EHR Stimulus Incentive

/0 Comments/in , , , , /by

EHR technology is a medical software that can help your practice keep track of and treat patients more efficiently and effectively. Additionally, many of these technologies, when implemented correctly and used properly, are subject to government incentives, making them affordable to install.

With the Stimulus Incentive Calculator app for the iPhone, you can figure out how much you will earn by using certified EHR software. Using various factors, such as the size of your practice and the number of patients you see per year, this calculator can show you the incentives for which you may be eligible.

To learn more about the benefits of using EHR technology in your practice, contact PathMaker Group. We provide security solutions and identity management servicesw.

Visit our website or call (817) 704-3644.

Leveraging Centralized Log Management in a PCI DSS Environment

/1 Comment/in , , , , , /by

Enterprise environments generate vast amounts of log data on their own before even being required to meet PCI DSS section 10 logging requirements. When taking into account the volume of logs from the large variety of sources across a network it is important to find an effective and efficient manner to address this data. IT departments could easily dedicate one full time employee to this task alone when logs are decentralized across the organization and need to be reviewed, at times, on a daily basis. Admins also face the daunting task of having a working knowledge of the vast array of system interfaces used to access and review this data where it is stored by default. Obviously this configuration is highly inefficient as well as impractical. The only logical solution to meet the PCI DSS required logging volume as well as the review requirements is a centralized log management system. PathMaker Group offers such a solution, built on a SaaS platform, that can provide the necessary functionality, usability, and reporting that PCI DSS requires. Read more

Understanding the Basics of SOA Security

/0 Comments/in , , , /by

Service-oriented architecture (SOA) is a type of software design that allows applications to be integrated as services, allowing for easy management of a company’s operations. However, the level of integration that SOA provides is compromised by the use of standard security features that are traditionally embedded into individual applications. In order to make up for this security deficiency, companies are employing the use of specialized SOA security. The following are some of the features of SOA security that address typical vulnerabilities:

  • Content Validation: Specialized SOA security ensures that data is only received in the system by trusted users to prevent a forced error by SQL injection that exposes access information.
  • Time Stamps: Digitally signed security requests can be forged by replicating previously used messages that are valid for other services. Time stamping requests prevent this sort of infiltration.
  • JavaScript Protection: This is a defense that prevents hackers from using JavaScript to input data visible by users from the client end. System scans detect and remove these malicious scripts. Read more

PCI Updates

/0 Comments/in , , , , , /by

I thought i would take a few minutes to wish everyone happy holidays and a very prosperous 2011. I also noticed that I hadn’t blogged in a while so I thought I do a little of that…

This blog provides a few updates and observations related to the following:

  • PCI DSS v1.2.1 to PCI DSS v2.0 transition – very well defined, except for the cut-over date. The bottom line is that the PCI SSC is encouraging all merchants and service providers to convert as soon as possible, but at the same time saying everyone has until New Years Eve 2011 (one year).
  • PCI DSS and PA-DSS v2.0 Scoring Templates – QSAs can’t plan their projects without the new Scoring Templates. This will stall migrations.
  • Sampling And ASV Scanning Do Not Mix – this wasn’t a like a free lunch but some still manage to screw it up…
  • PCI DSS Timeline Clarification Read more

Stuxnet Worm, Research and Recommendations

/1 Comment/in , , , , /by

As you may be aware, a worm (originally appearing in 2009) and named Stuxnet has recently resurfaced as a focused attack at Industrial and Energy control systems, namely but not exclusively targeting those systems built by Siemens, AG. This worm has the capability to take control of and/or alter settings within SCADA systems and PLC/RTU sub-components.

Below are some good articles related to recent research into the worm.

Read more

iTunes Accounts Hacked? or, Something Worse?

/1 Comment/in , , , /by

So perhaps only a few have heard about the July 4th news story reporting that several iTunes accounts (30 accounts ??) across the globe were compromised by the developer of an application (or several apps).

The story alleges that iTunes was hacked and several user accounts were compromised by an application developer who exploited peoples’ iTunes accounts to purchase his applications, so much so that it elevated him to the top in his applications’ category. Now, i would suggest that more that 30 accounts would have to be involved to elevate an app to the top of its category, but that’s beside the point. It is likely that there are more accounts involved, some go not reported, some completely oblivious to their losses.

Read the story for yourself….

I’m not so convinced that iTunes was hacked by some thief brute forcing username/password combinations to crack 30 accounts out of millions. While it is entirely possible that Apple could be hacked and that data could be stolen in bulk, I think there are some alternative ideas that should be considered. Read more

Virtual Machines != Security Virtual Reality

/0 Comments/in , , /by

Post #1, Virtual Machines != Security Virtual Reality

PathMaker Group is introducing some exciting new technologies to the market that greatly reduce business cost of securing virtual environments and simultaneously increasing system efficiencies, measured in hard-dollar savings. In order to truly embrace the value of these innovative solutions and approaches, one needs to consider some of the obvious and not-so-obvious security issues rooming in virtual space today.

This post is the first of my multi-part series on securing virtual machine environments and I hope that it provides some additional insight into the security issues that I anticipate would concern every business using virtual machines, or considering using it. Read more

Log Management the Easy Way!

/2 Comments/in , , /by

The Need for Effective Log Management

Log Management is a necessity for regulatory compliance and essential to maintaining a positive security posture in your environment. As your IT organization evolves to comply with today’s regulations and defend against new network security threats, you should choose a solution that avoids expensive maintenance and operating costs, reduces the number of resources needed to maintain and support your solution, and most importantly provides the most effective log management solution on the market today.

Our SaaS offering collects log data via an agentless collection device and provides log storage, reporting, correlation and monitoring leveraging our grid computing and storage architecture in our highly secure redundant datacenters. Read more

Cyber attacks, they occur more often than you think!

/0 Comments/in , , , /by

Cyber attacks have become a ‘weapon of choice’ for many terrorist organizations. Cyber attacks can be launched from anywhere in the world that has Internet access, are often untraceable, and have the potential to wreak havoc on our financial and economic systems, defense networks, transportation systems, power infrastructure, and many other essential capabilities.

Although not widely publicized, cyber attacks occur routinely. Within the State of Texas, a major computer security incident with significant financial and operational impact is an annual event for most organizations, including state government entities. In fact, state entities reported a daily average of almost 575 security incidents in fiscal year 2009, including malicious code execution, unauthorized access to data, and service disruptions. Most of these attacks are blocked, prevented, or result in only minor disruptions.

Between January 2005 and August 2009, Texas-based organizations reported 105 incidents involving privacy data; 43 of these incidents were government-related (universities, cities and counties, and state agencies). These 105 incidents exposed over 3 million records, with the cost estimated at an all-time high of $202 per record exposed, totaling $606 million dollars to recover from the attacks. This is why it is imperative for organizations to have a “multi-layered” approach to security to ensure these attacks remain unsuccessful or only do minimal damage and disruption.

Why is it even more important to have an IR plan than a DR plan?

/0 Comments/in , , , /by

Virtually every organization has a DR (disaster recovery) plan in place as they should. However, most organizations don’t have a detailed IR (incident response) plan in place for when their IT systems are impacted by malicious behavior from either external or internal causes.

Why is it potentially more important to have an IR plan in place vs. a DR plan? The answer is simple, statistics. According to several creditable sources, the percentage of companies in the United States who experienced an IT incident in 2009 related to a directed malicious attack from either an external source (malware, etc.) or internal source (privileged user, disgruntled employee) was 49% compared to less than 10% of organizations who actually activated and used their DR plan.

Over the last few years we, at PathMaker Group, have seen the number of incidents, and the impact from those incidents, dramatically increase in number and impact (both downtime and financial). Suprisingly, most organizations still don’t have a defined Incident Response team and procedures to address these issues in a timely fashion to reduce downtime and financial impact. Read more