Archive for September, 2010

As the Mobile Health Expo 2010 gets underway next month, we’ll feature experts on the topic of mobile health. This week, VPN Haus interviews Dr. Ruchi Dass, mHealth champion and council member for the Gerson Lehrman Group, in a three-part series on mobile health. Dass has been involved in specific healthcare IT, e-learning and ICT projects for the public/private sector in India.

VPN Haus: What are the major trends you’re noticing in healthcare mobility?

Dr. Ruchi Dass: In a country like India where the doctor to patient ratio is 1:900, doctors are a few and work is 24/7. Patients demand low costs, and timely and quality healthcare coverage. For healthcare enterprises, patient data is critical to collect and manage. Hence [mobile] health is primarily aimed at bridging the economic divide in terms of healthcare. Mobility is the key here- many healthcare enterprises which are spread over 10-20 establishments in India are now using VPNs as the enabling technology which allows doctors to use standard public Internet ISPs and high-speed lines to access closed private networks. A simple use case for this is to access virtual patient health records and there are other wireless technologies designed specifically for use in the provision of healthcare, like:

  • Standard mobile enterprise services used by health-care workers, such as remote access to e-mail and health-information systems;
  • Mobile applications to meet a specific need of medical workers, such as mobile prescriptions and remote diagnoses;
  • Applications that play a direct role in the provision of care, such as mobile data collection and wireless transmission of health data; and
  • Consumer-targeted applications to encourage health and help prevent illness.

VPN Haus: What are the security concerns around these trends?

Dass:  Security of patient data is important. Even if you comply with HIPAA, it doesn’t have that depth and breadth of protection, which is required as health care is comprised of exceedingly complex information environments that demand comprehensive patient data security approaches especially when the data is shared across networks. For a simple use case of accessing a patient’s Virtual Electronic Patient Records with a wireless device, there are 3 main security issues to address:

1. To Authenticate & authorize from the wireless to the wired network
2. Secure data share in transit
3. Integrity & good resolution in the information that is requested and visualized by the users/doctors.

Stay tuned, next week we’ll continue our conversation with Dass, discussing the most overrated and underrated mobile health security risks.

Oct 7 – Oct 14

CrunchGear, Back To School: Trying Our Best To Stay Safe Online In 2010
CSO, Are You Too Perfect To Be An Effective Security Manager?
Download Squad, Google To Make Apps Accounts More Secure With Two-Factor Authentication
SearchSecurity, Jaquith on Forrester’s Endpoint Security Management Zero Trust Model
Security Management, Network Security’s Achilles Heel: End-User Rights

We continue our conversation with Jennifer Jabbusch, a network security engineer and founder of the blog Security UnCorked who recently tweeted a thought-provoking comment, “NAC is a philosophy, not a technology.”

VPN Haus: What do you think caused NAC’s dismal market performance and why do you think it’s changing?

Jabbusch: The birth of “Franken-NACs.” I say this all the time. The industry created the confusion and the vendors have perpetuated it by creating homegrown products and labeling them ‘NAC’ so they can play in the market. Look at the NAC vendors – we have everything from switch manufacturers (such as Cisco, Juniper, HP, Enterasys) to software and application vendors (such as Symantec, McAfee). Very few vendors started off with a dedicated NAC solution (Bradford is one of those). In what other world does an antivirus vendor and a router manufacturer have the same product? None. It’s ludicrous. Everyone saw a market opportunity and took whatever product they had and turned it into a NAC. Well, they turned it into something they *call* NAC. Each vendor approaches NAC from a completely different angle, with a similar set of marketed features and completely diverse ways of accomplishing them. The market confused the public and the public threw their hands in the air and said “I give up.” The failed implementations have killed the market growth.

VPN Haus: How are vendors getting better at embracing NAC, rather than stirring up more confusion?

Jabbusch: Standards! Standards and common frameworks will be the saving grace of NAC, and vendors that embrace these standards are the ones bringing NAC out of that dismal market performance. By having common frameworks, the vendors can offer similar solutions with similar functionality under the hood and THAT will decrease the confusion in the market.

VPN Haus: What is the major misconception about NAC that you’d like to set straight?

Jabbusch: There’s not one best NAC. Different solutions work better in different environments. There are a few that are universally good across the board, a few that are perfect fits and many that will be horrible matches for any one environment. Consumers and vendors need to understand that so they can pick something that works.

For Part 1 of this series including more on why Jabbusch sees NAC as a philosophy, click here.

What We’re Reading, Week of 9/13

Posted: September 17, 2010 in Uncategorized

Computerworld, Security Experts Warn of Hot-Spot Dangers
The Chief Engineer, Addressing WiFi Issues
eSecurityPlanet.com, CCNY Students Feel Sting of Data Security Mishap
SmallBusinessComputing.com, Keep Your Small Business Mobile, Connected and Secure
Computerworld UK, Oxford University Revamps Remote Access With Tokens
Dark Reading, Firewalls Top Purchase Priority In 2010, Survey Says

We continue our conversation with Martin McKeay, a seasoned IT security professional dedicated to spreading awareness about security and privacy through his “Network Security Blog” and podcast series.

On whether PCI standards will strengthen:

I think the standards are going to change, but slowly. They’ll change faster than a federal mandate could, and I think that’s their strength. The PCI standards 2.0 should be released in October, but from what we’re seeing right now, there are no major changes.

I’m hoping some of the other special interest groups working behind the scenes will provide some clarity and some guidance on new technologies. But even that’s going to take awhile, so I don’t see any major changes in the next few years.

On the technologies he’d like to see recommended in the PCI standards:

Hopefully, we’re going to see tokenization and end-to-end encryption as technologies the PCI Council recognizes and encourages more people to use and implement. Both of those are still nascent technologies.  They are technologies that a lot of people are trying to figure out and implement. But neither has an accepted industry definition or an accepted industry implementation.

On his definition of end-to-end encryption and tokenization:

End -to-end encryption is when you encrypt a credit card from the moment you take the information to the end. I feel that unless you’re encrypting from the moment you take the credit card, it’s not end-to-end encryption. But that’s open to interpretation. There are technologies that call themselves end- to-end [but don’t do that]. But it’s a nascent technology that is still being defined, and it hasn’t been implemented fully,  except in a few cases.

Tokenization is a form of encryption. You have a tokenization server that would encrypt the credit card number and give you back a number that you can use in your database. This number would look like a credit card number, but it would have no actual real relation to the credit card number.  You have the credit card information available in your server, but in your more public-facing databases, you have a number with no direct relation.

For Part 1 of this series, click here.