Unencrypted Devices Still a Breach Headache

May 13, 2015

The Ongoing Risk Posed by Lost, Stolen Mobile Devices

By , May 12, 2015.


While hacker attacks are grabbing most of the health data breach headlines so far in 2015, a far more ordinary culprit – the loss or theft of unencrypted computing devices – is still putting patient data at risk.


Incidents involving unencrypted laptops, storage media and other computing devices are still popping up on the Department of Health and Human Services’ “wall of shame,” which lists health data breaches affecting 500 or more individuals. Among the largest of the most recent incidents is a breach at the Indiana State Medical Association.

That breach involved the theft of a laptop computer and two hard drives from a car parked for 2-1/2 hours in an Indianapolis lot, according to local news website, The Star Press. Information on more than 38,000 individuals, including ISMA employees, as well as physicians, their families and staff, was contained in the ISMA group health and life insurance databases on those devices.

The incident occurred on Feb. 3 while ISMA’s IT administrator was transporting the hard drives to an offsite storage location as part of ISMA’s disaster recovery plan, according to The Star Press. An ISMA spokeswoman declined Information Security Media Group’s request to comment on the breach, citing that there are “ongoing civil and criminal investigations under way.”

A breach notification letter sent by ISMA indicates that compromised data included name, address, date of birth, health plan number, and in some cases, Social Security number, medical information and email address. ISMA is offering those affected one year’s worth of free credit monitoring.

Common Culprit

As of Feb. 27, 51 percent of major health data breaches occurring since 2009 involved a theft while 9 percent involved a loss, according to data presented by an Office for Civil Rights official during a session at the recent HIMSS 2015 Conference in Chicago. Of all major breaches, laptop devices were involved in 21 percent of the incidents, portable electronic devices in 11 percent and desktop computers in 12 percent, according to the OCR data.

Two of the five largest breaches to date on the Wall of Shame involved stolen unencrypted computing devices:

  • A 2011 breach involving the theft of unencrypted backup computer tapes containing information on about 4.9 million individuals from the car of a Science Applications International Corp. employee who was transporting them between federal facilities on behalf of military health program TRICARE.
  • The 2013 theft of four unencrypted desktop computers from an office of Advocate Health and Hospital Corp. in Chicago, which exposed information on about 4 million patients.

Many smaller breaches affecting fewer than 500 individuals also involve unencrypted computing devices, according to OCR.

Safe Harbor

The theft or loss of an encrypted computing device is not a reportable breach under HIPAA. That is why security experts express frustration that the loss and theft of unencrypted devices remains such a common breach cause.

“It is unfortunate that [encryption] is considered an ‘addressable’ requirement under HIPAA, as many people don’t realize that this does not mean optional,” says Dan Berger, CEO of security risk assessment firm Redspin, which was recently acquired by Auxilio Inc.

Under HIPAA, after a risk assessment, if an entity has determined that encryption is a reasonable and appropriate safeguard in its risk management of the confidentiality, integrity and availability of e-PHI, it must implement the technology. However, if the entity decides that encryption is not reasonable and appropriate, the organization must document that determination and implement an equivalent alternative measure, according to HHS.

Attorney David Holtzman, vice president of compliance at the security consulting firm CynergisTek, says he expects to see soon an OCR resolution agreement with a healthcare provider that suffered several breach incidents caused by its failure to manage the employee mobile devices on which electronic protected health information was stored or accessed.


Feds Get Forward-Looking IT Procurement Advice

May 6, 2015


By John K. Higgins – E-Commerce Times – ECT News Network
May 1, 2015 9:23 AM PT

The old cliché about the difficulty of turning an aircraft carrier around applies to changing the way government deals with investing in information technology, according to two recent reports.

Federal agencies need to change course in handling IT spending quickly, particularly in reversing the inertia behind longstanding conflicts between chief information officers and chief financial officers over the procurement of IT resources, according to Research Director Shawn McCarthy, who authored the IDC Government Insights report.

Government IT managers need to loosen their longstanding attachment to unproductive legacy systems and focus on the advantages of newer technologies — especially the cloud and mobile platforms, suggested Research Director Rick Howard, author of the Gartner report.

From Confrontation to Collaboration

Despite past conflicts between finance and IT staffs, federal IT spending has been robust — although it should remain largely flat, at about US$78 billion per year for the next few years. However, budgetary demands to do more with less almost certainly will create tension between the CIO and the CFO.

“When it comes to where information technology money should be spent, the goals and motivations of a CFO can differ from those of a CIO,” McCarthy said.

With the tightening of government budgets, the role of the CFO has expanded, he noted. The CFO now has a central role in determining how the taxpayers’ money is spent. However, that can — and often does — lead to clashes with the IT staff, who have in-depth expertise on utilizing technology.

In the future, collaboration between the two will be required in the productive acquisition and deployment of IT, McCarthy said.

To reconcile the differences between IT staffs and financial managers, federal government departments and major agencies should continue the trend to “consolidate multiple, lower-level CIO offices into a single, more powerful agency-wide CIO,” McCarthy suggested.

That would lead to a more focused and coherent approach to IT management. The process also would simplify collaboration between the CIO and CFO by reducing or even eliminating diffuse communication between multiple low-level IT staff members and the CFO.

Another major factor for improving collaboration is for each side to recognize the sea change in IT management that has resulted from the maturing cloud and shared service environment.

IT managers, especially the CIO, must jettison the idea that the IT department has control of IT equipment, facilities and programs, and is the sole owner, provider and guardian of those assets.

Especially in the procurement function, where CIOs and CFOs are most likely to tangle, managers need to “move IT procurement away from systems purchasing and management and toward IT services management,” McCarthy said.

This approach is based on a realization that IT departments don’t have to own and operate IT resources to be effective. Instead, IT departments need to act as internal advisors and facilitators to provide guidance to agencies in how best to utilize available technologies to meet agency goals and citizen requirements.

Sometimes that might involve actual on-site resources, but increasingly it will involve the IT staff acting as an expert intermediary to match agency needs with appropriate capabilities, such as private sector cloud providers.

Similarly, CFOs must shed any behavior in which they purport to “know it all” when it comes to cost-effective IT. They may have a good knowledge of IT costs from their own exploration of vendor offerings and price points and from reviewing budget data.

However, they most likely don’t know it all in terms of what is effective in the application of IT resources. That expertise resides, and still should reside, with the CIO staff.

“Often the IT team doesn’t understand the agency’s budgeting process, while the finance team doesn’t understand the agency’s IT systems,” McCarthy said.

A good starting point for collaboration is for both departments to buy into the process of jointly developing a business approach for deploying IT resources, McCarthy suggested. CFOs who seek to logically influence IT planning should require the development of strong business plans to justify new IT expenditures. The objective of the process is for both teams to agree on the purpose for which the IT spending is required, and then to work out the procurement approach to implementing the plan.

“The business-focused collaboration that is needed today includes protecting the interests of each other and supporting the business needs of the other. The discussion should not be about fixing failures, it should be about how technology can be leveraged to meet the organization’s strategic objectives,” McCarthy said.

The CFO can be instrumental in establishing a business context.

“Often the IT people are reluctant to give up control, so it’s the CFO who becomes the driver here to introduce budget realities and ask, for example, about what older machines are costing us money,” McCarthy told the E-Commerce Times.

The CFO can directly or indirectly begin the consideration about using newer technologies, he said, by “initiating the conversation on what alternatives are available.”

Slipping the Yoke of Legacy Systems

IT managers should establish an innovation budget to formally facilitate digital experimentation and to build strong working relationships with other digital leaders, within and outside an agency, recommends the Gartner report.

As with military planning, IT managers need to be wary of making investments designed to win the last war while failing to anticipate the conditions of the next one, it suggests.

“There is a risk that circumstances such as deferred infrastructure investments are forcing government CIOs to ‘renovate the core’ of IT at the expense of deploying new user-centric systems and services, such as CRM, industry-specific applications and enterprise applications, all of which rank low on the priority list,” Howard noted.

The next challenge is to achieve full exploitation of both cloud technology and mobile platforms, he said, noting that the cloud has matured to the point that it should be the first option of any potential IT investment.

“Gartner believes that IT vendors are moving fast in the direction of cloud-based service models, and government agencies are becoming more comfortable with cloud-based solutions for reasons of subscription pricing and increased business agility,” Howard wrote in the report.

“We recently predicted that by 2015, 50 percent of all new independent software vendors will be pure SaaS providers. This trend will challenge traditional procurement practices and expose government procurement channels to a more diverse array of small and midsize businesses than has been the case in the past,” he pointed out.

“Government CIOs should begin with the default assumption that a public cloud option will be selected when re-engineering current business processes or designing new mobile services that are augmented by context-aware interactions,” Howard advised.

In principle, every new investment or service, on every dimension — including infrastructure — should “incorporate the most advanced position,” rather than rely on what has worked in the past, he added.

“With cost, value and security as top considerations, the most advanced position available to government CIOs is delivering services on public cloud, unless there is a reason not to,” Howard said.

So too with the mobile world, which has moved from an interesting IT option to a nearly essential requirement. The Gartner study makes the following recommendations to government IT managers:

  • Make mobile the foundation of your digital government channel strategy;
  • Increase mobile access to more business applications;
  • Focus on mobile user experience design and the effectiveness of end-to-end processes involving a device and its context;
  • Build a “Have we maximized contextualization opportunities?” step into all planning.

One major objective is to make sure that the value proposition of any investment fully recognizes the benefits of advanced technologies.

“The challenge is less about developing adequate cost-benefit and return-on-investment tools for IT investments and more about the discipline required to apply them consistently when measuring project performance or benefits realization,” Howard told the E-Commerce Times.

Standard methods, including ROI, key performance indicators and similar tools, are still workable. However, the changing landscape of technology also introduces modifications in value analysis.

For example, by using digital and mobile technologies, an agency could significantly improve the number of online queries it could handle from citizens. That improvement is a transactional benefit with a measurable cost — and benefit.

On the other hand, the value of improved technologies that lead to more accurate government weather reports through improved analytics is not easily captured in conventional budget terms but is still significant.

“In the digital/mobile age,” said Howard, “both are integral to creating measurable value.”
