Chris Nguyen


Stories By Chris Nguyen

  • Are All Your Cloud Service Providers HIPAA Compliant?

    The Health Insurance Portability and Accountability Act of 1996 (HIPAA) established standards to ensure the security of electronic health care records and transactions. For most organizations, navigating the complex requirements of this and other privacy acts remains a daunting challenge, especially as the cloud becomes the home for ever-more data. While HIPAA was designed primarily to standardize the use of electronic health care information, Congress also realized that technology advances could affect the privacy of health information. Rules were created to regulate the types and uses of personally identifiable health information, and the act also identified required disclosures to customers about the use of their data. The rules apply to "covered entities," which are defined to be health plans, health care clearinghouses, and health care providers who electronically transmit any health information. However, the list of those who have to comply with the rules also includes those with whom the covered entity does business to carry out its services.

    Compliance Applies to Related Companies, Too

    Therein lies the problem. If you are required to be "HIPAA compliant," everyone with whom you do business who handles your data must be as well. Your organization must have procedures to determine whether the services you use also have HIPAA compliance practices. As more businesses deal with many providers of all kinds of services in the cloud, keeping your business insulated from data breaches, HIPAA audits, and noncompliance fines becomes a major issue. And all parties have yet to realize just how HIPAA requirements will affect the development of new technologies, which will, in turn, affect medical practices.

    Protection If You Use Distributed Cloud Services

    Organizations in the healthcare space are under tight regulations to adhere to privacy and HIPAA laws, as the implications of being non-compliant are severe. If you use distributed cloud services, how can you be sure that they are HIPAA compliant? Technology news provider eWeek provided some helpful ideas:

      • Your cloud provider must be able to give you a Business Associate Agreement (BAA) that clarifies its HIPAA compliance and makes it subject to the same accountability that you are.
      • Since there are no official government-sponsored HIPAA certifications, the only way you can be sure of a cloud provider's compliance is an audit from an independent organization.
      • Make sure your cloud service provider gives you guaranteed response times in the event of a security incident. Otherwise, you might be in violation of HIPAA guidelines.
      • Your cloud provider should encrypt your data everywhere in the system, not just while it is in transit as the HIPAA rule states. Make sure it uses at least the Advanced Encryption Standard with 256-bit keys (AES-256), which is the level enforced by federal agencies.
      • Your cloud provider should have the expertise to secure databases of all kinds, including those that span inter-cloud networks with older applications. "Born in the cloud" providers may not have this level of expertise.
      • HIPAA does not define what it means by "regular" audits, so make sure your agreement with your cloud provider specifies the type and frequency of reviews, audits, and reporting.
      • HIPAA has administrative requirements as well. New employees must be trained, and policies must be reviewed among staff regularly. You should review the administrative policies of your cloud provider.
      • Make sure that adequate security practices are in place at the actual data center that houses the cloud provider.
      • Your cloud provider should be able to give you the results of its compliance with the standards set by the Department of Commerce (National Institute of Standards and Technology). These standards are the minimum requirements for the federal government.
      • HIPAA requires a disaster recovery plan. Make sure that your cloud provider has a plan for protecting information in all manner of disaster and emergency.

    A secure, integrated platform provides many benefits, especially when it comes to HIPAA compliance. If you must distribute your data functions across multiple cloud services, your complexity increases and you have to work harder to ensure compliance. The key is to associate yourself with providers who protect your data as if it were their own.

    By Chris Nguyen
  • Managed Services and Safeguarding Financial Data

    It's widely known that cyber-criminals see financial services firms as prime targets in cyberspace simply because, as Willie Sutton put it, "that's where the money is." In 2010, a private investment firm called MF Global lost billions of investor dollars overnight in a mishap that led to a congressional investigation and left everyone wondering where the money went and what happened. Data breaches like this can be disastrous to organizations, personal fortunes, and the privacy of clients' personal information. Safeguarding financial data is not an easy task under any circumstance. So, the big question is: how does an organization ensure its data isn't inadvertently or maliciously passed from one organization to another, or doesn't simply vanish, without burdening the IT department?

    To get to the solution, we must first understand the history. The financial failures resulting from the Great Depression created a tough time for financial institutions, and in 1933 Congress passed the Glass-Steagall Act barring banks from conglomerating with other financial institutions, so that one company couldn't act as a combination of an insurance company, investment bank and commercial bank. But more than half a century later, as the Internet-led digital rush of the '90s pushed firms and organizations to transition their records into digital formats, the U.S. Government passed the Financial Services Modernization Act of 1999, more commonly referred to as the Gramm-Leach-Bliley Act (GLBA), lifting some of the restrictions set in 1933 to let financial firms team up with compliant organizations to offer a wider range of financial services under one corporate umbrella while ensuring the safe transmission of customer data across offerings.

    GLBA conveniently breaks down responsibility for data integrity and security into three general definitions. The Financial Privacy Rule and the Pretexting Protection provisions require policies for employee handling of customer data, focused on protecting against and preventing access not authorized by the customer. The Safeguards Rule requires that risk assessments be performed on the technology that collects, stores and processes customer information, and that these safeguards be updated and maintained in an effective state. These provisions map implementation to current best practices that are designed to remain effective even as threats continue to evolve over time.

    While important, these obligations for digital and Internet infrastructure quickly become daunting for organizations of any size, not to mention those needing to coordinate workflow, data processing and customer interactions. Many on-premises IT departments have found themselves challenged to keep up with the demands of new security trials. To solve this, many have decided to move some portion of their IT burden to cloud-hosting experts that offer this type of compliance. By leveraging managed services that offer GLBA compliance, IT departments in financial services firms can pass the GLBA burden onto managed services experts. These compliant services provide those protections for cloud-hosting support and relieve a firm's IT department from having to divert resources to hiring and/or training personnel to assume a burden they may never be able to keep up with.

    It's important for financial firms to confidently find their footing in this seemingly ever-new and challenging digital realm. By partnering with GLBA-compliant managed services companies, they not only ensure protection and privacy for customers, but also implement a more economical option for their company. It's a win-win.

    By Chris Nguyen
  • Why Companies Should View Cloud Services as a Utility

    In the past seven years we've seen a seismic shift in the way organizations have structured IT needs to leverage cloud technology. It's enabled faster deployment, more efficient maintenance through automation, and the ability to quickly navigate the changing security landscape with near-constant updates. But even with the clear benefits of cloud services, many organizations continue to feel plagued by nagging concerns around the reliability, security and privacy of their data.

    The U.S. Federal Government is well aware of the benefits and risks of the cloud, as more and more government services become reliant on the cloud to maximize efficiency and streamline processes. To better safeguard against security and privacy risks, the government took a page out of the types of standards it creates for public utilities or new technologies, and developed specific standards to ensure its cloud-services providers meet the highest level of security without compromising service.

    Approaching cloud-service standards like a utility is based on past success. Take the railroad industry, for example. After the Civil War, railroads saw an increase in both traffic and job-related fatalities of railroad workers, forcing the government to enact a set of safety standards for all railroad companies in an effort to protect the workers. In another example, electricity needed government standards for many reasons beyond corruption and its designation as an "essential service," and the standards helped protect the public interest, reduce duplication of resources, and increase the grid's reliability. The utility model overall improved reliability, safety and performance, leading to wider acceptance, usage, economies of scale and savings. Stringent standards, like those imposed by the U.S. government, herald the arrival of more secure and reliable cloud services and help address the security concerns of organizations considering the cloud.

    In 2011 the government assigned its scientists and technologists at the National Institute of Standards and Technology (NIST) to develop criteria to ensure its cloud-services providers meet the highest standards of security and reliability and adequately safeguard the government's departmental and agency data, while maintaining authorized accessibility and high availability in the cloud. The resulting Federal Risk and Authorization Management Program (FedRAMP) standard mandates compliance with 328 requirements and involves an intensive auditing process that can easily take years to complete. While the high standards and rigors of such a process result in a rather short list of authorized providers, having recourse to a vetted provider results in immense savings of time, duplication of effort and taxpayer dollars, and in peace of mind. FedRAMP certification is also a big win for cloud-service providers, because approval from one agency means approval for all agencies on the federal level, opening the door for standardization on their platform.

    The FedRAMP standard also has implications for other sectors of the economy. For example, the broad and overarching authority of FedRAMP certification extends even over the already established digital security measures in place in the financial services industry (GLBA) and the healthcare industry (HIPAA), which can now be viewed as, for all intents and purposes, subsets of the security controls implemented by FedRAMP. Now, businesses and organizations in sectors other than government can leverage technology with the highest standards to host and manage their digital experiences.

    The age of secure and reliable cloud services has begun, so, just as the government did with FedRAMP and many other utilities in the past, organizations should evaluate and develop their own set of standards for their cloud-services providers in an effort to ensure the highest level of reliability, security and privacy for their companies and customers.

    By Chris Nguyen
  • Behind the IoT: Success Hinges on Reliability, Scalability and Security

    On April Fool's Day of this year I fell victim to a common household oversight. Planning to do some laundry, I quickly discovered we were out of detergent. Coincidentally, the day prior, Amazon had introduced its DASH button, which lets you replenish household consumables with the push of a button. The rather curious-looking push-button device quickly sparked speculation as to whether Amazon was playing an April Fool's Eve joke on the public, or maybe even having a laugh at the fear, uncertainty and doubt of its rivals. Contemplating sorted piles of clothes that would remain on the laundry room floor until we could get to the store, I was led to some considerations in a marketing vein.

    The fate of Amazon's DASH button, and its success or failure as an Internet of Things (IoT) device that creates consumer touchpoints and harvests conversion opportunities, is yet to be decided. But Amazon's first foray into innovation in this area highlights both the irresistible draw of the opportunities that are attracting marketers and the uncertainty of what forms the marketing spaces and interfaces might take in the coming IoT of smart devices and smart environments. According to Gartner, by 2020 more than 7 billion people and businesses, and close to 35 billion devices, will be connected to the Internet (Gartner, Seize the Moment: Driving Digital Business Into 2015, Jorge Lopez, October 2, 2014). Whether it's Amazon with DASH or any other connected device, marketing success via the IoT depends on what happens after the DASH button or any other IoT user interface is activated. The promise of the IoT means nothing if it's not reliable, scalable and secure. Therefore the very first key to unlocking success is to secure confidence in your working infrastructure and its management.

    In other words, as marketers experiment with smart devices and the smart environments of the IoT, the user-input end of the system is still only the doorway to a larger and much more complicated infrastructure where all the data transfer and information processing is done. While value is key, such as the DASH button's convenience, even the most well-designed, user-friendly, intuitive and convenient front end will be for naught if the back end of the system is not reliable, scalable and secure. An awkward or less-than-stylish front-end user interface can still work if the back end can deliver. But without a dependable back-end system and management, even the most user-friendly front end can result in a poor holistic customer experience. Performance is the measure of success in all things, and in the online world, whether cable, fiber optic or wireless, stationary or mobile, cloud-hosted or managed on-premises, performance relies on the quality and ability of back-end infrastructure and its management.

    Reordering household consumables is one thing. But beyond the DASH button and its pre-agreed, pre-configured order amounts and single-item selection lies a far larger IoT of more involved data exchange and complex interactions than push-button orders. Consider, for example, exercise and home health aids relaying vital signs and other health metrics back and forth to remote data centers for processing. The importance of reliable infrastructure support and management of the back end is beyond debate. Your customers' touchpoints in the IoT, whatever forms they'll take, need to be supported by a reliable, scalable and secure infrastructure that, as a marketer, you'll most likely choose not to manage yourself but rather to hand off to experts, most notably a managed services provider. Remember, the 'coolness' of the device, the immersive experience through your smart home, smart car or phone, is only 50 percent of the journey. If an order is lost or it takes longer than expected to exchange information, you run the risk of ruining the customer experience early on.

    Today, due to the data processing demands of their interactive nature, even the most well-designed campaigns risk imploding if not supported by a robust and expertly managed back end. Tomorrow, whatever forms the marketing spaces and consumer touchpoints take in the IoT, the demands on data processing and capacity will make a robust, scalable and expertly managed infrastructure even more critical to your campaign's success.

    By Chris Nguyen