Home » Blog

Blog

The latest announcements, insights and commentary from Linoma Software

Who is Protecting Your Health Care Records?

How important is a patient's privacy? If your organization is a health care facility, the instinctive answer that comes to mind is "Very important!" After all, a patient's privacy is the basis upon which the doctor/patient relationship is based. Right?

But the real answer, when it comes to patient data, may surprise you. According to a study released by the Ponemon Institute, "patient data is being unknowingly exposed until the patients themselves detect the breach."

The independent study, entitled "Benchmark Study on Patient Privacy and Data Security" published in November of 2010examined the privacy and data protection policies of 65 health care organizations, in accordance with the mandated Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009. HITECH requires health care providers to provide stronger safeguards for patient data and to notify patients when their information has been breached.

Patient Data Protection Not a Priority?

According to the study, seventy percent of hospitals say that protecting patient data is not a top priority. Most at risk is billing information and medical records which are not being protected. More significantly, there is little or no oversight of the data itself, as patients are the first to detect breaches and end up notifying the health care facility themselves.

The study reports that most health care organizations do not have the staff or the technology to adequately protect their patients' information. The majority (67 percent) say that they have fewer than two staff members dedicated to data protection management.

And perhaps because of this lack of resources, sixty percent of organizations in the study had more than two data breaches in the past two years, at a cost of almost $2M per organization. The estimated cost per year to our health care systems is over $6B.

This begs the question: Why?

HITECH Rules Fail to Ensure Protection

HITECH encourages health care organizations to move to Electronic Health Records (EHR) systems to help better secure patient data. And, indeed, the majority of those organizations in the studies (89 percent) said they have either fully implemented or planned soon to fully implement EHR. Yet the HITECH regulations to date do not seem to have diminished security breaches at all, and the Ponemon Institute's study provides a sobering evaluation:

Despite the intent of these rules (HITECH), the majority (71 percent) of respondents do not believe these new federal regulations have significantly changed the management practices of patient records.

Unintentional Actions - The Primary Cause of Breaches

According to the report, the primary causes of data loss or theft were unintentional employee action (52 percent), lost or stolen computing device (41 percent) and third-party mistakes (34 percent).

Indeed, it would seem that - with the use of EHR systems - technologies should be deployed to assist in these unintentional breaches. And while 85 percent believe they do comply with the loose legal privacy requirements of HIPAA, only 10 percent are confident that they are able to protect patient information when used by outsourcers and cloud computing providers. More significantly, only 23 percent of respondents believed they were capable of curtailing physical access to data storage devices and severs.

The study lists 20 commonly used technology methodologies encouraged by HITECH and deployed by these institutions, including firewalls, intrusion prevention systems, monitoring systems, and encryption. The confidence these institutions feel in these technologies are also listed. Firewalls are the top choice for both data breach prevention and compliance with HIPAA. Also popular for accomplishing both are access governance systems and privileged user management. Respondents favor anti-virus and anti-malware for data breach prevention and for compliance with HIPAA they favor encryption for data at rest.

The Value of Encryption

The study points to the value of encryption technologies - for both compliance purposes and for the prevention of unintended disclosure - and this value is perceived as particularly high by those who participated in the study: 72 percent see it as a necessary technology for compliance, even though only 60 percent are currently deploying it for data breach prevention. These identified needs for encryption falls just behind the use of firewalls (78 percent), and the requirements of access governance (73 percent).

Encryption for data-at-rest is one of the key technologies that HITECH specifically identifies: An encrypted file can not be accidentally examined without the appropriate credentials. In addition, some encryption packages, such as Linoma's Crypto Complete, monitor and record when and by whom data has been examined. These safeguards permit IT security to audit the use of data to ensure that - should a intrusion breach occur - the scope and seriousness of the breach can be assessed quickly and confidently.

So how important is a patient's privacy? We believe it's vitally important. And this report from the Ponemon Institute should make good reading to help your organization come to terms with the growing epidemic of security breaches.

Read how Bristol Hospital utilizes GoAnywhere to secure sensitive data.

Message Queues and Network Shares Added to Managed File Transfer Solution

The new 3.5 release of GoAnywhere Director is now available with more features to help organizations automate, secure and manage file transfers.

In this new release, GoAnywhere Director provides simpler access to files and folders on Network Shares. It can also connect to enterprise Message Queues (e.g. WebSphere MQ) for better integration with customer applications. The new version also includes "File Monitors" which can be used to easily scan for new, modified and/or deleted files in targeted folders. Additionally, this release includes the ability to auto-resume file transfers if FTP and secure FTP connections are broken.

In addition, better High Availability (HA) capabilities allow GoAnywhere Director to store configurations in customer database systems including SQL Server, MySQL and DB2 for IBM I (iSeries). This allows customers to manage and replicate this data using in-house database and HA tools.

I'll say it again, that of all the tools I have purchased over 28 years in I.T. GoAnywhere Director is my favorite! ~ Don McIntyre, Kansas City, Missouri School District

Read the press release > >

Dealing with the HITECH Requirements of HIPAA

Last November, six hospitals and one nursing home were fined in California for data security breaches related to patient healthcare records. The total fines were $792,500 by the California Attorney General. The cause? The facilities failed to prevent unauthorized access to confidential patient medical information.

While these breaches made headline news in California, they were but the tip of the iceberg of the total healthcare record breaches in 2010. According to the Privacy Rights Clearinghouse, there were 592 reported healthcare data security breaches last year, which potentially exposed more than 11.5 million records. This was double the breaches of healthcare facilities in 2009, opening severe liabilities to the organizations that housed those patient records.

So what now? If your organization can be fined for failing to prevent unauthorized access, how can you safeguard your company's healthcare records?

HITECH - What is it?

Subtitle D of the Health Information Technology for Economic and Clinical Health Act (HITECH Act), enacted as part of the American Recovery and Reinvestment Act of 2009, extended the complete Privacy and Security Provisions of HIPAA to business associates of covered entities. This includes the extension of newly updated civil and criminal penalties to business associates. On November 30, 2009, the regulations associated with the new enhancements to HIPAA enforcement took effect.

What's it mean? If your company merely does business with an organization that is involved with healthcare records, HITECH says that you are liable for any security breaches on your watch that reveal patient vital healthcare information. This could include things like names, addresses, social security and Medicare/Medicaid numbers, or any info that could lead to misuse of healthcare information.

So how can your company protect itself from this liability?

The Department of Health and Human Services (DHHS) interim Security Rule says that "a covered entity must consider implementing encryption as a method for safeguarding electronic protected health information." The DHHS rule does permit something called "comparable methods" in lieu of encryption, but it does not specify what those methods might be.

Encryption vs. Comparable Methods: The Vague Alternatives

To determine if your company can provide security through some so-called "comparable method" it's important to look at the types of breaches that occurred in the past. The Privacy Rights Clearinghouse provides a good free search service to investigate at http://www.privacyrights.org.

By looking through the types of breaches that occurred in 2010, (stolen laptops, doctors emailing records to their home computers, lost or missing flash drives, unauthorized browsing by employees), the first question that you should be asking is "Can our organization really secure all those potential mechanisms for data theft without relying upon encryption?" It's a difficult task, and the resources that your organization will expend (hardware solutions, policy solutions, etc.) can be significant.

Still, the monetary fines for failing to provide adequate protection are severe, and your management may decide that a thorough review of your security will be required.

By comparison, implementing encryption technology like Crypto Complete - is undoubtedly a faster and more cost-effective means. Crypto Complete encrypts sensitive data at the source using integrated key management, complete with auditing, field encryption and backup encryption, without interrupting the normal IT workflow. Data encryption permits the source of information itself to be put under a lock and key, and once encrypted, that data is protected from both unlawful use and the HITECH liability rule.

Now is the Time

Finally, consider the downside of ignoring the HITECH rules? Take a look at one attorney's perspective "Responding to an Electronic Medical Records Security Breach: What Every Health Care Provider Needs to Know" to get a handle on the steps for determining the scope of the law. You'll be surprised at how comprehensive the requirements have become, and why your management should be concerned.

Encrypting your data is the most recognized, safest and least expensive means of protecting your organization from liability from unauthorized access. If you've been to putting off addressing the potential pitfall of unauthorized access to your data, now is the time to investigate.

FTP "Lack of Security" Exposed

Apollo Project CSM Simulator Computers and ConsolesFTP was designed as an easy mechanism for exchanging files between computers at a time when networks were new and information security was an immature science. In the 1970s, if you wanted to secure a server from unwanted access, you simply locked the computer room door. User access to data was controlled by the basic User ID and password scenario. (Right is a reminder of how much technology has advanced since the 1970s. The photograph, taken December 11, 1975, is the Apollo Project CSM Simulator Computers and Consoles. Photo Courtesy of NASA.)

The Internet did not yet exist and the personal computer revolution was still a decade away.

Today, the security of business file transfers is of paramount importance. The exchange of business records between computing systems, between enterprises, and even across international borders has become critical to the global economy.

Yet, the original native FTP facility of TCP/IP wasn't designed for the requirements of the modern, globally connected enterprise. FTP's basic security mechanisms - the User ID and password -- have long ago been outdated by advances in network sleuthing technologies, hackers, malware, and the proliferation of millions of network-attached users.

Risks associated with using native (standard) FTP include:

  • Native FTP does not encrypt data.
  • A user's name and password are transferred in clear text when logging on and can therefore be easily recognized.
  • The use of FTP scripts or batch files leaves User IDs and passwords in the open, where they can easily be hacked.
  • FTP alone, does not meet compliance regulations. (For example: HIPAA, SOX, State Privacy Laws, etc.)
  • When using an FTP connection, the transferred data could "stray" to a remote computer and not arrive at their intended destination leaving your data exposed for third parties or hackers to intercept.
  • Conventional FTP does not natively maintain a record of file transfers.
The first step is to examine how FTP is being used in your organization. The next step is to identify how your organization needs to manage and secure everyone's file transfers. The final step is to evaluate what type of Managed File Transfer Product your company needs.

For more information download our White Paper - Beyond FTP: Securing and Managing File Transfers.

Compliance and Regulations for Sensitive Data Transfers

Secured ComputerHighly sensitive data is frequently exchanged between organizations. For instance, a business will routinely transmit financial information to their bank including payroll direct deposits and ACH payments. These transactions most likely contain sensitive elements like bank account numbers, routing numbers, social security numbers and payment information.

Industry-specific transactions may also contain highly sensitive data. For example, in the health care business, patient records are regularly exchanged between hospitals, doctors and payment providers. In the insurance business, policy information is often transmitted between carriers. This information may contain names, addresses, birth dates, social security numbers and other private information.

Loss of sensitive data can result in great financial expense, lawsuits and public embarrassment for the affected organization. Therefore it is no surprise that industries are setting new regulations and standards to address the security of their data. For instance:

  • PCI DSS requires that credit card numbers are encrypted while "at rest" and "in motion". Failure to do so can result in severe fines and potential loss of your merchant account.
  • HIPAA requires that healthcare records are secured to protect the privacy of patients.
  • State privacy laws require that customers are notified if their personal information may have been lost or stolen. Some states will also assess large fines against organizations if this data is not protected properly.

Organizations should consider compliance requirements and regulations when looking for a Managed File Transfer solution. An effective solution should have a number of encryption methods available to protect sensitive data including SSL, SSH, AES and Open PGP encryption. Audit trails should also be in place to track file transfer activity so you can easily determine what files are being sent, what time they are sent, who the sender and receiver is, and so on. If you are looking for a comprehensive solution be sure to check out our GoAnywhere Managed File Transfer Suite.

Related Blog: PCI DSS v2.0

Was FTP Behind the Wikileaks Breach?

November and December were difficult months for IT security.

Wikileaks began on Sunday November 28th publishing 251,287 leaked United States embassy cables, the largest set of confidential documents ever to be released into the public domain. How do security officials believe these documents were originally retrieved by the alleged source, Pfc. Bradley Manning? Many security professionals are wondering if FTP was the software mechanism used.

Also in the news was the security breach at the popular publication Gawker.com. Over the weekend of December 11, Gawker discovered that 1.2 million accounts were compromised, the infrastructure breached, and access to MySQL databases raided. Gawker internal FTP credentials were listed as a part of the breach.

Gawker's problems prompted Social Networking giant LinkedIn to reset the passwords of all users that had Gawker.com accounts, for fear of contamination by hackers who had gained Gawker profile information.

Smaller national headlines of other breaches included the theft of an undisclosed number of email addresses, birth-dates, and other information by a contractor working for McDonalds.

Also, it was reported that a mailing list was pilfered from the drugstore giant Walgreens. In addition, a leak of law enforcement data was reported by a Mesa County, Colorado.

Finally, a popular Open Source FTP server software application, ProFTPD version 1.3.3c, was distributed containing a malicious backdoor that permits hackers to access FTP credentials. It is thought the attackers took advantage of an un-patched security flaw in the FTP daemon to gain access to the server and exchange distribution files.

What do these various breaches have in common? The threats may be too diverse to slip into a single category, but the likely culprit is the use of powerful native FTP, without proper, secure management. Once a doorway is left open, native unmanaged FTP access can wreak havoc in any organization.

It doesn't have to be this way. Using a managed secure file server like Linoma Software's GoAnywhere Services - which has granular permissions and security controls, along with detailed audit logs and alerts - IT can monitor and better secure and control its data resources.

Regardless of how your organization or your trusted business partners are configured to exchange data, isn't it time to consider a better way to manage your company's file transfer security?

Related Blog Post: Are You Confident Your FTP Credentials are Secure?

Linoma Renews IBM Advanced Business Partner Level

IBM Advanced Business PartnerAchieving and maintaining the IBM Advanced Business Partner level is completely based on product quality and customer satisfaction. IBM assigns their partner levels for ISV's (independent software vendors), like Linoma Software, on customer feedback.

Linoma Software actively produces five products that run natively on the IBM i (iSeries).

What is the benefit of Advanced Partnership? Quite simply, Advanced Partners have direct access to resources within IBM. Linoma Software has a direct connection to IBM support, labs and knowledge-base. The Advanced Partnership also provides Linoma Software the ability to test against upcoming software, like the recent i7.1 operating system for IBM i and p systems, before it is released to the public.

Linoma Software is a long-time IBM Advanced Business Partner and is well known for its dedication to high quality software, user-friendly applications, and outstanding technical support. With over 3000 satisfied business customers ranging from small business to Fortune 100, government entities and not-for-profit organizations - Linoma Software provides the same level of expertise to all.

"We work with thirty-plus vendors for all our 'Power System' related software, and no one has better technical support staff than Linoma Software. When I call other vendors, I anticipate multiple levels of call routing, and if I'm lucky the person may be able to research a solution. With Linoma's support team, it's always been the first person, and they've handled the issue with the feel of a practiced hand who recognized my problem and had a solution ready immediately."

Shaun Skelton - Berry Plastics

Are You Confident Your FTP Credentials Are Secure?

Nesting Dolls to Wormholes

Do You Know Where Your FTP Credentials Are?

FTP Security WormholeA security researcher named Chris Larson happened onto a curious website last September that had been serving some malicious-looking exe files. While poking around, he wrote in his blog, "I came across an 'unlocked door' on the malicious Web site and took a look inside." Treading like an adventurer in Alice's Wonderland, Larson discovered that this little doorway opened into a world of potential hurt for companies around the world.

There was a strange, oddly-sized GIF file that, with further poking, revealed a hidden payload. The GIF, when poked, revealed four text files. Little by little, their contents spilled out, until, finally it revealed a dark criminal archive. The files contained the login credentials of more than 100,000 FTP sites.

It was an unbelievable discovery, like a Russian nesting doll, that - when unpacked - opened a veritable wormhole to FTP sites around the world: Domain names, User IDs, and Passwords.

Nearly two thousand of these FTP credentials were the domain credentials from one particular site that claimed to Web-host nearly two hundred thousand separate FTP sites. Another file contained a hundred thousand credentials from a variety of unrelated individual sites. Using this archive of FTP credentials, the thief (or thieves) could penetrate, inspect, and selectively harvest the information contained within stored files that users had transferred between their workstations and their corporate computers.

How this archive was assembled and hidden demonstrates how the network of thieves profits and expands. Larson noticed a duplication of a small percentage of the FTP credentials. This seems to indicate that the archive was probably robotically created by a virus or Trojan.

Larson had discovered an actual retail operation that gathers FTP credentials, and then sells those credentials - like a retail mailing list -- throughout the underworld to anyone who can pay the price. The archive, in its hidden GIF packaging, appears to be the actual product. Such an archive would be valuable to identity thieves with its hidden payload. In this state, it was ready to be transmitted to other thieves, running beneath the radar of security network packet sniffers.

This begs the question: "Do you know where your company's FTP credentials are stored?" If your company is using a managed file transfer (MFT) suite like Linoma's GoAnywhere, you already know the answer.

The best MFT suites manage the access to FTP, centralize the file transfer process, and secure the credentials that are communicated between hosts. By using a MFT suite, IT can institute rules by which file transfer credentials are organized, encrypt the transfers themselves, and log every transfer activity. User credentials to other servers are also centralized and secured, and the connection rules that your business partners use can be managed to ensure that user ids and passwords regularly updated.

Chris Larsen uncovered a secret world in which the doors to our systems - and our business partner's systems - are sold as simple commodities, available to anyone who can pay the price. It's like a toyshop where your company's FTP credentials are displayed like exotic dolls, nested within a GIF wrapping: a GIF that promises to keep on giving.

Isn't it time to do something about it?

Transferring Large Files over the Internet? A Few Managed File Transfer Recommendations

Internet File TransfersRecent posts on this blog have outlined reasons to consider installing a file transfer system that will help streamline productivity and secure the transfer of sensitive documents. We understand that selecting a product can be time consuming. To help you make the most educated decision here are a few more helpful suggestions to consider when selecting a managed file transfer solution.

  • Easy to learn and easy to use - The managed file transfer (MFT) system you choose should have an intuitive interface that can be learned quickly. No programming skills should be required. If it isn't easy to use, end-users and non-IT personnel will shy away from using it.
  • Audit trails - The secure file transfer solution should produce comprehensive audit trails of all file transfer activity and support SYSLOG feeds to a central logging server.
  • Produces alerts - An automated file transfer solution should be able to send you email alerts or texts instantly when problems occur.
  • Password security - The managed file service you choose should not show password values on any screens or logs. Encrypts all passwords that are stored.
  • Remote access - The file transfer product allows for remote administration and monitoring of file transfers, preferably through the browser.
  • Web site transfers - The file transfer solution needs the ability to support HTTP and HTTPS protocols for transferring data.
A managed file transfer solution can not only save your department time, but it can also save you money. A comprehensive solution will enable you to complete menial tasks and allow your department to concentrate on the larger picture.

Did I mention we have a managed file transfer product…GoAnywhere? GoAnywhere allows organizations to secure and automate the exchange of data with their trading partners, customers, employees and internal systems. Still not sure what you are looking for? We offer a free product trial and we would be happy to schedule a demo to go over how GoAnywhere can help your company.

Related Blog Post: Top 10 Managed File Transfer Considerations

Top 10 Managed File Transfer Considerations

Before looking for a managed file transfer solution, it is important to determine how data is currently being transferred from your organization. You should find out what users and applications are performing the data transfers, where the source of the data resides, how sensitive the data is, how the data is formatted for the partners and what pGoAnywhere Managed File Transferrotocols are used to transmit the information. If the files are encrypted or compressed before transmission, find out what tools and standards are being utilized.

After you've done your in-house analysis, then start a search for a secure file transfer solution that best fits your needs. Listed below are the Top 10 managed file transfer considerations.

1. Platform Openness - To reduce the points of connection to sensitive data and reduce the risk of exposure to those without a need-to-know the MFT solution should be installed on the server operating system where the sensitive data and applications reside. If your corporate data mostly resides on the IBM i, then it would make sense to get a MFT solution that runs on the IBM i.

2. Authorization Controls - To meet many compliance regulations, the MFT solution must provide role based access to limit user access to certain servers or MFT functions based on user credentials.

3. Secure FTP - Plain FTP is not secure. The MFT solution must support both SFTP (FTP over SSH) and FTPS (FTP over SSL) protocols for secure FTP transfers.

4. Encryption Standards - At minimum, the solution should support the industry standard encryption standards: AES, Open PGP, AS2, SSH, SSL, TLS and S/MIME.

5. Database Integration - The MFT should readily connect to DB2, SQL Server, Oracle, MySQL and other popular database servers for extracting and inserting data.

6. Data Transformation - Is the ability to translate data between popular data formats including XML, CSV, Excel and fixed-width text formats.

7. Data Compression - Compresses and packages data using popular standards such as ZIP, GZIP and TAR to reduce transmission times.

8. Application Integration - The MFT should provide commands and APIs for interfacing with your applications.

9. Scheduling - Allows transfers and other MFT functions to be scheduled for future dates and times.

10. Key Management - Does the MFT include management tools for creating, importing and exporting keys and certificates?

Related Blog Post: What Qualifies a Product as a Managed File Transfer Solution?