The advent of federal laws designed to safeguard consumer financial and
medical information has brought a heightened sense of urgency to the issue
of network security. Now more than ever, financial institutions and
healthcare providers have reason to lose sleep over the possibility that
their Internet-connected networks will be compromised -- and to consider
curing their insomnia by turning security responsibilities over to a
managed service provider.
In the privacy-conscious world of the Gramm-Leach-Bliley Act (GLBA) and
the Health Insurance Portability and Accountability Act (HIPAA), network
security is no longer just a matter of wanting to keep information under
lock and key to protect trade secrets or customer databases. Uncle Sam has
upped the ante for organizations that allow their network borders to be
breached, because now these organizations face the threat of regulatory
discipline, legal liability and/or monetary penalties.
Sarbanes-Oxley, the corporate governance legislation passed in the wake
of the Enron and WorldCom meltdowns, may soon add to the angst. A new
California law requiring companies to notify all customers of any network
intrusions that may have exposed credit card or other private information
may extend these security concerns to the business community at large,
especially if similar bills that have been introduced on Capitol Hill
spread the obligation nationwide.
Outsourcing security services is an effective answer for addressing
federally mandated privacy rules because a provider for whom information
security is a full-time job has the industry knowledge, security-specific
experience, and 24x7 resources to be sure that every known security
loophole is closed, even when problems occur at 3 a.m. or on Christmas
Day. No internal IT staff member who deals with network security on a
part-time basis can provide that coverage -- or that peace of mind.
From ensuring that corporate firewalls are properly configured and
invoking new virus definitions within minutes after their distribution to
troubleshooting a user's access problem with a VPN, managed security
services providers can supply essential assistance to an organization that
is facing federal scrutiny of its privacy procedures.
GLBA: (DON'T) SHOW ME THE MONEY
In the financial services arena, Section 501(b) of the Gramm-Leach-Bliley
Act establishes guidelines for developing and implementing administrative,
technical and physical safeguards to protect the security, confidentiality
and integrity of customer information.
With regulatory agencies like the FDIC and the Office of Thrift
Supervision actively policing these provisions, not to mention the
ever-present threat of electronic money-napping by today's increasingly
sophisticated computer hackers, institutions governed by the Act are
compelled to keep their networks sealed as tightly as the Pentagon's.
While the GLBA guidelines stop short of dictating the specific security
measures that must be deployed, the act clearly instructs the institutions
under its purview to assess their risk as well as develop, implement and
enforce a comprehensive information security program. The program must be
designed to prevent unauthorized disclosure, misuse, alteration or
destruction of customer information, including any security violation that
is capable of resulting in "substantial harm or inconvenience"
to any customer.
Published procedures intended to assist regulatory examiners in
evaluating a given institution's compliance with the Act give some
additional guidance. In the area of electronic network security, auditors are asked to review
monitoring systems and procedures such as network and host intrusion
detection systems, network traffic monitoring and manual review of logs;
determine whether procedures are in place to isolate, analyze, recover and
report unauthorized access; and so on.
In practice, this simply means that financial services institutions
should employ all safeguards that are appropriate to their size and
activities. The burning question, both here and with HIPAA, is how best to
manage whatever security applications are used to demonstrate a concerted
effort to comply with the regulations.
HIPAA: OUR BODIES, OUR PRIVACY
In the healthcare industry, the HIPAA privacy rule designed to protect the
confidentiality of personal health information went into effect on April
14, 2003. (See http://www.hhs.gov/ocr/hipaa/.)
To help guide healthcare providers who are regulated under the act, the
Department of Health and Human Services issued a separate security rule
(see http://www.cms.hhs.gov/regulations/hipaa/cms0003-5/0049f-econ-ofr-2-12-03.pdf)
covering administrative, physical and technical safeguards that must be
observed to maintain the integrity of individually identifiable health
information that is stored and/or transmitted electronically.
As with GLBA, the HIPAA security rule provides no step-by-step
checklists but instead offers general directives reflecting security best
practices and procedures. In the area of technical safeguards, these
include access controls to limit data use to authorized individuals,
authentication strategies to verify the identity of those seeking
information access, audit controls to track information systems activity,
policies designed to prevent data modification or destruction, and
transmission security when information is traveling over an electronic
communications network.
Again, as with GLBA, the rule contains no specific technology
recommendations. Each healthcare provider covered under the regulation is
simply instructed to choose the appropriate technology to keep consumer
information safe.
HIPAA violators not only face penalties of up to $250,000 in fines and
10 years in jail, but they also may find themselves subject to negative
publicity or even civil lawsuits. If medical information about a celebrity
or even a private citizen is obtained because of inadequate electronic
security, the ripple effects could be extremely damaging to a healthcare
organization.
THE CASE FOR MANAGED SERVICES
Managed security services can reduce an organization's risk of running
afoul of GLBA or HIPAA because they provide a robust defense against two
potential antagonists: The electronic trespassers who may come knocking at
your door, and the regulators or attorneys who may come searching for
proof that you've built adequate barricades against the interlopers.
In the case of the regulators and the courts, hiring an expert to stand
sentinel over your network will help establish that you have done the due
diligence necessary to comply with federal mandates. Among the lengthy
examination procedures used to ascertain GLBA compliance, for example, two
of the criteria include whether the institution has used qualified
personnel to assess security risks and whether the staff is adequately
trained to implement the security program. Institutions that outsource to
a managed security expert should be able to pass both of those tests
easily.
In the case of network protection, managed services can help bridge the
gap between the implementation of a particular security measure and the
ongoing upkeep required to ensure that it is working. Like a diet or a New
Year's resolution, a firewall or intrusion detection system is only as
effective as what you put into it. Cut a corner, make a mistake, or stop
crossing all the Ts and dotting all the Is, and your security perimeter
can turn into Swiss cheese.
Case in point: Firewall configuration. In one nationwide survey of
community banks, every respondent had a firewall, but a full 90 percent of
them were incorrectly configured in a way that materially affected the
banks' security. In some cases, the firewalls failed to block certain
classes of traffic that should have been barred from entry. In others,
software patches were not up to date.
A managed security service can make those problems go away -- and more.
For that reason, one large regional financial institution based in
Wisconsin recently decided to outsource multiple security services to Norlight Telecommunications. The
decision is not only giving the organization vital security protection
vis-à-vis GLBA, but is also eliminating the security-related oversight
duties that previously prevented IT staff from focusing exclusively on
business-critical projects.
TO REDUCE RISK, SIGN ON THE DOTTED LINE
Given both the complexity of network security and the pressure from
federal watchdogs, financial institutions and healthcare providers that
must deal with GLBA or HIPAA can benefit from the services of managed
security providers in several areas. These include:
- Risk assessment/vulnerability testing
- Managed firewall service
- Managed intrusion detection service
- Managed VPNs
- Managed virus blocking
All necessary hardware and/or software is installed and configured at
the customer site, with ongoing maintenance and 24x7x365 monitoring
conducted from dedicated data centers. Customers can also see any activity
and reports from a Web portal. Even with setup costs and monthly fees,
these services are typically less expensive than hiring full-time in-house
security experts, in part because the provider is able to amortize the
investment in analysts, hardware, software and facilities over its entire
client base.
The services also keep detailed logs of activities such as intrusion
attempts, providing a robust defense against potential accusations of lax
security. Most services specializing in GLBA and HIPAA security also can
supply written guidelines to aid customers in complying with the specific
provisions of each law.
Bottom line: Managed security services can furnish an important security
blanket for financial services and healthcare providers that are dealing
with GLBA and HIPAA. It's better to be safe than sorry -- especially when
the federal government is involved.
Mike Ulicki is vice president and chief technology officer of Norlight Telecommunications, a provider of
business-to-business telecommunications solutions ranging from Internet
connectivity and data transport to business continuance, audio and video
conferencing and managed services.