SSO and Strong Authentication: How OhioHealth Built a Paperless Hospital
In this case study presentation, Joe Greene, IT Security Director at OhioHealth, explains how he and his team approached employee access challenges when they laid the IT foundation at Dublin Methodist, a brand new paperless hospital. More than a year after the doors opened at Dublin, their project is a proven success and there are many best practices and lessons learned to be shared with viewers.  Download the webinar today!

Identity 360 - An Imprivata Blog

Imprivata at VMworld 2010: Healthcare IT Panel; OneSign, Multiple Booths; Booth Giveaways

August 26, 2010 at 10:52 AM by Brian Mullins

We’re about to hit the virtual road out to San Francisco for VMworld 2010 next week, and are excited for the many activities and conversations that are lined up for our team at the event.  If you’re going to the event, stop by booth #441 for a chat about securing user access in virtual desktop environments, or a demo of the integration of VMware View and Imprivata OneSign.  We’d love to share ideas, perspectives and experiences onsite!

I thought I’d call out some things you may want to check out as you navigate through the clouds of people milling around the various sessions, booths and labs within the Moscone Center:

  • Product Demos: OneSign 4.5 will be featured at the Imprivata booth (#441), the VMware booth (#716), as well as inside and outside of the 2010 VMware Express Virtualization Truck Tour, which will be making a stop on the show floor (booth #119) before continuing to travel the country.  See firsthand the power that OneSign brings to VMware View™ by enabling secure and convenient end-point application access and user roaming desktops in a virtual desktop environment.
  • Healthcare Industry Panel: On Tuesday, Aug. 31 @ 2pm PT in Moscone North Room 130 CTO David Ting will be sitting on the “Virtualization’s Impact on the Delivery of Healthcare IT Services” panel which will feature healthcare industry thought leaders discussing how virtualization impacts the delivery of healthcare IT services. The session will be anchored by real world experiences and best practices for bridging the gap between clinician productivity and security in a virtualized environment.  This is sure to be a hot topic as healthcare continues to blaze a path for virtual desktop environments.
    • Other panel participants include Frank Nydam, Director Healthcare Solutions, VMware, Inc.; Dr. James Philbin, Senior Director Medical Imaging, Johns Hopkins Hospital; Scott Dresen, Vice President, Enterprise Technology Services, Spectrum Health System; and James Fitzgerald, Chief Technology Officer, Dell Services, MEDITECH Solutions Group. 
  • Booth Giveaways:  We’re keeping our booth giveaways under wraps for now, but come by the booth for a throwback giveaway that will let you View the future for secure Follow-Me Desktops.  We’ve inserted a little fun in the business of VDI with these giveaways, so hope you can recapture a bit of your youth while mastering what you set out to accomplish at this year’s event.

If you’re going to VMworld 2010, follow Imprivata on Twitter (www.twitter.com/imprivata) for the latest from the show floor and drop us a tweet @Imprivata with #VMworld in it if you want to set up a meeting on the fly.  We’ll be able to coordinate availability quickly and hopefully show you some really cool things we’re up to with virtual desktop environments.  See you there!

--Brian Mullins

The DLP Argument for VDI in Healthcare

August 19, 2010 at 1:35 PM by David Ting

Steve Coplan of The 451 Group recently published a terrific report on Virtual Desktops that examines the intersection of management and security.  The report (subscription required) does a great job of capturing how far virtual desktops have come in enabling productivity and efficiencies, while also emphasizing the security needs that these environments must meet.  It’s definitely worth a read so be sure to check it out.

Steve hit the nail on the head in describing the importance of user authentication in securing virtual desktops. This is especially relevant in healthcare, which is rapidly adopting virtual desktop infrastructure (VDI) to improve clinician productivity and secure patient data. We were also pleased that Steve mentioned the work Imprivata is doing with VMware around fast, seamless user access for virtual desktops:

One of the early movers in this area in both tying strong authentication to SSO and embedding its technology into the virtualized desktop agent, specifically VMware View, is Imprivata.

Imprivata has made the astute decision to build VDI support into what we have described as its authentication management middleware, and frame it as one element within the scope of its technology. Imprivata has integrated features for VDI session security, including authentication management, SSO access to applications, user roaming and location awareness, as well as user audit and compliance reporting. The company has not productized the VDI features, instead slotting them into its OneSign appliance – which is also now available as a virtualized version – since it views VDI as part of a broader set of authentication management requirements.

This report reflects many of the conversations we’ve had with our customers.  Healthcare organizations evaluating or moving towards a VDI environment are driven not only by cost/ROI reasons but in many cases the desire to reduce exposure to data breaches, improve clinician productivity and support greater mobility of the clinical desktop.

The data loss prevention (DLP) argument is one that is becoming relevant in healthcare because of the public nature of most healthcare organizations and the penalties/damages associated with patient record breaches. Recently enacted privacy regulations around breach disclosures have forced many organizations to rethink how they are securing patient data. Many hospitals have moved to using thin clients to eliminate the need to have any patient data on public facing computers to reduce exposure if the computer is lost or stolen.

The mobile nature of a clinician’s workflow in a hospital setting forces a clinician to constantly log on to and log off of the shared computers spread throughout the hospital. Needless to say, clinicians view this activity as reducing the time spent taking care of the patient. The ability for the clinician to roam from workstation to workstation and rapidly reconnect to an already-running session has a tremendous impact on clinician satisfaction and productivity. We’ve done specific integration with VMware View to support the roaming workflow described above, and this has been well received in a hospital setting, especially when combined with location-based services.

From a future-proofing perspective, the ability for a healthcare organization to deliver the same desktop on any device is perhaps the most compelling driver to consider Virtual desktops as clinicians want access to the same applications from their clinics, home offices or while they are on the road.  This trend is only starting as many hospitals are now evaluating how they can support the iPad for clinical use.

At the upcoming VMworld, Aug. 31-Sept. 2 in San Francisco, we’ll be demoing some exciting capabilities for secure “follow-me desktops” and VDI in healthcare environments. If you are going to be at the event, come by our booth (#441) and see how secure virtual desktops can help your organization. We’d love to talk to you!

Tags: strong_authentication, data_security, user_authentication

Secure User Access and VDI: Improving Productivity with Secure “Follow-Me” Desktops

August 6, 2010 at 8:53 AM by David Ting

This week Imprivata announced its partnership with VMware, an exciting time for our company as more and more customers and prospects inquire about combining virtual desktops with simplified and secure user access to improve user productivity.  Partnering with a market leader like VMware presents a great opportunity for both organizations to deliver a secure working environment that allows end users to access their desktops from machines in any location.

As readers here know, healthcare is a big focus for Imprivata, and this sector is actively deploying virtual desktop infrastructure (VDI).  It makes a lot of sense.  Healthcare environments have unique workflow requirements, relying heavily on shared workstations as doctors, nurses and staff go from room to room, patient to patient.  Virtual desktops give clinicians the freedom that comes with roaming sessions which means they can treat more patients, spend more time with patients and have critical information at their fingertips.  Securing the user experience within the virtual desktop means that patient data is easily accessible yet protected from inappropriate access – and clinicians are empowered by a secure “Follow-Me” desktop wherever they are, especially in an increasingly mobile environment.

Combining virtual desktops and secure user access is a win-win combination for productivity and security – whether in a hospital setting, a government agency setting or any other corporate business setting, organizations need to explore whether VDI can be a boon for workflow and must ensure data security at the same time.

Secure user access and VDI: they’re great together, and great for workflow.  Are you exploring or deploying virtual desktops?  Tell us your story; we’d love to hear it!

--David

Tags: data_security

The Impact of New HHS Rules for Health Information Privacy and Security

August 4, 2010 at 2:11 PM by Michael Bilancieri

The U.S. Department of Health and Human Services (HHS) recently announced new rules surrounding health information privacy and data security that are important for everyone involved in healthcare IT (HIT) to understand.

By now you’ve likely seen these rules. The Healthcare IT Consultant blog has a nice synopsis of the news that drills down into the aspects most relevant for those in the Imprivata community.  Pulling the key points from that blog and summarizing the primary requirements of the rules, here are some things to consider:

  • Expanding individuals’ rights to access their information and to restrict certain types of disclosures of protected health information to health plans.

As was confirmed at the HIT Policy Committee technology hearing a couple of weeks ago, the ability for patients to actually restrict disclosure of their PHI is not readily available. While patients can fill out HIPAA paperwork at the doctor’s office, this doesn’t necessarily do anything to actually restrict disclosure of their data.  These new HHS rules should instigate a wave of innovation, process overhaul and investment in new technologies to help the healthcare industry achieve this directive to empower individuals with greater rights and controls over their own protected health information (PHI).

However, there is still tremendous work to do, and until that happens it’s crucial for hospitals to instill safeguards that ensure only appropriate access to PHI by authorized personnel and eliminate any potential misuse of PHI.  In addition, until total privacy can be ensured, hospitals need to actively monitor and track PHI access and take appropriate actions, including being diligent about alerting patients when their PHI has been exposed in a security breach, or even potentially exposed, or face the penalties enforced by the HITECH Act.

  • Requiring business associates of HIPAA-covered entities to be under most of the same rules as the covered entities;

This mandate provides additional levels of protection to PHI beyond just the main healthcare entity, ensuring that PHI that is needed by business associates carries the same protections and requirements as for the main entity.  The true value of PHI lives not in its siloed containment, but in its appropriate, approved sharing with doctors and other entities to help best serve the patient.  Strengthening the rules by forcing business associates to adhere to the same policies is a logical step to securing PHI and the integrity of the entire healthcare ecosystem.  In conjunction with this, proactively monitoring direct and indirect business associates activities related to PHI allows privacy officers to easily and efficiently monitor and take action on suspect activities.  These protections should follow PHI wherever it may be used.

  • Setting new limitations on the use and disclosure of protected health information for marketing and fundraising; and
  • Prohibiting the sale of protected health information without patient authorization.

These are both very interesting, and often overlooked. These restrictions are absolutely critical in limiting the abuse and misuse of PHI precisely because there is money to be made here; without them, why would entities not use or sell PHI without regard for the patient?  Use and disclosure of this kind is a valuable aspect of PHI, and limiting it will have serious ripple effects that our industry is only now beginning to understand.

What are your thoughts on these new rules?  How do they impact your organization? 

-Michael

Even Spies Have Password Management Problems

July 13, 2010 at 9:03 AM by David Ting

Catching up on some news from last week, I thought Tim Greene’s article in Network World was an interesting piece on the Russian spy ring story that is currently grabbing headlines.  As Tim points out, the spy ring was heavily reliant on technology to communicate, and in some cases even went to great lengths (multi-hop travel using numerous passports) simply to repair a laptop. At the same time, they were also plagued by the same IT issues we face: long support times, poor customer support, complex configurations and dealing with IT security.

Despite all the years of covert operations, some of the most incriminating pieces of evidence were obtained through one of the most common password management problems found in companies all over the world – the sticky note password.  A pull-out from the article:

One of the most glaring errors made by one of the spy defendants was leaving an imposing 27-character password written on a piece of paper that law enforcement officers found while searching a suspect's home. They used the password to crack open a treasure trove of more than 100 text files containing covert messages used to further the investigation.

Think of the risk and high stakes involved with global espionage and it’s amazing that it was a common password snafu that unlocked piles of evidence to break the spy ring and which will be used by the Feds to build the case.  Try taking a walk through your offices and you might be surprised what is lying around on sticky notes.  While you may not be involved in something as high-stakes as espionage, this aspect of the spy ring story certainly serves as another reminder to get the password management problem locked down at your company.

Tags: password_management

HIT Policy Committee Consumer Choice Technology Hearing Recap

July 8, 2010 at 10:11 AM by Michael Bilancieri

Last week, I attended the Health Information Technology (HIT) Policy Committee’s Privacy and Security Tiger Team Consumer Choice Technology Hearing in Washington, D.C.  The gathering brought together an impressive group of healthcare industry leaders, patient data privacy advocates and HIT vendors to discuss technologies that enable consumers to choose whether or not to share their information in health information exchanges (HIEs).

The day included sessions from HIT vendors on technology solutions that address the use and sharing of electronic medical records (EMRs), and lively discussion around ownership of EMRs (hospitals vs. consumers).  This public hearing included testimony and interactive sessions where presenters fielded questions from the Security Tiger Team and a panel comprised of doctors, CEOs, universities and other advocates spearheading efforts for consumer controls of patient information.

A few things worth highlighting from the conference:

  • Ownership of EMR Data in Heated Debate: as EMRs are more widely used, and various organizations seek to touch them for each patient, where does the ownership responsibility of such data reside – with the patient, or with the healthcare organization?  This was a hot topic and conversations on this matter spilled into the hallways after the hearing was over.
  • Technology Research and Development Timeline Still a Ways Out: many of the solutions for effective sharing of EMRs that were presented are in beta stage and/or in early development, with aims for full functionality by the end of 2011.  There’s still a long way to go.
  • Standards Still Need to be Developed, Embraced: There is a clear need for standards in HIT as it relates to EMRs.  While some vendors feel that the standards are in place to achieve the necessary solutions for patient privacy, there sure seems to be enough discussion around and challenges in granting patients control over their own medical records to indicate that more work needs to be done in this area. This is critical for widespread adoption and efficiencies as hospitals and health networks seek to integrate EMRs and consolidate between and among systems.  Without well-defined, vendor-agnostic standards, the vision for HIEs and the true value of EMRs will remain out of reach for the masses of health organizations, thus limiting the privacy protection that can be afforded patients.
  • Patient Consent for EMR Use Poses Complex Challenges, Requires Well-Thought Safeguards:  If patients have ownership of EMR consent, it’s critical that safeguards are in place.  One such safeguard discussed was the concept of a “break-the-glass” trigger in case a patient is unable to provide consent to the caring physician.  In this situation, doctors could override consent requirements to access EMRs with notifications sent to various stakeholders in the system – this may provide the crucial information doctors need to provide care, while ensuring access without consent only occurs when absolutely needed and instances are recorded for auditing and compliance purposes.
  • Workflow Matters:  As standards are developed and EMRs are more fully embraced by both healthcare facilities and patients, both clinician and patient workflow must be front and center!  The need for interoperability between clinical systems and the education of patients on how they can control and use their own patient information is crucial to effective long-term benefit.  Studies on user interfaces and usability testing in daily work environments are still needed, but it’s great to see this as a central consideration as vendors and the industry as a whole work toward standards.

Peeling back the onion of EMR use and the patient consent process, it’s clear that there is still much work to be done.  Managing EMRs across various HIEs introduces greater need for vendors to get in alignment to create integrated solutions that protect patients regardless of where and when they may be receiving care.   These types of discussions are critical to leading our industry to collaborate and innovate to ultimately deliver better patient outcomes.
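The “break-the-glass” safeguard discussed at the hearing is easy to describe and easy to get wrong, so here is a worked version of the control as an added example; it is not code from the original post, from Imprivata or from any hearing participant. It assumes a simplified consent model in which a patient consents to named organisations, and hypothetical notification recipients (a privacy officer role and a patient portal) that must learn of every override. The point it makes that the prose does not: an override without a stated justification is still a denial, denials are audited too, and overrides land in a queue for after-the-fact review.

```python
"""Consent-gated EMR access with a break-the-glass override.

Added example, not Imprivata or HIT Policy Committee code. The consent model
(patient consents per organisation), the notification recipients and the
record layout are all assumptions made for the illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Callable, List, Optional


@dataclass(frozen=True)
class Clinician:
    user_id: str
    org: str            # organisation the clinician is acting for


@dataclass(frozen=True)
class PatientRecord:
    patient_id: str
    consented_orgs: frozenset  # organisations the patient agreed to share with


@dataclass(frozen=True)
class AuditEvent:
    when: datetime
    user_id: str
    patient_id: str
    mode: str           # "consented" | "break_glass" | "denied"
    justification: str = ""


class EmrAccessGate:
    """Decides every EMR read and keeps the audit trail of each decision."""

    # Hypothetical recipients that must learn of every override.
    NOTIFY_ROLES = ("privacy_officer", "patient_portal")

    def __init__(self, notify: Optional[Callable[[str, AuditEvent], None]] = None):
        self.audit: List[AuditEvent] = []
        self._notify = notify or (lambda role, event: None)

    def authorize(self, who: Clinician, record: PatientRecord, *,
                  emergency: bool = False, justification: str = "") -> AuditEvent:
        """Return the audit event for this attempt; event.mode says what happened."""
        if who.org in record.consented_orgs:
            mode = "consented"                      # ordinary, consent-backed access
        elif emergency and justification.strip():
            mode = "break_glass"                    # override: allowed but flagged
        else:
            mode = "denied"                         # no consent, no usable override
        event = AuditEvent(datetime.now(timezone.utc), who.user_id,
                           record.patient_id, mode, justification.strip())
        self.audit.append(event)                    # denials are recorded too
        if mode == "break_glass":
            for role in self.NOTIFY_ROLES:
                self._notify(role, event)
        return event

    def overrides_pending_review(self) -> List[AuditEvent]:
        """Everything the privacy officer has to justify after the fact."""
        return [e for e in self.audit if e.mode == "break_glass"]


def demo() -> dict:
    """Constructed scenario: an ER physician from another hospital needs a record."""
    sent = []
    gate = EmrAccessGate(notify=lambda role, ev: sent.append((role, ev.user_id)))
    patient = PatientRecord("P1001", frozenset({"mercy_general"}))
    home_doc = Clinician("dr_lee", "mercy_general")
    er_doc = Clinician("dr_ortiz", "county_er")

    ok = gate.authorize(home_doc, patient).mode
    refused = gate.authorize(er_doc, patient).mode
    no_reason = gate.authorize(er_doc, patient, emergency=True).mode   # still denied
    override = gate.authorize(er_doc, patient, emergency=True,
                              justification="unconscious, anaphylaxis").mode
    return {"home": ok, "refused": refused, "no_reason": no_reason,
            "override": override, "notified": sent,
            "pending": len(gate.overrides_pending_review())}


if __name__ == "__main__":
    print(demo())
```

The design choice worth noting is that the override path never bypasses the audit call; it is the same code path with a different mode, so there is no way to reach the record without leaving a trace.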

Tags: data_breach, HITECH

Major Healthcare Patient Data Breaches Nearing 100-Mark

June 24, 2010 at 12:00 pm by Michael Bilancieri

I read an interesting story over at HealthcareInfoSecurity.com highlighting the “Official Breach Tally Approaches 100”.  The article includes a link to the official federal list of healthcare information breaches that was launched a few short months ago.  While the article highlighted the major breaches affecting 500+ individuals as reported to the HHS Office for Civil Rights (OCR) and called out 61% of incidents stemming from stolen computer devices (e.g., laptops, USB drives, hard drives etc.), many of the largest breaches involved unauthorized access.

Here’s a snapshot at the major breaches stemming from unauthorized access:

  • Mount Sinai Medical Center of Florida in March 2010 (2,600 individuals affected)
  • Blue Cross & Blue Shield of Rhode Island in February 2010 (12,000)
  • Wyoming Department of Health in December 2009 (9,023)
  • University Medical Center of Southern Nevada in October 2009 (5,103)
  • Blue Cross Shield Association of D.C. in October 2009 (15,000)
  • [Private Practice] in California September 2009 (6,145)

What’s interesting here is that the breaches show up regardless of geographic location or company size – these issues affect EVERYBODY.  When the HITECH Act breach notification mandates went into effect in September 2009, there was a flood of small breach notifications immediately following in September and October from private practices (these are not named specifically, but that will soon change). Then came a regular drumbeat of larger breaches – some of which are listed above – and they continue to occur.

Will this flow of patient data breaches start to wane with more attention being placed on the issue, and more repercussions from HITECH being enforced?  Or will this become ‘noise’ to most people until it affects them directly? 

Many of these breaches are preventable.  Some are not, but there are now people, processes and technologies available that can help tighten the reins on the vulnerabilities that open the door to many of these breaches.  What are you doing to avoid joining the aforementioned list of breaches?

Tags: data_breach, HITECH

PHI Access Requires Robust Security and Privacy

June 11, 2010 at 10:34 AM by Dr. Barry Chaiken

In a January 2009 speech, President Barack Obama said, “electronic records will cut waste, eliminate red tape, and reduce the need to repeat expensive medical tests [and] save lives by reducing the deadly but preventable medical errors that pervade our health-care system.”

However, as a nonprofit organization recently reported, over the last five years more than 45 million U.S. electronic health records (EHRs) were either lost or stolen by insiders and/or outsiders. How do we reconcile the absolute need of timely information access critical to patient welfare, while simultaneously protecting a patient’s right to privacy as granted by HIPAA and HITECH?

The solution is to implement policies and technologies that protect a patient’s privacy while granting secure access to those authorized professionals who must have the information in medical files to save lives. The technologies must allow clinicians to incorporate access to protected health information (PHI) in EMRs and other clinical applications in a manner that supports patient care rather than one that impedes it.

Many implementations of clinical applications failed due to processes dictated by clinical software that destroyed the efficient workflows formerly practiced by the clinicians. Therefore, smart implementations that facilitate the rework of processes that leverage healthcare IT (HIT) solutions deliver the greatest value to patients, clinicians and institutions.

Privacy and security surveillance programs also help ensure that access to PHI is on a need-to-know basis.  Just like disease monitoring projects that look to identify potential outbreaks early (e.g., flu), similar approaches can be used to proactively assess whether inappropriate access or security breaches are occurring in patient care databases.  If evidence of potential problems arises, proper actions can be taken to substantiate and close the security and/or privacy hole.

Combining patient privacy technology with fast, secure access to EMRs is a powerful prescription for advancing the use of clinical HIT applications to improve patient care.

Tags: security_breach

User Access Relevance in a HITECH Age

June 3, 2010 at 9:24 AM by David Ting

The National Institute of Standards and Technology (NIST) published its Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule back in late 2008, but, spurred by a jolt of healthcare IT investment driven by HITECH mandates, it has renewed relevance today.

The HIPAA Security Rule “specifically focuses on the safeguarding of electronic protected health information (EPHI)… All HIPAA covered entities, which include some federal agencies, must comply with the Security Rule, which specifically focuses on protecting the confidentiality, integrity, and availability of EPHI, as defined in the Security Rule.”  This document, NIST Special Publication 800-66 Revision 1, provides a comprehensive guide to compliance with the Security Rule, and details “Key Activities” to engage in, segmented by defined categories that are easy to read and navigate.

From a user access perspective, there are important technical safeguards outlined in the area of Access Control, Audit Control, Integrity, and Person or Entity Authentication that are worth calling out.  Specific Key Activities within these technical safeguards criteria you should review include:

4.14 Access Control, Key Activity #3: Ensure All System Users Have Been Assigned a Unique Identifier
This requirement is integral to tracking who is accessing what information, and whether they have authorization to do so.  Enforcing policies that eliminate credential and password sharing is a crucial complement to this requirement, as it ensures that all activity can be traced back to a specific user identity.

4.14 Access Control, Key Activity #8: Automatic Logoff and Encryption and Decryption
This requirement calls for “electronic procedures that terminate an electronic session after a predetermined time of inactivity.”  There are plenty of automatic logoff solutions in the field which satisfy this requirement, but they hinder workflow by requiring the user to actively log back into the system.  In a healthcare environment, where doctors, clinicians and staff are sharing workstations and need fast access to patient information, session time-outs can add hiccups when time is of the essence.  This was a core consideration when we designed our OneSign Secure Walk-Away solution, which uses computer vision with active presence detection and user tracking to identify an authenticated user in front of a workstation, automatically locking the desktop upon their departure and providing instant re-authentication upon their return.  It combines compliance with this Key Activity and real-world workflow for the best of both worlds.

4.15 Audit Control, Key Activity #1: Determine the Activities that Will be Tracked or Audited
This Key Activity serves as a foundational pillar to managing healthcare security risk.  Determining what systems and activities need to be monitored and reported are crucial to closing any potential security breach gaps and streamlining reporting requirements from other sections of the Security Rule.  The data breach notification requirements of HITECH that went into effect on Feb. 18, 2010 present new security risks for healthcare organizations, so it’s critical to understand and quickly report on breaches, whether malicious or accidental, to avoid penalties and fines from both state attorneys general and the feds.  To do so effectively, one must first establish what is tracked and/or audited, making this Key Activity even more relevant today than before HITECH went into effect.

4.16 Integrity, Key Activity #1: Identify All Users Who Have Been Authorized to Access EPHI
4.16 Integrity, Key Activity #5: Implement a Mechanism to Authenticate EPHI
These Key Activities combine to focus on identifying all approved users with the ability to alter or destroy data, ask questions around user authentication, and seek to determine whether authentication tools interoperate with other applications and systems.  These requirements dovetail with audit trail requirements for understanding how information is accessed and authorized, so healthcare entities can report on all aspects of cross-organization healthcare access management.

4.17 Person or Entity Authentication, Key Activity #2: Evaluate Authentication Options Available
Secure authentication is integral to protecting patient information, so it comes as no surprise that the Security Rule calls out commonly used authentication approaches.  Specifically, the guideline urges aligning different levels of authentication with an assessment of the risk to the information and systems.  Password policy, biometric authentication, smart cards, proximity badges and/or any combination of the aforementioned can satisfy this requirement, but it’s essential that they are all tied together in the form of easy-to-manage identity management; otherwise, it can become unwieldy and burdensome to keep up as new hires are brought onboard and terminated employees are de-provisioned.
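Two of the Key Activities above (unique user identifiers with no credential sharing, and automatic logoff after inactivity) are only as good as the audit trail that proves they hold, which is also the proactive surveillance Dr. Chaiken describes in the PHI Access post earlier on this page. The following is an added example of such a check, not code from NIST, Imprivata or the original post. The log format, the field names, the workstation names and the 15-minute idle limit are assumptions for the illustration; real EHR and SSO audit logs carry different fields. It replays constructed log lines in time order and flags one user identifier live on two workstations at once, a session that resumed after the idle limit without re-authentication, and record activity with no session behind it at all.

```python
"""Audit-trail checks for the unique-identifier and automatic-logoff
Key Activities of NIST SP 800-66 Revision 1.

Added example, not Imprivata or NIST code. The log format, field names,
workstation names and the 15-minute idle limit are assumptions for the
illustration; real EHR and SSO audit logs differ.
"""
import re
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Tuple

# Constructed sample log: one clinician's morning plus one stray access.
SAMPLE_LOG = """\
2010-06-01T08:00:00Z user=jdoe ws=ER-WS-03 event=login
2010-06-01T08:01:10Z user=jdoe ws=ER-WS-03 event=access patient=P1001
2010-06-01T08:05:00Z user=jdoe ws=ICU-WS-07 event=login
2010-06-01T08:06:00Z user=jdoe ws=ICU-WS-07 event=access patient=P1002
2010-06-01T08:07:00Z user=jdoe ws=ICU-WS-07 event=logout
2010-06-01T08:40:00Z user=jdoe ws=ER-WS-03 event=access patient=P1003
2010-06-01T08:41:00Z user=jdoe ws=ER-WS-03 event=logout
2010-06-01T09:00:00Z user=asmith ws=ER-WS-03 event=access patient=P1001
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) ws=(?P<ws>\S+) event=(?P<event>\S+)"
    r"(?: patient=(?P<patient>\S+))?$"
)

Finding = Tuple[str, str, str, str]   # (kind, user, workstation, detail)


def parse(lines: Iterable[str]) -> List[dict]:
    """Turn log lines into dicts with a real datetime; skip lines that do not match."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def analyze(lines: Iterable[str],
            idle_limit: timedelta = timedelta(minutes=15)) -> List[Finding]:
    """Replay sessions in time order; report the two Key Activity conditions
    plus activity that has no authenticated session behind it."""
    open_sessions: Dict[Tuple[str, str], datetime] = {}   # (user, ws) -> last activity
    findings: List[Finding] = []
    for e in parse(lines):
        key = (e["user"], e["ws"])
        if e["event"] == "login":
            # Same identifier already live on a different workstation: someone
            # is sharing credentials, or the first session was never logged off.
            elsewhere = [ws for (u, ws) in open_sessions if u == e["user"] and ws != e["ws"]]
            if elsewhere:
                findings.append(("concurrent_sessions", e["user"], e["ws"], ",".join(elsewhere)))
            open_sessions[key] = e["ts"]
        elif key in open_sessions:
            gap = e["ts"] - open_sessions[key]
            if gap > idle_limit:
                # Activity resumed after the idle limit with no re-authentication
                # in between: the automatic logoff control did not fire.
                findings.append(("idle_exceeded", e["user"], e["ws"], str(gap)))
            if e["event"] == "logout":
                del open_sessions[key]
            else:
                open_sessions[key] = e["ts"]
        else:
            # Record activity with no session cannot be attributed to an
            # authenticated person, which defeats the unique-identifier control.
            findings.append(("activity_without_session", e["user"], e["ws"], e["event"]))
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG.splitlines()):
        print(finding)
```

On the sample log this yields three findings: jdoe’s login on ICU-WS-07 while ER-WS-03 is still open, the 38m50s gap on ER-WS-03 before the 08:40 access, and asmith’s access with no login. A concurrent-session hit is not proof of sharing (a walked-away session that was never locked produces the same signature), which is exactly why the automatic-logoff and unique-identifier activities have to be checked together.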


There’s a lot to this NIST resource for navigating the HIPAA Security Rule – it is 117 pages of guidelines and supporting appendices.  It’s a tremendous guide to a significant HIPAA compliance requirement.  With a recent injection of funds and incentives into the healthcare IT market from HITECH and healthcare reform driving increased investment in electronic medical records (EMR), secure user access to EPHI plays an increasingly important role. 

Building on this, the guidelines outlined in the NIST 800-66 Revision 1 document should be applied worldwide as increased legislation in numerous countries drives greater attention to protecting patient health information in any form, and put stringent requirements around data security and the tools necessary for reporting on activities to demonstrate compliance.  It’s a great asset out there for public consumption, and can help drive best practices worldwide.

Tags: HIPAA_compliance, password_policy, security_breach, biometrics_authentication, data_security, password_sharing, healthcare_access_management, user_authentication, security_risk, secure_authentication

Highlights from the Digital Healthcare Conference

May 25, 2010 at 9:07 AM by Jim Whelan


The Digital Healthcare Conference 2010 occurred last week in Madison, WI, under the theme of “Healthcare IT in transition.”  Imprivata Chief Medical Officer Dr. Barry P. Chaiken served as the conference chair for this event, which boasted an impressive agenda that kicked off with KLAS Founder and Chairman Kent Gale exploring the obstacles to physician adoption of electronic medical records (EMRs).  Gale’s “Top Ten” list highlighted common things that stand in the way of EMR adoption, and the takeaway from the entire session aimed to get attendees to see how establishing transparent workflow can lead to physicians truly embracing EMRs.

A large focus of the event centered on the intersection of clinical workflows and Healthcare IT (HIT) where providing fast EMR access and protecting patient privacy served as topical pillars for the sessions as well as the conversations happening in the hallway.

A couple other sessions worth noting:

  •  “Keynote: Clinical Governance” Dr. Thomas J. Handler, MD, Research Director, Gartner Inc. examined the role of clinical governance in establishing HIT system selection and deployment success criteria, and proposed a structure to establish a better model for clinical governance.
  •  “Keynote: What do Patients Want?” Deborah C. Peel, MD, President, Patient Privacy Rights, exposed the need for patient data security to prevent inappropriate access of personal health information in a world fast moving to digital records.
  • “Return on Investment with Clinical Information Systems – An Oxymoron?” Dick Gibson, Former Senior VP and CIO, Legacy Health provided a detailed presentation on how to drive financial benefit from clinical information systems including a prescription of best practices and methodologies to obtain maximum ROI measurement and benefit.

Overall, the event was extremely well-run and every presenter kept to their time allotment, ensuring plenty of Q&A time for the audience.  In addition, the presenters and keynoters all were highly active in Q&A outside of their own specific presentations, injecting great energy and insight throughout the two-day conference.

The entire agenda for the event is available online, and many of the presenters have made their presentations available via downloadable PDF.  If you were there, what did you take away from the event?


Tags: data_security


Fast Access for Clinicians and Secure Patient Data for IT: Can You Have Both?

May 19, 2010 at 2:00 PM by Dr. Barry Chaiken

A couple of weeks ago I moderated a Healthcare IT News webinar session that examined how hospitals today make patient data easily and securely accessible throughout the clinical workflow.  I was joined by Dr. Zafar Chaudry, CIO of Liverpool Women’s NHS Foundation Trust & Alder Hey Children’s NHS Foundation Trust, and Dr. Lawrence Losey, Pediatrician, Chief of Pediatrics and Chief Medical Information Officer (CMIO) for Parkview Adventist Medical Center.  The session addressed the clinical workflow, process and technology behind providing fast, secure access to patient data, touching on all the areas within a hospital where a workstation sits and anywhere else a clinician may need access.

Dr. Chaudry and Dr. Losey shared their experiences providing fast access to electronic medical records (EMR) for clinicians, as well as strategies and processes for ensuring patient privacy.  Dr. Losey highlighted finger biometrics and remote access as huge draws for physicians; providing doctors with laptops loaded with the applications they need to do their job from anywhere drove EMR adoption for the Parkview team.

Dr. Chaudry discussed how his team organized their approach to streamlining secure access to applications.  By conducting workshops to effectively map the workflow of clinicians, they were able to measure the before and after effect of what the clinical staff did each day to understand if there was indeed a performance improvement.  Findings were telling, as different clinical roles utilized different processes and workflows, which showcased how important it is to take people’s real-world daily activities into consideration when planning any type of shift that impacts clinicians. As such, healthcare access management and secure authentication such as proximity cards and fingerprint biometrics play integral roles in enabling effective, efficient workflows.

The move to electronic systems, as Dr. Losey noted, is “a wonderful opportunity to re-engineer your processes.”  It’s not enough just to computerize a process; you have to step back and ensure the process is the right one in the first place.  Again, it all gets back to clinical workflows.  The points made in this session were quite prescriptive for delivering not only a successful EMR experience but a successful clinical workflow experience that encourages widespread adoption.

The panel also examined the impact of new patient privacy mandates in both the U.K. and the U.S., the role of patient data security, the auditability needed to ensure compliance and the impact on clinician workflow.  Dr. Losey provided some good anecdotes that illustrated how a complete audit trail is the most powerful way to remind clinical staff that they shouldn’t be ‘snooping’ on patient data records that they weren’t involved with.

The session closed with a number of great questions from the audience that sparked continued knowledge sharing from the panelists.  If you weren’t able to attend the live webinar, I suggest checking it out to hear useful insights from some smart medical executives: http://www.imprivata.com/fast_access_for_clinicians_hc_it_webinar

Barry P. Chaiken, MD, FHIMSS

Tags: data_security healthcare_access_management Fingerprint_biometrics secure_authentication


Welcome, Jim Whelan, VP of Imprivata’s North American Healthcare Group

May 5, 2010 at 4:16 PM by Jim Whelan

I’m excited to join Imprivata at a time where healthcare IT, patient data security and clinician workflow efficiencies are front and center in boardrooms and nurses' stations across the country’s healthcare institutions.   With more than 500 hospitals on the customer roster, one million healthcare users and strategic relationships with all of the popular HIS vendors, Imprivata has built a strong foundation that was very attractive for me to join and bring my experiences.  Imprivata’s healthcare pedigree enables us to focus on delivering practical innovations for solving real-world problems surrounding simplifying and securing user access in hospital environments.

HITECH, healthcare reform and patient data breaches are staples of the news headlines, and rightfully so, as this is a year and an age of change anchored by healthcare issues and concerns.    We understand the strategic goals of healthcare organizations are focused on delivering better patient outcomes. At the same time, patient data privacy and user access are focal points in today’s healthcare environment with fines, penalties and negative exposure putting a spotlight on the clear need for effective security.  At Imprivata, we see the opportunity to help healthcare organizations affect positive change by bridging the gap between security and clinical productivity – and we firmly believe these concepts are not mutually exclusive.

In my role at Imprivata leading the North American healthcare group, I’ve had great conversations with customers about their daily challenges.  I look forward to deeper conversations to understand the boardroom issues that drive decisions and to hear from the doctors and nurses on the front lines as to how we can better simplify and secure user access.

I’d love to hear your thoughts, questions and ideas.  Because of our customers, Imprivata has established its market leadership, and we are very thankful for these tremendous relationships.  Please drop me a line with thoughts, comments, ideas or other ways that Imprivata can better help you achieve your healthcare access management objectives – I welcome the conversation, and look forward to it!

Regards,

Jim Whelan


Tags: data_security healthcare_access_management data_breaches user_access


Guest Post: The New Need for Auditing: Privacy and Breach Notification Mandates

March 25, 2010 at 7:57 AM by Ali Pabrai

The HITECH Act, HIPAA, as well as mandates from State regulations (e.g. Massachusetts 201 CMR 17.00), are raising the minimal requirements that organizations such as healthcare-covered entities and business associates must implement to prevent unauthorized access. Further, the Connecticut Attorney General’s lawsuit against Health Net of Connecticut for failing to secure approximately 446,000 enrollees’ Protected Health Information (PHI), and to notify State authorities and enrollees of a security breach, is a reminder that breaches are not just a risk to information, but a risk to the organization.

HITECH Audit Preparedness
Organizations need to take compliance mandates for HIPAA, HITECH and State regulations seriously. Compliance requirements establish the minimal capabilities that organizations must manage and maintain. To be audit-ready, organizations must at a minimum:

  • Ensure a robust life cycle is maintained for account access, modification and termination
  • Ensure proactive audit and monitoring capabilities are used to track and detect unauthorized access
  • Establish Role-Based Access Control (RBAC) to manage job roles and associated access rights (this requires Human Resources to work closely with the Information Technology department)

With the new world order in healthcare driven by privacy and data breach mandates, secure authentication for access to patient information is directly in the sights of state AGs and Federal agencies across the country, in a concerted effort to tighten data security and ensure patient privacy. As such, effective user authentication is a critical component of avoiding potential breaches, and it should enable quick reporting capabilities to prove compliance and the appropriate actions taken should anything happen.

More than ever, the Boards of Directors at hospitals, health systems, business associates and others are taking notice and asking an important question – “is the organization compliant with HIPAA and HITECH mandates?” Are you?

Ali Pabrai, chief executive of ecfirst, is a highly sought-after security and compliance expert. He is also author of the executive brief Cyber Security Strategy: The 4 Laws of Information Security. Pabrai was the first to launch a program focused on global information security regulations, the Certified Security Compliance Specialist™ (CSCS™) program. The CSCS™ program addresses PCI DSS, FISMA, ISO 27001/27002 and other security regulations and standards.


Tags: data_security HIPAA_compliance user_authentication secure_authentication


Seven Habits of Highly-Effective Healthcare Security (without Sacrificing Clinician Workflow)

March 22, 2010 at 3:49 PM by David Ting

Healthcare access management plays an integral role in the healthcare industry these days, with patient data security and breach disclosure notification mandates front and center with HIPAA compliance, HITECH incentives and other mandates from various parts of the world focused on protecting personal health information (PHI).

Coming out of HIMSS 2010, it was clear that patient data security was a chief concern, but so was the need for improved clinician workflows.  For all the requirements driven by new laws and the stimulus bill, what was overlooked was the impact of security in the real-world hospital environment from a user perspective.  Forcing someone to change habits and daily routines is difficult, if not impossible, to do. Therefore, it is integral to the successful adoption of these security endeavors that they be paired with improving workflow.  If change makes people’s lives easier, it’s easier for them to embrace.  It doesn’t need to be an either/or argument.  

As such, here are our seven habits of highly-effective healthcare security:

  • Ensure adequate password complexity across system and application logons to protect PHI
  • Auto-generate strong passwords where possible to simplify the backend security process; take the task out of your hands and focus your attention where it can be better utilized
  • Rely on technology that is easy to implement (for you) and support (for your users)
  • Select strong authentication technologies (e.g., fingerprint biometrics) that simplify user access to help achieve user adoption
  • Seek solutions that have built-in audit logging and reporting capabilities; when compliance audits knock, proof should be a quick click away
  • Manage password resets through a self-service portal: enabling clinicians to solve simple password problems themselves eliminates unnecessary IT costs and reduces instances of password sharing across the medical unit or nurses’ station
  • Fast access termination across systems and applications is mission-critical, as unattended workstations create a gaping hole in even the best-laid security plans

From a high level, aligning with these habits can help secure user access in your healthcare organization, but as I mentioned, workflow MUST be improved at the same time. Be sure whatever security solutions you’re deploying are easy for users to embrace.  Practical security innovations born from real-world clinician workflows can deliver the best in both transparent security and user productivity.  This is why the use of healthcare single sign-on and strong authentication that is easy for clinicians to use and doesn’t disrupt workflow is so attractive.

Do you have any good healthcare security habits to share?   We’d love to hear them!


--David


Tags: Fingerprint_biometrics HIPAA_compliance strong_authentication biometric_authentication healthcare_single_sign_on data_breach healthcare_access_management password_sharing


Mass 201 CMR 17.00: When State Compliance Kicks in, How Do You Respond?

March 11, 2010 at 8:08 PM by David Ting

While many of us were down at HIMSS 2010, on March 1, 2010, Mass 201 CMR 17.00 officially went into effect:

17.05: Compliance Deadline

(1) Every person who owns or licenses personal information about a resident of the Commonwealth shall be in full compliance with 201 CMR 17.00 on or before March 1, 2010.

We began talking about this Massachusetts data privacy regulation and what it means back in November 2008, and continued the discussion on this blog in September 2009 as the compliance deadline was pushed off numerous times throughout the course of 2009.  Now, the day has finally come, and Mass 201 CMR 17.00 is officially here and active. 

As you may know, Massachusetts is at the forefront with legislation that creates standards for protecting personal information in both paper and electronic format.  A key purpose of the standards is to “protect against unauthorized access to or use of such information that may result in substantial harm or inconvenience to any consumer” and minimize overall security risk.

While we’ve examined the specific parameters in our previous blog posts on the topic, it’s important to recognize what companies must do now if they own or license information about a resident of the Commonwealth.  A majority of the provisions in the Mass 201 CMR 17.00 standards center on securing access to data, so it’s crucial to:

• Map where personal information resides in your company
• Inventory which applications access and/or store personal information
• Understand which third-party service providers access this personal information
• Ensure only appropriate, authorized access to data by personnel by deploying appropriate user authentication technologies
• Assign unique identifications such as fingerprint biometrics plus strong passwords to fortify security and eliminate password sharing… then streamline the log-on/off process by single-sign-on-enabling applications
• Monitor and report on access to personal information to ensure compliance
• Regularly educate and train users on appropriate system use and the importance of securing personal information

If you’ve accounted for the above, you’re well on your way toward compliance.  If not, what are you going to do when the Commonwealth of Massachusetts comes knocking?   Do you really want to find out?

--David

Tags: security_risk password_sharing user_authentication fingerprint_biometrics


HIMSS 2010: Meaningful Use, EMR Standards, Clinician Workflows, Security, Oh My!

March 7, 2010 at 6:38 PM by David Ting

This year’s HIMSS was quite an active conference, with healthcare IT a national focal point with new legislation and stimulus funding being funneled into reform and modernization initiatives. 

To kick off the conference, Imprivata chief medical officer Dr. Barry Chaiken, who is the current chair of HIMSS, highlighted the need for healthcare IT solutions to drive positive industry change. Here are some pull-outs from an InformationWeek blog covering the event that capture the sentiment well:

In his opening keynote address at the conference, Dr. Barry Chaiken, HIMSS chairman and chief medical officer of Imprivata, put the onus on the industry to create "healthcare IT solutions that are so compelling, so irresistible, that people just want to use them. We cannot rely on incentive programs or executive orders. We must create demand."

There's a raw energy at HIMSS reminiscent of the broader IT industry's go-go days, when there were myriad vendors and incomplete standards and fractious debates and lots of customer uncertainty, but when there was an unshakeable belief that IT could still change the world.

In his opening address, Dr. Chaiken captured that vibe, calling on the HIMSS membership to rise to the challenge. "Through the implementation of compelling healthcare IT solutions, you must transform the way healthcare is provided in this country, not the president, not Congress, not clinicians--you. If you don't do it, it will not happen. You must step forward and you must lead."

At Imprivata’s booth, we had a constant flow of booth traffic, and we received great response to our interactive theater demonstrations – people loved watching our folks act out real-world scenarios vs. watching a canned demo loop on a monitor.  Having a live operational system at the booth allowed us to explore details of the product with customers and prospects with specific questions.

People were especially excited about our OneSign Secure Walk-Away solution for protecting unattended hospital workstations from unauthorized access, and Privacy Alert spurred a lot of interest and engaging conversations with IT and Privacy executives alike.  There were lots of high-energy discussions, mostly centered around definitions of meaningful use, EMR interoperability and the creation/non-existence of standards, clinical workflows, healthcare access management and data security breach issues – and more than a few jabs on the outcome of the Olympics!

This set the tone for the entire conference, and everyone contributed to a great gathering focused on pushing industry progress forward – presenters, vendors and attendees alike.  At Imprivata, we’re coming away from HIMSS 2010 energized for what the future holds in healthcare.  We’re ready to make a difference.  Are you?


Tags: healthcare_access_management security_breach


Guest Post: ecfirst CEO, Ali Pabrai, on HITECH’s Meaningful Use and Compliance

February 23, 2010 at 12:35 PM by Ali Pabrai

There’s a lot of discussion around meaningful use, its definition and how organizations can obtain the government incentives that recent legislation promises. However, in the dash for these types of healthcare IT investment reimbursements, one must not overlook the role of security risk in satisfying compliance requirements.

For instance, the Centers for Medicare & Medicaid Services (CMS) will withhold meaningful use payment for any entity until any confirmed HIPAA privacy or security violation has been resolved.  At the state level, State Medicaid administrators will also withhold meaningful use payment for any entity until any confirmed state privacy or security violation has been resolved. Compliance with HIPAA’s Privacy & Security Rules remains an integral part of the meaningful use definition as a policy priority, with corresponding goals and objectives for 2011 that organizations must achieve.  For example, physicians are eligible to receive up to $44,000 in total incentives per physician from Medicare for “meaningful use” of a certified Electronic Health Record (EHR) starting in 2011. However, these EHR initiatives are coupled with strong mandates for privacy and security compliance that must be addressed.

In a HIPAA compliance audit, the policies, procedures and capabilities that the Office for Civil Rights (OCR) would review include the area of Identity and Access Management (IAM). Specifically, the investigation includes a review of IAM processes related to:

  • Establishing user access for new and existing employees
  • List of secure authentication methods for users authorized to access EPHI
  • Monitoring systems use - authorized and unauthorized
  • Granting, approving, and monitoring systems access (for example, by level, role, and job function)
  • Termination of systems access

Keep in mind that compliance mandates represent minimal capabilities that organizations must implement and manage pro-actively. HIPAA and HITECH are the floor and not the ceiling of the core capabilities required to enable a resilient organization. This requires that your information security strategy be risk-based, pro-active and integrated.

Ali Pabrai, chief executive of ecfirst, is a highly sought-after security and compliance expert. He is also author of the executive brief Cyber Security Strategy: The 4 Laws of Information Security. Pabrai was the first to launch a program focused on global information security regulations, the Certified Security Compliance Specialist™ (CSCS™) program. The CSCS™ program addresses PCI DSS, FISMA, ISO 27001/27002 and other security regulations and standards.


Tags: HIPAA_compliance security_risk secure_authentication


Seven Critical Steps for Preparing for HIPAA & HITECH Audits

February 10, 2010 at 1:08 PM by David Ting

On Thursday, Feb. 11 @ 1pm ET, please join me and cyber security and compliance expert Ali Pabrai of ecfirst for a can’t-miss Webinar outlining the critical steps for preparing for HITECH & HIPAA compliance audits.  It’s a must-attend session with enforceable HITECH requirements taking effect Feb. 18, 2010 and HIMSS 2010 a short few weeks away.

To register for this event, please visit the Critical Steps for IAM Compliance page, which provides more details of what this Webinar will cover, including:

• Key considerations for IAM Compliance in healthcare organizations
• How to comply with security controls while maintaining a high level of productivity
• A checklist to prepare for audits by the Office for Civil Rights (OCR) for HIPAA & HITECH

If you’re unable to attend the live Webinar, an archived version will soon be available on Imprivata’s Events Archive page, where you can find numerous topical Webinars that are useful for gaining insights from industry thought leaders and from real-world deployments of single sign-on and user authentication for securing user access to information.

--David

Tags: user_authentication HIPAA


Barriers to EHR Implementation: Fact and Fun

February 5, 2010 at 7:45 PM by David Ting

Over at the Life as a Healthcare CIO blog, John D. Halamka MD captured a list of top barriers to electronic health record (EHR) implementations, then added on with another ‘Top 10’ that puts a little fun into the serious business of EHRs. Below are barriers that stood out to me from a data security and healthcare access management perspective, and I urge you to check out John’s blog for more specifics – definitely worth the read and a great source of information.


Key Barriers to deploying EHR worth noting:

#10. Usability – products are hard to use and not well-engineered for clinical workflow

#8. Fear of lost productivity – clinicians are concerned they will lose 25% of their productivity for 3 months after implementations.  Administrators are worried that the clinicians are right.

#5. Privacy – there is significant local variation in privacy policy and consent management strategies.


And my favorite tongue-in-cheek barriers John highlighted in his post:

#4. You read about your security breaches in the New York Times

#3. Patients get to go home early because clinicians are busy implementing software


Click over to John’s post for the full lists and the #1 reasons; both are worth the quick read!

--David


Tags: data_security access_management


Live from the National HIPAA Summit

February 4, 2010 at 2:56 PM by Tom McDermott

Greetings from the Eighteenth National HIPAA Summit in Washington, DC!  It’s turned out to be an interesting event pulling in an array of people as it is co-located with the National Health IT Summit for Government Leaders, the National Health Information Exchange (HIE) Summit and the International mHealth Networking and Web Conference.


Mid-way through the week-long event, there are some notable highlights from the conversations I’m having, and from the chatter on the floor and the breakout rooms.  In no particular order:


• Federal vs. State in a Vivid Debate: There are a number of tracks focused on the impact of healthcare reform on federal and state agencies, driven by conversations trying to figure out which way responsibility will ultimately fall.  With many guidelines already established, there still remains ambiguity as to how HITECH responsibility will play out.

• The Term of the Event is ‘Breach’:  HITECH mandates are largely focused on data breach notification, with new stringent requirements for healthcare organizations to quickly report when patient information may be/is compromised.  The central questions here are two-fold: Will HITECH truly have enough teeth?  And, will efforts be in the form of a Federal response, or will action, lawsuits, penalties and fines fall on the state AGs to pursue?

• Collaboration is Brewing: Increasing collaboration between public and private sector organizations is in great demand.  Between the use of new tools, more openness and greater transparency, all focused on facilitating information sharing and efficiencies, increased public-private collaboration is a key desire among attendees.

• EMRs aren’t as easy as A.B.C.: As expected, Electronic Medical Records (EMRs) are the hot topic here.  From standards and technologies to business processes and data security to intra- and inter-organizational ownership, EMRs continue to be a focal point as organizations migrate their records to digital format and seek the security and efficiencies necessary for clinicians and staff to embrace them.

• A Herd of HIPAA Privacy Officers:  Overwhelmingly, but not surprisingly, a large majority of attendees have roles/titles such as HIPAA privacy officer, many of whom are working towards getting HIPAA compliance certification by attending sessions earlier in the week.  Surprisingly, I thought there would be more attendees from the IT manager/director or CIO levels.


Overall, there is a tremendous amount of information being passed around that attendees are trying to digest – what’s pertinent for them to take away and act upon, and what is not pertinent to their daily jobs.  Most are speaking with vendors to understand their role in the overall HITECH/HIPAA ecosystem in regards to healthcare reform and legislation as it directly applies to their organizations, beyond the bells and whistles of features and functionality.


--Tom McDermott


Tags: data_security HIPAA_compliance data_breach


HITECH Act: One Year Later, Are you Ready for Compliance?

February 3, 2010 at 7:25 AM by David Ting

On Feb. 17, 2009, the HITECH Act was enacted, giving birth to new tiered civil monetary penalties for data breach violations, new powers for state attorneys general (AGs) for class-action pursuit and new guidelines for technology and methodologies that render data “unusable, unreadable or indecipherable.”  While we previously covered how HITECH will make available $2.0 billion in grant money for organizations to transition to electronic medical records (EMRs) and deploy appropriate security measures, the time is now upon us for full compliance.  Otherwise, organizations risk significant penalties from the Department of Health and Human Services (HHS) / Office for Civil Rights (OCR).

The Healthcare & Technology blog has a good, quick post with some useful resources:

• HIPAA Survival Guide: an overview of the HITECH Act and HIPAA, minus the legalese
• HITECH Act Effective Dates: a calendar of key dates you need to know

Beginning Feb. 18, 2010, one year later, civil penalties and settlements will now be enforced, and HHS will be required to begin conducting mandatory audits.  Key take-aways are:

• Data Breach Notification: A significant focus of the HITECH Act and its related penalties is around data breach notification requirements for unauthorized uses and disclosures of “unsecured PHI.”  Whether intentional or accidental, patients have the right to know if their data has been compromised, and HITECH outlines a variety of penalties and disclosure parameters.
• Broader Definition of “Business Associates” bound by HITECH Mandates: The definition of business associate as it applies to HIPAA/HITECH is critical to understand: in short, any person or entity who is involved with the use or disclosure of individually identifiable health information.  Make sure you know who your business associates are to avoid unforeseen violations!

The links and online resources above provide a good, easy-to-read overview of the act, important dates and repercussions for non-compliance.  With the first anniversary of the HITECH Act mere weeks away, this should serve as a vivid reminder that healthcare organizations now need to ensure patient data security with the appropriate levels of user authentication, both within the walls of the organization and within those of their business associates.

--David


Tags: data_security data_breach user_authentication


2010 Look Ahead: Chief Security Concerns for Chief Executives

January 13, 2010 at 1:22 PM by David Ting

As we turn the page to 2010 and look to delve into the top–level security concerns that lie ahead, we’d be remiss not to reflect on those security events that helped shape 2009 into the ‘year of the data breach,’ and take these as learning experiences for the New Year.

With the economy in its worst state in decades, we saw IT budgets decimated and security threats evolve into clever, sophisticated entities that caused serious havoc for organizations.  Do the names Kaiser Permanente, Fannie Mae and Stens Corporation ring a bell?  These big name organizations experienced some of the most high-profile data breaches as a result of poor security and access management policies.  And whether it is a result of disgruntled employees, inappropriate password sharing or terminated employees retaining access rights, these events point to a trend that isn’t going away. 

Now let’s focus our attention back on 2010 and break down the top-level security concerns chief executives need to focus on to protect the integrity of their organization.  The global economic downturn and wave of breaches mentioned above are clear indicators that these types of activities are only going to propagate more strongly in 2010, as threats are not only escalating but becoming more sophisticated and damaging. To help protect these organizations, we are seeing an increased number of federal compliance regulations set in place: the HITECH Act, Data Breach Notification Laws, HIPAA, Meaningful Use of EMRs, etc.

Understanding these regulations and having strong security policies in place are critical to starting 2010 off on the right foot.  On Wednesday, January 27th we will be conducting a webinar demo of Imprivata OneSign and will have a discussion on how technologies such as single sign-on (SSO) strengthen user authentication to network applications, streamline application access and simplify the process of compliance reporting, key elements to understanding the changing security landscape in 2010.  We encourage you to attend and participate, and share your ideas for the New Year.

--David

Tags: Single_Sign-On onesign data_breaches user_authentication HIPAA access_management security application_access password_sharing


Security Wish List and This Year’s Ultimate Strong Authentication Stocking Stuffer

December 23, 2009 at 10:22 AM by David Ting

2009 was a tough year with the global economic downturn resulting in unprecedented workforce reductions.  As a result, security risk from insider breaches has never been greater.  Now, as we look to turn the page to 2010, it’s already clear that organizations will continue to go beyond the traditional levels of network access security by implementing policies that require users to provide a second form of identity to gain access to IT resources.

Once considered an unnecessary form of security, strong authentication has materialized into an essential part of data security best practices.  In fact, most regulatory bodies are now starting to mandate the use of strong authentication.  The need for organizations to implement multiple types of strong authentication options is driven primarily by user environment, habits and workflow.  While there are several options available (biometrics, One-Time-Password (OTP) tokens, proximity cards, USB tokens, smart cards), there’s only one that stands apart as the strong authentication must-have this holiday season: proximity cards.

After speaking with a slew of OneSign customers in recent months to hear how their single sign-on (SSO) experiences are going and to get a grasp on what their future security plans entail, the common denominator amongst these initiatives is the use of proximity cards.  Proximity cards are a practical and affordable way for organizations to gain greater control of their physical access systems and meet regulatory compliance demands. They also serve as an effective way to achieve a comprehensive view of who is accessing what, when, and from where.

Across industries including financial services, government and healthcare, proximity cards are the strong authentication modality of choice for chief executives as they look to further leverage their existing network systems, achieve holistic security postures and meet budgetary concerns.  They also make for great stocking stuffers for the security guru looking to protect their family from an insider attack.

What’s on your security wish list this holiday season?

Tags: insider_breaches strong_authentication network_access proximity_cards compliance


Bill McQuaid Named Computerworld Premier IT Leader for 2010

December 10, 2009 at 10:57 AM by David Ting

This week, Computerworld announced the honorees for its annual Premier IT Leaders awards program, and we’d like to congratulate Imprivata customer Bill McQuaid of Parkview Adventist Medical Center for making the 2010 list!  Bill was recognized for his innovative approach to electronic medical records (EMR) and the significant contribution he has made to Parkview’s healthcare IT infrastructure.

Bill and the Parkview team have had a record year including the prestigious achievement of earning HIMSS Analytics Stage 6 EMR Adoption Status.  When Parkview first embarked on the move to EMR, Bill had the foresight to anticipate the password management issues associated with accessing digital records, and his team incorporated single sign-on (SSO) and finger biometrics into the project.  This initiative provided Parkview’s clinicians and staff secure and full access to the applications they needed, while helping the hospital comply with HIPAA.

This marks the second time in as many years that one of Imprivata's customers has been recognized by Computerworld for their technological achievements, as Michael Krouse was honored in 2009 for successfully transforming OhioHealth into a fully paperless facility, deploying Imprivata OneSign for secure and convenient access to electronic records.

Both Bill and Michael’s accomplishments are indicative of the role SSO and authentication management solutions can play when moving to EMR.

Tags: HIPAA healthcare EMR password_management authentication_management finger_biometrics


SSO and Password Management Best Practices

December 9, 2009 at 7:27 AM by David Ting

Imprivata’s Geoff Hogan authored an article for Security Technology Executive last month titled “Passwords in Peril” that delves into the password management conundrum organizations face with the growing number of applications employees use daily.  While the article succinctly summarizes the helpdesk cost issue, the employee productivity hit and the data security vulnerabilities that a runaway password management problem causes, it also highlights effective single sign-on (SSO) strategies and tactics to overcome these challenges.

I wanted to take this opportunity to pull out a couple of SSO and Password Management best practices that Geoff covered, while adding a couple more.

When Choosing an SSO Solution:

• Scrutinize your real business issues before engaging.  Technology can only truly help if it is guided to solve the right problems; an undirected experiment without clear goals won’t lead to long-term benefit for vendor or buyer and will result in wasted cycles.
• Choose a solution that is easy to deploy without modifying your existing infrastructure.  If anything goes awry, there is no “Easy Button” to undo expensive custom code or change policies without severe headaches or business interruption.  Be sure the undo is as easy as the deployment.
• Make sure an SSO solution fully supports the management of multiple strong authentication methods.  This provides the flexibility to segment employees and empower them with the specific user authentication they’ll quickly adopt while ensuring the appropriate levels of security.

When Deploying an SSO Solution:

• Don’t recreate the workflow wheel.  Making employees change their daily behavior and jump through security hoops is a surefire way to stifle adoption, and you’ll find users trying to circumvent the system.  Make SSO easy for employees to embrace by minimizing change.
• Regularly conduct educational sessions.  While SSO should be inherently easy to use, educational sessions for employees around company policies and the technologies that support them are key to getting buy-in and making secure authentication the new status quo.
• Find the internal influencers.  Every organization has people that set the tone, regardless of level.  Get them on board with how easy SSO is and how it improves productivity, and the rest will follow their lead.  Understanding the social influences within a business can help effect positive change.

These are just a few tips.  What other best practices do you follow?

--David

Tags: secure_authentication strong_authentication data_security password_management user_authentication


Evaluating SSO solutions? Be sure to ask the right questions

November 25, 2009 at 5:17 PM by David Ting

The right single sign-on (SSO) solution can resolve your password management issues by enabling users to sign in only once to the network and have access to all the applications they are authorized to access—eliminating password headaches and enabling productivity.  However, some SSO solutions raise as many issues as they promise to solve: the cost of purchase can be quite high, and the complexity of implementation and management can overwhelm IT departments.

As you start your SSO vendor evaluation process, it’s important to know what questions to ask to ensure that you have a thorough understanding of the complete solution including product features and functionality, implementation and deployment, and ongoing management.

Sample questions across important categories include:

  • Application Support: Does the product require you to write scripts, create and support custom bridges, use proprietary APIs or change the way the application works? If so, how will you maintain and test the bridges, and what is the cost?
  • Integration with Existing Infrastructure: Does the solution require any permanent extensions or modifications to your directory schema?  Does the solution require additional software or hardware in order to provide reporting capabilities and appropriate redundancy in the report database?
  • Ongoing Management Support: What encryption technology is used to secure the credentials?
  • User Workflow:  Do users roam from workstation to workstation in their workflow? Does the product support saving and restoring the desktop state as the user roams?

If you’re looking for an SSO solution, and want to know what questions to ask prospective vendors and what criteria to judge solutions on, download our free Evaluation Tool for SSO Vendor Selection.

Tags: password_management


Five Security Considerations when Deploying EMR

November 17, 2009 at 8:22 AM by David Ting

EMRs are the hot topic du jour and rightfully so with the tax incentives and federal grants tied to them, as well as the overall efficiencies they bring to the healthcare industry. The conversation is only now starting to talk about the role of secure access in deploying EMRs, and I project this will increase in importance and awareness in 2010.

 To stay ahead of things, here are five security considerations organizations should plan for as they deploy EMRs:

• The User’s Perspective is Vital

  Just because patient information is moving to an electronic format doesn’t mean the complexity and number of passwords needed to access data decreases.  It is important to consider how this migration will impact clinician workflow, as any hiccup or disruption in the healthcare setting can be detrimental to patient data security.  Single sign-on technologies, for instance, not only decrease the number of passwords to remember, but they also have a direct impact on user workflow and productivity improvements.

• Strong Authentication Remains a Security Priority

  Combining EMRs with employee workflow improvements can be further augmented by utilizing strong authentication, fingerprint biometrics and other modes of two-factor authentication, such as proximity badges, to ensure secure access is limited to those who are truly authorized.  Readers of this blog already know the importance of strong authentication: its role and value to the healthcare sector will be vital to data security as EMRs become more widespread.

• Auditing of Access is a Patient Right

  Patients have the right to know who has accessed their information and when, and by law, healthcare organizations are required to track this information.  Organizations need to be sure they have a system in place that can quickly and easily report on healthcare access management details including: password sharing, what applications users are authorized to access, and what credentials they are using.

• Compliance is Still King

  Let’s not forget that, although hospitals are being incented to use EMR, this transition cannot be made at the expense of compliance.  Government mandates such as the Health Insurance Portability and Accountability Act (HIPAA) were put in place to protect patient information.  Electronic medical records are more efficient than paper-based systems, but that shift brings with it a new environment that must be proven secure; otherwise there is a risk of fines, penalties and/or reputational damage.

• Federation of Identities Equates to a New Level of Required Trust

  Federated identity establishes mutual trust between organizations and systems, enabling the portability of identity information between systems and thus allowing secure access.  This plays a central role in the expected efficiencies of EMRs because of the various requirements for patient data privacy, secure access and compliance.  This emphasizes the need for secure authentication within one’s own system in order to ensure that trust with other systems can be guaranteed and benefits can be realized.

Tags: Fingerprint_biometrics strong_authentication password_sharing data_security secure_authentication healthcare_access_management two-factor_authentication


HIMSS Virtual Conference Box Butte General Hospital -- VDI, Productivity and the User Experience

November 5, 2009 at 11:55 AM by David Ting

The HIMSS Virtual Conference occurred this week, covering a myriad of topics ranging from Electronic Health Records (EHRs), the impact of the HITECH Act and workflow optimization to privacy and security in the cloud for healthcare systems.

One presentation that readers of this blog may find useful was that from Box Butte General Hospital on Nov. 4 at 9:00am CT (you can register on the site for access; HIMSS members can already access it online).  Here’s a brief synopsis from the session description highlighting what was covered in the presentation:

  • Describe attainable savings to a hospital after implementation of virtualized desktop infrastructure (VDI) and single sign-on (SSO)
  • Recognize how the use of technologies such as SSO, strong authentication and virtualization increase productivity, improve security and improve user convenience
  • Explain how replacing PCs with virtualized desktops, in conjunction with an SSO and strong authentication deployment, can garner healthcare organizations significant annual savings associated with password management and electricity bills

Congrats to Tony Hindman and Mandy Whaley of Box Butte General Hospital on an insightful session.  Thanks for sharing your experiences and innovative approach to healthcare access management.

Tags: strong_authentication healthcare_access_management password_management


Halloween Scary Security Stories – Healthcare Security Risks

October 30, 2009 at 11:28 AM by David Ting

This week, I took part in Network World’s annual real-life scary security stories podcast, a panel hosted by Keith Shaw that looks at some of the most frightful security incidents over the past year.  This year, I focused on some of the data security incidents that are becoming all too common in the healthcare industry.

It seems like we read about a new healthcare-related data breach every other week – whether it’s celebrity records being exposed, or a case like the Virginia Department of Health exposing more than 8 million patient records.  For security officers and CIOs in healthcare, a bigger scare is found in the new fines imposed by states like California, where organizations are fined up to $250,000 for each data breach incident.

These incidents, and the harsh penalties being enacted, have forced the healthcare industry to take a closer look at their security practices.  Most organizations understand the need for strong authentication – using technologies such as biometric fingerprints to ensure that only the properly credentialed can access sensitive data.  While this prevents the wrong people from accessing your systems, it doesn’t address the growing concern of unintentional data breaches caused through inadvertent access.

Inadvertent access occurs when someone is authenticated into a system but accidentally leaves the access open on the workstation they’re using.  Here’s one story I shared with Keith:

• A customer I spoke with had a small clinical practice with three examination rooms, each containing a computer.  As the nurse walks in, she securely authenticates into the workstation to log patient data.  When she’s finished, she locks the station and goes to get the doctor.  As the doctor comes in to see the patient, he re-authenticates into the system, adds his patient notes and diagnosis, then leaves to check on another patient – leaving the system unlocked.  The patient now has access to his medical record and can see all the notes the doctor wrote, while having the ability to access other records in the system.

In the instance above, the healthcare organization was sued by the patient, who looked at his own record and didn’t like what the doctor had written about him.

Scary stuff – despite properly authenticating users, unintentionally leaving the system open created a security hole that circumvented these controls.  I’ve blogged about the importance of walk-away security in the past, which can close the other side of the security gate and prevent unintentional access from occurring.
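The audit consideration in the EMR post above (reporting who accessed what, when and from where, and spotting password sharing) and the walk-away story here both come down to the same thing: replaying the access events an endpoint agent records. What follows is an added example written for this page, not code from the original post, from OneSign or from any product. It is a small Python analyzer over a constructed audit-line format (the field layout, timestamps, account names and workstation names are all invented for the demonstration) that flags an account logging in on a second workstation while still live on a first, measures the longest stretch each session sat unlocked with no keyboard or mouse activity, and lists every session as an access report.

```python
"""Replay endpoint access events for two audit questions: is one credential live
on two workstations at once (a password-sharing indicator), and how long did a
session sit unlocked with nobody at the keyboard (the walk-away case)?
Added example; the line format, accounts and workstation names are constructed:
    <ISO timestamp> <LOGIN|ACTIVITY|LOCK|UNLOCK|LOGOUT> user=<account> ws=<workstation>
ACTIVITY stands for a periodic keyboard/mouse heartbeat from the endpoint agent.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Constructed sample: a nurse locks before leaving, a doctor walks away without
# locking, and a front-desk account appears on a lab workstation mid-session.
SAMPLE_LOG = """\
2009-10-28T09:00:00 LOGIN    user=nurse.rn   ws=EXAM2
2009-10-28T09:04:00 ACTIVITY user=nurse.rn   ws=EXAM2
2009-10-28T09:05:00 LOCK     user=nurse.rn   ws=EXAM2
2009-10-28T09:06:00 LOGIN    user=dr.jones   ws=EXAM2
2009-10-28T09:09:00 ACTIVITY user=dr.jones   ws=EXAM2
2009-10-28T09:31:00 LOGOUT   user=dr.jones   ws=EXAM2
2009-10-28T09:15:00 LOGIN    user=unit.clerk ws=FRONTDESK
2009-10-28T09:16:00 ACTIVITY user=unit.clerk ws=FRONTDESK
2009-10-28T09:19:00 ACTIVITY user=unit.clerk ws=FRONTDESK
2009-10-28T09:20:00 LOGIN    user=unit.clerk ws=LAB1
2009-10-28T09:21:00 ACTIVITY user=unit.clerk ws=LAB1
2009-10-28T09:22:00 LOGOUT   user=unit.clerk ws=LAB1
2009-10-28T09:23:00 ACTIVITY user=unit.clerk ws=FRONTDESK
2009-10-28T09:25:00 LOGOUT   user=unit.clerk ws=FRONTDESK
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kind>LOGIN|ACTIVITY|LOCK|UNLOCK|LOGOUT)"
                     r"\s+user=(?P<user>\S+)\s+ws=(?P<ws>\S+)$")

@dataclass
class Session:
    user: str
    ws: str
    start: datetime
    last_seen: datetime                   # last evidence that a person was present
    locked: bool = False
    end: Optional[datetime] = None
    unattended: timedelta = timedelta(0)  # longest unlocked gap with no activity

def parse_log(text):
    """Return (ts, kind, user, ws) tuples sorted by time; refuse malformed lines."""
    events = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unparseable audit line: {raw!r}")
        events.append((datetime.fromisoformat(m["ts"]), m["kind"], m["user"], m["ws"]))
    events.sort(key=lambda e: e[0])       # collectors rarely deliver events in order
    return events

def replay(events):
    """Rebuild one Session per (user, workstation) and record every login that
    overlaps a live session of the same account on another workstation."""
    live, finished, sharing = {}, [], []
    for ts, kind, user, ws in events:
        key = (user, ws)
        if kind == "LOGIN":
            for u, other_ws in list(live):
                if u == user and other_ws != ws:
                    sharing.append((ts, user, ws, other_ws))
            if key in live:               # re-login without logout: close the old one
                finished.append(live.pop(key))
            live[key] = Session(user, ws, ts, ts)
            continue
        s = live.get(key)
        if s is None:                     # no LOGIN for it inside this log window
            continue
        if not s.locked:                  # screen has been open since last_seen
            s.unattended = max(s.unattended, ts - s.last_seen)
        if kind == "ACTIVITY":
            s.last_seen = ts
        elif kind == "LOCK":
            s.locked = True
        elif kind == "UNLOCK":
            s.locked, s.last_seen = False, ts
        elif kind == "LOGOUT":
            s.end = ts
            finished.append(live.pop(key))
    finished.extend(live.values())        # sessions still open at end of log
    return sorted(finished, key=lambda s: (s.start, s.ws)), sharing

def analyze(log_text, idle_limit=timedelta(minutes=5)):
    """Three audit views: sharing indicators, sessions idle past the limit, and
    who was logged in where and when."""
    sessions, sharing = replay(parse_log(log_text))
    return {
        "shared_credential_logins": [(ts.isoformat(), u, ws, o) for ts, u, ws, o in sharing],
        "unattended_sessions": [(s.user, s.ws, int(s.unattended.total_seconds() // 60))
                                for s in sessions if s.unattended > idle_limit],
        "access_report": [(s.user, s.ws, s.start.isoformat(),
                           s.end.isoformat() if s.end else "open") for s in sessions],
    }
```

Calling `analyze(SAMPLE_LOG)` reports the doctor’s EXAM2 session as 22 minutes unlocked and unattended, the front-desk account logging in on LAB1 while still live on FRONTDESK, and the nurse’s session as clean because she locked within the limit. Treat the sharing list as leads rather than proof: a roaming clinician in an SSO environment that records the move as a roam rather than a second login will not appear, but one that records two plain logins will, so the idle limit and the interpretation of overlaps both need tuning to the site’s workflow.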

Have a scary security story to share?  Email me and let me know.

Tags: strong_authentication data_security security_risks biometric_fingerprints


Identifying Identity Resources, Part II

October 22, 2009 at 9:36 AM by David Ting

 

Back when this blog was in its infancy, we outlined a number of identity management resources that readers should check out.  Those blogs are still on the “must-read” list, but there are a number of new ones that have popped up that people interested in identity and access management may find useful.

• The Health Care Blog: this blog covers everything from electronic health records (EHRs) and HIPAA compliance to HITECH and Health 2.0, often with amusing headlines and relevant details to get the most pressing issues across succinctly.
• ITBusinessEdge’s Authentication Systems channel: this covers opinion pieces and news, ranging from fingerprint biometrics and other forms of strong authentication to password policy and security risk.
• FierceEMR: “Mapping the future of Healthcare Information,” this site combines news with opinion on topics ranging from electronic medical records (EMRs), health information exchanges, healthcare access management, interoperability and deployment updates.
• Healthcare & Technology blog: this blog covers the high-level healthcare IT issues and trends while also pulling in various graphics, charts and video to help tell the story.
• Planet Identity blog: this blog aggregates blogs related to identity management topics, leaning towards the technical while pulling through data, survey findings and trends from some of the most highly-subscribed blog feeds.

Tags: identity_and_access strong_authentication management healthcare_access_management password_policy security_risk identity_management


EMR Survey Finds Best Value Resides in Secondary Uses, but what about Data Security?

October 15, 2009 at 7:49 AM by David Ting

I read a good article on FierceEMR recently surrounding a PricewaterhouseCoopers survey on electronic medical records (EMRs) that indicated that the secondary use of this information may be an organization’s greatest asset over the next five years. An overwhelming 76 percent of respondents agreed, and pointed to the abilities for mined data to decrease healthcare costs, predict public health trends and improve patient care. EMRs, with vendors such as Allscripts, NextGen and QuadraMed blazing the trail, have been a huge focal point of healthcare payers and providers, pharmaceutical companies and the general public with healthcare reform a primary platform of the Administration.

The PwC report highlighted that hundreds of billions of terabytes of health data are now being collected in EMRs. The focus of the report calls on all the wonderful potential that de-identified and aggregated data can produce for doctors, researchers, insurance companies and pharma manufacturers. According to the press release, the healthcare industry won’t see the full value of EMR and other healthcare IT investments until it adopts standards and subsequently finds secondary uses of EMR data.

While there is significant opportunity with EMR data, the report only briefly calls out concerns, centered on respondents’ feelings that the industry needs better guidelines on how information can be used and shared. Full-on security of the data has been a topic largely ignored by the populace pushing for healthcare reform and EMR standardization.

What about Data Security?
What is glossed over is the need to secure access to EMR data. With so much data being collected, analyzed and shared, organizations need to get a handle on who has access to this data, through which systems and with which safeguards. Who is authorized, how are they authenticated, and how can companies ensure compliance with policies and procedures?

We’ve seen the problems caused by celebrity medical records being breached by hospital employees. Take that issue and multiply it exponentially as the billions of terabytes of EMR data translates into billions of dollars in market opportunity over the coming decades for healthcare providers, insurance companies and pharmaceutical manufacturers. This will spawn a new wave of insider threats, and healthcare access management must be dealt with during the formative stages of EMR deployments… as the old adage states, “an ounce of prevention is worth a pound of cure.”

Tags: data_security healthcare_access_management


Observations from the 2009 Cerner Health Conference

October 8, 2009 at 9:56 AM by Jon Hamdorf

I just left the annual Cerner Health Conference in Kansas City, where clinical and technical users of Cerner software gather to share ideas, best practices and technology solutions that are molding the future of healthcare.

As is the case year after year, I am truly amazed at Cerner’s representation of the worldwide market. There were representatives from healthcare facilities from around the globe - Australia, Dubai, South America, Canada - all here to discuss their Cerner healthcare IT systems and share their experiences with new and innovative healthcare solutions.

As expected, discussions surrounding the migration to electronic medical records and the HITECH Act swirled around both the sessions and the hallways consistently, but one of the surprising topics that dominated the conversations I had was access management. Access management is a significant pain point for hospitals and after speaking with dozens of organizations at the event, it is clear that healthcare IT executives are eager for fast, convenient and secure access to critical data. It’s notable that with compliance challenges and numerous, high-profile patient privacy violations making front page news, healthcare organizations are still looking for ways to properly protect patient information while providing seamless access to heterogeneous technology environments.

I did have the opportunity to meet with end users at organizations that have committed to providing their clinicians with fast and secure application access to data. These organizations (including Advocate Health Care, BJC Healthcare, Baycare and Albert Einstein Medical) all stressed that the faster the provider can access patient information, the more positive the health outcome is for the patient. Each respective organization described similar challenges within their unique environments which single sign-on and strong authentication solutions are addressing to provide secure access to critical applications, while improving user productivity.

The healthcare industry is certainly experiencing some exciting changes and opportunities, which will continue as we look to turn the page to 2010. I’d be interested in hearing about the solutions and initiatives your organization is looking to deploy to help secure application access.

Tags: strong_authentication access_management secure_application_access


Talking Employee Security Breaches with Network World

September 30, 2009 at 1:13 PM by David Ting

This week I had a chance to talk with Network World’s director of programming Keith Shaw about the various ways that employees breach data security – both intentionally and inadvertently.

The podcast interview captures a number of ways that employees breach enterprise security, whether by accident or with malicious intent. Here are some of the highlights:

  • Employees are often fast and loose with their passwords, whether keeping passwords under their keyboards, or giving them to a colleague for quick access to perform a task
  • Not logging out of a session when in an open environment like a hospital, where a doctor leaves the workstation to check on a patient but doesn’t return for twenty minutes or more, is a big problem. This presents huge security breach potential for someone who may be walking by who can simply hop on an open, unattended terminal
  • Letting people into a building by holding a door open, simply to be nice, opens up a whole new can of data breach worms
  • The stronger you require passwords to be, the more likely employees will write down those strong passwords and leave them by their computer
  • There are now increased attacks on small- to mid-sized businesses because IT departments are smaller and often overwhelmed already, so security becomes a vulnerability

The Bottom Line:

Companies should always do an assessment of what their crown jewels are, who controls access to IT assets and how to secure them; then work downward throughout the organization. However, password management needs to be well thought through, as the more complex you make employee access, the more likely they’ll find a work-around and circumvent the system.

Give a listen to the podcast to get the full details and some great exchanges with Keith outlining the real-world issues these situations present to companies today.

--David

Tags: data_security password_management security_breach enterprise_security


From HIPAA Compliance to HITECH – Reforming Healthcare Security

September 22, 2009 at 3:10 PM by David Ting

Khalid Kark of Forrester Research recently issued a useful whitepaper that outlines the security reforms needed to improve patient data security in the healthcare industry. A complimentary copy of the Forrester whitepaper, “Healthcare Security: Ready or not, Here it Comes,” can be downloaded from the Imprivata website.

The whitepaper highlights four key reasons why healthcare organizations are falling behind on security. Khalid provides a comprehensive set of recommendations to help healthcare organizations address these challenges – these are near and dear to what we do here every day. I thought I would share some of the insights gathered from work with our many healthcare customers.

I’ll tackle two of these issues in today’s post, and address the remaining ones in a subsequent posting.

1. Basic security technologies and processes are missing:
Kark correctly states that many CISOs struggle to get management’s attention on security issues and are limited in the resources they have to address the critical security risks they face. Bill McQuaid, CIO for Parkview Adventist Medical Center, recently spoke about how they were able to achieve Stage 6 HIMSS Analytics status, despite their relatively small size. Deploying strong authentication technologies, like fingerprint biometrics, considerably increases clinician productivity, while ensuring that only properly credentialed users have access to sensitive information. This combination of security along with greater user productivity is sure to gain the attention of any manager.

2. Security spending lags behind other leading industries

As Khalid notes in his whitepaper, higher spending doesn’t necessarily equate to stronger security. What matters is using the dollars and resources you do have wisely. The days of enterprise-wide projects that take years to complete are over. By identifying the immediate areas of risk and implementing projects that yield immediate results, you can protect your organization, while demonstrating a quick ROI – this can come in handy when fighting for more dollars to spend on additional projects.

What are the main obstacles you’re facing in securing your organization? Share your story.
--David

Tags: Fingerprint_biometrics HIPAA_compliance data_security security_risks strong_authentication


Live from the McKesson Insight 2009 Annual Conference

September 11, 2009 at 9:44 AM by Chris Feeney

I am currently at the Insight 2009 Annual Conference in Orlando, where 1,200-1,400 attendees are converging to learn and build relationships centered on their McKesson healthcare IT systems. Users are hearing details of new product enhancements and integrations, learning best practices and engaging in valuable peer discussions they can take back to their organizations.

Overall, there seem to be two overarching themes that are driving discussions, both in sessions and in the hallways:

1. Economic Stimulus Education: people are learning about the HITECH act, and learning about the stimulus’ impact on healthcare IT, electronic medical records and data security in general

2. Healthcare Reform: on the heels of President Obama’s address to Congress Wednesday night, attendees are eager to get the latest on the healthcare reform debate in which the entire nation is enveloped

It is clear that we’re at a time when unprecedented change is coming to the healthcare industry. With this in mind, McKesson Chairman and CEO John Hammergren’s keynote focused on three things regarding healthcare IT reform:

1. Access to healthcare

2. Quality of healthcare

3. Cost of healthcare

Also worth noting, Hammergren highlighted the coming consumer revolution in healthcare, and tied it back to the healthcare IT systems that will empower patient care. Specifically, Consumer Reports is publishing a new rating system for hospitals, so healthcare organizations must compete in an entirely new way by having the right systems in place to ensure they are amongst the best across the three-legged stool of healthcare excellence: access, quality and cost.

Talking with a number of attendees at the conference, secure authentication continued to be a strong focus, with proximity cards and fingerprint biometrics driving the demos and discussions with vendors and peers. Workflow continues to be amongst the biggest drivers of strong authentication and healthcare single sign-on discussions, as healthcare organizations look to streamline operations, strengthen security and improve usability for clinicians, physicians and staff.

Hospitals are gearing up to make significant changes in healthcare IT, with a singular focus on upgrading systems and improving the healthcare experience for all – it’s clearly on top of everyone’s minds.

Tags: healthcare_single_sign-on strong_authentication


Massachusetts Data Protection Law Delayed Again—Is Your Company (Still) At Risk?

September 3, 2009 at 9:44 AM by David Ting

A recent BankInfoSecurity article reported that the Massachusetts Data Protection Law has been delayed yet again, pushing the new effective date back to March 1, 2010. As part of the law, organizations are required to protect confidential data – social security numbers, driver license numbers and financial account/credit/debit card numbers – of Massachusetts citizens. The regulation covers all non-public data, regardless of how the company obtains the information.

However, the state’s Office of Consumer Affairs and Business Regulation (OCABR) modified its data security regulations by facilitating a "risk-based approach" to data security to help small businesses better comply with these regulations. These new amendments take into consideration the size of a business and the amount of personal information it manages, and this is directly linked to the type of security plan that business operates.

As I mentioned in a November 2008 blog post, Massachusetts Data Privacy Regulations – Are You Protected?, the need for strong authentication and solid access management policies is apparent: all companies, regardless of location and size, need control over who is accessing what information, how and from where, and, equally important, need to maintain detailed audit records. These regulations were put in place to ensure companies are doing just that – taking the proper steps to provide a comprehensive security posture that prevents unauthorized access to confidential customer information. This is especially important in preventing data security breaches as the insider threat continues to escalate.

Nevertheless, this marks the third time in the past 8 months the law has been extended – perhaps underscoring the point that Massachusetts-based companies may not be prepared or equipped with the security solutions necessary to properly protect their critical customer data, begging the question: is your organization still at risk of a data breach or unauthorized access?

As I said in 2008, the deadline will be here before you know it, and the last thing you want is to find your company at risk of being non-compliant. Pushing off compliance-driven activities because the deadline is extended only increases the potential for a breach. If the penalties are not enough to warrant taking action, think about the potential damage to your company’s reputation if such a breach were to occur.

Is your organization compliant with the Massachusetts Data Privacy Regulations? If so, what security policies have you implemented to ensure the integrity of your organization?

Tags: strong_authentication data_security access_management


HITECH Grants – Earmark Dollars for Data Security Too

August 27, 2009 at 7:09 PM by David Ting

In February 2009, the Obama administration announced that $2.0 billion in grant money would be made available to help hospitals and other health care providers transition to electronic health records (EHR). This past Monday, the White House took a big step and launched the first of two grant programs under the HITECH Act, which lays the groundwork for EHR.

The grant will be used to create what the HITECH Act calls Health Information Technology Regional Extension Centers. These regional centers will play a major role in implementing a nationwide system of health information networks.

According to the Health and Human Services website, these centers will help hospitals select EMR technology, provide assistance on the implementation front, and ensure that the hospitals are complying with all regulatory and legal requirements to protect patients’ health information.

While it’s encouraging that the regional centers will have a strong focus on enterprise security, it’s critically important that HITECH doesn’t become a HIPAA-like paper tiger of passive regulations with little accountability. As I’ve blogged previously, the universal adoption of EHR significantly increases the exposure to a security breach of patient information. Security assurance remains a primary hurdle to the widespread adoption of EHR, but strong authentication technologies, including fingerprint biometrics and proximity cards, are now widely available and can fulfill the promise of EHRs by significantly minimizing the security risks.

Khalid Kark of Forrester Research just issued a compelling whitepaper on how HITECH can strengthen information security across healthcare – accomplishing what HIPAA ultimately may have failed to do. If you’re moving forward on EMRs and have questions about security, you can download a complimentary copy of the Forrester whitepaper, “Healthcare Security: Ready or not, Here it Comes,” from the Imprivata website.

I’d be interested in hearing how HITECH may impact your hospital’s move towards EHRs, and what role you think these centers can play in facilitating your timely implementation.

Tags: enterprise_security strong_authentication HIPAA data_security security_risks Fingerprint_biometrics security_breach

2009 Desktop Virtualization Survey – Understanding the New Security Risks

August 18, 2009 at 4:00 PM by David Ting

Last December, I blogged about the growing interest in implementing desktop virtualization (VDI) and the enterprise security challenges companies would face in this new environment. As with any new technology, the best way to learn what is really happening is to listen to the field. With that in mind, we polled executives across industries to understand the rate of VDI adoption and recently released the results as part of the “2009 Desktop Virtualization Survey.”

While organizations are increasingly embracing VDI/hosted virtual desktops as a way to reduce the IT costs associated with desktop maintenance, there are still security concerns and fundamental challenges facing these companies as they change to this new desktop delivery vehicle. Most of these concerns center on managing user identities and roles and enforcing access policies.

In a VDI environment, the user’s identity becomes relevant at multiple points within the virtual desktop, making the coordination and enforcement of access policies a more difficult task. Having a centralized way to manage user identities, roles and access policies is critical. This is true however you choose to deliver desktops to your users.

To help deal with these security challenges, the survey found organizations are increasingly turning to strong authentication solutions such as fingerprint biometrics and proximity cards to associate a user identity with the desktop, so that authentication and policy can be applied to control the type of desktop the user can access. This type of strong authentication ensures the desktop is being used by a properly credentialed user and provides the critical step in managing role-based access at the desktop level.

As the unique security challenges of VDI become better known, I expect we’ll see a greater emphasis on multiple forms of strong authentication to coordinate user IDs and access policies, which will enable organizations to overcome the final barrier to realizing the true potential of VDI solutions.

I’ll be discussing this and more in an upcoming webinar with Forrester’s Natalie Lambert; register here.

Have you implemented VDI in your organization? Are you on that track? Let me know what challenges you’re facing.

Tags: strong_authentication Fingerprint_biometrics enterprise_security security_risks

Thoughts from the Siemens Innovations Conference

August 12, 2009 at 10:01 AM by Chip LeBlanc

I just got back from the annual Siemens Innovations Conference in Philadelphia. Even though the conference took place in early August, when many people are vacationing, there were over 1000 attendees from 200 hospitals who beat the heat by attending Innovations; attendance exceeded the expectations of the conference organizers. Innovations is not a Siemens Medical Solutions-hosted event; rather, it is a Siemens Med customer-driven conference with various tracks offered for attendees to hear real stories from their peers about implementing Siemens Med solutions.

Imprivata had a booth at the event, and I had an opportunity to talk with existing and prospective OneSign customers. Single sign-on and authentication are clearly top of mind for many of the Siemens customers we spoke with. One thing is clear: CMIOs and IT folks are looking for ways to make application access seamless and secure for clinicians while NOT changing workflows. Imprivata OneSign is what Siemens Med is recommending as the solution of choice. In fact, there were two customer presentations where OneSign was discussed.

As we all know, conferences can be long and tiring but I truly enjoyed this conference and highly recommend it for the future.

Tags: Single_Sign_On healthcare onesign strong_authentication

The Enterprise Systems Design Challenge: Security vs. Usability

August 6, 2009 at 5:13 PM by David Ting

Security expert Bruce Schneier pulls out an interesting excerpt from an essay, “When Security Gets in the Way,” that is sparking great discussion on his Schneier on Security blog. The essay, from Don Norman’s jnd site, debates security vs. usability and addresses design considerations for enterprise security systems. It captures important concerns often discussed in security circles about how to make security stronger without disrupting user behavior. It’s a delicate balance: we often say the most secure computer is the one in a locked room, not powered up, but that would hardly be usable. At Imprivata we have always believed that usability and security don’t need to be mutually exclusive.

As a case in point, the essay highlights password management as an example of the tension between the employee’s desire for ease of use and security’s desire for complexity. The unintended result, of course, is the secondary cost of increased helpdesk calls and the escalating problem of users having to know and enter dozens, if not hundreds, of passwords each day.

The essay concludes with some prescriptive design measures to consider when designing security systems. One of the ones I particularly like is the following:

Both security and privacy are difficult problems. We need systems that are easy to use for their intended purposes or by the intended people, but difficult for non-authorized people or uses. For these purposes we need components not normally considered in simple product design: means of authenticating identities or authority, needs and permissions. Some of this will require physical tokens, biometric identifiers, and privately known information. Some of this requires rules and policies, sometimes editable by the user of the system, sometimes only editable by authorized administrators, sometimes buried in the code and unchangeable without significant development costs.

It’s a challenge businesses face each day, and one that emphasizes the role that strong authentication and enterprise single sign-on can serve to unify security and usability.

The essay is a fascinating read and captures a lot of the behind-the-scenes discussions and thinking we at Imprivata go through as we build products that bring together the best of security and usability. Check it out.

Also if you’re really interested in this topic, there is great in-depth discussion going on in the comments section of Schneier’s security vs. usability blog entry.

David

Tags: strong_authentication password_management enterprise_security enterprise_single_sign_on

Reaching Stage 6 Status with Imprivata

August 4, 2009 at 9:35 AM by Bill McQuaid

Thanks David.

We’re very proud of our accomplishment of being one of only a handful of hospitals that have been awarded HIMSS Analytics Stage 6 status, especially when you consider our relatively small size compared to the many bigger hospitals with larger IT departments trying to accomplish the same thing. Moving to an EMR format and a paperless environment requires a significant commitment from the executive team and from our clinicians.

As we began our move to EMR, we had two major concerns: 1) can we maintain patient data security and HIPAA compliance in an electronic format? 2) will the clinicians buy into what we’re doing and use the technologies we provide? These are two critical components in achieving Stage 6 status.

Training for Success
To address the concerns simultaneously, we knew that we had to come up with a solution that would get immediate buy-in from our clinicians. If you don’t have people internally using the systems and championing them for you with their colleagues and peers, it makes the road to full scale EMR a very difficult one.

This has been one of the secrets to our success – we haven’t forced any of our doctors to use the systems we implement. Instead, we work with the people who want to be worked with, and then let the rest come to us once they see how easy and successful it is.

A great example of this is when we started asking doctors to do computerized physician order entry (CPOE), which requires all doctors to do their own ordering using a computer. There was some hesitancy on the part of the doctors when we asked them to do their own ordering. The chief concern was accessing the necessary systems – doctors kept telling us “there’s no way we can log in – we won’t be able to remember all the passwords.”

To address these concerns, we used Imprivata OneSign to create a zero sign-on environment through the use of biometric authentication. We went live and gave access to a few people; when other clinicians saw how well it worked, they all wanted to use it. But here’s the key: we made them sign up for training and went through the whole process with them individually. By providing a quick and easy tutorial on the technology, we were able to mitigate any concerns about using it. The result is that the doctors loved it, and we use this technology in all of the physician practices now.

Not only did we get a groundswell movement on the part of clinicians to use the technology, but we also solved our core data security issues. Biometric authentication not only considerably increases productivity but also ensures that only properly credentialed users are accessing sensitive information. This level of strong authentication meant that clinical staff now had the ability to walk up to any workstation and securely log into the network, providing the real-time, secure access needed to provide superior care to our patients.

In fact, it’s worked so well, we’re rolling it out to secure remote access as well. We’ve set up virtual desktops for some doctors, so when they log in remotely, they log in once and get the security of single sign-on. So now, no matter where they are, they get their own desktop – they can print orders and do what they need to do from anywhere in the country.

The road to Stage 6 status can be a tough journey. What we’ve learned along the way is that technology alone isn’t the solution – educating the staff on the value of the technology is the most powerful tool in your arsenal.

If you’re currently working on similar projects, I’d love to hear your thoughts on how the project is progressing and if you have great tips to share for others too.

Tags: Single_Sign_On biometric_authentication strong_authentication data_security HIPAA_compliance

Using Single Sign-On to Ease EMR Adoption – A Look at Parkview Adventist Medical Center

August 3, 2009 at 2:18 PM by David Ting

Congratulations to Imprivata customer Parkview Adventist Medical Center for recently earning the HIMSS Analytics Stage 6 designation! HIMSS Analytics presents the Stage 6 award as recognition for hospitals that have made significant investments in healthcare IT and implemented paperless medical records. This is a remarkable achievement for Parkview, considering that they’re one of only 42 hospitals out of 5,166 in the US to attain this level.

Parkview is a great example of how our healthcare customers are using single sign-on technology and strong authentication solutions like fingerprint biometric identification to address the productivity and security concerns that come with deploying a full-scale electronic medical records system.

We’ve asked Bill McQuaid, CIO of Parkview, to be a guest blogger to share some tips on how they’re using the Imprivata OneSign platform to increase physician productivity, while ensuring data security for patient records in a completely paperless environment. With the federal government continuing to push healthcare providers to adopt an EMR format, Parkview provides a successful model to emulate and learn from.

Tags: Fingerprint_biometrics strong_authentication data_security single_sign_on_technology

Tunneling into a Data Breach: The Problem with Remote Access and the Terminated Employee

July 21, 2009 at 1:48 PM by David Ting

Another insider unauthorized access incident came across my radar just as I put the finishing touches on my most recent blog post, which highlighted Lesmany Nunez’s case as the latest example of a disgruntled employee breaching a network. As of today, the most recent remote access security breach involves Danielle Duann, an IT director at a nonprofit organ and tissue donation center.

According to the Department of Justice’s press release, the LifeGift Organ Donation Center claims that Duann’s access had been revoked when her employment was terminated. However, on the evening she was fired, not only was Duann able to access and delete sensitive information such as organ donation database records, but she also tampered with the logging function on LifeGift’s servers to mask her actions.

The DoJ also states that Duann pleaded guilty to the charge of unauthorized computer access and was sentenced to two years in prison and three years of supervised release, and was ordered to pay more than $94,000 to her former employer as compensation for this incident.

From my perspective, the two key takeaways from this incident are:

1. The organization thought it had enough security measures in place to prevent a malicious insider attack from occurring

2. Duann was able to remotely access the system after her termination

As mentioned in a blog post last month, using the summer months to check for ghost or orphaned accounts is a worthwhile endeavor. Remote access continues to be a common vulnerability, with recently terminated employees holding the keys to the castle from afar; it happens over and over. How many times have we heard about ex-employees who boast that they still have remote access to their former place of employment? Her tampering with the server logs is a second lesson: audit records need to be copied to a system that the administrators being audited cannot modify, or the trail you rely on for detection and evidence disappears along with the data. This incident should underscore how prevalent security breaches become as layoffs increase, and serve as a reminder to survey and close off every potential entry point to an organization through a sound identity management strategy that ensures secure authentication and access.

What do you think are the key points here?

-David

Tags: identity_management secure_authentication security_breach

Miami Incident Illustrates Insider Breach Trend

July 17, 2009 at 3:40 PM by David Ting

I was reading the recent security breach news about Lesmany Nunez, a former IT administrator who was recently sentenced to a year and a day in federal prison for computer fraud. Mr. Nunez was an employee of Miami-based Quantum Technology Partners (QTP), and three months after his employment ended he was still able to access the company’s network with an administrator password. He then broke into QTP’s servers, shut them down, changed the system administrators’ passwords and erased files, all of which ended up costing QTP more than $30,000.

This is just the latest example of a disgruntled former employee damaging an employer’s network as a result of retaining access to critical systems well after the job had been terminated. While it is not clear what the motive was behind this activity, it is a clear example of the potential damage caused by former employees. Back in March I blogged for SC Magazine about a similar situation at Fannie Mae, where an employee performed a similar deed. When organizations let employees go, whatever the reason may be, they have to make sure that orphaned accounts such as Nunez’s are properly deactivated and that any shared or administrative passwords the person knew are changed immediately. Otherwise they leave themselves exposed to these types of vengeful, malicious attacks. This is precisely where identity and access management (IAM) initiatives come into play. The right IAM platform provides 360 degrees of employee access management security by giving organizations the ability to securely authenticate users and streamline application access.

What are your thoughts on this latest insider incident?

Tags: security_breach identity_and_access_management

California Medical Data Breach Report Highlights Healthcare Access Management Concerns

July 14, 2009 at 3:57 PM by David Ting

Late last year, California enacted a new state law to help notify patients of potential breaches of their personally identifiable health information, requiring healthcare organizations to report suspected data breaches. The initial results are in, and they’re not pretty. According to the Journal of the American Health Information Management Association, California officials received more than 800 reports of potential health data breaches in the first five months after the law went into effect on January 1st. Of the 122 cases that have been investigated, 116 have been confirmed as security breaches. Officials expect the numbers to grow as more organizations put in place the processes to report potential breaches.

While the majority of the breaches are being called “unintentional” breaches, the intention behind the unauthorized access of patient information matters little. Seemingly innocuous activities, such as password sharing, present significant data security challenges for healthcare organizations and put them, and their patients’ private information, at risk.

These initial reports demonstrate that access management is still a priority concern for healthcare organizations to prevent unauthorized access to patient records – whether intentional or not. Tying a user’s identity to access via strong authentication, such as proximity cards and biometric fingerprints, can have a profound effect on overall enterprise security and help prevent organizations from becoming another one of the statistics cited in the next report. Are these numbers an accurate reflection of the state of security in the healthcare industry? Do you think that the numbers will decrease as organizations get a handle on the processes to prevent or report breaches? Email me and let me know.

Tags: password_sharing strong_authentication biometric_fingerprint data_security security_breach enterprise_security

2009 Identity Management Mid-Year Report: A brief look back and ahead

July 9, 2009 at 3:23 PM by David Ting

Back in January, I shared some of my observations on 2009 priorities for identity management in the new economic reality people are faced with: productivity, security and manageable IT projects. This year’s economics have forced people to do more with less, manage tighter budgets and maintain enterprise security while dealing with re-orgs and layoffs.

While 2008 was the worst year to date for data breaches, 2009 hasn’t been much better if you look at this chronology of data breaches, including the recently disclosed incident at Goldman Sachs. The Identity Theft Resource Center keeps tabs as well, and has a nice snapshot of high-profile data breaches. Many of these are the result of unauthorized access, some combined with placing malicious code on servers or laptops to siphon off data. It’s amazing the methods that are being used to access systems, steal data, sometimes extort money and always damage reputations. The potential impact of the unauthorized upload of Goldman Sachs’s proprietary software is still under investigation, but the information on how easy it was to pull off makes for scary reading.

Given the potential impact of data breaches, significant progress has been made in tightening access to systems, so let’s review some of the relevant things that are happening in identity management. Following are three areas I believe we need to watch in the latter half of 2009.

Biometrics Hit Stride, Will Gain Even More Steam

Frost & Sullivan projects the European biometrics market to triple from 2008 to 2012, as biometrics are used more now to secure access and prevent breaches. With fingerprint biometric readers and other scanners embedded in everyday devices, the ability to tie unique identity to access via strong authentication means has a profound effect on overall data security.

EHRs Become Focal Point of Healthy Debates

Electronic Health Records (EHRs) are also making headway, thanks in large part to the American Recovery and Reinvestment Act of 2009. A large portion of the discussion is based on healthcare access management, patient data security and user authentication. Security assurance is a key hurdle to widespread EHR adoption, but using the strong authentication capabilities that are now widely available is a significant enabler for achieving the benefits EHRs promise while minimizing the security risk. Watch for these specific debates and discussions to progress in 2H 2009.

Greater Emphasis on User Workflows Considered in Product Development

While biometric authentication has certainly played a role in making users’ lives easier, new developments around walk-away security and faster access to systems are shortening the process of secure logon. By making it easier for users to come and go from a system, there is less password sharing and improved employee productivity, while better overall identity and password policy management is encouraged and enforced.

What areas do you see most, now that we are half way through 2009?

What issues do you seek to solve?

How can identity management better serve you? --David

Tags: fingerprint_biometric enterprise_security user_authentication strong_authentication identity_management data_security healthcare_access_management password_sharing security_risk password_policy_management

Medical ID Theft and Tying Patients to Electronic Records with Strong Authentication

June 26, 2009 at 7:15 AM by David Ting

The New York Times recently published an interesting article on the rising problem of medical identity theft. When the federal government last researched the issue in 2007, more than 250,000 Americans reported that they were victims of medical identity theft. Since that last report, most experts agree the problem has undoubtedly grown, in part because of the growing use of electronic medical records built without extensive safeguards. To exacerbate the situation, cleaning up after medical ID theft can be hindered by HIPAA compliance: the regulations protect the medical information of the ID thieves as well as yours.

Medical ID theft is an issue that can impact anyone. From a financial standpoint, if your identity is stolen and then used to receive emergency care, the insurance payments and collections can follow you around for years without your even knowing it. This can destroy credit ratings or create a situation where insurance benefit limits are exceeded at the time a legitimate claim is made.

More important than the financial impact is the potential impact on the healthcare or treatment a victim receives. Once a medical ID is stolen and used to receive treatment, the medical records can now contain erroneous medical history information. This can lead to a fatal mistake in an emergency care situation.

I’ve blogged about some of the data security and strong authentication concerns that come with accessing electronic patient records from the clinician point of view. Some healthcare providers I’ve spoken to are looking to strong authentication to solve the medical ID theft problem as well, using technologies like biometric authentication to securely and uniquely tie patients to their records.

This would create a seamless environment where clinicians are authenticated for access to applications and information, while the patients are authenticated to their medical records. This will be a critical component of the success of EMRs as these systems begin sharing information between healthcare providers. Strong authentication will be critical not only from a data security perspective, but could also prevent a situation where a patient receives improper care.

Tags: medical_records strong_authentication HIPAA_compliance EMR healthcare

Strong Authentication Best Practices for Success Webinar with Forrester Research

June 18, 2009 at 1:07 PM by David Ting

Join us for an informative session on the “Do’s and Don’ts” of employee access management next Wednesday, June 24. Forrester Research’s Bill Nagel will lead the discussion on what organizations should do to improve security with strong authentication.

In addition, the session will discuss the pros and cons of various strong authentication methods, explain why a single point of authentication to the network is key to employee access and provide examples of a wide range of implementations via real-world case studies.

Register for the event today and join us on the 24th at 11:00am ET to hear from a leading analyst on useful advice for implementing strong authentication in your environment.

Tags: strong_authentication

Five Things to do in Identity Management this Summer

June 15, 2009 at 8:20 AM by David Ting

Theoretically, as employees go on vacation during the summer months, there will be fewer demands on your IT team. Realistically, we know that’s not true and it seems like there is actually more to do. However, summer can provide the opportunity to step back and evaluate the state of your identity and authentication management infrastructure and policies. Here are five things that are easy to overlook throughout the year that you should consider doing this summer:

1. Check for Ghost and Orphaned Accounts: user provisioning and de-provisioning of accounts can happen in a flurry of activity, especially during times like these when turnover in the workforce is common. In the haste to move through the termination process, accounts are left open or missed, even in organizations with the tightest policies and procedures. Often a user’s primary network credentials are locked, but what about remote access accounts or critical application accounts? Use this time to eliminate any that may be in question.

2. Map the Apps: Take an inventory of what apps are running in your environment. Are they all approved? Any that are ‘rogue’? Are any being used that are not tied to identities at your organization? Getting a clear view of the application population can help ensure holes are plugged, policies followed and data security is optimal. This gets much harder to do as organizations increasingly subscribe to services that are not managed by IT. Getting a handle on those accounts will become even more important as we rely more on applications delivered by service providers.

3. Cut Costs by Weeding Out Unused Application Licenses: While you’re mapping what apps are in your environment, cross-examine their usage by analyzing the activity logs of your employees’ identities. Are there shared accounts and passwords being used inappropriately? Are there under-utilized applications? Are you paying for more licenses than you need for an application? There’s a treasure trove of cost savings to be found if you take the time to dig into your identity and application logs. If you can squeeze savings out of somewhere unexpected, your CFO will love you.

4. Let Your Fingers do the Walking: If you’re not using finger biometrics or proximity cards, give these user authentication technologies a try. They are relatively inexpensive and can easily integrate into most identity management systems nowadays. Pull in a small focus group to try them out, and see how they can improve employee productivity while strengthening security… and minimizing password management help desk calls to your team.

5. Reconnect with your customer: Review the identity policies and procedures you’ve set forth for your organization. When were they originally created? Has anything changed? Are there new industry regulations your organization must adhere to? Examine user authentication requirements, the strong authentication modalities that are available to your employees and the password management parameters to follow. Update, distribute and schedule a series of brief sessions to educate your user base on the security best practices to follow. Remember that your customer base is everyone who interacts with or uses the IT system.

What else are you doing during these summer months? Any best practices to share? We’d love to hear them.
--David

Tags: user_authentication data_security finger_biometrics strong_authentication password_management authentication_management

Access Management Questions to Ponder

June 4, 2009 at 6:07 PM by David Ting

I was reading about the recent access management related breach at the California Water Services Company, where an auditor resigned but, before leaving, illegally accessed computer systems in an attempt to steal more than $9 million. While the company should be lauded for catching the fraud before the wire transfers could go through and irreparable damage could be done, it should serve as another cautionary tale in what has become a recurring theme on the application security front. This is just one more saga in an ever-growing litany of breaches that we’ve been hearing about.

If you’re looking to review your authentication and access management policies, here’s a quick list of topics to focus on and questions you should ask yourself:

Orphaned Account Clean Up
This is a classic and recurring vulnerability in most organizations, and a priority for getting your house in order. When an employee leaves an organization, too often his access to sensitive applications and information is left open. Organizations run into trouble when accounts can’t be quickly deactivated, or if they lack a direct correlation between employee names and the accounts they were credentialed to access.
By using technologies like single sign-on, organizations can view access records, employee access rights, and accounts that need to be removed. Deactivating orphaned account access is a critical first step towards comprehensive enterprise security.
Questions to ask: Can we track which employees have access to which systems? If an employee leaves, can we deactivate that access quickly? Do we have visibility into which application accounts our users actually use? If not, it is time to think about how to regain some control.
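One way to answer those three questions mechanically, as an added example for this post (not Imprivata or OneSign code): reconcile each application's account inventory against the HR roster, flag accounts with no owner, accounts whose owner has left (rated critical if the account was used after the termination date, the pattern in the breach above) and dormant accounts, and produce the list to deactivate. The roster, the inventories and every field name below are constructed assumptions; in practice the inventories would come from an SSO or provisioning report.

```python
"""Reconcile per-application accounts against the HR roster.

Added illustration for this post (not Imprivata or OneSign code). The roster,
the account inventories and all field names below are constructed assumptions;
in practice the inventories would come from an SSO or provisioning report.
"""
from dataclasses import dataclass
from datetime import date

# Constructed HR roster: employment status and termination date per person.
HR_ROSTER = {
    "jdoe":   {"status": "active",     "department": "finance", "left": None},
    "asmith": {"status": "terminated", "department": "finance", "left": date(2009, 5, 12)},
    "bwong":  {"status": "active",     "department": "it",      "left": None},
}

# Constructed account inventories, one list per application. "owner" is the
# HR identity the account was credentialed to; None means nobody claims it.
APP_ACCOUNTS = {
    "wire_transfer": [
        {"account": "jdoe",      "owner": "jdoe",   "last_login": date(2009, 6, 1)},
        {"account": "asmith",    "owner": "asmith", "last_login": date(2009, 5, 20)},  # after leaving
        {"account": "svc_batch", "owner": None,     "last_login": date(2009, 6, 3)},   # unowned
    ],
    "gl_ledger": [
        {"account": "bwong",      "owner": "bwong",  "last_login": date(2009, 2, 1)},  # idle
        {"account": "asmith_old", "owner": "asmith", "last_login": None},
    ],
}

SEVERITY_ORDER = ("critical", "high", "medium")


@dataclass
class Finding:
    app: str
    account: str
    reason: str
    severity: str


def access_map(accounts):
    """Answer 'who has access to what': HR identity -> set of applications."""
    result = {}
    for app, entries in accounts.items():
        for e in entries:
            if e["owner"] is not None:
                result.setdefault(e["owner"], set()).add(app)
    return result


def reconcile(roster, accounts, today, dormant_days=90):
    """Flag unowned, orphaned (owner has left) and dormant accounts.

    An orphaned account that was used after its owner's termination date is
    rated critical: that is the auditor-who-resigned pattern.
    """
    findings = []
    for app, entries in accounts.items():
        for e in entries:
            owner, last = e["owner"], e["last_login"]
            person = roster.get(owner) if owner is not None else None
            if person is None:
                findings.append(Finding(app, e["account"], "no owner in HR roster", "high"))
            elif person["status"] != "active":
                reason = "owner terminated on %s" % person["left"]
                severity = "high"
                if last is not None and person["left"] is not None and last > person["left"]:
                    reason += "; account used after termination"
                    severity = "critical"
                findings.append(Finding(app, e["account"], reason, severity))
            elif last is None or (today - last).days > dormant_days:
                findings.append(Finding(app, e["account"],
                                        "dormant for more than %d days" % dormant_days, "medium"))
    # Stable sort: most urgent first, inventory order preserved within a severity.
    return sorted(findings, key=lambda f: SEVERITY_ORDER.index(f.severity))


def deactivation_list(findings):
    """Accounts to disable now: everything rated critical or high."""
    return {(f.app, f.account) for f in findings if f.severity in ("critical", "high")}


if __name__ == "__main__":
    for f in reconcile(HR_ROSTER, APP_ACCOUNTS, date(2009, 6, 4)):
        print("%-8s %-14s %-12s %s" % (f.severity, f.app, f.account, f.reason))
```

Run against the constructed data with a review date of 4 June 2009, the terminated auditor's still-live wire-transfer account comes out on top, the unowned service account and the leftover ledger account follow, and the idle but legitimate account is reported separately so it is reviewed rather than silently disabled.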

Controlling User Privileges
Too often, security and employee productivity are viewed as being at odds with each other – this doesn’t have to be the case. A good security policy ensures that employees have the access and information required to perform their job function, but at the least level of access.
Questions to ask: Do we understand what privilege level each individual user has been given? Is it the lowest level required to do their job? What mechanism do we have to elevate a user's privilege, even temporarily, and can we control it?

Defining Organizational Roles
Defining roles in an organization is critical to a strong authentication and access policy. Assigning access by organizational role gives you insight into which applications users are touching and whether their access rights match the privileges their role is meant to carry. Organizations usually have little or no role definition, or go to the other extreme and create so many roles that they become unmanageable. Start by getting a handle on who is accessing what. Discuss organizational roles with your business managers to figure out what users need to touch to do their jobs, and then set reasonable boundaries for access outside those defined roles.
Questions to ask: Have we defined roles in our organization? Do the defined roles go far enough? Are our current roles manageable? Again the question comes back to having enough information on which applications your users are actually touching. Single sign-on systems that provide detailed reports on usage patterns are invaluable during the role discovery phase.
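As an added example for the two sections above (not Imprivata or OneSign code), here is the role-discovery step run over an SSO usage report, followed by the least-privilege check: the baseline for a role is the set of applications most of its members actually use, and every granted entitlement that falls outside that baseline, or went unused in the review window, is reported. The report format, the role assignments and the entitlement sets are constructed assumptions.

```python
"""Role discovery from an SSO usage report, plus a least-privilege review.

Added illustration for this post (not Imprivata or OneSign code). The usage
report format, the role assignments and the entitlement sets are constructed
assumptions standing in for an SSO system's usage report and the access each
application currently grants.
"""
from collections import defaultdict

# Constructed SSO usage report: timestamp, user, application launched.
USAGE_LOG = """\
2009-05-04T08:01:12 jdoe   gl_ledger
2009-05-04T08:05:40 jdoe   wire_transfer
2009-05-04T08:07:02 mlee   gl_ledger
2009-05-04T09:15:33 mlee   wire_transfer
2009-05-04T09:20:11 rpatel gl_ledger
2009-05-05T10:02:48 rpatel hr_payroll
2009-05-05T10:03:19 bwong  admin_console
2009-05-05T11:44:00 bwong  gl_ledger
"""

# Constructed organizational role per user (from HR) and the application
# access each user currently holds (from the applications themselves).
ROLE_OF = {"jdoe": "accountant", "mlee": "accountant", "rpatel": "accountant", "bwong": "sysadmin"}
ENTITLEMENTS = {
    "jdoe":   {"gl_ledger", "wire_transfer"},
    "mlee":   {"gl_ledger", "wire_transfer", "hr_payroll"},
    "rpatel": {"gl_ledger", "wire_transfer", "hr_payroll"},
    "bwong":  {"admin_console", "gl_ledger", "wire_transfer"},
}


def parse_usage(text):
    """user -> set of applications actually launched in the review window."""
    used = defaultdict(set)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip blank or malformed lines
        _timestamp, user, app = parts
        used[user].add(app)
    return dict(used)


def discover_roles(used, role_of, threshold=0.5):
    """Baseline per role: apps used by at least `threshold` of the role's members.

    Apps touched by only a minority are left out of the baseline so that one
    over-privileged user does not define the role for everyone.
    """
    members = defaultdict(list)
    for user, role in role_of.items():
        members[role].append(user)
    baseline = {}
    for role, users in members.items():
        counts = defaultdict(int)
        for u in users:
            for app in used.get(u, ()):
                counts[app] += 1
        baseline[role] = {app for app, n in counts.items() if n / len(users) >= threshold}
    return baseline


def least_privilege_review(entitlements, used, baseline, role_of):
    """Entitlements that exceed the role baseline or went unused in the window."""
    findings = []
    for user in sorted(entitlements):
        role_apps = baseline.get(role_of.get(user), set())
        for app in sorted(entitlements[user]):
            reasons = []
            if app not in role_apps:
                reasons.append("outside role baseline")
            if app not in used.get(user, set()):
                reasons.append("unused in review window")
            if reasons:
                findings.append({"user": user, "role": role_of.get(user), "app": app, "reasons": reasons})
    return findings


if __name__ == "__main__":
    used = parse_usage(USAGE_LOG)
    baseline = discover_roles(used, ROLE_OF)
    for role, apps in baseline.items():
        print("%-10s baseline: %s" % (role, ", ".join(sorted(apps))))
    for f in least_privilege_review(ENTITLEMENTS, used, baseline, ROLE_OF):
        print("%-7s %-13s %s" % (f["user"], f["app"], "; ".join(f["reasons"])))
```

On the constructed data the accountant baseline settles on the ledger and wire-transfer applications; the one accountant who also launches payroll is reported as outside the role, the accountant who holds payroll access but never uses it is reported on both counts, and the sysadmin's unused wire-transfer entitlement surfaces as something to take away. The threshold is the knob to tune when a role is genuinely heterogeneous.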

Testing the Backup Systems
Properly functioning backup systems are crucial to business continuity. Too often, organizations are faced with a situation that requires backup or recovery, only to find out that the procedures, passwords or location of the data are nowhere to be found. Organizations need to ensure they have no dependencies on administrative accounts or employees that may have left the organization. It’s like testing a fire system – you have to make sure it works. In this instance, backup systems will only work if you still have control over them.

Questions to ask: Do we regularly test backup systems? Can we access them? Are they protected with passwords known only to employees who may leave?
If you ask yourself these questions and any answer points the wrong way (you don't test, you can't get in, a departed employee holds the only password), then you are at risk. What questions keep you up at night? Email me and let me know.

Tags: strong_authentication Single_Sign-On access_management application_security


What NIST Missed: The value of password management + SSO + strong authentication

May 20, 2009 at 8:25 AM by David Ting

The National Institute of Standards and Technology (NIST) recently released a draft "Guide to Enterprise Password Management" (draft Special Publication 800-118) for public comment. While it gives a good lesson in password management history, it doesn't quite break new ground in prescriptive guidance.

Dave Kearns provided useful analysis of the NIST paper in his recent Managing Passwords article on Network World, and a couple of nuggets of wisdom jumped out at me:

  • To their credit, the authors immediately add “…organizations should make long-term plans for replacing or supplementing password-based authentication with stronger forms of authentication for resources with higher security needs.” If I were editing, I’d remove that last phrase (“for resources with higher security needs”).
  • Username/password as sole authentication method needs to go away, and go away now. Especially for the enterprise but, really, for everyone. As more and more of our personal data, private data, and economically valuable data moves out into “the cloud” it becomes absolutely necessary to provide stronger methods of identification. The sooner, the better.

The only way to improve usability and security of password management today is to combine it with single sign-on and multi-factor authentication, as Dave stated in his piece. Dave’s article made me think a bit more about the NIST paper and the intersection of SSO and strong authentication, and here are some of my observations:

  • Workflow Trumps Security: No matter how many security ‘best practices’ security folks put in place (for managing passwords in particular), those practices must mesh with the needs of the business. Users won't embrace policies unless they are easy to adopt and don't interrupt their daily workflow.
  • Where's the Business Value: We frequently hear of high-value users who feel their job is to get the job done (trading, saving lives) rather than deal with the mechanics of entering passwords. Mandating a longer and more complex password is fine in theory if you log into an application once a day, but not if you have to re-authenticate to the same application several times an hour.
  • No More Passwords Please: The most effective answer to password management problems today is to combine stronger user authentication with a system that automates password entry and can therefore use the maximum strength each application allows, i.e. SSO coupled with opaque passwords (random, unknown to the user, and as long and complex as the application accepts). This gives you the best of both worlds: the user presents one strong credential, and the application-side secret is never typed, shared or written down.
  • Automate the Logon Where Possible: Injecting the password directly into the logon form means there are no keystrokes for a keyboard logger to capture, so that particular gap is closed. (It does not protect against malware that can read the form or process memory on the endpoint, so endpoint hygiene still matters.)
  • Leverage Strong Authentication Options: Many people still believe passwords are the inexpensive option for authentication, but today's strong authentication solutions are far more cost-effective and easier to deploy and maintain than they were even a few years ago, and, more importantly, we see higher user adoption.
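The "opaque password" idea in the list above, as an added example (not Imprivata or OneSign code): once the SSO system rather than the user supplies the application password, it can be random and as long and varied as that application will accept, which is what "leveraging the maximum strength within the passwords" means in practice. The per-application policies are constructed assumptions; storage of the generated secret belongs in an encrypted credential store, which this block deliberately does not implement.

```python
"""Opaque, maximum-strength passwords for SSO-managed application accounts.

Added illustration for this post (not Imprivata or OneSign code). The
per-application policies are constructed assumptions. Storage of the result
belongs in an encrypted credential store, which this block does not implement.
"""
import math
import secrets
import string

CLASS_CHARS = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
}

# Constructed policies describing what each application will accept. The
# mainframe entry models a legacy system that cannot take more than 8 chars.
POLICIES = {
    "gl_ledger":        {"min_len": 8, "max_len": 64,
                         "classes": ("lower", "upper", "digit", "symbol"),
                         "symbols": "!@#$%^&*()-_=+"},
    "legacy_mainframe": {"min_len": 8, "max_len": 8,
                         "classes": ("upper", "digit"), "symbols": ""},
}


def _class_chars(cls, policy):
    # "symbol" is the only class whose characters vary per application.
    return CLASS_CHARS.get(cls, policy["symbols"])


def _alphabet(policy):
    return "".join(_class_chars(c, policy) for c in policy["classes"])


def meets_policy(password, policy):
    """Length inside the allowed range, only allowed characters, every class present."""
    if not policy["min_len"] <= len(password) <= policy["max_len"]:
        return False
    alphabet = _alphabet(policy)
    if any(ch not in alphabet for ch in password):
        return False
    return all(any(ch in _class_chars(cls, policy) for ch in password)
               for cls in policy["classes"])


def generate_opaque_password(policy):
    """Random password at the application's maximum length with every class present.

    Uses the OS CSPRNG via `secrets`; rejection sampling keeps the result
    uniform over the passwords that satisfy the policy.
    """
    alphabet = _alphabet(policy)
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(policy["max_len"]))
        if meets_policy(candidate, policy):
            return candidate


def entropy_bits(policy):
    """Entropy of a uniformly random password of max_len over the policy alphabet."""
    return policy["max_len"] * math.log2(len(_alphabet(policy)))


if __name__ == "__main__":
    for app, policy in POLICIES.items():
        pw = generate_opaque_password(policy)
        print("%-17s %3d chars, %5.1f bits: %s" % (app, len(pw), entropy_bits(policy), pw))
```

The entropy figure is the point: the ledger application gets a 64-character secret worth roughly 400 bits, while the 8-character legacy system tops out near 41 bits no matter what the SSO layer does, so that application is the one whose access should be gated by the stronger front-door authentication and whose password should be rotated most often.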

So the value of password management + SSO + strong authentication is being acknowledged more and more. Among Imprivata's customer base, 75-80 percent use one or more forms of strong authentication with SSO. We rarely encounter a new deal that does not include strong authentication, and many customers deploy a mix of modalities (finger biometrics, tokens, proximity cards) tied to the sensitivity of the data a given user accesses. In fact, strong authentication is now often the driver of a deal, with SSO pulled through behind it.

We’ve run a few surveys lately, one squarely on this topic of strong authentication and SSO that you may find worth checking out: /content27465
--Dave

Tags: strong_authentication Single_Sign-On user_authentication


Trends Heading into HIMSS - Strong Authentication and Virtualization

April 2, 2009 at 6:55 pm by David Ting

HIMSS is right around the corner. 

It's one of our favorite conferences of the year, as we get to see many of our healthcare customers all in one place.  As I mentioned in my last post, if you're attending the conference this year, please plan to stop by our booth (#7339) and say hello, or check out the presentations by Imprivata's customers. OhioHealth and Southwest Washington Medical Center will be discussing the ‘Paperless Hospital’ and ‘HIPAA Audits’ respectively.  With all the focus on healthcare now, what trends am I going to be looking for at HIMSS this year?  Here are a few topics that our customers have shared with us:

  • Desktop Virtualization - The healthcare industry is at the forefront of adopting desktop virtualization. CIOs have embraced the technology as a way to reduce the IT costs associated with desktop maintenance and to improve user productivity. As virtualization continues to proliferate, it will be interesting to hear about how these healthcare organizations are applying strong authentication to manage user identities, roles and access policies in this new virtualized environment where policies can be applied to even control the type of desktops that a user can run. The coordination and enforcement of access policies across this virtualized environment is a critical next-step in the adoption of this technology.
  • Electronic Medical Records (EMRs) - According to a recent survey published in the New England Journal of Medicine, only about 9 percent of hospitals have adopted EMRs to date, with the high cost of the systems being the main barrier. As vendors figure out where they stand in EMR development, I expect to hear how hospitals are taking an incremental approach, such as digitizing records on a smaller scale before a major roll-out. With so much to consider, I'll be most interested in learning how this "walk before you run" approach affects data security, and how organizations review their policies around stronger user authentication to prevent data breaches.

So what topics and trends are you most excited about heading into HIMSS?  

Email me and let me know, or stop by our booth at the conference and tell me what's on your mind.

Tags: healthcare_single_sign-on authentication healthcare_access_management Single_Sign_On Sign-On authentication_and_access_management


Tips for Implementing Healthcare SSO and Strong Authentication

March 24, 2009 at 8:10 pm by David Ting

We often hear of security getting in the way when clinicians want immediate access to patient data.  Since it's better to hear from one's peers, Imprivata asked some of its healthcare customers for tips on implementing single sign-on and strong authentication to eliminate password management headaches, and on how doing so made it easier for clinicians to get to the records they need.

As we turn our attention to HIMSS 2009, we want to share our customers' advice, thoughts and concerns on how best to navigate through the employee access management obstacles:

"Make your users part of the process." Seek their advice and learn their needs. We set up a physician steering committee to help guide our identity management strategy. It not only helped us to find the right product for our users' needs, but it helped us when the time came to roll out to the users. They were invested and ready to adopt the new system.  Dr. Michael Westcott, Chief Medical Information Officer, Alegent Health

"Perform due diligence to find the best form of strong authentication for each of your user groups." Remember that different user groups have different requirements for access. Make sure that the solutions that you are considering are flexible enough to accommodate the access needs of all groups - today and down the road. Dr. Stephen Patterson, Chief Medical Information Officer, H. Lee Moffitt Cancer Center - Tampa, Florida

"Understand the workflow of your shared workstation departments." If more than one person will be using a given workstation, you must validate that the SSO solution will not harm or break the existing workflow. Some SSO vendors handle fast-user-switching well, others do not. A quick-and-clean log-off can be as important as a quick logon. Find and work with your workforce experts. They will be a huge part of your success, if you enlist their help at the beginning. Christopher Paidhrin, HIPAA and Security Officer, ACS/Southwest Washington Medical Center, Vancouver, Washington

The full 6-page paper, "A Healthy Dose of Advice for Managing Clinician Access to Patient Data", is a quick read that outlines 20 tips to help you get the most out of your healthcare access management initiative.  Do you have any tips to add to the list?  If so, post them in the comments section for others to see.

Also, if you're at HIMSS 2009 in April, come by the Imprivata booth.  And check out Imprivata customers OhioHealth and Southwest Washington Medical Center when they talk about ‘Paperless Hospitals’ and ‘HIPAA Audits’, respectively.  More details are available on our HIMSS 2009 events page. 

Hope to see you there!

--David

Tags: healthcare_access_management password_management healthcare_single_sign-on secure_access


OneSign Customers Talk Shop: Fingerprint Biometric Security, Password Management and Security Risk

March 11, 2009 at 7:43 pm by David Ting

We've found that our customers are the best resource for understanding how to solve employee access management challenges.  Over the past week or so a few of them have shared details of their OneSign experiences, so I thought you may want to hear what some of them are saying and doing.

CSOonline.com's Joan Goodchild created a cool video-based interview with Bill McQuaid on how Parkview Adventist combined OneSign with fingerprint biometrics to improve productivity, streamline operations and minimize security risk.  Check it out here.  Key take-aways from Bill when deploying systems are:

1. Test, test and test again: with physicians and nurses you only get one chance to get them to buy in (which they did at Parkview)

2. Have a comprehensive training program: training up-front minimizes helpdesk calls later

3. Have a back-up plan: at Parkview, employees have several fingers scanned in case the biometric doesn't scan properly

Over at SearchCIO.com, Linda Tucci chatted with Chuck Christian about Good Samaritan Hospital's single sign-on deployment, capturing the hospital's experience using OneSign for the past four years.  Chuck shares advice on how he evaluated SSO solutions, how he got executive buy-in early on, and once installed, his ability to quickly change employee access (including complete shut-off) and how he deters bad security behavior by ensuring everyone is clearly aware of audit features.  The full story is here, and his advice is worth reading.

Anne Gabriel talks with OneAmerica's Jeff Hornung about the intersection of employee productivity, SSO and security for a story in Insurance & Technology.  Jeff explains his experience rolling out SSO to 1,500 users, and how that has translated into a 15 percent drop in help desk calls (and 50 percent for one specific application!) and enhanced employee productivity.  Next up for OneAmerica?  The life insurer will "leverage Imprivata's two-factor authentication and biometric device capabilities to meet changing needs and regulations" according to the article.

Tell us how you're using OneSign, and what's working for you.  We'd love to hear it.

David

Tags: Fingerprint_biometrics password_management two-factor_authentication SSO security_risk


Stimulating Strong Authentication

February 20, 2009 at 6:54 pm by David Ting

The stimulus package recently signed by President Obama has been the cause of vigorous debate.  One by-product of the package that has not been widely discussed is a set of provisions that would reshape the medical industry by driving the adoption of computerized medical records for all Americans.  An increase in electronic health information of this magnitude greatly raises the exposure to a security breach, which is what we'll focus on today.

While the program sets high goals of making records accessible, increasing healthcare efficiencies and reducing costs, security for a program of this magnitude needs to take a zero-gap approach - removing any security risk that could lead to a data breach. When you consider the number of sources for medical information, and the number of healthcare employees across the country, security for a project of this size represents some huge challenges.  

So where do we start?  From a data security standpoint, a lot can be learned from the hospitals and healthcare facilities, which have spent years focused on HIPAA compliance,  as well as from other countries that have embraced a similar approach to digital medical records.    

We've seen customers such as OhioHealth go completely paperless, with digital record keeping replacing the extensive paper files that are commonplace in the industry.  OhioHealth took an innovative approach to securing patient data from the access standpoint, making single sign-on the core of its digital authentication strategy: employees reach the applications and information they need only after first authenticating with a biometric device or a strong password. 

Controlling access is only part of the equation.  Once a user is in, there is a need to monitor and control how the information is used, so that a breach can be prevented after initial access has been granted.  Even when a user has been properly authenticated, what happens when the clinician walks away and leaves the session open for anyone to use?  And when a life-or-death order needs to be placed or a prescription filled, the action must be traceable to the specific doctor, nurse or clinician who took it.

Making the medical records of hundreds of millions of citizens accessible is certainly a step forward, yet keeping them private is a tremendously complex problem, one that will need to be addressed before the program can move forward in earnest.   

What are your thoughts?   Email me and let me know.

Tags: security_breach data_security security_risk Single_Sign-On HIPAA_compliance


2009 Priorities: Security and Strong Authentication

February 5, 2009 at 7:40 pm by David Ting

In our last blog posting, we discussed three priorities all organizations should focus on in 2009:  security, productivity and manageable IdM projects.  Today we're looking more closely at enterprise security.

Businesses continue to grapple with economic realities, making hard decisions to stay competitive during the downturn.  These decisions can have a negative impact on IT security: IT staffs are reorganized, budgets slashed and security professionals tasked with doing more with less while still addressing data security.  Unfortunately, as this happens, the number of vulnerabilities they're tasked with covering keeps growing.  The latest news about the logic bomb at Fannie Mae only reinforces the need for additional vigilance as organizations downsize.

The challenges can be overwhelming, but they're not insurmountable.  So where do you start?  The important thing is to have a plan - think through the challenges and anticipate possible problems.  With that in mind, here are three areas you can address to make sure your company is secure:

Identify and deal with your greatest areas of risk

It may sound simple, but it represents a shift in philosophy and mindset, away from comprehensive, enterprise-wide projects that take years to implement with little to show in return.  Given the constraints on staffing and budgets, IT staffs need to focus on the immediate areas of security risk and make sure those gaps are closed.  For example, if you're undergoing a company-wide reorganization, start by asking yourself:  Can we immediately revoke the access of former employees, and alter the access of employees whose job functions have changed? Are we aware of every access point left behind by dismissed consultants?  If the answer to either question is no, you're at risk and have identified your first project. Assess what damage could be done if revocation is not immediate or not all-inclusive. 

To understand the risk you face, look at the case that came out last week of the former Fannie Mae employee charged with planting malware on the company's network that could have caused millions of dollars in damage.  While the case is still pending, the fact remains that this former employee, in the window between being told he was laid off and leaving the building, was able to plant a logic bomb that could have wiped out data on some 4,000 servers.  This remains one of the biggest security risks facing organizations, and one that can be dealt with quickly and efficiently with the proper systems and processes in place.

Know who is getting on your system

Trust has never been a sound security strategy, especially when you consider the number of insider-related security breaches over the last year.  The nature of business dictates that you need to know what your employees are accessing, with the ability to track users and audit usage.  Having confidence in who is getting on your system means believing more than what a username and password say about who someone is. It means relying on strong authentication and on a comprehensive model of device-based authentication to prove the user's identity. The dramatic reduction in the cost of fingerprint biometric scanners, card readers and tokens allows corporate-wide deployment of technology that is now mainstream. Think about this in the context of what happens if the wrong person gets onto a computer, the network, an application, or conducts a transaction within an application. It has become best practice in many businesses to require biometric authentication or building-access smart cards to enforce user authentication and access whenever sensitive information or applications are at stake.

Have demonstrable ROI for your project

The general consensus of the CIOs I've spoken to recently is that they are being selective in the  security projects they tackle in 2009 - undertaking only those projects that can yield immediate results either to improve business productivity or reduce security risk.  We discussed this recently with some of our customers in a webinar roundtable discussion.  If you weren't able to attend, I encourage you to download the webinar to see how they're addressing the security challenges in 2009.

So what challenges are you facing? 

What steps are you taking to tackle security in 2009? 

Feel free to email me if your organization is facing a different set of challenges in the coming year.

Tags: Fingerprint_biometrics security_breaches data_security biometric_authentication security_risk enterprise_security


Looking Forward – 2009 Priorities

January 8, 2009 at 4:15 pm by David Ting

Happy New Year everyone.  Unfortunately for all of us, we enter 2009 facing the reality of an economic recession that affects every industry.  Layoffs are rampant, budgets are slashed and businesses are scrambling to weather the economic storm. Faced with these hard realities, it's a good time to regroup and rethink our next steps as we prepare for the eventual upturn.

So what are businesses thinking about? What should the priorities be in 2009?  We've heard from our customers, and there is a general consensus around three focal areas, that are by-products of the sense of urgency to respond quickly to the economic reality of the coming year.  We'll tackle these three topics in subsequent postings later this month: 

  • Productivity - It's universally accepted that we're going to have to do more with less in the coming year - less staff in IT, less money to spend on projects, less time to wait for ROI from ongoing projects. With that in mind, consolidation of resources and enhanced productivity will be priorities in 2009, specifically around reducing extra time-consuming problems that keep employees from the real tasks at hand - progressing the business.
  • Security - Increasing productivity can sometimes lead to a lessened focus on security. However, considering we just left a year that had the highest number of data breaches on record, businesses cannot afford to put security concerns on the backburner. As the economy worsens and businesses are faced with continued layoffs and re-organizations, immediate steps have to be taken to deal with orphaned account accesses, changing roles and responsibilities, need for strong authentication and more.
  • Manageable IT Projects - With tight budgets, IT organizations are looking for short term tactical projects that can have direct impact on the business. Multi-year strategic projects are more likely to be delayed given the lower threshold for risk and potential disruption to the organization. Identity management projects that would have required major restructuring of IT infrastructures and significant changes to the user workflow are being replaced with more tactical projects that are narrower in scope and easier to deploy. Frequently, we see businesses focusing on more tactical projects such as layering strong authentication or adding Single Sign-On that can be accomplished within weeks and months - and with more apparent returns than projects that need years to complete.

On Wednesday, January 14th, we're hosting a webinar roundtable discussion with Dave Kearns of Network World and several customers to discuss the changing security landscape in 2009 and how these customers will tackle some of the issues above. We encourage you all to tune in, participate and share your ideas for 2009.  If you can't attend, feel free to email me about the issues your business is facing.  What do you think the greatest challenges will be in 2009?

Tags: strong_authentication data_breach


Desktop Virtualization – Has it hit your desk yet?

December 15, 2008 at 10:37 am by David Ting

The discussion on desktop virtualization, or hosted virtual desktops, is heating up. Some view it as futuristic.  Others say it is a throwback to the world of mainframe computing. With economic concerns forcing businesses to take a hard look at expenses across the enterprise, however, there are many reasons this is such a hot topic.  

In our current cost-conscious world, the potential to reduce IT costs is obvious: virtualization significantly reduces the need for idle computing hardware and drastically lowers power consumption, especially in mission-critical environments like healthcare where machines need to be on 24 hours a day.  The power saving comes from no longer running lightly loaded but high-powered CPUs at each desktop, and instead delivering desktop sessions for many users from a server that can be heavily loaded. Most importantly, virtualization frees IT from maintaining large numbers of desktop systems that are largely user-managed. It also eliminates the need to constantly re-image machines that have degraded through ordinary use. Imagine how many fewer headaches we would have if we could have a fresh copy of the OS image every day, and not have to suffer through the "plaque" build-up that slowly kills performance.

This all sounds good.  But before diving headfirst into the virtualization pool, it's important to realize that the benefits of desktop virtualization also bring new security challenges, especially around managing user identities, strong authentication and enforcement of access policies.

With user identities being relevant at multiple points within the virtual desktop, coordinating and enforcing access policies becomes far more difficult and error-prone, because all of those systems have to stay in sync.  Since one of the advantages of virtual desktops is the ability to dynamically create desktops specific to the user's role within the organization, having a centralized way to manage user identities, roles and access (or desktop) policies is critical in this new virtualized environment. Allowing users to reach only tailored desktops specific to their role or access location can be tremendously valuable in controlling access to computing resources. Being able to use a single location for authenticating users, obtaining desktop access rights and auditing session information is equally important, if not more so, than in a conventional desktop environment.

While it is still some time before adoption becomes common (security capabilities and limitations remain a barrier), we're beginning to see customers who need to address these issues by carrying the user's identity, authentication and policy all the way from the client to the virtualized session and even to the virtualized application.

Desktop virtualization has tremendous promise - however, until we can replicate the user's current experience --and more importantly--make it easier to set and enforce authentication and policy in this environment, there's still work to be done.

Are you working through some of these issues? I'd be interested in hearing how you fill the policy and authentication gap while keeping your critical infrastructure secure.

Tags: strong_authentication


Massachusetts Data Privacy Regulations – Are You Protected?

November 26, 2008 at 3:30 pm by David Ting

A recent Gartner Blog Network post and Wall Street Journal article both focus on new, stricter data regulations being passed in several states, including Massachusetts.  The final set of Massachusetts regulations (201 CMR 17.00) focuses on restricting employee access to data, monitoring for malicious activity on the network, and strong authentication protocols. The new regulations go into effect on January 1, 2009.

While it sounds like common sense legislation, and represents a good step forward in helping mitigate data breaches, the new regulations will have a wide ranging impact and will affect every business in Massachusetts that comes into contact with consumer information - including financial services organizations, healthcare organizations, and even educational institutions.

A closer examination of the regulations shows that they're very similar to the Payment Card Industry (PCI) Data Security Standards (DSS).  That's good news for many companies that handle financial information and have achieved PCI Compliance, or those that are working towards compliance.  In fact, a recent survey of IT decision makers commissioned by Imprivata examining identity management trends in PCI compliance, shows that a majority of companies are either currently compliant with PCI standards, or plan to be in the next 18 months.

The departure from PCI comes from the types of information that need to be secured: the new regulations go beyond financial information and cover any personal information a business might collect, including bank account information, Social Security numbers and so on.  This affects a large number of businesses that might never have fallen under the PCI umbrella. 

If your business falls into that category and you haven't started on the road to compliance with these new regulations, a good place to begin is to make sure you have access policies in place to control how users access information. Implementing strong authentication wouldn't be a bad idea either, as it ensures that access to records is controlled and that you can verify and report on the identity of the user accessing the data.

From an IT standpoint, this means not only that every user in your business has a distinct login and password, but that each user has been authorized to access the information they reach. Consistent with the principles of role-based access and least privilege, you also want to make sure the level of access granted to users matches their job function and is restricted in scope. Above all, IT systems need authentication, authorization and traceability so that users can be held accountable for whatever information they access.

Most importantly, businesses need to ensure that when employees leave or job functions change, there is a quick way to deactivate access to information.  This is a critical step in preventing a data breach: it ensures that former employees can't reach sensitive information and applications once they're no longer part of the company, and that unauthorized personnel can't reach the same information using credentials handed over by a former colleague.  How often have we heard of data breaches traced back to accounts that should have been disabled, belonging to former employees who no longer had any business on the system? Keeping your IT and application accounts in sync with the list of active employees is just good IT housekeeping.

These new regulations put the onus on the business to make sure they're taking proactive steps to protect sensitive customer information.  While the new regulations haven't outlined the potential penalties for violation yet, the threat of a fine shouldn't be the trigger for an action when it comes to protecting customer information.  Nor should businesses wait until they have a breach before getting serious about security - these are common sense steps that all businesses should take to ensure that they're protecting their critical assets and data.

Is your business impacted by the new regulations? If so, where are you starting your journey to protect your business and your customers?

-David

Tags: strong_authentication compliance


Identity Management Trends in PCI Compliance Survey Findings

November 13, 2008 at 3:00 pm by David Ting

The other week, we announced some findings from a survey conducted over the past couple of months aimed at understanding where authentication and access management sits in the eyes of those concerned with Payment Card Industry (PCI) data security standards (DSS).  With PCI publishing the latest PCI Data Security Standard 1.2 on Oct. 1, 2008, this online survey highlighted some interesting trends as companies work toward compliance.

Here are a few stats to briefly call out:

  • Despite the latest PCI DSS compliance requirements deadline having passed in June 2008, only 39 percent of respondents confirmed they are currently compliant
  • Of the 61 percent of respondents that are not yet compliant, 53 percent expect to become compliant within 12 months; 65 percent expect to be compliant within 18 months

Clearly, PCI DSS still has a long way to go if more than 60 percent of respondents aren't yet compliant, but it looks like a clear priority over the next 12-18 months for most companies.  Of the 12 areas across IT disciplines that PCI DSS addresses, many are tied to access and authentication technologies - after all, the goal is to control access to critical customer information. Deployments of single sign-on, strong authentication and physical-logical security integrations with specific ties to compliance are increasing and/or in the works for most respondents in the short term.

  • To control individual access to computing resources and cardholder information, of those that are now compliant, 74 percent have assigned a unique user ID, 63 percent have deployed strong authentication technologies and 63 percent have deployed password management technologies

Managing IDs is tough enough when one considers how many different systems employees at most companies interact with, so it is great to see that 74 percent of respondents have assigned a unique user ID for each employee.  A unique ID and strong authentication are critical in ensuring there is a link between a logon ID and an individual's true identity.  This is critical not only for audit purposes, but it also acts as a deterrent.

  • 26 percent of those not yet compliant aim to have the best security available in the industry to protect data

A surprising tidbit that came from this survey is that more than a quarter of respondents are less driven specifically by compliance with industry regulation and more driven to make sure they have the best security available in place.  This is a positive trend, as oftentimes security investments had been relegated to the minimalist checklist of what was required to have "good enough" security. This confirms the anecdotal evidence that companies are increasingly becoming more aware of the potential damage to their public image and are determined not to be in the headlines for the wrong reasons.

For the full Executive Summary of the report, click here, and for the press release, click here.

How's your PCI DSS compliance coming along?

-David

Tags: password_management access_and_authentication strong_passwords physical_security


Halloween Scary Security Stories 2008

October 31, 2008 at 2:00 pm by David Ting

This week I was part of Network World's second annual real-life scary security stories podcast, a panel hosted by Keith Shaw that told the tales of some frightful security happenings over the past year. There were some amazing examples of breaches of data, corporate espionage and simple access and authentication missteps, to which I added a few anecdotes from actual conversations I've had over the past year. [To protect the innocent, actual names were not used.]

So here's a run-down of FIVE scary security stories that made me shiver:

1. During a security audit, one company set up a team to see where the vulnerabilities of its organization existed. The undercover team posed as outsourced IT staff in one instance, and asked an employee to offer up her strong password so that he could access the computer to change its fluid... change its fluid!... and sure enough, the employee not only coughed up her password (required to be strong), but noted the strong password was due to their company's strict security policy.

2. Convenience shouldn't be written on the wall... literally. I came across one example of a hospital where they were considering re-painting a room and the doctors were in an uproar about it. Turns out, most of the doctors travelled to different hospitals and had written their application passwords on the wall behind the computer for easy recall and sharing with colleagues. Each doctor had a "reserved" area where they would scribble their logon information specific to that hospital. I've seen a lot of passwords written on sticky notes, behind monitors, but right on a wall!? This was a first, and I later found out it was done at multiple hospitals in the area.

3. In some instances, vulnerabilities are based simply on the basic human nature of trust. One time I was due to meet with a company, and it was raining buckets outside, so as my team waited outside, a member of the cleaning crew kindly let us into the facility and pointed out the room we were supposed to meet in. No need to sign in or be escorted - even though there were plenty of signs about security and proper disposal of documents in locked bins. They then left us alone in the conference room, complete with network access, to set up our equipment and wait for the meeting with the CISO. The cleaning crew, like most people, trusted that people were good (a positive thought, in general, however) and helped us bypass a necessary physical security hurdle.

4. In some instances, thieves can get downright brazen. In one instance I recently heard about, someone walked into a company on a Friday afternoon wearing overalls with "PC Repair" written on them, and walked off with 50 computers. He told the staff they were getting new computers on Monday and that he had to remove the old computers. Since it was Friday afternoon, not only was he not challenged by anyone, but someone actually helped him get the stuff out. When I heard this one, I was shocked at how easy it is for thieves to get by physical security by using a credible story.

5. I also learned recently about a company that had an employee who was stealing computers by wrapping up laptops in papers and padding, and tossing them into trash cans in the office, then going outside when the trash was taken out to recover them outside of the facility, after the unknowing cleaning people had completed their work. Interesting approach to circumventing the physical security infrastructure, but it goes to show you how creative, yet simple, tactics can be to get around security.

What I took away from these recent conversations and stories is that the human element plays a major role in ensuring overall security, and that training and education must be a security priority for all types of employees in an organization. Often, the social engineering of threats - online and offline - feeds off the inherent trust that people have in one another, so whether a breach, scam or vulnerability is sophisticated or simple, we all need greater awareness of our environments and must follow security best practices even if it may feel a bit awkward.

So with Halloween upon us, what are your scary security stories? [please don't use real names!]

-David

Tags: password_management access_and_authentication strong_passwords physical_security


Security in the Cloud

October 13, 2008 at 9:30 am by David Ting

While the concept of cloud computing (accessing applications online) has been around for close to a decade, talk on the subject has intensified significantly in recent months. The catalysts for these discussions range from the sharp decline in hardware and network infrastructure costs to the desire for a business to "go green" to the need for accessibility by an increasingly distributed workforce.  Whatever the reason, big business has taken notice, and as this interest turns into action, these companies must be prepared to look at all of the key issues around this move before taking action.

What we are seeing today is a growing wave of interest from businesses in deploying a company-wide cloud computing model. In fact, InfoWorld predicted earlier this month that "the high cost of power and space is going to force the IT world to look at cloud services, with a shift to computing as a cloud resource occurring in the next five years." The author goes on to predict that the "emergence of cloud computing will reduce the need for computing at the enterprise level."

Few people question that cloud computing will bring an array of benefits to businesses, many of which have been touched on above.  The issue as I see it is that for those businesses looking to the cloud, many are not easing in with their eyes fully open but rather are jumping in head first -- as a result, they are forgetting to weigh all key areas ahead of time, specifically those on the security side.  A perfect example involves strong authentication.

Strong authentication solutions are essential for businesses looking to safeguard their company assets against unauthorized access.  For those businesses leveraging a cloud computing model, a major selling point is that employees can access critical applications from virtually anywhere while the company saves bundles of cash on infrastructure and maintenance costs. The issue is that once you are in the cloud, the risk of unauthorized access to your systems grows dramatically.

Since the cloud computing model creates a new wave of challenges for the security team, I assumed that these folks would be highly involved in all discussions.  What surprised me is that in many instances this is not the case.  What I have witnessed is that businesses are shutting the security teams out of the discussions altogether and are instead focusing almost solely on architecture. The security team is eventually brought into the discussions, but in many instances the team is literally forced to participate. This is a major oversight that could potentially have significant ramifications down the road.

Strong authentication is a vital element to protecting a business's assets from unauthorized attacks and the need for these solutions only grows when a business shifts to a cloud computing model.  As a result, for those businesses preparing to transform to the cloud model, the security team must be a central participant in the discussion from the very beginning.  By including them in the process and making them a part of the plan at the initial planning stages, businesses will be able to ensure that operating in a cloud doesn't mean they are flying blind.

-David

Tags: strong_authentication access_management


Tips and Tricks for selecting Strong Authentication

October 3, 2008 at 8:49 am by Jason Mafera

Strong authentication can come in a variety of forms, each with its own unique strengths and weaknesses.  Before selecting a type of strong authentication, think about the following:
  1. Make sure that the technology you select can be easily managed centrally.
  2. Check that the vendor supports multiple types of strong authentication technologies, so that it is easy to mix and match different types within a single installation and policy.  In many cases a single type of strong authentication technology is not enough to cover an entire organization, as different groups of users may need different types.
  3. Make sure you understand the strengths and weaknesses of each approach and that it fits into your overall security needs.
  4. Ask what happens if a device is lost or stolen: how easy is it for the user to continue working until the device is replaced?
  5. Ask how each technology fits into the three categories of multi-factor authentication: something you have (device), something you know (PIN or password), something you are (biometric).

 

For more information on different types of strong authentication and a comparison of strengths and weaknesses, please view the pre-recorded webinar by clicking on the following URL:   http://www.imprivata.com/content12349.html

Tags: strong_authentication biometrics


InSights from the Lone Star state

September 30, 2008 at 10:54 am by John Clark

Hundreds of McKesson customers converged in Grapevine, Texas this past week to learn what their peers are doing and to get the latest product updates from McKesson. If we are heading into an economic crisis, you'd never know it by the size of the groups that many hospitals sent to the conference!

Infrastructure upgrades were a common theme this year for many of the attendees I spoke to, with virtualization in particular continuing to rise in priority. Many hospitals had partially or completely virtualized their data center, and some had even virtualized all their desktops.

Conspicuously absent from the conversations I caught was any talk about stricter HIPAA enforcement. The sentiment from some of the attendees I spoke to was that HIPAA leaves a lot of room for interpretation, so they weren't too concerned with actually being fined. Combine that sentiment with the fact that there has been a grand total of one fine levied by the Office of Inspector General in the last ten years, and it's no wonder HIPAA is not a top concern for healthcare providers. On the other hand, despite the large number of hospitals that have rolled out a physician portal, passwords continue to be a huge headache for clinicians and physicians. This can be attributed partially to HIPAA regulations, because many of the organizations I spoke with have implemented unique login IDs and stronger password policies and make their users log off applications between patient visits. For those of us in IT, four passwords doesn't sound like a lot to manage, but for a physician, where literally every second counts, that is a big source of frustration.

There was unanimous agreement between the attendees I spoke with at the conference that 1) the young physicians coming out of med school are much more willing and able to embrace healthcare IT than the "old-timers", and 2) that if you want the physicians to change their behavior, even if it's IT-related, the mandate has to come from the Chief Medical Officer.

Are you seeing a generational gap in your physicians in terms of their willingness to embrace IT-driven solutions?  Is your organization willing to lose a physician to another hospital to make a point with the rest of your physicians?

- John

Tags: mckesson_insight_conference


ASIS 2008 in Atlanta: Where Physical/Logical Convergence Happens

September 18, 2008 at 10:18 am by Chip LeBlanc

I just came back from the ASIS 2008 Show in Atlanta and boy, do my feet hurt. Over 15,000 attendees, participation in 6 booths including our own, and 3 days of constant conversation will do that to a person. This security show is the top venue for those wanting to be educated on the latest in security... from state-of-the-art manhole covers to new IP video and access control systems. Imprivata participates to support our partners and promote the capabilities of our OneSign platform as a key component of physical/logical convergence.

The subject of security convergence has been discussed for years, and some pundits are skeptical that it will ever happen in their lifetime. Well, based on prospect meetings, sessions, and interactions with attendees at ASIS, convergence is going strong... and more importantly, technologies to deliver the capability are being budgeted for 2009.

A key factor in expediting the adoption of converged physical and logical security systems is the understanding among the facility security and IT security decision makers that they must engage with each other in order to drive the advancement of their company's security capabilities. To reinforce this, the security integrators and manufacturers, those charged with delivering a converged solution, must understand this as well. And our partners do! I was very happy to hear our partners instructing their customers and prospects (facility security managers and executives) that as they embark on upgrading and/or installing new security systems, their IT counterparts must be involved. If not, their projects will likely not happen. I must say, this was quite refreshing to hear, as conversations like that were not quite so prevalent at ASIS 2007. Convergence is happening.

-Chip

Tags: ASIS convergence physical/logical


What’s Next: Peering into the Future of Biometrics & Security Convergence

September 11, 2008 at 2:30 pm by David Ting

I was recently asked to comment on the future of biometrics so I wanted to share my thoughts here after distilling them down into four buckets.

What's Next in Adoption: Increase Driven by Usability, Durability and Speed in Mobile Devices
In the world of biometrics, we are witnessing widespread adoption of fingerprint biometrics because it has the longest history in terms of sensor development, image processing and large-population statistics. Mobile devices are starting to benefit from evolutionary rather than revolutionary changes as biometric devices become more usable (more tolerant of fingerprint and environmental conditions), more durable and faster. This, coupled with the reduction in footprint, power consumption and cost, has driven rapid adoption for mobile and desktop users, as evidenced by the number of users today who are buying them as a low-cost enhancement for their notebooks.

What's Next in the Tech: Improved Imaging Performance; Thermal Signatures of Veins and Facial Prints
I expect to see even better speed and imaging performance from future readers. In addition, newer technologies are emerging, such as infrared (IR) imagers able to detect thermal signatures of finger veins, palm or hand veins, as well as facial prints. These technologies are starting to appear, but their price points are higher than those of fingerprint sensors, so they are still early in their adoption cycle. Whether these will become as mainstream as fingerprint biometrics is still unknown, but these technologies look promising. For a variety of reasons, we still have not seen widespread requests for voice or facial recognition, even though microphones and digital cameras are becoming standard equipment on notebooks. Variability of the operating environment and how it affects the recognition rates certainly plays a large role in this.

What's Next in the Enterprise: Centrally-Managed Biometrics Data in a Distributed Environment
Most of the biometrics technology provided by notebook vendors is device-centric, meaning the reference biometric data - be it fingerprint, facial or finger/hand veins - is stored on the specific notebook used for enrollment rather than in a central server, as one would expect for enterprise use. This restricts the user to only authenticating back to the same device - not a very useful model if the user wants to gain network access from a different computer in the office or if the notebook needs to be replaced. Imprivata has long held the opinion that reference biometric data needs to be stored and managed centrally to offer the maximum flexibility and security for the end users. For instance, the OneSign server securely stores the reference fingerprint biometric for all users in an encrypted database that offers rapid fingerprint identification within a distributed environment. This model has proven to be operationally and demonstrably correct within healthcare, government, financial services and utility applications. Next-gen enterprise biometric solutions will evolve towards being able to work with centralized, distributed and mobile storage (e.g. on smartcards or contactless smartcards).  Another aspect for enterprise-based solutions is interoperability across different devices, so a user can authenticate using different sensor technologies from different platforms without having to enroll multiple times with different systems. This need will become more significant as first-generation scanners get replaced by newer ones. Failure to recognize this need to future-proof the biometric system will result in having to re-enroll users to work with newer technologies. This is one of the key design goals for the OneSign biometric system.

What's Next in Consolidation: Workflows; Physical and Logical Systems; and Biometric Support
As biometrics become more widely adopted, we are starting to see more requests for consolidation of the workflow used for enrolling and authenticating users. For instance, many interested in convergence of physical and logical access systems want "one stop enrollment" of employees, so the biometrics taken at the time they are issued a facility access badge also get used for granting logical access to computers or applications. Consolidation of biometric authentication/identification services across multiple applications is another change we are seeing, as government regulations call for transactional verification within applications. Rather than each application providing its own biometric capabilities, they are looking to external providers to support biometric verification for all applications. Imprivata's ProveID API to access OneSign biometric authentication, for example, is being used by multiple healthcare and financial applications to offload the responsibility for all the workflow, credential storage and device management necessary to support biometrics. We expect this trend to continue as more applications are required to comply with having biometric support. This is a win/win for both customers and application providers: the end user doesn't want multiple proprietary devices for individual applications or the need to individually learn to use and enroll with different systems, and the application provider doesn't want to have to wrestle with the complexities of different authentication technologies.

-David

Tags: authentication biometrics physical_and_logical_access


Who’s Really Afraid of HIPAA?

September 4, 2008 at 4:00 pm by John Clark

Since 1996, HIPAA has become one of the most important and highly publicized pieces of healthcare legislation in the United States. Over this time it has also become one of THE biggest topics of conversation within the healthcare and security industries, and with good reason: HIPAA involves two major issues, patients and privacy. What's truly amazing to me is that behind the scenes, one would naturally have to assume that the majority of healthcare organizations are being driven by the worry of the potential penalties that might be levied on them by the Department of Health & Human Services (HHS) for their failure to fully comply with HIPAA.

Something tells me the industry isn't quite as concerned as I thought. The latest piece of evidence lending credence to this suspicion involves the recent news around Providence Health & Services, which just last month was penalized for their violation of the privacy section of HIPAA. The fact that a healthcare organization failed to properly protect patient information is not unusual. There have been over 10,000 HIPAA-related complaints filed in recent years. There have also been numerous patient privacy violations as well, including the high-profile breaches that took place earlier this year at the UCLA Medical Center. What we have learned from these incidents is that while many organizations have taken concrete steps to protect their patients, many turning to access management and authentication management solutions, there are always going to be those that fail to properly address their areas of weakness.  What really stands out to me is that while both complaints have been filed and incidents have occurred, Providence Health & Services holds what CSO Magazine's Bill Brenner describes as the "uncomfortable distinction of being the first organization penalized for violating the privacy section of the Federal Health Insurance Portability and Accountability Act (HIPAA)."

That's right. While many healthcare organizations have failed to meet the regulations of HIPAA, fines such as the recent $100,000 bill levied on Providence Health & Services have been few and far between. What this tells us is that while HIPAA has raised the bar for the protection of patient information and created an immediate call to action for most organizations, HHS has limited the effectiveness of HIPAA due to its lack of commitment to enforcing the guidelines. The result? Companies which should be focusing on meeting HIPAA's standards and considering the consequences they might face if they fail to do so are ultimately deciding to focus on other projects that they deem more important.

The question is - will HHS ever become more hands on within the industry regarding HIPAA? Because, until HHS becomes consistently more involved and penalizes those that are in violation, the industry will continue with its "business as usual" approach instead of taking all the precautions as outlined by HIPAA.  I'd be interested to know - are you addressing HIPAA? And, which is your greater worry - HHS levied fines, or media exposure to a data breach?

If you are interested in hearing more about how a specific healthcare organization - William Osler Health Centre - is leveraging technology to address HIPAA issues, feel free to sit in our September 9 Webinar titled, "Imprivata, Single Sign-on and Biometrics Deployment: One Hospital Corporation, 3 Strategies." See you there!

-John

Tags: HIPAA_compliance access_management authentication_management


A Logical Security Convergence Starting Point: The Data Center

August 28, 2008 at 11:27 am by Chip LeBlanc

Physical-logical security convergence has garnered increased attention over the past year, and we've had countless conversations with both IT departments and physical security teams about the people, process and technology issues that come with the territory.  Integrating teams and policy, not just the technology, needs to be well thought out.  Increasingly, the path of our conversations with prospects and customers interested in converging physical and logical access focuses on where to start that type of project.  Though very interested in the promise of converged access, like any technology, people want to wade into the waters to make sure that it works as advertised technically, is easy to adopt for users, the kinks are hammered out in reporting, and there is a clear understanding of the ownership of the integrated environment.

Security Magazine's Bill Zalud just moderated an interesting Webinar on the topic of converged physical-logical solutions with folks from Convergint Technologies, Tyco International, M.C. Peterson & Associates and the Open Security Exchange - check it out here.  The topic of project ownership and budget, and inter-departmental communication were identified as primary hurdles to moving forward with a convergence effort.  Let's be honest, the physical and IT groups within most organizations often don't communicate as much as one might think.

However, there is a strategic bridge for these two groups -- the data center.  IT owns the servers; physical security is responsible for locking down the room.  In most cases, the server room/data center is of tremendous importance in today's business and there is a smaller authorized employee base to manage/monitor, so both groups can certainly agree on the need to lock it down and ensure only authorized personnel have access.  Finger-pointing and avoidance both get thrown out the door when the company's crown jewels (secret formulas, customer lists, financial reports - which are all stored electronically) are on the line.

The data center as a starting point can help physical and IT groups bridge the gap and start walking the walk, instead of talking the talk.  The stakes are too high not to collaborate.  In addition, leveraging existing investments tied to the data center makes it an easier transition - two-factor authentication can leverage physical security assets and infrastructure such as card readers.  This inserts IT into the process immediately and helps 'force' collaboration amongst the disparate teams for the common good.

The annual ASIS event is coming up in September (swing by booth #4024 if you're there!), and the topic of physical logical access convergence will be a hot topic once again this year.  Come by Imprivata's booth and let's talk shop - I'd love to hear your thoughts on the data center as a physical-logical starting point... whether here on the blog, or at ASIS in September!

-Chip

Tags: access_management physical_logical_security physical_and_logical_convergence two_factor_authentication


New York Times article on Single Sign-on: Cryptography vs. Passwords?

August 21, 2008 at 12:00 pm by David Ting

The New York Times recently posted an article decrying passwords as an inadequate defense mechanism for security today in a wave of identity theft occurrences.  The article goes on to push a cryptography-based approach to log-on systems, touting 'information cards' that rely on the computer handshake between machines to authenticate a user, or in this case, a site visitor.  The article goes on to rail against the OpenID initiative because of its password-driven approach to SSO to access OpenID-enabled Web sites.

I read some of the comments under the article and they are politely saying the same thing - that it would be great if all the servers and users out there used PKI for mutually authenticating each other.  Reality: this won't happen unless everyone makes the big switch.  Unfortunately major upheavals like this take tremendous investment.  Major investment indeed - by a lot of people, companies and policy makers.

A relevant analogy is the transition to fiber optics at home - 30 years ago we knew it was a better technology and that it would revolutionize telecommunications, *but*, with copper in place for telephone service, who was going to make the investment to solve the "last mile problem" - the copper that runs between the pole and your phone in the house [not to mention ditching the previous investments put into copper all those years]? Only now, with telcos being allowed to sell new services such as video content, are they incented to invest the billions of dollars required to bring fiber to the house.

So it is with PKI - the notion of using an info card to authenticate is the same strategy tried with PKI almost a decade ago. It failed because it required companies to make a significant investment to not only upgrade their server applications to use certificates, but more importantly, it required all clients to have valid certificates. The investment and expense required couldn't be justified on the basis of improving security, much less to provide SSO convenience. If a company has to choose between turning away customers that don't have info cards or certificates and increasing security - which option would it pick? The existing infrastructure for user authentication will continue to use passwords for a long time just like we lived with copper and analog voice support because the economics aren't there to switch. Using PKI to reduce user convenience issues isn't worth it when other technologies such as enterprise SSO can address those same issues.

Sure, single sign-on in the enterprise and Web-based SSO operate in different realities, but the convenience factor, combined with the continuous infrastructure investment made over the past two decades, points to the reality that password-based SSO isn't going anywhere anytime soon.  Are there ways to strengthen the security of password-based SSO without losing its convenience?  Sure: add strong authentication methods like biometrics [check out my post last week] to provide two-factor authentication.  At least there is widespread nearer-term investment being made in that area, in devices all over the world in every industry.

What do you think about password-based SSO vs. the cryptography/information cards approach to SSO the New York Times wrote about? 

-David
Tags: ESSO strong_authentication password_management two-factor_authentication biometrics

Putting my finger on the state of biometrics

August 14, 2008 at 1:30 pm by David Ting

Dave Kearns recently posted an article from an interview with Upek on the state of things in the world of biometrics, talking about how fingerprint readers are now being built into laptops, keyboards and all types of devices at a dizzying pace. [disclosure: Imprivata partners with Upek]  It was nice to see Dave addressing the topic of biometrics adoption.

Let's be honest, I spend a good deal of time collecting and vetting these amazing little biometric devices that have proven so valuable to our customers.  Years ago, working on civil biometrics programs, we had large fingerprint scanners that were nothing more than video cameras using mirrors, prisms and lenses to obtain an image of a fingerprint.  Today's sensors, mounted on keyboards, notebooks, electronic door locks and safes, are often low-cost direct-imaging silicon sensors capable of producing high-quality images with a very small footprint.  Combining biometrics with single sign-on has a strong value proposition, as more and more industry and government regulations require two-factor authentication and audit trails for access reporting.  Clearly, this last bit is self-promotional, as biometrics is right in Imprivata's sweet spot.  You have to admit the convenience of using a simple finger swipe or touch to access all the applications you need on a daily basis is huge, especially if you have to repeatedly log on and log off.  And hopefully you always bring your fingerprint with you, unless you're having a very bad day.

Seriously though, the combination of biometrics and single sign-on has a natural synergy.  I'll have some more news shortly on the strong authentication front, but in the meantime, when you're thinking of using biometrics with SSO, it's important to take a few things into consideration:

  • Ensure high-end image processing technology is embedded in the commercial product you are looking at.  There are many solutions out there, and some cost more than they should, so keep an eye on the balance between cost and system capabilities.
  • Look for solutions with low error rates, meaning "false accepts" and "false rejects."  While it is impossible to guarantee that there will never be a false accept, keeping the false accept rate better than 1 in 1 million is important, and it is worth asking the vendor how many impostor comparisons that figure was actually measured on.
  • For most end users, authentication is something they want to get done quickly so they can get on with their job, so identification or authentication speed is paramount.  Acceptable time for authentication (where you enter a user name) should be within a second, and for identification (where you don't enter a user name) within 2-3 seconds.  Consider the verification speeds of integrated ESSO-biometrics solutions and do a head-to-head comparison of the best alternatives.
  • Focus on solutions that handle a wide range of finger presentations with high accuracy.  Users don't put their fingers at the same angle or position within the sensor, or swipe the same way, as they did during enrollment, so a robust solution that handles that variability ensures user adoption.  Test the system to see what finger placements are accepted to gauge the user experience: try placing the finger at a different angle or swiping at different speeds.  Test with dry, moist, dirty or oily fingers (right after you've had that French fry) and, above all, try using it by touch alone with your eyes closed.
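To make the "false accepts" and "false rejects" bullet concrete, here is an added example (not code from the original post or from any Imprivata product) of how you would measure those two rates from a matcher's scores and pick a decision threshold. The genuine and impostor scores are constructed for illustration; the 0..100 score range and the idea that a vendor quotes a single "1 in N" figure are assumptions about a generic fingerprint matcher.

```python
"""Evaluating a fingerprint matcher by its error rates at a decision threshold.
Added example, not code from the original post or any Imprivata product;
the match scores below are constructed, not measured from a real device."""

# Constructed matcher scores in the range 0..100 (higher = stronger match).
# Genuine: the enrolled finger presented again. Impostor: someone else's finger.
GENUINE_SCORES = [88, 92, 79, 95, 84, 90, 73, 97, 86, 91, 68, 89, 93, 82, 87, 62]
IMPOSTOR_SCORES = [12, 25, 31, 18, 44, 9, 27, 35, 22, 51, 15, 30, 40, 19, 58, 71]


def far(impostor_scores, threshold):
    """False accept rate: share of impostor attempts scoring at or above threshold."""
    return sum(1 for s in impostor_scores if s >= threshold) / len(impostor_scores)


def frr(genuine_scores, threshold):
    """False reject rate: share of genuine attempts scoring below threshold."""
    return sum(1 for s in genuine_scores if s < threshold) / len(genuine_scores)


def threshold_for_far(impostor_scores, target_far):
    """Lowest threshold whose measured FAR is at or below target_far.
    Returns 101 if no threshold in the score range gets there."""
    for t in range(0, 101):
        if far(impostor_scores, t) <= target_far:
            return t
    return 101


def equal_error_rate(genuine_scores, impostor_scores):
    """(threshold, rate) at the point where FAR and FRR are closest to each other."""
    best_t, best_gap, best_rate = None, None, None
    for t in range(0, 101):
        a, r = far(impostor_scores, t), frr(genuine_scores, t)
        gap = abs(a - r)
        if best_gap is None or gap < best_gap:
            best_t, best_gap, best_rate = t, gap, (a + r) / 2
    return best_t, best_rate


def impostor_trials_to_demonstrate(one_in):
    """Rule of three: to show FAR <= 1/one_in with about 95% confidence from a
    run that produced zero false accepts, roughly 3 * one_in impostor
    comparisons are needed.  A "1 in a million" claim therefore cannot be
    checked with a few hundred tries on a demo unit."""
    return 3 * one_in


if __name__ == "__main__":
    t, rate = equal_error_rate(GENUINE_SCORES, IMPOSTOR_SCORES)
    print(f"EER {rate:.3f} at threshold {t}")
    strict = threshold_for_far(IMPOSTOR_SCORES, 0.0)
    print(f"threshold {strict}: FAR {far(IMPOSTOR_SCORES, strict):.3f}, "
          f"FRR {frr(GENUINE_SCORES, strict):.3f}")
    print("impostor trials for 1-in-1,000,000:", impostor_trials_to_demonstrate(1_000_000))
```

The point of the last function is the caveat from the bullet: with 16 impostor samples the smallest FAR you can even observe is 1/16, so a one-in-a-million rate is a statement about the vendor's lab run, not something you confirm at the booth. Raising the threshold drives FAR down and FRR up; the FRR at whatever threshold meets your FAR target is what your users will live with.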

What do you think about biometrics? Are you using it in your environments?  Is it tied to your SSO system?  What type of biometrics are you using?

-David
Tags: ESSO strong_authentication two-factor_authentication SSO biometrics

Strong Authentication at the Point of Transaction

August 7, 2008 at 3:07 pm by David Ting

As more and more industries shift towards paperless transactions, organizations are realizing that identity-based regulations are becoming more common and stringent across various industries. As a result, transaction-level authentication will be the norm in any situation where a person's identity is an important element of the transaction.

Recently, according to a Federal Computer Week article, the Drug Enforcement Administration proposed rules to allow e-prescribing of controlled substances, such as painkillers and stimulants. The proposed rules require doctors to use two forms of identification for each transmission of e-prescriptions for controlled substances in addition to an annual audit of each system by a certified public accountancy. Under current rules, doctors may use e-prescribing for most prescriptions but must sign a written prescription for Schedule II controlled substances, such as Nembutal, OxyContin and opium. The DEA rule, if it becomes final, would allow doctors to use the same system for generating and transmitting all prescriptions.

In addition, other industries are keenly exploring transaction-level security. Wherever there is a need for an absolute audit trail, wherever there is strict regulation like GLBA, HIPAA and PCI -- whether government-driven or industry-driven -- transaction level security is becoming a crucial element that both companies and software vendors must take into consideration as organizational processes shift toward paperless transactions. Here is a snapshot of notable industries and the activities that are sparking interest in transaction-level security:
  • Healthcare: electronic pharmacy transactions involving either high-value or high-volume purchases of prescription drugs
  • Banking: electronic funds transfers where cash is moved in and out of accounts
  • Legal: document and transaction tracking is key to ensuring a deal is legitimate and authorized
  • Pharmaceutical: adding or updating testing data
  • Manufacturing/logistics: controlling inventory

I believe that these positive-identification requirements are just the tip of the regulation iceberg.  Moreover, the business case for transactional strong authentication is very appealing, as authenticated electronic transactions make for a more efficient and accountable ordering system.

Are you about to embark on a paperless journey? How are you dealing with strong authentication with your transactions? I'd love to hear your stories.

-David

Tags: strong_authentication two-factor_authentication

Modeling Risk

July 31, 2008 at 3:30 pm by David Ting

Risk management seems to be the conversation du jour.  I was just at the Lenel Paradigm Conference in Rochester with some of their leading security consultants, and the topic that constantly came up was risk and how security practitioners need to understand the business drivers around mitigating it. With access- and authentication-management-centric security breaches like LendingTree and Societe Generale making headlines, and compliance requirements mandating greater information security, how does one even begin to understand what a company needs to do? New threats, internal and external, pop up every day.  Security is a blend of technology, procedures and process that attempts to govern how users access and use information resources.  How do we gauge the effectiveness of the technologies in place and calibrate them against their cost-effectiveness in reducing improper access and use by employees, contractors, ex-employees and visitors?  Defense-in-depth is the right approach to strengthening overall security today, but simply deploying intrusion prevention, strong authentication or encryption as another part of the security equation is not enough.  So far in IT security we've gotten away with arm-waving to promote the need for improving security, relying on our instincts that certain mitigation technologies will be effective at thwarting breaches. The time has come for us to think more as systems engineers and get a clear view of an organization's security posture by modeling the potential risk of a breach and understanding the cost of such a breach. After all, if the goal is to reduce risk, how do you know how much it would be appropriate to spend on reducing it?

Modeling risk from the outside in and across multiple security layers requires one to quantify the probability that something can slip through each layer (every layer you introduce to the system is another opportunity for leakage and porosity), in the same way one would design a cascaded set of filters, each meant to block a specific type of intruder.  For those of us who endured signal processing classes years ago, this is just a classic linear system designed to pass certain signals (authorized users getting through) while attenuating the noise (incorrect or undesirable users) mingled with the signal.  In this model one needs to gauge the risk that someone incorrectly gains access to critical information through each layer.  Modeling how physical, network and application security combine as a system to reduce risk lets one understand how technology, procedural changes or temporal effects interact with each other to affect the cost-effectiveness of the whole solution.  IT security often isn't systematically measured, so risk can't be clearly quantified right now.  Therefore you first need a way to model risk in order to understand how to reduce the risk associated with a compromised system. [more to come on this in an upcoming post.]
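The cascaded-filter idea can be carried through as arithmetic. The following is an added example, not the model the post is promising in a future entry: each layer is given a probability that an unauthorized attempt passes it, the chain's leak rate is the product of those probabilities, and the expected annual loss is attempts times leak rate times breach cost. The attempt counts, breach cost, per-layer pass probabilities and option costs are all constructed for a hypothetical site, and the independence of layers is an explicit assumption that the merge_correlated function lets you override.

```python
"""Layered-defence risk model: each control is a filter that lets an
unauthorised attempt through with some probability; the chain's leak rate
is their product.  Added example, not the post author's model; every figure
below is constructed for a hypothetical site."""

ATTEMPTS_PER_YEAR = 200        # unauthorised attempts that reach the outermost layer
COST_PER_BREACH = 250_000.0    # loss when one attempt reaches the protected data

# (layer name, probability that an unauthorised attempt passes that layer)
BASELINE = [
    ("badge-controlled doors", 0.20),
    ("password login", 0.15),
    ("application ACLs", 0.50),
]


def leak_probability(layers):
    """Probability that one attempt passes every layer.
    Assumes the layers fail independently; see merge_correlated() for when they don't."""
    p = 1.0
    for _, pass_prob in layers:
        p *= pass_prob
    return p


def expected_annual_loss(layers, attempts=ATTEMPTS_PER_YEAR, cost=COST_PER_BREACH):
    return attempts * leak_probability(layers) * cost


def replace_layer(layers, name, new_pass_prob):
    return [(n, new_pass_prob if n == name else p) for n, p in layers]


def add_layer(layers, name, pass_prob):
    return layers + [(name, pass_prob)]


def merge_correlated(layers, names, joint_pass_prob):
    """Collapse layers that one weakness defeats together (a tailgater who also
    knows a shared password passes the door and the login as a pair) into a
    single layer with the joint pass rate, instead of multiplying the
    individual rates as if they were independent."""
    kept = [(n, p) for n, p in layers if n not in names]
    return kept + [(" + ".join(names), joint_pass_prob)]


def loss_reduction_per_dollar(baseline, option_layers, annual_cost):
    saved = expected_annual_loss(baseline) - expected_annual_loss(option_layers)
    return saved / annual_cost


def rank_options(baseline, options):
    """options: {label: (layers_after_change, annual_cost)}.
    Returns [(label, reduction_per_dollar, residual_annual_loss)], best first."""
    rows = [(label, loss_reduction_per_dollar(baseline, layers, cost),
             expected_annual_loss(layers))
            for label, (layers, cost) in options.items()]
    return sorted(rows, key=lambda r: r[1], reverse=True)


if __name__ == "__main__":
    options = {
        "two-factor at login": (replace_layer(BASELINE, "password login", 0.02), 60_000),
        "add intrusion prevention": (add_layer(BASELINE, "intrusion prevention", 0.60), 40_000),
        "tighten application ACLs": (replace_layer(BASELINE, "application ACLs", 0.30), 15_000),
    }
    print(f"baseline expected annual loss: {expected_annual_loss(BASELINE):,.0f}")
    for label, per_dollar, residual in rank_options(BASELINE, options):
        print(f"{label:28s} saves {per_dollar:5.1f} per dollar, residual {residual:,.0f}")
```

Two things the numbers show that the prose only gestures at. First, the cheapest option is not the one with the lowest residual loss, so "how much to spend" and "where to spend" are separate questions the model answers separately. Second, once two layers share a failure mode, the product rule flatters you: merging the door and login layers with a joint pass rate of 0.12 gives a leak rate four times the independent estimate, which is the "porosity" the post warns about.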

Specifically identifying a cost/benefit ratio of security investments vs. the damage an incident could bring may never be crystal clear.  However, with a model it becomes possible to ascertain where threats are most likely to penetrate specific layers, which is useful for pinpointing where improvements are needed to mitigate, and to respond quickly should something indeed happen.  In addition, it gives you the clarity to communicate what you need to those with the critical business-case sign-off on your next security investment.

So, have you assessed your risk potential?  What does your model say is the biggest threat today? I'd love to hear what others have found, and how you are modeling risk at your companies.

-David

Tags: strong_authentication authentication_and_access_management

SSO Summit field notes

July 29, 2008 at 9:45 pm by Christopher Paidhrin

There and Back again...

By Christopher Paidhrin

Summary --

Full disclosure: I'm just a medium-sized hospital's IT security guy. I've had Imprivata's ESSO appliance (three of them actually, a pair of HA, and a test box) up and running, happily, for about three years. I was invited by Imprivata and Ping Identity to participate in a panel discussion at the SSO Summit held in Keystone, CO, on July 23-25 (http://www.ssosummit.com/).

Andre Durand (Ping Identity) and friends put on a very nice event. There was a good blend of topics, from SSO-centric details, to Federation issues, and a mixture of interesting case studies to visionary presenters like John Haggard (independent security consultant and long-time IT mentor) and Gunnar Peterson (Arctec Group). The event was solid throughout, but to hear John and Gunnar speak about the important issues of the past and future of SSO and IT/Web security, made the event a powerful experience not to be missed.

The conference was well balanced with interesting case studies (GM, Chrysler and 3M were fascinating), vendor technologies (Covisint, Ping Identity and Coreblox) and breakout sessions. Normally, I don't find much value in breakout sessions, they tend to be space fillers and socializing sessions, but not here. I was impressed by the topic-centered groups, I think there were seven or eight for each round, in that they addressed real and interesting questions. I had difficulty choosing which to sit in on. Fortunately, we pulled together at the end of each session to share the highlights from each group. Even though there were a number of new-to-SSO attendees, the depth and breadth of collaboration within the small groups was impressive. I'm a slow note-taker, so I am anxiously awaiting the digital copies of the presentations and breakout session summaries.

The customer discussion panel that I participated in, with Steve Craige, VP, Bank of the West, and Michael Thomason, Chief Technical Architect, Emory Healthcare, was a good way to contrast how the three of us choose our SSO partners, what our challenges were, and what we learned about ourselves, our organizations and our vendors, in the process.

The "take-away" value from the SSO Summit has been transformative. Now, all I have to do is transfer this experience to my IT security peers and the security architects within ACS, and hope that I do justice to the experts who shared their insight and knowledge with us.

Wish you could have been there. I hope to return again next year.

Details, if you're into that sort of thing--

The Keystone Lodge was a welcoming environment, the facilities were well kept and managed, and the staff was first rate. The weather was mild, the beetle-infested trees were disconcerting, and the ride via Colorado Mountain Express (CME) up and down from Denver International was a pleasant alternative to the rental car experience.

Pluses: Two-plus days in the high mountain air and beautiful scenery; comfortable room, and good food. A day and a half was just right for this event. Dave Kearns, Network World, who hosted the SSO customer panel, commented several times on the Burton Group Catalyst conference held in late June, in San Diego. That conference was three days of sessions, plus two days of workshops. Most people needed a vacation after that much intensity. I was in San Diego too, and I can say that the SSO Summit held its own for the quality and value of content.

Minuses: High mountain altitude made several folks not feel so well. I had a low grade headache for most of the time. I guess it's a trade-off.

Topics of interest

One might not think that SSO would be an engrossing stand-alone topic for a conference, but there was a steady and high interest level among the attendees. I have attended a few (make that several) conferences, and there is an ever present opportunity to put the masses to sleep. I was pleased to see an active engagement between the hosts, presenters and the audience.

It was evident from the presentations that SSO tools/technologies/standards have come a long way in the past few years. It was also evident that we still have a ways to go. The current state of SSO is solid, but it is conceptualized within three distinct areas: a) Enterprise, b) Federated enterprises, and c) Web-services or universal. Each of these has existing, viable technologies and vendor solutions, but the talk of universal standards is pulling all of them together, if not to share common security standards, then to share common protocol standards. There was a lot of talk about SAML (http://en.wikipedia.org/wiki/SAML) and certificates.

The future of SSO is coming upon us quickly. The adoption of standardized federation, identity and authorization schemas is lagging behind the adoption of Web 2.0, cloud-everything and mobile-diversity technologies and service demands. Both John Haggard and Gunnar Peterson spoke emphatically to the need for "real" security to catch up with the explosion of perimeter-less networks and SaaS/SOA/cloud services. If you have a chance to hear these guys, don't miss it. Or, better yet, invite them to your nearest ITSec event; they'll knock your socks off.

Key take-aways

It helps to know that confusion is not just a personal state of mind. Everyone seems to be struggling with the many issues and challenges of finding, paying for, integrating and deploying a robust, high-availability, scalable, feature-rich and easy-to-manage SSO solution.

There is much room for maturity in the SSO marketplace. It will help when the dust settles from all the mergers and acquisitions, and when the community agrees upon common best practices, protocols, and federation schemas. As the business communities of the world migrate ever so rapidly into a webified service delivery experience, identity and access management will become ever more important. And right there at the gateway, SSO, in one form or another, will be keeping guard.

When people ask me about SSO, I have tried to stress the importance of finding a really good vendor/partner (like Imprivata), because there is too much at stake when deploying an enterprise-wide SSO solution to not have a high degree of competence and wisdom behind you to guarantee success. Even if you have deployed ESSO solutions before, it helps to have expertise on your bench.

Next year's conference focus? Andre hasn't said what that will be, but if it is anything like this year's event, it will be well worth attending.

Regards,

Christopher

Christopher Paidhrin

HIPAA & IT Security Officer

ACS HCS, Inc. for

http://www.superiorconsultant.com/

Southwest Washington Medical Center

http://www.swmedicalcenter.org/

Tags: 2008 SSO ESSO Summit Keystone

Proving policies work – easing audit and enforcement of physical and logical security

July 24, 2008 at 1:00 pm by Chip LeBlanc

The term "security policy" used to mean different things to different people.  For the facilities management department, it covers physical access points and teaching staff to lock office doors and file cabinets before leaving for the night.  For the IT manager, it means keeping up to date with the latest patches and ensuring that users can only access the applications and data that they are allowed to.  However, this situation is changing with IT and physical security being managed together.  Although they come from separate disciplines, what these two areas have in common is policy.

However, from my travels in the field, I've found that the biggest area of interest in both the physical and logical sides of security is ensuring that these policies are actually being enforced and adhered to by employees. The physical security guys all agree that making security policies stick can be tough, especially if they change the ways that employees have been working for some time.  And, all agree that the convergence of these two disparate security disciplines ensures policy enforcement will now be possible across both disciplines.

During a recent visit with a pharmaceutical company, I chatted with a security executive about policy management and physical-logical security convergence.  We discussed that by linking the physical access system to the IT infrastructure, behavior can be enforced more strictly.  He agreed wholeheartedly.  I added that in the case of "tailgating," someone who does not badge in to a particular zone (such as a data center) can be denied access to his IT assets if he is not authorized to access them.  When logging in, the network can automatically query the building access system to check that the person has badged himself into the premises and into the zone accordingly. If not, access will be denied or the employee will be challenged with questions in order to access the network.  This approach does not impact correct user behavior and reinforces adherence to the company's policy.  The CIO seemed to have a Eureka moment - sound security policy theory with practical application in the real-world!

We continued to discuss how the investment in building access cards can be reused as an authentication factor for gaining access to the IT system as well.  By linking a user's password to the building access card, an organization can roll out strong authentication for its staff without having to invest in additional tokens or biometric readers.  As most building access cards are short-range RFID devices, a USB reader connected to the PC can serve as the means of presenting the card at login.  Adding a second factor to the standard password means that security is tighter overall, and unauthorized access is more difficult.
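The two mechanisms described in the last two paragraphs, querying the building access system at login to catch tailgaters, and checking a card tapped on a USB reader as a second factor, can be written down as a small policy function. This is an added example rather than Imprivata's product logic: the badge event export, zone names, restricted-zone list, card serials and the ALLOW/CHALLENGE/DENY outcome set are all constructed for illustration, and the 12-hour "still on premises" window is an assumed policy value.

```python
"""Checking the badge system before granting a network login, and verifying a
building card presented at a USB reader as a second factor.  Added example,
not Imprivata's product logic; the badge events, zones and card assignments
below are constructed."""
from datetime import datetime, timedelta

# Constructed export from the building access system: (time, user, zone, in/out)
BADGE_EVENTS = [
    (datetime(2008, 7, 24, 8, 2), "asmith", "lobby", "in"),
    (datetime(2008, 7, 24, 8, 5), "asmith", "datacenter", "in"),
    (datetime(2008, 7, 24, 7, 55), "bjones", "lobby", "in"),
    (datetime(2008, 7, 24, 9, 30), "bjones", "lobby", "out"),
    (datetime(2008, 7, 24, 8, 10), "cdoe", "lobby", "in"),
]
# Constructed directory attribute: serial of the proximity card issued to each user
CARD_OF_USER = {"asmith": "04A1B2C3", "bjones": "04D4E5F6", "cdoe": "04778899"}
# Zones whose workstations must not be usable without a badge-in to that zone
RESTRICTED_ZONES = {"datacenter"}

MORNING = datetime(2008, 7, 24, 8, 30)      # a login attempt half an hour into the day
MIDMORNING = datetime(2008, 7, 24, 10, 0)   # after bjones has badged out


def current_zone(user, at, events=BADGE_EVENTS, max_age=timedelta(hours=12)):
    """Zone the user last badged into before `at` without badging out; None if
    there is no badge-in within max_age or the last event was an exit."""
    zone = None
    for ts, who, z, direction in sorted(events):
        if who != user or ts > at or at - ts > max_age:
            continue
        zone = z if direction == "in" else None
    return zone


def login_decision(user, workstation_zone, at, presented_card=None):
    """Return (decision, reason); decision is one of ALLOW, CHALLENGE, DENY."""
    zone = current_zone(user, at)
    if workstation_zone in RESTRICTED_ZONES and zone != workstation_zone:
        # The tailgating case: in the building, but never badged into this room.
        return "DENY", f"no badge-in to {workstation_zone} on record for {user}"
    if zone is None:
        # No badge-in at all, or already badged out: fall back to a step-up challenge.
        return "CHALLENGE", "no recent badge-in; additional verification required"
    if presented_card is not None and presented_card != CARD_OF_USER.get(user):
        # Card tapped at the USB reader is not the one issued to this account.
        return "DENY", "presented card does not match the card issued to this user"
    return "ALLOW", f"badged into {zone}"


if __name__ == "__main__":
    print(login_decision("asmith", "datacenter", MORNING))
    print(login_decision("cdoe", "datacenter", MORNING))          # tailgater
    print(login_decision("bjones", "office", MIDMORNING))         # badged out
    print(login_decision("asmith", "datacenter", MORNING, presented_card="04D4E5F6"))
```

Two caveats a practitioner would add. The check is only as good as the badge feed's freshness and the site's badge discipline; if people routinely hold doors, current_zone() returns None for someone who is in fact at their desk, and the CHALLENGE branch becomes the normal path. And the serial of a typical proximity card is read in the clear and can be cloned, so it is a "something you have" factor only in combination with the password, as the paragraph above describes, not as a replacement for it.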

Using building access systems and IT security together in a converged manner creates an infrastructure that is more secure overall, while offering cost benefits compared to the traditionally disparate solutions.  So instead of retiring older physical infrastructure investments like badges and readers, integrating with IT security can actually extend the value and revitalize those deep-rooted investments.  Ah-ha moment #2 for the pharma security executive.

In addition, auditing and reporting within this converged security environment can be simpler: having a single overview of security, whether it is to buildings or IT assets, considerably eases the burden of proving that employees are meeting company policy.  A converged security system covering both physical access and IT creates an infrastructure where the whole is greater than the sum of its parts - and makes it easier to see if policies are being followed appropriately and meet various compliance requirements.

What are your policy management concerns and challenges?  How has the growing awareness of the need to converge physical and IT security changed the way you interact with your security peers? And, what's working for you?

-Chip LeBlanc, VP Business Development

Tags: two_factor_authentication physical_and_logical_convergence SSO ESSO access_management identity_and_access_management physical_logical_security SSO_Appliance

Where’s your Remote Control?

July 17, 2008 at 3:05 pm by David Ting

Managing the Increasing Vulnerability of a Decentralized Workforce

More and more companies today are enabling employees and partners to work remotely, accessing networks, data and applications from just about anywhere to be productive.  Being productive is good.  Behaving less responsibly is not.  I was reading that Cisco Systems commissioned a survey to examine the security behavior of remote workers, and I found some of the findings startling -- here's a few that stood out for me:

  • 33 percent of respondents said they "don't see anything wrong" with sharing their work computers with friends and family
  • Nearly half (49 percent) of respondents now say they are using their own personal devices to access work files

So what's wrong with this picture? Yes, opening up remote access for telecommuters, consultants and contractors is important for enabling productivity and work/life balance in many cases, but there is often only a nebulous process for shutting access down.  And if remote workers are behaving badly, then that opens new potential for security vulnerabilities.

Without interlocking IT access with physical-access privileges, there's no telling where someone is accessing the system from, or if multiple people are simultaneously using the same credentials.  This makes it impossible to trace any action back to an individual.

I want to restate the problem: most organizations have a nebulous process for shutting down remote access for workers, past and present.  In many cases, consultants can still access files and networks from old engagements.  Think of the LendingTree debacle from earlier this year.  Former employees sharing passwords with outsiders who had remote/Web access was the culprit there, and it highlights an important issue.  How many of us know people who claim they can still log in remotely to their former accounts?

Remote access is very problematic, because it bypasses the layers (guards, turnstiles, badge readers, etc) that safeguard computer access within the building so it is extremely risky to leave open.  This is the reason almost all compliance requirements mandate the shutting down of access as part of an employee/partnership termination process. 

I've had discussions with many consultants and found that as businesses shift to a more decentralized, deperimeterized model, remote access is increasingly important for business operations, but at the same time it cannot be left unmanaged.  The challenge: remote access is often orphaned because it falls between the physical security, IT and networking groups.  Companies shut off physical access, but nobody informs the network manager responsible for remote access, so most often the access privileges are left open.  Responsibility for the user account is unclear, so even though your company has stopped paying the employee or consultant and shut off physical access, the remote access isn't shut off.  Good, bad or ugly, how do you manage your remote access?
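The two failure modes this post describes, one credential in use by several people at once and access that outlives the engagement because nobody owns the account, are both visible in remote-access logs if someone looks. The following added example (not from the original post) runs those two checks over constructed VPN concentrator log lines and a constructed HR/contracts feed; the log format, the hostname vpn1, the account names and the end dates are all made up for illustration.

```python
"""Two detections over remote-access logs: one credential active from two
different sources at once, and logins by accounts whose engagement has ended
or that nobody owns.  Added example, not from the original post; the log
lines and the HR feed below are constructed."""
import re
from datetime import datetime, date

# Constructed VPN concentrator log (one session start/end per line)
VPN_LOG = """\
2008-07-17T08:01:12 vpn1 session start user=jdoe src=203.0.113.10 sid=1001
2008-07-17T08:04:40 vpn1 session start user=jdoe src=198.51.100.77 sid=1002
2008-07-17T08:30:00 vpn1 session end user=jdoe sid=1001
2008-07-17T09:15:09 vpn1 session start user=consult1 src=192.0.2.55 sid=1003
2008-07-17T09:45:00 vpn1 session end user=jdoe sid=1002
2008-07-17T10:00:00 vpn1 session start user=msmith src=203.0.113.10 sid=1004
2008-07-17T10:02:00 vpn1 session start user=msmith src=203.0.113.10 sid=1005
2008-07-17T11:00:00 vpn1 session start user=vendor7 src=192.0.2.90 sid=1006
"""

# Constructed HR/contracts feed: account -> engagement end date (None = current)
END_DATES = {"jdoe": None, "consult1": date(2008, 3, 31), "msmith": None}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ session (?P<event>start|end) user=(?P<user>\S+)"
    r"(?: src=(?P<src>\S+))? sid=(?P<sid>\d+)$"
)


def parse(log_text):
    """Yield one dict per parseable line.  Unparseable lines are skipped here;
    a production pipeline should count and alert on them instead."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            yield ev


def sessions(log_text):
    """{sid: {user, src, start, end}}; end is None for sessions still open."""
    out = {}
    for ev in parse(log_text):
        if ev["event"] == "start":
            out[ev["sid"]] = {"user": ev["user"], "src": ev["src"],
                              "start": ev["ts"], "end": None}
        elif ev["sid"] in out:
            out[ev["sid"]]["end"] = ev["ts"]
    return out


def concurrent_shared_use(log_text):
    """(user, sid_a, sid_b) where one account was active from two different
    source addresses at overlapping times, the signature of a shared credential."""
    by_user = {}
    for sid, s in sessions(log_text).items():
        by_user.setdefault(s["user"], []).append((sid, s))
    findings = []
    for user, items in by_user.items():
        items.sort(key=lambda item: item[1]["start"])
        for i, (sid_a, a) in enumerate(items):
            a_end = a["end"] or datetime.max          # still open: treat as ongoing
            for sid_b, b in items[i + 1:]:
                if b["start"] < a_end and a["src"] != b["src"]:
                    findings.append((user, sid_a, sid_b))
    return findings


def orphaned_logins(log_text, end_dates=END_DATES):
    """Session starts by accounts whose engagement end date has passed."""
    return [(ev["user"], ev["sid"]) for ev in parse(log_text)
            if ev["event"] == "start"
            and end_dates.get(ev["user"]) is not None
            and ev["ts"].date() > end_dates[ev["user"]]]


def unowned_accounts(log_text, end_dates=END_DATES):
    """Accounts seen logging in that the HR/contracts feed does not know about,
    i.e. nobody is on record as responsible for them."""
    return sorted({ev["user"] for ev in parse(log_text) if ev["user"] not in end_dates})


if __name__ == "__main__":
    print("shared credential in use:", concurrent_shared_use(VPN_LOG))
    print("logins after engagement end:", orphaned_logins(VPN_LOG))
    print("accounts with no owner on record:", unowned_accounts(VPN_LOG))
```

The msmith pair is deliberately not flagged: two sessions from the same address is the normal reconnect pattern, and flagging it would bury the jdoe case in noise. The unowned_accounts() check is the direct counterpart of the "responsibility for the user account is unclear" problem above; an account the HR feed cannot vouch for has no one to ask when it should be shut off.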

-David Ting

Tags: physical-logical_convergence two-factor_authentication access_management ESSO simple_sign-on

Drowning in Security: Keeping Security Transparent from Users

July 3, 2008 at 10:00 am by David Ting

Users from temporary staff all the way up to the corner office complain about "drowning in security."  Why does it take, in some cases, four more passwords to open an email at work than to check a bank balance from the home PC?  The things that make a car safe (airbags, safety glass, crumple zones and so on) are not obvious to the driver.  What lessons can we adopt from hidden safety measures to make security less of a drag on employee performance?

People are resourceful.  They'll find ways over, under, around or through security if it is inconvenient or disrupts their workflows or daily behaviors.  Sharing passwords among colleagues became standard practice in hospitals because it took too long to log in and out of each application and workstation, until a combo of finger biometrics and single sign-on made it less a chore to access.  The more we can make security invisible to the end user and easy to embrace, the more secure we'll be.

What do you think? Are you drowning in security?

-David

Tags: two-factor_authentication Single_Sign-On access_management ESSO

One Small Step for E-Prescriptions, One Giant Leap for Healthcare

July 2, 2008 at 3:15 pm by David Ting

The merger between RxHub and SureScripts has garnered extensive coverage (here, here and here, among others).  This is a huge step forward for standardizing on, and speeding the adoption of, electronic prescriptions.  It is significant progress, and the latest of many advancements the healthcare sector is driving forward.  There is one part of the electronic prescriptions story, though, that is missing from all of the coverage of the RxHub/SureScripts merger, and it's an important piece of the equation: authenticating that the prescription drug order is legitimate, and truly from an approved physician.  Electronic transactions are easier and quicker, sure, but so is the potential for misuse and fraud.

The Ohio State Board of Pharmacy is on the mark with its requirement for "positive identification" of the prescriber on online prescription orders, using "a method that may not rely solely on the use of a private personal identifier such as a password, but also include a secure means of identification such as the following", which includes biometrics or proximity badges (Part N in the mandate).

OhioHealth, on the cutting edge with the opening of an entirely paperless facility (which the WSJ Health blog covered earlier this year), has also taken a significant step in deploying a strong authentication solution to help its physicians and clinicians embrace electronic prescriptions while adhering to the state's mandates surrounding them.  Many other states are now following suit, requiring positive identification and strong authentication for these online orders.  [Disclosure: OhioHealth is using Imprivata technology.]  We've been quite involved in the area of transactional strong authentication, especially e-prescription authentication, and it is a crucial component of the online prescription drug order process, as noted in Network World.

The RxHub/SureScripts merger is a big step forward in the industry more broadly realizing the benefits of e-prescriptions, but the role of positive identification in the electronic prescription drug order process cannot be overlooked.  If you think otherwise, just look at how state mandates are driving technology policy at hospitals nationwide - Ohio is just one of many states that are in tune with these issues. 

-David

Tags: ESSO strong_authentication password_management two-factor_authentication biometrics

Financial Services CIOs, Insider Threats and the Human Behavior

June 26, 2008 at 11:00 am by David Ting

I've had a few conversations lately tied around the topic of the insider threat in the financial services arena, so I figured I'd scan around the Web to see what's out there and came across an interesting InfoWorld article.  Though it is from last Fall, it hits on a number of concerns that are timely now, especially given the major breaches like Societe Generale.  The article reports on a Deloitte study that highlights two major data points that I want to call out:

1. 91% of financial services companies' CIOs are concerned with the inability to deal with the inside threat

2. 79% of respondents stated that human behavior is a big factor

Read those numbers again.  This was a survey of 100 global financial services firms with deep pockets and vast technologies, and it was conducted before Societe Generale was in everyone's vocabulary.  More significantly, most weren't providing new security training to workers.  In general, training requires changes in behavior, and let's face it, most people don't embrace change to their daily routines, especially for security.  Change is disruptive; change implies more work.  This further reinforces my belief that security needs to be invisible to the user (which I'll address in a future blog entry).

These insider threats have brought on the wave of data leakage protection (DLP) technologies, but at the core, identity and access management remains the central choke point for addressing the insider threat.  Knowing who's accessing what, when and from where is a key part of the paper trail for finding out whether there's been misbehavior or accidental leakage.  Mix in integration of physical and logical security, a touch of strong authentication and effective access management, and you've created a potent recipe for deterring the insider threat.  The operative word here is deter: the ability to undeniably trace actions back to an individual reduces the urge to push the limits on misusing the system.

Tell me, what's your insider threat protection recipe?  What are you using (or planning to use) to address the biggest business security threat we now face?  How does/will it change human behavior of your workers?

-David

Tags: strong_authentication access_management physical_logical_security

Identifying Identity Resources

June 19, 2008 at 4:30 pm by David Ting

There's a lot of news and opinion on the web as the blogosphere continues to grow.  As a result, the web can be overwhelming on one hand and full of wonder on the other, as you sort and click your way down the rabbit hole of conversations.

In light of this, I thought I would provide a short list of great blogs and resources that I follow from the identity management circles that are worth checking out and engaging with: 

Kim Cameron's Identity Weblog - Kim covers all the bases of identity and gets into really good online dialogue with others out in the identity ether

The Virtual Quill - Dave Kearns' "rants, raves, and musings about identity from the Old Man in the Corner."  If you know IDM, you surely know Dave's name. 

Digital ID World - Eric Norlin keeps an eye on the uber-trends on the business side of identity management as well as the technology behind it.

Virtual Identity Dialogue - Mark Wilcox focuses on IDM and directory services stuff and delves into the development side.

Clayton Donley's Blog - Clayton combines topical takes on trends, with a regular post of other blogs/news to check out.  Worth a read.

The Healthcare IT Guy - Shahid N. Shah keeps close tabs on issues in the healthcare space.  If you're in this space (or have clients there), check out his blog regularly.

The Health Blog -WSJ's Theo Francis and Jacob Goldstein post throughout each day on the business level trends, issues and current events in the healthcare arena.

SecurityDreamer - Steve Hunt's among the most vocal and thoughtful on topics surrounding physical-logical security convergence.

Zalud's Security Blog - Security Mag's Bill Zalud chimes in on security happenings with an editor's bent.

So what IDM blogs and outlets do you follow?  Let me know - I'd love to add 'em to my reading list.

-David

Tags: strong_authentication access_management identity_and_access_management physical-logical_convergence


Inside the Insider Threat

June 12, 2008 at 1:29 pm by David Ting

We have met the enemy, and he is us

Insider threat is among the biggest challenges security folks face in 2008.  The perimeter is dissolving with increased reliance on distributed computing and the mobile workforce, making it more difficult than ever to put up definitive walls around the enterprise.  It's a simple reality that we all have to deal with.  Check out last month's 2008 Global Information Security Workforce Study conducted by Frost & Sullivan for ISC(2) and SearchSecurity.com's coverage.  Two-factor authentication using biometrics as well as physical-logical convergence will gain speed in dealing with the insider threat.

All of a sudden it feels like potentially anyone can be impacted. Check out the stories that have made headlines worldwide, from breaches of Britney Spears' and Farrah Fawcett's medical records to LendingTree customer data being compromised by former employees with still-active passwords.  These are scenarios where better access management and strong authentication would have made the difference. The side benefit of implementing strong authentication is often the elevated awareness that security is taken seriously.
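The LendingTree case above is a deprovisioning failure: people left, their passwords kept working. The script below is an added example, not Imprivata's code, showing the access review that catches it: it joins an HR separation feed against a directory export and reports accounts that are still enabled after their owner left, accounts that were actually used after the separation date, and enabled accounts nobody has logged into for a configurable period. The account records and dates are constructed sample data, and the field names are assumptions about what your HR and directory exports provide.

```python
from datetime import datetime, timedelta

# Added example (not Imprivata's code): an access review that finds accounts that
# should have been disabled. HR_SEPARATIONS and ACCOUNTS are constructed sample
# data standing in for an HR separation feed and a directory export.

DATE_FMT = "%Y-%m-%d"

HR_SEPARATIONS = {
    "mlee":  "2008-04-30",
    "rkhan": "2008-05-15",
}

ACCOUNTS = [
    {"user": "mlee",    "enabled": True,  "last_logon": "2008-05-20"},  # left, still live, used
    {"user": "rkhan",   "enabled": False, "last_logon": "2008-05-14"},  # left, properly disabled
    {"user": "jdoe",    "enabled": True,  "last_logon": "2008-06-11"},  # current employee
    {"user": "tnguyen", "enabled": True,  "last_logon": "2008-01-05"},  # current, but dormant
    {"user": "svc_fax", "enabled": True,  "last_logon": None},          # never logged on
]


def parse_date(s):
    return datetime.strptime(s, DATE_FMT)


def review_accounts(accounts, separations, as_of, dormant_days=90):
    """Return (user, finding) pairs for accounts that are live but should not be."""
    now = parse_date(as_of)
    findings = []
    for acct in accounts:
        user = acct["user"]
        last = parse_date(acct["last_logon"]) if acct["last_logon"] else None
        if user in separations:
            sep = separations[user]
            # Separated owner: the account must be disabled, and any logon after the
            # separation date is use of a credential that should not have worked.
            if acct["enabled"]:
                findings.append((user, "still enabled after separation on %s" % sep))
            if last is not None and last > parse_date(sep):
                findings.append((user, "logon on %s after separation on %s"
                                 % (acct["last_logon"], sep)))
            continue
        # Current owner: an enabled account nobody uses is a standing credential
        # with no one watching it.
        if acct["enabled"] and (last is None or now - last > timedelta(days=dormant_days)):
            findings.append((user, "enabled but dormant (no logon in %d days)" % dormant_days))
    return findings


if __name__ == "__main__":
    for user, finding in review_accounts(ACCOUNTS, HR_SEPARATIONS, "2008-06-12"):
        print("%-8s %s" % (user, finding))
```

Run against the sample data as of 2008-06-12, it reports mlee twice (still enabled, and used three weeks after leaving), tnguyen as dormant, and the never-used svc_fax account; rkhan and jdoe are clean. Running this on a schedule, with the HR feed as the authoritative source, is the control the LendingTree scenario was missing.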

And now the feds are involved.  They're investigating ties between hospitals and the tabloids to source and pursue the leaks of celebrity medical files.

It's clear insider threats will only become more frequent.  It's simply too lucrative, and too easy to hide behind a digital identity.  As an enterprise, you better know who your people are, what they are doing, and from where.  Or at least get the message out that preventative steps are in the works! (more on this in a future blog).

I actually just had an interesting podcast discussion on this subject with Network World's Keith Shaw that you should check out. 

What are your stories?  How are you dealing with the insider threat? 

--David Ting, CTO

Tags: strong_authentication access_management physical-logical_convergence


Congrats to OhioHealth’s Jim Lowder on making the InfoWorld CTO 25

June 5, 2008 at 12:00 pm by David Ting

Just a quick post to congratulate OhioHealth's CTO Jim Lowder on being named to InfoWorld's CTO 25, a short list of visionaries recognized for their industry leadership and technological contributions.  Welcome to the club.

OhioHealth took quite an ambitious vision and made it a reality.  We're proud to have a role in OhioHealth's innovative endeavor to create an all-digital facility that can serve as the template for healthcare facilities of the future.

Congrats, Jim and OhioHealth, on well-deserved recognition of your accomplishments!

--David Ting, CTO

MUSE Musings

June 2, 2008 at 10:30 am by John Clark

Having spent last week at the 2008 International MUSE (Medical Users Software Exchange) Conference in Grapevine, Texas - the 25th annual gathering of clinical and technical users of Meditech software - I was delighted to see SSO is such a hot topic among this group.  There were five customer presentations related to SSO and strong authentication, and all of them were filled to capacity. 

Also of note was the fact that at a gathering on Monday of 62 CIOs, CMIOs, and CNOs representing Meditech hospitals, it was clear that SSO was one of the priorities that they plan to address. As it was explained to me by one of our customers, the group was broken into smaller workshops and given a $6M annual IT budget.  Then they were asked to work collaboratively to develop and prioritize initiatives for a five year plan at a fictitious hospital.

As expected, investment in clinical applications took precedence in the Priority Matrix that was developed based on a polling of the groups.  The Matrix consists of 4 quadrants; Avoid, Consider, Implement and Invest.  According to this group, SSO has crossed into the Invest quadrant, and most of the group felt as though it was something to be addressed before the end of 2009.  It seems that this interest is being driven as much by the need for user convenience as it is by HIPAA compliance.  If you work in a healthcare organization, I'd be curious to hear about your priorities and if this sounds in line with your plans.

John Clark, Product Manager

Tags: Single_Sign-On strong_authentication HIPAA_compliance


The "best" authentication technology?

May 29, 2008 at 3:47 pm by Rik Van Bruggen

I work in the field for Imprivata, working with customers day in, day out. And the single most heard question I get relating to our products is: "which authentication technology should I use". Fingerprint? Yeah that's good, I will never forget my finger, right? Or a prox card? Even better, because I can use that to open doors, pay at the lunch cashier, and so forth. Nah - maybe a smartcard is better. Or a one-time-password token. Or ...

And then the discussion usually derails. It's hard to choose a strong authentication token. There is so much choice. And it can cost a *lot* of budget to acquire and implement. So let's think about this for a while. What is the "best" authentication technique? Is there such a thing?

Of all of the suggestions I made above, none is ideal. All of them have pros and cons, and really, all of them have very different characteristics. In my mind, there are four things to ask yourself when choosing an authentication technique:

  1. Does it meet your security objectives? Is the tool as secure as you want it to be? Can you use it for other security initiatives (e.g. encryption, pre-boot authentication)? Does it support logout as well as login?
  2. Does it meet your productivity objectives? Does it work as fast and as reliably as you want it to, always?
  3. Does it fit into your budget? Anything is possible - but it all comes at a price...
  4. Most importantly (in my opinion): will your users ACCEPT it? At the end of the day, any authentication tool can be compromised, on purpose or by accident. But the likelihood that it will be compromised really depends on how well your users take care of it. If they leave their token lying around with a piece of sticky tape on it carrying the PIN code, then what have you really achieved? User acceptance is everything.

Therefore, my recommendation to my customers is always to test and retest any authentication technology at a small yet significant scale, and to get end-user buy-in before you roll it out to your users. And luckily for you, Imprivata OneSign has built-in support for almost any type of authentication technique out there. That's just another reason why OneSign stands out: it gives you freedom of choice among authentication technologies, letting you pick the one that matches your organisation rather than the reverse.

Tags: strong_authentication biometric_identification


2008 Identity Management Trends in Healthcare Survey Results

May 29, 2008 at 11:00 am by John Clark

After the recent 2008 HIMSS Conference, we conducted a survey of 171 healthcare IT decision makers to identify some of the trends they face relating to identity management. I wanted to call out a few interesting data points:

  • Eighty-five percent of respondents stated that they are looking to use tablets or mobile devices

I found this to be an interesting indicator of the growing need/desire to have anytime access to information - when seconds matter, like in a hospital environment, having data at your fingertips is invaluable.

  • 26 percent of respondents log into applications 20-50 times per day, while another 5 percent log in more than 50 times per day

The figure is stunning.  With compliance issues in mind, imagine having to properly log in and log out that many times each day... mind numbing, and certainly a drain on productivity if you have to remember dozens of different passwords.

  • 44 percent of respondents acknowledge that their organizations face state requirements for electronic prescription drug order authentication and verification today.

We've talked with a lot of hospitals over the past 18 months, and this stat is representative of those conversations regarding drug dispensing and verification rules.  As organizations go even more digital, they must ensure electronic transactions for prescription drug orders aren't misused or abused and strong authentication measures are being mandated - it'll be a primary issue they tackle in the years ahead as more hospitals depend on online information and states get onboard with these requirements.

Check out the press release or the full research brief - 2008 Identity Management Trends in Healthcare summarizing the findings for more.  Overall, pretty interesting stuff.  If you're in the healthcare sector, are these the issues you're having and/or the trends you're seeing?  We'd love to hear from you - chime in with a comment below, or drop me a note.

- John Clark, Product Manager

Tags: passwords strong_authentication healthcare identity_management electronic_transactions


Good food, great technology

May 28, 2008 at 2:00 am by Rik Van Bruggen

Our partner SecureLink is hosting a fun series of events in the Netherlands: the SecureTour08. Every event discusses one specific security topic in detail - and the participants get free cake, fruit, candy - something tasty :) .... On September 4th, we will be presenting OneSign at the event in The Hague - feel free to join in!
Tags: events


Solving the Chaos of Identities

May 22, 2008 at 9:15 am by David Ting

To paraphrase Princess Leia, "the more you tighten your grip, the more star systems will slip through your fingers."  The same can be said of trying to manage identities in today's enterprise.  A number of weeks back, I got into a discussion with the 451 Group's Steve Coplan about this very topic: the chaos of identities.

We talked about the value of single sign-on as not just a convenience and productivity play, but also a key lever to help manage the chaos of identities resulting from an increasingly distributed and decentralized working environment. Provisioning, while critical to an identity management strategy, is by itself not enough.  The reasons for this are fundamental to the way businesses are run today. Organizations aren't centralized anymore; decisions are made closest to the point where the needs are. Department heads within lines of business perform a critical role in authorizing what applications are used and who within their organizations has access to them. This decentralized decision making not only streamlines the speed of business but empowers the departments to make the best decision.

With the trend towards using hosted applications, the responsibility for managing user access rights, data loss prevention and application security migrates away from IT into the hands of individual employees. Think about those applications used within the organization that are signed up for and managed by individuals within different business units, and you start to appreciate how the [star] systems have slipped through [IT's] fingers.

At the same time, however, IT is where the auditors focus when they need to assess compliance and where the investigators look when a breach occurs.  It's a bit counter-intuitive from a security perspective, but rather than fighting the chaos brought on by the proliferation of applications and identities, we need to recognize that this behavior naturally occurs as part of the business workflow and work to regain visibility and manageability of the identities created around the enterprise.  Rather than trying to mandate centralized control of identities, IT needs decentralized ways to regain visibility into what applications are used, by whom and through what accounts.

Any large company will attest to the thousands of apps they must manage, but this chaos, if managed correctly, can work in our favor.  Extending the value of SSO to help manage this chaos rather than forcing employees to follow strict, time-consuming counter-productive protocol makes more sense... people are going to do what it takes to get their jobs done, so why add hurdles to the rat race that they'll simply find a way around anyway?  Instead, managing the chaos can provide the observability (for auditing and accountability) and controllability (turning access to data, applications and networks on/off) that companies ultimately seek.

Embrace the chaos.  So, tell us... how chaotic is your star system?  Let us know what you're doing to embrace the chaos, or if you're fighting it!

-David Ting, CTO
Tags: identity_management User_Provisioning


Discussing the Identity Balance

May 22, 2008 at 8:00 am by Rik Van Bruggen

Next week, Tuesday 27th of May, we will be speaking at the ICT & Healthcare seminar in Ede, the Netherlands. Topic of our discussions will be clear and simple: how can we restore the "Identity balance". With this topic, we aim to explore how customers and partners can work with healthcare organisations to strike the right balance between

  • security requirements: how to make sure that access to networks and applications is only granted to the appropriate, trusted user
  • productivity requirements: how to make sure that this trusted user does not have to lose the productivity that he/she is used to

Typically, most hospitals have grown into a situation where security is either terribly hard to use, or almost non-existent. The balance almost always tips in favor of either security or productivity - and that needs to change, as really, what we need is both. Regulators are starting to see that too - hence the great number of compliance guidelines, also in the Netherlands (see for example NEN 7510).

Imprivata has a lot of crisp ideas on this topic which we would like to discuss with you. So if you want to join us in this discussion - please do!

Tags: Single_Sign-On strong_authentication events


How does Authentication Management and SSO help Belgian Nurses?

May 21, 2008 at 2:27 pm by Rik Van Bruggen

Tomorrow, May 22nd, we will be participating in a very interesting colloquium in Belgium, specifically on how nurses can benefit from all sorts of IT systems. Two of our partners, Telindus and Siemens, will be showcasing Imprivata OneSign at their booths - so please drop by when you get a chance.
Tags: events


Five Identity Management Trends to Watch

May 19, 2008 at 11:00 am by David Ting

I'm often asked what seems like a simple question: "what's new in identity management?"  As simple as it is, it's a big question so here are five trends that I see out there for identity management... at least for now.

#1: The Pendulum Swing is Back to Thin Client Computing
Technology changes including the 64-bit computing platform, multicore processors, cost-effective broadband connectivity and dirt-cheap storage, combined with the rising costs of energy, cooling and space, are forcing a re-evaluation of how we put computing power in the hands of the user. Virtualization has simplified the management of shared computing resources and helped propel the shift back to thin client computing. This has put even greater emphasis on how you manage identities, control access and provision applications within these virtualized environments.  The shift to centrally-managed, centrally-hosted environments enables (and is driven by) greater mobility and flexibility in workflow and workforce - and that puts new pressures on how identity management policy, procedure and technology all work together to create a secure yet flexible environment.

#2: De-Perimeterizing the Network:  Softening of the Network Continues
Perimeters are no longer rigid, hard and securable, so firewalls, IDS and IPS are no longer adequate on their own.  Defense in depth security comes to mind as the boundaries of the perimeter blur and soften with insider threats rising in prominence. The notion that the network can be secured is rapidly melting away as business practices force opening up access to partners, customers and remote workers.  The emphasis shifts to knowing who is doing what with your data and applications regardless of where they are geographically.  Strong authentication and contextual authorization including the notion of location-based authentication becomes even more critical in this environment as one tries to extend enforcement of access policies to critical corporate resources.

#3: Enterprise Biometrics Realizing its Potential
Look around you... everything is being biometrics-enabled - laptops and computer hardware are now manufactured with fingerprint readers, for example.  Cost is no longer the barrier to widespread adoption as scanners become commoditized. With this change, enterprises are re-examining how best to deploy strong authentication within their organizations.  Storing enterprise biometrics safely to support a mobile workforce is the key to unleashing the true power and usability of biometrics.  Interoperability, and assuring users concerned about privacy that their biometric identities are properly secured, are critical to widespread adoption.  The time for biometrics is now.

#4: Enterprise-Level Functionality Moves to the Mid-Market
ESSO, strong authentication and access control have become mainstream.  All of these technologies are becoming more cost-effective for the midmarket and easier to implement, making them more attainable.  The economics are there for midmarket companies to achieve the security that was once thought of as an enterprise luxury, strengthening the security of our overall ecosystem of business worldwide.  Joel Dubin hits this point well in his SearchCIO-Midmarket.com piece.  The more midmarket companies can deploy strong security practices and technologies, the tougher time the bad guys have to wreak havoc.

#5: Higher Emphasis on Insider Threats Drive a Focus on Data Protection and Compliance
At Kuppinger Cole's 2nd European Identity Conference it was clear the events at Societe Generale have elevated everyone's sensitivity to how much damage can be perpetrated by an insider. One speaker put it succinctly: "banks have money, a lot of money, and often some of their employees feel they should have some of that money as well." It is clear insider threats will only become more frequent as we open up more access to critical systems.  It is simply too lucrative and too easy to hide behind the anonymity of the digital identity - after all, how are they going to prove it was you who accessed the system when you used your colleague's logon credentials?  As an enterprise, you had better know who your people are, how they are getting on the system, what they are doing, and from where.  The insider threat will be amongst the top threats in 2008, and is already a key discussion within identity management circles.

So let me put the question out to you: what are the trends that you are seeing out there?  Chime in on the comments section, or drop me a line.

-David Ting, CTO
Tags: Single_Sign-On insider_threat strong_authentication biometric_identification identity_management


Welcome to Identity 360

May 15, 2008 at 10:30 am by David Ting

Welcome to Identity 360, our blog covering ideas and issues related to converged identity and access management in the enterprise.  We aim to discuss the full gamut of topics, including physical security, network authentication, single sign-on, compliance, multi-factor authentication, insider threats, strong authentication, password management, etc.  Not to mention, chiming in on current events as they happen along the way.

We look forward to an interactive discussion with everyone, and to hearing from security professionals, media and analysts about what they see out there.  If you don't feel comfortable commenting directly to a post, you can always contact us via blog@imprivata.com.

You may be wondering who I mean by "we."  While I will be a regular contributor to Identity 360, there will be a range of voices here to broaden the expertise beyond my own and provide a range of experience from those on the identity front lines.   

Let us know if you have specific topics you'd like us to address, or if you have an experience you'd like to share.  Thanks for taking the time to visit us and come back often to see what's new!

- David Ting, CTO

Tags: Single_Sign-On strong_authentication
