About Me

My photo
I have a new job! I am now working for MicroHealth as the Chief Governance & Compliance Officer. I start in December, 2011. I am a dentist and have been in the Air Force for the past 26 years and now am retiring out of a great job...the Chief Medical Information Office at the DHIMS program office where we build and maintain the military electronic health record. I am also back in school at the GWU Masters program in Information Systems Technology...great experience. In my spare time, I love to get creative and work with polymer clay and paint.

Thursday, September 29, 2011

Code Security...How to find and fix vulnerabilities


During our studies at eMSIST, we have read and discussed security risks and vulnerabilities, but it never dawned on me that the vulnerabilities may be within the code itself. I had the opportunity to learn about the HP Fortify code analyzer the other day while speaking to an HP analyst: https://www.fortify.com/products/hpfssc/index.html

The Military Health System analyzed over 5 million lines of code in its electronic health record this past year, using both static and dynamic analysis tools, and discovered thousands of vulnerabilities. Two good things came out of this. First, we integrated code analysis into all new software development projects so that problems are identified and fixed immediately; this reduced costs dramatically because defects were fixed early, before they reached testing or production. Second, we used the analysis findings to decide which of the code defects bubbling up from trouble tickets to fix first.

OWASP, the Open Web Application Security Project, encourages the use of a code analyzer during software development as a powerful tool that gives the developer immediate feedback with recommendations on how to rewrite the code: https://www.owasp.org/index.php/Source_Code_Analysis_Tools  Although code analyzers are excellent tools, they cannot detect all vulnerabilities and have particular difficulty with authentication, access control and encryption flaws, because those depend on the application's design and context rather than on a recognizable pattern in the code. Because they only look for problems in the code, they cannot identify configuration or infrastructure issues.
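To make the distinction concrete, here is an added illustration that is not code from the original post, from HP Fortify or from OWASP: a toy static analyzer built on Python's ast module, run over four constructed snippets. It flags the defect class a pattern-based tool handles well (SQL text assembled from strings) and stays silent on the class the paragraph says such tools struggle with (a missing authorization check), because the vulnerable and fixed versions of that function are syntactically indistinguishable to it. The snippets, the `may_view` method and the rule itself are assumptions made for the example.

```python
"""Added illustration, not code from the original post or from HP Fortify:
a toy static analyzer built on Python's ast module, run over constructed
snippets, to show the kind of defect pattern-based code analysis can flag
(SQL assembled from strings) and the kind it cannot (a missing
authorization check that is syntactically identical to correct code)."""
import ast

# Constructed snippet: query text built with an f-string from a parameter.
# This is a syntactic pattern, so a static analyzer can match it.
VULNERABLE_SQL = '''
def get_patient(cursor, patient_id):
    cursor.execute(f"SELECT * FROM patients WHERE id = {patient_id}")
    return cursor.fetchone()
'''

# Constructed snippet: the same lookup with a parameterized query.
FIXED_SQL = '''
def get_patient(cursor, patient_id):
    cursor.execute("SELECT * FROM patients WHERE id = ?", (patient_id,))
    return cursor.fetchone()
'''

# Constructed snippet: any logged-in user can read any patient's chart
# because nothing checks that `user` may see `patient_id`.
MISSING_AUTHZ = '''
def view_record(cursor, user, patient_id):
    cursor.execute("SELECT * FROM patients WHERE id = ?", (patient_id,))
    return cursor.fetchone()
'''

# Constructed snippet: the corrected version. `user.may_view` is a
# hypothetical application method; the analyzer below has no way to know
# that this call is the one that makes the function safe.
FIXED_AUTHZ = '''
def view_record(cursor, user, patient_id):
    if not user.may_view(patient_id):
        raise PermissionError("no treatment relationship with this patient")
    cursor.execute("SELECT * FROM patients WHERE id = ?", (patient_id,))
    return cursor.fetchone()
'''


def _is_dynamic_string(node):
    """True if the node builds a string at run time: an f-string, '+' or '%'
    applied to a string, or a str.format() call."""
    if isinstance(node, ast.JoinedStr):
        return True
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Mod)):
        return True
    if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
            and node.func.attr == "format"):
        return True
    return False


def find_sql_injection(source):
    """Return [(line, message)] for every execute()/executemany() call whose
    first argument is assembled at run time instead of being a constant
    query with bound parameters."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if (isinstance(node, ast.Call)
                and isinstance(node.func, ast.Attribute)
                and node.func.attr in ("execute", "executemany")
                and node.args
                and _is_dynamic_string(node.args[0])):
            findings.append((node.lineno,
                             "SQL text built from a dynamic string; "
                             "pass a constant query with bound parameters"))
    return findings


if __name__ == "__main__":
    for name, src in [("VULNERABLE_SQL", VULNERABLE_SQL), ("FIXED_SQL", FIXED_SQL),
                      ("MISSING_AUTHZ", MISSING_AUTHZ), ("FIXED_AUTHZ", FIXED_AUTHZ)]:
        print(name, find_sql_injection(src) or "no findings")
```

Running it reports one finding for VULNERABLE_SQL and none for the other three. The silence on MISSING_AUTHZ is the point: whether `view_record` is safe depends on a rule that lives outside the code (who is allowed to see which chart), which is exactly why authentication and access control findings need design review and testing in addition to a scanner.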

On September 12, 2011, InformationWeek reported that HP had expanded its security offerings (http://www.informationweek.com/news/security/app-security/231601254) to provide dynamic analysis of web applications from the cloud.

Tuesday, September 13, 2011

Is your electronic health information safe?


Brian Horwitz posted an article on eWeek on September 8, 2011: 

71 Percent of Health Care Companies Suffer Data Breaches in Past Year: Report, see http://www.eweek.com/c/a/Health-Care-IT/71-Percent-of-Health-Care-Companies-Suffer-Data-Breaches-in-Past-Year-Report-332736/ 

Veriphyr, a SaaS-based analytics and access-intelligence company, reported what most of us already knew: our electronic personal health information may not be safe. Although most of the breaches were insiders looking at the medical records of family and friends, this is by no means reassuring. Nearly 80% of those surveyed are concerned that current processes will not detect a breach when it occurs.

The future sharing of health data is a wonderful thing that will provide the medical and dental teams with access to the right information at the right time, no matter the source (private sector, military or VA). But this comes with a great responsibility to protect the privacy of each patient's information. Breaches must be detected and stopped quickly. Patients must be notified. The healthcare field needs to look to industry experts to provide this skill set.
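As an added illustration of what "detected quickly" can look like for the insider pattern the survey describes (this is not code from the eWeek article, from Veriphyr or from the original post), here is a minimal review of EHR chart-access audit records. Every access is checked against the patient's care team, break-the-glass overrides are always queued for review, and a shared surname between clinician and patient is raised as a possible family lookup. The log lines, the care-team table, the directory data and the three rules are all constructed for the example; a real program would draw them from the EHR's audit trail and scheduling data.

```python
"""Added illustration, not code from the original post or from any vendor:
flag EHR chart accesses that a privacy officer should review, using three
constructed rules run over a constructed audit log."""
from collections import namedtuple

Access = namedtuple("Access", "ts user patient_id reason")

# Constructed audit log: who opened which chart, and the declared reason code.
AUDIT_LOG = [
    Access("2011-09-01T08:02", "jsmith",  "P100", "encounter"),
    Access("2011-09-01T08:15", "jsmith",  "P101", "encounter"),
    Access("2011-09-01T12:40", "jsmith",  "P250", "lookup"),       # not on care team
    Access("2011-09-01T13:05", "rlee",    "P250", "encounter"),
    Access("2011-09-01T13:20", "rlee",    "P300", "lookup"),       # same surname as patient
    Access("2011-09-01T22:31", "tnguyen", "P101", "break-glass"),  # emergency override
]

# Constructed treatment relationships: clinicians assigned to each patient.
CARE_TEAM = {
    "P100": {"jsmith"},
    "P101": {"jsmith", "rlee"},
    "P250": {"rlee"},
    "P300": {"tnguyen"},
}

# Constructed directory data for the family-lookup heuristic.
USER_SURNAME = {"jsmith": "Smith", "rlee": "Lee", "tnguyen": "Nguyen"}
PATIENT_SURNAME = {"P100": "Garcia", "P101": "Lee", "P250": "Brown", "P300": "Lee"}


def review_access(log, care_team, user_surname, patient_surname):
    """Return [(access, reasons)] for every access that needs human review.

    Constructed, simplified rules:
      no_relationship  user is not on the patient's care team and did not
                       declare an emergency override
      break_glass      emergency override used; always reviewed after the fact
      same_surname     user and patient share a surname (possible family member)
    """
    alerts = []
    for a in log:
        reasons = []
        on_team = a.user in care_team.get(a.patient_id, set())
        if a.reason == "break-glass":
            reasons.append("break_glass")
        elif not on_team:
            reasons.append("no_relationship")
        if user_surname.get(a.user) == patient_surname.get(a.patient_id):
            reasons.append("same_surname")
        if reasons:
            alerts.append((a, reasons))
    return alerts


if __name__ == "__main__":
    for access, reasons in review_access(AUDIT_LOG, CARE_TEAM, USER_SURNAME, PATIENT_SURNAME):
        print(access.ts, access.user, access.patient_id, ", ".join(reasons))
```

On the constructed log this queues three of the six accesses: jsmith opening P250 with no treatment relationship, rlee opening P300 with no relationship and a matching surname, and tnguyen's after-hours break-glass access to P101. The remaining accesses are ordinary care and generate nothing, which is what keeps a review queue small enough that someone actually reads it.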



Page McNall