Industrial IoT Authors: Elizabeth White, Stackify Blog, Yeshim Deniz, SmartBear Blog, Liz McMillan

Blog Feed Post

Tokenization: A Secure strategy for Healthcare

Proxy Workflows

Tokenization can be a good strategy for staying out of the news. These are the headlines of our times:  “Hospital warns patients of a data breach” – May 9, 2013. “Hospice informs 800 patients of health data breach” – April 29, 2013. Employee exposes patient data in unsecured email. “Patient Data posted online in Major Breach of Privacy – Sept 2011. Vendor spreadsheet containing  20,000 patients data is compromised. “University Medical Data Breach leaks Patients’ Social Security Numbers” – April 9 2013. A doctor’s laptop containing patient data is stolen. Patient privacy data breaches are on the rise.  Hacking from outsiders with criminal intentions is a constant threat to guard against but we are seeing alarming incidents of inadvertent abuse by authorized users.

56% of respondents to the 2012 survey for the HIMSS Analytic Report: Security of Patient Data commissioned by Kroll Advisory Solutions indicated that the source of their breaches was by individuals employed in their organizations.  Organizations are increasing risk with providing access to third parties and with the fast growing addition to organizations infrastructure to support mobile access. The cost to healthcare organizations is great in terms of lost customers, lost revenue and lost respectability.

Tokenization vs. Encryption

The tokenization strategy for protecting healthcare data is to remove personal information from databases, services and reports.  Data that is not there – cannot be breached. Encryption strategies maintain patient privacy data in place – Tokenization strategies remove data completely. Patient data can’t be compromised if it has been removed. With encryption the original value is still present in the application or database. Tokenization removes the data from harm’s way.  This is especially useful in healthcare environments where so many varied users have access to the protected information including doctors, clinicians, partner hospitals, HMOs, insurance providers, drug companies, clinics, and government agencies.  When patient data is tokenized, the report that is emailed insecurely now contains tokens instead of social security numbers. The vendor spreadsheet now contains tokenized patient names, phone numbers and email addresses. The doctor’s laptop now holds medical record numbers that are actually tokens.

Proxy Workflows

The beauty of a proxy scenario is that there is little disruption to existing services. Intel’s Expressway Tokenization Broker supports proxy messaging for MLLP, Raw TCP, HTTP,

No Code Changes

FTP(S), File and custom protocols.  Any data format can be supported with the embedded power of Informatica’s Data Transformation. For example, HL7 over MLLP can be parsed,

inspected and tokenized before forwarding the message to the Health Information System.  XCPD transactions can be opened to inspect CDA Documents and to tokenize the PII data.  IHE workflows implemented through the Token Broker workflows allow for tokenization of data prior to storage in the data repository.  Expressway products are optimized for XML processing and can process these transactions at high volumes.

Secure the Perimeter

Token Broker combines the security of tokenization with secure message transport.  Transactions passing through the proxy solution can be secured with Transport Layer Security provided with Token Broker. Service endpoint protection methods include Authentication with Kerberos and LDAP, Oauth 2.0, API Keys, X.509 Tokens, WS-Security/SAML, Content Attack Prevention, Input Validation, adaptive Denial of Service, Anti-Virus, Anti-Malware and DLP Protection and sophisticated Quality of Service protocol management.

Healthcare data today is more exposed and accessible, but we want to encourage that in order to foster innovation. Healthcare providers are using mobile devices more.  Mobility is a great way to speed the delivery of healthcare solutions. Healthcare data is being shared with third parties more often.  Openness and interoperability gives providers more data input points for developing informed solutions.  When the Personally Identifiable Information (PII) and Protected health Information (PHI) data is removed through tokenization, we can open up access to the clinical information.  Analytics can be applied to the tokenized scrubbed data.  API‘s can mash up the data from the various provider streams without risking the privacy of the patients.


Read the Intel Expressway Tokenization Broker data sheet

Follow me on twitter @WBohner



The post Tokenization: A Secure strategy for Healthcare appeared first on Application Security.

Read the original blog entry...

More Stories By Application Security

This blog references our expert posts on application and web services security.

IoT & Smart Cities Stories
The Internet of Things will challenge the status quo of how IT and development organizations operate. Or will it? Certainly the fog layer of IoT requires special insights about data ontology, security and transactional integrity. But the developmental challenges are the same: People, Process and Platform and how we integrate our thinking to solve complicated problems. In his session at 19th Cloud Expo, Craig Sproule, CEO of Metavine, demonstrated how to move beyond today's coding paradigm and sh...
What are the new priorities for the connected business? First: businesses need to think differently about the types of connections they will need to make – these span well beyond the traditional app to app into more modern forms of integration including SaaS integrations, mobile integrations, APIs, device integration and Big Data integration. It’s important these are unified together vs. doing them all piecemeal. Second, these types of connections need to be simple to design, adapt and configure...
Cloud computing delivers on-demand resources that provide businesses with flexibility and cost-savings. The challenge in moving workloads to the cloud has been the cost and complexity of ensuring the initial and ongoing security and regulatory (PCI, HIPAA, FFIEC) compliance across private and public clouds. Manual security compliance is slow, prone to human error, and represents over 50% of the cost of managing cloud applications. Determining how to automate cloud security compliance is critical...
Contextual Analytics of various threat data provides a deeper understanding of a given threat and enables identification of unknown threat vectors. In his session at @ThingsExpo, David Dufour, Head of Security Architecture, IoT, Webroot, Inc., discussed how through the use of Big Data analytics and deep data correlation across different threat types, it is possible to gain a better understanding of where, how and to what level of danger a malicious actor poses to an organization, and to determ...
Nicolas Fierro is CEO of MIMIR Blockchain Solutions. He is a programmer, technologist, and operations dev who has worked with Ethereum and blockchain since 2014. His knowledge in blockchain dates to when he performed dev ops services to the Ethereum Foundation as one the privileged few developers to work with the original core team in Switzerland.
Digital Transformation and Disruption, Amazon Style - What You Can Learn. Chris Kocher is a co-founder of Grey Heron, a management and strategic marketing consulting firm. He has 25+ years in both strategic and hands-on operating experience helping executives and investors build revenues and shareholder value. He has consulted with over 130 companies on innovating with new business models, product strategies and monetization. Chris has held management positions at HP and Symantec in addition to ...
Cloud-enabled transformation has evolved from cost saving measure to business innovation strategy -- one that combines the cloud with cognitive capabilities to drive market disruption. Learn how you can achieve the insight and agility you need to gain a competitive advantage. Industry-acclaimed CTO and cloud expert, Shankar Kalyana presents. Only the most exceptional IBMers are appointed with the rare distinction of IBM Fellow, the highest technical honor in the company. Shankar has also receive...
DXWorldEXPO LLC announced today that Telecom Reseller has been named "Media Sponsor" of CloudEXPO | DXWorldEXPO 2018 New York, which will take place on November 11-13, 2018 in New York City, NY. Telecom Reseller reports on Unified Communications, UCaaS, BPaaS for enterprise and SMBs. They report extensively on both customer premises based solutions such as IP-PBX as well as cloud based and hosted platforms.
Enterprises have taken advantage of IoT to achieve important revenue and cost advantages. What is less apparent is how incumbent enterprises operating at scale have, following success with IoT, built analytic, operations management and software development capabilities - ranging from autonomous vehicles to manageable robotics installations. They have embraced these capabilities as if they were Silicon Valley startups.
In his keynote at 18th Cloud Expo, Andrew Keys, Co-Founder of ConsenSys Enterprise, will provide an overview of the evolution of the Internet and the Database and the future of their combination – the Blockchain. Andrew Keys is Co-Founder of ConsenSys Enterprise. He comes to ConsenSys Enterprise with capital markets, technology and entrepreneurial experience. Previously, he worked for UBS investment bank in equities analysis. Later, he was responsible for the creation and distribution of life ...