Monthly Archives: June 2010

Electronic prescriptions of controlled substances – a key area where information security is paramount

Posted by John Reno in Main | 1 Comment

Earlier this month the Drug Enforcement Administration (DEA) revised its regulations governing the electronic writing of prescriptions for controlled substances. The rule had been published in the Federal Register in March and is now effective. Streamlining the e-prescribing of controlled substances has many benefits, including cost reduction and improved quality of care. At a recent conference some of the challenges in this area were discussed by Leisa Jenkins, executive director of CareSpark. In the …

Healthcare Web Applications – The Security Achilles Heel

Posted by mmarshall in Main | 1 Comment

At Redspin we have a unique view of the security space, given that we are hired to perform security assessments of customer web applications all the time. Our clients want to know whether a hacker can reach their electronic protected health information (EPHI). The answer, sadly, is often yes. Many times it is dreadfully easy. This week we accessed a customer portal chock full of EPHI using the classic ' or 1=1;-- trick (SQL injection). For those not technically inclined, this string …
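An added illustration of the ' or 1=1;-- trick and its fix. This is not code from the original post or from any Redspin assessment: a login lookup built by string concatenation against an in-memory SQLite table of constructed patient rows, beside the same lookup with bound parameters. The table and column names, the sample rows and the plaintext password column are assumptions made to keep the example short.

```python
import sqlite3

# Constructed rows standing in for a patient portal's user table (not real data).
# Plaintext passwords are only to keep the example short; real systems store hashes.
SAMPLE_USERS = [
    ("alice", "correct horse", "Alice Smith, MRN 10001"),
    ("bob", "battery staple", "Bob Jones, MRN 10002"),
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, record TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def login_vulnerable(conn, username, password):
    # The attacker's text is spliced into the SQL: the leading quote closes the
    # string literal, "or 1=1" makes the WHERE clause true for every row, and
    # ";--" turns the rest of the statement, password check included, into a comment.
    sql = ("SELECT record FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    return [row[0] for row in conn.execute(sql)]


def login_parameterized(conn, username, password):
    # Bound parameters are passed as values and never parsed as SQL; the same
    # payload is simply a username that does not exist.
    sql = "SELECT record FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (username, password))]


PAYLOAD = "' or 1=1;--"


def demo():
    conn = make_db()
    return {
        "vulnerable": login_vulnerable(conn, PAYLOAD, "anything"),
        "parameterized": login_parameterized(conn, PAYLOAD, "anything"),
        "legit": login_parameterized(conn, "alice", "correct horse"),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

Run as a script, the vulnerable lookup returns every patient record to a caller who knows no password at all, while the parameterized lookup returns nothing for the payload and exactly one row for the real credentials.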

Healthcare Breach Fines – Legal defensibility and the implications for healthcare information security programs

Posted by John Reno in Main

Last week the media was buzzing with the actions of the California Department of Public Health (CDPH). The CDPH announced fines of $675,000 against six hospitals that had reported security breaches involving medical records. The legal basis for these fines and penalties is two bills that amended California law in 2008, AB 211 and SB 541. Since the laws went into effect the CDPH has issued fines totaling $1.1M. The major elements of the legal requirements associated with …

State HIE deployments – Some thoughts from the field

Posted by John Reno in Main

Health and Human Services Secretary Kathleen Sebelius is one busy government employee. From announcements regarding Regional Extension Center Awards and Job Training Grants to the State Health Information Exchange Cooperative Agreement Program, it’s a daunting task to keep up with the acronyms and initiatives. For the healthcare provider on the front lines, these announcements are just part of several waves of carrot and stick techniques that will ideally drive the U.S. healthcare system toward competitiveness. The carrots have already started …

A bad Apple…

Posted by jhaddix | 1 Comment

This week iPad owners had their email addresses leaked via a security vulnerability in the way iPads registered with AT&T's 3G service. Approximately 114,000 email addresses were harvested by brute-forcing a script that was supposed to recognize an iPad owner's ICC-ID (a supposedly "unique" identifier, which turned out to be predictable) and return, in an AJAX response, the email address associated with that ICC-ID. The grey-hat security group that found the vulnerability brute-forced ICC-IDs and analyzed the resulting successful …
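The post's point is that the ICC-ID was predictable, so an endpoint that hands back an email address for any ICC-ID it recognizes is enumerable. ICCIDs (ITU-T E.118) are decimal strings whose last digit is a Luhn check digit, so the "brute force" is walking consecutive payloads and recomputing one digit. The example below is added here and is not code from the original post or from the group that found the flaw: it enumerates the Luhn-valid ICCIDs following a constructed seed, then runs a simple enumeration detector over constructed web-server log lines. The seed value, the request path, the log format and the per-client threshold are all assumptions.

```python
import re
from collections import defaultdict

# ITU-T E.118 ICCIDs are decimal strings (commonly 19 or 20 digits) whose last
# digit is a Luhn check digit over the preceding digits.


def luhn_check_digit(payload):
    """Luhn check digit for a digit string that does not yet carry one."""
    total = 0
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:  # every second digit, counting from the right, is doubled
            d = d * 2 if d < 5 else d * 2 - 9
        total += d
    return (10 - total % 10) % 10


def is_valid_iccid(iccid):
    return (iccid.isdigit() and 19 <= len(iccid) <= 20
            and luhn_check_digit(iccid[:-1]) == int(iccid[-1]))


def next_iccids(seed, count):
    """The `count` Luhn-valid ICCIDs that follow `seed`: increment the payload and
    recompute the check digit. A serial that anyone can predict is not a secret."""
    width = len(seed) - 1
    base = int(seed[:-1])
    result = []
    for k in range(1, count + 1):
        payload = str(base + k).zfill(width)
        result.append(payload + str(luhn_check_digit(payload)))
    return result


# Constructed seed with an arbitrary prefix; it does not identify a real SIM.
SEED_PAYLOAD = "890141032111118510"
SEED = SEED_PAYLOAD + str(luhn_check_digit(SEED_PAYLOAD))

# Constructed access-log lines in a hypothetical "<client> GET <path> <status>"
# format (not AT&T's logs or URL). Two clients register their own device once;
# 203.0.113.7 walks consecutive ICCIDs.
LEGIT_LINES = [
    f"198.51.100.20 GET /device/register?iccid={SEED} 200",
    f"198.51.100.21 GET /device/register?iccid={next_iccids(SEED, 50)[-1]} 200",
]
ATTACK_LINES = [f"203.0.113.7 GET /device/register?iccid={i} 200"
                for i in next_iccids(SEED, 6)]
SAMPLE_LOG = LEGIT_LINES[:1] + ATTACK_LINES[:3] + LEGIT_LINES[1:] + ATTACK_LINES[3:]

REQ_RE = re.compile(r"^(\S+) GET /\S*[?&]iccid=(\d{19,20}) (\d{3})$")


def find_enumerators(log_lines, max_ids_per_client=3):
    """Clients that asked about more distinct ICCIDs than one device could own.

    Returns {client: (distinct_ids, sequential)}; `sequential` is True when the
    requested payloads form an unbroken run, the signature of a walk like this one.
    """
    seen = defaultdict(set)
    for line in log_lines:
        m = REQ_RE.match(line)
        if m:
            seen[m.group(1)].add(m.group(2))
    flagged = {}
    for client, ids in seen.items():
        if len(ids) > max_ids_per_client:
            payloads = sorted(int(i[:-1]) for i in ids)
            sequential = all(b - a == 1 for a, b in zip(payloads, payloads[1:]))
            flagged[client] = (len(ids), sequential)
    return flagged


if __name__ == "__main__":
    print("seed:", SEED, "valid:", is_valid_iccid(SEED))
    print("next:", next_iccids(SEED, 3))
    print("flagged:", find_enumerators(SAMPLE_LOG))
```

The counting detector is deliberately crude: it catches a single client walking IDs, not an attacker rotating source addresses. The durable fix is on the server side, where an identifier that is predictable by construction must not be the only thing standing between a request and someone else's personal data.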

Focus first on IT security goals, compliance will follow

Posted by John Reno in Main

I was depressed earlier this week from conversations with a security vendor and a system developer. They both had developed, more or less, the same point of view. The security vendor said, “Compliance is what sells”. The system developer said, “Failed audits are what can get the attention of management.” Compliance is certainly necessary for most companies, whether driven from the standpoint of adherence with internal policies or government regulations. In many cases compliance requirements have provided the impetus and …