Data Security

Data Security – Finding Affordable, Easy to Use HIPAA Compliant Software



As the United States joins other industrialized countries with the advance of the Electronic Health Record (EHR), many small hospitals and clinics are getting lost in the technological shuffle. Hiring and training IT staff and adding computer resources to implement EHR encryption software can cost hundreds of thousands of dollars.

This leaves many physicians scratching their heads at how to afford to keep up with the requirements of the HITECH Act of 2009. Thankfully, there are options that can be customized to fit the needs of small community clinics or solo physician practices.

In the past, traditional software packages were sold on a per license basis and installed either on a remote server or local standalone computer. This setup required the organization to have a fully-trained set of IT staff on-hand to support and maintain the hardware and software. Unfortunately, hardware can be out-of-date almost as soon as it is purchased.

Software and anti-virus protection are constantly evolving. All aspects of maintaining a computer system in a large metropolitan or small rural company involve updates, changes and fixes on a regular basis. As expected, high costs are often encountered when dealing with complex encryption software.

HIPAA requires security and encryption for four types of private and protected health information: “data in use”, “data in motion”, “data at rest”, and “data disposed”. Traditional paper charts rely on mail and fax machines to transmit information across the country and around the world.

These types of “data in motion” have a relatively low risk and rate of breach. Electronic charts have the potential to move important information about a patient around the world in mere seconds. However, unsecured internet connections can easily be tapped and the valuable personal patient information used toward malicious ends.

Manage-Trak now offers a customizable, on-demand, secure messaging application that will help your hospital or clinic comply with HITECH “data in motion” standards while protecting your patients’ privacy. Bring your practice up-to-date with new technology and bring your patients a better level of service. Allow us to show you how to send protected health information to a third party without worry of unauthorized access.

Manage-Trak’s Encrypt-A-Note is available to organizations for a low monthly fee. Forget about hiring and training an IT team to install a complex appliance- or server-based software package. “Cloud computing,” as offered by Manage-Trak, allows hospitals and clinics to reduce the total cost of ownership by offloading technical support and maintenance to a third party.

Proper Data Security And Storage Methods



The PCI DSS (Payment Card Industry Data Security Standard) requires that any merchant who accepts, processes, stores, or transmits sensitive credit card information must do everything possible to protect and guard that data. Proper data security and storage, however, can be a difficult thing to do in-house.

Data security and storage comprise a major portion of the PCI DSS and are also a necessary part of maintaining trust with your customers. In an age where personal information is a valuable commodity, customers need to know that their transactions are secure and that guarding their personal data is a priority for you.

The third requirement of the PCI DSS states simply: “Protect stored cardholder data.” This may be a simple thing to say, but that doesn’t necessarily make it an easy thing to implement, nor does it downplay the importance. There are quite a few individual security controls that are required before you can say that you have created the proper data security and storage environment.

The first step is encryption. If you must store sensitive information on your own system, you must encrypt it. This is a basic step because if a criminal intruder should happen to bypass all the other security measures that are in place, all they will find on your system are strings of seemingly random gibberish that are useless without the encryption key.

The next step is to limit the amount of cardholder data on your system. This means keeping only the data that is absolutely necessary for legal, business, or regulatory purposes. When you don’t need it anymore, get rid of it. The less you have that is worth stealing, the less of a target you become. There are also a few things you’re not allowed to store at all. These include the full contents of any track from the magnetic stripe (which carries data such as the card verification code and PIN verification value), the three- or four-digit card validation codes, and personal identification numbers (PINs).

Of course, even if you’ve taken the steps to electronically protect data by encrypting it, there’s still the possibility that someone inside the company could steal or misuse the encryption keys. For that reason, the third requirement of the PCI DSS also mandates protecting those keys against misuse and disclosure.

Access to these keys must be restricted to the fewest number of people possible. These keys must also be stored in as few places as possible. Backups are, of course, necessary, but if you end up backing them up in too many places, you’re likely to forget where they all are, or accidentally place one where someone with criminal intentions can get hold of it.

Requirement numbers seven, eight, and nine also deal with limiting physical access to cardholder data. These mandate that you restrict access to this data to business need-to-know, and that you assign a unique ID to each person with computer access. These are measures that help ensure that you can trace the source of a problem, should a breach occur.
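The Requirement 3 controls walked through above (encrypt or render the PAN unreadable, keep nothing you do not need, never store track data, validation codes or PINs, and guard the key), as an added example that is not from this article and not any vendor's product code: a small Python storage filter run before a cardholder record is written. The field names, the 180-day retention window and the sample key are assumptions for illustration.

```python
import hmac
import hashlib
from datetime import date, timedelta

# Sensitive authentication data that must never be stored after authorization
# (full track contents, card validation codes, PINs / PIN blocks). Field names
# are an assumption for this example.
FORBIDDEN_FIELDS = {"track1", "track2", "cvv", "cvv2", "cid", "pin", "pin_block"}

# Illustrative retention window (assumption): how long a business reason, such
# as chargeback handling, justifies keeping the record at all.
RETENTION_DAYS = 180


def mask_pan(pan: str) -> str:
    """Keep at most the first six and last four digits; hide the rest."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def pan_token(pan: str, key: bytes) -> str:
    """Keyed one-way index so records can be matched without the PAN itself.
    An unkeyed hash would be brute-forceable (the PAN space is small enough to
    enumerate), so the key must be restricted like any encryption key."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def prepare_record(raw: dict, key: bytes, today: date) -> dict:
    """Return only the fields permitted to reach storage, or refuse outright."""
    forbidden = FORBIDDEN_FIELDS & set(raw)
    if forbidden:
        raise ValueError(f"refusing to store sensitive authentication data: {sorted(forbidden)}")
    pan = raw["pan"].replace(" ", "")
    if not (pan.isdigit() and 13 <= len(pan) <= 19):
        raise ValueError("malformed PAN")
    return {
        "pan_masked": mask_pan(pan),
        "pan_token": pan_token(pan, key),
        "cardholder": raw.get("cardholder", ""),
        "purge_after": (today + timedelta(days=RETENTION_DAYS)).isoformat(),
    }


def purge_expired(records: list, today: date) -> list:
    """Retention control: drop every record whose business need has lapsed."""
    return [r for r in records if date.fromisoformat(r["purge_after"]) > today]


if __name__ == "__main__":
    # Constructed sample input; in practice the key comes from a restricted secrets store.
    key = b"demo-key-from-restricted-store"
    rec = prepare_record({"pan": "4111 1111 1111 1111", "cardholder": "A. Customer"}, key, date(2024, 1, 1))
    print(rec["pan_masked"], rec["purge_after"])
```

The full PAN never appears in the returned record: a lookup needs the key, and the record deletes itself from the store once the retention date passes.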

There is another option for proper data security and storage that simplifies all these security controls. Simply don’t store any data on your own system. Remote storage is becoming a very popular option for merchants who are worried about attacks on their system and possible security breaches.

The only way to ensure that your data security measures are effective is through constant monitoring and management. The unfortunate truth of the matter, though, is that most merchants simply don’t have the time or resources to efficiently and actively control the security on their systems.

But there are companies out there now who specialize in providing effective data security and storage. Remote storage on these systems is one of the best ways to protect sensitive data and take some major steps toward becoming PCI compliant.

Above all, remember that these steps are about more than simple compliance. As consumers grow more wary about who they give their information to, it will be more and more important to guarantee the safety of their personal data.

How Important is Data Security and PCI Compliance?



Identity is an extremely valuable commodity in this modern business world. Customers are becoming more and more aware of the need to guard their personal information and to demand a high level of data security around any electronic transactions they make. The PCI DSS was created to be a standard and a measure against which merchants can be judged and a tool to help them achieve the necessary level of security.

PCI compliance is required of any company that stores, processes, or transmits sensitive credit card data. The PCI DSS (Payment Card Industry Data Security Standard) was created by the five major credit card companies and consists of 12 requirements that merchants must conform to. These are not necessarily easy requirements to fulfill, nor are they necessarily cheap. PCI compliance can, in fact, be an impressive drain on your resources.

If, then, PCI compliance is so complex and time consuming, where is the incentive to accomplish it? Is the concept of data security on its own enough to motivate a merchant to take action?

First, let us back up and answer the original question. Exactly how important is data security and PCI compliance?

To answer this question we can look at some of the current examples of what can happen if you don’t place the proper importance on data security.

The TJX company is one of the most high-profile cases in recent history. Starting around July 2005, hackers were able to spend about 18 months exploiting various vulnerabilities in its systems to download nearly 100 million credit card numbers. But it didn’t end there. These hackers were also able to intercept information that was transmitted when a return was processed. This information is often even more sensitive than what is transmitted for a normal transaction.

What did this cost them? Between legal fees, regulatory fines, and other costs, some estimates put the monetary costs over a hundred million dollars. Other estimates put that number much, much higher.

The costs don’t end there, though. There are other, more detrimental costs that are, unfortunately, less quantifiable. These are the costs of lost reputation and increased suspicion. When word gets out about a company’s lack of security, how many customers will rethink their desire to do business with it? Herein lies the real detriment to future success.

Investigations continue, but it seems that the TJX company was not keeping up with PCI compliance measures. They were transmitting unencrypted data across wireless networks, which meant that any hacker who intercepted those transmissions could easily read that information. This is not good.

So what can most companies expect if they suffer a breach? Merchants can be fined up to 500,000 dollars per incident. If, after the breach, the merchant still does not reach PCI compliance, they may be subjected to more fines, which could include monthly fines and periodic audits as well.

Data security measures cannot be put off, and they should always have a high priority in your business. Despite the inherent costs that come with PCI compliance, it will, in the end, be worth it.

There is another option for companies who do not believe they have enough time or resources to accomplish PCI compliance in-house. Many companies have emerged that specialize in data security and PCI compliance. Outsourcing payment processing and data security and storage is becoming a popular option for many companies. By relying on a company that specializes in these areas you can reach PCI compliance more quickly, and without any major interruptions in your normal business practices.

In the end, you cannot overstate the importance of strong data security and PCI compliance. If you take care of your customers’ interests, they will take care of yours.