Archive for the ‘privacy’ Category

GDPR Presents Opportunities for MSPs

In today’s digital world, the issue of data privacy is provoking constant debates with large corporations and even governments being objurgated for invasions of privacy. According to online statistics firm Statista, only about a third of internet users in the United States are concerned about how their personal is data is shared. However, that number is likely to rise as privacy compliance becomes a ubiquitous business concern due to the growing number of regulations formulated to curb the unauthorized access and use of personally identifiable information. The GDPR is one such legislation. No other legislation measures up to the inherent global impact of the EU’s General Data Protection Regulation (GDPR).

Gartner’s prediction that more than half of companies governed globally by the GDPR will not be fully compliant by the end of 2018 has come to fruition. With less than a month to go, a survey of 400 companies conducted by CompTIA inferred that 52 percent were still assessing how GDPR applies to their business. The research also showed that only 13 percent were confident that they are fully compliant. GDPR will without a doubt be a disruptive force in the global marketplace that cannot be ignored. This presents prodigious business opportunities for MSPs to leverage their experience in network security offerings, class analytics solutions, and their own experiences implementing strategies around this new development.

1. An Opportunity to Become GDPR Compliant

As an MSP, it makes sense to protect your business from any reputational and financial consequences by becoming GDPR compliant. It is said that charity starts at home, it would therefore be incongruous for an MSP that is yet to achieve full GDPR compliance to offer guidance in the same aspect. The experiences you gain in your journey to compliance will be of great value to both current and potential customers.

2. An Opportunity to Engage and Educate Your Clients

Most non-European businesses are yet to establish whether the GDPR will apply to them. And for those that are aware, their MSP will likely be the first place they turn to for help; whether its to set up reporting tools, work on data encryption, conduct audits, or implement new data management practices. MSPs should ensure that their clients fully understand the extent and impact of the regulations, and prepare them for GDPR. Since they are already aware of their client’s internal practices and processes, managed service providers are better suited to architect solutions that incorporate GDPR compliance and governance.

MSPs will have to re-onboard clients to make sure their prescribed SaaS offering will meet GDPR requirements. Gather resources and links that can help educate your clients. The use of informative marketing campaigns, or a resource center on your site will help create channels for dialogue – which may subsequently lead to new business projects.

3. An Opportunity to Understand Your Clients Data

Data is a crucial asset, however, most MSPs know very little about the data their clients possess. The only way an MSP can offer guidance and services related to GDPR is by understanding what data your clients have and the location of said data. MSPs should be ready to make an extra effort beyond protecting business applications to protecting personal data. The only way to accomplish this is by analyzing your client’s existing data. Through this process, you will be able to identify any security gaps and create customized security offerings to fill them. Additionally, the data discovery will allow you to adjust your pricing accordingly and push your customers towards more secure technologies or sell additional services that mitigate the risks their current business systems present.

4. An Opportunity to Offer Compliance and Security Related Services

MSPs tend to act as virtual CIOs for their customers. In most cases, the line between packaged service and free consultation tends to get blurred somewhere along the line. GDPR guidance could easily follow the same track – unless the value you offer is presented as a bundle that can be allotted a price tag. Compliance and security services are a potential gold mine for service providers who have acquired the management expertise to satisfy and simplify the complexities associated with the General Data Protection Regulation. Since having a designated Data Protection Officer (DPO) is a mandatory requirement under GDPR regardless of the size of the company; MSPs can use that as an opportunity to establish a DPO as a service model geared towards SMEs that may lack the resources to recruit costly, in-house compliance staff.

5. An Opportunity to Expose Your Brand

Marketing a compliance culture with transparency builds greater relevance and trust among current and potential customers. Companies looking to achieve full GDPR compliance are likely to align themselves with a service provider that has a demonstrated track record. Publicly documenting your GDPR compliance milestones on blogs, social media and your website confirms your familiarity with the subject. Once achieved, full GDPR compliance will act as a quality standard that can be placed on marketing channels to attract and reassure prospective clients.

In Closing

As the weight of the General Data Protection Regulation continues to impact the globe, sagacious MSPs will have an opportunity to assist their customers prepare and gain incremental revenues while supporting the European Unions effort to create a digitally secure global marketplace. Despite the current rush to beat the May 25th deadline, compliance isn’t a one off activity. Companies will always have a budget for comprehensive strategies aimed at achieving and maintaining privacy compliance.

image curtesy of freepik

 

 

Author: Gabriel Lando

International Traffic in Arms Regulations (ITAR) Compliance in the Cloud

 

 

ITAR was enacted in 1976 to control the export of defense-related articles and services. It stipulates that non-US persons are not allowed to have logical or physical access to articles modulated by International Traffic in Arms Regulations; which is administered by the Directorate of Defense Trade Controls – DDTC, a sub-division of the State Department. The articles covered by ITAR are listed on the United States Munitions List – USML, and generally, encompass any technology that is specifically designed or intended for military end-use. ITAR was also contrived to govern the import and export of any related technical data that consists of describes, supports, or accompanies the actual exported service or goods unless exemptions or special authorization is created.

The goal of ITAR is to prevent the transfer or disclosure of sensitive information, typically related to national security and defense, to a foreign national. In most cases, non-compliance usually translates to the loss of assets and professional reputation. However, with ITAR, lives may possibly be at stake. This is why the International Traffic in Arms Regulations is a strictly enforced United States government regulation and carries some of the most austere criminal and civil penalties that not business or individual would want to be on the receiving end of.

ITAR is not applicable to information that is already available in the public domain, or that is commonly taught in school under general scientific, engineering or mathematical principles.

Who is required to be ITAR compliant?

The law essentially applies to defense contractors who manufacture or export services, items or other information on the United States Munitions List. However, any company that is in the supply chain for such items must make ITAR compliance a priority. ITAR has a fairly complicated set of requirements, and since the repercussions of non-compliance are severe, companies should not hesitate to seek legal clarifications of their obligations if they even suspect the regulation applies to them – better safe than sorry. The vague categories of the USML make it difficult to intelligibly understand what exactly falls under the purview of military equipment.

The list is inclusive of most technology used for spaceflight, along with a vast range of technical data such as product blueprints, software and aircraft technology. Most of these items were initially developed for military purposes but were later on adapted for mainstream purposes – in aviation, maritime, computer security, navigation, electronics and other industries. It is crucial for firms that offer products and services to government consumers to fully grasp this distinction, to avoid expensive legal violations. ITAR may also likely impact large commercial enterprises, universities, research labs, and other institutions who are not directly involved in the defense industry.

The Repercussions of Non-compliance

Violating ITAR could lead to both criminal and civil penalties. The imposed fines are virtually unlimited – typically, organizations are prosecuted for hundreds of violations at once. The penalties for ITAR violations, both criminal and civil, are substantial. Criminal penalties may include fines of up to a million dollars per violation and 10 years’ imprisonment while civil fines can be as high as half a million dollars per violation. Failure to comply with ITAR may also damage an organizations reputation and ability to conduct business. The State Department maintains publicly available records of all penalties and violations dating back to 1978. Organizations and individuals run the risk of being completely debarred from exporting defense-related services and items.

Challenges in the Cloud

ITAR compliance and the adoption of cloud platforms presents unique challenges. Uploading technical data to the cloud carries with it a huge risk of penalties and violations. There are a lot of questions in regards to whether or not regulated technical data can be stored in a public cloud. The intrinsic quandary in that cloud vendors use distributed and shared resources that will likely cross national borders, and this dispensation of resources is not entirely transparent to the end-user. Data back-up and replication are common security measures when sharing files and collaborating via the cloud, but they can inadvertently lead to unlicensed exports in the event data is sent to servers located outside the United States. Once technical data goes beyond U.S borders, the risk of non-US persons having access to it increases exponentially.

In 2016 for example, Microwave Engineering Cooperation settled an ITAR violation with the State Department after technical data related to a defense article was exported to a foreign person without authorization. So if giving a foreign person access to technical data, or placing it on a server in a foreign nation is deemed and export. What guidance does ITAR give to ensure the entire process is done in a legal manner? Or is cloud storage simply off the table?

The State Department maintains that technical data can be stored on servers outside the U.S, provided that the of the ITAR license exemption conditions are met, and adequate measures are taken to obviate non-US individuals from accessing technical data. In most cases, the measure typically involves ensuring that any data sent to a server beyond U.S borders, or that is potentially accessible by a foreign person within or outside the U.S has to be properly encrypted. It is important to note that by law, cloud providers aren’t considered exporters of data, however, your organization might be. So the burden of ensuring ITAR compliance when handling technical data falls squarely on the people within the organization. Organizations dealing with defense-related articles in any capacity have to exercise extreme caution when using any commercial file sharing and sync service.

 

Author: Gabriel Lando

Personal Data Breach Response Under GDPR

personal data breach

Data security is at the heart of the upcoming General Data Protection Regulation (GDPR). It sets strict obligations on data controllers and processors in matters pertaining data security while concurrently providing guidance on the best data security practices. And for the first time, the GDPR will introduce specific breach notification guidelines. With only a few months to go until the new regulations come into effect, businesses should begin focusing on data security. Not just because of the costs and reputational damage a personal data breach can lead to; but also because under the GDPR, a new data breach notification regime will be applied to statute the reporting of certain data breaches to affected individuals and data protection authorities.

What Constitutes a Personal Data Breach Under GDPR?

GDPR describes A personal data breach as – a security breach that leads to the unlawful or accidental loss, destruction, alteration, or unauthorized disclosure of personal data stored, processed or transmitted. A personal data breach is by all means a security incident; however, not all security incidents require the same strict reporting regulations as a personal data breach. Despite the broad definition, it is not unusual in data security laws that require breach reporting. HIPAA, for example, makes the same distinctions at the federal level for medical data. It aims to prevent data protection regulators from being overwhelmed with breach reports.

By limiting breach notifications to personal data (EU speak for personally identifiable information – PII), incidents that solely involve the loss of company data/ intellectual property will not have to be reported. The threshold to establish whether an incident has to be reported to a data protection authority is dependent on the risk it poses to the individuals involved. High risk situations are those that can potentially lead to the significant detrimental suffering – for example, financial loss, discrimination, damage to reputation or any other significant social or economic disadvantage.

…it should be quickly established whether a personal data breach has occurred and to promptly notify the supervisory authority and the data subject.

– Recital 87, GDPR

If an organization is uncertain about who has been affected, the data protection authority can advise and, in certain situations, instruct them to immediately contact the individuals affected is the security breach is deemed to be high risk.

What Does The GDPR Require You to Do?

Under GDPR, the roles and responsibilities of processors and data controllers have been separated. Controllers are obliged to only engage processors who are capable of providing sufficient assurances to implement appropriate organizational and technical measures to protect the rights of data subjects. In the event of a data breach that affects the rights and freedoms of said data subjects, the organization should report it, without any delay and, where practicable, within 72 hours of becoming aware of it.

The data processor is mandated to notify the controller the moment a breach is discovered, but has no other reporting or notification obligation under the GDPR. However, the 72-hour deadline begins the moment the processor becomes aware of the data breach, not when the controller is notified of the breach. A breach notification to a data protection authority has to at least:

  1. Have a description of the nature of the breach, which includes the categories and number of data subjects affected.
  2. Contain the data protection officer’s (DPO) contact information.
  3. Have a description of the possible ramifications of the breach.
  4. Have a description of steps the controller will take to mitigate the effect of the breach.

The information can be provided in phases if it is not available all at once.
If the controller determines that the personal data breach can potentially put the right and freedoms of individuals at risk, it has to communicate any information regarding the breach to the data subjects without undue delay. The communication should plainly and clearly describe the nature of the personal data breach and at least:

  1. Contain the DPO’s contact details or a relevant contact point.
  2. Have a description of the possible ramifications of the breach.
  3. Have a description of measures proposed or taken to mitigate or address the effects of the breach.

The only exception in this case is if the personal data has been encrypted, and the decryption key has not been compromised, then there is not need for the controller to notify the data subject.

The most ideal way for companies to handle this GDPR obligation is to not only minimize breaches, but also, establish policies that facilitate risk assessment and demonstrates compliance.

The GDPR stipulates that all the records pertaining the personal data breach, regardless of whether the breach needs to be reported or not. Said records have to contain the details of the breach, any consequences and effects, and the follow up actions taken to remedy the situation.

Should Ransomware Attacks Be Reported?

Ransomware typically involves the ‘hijacking’ of cooperate data via encryption and payment is demanded in order to decrypt the ransomed data. Under GDPR, Ransomware attacks may be categorized as a security incident but it does not necessarily cross the threshold of a personal data breach. A Ransomware attack would only be considered a personal data breach if there is a back up but the outage directly impacts user’s freedoms and rights, or if there is no back up at all. Ideally, a Ransomware attack where the ransomed data can be quickly recovered does not have to be reported.

What Are the Consequences of Non-Compliance?

A failure to comply with the GDPR’s breach reporting requirements will not only result in negative PR, constant scrutiny, and possibly loss of business; but will also attract an administrative fine of up to € 10 million or up to two percent of the total global annual turnover of the preceding financial year. Additionally, failure to to notify the supervising authority may be indicative of systematic security failures. The would show an additional breach of GDPR and attract more fines. The GDPR does have a list of factors the supervising authority should consider when imposing fine; chief among them being the degree of co-operation by the data controller with protection authority.

In Closing

Data breach notification laws have already been firmly established in the U.S. These laws are designed to push organizations to improve their efforts in the detection and deterrence of data breaches. The regulators intentions are not to punish but to establish a trustful business environment by equipping organizations to deal with with security issues.

Author: Gabriel Lando

image courtesy of freepik

Personal Data, PII and GDPR Compliance

GDPR

 

The countdown for the European Union’s General Data Protection Regulation (GDPR), which will go into full effect in May 2018, is coming to a close. GDPR aims to solidify the data privacy rights of EU residents and the requirements on organizations that handle customer data. It introduces stern fines for data breaches and non-compliance while giving people a voice in matters that concern their data. It will also homogenize data protection rules throughout the EU. The current legislation, the EU Data Protection Directive was enacted in 1995, before cloud technology developed innovative ways of exploiting data; GDPR aims to address that. By enacting strict regulations and stiffer penalties the EU hopes to boost trust within a growing digital economy.

Despite the fact that GDPR came into force on 24th May 2016, organizations and enterprises still have until the 25th of May 2018 to fully comply with the new regulation. A snap survey of 170 cybersecurity pros by Imperva revealed that While a vast majority of IT security professionals are fully aware of GDPR, less than 50 percent of them are getting everything set for its arrival. It went on to conclude that only 43 percent are accessing the impact GDPR will have on their company and adjusting their practices to comply with data protection legislation. Even though most of the respondents we based in the United States, they are still likely to be hit by GDPR if they solicit and/or retain (even through a third party) EU residents’ personal data.

Remaining compliant with GDPR demands, among several other things, a good understanding of what constitutes ‘personal data’ and how it differs from ‘personal identifiable information’ or PII.

What is Personal Data In the GDPR Context?

The EU’s definition of personal data in GDPR is markedly broad, more so than current or past personal data protection. Personal data is defined as data about an identifiable or identified individual, either indirectly or directly. It is now inclusive of any information that relates to a specific person, whether the data is professional, public or private in nature. To mirror the various types of data organizations currently collect about users, online identifiers like IP addresses have been categorized as personal data. Other data such as transaction histories, lifestyle preferences, photographs and even social media posts are potentially classified as personal data under GDPR. Recital 26 states:

To determine whether a natural person is identifiable, account should be taken of all the means reasonably likely to be used, such as singling out, either by the controller or by another person to identify the natural person directly or indirectly. To ascertain whether means are reasonably likely to be used to identify the natural person, account should be taken of all objective factors, such as the costs of and the amount of time required for identification, taking into consideration the available technology at the time of the processing and technological developments.

This personal data term directly applies to all the 28 states in the European Economic Area (EEA)

Is Personally Identifiable Information (PII) the Same as Personal Data?

The term ‘Personally Identifiable Information’ doesn’t appear anywhere in the GDPR; however, it does have a definite meaning in US privacy law. Therefore the term in itself is likely to cause confusion to anyone seeking to comply with GDPR. For a concept that has become ubiquitous in both technological and legal colloquy, PII is surprisingly hard to define. In a nutshell, PII refers to any information that can be used to distinguish one individual from another. This includes any information that can be used to re-identify anonymous data. This can solely refer to data that is regularly used to authenticate/identify an individual, this may be averse to information that violates the privacy of on individual, that is, reveal sensitive information regarding someone. The US interpretation of the term is undeniably incongruous with what is relevant for a proper GDPR assessment since it pre-selects a set of identifying traits.

To put it bluntly, all PII can be considered personal data but not all personal data is Personally Identifiable Information. Developing a solid GDPR compliance program demands that IT architects and marketers move beyond the restricted scope of PII to examine the full spectrum of personal data as defined by the EU.

Handling Personal Data in Accordance With GDPR

The first step to GDPR compliance in matters pertaining personal data is undoubtedly the risk assessment of how existing data is being stored and accessed, the level of risk attached to it, and whether it contains any PII. The data might be stored on server file systems, databases or even on an end user’s physical storage or cache. Becoming GDPR compliant will mean that you are not only protecting more data types in the future but will also involve dissipating more effort in the identification of existing data that initially wasn’t considered personal data. It is important to note that you cannot limit your scope to the data you hold as if it were a closed system. Nowadays, people typically interact with interconnected systems, and GDPR mirrors that. In such scenarios, organizations should focus outward, and infer who in their ecosystem can connect with an attribute to another, from the multiple varying paths to re-identification within their ecosystem.

Additionally, GDPR requires that a document ‘opt-in’ consent must be provided by each individual. The consent has to explicitly pinpoint the data collected, how it is going to be used and how long it will be retained. Organizations also have to provide participants with an option to remove their consent at any given time and request their personal data be permanently deleted. Participants should have the ability to get factual errors amended, and even request their personal data for review and use.

FileCloud Can Help You Comply With GDPR

The General Data Protection Regulation sets a new standard in the protection of personal data. Its efforts aim to grant data subjects more control over their data while ensuring the transparency of operations. FileCloud provides a set of simple features that can help organizations meet GDPR requirements.

Click here for more information.

Author: Gabriel Lando

Image courtesy of freepik.com

GDPR – Top 10 Things That Organizations Must Do to Prepare

May 25, 2018 – that’s probably the biggest day of the decade for the universe of data on the Internet. On this date, Europe’s data protection rules –  European General Data Protection Regulation (GDPR) – becomes enforceable. In 2012, the initial conversations around GDPR began, followed by lengthy negotiations that ultimately culminated in the GDPR proposal. At the time of writing this guide (Sep 2017), most European businesses have either started making first moves towards becoming compliant with GDPR, or are all set to do so. Considering how GDPR will be a pretty stringent regulation with provisions for significant penalties and fines, it’s obvious how important a topic it has become for tech-powered businesses.

Now, every business uses technology to survive and thrive, and that’s why GDPR has relevance for most businesses. For any businessman, entrepreneur, enterprise IT leader, or IT consultant, GDPR is as urgent as it is critical. However, it’s pretty much like the Y2K problem in the fact that everybody is talking about it, without really knowing much about it.

Most companies are finding it hard to understand the implications of GDPR, and what they need to do to be compliant. Now, all businesses handle customer data, and that makes them subject to Data Protection Act (DPA) regulations. If your business already complies with DPA, the good news is that you already have the most important bases covered. Of course, you will need to understand GDPR and make sure you cover the missing bases and stay safe, secure, reliable, and compliant in the data game. Here are 10 things businesses need to do to be ready for GDPR.

Top 10 things that organizations should do to prepare and comply with GDPR

1.      Learn, gain awareness

It is important to ensure that key people and decision makers in your organization are well aware that the prevailing law is going to change to GDPR. A thorough impact analysis needs to be done for this, and any areas that can cause compliance issues under GDPR needs to be identified. It would be appropriate to start off by examining the risk register at your organization if one exists. GDPR implementation can have significant implications in terms of resources, particularly at complex and large organizations. Compliance could be a difficult ask if preparations are left until the last minute.

2.      Analyze information in hand

It is necessary to document what personal data is being held on hand, what was the source of the data, and who is it being shared with. It may be necessary for you to organize an organization-wide information audit. In some cases, you may only need to conduct an audit of specific business areas.

As per GDPR, there is a requirement to maintain records of all your activities related to data processing. The GDPR comes ready for a networked scenario. For instance, if you have shared incorrect personal data with another organization, you are required to inform the other organization about this so that it may fix its own records. This automatically requires you to know the personal data held by you, the source of the data and who it is being shared with. GDPR’s accountability principle requires organizations to be able to demonstrate their compliance with the principles of data protection imposed by the regulation.

3.      Privacy notices

It is important to review the privacy notices currently in place and put in a plan for making any required changes before GDPR implementation. When personal data is being collected, you currently need to provide specific sets of information such as information pertaining to your identity and how you propose to use that information. This is generally done with a privacy notice.

The GDPR requires you to provide some additional information in your privacy notices. This includes information such as the exact provision in the law that permits asking for that data and retention periods for the data. You are also required to specifically list that people have a right to complain to the ICO if they believe there is a problem with the way their data is being handled. The GDPR requires the information to be provided in the notices in easy to understand, concise and clear language.

4.      Individual rights

You should review your procedures to confirm that they cover all the individual rights set forth in the GDPR. These are the rights provided by the GDPR.

  • To be informed
  • Of access
  • To rectification
  • To erasure
  • To restrict processing
  • To data portability
  • To object
  • To not be subject to automated profiling and other such decision-making

This is an excellent time to review your procedures and ensure that you will be able to handle various types of user requests related to their rights. The right to data portability is new with the GDPR. It applies:

  • To personal data provided by an individual;
  • When processing is based on individual consent or to perform a contract; and
  • Where processing is being done by automated methods.

5.      Requests for Subject access

You would need to plan how to handle requests in a manner compliant with the new rules. Wherever needed, your procedures will need to be updated.

  • In most of the cases, you will not be allowed to charge people for complying with a request
  • Instead of the current period of 40 days, you will have only a month to execute compliance
  • You are permitted to charge for or refuse requests which are apparently excessive or unfounded
  • If a request is refused, you are required to mention the reason to the individual. You are also required to inform them that they have the right to judicial remedy and also to complain to the correct supervising authority. This has to be done, at the very latest, within a month.

6.      Consent

It is important to review how you record, seek and manage consent and if any changes are required. If they don’t meet the GDPR standard, existing consents need to be refreshed. Consent must be specific, freely given, informed, and not ambiguous. A positive opt-in is required and consent cannot be implied by inactivity, pre-ticked boxes or silence. The consent section has to be separated from the rest of the terms and conditions. Simple methods need to be provided for individuals to take back consent. The consent is to be verifiable. It is not required that the existing DPA consent have to be refreshed as you prepare for GDPR.

7.      Aspects related to children

It would be good if you start considering whether systems need to be put in place in order verify the ages of individuals and to get consent from parents or guardians for carrying out any data processing activity. GDPR brings in specific consent requirements for the personal data of children. If your company provides online services to children, you may need a guardian or parent’s consent so as to lawfully process the children’s personal data. As per GDPR, the minimum age at which a child can give her consent to this sort of processing is set to 16. In the UK, this may be lowered to 13.

8.      Aspects related to data breaches

You should ensure that you have the correct procedures necessary to investigate, report, and detect any breaches of personal data. The GDPR imposes a duty on all companies to report specific types of data breaches to the ICO, and in some situations, to individuals. ICO has to be notified of a breach if it is likely to impinge on the freedoms and rights of individuals such as damage to reputation, discrimination, financial loss, and loss of confidentiality. In most cases, you will also have to inform the concerned parties directly. Any failure to report a breach can cause a fine to be imposed apart from a fine for the breach by itself.

9.      Requirements related to privacy by design

The GDPR turns privacy by design into a concrete legal requirement under the umbrella of “data protection by design and by default.” In some situations, it also makes “Privacy Impact Assessments” into a mandatory requirement. The regulation defines Privacy Impact Assessments as “Data Protection Impact Assessments.”’ A DPIA is required whenever data processing has the potential to pose a high level of risk to individuals such as when:

  • New technology is being put in place
  • A profiling action is happening that can significantly affect people
  • Processing is happening on a large set of data

10.  Data protection officers

A specific individual needs to be designated to hold responsibility for data protection compliance. You must designate a data protection officer if:

  • You are a public authority (courts acting in normal capacity exempted)
  • You are an institution that carries out regular monitoring of individuals at scale
  • You are an institution that performs large-scale processing of special categories of data such as health records or criminal convictions

Many of GDPR’s important principles are the same as those defined in DPA; still, there are significant updates that companies will need to do in order to be on the right side of GDPR.

Author: Rahul Sharma

Sources

https://ico.org.uk/media/1624219/preparing-for-the-gdpr-12-steps.pdf

https://ico.org.uk/for-organisations/data-protection-reform/overview-of-the-gdpr/

 

 

Sharing Large Medical Images and Files – Factors to Consider

ID-100414456

According to data collected by the HHS Office for Civil Rights, over 113 million individuals were affected by protected health information breaches in 2015. Ninety-nine percent of these individuals were victims of hacking, while the remaining 1 percent suffered from other forms of breach such as theft, loss, improper disposal, and unauthorized access/disclosure. A quick look at the trend from 2010 shows that health information data breaches are on the rise. An even deeper look at this report shows that network servers and electronic medical records are the leading sources of information breaches, at 107 million and 3 million, respectively.

Sadly, security is not the only issue that medics face when sharing medical records. A 2014 article in the New York Times explains the difficulty medics face when trying to send digital records containing patient information. While the intention is noble—to improve patient care coordination—doctors are facing problems with their existing large file sharing options.

To help doctors share files such as medical images in an easier and safer way, we will explore four factors that should be considered.

HIPAA Compliance

Medical records are sensitive and confidential in nature. This means that handling them should be guided by set industry policies, in this case, Health Insurance Portability and Accountability Act (HIPAA), for example. HIPAA is actually a response to security concerns surrounding the transfer and storage of medical records, in this case, images.

HIPAA places responsibility on medics and healthcare providers in general to secure patient data and keep it confidential. As a result, non-compliance could lead to legal action, which can be costly. Usually, HIPAA makes sure that all Personal Health Information (PHI) is covered, outlining more stringent rules on electronic PHI, mainly because a security breach is more likely to affect a larger number of patients, all at once.

It is a medic’s responsibility to ensure that the selected EFSS solution is HIPAA-compliant if you want to maintain patient trust, keep positive publicity, and avoid steep HIPAA fines imposed after a breach. In fact, the first time you commit an offense, HIPAA will charge approximately $50,000, a figure that escalates accordingly with each subsequent offense.

Encryption

This is the second level of security you should consider before settling on a large file sharing solution. As much as an EFSS service provider is HIPAA-compliant, you need to ensure that measures outlined in HIPAA are taken.

When you read about patients’ rights as outlined in HIPAA, specifically the ‘Privacy, Security and Electronic Health Records’, you will notice that information security is emphasized. For this reasons, medics should ensure that patient data is encrypted in order to prevent it from being accessed by rogue colleagues or professional hackers.

It is entirely important that all hospital departments—ranging from cardiology, imaging centers and radiology, among others—encrypt medical images and files to further protect patient privacy. Better still, encryption should be both at rest and on transit, and files should only be shared with authorized specialists and physicians as well as the patients themselves.

To further tighten security, these files should be encrypted with non-deterministic encryption keys instead of fixed ones, whose passwords can be hacked. The best thing about this technique is that even when faced with a security breach on the server side, hackers cannot access the encryption keys. Additionally, you can opt for EFSS solutions that offer client-side encryption alone, barring the service provider and its employees from accessing this information.

File Scalability

Compared to other medical records, medical images present a great challenge with regards to file size. It is actually reported that a significant number of sequences and images are an average of 300MB. Additionally, average file size for a standard mammography image and a 3D tomography image are 19MB and 392 MB, respectively. While these file sizes already seem too large, Austin Radiological Association (ARA) predicts that by 2024, annual data from its 3D breast imaging files will reach 3 petabytes. These facts expose the storage challenges that medics face.

A glance at the process of finding medical images for active cases, storing them, and archiving those of inactive cases shows the immense need for medics to find a reliable and convenient large file sharing solution that caters to these storage needs.

A weak server could get overwhelmed with data, progressively becoming inefficient and inept as more files are uploaded into the system. The best way to solve this issue is by using cloud-based services that automatically scale your files according to your needs. This way, you will upload more files in the server, significantly reducing hardware costs by approximately 50 percent, especially when this is done on the cloud as opposed to in-house. In addition to these perks, the cloud will allow you to share these images faster and more conveniently, saving both time and storage.

Technology Increases the Likelihood of Medical Errors

While technology helps solve issues such as security and storage, over-reliance could actually lead to medical errors, incidents that are dreadful to patients and medics as well. As reported by Eric McCann of Healthcare IT News, medical errors cost America a colossal $1 trillion each year, and 400,000 Americans die annually due to these preventable mistakes.

Even though the cloud has been paraded as a solution to reduce incidences of medical error, the need to be watchful and keen can never be overstated. Take, for example, the erroneous click of a mouse and mislabeling of data. A case study on Kenny Lin, MD, a family physician practicing in Washington, D.C., which is detailed in his 2010 piece in the U.S. News & World Report, shows us how easy it is to make a mistake with technology. Dr. Lin nearly made a wrong prescription by accidentally clicking on the wrong choice in his EMR system.

Now, what if you mislabeled a patient’s radiology report? Wouldn’t that start a series of misdiagnosis and treatment? Could you imagine the damage caused? It is for this reason that even when technology makes it easier to share large, sensitive files like medical images, you should counter-check and make sure that the file is labeled correctly and sent to the intended, authorized recipient.

The Way Forward

The sensitivity of medical files is eminent, and with data breaches on the rise, it is vital to ensure the privacy of all medical documents, including large medical images and files. To reduce the possibility of a data breach, any EFSS solution used to share these files should guarantee a reasonable level of file security and HIPAA compliance. In addition to that, its capacity to efficiently handle file sizes and offer easy access to these files should not be ignored. Lastly, as you remain cautious when feeding data into the system, create a safe backup for your data just in case of a data breach. By taking such precautions, medical files can be shared between all necessary parties easier and more safely.

Author: Davis Porter

Image courtesy: freedigitalphotos.net, stockdevil

Data ownership in the cloud – How does it affect you?

The future of the cloud seems bright, Cisco predicts that by 2018, 59% of cloud workloads will be created from Software As A Service (SaaS). While these statistics are optimistic, we cannot ignore a few concerns that stifle cloud adoption efforts, such as data ownership.

Most people would be inclined to say that they still own data in the cloud. While they may be right in some sense, this is not always the case. For instance, let us look at Facebook, which many people use as cloud storage to keep their photos. According to the Facebook end-user-agreement, the company stores data for as long as it is necessary, which might not be as long as users want. This sadly means that users lose data ownership. Worse still, the servers are located in different locations, in and out of the United States, subjecting data to different laws.

According to Dan Gray, as discussed in ‘Data Ownership In The Cloud,’ the actual ownership of data in the cloud may be dependent on the nature of the data owned and where it was created. He states that there is data created by a user before uploading to the cloud, and data created on the cloud platform. He continues to say that data created prior to cloud upload may be subject to copyright laws depending on the provider, while that created on the platform could have complicated ownership.

In addition to cloud provider policies, certain Acts of Congress, although created to enhance data security and still uphold the nation’s security, have shown how data ownership issues affect businesses. Two of these, the Stored Communications Act (SCA) and the Patriot Act show the challenges of cloud data ownership and privacy issues, with regards to government access to information stored in the cloud.

The Stored Communications Act (SCA)

Usually, when data resides in a cloud provider’s infrastructure, user owner rights cannot be guaranteed. And even when users are assured that they own their data, it does not necessarily mean that the information stored there is private. For example, the United States law, through the Stored Communications Act (SCA), gives the government the right to seize data stored by an American company even if it is hosted elsewhere. The interpretation of this saw Microsoft and other technology giants take the government to court, claiming that it was illegal to use the SCA to obtain a search warrant to peruse and seize data stored beyond the territorial boundaries of the United States.

Microsoft suffered a blow when a district court judge in New York ruled that the U.S government search powers extend to data stored in foreign servers. Fortunately, these companies got a reprieve mid-2016, when the Second Circuit ruled that a federal court may not issue a criminal warrant to order a U.S cloud provider to produce data held in servers in Ireland.  It is however, important to note that this ruling only focused on whether Congress intended for the SCA to apply to data held beyond U.S.A territory, and did not touch on issues to deal with Irish data privacy law.

The Patriot Act

The Patriot Act was put into place in 2001 as an effort by George Bush government to fight terrorism. This act allowed the Federal Bureau of Investigation (FBI) to search telephone, e-mail, and financial records without a court order, as well as expanded law enforcement agencies access to business records, among other provisions. Although many provisions of this Act were set to sunset 4 years later, the contrary happened. Fast-tracking to 2011, President Barrack Obama signed a 4-year extension of 3 key provisions in the Act, which expanded the discovery mechanisms law enforcement would use to gain third-party access. This progress brought about international uproar especially from the European Union, causing the Obama administration to hold a press conference to quell these concerns.

The situation was aggravated when a Microsoft UK director admitted that the Patriot Act could access EU based data, further disclosing that no cloud service was safe from the ACT, and the company could be forced to hand over data to the U.S government. While these provisions expired on June 1 2015, due to lack of congressional approval to renew, the government found a way to renew them through the USA freedom Act.

The two Acts show us that data owned in the cloud, especially public cloud, is usually owned by the cloud providers. This is why we are seeing the laws asking cloud providers to provide this information, and not cloud users.

What To Do In Light Of These Regulations

Even if the SCA has been ruled illegal as not to be used to get warrants to retrieve data stored in the cloud, and the USA freedom Act is purported by some parties as a better version of the Patriot Act, we cannot ignore the need for cloud users to find a way to avoid such compulsions.

One idea users could have is escaping the grasp of these laws, which is unfortunately impractical. To completely outrun the government, you would have to make sure that neither you nor the cloud service used has operations in the United States. This is a great disadvantage because most globally competitive cloud providers are within the United States jurisdiction. Even when you are lucky and find a suitable cloud provider, it is may still be subject to a Mutual Legal Assistance Treaty (MLAT) request. Simply, put, there is no easy way out.

Instead, understand the risks and let your clients know. For example, if the Patriot Act extension attempts were successful, financial institutions would be obliged to share information with law enforcement agencies on suspicion of terrorist activities. In such a case, a good financial institution would warn its clients of these risks before hand. Alternatively, you can find a way of storing data in-house, forcing the feds to go through you and not the cloud provider.

Conclusion                                                       

Truthfully, data ownership in the cloud is a complicated issue.  Determined by both government and company policies, data ownership in the cloud is not always retained.  Gladly, depending on data policies and how they categorize data in the cloud, a user could be granted full ownership. In the event that this doesn’t happen, prepare for instances of third-party access and infringement of complete privacy, hence rethink your business strategy. In short, as a cloud services client, please pay attention to the contract that you sign with your provider and understand the laws under which the provider operates.

Author: Davis Porter

HIPAA Prescribed Safeguards for File Sharing

health care data governance

The Health Insurance Portability & Accountability Act (HIPAA) sets standards for protecting sensitive data of patients in the cloud. Any company which is dealing with PHI (protected health information) needs to ensure all of the required network, physical, and process safety measures are properly followed. If you want to learn more about requirements of HIPPA, click here to learn more.

This includes CE (covered entities), anyone who is providing treatment, operations, and payment in health care, BA (business associates) with access to patient’s information stored in the cloud or those who provide support in payment, operations, or treatment. Subcontractors and associates of associates need to be in compliance too.

Who needs HIPAA?

The privacy rule of the HIPAA helped address the saving, sharing, and accessing of personal and medical data of individuals stored in the cloud while the security rule is more specifically meant for outlining national security standards to help protect the health data which is received, maintained, transmitted, or created electronically, also known as e-PHI (electronic protected health information).

Technical and physical safeguards

If you’re hosting data with HIPAA compliant hosting providers, they need to have particular administrative, technical, and physical safeguards in place as per the US HHS (Department of Health & Human Services). The technical and physical safeguards which are the most important for services provided by hosts are listed below:

  • Physical safeguards include limited facility control or access with authorized access procedures. All entities need to be HIPAA compliant, need to have policies regarding the use and access of electronic media and workstations. This includes removing, transferring, reusing, and disposing of e-PHI and electronic media.
  • Technical safeguards should only allow authorized users to access e-PHI. Access control will include the use of unique user ID’s, emergency access procedures, automatic logoffs, decryption, and encryption.
  • Tracking logs or audit reports need to be implemented in order to keep a record of activity on software or hardware. This is very useful when it comes to pinpointing the source or the cause of security violations.
  • Technical policies need to be used for covering integrity controls and measures should be in place to confirm e-PHI has not been destroyed or altered. Offsite backup and IT disaster recovery are very important in order to ensure any electronic media errors or failures can quickly be remedied, and health information of patients can be recovered intact and accurately.
  • Transmission or network security is the last safeguard needed of HIPAA compliant hosts in order to protect them against any unauthorized access or use of e-PHI. This concerns all of the methods for transmitting data, whether it is over the internet, email, or even on private networks, like a private cloud.

A supplemental act passed in 2009 known as the HITECH (Health Information Technology for Economic & Clinical Health) Act which supported the enforcement of all of the HIPAA requirements by increasing the penalties imposed on organizations who violated the HIPAA privacy or security rules. The HITECH Act was created in response to the development of health technology and increased storage, transmission, and use of electronic health information.

HIPAA has driven a number of healthcare providers to search for solutions that can help them secure cloud data. Medical information is very private, and regulation keeps getting tighter, which means enforcement is also getting tighter. There are a number of healthcare providers have chosen to move their whole EHRs onto a HIPAA compliant platform such as FileCloud in order to reduce their expenses and become more inter-operable across various other devices in a safe, HIPAA-compliant fashion.

 

Author: Rahul Sharma

images courtesy: freedigitalphotos.net/ Stuart Miles

US-EU Safe Harbor – Origin, Reasons to strike down, Implications

The US-EU Safe Harbor was a great framework that simplified operations of many organizations. Recently, US-EU Safe harbor was struck down due to series of accusations, threat to national security and mistrust between countries. The following three articles cover the origin of the agreement, the details on how it worked, reasons why it was struck down and what are the implications.

Essential Tools for Cloud Security

cloud security (2)

Cloud computing is steadily growing to become the most expansive business platform in the world primarily because of its numerous benefits, among them scalability, cost effectiveness, mobility and increased security. Although 56% of entrepreneurs are reportedly optimistic about cloud security, it still faces a significant amount of risks and potential threats.

For most corporations, especially small and medium businesses, the cloud is a relatively new networked paradigm whose security protocols are still yet to be completely comprehended. Consequently, a large number of businesses owners who are concerned about security, are considerably uncertain about relying on third party cloud service providers. Their fears are further fueled by some of the recent news, where hackers have targeted and successfully infiltrated some of the most popular cloud servers including Dropbox, Amazon Cloud Service and GoGrid.

Despite the security compromises, these cloud providers have managed to successfully recover and subsequently implement impenetrable security measures to prevent future occurrences. Protecting your cloud servers is therefore possible as long as you understand the threats and utilize the necessary tools. In fact, cloud security is easier to implement and harder to penetrate than regular in-house data security.
So, which are the essential tools for cloud security? To determine this, you need to first evaluate and determine the type of cloud service you are using. There are three types of cloud services, each facing a unique set of security threats.

  1. Infrastructure as Service (IaaS): As a consumer, this type of cloud allows you to use arbitrary software like programs and operating systems through its resources including networks, storage, processing and other critical resources which are distributed through the internet as virtualized systems.

The underlying framework of resources is protected by service providers. The security of the applications and operating systems on the hand, is dependent on the consumer. Therefore, it’s critically important to install the necessary security infrastructure to protect your data and operations as you use IaaS.

  1. Platform as a Service (Paas): This cloud system eliminates the need to install any system or platform in your computer, and instead allows you to deploy your own applications directly on its infrastructure through the internet. A number of resources including software development frameworks are provided to you to boost your applications and overall operations.

Just like IaaS, security is implemented in two levels- the primary cloud runtime engine and the individual applications deployed by the user. Of course the latter level is dependent on you while the former is dependent on the service provider. Some of the security threats you may experience include:

  • Underlying Infrastructure Threats: The underlying framework is the most important element because it forms the foundation of many applications running on it. A system failure would completely cripple all the applications and subsequently disable all the features. Protecting this infrastructure is therefore more important than securing the individual applications.

Fortunately for consumers, its security is entirely dependent on the developers and service providers. It has to be comprehensively protected by sealing all the loopholes including the individual applications. An infiltration on an application shouldn’t be subsequently passed on to the runtime engine.

  • System Development Threats: Developers should come up with an architecture that securely accommodates all the frequent application updates, without exposing the system to additional vulnerabilities. The security development processes should therefore be flexible enough for all the updates.
  • Third Party Threats: Since Paas cloud models provide users with third party web services like mashups, security should extend to such components to avoid possible network and data infiltrations. Any security threat from mashups should be effectually contained before spreading to other entities.
  1. Software as a Service (SaaS): Contrary to other two cloud models, SaaS consumers have very limited control on security. The security is largely controlled by the service providers, who host and distribute services like SCM, CRM, ERP, conferencing software, and more, to their individual subscribers. The primary threats come from malware lodged into the main cloud systems to infiltrate the networks and possibly cripple them. The responsibility of detecting such malware and preventing attacks by blocking them lies sorely with the service providers- through impenetrable firewall and anti-malware systems.

After assessing your type of cloud model, you should install the essential security tools that correspond to your potential data, network and system security threats. Here are some of the most critical counter measures and tools you should consider:

Encryption

Encryption has been a standard data security tool even before the invention of computers. It reportedly started with ancient Egyptians, who used cryptography, an encryption system, to pass messages without revealing the actual details to the general public.

Today, encryption could be used to store sensitive data within the cloud. Consequently, the data would be useless and meaningless to hackers if they successfully infiltrated the system. Some of the most widely used schemes include SSL and Advanced Encryption Standard (AES).

Web Application Scanners

Cloud services which utilize web applications are predominantly vulnerable since such applications are easy targets to hackers. They are particularly notorious of creating malware that pose as web applications to steal data from cloud users. The most effective strategy of protecting your data and network is installing efficient web application scanners- to comprehensively scan all the web applications to block cyber-attacks and malware.

Virtual Network Security Framework

This is a security framework to protect against the spoofing of virtual networks, where data could be stolen by a malicious virtual machine as other virtual machines communicate. The Xen based system comprises of a three layered model (shared networks, firewall and routing layers) that uses routed or bridged configuration modes to detect and block inter-virtual machine spoofing.

Fragmentation Redundancy Scattering

Data leakage is a common security phenomenon in cloud networks, where data is distributed to the wrong party as it’s being processed, stored or transmitted. The most reliable method of preventing this is Fragmentation Redundancy Scattering– where data is first broken down into minute, meaningless fragments and distributed separately. If it falls to the wrong hands, the receiver won’t make sense of the individual fragments without defragmenting the rest.

There are many other tools, strategies and countermeasures to protect your cloud system and boost your overall data security. The suitability of a tool depends on your data architecture, infrastructure and relative efficiency of the tool in protecting other similar systems. That’s why it’s advisable to first do a comprehensive analysis on the reviews of a tool/strategy from IT architects before implementing it. Finally, remember to periodically review and scan your entire system to identify potential developing vulnerabilities.

Author: Davis Porter

Image Courtesy: Feelart, freedigitalphotos.net