Aggregating the Management of Policies

Daryl Eicher, VP, Industry Solutions, Axway

Three Words to Say to C-Level Management About Complete MFT Data Security (Pt. 1)

by Shawn Ryan
VP Technology Marketing & Chief Architect

Cost, risk and brand.

In other times, the first on the list in terms of drivers is obvious: revenue. But now, three words at the top of mind are cost, risk and brand.

First, cost. Cost and benefits associated with consolidation are essential drivers to surviving and thriving. In any organization, various one-off solutions handle file transfers. Various solutions stay nailed down and in place just because they are there. They arrive when a project demands a fast solution where one does not exist. They arrive due to mergers and acquisitions. They arrive because “files” were not thought to be strategic, because “files” have not had the sizzle, and thus “files” are neither the focus of SOA projects nor the focus of technology that could bring them into a services oriented approach. But times are different, and with files representing eighty-plus percent of an organization’s data, it’s time to gain control. Various one-off solutions are costly to an organization and filled with security flaws, just as Swiss cheese is filled with holes.

By focusing managed file transfer and transmissions through a single service oriented framework, MFT consolidates the overhead of one-off services and reduces costs—a concern of all C-level management. While cost creates a convincing argument for complete MFT data security, unified governance across the different types of interaction patterns that comprise managed file transfer brings in security and controls and is simply the best way to go.

The second point: risk. More specifically: governance, risk and compliance. GRC. Cybercrime is a trillion-dollar industry. That alone should be enough to wake C-level management up and seriously consider data security. Add compliance mandates to that, breach notification laws with safe harbors for encrypted data, and now encryption mandates like HITECH and the Massachusetts state laws coming on line, and a response is not only wise, it’s mandatory. Massachusetts 201 CMR 17, like California SB1386, is a precedent-setting mandate. It states that any data containing personally identifiable information of a resident of Massachusetts must be encrypted. A challenge like this is a formidable one that your company must not take lightly.

Third, brand. It is closely paired with the topic of risk, but it deserves a front-row seat of its own in the discussion. Data is the lifeblood of your business. Anytime you have a breach, your company makes headlines for a terrible reason, thanks to the 45-plus states that have notification laws in place. What do you want to be known for? You must protect your brand.

Complete MFT data security is essential. The only answer is to look for a complete solution that can cover all interaction patterns. Sure, start where you feel the most risk, but stop to be sure you will address the risk strategically, and have a plan to cover the entire spectrum of interaction patterns. Sure, cybercrime is on the rise, but internal jobs account for eighty-plus percent of publicized breaches. Are you just going to cover B2B? Human interactions? Portal based? You must cover them all.

But which interaction patterns demand complete MFT data security?

(To be continued.)

Embedding DLP Tools in Applications Will Bring Better Results

Taher Elgamal, CSO, Axway

A “Meaningful” Act (Pt. 2)

by Ruby Raley
Director, Healthcare Solutions


The body continues to be an apt metaphor in this post.

One of the other areas I find that people have neglected in their plans is the “nervous system.” So, you’re going to put this new eMR system in, you have to have all of these data breach protections, you have to have encryption, you have to be able to notify people promptly if data is lost. You need a nervous system that knows when any blood vessel is cut, when there is a leakage of information, which would be equivalent to internal bleeding—perhaps not obvious to anyone but going on nonetheless—and a significant impact on your patient’s health, possibly even a cause of death if left untreated.

How are you going to know that there is internal bleeding of data? Are you really going to go through log files and every system you have and verify that every transmission went through? Wouldn’t you rather just have a dashboard where you could quickly see the stats, find anomalous situations, immediately be alerted if something goes astray, and take action promptly and resolve the problem before there is internal bleeding and the “patient” is in critical care? I really think that some of those additional ways of thinking about the HITECH Act are critical to the success of the providers.

It’s just too hard to try to do everything inside your eMR system. You can’t stop people from sending attachments, needing to communicate with third parties, and needing to get data in and out of your enterprise. It’s just a fact of life, so why not put a plan together for it?

People who think that they don’t need a nervous system, that all they have to do is search through log files to find out what happened, I find, have either had better luck in life than I have or aren’t IT people on the front lines, because what I’ve seen over and over again is log files get erased every time there is an upgrade.

If you had an outage on Friday, and you had a system upgrade going in on Saturday, your log files might not be where you can find them on Monday. Maybe they were saved before the upgrade went in. Maybe the tapes didn’t work right. How do you know? In order to do the diagnosis, you have to look at the sending and receiving system, line up the time, look at the messages and try to figure out whether the darn messages were delivered.
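The manual diagnosis described above (line up the sending and receiving systems by time and work out whether each message was actually delivered) can be automated as a reconciliation check. This is an added example and not code from the original post or from any Axway product; the pipe-delimited log format, file names and partner names are constructed for illustration, and the 15-minute delivery window is an assumed SLA.

```python
"""Reconcile MFT sender and receiver logs to find transfers never confirmed
delivered. Added example, not Axway code; the log format is assumed."""
from datetime import datetime, timedelta

# Constructed sample logs (assumed format: ISO timestamp|event|file|partner).
SENDER_LOG = """\
2010-03-05T17:02:11|SENT|claims_0305.edi|payer-a
2010-03-05T17:10:40|SENT|labs_0305.hl7|lab-north
2010-03-05T17:15:03|SENT|claims_0305b.edi|payer-a
2010-03-05T18:01:55|SENT|eligibility.csv|payer-b
"""
RECEIVER_LOG = """\
2010-03-05T17:02:14|RECEIVED|claims_0305.edi|payer-a
2010-03-05T17:15:09|RECEIVED|claims_0305b.edi|payer-a
2010-03-05T19:30:00|RECEIVED|eligibility.csv|payer-b
"""

def parse_log(text):
    """Return (timestamp, event, file, partner) tuples, skipping blank lines."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event, name, partner = line.split("|")
        rows.append((datetime.fromisoformat(ts), event, name, partner))
    return rows

def reconcile(sender_text, receiver_text, window=timedelta(minutes=15)):
    """Match each SENT entry to a RECEIVED entry for the same file and partner.
    Returns (delivered, undelivered, late) lists of file names; anything
    without a receipt is flagged, so an erased receiver log fails loudly."""
    received = {}
    for ts, event, name, partner in parse_log(receiver_text):
        if event == "RECEIVED":
            received.setdefault((name, partner), []).append(ts)
    delivered, undelivered, late = [], [], []
    for ts, event, name, partner in parse_log(sender_text):
        if event != "SENT":
            continue
        receipts = [r for r in received.get((name, partner), []) if r >= ts]
        if not receipts:
            undelivered.append(name)   # no receipt at all: investigate
        elif min(receipts) - ts > window:
            late.append(name)          # arrived, but outside the window
        else:
            delivered.append(name)
    return delivered, undelivered, late

if __name__ == "__main__":
    print(reconcile(SENDER_LOG, RECEIVER_LOG))
```

If the receiver log has been wiped by an upgrade, every sent file lands in the undelivered list, which is the signal to pull the evidence from elsewhere rather than assume the transfers succeeded.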

To me, thinking that log files sufficiently satisfy the data breach and HIPAA security rule—I don’t quite get that. One of the things that I recommend to providers is that they do a mock exercise. How would they find the data breach? How would they convene their SWAT team? How would they actually plan through and respond to a real-life data breach? It’s much like having a patient flatline on the ER table—mitigating action needs to be taken immediately.

What they’re going to find is that, first of all, they have to include many more departments than they might have thought. When is the last time an IT outage or a service disruption required that the compliance officer, corporate marketing and PR people got called? Did you have to call the CEO when the system last went down? Do you know the criteria that need to be satisfied before you notify people? You have to make sure that a large number of people understand what the process is, because with a data breach, the legal ramifications of not taking due diligence, of exhibiting willful neglect, or of not following your own processes are severe.

And you never had to do that before. Who cared if a file didn’t get received by the insurance company on the other end? They’d call you and you’d resend it. Before, you never called the CEO or CSO to say that a file went astray and you didn’t know it had happened. You’re going to discover department people who aren’t aware, too. You’re going to discover people in the IT organization, people who might not have been exposed to the HITECH Act before, who need training so that they understand the circumstances under which to act. If you don’t have all of this preplanned, then it’s going to be fairly random and it’s not going to come together for you. Can you prove to the HHS and the auditors that your process, as written, was followed in these events? Can you afford the excessive fines and penalties that will follow if you can’t prove that your process, as written, was followed?

A “Meaningful” Act (Pt. 1)

by Ruby Raley
Director, Healthcare Solutions

Healthcare providers implementing the HITECH Act seem to regard the implementation of eMR (electronic medical records) like a major organ transplant. All they’ve got to do, they figure, is get a new heart in the body, or a new liver, or a new lung, and get the patient set back up again, and everything is good. But what they forget is that they have to integrate that organ into the support systems of the body. Those are the vascular systems, the lymph nodes, the nervous systems and so forth. They need a specialist that has the ability to integrate that new organ, that new eMR system, into their ecosystem so that it’s much more effective.

One of the definitions of “meaningful use,” which you need to meet in order to qualify for incentives, is a capability for information exchange. I doubt that you’re going to upgrade every organ in your body or every system in your ecosystem or in your enterprise to achieve meaningful use, but I don’t doubt that you need a helping hand to integrate that new component, that new eMR, that new eHR-upgraded system. And that’s where a B2B service provider comes in, and that’s a B2B service provider’s core strength. A B2B service provider integrates, knits together and connects up components.

What I find is that people forget that there’s a lot of ad hoc file transfer that goes on today. You’ll have many partners who aren’t connected to your eMR/eHR. They could be third-party clinics and labs, external payers, external HIEs—all of these people and systems need to be connected. You have choices. You can pay your eMR/eHR vendor to connect them, or you can come up with new connective tissue, new vascular systems, to ensure that information flows, as Dr. Blumenthal says, to every corner of the body, and that it flows back in, is reoxygenated and sent back out to the body parts so that every part of the body is as healthy as possible. Again, that’s a B2B service provider’s strength. That’s what they do. Managed file transfer, email attachment management—these are core capabilities that you may have neglected to consider while you were focusing on implementing that new eMR system in your enterprise. But they’re necessary for security and for meeting meaningful use criteria.

(To be continued.)

How Does B2B Consolidation Help Your Staff Focus on Mission Critical Projects?

Ulf Persson, Director, Product and Solutions Marketing, Axway

Encryption and Electronic Health Records: A Q&A with Paul Fowler (Pt. 2)


AXWAY: Let’s talk about compliance. Some would say that if you’re compliant, you’re doing fine.

PF: Some people think compliance is setting up a few rules and some people think compliance is pretty much locked-down infrastructure. The government tells you what needs to get done to satisfy the law; they never tell you how to go about actually satisfying the law. There are people who do not believe that encrypting email is necessary, but there are also people who don’t believe that seatbelts are necessary! It doesn’t mean that it’s not common knowledge that seatbelts save lives. There are many people asking themselves, “Do I cut three employees from my staff in order to buy an encrypted email system?” And their answer is, “No, that’s not necessary.” And I tend to liken it to seatbelt laws: anybody who thinks they don’t need a seatbelt is right until they have a wreck, don’t have one on, and die. Then the realization of its importance becomes clear, but at a high cost. In the same way, there are tons of people who don’t believe that encryption is a necessary thing. They don’t believe they need their files managed in a very secure, two-factor-authentication method. Now clearly, the government, when they’re ordering nuclear weapons, uses managed file transfer, a system that will provide that encryption. But when you’re chatting on IM with your friends, you don’t have any security there at all. And you don’t worry about it because who cares what you’re saying to your friends? But if you’re in a hospital and IMing with your friends that some famous actor came in, here’s his medical record, and look what they’re treating him for—this all creates a host of issues for the hospital to worry about, issues that could expose them to massive liability. That’s big dollars. Managed file transfer, encrypted email, the encryption of IM systems—these things should become important to hospitals so that they can identify who internally is responsible for violations and educate those people constructively.

AXWAY: Protecting the company is fine, but besides privacy concerns, what else do these technologies address?

PF: As you implement managed file transfer and these kinds of encrypted email technologies, you begin to see patterns of your trading partners and exactly how they operate. You begin to establish the connections with networks and facilitate the safe spread of medical information. The more medical information gets shared, globally and collectively, the better patient outcomes are, both individually and collectively. So if every diabetic knows what works for every other diabetic, the community of diabetes patients is treated better. And if you can share one diabetic’s record with an expert, without compromising the diabetic’s identity, then that expert’s patient has an improved chance for better treatment, and everybody wins. Ultimately, that’s what it’s all about. It transcends mere compliance in some real way. The real challenge is this: How do we share medical information without compromising the privacy of an individual? The goal is not just to protect the information. The goal is to share the information with people who need it. For example, if I travel to Paris, which I do two or three times per year, and I don’t have an eHR, if I find myself in a hospital in Paris, nobody will know anything about me. How do I, as a patient, get my medical records to brand new doctors in a safe and secure way all the time?