SecureIT is continually reviewing trends, examining technologies and engaging in standards development in cyber security, information assurance, audit, and regulatory compliance. Those efforts, combined with our first-hand experience solving our customers' problems, yield whitepapers and reports that offer insights, guidance and best practice. We hope that you find them useful.
Understanding the Security & Privacy Rules Associated with the HITECH and HIPAA Acts
The Health Information Technology for Economic and Clinical Health (HITECH) Act requires covered entities and their business associates to comply with new guidance related to security and privacy of Protected Health Information (PHI). The Health Insurance Portability and Accountability Act (HIPAA) was recently strengthened via Security and Privacy Rules issued by the Centers for Medicare and Medicaid Services (CMS). The purpose of this paper is to examine the regulations, rules and guidelines for one aspect of security and privacy: multifactor authentication. The goal of this paper is to aid organizations in decisions regarding implementation of security and privacy protections to support electronic access to health information or electronic health records (EHR).
Unsecured SSH - The Challenge of Managing SSH Keys and Associations
The Secure Shell (SSH) service is widely deployed to provide secured connectivity between systems. In other words, SSH is the secured alternative for telnet or ftp services, which are clear text and could expose user credentials and sensitive network traffic to eavesdroppers. SSH provides an encrypted tunnel through which users can enter commands, transfer files, or even use an X Windows graphical user interface. For many years, auditors have been advocating wide deployment of SSH as a cost-effective solution to the security problem of clear text network transports. OpenSSH is the most commonly deployed implementation of the SSH protocol. The price is right – it’s free – and it does not require the complexities of a Public Key Infrastructure (PKI) for generating keys. However, many organizations that have large OpenSSH deployments have found that SSH can introduce new security problems that can be as significant as the problem of clear text transmissions.
Emerging Standards and Initiatives to Support the Adoption of Cloud Computing by the U.S. Government
The U.S. Government has established the Federal Cloud Computing Initiative (FCCI) to promote the adoption of cloud computing solutions by federal government agencies. Through a series of initiatives the Federal government is creating standards, identifying reference implementations, and tackling the challenges of security and privacy. These programs will impact federal government agency future IT plans and subsequently impact companies and non-profit organizations which provide services to federal agencies. The purpose of this paper is to provide a perspective on these cloud computing initiatives identifying some opportunities as well as highlighting important factors that public, private and non-profit organizations must consider when developing IT plans, providing or acquiring cloud computing solutions.
CyberScope and Recent FISMA Guidance from OMB Create New Challenges for Federal Agencies and Considerations for Government Contractors
With the increase of advanced persistent threats combined with the need for cost savings, the Federal Government is undertaking a dramatic shift in its cybersecurity strategy and annual security risk reporting. The Federal Information Security Management Act (FISMA) requires agencies to report performance measures defined by the Office of Management and Budget (OMB). In 2010, OMB released the CyberScope system and updated FISMA reporting guidance for federal agencies. The purpose of this paper is to provide a perspective on this new guidance and the impacts on federal agencies that must collect and provide data for these performance measures.
Protect Databases from Security Threats and Automate Compliance
The whitepaper examines the critical challenges confronted by Federal government agencies associated with protecting database systems and the sensitive data they contain. Weak database security controls and threat detection have led to continued data breaches involving the loss of sensitive and critical information from Federal government computer systems. The whitepaper presents the security challenges and requirements faced by government agencies along with the need to adopt emerging technology such as cloud computing. The paper provides a series of use cases to overcome many of these challenges and outlines an enterprise solution that can be implemented today.
Improving Security Vulnerability and Configuration Management through a Service Oriented Architecture Approach
Organizations have worked to reduce vulnerabilities and adapted new technologies to detect and prevent security threats. However, attackers continue to create new and innovative ways to achieve their objectives. Agencies have an unprecedented opportunity to move from discrete, disconnected, point security management and monitoring solutions to a holistic, integrated strategy. This paper examines approaches to detect and manage vulnerabilities in infrastructure, applications and software through commercially available technology and standards such as SCAP, Service Oriented Architecture (SOA) and Web Services to deliver significant cost savings and improved security management, situational awareness, performance measurement and compliance with FISMA and other security laws and policies.
The Challenges and Solutions associated with Sensitive Data Classification and Protection
There are numerous forms of sensitive information processed by Federal Government agencies. If this sensitive information were inappropriately disclosed, browsed, or copied for improper or criminal purposes, it could be used to disrupt critical government operations, cause harm to an individual's privacy or personal freedoms, or impact a corporation's business. Security incidents can undermine your agency, resulting in diminished confidence, financial cost and impact on current operations. The whitepaper describes the forms of sensitive data and associated security implications and presents some of the common challenges associated with identifying, classifying and protecting this information. Solutions are presented for overcoming these challenges.
Checklist to Assess Security in Federal Government IT Service and Outsourcing Contracts
This whitepaper examines the security threats and information technology (IT) security requirements associated with contracted IT services, Cloud Computing, and outsourced business processing. When Government agencies contract for these services, agency officials must ensure adequate security and compliance with a series of national security policies and standards. This paper provides a checklist to assist in reviewing current contracts and aid in planning for new acquisitions. Solutions are provided to enable Federal agency personnel responsible for IT, contracts, and business operations to perform these assessments, remediate non-compliance, address security risks and put in place sustainable cyber security programs.
Does a SAS 70 Audit Address all the Requirements of FISMA?
As the Federal government increases its use of industry for outsourced services and business processes, the requirement for equivalent security certification and accreditation as measured by FISMA and NIST Special Publications is increasing. This whitepaper compares a common industry audit standard, called the SAS 70 Type II, to the requirements of FISMA and NIST. The paper identifies the gaps that Federal agencies and providers of these services and solutions must be aware of in order to obtain the necessary security certification.