Bringing secure, compliant hosting to Indianapolis

Online Tech’s newest data center, right, is located near Lucas Oil Stadium in Indianapolis. It’s the company’s fifth data center in the Midwest and the first in Indiana.

It’s official! Our newest data center in Indianapolis is open for business.

Mike Klein
Online Tech
Co-CEO

We’re very excited to bring secure, compliant, enterprise class cloud, colocation and offsite backup and disaster recovery to Indianapolis. It’s a great pleasure to have the opportunity to serve Indiana businesses and its IT community from the 44,000 square foot facility on Merrill Street, minutes from downtown, that officially opened today.

So what makes Online Tech unique in the Indianapolis market? Just like at our four other Midwest data centers, we will be delivering secure, compliant, enterprise hosting for our clients’ mission critical applications. Businesses in need of the level of protection and access to the cloud that we provide previously had to look to other regions of the country for this type of data center.

What the heck does that mean? Let’s start off with the type of hosting that we don’t focus on. We don’t offer cheap commodity cloud servers for gamers, email marketers or low-end web hosting. There are plenty of low cost alternatives out there that don’t need to deliver 100-percent uptime or the stringent security or regulatory compliance we deliver.

Our clients include healthcare companies, banks, credit unions, insurance agencies, retailers and mid-size to large businesses that can’t afford downtime in their mission critical IT systems. They tend to be very concerned about security and regulatory compliance, and need the uptime benefits of enterprise technology without the capital outlay required to purchase the equipment themselves.

We think of our value proposition this way:

Security: The war against hackers continues to escalate, as does the cost and pace of new security technologies. Rather than build, monitor and maintain their own layered security defense in-house, our clients leverage the full array of security technologies available at our data centers and in our cloud server platform.

Compliance: Regulatory requirements continue to escalate – HIPAA for health care, SOX for financial industries, PCI for credit card processing and Safe Harbor for protecting EU citizen data. Rather than hire outside auditors to test their systems and processes, our clients leverage our third party audits as part of their compliance programs. We provide our audit reports to our clients annually so they don’t have to do the audits themselves.

Enterprise Hosting: From our Tier 3 data centers with 100-percent uptime SLA to our high performance, high availability cloud computing, we’ve designed our systems for applications that can’t afford downtime. Our enterprise off-premise backup handles bigger data sets and offers faster recovery than most hosting companies in the market.

We’re excited about opening our new data center in Indianapolis. We invested $10 million making extensive improvements to create a world-class facility that will create up to 25 permanent jobs for local IT, sales and data center professionals.

There is a growing demand for secure, compliant hosting in Indianapolis and the surrounding region and we’re looking forward to serving all of Indiana as we continue to expand our network of data centers across the Midwest.

YOU’RE INVITED! JOIN US AT OUR
OCT. 23 GRAND OPENING EVENT

There will be an open house at the Indianapolis data center from 3 to 7 p.m. on Thursday, Oct. 23. We’re offering a no-pitch, behind-the-scenes look at a secure, compliant, enterprise cloud computing and colocation data center.

We invite all IT professionals in and around Indianapolis to come network with your peers, meet some of our clients, eat, drink and be merry! Click here or the button below to register for the event.

Posted in CEO Voices, Cloud Computing, Data Centers, HIPAA Compliance, Online Tech News, PCI Compliance, Safe Harbor

Online Tech’s April Sage, attorney Tatiana Melnik presenting on challenges and opportunities of cloud computing at AHIMA conference

The American Health Information Management Association (AHIMA) is holding its 86th annual convention and exhibit in San Diego this week. This year’s theme is “Leading the Way to Health Intelligence” and its schedule of events is designed to address the challenges and opportunities healthcare professionals face now and in the future.

Cloud computing presents many of those challenges and opportunities, so Online Tech has gotten in on the fun.

April Sage

At 8 a.m. Wednesday, Online Tech Director of Healthcare IT April Sage and attorney Tatiana Melnik are co-presenting “A Primer on Moving to the Cloud – HIPAA, Encryption, eDiscovery, Oh My!”

Sage will discuss the risks and benefits highly-regulated healthcare companies face when moving to the cloud and help compare the risk profile of traditional and cloud environments when storing protected health information. She’ll also discuss administrative and technical implementation challenges with a discussion of how the choice of cloud structure – public, private, or hybrid – may impact HIPAA/HITECH compliance.

Melnik, a frequent contributor to Online Tech’s educational webinar series, will handle the legal portion of the presentation. It will include sample contract language often included in cloud computing agreements, contract language that healthcare providers often overlook during negotiations and terms that healthcare providers often do request, but should not.


RELATED CONTENT

Up your HIPAA IQ with a little HIPAA FAQ

Webinar: PHI in the ACO – Risk Management, Mitigation and Data Collection Issues

Webinar: Is the FTC Coming After Your Company Next? Court Confirms that the FTC Has Authority to Punish Companies for Poor Cyber Security Practices

Posted in HIPAA Compliance, Information Technology Tips, Online Tech News

Visit the grand opening of our Indianapolis data center on Oct. 23

Hello, Indianapolis!

Online Tech invites all IT professionals in and around the Circle City to attend the grand opening celebration of our fifth Midwest data center – and first in Indiana – from 3 to 7 p.m. on Thursday, Oct. 23.

We’re offering a no-pitch, behind-the-scenes look at a secure, compliant, enterprise cloud computing and colocation data center. Network with your peers, meet some of our clients, eat, drink and be merry!

Registration is simple (click here or the button below) and required. You must present a valid photo ID (we are a secure and compliant data center, after all!) on the day of the event.

Our Indianapolis facility has more than 44,000 square feet of data center space. All critical equipment is N+1, or fully redundant. It is SAS 70, SSAE 16, and SOC audited to provide security and reliability and also PCI, HIPAA, SOX and Safe Harbor audited to meet national industry compliance requirements.


RELATED CONTENT
Expansion of secure, compliant hosting into Indianapolis a ‘win-win-win’ for current clients, future clients and Online Tech

Press release: Online Tech Acquires Indianapolis Data Center

Posted in Data Centers, Online Tech News

What to do about Bash bug, which could pose bigger threats than Heartbleed

Cybersecurity experts are saying a bug in the widely-used command prompt software Bash could be a bigger threat to users than the Heartbleed bug that surfaced earlier this year. The vulnerability affects Unix-based operating systems, including Linux and Apple’s Mac OS X.

The bug – which has picked up the moniker Shellshock – allows for malicious code execution to take over an operating system and access information. Patches have been issued by many of the major Linux distribution vendors.

Security expert Robert Graham, who has extensive coverage of the bug on his Errata Security blog, describes why it is so worrisome:

The first reason is that the bug interacts with other software in unexpected ways. We know that interacting with the shell is dangerous, but we write code that does it anyway. An enormous percentage of software interacts with the shell in some fashion. Thus, we’ll never be able to catalogue all the software out there that is vulnerable to the bash bug. This is similar to the OpenSSL bug: OpenSSL is included in a bajillion software packages, so we were never able to fully quantify exactly how much software is vulnerable.

The second reason is that while the known systems (like your web-server) are patched, unknown systems remain unpatched. We see that with the Heartbleed bug: six months later, hundreds of thousands of systems remain vulnerable. These systems are rarely things like webservers, but are more often things like Internet-enabled cameras.

So, what to do?

ArsTechnica.com published a test to determine if a Linux or Unix system is vulnerable:

To check your system, from a command line, type:

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

If the system is vulnerable, the output will be:

vulnerable

this is a test

An unaffected (or patched) system will output:

bash: warning: x: ignoring function definition attempt

bash: error importing function definition for `x'

this is a test

The fix is an update to a patched version of the Bash shell. To be safe, administrators should do a blanket update of their versions of Bash in any case, ArsTechnica.com suggests.

David Kennedy, security expert and CEO of northeastern Ohio’s TrustedSec, also strongly recommends updating systems.

The TrustedSec blog offers this local system test to see if you are vulnerable:

env x='() { :;}; echo Your system is vulnerable' bash -c "echo Test script"

However, Graham provides this somber note: “There’s little need to rush and fix this bug. Your primary servers are probably not vulnerable to this bug. However, everything else probably is. Scan your network for things like Telnet, FTP, and old versions of Apache (masscan is extremely useful for this). Anything that responds is probably an old device needing a bash patch. And, since most of them can’t be patched, you are likely screwed.”
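The two probes quoted above are one-off commands. As an added example (not from the Online Tech post, Ars Technica or TrustedSec), the same probe wrapped in a POSIX shell function that reports a single status word, so it can be run from an inventory script against every bash binary on a host. It assumes the interpreter under test is on PATH as `bash` or is passed as a path; the `/usr/local/bin/bash` path in the usage line is a hypothetical example of a separately installed copy.

```shell
#!/bin/sh
# Added example, not code from the Online Tech post or the sources it quotes.
# Wraps the published Shellshock probe: a crafted function definition is
# exported through the environment, and we watch whether the command that
# trails the definition gets executed by the bash being tested.

# Probe one interpreter. Echoes exactly one word:
#   vulnerable  - the trailing "echo vulnerable" ran (unpatched bash)
#   patched     - the definition was refused (the warnings quoted in the post)
#   missing     - no such interpreter on this host
shellshock_status() {
    bash_bin="${1:-bash}"
    if ! command -v "$bash_bin" >/dev/null 2>&1; then
        echo missing
        return 0
    fi
    # Same probe as the article. stderr is merged so a patched bash's
    # "ignoring function definition attempt" warning is kept for the record,
    # but only the presence of the word "vulnerable" decides the result.
    probe_out=$(env x='() { :;}; echo vulnerable' "$bash_bin" -c 'echo this is a test' 2>&1)
    case "$probe_out" in
        *vulnerable*) echo vulnerable ;;
        *)            echo patched ;;
    esac
}

# Probe several interpreter paths and print one "path status" line each.
# A distribution package update only replaces the packaged bash; a copy built
# from source or bundled with an appliance keeps the old code until it is
# rebuilt, which is why each path is tested on its own.
shellshock_sweep() {
    for candidate in "$@"; do
        printf '%s %s\n' "$candidate" "$(shellshock_status "$candidate")"
    done
}

# Usage (paths are assumptions for illustration):
shellshock_sweep bash /bin/bash /usr/local/bin/bash
```

The sweep lists `missing` for paths that do not exist, so the same command line can be pushed unchanged to every host and the results compared; any line reading `vulnerable` identifies a binary that the package update did not reach.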


RELATED CONTENT
Bridging the software and infosec professional chasm
Encryption video series
White paper: Encryption of Cloud Data

Posted in Information Technology Tips

A data loss prevention strategy guide

Note: The following article is part of a shared content agreement between Online Tech and InfoSec Institute. (View original post.) For more information on IT disaster recovery, download disaster recovery white paper or check out our case studies.


In this article, we’ll learn about the concept of data loss prevention: why it is needed, the different types of DLP and their modes of operation, the planning and design strategy for DLP, the possible deployment scenarios, and the workflow and best practices for DLP operations.

OVERVIEW

Every organization fears losing its critical, confidential, highly restricted or restricted data. That fear is amplified when an organization’s critical data is hosted outside its premises, say in a cloud model. To address this, a security concept known as “Data Loss Prevention” has evolved, and it comes in several product flavors in the market. The most famous among them are Symantec, McAfee, Websense, etc. Each DLP product is designed to detect and prevent data from being leaked. These products are applied to cover all channels through which data can be leaked.

Data is classified in the categories of in-store, in-use and in-transit. We will learn about these classifications later in this article. Before starting the article, we have to keep in mind that the information is leaking from within the organization.


Posted in Information Technology Tips

Michigan HIMSS 2014 Fall Conference

Online Tech rarely misses an opportunity to attend a HIMSS event; they are always packed with healthcare information management hot button topics and innovative ideas. So we’re particularly eager for next week’s Michigan HIMSS Chapter 2014 Fall Conference in Plymouth Township, just minutes from our Ann Arbor headquarters and three of our four Michigan data centers.

The theme for the Sept. 16-17 event is “Health Information Technology: The Vision and the Value” and it will be held at The Inn at St. John’s. Some of the subject areas include:

  • Health Reform in Michigan and the Role of HIT
  • Care Transitions: Hospitals and Nursing Centers Improving Patient Outcomes
  • Navigating a Meaningful Use Audit
  • The Value of Electronic Health Records: TCO for Transformation Projects
  • And, a Mobile Health Roundtable with eight industry experts

The Michigan Chapter of HIMSS was formed in the spring of 2002 and chapter members come from diverse backgrounds, all involved in some aspect of healthcare information systems and management. Non-members are invited to attend the fall conference.

Also: Online Tech will be showcasing our HIPAA-compliant hosting services in the exhibition space at the conference. Stop by!

Posted in Michigan Data Centers, Online Tech News

7 business drivers for your backup and recovery strategy

In a previous post, I laid out the first three questions your CIO should answer before you start your backup and recovery research. The CIO should provide direction around the value of the data, the Recovery Point Objective (RPO) and the Recovery Time Objective (RTO).

Mike Klein
Online Tech
Co-CEO

Once these executive-level business requirements are understood, the context can be used to ask the next set of high-level business and technical questions that drive your backup and recovery strategy.

1) How confidential or compliant does your data need to be? Do you need your backups encrypted — both in transit to your provider and at rest on the provider’s backup storage — to meet HIPAA, PCI or Sarbanes-Oxley compliance requirements? Do you need to choose a provider that meets specific compliance requirements for your industry so your company can remain compliant at your next audit?

2) How secure does your backup strategy need to be? Security is different from compliance. Compliance is the set of rules and audits that surround the data center and any provider delivering backup services. Security is the physical, electronic and network measures that are put in place to prevent theft or unauthorized access to the data.

If you drive tapes off-site, consider the human factor and physical security risks. Consider the type of security infrastructure that you want to see delivered by your offsite backup provider to keep your backup data secure. Do you know where they are physically storing the data? Do you understand their approach to data encryption and data deletion?

3) What is your recovery strategy? If you lose a file, how quickly do you need it be restored to your servers? If you lose a server, how quickly can the server be recovered? If you lose your data center, how quickly can your business be up and running again?

Once you understand your RTO, you can design your recovery strategy to meet these objectives. For example, sending your backups to a file storage system in the cloud (like Amazon) can be very cost effective, but the data is unstructured and getting your data back across the internet can take a very long time (days). Enterprise-grade backup and recovery with deduplication technology can reduce the recovery time significantly.

4) Do you need a backup partner that can provide cloud servers for you to quickly restore your data in the case of a disaster? For even faster recovery times, consider a provider that can recover your backup data directly onto cloud servers in the same data center. Providers that can connect your cloud servers to your backup data over a 10G network can change your recovery times by orders of magnitude.

5) Can you bring your own servers or SANs directly to the data center to recover your data? The internet is the slowest pipe when it comes to recovering terabytes of data. If you can’t use cloud servers at your backup provider, consider the option of colocating backup servers or SANs to recover the data over their 10G network into your equipment.

6) How automated is your backup procedure and how many technical man-hours are required on your part to set, monitor and restart failed backups? These are often overlooked costs. Many CIOs don’t understand how often their backups fail or how much time is spent managing the backups on a daily basis.

7) What is the infrastructure of the backup target — is it designed to withstand drives, hardware, network and data center failures? Not all backup targets are built with RAIDed drives or redundant network infrastructure.

When it comes to your backup and recovery strategy, it’s best to take the time to understand your critical drivers, ask the tough questions of your backup vendor and test your recovery strategy before you need it.

Backups don’t matter until they matter. You don’t want the last remaining copy of your data to be corrupted or find out that your recovery strategy isn’t fast enough to recover your business when you need it.


RELATED CONTENT

Disaster Recovery white paper

Don’t strand your data

New managed disaster recovery solution eliminates the surprise of ‘stranded backups’

3 questions your CIO needs to answer to set your offsite backup strategy

Posted in CEO Voices, Cloud Computing, Disaster Recovery, HIPAA Compliance, PCI Compliance

Keeping cybercrime secrets despite increasing data breach reports

We attempt to stay on top of cyber security and data breach topics here on the Online Tech blog, providing some industry perspective to news of large data breaches like those at Community Health Systems, P.F. Changs, eBay, Target and other unnamed victims.

Of course, we don’t cover them all. We’d be writing nothing else. You’d be reading nothing else.

Consider that along with reports today about Home Depot investigating a potential breach of customer credit card numbers, over the past two weeks alone there have been news reports on cyber attacks and data breaches at the following organizations: UPS, the Chicago Yacht Club, SuperValu, Schnucks, the Nuclear Regulatory Commission, US Investigation Services, Otto Pizza, Cedars-Sinai Medical Center, the University of Louisiana-Monroe, New Mexico State University, the University of Miami, PlayStation Network, JPMorgan Chase, Albertsons, Dairy Queen, the Memorial Hermann Health System, the Australian Federal Police, the Racing Post, the Summit County (Utah) Fair and half the population of South Korea.

That’s 20 organizations and one country for those keeping score at home. And there are probably others that escaped our radar.

In fact, news of large-scale data breaches has become so commonplace that CNET.com senior writer Seth Rosenblatt recently published an article about industry experts becoming concerned about alert fatigue – fearing “that people may throw up their hands and stop caring as news of even more breaches get reported.”

In that piece, Rosenblatt suggests that “companies are getting better at reporting security breaches, which also feeds into the perception that the increase in the number of breaches may even be larger than it really is.” He quotes Andy Serwin from analyst firm Morrison and Foerster as saying, “I’m not sure that we’re seeing more activity, or more attention on the activity.”

While that may be true, other reports issued just days later by different media outlets indicate that not all companies “are getting better at reporting security breaches.”

Take, for instance, the JPMorgan Chase data breach. As the Washington Post reports, rumors were circulating in cyber-security circles for a week that a major New York-based bank had suffered a data breach before JPMorgan confirmed it was victimized. The impression is that JPMorgan – like many companies before it – kept evidence of a cyber crime private until journalists forced the issue.

From that Washington Post story:

This reticence is both deeply rooted within corporate America and, to some consumer advocates, deeply infuriating. Had a family’s precious jewelry been stolen from a safe deposit box, any bank would have quickly notified the affected customer. Yet loss of personal information, especially when it happens on a mass scale, is treated differently, both by the law and by industry custom.

The result is that days, weeks or longer can pass between when a company learns of a cyber-crime and when its customers do. That gap, say security experts, can amount to crucial lost time for people who might want to protect themselves by monitoring transactions, changing passwords or alerting other relevant parties – such as a credit card company – that the risk of fraud or identity theft is elevated.

Dairy Queen is being similarly criticized. The following is an excerpt from a story in the Minneapolis/St. Paul Business Journal, noting two days had passed since the chain revealed a potential data breach at its stores – an admission seemingly coerced by a KrebsOnSecurity.com report:

The Edina-based restaurant chain hasn’t said how many stores were affected, how widespread the breach could be or how long it may have lasted. Though its brief announcement included a statement that it is complying with an investigation into the matter, it did not indicate what else it may be doing to protect customers. There are no notifications to customers on the company’s home page, its Twitter feed or Facebook page. Company representatives have not responded to requests for further comment.

But it’s not all bad news. The same story applauds another Minnesota-based company for properly handling its data breach. Within 24 hours of disclosing its breach, SuperValu, Inc. “had issued a full list of affected stores, along with information about the duration of the breach and what the company was doing in response. Supervalu also established a call center for concerned customers.”


RELATED CONTENT:
iHT2 recommendations for HIPAA-compliant cloud business associates
Top 5 healthcare cloud security guides
Data breach reporting: A job killer or business saver?
Experts: Be fast and forthcoming with details of a data breach


RESOURCES:
CNET.com: As security breach reports mount, experts fear alert fatigue
Washington Post: Hacked? Customers are the last to know
Business Journal: Dairy Queen’s silence on data breach could have ‘corrosive effect’ on consumer perception, crisis expert says


Posted in HIPAA Compliance, Information Technology Tips, PCI Compliance

3 questions your CIO needs to answer to set your offsite backup strategy

There are a number of options for offsite backup, including tape backup shipped offsite, backing up to a simple cloud storage like Amazon, or an enterprise-grade offsite backup and recovery solution.

Mike Klein
Online Tech
Co-CEO

Before any detailed conversation takes place around the technical and business considerations impacting your backup strategy — such as compliance, confidentiality of the data, security requirements and recovery targets — there are three questions your CIO needs to answer prior to researching solutions for your offsite backup and recovery plan.

Question 1: How important is your data?

If you lost an important file or all of your servers to a disaster, what kind of impact does it have on your business? Backup and recovery is basically an insurance policy. Your insurance can provide system-level recovery in case of a major disaster or file level recovery to restore lost files for minor disasters as well.

This first question is important to ask because it gives you a framework on how to think about the type of “insurance” you want to buy with backup. If your data is critically important to the success of your business, your CIO will most likely want a higher coverage, faster response insurance policy than if your data could be completely recreated from paper records.

Question 2: How much data can you afford to lose?

Once you know how valuable your data is to the business, you need to understand the recovery point objective (RPO) that your CIO wants for the different applications.

The RPO dictates how often you capture your data and send it offsite – weekly, daily, hourly or instantly. If you can survive with weeks-old data without an impact to your business, it drives a different set of decisions than if you need to recover the latest up-to-the minute customer transactions.

Question 3: How fast do you need to recover your data and be operational again?

This is your recovery time objective (RTO). Some applications may not need to be back up for weeks while others need immediate failover. Many mid-size businesses look at a 4- to 24-hour range as reasonable targets for recovery on their applications.

In my experience, once you have the answers to these three strategic questions, you’re ready to dive into the technical and business drivers for your backup and recovery strategy, as you start researching solutions to meet your goals.


RELATED CONTENT
Data is money: Just as money belongs in a bank, data belongs in a data center
Don’t strand your data
Data protection and the cloud

Posted in CEO Voices, Cloud Computing, Disaster Recovery

Largest HIPAA breach ever: Hackers steal data on 4.5 million Community Health Systems patients

There’s a new leader on the U.S. Department of Health & Human Services’ Wall of Shame.

A hacking group known as “APT 18” is suspected of stealing names, Social Security numbers, addresses, birthdays and telephone numbers from 4.5 million patients of Community Health Systems, a network of 206 hospitals across 29 states (see map at right). Credit card numbers and medical records were not accessed.

It’s the largest attack involving patient information since the HHS started tracking HIPAA breaches in 2009, passing a Montana Department of Public Health breach that affected roughly 1 million people.

Patients who were referred or received services from doctors affiliated with Community Health Systems in the last five years were affected, the company reported in a regulatory filing on Monday. The sophisticated malware attacks occurred in April and June.

According to numerous news reports, security experts said the hacker group may have links to the Chinese government. Charles Carmakal, managing director of the Mandiant forensics unit, hired by the hospital group to consult on the hack, told Reuters that “APT 18” typically targets companies in the aerospace and defense, construction and engineering, technology, financial services and healthcare industry.

In an Online Tech webinar titled “Why is it So Hard to Secure a Company,” security expert Adam Goslin discussed how the past decade has seen “a continuous and steady increase in attempts by specifically the Chinese attempting to gain intellectual property.”

According to a CNN report, Mandiant and federal investigators told the hospital network that the hacking group has previously conducted corporate espionage to target information about medical devices. This time, however, the bounty was patient data.

Community Health Systems stated in a release: “Our organization believes the intruder was a foreign-based group out of China that was likely looking for intellectual property. The intruder used highly sophisticated methods to bypass security systems. The intruder has been eradicated and applications have been deployed to protect against future attacks.”

In his aforementioned webinar, Goslin, the CEO of Total Compliance Tracking, detailed examples of the value of intellectual property theft:

One of the stories that the FBI was bringing up was the Chinese were trying to get into a manufacturing facility to get a sample of a rinse solution for some type of a glass manufacture. It was a coating for glass and they couldn’t figure how they were doing it. So, the Chinese were trying to get a hold of this rinse solution in the manufacturing setting. …

There was a story of an organization that had spent some number of years developing a patent. They were just about to file it and found that they have gotten hacked by the Chinese. The Chinese filed for the patent. Because the organization’s entire business revolved around this work, they literally had to pay royalties to the Chinese just to use the patent that they developed themselves that got hacked out from under them.

The value of personal information is clear: Hackers can sell the information to those looking to steal identities. And hospital networks are becoming a hotbed for finding that information.

Michael “Mac” McMillan, CEO of security consulting firm CynergisTek, told Modern Healthcare that hospitals are “going to become a bigger and bigger target as the hacking community figures out it’s easier to hack a hospital than it is to hack a bank and you get the same information. I’m not sure healthcare is listening yet.”

McMillan told the website there has been a spike in hacking activity directed at hospitals this year:

“I know at least a half a dozen or so hacks against hospitals we work with where the data wasn’t transferred, but it still caused a lot of disruption,” McMillan said. “But it wasn’t a HIPAA issue, so it didn’t get reported.”


RELATED CONTENT
Defense in depth

What took so long? How data breaches can go months without being detected


Data breaches ending careers “right to the top” of C-suite


RESOURCES:
Online Tech webinar: Why Is It So Hard to Secure a Company?
Modern Healthcare: Chinese hackers hit Community Health Systems; others vulnerable
Reuters: Community Health says data stolen in cyber attack from China
CNN: Hospital network hacked, 4.5 million records stolen


Posted in Encryption, HIPAA Compliance