To illustrate the point just in the area of key management, a Computer Weekly survey found that 88 percent of organizations had multiple administrators managing their encryption keys. That doesn’t mean those administrators are required to look over one another’s shoulder when keys are accessed; it means a lot of different people have to have access to the keys. And 22 percent have ten or more. This creates plenty of opportunity for collusion, WikiLeaks-style disclosures and insider threats. It also speaks to the complexity of these environments and the need to train all of these people on the systems just so they understand them. Interestingly, 42 percent of administrators are managing encryption technologies from at least four suppliers, while eight percent are dealing with more than ten suppliers. Given the complexity that can exist in a single encryption system, having to deal with ten is remarkable. But I can also understand why people say, well, I need to protect my servers, I need to protect my Macs, I need to protect my Windows devices, my handheld devices, and so on. It’s understandable how you could quickly get to four or more technology platforms for encryption.
But it doesn’t have to be that way. The core problem driving the complexity and the change is that the traditional approaches just aren’t working. Organizations are dealing with a lot of problems, but one of the fundamental ones is that users are now self-sufficient. We have a self-sufficient population. They don’t wait for IT. They move data immediately to solve business problems. That’s what they’re paid to do, and they do it 24/7 because nobody works a regular day anymore. So our users are self-sufficient, and the technologies they use are more self-serving now.
There are lots of different technologies and startups out there trying to make technology simpler and simpler. Today you can have instantly what might have taken IT six months to develop in years past. You can have compute and storage in minutes now, at most hours. That kind of pace, that kind of rate of change, means that data flows instantly. So we have to set up systems that anticipate this, where data protection is built into what our users are going to do anyway: giving them approved, good paths to follow instead of blocking the paths users actually take, or missing them altogether. And obviously this is not a trend that’s going to reverse. It is only going to intensify going forward.
So there is a new approach we need to take. We need to stop depending on setting up perimeters. Of course everybody has heard this for years; we’ve been saying it in the security industry for a long time: the perimeter is dead. I remember years ago we used to talk about how there is no perimeter, and a lot of good work was done by the Jericho Group and others to get that message out. By and large I think people have received it. What we have not really gotten to is what a unified, consistent data protection strategy looks like.
Stay tuned for my next post on the solutions to this….
I’ve worked with HIPAA compliance ever since it was signed into law in 1996. Over the years, working with many covered entities (CEs) and, ever since HITECH was signed into law, a very large number of business associates (BAs), I’ve heard some of the same questions. One I am getting more often from BAs, who for the most part are just now realizing that they need to get into compliance with HIPAA and HITECH, is: “With what parts of HIPAA and HITECH do I have to comply?”
BAs, as well as CEs, need to understand that they must comply with all HIPAA Security Rule and HITECH requirements. CEs need to comply with all HIPAA Privacy Rule requirements, and BAs will need to comply with them as well, depending on the types of services and products provided to CEs. An important point is that CEs and BAs must safeguard protected health information (PHI) at *ALL* times according to all the regulatory requirements.
I recently had a BA that provides cloud services to CEs tell me that they did not think that they needed to follow the HIPAA Security Rule Physical and Administrative requirements since they were a cloud service, which they viewed as being a strictly technology-based service, and since they used an outsourced data center. So, they thought they only had to follow the requirements listed within the Technical Requirements of HIPAA (45 CFR §164.312). Au contraire, mon frère! You cannot be selective in this way.
I had another BA tell me that they received patient databases from a CE that contained names, email addresses, mailing addresses, and assorted related medical information. They understood that the data had to be protected when it was sent from the CE to them, because they understood that it was PHI coming from the CE. Where their confusion came in was what they had to do after they received it. They asked, “We can send these files on to the companies who do outsourced work for us without any special security, right? It’s no longer PHI if we are sending it to a company that is not a CE, right?” WRONG!
Unless it has been de-identified (another topic for another time), PHI remains PHI after a BA receives it, and throughout any business processing, storage, subcontracting or other activity that occurs. Think about it: you want your doctor to protect your medical information and ensure it is not used inappropriately or shared with others who don’t need it, don’t you? Well, if they pass it along to some other organization to process, store or otherwise use, don’t you want that other organization to protect it just as stringently? One of the goals of HIPAA and HITECH is to ensure PHI remains appropriately secured no matter who is handling it. It’s all about protecting PHI, not about who is touching PHI. That’s an important point to understand. HIPAA/HITECH compliance is basically all or nothing; it’s not a pick-and-choose proposition.
Guest Blogger Rebecca Herold
Rebecca Herold, CIPP, CISSP, CISM, CISA, FLMI, is owner and CEO of Rebecca Herold & Associates, LLC, and a partner in Compliance Helper. She has been an adjunct professor for the Norwich University Master of Science in Information Assurance (MSIA) program since 2005, is working on her 15th published book, and was recently voted the 3rd best privacy advisor in the world by Computer World, in addition to many other information security, privacy and compliance activities. Rebecca Herold is also the author of the Realtime eBook Understanding Data Protection from Four Critical Perspectives, available from CREDANT Technologies.