Live from the National HIPAA Summit
Live from the National HIPAA Summit
Greetings from the Eighteenth National HIPAA Summit in Washington, DC! It’s turned out to be an interesting event pulling in an array of people as it is co-located with the National Health IT Summit for Government Leaders, the National Health Information Exchange (HIE) Summit and the International mHealth Networking and Web Conference. Mid-way through the week-long event, there are some notable highlights from the conversations I’m having, and from the chatter on the floor and the breakout rooms. In no particular order...
HITECH Grants – Earmark Dollars for Data Security Too
HITECH Grants – Earmark Dollars for Data Security Too
In February 2009, the Obama administration announced that $2.0 billion in grant money will be made available to help hospitals and other health care providers transition to electronic health records (EHR). This past Monday, the White House took a big step and launched the first of two grant programs under the HITECH act which lays the groundwork for EHR.
Stimulating Strong Authentication
Stimulating Strong Authentication
The stimulus package recently signed by President Obama has been the cause for vigorous debate. One by-product of the package that has not been widely discussed is a provision that would reshape the medical industry by creating a central repository of computerized medical records for all American's. An increase in the level of electronic information of this magnitude exponentially raises the vulnerability of a security breach, which we'll focus on today.
Modeling Risk
Modeling Risk
Risk management seems to be the conversation du jour. I was just a the Lenel Paradigm Conference in Rochester with some of their leading security consultants and the topic that constantly came up was Risk and how security practioners needed to understand the business drivers around mitigating risk. With access and authentication management-centric security breaches like LendingTree and Societe Generale making headlines and compliance requirements mandating greater information security, how does one even begin to understand what a company needs to do?
The Impact of New HHS Rules for Health Information Privacy and Security
The Impact of New HHS Rules for Health Information Privacy and Security
The U.S. Department of Health and Human Services (HHS) recently announced new rules surrounding health information privacy and data security that is important for everyone involved in healthcare IT (HIT) to understand. By now, you’ve likely seen these rules, however the Healthcare IT Consultant blog has a nice synopsis of the news that drills down into the aspects most relevant for those in the Imprivata community. Pulling the key points from that blog and summarizing the primary requirements of the rules, here are some things to consider...
HITECH Act:  One Year Later, Are you Ready for Compliance?
HITECH Act: One Year Later, Are you Ready for Compliance?
On Feb. 17, 2009, the HITECH Act was enacted, giving birth to new tiered civil monetary penalties for data breach violations, new powers to state attorney generals (AGs) for class-action pursuit and new guidelines for technology and methodologies that render data “unusable, unreadable or indecipherable.” While we previously covered how HITECH will make available $2.0 billion in grant money for organizations to transition to electronic medical records (EMRs) and deploy appropriate security measures, the time is now upon us for full compliance. Otherwise, organizations risk significant penalties from the department of Health and Human Services (HHS)/ Office of Civil Rights (OCR). The Healthcare & Technology blog has a good, quick post with some useful resources...
Thoughts from the Siemens Innovations Conference
Thoughts from the Siemens Innovations Conference
I just got back from the annual Siemens Innovations Conference in Philadelphia. Imprivata had a booth at the event. I had an opportunity to talk with existing and prospective OneSign customers. Clearly, single sign-on and authentication are top of mind for many of the Siemens customers we spoke with. One thing is clear - CMIOs and IT folks are looking for ways to make application access seamless and secure for the clinicians while NOT changing workflows. Imprivata OneSign is what Siemens Med is recommending as the solution of choice. In fact, there were two customer presentations where OneSign was discussed.
2009 Healthcare IT Security Priorities
2009 Healthcare IT Security Priorities
In our last blog posting, we discussed three priorities all organizations should focus on in 2009: security, productivity and manageable IdM projects. Today we're looking more closely at enterprise security.
SSO Summit field notes
SSO Summit field notes
Full disclosure: I'm just a medium-sized hospital's IT security guy. I've had Imprivata'sESSO appliance (three of them actually, a pair of HA, and a test box) up and running, happily, for about three years. I was invited by Imprivata and Ping Identity to participate in a panel discussion at the SSO Summit held in Keystone, CO, on July 23-25 (http://www.ssosummit.com/). Andre Durand (Ping Identity) and friends put on a very nice event. There was a good blend of topics, from SSO-centric details, to Federation issues, and a mixture of interesting case studies to visionary presenters like John Haggard (independent security consultant and long-time IT mentor) and Gunnar Peterson (Arctec Group). The event was solid throughout, but to hear John and Gunnar speak about the important issues of the past and future of SSO and IT/Web security, made the event a powerful experience not to be missed.
Even Spies Have Password Management Problems
Even Spies Have Password Management Problems
Catching up on some news from last week and I thought Tim Greene’s article in Network World was an interesting piece on the Russian spy ring story that is currently grabbing headlines. One of the most glaring errors made by one of the spy defendants was leaving an imposing 27-character password written on a piece of paper that law enforcement officers found while searching a suspect's home. They used the password to crack open a treasure trove of more than 100 text files containing covert messages used to further the investigation.
2010 Look Ahead: Chief Security Concerns for Chief Executives
2010 Look Ahead: Chief Security Concerns for Chief Executives
As we turn the page to 2010 and look to delve into the top–level security concerns that lie ahead, we’d be remiss not to reflect on those security events that helped shape 2009 into the ‘year of the data breach,’ and take these as learning experiences for the New Year.
The Enterprise Systems Design Challenge: Security vs. Usability
The Enterprise Systems Design Challenge: Security vs. Usability
Security expert Bruce Schneier pulls out an interesting excerpt from an essay “When Security Gets in the Way” that is sparking great discussion on his Schneier on Security blog. The essay, from Don Norman’s jnd site, debates security vs. usability, and addresses design considerations for enterprise security systems. This article captures important concerns often discussed in security circles on how to make security stronger without disrupting user behavior. It’s a delicate balance – we often say the most secure computer is the one in a locked room not powered up but that would hardly be usable. At Imprivata we have always believed that usability and security don’t need to be mutually exclusive.
Proving policies work – easing audit and enforcement of physical and logical security
Proving policies work – easing audit and enforcement of physical and logical security
The term 'security policy' used to mean different things to different people. For the facilities management department, it covers physical access points and teaching staff to lock office doors and file cabinets before leaving for the night. For the IT manager, it means keeping up to date with the latest patches and ensuring that users can only access the applications and data that they are allowed to. However, this situation is changing with IT and physical security being managed together. Although they come from separate disciplines, what these two areas have in common is policy.
HIT Policy Committee Consumer Choice Technology Hearing Recap
HIT Policy Committee Consumer Choice Technology Hearing Recap
Last week, I attended the Privacy and Security Tiger Team Health Information Technology Policy (HIT) Committee Consumer Choice Technology Hearing in Washington, D.C. The gathering brought together an impressive group of healthcare industry leaders, patient data privacy advocates and HIT vendors to discuss technologies that enable consumers to choose whether or not to share their information in health Information Exchanges (HIEs). Here are few things worth highlighting from the conference...
Security Wish List and This Year’s Ultimate Strong Authentication Stocking Stuffer
Security Wish List and This Year’s Ultimate Strong Authentication Stocking Stuffer
2009 was a tough year with the global economic downturn resulting in unprecedented workforce reductions. As a result, security risk from insider breaches has never been greater. Now, as we look to turn the page to 2010, it’s already clear that organizations will continue to go beyond the traditional levels of network access security by implementing policies that require users to provide a second form of identity to gain access to IT resources.
Reaching Stage 6 Status with Imprivata
Reaching Stage 6 Status with Imprivata
At Parkview Adventist Medical Center we're very proud of our accomplishment of being only one of a handful of hospitals that have been awarded with HIMSS Analytics Stage 6 status.Moving to an EMR format and a paperless environment requires a significant commitment from the executive team and from our clinicians. As we began our move to EMR, we had two major concerns. 1 – Can we maintain patient data security and HIPAA compliance in an electronic format? 2 – Will the clinicians buy into what we’re doing and use the technologies we provide? These are two critical components in achieving Stage 6 status.
Desktop Virtualization – Has it hit your desk yet?
Desktop Virtualization – Has it hit your desk yet?
The discussion on desktop virtualization, or hosted virtual desktop, is heating up. Some view it as futuristic. Others say it is throwback to the world of mainframe computing. With economic concerns forcing businesses to take a hard look at expenses across the enterprise, however, there are many reasons this is such a hot topic.
Where’s your Remote Control?
Where’s your Remote Control?
Managing the Increasing Vulnerability of a Decentralized Workforce More and more companies today are enabling employees and partners to work remotely, accessing networks, data and applications from just about anywhere to be productive. Being productive is good. Behaving less responsibly is not. I was reading that Cisco Systems commissioned a survey to examine the security behavior of remote workers, and I found some of the findings startling -- here's a few that stood out for me:
Major Healthcare Patient Data Breaches Nearing 100-Mark
Major Healthcare Patient Data Breaches Nearing 100-Mark
I read an interesting story over at HealthcareInfoSecurity.com highlighting the “Official Breach Tally Approaches 100”. The article includes a link to the official federal list of healthcare information breaches that was launched a few short months ago. While the article highlighted the major breaches affecting 500+ individuals as reported to the HHS Office for Civil Rights (OCR) and called out 61% of incidents stemming from stolen computer devices (e.g., laptops, USB drives, hard drives etc.), many of the largest breaches involved unauthorized access. Here’s a snapshot at the major breaches stemming from unauthorized access...
Bill McQuaid Named Computerworld Premier IT Leader for 2010
Bill McQuaid Named Computerworld Premier IT Leader for 2010
This week, Computerworld announced the honorees for its annual Premier IT Leaders awards program, and we’d like to congratulate Imprivata customer Bill McQuaid of Parkview Adventist Medical Center for making the 2010 list! Bill was recognized for his innovative approach to electronic medical records (EMR) and the significant contribution he has made to Parkview’s healthcare IT infrastructure.