
April 21, 2008

Third time a charm, revisited

Blogger: Kevin Kampman

In my March 10, 2008 blog entry “Short and to the point, if not so sweet” regarding the electronic capture and publication of medical records, I discussed how we frequently mask or defer basic issues by focusing our attention on something else. As Dr. Molly Coye stated in USA Today regarding the potential misuse of medical records: “But those are human actions. They have nothing to do with the technology.” This perspective underscores our fundamental tendency to gloss over technological issues by blaming mistakes on the people using the technology. I believe it is important to recognize this and to address the basic issues.

Sometimes we need to get some distance from an issue in order to see it clearly. Last week I attended a motivational seminar given by Curtis Zimmerman. Mr. Zimmerman is a talented speaker with a compelling message about overcoming adversity and changing the direction of one’s life, individually and as a leader. He teaches juggling as a way to force the audience to drop its barriers to listening and learning. The key takeaways from his presentation are that we need to change our perspectives to recognize and reward failures, not to hide them. He also identifies that we are living a script, someone else’s or our own, and that we need to rewrite the script in order to “live the dream” in our own lives. 

Earlier in April, we heard about a US Airways pilot discharging his gun in the cockpit while stowing it for landing. This was an unfortunate incident, but one to learn from. In a conversation with another (off-duty) pilot on a flight to North Carolina, we determined that this situation demonstrates that current on-aircraft gun handling policies and weapon configurations are accidents waiting to happen.

The guns carried by pilots are the same as those used by law enforcement. The guns have no positive locking safety switch, a round is chambered (by policy), and the gun is out and ready to use while the craft is in the air. Given the backup and failsafe environment that a cockpit represents, it is amazing that a device configured in this manner has been introduced without appropriate, common-sense precautions. This is one reason we often read about law enforcement officers having self-inflicted accidents. Fortunately, in this case no one was injured, but the pilot did lose his job.

The bottom line here is that US Airways did not reward him for demonstrating a failure in the system, nor did it take appropriate actions to prevent similar failures in the future. The result is that we will continue playing out this flawed script. Next time, someone may get hurt.

A notorious, identity-related failure has to do with the performer and musician Britney Spears. While undergoing medical treatment, her medical records were voluntarily accessed by professional and medical staff having no reasonable association with her care. This demonstrates that the medical records system in use by her provider has inadequate controls. The resolution to this situation is that a number of non-physicians were fired, while the physicians were only “disciplined”.

The bottom line here is that we have different scripts for different people. In a medical community, the physicians are in control, and are in a position to continue to violate patient privacy at will, until fundamental changes are introduced into the records systems.

And late last week, we heard of yet another records disclosure failure. WellPoint, a health care benefits firm, exposed nearly 130,000 personal medical records (records, mind you, not attributes like social security numbers) by using a third party’s improperly secured web servers. This is the first occurrence of a records disclosure of this magnitude, and is the harbinger of what is likely to come.

The risk of disclosure, misappropriation and misuse of our medical records is higher today than ever, and the burden of dealing with the situation is being pushed off to us. The risk of aggregation aggravates the problem even more, since companies who want to collect this information, like Microsoft and Google, will become targets of compromise. Whatever mechanisms they employ to protect this information must be professionally vetted by independent experts prior to any public deployments. Since there is no medical equivalent in this country to the credit reporting bureaus, we have even fewer means to protect ourselves than we do in the case of financial compromises. This being the case, we can’t afford to make mistakes. 

The final “bottom line” is that anyone dealing with private information needs to recognize that it can cause irreparable harm if it is not handled in an appropriate manner. We have already heard of situations where a person’s medical identity has been hijacked to obtain services for someone else, and run up payments to the benefits limit. Medical conditions could also be used as a gating factor for denial of employment. My family learned of my father’s impending demise due to the disclosure of diagnostic information by an indiscreet radiology technician.

We can’t continue with the same old same old; it’s clearly inadequate, as are regulations regarding disclosure of compromises (such as California’s SB 1386). We need to examine, reward and learn from these organizational and systemic failures, or else the script of records disclosures, potentially on the order of millions of records, will continue.

April 09, 2008

Hitachi! Who knew?

Blogger: Lori Rowland

Using the 2008 RSA conference as its platform, Hitachi announced the acquisition of majority shares in M-Tech. The newly formed company will operate under the name Hitachi ID Systems and be rolled into Hitachi’s information security portfolio. Hitachi ID Systems will operate as a subsidiary of the Hitachi parent company.

M-Tech, headquartered in Calgary, Alberta, Canada, has been a long-standing vendor in the IdM market. The company’s product profile includes provisioning, password management, privileged account user, AD group management, and various other IdM technologies. M-Tech is best known for P-Synch, its password management offering, but has also fared well in the provisioning market.

While Hitachi is well known in North America, it is a powerhouse in Asian markets. Hitachi sells various consumer products (e.g. electronics and power tools), but also offers hardware and software components for enterprise organizations. Hitachi has a heavy presence within Asian enterprise organizations. The Asian market has been slower to adopt IdM technologies; however, it is gaining traction, primarily because of the enactment of laws and regulations such as Japan’s Financial Instruments and Exchange Law (J-SOX). Hitachi ID Systems may have “a foot in the door” with Hitachi’s existing customer base.

Another interesting characteristic of the acquisition is that Hitachi ID Systems will operate as a subsidiary. According to M-Tech founders Gideon Shoham, CEO, and Idan Shoham, CTO, M-Tech had been approached by other vendors in the market and had turned down acquisition offers. What made the Hitachi offer stand out? As a subsidiary, M-Tech founders will maintain control over technology direction and day-to-day operations, the M-Tech employee base will remain intact, and the impact on M-Tech’s existing customers will be minimal.

M-Tech realized several other benefits to the acquisition. As the IdM market has become increasingly competitive, it was difficult for M-Tech to compete against large, major brand vendors. The acquisition gives M-Tech (now Hitachi ID Systems) access to a global sales team and a large information security consulting team which will be trained on the Hitachi ID Systems product family. Most importantly, it gives M-Tech global name recognition.

The attitude of this acquisition seems somewhat different than acquisitions we have seen in the past. While the benefits of the acquisition to M-Tech are obvious, Hitachi’s (the parent company) overall vision for IdM is not yet clear. The company does offer various security technologies such as RFID and vein pattern recognition biometrics. However, how and if these technologies will be integrated with M-Tech’s product family has not yet been defined.

Hitachi’s acquisition of M-Tech will no doubt leave some in the market scratching their heads in wonderment. It is too early to tell the full impact of the acquisition. However, one thing is clear: M-Tech needed the backing and sales channel of a larger vendor to progress in the market. However, the battle is yet to be won. This is an unpredictable market; customers are concerned with vendor viability and longevity. The long-term relationship between vendor and customer has become a differentiating factor for many IdM purchases. To be successful, Hitachi ID Systems must quickly communicate a clear vision and an aggressive strategy. Although Hitachi is a recognized name, it is competing with large vendors such as IBM, Oracle, and Microsoft, all of whom have already established themselves as powerhouses in the IdM market.

This acquisition proves that the IdM market is full of surprises – never a dull moment. There is still ample opportunity for acquisitions. Acquisition activity will likely continue in the role management, entitlement management, and authorization spaces. However, even the more mature markets like the provisioning market may see continued activity, as evidenced by the M-Tech acquisition.