Do Business with the Government with FIPS 140-2

Monday, October 8, 2012

FIPS 140-2 is a standard with which cryptographic-based (encryption) security systems must comply when protecting sensitive data in U.S. government agencies and departments.  This FIPS 140-2 standard also extends to other entities that may exchange sensitive data with the federal government, including defense contractors, state agencies, county and city government.

Brief history of FIPS 140-2

The National Institute of Standards and Technology (NIST), an agency of the U.S. Department of Commerce, establishes the standards for cryptographic modules used to protect and secure sensitive information.  On January 11, 1994, NIST issued FIPS 140-1, the first set of these standards, developed in conjunction with cryptographic industry vendors and users. That standard specified four security levels and eleven requirement areas that a cryptographic module must meet.

On May 25, 2001, NIST issued FIPS 140-2, updating the specifications to address the technology changes since 1994. NIST is currently working on FIPS 140-3, a draft of which was issued in Sept. 2009.

Why FIPS 140-2

The purpose of the FIPS 140-2 standard is to coordinate the standards used by the U.S. government and other regulated industries in gathering, storing, transferring, sharing, and disseminating sensitive information.  It also provides a FIPS 140-2 accreditation program for private sector vendors that develop cryptographic modules for use in other products.  For instance, our GoAnywhere solution uses an encryption module from RSA® which is FIPS 140-2 certified by an independent lab.

Traditional methods of sending files, such as email or FTP, do not meet the FIPS 140-2 standard. If you intend to exchange files with the federal government, it is critical that your file transmissions are encrypted with a FIPS 140-2 compliant encryption module.

When researching managed file transfer (MFT) solutions, it is important to determine whether they offer a FIPS 140-2 compliant module, especially if you are exchanging sensitive data with the federal government. Read more about GoAnywhere’s FIPS 140-2 support.

By utilizing an automated and secure file transfer solution like GoAnywhere along with FIPS 140-2 compliant encryption, doing business with the federal government and other such regulated industries becomes much easier.


Customer Success Story: United Security Life and Health

Friday, August 31, 2012

It’s Friday, heading into a long overdue holiday weekend, so we thought we’d share a video we recently posted that highlights how Lorraine Callahan, a senior programmer analyst with United Security Life and Health, has implemented GoAnywhere to improve workflow and save time.

[Video: GoAnywhere Success Story: United Security Insurance (YouTube)]

If you’d like to see other customer success stories, visit our website where you can find videos, testimonials, and case studies.


Building a Framework for HIPAA and HITECH Compliance

Monday, August 27, 2012

HITECH laws were enacted to up the ante on healthcare organizations to meet HIPAA legal compliance for data security and privacy, which, of course, puts an additional burden on IT to make sure all bases are covered.  But regardless of the rigors of enacted laws, compliance doesn’t happen overnight. It takes diligence and continued effort to understand and address all necessary requirements. To avoid the hefty penalties for breaking HIPAA and HITECH laws and the loss of confidence of patients and partners, a focused, deliberate, measured plan is essential.

In addition to becoming familiar with HIPAA and HITECH regulations (a good place to start is the HHS.gov website), it’s critical to meet with your security and management team and decide how your organization can best protect sensitive healthcare information. One of the first steps in this process is to fully document your department’s own security policies and procedures.  This provides the foundation from which to train internal users in understanding and complying with the HIPAA and HITECH rules. In fact, having a security policies and procedures document is required by HIPAA and HITECH.

If you don’t currently have your security policies and procedures documented, one option for finding a good template is to Google the term, “IT Security Policies and Procedures.” You will find free downloadable templates that give you a basic outline to follow.

If you already have this document in place, keep in mind that it needs to be treated as a living document, changed and updated as circumstances and requirements change.  Make a point of doing a yearly, if not twice-yearly, review.

Of course, documentation of security policies is only a start. You need to procure and implement proven security tools across your enterprise to protect your data — whether the data resides on a server or is being transmitted across a network or the Internet.  A non-exhaustive list of IT security tools necessary for ensuring compliance:

  • Firewall – This security measure prevents intrusion into the private network by unauthorized outside parties.
  • Email encryption – To meet privacy requirements, email communications that contain private data must be encrypted.
  • Malware protection – This step keeps spyware and malware from infecting PCs and servers containing private data.
  • FTP communications – Managed file transfer solutions are designed specifically to provide the encryption, logging and automation tools that make sure sensitive data is secured and tracked while in motion, while reducing the time needed to manage all incoming and outgoing transactions.
  • Backup protection – Backup files and tapes need to be encrypted and otherwise secured to make sure sensitive data can’t fall into the wrong hands.
  • Data shielding – Sensitive fields need to be encrypted or hidden to ensure that they can’t be viewed or extracted by unauthorized viewers. A good data encryption product can also encrypt data on backup tapes as well as sensitive data that might be shown in on-screen applications.
  • Physical facility protection – Server rooms, fax/copy/printer rooms, and workstations all must be considered when protecting sensitive data that is printed on paper or residing on servers or PCs.
  • Telephone and online communications – Anyone involved in telephone calls, online chat or discussion groups needs to be trained to be sensitive to privacy regulations and the risk of exposing sensitive information.

As you can see, there are several aspects of compliance with HITECH and other laws that need to be considered and addressed.  Healthcare professionals and organizations need to take their patients’ privacy seriously, whether in the hospital or physician office, or in electronic form on servers and in digital communications with others.

The Big Question: How to Manage File Transfers Without Depending on a Programmer

Wednesday, August 15, 2012

Accounting needs to receive invoices from vendors at various times throughout the day.  Human Resources needs to transmit scheduled secured documents to the bank hourly and must follow PCI guidelines.  The legal department needs to provide a location where third-party vendors can drop contracts for approval, and encryption is crucial.  Real estate has extremely large maps and drawings that have to be unzipped onto a separate internal server.

These are scenarios that almost all IT departments face on a regular basis.  But what if you manage an iSeries shop and these transfers involve a Windows or Linux server?  How do you handle them quickly, managing a multitude of options with access to numerous internal servers?

Historically, iSeries shops would have their developers and programmers write individual command language or high-level programming scripts to accommodate specific requests from each department as needed.  To save time and effort, these scripts would often be replicated and tweaked to meet new requests.

But what if the communication protocol changes?  The IP address changes?  User IDs and passwords are updated?  Any of these fairly typical complications extends the programming life cycle, tying up valuable resources for research, programming, unit testing, QA, acceptance and implementation.

This raises the question: how can you manage all your file transfers logically and per request but, most importantly, without having to tie up a programming resource?

The most practical solution is to move your iSeries FTP scripts into a Managed File Transfer (MFT) solution.  This allows you to separate management of the communication service from the file movement and manipulation.  Effectively, you get to pick and choose when and how to communicate and where to place the file, without requiring a programming resource.

An additional benefit of an MFT solution is that the scheduling of file transfers can also be relocated into it, further allowing your programming staff to focus on internal file processing rather than the intricacies of communication and file placement.  This reduces your development cost and allows you to deliver a solid solution to the requesting departments with a faster turnaround, not to mention a more manageable effort for future enhancements.

Once it has been configured, an MFT solution will change the way you initiate and maintain FTP requests from within your organization or from an outside resource.  GoAnywhere Director combined with GoAnywhere Services allows for a truly flexible transition to “managed” file transfer, letting you refocus your development and programming staff and realize a quick return on your investment.

GoAnywhere Secure Mail Now Works with Outlook 2010

Friday, August 3, 2012

With the latest release of GoAnywhere Services, 2.8.0, the development team included a plug-in that integrates Secure Mail with Outlook 2010.  This is great news for both the IT staff and everyone else in the organization who find themselves needing to send files via email.

Whether we realize it or not, the simple act of emailing a file as an attachment can pose a significant security risk, especially for organizations governed by strict compliance regulations.  Learn more in the previous post “Ad-Hoc File Transfers Present Challenges, Vulnerabilities.”

For those unfamiliar with it, the GoAnywhere Services Secure Mail module allows users to send files securely by generating a unique, encrypted link that is emailed to the recipient.  The recipient can then click on the link to view or download the files over HTTPS.

The benefit for employees is that they can now send any files, regardless of size, through their Outlook 2010 email client, or they can use the web form that comes with the Secure Mail module.

Even better for the IT staff is the ability Secure Mail provides to track these ad-hoc file transfers and maintain the thorough audit trails required by compliance auditors.  And by implementing a secure mail solution throughout the organization, the IT department regains control over protecting sensitive data while eliminating the need for employees to use any of the free FTP tools they may have downloaded to their desktops, or the various cloud applications popping up each month.

If you’re curious about how GoAnywhere Secure Mail looks, feels, and operates, check out our free 30-minute webinar on Wednesday, August 15, where Chief Architect Bob Luebbe will demonstrate how easy it is for even the least technically inclined person in your company to use it to send ad-hoc files.  Register to view the recorded webinar here.