I came into work today (with my surgery I wasn’t supposed to be up and around til tomorrow) because we were having our mandatory HIPAA training again and I didn’t want to have to go to a special session, even though I find it fairly unlikely that I’ll even touch anything HIPAA related before the next mandatory training session rolls around. I tried to make it a good time, though, as I do with all meetings.
It started off with a bang when the presenter asked us to all fill out an amusing form for which we would each receive a prize, the fastest three receiving a better prize than the rest of us. It was full of silly things along the lines of certain internet quizzes which obviously required putting down personal information. I guess it wasn’t really obvious because at first I was trying to figure out what they meant by ‘your NASCAR name’ and figured since I didn’t know anything about NASCAR I was failing some sort of quiz. To my relief, it seems as though Brian thought so too as he started asking the questions I was thinking. Once I got it I figured out it was an example of social engineering, so I lied on all the pieces of information that aren’t readily available. I did salt it with truth in that I drive an S-10 Pickup and my middle name. Unfortunately my thought experiment in deciding how much of a lie would be believable kept me from finishing in the money. When it came time for the presenter to divulge that we’d all been socially engineered it resulted in this conversation:
Presenter: “So for a little toy you gave me all this personal information.”
Me: “But I lied on all of it.”
Presenter (smiling): “But you gave me information.”
Me: “Yes, but it was incorrect information.”
Presenter (still smiling): “But it was still information, correct?”
Me: “Incorrect information.”
It might have gone on, but Guy pointed out I’m one of the tinfoil hat guys that deals with security. The presenter* said that we should go so far as to make the entries in our cell phones anonymous. We shouldn’t have a HOME phone number detailed with that moniker because someone who finds our lost phone would know that bit of information easily. I spoke up and said that I thought that was going a bit far, because my home address and phone number are easily obtained through Google or the phone book, so saving some malicious person a handful of seconds on finding my home number really buys them nothing.**
As the meeting was wrapping up the presenter noted that none of us were wearing our badges. Upper campus is pretty strict about badge wearing and display, where down among us working people it’s generally not required. The presenter seemed a bit concerned that an interloper could just walk among us unchallenged because they didn’t have the proper piece of plastic affixed to a lapel.*** I piped up with one last little thing:
“Well, I can see that badge you’re wearing there, and you’ve just given me a bit of information.”
One of my finer meetings. Lucky for me it’s recorded, and probably on our wiki. I’d give you the URL, but…
——————–
*I’ll diverge here and say that I’ve habitually removed personalization even in the gender of the presenter for some compulsive reason, so maybe the training was preaching to the choir on this one.
**And it makes it harder for an honest person to do the right thing.
*** Which is silly, really.****
**** comment redacted… stupid anecdotal information availability protection getting in the way of entertainment.