Cisco Blogs



Retailers Lying Awake at Night – Who’s Next?

In the past few weeks, I’ve received two replacement credit cards. And, no, this does not indicate I’ve done too much shopping! It means that hackers are continuing to target retailers and the bank decided I needed to be protected by new credit card numbers.

I’m Carol Ferrara-Zarb, and as the leader of Cisco’s Security Solutions team, I’m joining the Cisco Retail blog today to talk to you about security and compliance in the store. While consumers certainly worry about security, the concerns of retailers are magnified because you are among the highest-profile targets right now for professional hacker attacks. Store owners and operators are just about lying awake at night wondering who is going to be next.

At the same time, change is continuing on the security front, particularly in the area of PCI compliance. At the end of this calendar year, the new 3.0 version of the PCI DSS mandate will come into force. Are you ready for the new requirements?

If you’re a Cisco customer, you very well may be. Join us on July 23 for a free, one-hour webcast, “Straight Talk about Reducing Complexity and Maintaining Compliance in Retail.” Cisco Security Architect Christian Janoff, who sits on the PCI Security Standards Council Board of Advisors, and Aaron Reynolds, PCI Managing Principal for Cisco partner Verizon, will lead a candid discussion on retail security. The session covers:

  • The changes in the PCI DSS 3.0 mandate and their impact on your retail business
  • How to satisfy three standards—PCI, SOX, and HIPAA—by configuring one control
  • Implementing the latest, simplified strategies for PCI scope reduction, and how they can be superior to traditional methods for many retailers

You’ll come away with an overview of today’s threat landscape, and we’ll put it all into perspective to support your continued pursuit of compliance and retail success. Registrants will also receive the Simplifying Compliance Answer Kit, a set of documents and tools to help you understand compliance better.

The webcast takes place on July 23 at 10:00 am PT/1:00 pm ET. Please register today! Be sure to bring your questions to take part in the discussion.

We’ll see you there!


Cisco Web Security and the Health Insurance Portability and Accountability Act (HIPAA)

The Health Insurance Portability and Accountability Act (HIPAA) set out standards for the protection and transmission of individual health information, and the subsequent Security Rule added standards for securing electronic protected health information. Spurred by these rules, customers often ask me the following questions:

  • Is your product HIPAA certified?
  • Is your product HIPAA compliant?
  • Will your product meet HIPAA standards?
  • If I implement your products, will I be HIPAA compliant?

While this blog post is in no way to be construed as legal advice, I wanted to provide an overview pertinent to answering the above questions.

The Reality

In short, the answer to the above questions is NO! Here is why. There are no products on the market that are HIPAA certified or HIPAA compliant! I know this sounds challenging and some vendors have claimed that implementing their products will make the customer HIPAA compliant, but that is not the case.

HIPAA cannot be addressed with a single product or set of products. HIPAA is a series of policies and procedures that “covered entities” must implement to safeguard information. Products manufactured by Cisco and other technology companies can be used to implement those defined policies and procedures but the simple inclusion of a technology in the network does not automatically make an entity compliant. Products have to be configured to adhere to the standards set forth by HIPAA.

For a better grasp on the implications of HIPAA, let’s take a look at some of the details outlined in the Act.

Covered Entities

First, let’s examine a “covered entity” as defined by HIPAA [2].

HIPAA standards apply only to:

  • Health care providers who transmit any health information electronically in connection with certain transactions
  • Health plans
  • Health care clearinghouses

What is a Health Care Provider?

Any person or organization who furnishes, bills, or is paid for health care in the normal course of business.

Protected Information

[1] The statute requires the privacy standards to cover individually identifiable health information. The Privacy Rule covers all individually identifiable information except for: (1) education records covered by the Family Educational Rights and Privacy Act (FERPA); (2) records described in 20 U.S.C. 1232g(a)(4)(B)(iv); and (3) employment records. (See the Privacy Rule at 65 FR 82496; see also 67 FR 53191 through 53193.)

[3] The Privacy Rule protects all “individually identifiable health information” held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral. The Privacy Rule calls this information “protected health information” (PHI).

“Individually identifiable health information” is information, including demographic data, that relates to:

  • the individual’s past, present or future physical or mental health or condition,
  • the provision of health care to the individual, or
  • the past, present, or future payment for the provision of health care to the individual,

and that identifies the individual or for which there is a reasonable basis to believe it can be used to identify the individual. Individually identifiable health information includes many common identifiers (e.g., name, address, birth date, Social Security Number).

The Privacy Rule excludes from protected health information employment records that a covered entity maintains in its capacity as an employer and education and certain other records subject to, or defined in, the Family Educational Rights and Privacy Act, 20 U.S.C. §1232g.

Technical Safeguards

The HIPAA Security Rule defines technical safeguards for the electronic storage, access, and transmission of the protected information described above.

Technical Safeguards (§ 164.312) [1]

We proposed five technical security services requirements with supporting implementation features: access control, audit controls, authorization control, data authentication, and entity authentication. We also proposed specific technical security mechanisms for data transmitted over a communications network, communications/network controls with supporting implementation features; integrity controls; message authentication; access controls; encryption; alarm; audit trails; entity authentication; and event reporting.

In this final rule, we consolidate these provisions into § 164.312. That section now includes standards regarding access controls, audit controls, integrity (previously titled data authentication), person or entity authentication, and transmission security.

Technical Safeguards Summary [4]

  • Access Control—A covered entity must implement technical policies and procedures that allow only authorized persons to access electronic protected health information (e-PHI).
  • Audit Controls—A covered entity must implement hardware, software, and/or procedural mechanisms to record and examine access and other activity in information systems that contain or use e-PHI.
  • Integrity Controls—A covered entity must implement policies and procedures to ensure that e-PHI is not improperly altered or destroyed. Electronic measures must be put in place to confirm that e-PHI has not been improperly altered or destroyed.
  • Transmission Security—A covered entity must implement technical security measures that guard against unauthorized access to e-PHI that is being transmitted over an electronic network.

Cisco believes that today’s dynamic threat landscape, new business models, and complex regulatory requirements require a new threat-centric approach to security. This security model reduces complexity while providing superior visibility, continuous control, and advanced threat protection across the extended network and the entire attack continuum. It makes it easier for customers to act quickly before, during, and after an attack, which is particularly important for risk management and reduction.

With regard to Cisco Web Security products and transmission security conformance, the products provide the necessary encryption services along with auditing, entity authentication, and event reporting to help address the technical safeguards.

Cisco Web Security products do not determine whether the receiving website is of the appropriate type or has implemented the appropriate controls for handling HIPAA-protected data; they ensure that the information is transmitted securely when the transmitter requests it (deciding what may be sent where is a data loss prevention question, not covered in this post). It is the responsibility of the customer’s security and administrative staffs to determine which sites are acceptable for receiving or transmitting this data. Cisco Web Security products can then provide transmission security, entity authentication of the transmission endpoint, event reporting, and integrity of the transmission via the HTTPS protocol.
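The split described above, between the staff who decide which destinations may receive e-PHI and the transmission layer that must then enforce HTTPS and record what happened, is shown below as an added worked example. It is not Cisco code and does not model any Cisco product; the approved-destination list, the sample requests, the `carries_phi` flag and the JSON audit format are all constructed assumptions for illustration. The TLS context shows the settings that matter for the transmission-security and entity-authentication safeguards (certificate and hostname verification on, no TLS below 1.2), and every decision produces an audit record.

```python
"""Egress policy check for e-PHI transmissions (constructed example).

Not Cisco code. The allow-list, request shapes, PHI flag and log format
are assumptions made for illustration only.
"""
import json
import ssl
from dataclasses import asdict, dataclass
from datetime import datetime, timezone
from urllib.parse import urlsplit

# Constructed allow-list: the destinations that the customer's security and
# administrative staff have approved for receiving e-PHI. In practice this
# is their decision, not the transmission layer's.
APPROVED_PHI_DESTINATIONS = {
    "claims.example-clearinghouse.net",
    "portal.example-healthplan.org",
}


@dataclass(frozen=True)
class Decision:
    user: str
    url: str
    allowed: bool
    reason: str
    timestamp: str


def hardened_tls_context() -> ssl.SSLContext:
    """TLS settings for the upstream leg of a transmission.

    create_default_context() turns on certificate-chain verification and
    hostname checking (entity authentication of the receiving site); the
    minimum version keeps e-PHI off legacy TLS (transmission security).
    """
    ctx = ssl.create_default_context()   # CERT_REQUIRED + check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def evaluate(user: str, url: str, carries_phi: bool, now: datetime = None) -> Decision:
    """Decide whether one outbound request may leave the network.

    Whether a request carries e-PHI is a DLP question (assumed here as an
    input flag). Requests without e-PHI are outside this policy; requests
    with it must use HTTPS and go only to an approved destination.
    """
    ts = (now or datetime.now(timezone.utc)).isoformat()
    parts = urlsplit(url)
    if not carries_phi:
        return Decision(user, url, True, "no e-PHI: outside transmission policy", ts)
    if parts.scheme != "https":
        return Decision(user, url, False, "e-PHI over cleartext %s" % (parts.scheme or "unknown scheme"), ts)
    host = (parts.hostname or "").lower()   # urlsplit already lower-cases hostname
    if host not in APPROVED_PHI_DESTINATIONS:
        return Decision(user, url, False, "destination not approved for e-PHI", ts)
    return Decision(user, url, True, "approved destination over HTTPS", ts)


def audit_record(decision: Decision) -> str:
    """Audit-control output: one JSON line per decision, allowed or not,
    so that access to and attempted movement of e-PHI can be examined later."""
    return json.dumps(asdict(decision), sort_keys=True)


if __name__ == "__main__":
    # Constructed sample traffic: (user, url, carries_phi)
    samples = [
        ("dr.smith", "https://claims.example-clearinghouse.net/submit", True),
        ("dr.smith", "http://claims.example-clearinghouse.net/submit", True),
        ("billing", "https://files.example-personal-cloud.com/upload", True),
        ("billing", "http://news.example.com/", False),
    ]
    ctx = hardened_tls_context()
    print("TLS: min=%s check_hostname=%s" % (ctx.minimum_version.name, ctx.check_hostname))
    for user, url, phi in samples:
        print(audit_record(evaluate(user, url, phi)))
```

The second sample request is the case the safeguards exist for: the destination is approved, but the request is plain HTTP, so it is refused and the refusal itself is logged. Tightening the allow-list or the TLS floor is a policy change; the enforcement and audit code does not change.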

Conclusion

HIPAA (1996) and the implementing Privacy and Security Rules issued by the Department of Health and Human Services contain many complex provisions and should be reviewed on a regular basis by any covered entity’s security and administrative staffs for conformance. The intent of the Act is the protection of private health information via both administrative and technical safeguards. Cisco provides a range of security products that customers can use to meet many of the requirements outlined in the HIPAA standards, but only if the products are properly configured, maintained, and monitored. As stated earlier, deploying a single product or set of products will not, in and of itself, ensure HIPAA compliance.

References

  1. http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/securityrulepdf.pdf
  2. http://www.hhs.gov/ocr/privacy/hipaa/understanding/training/coveredentities.pdf 45 CFR §§ 160.102, 164.500
  3. http://www.hhs.gov/ocr/privacy/hipaa/understanding/summary/index.html
  4. http://www.hhs.gov/ocr/privacy/hipaa/understanding/srsummary.html



Healthcare in the Cloud: Benefits of Analyzing Patient Data

The Internet of Everything is altering not only our personal lives, but also business practices across every major industry – healthcare included. From telehealth to increasing caregiver efficiency to data sharing, the IoE enables opportunities for improvement. But with these new connections and advances in healthcare technology, many physicians and healthcare professionals are skeptical of this new wave of advancements.

How do you appease these apprehensions? Hosting in environments that are HIPAA compliant to start. But consider the opportunities to use large data sets of a population for better treatment.

Cloud opens opportunities to utilize the Internet of Things to better treat cities, states, countries and the entire world. Physicians have begun using multiple devices to track patient information because cloud environments and applications can provide omnipresent access to medical records, as well as increase the opportunity for communication among other physicians. For example, when flu season rolls around, data can be gathered and analyzed from previous seasons to better inform the endangered cities of when the flu season will begin.

Dr. Jeffrey Brenner decided to see where rising healthcare costs were actually being spent; his research is discussed in The Human Face of Big Data.

Brenner, working from a memory drive containing the records of 600,000 hospital visits, built a map linking hospital claims to patients’ addresses. When he analyzed the patterns in the data, the results surprised him: about 1,000 people accounted for 30% of hospital bills, because these patients were showing up in the hospital time after time.

Healthcare in the Cloud

Furthering the connection between data and the cloud, 63% of consumers surveyed said they were comfortable having their medical records stored in the cloud. Moving the patient record to the cloud creates more opportunity to analyze cross-population data, better evaluate care protocols, and support evidence-based medicine. In addition, using the cloud to analyze patient data creates more opportunities for collaboration and continuity of care, allowing experts from around the world to share their expertise in a secure and seamless environment. It also simplifies scaling and gives smaller organizations, or providers with fewer resources, room to expand that they would not have in non-cloud, on-premises environments.

As we continue to virtualize more and more aspects of our lives, we will move toward a wholly cloud-based healthcare system. Ahead are the days when healthcare providers deliver unique patient experiences securely through cloud-based services running in purpose-built private and healthcare community clouds.

To read more insights on the cloud, visit our Cloud Perspectives page. Also, be sure to join the conversation – follow @CiscoCloud and use the hashtag #CiscoCloud or leave a comment below.

Read some of our past stories of how cloud and The Human Face of Big Data are changing our personal and professional lives:

 


Cisco ACI adds New Security and Application Delivery Vendors to Ecosystem: A10 Networks and Catbird

February 3, 2014 at 4:00 am PST

Cisco announced last week that its rapidly expanding ACI ecosystem now includes the A10 Networks aCloud Services Architecture based on the Thunder ADC Application Delivery Controllers, as well as the Catbird IDS/IPS virtual security solutions. These new ACI ecosystem vendors are announcing support for the ACI policy model and integration with the Application Infrastructure Policy Controller (APIC) which will accelerate and automate deployment and provisioning of these services into application networks. This should also resolve any speculation that the ACI ecosystem would not be including technology vendors that compete with Cisco’s other lines of business, as Cisco expands the solution alternatives for customers.

Each of the solutions will rely on two primary capabilities of the APIC and ACI to provide a policy-based automation framework and policy-based service insertion technology. A policy-based automation framework enables resources to be dynamically provisioned and configured according to application requirements. As a result, core services such as firewalls, application delivery controllers (ADC) and Layer 4 through 7 switches can be consumed by applications and made ready to use in a single automated step.

A policy-based service insertion solution automates the step of routing network traffic to the correct services based on application policies. The automated addition, removal, and reordering of services allows applications to quickly change the resources they require without the need to rewire and reconfigure the network or relocate the services. For example, if the business decides to use the web application firewall found in a modern ADC as a cost-effective way of meeting a PCI requirement, administrators would simply redefine the policy for the services to be used by the related applications. The Cisco APIC can distribute the new policies to the infrastructure and service nodes in minutes, without requiring the network to be changed manually.

