Enabling Secure Business Operations

A Window that Can’t Be Closed

In a recent case in Arkansas, a registered nurse has pleaded guilty to violating HIPAA rules by disclosing confidential patient information for personal gain. No one should be surprised that things like this happen.

Every industry has laws, regulations and penalties set up for the purpose of consumer (and business) protection. In the health care industry, an enormous amount of money has been and continues to be spent to bring processes and systems into compliance with regulations like HIPAA in an effort to protect patient confidentiality. You can lock down electronic systems as much as you want, but nothing can ever be truly secured, because of one simple fact: these systems are owned and operated by people.

A “weakest link” analogy that’s popular in the security industry is the concept of putting deadbolts, latches, chains, and bars on a door while leaving the window next to it open. This is usually used to make a case to bring an insecure area up to par, or to discourage spending a lot of money on one aspect of a system when there’s another module in dire need of attention. Social engineering attacks, like the one in the article, are the “unclosable window” in the proverbial computer security house.

Now, this isn’t an argument against trying to secure electronic systems as much as reasonable or possible, or that laws and regulations are a waste of time. Keeping out as many attackers as possible from as many angles as possible is a “good thing”. Social engineering is just one of those things that makes a security professional occasionally throw their hands up in the air and wonder why they’re trying at all. It’s an insidious type of attack that no one can ever plan for, and, despite all efforts to the contrary, will never, ever go away. Unfortunately, despite the lofty goals that legislation like HIPAA aspires to accomplish, nobody’s data will ever be truly safe.


2 Responses to “A Window that Can’t Be Closed”

  1. Scott Shorter Says:

    Considering human factors is imperative to designing a secure system. One of the major problems I see in current election technology is that election administrators are assumed trusted. Whether or not electronic fraud occurs, fraud can be alleged on the basis that an untrustworthy person had access to the machine. If the system is designed not to trust anyone, these allegations cannot be made with the same credibility. This is why elections administrators should support new technology, in my self-interested opinion.

  2. Peter Hesse Says:

    Good point Scott, and thanks for the related story on your blog. All good points.