24 August 2009

Health Care: Operational Risk on Steroids...

Health Care Sector Operational Risk Management is on the front burner once again. Recent changes to federal law governing health information suggest expanded regulation, increased enforcement, and significantly enhanced penalties could be on the horizon for businesses not previously subject to HIPAA. The Health Insurance Portability and Accountability Act (HIPAA), which was amended by the American Recovery and Reinvestment Act of 2009 (ARRA) in February, regulates the use of, access to, and dissemination of healthcare information. The increased scrutiny of our own health related personal identifiable information is only the beginning of a national platform for health care. Personal health records will be highly sought after by criminal organizations to help them with extensive online extortion schemes so they can monetize the stolen information.

Does your business or organization have a website that allows people to maintain their medical information online? Do you provide applications for personal health records – say, a device that allows people to upload readings from a blood pressure cuff or pedometer into their personal health record?

The American Recovery and Reinvestment Act of 2009 includes provisions to strengthen privacy and security protections for this new sector of web-based businesses. The law directed the Federal Trade Commission to issue a rule requiring companies to contact customers in the event of a security breach. After receiving comments from the public, the FTC issued the Health Breach Notification Rule.

Transnational economic crime syndicates that have been fueled by the failures in systems and people at institutions in the financial services industry may now be getting a better source to perpetuate their wave of extortion . Just think about the phishing e-mail that goes out to the hundreds of thousands of people who have a particular type of medical condition or are taking a specific drug to help a particular medical diagnosis. Revealing the names, occupations and other relevant information on the subset of male politicians running for office that are currently taking the Pfizer drug for ED or the subset of women talk show hosts that are taking the drug Xanax may have some individuals willing to pay up the 500 or 1000 dollars being demanded from the criminals that stole the Protected Health Information (PHI).

As the United States speeds along towards the consensus on a national health care system the risk of health care data breaches will be rising. Where a doctor had a small staff helping with the back office to bill insurers and where the health care information systems vendors were in high demand you will now have the nexus of targets that cyberspace criminals will be focused on. Like the consumer retailers who rely on third party credit card processing companies to take care of the millions of annual point-of-sale transactions, so too will the consumers of health care services at the retail level. Doctors offices, pharmacies and out patient or triage centers.

The HHS and FTC interim rules were mandated by more stringent privacy and security requirements outlined in the American Recovery and Reinvestment Act of 2009 (ARRA) for Health Insurance Portability and Accountability Act of 1996 (HIPAA) covered entities and business associates and certain non-HIPAA-covered entities.

"This new federal law ensures that covered entities and business associates are accountable to the Department and to individuals for proper safeguarding of the private information entrusted to their care," said Robinsue Frohboese, acting director of the HHS Office for Civil Rights.

HHS and FTC said their rules were intentionally written to be harmonious with one another. The entities covered by either rule have up to 60 days to notify individuals whose information was accessed without authorization. If the breach involves PHI belonging to 500 or more people, entities must alert the media and either HHS or FTC, depending on which rule they are subject to. If the breach involves less than 500 people, the entities must keep a log of the incident to be submitted to either HHS or FTC at the end of the year.

Unlike the motive to utilize the information from a compromised credit card to monetize through additional fraudulent purchases, the new health care criminal syndicates will find their own niches. Whether there is a continued attempt at utilizing the PHI for spear phishing attempts at specific individuals online or a more broad use of PHI to steal ones identity to obtain health services at hospitals or physicians offices, the impact could now turn more deadly:

Medical identity theft is potentially lethal to its victims. When the identity thief obtains medical treatment, medical records are created in the name of the victim. When treatment occurs in the same locality as the victim, the treatment of the thief can be appended to local medical records of the victim. With the strong movement towards electronic medical records, all those under the victim’s name and social security number can be collated in seconds. Once the thief’s medical records are collated with the victim’s, there is a risk of mistreatment of the victim, which can potentially lead to death.

Lind Weaver, a retired school teacher, was harassed by a bill collector for a medical bill for the amputation of her foot. The problem was that Weaver still had two feet. Foot amputations are associated with diabetes, a disease that Weaver did not have. Months later Weaver suffered a heart attack, when she awoke in the hospital a nurse asked her which type of drugs she was taking for her diabetes. Had Weaver underwent heart surgery as a diabetic, mistreatment could have been life threatening.


Protected Health Information will continue to be a challenge for those institutions that are trying to achieve a "Defensible Standard of Care" in the decade ahead. The wave of risks associated with online banking and the technologies driven by consumers thirst for financial information will seem non-consequential compared to what we are about to experience in the online health care industry.

17 August 2009

Business Resilience: Beyond Readiness...

The continuity of your telecom operations is an operational risk that in many cases is underestimated until a significant business disruption occurs. When telecom is down, this means a combination of voice and data services that serve your business enterprise may not be available. The resilience of both the voice and data communications is the holy grail of continuity of operations and disaster recovery professionals on a global basis.

Business Resilience and the ability to effectively anticipate or absorb the impact of an incident, whether man made or as a result of a natural phenomenon differentiates your suppliers. When is the last time you tested your Tier I service supplier for a mission critical business process to determine the ability to keep their voice and data services running during a time of crisis? And maybe more important, is your own enterprise Incident Command system survivable so that you can provide voice leadership to your "Incident Commanders" where ever they may be located?

Until now, telework, disaster recovery and business continuity professionals have primarily been limited to expensive, hardware-based, or location-specific solutions that remain inherently vulnerable. TeleContinuity’s end-user driven and “virtual” service solution is predicated on turning the traditional disaster recovery and business continuity model on its head. Instead of focusing on protecting centralized telecom infrastructure and equipment-based assets; pre-planning for employee relocation; and location-specific solutions designed to enfranchise only a select number of key executives -- TeleContinuity assumes the entire telecom capability of the enterprise is wiped out and that all employees and key executives are individually scattered to a myriad of undetermined locations.

Unencumbered by the traditional telco infrastructure mentality or by the business agendas of telecommunication hardware or IP equipment vendors, TeleContinuity’s founders synthesized the best design elements of PSTN, Internet, and dynamic call center technologies to create a seamless, ubiquitous, and fully resilient outsourced services solution. There is no equipment to buy. We do not touch the customer’s PBX. A customer does not need to change their carrier relationship.

Additionally, TeleContinuity can provide your organizations all the capabilites that they need on a daily basis so that you can work remotely from any location with access to the infrastructure that makes your data and voice applications usable.

Telecontinuity is just one good example of how to make your organization more business resilient. As we approach the middle of the Hurricane season here in the U.S., you can understand why having energy to power systems is an important aspect of most COOP discussions. This simple yet valid argument for back-up power has been going on for a decade or more. Yet not until the last several years as Iraq, Afghanistan and other places that have been the result of some of our most horrific displays of "Mother Nature's" wrath on domestic urban infrastructure has energy innovation become commercialized.

White Door offers a proprietary line of portable towers systems fueled by non-traditional power sources. These self-powered towers can be rapidly deployed to satisfy physical security and communications requirements in areas where conventional power is not readily available or too expensive to deploy.

Utilizing alternative energy power sources including solar panels, wind turbines and hydrogen fuel cells, the towers have been designed to power communications and security systems for both long term and short term requirements. Completely independent of the power grid, they eliminate the costs of trenching and physical bandwidth provisioning, are flexible to place and relocate, and easily upgraded because they utilize COTS (commercial-off-the-shelf) integrated security and communication systems. These mobile trailer-towers offer an effective, reliable and energy efficient platform to power mission critical applications anywhere in the world.


White Door provides resilience to the warfighter, first responder or the corporate enterprise in their quest for alternative power and communications capabilities. When it comes to planning for the next Hurricane Katrina or the "Tip of the Spear" overseas operations readiness, resilient business organizations need to implement robust planning, exercises and systems to be able to overcome the operational risks that are before them.

Power blackouts are the catalyst for many risks to the critical infrastructure including Transportation, Internet, Voice commmunications and even those services that you take for granted like pumping gas at the local petrol station or emergency services at the local hospital. September is DHS Preparedness Month in the US and the focus is once again on the physical readiness of our nation.

There is however another facet of readiness that is slowly getting attention across the landscape of data systems blackouts, such as the mission critical applications we utilize almost everyday such as Online Banking and Voice Over Internet Protocol (VOIP) for voice communications. Cyberspace as we know it is so embedded into most of the mission essential aspects of business today that our readiness factor needs to go well beyond redundant power supplies and battery back ups for power. Cyber-Readiness is a key component of any organizations plan to stay resilient in the face of a Distributed Denial of Service Attack (DDOS) and other cyberspace exploits that disrupt our operations.

Federal prosecutors on Monday charged a Miami man with the largest case of credit and debit card data theft ever in the United States, accusing the one-time government informant of swiping 130 million accounts on top of 40 million he stole previously.

Albert Gonzalez, 28, broke his own record for identity theft by hacking into retail networks, according to prosecutors, though they say his illicit computer exploits ended when he went to jail on charges stemming from an earlier case.

Do you think you're spending too much time with your team planning and training? You haven't. Success in your organization doesn't happen because everything goes according to the plan. It happens because you were prepared when things go wrong. The organizations whose team has planned for every possible scenario and trained together in live simulations will become the most successful in their strategy execution. Their missions will be accomplished on time and within budget.

Incidents of different severity and frequency are happening around you and your organization every day. Would your employees know what an incident looks like let alone know what to do next to mitigate the risk to them and the organization?

07 August 2009

Cloud Security: OPS Risk in a Virtual Infrastructure...

"Cloud Computing" is heating up as the information centric business enterprise looks for new economic strategies to reduce costs, save energy, and share expensive resources. Cloud Security is getting into the discussion simultaneously as the lobbyist alliances make their way around the "Obama Beltway." The Cloud Security Alliance held it's symposium this past week at Mitre to set the stage for it's 501(c)(6) activities in the federal agencies.

Welcome to the topic of more effective "Operational Risk Management" as an increasing relevant strategic mandate for the future of enabling enterprise business resilience and achieving a defensible standard of care. Cloud Computing is already here and rapidly accelerating into the way business is leveraging the economies of scale, efficiency of provisioning new users, lowering energy and overhead costs and rapidly gaining new found applications. Why wait around for the IT department any longer? All the headaches of procuring, maintaining and supporting the physical infrastructure of large Information Technology operations is seemingly going to disappear. Or is it?

What once could be called that minor headache could quickly turn into a major migraine or subarachnoid hemorrhage. When a data breach, denial of service (DoS) or business disruption occurs it will most certainly be on a more massive scale that requires a substantial response to contain the bleeding. If you thought disaster recovery and continuity of operations (COOP) was something you could ignore until you ultimately had an incident, that mindset is certainly over.

Attack on Twitter Came in Two Waves

The meltdown that left 45 million Twitter users unable to access the service on Thursday came in two waves and was directed at a single blogger who has voiced his support for the Republic of Georgia in that country’s continuing conflict with Russia.

Facebook’s chief security officer, Max Kelly, told CNet that the attack was aimed at a user known as Cyxymu, who had accounts on Facebook, Twitter, LiveJournal and other sites affected by Thursday’s cyberassault.

In an interview with The Guardian, the blogger said he believed the strike was an attempt to silence his criticism on the behavior of Russia in the conflict over the South Ossetia region in Georgia, which began a year ago on Friday.

How did a targeted attack against a single user manage to cripple Twitter for almost an entire day?

As Cloud Computing takes businesses into a greater degree of "Domestic Outsourcing" the risk factors change along with the legal risks of 3rd party or 4th party liability. Contractual service level agreements (SLA) that were used in the past for hosting a web site will be far greater in scope and with a table of loss events and their respective costs per incident by the minute of downtime. And this is just the beginning of the "What if's?" Some of these will be different than the normal offshoring risk management question sets.

Take eDiscovery and digital forensics for a minute. What is the difference between a lawful intercept and economic espionage? The name of the government behind it. With no perimeter and data everywhere who can say where your vital mission critical data actually is in the midst of the 100,000 sq. ft. server farm full of VMWare and racks of EMC storage? Even if you new exactly where it was located in the U.S., India or Singapore, what are the assurances that it is safe or safer than in your own facility? Even with 16 pages of security documentation controls and a SAS 70 Type II certification it may not be enough to defeat the "Fuzzing of VMware" and Hypervisor "Blue Pills".

At the MidAmerica Industrial Park in Oklahoma, amid a Gatorade plant, a pipe manufacturer and nearly 80 other companies, Google is piecing together a plain-looking 100,000-square-foot building it will stock with servers. Next to the industrial park stands a coal-fired electrical generating plant operated by the Grand River Dam Authority.

It helps that the price is right. Google's corporate headquarters sit in Mountain View, Calif. The average industrial electrical rate in the Golden State runs about 9 cents per kilowatt hour. In Iowa and Oklahoma, the meter runs at between 4 and 5.5 cents.

"Google is ... not the type of industry that is really dependent on location, since its product is Internet-based," said Justin Alberty, Grand River spokesman. "The real factors in choosing a location tend to be land, water and electricity."

Server farms, also referred to as data centers by the industry, are also becoming more common with the growth of "cloud computing." The term refers to companies building massive computing power and then renting that capacity out to other firms. Amazon, for one, sells not just books, but time on its servers to run Web sites or store electronic records.

In that way, computing is starting to look like the next utility. In the same way it would be inefficient for each home to have its own electrical generator, it can make sense for consumers and businesses to farm out their computing needs. Some analysts even see consumers buying less highly powered personal computers in the future and relying on firms like Google to fire up the necessary microprocessors when the demand requires.


Operational Risk is a key facet of Cloud Computing and the security of this growing IT strategy. Navigating the laws on the ground in advance of the unseen barriers in the cloud will provide the enterprise with significant hedges against the new emerging risks of the virtual infrastructure before you.