject of the record has to approve any additions" etc. It describes who should access what, but not HOW this will happen. Still, it gives you a basic view of what's down the pike and what the gov't is up to as far as their understanding of who should access what. Personally from reading these I think that some of them are a little too restrictive for the doctor, and give the patient TOO MUCH access to alteration of medical records, etc. w/o adequate accountability of record alterations mandated ("Oh yeah, I swear that my doctor gave me Demerol for my ingrown toenail - just look at my records!").
99% of the stuff that I have seen states that security should be in place, but does not discuss anything more than 'it should be there'. I will certainly go over the 3Com doc.
Hope this helps,
Alex F
You might want to try some of the consulting firm sites as well. They deal with Medical/Hospital clients.
Barbara
It seems they've put permissions on it now. Why, I don't know. Try this:
That 3COM's site says "You don't have permission to access /securitynet/hipaa on this server." How can I get in?
Thanks
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Chinnery Paul
Sent: Monday, February 28, 2000 2:29 PM
To: 'Jeffery Stutzman'; [EMAIL PROTECTED]
Subject: RE: Hospital INFOSEC?
You might want to check 3Com's site (http://healthcare.3com.com/securitynet/hipaa). HIPAA is going to be a set of standards protecting the privacy of patient information. One article I read said that healthcare organizations will spend more $ meeting HIPAA standards than they did on Y2K.
-----Original Message-----
From: Jeffery Stutzman [mailto:[EMAIL PROTECTED]]
Sent: Friday, February 25, 2000 8:05 PM
To: [EMAIL PROTECTED]
Subject: Hospital INFOSEC?
I'm an MBA student looking for some information regarding the implementation of security services in hospitals and medical facilities. I'm interested in feedback concerning regulatory issues surrounding infosec in hospitals. Anyone on the forum have any insight in this area?
Thanks,
Jeff