Why Your Business Needs a Disaster Recovery Plan
Jul 2nd, 2019 by Admin

Catastrophe will strike, it’s just a matter of when. Here’s what to look for when weighing a DR Service Provider.

Hurricanes, floods, fires, tornadoes, earthquakes, even ransomware — these devastating events can strike almost without warning. Does your business have a plan to not only safeguard sensitive data but contingencies for recovery should a catastrophe occur?

Management should acknowledge their company’s potential exposure to disasters, natural and otherwise. These events can endanger the accessibility and support of an organization’s IT systems and networks.

It’s trite but true: an ounce of prevention is worth a pound of cure. So how does a business protect the integrity of its IT processes before cataclysm strikes? An effective option is to collaborate with a reputable data center, one with the resources to protect valuable data while keeping it secure and accessible.

Now that you recognize the utility of a data center, what should you look for? Below is a laundry list of essentials your DR service should provide.

Proactive Planning for Emergencies

An effective disaster recovery plan starts long before storm clouds gather. You want your IT partner to customize a comprehensive and ordered strategy that maintains and monitors network infrastructure and ongoing processes. Your employees, too, should be trained and evaluated on how to reduce or avert system downtime.

Proactive planning also encompasses preventive maintenance. Your DR provider should regularly schedule tests of fire detection/extinguishing systems, power supplies/generators and HVAC systems.

Redundancy and Safety

How do fiber optic networks provide such outstanding redundancy and protection? In large part, due to bidirectional line-switched architecture. This means that in the event of network element failure, optical signals can be rerouted, either with “protection” spare fibers or by backhauling.

You want the same from your DR provider. Does it offer alternative facilities should its primary data center be offline? Are their data centers sited to prevent damage from floods, fires, winds or earthquakes?

Power failures and loss of environmental cooling can wreak havoc on vulnerable infrastructure elements. Look for facilities with redundant uninterruptible power supplies (UPS), supported by generators that switch seamlessly online if utility power fails. Seek the same redundancy within the data center’s HVAC configurations.

Redundancy also includes instantaneous access to multiple “core” or “Tier 1” long-haul networks should the primary carrier interrupt service.

Facility Security

Is the DR provider’s data center monitored at all times? Are employees required to wear visible ID whenever onsite? Nowadays, constant surveillance of network assets is a must to maintain network integrity and data security.

Emergency Ops Team

Your DR provider should have a cross-trained and experienced emergency ops team in place, ready at a moment’s notice to restore operational functionality to networks and systems in case of a disaster. They are the “cavalry” riding to the rescue, freeing local employees to see to their families and homes.

Now that you know, consider Aperio IT as your partner in disaster recovery planning. We provide cloud hosting and backup services to small and mid-sized businesses like yours. It’s never too early to prepare before catastrophe strikes.

Contact us to learn more about planning your Disaster Recovery Plan with Aperio IT.

HIPAA trends that could affect your business
May 9th, 2016 by aperio

The HIPAA Audit Program

On March 21, 2016, the Department of Health and Human Services, Office for Civil Rights (OCR) launched Phase 2 of its HIPAA Audit Program. This phase of the audit program, “…will review the policies and procedures adopted and employed by covered entities and their business associates to meet selected standards and implementation specifications of the Privacy, Security, and Breach Notification Rules.”

According to the OCR, the number of audits done in this phase will be relatively small. This smaller number of audits reflects the OCR’s primary goal of better understanding the compliance efforts of covered entities and their business associates. The audit results will hopefully provide information to help them to determine what support is necessary for successful compliance.

This could be good news for companies that experience an audit; while the OCR maintains the option to initiate a compliance review in the case of egregious compliance issues, it will probably not be focusing primarily on enforcement actions.

HIPAA’s Privacy Requirements vs. the Spread of Social Media

How to maintain patients’ privacy in the face of widespread social media use is an ongoing challenge. With privacy rules that were originally written in 2000, then updated only once in 2009, it’s no wonder that HIPAA is lagging behind the rapid pace of technological change.

Although current regulations don’t completely cover the changing technological landscape, there are some common sense steps businesses can take to protect themselves. A good practice is to carefully remove all identifiers from PHI if it must be shared without the patient’s prior consent.

But be warned: modern search engines mean that surprisingly small amounts of information can unexpectedly be enough to identify patients. This means even a seemingly vague post on a site like Facebook could contain enough information to identify a patient, leading to liability concerns for the poster and their employer. Examples in the past few years include a Rhode Island physician who lost her privileges to work in the Emergency Room and faced a monetary fine for posting information online about a trauma patient. According to a Boston Globe article, “… [the] posting did not include the patient’s name, but… enough that others in the community could identify the patient.”

Your company will need to have clear, well-planned policies regarding social media use and will need to be certain that all employees have been made aware of these policies.

If you’d like to learn more about how HIPAA compliance affects your business, Aperio will be holding a Lunch & Learn Event on Wednesday, June 8. Brian Olsen, HIPAA Security Advisor, will be joining us to help answer your concerns about HIPAA regulations.


Additional information on HIPAA:

  • For a detailed look at dealing with Protected Health Information online, read The Hospitalist’s article on avoiding data breaches and HIPAA violations when posting online.
  • For a basic introduction to what the Health Insurance Portability and Accountability Act is, you can check out our previous blog post “What Does HIPAA Mean?”
  • To learn more about what your IT team will face when dealing with HIPAA compliance, take a look at our blog post “What Does Your IT Team Need to Know about HIPAA Compliance?”

The Problem With Passwords
Apr 8th, 2016 by aperio

With data breaches on the rise for companies around the world, the goal of reliable cyber security remains a challenge. In just the past month, Verizon Enterprise Solutions faced an attack that reportedly compromised the basic contact information of 1.5 million customers, potentially exposing those users to additional risk from phishing attacks. Hospitals also struggled with ransomware attacks, including MedStar Health in Maryland and Washington, D.C., Methodist Hospital in Kentucky, and two California hospitals operated by Prime Healthcare, Inc. Several of these hospitals were forced to temporarily shut down their systems in order to keep malware from spreading. Disturbingly, at least one such hospital has admitted to paying a ransom to have its data unlocked.

Why Users Don’t Follow Security Requirements

Driven by the constantly increasing need to improve security, IT professionals often advise their clients to follow requirements that are seen as cumbersome. As a result, many otherwise well-intentioned users do not comply with these requirements. Even worse, some users are actually willing to sell password information for surprisingly low prices. In a study performed by SailPoint Technologies this year in which 1,000 office workers in various industries and from multiple countries were interviewed, an appalling number admitted to poor password practices such as:

  • Using a single password among several applications. (65%)
  • Sharing their passwords with co-workers. (30%)
  • Willingness to sell their passwords to outsiders for as little as $1,000. (20%)

Surprisingly, SailPoint’s study showed that even though employees expect other companies to make protecting their personal data a priority, they fail to do the same for their own clients. The study showed that 32% of the respondents had been impacted by security breaches at other companies. But in spite of this, many still continue to engage in poor security practices.

The Multi-Factor Authentication Solution

So if the worst users are actively dishonest and the best are still too likely to engage in risky security practices, what is the solution to the password problem?

One possible approach already in use by some companies is multi-factor authentication. With this approach a password is still used, but is combined with additional factors. For example, a company might not complete your online request to change your password until you provide a code they have sent to a phone number you previously designated. In another example, a user signing on to a company laptop might also be required to have their fingerprint or voice scanned. Here, employees are effectively discouraged from using unwise security practices – you can share a password, but it’s prohibitively difficult to share fingerprints. And hackers who may have acquired a password are much more likely to be blocked by the additional requirement.
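As an added illustration (not code from this post or from Aperio IT), here is a small server-side verifier for the out-of-band code flow described above: a short code is issued, delivered to the user’s pre-registered phone, and must be returned before the sensitive action completes. The class name, limits and user names are constructed assumptions; the point is the three properties that make such a code a real second factor: it expires, it is single-use, and guesses are limited.

```python
import hmac
import secrets
import time

# Constructed values: a six-digit code, valid for five minutes, five guesses.
CODE_DIGITS = 6
CODE_LIFETIME_S = 300
MAX_ATTEMPTS = 5


class SecondFactor:
    """Issues one-time codes and verifies them with expiry, single use and an attempt limit."""

    def __init__(self, now=time.time):
        self._now = now        # injectable clock so expiry can be exercised in tests
        self._pending = {}     # user -> [code, issued_at, attempts_left]

    def issue(self, user: str) -> str:
        # secrets, not random: the code must be unpredictable to anyone holding the password
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._pending[user] = [code, self._now(), MAX_ATTEMPTS]
        return code  # in a real system this goes to the SMS/voice sender, never to the web client

    def verify(self, user: str, submitted: str) -> bool:
        entry = self._pending.get(user)
        if entry is None:
            return False                      # nothing issued, or already consumed
        code, issued_at, _ = entry
        if self._now() - issued_at > CODE_LIFETIME_S:
            del self._pending[user]           # expired: the user must request a fresh code
            return False
        entry[2] -= 1
        if entry[2] < 0:
            del self._pending[user]           # too many guesses: a 6-digit code is brute-forceable
            return False
        # constant-time compare so response timing does not reveal how many digits matched
        if hmac.compare_digest(code, submitted):
            del self._pending[user]           # single use: a replayed code is rejected
            return True
        return False
```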

Some biometric technologies to facilitate multi-factor authentication already exist and more are on the way. Most of us are familiar with the use of fingerprints and voice recognition. Along with these, additional technologies include keystroke recognition, which focuses on the unique typing rhythms of users; palm vein recognition, which identifies unique vein patterns in palms and/or fingers; and heartbeat recognition, which relies on the unique electrocardiographic signals produced by an individual’s heart; and many more.

Not all of these technologies are sufficiently mature to provide reliable and cost-effective security at present. However, technology changes rapidly. What was expensive yesterday may well be affordable tomorrow. (For an example, see DIY Is Shaping Our Future – design student creates his own braces using 3D printing.)

Biometrics alone or multi-factor authentication are likely to be used in the future to meet security needs. In July, 2015, the Bloomberg BNA Privacy & Security Law Report published a report titled “Should the FTC Kill the Password? The Case for Better Authentication.” In this report, the authors argue that “…in certain circumstances the FTC should start requiring better methods of authentication than passwords alone.” Companies interested in preparing for the future will need to explore this approach.

What Does Your IT Team Need to Know About PCI DSS Compliance?
Dec 9th, 2015 by aperio

(Part 6 in our series on IT Compliance Concerns.)

In Part 5 of our series, we discussed how the Payment Card Industry Data Security Standard (PCI DSS) was created in an effort to improve protections for storing, processing, and transmitting cardholder data. In this part, we will look at some of the details your IT team will need to deal with regarding PCI DSS compliance.

What are some of the Information Technology concerns for PCI DSS compliance?

Keeping in mind that the penalties for failing to comply with these standards can include fines and possibly the termination of privileges to process credit cards, your IT team will need to pay careful attention to many details. We discussed the twelve general requirements for PCI DSS compliance in our last post. Naturally, each one of these raises concerns for your IT department.

Firewalls

This includes installing and maintaining a firewall configuration to protect cardholder data. Additionally, your IT team will need to regularly test your firewall for effectiveness.

Not using vendor-supplied defaults for system passwords and other security parameters

Your company will need to create, maintain, and regularly update your system passwords with unique and secure passwords. You cannot allow your employees to simply continue to use passwords your vendors started them with. For an IT department, getting users to follow password requirements can be a frustrating process. Educating your employees so they understand the real need for inconvenient policies is key to winning their compliance.

Protecting stored cardholder data

(This applies only to companies that store cardholder data.) In addition to encrypting all stored cardholder data, your IT team may need to combine virtual and physical security features. Examples of virtual security: authorization, authentication, etc. Examples of physical security: restricted access, locks on cabinets, servers, etc.

Encrypting transmission of cardholder data across open, public networks

Given the increased use of public networks, your IT team will need to pay close attention to wireless networks and remote access solutions for this requirement.

Using and regularly updating antivirus software

Your IT department is probably already aware of the need for antivirus software. With this requirement in mind, the need to regularly update software and apply patches becomes even more important.

Developing and maintaining secure systems and applications

Your IT team will need to have a process for tracking newly discovered security vulnerabilities in the software your company uses. This may mean making use of alert systems provided by your software vendors.

Restricting access to cardholder data by business need-to-know

This simply means limiting the number of employees who have access to cardholder data. It requires your company to have carefully designed processes for determining which employees will have that access so that your IT team can then provide that access.

Assigning a unique ID to each person with computer access

This will ensure that when actions are taken on critical data, those actions can be connected to known, authorised users.

Restricting physical access to cardholder data

Again, limiting access limits the chances of a security breach.

Tracking and monitoring all access to network resources and cardholder data

This means logging activity on networks and appropriate devices, as well as storing those logs in case they need to be used later as evidence in the event of a security breach.

Regularly testing security systems and processes

This means conducting regular vulnerability scans for possible weaknesses.

Maintaining a policy that addresses information security

Such a policy needs to address remote access and wireless technologies, removable electronic media, email, internet usage, laptops and other mobile devices, as well as addressing the monitoring of service providers.

To learn more about PCI DSS and related issues:

Other posts in this series:

Part 5: Is Your Company PCI DSS Compliant?

Thank you to everyone who attended our Security themed lunch and learn.
Aug 20th, 2015 by aperio

Thank you to ESET and Barracuda Networks for coming out and giving awesome presentations. We will be having another event in October, so like us on Facebook and add us on LinkedIn so you can stay up to date on our upcoming events and other local tech events in the area.
