New Survey Finds that Healthcare IT Pros Most Concerned About Electronic Data Breach

Healthcare IT News recently asked its readers which healthcare data breaches worry them the most. Not surprisingly, the vast majority (80 percent) of respondents said electronic data breach/hack, while only 13 percent worried about hardware theft, followed by 7 percent concerned about the theft or loss of paper records. This concern is warranted. For instance, a recent article in the Fort Worth Star Telegram highlighted the growing trend of doctors using smartphones and tablets to access medical data. According to the story, hospitals in North America spent $7.4 billion on electronic records in 2010, and the 2009 stimulus act has earmarked $50 billion to help government and private healthcare providers offer EHRs over the next five years. So what does this look like in practice? Here’s an anecdote from the piece: If a patient of Arlington physician Ignacio Nuñez shows up at the emergency room when the doctor is not at the hospital, he doesn’t have to wait long to start investigating what might be wrong. The obstetrician/gynecologist can call up an expectant mother’s medical records on his iPhone, or even watch the fetus’s heartbeat on the device once the woman is connected to a hospital monitor, wherever he might be at the time. … According to AirStrip, the San Antonio software company that developed the app Nuñez uses, there is only a three- to five-second lag to get information to the physician’s mobile device. AirStrip also makes a version for cardiologists and has an upcoming version that will monitor other critical data in intensive care units and emergency rooms. Groundbreaking, indeed. But what about from a security perspective? We’d like...

New Survey: Employees Complain About IT Security Policies

You know the scenario: you implement your organization’s security policy, and within minutes you can hear employees groaning and mumbling about IT. According to a new survey, employees don’t just complain to each other; they are now complaining directly to IT. Four in 10 CIOs interviewed for the Robert Half Technology survey said that it’s at least “somewhat common for employees to complain about security measures that limit which websites or networks they can visit at the office.” IT professionals have long grappled with being the organization’s “bad guys,” limiting access and denying service to frustrated employees. To dodge outright mutiny, IT professionals can help employees better understand why we have to restrict and monitor what they do. To do this, we’ve turned the survey’s suggestions for employees confronting IT administrators on their head to make a list for IT professionals. Be Open to Questions. Nobody likes to be told policies exist “just because.” If an employee wants to know why a certain site or network is restricted, tell them why. And if they’re not especially tech-savvy, do so in layman’s terms. The answer can be simple, but fostering this dialogue will make employees more comfortable with restrictions. Listen to Business Cases. IT professionals are sometimes so far removed from the rest of the organization that they don’t understand why blocking certain sites and networks is detrimental to business. When employees make legitimate business cases to change the IT policy, listen. We’ve heard stories of IT departments blocking social media channels at news organizations, leaving reporters scrambling on their mobile devices to catch up on breaking news stories....

PCI Security: Q&A with Anton Chuvakin, PCI Compliance Expert, PART 2

In the second of a two-part series, VPN Haus talks to PCI compliance expert Anton Chuvakin about cloud compliance and the prevalence of the “it won’t happen to my company” attitude. Last week, we spoke to Chuvakin about the way the industry has misunderstood, and undervalued, PCI standards. VPN Haus: You’ve mentioned that some companies take a “nobody wants to hack us” attitude to compliance. What kinds of companies tend to take this approach? What kinds of companies tend to be most vigilant – ones that have already had a breach? Chuvakin: While many in the security community would quip that only stupid companies would say that “nobody wants to hack us,” reality is slightly more complicated. Perception of electronic and digital risks does not come naturally to people – and IT managers and directors are people too. So many organizations will severely underestimate computer risks and, sadly, some would pay with their very existence for this mistake… In regards to more vigilant organizations, you are correct: breached companies are indeed the more vigilant – but only for a certain time. Some say a breach gives a boost to security awareness, elevating vigilance for about a year. VPN Haus: Are the consequences of a security breach for PCI companies enough of a deterrent? Chuvakin: Apparently not. Just look at all the companies that only pay lip service to security and PCI compliance, and then get upset after they are breached. Don’t get upset — the breach is a natural result of your own behavior; please learn to take the responsibility. VPN Haus: How would you describe PCI’s...
Internal Security Policy and the “Wild” Web 2.0 Frontier

By David Torre, Guest Contributor. Internal information security policies have existed within the enterprise since the dawn of the information technology era. Viewed by many as a necessary evil and simply a check-box compliance item, a well-written internal security policy has become, perhaps ironically, more important than ever in a world saturated with digital information. Traditionally, internal policies were developed to demonstrate an organization’s commitment to information security and to provide clear and consistent computing guidelines by which all employees must abide. Even today, such time-honored objectives remain relevant. Yet as mobile and cloud computing continue to shape the information technology landscape, it has become increasingly difficult for information-wielding knowledge workers to protect the organization’s most cherished asset: intellectual property. As if protecting trade secrets from prying outsiders weren’t challenging enough, security professionals also face threats that originate from within the enterprise. While tales of malicious insiders or corporate espionage make for intriguing conversation, most of us working in the trenches have discovered that perhaps the most significant risk to the organization is the naive end-user, one who cannot easily discern between safe and unsafe information handling practices. Consequently, this presents a dilemma of where to draw the line on acceptable levels of security aptitude. Take for example a cloud-based solution which is blatantly advertised as being “enterprise-friendly,” or a consumer smartphone that ships with a “Connect to Exchange Mail Server” icon on the home screen. It’s easy to see how users may become perplexed when attempting to determine where the corporate IT boundary ends, and...