Blog

This last week, the US Centers for Medicare & Medicaid Services (CMS) announced MyHealthEData, a federal initiative that for the first time will provide patients with full and secure control over their healthcare data, no longer locking it to a single healthcare system or provider.

When announcing the program, CMS Administrator Verma related an experience where her husband was in the hospital for a week due to heart failure. Upon discharge, Verma asked for her husband’s records, and was presented with a CD-ROM, itself incomplete. This brought up memories of my wife’s experience in Taos where she came down with a bad case of pneumonia and upon discharge was presented with a large folder containing X-Rays. Very useful. Verma then went on to question the $30 billion spent to-date by the US government on EHR implementation, and whether the patient experience has improved.

Key stakeholders in MyHealthEData include the White House, HHS, the VA, and the NIH. The intent is to completely revamp the way patients interact with the healthcare system, putting them in control of their data and permitting them to better compare providers based on cost and capabilities. Other benefits of greater data sharing should be better diagnosis and less duplication of care, outcomes that will hopefully drive down the cost and raise the quality of care for everyone.

Note that the data ‘ownership’ aspect of MyHealthEData is much like the intent of GDPR within the EU, placing people and privacy first. It reflects a growing trend given the pervasiveness of personal data hosted across the Internet and especially within healthcare. And paralleling the EU, we’ll see the rise of the Data Protection Officer (DPO) within US enterprises and other organizations, a role integral to privacy.

But with portability comes additional requirements for security. No longer confined to the network of a single provider, records will be ‘borderless,’ accessible by almost every healthcare provider and across multiple devices including smartphones. To encourage security, MyHealthEData will leverage the Merit-based Incentive Payment System (MIPS) which includes penalties for security breaches. This is where Cavirin can help.

With data spread across a much larger and more interconnected attack surface, there are many more chances for a breach, whether malicious or accidental. The workload and cloud account protection provided by Cavirin will be even more critical, and since a system is only as secure as its weakest link, the ease of implementation and automation we provide will permit the adoption of best practices by anyone within the healthcare value chain.

Cavirin as a company is not new to healthcare, with customer use cases spanning OS hardening of servers used in medical device manufacturing, HIPAA compliance on-premises and within AWS (including application of the AWS HIPAA Quick Start), and use of our open APIs to connect to other security platforms within a genomic research environment. We also have multiple deployments within the largest dental benefits provider in the United States. Learn more at http://www.cavirin.com/solutions/continuous-compliance/hipaa-hitech.html.

Azure Hardening


This morning, Cavirin announced the near-term availability of the new CIS Microsoft Azure Foundations Benchmark. The document is expected to be generally available within the next week or two, but why wait? It is available today to anyone with CIS access, and is a milestone for public multi-cloud security as a foundational and prescriptive guideline for organizations to establish a healthy security posture for their Azure investments. This is the first hardening benchmark for Azure, complementing the earlier benchmark for AWS, which Cavirin also supports. To address any confusion: other cloud security vendors do offer a view into one's Azure security posture via published APIs. We do the same, but the CIS Benchmark takes a different approach, a prescriptive checklist of configuration settings, that uncovers a deeper level of understanding.

The availability of the new CIS Benchmark is critical in securing hybrid cloud environments.  CNBC recently reported that AWS held a 62% market share for public cloud deployments, a drop from 68% a year earlier.  In the same timeframe, Azure jumped from 16% to 20%.  More importantly, ESG states that by the end of 2018, 81% of enterprises in the cloud will deploy on more than one provider. Cavirin’s goal is to enable hybrid cloud security, offering an organization a single, correlated view of their security posture across multiple public clouds, as well as on-premise.  This is very different from a simpler multi-cloud deployment that looks at each cloud in isolation, ‘clouds in the night’ if you will.

The recommendations fall into eight areas:

  • Identity and Access Management
  • Security Center
  • Storage Accounts
  • SQL Services (SQL Servers and SQL Databases)
  • Logging and Monitoring
  • Networking
  • Virtual Machines
  • Other Security Considerations
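To make concrete what a benchmark recommendation looks like when checked, here is an added example (not Cavirin's code and not part of the CIS document) that evaluates three of the recommendations offline: 3.1 (storage accounts must require secure transfer), 6.1 (RDP not open to the Internet) and 6.2 (SSH not open to the Internet). The storage accounts and NSG rules are constructed samples shaped like the JSON that `az storage account list` and `az network nsg rule list` emit; the camelCase field names follow the Azure CLI, but nothing here calls Azure.

```python
"""Offline evaluation of three CIS Microsoft Azure Foundations Benchmark
checks against JSON in the shape the Azure CLI emits. The two inputs
below are constructed samples; no Azure call is made."""
import json

# Constructed sample shaped like `az storage account list -o json`.
STORAGE_ACCOUNTS = json.loads("""[
  {"name": "patientrecords01", "enableHttpsTrafficOnly": true},
  {"name": "legacyimages",     "enableHttpsTrafficOnly": false}
]""")

# Constructed sample shaped like `az network nsg rule list -o json`.
NSG_RULES = json.loads("""[
  {"name": "allow-rdp-any",  "direction": "Inbound", "access": "Allow",
   "protocol": "Tcp", "sourceAddressPrefix": "*",
   "destinationPortRange": "3389"},
  {"name": "allow-ssh-corp", "direction": "Inbound", "access": "Allow",
   "protocol": "Tcp", "sourceAddressPrefix": "10.0.0.0/8",
   "destinationPortRange": "22"},
  {"name": "allow-web-any",  "direction": "Inbound", "access": "Allow",
   "protocol": "Tcp", "sourceAddressPrefix": "Internet",
   "destinationPortRange": "80-443"}
]""")

# Source prefixes that mean "anywhere on the Internet" in an NSG rule.
ANY_SOURCE = {"*", "0.0.0.0/0", "/0", "internet", "any"}


def port_in_range(port, spec):
    """True if a TCP port falls inside an NSG port spec: "22", "80-443" or "*"."""
    spec = spec.strip()
    if spec == "*":
        return True
    if "-" in spec:
        lo, hi = spec.split("-", 1)
        return int(lo) <= port <= int(hi)
    return int(spec) == port


def rule_exposes_port(rule, port):
    """True if an inbound Allow rule opens `port` to the whole Internet.
    Handles both the singular and the plural (list) forms of the source
    and destination fields that the CLI can emit."""
    if rule.get("direction") != "Inbound" or rule.get("access") != "Allow":
        return False
    if rule.get("protocol", "*") not in ("Tcp", "*"):
        return False
    sources = rule.get("sourceAddressPrefixes") or [rule.get("sourceAddressPrefix", "")]
    if not any(s.lower() in ANY_SOURCE or s.endswith("/0") for s in sources):
        return False
    ranges = rule.get("destinationPortRanges") or [rule.get("destinationPortRange", "")]
    return any(port_in_range(port, r) for r in ranges if r)


def evaluate(storage_accounts, nsg_rules):
    """Return (recommendation, resource, message) tuples for failing checks."""
    findings = []
    # CIS 3.1: "Secure transfer required" must be Enabled on every storage account.
    for acct in storage_accounts:
        if not acct.get("enableHttpsTrafficOnly", False):
            findings.append(("3.1", acct["name"],
                             "Secure transfer required is not enabled"))
    # CIS 6.1 / 6.2: RDP and SSH must not be reachable from the Internet.
    for rule in nsg_rules:
        if rule_exposes_port(rule, 3389):
            findings.append(("6.1", rule["name"], "RDP (3389) allowed from the Internet"))
        if rule_exposes_port(rule, 22):
            findings.append(("6.2", rule["name"], "SSH (22) allowed from the Internet"))
    return findings


if __name__ == "__main__":
    for rec, resource, msg in evaluate(STORAGE_ACCOUNTS, NSG_RULES):
        print(f"FAIL CIS {rec}: {resource}: {msg}")
```

Run against the samples, the script flags `legacyimages` (3.1) and `allow-rdp-any` (6.1) and passes the SSH rule that is scoped to 10.0.0.0/8. Note that an NSG's effective exposure also depends on rule priority and on any Deny rule ahead of the Allow; a real assessment sorts rules by priority and stops at the first match, which the benchmark text also expects.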

Hybrid Cloud Strategy Advantages

A Hybrid Cloud Strategy is Important for Security 

Cybersecurity is evolving and strengthening every day, but Lloyd’s, in partnership with AIR Worldwide, released a cautionary report entitled Cloud Down – The impacts on the US economy. This report outlines the possible, and probable, repercussions of the failure of one of the leading cloud providers. In focus: the financial impact of such an event.

Why should we care? If these insights are heard and heeded, insurance managers could grow their cyber business more judiciously. Along the same train of thought, it is important to remember that these analyses assume only one CSP is affected at a time. As such, a practical application of this report is to distribute workloads across multiple CSPs, taking the time to analyze which advantages of each cloud would best help you attain your goals.

To provide us with a baseline, the report specifies that “the results published in the report are based on the top 15 cloud providers in the US, which account for a 70% market share.”

DevOps automation

Earlier today, Bashyam Amant, our Sr Director of PLM, and Vaidehi Rao, our Director of Engineering, hosted a webinar entitled ‘Full-Stack Container Security,’ borrowing for the container space a (sometimes confusing) term familiar to many of you.  One of the best definitions, and a good jumping-off point, is at codeup:

‘A full-stack developer is simply someone who is familiar with all layers in computer software development. These developers aren’t experts at everything; they simply have a functional knowledge and ability to take a concept and turn it into a finished product. Such gurus make building software much easier as they understand how everything works from top to bottom and can anticipate problems accordingly. In our opinion, this is the most realistic definition of a full-stack developer.’  For those looking for even more history on the topic, the turtles end at FB.

Extending this paradigm to containers and Docker: in our view, to have complete awareness of how your container deployments affect your overall security posture, you need tools that look at each 'layer' of the 'stack' (host OS, container runtime, image, and orchestrator) while still offering a unified rather than a disjointed view.

Cloud DevSecOps

DevOps security automation plays a key role in DevSecOps

Check out the executive viewpoint, "It's Time to Stir Security into the DevOps Mix", posted on the Security Current web site earlier this month. The article highlights that creating secure software and systems has never been more challenging: the number of devices that hook into company data, coupled with increased mobility and a shift to cloud services and storage, has dramatically increased the potential attack surface of most organizations. These organizational changes require a new approach, chiefly breaking down barriers, boosting collaboration, and increasing automation, often referred to as cloud DevSecOps. In the article, we emphasize three key ingredients necessary to pursue cloud DevSecOps.


To start off the year, at least two publications have reported on surveys that detail the criticality of the cybersecurity skills gap. For those old enough, it harkens back to the Cold War missile gap of the 1950s. But unlike the missile gap, which was mostly fictional, this gap is very real, and much more relevant to the typical enterprise.

CSO drew on a November 2017 ESG study that looked at the gap and potential solutions. The most alarming observation is that, despite increased spending and visibility, the percentage of respondents reporting a shortage of skills rose from 23% in 2014 to 51% in 2018. This doubling means that a majority of organizations are now affected. Two solutions stand out:

  • Moving toward technologies with advanced analytics. Think of artificial intelligence and machine learning as a helper application that can accelerate security processes and make the staff more productive.
  • Automating and orchestrating processes. Cybersecurity grew up with a reliance on manual processes, but these processes can no longer scale to meet growing demands. As a result, security automation/orchestration has become a top priority for many organizations.


© 2018 Cavirin Systems, Inc. All rights reserved.