Group items tagged

This would in effect shift FISMA implementation responsibility away from the Office of Management and Budget (OMB) and the National Institute for Standards and Technology (NIST) to DHS, “where the knowledge of attacks informs the defense”, Paller said.

“DHS has already demonstrated that they are focusing on the critical controls....They are focusing on effectiveness measures, rather than make work”

The proposal would also expand the DHS authority over cybersecurity of private networks, particularly critical infrastructure. DHS would have the authority to develop and conduct risk assessments of private sector critical infrastructure systems and share information with the private sector about threats and best practices.

"Our research shows that the healthcare industry is struggling to protect sensitive medical information, putting patients at risk of medical identity fraud and costing hospitals and other healthcare services companies millions in annual breach-related costs," said Dr. Larry Ponemon, chairman and founder, Ponemon Institute.  "At this point one would hope to see that healthcare organizations have improved information security practices and come into compliance with HITECH, now that it's been more than one year since it was enacted.  Instead we found enormous vulnerabilities.  The protection of patient data should be at the forefront of their efforts."

ey findings of the research: Data breaches are costing the healthcare system billions.  The total economic burden created by data breaches on the healthcare industry is nearly $6 billion annually.  The impact of a data breach over a two-year period is approximately $2 million per organization and the lifetime value of a lost patient is $107,580.  The average organization had 2.4 data breach incidents over the past two years.  Major factors causing data breaches are unintentional employee action, lost or stolen computing devices and third-party error.Healthcare organizations are not protecting patient data.  Organizations have little or no confidence in their ability to appropriately secure patient records (58 percent).  Healthcare organizations have inadequate resources (71 percent) and insufficient policies and procedures in place (69 percent) to prevent and quickly detect patient data loss.Protecting patient data is not a priority.  Seventy percent of hospitals stated that protecting patient data is not a top priority.  Patient billing (35 percent) and medical records (26 percent) are the most susceptible to data loss or theft.  A majority of organizations have less than two staff dedicated to data protection management (67 percent).HITECH has exposed the healthcare industry's lax data protection practices rather than improved the safety of patient records.  The majority (71 percent) of respondents do not believe the HITECH Act regulations have significantly changed the management practices of patient records.  The findings indicate that there is a significant number of data breaches that go undetected, and therefore unreported.

"We talk with healthcare compliance people dealing with data breach risks every day and they just can't get their arms around the problem of data exposure," said Rick Kam, president and co-founder of ID Experts.  "Unfortunately, in healthcare organizations, patient revenue trumps risk management."

The new 25-point plan establishes a Data Center Consolidation Task Force with a goal of reducing the number of data centers by 800 as of 2015.

The plan also touts scalability as a reason for embracing the cloud over traditional solutions. It cited the example of a private-sector company doing video editing that experienced a surge of demand and was able, using the cloud, to scale from 50 to 4,000 virtual machines in three days.

There's an expectation that moving applications such as e-mail to the cloud will facilitate data center consolidation and reduce IT budgets. Some federal agencies have already awarded contracts to move e-mail to the cloud. In addition, the government has selected a dozen vendors to supply Infrastructure-as-a-Service (Iaas).

Back in the 1990s fellow science and technology journalist Charles Mann and I wrote a book uncovering the true story of how a lone, young, cognitively impaired hacker with relatively few computer skills managed to perpetrate what was then the most extensive and scariest series of computer break-ins ever — government weapons labs, dam control systems and ATM networks were among the hundreds of networks compromised. At the end of the book, we predicted that no matter how much effort was poured into making the Internet safer, hackers would always be able to have a field day, partly for technical reasons but also because companies and individuals would never get it together to take simple precautions critical to safe computing.

Sadly, Mann and I called it right. Viruses, trojans and spyware are bigger problems than ever. Employees unwittingly but routinely hand over their passwords to hackers who break into corporate databases to steal credit card and other information of thousands of customers. Private e-mail is rifled through and made public, and companies have their computers incapacitated by “denial of service” attacks. You need to ask yourself: Could your company survive an encounter with a hacker?

they’re always one step behind the latest hacking twist sweeping through networks. Even if you could afford to get a computer-security genius to come in and watch your company’s back 24 hours a day, he or she couldn’t fully protect you if you or any one of your employees were to slip up.

They will be more strict because there are no clear policies for it,"

The rules will come with time, but they don't exist yet, so businesses need to be careful what data they submit to clouds and be sure data subject to compliance standards such as HIPAA, PCI and Sarbanes-Oxley can be provably handled within those standards.

"Auditors want to see the guts of the cloud," Richter says, and that is something many cloud providers don't allow. Many keep their physical architectures, policies, security, virtual LAN structure and other essential factors secret. "If they can't see how data flows, how VLANs are segmented, see how your data is partitioned from others', they won't OK it."

As of April 2010, only about 7% of small-business owners were using cloud services, but that number is expected to grow to more than 10% by mid-2011, according to a survey by technology-research firm IDC.

Half of small firms that use "the cloud" say it has improved their bottom line, according to a survey this fall by Microsoft Corp., which provides cloud services.

A number of surveys show that some business owners are hesitant to try cloud computing because they don't want to stray from familiar systems or invest in new ones. Some owners that have made the switch, however, say it has been a boon to their cash-strapped firms.