Northern Ohio HIMSS Summer Conference

If you’ve ever been to a HIMSS show, you know it’s one of the most important healthcare IT organizations around. It’s brimming with hot-button healthcare information management topics and innovative ideas. It works collectively to optimize patient outcomes and care through technology and policy changes that keep people safe and healthy. It’s made up of the field’s leading experts and advocates, and it is continually making positive change in the healthcare industry.

Which is why we’re so excited to go to the Northern Ohio HIMSS Summer Conference. It will be on June 6th at the new Global Center for Health Innovation in Cleveland. The theme is, “The Winds of Change: The Impacts of Information Technology on the Economy of Healthcare & Patient Outcomes”. From the Northern Ohio HIMSS site, here’s an idea of what you’ll get if you join us for the show:

“We are in the center of a substantial change in Healthcare, with Information Technology playing a major role. This conference explores how components of the Patient Protection and Affordable Care Act (e.g. eHealth Initiatives, the shift from the Fee-For-Service model, Health Information Exchanges, and the Health Insurance Market Place) impact Operations, Revenue Cycle and Knowledge Management of Healthcare Systems.

Subject areas:

  • Healthcare Reform Impact on Healthcare
  • Accountable Care Organizations (and/or Patient Centered Medical Homes)
  • Information Technology Efficiencies in Healthcare
  • eHealth Initiatives

So join in the conversation, and give your insight on the impact of IT on overall patient health and wellness. Come to the show and share how your company solved an inefficiency or vulnerability within your systems. We hope to see you there!

Want to register right this second? Head over to the NOHIMSS chapter website.

Posted in HIPAA Compliance, Information Technology Tips

iHT2 recommendations for HIPAA-compliant cloud business associates

Cyber criminals are being drawn to the healthcare industry like moths to a flame and providers are more vulnerable as the sharing of electronic health records proliferates.

To help diminish both those trends, the Institute for Health Technology Transformation (iHT2) recently compiled its “10 Steps to Maintaining Data Privacy in a Changing Mobile World.”

With a goal of explaining “how healthcare organizations can best protect themselves from the rapidly growing threat of security breaches and medical identity theft,” the paper was compiled by CIOs and security consultants who describe best practices for preventing these incidents and suggest “how to deal with the proliferation of electronic data on the web and on mobile devices, which has created many new avenues for cyber attacks and the theft of personal health information.”

The paper ends with 10 suggested strategies to follow, each of them worth investigating further. (Find the full paper here.) For brevity’s sake, let’s take a look at two of the suggested strategies that are particularly relevant to our secure and compliant data hosting world.

The first deals with business associate agreements:

Get business associate agreements. All outside partners and service providers, including cloud storage providers, should sign BAAs acknowledging their responsibility to protect PHI. You should also require business associates to upgrade their security procedures.

As of September 2013, the HIPAA Omnibus Final Rule asserts that business associates are as liable for data security breaches as the HIPAA-covered entities they work with. This includes cloud vendors, many of whom had earlier been reluctant to sign these pacts.

There’s a strong rationale for providers to insist that vendors and partners sign business associate agreements: according to the Ponemon Institute, healthcare organizations simply don’t trust their third parties or business associates with sensitive patient information.

A recent Ponemon study revealed that 73 percent of organizations are either “somewhat confident” (33 percent) or “not confident” (40 percent) that their business associates would be able to detect, perform an incident risk assessment and notify their organization in the event of a data breach incident as required under the business associate agreement. … Only 30 percent are “very confident” or “confident” that their business associates are appropriately safeguarding patient data as required under the Final Rule.

To fully manage cloud security risks, we recommend you go beyond business associate agreements and review the provider’s complete policies, procedures and processes. The business associate agreement should outline policies and procedures. Review a copy of your cloud provider’s independent HIPAA audit report, if they invested in one, and check that they’ve been audited against the OCR HIPAA Audit Protocol.

The good news: The iHT2 report presents data that indicates business associates are paying greater attention to data security. From 2009 to 2012, business associates were involved in 56 percent of large-scale data breaches of 500 records or more. In 2013, that number was reduced to just 10 percent of breaches.

The second suggested strategy deals directly with cloud security:

Choose your cloud provider and cloud type carefully. A cloud service provider should sign a BAA and be HIPAA compliant. Healthcare providers might find the public cloud enticing because of cost efficiencies, but a hybrid cloud might be preferable because it allows them to control their data.

The iHT2 report cites a HIMSS focus group of senior health IT executives that said they are “more comfortable using a private cloud” than a public cloud and were “more likely to store administrative data than clinical data in the cloud.”

The report also cites legal expert John DeGaspari, who recommends that healthcare organizations wanting to use a cloud vendor make sure the company has a comprehensive set of security procedures. At a minimum, DeGaspari says, the vendor should have third-party certification from an entity such as Service Organization Control (SOC) 2.

Online Tech — which is backed by independent HIPAA, PCI, SOC 2 and Safe Harbor audits — produced its own list of what to look for in a HIPAA cloud provider:

1. Encryption. Do they offer encryption of data at rest and in transit with their cloud solution? Or do you have to spend more time and resources to add another encryption service on top of their cloud to make it work? Encrypting data exempts you from the HIPAA Breach Notification Rule and keeps data confidential even if accessed.

2. HIPAA Report on Compliance (HROC). The final HIPAA rule says cloud providers are considered business associates. Wouldn’t you rather your cloud provider has already undergone a third-party audit of their services to ensure your data safety and compliance (and to save you the trouble of paying for another audit of your business associate)? Don’t just take their word for it – review a copy of their HIPAA audit report and check they’re audited against the OCR HIPAA Audit Protocol.

3. Business Associate Agreement (BAA). Check on their policies around data breach notification, data termination, data access and what services they provide that help you meet compliance.

4. Private clouds. A HIPAA compliant private cloud environment can give you dedicated compute, memory and disk performance, meaning your resources are always reserved for you when you need them. Some public cloud setups allocate resources to other tenants on a first-come, first-served basis, meaning you may be out of luck.

5. Disaster recovery and offsite backup. The HIPAA Contingency Plan standard requires covered entities to establish and implement a backup and full disaster recovery plan to recover systems that contain electronic protected health information (ePHI) – having one for the cloud ensures your data is always available regardless of a natural disaster.

Related content:
HIPAA Compliant Hosting white paper

What to look for in a HIPAA cloud provider

Top 5 healthcare cloud security guides

iHT2’s 10 Steps to Maintaining Data Privacy in a Changing Mobile World

Ponemon Institute’s Benchmark Study on Patient Privacy and Data Security

Posted in Cloud Computing, HIPAA Compliance, Information Technology Tips

Cloud Security at Columbus Information Security Conference

On May 22nd, industry experts from around the Columbus area will converge to speak at the Data Connectors Columbus Tech Security Conference. This will be held in the Quest Conference Centers in Columbus.

The focus of the Data Connectors event circuit is information security. Within these events, topics range from VoIP and LAN security to wireless security and securing USB drives. Below is a sampling from the agenda in Columbus:

The Evolution of Endpoint Security: Detecting and Responding to Malware Across the entire Kill Chain
Brian Orr, CISSP, GISP,
Systems Engineer, Bit9

Over the past decade, the volume of malware produced, and potentially infecting organizations, has multiplied by orders of magnitude. The scope of the threat, in conjunction with little to no innovation by traditional security vendors, has left organizations like yours vulnerable. The time is NOW to expand security infrastructures to include detection and response capabilities that allow you to fully scope, contain, and remediate each threat in real time on your endpoints and servers. Join Bit9 to discuss the emergence of endpoint malware and the new class of security solutions that can detect threats early and across more points on the kill chain.

Anatomy of the Target Stores Breach: Lessons Learned
Ken Donze, Senior Manager of Customer Engineering Solutions, Trend Micro

Target Stores has invested millions in “next gen” cyber security and had received PCI certification. And yet hackers compromised its systems and credit card data during the busy retail holiday season. Over 70 million people were impacted. Join Trend Micro as they outline the breach, how people and processes were impacted, and how warnings and false positives were overlooked. As more and more firms consolidate data centers and invest in new solutions, how can human error and social engineering be mitigated and risks managed? How can organizations balance risk and security investment? What Best Practices and controls are recommended?

At 3:15 p.m., Jason Yaeger, Director of Product Management, will also be speaking about security in the cloud:

Securing the Cloud in a Regulated World
Jason Yaeger, Director of Product Management, Online Tech

Securing the cloud for one organization is hard enough. A cloud architecture that can fit within the performance, security, and compliance constraints across many organizations and industries requires a few novel approaches – and investments. For one, a positive partnership with auditors. Second, a security- and compliance-driven culture, not checkboxes. Third, serious technology investments to enable key functions like encryption and remote backup to play nicely together. This presentation will share a behind-the-scenes look into the architectural decisions behind a cloud capable of protecting sensitive data in the healthcare, banking and other regulated industries.

Head to our event page to find out more about our session at the Data Connectors event this week, or to the Data Connectors site to register to attend.

Posted in Cloud Computing, HIPAA Compliance, Information Technology Tips, Online Tech News, PCI Compliance

Staying ahead of the enterprise cloud backup and recovery curve

At the end of May, I’m speaking on a panel at IMN’s Data Center East Conference in New York City. The panel is titled “Staying Ahead of the Curve on Services (for data center operators)” and will focus its message on market demand for managed services that deliver high value for colocation and cloud computing users.

Mike Klein
Online Tech

I define high value as an essential service that a service provider can deliver at a lower cost and with higher quality than their clients can build or buy on their own. For example, many colocation providers offer “rack & stack” service to rack and wire servers in colocation racks. “Rack & stack” is a good example of a “win-win” service. It is typically far more cost effective for the full-time staff at the data center to rack and wire new servers in the rack than for a client to drive to the data center to do it themselves.

“Rack & stack” services give both the service provider and the client a “win.” The service provider uses their full-time staff that has expertise wiring thousands of servers with a process and documentation that delivers a high quality experience. The service provider can deliver the service profitably and more cost effectively compared to their clients’ staff time and travel costs to and from the data center.

It’s much like when I hire a plumber. I may be able to do the work myself, but when I consider the cost of my time and the quality of my own plumbing work, it’s a higher value – and safer – to have the job done correctly and quickly by a professional. (My wife would agree that hiring a plumber is “win-win” for our household.)

From our experience, two of the highest value managed services a data center operator can provide are backup and managed security services.  I’ll talk about security services in a future blog post – for now, let’s discuss enterprise backup and recovery services for colocation and cloud computing.

The single highest uptake of all of the services we offer at Online Tech is our managed backup offering. I use it as an example of a high value managed service that data center operators can use to deliver a strong value to their clients with a good return on their investment in people, tools and processes – a true “win-win” service in my book.

There are a number of ways to deliver backup services. Some providers offer unmanaged backup – with a local or offsite storage target where the client loads and manages the backup software. For clients willing to take on the burden of managing their own backups, this DIY option provides the ultimate in flexibility because the client can select the backup software, schedule, network bandwidth and the amount of storage they need.

Another popular approach used by many of the commodity cloud providers is daily snapshots. This is typically a local copy of the entire virtual cloud server as a file that a client can fall back on if they lose their server. While cheap to deploy and easy to offer, our experience is that many clients shy away from this approach because:

  1. they prefer to have their data offsite to protect it in case of a disaster at the production data center; and
  2. the work it takes to restore a single file makes file-level restoration impractical – you can only restore the entire snapshot of the whole server.

Contrary to the popular belief that backups are primarily used to recover from major incidents or total loss of data, 95 percent of the time our clients use their backup to recover a single lost or corrupted file. Less than 5 percent of the time are backups actually used for a total system recovery. We’ve seen file-level restoration become one of the highest-demand use cases for backup services.

At Online Tech, we decided to offer a full service offsite backup product that:

  • supports file-level restoration.
  • backs up offsite to a geographically dispersed data center.
  • supports daily backup for servers with 10 TB+ of data.
  • encrypts all backup traffic and data at rest.
  • offers clients their choice of backup windows to run in their low work periods.

The technology investment to deliver these capabilities in this service was significant. We use EMC Avamar technology – essentially leveraging an enterprise-grade backup architecture – to deliver a full service product experience to our mid-market client base.

Obviously, the decision of which managed services and feature sets to offer varies – and frankly depends on the service provider’s business model. In our case, we chose to deliver a full service, fully encrypted backup service for the mid-market client base we serve, many of which are in regulated industries where compliance and data security are paramount.

One point I’ll contribute to the panel at IMN is that there are a number of services that colocation and cloud computing providers can offer that deliver high value to their clients from a win-win perspective – a profitable service that can be delivered more cost effectively than clients can do it themselves. Backup is a great example of this type of service, which in our experience has a high uptake because of the value it delivers to clients. The mix of features and capabilities of these services depends on the market and type of clients that the service provider is targeting.

… and that’s where the differentiation and fun starts for those of us in the colocation and cloud computing business.

Related content:

Encryption of Cloud Data white paper

Mobile Security white paper

PCI Compliant Hosting white paper

HIPAA Compliant Hosting white paper


IMN’s Spring Forum

Posted in CEO Voices, Disaster Recovery, Managed Servers, Michigan Colocation

Webinar: Healthcare IT and HIPAA policy attorneys discuss risks of sharing PHI in the ACO and protection strategies

Accountable Care requires clear visibility into longitudinal patient data across multiple providers, but interoperability introduces legal and security risks that must be carefully navigated if organizations hope to become trusted, data sharing entities. In this complex environment, collaborative knowledge sharing is just what the doctor is ordering to improve outcomes while reducing costs.

When attorneys Tatiana Melnik and Carrie Nixon met for coffee at HIMSS in Orlando, each realized the combination of their respective fortes would be beneficial to the other’s clients in the bigger picture of accomplishing meaningful use. Now it’s your turn to reap the benefits of that alliance when they co-present the latest edition of Online Tech’s ‘Tuesdays at 2’ webinar, PHI in the ACO: Risk Management, Mitigation, and Data Collection Issues.

Melnik, a frequent contributor to the Online Tech webinar series, concentrates her practice on healthcare data privacy, security and regulatory compliance. Nixon focuses on healthcare law and policy issues relating to the Affordable Care Act reforms. She launched Healthcare Solutions Connection, a network of consultants providing integrated service solutions for the healthcare industry.

At 2 p.m. on Tuesday, May 20, Melnik and Nixon will share lessons learned from early adopters, the role of patient health and quality, legal risk exposure, risk mitigation strategies, the role of technology and data collection in coordinated care, and ways to align risk management programs, technology, and interests to improve patient health and quality of care. This is the first in a two-part presentation on PHI in the ACO. The second part, A Focus on Data: Analytics, Collection, Risks and Contracting Considerations, will be held on June 17.

Register: PHI in the ACO: Risk Management, Mitigation and Data Collection Issues (May 20)

Register: PHI in the ACO: A Focus on Data: Analytics, Collection, Risks and Contracting Considerations (June 17)

Nixon said it is critical to understand that an ACO is not going to succeed in a vacuum, but rather the data obtained from patients must be analyzed to determine what care given can succeed in a lower-cost environment.

“I hope that people walk away understanding the important role that Health Information Technology and data play in making an ACO successful,” Nixon said. “In general, I think ACOs have become sort of a catch phrase … ‘I need to have an ACO,’ ‘Should I form an ACO?’ The larger picture is the important role that data and patient data plays in an ACO. You’ve got to be looking at data, analyzing data and asking questions about how we improve based on that data.”

Because of that dependence on data, Melnik said she hopes the key takeaway for attendees of the webinar is, simply, that “an ACO cannot succeed without the proper use of technology.”

While Nixon will explain why it’s important to collect and analyze data, Melnik will focus on the importance of keeping that data safe. She will discuss the risks and concerns surrounding data use, sharing and aggregation, the importance of data analytics, and the related privacy and security concerns.

Tatiana Melnik is an attorney concentrating her practice on IT, data privacy and security, and regulatory compliance. Melnik regularly writes and speaks on IT legal issues, including HIPAA/HITECH, cloud computing, mobile device policies, telemedicine, and data breach reporting requirements, is a Managing Editor of the Nanotechnology Law and Business Journal, and a former council member of the Michigan Bar Information Technology Law Council.

Melnik holds a JD from the University of Michigan Law School, a BS in Information Systems and a BBA in International Business, both from the University of North Florida.

Carrie Nixon is the CEO of Nixon Law Group and President of Accountable Care Law & Policy. She is a founding member of Healthcare Solutions Connection, a network of expert consultants providing integrated service solutions for the healthcare industry. As a longtime attorney for a variety of clients in the assisted living and long-term care industry, Nixon has on-the-ground experience with the unique challenges facing those who serve our aging population. She has successfully defended these clients against malpractice claims and deficiency citations, helping them to navigate the ever-changing regulatory and risk management landscape.

Nixon holds a JD from the University of Virginia Law School.

Posted in Information Technology Tips, Online Tech News

Expansion of secure, compliant hosting into Indianapolis a ‘win-win-win’ for current clients, future clients and Online Tech

Well hello, Indy!

Earlier today, Online Tech announced it has acquired a data center in downtown Indianapolis and will outfit it with the company’s full product line of secure, compliant cloud and colocation services. The Indianapolis Data Center, located roughly an Andrew Luck Hail Mary pass from Lucas Field, is the company’s fifth data center and its first outside of Michigan.

At Online Tech, co-CEOs Yan Ness and Mike Klein stress the importance of “win-win” situations between the company and its clients and business partners. In this case, expanding our footprint is a “win-win-win” situation … for our current Michigan data center clients, our future Indiana data center clients and Online Tech.

For current clients, the 44,000 square foot Indianapolis data center is ideal for providing disaster recovery services—not only because of the quality and security of the facility, but because of its geographic distance from our Michigan data centers. With more than 300 miles in between, we will be able to support clients that need disaster recovery services across state lines and want significant geographic separation between sites.

In Indianapolis, Klein feels the city’s large population of healthcare companies and growing community of financial, retail, e-commerce and software businesses are “underserved by secure cloud computing providers.” The $10 million investment – renovation will be complete in the third quarter of this year – will provide up to 25 permanent jobs (see our careers page).

Said Ness, in today’s press release:

“The world-class infrastructure that we are bringing to Indianapolis will support the local economy. It will provide local businesses access to one of the most secure and compliant clouds in the world—right in their backyard. We looked at the entire Great Lakes region, and chose Indianapolis as it has a need for the full suite of security products and services that we offer. CIOs and CEOs know the challenges of making cloud computing not only secure, but also fully encrypted and compliant with regulations and standards ranging from HIPAA and SOX to PCI and Safe Harbor. Our record of accomplishment helping businesses to keep their data safe and their systems compliant is unmatched. Our Indianapolis investment will allow us to serve the expanding and critical needs of the region’s businesses immediately.”

For Online Tech, the addition of the Indianapolis Data Center to our portfolio is a milestone in our goal to become the leading provider of secure, encrypted and compliant hosting services in the Great Lakes region. It follows major investments to expand and upgrade our Mid-Michigan Data Center and the build-out of our first data center in Metro Detroit.

Win. Win. Win.

Related content:

Online Tech Named One of the “20 Most Promising Enterprise Security Companies” in the U.S. by CIO Review Magazine

Cloud Protects PHI with Encryption from Front End to Back Up

Posted in Data Centers, Michigan Data Centers, Online Tech News

Is Apple dying because it ‘doesn’t think about the cloud’? That’s debatable, but future of cloud computing is not

Highly successful tech venture capitalist Fred Wilson created some waves last week when he predicted Apple wouldn’t be among the top three most important tech companies in the world by 2020. Speaking at a conference in New York City, he said he envisions Google, Facebook and “one that we’ve never heard of” making up that triumvirate.

Why would he dismiss the current largest tech company in the world? (Apple’s first quarter revenues of $43.7 billion were more than Google, Facebook and <insert name of any company you’ve never heard of here> combined.) According to a TechCrunch article, he said Apple is “too rooted in hardware” and not sufficiently tied into the cloud.

“I think hardware is increasingly becoming a commodity,” he said. “Their stuff in the cloud is largely not good. I don’t think they think about data and the cloud.”

Of course, Wilson – who has backed huge success stories like Twitter and Tumblr – has been wrong about Apple before. As CNN Money points out, he dumped all of his Apple stock at $91.36 per share in January 2009. The day of his comments at the TechCrunch Disrupt conference, Apple closed at $600.96. (Note: Wilson said he sold his stock because he didn’t feel Apple was being honest about Steve Jobs’ health.)

Mark Rogowsky, a contributing technology writer at Forbes, took Wilson’s comments to task in a recent article – citing “1/3 of a billion people use iCloud backups regularly” and the success of Apple’s massive iTunes/App Store. Of iTunes, Rogowsky writes:

“Apple’s revenues from all those downloads would total $23.5 billion if it were accounted for as a standalone business, according to Asymco. That small part of Apple’s overall business would be #130 on the Fortune 500 if it were a standalone company. For a sense of just how much that is, Facebook — the company Wilson says will be the second-most valuable behind Google in 2020 — took in just under $8 billion last year. For having “nothing,” Apple’s producing a good deal more than nothing in cloud revenues.”

So, check back in six years and see if Wilson or the plethora of pundits who disagree with him were correct.

What’s not disputable in this conversation is that hardware, as Wilson points out, is indeed becoming a commodity and cloud computing is essential for future innovation and success.

Online Tech co-CEO Yan Ness discusses that topic in the following video clip, saying “(organizations) don’t want to deal with the hardware anymore … they just want to pay the price and have somebody else take care of it.”

Related content:

Is Data Less Secure in a Cloud Environment?

Private Cloud Computing Explanation, Benefits, and Recommendations

After the Cloud, What’s Next? Mobile Technology in Data Centers


TechCrunch: VC Fred Wilson: By 2020 Apple Won’t Be A Top-3 Tech Company, Google And Facebook Will

CNNMoney: Fred Wilson writes off Apple, and not for the first time

Forbes: New York’s Top VC Says Apple Doesn’t Get The Cloud; He’s (Mostly) Wrong

Posted in Cloud Computing

Midwest IT executives talk innovation at Midwest Technology Leaders event

One of the best networking and strategy sharing events in the Midwest is happening in just a few short days. On May 14th, hundreds of senior IT executives are going to meet at the Inn at St. John’s in Plymouth for the Midwest Technology Leaders conference. The theme this year is The Next Decade of Innovation, Disruption, and Consumerization. This is the 10th anniversary of the Midwest Technology Leaders event, and it promises to be particularly engaging and helpful, with about 25 speakers and a networking reception that runs into the evening.

This show touches on the whole gamut of IT related topics, including:

  • Driving Customer Centric Innovation
  • Driving Growth and Business Value
  • Capitalizing on the Growth of Data
  • Facing the Challenge of ever Increasing Risk with IT Security
  • Design and Deliver the Transparent Enterprise
  • Building a High Performing Team in a Complex Workforce Environment
  • Conquering the War on Talent
  • Various Hot Topics on the Minds of Today’s Top CIOs, via new CIO Rapidfires
  • Healthcare’s Changing Landscape Creates Challenges for CIOs

As a truly “for executives, by executives” event, MTL has worked hard to get leaders in the industry to speak at this event. Here are just a few of the faces you’ll see next week:


Subra Sripada is executive vice president and chief administrative and information officer at Beaumont Health System. Areas reporting to him include Information Technology; Strategic Planning and Business Development, Marketing and Public Affairs; and the Project Management Office.

Sripada has extensive U.S. and global health care industry and consulting experience. Prior to joining Beaumont in November 2008, he served in a leadership role at PricewaterhouseCoopers, a global management consulting firm, where he consulted on health information technology and business strategy in the U.S. and internationally. He has also held leadership positions at CapGemini, Ernst and Young and worked for six years at Henry Ford Health System.


David B. Behen holds dual roles as director of the Department of Technology, Management and Budget and as Michigan’s chief information officer. In these capacities, he is responsible for setting strategic direction and ensuring timely delivery of state services.

As director of DTMB, Behen leads efforts to provide the full range of information technology and communications, facility management, financial, procurement, fleet and retirement services, among others. As state CIO, he directs development of IT resources to meet the growing needs of Michigan’s citizens.

Online Tech will be present as well, to answer questions about our secure, compliant hosting solutions. Find out more about the Midwest Technology Leaders event here.

Posted in Encryption, Michigan Colocation, Michigan Data Centers, Online Tech News

Bridging the software and infosec professional chasm

In contrast to the unseasonably cold weather Columbus, Ohio, has experienced of late, this week’s InfoSec Summit kicked off in bright purple ‘Aloha’ style with Jim Manico’s recommendations for improving web application security. Only one other attendee could match his shirt color, but none were equal to the energy with which Jim highlighted some serious software security concerns.

No, this wasn’t a dig on the software developers who face an incredibly daunting tempest of deadlines, budget constraints and requirements as part of their daily existence. This was a heartfelt plea to security professionals to provide clear and specific security requirements as part of the pre-design documentation. If we do anything less than proactive, constructive communication about security with application developers, we’ll never slow down the freight train of increasing cybersecurity threats.

The description of Manico’s session explained “we cannot ‘firewall’ or ‘patch’ our way to secure websites. In the past, security professionals thought network security practices and corporate policies were enough. Today, however, these methods are outdated and ineffective to protect applications, as attacks on prominent, well-protected websites are occurring every day. No company or industry is immune. Programmers need to learn to build websites and other applications differently.”

Manico — an author, developer security educator and 17-year veteran of building software as a developer and architect — shared several examples of poor software security practices and some healthy antidotes. Here are a few, and you’ll find a link to his library of software security slides referenced at the end.

Thwart SQL Injections

Would the email address ';-- pass your email address validation? Hope not. It’s the perfect recipe for a SQL injection attack: the quote and semicolon set the email address field to nothing and end the statement (that’s the '; part of the address), and the two dashes comment out the rest of the query.

Solution? Use query parameterization. Now, be honest. When was the last time your development team received “query parameterization” in their list of requirements? None of the software developers at this week’s InfoSec Summit had the benefit of such instruction, but they were still mandated to write secure code and doing their best to do so.
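As an added illustration (not code from Manico’s talk or the original post), here is the same email lookup written two ways in Python with sqlite3: string concatenation, where the ';-- input above ends the statement and comments out the rest of the WHERE clause, beside the parameterized form he recommends. The table, the rows and the query itself are constructed for this demo.

```python
import sqlite3

# Constructed sample data: one real account and a disabled placeholder row
# whose email happens to be empty. Not taken from the original post.
SAMPLE_USERS = [
    ("alice@example.com", 1),
    ("", 0),
]


def make_db():
    """Build an in-memory users table for the demonstration."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (email TEXT, active INTEGER)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def find_active_user_vulnerable(conn, email):
    """Builds the statement by string formatting: user text becomes SQL.

    Returns the SQL that was actually run and the rows it produced, so a
    reader can see how ';-- rewrites the statement.
    """
    sql = ("SELECT email, active FROM users "
           "WHERE email = '%s' AND active = 1" % email)
    # With email = ';-- this is:
    #   ... WHERE email = '';--' AND active = 1
    # The quote closes the string, the ; ends the statement, and the
    # dashes turn the active check into a comment.
    return sql, conn.execute(sql).fetchall()


def find_active_user_parameterized(conn, email):
    """Parameterized query: the driver binds the value, so ';-- is just data."""
    sql = "SELECT email, active FROM users WHERE email = ? AND active = 1"
    return conn.execute(sql, (email,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    ran, rows = find_active_user_vulnerable(db, "';--")
    print(ran)
    print("vulnerable returned:", rows)          # the disabled empty-email row
    print("parameterized returned:",
          find_active_user_parameterized(db, "';--"))  # nothing
```

The vulnerable version hands back the disabled account because its active check was commented out; the parameterized version matches no row, since no user’s email is literally ';--.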

Improve poor password management

OK, now would “Password1!” meet your password policy? How many banking websites are there that still limit passwords to eight characters? Please, allow your passwords to be as long as you reasonably can.

Sprinkle a little cryptography and salt on your passwords to slow down your password verification. That’s right — slow it down. It puts a real crimp on brute force hackers and can buy you days or even weeks against an aggressive attacker without significant negative impact to your users.

Use multi-factor authentication

First, if you’re not using multi-factor authentication for your Gmail, Twitter, LinkedIn and other accounts, stop reading this. Enable multi-factor authentication now, and then come back. Seriously. No, go ahead, we’ll wait right here. If you really took the time, you’ve just spared yourself and your networks a lot of spam and hassle.

Think the impact of poor password management is trivial? Blizzard, producer of World of Warcraft, implemented multi-factor authentication when players’ accounts were brute-force hijacked to facilitate cyber money laundering and the involuntary dispersal of valuable possessions. As every business is discovering, digital assets are a currency all their own, and protections are woefully weak.

Don’t reinvent the wheel

There are many excellent software security libraries available, such as the OWASP Java Encoder Project. If you are writing your own security code from scratch — stop. Chances are a mature library already exists that you can leverage and help meet those crazy deadlines and requirements even more gracefully!

Related topics:

Encryption Video Series

White paper: Encryption of Cloud Data

White paper: Mobile Security


Jim Manico’s software security slides:

Posted in Cloud Computing, Information Technology Tips, Mobile Security

Data breaches ending careers “right to the top” of C-suite

Co-CEO Yan Ness has a saying that Online Tech is “in the business of helping our clients sleep at night.” Primarily, he’s speaking of organizations not losing sleep worrying about compliance and data security. But at the C-suite level, more and more, protecting data privacy also means protecting careers.

On Monday, Target president and CEO Gregg Steinhafel resigned after 35 years with the company. According to a statement from the company’s board of directors, Steinhafel “held himself personally accountable” for the massive data breach Target experienced late last year. Target CIO Beth Jacob also resigned following the breach, which compromised up to 110 million customer records, cost the company $17 million in breach-related expenses and dealt a significant blow to its reputation.

An Associated Press story claims Steinhafel is the first CEO of a major corporation to lose his job because of a data breach, “showing how responsibility for computer security now reaches right to the top.”

Research released on the day of Steinhafel’s resignation offers a glimpse into the severity of data breaches for companies: The Ponemon Institute’s annual Cost of Data Breach Study indicates U.S. companies that suffered a data breach in 2013 lost an average of $5.4 million. That’s a 9-percent increase from 2012 and an average of $201 per record lost.

To help it fight cybercrime, Target recently hired Bob DeRodes – a security expert who has worked with the U.S. Department of Homeland Security and the Department of Defense – as its new CIO. If that kind of hire is not in your organization’s budget, contracting with an experienced infosec professional can put solid security requirements in place at the design phase and clean up those that made it to production environments. Alternatively, outsource IT infrastructure to a company dedicated to security and compliance that will maintain your patches, monitoring, and other cybersecurity safeguards and best practices so you can focus your resources just on what your own organization needs to do to improve security.

What else can a company or organization do to protect against the threat of an attack on their systems? Layer up with security and create a comprehensive defense in depth solution that ties together log and file monitoring, two-factor authentication, patch management, vulnerability scanning and other technical security tools that can potentially detect and prevent a data breach of proprietary or sensitive data.

Weigh the cost-benefit analysis of preventative IT and the potential cost per record of a data breach in your respective industry – a little bit of good security can go a long way.

Related reading:

White paper: PCI Compliant Clouds

White paper: Mobile Security

Encryption Video Series

White paper: Encryption of Cloud Data


Associated Press: Target’s CEO first major corp boss to lose job in customer data breach

Network World: Data breaches 9% more costly in 2013 than year before

InfoSecurity: Target appoints new CIO, adds chip and PIN to payment cards

Posted in HIPAA Compliance, Information Technology Tips, PCI Compliance, SAS 70/SSAE 16/SOC