Security: Solutions Guide – March 2016

Feb. 23, 2016

Mobile Data

Encrypted USB keeps data protection simple

By Stephen Cobb, Senior Security Researcher, ESET

There are a lot of ways that data can – and will – roam out of healthcare environments, where it could be easily lost or stolen. The mobility of data made possible by advances in technology can make health IT security managers’ jobs more challenging. Any healthcare organization that is using unencrypted USB devices to store sensitive information is taking a considerable risk. It’s a real security boon to be able to easily encrypt the data stored on them.

We have seen the loss or theft of unencrypted USB devices trigger breach notifications, audits, fines – even lawsuits. We downloaded the OCR breach report that lists all 1,457 HIPAA breach incidents involving more than 500 records that have been published so far, and in case after case of a lost or stolen device listed on the OCR “wall of shame,” the remediation process has included the eventual purchase of encrypted USB devices.

What we take away is this: The steps taken after an incident, presumably to assuage OCR, often include a shift to encrypted USB drives.
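The tally behind that takeaway can be reproduced from the public breach-portal export. The following is an added example, not ESET's code or analysis: it reads the portal CSV, counts incidents whose breach type is Theft or Loss and whose location includes a laptop or other portable device, and reports how many individuals those incidents affected. The column names follow the HHS OCR portal export as we know it; treat them as an assumption and check them against the file you download. The rows embedded here are constructed for illustration and are not real breach records.

```python
"""Tally lost/stolen-portable-device incidents from an OCR breach-portal CSV.

Added example, not part of the original article or of ESET's analysis.
Column names are assumed to match the HHS OCR breach portal export;
the sample rows are constructed and are not real incidents.
"""
import csv
import io
from collections import Counter

# Constructed sample in the portal's CSV layout (not real incidents).
SAMPLE_CSV = """\
Name of Covered Entity,State,Covered Entity Type,Individuals Affected,Breach Submission Date,Type of Breach,Location of Breached Information,Business Associate Present,Web Description
Example Clinic A,TX,Healthcare Provider,2300,01/15/2015,Theft,Other Portable Electronic Device,No,Unencrypted USB drive stolen from a car.
Example Hospital B,NY,Healthcare Provider,12000,02/02/2015,Loss,Laptop,No,Laptop lost in transit.
Example Plan C,CA,Health Plan,600,03/10/2015,Hacking/IT Incident,Network Server,Yes,Server compromise.
Example Practice D,FL,Healthcare Provider,850,04/22/2015,"Theft, Unauthorized Access/Disclosure","Laptop, Other Portable Electronic Device",No,Bag with laptop and USB key stolen.
Example Vendor E,IL,Business Associate,5000,05/05/2015,Improper Disposal,Paper/Films,Yes,Records left in dumpster.
"""

# Portal vocabulary for the two fields we filter on (assumed from the export).
PORTABLE = {"Laptop", "Other Portable Electronic Device"}
LOST_OR_STOLEN = {"Theft", "Loss"}


def _split(field):
    """A portal cell can hold several values separated by ', '."""
    return {part.strip() for part in field.split(",") if part.strip()}


def summarize(csv_text):
    """Return incident and individual counts, overall and for lost/stolen portable media."""
    totals = Counter()
    for row in csv.DictReader(io.StringIO(csv_text)):
        types = _split(row["Type of Breach"])
        locations = _split(row["Location of Breached Information"])
        affected = int(row["Individuals Affected"].replace(",", "") or 0)
        totals["incidents"] += 1
        totals["individuals"] += affected
        # An incident counts only if it is BOTH a loss/theft AND involved portable media.
        if types & LOST_OR_STOLEN and locations & PORTABLE:
            totals["portable_lost_or_stolen_incidents"] += 1
            totals["portable_lost_or_stolen_individuals"] += affected
    return dict(totals)


if __name__ == "__main__":
    # Run against the constructed sample; point csv_text at the downloaded file for the real tally.
    print(summarize(SAMPLE_CSV))
```

Point `summarize` at the text of the downloaded export to get the real numbers; the portal's "Web Description" column is where the post-incident remediation (including a move to encrypted drives) is usually described, so a keyword scan of that column is the natural next step.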

ESET recently introduced the Kingston DataTraveler Vault Privacy (DTVP) 3.0 with DriveSecurity into new sales channels, making it easier for partners to provide a secure solution for data transfer to their customers.

Two separate risks are addressed here. Hardware encryption protects the data if the drive itself is lost or stolen. On top of that, the drive ships with five years of pre-installed and pre-activated DriveSecurity software, built on the ESET NOD32 Antivirus engine, which scans the drive’s contents for viruses, spyware, trojans, worms, rootkits, adware, and other Internet threats so that a roaming drive does not carry malware from one machine to the next. If DriveSecurity detects infected files, they are automatically deleted and listed in bold red characters in a pop-up software window.

From a risk management perspective, the premium for an encrypted drive is small next to the notification, audit and legal costs that follow the loss of an unencrypted one. Under the HIPAA Breach Notification Rule, PHI that is encrypted in line with HHS guidance is not “unsecured PHI,” so the loss of a properly encrypted drive generally does not trigger notification at all. Buying them, and removing the risk, makes a lot of sense.

Securing Cloud Services

Cisco takes on shadow IT for about $1 a head

When employees and business work groups circumvent the IT department, it’s a problem. But only recently have CIOs begun to realize “shadow IT’s” full extent.

For instance, the average large enterprise uses 1,220 individual public cloud services, according to a recent analysis by Cisco. That’s up to 25 times more than estimated by IT departments. And the average number of public cloud services has grown 112 percent over the past year – and 67 percent over the past six months.

Even though employees most often access public cloud services to get tools they think they need to do their jobs, the business risks associated with uncontrolled adoption of public cloud services are significant, ranging from regulatory compliance and data protection to business continuity, hidden business costs, and degraded service performance.

A new service offering from Cisco aims to help CIOs manage these shadow IT issues. Cloud Consumption as a Service is a software-as-a-service (SaaS) product that discovers and monitors the public cloud services an organization is using, known and unknown alike.

In one initial trial of the service, CityMD, a fast-growing urgent care organization with 50 facilities across New York City and New Jersey, discovered that employees were using 522 cloud services – with IT only formally supporting 15 to 20.

The Cisco Cloud Consumption service runs around $1 to $2 per employee per month, depending on the size of the business. There is a 30-day free trial available.
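The gap between what IT supports and what employees actually use shows up in data most organizations already have: outbound proxy logs. The following is an added example, not Cisco's method or code, of the basic discovery step: map each destination hostname to a catalogued cloud service, then split the services found into the ones IT sanctions and the ones it does not, with a user count for each. The log format, the service catalog and the sanctioned list are all assumptions constructed for this illustration; a real discovery tool relies on a large, maintained catalog.

```python
"""Discover public cloud services in outbound proxy logs and compare with IT's list.

Added example, not Cisco's code. The log layout ("<epoch> <user> <dest_host> <bytes>"),
the catalog and the sanctioned list are assumptions; the log lines are constructed.
"""
from collections import defaultdict

# Constructed proxy log lines (assumed format: epoch user dest_host bytes_out).
SAMPLE_LOG = """\
1456790400 jsmith api.dropbox.com 18230
1456790410 jsmith www.salesforce.com 2200
1456790420 mlee files.slack.com 91000
1456790430 rkim docs.google.com 450
1456790440 mlee www.dropbox.com 150
1456790450 apatel app.box.com 770
1456790460 rkim cdn.example-ads.net 90
1456790470 apatel us-west-2.console.aws.amazon.com 500
1456790480 jsmith evernote.com 3100
"""

# Constructed catalog: registered domain -> service name.
CATALOG = {
    "dropbox.com": "Dropbox",
    "salesforce.com": "Salesforce",
    "slack.com": "Slack",
    "google.com": "Google Apps",
    "box.com": "Box",
    "amazon.com": "Amazon Web Services",
    "evernote.com": "Evernote",
}

# What IT believes it formally supports (assumed).
SANCTIONED = {"Salesforce", "Box"}


def registered_domain(host):
    """Collapse a hostname to its last two labels (naive: no public-suffix list)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def discover(log_text):
    """Return {service: set(users)} for every catalogued service seen in the log."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, user, host, _bytes = line.split()
        service = CATALOG.get(registered_domain(host))
        if service:  # hosts outside the catalog (ad networks etc.) are ignored
            seen[service].add(user)
    return dict(seen)


def shadow_report(log_text, sanctioned=SANCTIONED):
    """Split discovered services into sanctioned and unsanctioned, with user counts."""
    seen = discover(log_text)
    return {
        "discovered": len(seen),
        "sanctioned_in_use": sorted(s for s in seen if s in sanctioned),
        "unsanctioned": {s: len(seen[s]) for s in sorted(seen) if s not in sanctioned},
    }


if __name__ == "__main__":
    print(shadow_report(SAMPLE_LOG))
```

On the constructed log the report finds seven services against the two IT sanctions, which is the kind of ratio the Cisco figures describe. Two caveats for real logs: with TLS the hostname has to come from the proxy's CONNECT line or the TLS SNI field rather than a URL, and the result is a lower bound, since anything missing from the catalog is silently dropped.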

Contact [email protected].

Data Breaches

Verizon PHI report full of eye-openers

Just when we thought we had seen it all when it comes to assessing the current vulnerable state of protected health information (PHI), Verizon comes out with its “2015 Protected Health Information Data Breach Report,” a first-time effort that provides a detailed analysis of confirmed PHI breaches involving more than 392 million records and 1,931 incidents across 25 countries.

Think you know how many types of industries overall have experienced a PHI breach? Try 90 percent. That’s 18 out of the 20 industries examined in this report. Not surprisingly, healthcare is the top industry in this dataset, experiencing almost eight times as many incidents as the next-highest industry type: public sector. However, the report stresses that just because an organization is not in the healthcare industry or isn’t a HIPAA-covered entity doesn’t mean that it’s not at risk of a PHI data breach.

And have you been wondering why we can’t capture more of those no-name data thieves sooner? That’s because we often do know their names – and they work for us. “The incidents that take the longest to detect are those being perpetrated by the organization’s trusted insiders,” says the report. “For those incidents taking years to discover, they were three times more likely to be caused by an insider abusing their LAN access privileges and twice as likely to be targeting a server, particularly a database.”

Organization size doesn’t matter. The report states that PHI loss is not strongly correlated with whether the organization is large or small. There are differences, though, in healthcare organization types. When it comes to ambulatory care providers, for example, external actors (data thieves) “are having a field day,” according to the report. For hospitals, the picture is different; there are more internal actors committing breaches through errors and misuse.

All in all, nearly half of the population of the United States has been impacted by breaches of PHI since 2009. One worrisome consequence on the healthcare front is that people are sometimes withholding critical information from their healthcare providers because they are concerned that there could be a confidentiality breach of their records. As a result, their care may suffer.

What can be done? In healthcare, lost and stolen assets ranks first as a category among incident patterns. “It is frustrating to see this category return year after year, because it’s one of the more easily solved problems,” the report states. “Encryption (particularly of portable devices) offers a figurative ‘get out of jail free’ card, since the data remains secure despite the loss of control over the asset.”

As for privilege misuse, when people with legitimate access to the networks and systems use their privileges to do “bad things,” the report authors say that education is key: Reiterate that people get arrested for this stuff. Sanitized results of audits that catch people abusing their access are also useful to include in awareness programs.

Download the full report for more statistics and solutions at

IT Services

Top IT service providers named

Cognizant, Accenture, IBM, TCS, and Wipro top the list of IT service providers that consistently rank among top performers in Everest Group’s inaugural PEAK Matrix Service Provider of the Year awards for IT services.

The rankings were announced in January and recognize IT service providers that have demonstrated consistent leadership across the company’s 26 PEAK Matrix reports in the previous year. Each service provider was comparatively assessed on two dimensions (market success and delivery capabilities), which also took buyer satisfaction into account. Five industry segments were considered: IT Services (overall); Healthcare and Life Sciences; Banking, Financial Services, and Insurance; Cloud and Infrastructure Services; and Application and Digital Services.

Accenture and Cognizant were named as the top Leaders of the Year in the Healthcare and Life Sciences market. A complete list of winners is available in the report, “2016 PEAK Matrix Service Provider of the Year Awards,” which can be downloaded at


IBM granted highest DoD authorization for cloud services

If you’re looking for secure cloud services, IBM is a good place to start.

The U.S. Defense Information Systems Agency (DISA) has authorized Big Blue to deliver IBM Cloud services at the highest security levels (known as Impact Level 5) for Controlled Unclassified Information as defined by the Department of Defense (DoD). This designation paves the way for DoD agencies to take advantage of all the innovations the cloud can offer for managing sensitive data.

IBM is the first cloud provider with a direct connection to the DoD’s internal network, known as the Nonsecure Internet Protocol Router Network (NIPRNet).

IBM Cloud will provide defense agencies with access to commercial cloud services and technology in an environment dedicated to their security needs. The highly secure data center at the Allegany Ballistics Laboratory in West Virginia enables agencies to have dedicated environments, leverage cloud technologies, or choose a hybrid solution where they can connect existing on-premises applications with those that are ready for the cloud, migrate existing applications, and/or develop new ones.

Bloomberg Government estimates that the DoD will spend nearly $4 billion in 2016 on “cloud and provisioned services,” taking advantage of the security and flexibility cloud offers, and the ability for agencies to deploy new applications when and where they are needed.


Deploy and manage multi-cloud environs

VMware vRealize Automation 7 introduces unified service blueprint capabilities that enable IT and DevOps teams to simplify and accelerate delivery of integrated multi-tier applications with application-centric networking and security across clouds. These exportable service blueprints enable the modeling of infrastructure, networks, security, applications, and custom IT services, including their relationships and dependencies within a graphical canvas. VMware vRealize Automation 7 blueprints span the hybrid cloud, featuring support for VMware vCloud Air, Amazon Web Services, and more. VMware

Provide secure BYOD services

Managed Mobile Services provide an all-inclusive suite of mobile device and application management tools to help address the concerns of sensitive data in a mobile environment. Clinicians benefit from knowing their private emails, photos, and personal applications are untouched, while IT administrators can help ensure patient data is secure. These mobile services enforce security requirements for your BYOD policy while providing IT administrators with access to a real-time, easy-to-use dashboard to manage end-user devices. McKesson

Get simplified data encryption

Smartcrypt is an enterprise encryption and key management solution that limits the damage from stolen or leaked data, whether the threat is an insider or an outsider, by making that data worthless to anyone not authorized to read it. With Smartkey technology, businesses gain across-the-board control of who can decrypt files and read data. This solution protects data across all platforms from mainframe to mobile to cloud. Since Smartkeys are generated for each dataset, decryption can only occur when information is viewed on an authorized user’s device. PKWARE

Secure your physician-to-nurse communications

A new report from KLAS Research says that Imprivata Cortext, a secure healthcare communications platform that can also improve care coordination inside and outside the hospital, is considered twice as often as products from other vendors amongst customers making strategic secure-messaging purchasing decisions. “Secure Messaging 2015: First Look at Who Providers Are Considering and Why” notes that this solution is a standout because of the ability for nurses to exchange messages and data securely with physicians and vice versa, rather than just the ability to facilitate physician-to-physician or nurse-to-nurse communications. Imprivata

Partnership protects physician offices

Healthcare organizations of all shapes and sizes need tools and services to help protect patient privacy, show who is accessing patient data at all times, and detect any inappropriate behavior or breaches. That’s why Iatric Systems and MindLeaf Technologies have partnered to offer Iatric Systems Security Audit Manager (named KLAS Category Leader in the Patient Privacy Monitoring segment in 2014) to urgent care clinics, community clinics, group practices, and outpatient clinics. MindLeaf will offer its medical compliance and support services in conjunction with Security Audit Manager, which integrates and correlates data of all access to PHI from diverse systems. Iatric Systems
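The Verizon report above singles out privilege misuse by trusted insiders as the slowest breach type to detect, and the partnership here sells correlation of PHI access records as the answer. What the correlation actually looks for is easier to see in code. The following is an added example, not code from the Verizon report, Iatric Systems or MindLeaf: it runs three common patient-privacy rules over an EHR audit trail, flagging access to patients the user has no care relationship with, lookups of patients who share the user's surname (self or family snooping), and bulk access to many distinct records. The event layout, the care-relationship table, the surname rule and the threshold are assumptions, and every record is constructed for illustration.

```python
"""Flag suspicious access to PHI in an EHR audit trail.

Added example for the privilege-misuse discussion in the Verizon PHI report section
and the PHI access correlation described for Security Audit Manager; it is not code
from either. Event layout, care-team table, surname rule and threshold are assumptions;
all records below are constructed.
"""
from collections import defaultdict

BULK_THRESHOLD = 5  # distinct patients touched by one user in the review window (assumed)

# Constructed audit events: (user, user_surname, patient_id, action).
AUDIT = [
    ("nurse01", "Garcia", "P100", "view"),
    ("nurse01", "Garcia", "P101", "view"),
    ("nurse01", "Garcia", "P777", "view"),    # not a patient on nurse01's unit
    ("clerk07", "Nguyen", "P100", "view"),
    ("clerk07", "Nguyen", "P300", "view"),    # patient shares clerk07's surname
    ("dba02", "Okafor", "P100", "export"),    # DBA pulling records straight from the database
    ("dba02", "Okafor", "P101", "export"),
    ("dba02", "Okafor", "P102", "export"),
    ("dba02", "Okafor", "P103", "export"),
    ("dba02", "Okafor", "P104", "export"),
    ("dba02", "Okafor", "P105", "export"),
]

# Constructed reference data: patient surname, and the patients each user legitimately treats.
PATIENTS = {"P100": "Smith", "P101": "Jones", "P102": "Lee", "P103": "Brown",
            "P104": "Diaz", "P105": "Khan", "P300": "Nguyen", "P777": "Patel"}
CARE_TEAM = {"nurse01": {"P100", "P101"}, "clerk07": {"P100", "P300"}, "dba02": set()}


def flag_access(events, care_team, patients, bulk_threshold=BULK_THRESHOLD):
    """Return {user: {rule: evidence}} for every user who trips at least one rule.

    Rules (the action field is carried for the analyst but not used by the rules):
      no_relationship  patient is not on the user's care list
      surname_match    patient's surname equals the user's (self/family lookups)
      bulk_access      user touched >= bulk_threshold distinct patients
    """
    findings = defaultdict(lambda: defaultdict(list))
    distinct = defaultdict(set)
    for user, user_surname, patient, _action in events:
        distinct[user].add(patient)
        if patient not in care_team.get(user, set()):
            findings[user]["no_relationship"].append(patient)
        if patients.get(patient, "").lower() == user_surname.lower():
            findings[user]["surname_match"].append(patient)
    for user, touched in distinct.items():
        if len(touched) >= bulk_threshold:
            findings[user]["bulk_access"] = len(touched)
    return {user: dict(rules) for user, rules in findings.items()}


if __name__ == "__main__":
    for user, rules in flag_access(AUDIT, CARE_TEAM, PATIENTS).items():
        print(user, rules)
```

On the constructed trail the DBA trips both the no-relationship and bulk rules, which is the "insider abusing LAN access privileges ... targeting a server, particularly a database" pattern the report describes. The no-relationship rule is only as good as the care-team table behind it, so break-the-glass and float-staff cases need their own handling, and the sanitized findings are exactly the material the report suggests feeding back into awareness programs.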

On-demand incident response for AWS

Dell SecureWorks has announced an on-demand Emergency Cyber Incident Response (ECIR) capability that helps organizations investigate cyber incidents affecting their assets deployed on Amazon Web Services (AWS). The new offering is in response to the growing enterprise adoption of production workloads on AWS and the customer requests for on-demand incident response solutions that are optimized for the dynamic operating environment of the cloud. Dell SecureWorks also offers an Incident Management Retainer that expedites responses to cyber incidents within four hours of receiving an incident report from a retainer client or onsite within 36 hours. Dell SecureWorks

Comprehensive MDM

XenMobile is a comprehensive enterprise mobility management (EMM) solution that manages mobile apps, data, and devices, available both on-premises and in the cloud. With this solution, end users have single-click access to all of their apps from a unified corporate app store. Moreover, XenMobile enables infrastructure and operations professionals to configure, secure, and support many mobile devices, meeting compliance and control needs while giving users freedom to work the way they want to. This solution received the highest score possible for mobile device management in Forrester Research’s December 2015 Forrester Wave report on MDM. Citrix

E-prescribing for controlled substances

Caradigm has added Electronic Prescribing of Controlled Substances (EPCS) to its Identity and Access Management (IAM) portfolio, providing a solution that has been designed specifically to confront challenges faced by hospitals, clinics, and other organizations that electronically prescribe these drugs. This solution manages critical aspects of EPCS workflows and integrates with multiple third-party systems that provide complementary functions required to meet all federal and state regulations from end to end – from the time drugs are ordered through fulfillment and delivery. The Caradigm IAM portfolio includes Single Sign-On, Context Management, and Provisioning Identity Management. Caradigm

Best in KLAS Awards 2015-2016: Software and Services

Released Jan. 28, 2016, this highly anticipated annual report from KLAS Research reflects feedback from thousands of healthcare providers about the best-performing healthcare IT vendors for more than 100 market segments. Epic dominated the winner’s list this year (nine top awards, including two overall awards). Merge earned three top awards, while athenahealth, CareTech Solutions, CureMD, and Galen Healthcare each earned two. Learn more at

Best in KLAS Awards 2015-2016

Software and Services

  • Overall Physician Practice Vendor, Epic
  • Overall IT Services Firm, Impact Advisors
  • Overall Software Suite, Epic

Software Solutions

  • Acute Care EMR, Epic EpicCare Inpatient EMR, (Large – Over 200 Beds)
  • Business Intelligence/ Analytics, Dimensional Insight The Diver Solution
  • Cardiology, Merge Cardio
  • Community HIS, MEDITECH C/S Community HIS (v.6) (Small – 1-200 Beds)
  • Document Management and Imaging,  Hyland OnBase
  • Emergency Department, Wellsoft EDIS
  • Enterprise Scheduling, Streamline Health Looking Glass Enterprise Scheduling and Resource Management
  • ERP, Oracle PeopleSoft Enterprise
  • Health Information Exchange (HIE), Epic Care Everywhere
  • Homecare, Thornberry NDoc
  • Laboratory, McKesson Lab
  • Long-Term Care, PointClickCare
  • PACS, Sectra PACS (Large – Over 200 Beds)
  • Patient Access, Experian Health eCare NEXT (Passport)
  • Patient Accounting and Patient Management, Epic Resolute Hospital Billing (Large – Over 200 Beds)
  • Patient Portals, Epic MyChart
  • Population Health, IBM Population Health Management Suite (Phytel)
  • Radiology, Merge Unity RIS (DR Systems)
  • Speech Recognition – Front End, Dolbey Fusion Speech EMR (EMR)
  • Surgery Management, Epic OpTime
  • VNA/Image Archive, Merge iConnect Enterprise Archive
  • Global (Non-US) Acute EMR, InterSystems TrakCare EPR
  • Global (Non-US) PACS, Sectra PACS (Non-US)
  • Global (Non-US) Patient Administration Systems, Cerner Millennium Patient Administration System (Non-US)

Physician Practice Solutions

  • Ambulatory EMR (1-10 Physicians), CureMD EMR
  • Ambulatory EMR (11-75 Physicians), athenahealth athenaClinicals
  • Ambulatory EMR (Over 75 Physicians), Epic EpicCare Ambulatory EMR
  • Practice Management (1-10 Physicians), CureMD PMS
  • Practice Management (11-75 Physicians), athenahealth athenaCollector
  • Practice Management (Over 75 Physicians), Epic Resolute/Prelude/Cadence Ambulatory
  • Claims and Clearinghouse, ZirMed Clearinghouse

Services

  • Application Hosting (CIS ERP HIS), Cerner Application Hosting (CIS/ERP/HIS)
  • Extended Business Office, Navigant Cymetrix
  • Extensive IT Outsourcing, CareTech Solutions
  • HIT Enterprise Implementation Leadership, Navin, Hafty & Associates (NHA)
  • HIT Implementation Support & Staffing, Galen Healthcare
  • IT Advisory Services, Impact Advisors
  • Partial IT Outsourcing, CareTech Solutions
  • Revenue Cycle Transformation, Deloitte Consulting
  • Technical Services, Galen Healthcare