Managed File Transfer: Preventing Healthcare Identity Theft

17 06 2010

A recent report by the Smart Card Alliance entitled “Medical Identity Theft in Healthcare” states, “Further evidence of the significance of the medical fraud problem is the allocation of $1.7 billion for fraud detection in the 2011 U.S. Health and Human Services budget.” In 2009 alone, 68 reported healthcare data breaches in the U.S. put over 11.3 million patient records at risk, according to the Identity Theft Resource Center (ITRC).

Paper records are no longer acceptable for your organization.

The American Recovery and Reinvestment Act (ARRA) and the associated provisions under the Health Information Technology for Economic and Clinical Health (HITECH) Act have highlighted the need to address security and privacy across our healthcare system.

The report goes on to state that “the way to stop medical identity theft confusion is to improve patient identification and provide enhanced data production through strong authentication and encryption.” How can a healthcare organization achieve this? B2B Managed File Transfer. Protection of patient information does not happen just inside the four walls of your organization. Think of the providers, health record banks, health insurance and hospital Web portals.

The key is two-factor authentication and data encryption. Are you employing these security methodologies at your organization?





Is Data Security a Priority for Hotels?

17 05 2010

In a recent Hotel News Now article, “Hotel data breaches the result of basic failures within the industry,” the editor discusses the many headlines that have recently focused on the hospitality industry. Whether it’s Wyndham Hotels & Resorts, Radisson Hotels & Resorts or the Westin Bonaventure Hotel & Suites in Los Angeles, hotels have been hit hard by data breaches. The article goes on to state that the hotel industry is lacking in very basic security measures that could have otherwise prevented these occurrences, including password resets and remote access. In this first article of a five-part series, the editor points to a study conducted by The Center for Hospitality Research in association with the Cornell Hospitality Report dated September 2008. The report, “Hotel Network Security: A Study of Computer Networks in U.S. Hotels,” states, “many hotels have flaws in their network topology that allow for exploitation by malicious users, thereby resulting in the loss of privacy for guests.”

The survey found that about one out of five hotels still uses an antiquated hub-based network, an arrangement that is inherently flawed in terms of security. Also, hotels are providing unsecured Wi-Fi connections that are not encrypted and are subject to hacking. In fact, just six of the 39 wireless properties were using encryption. So, how can hotels secure their customers’ private information and communications? While the article suggests a series of steps (all good measures), additional security measures should be taken. Between hotel suppliers, customers and employees, secure communication should be established both internally within the hotel and externally with other business partners. A complete solution, from encrypted ad hoc information and file transfer to an enterprise-wide solution that goes beyond the four walls of the hotel, is necessary to provide the most secure infrastructure possible.

Have you experienced a security breach while staying at a hotel?





Data Breaches: Stop the Insanity!

10 05 2010

In a recent article by the Identity Theft Resource Center (ITRC), entitled, “Data Breaches: The Insanity Continues,” the ITRC discusses the highlights of 2009 data breaches:

  • Paper breaches account for nearly 26 percent of known breaches (an increase of 46 percent over 2008)
  • Business sector climbed from 21 percent to 41 percent between 2006 and 2009, the worst sector performance by far
  • Malicious attacks have surpassed human error for the first time in three years
  • Out of 498 breaches, only six reported that they had either encryption or other strong security features protecting the exposed data

What will the stats be for 2010? Take preventative measures.

The article goes on, stating, “Insanity might well be defined as repeating the same action again and again, and expecting a different outcome.” So, the ITRC compiled a list related to how businesses are addressing data breaches and security:

  • Insanity 1 – Electronic Breaches: After all the articles about hacking and the ever-growing cost of a breach, why isn’t encryption being used to protect personal identifying information? Proprietary information almost always seems to be well protected. Why not our customer/consumer personal identifying information (PII)?
  • Insanity 2 – Paper breaches: Why aren’t more state legislators passing laws about rendering paper documents unreadable prior to disposal if they contain PII? Do we dare ask that those laws be actually enforceable? Perhaps we are waiting for paper breaches to reach 35% of the total.
  • Insanity 3 – Breaches happen: Deal with it! You will get notification letters. Breach notification does not equal identity theft. Let’s stop the “blame game” and instead require breached entities to report breach incidents via a single public website. This would allow analysts (and law enforcement) to look for trends and link crimes to a single ring or hacker faster.
  • Insanity 4 – A Breach is a Breach: Let’s not kid ourselves. “Risk of harm” is not a useful standard for determining if the public and consumers should be notified about a breach, especially if the company involved gets to define “risk of harm.” If it is your #$@%2 SSN that is out on the Internet, do YOU think there is “risk of harm?” Some companies might say “no.”
  • Insanity 5 – Data on the Move: You will notice that statistically this is a bright spot, with a decreasing incidence in the past 3 years. But, really! This is 100% avoidable, either through use of encryption, or other safety measures. Laptops, portable storage devices and briefcases full of files, outside of the workplace, are still “breaches waiting to happen.” With tiered permissions, truncation, redaction and other recording tools, PII can be left where it belongs – behind encrypted walls at the workplace.

So how are you protecting your data internally and externally?





MFT Secures Both Secrets and Data

7 04 2010

In a new report published by Forrester Research, entitled “The Value of Corporate Secrets: How Compliance and Collaboration Affect Enterprise Perceptions of Risk,” 90 percent of enterprises surveyed agreed that compliance with PCI-DSS, data privacy laws, data breach regulations and existing security policies is the primary driver of their secure data programs. Additionally, nearly 70 percent of enterprises said that compliance with internal security policies has caused them to spend more time, money or effort protecting their data.

So, what data are they focusing on?

Enterprises surveyed are putting a higher value on “corporate secrets” such as proprietary knowledge or any information a company wants to keep under wraps. The report states, “secrets tend to be messily and abstractly described in Word documents, embedded in presentations and enshrined in application-specific formats like CAD.” Custodial data, in essence, customer, medical and payment card information, “has little intrinsic value in and of itself.” However, when a data breach occurs, the “benign” data becomes harmful as it has adverse effects via fines, negative press, a tarnished reputation and customer complaints.

While the report finds that most respondents put more value on corporate secrets, shouldn’t there be a solution for both corporate secrets and custodial data? I would think both stolen corporate secrets and data breach headlines would provide equal parts drama. Moreover, one of the conclusions drawn from the study is that most enterprises do not actually know whether their data security programs work or not.

Whether it’s an ad hoc file transfer (those messy PowerPoints) or thousands of files of customer and partner information (credit cards, Social Security numbers, etc.), there is a solution for ensuring all data is protected.





Managed File Transfer: Not Just an FTP/sFTP Replacement

5 04 2010

Most seasoned IT support staff think of file transfer as a method of moving data between the mainframes of different companies. However, the scope and challenges involved have become much more complex, and accordingly, the space has become segmented.

  • B2B Transfers – This segment has grown tremendously as Web-based protocols have enabled companies to connect all their business partners without the need for dedicated lines, replacing transfers originally performed by exchanging physical media via courier or fax.
  • Internal File Transfers – With the advent of distributed computing, when some business applications moved away from the mainframe or were supplemented with server-based applications, the need arose to transport data in bulk to server-based applications for processing. Often, this need was addressed with free tools such as FTP/sFTP. However, while these tools were cost-effective and solved an immediate problem, little focus was given to the security and reliability these solutions could provide and to the bigger picture of the IT infrastructure.
  • Ad hoc File Transfers – Does your company need to facilitate infrequent, ad hoc data transfers – either between companies or between the data center and a larger user base such as your sales force? Then you should look for solutions incorporating Web-based portals for this ad hoc data exchange.

Additionally, Managed File Transfer gives you the ability to meet security, compliance and audit requirements. With regulations such as Sarbanes-Oxley (SOX), the Health Insurance Portability and Accountability Act (HIPAA) and the Gramm-Leach-Bliley Act (GLBA), companies are under greater pressure to meet strict mandates. A Managed File Transfer solution should help you streamline the audit process by providing a central point for all audit information.

Through the automation of your file transfer infrastructure, you gain these benefits and more, including cost savings and reduced risk. As a final thought: you also don’t end up in the news. Stories of data breaches and the organizations that have to report them are picked up by major media outlets daily, and with increasing frequency.

Is FTP/sFTP doing all this for you? More importantly, can you risk it?





Education and Monitoring Needed to Protect SMBs and Banks

26 10 2009

A recent article on the Bank Info Security Web site, entitled “Online Fraud: New Victims, New Approaches,” states that “commercial banking customers continue to be the hot targets of online crime, as additional U.S. businesses report money stolen from their accounts following the FDIC’s alert in late August.”

Doug Johnson, Senior Policy Analyst at the American Bankers Association, stated, “It’s clear that a wide education campaign is needed on this threat. Community banks need to be aware it is attacking them as well as the large banks.”

The article also cited the FDIC, which noted an increase in the number of reports of losses resulting from unauthorized electronic fund transfers (EFTs), such as automated clearing house (ACH) and wire transfers.

If you work at a bank or a small to mid-sized business, how do you protect your own and your customers’ financial information from data breaches? Managed File Transfer solutions provide security, visibility and compliance with industry regulations, whether you’re a large international organization or a small community bank. Additionally, there are Managed File Transfer solutions out there that scale to meet your needs.