Wednesday, October 5, 2016

Today, Mayo Posts "How to Fend Off Phishing Attacks." What About Data Security?

My buddy Bill Siwicki of http://healthcareitnews.com (well, I know him because I've been reading his posts forever.  Maybe he will return the favor) posts a softball from the Mayo Clinic titled "Gone phishin': Mayo Clinic shares tips for fending off attacks", detailing how they keep attackers from phishing, which is quite literally hacking the users of health IT software rather than the software itself.

Yes, it's about training and repetition and giving positive feedback when an employee identifies and reports a (fake) phishing attack.  We can't help you with that.  We are socially awkward geeks, so take Dr. Mark Parkulo's advice on the social side of security.  Conspicuous by its absence is what Mayo thinks about security on the data itself.  I think that phishing is about a tenth as prevalent as direct attacks because hacking software is what hackers do.  Phishing requires the hacker to step outside the shadowy computer world, which has definite rules, into the social world of people, where you have to convince them to do something you want them to do.

So why did Dr. Parkulo and Mayo decide to ignore 90% of cyber security?  My guess is that they don't know much about it.  Most practices don't.  On Dec. 28, 2015, on the same site http://healthcareitnews.com, Bernie Monegain posted a list of the "10 most recent HIPAA breaches", ALL of which happened in the first part of December.  Even worse, at the bottom of the article there is a slideshow detailing all the big data breaches for 2015, and after that a list of all 1683 known HIPAA data breaches for 2015 according to the U.S. Department of Health and Human Services Office for Civil Rights (OCR).


Clearly doctors focus on the human side, as they should.  I keep crowing about security here, and have stated numerous times that nobody is getting into my database that doesn't shave my face in the morning (barbers don't generally shave me in the morning).  I assumed this would taunt hackers into finding some kind of hole they could exploit, but as I suspected, they can't.  Our sister company Sentia Health has securely published medical records to the internet in our Software as a Service (SaaS) Electronic Medical Records (EMR) system since 2009 and has never had a breach.  Our database uses its very structure to limit the records an authorized user can see to only the ones belonging to patients who call that user's location primary.  There are universal searches, as practitioners may need to see records outside of their particular practice, but those are only available to the practitioner with the oddball patient needing attention.

Each time a practitioner (or a patient) logs in, he or she is issued a globally unique identifier (GUID) that identifies the combination of that user and that session.  When the user logs out or gets timed out, that GUID is deleted.  The GUID must be supplied for every call to the database, and the user is authenticated on every call.  Even if the database user ID and password were somehow stolen and used to connect directly to the database, the attacker could only see the names of the stored procedures, not even the table names, and without a valid session GUID would not be able to execute those procedures or get any data.  I'm tempted to publish the user ID and password here and let them try.  They still won't get anywhere.

As for why Mayo and Dr. Parkulo didn't mention the other 90% of security, it's probably because they have had a couple of data breaches in recent memory as reported by the OCR.  Go to the link above (or here), click "Show Advanced Options" and type "Mayo" into "CE / BA Name Search" text box.  You'll see what I mean.

I'm positive that if I tried to "doctor", there would be great gnashing of teeth in the land and I would probably end up in prison.  So doctors, leave the software to us programmers.
