Full Disclosure mailing list archives
Re: More Unusual request
From: Etaoin Shrdlu <shrdlu () deaddrop org>
Date: Fri, 14 Feb 2003 02:39:14 -0800
First, I must say I'm surprised that the only two posts I've seen in answer to this have come from folk who I suspect have absolutely NO experience with HIPAA. The answer here needs to be more specific to the problem.

Eric Wright wrote:
> Seeing the positive and helpful comments from the before mentioned thread 'Unusual request', I would also like to ask for help. I work for a company that deals a good bit in healthcare and with the HIPAA regulations coming down the pipe I have been asked to help with the security aspects of our network.
First, if you are attempting to help address HIPAA, then the security aspects you need to address are quite specific, and already well documented. I can only hope that you are working with others in this matter, and have not been cast alone on the waters, in some strange belief that there is anything you can possibly do in the very short time before these requirements come into effect. As others have requested, you really need to supply more information. What exactly is your role? How many others are helping you? Is there an IT audit group of some sort that is charged with ensuring various portions of the company? Have you someone whose specific task it is to know whether you are complying with HIPAA, and you are just trying to harden the network?
> I have been in the comp field for a number of years but am fairly new to security (at least to the depth that I need now). I am only asking for help, knowledge, experience, guidance, or anything else that would be useful.
You may or may not have come to the right place, depending on your answers to the questions above. If this is your company's first real attempts at addressing HIPAA, run, don't walk, to the nearest group of want ads. You're in a lot of trouble. Unless your company is very, very small, with a very limited budget, hearing that you are "new to security" is not good. You need to acquire a consultant that is NOT new, and is well-versed in the specific industry you are in, and that needs to be done yesterday. If there isn't the budget for that, tell them you don't want the job.
> It's easy to search for exploits and run them but what I am after is an "Understanding". I am not a programmer so code is a new area and challenge. I need help in understanding the exploits and how to search for them and diagnose them on our network.
You should not be concerned with "exploits" but rather with hardening your network. I suspect that it is something older, and I'm wondering if it is the usual shop of ex-mainframe types transferring all they know and do to a pile of PCs, without the requisite knowledge that would keep them safe. You have already identified precisely who and where you work (don't you just LOVE hotmail), so I can see that it is indeed a medical place of business, and that you really, truly do need help.
> I would like to work on a personal basis with anyone who is willing to help, but could also go directly through this board, if that is a better way. Thanks in advance.
Putting more public information on this, or any mailing list, would be a bad idea for you, since it seems that you are quite open in your inexperience. I answer publicly in the awareness that this list is archived, and that there may be other innocents also reading who will gain information from this. I have a certain experience in HIPAA and similar privacy issues, and can point you in helpful directions if you'd like to take this off line.

--
Open source should be about giving away things voluntarily. When you force someone to give you something, it's no longer giving, it's stealing. Persons of leisurely moral growth often confuse giving with taking. -- Larry Wall

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html