08-10-11 | Blog Post
Hackers strike again, and hard. In March 2011, 24,000 Pentagon files were stolen in a single intrusion into a corporate contractor's computer system by a foreign intelligence service. As a result, the U.S. Department of Defense is now closing security gaps in military allies' systems to prevent future breaches by a hacker looking for a way in through the back door. The intrusion has prompted increased investment in better firewalls, but the question must be asked: who is regulating the electronic privacy practices of the government's vendors and business associates?
A recent string of attacks on the very computer security companies contracted to protect corporate and government data exemplifies their own insecurity and their inability to protect their clients. While this hacking was conducted more on principle, to expose security vulnerabilities, than to steal information for illicit use, it still reveals a pattern of critical network security weaknesses among the privately held IT contractors that serve government and corporate clients.
Electronic data regulations already exist for healthcare organizations and for all commerce merchants, including e-commerce; should they also cover confidential strategic political plans? The HIPAA Privacy and Security Rules and the HITECH Act aim to protect health records and patient data from medical identity theft, an issue that affects 1.5 million Americans, according to a study by the Ponemon Institute. However, physicians, hospitals and other covered entities are only as safe as their business associates, including hosting providers, billing and coding services and anyone else who touches patient data in some form.
E-commerce companies have also been classic targets of hackers searching for credit card information to use or sell. The major global payment brands, Visa, Discover, American Express, JCB International and MasterCard, are the founding members of the PCI DSS (Payment Card Industry Data Security Standard). The standard was developed to keep customer cardholder data secure during storage and transactions, and merchants are encouraged to follow its network security, access control and other requirements to create a safe environment for private data.
While identity theft is not the only issue IT professionals must address, security is essential when choosing a compliant hosting solution. One aspect is the firewall and the type deployed. If your company is looking for HIPAA compliant or PCI compliant hosting, a Virtual Private Firewall is the minimum recommended option because of key features, including Intrusion Detection Service (IDS) and Intrusion Prevention Service (IPS), that provide the network monitoring and auditing needed to identify security breaches. A shared firewall is included in most hosting packages, but it does not provide IDS or IPS. Managed firewall services are likewise shared rather than private to the client, which increases exposure. Some companies opt for dedicated firewall hardware, taking privacy down to the physical level of the device itself.
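The distinction drawn above, between a packet filter that merely accepts or drops traffic and an IDS that monitors and audits it, is easiest to see in code. The following is an added example, not from the original post or from any hosting provider's product: it parses a handful of constructed, iptables-style firewall log lines and flags a source address that has been blocked on many distinct ports, the kind of pattern a filter alone never reports. The log format, addresses and the five-port threshold are assumptions chosen for illustration.

```python
# Added example (not from the original post): a minimal, IDS-style check over
# firewall log lines. A plain packet filter only accepts or drops packets; the
# monitoring and auditing an IDS adds is what notices patterns across many
# events, such as one source probing many ports. Log format and thresholds
# are assumptions for illustration.
import re
from collections import defaultdict

# Constructed sample log lines in an iptables/netfilter-like format.
# Addresses are from documentation ranges; this is not real traffic.
SAMPLE_LOG = """\
Aug 10 12:00:01 fw kernel: DROP IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP DPT=22
Aug 10 12:00:02 fw kernel: DROP IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP DPT=23
Aug 10 12:00:02 fw kernel: DROP IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP DPT=80
Aug 10 12:00:03 fw kernel: DROP IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP DPT=443
Aug 10 12:00:03 fw kernel: DROP IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP DPT=3389
Aug 10 12:00:04 fw kernel: DROP IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP DPT=8080
Aug 10 12:00:05 fw kernel: ACCEPT IN=eth0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP DPT=443
Aug 10 12:00:06 fw kernel: DROP IN=eth0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP DPT=22
"""

# Fields we need from each line: the verdict, source, destination and dest port.
LINE_RE = re.compile(
    r"(?P<action>ACCEPT|DROP) .*?SRC=(?P<src>\S+) .*?DST=(?P<dst>\S+) .*?DPT=(?P<dpt>\d+)"
)


def parse_log(text):
    """Turn raw log text into a list of event dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            events.append({
                "action": m.group("action"),
                "src": m.group("src"),
                "dst": m.group("dst"),
                "dpt": int(m.group("dpt")),
            })
    return events


def find_port_scans(events, min_ports=5):
    """Return {src: sorted ports} for sources whose DROPped connections
    touched at least min_ports distinct destination ports."""
    ports_by_src = defaultdict(set)
    for e in events:
        if e["action"] == "DROP":
            ports_by_src[e["src"]].add(e["dpt"])
    return {src: sorted(ports) for src, ports in ports_by_src.items()
            if len(ports) >= min_ports}


if __name__ == "__main__":
    for src, ports in find_port_scans(parse_log(SAMPLE_LOG)).items():
        print(f"possible port scan from {src}: blocked on ports {ports}")
```

Run stand-alone, the script reports the single source that was blocked on six distinct ports and stays silent about the host with one stray drop. A real IDS does this correlation continuously and across many signatures; the point of the example is only that the correlation step is separate from, and additional to, the filtering a shared firewall provides.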
Given the recent security breaches at both the government and private contractor level, it is all the more imperative to investigate every data hosting option and every security measure your vendors provide when choosing a PCI or HIPAA compliant hosting solution, so as to avoid costly and brand-damaging intrusions by data thieves.