From peeking at Brittany Spears medical records to the theft of almost five million medical records from a tape back-up, no healthcare issue garners more adverse publicity, or passion, than violations of patient privacy. While you might expect that since the institution of HIPAA and quarter million dollar fines that this is relatively uncommon now, you would be wrong. A stunning incidence of nearly 18 million breaches of privacy has occurred over the past two years according to a recent report from ANSI, the American National Standards Institute. That is equivalent to the population of the states of Florida or New York.
As the world moves towards adoption of Electronic Health Records and Health Information Exchanges, concern for the vulnerability of private health information is escalating as the scale of these data breaches reach epic proportions. A West Coast health care system experienced the theft of electronic health information for 4 million of its patients. And another major academic medical center inadvertently disclosed the electronic health records of 20,000 of its patients. The risks are real and global. And they leave an organization -- any organization -- subject to severe legal and financial damage, not to mention the damage to their reputation. None of these organizations were cavalier about their security compliance. But let’s face it, the workforce is larger and more mobile. The data is more prolific and ubiquitous and takes on many different forms. And the thieves are getting more sophisticated.
But so are the solutions. In the past, it was necessary to balance mobility with security-the more mobile, the less secure. Not anymore. Cisco’s AnyConnect combines industry-leading Cisco cloud and premises-based web security and next generation remote access technology to deliver the most robust and secure enterprise mobility solution on the market today.
The realm of Network security encompasses many perspectives and interests as is evident from the wealth of articles prevalent across the media and availability of various proactive protection measures. One particular technology recognized as integral to securing a network is the Intrusion Prevention System (IPS), which is used to detect and prevent suspected malicious network traffic or behavior. However, an IPS is not just a ‘set-it-and-forget-it’ type of solution. This is because of the necessity of employing current Cisco IPS signatures, which are the lifeblood of the IPS and are essential for it to identify and block attacks against specific vulnerabilities or certain types of threats. Because new threats and vulnerabilities are constantly being discovered, the IPS signature database for an IPS-capable device needs to be kept current to maximize the level of protection that it can provide. If you already use Cisco IPS technology, then you might already be familiar how crucial it is to use the most current IPS signatures. Otherwise, the IPS solution cannot provide optimal protection against new threats and attacks. Cisco IPS owners with a Cisco IPS Services License understand this fact and can receive signature updates as they become available. Signature updates can be installed manually or downloaded and installed automatically using native Cisco IPS capabilities or management tools such as Cisco Security Manager. For those inclined to write their own signatures, Cisco has published documentation on how to write customer signatures for the IPS.
And while the signatures are the “lifeblood” of the IPS and keeping them current is paramount, it is also important to make sure that the underlying operating system is kept up to date on the sensor as well. The underlying operating system and engines decompose and analyze the traffic as it passes through the device. Things like protocol decoding, features, and evasion resistance are handled here. The engines work but do not alert without the signature set as the signatures provide the matching framework for an alert to fire. The same can be said about the signatures. They do not work without the engines. Each requires the other to function and therefore keeping them both current is important.
A recent highway project in Orlando had proposed that an off-ramp be built for a future neighborhood and development center. Because the area was planned for future development, this caused some debate within the community. Some argued that that there was no point to spending money on something that might not be possible in the future. Others argued that it was good idea to build the off-ramp and spend the money now so when the neighborhood and development center was ready, a cost savings would occur since building it now would save money in the future. Both sides have good arguments and after some healthy debate, the off-ramp was built for the future neighborhood and development center, which both are now thriving.
Well, what does this have to do with Cisco and wireless technology? This is a good example of how the 3600 Access Point was designed. Even with the pressures of time to market and cost management, the development team took the extra time to add the option for future modular expansion. The same debates in the Orlando community took place here between development engineering and product management. “It will cost too much and delay the release of the product (especially in an industry where time to market is essential)” versus “Let’s have modularity so we can address whatever future technology is available so our customers can take advantage of it without having to rip & replace their APs”. We like to say we’re “future proofing” the AP.
Well, the future proofing argument won, and the 3600 was released last January with an expansion module for additional features and emerging technology. Already in May we announced the 802.11ac Radio Module that will support the emerging standard.
Now, we have another addition to this expansion: the Security and Monitor Module. Read More »
Payment Card Industry (PCI) compliance can often be overwhelming for all enterprises, let alone small and medium businesses (SMBs). Given limited budgets and IT resources, SMBs face an even greater challenge than large enterprises.
The PCI Data Security Standard (DSS) 2.0 is complex on several levels:
It requires expertise on a range of network systems and security technologies.
It requires continual monitoring and management of access to cardholder data.
There is no “silver bullet” technology that can address a growing list of detailed standards and requirements. Technologies such as encryption, tokenization, as well as Europay, MasterCard, and Visa (EMV) smartcards address portions of your infrastructure, but none provide a single compliance solution.
It’s dynamic and requires ongoing diligence. Being compliant at the time of your audit is a snapshot in time that requires simplified maintenance.
These requirements take time, effort and funding, which are all in short supply in SMBs.
Help is at hand. Cisco and many of its partners offer cost-effective PCI compliance services--including assistance for SMBs as they complete their self-assessment questionnaire or assess PCI readiness. In a recent article authored by Cisco and partners Verizon Business and Presidio, we examine ways to simplify compliance for small and medium businesses. Learn the 5 key strategies to securing your customer information while incorporating security best practices from Aaron Renolds, QSA and Principal Consultant at Verizon Enterprise Solutions and Sean Wallis, Senior Security Consultant at Presidio Networked Solutions.
Advice to Managers: Five Ways to Simplify Your PCI 2.0 Compliance:
I have a thing for metaphors. I wrote my dissertation on them. And they have helped me enormously as a non-engineer working in IT security.
Metaphors are powerful tools (that’s a metaphor, by the way). Literally referring to something as something else enables us to make mental connections between concepts that are not really the same. War and weapons have proven historically useful metaphors. In wartime, everything changes. We look at the situation, our opponents, and even ourselves very differently (I like the image of a noble warrior on the battlefield more than that of a guy who spends most of his day sitting and typing…)
But metaphors also cause trouble, especially when we use them to over-simplify. I am skeptical of “security as war” metaphors, including that of the arms race. The metaphor detracts from the very real threats of cyber- and information warfare. War doesn’t define security any more than war defines firearms. Unless we are specifically talking about threats from nation states (and a few other actors) using information technology as part of armed conflict, we are not talking about war. And this is not what we are usually talking about in information security.