AHPRA data breach is a healthcare community wake up call
Protecting personal identifiable information (PII) is everyone’s business.

I’ve been reading about today’s news from Australia regarding allegations of a data breach at the Australian Health Practitioner Regulation Agency (AHPRA). Guardian Australia reported that an AHPRA employee assaulted a nurse over a personal grudge, after using his credentials to access her home address and phone number last September. AHPRA functions like a watchdog group and investigates complaints against Australian healthcare practitioners.

Additionally, in 2014 another AHPRA employee used her credentials to access medical records regarding a complaint made against her as a midwife, and used the information in a court proceeding.

AHPRA Data Breach: “Classic Case of Systemic Regulatory Failure”

John Madigan, an independent senator in Australia, told the newspaper, “While AHPRA is a classic case of systemic regulatory failure, unfortunately it is not unique. In recent times there has been an explosion in regulatory agencies of this type.”

These very unfortunate breaches reveal ongoing data security issues within the healthcare industry in any country. In this case it’s more serious than stealing information: this breach led to a physical attack upon a healthcare employee. There were signs that these kinds of breaches were possible, as AHPRA noted in annual reports that resources were not sufficient for proper controls over patient data.

How Australia’s Largest Health Insurance Company Protects Data

The major gaps in data security practices in parts of the Australian healthcare system serve as a cautionary tale to any organization, in any industry, in any country. In my opinion, if you run any kind of organization – whether non-profit, government or corporate – you should be held accountable for any mishandling of sensitive personal information that leads to a data breach. It seems to me that the Australian government needs to enforce tighter regulatory compliance mandates that comprehensively cover their healthcare system, including watchdog groups like AHPRA.

Today’s news made me think of our customer Medibank, Australia’s largest provider of integrated health insurance and health solutions. Each day, Medibank employees must transfer up to 15GB of confidential healthcare files, a volume that is expanding by around 3GB per month. These files include patient policy records that must be transferred securely between Medibank’s sites and 15 external business partners.

Medibank needed to meet Australian government and Commonwealth regulations and policies, including the National Safety and Quality Health Service Standards and the Privacy Act 1988 as outlined by the Office of the Australian Information Commissioner (OAIC). The organization sought out a managed file transfer system to provide a better, more secure and regulated way to send files within the organization and beyond. They knew they needed tight security controls built-in including identity and access management, data loss protection and encryption controls to avoid a data breach. This all together would allow their IT team to manage, view, secure and control all file transfer activity through a single system.

Jason Atkinson, IT Claims & Product Team Lead for Medibank shared with us, “As a health organization handling large volumes of sensitive data, security and compliance were probably the biggest drivers behind this project. It was important to us that any solution not only had good security controls in operation but also excellent auditing capabilities.”

Medibank turned to our Australian partner DNA Connect to address their needs. The healthcare organization ultimately chose Ipswitch MOVEit managed file transfer software to radically decrease the time required to set up secure file transfers.

MOVEit passed the Medibank security team’s demanding requirements for end-to-end encryption and auditability with flying colors. After quickly deploying MOVEit, Medibank staff and business partners were able to gain full visibility, auditing and compliance with Australian laws and regulations.

I don’t see why any agency or healthcare organization couldn’t do the same thing as Medibank. Our product is not high-priced software from Big IT. It’s simple to deploy and use. Medibank’s innovative work to protect patient data is something that the entire Australian healthcare community can model for themselves to better protect personal information.


CJEU Rejects Safe Harbor Rules for User Data Transfer

If you’ve been listening, the CJEU has just rejected the Safe Harbor rules put into place 15 years ago. The implications of this ruling could leave many global companies in a tough spot, specifically companies that rely on the free transfer of data between the EU and US. Companies likely to be affected include not only US social media sites, but US cloud file share sites like Dropbox (and their customers who use those services to store EU citizens’ personal data), global retailers with buyers in the EU, and any US business that manages personal data of EU citizens.

User Privacy Impacts ‘Business As Usual’

Although the changes are not immediately in effect, the demands of user privacy will likely impact ‘business as usual’. It is an obvious backlash to NSA surveillance of citizens’ online activities without their knowledge or consent. But the cost to global businesses is that it’s going to be harder to provide services and data between the US and Europe.

“If the Safe Harbor rules in place since 2000 are done away with, each country in the European Union could potentially set its own privacy rules and regulations, creating enormous barriers to U.S. firms doing business there.” – USA Today, Europe’s top court rejects ‘Safe Harbor’ ruling

Now the scramble for CISOs in global companies is to find ways to comply with the new ruling. It goes without saying that user privacy is extremely important and should be a fundamental right, but this ruling affects more than Facebook and Google, who may have anticipated and already addressed this issue within their organizations. It most likely will change how companies need to handle data flows between the two continents. About half the world’s data is exchanged between Europe and the US, and rejecting safe harbor means drastic changes for small and medium business alike.

In talking to my colleague, Alessandro Porro, in London this morning about this news, he had the following to say:

“The strike down of the Safe Harbor agreement by the Court of Justice of the European Union (CJEU) adds a large amount of uncertainty and risk to any enterprise whose business involves data movement between the EU and US. Safe Harbor was found to not meet the requirements of the Data Protection Directive. Whilst the EU’s general approach to data protection has been agreed, the actual regulation is still in consultation and so there could be the flexibility to include clear guidance to these firms. However, it would be fair to assume that this could impact that target adoption date which is currently the end of the year. Businesses should start working immediately to audit their data sharing practices, including use of US cloud sharing services like Dropbox, so that they understand exactly where they stand and are ready to act when further guidance is issued.”

Tough for Tech But Win for User Rights

On the other side of this, advocates of user privacy as a fundamental right are cheering a huge win. Edward Snowden was quick to tweet out from his new Twitter handle about the ruling.

In either case, it will be interesting to see how the tech industry reacts to this. Companies will need to start getting a little more creative about how they share data between the US and EU.

What is your company doing to adjust to the new rules?


>> Engage with us next month during the Ipswitch Innovate 2015 User Summit, a two-day (October 21-22) online event for IT pros to learn from each other and our product experts.


Google announced in a blog post on Tuesday a vulnerability in the design of SSL version 3.0 (CVE-2014-3566), nicknamed POODLE. The SSLv3 protocol is implemented in OpenSSL and other commercial products. This vulnerability allows a network attacker to recover the plaintext of secure connections and has an overall CVSS severity rating of MEDIUM.

Ipswitch immediately assessed all of its products as soon as we became aware of the vulnerability. We’ve identified specific recommendations for MOVEit Managed File Transfer, WS_FTP Server and MessageWay and continue to evaluate remaining Ipswitch products, including WhatsUp Gold and IMail Server. While POODLE is not considered high risk to our customers, we will provide additional guidance for those products as soon as it’s available.

To protect against this attack, it is recommended that all customers disable SSLv3 for all services and clients, so that only TLS 1.0 or higher can be negotiated. Please find specific instructions for the following products in this Ipswitch Knowledgebase article:

  • MOVEit File Transfer (DMZ) Server and API Module
  • MOVEit Central
  • MOVEit Ad Hoc
  • MOVEit Mobile
  • MOVEit Xfer
  • MOVEit Freely
  • WS_FTP Server
  • WS_FTP Web Transfer Module
  • WS_FTP Professional

Following the instructions above may present compatibility problems for users on old platforms and browsers, where there is no support for TLS 1.0 or higher. While both Google and Mozilla have announced plans to remove support for SSLv3 from their browsers soon, it’s still recommended that you test these configuration changes and carefully monitor the production system after making any changes, so that you are prepared to handle any negative impact.
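The advice above is to disable SSLv3 and then test the change. As an added example (this is not Ipswitch code and is not taken from the knowledgebase article), the Python below builds a minimal SSLv3 ClientHello, parses the first record a server sends back, and reports whether the server still agreed to SSL 3.0 (still exposed to POODLE) or refused with an alert (SSLv3 is off). The two sample responses at the bottom are constructed by hand so the parsing can be exercised offline; `probe_server` sends the same ClientHello to a host you administer.

```python
"""Check whether a server still negotiates SSLv3 after the POODLE mitigation.

Added example, not Ipswitch product code. Sends a bare SSLv3 ClientHello and
classifies the reply: a ServerHello at version 3.0 means SSLv3 is still on,
an alert means the server refused it. Sample replies are constructed below.
"""
import socket
import struct

SSLV3 = (3, 0)
CONTENT_HANDSHAKE = 0x16
CONTENT_ALERT = 0x15
HANDSHAKE_SERVER_HELLO = 0x02

# A handful of cipher suites any SSLv3-capable server would recognise; the
# probe only needs the server to see something it could accept.
CIPHER_SUITES = [0x002F, 0x0035, 0x000A, 0x0005, 0x0004]


def build_client_hello(version=SSLV3) -> bytes:
    """Return one TLS record carrying a minimal ClientHello for `version`."""
    major, minor = version
    random_bytes = b"\x00" * 32  # fixed for determinism; a real client uses os.urandom(32)
    suites = b"".join(struct.pack("!H", s) for s in CIPHER_SUITES)
    body = (
        bytes([major, minor])
        + random_bytes
        + b"\x00"                                   # session id length 0
        + struct.pack("!H", len(suites)) + suites   # cipher suites
        + b"\x01\x00"                               # one compression method: null
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # type 1 = ClientHello
    record_header = bytes([CONTENT_HANDSHAKE, major, minor]) + struct.pack("!H", len(handshake))
    return record_header + handshake


def parse_server_response(data: bytes) -> dict:
    """Classify the first record a server returned to our ClientHello.

    Returns {"kind": "server_hello", "version": (maj, min)} when the server
    accepted the handshake, {"kind": "alert", "level": .., "description": ..}
    when it refused, or {"kind": "other"} for anything else or truncated data.
    """
    if len(data) < 5:
        return {"kind": "other"}
    content_type, _rec_major, _rec_minor, rec_len = struct.unpack("!BBBH", data[:5])
    payload = data[5:5 + rec_len]
    if content_type == CONTENT_ALERT and len(payload) >= 2:
        return {"kind": "alert", "level": payload[0], "description": payload[1]}
    if (content_type == CONTENT_HANDSHAKE and len(payload) >= 6
            and payload[0] == HANDSHAKE_SERVER_HELLO):
        # ServerHello body begins after the 4-byte handshake header with the chosen version
        return {"kind": "server_hello", "version": (payload[4], payload[5])}
    return {"kind": "other"}


def sslv3_accepted(response: bytes) -> bool:
    """True if the server answered with a ServerHello at SSL 3.0, i.e. still POODLE-exposed."""
    parsed = parse_server_response(response)
    return parsed["kind"] == "server_hello" and parsed["version"] == SSLV3


def probe_server(host: str, port: int = 443, timeout: float = 5.0) -> bool:
    """Send an SSLv3 ClientHello to a server you administer and report whether it accepted."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello(SSLV3))
        data = sock.recv(4096)
    return sslv3_accepted(data)


# Constructed sample replies (not captured from any real server):
# 1) a server that still accepts SSLv3: handshake record with a ServerHello choosing 3.0
SAMPLE_SERVER_HELLO_SSLV3 = (
    b"\x16\x03\x00\x00\x2a"     # record: handshake, version 3.0, length 42
    + b"\x02\x00\x00\x26"       # handshake: ServerHello, length 38
    + b"\x03\x00"               # chosen version SSL 3.0
    + b"\x00" * 32              # server random
    + b"\x00"                   # session id length 0
    + b"\x00\x2f"               # chosen cipher suite
    + b"\x00"                   # compression method null
)
# 2) a server with SSLv3 disabled: fatal (2) alert, protocol_version (70)
SAMPLE_ALERT_PROTOCOL_VERSION = b"\x15\x03\x01\x00\x02\x02\x46"

if __name__ == "__main__":
    print("sample 1 accepts SSLv3:", sslv3_accepted(SAMPLE_SERVER_HELLO_SSLV3))
    print("sample 2 accepts SSLv3:", sslv3_accepted(SAMPLE_ALERT_PROTOCOL_VERSION))
```

Run `probe_server("your.host.example", 443)` against each service after applying the knowledgebase instructions; a `False` result (an alert or a non-SSLv3 reply) confirms the change took effect, and running it before the change gives you a baseline to compare against while you monitor for client compatibility problems.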


Yesterday Dropbox posted an update at the end of their 10/13 blog that noted their servers were not hacked. Apparently the compromised credentials in question were stolen from a different source. At the end of the day, Dropbox isn’t to blame. The stolen credentials were used to access multiple services, including theirs.

So let’s leave the folks at Dropbox alone. Every organization that holds personally identifiable information (PII) is a target. And I agree with Dropbox’s advice to their users: use unique passwords across different sites, and when possible, add a layer of security to make things a lot safer.

Like everyone else, I just want to keep all my work and personal stuff online safe. So the Dropbox brouhaha got me thinking about how hard it is to remember and manage all my user account names and passwords. I’m a Mac guy and have found Apple iCloud Keychain to be helpful for managing my personal login credentials, but it has limitations.

Identity management in the enterprise world

IT pros who are responsible for security and compliance around managed file transfer and/or file sharing security should work with an identity management provider to evaluate solutions integrated with SAML 2.0. These vendors’ products can provide single sign-on (SSO), data loss prevention and two-factor authentication – any and all of which will add layers of security to protect personal and business information.

At the end of the day, security should be accessible to everyone in the borderless enterprise composed of employees, customers and partners.


As you may already know, there was a recent Security Advisory about new vulnerabilities in OpenSSL released in early June. This specific flaw requires a vulnerable OpenSSL library active on both the client and server ends of the transaction. The flaw allows an attacker positioned between the client and server to turn off encryption, silently exposing information exchanged between those two end points. Technologies that only use OpenSSL to accept web-browser (HTTPS) connections are vulnerable to this flaw only when the browser itself is using a vulnerable version of OpenSSL. Chrome for Android is the only major browser that is currently susceptible.

Security is a top priority for Ipswitch and our customers. Since this announcement, the Ipswitch Security Team has been working to determine the impact and issue patch fixes where vulnerabilities were found.

Impacted Ipswitch products include:

  • MOVEit Mobile & Cloud
  • WS_FTP Client & Server
  • MessageWay
  • IMail
  • WhatsUpGold

Through your Customer Portal you’ll be able to access instructions to properly implement the Security Update for impacted versions as available.

As with any security advisory, we understand that our customers may have additional concerns. If you should have any questions or concerns, feel free to reach out to the appropriate technical support team:

At a recent CIOboston event by CIOsynergy, I met two folks from Apprenda: Chris Gaun, Senior Product Marketing Manager, and Dave Cohn, who heads Northeast Sales for the company. Apprenda is a ‘Private Platform as a Service’ company that sponsored the event with Microsoft. Both made the remark that IT needs to transition from being a cost center to being a profit center, and do so by developing more customer-facing software for the business.

An intriguing concept and one that got the conversation flowing between the three of us and Al Ingram, Director of Operations in my IT department. And it got me thinking.  At Ipswitch, IT worked with R&D on our Licensing System within our products to communicate with an IT-created back-end for product fulfillment and activation. That project certainly would fit the bill. We also manage ecommerce. Plus, as one of the leaders in Salesforce implementation, we have developed many tools and processes that could be shared/sold in the Salesforce ecosystem.

But I think this view of IT and what is needed is too narrow. Traditional P&L models, with their roots in manufacturing, assign IT as a cost center. But the way out is to question whether the model needs to be updated, rather than insist that IT produce traditional products that can be sold to customers. There is a value-add to the business from today’s IT that goes beyond viewing it as a sequence of projects or as simply ‘support’ resources. There is sustained return for the business, beyond just the savings that IT may have delivered vs. doing a project using more expensive outside consultants.

Measuring the Impact IT has on Business ROI

Business ROI must have an associated IT fraction that indicates long term value that IT created – it is a shared benefit. I am not suggesting that modeling IT as a profit center will be easy.  Certainly, measuring just IT’s contribution to business productivity has been fraught with difficulty and controversy. But at a time when most IT departments can feel in their bones that they are making a difference to the business and every project is tagged as a business project rather than an IT project (as in the old days) we need these new models to evolve. Such measurement will lead to better valuation of IT: better funding, greater confidence by the business in IT spend, and expanded use of IT as a vital business leader.


Of course, in order to understand the challenges (and solutions) of healthcare file transfer, there are a few essential terms that you’ll need to know. Let’s take a closer look at a few in particular:

  • HIPAA – Health Insurance Portability and Accountability Act.  This act requires the Department of Health and Human Services (HHS) to adopt national standards for electronic health care transactions and national identifiers for providers, health plans and employers. Specifically, this act was put in place to improve the efficiency and effectiveness of the healthcare system. In many ways, HIPAA compliance is the number one file transfer priority for those in the healthcare space.
  • BAA – Business Associate Agreement. This document is essentially a promise that the people hired to handle the sensitive healthcare information are adhering to the same confidentiality agreement that the healthcare providers observe.
  • HIE – Health Information Exchanges. This system provides the capability to mobilize information electronically, across a designated region or healthcare information system.  The HIE is designed to provide a more timely, efficient and effective patient-care system.
  • HIO – Health Information Organization. An organization that brings together health care stakeholders within a defined geographical area. This group then exchanges health information among themselves, for the purpose of improving the health and care within that region.
  • HITECH – Health Information Technology for Economic and Clinical Health. An act that promotes the adoption and meaningful use of health information technology. In other words, facilitating healthcare providers with the technology in order to use electronic health records. This would allow physicians to provide better care to their patients because the health records would be undamaged and easily accessible.
  • PHI (ePHI) – Protected Health Information (electronic). This individually identifiable information relates to past, present and future physical or mental health conditions of an individual.
  • EMR – Electronic Medical Record. This record contains both the medical and treatment history of a patient in a given facility, for one practice. This record stays within said facility and is not easily accessed by any additional doctors who may also be treating the patient.
  • EHR – Electronic Health Record. This report focuses on the total health of an individual. It recaps a patient’s history in every facility, for every practice, that the patient has used.  Think of the EHR as combining the information from every individual EMR that the patient may have, and placing it into one, central location.
  • Managed File Transfer (MFT) – While the EHR is the central location where patient data resides, MFT systems provide a complementary central system to manage the transfer of files and data (including sensitive and confidential patient information) between the healthcare organization and its extended ecosystem of partners, suppliers and payers. This includes integrating with other systems and vendors with multiple configurations and access controls. MFT systems are a key cog in giving a healthcare organization the file transfer automation and auditing needed to support HIPAA compliance.
  • Unstructured Data – Also known as the “patient narrative,” unstructured data is text-heavy information that may be unorganized, have irregularities or be ambiguous. This type of information requires the “human touch” to read, capture and interpret properly. Most of the information needed to make a decision about a patient can be found here. This data is also difficult to standardize, difficult for a healthcare provider to gain access to, and difficult to share between dissimilar computer systems.
  • EDI – Electronic Data Interchange. This electronic communications system provides a means for exchanging data. This interchange facilitates the exchange of information from one computer to another with zero human intervention.
  • Omnibus Rule – A rule that was put in place to implement statutory amendments under the HITECH Act. Among its effects: it strengthened the privacy and security protection for individuals’ PHI, modified the HIPAA Privacy Rule to strengthen the privacy protections for genetic information, and set new limits on how information is used and disclosed for marketing and fundraising purposes. Basically, the Omnibus Rule holds all custodians of PHI to the same security and privacy rules as covered entities under HIPAA.

The list goes on. If you’re looking for a way to simplify the file transfer process within your organization, be sure to check out some of our healthcare case studies or this resource page. If there are any other terms that you would like to be explained, please be sure to leave them in the comments section below.

How It’s Made is a popular TV show here in the States, where the viewer gets a behind-the-scenes look at how the products they use on an everyday basis are created. Sometimes it’s an episode on yellow mustard, other times it’s toothpicks and sporks, but almost every time it’s a mainstream consumer product.

Since the show’s creators are not going to air an episode on how MOVEit is made (we tried, no luck), I thought I would do the next best thing: Give you a quick look into how our file transfer products are created – and it starts and ends with the Agile methodology Scrum.

For those unfamiliar with the approach, Scrum is commonly defined as “a software development framework based on iterative development and incremental delivery, where requirements and solutions evolve through close collaboration on self-organizing, cross-functional teams.”

In other words, Scrum is a process that adapts to change – changes in scope, in requirements, in deadlines. Hence the name, Scrum (adapted from the sport of rugby, where teams operate in very close contact).

Those of us here at Ipswitch are strong proponents of Scrum. It provides transparency around the day-to-day activities. It accelerates the development process but not at the expense of quality. It helps us move quickly. But there is another reason why we’re such big fans of Scrum, and it’s not a reason you hear very often…

For us, this approach facilitates an egalitarian approach to software development. So often within software companies, the path of product development is done through a top-down approach, where orders are given by senior members and executed by junior members. Not so at Ipswitch. Rather, our Scrum adoption gives everyone – regardless of title or experience level – an equal say as to how the product is to evolve. Everyone has a voice, in other words (though there are occasional overriding votes as you might expect).

Great ideas can come from everywhere, something every Scrum team can attest. By eliminating the usual hierarchy and command and control culture, we’re able to receive new ideas and insights from our entire team, from the CTO to the QA engineer and everyone in between.

The result? Industry-leading file transfer products from Ipswitch. Scrum has played a part in the production of every product – from WS_FTP Server to MOVEit. Moreover, it has played a part in each new version, as well as in products that have yet to be released!

The purpose of this post was two-fold. On the one hand, we wanted to explain why we’re such strong proponents of Scrum, which hopefully we’ve done. The second purpose was to attract like-minded developers and QA engineers. So if you’re interested in this egalitarian approach to software development – if you want to contribute more to a project than just your coding and testing skills – then we’d love to hear from you. Take a look at our current list of career opportunities.

I recently attended CIOboston, a CIOsynergy event headlined as “A New Dimension to Problem Solving Within the Office of the CIO”. We talked about paradigm shifts propelled by technologies like the cloud, the necessary new engagement models for business and IT and the changing world of expectations, to name a few topics. But before getting to all this, our moderator Ty Harmon of 2THEEDGE posed a simple question to the attending 50 or so CIOs and senior IT heads: “What are your challenges?”

Here are the answers that I have assembled. I think there is value in seeing what was/is top of mind for IT leaders in raw form:

  • How do we make the right choices between capital and expense? Service offerings are growing and additive – the spend never ends.
  • How do we integrate multiple cloud vendors to provide business value?
  • User expectations are being set by the likes of Google and Amazon for great UX, 7X24 support, etc. – but it is my IT staff that is expected to deliver all that on our budget. The business does not want to see the price tag – but they want the same experience that is available at home from these giants.
  • IT needs to run like a business but this takes a lot of doing. It matters how we talk and collaborate. We have to deliver business results that must be measurable.
  • Adoption of the cloud is a challenge. How do we assess what is out there? It is not easy to do apples-to-apples comparisons and security is a big concern.
  • How do we go from private to public cloud? Current skill sets are limited.
  • We are constrained by vendors that are not keeping up with the new technologies! One piece of critical software may want an earlier version of Internet Explorer to run; another may use an obsolete version of SQL Server, etc. This clutter prevents IT departments from moving forward.
  • Business complexity is a challenge. IT is asked to automate – but we must push back to first simplify business processes.
  • “Shadow IT” is an issue. A part of the business goes for a “shiny object” rather than focusing on what is the problem that really needs to be solved. They do so without involving IT. Then IT is expected to step in and make it all work, integrate with other software and support it.
  • Proving ROI is a challenge.
  • Balancing performance, scalability and security is tough.
  • How do you choose old vs. new, flexibility vs. security? It isn’t easy.
  • How do we support more and more devices?
  • How do you fill security holes that are in the cloud?
  • How do you manage user expectations, find the balance for supporting them when you have limited resources.

Many heads nodded as these challenges were spoken of.  But all agreed that these are exciting times and IT will push forward through them and be recognized as the true business enabler that it is. What are your thoughts—were you nodding your head at these questions?

In part one, we heard from Stewart Bond of Info-Tech Research Group on his predictions for the Managed File Transfer (MFT) market. Next up we have Terri McClure, Senior Analyst at ESG (@esganalysttmac), and her thoughts on the IT trends for 2014.

Changing Role of IT: Over the last year there has been a notable increase in the number of end users and LOB managers choosing their own work platforms, resulting from increased consumerization and BYOD trends. In addition, cloud-based solutions like online file sharing applications make it incredibly easy for employees to purchase and deploy themselves with just a few clicks over the internet. As a result, IT is no longer a command and control role, and many IT professionals are struggling with how to deal with these changes in order to keep control over and secure company data. Some have tried to block unauthorized “rogue” application usage, only to find employees traveling to their local Starbucks, or using personal hotspots to bypass company VPN or networks. Now, more and more IT departments are embracing the change and proactively playing a more advisory role to help employees be productive while simultaneously steering them toward a solution that will meet corporate needs around privacy and security.

Increase in Enterprise File Sharing: Corporate file sharing application usage is expanding throughout organizations and crossing organizational boundaries. In 2012 ESG research indicated that the majority of online file sharing and collaboration application usage was limited to departments or groups, but over the last year we’ve seen more and more organizations using sync and share applications to collaborate not only across departments, but with external users like contractors, partners, and clients as well. To ease IT concerns around sharing corporate data, many vendors have responded by adding granular permission controls and including simple data loss prevention and digital rights management functionality.

Security: Security is still top of mind, but flexibility and the ability to integrate with existing IT systems/tools is increasingly important to IT. Security features like end-to-end encryption, antivirus, and remote wipe are still among the most requested sync and share features, but as solutions mature a certain level of security is becoming table stakes for enterprise IT. Customers are increasingly interested in the ability to integrate solutions with their existing storage through hybrid or private cloud online file sharing deployments, and want increased flexibility with other existing tools (content management, backup, data analytics, mobile application management, etc.).

There is certainly not a lack of perspectives on the IT trends in the year ahead but I’m interested in what the readers think! Leave your thoughts below and feel free to keep this discussion going on Twitter with me @Cheri29.

During the past year, we shared news of our expanded partner program and new partner web portal, reinforcing our commitment to the channel.

Today, we’re very excited to share news that our suite of MOVEit solutions will now be made available for sale through North American distributor Tech Data.

“Adding MOVEit to their portfolio ensures that our partners will have a strategic offering to meet the evolving needs of their customers,” said Gary Shottes, president, Ipswitch File Transfer.

“Businesses of all sizes are looking to VARs to support their security and compliance needs, and Tech Data and Ipswitch are working together to ensure that VARs have access to the support they need to add the MOVEit solutions to their offerings,” said Stacy Nethercoat, vice president at Tech Data.

Our channel partners will continue to be a critical component of the Ipswitch File Transfer worldwide sales team, providing customers with advisory and consultative solutions.  Please do visit our partner webpage to find a local Distributor or Reseller.

Let’s do a news recap of yesterday. Some tax legislation was passed, lame-duck Congress, celebrity mishaps, missteps and gossip as usual. Oh, and there was also notification of a few data breaches; most notably McDonalds, University of Wisconsin and the Gawker website (the folks that bought a prototype of the iPhone 4 after it was lost by an Apple engineer). Unlike the “it’s been two weeks and it’s still in the news” WikiLeaks data breach, expect McDonalds, UW and Gawker to melt into the ether of public consciousness along with the Jersey Shore, AOL and two-dollar-a-gallon gas prices.

Lately, we are seeing more companies and institutions admitting to data breaches. Passwords get hacked and ATM cards, identities and cell phones are stolen all the time. Expect to hear about more breaches as companies move ahead of legislation that forces them to admit security breaches, and expect the media to pick up on the stories and run wild with them. What this forces the public to do is look closer at the type of data breach, the type of data that was stolen and what the company or institution did to cause the breach.

For example:

  • the McDonalds breach was about third-party contractors and not enough governance around customer e-mail
  • the UW breach was about unauthorized access to databases over a two-year period… again not enough governance around data storage and access
  • the Gawker breach was about outdated encryption mechanisms and a rogue organization purposely trying to embarrass that community.

Of these three things, the Gawker breach is most troubling because of the organized and intentional motivations of a rogue organization. This is why the FBI is involved. For the past year I’ve been telling you to classify your data, assign risk to your data and mitigate that risk appropriately. Old news.

The new news is this: even something like a breach involving low risk information can actually damage your brand. And damage to the brand can be costly to repair. So when classifying risk be sure to consider not just the loss of the data but the nature of the media hell-bent on reporting any and all data breaches.

This just in… I’m getting that watch I always wanted for Christmas because I compromised that space in the attic where we hide all the gifts. Happy holidays!