Linoma Software is hosting a FREE October Webinar Series on the advantages of securing your system-to-system and person-to-person file transfer processes. Please take a moment to register for one, or both, of these informative live presentations.
Get Your FTP Server in Compliance
Are you still running an outdated FTP server in your DMZ? Does your FTP server have the security controls and audit reporting needed to meet the latest PCI and HIPAA compliance requirements?
GoAnywhere goes beyond a typical FTP server by providing the enterprise-level features and security you need to get compliant.
FREE WEBINAR: Now Available On-Demand
We demonstrate GoAnywhere and how to:
3 Advantages of an On-premise Solution for File Sharing
Are you looking for a better solution than cloud-based file sharing services like Dropbox to transmit sensitive company data?
Put an end to employees using unsecure cloud-based file sharing services. Improve compliance and cut the risk of sensitive company data falling into the wrong hands.
FREE WEBINAR: Now Available On-Demand
We cover the three advantages of an on-premise product for Enterprise File Sync and Sharing (EFSS):
Join us for these complimentary webinars to get a valuable tour of GoAnywhere MFT. Linoma’s engineers will be on hand during the webinars to answer your technical questions.
Posts Tagged HIPAA
As healthcare information security requirements and penalties get tougher, a great deal of discussion is focused around how well the healthcare industry is securing patient data.
The general consensus is that the industry still has a long way to go. One of the industry’s publications, Healthcare InfoSecurity, released the results of the Healthcare Information Security Today survey sponsored by RSA which took an in-depth look at security and IT practices of senior executives in the healthcare industry.
The survey reviews many information security topics including:
- Impact of a data breach
- Security threats
- Compliance and steps to improve security
- Risk assessment
Some of the responses surprised us on how far healthcare companies need to go for proper HIPAA compliance. Take a look at these statistics:
- 55% of respondents were not confident in their organization’s ability to comply with HIPAA and HITECH Act regulations concerning privacy and security (grading themselves adequate or less).
- 66% responded that their organization’s ability to counter internal information security threats was adequate or less.
- Only 47% of survey participants utilize encryption for information accessible via a virtual private network or portal.
- 32% of respondents have not conducted a detailed information technology security risk assessment/analysis within the past year, with 47% updating their risk assessment only periodically.
The good news is that the survey shows that healthcare organizations are taking steps in the right direction to improve their security practices.
- 37% of organizations’ budgets for information security are scheduled to increase over the next year.
- 40% of respondents plan to implement an audit tool or a log management solution within the next year.
When asked what their organization’s top three information security priorities are for the coming year, the top responses included:
- Improving regulatory compliance efforts
- Improving security awareness/education
- Preventing and detecting breaches
Healthcare IT teams will need updated security policies, comprehensive training for employees, and reliable tools and solutions that can deliver functionality, ease of use, audit reporting, and efficient workflows that protect the security of confidential data at rest and in motion.
The pressure is growing, compliance audits are looming, and tackling these issues is just part of the evolution of the healthcare industry.
Yet another layer of regulation has been added to the Health Insurance Portability and Accountability Act (HIPAA) that offers even greater protection for healthcare patients’ privacy, while also defining new rights regarding how they can access their health records.
The biggest change is the expansion of HIPAA compliance requirements to include trading partners and third parties who also handle patient data, such as billing companies, contractors, and more. The U.S. Department of Health and Human Services (HHS) reports that these third parties have been responsible for several significant data breaches, which is one reason the responsibility for compliance has been extended to this group.
Penalties for violating HIPAA compliance rules will be assessed based on the determined level of negligence, and can go as high as $1.5 million per incident.
Other issues addressed with the latest additions to the HIPAA regulations include more clarity in defining which types of breaches need to be reported, as well as how patients will be allowed to access and interact with their health records electronically.
If you’re concerned about whether your FTP server meets compliance regulations, join us for a webinar on Thursday, Jan. 31 at Noon Central entitled “Get Your FTP Server in Compliance!” You can learn more about the agenda for this webinar here.
For more information about the new HIPAA rules, check out the press release from HHS.
Stories of data breaches across all industries continue to make the news, and nowhere is the pressure greater to keep data safe than on healthcare IT managers.
Healthcare IT News states that health data breaches increased by 97% in 2011. The 2012 Data Breach Investigations Report from Verizon’s RISK team confirmed that over 174 million records were reported as compromised, mostly as the result of hackers accessing the data. According to the Identity Theft Resource Center 2011 Breach Stats Report, 20% of all data breaches in 2011 were in the healthcare industry.
What is most startling about this report is that, according to the RISK study, 97% of these cases could have been avoided through simple or intermediate security controls. The graphic (see right) is one of the many included in Verizon’s study.
Because corporate databases and web servers are the most common places where data is compromised, hackers who gain access to these vulnerable systems mine them for private information such as Social Security numbers, birthdates and credit card information.
Studies like these underscore the importance of establishing network security perimeters and implementing procedures that protect the privacy of patients’ information residing on these servers.
IT managers must be vigilant to combat hackers’ ever more sophisticated tools and methods, and that begins with better security procedures at the office.
Security Policy and Procedures Document
The first step in ramping up security is to write and formalize a security policy and procedures document that addresses best practice protocols and that encompasses applicable HIPAA and HITECH regulations.
Next, all employees must be trained and expectations for compliance made clear, because it takes a concerted effort on everyone’s part to ensure the required protections are implemented consistently.
Secure Data Files In Motion
One of the more popular ways for hackers to capture sensitive data is via the movement of files and documents across the Internet. In an earlier blog post, we talked about how standard FTP is commonly used to send files. However, FTP sends the files in unencrypted form, and offers no protection for the server’s login credentials. Once those credentials are captured, hackers can use them to access the FTP server to mine additional data files.
While managing the security of all of the files in the office may seem overwhelming, Managed File Transfer solutions can simplify this task. Used in conjunction with a reverse proxy gateway, an MFT solution forms a much stronger security perimeter around the network, the servers and the sensitive data that need protection.
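The post above makes the point that plain FTP exposes both the login credentials and the file contents on the wire, while a compliant transfer needs encryption and audit reporting. The following added example (not from the original post and not GoAnywhere code) shows what that audit looks like in practice: it walks an FTP server's command log and flags every session that logged in or moved a file before TLS was negotiated. The log format is an assumption: one line per event, `<session-id> C <command>` for a client command and `<session-id> S <reply>` for the server reply, with the password already masked by the server as `(hidden)`. Explicit FTPS is recognised by `AUTH TLS` answered with reply code 234, and an encrypted data channel by `PROT P` answered with 200; implicit FTPS on port 990 never appears in such a log and is out of scope.

```python
"""Audit an FTP server command log for logins and transfers that crossed the
wire unencrypted (added example, not the original post's or GoAnywhere's code).
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample log: s1 is plain FTP, s2 is FTPS with a protected data
# channel, s3 is FTPS that dropped back to a cleartext data channel (PROT C).
SAMPLE_LOG = """\
s1 S 220 FTP server ready
s1 C USER billing_partner
s1 S 331 Password required
s1 C PASS (hidden)
s1 S 230 Login successful
s1 C RETR claims_2012-03.csv
s1 S 226 Transfer complete
s2 S 220 FTP server ready
s2 C AUTH TLS
s2 S 234 Proceed with negotiation
s2 C PBSZ 0
s2 S 200 PBSZ set to 0
s2 C PROT P
s2 S 200 Protection level set to P
s2 C USER clinic_a
s2 S 331 Password required
s2 C PASS (hidden)
s2 S 230 Login successful
s2 C STOR remittance.edi
s2 S 226 Transfer complete
s3 S 220 FTP server ready
s3 C AUTH TLS
s3 S 234 Proceed with negotiation
s3 C USER lab_b
s3 S 331 Password required
s3 C PASS (hidden)
s3 S 230 Login successful
s3 C PROT C
s3 S 200 Protection level set to C
s3 C RETR results.hl7
s3 S 226 Transfer complete
"""

# Assumed log layout: "<session-id> <C|S> <text>".
LINE_RE = re.compile(r"^(?P<sess>\S+) (?P<dir>[CS]) (?P<text>.*)$")
# Commands that open a data connection and therefore carry file contents.
DATA_VERBS = {"RETR", "STOR", "APPE", "LIST", "NLST", "MLSD"}


@dataclass
class Session:
    tls: bool = False              # AUTH TLS/SSL accepted: control channel encrypted
    prot_p: bool = False           # PROT P accepted: data connections encrypted
    pending: Optional[str] = None  # last client command, awaiting the server reply
    user: str = "?"


def audit_ftp_log(log_text: str) -> List[Dict[str, str]]:
    """Return one finding per credential exchange or file that went over cleartext."""
    sessions: Dict[str, Session] = {}
    findings: List[Dict[str, str]] = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # not an event line; skip rather than guess
        s = sessions.setdefault(m["sess"], Session())
        if m["dir"] == "C":
            verb, _, arg = m["text"].partition(" ")
            verb = verb.upper()
            s.pending = f"{verb} {arg.upper()}".strip()
            if verb == "USER":
                s.user = arg
            if verb in ("USER", "PASS") and not s.tls:
                findings.append({"session": m["sess"], "user": s.user,
                                 "issue": "cleartext-login", "detail": verb})
            elif verb in DATA_VERBS and not s.prot_p:
                findings.append({"session": m["sess"], "user": s.user,
                                 "issue": "cleartext-data", "detail": arg or verb})
        else:
            code = m["text"][:3]
            # Only a positive reply to the negotiation command changes state.
            if s.pending in ("AUTH TLS", "AUTH SSL") and code == "234":
                s.tls = True
            elif s.pending == "PROT P" and code == "200":
                s.prot_p = True
            s.pending = None
    return findings


if __name__ == "__main__":
    for f in audit_ftp_log(SAMPLE_LOG):
        print(f"{f['session']} user={f['user']} {f['issue']}: {f['detail']}")
```

Session s1 produces three findings (USER and PASS sent in the clear, then a cleartext download), s2 produces none, and s3 shows the case a checklist tends to miss: the login was protected but the file itself still travelled unencrypted because the client asked for `PROT C`. Reviewing such findings per trading partner is one concrete way to answer the "is our FTP server compliant?" question the webinar poses.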
HITECH laws were enacted to up the ante on healthcare organizations to meet HIPAA legal compliance for data security and privacy, which, of course, puts an additional burden on IT to make sure all bases are covered. But regardless of the rigors of enacted laws, compliance doesn’t happen overnight. It takes diligence and continued effort to understand and address all necessary requirements. To avoid breaking HIPAA and HITECH laws, losing the confidence of patients and partners, and incurring hefty penalties, a focused, deliberate, measured plan is essential.
In addition to becoming familiar with HIPAA and HITECH regulations (a good place to start is the HHS.gov website), it’s critical to meet with your security and management team and make decisions as to how your organization can best protect sensitive healthcare information. One of the first places to start this process is to fully document your department’s own security policy and procedures. This provides the foundation from which to train internal users in understanding and complying with the HIPAA and HITECH rules. In fact, having a security policies and procedures document is a requirement by HIPAA and HITECH.
If you don’t currently have your security policies and procedures documented, one option for finding a good template is to Google the term, “IT Security Policies and Procedures.” You will find free downloadable templates that give you a basic outline to follow.
If you already have this document in place, keep in mind it needs to be treated as a living document, to be changed and updated often as circumstances and requirements change. Make a point to do a yearly, if not a bi-yearly, review.
Of course, documentation of security policies is only a start. You need to procure and implement proven security tools across your enterprise to protect your data — whether the data resides on a server or is being transmitted across a network or the Internet. A less-than exhaustive list of necessary IT security tools for ensuring compliance:
- Firewall – This security measure prevents intrusion into the private network from unauthorized outside viewers.
- Email encryption – To meet privacy requirements, email communications that contain private data must be encrypted.
- Malware protection – This step keeps spyware/malware from infecting PCs and servers containing private data.
- FTP communications – Managed file transfer solutions are designed specifically to provide encryption, logging and automation tools that make sure the sensitive data is secured and tracked while in motion, while reducing the time needed to manage all incoming and outgoing transactions.
- Backup protection – Backup files and tapes need to be encrypted and otherwise secured to make sure sensitive data can’t fall into the wrong hands.
- Data shielding – Sensitive fields need to be encrypted or hidden to ensure that they can’t be viewed or extracted by unauthorized viewers. A good data encryption product can also encrypt data on backup tapes as well as sensitive data that might be shown in on-screen applications.
- Physical facility protection – Server rooms, fax/copy/printer rooms, workstations all must be considered when protecting sensitive data that is printed on paper or residing on servers or PCs.
- Telephone and online communications – Anyone involved in telephone, online chat or discussion groups needs to be trained to be sensitive to privacy regulations and exposing sensitive information.
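The "data shielding" item above says sensitive fields must be encrypted or hidden before they reach a screen, a printout or a log. The following added example (not from the original post and not GoAnywhere code) demonstrates the "hidden" half of that for a patient record: it masks Social Security numbers, birthdates, card numbers and names for display, and also scans free-text fields so a card number or SSN that an operator typed into a notes field is still caught. The record layout (a flat dict with the field names shown) and the sample values are constructed; card numbers are confirmed with the Luhn check before masking so an ordinary long number is left alone. Masking is a display and logging control only; the stored data still needs encryption at rest.

```python
"""Shield sensitive fields in a patient record before display or logging
(added example, not the original post's or GoAnywhere's code).
"""
import re
from typing import Any, Dict

# Constructed sample record; the field names are an assumption of this example.
PATIENT = {
    "mrn": "MRN-000123",
    "name": "Jane Q. Sample",
    "ssn": "123-45-6789",
    "dob": "1975-04-12",
    "card_number": "4111 1111 1111 1111",
    "notes": "Pt called re: billing; gave card 5500 0000 0000 0004 and SSN 987654321",
}

SSN_RE = re.compile(r"\b(\d{3})-?(\d{2})-?(\d{4})\b")          # 123-45-6789 or 123456789
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")               # 13-19 digits, spaces/dashes allowed
DATE_RE = re.compile(r"\b(\d{4})-(\d{2})-(\d{2})\b")            # ISO date, e.g. a date of birth


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers; rejects most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_ssn(text: str) -> str:
    return SSN_RE.sub(lambda m: "***-**-" + m.group(3), text)


def mask_cards(text: str) -> str:
    def repl(m: "re.Match[str]") -> str:
        digits = re.sub(r"\D", "", m.group(0))
        if not luhn_ok(digits):
            return m.group(0)  # long number but not a card; leave it untouched
        return "*" * (len(digits) - 4) + digits[-4:]
    return CARD_RE.sub(repl, text)


def mask_dob(text: str) -> str:
    return DATE_RE.sub(lambda m: m.group(1) + "-**-**", text)


def mask_name(text: str) -> str:
    return " ".join(w[0] + "*" * (len(w) - 1) if len(w) > 2 else w for w in text.split())


def shield_text(text: str) -> str:
    """Scan any free text for misfiled identifiers; cards first so the longer match wins."""
    return mask_dob(mask_ssn(mask_cards(text)))


# Field-specific policy; every string field is additionally scanned by shield_text.
FIELD_MASKS = {"ssn": mask_ssn, "dob": mask_dob, "card_number": mask_cards, "name": mask_name}


def shield_record(record: Dict[str, Any]) -> Dict[str, Any]:
    """Return a display-safe copy of the record; the original is left unchanged."""
    safe: Dict[str, Any] = {}
    for key, value in record.items():
        if not isinstance(value, str):
            safe[key] = value
            continue
        value = FIELD_MASKS.get(key, lambda v: v)(value)
        safe[key] = shield_text(value)
    return safe


if __name__ == "__main__":
    for k, v in shield_record(PATIENT).items():
        print(f"{k:12} {v}")
```

The order inside `shield_text` matters: card numbers are masked before SSNs so that a 16-digit card is not partly consumed by the shorter SSN pattern, and the Luhn check keeps the card rule from blanking out order numbers or other long identifiers. The same `shield_record` function can sit in front of a screen renderer and a log writer, so the two paths that most often leak identifiers apply one policy.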
As you can see, there are several aspects of compliance to HITECH and other laws that need to be considered and addressed. Healthcare professionals and organizations need to take their patients’ privacy seriously, whether in the hospital, physician office or in electronic format on servers and digital communications with others.