piedmont’s audit questions and requests

If you didn’t think auditing and security were going to be a growing field, add this to the reasons you should stop being naive. ComputerWorld posted a series of questions and requests reportedly made by HHS to Piedmont Hospital as part of a (surprise?) HIPAA audit. Keep in mind that it seems Piedmont only had 10 days to submit the answers. That basically means having it all done and ready, not trying to slap it together during a couple of 120-hour weeks. (And even if they did that, even a minor interview with IT techs will reveal the wide eyes and confusion about the superficiality of anything slapped together.)

Likewise, if these questions don’t make you gulp at least a dozen times, you might be living in a dream world. Lots of people talk about security enabling business and ROI and things like that, but there is still going to be a growing field of people just taking care of the back rooms, because these things simply cannot be tacked onto “enabling” projects or expensed properly by a project or business initiative.

I am also very confident that these questions en masse cannot and never will be answered or tracked by any one product no matter how unified it is. Technology changes too quickly and there is too much of it. By the time products dig in and solve something like Windows 2000, then Windows XP is released. And then Vista. And then wireless. And then new attack vectors arise like wireless driver attacks, plus “arguable” attacks like DRM-justified rootkits. And then businesses that simply have to retool their infrastructure every 4-5 years, plus all the homegrown glue that holds everything together. And the changing landscape of almost every business. And the fact that while each company only has a handful of problems when it comes to IT, there are unlimited solutions free and commercial… Oh man, headache…!

A product can never do all this, nor can a CSO/CISO alone. There will continue to be backroom people, unless we want to just do security on a superficial surface level or make our networks much more homogeneous such that Company A’s setup is almost exactly the same as Company B’s setup. No product can do that, although you can argue that service providers may have a chance…but no service provider will be able to scale up to provide for every company even in their own city, let alone make a dent on larger companies or on a wider scale.

I know I’m slightly keeping Rothman in mind when I say the back room is not going away, but I firmly believe all of this just goes back to being as pragmatic as possible when managing security. I still need to get my hands on his book… 🙂

Update: I know that these questions may be no different from what people are already being treated to with SOX and HIPAA, but still, how many have really been able to take either of those 100% seriously and adhere to them? Like PCI, it’s all about the teeth…maybe cyberinsurance will add the teeth, I dunno. But I would amateurishly estimate that 98% of all businesses would have major infractions from any audit performed, PCI, SOX, or HIPAA.