Aggregating the Management of Policies

Daryl Eicher, VP, Industry Solutions, Axway

Three Words to Say to C-Level Management About Complete MFT Data Security (Pt. 1)

by Shawn Ryan
VP Technology Marketing & Chief Architect

Cost, risk and brand.

In other times, the first on the list in terms of drivers is obvious: revenue. But now, three words at the top of mind are cost, risk and brand.

First, cost. Cost and benefits associated with consolidation are essential drivers to surviving and thriving. In any organization, various one-off solutions handle file transfers. Various solutions stay nailed down and in place just because they are there. They arrive when a project demands a fast solution where one does not exist. They arrive due to mergers and acquisitions. They arrive because “files” were not thought to be strategic, because “files” have not had the sizzle, and thus “files” are neither the focus of SOA projects nor the focus of technology that could bring them into a services oriented approach. But times are different, and with files representing eighty-plus percent of an organization’s data, it’s time to gain control. Various one-off solutions are costly to an organization and filled with security flaws, just as Swiss cheese is filled with holes.

By focusing managed file transfer and transmissions through a single service oriented framework, MFT consolidates the overhead of one-off services and reduces costs—a concern of all C-level management. While cost creates a convincing argument for complete MFT data security, unified governance across the different types of interaction patterns that comprise managed file transfer brings in security and controls and is simply the best way to go.

The second point: risk. More specifically: governance, risk and compliance. GRC. Cybercrime is a trillion-dollar industry. That alone should be enough to wake C-level management up and seriously consider data security. Add compliance mandates to that, breach notification laws with safe harbors for encrypted data, and now encryption mandates like HITECH and the Massachusetts state laws coming on line, and a response is not only wise, it’s mandatory. Massachusetts 201 CMR 17, like California SB1386, is a precedent-setting mandate. It states that any data containing personally identifiable information of a resident of Massachusetts must be encrypted. A challenge like this is a formidable one that your company must not take lightly.

Third, brand. It is closely paired with the topic of risk, but it deserves a front-row seat in the discussion. Data is the lifeblood of your business. Anytime you have a breach, your company makes headlines for a terrible reason, thanks to the 45-plus states that have notification laws in place. What do you want to be known for? You must protect your brand.

Complete MFT data security is essential. The only answer is to look for a complete solution that can cover all interaction patterns. Sure, start where you feel the most risk, but stop to be sure you will address the risk strategically, and have a plan to cover the entire spectrum of interaction patterns. Sure, cybercrime is on the rise, but internal jobs account for eighty-plus percent of publicized breaches. Are you just going to cover B2B? Human interactions? Portal based? You must cover them all.

But which interaction patterns demand complete MFT data security?

(To be continued.)

Embedding DLP Tools in Applications Will Bring Better Results

Taher Elgamal, CSO, Axway

A “Meaningful” Act (Pt. 2)

by Ruby Raley
Director, Healthcare Solutions


The body continues to be an apt metaphor in this post.

One of the other areas I find that people have neglected in their plans is the “nervous system.” So, you’re going to put this new eMR system in, you have to have all of these data breach protections, you have to have encryption, you have to be able to notify people promptly if data is lost. You need a nervous system that knows when any blood vessel is cut, when there is a leakage of information, which would be equivalent to internal bleeding—perhaps not obvious to anyone but going on nonetheless—and a significant impact on your patient’s health, possibly even a cause of death if left untreated.

How are you going to know that there is internal bleeding of data? Are you really going to go through log files and every system you have and verify that every transmission went through? Wouldn’t you rather just have a dashboard where you could quickly see the stats, find anomalous situations, immediately be alerted if something goes astray, and take action promptly and resolve the problem before there is internal bleeding and the “patient” is in critical care? I really think that some of those additional ways of thinking about the HITECH Act are critical to the success of the providers.

It’s just too hard to try to do everything inside your eMR system. You can’t stop people from sending attachments, needing to communicate with third parties, and needing to get data in and out of your enterprise. It’s just a fact of life, so why not put a plan together for it?

People who think that they don’t need a nervous system, that all they have to do is search through log files to find out what happened, I find, have either had better luck in life than I have or aren’t IT people on the front lines, because what I’ve seen over and over again is log files get erased every time there is an upgrade.

If you had an outage on Friday, and you had a system upgrade going in on Saturday, your log files might not be where you can find them on Monday. Maybe they were saved before the upgrade went in. Maybe the tapes didn’t work right. How do you know? In order to do the diagnosis, you have to look at the sending and receiving system, line up the time, look at the messages and try to figure out whether the darn messages were delivered.
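The diagnosis described here, lining up the sending and receiving systems' records by time and transfer id to see which messages were actually delivered, is mechanical enough to script, and the same reconciliation is what a dashboard would surface as stats and alerts. The following is an added example written for this page, not Axway's code or anything from the post; the pipe-delimited log format, the field names, the two sample logs and the 15-minute delivery window are all constructed assumptions.

```python
"""Reconcile a sender's transfer log against the receiver's log.

Added example, not the post's or Axway's code. The log format
("timestamp|transfer_id|event|partner"), the sample lines and the
15-minute delivery window are constructed for illustration.
"""
from datetime import datetime, timedelta

# Assumed delivery SLA: a receipt later than this is flagged as late.
WINDOW = timedelta(minutes=15)

# Constructed sender-side log (what our system believes it sent).
SENDER_LOG = """\
2010-01-15T14:02:11|TX-1001|SENT|payer-a
2010-01-15T14:05:40|TX-1002|SENT|lab-b
2010-01-15T14:09:03|TX-1003|SENT|payer-a
2010-01-15T16:31:55|TX-1004|SENT|clinic-c
2010-01-15T17:12:20|TX-1005|SENT|payer-a
"""

# Constructed receiver-side log. TX-1004 never arrives, TX-1003 arrives
# outside the window, TX-9999 has no matching SENT entry (a sender log
# that was lost in an upgrade looks exactly like this), and TX-1005 is
# stamped earlier than its send, which points at clock skew.
RECEIVER_LOG = """\
2010-01-15T14:02:13|TX-1001|RECEIVED|payer-a
2010-01-15T14:05:44|TX-1002|RECEIVED|lab-b
2010-01-15T14:40:09|TX-1003|RECEIVED|payer-a
2010-01-15T15:00:00|TX-9999|RECEIVED|lab-b
2010-01-15T17:12:19|TX-1005|RECEIVED|payer-a
"""


def parse_log(text):
    """Parse the constructed log format into dicts keyed by field name."""
    records = []
    for line in text.strip().splitlines():
        ts, tid, event, partner = line.split("|")
        records.append({"time": datetime.fromisoformat(ts), "id": tid,
                        "event": event, "partner": partner})
    return records


def reconcile(sender_text, receiver_text, window=WINDOW):
    """Match SENT to RECEIVED by transfer id and classify the outcome."""
    sent = {r["id"]: r for r in parse_log(sender_text) if r["event"] == "SENT"}
    received = {r["id"]: r for r in parse_log(receiver_text)
                if r["event"] == "RECEIVED"}

    # Sent but never confirmed: the "internal bleeding" the post warns about.
    undelivered = sorted(t for t in sent if t not in received)
    # Confirmed, but only after the agreed window.
    late = sorted(t for t in sent if t in received
                  and received[t]["time"] - sent[t]["time"] > window)
    # Receipts with no send record: evidence of lost logs or an unlogged path.
    unmatched = sorted(t for t in received if t not in sent)
    # Receipt stamped before the send: the two clocks cannot be trusted.
    skewed = sorted(t for t in sent if t in received
                    and received[t]["time"] < sent[t]["time"])

    # Group undelivered transfers by partner so the right party is called.
    by_partner = {}
    for t in undelivered:
        by_partner.setdefault(sent[t]["partner"], []).append(t)

    return {"total_sent": len(sent), "undelivered": undelivered, "late": late,
            "unmatched_receipts": unmatched, "clock_skew": skewed,
            "undelivered_by_partner": by_partner}


def alerts(result):
    """Render non-empty findings as the lines a dashboard would raise."""
    labels = [("undelivered", "UNDELIVERED"), ("late", "LATE"),
              ("unmatched_receipts", "NO SEND RECORD"), ("clock_skew", "CLOCK SKEW")]
    return [f"{label}: {', '.join(result[key])}"
            for key, label in labels if result[key]]


if __name__ == "__main__":
    outcome = reconcile(SENDER_LOG, RECEIVER_LOG)
    print(f"{outcome['total_sent']} transfers sent")
    for line in alerts(outcome):
        print(line)
    for partner, ids in outcome["undelivered_by_partner"].items():
        print(f"call {partner} about {', '.join(ids)}")
```

Two design points follow from the post's own complaints. Receipts with no matching send record are reported rather than ignored, because a sender log that was wiped by a weekend upgrade produces exactly that signature, and a reconciliation that only walks the sender's records would silently miss it. Clock skew is checked explicitly, since "lining up the time" across two systems is only meaningful when their clocks agree.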

To me, thinking that log files sufficiently satisfy the data breach and HIPAA security rule—I don’t quite get that. One of the things that I recommend to providers is that they do a mock exercise. How would they find the data breach? How would they convene their SWAT team? How would they actually plan through and respond to a real-life data breach? It’s much like having a patient flatline on the ER table—mitigating action needs to be taken immediately.

What they’re going to find is that, first of all, they have to include many more departments than they might have thought. When is the last time an IT outage or a service disruption required that the compliance officer, corporate marketing and PR people got called? Did you have to call the CEO when the system last went down? Do you know the criteria that need to be satisfied before you notify people? You have to make sure that a large number of people understand what the process is, because with a data breach, the legal ramifications of not taking due diligence, of exhibiting willful neglect, or of not following your own processes are severe.

And you never had to do that before. Who cared if a file didn’t get received by the insurance company on the other end? They’d call you and you’d resend it. Before, you never called the CEO or CSO to say that a file went astray and you didn’t know it had happened. You’re going to discover department people who aren’t aware, too. You’re going to discover people in the IT organization, people who might not have been exposed to the HITECH Act before, who need training so that they understand the circumstances under which to act. If you don’t have all of this preplanned, then it’s going to be fairly random and it’s not going to come together for you. Can you prove to the HHS and the auditors that your process, as written, was followed in these events? Can you afford the excessive fines and penalties that will follow if you can’t prove that your process, as written, was followed?

A “Meaningful” Act (Pt. 1)

by Ruby Raley
Director, Healthcare Solutions

Healthcare providers implementing the HITECH Act seem to regard the implementation of eMR (electronic medical records) like a major organ transplant. All they’ve got to do, they figure, is get a new heart in the body, or a new liver, or a new lung, and get the patient set back up again, and everything is good. But what they forget is that they have to integrate that organ into the support systems of the body. Those are the vascular systems, the lymph nodes, the nervous systems and so forth. They need a specialist that has the ability to integrate that new organ, that new eMR system, into their ecosystem so that it’s much more effective.

One of the definitions of “meaningful use,” which you need to meet in order to qualify for incentives, is a capability for information exchange. I doubt that you’re going to upgrade every organ in your body or every system in your ecosystem or in your enterprise to achieve meaningful use, but I don’t doubt that you need a helping hand to integrate that new component, that new eMR, that new eHR-upgraded system. And that’s where a B2B service provider comes in, and that’s a B2B service provider’s core strength. A B2B service provider integrates, knits together and connects up components.

What I find is that people forget that there’s a lot of ad hoc file transfer that goes on today. You’ll have many partners who aren’t connected to your eMR/eHR. They could be third-party clinics and labs, external payers, external HIEs—all of these people and systems need to be connected. You have choices. You can pay your eMR/eHR vendor to connect them, or you can come up with new connective tissue, new vascular systems, to ensure that information flows, as Dr. Blumenthal says, to every corner of the body, and that it flows back in, is reoxygenated and sent back out to the body parts so that every part of the body is as healthy as possible. Again, that’s a B2B service provider’s strength. That’s what they do. Managed file transfer, email attachment management—these are core capabilities that you may have neglected to consider while you were focusing on implementing that new eMR system in your enterprise. But they’re necessary for security and for meeting meaningful use criteria.

(To be continued.)

How Does B2B Consolidation Help Your Staff Focus on Mission Critical Projects?

Ulf Persson, Director, Product and Solutions Marketing, Axway

Encryption and Electronic Health Records: A Q&A with Paul Fowler (Pt. 2)


AXWAY: Let’s talk about compliance. Some would say that if you’re compliant, you’re doing fine.

PF: Some people think compliance is setting up a few rules and some people think compliance is pretty much locked-down infrastructure. The government tells you what needs to get done to satisfy the law; they never tell you how to go about actually satisfying the law. There are people who do not believe that encrypting email is necessary, but there are also people who don’t believe that seatbelts are necessary! It doesn’t mean that it’s not common knowledge that seatbelts save lives. There are many people asking themselves, “Do I cut three employees from my staff in order to buy an encrypted email system?” And their answer is, “No, that’s not necessary.” And I tend to liken it to seatbelt laws: anybody who thinks they don’t need a seatbelt is right until they have a wreck, don’t have one on, and die. Then the realization of its importance becomes clear, but at a high cost. In the same way, there are tons of people who don’t believe that encryption is a necessary thing. They don’t believe they need their files managed in a very secure, two-factor-authentication method. Now clearly, the government, when they’re ordering nuclear weapons, uses managed file transfer, a system that will provide that encryption. But when you’re chatting on IM with your friends, you don’t have any security there at all. And you don’t worry about it because who cares what you’re saying to your friends? But if you’re in a hospital and IMing with your friends that some famous actor came in, here’s his medical record, and look what they’re treating him for—this all creates a host of issues for the hospital to worry about, issues that could expose them to massive liability. That’s big dollars. Managed file transfer, encrypted email, the encryption of IM systems—these things should become important to hospitals so that they can identify who internally is responsible for violations and educate those people constructively.

AXWAY: Protecting the company is fine, but besides privacy concerns, what else do these technologies address?

PF: As you implement managed file transfer and these kind of encrypted email technologies, you begin to see patterns of your trading partners and exactly how they operate. You begin to establish the connections with networks and facilitate the safe spread of medical information. The more medical information gets shared, globally and collectively, the better patient outcomes are, both individually and collectively. So if every diabetic knows what works for every other diabetic, the community of diabetes patients is treated better. And if you can share one diabetic’s record with an expert, without compromising the diabetic’s identity, then that expert’s patient has an improved chance for better treatment, and everybody wins. Ultimately, that’s what’s it all about. It transcends mere compliance in some real way. The real challenge is this: How do we share medical information without compromising the privacy of an individual? The goal is not just to protect the information. The goal is to share the information with people who need it. For example, if I travel to Paris, which I do two or three times per year, and I don’t have an eHR, if I find myself in a hospital in Paris, nobody will know anything about me. How do I, as a patient, get my medical records to brand new doctors in a safe and secure way all the time?

Encryption and Electronic Health Records: A Q&A with Paul Fowler (Pt. 1)

In this two-part Q&A blog post, the Axway Editorial Staff talks with Paul Fowler, Axway’s vice president of Healthcare Innovation, about electronic health records and the new HITECH Act.

AXWAY: The compliance deadline for the HITECH Act changes, including the breach notification requirements, is February 17, 2010. How will that affect healthcare professionals starting next month?

PF: The HITECH Act was part of the president’s stimulus bill. What it basically was designed to do was stimulate the adoption of electronic health records (eHR) in the health industry. (eHRs are mandated by 2015.) Like all bills, it covers several areas. In one area, it gives physicians, hospitals and other folks a minor financial stimulus to adopt an eHR system. The healthcare interchanges and the healthcare record companies need to transmit these records to other partners, and to do that, they will need infrastructure, a robust B2B system to act as a backbone. But one of the more interesting things about the HITECH Act is that it puts teeth into the HIPAA law. HIPAA’s been around for years; it specified how eHR should be stored and even how your private health records should not be used. Previously, there was a law that stated that the only time you actually could get caught with a HIPAA violation was if somebody caught you stealing electronic records. The people who had to complain about it were the people victimized by the breach, i.e., the patients. In 99.9% of all scenarios, nobody cares about these breaches, because they simply don’t know; if your medical information gets leaked to a healthcare company, you don’t know it. So this old law had limited penalties. The only time anyone got in trouble was when, for instance, a famous person’s records were revealed and made news. But now, with this new HITECH Act, they’ve increased the fines and created an agency that will actually do an inspection on HIPAA compliance. That’s a law with real teeth, and it’s good for everybody.

AXWAY: What are you seeing hospitals doing to make themselves iron-clad against violating the HITECH Act and HIPAA in general? What are some steps all hospitals should take?

PF: What I’m seeing is that most hospitals are hiring Chief Privacy Officers, senior-level people in the organization, to demonstrate to both the government and the customers that they’re serious about HIPAA and healthcare privacy. Hiring this person is a good start. Second, a hospital needs to do a complete systems review and a technical roadmap and ask themselves, “Where are we relative to this? What is our risk?” These Chief Privacy Officers are really risk managers. They need to do a complete systems audit. Third, they need to safeguard against liability in the event that a partner has a breach. They need to do an extended audit, and have an extensive understanding of the people they’re actually exchanging information with, and ask, “Are they compliant with the information that they’re giving and receiving?” Hospitals need encrypted email, yet the email that comes in and out of the hospital is often not encrypted. Anybody can intercept it. It can be forwarded anywhere. They need the ability to send encrypted email so that they know that if anybody intercepts it, the only people who can read it are the people it’s intended for, the people who could decrypt it.

(To be continued.)

Needful “Things” (Pt. 2)

by Kim Loughead
Director, Product & Solutions Marketing


Will we find this technology in cereal boxes? I doubt it. Active tags, which are four times more expensive than passive tags, emit a signal that can be picked up from a distance. There are so many other low-cost ways to track products today that to add the cost of RFID-enabled disposable packaging, unless there is a significant upside on market knowledge, would be silly. RFID has really struggled precisely because of this—the cost/benefit ratio for the lion’s share of products is just not there.

To put it another way: whether a given “thing” deserves to be in the “Internet of Things” (IoT) will depend on whether there is some risk associated with the product not being a part of the IoT, and this is especially true of items susceptible to diversion and/or improper use. But another element to consider, one not so immediately obvious, will be market intelligence, how gathering data about a particular product will enable manufacturers to gain market knowledge so they can sell more, make the product better, or potentially break into a different market.

That type of application makes sense. As RFID becomes more mainstream, it will evolve. Today, it’s still very pigeonholed around supply chain efficiency efforts and asset tracking. That’s where it’s stuck. The economy has all but killed a lot of these efforts—they’re considered cute science projects, not revenue generators. But as the economy comes back a little bit, these projects will get their funding back, and the science-fictiony world that folks at Supply Chain Digest predict will come one step closer to reality.

Needful “Things” (Pt. 1)

by Kim Loughead
Director, Product & Solutions Marketing

Supply Chain Digest’s editorial staff recently posted an article discussing the development of the so-called “Internet of Things” (IoT).

You may not be aware of it, but slowly the “Internet of Things” (IoT) is being built, or at least preparing to be built.

The Auto ID Institute at MIT – the organization that served as the catalyst behind the move to low-cost RFID tags and what was to become the electronic product code (EPC) – is generally credited with coining the term “The Internet of Things.”

What does this term mean? The concept involves an extension of the current web to embrace a wide – perhaps nearly ubiquitous – set of objects (people?) that can identify themselves and/or be identified electronically, and share increasing levels of intelligence about what they are and what they are doing…

…Of course, these sensors have to be wireless connected to communicate that information – and determining how often they do that, how to make sense of all that data, and how much of it to actually store and when are almost as important as the new technology itself would be.

It seems like that ought to make some form of RFID quite affordable for basic supply chain applications.

There are definitely practical applications for this type of thing and, in fact, there are already applications in place that you could regard as precursors to this concept. Consider hospital equipment inventory management. Most hospitals have critical equipment that constantly needs to be serviced. Some have already applied active RFID tags to this equipment and utilize their wireless networks to not only determine where this equipment is, but also to monitor its maintenance state. If an inducer, for example, needs to be cleaned after it’s been used, it can communicate that it needs to be moved to the maintenance closet for cleaning. Or, later, it can communicate to a nurse that it’s in the maintenance closet, cleaned and ready for duty.

Products that, if they aren’t maintained properly or are used in an incorrect manner, may risk human life—those are the obvious ones that you would want to place a higher level of tracking or monitoring upon. Assets or parts that require an extra level of monitoring, either because they are related to safety issues or there is a high rate of risk if that product is tampered with or counterfeited and may risk public safety are, by all means, worth tracking. That concept applies to a slew of products—automotive, aerospace, pharmaceutical, medical devices, and to some extent consumer electronics, like batteries.

However, when it comes to consumer products, this sort of thing becomes a bit more challenging.

(To be continued.)