Monday, December 3, 2012

The Quest for a Perfect Password Expiration Frequency

I've mentioned in previous blogs that BIDMC has contracted for an enterprise-wide security assessment to ensure our security projects are aligned with best practices. Over the next few months I'll write several posts about the issues we've reviewed and the evolution of our thinking about security.

Today I'll start with something basic.

What is the right frequency to require password changes?

Many security experts and commonly used guidelines suggest a 90 day password expiration frequency.

To understand the common practices of hospitals in Massachusetts, I asked many of my peer CIOs about their password change policies.   The answer - some organizations are at 9 months, some are at 6 months, and some are at 3 months.   One is at 4.5 months - a compromise between 3 months and 6 months.

There are two questions we need to answer before crafting the ideal policy.

1.  Does changing passwords frequently actually increase security?

2.  What is the impact of frequent password changes on the user experience (especially for smartphone and iPad users)?

For question 1 - The benefit of requiring a more frequent change to passwords has been the topic of debate within the IS community for years.  While many experts claim shortening the period reduces risk, others argue the opposite because users cannot remember frequently changed passwords and write them on Post-it notes which they affix to their work area.

Here are three references which suggest that increasing password change frequency reduces security.

http://www.cerias.purdue.edu/site/blog/post/password-change-myths/
http://www.healthcare-informatics.com/blogs/dale/password-expiration-insanity
http://digitaltrustllc.com/?p=49

For question 2 - Frequent password changes can be challenging for users of mobile devices.   Generally, something like this happens:

You change your password via a desktop application
Your iPhone and iPad try to sync email before you can change the password on them
Your account is locked out for 20 minutes
You try to change your password on your mobile devices but you cannot because of the lockout
You call the IS help desk and they remove the account lock, but you spend two hours trying to change the password on all your mobile devices before the account is locked again, calling the help desk several times.

I'm sure there is an ideal way to do this, i.e. turn off all the cellular and network connections on your mobile devices and change your password via a desktop application.  Then, change the password on your mobile devices before re-enabling their wireless network connections.

Regardless, doing this every few months will increase help desk support call volume and user frustration.

A side effect of creating a suboptimal user experience is that users will stop using tightly controlled corporate applications and instead access consumer grade technology such as Gmail, Dropbox, and text messaging, increasing risk and ultimately reducing security.

As a next step, we'll ask our multi-stakeholder IS Security and Privacy Committee to review the literature (pro and con) about frequent password changes.  They'll evaluate the risks and benefits of various password change frequencies and then we'll select a path forward which hopefully balances the risks of infrequent password changes and too frequent password changes.

Just as I asked about remote access, I welcome your comments about your password expiration frequency policies and experience.

Friday, November 30, 2012

Cool Technology of the Week


Last week I had dinner with the CEO of a very successful software company.  He told me that 30% of all downtime for his products was caused by anti-virus software.

Given the sophistication of today's malware, it's clear that a new approach is needed to anti-virus software.

Intel introduced a virtualization component to their chipset a few years ago.   When they acquired anti-virus company McAfee, they collaborated to leverage their "VT-x" chipset to catch advanced persistent threats and rootkits, both of which run at the same privilege level as the typical anti-virus products.   The VT-x chip enables a security monitoring process which runs at a low level in a very highly privileged status in the chip.   It can monitor CPU and memory state changes and flag, quarantine or stop anything it sees as suspicious.   All new Intel-based Windows 7 machines include this capability.  Here's a white paper about it.

For those of us who live in the trenches of information technology, malware and rootkits are the bane of our desktop management staff because they cannot be cleaned with existing standard anti-virus software and require re-imaging the machines.

Anti-virus on a chip that cannot be disabled by malware.   That's cool!

Thursday, November 29, 2012

Building Unity Farm - The Guinea Fowl Who Lost His Mojo

Running a farm with 50 animals is like having 50 children.   There are going to be bumps and bruises, stumbles, and occasionally serious injury.

Last week, one of our Guinea Fowl, named Piebald (because he's a patchy blend of black and white), flew into the male alpaca area which is guarded by our Great Pyrenees Mountain dogs, Bundle and Shiro.   Normally our dogs ignore our birds, since the dogs have lived with the poultry for most of their lives.  Piebald ran around the inside of the pasture fence and his fluttering attracted the dogs.  They wanted to "play" with Piebald by "fetching" him.    Within seconds of this happening, I ran to the pasture and body slammed the dogs to the ground with a sharp NO, indicating that eating a fellow citizen of Unity Farm is unacceptable behavior.

My wife picked up Piebald and began walking him back to the coop.   A few of his tail feathers were missing, his head had a few spots of blood, and he looked a bit traumatized but otherwise intact.    On the way back to the coop, he jumped from her hands and ran straight into the forest surrounding our farm.    Kathy and I spent an hour looking for him to no avail.   As darkness fell, we suspended our search.

The next morning he reappeared in the coop,  looking out of sorts.  That afternoon he disappeared again and spent the night in the forest.

The following day, he reappeared in the coop but his affect was very submissive.   Previously Piebald was high on the pecking order.   Now, he was being pecked at by his subordinates.  He lost his mojo.

He spent the day running away from the other Guineas and losing various pecking order battles.

His wounds had healed and he was eating/drinking vigorously.   He stayed in the coop overnight but slept with the chickens.

The next day he began cruising the property with the other guineas.   He regained his upright posture and assertiveness.

Today he's been leading the pack once again, completely comfortable with being a leader of  Guineas.   He's regained his stature.

Every day is an adventure at Unity Farm.  You never know what interpersonal dynamics will develop with the alpacas, llama, guineas, chickens, and dogs.   You never know who will squabble, who will have an injury/illness, and who will develop new behaviors.    If it wasn't for the rigors of being a CIO, I could spend the day watching the events of the barnyard - far more interesting than Fox News or CNN.

We've had life and death on the farm, sickness and health on the farm, joy and sorrow on the farm.    At the moment, everyone is healthy, happy, and knows their place in the pecking order.

As we prepare for the Christmas on the farm, it's good that our citizens are all at peace in their community.

Wednesday, November 28, 2012

Rethinking Remote Access


As I travel the country, I find that CIOs everywhere are struggling with BYOD in particular and remote access more generally.   Who is responsible if:

A personal unencrypted laptop with email containing personally identified/protected healthcare information is stolen?   The CIO of the institution providing email takes accountability and reports the theft to appropriate  government regulators.

An employee prints a web page on their home computer and patient data is discovered blowing around in a nearby dump?  The CIO of the institution hosting the patient data is responsible.

An employee with a malware-infected but encrypted smartphone accesses a web application and a keystroke logger sends the username/password to hackers in Asia who use it to send spam?   The CIO is responsible for all the consequences.

Policy against using personal laptops, home desktops, and smartphones for processing of healthcare data is not sufficient.  CIOs must use technology controls to mitigate risk of data loss.

For example, BIDMC has already used ActiveSync to enforce encryption of every smartphone accessing our network and to deny access to those smartphones that do not support encryption.

Personal laptops and home desktops are much harder to control.  Purchasing institutionally supported laptop/desktop devices for every user needing remote access would be cost prohibitive.  

Rather than try to manage the home clients that have multiple varieties of hardware, operating systems, and third party apps, it's more practical to impose restrictions on who can access resources remotely, where they can access resources from, and what they can do (block downloads and printing).   Solutions I've heard from industry experts include:

1.  ActiveSync as the only means of smartphone email access, with a configuration to require encryption of client devices.  Use Outlook Web Access as the only laptop email access method and close all other types of remote email access - WebDAV, Exchange Web Services, RPC over HTTPS, IMAP, and POP.
2.  SSL VPN for all remote access to all applications (including web portals), with configuration settings to prevent remote downloads and printing.
3.  Citrix or Virtual Desktop Infrastructure, which typically does not persist data on local clients.
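As an added example (not code from the post or from BIDMC), here is item 1 expressed as Exchange Server 2010-era PowerShell: the weak posture beside the hardened one, plus a check that nothing was missed. The cmdlet and parameter names are as I recall them from the Exchange documentation and should be confirmed against your version; the policy name "Encrypted-Only" and the mailbox "jdoe" are assumed placeholders.

```powershell
# Added example: Exchange 2010-era cmdlets for the item-1 controls.
# Assumptions: policy "Encrypted-Only" and mailbox "jdoe" are placeholders.

# Weak posture (shown for contrast, not run): unencrypted devices and devices that
# cannot accept a policy are admitted, and every remote protocol stays open.
# Set-ActiveSyncMailboxPolicy -Identity Default -RequireDeviceEncryption $false `
#     -AllowNonProvisionableDevices $true

# Hardened: require device encryption and refuse devices that cannot be
# provisioned with the policy at all (those are the ones that cannot encrypt).
New-ActiveSyncMailboxPolicy -Name "Encrypted-Only" `
    -RequireDeviceEncryption $true `
    -AllowNonProvisionableDevices $false `
    -DevicePasswordEnabled $true `
    -MaxInactivityTimeDeviceLock 00:05:00 `
    -MaxDevicePasswordFailedAttempts 10

# Apply the policy per mailbox and close every remote email path other than
# ActiveSync (phones) and OWA (laptops): IMAP, POP, EWS and RPC over HTTPS.
# WebDAV has no switch here because Exchange 2010 no longer ships it.
Set-CASMailbox -Identity "jdoe" `
    -ActiveSyncMailboxPolicy "Encrypted-Only" `
    -ActiveSyncEnabled $true `
    -OWAEnabled $true `
    -ImapEnabled $false `
    -PopEnabled $false `
    -EwsEnabled $false `
    -MAPIBlockOutlookRpcHttp $true

# Verification: any mailbox still exposing a closed protocol shows up here;
# the expected result after rollout is an empty list.
Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.ImapEnabled -or $_.PopEnabled -or $_.EwsEnabled -or
                   -not $_.MAPIBlockOutlookRpcHttp } |
    Select-Object Name, ImapEnabled, PopEnabled, EwsEnabled, MAPIBlockOutlookRpcHttp
```

Run the verification query on a schedule; a mailbox created after the rollout inherits whatever defaults the provisioning process sets, not the hardened values above.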

I've described security as a continuous improvement process - the journey is never done. I'm curious what you are doing to restrict remote access in a world of malware, BYOD, and enhanced regulatory enforcement.   Comments are welcome!

Tuesday, November 27, 2012

A Presentation to HIMSS in North Dakota

This morning, I joined a HIMSS group in North Dakota to discuss Meaningful Use Stage 2, Health Information Exchange, and Personal Health Records.

Here are the slides I used.

I was asked an interesting question about the transition from Stage 1 to Stage 2.

The Stage 2 Final Rule notes that as of 2014, any provider or hospital attesting to Stage 1 must use Stage 2 certified technology.   Since the capabilities of Stage 2 certified technology are different from Stage 1, the nature of meaningful use changes for those who begin the program late.

The details of the changes to Stage 1 Core and Menu set objectives over time are summarized in this excerpt from the Stage 2 final rule.

A summary table of the effects is below, illustrating that the number of objectives changes as the certified technology changes.   I hope you find this useful.

EPs

                Stage 1 (2011-2012)   Stage 1 (2013)   Stage 1 (2014+)
Core            15                    13               13
Menu            5 of 10               5 of 10          5 of 9

Hospitals

                Stage 1 (2011-2012)   Stage 1 (2013)   Stage 1 (2014+)
Core            14                    12               11
Menu            5 of 10               5 of 10          5 of 10

Thursday, November 22, 2012

Building Unity Farm - Thanksgiving on the Farm


Today was our first Thanksgiving at Unity Farm.   Although I've discussed the farm in detail, I've not described the home.   We live at the farm in a house adjacent to the pasture.   My father-in-law lives in the in-law wing, we live on the first floor, and our daughter has an area on the second floor.

The entire family selected vegetables from the farm and surrounding farms, then spent the day peeling, chopping, and preparing a vegan feast.  Just about everything but the Tofurky was grown on the farm or within a mile of it.  We had:

Tofurky with roasted potatoes and carrots
Celery and chestnut stuffing
Rutabagas
Mashed potatoes
Green beans
Brussels sprouts
Squash
Pickles/onions
Sweet potatoes

A remarkable meal.

During dinner 30 turkeys dropped by the farm for a visit and roosted in the trees above our alpacas.   It's clear to me that the best place for a turkey on Thanksgiving is a vegan/vegetarian farm!

Wednesday, November 21, 2012

A Time for Giving Thanks

2012 has been a year of joys and sorrows.   My wife had breast cancer, my mother broke her hip,  my cat died of pancreatic cancer, I left my CIO role at Harvard Medical School to focus on BIDMC's emerging accountable care organization, and moved/consolidated two families from suburban houses into Unity Farm.

Some would consider this amount of change and challenge to be overwhelming.

I think of them as transformative.

It may sound strange to quote Marilyn Monroe when reflecting on Thanksgiving, but her words are appropriate:

“I believe that everything happens for a reason. People change so that you can learn to let go, things go wrong so that you appreciate them when they're right, you believe lies so you eventually learn to trust no one but yourself, and sometimes good things fall apart so better things can fall together.”

Without the catalyst of my wife's cancer diagnosis, we would not have sold our home and purchased the farm at a time when market conditions were ideal for both transactions.

My mother's hip fracture enabled us to improve their house for accessibility and reconcile her medications.

My cat's unexpected illness educated us about animal care at a time when we took on the responsibility for 50 chickens, llamas/alpacas, and guinea fowl.

My job consolidation enabled me to channel all my passion and energy into healthcare information exchange at the federal, state, and local level such as the Massachusetts Golden Spike event.

Unity Farm has provided a healing environment for everyone in the family, and the memories of the work required to sell two houses, close my wife's gallery, and move her studio to the farm are fading fast.

BIDMC was ranked the #1 IT organization in America this year.  We were the first hospital in the country to attest to meaningful use and receive stimulus funding.  We achieved all our FY12 application and infrastructure goals.

Regardless of the events of any given day, temporary crises or urgencies pale in comparison to the well being of people.   As we approach Thanksgiving 2012, all the people in my world are good.

My wife and daughter are happy.   My parents are healthy.   My Federal and State colleagues are working hard on challenging projects they enjoy.   My BIDMC teammates are making a huge difference during the most exciting time in the history of healthcare IT.   The citizens of Unity Farm are loved and well cared for.

In 2012, the events of each day were sometimes negative, but the trajectory for the year has been overwhelmingly positive.

As I tell my daughter, it's unclear what the endpoint will be, but as long as the journey along the way is the best you can make it, everything will be ok.

After all the events of the past year, I remain convinced that the future will be bright.

Thanks to everyone who traveled the path with me this year.