HIPAA Blog

[ Tuesday, January 22, 2008 ]

 

Security, generally: I often link to and cite Bruce Schneier as a solid, reasonable voice where e-security is involved. I'm not the only one; he's considered an expert by anyone who knows anything about this stuff. But he's raised an issue that's got George Hulme, writing on InfoWeek's security blog, riled up: Bruce doesn't secure his home wireless network, and George thinks that's a bad idea. Bruce wants his houseguests to have access, thinks it's neighborly to let his neighbors have access, and thinks the risks are really too remote to worry about. I have to say that whenever I'm visiting friends or relatives, I love the fact that I can usually find a wireless connection through a neighbor's house on my laptop. In fact, my wife used to think I was really odd when I'd take my computer and sit in the driveway of my mother-in-law's beach house to check my emails; she thought I was trying to avoid the noise of the kids or trying to keep my emails private. Far from the truth: I was risking the privacy of my emails (negligibly) and sitting in the driveway because I got a clear connection there. I don't know which neighbor's open network I was surfing, but I was glad they had one. At my MIL's primary residence, the best spot inside the house to access a neighbor's wi-fi is the window of the dining room, although to upload a video birthday greeting I had to go out into the cul-de-sac to get a solid enough connection.

The exchange between Bruce and George is very useful in terms of thinking about security, even if you're as technically retarded as I am (I read the comments and don't understand half of them). Security is a balancing act, an assessment of risks. Most matters involving security (of any sort) are decided based on balancing the hassle versus the likelihood of harm: do you lock your car when it's in (i) your garage at home, (ii) in the driveway at home, (iii) in the parking lot at the mall, or (iv) in a friend's driveway? I'd answer no, usually no, always, and sometimes, because it's always a balancing of risks. The hassle of unlocking the car is negligible in most cases, if I've got my keys with me, since it's just pressing a button. But at home, I usually leave my keys on the counter and don't have them in my pocket, so if I needed to get into the car for some reason, the hassle factor would increase. And the risk is almost non-existent if the car is in the garage, since there's a garage door opener on the door (you couldn't just lift the door); of course, there is some risk that someone has a garage door opener that would open my garage door, but even then, I might hear the garage door opening and stop them, or they'd probably steal my tools and bike (that's happened, actually) rather than anything out of my car (or my old car itself). So, on balance, the small hassle of having the car locked in the garage outweighs the even-smaller risks. That's not so if the car's parked in the parking garage downtown or at the mall; the hassle is even smaller (I'll always have my keys with me) and the risks are much larger.

There's a similar issue with regard to my home's security system. First, either you install an alarm system or you don't: if you live in a very remote area, you might determine that there's no real value in having an alarm. If you install a system, you might install one with many bells and whistles, or just a basic system. Those decisions will be driven by many factors, but basically will come down to a balance of cost and risk. You might set your alarm every morning when you leave the house for work, but not set it when you run to the grocery store. You might set it when you go to the store, but not when you're working in the yard or go for a run. Those decisions will be a balance of hassle and risk.

Considering your security needs relative to your electronic records and transmissions should be a process of the same balancing considerations. What are the costs, what are the hassle factors, and what are the risks? Like Bruce Schneier's open-access home network, there's very little cost to putting some good privacy in place, but there's at least a little hassle to houseguests or neighbors he wants to be friendly with. And even with costs and hassles that low, do the risks rise enough to make them worthwhile? Bruce says no; George says yes. What that proves is that reasonable, well-informed minds may differ.

That's the point of HIPAA security analysis. You make these balancing decisions without even thinking about them, all the time. With your business and your computer systems and records, your decision-making process should be clear, rational, and defensible. The Security Rule requires you to do a risk analysis; you do it anyway, so all you need to do is document it and make sure your decisions are defensible.

Jeff [10:31 AM]
