Net Neutrality

Net Neutrality is a simple concept: the Internet should be a level playing field. Everyone and every company should get the same level of service. You should always be able to access any lawful content you want at any time. You do not expect to have to pay more for gasoline to drive to the mall than to drive to grandma’s house. You do not expect a policeman to stop you and, depending on your destination, inform you of a different speed limit, or prohibit you from even going there.

This might seem obvious to you, and you might think that competitive pressures on the companies providing the actual connection to the Internet to your home or company, the ISPs (Internet Service Providers), would make this not an issue. But you would be wrong.

There are just six telecommunication giants that control almost all Internet connections in the US: AT&T, Charter, Comcast, Cox, Time Warner, and Verizon. The few smaller local companies need to rely on one of these six to get outside their local area. In many areas, there is only one or two of these giants available, making them virtual if not actual monopolies. In my area, you have the choice of Comcast or Verizon.

These companies all have the technology to read your emails, social media messages, and anything else sent unencrypted over the Internet. And, in fact, they have done so, and taken action based on message content. AT&T jammed a rock star’s political protest, Comcast throttled online file-sharing through BitTorrent, and Verizon censored NARAL Pro-Choice America among a number of such actions.

On the surface, the giants claim to be all for Net Neutrality. Comcast has created a big ad campaign touting their commitment to “full net neutrality,” which they never define. What it seems to mean is their commitment to follow the 2010 FCC (Federal Communication Commission) rules, which include both no-blocking and anti-discrimination provisions. However, earlier this year a federal court overturned the FCC rule on a technicality. In any event, those rules expire in 2018. The reason for this ad campaign: so that regulators will not use Comcast’s anti-regulation attitude against them as they seek to merge with Time Warner Cable.

In my view, the solution is for the FCC to redefine broadband so it comes under the same rules of access and availability that cover traditional phones, which the federal court actually hinted they should do.

You might also check out the ACLU’s position.

The last word:

These giant ISPs need to be regulated. We have personally had really bad experiences with both Verizon and Comcast. We had a copper landline, which annoyed Verizon. They are trying to eliminate all copper connections, both to save money and to get out from under the FCC regulations they face with landlines, such as they must serve everyone. They offered all kinds of incentives to move us to FIOS. After our copper phone line was out for four days due to a FIOS failure, we abandoned our copper line and went to Comcast XFINITY. In the first 30 days with Comcast we have had two days with no phone, Internet or TV, plus numerous other “minor” outages with one or both TVs.

The merger of Comcast and Time Warner will bring a new level to customer service: both rank at the top of customer service complaints.

This is another occasion where I agree with President Obama.

Comments solicited.

Keep your sense of humor.


Security in the Cloud

I first posted about Cloud Security in a two consecutive postings four years ago here and here. I guess I was pretty optimistic about the future of security in the Cloud. I predicted that a number of cloud service providers would be offering comprehensive Security as a Service offerings providing a consistent cost-effective security solution for companies by 2012. While a number of companies do have offerings in this area, none have yet become a total security solution. Organizations are still responsible for a lot of their own planning and implementation. Solutions from companies like McAfee, CISCO, and Semantic are well worth looking at, but don’t expect to write one check and be done.

In the meantime, every organization is moving to the Cloud, often without knowing it. Every time they have a partner who performs some function for the organization where data is stored or moved outside of the control of your IT department, you are using the Cloud. You do this because it is less expensive and usually something you just don’t want to think about. If you use SalesForce, Google or Microsoft collaborative systems, let your Internet Service Provider handle your email, or use a third party to accept orders and payments, you are in the Cloud.

Over the past few weeks several people from different lines of business have asked me essentially the same question, “What’s different about security in the Cloud?” And they want the answer in less than two minutes.

So here goes.

Your security requirements in the Cloud are identical to those you had before. You still need to protect the same data to the same level. The Cloud can make meeting those requirements more difficult, or even impossible. Or it can make it easier and less expensive.

If you are not secure today, you will not be secure in the Cloud. You need to get secure in your current environment before you consider a move to the Cloud. This means you must have a security policy, and enforce it.

When you move to the Cloud you are adding new partners. Vet them the same way you would vet any other partner in terms of financial stability, reputation, past security problems, support capabilities, and general corporate vision.

You are often adding invisible partners. Your Cloud Service Provider (CSP) may, for example, use a company in Shanghai as their networks operation center. Find out who they use and how they vet and monitor them.

A good CSP will provide better security monitoring and keep your systems they control up to date on OS and attack protection software. Almost always their datacenter is more physically secure then yours is. Take advantage of every security capability they offer. Also consider utilizing their disaster recovery options. Because of their economy of scale, you will probably find a much better recovery environment then you have at a fraction of what it would cost you.

Make sure what your Cloud partners propose matches your security requirements and are consistent with your security policy. Get everything in writing. You may not find a single CSP that will meet all of your requirements for all of your workloads. Most of you will eventually end up with Hybrid Clouds, a mix of several different cloud models from very likely multiple CSPs.

The last word:

You also use the Cloud at home. If you store photos in the Cloud, buy music from iTunes, books from Amazon, pay with PayPal, access your bank and investments from your smart phone you are in the Cloud. Think about what you do where something of yours leaves your control. If that something has value to you, or could impact you if someone else had it, then you need to take the basic precautions.

  • Do not go to web sites you do not trust.
  • Do not click on a link in an email if you don’t really know who is it from. Check the sending email address to make sure it from the company it claims to represent.
  • Never give out passwords to someone in an email or phone call.
  • Use a different non-trivial password for each site.
  • Monitor often each financial account that you access online.
  • Consider an identity protection offering like LifeLock.

You don’t need anything like the same security for accounts that do not have your information. For example, if you have accounts at several news agencies, professional associations, other informational web sites it is fine to use the same user name and password across them.

Comments solicited.

Keep your sense of humor.


Password Managers

Over two years ago I wrote about The Password Conundrum. Unfortunately, things are getting worse, not better. The 2014 Data Breach Report includes weak passwords and the reuse of the same password for multiple purposes as among the reasons both companies and individuals get hacked.

Unless you have the memory of police detective Carrie Wells on the CBS TV Show “Unforgettable” or use some form of procedural memory mechanism, you need to write all of your passwords somewhere. Since you constantly refer to it, this list has to be close to you, especially when you travel. An alternative is to use one of the many password management programs that are out there. I recently reviewed two of these programs that take significantly different paths. I like each of them, and you will be well served by the programs and just as important the companies behind them.

I only deeply reviewed these two packages, so other packages may be suitable for you as well. At a minimum, the questions I asked and the reasons for selecting these two may help you make your own decision.


1Password from Agilebits makes it easy to manage all of you passwords across a variety of platforms (Macintosh, Windows, Android, and iOS). It will generate very strong unique passwords for each of your accounts. It can also securely store other critical and private information such as bank account and passport numbers, and those “sticky notes” of private information you stash around the office or home, and then never find when you need them. The information is stored on and automatically synchronized across all of your devices so everything is always with you. All you need to remember is the one password to get you into 1Password. If you forget it, Agilebits support will not ask you for something hundreds of people know like your favorite high school teacher or where you were married; they ask for information about the specific credit card you used when you purchased 1Password.

Your passwords and other information are never stored at Agilebits nor accessible by Agilebits support personnel. Agilebits is a Canadian company so it is significantly more difficult for the US National Security Agency to compel them to give any information such as your 1Password password.

Agilebits takes security seriously and have implemented 1Password to the current highest standards of encryption and best practices about what data they keep about you and the way it is stored and accessible. The weakest link in the whole process is the syncing of your data among your devices, which requires that the data pass through the Cloud. That data is, of course, strongly encrypted and these risks are insignificant. To protect against password guessing tools that can typically try hundreds of thousands of passwords a second, 1Password uses PBKDF2 to significantly slow down the password authentication process. You will not notice the additional fraction of a second as you enter your password, but it slows down the guessing process so that a guessing program may only be able to guess dozens of passwords a second making the process take a very long time (measured in centuries) to have a slim chance of guessing your password.

1Password allows you to create multiple vaults that can be shared with other individuals with automatic syncing.

1Password has a free option for iOS and Android. For the pro option with additional features, the license fee is less than US$10. A Macintosh or PC license runs about US$35. Agilebits licensing policy is very liberal: one Mac license can be shared across multiple Mac computers used by up to four family members, one Windows license works similarly for multiple Windows computers. One iOS or Android license can be shared across all of your iOS or Android devices.


SecureSafe from DSwiss AG also makes it easy to manage all of your passwords across a variety of platforms with a browser, with apps for Android and iOS. Unlike 1Password, the information is not stored on your device – it is kept, literally, in a former military bunker in Switzerland. It uses several redundant data centers in Switzerland, each of which is compliant with the security standards of the Swiss banking commission. You can securely access your passwords from any device anywhere with an Internet connection. The interface either through a browser or the specific applications is easy to use. It also will generate very strong unique passwords for each of your accounts. It can securely store documents as well.

SecureSafe provides two mechanisms for two-factor authentication. Two-factor authentication means that you need two things to get into your SecureSafe account: something you know and something you have. The something you know is your SecureSafe account password. The something you have is either a fingerprint or your cell phone. You can register a phone number, and when you try to sign in, DSwiss will within a couple of seconds send you a text message with a four character code. Enter that code in the logon screen and you are in.

If you forget your password and contact SecureSafe support, they can’t help you. They do not have the ability to recover your password or your data. However, when you set up the account, you receive an email with a 36-character recovery code that enables you to recover your account.

Secure Safe works well for the individual, but is also designed to support teams. It enables secure document storage and collaboration, and the easy management of access as people join and leave a team or as their role changes.

SecureSafe also provides inheritance, the ability for you to designate someone to receive some or all of the passwords and files in your account in the event of your death or incapacity. You designate someone as the activator, perhaps your lawyer. At the appropriate time, the activator uses a activation code. After a time frame you specified, SecureSafe sends information to each of your beneficiaries that describes how to access your information. At the time of activation, you will receive notification so you have time to cancel the activation if necessary.

DSwiss offers a free subscription to SecureSafe that supports up to 50 passwords, 100MB of storage, and one beneficiary. To use two-factor authentication or extend these limits they have three monthly rates starting at US$1.70 per month, although long-term contracts offer up to a 25% discount. All subscription rates are independent of the number of devices you have.

The last word:

I have been using SecureSafe for the past two months. I choose it over 1Password for four reasons:

  • Complete device independence.
  • Availability of two-factor authentication.
  • My data stored securely in Switzerland by a Swiss company.
  • The inheritance feature.

Of those, only the last was really critical in making my decision. I have long been concerned with Death in the Cloud. Can your loved ones or anyone cleaning up after you find where everything is on-line? I store my “Just in Case” document in SecureSafe so that my beneficiaries will have everything they need to find and access all of our financial and business accounts.

You choice could certainly be different.

Comments solicited.

Keep your sense of humor.



(This is another special posting by Suzy. I hope you enjoy it.)

One of the “mind candies” I enjoy each year is the Mindset List issued by Ron Nief and Tom McBride from the small liberal arts Beloit College in Wisconsin. Originally established to help their own faculty be aware of out of date references, it has now become a touchstone for many of us. We are a youth oriented society, so it is always good to see what the influences are on the current generation of young people, or what influenced you for which they lack any reference.

The current group of rising freshmen was born when our youngest son was preparing to go to college so I found this year’s list particularly poignant. Some of the items on their lists are a bit jarring while others are just a little evocative of our own benchmarks in life.

This incoming class was in kindergarten for the attack that caused the World Trade Center Towers to fall. They binge watch their TV shows generally on a devise other than TV. “Press pound” on the phone is now “hashtag.” Celebrity “selfies” are better than autographs. The water cooler is no longer the workplace social center; it’s the place to fill your water bottle. Women have always attended the Virginia Military Institute and the Citadel. Hong Kong has always been part of China. Students have always been able to dance at Baylor University. Bill Gates has always been the richest man in the U.S. If you wish to see this year’s complete list, or those of previous years, go to https://www.beloit.edu/mindset/2018/

As you read through the various lists for different years you can watch our societal norms shift. Electronics and how we use and depend on them is ever changing. The bit about binge watching TV was one of those. When we first married we didn’t bother to purchase a TV. Today’s young folks often make the same decision for a very different reason. We just had neither the intent nor time to watch any shows as we adjusted to our first year of marriage and full time jobs and graduate school all at the same time. Eventually, we got a television. It was color, but used vacuum tubes not solid-state electronics to put the picture on a large cathode ray tube. That is the large CRT screen most people sort of remember. Ours was a big nineteen inches diagonally on a rounded corner, dark taupe colored square. It lasted us well over a dozen years and only needed one repair because of the helpfulness of our oldest son when he was about four. One afternoon our home phone rang and I turned off the iron and ran upstairs to answer it. We had two phones, one in the kitchen and one in our bedroom, but they were both upstairs and hard-wired into the wall. Our son was watching Sesame Street while I was ironing in the downstairs family room. When I walked back downstairs from the phone call I noticed that the TV was quiet so asked him how long the sound had been off. I received one of those vague looks that children are so very good at giving you when they have no intention of answering. I tried another tact: had he turned the volume down and got a “no.” I then changed channels to see if it was just that one station, but there was no sound anywhere. Becoming somewhat suspicious due to the looks I was getting with no accompanying verbiage from our usually very voluble son, I asked him to recount exactly what had happened just before the sound when out. Seems he had taken my spray-bottle of water from the ironing board and attempted to “clean the TV” by putting the nozzle of the bottle to the very small hole in the center of the channel-changing knob. The cold water had reached one of the hot vacuum tubes. When Walt got home he turned the set around and saw which tube was out, and drove into town, purchased the correct tube, came back and fixed our set.

Ah, the societal changes in that one paragraph. Yes, we only had all of two telephones, that received calls to the house number and they were owned by ATT, which was affectionately known as Ma Bell. It was still a couple of years away from that monopoly being broken up and when we would be permitted to purchase our own phones. Those old phones were workhorses that rarely if ever wore out. Ours were newer and had push buttons even if they had no caller ID. Actually the keypad was the only thing they had. Then again, that was all any phone had. Who would do anything except try to talk to someone a distance away with a phone? At one point it was a fad to play a musical riff by tapping the keys, but it paled quickly as a form of amusement. We were still repairing many of the household appliances in our homes often by ourselves, but sometimes taking them to repairmen. There was some planned obsolescence, mostly in the expected three-year life span of a car. The man who sold Walt the vacuum tube knew what sort of TV we had and that our problem was lack of sound just because of which vacuum tube that needed to be replaced. Walt built many of our first electronic machines from kits. We became very familiar with the component parts. One evening he made a wrong connection that caused spectacular arcing of electricity in our kitchen. Today’s electronic toys are built with tiny silicon chips that require special labs to manufacture. Most washable clothing still required ironing, especially men’s business shirts, which took a fair amount of time each week. I no longer had to sprinkle everyday shirts with water and allow them to sit before pressing, but deep wrinkles released better with a light misting of water, hence the spay bottle on the ironing board. And we watched the show that was on at the time. Ergo, PBS was showing Sesame Street in the late afternoon, after most children’s naptime, and I could iron the clothes while I supervised what was being watched on TV. We also had to gather in front of the TV, not play something on an electronic device that we carry with us or have available in the car. Some shows were still an event that we would watch together or at least discuss near that social center, the water cooler, the next morning. Much of our slang came from tag lines in these shows. Things such as: “Where’s the beef?” which has come and gone from our vernacular. It did have the advantage of suppressing spoiler alerts as you watched a show only when it was on. We couldn’t time shift it for convenience sake.

None of this is a value judgment. It’s just fun to take note of how the times, they are a changing.

The last word:

These mindset changes are important to your company, the government, and even each of us individually. These mindsets will drive the future   There are now more millennials than baby boomers in the US. The millennials are a much more diverse group than the boomers, and a lot more accustomed to a world where everything is changing at an ever faster rate.

The only constant is change.

Comments solicited.

Keep your sense of humor.


A few weeks ago my wife and I went to the Clark Art Institute in Williamstown in the northwest corner of Massachusetts. This is a fabulous, small art gallery with many of the paintings you learned about in your Art Appreciation or Art History course. But from September 6 through November 2 it also has one of the four original copies of the 1215 Magna Carta. For the first time, one of these original copies was in the US – the copy in the National Archive in Washington DC is from 1297.

The document was copied by hand with very small letters made with a quill pen and dipped ink. The letters have faded and the cotton “paper” has discolored, and while my Medieval Latin is rusty making my ability to comprehend the script limited, the document is readable 799 years later.

In another case of amazing longevity for saved data, a friend of mine was able to get data from computer tapes from the 1960s. The story of finding the tapes, finding a tape drive that would read them, and a company that had the technology and process to make it all work makes that data recovery remarkable. If you have data on floppy disks (remember them?), try to figure out how you would access it.

Is it even possible to save today’s data for 800 years? Maybe, but not easily.

You need four things in order to save data for the long term:

  1. A digital copy of the data.
    For digital data, that is fairly easy; just copy it. For analog data, like vinyl records, magnetic tape, or paper, you need to first get it into a digital electronic form. In the case of the 1215 Magna Carta, the four existing copies are not identical. Since it was copied by hand, sometimes by monks who could not read, there are accidental differences among the copies. The same thing happens with analog data – every time you read it you damage it, and any copy is modified from the original.
  2. A media that will last for the time period you want.
    CDs and DVDs are probably good for up to 20 years, thumb drives for probably longer. The more critical factor is how many times you write to the thumb drive, not how often you read it or even how you treat it while stored. Even an inexpensive thumb drive will support 3,000 to 5,000 erase / write cycles. Potentially the weakest part is the physical connector that you plug into your computer: they are only specified to withstand about 1,500 insert / removal cycles. For the purpose of archive, these limitations are not significant.
  3. A device to read the media later.
    The latest Macintosh desktop I have has no optical drive. While I could still purchase one, it is likely that ten years from now it will be difficult to find a drive to read CDs or DVDs. At some point, USB ports will also disappear, to be replaced by some newer better faster cheaper connection mechanism. For a while there will be gadgets that will still accept that thumb drive, but quicker than you can image it will be very difficult, and expensive, to read a thumb drive.
  4. A program to read the data.
    Perhaps the most significant long-term risk is having some program that can interpret the data on the media. With the 1215 Magna Carta, all I would need is my eyes, a magnifying glass, plus a refresher course in old Latin. Try to find a program that can read a Microsoft Word document created in 1982, or worse a document created by a program published by a company that does not exist. I lost some drawings I had created in an extinct Macintosh program that does not run on existing hardware and operating systems. Fortunately, I didn’t really care, but it was annoying. For long term storage, I suggest not using the native program format (e.g., .docx) but create PDF files. I expect that PDF, standard picture formats like .jpg, and using iTunes compatible formats for music will still be readable for decades, or at least give you time to convert the file formats. If you do need to keep the native formats, plan on running a test before you completely move to a new version of a program, a new platform (e.g., Macintosh to Windows or vice versa), or a new major operating system release. If it looks like it may be a problem, convert to a newer or different native format before you make the jump. A good rule of thumb is to update the native format files at least every five years anyway.

In general, you should not expect to successfully get data from stored electronic media after ten years, and you should plan to refresh your long-term data storage every five years or so. So you could endow an organization to do the refresh every five years and have some expectation that your data would still be accessible in 800 years.

Or you could print a dozen copies on cotton paper and give one to each of a dozen monasteries or cathedrals in England.

The last word:

That monk who copied the Magna Carta would, other than language, be pretty much at home in England for the first 600 years of the document’s existence. After that, with the changes including the indoor plumbing that first appeared in England around 1890 in London, he would be more and more lost. He would however have to find a different line of work, maybe typesetting, after about 225 years.

He, like many of us, would be baffled by a world where almost everything changes every 20 years.

Comments solicited.

Keep your sense of humor.


Protecting Healthcare Data

Last time I wrote about The Need to Protect Healthcare Data, or perhaps more importantly the potential cost of not protecting it. This time I want to talk about how to do that in a non-disruptive way that will probably save your organization money while significantly reducing the chances of a major data breach involving hundreds or thousands of patient records.   Of course the same approach can be used to protect any kind of protected information from exiting en masse in any line of business.

The key is to protect the “crown jewels” – the database that contains the data that must be protected. Normally, these systems are implemented as three-tier environments. To keep the picture and words simple, in this discussion each tier has only one server but in a real implementation each tier is usually composed of multiple servers for redundancy or to provide the necessary performance.

  • The data tier contains the database server that actually contains the database. This server contains the software that manages all access to the data: no one can access the data without eventually getting to the database server.
  • The application tier that controls the business logic that uses the database. These are the programs that implement information retrieval and update for the medical staff, capture information from medical device controllers, and handle data retrieval for meaningful use and billing.
  • The presentation tier is what interfaces with the user or another application system. It is often implemented as web services so that any device with a web browser can access the same information.

For example, when a doctor needs to see a patients chart from her tablet, she can use a browser or a special tablet application to ask for the current chart for “John Smith DOB 04/23/1945.” The tablet browser or application sends that request to the presentation tier, where the doctor is authenticated if necessary, then sends that request to the application tier. There a program formats a query against the database and sends it to the data tier. The data tier retrieves the information and sends it back to the application tier, who formats the specific information for the chart and sends that to the presentation tier. The presentation tier then sends it to the tablet browser or application for display to the doctor.

While this may seem like a complicated process, it nicely separates the operation so that, for example, a different kind of user device with completely different display characteristics can be easily added by changing only the presentation tier, and usually just making a single change that will work independent of the specific kind of transaction. Similarly, it allows the application layer to perform additional validation on a specific transaction, such as verifying that the doctor is permitted by HIPAA to see John Smith’s information.

The purpose of this requirement is to limit access to the application and data tiers to only those specific devices that have a valid need to access those tiers. In particular, only the servers in the application tier should be allowed to access the servers in the data tier, and only the servers in the presentation and data tiers should be allowed to access the servers in the application tier. There are, of course, users called administrators that require access directly to the application and data tier servers. These are the people who are responsible for the management and operation of the applications and database. In most organizations, there are just a few database administrators and application administrators who must have direct access into those servers.

This solution described there uses the Unisys Stealth Solution. Stealth uses state-of-the-art encryption, but the key principle behind Stealth is that it only allows a device to communicate with another device if they share a Community of Interest, a COI. A COI is nothing more than a group of people and servers. Data can be shared freely within a COI, but must not be shared with any person or server not in the COI. In the usual Stealth installation, a user’s COI or set of COIs is specified in the site’s identity management system, the system that is used to authenticate a user when the user signs on. If some device tries to access a Stealth-protected server or workstation without belonging to the same COI, then the Stealth-protected device is completely invisible; the Stealth-protected device simply will not respond to anything from that device.


The picture represents each tier by a single server and shows one database and application administrator. As stated before, there are usually multiple of each. The red lines show the communications paths protected by Stealth. The black line represents clear-text traffic coming from the organizations internal network or over the Internet. The Internet traffic should already be protected by some form of encryption such as IPsec or SSL. There are three Communities of Interest (COIs) in the diagram. The green dots represent devices in the DB COI, the blue dots represent devices in the Application COI, and the yellow dots represent devices in the DB Administrator COI. Only the database Administrator and the application tier server can access the data tier server. Only the data tier server, application administrator, and presentation tier server can access the application tier server. Any other device attempting to access the data or application tier servers would be completely ignored.

Since the individual administrator’s COI is determined at log on time, it does not matter which workstation an administrator uses. When an individual signs on with a database administrator’s credentials, he now has the DB ADMIN COI and can access the data tier server.

One Stealth implementation can protect multiple databases that are in the same network segment, i.e., are visible from each other in the network. Otherwise you can replicate the Stealth implementation as needed.

This solution has no impact on existing applications and is invisible to end-users and even to the database and application administrators. Capital savings come from not requiring as much network infrastructure such as firewalls. Operational savings come from not needing to reconfigure firewalls or other network security devices and applications. If an administrator is added or moves on, simply change your identity management system. Stealth then automatically permits or prevents the individual from accessing the database or application servers.

If you do not have a tiered implementation or have collapsed the tiers onto a single server, and therefore allow end users to directly access the server containing the database then this mechanism does not help. Then again, not much would be able to help in this situation. You first need to separate your environment into multiple tiers so that any security solution can control access to the database and application servers.

The last word:

This mechanism does not protect against the accidental or deliberate loss caused by inappropriate actions of individuals who are authorized to access the data. This includes the file clerk who walks away from a logged-on workstation in a semi-public area, or the doctor who foolishly loads a couple of patient files on her son’s laptop at home. There are ways to reduce the chances of these kinds of incidents, and in super-sensitive environments it makes sense to make those investments. But they are very expensive and usually not worth the cost. While these errors are regrettable they rarely lead to fines or the risk of losing accreditation, or the CIO needing to find a new job.

As always, the key is to have a good security policy document and provide annual security training emphasizing to employees and contractors that you are serious about data security.

Comments solicited.

Keep your sense of humor.


Healthcare CIOs have some real problems today. The Affordable Care Act (ACA) is having a big impact on the industry. The rules themselves are changing as the US President makes changes to the law, and depending on the outcome of the November congressional elections in the US we may have a congress that makes additional changes. The behavior of insurance companies is transforming as a result of the ACA, and health care customers, like you and me, are changing the way we access health care as we learn, usually the hard way, what is and is not covered and how much it will cost us. Just adding millions of new customers can have a destabilizing impact to the industry.

On top of that, factor in the government mandated migration from paper records to electronic medical record (EMR) systems. While the end results are probably beneficial, the migration is nothing but pain over many months or years for most organizations.

If that wasn’t enough, a combination of factors, including the ACA, is leading to massive mergers of hospitals and medical practices into larger and larger enterprises. A decade ago dozens of hospitals in my area are now just a couple of mega-medical companies. These mergers and acquisitions offer the CIO the opportunity to reconcile and merge a number of totally different hardware and software medical systems into one, or figure out how to run a business with multiple billing systems and keeping patients records accurate across multiple EMR systems.

No wonder that most of these CIOs do not have the time to be very interested in data security. There are millions of dollars of government rewards for moving to EMR and enabling Meaningful Use. Meaningful Use has the potential to provide significant benefits in health care and could lead to quicker approval of new uses for existing treatments, along with a significant increase in the potential for the government and insurance companies to misuse data about individuals. There are millions to be saved by quickly moving to a single software environment in these growing amalgamations of separate health care organizations. Besides, what’s the worse that can happen if a few records are stolen? It happens every day with doctors and file clerks accidentally leaving patient records out on an unattended desktop or similar sloppy behavior at labs, pharmacies and hospitals.

To a large extent, that is a reasonable response. Even in the desired end state of complete integrated EMR and billing systems plus a fully functional nationwide Meaningful Use infrastructure will not prevent these kinds of small errors. The loss of one person’s information is not a big problem for the medical institution.

However, the loss of thousands or millions of people’s medical records is a big problem for a medical organization. In my February 2014 posting The Cost of a HIPAA Breach I show that for significant breaches the cost in fines alone can start at $150,000 and easily rise to over a million dollars per incident. This does not include the approximately $200 for each lost record that it costs an organization on average to deal with a data breach.

A major data breach at your hospital or medical practice can cost million of dollars in fines, plus risks the loss of accreditation of your organization. It also often causes the CIO, or even the CEO, to seek employment elsewhere. If you think you have never had a breach, you would be better to think instead that you don’t know that you have had a data breach. Health care data accounted for 43% of major data breaches in 2013, and the Washington Post reported that over 30 million patients have been impacted by health care data breaches. Over 80% of data breaches are discovered by a third party.

For a longer look at these issues, check out Daniel Berger’s June 2014 What Healthcare CEO’s Need to Know about IT Security Risk paper. Mr. Berger is President and CEO of Redspin, Inc. Based in Santa Barbara, California, Redspin has become a leader in healthcare IT security and provides HIPAA security risk analysis and compliance, including meaningful use.

As your organization advertises its new treatment options, new care centers and new growth, a front page article that you have just lost thousands of patients’ data can negatively impact its reputation.

Next time I plan to talk about a way to protect the crown jewels of your IT infrastructure: the databases that contain your critical health care and financial data.

The last word:

In addition to the financial risks, hacking into health care records can kill people. Changing prescriptions, diagnosis, or test results, or modifying instructions to network-connected imaging, drug dispensing, and operating room equipment can kill or seriously harm a patient. Or a thousand patients.

Comments solicited.

Keep your sense of humor.



Get every new post delivered to your Inbox.

Join 112 other followers