IT security staffing shortage? Nonsense.

From Codas to Coding

Many years ago I was a kid living in the Raleigh area and I met a music teacher who was leaving her job to go work for IBM as a programmer. I asked whether she had any programming background and she said no — but IBM was going to train her. She said IBM was recruiting new talent into the software field and wanted folks that could handle some math and logic, and to their thinking, music majors fit the bill for them. They were going to provide months of training and bring this music educator up to speed with new skills and then use her to create software for IBM.

That’s how you solve a lack of skills in your industry: you find people that are smart and trainable, and you train them.

The So-Called Security Skills Crunch

These days you can’t swing a dead cat around without hitting a hand-wringing or cheer-leading security industry article talking about:

Well that sounds good to me! I’ve been doing IT security work for years as part of my various IT infrastructure, project, and management jobs. I work with firewalls, VPNs, networks, servers, directories and so forth all the time. I’ve been a HIPAA Security Officer in the healthcare sector. I’m gonna be rich!

So… where’s my big fat check?

Reality of Corporate Attitudes Toward Security

The truth is corporations really don’t like security and they aren’t hiring nearly as much as the salary surveys and feel-good security industry articles would have you believe. To most corporate leaders, IT security feels extravagant and wasteful: “Why would I hire even more people to not produce anything marketable?” Even worse, more security slows productivity for those that actually are generating marketable goods and services. And to guys in the C-suite, it’s painfully boring to boot — whether it’s endless policy discussions or technical reviews, it ain’t sexy or fun.

The data breach explosion and the corresponding breach fatigue come from these corporate attitudes: that security is boring, too expensive, and anti-productive. Corporations that get “hacked” — like Target, Home Depot, the USPS, your local hospital chain — aren’t getting taken by brilliant mastermind super-villains with supercomputers. They’re getting their data splattered across the Internet because they’re lazy and cheap.

It’s Not Good to be the King


All that said, I feel for these corporate leaders. They’re living through a Catch-22 situation. Since they haven’t yet spent any attention or money (to speak of) on security, their only internal line of defense is a socially-inept neckbeard whose answer to every threat — no matter the real risk — is “lock it down” and scold everyone for being so foolish. When that proves fruitless and frustrating they turn to outside security consultants, who cost them a fortune, but who cannot — no matter how much you pay them — force your company to develop and follow better policies or allocate capital or operating budgets to really, truly solve the most pressing security problems.

If you’re a CEO or COO or even if you’re the CIO, most likely you’re better at politics than policy, and you simply don’t know how much to spend in cash or attention to solve enough of your security problems to be helpful without spinning off into infinite expenses.

Security, at the policy and prioritization level, is damn hard. Someone needs to be smart enough on the tech and the business, but have enough political pull to guide changes in daily behaviors throughout the organization. That’s a really rare combination of skills and political powers.

So About That Hiring Problem…

Yep, the situation stinks for the CEOs, CIOs, and other leaders. But the fact remains that they need good security techs and security policy wonks, and they need to keep them moored to the reality of the business and market while also funding their work to a sufficient level.

Given the Breach-a-palooza we’re living through, clearly there’s not enough hiring going on for security-minded people, and security is not part of most companies’ core cultures. But let’s assume that changes. Let’s assume businesses want to get rolling with security-minded hiring. How do they find the talent?

Create it.

Because the Catch-22 that’s stopping businesses from hiring also creates a Catch-22 for potential candidates. Companies that do start hiring security people slap on all kinds of prior-experience and certification requirements. If you’re a candidate with limited or even tangential-but-relevant experience… too bad, chump. You’re not a CISSP? HR’s resume-scanning software will kick out your resume before you even talk to anyone. You haven’t been doing IT security work in a dedicated security role for the last 10 years? Don’t bother applying.

Welcome to the Catch-44


I’ve seen this before:

  • the software company that wants to hire coders with 10 years of Java experience when the language was only 7 years old
  • the marketing group that wants 5 years of social media experience only 3 years after Facebook opened to the public
  • the certification group that wants you to prove you have industry experience before you sit for the test, but you can’t get the experience without the cert.

This is what I call the Catch-44: companies that can’t hire for security because they’ve never hired for security and are scared to start, and candidates that can’t get security jobs because they haven’t done security work in the past. Employer Catch-22 + Candidate Catch-22 = Catch-44.

Someone has to make the first move here.

Investments Are Made by the Guys with the Capital

So here’s the deal. Companies are the ones with something to lose. They’re the ones traded on the touchy risk-averse stock market. They’re the ones with the deep pockets, funded by tax breaks and 10+ years of depressed employee wages. It’s their responsibility to foot the bill and break this Catch-44 logjam (to mix metaphors).

Follow IBM’s lead… from the late 80s. Hire the music teacher with the raw skills and train them. Only this time you can actually hire experienced IT folks whose jobs are being outsourced and automated anyway. Move them “up the stack” into security work.

The training is out there, ready to be absorbed. The policy frameworks are out there. Start making the investments.

And until we see real investments in the field by the incumbent businesses, I don’t want to see another “security staffing shortage” article, mmmkay?

Ignore the Windows XP anti-malware extension and dump XP immediately

Microsoft announced today they will continue to provide anti-malware software updates past the April 2014 end of support for Windows XP. For those that felt pressured to migrate to Windows 7 or 8 before the deadline, this might sound like a big relief.

It is not.

Don’t be fooled. Yes, continuing to get updates to Microsoft-supplied anti-malware software is a good thing, but that’s just one part of your risks and your defenses. Microsoft did not announce they were extending support and updates for Windows XP itself. And if you’re not using Microsoft anti-malware software, then the announcement doesn’t help anyway.

Here’s the deal: If Windows XP isn’t patched by Microsoft on a regular basis, new exploits are revealed and your computer gets more and more vulnerable over time. Microsoft’s XP patches stop in April. At that point Windows XP gets increasingly dangerous to your business and information. What’s worse is that security researchers have suggested there’s a pile of XP security exploits already developed, and miscreants are just waiting for April to release them. If they’re correct, an avalanche of unannounced attacks on XP would arrive in April or May, and any PCs left running XP could be reduced to quivering jelly. Or something. Anti-malware updates won’t protect against all those possible attacks.

The solution? Well… you already know the solution. Get rid of Windows XP and move to…

  • Windows 7
  • Windows 8
  • Mac OS X
  • Linux
  • iPad
  • Chromebook
  • …whatever it takes.

Let’s be honest here. You’ve known XP needed to go for years now, as Microsoft has extended the XP deadline again and again and again. At this point any excuses you’ve got left are hollow and exposed as either laziness or criminal cheapness. There are no legitimate excuses left.

And nonprofits don’t get a free pass here. In many ways nonprofits have it easier than other businesses, given the insanely cheap licensing available via TechSoup or the very affordable charity licensing available from Microsoft.

I’m a pretty compassionate IT professional, recognizing that nonprofits in particular and businesses in general can find IT systems management challenging. But when it comes to Windows XP as of April 2014, I have no compassion left.

As Jim Gaffigan would say, Chip Chop Chip!

Patch your Adobe plugins when you get a minute

Recent editions of Adobe Reader and Adobe Flash have prompted users to install an auto-update feature along with the core application code. Hopefully you’ve got that turned on, because it will pick up security patches and feature updates for you in the background. If not, get a fresh download here:

I mention this because some serious new security flaws have been identified this week, and you need to patch your common Adobe plugin and utility software. This applies to Windows and Mac OS users, so check your stuff and get up to date.

When it comes to Google Apps, I’m certifiable

Back in mid-2007 I deployed my first instance of Google Apps, replacing a Microsoft Exchange 2003 server. It was a controversial choice back then — Google Apps was still pretty new and it wasn’t yet clear whether Google was going to stick with the platform and build it out. But there were several deciding factors that pushed me to an Apps deployment:

  • I was working at a nonprofit, so Google Apps was free for us; worst case I could always fall back to the in-house system
  • Our Microsoft Exchange 2003 server was constantly running out of space and was a pain to backup
  • We lived under a monstrous waterfall of spam that required a special appliance outside the Exchange box that worked well but was costly
  • Our Internet connection was relatively slow and outrageously expensive, so handling all the mail traffic in-house was painful, especially when the in-house web site was what we really wanted to share with the world, not our email system
  • Our users wanted to send and receive larger and larger files via email, which only strained all of the above factors further

We made the switch, I uploaded a bunch of mail using Google’s then-primitive migration tools, and I put everyone onto the web-based interface — no Outlook allowed. We did trainings and I spent a lot of time helping users get acclimated to the new way of doing things. This was before drag-and-drop email attachments in Gmail. It was before full compatibility with external calendar invitations. It was before Chrome.

And I was immediately hooked.

Why Go Google?

From an IT perspective, this Google Apps thing was awesome. There were no servers to own, nothing to back up, nothing to manage — aside from creating and deleting accounts. The users had far more space than they’d ever had (7GB at the time) and far more space than I could have ever offered locally at a reasonable price. The system was accessible everywhere, and no matter where you got your mail or looked at your calendar, it functioned the same way. And, as a nonprofit, it was all free! We even started using Google Docs right away, sharing selected spreadsheet data with remote workers and volunteers, allowing for real-time collaboration that at the time was mind-blowingly simple yet powerful.

Since then the Google Apps platform has matured with better features, a more homogenized interface in the apps, better administration tools, more reporting, more granular controls, and great (paid) add-ons for email archiving and spam control. And since then I’ve deployed Google Apps 4 more times, not to mention personal use. My most recent migration was last year, again dropping Microsoft Exchange 2003 and Outlook to go all-cloud all the time.

And then there was this past weekend.

Getting Certified

After managing and evangelizing Google Apps all these years, I stumbled across a certification program for Google Apps nerds like me: the Google Apps Certified Deployment Specialist. So I dug through the Study Guide, re-read a lot of stuff I knew, learned a few new tricks Google has developed in the last couple of years, and paid my testing fee.

The weird part was the testing method. Rather than send you to a local testing center — where you might sit for Microsoft or Citrix or VMware or other vendor exams — this one is done at home or in your office. You can take the test anywhere you have a live Internet connection, a Windows or Mac machine, and a special USB webcam they make you buy. Total cost is about the same as those other exams, but you can schedule it on weekends or in the evenings and take it at home. They proctor the exam through the webcam and special software.

It worked great. The only thing I was “corrected” on during the exam was the fact that I started to read some of the questions out loud, to puzzle them out audibly. That’s verboten, probably because they fear you’d read the questions out loud so you could either record the questions (and give them away to others wanting to take the exam) or ask someone else nearby to provide an answer. It’s too bad, because I like to “talk out” technical solutions. Oh, well.

61 questions after starting, I had passed the exam, so now I’m certified! It’s the first major cert I’ve picked up since the “good old days” of Windows NT 4 and Lotus Notes and Domino. And it’s fun to have a Google certification, perhaps because it’s so rare. My certificate was numbered “1298”, which suggests there were fewer than 1,300 people certified when I took the exam. That’s cool — I’m in a group smaller than my high school census (except we’re all certified Google Apps pros!).

Can you use Google Apps in a healthcare environment?

I may need to address this further in a future post, but the short answer is yes. People freak out about HIPAA (as they well should) but the key thing to consider is how you use your email system. Bottom line: If you don’t store or share PHI (protected health information) in your email system, then HIPAA rules don’t apply. And for those that are using email systems (of any kind) to share or transmit patient data, I have a question: Are you out of your mind? Email is a promiscuous platform by design — it’ll “sleep” with anyone and it’s 1 degree away from every email account worldwide — so why would you ever push patient information through it? If it helps, I’ve actually addressed the Apps/HIPAA discussion elsewhere before.

Sidebar: I may also have to write a post someday (really a rant) about email footers with lots of legal language in them — a silly practice that has no force of law behind it. If you want to put in a “please don’t share this” message down there, that’s cool, but stop trying to create unilateral contracts with your footers — that’s not a thing.

All that said, I do think Google needs to rethink their stance on signing HIPAA Business Associate Agreements (they won’t sign them). They either need to start signing or they need to post a definitive position paper on HIPAA issues related to Google Apps. Microsoft has shown a willingness to sign BAAs for Office 365 services, which makes their service more attractive, despite their downtime problems. Google has done a good job addressing the overall security of Google Apps, but they need to go a step further, to assuage the fears of healthcare executives and Boards that don’t understand technology very well.

What’s next?

For now I’m a happy Google Apps administrator, still learning, still sharing tips with users new to the platform. Oh, and I’m a Certified Deployment Specialist, of course! So if you’ve got questions about going Google in your healthcare environment (or any business, really) just let me know. I can answer some questions in the comments or we can take the conversation offline.

Desperately seeking a HIPAA-compliant Ford Mustang

After the harrowing account of a hospice in northern Idaho being slapped with a $50,000 fine for 411 breached patient records, it’s good to see that even the big players — the biggest in the industry — screw up from time to time.

This widely-cited case, first reported by the L.A. Times, tells the story of how healthcare giant Kaiser Permanente got a little sloppy and ended up working with a contractor who stored electronic patient records all over the place, including sometimes storing records — and I love this — in the trunk of his Ford Mustang.

Which raises the obvious question: Are Ford Mustangs HIPAA compliant? What about a Honda Accord? Maybe a PT Cruiser?

And while that’s the wildest part of the story for me, what’s even more fun is the fact that Kaiser and their mom-and-pop patient records handler (yes, literally — mom-and-pop) have been trading accusations in and out of court for the past 2 years, each accusing the other of not caring about patient privacy and data security.

L.A. Times writer Chad Terhune did a masterful job painting a picture of the comical data security with these gems:

  • “On a recent day [the patient records] sat next to a red recliner where Ziggy, the family’s black-and-white cat, curled up for a nap.”
  • “…kept those patient records at a warehouse in Indio that they shared with another man’s party rental business and his Ford Mustang until 2010.”
  • “…Kaiser said the Deans put patient data at risk by leaving two computer hard drives in their garage with the door open. In response, Stephan Dean moved them to a spare room.”
  • “‘We could have sold these emails [with patient records] to somebody in Nigeria, but Kaiser doesn’t care about its patients’ information.’”
  • “‘[Kaiser] should have signed a contract prior to the commencement of this project,’ the manager wrote.”

Be sure to read the article all the way to the end. That last sentence is a killer.

Kaiser got into this mess because they gobbled up yet another smaller hospital and needed to absorb all the patient records quickly. So they outsourced the job. No problem there, really. It’s who they outsourced to that ended up being a disaster.

So far, there’s no known patient data breach, which is great for patients. But authorities are investigating and Kaiser’s got a lot of egg on its face with such a high-profile piece hitting the Times.

The lessons for your patient data security efforts? Wait… you really need me to spell this out?

It’s simple. You need your own Ziggy — a certified Patient Privacy Attack Cat — and a Mustang. IT’S RIGHT THERE IN THE FEDERAL CODE, PEOPLE.

Health IT Links: 2012-01-03

Here are my selected links, with commentary, from the Health IT, community health center (CHC), nonprofit, and general IT sectors today. Please pass me any recommendations you’ve got in the comments or hit me up on Twitter: @jmproffitt.

Products

  • PhoneFactor (Mini-Review at SC Magazine)
    Add 2-factor authentication based on phone calls, SMS messages, and OATH to your web apps, Terminal Services, Citrix sessions, and RADIUS-backed VPN sessions on the cheap. Pretty cool. SC Magazine certainly liked it. (Another option would be to deploy an SSL VPN with 2-factor features built-in, but that’s a story for another day.)
  • Technologies to watch 2013: Windows Server 2012 cannot be ignored
    The Windows Server platform continues to march on, with some great additions in the 2012 edition. This article points to more than 9 advances that just might solve some problems for you, including the vastly-improved Hyper-V, and some fascinating storage pooling techniques blended with a faster SMB file transmission implementation. Of course, watch out for application hosting issues — your app vendors may not yet support Server 2012. I don’t know about you, but we’re still eliminating Windows Server 2003 servers.

Security

Business of Healthcare

  • WellPoint to cover virtual doctor visits
    More payers are starting to cover telemedicine / telehealth costs. Do you do any telehealth in your clinic today? We don’t do it yet, but there’s a real future here, so I know I’m paying close attention.

Lose a laptop with 441 patients’ records, pay $50,000 and pray for donations

The latest HIPAA breach story out of northern Idaho breaks my heart. It also chills me to the bone. First off, here’s the news:

I actually worked with a hospice on tech issues in the last couple years, and I can tell you the attitude about security and IT in general was… less than progressive. They had better things to do. Literally. Hospice folks have a really rough job, emotionally and financially, providing a service that’s simply not properly supported by payers, whether private or public. They live on donations and posthumous gifts. They’re the soup kitchen of modern healthcare, providing a vital service that no one really wants to think about.

But pleading a charity case obviously didn’t work on HHS. The hammer continues to fall with increasing speed and strength in matters of ePHI security.

Yet again, this breach is the story of a lost, unencrypted laptop with patient information on board. It’s not clear whether the records were actually accessed or distributed, but that’s obviously irrelevant.

Community Health Centers and other smaller health providers: Pay attention. HHS is now bringing the penalty thunder down to breaches of less than 500 records. And the price is high, at $50K for just 441 records (theoretically) stolen in this case. Of course the HHS write-up points to lack of policies, no risk assessment, no controls over mobile devices, no encryption, and so on. It’s kind of a broken record now.

So consider this your last chance to get your HIPAA policies and procedures drafted and start making regular progress on improving security. The key is to show active interest and ongoing improvements. Do your risk assessment. Build your list of critical improvements. Do them. Keep records of what you’re doing.

This stuff takes staff time and cash money to buy some technology, which is always tough in nonprofit healthcare. So get these stories in front of your CEO right away if you’re not getting the resources you need. Alternatively, put them in front of your CFO — because a big enough breach could threaten the financial viability of the company.

Health IT Links and Notes: 2012-12-31

Here are my favorite links from the Health IT and general IT sector today. Follow me on Twitter to get most of these links real-time, albeit with less commentary.

OCHIN awarded federal grant to help community health centers with HIT
OCHIN has scored a 3-year $775,000 annual grant to provide services to client clinics dealing with PCMH, MU, EHR implementations and so forth. Good for them. But I wonder whether the client clinics might be better off struggling with some or all of these issues directly. After all, they’ll have to change their cultures to really develop a viable PCMH program, and you can’t buy culture. Furthermore, if you think Health IT changes are going to stop after PCMH and MU, you’re dreaming. Plan to hire IT capacity in-house if you can, because you have got to have internal change and technical capacity.

Vampire data and 3 other cyber security threats for 2013
I’m always a little suspicious of a security services vendor trumpeting all the threats that will destroy your business if you don’t hire someone like them. But in truth the threats are real — it’s just a question of how much risk you’re really facing in your situation. Still, the threats and issues to consider here include:

  • Watch out for risks posed by data you aren’t aware of or can’t easily monitor or control (what they’re calling “vampire data”), including cloud-hosted stuff or old data stores you’ve forgotten about
  • If you don’t already have lawyers and others on retainer to help you in a breach situation, you really should because you don’t want to be scrambling to hire them after a breach
  • You really need to be logging stuff and reviewing the logs, folks (easier said than done)
  • Hackers are as much about disrupting your business as stealing your data these days
  • Just start publishing your breaches, even if it doesn’t involve ePHI

Analysis: Microsoft Is Squandering Its Hyper-V Opportunity
Critics love the Hyper-V included with Windows Server 2012. But it’s not taking off because of several strategic mistakes Microsoft has made and continues making. Meanwhile, VMware remains king of virtualization for most businesses.

How to Say ‘Yes’ to BYOD
Saying “no way in hell” to smartphones, tablets and other employee-owned gear in the enterprise strikes me as a bigger risk than saying “yes, but with controls” and this audio panel discusses how you can say yes and feel good about it. About 15 minutes long.

How MiGym plans to quantify the health club workout
Finally. Pretty soon you’ll be able to take your smartphone to the gym and capture workout data from the machines already there, then sling that data into an online PHR (like Microsoft’s almost-forgotten HealthVault). My own thinking is that there’s a future for CHCs in the health club space. I mean what are we doing, disease management or health promotion? Keep an eye on gyms, health data devices (the “quantified self” movement), PHRs, and developments in payer preferences for preventive care with results.