
Identity 360 - An Imprivata Blog



filter by tag: security risk

User Access Relevance in a HITECH Age

June 3, 2010 at 9:24 AM by David Ting

The National Institute of Standards and Technology (NIST) published its Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule back in late 2008, but, spurred by a jolt of healthcare IT investment driven by HITECH mandates, it has renewed relevance today.

The HIPAA Security Rule “specifically focuses on the safeguarding of electronic protected health information (EPHI)… All HIPAA covered entities, which include some federal agencies, must comply with the Security Rule, which specifically focuses on protecting the confidentiality, integrity, and availability of EPHI, as defined in the Security Rule.”  This NIST 800-66 Revision 1 document provides a comprehensive guide to complying with the Security Rule, and details “Key Activities” to engage in, segmented into defined categories that are easy to read and navigate.

From a user access perspective, there are important technical safeguards outlined in the areas of Access Control, Audit Control, Integrity, and Person or Entity Authentication that are worth calling out.  Specific Key Activities within these technical safeguard criteria that you should review include:

4.14 Access Control, Key Activity #3: Ensure All System Users Have Been Assigned a Unique Identifier
This requirement is integral to tracking who is accessing what information, and whether they have authorization to do so.  Enforcing policies that eliminate credential and password sharing is a crucial complement to this requirement, as it ensures that all activity can be traced back to a specific user identity.

4.14 Access Control, Key Activity #8: Automatic Logoff and Encryption and Decryption
This requirement calls for “electronic procedures that terminate an electronic session after a predetermined time of inactivity.”  There are plenty of automatic logoff solutions in the field which satisfy this requirement, but they’ve hindered workflow by requiring users to actively log back into a system.  In a healthcare environment, where doctors, clinicians and staff share workstations and need fast access to patient information, session time-outs can add hiccups when time is of the essence.  This was a core consideration when we designed our OneSign Secure Walk-Away solution, which leverages computer vision technology with active presence detection and user tracking to identify an authenticated user in front of a workstation, automatically locking the desktop upon their departure and providing instant re-authentication upon their return.  It combines compliance with this Key Activity and real-world workflow for the best of both worlds.

4.15 Audit Control, Key Activity #1: Determine the Activities that Will be Tracked or Audited
This Key Activity serves as a foundational pillar of managing healthcare security risk.  Determining what systems and activities need to be monitored and reported on is crucial to closing any potential security breach gaps and streamlining the reporting requirements of other sections of the Security Rule.  The data breach notification requirements of HITECH that went into effect on Feb. 18, 2010 present new security risks for healthcare organizations, so it’s critical to understand and quickly report on breaches, whether malicious or accidental, to avoid penalties and fines from both state attorneys general and the feds.  To do so effectively, one must first establish what is tracked and/or audited, making this Key Activity even more relevant today than before HITECH went into effect.

4.16 Integrity, Key Activity #1: Identify All Users Who Have Been Authorized to Access EPHI
4.16 Integrity, Key Activity #5: Implement a Mechanism to Authenticate EPHI
These Key Activities combine to focus on identifying all approved users with the ability to alter or destroy data, asking questions around user authentication, and determining whether authentication tools interoperate with other applications and systems.  These requirements dovetail with the audit trail requirements for understanding how information is accessed and authorized, so healthcare entities can report on all aspects of cross-organization healthcare access management.

4.17 Person or Entity Authentication, Key Activity #2: Evaluate Authentication Options Available
Secure authentication is integral to protecting patient information, so it comes as no surprise that the Security Rule calls out commonly used authentication approaches.  Specifically, the guideline urges aligning different levels of authentication with an assessment of the risk to the information and systems.  Password policy, biometric authentication, smart cards, proximity badges and/or any combination of the aforementioned can satisfy this requirement, but it’s essential that they are all tied together in the form of easy-to-manage identity management – otherwise, it can become unwieldy and burdensome to keep up with as new hires are brought onboard and terminated employees are de-provisioned.


There’s a lot to this NIST resource for navigating the HIPAA Security Rule – it is 117 pages of guidelines and supporting appendices.  It’s a tremendous guide to a significant HIPAA compliance requirement.  With a recent injection of funds and incentives into the healthcare IT market from HITECH and healthcare reform driving increased investment in electronic medical records (EMR), secure user access to EPHI plays an increasingly important role. 

Building on this, the guidelines outlined in the NIST 800-66 Revision 1 document should be applied worldwide, as increased legislation in numerous countries drives greater attention to protecting patient health information in any form and puts stringent requirements around data security and the tools necessary for reporting on activities to demonstrate compliance.  It’s a great asset out there for public consumption, and can help drive best practices worldwide.

Tags: HIPAA_compliance user_authentication security_risk secure_authentication password_policy security_breach biometrics_authentication data_security password_sharing healthcare_access_management


Mass 201 CMR 17.00: When State Compliance Kicks in, How Do You Respond?

March 11, 2010 at 8:08 PM by David Ting

While many of us were down at HIMSS 2010, on March 1, 2010, Mass 201 CMR 17.00 officially went into effect:

> 17.05: Compliance Deadline
>
> (1) Every person who owns or licenses personal information about a resident of the Commonwealth shall be in full compliance with 201 CMR 17.00 on or before March 1, 2010.

We began talking about this Massachusetts data privacy regulation and what it means back in November 2008, and continued the discussion on this blog in September 2009 as the compliance deadline was pushed off numerous times throughout the course of 2009.  Now, the day has finally come, and Mass 201 CMR 17.00 is officially here and active. 

As you may know, Massachusetts is at the forefront with legislation that creates standards for protecting personal information in both paper and electronic format.  A key purpose of the standards is to “protect against unauthorized access to or use of such information that may result in substantial harm or inconvenience to any consumer” and minimize overall security risk.

While we’ve examined the specific parameters in our previous blog posts on the topic, it’s important to recognize what companies must do now if they own or license information about a resident of the Commonwealth.  A majority of the provisions in the Mass 201 CMR 17.00 standards center on securing access to data, so it’s crucial to:

• Map where personal information resides in your company
• Inventory which applications access and/or store personal information
• Understand what third-party service providers access this personal information
• Ensure only appropriate, authorized access to data by personnel by deploying appropriate user authentication technologies
• Assign unique identifications such as fingerprint biometrics plus strong passwords to fortify security and eliminate password sharing… then streamline the log-on/off process by enabling single sign-on for applications
• Monitor and report on access to personal information to ensure compliance
• Regularly educate and train users on appropriate system use and the importance of securing personal information

If you’ve accounted for the above, you’re well on your way toward compliance.  If not, what are you going to do when the Commonwealth of Massachusetts comes knocking?   Do you really want to find out?

--David

Tags: user_authentication fingerprint_biometrics security_risk password_sharing


Guest Post: ecfirst CEO, Ali Pabrai, on HITECH’s Meaningful Use and Compliance

February 23, 2010 at 12:35 PM by Ali Pabrai

There’s a lot of discussion around meaningful use, its definition and how organizations can obtain the government incentives that recent legislation promises. However, in the dash for these types of healthcare IT investment reimbursements, one must not overlook the role of security risk in satisfying compliance requirements.

For instance, the Centers for Medicare & Medicaid Services (CMS) will withhold meaningful use payment from any entity until any confirmed HIPAA privacy or security violation has been resolved.  At the state level, State Medicaid administrators will also withhold meaningful use payment from any entity until any confirmed state privacy or security violation has been resolved. Compliance with HIPAA’s Privacy & Security Rules remains an integral part of the meaningful use definition as a policy priority, with corresponding goals and objectives for 2011 that organizations must achieve.  For example, physicians are eligible to receive up to $44,000 in total incentives per physician from Medicare for “meaningful use” of a certified Electronic Health Record (EHR) starting in 2011. However, these EHR initiatives are coupled with strong mandates for privacy and security compliance that must be addressed.

In a HIPAA compliance audit, the policies, procedures and capabilities that the Office for Civil Rights (OCR) would review include the area of Identity and Access Management (IAM). Specifically, the investigation includes a review of IAM processes related to:

  • Establishing user access for new and existing employees
  • Listing the secure authentication methods for users authorized to access EPHI
  • Monitoring system use, authorized and unauthorized
  • Granting, approving, and monitoring system access (for example, by level, role, and job function)
  • Terminating system access

Keep in mind that compliance mandates represent the minimal capabilities that organizations must implement and manage proactively. HIPAA and HITECH are the floor, not the ceiling, of the core capabilities required to enable a resilient organization. This means your information security strategy must be risk-based, proactive and integrated.

Ali Pabrai, chief executive of ecfirst, is a highly sought-after security and compliance expert. He is also the author of the executive brief Cyber Security Strategy: The 4 Laws of Information Security. Pabrai was the first to launch a program focused on global information security regulations, the Certified Security Compliance Specialist™ (CSCS™) program. The CSCS™ program addresses PCI DSS, FISMA, ISO 27001/27002 and other security regulations and standards.


Tags: HIPAA_compliance secure_authentication security_risk


Identifying Identity Resources, Part II

October 22, 2009 at 9:36 AM by David Ting

Back when this blog was in its infancy, we outlined a number of identity management resources that readers should check out.  Those blogs are still on the “must-read” list, but there are a number of new ones that have popped up that people interested in identity and access management may find useful.

• The Health Care Blog: this blog covers everything from electronic health records (EHRs) and HIPAA compliance to HITECH and Health 2.0, often with amusing headlines and relevant details to get the most pressing issues across succinctly.

• ITBusinessEdge’s Authentication Systems channel: this covers opinion pieces and news, ranging from fingerprint biometrics and other forms of strong authentication to password policy and security risk.

• FierceEMR: “Mapping the future of Healthcare Information,” this site combines news with opinion on topics ranging from electronic medical records (EMRs), health information exchanges, healthcare access management and interoperability to deployment updates.

• Healthcare & Technology blog: this blog covers the high-level healthcare IT issues and trends while also pulling in various graphics, charts and video to help tell the story.

• Planet Identity blog: this blog aggregates blogs related to identity management topics, leaning towards the technical while pulling through data, survey findings and trends from some of the most highly-subscribed blog feeds.


Tags: password_policy security_risk identity_management identity_and_access_management strong_authentication healthcare_access_management


2009 Identity Management Mid-Year Report: A brief look back and ahead

July 9, 2009 at 3:23 PM by David Ting

Back in January, I shared some of my observations on 2009 priorities for identity management in the new economic reality people are faced with: productivity, security and manageable IT projects. This year’s economics have forced people to do more with less, manage tighter budgets and maintain enterprise security while dealing with re-orgs and layoffs.

While 2008 was the worst year to date for data breaches, 2009 hasn’t been much better if you look at this chronology of data breaches, including the recently disclosed incident at Goldman Sachs. The Identity Theft Resource Center keeps tabs as well, and has a nice snapshot of high-profile data breaches. Many of these are the result of unauthorized access, some combined with placing malicious code on servers or laptops to siphon off data. It’s amazing the methods that are being used to access systems, steal data, sometimes extort money and always damage reputations. The potential impact of the Goldman Sachs unauthorized upload of proprietary software is still under investigation, but information on how easy it was to pull off makes for scary reading.

Given the potential impact of data breaches, there has been significant progress made to tighten access to systems, so let’s review some of the relevant things that are happening in identity management. Following are three areas I believe we need to watch in the latter half of 2009.

Biometrics Hit Stride, Will Gain Even More Steam

Frost & Sullivan projects the European biometrics market to triple from 2008 to 2012, as biometrics are used more now to secure access and prevent breaches. With fingerprint biometric readers and other scanners embedded in everyday devices, the ability to tie unique identity to access via strong authentication means has a profound effect on overall data security.

EHRs Become Focal Point of Healthy Debates

Electronic Health Records (EHRs) are also making headway, thanks in large part to the Recovery and Reinvestment Act of 2009. A large portion of the discussion is based on healthcare access management, patient data security and user authentication. Security assurance is a key hurdle to widespread EHR adoption, but using strong authentication capabilities that are now widely available is a significant enabler to achieving the benefits EHRs promise, while minimizing the security risk. Watch for these specific debates and discussions to progress in 2H 2009.

Greater Emphasis on User Workflows Considered in Product Development

While biometric authentication has certainly played a role in making users’ lives easier, new developments around walk-away security and faster access to systems are shortening the process of secure logon. By making it easier for users to come and go from a system, there is less password sharing and improved employee productivity, while encouraging and enforcing better overall identity and password policy management.

What areas do you see most, now that we are halfway through 2009?

What issues do you seek to solve?

How can identity management better serve you? --David

Tags: healthcare_access_management password_sharing security_risk fingerprint_biometric enterprise_security user_authentication strong_authentication identity_management data_security password_policy_management


OneSign Customers Talk Shop: Fingerprint Biometric Security, Password Management and Security Risk

March 11, 2009 at 7:43 pm by David Ting

We've found that the best resource for better understanding how to solve employee access management challenges is our customers.  So over the past week or so, as a few of our customers have shared details of their OneSign experiences, I thought you may want to hear what some of them are saying and doing.

CSOonline.com's Joan Goodchild created a cool video-based interview with Bill McQuaid on how Parkview Adventist combined OneSign with fingerprint biometrics to improve productivity, streamline operations and minimize security risk.  Check it out here.  Key take-aways from Bill when deploying systems are:

1. Test, test and test again: with physicians and nurses you only get one chance to get them to buy in (which they did at Parkview)

2. Have a comprehensive training program: training up-front minimizes helpdesk calls later

3. Have a back-up plan: at Parkview, employees have several fingers scanned in case the biometric doesn't scan properly

Over at SearchCIO.com, Linda Tucci chatted with Chuck Christian about Good Samaritan Hospital's single sign-on deployment, capturing the hospital's experience using OneSign for the past four years.  Chuck shares advice on how he evaluated SSO solutions, how he got executive buy-in early on, and once installed, his ability to quickly change employee access (including complete shut-off) and how he deters bad security behavior by ensuring everyone is clearly aware of audit features.  The full story is here, and his advice is worth reading.

Anne Gabriel talks with OneAmerica's Jeff Hornung about the intersection of employee productivity, SSO and security for a story in Insurance & Technology.  Jeff explains his experience rolling out SSO to 1,500 users, and how that has translated into a 15 percent drop in help desk calls (and 50 percent for one specific application!) and enhanced employee productivity.  Next up for OneAmerica?  The life insurer will "leverage Imprivata's two-factor authentication and biometric device capabilities to meet changing needs and regulations" according to the article.

Tell us how you're using OneSign, and what's working for you.  We'd love to hear it.

David

Tags: SSO security_risk Fingerprint_biometrics password_management two-factor_authentication


Stimulating Strong Authentication

February 20, 2009 at 6:54 pm by David Ting

The stimulus package recently signed by President Obama has been the cause of vigorous debate.  One by-product of the package that has not been widely discussed is a provision that would reshape the medical industry by creating a central repository of computerized medical records for all Americans.  An increase in the volume of electronic information of this magnitude dramatically raises the exposure to a security breach, which we'll focus on today.

While the program sets high goals of making records accessible, increasing healthcare efficiencies and reducing costs, security for a program of this magnitude needs to take a zero-gap approach - removing any security risk that could lead to a data breach. When you consider the number of sources for medical information, and the number of healthcare employees across the country, security for a project of this size represents some huge challenges.  

So where do we start?  From a data security standpoint, a lot can be learned from the hospitals and healthcare facilities which have spent years focused on HIPAA compliance, as well as from other countries that have embraced a similar approach to digital medical records.

We've seen customers such as OhioHealth go completely paperless, with digital record keeping replacing the extensive paper files commonplace in the industry.  OhioHealth took an innovative approach to securing patient data from the access standpoint, leveraging single sign-on as the core of its digital authentication strategy and ensuring employees access the applications and information they need only after first authenticating via a biometric device or strong password.

Controlling access is only part of the equation.  Once a user is in, there is a need to monitor and control how the information is being used, preventing a breach after initial access has been granted.  While the proper steps may be taken to authenticate a user, what happens when the clinician walks away and leaves the computer in a compromised position?  And when a life-or-death critical order needs to be placed, or a prescription filled, the activity must be traced to the specific doctor, nurse or clinician who performed it.

Making the medical records of hundreds of millions of citizens accessible is certainly a step forward, yet keeping them private is a tremendously complex problem, one that will need to be addressed before the program can move forward in earnest.

What are your thoughts?   Email me and let me know.

Tags: Single_Sign-On HIPAA_compliance security_breach data_security security_risk


2009 Priorities: Security and Strong Authentication

February 5, 2009 at 7:40 pm by David Ting

In our last blog posting, we discussed three priorities all organizations should focus on in 2009:  security, productivity and manageable IdM projects.  Today we're looking more closely at enterprise security.

Businesses continue to grapple with economic realities, making hard decisions to stay competitive during the downturn.  These decisions can have a negative impact on IT security, as IT staffs are re-organized, budgets slashed and security professionals tasked with doing more with less while addressing data security.  Unfortunately, as this is happening, the number of vulnerabilities they're tasked with covering is growing.  The latest news about the logic bomb at Fannie Mae just reinforces the need for additional vigilance as organizations downsize.

The challenges can be overwhelming, but they're not insurmountable.  So where do you start?  The important thing is to have a plan - think through the challenges and anticipate possible problems.  With that in mind, here are three areas you can address to make sure your company is secure:

Identify and deal with your greatest areas of risk

It may sound simple, but it represents a shift in philosophy and mindset, moving away from comprehensive, enterprise-wide projects that take years to fully implement with little to show for them in return.  Given the constraints in staffing and budgets, IT staffs need to focus on the immediate areas of security risk and make sure those gaps are closed.  For example, if you're undergoing a company-wide reorganization, start by asking yourself:  Can we immediately revoke the access of former employees, and alter the access of employees whose job functions have changed? Are we fully aware of all access points of dismissed consultants?  If the answer is no to either of those questions, then you're at risk and have identified your first project. Assess what potential damage can be perpetrated if revocation is not immediate or all-inclusive.

To understand the risk you face, just look at the case that came out last week about the former employee of Fannie Mae who was charged with implanting malware on the company's network that could have potentially caused millions of dollars in damages.  While the case is still pending, the fact remains that this former employee, in the time between when he was informed of being laid off and when he left the building, was able to plant a logic bomb that could have wiped out data on 4,000 servers.  This remains one of the biggest security risks facing organizations, and one that can be dealt with quickly and efficiently with the proper systems and processes in place.

Know who is getting on your system

Trust has never been a sound security strategy, especially when you consider the number of insider-related security breaches over the last year.  The nature of business dictates that you need to know what your employees are accessing, providing the ability to track users and audit usage.  Having confidence in who is getting on your system means believing more than just a username and password. It means relying on strong authentication and using a comprehensive model of device-based authentication to prove the user's identity. The dramatic reduction in the cost of fingerprint biometric scanners, card scanners and tokens allows for corporate-wide deployment of technology that is now mainstream. Think about this in the context of what happens if the wrong person is getting onto a computer, the network or an application, or conducting a transaction within an application. It has become best practice in many businesses to require biometric authentication or building smart cards for enforcing user authentication and access whenever sensitive information or applications are at stake.

Have demonstrable ROI for your project

The general consensus of the CIOs I've spoken to recently is that they are being selective in the security projects they tackle in 2009, undertaking only those projects that can yield immediate results, either to improve business productivity or to reduce security risk.  We discussed this recently with some of our customers in a webinar roundtable discussion.  If you weren't able to attend, I encourage you to download the webinar to see how they're addressing the security challenges of 2009.

So what challenges are you facing? 

What steps are you taking to tackle security in 2009? 

Feel free to email me if your organization is facing a different set of challenges in the coming year.

Tags: Fingerprint_biometrics enterprise_security security_breaches data_security biometric_authentication security_risk
