By Aaron Riddle on January 26, 2012
With smartphones and social media platforms becoming a major means of communication between friends, family and co-workers, we have come to appreciate the evolution of mobile applications. With over 500,000 apps on iPhone, 350,000 on Android and thousands more on other operating systems, there are many apps offering many different services to their users. To work, these apps need permission to use certain features and data on your phone. Sometimes an app requests permissions it does not actually need.

Pandora App Redistribution of User Information
For example, when you download an app from the Android Market, a screen lists the permissions the app requests (the phone components and data it will be allowed to use) and asks you to accept them before it installs.
Apple takes a different approach: it reviews each app, including what it accesses, before listing it on the App Store.
Each method has pros and cons that may put users in jeopardy. Android pushes the permission decision onto the user at install time, while Apple makes that judgment for you during review. Neither is perfect, and some apps slip through the cracks.
Lookout, a U.S.-based mobile security firm, analyzed roughly 300,000 iPhone and Android apps in a 2010 study and found that a large share of them collected user data without the user's knowledge. Most of that data collection came from advertising kits bundled into the applications. These kits provide a little extra revenue to developers: information gathered by the app is sent to third-party advertisers and used to target ads at its users.
Lookout also found that one specific Android wallpaper app, "Jackeey," was collecting personal data from its users, including:
- Location
- Phone Number
- Voicemail Passwords
This information was then sent to a website hosted in China. This particular app was downloaded somewhere between 1.1-4.6 million times.
Here are a couple of precautionary tips when it comes to downloading apps on your phone:
- Make sure the app is created and distributed by a developer you can identify and trust, and use your best judgment about what you download.
- Review the permissions the app requests from your phone: does this app really need access to my contacts, location or text messages? A wallpaper app has no business reading your phone identity or SMS.
There’s a great resource on Wall Street Journal’s website that has an interactive diagram in which you can see some of the most popular apps on your iPhone and Android (I’m sure there’s a good chance one of these apps is on your phone right now), and how they distribute your information.
For example, Pandora (seen in the photo above) collects your Phone ID (red), location (purple) and age/gender (blue), and then sends that data to multiple advertising companies and groups.
Users need to be aware of what apps they are downloading to their phones. For users at companies subject to compliance regulations such as HIPAA (PHI, EMR) and PCI (CHD), it is even more important, because heavy fines and potential legal action follow if that information is exposed. You don't want to be the person who costs your company thousands of dollars because you needed the latest wallpaper app, do you?
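As an added example (not code from the original post), here is a small Python script that does the permission review the tips above recommend, but against an app's manifest rather than the install-time dialog. The AndroidManifest.xml it parses is constructed to resemble a wallpaper app of the kind described; the mapping from permission names to the data they expose and the per-category list of expected permissions are assumptions made for the illustration, not an official Android or Lookout list.

```python
"""Flag permissions an app requests that its stated purpose does not justify.

Added example for this post, not code from the original page. The manifest
below is constructed to resemble a wallpaper app; the permission-to-data
mapping and the per-category "expected" sets are assumptions chosen for the
illustration, not an official Android or Lookout list.
"""
from __future__ import annotations

import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# What each permission lets an app read or do (assumed, simplified descriptions).
SENSITIVE = {
    "android.permission.READ_PHONE_STATE": "phone number and device ID",
    "android.permission.ACCESS_FINE_LOCATION": "precise GPS location",
    "android.permission.ACCESS_COARSE_LOCATION": "approximate location",
    "android.permission.READ_CONTACTS": "address book",
    "android.permission.READ_SMS": "text messages",
    "android.permission.RECEIVE_SMS": "incoming text messages",
    "android.permission.READ_CALL_LOG": "call history",
    "android.permission.RECORD_AUDIO": "microphone",
}

# Permissions an app of a given kind plausibly needs (assumed baseline).
EXPECTED = {
    "wallpaper": {"android.permission.INTERNET",
                  "android.permission.SET_WALLPAPER"},
    "maps": {"android.permission.INTERNET",
             "android.permission.ACCESS_FINE_LOCATION",
             "android.permission.ACCESS_COARSE_LOCATION"},
}

# Constructed manifest resembling the wallpaper app described in the post.
WALLPAPER_MANIFEST = f"""<manifest xmlns:android="{ANDROID_NS}" package="com.example.wallpapers">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SET_WALLPAPER"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
</manifest>
"""


def requested_permissions(manifest_xml: str) -> list[str]:
    """Return the permission names declared in <uses-permission> elements, in order."""
    root = ET.fromstring(manifest_xml)
    names = []
    for elem in root.iter("uses-permission"):
        name = elem.get(f"{{{ANDROID_NS}}}name")
        if name:
            names.append(name)
    return names


def review_permissions(manifest_xml: str, app_kind: str) -> dict[str, str]:
    """Map each requested permission outside the expected set to the data it exposes.

    Permissions that are neither expected nor listed in SENSITIVE are still
    reported, as "not justified by app type", so the reviewer sees them.
    """
    expected = EXPECTED[app_kind]
    findings = {}
    for perm in requested_permissions(manifest_xml):
        if perm in expected:
            continue
        findings[perm] = SENSITIVE.get(perm, "not justified by app type")
    return findings


if __name__ == "__main__":
    for perm, exposure in review_permissions(WALLPAPER_MANIFEST, "wallpaper").items():
        print(f"unexpected permission {perm}: grants access to {exposure}")
```

The same manifest reviewed as a "maps" app would pass the location permission and flag SET_WALLPAPER instead, which is the point: a permission is only excessive relative to what the app claims to do.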
Sources:
Android Wallpaper App That Steals Your Data Was Downloaded By Millions
Mobile App Security: 5 Ways To Protect Your Smartphone
Mobile Apps Stealing Personal Data
WSJ Interactive Diagram
Posted in PCI/HIPAA/SAS-70 Compliance | Tagged HIPAA compliance, HIPAA hosting, mobile data security, mobile security, PCI compliance, PCI hosting, smartphone data security, smartphone security |
By Mike Klein on January 25, 2012
HIPAA – The Health Insurance Portability and Accountability Act, through its Security Rule, requires that three properties of electronic Protected Health Information (PHI) be ensured: confidentiality, integrity and availability. This blog post focuses on availability as it applies to HIPAA applications and HIPAA data.
Availability means that PHI is always available, accessible and never lost. When a patient arrives at the emergency room at three o'clock in the morning, the electronic health records need to be available so the physician can address the emergency with all of the patient's records at her fingertips. Patient care is no longer a 9-to-5 job, and one of the main drivers behind electronic health records (EHR) is the portability and availability of patients' records to health care providers around the clock.
Availability also means that PHI isn't lost. HIPAA and the HITECH Act make Covered Entities and Business Associates responsible for making sure PHI isn't lost; the Security Rule's contingency plan standard (45 CFR 164.308(a)(7)) specifically calls for a data backup plan and a disaster recovery plan. For electronic records, this means offsite data backups are imperative and offsite disaster recovery is strongly recommended.
So what does "availability" mean from a computing and application infrastructure perspective? I like to look at availability from two perspectives:
- Disaster Prevention – putting all the tools in place to minimize the probability of an outage in the data center infrastructure, server hardware, software and network connectivity.
- Disaster Recovery – assuring that the applications and data can be recovered and restored in a reasonable timeframe to continue running the business and making patient data available if there is a disaster in the primary data center.
Disaster Prevention is typically thought of in terms of “High Availability” – or redundant systems to assure that there is no single point of failure on the delivery of the application or data. Examples of high availability at the data center level include high availability power delivery through redundant generators, uninterruptible power supplies (UPSs), power distribution units (PDUs), and redundant power supplies in the servers. With high availability power, the failure of any element (generator, UPS, or power supply) does not affect the availability of the application – since the entire infrastructure is redundant.
Redundancy can also be delivered in the cloud server platform. For example, unlike many public clouds, Online Tech's managed cloud servers run on redundant hardware hosts with multiple power supplies, multiple network connections to SANs, redundant controllers and RAID-protected storage. Again, any hardware failure, or even the complete shutdown of a host, will not affect the availability of the application and the PHI data.
Disaster Recovery is typically thought of in terms of Recovery Time Objective (RTO) and Recovery Point Objective (RPO). RTO is the target time to bring the servers, network, application and data back online at a separate data center after a disaster shuts down the primary one. RTOs can range from minutes to weeks depending on the technology selected. RPO is the maximum amount of data loss, measured in time, that is acceptable, and it is set by how often the data is backed up or replicated. If backups are made every night, the RPO is 24 hours (up to 24 hours of data can be lost). If continuous replication is used, the loss may be as short as a few minutes. The shorter the RTO and RPO, the better for most businesses, though each step shorter costs more, so set them from the business impact rather than the other way round.
As a minimum, we recommend that all HIPAA applications use offsite backup for their data. That way, if the production data center has a disaster or is destroyed, the PHI isn’t lost. The backup is stored at a second data center that is located a significant distance away to assure the same disaster doesn’t strike both sites. In the Midwest, for example, best practices dictate a geographic separation of 50 miles between data centers. Online Tech’s data centers are 53 miles apart on separate power utilities and are interconnected with high speed fiber to assure timely replication between sites.
For critical PHI, we recommend warm site disaster recovery between data centers. Several years ago, warm site disaster recovery was difficult and expensive to achieve. However, with the advent of cloud computing, disaster recovery has become very cost-effective. DR Now!, our cloud disaster recovery service provides offsite disaster recovery for cloud servers with a four hour RTO that starts at just $99 per server.
So when you think about meeting the HIPAA availability requirements for your health care applications and PHI, I’d suggest you think about it in terms of disaster prevention (high availability) and disaster recovery and ask yourself two key questions:
- Is your application hosted in a high availability environment where the power infrastructure, servers and network infrastructure can sustain failures without impacting your application and PHI data?
- How will your application and PHI data survive a disaster in your production data center? Do you need only to recover your data with offsite backup, or do you need your application and data to be back online in as short a time as possible?
How you answer these questions will be critical to how you comply with the availability criteria of HIPAA and the HITECH Act.
Posted in Cloud Computing, Disaster Recovery | Tagged Cloud Computing, cloud disaster recovery, disaster recovery, high availability, HIPAA compliant hosting, HIPAA hosting, it disaster recovery, managed cloud, offsite backup
By Mike Klein on January 25, 2012
To Our Valued Clients:
Each quarter I like to share with our clients the major initiatives we’re undertaking at Online Tech, and a look at what is in store for the near future.
Last year, we grew over 26%, added a new data center, and invested in a number of improvements to our data centers and service offerings. Some of our 2011 initiatives included:
- A $1M investment in our Mid-Michigan data center, including the complete replacement of the Uninterruptible Power Supplies (UPS). The in-line UPS retrofit was achieved with no downtime and increased the capacity to a full 1 MW at the data center floor.
- We remodeled the office and entry areas of the Mid-Michigan data center and now have a kitchen area and conference rooms available for our clients’ use.
- We opened a third data center, Ann Arbor 2, in the same Avis office park as Ann Arbor 1, which was filling up. The new data center went live in November and adds another 10,000 square feet of raised floor and 300 KW of capacity to our footprint.
- We completed our first SSAE 16 Type II (SOC 1), SOC 2, SOC 3 and HIPAA audits and reports last year. Online Tech was the first data center operator in Michigan to complete its SSAE 16 Type II (SOC 1) audit. We are one of a handful of data centers nationally who invested in a SOC 2 and SOC 3 audit which is much more stringent and focuses on privacy and security controls. We are also one of very few data centers across the country found to be fully HIPAA compliant across all 54 citations of the HITECH act. Online Tech shares audit reports with clients under NDA – every hosting provider should. You can learn more about the latest set of data center audits from this blog post.
- Our new multi-tenant managed cloud computing offering was released last year. Rather than competing against low-end public clouds like Amazon and Rackspace, we designed our managed cloud offering to run mission critical applications. The uptake of server deployments has ramped very quickly since the product release and allows clients to leverage the flexibility and scalability of the cloud.
- HIPAA compliant cloud – through the design and audit process, both our multi-tenant managed cloud and private cloud offerings are HIPAA audited and 100% compliant.
- DR Now! - Last quarter, we introduced the first cost-effective disaster recovery solution for cloud computing. Our managed and private cloud clients are able to get complete disaster recovery in a second data center with a 4 hour recovery time, starting at $99 per server. Fast, automatic disaster recovery is one of the demonstrated benefits of deploying cloud computing.
It was nice to see so many of you at our Ann Arbor 2 open house last month. Over the holidays, we were able to take a deep breath and start planning for what we hope will be an exciting 2012. Some of the plans on our first quarter horizon include:
- Rolling out a new website. Along with a cleaner, easier-to-navigate site, we’ve added a number of resources to the new site that you might find helpful, including information on HIPAA compliance, PCI compliance and SOX compliance.
- We are completing our PCI (Payment Card Industry) audit and will be listed on Visa's Global Registry of Service Providers. PCI compliance is required for any company that stores, processes or transmits cardholder data.
- We are announcing additional fiber optic capability in our Mid-Michigan data center that enhances the connectivity to the Ann Arbor data centers and adds direct fiber connections to additional Internet service providers.
- Comcast has just finished installing a fiber connection into the Mid-Michigan data center – to provide cost-effective high-speed data connections from anywhere in Michigan to our data centers.
- Finally, if you’re going to be at the February HIMSS health care IT conference in Las Vegas, please stop by – we’ll be in booth #13528, where we’ll be discussing our HIPAA audited hosting capabilities. Our HIPAA auditor and one of the foremost legal experts in HIPAA compliance and the HITECH Act will be at our booth to answer your HIPAA questions.
We wish all of our clients continued success into the new year and we look forward to continuing to serve your hosting needs. As always, I welcome your feedback on how we can improve our services and the value we deliver. Feel free to drop me an e-mail or call anytime.
Best Regards,
Mike Klein
President & Chief Operating Officer
Online Tech Inc.
Posted in Online Tech News | Tagged Ann Arbor data center, disaster recovery in the cloud, hipaa compliant cloud, HIPAA compliant hosting, managed cloud computing, mid-michigan data center, pci compliant hosting, private cloud computing, SOC 1, SOC 2, SOC 3, sox compliant hosting, ssae 16 |
By Thu Pham on January 24, 2012
Mobile devices are becoming ubiquitous in the healthcare industry. From quickly filing e-prescriptions to collecting and sending protected health information (PHI) directly to an EHR/EMR (electronic health or medical record) system, the use of smartphones, tablets and other portable devices is changing the quality of patient care for the better across the nation.
But when it comes to securing your mobile devices and meeting strict HIPAA compliance standards, physicians and other healthcare professionals may not realize the security precautions they need to take to prevent a data breach and HIPAA violation.
One example of recommended best practices can be found in Yale University’s HIPAA guide for mobile device security (intended for its covered components, such as the Schools of Medicine, Health Services, etc.) including:

Smartphone Security
- Passwords – Yale recommends users have a password with a minimum of four characters, combined with a lock-out after 10 failed attempts. Keep in mind that the lock-out only defends against guessing on the device itself; a four-character PIN offers little protection if an attacker can work on an unencrypted backup of the device offline.
- Encryption – Data must be encrypted at rest and in transit, including backup data.
- Message Storage – The storage limit is capped at 200 messages at one time or 14 days of messages.
- Applications – All applications that create, store, access, send or receive PHI must meet HIPAA security standards. Yale also has a Security Design Review service that can check out any custom developed apps for compliance (although the website really needs to update its language regarding Application Service Providers and the required SAS 70 Type II documentation – SSAE 16/SOC 1 have since replaced the SAS 70 standard).
- Software – Apply security updates frequently and use the most recent OS available.
- Remote Management and Tracking – Mobile devices must have a remote deletion and tracking feature or you have to sign up for a service that can wipe it if it is stolen or lost. For the iPhone, that can mean installing the Find My iPhone app. Yale provides a comprehensive guide to locating and wiping iPhones, Blackberrys (read this, grammar nerds) and other smartphone devices.
- No Circumvention – This refers to protecting the security of mobile devices by prohibiting users from using unauthorized software and hardware, etc.
- Wireless – Yale requires the use of VPN services when using digital cellular to connect to the Yale network and if not using one of Yale’s cell carriers. For Bluetooth™, passwords or PINs are required to secure connections.
- Thumb Drives and Other Portable Media Devices – Storing PHI is prohibited unless the devices meet the Yale encryption standards.
- File-Sharing – Users that need to send or exchange PHI outside of the network have to use a secure file transfer tool or the SSH File Transfer Protocol (SFTP).
- Servers – Naturally, Yale recommends storing all PHI on servers owned by its IT department. Its requirements are aligned with the HIPAA breach notification rules, under which a breach affecting 500 or more individuals must be reported to HHS and the media without unreasonable delay (smaller breaches are logged and reported annually).
- Privacy Filters – Computer screens that display PHI must have privacy filters installed if they’re viewable by the public.
- Device Disposal – When upgrading or getting rid of your mobile devices, you must first securely destroy or delete PHI.
- Email – Configuring email accounts to auto-forward to a non-Yale email account is prohibited if the email account may have PHI in its inbox.
This is a great start when it comes to documenting and specifying the security measures your organization needs to take, but don’t just copy and paste these policies. Every company has different needs that require a customized plan to keep PHI safe.
Also, not every device is created equal. Last year, BGR.com reported a major flaw in the screen-lock design of AT&T's Samsung Galaxy S II that left it open to a simple workaround, allowing anyone to bypass the PIN or unlock pattern. Tap the lock button to wake the phone, wait for the screen to time out and go black, then tap the lock button again: the phone is suddenly accessible and the PIN is rendered useless. A policy that mandates a PIN is only as good as the lock screen that enforces it.
Make sure you know your device and its features, and deploy similar security measures as found above to stay compliant even on the go.
For more on IT security and best practices, read HIPAA Compliant IT Security and Best Practices. Or for more about smartphone security, read Mobile Security: How Safe is Your Data?
References:
Yale University’s HIPAA Security Updates and Reminders
Major Security Flaw Lets Anyone Bypass AT&T Samsung Galaxy S II Security
Posted in PCI/HIPAA/SAS-70 Compliance | Tagged HIPAA compliance, HIPAA compliant hosting, HIPAA hosting, iphone security, mobile device security, mobile security, smartphone security |
By April Sage on January 23, 2012
How does your BAA (Business Associate Agreement) address breach notification to your clients? We’re asking ourselves tough questions about HIPAA compliance, and our responsibilities as a trusted Business Associate and hosting partner.
#1 What timeframe does your BAA promise clients for PHI breach notification?
As a data center hosting partner to hospitals, physician groups, and health IT companies, we want to be a trusted Business Associate. We consulted experienced health care attorneys and HIPAA auditors to fully understand our responsibilities. Together we created a Business Associate Agreement (BAA) that reflects HHS requirements for timely breach notifications. We’ll share the exact language with you below.
Why preparing for PHI breach notification is critical for Business Associates
Speaking from our own experience, Online Tech serves the health care industry with colocation, managed servers, private and managed clouds, and disaster recovery. A lot of PHI flows through our networks and resides in our servers, clouds, and storage. 62% of the breached records reported to HHS, or 4.4 million, involved a Business Associate. The costs of a PHI breach to patients, Business Associates, and Covered Entities are high with HHS penalties, and lawsuit damages of $1000 per breached patient record.
Anything short of 100% HIPAA compliance puts any Business Associate, their clients, and their patients at undue risk. We weren’t comfortable assessing our own state of HIPAA compliance, so we invested in the expertise of independent health IT security specialists, auditors, and attorneys.
What timeframe does Online Tech's BAA promise for PHI breach notification?
HHS requires extensive documentation within 10 days of a PHI breach, documentation that must be prepared well in advance. Online Tech's preparation included an independent risk assessment, remediation, and a complete HIPAA audit of all 54 HITECH citations across our company policies, procedures, facilities, and HIPAA security training by Certified HIPAA Security Specialist Joe Dylewski, president of ATMP Solutions. Our BAA was prepared in accordance with HITECH requirements with the help of experienced health care attorneys Brian Balow and Tatiana Melnik from Dickinson Wright.
Click here for Online Tech’s BAA Breach Notification Timeframe Clause.
Next week, we’ll discuss preparing for an independent HIPAA audit and the end deliverables.
Related resources:
BAA Breach Notification Clause
OCR Audit Requirements Following a Self-Reported HIPAA Breach
Who Needs to be HIPAA Compliant?
HIPAA Resources: Policies, Procedures & Training Materials
HIPAA, HITECH, BAAs and the Law: Concerns & Best Practices
What’s in a Business Associate Agreement?
HIPAA Compliant IT Security and Best Practices
For more information on HIPAA Compliant hosting, contact us at 877.740.5028 or himss@onlinetech.com
Posted in PCI/HIPAA/SAS-70 Compliance | Tagged breach notification, business associates agreement, HIPAA breach, HIPAA compliant hosting, HIPAA hosting |
By Yan Ness on January 23, 2012
Video, music, classified ads, newspapers, magazines, pictures – all forms of media have been dramatically transformed by their digitization. iTunes, Amazon and all of their various devices have enabled a new business model that created fantastic wealth at the expense of old-guard leaders. This digital transformation was an onslaught that decimated local newspapers, record stores, film production, magazines and many more.
IT professionals claim they dodged this. In fact, they claim they benefit from this. All of this digitization will call for more and more of their expertise. As everyone digitizes everything, the world needs more servers, more storage, more memory, more connectivity, more software and more people who can make it all work.
But I can imagine a discussion among the decimated old-guard leaders of the newspaper industry: "The ever-growing and aging population will consume ever-increasing quantities of news." They were right that more and more people wanted to consume more and more news content. But they completely missed that it wouldn't be in print. It would be in a new form, one they didn't anticipate and that came on faster than they predicted. Hence they ceased to exist. Their newspaper had been virtualized.
IT professionals are right that there will be an ever-increasing demand for digital content. But they are wrong to assume that means their skills will remain relevant as that happens. In fact, I predict that many of the IT skills currently in demand will experience a similar trend as those who ran printing presses in the 80s for those same old-guard newspapers.
Why do I think this? Because the same thing that happened to newspapers is happening to IT equipment. Servers, storage and networks are all being virtualized – which is exactly what a digital version of a newspaper is. It’s a virtual newspaper. And what happens when you virtualize something? That metamorphosis results in a transformational change. Transformation is both highly creative but also very destructive. Once something is virtualized, it can be instantly transported across the globe, instantly searchable, modifiable by software so it can be customized, along with a plethora of other traits. Those traits add so much value it makes the physical rendition completely obsolete.
Virtualizing a server is essentially digitizing the server hardware. I don’t see any reason why that won’t be as transformational to the IT industry as virtualizing a newspaper was to newspapers or virtualizing photos was to Kodak.
Posted in Information Technology Tips, Managed Servers | Tagged IT industry news, mass digitization, server virtualization, virtual servers, virtualization |
By Thu Pham on January 19, 2012
Do you know what level of PCI (Payment Card Industry) compliance your company falls under? Or even what merchant type best categorizes your payment process?
Here's your guide to the four merchant levels of PCI compliance as defined by Visa (MasterCard uses very similar thresholds), along with the validation each level requires:
- Level 1 – More than 6 million Visa transactions per year, across all channels. Requires an annual on-site assessment and Report on Compliance, performed by a Qualified Security Assessor (QSA) or by an internal auditor whose report is signed off by a company officer, plus quarterly network scans by an Approved Scanning Vendor (ASV).
- Level 2 – 1 million to 6 million Visa transactions per year, across all channels. Requires an annual Self-Assessment Questionnaire (SAQ) and quarterly ASV network scans.
- Level 3 – 20,000 to 1 million Visa e-commerce transactions per year. Requires an annual SAQ and quarterly ASV network scans.
- Level 4 – Fewer than 20,000 Visa e-commerce transactions per year, and all other merchants processing up to 1 million Visa transactions per year. An annual SAQ and quarterly ASV scans (where applicable) are expected; the acquiring bank sets the validation requirements.
Two caveats: a merchant that suffers a breach can be moved to Level 1 at the card brand's discretion regardless of volume, and your acquirer has the final say on which level you fall under.
Now, how do you know which SAQ (Self-Assessment Questionnaire) to fill out? Find the merchant type that best fits your payment process (these are the SAQ types in PCI DSS version 2.0):
- A – Card-not-present merchants (e-commerce or mail/telephone order) that have outsourced all cardholder data functions and do not store, process or transmit cardholder data (CHD) electronically on their own systems. Face-to-face merchants do not qualify.
- B – Merchants that use only imprint machines or standalone dial-out terminals and do not store electronic cardholder data.
- C-VT – Merchants that key transactions one at a time into a web-based virtual terminal and do not store electronic cardholder data.
- C – Merchants whose payment application system is connected to the Internet and who do not store electronic cardholder data. A vendor-supplied payment application should be validated against PA-DSS, the PCI SSC's standard for payment software.
- D – All other merchants not covered above, and all service providers that a payment brand has defined as eligible to complete an SAQ.
Whatever the type, remember that the SAQ is a self-attestation: the controls it asks about still have to be in place and evidenced, and the ASV network scan is a separate requirement from the questionnaire.
You’ve narrowed down what level and type of merchant you are, so now what? Read up about the 12 requirements to meet PCI Compliance with What is PCI Compliance? or watch a webinar on the detailed requirements of PCI compliance.
References:
Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire
Levels of PCI Compliance
Posted in PCI/HIPAA/SAS-70 Compliance | Tagged PCI compliance, pci compliance levels, pci compliance saq, pci compliant hosting, pci dss compliant hosting, PCI hosting, pci merchants |
By Thu Pham on January 18, 2012

HIMSS
Online Tech will be exhibiting in Las Vegas at the 2012 Annual HIMSS Conference & Exhibition, Feb. 20-24 at the Venetian Sands Expo Center.
Drawing in more than 30,000 attendees, HIMSS 12 is one of the largest healthcare IT and management systems conferences in the world, bringing healthcare industry professionals and exhibitors together from around the nation.
Online Tech will be exhibiting its audited HIPAA compliant hosting solutions for healthcare and related organizations at Booth #13528, including:
Please stop by and contact us if you’re also planning to be at the show!
A full list of exhibitors providing healthcare IT products and services can be found through the HIMSS Online Buyers Guide.

Farzad Mostashari, MD, ScM Speaking at HIMSS 11
Featured keynote speakers include:
- Biz Stone - the Co-founder of Twitter will speak on how social media can influence the changing healthcare landscape.
- Farzad Mostashari, MD, ScM – the National Coordinator for Health Information Technology will share top level insight about the latest on healthcare reform.
- Donna Brazile - Renowned Political Strategist and Commentator, Vice Chair of Voter Registration and Participation, Democratic National Committee
- Dana Perino - Political Commentator and Former White House Press Secretary
- Dan Buettner - Founder of Blue Zones and World-Renowned Explorer
HIMSS 12 will also feature more than 400 educational sessions, networking events, pre-conference workshops, knowledge center sessions and symposia on the following topics:
- ICD-10: Is Your Organization Ready?
- Accountable Care Organizations (ACOs): Health IT – Connecting Systems, Connecting People, Changing Care
- Achieving Meaningful Use: Achieving and Sustaining the Meaningful Use of Health IT – The Go Forward Plan
- Clinical Engineering and IT Leadership: Critical Ingredients for Medical Device Connectivity
- Health Information Exchange (HIE): The Year of Implementation, Collaboration & Beyond
- Nursing Informatics: Nursing Informatics Leadership – Delivering Value with HIT
- Physicians’ IT: The Health IT Balancing Act: Managing the CMIO Workload
- Performance Measurement and CDS Symposium: Meaningful Use Improves Quality Care
- RFID & RTLS in Healthcare: Business and Technical Essentials for Improving Patient Care and Safety
- Secondary Use of Data Symposium: Create Value from the Data
For more information about the event, visit www.himssconference.org.
About HIMSS
HIMSS is a cause-based, not-for-profit organization exclusively focused on providing global leadership for the optimal use of information technology (IT) and management systems for the betterment of healthcare. Founded 50 years ago, HIMSS and its related organizations are headquartered in Chicago with additional offices in the United States, Europe and Asia. HIMSS represents more than 38,000 individual members, of which more than two thirds work in healthcare provider, governmental and not-for-profit organizations.
To learn more about HIMSS, please visit www.himss.org.
Posted in Online Tech News, PCI/HIPAA/SAS-70 Compliance | Tagged health IT conference, HIMSS 12, HIMSS 2012, HIPAA audit, HIPAA compliant hosting, HIPAA hosting |
By Thu Pham on January 17, 2012
Stratfor, the latest target of hackers, lost credit cardholder data in December 2011; the data was released to the public later that month. It belonged to thousands of customers, including politicians, military officers, government officials and business executives.
Stratfor is a private international affairs research firm that reportedly stored card data in its database without encrypting it, allowing the attackers to read and publish customer credit card numbers. As a result of lax online security, the firm's website was taken down and it lost a month's worth of subscriptions, forcing the company to draw on its savings to survive.
The PCI DSS (Payment Card Industry Data Security Standard) is maintained by the PCI Security Standards Council, founded by the major card brands Visa, American Express, Discover, MasterCard and JCB International, and applies to every company that accepts, stores, processes or transmits cardholder data.
The 12 requirements are grouped under six control objectives. The second objective, Protect Cardholder Data, contains Requirement 3, protect stored cardholder data (the control Stratfor evidently lacked), and Requirement 4, which states:
Encrypt transmission of cardholder data across open, public networks.

PCI Requirements
The detailed sub-requirements call for strong cryptography and security protocols (such as SSL/TLS or IPsec) to protect cardholder data in transit, and for industry best practices for authentication and encryption on any wireless network that transmits cardholder data or is connected to the cardholder data environment. When you outsource hosting, your PCI compliant hosting provider should be able to show evidence that the network is segmented and that transmissions of cardholder data are encrypted.
Requirement 4.2 also strictly forbids sending unprotected PANs (Primary Account Numbers) over end-user messaging technologies such as email, instant messaging and chat.
Stratfor’s subsequent steps will be to limit the scope of compliance by outsourcing credit card processing to a vendor. They are also revamping their website, email and internal systems with the help of an Internet security firm.
Zappos, the online shoe and apparel retailer owned by Amazon, recently suffered a data breach that may affect more than 24 million customers. An internal email to employees reports that a hacker gained access to the internal network through one of the company’s servers located in Kentucky.
Although they report that no credit card or payment information was accessed, they are urging customers to change passwords on their online accounts. Names, contact information, password hashes and the last four digits of their credit card numbers were accessed. The company has not released any other details about the incident due to the ongoing investigation.
Need more information about PCI compliance? Watch our pre-recorded PCI webinar series hosted by Online Tech and led by expert Adam Goslin, co-founder of High Bit Security.
References:
Payment Card Industry (PCI) Data Security Standard: Requirements and Security Assessment Procedures Version 2.0
Stratfor Relaunches Web Site in Wake of Attack
Zappos Latest Company Hit by Data Breach
Zappos Hacked; Notifying 24+ Million Zappos.com and 6pm.com Customers of Breach and to Reset Passwords
Posted in PCI/HIPAA/SAS-70 Compliance | Tagged 2012 data breaches, hosting ecommerce, PCI compliance, pci compliant host, pci compliant hosting, PCI DSS compliance, PCI hosting |
By Thu Pham on January 16, 2012
Converging technology and processes to streamline IT service and asset management helps IT better meet business objectives. It also frees in-house IT teams to spend more time on projects that drive industry-specific, targeted business growth.
A recent survey conducted by IDG Research Services found that more than half of IT executives have only limited process automation, meaning they still rely on several manual processes to manage their IT assets.
The report also acknowledges that companies with higher levels of process automation and data/process integration are more likely to rate their processes as better when it comes to efficiency, cost-effectiveness and freeing up their IT team’s time.
The survey also reports that companies typically have three or four different installed solutions for monitoring and managing their IT assets and services, with minimal integration and some reported gaps. More than half are working with multiple IT vendors although they report they would prefer not to – it can be difficult to monitor, integrate and manage all of their needed solutions.
Online Tech’s managed hosting solutions offer comprehensive IT disaster recovery, offsite backup, remote server monitoring and more for colocation, managed dedicated servers and cloud hosting services.

OTPortal: Client Hosting Portal
Our OTPortal is an easy-to-use, secure client hosting portal designed as an all-inclusive dashboard detailing everything you need to know about your server, from bandwidth to firewall rules.
The portal allows for optimal process, service and asset integration to cut down on the time it takes to manage your IT services, streamlining your business operations and giving you more time to focus on your own company.
The IT convergence report also details some trends that will demand more of IT teams and require more integration. A few notable trends include:
- Remote access – Evolving working habits and schedules means critical applications and data need to be accessible and available nearly 24×7. A fully redundant data center built for high availability is ideal since it provides automatic failover and protected power to keep servers up and running.
- Full compliance – Industry and government regulations such as PCI DSS and HIPAA demand that IT services meet pre-defined standards for the security and privacy of sensitive data. Noncompliance can result in major fines, legal liability and damage to your business.
- Mobile support – With the use of personal devices in a work setting come the security concerns around transmitting or storing sensitive data. The issue of integrating and managing mobile applications and data is now a necessity.
- Cloud computing – Complex IT infrastructures require a computing solution that can support many applications and easily scale up or down as needed. Compliance concerns may be eased with private clouds, while managed clouds take the burden off of internal IT staff and allow them to focus on other projects.
References:
The Convergence of IT Operations Management
Posted in Cloud Computing, PCI/HIPAA/SAS-70 Compliance | Tagged cloud compliance, Cloud Computing, cloud hosting, colocation, it disaster recovery, managed cloud computing, managed cloud hosting, managed dedicated servers, managed hosting, offsite backup, private cloud computing, private cloud hosting, remote server monitoring |