Blog Listing

Tunneling into a Data Breach: The Problem with Remote Access and the Terminated Employee
Another insider unauthorized access incident came across my radar just as I put the finishing touches on my most recent blog post highlighting Lesmany Nunez’s case being the latest example of a disgruntled employee breaching a network. As of today, the most current remote access security breach involves Danielle Duann, an IT director of a nonprofit organ and tissue donation center.
Massachusetts Data Privacy Regulations – Are You Protected?
A recent Gartner Blog Network post and Wall Street Journal article both focus on new, stricter data regulations being passed in several states, including Massachusetts. The final set of the Massachusetts regulations focuses on restricting employee access to data, monitoring malicious activity on the network, and strong authentication protocols. The new regulations will go into effect beginning January 1, 2009.
Drowning in Security: Keeping Security Transparent from Users
Users from temporary staff all the way up to the corner office complain about ‘drowning in security.’ Why does it take four more passwords to open an email at work in some cases than to check a bank balance via the home PC? The things that make a car safe - airbags, safety glass, crumple zones, etc. - are not obvious to the driver. What lessons can we adopt from hidden security measures to make security less of a drag on employee performance?
User Access Relevance in a HITECH Age-Imprivata
The National Institute of Standards and Technology (NIST) published its Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule back in late 2008, but, spurred by a jolt of healthcare IT investment driven by HITECH mandates, it has renewed relevance today. From a user access perspective, there are important technical safeguards outlined in the areas of Access Control, Audit Control, Integrity, and Person or Entity Authentication that are worth calling out. Specific Key Activities within these technical safeguards criteria you should review include...
Evaluating SSO solutions? Be sure to ask the right questions
The right single sign-on (SSO) solution can resolve your password management issues. However, some SSO solutions raise as many issues as they promise to solve—the cost of purchase can be quite high, and the complexity of implementation and management can overwhelm IT departments. As you start your SSO vendor evaluation process, it’s important to know what questions to ask to ensure that you have a thorough understanding of the complete solution including product features and functionality, implementation and deployment, and ongoing management. Sample questions across important categories include...
Miami Incident Illustrates Insider Breach Trend
I was reading the recent security breach news about Lesmany Nunez, a former IT administrator who was recently sentenced to a year and one day in federal prison for computer fraud. Mr. Nunez was an employee at Miami-based Quantum Technology Partners (QTP) and three months after his employment ended, he was still able to access the company’s network with an administrator password. What he did then was break into QTP’s servers, shut them down, change the system administrators’ passwords and erase files, all of which ended up costing QTP more than $30,000.
Identity Management Trends in PCI Compliance Survey Findings
The other week, we announced some findings from a survey conducted over the past couple of months aimed at understanding where authentication and access management sits in the eyes of those concerned with Payment Card Industry (PCI) data security standards (DSS). With PCI publishing the latest PCI Data Security Standard 1.2 on Oct. 1, 2008, this online survey highlighted some interesting trends as companies work toward compliance. Here are a few stats to briefly call out...
One Small Step for e-Prescriptions, One Giant Leap for Healthcare
The merger between RxHub and SureScripts has garnered extensive coverage - here, here and here, among others. This is a huge step forward for standardizing on, and speeding the adoption of, electronic prescriptions. It is significant progress, and the latest of many advancements the healthcare sector is driving forward. There is one area of the electronic prescriptions story though that is missing from all of the stories around the RxHub/SureScripts merger, though it's an important piece of the equation - authenticating that the prescription drug order is legitimate, and truly from an approved physician. Electronic transactions are easier and quicker, sure, but so is the potential for misuse and fraud.
Highlights from the Digital Healthcare Conference
The Digital Healthcare Conference 2010 occurred last week in Madison, WI, under the theme of “Healthcare IT in transition.” Imprivata Chief Medical Officer Dr. Barry P. Chaiken served as the conference chair for this event, which boasted an impressive agenda that kicked off with KLAS Founder and Chairman Kent Gale exploring the obstacles to physician adoption of electronic medical records (EMRs). Gale’s “Top Ten” list highlighted common things that stand in the way of EMR adoption, and the takeaway from the entire session aimed to get attendees to see how establishing transparent workflow can lead to physicians truly embracing EMRs.
HIMSS Virtual Conference Box Butte General Hospital -- VDA, Productivity and the User Experience
The HIMSS Virtual Conference occurred this week, covering a myriad of topics ranging from Electronic Health Records (EHRs), impact of the HITECH Act, workflow optimization as well as privacy and security in the cloud for healthcare systems. One presentation that readers of this blog may find useful was that from Box Butte General Hospital on Nov. 4 at 9:00am CT (you can register on the site for access; HIMSS members can already access it online). Here’s a brief synopsis from the session description highlighting what was covered in the presentation...
California Medical Data Breach Report Highlights Healthcare Access Management Concerns
Late last year, California enacted a new state law to help notify patients of potential breaches of their personally identifiable health information, requiring healthcare organizations to report suspected incidents of data breaches. The initial results are in, and it’s not pretty. According to the Journal of the American Health Information Management Association, California officials have received more than 800 reports of potential health data breaches in the first five months since the laws went into effect on January 1st. Of the 122 cases that have been investigated, 116 have been confirmed as security breaches. Officials expect the numbers to grow as more organizations put in the processes to report potential breaches.
Financial Services CIOs, Insider Threats and the Human Behavior
I've had a few conversations lately tied around the topic of the insider threat in the financial services arena, so I figured I'd scan around the Web to see what's out there and came across an interesting InfoWorld article. Though it is from last Fall, it hits on a number of concerns that are timely now, especially given the major breaches like Societe Generale. The article reports on a Deloitte study that highlights two major data points that I want to call out:
Fast Access for Clinicians and Secure Patient Data for IT: Can You Have Both?
A couple of weeks ago I moderated a Healthcare IT News webinar session that examined how hospitals today make patient data easily and securely accessible throughout the clinical workflow. I was joined by Dr. Zafar Chaudry, CIO of Liverpool Women’s NHS Foundation Trust & Alder Hey Children’s NHS Foundation Trust and Dr. Lawrence Losey, Pediatrician, Chief of Pediatrics and Chief Medical Information Officer (CMIO) for Parkview Adventist Medical Center. The session addressed the clinical workflow, process and technology behind providing fast, secure access to patient data, touching on all the areas within a hospital where a workstation sits and from anywhere a clinician may need access.
Halloween Scary Security Stories – Healthcare Security Risks
This week, I took part in Network World’s annual real-life scary security stories podcast, a panel hosted by Keith Shaw that looks at some of the most frightful security incidents over the past year. This year, I focused on some of the data security incidents that are becoming all too common in the healthcare industry.
2009 Identity Management Mid-Year Report: A brief look back and ahead
Back in January, I shared some of my observations on 2009 Priorities for identity management in the new economic reality people are faced with - productivity, security and manageable IT projects. This year’s economics have forced people to do more with less, manage tighter budgets and maintain enterprise security while dealing with re-orgs and layoffs. While 2008 was the worst year to date for data breaches, 2009 hasn’t been much better if you look at this chronology of data breaches, including the recently disclosed incident at Goldman Sachs. The Identity Theft Resource Center keeps tabs as well, and has a nice snapshot of high-profile data breaches. Many of these are the result of unauthorized access, some combined with placing malicious code on servers or laptops to siphon off data. It’s amazing the methods that are being used to access systems, steal data, sometimes extort money and always damage reputations. Potential impact of the Goldman Sachs’s unauthorized upload of proprietary software is still under investigation, but information on how easy it was to pull off makes for scary reading. Given the potential impact of data breaches, there has been significant progress made to tighten access to systems, so let’s review some of the relevant things that are happening in identity management. Following are three areas, I believe, we need to watch for in the latter half of 2009...
Security in the Cloud
While the concept of cloud computing (accessing applications online) has been around for close to a decade, talks on the subject have intensified significantly in recent months. The catalysts to these discussions range from the sharp decline in hardware and network infrastructure costs to the desire for a business to 'go green' to the need for accessibility by an increasingly distributed workforce. Whatever the reason, big business has taken notice and as this interest turns into action, these companies must be prepared to look at all of the key issues around this move before taking action.
Identifying Identity Resources
There's a lot of news and opinions on the web as the blogosphere continues to grow. As a result, the web can be overwhelming on one hand and full of wonder on the other as you sort and click through the rabbit hole of conversations on the other side. In light of this, I thought I would provide a short list of great blogs and resources that I follow from the identity management circles that are worth checking out and engaging with:
Welcome, Jim Whelan, VP of Imprivata’s North American Healthcare Group
I’m excited to join Imprivata at a time where healthcare IT, patient data security and clinician workflow efficiencies are front and center in boardrooms and nurses' stations across the country’s healthcare institutions. With more than 500 hospitals on the customer roster, one million healthcare users and strategic relationships with all of the popular HIS vendors, Imprivata has built a strong foundation that was very attractive for me to join and bring my experiences. Imprivata’s healthcare pedigree enables us to focus on delivering practical innovations for solving real-world problems surrounding simplifying and securing user access in hospital environments.
Identifying Identity Resources, Part II
Back when this blog was in its infancy, we outlined a number of identity management resources that readers should check out. Those blogs are still on the “must-read” list, but there are a number of new ones that have popped up that people interested in identity and access management may find useful...
Medical ID Theft and Tying Patients to Electronic Records with Strong Authentication
The New York Times recently published an interesting article on the rising problem of medical identity theft. When the federal government last researched the issue in 2007, more than 250,000 Americans reported that they were victims of medical identity theft. Since that last report, most experts agree the problem has undoubtedly grown, in part because of the growing use of electronic medical records built without extensive safeguards. To exacerbate the situation, cleaning up after medical ID theft can be hindered by HIPAA compliance – the regulations protect the medical information of the ID thieves as well as you.