HITECH Act: What you need to know about new data-breach guidelines

Healthcare providers and others handling sensitive patient data now face higher stakes if they suffer a data breach, because of a new law known as the "Health Information Technology for Economic and Clinical Health Act," or HITECH Act. Depending on whether a data breach arises from a simple mistake or from willful theft, fines will range in tiers from as low as $100 per violation for a slip-up involving unencrypted data to $1.5 million or more for knowingly and willfully violating the data-breach rules, say those familiar with the HITECH Act. "Under the HHS rule, you have to figure out if you had a data breach," says Rebecca Fayed, an attorney in the healthcare group of law firm Sonnenschein, Nath & Rosenthal in Washington, D.C. But the new rules, which cover both electronic and paper formats, are far from simple.

The HITECH Act, devised by Congress primarily to address electronic medical records, is being noted for adding a tough data-breach notification requirement to the long list of existing Health Insurance Portability and Accountability Act (HIPAA) security and privacy rules. Passed by Congress in February, the HITECH Act is now coming into enforcement by the U.S. Department of Health and Human Services (HHS) and the Federal Trade Commission (FTC), each of which has been given a role to play under the law, potentially levying punishments and fines on organizations that stumble in protecting personal health information. Like HIPAA, the HITECH Act covers healthcare providers, insurers, clearinghouses and also business associates handling personal information about patient health, as well as other protected information, including name, Social Security number, address and insurance account numbers.

Fayed says there's often the misperception that the HITECH Act will require public disclosure of any data breach of unencrypted personal health information (PHI), but the fine print actually says the data breach has to have impacted at least 500 people in one state. "Then you have to notify the media," she says. If the data breach "is only five people, HHS doesn't want you calling them," though you will have to inform the individuals impacted. And it appears there's no need to report an employee unintentionally accessing a record by mistake in the course of doing his job. The HHS guidelines set forth two basic ways to secure that data: "encryption" for electronic data, and "destruction" as a means of disposing of electronic data or paper. A lot of the talk about HITECH is centering on encryption because the breach notification requirement only applies to "unsecured PHI," Fayed says. When it comes to encryption and stored-data security, the guidelines reference standards from the National Institute of Standards and Technology, including NIST's FIPS 140-2 for certification of encryption products.

So the bottom line is that the HHS-issued guidelines, now an interim final rule that went into effect Sept. 23 (though it won't be enforced until February 2010 by the Office for Civil Rights at HHS), are a game-changer. Though encryption isn't mandatory under the HITECH Act, just by bringing encryption technology into the discussion of a data breach the federal government is raising the bar on what's implied about best practices, Fayed notes. Wes Rishel, vice president and distinguished analyst at Gartner, calls the HITECH Act ground-breaking. "This is the first time there's been a federal regulation for data breach," Rishel says. It changes the balance in terms of security and puts an emphasis unknown before on encryption, because a data breach of encrypted data is not going to have to be reported. Although there are now far fewer known instances of data breaches involving PHI than of breaches involving credit cards, for example, that doesn't mean these cases don't happen, many say. Fraud involving stolen patient healthcare data, primarily Medicare/Medicaid identity theft for making money off submitting fraudulent claims, is not uncommon, Fayed says. "The reason you haven't heard about these is because people haven't had to report these yet," she says.

But encryption to protect stored data is not typical today among HIPAA-regulated organizations, and they are going to struggle to encrypt and decrypt effectively among business partners. "Encryption can create a big mess, too." Still, the HITECH Act has more healthcare providers crafting encryption strategies. "They should be deploying encryption," says Forrester analyst Noel Yuhanna.

IPv6 and VoIP – Friend or foe?

Whether enterprise users are ready or not, it appears that implementation of IPv6 is in the not-too-distant future. At the same time, it's also a given that VoIP is firmly entrenched as the current, no longer even the "next," generation of voice networks. Enhanced addressing is needed, especially as everything from your PC to your toothbrush (so your dentist can immediately know whether you're really brushing after every meal) becomes IP-enabled.

So this leaves us wondering what the impact will be when these two inevitable trends merge. Voice packets tend to be quite small. Not that many years ago, we were quite concerned about VoIP because of the bandwidth overhead. In fact, for the low-bit-rate codecs that tend to be used with VoIP, a typical packet payload is on the order of 20 to 40 bytes. (These small packets are necessary in order to avoid too much latency.) And the overhead due simply to IPv4 and UDP about equals the payload size, with at least 20 bytes (octets) for IPv4 plus at least 8 octets for UDP. Now IPv6 is coming, and it at least doubles the IP header size. On the plus side, IPv6 offers some much-needed additional control.
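To put those numbers in context, here is a small calculator (an added example, not code from the original column) that works out per-packet header overhead and one-direction stream bandwidth for IPv4 versus IPv6, using the minimum header sizes the text cites (IPv4 20 octets, UDP 8) plus the fixed 40-octet IPv6 header. It goes slightly beyond the text by also taking a packetization interval and an optional RTP header; both are assumptions of this example, not figures from the column.

```python
"""VoIP header overhead and per-stream bandwidth, IPv4 vs IPv6.

Added example; not from the original column. Only the fixed IP and UDP
headers are counted by default, matching the column's "overhead simply
due to IPv4 and UDP" figure. The 20 ms interval and the optional 12-octet
RTP header are assumptions of this example.
"""

IP_HEADER = {4: 20, 6: 40}   # minimum fixed IP header, octets
UDP_HEADER = 8               # UDP header, octets
RTP_HEADER = 12              # fixed RTP header (assumed, optional here)


def headers_octets(ip_version, include_rtp=False):
    """Total per-packet header bytes for the given IP version."""
    if ip_version not in IP_HEADER:
        raise ValueError("ip_version must be 4 or 6")
    extra = RTP_HEADER if include_rtp else 0
    return IP_HEADER[ip_version] + UDP_HEADER + extra


def overhead_ratio(payload_octets, ip_version, include_rtp=False):
    """Header bytes divided by payload bytes (1.0 == 'overhead equals payload')."""
    if payload_octets <= 0:
        raise ValueError("payload must be positive")
    return headers_octets(ip_version, include_rtp) / payload_octets


def stream_kbps(payload_octets, interval_ms, ip_version, include_rtp=False):
    """One-direction bandwidth (kbit/s) for one packet every interval_ms."""
    if interval_ms <= 0:
        raise ValueError("interval must be positive")
    packet = payload_octets + headers_octets(ip_version, include_rtp)
    packets_per_second = 1000.0 / interval_ms
    return packet * 8 * packets_per_second / 1000.0


def compare(payload_octets, interval_ms=20, include_rtp=False):
    """Return (ipv4_kbps, ipv6_kbps, extra_percent) for the same voice stream."""
    v4 = stream_kbps(payload_octets, interval_ms, 4, include_rtp)
    v6 = stream_kbps(payload_octets, interval_ms, 6, include_rtp)
    return v4, v6, (v6 - v4) / v4 * 100.0


if __name__ == "__main__":
    # Constructed sample: the 20..40 octet payload range the column cites,
    # at an assumed 20 ms packetization interval.
    for payload in (20, 30, 40):
        v4, v6, extra = compare(payload)
        print(f"payload {payload:2d} B: IPv4 {v4:5.1f} kbit/s  "
              f"IPv6 {v6:5.1f} kbit/s  (+{extra:4.1f}%)")
```

The smaller the payload, the larger the relative penalty of the extra 20 IPv6 header octets, which is why low-bit-rate codecs feel the change most.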

We can see two sides to this situation. Overall, VoIP should perform "better" when it's VoIPv6. At the same time, the additional overhead is a concern. Thanks to our colleagues Gary Kessler and Gary Audin for their contributions to the ideas above. Have we finally reached the point that we can make the same assumption of "free unlimited bandwidth" for WAN communications that we've made for years concerning LAN communications? And we look forward to continuing this conversation with you and our team of analysts at Webtorials.

Ellison: Fusion Applications in 2010

Oracle plans to launch its long-awaited Fusion Applications in 2010, and they will be deployable both on-premises and as SaaS (software as a service), CEO Larry Ellison said Wednesday during a keynote address at the OpenWorld conference in San Francisco. Oracle has placed special emphasis on improving the user experience with Fusion, as well as embedded BI (business intelligence) throughout the applications, Ellison said. Fusion Applications, which Oracle first announced several years ago, will combine the best elements of Oracle's various business software product lines into a next-generation suite.

Ellison's keynote contained the most specific information the company has provided about Fusion Applications since first announcing the project several years ago. The CEO took pains to tell the packed room of Siebel, JD Edwards and E-Business Suite users that Oracle has no plans to abandon the product lines anytime soon. "Oracle will continue to enhance those applications for the next decade and beyond. We're absolutely committed to do that," he said to applause. "We can afford to not only maintain the software you're running today, but also build the software you may want to move to tomorrow." Ellison did not provide details regarding licensing and pricing models, including whether Oracle will sell the new applications via subscription, as is the norm with SaaS. But Oracle is nonetheless ensuring the products are ready for SaaS, including by developing monitoring tools that will track their performance, Ellison said. While SaaS vendors provide users with service-level agreement guarantees, "there aren't very good tools for figuring out whether you're actually getting the service levels you're paying for," he said. Oracle's tools will enable it to "not only contractually commit but prove we're delivering the service levels."

Fusion Applications are based on a SOA (service oriented architecture) provided by Oracle's Fusion Middleware stack, Ellison said. This gives Oracle "a huge advantage" because the SOA model will allow users easily to tie together "the Fusion generation and all the stuff you have deployed today," Ellison said. "We don't think all customers are going to replace what they have today with Fusion," he added. "We think they will augment what they have with some Fusion. Fusion is designed to be delivered that way. ... We have replacement applications and then we have net-new applications." The initial suite will include modules for financial management, human capital management, sales and marketing, supply chain management, project management, procurement management and GRC (governance, risk and compliance), but other key areas, such as manufacturing, will come later. Oracle has worked "very, very closely" with customers to design and test Fusion Applications, work that has resulted in a superior user interface, Ellison said. Ellison stressed the benefits of the modular approach. "You assemble the components in the order you want to use them, in the order that makes sense for your industry," he said. Embedded BI is another major focus of the suite. "You can't use the system without using business intelligence," Ellison said.

In a demonstration, a pair of Oracle executives showed how the system alerted one user that a particular shipment had been delayed. The application allowed the user to bring up a dashboard showing which order manager was responsible for the particular transaction, and then begin an instant-messaging conversation with him directly from the tool. In turn, the order manager was able to search for less critical orders and reroute them to fulfill the first one. "We tell you what you need to know, what you need to do, and we tell you how to do it," Ellison said.

Ellison's presentation proved that "Fusion apps are real," said Ray Wang, a partner with the analyst firm Altimeter Group. While Oracle "definitely has the capability to deliver this as SaaS, it's really up to them to figure out if they want to enter [that market] large-scale," Wang added. In some product areas, such as talent management, "they can't compete without the SaaS option," he said. SaaS applications are different from straight application hosting, because they use a "multitenant" architecture wherein customers share a single instance of an application but their data is kept private from other customers. In a presentation Tuesday, on-demand CRM (customer relationship management) vendor and Oracle rival Salesforce.com compared multitenancy to an office building, where individual tenants share the overall infrastructure but customize their office spaces. Oracle "will definitely" offer a hosted version of Fusion Applications, although it remains to be seen exactly how its SaaS strategy for the software plays out, Wang said. "They're playing catch-up." Meanwhile, the work ahead of companies looking to adopt Fusion Applications sooner rather than later is "not trivial," said Floyd Teter, head of the Oracle Applications Users Group's Fusion Council, which has been educating group members about the upcoming applications release.

One key step customers should take is to catalogue their application customizations and determine which ones could be retired, Teter said. "A lot of us have done a lot of custom things. If you're a long-term Oracle customer, it's easy to lose track." Fusion Applications will also require some companies to acquire new development skills, Teter said. "A lot of us run a lot of customizations through MOD PL_SQL. That's going to be gone. The skill set now is more Java and specifically [Java Enterprise Edition]. You also better have some knowledge of JavaScript." In addition, Fusion Applications rely on Oracle's JDeveloper IDE (integrated development environment), rather than other Java development tools like Eclipse. For many companies, there will be plenty of time to plan, since the first version of Fusion Applications won't include certain functional areas.

The lack of manufacturing has prompted the Jet Propulsion Laboratory at the California Institute of Technology, which uses E-Business Suite, to wait for a future version, said Teter, who is a project manager at the lab. "When I get a full-functionality replacement, we'll look at it. In the meantime, we'll continue to stay current on EBS." But Teter said the vendor's work on Fusion has produced impressive results, particularly in regards to user experience.

When Fusion Applications arrive, they will also raise the competitive stakes between Oracle and its main rival, SAP. But SAP spokesman Saswato Das dismissed Oracle's announcement. "Basically, our Business Suite 7 is the most comprehensive and flexible suite of applications on the market," Das said. "Oracle has been talking about Fusion for a long time, and our suite is available now."

Earlier in his keynote, Ellison turned to Oracle's recently announced Exadata 2 appliance for data warehousing and transaction processing. Exadata 2 uses Sun hardware, while the original machine, announced at last year's OpenWorld show, used Hewlett-Packard iron. He claimed the machine widely outperforms and is much less expensive than competing technologies, such as those from IBM, calling it "the fastest computer that has ever been built to run data warehousing applications." "This system will outperform any of the competition," he said. Oracle is in the process of buying Sun Microsystems, but the deal is on hold while European officials conduct an antitrust review. Ellison didn't discuss the acquisition during his keynote, but Sun and its officials have played an active role in this year's OpenWorld conference.

Ellison temporarily ceded the stage to California Gov. Arnold Schwarzenegger, who delivered a joke-peppered talk espousing the value of technology, from biotech to the Hollywood special effects that powered his long career as an action star. "Think of Conan the Barbarian fighting the giant snake," he said, referring to his role in the 1982 film based on Robert E. Howard's tales of a legendary warrior king. "I never could have done that and look so studly without technology," he said to an eruption of laughter from the crowd. Schwarzenegger also congratulated Ellison and Sun chairman Scott McNealy on the pending acquisition, stressing the companies' importance to California's economy. "Working together, I know the sky is the limit for you and your employees," he said.

U.S. Dept. of Education ties desktop encryption to employee ID cards

The U.S. Department of Education is rolling out desktop encryption software in a way that links the cryptographic process to employees' government-issued Personal Identity Verification (PIV) smart cards. The system, which is based on PGP's disk encryption technology, is intended to meet government rules for safeguarding sensitive financial and personal information, says Phillip Loranger, chief information security officer at the Department of Education. "There is a large amount of financial resources we're responsible for; we are in the student-loan business and we interface with universities and colleges," Loranger says. The Department of Education is actually "one of the largest banks in the country, with grants, student loans and school financial requests," he says. Tying encryption to the PIV card is a novel approach that will offer stronger authentication than a simple password.

The agency picked PGP in part because the encryption software company is willing to do some custom development to make sure that its Whole Disk Encryption software works with the government-issued PIV smart card and Microsoft Active Directory, Loranger says. The Department of Education intends to first deploy PGP's Whole Disk Encryption on all mobile computers to protect data at rest. Loranger says he's in favor of the more stringent security tied to the PIV smart cards, but he acknowledges there will be situations when end users forget their PIV cards or lose them. In such circumstances, employees won't be locked out of their computers but will be granted a temporary password they can use for 24 hours, he says.

Unisys introducing software for private clouds

Unisys announced Monday software and services that will enable organizations to deploy and run their own internal private clouds, as part of its strategy to offer customers a variety of cloud computing options. The private cloud offering addresses the requirement of organizations that prefer a private cloud for mission-critical applications that use sensitive data, so they can retain greater control over their own and their customers' information, Rich Marcello, president for Consulting and Integration Solutions at Unisys Technology, said in a telephone interview on Thursday. In a poll of customers conducted in June by the company, 72 percent said security was their biggest concern about moving workloads to the cloud. Although there is no technical reason for this, some customers are still not convinced that an external cloud is reliable or robust, and are likely to move in stages, Marcello said.

The new Unisys Secure Private Cloud Solution, which will be available from next month, follows the company's introduction earlier this year of technology and services for a managed cloud service on shared IT infrastructure that is hosted by Unisys. The company also plans to launch next year a hybrid cloud that combines private and public cloud capabilities. Customers will be able to run many of their applications unchanged in a private cloud, and Unisys is also offering these companies services to help move their workloads into the cloud, Marcello said. Organizations of any size can set up their private clouds with an up-front investment of US$50,000 for the management server, software, and services, Marcello said. Customers can also use their own hardware, or buy hardware from Unisys, he added.

The software will include provisioning, virtualization, and management software that provides features such as a self-service portal, he added. Ongoing maintenance will involve extra fees for hardware and software support and updates. Stealth is a key component of Unisys' managed cloud service. Unisys' Stealth technology, which cloaks data through multiple levels of authentication, encryption, and bit-splitting into multiple packets, is also available for private clouds, though at an extra price, Marcello said. He did not, however, expect customers to deploy Stealth on private clouds, as they would have their own firewalls and other security mechanisms in place.

Unisys has also announced that its managed cloud service will support new platforms including Microsoft's .Net, IBM WebSphere, and Oracle software platforms from this month, so that customers can move applications that were developed on these software stacks unchanged to the cloud. When the service was launched earlier this year it supported only Java, Marcello said. The company has also added disaster recovery as a service for customers of its managed Secure Cloud Solution. This new service provides business continuity and disaster recovery services on a subscription basis, it added.