Monday, August 24, 2009

Health Care: Operational Risk on Steroids...

Health Care Sector Operational Risk Management is on the front burner once again. Recent changes to federal law governing health information suggest that expanded regulation, increased enforcement, and significantly enhanced penalties could be on the horizon for businesses not previously subject to HIPAA. The Health Insurance Portability and Accountability Act (HIPAA), which was amended by the American Recovery and Reinvestment Act of 2009 (ARRA) in February, regulates the use of, access to, and dissemination of health care information. The increased scrutiny of our own health-related personally identifiable information is only the beginning of a national platform for health care. Personal health records will be highly sought after by criminal organizations, which will use them in extensive online extortion schemes to monetize the stolen information.

Does your business or organization have a website that allows people to maintain their medical information online? Do you provide applications for personal health records – say, a device that allows people to upload readings from a blood pressure cuff or pedometer into their personal health record?

The American Recovery and Reinvestment Act of 2009 includes provisions to strengthen privacy and security protections for this new sector of web-based businesses. The law directed the Federal Trade Commission to issue a rule requiring companies to contact customers in the event of a security breach. After receiving comments from the public, the FTC issued the Health Breach Notification Rule.

Transnational economic crime syndicates that have been fueled by the failures in systems and people at institutions in the financial services industry may now be getting a better source to perpetuate their wave of extortion. Just think about the phishing e-mail that goes out to the hundreds of thousands of people who have a particular type of medical condition or are taking a specific drug for a particular medical diagnosis. Revealing the names, occupations and other relevant information on the subset of male politicians running for office that are currently taking the Pfizer drug for ED, or the subset of women talk show hosts that are taking the drug Xanax, may leave some individuals willing to pay the 500 or 1,000 dollars being demanded by the criminals that stole the Protected Health Information (PHI).

As the United States speeds along towards a consensus on a national health care system, the risk of health care data breaches will be rising. Where a doctor once had a small back-office staff to bill insurers, and where health care information systems vendors were in high demand, you will now have the nexus of targets that cyberspace criminals will be focused on. Just as consumer retailers rely on third-party credit card processing companies to handle millions of point-of-sale transactions each year, so too will health care services at the retail level: doctors' offices, pharmacies, and outpatient or triage centers.

The HHS and FTC interim rules were mandated by more stringent privacy and security requirements outlined in the American Recovery and Reinvestment Act of 2009 (ARRA) for Health Insurance Portability and Accountability Act of 1996 (HIPAA) covered entities and business associates and certain non-HIPAA-covered entities.

"This new federal law ensures that covered entities and business associates are accountable to the Department and to individuals for proper safeguarding of the private information entrusted to their care," said Robinsue Frohboese, acting director of the HHS Office for Civil Rights.

HHS and FTC said their rules were intentionally written to be harmonious with one another. The entities covered by either rule have up to 60 days to notify individuals whose information was accessed without authorization. If the breach involves PHI belonging to 500 or more people, entities must alert the media and either HHS or FTC, depending on which rule they are subject to. If the breach involves fewer than 500 people, the entities must keep a log of the incident to be submitted to either HHS or FTC at the end of the year.

Unlike the motive to monetize a compromised credit card through additional fraudulent purchases, the new health care criminal syndicates will find their own niches. Whether PHI is used for continued spear phishing attempts against specific individuals online, or more broadly to steal one's identity in order to obtain health services at hospitals or physicians' offices, the impact could now turn more deadly:

Medical identity theft is potentially lethal to its victims. When the identity thief obtains medical treatment, medical records are created in the name of the victim. When treatment occurs in the same locality as the victim, the treatment of the thief can be appended to local medical records of the victim. With the strong movement towards electronic medical records, all those under the victim’s name and social security number can be collated in seconds. Once the thief’s medical records are collated with the victim’s, there is a risk of mistreatment of the victim, which can potentially lead to death.

Lind Weaver, a retired school teacher, was harassed by a bill collector for a medical bill for the amputation of her foot. The problem was that Weaver still had two feet. Foot amputations are associated with diabetes, a disease that Weaver did not have. Months later Weaver suffered a heart attack. When she awoke in the hospital, a nurse asked her which type of drugs she was taking for her diabetes. Had Weaver undergone heart surgery as a diabetic, mistreatment could have been life threatening.


Protected Health Information will continue to be a challenge for those institutions that are trying to achieve a "Defensible Standard of Care" in the decade ahead. The wave of risks associated with online banking and the technologies driven by consumers' thirst for financial information will seem inconsequential compared to what we are about to experience in the online health care industry.

Friday, August 07, 2009

Cloud Security: OPS Risk in a Virtual Infrastructure...

"Cloud Computing" is heating up as the information-centric business enterprise looks for new economic strategies to reduce costs, save energy, and share expensive resources. Cloud Security is entering the discussion at the same time as the lobbyist alliances make their way around the "Obama Beltway." The Cloud Security Alliance held its symposium this past week at Mitre to set the stage for its 501(c)(6) activities in the federal agencies.

Welcome to the topic of more effective "Operational Risk Management" as an increasingly relevant strategic mandate for the future of enabling enterprise business resilience and achieving a defensible standard of care. Cloud Computing is already here and is rapidly accelerating into the way business leverages economies of scale, provisions new users efficiently, lowers energy and overhead costs, and rapidly gains newfound applications. Why wait around for the IT department any longer? All the headaches of procuring, maintaining and supporting the physical infrastructure of large Information Technology operations are seemingly going to disappear. Or are they?

What once could be called that minor headache could quickly turn into a major migraine or subarachnoid hemorrhage. When a data breach, denial of service (DoS) or business disruption occurs it will most certainly be on a more massive scale that requires a substantial response to contain the bleeding. If you thought disaster recovery and continuity of operations (COOP) was something you could ignore until you ultimately had an incident, that mindset is certainly over.

Attack on Twitter Came in Two Waves

The meltdown that left 45 million Twitter users unable to access the service on Thursday came in two waves and was directed at a single blogger who has voiced his support for the Republic of Georgia in that country’s continuing conflict with Russia.

Facebook’s chief security officer, Max Kelly, told CNet that the attack was aimed at a user known as Cyxymu, who had accounts on Facebook, Twitter, LiveJournal and other sites affected by Thursday’s cyberassault.

In an interview with The Guardian, the blogger said he believed the strike was an attempt to silence his criticism on the behavior of Russia in the conflict over the South Ossetia region in Georgia, which began a year ago on Friday.

How did a targeted attack against a single user manage to cripple Twitter for almost an entire day?

As Cloud Computing takes businesses into a greater degree of "Domestic Outsourcing," the risk factors change along with the legal risks of 3rd party or 4th party liability. Contractual service level agreements (SLA) that were once used for hosting a web site will be far greater in scope, and will include a table of loss events and their respective costs per incident by the minute of downtime. And this is just the beginning of the "What if's?" Some of these will be different from the normal offshoring risk management question sets.

Take eDiscovery and digital forensics for a minute. What is the difference between a lawful intercept and economic espionage? The name of the government behind it. With no perimeter and data everywhere, who can say where your vital mission-critical data actually is in the midst of the 100,000 sq. ft. server farm full of VMware and racks of EMC storage? Even if you knew exactly where it was located in the U.S., India or Singapore, what are the assurances that it is safe, or safer than in your own facility? Even with 16 pages of security documentation controls and a SAS 70 Type II certification, it may not be enough to defeat the "Fuzzing of VMware" and Hypervisor "Blue Pills".

At the MidAmerica Industrial Park in Oklahoma, amid a Gatorade plant, a pipe manufacturer and nearly 80 other companies, Google is piecing together a plain-looking 100,000-square-foot building it will stock with servers. Next to the industrial park stands a coal-fired electrical generating plant operated by the Grand River Dam Authority.

It helps that the price is right. Google's corporate headquarters sit in Mountain View, Calif. The average industrial electrical rate in the Golden State runs about 9 cents per kilowatt hour. In Iowa and Oklahoma, the meter runs at between 4 and 5.5 cents.

"Google is ... not the type of industry that is really dependent on location, since its product is Internet-based," said Justin Alberty, Grand River spokesman. "The real factors in choosing a location tend to be land, water and electricity."

Server farms, also referred to as data centers by the industry, are also becoming more common with the growth of "cloud computing." The term refers to companies building massive computing power and then renting that capacity out to other firms. Amazon, for one, sells not just books, but time on its servers to run Web sites or store electronic records.

In that way, computing is starting to look like the next utility. In the same way it would be inefficient for each home to have its own electrical generator, it can make sense for consumers and businesses to farm out their computing needs. Some analysts even see consumers buying less highly powered personal computers in the future and relying on firms like Google to fire up the necessary microprocessors when the demand requires.


Operational Risk is a key facet of Cloud Computing and the security of this growing IT strategy. Navigating the laws on the ground in advance of the unseen barriers in the cloud will provide the enterprise with significant hedges against the new emerging risks of the virtual infrastructure before you.