New encrypted hardware solves aged issues
May 2, 2016
Security standards have advanced in IT, while HP's 3000 hardware has not. Encryption resolves a key need for data security that's a part of the HIPAA regulations. The 3000 components won't allow for full disk encryption. There's another approach. A replacement hardware solution for MPE/iX -- which is still being used in the insurance industry -- has been on the market for more than four years. In fact, the hardware is all around us.
Encryption solutions for data on older 3000 hardware are available. FluentEdge Technologies has sold a PCI-ready solution for Ecometry sites for more than five years. A built-in full-disk approach is only an option with a fresher OS, though. We don't mean the environment powering the application; that's still MPE/iX. The control of the hardware is where such new hardware can be put into play.
Virtualizing with the Charon HPA software offers several advantages over relying on HP's hardware. Component failures are a matter of when, not if, in 15-year-old hardware. If the 3000 isn't an A- or N-Class, it's even older. Shrink-wrapping replacement drives won't look as good to security auditors as a full disk encryption of recent-model components. Newer drives include broader options.
The virtualization of the MPE/iX hardware can become an encryption strategy. Alternative methods that rely on legal defenses don't exist like they once did. A security expert friend of mine tells a story about using lawyers instead of encryption. It's a story from a different time: the era when 3000 hardware was not so old.
The certified CISSP Steve Hardwick was once involved in a HIPAA audit. After presenting the audit results to the CIO, the next question to be resolved was remediation -- bringing the systems into compliance. The CIO's response, Hardwick said, took advantage of an older version of HIPAA instead of newer hardware.
The CIO said that "after consulting with legal counsel, we are taking no action to mitigate the deficiencies found in the audit. They have informed us it will be cheaper to litigate than spend funds on security changes."
That was in the early days of HIPAA. In those days, that regulation lacked teeth. To rectify this, the US government passed the Health Information Technology for Economic and Clinical Health (HITECH) Act for enforcement. It defines what's a breach of information, plus the responses that organizations must take after a breach. Very quickly, the cost of not putting security controls in place changed, especially due to the enforcement defined by the act.
Bringing 3000 applications into line with regulations like HIPAA and HITECH usually includes securing the healthcare data. Full disk encryption is an option if the drives are controlled at the host level by an OS other than MPE/iX. At the host level, Linux is the controlling environment in a virtualized environment. Drives in Charon, for example, are disk images in OS instances such as Red Hat. Choosing virtualization can supply something to pass an audit. It's not exactly brand-new hardware, but it can be generations newer and leave the old and reliable app software in place.
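Because the emulated drives are ordinary image files on the Linux host, an auditor can ask for evidence that the filesystem holding each image sits on an encrypted block device. The sketch below is an added example, not code from this article or from the Charon product: it walks the JSON that `lsblk -J -o NAME,TYPE,MOUNTPOINT` prints and reports whether a given image path is backed by a dm-crypt (LUKS) layer. The device names, mount points and image paths are constructed for illustration, and it assumes the paths are already resolved (no symlinks or bind mounts).

```python
import json
import posixpath

# Constructed sample of `lsblk -J -o NAME,TYPE,MOUNTPOINT` output from a
# hypothetical Linux host: / and /data sit on LUKS (dm-crypt), /scratch does not.
SAMPLE_LSBLK = json.loads("""
{"blockdevices": [
  {"name": "sda", "type": "disk", "mountpoint": null, "children": [
    {"name": "sda1", "type": "part", "mountpoint": "/boot"},
    {"name": "sda2", "type": "part", "mountpoint": null, "children": [
      {"name": "luks-root", "type": "crypt", "mountpoint": null, "children": [
        {"name": "vg0-root", "type": "lvm", "mountpoint": "/"},
        {"name": "vg0-data", "type": "lvm", "mountpoint": "/data"}]}]}]},
  {"name": "sdb", "type": "disk", "mountpoint": null, "children": [
    {"name": "sdb1", "type": "part", "mountpoint": "/scratch"}]}
]}
""")


def mounts_with_encryption(tree):
    """Map each mount point to True if a dm-crypt layer lies beneath it."""
    result = {}

    def walk(dev, encrypted):
        # lsblk reports TYPE "crypt" for an opened dm-crypt/LUKS mapping.
        encrypted = encrypted or dev.get("type") == "crypt"
        if dev.get("mountpoint"):
            result[dev["mountpoint"]] = encrypted
        for child in dev.get("children", []):
            walk(child, encrypted)

    for dev in tree["blockdevices"]:
        walk(dev, False)
    return result


def image_is_encrypted_at_rest(image_path, tree):
    """True if the filesystem holding image_path is backed by dm-crypt."""
    mounts = mounts_with_encryption(tree)
    path = posixpath.normpath(image_path)
    # The longest mount point that is a path prefix owns the file.
    owners = [m for m in mounts
              if path == m or path.startswith(m.rstrip("/") + "/")]
    if not owners:
        raise ValueError(f"no mounted filesystem contains {image_path}")
    return mounts[max(owners, key=len)]
```

An image that lands on an unencrypted mount such as the constructed `/scratch` is the finding to remediate before the audit.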