A global healthcare issue
The researchers started running more tests and continued to find more clinics, hospitals and other medical organizations with data leakage issues. Erven stated “This is thousands of organizations that are leaking this information across the world.”
Weak passwords like BigGuy21 were also found (presumably some senior manager's password). In some cases default vendor passwords were still in use.
Cisco published a brief in 2014 titled Data Leakage Worldwide: Common Risks and Mistakes Employees Make. This study was not focused on healthcare but on corporate networks across the globe.
Cisco noted the following employee behaviors:
- Unauthorized application use: 70 percent of IT professionals believe the use of unauthorized programs resulted in as many as half of their companies' data loss incidents.
- Misuse of corporate computers: 44 percent of employees share work devices with others without supervision.
- Unauthorized physical and network access: 39 percent of IT professionals said they have dealt with an employee accessing unauthorized parts of a company's network or facility.
- Remote worker security: 46 percent of employees admitted to transferring files between work and personal computers when working from home.
- Misuse of passwords: 18 percent of employees share passwords with co-workers. That rate jumps to 25 percent in China, India, and Italy.
The Cisco survey results revealed a variety of risky behaviors and a widespread disregard for security policies. One of the most noteworthy findings is the varying prevalence of particular behaviors in different parts of the world. For example:
- China has such a high level of information technology abuse that IT decision makers audit computers for unauthorized content.
- In Japan, 65 percent of end users do not adhere to the corporate IT policy all of the time, and the research indicates that end-user abuse of information technology is increasing.
- End users in India tend to use email and instant messaging for personal use and change IT security settings on business computers so they can view unauthorized websites.
- Employees in Brazil use business computers for personal communications and for activities such as downloading music.
- End users in France have the lowest rate of IT policy compliance of all the countries surveyed, with only 16 percent of employees claiming that they adhere to security policies all the time.
Despite corporate policies directing employees to do the right thing, unauthorized applications were often in use: 78% of employees accessed personal email from a business system, and 70% of IT professionals believe that the use of unauthorized programs resulted in half of their companies' data losses.
The survey continues to point out some very serious issues which contribute to data loss.
- 46 percent of employees admitted to transferring files between work and personal computers when working from home.
- More than 75 percent of employees do not use a privacy guard when working remotely in a public place. This number is much higher in Brazil, China, and India, the countries that have the most reckless behavior.
- 68 percent of people do not think about speaking softly on the phone when they are in public places outside of the office.
- 13 percent of those who work from home admit that they cannot connect to their corporate networks, so they send business email to customers, partners, and co-workers via their personal email.
In many cases employees modified computer settings to reach an otherwise inaccessible website and then stated "it's none of the company's business, they should respect my privacy". Most companies cover this in their Acceptable Use Policy (AUP), which states that corporate computers are not private systems and that users are subject to monitoring.
The Department of Health and Human Services' Office for Civil Rights recently posted a revamped HIPAA compliance protocol on its website, noting, "The protocol has been updated to reflect the [HIPAA] Omnibus Final Rule. You may submit feedback about the audit protocol to OCR."
OCR published the revamped protocol, along with some additional details about phase two of the HIPAA audit program, which is in the early stages of being rolled out.
This is another improvement, but will it make a huge difference? HIPAA still suffers from being too vague. The HIPAA protocol states:
"... must reasonably safeguard or protect against reasonably anticipated threats ..."
It does not say to scan all internal and external networks for potential vulnerabilities, with an emphasis on exploitable vulnerabilities. It does not say to make sure your network is not leaking data via SMB. It does not say to employ risk-based threat modeling. The following examples illustrate my point.