In your security management program, please add the following to the survey questions you send to your system vendors: Are there
any characters that, if used in passwords, will cause degradation of the confidentiality, integrity, or availability of the system or the data
contained in the system?
Here are some snippets of a thread from a vendor-specific interface engine (IE) users' listserv.
<snip>
We are running [interface engine and version] on [platform].
A security audit recently highlighted the fact that we are running with
the default Administrator password.
We ran for a few days with a new password, then the Monitor quit
connecting. We were getting the following error in the control
broker log: "User authentication failed for " then the user name. We
tried several accounts, but got the same result. I updated the
password file. No change.
Everything worked fine as soon as we changed the Admin password back to
the default.
<snip>
Wow! Using the default Administrator password on any vendor technology opens
you up to a lot of security risks.
<snip>
We recently updated our password standards to include complex passwords.
After changing the admin password we ran into some similar issues. The
reason we were having issues with the new passwords was because we were
including special characters. Maybe this is a similar situation. Here is
the resolution from [Vendor] (hope this helps):
Unfortunately we do not have a list of special characters that should
not be used, and [IE] can take special characters in passwords with
a caveat. My testing shows the following.
1) The Enterprise Manager will not allow certain special characters to
be used in a password. For example, the GUI allows % and * but not other
characters, such as !, @, #, etc.
2) ***aclutil will allow some additional special characters, but none
that conflict with the execution of the command. For example, ^ or &
on a Windows system.
3) Some special characters allowed by ***aclutil may later conflict
with component startup.
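As an added illustration of the three findings above (this is not code from the thread or from any vendor; "aclutil" is used only as a placeholder name for whatever command-line tool sets the password), here is a small Python probe you can run before the next password change. It flags which characters of a candidate password are metacharacters in the contexts the vendor described (cmd.exe command lines, a POSIX shell, an XML config file, a printf-style log line), generates one test password per special character so a failure isolates the offending character, and checks that each candidate survives a child-process argv round trip with no shell involved. If the vendor tool fails for a password that passes the argv round trip, the tool is re-parsing its command line or its configuration file somewhere.

```python
"""Probe which special characters a vendor's password path can handle.

Added example, not part of the original listserv thread or any vendor tool.
The tool name 'aclutil' is a placeholder and is never executed here.
"""
import string
import subprocess
import sys

# Characters that a command interpreter or file format rewrites or consumes
# when a password is pasted into it rather than passed as a discrete argument.
WINDOWS_CMD = set('&|<>^%!"')                 # cmd.exe metacharacters
POSIX_SH = set('$`"\'\\!*?[](){};&|<>#~ ')    # sh/bash metacharacters
XML_ATTR = set('<>&"\'')                      # password stored in an XML config
PRINTF_FMT = set('%')                         # password echoed through a format string

CONTEXTS = {
    "cmd.exe": WINDOWS_CMD,
    "sh": POSIX_SH,
    "xml": XML_ATTR,
    "printf": PRINTF_FMT,
}


def risky_chars(password: str) -> dict[str, list[str]]:
    """Map each character of the password to the contexts in which it is special."""
    found: dict[str, list[str]] = {}
    for ch in password:
        hits = [name for name, chars in CONTEXTS.items() if ch in chars]
        if hits and ch not in found:
            found[ch] = hits
    return found


def test_matrix(base: str = "Xy7", specials: str = string.punctuation) -> list[str]:
    """One candidate password per special character.

    Changing the admin password to each of these in turn, then checking
    that every component (GUI, aclutil-style CLI, component startup)
    still authenticates, tells you exactly which character breaks which path.
    """
    return [f"{base}{ch}{base}" for ch in specials]


def argv_roundtrip(password: str) -> bool:
    """Pass the password as a separate argv element (no shell) to a child
    process and confirm it arrives byte-for-byte. This is the path that
    should work for any character."""
    child = [sys.executable, "-c", "import sys; sys.stdout.write(sys.argv[1])", password]
    out = subprocess.run(child, capture_output=True, text=True, check=True).stdout
    return out == password


def naive_command(password: str, tool: str = "aclutil") -> str:
    """The string an operator would type if the password were pasted straight
    into a shell: this is where ^ or & on Windows, or $ and & on sh, get eaten."""
    return f"{tool} -setpassword {password}"


if __name__ == "__main__":
    for candidate in test_matrix():
        flags = risky_chars(candidate)
        status = "argv ok" if argv_roundtrip(candidate) else "argv FAIL"
        print(f"{candidate!r:14} {status:9} {flags or 'no metacharacters'}")
        if flags:
            print(f"    unsafe as typed: {naive_command(candidate)}")
```

Run it as-is to see the matrix; then feed the same candidates to the vendor's own password-change path and note which ones fail where. The `risky_chars` result for a failing candidate usually names the layer that broke it (a `%` failing only in the log or GUI points at a format string, an `&` failing in the CLI points at cmd.exe).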
The above "lesson learned" will be included in a document that I am now finalizing. It will contain a collection of security practices in the health care industry and a NIST security controls crosswalk to each HIPAA security standard and implementation specification. A lot of good ideas were shared by the 60 or so participants of the recently concluded series of Mitigation Planning Workshops. Due to space limitations in the ShareHIPAA group's files section, we will not be able to post it there. Blass Consulting, LLC has agreed to provide it freely for access/download to all from its "Free HIPAA Tools" page on the ComplyAssistant website (www.complyassistant.com). If you have any security practices that you would like to have included in this document, please send them to me at mcgowin@... by this Friday, October 8th. We hope to have the final document available by mid October. And if you participated in the workshops and would like to have your participation acknowledged, please send me your name and how you would like to be listed in the document's acknowledgements.
To effectively implement HIPAA security standards into our operations and business decisions, most would agree that a baseline risk assessment should be conducted. How do you do this? Where do you start? How do you know what to put in the survey questions? I have put together a free audio/video presentation that is web accessible 24/7. It is a high-level overview of the NIST recommended Security Risk Management Program and steps you through a HIPAA security management approach from "defining the scope", conducting a survey to determine security gaps, through mitigation work plan and budget development (encompassing P&P, training, implementation/process integration, monitoring, and audit). You can access this presentation from the link below. The white paper that this presentation was based on is available in the ShareHIPAA files section (look for securityicepp-final.doc). It is also available for access/download from www.complyassistant.com. Look in the left column under White Papers for Security Issues, Concerns and Enforcement.
Here is the link for DeMystify Security - NISTify IT! presentation:
http://www.placeware.com/cc/complyassistant/view?id=NZTQJ4
Requires Name, No password, then email address and Company Name. (1 hour 2 min).
For high-speed and broadband connections choose the second file option. It is called "Microsoft Office Live Meeting Replay: Windows MediaTM - formatted streamed audio & video". When the Windows Media window opens you can right-click on the window, then click on Zoom, and then click on Full Screen.
For 56K modems, your bandwidth will not support video. You can choose the first file option. It is called "Basic recording with Windows Media TM formatted streamed audio". You can listen to the recording and refer to the white paper mentioned above. If you can get to a PC with high-speed internet access, I would recommend viewing it that way.
Regards,
Barbara McGowin, CPC
Executive Recruiting
HIT Recruiting
(843) 824-8537
Connecting Healthcare Organizations with People,
Products and Services to Achieve HIPAA Compliance.