Archive for category General

Managed File Transfer Streamlines HIPAA/HITECH Complexity

Posted on Monday, 9 May, 2011

Managed File Transfer (MFT) systems are great for policy enforcement, access authentication, risk reduction, and more. But for HIPAA and HITECH requirements, MFT shines as a workflow automation tool.

MFT as the B2B Enabler

It shines because Managed File Transfer systems are actually automation platforms that can help companies streamline the secure transfer of data between business partners. How? It removes many of the configuration steps traditionally required for complex Business-to-Business (B2B) processes, keeping it straightforward and manageable.

Transferring patient information is a difficult challenge which many healthcare institutions are facing. Data standards were supposed to simplify this communication between healthcare institutions and their partners. But ask any technical professional about the underlying variability of data formats, and you’ll hear a tale of potential confusion and complexity.

Nightmares of Compliance

The HITECH regulations within HIPAA require the security and privacy of healthcare records, strongly suggesting the use of data encryption. These records may travel between various healthcare-related partners including hospitals, clinics, payment processors and insurers. Each partner may require their own unique data format, and each may prefer a different encryption technique or transport protocol.

Considering these differing requirements, adding each new trading partner has traditionally needed the attention of in-house programming or manual processes, which has become hugely inefficient. Furthermore, if the new trading partner is not implemented properly, this can also create the potential for errors that may lead to data exposures. Any exposures could move the healthcare institution out of HIPAA/HITECH compliance and may cost them severely.

Simplifying and Integrating Information Transfer

A Managed File Transfer (MFT) solution can significantly reduce the potential for errors and automate those processes. With a good MFT solution, any authorized personnel should be able to quickly build transfer configurations for each healthcare business partner. This should allow for quick selection of strong encryption methods (e.g. OpenPGP, SFTP, FTPS, HTTPS) based on the partner’s requirements, so that HITECH requirements are maintained. At the same time, an MFT solution creates a visible audit trail to ensure that compliance is sustained.

But, perhaps just as important, a good Managed File Transfer solution is constructed as a modular tool that can be easily integrated into existing software suites and workflow processes. In fact, a good MFT is like a pluggable transfer platform that brings the variability of all kinds of B2B communications under real management.

Now extend the MFT concept beyond the healthcare business sector, into manufacturing, finance, distribution, etc. Suddenly MFT isn’t a niche utility, but a productivity and automation tool that has myriad uses in multiple B2B environments.

A Day-to-day Technical Solution

Perhaps this is why the Gartner Group has identified Managed File Transfer as one of the key technologies that will propel businesses in the coming years. It’s more than just a utility suite: It’s a system that can be utilized over and over as an integral part of an organization’s solutions to automate and secure B2B relationships. In other words, MFT isn’t just for specialized compliance requirements, but a linchpin of efficient B2B communications technology that can bring real cost savings to every organization.

Healthcare Case Study Utilizing an MFT Solution: Bristol Hospital Takes No Risks with Sensitive Data

Thomas Stockwell

Thomas M. Stockwell is one of Linoma Software's subject matter experts and a top blogger in the industry. He is Principal Analyst at IT Incendiary, with more than 20 years of experience in IT as a Systems Analyst, Engineer, and IS Director.


Data Breach: Are You Next (or Again)?

Posted on Monday, 25 April, 2011

A data breach is closer than you think. As the percentage of data breaches increases, the risk of organizations losing your sensitive data also increases. No one wants to receive the news that some or all of their personally identifiable information (PII) was stolen. There are people who are victims of various phishing scams, but it is more likely that your information will be leaked or stolen from an organization.

The health care industry is currently in the spotlight, as they are moving to mandated Electronic Health Records (EHR) and the American National Standards Institute (ANSI) is investigating the two main health care related data privacy concerns today: how to protect patient information and what is the financial harm or cost per record if it is stolen.

The numbers are staggering. According to the Privacy Rights Clearinghouse (www.privacyrights.org), there have already been 47 reported leaks or breaches in the health care realm this year. That is about one every other day (102 additional reported breaches if counting business and government).

In the world of data security, breaches are no longer thought of in terms of “if,” but “when.” Fortunately, there are easy steps companies and health care organizations can take to protect the PII that they maintain from direct hacking attempts. The procedures data security companies recommend you adopt begin with the following:

  • Require strong passwords
  • Use encryption to protect files in motion and at rest
  • Reduce the number of computers that process sensitive information
  • Audit every transaction
  • Limit the number of accounts that can access the critical data

The organization you own or work for doesn’t have to be the next headline. Start researching different options to protect your customers’ sensitive data and keep your organization from a possible breach. The fines and surcharges are exponentially higher than purchasing a secure managed file transfer solution or a database encryption tool. Not sure where to start? Read the Top 10 Managed File Transfer Considerations.

Encrypting Files with OpenPGP

Posted on Monday, 11 April, 2011

When our users send a file over the Internet there are really just a few things that seem important to them at the time:

a) Is the file complete?

b) Is it being sent to the right place?

c) Will it arrive intact?

and, if the data is sensitive,

d) Will the intended recipient (and only that recipient) be able to use it?

That’s where encryption comes in: By scrambling the data using one or more encryption algorithms, the sender of the file can feel confident that the data has been secured.

But what about the file’s recipient? Will she/he be able to decode the scrambled file?

Encryption, Decryption, and PGP

For years, PGP has been one of the most widely used technologies for encrypting and decrypting files. PGP stands for “Pretty Good Privacy” and it was developed in the early 1990s by Philip Zimmermann. Today it is considered to be one of the safest cryptographic technologies for signing, encrypting and decrypting texts, e-mails, files, directories and even whole partitions.

How PGP Works

PGP encryption employs a serial combination of hashing, data compression, symmetric-key cryptography, and, finally, public-key cryptography. Each step uses one of several supported algorithms. A resulting public key is bound to a user name and/or an e-mail address. Current versions of PGP employ both the original “Web of Trust” authentication method, and the X.509 specification of a hierarchical “Certificate Authority” method to ensure that only the right people can decode the encrypted files.
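The four stages named above, in order, as an added example (not code from the original post, from PGP, or from any Linoma product). Textbook RSA on small constructed primes and a SHA-256 keystream stand in for the real OpenPGP algorithms, and every function and key name here is an assumption made for illustration.

```python
import hashlib, secrets, zlib

E = 65537

def make_key(p, q):
    """Textbook RSA key pair from two primes (toy sizes, no padding)."""
    n = p * q
    return {"n": n, "e": E, "d": pow(E, -1, (p - 1) * (q - 1))}

# Constructed demo keys built from Mersenne primes; real keys are 2048+ bits.
SENDER = make_key(2**89 - 1, 2**107 - 1)
RECIPIENT = make_key(2**61 - 1, 2**127 - 1)

def keystream_xor(key, data):
    """Toy symmetric cipher: XOR with SHA-256(key || offset) blocks."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def digest_int(message, n):
    # Hash reduced mod n only because the toy modulus is shorter than SHA-256.
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n

def encrypt(message, sender_priv, recipient_pub):
    # 1. Hashing: sign the digest with the sender's private key.
    sig = pow(digest_int(message, sender_priv["n"]), sender_priv["d"], sender_priv["n"])
    # 2. Compression: signature and message are compressed together.
    body = zlib.compress(sig.to_bytes(32, "big") + message)
    # 3. Symmetric-key step: a fresh random session key encrypts the body.
    session_key = secrets.token_bytes(16)
    ciphertext = keystream_xor(session_key, body)
    # 4. Public-key step: only the session key is encrypted to the recipient.
    wrapped = pow(int.from_bytes(session_key, "big"), recipient_pub["e"], recipient_pub["n"])
    return wrapped, ciphertext

def decrypt(wrapped, ciphertext, recipient_priv, sender_pub):
    # Reverse order: unwrap the key, decrypt, decompress, verify the signature.
    session_key = pow(wrapped, recipient_priv["d"], recipient_priv["n"]).to_bytes(16, "big")
    body = zlib.decompress(keystream_xor(session_key, ciphertext))
    sig, message = int.from_bytes(body[:32], "big"), body[32:]
    if pow(sig, sender_pub["e"], sender_pub["n"]) != digest_int(message, sender_pub["n"]):
        raise ValueError("signature check failed")
    return message
```

Because only the short session key passes through the public-key step, the file itself is encrypted once no matter how large it is, and the signature check at the end tells the recipient who produced it.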

Why are these details important for you to know?

Growing Pains for PGP

PGP has gone through some significant growing pains – including a widely publicized criminal investigation by the U.S. Government. (Don’t worry! The Federal investigation was closed in 1996 after Zimmermann published the source code.)

One result of PGP’s growing pains has been the fragmentation of PGP: Earlier versions of the technology sometimes cannot decode the more recent versions deployed within various software applications. This PGP versioning problem was exacerbated as the ownership of the PGP technology was handed off from one company to another over the last 20 years.

And yet, because PGP is such a powerful tool for ensuring privacy in data transmission, its use continues to spread far more quickly than other commercially owned encryption technologies.

Fragmentation and the Future of PGP

So how is the industry managing the issue of PGP fragmentation? The answer is the OpenPGP Alliance.

In January 2001, Zimmermann started the OpenPGP Alliance, establishing a Working Group of developers that are seeking the qualification of OpenPGP as an Internet Engineering Task Force (IETF) Internet Standard.

Why is this important to you? By establishing OpenPGP as an Internet Standard, fragmentation of the PGP technology can be charted and – to a large degree – controlled.

This means that the encrypted file destined for your system will be using a documented, standardized encryption technology, OpenPGP, that can be appropriately decrypted. The standardization helps ensure privacy, interoperability between different computing systems, and the charting of a clear path for securely interchanging data.

The OpenPGP Standard and Linoma Software

OpenPGP has now reached the second stage in the IETF’s four-step standards process, and is currently seeking draft standard status. (The standards document for OpenPGP is RFC 4880.)

Linoma Software uses OpenPGP in its GoAnywhere Director Managed File Transfer solution. Just as importantly, Linoma Software is an active member of the OpenPGP Alliance, contributing to the processes that will ensure that OpenPGP becomes a documented IETF Internet Standard. This will ensure that your investment in Linoma’s GoAnywhere managed file transfer software remains current, relevant, and productive.

For more information about OpenPGP and the OpenPGP Alliance, go to http://www.openpgp.org. To better understand how OpenPGP can help your company secure its data transfers, check out Linoma Software’s GoAnywhere Director managed file transfer (MFT) solution.

Thomas Stockwell


The Culture of Data Security

Posted on Monday, 21 March, 2011

We hear a lot of buzz about protecting both customer and company data, but it is alarming how few IT departments and enterprise users are protecting their data correctly. A recent survey conducted for Oracle reveals that fewer than 30 percent of their respondents are encrypting personally identifiable information.

Data and network security should be the basis for every IT decision, but it is typically an afterthought. The Oracle report also concludes that half of companies surveyed profess a strong commitment to data security, but only 17 percent of them have begun to scratch the surface.

Lack of data security is often due to corporate culture and the fear of change. Most companies at the corporate level agree they are committed to data security and protecting customer records. If a company’s official stance is to protect their data, where are the security holes?

In my experience, the largest security holes exist in the departments outside the core IT organization. They don’t place the same value on the data as the IT Security team. Many companies still allow their employees to perform file transfers directly from their desktops and laptops using FTP or other unsecure tools. Not only are these ad-hoc methods unsecure and capable of exposing passwords or entire databases, they do not all function alike and do not provide centralized logs.

Educating employees about the dangers of unsecured and/or unnecessary data transfer is more business-friendly than preventing it altogether. Part of this process should be moving everyone to a managed file transfer methodology, like Linoma Software’s GoAnywhere Director. This not only secures your data transfers, but it creates a digital paper trail showing where assets are going – something which is of particular importance when you consider all the data security compliance regulations in effect today.

Data security for the millions of files sent over the Internet or within “the cloud” is of great importance to all industries, including health care, retail, banking and finance. Internet transfers include the critical data needed to conduct business, such as customer and order information, EDI documents, financial data, payment information, and employee- and health-related information. Many of these information transfers relate to compliance regulations such as PCI, SOX, HIPAA and HITECH, state privacy laws, or other mandates.

We need to grow a data security culture that includes securing file transfers.
