In an article that hit the web this week, a new DHHS rule is purported to allow health care providers to determine if their privacy breaches have caused any harm. While I understand the nature of assigning the reporting burden to healthcare companies, I don’t think this new rule is in the public’s (or patient’s) best interest. We already know that most complaints related to HIPAA are not investigated. This new provision all but ensures that most breaches will not even be reported.
Let’s not kid ourselves…although we’d all like to think that our health care organizations are worthy of our trust and good faith (and many are), when all is said and done, they are businesses and they need to keep the bottom line in mind at all times. These new “self-service” breach notification rules could put some of us on the unpleasant receiving end of what happens when the fox holds sentry over the chicken coop.
With that said, it’s worth pointing out that in a recent independent survey of several hundred IT practitioners in the healthcare industry, a whopping 80 percent of the respondents reported that their organization had experienced one or more data breaches involving the loss or theft of electronic health information in the past year!
The real solution is stringent monitoring, along with input from an external party, like a privacy ombudsman. This is a model followed today by many press organizations, as well as police departments with regard to misconduct complaints.
Read the full article here: http://bit.ly/4CaTPG
Posted by Lex Van den Berghe on November 19, 2009
By Dominique Levin
EVP Marketing and Strategy
As the national debate about overhauling the $2.5 trillion United States healthcare system rages, the federal government is already investing tens of billions of dollars as part of the stimulus program to push our medical care industry to shift from paper to computer records.
In our rush to computerize patient records to reap the benefits of higher quality of care and safety, and to better control fraud, who is making sure that our private medical records are being protected?
To better understand the issues, we at LogLogic spoke with some of our largest healthcare customers about their steps to bolster patient privacy protection. We also partnered with the independent research firm the Ponemon Institute to survey 542 senior IT practitioners from healthcare organizations with an average of more than 1,000 employees about how secure they believe electronic patient medical records are.
According to the October 2009 Ponemon report, “Electronic Health Information at Risk: A Study of IT Practitioners,” 80 percent of healthcare organizations had experienced at least one incident of lost or stolen electronic health information in the past year – four percent had more than five patient data breaches. More than two-thirds of these healthcare organizations had already digitized at least a quarter of their patient records and a third had digitized more than half.
The most surprising finding was that almost three-quarters of respondents said their organization had failed to make patient record protection a priority.
At LogLogic, we think this presents a unique opportunity for IT security professionals to take a leadership role in this critical national issue. There are new rules mandated by the Health Insurance Portability and Accountability Act (HIPAA) that became effective in September that are important steps towards bridging the traditional gap between “Cover Your Ass” compliance and real IT security.
To find out more highlights and read a complete copy of the Ponemon Institute study and the LogLogic healthcare customer survey, please take a moment to register at our site at www.loglogic.com/resources/analyst-reports/ponemon-electronic-health-info-at-risk/
In LogLogic’s interviews with senior security professionals responsible for overseeing the protection of hospital patient records, a consensus emerged that best practices in securing patient privacy go beyond HIPAA compliance. New technologies allow hospitals to more closely monitor and protect patient privacy than ever before. The recent changes in HIPAA also put more stringent requirements on medical organizations to secure patient privacy. Hospital security professionals today have a unique opportunity to be patient privacy heroes.
If you’re in the healthcare industry, do you feel you have a role to play as a privacy hero? Let us know. We want to hear from you.
Posted by Dominique Levin on October 20, 2009
by Lex van den Berghe
LogLogic Customer Evangelist
Back in simpler times, the “high tech” approach to breach notification was a gang of domestic geese or peacocks posted as sentries ‘round the farm to squawk bloody murder whenever strangers approached the property line. Times have changed, as has the definition of “high tech”…but the basic principles and necessity of effective breach notification remain the same.
I spoke with Sudha Iyer, Director of Product Management at LogLogic, and she shared her two cents on breach notification and why it pays to be prepared…
It seems that not a day goes by without a report of a data breach, or a discussion of the latest attack of the Conficker (or other malware) variant. Lest organizations become desensitized to such attacks, I’ve noticed that breach notifications can have a negative impact on the organization’s net worth.
Take the case of Heartland Payment Systems (NYSE: HPY) for example. When markets opened after Heartland’s public announcement of their credit card breach in January 2009, their stock price shrank to $8.54 and plummeted to $3.95 by March 2009. Today, Heartland is fortunate that their stock is almost back to its pre-breach notification price of $14.53.
Despite the continuous flood of public breach notifications like Heartland Payment Systems, I find it troubling that so many organizations continue to act as if they are immune to such attacks. Has the barrage of public breach notifications bred enough apathy so as to undermine the primary reasons for public notifications in the first place? I thought breach notifications were meant to…
· Spur the offending organization into action to put in place the necessary process, people and technology to do the right thing for the individual(s) and the business to which they are accountable.
· Serve as a warning to other organizations to do the same before their data is compromised.
Consider the healthcare industry. The Health Information Technology for Economic and Clinical Health Act (HITECH) includes a health care breach notification law. This interim final rule on the HITECH Act just became effective on September 23rd, and the law requires any organization covered under the Health Insurance Portability and Accountability Act (HIPAA) to notify patients of a data breach involving their personal health information. Will this law, especially with its recent amendments that critics say completely gut the original intent of the bill, achieve the aforementioned aims of data breach notification? This leads to a larger question: does data breach notification adequately protect the consumer or patient whose information is compromised?
If there’s a lesson to be learned here, it would have to be: “Don’t put off until tomorrow, what you can do today.” Rather than be vulnerable and exposed to attack, enterprises should enact the proper defenses and alerts to fend off the perpetrators. If your high tech “farm” could use a good flock of geese or peacocks, check us out…we can help!
Posted by Lex Van den Berghe on October 05, 2009
by Lex van den Berghe
LogLogic Customer Evangelist
Dominique Levin previously wrote on this blog about Kaiser Permanente after it fired nurses for unauthorized access to Nadya Suleman’s “Octomom” healthcare records. Dominique raised the question whether it perhaps would have been better for Kaiser to hide their findings since disclosing the dismissals led to hefty fines. To get to the bottom of this I interviewed Mark Seward, our resident HIPAA expert and Director of Product Management at LogLogic.
Lex: Should Kaiser have kept quiet about the privacy violations?
Mark: No! Pro-actively disclosing the breach was not only the right thing to do, it also minimized Kaiser’s fines. Had Kaiser failed to disclose the HIPAA violations, and had the violations been later discovered by outsiders, the fines could have been much higher.
Lex: How much higher?
Mark: There are a number of healthcare resources online that lay it out pretty clearly, but it basically boils down to this: If I access a record that I shouldn’t because “I didn’t know I shouldn’t do that” the fine is $100 per violation (read: per record, so if 250 records are breached that is $25,000). However, if there is “reasonable cause” to think that these privacy violations aren’t inadvertent, fines go up 10 times (!) to $1,000 per violation. But if my behavior is deemed to be due to “willful neglect”, fines are a whopping 100 times (!) higher as compared to inadvertent disclosure - $10,000 for each violation.
Lex: So what should health organizations do?
Mark: Follow the Kaiser Permanente example! Monitoring and periodically reviewing who is accessing patient information is a really good idea and the (log management) technology to do so is readily available. Not adopting such basic security measures could soon be seen as “willful neglect”. Also look out for more guidance by the Office of the National Coordinator for Health Information Technology (ONCHIT). They will annually “issue guidance on the most effective and appropriate safeguards for use in carrying out the sections…”. Access monitoring will likely be included as a foundational requirement as it has been in other security standards, such as the Payment Card Industry Data Security Standard.
So there you have it…self-monitoring and self-regulation may be a very worthwhile investment for healthcare organizations who must navigate the confusing and perilous seas of regulatory compliance. In much the same way that putting coins in the family “curse/swear-jar” builds a foundation for good behavior in the future, the practice of voluntary disclosure, when inappropriate information access has occurred, is a solid investment for healthcare organizations in the long run.
You can also learn more about HIPAA and the HITECH act by reviewing the official U.S. Department of Health & Human Services guidance document.
Posted by Lex Van den Berghe on September 29, 2009
by Dimitri McKay
LogLogic Security Architect
Recently I was quoted in an article on CNet about “Big Data”. Dave Rosenberg made some excellent observations about how Big Data is being handled, and spotlighted some companies that are developing FOR Big Data.
But it got me thinking…Do most people really understand what Big Data is?
Big Data is a phrase becoming increasingly more popular. It’s a statement which implies that we’re moving from the Terabyte age to the Petabyte age. It has become the latest challenge for large enterprises and government. It’s not just a buzz word. It’s a real problem that IT departments everywhere are struggling with. And storage isn’t the hardest part of Big Data. In fact, storage is easy. We have the ability to store petabytes and exabytes of data today. But making SENSE of that data…that is the real challenge.
Big Data, as with most quantifications, is a relative term.
How do you know when you have Big Data? Here’s how. If you have to ask yourself “How are we going to store this, organize this and manage this? How are we going to get information out of this that’s useful?”...then you have Big Data.
Martin Wattenberg, a mathematician and computer scientist at IBM's Watson Research Center in Cambridge, Massachusetts says, “You can talk about terabytes and exabytes and zettabytes, and at a certain point it becomes dizzying. The real yardstick to me is how it compares with a natural human limit, like the sum total of all the words you'll hear in your lifetime. That's surely less than a terabyte of text. Any more than that and it becomes incomprehensible by a single person, so we have to turn to other means of analysis: people working together, or computers, or both.”
And he’s right. The more you have, the harder it is to work with. But, if analyzed, you can glean incredible information.
Data on a corporate network, whether it be database data, tons and tons of flat files, or even log data is often unstructured and hard to make sense of. For some, this is a nightmare. The capture and storage of mass amounts of data is a thorn in the side of the average CTO. But on the academic side, on the research side, on the private sector side – this data is a goldmine. Being able to trend events over time, to build predictive models, and to index the entire internet... that’s big. To use it as a performance tool and to identify throughput and use cases... that’s big. Big Data then becomes a decision making tool.
But what caused this?
Over time, disk prices dropped as data storage requirements went ever skyward. And with the advent of cheap storage, the need to delete that data went down. With more and more data being stored and going online every day, suddenly the focus shifted to data security. How do we protect our data? How do we know if our data has been stolen? If it’s been stolen, who stole it?
Before we knew it...storing data for the sake of forensics was on the rise, and after a rash of IP and user data thefts, compliance from the Payment Card Industry kicked in, as did the scourge of all public companies.... compliance to Sarbanes-Oxley (SOX). Soon HIPAA grew some teeth in the healthcare industry, and ISO 17799 came into effect. All of these mandates required audit trails for a period of time from three months to seven years. That’s when the log data piece of Big Data became a major part of the pie. Think about it. We’re talking about the storage of every log message from every device on a corporate network for up to seven years!
NOW we’re talking about BIG DATA.
Soon you may find yourself asking, “How are we going to store our data, organize our data and manage our data? How are we going to get information out that’s useful?”
It’s at that point you’ll realize that you too have Big Data.
Posted by Lex Van den Berghe on September 23, 2009
By Lex van den Berghe
LogLogic Customer Evangelist
My day-to-day world is all about logs, logging and log management. And no offense to all of you logophiles out there, but to be honest, until recently I would’ve never imagined using the word ‘log’ and ‘sexy’ in the same sentence. But, believe it or not – logs are sexy.
Case in point: Britney Spears. Stuck in there, right along with her melodic moan, bare midriff and those signature gyrating moves are…logs! (More on this later.)
I have one of the best jobs ever at LogLogic – I talk to our customers. And one of the perks of this gig is that I get to hear about real-world use cases and the stories that go along with them. And you know what? A lot of these stories are shocking, sensational, smoking hot and sexy.
I find it fascinating that so many of the conversations I have with customers regarding their LogLogic success stories, are actually some of the same stories featured on the covers of our global newspapers and tabloid magazines. Here are just a few scandalous topics that made their way into our lively dinner conversation at a recent customer event (disclaimer- these may or may not involve actual LogLogic customers):
- Britney Spears & “Octomom” Nadya Suleman, who share a not-so-rare, but vexing by-product of celebrity…medical patient records that were improperly and illegally accessed
- The recent theft of 130 million credit and debit card numbers – believed to be the world’s largest hacking and identity theft case ever prosecuted
- This summer’s stock fraud scandal involving a rogue French futures trader who lost over seven billion dollars of his bank’s money – one of the largest banking scandals in history
Each of these juicy scandals share a common thread – the problem (and solution/resolution) is all about the data, and as a log-geek you know that where there’s data, there are logs.
We are hopelessly dependent on “big data” – the massive quantity of data that is woven into the very fabric of our world. Our economies, our governments…even our societies (e.g. facebook, MySpace, LinkedIn, Twitter, Flickr…) are inextricably bound to the data that they generate and on which they depend. And the scandalous stories that make our world go ‘round, also generate squillions of logs, leaving behind the digital equivalent of a fingerprint, or bread crumb trail or a fallen airplane’s black box – basically, all the clues you need to solve the crime, save the girl or paint a complete picture.
This is profoundly cool and sexy stuff. Logs are not just nerd fodder anymore…they are the New Sexy.
Got a log management story you'd like to share? We are always stoked to hear about product implementation and use cases from our customers. Click here to contact me directly and share your stories – the good, the bad, the ugly…and yes, the sexy! I promise you…your story will not end up on the cover of the tabloid magazines – but more likely than not, it should!
Posted by Lex Van den Berghe on September 18, 2009
By Lex van den Berghe
LogLogic Customer Evangelist
Renowned twentieth century statistician W. Edwards Deming said:
“It is not necessary to change. Survival is not mandatory.”
Like it or not, change is a hard reality that permeates every aspect of the world around us (including the IT world), and survival in this ever-changing world depends on our ability to adapt and meet these changes prepared.
I recently interviewed one of our security architects, Jason Kirby about our latest product release, LogLogic Security Change Manager, and this is what he had to say about change and the new product release that can be your secret weapon in surviving the many challenges that today’s IT environments throw at you…
As Network Security Engineers, how many times are we stuck performing the repetitious task of updating firewall policies? This process can be very error prone due to the complexity of the network, and becomes more difficult as multiple firewall solutions are deployed, each with their own unique commands and management interface.
With every change comes the repetition of having to verify routing tables, determining the impacted devices on the path, and relying on notepad to manually type out configs – always a tedious and time consuming process. For these and other frequent changes, wouldn’t a way to automate these changes not only save time but also allow you to focus on the other projects that have to be completed?
LogLogic Security Change Manager was designed to address this problem. Starting in 1997 (as Solsoft Policy Manager) it began with Cisco ACL generation and has grown to manage security policies from all of the major firewall vendors – Juniper, Check Point, Fortinet and Cisco firewalls.
Adding Security Change Manager to your IT environment can help you:
· Focus on an end-to-end policy generation, by linking and adding visibility for the security rules
· Reduce common human errors (i.e. typos, wrong interface application)
· Reduce the amount of work to rollback and modify changes in case the original request was incorrect
· Deploy the changes simultaneously to multiple devices (benchmarked at 300 devices in under 15 minutes) after automatically generating the configurations
· Save time, especially when engineers are not familiar with one or multiple vendor platforms or not familiar with the Network Topology
These are only a few of the benefits of using LogLogic Security Change Manager (SCM). If you were familiar with the old Solsoft product and haven’t seen Solsoft recently, it has grown up! I’d recommend becoming reintroduced so you can see all of the great changes. And if you’re not familiar with Security Change Manager, check out the screencast demo, download a data sheet or sign up for a free trial.
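To make the policy-generation idea above concrete, here is an added example in Python. It is not Security Change Manager code and does not describe how that product works internally; the Rule model, the ACL name OUTSIDE_IN, the iptables chain and the sample policy are all assumptions. It renders one vendor-neutral policy to Cisco IOS named-ACL syntax and to iptables, and flags a rule that an earlier, broader rule already decides, which is exactly the kind of typo-level human error that hand-typing configs into Notepad tends to produce:

```python
"""Compile one vendor-neutral firewall policy to Cisco IOS and iptables syntax,
and flag rules that an earlier rule already decides.

Added illustration only; not LogLogic Security Change Manager code. The Rule
model, the ACL name OUTSIDE_IN, the FORWARD chain and POLICY are assumptions."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str                 # "permit" or "deny"
    proto: str                  # "tcp", "udp" or "ip" (any protocol)
    src: str                    # source CIDR
    dst: str                    # destination CIDR
    dport: Optional[int] = None  # None means any destination port


# Constructed sample policy. Rule 1 can never match because rule 0 already
# permits a superset of it; rule 3 repeats the decision rule 2 already makes.
POLICY = [
    Rule("permit", "tcp", "10.0.0.0/8", "192.168.1.10/32", 443),
    Rule("deny",   "tcp", "10.1.0.0/16", "192.168.1.10/32", 443),
    Rule("permit", "udp", "0.0.0.0/0", "192.168.1.53/32", 53),
    Rule("permit", "udp", "10.0.0.0/8", "192.168.1.53/32", 53),
]


def _cisco_addr(cidr: str) -> str:
    """IOS address syntax: 'any', 'host A.B.C.D', or 'network wildcard-mask'."""
    net = ipaddress.ip_network(cidr, strict=False)
    if net.prefixlen == 0:
        return "any"
    if net.prefixlen == net.max_prefixlen:
        return f"host {net.network_address}"
    return f"{net.network_address} {net.hostmask}"


def to_cisco_ios(policy: List[Rule], acl_name: str = "OUTSIDE_IN") -> List[str]:
    """Named extended ACL. IOS adds an implicit deny; it is written out here."""
    lines = [f"ip access-list extended {acl_name}"]
    for r in policy:
        port = f" eq {r.dport}" if r.dport is not None else ""
        lines.append(f" {r.action} {r.proto} {_cisco_addr(r.src)} {_cisco_addr(r.dst)}{port}")
    lines.append(" deny ip any any")
    return lines


def to_iptables(policy: List[Rule], chain: str = "FORWARD") -> List[str]:
    """Same policy as iptables commands, with a default-drop chain policy."""
    lines = []
    for r in policy:
        parts = [f"iptables -A {chain}"]
        if r.proto != "ip":
            parts.append(f"-p {r.proto}")
        if r.src != "0.0.0.0/0":
            parts.append(f"-s {r.src}")
        if r.dst != "0.0.0.0/0":
            parts.append(f"-d {r.dst}")
        if r.dport is not None:
            parts.append(f"--dport {r.dport}")
        parts.append("-j ACCEPT" if r.action == "permit" else "-j DROP")
        lines.append(" ".join(parts))
    lines.append(f"iptables -P {chain} DROP")
    return lines


def _covers(earlier: Rule, later: Rule) -> bool:
    """True when every packet matching `later` also matches `earlier`."""
    proto_ok = earlier.proto == "ip" or earlier.proto == later.proto
    port_ok = earlier.dport is None or earlier.dport == later.dport
    src_ok = ipaddress.ip_network(later.src).subnet_of(ipaddress.ip_network(earlier.src))
    dst_ok = ipaddress.ip_network(later.dst).subnet_of(ipaddress.ip_network(earlier.dst))
    return proto_ok and port_ok and src_ok and dst_ok


def find_dead_rules(policy: List[Rule]) -> List[Tuple[int, int, str]]:
    """(earlier_index, later_index, kind). 'shadowed' means the decision differs
    (the later rule silently does nothing); 'redundant' means it is the same."""
    findings = []
    for j, later in enumerate(policy):
        for i in range(j):
            if _covers(policy[i], later):
                kind = "shadowed" if policy[i].action != later.action else "redundant"
                findings.append((i, j, kind))
                break
    return findings


if __name__ == "__main__":
    for line in to_cisco_ios(POLICY) + [""] + to_iptables(POLICY):
        print(line)
    for i, j, kind in find_dead_rules(POLICY):
        print(f"rule {j} is {kind} by rule {i}: {POLICY[j]}")
```

Run `find_dead_rules` before rendering: a shadowed deny is the dangerous case, since the generated configs look complete but the restriction the requester asked for never takes effect on any vendor's box.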
Posted by Lex Van den Berghe on September 11, 2009
By Dominique Levin
EVP Marketing and Strategy
In recent studies, the energy sector was deemed the most vulnerable of our nation’s critical infrastructure. A world without functioning energy and utilities companies means businesses shut down, traffic lights go dark and groceries begin to rot. When it comes to energy, security is of utmost importance. The CIA has revealed, “cyberattacks have been used to disrupt power equipment in several regions inside the United States."
Yet the Obama administration is pushing smart grid initiatives that could further undermine the security of our most critical infrastructure. As demonstrated at Black Hat last week, the so-called 'smart meters' are not very smart when it comes to security, and a worm could easily propagate throughout the grid and black out major cities, states, or whole regions.
To get to the heart of this issue, we at LogLogic surveyed our own energy customers to find out how they approach IT security and whether the North American Electric Reliability Corporation's (NERC) compliance standards in fact do help build a secure critical infrastructure.
Over half of utility companies, both large and small, interviewed for this survey, reported they currently experience more than 150 attacks per week.
We also found unanimous concern that compliance with NERC standards alone is NOT sufficient when it comes to protecting the nation’s critical infrastructure.
One respondent even commented at length that NERC causes him to lower his security benchmarks to the lowest common denominator to be in full NERC compliance. The interpretation of NERC in that particular organization dictated that no special 'extra' security could be put in place for one system, without bringing all systems up to that same standard (which was cost prohibitive). Let's hope that this interpretation is the exception, not the rule.
From our interviews it is clear that security professionals are trying their utmost to protect our nation. However, it is also clear that the 'stick of compliance' is required to force management to 'do the right thing'. Many smart meter budgets did not include a line item for security, though that is changing fast now the issue is receiving some national press attention (thank god).
NERC and SOX compliance are consistently cited as helpful, even necessary, to justify security spending with executive management. NERC is supposed to come out with an updated standard in 2010 and security practitioners are hoping for clearer guidance, as well as a higher bar for security in the new standard.
Also, organizations in violation of NERC can be fined up to US$1 million per day per violation, with audits starting from July 1, 2009. We know from other industries, such as the healthcare and payment card industries, that many organizations wait to make security investments until fines are being handed out. For NERC, that's still a 'wait and see'.
You can check out the full report here after registering to download. Please let us know what you think - is NERC enough to secure your business or organization? Can you be 'secure' without being compliant, or compliant without being 'secure'? How much security is enough?
Posted by Dominique Levin on August 05, 2009
Ralph DeFrangesco's blog on IT Business Edge raised a good question on "best of breed" versus "a single comprehensive solution" in the security industry.
Ralph favors a comprehensive solution:
Perhaps there is a middle ground?
First priority when buying security solutions? SECURITY!
Here is the rub, the threat landscape evolves so quickly, it is difficult for large vendors with long development cycles to keep up to date.
However, startups which are too small may not be viable in this tough economic climate.
Perhaps the solution is for medium sized vendors to take the lead and to develop a focused product portfolio.
McAfee is one such example of a "focused" suite vendor. McAfee has multiple product lines, integrated around their ePO platform and APIs. The product portfolio is a lot more focused (and a lot more successful) than Oracle or Computer Associates. Another example is LogLogic. We are by now a medium sized company building a comprehensive portfolio of products in security and log management, integrated around our open log management platform and APIs. LogLogic recently made its first acquisition by buying Exaprotect. Exaprotect had two complementary product lines in security event management and security change management. The combined products deliver better visibility and control at a lower cost.
You can read more on the acquisition http://bit.ly/rLlJt.
Posted by Dominique Levin on July 23, 2009
Why is Kaiser Permanente being fined for doing the right thing when it comes to privacy and information protection?
See here.
Kaiser Permanente’s Bellflower Hospital is also finding out how serious federal officials are about HIPAA privacy rules. This current incident involves the records of Nadya Suleman's octuplets. The hospital has been fined $187,500 for failing to protect their medical privacy.
Kaiser Permanente’s Bellflower Hospital apparently didn’t take seriously its role in protecting patients’ medical records, as this is the second time it has been fined. The first was in May for employees looking at Suleman’s medical information. The fine then was $250,000.
It is true that Kaiser nurses inappropriately looked at octomom Nadya Suleman's healthcare records. But Kaiser is also one of few hospitals that has sophisticated monitoring technology in place to detect that privacy violations are occurring so that they can take disciplinary action. In this case, they promptly fired the nurses involved, see here.
At the time of the firing, I thought of writing a blog congratulating Kaiser. They are doing something right! Few hospitals can detect such privacy violations and even fewer hospitals are willing to go public with the findings and openly fire employees. People in the security industry know that 100% prevention of these types of violations is impossible. Nurses need access to patient records. Setting access rights on patient information too tight could cost human lives. What if at the crucial moment in a patient's treatment, a nurse is denied access to a patient file? You get the picture. Therefore, where you cannot 100% prevent access to information, you must monitor access to information. And if those people abuse their access privileges, you discipline them. This is what Kaiser did.
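The monitoring this post and Mark Seward's September 29 interview both call for (review who opened which record, then let people decide) can be sketched in a few lines. The Python below is an added example, not LogLogic's or Kaiser Permanente's code and not a description of how Kaiser detected its violations. The audit-log format, the `assigned` field (whether the user was on the patient's care team at access time), the threshold of three viewers and every log line are constructed assumptions. Nothing is blocked; the output is the review queue that makes the disciplinary step possible:

```python
"""Review an EHR access log for the two patterns the posts describe: staff
opening records of patients they are not assigned to, and one patient's record
drawing a crowd of viewers.

Added illustration only; not LogLogic's or Kaiser Permanente's code. The log
format, the field names, the thresholds and SAMPLE_LOG are assumptions."""
from collections import Counter, defaultdict
from typing import Dict, List, Tuple

# Constructed sample audit log: one access event per line, key=value fields.
# 'assigned' assumes the EHR records care-team membership at access time.
SAMPLE_LOG = """\
2009-07-10T08:02:11 user=nurse_a role=RN patient=P1001 action=view assigned=yes
2009-07-10T08:05:47 user=nurse_b role=RN patient=P1001 action=update assigned=yes
2009-07-10T09:14:02 user=nurse_c role=RN patient=P1001 action=view assigned=no
2009-07-10T09:15:30 user=clerk_d role=ADMIN patient=P1001 action=view assigned=no
2009-07-10T09:16:55 user=nurse_e role=RN patient=P1001 action=view assigned=no
2009-07-10T09:20:10 user=dr_f role=MD patient=P1001 action=view assigned=no
2009-07-10T10:00:00 user=nurse_a role=RN patient=P2002 action=view assigned=yes
2009-07-10T10:01:00 user=nurse_b role=RN patient=P2002 action=update assigned=yes
2009-07-10T11:30:00 user=nurse_c role=RN patient=P3003 action=view assigned=no
"""


def parse_log(text: str) -> List[Dict[str, str]]:
    """Turn 'timestamp key=value key=value ...' lines into dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, _, rest = line.partition(" ")
        event = {"ts": ts}
        for field in rest.split():
            key, _, value = field.partition("=")
            event[key] = value
        events.append(event)
    return events


def unassigned_accesses(events: List[Dict[str, str]]) -> List[Tuple[str, str, str, str]]:
    """Accesses by staff not on the care team. Access is not blocked (there may
    have been a legitimate clinical reason); each event is queued for review."""
    return [(e["ts"], e["user"], e["patient"], e["action"])
            for e in events if e.get("assigned") == "no"]


def repeat_offenders(events: List[Dict[str, str]], min_count: int = 2) -> Dict[str, int]:
    """Users with repeated unassigned accesses in the reviewed period."""
    counts = Counter(user for _, user, _, _ in unassigned_accesses(events))
    return {user: n for user, n in counts.items() if n >= min_count}


def crowded_records(events: List[Dict[str, str]], max_distinct_users: int = 3) -> Dict[str, List[str]]:
    """Patients whose record was opened by more distinct users than a care team
    normally needs: the pattern a celebrity admission produces."""
    viewers = defaultdict(set)
    for e in events:
        viewers[e["patient"]].add(e["user"])
    return {p: sorted(v) for p, v in viewers.items() if len(v) > max_distinct_users}


def review_report(text: str, max_distinct_users: int = 3) -> Dict[str, object]:
    """Everything a privacy officer needs to open a review, in one structure."""
    events = parse_log(text)
    return {
        "unassigned": unassigned_accesses(events),
        "repeat_offenders": repeat_offenders(events),
        "crowded": crowded_records(events, max_distinct_users),
    }


if __name__ == "__main__":
    report = review_report(SAMPLE_LOG)
    for ts, user, patient, action in report["unassigned"]:
        print(f"REVIEW {ts} {user} {action} {patient} (not on care team)")
    for user, n in report["repeat_offenders"].items():
        print(f"REPEAT {user}: {n} unassigned accesses")
    for patient, users in report["crowded"].items():
        print(f"CROWD  {patient} opened by {len(users)} distinct users: {', '.join(users)}")
```

The threshold is deliberately a parameter: a trauma admission legitimately draws many viewers, so the number should come from the organization's own baseline, and the "unassigned" list is a queue for a human, not a verdict.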
So why exactly is Kaiser being punished so hard? Are regulatory oversight bodies implicitly saying that it would have been better for Kaiser NOT to do any monitoring, not to detect the privacy violations and NOT to fire the nurses?
I still believe Kaiser was doing the right thing and they should be applauded, rewarded, not punished for it! If I have the choice, I will be a patient at Kaiser any day.
Posted by Dominique Levin on July 22, 2009