Monthly Archives: March 2014

What will it take to Prioritize Security in Healthcare?

With security breaches dominating news headlines daily, those responsible for securing our systems, networks, and devices are struggling to keep pace with the evolving threat landscape. Perhaps some of the most concerning potential breach data comes from the healthcare industry where we entrust our most personal information—social security number, birth date, medical history—as well as our immediate family members’ sensitive information to medical care providers. Further, medical devices rely on secure IT networks to function properly and deliver continuous, critical care to patients with heart conditions, diabetes, and other ailments. In the event of a security breach, the malfunction of devices could have potentially life-threatening consequences.

So what can we do to create a more secure environment for protected health information and equip healthcare IT staff with the security skills they need to fulfill this task?

First, we must start with a level of awareness. Calling attention to the alarming number of data breaches in today’s healthcare industry certainly helps the cause. According to Redspin’s Breach Report 2013 – Protected Health Information (PHI), the number of PHI breaches was up 138 percent from 2012, with 199 incidents reported to the U.S. Department of Health and Human Services (HHS), impacting over 7 million patient records. HHS even has a “wall of shame” webpage where the world can see a list of U.S. healthcare organizations that have had a security breach of protected health information affecting more than 500 individuals.

Part of the problem with security awareness lies in current processes, which don’t take into account how to mitigate fraud or medical identity theft. “If a patient’s healthcare record is compromised by someone who stole the identity to receive care and consequently had false information entered into that patient’s electronic health record, there’s no process in place that allows medical providers to go in and fix the record because it’s considered a legal document,” said Lisa Gallagher, BSEE, CISM, CPHIMS, vice president, Technology Services, HIMSS. “Right now, we’re still at the awareness level for security and part of what we’re trying to do at HIMSS is to help hospitals and other healthcare organizations recognize when an instance of medical identity theft has occurred so they can improve processes to protect patients.”

Medical records are more susceptible to identity theft because the online systems for medical records, and the networks on which they operate, are not as locked down and sophisticated as those in other industries. According to the recently released HIMSS 2013 Security Survey, only 52 percent of hospital-based respondents reported that they had a CSO, CISO or other full-time leader in charge of security of patient data. The survey also found that in the past 12 months, 19 percent of respondents had a reported security breach and 12 percent of organizations had at least one known case of medical identity theft reported by a patient.

While these stats may seem alarming, we must also realize that healthcare is one of the last industries to move data from paper to online systems. Many physicians still use paper records for their patients. And others are only beginning the process of transitioning patient records to digital systems.

When it comes to educating healthcare IT staff, they need the resources, experience, and continuous drive to ensure they possess the latest knowledge and skills required to secure protected health information. (ISC)2 recently introduced the HealthCare Information Security and Privacy Practitioner (HCISPP) credential to educate and certify those responsible for securing protected health information. HCISPP is designed to provide healthcare employers and those in the industry with validation that a healthcare security and privacy practitioner has the core level of knowledge and expertise required by the industry to address specific security concerns.

At the HIMSS Conference this past week, a number of attendees were drawn to the (ISC)2 booth stating that a credential like the HCISPP is critical to developing a qualified workforce to protect the healthcare industry. Many also stressed the lack of security even at the basic awareness level in their organizations.

Let’s face it, making security a priority for the healthcare industry won’t happen overnight. It will require a concerted effort that begins with security awareness, followed by education and training of healthcare IT staff, and finally adoption and acceptance from the healthcare industry to create a secure digital environment for protected health information.


Via: isc2

Google, Microsoft, Salesforce back OpenID Connect — but it’s not enough

Despite big-name support, newly finalized OpenID Connect protocol is a security building block, not a silver bullet.

After some four years of wrangling, the OpenID Foundation has finally given the thumbs-up to OpenID Connect, its protocol for both authenticating users and providing a distributed way to handle privacy and permissions.

But a protocol by itself is a long way from being a full solution to the nasty hash of credentials, mechanisms, and standards that developers and administrators have to deal with whenever the word “security” enters the conversation.

OpenID Connect isn’t OpenID 2.0, which gained little traction as the single-sign-on solution it was intended to be. It’s an identity layer that uses OAuth 2.0, and it’s billed as being able to do the same things OpenID 2.0 did, as well as stuff OpenID 2.0 could never do, such as provide access tokens. Data is passed around using REST calls and JSON, obviating the need to create firewall exceptions and making it theoretically easier for developers to implement than OpenID 2.0.

The OpenID Foundation describes OpenID Connect this way: “[It] lets developers authenticate their users across websites and apps without having to own and manage password files. For the app builder, it provides a secure, verifiable answer to the question: ‘What is the identity of the person currently using the browser or native app that is connected to me?'”

You don’t need to look very far to find a working example of OpenID Connect: Google.

Google has been bullish enough on the technology that it took its existing Google+ Sign In technology, originally built with OAuth 2.0, swapped in OpenID Connect, and deprecated use of legacy OpenID. Microsoft and Salesforce — two big outfits who’ve locked horns before over who gets to be the bigger and better identity provider — are also backing OpenID Connect. And work is set to begin on figuring out how to use mobile phone accounts as an OpenID Connect identity in Europe.

Consequently, OpenID Connect is a building block, not a silver bullet by itself. That said, it’s possible one or more powerful federated identity solutions could arise from it, each connected in a central way that would make juggling passwords obsolete. Such an arrangement might also constitute one way to deal with the problem of living in an age where multiple digital identities are a good idea and not a bad one.

But the resulting implementations will need to hold up under scrutiny better than OpenID’s previous implementations did. Back in 2013, Facebook’s OpenID implementation was found to be sporting a bug severe enough to pay out a $33,500 bounty to its finder. And back in 2012, a study of OpenID implementations found many of them to be poorly implemented, and the OpenID implementation of Mozilla’s own Persona identity management service was shown to have vulnerabilities as well.

If switching to OpenID Connect makes it easier for the developer to avoid those kinds of errors of implementation, it’ll automatically be a step in the right direction. For now, it’ll help to start with the existing real-world deployments like Google+ Sign In and see how they fare.


Via: infoworld