bTrade, the industry-leading compression and managed file transfer (MFT) provider, announced today that it once again scored well in an ISO 9001:2008 supplier evaluation, this time from its customer, Telered, S.A.
Telered is a Panamanian company that provides the electronic payments network for Panama. Telered's shareholders are the major Panamanian banks, which demand infrastructure supported by state-of-the-art technology, including bTrade solutions. Telered maintains connections with many entities, both private (local and international) and public, through a communications infrastructure that transmits information between those entities and the affiliated financial institutions in a secure and reliable manner.
Telered conducted the ISO 9001:2008 supplier audit for bTrade in June 2015. In this audit, bTrade was rated on key metrics such as product quality, expertise and experience of employees, timeliness and effectiveness of problem resolution, return on investment, and overall performance in the competitive market space. According to Yolany Leon, a Process and Quality Analyst at Telered, bTrade continues to score highly as a Telered supplier. Telered has been a bTrade customer for more than a decade.
“It is extremely gratifying to receive this recognition from our customer, Telered, S.A.,” said Steve Zapata, President and CEO of bTrade. “bTrade has always focused on continued quality, and this supplier rating reconfirms our mission to provide our customers with the highest quality products and services possible,” added Zapata.
For more information on bTrade’s solutions and services, please visit bTrade.com.
If So, Take Some Encryption and Call the Doctor in the Morning
Earlier this year, a business acquaintance received a data breach notification letter from Anthem, an insurer in the healthcare industry. The letter begins with the standard assurances that Anthem “works hard to protect your personal information.” But the mood quickly changes in the next sentence as Anthem advised: “Unfortunately, we were the victim of a cyber attack and your personal information may have been accessed.”
The same person had the misfortune of thereafter receiving a similar type of letter from another company in the healthcare industry, UCLA Health. The letter from UCLA Health conveyed the same type of canned message: assurances about “working hard” to protect personal information; followed by a claim of being a “victim” of hackers; and then the “unfortunate” result that personal information may have been compromised.
This person was concerned, and she asked me a lot of questions. How could so many healthcare companies become “victims” of hackers? Don’t these “victim” companies have data security protections in place to prevent this sort of thing? Have they ever heard of encryption? She asked me for answers, so I did some research into the state of data security in the healthcare field, and I want to share some of it with readers of bTrade’s MFT Nation.
Health Insurers Aren’t Required to Encrypt Data???
One of the first items I came across is this article from The Wall Street Journal online entitled “Health Insurer Anthem Didn’t Encrypt Data in Theft.” The article discusses data breaches involving Anthem and another health insurer, Humana, and suggests that the hackers were successful because the companies weren’t encrypting data. According to the authors, health insurers aren’t required by law to encrypt data:
Health insurers don’t always encrypt members’ data, and aren’t required by the federal Health Insurance Portability and Accountability Act to encrypt data.
Under HIPAA, doctors, hospitals, health plans and others must “address” encryption in their operations, but don’t have to scramble data if they determine doing so would impose an unreasonable burden, the likelihood of disclosure is low and they have implemented alternative security measures.
The authors are technically correct, but in practice, health insurers should consider encryption to be a required part of their data security practices.
The Healthcare Industry is Subject to Strict Data Security Laws
If you want to know the data security standards for the healthcare industry, you need to understand the Health Insurance Portability and Accountability Act, or “HIPAA” for short. HIPAA is a comprehensive federal law, and when I say “comprehensive,” I mean it’s got a lot of data security standards (set out in the HIPAA Security Rule, 45 CFR Part 164, Subpart C) that, if followed, will help protect the confidentiality of personal information when it is stored, maintained or transmitted by healthcare entities such as Anthem and UCLA Health.
As the authors of the WSJ article stated, HIPAA does not explicitly require encryption. In fact, it doesn’t explicitly require the implementation of any specific security technology. However, this doesn’t mean what people sometimes think it means, and this misunderstanding can cause healthcare folks some real heartburn.
Encryption is Reasonable and Appropriate, Right?
In the section of the HIPAA Security Rule captioned “Technical Safeguards” (45 CFR 164.312), there are “Implementation Specifications” dealing with encryption, one for data at rest and one for data in transit. But the Implementation Specifications for encryption are categorized as “addressable” rather than “required.” Why are some things “addressable” rather than required? Because there is not always a “one-size-fits-all” solution for data security issues. For example, a healthcare entity with only a local network and no electronic connectivity to any person or entity outside of the organization may not need to encrypt data in transit (though it still has to think about data at rest on laptops, backup media and other portable devices that can walk out the door). Also, encryption is just one method of rendering electronic data unreadable to unauthorized persons.
It should be noted, though, that “addressable” does not mean “optional.” A healthcare entity must still determine whether an addressable Implementation Specification is a “reasonable and appropriate” data security measure to apply within its particular environment. If it is, the entity must implement it. If the entity concludes it is not, the Security Rule requires it to document why, and to implement an equivalent alternative measure if that alternative is reasonable and appropriate. The key phrase here is “reasonable and appropriate.” In other words, encryption is required if it’s reasonable and appropriate to do so.
Whether a particular security measure is “reasonable and appropriate” depends on a balancing of factors such as an entity’s size, complexity, capabilities, infrastructure, hardware and software, as well as the costs of the security measures and the probability and criticality of potential risks. Basically, a company doesn’t “have to” encrypt, but if it chooses not to, it had better be prepared to demonstrate clearly, in the event of an audit by HHS’s Office for Civil Rights, that its documented risk analysis actually supports that decision.
In summary, health insurers are required to encrypt personal information whenever it is “reasonable and appropriate” to do so. In what situations would it be considered reasonable and appropriate to not use encryption? Except for the local network example mentioned above, I can conceive of very few, if any. Even if you think that such a situation exists in your organization, you had better be prepared to convince HHS’s Office for Civil Rights that you are right, and remember that this office generally considers encryption to be both necessary and appropriate. There is a practical incentive as well: under the HIPAA breach notification rule, protected health information that has been encrypted in accordance with HHS guidance is not “unsecured” PHI, so the loss of a properly encrypted laptop or file does not by itself trigger a breach notification letter like the ones my acquaintance received. For these reasons, I believe that encryption is required of most, if not all, health insurers.
Let us know whether you agree or disagree by posting a comment below, or by sending a confidential email to email@example.com.
Federal Appeals Court Says FTC has Authority to Regulate Data Security Practices
MFT Nation has written before about the FTC vs. Wyndham Worldwide Corp. case. The FTC sued Wyndham after three separate hacking incidents led to more than $10 million in fraud losses for customers. Wyndham allegedly did not use encryption, firewalls, and other commercially reasonable methods for protecting consumer data.
In our previous posts we did not address a corollary issue raised by the FTC vs. Wyndham case: whether companies that fail to provide customers with reasonable data security protections can be punished by federal regulators. Earlier this week, a federal appeals court (the Third Circuit) confirmed that the FTC can punish companies for unreasonable data security practices. The appeals court ruling is interesting on several levels, but for purposes of this post, I want to share some of the humorous and biting ways the court dealt with some of Wyndham’s arguments.
Reductio Ad Absurdum Invites a Tart Retort
For example, Wyndham asserted that a business shouldn’t be held liable if “the business itself is victimized by criminals.” Basically, Wyndham tried to deflect attention from its alleged wrongdoing by pointing the finger at another wrongdoer, the hackers. Wyndham suggested that if it can be held liable in such circumstances, then the FTC could conceivably sue supermarkets that are “sloppy about sweeping up banana peels.” I kid you not; Wyndham actually proffered this argument.
The appeals court had fun with it, though, describing the argument as reductio ad absurdum. For non-lawyers and those who don’t speak Latin, the court is telling Wyndham that its argument is absurd. And the court used the banana peel analogy to explain the absurdity of Wyndham’s argument: “It invites the tart retort that, were Wyndham a supermarket, leaving so many banana peels all over the place that 619,000 customers fall hardly suggests it should be immune from liability.” Generally speaking, you’re not doing well when the court feels your argument “invites a tart retort.”
In Some Instances, the Third Time Isn’t a Charm
Wyndham also argued that it was not given adequate notice of “what specific cybersecurity practices are necessary to avoid liability.” To this argument, the court quickly offered another tart retort: “We have little trouble rejecting this claim.” The court explained:
As the FTC points out in its brief, the complaint does not allege that Wyndham used weak firewalls, IP address restrictions, encryption software, and passwords. Rather, it alleges that Wyndham failed to use any firewall at critical network points, did not restrict specific IP addresses at all, did not use any encryption for certain customer files, and did not require some users to change their default or factory-setting passwords at all.
In other words, Wyndham’s practices would fail under any cybersecurity standard imposed by the FTC. And the court went on to say that Wyndham’s case was made “even weaker given it was hacked not one or two, but three times. At least after the second attack, it should have been painfully clear to Wyndham that a court could find its conduct failed.”
Beaten but Not Broken
What did Wyndham say about the ruling? It remained defiant, saying that ultimately “the facts will show the FTC’s allegations are unfounded.” But in a more conciliatory tone, Wyndham did acknowledge that “safeguarding personal information remains a top priority for our company, and with the dramatic increase in the number and severity of cyberattacks on both public and private institutions, we believe consumers will be best served by the government and businesses working together collaboratively rather than as adversaries.”
Stay tuned to MFT Nation for further developments in the FTC vs. Wyndham case, as well as others affecting the world of data security.
You may know that some people, referred to euphemistically as “dumpster divers,” search through garbage for items they find useful/valuable. But did you know that some dumpster divers are much more sophisticated and focused on harvesting data stored on discarded hard drives, full workstations, old mainframe tapes, and now cell phones? With everyone seemingly worried about hackers on the wild internet, we forget about this other security risk. And it is real. These sophisticated dumpster divers can recover data from such discarded items.
In a previous post about the long-running Oracle vs. Google case, we noted that “Oracle has a federal appeals court precedent on its side, which it can use as a sword against all other Java API users who Oracle believes may be violating its copyrights. So, unless and until another court decides otherwise, the IT community should be aware that Oracle may be on the hunt for violators.”
I’m pleased to report that bTrade has been acknowledged by Info-Tech Research Group as an “experienced and recognized leader in the MFT industry.” The acknowledgement follows a period of evaluation by Info-Tech of bTrade and its MFT products, and is memorialized in a vendor landscape report appropriately titled, “Select and Implement a Managed File Transfer Solution.”
The United States Supreme Court (aka, the “Supremes”) left today for summer vacation, and on the way out the door they posted a list of cases they will hear in the fall term. We thought MFT Nation readers would want to know that the Oracle v. Google case was not on the list. So what does this development mean?
I want to offer a short follow-up to a previous MFT Nation post about the results of Aon’s Risk Solutions survey in which its business clients ranked cybersecurity as a Top 10 concern, for the first time ever.