Posts Tagged Data Security

Building a Framework for HIPAA and HITECH Compliance

Posted by on Monday, 27 August, 2012

HITECH laws were enacted to up the ante on healthcare organizations to meet HIPAA legal compliance for data security and privacy, which, of course puts an additional burden on IT to make sure all bases are covered.  But regardless of the rigors of enacted laws, compliance doesn’t happen overnight. It takes diligence and continued effort to understand and address all necessary requirements. To avoid the potential penalties of breaking HIPAA and HITECH laws, losing the confidence of patients and partners, and incurring hefty penalties, a focused, deliberate, measured plan is essential.

In addition to becoming familiar with HIPAA and HITECH regulations (a good place to start is the HHS.gov website), it’s critical to meet with your security and management team and make decisions as to how your organization can best protect sensitive healthcare information. One of the first places to start this process is to fully document your department’s own security policy and procedures.  This provides the foundation from which to train internal users in understanding and complying with the HIPAA and HITECH rules. In fact, having a security policies and procedures document is a requirement by HIPAA and HITECH.

If you don’t currently have your security policies and procedures documented, one option for finding a good template is to Google the term, “IT Security Policies and Procedures.” You will find free downloadable templates that give you a basic outline to follow.

If you already have this document in place, keep in mind it needs to be treated as a living document, to be changed and updated often as circumstances and requirements change.  Make a point to do a yearly, if not a bi-yearly, review.

Of course, documentation of security policies is only a start. You need to procure and implement proven security tools across your enterprise to protect your data — whether the data resides on a server or is being transmitted across a network or the Internet.  A less-than exhaustive list of necessary IT security tools for ensuring compliance:

 

  • Firewall – This security measure prevents intrusion into the private network from unauthorized outside viewers.
  • Email encryption  – To meet privacy requirements, email communications that contain private data must be encrypted.
  • Malware protection – This step keeps spyware/malware from infecting PCs and servers containing private data.
  • FTP communications – Managed file transfer solutions are designed specifically to provide encryption, logging and automation tools that make sure the sensitive data is secured and tracked while in motion, while reducing the time to manage all incoming and outgoing transactions
  • Backup protection – Backup files and tapes need to be encrypted and otherwise secured to make sure sensitive data can’t fall into the wrong hands
  • Data shielding – Sensitive fields need to be encrypted or hidden to ensure that it can’t be viewed or extracted by unauthorized viewers. A good data encryption product can also encrypt data on backup tapes as well sensitive data that might be shown in on-screen applications.
  • Physical facility protection – Server rooms, fax/copy/printer rooms, workstations all must be  considered when protecting sensitive data that is printed on paper or residing on servers or PCs.
  • Telephone and online communications – Anyone involved in telephone, online chat or discussion groups needs to be trained to be sensitive to privacy regulations and exposing sensitive information.

 

As you can see, there are several aspects of compliance to HITECH and other laws that need to be considered and addressed.  Healthcare professionals and organizations need to take their patients’ privacy seriously, whether in the hospital, physician office or in electronic format on servers and digital communications with others.

Daniel Cheney

Daniel has been the IT Director at a healthcare company for the last 12 years and a longtime beneficiary of GoAnywhere Director and the IBM i platform. He is also a technical analyst and writer for various technical and social media projects with Humanized Communications.

More Posts - Website - Twitter - Facebook - LinkedIn - Google Plus - YouTube

GoAnywhere Secure Mail Now Works with Outlook 2010

Posted by on Friday, 3 August, 2012

With the latest release of GoAnywhere Services 2.8.0, the development team included a plug-in that integrates Secure Mail with Outlook 2010.  This is great news for both the IT staff and everyone else in the organization who finds themselves needing to send files via email.

Whether we realize it or not, the simple act of emailing a file as an attachment can pose a significant security vulnerability, especially for organizations governed by strict compliance regulations.  Learn more in the previous post “Ad-Hoc File Transfers Present Challenges, Vulnerabilities.”

For those unfamiliar with the GoAnywhere Services Secure Mail module, it allows users to send files securely by generating a unique, encrypted link that is emailed to the recipient.  The receiver can then click on the link to view or download the files via HTTPS.

The benefit for employees is that they can now send any files, regardless of size, through their Outlook 2010 email client, or they can use the web form that comes with the Secure Mail module.

Even better for the IT staff is the ability Secure Mail provides to track these ad-hoc file transfers and maintain thorough audit trails required by compliance auditors.  And, by implementing a secure mail solution throughout the organization, the IT department regains control over protecting sensitive data while eliminating the need for employees to use any of the free FTP tools they may have downloaded to their desktops or the various cloud applications popping up each month.

GoAnywhere Services Secure Mail WebinarIf you’re curious about how GoAnywhere Secure Mail, looks, feels, and operates, check out our free 30-minute webinar on Wednesday, August 15, where Chief Architect Bob Luebbe will demonstrate how easy it is for even the least technically inclined person in your company to use it to send ad-hoc files.  Register to view recorded webinar here.

 

Susan Baird

Susan is the Marketing Manager at Linoma Software, helping promote our secure file transfer and encryption solutions. Her specialty is content creation and social media marketing.

More Posts - Website - Twitter - Facebook - LinkedIn - Pinterest - Google Plus

FTP May Be Easy, But That May Be the Problem

Posted by on Monday, 23 April, 2012

It happens in your office every day:  someone on your team hits a roadblock when they realize that email just won’t handle the huge file they need to send – immediately. Or another coworker starts to send an account number or password via email and realizes that perhaps, email isn’t all that secure.

FTP alternative, managed file transferThat’s when the tech savvy gal in the corner suggests the obvious solution: just send that file or sensitive personal information via FTP!  She lists a variety of “free” tools that can be downloaded easily, as well as a couple cloud solutions, and in desperation (and often ignorance), your coworker takes her advice and a new FTPer is born.

FTP, or “file transfer protocol,” is a solution that’s been available for more than 30 years.  Within the last decade, so many free or inexpensive FTP tools have become available that many of us assume that FTP must be a reliable solution, or why would so many people be using it?

As we know with many of society’s ills, just because something is easy to find and popular to use doesn’t mean it’s a smart or effective idea.

The downside of FTP

While FTP may be able to send large files, standard FTP – like email — is not secure, and is therefore vulnerable to hackers.

Rogue FTP tools, like those free tools sprinkled on employees’ PCs, start to become a liability to the company, both financially and to its reputation and credibility.

To begin with, multiple employees with multiple FTP tools mean that no one has a master view of the flow of data in and out of your company. It’s impossible to know who is sending what to whom, and who is receiving files from where.

State and Federal laws require that data which contains personally identifiable information must be encrypted and secured. This also applies to most of the financial data that we collect and create. How can you keep tabs on all of this with a lot of FTP processes running on various PCs throughout the office?

Second, because FTP is not secure, the company increases its risk for a data breach.  Costs to notify those affected when a data breach occurs, combined with the fines that can be assessed, can be in the millions of dollars, not to mention the damage to the company’s brand.

If not FTP, then what?

One approach to control FTP traffic is to set up restrictions on the corporate firewall, essentially prohibiting access for all but specifically authorized personnel to the ports required for FTP processes to work.

Chances are, though, that the same tech savvy employee who suggested FTP in the first place also knows how to bypass this restriction by finding different ports or switching to online FTP services. For determined FTPers, even our cell phones are equipped to send and receive files.

So, if it’s hard to stop it, the next best option is to educate your employees, and to develop and promote clear expectations and consequences regarding sending files and sensitive data from work. Many employees want to do the right thing, but don’t understand the implications of sending sensitive data through the easiest – though not necessarily the safest – means.

Another option that is rapidly growing in popularity is the implementation of a managed FTP solution that can be configured to allow users to send and receive large files  and sensitive information within their daily workflow, but with the addition of administrative control and much greater security.

A managed file transfer solution such as Linoma Software’s GoAnywhere Suite, in combination with setting up appropriate firewall rules and educating all employees of corporate policy and procedures,  will keep your employees – tech savvy or not – productive and happy, and give your IT department peace of mind knowing that the company data is secure.

Daniel Cheney

Daniel has been the IT Director at a healthcare company for the last 12 years and a longtime beneficiary of GoAnywhere Director and the IBM i platform. He is also a technical analyst and writer for various technical and social media projects with Humanized Communications.

More Posts - Website - Twitter - Facebook - LinkedIn - Google Plus - YouTube

Finding the Path to PCI DSS Compliance

Posted by on Wednesday, 28 March, 2012

PCI DSS Compliance with Managed File TransferIf you’re doing business and collecting payments via credit card, debit card, or other e-commerce options that allow you to store and/or transmit cardholder data, you are subject to PCI DSS compliance regulations.

In an attempt to reduce credit card fraud, the Payment Card Industry Security Standards Council developed an information security standard for those with access to consumers’ transactions and card numbers.  This standard continues to evolve, and is now labeled PCI DSS 2.0.  While the compliance verification process isn’t formal for all organizations, they all must meet the standard to manage liability in case of credit card fraud.

Linoma Software has published a new white paper entitled PCI DSS Compliance with Managed File Transfer that reviews the requirements for PCI DSS 2.0, and explains what role implementing a managed file transfer solution can have in meeting several aspects of the regulations, especially the protection of cardholder data. Download the white paper now, and review other resources available at GoAnywhereMFT.com.

Susan Baird

Susan is the Marketing Manager at Linoma Software, helping promote our secure file transfer and encryption solutions. Her specialty is content creation and social media marketing.

More Posts - Website - Twitter - Facebook - LinkedIn - Pinterest - Google Plus

Silence the Nagging By Securing Your Data

Posted by on Monday, 6 February, 2012

Compliance issues and the ever-growing list of compliance regulation acronyms (HIPAA, PCI, SOX, etc.) are persistently nagging IT folks who must meet tough mandates and overly complicated rules.

compliance, HIPAA, PCI DSS, data securityOf course, the real reason we must now pay so much attention to compliance is others’ irresponsible abuse. Somewhere along the data strewn path, a few malicious malcontents had to succumb to the voice of greed and abuse their technological skill sets.  All IT professionals’ jobs are tougher thanks to those that through hacking, sniffing, or lifting data sources chose to steal and sell inadequately secured information.

The truth is, though, that “data” really is sensitive information and we live in a paranoid modern world where dastardly damage is done with a just a little twist of the facts.  So in response to the cries of outrage among our citizens, politicians have wrung their bureaucratic hands and offered plenty of passing legislation designed to protect our data.

Because IT is responsible for the company’s data, we need to stay abreast of the laws that apply to it. We also need to to fully understand and implement the three types of data protection: physical, transitional, and procedural.

Physical

Physical protection is probably the easiest. We secure the data on our servers, backup tapes and offsite facilities with technologies such as passwords, drive encryption, backup encryption, data center surveillance, physical locks, etc. We spare no expense in securing the physical because we can see it and believe it is secured. Or so we think.

Transitional

Transitional protection is a little more difficult.  Any data files that leave our networks should be secured with managed FTP solutions that encrypt the files with SFTP, FTPS, HTTPS, PGP, and other protocols.  Firewalls are set up to control what can leave or enter our data domain. DMZ gateways are set up to increase the virtual protection of the data and still allow designated users access to it.

Procedural

Procedural security is a type of data protection that is least understood and implemented.  A clear and understandable security policy needs to be communicated to the end users so they become familiar with sensitive data is secured, and what consequences may loom if procedures aren’t followed.

The majority of us in IT are protective about who has access to our own sensitive data, so we can understand the reason for protecting everyone else, too.  Yes, it’s a lot of work, but it’s part of the new normal.

Daniel Cheney

Daniel has been the IT Director at a healthcare company for the last 12 years and a longtime beneficiary of GoAnywhere Director and the IBM i platform. He is also a technical analyst and writer for various technical and social media projects with Humanized Communications.

More Posts - Website - Twitter - Facebook - LinkedIn - Google Plus - YouTube