Comments on: HIMSS Report on Hospital Security http://securitymusings.com/article/308/himss-report-on-hospital-security Rants and raves from information security professionals Sat, 19 May 2012 23:32:04 +0000 hourly 1 http://wordpress.org/?v=3.3.1 By: Walt http://securitymusings.com/article/308/himss-report-on-hospital-security/comment-page-1#comment-134 Walt Sat, 24 May 2008 11:56:36 +0000 http://securitymusings.com/article/308/himss-report-on-hospital-security#comment-134 <p>Turnes’ law and the Hesse Corollary are good complements. I think the tech side has one advantage over the policy side, however; tech has the advantage of coming up with new ideas to combat old problems, while the compliance side has to deal with the same tired human factors it always has. With this great power comes great responsibility; the tech side has to always try harder and be smarter. Science is fast; evolution isn’t.</p> Turnes’ law and the Hesse Corollary are good complements. I think the tech side has one advantage over the policy side, however; tech has the advantage of coming up with new ideas to combat old problems, while the compliance side has to deal with the same tired human factors it always has. With this great power comes great responsibility; the tech side has to always try harder and be smarter. Science is fast; evolution isn’t.

]]> By: Peter Hesse http://securitymusings.com/article/308/himss-report-on-hospital-security/comment-page-1#comment-131 Peter Hesse Fri, 23 May 2008 18:08:22 +0000 http://securitymusings.com/article/308/himss-report-on-hospital-security#comment-131 <p>I believe the converse of Turnes’ Law, “Policy problems can’t be solved with technical controls alone” is also true. There are some situations that no amount of technical work will solve a problem. Training and education really is an important and necessary piece of the security puzzle.</p> I believe the converse of Turnes’ Law, “Policy problems can’t be solved with technical controls alone” is also true. There are some situations that no amount of technical work will solve a problem. Training and education really is an important and necessary piece of the security puzzle.

]]> By: Walt http://securitymusings.com/article/308/himss-report-on-hospital-security/comment-page-1#comment-130 Walt Fri, 23 May 2008 00:02:13 +0000 http://securitymusings.com/article/308/himss-report-on-hospital-security#comment-130 <p>“The report shows that a large amount of attention is paid to educating employees and instituting policies and disciplinary actions to protect against internal privacy breaches.” </p> <p>Ugh. If systems were designed with security in mind, this kind of approach would (and should) be redundant. I’ll quote what I’ve been calling Turnes’ Law (although if someone else said it first, I’ll stop doing that): “Technical problems can’t be solved with policies.” </p> <p>If someone is intent on creating a breach of privacy, then they’re probably going to do it regardless of whatever penalties are in place. Similarly, if someone does it accidentally, then policies and disciplinary action are irrelevant.</p> <p>Education and policies are fine and good, but they can’t be considered a solution for privacy and security concerns. They’re just a piece of the puzzle. Private data should be protected by more than a reliance on the user base to be voluntarily compliant. Policy should be used to plug up the holes that are technologically impossible (or overwhelmingly impractical) to fill, not as a panacea.</p> <p>I agree that more attention needs to be paid to malicious intrusion as well. The fact that this lopsided approach exists is somewhat strange, although if an overwhelming majority of breaches are internal, then I guess it makes a slight amount of sense. Hopefully a more balanced approach can be taken to security in this sector…and not in the form of more policies.</p> “The report shows that a large amount of attention is paid to educating employees and instituting policies and disciplinary actions to protect against internal privacy breaches.”

Ugh. If systems were designed with security in mind, this kind of approach would (and should) be redundant. I’ll quote what I’ve been calling Turnes’ Law (although if someone else said it first, I’ll stop doing that): “Technical problems can’t be solved with policies.”

If someone is intent on creating a breach of privacy, then they’re probably going to do it regardless of whatever penalties are in place. Similarly, if someone does it accidentally, then policies and disciplinary action are irrelevant.

Education and policies are fine and good, but they can’t be considered a solution for privacy and security concerns. They’re just a piece of the puzzle. Private data should be protected by more than a reliance on the user base to be voluntarily compliant. Policy should be used to plug up the holes that are technologically impossible (or overwhelmingly impractical) to fill, not as a panacea.

I agree that more attention needs to be paid to malicious intrusion as well. The fact that this lopsided approach exists is somewhat strange, although if an overwhelming majority of breaches are internal, then I guess it makes a slight amount of sense. Hopefully a more balanced approach can be taken to security in this sector…and not in the form of more policies.

]]>