Showing posts with label Security. Show all posts

Saturday, January 31, 2009

MEDICAL SCHOOL FOR FREE?
That’s the article's title: How to Go to Medical School for Free

This is quite an opportunity. Previously, I had explored the salary range of different medical specialties in two entries: HOW MUCH DO PHYSICIANS EARN? and the recession-resistance index (!) of a profession in healthcare in A HEALTHCARE-RELATED CAREER OR NOT? THINKING DEFENSIVELY....

To me, this article indicates the seriousness of the problem with the healthcare system in America. Healthcare currently accounts for 16 to 17 percent of the Gross Domestic Product (GDP) of the United States. It is the single largest component of the economy.

A related article by the same author discussed how medical school has become less expensive for some.

One of the better deals, in my opinion, is serving in the US military if you can.

At any rate, I can see demand and supply meeting each other within the next 15 to 20 years. Until then, demand far exceeds supply which means that healthcare professions have an above-average rating in terms of compensation and security.

The flip side of the equation is work and study. Since demand exceeds supply, be prepared to study and work a lot and continuously. Medical school is not a walk in the park either. As this other article indicates, medical students are more depressed than the general population. Physician, heal thyself!



Friday, December 12, 2008

MAJOR SECURITY FLAW JUST DISCOVERED IN INTERNET EXPLORER (IE)

Users are being urged to switch browsers immediately. The problem became public about 36 hours ago. The flaw lets a web page run code on the visitor's machine just by being viewed; the attacks seen so far use it to plant malware that steals passwords. I work with information technology and my password has been stolen before. It’s a huge hassle to say the least since I had to estimate the severity of the damage after several of my passwords were stolen. May I recommend a free application that has done a great job of protecting me since then? The application (or program) is called “Spybot.” There’s a link to it at the end of this posting.

This post was updated on Dec. 17.


The flaw hands an attacker control of the machine; stealing passwords is what the attacks seen in the wild are doing with that control. Estimates of the number of websites serving the exploit run from about 6,000 to 10,000, depending on the source.

Here are links to several stories:

Microsoft: Microsoft Security Advisory (961051)
Microsoft is continuing its investigation of public reports of attacks against a new vulnerability in (the web browser) Internet Explorer. Blah, blah, blah... (It continues in very sterile language. The other links state the severity and urgency of the problem in plain language.)
BBC News: Serious security flaw found in IE
Users of Microsoft’s Internet Explorer are being urged by experts to switch to a rival until a serious security flaw has been fixed.

The flaw in Microsoft’s Internet Explorer could allow criminals to take control of people’s computers and steal their passwords, internet experts say.

Microsoft urged people to be vigilant while it investigated and prepared an emergency patch to resolve it.
Computerworld: Microsoft preps emergency IE patch for Wednesday release
December 16, 2008 (Computerworld) Microsoft Corp. announced today that it will issue an emergency patch tomorrow to quash a critical Internet Explorer bug that attackers have been exploiting for more than a week.

The advance warning came less than a week after Microsoft acknowledged that exploit code had gone public and was being used by hackers to hijack Windows PCs running IE.

Microsoft will deliver the out-of-cycle patch Wednesday at 1 p.m. Eastern time via its normal update mechanisms, including Windows Update, Microsoft Update and Windows Server Update Services.

The update will be pegged “critical,” the most serious ranking in Microsoft's four-step scoring system.

Even as it declared that it would release an emergency fix, Microsoft continued to downplay the threat. “At this time, we are aware only of attacks that attempt to use this vulnerability against Windows Internet Explorer 7,” said company spokesman Christopher Budd in an e-mail today.

Initially, Microsoft and other security companies believed that only IE7 was vulnerable to attack, but on review, the company confirmed that all versions of its browser, including IE5.01, IE6 and IE8 Beta 2, contain the bug.

Last weekend, Microsoft researchers said that they had seen a “huge increase” in attacks, and that some were originating from legitimate Web sites. Another researcher added that about 6,000 infected sites were serving up exploits that target the IE vulnerability.

Also today, Microsoft confirmed that attacks could be launched through Outlook Express, a free e-mail client bundled with Windows XP. Because Outlook Express renders HTML-based messages using IE’s engine, attackers could exploit the bug by getting users to open or view malicious messages.
New York Times: Microsoft Issuing Emergency Fix for Browser Flaw
REDMOND, Wash. (AP) -- Microsoft Corp. is taking the unusual step of issuing an emergency fix for a security hole in its Internet Explorer software that has exposed millions of users to having their computers taken over by hackers.

The “zero-day” vulnerability, which came to light last week, allows criminals to take over victims’ machines simply by steering them to infected Web sites; users don’t have to download anything for their computers to get infected, which makes the flaw in Internet Explorer’s programming code so dangerous. Internet Explorer is the world’s most widely used Web browser.

Microsoft said it plans to ship a security update, rated “critical,” for the browser on Wednesday. People with the Windows Update feature activated on their computers will get the patch automatically.

Thousands of Web sites already have been compromised by criminals looking to exploit the flaw. The bad guys have loaded malicious code onto those sites that automatically infect visitors’ machines if they’re using Internet Explorer and haven’t employed a complicated series of workarounds that Microsoft has suggested.

Microsoft said it has seen attacks targeting the flaw only in Internet Explorer 7, the most widely used version, but has cautioned that all other current editions of the browser are vulnerable.

Microsoft rarely issues security fixes for its software outside of its regular monthly updates. The company last did it in October, and a year and half before that.
Cnet: Critical IE 7 exploit making the rounds
Microsoft issued a critical security warning Tuesday that a malicious exploit is making the rounds and attacking vulnerabilities in Internet Explorer 7.

The risk is believed to be widespread, given that IE 7 is the latest version of Microsoft’s browser and is bundled with XP service pack 3 and also Vista, said Dave Marcus, director of security research and communications for McAfee's Avert Labs.

The AZN Trojan, which has been making the rounds since the first week of December, has the potential of infecting users’ systems with a Trojan horse, or “downloaders” that can download other forms of malware onto a user’s system.

Microsoft announced it will release a security patch Wednesday via its automatic update system to patch users’ computers.

Users can potentially get infected two ways, Marcus said. One is to visit a malicious Web site that already has the malware installed on the site, or visit a legitimate site, in which the attacker has inserted the malicious script to run in the background, leaving visitors unaware their systems have been compromised.

“A lot of Web sites are pushing out this exploit,” Marcus noted. The infected sites range from Web sites that offer free wallpaper for mobile phones, to sites that feature property, to product-related sites.

Microsoft is encouraging users to update their systems once the patch is released Wednesday at 10 a.m. PDT.
A SUGGESTION

If you still use IE, stop using it until the fix is installed. Microsoft’s out-of-cycle update for this flaw went out through Windows Update on Wednesday, December 17 (bulletin MS08-078); if your computer takes automatic updates, check that it has arrived. On the other hand, why not just switch to another web browser? It wouldn’t be a bad idea to make one of the browsers below your primary browser and use IE only as your secondary browser.

Two caveats that follow from the articles above. First, the bug is in IE’s rendering engine, and Outlook Express uses that same engine to display HTML mail, so you are exposed even if you never open the browser; install the patch whichever browser you use. Second, none of the browsers below uses IE’s engine, so this particular flaw does not affect them, but that is not the same as being bug-free: whichever you pick, keep it updated too.

Any of these will do:
  1. Firefox
  2. Opera
  3. Google Chrome
  4. Apple Safari
Earlier, I mentioned my bad experience with stolen passwords. I looked around for an anti-spyware program and found Spybot. I recommend Spybot. I find it so useful that I donate to it. The application is free and it serves me well. Bear in mind what a scanner like that does: it finds known malware after it has landed. It does not close the hole in the browser; only the patch does.
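The second infection path Marcus describes, a loader inserted into an otherwise legitimate page, is something a site owner can check for. Below is an added example of such a check, not code from the original post or from any vendor named here: it parses a page and flags script, iframe, embed and object elements that pull content from a host outside an allowlist, plus iframes that are hidden. The allowlist and both sample pages are constructed for illustration.

```python
"""Scan a page's HTML for injected loader elements that pull content from
hosts you do not control, the pattern used to plant drive-by exploits on
compromised legitimate sites.

Added example, not from the original post or any vendor it cites. The
allowlist (ALLOWED) and the two sample pages are constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

LOADER_TAGS = ("script", "iframe", "embed", "object")


class InjectionScanner(HTMLParser):
    """Record loader elements whose source host is off the allowlist, and
    iframes that are hidden (0x0 or display:none), which is how drive-by
    loaders are kept out of sight of visitors and site owners alike."""

    def __init__(self, allowed_hosts):
        super().__init__()
        self.allowed_hosts = {h.lower() for h in allowed_hosts}
        self.findings = []

    @staticmethod
    def _is_hidden(attrs):
        style = attrs.get("style", "").replace(" ", "").lower()
        return (attrs.get("width", "").strip() == "0"
                or attrs.get("height", "").strip() == "0"
                or "display:none" in style
                or "visibility:hidden" in style)

    def handle_starttag(self, tag, attrs):
        if tag not in LOADER_TAGS:
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        src = a.get("src") or a.get("data")      # <object data=...> loads too
        if not src:
            return
        host = urlparse(src).hostname             # None for a relative URL
        reasons = []
        if host is not None and host.lower() not in self.allowed_hosts:
            reasons.append("off-site host " + host)
        if tag == "iframe" and self._is_hidden(a):
            reasons.append("hidden iframe")
        if reasons:
            self.findings.append({"line": self.getpos()[0], "tag": tag,
                                  "src": src, "reasons": reasons})


def scan_html(html, allowed_hosts):
    """Return the list of suspicious loader elements found in one page."""
    scanner = InjectionScanner(allowed_hosts)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample: a clean page, then the same page with a loader tacked
# onto the end of the file after </html>, a common place for injections.
ALLOWED = ["www.example.com", "cdn.example.com"]
CLEAN_PAGE = """<html><head>
<script src="/js/site.js"></script>
<script src="https://cdn.example.com/jquery.js"></script>
</head><body><p>Free mobile wallpapers</p></body></html>
"""
INJECTED_PAGE = CLEAN_PAGE + """\
<iframe src="http://203.0.113.7/in.php" width="0" height="0" style="display:none"></iframe>
<script src="//bad-host.example/ad.js"></script>
"""

if __name__ == "__main__":
    for name, page in (("clean", CLEAN_PAGE), ("injected", INJECTED_PAGE)):
        for f in scan_html(page, ALLOWED):
            print("%s: line %d <%s src=%s>: %s" % (
                name, f["line"], f["tag"], f["src"], "; ".join(f["reasons"])))
```

Relative URLs are treated as same-origin and pass; a protocol-relative `//host/...` URL is resolved to its host and checked like any other. Run it over a crawl of your own pages and diff the output against a known-good run, since a legitimate new third-party script will also show up and should be added to the allowlist deliberately.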



Sunday, September 28, 2008

LESSONS FROM CONDUCTING A SECURITY GAP ANALYSIS

There are many reasons for ensuring that you have a secure information system. It becomes a question of how instead of why. How do you create and maintain a secure system?

I participated in my first security gap analysis project in 2006, blogged it that year, lost that blog, and found my notes again. It was an eye-opening experience especially since it was conducted in one of the largest hospitals—whether public or private—in the country. It serves the second most populous county in the U.S. According to 2006 US Census Bureau estimates, the county had 5.3 million residents—larger than the populations of 29 individual U.S. states or the combined populations of the six smallest US states.

Starting with what you have, the first step is to create a baseline: a statement of the controls you expect your information system to have. If your business belongs to one of the industries governed by specific laws and regulations, start from the security requirements those laws and regulations impose.

A hospital, for instance, would be directly governed by the Health Insurance Portability & Accountability Act (HIPAA). It is also subject to other regulations like the eDiscovery rules but we will keep it simple by focusing on HIPAA alone.

The second step is to categorize your data by sensitivity and, for each category, record where it originates, where it lives within the system, how it is accessed, and who is allowed to access it.

Sensitive data can take the form of intellectual property. For a hospital, most of it is legally protected: patient records, a patient’s X-ray images included, are protected health information under HIPAA.

Armed with this information, you can begin your gap analysis. Before this discussion goes further, it must be understood that gap analysis is an ongoing process. The environment is constantly changing. Your information system is constantly changing with it and, naturally, your security gaps are changing as well.

Comparing your actual practices with security requirements will identify the gaps in your system. Once identified, the gaps can be prioritized (by severity, for instance). Then a plan can be created for eliminating (or at least minimizing) those vulnerabilities.

Gap analysis is a specialized form of risk analysis. Risk analysis starts from the fact that risks are everywhere and that you have limited resources to deal with them. Its goal is to decide where those resources do the most good: on the threats that are the most damaging, the most likely, or both.

It is best to approach gap analysis as a project and like any project, senior management must support it. Security gap analysis must be conducted on a regular basis. It must be thorough and objective. The degree of thoroughness will establish the scope of the analysis. Will the project include physical as well as electronic security? Will it be limited to customer-facing applications?


Objectivity requires a fresh set of eyes. It wouldn’t make sense for an accountant to audit himself. It makes a lot of sense therefore to hire an outside firm to lead the project.

These are the lessons I learned when we conducted a security gap analysis at one of the largest hospitals—whether public or private—in the country.

Our presence was announced with a bang! When you stage a systems break-in, attack the system like a team of hackers would, and do it under written authorization and an agreed scope so that nobody mistakes the exercise for a real incident. A team attack is just as likely to happen in real life as a solitary attempt would. The ease and speed of our break-in convinced the hospital’s administration of the risks it faced.

Your project team should have members from different disciplines. I came away convinced that if the core team could only have two groups then the two should be your IT and your HR departments. Why HR? It’s because people will be the primary source of vulnerabilities.

Hospitals are very politicized organizations. In addition to having senior management’s blessing, we created a RACI matrix that was jointly accepted by all department heads.

RACI stands for Responsible-Accountable-Consulted-Informed. A RACI matrix identifies the authority and responsibility of every role involved in the project. We had determined that our scope was going to be limited to electronic security and to customer-facing applications only. Due to the size of the hospital and the number of applications it ran, our gap analysis focused on the two most widely used applications: lab and accounting.

This was the first gap analysis conducted on this hospital and the spotlight was on it. (And did it ever need it!)

WE ANALYZED THE GAP IN FIVE AREAS

FIRST AREA

AAA (authentication, authorization, and accounting) on an enterprise level. This included single sign-on, a primary aspect of federated identity. Our goal was to standardize the security infrastructure. We discovered numerous instances where Nurse-A could log in at Station-1, stay logged in while logging in again as herself at Station-2, and be granted a different access level. In other words, the same account carried different privileges depending on the workstation, and nothing noticed that two sessions for one person were open at once.

All current authentication processes were reviewed. Possible vendor solutions were evaluated. A general implementation plan was developed.
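The two symptoms above can be pulled out of an application's login/logout export before anyone evaluates a vendor product. Below is an added example that does this; it is not code from the original post or from the hospital's systems. The export format (one line per LOGIN or LOGOUT, with the role and application recorded at login) and the sample lines are constructed, so LINE_RE will need adjusting to a real export.

```python
"""Reconcile a login/logout export for the two AAA findings: one account
open at two stations at once, and one account granted different roles in
the same application depending on the station.

Added example, not from the original post. The export format, LINE_RE and
SAMPLE_EXPORT are constructed for illustration.
"""
import re
from collections import defaultdict

# Constructed format:
#   <timestamp> <user> <station> LOGIN role=<role> app=<app>
#   <timestamp> <user> <station> LOGOUT
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<user>\S+)\s+(?P<station>\S+)\s+"
    r"(?P<event>LOGIN|LOGOUT)(?:\s+role=(?P<role>\S+)\s+app=(?P<app>\S+))?$"
)

# Constructed sample export. ISO timestamps sort lexically, so a plain sort
# puts events in time order even if the export is not.
SAMPLE_EXPORT = """\
2006-03-02T08:01:12 nurse.a STATION-1 LOGIN role=RN_FLOOR app=LAB
2006-03-02T08:03:40 nurse.a STATION-2 LOGIN role=RN_ADMIN app=LAB
2006-03-02T08:05:00 dr.b STATION-3 LOGIN role=MD app=LAB
2006-03-02T08:20:05 nurse.a STATION-1 LOGOUT
2006-03-02T08:22:30 dr.b STATION-3 LOGOUT
2006-03-02T08:25:10 dr.b STATION-4 LOGIN role=MD app=LAB
2006-03-02T08:40:00 nurse.a STATION-2 LOGOUT
"""


def parse_export(text):
    """Return one dict per non-blank line, sorted by timestamp. A line that
    does not match is an error, so a format change cannot silently hide
    findings."""
    events = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError("line %d does not match export format: %r"
                             % (lineno, raw))
        events.append(m.groupdict())
    events.sort(key=lambda e: e["ts"])
    return events


def reconcile_sessions(text):
    """Return {'concurrent_logins': [...], 'inconsistent_roles': {...}}.

    concurrent_logins: a LOGIN at one station while the same user still has
    a session open at another station (the Station-1/Station-2 case).
    inconsistent_roles: (user, app) -> sorted distinct roles granted, listed
    only where more than one role was seen for that pair.
    """
    open_sessions = {}               # (user, station) -> login timestamp
    roles_seen = defaultdict(set)    # (user, app) -> {roles}
    concurrent = []

    for ev in parse_export(text):
        key = (ev["user"], ev["station"])
        if ev["event"] == "LOGOUT":
            open_sessions.pop(key, None)   # tolerate a logout with no login
            continue
        elsewhere = sorted(st for (u, st) in open_sessions
                           if u == ev["user"] and st != ev["station"])
        if elsewhere:
            concurrent.append({"ts": ev["ts"], "user": ev["user"],
                               "station": ev["station"],
                               "still_open_at": elsewhere})
        open_sessions[key] = ev["ts"]
        roles_seen[(ev["user"], ev["app"])].add(ev["role"])

    inconsistent = {k: sorted(v) for k, v in roles_seen.items() if len(v) > 1}
    return {"concurrent_logins": concurrent, "inconsistent_roles": inconsistent}


if __name__ == "__main__":
    report = reconcile_sessions(SAMPLE_EXPORT)
    for f in report["concurrent_logins"]:
        print("CONCURRENT  %(ts)s %(user)s at %(station)s, "
              "still open at %(still_open_at)s" % f)
    for (user, app), roles in report["inconsistent_roles"].items():
        print("ROLE MISMATCH %s in %s: %s" % (user, app, ", ".join(roles)))
```

On the sample, nurse.a is reported once for a concurrent login at STATION-2 while STATION-1 is still open, and once for holding both RN_FLOOR and RN_ADMIN in LAB; dr.b, who logs out before moving stations and keeps the same role, produces nothing. Sessions still open at the end of the export (a logout that never arrived) are worth a third report in a real run.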

SECOND AREA

Awareness. How security-conscious are the employees? Did they know the information classification levels in use? (The labels we taught follow the government-style scheme:)
  1. Unclassified
  2. Classified
  3. Confidential
  4. Restricted
  5. Secret
  6. Top Secret
Our goal was to heighten the security awareness of workers throughout the organization, make it clear that security is everyone’s responsibility, and ask for their cooperation. A familiarization course was developed that every employee attends every six months. A hotline was also established.

THIRD AREA

Incident Notification & Response. The security awareness course and the hotline are just two of the responsibilities of a new IT-based group. Our goal was to create a first-response team and proactive overseer of enterprise security. They did not make policy; instead they implemented it. At the same time, they tracked actual user practices, compared it to best practices, and submitted progress reports to the Chief Security Officer (a position that was newly created).

FOURTH AREA

Technical Security. We conducted a comprehensive review of the existing security framework. The framework covered firewalls, DMZs, intrusion detection & prevention tools, and the like. Security logs were audited. Patch management was taken seriously. Password policies were enacted. Our goal was to optimize the hospital’s technical security. These efforts were primarily focused at the hospital’s data center. Technical security briefly touched on Disaster Recovery but DR was going to be a separate project.

FIFTH AREA

Best Practices. Our objective was to train users to work using best practices. This was easier said than done since this was change management and most of the staff were lifers, i.e., employees of long tenure. We had to start over several times. In the end, we learned that the best way to coax them to accept change was to first listen to them. This is the area where our business analysts really proved their worth!

CONCLUSION

Several areas above, e.g., Technical Security and Best Practices, were longer and more difficult than expected. The entire project took eight months—two months past schedule and 40% over budget! The core project team consisted of three full-time members. I was one of them.

Would I consider it successful? Yes. We achieved the project's goals. Were the customers happy? The end-users were. Management was not. From the beginning, we articulated to senior management that they had an unrealistic schedule especially because they were ripping out an old application software system. Delays cost money.

At the project onset, they practiced an all too familiar but ill-advised tactic. They asked us for a "realistic" budget. We were outside consultants. Specifically we were the subcontractors of a (politically-connected) contractor. We used parametric and bottom-up estimates, got the agreement from our contractor, and we jointly submitted it to hospital management.

I remember the incident vividly. We were in the office of the hospital administrator. He glanced at it, asked us a few questions, crossed out our figure, deducted 30%, and wrote that down and signed off beside his scribbled amount. Furthermore, he slashed a month of our projected schedule.

