D14.1: Discussion Topic 1:
In regards to laws and regulations… Complying with the law is obviously important, but in my industry (healthcare), sometimes this is a gray area. In my professional field, HIPAA regulates how we handle personally identifiable information. Encryption both at rest and in transit is required in many cases. However, consider the nature of healthcare, and the urgency of providing emergency care. I have witnessed many times where a physician in the emergency department needed to consult on a case, and the most expedient method was to simply email the patient’s test results, images, etc., without any encryption or protection of their data. How do you feel about this situation? Is non-compliance ever justified? How could these issues be mitigated, without impacting the mission of the organization?
D14.2: Discussion Topic 2:
Read RFC 1087: Ethics and the Internet. Is the document still relevant today? Is this document still something that Internet users would understand today? How could it be improved?
D14.3: Discussion Topic 3:
You are a security consultant with the Security Advisors Co. and have been asked to help investigate a recent security incident that took place at the law firm of Dewey, Cheatham, and Howe. For this assignment you have been asked to work with the vice president of IT.
The security incident that you are investigating appears to be a case of an intruder who broke into a company computer to remove and destroy information on an upcoming legal case. A forensic examination revealed that the incident was actually an inside job that was perpetrated by one of the new programmers, who is a relative of the VP of IT.
When you wrote your findings and presented them to your client, the VP of IT asked you to change the findings in your report to show that the perpetrator could not be found. The VP has promised future work for your company and a good recommendation for your work if you comply.
What will you do next?
Shain R. Amzovski says
Discussion 14.1
As many laws and regulations are in place for encryption of data when in transit and at rest in the medical industry, it is not uncommon for employees, doctors, etc. to violate HIPAA. In the event of an emergency, this should be acceptable, especially if the patient’s life is at risk, and time is a factor in receiving these materials. An alternative method would be to have a system in place that allows quick, encrypted messages to be sent. For example, at Temple University, we have a system called TUsafesend. TUsafesend is a resource that makes it easy to securely send and receive files from within and outside the University. It is essentially a drop-off location, where you can send files safely and securely to a recipient. The recipient can view these files immediately, similar to receiving an e-mail. A real-life example would be for someone who has overdosed on illegal drugs. Many of these deaths are preventable if emergency medical assistance is called upon. “Many people using drugs or alcohol illegally often fear arrest if they call 911, even in cases where they need emergency medical assistance for a friend or family member at the scene of a suspected overdose.” Yes, it is against the law to do illegal drugs, but there is a law in place known as Good Samaritan 911 that prevents arrest if a call is made to provide medical attention and potentially save a life. There are certain circumstances where it is okay to use discretion to violate laws that are in place.
Source: http://www.drugpolicy.org/911-good-samaritan-fatal-overdose-prevention-law
D14.2: Discussion Topic 2:
Read RFC 1087: Ethics and the Internet. Is the document still relevant today? Is this document still something that Internet users would understand today? How could it be improved?
RFC 1087, from January 1989, discusses how the Internet Activities Board issued an internet code of ethics. RFC 1087 was a policy statement concerning the proper uses of the resources of the internet. RFC 1087 states, “Irresponsible use of this critical resource poses an enormous threat to its continued availability to the technical community.” This sentence can be interpreted to fit modern-day use of the internet. If you are irresponsible in the way you are using the internet, it can leave you more vulnerable to attacks and other cybercrimes. For example, if you are not careful where you are entering your credit card numbers on the internet, you leave yourself more vulnerable to identity theft and your credit card being stolen. Also, improper use of the internet in an organization, such as carelessness when opening an e-mail from an unknown sender, could give an intruder direct access to a network, which jeopardizes the availability of an organization’s network. These examples were not directly talked about in this RFC from 1989 because this was not the primary function of the internet at the time. A statement from RFC 1087 that is not relevant today is, “Access to and use of the Internet is a privilege and should be treated as such by all users of this system.” I think we take the internet for granted today. No one sees the internet as a privilege, more so a right. The internet, for the most part, is widely accessible around the world, with the exception of third-world and other developing nations. The internet has evolved from its original intended purpose and is now used in almost every aspect of life.
D14.3: Discussion Topic 3:
In the scenario presented above, I believe the best way to address the issue is by presenting the correct findings. It may not pay out in the short term to be ethical with the findings and expose the relative of the VP of IT, but the job of the security consultant is to examine the situation and provide findings that lead to the root cause of the security incident. Also, if you were brought in as a security consultant and were not able to present any findings, this would not look good on the security consultant’s end either. Although promised work in the future, would it be worth taking a reputation hit if the news is later brought up that the relative of the VP of IT was the perpetrator that deleted the documentation relating to a case? A similar situation happened in the early 2000s with Arthur Andersen and Enron. The auditing company, Arthur Andersen, was helping Enron manipulate its books, and helped them with their earnings reports, etc. When Enron was finally exposed, Arthur Andersen, one of the largest accounting firms in the United States, went out of business. If they had ethically reported Enron, they might still be in existence today.
Ruslan Yakush says
Regarding HIPAA compliance, I agree that there should be an exception for unforeseen life-threatening situations. Compliance is obviously important too, but when it comes to human lives, it should override any kind of laws and regulations. There is nothing more critical than saving a human life. So, I would say that if a medical consultant needs to reply to a customer as an urgent matter, while complying with HIPAA, there could be a Centralized Medical-Related Only Email system that would provide encryption in transit and at rest to customers receiving medical information, and most importantly, customers would have a pre-set special email account for medical purposes only. In this example, a patient would always be providing a special medical-only email account that would belong to one patient and be unique, similar to an SSN. All medical providers would have to use special medical-only email accounts that would be part of compliance.
Regarding Internet ethics, I agree that for the most part it is taken for granted. It is under users’ discretion to make sure internet ethics and safety are properly used with full responsibility and consequences of misuse. It is hard to control the internet, because it does not belong to one entity, but the entire world. While there is freedom of internet use, there should be some level of surveillance that would be enforced, but known to the public so that people understand their rights and responsibilities.
Regarding the perpetrator’s case, a professional consultant should stay a professional and ethical consultant. Even if the VP promises good recommendations and future work, promises may be broken and the VP may change his/her mind. In addition, falsification of documents is illegal and may be turned against the consultant. I think the current law “8 U.S. Code 1324c – Penalties for document fraud” would apply to this case.
Darin Bartholomew says
I agree with Shain with regards to question one. I think that when faced with a life-threatening situation, a violation of HIPAA could be a risk that is accepted, but there are things that can be done to reduce the number of incidents where that would happen, using mitigations like the safe send mentioned by Shain. Without a safe send, the “life or death” situations where HIPAA violations might occur have a larger time window because there aren’t sufficient tools in place to safely expedite the sending of sensitive data. I think an important component to these situations is for the medical staff to be knowledgeable of a potential violation and weakened security practice followed during a life or death situation, so that it can be documented and proper post-incident steps can be taken to ensure that this wasn’t exploited.
Andres Galarza says
Darin,
The point you raise about medical staff being informed and aware is key. Some element of common sense has to be appropriate in the example that Shain gave. As long as the decision is well-informed and properly documented/communicated, I don’t see an issue with it.
Loi Van Tran says
I didn’t know where else to post:
For those working on Practical Application 13.2 , Step 6 asks you to edit the “server.conf” file. You can use the command below to copy the file to your /etc/openvpn folder:
cp /usr/share/doc/openvpn/sample/sample-config-files/server.conf /etc/openvpn/server.conf
Loi Van Tran says
Another note for the server.conf file edit:
To correctly input the ip address:
It should be “;local xxx.xx.xxx.xxx” or else it will not start properly.
Loi Van Tran says
When configuring the client.ovpn file:
Make sure that you are using quotes ( ” ) and forward slashes ( / ) for the file path. Using a backslash ( \ ) will escape the values.
Also, both the server (server.conf) and client (client.ovpn) configuration files must be set up to use the same encryption. The server defaults to Blowfish and the client is set up to use AES-256-CBC.
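The two pitfalls in the notes above (a cipher mismatch between server.conf and client.ovpn, and backslashes inside quoted client paths) are easy to catch with a small check before starting the tunnel. The script below is an added example written for this thread, not something from the course or from OpenVPN itself; the two configuration files it creates are constructed samples, and it assumes, as the post states, that a server file with no active `cipher` line falls back to Blowfish (BF-CBC).

```shell
#!/bin/sh
# Added example: pre-flight check for an OpenVPN server.conf / client.ovpn pair.
# Both config files below are constructed samples for this demonstration.

TMP="${TMPDIR:-/tmp}/ovpn-check.$$"
mkdir -p "$TMP"

# Sample server config: the AES line is commented out with ';', so the active
# cipher is the Blowfish default mentioned in the post.
cat > "$TMP/server.conf" <<'EOF'
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
server 10.8.0.0 255.255.255.0
;cipher AES-256-CBC
cipher BF-CBC
EOF

# Sample client profile: one path uses backslashes (the escaping problem),
# and the cipher does not match the server.
cat > "$TMP/client.ovpn" <<'EOF'
client
dev tun
proto udp
remote 192.0.2.10 1194
ca "C:\Users\student\ovpn\ca.crt"
cert "C:/Users/student/ovpn/client.crt"
key "C:/Users/student/ovpn/client.key"
cipher AES-256-CBC
EOF

# Print the active cipher of a config: the last 'cipher' directive that is
# not commented out with ';' or '#'. Falls back to BF-CBC (assumed default).
active_cipher() {
    c=$(grep -E '^[[:space:]]*cipher[[:space:]]+' "$1" | tail -n 1 | awk '{print $2}')
    if [ -n "$c" ]; then printf '%s\n' "$c"; else printf 'BF-CBC\n'; fi
}

# Exit status 0 when server and client agree on the cipher, 1 otherwise.
ciphers_match() {
    [ "$(active_cipher "$1")" = "$(active_cipher "$2")" ]
}

# Count quoted file paths (ca/cert/key/tls-auth lines) that contain a backslash.
count_backslash_paths() {
    grep -cE '^[[:space:]]*(ca|cert|key|tls-auth)[[:space:]]+"[^"]*\\' "$1" || true
}

# Emit a copy of a client profile with every backslash turned into '/'.
fix_path_slashes() {
    sed 's#\\#/#g' "$1"
}

# Human-readable summary; returns 1 if anything needs fixing.
check_profiles() {
    server="$1"; client="$2"; status=0
    printf 'server cipher: %s\n' "$(active_cipher "$server")"
    printf 'client cipher: %s\n' "$(active_cipher "$client")"
    if ciphers_match "$server" "$client"; then
        echo "cipher: OK"
    else
        echo "cipher: MISMATCH - set the same 'cipher' on both sides"; status=1
    fi
    n=$(count_backslash_paths "$client")
    if [ "$n" -eq 0 ]; then
        echo "paths: OK"
    else
        echo "paths: $n quoted path(s) use backslashes - use forward slashes"; status=1
    fi
    return $status
}

# Stand-alone run on the constructed samples (expected: both checks fail,
# then the path problem disappears in the fixed copy).
check_profiles "$TMP/server.conf" "$TMP/client.ovpn" || true
fix_path_slashes "$TMP/client.ovpn" > "$TMP/client-fixed.ovpn"
printf 'after fix, backslash paths: %s\n' "$(count_backslash_paths "$TMP/client-fixed.ovpn")"
```

Point `check_profiles` at your real server.conf and client.ovpn before starting the service. Newer OpenVPN releases can negotiate the data-channel cipher between the two ends, so a mismatch does not always prevent the tunnel from coming up on a current build, but keeping both files explicit and identical removes the guesswork either way.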
Vaibhav Shukla says
D14.1: Discussion Topic 1
There is a provision or an exception in HIPAA called the Privacy Rule which allows health care providers to share protected health information for treatment purposes without patient authorization, as long as they use reasonable safeguards when doing so. These treatment communications may occur orally or in writing, by phone, fax, e-mail, or otherwise, e.g. a physician may consult with another physician by e-mail about a patient’s condition.
The Privacy Rule requires that covered health care providers apply reasonable safeguards when making these communications to protect the information from inappropriate use or disclosure.
There should be some infrastructure and some process knowledge known by healthcare professionals beforehand, so that during an emergency, rather than sending mail through a normal email site, they can use an encrypted version or an alternative method such as Snapmail, which is a secure message service that allows users to send ‘self-destructing text emails for Gmail’.
D14.2: Discussion Topic 2:
RFC 1087, I think, is still acceptable with the few points it mentions, but it doesn’t cover all areas of so-called internet ethics extensively. The clauses that describe some activities as unethical, like purposely seeking to gain unauthorized access to the resources of the Internet, define the breach of confidentiality of the systems.
It mentions that wasting resources (people, capacity, computer) through such actions is also unethical, which nowadays can be called a DDoS attack where availability is compromised.
I think the document addresses the concerns for unethical use of the internet, but we need strong rules, regulations or laws to complement such points to prevent malicious users from performing unethical activity on the internet.
D14.3: Discussion Topic 3:
I think it seems a lot more lucrative when the VP promises future work for your company and a good recommendation for your work if you comply.
But I think, as you are hired from an external security agency and not a part of the internal security team, there might be some legal charter or clauses signed with the security company.
The safer side for the consultant is to work ethically and prevent any future legal issues. The VP will only promise such things orally and never give any written confirmation on this. Any legal issues that can arise at a later stage for any reason, maybe a camera-recorded conversation between you and the VP, can land the consultant in trouble.
http://www.hhs.gov/sites/default/files/emergencysituations.pdf
Loi Van Tran says
Vaibhav,
The segment you’ve provided about the HIPAA privacy rule was very informative, but I think the word ‘reasonable’ would put safeguards into a gray area. What is reasonable, what is not? I believe that in the healthcare industry, emergency, life-threatening situations are more of the norm than an exception. The need for doctors to share patient information, outside of more secured channels, in these cases is out of necessity. Hospitals and other healthcare institutions have been sharing information, typically in the same network, for a long time. In extenuating circumstances where information has to go outside of that network, these providers should already have defined processes to ensure confidentiality of patient information. I believe that human life is of utmost importance, but health providers also have the responsibility to protect that information, not only from a compliance standpoint but also from legal actions that the patient might take if their privacy is compromised or accidentally disclosed.
I agree that the document is still relevant since it focuses on the three pillars of Information Security: Confidentiality, Integrity, and Availability. It also states it is unethical to compromise privacy. Although the RFC was written in 1989, those four components are the central focus of our classes. With technology evolving every day and laws trying to catch up, it would be a daunting task to cover more specific details and keep it updated.
I personally would not alter the report, and doing so would be unethical. This is a bribe for you to leave out incriminating evidence on fraud and abuse. By doing so, you will leave opportunities for the perpetrator to commit the crime again. This would also leave you vulnerable to legal actions for breach of contract and/or withholding evidence. If somebody else was hired to conduct the same investigation, you would be exposed and probably end up being fired or losing your credential reputation.
Mushima K. Ngalande says
D14.1: Discussion Topic 1:
There are those situations that warrant expedited service; however, the whole purpose of HIPAA is to maintain confidentiality of patient PII. Therefore non-compliance can never be justified. So to mitigate this, rather than sending direct unencrypted email, there could be some other service where a client can be sent the files, which would need a code to be picked up. Files can then be deleted after a certain number of days. An example of this is the Temple service, tusafesend, https://tusafesend.temple.edu/, which is a resource that can be used to securely send and receive files from within and outside the University.
Additionally, there are also secure intranets that hospitals can use to send e-mails. These networks are restricted to employees and other individuals authorized by the Hospital or its affiliates. A doctor would only need to share urgent patient information within the intranet, which is restricted from outside access.
D14.2: Discussion Topic 2:
Read RFC 1087: Ethics and the Internet.
Is the document still relevant today? The general concept is still relevant today. Though at the time of this document the internet was a service being extended by the government to researchers, it has since exploded to be available to a broader audience worldwide. Though directed to researchers and internet entities, what it defines as unethical and unacceptable activities is still relevant today.
1. Seeks to gain unauthorized access to the resources of the Internet.
2. Disrupts the intended use of the Internet.
3. Wastes resources (people, capacity, computer) through such actions.
4. Destroys the integrity of computer-based information, or
5. Compromises the privacy of users
It ultimately points out that the health and well-being of the Internet is the responsibility of its users who must, uniformly, guard against abuses which disrupt the system and threaten its long-term viability.
Is this document still something that Internet users would understand today?
Internet users today cannot understand being denied access to the internet; the scope of the World Wide Web is just too vast for one to conceive of being denied access. At the time of the document it was possible, as it was a service being offered by the government to researchers and some internet entities. However, users can pick up on the aspect of acceptable behavior, though today it is down to individuals and not a specific group.
How could it be improved?
It can be improved by no longer looking at the internet as a product. It has grown beyond that. It is now a service like electricity where someone just needs a service provider to have access. The ethical guidelines would have to be narrowed down to individual users and service providers. It would also have to include organizations granting users access to their domains.
D14.3: Discussion Topic 3:
What will you do next?
As an ethical security auditor I am obliged to provide my findings without fear or favor. As enticing as it may be to be promised future work, it’s more important to maintain my honor and have a reputable name. With a good name more work can follow, as opposed to word going round that I’m corruptible. So I would not oblige the VP of IT’s request and would just present my findings to the relevant authorities at the law firm.
Ioannis S. Haviaras says
D14.1:
This situation can be seen in many organizations, not just healthcare. Anything that involves an urgent matter that needs to get taken care of quickly sometimes requires these unsafe methods to transport this information. Even though these might be isolated incidents, these incidents could ultimately lead to leakage of sensitive data. An organization could implement an encrypted instant messaging system; this could mitigate this issue in the future, making it more secure and faster to transfer critical data at a moment’s notice. A product like SecureChat by LuxSci could solve these issues. SecureChat is available on a mobile platform as well as on a computer. With only a slight learning curve your organization could be significantly more secure when it comes to quick messaging.
D14.2:
RFC 1087, I believe, is still relevant today. The way it is written is very vague in order to accommodate future crime on the internet. The five unethical and unacceptable activities are still very relevant, even more so today. I believe that it could be improved by maybe adding criminal activity as one of the unacceptable activities.
D14.3:
First, I would speak to a manager and talk to them about the incident and what the VP told me. I believe that even though we will get more business from this company, it is not worth ruining the integrity of our report just to accommodate them. This goes against all of what cyber security experts stand for. One company should not stand in the way of the integrity of the data you are reporting.
Mengqi He says
D14.1:
It’s important to comply with HIPAA to protect patient information and privacy. However, I don’t think it is necessary to regard HIPAA as the top priority in an emergency room (ER). The ER is one place where unpredictability is the norm; saving lives should always be the main priority, and HIPAA compliance should be considered the secondary priority. I believe violation of HIPAA in this kind of situation should be considered justified. To give patients the emergency care they need and comply with HIPAA to the greatest extent at the same time, it is important to develop thorough policies and procedures for handling this kind of situation. HIPAA should allow clinicians and physicians to use their own judgment to make decisions when an emergency occurs.
D14.2:
I think RFC 1087 is still relevant today, and it is still a great guideline for proper use of the resources of the internet. The document listed five unethical and unacceptable activities: gaining unauthorized access, disrupting the internet, wasting resources, destroying the integrity of information, and compromising privacy. All these activities are common cyber issues today, and were discussed in our previous classes. RFC 1087 was developed in January 1989, around 28 years ago. Since technologies are developing so fast, this document may not cover all internet concerns and issues anymore. I think more modern unethical activities should be included in it, such as deception and cyber terrorism.
D14.3:
This is a very common dilemma for many IT auditors and security consultants. The decision would be hard in real life. I do understand and believe that we security consultants should always be ethical and discover the truth. However, it would be very hard for persons who can only see the attractive short-term economic benefits to balance between the benefits and ethics. It is possible to hide the evidence and truth for a while, but I don’t think this can be hidden forever. Intrusion is not a small thing. Once the truth is disclosed, the relative of the VP would still be responsible for the intrusion, and the VP would also be responsible for attempting to hide the truth and probably be demoted. In addition, Security Advisors Co. would be responsible for not completing their job, and this would affect the reputation of the company. I would be the most blamed person for lying, hiding the truth and bribery, and probably be fired. Therefore, what I’m going to do is not just write and present my findings to my client without informing the VP. I would first have a talk with the VP to let him understand it is not a good decision to attempt to hide the truth in the long term. If he insists on his decision, I would present my real findings anyway.
Mengxue Ni says
D14.1: Discussion Topic 1:
The HIPAA Privacy Rule establishes national standards to protect individuals’ medical records and other personal health information and applies to health plans, health care clearinghouses, and those health care providers that conduct certain health care transactions electronically. This is the description of HIPAA. It’s understandable that the healthcare industry didn’t use encryption in time, since emergencies always happen. In order to mitigate these issues, first, there should be consultants that help to solve customers’ questions about HIPAA. Second, secure software should be used for submitting any test results, images, etc. It can manage data properly and it is also a defense against hackers. I read an article that says the healthcare industry is still using the Windows XP system today. The privacy of patients is in danger since Windows had announced that they no longer provide support for the XP system as of 2014. So we can tell that the healthcare industry’s data is very easy to breach. Although human lives override laws, they should take care of sensitive data afterward as well.
D14.2: Discussion Topic 2:
In January 1989, the Internet Advisory Board (IAB) recognized that the Internet was rapidly expanding beyond the initial trusted community that created it. Understanding that misuse could occur as the Internet grew, IAB issued a statement of policy concerning the proper use of the Internet. The contents of this statement are valid even today. The statement is a brief list of practices considered unethical. Where a code of ethics states what you should do, this document outlines what you should not do. RFC 1087 states that any activity with the following purposes is unacceptable and unethical:
• Seeks to gain unauthorized access to the resources of the Internet
• Disrupts the intended use of the Internet
• Wastes resources (People, capacity, computer) through such actions
• Destroys the integrity of computer-based information
• Compromises the privacy of users
(CISSP)
This is how CISSP described RFC 1087; looking at the list above, I think it is still relevant today. However, it needs more added because the internet has evolved since 1989. I think we can start with identifying categories of ethical issues related to the internet. First is the privacy issue: is sensitive data encrypted? Is the Wi-Fi service secure? There are a lot of ethical issues related to privacy when we are using the internet. Second is the consent issue: when is it necessary to obtain consent for using information available on the Internet? 1. Data are collected from research participants through any form of communication, integration, or intervention. 2. The research participant is unaware that any observation or reporting is taking place. Since today’s internet can be accessed by anybody, all information can be used at any time, anywhere. Once you post something online, it will be public. The third category should be the anonymity issue; anonymity can be maintained by removing the identity elements such as the message header, name of the list, etc. Your knowledge or information can be stolen by someone else online. The last category is accuracy of information; most of the information available on the internet is not reviewed. People can post anything they want online. This is also the reason why professors ask us not to trust Wikipedia, because anyone can edit the information.
D14.3: Discussion Topic 3:
I believe that this kind of “offer” happens a lot, especially when it relates to laws and crime. I would provide the correct result of the investigation. I am an external security consultant helping with this case; I believe there would also be an internal investigation. There is no point in telling a lie; once internal reports show a different result than mine, I will be a helper of the perpetrator. Even if there is no internal consultant, it is my job to find out who broke into the company’s computer and destroyed the information on the legal case. Also, the legal case relates to someone else’s life or benefits. I can’t just think about my benefits in this case.
Jon Whitehurst says
D14.1: Discussion Topic 1:
Being PHI aware and knowing how to handle it has to be in the DNA of the culture of a hospital and its administration. Email internally is not really the concern; it’s when it is shared outside the hospital’s control. At hospitals that I know of, when an email is being sent out to an external email address, there is an application/system (ZIX) that searches the email for patterns such as a hospital ID or SSN and, if flagged, will send the destination an email to retrieve the message in a secured manner. The issue with HIPAA is when there were 500 records or a workstation has been stolen, as an example, and the system was not encrypted; it has to be reported to the government and fines are handed out.
D14.2: Discussion Topic 2:
In the US I think RFC 1087 is not used on the internet. Ethics on the internet is based on the person behind the keyboard. If RFC 1087 had “technology teeth”, would there be a “Dark Web”? I think RFC 1087 is a guideline that businesses use for their policies on how to use company-owned computers or network devices. Businesses can have more control and find out whether someone is misusing company property.
D14.3: Discussion Topic 3:
Interesting question. I would hope that the security incident is not handled by a team of one. Security incidents are handled by committees or a group of people, including the VP of IT. If a case like this were to exist, one of two things would happen. If the security incident committee has signed a no-discussion agreement before joining the group, then the VP of IT would be allowed to stay on until it has been proven that he or she has been directly involved. If an agreement has not been signed, then the VP of IT would be dismissed from the incident team until the investigation has concluded, as this poses a conflict of interest. In incident teams that I have been a part of, one person based on rank would not have the ability to alter a report based on an outside vendor.
Amanda M Rossetti says
D14.1: Discussion Topic 1:
As someone who uses healthcare a lot, this is terrifying to me. Healthcare data breaches are on the rise. Lucas Mearian from Computerworld says that 1 in 4 breaches in 2016 will be against the healthcare industry, and every time there is a breach 1 in 13 patients are affected. This leads me to believe that doctors should never send information without encryption or protection. But I also am cognizant of things in emergency situations needing to be done as quickly as possible. I think that if they really can’t wait for encryption to send the information, they should just walk the file to the other physician. If you can’t do that, they could use an encrypted telephone line to tell the other physician the information. There are so many options that are still secure and not that much slower that I don’t see why they would ever risk sending something unencrypted and having it stolen.
Source: http://www.computerworld.com/article/3090566/healthcare-it/hackers-are-coming-for-your-healthcare-records-heres-why.html
D14.2: Discussion Topic 2:
RFC 1087: Ethics and the Internet is not really relevant today. The internet is a vastly different place today than it was 30 years ago when this was written. Back then it was largely supported by the US government and mainly only researchers were using it. Today there are many private companies that support the internet and virtually everyone uses it. The average internet user today would not understand this document. They may have a vague idea that the internet was invented by the US government, but the IAB statement of policy section would have almost no meaning to them. Everyone has access to the internet (if you pay for it or go to the library), so the idea of gaining unauthorized access to it is absurd today. I like the idea of having an ethics policy talking about how you shouldn’t use the internet to attack others. If the policy was revised to be relevant to the internet as it stands today, I think it would be a good idea and could be used to teach computer classes in public school and help lawmakers understand the internet when they are making laws that affect it, such as net neutrality.
Source: https://www.ietf.org/rfc/rfc1087.txt
D14.3: Discussion Topic 3:
Change nothing in the report and present the findings as they are, that the perpetrator was the new programmer. It would be absolutely unethical to change the findings and nothing the VP of IT could promise you would be worth lying and damaging your integrity. I don’t want a recommendation from someone who would willfully deceive their employer. Someone who is dishonest saying I did a good job means nothing, because I know they’ll lie to get their way, including give a false review. Also, I am doing the firm who hired me (who is my client, NOT the VP of IT) no favors by not revealing the true perpetrator. In addition, I have no guarantee the perpetrator won’t do it again, and it will make me look bad if it is later revealed that they did this again.
Bilaal Williams says
14.1
In an emergency situation, it is definitely justified for a physician to use the most expedient method to communicate the necessary information to provide the proper care. This is why it is important to plan for these types of situations in advance to prevent compromising the security of the information. If possible, a secure channel should be available in which encryption and decryption can be done in a safe and time-efficient manner. These situations should be tested in drills by all the appropriate parties, so when these emergency situations do arise all of those involved will know the proper procedures and protocols to follow. In the case that a secure channel is not available, the time and medium of communication should be documented so that, in the case that a client’s information is compromised, authorities will have a means to identify where the breach occurred.
14.2
The document still has relevance today in that it presents the history of the Internet and the importance of ensuring its usage remains ethical. I think it would be good practice to introduce the general public to this document so they are more aware of the origination of the Internet and the costs that were made to create it. The reliable operation of the Internet and the responsible use of its resources is still of common interest and concern for its users, operators and sponsors. Since the Internet no longer exists in the general research milieu, researchers are no longer the only ones responsible to exercise great caution when using the Internet; the message now applies to the general public, as usage of the Internet has transcended all walks of life.
14.3
This is unacceptable and I would not agree to comply with the wishes of the VP. Not only is this against the law, but if negligence were discovered down the line, your decision to cover up the perpetrator could now make you an accomplice. As security professionals we have a responsibility to uphold the truth and present it as such regardless of the implications. In this case, I know that by upholding the truth and presenting the findings as such, I will gain work in the future and do not have to rely on the solicitations of the VP. If the VP asks you to do this on this particular assignment, who knows what lengths he will go to in the future?
Joseph Nguyen says
14.1
It’s interesting to know about the details of healthcare regulation and how patients’ information is handled. Nothing is perfect and it’s our job to improve things and find solutions for the better. I believe that patients’ health is always the priority for all healthcare providers, so all decisions should be made with that idea in mind – i.e. if we must make some “security compromises” to benefit the patient’s health, it is understandable and acceptable. I am optimistic that human goodness and our advanced society will find a creative solution in this case and we don’t have to settle for “compromises”.
14.2 rfc1087
Mushima made a good summary list of 5 purposes of hackers. Unethical and unacceptable activities are costly and destructive to society as a whole. And we together must do all that we can to fight back every one of those criminal acts.
14.3
I think there are enough jobs out there for all serious job-seekers, and honesty is always the best policy! Happy new year and I hope you will have a great time during this holiday season.
JR says
14.1 I had this conversation with a CISO last month regarding our email policy. He had to deal with similar issues. As per his organization’s policy, users are to use the encrypted secure message center on their EHR for such communication. I asked him what happens if physicians or users decide to send emails anyway, since using the message center requires quite a few steps that non-IS staff would find frustrating and time consuming. Non-compliance should not be tolerated, but it is unrealistic to not consider non-compliance and prepare for it. In response to this, the email usage policy was communicated to personnel and a decision was taken to encrypt all email throughout the network to mitigate the risk of data falling into the wrong hands.
14.2 I think this document was written with good intentions but there is nothing the document can do to enforce itself unless whoever is in power enforces it in their jurisdiction. I think users today will still be able to understand this document.
14.3 I think honesty is the best policy. I’d let the VP know that I cannot modify the report as it conflicts with my code of ethics. I would also make my immediate supervisor at Security Advisors Co. and whoever is responsible for the engagement aware of my actions.
Noah J Berson says
What this seems to be asking is whether, in the event of an emergency, the rules can be broken on a case-by-case review. The family of the patient in this situation probably would want everything possible to be done to cure the patient. A doctor may take it into their own hands to weigh their Hippocratic oath against their adherence to the regulations of HIPAA. Justification of non-compliance in a case like this is not up to anyone involved; it is up to a court. We already make sure medical personnel can ignore laws in certain situations. The rules of the road apply to everyone, but when there’s an emergency the ambulance can ignore speed limits, traffic, and lights. To mitigate this issue, a special lane can be created that could implement protections in emergency situations. This could be a new network just for medical personnel or a new email protocol as well.
This document, although published before I was even born, is still relevant. I think they foresaw the internet being classified as a common carrier like other utilities. It also hopes that the internet can be protected like one. No one should have unauthorized access where they shouldn’t, no one should invade users’ privacy, and no one should infringe on the integrity of data on the internet. Since this document, we have enacted certain laws to help prevent this. This list includes HIPAA, COPPA, CAN-SPAM, identity theft laws, and the ECPA. These all attempt to inflict penalties or legal action on those who try to do harm to others via the internet and harm the internet itself. I think it could be improved by covering privacy issues more. We often pay for services with our identity instead of money on the internet. This document could expand on what it means when people trust all of their photos and personal information to a company and how they should protect them from improper access.
There will always be people offering unethical rewards for compromising your integrity. If your job is keeping people safe and secure, you can never give this up. For those who consider this, keep in mind that secrets do come out in the long run. You are risking not just your reputation but that of the firm you work for. Fudging evidence will end up hurting the company you were trying to protect as well. The evidence pointed to an internal attack, and this means that they would not be caught. They would be compromising all the employees and all the clients of that firm after you left. The next step to resolve this issue would be to let your colleagues at Security Advisors Co. know that there was another attempted bribe. This would result in some protocol being followed which has been built into the contract between the firms, and the matter being brought to a higher-level discussion. This may end with the VP and the VP’s relative being fired in the end.