As I was reading about Cedar Sinai’s recent implementation of Bottomline’s Healthcare Data and Security Solution, I couldn’t help but to wonder – why is patient data at risk in the first place?
Clearly, we can all understand why big box shops like Target and Home Depot were hacked; credit card numbers are better than cash. Siphoning electronic funds is the digital age’s form of Bonnie and Clyde-style bank robbing. So, realistically, what could a hacker possibly stand to gain from breaching healthcare data security and gaining access to my records?
After consulting with a few colleagues in the healthcare industry, I realized there is one extraordinarily valuable piece of information that all U.S. residents have – a social security number. With that 9-digit treasure chest, individuals with more nefarious tendencies can open a line of credit under your SSN, file for a fraudulent tax refund and open financial accounts. But, that’s not all.
Medical identity threat was up 40 percent in 2013. Stolen health credentials go for about $10 each, double and sometimes triple the black market value for credit card numbers. This information can be used in hundreds of ways, but what they’re really after is your identity.
In some cases, only a few that I found, are hackers ever really interested in your maladies. Social security checks, yes, credit lines, yes… your latest blood pressure reading? Not so much. But it does happen. Mostly, though, they’re breaching healthcare data security so they can pretend to be you, convincing a bank they are you, which is much more valuable than health history.
So that’s why protecting patient data is extremely important to healthcare organizations. It isn’t just about not having the world know about your heart condition, although that certainly is one reason. It’s about what people are capable of doing once they get ahold of all the information that they need to take control of your financial credibility. Cedar Sinai’s decision to implement Bottomline puts them one step farther away from a reputation-damaging data breach.
That being said, what can smaller companies do for healthcare data security? Bottomline has a price tag that could bankrupt small specialty providers. What are the security options out there for the healthcare SMBs?
While there are many options out there, IBM has a whole arsenal of data, application and integration security options – many of which are scalable for both size and budget. Fortune 500s all the way to private locally-owned practices can benefit from a number of these solutions. These security products are packaged to meet individual organizations’ needs, ranging from identify protection to fraud prevention, from encryption to vulnerability assessment. How do you know what’s right for you? As an IBM Business Partner, TxMQ assists companies with the selection, deployment and maintenance of enterprise security options. As experts in securely integrating solutions in the cloud, we can not only help make your patient records more secure, but we can help you digitize them, as well. We’ll stay with you for as short or as long as you need us.
Photo from BrainFoodTV.com
Author: admin
MQTT Repositories Review – Mosquitto, MessageSight & More
In my previous blog (Rigorous Enough! MQTT For The Internet Of Things Backbone), I presented the MQ Telemetry Transport (MQTT) protocol, which helps provide the required communication for smart devices. But without a broker repository or destination to support the protocol, MQTT can’t complete its mission.
In this article, I’ll first review one of the open-standard MQTT repositories called Mosquitto, and then cover IBM MessageSight. In future blogs I’ll present additional information on both the security component and additional broker functionality.
Mosquitto is an open-source (BSD-licensed) message broker that implements the MQTT protocol versions 3.1 and 3.1.1. It provides a lightweight server implementation of the MQTT and MQTT-SN protocols, written in C, so it can run on machines that can’t run a JVM.
Mosquitto regularly has an executable in the order of 120kB that consumes around 3MB RAM with 1,000 clients connected. There have been reports of successful tests with 100,000 connected clients at modest message rates.
In addition to accepting connections from MQTT clients, Mosquitto can bridge to other connected MQTT servers, including other Mosquitto instances. It’s thus possible to architect MQTT server networks, and pass MQTT messages from any network location to any other.
A second repository for MQTT is IBM MessageSight, which is built for high performance to offer persistent, transactional messaging. The hardware is 2U form factor. IBM MessageSight includes built-in security to enable integration with external Lightweight Directory Access Protocol (LDAP) security systems. MessageSight also offers Transport Layer Security (TLS), Secure Sockets Layer (SSL), FIPS 140-2, NSA Suite B ciphers and Level 1 secure Crypotgraphic Store securities.
Fine-grained messaging-authorization policies restrict access based on combinations of: user or group, client identifier, protocol, network interface, listening address and/or port, client IP address or range and destination topic and queue name.
The MessageSight repository supports connectivity to WebSphere Message Broker via JMS and/or MQTT nodes. It also integrates with Java environments and with rich HTML5-based web applications. Additionally, MessageSight allows development of interactive mobile-messaging applications with IBM Worklight Studio Developer, which delivers:
- Friendly APIs and libraries
- MQTT clients and libraries for a variety of platforms (C- and Java-based APIs)
- Libraries for Google Android and Apple iOS
- JMS client
- JavaScript API for HTML5-based applications
- PhoneGap MQTT plugins with JavaScript API for use with IBM Worklight
- Apache Cordova
- Adobe PhoneGap
MessageSight also offers simple and scalable management through policies. A single user ID is defined on the queue manager for IBM MessageSight, which enables a business to sense and respond to data coming from the edge of the enterprise. IBM MessageSight offers high availability with either an active or passive standby.
There are several public repositories that include Hive MQ, which provides a repository that anyone can engage with. In addition, there is cloudMQTT, which is a repository hosted in the cloud. There are other implementations of the broker space, namely gnatMQ, which is an implementation of MQTT but specifically for.Net, and ActiveMQ, which is a product of the Apache group.
How it Works: KPIs and the future of your business
How do you measure your business goals?
For some companies, success is measured mostly by profits. For others, the key indicator is customer satisfaction. Some companies measure their success by the success of their products. For each of them, however, there is one guarantee – success is never measured by just one criteria.
Not only is it essential to learn what drives success, but smart business executives must also understand why. That means you can’t just collect data, you have analyze it to learn what the information means to your bottom line. Keeping track of all this nuanced information, however, can become extremely overwhelming. That’s why businesses of all sizes turn to software that collects and analyzes key performance indicators, or KPIs.
KPIs help you monitor and manage the metrics that impact company growth. For example, maybe you’re a retailer looking to boost sales by 10% in Q3. KPIs can be used to help you project how to adapt labor and product costs to achieve this goal. KPIs aren’t just for overall company goals. They bring insight into individuals and departments, too. For example, your social media manager should have a list of KPIs that determine whether or not the company’s campaigns are successful at generating qualified leads. Your helpdesk team would work more productively if they had KPIs that kept track of how quickly and effectively they resolve tickets.
Most likely, your business uses KPIs in some form or fashion, but it’s how you utilize the data that makes the real difference. The whole process can even be automated, so your executives don’t need an IT degree to interpret data. Business activity monitoring tools harness big data analytics to bring insight to a broad range of users, from line-of-business to accounting to administrative. This means easy access for the people who need to apply the data toward decisions that impact the whole company.
IBM’s business activity monitoring solution not only provides you with current data, but it also helps you predict future situations by analyzing potential “what-if” scenarios. You can empower your company with analysis-driven strategies, becoming more proactive and less reactive.
The IBM solution isn’t the only one out there, but what set it apart is it’s flexibility. It works for companies of all sizes—from large-scale enterprises to SMBs. So whether you’re a small retailer looking to bring in more customers or a Fortune 500 ready to start a rebranding process, KPI software solutions can help you transform slow and expensive processes into strategies that help you grow.
IRS Get Transcript Breach – The Agency Didn't Adequately Prepare
The announcement came yesterday: Chinese hackers had breached the federal government’s personnel office. In isolation, this might seem a single event. But when viewed in the grouping of several other top-level hacks, it becomes clear that the federal government is extremely vulnerable.
One clear parallel was the recent IRS Get Transcript breach, announced in late May, which is believed to trace to the Soviet Union. The information was taken from an IRS website called Get Transcript, where taxpayers can obtain previous tax returns and other tax filings. In order to access the information, the thieves cleared a security screen that required detailed knowledge about each taxpayer, including their Social Security number, date of birth, tax-filing status and street address. The IRS believes the criminals originally obtained this information from other sources. They were accessing the IRS website to get even more information about the taxpayers, which would help them claim fraudulent tax refunds in the future. Might the information in the more recent hack also provide the fuel for a future hack? Quite likely, in my opinion.
What’s especially bothersome to me is the IRS had received several warnings from GAO in 2014 and 2015. If the warnings had been implemented, there would have been less of an opportunity for the attack. The IRS failed to implement dozens of security upgrades to its computer systems, some of which could have made it more difficult for hackers to use an IRS website to steal tax information from 104,000 taxpayers.
In addition, the IRS has a comprehensive framework for its cybersecurity program, which includes risk assessment for its systems, security-plan development, and the training of employees for security awareness and other specialized topics. However, the IRS did not correctly implement aspects of its program. The IRS faces a higher statistical probability of attacks, but was unprepared. Let’s face it: The US federal government is a prime target for hackers.
The concern here, of course, is the grouping of attacks and the reality that the US government must be more prepared. I’ve managed IT systems and architecture for more than 3 decades and I’ll say this: The IRS testing methodology wasn’t capable of determining whether the required controls were in effective operation. This speaks to not only physical unpreparedness, but a general passive attitude toward these types of events and the testing protocols. The federal government doesn’t adequately protect the PII it collects on all US citizens, and simply sending a letter to those impacted by a breach is not enough to prevent recurrence in the future.
I don’t need to tell you that. The GAO told the IRS the same thing: “Until IRS takes additional steps to (1)address unresolved and newly identified control deficiencies and (2)effectively implements elements of its information security program, including, among other things, updating policies, test and evaluation procedures, and remedial action procedures, its financial and taxpayer data will remain unnecessarily vulnerable to inappropriate and undetected use, modification, or disclosure.”
These shortcomings were the basis for GAO’s determination that IRS had a significant deficiency in internal control over financial-reporting systems prior to the IRS Get Transcript Breach.
Author Note: In my next blog on security, I’ll talk about the NIST standard for small businesses, with recommendations to prepare and protect in the wake of these high-level breaches.
(Photo by Ray Tsang)
Do health-tracking wearables actually make us healthier?
When I’m not writing all about the health IT world, I am a personal trainer, and it never ceases to amaze me how often these two worlds collide. The other day one of my training clients said to me – “I’ve gained almost 10 pounds since I got my <insert name of popular health-tracking device here>. Isn’t it supposed to do the opposite?”
I thought about it for a minute.
“Well,” I began, “Do you wear it every day? Have you forgotten it any?”
The client shook her head. “I only take it off to shower and to charge it.”
I thought a little more.
“How have your behaviors changed since you started wearing it?”
Now she looked at me strangely. She shrugged. I asked her to keep wearing her health-tracking fitness band, but to also go back to keeping a journal where she logs in her activities and her food. In addition, I asked her to also log in how often she consults her wearable.
When she came back to me the next week, she handed over the journal. It didn’t take long to see what the problem was. In the evenings, when my client had consulted her health-tracking device (which she does about a billion times a day), she would then consume the exact amount of calories she had remaining in order to come in right at her daily goal. However, sometimes these snacks consisted of highly processes carbohydrates and sugars. In addition, her fitness band had no way of knowing her muscle mass or the speed at which she metabolizes specific types of food.
Technology plays an enormous and essential role in the detection, diagnosis and treatment of many life-threatening diseases. Digital devices monitor heartbeats and blood pressure, all able to be analyzed by the amazing connectivity of the Internet of Things. We can cure and prevent more illnesses than ever imagined before with digestible sensors, hybrid operating rooms and 3D printed biological materials. However, as a fitness professional, I’m not talking about that kind of technology. I’m talking about the kinds of health-tracking gadgets, like wristbands, apps and trackers, that have become as common place as the timeless Timex. Can these wearables really stop, or even reverse, the American obesity epidemic?
The answer is — it depends. In my client’s case, no. Or, not exactly. She was using the fitness band to justify eating poorer quality foods more often. For some people, however, they do work amazingly. I regularly meet marathon runners who worship the Garmin watches that help them track speed, as well as fitness band enthusiasts who saw the fat melt away from the moment they plugged in. The crux is this – in order to live a healthier lifestyle, you have to change human behavior. While these health-tracking devices cannot force behavior change, they can make us more aware of our actions and choices.
Interested in using health & fitness tech to kickstart or continue your healthy lifestyle? Check out CNet’s review of top wearables under $200:
Time To Study For Your PMP – Don't Panic!
You’ve received the green light from PMI to schedule your test and you’re ready to go! Just one small thing — you have got no idea how much time you should give yourself or what you should spend your study time on.
There’s so much information out there, especially boot camp advertisements with “pass guarantees.” There are tests you can purchase, books you can buy and a fair amount of fear mongering on project management websites, as well.
I wanted to share my method because it was cheap and, for me, it worked. The test is either pass or fail; you don’t receive a percentage, but you do get a breakdown of how you did in each of the five areas: initiating, planning, executing, monitoring, controlling and closing. You’re rated as either proficient, moderately proficient or below proficient. I was proficient in four areas and moderately proficient in one. I hope this gives you the confidence to believe me when I say: You do not need to drop $1,000+ on a project management boot camp!
Ok, so what should you do? First, my suggestion is to give yourself four weeks to study. If you give yourself more time you might get in the habit of thinking you don’t need to buckle down because you have more than enough time. You could possibly do this in less time but I spent about 1-2 hours a day over four weeks. If you want to put in more time you can condense this down to about two weeks. If you read my first post you know I suggest signing up for PMI membership, and if you did this you got access to the latest electronic version of the Project Management Body of Knowledge Guide (PMBOK). This book is the Bible for project management. Now don’t hate me when I tell you this (remember I just saved you $1,000), but you’re going to need to read this. It’s dry; there are no anecdotes and no cartoons, just facts. But read it once, and then you’re done with it other than as a reference material. I promise.
Now that you have a general concept of the project phases, knowledge areas and processes, you need to memorize them. All of them. The five phases and 10 knowledge areas shouldn’t be too hard.
I used “Integrating Scope and Time Costs Quality Human Resources to Communicate with a Risk of Procuring Stakeholders” as my little reminder for the knowledge areas.
I know, it’s not super catchy; but, it’s not terrible either.
The best way to then memorize the 47 processes, from my point of view, is to memorize how many are in each column (2, 24, 8, 11, 2 across the top) and then also in each row (7 – Time, 6 – Scope, 4 – cost, HR, Procurement, Stakeholder, 3 – Quality and Communications). I stared at the processes chart and then tried writing it out from memory daily. By the start of week 3 of studying you should have this down, but continue writing it out anyways. Disclaimer: I absolutely believe in the power of rote memorization.
The next thing I suggest memorizing cold are project management formulas, I also wrote these out daily. Here’s my list:
CV: EV-AC
SV: EV-PV
CPI*: EV/AC (Considered the most important earned value metric)
SPI: EV/PV
TCPI: (BAC-EV)/(BAC-AC)
EAC: AC + Bottom Up Estimate
AC + BAC -EV
BAC/CPI
AC + (BAC – EV)/(SPI*CPI)
Communication Channels: N (n-1)/2
PERT: (P+4M+O)/6
Activity Variance ((P+4M+O)/6) ^2
Future Value: Present value/ (1+r) ^n
Present Value: Future Value (1+r)^n
Internal Rate of Return (Benefit-Cost)/Cost
VAC: BAC-EAC
There are a few more you could memorize, but this is what I did. There’s only so much data you can get down cold and you’ll have to pick and choose.
These two chunks of data are what I included in my brain dump prior to starting the exam. This means that I spent a portion of the testing demo writing this out before taking the test – this way I didn’t cut into the time I had to take the actual test.
As far as ITTOs (Inputs, Tools and Techniques, Outputs), I did not memorize these. I worked on understanding them and being able to recognize the most common. Make sure you have a firm grasp on what constitutes an Enterprise Environmental Factor (an organization’s culture, governance and structure) and what constitutes an Organizational Process Asset (processes, procedures, and knowledge base).
There are some things you’ll need to know about project management that the PMBOK does not cover – remember this exam isn’t just about studying a book, you’re proving that you know and live project management daily. So do yourself a favor and look up these names: Deming, Fielder, Shewart, Ouchi, Juran, Douglas McGregor, Kaizen, Frederick Herzberg, Maslow, McClelland, Vroom and Crosby. These are all theorists in either quality management or behavior management and their theories have an impact on project management processes.
The other half of studying is testing what you’re retaining. There are a ton of practice exams online and a lot ask you to pay. I don’t think you need to. I really hope you got that PMI membership because they have a link on their website to something called Books24x7. It’s access to a ton of relevant reading material. Right now a book called PMP Exam Prep: Questions, Answers & Explanations, 2013 Edition by Christopher Scordo is up there. I took every test in that book and reviewed every answer, both those I got right and what I got wrong. Anything I repeatedly got wrong went on a note sheet to be reviewed daily until I did get it and anything that I didn’t recognize went on a sheet to be Googled later. After finishing this book I moved to ExamCentral.net. This site has full length exams with 200 questions, and gives you the option of reviewing all questions and their answers afterwards. They also track your progress and show your scores in a nifty little bar chart and also even break down your score by project phase area (just like the real exam!). By the time I sat for the exam I’d racked up another eight exams. I would usually do one a night, with a complete review and then look at the notes I’d taken from questions I missed on past exams. I was scoring between 69% and 88% once I moved on to ExamCentral.net after completing all of Christopher Scordo’s exams.
The night before my test, I took one last practice exam, reviewed the answers and looked at my notes. Then I went to bed early (Don’t skip this part, please; it’s easy).
The day of the test I had breakfast, read my notes one last time and then arrived at the testing center 30 minutes early. All centers are different but I believe the majority recommend coming early as you’ll need to check in (you may need two forms of identification) and put your items in a locker.
Once you’re in the testing center, remember these steps: do your brain dump first, breeze through the testing demo and then focus! I wish you the best of luck on the exam!
So You Want to be a PMP?
Read it again, there’s no “I” in there. Okay, are we all on the same page now?
The Project Management Professional certification by PMI (Project Management Institute) is prestigious because you not only have to pass a 200 question exam, but also earn a minimum of 4,500 hours of project management experience and 35 hours of project management education. This is the minimum requirement if you have a bachelor’s degree. If you don’t have a 4-year degree, the requirements are even higher (7,500 project management hours).
There are numerous reasons to get the certification — whether you’re trying to land a new job, gunning for a promotion or looking to increase customer confidence in your project management abilities. The PMP can be a stepping stone to any one of these goals. If you’re considering getting certified, NOW is the time. Why? The exam is changing in November 2015, with more information to memorize, including an additional eight new processes. Find additional information here: http://www.pmi.org/certification/exam-changes/pmp.aspx.
There are a few pitfalls to avoid when taking on this endeavor, and the first is not giving yourself enough time to apply, study, and sit for the test. Applying to be eligible to sit for the exam can be incredibly time consuming; you’ll need to document each of your 4,500 hours for every project you’re counting towards that requirement.
- First, you’ll need to break the hours down by the 5 basic project management phases – Initiating, Planning, Executing, Monitoring and Controlling and Closing.
- In addition, you’ll need to give contact information for your project contacts and write a brief summary describing the project.
- Next, you’ll need to list where you got your education hours and make sure they’re PMI approved.
- Finally you’ll need to record your information related to either your high school or college degree.
Once you submit, you’ll wait about 5 business days to find out if your application has been accepted. Don’t get too excited yet though! Once you pay the testing fee you’ll find out if you’re selected for an audit!
Note About the Testing Fee: Sign up to be a PMI member ($139) because the reduced rate ($405 instead of $555) you receive on the test covers your membership fee! It’s actually $11 cheaper and you get a ton of benefits, including study aids!
If you’re one of the unlucky few that get chosen for an audit (I was), don’t panic! First, it doesn’t mean that you did anything wrong, it just means that PMI wants to ensure the validity of the information you provided. Your 1-year time frame for taking the test doesn’t start until your audit is complete. You have 90 days total to complete the audit. You’ll need to send a copy of your degree and also have your contacts sign off on your project hours and your education hours (unless your have a certificate from your training you can provide). PMI will give you a form with information from your application that you’ll need your designated contact to initial as accurate. Your contact will then send the signed form to you in a sealed envelope with their signature over the seal. You then send the unopened envelopes, along with proof of your degree to PMI.
I highly suggest paying to track your audit package – I didn’t and I was a wreck waiting to hear if PMI had received it! But eventually they let me know that they received it and I was all set to actually schedule my test! Overall from submission to completing the audit it took 3 weeks, and believe me, I wasted no time sending out those e-mails to my contacts. I also called them and walked them through the process to make sure they understood what to do. So make sure to choose contacts you can count on!
I hope this helps you plan out your timeline and soothes your nerves a bit if you’ve been chosen for the random audit. Check out my next post for study tips!
Rigorous Enough! MQTT For The Internet Of Things Backbone
The topic of mobile devices and mobile solutions is a hot one in the IT industry. I’ll devote a series of articles to exploring and explaining this very interesting topic. This first piece will focus on MQTT for the Internet of Things – a telemetry functionality originally provided through IBM.
MQTT provides communication in the Internet of Things – specifically, between the sensors and actuators. The reason MQTT is unique is, unlike several other communication standards, it’s rigorous enough to support low latency and poor connectivity and still provide a well-behaved message-delivery system.
Within the Internet of Things there’s a universe of devices that provide inter-communication. These devices and their communications are what enables “smart devices,” and these devices connect to other devices or networks via different wireless protocols that can operate to some extent both interactively and autonomously. It’s widely believed that these types of devices, in very short time, will outnumber any other forms of smart computing and communication, acting as useful enablers for the Internet of Things.
MQTT architecture is publish/subscribe and is designed to be open and easy to implement, with up to thousands of remote clients capable of being supported by a single server. From a networking standpoint, MQTT operates using TCP for its communication. TCP (unlike UDP) provides stability to message delivery because of its connection-oriented standard. Unlike the typical HTTP header, the MQTT header can be as little as 2 bytes, and that 2 bytes can store all of the information required to maintain a meaningful communication. The 2 bytes store the information in binary using 8 bits to a byte. It has the capability to add an optional header of any length. The 2 bytes of the standard header can carry such information as QOS, type of message, clean or not.
The quality-of-service parameters control the delivery of the message to the repository or server. The options are:
Quality-Of-Service Option | Meaning |
---|---|
1 | At most once |
2 | At least once |
3 | Exactly once |
These quality-of-service options control the delivery to the destination. The first 4 bits of the byte control the type of message, which defines who’ll be interested in receipt of these messages. The type of message indicates the topic of the message, which will manage who receives the message. The last element will be the clean byte, which like the persistence in MQ will determine whether the message should be retained or not. The clean option goes a step further in that it will also tell the repository manager whether messages related to this topic should be retained.
In my next blog I’ll discuss the broker or repository for these messages. There are several repositories that can be used, including MessageSight and Mosquitto among others. The beauty of these repositories is their stability.
(Photo by University of Liverpool Faculty of Health & Life)
MQ In The Cloud: How (Im)Mature Is It?
Everyone seems to have this concept that deploying all of your stuff into the cloud is really easy – you just go up into there, set up a VM, install your data and you’re done. And when I say “everyone” I’m referring to CIOs, software salespeople, my customers and anyone else with a stake in enterprise architecture.
When I hear that, immediately I jump in and ask: Where’s the integration space in the cloud today? Remember that 18 or 20 years ago we were putting up application stacks in datacenters that were 2- or 3-tier stacks. They were quite simple stacks to put up, but there was very little or no integration going on. The purpose was singular: Deal with this application. If we’d had a bit more foresight, we’d have done things differently. And I’m seeing the same mistake right now in this rush to the cloud.
Really, what a lot of people are putting up in the cloud right now is nothing more than a vertical application stack with tons of horsepower they couldn’t otherwise afford. And guess what? That stack still can’t move sideways.
Remember: We’ve been working on datacenter integration since the old millennium. And our experience with datacenter integration shows that the problems of the last millennium haven’t been solved by cloud. In fact, the new website, the new help desk, the new business process and solutions like IBM MQ that grew to solve these issues have all matured within the datacenter. But the cloud’s still immature because there’s no native, proven and secure integration. What we’re doing in the cloud today is really the same thing we did 20 years ago in the datacenter.
I’m sounding the alarm, and I’m emphasizing the need for MQ, because in order to do meaningful and complicated things in the cloud, we need to address how we’re going to do secure, reliable, high-demand integration of systems across datacenters and the cloud. Is MQ a pivotal component of your cloud strategy? It’d better be, or we’ll have missed the learning opportunity of the last two decades.
How mature is the cloud? From an integration standpoint, it’s 18 to 20 years behind your own datacenter. So when you hear the now-familiar chant, “We’ve got to go to the cloud,” first ask why, then ask how, and finish with what then? Remind everyone that cloud service is generally a single stack, that significant effort and money will need to be spent on new integration solutions, and that your data is no more secure in the cloud than it is in a physical datacenter.
Want to talk more about MQ in the cloud? Send me an email and let’s get the conversation started.
(Photo by George Thomas and TxMQ)
What The Premera Breach Teaches Us About Enterprise Security
By TxMQ Middleware Architect Gary Dischner
No surprise to hear of yet another breach occurring – this time at Premera Blue Cross. The company became aware of a security breach on Jan. 29, 2015, but didn’t begin to notify anyone involved (including the state insurance board) until March 17, which was 6 weeks later. The actual attack took place in May 2014 and may affect 11 million customer records dating back to 2002.
As with many companies that experience a security breach, the excessive delays in first identifying and confirming that a breach has occurred, coupled with the typical delays in assessing and providing notification, subsequently led the state insurance board to fault Premera with untimely notification. A review of the HIPAA regulations for breach reporting indicates that a notification of those impacted absolutely needs to occur within 60 days. Many companies, including Premera, just aren’t equipped with the tools and security-management processes to handle these incidents. For Healthcare companies, HIPAA guidelines state that notification to the state insurance commissioner should be immediate for breaches involving more than 500 individuals. Consequently, Premera is now being sued by the state insurance commissioner.
A company found guilty of late notification should concern the public: There’s at least the appearance of a general lack of concern over both the impact and severity to its customers, partners and constituents. Blue Cross Premera has responded to its own behavior with efforts to protect itself and to cover up details of the incident, rather than be forthright with information so that those impacted can take the needed steps to protect themselves from further exposure and potential consequences, such as fraud and identify theft.
A secondary concern is the lack of security-management measures around protected data at many companies. In this case, the audit recommendations – which had been provided to Premera on Nov. 28, 2014 – found serious infractions in each of the following domains:
- Security management
- Access controls
- Configuration management
- Segregation of duties
- Contingency planning
- Application controls specific to Premera’s claims-processing systems
- HIPAA compliance
More and more companies are being reminded of the data exposures and related risks, but remain slow to respond with corrective measures. Companies of high integrity will take immediate responsive measures and will openly express concern for the repercussions of the exposure. Companies that do not? They should be dealt with severely. Let this Premera example serve as the Anthem breach for companies that are holding sensitive data. As a customer or business partner, let them know you expect them to take every measure to protect your healthcare and financial information.
And in closing, let’s all take away a few lessons learned. Security assessments must become a regular operational function. Self-audits demonstrate a company’s high integrity and commitment to identifying process improvements for security management. Such efforts should be assessed quarterly with reports to the company board to make sure every vulnerability is remediated and customers who are working with the company are protected. After all, it’s only the company that can secure its own technical environments.
Photo by torbakhopper