Archive for category Data Security

Healthcare Data Breaches on the Rise

Posted by on Wednesday, 19 December, 2012

Stories of data breaches across all industries continue to make the news, and nowhere is the pressure greater to keep data safe than on healthcare IT managers.

Healthcare IT News states that health data breaches increased by 97% in 2011. The 2012 Data Breach Investigations Report from Verizon’s RISK team confirmed that over 174 million records were reported as compromised, mostly as the result of hackers accessing the data. According to the Identity Theft Resource Center 2011 Breach Stats Report, 20% of all data breaches in 2011 were in the healthcare industry.

[Graphic: data breach statistics for 2012]

What is most startling about this report is that, according to the RISK study, 97% of these cases could have been avoided through simple or intermediate security controls. The graphic above is one of the many included in Verizon’s study.

The most common places where data is compromised are corporate databases and web servers; hackers who gain access to these vulnerable systems mine them for private information such as social security numbers, birthdates and credit card numbers.

Studies like these underscore the importance of establishing network security perimeters and implementing procedures that protect the privacy of patients’ information residing on these servers.

IT managers must be vigilant to combat hackers’ ever more sophisticated tools and methods, and that begins with better security procedures at the office.

Security Policy and Procedures Document

The first step in ramping up security is to write and formalize a security policy and procedures document that addresses best practice protocols and that encompasses applicable HIPAA and HITECH regulations.

Next, all employees must be trained and expectations for compliance made clear, because it takes a concerted effort on everyone’s part to ensure the required protections are implemented consistently.

Secure Data Files In Motion

One of the more popular ways for hackers to capture sensitive data is to intercept files and documents as they move across the Internet. In an earlier blog post, we talked about how standard FTP is commonly used to send files. However, FTP sends files in unencrypted form and offers no protection for the server’s login credentials. Once those credentials are captured, hackers can use them to log in to the FTP server and mine additional data files.

While managing the security of all of the files in the office may seem overwhelming, Managed File Transfer solutions can simplify this task. When an MFT solution is used in conjunction with a reverse proxy gateway, a much stronger security perimeter is formed around the network, the servers and the sensitive data that need protection.

Daniel Cheney

Daniel has been the IT Director at a healthcare company for the last 12 years and a longtime beneficiary of GoAnywhere Director and the IBM i platform. He is also a technical analyst and writer for various technical and social media projects with Humanized Communications.

More Posts - Website - Twitter - Facebook - LinkedIn - Google Plus - YouTube

Hacking and File Transfers: What You Need to Know

Posted by on Tuesday, 4 December, 2012

In the battle to secure information, it helps to know a little bit about how it can be compromised. Using FTP is one way to expose critical vulnerabilities that can allow credentials to be hacked. However, these holes in security can also be easily closed if you know how.

How Hackers Discover Vulnerabilities

Here’s how hackers could access sensitive data sent via FTP. With the use of a “sniffing” tool, an attacker could intercept and log any data traveling across the network. This log can then be analyzed to look at the content that was sent across specific TCP ports like FTP (port 21), as well as the user IDs and passwords used to log in to the FTP servers, which may have been sent as clear text.

Start with Networks, Routers, and Firewalls

To prevent this kind of hacking, the wired network can be secured by first making sure network ports are not available for public access, and then by separating network segments for sensitive servers and workstations.

However, many companies also have wireless networks where hackers just need reasonable proximity to the Wi-Fi signal, such as in an adjacent office or parking lot. Therefore, it is critical to secure wireless routers with WPA or WPA2 encryption options, rather than WEP encryption, which is no longer considered effective protection against hackers.

Once networks are secured, the next most effective tactic against hackers is to block all FTP traffic at the firewall. Then, for permitted file transfers, allow only encrypted transfer protocols such as SFTP, FTPS or HTTPS, or files that have been encrypted with PGP or GPG, for file exchanges in and out of the network. These security restrictions will deter most hackers.
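To make the two points above concrete (cleartext FTP exposes credentials on the wire, and the firewall should block port 21 while allowing only encrypted transfer protocols), here is an added example that is not code from the original post or from any vendor. It audits a constructed flow log against a port allow-list and scans a constructed FTP control-channel transcript for USER/PASS commands, masking the password so the alert itself does not leak it. The port numbers and log formats are assumptions for the example (standard IANA ports; FTPS is taken to mean implicit FTPS on port 990).

```python
"""Audit constructed network flow records against a policy that blocks
cleartext FTP and allows only encrypted transfer protocols, and flag
FTP control-channel lines that carry login credentials in the clear.
Added example for illustration; not the post's or any product's code."""

import re
from dataclasses import dataclass

# Assumed standard ports for the encrypted transfer protocols recommended
# in the post. FTPS here means implicit FTPS on 990 (assumption).
ALLOWED_TRANSFER_PORTS = {22: "SFTP/SCP", 990: "FTPS", 443: "HTTPS"}
CLEARTEXT_FTP_PORT = 21


@dataclass
class Flow:
    src: str
    dst: str
    dst_port: int
    proto: str


def parse_flow(line):
    """Parse one constructed flow record: 'src dst dst_port proto'."""
    src, dst, port, proto = line.split()
    return Flow(src, dst, int(port), proto.upper())


def classify_flow(flow):
    """Return ('allow', label) or ('block', reason) for a single flow."""
    if flow.proto != "TCP":
        return ("block", f"non-TCP transfer traffic ({flow.proto})")
    if flow.dst_port == CLEARTEXT_FTP_PORT:
        return ("block", "cleartext FTP (port 21)")
    if flow.dst_port in ALLOWED_TRANSFER_PORTS:
        return ("allow", ALLOWED_TRANSFER_PORTS[flow.dst_port])
    return ("block", f"port {flow.dst_port} not on transfer allow-list")


def audit_flows(lines):
    """Classify every flow record; returns [(line, decision, reason), ...]."""
    results = []
    for line in lines:
        decision, reason = classify_flow(parse_flow(line))
        results.append((line, decision, reason))
    return results


# FTP control-channel commands that carry login credentials in the clear.
_CRED_CMD = re.compile(r"^(USER|PASS)\s+(\S+)", re.IGNORECASE)


def find_cleartext_logins(control_lines):
    """Return (command, value) for each credential-bearing FTP command seen.

    The password value is replaced by asterisks of the same length so that
    the monitoring alert records that a cleartext login occurred without
    storing the secret itself.
    """
    findings = []
    for line in control_lines:
        match = _CRED_CMD.match(line.strip())
        if not match:
            continue
        cmd, value = match.group(1).upper(), match.group(2)
        if cmd == "PASS":
            value = "*" * len(value)  # never log the password itself
        findings.append((cmd, value))
    return findings


# Constructed sample data (addresses from documentation ranges).
FLOW_LOG = [
    "10.0.1.15 203.0.113.8 21 TCP",    # cleartext FTP: must be blocked
    "10.0.1.15 203.0.113.8 22 TCP",    # SFTP: allowed
    "10.0.1.22 203.0.113.9 443 TCP",   # HTTPS: allowed
    "10.0.1.22 203.0.113.9 8080 TCP",  # not on the allow-list: blocked
    "10.0.1.30 203.0.113.9 990 TCP",   # implicit FTPS: allowed
]

FTP_CONTROL = [
    "220 files.example.test FTP server ready",
    "USER jdoe",
    "331 Password required for jdoe",
    "PASS hunter2",
    "230 User jdoe logged in",
    "RETR patient_export.csv",
]

if __name__ == "__main__":
    for line, decision, reason in audit_flows(FLOW_LOG):
        print(f"{decision:5} {line:32} {reason}")
    for cmd, value in find_cleartext_logins(FTP_CONTROL):
        print(f"ALERT cleartext FTP credential on the wire: {cmd} {value}")
```

The flow audit is the policy the firewall should enforce, expressed as a check you can run over exported logs to confirm nothing on port 21 is still getting through; the control-channel scan is what an intrusion detection rule for cleartext FTP logins amounts to, and the masking is the part practitioners most often forget.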

Security Measures Can Be Challenging

Implementing these security measures is important, but it doesn’t come without challenges. The IT staff will have to handle more complicated secure file transfer management processes, and users may be inconvenienced when transferring files to the people and organizations that need them. As a result, users may look for workarounds for sending and receiving files to avoid being slowed down by the IT staff. Popular alternatives include email attachments or browser-based cloud services such as Dropbox, which present a new vector of vulnerability because these options may not meet the necessary security standards.

MFT Minimizes Hassle, Solves Security Vulnerabilities

There is a solution, however, that can provide not only the highest security for file transfers, but also create fewer hassles for both the IT department and the general employee.

Managed File Transfer (MFT) solutions strengthen data file security and simplify the entire file management process by providing the tools for easily creating and managing all of the unique encryption keys for the company’s various trading partners. Access controls can be set up to authorize each employee’s file exchange requirements. MFT also provides a detailed log of all transactions so that any required audits may be easily fulfilled.

Some MFT vendors also provide intuitive and convenient email encryption solutions that can integrate with existing corporate email clients such as Outlook. This reduces the temptation for employees to use workaround tools that may bypass the security restrictions that have been put in place to prevent hacking of sensitive data.

Keeping data secure is an ongoing mandate that will only become more critical as industries move toward paperless environments. Adopting a managed file transfer solution is one of the best ways to strengthen your file transfer processes and security as the pressure and liability risks continue to grow.

photo credit: kryptyk via photopin cc

Daniel Cheney

Do Business with the Government with FIPS 140-2

Posted by on Monday, 8 October, 2012

FIPS 140-2 is a standard with which cryptographic-based (encryption) security systems must comply when protecting sensitive data in U.S. government agencies and departments. This FIPS 140-2 standard also extends to other entities that may exchange sensitive data with the federal government, including defense contractors, state agencies, county and city government.

Brief history of FIPS 140-2

The National Institute of Standards and Technology (NIST), an agency of the U.S. Department of Commerce, establishes the standards for cryptographic modules used to protect and secure sensitive information. On January 11, 1994, NIST issued FIPS 140-1, the first set of standards, developed in conjunction with cryptographic industry vendors and users. The standard specified four security levels and eleven requirement areas that a cryptographic module must meet.

On May 25, 2001, NIST issued FIPS 140-2, updating its specifications to address the technology changes since 1994. NIST is currently working on FIPS 140-3, a draft of which was issued in September 2009.

Why FIPS 140-2

The purpose of the FIPS 140-2 standard is to coordinate the standards to be used by U.S. government and other regulated industries in gathering, storing, transferring, sharing, and disseminating sensitive information. It also provides a FIPS 140-2 accreditation program for private sector vendors that develop cryptographic modules that can be used in other products. For instance, our GoAnywhere solution uses an encryption module from RSA® which is FIPS 140-2 certified by an independent lab.

Traditional methods of sending files such as email or FTP do not meet the FIPS 140-2 standards. If you intend to exchange files with the federal government, it is critical that your file transmission is encrypted with a FIPS 140-2 compliant encryption module.

When researching managed file transfer (MFT) solutions, it is important to determine if they have a FIPS 140-2 compliant module available, especially if you are exchanging sensitive data with the federal government. Read more about GoAnywhere’s FIPS 140-2 support.

By utilizing an automated and secure file transfer solution like GoAnywhere along with FIPS 140-2 compliant encryption, doing business with the federal government and other such regulated industries becomes much easier.


Daniel Cheney

HITECH Compliance Offers Challenges for IT

Posted by on Tuesday, 19 June, 2012

Outside of the finance industry, healthcare is one of the most regulated industries in the U.S. As the healthcare policy debates rage on, one issue on which most Americans can agree is the need to keep personal healthcare information confidential and secure.

Major regulations such as HIPAA and HITECH have been passed into law to increase the security of our personal health information. For better or worse, a major portion of the burden to comply with the regulations and all of their revisions falls upon the IT professionals.

HIPAA and HITECH: a brief overview

While HIPAA (Health Insurance Portability and Accountability Act), passed in 1996, has received the most attention (see our blog), the more recently implemented HITECH law is quickly having an impact.

HITECH (Health Information Technology for Economic and Clinical Health Act) was passed into law in 2009. The goal of HITECH is to strengthen the civil and criminal enforcement of already existing HIPAA regulations that require health organizations and their business partners to report data breaches. HITECH also increases the penalties for security violations, and implements new rules for tracking and disclosing patient information breaches.

Data breach notification

Under HITECH rules, all data breaches of PHI (protected health information) must be reported to the individuals whose data was compromised. This includes reporting files that may have been hacked, stolen, lost or even transmitted in an unencrypted fashion. If such a breach — or potential breach — affects 500 people or more, the media must also be notified. Breaches of all sizes must always be reported to the Secretary of Health and Human Services (HHS), but if fewer than 500 individuals’ records are affected, healthcare organizations can report the breach via the HHS website on an annual basis. Larger breaches must be reported to HHS within 60 days.

Penalties for data breach

The HITECH Act implements a four-tier system of financial penalties assessed based on the level of “willful neglect” a healthcare organization demonstrated resulting in the breach. Fines range from $100 per breached record for unintended violations all the way up to $50,000 per record (with an annual cap of $1.5 million) when “willful neglect” is demonstrated.

Access to electronic health records (EHRs)

HITECH requires that the software that a health organization uses to manage its EHRs must make a person’s electronic PHI records available to the patient and yet remain protected from data breach by encrypting the data and securing the connection. Not surprisingly, email is not considered a secure method of data transmission.

Business associates

Before HITECH, business associates of healthcare organizations were not held directly liable for privacy and security under the HIPAA rules, even though they had access to PHI. HITECH now requires that all business associates with access to PHI are subject to the HIPAA rules and must maintain Business Associate Agreements with the healthcare organization that provides the PHI. Business associates are also required to report any data breaches and are subject to the same penalties as their healthcare business partners.

Daniel Cheney

FIPS 140-2 Validation Encryption Module Now Available for GoAnywhere

Posted by on Thursday, 24 May, 2012

Linoma Software has partnered with RSA Corporation to make it easier for organizations to do business with the government by adding the FIPS 140-2 Validation Encryption Module to its GoAnywhere™ suite of managed file transfer products. Read the press release.

Most companies at one time or another find that they need to transfer or exchange sensitive data files with the government, whether it’s the IRS, the SEC, or other state or federal agencies.

Increasingly, more organizations are wanting to become vendors for the government, and for those companies, meeting the federal government’s strict data security compliance standards is required before any business relationship can ensue.

That’s where the Federal Information Processing Standard (FIPS) 140-2 comes in. FIPS is a U.S. government computer security standard for the accreditation of cryptographic modules.

In order for a module to receive FIPS 140-2 accreditation, it must undergo a time-consuming and rigorous testing process through a third-party laboratory that’s been certified by the National Institute of Standards and Technology (NIST) through its National Voluntary Laboratory Accreditation Program.

Because the FIPS 140-2 accreditation process is so daunting and expensive, only a few vendors have successfully earned the esteemed designation. RSA Corporation is one of these elite vendors.

RSA is a leader in information security and sponsors the popular annual RSA Conference that attracts security professionals from all over the world. As a premier security organization, they have chosen to partner with Linoma Software to embed their FIPS 140-2 validation encryption module into GoAnywhere Director and GoAnywhere Services.

Once a GoAnywhere customer activates the FIPS 140-2 Compliance Mode, only FIPS 140-2 compliant ciphers (e.g. AES, Triple DES) will be permitted for encryption processes. The RSA security module will be utilized for any SSH and SSL communications in GoAnywhere including SFTP, SCP, FTPS and HTTPS protocols.

For companies exploring the myriad business opportunities available with government at all levels, being prepared by incorporating FIPS 140-2 validation encryption into your data transfer processes is a key step in winning those lucrative government contracts.

Susan Baird

Susan is the Marketing Manager at Linoma Software, helping promote our secure file transfer and encryption solutions. Her specialty is content creation and social media marketing.

More Posts - Website - Twitter - Facebook - LinkedIn - Pinterest - Google Plus