The HITECH Act mandates that the HHS Secretary must post a list of breaches of unsecured protected health information affecting 500 or more individuals. The list is compiled and published in its “Breach Notification Portal,” which has become known as the “Wall of Shame.”
The Wall of Shame shows that more than 160 breaches have been added so far in 2018. Here’s some trivia gleaned from it: (1) “unauthorized access/disclosure” breaches are the most common type of incident; (2) the second most commonly reported type of breach is hacking incidents, which affect far more individuals than other types of breaches; and (3) 2 dozen breaches involved loss/theft of #unencrypted computing devices.
Stay cyber-safe with #encrypted devices and by using #encryption when transmitting data.
bTrade, the leading provider of secure and managed file transfer technology solutions, has been recertified as a Minority Business Enterprise (MBE) by the National Minority Supplier Development Council (NMSDC). “I am pleased to announce that we have renewed our MBE certification, which is highly regarded by many customers, prospective customers, and business partners,” said Steve Zapata, President and CEO of bTrade. “Having the MBE certification is very valuable, and we take great pride in being recognized as a minority-owned business.”
NMSDC certifications cover a wide variety of businesses from small minority-owned organizations to billion-dollar powerhouses and NMSDC maintains a directory of certified MBEs. MBE certification is accepted and generally required by many of the largest publicly, privately and foreign-owned companies, as well as universities, hospitals and other buying institutions. NMSDC has an impressive list of corporate members that represent a veritable “Who’s Who” in corporate America.
NMSDC has established stringent certification standards which identify bona fide minority businesses, and the regional Councils do the investigation to determine whether a business is worthy of MBE certification. For the recertification process, bTrade worked with the Southern California Minority Supplier Development Council (SCMSDC). SCMSDC’s recertification process often alleviates the need for customers, prospective customers and business partners to conduct additional audits to verify bTrade’s commitment to workplace diversity. This process also distinguishes NMSDC from other organizations that publish directories which allow “self-certification” as their standard.
“This certification stands proudly alongside bTrade’s other certifications,” said Zapata. “These include our FIPS 140-2 security certification, meeting Drummond Group interoperability requirements, compliance with HIPAA standards, and many more.”
The US federal government, through @USCERT_gov, has published an excellent “security tip” (which actually is more of a detailed guide) for better securing network infrastructure: https://bit.ly/2txAHLw . We love it when we see government working for its citizens!
Starting with the FTC vs. Wyndham case, bTrade’s MFT Nation blog has run a series of posts that we described as “case studies for what not-to-do” in the rapidly changing world of data security. The latest in this series involves the University of Texas MD Anderson Cancer Center (“Anderson”).
The U.S. Department of Health and Human Services, Office of Civil Rights (“OCR”), investigated Anderson after learning of three separate data breaches involving the theft of unencrypted electronic protected health information (ePHI) of tens of thousands of individuals. To Anderson’s credit, it had written encryption policies going as far back as 2006 and risk analysis performed by Anderson showed that the lack of device-level encryption posed a high risk to the security of ePHI.
The problem for Anderson, however, was its failure to implement the required encryption. Anderson did not begin to adopt an enterprise-wide solution to implement encryption of ePHI until 2011, and it failed to encrypt its inventory of electronic devices containing ePHI until much later.
OCR imposed a $4.3 million penalty against Anderson for violating HIPAA’s Privacy and Security Rules. The penalty was justified “given the high risk to its patients resulting from the unauthorized disclosure of ePHI,” a risk that Anderson “not only recognized, but that it restated many times.”
Click here to read more on OCR’s website about the recent actions taken against Anderson.
If you want to speak with bTrade’s data security experts about implementing an enterprise-wide encryption solution to protect ePHI, or any other type of data, please contact us at firstname.lastname@example.org.
Several recent MFT Nation posts have explored factors to consider when deciding between deploying your IT infrastructure on-premise (“on-prem”) or moving some or all of it to “the cloud.” Our last post said we were sharing “one last bit of info” on the subject. That was a bit premature because a lot of info is being published and we want to continue sharing for the benefit of our readers.
For example, Forbes wrote a good article titled With Cloud Security, The Devil’s In The Details. The author, Ameesh Divatia, begins by highlighting the virtue of deploying some or all of your infrastructure in the cloud—it “simplifies IT and offers a lot of value for companies.” But he continues the thought process by asking the question: “Who’s responsible for cloud security?” Mr. Divatia’s answer to the question imparts some food for thought, so to speak:
You, and virtually everyone else, will likely answer that the cloud provider (Microsoft, Amazon, etc.) is responsible. After all, it’s their cloud, right? But wait — dig a little into the details, and you’ll find that’s not the case. In all major cloud provider contracts and agreements, there’s a little devil of a detail: The cloud provider is responsible only for infrastructure security of the cloud — not for safeguarding the security, privacy or appropriate use of the data or information stored within it. And therein lies the rub.
The article is a good read for those of you concerned about #cloudsecurity. The author offers some real-world, common-sense points to consider.
If you want to speak with bTrade’s data security experts about deployment models, please contact us at email@example.com. If you want to keep updated on developments in the world of secure file transfer and data security, follow us on Twitter, LinkedIn, and our blog MFT Nation.
Beware of the “free” file sharing apps; oftentimes you get what you pay for, so to speak:
MFT Nation wants to share one more last bit of info on #cloudsecurity, this time from a thoughtful article discussing how hackers prey upon the “mass movement of company and personal data to the cloud”: https://bit.ly/2seV1R2 . Please contact us at firstname.lastname@example.org to learn about using a bTrade MFT solution to protect ANY movement of data, to the cloud or ANYWHERE, whether internally or externally.
In a recent post, bTrade’s MFT Nation explored two matters to consider when deciding between deploying your IT infrastructure on-premise (“on-prem”) or moving some or all of it to “the cloud.” We said in that post that while cybersecurity considerations are “always vital,” some industry sectors generally do not trust cloud providers to safeguard their data. Well, based on a recent report on CIO cloud perspectives, perhaps we should add the healthcare industry to the list of doubters.
The article, entitled “Healthcare Cloud Take-off: Waiting for the Fog to Clear,” summarizes the results of a survey of 175 healthcare IT professionals taken at the HIMSS18 Las Vegas conference. Although nearly 60% of respondents said their organizations have placed a priority on moving some IT to the cloud, only about 30% have devised a cloud migration strategy. Why? According to the survey, HIPAA compliance, security, and privacy worries are the main reasons why healthcare IT professionals are reluctant to use the cloud. And around 50 percent of respondents cited security concerns as their primary worry associated with cloud migration.
The CEO of the company that produced the report offered this thought about the results: “Although cloud hosting for healthcare has become mainstream, the understanding of and confidence in the cloud to meet the exacting standards of the highly regulated industry is still a major concern for healthcare systems.” The report concluded with this observation: “Healthcare organizations are not 100 percent convinced that cloud storage is safe for the protected health information (PHI) of their patients and therefore remain grounded for take-off.”