Hi Mimi!

I think we have all done the same thing.  Maybe a verification dialog
box needs to pop up before the e-mail gets sent with a confirmation
required.

Darcy P. Otis
Director of Business Solutions
SimplicEDI
"Healthcare Solutions Simplified"
6165 NW 86th Street
Johnston, IA 50131
p (515) 727 1710
f (515) 278 4631


-----Original Message-----
From: Mimi Hart [mailto:[EMAIL PROTECTED]] 
Sent: Friday, September 20, 2002 11:22 AM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Re: More Deep Thoughts RE: 'Integrity Control' vs 'Message Authentication'

I just learned this lesson today...forwarding an incorrect email...luckily it had no PHI in it...but it was definitely a lesson worth learning. It is scary to think how many items are misdirected...etc.
MIMI

Mimi Hart
Research Analyst, HIPAA
Iowa Health System
319-369-7767 (phone)
319-369-8365 (fax)
319-490-0637 (pager)
[EMAIL PROTECTED]

>>> "William J. Kammerer" <[EMAIL PROTECTED]> 09/20/02 08:43AM >>>
Tim:

A lot of this technical stuff discussed in the various 'Integrity Control' vs 'Message Authentication' threads went over my head.  But you can do IP sourcing, MD5 Checksums, Message authentication, and stamp every "packet" till the cows come home, and it probably will do little good until the "people" issues are addressed.

I emphatically agree with you that "the major risks are mostly internal. These represent the disgruntled employee, or just the lazy employee. Either way, these are more likely to result in Privacy abuses...and create security vulnerabilities. These are the ones that will have to be defended in civil litigation."

A good illustration is the dozen or so postings addressed to the Privacy listserve asking to "add me to the PHI mapflow list."  Surely these weren't meant to be sent to the entire listserve, but certainly point out the risks of e-mail within HCOs.  Admittedly, these e-mails are so low-risk that the extra seconds to confirm the recipient may not seem worth it (to the sender, that is;  I would certainly appreciate not being inundated with this stuff each and every day!).  But isn't it prudent to always be in the habit of checking -  and double-checking - the recipients in any outbound e-mail, so that it becomes second nature, avoiding the inadvertent release of PHI to unintended recipients?

I see that more and more people append these ubiquitous IMPORTANT NOTICEs at the tail of their e-mails;  do these really work?  Once the cat has been let out of the bag, what good does it do to admonish the (unintended) recipient to forget what she's just seen?  Isn't it better to just be super careful with EVERY e-mail, especially if you've ever handled PHI before?

A habit that I've found useful is to double-click on each recipient (in the To:, Cc: and Bcc: boxes) to ensure the correct underlying e-mail address appears, forcing me to evaluate the appropriateness of that recipient. And with Outlook Express, I have the options set to NOT send e-mail immediately, nor to SEND/RECEIVE on an interval basis, preventing the sending of mail if I accidentally push the "Send" button: an explicit "Send/Receive" must be done, instead - this gives me even more chances to mull over the contents of the "Outbox" and the message recipients.   Further, I have the option set to always encrypt:  yet one more chance (at "Send") to see my list of recipients, since I'll be presented with a dialog box of all those for whom I have no digital ID.

These few simple habits have kept me from sending to the wrong recipients.  To this day, I don't think I've ever made a single mistake in disseminating an e-mail to an unintended recipient.  Of course, this provides no protection at all from saying stupid things I'll later regret to INTENDED recipients!!

William J. Kammerer
Novannet, LLC.
Columbus, US-OH 43221-3859
+1 (614) 487-0320
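A small Python illustration of the "check and double-check the recipients before sending" habit discussed above: the kind of review a confirm-before-send dialog would run over the To:, Cc: and Bcc: boxes. This is added here and is not code from any poster or product in the thread; the trusted domain and list addresses are constructed placeholders.

```python
"""Pre-send recipient review for an outbound message: the kind of check a
"confirm before send" dialog would run over the To:, Cc: and Bcc: boxes."""
from email.utils import getaddresses

# Constructed policy values (hypothetical): the organisation's own mail
# domain, and list addresses that should never receive individual PHI.
TRUSTED_DOMAINS = {"example-hco.org"}
LIST_ADDRESSES = {"security@example-list.org", "privacy@example-list.org"}


def parse_recipients(headers):
    """Return (header, display_name, address) for every To:/Cc:/Bcc: entry."""
    found = []
    for hdr in ("To", "Cc", "Bcc"):
        for name, addr in getaddresses([headers.get(hdr, "")]):
            if addr:
                found.append((hdr, name, addr.lower()))
    return found


def review_recipients(headers, phi=False):
    """Return a list of warnings; an empty list means nothing to confirm."""
    warnings, seen = [], set()
    for hdr, name, addr in parse_recipients(headers):
        if addr in seen:
            warnings.append(f"{hdr}: {addr} appears more than once")
        seen.add(addr)
        local, _, domain = addr.partition("@")
        if addr in LIST_ADDRESSES:
            warnings.append(f"{hdr}: {addr} is a mailing list, not a person")
        elif domain not in TRUSTED_DOMAINS:
            warnings.append(f"{hdr}: {addr} is outside trusted domains")
        # Heuristic for the classic auto-complete slip (right name, wrong
        # address): some word of the display name should appear in the
        # local part of the underlying address.
        tokens = [t.strip(".,").lower() for t in name.split()]
        if name and not any(t and t in local for t in tokens):
            warnings.append(f"{hdr}: display name '{name}' does not match {addr}")
    if phi and any("outside trusted domains" in w for w in warnings):
        warnings.append("PHI flagged and external recipient present: do not send")
    return warnings


def can_send(headers, phi=False):
    """True only when the review raises nothing; otherwise ask the sender."""
    return not review_recipients(headers, phi)
```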

----- Original Message -----
From: <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>; "Bill Pankey" <[EMAIL PROTECTED]>; "Chris Riley" <[EMAIL PROTECTED]>; "Anthony Mercaldi" <[EMAIL PROTECTED]>
Sent: Tuesday, 17 September, 2002 12:53 PM
Subject: More Deep Thoughts RE: 'Integrity Control' vs 'Message Authentication'

But let's look at this from an institutional risk perspective.

1) it is possible to reasonably defend your infrastructure using: network firewalls, active intrusion detection monitoring, antiviral appliances, desktop firewalls and antiviral software, spyware checkers, solid security policies properly followed and audited. Nothing is perfect, but properly implemented, with constant attention to patches and upgrades, you can be "reasonably secure". In short, the whole BS7799 package on steroids (as my grandma used to say).

2) IP sourcing is not 100% reliable unless you know ALL of the potential servers your business partners will use, and have reporting mechanisms in place to track their changes. I do agree (and use this method myself to control spam) that vast blocks of IP space should be "blacked out". Most US HCOs have no business receiving packets from Asia or Africa for example, and these are notorious as points of attack. But there is little, from an IP perspective, you can do to black out in advance the teen down the street, except use your firewall to block, because he/she is most likely using a DHCP assigned IP for that session, that next time around may be used by a doctor or a patient.

3) it is impractical to require server AND client keys. Even VeriSign client certificates are problematic in actual practice unless you rigidly control both sides of the connection and the physical machines. You can even go so far as to be your own certificate authority, but in the end, with lesser skilled individuals, the overhead drowns you. I have deployed client AND server certificates in apps that I have designed in the past, and deployed world wide - it can be done economically - but you have to eliminate extraneous systems to control the help desk issues. Help desk issues are a major factor in whatever you do - PGP implementations have produced numerous horror stories about the end user support requirements.

4) where real security is required, you use "Trusted" services. There are a small number of vendors who provide real trusted networks for the big boys at CIA and NSA. Here is one such, and it's free! www.lok.com

The bottom line from my perspective is that you do it by the numbers and be thorough. If you have a properly layered defense against internet attacks, properly maintained and monitored, I would argue that your real risks from the outside are low - in other words it will take a determined attacker to get through - which they will anyway. At least with layering of protections, including full intrusion monitoring, at least you can constrain the attack, and do something about it (hopefully in time).

I am a big fan of managed services that will be there 24/7 - their cost is relatively low compared to your own time in managing the same activity. An example of this were stats given by my personal favorite CounterPane, where they flagged 100,000 problematic events - their automated screening system tossed out all but 50, which were passed to a human for analysis, of which only 5 were serious enough to call the IT staff. That's 5 wake up calls vs. 100,000. In my opinion, tools by any vendor, be it ISS, CounterPane, or others, extend your protections in depth and are essential in real security (mythic though that may actually be). And remember, external consultants that do assessments are great for a snapshot, but only work where their recommendations are implemented, but a single vendor is a bad idea - they all have their unique and sometimes conflicting agendas, not to mention skill sets (myself included) - always layer! When in doubt, pile it higher and deeper (the Ph.D. philosophy!).

For those that are focused on the external, I suggest subscribing to a monthly external penetration testing service. They are as cheap as $25 a month now. They at least tell you if your firewall is solid.

My contention is that the major risks are mostly internal. These
represent the disgruntled employee, or just the lazy employee. Either
way, these are more likely to result in Privacy abuses in my opinion,
and create security vulnerabilities. These are the ones that will have
to be defended in civil litigation.

For example, with web-based apps proliferating, how many of you actually have a policy to control the browser cache? There is a major point of privacy vulnerability at the very least!

Deep Thoughts quote of the day "Broken promises don't upset me. I just think, why did they believe me?" :) Nudge nudge, wink wink, say no more! I promise!

Tim McGuinness, Ph.D.
Consulting Specialist in Privacy and Security
[EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>

President,
HIPAA Help Now Inc.
[EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>
www.hipaahelpnow.com <http://www.hipaahelpnow.com/>

Executive Co-Chairman for Privacy,
HIPAA Conformance Certification Organization (HCCO)
www.hipaacertification.org <http://www.hipaacertification.org>

__________________________________________________________________
Phone:   727-787-3901   Cell: 305-753-4149    Fax: 240-525-1149
Instant Messengers:  ICQ# 22396626 - MSN IM: [EMAIL PROTECTED]
-
Yahoo IM  timmcguinness - AOL IM:   mcguinnesstim
__________________________________________________________________


========================================================================
===


IMPORTANT NOTICE: This communication, including any attachment, contains information that may be confidential or privileged, and is intended solely for the entity or individual to whom it is addressed. If you are not the intended recipient, please notify the sender at once, and you should delete this message and are hereby notified that any disclosure, copying, or distribution of this message is strictly prohibited. Nothing in this email, including any attachment, is intended to be a legally binding signature.



To be removed from this list, go to:
http://snip.wedi.org/unsubscribe.cfm?list=Security 
and enter your email address.

The WEDI SNIP listserv to which you are subscribed is not moderated.  The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP.  If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/.
Posting of advertisements or other commercial use of this listserv is specifically prohibited.

        *********************************************

This message and accompanying documents are covered by the Electronic
Communications Privacy Act, 18 U.S.C. §§ 2510-2521, and contain
information intended for the specified individual(s) only. This
information is confidential. If you are not the intended recipient or an
agent responsible for delivering it to the intended recipient, you are
hereby notified that you have received this document in error and that
any review, dissemination, copying, or the taking of any action based on
the contents of this information is strictly prohibited. If you have
received this communication in error, please notify us immediately by
e-mail, and delete the original message.

        *********************************************

