There are three different federal identity theft protection bills working their way through Congress, and certain provisions of the Health Information Technology for Economic and Clinical Health Act (HITECH), which updates HIPAA, will go into effect February 17th. HITECH not only adds breach notifications, but also extends coverage to a much broader range of organizations, including Web-based electronic health records management systems such as Google Health via FTC declaration.
This is going to be particularly challenging for the many organizations and products like Google Health that have not had to be compliant with HIPAA in the past; they will have a lot of work to do to get in line with the new regulations. Even if an organization has been compliant with HIPAA in the past, the new requirements for notification will force many organizations to pay more attention to their logs and the auditing of those logs to determine if they had a breach. That will require more work and better organization on the part of security and network teams, and in some cases, the use of new tools and third-party assistance to audit the network and examine results.
New compliance requirements for electronic health records management services highlight a broader compliance issue in the forthcoming year. That is, compliance for cloud computing systems. None of the existing regulatory requirements specifically address cloud computing, and few (HIPAA/HITECH and the FTC's Red Flags Rule excepted) address outsourcing well.
This means that until the various governing bodies provide guidance, practitioners need to assume that, at minimum, cloud computing services must be treated with the same level of care as internal systems. That is to say, any outsourced system should be treated the same as an in-house system that is directly under your control. It's important to ensure the outsourcer has a similar level of control over the data as the enterprise would, as well as similar, appropriate security policies and procedures in place. In other words, if the enterprise or the service provider were to be attacked, the provider should not be easier prey.
This is particularly problematic, since many cloud providers today just don't have the process, policies or infrastructure in place to support many key compliance initiatives, especially when it comes to PCI DSS. In fact, Amazon.com has explicitly stated that its Amazon Web Services (AWS) are not suitable for PCI DSS-related data, as it doesn't provide the necessary encryption options.
As suitable options for secure cloud computing are somewhat limited, what should be done, especially considering that business demands for moving to the cloud can be quite compelling in terms of saved costs? Start researching cloud computing options before the business comes asking. In other words: Prep ahead, because finding the right providers is going to be tricky.
Many of the forthcoming compliance regulations, including the FTC's Red Flags Rule, require that organizations not only report breaches, but also specifically monitor for breaches and have plans in place to deal with them should they occur. This is where technology can be a huge boon, especially DLP, DAM and network traffic-analysis. These technologies can help identify when PII and other confidential data may be leaving an organization or to detect other trends that may be indicative of a data-loss event.
Although these tools are not specifically required by PCI DSS currently, it's a good bet that some upcoming version of the standard will require some or all of them, and it never hurts to be ahead of the game, especially with compliance.
About the author:
David Mortman is a contributing analyst with Securosis LLC. Formerly the Chief Information Security Officer for Siebel Systems, Inc., David and his team were responsible for Siebel's worldwide IT security infrastructure, both internal and external. He also worked closely with Siebel's product groups and the company's physical security team and led up Siebel's product security and privacy efforts. A CISSP, Mr. Mortman sits on a variety of advisory boards including Qualys and Applied Identity and Reflective, amongst others. He holds a BS in Chemistry from the University of Chicago.
This was first published in January 2010