Re: [funsec] [article] The iPad in the Hospital and Operating Room

2011-01-21 Thread Shawn Merdinger
Hi Phester,

On Thu, Jan 20, 2011 at 20:50, phester fun...@armorfirewall.com wrote:
> Yeah, but it illustrates a universal issue. If users can't do what they
> want over the network, they'll find a way around it.

Exactly.  This is great technology and enables medical pros to do more
for patients.

But it's also worth mentioning that security people can expect a great
deal of pushback from medical pros when trying to assign the risk and
place limitations on these kinds of consumer devices in a medical
environment -- and believe me, they can be a tough group of
articulate, forceful and powerful people to deal with.  As a lowly
network security monkey, I can vouch that it's no fun to go
head-to-head with an MD with a Ph.D. who brings in millions in
grants to the organization and wants to use his fancy iPad or iPhone
for medical work.

And I would go even further in that the article mentions medical
schools like Stanford issuing iPads to incoming med students beginning
2014.  So we can expect an entire new group of medical pros who expect
support and security with these devices.

What's also interesting and a huge, undefined challenge is the
blending of these consumer devices into medical devices.  With the
addition of medical image viewing software on the iPad, that device
has now transitioned from a personal learning/entertainment platform
to a bona fide medical device, which opens up many more questions in
terms of organizational policy, data management/retention, and
regulatory requirements (HIPAA/HITECH, etc.).  After all, one can
jailbreak an iPad by visiting a website, clearly there are risks to
PHI on an iPad, no?

Further compounding the issue are cloud applications, specifically the
growing use of personal cloud services like DropBox.  There's a great
deal of uncertainty as to the DropBox use with medical information and
regulatory requirements.  For more than a year on the DropBox forums,
folks have been going back and forth as to if this application meets
regulatory requirements.  But, as you note, people are going to do
what they want, and this is reinforced by DropBox making its way into
Top 20 lists of apps for medical pros [1].

And with medical pros not fully understanding how personal storage
cloud apps like DropBox actually work insofar as data retention and
flow, we are facing tremendous challenges.

"When asked about security concerns with the iPad, especially if one
is left behind inadvertently, Dr. Feldman pointed out that as with
everything web-based, nothing is stored on the device." [2]

From a vendor perspective, there are huge opportunities in this space
to provide workable security solutions for these kinds of devices and,
as Bruce Schneier writes in "Consumerization and Corporate IT
Security" [3].  Bottom line is that we need these solutions to keep the
management folks happy with their regulatory compliance goals, and to
provide more assurance to network security guys like me who are
sweating bullets and worrying in the trenches as we face irate medical
pros with serious pull who expect us to not only secure these devices,
but also take on the liability risks of data loss.

> Said hospitals need to find a way to provide function securely. Solutions
> are out there.

You mention there are solutions out there.  I welcome further
discussion, either off-list or on-list.

Cheers,
--scm


[1] http://www.imedicalapps.com/2010/12/bes-free-iphone-medical-apps-doctors-health-care-professionals/19/
[2] http://www.imedicalapps.com/2010/12/dropbox-osirix-ipad-radiology-images-operating-room/
[3] http://www.schneier.com/blog/archives/2010/09/consumerization.html
___
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.


Re: [funsec] [article] The iPad in the Hospital and Operating Room

2011-01-21 Thread James Philput
I'm in a similar situation.  We're currently rolling out security policies
for tablet devices, and have been getting a lot of pushback from the
medical staff.  The thing that seems to be working here is a combination of
policy and education.  We're allowing personal iPads to be used if the user
agrees to let us install a basic security profile on the device.  The
standard profile includes the usual wireless, email and VPN settings that we
give to other remote users, but it also forces stronger passwords and a
shorter idle screen lock.  Those settings, coupled with treating all of the
iDevice/tablets as untrusted resources, have gone a long way toward making
the things less of a security risk.

We've been trying to plan for more consumer devices on the network.  It
takes some effort and a bit more flexibility from a policy and procedure
standpoint, but our willingness to work with the non-tech staff on this
seems to have gained us a lot of good will.  The users are much more willing
to listen to why we don't want them to do something rather than just trying
to find ways to evade us.

Regards,
James
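As an added illustration of the kind of profile James describes (example code written for this thread, not James's actual profile and not any vendor's tool), the Python below builds an iOS passcode-policy configuration profile with plistlib and then lints it against a floor of minimum settings before rollout. The payload type "com.apple.mobiledevice.passwordpolicy" and the keys forcePIN, allowSimple, requireAlphanumeric, minLength, maxInactivity, maxGracePeriod and maxFailedAttempts are Apple's documented passcode-policy keys; the thresholds in REQUIRED, the com.example identifiers and the weak sample settings are assumptions constructed for this example, not values from the thread.

```python
"""Build an iOS passcode-policy configuration profile and lint it before rollout.

Added example for this thread, not James's actual profile. The payload type and
keys are Apple's documented passcode-policy keys; every threshold in REQUIRED,
the com.example identifiers and the sample WEAK_SETTINGS are constructed here.
"""
import plistlib
import uuid

PASSCODE_PAYLOAD_TYPE = "com.apple.mobiledevice.passwordpolicy"

# Floor this lint insists on. Values are assumptions for the example, not from the thread.
# For minLength larger is stricter; for the max* keys smaller is stricter.
REQUIRED = {
    "forcePIN": True,             # a passcode must exist at all
    "allowSimple": False,         # reject repeating/sequential codes such as 1111 or 1234
    "requireAlphanumeric": True,  # at least one letter and one digit
    "minLength": 8,               # characters
    "maxInactivity": 5,           # minutes of idle time before the screen locks
    "maxGracePeriod": 0,          # minutes a locked device may be unlocked without the passcode
    "maxFailedAttempts": 10,      # wrong passcodes before the device wipes itself
}

# Constructed sample: what a "just set a passcode" profile tends to look like.
WEAK_SETTINGS = {"forcePIN": True, "allowSimple": True, "minLength": 4, "maxInactivity": 15}
# The corrected profile simply pins every key REQUIRED cares about.
HARDENED_SETTINGS = dict(REQUIRED)


def passcode_policy_profile(display_name, org_prefix, settings):
    """Return a .mobileconfig (XML plist bytes) carrying one passcode-policy payload."""
    payload = {
        "PayloadType": PASSCODE_PAYLOAD_TYPE,
        "PayloadIdentifier": f"{org_prefix}.passcode",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        "PayloadDisplayName": "Passcode policy",
    }
    payload.update(settings)
    profile = {
        "PayloadType": "Configuration",
        "PayloadIdentifier": org_prefix,
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        "PayloadDisplayName": display_name,
        "PayloadContent": [payload],
    }
    return plistlib.dumps(profile)


def lint_passcode_policy(mobileconfig):
    """Return a list of human-readable findings; an empty list means the profile meets REQUIRED.

    A key the profile leaves unset is a finding too: the device default applies,
    which is rarely what the policy author believes is being enforced.
    """
    profile = plistlib.loads(mobileconfig)
    payloads = [p for p in profile.get("PayloadContent", [])
                if p.get("PayloadType") == PASSCODE_PAYLOAD_TYPE]
    if not payloads:
        return ["no passcode-policy payload in profile"]
    findings = []
    for payload in payloads:
        for key, want in REQUIRED.items():
            have = payload.get(key)
            if have is None:
                findings.append(f"{key} not set (device default applies)")
            elif isinstance(want, bool):  # test bool before int: bool is a subclass of int
                if have != want:
                    findings.append(f"{key}={have}, expected {want}")
            elif key == "minLength":
                if have < want:
                    findings.append(f"{key}={have}, below minimum {want}")
            elif have > want:  # maxInactivity, maxGracePeriod, maxFailedAttempts
                findings.append(f"{key}={have}, above maximum {want}")
    return findings


if __name__ == "__main__":
    for name, settings in (("weak", WEAK_SETTINGS), ("hardened", HARDENED_SETTINGS)):
        profile = passcode_policy_profile(f"Example {name} profile", f"com.example.{name}", settings)
        print(name, lint_passcode_policy(profile) or ["ok"])
```

Run as a script it prints the findings for the weak profile and "ok" for the hardened one; in practice lint_passcode_policy would be pointed at the .mobileconfig exported from the MDM or Apple Configurator before it is pushed to users. The point of flagging unset keys is the one James's approach relies on: a profile that only forces a passcode, but leaves the idle lock, grace period and wipe threshold at device default, gives far less assurance for a tablet left behind in a ward than the policy document suggests.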



[funsec] Fwd: [Infowarrior] - Classified Memo Toughens Cyber-Threat Portrayals In DOD Exercises

2011-01-21 Thread Paul Ferguson
Cheers,

- ferg


---------- Forwarded message ----------
From: Richard Forno rfo...@infowarrior.org
Date: Fri, Jan 21, 2011 at 12:26 PM
Subject: [Infowarrior] - Classified Memo Toughens Cyber-Threat
Portrayals In DOD Exercises
To:


(h/t Anonymous)

Inside the Pentagon - 01/20/2011

https://defensenewsstand.com/component/option,com_ppv/Itemid,287/id,2351617/

Classified Memo Toughens Cyber-Threat Portrayals In DOD Exercises

The military's top officer has issued a classified memo directing the
Defense Department to use tougher, more realistic portrayals of cyber
threats in its exercises.

A reference to the September 28, 2010, memo, stamped secret and signed by
Chairman of the Joint Chiefs of Staff Adm. Michael Mullen, is buried in the
latest annual report from Michael Gilmore, the Pentagon's operational
testing chief.

Cyber threats portrayed during military exercises have been consistently
below that expected from a nation-state, but red teams playing the enemy
role have generally beaten U.S. defenses, according to the report released
last week by the director of operational test and evaluation (DOTE).

The report announces that the level of cyber-threat portrayal in future
exercises is expected to increase significantly in response to Mullen's
classified memo.

A spokesman for Mullen declined to release the memo, but told Inside the
Pentagon that the excerpts included in the report "seem to summarize an
important point -- that our combatant commands must integrate aggressive
cyber threats into their training events in order for us to maintain our
competitive advantage in the field."

Mullen's directive makes sense because cyber threats are becoming
increasingly sophisticated, said Stewart Baker, who served as the Department
of Homeland Security's first assistant secretary for policy.

"In general, it's fair to say that you have to change your exercises on a
regular basis because the threat gets more consistent on a regular basis,"
Baker told ITP. "If you're still doing the same thing you were doing three
years ago, you're out of date."

Baker acknowledged a competing consideration when looking to bolster the
level of cyber-threat portrayal in exercises.

"You don't want to run an exercise between people doing a good job and
people doing a bad job," he said. "If it's so one-sided the attackers win
all the time . . . then the exercise is not actually teaching people
anything. However, we're going to have to dramatically up our game given
the sophistication of the attacks," he added.

Gilmore's report states that assessing organizations within DOD performed
information assurance and interoperability assessments during 21 combatant
command and services exercises, eight of which involved units deployed or
preparing to deploy to Iraq or Afghanistan.

"The information assurance posture observed during FY-10 exercise assessments
is insufficient to prevent an advanced adversary from adversely affecting
the missions that were being exercised," the report states. "Improvements in
certain areas of network defense were observed, but red teams generally
overcame defense during exercises by increasing their level of effort," the
report adds.

"All red teams reported increasing difficulty in penetrating network
defense, but with sufficient time, they typically managed to penetrate
networks and systems," the report states. Although in some cases red teams
were successfully blocked from employing certain attacks due to specific
preparations or precautions on the part of network defenders, the overall
assessment is that information assurance remains a significant operational
concern across the Defense Department, according to the report.

DOD's operational testers also conducted interoperability assessments on
cyber exercises and found that issues encountered typically hindered,
rather than prevented, mission accomplishment due to operators who
developed and executed effective workarounds. But the workarounds often
resulted in degraded efficiency of completing tasks, the report adds.

-- Amanda Palleschi
___
Infowarrior mailing list
infowarr...@attrition.org
https://attrition.org/mailman/listinfo/infowarrior


[end]

-- 
Fergie, a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 fergdawgster(at)gmail.com
 ferg's tech blog: http://fergdawg.blogspot.com/



Re: [funsec] [article] The iPad in the Hospital and Operating Room

2011-01-21 Thread Shawn Merdinger
Hi James,

Thanks for sharing your insights.

sigh...maybe I'm just getting old, being pragmatic, or selling out --
but my takeaway from this iPad/OR stuff is to patent a single-use iPad
sterile wrapping solution and sell the rights to a medical sterile
packaging company.

Considering the pervasive threat of nasties like MRSA [1] in medical
environments, a single-use sterile iPad bag would help mitigate the
most likely immediate threat to patient safety: dirty iPads crawling
with Staphylococcus Aureus.

ugh... I'm almost ashamed of myself ;)

Cheers,
--scm

[1]  http://www.cdc.gov/mrsa/


[funsec] It is Today. IANA runs out of IPv4.

2011-01-21 Thread Dragos Ruiu
http://www.ipv4depletion.com/?page_id=326

--

@dragosr

World Security Pros. Cutting Edge Training, Tools, and Techniques

Vancouver, Canada, March 9-11 2011  http://cansecwest.com