The WiKID Blog

Viewing posts tagged Information Security


The healthcare world is abuzz with the news that the Department of Health and Human Services is auditing Atlanta's Piedmont Hospital:

Neither Piedmont nor the HHS has confirmed that the audit was launched, and few details about it have been disclosed publicly. But an HHS document obtained by Computerworld shows that Piedmont officials were presented with a list of 42 items that the agency wanted information on.

Among them were the hospital's policies and procedures on 24 security-related issues, including physical and logical access to systems and data, Internet usage, violations of security rules by employees, and logging and recording of system activities. The document also requested items such as IT and data security organizational charts and lists of the hospital's systems, software and employees, including new hires and terminated workers.


ComputerWorld has the list of 24 questions HHS had for Piedmont Hospital (where my three children were born, incidentally, as well as my wife, though that was earlier). Adam points to an article about the government's increased focus on HIPAA compliance, which includes this choice quote from Joseph Lazzarotti of Jackson Lewis' White Plains, N.Y., office on what he advises his clients:

"I want them to know that HIPAA does really mean something and the government is going to do something about it. What that is, well, it's more than they were doing yesterday," Lazzarotti said.
Of course, that is not saying much since there have only been 4 convictions out of 26,000 complaints.


According to MessageLabs via ZDNet:

During March, MessageLabs intercepted 716 e-mail messages that were part of 249 targeted attacks aimed at 216 of its customers, the Gloucester, England-based provider of hosted e-mail filtering services said in a research report. Of the attacks, almost 200 consisted of a single malicious e-mail designed to infiltrate an organization, MessageLabs said.
Emphasis added.


Having just posted on de-perimeterization, I thought that this quote from Scott Borg of the U.S. Cyber Consequences Unit on the consequences of breaches:

"We started seeing huge vulnerabilities," Borg said Wednesday at the GovSec conference in Washington, where the draft document was released. Most of the systems were compliant with current security checklists and best practices. "And portions of those systems were extraordinarily secure. But they were Maginot Lines," susceptible to being outflanked.


In thinking a bit more about PCI security since my post on PCI visibility, I think what Visa and Mastercard need to do is hire independent third-party penetration testers to pen test merchants and processors.

The PCI Three are making a big switch in September, when they will start fining acquiring banks for non-compliant merchants. However, there are two problems with the auditing procedures: auditors are paid by the companies they are auditing, and audits are static snapshots. I'm not insinuating anything here about the ethics of PCI auditors, just pointing out the agency conflict and that a company might get compliant for an audit, then lapse out of compliance.
