Converge conference in Detroit: Before finding data breach solution, be sure your business is ready to receive it

More from the Converge information security conference in Detroit, this time recapping Enterprise Security Back to Basics presented by Joel Cardella, the director of information security, IT security, governance, risk and compliance at Holcim US.

(Also see a recap of Thursday’s The Challenge of Natural Security Systems.)

Why this back to basics talk? Cardella feels we’re being beguiled by all these large breaches that push people to a solution they aren’t yet ready to receive. He holds that the importance of this talk is getting organizations mature enough to be ready to buy what vendors are selling. It’s about asking if your company is sure you need what is being offered.

The goal for security is to move from the normally reactive InfoSec environment to a proactive one. Each single record lost in a data breach is worth $145. That’s up 15% this year from last year. When breaches affect thousands, or even millions, of records the cost is incredible.

Cardella defines risk as:

Threats x Vulnerabilities x Time = Risk

Threats are not something we can control. Vulnerabilities are things we can control and influence, both directly and indirectly. Time is also in our control. Taking care of something quickly can help drive the risk down. The point: Do what you can to secure your company as quickly as possible to immediately lower risk within your organization.

His basics:

  • Security requires resources; you must invest in order to get a return.
  • Act/think like an adversary.
  • Find and understand what’s happening in your network. Find your baselines.
  • Document everything. Especially if you deal with audits, you want to have everything written down.
  • Make a plan. Write that plan down. Even if it’s simple, write it down, and then flesh it out over time.
  • Keep your scope small.
  • Go back and do it all again. Verify, and find the things you missed.

Cardella says that in IT, it’s important to understand your business, and how the IT infrastructure supports that business. Knowing how your business uses the infrastructure means you can create and change it to be more effective and secure in the future.

Another really important basic is network segmentation. Not allowing systems to talk to each other across network sections means that an attacker who has access to one section cannot use it to break into another. He admits that this takes a lot of time, and it’s important to seek out an expert who can help with firewall implementation. You also need to test to be sure that your network is actually segmented, not just that it should be.
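One way to make the “test that it is actually segmented” step concrete is to compare a written zone-to-zone policy against the results of connectivity probes, so that both segmentation gaps and broken business paths show up. This Python checker is an added example, not code from the talk or from Holcim; the zone subnets, the policy, the probe results and the helper names are constructed for illustration.

```python
"""Segmentation verification: written policy vs. observed connectivity.

Added example, not from the talk. Zones, policy and probe results are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
import socket

# Constructed zone map: which subnet belongs to which segment.
ZONES = {
    "corp": ip_network("10.10.0.0/16"),
    "pci": ip_network("10.20.0.0/24"),
    "dmz": ip_network("192.168.100.0/24"),
}

# Constructed policy: the ONLY cross-zone flows that should succeed,
# expressed as (source zone, destination zone, TCP port).
ALLOWED = {
    ("corp", "dmz", 443),
    ("dmz", "pci", 8443),
}


@dataclass(frozen=True)
class Probe:
    src: str          # address the connect attempt was made from
    dst: str          # address it was made to
    port: int         # destination TCP port
    connected: bool   # True if the TCP handshake completed


def zone_of(addr: str) -> str:
    """Map an address to its zone name, or 'unknown' if it is in no zone."""
    ip = ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "unknown"


def tcp_probe(src: str, dst: str, port: int, timeout: float = 2.0) -> Probe:
    """Live connect attempt (run from a host inside the source zone).
    Not used by the constructed sample below; shown for completeness."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        ok = s.connect_ex((dst, port)) == 0
    return Probe(src, dst, port, ok)


def evaluate(probes):
    """Return (gaps, breaks).

    gaps:   probes that connected although the policy forbids the flow
            (the segmentation is not what the design says it is).
    breaks: cross-zone probes the policy allows but that failed
            (a firewall change has broken a required business path).
    Traffic inside a single zone is treated as permitted.
    """
    gaps, breaks = [], []
    for p in probes:
        src_zone, dst_zone = zone_of(p.src), zone_of(p.dst)
        same_zone = src_zone == dst_zone and src_zone != "unknown"
        permitted = same_zone or (src_zone, dst_zone, p.port) in ALLOWED
        if p.connected and not permitted:
            gaps.append(p)
        elif not p.connected and permitted and not same_zone:
            breaks.append(p)
    return gaps, breaks


def report(probes):
    """Human-readable lines for an audit record of the test run."""
    gaps, breaks = evaluate(probes)
    lines = [f"GAP   {zone_of(p.src)}->{zone_of(p.dst)} {p.src}->{p.dst}:{p.port} reachable"
             for p in gaps]
    lines += [f"BREAK {zone_of(p.src)}->{zone_of(p.dst)} {p.src}->{p.dst}:{p.port} blocked"
              for p in breaks]
    return lines or ["OK    observed connectivity matches policy"]


# Constructed probe results, as a connectivity test from each zone might record them.
SAMPLE_PROBES = [
    Probe("10.10.5.4", "192.168.100.10", 443, True),      # corp->dmz 443: allowed, fine
    Probe("10.10.5.4", "10.20.0.15", 1433, True),         # corp->pci 1433: a gap
    Probe("192.168.100.10", "10.20.0.15", 8443, False),   # dmz->pci 8443: a break
    Probe("10.20.0.15", "10.10.5.4", 445, False),         # pci->corp 445: blocked, fine
]

if __name__ == "__main__":
    for line in report(SAMPLE_PROBES):
        print(line)
```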

Managing the accounts that are on your systems is incredibly important, and goes back to understanding how your company works and who needs what access. Restrict employee and vendor access to a need-to-know basis. Set up a classification scheme to determine the sensitivity of data, and thus what access certain users need in order to reach the information they require.

At the end of the day, Cardella explains that there is no magic bullet. InfoSec is multi-layered and multi-disciplinary. It costs time, money and resources. Focus on the implementation, not just the technology – that’s where much of the problem is.

Humans are the weakest link, so you can’t take for granted that a great technology is implemented correctly. Always ask “Are you sure?”, and prove that you’re secure through trials, testing, changing and repeating.


Want a good job? Study computer or information science

Momma, don’t let your babies grow up to be cowboys. Don’t let ‘em pick guitars and drive them old trucks. Make ‘em be software engineers and network systems analysts and such.

With apologies to Waylon Jennings, it’s true that a recent study by the US Education Department found that more than 95 percent of computer and information science students were employed full-time four years after graduation. Engineering graduates had similar success.

The findings are based on a survey of 17,110 students conducted in 2012, about four years after the students obtained their bachelor’s degrees.

And there’s this: Just 16 percent of the students had STEM (science, technology, engineering, math) degrees, but those who did were paid significantly better than their counterparts.

Speaking of tech jobs, Online Tech is currently looking for senior sales engineers and a data center facilities engineer. Check out our careers page for details.

Associated Press: Survey finds math, science grads earn top dollar


Converge conference in Detroit: InfoSec organizations must learn, modify and adapt like organisms

Today is Day 2 of the Converge information security conference at Detroit’s Cobo Center, and it promises to be full of significant insights into IT security within organizations.

Here’s a recap of one of Thursday’s sessions, The Challenge of Natural Security Systems, presented by Rockie Brockaway, the security practice director at Black Box:

Brockaway started with a really important point: Information security is currently viewed as a tactical response within companies, when it should be treated as a function of the business. InfoSec’s role is to prevent the loss of business-critical data, promote innovation within other parts of the company and protect the brand. One of the biggest hurdles in InfoSec, Brockaway explains, is understanding what a company’s critical data is, and where it’s stored. Without that information, there’s no way to fully protect it and vulnerabilities will be created.

Another issue within enterprise InfoSec is the obsession with static models like walls. If a security measure is put into place without learning, modifying and adapting from new information, it will eventually be circumvented and will become useless.

So what should companies do to become more adaptive? Brockaway looks at businesses as similar to animals, with small systems making up a larger organism. Using the characteristics of adaptable organisms, he identified traits that help in the business sense.

First, he says, learn from your successes. There is value in understanding mistakes, but analyzing what is working helps give more information about attacks. The next is setting up a company in a semi-autonomous fashion, with little central control. One of the biggest issues with centrality is the issue of a single point of failure. Redundancy is key to the survival of a system, and with no redundancy, one issue could be devastating.

Another trait Brockaway mentions is the ability to use information to mitigate uncertainty. An animal survives by evaluating its surroundings and being aware of potential danger. Understanding a corporate IT environment and continuing to assess the surroundings means being able to see when things are out of the ordinary, and fixing potential vulnerabilities.

Lastly, Brockaway states that in order to be adaptable, organisms have many symbiotic relationships with other organisms. He translates this to having relationships with solution providers that can help open up a company to mutual benefits and stronger security.

There’s more to come about information security, so stay tuned! The Converge conference concludes today and it is followed Saturday by BSides Detroit.


Online Tech opens its doors to fast-growing tech hub of Metro Detroit

The Metro Detroit area has been one of the country’s fastest-growing technology hubs for years, topping that list in 2012 and placing fifth in 2013.

In its 2014 Technology Industry report, Automation Alley says the automotive capital of the world has “quietly become a leader among the nation’s technology economies,” the largest tech hub in the Midwest with a growth rate significantly higher than more traditional technology regions like Silicon Valley.

Online Tech’s Metro Detroit data center.

“Everyone in Michigan knows the exciting story that is emerging, but Detroit has been under the radar nationally,” Online Tech co-CEO Mike Klein said in a press release announcing the company’s new Metro Detroit data center will officially open on August 1. “With smart people like Dan Gilbert making major investments in a wide range of local technology businesses, there is now a vibrant community of startups in Detroit that rivals anywhere in the country.”

As the installation of Henry Ford’s first moving assembly line transformed Detroit’s industrial past, world-class data centers will provide the infrastructure necessary to make today’s Motor City more productive and profitable, and also prepare the burgeoning tech scene for the next several decades.

More than a year ago, Online Tech co-CEO addressed this topic in a video entitled Data Centers Come to Town:

“You can’t have a really successful community with lots of high tech activity if there’s not a single intellectual property lawyer in town or a single accountant that knows how to do depreciation for software. Companies end up leaving those areas because they can’t get important help,” he said. “(Similarly, data centers) are seen as an important piece of the infrastructure. You can’t be a technology corridor if you don’t have at least one or two data center providers.”

Note: Tours of Online Tech’s new Metro Detroit data center are available upon request.


Americans agree government must do more to protect data, but can the government act?

The National Consumer League released a study last week based on surveys from identity fraud victims across the United States. It claims that just 28 percent of victims think the government’s requirements for protecting healthcare and financial data are sufficient.

“In this polarized political climate, it’s rare for Americans to express such agreement on any issue,” Al Pascual, a senior analyst at Javelin Strategy & Research, said in a press release. Javelin was a partner in the study. “But when it comes to the security of their personally identifiable information, the respondents said with one voice that the government must do more.”

With that kind of support, government action is assured. Right? Well, not so fast.

Let’s back up a few weeks to a significant political occurrence: Eric Cantor, the Majority Leader in the House, losing his Virginia primary to Dave Brat. In the words of political pundits – which we certainly do not claim to be – voting the No. 2-ranking Republican out of office is a sign of continued political gridlock. (Just Google ‘Cantor loss gridlock’ and read the multitude of headlines.)

So what’s the tie-in to data breaches? An article by Eric Chabrow on titled Cantor’s Defeat: Impact on Breach Law.

Chabrow, the executive director of and, had this to say about the election result:

The rout of the No. 2 Republican in the House – Cantor lost by 11 percentage points – makes other lawmakers timid to act on nearly any bipartisan bill, even on what many would consider common-sense legislation. It’s a toxic atmosphere in Congress, which explains why a data breach notification measure and other cybersecurity reforms can’t get passed and sent to the Oval Office for President Obama’s signature. The current Congress is on the way to enact fewer laws than any since the 1940s.

Another obstacle: Getting lawmakers to agree on the bill’s language. There may be widespread agreement on a need for a national data breach notification law, but not necessarily on its provisions. Plus, business lobbyists likely will try to water down data breach legislation provisions to make them less onerous, and in turn help businesses save money. If those lobbyists succeed, support among consumer advocates in Congress for a national law could evaporate.

So if there’s little hope for a national law any time soon, at least state governments are taking action.

Just last month, Kentucky became the latest state to enact a data breach notification law that requires companies to provide notice to Kentucky citizens when a security breach involving personal data occurs. That leaves Alabama, New Mexico and South Dakota as the only states without notification laws. (The District of Columbia, Guam, Puerto Rico and the Virgin Islands are also on board).

Elsewhere, states that already had security breach notification laws are getting tougher. On July 1, a new Information Security Act took effect in Florida that repeals the state’s previous data breach notification law and increases companies’ reporting obligations and liability in the event of a data security breach. (Notably, Florida has more identity theft complaints per capita than any other state in the nation.)

But back to Chabrow, who argues that different rules in different states aren’t the best solution.

… States, for instance, differ on the amount of days before organizations notify consumers their accounts might have been breached. Different rules for different states make it tough for businesses operating nationally because they must adhere to 47 different state statutes.

“The nuances of breach notification laws across the country … further complicate responding to multi-state breaches,” says Joseph Lazzarotti, who heads the privacy, social media and information management practice at the Jackson Lewis law firm in Morristown, N.J. “Companies have to exercise care when determining whether a particular incident constitutes a breach, and to whom notice must be provided.”

Creating uniform national requirements for data breach notification through federal legislation would seem to be a no brainer that business would back. In fact, lawmakers have introduced nine bills in this Congress that address data breach notification, according to a congressional database. But don’t count on Congress to pass any of them. Cantor’s defeat for the Republican nomination for the House seat in his Richmond, Va.-area district exacerbates the situation.

New Javelin Strategy & Research/National Consumers League study: Consumers losing trust in businesses, expect government action on fraud and data breach

Cantor’s defeat: Impact on breach law

Florida overhauls data breach notification law

Commonwealth of Kentucky enacts data breach notification law

Don’t Strand your Data (Stranded Backups)

Co-CEO, Online Tech

As a sailor, the notion of being stranded is really, really scary. As remote as the possibility (and location) may be, you have to develop a contingency plan for the rare event that you might find yourself in that predicament. The plan has to contemplate extreme isolation for long periods of time and/or risky transit back to society. But the plans can be so onerous to imagine, you put it away once they are developed and don’t bother to remind yourself of them, except to know they are there. Then, if the unexpected happens, you pull out your backup plan. If done right, it can save your life. It’s why sailors say every trip should be two way, there AND back (unless you go all the way around).

Your data’s life is much like that sailor. Your data needs to be backed up from a production environment AND it needs to be able to get back to a production environment in the case of disaster. But most offsite backup solutions leave your data in isolated locations with many barriers creating risky or unreliable transit back to your production environment. That sounds like a stranded backup plan to this sailor.

Traditional Backup-as-a-Service providers back up data from your server or laptop to an undisclosed data center or storage location. Most often, you don’t know the physical location where your backup data resides. If you have no idea where your data lives, how would you know if it was in the path of a pending hurricane or tornado? How could you prepare or react in advance? If you don’t know the physical location of your backup data, you might as well consider it stranded.

Let’s say that you DO know where your data lives, and you have significant volumes of mission-critical data. How do you get all of that data back to a ready-to-go production environment so you can restore normal operations before the health of your business systems is severely compromised?

One class of backup solutions includes cloud-backup providers like Mozy, Carbonite, Druva, VaultLogix etc. There are hundreds of companies that allow you to replicate data from your servers (or laptops etc.) to their storage environment. While this provides “point-and-click” backup, I’ve always been struck by what you must go through if you actually experience data loss and have to recover your backup data. Consider the following scenario.

Let’s say you have 500 GB of data from 4 servers backed up at a backup service provider. Your recovery begins with a search for servers, network, and other infrastructure to which you can restore your data. That can be very time consuming if you haven’t invested in redundant infrastructure and already have it standing by. Whether you are buying it after experiencing a disaster and need everything expedited, or purchasing it in advance, it will be expensive. Next, you have to get the data from that backup silo, wherever that is, and onto that new infrastructure, wherever that is. If you have funded redundant equipment, housed somewhere, in various states of readiness to power up, you have a backup service that has your data and, separately, an infrastructure stack sitting somewhere to take that data. This model has even worse IT resource utilization than most physical servers; you’re paying for it, but can’t use any of those resources in the meantime.

This approach ignores the fact that there’s already a ton of infrastructure stood up and available, thanks to the advent of cloud and hosting business models. These business models depend on the ability to turn up new infrastructure quickly, with appropriate incentives for fast deployments; the sooner they can deploy, the sooner they can start billing. This means they already have “at-the-ready” infrastructure. Better yet, you don’t pay for it until you need it. Imagine if your data was backed up to a data center with a complete spectrum of on-demand infrastructure at your disposal that you could contract and pay for only when you need it.

Bottom line? Don’t strand your data in some unknown place that can only send it back to you – at a really slow rate. Back up your data to a location that can immediately begin helping with your restoration and provides local access to your backup data from on-demand infrastructure.

Data is money: Just as money belongs in a bank, data belongs in a data center
Data protection spectrum in the cloud
Disaster Recovery white paper


IT-as-a-Service: Need for speed and drive to align is changing operating model

Note: This is the third of three blog entries from Online Tech Director of Infrastructure Nick Lumsden reflecting on his key takeaways from EMC World 2014: 1. Speed of Change, 2. Shift in Ownership of IT Dollars, 3. Transition to IT-as-a-Service.

Speed of change and a shift in ownership of IT dollars – two topics covered in previous posts – have been the driving force behind the topic of the third: the paradigm shift of internal IT departments to IT-as-a-Service, a trend touched on in nearly every EMC World session I attended.

IT-as-a-Service is a growing operating model, especially for those internal IT departments serving multiple lines of business (LOB). No longer strictly a cost center, the IT-as-a-Service model focuses more on operational efficiencies, competitiveness and response.

The traditional model of IT is perceived as slow and lacking emphasis on LOB outcomes. Internal IT organizations are now competing with shadow IT organizations, acquired or divergent IT organizations, and/or business units outsourcing their IT needs.

The common scenario that develops is finding that LOBs end up outsourcing IT needs when they need fast deployments instead of benefiting from the security and compliance frameworks that the core internal IT organizations have evolved. Reconciling the speed of change with increasing compliance pressures and cybersecurity risks remains challenging.

The need for speed and the drive to align IT to LOBs have created a need for internal IT organizations to adopt an IT-as-a-Service operating model. This means a significant shift in the role of internal IT from owner to facilitator, including letting LOBs outsource when appropriate, where that eases the burden on internal IT and meets the LOBs’ need for speed.

The shift to ITaaS is intended to turn internal IT organizations into cost-transparent business partners delivering as-a-service services in a rapid and predictable manner. They act as both a broker and a business partner.

EMC & VMware are targeting this shift with their drive for “software-defined” everything, pushing intelligence up to the software layer and making every product software accessible. If internal IT organizations are to survive this transition, they need to embrace the speed of change that LOBs expect and adopt a role as a business solutions partner to their LOBs, brokering and delivering the cloud services that LOBs need.

Speed of change: Enterprise business technology advancing daily (and faster!)

Shift in ownership of IT dollars: Competition makes everyone better
The big switch to managed services and private cloud

Nick Lumsden is a technology leader with 15 years of experience in the technology industry from software engineering to infrastructure and operations to IT leadership. In 2013, Lumsden joined Online Tech as Director of Infrastructure, responsible for the full technology stack within the company’s five Midwest data centers – from generators to cooling to network and cloud infrastructure. The Michigan native returned to his home state after seven years with Inovalon, a healthcare data analytics company in the Washington D.C. area. He was one of Inovalon’s first 100 employees, serving as the principal technical architect, responsible for scaling its cloud and big data infrastructure, and protecting hundreds of terabytes worth of sensitive patient information as the company grew to a nearly 5,000-employee organization over his seven years of service.


Experts: Be fast and forthcoming with details of a data breach

After the recent rash of high-profile data breaches, the Internet is rife with tips for handling a breach at your organization. The standard experts’ message: Notify consumers immediately and don’t downplay the impact.

The Dallas Morning News has a keen interest in data breaches because some of the largest recent reports come from retailers headquartered in its home state of Texas: Neiman Marcus (Dallas), Sally Beauty Holdings (Denton) and Michaels Stores (Irving).

In a Sunday story, reporter Pamela Yip discussed proper handling of a breach with Javelin Strategy & Research senior analyst Al Pascual. His comments:

“If you don’t tell consumers how they’ve been victimized, they can’t take the necessary steps to protect themselves. Plus, it looks bad on the business. In reality, it does look like they’re holding back.

“People want to place blame, so keeping the story to yourself or minimizing details to really prevent liability just exposes businesses to greater liability in the end.”

The story claims poor breach notification strategies and a higher rate of identity fraud have resulted in a loss of customers for retailers, which tend to be punished more by the actions of consumers than other industries.

More from the story:

“Release clear, descriptive, and prompt notifications,” Javelin said. “Notifications that describe in detail how a breach occurred can bolster an organization’s claims that they have corrected the security vulnerability … restoring some degree of confidence among consumers.”

Shutting down about information is the worst thing a business can do in a data breach.

“To avoid having a breach event’s narrative hijacked by the media or by adversarial organizations, prompt disclosure is imperative,” Javelin said. “A loss of control can imperil an organization’s reputation, diminishing the trust of business partners, consumers, and shareholders.”

Days before the Dallas Morning News report, Healthcare IT News associate editor Erin McCann published her own “breach response tips from experts” directed at the healthcare industry. The message from the experts she contacted was strikingly similar.

Along with an immediate breach response, there is another key takeaway from Gerry Hinkley, a partner at the Pillsbury Winthrop Shaw Pittman law firm: “Don’t give in to individuals who want to sugar coat this. … You do much better really saying what happened up front.”

McCann quoted Hinkley from a presentation he gave at the recent HIMSS Media and Healthcare IT News Privacy and Security Forum in San Diego. He says proper breach response can help limit cost, avoid litigation and help retain the integrity of the organization.

After a breach, Hinkley suggests the following steps:

  1. An internal report throughout the organization that explains the forthcoming breach notification before the Department of Health and Human Services (HHS) and media are informed.
  2. Quickly report the breach to HHS. Don’t wait the allowed 60 days.
  3. Immediately after the breach, change passwords and authorizations and preserve all evidence.
  4. Remediation, including credit monitoring and a phone line available to those affected.

“What we advise, whatever the plan is, it should engender trust in your organization that you’re doing the right thing,” said Hinkley. “You can really put a lid on subsequent enforcement and litigation risk if you’re very up front; you’re apologetic; you’re very clear on what the consequences are and you provide remedies that are well-tied to what the actual risks are that are presented to the individual.”

Health IT News: Breach response tips from experts
Dallas Morning News: Businesses should be open about data breaches

Data protection and the cloud

Co-CEO, Online Tech

In my last blog post I made the case that data is money. So it’s important to have a strategy for data protection just as you would for cash management.

It helps to have a framework when developing a strategy. One framework for developing a data protection strategy is the Data Protection Spectrum.

Traditionally, costs grow exponentially as you move from “Not Never” on the left of the spectrum to “Always On” on the far right. But the cloud has completely disrupted that exponential cost growth. Here’s how.

Doing absolutely no backup of your data means you aren’t even on the spectrum. I call that the “Never” scenario. If, when asked when services will be restored, your only honest answer is “never,” then you’re in really big trouble. So doing the bare minimum backup or snapshot at least gets you on the data protection spectrum, but only at the “Not Never” scenario. Which means your answer would be “I don’t know, but at least it’s Not Never.”

Yan Ness
Online Tech

At the other end of the spectrum is data that is highly distributed in real time, with the ability to completely lose an entire stack of hardware or an application and still maintain operation with no interruption. This extreme level of resiliency is achievable but is exponentially more expensive than “Not Never.”

Most organizations need to be somewhere in between, and this is where the framework can really help. How much data protection is enough? What processes can you afford to live without and which ones do you absolutely have to have? What does it cost to lose access to one of those systems? What budget do you have to protect it? These are all questions a skilled business continuity or disaster recovery expert can help you answer and then make the business case for where you should be on the spectrum.

But one thing that is clear is that the advent of virtualization and the maturing of the cloud industry have dramatically shifted the cost curve for the middle of the spectrum. It’s still extremely difficult and expensive to have multiple systems of record at multiple geographically dispersed sites, with sufficient global load balancing, to deliver solutions on the far right of the spectrum. The “Not Never” end is satisfied by the plethora of commodity offsite providers like Mozy, Carbonite or Druva.

But what about those organizations for whom “Not Never” isn’t good enough but can’t afford and don’t need the complexity of “Always On” multi-site real-time production?

A big driver of cost as you move to the right on the data protection spectrum was the redundant hardware, network, connectivity and processes required, which were seldom, and hopefully never, used. Traditional cold, warm and hot site disaster recovery, which would typically sit left to right on the spectrum, resulted in significant idle IT assets. So one has to ask, who already has idle IT assets waiting? Well, the entire cloud service provider industry is exactly that – idle IT assets available to you as a service, with pretty rapid deployment cycles. It’s a perfect match for IT and enables one to move to the right on the spectrum with significantly lower capital costs.

By backing up your data to an existing cloud or IT infrastructure provider, you basically get access to their entire unused capacity (which they always have) at the ready in the case of disaster, without having to pay for it until then. So for what used to cost a bit more than “Not Never,” you have access to what effectively used to be a cold disaster recovery site.

In the next blog post, I’ll explain how you can put together an offsite backup service with a cloud, colocation and managed service product suite to very cost effectively establish a full set of DR options.

Data is money: Just as money belongs in a bank, data belongs in a data center
Disaster Recovery white paper


Friend or foe? Cybersecurity risks for shared data and a few precautions

Mom always said to choose your friends wisely. Maybe she was trying to protect you from a data breach.

AT&T learned that lesson the hard way. From a statement released by the company:

“We recently learned that three employees of one of our vendors accessed some AT&T customer accounts without proper authorization. This is completely counter to the way we require our vendors to conduct business. We know our customers count on us and those who support our business to act with integrity and trust, and we take that very seriously. We have taken steps to help prevent this from happening again, notified affected customers, and reported this matter to law enforcement.”

This breach was less nefarious than the recent credit card data theft at P.F. Chang’s, Target and other retailers. While the employees of the vendor had access to sensitive data (such as Social Security numbers), their intent reportedly was to find the codes used to unlock mobile phones for resale in the secondary market.

As Washington Post technology writer Brian Fung noted, the heavy restrictions mobile carriers place on unlocking your phone likely motivated the breach: “It’s clear there are people out there who will compromise our most sensitive information just to make it easier to recycle used devices.”

Regardless of the intent or the result, there’s one key sentence in the letter AT&T sent to affected customers: “Employees of one of our service providers violated our strict privacy and security guidelines by accessing your account without authorization.”

This isn’t the only recent breach in the news that harks back to Mom’s advice mentioned above. In May, New York Presbyterian Hospital and Columbia University agreed to pay the Department of Health and Human Services $4.8 million to settle an alleged violation of the HIPAA Privacy and Security Rules. It’s the largest HIPAA settlement payment in history.

Tatiana Melnik, an attorney who focuses on data privacy and security issues, offered her thoughts on the case involving the affiliated, but separate, entities that operate a shared data network:

“This settlement is a good reminder that covered entities, business associates, and subcontractors must choose their partners carefully. As more organizations implement data sharing agreements, form strategic healthcare IT partnerships (e.g., those involving big data, analytics, etc.), and otherwise store their data with vendors, data breach issues are inevitable. Healthcare providers and vendors must carefully review their agreements to ensure that each party bears the appropriate amount of risk. Provisions related to indemnification, limitation of liability, damages caps, and insurance requirements should be reviewed with special attention.”

A lack of trust between business associates isn’t unusual when it comes to data breaches. A recent Ponemon Institute study revealed that 73 percent of organizations are either “somewhat confident” (33 percent) or “not confident” (40 percent) that their business associates would be able to detect, perform an incident risk assessment and notify their organization in the event of a data breach incident as required under the business associate agreement.

The good news: An iHT2 report presents data that indicates business associates are paying greater attention to data security. From 2009 to 2012, business associates were involved in 56 percent of large-scale data breaches of 500 records or more. In 2013, that number was reduced to just 10 percent of breaches.

What can you do to make sure your IT friends are an alliance for good in the battle to protect sensitive data?

  1. When did the business associate last perform a comprehensive risk assessment? If it’s been more than a year, move on.
  2. Ask for a copy of their audit report – and actually read it. A business associate that invests in a culture of compliance and security is comfortable and confident in sharing details of their controls. In addition to sleeping better at night, you’ll also save a lot of time and money by being able to provide this documentation during your own audits.
  3. Visit your business associates in person. If you have sensitive data, it’s worth whatever airfare and time it takes to visit them face-to-face. You’ll know a lot about the reality of their attitude towards their clients and security from experiencing it yourself.
  4. Consult with references. Don’t just take your associate’s word for it – ask their clients. If they keep their clients happy, this list will be readily available.
  5. Do they have insurance against data breaches to help with remediation costs? Do they understand what’s at stake in terms of the timeliness and thoroughness of a response, and of the investigation into any suspicious activity?
  6. How would they know if a data breach happened? Is there enough monitoring in place, and detailed logging, to know if something is amiss and have the information to assess damage and risk?
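Item 6 asks whether a business associate’s monitoring and logging are good enough to notice misuse like the AT&T vendor case, where vendor employees read customer accounts without authorization. As an added example (not from the original post or from any of the companies it mentions), here is a small Python check over a constructed vendor access log and a constructed ticket-system export: a vendor read of a customer account is flagged when no open ticket authorises it, and a vendor user who touches many distinct accounts is flagged as a bulk reader. The log schema, user names, ticket ids and threshold are all assumptions.

```python
from collections import namedtuple

# One vendor read of a customer account, as a hypothetical log schema.
Access = namedtuple("Access", "ts user account ticket")

# Constructed sample access log (not real data): vendor users reading
# customer accounts, each optionally citing the support ticket that
# justified the read.
ACCESS_LOG = [
    Access("2014-06-01T09:00", "vendor.alice", "acct-1001", "T-501"),  # authorised
    Access("2014-06-01T09:05", "vendor.alice", "acct-1002", "T-502"),  # authorised
    Access("2014-06-01T09:07", "vendor.bob",   "acct-1003", None),     # no ticket cited
    Access("2014-06-01T09:08", "vendor.bob",   "acct-1004", "T-999"),  # ticket does not exist
    Access("2014-06-01T09:09", "vendor.bob",   "acct-1005", "T-503"),  # ticket is for another account
    Access("2014-06-01T09:10", "vendor.bob",   "acct-1006", "T-503"),  # authorised
    Access("2014-06-01T09:11", "vendor.bob",   "acct-1007", None),     # no ticket cited
    Access("2014-06-01T09:12", "vendor.bob",   "acct-1008", None),     # no ticket cited
]

# Constructed export from the ticketing system: ticket id -> the single
# customer account that ticket authorises the vendor to touch.
OPEN_TICKETS = {"T-501": "acct-1001", "T-502": "acct-1002", "T-503": "acct-1006"}


def find_unauthorized_access(log, tickets):
    """Return every read whose cited ticket does not authorise that account.

    A missing ticket, an unknown ticket id and a ticket opened for a
    different account are all treated as unauthorised.
    """
    return [e for e in log if tickets.get(e.ticket) != e.account]


def find_bulk_readers(log, threshold):
    """Map vendor users to the number of distinct accounts they read,
    keeping only those above the (assumed) per-user threshold."""
    seen = {}
    for e in log:
        seen.setdefault(e.user, set()).add(e.account)
    return {u: len(a) for u, a in seen.items() if len(a) > threshold}


if __name__ == "__main__":
    for e in find_unauthorized_access(ACCESS_LOG, OPEN_TICKETS):
        print(f"UNAUTHORISED {e.ts} {e.user} read {e.account} (ticket={e.ticket})")
    for user, n in find_bulk_readers(ACCESS_LOG, threshold=3).items():
        print(f"BULK READER {user} touched {n} distinct accounts")
```

The point of the ticket join is that the log alone cannot tell an authorised read from an unauthorised one; without a record of why each access happened, a business associate can only answer item 6 after the fact.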

OCR reminds covered entities to choose friends carefully
AT&T confirms data breach as hackers hunted for codes to unlock phones
Washington Post: Carriers’ tight grip on cellphone unlocking seems to have resulted in a cyberattack
IHT2’s 10 Steps to Maintaining Data Privacy in a Changing Mobile World
Ponemon Institute’s Benchmark Study on Patient Privacy and Data Security

RELATED
Mobile Security white paper
iHT2 recommendations for HIPAA-compliant cloud business associates
What to look for in a HIPAA cloud provider
Top 5 healthcare cloud security guides

Posted in HIPAA Compliance, Information Technology Tips, PCI Compliance