William, you raise a significant point, and one I have been struggling to get covered entities to understand. Privacy liability will mostly come from ignorance and carelessness in the workplace. You can't just train once, have 400,000-page policies, and expect to reduce liability. Also, the nonsense about 4-paragraph privacy policies is just nuts! The whistleblowers will make a fortune if that mentality continues.

Your points about email are dead on, and much as I respect the average IT guy or gal, most don't understand these issues. Real workflows need to be understood, mapped, and reengineered to effectively change the liabilities of an organization. Working habits need to change not just through policies, but through cultural change that requires not just training but education! Privacy officers need to understand that they are not just planners and auditors, but also evangelists for change at every level of an organization. A privacy officer should spend 60% of their time walking the halls communicating!

I think we have arrived at a point where a white paper on email and electronic communications makes sense. This subject is full of bias and voodoo urban legends that have little to do with core business requirements and real-world workflow. I hope WEDI management will take notice, and I would like to volunteer to help author it. Perhaps we should title it "The Happy HIPAA and a Tale of Email!".

Tim McGuinness, Ph.D.
Consulting Specialist in Regulatory Privacy, Security, and Application Compliance (HIPAA/ASCA/FDA/CMS-HCFA/ICH/ADA 508c)
[EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>
President, HIPAA Help Now
[EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>
www.hipaahelpnow.com <http://www.hipaahelpnow.com/>
Executive Co-Chairman for Privacy, HIPAA Conformance Certification Organization (HCCO)
www.hipaacertification.org <http://www.hipaacertification.org>
Phone: 727-787-3901 Cell: 305-753-4149 Fax: 240-525-1149
Instant Messengers: ICQ# 22396626 - MSN IM: [EMAIL PROTECTED] - Yahoo IM timmcguinness - AOL IM: mcguinnesstim

IMPORTANT NOTICE: This communication, including any attachment, contains information that may be confidential or privileged, and is intended solely for the entity or individual to whom it is addressed. If you are not the intended recipient, please notify the sender at once, and you should delete this message and are hereby notified that any disclosure, copying, or distribution of this message is strictly prohibited. Nothing in this email, including any attachment, is intended to be a legally binding signature.

-----Original Message-----
From: William J. Kammerer [mailto:[EMAIL PROTECTED]]
Sent: Friday, September 20, 2002 9:43 AM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Re: More Deep Thoughts RE: 'Integrity Control' vs 'Message Authentication'

Tim:

A lot of this technical stuff discussed in the various 'Integrity Control' vs 'Message Authentication' threads went over my head. But you can do IP sourcing, MD5 checksums, message authentication, and stamp every "packet" till the cows come home, and it probably will do little good until the "people" issues are addressed. I emphatically agree with you that "the major risks are mostly internal.
These represent the disgruntled employee, or just the lazy employee. Either way, these are more likely to result in Privacy abuses...and create security vulnerabilities. These are the ones that will have to be defended in civil litigation."

A good illustration is the dozen or so postings addressed to the Privacy listserve asking to "add me to the PHI mapflow list." Surely these weren't meant to be sent to the entire listserve, but they certainly point out the risks of e-mail within HCOs. Admittedly, these e-mails are so low-risk that the extra seconds to confirm the recipient may not seem worth it (to the sender, that is; I would certainly appreciate not being inundated with this stuff each and every day!). But isn't it prudent to always be in the habit of checking - and double-checking - the recipients in any outbound e-mail, so that it becomes second nature, avoiding the inadvertent release of PHI to unintended recipients?

I see that more and more people append these ubiquitous IMPORTANT NOTICEs at the tail of their e-mails; do these really work? Once the cat has been let out of the bag, what good does it do to admonish the (unintended) recipient to forget what she's just seen? Isn't it better to just be super careful with EVERY e-mail, especially if you've ever handled PHI before?

A habit that I've found useful is to double-click on each recipient (in the To:, Cc: and Bcc: boxes) to ensure the correct underlying e-mail address appears, forcing me to evaluate the appropriateness of that recipient. And with Outlook Express, I have the options set to NOT send e-mail immediately, nor to SEND/RECEIVE on an interval basis, preventing the sending of mail if I accidentally push the "Send" button: an explicit "Send/Receive" must be done instead - this gives me even more chances to mull over the contents of the "Outbox" and the message recipients.
Further, I have the option set to always encrypt: yet one more chance (at "Send") to see my list of recipients, since I'll be presented with a dialog box of all those for whom I have no digital ID. These few simple habits have kept me from sending to the wrong recipients. To this day, I don't think I've ever made a single mistake in disseminating an e-mail to an unintended recipient. Of course, this provides no protection at all from saying stupid things I'll later regret to INTENDED recipients!!

William J. Kammerer
Novannet, LLC.
Columbus, US-OH 43221-3859
+1 (614) 487-0320

----- Original Message -----
From: <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>; "Bill Pankey" <[EMAIL PROTECTED]>; "Chris Riley" <[EMAIL PROTECTED]>; "Anthony Mercaldi" <[EMAIL PROTECTED]>
Sent: Tuesday, 17 September, 2002 12:53 PM
Subject: More Deep Thoughts RE: 'Integrity Control' vs 'Message Authentication'

But let's look at this from an institutional risk perspective.

1) It is possible to reasonably defend your infrastructure using: network firewalls, active intrusion detection monitoring, antiviral appliances, desktop firewalls and antiviral software, spyware checkers, solid security policies properly followed and audited. Nothing is perfect, but properly implemented, with constant attention to patches and upgrades, you can be "reasonably secure". In short, the whole BS7799 package on steroids (as my grandma used to say).

2) IP sourcing is not 100% reliable unless you know ALL of the potential servers your business partners will use, and have reporting mechanisms in place to track their changes. I do agree (and use this method myself to control spam) that vast blocks of IP space should be "blacked out". Most US HCOs have no business receiving packets from Asia or Africa, for example, and these are notorious as points of attack.
But there is little, from an IP perspective, you can do to black out in advance the teen down the street, except use your firewall to block, because he/she is most likely using a DHCP-assigned IP for that session that next time around may be used by a doctor or a patient.

3) It is impractical to require server AND client keys. Even VeriSign client certificates are problematic in actual practice unless you rigidly control both sides of the connection and the physical machines. You can even go so far as to be your own certificate authority, but in the end, with lesser-skilled individuals, the overhead drowns you. I have deployed client AND server certificates in apps that I have designed in the past, and deployed worldwide - it can be done economically - but you have to eliminate extraneous systems to control the help desk issues. Help desk issues are a major factor in whatever you do - PGP implementations have produced numerous horror stories about the end user support requirements.

4) Where real security is required, you use "Trusted" services. There are a small number of vendors who provide real trusted networks for the big boys at CIA and NSA. Here is one such, and it's free! www.lok.com

The bottom line from my perspective is that you do it by the numbers and be thorough. If you have a properly layered defense against internet attacks, properly maintained and monitored, I would argue that your real risks from the outside are low - in other words it will take a determined attacker to get through - which they will anyway. At least with layering of protections, including full intrusion monitoring, you can constrain the attack, and do something about it (hopefully in time). I am a big fan of managed services that will be there 24/7 - their cost is relatively low compared to your own time in managing the same activity.
An example of this was the stats given by my personal favorite, CounterPane, where they flagged 100,000 problematic events - their automated screening system tossed out all but 50, which were passed to a human for analysis, of which only 5 were serious enough to call the IT staff. That's 5 wake-up calls vs. 100,000. In my opinion, tools by any vendor, be it ISS, CounterPane, or others, extend your protections in depth and are essential in real security (mythic though that may actually be).

And remember, external consultants that do assessments are great for a snapshot, but only work where their recommendations are implemented, but a single vendor is a bad idea - they all have their unique and sometimes conflicting agendas, not to mention skill sets (myself included) - always layer! When in doubt, pile it higher and deeper (the Ph.D. philosophy!). For those that are focused on the external, I suggest subscribing to a monthly external penetration testing service. They are as cheap as $25 a month now. They at least tell you if your firewall is solid.

My contention is that the major risks are mostly internal. These represent the disgruntled employee, or just the lazy employee. Either way, these are more likely to result in Privacy abuses in my opinion, and create security vulnerabilities. These are the ones that will have to be defended in civil litigation. For example, with web-based apps proliferating, how many of you actually have a policy to control the browser cache? There is a major point of privacy vulnerability at the very least!

Deep Thoughts quote of the day: "Broken promises don't upset me. I just think, why did they believe me?" :) Nudge nudge, wink wink, say no more! I promise!

Tim McGuinness, Ph.D.
Consulting Specialist in Privacy and Security
[EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>
President, HIPAA Help Now Inc.
[EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>
www.hipaahelpnow.com <http://www.hipaahelpnow.com/>
Executive Co-Chairman for Privacy, HIPAA Conformance Certification Organization (HCCO)
www.hipaacertification.org <http://www.hipaacertification.org>
Phone: 727-787-3901 Cell: 305-753-4149 Fax: 240-525-1149
Instant Messengers: ICQ# 22396626 - MSN IM: [EMAIL PROTECTED] - Yahoo IM timmcguinness - AOL IM: mcguinnesstim

To be removed from this list, go to: http://snip.wedi.org/unsubscribe.cfm?list=Security and enter your email address.

The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/. Posting of advertisements or other commercial use of this listserv is specifically prohibited.
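William's recipient-checking habit (look at the underlying address behind each To/Cc/Bcc entry, and never let mail leave until an explicit send) can be scripted as a pre-send gate on the outbound side. The following is an added example written for this thread, not code from either poster or from WEDI; the trusted domains, the list address and the sample messages are constructed assumptions, and the thresholds are illustrative. It flags recipients that are mailing lists or lie outside the organization's own domains, the two cases behind the "add me to the PHI mapflow list" mishap, and only releases a message when no finding requires a hold.

```python
"""Pre-send recipient review for outbound mail that might carry PHI.

Added example, not part of the original thread. The policy inputs below
(trusted domains, known list addresses, recipient threshold) are constructed.
"""
from email.message import EmailMessage
from email.utils import getaddresses

# Constructed policy: domains considered internal, and addresses that fan
# out to many readers (mailing lists), where a misdirected message cannot
# be recalled.
TRUSTED_DOMAINS = {"example-hospital.org"}
LIST_ADDRESSES = {"security@lists.example.org"}
MAX_RECIPIENTS = 10  # constructed threshold for a "mass mailing" warning


def resolve_recipients(msg):
    """Return (display_name, address) pairs from To, Cc and Bcc.

    This is the scripted equivalent of double-clicking each recipient to see
    the real address behind the display name the mail client shows.
    """
    raw = []
    for field in ("To", "Cc", "Bcc"):
        raw.extend(msg.get_all(field, []))
    return [(name, addr.lower()) for name, addr in getaddresses(raw) if addr]


def review(msg):
    """Return (severity, reason, detail) findings; an empty list means no concern."""
    findings = []
    recipients = resolve_recipients(msg)
    if len(recipients) > MAX_RECIPIENTS:
        findings.append(("warn", "unusually many recipients", str(len(recipients))))
    for _name, addr in recipients:
        domain = addr.rpartition("@")[2]
        if addr in LIST_ADDRESSES:
            findings.append(("hold", "recipient is a mailing list", addr))
        elif domain not in TRUSTED_DOMAINS:
            findings.append(("hold", "recipient outside trusted domains", addr))
    return findings


def should_send(msg):
    """Mirror the 'no immediate send' setting: release only when nothing requires a hold."""
    return not any(severity == "hold" for severity, _, _ in review(msg))


def build_message(to, cc=None, bcc=None):
    """Construct a sample outbound message (test data, not real mail)."""
    msg = EmailMessage()
    msg["From"] = "privacy.officer@example-hospital.org"
    msg["To"] = to
    if cc:
        msg["Cc"] = cc
    if bcc:
        msg["Bcc"] = bcc
    msg.set_content("Appointment confirmation for patient record 12345 (constructed).")
    return msg


if __name__ == "__main__":
    clean = build_message("records@example-hospital.org")
    misdirected = build_message("security@lists.example.org",
                                cc="Pat Smith <pat@othermail.example>")
    print(should_send(clean))        # True
    for finding in review(misdirected):
        print(finding)               # two "hold" findings
    print(should_send(misdirected))  # False
```

The gate is deliberately conservative: an address the policy has never seen is held rather than passed, which is the automated form of "double-check the recipients in any outbound e-mail, so that it becomes second nature."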
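Tim's closing question about a policy to control the browser cache for web-based apps is a concrete control, not just a policy line: a page that displays PHI must tell the browser not to keep a copy. The following is an added example for this thread, not code from either poster or from any product named above; the WSGI application, the patient page and the weak `max-age` setting are constructed. It shows a middleware that stamps every response with no-store headers beside an audit check that reports whether a given set of response headers would still let a browser cache the page.

```python
"""Browser-cache policy for web applications that display PHI.

Added example, not part of the thread. Shows (1) a WSGI middleware that
stamps every response with no-store headers and (2) an audit check that
flags responses whose headers would let a browser keep a copy on disk.
"""

# The hardened header set. "no-store" is the directive that matters for
# HTTP/1.1 caches; Pragma and Expires cover older HTTP/1.0 caches.
NO_STORE_HEADERS = [
    ("Cache-Control", "no-store, no-cache, must-revalidate, private"),
    ("Pragma", "no-cache"),
    ("Expires", "0"),
]


def cache_directives(headers):
    """Return the lower-cased Cache-Control directive names from a WSGI header list."""
    directives = set()
    for name, value in headers:
        if name.lower() == "cache-control":
            for token in value.split(","):
                directives.add(token.strip().split("=")[0].lower())
    return directives


def allows_caching(headers):
    """True if a browser or shared cache could retain this response.

    Conservative: a response with no explicit no-store is treated as cacheable,
    because browsers apply heuristic caching when no directive is present.
    """
    return "no-store" not in cache_directives(headers)


def no_store_middleware(app):
    """Wrap a WSGI app so that every response carries the no-store policy."""
    def wrapped(environ, start_response):
        def _start(status, headers, exc_info=None):
            # Drop whatever caching headers the app set, then apply the policy.
            kept = [(n, v) for n, v in headers
                    if n.lower() not in {"cache-control", "pragma", "expires"}]
            return start_response(status, kept + NO_STORE_HEADERS, exc_info)
        return app(environ, _start)
    return wrapped


def patient_app(environ, start_response):
    """Toy application returning a constructed patient record page with the weak setting."""
    body = b"<html><body>Patient: Jane Doe, MRN 0000001 (constructed)</body></html>"
    start_response("200 OK", [("Content-Type", "text/html"),
                              ("Cache-Control", "max-age=3600")])  # cacheable for an hour
    return [body]


def run(app, path="/patient/1"):
    """Invoke a WSGI app offline and return (status, headers, body) for inspection."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = list(headers)

    body = b"".join(app({"REQUEST_METHOD": "GET", "PATH_INFO": path}, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    _, weak_headers, _ = run(patient_app)
    print("weak app allows caching:", allows_caching(weak_headers))            # True
    _, hardened_headers, _ = run(no_store_middleware(patient_app))
    print("hardened app allows caching:", allows_caching(hardened_headers))   # False
```

The audit function is the piece to keep: run it over the headers your real application emits for any PHI-bearing URL, and a "True" is a finding to fix, whatever framework sits underneath.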