Saturday, August 6, 2011

Capability-based, Secure Convergence

Continued from previous blog article: Communication Convergence

Communication convergence is ongoing, for example between the mobile and the fixed Internet. This is putting pressure on businesses to enable more of their services to be accessed and used seamlessly across different networks and platforms.

While communication convergence is good for business, it must also meet contract, regulatory, and legal duties such as availability, accessibility, equal access, integrity, breach notification requirements and fines, and confidentiality (when needed). These concerns, of course, also affect consumers and whether they are willing to use an online resource provided by an organization.

The ZSentry solution is as ingenious as it is simple to explain. The next sections can help you apply it.

Organizations today would likely see the following main choices of resources for services, devices, software, network, and providers:
Google Apps, Gmail, Yahoo, Outlook, Thunderbird, Apple Mail, iPad, iPhone, Android, Blackberry, Internet Explorer, Firefox, Safari, Exchange Server, email, webmail, SMS, IM, Single-Sign-On, and file storage.
However, in defining a suitable set of resources, the central question for a corporate purchase decision is not about the resources themselves. What matters is the set of capabilities that they can support in common, and how this set matches the business needs of the organization. Organizations, therefore, have to look into what capabilities those resources may have in common, such as:

(a) They are HIPAA compliant
(b) They work together
(c) They can help reduce online risks
(d) They make it easier to use different devices

Today, however, the only common point between those resources is (e) none of the above.

But option (e) is not helpful. The list of resources above includes leading brands and services and yet many organizations cannot use them due to lack of HIPAA compliance, which is a mandatory business need in the US health-care sector. Other organizations have no legal HIPAA requirement but face other barriers in using those resources, such as higher online risks (e.g., passwords, server breach), not working well together, and limited functionality.

Adding NMA ZSentry creates a new option: (f) “all of the above and more”.

NOTE: NMA ZSentry is available at

What NMA ZSentry does NOT do: make changes. ZSentry does not change any of the services, devices, software, network, or providers. There is no change to any user interface. It does not change how email or any other Internet protocol works. It does not receive email and does not host email addresses for users. There is nothing to download or install, no plugins or add-ons, and no digital certificate to add. There is no POP or IMAP server use, no stored cookies, no ActiveX controls, and no Java; JavaScript is not required, and setup is optional.

For example, you continue to receive email at your usual Inbox, with an email address that you already have, using your Mail client or web browser as before, and with nothing routed through ZSentry.

What NMA ZSentry DOES do: ZSentry complements the capabilities offered by leading services, devices, software, network, and providers, enabling compatible, usable, secure, HIPAA & HITECH Safe Harbor compliant solutions in all platforms, with seamless operation and surpassing known limitations including higher online risk (for example, due to password vulnerabilities and server breach).

How is this even possible?

We designed NMA ZSentry as a middleware, which is a technical term. It means that ZSentry stays in-between (the “middle” in middleware) what you already have. It works with the message itself, not receiving the message, not at a storage place for the message, and not even in sending the message.

User Requirements & Security

Particularly for businesses, communication convergence must not only offer services that work together. Those services should also be HIPAA compliant (when needed), Safe Harbor compliant (to eliminate costly breach notification requirements and fines), help reduce online fear, make it easier to use different devices, present a uniform user interface and, for easier adoption, reduce change.

These needs can be provided by adding ZSentry, which works Sans Target and is able to fully protect personal and other sensitive information against inappropriate and unauthorized use and disclosure, whether due to external or internal attacks.

ZSentry can also work at client and server sides with a least-requirements strategy, automatically using what is available and offering “instant-compliance” with HIPAA and HITECH Safe Harbor regulations.

The Focus is on Capability, not Resources

By adding ZSentry, communication convergence becomes more effective and can be used to also blur the lines between resources such as services, devices, software, network, and providers. Rather than talk about resources the focus is now on capability, which is what matters for businesses.

With ZSentry, it is also not so relevant anymore where a capability resides or how it emerges for the user. What matters is that the capability is provided according to the User Requirements that are needed for the operational conditions. For example, if the organization sending protected information is a Covered Entity under HIPAA, it matters whether a user can read it with HIPAA compliance.

Easier Market Entry, More Choices for Customers

By adding ZSentry, what used to be software that needed to be bought, installed, and often updated can become a service that has no installation and is always up to date. A market dominated by a secure corporate email service using proprietary devices tied to a single provider can be disrupted by a secure corporate-oriented ZSentry service that works on any device and with any provider, and not just for email.

Adding ZSentry also provides a platform that facilitates the opening of communication markets to competition and empowers users to find their own desired aggregation of resources, including services, devices, software, network, and providers, rather than only using available market packages.

Can Convergence be Personalized?

Communication convergence benefits both consumers and business, and increasingly allows real-time, anywhere use. However, users need to make do with whatever convergence level might be available in the market, even at the high-end.

By adding ZSentry, users can personalize the convergence experience. For example, consumers may just want a least-cost combination, while organizations may want to choose a best-of-breed combination of resources that reduces both risk and cost.

NMA ZSentry provides organizations with regulatory compliance and communication convergence as a service/platform, working with leading solutions in an “all of the above and more” approach.

Adding NMA ZSentry technology can also help new companies play a role in the process of convergence, where new market players can move in more rapidly and with less cost, adopting different market models from conventional telecommunication companies and potentially create new markets.


Monday, August 1, 2011

Communication Convergence

Not so long ago, the world of communications was neatly compartmentalized. Companies used email for quick discussions, FedEx for contracts, fax for urgent documents, phone for business conversations, websites for digital media, and meetings usually required traveling. Each method was specialized in application.

Today, we look to do all that with a cell phone.

Or a tablet, or whatever we want to use. This shift to communication convergence is felt by many organizations today, but one may not be quite aware of it as a pattern, or that it can greatly benefit —or doom— a business.

However, once recognized, the communication convergence pattern starts to pop up everywhere. Communication convergence is a broad shift in business communication and messaging applications, including services, devices, software, network, and providers worldwide.

What may be driving this shift? Perhaps you can identify some causes in your own line of business, such as:
  • Users' changing expectations
  • Real-time pressure
  • Less cost, less waste, fewer people
  • Unfettered mobility
  • Replace older services (fax, voice mail, telex, help desk, ...)
  • Benefit from new technologies
  • More online services
  • Eliminate paper, improve availability
  • Integrate auditing
  • Simplify (billing, management, training, sales, ...)
  • Reuse investment
  • Promote revenue
According to Microsoft, the explosion of social networking with consumers has changed their expectations about how they can and should connect with businesses. Real-time is a new imperative.

While causes may vary by use and location, and differ in relevance for a particular business, what is relevant is that many businesses are finding that they have to keep continuously rethinking their communication strategies with customers, employees, and partners, and react fast. What worked last year may no longer work today.

For example, the ongoing communication convergence between the mobile and the fixed Internet is putting pressure on businesses to enable more of their services to be accessed and used seamlessly across different networks and provided over multiple platforms, including office systems, in an interactive way.

Communication convergence represents a broad shift from the traditional “vertical silos” architecture, i.e. a situation in which different services are provided through separate networks, to a situation that changes service boundaries and service characteristics, and enables the offer of new services.

What to do when the “fear gauge” flashes red?

Communication convergence also means that systems that were never meant to interoperate are now able or even called to do so, and this can create unexpected problems on different levels, for example with users, administrators, and in auditing.

Everyone knows about well-designed webpages on the desktop that fail to show anything useful on a cell phone. Urgency may cause protected health information to be sent by email, exposing the organization to a HIPAA violation.

Convergence can also be misused, for example when different systems share a vulnerability that serves as a backdoor between them. Protocols and devices that were not designed to be connected together can all of a sudden communicate, as when a jail-broken cell phone is used to hack into another phone or a web site. Limited-performance mobile systems can be tethered to powerful desktop systems and avail themselves of much higher computing and connectivity capacity than their software was designed to handle.

These issues are particularly important for businesses, where communication convergence must often meet contract, regulatory, and legal duties such as availability, accessibility, equal access, integrity, breach notification requirements and fines, and confidentiality (when needed).

That is when the “fear gauge” flashes red. Clearly, communication convergence militates against the IT security need to lock down systems and prevent unintended access. These concerns, repeated by the media in frequent cases, can reinforce consumers' online fears, affect users, and influence whether they are willing to use an online resource provided by an organization.

And that is when enterprises meet the flip side of communication convergence, which is also made very expensive by regulatory compliance with HIPAA, HITECH, mandatory breach disclosure and other rules that impose large fines and cost.

Communication convergence increases the probability of hacking, can be quite messy, and seems to not yet work quite well enough with what users want.

NMA ZSentry is a unique middleware technology that takes in the difficult aspects of communication convergence and regulation compliance and balances them with a service/platform that creates "instant on" compliance and convergence, anywhere, anyhow. The result is communication convergence that is functional with the usability, security and privacy needs, not adversarial.

Continues in the next NMA Tech Note: Capability-based, Secure Convergence

Friday, July 1, 2011

Who needs a HIPAA-disclaiming PHI service?

by Ed Gerck, Ph.D.

Apparently, according to Google, not consumers. Google to End Health Records Service After It Fails to Attract Users, is the headline as seen in

This news has been seen and talked about in many different ways. It could be that Google is reducing claims on health services. It could be evidence of broken data flows among US health-care institutions. Perhaps, it is evidence that many doctors do not use electronic records at all. While all these views may be true, so that something like Google Health would not be worthwhile at this time, Google's action may actually be signaling a reaction that is much more important to understand.

It is true that Google has blamed it on (lack of) users. A former manager of Google Health said the service could not overcome the obstacle of requiring people to laboriously put in their own data.

However, the problem that the Personal Health Record (PHR) had to be updated by the consumer was mostly overcome early on by Google Health by making it automatic (opt-in from your lab results, for example). Google also solved many of the incompatibility issues in sharing electronic health records across institutions, and made it easy for doctors to join in.

Saying that "the problem was the user" (where did we hear that before?) seems to be more of a credible excuse for failing than another, much more relevant reason, which was consumers not trusting a service that disclaimed HIPAA. Even calling it PHR and not Protected Health Information (PHI, protected by HIPAA) might by itself have alarmed consumers, who are becoming more educated about their privacy needs.

Another possibility is that HIPAA enforcement can no longer be held at bay and that Google "got it" early, before the New York Times, Information Week, MIT Technology Review, Microsoft, WebMD, and others.

Indeed, it looks ever more likely that HIPAA enforcement and fines will be applied also to those disclaimers that are seen as just a "run around" of the consumer-protection PHI regulations that were one of the very reasons for the HITECH Act. Why would otherwise federally-regulated PHI be "free-for all" (meaning: affiliates) just because the consumer uploaded it to a website that disclaimed HIPAA protection as a requirement to provide service? How did the provider (Google, Microsoft, WebMD) determine whether a patient is aware of the possible risks?

But HIPAA enforcement is not even the major source of worries.

HIPAA violations can also be criminal (e.g., "knowingly": 1 year / $50,000) and “Covered entities cannot avoid responsibility by intentionally ignoring problems with their contractors”.

So, failing to provide HIPAA privacy based on a disclaimer by a contractor (e.g., Google Health, Microsoft, WebMD) will likely fail today's industry standard of care and expose the covered entities to responsibility at various levels, in addition to duties under state tort law.

Now, looking at the NASDAQ, Epsilon, Citibank, and other "secure service provider" breach cases, those providers still argue that user data security needs only to be secure enough to deter the type of intrusion that a reasonable person might expect to occur, just as Google Health also does with username/password access control.

Well, even if this argument is valid (and there are legal reasons why not, such as preventing contributory negligence in breaching other people's files by using information gained from breaking my file) it's questionable under relying-party HIPAA and HITECH considerations whether it would apply to anyone but oneself -- even under HIPAA rule 45 C.F.R. § 164.530(c).

And HITECH is funded by fines, which is not a unique model in enforcing HIPAA. Recently, I heard of a new unit in the California DHHS that is looking for more audits. They were funded for two years with the expectation that the unit would become self-funded via penalties before it ran out of the initial funding. It was reported to me that they fined one hospital (a large one) $75,000 for an x-ray technician looking at four medical records that he had no medical or business reason to look at.

Now, imagine someone using Google Health to improperly look at the medical records of someone else. This could be a potential large liability for Google, and a potential "black eye".

That's also why IT customers, and their users, should not work with anything short of Safe Harbor, even if the customer does not need HIPAA and HITECH. It's just a proven time-bomb otherwise, in regulatory enforcement and/or in attacks.

Here, hackers, HITECH, and HHS enforcement are actually the least of the worries. Private lawsuits by patients are more of a concern, and easier, because the standard of care is so much higher.

Google Apps, however, even if just through a mail client, can be part of a cost-effective HIPAA and HITECH Safe Harbor compliant solution for PHI using ZSentry for Google.

ZSentry for Google can also be used with webmail and cell phones, does not add any liability to Google's operation, and uses Google's strong points of reliability, support, and ease of use for the benefit of health care providers and consumers.