Group items tagged

best practices are being swept under the rug. Only 31 percent of respondents archived according to HIPPA recommendations

Another third stored archives in a single data center and only slightly more (36 percent) stored archives in datacenters located less than 100 miles apart.

Hosted solutions offer an attractive alternative to the healthcare industry. Such solutions ease the burden on in-house IT, which is typically characterized by few people, limited dollars and huge workloads.

Network & Systems delivering the cloud service How does the authentication to access the network devices and operating system implemented? Does it use any two factor authentication? About the availability of the network and security infrastructure? does it implement load balancing or high availability solutions for the critical infrastructure components like firewalls, IPS, reverse proxies etc… Is the underlying cloud systems are secured? Do they have a baseline configuration implemented? How does the configuration managed? Does the cloud computing provider got a plan and/or policy to perform configuration management, patch management, anti-malware etc. Does the network undergoes periodic penetration testing? Does it undergo internal vulnerability assessment periodically? How is it ensuring that a compromised client with privileged access to the operating system is separated internally? Does it undergo periodic audits against standards like ISO27001, SAS70 etc? How is the customer data separated from one another? What are the security controls implemented to ensure this separation? What are the protection and response controls against the Denial of Service attacks?

Cloud Applications & Data Protection What are the security controls in the application development process? Does it include security code reviews of the code being developed or used? Is there a documented change and configuration management process? How does the application servers patched and what frequency? What are the mechanisms for managing the access control? How is the database protected from unauthorized access? How are they identifying the access reset requests are from the actual user. How do they create and delete/disable user accounts? what are the procedures for these activities. IS the data encrypted? If encrypted, how is the encryption keys are protected? What is key management process being followed? How is the data loss prevention ensured? Details of the DLP controls implemented? Is there a backup mechanism established? How is the data protected in the backups? Does the cloud service provider meets the regulatory requirements? For example, if the service is a ecommerce service then the cloud service could become part of the card holder environment and thus the PCI DSS regulation as there are potential card data being processed. Similarly, if the health information is processed, it can be HIPAA and similar other regulations. Is the cloud computing service provider meets the compliance requirements? Where is your data being hosted? Is it within your country or its jurisdiction? Is your organization comfortable with the legal system in the country where your data resides? How about cloud computing service provider who has a network of data centres across the globe and your data is scattered across these data centres? Can it limit the countries where the data is stored?

What are the conditions / scenarios where the data is revealed without the consent / approval of the organization? Does the application provide enough audit trials to review the incidents? Does it corporate with local legal system? Often the local law authorities require access to the processing computers, how is it support those requests?

“The Commission urges Congress to act quickly to pass legislation that will resolve any questions as to which entities are covered by the Rule and obviate the need for further enforcement delays.  If Congress passes legislation limiting the scope of the Red Flags Rule with an effective date earlier than December 31, 2010, the Commission will begin enforcement as of that effective date.”

The issue regarding the delays in FTC enforcement relates to “scope of entities covered by the Rule,” as indicated in the FTC news release.  Congress is taking action[2]:

“House lawmakers in October [2009] passed H.R. 3763[3], which would exclude from the Red Flags guidelines meaning of ‘creditor’ any healthcare, accounting, or legal practice with 20 or fewer employees, as well as any other business which the FTC determines knows all its customers or clients individually; only performs services in or around the residences of its customers; or hasn’t experienced incidents of ID theft, and identity theft is rare for businesses of that type.  An identical bill, S.3416 was introduced in the Senate on May 25 [2010].” A lawsuit was filed in federal court on May 21, 2010, to accomplish a similar objective of narrowing scope of entities covered by the Rule. 

The regulations, which went into force in March, are intended to protect a consumer’s personal information from identity theft and other privacy breaches and to spell out steps that businesses must take to ensure data is secured. Some large companies — particularly those in the finance and health care industries that are already subject to data security laws like the Health Insurance Portability and Accountability Act (HIPAA) — had privacy measures in place, which helped get them ready for Massachusetts’ regulations. However, for many smaller and midsize companies that have not been subject to data security laws before, complying with the rules is a longer and often more painful process.

some businesses that are complying with privacy regulations for the first time and have limited in-house technology expertise “are running around with their hair on fire, trying to figure out what to do first,”

“We’ve seen a substantial uptick in activity in clients seeking guidance in how to comply,” said Carlos Perez-Albuerne, a partner at Choate Hall & Stewart LLP. “There’s a whole swath of businesses that never had to deal with anything like this before.”

The Microsoft Business Productivity Online Suite (BPOS) has recently earned the Statement on Auditing Standard (SAS) No. 70 Type II, Federal Information Processing Standard (FIPS) 140-2 compliance, and the International Organization for Standardization’s (ISO) 27001 standard – among others.  In addition, Microsoft has launched a new dedicated government cloud as part of the Business Productivity Online Suite to meet the most rigorous government requirements for security and privacy, including complying with the International Traffic in Arms Regulations (ITAR). Learn how these and other certifications help ensure our customers security, privacy, and business continuity. 

They will be more strict because there are no clear policies for it,"

The rules will come with time, but they don't exist yet, so businesses need to be careful what data they submit to clouds and be sure data subject to compliance standards such as HIPAA, PCI and Sarbanes-Oxley can be provably handled within those standards.

"Auditors want to see the guts of the cloud," Richter says, and that is something many cloud providers don't allow. Many keep their physical architectures, policies, security, virtual LAN structure and other essential factors secret. "If they can't see how data flows, how VLANs are segmented, see how your data is partitioned from others', they won't OK it."

The PCI Security Standards Council created the criteria, but the five leading credit card companies each maintain their own compliance and enforcement programs

In many cases, banks or merchant service providers are now sending letters to organizations that have smaller payment card transaction levels and asking them to prove they are compliant by completing a self-assessment questionnaire,