We’ve also been running a bi-weekly webinar series, with the next session scheduled for May 17th at 1:00 p.m. eastern. We hope you’ll join us:

Defending Data in Healthcare: Securing Private Information to Ensure Ironclad HIPAA Compliance

Register here!

There is an aggressive audit program in place to assess compliance with HIPAA this year. The Department of Health and Human Services (HHS) Office of Civil Rights (OCR) has already started a pilot program of 150 audits, and it plans to add even more.

Is your company ready for a compliance audit?

Join Ilker Taskaya, Data Security Architect, and Joe Santangelo, Senior Security Consultant, from data security solutions leader, Axis Technology, LLC, for a webinar that will cover critical steps for ensuring your business is protected, including:

•Non-compliance – potential consequences

•How to know exactly where your sensitive data is and identify where the real risks are

•Protecting data from external threats

•Securing data from improper internal access

•Protecting PHI when business associates are involved

•The impact of Bring Your Own Device (“BYOD”)

Title: Defending Data in Healthcare: Securing Private Information to Ensure Ironclad HIPAA Compliance
Date: Thursday, May 17, 2012
Time: 1:00 PM – 2:00 PM EDT

After registering you will receive a confirmation email containing information about joining the Webinar.

Next month we’re exhibiting at SIFMA, NY:

SIFMA brings together the shared interests of hundreds of securities firms, banks and asset managers. These companies are engaged in communities across the country to raise capital for businesses, promote job creation and lead economic growth.

We hope you’ll join us at one of our events- live or virtually!

Tomorrow Axis is exhibiting at TechForum’s Security Forum in NYC. Stop by our table and learn about how DMsuite can safeguard your business’ sensitive data.

The showcasing doesn’t stop there! Next month Axis will also be exhibiting at The GRC Summit in Boston, May 8 – 10, 2012.

We hope you will join us!

Secure Outsourcing Success: Best Practices for Minimizing Data Risk
Ilker Taskaya, Director of Security Strategy
Tuesday, April 17, 2012- 5:30PM-6:00PM

In addition to events, we’ve also been weighing in on some important data security topics that have been making headlines:

InformationWeek- 8 Lessons From Nortel’s 10-Year Security Breach

SC Magazine- Social security risks

Another subject that is still receiving lots of attention is e-records and HIPAA. I was recently quoted in Western Pennsylvania Hospital News for a story called, “Bullet Proofing Your Online Security:”

“Healthcare costs continue to rise and many organizations want to adopt information technology to reduce those costs and improve the service they provide,” says Mike Logan, president of Boston, MA-based Axis Technology, a provider of IT consulting and data security offerings. “In the excitement to get these savings, special consideration should go to security. Addressing online security up front will prevent costly mistakes later.”

Additionally, regulatory requirements such as the Health Insurance Portability and Accountability Act (HIPAA) of 1996 and the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 require you to consider online security as part of your risk based compliance efforts to secure electronic protected health information (ePHI).

…

Online security breaches are becoming more prevalent across the board. This has directly affected the healthcare industry because they have become direct targets. Identity thieves look for systems that are insecure or using out-of-date software and attack them. Since most healthcare organizations need to use ePHI data, Logan says they must be vigilant and build in security from the start.

When it comes to the increased practice of sharing electronic records, cybercriminals are definitely an issue, among other risks. With the data privacy compliance, state laws and federal standards craze occurring now, many believe that encryption will solve the world’s data theft problems. Logan says that in reality, encrypted information is merely a puzzle that takes a little time to decode if it falls into the wrong hands.

“Additionally, it makes sharing necessary information difficult,” Logan says.

…

The good news is that the technology exists to protect your organization from cyber attacks. Most organizations are familiar with tools that provide perimeter security such as virus scanners. It is important to realize that just buying some software does not make you safe.

“Locking the front door doesn’t help if the back door is wide open,” says Logan. “One important thing to keep in mind is that you should reduce your risk by minimizing the number of places ePHI is stored. A well thought out approach to securing ePHI is needed.”

Understanding your current state of online security is also critical. For example, who is managing your HIPAA Security compliance program; what risk based framework are you using as part of your assessment approach; how are you protecting PHI at rest and in transit on operational systems and supporting applications; and how do you maintain vigilance over monitoring who and what has access to your environment?

…

The most successful solution that many companies are starting to deploy is new technologies that render data useless if a hacker or thief manages to break through perimeter security, such as data masking which manipulates data so that it’s still useable to doctors and nurses, but unable to be tied back to the individual patient. In short, if data is stolen, masked data is useless to a thief because it is out of context with no way to utilize it outside of the environment.

“By using data masking, companies do not have to disclose if there is a breach because the private data is unable to be used by thieves, therefore eliminating the risk to the patient,” says Logan. “It’s an effective measure to protect against both cyber thieves and accidental losses caused by internal mishandling.”

So, as the title of my post says, “we’re busy!” Stay tuned for more to come…

Network World’s Carolyn Duffy rounded up the worst Internet privacy scandals of all time. While there were many memorable, painful breaches in recent years, the one we definitely feel is up there among the top “worst” was last March’s HealthNet breach:

8. Patient data exposed

In March 2011, California-based insurer HealthNet announced a privacy breach for nearly 2 million of its customers, exposing their names, addresses, Social Security numbers, health and financial data. The data were unencrypted and stored on hard drives that have gone missing from contractor IBM’s data centre. A nationwide class action suit was filed against HealthNet and IBM as a result of this incident. It was HealthNet’s second big data breach in two years, having lost the Social Security numbers of 1.5 million policyholders stored on a hard drive in 2009.

HealthNet isn’t the only healthcare provider to lose private medical data or inadvertently post it online. The US Department of Health and Human Services says personal medical data for more than 11 million people have been exposed online in the last two years.

Loss of private data is continuing to plague the healthcare industry and according to a study conducted by the Poneman Institute, breaches have risen by 32 percent.

Three leading causes of data breaches in health care are lost or stolen equipment, errors by third parties and employee mistakes. In fact, sloppy mistakes by employees have led to many data breach increases, according to 41 percent of respondents.

Data breaches have cost the health care industry an average of $6.5 billion annually since 2010. With that money, the industry would have been able to hire 81,250 nurses nationwide, the Ponemon Institute reports.

This is extremely unsettling when it’s put that way. If healthcare organizatons took a simple step, they would literally eliminate costly risks that could have life-saving results. What a waste.

According to ZDNet, here are a few highlights:

One regulation, less fragmentation
The current Data Protection Directive had to be implemented into the legal system of Europe’s 27 member states. This led to all countries having the same framework, but some legal systems having stronger and more protective rules than others. Germany’s data protection laws have the same elements as every other European country, but are far stricter than the ‘lenient’ UK’s laws, as an example.

The new Data Protection Regulation is a ‘one-size-fits-all’ legal instrument, and removes the need for member states to interpret the laws. It also makes way for better cross-border data transfers between European countries, and will save around €2.3 billion ($3.1bn) each year in ‘administrative’ costs.

The new Criminal Justice Directive will cover all matters pertaining to law enforcement, investigation, detection, or prosecution of criminal offences.

Right to be forgotten
This one is a tricky one, and details are still yet to be finalised. This ‘pet project’ of the European Justice Commissioner, Viviane Reding, will in effect allow European users to wipe their online slate clean. It will allow users to have their photos, details, and other data removed from websites, social networks, and search engines.

Users will have the right to demand that data held on them be deleted if there are “no legitimate grounds” for it to be kept. This includes if a user leaves a service or social network, like Google or Facebook, the company will have to permanently delete any data that it retains.

Search engines will also have to comply with this rule. The practicalities of search giants like Google complying, which has already warned that this may harm innovation, remains unclear.

ZDNet’s Zack Whittaker also summarized what US businesses need to know in terms of the reaching affects:

A European Commission spokesperson confirmed to ZDNet that the proposed measures are “focused on younger people”, particularly teenagers, students and young adults, in a bid to “protect the consequences of putting photos and other information on social network websites”.

It does not guarantee the right to have data held by local and European law enforcement agencies deleted, however.

But the proposed “right to be forgotten” laws have already been met with harsh criticism from the wider Web industry. It will create a right that will not only be difficult to implement, but could have a detrimental effect on the use of the Web in Europe.

Sheryl Sandberg, Facebook’s chief operating officer, gave an insight on what the wider argument could be amongst businesses and European regulators. While Web companies provide employment and spur on economic growth — such as seen with Facebook’s impact on the European economy — governments should not get in the way.

The Sony breach is a reference point for this, particularly because of the impact level it had on consumers and businesses alike:

Businesses are expected to lobby heavily for amendments that benefit them, and reduce the long-term workload that would be expected as part of the new Regulation’s finer details.
Details of data breaches — something every company will have to deal with at some point — also takes a high standing in the Regulation. Since the Sony breach, where over 70 million user accounts were hacked, Europe is responding by enforcing a “24-hour rule”.

“Companies that suffer a data leak must inform the data protection authorities and the individuals concerned, and they must do so without undue delay. As a general rule, without undue delay means for me ‘within 24 hours’,” Reding said in a speech earlier this week.

But should a company not be aware of a hack, a breach, or a data loss for 24 days, let alone 24 hours, it applies more pressure on companies to be aware of their own internal security matters and data protection policies.

Businesses will have a two or three year grace period with compliance, but nonetheless, the European data reforms are sparking a global shake-up. We’ll be watching this one closely…

According to a Wired article by Kim Zetter:

U.S. Bank seized about $10,000 from the McCombs’ account to pay $90,000 in fines that Visa and MasterCard imposed after alleging that Cisero’s had failed to secure its network and suffered a data breach that resulted in fraudulent charges on customer bank cards. U.S. Bank sued the McCombs to obtain the remaining balance on the fines, saying a contract the McCombs signed with the bank makes them liable for such fines.

But in their countersuit against U.S. Bank, the McCombs allege that the bank, and the payment card industry (PCI) in general, force merchants to sign one-sided contracts that are based on information that arbitrarily changes without notice, and that they impose random fines on merchants without providing proof of a breach or of fraudulent losses and without allowing merchants a meaningful opportunity to dispute claims before money is seized.

If this case proceeds, it could unravel the PCI structure:

Andrea Matwyshyn, a law and business ethics professor at the University of Pennsylvania’s Wharton School says the system of fining merchants could prove to be a problem for the payment card industry if the court views them as punitive in this case.

“In general, contract law does not like punitive damages being included in contracts,” she says. “If you argue that these fines are punitive and unrelated to actual losses suffered, courts could deem your contract to be overreaching and conclude that its intent is to punish rather than to compensate harm.”

Matwyshyn also says the fact that merchants are liable for a third-party agreement their banks make with Visa and MasterCard is also problematic because it disempowers merchants and prevents them from being able to “negotiate the kinds of balanced provisions we would expect to see between two parties to a contract.”

“We should see some interesting contract analysis from the court [on this],” she said.

This will be one to watch, though it’s hard to imagine the banks will let this go to court. My bet is they will probably settle. Interestingly enough, TJX made a similar argument which resulted in a TJX settling and avoiding fines in its own breach case several years ago.

The incident could be an example of hackers trying to get “inference data,” or information that can be combined with other pieces of information to “infer something useful,” Mike Logan, president of Axis Technology, told eWEEK. Since the type of sensitive information being inferred is usually protected at a higher security level, the breach attempt illustrates the importance of protecting all types of customer data, according to Logan.

Managing Sensitive and Confidential Data in Development & Test Environments

Does your organization have production data in development & test environments?

Do you worry about the privacy of your test data?

Do you share your production data with off-shore vendors?

If you answered “Yes” or “I don’t know” to any of these, you need to learn about data masking!

Date:
Wednesday, November 16, 2011

Time:
12:00 PM – 1:00 PM PST

After registering you will receive a confirmation email containing information about joining the Webinar.

Click here to register now! Space is limited…

What: Handling healthcare claims and benefits can be challenging enough. A data breach or loss of private information can literally cripple a business. Check out the pioneering data masking product, DMsuite, and learn about how it can meet all of your data security needs. Don’t count on network security or encryption alone—especially when your business is trying to keep up with ever-changing privacy regulations or working with multiple organizations and contractors.

Where: Las Vegas Convention Center

Why: The data security landscape is constantly changing with more and more threats emerging every day. The Axis team will guide you through the ins and outs of safe-guarding your sensitive data so you can go about running your business with secure confidence.

It’s been a steady event for us so far, and yesterday we announced our latest DMsuite news:

Axis Technology Announces Comprehensive Applications Support

DMsuite™ Data Masking Increases Roster of Secured Applications; Provides Dedicated Sensitive Data Protection for Insurance Industry

Boston, MA & National Workers’ Compensation and Disability Conference & Expo, Las Vegas, November 9, 2011 – Axis Technology Software, LLC, the leading provider of enterprise data masking solutions proven to save businesses hundreds of thousands in costs, today announced that DMsuite™, the industry’s premier and most effective data masking platform, provides dedicated support to applications most used by businesses including PeopleSoft, SAP, Oracle, SalesForce, and custom applications. In particular, DMsuite is a critical component in securing data used by insurance providers, especially in processing claims.

By masking data with DMsuite, insurance providers sharply reduce their risk by eliminating a number of vulnerable data sources. Additionally, DMsuite automatically identifies sensitive data across databases, copybooks, and files. DMsuite allows insurance companies to easily and safely share masked data with partners, third parties, and outside vendors.

“Doing business in the insurance field requires accessing and sharing tremendous amounts of private consumer data. There’s just no way to avoid it,” said Mike Logan, President of Axis Technology Software, LLC. “With the increasing incidents of data loss, both by theft or unintended negligence, it’s more important than ever for businesses to execute multiple data security measures. Data masking is rapidly becoming a key level of defense for at-rest data, which is a very vulnerable source of sensitive information. If that data is lost it can prove costly, both from business and legal standpoints, as evidenced by recent data losses experienced by TRICARE in which reports are saying a class action suit could cost nearly 5 billion dollars.”

To learn more about data masking with DMsuite, visit the Axis team at the National Workers’ Compensation and Disability Conference & Expo in booth #443, from November 9 to 11, 2011.

DMsuite™ secures development, quality assurance, and third-party testing environments by removing confidential data and replacing it with realistic, fictitious data. Because the masking transformation is executed in memory, production data is not accessible within DMsuite or anywhere in the target environment, making DMsuite the most secure and effective data masking offering on the market today. It maintains referential integrity across business lines and different platforms, including InterSystems Caché, Oracle, IBM DB2, SQL Server, Sybase, Teradata, Netezza, MySQL, Adabas, Informix, flat files, and mainframe. It also supports file formats that include VSAM, Excel, delimited, and XML. DMsuite can be used straight out of the box, offering self-service provisioning functionality. DMsuite is web-based and its central point of control enables easy operation, administration, logging, and auditing.

Data Breach Costs: Beware Vendor Contract Fine Print

Organizations often end up paying the consequential costs of data breaches when third-party vendor contracts aren’t scrutinized.

Whether it’s from a vendor improperly securing database information it’s hosting for a customer or a storage company that leaves backup information unlocked in a truck, data breaches caused by third parties happen all the time. If organizations are not careful in the way they construct their contracts with those vendors, the organization itself could end up being on the hook for far more of the breach liability than it expected. But if they do it right, they could use that contract as a tool to mitigate risk to their organization.

Litigation in these cases of third-party breaches is a common occurrence, frequently with the third-party organization ducking under the radar as their customer gets hammered by class action suits. For example, when a breach that exposed data for 4.9 million active and retired U.S. military personnel was caused by the theft of backup tapes from the car of an employee at Science Applications International Corp. (SAIC), working on behalf of Tricare, in September, the $4.9 billion lawsuit by affected individuals filed last week was lodged against TRICARE and the Department of Defense, not SAIC.

Similarly, Stanford Hospital had a $20 million lawsuit filed against it after an employee at its billing contractor, Multi Specialties Collection Services (MSCS) inadvertently posted patient information on a homework help site online. Stanford has been on a publicity blitz claiming its outsourcer was totally to blame for the breach.

These examples are quite common- and costly! It’s a lot easier to avoid becoming a PR nightmare…