Thursday, January 13, 2011

2011 Information Security, Privacy and Compliance Soothsaying

By Rebecca Herold

Looking ahead to what will happen in the coming year is always an interesting exercise.  Just like within a great novel, foreshadowing occurs every day in our lives to drop the hints of things that are likely to come.  The trick is to separate out the valuable hints from the extraneous breadcrumbs that are dropped by dozens of other inconsequential sources that mislead us and cause us to fail in our predictions.   We shall see at the end of the year how close I am with the following predictions…

I try to keep up with all the latest information security, privacy and compliance issues, incidents and reports.  However, there are so many released on an almost daily basis that it is hard, actually impossible, to keep up with everything.  The past couple of years I’ve been immersed in the healthcare industry, in the energy industry leading the NIST Smart Grid privacy working group, in the education industry, and in all things related to social media, cloud computing and mobile computing.  As we move ever yet closer to truly living in an internet of things, where plasma and ether-based data become hard to distinguish between, these three issues will become inextricably intertwined.  And the component that brings the most vulnerability to all forms of information is still the same as it has been for not only the past few years, but also the past few centuries: humans.  But sadly, this component is woefully ignored and neglected when it comes to security and privacy in most organizations.

So, my opinions and viewpoints will skew towards those areas.  But, that’s okay; these areas will have pressing problems like they’ve never seen before, so it is good to reflect upon what is likely in those areas.  Here are just a few specifics for what I see as some of the most pressing issues and emerging trends: 

1.  There will be more emphasis on, and activities for, implementing security and privacy controls within healthcare covered entities (CEs) and business associates (BAs).
In the healthcare arena, there will be more active enforcement by the HHS/OCR of HIPAA/HITECH compliance.  For multiple reasons, including:
  1. Ever-increasing numbers of security incidents and privacy breaches,  
  2. HIPAA/HITECH compliance is becoming more important for the meaningful use (MU) funds (you must perform a risk assessment and then remediate identified risks, per HIPAA), as well as fighting against Medicare/Medicaid fraud, and
  3. The notice of proposed rulemaking (NPRM) will be enacted with the expansion of virtually all HIPAA/HITECH requirements to all business associates (BAs), and their subcontractors, which will encompass significantly many more (several millions more) more entities, and even larger numbers  (BAs to date have not done much for compliance, and their subcontractors have done nothing) of HIPAA/HITECH noncompliance.
I work with a large number of covered entities (CEs), and of all three categories of CEs, I see that providers are most likely the types of entities with the least amounts of controls and with the most significant HIPAA/HITECH compliance gaps.  And it’s not because the CISOs there are not trying.  They just have a very hard audience, the caregivers (doctors, nurses, etc.) to deal with, whose attention (understandably so) on is providing healthcare and not on security and privacy.  And then there are the literally millions of BAs who, to date, have done little more in their HIPAA and HITECH compliance activities than sign a BA Agreement.  So it will become more important than ever before for BAs and CEs to implement comprehensive, effective, HIPAA and HITECH compliance programs to not only meet the associated regulatory requirements, but also more important to those entities that are depending upon those MU funds, to even qualify to get those longed-for monies.

2.   PIAs will emerge as a corporate necessity, with utilities leading the way.
As utilities start converting their customers to smart meters and connecting to the Smart Grid, and as vendors create new types of smart appliances, meters and applications to use within the Smart Grid, they are going to find themselves faced with a large number of questions asking them to prove that their offerings are secure and protect the privacy of all consumers involved within the homes and personal electric vehicles (PEVs) being integrated within this vast new type of network.  As a result of this concern, as well as new federal requirements that will come to pass, we are going to see privacy impact assessments (PIAs) used more within the energy sector, and related vendor businesses, than we’ve seen to date in other industries, with the exception of federal agencies.  However, the PIAs performed will typically be at a greater depth than those performed to date within the federal offices.

The first thing I did when I started leading the NIST Smart Grid privacy group in the summer of 2009 was to do a PIA of the consumer-to-utility portion of the anticipated Smart Grid architecture.  It was the perfect first step; the results clearly revealed where privacy concerns existed.  The concepts were transferred to the rest of the Smart Grid.  Since this time the Smart Grid PIA has been referenced and pointed to many times by numerous government oversight agencies, such as the Department of Commerce, Department of Energy, Federal Trade Commission and others, as a model for entities involved with the Smart Grid to follow.  (See it within NISTIR 7628: “Guidelines for Smart Grid Cyber Security: Vol. 2, Privacy and the Smart Grid” http://csrc.nist.gov/publications/nistir/ir7628/nistir-7628_vol2.pdf.) As a result, PIAs are getting more support, and being recommended, by more government agencies than at any other time and in any other industry.  In the past five months, there has not been a week that has gone by without some entity involved, or who wants to be involved, in the Smart Grid that has contacted me asking to get more information about doing PIAs.  2011 will be the year that PIAs actually become an activity known by not only privacy professionals, but also by information security, compliance and business leaders alike.

3.  Organizations in all sectors must grapple with the mighty trifecta of information security and privacy risks: social media, mobile computing and cloud computing.
These three risks are hitting organizations all at once, from internal and external sources.  Information security, privacy and compliance pros have, to date, been addressing them one at a time, and typically separately from each other’s areas.  To be effective, all three areas must work together to address these issues in a unified, coordinated and collaborative manner.
  1. Cloud services: More organizations will be utilizing outsourced cloud services.  Specific to healthcare, more CEs and BAs, particularly those small and medium-sized organizations, will move their information security and IT functions to outsourced cloud services because they simply do not have the expertise internally do effectively manage security and privacy, and cannot afford to hire typically $200/hour (or even $100/hour) consultants to help them. This will also be the case within  education institutions that are currently struggling with cut budgets and making the hard choices to cut internal staff and go to comparatively less expensive cloud services to manage their systems and data storage and management activities.  More CEs and BAs, because of lack of internal expertise, resources, and funds, will outsource their information security, privacy and compliance activities to third party organizations that specialize in such services.  This will be especially true in small to medium-sized businesses.  These outsourced entities will be like virtual privacy officers and security officers to the CEs and BAs.
  2. Social media sites: Organizations will use social media sites even more to communicate about their services and practices, and as a result of human error, lack of knowledge/training, and malicious intent, there will be significant privacy breaches occur through the release of personal information through social media sites. There already have been many, and there will be many more.  In addition to the organizations actively using the social media sites to enhance and support their businesses, they also need to ensure they have policies and supporting procedures in place for their personnel to follow with regard to posting (and actually NOT posting) information about the business, co-workers, customers and clients.  Even when employees are away from work and using their own computers.  And, as always, the policies and procedures must be communicated using effective, regular training and ongoing awareness activities.  Organizations using social media sites MUST have such policies and training in place as soon as possible!  Their employees are already using social media, even if they don’t know where, how or when their using the sites.
  3. Mobile computing: It would be hard to find a company today where personnel were NOT using some type of mobile computer, smart phone or electronic storage device while doing work activities.  The use of mobile computers, and working away from the office, will continue to increase dramatically in 2011.  Large amounts of sensitive and confidential information can be, and often is, stored upon these devices.  These mobile computers and mobile storage devices are very easy to misplace, to lose or forget, and are also a favorite target of thieves. Appropriate security must be in place to protect them, and the information stored within them. A large portion of the over 200 business partner organizations’ information security and privacy programs I’ve reviewed did not have security or privacy policies or controls in place for these types of mobile computing devices, or for their employees who work from remote locations.  However, they often allowed client data to be stored on the mobile devices, or allowed personnel who used these types of computers to process client data. All without encrypting the data or securing the devices.  Organizations must address the increased use of mobile computing e sure appropriate security is in place for such situations. Most small organizations depend heavily on mobile computers and storage devices, so they too must be very diligent.
4.   Organizations will need to make more efforts and time for information security and privacy training and awareness activities.
The weakest link in information security and privacy is people.  Multiple studies show that most incidents and breaches occur because people simply didn’t know what they were doing, or they made a silly mistake because they were not told how to perform their job responsibilities while keeping information security in mind, or they maliciously did bad things because they knew that, with lack of awareness of their co-workers, they would likely not get caught.  Informed and aware personnel are countermeasures against security incidents and privacy breaches. Training and awareness is a prime factor in an organization’s successful security and privacy compliance program.  Many laws and regulations explicitly require formal, ongoing training and awareness.  Not only HIPAA, HITECH, and GLBA, but also many other federal, state and local level laws, regulations and industry standards.  Fines and penalties will become increasingly more significant for organizations that lack effective training and awareness activities.

A large number of the organizations whose programs I’ve reviewed have not had a formal training and awareness program.  And, the training and awareness activities that were in place have often not been effective.  For example, one organization simply copied and pasted the actual regulatory text of HIPAA into a few hundred PowerPoint slides, put it in a shared folder for their organization, sent a message telling personnel to look at it, and called that training.  This is not training!  In many other organizations I found absolutely no training and no awareness communications or events at all.  Not only does this put information at risk of incidents resulting from lack of knowledge and having more mistakes, it is also significant noncompliance infraction. HIPAA, HITECH and most other regulations require ongoing training and awareness to be occurring right now.  Organizations need to make training and awareness a priority in their information security, privacy and compliance programs.  No matter what some security technology vendor tries to tell you, training and awareness is the least expensive, and most effective, control that they can implement to prevent incidents and breaches.   I’ve seen the direct and measurable benefits many times; those who try to tell you otherwise have not done it effectively, likely because they didn’t believe it would work in the first place.  But, unless you want to have increasing incidents and breaches resulting from not only malicious intent, but also silly mistakes and simple lack of knowledge, you need to be more proactive in providing regular training and ongoing awareness communications and activities.

Last Quiz Question
In what year did Norwich University start the first Civil Engineering program in the US?

Answer: 1820
Winner: Ken Desforges

This Week’s Question
In what month and year was the great flood that devastated much of New England, and Vermont in particular?

Past winners
Andrey N. Chernyaev:  5 wins
Bill Lampe: 4 wins
Matt Bambrick: 3 wins
Ken Desforges: 3
Dianne Tarpy: 2 wins
Scott Madden: 2 wins
Sam Moore
Autumn Crossett
Gil Varney, Jr.
Glen Calvo
Thomas Reardon
Sherryl Fraser
Srinivas Chandrasekar
Marc Ariano
Linda Rosa
Joanna D'Aquanni
Srinivas Bedre
Christian Sandy
Joseph Puchalski
William Westwater