Archive for November, 2010

This week, we feature the third part in our series with Shahid Shah, an enterprise software analyst who specializes in healthcare IT with an emphasis on e-health, EMRs, data integration, and legacy modernization. He is also founder of the popular Healthcare IT Guy blog.

VPNHaus: What role does HIPAA play in mobile health?

Shahid Shah: Quite a bit because mobile devices are not treated any differently than any other computing device. If you’re running any application that has patient data on it, you must treat it the exact same way. It doesn’t matter if it’s on a computer or paper. That is, privacy must be protected using the rules and regulations laid out by HIPAA.

This essentially means you have to encrypt data in transit and data at rest. If you’re dealing with a server and physical security, encryption at rest isn’t as big of a deal. It really comes into play for mobile devices. It’s important to point out that with healthcare applications on mobile devices, it’s very difficult to enforce HIPAA regulations. Just because someone sets up a device to be secure, it doesn’t mean three months later that it’s operating that way.

VPNHaus: Do you think healthcare organizations do a good job of provisioning people on-and-off the network as appropriate?

Shah: Healthcare has roughly the same approach as other enterprises. That is, pretty poorly. How seriously people take provisioning is directly related to how big you are and how big your IT department is. A lot of companies do single sign-on solutions for provisioning but the most common reason for this is they don’t have central administration or the healthcare applications don’t support single sign-on. But once you have central administration, it becomes much easier.

VPNHaus: What other trends do you see in mobile health security?

Shah: The wireless sector is picking up steam because the numbers are really exciting for some people and really dangerous for others, depending on if you’re the guy handling the wireless. It’s exciting because the adoption rate in the healthcare sector is significantly higher than in other commercial sectors. When we think of wireless we think of mobile phones, but that’s just one small area.

For the first two parts of this series, click here, and for more on upcoming trends on mHealth, see next week’s post.

Enterprise Networking Planet, Seven Security Policies for the IPv6 Network of the Future
Forbes, A Call To Arms For Enterprise Mobile Security
Heavy Reading, Next-Gen Security Strategies for Mobile Network Infrastructure
Network World, Enterprises Want Broad Functionality for Mobile Device Security
ZDNet, Use IPv6 in Windows 7 Today

Info Security, ZeuS Now Targeting Enterprise Access Gateways
InfoWorld, End-Users With Admin-Level Access Put Your Network Security at Risk
PC World, Lock Down Your Android Devices
Tech Republic, Five Tips for Remotely Administering Desktops
ZDNet, Use IPv6 in Windows 7 Today

VPN Haus continues its conversation with PCI compliance expert Anton Chuvakin about the latest updates to PCI DSS 2.0, issued late last month.

VPN Haus: Do the new standards leave too much open to merchant’s interpretation?

Anton Chuvakin: This is really a $1 million question and only practice will tell. I think the 2.0 version leaves less than before to interpretation. For example, virtualization was a big question mark in many merchants’ minds and now it is resolved. Many other questionable and debatable points are clarified, but I am sure merchants will come up with more excuses as PCI DSS 2.0 is implemented in practice.

VPN Haus: Do you think pushing the DSS lifecycle from 24 months to 3 years will stagnate the rate of change? Or will it allow more time to investigate and build support around necessary changes?

Chuvakin: Well, I will side with [PCI General Manager Bob Russo] on this one: PCI DSS is getting mature enough to not need change that frequently. While some assault the standard as “not being dynamic,” in reality doing what PCI DSS prescribes and doing it well, by following the spirit and not only the letter, will equip organizations for dealing with today’s and – in my opinion – tomorrow’s threats. For example, the recent Verizon PCI report showed that non-compliant organizations seem to fare worse, which indirectly confirms that PCI DSS in its current form helps reduce the risk of data theft.

See previous interviews VPN Haus did with Chuvakin on PCI compliance here and here.

InfoTech Spotlight, Network Security is More Valuable Than you Think
Enterprise Networking, Network Security Concerns Small Businesses
Network Computing, Cisco survey: Disconnect Between End Users And IT Over Device Use Policy
Network World, Firesheep, Blacksheep, and Protecting Your Wi-Fi Data