HP Security Products Blog
From applications to infrastructure, enterprises and governments alike face a constant barrage of digital attacks designed to steal data, cripple networks, damage brands, and perform a host of other malicious intents. HP Enterprise Security Products offers products and services that help organizations meet the security demands of a rapidly changing and more dangerous world. HP ESP enables businesses and institutions to take a proactive approach to security that integrates information correlation, deep application analysis and network-level defense mechanisms—unifying the components of a complete security program and reducing risk across your enterprise. In this blog, we will announce the latest offerings from HP ESP, discuss current trends in vulnerability research and technology, reveal new HP ESP security initiatives and promote our upcoming appearances and speaking engagements.

Organizations are not adequately protecting E-health records

The American Recovery and Reinvestment Act of 2009 (aka the stimulus package) included funds to both implement electronic health records and rules to specifically improve personal health information breach notification rules. It’s ironic, then, that the rush to digitize personal health information didn’t include implementing security.  A recent survey of IT managers involved in healthcare revealed that 80% had suffered at least one incident or more of lost or stolen health information over the past year. More tellingly, most still have no support from their senior management to fix the problems.


It's not that the costs of a breach don't have sufficient teeth. Heartland Payment Systems has incurred over $12.6 million in fines, penalties, and other costs associated with their breach of credit card information. And while that's a different industry and a disproportionately massive example, the breach penalties and notification requirements between PCI and HIPPAA are not dissimilar. According to this health information study, the costs of a compromised health information record exceed $210 per instance. That can obviously add up quickly when a database containing thousands of records has been exposed.


So what's the problem, then? One huge one is that developers still don't have a good understanding of security. Most have heard of Cross-Site Scripting, for instance, but they've never seen it exploited. And when you don't understand the problem, it's hard to convince budget and time constrained managers that the costs to fix the problems are ultimately reasonable. Until the ease with which data breaches occur are understood, vendors are going to continue to play a dangerous game by not fixing the problems. There is a proven need for upgrading our medical systems to be both more cost-effective and to provide better overall health care. But security needs to be a part of that prescription, too.



Rules for web-based health repository breach notifications announced

The Federal Trade Commission (FTC) has released the final rules concerning breach notifications for Personal Health Information (PHI) that were required under the American Recovery and Reinvestment Act of 2009 which was passed in February (otherwise known as the stimulus package). The Department of Health and Human Services (HHS) and the FTC were tasked with issuing rules requiring vendors of personal health records and related entities to notify individuals when the security of their individually identifiable health information was breached. This closes a loophole in the Health Insurance Portability and Accountability Act (HIPAA) for web-based companies that gather health information. Until now, they had typically not been covered under HIPAA. The new rules go into effect 30 days after publication in the Federal Register. The FTC plans to begin enforcement 180 days after that.


 Some interesting items in the new rules:


 ·         Encrypted data is considered secure (hope it's strong).


 ·         The media must be notified if more than 500 individuals have had their information accessed.


 ·         Companies have up to 60 calendars days to provide notifications.


 ·         Law enforcement can delay notifications if it would impede an investigation or be a threat to national security.


 ·         If the contact information for 10 or more individuals is out of date, alternate notice may be given via a posting on the vendor web site or through the media. (10 is not a lot. It might be 'easier' to find those and do the notification on your web site…and then save the postage.) Read the rules here.




Read the rules here.







Extortion can mean double jeopardy for personal health information providers

I've been thinking a bit more about the personal health information extortion attempt that's been in the news recently, and which Ken Swinney mentioned in his  Keep the snakes at bay  post yesterday. If you haven't been following the story, the gist is that a state agency responsible for identifying prescription medication abuse was hacked and compromised. Their site was then replaced with a ransom note demanding 10 million dollars for access to the database.

Under current guidelines, would this have required that patients be notified of a potential breach? It's hard to say without knowing all the specifics, and what 'concerned entities' were involved. Under the new HIPAA breach notification rules  that go into effect this September, though, notifications would most definitely be required.If nothing else, that's a lot of postage.

I can only imagine that we'll see more and more incidents of this nature in the future. In fact, this is not the first extortion attempt involving personal health information to become public in the past year. One of the nation's largest processors of pharmacy prescriptions (think benefit claims) also suffered an extortion attempt roughly six months ago. Smartly, they didn't pay. Even so, public extortion of this kind is double jeopardy for those who maintain personal health information (or financial, for that matter). At that point, providers are already in violation of any applicable legislation, and will be subject to those fines and penalties no matter what approach is taken in recovering the compromised data.





Showing results for 
Search instead for 
Do you mean 
About the Author(s)
Top Kudoed Posts
HP Blog

HP Software Solutions Blog


Follow Us
The opinions expressed above are the personal opinions of the authors, not of HP. By using this site, you accept the Terms of Use and Rules of Participation.