How Much Security is Secure?

The recent data breach at healthcare insurer Anthem whereby close to 80 million records were

compromised has brought the security and privacy of patient health information back to the forefront. Healthcare providers and affiliated organizations seem to be the next target for hackers, the reason being that they appear to be relatively easy targets, and in many cases don’t have the comprehensive security mechanisms that the financial institutions and e-commerce sites have learned to put in place.

Medical records are very valuable as they can easily be used by another person to create an account, for example at a bank, get access to existing accounts, and perform many other actions that can provide cash by using false identities. These hacking incidents can be very lucrative for hackers; knowing that a complete person-record might fetch between five and ten US dollars, stealing 100,000 records could fetch between $500,000 and $1 million US dollars.

How does the healthcare industry deal with this? The answer is that you put as much deterrent in place as practical, affordable and feasible, without impacting patient care. Any security expert will agree that it is virtually impossible to have a 100 percent secure system, but if you make it relatively hard, the potential hacker will search for an easier target and move on. By the way, security is not rocket science but more common sense than anything else.

A key part of security includes using passwords that are not being shared, hard to decipher and have a combination of characters, letters and special characters. If you go to the site “how secure is my password” you can actually see that the pw “123456” can almost instantly be cracked. By the way, this particular password happens to be in the top three used passwords, together with “password” and “12345.” But if you look at the list of common passwords, you’ll find that “baseball, football, monkey, batman superman and even Michael” are all in the top 25. This information is based on the statistics done of stolen passwords that were made public. Needless to say, there is a lot that can be improved in this area.

In addition, the use of firewalls, a DMZ, intrusions detection at your external gateways, use of VLAN’s for vendor access, VPN’s for external connections, shutting down unused ports, and other commonly known practices are a must. The use of a centrally managed virus protection is critical as well. This goes hand in hand with policies about the use of external media such as flash drives, which are notorious for transmitting viruses, and opening email attachments and downloading Internet spam.

The overriding concern however should always be the impact on patient care. There should be a balance between the means and tools that are needed by clinicians and what is allowed by what many people call the “IT mafia.” I actually believe that for every institution that hasn’t done its due diligence with regard to protecting patient privacy and security, there is at least one that goes too far. I personally have had a few experiences in that regard, In one instance, I wanted to provide support to a service engineer on another continent, we had set up an agreed upon time, and at the time that we were supposed to have the call we found that the IT department of the far institution did not allow users to connect to Skype. Another example, was when I saw my specialist, and I had brought my ultrasound exam on a CD, while specifically requesting a DICOM CD without a viewer from the imaging center (to avoid having them putting some proprietary images on there that could only be viewed on their own viewer). So, for this “clean” CD to be read by the specialist, he needed a DICOM viewer to be installed on his PC. I instructed him where to find one on the Internet, but his PC was locked down by his IT department and therefore he could not review my case. I learned that next time I will bring my own laptop for him to review my case, but this was definitely impacting patient care at the time of my appointment.

What to do next? As required by the US federal privacy regulation Health Insurance Portability and Accountability Act (HIPAA), a comprehensive risk analysis is definitely in order. This should be done at least once a year, and it might make sense to use an outside consultant for this. This audit should include all of the HIPAA items, such as physical security, policies and procedures, and technical means such as encryption, access, authorization, password usage or misuse, etc. You might come to the conclusion that there are more areas of patient information than you might be aware of, for example, on discarded computers, on the disks on intelligent copiers and fax machines, etc.

This analysis will identify weak spots and things to fix and monitor. Put an action plan in place to fix them and continue to provide patient care unhampered by extreme security measures but by policies, procedures and technical means that are pragmatic and make common sense.

OTech security update: The UPS Race

UPS making its daily run to our office

Don't worry,
I am not as vicious as I look

Boy-o-boy, do we like those brown trucks. Their drivers are first class sports man. Let me tell you how this goes. The truck comes racing down the street (they always seem to be in a hurry), but then, upon approaching our office, it suddenly slows down and approaches us very slowly and carefully. It appears he wants to approach the premises un-noticed. However, we are trained to spot any intruders and don’t let them fool us. In addition, our early warning approach system rarely fails as the neighboring dog typically spots the truck before us and has started to bark. He is a brown golden retriever who has a sidekick, a nervous little comrade who tries to bark in unison. Now, the problem with any canine who is let’s say less than 30 lbs is that they are prime targets for the coyotes who are roaming our neighborhood. Especially when they are in packs, they will go after our small brethren and many of them have disappeared. They coyotes tried to impress us one time as well, but my partner Victoria used to boldly attacked them and chased them away, however not before being bitten in the side, which required a few stitches from our vet.

But getting back to the brown van, we watch the approach maneuver from behind the window in the main office. Then, after about 30 seconds or so, as the brown truck man is looking through the truck window, he opens the door very slowly and then with his package under his arm, suddenly bursts out of the van and sprints to the front door. We have been watching for this and immediately jump into action. The rules of the game are to try to nip his package that he carries under his arm while he is running as we are jumping up and down next to him. Of course, he never outruns us, but he keeps on trying every time, that is why these brown truck guys are such good sports.

After the delivery, we perform an incoming goods inspection. We do that by carefully ripping the packaging paper from the suspected subject, which has been deposited on the front porch, to make sure that there was nothing there that might jeopardize the safety of our premises. For whatever reason, my master and matron now have a big box that they have the delivery packages put in so we can’t do a thorough inspection anymore. Oh well, if they want to take on the inspection responsibility on themselves, good for them, as we don’t need to bother.

So, of all our visitors, we love the You-Pee-Es people the most. They are true sportsmen, unlike the Veddex and other visiting trucks and vans. I think they deserve the MVP award of the delivery squad!

Respectfully: Sajiv, OTech's security officer

The Veddex Incident



The regular "Veddex-Guy"



I saw it coming. It was too good to be true. About twice a week the white vans with the red and blue letters pick up packages from our office. There are two trucks, one is called “ground” and the other one “eks-press.” For some reason that I don’t get, the first truck can’t take all packages and another truck has to come as well. I guess sometimes we canines don’t understand why humans duplicate efforts, but in any case, for us being charged with the security of the premises, it is double the fun.

The ground truck guy is really cool. He always carries little treats for us in his truck. So, as I spot him, I used to race outside, and as he comes down the driveway I would jump up and down with excitement. As he opens his sliding door I jump inside the truck to get to the place where he stores his treats.

Sometimes, there is another driver; I guess that even those Veddex folks occasionally need to take a day off to spend with their respective pets. Unfortunately, they don’t seem to talk to each other and these replacement people are not aware of the standard dog treat procedure. So, upon approaching their truck, they are as confused as I am. I try to tell them by showing a lot of excitement by trying my newest jumps, but most of them are absolutely clueless and try to ignore me. 

Now about our regular eks-press driver, he is a totally different person than our ground guy. He does not really seem to like our attention. He drives down the driveway really slow, and since we don’t know which van it is, I jump up and down and when he opens his door I jump inside. However, he tries to turn his back to us as I conduct an inspection of his pockets to see if there are any treats. 

Anyway, this approach procedure went on for quite a while and everyone was happy, till one day, this eks-press person left a note at the front door of our office. I don’t know what the note said but it can’t be good as my matron later on changed the rule on me.

So, now I don’t get to greet the Veddex trucks anymore except from a distance. I make sure I intimidate them, especially if there are newbees and/or replacement drivers, by barking and looking viciously from the back of the driveway. However, no more treats, less exercise as I do more barking than jumping. Oh well, life is not always fair for a canine, especially for me with this important guard task on my shoulders so as to secure and protect our master and matron’s premises from potential harmful intruders.

Respectfull, Sajiv, OTech chief security officer

Introduction of the OTech security team.

Sajiv in front,
with Victoria covering his back

Let me introduce myself, my name is Sajiv, I know a weird name, but I’ll tell that story another time. I am responsible for the security of the OTech offices. My job is a real boondoggle, I inspect the grounds in the morning, keep an eye out for anyone who might come close or potentially intrude during the day, at night I do my final rounds and in between I get fed a great meal and nap most of the time. As members of the canine species we are trained and raised to perform this important task and, being of the boxer breed, we can look very threatening. In general, we do very little harm, except occasionally to other animal species, in particular squirrels, possums and in worst cases even coyotes. Sometimes we also need to deal with those small black and white animals, which get really, and I mean really smelly. For some reason, after a successful mission against those furry creatures, we are always yelled at by our master and matron and are subjected to a bath with really sticky red stuff. We also run after deer but that is more as a sport as we can’t outrun them anyway.

One of the most important jobs is to leave our scent at the perimeter to distract and confuse other species, and we do this very systematically. My partner, her name is Victoria (she is really the boss but I try to act otherwise), takes care of the surface area and I, being a male, am better equipped to take care of anything between about one half foot and one foot on any tree, mailbox, and an occasional parked car. I can assure you that it takes a lot of practice to discharge not too much and not too little so we can cover the distance we walk in the morning with our matron. (I call her matron as I am told that the word for female master has a poor connotation).

We have an excellent EWACS (Early Warning and Control System) deployed in our vicinity. We communicate very effectively among our species. We have a golden retriever positioned strategically at the entrance of our block who serves as a scout and roams the back of his premises and, upon seeing a potential intruder entering our neighborhood, immediately signals this to all of us. About halfway in between him and our property there is a pair of hush puppies who make up for their size with their signal volume. If an intruder still manages to arrive within eye sight we’ll immediately storm out of the office and go full blast to the border of our premises doing our best to look like attack dogs. So far this strategy has worked pretty well, although sometimes too well as there have been some incidents where we were unable to identify friend or foe in a timely manner (and gotten in trouble for that with our master and/or matron).

Like I mentioned, my partner Victoria is really in command, even though I am faster and can outrun her easily, if there is a real threat, I let her take the first blow as a good commander should. You see, canines are like the Israeli army; the highest number of casualties occurs among the commanders. She has the scars to show it as well. A nasty one on her side from a coyote who tried to enter the premises and one on her belly, when she was defending her matron from a nasty little dog when we were traveling. So, she is typically behind me covering my back but as I mentioned she is not afraid to take charge.

The only problem with my commander is that she suffers a nasty case of PTSD, which causes her to panic when there is a thunderstorm in the air. As soon as the clouds start to form, she gets nervous, and when it starts rumbling she is in a pretty bad shape. Her matron actually has her on drugs when this happens. I guess that happens when you have been deployed in action for too long.

Well, this is enough for now as I see my master just entering the driveway and I he does not appreciate me typing on his keyboard. I need to keep him as a friend as I don’t want to end up in the doghouse.

Signing off, Sajiv, SOIC (security officer in command), OTech Inc.