The IT security industry is constantly changing, and we want our blog to evolve with it.  A variety of GuardianEdge voices will be sharing their expertise here, keeping you up to date with industry changes. My posts will include thoughts about the current state and future of enterprise security.  Ram Krishnan, senior vice president of products and marketing, will provide his take on market trends, enterprise security, and customer and product news.  Joe Gow, senior director of product management, will discuss trends in data protection technology, and Balaji Venkateswaran, vice president of engineering, will bring technical information and details on the nitty-gritty of IT security to the blog.  In addition, you may also hear from other GuardianEdge thought leaders.

We hope you will appreciate the fact that we will take a stand on controversial issues from time to time.  Part of our desire is to engage the broader data security industry in a dialogue, so please feel free to join the conversation.  We look forward to hearing from you.

We agreed that Electronic Personal Health Information (ePHI) is a necessary byproduct of this digital age.  Healthcare data needs to be mobile.  But, with the transition to more digital records, each being touched by the complete spectrum of healthcare organizations (providers, insurers, etc.), how does this impact the complexity of security?

When you look at the healthcare industry from a 30,000 foot view, some staggering statistics emerge.  According to the Health Information and Management Systems Society (HIMSS), the association that guides healthcare IT, 69 percent of healthcare data breaches are a result of a lost or stolen endpoint.  This usually comes in the form of laptops, but does include other devices like Smartphones and USB thumb drives.

A terrifying 34 percent of healthcare organizations have had a known data breach, and fewer than 50 percent currently encrypt data where it is stored.

Most surprising to me? Only 39 percent encrypt their mobile devices.

Because ePHI is highly mobile, often stored in multiple locations, and overwhelmingly shared with third parties, it is important that IT administrators consider the complete lifecycle of each record.

When it comes to HITECH compliance, it is absolutely necessary that healthcare organizations demonstrate beyond a reasonable doubt that systems are in place to secure ePHI, and that they can audit and report against those systems.  If a device is ever in question, the organization falls victim to stringent disclosure and audit requirements.

So the question is: How mobile is your healthcare organization’s data and how ready are you for the HITECH Act?

The 451 Group Research Director of Enterprise Security, Josh Corman, joined me in a recent GuardianEdge eSeminar and explained the new challenges facing the “good guys” of IT security.  While obvious threats include malware and data breaches, many administrators are also finding themselves fending off auditors armed with regulations and strict compliance standards.

“Compliance is now eclipsing threat as the number-one driver in security spending,” Corman noted.  “Nearly every penny spent last year on security was under a compliance mandate.”

Corman added that when he asked administrators why they were focused more on dealing with the auditors then on fending off the latest threat or what their risk management research noted as key issues, the response was very clear: “I might get hacked, but I WILL be fined.”

“That’s a troubling development for me,” Corman responded.

So in today’s world of emerging threats, what is scarier: having a portable device stolen or having a device that does not meet your industry’s compliance standards?  Being non-compliant but secure; or being compliant but exposed to real risks?  Take a listen to Corman, or download his recent report, titled, “Security Derivatives: The Downward Spiral Caused by Information Asymmetry.”   Let me know what you think.

How does a company protect its sensitive data when much of it resides on the endpoints of third-party agents who are not employees?  This is the challenge Bruce and his team faced at MassMutual, when tasked with rolling out encryption to their internal workforce as well as a large network of insurance brokers and agents in the field.  It’s an interesting dilemma, and as part of this discussion Bruce will draw on his many years as a leader amongst his CISO peers and highlight the importance of being proactive in outlining an overall protection strategy.

Recently NetworkWorld magazine recognized Josh Corman as a top Influencer of IT for 2009, and he is going to bring some interesting insight on wider security issues to the discussion. Josh is an original thinker with strong opinions, and will talk about the choices that organizations make between addressing a real security risk with a focused solution, versus satisfying an auditor’s checkbox with a consolidated suite.  I’m excited to hear him share his perspective on the tradeoffs between these approaches.

I’m looking forward to a good discussion with both Bruce and Josh about how companies can stay ahead of today’s security threats.

If you’d like to listen in, please sign up at http://www.guardianedge.com/eseminar/20100325/recording.php