Re: [Full-Disclosure] More Unusual request

From: Etaoin Shrdlu (shrdlu@deaddrop.org)
Date: 02/14/03

    From: Etaoin Shrdlu <shrdlu@deaddrop.org>
    To: full-disclosure@lists.netsys.com
    Date: Fri, 14 Feb 2003 02:39:14 -0800
    

    First, I must say I'm surprised that the only two posts I've seen in answer
    to this have come from folk who I suspect have absolutely NO experience
    with HIPAA. The answer here needs to be more specific to the problem.

    Eric Wright wrote:
    >
    > Seeing the positive and helpful comments from the aforementioned thread
    > 'Unusual request', I would also like to ask for help. I work for a company
    > that deals a good bit in healthcare and with the HIPAA regulations coming
    > down the pipe I have been asked to help with the security aspects of our
    > network.

    First, if you are attempting to help address HIPAA, then the security
    aspects you need to address are quite specific, and already well
    documented. I can only hope that you are working with others in this
    matter, and have not been cast alone on the waters, in some strange belief
    that there is anything you can possibly do in the very short time before
    these requirements come into effect.

    As others have requested, you really need to supply more information. What
    exactly is your role? How many others are helping you? Is there an IT audit
    group of some sort that is charged with ensuring various portions of the
    company? Have you someone whose specific task it is to know whether you are
    complying with HIPAA, and you are just trying to harden the network?

    > I have been in the comp field for a number of years but am fairly
    > new to security (at least to the depth that I need now). I am only asking
    > for help, knowledge, experience, guidance, or anything else that would be
    > useful.

    You may or may not have come to the right place, depending on your answers
    to the questions above. If this is your company's first real attempt at
    addressing HIPAA, run, don't walk, to the nearest group of want ads. You're
    in a lot of trouble. Unless your company is very, very small, with a very
    limited budget, hearing that you are "new to security" is not good. You
    need to acquire a consultant that is NOT new, and is well-versed in the
    specific industry you are in, and that needs to be done yesterday. If there
    isn't the budget for that, tell them you don't want the job.

    > It's easy to search for exploits and run them but what I am after
    > is an "Understanding". I am not a programmer so code is a new area and
    > challenge. I need help in understanding the exploits and how to search for
    > them and diagnose them on our network.

    You should not be concerned with "exploits" but rather with hardening your
    network. I suspect that it is something older, and I'm wondering if it is
    the usual shop of ex-mainframe types transferring all they know and do to a
    pile of PCs, without the requisite knowledge that would keep them safe. You
    have already identified precisely who and where you work (don't you just
    LOVE hotmail), so I can see that it is indeed a medical place of business,
    and that you really, truly do need help.

    > I would like to work on a personal
    > basis with anyone who is willing to help, but could also go directly through
    > this board, if that is a better way. Thanks in advance.

    Putting more public information on this, or any mailing list, would be a
    bad idea for you, since it seems that you are quite open in your
    inexperience. I answer publicly in the awareness that this list is
    archived, and that there may be other innocents also reading who will gain
    information from this. I have a certain experience in HIPAA and similar
    privacy issues, and can point you in helpful directions if you'd like to
    take this off line.

    --
    Open source should be about giving away things voluntarily. When
    you force someone to give you something, it's no longer giving, it's
    stealing. Persons of leisurely moral growth often confuse giving with
    taking.    -- Larry Wall
    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html