I’ve long observed that doctors are often irritated with the myriad of privacy and security consideration that IT solutions bring into their practices. However, in making the decision to adopt an EMR solution, you frankly have no choice. To point the finger at your vendor and suggest that they are responsible end to end simply won’t work. Docs have to enforce their  share regarding the people, process and technology within their practice, otherwise security and privacy incidents affecting patient data will continue.

Ensure you have a solid security and privacy policy, Ensure you educate and inform you staff about it. Ensure you have hard disk encryption on any storage device you use to manage patient data. Don’t use personal web-mail addresses and the like, Think about two-factor authentication, etc. The list goes on.

Doctors, take a long look and have a hard think about the risks you assume when you use a smartphone, like an iPhone or Android just because of the cool medical apps. Think twice about using it or an iPad for processing practice or patient data, as they have no real inherent security mechanisms. If you intend on using them, look at solutions like Mobile Active Defense, to provide the secure means to properly leverage these assets in your practice.

https://www.infosecisland.com/blogview/11439-Medical-Device-Security-Trends.html?sms_ss=linkedin&at_xt=4d522413a31748fa%2C0 or,

http://www.software.co.il/wordpress/2011/01/medical-device-security-trends/

@SecBarbie @ashimmy @beaker @falconsview @georgevhulme @jack_daniel @jtkeating @mgbits @SecRunner @WH1T3RABBIT @bug_bear @spacerog @myrcurial @benrothke @jjx @dewzi @danielkennedy74 @lauren @selenakyle @wardspan

@leighhollowell @petermannmc @Shpantzer @rybolov @csoandy @e_cowperthwaite @grecs @wikidsystems @lmwalsh2112 @PHYSECTECH @BrianHonan @kriggins @MikD @WeldPond @mckeay @ken5m1th @leighhollowell @petermannmc @hinesmatt @SecureSun @mmurray @dacort

@adamshostack @RafalLos @agent0x0 @rogueclown @alexhutton @joshcorman @armorguy @quine @rmogull @treyford @gattaca @mckeay @andrewsmhay @burgessct@mschafer @0ph3lia and @lmacvittie @hypatiadotca @451wendy

@tottenkoph @stacythayer @pauldotcom @donicer @aloria @SilverstoneA @DeathwishDuck @SecurityBSides @NAISG_atl @quadling @kidko92 @lennyzeltser @sans_isc @nickf4rr @jeremiahg @dakami @shrdlu @jsokoly @adamely

Why would anyone think that Wikileaks methods are the right way to enable an open government?

What gets me is this bloody sense of entitlement many have. You think you’re entitled to every document that your Government processes. There are laws in place to protect certain information for very good reasons. No different than you’re not supposed to run stop lights, steal a car, or walk up to a cop and punch him in the face should you be stealing Government (or corporate) documents and feeding this beast. It’s against the law. If you want the law changed, Wikileaks isn’t the way to do that!

Moreover, we still do not know the methods Wikileaks employs to get its content. Is it paying people? Do they actively recruit and subvert? That possibility exists as well. So let the other mechanisms of Government determine all that before you start writing cheques for Assange!

Details are here: Wikipedia: http://en.wikipedia.org/wiki/Arrow_Air_Flight_1285

I was serving in Gander at that time. The evening prior we had celebrated our Junior Non-Commissioned Officers Christmas Dinner and by the time I hit the rack, I was feeling no pain. In the morning, having had a bite to eat and boarding the morning run to our operations building, we were turned around by the dispatcher due to an emergency back on base.

The following 4 days were a blur do to security details, bagging and tagging dead soldiers, extracting charred remains from various components of the planes broken pieces and facilitating various duties to ensure the comfort of the 101 Airborne members who came to set up the morgue and begin the laborious process of identification and return of these men back home to their unit and families.

Without getting into gruesome details, it is an event I would not want to do again, but volunteered to do it gladly at the time.

My thoughts and prayers are with the families of those fine men and the crew of the aircraft today. May you all be resting peacefully in the knowledge we all appreciated your ultimate sacrifice.

Risk, is only one component of GRC and means different things to different parts of the organization. For example, I am working in the financial world. The context of risk takes a different meaning in different parts of the business. For example, the insurance company is primarily concerned with the downside of risk. By contrast, the financial community is concerned about upside benefits from taking risk. IT Risk seemingly reacts to downside risk as well. Personal behavour mirrors that. When someone buys a vehicle or property insurance, he or she is concerned about the potential of an adverse event. When that person utilizes a retirement plan’s financial tools, he or she is managing risk to maximize opportunities and seek better returns.

Notably, despite these differences, nearly all risk management frameworks and professionals agree that opportunities, obstacles and threats must be addressed in a holistic fashion to yield an optimal result. The benefit of GRC is aligning the different approaches to assessing risk by:

• identifying the obstacles and threats along the way
• assessing their potential impact
• making risk-intelligent decision, and
• implementing governance structures to ensure that the org appropriately pursues opportunities in light of those obstacles and threats

This is especially important for Enterprise Risk Managers that may not have experiences outside their particular realm of experience (which may not include IT).

• The specific GRC benefits include (according to OCEG and my experiences):
• reduced cost, as redundant activities are identified and streamline or eliminated;
• reduced need and cost for reconciling information across the organization
• reduced gaps and errors, as the integration creates a holistic system of checks and balances;
• increased quality of risk-based info on which strategic and tactical decisions are based;
• enhanced employee motivation as contribution to achieving objectives becomes more clear;
• trust resulting from consistent organizational positions and actions, from oversight through operations;
• agility driven by a clear delineation of who handles what activities in what sequence;
• more effective management of stakeholder expectations; and
• assurance that expectations and objectives are met.

Simply leveraging an ISMS will not facilitate the collaboration or buy-in necessary to achieve these outcomes, as an ISMS does not resonate the same way with all CXO’s. The ISMS would be ancillary to other GRC governance. But I’m telling you from recent successes, GRC resonates!

Establishing trust is certainly an abstract concept in most organizational models, but there are tangible results, as recent incidents have demonstrated, to be gained by thinking them through. Trust is a key outcome of a good Governance, Risk and Compliance model. Trust relationships are built from consistent organization positions and actions, from oversight through operations, OCEG tells us. Lead by example was the mantra during my military career. Facilitating these approaches from the top will go a long way to establishing a trust-based culture that cascades down and creates the relationship you would like to build with your employees.

We cannot expect loyalty to be given blindly. We must set goals to inspire and promote an organizational culture of performance, accountability, integrity, trust and open communications.

Security B-Sides is the first grass roots, DIY, open security conference in the world! Security B-Sides is a great combination of two event styles: structured anchor events and grass-roots geocentric events. There are three core events that are both geographically and chronologically separated. These events are corporate sponsored and centrally managed (though locally organized). Typically about 100+ people attend each event, which are FREE to all attendees. These events work by having speakers post presentation topics to the wiki, which are then voted upon by the community. This process makes these events almost entirely community created and driven.

Beyond the three core events, Security B-Sides takes it to the streets by offering others the opportunity to create their own local event and have lots of fun doing so. Security B-Sides offers you unconference-in-a-box by providing the framework of tools necessary to deliver a structured event.

The Ottawa unconference was no exception. Held at Tucson’s in Ottawa’s South end, the conference organizers, Justin Foster (@justin_foster), Andrew Hay (@andrewsmhay) and Peter Hillier (@DeathwishDuck), found the perfect venue for the 121 attendees. They were able to get the venue for free and negotiated an exceptional rate at the hotel directly across the street for the folks traveling from across Canada and the US to attend and speak. They were supported byf volunteers, who ensured the even registration and other details were facilitated. Kudos to Carl Anctil (@canctil), Keli Hay (@klhay), Norbert Griffin (@norbert_griffin), and Bryan Tice (@Blaidd) for their outstanding efforts.

The talks are the centre point of any great conference and BSides Ottawa was no different. With speakers like Rafael Los (@rafallos) of HP, Ben Tomhave (@falconsview) and many others, the crowd got their money’s worth!

One of the co-organizers, Andrew Hay kicked off Friday morning with “My Life on the Information Security D-List”. In his humourous talk, Andrew points out that your personal brand it key to your success as a security professional. Thanks to the blogosphere, Twitterverse,social networking and podcasting made easy, many security pros are taking on a much more public persona, becoming near-rock stars.

Pete Hillier later discussed the gaps in eHealth security assurance and drew attention to some of the current efficiencies that would make security and privacy easier for Doctors to enable in their practices.

HP’s Rafal Los left us with some particularly insightful thoughts based on his discussion “Into the Rabbithole Evolved Web Application Security Testing”. He presented the concepts behind more intelligent web application security testing. Combining automation + human testing is the only way forward and he and the audience were appreciative of the great discussion and questions as it progressed. From it we understand the inefficiencies of managing security “vulnerabilities”, which should really be considered security defects. In classifying them as such, it puts the real responsibility into the correct teams; Quality Assurance!

Ben Tomhave gave a poignant talk entitled “The Unintended Consequences of Beating Users with Carrot Sticks: Radical Thoughts on Security Reform”. In a very articulate and well-structured presentation, he taught us that:

• Narrow the Human Paradox Gap (HPG) – that is, connect peoples’ decisions and actions to the eventual impact.
• Model Success – we need to quit focusing on the negatives so much
• Culture Change – needs to start with introspection, needs to move away from an enablement culture to one of responsibility and accountability, but also one where failure (to a degree) is acceptable knowing that a) we cannot be 100% secure, and b) that creating conditions that allow people to succeed also means letting them fail. A big part of this is shifting the mindset toward a survivability mentality.
• Sensible & Automatic – if we’re asking people to make changes that won’t let them do their jobs, or that simply doesn’t make sense to them (partly due to HPG), then we won’t be successful. People generally want to do the right thing, but they need to grok it.
• More Carrots – we need to get away from such a heavy negative focus, such as brought on my assessments, scans, audits, etc. Failure is inevitable, and it’s not a bad thing… we learn some of our best lessons from failure… at the same time, if praise successes, then we’ll achieve better results.
• Build Security In – very few people have security in their job description, and yet we complain that they don’t care… security should be an emerging property that permeates the entirety of an
organization; not in a dominating manner, but akin to how we already take care of ourselves and our work (i.e like reminding people to wash their hands regularly, obey driving laws, etc).
• Sustainability – we need to advocate for changes and practices that are sustainable… if we’re adding onto what they’re doing, then we won’t achieve the desired outcome. Security should make things better, not worse.

Not to be outdone by Ben, Adrien De Beaupre then initiated an hour-long session on the marked need for “CERTs or CIRTs in Canada”. With several long in the tooth Incident Response folks in the room and participation by Public Safety Canada, this quickly became the most contentious issue for Saturday. As Adrien points out, he “firmly believes that the Canadian InfoSec community deserves, desires, and requires a true National C*RT to be formed”. However, the devil is in the details, as the audience participants firmly attested. It is clear that the Canadian InfoSec community would like to be both consulted and involved in its formation. I will go one step further to suggest that it not be coordinated by the Government of Canada.

Keeping BSides events free is a lot of work and it cannot be done without significant support of sponsors. BSides Ottawa was proud to be supported by 15 vendors, whose generosity was overwhelming. Tripwire, the BSides corporate advocate, ensured we had giveaways for everyone and even provided a Macbook Air as our key prize! Food and beverages were among the largest spends for the event and the majority of the sponsors supported this effort.

All in all, it was an outstanding show. The collaboration was palpable; people engaged more than any other conference I’ve attended and I guarantee there will be a repeat next year.