Arcsight offer $49 entry level logging solution – a monumental change from the SIEM vendors, since they were trouncing their clients at price of 200K and up.
Data security and compliance specialist ArcSight has taken the wraps off a slew of product updates – Enterprise Security Manager 5.0, Identityview 2.0 and Logger 5.0 – with the offer of a $49.00 version of Logger, its universal log management software.
Last yearâs HITECH Act toughened the rules and enforcement penalties health information handlers must follow to protect patient privacy.
Under the new policy regime, providers will have to pay more attention to the confidentiality and safety of patient information as they move more of their operations toward electronic health record-keeping.
Without sound security policies and practices, privacy âwill be just a principle,â said Sue McAndrew, deputy director for privacy in the Office of Civil Rights, the Health and Human Services Department office that was given responsibility for health privacy and security policy under the new law.
âWe want it to be a reality for consumers,â she said at a recent privacy and security conference sponsored by OCR and the National Institute for Standards and Technology.
One of the most basic requirements is that providers must now perform a security assessment, a first step in understanding systems and electronic data over which they are temporary stewards.
OCR recently drafted guidance to help providers and payers figure out what is expected of them in doing a risk assessment. While it might sound onerous, a risk assessment might not be as difficult or costly as some providers might believe, even for small practices, privacy.
âWhen you say, âdo a security risk assessmentâ, peopleâs eyes glaze over,â said Lisa Gallagher, security director of privacy and security for the Healthcare Information and Management Systems Society. âBut really, itâs asking, âwhat are the risk areas?â, âhow could someone get to it?â and âwhat controls can you put in place to protect it.ââ
In its guidance, OCR said organizations should identify and categorize their data collections, document threats to information that might lead to a disclosure of protected data and check to see if their current security measures are adequate.
âFor a small organization, it sounds overwhelming and time-consuming, but in a lot of ways, itâs things that they already do,â said Pat Toth, a computer scientist in NISTâs computer security division.
âWhat small providers need to do is get an understanding of the framework and break down each step,â she said. âIt is something thatâs going to be living in their organization, so if they do their categorization and get that right, it will set the correct tone for the rest of the process.â
NIST has developed a quick-start guide, a âCliffâs Notesâ of its security publications detailing its risk management framework and risk assessment, in addition to frequently asked questions, to help providers, especially small practices.
For large organizations, risk management starts in the planning and architecture of systems across the enterprise and system life cycle, Toth said.
Besides a risk assessment, OCR is planning stricter reporting of disclosures of health information when electronic health records are used, even when the disclosure is for treatment and billing purposes. Providers will also have to give the reason for the disclosure. In May, OCR published a request for comments on its rulemaking.
The most effective method of accounting for disclosures is by using automated logging features in electronic health records and other computer systems, according to Mac McMillan, chief executive officer of Cynergistek Inc., an IT security consulting firm.
System logs are used to document and maintain a permanent record of all authorized and unauthorized access to and disclosure of confidential information so providers can recover evidence of that access.
âA lot of the difficulty to get accounting of disclosures in place is because of a lack of industry auditing capabilities,â he said at the OCR and NIST conference. âMost systems donât have the functionality.â Moreover, IT security folks he works with have logging activated, âbut they are still manually digesting them,â McMillan said, adding that manual audits are a time-consuming and imprecise process.
Even so, such practices must now be the order of the day under the new privacy and security framework. âThe security rule says wherever you have electronic health information, you need to protect it,â said HIMSSâs Gallagher. âYou may not even apply for meaningful use incentives. But if youâre keeping data in electronic form, you have to comply with the security rule.â
Businesses have increased expectations on the security team in recent years, sometimes producing a disconnect between what is expected and what the security team can deliver. In a new report, Forrester Research lays out some advice for building an effective security organization.
As IT security has become a bigger part of business discussions, security teams have increasingly shifted their focus from operations to strategic business objectives.
For businesses building their security groups, there needs to be a balance between fulfilling operational and strategic goals, and a new report from Forrester Research offers advice on how businesses can find it.
âIn a few cases we found that the strategic aspect of security was so important or was so highlighted in terms of the CISO [chief information security officer] role that the CISO was sometimes moved outside the IT organization, [and] sometimes wasnât as connected with the operation [of] the IT…[but] much more connected with the business side and the strategy side,â explained Forrester analyst Khalid Kark. âWhat that does is basically creates an ivory tower for the chief security officers, and then they are not able to operate.â
To avoid that, there are several steps Forrester recommends organizations take. Here are a few of them.
— New Roles: To make your security practice more strategic, add these three positions: a business liaison to advocate for the business unit within the security team and communicate the security perspective to business; the third-party security coordinator to address outsourcing, assessments and cloud computing; and a security engineer focused on working with the enterprise architecture team to build security into the architecture and integrate specific infrastructure security components into the architecture.
— Understand IT security vs. information risk: âMany security organizations fail to get management attention because theyâre always focused on the IT security activities, which the business doesnât understand,â according to the report. âOn the other hand, the business understands risk well, and if you articulate those same problems in the risk context, the business is much more likely to react and respond to them.â
— Develop a cross-functional security council: âFocus on ‘who’ not ‘how.’ Forrester has long professed the benefits of a security council, but one thing that is absolutely essential for the success of this council is its composition,â the report continues. âThe trick is not to aim for the highest ranking businessperson but the one most interested in security and risk issues who has a reasonable level of visibility in the business. When you have a passionate team working on the security issues, the ‘how’ will be easy to determine.â
— Equip the business to perform risk assessments: âTo meet the security and risk obligations effectively, you have to delegate, and risk assessments are ideal for this,â Forrester said. âProvide the checklists and basic training to the business to perform the basic risk assessment tasks so that it takes the pressure off your resources. Make it easy and seamless for the business to incorporate these into its existing processes.â
Complicating things is today’s economic environment in which businesses may be forced to reshuffle or even cut their security personnel. When that happens, organizations may have to refocus their attention from strategic projects and get back to basics, the report noted.
âAs security organizations get leaner, delegation, formalized and documented processes, and good monitoring and metrics become key,â said Forrester analyst Rachel Dines, who worked on the report with Kark. âSecurity organizations donât need to have direct ownership of all security-related processes, but they do need to monitor and control them.â
