May 22, 2019

Disclaimer: We are a transparent organization, and this is going to be very (very) transparent.
All day, every day I speak to CIOs, CTOs, CISOs, IT Directors, Risk Management Professionals, etc. in charge of managing information related risk within their organizations, who are aspiring to reach the level of security they want or need. That’s why we are here, to help these technology and security professionals bridge their knowledge and resource gaps to prove their organizations are secure and compliant.
One result of all this security-related conversation is a significant level of skepticism on my part (which did not need bolstering to begin with) that I can trust people with my personal data. This plays out in many areas of my life: Are online payment apps like Venmo really secure? Can I trust logging into my bank account from a computer that isn’t mine? Is the open hotel WiFi something I can safely connect to? But nothing compares to my annual OBGYN visit. This is where I really hand over the keys to the kingdom (and that’s not a euphemism for my lady bits).
My primary concern during a visit used to be dropping my pants, letting a stranger examine my private parts, and them finding something wrong … Being in information security has put those concerns on the back-burner. Let me share a little about what it’s like to be me…

View our free cybersecurity resources »

Security Risks at an OBGYN Office

Before I even show up to my appointment I’m forced to jump onto a web page and type my most personal information into a “secure patient portal.” It’s every piece of information needed to steal my identity. All I can think is, “Has this web app been scanned for potential vulnerabilities? Is it built on a secure platform? Where is my data even kept? In the cloud? On-prem? How is it transferred and who has access to it?”
Although the receptionist who greets me when I show up for the appointment is as pleasant as a cold margarita on a July afternoon, all I can think about is if she has gone through any security awareness training? Has she scored well on her phishing assessments? One wrong click on a malicious email from her and my social security number that I just submitted on the “secure patient portal” is being sold for $15 on the dark web.
My mind continues to race in the exam room. Most women with their legs in stirrups (private parts exposed to the world) are more concerned about what their OB is searching for and may find, while all I’m concerned about is how exposed my information is. Once I even asked if she conducted a penetration test on her “secure patient portal” while I was doing the no-pants-dance in her exam room.
Doc… Don’t ask me when my last pap smear was until you tell me when you last patched the version of Windows on that machine you are entering all my information into.
While my doctor is setting up the mammogram machine I’m not thinking about a potential lump in my breast—instead, I’m wondering if I ever saw their HIPAA policy. We recommend to clients all the time to require important vendors to complete a third-party due diligence questionnaire (the likeness of which I compare to that tedious health history form). I’ve considered showing up to my appointment with a SIG questionnaire and say, “I’ll fill out yours if you fill out mine.” (I picture this happening in slow motion and the whole office gasping at my strong-arm move. Information security has even infiltrated my fantasies.)
That’s what living in the world of information security has done to me. I think it’s time for that margarita… but need to put my pants on first.
If you’ve got information security worries on your mind (like me), contact Pivot Point Security. We can empathize, and we can help.

ISO 27001

ISO 27001 is manageable and not out of reach for anyone! It’s a process made up of things you already know – and things you may already be doing.
Get your ISO 27001 Roadmap – Downloaded over 4,000 times