HP Security Products Blog
From applications to infrastructure, enterprises and governments alike face a constant barrage of digital attacks designed to steal data, cripple networks, damage brands, and perform a host of other malicious intents. HP Enterprise Security Products offers products and services that help organizations meet the security demands of a rapidly changing and more dangerous world. HP ESP enables businesses and institutions to take a proactive approach to security that integrates information correlation, deep application analysis and network-level defense mechanisms—unifying the components of a complete security program and reducing risk across your enterprise. In this blog, we will announce the latest offerings from HP ESP, discuss current trends in vulnerability research and technology, reveal new HP ESP security initiatives and promote our upcoming appearances and speaking engagements.

Organizations are not adequately protecting E-health records

The American Recovery and Reinvestment Act of 2009 (aka the stimulus package) included funds to both implement electronic health records and rules to specifically improve personal health information breach notification rules. It’s ironic, then, that the rush to digitize personal health information didn’t include implementing security.  A recent survey of IT managers involved in healthcare revealed that 80% had suffered at least one incident or more of lost or stolen health information over the past year. More tellingly, most still have no support from their senior management to fix the problems.


It's not that the costs of a breach don't have sufficient teeth. Heartland Payment Systems has incurred over $12.6 million in fines, penalties, and other costs associated with their breach of credit card information. And while that's a different industry and a disproportionately massive example, the breach penalties and notification requirements between PCI and HIPPAA are not dissimilar. According to this health information study, the costs of a compromised health information record exceed $210 per instance. That can obviously add up quickly when a database containing thousands of records has been exposed.


So what's the problem, then? One huge one is that developers still don't have a good understanding of security. Most have heard of Cross-Site Scripting, for instance, but they've never seen it exploited. And when you don't understand the problem, it's hard to convince budget and time constrained managers that the costs to fix the problems are ultimately reasonable. Until the ease with which data breaches occur are understood, vendors are going to continue to play a dangerous game by not fixing the problems. There is a proven need for upgrading our medical systems to be both more cost-effective and to provide better overall health care. But security needs to be a part of that prescription, too.



Budget pressures still leading to increased risks

The Independent Oracle Users Group (IOUG) just released a database security survey of their members. As we've recently seen a lot, budget pressures are once again leading to increased risks. Organizations know there is a problem, understand it's getting worse, yet don't have the budget or resources to fix it. For instance, database breaches grew by 50% from last year to this. That's not a slight increase by any standard. Yet, the demand to do more with less has kept pace with the rise of the threats. And on top of that, database administrators see their biggest problems as internal threats, not external.  While spending on security has fared somewhat better than most areas during the down economy, until things pick up significantly security is still going to take a back seat to other concerns.



Labels: breach

Rules for web-based health repository breach notifications announced

The Federal Trade Commission (FTC) has released the final rules concerning breach notifications for Personal Health Information (PHI) that were required under the American Recovery and Reinvestment Act of 2009 which was passed in February (otherwise known as the stimulus package). The Department of Health and Human Services (HHS) and the FTC were tasked with issuing rules requiring vendors of personal health records and related entities to notify individuals when the security of their individually identifiable health information was breached. This closes a loophole in the Health Insurance Portability and Accountability Act (HIPAA) for web-based companies that gather health information. Until now, they had typically not been covered under HIPAA. The new rules go into effect 30 days after publication in the Federal Register. The FTC plans to begin enforcement 180 days after that.


 Some interesting items in the new rules:


 ·         Encrypted data is considered secure (hope it's strong).


 ·         The media must be notified if more than 500 individuals have had their information accessed.


 ·         Companies have up to 60 calendars days to provide notifications.


 ·         Law enforcement can delay notifications if it would impede an investigation or be a threat to national security.


 ·         If the contact information for 10 or more individuals is out of date, alternate notice may be given via a posting on the vendor web site or through the media. (10 is not a lot. It might be 'easier' to find those and do the notification on your web site…and then save the postage.) Read the rules here.




Read the rules here.







Showing results for 
Search instead for 
Do you mean 
About the Author(s)
HP Blog

HP Software Solutions Blog


Follow Us
The opinions expressed above are the personal opinions of the authors, not of HP. By using this site, you accept the Terms of Use and Rules of Participation.