Our phones have been ringing off the hook the past few weeks (which is a good thing!) and we anticipate that this will continue as customers, prospects and partners work to get their arms around the new U.S. Department of Health and Human Services (HHS) Health Insurance Portability and Accountability Act (HIPAA) Omnibus Rule that took effect this week. While business associates have until September 23 to reach compliance, the Rule, which encompasses new requirements and modifications to the Privacy and Security Rules, could present some confusion in the marketplace.

To help, we partnered with Coalfire to provide our readers with the below top five tips to ensure a speedy transition. For further reading, you can also check out our joint-byline with Andrew Hicks of Coalfire that “Electronic Health Report” published, as well as our press release that we issued today.

  1. Know if you need to be compliant. Many people do not realize that shredding companies and office cleaning crews that may see patient data without realizing it are now liable. Anyone that has access to PHI, regardless of their position and how far removed they are from the covered entity, is now in full scope.
  2. Take a solid inventory of where data lives. Data is constantly being transmitted back and forth via applications, web servers and file servers. However, many organizations lack a comprehensive inventory of where all of this data lives. This makes it difficult to accurately assess the risk of data storage. Participants must be able to control physical and logical access to patient information and proactively protect against inappropriate access to the data at every exchange point. This is impossible to achieve without a solid inventory.
  3. Conduct a risk analysis and data classification. Under HIPAA, there is a clear requirement that companies need to complete a thorough risk assessment of the storage, processing and transition of ePHI data. This risk to data needs to be clearly defined and any control gaps need to be outlined.
  4. Control the flow of ePHI data via mobile devices. While there is not a specific requirement within HIPAA that addresses mobile devices, tablets and smartphones frequently hold ePHI data. Organizations need to implement corporate BYOD policies and have controls in place including passwords and remote capabilities to protect this data.
  5. Know the definition of encryption. There seems to be a lot of confusion around encryption as many people translate this addressable specification as being optional. Some organizations see “encryption” and after evaluating what it entails, decide that it costs too much money or is too difficult to implement. If there is a security breach, HHS officials will first ask if the data was encrypted. If the answer is no, the investigation can easily lead to fines, penalties and negative publicity. We recommend that our partners and clients conduct a thorough risk assessment to document all controls that may be at risk. This documentation serves as a road map for developing action items based on priority or level of risk. When a breach occurs, organizations need to demonstrate their due diligence to show that all risks were acknowledged, especially those that cannot be technically met. We cannot stress enough how thorough this documentation should be – it should be supported through a risk management program and updated at least annually or with the introduction of new risks. We have seen documentation ranging from 20 to 100+ pages; anything less than that will be insufficient.

What We Brought Home with us from RSA

By: Camilla Mason-Jones, Director of Marketing, StillSecure

What a week for StillSecure at RSA! In addition to making new connections and sitting down with analysts and reporters to share our latest StillSecure news, we were excited to add award plaques to our carry-on luggage for the return trip home from San Francisco.

StillSecure won five (1, 2, 3, 4, 5!) Global Excellence Awards from Info Security Products Guide on Wednesday night!  If you’re not familiar, these Global Excellence Awards recognize security and IT vendors worldwide with advanced, groundbreaking solutions that are helping to set the bar higher for others in all areas of security and technologies.

The full list of winners can be viewed here and below are the categories that we received awards in:

  • HIPAA Compliance: StillSecure for HIPAA Essential (Gold)
  • Managed Security Services: StillSecure for StillSecure Cloud NSA (Gold)
  • Network Access Control (NAC): StillSecure for StillSecure Safe Access (Silver)
  • Cloud Security: StillSecure for StillSecure Cloud NSA (Bronze)
  • Payment Card Industry (PCI) Compliance: StillSecure for StillSecure PCI Complete (Bronze)

Also, StillSecure was an honoree at the SC Magazine award ceremony on Tuesday night and we were honored to have been selected as a finalist in the “Best NAC Product” category for Safe Access in the 2013 SC Magazine Readers Trust Awards.

Check out some of our photos from the events. It was an exciting week with some of the brightest minds in the security industry all in one place. What did you bring home from RSA?

Decoding the PCI DSS Cloud Computing Guidelines Information Supplement

By: James D. Brown, CTO at StillSecure

As you may have heard, the PCI Security Standards Council recently released its PCI DSS Cloud Computing Guidelines Information Supplement. The supplement is intended to serve as a guide for businesses looking to choose solutions and third-party cloud providers that will help them secure their customer payment data and support PCI DSS compliance.

The supplement provides a roadmap around cloud and how it interacts with PCI, as it outlines very clearly who has responsibility for securing payment card data in cloud environments.

Most importantly, this guide makes it clear that it is no longer just about physical security; when you have a virtualized environment, there are different attack vectors that can be taken advantage of via the hypervisor. This is similar to having physical access to a machine in a physical environment. Hypervisors enable introspection, the ability to look into cloud instances that are running, which means they provide a means of monitoring activities unbeknownst to the instance and any malware that may be running on it. A hypervisor also provides access to multiple virtual machines from a single login. In contrast, a physical host console provides access to only a single virtual machine. That ability to access many devices at once must be protected to prevent unauthorized access to cardholder data environments.

It is also key to make sure that devices are segmented in a shared work environment. Sharing memory and space needs to be isolated to ensure that it is kept completely separate from other environments. This guide formally states the need for isolation in the cloud and that merchants, vendors and auditors should pay particular attention to this in order to keep cardholder data secure.

Because of the fact that your data may physically reside anywhere in the world, cloud service providers will have to be clearer about where data is stored, especially across international borders. This has a serious impact on the ownership of the data and the ability to move data.

This may lead you to ask, who takes the blame if you process credit card payments with a vendor and the information is hacked? The guide clearly spells out that is the merchant’s responsibility to verify that a provider is secure and compliant. This means that a merchant needs to pay an auditor to verify the cloud’s level of compliance. To me as a merchant, the difference between using a PCI compliant vendor and doing it on your own is this security audit.  While the overall responsibility always rests with the merchant in the end, it makes it much easier to navigate through the auditing process with a PCI compliant vendor.

Overall, these new requirements are a step in the right direction to regulate the industry and despite the risks will help to drive cloud adoption faster.

Coming to You Live from San Francisco: RSA Conference 2013

By James D. Brown, CTO, StillSecure

Today marks the beginning of RSA Conference 2013 in San Francisco! The conference gathers together the best and brightest IT security pros to discuss critical issues and provides an opportunity to interact with and share ideas with their peers. We at StillSecure couldn’t be more excited to be surrounded by such great company.

RSA promises to be a busy five days with insightful sessions, seminars, tutorials, and more, and we recognize it can be quite difficult to choose which to attend. That’s why we’ve put together a list of our “must-see” events at RSA:

Did we leave out any sessions that you’re most looking forward to? Let us know in the comments or send us a tweet (@StillSecure)

We hope to see you there!

CRN Honors Our VP of Managed Security Sales as a Channel Chief

We’re excited to announce that our Vice President of Managed Security Sales, Brian Herman, has been named one of UBM Tech Channel’s CRN 2013 Channel Chiefs. This prestigious list of the most influential leaders in the IT channel recognizes those executives directly responsible for driving channel sales and growth within their organization, while evangelizing and defending the importance of the channel throughout the entire IT Industry.

CRN honored Brian for his hard work around the launch of HIPAA Essential, our managed security service for HIPAA HITECH compliance. He was also recognized for growing the reach of our managed security services for public and private clouds, helping our partners to meet their customers’ growing demands for cloud security. As we work alongside Brian each and every day, we’re the first to attest that this honor is very well deserved.

You can view our “official” announcement here.

Congrats, Brian!

Introducing Our Newest Partner: HealthGuard

We are excited to announce our new partnerships with HealthGuard, a health security and risk management services company. We are providing them with a full suite of Managed Security Services for their customers and partners, including HIPAA Essential, PCI Complete, managed firewall, intrusion detection and prevention, log management, and web application firewall (WAF).

Additionally, HealthGuard customers and partners opting for managed security services can now leverage our Security Operations Centers (SOCs). Our SOCs actively monitor and defend customer networks against the latest security threats, while providing 24×7 support. HealthGuard will also benefit from our bundled compliance managed services. Both are independently audited by Coalfire Systems, and provide expert personnel, proven tools and technology, and certified processes to help address HIPAA HITECH and PCI DSS compliance issues. In turn, end users can relax knowing that their compliance obligations are covered as they save time, cut costs, and free up other resources.

To learn more about our new partnership, check out our press release.

CUISPA 2013: Why Credit Unions Are Turning to NAC

By James D. Brown, Chief Technology Officer at StillSecure

Yesterday I had the honor of presenting to fellow security professionals at CUISPA 2013, one of the credit union industry’s most highly regarded information security and risk management conferences. The summit gathers together information technologists, regulators, service providers, and, of course, security specialists under one roof to discuss compliance, risk management, cloud computing, and more.

As you may know, the Federal Financial Institutions Examination Council (FFIEC) recently provided guidance that all credit unions ensure they have the technology to quarantine endpoints based on their compliance with defined security policy so risky vulnerabilities can be remediated before a network is exposed to those vulnerabilities as a potential attack vector. Because network access control (NAC) fits this need perfectly, it’s definitely a hot topic in the industry right now as many IT Managers are scrambling to comply.

During my presentation, I spoke about what we at StillSecure have recognized for years – mainly that NAC offerings, such as our Safe Access solution, should be relatively quick and painless to deploy as well as deliver a full range of functionality to provide the most up-to-date picture of compliance across the network, and provide customers with the ability to isolate and patch devices in a totally automated fashion. Among its advantages, NAC shows a single picture of security postures across multiple security software vendors, providing a way to verify reports from vendor management consoles. It also provides identity and access control for guest users and unmanaged devices, so it’s perfect for managing BYOD!

While NAC solutions assist credit unions looking to comply with FFIEC regulations, selecting the best installation for your organization and policies for your users can prove challenging. Here are some helpful tips:

Installation Types:

  • Interrogation only – If you’re just getting started, this installation is worth considering. NAC can be deployed without access control to interrogate endpoints only.
  • Inline – This installation ensures the compliance of endpoints connecting to your network.
  • DHCP – The easiest way to start enforcing access controls; does not require any changes to your network.
  • 802.1X – The most secure deployment for your internal network but also the most complex and expensive to install. Note: 802.1X can be phased in slowly, increasing your security level, and spreading costs and network impact over time.

Policy Types:

  • White list with or without testing – This policy is best for VIPs or unmanaged devices.
  • Innocent until proven guilty – Most managed users fit here.
  • Guilty until proven innocent – This policy works well for handling managed users accessing sensitive networks and high-risk managed users.
  • Blacklist with or without testing – Blocks specified devices or users without a means of getting on the network.

NAC is by no means a one size fits all security solution, and it is important to determine your organization’s specific needs. Whether you have a specific concern about an installation or just want to know how much enforcement your environment requires, we’re here to answer all of your questions. Leave a comment, send us an email, or give us a call – we’re never more than a few clicks or phone rings away.

New Technical Upgrade Announced to Our Award-Winning NAC Solution Safe Access®

This week, we are announcing a technical upgrade to our award-winning Network Access Control (NAC) solution, Safe Access®. The new version, Safe Access 6.1, will significantly increase the number of supported end-user devices from 10,000 to 30,000 devices per server and adds cloud support.

The simple fact is that employees and visitors are bringing their own devices into the office – smartphones, tablets, personal laptops and in some cases, personal gaming devices — and they expect to be able to use them for work. This makes it tough for an IT manager to ensure the corporate network is safe. Enforcing bring-your-own device (BYOD) policies based on user roles and the ability to restrict access for individual employees to certain times of the day and specific days of the week is a crucial security feature for our customers.

Most policies are based on specific devices; however, with Safe Access, if a laptop fails and an employee needs a “loaner,” the new device will immediately recognize that employee’s settings and allow that person access on the temporary device. Bottom line – only workers who are supposed to have access to the server at certain hours of the day can get on.

StillSecure Named Finalist in Five Categories of Info Security Products Guide’s Global Excellence Awards

Awards season may be taking over Hollywood, but we’re convinced that some of its energy has made its way down to our Colorado headquarters. We recently learned that StillSecure is a finalist in five categories of Info Security Products Guide’s Global Excellence Awards! Our managed security offering Cloud NSA was shortlisted in the Cloud Security and Managed Security Services categories. Safe Access is among the finalists in the NAC category. In terms of our compliance offerings, HIPAA Essential and PCI Complete are finalists in the HIPAA Compliance and PCI Compliance categories, respectively.

The Global Excellence Awards recognize security and IT vendors worldwide with advanced, groundbreaking solutions that are helping to set the bar higher for others in all areas of security and technologies. We at StillSecure work around the clock to deliver an innovative and complete suite of solutions to meet our partners and customers’ growing security needs, and we’re honored that Info Security Products Guide has recognized our efforts.

And while we are on the subject of awards, you may have recently seen that our Safe Access was named Best Endpoint Security Solution in the Government Security News Homeland Security Awards and was also listed as a finalist in the 2013 SC Magazine Readers Trust Awards.

Info Security Products Guide will announce the winners of the Global Excellence Awards on February 27. In the meantime, help us prepare our acceptance speeches by letting us know in the comments what you love most about our offerings.

We hope to see you at AFCEA West 2013!

While having headquarters in scenic, mountain-capped Colorado definitely has perks, we’re looking forward to escaping our snowy state tomorrow to attend AFCEA West 2013!

Taking place in sunny San Diego, California, AFCEA West brings together the brightest IT minds from the military, government, industry, and academic professionals on the West Coast. The event serves as a forum to discuss critical issues surrounding defense, homeland security, and much, much more.

We’re especially looking forward to the panel session “Cyber Security: How Do We Balance the Cost with the Risk” on Wednesday at 3:15PM. Not to mention, there will also be a cyber-training track, and we encourage all who are eligible to attend.

For our team at StillSecure, AFCEA West 2013 is a great opportunity to connect with leaders in military and government IT.  More importantly, we’re excited for insightful discussions on critical security issues so that we can make our network access control solution Safe Access even better for you, our partners and end users. As hard as we work to deliver some of the safest security solutions on the market, we understand that data breaches and hackers are constantly evolving – and therefore, so must we!

Will you be at AFCEA West? Come visit us at Booth 1351, and let us know in the comments which topics you’re most excited to discuss! Also, tweet at us (@StillSecure), if you’d like to schedule a meeting!