Home » Blog

Blog

Sign Up for the FREE Secure File Transfer Webinar Series

Linoma Software is hosting a FREE October Webinar Series on the advantages of securing your system-to-system and person-to-person file transfer processes.  Please take a moment to register for one, or both, of these informative live presentations.

Webinar: Get Your FTP Server in Compliance

Get Your FTP Server in Compliance

Are you still running an outdated FTP server in your DMZ? Does your FTP server have the security controls and audit reporting needed to meet the latest PCI and HIPAA compliance requirements?

GoAnywhere goes beyond a typical FTP server by providing the enterprise-level features and security you need to get compliant.

FREE WEBINAR: Now Available On-Demand

We demonstrate GoAnywhere and how to:

  • Use SFTP, FTPS and HTTPS for file transfers
  • Protect files at rest and in motion with AES 256 encryption
  • Set triggers to automatically process files
  • Control access to private and shared folders with granular permissions
  • Generate detailed audit logs and reports

Register Now


3 Advantages of an On-premise Solution for File Sharing

Are you looking for a better solution than cloud-based file sharing services like Dropbox to transmit sensitive company data?

Put an end to employees using unsecure cloud-based file sharing services. Improve compliance and cut the risk of sensitive company data falling into the wrong hands.

FREE WEBINAR: Now Available On-Demand

We cover the three advantages of an on-premise product for Enteprise File Sync and Sharing (EFSS):

  • Local management of user accounts and files
  • End-to-end encryption of files at rest and in motion
  • No monthly user subscription fees or storage limits

Register Now


Join us for these complimentary webinars to get a valuable tour of GoAnywhere MFT. Linoma's engineers will be on hand during the webinars to answer your technical questions.


Healthcare Industry Still Lags in Protecting Data

As healthcare information security requirements and penalties get tougher, a great deal of discussion is focused around how well the healthcare industry is securing patient data.

healthcare data security survey results

The general consensus is that the industry still has a long way to go. One of the industry's publications, Healthcare InfoSecurity, released the results of the Healthcare Information Security Today survey sponsored by RSA which took an in-depth look at security and IT practices of senior executives in the healthcare industry.

<< click on the image to learn more  

 

The survey reviews many information security topics including

  • Impact of a data breach
  • Security threats
  • Compliance and steps to improve security
  • Risk assessment

Some of the responses surprised us on how far healthcare companies need to go for proper HIPAA compliance. Take a look at these statistics:

  • 55% of respondents were not confident in their organization's ability to comply with HIPAA and HITECH Act regulations concerning privacy and security (grading themselves adequate or less).
  • 66% responded that their organization's ability to counter internal information security threats was adequate or less.
  • Only 47% of survey participants utilize encryption for information accessible via a virtual private network or portal.
  • 32% of respondents have not conducted a detailed information technology security risk assessment/analysis within the past year with 47% updating their risk assessment only periodically.

The good news is that the survey shows that healthcare organizations are taking steps in the right direction to improve their security practices.

  • 37% of organizations' budgets for information security are scheduled to increase over the next year.
  • 40% of respondents plan to implement audit tool or a log management solution within the next year.

When asked what their organization's top three information security priorities are for the coming year, the top responses included

  • Improving regulatory compliance efforts
  • Improving security awareness/education
  • Preventing and detecting breaches

Healthcare IT teams will need updated security policies, comprehensive training for employees, and reliable tools and solutions that can deliver functionality, ease of use, audit reporting, and efficient workflows that protect the security of confidential data at rest and in motion.

The pressure is growing, compliance audits are looming, and tackling these issues are just part of the evolution of the healthcare industry.  


New Protections for Patient Data Increase Pressure For Trading Partners to Get Compliant

Yet another layer of regulation has been added to the Health Insurance Portability and Accountability Act (HIPAA) that offers even greater protection for healthcare patients' privacy, while also defining new rights regarding how they can access their health records.

meet HIPAA compliance regulationsThe biggest change is the expansion of HIPAA compliance requirements to include trading partners and third parties who also handle patient data, such as billing companies, contractors, and more.  The U.S. Department of Health and Human Services (HHS) reports that these third parties have been responsible for several significant data breaches which is one reason the responsibility for compliance has been extended to this group.

Penalties for violating HIPAA compliance rules will be assessed based on the determined level of negligence, and can go as high as $1.5 million per incident.

Other issues addressed with the latest additions to the HIPAA regulations include more clarity in defining which types of breaches need to be reported, as well as how patients will be allowed to access and interact with their health records electronically.

If you're concerned about whether your FTP server meets compliance regulations, join us for a webinar on Thursday, Jan. 31 at Noon Central entitled "Get Your FTP Server in Compliance!"  You can learn more about the agenda for this webinar here.

For more information about the new HIPAA rules, check out the press release from HHS.


Healthcare Data Breaches on the Rise

Stories of data breaches across all industries continue to make the news, and nowhere is the pressure greater to keep data safe than on healthcare IT managers.

Healthcare IT News states that health data breaches increased by 97% in 2011. The 2012 Data Breach Investigations Report from Verizon's RISK team confirmed that over 174 million records were reported as compromised, mostly as the result of hackers accessing the data. According to the Identity Theft Resource Center 2011 Breach Stats Report, 20% of all data breaches in 2011 were in the healthcare industry.

data breach statistics for 2012

What is most startling about this report is that, according to the RISK study, 97% of these cases could have been avoided through simple or intermediate security controls.  The graphic (see right) is one of the many included in Verizon's study.

Because the most common place where data is compromised is from corporate databases and web servers, hackers who gain access to these vulnerable areas are mining this data for private information such as social security numbers, birthdates and credit card information.

Studies like these underscore the importance of establishing network security perimeters and implementing procedures that protect the privacy of  patients' information residing on these servers.

IT managers must be vigilant to combat hackers' ever more sophisticated tools and methods, and that begins with better security procedures at the office.

Security Policy and Procedures Document

The first step in ramping up security is to write and formalize a security policy and procedures document that addresses best practice protocols and that encompasses applicable HIPAA and HITECH regulations.

Next, all employees must be trained and expectations for compliance made clear,  because it takes a concerted effort on everyone's part to ensure the required protections are implemented consistently.

Secure Data Files In Motion

One of the more popular ways for hackers to capture sensitive data is via the movement of files and documents across the Internet.  In an earlier blog post, we talked about how standard FTP is commonly used to send files. However, FTP sends the files in unencrypted form, and offers no protection for the server's login credentials. Once those credentials are captured, hackers can use them to access the FTP server to mine additional data files.

While managing the security of all of the files in the office may seem overwhelming, Managed File Transfer solutions can simplify this task. Used in conjunction with a reverse proxy gateway, a much greater security perimeter is formed around the network, servers and the sensitive data that need protection.


Building a Framework for HIPAA and HITECH Compliance

HITECH laws were enacted to up the ante on healthcare organizations to meet HIPAA legal compliance for data security and privacy, which, of course puts an additional burden on IT to make sure all bases are covered.  But regardless of the rigors of enacted laws, compliance doesn't happen overnight. It takes diligence and continued effort to understand and address all necessary requirements. To avoid the potential penalties of breaking HIPAA and HITECH laws, losing the confidence of patients and partners, and incurring hefty penalties, a focused, deliberate, measured plan is essential.

In addition to becoming familiar with HIPAA and HITECH regulations (a good place to start is the HHS.gov website), it's critical to meet with your security and management team and make decisions as to how your organization can best protect sensitive healthcare information. One of the first places to start this process is to fully document your department's own security policy and procedures.  This provides the foundation from which to train internal users in understanding and complying with the HIPAA and HITECH rules. In fact, having a security policies and procedures document is a requirement by HIPAA and HITECH.

If you don't currently have your security policies and procedures documented, one option for finding a good template is to Google the term, "IT Security Policies and Procedures." You will find free downloadable templates that give you a basic outline to follow.

If you already have this document in place, keep in mind it needs to be treated as a living document, to be changed and updated often as circumstances and requirements change.  Make a point to do a yearly, if not a bi-yearly, review.

Of course, documentation of security policies is only a start. You need to procure and implement proven security tools across your enterprise to protect your data -- whether the data resides on a server or is being transmitted across a network or the Internet.  A less-than exhaustive list of necessary IT security tools for ensuring compliance:  

 

  • Firewall - This security measure prevents intrusion into the private network from unauthorized outside viewers.
  • Email encryption  - To meet privacy requirements, email communications that contain private data must be encrypted.
  • Malware protection - This step keeps spyware/malware from infecting PCs and servers containing private data.
  • FTP communications - Managed file transfer solutions are designed specifically to provide encryption, logging and automation tools that make sure the sensitive data is secured and tracked while in motion, while reducing the time to manage all incoming and outgoing transactions
  • Backup protection - Backup files and tapes need to be encrypted and otherwise secured to make sure sensitive data can't fall into the wrong hands
  • Data shielding - Sensitive fields need to be encrypted or hidden to ensure that it can't be viewed or extracted by unauthorized viewers. A good data encryption product can also encrypt data on backup tapes as well sensitive data that might be shown in on-screen applications.
  • Physical facility protection - Server rooms, fax/copy/printer rooms, workstations all must be  considered when protecting sensitive data that is printed on paper or residing on servers or PCs.
  • Telephone and online communications - Anyone involved in telephone, online chat or discussion groups needs to be trained to be sensitive to privacy regulations and exposing sensitive information.

 

As you can see, there are several aspects of compliance to HITECH and other laws that need to be considered and addressed.  Healthcare professionals and organizations need to take their patients' privacy seriously, whether in the hospital, physician office or in electronic format on servers and digital communications with others.


HITECH Compliance Offers Challenges for IT

Outside of the finance industry, healthcare is one of the most regulated industries in the U.S.  As the healthcare policy debates rage on, one issue on which most Americans can agree is the need to keep personal healthcare information confidential and secure.

Major regulations such as HIPAA and HITECH have been passed into law to increase the security of our personal health information.  For better or worse, a major portion of the burden to comply with the regulations and all of their revisions falls upon the IT professionals.

HIPAA and HITECH: a brief overviewHITECH, data security, compliance

While HIPAA (Health Insurance Portability Accountability Act), passed in 1996, has received the most attention (see our blog), the more recently implemented HITECH law is quickly having an impact.

HITECH (Health Information Technology for Economic and Clinical Health Act) was passed into law in 2009. The goal for the  HITECH is to strengthen the civil and criminal enforcement of already existing HIPAA regulations that require health organizations and their business partners to report data breaches.  HITECH also increases the penalties for security violations, and implements new rules for tracking and disclosing patient information breaches.

Data breach notification

Under HITECH rules, all data breaches of PHI (protected health information) must be reported to the individuals whose data was compromised. This includes reporting files that may have been hacked, stolen, lost or even transmitted in an unencrypted fashion.  If such a breach -- or potential breach -- affects 500 people or more, the media must also be notified.   Breaches of all sizes must always be reported to the Secretary of Health and Human Services (HHS), but if fewer than 500 individuals' records are affected, healthcare organizations can report the breach via the HHS website on an annual basis.  Larger breaches must be reported to HHS within 60 days.

Penalties for data breach

The HITECH Act implements a four tier system of financial penalties assessed based on the level of "willful neglect" a healthcare organization demonstrated resulting in the breach. Fines range from  $100 per breached record for unintended violations all the way up to $50,000 per record (with an annual cap of $1.5 million) when "willful neglect" is demonstrated.

Access to electronic health records (EHRs)

HITECH requires that the software that a health organization uses to manage its EHRs must make a person's electronic PHI records available to the patient and yet remain protected from data breach by encrypting the data and securing the connection.  Not surprisingly, email is not considered a secure method of data transmission.

Business associates

Before HITECH,  business associates of healthcare organizations were not held directly liable for privacy and security under the HIPAA rules, even though they had access to PHI.  HITECH now requires that all business associates with access to PHI are subject to the HIPAA rules and must maintain Business Associate Agreements with the healthcare organization that provides the PHI.  Business associates are also required to report any data breaches and are subject to the same penalties as their healthcare business partners.


Silence the Nagging By Securing Your Data

Compliance issues and the ever-growing list of compliance regulation acronyms (HIPAA, PCI, SOX, etc.) are persistently nagging IT folks who must meet tough mandates and overly complicated rules. compliance, HIPAA, PCI DSS, data security

Of course, the real reason we must now pay so much attention to compliance is others' irresponsible abuse. Somewhere along the data strewn path, a few malicious malcontents had to succumb to the voice of greed and abuse their technological skill sets.  All IT professionals' jobs are tougher thanks to those that through hacking, sniffing, or lifting data sources chose to steal and sell inadequately secured information.

The truth is, though, that "data" really is sensitive information and we live in a paranoid modern world where dastardly damage is done with a just a little twist of the facts.  So in response to the cries of outrage among our citizens, politicians have wrung their bureaucratic hands and offered plenty of passing legislation designed to protect our data.

Because IT is responsible for the company's data, we need to stay abreast of the laws that apply to it. We also need to to fully understand and implement the three types of data protection: physical, transitional, and procedural.

Physical

Physical protection is probably the easiest. We secure the data on our servers, backup tapes and offsite facilities with technologies such as passwords, drive encryption, backup encryption, data center surveillance, physical locks, etc. We spare no expense in securing the physical because we can see it and believe it is secured. Or so we think.

Transitional

Transitional protection is a little more difficult.  Any data files that leave our networks should be secured with managed FTP solutions that encrypt the files with SFTP, FTPS, HTTPS, PGP, and other protocols.  Firewalls are set up to control what can leave or enter our data domain. DMZ gateways are set up to increase the virtual protection of the data and still allow designated users access to it.

Procedural

Procedural security is a type of data protection that is least understood and implemented.  A clear and understandable security policy needs to be communicated to the end users so they become familiar with sensitive data is secured, and what consequences may loom if procedures aren't followed.

The majority of us in IT are protective about who has access to our own sensitive data, so we can understand the reason for protecting everyone else, too.  Yes, it's a lot of work, but it's part of the new normal.


Reverse Proxy Gateway Video Now Live

Rounding out our series of GoAnywhere product videos, we've recently added an overview of GoAnywhere Gateway.  It explains how incorporating a reverse proxy and a forward proxy into your managed file transfer processes adds an extra layer of protection for your private network.reverse proxy DMZ gateway

When GoAnywhere Gateway is implemented, trading partners can exchange files with your organization without gaining access to your private network because no inbound ports will need to be opened to complete the exchange.  This feature is especially important to auditors evaluating compliance with regulations such as PCI DSS, HIPAA, and SOX.

Our Gateway video premier coincides with the release of our latest white paper entitled DMZ Gateways: Secret Weapons for Data Security.  Please let us know if you'd like to learn more about how our reverse proxy DMZ gateway can improve your secure file transfer system.


Managed File Transfer Solution Now on Video

We're always looking for new ways to illustrate the power and versatility of our GoAnywhere suite of secure file transfer and encryption solutions.  Very simply, GoAnywhere helps you streamline, encrypt and automate your file transfer processes to save time and money while meeting ever-growing compliance requirements.

Still, we find it's sometimes challenging to quickly explain the power and convenience of our managed file transfer software, so we're excited to introduce some brand new videos to showcase the flexibility and control GoAnywhere clients have.

GoAnywhere secure file transfer software solution

GoAnywhere's suite of secure file transfer solutions helps you manage all of your organization's inbound and outbound file transfers -- both internally as well as with external trading partners.

With support for virtually any platform and protocol, including FTP, FTPS, SFTP, HTTP/S, AS2, SMTP and ZIP, GoAnywhere puts local control of the entire process into one intuitive dashboard.  GoAnywhere eliminates the need for custom scripts, generates detailed audit logs, and provides a rich catalog of features for comprehensive management, all without additional hardware or specialized skills.

If you'd like to test drive a free trial, let us know.  We'd also love to hear what you think of our videos!


Citigroup Breach Triggers Congressional Response

The data breach at Citigroup in May - a breach which reportedly exposed an estimated 200,000 customer accounts - has motivated members of the U.S. Congress to re-introduce legislation to penalize the very organizations that have been victimized by hackers.  What are the next steps your company should take?

New bills to protect consumers' personal dataLinoma Software Managed File Transfer Solutions

Two bills are proposed by both House and Senate legislators.

First, Sen. Patrick Leahy (D-Vt.) has introduced the Personal Data Privacy and Security Act of 2011.  The new bill provides:

  • Tough criminal penalties for individuals who intentionally or willfully conceal a security breach involving personal data;
  • A requirement that companies that maintain personal data establish and implement internal policies to protect data privacy and security; and
  • A requirement that the government ensure sensitive data is protected when the government hires  third-party contractors.

This act would also require, under threat of fine or imprisonment, that businesses and agencies notify affected individuals of a security breach by mail, telephone or email  "without unreasonable delay." Media notices would be required for breaches involving 5,000 or more people.  The FBI and the Secret Service would need to be notified if the breach affects 10,000 or more people, compromises databases containing the information of one million or more people, or impacts federal databases or law enforcement.

But that's not the only security bill that has businesses concerned.

In the House, Rep. Mary Bono Mack (R-Ca) is holding hearings in preparation of a bill she's named The SAFE (Secure and Fortify) Data Act that would also require "reasonable security policies and procedures" to protect consumers and enable disclosures to victims and the Federal Trade Commission within 48 hours of a data breach.

Companies no longer viewed as the victims

All this sounds good from the consumer's point of view. But what about the expense - and potential Linoma Software GoAnywhere Managed File Transfer Solutionpenalties - suffered by the "owners" of the data: the businesses themselves?

While these bills may address the public's interest for notification -- and indeed they would bring some semblance of a national standard - they also represent an interesting shift in the liabilities that companies will face.  How is that?

Though we currently have no federal data breach notification law, federal policies now view the companies that experience a data breach as the victims of crime. However, under the proposed legislative bills, companies that do not act quickly to appropriately secure the personal data of customers - or fail to report a data breach in a reasonable amount of time - would not only suffer the theft of data, but also be held liable for its loss.

This is a significant shift. Companies are now being viewed not as the owners of consumer data, but merely guardians and trustees whose job it is to protect that data or face criminal penalties. And the message is clear: if companies won't take adequate precautions to secure the sensitive data of our customers, they'll pay a hefty price.

Where does your company stand?

In a world in which diligent hackers have the power break into seemingly secure networks and systems, what can your company do?

The challenge is first to determine exactly what qualifies as adequate precautions.

GoAnywhere Secure Managed File Transfer A review of the HIPAA HITECH security provisions that took effect last year provides some insight about what the government considers adequate protection.

HITECH strongly recommends the use of encryption technology. Encryption is a good place for your company to start, especially when dealing with the data your company stores on its servers.  If sensitive data itself is kept securely encrypted, a data breach doesn't expose the content of the information itself.

Secure managed file transfer protocols - which send data using encryption - is the second place to focus attention.

If data is encrypted when it is being securely transmitted between business partners, the value of that data should it be breached - through hacking, theft, or other malicious actions - is worthless.  Encryption and secure managed file transfers can dramatically minimize the holes of technical breaches, significantly reducing an organization's liability.

Preventing exposure

The Citigroup data breach has rekindled the momentum for a nationwide, cross-industry data breach reporting standard. This standard will not to eliminate the physical breaches themselves. What's needed is legislation to encourage companies secure the underlying data that is the target of the hackers.

Isn't it time for your company to take a serious look at its liabilities and to investigate how encryption and managed file transfers can close these important security holes?