HP Security Products Blog
From applications to infrastructure, enterprises and governments alike face a constant barrage of digital attacks designed to steal data, cripple networks, damage brands, and perform a host of other malicious intents. HP Enterprise Security Products offers products and services that help organizations meet the security demands of a rapidly changing and more dangerous world. HP ESP enables businesses and institutions to take a proactive approach to security that integrates information correlation, deep application analysis and network-level defense mechanisms—unifying the components of a complete security program and reducing risk across your enterprise. In this blog, we will announce the latest offerings from HP ESP, discuss current trends in vulnerability research and technology, reveal new HP ESP security initiatives and promote our upcoming appearances and speaking engagements.

Keep the snakes at bay

Recently, a state agency announced that their site had been compromised by computer hackers. The attackers left a ransom note on the web site claiming that they had captured 8.3 million patient records and 35.6 million prescriptions. The attackers also claimed to have created a password-protected, encrypted backup of the data.  For a mere $10 million the miscreants offered to “gladly send along the password.”


To quote the great philosopher Morpheus, “Welcome to the desert of the real.”


Warnings about security flaws in web applications have been ignored by most for as long as web applications have existed. A small contingent of evangelists, including folks in our own HP Application Security group, have consistently warned about the existence and exploitability of these vulnerabilities.


The U.S. Department of Health and Human Services Inspector General, in a report dated October 27, 2008, stated that “limited actions” by the Centers for Medicare & Medicaid Services (CMS) have “not provided effective oversight or encouraged enforcement of the HIPAA Security Rule by covered entities.” Voluntary compliance (an oxymoron?) was a key problem cited for this lack of effectiveness.


Some suggest that healthcare records simply should not be made available via the public internet. That’s a lot like saying people shouldn’t eat greasy cheeseburgers. It may be true, but it’s not gonna stop.


The first step to understanding the real problem is recognizing that the availability of information, even healthcare information, is a growing part of our everyday lives. You wouldn’t put sharp kitchen knives on the floor where your toddler could reach them, would you? If you did do something this dangerous, would you then punish the toddler for cutting himself?


We need to stop wondering why snakes bite and start wondering what we can do to put a healthy distance between our toes and the snakes.

The federal government has enacted new, strong provisions to begin forcing developers of healthcare management software applications to provide notice of breaches to the medical providers they serve, who can in turn notify the affected individuals. This is a huge step, because in the past HIPAA compliance was a burden borne by the medical providers. If they aren’t notified of the breach, nobody is the wiser…until somebody finds out at the pharmacy that all of their pain prescriptions have already been filled by some nice young gentleman.

Now that software application developers are held accountable for security, I believe we’ll start to see some distance between us and the snakes. By the time these software developers figure out they need a plan for their web application security, they’ll find out HP has been there all along.


Ken Swinney
R&D Group Manager
HP Application Security Center

Search
Showing results for 
Search instead for 
Do you mean 
About the Author(s)
Follow Us


HP Blog

HP Software Solutions Blog

Labels
The opinions expressed above are the personal opinions of the authors, not of HP. By using this site, you accept the Terms of Use and Rules of Participation