Book Review: Privacy and Health Care

Working for a health care organization, I must admit that I have at times wondered what all the hoopla regarding medical privacy was about. What is the harm in freely sharing patient information, and why is access to it so tightly regulated?

Privacy and Health Care is a collection of six essays on this difficult subject. Having been exposed to the different viewpoints and the reasoning behind them, I now have a much better understanding of the issues surrounding health care privacy. The most surprising revelation for me was the number of seemingly good reasons for allowing third-party access to patient medical records. The relatively rare instances of harm coming to individual patients as a result of inappropriate disclosure would, on the face of it, seem like a reasonable price to pay for the overwhelming benefits to medical research and other legitimate uses.

Yet for all the purported benefits and efficiencies of such free access, the primary purpose of the health care system is to help the patients get better. If they avoid seeking much needed treatment for fear of medical disclosure, or do not feel free to be fully honest with their doctor about their conditions, then the health care system will fail in its primary role. And that is why preserving patient privacy is so important.

Book Review: Outsourcing Information Security

Whenever the topic of outsourcing comes up, some find it difficult to think rationally. The decision of whether (and what) to outsource hinges on factors that are difficult to estimate, and the hidden agendas or preconceived notions of the decision makers come into play. Such is the case with information security risk management decisions as well: subjectivity reigns. Combine the two together, and what do you get? The world of information security consulting firms and managed security service providers (MSSPs).

Outsourcing Information Security by C. Warren Axelrod was intended to guide the uninitiated through each step of the outsourcing process, helping to steer clear of the pitfalls and achieve a partnership with the service provider that is of lasting benefit. However, much of the content is not specific to information security, which was not only disappointing, but a missed opportunity as well. I picked up the book hoping to find advice on selecting risk assessment specialists, auditors, penetration testers, policy developers, and business continuity consultants. Instead, the focus was on generic business issues related to outsourcing that would be considered common sense by most managers. In short, the book would have been more useful had it been aimed at an audience with sound knowledge of business management and limited exposure to information security, not the other way around.

Book Review: Security Engineering

For the past two months, I have been busy reading the 2008 Second Edition of Prof. Ross Anderson’s Security Engineering: A Guide to Building Dependable Distributed Systems. It is, without a doubt, destined to become a classic and will influence my thinking on the subject for years to come. Although written at a level suited to non-specialists, the book has a lot of meat to it, and is packed with deep insight and wisdom gained from the author’s years of real-world experience. I have been recommending the book to colleagues at work, and for those who are not willing to part with their hard-earned money, the first edition (2001) is freely available in electronic format from the author’s web site.

Book Review: Against The Gods – The Remarkable Story Of Risk

To many practitioners, information security is a form of risk management. Since it is impossible to protect a complex system against all conceivable security threats, an approach based on the assessment of risk is employed to distinguish between the threats that are worth worrying about and those that aren’t. But what exactly does the concept of risk represent? How does one measure (never mind control) risk? This is an age-old problem that mankind has been struggling with for centuries.

Against the Gods: The Remarkable Story of Risk is a historical overview of the advances made in the struggle to measure and control uncertainty. While the author’s viewpoint is primarily that of risk to investments made on the stock market, the lessons learned are of value to security professionals as well. Contrasted with the sophisticated methods employed by financial institutions to control their exposure to the unpredictable ups and downs of the global economy, the risk management methods currently available to security managers seem crude and laughable. If we are to make any headway in the battle against identity theft, data breaches, malware, and all the other information security woes that currently plague us, we need better risk management tools, so that our limited security budgets can be spent more effectively.

Book Review: Understanding UNIX/Linux Programming

I’ve posted a review of Understanding UNIX/Linux Programming: A Guide to Theory and Practice by Bruce Molay on Amazon. While not a security topic per se, a solid grounding in systems programming is a prerequisite for vulnerability researchers and other technically oriented security professionals. Arguably, there is no better introduction to the subject than this book.

Book Review: Security Metrics

My Amazon review of Andrew Jaquith’s Security Metrics: Replacing Fear, Uncertainty, and Doubt has been posted. I wasn’t as enthusiastic about it as many others, and in my review, I explain why. Nevertheless, I found the thorough discussion of security metrics useful enough to give the book three stars. Managers charged with running an effective information security program should check it out.

Book Review: The Psychology of Information Security Awareness

I’ve just posted a review of Timothy P. Layton’s Information Security Awareness: The Psychology Behind the Technology on Amazon. There is a worthwhile premise within, but the book misses the mark by failing to build on it in any meaningful manner. You won’t miss much if you read the “Coles Notes” version of this one.
