In this week's #TechTuesday roundup: Lenovo patches problems found in the SHAREit app, the University of Virginia was hit with a phishing scam that affected 1,400 people, a software bug exposes the tax information of one Uber driver, Hurley Medical Center in Flint, MI was hit with a cyber-attack, and Apple can read your encrypted iMessages.
Do you know what to look for in an Intelligent Identity and Access Management system? Let us help with today's checklist of 9 essential items for IIAM.
In this week's #TechTuesday roundup: Nest thermostat leaked the zip codes of users, $0 PayPal invoice spam was recently discovered, tax preparation software TaxAct detected a data breach and suspended customer accounts, a major flaw in Apple's Gatekeeper system was left unpatched and Cisco patched several critical bugs that could allow device takeover.
What is Intelligent IAM?
Intelligent IAM (IIAM) encompasses all the administrative processes used in Identity and Access Management (IAM), but the processes are influenced by real-time data. IAM solutions that use intelligence continuously collect, monitor, and analyze large volumes of identity and access-related information, combining data not only from provisioning and governance solutions but also from security products and other external systems. IIAM solutions are often designed to be used with a provisioning system, a governance system, or both.
IIAM solutions, which include integrated identity analytics and intelligence (IAI), help find key information hidden in complexity and provide visibility into context and comparative data. These solutions may help organizations:
- Avoid security breaches by continuously monitoring for policy violations and vulnerabilities and by uncovering problems hidden in large volumes of data
- Strengthen risk management by reducing vulnerabilities immediately and by highlighting individuals and resources associated with high risks
- Continuously improve provisioning, governance, and other IAM processes by focusing attention on weak links and ineffective processes
- Improve the productivity of IT staffs by giving them tools to quickly and reliably conduct analyses, find patterns, identify anomalies, and spot trends
Why Is Traditional IAM No Longer Enough?
Until recently, traditional IAM encompassed only provisioning and governance products: the tooling needed to grant access and to evaluate or audit it, confirming that the access provided complies with business policies and external regulations.
Some examples of traditional IAM functionality include the following:
- Provisioning solutions automate the granting and revocation of access to applications, IT systems, and services; tangible assets such as laptops, smartphones, and security badges; and intangible entitlements such as access to secure areas.
- Governance solutions provide tools to enable compliance with government regulations, industry standards, and organization policies, and to verify that compliance.
IAM solutions have helped organizations automate operations, reduce manpower needs, simplify audits, and provide users with access to the applications and resources they need. Yet traditional IAM processes are far from perfect.
Organizations are still challenged by issues such as lingering abandoned accounts belonging to users no longer affiliated with the organization, proliferating orphaned accounts with no administrative oversight, people with inappropriate access to data, and policy violations. Each of these increases the level of risk to the organization.
In Figure 1-1 (right), you can see the impact abandoned accounts have on your organization. With so many accounts left with no owner, you greatly increase your risk of a breach.
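The analysis the text describes (correlating an HR feed with the account inventory and entitlement data to surface abandoned accounts, orphaned accounts, dormant accounts and policy violations) is simple to express. The following is an added illustration written for this page, not Courion's code or product logic; the HR records, accounts, entitlement names and the separation-of-duties rule are all constructed sample data, and the 90-day dormancy threshold is an assumed policy value.

```python
"""Identity analytics over constructed sample data (added example, not vendor code).

Correlates three feeds and flags:
  - orphaned:      account has no recorded owner
  - abandoned:     owner is no longer active in the HR feed
  - dormant:       no login within DORMANT_DAYS (assumed 90-day policy)
  - sod_violation: one person holds a toxic entitlement combination
"""
from collections import defaultdict
from datetime import date, timedelta

DORMANT_DAYS = 90  # assumed policy threshold

# Constructed HR feed: employee id -> employment status.
HR_FEED = {
    "e100": "active",
    "e101": "active",
    "e102": "terminated",
}

# Constructed account inventory from provisioning: one record per (system, account).
ACCOUNTS = [
    {"system": "erp", "account": "jsmith", "owner": "e100",
     "last_login": date(2016, 1, 20), "entitlements": {"ap_create_vendor"}},
    {"system": "erp", "account": "bwong", "owner": "e101",
     "last_login": date(2016, 1, 22),
     "entitlements": {"ap_create_vendor", "ap_approve_payment"}},
    {"system": "erp", "account": "rjones", "owner": "e102",   # owner has left
     "last_login": date(2015, 9, 1), "entitlements": {"ap_view"}},
    {"system": "crm", "account": "svc_export", "owner": None,  # no owner at all
     "last_login": date(2016, 1, 1), "entitlements": {"export_all"}},
    {"system": "crm", "account": "jsmith", "owner": "e100",   # unused for months
     "last_login": date(2015, 8, 15), "entitlements": {"read"}},
]

# Constructed separation-of-duties rules: holding every entitlement in the set
# across any of a person's accounts is a policy violation.
SOD_RULES = [
    (frozenset({"ap_create_vendor", "ap_approve_payment"}),
     "AP: create vendor and approve payment"),
]


def analyze(hr_feed, accounts, sod_rules, today, dormant_days=DORMANT_DAYS):
    """Return a dict of finding category -> list of affected accounts/owners."""
    findings = defaultdict(list)
    entitlements_by_owner = defaultdict(set)

    for acct in accounts:
        key = f"{acct['system']}:{acct['account']}"
        owner = acct["owner"]
        if owner is None:
            findings["orphaned"].append(key)
        elif hr_feed.get(owner) != "active":
            # Terminated, or an owner id the HR feed has never heard of.
            findings["abandoned"].append(key)
        else:
            # Only active people accumulate entitlements for SoD checks;
            # abandoned accounts are already flagged for removal.
            entitlements_by_owner[owner] |= acct["entitlements"]
        if today - acct["last_login"] > timedelta(days=dormant_days):
            findings["dormant"].append(key)

    for owner, ents in entitlements_by_owner.items():
        for toxic_set, label in sod_rules:
            if toxic_set <= ents:
                findings["sod_violation"].append((owner, label))

    return dict(findings)


def report(today=date(2016, 2, 1)):
    """Run the analysis over the constructed sample data for a fixed 'today'."""
    return analyze(HR_FEED, ACCOUNTS, SOD_RULES, today)


if __name__ == "__main__":
    for category, items in sorted(report().items()):
        print(f"{category}:")
        for item in items:
            print(f"  {item}")
```

The useful property is that each finding category maps to a concrete remediation: orphaned accounts need an owner assigned or get disabled, abandoned accounts are deprovisioned, dormant ones are challenged at the next certification, and SoD hits are routed to the business owner for a compensating control or removal. The same join is what a real IIAM product runs continuously rather than on a one-off extract.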
Is Intelligent Identity and Access Management (IIAM) for you? Read more about how you can use IIAM in your business to turn big data into actionable information by downloading IIAM for Dummies today!
Core Security and their incredible team are not the only new additions to Courion. We are thrilled to welcome back Lisa Lombardo to Courion. Lisa recently sat down with me and gave me a bit more insight on why she came back and what she thinks of the company today.
Ashley Sims: Lisa, you were here for over 18 years. You left during the recapitalization and resulting restructuring last spring and we are thrilled to announce that you have just come back. Can you let us know why you made this important decision?
Lisa Lombardo: Look, I knew Courion had to change, we all did, but with change comes uncertainty. We lost a lot of great people and while I say I “left” the company, I was never that far away because I was still helping out in a consulting capacity during the transition. That gave me a front seat to see the “sausage being made” and it wasn’t always pretty; it strained many parts of the organization. However, I’ve also gotten to see the investments that have been made across our business and their resulting benefits. Our capacity to deliver has grown with our expanded partner network, our internal and customer training has gone from adequate to ever-improving, and our backend financial, expense and customer management systems are all upgraded so our business just runs faster, more smoothly and more effectively. I was surprised to learn we’ve hired and ramped 120+ people. We have the resources to invest in improvements in deployability, reliability and UX across the product offerings. The acquisitions of SecureReset and Bay31 make our existing products better, and you can see that with our merger with Core Security, which begins to deliver a new, intelligence-driven, better-together vision for the entire security industry. Finally, and perhaps most important to me, we have absolute clarity that making our cherished customers “raving fans” is a pillar of our business. Here again we have made much-needed and long-sought-after investments; our new Customer Success organization is bigger and better than ever. Yes, I am glad to rejoin Courion, but I am happier that my Courion is improving and advancing both tactically and strategically.
In this week's #TechTuesday roundup: Fitbit users fall victim to account takeovers, Indiana University Health Arnett Hospital loses a USB drive with over 29,000 patient records, the U.S. Federal Financial Institutions Examination Council warns banks of an increase in ransomware, encrypted emails can be read on BlackBerry devices, and a recently patched XSS vulnerability on eBay invited spearphishing.
In November we started a wonderful webinar series with industry leader William "Buddy" Gillespie, HCISPP and we introduced that series with a sit down interview. Yesterday, we concluded the series with a webinar titled "Healthcare 2020: Focus on the Future". While the webinar series may be over, our partnership with Buddy will continue and we would like to continue to showcase his knowledge through another sit down interview. Here's what Buddy had to say about the future of Healthcare IT.
Courion Corporation: What are the changes you have seen in the last six years?
William "Buddy" Gillespie: The last 6 years have been a fast train for Health Information Technology and have resulted in a huge magnitude of change to the delivery of healthcare. The major force vector behind the high rate of change has been the HITECH Act. There is no doubt that this Act was the major catalyst to get hospitals to invest in the EMR and other related technologies. The number one change has been in the way patient care is delivered. Physicians, for the most part, no longer fight technology but embrace it. The question on the table is: will the changes sustain or will they fall back? We can only hope that Meaningful Use is “too big to fail”.
CC: What about the sustainability of HITECH, Electronic Health Records, Meaningful Use, and the Triple Aim?
BG: In 2009, the HITECH Act was signed into law, which established the goal to implement the Electronic Health Record across all healthcare providers and thereby establish a road to have every caregiver utilize the EHR in a manner which constitutes a “meaningful use” of the patient data. Rules were established to define Meaningful Use, and if the provider achieved the goal, incentive payments would be paid to the providers. The Act was set up in three phases and each phase has its own criteria/rules to define the objectives for achievement. Ninety percent of providers have achieved the first two phases and over $20 billion has been paid out in incentives. The criteria for the final phase have been released and providers are gearing up. The ultimate goal of the HITECH Act and Meaningful Use is to meet the three pillars of the Triple Aim: reduce the cost of healthcare, increase quality and improve the patient experience. The question now becomes how successful the first two phases have been in meeting the goals of the HITECH Act and the Triple Aim. Surveys in that regard have resulted in mixed reactions. While the overall feeling is positive, some have responded that the Act has created additional burden on an already excessive patient load for physicians. There is no doubt that the Act has resulted in the expansion of the EHR to a level never before seen in healthcare. Today over 50 percent of physician practices and over 60 percent of hospitals have implemented a robust EHR. Phase Three will be the ultimate test of the success factors for the HITECH Act. That phase will build on the first two phases and take into account the pros and cons of the first two phases.
In my opinion the real critical success factor will be sustainability. Once the dollar incentives are gone and the “awe gee” reaction has passed, will the current level of Meaningful Use survive? I think not unless healthsystems and providers continue to monitor, nurture and invest in the resources and technology to sustain Meaningful Use.
CC: How can one be ready for Phase 2 of the OCR HIPAA Audit Program?
BG: The Office for Civil Rights (OCR) has announced that they are ready to start the second phase of the HIPAA/HITECH audit program. The scope of Phase 2 will be to audit 200 plus covered entities. The audit criteria will be benchmarked to the compliance of the HIPAA Privacy and Security Rules plus the requirements for Breach Notification. The Covered Entities Audits will be followed by audits of the Business Associates to include EMR vendors, Cloud Service Providers, and other BAs in the HIPAA Chain of Trust continuum.
Although OCR has indicated that the first round of audits will be a review of policies and processes, additional on-site audits will be more comprehensive in nature and focus on a deep-dive of internal technology and other types of mitigating solutions in place to support risk prevention.
So what is a good rule of thumb for preparing for the OCR audit? First of all, make the assumption that you will be part of the 200 plus and prepare a plan sooner rather than later. The plan should be kept simple and kept to a few basic components:
- Review OCR’s audit protocol and be well versed on the HIPAA and HITECH regulations
- Review your documentation and ensure you have the most recent HIPAA guidelines, policies, and procedures in place and the organization is well-educated relative to those documents
- Have a clear understanding of what OCR’s expectations/process are relative to providing your documentation to the auditors.
- Orchestrate a “mock” audit with all internal parties and simulate a real audit.
- Lastly, establish a communication chain within your organization to communicate events, timelines, tasks, status, etc.
CC: What is the role of analytics and business intelligence with healthcare? Also, how is it affected by the “Big Data Storm”?
BG: We hear a lot about Big Data, Analytics and Business Intelligence and their role in healthcare. We are in the middle of a “Big Data Storm” which means some amount of turbulence as we sort through the best methods to survive the storm and harvest the best use of the data. I recall being asked twenty years ago by a physician to produce some clinical decision support reports. I had to reply “I am sorry, but we don’t have the data”. Today that response is no longer valid, we do have the data, lots of it, actually petabytes of data. So now it is all about turning that data into meaningful analytics/dashboards so that the C-Suite and physicians can make predictive decisions to forecast the financial status of the hospital or forecast and improve the outcomes of their patients. In order for the benefits of Analytics to be recognized it will take a large investment of resources and tools to extract, categorize, and build the meaningful dashboards. It can be done but it will require a top-down data governance and investment in technology to make it happen.
CC: What are the pros and cons of employees bringing their own devices to their respective hospitals?
BG: Today 90 percent of hospitals allow their employees to BYOD. The justification is based on perceived increased productivity because the employees are using devices they are familiar with 7 by 24. BYOD can also boost employee morale; they can view pictures of kids and grandkids and communicate with family members with minimal disruption to their work day.
The downside is the “Internet of Things” which means different devices, different operating systems and different touch and feel. This creates a security nightmare for the IT department. A recent Gartner survey shows that only 50 percent of hospitals have a Mobile Device Management system in place to mitigate the security risks associated with BYOD.
CC: What is the importance of mobile device management? What are the safeguards to protect their devices?
BG: BYOD is on a sprawl across healthcare and becoming a standard for doing business.
A recent survey by HIMSS indicates that 70 percent of clinicians use a mobile device to access patient data. Physicians say that mobile devices increase their efficiency and result in improved quality of care. However, the chance of a data breach increases with the BYOD scenario and can result in a HIPAA violation.
So what is the best solution to mitigate the risk of a data breach? The industry is pointing toward the implementation of a Mobile Device Management solution (MDM).
MDM can provide the following safeguards:
- The enforcement of device security by creating a standard across all types of devices
- Provide for a “lock-screen” if a device is lost or stolen
- The disablement of apps which may be corrupted and open to breach
- Remote monitoring to see the status of all devices and thus proactively sense an impending breach.
Well, it all gets back to budgets and the priority of investments. While surveys indicate that security is a high priority, when the allocation of dollars is decided, the security investments fall toward the bottom. In contrast, the remediation of a single HIPAA breach instance can cost a hospital millions of dollars.
The decision is whether to be proactive or reactive, we will see.
CC: Finally, what keeps you up at night?
BG: Upon retirement as a healthcare CIO/CTO a few years ago, I realized how much better I felt after a good night’s sleep. After so many years of being the executive in charge of a large data center, miles of network connectivity, gigabytes of patient data and 200 IS professionals, there was always something on my mind as I retired to a doubtful good night’s sleep.
Although I sleep more soundly these days, I still recall the pain points that kept me tossing at night. The “internet of things” has exploded since my CIO/CTO tenure but the basic issues still exist although somewhat changed in terminology, structure and magnitude.
Here are a few of the issues I recall that kept me up at night and still do if I am having a nightmare:
Privacy/Security and HIPAA Compliance
- After the HITECH Act of 2009 and the Omnibus Bill of 2013 the HIPAA bar raised relative to the Privacy and Security regulations. CIOs must now partner with the CISOs to understand what is required to comply with the expanded regulations. HIPAA is not one and done and continues to evolve. In years past if you had a good firewall in place you didn’t worry, but today the onslaught of Cyber Attacks has brought a new dimension of requirements and added layers of technology.
- After the billions were invested in technology after the HITECH Act was passed, healthcare organizations are slowing down on IT investments. At this point the investments are focused more on sustaining what was purchased and implemented in the last 6 years. CIOs are looking at the cloud and consultation to lower ongoing operational costs. What we build, we must sustain.
- After the HITECH Act passed in 2009, ONC announced that there would be an increased need for 50,000 more healthcare IT professionals. I am not sure that number was reached, but if you look at the job postings for the large healthsystems you will find a large number of IT vacancies. Talented and experienced IT professionals are in high demand and that void will continue into the next decade.
- CIOs are expected to be not just a technology expert but an innovator as well, able to understand the changing landscape of healthcare and how to couple the technology and business together for better outcomes. The C-Suite is constantly taking up more of the CIO's time, resulting in less focus toward the basics of running a solid IS department.
- The paperless patient record has brought about the necessity for business continuity planning. At the heart of that is a viable Disaster Recovery plan. A recent survey shows that 50 percent of hospitals with an EMR have no DR plan. Given the bad experience with Katrina and the Sandy storm, you would think that would be a lesson learned. The number one priority for CIOs is to keep the lights on in the data center. DR is more than just backing data up to tapes!
Thank you so much to Buddy for another great interview and for another insightful webinar.
Missed Buddy's webinar, "Healthcare 2020: Focus on the Future"? Catch up here!
In this week's #TechTuesday roundup: Time Warner Cable says up to 320,000 customers' data may have been stolen, Blackphone is given a blackeye with a vulnerability discovery, a security expert discovered a major security flaw in PayPal's security system, Sony's PlayStation Network was shut down by a possible DDoS attack and Brain Test malware was back on the Google Play store.
While it may be hard to imagine with the cold weather we've seen across the U.S. this week, May really is just around the corner and registration for our annual user conference has begun! If you're new to Courion, Core Security, or just wondering what these two companies have to offer - let me tell you a little more about our favorite event of the year.
What is CONVERGE?
Converge is the industry’s longest running identity governance and administration user conference. However, just as our company continues to grow, so does our conference. This year we are thrilled to be able to offer insight into the world of vulnerability management and expand our vision to serve our customers’ cyber-security needs as a whole. Information security professionals from around the world will gather together for three days of product training, case studies, and panel discussions designed to help your team make the most of their Courion and Core Security investments and achieve meaningful business results.
On Tuesday, May 24, workshops that offer a deep dive into provisioning, governance, and vulnerability management are offered for your technical staff, while general conference sessions for all begin Wednesday, May 25 and conclude with a guest keynote on Thursday, May 26. In addition to our conference sessions we will be hosting a special event on Wednesday and a Solutions Showcase on Tuesday where all attendees will have the chance to check out new product demos, meet our customer success team, and network with our partners.
Why should you attend?
This year will be bigger and better than ever as we bring together Courion’s expertise on identity and access governance with Core Security’s top notch vulnerability management experts. If you’ve been curious as to just how these solutions work together, there is no better time to learn than at CONVERGE!
Also, by taking advantage of Tech Tuesday, a full day of technical workshops, you can earn up to 15 continuing professional education (CPE) credits toward your ISC2 or ISACA accreditations.
More reasons to attend:
- Mix, mingle, and learn from peers, analysts, industry thought leaders, and Courion executives and product specialists
- Learn what’s next in Courion’s roadmap and how Core Security will make an impact
- Become a cyber security expert: take advantage of Tech Tuesday for tips and tricks for getting the most out of your solutions
- Earn 15 hours of continuing professional education (CPE) credits toward your ISC2 or ISACA accreditations such as CISSP or CISM. We do the paperwork for you!
- Connect with our partners such as PING, SecZetta, and IDMWORKS.
- Meet our executives. Register now to be eligible to book a one-on-one meeting with CEO David Earhart, COO Chris Papadakis, or VP of Product Management and Marketing Venkat Rajaji.
- Contact your account representative to learn more
- Enjoy sunny Orlando. Because who doesn’t need a few days of sunshine?
- Save now. We’ve extended our Early Bird special for our new Core Security customers. Register before January 31 to save $300 ($499 if registered before January 31).
If you have any questions, send us a note at CONVERGE@courion.com and we will help get you started.