CAMBRIDGE, Md. -- Ralph Echemendia, an independent IT security contractor -- also known as a "white hat" or "ethical" hacker -- first learned the ins and outs of complex networking in a health care setting. Although he has since gone on to work for large entertainment companies and a host of clients in other industries, he still works for health care organizations that give him very little information beyond a challenge such as "here's the address of our office tower; find and get into our data center." The goal is to find holes in the organizations' health care IT security policies.
Through clever technological and social engineering means, he's rarely thwarted, Echemendia told attendees at the HealthTech Council's fall meeting in Cambridge, Md. We sat down with him to discuss just what an ethical hacker does, and where he thinks health care CIOs and their compliance-officer peers should look to shore up vulnerabilities in their own privacy and security policies. His advice in a nutshell: Technology controls for securing information are the easy part; training all the humans to abide by the policies is the hard part.