Archive for April, 2010

Copier Insecurity Sideswipes HIPAA

April 22nd, 2010

If you haven’t watched this video on hard drives in copiers, take 5 minutes and have a look. It is a quick glimpse into how vulnerable the information that is stored on copiers really is, because they store nearly everything you do on a hard drive.

Watch CBS News Videos Online

After a few months of giving presentations about the HITECH Act, this adds fuel to the fire of how loose our data control really is. As hospitals, or in my case non-profit health care providers, work to comply with regulations, it shows how misapplied the regulations are to preventing data loss.

How exactly does this affect HIPAA & HITECH?

This constitutes a breach of confidential information, putting you right in line with the provisions regarding secure data loss and your control of that information.

Anybody who has access to or deals with Personal Health Information, including vendors who support systems that control such information, needs to sign a business agreement, now holding them liable for the same extortion-level fines as the covered entity. Before you run out and try to find your local HIPAA certified copier technician, I will give you a clue. The copier resale industry is not anywhere close to recognizing the impact of this. While I may retire from my job tomorrow to open a copier technician company revolving around securing and encrypting copier drives, the real copier industry just isn’t there yet.

That is not to say the copier companies themselves aren’t aware. In fact, most manufacturers offer encrypted drives and systems that wipe the information from any form of buffer. The problem is that nobody buys a copier direct from Xerox any more, and you will find that your local copier resale rep knows less about encryption or media sanitization than the Buffalo Police department.

How do we react, while we wait for the industry to mature enough to have this problem taken care of?

  • Contact your copier lease company and inform them that all hard drives will be removed before returning the copier. Frankly at this point, you shouldn’t care what the lease terms say regarding this. Run them through a validated media sanitization company, with the rest of your hard drives. Don’t rely on any claims that the copier company will handle the destruction, until they are a signed Business Associate, placing them in fiscal responsibility.
  • Prepare your copier reseller for the discussion on a business vendor agreement surrounding the regulations of HIPAA, if they aren’t already.
  • Keep a log of any support calls for the copier and approach each technician who shows up to work on that copier with legal disclaimers, ensuring the same HIPAA partner agreements.
  • Possibly tag or mark the hard drive inside of the machine itself, taking inventory of its serial number for tracking reference.
  • Wait for the same episode to come out regarding how insecure faxes and fax machines are, because we choose to ignore that too.

Now Recommending: Microsoft Security Essentials

April 5th, 2010

Despite what is happening in technology on a global, corporate, or even economic scale, there are a few questions that people never stop asking that bring it all back into reality for me. Only slightly less popular than “what computer should I buy” is the age-old question of “What anti-virus software should I use?”. For the record, I don’t like any of the anti-virus software available. Knowing that, my selection process is which one seems to be the better of the worst options available. I wouldn’t pay for any of the commercial ones available, so up until now I would recommend AVG’s free anti-virus. It seems that Microsoft themselves have brought a formidable solution to the table and decided to offer it for the right price to pay attention to…free.

In October of 2009 Microsoft released their Microsoft Security Essentials software as an anti-virus solution for Windows XP, Vista and 7 machines. After 5 months of poking it with a stick, I have changed my recommendation to anybody who asks what anti-virus to use. Microsoft has filled in a large hole within their missing suite of security and delivered it quietly.

I rarely throw Microsoft’s name into the same sentence as security software. I also think the big-name solutions miss the mark when it comes to filling in only the missing holes in an otherwise stable operating system. Over the past 5 years the anti-virus market has turned into bloat-ware, delivering solutions that took over every aspect of your operating system from networking to browser applications. Somewhere in these bloated suites they also have anti-virus software, set up to monitor and scan for known infected files. As a consumer it has almost been difficult to find a solution that only offers anti-virus.

Don’t I need all of that other stuff?

Service Pack 2 in Windows XP marked a pivotal moment in security for all Windows machines. It was this update which turned on your Windows Firewall by default. I remember what life was like before that update, when virus protection was a serious problem and viruses spread through networks like wildfire. Adding another layer of software and protocols on top of the ones already in place risks bringing things to a crawl.

What it does right

  • Free always sits well with people.  I learned a long time ago that some of the best software available is free. It certainly makes it attractive to not have to pay a yearly extortion fee for software that might catch the viruses.
  • It is simple to install. I sent my mother-in-law a 4 step instruction of download – uninstall old – reboot – install and I got an email back 20 minutes later with her telling me it was done.
  • It lets you control what you want to scan, where you want to scan and when you want to scan. The simple settings that can either strangle a piece of software or set it free.
  • It is happy running quietly in the corner. There are few annoying pop ups telling you to buy into something or to allow something to happen.
  • It is lite. By allowing the operating system to use its naturally established utilities like the firewall, it doesn’t seem to completely strangle the operating system. Somebody more ambitious than I am will need to run some statistics on that one.

Why haven’t I heard about this?

You might begin to wonder why Microsoft doesn’t just build this into their operating system suite. After years of anti-trust agreements and the creation of a software security industry, the software giants hold more control of this fact than Microsoft does. Microsoft needs to leave this as a third party application to keep the major powers at peace. It also contributes to why Microsoft isn’t pushing the marketing of this software or why you might not have known.

I do not think Microsoft Security Essentials is the final answer in security, but I think it is the best option off the market to fill in that void of protection for home users.  Without some standardized practices like maintaining your software updates, isolating your computer from the Internet and not clicking on everything you are presented with from a webpage, this software will not save you. Neither will that other software you paid too much for.
