Security and Your Users - PowerPoint PPT Presentation

About This Presentation
Title:

Security and Your Users

Description:

Users are curious and they gossip. They want to know what is happening around them ... Celebrity patients in New Zealand may be lodging complaints with the country's ... – PowerPoint PPT presentation

Slides: 61
Provided by: jseh

Transcript and Presenter's Notes

1
Security and Your Users
  • Top 5 user pitfalls and how to avoid them

2
Goals
  • Security is never a popular topic with users.
  • The goal is to make data secure without burdening
    staff with stuff that interferes with business
    processes.
  • It's not just about HIPAA!
  • "We should treat personal electronic data with the
    same care and respect as weapons-grade plutonium
    -- it is dangerous, long-lasting and once it has
    leaked there's no getting it back." -- Cory
    Doctorow

3
FBI study
  • 50% of security incidents are caused by insiders.
  • These are people that you trusted enough to hire
    (or to manage security).
4
Top 5 user pitfalls and how to react to them
  • Users are curious and gossip.
  • Users don't take data security seriously.
  • Passwords are a pain.
  • Adding and deleting users must be taken
    seriously.
  • Don't neglect physical security. (So much
    hardware, so easy to walk.)
  • This is my opinion and is in sort of random
    order; no scientific process has been used

5
Users are curious and they gossip
  • They want to know what is happening around them
  • Celebrities do show up, local or otherwise
  • There are always friends and neighbors or exes
  • For example:

6
George Clooney
  • NEW YORK (CNN) -- More than two dozen employees
    at Palisades Medical Center have been suspended
    after accessing the personal medical records of
    actor George Clooney, who was taken to the North
    Bergen, N.J., hospital last month after a
    motorcycle accident.
  • http://www.cnn.com/2007/SHOWBIZ/10/10/clooney.records/index.html

7
And of course, Britney
  • UCLA Medical Center is taking steps to fire at
    least 13 employees and has suspended at least six
    others for snooping in the confidential medical
    records of pop star Britney Spears during her
    recent hospitalization in its psychiatric unit, a
    person familiar with the matter said Friday. In
    addition, six physicians face discipline for
    peeking at her computerized records, the person
    said.
  • http://www.latimes.com/news/local/la-me-britney15mar15,0,1421107.story

8
MLO Online 12/13/07
  • Privacy a problem Down Under: Celebrity patients
    in New Zealand may be lodging complaints with the
    country's Privacy Commissioner since several
    health workers were found snooping through the
    private medical records of patients, including
    those of several celebrities. One health worker
    was dismissed and up to 20 others disciplined,
    including doctors, nurses, and other clinicians.
    The staff members have been using what was
    referred to as a "revolutionary" electronic
    records system to access information, which
    includes patients' medical notes, X-ray results,
    and laboratory-test results and community lab
    tests.

9
MLO Online 12/13/07
  • These breaches were picked up in seconds by
    electronic audits, which were run regularly after
    celebrities had stayed in the hospital to see who
    had accessed their records. Random audits were
    also run on individual staff to check their use
    of the system. Staff has been warned since the
    incident that looking up patients under their
    care, including neighbors, friends, relatives,
    their own children, or themselves, is not
    acceptable. One healthcare official said that
    although the EMR system had the potential to
    allow more access, it also allows for access to
    be traced better than the old paper records
    system.

10
More frequently
  • Users check their own records
  • family's records
  • neighbors' records
  • friends' records
  • exes' records
  • (this gets to be a legal
    problem)
  • and so on

11
Prevention
  • Remind users periodically that there is a proper
    procedure to follow to get access to records.
  • Make that procedure reasonably painless
  • But follow state law
  • Deny access when access not appropriate
  • Audit accesses and follow up
  • Public flogging might be useful but probably is
    not constitutional

12
Curiosity is good, snooping BAD
  • Random audits find random problems
  • They are hard to do accurately.
  • They are virtually impossible to do without
    software to manage documentation and provide
    queries.
  • Targeted audits are good when someone tells us
    about a problem or when celebrities show up.
  • Just knowing that you do audit cuts down on
    violations.

13
This gets tricky when
  • Last names are not the same, especially with
    exes.
  • The organization gets big enough so that no one
    knows everybody.
  • Neighbors live around the corner so street names
    are not a tip-off.
  • Do we load Google Maps into the User Audits?
    (Thanks to John Sharpe for that idea.)
  • Automation is the only way to go.

14
How do you fix human nature?
  • Short answer: you don't.
  • Longer answer:
  • Audit periodically, frequently, or when asked
    for
  • Tell your staff that you audit
  • Act on the audit and discipline when problem
    found
  • Automate the process as much as is possible
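
As an added example (not from the presentation), here is a small Python audit script that applies the checks described on slides 11 to 14 to a constructed EMR access log: self and family lookups by shared surname, neighbors and exes by shared street address (a plain-text stand-in for the Google Maps idea), VIP patients for targeted audits, and an assumed unit-mismatch heuristic that only produces leads for a human reviewer. The staff directory, patient index and log lines are all constructed.

```python
"""Record-access audit over a constructed EMR access log (added example)."""
import re
from collections import namedtuple

Staff = namedtuple("Staff", "last_name street unit")
Patient = namedtuple("Patient", "last_name street unit vip")

# Constructed staff directory (user_id -> details); not real people.
STAFF = {
    "jsmith": Staff("Smith", "12 Elm St", "ICU"),
    "mlee": Staff("Lee", "40 Oak Ave", "ER"),
    "rdoe": Staff("Doe", "7 Pine Rd", "Lab"),
}
# Constructed patient index (MRN -> details); the vip flag marks celebrities.
PATIENTS = {
    "1001": Patient("Smith", "12 Elm St", "ICU", vip=False),
    "1002": Patient("Clooney", "1 Star Blvd", "ICU", vip=True),
    "1003": Patient("Nguyen", "40 Oak Ave", "ER", vip=False),
    "1004": Patient("Brown", "99 Main St", "ER", vip=False),
}
# Constructed access log, one "date time user_id mrn action" per line.
LOG = """\
2007-10-10 09:12:05 jsmith 1002 VIEW
2007-10-10 09:15:41 jsmith 1001 VIEW
2007-10-10 10:02:13 mlee 1003 VIEW
2007-10-10 10:30:00 mlee 1004 VIEW
2007-10-10 11:45:22 rdoe 1004 VIEW
"""
LINE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")


def reasons_for(user_id, mrn, staff=STAFF, patients=PATIENTS):
    """Audit flags for one access; an empty list means nothing to review."""
    who, rec = staff.get(user_id), patients.get(mrn)
    if who is None or rec is None:
        return ["unknown user or record"]
    flags = []
    if rec.vip:
        flags.append("vip patient")            # celebrities: targeted audit
    if who.last_name.lower() == rec.last_name.lower():
        flags.append("shared surname")         # self or family; misses exes
    if who.street.lower() == rec.street.lower():
        flags.append("shared address")         # household, neighbors, exes
    if who.unit != rec.unit:
        flags.append("outside assigned unit")  # assumed heuristic, lead only
    return flags


def audit(log_text, staff=STAFF, patients=PATIENTS):
    """Parse the log; return (timestamp, user, mrn, flags) for flagged accesses."""
    hits = []
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue                           # skip malformed lines
        day, clock, user, mrn, _action = m.groups()
        flags = reasons_for(user, mrn, staff, patients)
        if flags:
            hits.append((f"{day} {clock}", user, mrn, flags))
    return hits


def who_touched(log_text, mrn):
    """Targeted audit: every user who opened one record (e.g. a celebrity's)."""
    users = set()
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if m and m.group(4) == mrn:
            users.add(m.group(3))
    return sorted(users)
```

Every hit still needs a human to decide whether the access was part of the user's job; the script only narrows the list the random audit would otherwise have to read in full.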

15
In summary
  • Anyone you hire should be reasonably teachable
  • Make your expectations known at orientation
  • Follow up periodically
  • MOST will meet expectations
  • Get rid of those who don't

16
Users don't take data security seriously
  • Most work sites, nursing units, and such are like
    swamps with alligators
  • You know what your highest priority is and it is
    NOT data security.

17
Users ignore security policies
  • Security Policies Often Go Unheeded (December 6,
    2007) A survey of nearly 900 IT security
    professionals conducted by the Ponemon Institute
    found that many workers do not abide by
    established security policies, either because
    they are unaware of the policies or because they
    find them inconvenient. More than half of
    respondents admitted to having copied
    confidential company data onto USB drives,
    although 87 percent said they knew the practice
    violated company policy.
  • Nearly half of respondents said they share
    passwords with colleagues; two-thirds said
    sharing passwords violates policy at their
    organizations. One-third of respondents said
    they had sent work documents as attachments;
    almost half of respondents were unsure whether
    doing so violated their companies' policies.
    Sixty percent of respondents said their companies
    had no formal policy that prohibits installation
    of personal software on work machines. Almost
    half said they had downloaded software, including
    P2P programs, onto company computers.
  • http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9051483&source=rss_topic17

18
Even IS contractors don't think securely
  • Stolen Laptop Holds Patient Data; Contractor
    Violated Policy (December 10, 2007) Approximately
    45,000 patients who were treated at Sutter
    Lakeside Hospital in Lakeport, California have
    been notified by letter that their personal
    information has been compromised.
  • The data were being transferred from one secure
    system to another during an equipment upgrade; a
    contractor violated hospital policy by
    downloading the data to a laptop computer that
    was later stolen.
  • The hospital has terminated its relationship with
    the contractor, who had been hired for a special
    IT project. The compromised data include names,
    addresses, dates of birth, Social Security
    numbers (SSNs), and in some cases billing and
    diagnosis information.
  • http://www.record-bee.com/local/ci_7687954
  • Why wasn't the laptop encrypted???

19
Lost Flash Drive
  • http://wcco.com/local/doctor.patient.information.2.642107.html
  • A provider had a flash drive with over 3000
    patient histories on it.
  • Policy said it should be encrypted. It was not.
  • It got lost
  • This was a fertility clinic, need I say more?

20
Backups
  • We all agree that our systems need some sort of
    backup
  • What happens when we apply that to our personal
    hard drives and home based systems?
  • How many of us have our systems fully backed up
    in case they fail?

21
From SANS NewsBites
  • Backups are really important
  • "People keep telling me backups on laptops,
    backups on the local drive are the user's
    responsibility. However, in all my days, I
    haven't yet met a responsible user, so I don't
    see how making it the users' responsibility makes
    sense."
  • 12/7/07

22
This was sent from someone's e-mail because they
walked away still logged in.
Be sure you log out or things like this may
happen to you. I received this; I did not
actually send it!
23
Panic post to HIPAAlive
  • An office manager got this message: "Apparently
    one of your employees went on to a P2P music file
    sharing site, and accidentally published the My
    Documents folder. You will want to locate the
    computer in question, and have the P2P program
    removed."
  • I heard about this vulnerability months ago on
    WTMJ radio with the news guy calling people whose
    SSN was viewable on line.
  • Not exactly a security geek thing

24
So, what do you do about it?
  • I don't have a good answer
  • Training, but balance too little vs too much
  • Remember the boy that cried wolf
  • You do want people to pay attention
  • Reminders
  • Be careful about frequency (see above)
  • Nothing gets attention better than a nearby
    horror story

25
What to do
  • Remind users about security when they log in,
    expect that most will tune you out.
  • Be sure you have policies about system use
    written clearly and easily available even if no
    one actually reads them.
  • There is no reason for P2P file sharing in our
    workplaces. Enforce that!
  • Do security rounds and point out problems that
    you see.
  • Be sure that security policies are practical and
    enforceable.

26
Passwords are a pain.
  • I was told a story about an IRS auditor.
  • Their stuff needs to be really secure, obviously.
  • Each application has a different user ID and
    password. So far that is clumsy, but not bad.
  • So that they did not get forgotten, he kept a
    notebook of all passwords in his briefcase. The
    laptop was also in the briefcase.
  • As the person who told this said, this was secure
    until the briefcase got lost or stolen and found
    by someone with a crowbar.

27
Password audit
  • I did an audit of the passwords used in our
    Meditech system. I can print a report that lists
    them without user IDs so nothing really gets
    compromised.
  • Our minimum length is 5 characters.

28
Password audit
  • Dictionary words: 17
  • Names: 39
  • Word and single digit: 13
  • All same character: 3
  • All digits: 6
  • Better than the above: 27 (does not mean
    good)
  • This is the first two pages of a list of
    passwords from our system. I think our users are
    no less creative than anyone else.
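
To make the tally above repeatable, here is an added Python example (not the presenter's report) that sorts a password list into the same categories and counts entries below the 5-character minimum; the word lists and sample passwords are constructed stand-ins for a real dictionary file and names file.

```python
"""Classify a password list into the categories used on the slide (added example)."""
import re
from collections import Counter

MIN_LENGTH = 5  # the minimum length stated on the slide

# Constructed, deliberately tiny word lists; a real audit would load a full
# dictionary file and a names file (every word in lowercase).
DICTIONARY = {"password", "summer", "winter", "hospital", "welcome", "nurse"}
NAMES = {"john", "mary", "susan", "mike", "linda", "kevin"}

WORD_DIGIT = re.compile(r"^([a-z]+)([0-9])$")


def classify(password):
    """Return the slide's category for one password (most trivial checked first)."""
    p = password.lower()
    if len(set(p)) <= 1:
        return "all same character"           # also catches an empty password
    if p.isdigit():
        return "all digits"
    if p in NAMES:
        return "name"
    if p in DICTIONARY:
        return "dictionary word"
    m = WORD_DIGIT.match(p)
    if m and (m.group(1) in DICTIONARY or m.group(1) in NAMES):
        return "word and single digit"
    return "better than the above (does not mean good)"


def audit(passwords, min_length=MIN_LENGTH):
    """Tally categories across a password report and count entries below minimum."""
    tally = Counter(classify(p) for p in passwords)
    too_short = sum(1 for p in passwords if len(p) < min_length)
    return dict(tally), too_short


# Constructed sample standing in for a printed password report (no user IDs).
SAMPLE = ["summer", "john", "mary1", "aaaaa", "12345", "2MT2C", "welcome2", "kevin"]

if __name__ == "__main__":
    tally, too_short = audit(SAMPLE)
    for category, count in sorted(tally.items(), key=lambda kv: -kv[1]):
        print(f"{count:3d}  {category}")
    print(f"{too_short} password(s) shorter than {MIN_LENGTH} characters")
```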

29
My favorite
  • From the list that I looked at, my favorite good
    password was 2MT2C
  • It could be longer, but:
  • It would be hard to guess
  • It would be easy to remember
  • It would be hard for a password cracking program
    to figure out
  • It also gives no hint about the person's user ID
  • It will have expired by the time you see this

30
How long should they last?
  • 30, 60, 90, 120, 180, 270, 365 days
  • Never expire
  • Think about the PIN for your ATM
  • Think about the risks of shoulder surfing or
    other password stealing schemes
  • Think about the pain of frequent password changes
  • Balance it all together and pick a number that
    your organization is comfortable with.

31
Problems
  • Most users will not pick good passwords
  • Some users will forget their password
  • Some users will write their password down where
    it can get found
  • Ban Post-it notes (I know it's not possible)
  • Check under mouse pads
  • Password cracking programs are easily available
    to those who want them

32
So what do you do about this?
  • Keep your training positive
  • Wrong: "If you make bad passwords, the HIPAA
    police will get you"
  • Right: "Good passwords protect your privacy as
    well as your patients' privacy"
  • Wrong: "Bad passwords lead to bad care"
  • Right: "Good security is good patient care"
  • Concept blatantly stolen from Tom Walsh's recent
    HIMSS presentation

33
So what do you do about this?
  • Alternatives
  • RFID proximity devices
  • Finger print readers
  • Iris scanners
  • Palm scanners
  • Secure Roaming (my current favorite)
  • If you must use passwords, train users about good
    ones

34
Cool new product
  • BioPassword
  • Works by carefully measuring how individuals type
    their password
  • Vendor offered cash to anyone who could type his
    password, no one could
  • Based on concept developed in WWII to monitor
    where Morse Code operators had moved to

35
Adding and deleting users must be taken
seriously.
  • People change jobs
  • How's that for stating the obvious?
  • When they start a new job they need access
  • When they move within the organization they need
    changed access
  • When they leave, access needs to go away
  • If not done right, there can be problems

36
Recently
  • (August 27, 2007) A federal jury has convicted
    Jon Paul Olson of intentionally damaging
    protected computers. Olson left his job at the
    Council of Community Health Clinics (CCC) in San
    Diego after he received what he believed to be a
    negative performance evaluation.
  • Several months after his resignation, Olson
    deleted patient data that belonged to the North
    County Health Services (NCHS) clinic, causing
    financial losses at both CCC and NCHS. Olson had
    worked for CCC as a network engineer and
    technical services manager.

37
My editorial comments
  • This happened months after he left, his access
    should have been long gone.
  • We had auditors and JCAHO inspectors specifically
    ask about our procedures for inactivating
    employees who have left us.
  • Get this done right!
  • To do that you need a process and some forms

38
Our new user form (form image with callouts)
  • Copy existing staff carefully!
  • End date if needed
  • Signature required!
  • Date when completed
39
Problems
  • Directors do not know what their staff has access
    to.
  • Probably should
  • Dont really
  • Then there are those users who stay casual in
    their old department and IS has to figure out how
    to combine their old job with the new one
  • Talk about time wasters

40
Problems
  • People's job functions change even if their job
    description does not
  • I get calls from directors asking for additional
    routines for users all the time
  • I tell them to get it to me in writing (usually
    Outlook mail)
  • This creates problems when they tell you to copy
    into new user. Does this new person really need
    the same special routines? Sometimes yes, others
    no.

41
Generic User Templates
  • We discussed setting up inactive model users for
    copying to new ones.
  • We decided not to do this
  • Too many job descriptions to be maintained
  • Difficult to keep up to date
  • Not enough time to devote to the set up of these
  • YMMV
  • If this might work for you, great!

42
Non-employees with access
  • Nursing Home staff
  • We give nursing home staff very limited access.
    They can only see their own patients.
  • Instead of the form they can either fax me their
    employee's full name on their letterhead or
  • E-mail me the detail using their business address
  • Twice each year I list all their users and send a
    copy to the nurse director to verify that they
    are still employed there

43
Others
  • Contract employees
  • Students
  • Temps
  • We require the same form as all others to get
    them into our systems.
  • No standard way to make sure they get terminated

44
Problems
  • Since temps, contract employees, and students are
    not in PP, they do not automatically show up
  • We do ask anticipated last date on the form
    requesting access
  • I put a task in Outlook to pop up and remind me
    to follow up on these.
  • We have a separate spreadsheet to track them
  • Getting directors to remember is a challenge

45
Removing access
  • Employees leave
  • They get better jobs
  • They retire (best job of all)
  • They have children and can't work outside the
    home (working hard enough there)
  • They get downsized
  • They get fired
  • They get outsourced (I know from experience)

46
You need a process here
  • Do NOT trust the director to tell you when someone leaves
  • When someone resigns, the director usually wants
    a replacement
  • For that they need to talk with HR
  • When someone is fired, outsourced, or laid off HR
    needs to be involved
  • HR loves paper

47
Our process
  • Each MIS area has manual procedures to inactivate
    access for terminated users
  • I would like to automate the whole process. I
    think I can do it with a script
  • Example of spreadsheet is below

48
Unfriendly termination
  • Sometimes this process is not fast enough
  • Employees get fired for a variety of reasons
  • We have terminated employees for viewing records
    that they did not need to see and did not have
    authorization to view
  • When that happens HR is required to give the MIS
    director a call to inactivate all access.
  • If not available the call goes to our network
    manager
  • There cannot be a delay

49
Our system
  • To make this work we combine features of
  • Meditech PP module
  • Kronos
  • Shams Data Repository
  • Microsoft Excel
  • Microsoft Outlook
  • And the programming skills of our DBA
  • Don't ask me the details

50
Our process
  • If someone resigns
  • HR gets a paper resignation
  • Their status in Meditech PP is changed to
    pre-terminated
  • This generates an Outlook message noting the
    change and puts the name in our resignation
    spreadsheet
  • A last date is listed also
  • The day after the last date, an e-mail (Outlook)
    is generated that states that the employee's
    Active Directory entry has been terminated

51
Failsafe
  • Our system works great most of the time
  • Some resignations get missed
  • Director doesn't send paperwork to HR until after
    the person is gone
  • Casual employees just sort of get dropped
  • As a failsafe we get a paper list of all employee
    changes from HR
  • It is late, but at least it gets everyone
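
The process on slides 47 to 51, and the temp/contractor tracking on slide 44, as an added Python example (not the presenter's or DBA's script): a day-after-last-date disable list from a PP export, a follow-up list for contractors past their anticipated end date, and an HR-list failsafe for accounts nobody is tracking. All records are constructed; the inputs stand in for the Meditech PP export, the tracking spreadsheet, the directory and HR's paper change list.

```python
"""Account-lifecycle reconciliation over constructed PP, contractor, directory
and HR records (added example)."""
from datetime import date

# Constructed PP (personnel) export: user -> (status, last date as ISO text or None).
PP = {
    "anurse": ("active", None),
    "bclerk": ("pre-terminated", "2008-01-04"),
    "ccoder": ("pre-terminated", "2008-01-10"),
    "dtech": ("terminated", "2007-12-20"),
}
# Constructed contractor/temp/student sheet: user -> anticipated last date.
CONTRACTORS = {"etemp": "2008-01-02", "fstudent": "2008-02-01"}
# Constructed directory (Active Directory) state: user -> account enabled?
DIRECTORY = {"anurse": True, "bclerk": True, "ccoder": True, "dtech": True,
             "etemp": True, "fstudent": True, "gghost": True}
# Constructed HR change list (the late paper list): user -> last date.
HR_CHANGES = {"dtech": "2007-12-20", "gghost": "2007-12-28"}

DEPARTING = ("pre-terminated", "terminated")


def _passed(last_iso, today):
    """True from the day after the last date onward; None means no date known."""
    return last_iso is not None and today > date.fromisoformat(last_iso)


def accounts_to_disable(today_iso, pp=PP, directory=DIRECTORY):
    """Enabled accounts whose PP last date has passed: the day-after disable step."""
    today = date.fromisoformat(today_iso)
    return sorted(u for u, (status, last) in pp.items()
                  if status in DEPARTING and _passed(last, today) and directory.get(u))


def contractor_followups(today_iso, contractors=CONTRACTORS, directory=DIRECTORY):
    """Temps/contractors/students past their anticipated last date and still
    enabled: the reminder to ask the director whether they are really gone."""
    today = date.fromisoformat(today_iso)
    return sorted(u for u, end in contractors.items()
                  if _passed(end, today) and directory.get(u))


def failsafe_orphans(today_iso, pp=PP, contractors=CONTRACTORS,
                     directory=DIRECTORY, hr=HR_CHANGES):
    """Enabled accounts nobody is tracking (in neither PP nor the contractor
    sheet) or that HR's change list says have left. Late, but it gets everyone."""
    today = date.fromisoformat(today_iso)
    orphans = []
    for user, enabled in directory.items():
        if not enabled:
            continue
        untracked = user not in pp and user not in contractors
        if untracked or _passed(hr.get(user), today):
            orphans.append(user)
    return sorted(orphans)


if __name__ == "__main__":
    day = "2008-01-05"
    print("disable today:", accounts_to_disable(day))
    print("ask director about:", contractor_followups(day))
    print("failsafe catches:", failsafe_orphans(day))
```

An account can appear on both the disable list and the failsafe list (dtech in the sample); that overlap is the point of the failsafe.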

52
Physical Security: Don't forget about it!
53
Stolen Laptop Had 268,000 Social Security Numbers
  • ST. PAUL (AP) -- A Twin Cities blood bank says a
    laptop computer with 268,000 names and Social
    Security numbers has been stolen.
  • Memorial Blood Centers said Wednesday it has
    begun notifying blood donors of the theft, but
    they should monitor their financial accounts as a
    precaution. The laptop computer was taken on Nov.
    28 in downtown Minneapolis during preparations
    for a blood drive.
  • Dec 5, 2007

54
Hospital Server Room Overheats, Destroys Equipment
  • Internal auditors are conducting an investigation
    at St. James Hospital in Leeds to discover the
    reasons a server room overheated, permanently
    damaging GBP 1 million (US $2.04 million) worth
    of equipment. The system in the room was designed
    to store patient x-rays but had not yet gone
    live, so patient care was not affected by the
    incident.
  • http://www.theregister.co.uk/2007/09/27/leeds_server_overheat/print.html
  • Editor's Note (Grefer): Whenever feasible, build
    in redundancy in your A/C setup. Operating a
    single A/C unit at full power reduces its life
    expectancy and creates a single point of failure.
    In case such a setup is not feasible, at least
    invest in heat sensors and a system that allows
    for automatic shutdown of non-critical systems
    early on as well as automatic shutdown of
    critical systems at the last minute.
  • (September 27, 2007) SANS NewsBites

55
BlackBerries
  • Q: Ask the expert: Is it appropriate for
    caregivers, such as nurses and physicians, to use
    Blackberries to e-mail patient data?
  • A: The answer is an easy one -- most definitely
    not. Blackberries generally transmit messages via
    mobile services, such as Verizon and AT&T, for
    example. Messages sent via cell phone,
    Blackberries, or smart phones are not secure.
    Someone knowledgeable can easily intercept
    messages. Unless an organization contracts with a
    mobile service provider that offers an encrypted
    channel -- and most do not -- sending patient
    information via a Blackberry is almost worse than
    sending an unencrypted e-mail or instant message.
  • This Q&A was adapted from the December 2007 issue
    of Briefings on HIPAA.
  • Again, remember the physical security of your
    devices.

56
Flash Drives
  • Flash Drive Left in Swedish Library Holds
    Sensitive Military Data (January 4, 2008)
  • That person could face up to six months in
    prison.
  • The Security Work Group just posted a white paper
    on portable media.

57
This may be stating the obvious, but
  • Back up everything. Store it securely
  • If it has PHI and portable, encrypt it.
  • Keep a copy of everything important off site
  • Lock your server room doors
  • Log out or lock your PC when away from it
  • Securely dispose of old data devices

58
Train your users that:
  • computers belong to the healthcare organization
  • anything produced or accessed on the computer
    belongs to the healthcare organization
  • there is no expectation of privacy for anything
    on the computers
  • all computers and all users may be subject to
    routine audits and, when necessary,
    investigations, performed without their
    permission, but always with a supervisor's
    oversight
  • Stolen from Greg Young, CHP, Mammoth Hospital

59
In conclusion
  • Hire carefully
  • Not always easy to do
  • Have clear readable policies and live by them
  • Train carefully
  • Audit
  • Retrain/reinforce training

60
Questions
  • Thanks to
  • Caretech Solutions (my bosses) for letting me
    come here
  • Microsoft for clip art
  • SANS, MLO, HIPAAlive, and others for news items
  • All of you for listening to me