Tag Archive for HIPAA

Are Firms Ignorant About BYOD Issues?

Enterprises are ignoring the issues BYOD is causing their business, says backup vendor Acronis. James Rawbone, Senior Partner Account Manager EMEA, Enterprise Mobility Solutions at Acronis, shared his opinions with Desire Athow at ITProPortal on why and how enterprises are ignoring BYOD issues.

The Acronis 2013 Global Data Protection Trend Report, developed by the Ponemon Institute, identified five surprising BYOD trends:

1. There are big gaps in secure BYOD policies across organizations. The Acronis survey found that 60% of businesses have no personal device policy in place, and of those with policies, 24% make exceptions for executives, who are most likely handling the most sensitive corporate data. As a result, these organizations are increasingly vulnerable to data loss and serious compliance issues.

2. Simple security precautions are not being adopted. The survey found only 31% of companies mandate a device password or key lock on personal devices, and only 21% do remote device wipes when employees leave the company, drastically increasing the risk of data leakage.

3. Businesses underestimate the dangers of public clouds. The researchers report that corporate files are commonly shared through third-party cloud storage solutions such as DropBox, but 67% of organizations don’t have a policy in place around public clouds and 80% haven’t trained employees in the correct use of these platforms.

4. The growth of Apple (AAPL) devices is complicating BYOD security for administrators. 65% of organizations will support Macs in the next year, and 57% feel compatibility and interoperability are still big obstacles to getting Macs compliant with their IT infrastructure. This puts data stored and shared across the corporate network and on Apple devices at risk.

5. Some organizations are ignoring the benefits of mobile collaboration altogether. More than 30% surveyed actually forbid personal devices from accessing the network.

Mr. Rawbone sees two reasons organizations are not educating or training their employees on the risks of BYOD. The first is time and money. Most companies have tight budgets across the board, in particular within their IT department and their overall staffing. The second excuse for not training staff is that companies are unaware that their staff are using these solutions, or they are turning a blind eye to the effect these issues have on their corporate data and overall IT infrastructure.

The Acronis Senior Partner told ITProPortal there are legal and compliance issues associated with BYOD, but generally BYOD can be adapted to each compliance regulation and rule. The main concern with BYOD is data protection: ensuring that as employees bring devices to and from the workplace, confidential corporate data is adequately protected while remaining easily accessible. An important part of data protection, often not addressed by BYOD strategies, is ensuring that information and records comply with privacy laws like the Health Insurance Portability and Accountability Act (HIPAA) and Sarbanes-Oxley (SOX), as well as specific industry and regional privacy regulations.

Mr. Rawbone concludes by reminding the author that the important thing every business needs to remember is that a mobile device can be replaced for a small cost compared with having confidential data stolen and misused.

Companies need to embrace technological evolution and look at the business benefits of BYOD. Otherwise, he claims, they will face serious network and data issues and, worst of all, potentially legal problems in the near future.

Creating a mobile device security policy doesn’t have to be complicated, but it needs to encompass devices, data, and files. The article lists a number of simple things organizations should do, like requiring users to key-lock their devices with password protection. 68% of those surveyed use VPN or secure gateway connections across networks and systems, and 52% use Microsoft (MSFT) Active Directory and/or LDAP. The simplest place to start is device key-lock and password protection.


Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedIn, Facebook, and Twitter. Email the Bach Seat here.

10 Policies to Minimize BYOD Risk

The challenge for employers offering BYOD, according to schnaderworks, a labor and employment blog from Schnader Harrison Segal & Lewis LLP, is finding the right cost/benefit balance for their businesses. In developing an effective “bring your own device” (BYOD) policy, employers must first identify which employees will be eligible for the program, according to the blog.

Once the basic parameters are set, the lawyers stress that a written policy is essential to set up ground rules and permit enforcement to protect the company’s data and other interests. They suggest the following steps are key to establishing an effective BYOD policy:

1. Establish a Mandatory Authorization Process: The lawyers say this should be completed before an employee can use company data and systems on a personal mobile device.

2. Require Password Protection: Each authorized device should have the same password protection as an employer-issued device. According to the article, such protections include limiting the number of password entry attempts, setting the device to time out after a period of inactivity, and requiring new passwords at regular intervals.

3. Clarify Data Ownership: A BYOD policy should specifically address who owns the data stored on the authorized device. It should be clear that company data belongs to the employer and that all company data will be remotely wiped from the device if the employee violates the BYOD policy, terminates employment, or switches to a new device. The policy should also alert employees that it is their responsibility to back up any personal data stored on the authorized device, states the article.

4. Control the Use of Risky Applications and Third Party Storage: Schnader Harrison Segal & Lewis recommends that employers may want to ban practices that present known data security risks, such as the use of “jailbroken” or “rooted” devices and cloud storage.

5. Limit Employee Privacy Expectations: The BYOD policy should clearly disclose the extent to which the employer will have access to an employee’s personal data stored on an authorized device and state whether such personal data is stored on the company’s backup systems. The article recommends minimizing the co-mingling of company and personal data. Employers may want to install software that permits the “segmenting” of authorized devices. However, no matter what measures the company takes to preserve employee privacy, the policy must emphasize that the company does not guarantee employee privacy if an employee opts in to the BYOD program.

6. Address Any Business-Specific Privacy Issues: Certain businesses are subject to legal requirements about the storage of private personal information (such as social security numbers, drivers’ license numbers, and credit and debit card numbers) which may need to be addressed in a BYOD policy. The blog points out that HIPAA requires native encryption on any device that holds data subject to the act. An employer may need to put in place processes prohibiting or limiting remote access for certain categories of sensitive data.

7. Consider Wage and Hour Issues: Permitting employees to use an authorized device for work purposes outside of the employee’s regular work hours may trigger wage and hour claims. The lawyers suggest the BYOD policy should set forth the employer’s expectations about after-hours use (such as a requirement that non-exempt employees must refrain from checking or responding to work emails, voice mail, and texts after hours) (rb- Yeah).

8. Ensure Compliance with Company Confidentiality Policies: The author says a BYOD policy should reiterate that an employee using an authorized device must comply with all company policies on confidentiality and the “acceptable use” of company information.

9. Spell Out Procedures in Case of Loss or Theft: The employer should set up a specific protocol to be followed in the event an authorized device is lost or stolen. The blog says the process should include the prompt reporting of a lost or stolen device and the remote wiping of the device.

10. Document Employee Consent: Finally, the law firm, in good lawyer form, suggests the employer should get an employee’s written consent to all terms and conditions of the BYOD policy.


Data Centers Expand in the D

Online Tech continues its data center build-out in the Metro Detroit area. The new data center, formerly a Sprint-Nextel facility, will expand Online Tech’s total Michigan footprint to 100,000 gross square feet. The firm’s $10M renovation of the Westland, MI site will create a 34,000 square foot facility with 18,000 square feet of raised floor space and a total IT load capacity of 1.2 MW. The Metro Detroit data center will feature fiber connectivity to eight different telecommunications providers. According to Whir, the firm will add 15 new jobs in the data center over the next five years to run the facility.

The firm operates three other Michigan data centers, two in Ann Arbor and one in Flint. The new facility will bring its total data center footprint to 100,000 square feet. It is the market leader in Metro Detroit, with the top market share in multi-tenant data center space in Michigan, according to 451 Research. Yan Ness, co-CEO of Online Tech, called the new data center a milestone for the firm:

“This new facility is a major milestone for Online Tech because it is our fourth data center and it brings us to an overall total of 100,000 square feet of gross data center space. This facility will allow us to serve the large Detroit market, where we see strong demand for the secure, compliant cloud and hosting services.”

Mike Klein, co-CEO of Online Tech, explained to Whir that the firm’s advantage is its focus on compliance:

“Our data centers deliver secure colocation and cloud hosting services to clients whose IT operations must comply with regulations like HIPAA, PCI, and Sarbanes-Oxley. Our data centers, including the new Metro Detroit Data Center, reflect our commitment to protecting our clients and their sensitive data.”

In anticipation of further growth, the firm expanded its Ann Arbor headquarters in September 2013 after doubling its employee count to nearly 50 over the past 18 months.

In October 2011 the company opened a 20,000 square foot data center with 10,000 square feet of raised floor in the Avis Farms complex, minutes away from Online Tech’s headquarters and original data center in Ann Arbor. The Tier 3 data center has fully redundant power and network infrastructure to maintain availability for its colocation, managed server, and cloud computing hosting business, according to reports.

Online Tech invested more than $1 million in upgrades and expansion to its Flint, MI data center during August 2011. The 2011 update brought 1 megawatt of power to the Flint data center floor. Whir says the Flint site was built in 1986 as a disaster recovery center for General Motors (GM). Online Tech took over the facility in 2005 with its acquisition of Gentech. Separated by more than 50 miles and sitting on a separate electrical grid, the Flint data center lets Online Tech offer clients both production and disaster recovery data centers in Michigan.

Online Tech has plans to grow beyond Metro Detroit. Co-CEO Ness told Whir:

“… our growth won’t stop there. We see similar opportunities for us in other markets in the Great Lakes region and the Midwest, and we expect to continue our growth strategy by expanding our portfolio of data centers into other cities in the near future.”


Need Cyber Insurance?

Standard business insurance does not cover data breaches or almost any other loss involving data. Standard insurance covers tangible losses and damage, and data isn’t tangible, says Network World. The ruling that data is not tangible goes back to a 2000 ruling by a U.S. District Court. The article explains the ruling arose from an Arizona case, American Guarantee & Liability Insurance Co. vs. Ingram Micro Inc. In that case, the court said that a computer outage caused by a power problem constituted physical damage within the meaning of the policy Ingram Micro had purchased from American Guarantee.

After that, the insurance firms changed their policies to state that data is not considered tangible property, Kevin Kalinich, national managing director for network risk at Aon Risk Solutions, told Network World. The upshot is that an enterprise needs special cyber insurance to cover data-related issues. The problem is that the field is new and there is no such thing as standard coverage with a standard price.

Larry Ponemon, chairman of the Ponemon Institute, told Network World that the resulting complexity is a major source of push-back by potential buyers. “The policies have limitations and constraints similar to home policies with act-of-God provisions, and that has created a lot of uncertainty about what is covered, and what the risks are.” Mr. Ponemon told the author, “Those who are nevertheless purchasing cyber insurance are typically very selective about what coverage they want.”

Network World describes the types of cyber coverage available:

Data breach coverage: This pays for expenses that result from a data breach. Covered expenses typically include notification of the victims, setting up a call center, credit monitoring and credit restoration services for the victims, and other crisis management services, Ken Goldstein, vice president at the Chubb Group, told Network World. “You might want to hire forensic experts, independent attorneys for guidance concerning the multiple state (data breach notification) laws, and public relations experts.”

Regulatory civil action coverage: Pays in cases where the insured is facing fines from a state attorney general after a data breach, or from the federal government after a violation of the Health Insurance Portability and Accountability Act (HIPAA) or similar regulations. Some policies only cover the cost of defending against the action, while others may pay the fine as well, says Steven Haase, head of INSUREtrust, an Atlanta-based specialty insurance provider.

Cyber extortion coverage: For cases where a hacker steals data from the policyholder and then tries to sell it back, or someone plants a logic bomb in the policyholder’s system and demands payment to disable it. Among other things, the policy should cover the cost of a negotiator and the cost of offering a reward leading to the arrest of the perpetrator, Chubb’s Goldstein says.

Virus liability: Pays in cases where the policyholder is sued by someone who claims to have gotten a virus from the policyholder’s system.

Content liability: Covers lawsuits filed by people angered over something posted on the policyholder’s Web site. Such coverage should also cover copyright claims and domain name disputes, INSUREtrust’s Haase told Network World.

Lost income coverage: Replaces revenue lost while the policyholder’s computer system or Web site is down. But Aon’s Kalinich notes that insurers often apply minimum downtimes of 12 or 24 hours, or require proof of actual losses: “They’ll say that, after all, the customers who did not get through (during the outage) could have come back later.”

Loss of data coverage: Pays for the cost of replacing the policyholder’s data in case of loss. “Backup policies are not always effective, and accidents and sabotage happen,” Mr. Haase says.

Errors and omissions coverage: Otherwise known as O&M policies, this type of coverage predates cyber insurance, but is increasingly added to cyber policies to cover alleged failures by the policyholder’s software, Haase says.

As for what coverage costs, Aon’s Kalinich told Network World that firms smaller than $100 million in annual revenue can expect to pay $5,000 to $15,000 per million of coverage, while larger firms would pay $10,000 to $25,000. For those over a billion, the price can be in the $20,000 to $50,000 range. Robert Parisi, senior vice president with Marsh, an insurance broker and risk advisory firm, put it more simply, saying the cost is between $7,000 and $35,000 per million. Of course, the lower ranges are for buyers who look like better risks, and deciding who is a better risk is another factor that makes cyber insurance a complex topic.

“You cannot get good insurance unless you have good security practices,” VP Kalinich says. “Due diligence underwriting has become more streamlined as the insurers have learned what to look for. They will typically benchmark you against other members of your industry.”

INSUREtrust’s Haase explained the cyber insurance purchase process to the author: “This is a complex purchase and you need a professional helping you. Most policies are highly customizable, and there are a lot of endorsements.” Typically the buyer goes to their local agent, and the local agent uses a specialist, Haase says. Both the local agent and the specialist get commissions ranging from 7.5% to 10%, so that 15% to 10% of the premium goes to commissions.

Finally, Toby Merrill, vice president of insurer Ace Professional Risk, cautions that cyber insurance buyers must understand that if they outsource their data handling, they are not at the same time outsourcing their liability if there is a data breach. The onus of the various breach notification laws is on the organization that gathered the data, not on the organization that was storing it when it was exposed, he notes.

“Cyber insurance is not there to replace sound risk management,” VP Merrill told Network World. “It is there to supplement it.”


Box Beefs Up Backbone for Business

Box continues its evolution from an idea (letting customers share, manage, and access their content from anywhere) to a cloud file-sharing and storage start-up to a business serving over 150,000 businesses, including 92 percent of the Fortune 500. DataCenter Knowledge reports that half of Box’s activity comes from outside the U.S. and 40% comes from mobile devices.

To support this growth, DCK says Box is touting Accelerator, its global data transfer network, as well as adding several key certifications in a bid to keep its global enterprise customer base happy. Further infrastructure expansion lies ahead. “We really think we’re solving a problem for an end-user,” said Jeff Queisser, VP of Technical Operations for Box. “But we’re also solving an IT concern; they can get all the auditing, compliance they need. This can be run in a very safe way.”

With over 150 percent growth last year, the company has had to tailor its service in the best ways possible to serve the enterprise crowd. The blog says 50 percent of Box activity is happening outside of the US, either from international firms or U.S. enterprises with a global presence. Mr. Queisser told DCK, “Speed is absolutely critical. If you have sites all around the world, you need blazing fast download speeds.”

This enterprise customer need was the impetus behind Box Accelerator. The company has established upload endpoints in key global data center hubs featuring end-to-end encryption. It has built patent-pending intelligent routing and optimization technology that delivers uploads 2.5 times faster on average, a network that helps get data into Box as fast as possible.

Box Global Data Transfer Network

Box Accelerator tweaks the TCP stack to get better performance, Mr. Queisser explained to DCK:

“(With) most consumer operating systems, networking stacks are not optimized … There’s the bandwidth delay problem. TCP is an amazing protocol, but wasn’t made for these types of distances and this kind of bandwidth. It’s a testament to how amazing the protocol is that it’s done what it’s done.”

The article says the biggest problem for Box is how to handle inbound traffic:

“What we’ve done is unique in that it’s optimizing inbound data … How do you ingest 100MB rather than send it out? The other piece is that we built these nodes, and a routing feedback loop technology. It determines the fastest way to get to Box. Sometimes it’s an accelerator node, but there are times when direct is the fastest path.”

Accelerator started off small but has added nine new points of infrastructure. It’s a small footprint that provides a big performance boost. The goal is to have cloud-based endpoints in all regions. The article claims that Neustar conducted a performance analysis test and found that “Box had the lowest average upload time across all locations, about 66% faster than the closest competitor.”

The company is also planning to apply this technology to file downloads. Accelerator has added speed to enterprise uploads, but the company told DCK it is looking to speed up downloads in a similar fashion. “We need to do that in a way where it’s encrypted and it isn’t cached,” said Mr. Queisser.

In terms of certifications, Box has recently added ISO 27001 and support for HIPAA. ISO 27001 is the international standard for information security management systems (ISMS), and certification demonstrates how the policies and controls put in place at Box protect user data.

rb-

Better performance and security are great things from a cloud vendor. But what impact is the NSA spying scandal going to have on the cloud storage business model? There could be repercussions if vendors don’t cooperate.

What do you think? Is the Box network ready for the enterprise?
