On Shoshin and Software Security

I am an independent software security consultant specializing in medical device security and HIPAA compliance in Israel. I use the state-of-the-art PTA (Practical Threat Analysis) tool to perform quantitative threat analysis and produce a bespoke, cost-effective security portfolio for my customers that fits their medical device technology. There are over 700 medical device companies […]

10 ways to detect employees who are a threat to PHI

Software Associates specializes in software security and privacy compliance for medical device vendors in Israel. One of the great things about working with Israeli medical device vendors is the level of innovation, drive and abundance of smart people. It’s why I get up in the morning. Most people who don’t work in security assume […]

The death of the anti-virus

Does anti-virus really protect your data? Additional security controls do not necessarily reduce risk. Installing more security products is never a free lunch and tends to increase the total system risk and cost of ownership, as a result of the interaction between the elements. We use the quantitative threat analysis tool PTA, which enables […]

It’s friends and family breaching patient privacy – not Estonian hackers.

A 2011 HIPAA patient privacy violation in Canada, where an imaging technician accessed the medical records of her ex-husband’s girlfriend is illustrative of unauthorized disclosure of patient information by authorized people. Data leakage of ePHI (electronic protected health information) in hospitals is rampant simply because a) there is a lot of it floating around and […]

Picking Your Way Through the Mime Field

We’re a professional software security consultancy and experienced software developers. Almost 10 years ago, one of our partners proposed that we develop a utility to encrypt Microsoft Outlook email messages. A prototype was developed, but an interesting thing happened when we started talking to potential beta customers […]

Out of control with BYOD in your hospital?

The number of bring your own device (BYOD) workplaces is increasing. Hospitals are certainly no exception, with nursing staff, doctors and contractors bringing their own mobile devices into the hospital, and in many cases jacking into WiFi networks on the hospital premises. With mobile access points via your smart phone, you don’t even […]

Cyber warfare: attack the social fabric of hackers rather than defend

The conventional military paradigm is not suited to cyber security. The Cyber Security policy of various countries was shaped by the military, and so cyber security has traditionally been understood only in the context of a defensive strategy. This strategy rests on intelligence gathering, threat and risk analysis, modeling and monitoring, together with the deployment of defensive technologies such as firewalls, DDoS prevention, intrusion prevention and the use of honeypots. The problem with such a defensive approach […]

Why security defenses are a mistake

Security defenses don’t improve our understanding of the root causes of data breaches. Why is this so? Because when you defend against a data breach, you do not necessarily understand the vulnerabilities that can be exploited. If you do not understand the root causes of your vulnerabilities, how can you justify and measure the effectiveness of […]

Is your HIPAA security like a washing machine?

Is your HIPAA security management like a washing machine? Most security appliance vendors use fluffy charts with a 4 step “information risk management” cycle. It’s always a 4 step cycle, like “Discover, Monitor, Protect and Manage” and it’s usually on a circular chart but sometimes in a Gartner-style magic quadrant or on a line. It’s […]

How to use BI to improve healthcare IT security

Information technology management is about executing predictable business processes. Information security management is about reducing the impact of unpredictable attacks on your healthcare provider organization. Once we put it this way, it’s clear that IT, security and compliance professionals, as dedicated as they are to their particular missions, do not have common […]