HP Security Products Blog
From applications to infrastructure, enterprises and governments alike face a constant barrage of digital attacks designed to steal data, cripple networks, damage brands, and perform a host of other malicious intents. HP Enterprise Security Products offers products and services that help organizations meet the security demands of a rapidly changing and more dangerous world. HP ESP enables businesses and institutions to take a proactive approach to security that integrates information correlation, deep application analysis and network-level defense mechanisms—unifying the components of a complete security program and reducing risk across your enterprise. In this blog, we will announce the latest offerings from HP ESP, discuss current trends in vulnerability research and technology, reveal new HP ESP security initiatives and promote our upcoming appearances and speaking engagements.

Why is continuous monitoring (OMB M-10-15 Compliance) so important?

IT operators rely on event-reduction techniques such as correlation engines, or they limit either the breadth or the depth of data collection to machine data from business-critical applications only. The machine data that is collected is typically neither categorized nor normalized, and there are no tools to search the events or logs.

The data is also retained only for the short term, which may not meet the need to keep services up and running at all times. Short-term retention limits the intelligence in the system, because incidents that were resolved and annotated a few months ago may no longer be available for retrieval. The alternative is to invest in expensive databases and resources to manage and analyze the data.

Top 10 things for security people to do at HP Discover 2013 - Las Vegas, NV

HP Discover kicks off today with over 10,000 attendees from some of the best brands around the world. Meg Whitman, CEO and President of Hewlett-Packard, opened HP Discover 2013 with a keynote suggesting her top 10 list of things to do at the show.

With cyber-security gaining momentum every year, we recommend that IT security and compliance people make sure they complete this checklist of the top 10 things to attend while in Las Vegas for the event.

New Personal Health Information (PHI) breach guidelines included in stimulus package

Under the American Recovery and Reinvestment Act of 2009 passed in February (otherwise known as the stimulus package), the Department of Health and Human Services (HHS), in consultation with the Federal Trade Commission (FTC), must issue rules requiring vendors of personal health records and related entities to notify individuals when the security of their individually identifiable health information is breached. As a first step, the FTC has now issued a formal notice seeking public comment on a proposed rule requiring vendors of personal health record systems and related entities to notify consumers in the event of a security breach. This is a positive move towards building federal standards for Personal Health Information (PHI) breaches that at least match the requirements already applied to other important data such as credit card numbers.

The stimulus package also tries to close the current Health Insurance Portability and Accountability Act (HIPAA) notification 'loophole' by recognizing that there are now new entities (for example, third-party storage vendors) that collect consumers' health information but are not covered by the current breach guidelines. Beginning September 16th, "covered entities" under HIPAA will be required to give breach notifications, and "business associates" of HIPAA-covered entities will be required to report breaches of PHI to the covered entities. Until the HHS and FTC issue new guidelines, the new HIPAA requirements should ensure that affected individuals, from physicians to patients, are notified within 60 days of discovery of a breach. This will apply to any organization that uses or maintains "unsecured protected health information."

There is definitely a need for federal guidelines regarding PHI breaches. Currently (and until September, when the new HIPAA requirements go into effect), only two states (California and Arkansas) require breach notifications for all concerned entities. What exists now is a mishmash of state and federal regulations concerning PHI breaches that only serves to breed confusion. That is not helped by organizations (third-party storage vendors, for example) that are not following simple standards of customer service when notifying patients or physicians of PHI breaches, because they do not yet have to. As we've seen with Wall Street, self-regulation is not always the best answer, especially when it comes to delivering bad news. Companies should be aware that any breach of PHI will soon require across-the-board notification, from consumer to health care provider, and that lack of compliance can result in hefty fines. The stimulus package created four tiers of penalties for different levels of culpability, ranging from $100 to $50,000 per violation, with annual caps of $25,000 to $1,500,000 per calendar year. These fines are effective immediately. In addition, new state guidelines enacted this year carry hefty penalties for non-compliance. California guidelines adopted this year as part of SB 541 include penalties of $25,000 per patient for unauthorized access, use, or disclosure of patients' records, $17,500 for each subsequent occurrence of access to an affected patient's records, and $100 per day of delayed reporting of a breach. Any company that handles PHI would be well served to step up security efforts to avoid a breach now that the consequences are more severe, and to have a notification policy in place and ready to go in the unfortunate event of a breach.


Labels: compliance | hipaa | phi