Network Computing
The Business of IT
Feature
Feds Reach Out and Touch IT

  July 10, 2003
  By Sean Doherty



All in the Implementation

Regulatory standards are not linked to specific technologies: Standards address all aspects of security and scale to many types and sizes of organizations. Enterprises are free to implement a program they find appropriate. But you must know what's going on in your network. Ignorance is no defense. For example, a small clinic that maintains all patient data on a standalone PC won't need to go so far as, say, an identity-management package, but it should implement secure password-management practices and control physical access to the machine.

Defining standards rather than specific regulations also keeps the door open for technology advancements and lets IT implement best-of-breed systems. For example, providing secure e-mail to transmit protected data under GLBA or HIPAA means using encryption like PGP to protect privacy, digital signatures or digital certificates to authenticate users, and a hashing function to ensure data integrity. Both Lotus Notes and Microsoft Exchange can satisfy these requirements. Newer products like one from Siemens and Sigaba provide secure e-mail and a document-delivery service for the health-care industry. There are also outsourced secure e-mail services, like MxSecureMail and Hushmail.

Speaking of outsourcers, choose them wisely. There's no passing the buck when dealing with financial and health information. If your company engages a service that handles data that comes within the scope of these acts, make sure the service provider complies with the law and regulations. Although the Department of Health and Human Services (HHS) would not likely prosecute an offshore transcription service, it would go after an enterprise that intentionally or negligently entrusted PHI to an insecure link.

A commonsense approach to keeping networks secure goes a long way toward complying with these laws (though the government is moving to offer guidelines; see "FYI"). For example, keep your Internet-connected hosts and proxy servers patched at the operating system and application levels, and maintain firewalls, VPNs and other devices that control TCP/IP traffic between the Internet and the intranet. Apply antivirus software to protect data from malicious code.


In addition, maintain logs of system access and keep track of who accesses data and engages in transactions. These requirements are not new for network professionals--in fact, more than two-thirds of readers surveyed say they already audit log data. But now you are required by law to maintain this data and archive it. Treat your logs like business records, complying with your company's data-retention policies. Several vendors are releasing data-archiving tools to help streamline this task. Addamark Technologies provides software to archive large volumes of systems activity, and database vendors like Oracle are shoring up their products' logging features. In addition, e-mail archiving applications, like Re-Soft's EmailXtender, can add e-mail to your data-retention policies and maintain a record of incoming and outgoing messages (if you have yet to set up a data-retention policy, see "The Rules of Electronic Record-Keeping").
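Treating logs as business records means being able to show, years later, that the archived record has not been altered and that purging follows the retention policy rather than convenience. The following is an added example, not code from the article or from any vendor it names: each stored access event carries the SHA-256 of the previous entry and its own canonical JSON, so an edited or deleted record breaks every later link, and a retention check reports which entries the policy permits purging. The record fields, the sample events and the seven-year period are assumptions.

```python
"""Tamper-evident access log with a retention check (added example)."""
import copy
import hashlib
import json
from datetime import date, timedelta

GENESIS = "0" * 64                      # previous-hash value for the first record
RETENTION = timedelta(days=7 * 365)     # assumed company policy: keep seven years


def _digest(prev_hash: str, record: dict) -> str:
    # Canonical JSON (sorted keys, no whitespace) so the hash does not depend on field order
    payload = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode("utf-8")).hexdigest()


def append(chain: list, record: dict) -> dict:
    """Append one access event to the chain and return the stored entry."""
    prev = chain[-1]["hash"] if chain else GENESIS
    entry = {"record": record, "prev": prev, "hash": _digest(prev, record)}
    chain.append(entry)
    return entry


def verify(chain: list) -> int:
    """Return the index of the first broken link, or -1 if the chain is intact."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        if entry["prev"] != prev or entry["hash"] != _digest(prev, entry["record"]):
            return i
        prev = entry["hash"]
    return -1


def purgeable(chain: list, today) -> list:
    """Indexes of records whose 'when' date lies beyond the retention period."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    return [
        i for i, entry in enumerate(chain)
        if date.fromisoformat(entry["record"]["when"]) + RETENTION < today
    ]


# Constructed sample events, not real data
SAMPLE_EVENTS = [
    {"when": "2003-01-15", "user": "jsmith", "action": "read", "object": "acct/1042"},
    {"when": "2003-02-01", "user": "jsmith", "action": "update", "object": "acct/1042"},
    {"when": "2003-06-30", "user": "mlee", "action": "read", "object": "patient/778"},
]


def build_sample() -> list:
    chain = []
    for event in SAMPLE_EVENTS:
        append(chain, event)
    return chain


def first_break_after_edit(chain: list, index: int) -> int:
    """Alter one record in a copy and report where verification fails."""
    edited = copy.deepcopy(chain)
    edited[index]["record"]["action"] = "delete"
    return verify(edited)


def first_break_after_removal(chain: list, index: int) -> int:
    """Drop one record from a copy and report where verification fails."""
    shortened = chain[:index] + chain[index + 1:]
    return verify(shortened)


if __name__ == "__main__":
    log = build_sample()
    print("intact:", verify(log) == -1)
    print("edit record 1 breaks at:", first_break_after_edit(log, 1))
    print("remove record 1 breaks at:", first_break_after_removal(log, 1))
    print("purgeable on 2010-03-01:", purgeable(log, "2010-03-01"))
```

One caveat the chain alone does not cover: removing the most recent entries leaves a shorter chain that still verifies, so the latest hash should be recorded somewhere the log writer cannot change (a separate archive, a signed daily summary) if truncation is to be detected.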

Beyond the immediate technical solutions, complying with these laws also requires administrative support for safeguards. In other words, documentation. For IT, though, documentation often is more of a bear than are installation, configuration and maintenance.

Both GLBA and HIPAA require written information-security policies, and an individual or a group must be designated as responsible for their creation and implementation throughout the enterprise. Sarbox dictates that the corporate management team assess and maintain controls over financial reporting systems. At the very least, spell out what is where and who has access when. For small organizations, this might be easy. For large, complex enterprises, you may need a policy-management package, such as BindView's bv-Control or ConfigureSoft's Enterprise Configuration Manager. These tools not only help you develop policies to comply with the law, they also help enforce policies for system-access controls, computer configurations, patch levels and more (for information on policy tools and best practices, see "Got Discipline?").

Minding the Ps & Qs

Your written policies must cover more than your systems. They also must address your employees.

Although IT uses firewalls and secure remote-access tools to keep bad guys out, the success of any enterprise security plan begins with the employees who implement it. They are the first to handle customer data and should be considered the first line of defense. Know them well. Check references during the hiring process. Require employees to read and understand your institution's privacy and security policies, and train them to take basic steps to maintain security (see "Start with Staffing").

Next, treat your customer information as a valuable, renewable and reusable asset. Provision rights to handle sensitive information and lock down workstations that access it. In most companies, especially hierarchical organizations such as financial and health-care institutions, employees are not all equal. Their access to information should correspond to their job requirements.

For instance, a teller needs read-and-write access to accounts to credit and debit transactions. Does he need rights to a customer's loan history? A cardiologist needs access to the records of patients in her direct care. But does she need to see all the patient records at the hospital? Each institution will have to answer these questions, and based on complexity and size, some may need help from secure-authentication tools, such as smart tokens and smartcards, and employee-provisioning tools from the likes of Business Layers and Waveset Technologies.
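The teller and cardiologist questions above can be answered in policy rather than case by case. The following is an added example, not from the article or from any provisioning vendor it names: a role grants a set of operations on a record type, and for record types such as patient records a role permission alone is not enough, since the user must also be linked to the specific record (the treating physician). It generalizes the text's two cases to a deny-by-default check with a reason string fit for logging. Role names, operation names and the sample users and records are assumptions.

```python
"""Least-privilege access checks keyed to job role and care relationship (added example)."""
from dataclasses import dataclass, field

# Which (record type, operation) pairs each role may perform
ROLE_PERMISSIONS = {
    "teller": {("account", "read"), ("account", "credit"), ("account", "debit")},
    "loan_officer": {("account", "read"), ("loan_history", "read")},
    "cardiologist": {("patient_record", "read"), ("patient_record", "write")},
    "auditor": {("account", "read"), ("loan_history", "read")},
}

# Record types where a role permission alone is not enough: the user must be
# listed on the record itself (e.g. as the treating physician).
RELATIONSHIP_REQUIRED = {"patient_record"}


@dataclass(frozen=True)
class User:
    uid: str
    role: str


@dataclass
class Record:
    rtype: str
    rid: str
    assigned: set = field(default_factory=set)  # user ids with a direct relationship


def is_allowed(user: User, record: Record, op: str) -> bool:
    """Deny by default; allow only if the role and, where required, the relationship both hold."""
    if (record.rtype, op) not in ROLE_PERMISSIONS.get(user.role, set()):
        return False
    if record.rtype in RELATIONSHIP_REQUIRED and user.uid not in record.assigned:
        return False
    return True


def deny_reason(user: User, record: Record, op: str) -> str:
    """Explain a decision so denied attempts can be logged and reviewed."""
    if is_allowed(user, record, op):
        return "allowed"
    if (record.rtype, op) not in ROLE_PERMISSIONS.get(user.role, set()):
        return f"role {user.role} has no {op} on {record.rtype}"
    return f"{user.uid} is not assigned to {record.rtype} {record.rid}"


# Constructed sample principals and records, not real people or data
TELLER = User("t.jones", "teller")
DR_PATEL = User("dr.patel", "cardiologist")
ACCOUNT = Record("account", "1042")
LOANS = Record("loan_history", "1042")
OWN_PATIENT = Record("patient_record", "778", assigned={"dr.patel"})
OTHER_PATIENT = Record("patient_record", "901", assigned={"dr.nguyen"})


def sample_decisions() -> dict:
    """The four questions posed in the text, answered by the policy above."""
    return {
        "teller_credit_account": is_allowed(TELLER, ACCOUNT, "credit"),
        "teller_read_loan_history": is_allowed(TELLER, LOANS, "read"),
        "cardiologist_read_own_patient": is_allowed(DR_PATEL, OWN_PATIENT, "read"),
        "cardiologist_read_other_patient": is_allowed(DR_PATEL, OTHER_PATIENT, "read"),
    }


if __name__ == "__main__":
    for question, answer in sample_decisions().items():
        print(f"{question}: {answer}")
    print(deny_reason(DR_PATEL, OTHER_PATIENT, "read"))
```

The relationship table is the part that scales badly by hand, which is where provisioning tools earn their keep: when a patient is transferred or a teller changes branch, the assignment changes and the access decision follows without anyone editing role definitions.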

Each workstation in the enterprise should authenticate users before granting access to local resources. For further assurances, desktop-management tools, like Novell's ZENworks, enforce policies on workstations to limit access to local and network resources, regardless of the login ID. Location-specific access to resources can be controlled at the server. Some may want to investigate biometric authentication, but this is far from standard industry practice today. If you run Linux or Unix, the venerable and free TCP wrappers should be installed to deny service requests from unknown workstations.
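To see how TCP wrappers turns "deny unknown workstations" into a decision, it helps to walk the rule order by hand. The following is an added example, not the article's code and not the TCP wrappers library itself: a simplified re-implementation of the hosts_access(5) order (a match in hosts.allow grants, then a match in hosts.deny refuses, otherwise access is granted) for a subset of the syntax (ALL, an exact IPv4 address, a trailing-dot network prefix, address/netmask and EXCEPT). The two rule files are constructed.

```python
"""Evaluate TCP wrappers-style hosts.allow / hosts.deny rules (added example, simplified subset)."""
import ipaddress

# Constructed rules: sshd from the workstation subnet except one host,
# everything from one admin host, and deny all else.
HOSTS_ALLOW = """
# daemon_list : client_list
sshd : 10.20.30.0/255.255.255.0 EXCEPT 10.20.30.99
ALL  : 10.20.1.5
"""
HOSTS_DENY = """
ALL : ALL
"""


def _parse(text: str) -> list:
    """Return [(daemon_patterns, client_patterns), ...], ignoring comments and blanks."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        daemons, clients = line.split(":", 1)
        rules.append((daemons.split(), clients.split()))
    return rules


def _client_match(pattern: str, client: str) -> bool:
    if pattern == "ALL":
        return True
    if pattern.endswith("."):                      # network prefix, e.g. "10.20.30."
        return client.startswith(pattern)
    if "/" in pattern:                             # address/netmask form
        net, mask = pattern.split("/", 1)
        network = ipaddress.ip_network(f"{net}/{mask}", strict=False)
        return ipaddress.ip_address(client) in network
    return pattern == client                       # exact address


def _daemon_match(pattern: str, daemon: str) -> bool:
    return pattern == "ALL" or pattern == daemon


def _match_list(patterns: list, value: str, matcher) -> bool:
    # "a b EXCEPT c d" matches when the left list matches and the right list does not
    if "EXCEPT" in patterns:
        i = patterns.index("EXCEPT")
        return (_match_list(patterns[:i], value, matcher)
                and not _match_list(patterns[i + 1:], value, matcher))
    return any(matcher(p, value) for p in patterns)


def _matches(rules: list, daemon: str, client: str) -> bool:
    return any(_match_list(ds, daemon, _daemon_match) and _match_list(cs, client, _client_match)
               for ds, cs in rules)


def decide(daemon: str, client: str, allow_text: str = HOSTS_ALLOW, deny_text: str = HOSTS_DENY) -> bool:
    """True if the (daemon, client) pair would be served under the given rule files."""
    if _matches(_parse(allow_text), daemon, client):
        return True
    if _matches(_parse(deny_text), daemon, client):
        return False
    return True  # no rule matched either file: hosts_access grants access


if __name__ == "__main__":
    for d, c in [("sshd", "10.20.30.17"), ("sshd", "10.20.30.99"),
                 ("ftpd", "10.20.1.5"), ("sshd", "192.168.5.5")]:
        print(f"{d} from {c}: {'allow' if decide(d, c) else 'deny'}")
```

The last return line is the point worth remembering: with an empty hosts.deny, unknown workstations are served. A closed policy needs the ALL : ALL line in hosts.deny, with the known hosts listed in hosts.allow.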

At a minimum, employees must be trained in all aspects of handling customer or patient information. This includes the use of password-activated screensavers and the practice of religiously locking rooms and filing cabinets containing customer information in hard copy. Once a training program is in place for employees, monitor it for compliance and update it as required. This will buttress your weakest link.

If you take your customer information seriously and consider it a valuable asset, you're in the ballpark for complying with the guidelines. Here's a rundown of the specific requirements of GLBA, HIPAA and Sarbox.

