Often it’s the little security issues we overlook that hurt us the most. 
By: Brand BarneySecurity cameras? Check. Guards? Check. Locked doors? Check. Privacy monitors? Umm . . .When it comes to data security, many health organizations don’t always worry as much about the physical aspect. While many foundational security issues may have been addressed, organizations are likely to have overlooked details such as
Unlocked office doors during the dayWindow blindsReception desksLack of screensavers and privacy monitorsTheft of devices/hardwareMalware in left-behind devicesPeople may think physical security only applies after hours. However, most data thefts occur in the middle of the day, when the staff is too busy with various assignments to look at the person walking out of the office with a server, company laptop, phone, etc.Organizations may also think data thefts are large events that take months of planning, looking like something from those heist movies. (Oceans 11, anyone?) However, most data thieves use simpler plans.The majority of physical data thefts take less than only minutes in planning and execution.
TweetMalicious entities (hackers) strike quickly, take what data they can and leave with little to no trace. In this case, data thieves take advantage of the lack of physical security in healthcare organizations. Here are some issues that your organization may not have considered.Taking devicesThe main problem offices have with devices is a nurse and a client use the same type of mobile device, such as an iPad. A thief could walk in, take an iPad off the reception desk when no one was looking, and walk out, all within five minutes. Would you stop someone if they were walking out of your office with an iPad? Probably not, because you would assume it was theirs. But within a few potential minutes, that hacker has access to the network and whatever data or PHI is on that iPad. This type of theft can and does happen, and sadly it’s not limited to your office, hospital, etc. Many workforce members work long hours and take devices with PHI on them home, stopping at a grocery store or a child’s school on the way home from work. Theft is quite likely if a device is left alone and unsecured in or out of the workplace, and that breach can cause quite a bit of heartburn.See also: Balancing Mobile Convenience and PHI SecurityLeaving devicesYou don’t often think of thieves leaving something behind, but for hackers, an easy way to further the data heist is to leave behind malware. Here’s an example: A receptionist at a large hospital notices a flash drive was left on the desk. It’s labeled “HR,” so the receptionist decides to just drop it off at the Human Resources Department. The person in HR takes it and plugs it into a computer without a second thought. But that flash drive was full of malware and now the hospital’s system is infected and likely losing data.Be suspicious of any unfamiliar hardware or device that randomly appears.Windows and peeping eyesOften a thief doesn’t have to enter an office to steal information. They can look through a window and see information on the computer screens of workers. This can be remedied simply by putting up blinds in offices that have sensitive information.Follow for more data security articles like thisReception desks reveal more than you thinkReceptions desks are filled with tidbits of information and loose PHI that cause data thieves to grin. Things like passwords written on sticky notes, computers without privacy monitors, and patient records lying out in the open are all fair game for social engineers.Reception desks also get the most traffic, which is why they are typically the first target. Social engineers can steal a lot of information without being noticed. It’s critical to the safety of your patient’s data that your receptionists are properly trained to handle social engineers and aware of everything that’s going on.See also: Healthcare Reception Desks: Breeding Ground for HIPAA Compromise
Check-in and check-outKeeping track of clients coming in and out may seem insignificant, but it can help discourage thieves and provide information should your data get stolen.Having check-ins helps your staff to acknowledge and remember the clients that come in, making it harder for social engineers to slip in and out unnoticed. Make sure all clients/vendors that come into the building sign in and out when entering secure zones (like a data center, or networking areas/server areas), and always assess who really needs access to those very sensitive areas.Unlocked doors: a social engineer’s paradiseSocial engineers love an entity that doesn’t pay as much attention to physical security. It makes their jobs that much easier, and if you aren’t paying attention to these areas, what else might that attacker poke around at? A social engineer can go into a hospital, walk into an unlocked office, sit down on an unlocked computer, steal phi, and then leave all within ten minutes.But if the office door is locked, then the social engineer usually won’t bother.Hackers and thieves are often lazy. Why go to a lot of trouble to get past a locked door if there’s an unlocked one down the hall? By locking office doors and computers, you deter many data thieves (what’s crazy is this very basic concept translates to all areas of security).Fighting back: it’s surprisingly easyMost of these risks can be prevented with little effort. Here are some suggestions:In risk analysis, look for physical security risksLock all office doors when not in use day and nightRequire passwords to access computers and mobile devices (encrypt your data or don’t have data on devices)Use screensavers and privacy monitors on computersInstall and use blinds in all office windowsKeep logs of who goes in and outKeep track of devices that go in and outHave policies in place for stolen equipment (Make sure to have a good Incident Response Plan and know your Breach Notification Policy front and back.)Train staff against social engineeringLimit access to PHI through role-based access.Have staff report suspicious people and devicesMake sure all reception desks protect PHI from prying eyesSee also: Common HIPAA Violations: HIPAA Quiz/HIPAA TestMost social engineering and data thefts can be prevented by following these simple practices. If your organization is taking into account the smaller issues, a social engineer, or a thief will be less likely to bother you because it’s not worth the effort.It’s the greatest benefit from the littlest effort.Brand Barney (CISSP, HCISPP, QSA) is a Security Analyst at SecurityMetrics, has over 10 years of data security experience, and will totally geek out if you mention Doctor Who. Brand loves to play jazz piano and daydreams about being as great as Dave Brubeck or Thelonious Monk. Connect with him on Twitter or check out his other blog posts.
A Totally Awesome DIY Security Project – Raspberry Pi Face Recognition Treasure Box
As you know, I’m currently working on a few DIY security projects to share with you guys. My favorite place to go for inspiration has been, Make. These folks do some seriously awesome DIY projects. Most of them beginner to intermediate-level DIYers can do themselves. While perusing their site, I found this gem:Raspberry Pi Face Recognition Treasure Box – MAKE
If I Had To Design A Parking Lot, This Is How I’d Do It
The other day, I noticed in a discussion group someone asked about designing a parking lot access control system. This got me to thinking about why security officials are often tasked with designing and deploying these systems and why they are flawed many times. Here’s the response I gave.There is no technological answer for this. This would be dependent upon METT-TC (Mission, Enemy, Terrain, Troops—Time, Civilians). The best parking plans I’ve seen first started by looking at the mission of the facility.This immediately beckons you to ask if any of the vehicles parked are or will at some point need to be mission critical. In other words, if this is a hospital, would it be prudent to have access control measures which take into account emergency vehicles? Will you have sufficient room in the lot to accomodate them and an emergency egress? I would also determine who NEEDED to be able to park in this lot. Not everyone needs to park in your lot though they may want to. This should create a decent entry authorization list wherein you can identify who will need an expedient, yet effective means of gaining access. How critical is the facility? Tech is great but sometimes having a guy at the gate is more prudent, with respect to handling visitors, LEOs/first responders without access control tags, etc. It is also really helpful to not interfere with the mission of your facility, when designing your access control system whether for the parking lot or anywhere else. Seriously. I can’t overstate this enough. DO NOT make your system so cumbersome or strict that it impedes on the mission of those who do the work that pays you and your personnel. I have seen parking plans so restrictive that mission-essential personnel have been denied access to their facilities for things such as day-old expired vehicle tags and hours-old expired vehicle passes. Make sure your plan is flexible enough to accommodate those who need access right away but need to get their credentials in order. Be wary of making it susceptible to social engineering, though. I find the best way to mitigate this is through codification of your policies with exceptions allowed to accommodate those whose credentials may be lacking but can be verified. NEVER allow anyone access without verification. Ensure your access control system has authenticators, whether it be electronic or solely paper-based. However, ensure your authenticators are never discussed with anyone. I’d suggest making this a definitive terminable offense. I’d also consider your threat profile. Who has an interest, as a nefarious actor, to gain entry to this lot or through this lot to your facility? How can you mitigate this, bearing in mind how they could obtain entry feasibly? Seriously. Don’t plan on ninjas and SOF to make entry if that’s not your threat. Plan physical measures with this in mind.What’s the size of your lot? Has your lot grown to an extent where it requires fencing? If it does, how often do your security officers check that fence? No sense in having a fence if you’re not checking it. Remember fences are a demarcation AND a detection piece of your plan. Also determine if your lot is situated with any physical obstructions wherein you can’t observe who may have circumvented your parking plan. Consider CCTV or even a roving patrol to help if needed. Also, I find that if you use stickers, a few things tend to happen. One, people tend to park illegally and need to be towed. This takes up precious time and resources. And it could create confusion depending on how “creative” your sticker plan is. If you use stickers, keep it simple and wheel lock. Give each of your patrolmen a wheel locks and authority to deploy on cars illegally parked in select spots. Also address parking violations on a stakeholder basis as well. Talk to them about the potential loss in revenue should responders be delayed because of illegal parking in their reserved spots. Also describe what you’re trying to accomplish and how a sound parking plan can be a force multiplier (Boss, if our plan works, I can reduce the number of patrols and increase security efficiency and efficacy by x-amount).Start thinking about how you want to accommodate vehicles in terms of their egress and entry. How long should it take them to leave and get in? Are there any chokepoints in the plan that can cause congestion and make for additional security heartaches?Finally, consider the impact your plan could have on civilian or non-business related entities such as neighbors. Will you have to consider parking off campus? Will your plan cause congestion that impacts them? Will your plan address neighbors and their parking plans? Will your plan have a demarcation for neighbors to know where your property extends?