LogBlog


Find Your HIPAA Violations Before Others Do

by Lex van den Berghe
LogLogic Customer Evangelist

Dominique Levin previously wrote on this blog about Kaiser Permanente after it fired nurses for unauthorized access to Nadya Suleman’s “Octomom” healthcare records. Dominique raised the question of whether it would have been better for Kaiser to hide its findings, since disclosing the dismissals led to hefty fines. To get to the bottom of this I interviewed Mark Seward, our resident HIPAA expert and Director of Product Management at LogLogic.

Lex: Should Kaiser have kept quiet about the privacy violations?

Mark: No! Proactively disclosing the breach was not only the right thing to do, it also minimized Kaiser’s fines. Had Kaiser failed to disclose the HIPAA violations, and had the violations been later discovered by outsiders, the fines could have been much higher.

Lex: How much higher?

Mark: There are a number of healthcare resources online that lay it out pretty clearly, but it basically boils down to this: If I access a record that I shouldn’t because “I didn’t know I shouldn’t do that”, the fine is $100 per violation (read: per record, so if 250 records are breached that is $25,000). However, if there is “reasonable cause” to think that these privacy violations aren’t inadvertent, fines go up 10 times (!) to $1,000 per violation. But if my behavior is deemed to be due to “willful neglect”, fines are a whopping 100 times (!) higher as compared to inadvertent disclosure: $10,000 for each violation.

Lex: So what should health organizations do?

Mark: Follow the Kaiser Permanente example! Monitoring and periodically reviewing who is accessing patient information is a really good idea, and the (log management) technology to do so is readily available. Not adopting such basic security measures could soon be seen as “willful neglect”. Also look out for more guidance from the Office of the National Coordinator for Health Information Technology (ONCHIT). They will annually “issue guidance on the most effective and appropriate safeguards for use in carrying out the sections…”. Access monitoring will likely be included as a foundational requirement, as it has been in other security standards, such as the Payment Card Industry Data Security Standard.

So there you have it: self-monitoring and self-regulation may be a very worthwhile investment for healthcare organizations that must navigate the confusing and perilous seas of regulatory compliance. In much the same way that putting coins in the family “curse/swear-jar” builds a foundation for good behavior in the future, the practice of voluntary disclosure when inappropriate information access has occurred is a solid investment for healthcare organizations in the long run.
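The access review Mark describes above, as an added example that is not LogLogic’s code and not part of the original post: it runs over a constructed EHR record-access audit trail and returns the two lists a reviewer would want, accesses by staff with no treatment relationship to the patient, and every access to a watch-listed record. The audit line layout, the care-team table, the watch list and the billing-role exemption are all assumptions made for the example.

```python
# Added example, not LogLogic's code or the product described on the page.
# Reviews a constructed EHR record-access audit trail for the two things the
# interview recommends monitoring: staff who open charts of patients they are
# not treating, and any access at all to records on a watch list.
import csv
import io
from collections import Counter

# Constructed sample audit lines (not real data): timestamp,user,role,patient_id,action
AUDIT_LOG = """\
2009-09-12T08:01:00,nurse_a,nurse,P1001,view
2009-09-12T08:05:00,nurse_b,nurse,P1001,view
2009-09-12T09:10:00,nurse_c,nurse,P2002,view
2009-09-12T09:12:00,clerk_d,billing,P2002,view
2009-09-12T10:30:00,nurse_b,nurse,P2002,view
2009-09-12T11:45:00,nurse_b,nurse,P2002,print
2009-09-12T12:00:00,nurse_a,nurse,P3003,view
"""

# Hypothetical care-team table: which staff have a treatment relationship
# with each patient. In practice this comes from the scheduling/ADT system.
CARE_TEAM = {
    "P1001": {"nurse_a", "nurse_b"},
    "P2002": {"nurse_c"},
    "P3003": {"nurse_a"},
}

# Hypothetical watch list of high-profile patients whose records warrant
# review of every access, authorised or not.
WATCH_LIST = {"P2002"}

# Roles assumed to open records outside any care team (e.g. billing);
# their accesses still surface through the watch-list check.
EXEMPT_ROLES = {"billing"}

FIELDS = ("timestamp", "user", "role", "patient_id", "action")


def parse_audit_log(text):
    """Parse CSV audit lines into dicts; blank lines are skipped."""
    return [dict(zip(FIELDS, row)) for row in csv.reader(io.StringIO(text)) if row]


def unauthorized_accesses(events, care_team=CARE_TEAM, exempt_roles=EXEMPT_ROLES):
    """Events where the user is neither on the patient's care team nor exempt."""
    return [
        ev for ev in events
        if ev["role"] not in exempt_roles
        and ev["user"] not in care_team.get(ev["patient_id"], set())
    ]


def watch_list_accesses(events, watch_list=WATCH_LIST):
    """Every access to a watch-listed record, regardless of authorisation."""
    return [ev for ev in events if ev["patient_id"] in watch_list]


def review_report(events):
    """Per-user count of suspect accesses and the distinct records touched:
    the figures a periodic access review would present."""
    hits = unauthorized_accesses(events)
    per_user = Counter(ev["user"] for ev in hits)
    records = {}
    for ev in hits:
        records.setdefault(ev["user"], set()).add(ev["patient_id"])
    return {
        user: {"accesses": n, "patients": sorted(records[user])}
        for user, n in per_user.items()
    }


if __name__ == "__main__":
    events = parse_audit_log(AUDIT_LOG)
    for ev in unauthorized_accesses(events):
        print("UNAUTHORIZED", ev["timestamp"], ev["user"], ev["patient_id"], ev["action"])
    for ev in watch_list_accesses(events):
        print("WATCHLIST   ", ev["timestamp"], ev["user"], ev["role"], ev["action"])
    print(review_report(events))
```

The two checks are kept separate on purpose: a care-team check catches the curious colleague with no business in a chart, but it says nothing about an authorised clinician who views a flagged record far more often than treatment requires, which is what a watch list is for. The billing exemption is the usual weak spot; anyone in an exempt role is invisible to the first check, so those roles should be small and their activity reviewed through the second.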

You can also learn more about HIPAA and the HITECH Act by reviewing the official U.S. Department of Health & Human Services guidance document.

Posted September 29, 2009


Big Data is information overload. Organized.

by Dimitri McKay
LogLogic Security Architect


Recently I was quoted in an article on CNet about “Big Data”. Dave Rosenberg made some excellent observations about how Big Data is being handled, and spotlighted some companies that are developing FOR Big Data.

But it got me thinking…Do most people really understand what Big Data is?

Big Data is a phrase that is becoming increasingly popular. It implies that we are moving from the Terabyte age to the Petabyte age. It has become the latest challenge for large enterprises and government. It’s not just a buzzword. It’s a real problem that IT departments everywhere are struggling with. And storage isn’t the hardest part of Big Data. In fact, storage is easy. We have the ability to store petabytes and exabytes of data today. But making SENSE of that data…that is the real challenge.

Big Data, as with most quantifications, is a relative term.

How do you know when you have Big Data? Here’s how. If you have to ask yourself “How are we going to store this, organize this and manage this? How are we going to get information out of this that’s useful?”...then you have Big Data.

Martin Wattenberg, a mathematician and computer scientist at IBM's Watson Research Center in Cambridge, Massachusetts says, “You can talk about terabytes and exabytes and zettabytes, and at a certain point it becomes dizzying. The real yardstick to me is how it compares with a natural human limit, like the sum total of all the words you'll hear in your lifetime. That's surely less than a terabyte of text. Any more than that and it becomes incomprehensible by a single person, so we have to turn to other means of analysis: people working together, or computers, or both.”

And he’s right. The more you have, the harder it is to work with. But if it is analyzed, you can glean incredible information from it.

Data on a corporate network, whether it be database data, tons and tons of flat files, or even log data, is often unstructured and hard to make sense of. For some, this is a nightmare. The capture and storage of mass amounts of data is a thorn in the side of the average CTO. But on the academic side, on the research side, on the private sector side, this data is a goldmine. Being able to trend events over time, to build predictive models, and to index the entire internet... that’s big. To use it as a performance tool and to identify throughput and use cases... that’s big. Big Data then becomes a decision-making tool.

But what caused this?

Over time, disk prices dropped as data storage requirements went ever skyward. And with the advent of cheap storage, the need to delete that data went down. With more and more data being stored and going online every day, suddenly the focus shifted to data security. How do we protect our data? How do we know if our data has been stolen? If it’s been stolen, who stole it?

Before we knew it...storing data for the sake of forensics was on the rise, and after a rash of IP and user data thefts, compliance from the Payment Card Industry kicked in, as did the scourge of all public companies.... compliance with Sarbanes-Oxley (SOX). Soon HIPAA grew some teeth in the healthcare industry, and ISO 17799 came into effect. All of these mandates required audit trails to be retained for periods ranging from three months to seven years. That’s when the log data piece of Big Data became a major part of the pie. Think about it. We’re talking about the storage of every log message from every device on a corporate network for up to seven years!

NOW we’re talking about BIG DATA.

Soon you may find yourself asking, “How are we going to store our data, organize our data and manage our data? How are we going to get information out that’s useful?”

It’s at that point you’ll realize that you too have Big Data.

Posted September 23, 2009


Logs are the New Sexy!

By Lex van den Berghe
LogLogic Customer Evangelist

My day-to-day world is all about logs, logging and log management. And no offense to all of you logophiles out there, but to be honest, until recently I would’ve never imagined using the word ‘log’ and ‘sexy’ in the same sentence. But, believe it or not – logs are sexy.

Case in point: Britney Spears. Stuck in there, right along with her melodic moan, bare midriff and those signature gyrating moves are…logs! (More on this later.)

I have one of the best jobs ever at LogLogic – I talk to our customers. And one of the perks of this gig is that I get to hear about real-world use cases and the stories that go along with them. And you know what? A lot of these stories are shocking, sensational, smoking hot and sexy.

I find it fascinating that so many of the conversations I have with customers regarding their LogLogic success stories are actually some of the same stories featured on the covers of our global newspapers and tabloid magazines. Here are just a few scandalous topics that made their way into our lively dinner conversation at a recent customer event (disclaimer: these may or may not involve actual LogLogic customers):

-  Britney Spears & “Octomom” Nadya Suleman, who share a not-so-rare but vexing by-product of celebrity…medical patient records that were improperly and illegally accessed

-  The recent theft of 130 million credit and debit card numbers – believed to be the world’s largest hacking and identity theft case ever prosecuted

-  This summer’s stock fraud scandal involving a rogue French futures trader who lost over seven billion dollars of his bank’s money – one of the largest banking scandals in history

Each of these juicy scandals shares a common thread: the problem (and the solution/resolution) is all about the data, and as a log-geek you know that where there’s data, there are logs.

We are hopelessly dependent on “big data” – the massive quantity of data that is woven into the very fabric of our world. Our economies, our governments…even our societies (e.g. facebook, MySpace, LinkedIn, Twitter, Flickr…) are inextricably bound to the data that they generate and on which they depend. And the scandalous stories that make our world go ‘round, also generate squillions of logs, leaving behind the digital equivalent of a fingerprint, or bread crumb trail or a fallen airplane’s black box – basically, all the clues you need to solve the crime, save the girl or paint a complete picture.

This is profoundly cool and sexy stuff. Logs are not just nerd fodder anymore…they are the New Sexy.

Got a log management story you'd like to share? We are always stoked to hear about product implementations and use cases from our customers. Contact me directly and share your stories – the good, the bad, the ugly…and yes, the sexy! I promise you…your story will not end up on the cover of the tabloid magazines – but more likely than not, it should!

Posted September 18, 2009
