Full Disclosure mailing list archives

Re: More Unusual request


From: Etaoin Shrdlu <shrdlu () deaddrop org>
Date: Fri, 14 Feb 2003 02:39:14 -0800

First, I must say I'm surprised that the only two posts I've seen in answer
to this have come from folk whom I suspect have absolutely NO experience
with HIPAA. The answer here needs to be more specific to the problem.

Eric Wright wrote:

> Seeing the positive and helpful comments from the before-mentioned thread
> 'Unusual request', I would also like to ask for help.  I work for a company
> that deals a good bit in healthcare and with the HIPAA regulations coming
> down the pipe I have been asked to help with the security aspects of our
> network.

First, if you are attempting to help address HIPAA, then the security
aspects you need to address are quite specific, and already well
documented. I can only hope that you are working with others in this
matter, and have not been cast alone on the waters, in some strange belief
that there is anything you can possibly do in the very short time before
these requirements come into effect.

As others have requested, you really need to supply more information. What
exactly is your role? How many others are helping you? Is there an IT audit
group of some sort that is charged with ensuring various portions of the
company? Have you someone whose specific task it is to know whether you are
complying with HIPAA, and you are just trying to harden the network?

> I have been in the comp field for a number of years but am fairly
> new to security (at least to the depth that I need now).  I am only asking
> for help, knowledge, experience, guidance, or anything else that would be
> useful.

You may or may not have come to the right place, depending on your answers
to the questions above. If this is your company's first real attempt at
addressing HIPAA, run, don't walk, to the nearest group of want ads. You're
in a lot of trouble. Unless your company is very, very small, with a very
limited budget, hearing that you are "new to security" is not good. You
need to acquire a consultant that is NOT new, and is well-versed in the
specific industry you are in, and that needs to be done yesterday. If there
isn't the budget for that, tell them you don't want the job.

> It's easy to search for exploits and run them but what I am after
> is an "Understanding".  I am not a programmer so code is a new area and
> challenge.  I need help in understanding the exploits and how to search for
> them and diagnose them on our network.

You should not be concerned with "exploits" but rather with hardening your
network. I suspect that it is something older, and I'm wondering if it is
the usual shop of ex-mainframe types transferring all they know and do to a
pile of PCs, without the requisite knowledge that would keep them safe. You
have already identified precisely who and where you work (don't you just
LOVE hotmail), so I can see that it is indeed a medical place of business,
and that you really, truly do need help.

> I would like to work on a personal
> basis with anyone who is willing to help, but could also go directly through
> this board, if that is a better way.  Thanks in advance.

Putting more public information on this, or any mailing list, would be a
bad idea for you, since it seems that you are quite open in your
inexperience. I answer publicly in the awareness that this list is
archived, and that there may be other innocents also reading who will gain
information from this. I have a certain experience in HIPAA and similar
privacy issues, and can point you in helpful directions if you'd like to
take this off line.

--
Open source should be about giving away things voluntarily. When
you force someone to give you something, it's no longer giving, it's
stealing. Persons of leisurely moral growth often confuse giving with
taking.    -- Larry Wall
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html