July 02, 2009

Intellitactics on Medical ID Theft and Health Reform

Sunil Bhargava: The White House is kicking up the volume on health care reform and several plans are under consideration. While the overriding goal of healthcare reform is to ensure the right to healthcare for a larger segment of the US population, it will require a close look at taking the cost out of healthcare by providing streamlined, secure management of health information. Everyone knows that the collection of and access to patient information represents a major portion of the cost of healthcare. Overall, the prevalence of legacy systems, processes requiring redundant data collection and incompatible databases creates lots of cost in delivering patient care. In the following post, guest author Warren Axelrod suggests that forethought can minimize the exposure to unavoidable costs resulting from medical ID theft.

Warren Axelrod: In an article by Walecia Konrad (6/13/09 New York Times, “A New Ailment: Medical ID Theft: Treatment at Your Expense, Or at Least Your Insurer’s”) I read that medical ID theft is on the rise. Medical ID theft is when someone hijacks your health card account and charges all manner of services without your knowledge. Usually you only become aware of it when a red flag is raised, in the form of you exceeding your limit or you being notified of charges that you did not make. So how are credit card account ID theft and medical account ID theft different?

For one, if “Joe” (the thief) steals your medical ID and charges various services to your account, the information relating to Joe’s medical condition is protected personal information under HIPAA (Health Insurance Portability and Accountability Act). The implications are somewhat ridiculous but are surely unintended consequences of HIPAA. The article states that if and when your medical information is intermingled with Joe’s, you may have trouble accessing your files since HIPAA apparently requires that Joe’s medical information, which may be intertwined amongst your records, must be kept confidential. The article goes on to state that the discovery of “erroneous information in … medical files … may pose a bigger danger than the financial risks.” These risks include the possibility that a doctor will make an incorrect diagnosis or prescribe the wrong treatment because he/she is distracted by Joe’s information in your file.

As President Obama pushes for the massive automation of medical records, we must take into account the risks that medical account hijacking imposes. As more information is converted to electronic form, the security of those records becomes increasingly at risk. Yes, automation will likely yield greater efficiencies and lower direct costs. However, the cost of ID theft and its consequences to the health and financial wellbeing of the patient must be taken into account. While there is money to be saved by automating health records, there is money to be spent building the requisite levels of security. The indirect costs resulting from misdiagnosis and from rectifying damaged credit ratings are less easily measured than direct out-of-pocket costs, and therefore much more likely to be ignored. Positive results from reform could likely be diminished by the impact of lax security.

Pam Dixon, executive director of the World Privacy Forum, is quoted as saying, “Without aggressive safeguards, we could be building an infrastructure for massive medical fraud.” Agreed. So the mission is clear: design and implement the requisite security measures before the system is developed, rather than afterwards when the costs will be orders of magnitude greater.

Want to know more about securing patient information? Go to www.intellitactics.com to learn about HIPAA compliance.

June 30, 2009

Intellitactics - NEW Book Review

Sunil Bhargava: It might appear that the security industry isn’t making as much progress as we might expect against increasingly sophisticated and damaging exploits. When we step back to assess the reasons there doesn’t appear to be more progress we have to consider if we’re doing anything different today than we were doing five years ago. We reviewed a new book – Enterprise Information Security and Privacy (Artech House, 2009) and interviewed one of the editors, Warren Axelrod, in our First Person Series podcast “Busting Security Myths”. This book focuses on new thinking and has many stellar contributors, subject matter experts from several verticals like financial, telecommunications, energy and transportation. Here’s Warren Axelrod, one of the editors, giving a preview of what new information the book provides.

From the desk of Warren Axelrod: In the new book Enterprise Information Security and Privacy, edited by Jennifer Bayuk, Dan Schutzer and me, we quoted Marshall McLuhan, who stated:

Our Age of Anxiety is, in great part, the result of trying to do today’s job with yesterday’s tools and yesterday’s concepts.

We editors went to great lengths to persuade those in the information security field, who are forward-looking, to write for the book and come up with innovative and effective approaches to improving the security and privacy of our systems and processes. We didn’t confine ourselves to “Young Turks” who might question everything but not have any useful solutions. We found that even someone, such as Donn Parker, who has been in the field for more than 35 years, can question “hand-me-down” security myths and suggest better ways of tackling security risk, for example.

But there are many in our profession who are not as imaginative and follow the well-trod paths. We still hear the mantra of “complex passwords” in response to phishing and session hijacking, which allow the bad guys to gain access regardless of how complex passwords might be. We are regularly admonished about “data leakage prevention” when most organizations, as Jennifer Bayuk describes in her chapter, haven’t even classified their data or even know where the data might be at every point in time. Many practitioners are not familiar with the security and privacy laws and regulations that impact their everyday decisions and will benefit greatly from Tom Smedinghoff’s chapter. What about the energy industry? Peter Curtis gives us an insider’s view of the security issues confronted in that sector.

We could go on and on about areas in which security and privacy professionals are backward-facing and are missing the demands and complexities of the evolving computer and network environments. It is shameful since there are many tools and practices that can reduce security risk and lead to more trustworthy environments; they are just not being used. A number of security officers, with whom I have spoken, have their heads in the sand. They seem to think that if they are not aware of a vulnerability or exploit, then they won’t be held accountable when things go awry. Experience has shown that this is not the case. It behooves security and privacy managers to install monitoring probes wherever feasible and work through the logs using automated methods in order to reveal improper behavior. They need to be thinking ahead as technologies like virtualization and cloud computing burst into the IT world.

You can’t steer a car by looking at the rear-view mirror, and you can’t manage security by relying solely on methods and approaches that have been successful in the past. Some of these techniques don’t have the impact they once had. There is a growing recognition that a huge research and development effort is needed to address the rapidly increasing number, complexity and sophistication of threats. However, if we were to use the many tools and good practices, which are already available to us, in meaningful ways, we could achieve a significantly higher level of security, privacy, trustworthiness and safety. This is a pragmatic course of action that can be taken while we wait for the silver bullet that may never come.

June 25, 2009

Obama’s CyberSecurity Policy

Sunil Bhargava: Cyber attacks are typically silent, stealthy in nature and don’t command the attention of the general public. President Obama’s announced cyberspace policy didn’t get the attention it deserved – given that cyber attacks have the potential to close down critical infrastructure – effectively closing down the markets, strategic defenses, disease control infrastructure or the core communications networks. So why isn’t the cyberspace policy getting the attention it may deserve? This is what we asked Warren Axelrod, security expert, author and speaker. Here’s Warren’s response.

From the desk of Warren Axelrod: Why is the cyberspace policy boring? The answer I’m giving is one that security professionals will be able to identify with – to an outsider it’s boring. Virginia Heffernan wrote a recent New York Times Magazine article entitled “Lights! Camera! Inaction! People Using the Internet are Boring”. Ms. Heffernan discusses the various, mostly unsuccessful, attempts by filmmakers to create excitement when something, which would cause all sorts of reactions in the physical world, happens in cyberspace. The flashing of messages of doom and destruction on a screen does little to raise one’s pulse. It is only when the messages are linked to visuals of bad physical things happening, as in the Terminator or Batman movies or Die Hard and Live Free, that anxiety increases in the audience.

The people tuned into the President’s announcement are the professionals at Homeland Security, the Pentagon and the utility officials protecting the three main electric grids. These are people who know that attacks are up year over year and the attackers are getting smarter and more devious every day. There were a couple of articles on the cyber speech the next day but not as many as one would expect – given the gravity of the situation. The news aggregation magazine, The Week, provided Cyber Security 101 in the article “The Rise of the Cyberspy”. This article focused on the Pentagon’s “near constant” cyber attacks by foreign hackers primarily from Russia and China.

So again, the general public, who depend so heavily on the Internet and computer systems and networks in general for their well-being and economic progress, can’t seem to get excited about a President who actually uses technology and, knowing the dangers, is setting policy, making cyber security a priority. We can only hope that the steps we need to take to defend ourselves in the dangerous realm of cyber space won’t be delayed and prioritized out of existence as they were eight years ago. The new “cyber czar” may be greeted with some fanfare, but will likely find it as difficult as his or her predecessors to implement effective measures. If only cyber criminals had two heads and long tails that could decapitate an innocent bystander.

Postscript: Intellitactics is the chosen SIEM by intelligence and defense organizations on the front line of cyber attacks. Join Intellitactics every Tuesday to see what it takes to defend against cyberspies and hackers.

June 23, 2009

Picture this - Intellitactics NEW EnterpriseVue

Jeff Vince, Director of Solution Services with Intellitactics, spends more time in Fortune 100 SOCs than anyone else at Intellitactics. He relates that the job of enforcing security policy is hard and thankless. "While the security team is accountable for prevention and defense, they need every employee to be on board with the rules and regulations. Training is the obvious answer, but reminding people every day to DO what they learn in training requires continuous awareness."

That's what EnterpriseVue for ISM is designed to do. Using state-of-the-art dashboard technology, EnterpriseVue transforms gigabytes of data into graphical and tabular reports arranged on a role-appropriate dashboard. The dashboard is dynamic, with access protected according to specific roles and responsibilities. ISM, or Intellitactics Security Manager, is a fully featured security information and event management (SIEM) solution that transforms millions of logs into actionable security events, automates alerting and accelerates investigation and incident response. "You can configure dashboards for the NOC, the application managers, the business line managers and other stakeholders. Everyone benefits from the ISM repository of security information, while the SOC works with security events to actively monitor control violations and attacks," explains Vince.

“Training end users on behaviors they can watch out for amongst their peers and then reinforcing that training with frequent reporting may deter the activity of a malicious insider,” is an example offered by Jeff Vince, Director of Solution Services for Intellitactics. “We encourage the SOC to run reports that keep security front of mind. We also suggest they involve other IT functions like network operations, database managers, application managers and others by providing reports they can use to make decisions and take actions to comply with policies.”

Read more about EnterpriseVue for ISM. Looking for a SIEM appliance? Intellitactics SAFE offers the same powerful, dynamic dashboard powered by the Intellitactics Security Data Warehouse - the only fully integrated repository that doesn't limit capacity to maintain performance.

June 16, 2009

Intellitactics and Quest - security as a service

Now, QUEST, a California-based service provider, is offering a NEW Managed Security Service. They'll be implementing Intellitactics SAFE appliances on the customer's premises and remotely managing logging, compliance reporting and event analysis. Their clients get all the control of ownership without the overhead.

Every day we talk to companies that want and need to automate log reviews, threat detection and reporting requirements for multiple regulatory standards. They are all doing something, but they all want to do more. Unfortunately, the economic turmoil has created obstacles for these companies to move forward. Staffing is an issue, deploying and implementing the solution takes time, and even the evaluation process required for a capital investment requires more energy than they have. These are all good reasons to consider security as a service.

QUEST CEO Tim Burke and I were talking about what their clients say are good reasons to engage with a security service provider. More companies are considering security as a service, and by implementing Intellitactics SAFE on the client premises they get the best of both worlds. Quest offers redundant operation centers and SAS 70 Type II certification; the staff is highly qualified. This new security offering, featuring Intellitactics SAFE, may be just the ticket for companies that need a fast start - whether they're prepping for audits, augmenting staff or defending against cyber criminals that stalk mid-size companies. Quest's unique service offering is a short-term fix for lots of companies which will offer long-term benefits.
