Archive for the ‘privacy’ Category

GDPR – Top 10 Things That Organizations Must Do to Prepare

May 25, 2018 – that’s probably the biggest day of the decade for the universe of data on the Internet. On this date, Europe’s data protection rules –  European General Data Protection Regulation (GDPR) – becomes enforceable. In 2012, the initial conversations around GDPR began, followed by lengthy negotiations that ultimately culminated in the GDPR proposal. At the time of writing this guide (Sep 2017), most European businesses have either started making first moves towards becoming compliant with GDPR, or are all set to do so. Considering how GDPR will be a pretty stringent regulation with provisions for significant penalties and fines, it’s obvious how important a topic it has become for tech-powered businesses.

Now, every business uses technology to survive and thrive, and that’s why GDPR has relevance for most businesses. For any businessman, entrepreneur, enterprise IT leader, or IT consultant, GDPR is as urgent as it is critical. However, it’s pretty much like the Y2K problem in the fact that everybody is talking about it, without really knowing much about it.

Most companies are finding it hard to understand the implications of GDPR, and what they need to do to be compliant. Now, all businesses handle customer data, and that makes them subject to Data Protection Act (DPA) regulations. If your business already complies with DPA, the good news is that you already have the most important bases covered. Of course, you will need to understand GDPR and make sure you cover the missing bases and stay safe, secure, reliable, and compliant in the data game. Here are 10 things businesses need to do to be ready for GDPR.

Top 10 things that organizations should do to prepare and comply with GDPR

1.      Learn, gain awareness

It is important to ensure that key people and decision makers in your organization are well aware that the prevailing law is going to change to GDPR. A thorough impact analysis needs to be done for this, and any areas that can cause compliance issues under GDPR needs to be identified. It would be appropriate to start off by examining the risk register at your organization if one exists. GDPR implementation can have significant implications in terms of resources, particularly at complex and large organizations. Compliance could be a difficult ask if preparations are left until the last minute.

2.      Analyze information in hand

It is necessary to document what personal data is being held on hand, what was the source of the data, and who is it being shared with. It may be necessary for you to organize an organization-wide information audit. In some cases, you may only need to conduct an audit of specific business areas.

As per GDPR, there is a requirement to maintain records of all your activities related to data processing. The GDPR comes ready for a networked scenario. For instance, if you have shared incorrect personal data with another organization, you are required to inform the other organization about this so that it may fix its own records. This automatically requires you to know the personal data held by you, the source of the data and who it is being shared with. GDPR’s accountability principle requires organizations to be able to demonstrate their compliance with the principles of data protection imposed by the regulation.

3.      Privacy notices

It is important to review the privacy notices currently in place and put in a plan for making any required changes before GDPR implementation. When personal data is being collected, you currently need to provide specific sets of information such as information pertaining to your identity and how you propose to use that information. This is generally done with a privacy notice.

The GDPR requires you to provide some additional information in your privacy notices. This includes information such as the exact provision in the law that permits asking for that data and retention periods for the data. You are also required to specifically list that people have a right to complain to the ICO if they believe there is a problem with the way their data is being handled. The GDPR requires the information to be provided in the notices in easy to understand, concise and clear language.

4.      Individual rights

You should review your procedures to confirm that they cover all the individual rights set forth in the GDPR. These are the rights provided by the GDPR.

  • To be informed
  • Of access
  • To rectification
  • To erasure
  • To restrict processing
  • To data portability
  • To object
  • To not be subject to automated profiling and other such decision-making

This is an excellent time to review your procedures and ensure that you will be able to handle various types of user requests related to their rights. The right to data portability is new with the GDPR. It applies:

  • To personal data provided by an individual;
  • When processing is based on individual consent or to perform a contract; and
  • Where processing is being done by automated methods.

5.      Requests for Subject access

You would need to plan how to handle requests in a manner compliant with the new rules. Wherever needed, your procedures will need to be updated.

  • In most of the cases, you will not be allowed to charge people for complying with a request
  • Instead of the current period of 40 days, you will have only a month to execute compliance
  • You are permitted to charge for or refuse requests which are apparently excessive or unfounded
  • If a request is refused, you are required to mention the reason to the individual. You are also required to inform them that they have the right to judicial remedy and also to complain to the correct supervising authority. This has to be done, at the very latest, within a month.

6.      Consent

It is important to review how you record, seek and manage consent and if any changes are required. If they don’t meet the GDPR standard, existing consents need to be refreshed. Consent must be specific, freely given, informed, and not ambiguous. A positive opt-in is required and consent cannot be implied by inactivity, pre-ticked boxes or silence. The consent section has to be separated from the rest of the terms and conditions. Simple methods need to be provided for individuals to take back consent. The consent is to be verifiable. It is not required that the existing DPA consent have to be refreshed as you prepare for GDPR.

7.      Aspects related to children

It would be good if you start considering whether systems need to be put in place in order verify the ages of individuals and to get consent from parents or guardians for carrying out any data processing activity. GDPR brings in specific consent requirements for the personal data of children. If your company provides online services to children, you may need a guardian or parent’s consent so as to lawfully process the children’s personal data. As per GDPR, the minimum age at which a child can give her consent to this sort of processing is set to 16. In the UK, this may be lowered to 13.

8.      Aspects related to data breaches

You should ensure that you have the correct procedures necessary to investigate, report, and detect any breaches of personal data. The GDPR imposes a duty on all companies to report specific types of data breaches to the ICO, and in some situations, to individuals. ICO has to be notified of a breach if it is likely to impinge on the freedoms and rights of individuals such as damage to reputation, discrimination, financial loss, and loss of confidentiality. In most cases, you will also have to inform the concerned parties directly. Any failure to report a breach can cause a fine to be imposed apart from a fine for the breach by itself.

9.      Requirements related to privacy by design

The GDPR turns privacy by design into a concrete legal requirement under the umbrella of “data protection by design and by default.” In some situations, it also makes “Privacy Impact Assessments” into a mandatory requirement. The regulation defines Privacy Impact Assessments as “Data Protection Impact Assessments.”’ A DPIA is required whenever data processing has the potential to pose a high level of risk to individuals such as when:

  • New technology is being put in place
  • A profiling action is happening that can significantly affect people
  • Processing is happening on a large set of data

10.  Data protection officers

A specific individual needs to be designated to hold responsibility for data protection compliance. You must designate a data protection officer if:

  • You are a public authority (courts acting in normal capacity exempted)
  • You are an institution that carries out regular monitoring of individuals at scale
  • You are an institution that performs large-scale processing of special categories of data such as health records or criminal convictions

Many of GDPR’s important principles are the same as those defined in DPA; still, there are significant updates that companies will need to do in order to be on the right side of GDPR.

Author: Rahul Sharma

Sources

https://ico.org.uk/media/1624219/preparing-for-the-gdpr-12-steps.pdf

https://ico.org.uk/for-organisations/data-protection-reform/overview-of-the-gdpr/

 

 

Sharing Large Medical Images and Files – Factors to Consider

ID-100414456

According to data collected by the HHS Office for Civil Rights, over 113 million individuals were affected by protected health information breaches in 2015. Ninety-nine percent of these individuals were victims of hacking, while the remaining 1 percent suffered from other forms of breach such as theft, loss, improper disposal, and unauthorized access/disclosure. A quick look at the trend from 2010 shows that health information data breaches are on the rise. An even deeper look at this report shows that network servers and electronic medical records are the leading sources of information breaches, at 107 million and 3 million, respectively.

Sadly, security is not the only issue that medics face when sharing medical records. A 2014 article in the New York Times explains the difficulty medics face when trying to send digital records containing patient information. While the intention is noble—to improve patient care coordination—doctors are facing problems with their existing large file sharing options.

To help doctors share files such as medical images in an easier and safer way, we will explore four factors that should be considered.

HIPAA Compliance

Medical records are sensitive and confidential in nature. This means that handling them should be guided by set industry policies, in this case, Health Insurance Portability and Accountability Act (HIPAA), for example. HIPAA is actually a response to security concerns surrounding the transfer and storage of medical records, in this case, images.

HIPAA places responsibility on medics and healthcare providers in general to secure patient data and keep it confidential. As a result, non-compliance could lead to legal action, which can be costly. Usually, HIPAA makes sure that all Personal Health Information (PHI) is covered, outlining more stringent rules on electronic PHI, mainly because a security breach is more likely to affect a larger number of patients, all at once.

It is a medic’s responsibility to ensure that the selected EFSS solution is HIPAA-compliant if you want to maintain patient trust, keep positive publicity, and avoid steep HIPAA fines imposed after a breach. In fact, the first time you commit an offense, HIPAA will charge approximately $50,000, a figure that escalates accordingly with each subsequent offense.

Encryption

This is the second level of security you should consider before settling on a large file sharing solution. As much as an EFSS service provider is HIPAA-compliant, you need to ensure that measures outlined in HIPAA are taken.

When you read about patients’ rights as outlined in HIPAA, specifically the ‘Privacy, Security and Electronic Health Records’, you will notice that information security is emphasized. For this reasons, medics should ensure that patient data is encrypted in order to prevent it from being accessed by rogue colleagues or professional hackers.

It is entirely important that all hospital departments—ranging from cardiology, imaging centers and radiology, among others—encrypt medical images and files to further protect patient privacy. Better still, encryption should be both at rest and on transit, and files should only be shared with authorized specialists and physicians as well as the patients themselves.

To further tighten security, these files should be encrypted with non-deterministic encryption keys instead of fixed ones, whose passwords can be hacked. The best thing about this technique is that even when faced with a security breach on the server side, hackers cannot access the encryption keys. Additionally, you can opt for EFSS solutions that offer client-side encryption alone, barring the service provider and its employees from accessing this information.

File Scalability

Compared to other medical records, medical images present a great challenge with regards to file size. It is actually reported that a significant number of sequences and images are an average of 300MB. Additionally, average file size for a standard mammography image and a 3D tomography image are 19MB and 392 MB, respectively. While these file sizes already seem too large, Austin Radiological Association (ARA) predicts that by 2024, annual data from its 3D breast imaging files will reach 3 petabytes. These facts expose the storage challenges that medics face.

A glance at the process of finding medical images for active cases, storing them, and archiving those of inactive cases shows the immense need for medics to find a reliable and convenient large file sharing solution that caters to these storage needs.

A weak server could get overwhelmed with data, progressively becoming inefficient and inept as more files are uploaded into the system. The best way to solve this issue is by using cloud-based services that automatically scale your files according to your needs. This way, you will upload more files in the server, significantly reducing hardware costs by approximately 50 percent, especially when this is done on the cloud as opposed to in-house. In addition to these perks, the cloud will allow you to share these images faster and more conveniently, saving both time and storage.

Technology Increases the Likelihood of Medical Errors

While technology helps solve issues such as security and storage, over-reliance could actually lead to medical errors, incidents that are dreadful to patients and medics as well. As reported by Eric McCann of Healthcare IT News, medical errors cost America a colossal $1 trillion each year, and 400,000 Americans die annually due to these preventable mistakes.

Even though the cloud has been paraded as a solution to reduce incidences of medical error, the need to be watchful and keen can never be overstated. Take, for example, the erroneous click of a mouse and mislabeling of data. A case study on Kenny Lin, MD, a family physician practicing in Washington, D.C., which is detailed in his 2010 piece in the U.S. News & World Report, shows us how easy it is to make a mistake with technology. Dr. Lin nearly made a wrong prescription by accidentally clicking on the wrong choice in his EMR system.

Now, what if you mislabeled a patient’s radiology report? Wouldn’t that start a series of misdiagnosis and treatment? Could you imagine the damage caused? It is for this reason that even when technology makes it easier to share large, sensitive files like medical images, you should counter-check and make sure that the file is labeled correctly and sent to the intended, authorized recipient.

The Way Forward

The sensitivity of medical files is eminent, and with data breaches on the rise, it is vital to ensure the privacy of all medical documents, including large medical images and files. To reduce the possibility of a data breach, any EFSS solution used to share these files should guarantee a reasonable level of file security and HIPAA compliance. In addition to that, its capacity to efficiently handle file sizes and offer easy access to these files should not be ignored. Lastly, as you remain cautious when feeding data into the system, create a safe backup for your data just in case of a data breach. By taking such precautions, medical files can be shared between all necessary parties easier and more safely.

Author: Davis Porter

Image courtesy: freedigitalphotos.net, stockdevil

Data ownership in the cloud – How does it affect you?

The future of the cloud seems bright, Cisco predicts that by 2018, 59% of cloud workloads will be created from Software As A Service (SaaS). While these statistics are optimistic, we cannot ignore a few concerns that stifle cloud adoption efforts, such as data ownership.

Most people would be inclined to say that they still own data in the cloud. While they may be right in some sense, this is not always the case. For instance, let us look at Facebook, which many people use as cloud storage to keep their photos. According to the Facebook end-user-agreement, the company stores data for as long as it is necessary, which might not be as long as users want. This sadly means that users lose data ownership. Worse still, the servers are located in different locations, in and out of the United States, subjecting data to different laws.

According to Dan Gray, as discussed in ‘Data Ownership In The Cloud,’ the actual ownership of data in the cloud may be dependent on the nature of the data owned and where it was created. He states that there is data created by a user before uploading to the cloud, and data created on the cloud platform. He continues to say that data created prior to cloud upload may be subject to copyright laws depending on the provider, while that created on the platform could have complicated ownership.

In addition to cloud provider policies, certain Acts of Congress, although created to enhance data security and still uphold the nation’s security, have shown how data ownership issues affect businesses. Two of these, the Stored Communications Act (SCA) and the Patriot Act show the challenges of cloud data ownership and privacy issues, with regards to government access to information stored in the cloud.

The Stored Communications Act (SCA)

Usually, when data resides in a cloud provider’s infrastructure, user owner rights cannot be guaranteed. And even when users are assured that they own their data, it does not necessarily mean that the information stored there is private. For example, the United States law, through the Stored Communications Act (SCA), gives the government the right to seize data stored by an American company even if it is hosted elsewhere. The interpretation of this saw Microsoft and other technology giants take the government to court, claiming that it was illegal to use the SCA to obtain a search warrant to peruse and seize data stored beyond the territorial boundaries of the United States.

Microsoft suffered a blow when a district court judge in New York ruled that the U.S government search powers extend to data stored in foreign servers. Fortunately, these companies got a reprieve mid-2016, when the Second Circuit ruled that a federal court may not issue a criminal warrant to order a U.S cloud provider to produce data held in servers in Ireland.  It is however, important to note that this ruling only focused on whether Congress intended for the SCA to apply to data held beyond U.S.A territory, and did not touch on issues to deal with Irish data privacy law.

The Patriot Act

The Patriot Act was put into place in 2001 as an effort by George Bush government to fight terrorism. This act allowed the Federal Bureau of Investigation (FBI) to search telephone, e-mail, and financial records without a court order, as well as expanded law enforcement agencies access to business records, among other provisions. Although many provisions of this Act were set to sunset 4 years later, the contrary happened. Fast-tracking to 2011, President Barrack Obama signed a 4-year extension of 3 key provisions in the Act, which expanded the discovery mechanisms law enforcement would use to gain third-party access. This progress brought about international uproar especially from the European Union, causing the Obama administration to hold a press conference to quell these concerns.

The situation was aggravated when a Microsoft UK director admitted that the Patriot Act could access EU based data, further disclosing that no cloud service was safe from the ACT, and the company could be forced to hand over data to the U.S government. While these provisions expired on June 1 2015, due to lack of congressional approval to renew, the government found a way to renew them through the USA freedom Act.

The two Acts show us that data owned in the cloud, especially public cloud, is usually owned by the cloud providers. This is why we are seeing the laws asking cloud providers to provide this information, and not cloud users.

What To Do In Light Of These Regulations

Even if the SCA has been ruled illegal as not to be used to get warrants to retrieve data stored in the cloud, and the USA freedom Act is purported by some parties as a better version of the Patriot Act, we cannot ignore the need for cloud users to find a way to avoid such compulsions.

One idea users could have is escaping the grasp of these laws, which is unfortunately impractical. To completely outrun the government, you would have to make sure that neither you nor the cloud service used has operations in the United States. This is a great disadvantage because most globally competitive cloud providers are within the United States jurisdiction. Even when you are lucky and find a suitable cloud provider, it is may still be subject to a Mutual Legal Assistance Treaty (MLAT) request. Simply, put, there is no easy way out.

Instead, understand the risks and let your clients know. For example, if the Patriot Act extension attempts were successful, financial institutions would be obliged to share information with law enforcement agencies on suspicion of terrorist activities. In such a case, a good financial institution would warn its clients of these risks before hand. Alternatively, you can find a way of storing data in-house, forcing the feds to go through you and not the cloud provider.

Conclusion                                                       

Truthfully, data ownership in the cloud is a complicated issue.  Determined by both government and company policies, data ownership in the cloud is not always retained.  Gladly, depending on data policies and how they categorize data in the cloud, a user could be granted full ownership. In the event that this doesn’t happen, prepare for instances of third-party access and infringement of complete privacy, hence rethink your business strategy. In short, as a cloud services client, please pay attention to the contract that you sign with your provider and understand the laws under which the provider operates.

Author: Davis Porter

HIPAA Prescribed Safeguards for File Sharing

health care data governance

The Health Insurance Portability & Accountability Act (HIPAA) sets standards for protecting sensitive data of patients in the cloud. Any company which is dealing with PHI (protected health information) needs to ensure all of the required network, physical, and process safety measures are properly followed. If you want to learn more about requirements of HIPPA, click here to learn more.

This includes CE (covered entities), anyone who is providing treatment, operations, and payment in health care, BA (business associates) with access to patient’s information stored in the cloud or those who provide support in payment, operations, or treatment. Subcontractors and associates of associates need to be in compliance too.

Who needs HIPAA?

The privacy rule of the HIPAA helped address the saving, sharing, and accessing of personal and medical data of individuals stored in the cloud while the security rule is more specifically meant for outlining national security standards to help protect the health data which is received, maintained, transmitted, or created electronically, also known as e-PHI (electronic protected health information).

Technical and physical safeguards

If you’re hosting data with HIPAA compliant hosting providers, they need to have particular administrative, technical, and physical safeguards in place as per the US HHS (Department of Health & Human Services). The technical and physical safeguards which are the most important for services provided by hosts are listed below:

  • Physical safeguards include limited facility control or access with authorized access procedures. All entities need to be HIPAA compliant, need to have policies regarding the use and access of electronic media and workstations. This includes removing, transferring, reusing, and disposing of e-PHI and electronic media.
  • Technical safeguards should only allow authorized users to access e-PHI. Access control will include the use of unique user ID’s, emergency access procedures, automatic logoffs, decryption, and encryption.
  • Tracking logs or audit reports need to be implemented in order to keep a record of activity on software or hardware. This is very useful when it comes to pinpointing the source or the cause of security violations.
  • Technical policies need to be used for covering integrity controls and measures should be in place to confirm e-PHI has not been destroyed or altered. Offsite backup and IT disaster recovery are very important in order to ensure any electronic media errors or failures can quickly be remedied, and health information of patients can be recovered intact and accurately.
  • Transmission or network security is the last safeguard needed of HIPAA compliant hosts in order to protect them against any unauthorized access or use of e-PHI. This concerns all of the methods for transmitting data, whether it is over the internet, email, or even on private networks, like a private cloud.

A supplemental act passed in 2009 known as the HITECH (Health Information Technology for Economic & Clinical Health) Act which supported the enforcement of all of the HIPAA requirements by increasing the penalties imposed on organizations who violated the HIPAA privacy or security rules. The HITECH Act was created in response to the development of health technology and increased storage, transmission, and use of electronic health information.

HIPAA has driven a number of healthcare providers to search for solutions that can help them secure cloud data. Medical information is very private, and regulation keeps getting tighter, which means enforcement is also getting tighter. There are a number of healthcare providers have chosen to move their whole EHRs onto a HIPAA compliant platform such as FileCloud in order to reduce their expenses and become more inter-operable across various other devices in a safe, HIPAA-compliant fashion.

 

Author: Rahul Sharma

images courtesy: freedigitalphotos.net/ Stuart Miles

US-EU Safe Harbor – Origin, Reasons to strike down, Implications

The US-EU Safe Harbor was a great framework that simplified operations of many organizations. Recently, US-EU Safe harbor was struck down due to series of accusations, threat to national security and mistrust between countries. The following three articles cover the origin of the agreement, the details on how it worked, reasons why it was struck down and what are the implications.

Essential Tools for Cloud Security

cloud security (2)

Cloud computing is steadily growing to become the most expansive business platform in the world primarily because of its numerous benefits, among them scalability, cost effectiveness, mobility and increased security. Although 56% of entrepreneurs are reportedly optimistic about cloud security, it still faces a significant amount of risks and potential threats.

For most corporations, especially small and medium businesses, the cloud is a relatively new networked paradigm whose security protocols are still yet to be completely comprehended. Consequently, a large number of businesses owners who are concerned about security, are considerably uncertain about relying on third party cloud service providers. Their fears are further fueled by some of the recent news, where hackers have targeted and successfully infiltrated some of the most popular cloud servers including Dropbox, Amazon Cloud Service and GoGrid.

Despite the security compromises, these cloud providers have managed to successfully recover and subsequently implement impenetrable security measures to prevent future occurrences. Protecting your cloud servers is therefore possible as long as you understand the threats and utilize the necessary tools. In fact, cloud security is easier to implement and harder to penetrate than regular in-house data security.
So, which are the essential tools for cloud security? To determine this, you need to first evaluate and determine the type of cloud service you are using. There are three types of cloud services, each facing a unique set of security threats.

  1. Infrastructure as Service (IaaS): As a consumer, this type of cloud allows you to use arbitrary software like programs and operating systems through its resources including networks, storage, processing and other critical resources which are distributed through the internet as virtualized systems.

The underlying framework of resources is protected by service providers. The security of the applications and operating systems on the hand, is dependent on the consumer. Therefore, it’s critically important to install the necessary security infrastructure to protect your data and operations as you use IaaS.

  1. Platform as a Service (Paas): This cloud system eliminates the need to install any system or platform in your computer, and instead allows you to deploy your own applications directly on its infrastructure through the internet. A number of resources including software development frameworks are provided to you to boost your applications and overall operations.

Just like IaaS, security is implemented in two levels- the primary cloud runtime engine and the individual applications deployed by the user. Of course the latter level is dependent on you while the former is dependent on the service provider. Some of the security threats you may experience include:

  • Underlying Infrastructure Threats: The underlying framework is the most important element because it forms the foundation of many applications running on it. A system failure would completely cripple all the applications and subsequently disable all the features. Protecting this infrastructure is therefore more important than securing the individual applications.

Fortunately for consumers, its security is entirely dependent on the developers and service providers. It has to be comprehensively protected by sealing all the loopholes including the individual applications. An infiltration on an application shouldn’t be subsequently passed on to the runtime engine.

  • System Development Threats: Developers should come up with an architecture that securely accommodates all the frequent application updates, without exposing the system to additional vulnerabilities. The security development processes should therefore be flexible enough for all the updates.
  • Third Party Threats: Since Paas cloud models provide users with third party web services like mashups, security should extend to such components to avoid possible network and data infiltrations. Any security threat from mashups should be effectually contained before spreading to other entities.
  1. Software as a Service (SaaS): Contrary to other two cloud models, SaaS consumers have very limited control on security. The security is largely controlled by the service providers, who host and distribute services like SCM, CRM, ERP, conferencing software, and more, to their individual subscribers. The primary threats come from malware lodged into the main cloud systems to infiltrate the networks and possibly cripple them. The responsibility of detecting such malware and preventing attacks by blocking them lies sorely with the service providers- through impenetrable firewall and anti-malware systems.

After assessing your type of cloud model, you should install the essential security tools that correspond to your potential data, network and system security threats. Here are some of the most critical counter measures and tools you should consider:

Encryption

Encryption has been a standard data security tool even before the invention of computers. It reportedly started with ancient Egyptians, who used cryptography, an encryption system, to pass messages without revealing the actual details to the general public.

Today, encryption could be used to store sensitive data within the cloud. Consequently, the data would be useless and meaningless to hackers if they successfully infiltrated the system. Some of the most widely used schemes include SSL and Advanced Encryption Standard (AES).

Web Application Scanners

Cloud services which utilize web applications are predominantly vulnerable since such applications are easy targets to hackers. They are particularly notorious of creating malware that pose as web applications to steal data from cloud users. The most effective strategy of protecting your data and network is installing efficient web application scanners- to comprehensively scan all the web applications to block cyber-attacks and malware.

Virtual Network Security Framework

This is a security framework to protect against the spoofing of virtual networks, where data could be stolen by a malicious virtual machine as other virtual machines communicate. The Xen based system comprises of a three layered model (shared networks, firewall and routing layers) that uses routed or bridged configuration modes to detect and block inter-virtual machine spoofing.

Fragmentation Redundancy Scattering

Data leakage is a common security phenomenon in cloud networks, where data is distributed to the wrong party as it’s being processed, stored or transmitted. The most reliable method of preventing this is Fragmentation Redundancy Scattering– where data is first broken down into minute, meaningless fragments and distributed separately. If it falls to the wrong hands, the receiver won’t make sense of the individual fragments without defragmenting the rest.

There are many other tools, strategies and countermeasures to protect your cloud system and boost your overall data security. The suitability of a tool depends on your data architecture, infrastructure and relative efficiency of the tool in protecting other similar systems. That’s why it’s advisable to first do a comprehensive analysis on the reviews of a tool/strategy from IT architects before implementing it. Finally, remember to periodically review and scan your entire system to identify potential developing vulnerabilities.

Author: Davis Porter

Image Courtesy: Feelart, freedigitalphotos.net

Alternative to Microsoft OneDrive – Why FileCloud is better for Business File Sharing?

FileCloudvsOneDrive

FileCloud competes with Microsoft OneDrive for business in the Enterprise File Sync and Share space(EFSS). Before we get into the details, I believe an ideal EFSS system should work across all the popular desktop OSes (Windows, Mac and Linux) and offer native mobile applications for iOS, Android, Blackberry and Windows Phone. In addition, the system should offer all the basics expected out of EFSS: Unlimited File Versioning, Remote Wipe, Audit Logs, Desktop Sync Client, Desktop Map Drive and User Management.

The feature comparisons are as follows:

Features OneDrive
On Premise
File Sharing
Access and Monitoring Controls
Secure Access
Document Preview
Document Edit
Outlook Integration
Role Based Administration
Data Loss Prevention
Web DAV
Endpoint Backup
Amazon S3/OpenStack Support
Public File Sharing
Customization, Branding
SAML Integration Under Development
Anti-Virus
NTFS Support
Active Directory/LDAP Support
Multi-Tenancy
API Support
Application Integration via API
Large File Support
Network Share Support
Mobile Device Management
Desktop Sync Windows, Mac, Linux Windows, Mac, Linux
Mobile OS Compatibility iOS, Android, Windows Phone iOS, Android, Windows Phone
Pricing for 100 users/ year $4199 $6000

From outside looking-in, the offerings all look similar. However, the approach to the solution is completely different in satisfying enterprises primary need of easy access to their files without compromising privacy, security and control. The fundamental areas of difference are as follows:

Feature benefits of FileCloud over Microsoft OneDrive

On Premise: FileCloud is a pure private EFSS solution that will run inside enterprise’s own infrastructure. And, enterprises can have complete control over their data.

Embedded File Upload Website Form – FileCloud’s Embedded File Upload Website Form enables users to embed a small FileCloud interface onto any website, blog, social networking service, intranet, or any public URL that supports HTML embed code. Using the Embedded File Upload Website Form, you can easily allow file uploads to a specific folder within your account. This feature is similar to File Drop Box that allows your customers or associates to send any type of file without requiring them to log in or to create an account.

Unified Device Management Console – FileCloud’s unified device management console provides simplified access to managing mobile devices enabled to access enterprise data, irrespective of whether the device is enterprise owned, employee owned, mobile platform or device type. Manage and control of thousands of iOS and Android, devices in FileCloud’s secure, browser-based dashboard. FileCloud’s administrator console is intuitive and requires no training or dedicated staff. FileCloud’s MDM works on any vendor’s network — even if the managed devices are on the road, at a café, or used at home.

Device Commands and Messaging – Ability to send on-demand messages to any device connecting to FileCloud, provides administrators a powerful tool to interact with the enterprise workforce. Any information on security threats or access violations can be easily conveyed to the mobile users. And, above all messages are without any SMS cost.

NTFS Shares Support – Many organizations use the NTFS permissions to manage and control the access permissions for internal file shares. It is very hard to duplicate the access permissions to other systems and keep it sync. FileCloud enables access to internal file shares via web and mobile while honoring the existing NTFS file permissions. This functionality is a great time saver for system administrators and provides a single point of management.

Network Shares Support – FileCloud’s network share feature satisfies enterprise requirement of user/group specific access to folders. And, as files are already shared via network shares, no need for additional setup or products to buy. Moreover, FileCloud provides Active Directory & LDAP support along with NTFS permission support restricting access to network folders to just authorized users.

Multi-Tenancy Support – The multi-tenancy feature allows Managed Service Providers(MSP) serve multiple customers using single instance of FileCloud. The key value proposition of FileCloud multi-tenant architecture is that while providing multi-tenancy the data separation among different tenants is also maintained . Moreover, every tenant has the flexibility for customized branding. MSPs who are interested in becoming FileCloud partners click here

Pricing

Microsoft OneDrive:

Enterprises need to buy add-on or upgrade to satisfy basic requirements of an EFSS solution. For a 100 user package, the cost adds up to around $6000.

FileCloud:

Enterprises get one simple solution with all features bundled. For the same 100 user package, with more features the cost is $2999/year, better value than Microsoft OneDrive.

Conclusion

Microsoft OneDrive is another public cloud based EFSS solution. If enterprises need complete control and host all enterprise data on-premise, they should go with FileCloud. With FileCloud, enterprises not only get a true on-premise private cloud EFSS solution, but also get a rich feature set product at a great value.

Here’s a comprehensive comparison that shows why FileCloud stands out as the best EFSS solution.

Try FileCloud For Free & Receive 5% Discount

Learn more about FileCloud

Alternative to PowerFolder – Why FileCloud is better for Business File Sharing?

FileCloudVsPowerFolder

FileCloud competes with PowerFolder for business in the Enterprise File Sync and Share space(EFSS). Before we get into the details, I believe an ideal EFSS system should work across all the popular desktop OSes (Windows, Mac and Linux) and offer native mobile applications for iOS, Android, Blackberry and Windows Phone. In addition, the system should offer all the basics expected out of EFSS: Unlimited File Versioning, Remote Wipe, Audit Logs, Desktop Sync Client, Desktop Map Drive and User Management.

The feature comparisons are as follows:

Features sharefile
On Premise
File Sharing
Access and Monitoring Controls
Secure Access
Document Preview
Document Edit
Outlook Integration Beta Release
Role Based Administration
Data Loss Prevention
Web DAV
Endpoint Backup
Amazon S3/OpenStack Support
Public File Sharing
Customization, Branding Optional
SAML Integration Under Development Additional Integration
Anti-Virus
NTFS Support
Active Directory/LDAP Support
Multi-Tenancy Upgrade – Pay More
API Support
Application Integration via API
Large File Support
Existing Network Share Support
Mobile Device Management Limited
Desktop Sync Windows, Mac, Linux Windows, Mac, Linux
Mobile OS Compatibility iOS, Android, Windows Phone iOS, Android
Pricing for 50 users/ year $2199 $1950

From outside looking-in, the offerings all look similar. However, the approach to the solution is completely different in satisfying enterprises primary need of easy access to their files without compromising privacy, security and control. The fundamental areas of difference are as follows:

Feature benefits of FileCloud over PowerFolder

Embedded File Upload Website Form – FileCloud’s Embedded File Upload Website Form enables users to embed a small FileCloud interface onto any website, blog, social networking service, intranet, or any public URL that supports HTML embed code. Using the Embedded File Upload Website Form, you can easily allow file uploads to a specific folder within your account. This feature is similar to File Drop Box that allows your customers or associates to send any type of file without requiring them to log in or to create an account.

Document Quick Edit – FileCloud’s Quick Edit feature supports extensive edits of files such as Microsoft® Word, Excel®, Publisher®, Project® and PowerPoint® — right from your Desktop. It’s as simple as selecting a document to edit from FileCloud Web UI, edit the document using Microsoft Office, save and let FileCloud take care of other uninteresting details in the background such as uploading the new version to FileCloud, sync, send notifications, share updates etc.

Unified Device Management Console – FileCloud’s unified device management console provides simplified access to managing mobile devices enabled to access enterprise data, irrespective of whether the device is enterprise owned, employee owned, mobile platform or device type. Manage and control of thousands of iOS and Android, devices in FileCloud’s secure, browser-based dashboard. FileCloud’s administrator console is intuitive and requires no training or dedicated staff. FileCloud’s MDM works on any vendor’s network — even if the managed devices are on the road, at a café, or used at home.

Device Commands and Messaging – Ability to send on-demand messages to any device connecting to FileCloud, provides administrators a powerful tool to interact with the enterprise workforce. Any information on security threats or access violations can be easily conveyed to the mobile users. And, above all messages are without any SMS cost.

NTFS Shares Support – Many organizations use the NTFS permissions to manage and control the access permissions for internal file shares. It is very hard to duplicate the access permissions to other systems and keep it sync. FileCloud enables access to internal file shares via web and mobile while honoring the existing NTFS file permissions. This functionality is a great time saver for system administrators and provides a single point of management.

Network Shares Support – FileCloud’s network share feature satisfies enterprise requirement of user/group specific access to folders. And, as files are already shared via network shares, no need for additional setup or products to buy. Moreover, FileCloud provides Active Directory & LDAP support along with NTFS permission support restricting access to network folders to just authorized users.

Multi-Tenancy Support – The multi-tenancy feature allows Managed Service Providers(MSP) serve multiple customers using single instance of FileCloud. The key value proposition of FileCloud multi-tenant architecture is that while providing multi-tenancy the data separation among different tenants is also maintained . Moreover, every tenant has the flexibility for customized branding. MSPs who are interested in becoming FileCloud partners click here

Pricing

PowerFolder:

Enterprises need to buy add-on or upgrade to satisfy basic requirements of an EFSS solution. For a 50 user package, the cost adds up to around $1950.

FileCloud:

Enterprises get one simple solution with all features bundled. For the same 50 user package, with an all-inclusive rich feature set, the cost is $1799/year, better value than PowerFolder.

Conclusion

The reality is that every business out there small, medium or large has network shares already setup for their users. And, they have employees using their personal mobile devices to access enterprise data and network shares. Hence, it would be best for businesses to choose a solution that provides support for network share integration and mobile device management.

PowerFolder provides very limited network share integration and mobile device management. Moreover, some of the key features such as over the web document edit & branding needs an upgrade. On the other hand, FileCloud not only provides the ability to integrate into existing network shares, but also has a robust mobile device management solution built-in that will provide administrators tighter control on user access. Plus, all features are included in one simple price.

FileCloud is the least disruptive solution for any business that is looking for an on-premise EFSS solution.

Here’s a comprehensive comparison that shows why FileCloud stands out as the best EFSS solution.

Try FileCloud For Free & Receive 5% Discount

HIPAA 101 – An introduction to HIPAA 

HIPAA Guidance

 

HIPAA, otherwise known as the Health Insurance Portability and Accountability act, which was first introduced in 1996, demanded that the department for human services and health in the U.S. (HHS) should create specific regulations  to protect the security and privacy of health information. In order to properly fulfill this new requirement, the HHS published the HIPPA security rule, and the HIPAA privacy rule. The privacy rule, otherwise referred to as the standards for privacy of individual health information, establishes the standards that should be used nationally to protect health information. The security rule addresses the non-technical and technical safeguards that covered entities needed in place to ensure individuals’ information (or e-PHI) remains secure.

Within the HHS, the office of civil rights is responsible for enforcing the security and privacy rules, utilizing voluntary compliance activities, and penalties. Before HIPAA was introduced, there was no widely accepted set of general requirements or security standards available for protecting the health information that exists in the care industry. However, new technologies have continued to evolve, and the health care industry has started to move away from the process of using paper, to rely more heavily on utilizing electronic information systems to answer eligibility questions, pay claims and conduct various other clinical administrative functions.

HIPAA today

Currently, providers are using clinical applications such electronic health records, computerized physician order entries, and electronic pharmacy, laboratory and radiology systems. Health plans more regularly provide access to care management and claims, as well as various self-service options, meaning that the workforce in the medical industry has become more efficient and mobile. However, the rising online adoption has increased the potential security risks that are emerging.

One of the primary goals of the security rule is to ensure that individuals’ private health information remains secure, while allowing certain entities to engage with new technologies and improve the way the patient care can work. Because the marketplace in healthcare is so vast and diverse, the security rule needed to be versatile and flexible enough to give covered entities access to policies, technologies and procedures appropriate for that entity’s size and organizational structure. At the same time, it has to make sure it doesn’t limit innovations that help the industry and help in its cause to keep electronic healthcare information of patients private.

Like many simplification rules regarding Administration, the Security Rule applies to health care clearinghouses, health plans, and providers of healthcare who transmit information and data about health in electronic form in combination with a transaction for which standards have been adopted under HIPAA.

The Information that Is Protected

The HIPAA privacy rule is used to protect the privacy of individual health information, known as protected health information. The security rule, on the other hand, protects the subset of that information covered by the privacy rule, which can be any individual health information created, maintained, received or transmitted by a covered entity in an electronic way.

The security rule means that any covered entity must maintain the appropriate technical, physical and administrative safeguards established for protecting personal information. Covered entities need to ensure that all of the e-PHI they create, maintain, transmit or receive is confidential, and maintains its integrity. They must also take steps to identify potential threats to the security of that information, and protect it against problems.

The Security Rule and Confidentiality

According to the security rule, confidentiality can be defined as e-PHI that is not made available or disclosed to people who are not authorized to view it. The confidentiality requirements of the security rule directly support the privacy rule when it comes to improper disclosure and use of personal healthcare information. The security rule is also used to promote further goals of maintaining the availability and integrity of e-PHI. Beneath the security rule, integrity refers to the fact that personal healthcare information in an electronic medium cannot be destroyed or altered without authorization. Availability suggests that the e-PHI is usable and accessible on demand by any person who is authorized.

One important thing to remember about the HHS, is that it recognizes covered entities can range from incredibly small providers, to large nation-wide health plans. Therefore, the rule regarding security is scalable and flexible to ensure that covered entities are still able to assess their own needs, and create solutions that are appropriate to their particular environments. The rule will not dictate exact measures, but forces the entity to consider certain key factors, including:

  • The cost of security measures
  • The complexity, capability and size of the entity
  • The possible risk or impact to e-PHI
  • The software, hardware, or technical infrastructure.

Self hosted cloud such as FileCloud could help organizations in health care industry meet HIPAA standard. Here is a great example of how FileCloud helped Precyse to provide cloud features, while meeting HIPAA standards.

 Author: Rahul Sharma

image courtesy: Stuart Miles,  freedigitalphotos.net