Public Sector: June 2011 Archives

Looking at the HITECH Act from a security strategist perspective

Posted by
Ed Moyle
on June 6, 2011

"Situational awareness" is a term we hear often enough (particularly in security) but one that isn't always fully appreciated; put simply, it's the art and science of paying attention to the world around you and responding appropriately to situations as they change.

 

Believe it or not, this is a critical skill - one that can quite literally mean the difference between success and failure in a business context. When something changes about the business environment, not noticing the change creates risk - noticing the change creates opportunity. And both risk and opportunity abound in looking at the current environment within the healthcare sector.

 

Risk and opportunity: HITECH and business associates

In healthcare, HIPAA is obviously a very big deal. For the past decade and a half since the law went into effect, organizations in the healthcare community have been struggling to come to grips with a set of federally imposed mandates governing the security and privacy of the electronic health data within their organizations. Historically though, the situation has been quite different for "business associates" - those firms that provide IT or other support to hospitals, insurance companies, or clinics but not covered entities directly.

 

In most cases, business associates have access to the same data, the same systems, the same documents and artifacts of patient care as covered entities. But yet, they were not required to implement the same physical, technical and administrative security controls as covered entities were. They were required to sign agreements with covered entities stating their intent to protect data, but they were not on the hook to implement any specific security technology or controls to actively defend the data in question. At least not until recently.

 

As of the Health Information Technology for Economic and Clinical Health (HITECH) Act, business associates are in a different boat. Now, they are required to adhere to the same security standards as covered entities. What's more, they're on the hook from an enforcement standpoint as well. For business associates not paying attention, this introduces risk and opportunity: risk that they will not get into compliance with the law and that they will be subject to enforcement action and opportunity to differentiate themselves to their customer base based on their understanding of the requirements and ability to implement secure practices that safeguard patient data.

 

Meeting the requirements: Cloud strategies

For business associates going through this, it's important to realize that getting to where they need to be from a HIPAA security standpoint could potentially be facilitated through a (seemingly) unlikely source: their cloud migration efforts. In other words, a migration to cloud already in progress may (under certain circumstances) be one potential avenue to meet some of the required security HIPAA security controls head on. Why, you ask? There are two reasons for this:

 

1.) Many firms that provide cloud services have already implemented the specific controls required by HIPAA security in the course of servicing covered entities; and

2.) Overlapping controls (such as those required to support other requirements such as payment or banking regulatory requirements) may potentially be used in support of HIPAA.

 

In other words, the promise of cloud is leveraging economies of scale for security as well as other desirable technical outcomes; so rather than each firm having to implement security and other controls themselves, they "consolidate" that effort and implement it once in an environment that can be shared among consumers.

 

So for business associates looking to rapidly meet the specific controls required by HIPAA security, looking at environments that are already servicing covered entities could be a good bet. Since these environments are on the hook as business associates (just like you are), they are required to meet the equivalent bar as you; so by leveraging their service you ostensibly leverage the effort they've put into implementing the technical, physical and administrative security controls as well.

 

Of course, this is by no means a substitute for an internal compliance effort. You'll still need to make sure that you're doing the right thing throughout every place that you interact with, handle or access patient health information, but it can certainly be a head start for areas that you're looking to migrate to the cloud anyway. By selecting an environment that will implement the same controls you are required to, and by getting in writing that your service provider will implement the appropriate controls, you just might put yourself farther down the road than you'd otherwise be.

 

Ed Moyle is senior security strategist at Savvis.
| TrackBacks (0)

Release of International Strategy for Cyberspace a significant moment in evolution of IT industry

Posted by
David Shacochis
on June 1, 2011
cybersecurity.jpg

"Cyberspace, and the technologies that enable it, allow people of every nationality, race, faith and point of view to communicate, cooperate and prosper like never before. ... The digital world is no longer a lawless frontier, nor the province of a small elite. It is a place where the norms of responsible, just and peaceful conduct among states and peoples have begun to take hold. It is one of the finest examples of a community self-organizing, as civil society, academia, the private sector, and governments work together democratically to ensure its effective management." - U.S. President Barack Obama, International Strategy for Cyberspace, 2011

 

"All I knew about the word 'cyberspace' when I coined it, was that it seemed like an effective buzzword. It seemed evocative and essentially meaningless. It was suggestive of something, but had no real semantic meaning, even for me, as I saw it emerge on the page." - William Gibson, No Maps For These Territories, 2000

 

We've come a long way, haven't we? What started as a science fiction phrase coined in the early 1980s has achieved near-sovereign status - worthy of formal policy-making by the leader of the free world.

 

Last week the White House released the U.S. International Strategy for Cyberspace, a truly historic document that asserts United States policy in matters of Internet transparency, reliability and security. All tongue-in-cheek comments about sci-fi derivations aside, it is a significant moment in the evolution of our industry - the realm where we all operate, innovate and compete is now something greater than just a capitalist market. Events of the past year have proven that the Internet will challenge the cartography of traditional diplomacy, and become as significant a geopolitical arena as the physical world itself.

 

In the 30-page document, the current administration ties its cyberspace policy to the fundamental principles of American democracy, describes the future state sought by U.S. strategy, and outlines some high-level policy goals for future consideration.

 

In reading the strategy document, one cannot help but think of the upheaval brought about during the recent Arab spring uprisings - and the manner in which social networks, pervasive mobility and Internet access all served as force multipliers for the cause of democracy. If cyberspace is the level playing field across which democracy wins the day, then the United States of America wants to make sure that much of the world has fair and equal access to the pitch.

 

Is the document perfect? Of course not. The high-level goals included in the strategy are in most cases not actionable enough to serve as mandate. In some cases, there are abject contradictions between the stated respect for privacy and the firm conviction against cyber-crime. In other areas, the document glosses over the very real international differences between nations and their current attitudes towards individual liberties, nationalized infrastructure, intellectual property and cyber-crime.

 

Nonetheless, this document serves as a sort of mission statement - a guiding set of principles the Obama administration wishes to weave into all its legislation and policy-making that impacts cyberspace in the future. The funny thing about mission statements is that their impact is never felt upon first reading. What remains to be seen is how well this strategy is adhered to during the subsequent discourse in the U.S. and abroad, and how well the actual laws, rules and treaties honor its intent.

 

For example, as a member of the Commission on the Leadership Opportunity in the U.S. Deployment of the Cloud (CLOUD2) I can already say that the International Strategy for Cyberspace has informed our thinking and challenged us to begin making more actionable recommendations that align with this stated policy.

 

In reflecting on the International Strategy for Cyberspace, I couldn't help but flash forward to a future state where the Internet becomes a political bargaining chip, choked by national firewalls, unfriendly to innovation and fraught with cyber-crime. In that hypothetical scenario, what would we say about our leaders if they had stood idly by while such degeneration occurred?

 

History will show that the U.S. government did not watch quietly as the global cloud of cyber-networks evolved at exponential speed. Whether or not modern government and international diplomacy are able to keep pace with the challenging nature of cyberspace remains to be seen.

 

David Shacochis is vice president, global public sector, at Savvis.

| TrackBacks (0)
« Public Sector: April 2011 | Main Index | Archives | Public Sector: July 2011 »