When attempting to streamline your security and event data, an integrated approach that includes identity management is necessary in order to maintain compliance and proactively prevent breaches from occurring.
The Health Insurance Portability and Accountability Act (HIPAA) changed the landscape for how healthcare organizations handle sensitive information. As a result, organizations implemented comprehensive changes and improvements to security practices in the areas of data access protection, storage, monitoring and auditing, along with ongoing assessments of how and by whom data is being accessed.
However, the scope of compliance extends well beyond just meeting HIPPA regulations. Compliance concerns are compounded with HITECH, SAMHSA, COBIT, PCI, etc. Often, organizations implement specific modules for each area of concern — the “a la carte” method, leaving them with a complex, disjointed mix of products and modules that are difficult to manage, inefficient, expensive, have redundant capabilities, leave gaps in coverage and fail to provide the complete visibility required.
The “a la carte” method fails to comprehensively identify new and advanced threats facing the industry. Due to the personal nature of health information, past health data breaches such as AvMed Health Plans and the Philadelphia Family Planning Council have attracted increased scrutiny and sensitivity. A siloed approach to data monitoring prohibits organizations from gaining a holistic view of the threats facing their organization. This means that many advanced threats and abnormal behavior goes unnoticed — or is identified after the incident has occurred and customer trust has been compromised.
Healthcare organizations need solutions that cover the broad landscape of compliance and operational requirements. Security information and event management (SIEM) and log management technologies can deliver a unified view of compliance for the entire organization, not just what a particular regulation or standard requires. SIEM and log management require an integrated approach to all logging, monitoring, auditing and reviewing activities for a healthcare organization's compliance and operational concerns. The results from an integrated approach using SIEM and log management break through the data silos and proactively monitor and deter abnormal user activity. This not only meets compliance requirements more efficiently, but helps protect organizations against the latest threats.
Multi-dimensional approach to healthcare and SIEM
The traditional approach to SIEM and log management focuses on three main areas: operations, security and compliance. In the operations area, SIEM solutions monitor and analyze the health of the network, watching for events that can affect overall performance, failures and availability of the network and servers. In terms of security, SIEM solutions help organizations analyze and assess their risk posture, helping them identify aberrant behavior and potential threats to their infrastructure. Compliance needs are addressed using log management and are traditionally offered as individual modules that address the requirement of individual laws or regulations. For example, a HIPAA module will come with a prescribed set of rules for logging events for HIPAA requirements, while a PCI module has its own set of rules for logging events. The lack of integration between these compliance modules creates complexity, inefficiency, ineffectiveness and functionality gaps.
It is no longer sufficient for traditional SIEM and log management solutions to simply collect logs from network servers, workstations and other devices. The different applications and systems in a healthcare organization might each produce between several hundred and several thousand event logs per minute. That's simply too much information for a manager to manually compile, digest, analyze and correlate to produce a meaningful report. The complexity and difficulty significantly rises as the number of individuals in the organization increases.
In order to achieve a meaningful, complete healthcare solution, SIEM and log management offerings must break through the data silos and correlate all relevant compliance, operational, security and privacy events from a variety of systems and sources into a single view to give administrators and managers comprehensive visibility into all relevant areas of concern for their entire enterprise. In addition, and most importantly, IT organizations need to tie SIEM and log management events to user identities so they not only know when a certain event occurred, but who was involved in that event.
User identity correlation and normalization
The ability to account for user activity is a much needed component that is noticeably absent from most traditional solutions. The ability to pull together multiple pieces of identity-based information from multiple sources and then automatically normalize and make sense of that information allows organizations to more accurately identify who did what and when — a critical component in terms of satisfying the risk management criteria of new regulations.
To address this lack of user correlation, some organizations might deploy an identity management system in conjunction with their SIEM solution. However, most identity management solutions don't include the necessary integration with SIEM products required to tie events back to specific users. Unless the SIEM solution provides out-of-the-box identity management integration, organizations will be left to expend significant resources in an attempt to create the level of integration required — if even possible — to provide complete and accurate correlation and normalization process of events based on specific users and their roles.
The challenge of creating this level of integration from scratch is exacerbated by the fact that the identity management system needs to understand all the different usernames and logins that individuals use in all the different applications being monitored by the SIEM.
The most practical way to address this level of user monitoring is to ask solution providers if their SIEM product has the built-in ability to monitor, correlate and normalize individual user activity in all of an organization's different systems, no matter what the user ID is in that system.
Recent regulations have presented healthcare with an opportunity to streamline their security and event data. While traditional SIEM and log management solutions have done part of the job, an integrated approach that includes identity management is necessary in order to maintain compliance and proactively prevent breaches from occurring. Healthcare organizations that practice an identity-centric, integrated strategy will not only be more secure, but more intelligent in preventing attacks.
About the author
Brian Singer is a senior solution marketing manager for security management, Novell. For more information on Novell: www.novell.com.