Over the past few years we have seen massive breaches at a number of large and small retailers, with records on millions of consumers stolen and promptly offered for sale on illicit markets. Late last year a major studio was breached and valuable content (emails, video and so on) was stolen and promptly exposed. Most recently, over 80 million current and former members were affected by a data breach at a large health insurer.
I came across an article on the Healthcare Executives Network website about the breach, and it contained some insight on healthcare compliance regarding the hack at the large health insurance provider. In 2013 the HIPAA regulations were updated to encourage better management of healthcare records.
Below is a table I copied from the aforementioned article of the fines for mismanagement of healthcare records.
Exhibit 1: Categories of Violations and Respective Penalty Amounts Available
Violation category (Section 1176(a)(1)) / All such violations of an identical provision in a calendar year
(A) Did Not Know
(B) Reasonable Cause
(C) Willful Neglect, Corrected (Section 1176(a)(1)(C)(i))
(D) Willful Neglect, Not Corrected (Section 1176(a)(1)(C)(ii))
Source: Omnibus Final Rule, Federal Register Vol. 78, No. 17, Department of Health and Human Services; and Frost & Sullivan
For IT personnel, suffering a breach is a horrific experience, because several things are set in motion as soon as a breach is discovered:
Determining the extent of the breach and how it was carried out (deep research across voluminous logs)
Finding the 'holes' and closing them
Working with the legal department, and possibly external auditors, to re-examine and update the documentation on the breach, the remediation and the ongoing review.
The new reality of increasing attacks and expanding compliance and regulation means that traditional methods must be rethought. With IT budgets under pressure to deliver more applications and more user access to them, building a 'security blanket' over the top is too costly and in many cases simply not feasible. Security must be a natural part of the base IT architecture, reducing cost and complexity without compromising quality.
Encryption of data is vital, and attention usually focuses on data at rest (storage), but data in flight is just as exposed. For health systems, data in flight is a fact of business. Secondary data centers have been added for BC/DR purposes so that unplanned outages do not disrupt clinical, administrative and patient services. With electronic health record (EHR) systems, other clinical information systems and medical devices being implemented to improve patient outcomes and the organization's bottom line, a multitude of data-capture devices (mobile phones, tablets, imaging equipment, patient monitors and so on) have been distributed across many locations to improve patient services. Encrypting all of this data as it crosses the WAN is paramount, and it is worth checking, rather than assuming, that every inter-site flow actually is encrypted.
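One way to check that claim on a real link is to look at what actually crosses it. The following is an added example, not code from the original post or from Brocade: it parses raw IPv4 packets (as a capture tool would hand them over), recognises the IPsec wrappers (ESP, AH, and UDP-encapsulated ESP on port 4500 per RFC 3948) and IKE, and reports any flow between the two data-centre prefixes that is travelling in the clear. The site prefixes, the sample packets and the interface port 2575 are constructed assumptions for illustration, and the IPv4 checksum is left at zero because the packets never go on the wire.

```python
# Added example (not from the original post): audit a set of raw IPv4 packets
# seen on a WAN link and flag inter-site flows that are not inside IPsec/IKE.
# Standard library only. Prefixes, ports and packets below are hypothetical.
import ipaddress
import struct

IPPROTO_TCP = 6
IPPROTO_UDP = 17
IPPROTO_ESP = 50   # RFC 4303 Encapsulating Security Payload
IPPROTO_AH = 51    # RFC 4302 Authentication Header
IKE_PORTS = {500, 4500}
NON_ESP_MARKER = b"\x00\x00\x00\x00"  # RFC 3948: IKE on UDP/4500 starts with four zero bytes

# Assumed address plan (hypothetical): primary and BC/DR data centres.
SITE_A = ipaddress.ip_network("10.1.0.0/16")
SITE_B = ipaddress.ip_network("10.2.0.0/16")

IPV4_HDR = "!BBHHHBBH4s4s"  # ver/ihl, tos, total len, id, frag, ttl, proto, csum, src, dst


def build_ipv4(src, dst, proto, payload):
    """Build a minimal IPv4 packet (checksum left 0) as constructed test input."""
    hdr = struct.pack(IPV4_HDR, 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return hdr + payload


def classify(pkt):
    """Return (src, dst, label); label is 'esp ...', 'ah', 'ike', 'esp-natt' or 'cleartext:...'."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack(IPV4_HDR, pkt[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ver_ihl & 0x0F) * 4
    payload = pkt[ihl:total_len]
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)

    if proto == IPPROTO_ESP:
        spi, seq = struct.unpack("!II", payload[:8])  # ESP header: SPI, then sequence number
        label = f"esp spi=0x{spi:08x} seq={seq}"
    elif proto == IPPROTO_AH:
        label = "ah"
    elif proto == IPPROTO_UDP:
        sport, dport = struct.unpack("!HH", payload[:4])
        if sport in IKE_PORTS or dport in IKE_PORTS:
            body = payload[8:]
            # On UDP/4500, ESP carries a non-zero SPI where IKE carries the zero marker.
            if 4500 in (sport, dport) and body[:4] != NON_ESP_MARKER:
                label = "esp-natt"
            else:
                label = "ike"
        else:
            label = f"cleartext:udp/{dport}"
    elif proto == IPPROTO_TCP:
        _, dport = struct.unpack("!HH", payload[:4])
        label = f"cleartext:tcp/{dport}"
    else:
        label = f"cleartext:proto{proto}"
    return src_ip, dst_ip, label


def crosses_wan(src_ip, dst_ip):
    """True when the packet travels between the two data-centre prefixes."""
    return (src_ip in SITE_A and dst_ip in SITE_B) or (src_ip in SITE_B and dst_ip in SITE_A)


def audit(packets):
    """Return [(src, dst, label)] for every packet that crosses the WAN without IPsec/IKE."""
    findings = []
    for pkt in packets:
        src, dst, label = classify(pkt)
        if crosses_wan(src, dst) and label.startswith("cleartext"):
            findings.append((str(src), str(dst), label))
    return findings


# Constructed sample capture (not real traffic).
SAMPLE = [
    # ESP between the sites: what every inter-DC packet should look like.
    build_ipv4("10.1.10.5", "10.2.10.5", IPPROTO_ESP,
               struct.pack("!II", 0x1A2B3C4D, 7) + b"\x00" * 24),
    # IKE negotiation between the two gateways on UDP/500.
    build_ipv4("10.1.10.5", "10.2.10.5", IPPROTO_UDP,
               struct.pack("!HHHH", 500, 500, 36, 0) + b"\x00" * 28),
    # UDP-encapsulated ESP on 4500 (non-zero SPI, so not IKE).
    build_ipv4("10.2.10.5", "10.1.10.5", IPPROTO_UDP,
               struct.pack("!HHHH", 4500, 4500, 40, 0) + struct.pack("!II", 0x5566, 3) + b"\x00" * 24),
    # TCP to a hypothetical interface port crossing the WAN in the clear: the finding.
    build_ipv4("10.1.20.9", "10.2.20.9", IPPROTO_TCP,
               struct.pack("!HHIIBBHHH", 40123, 2575, 1, 0, 0x50, 0x18, 65535, 0, 0) + b"clinical data"),
    # Cleartext TCP that stays inside site A: not a WAN finding.
    build_ipv4("10.1.20.9", "10.1.30.2", IPPROTO_TCP,
               struct.pack("!HHIIBBHHH", 40124, 443, 1, 0, 0x50, 0x18, 65535, 0, 0)),
]

if __name__ == "__main__":
    for src, dst, label in audit(SAMPLE):
        print(f"UNENCRYPTED WAN TRAFFIC: {src} -> {dst} {label}")
```

Run against the constructed sample, the audit reports only the cleartext TCP session between the two sites; the ESP, NAT-T ESP and IKE packets pass, and intra-site cleartext is ignored because the check is scoped to traffic that leaves the building. Feeding it real packets (for example the payloads from a pcap file) is the practical test that a WAN encryption rollout, whatever device performs it, actually covers every flow and not just the ones someone remembered to put in the policy.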
Traditionally, encryption of data in flight has been done either by firewalls or by dedicated encryption appliances. Firewalls can encrypt and decrypt traffic, but at a huge cost: typically a 75-80% drop in throughput (the exact figure depends on the cipher suite and packet size), which means an extremely high cost per Gbps of traffic encrypted. Dedicated encryption appliances are limited in performance and must be placed at a number of different locations, which adds complexity and cost.
The Brocade MLXe IPsec module is integrated into the MLXe router and provides wire-speed encryption of data, minimizing risk without impacting application performance or user access. If you're open to a 'test drive', drop me an email and we'll arrange it!