10-12-12 | Blog Post
Not sure where I was last year, but I somehow missed the entire Michigan Cyber Initiative launched by the State of Michigan. If you did too, you can review their efforts at www.Michigan.gov/cybersecurity. After scanning the Cybersecurity Measures for Businesses section, one thing that caught my eye was the Personnel Security Controls – ‘People, People, People’ is listed as both an asset and a threat. I’m guessing the iteration of the word makes it extra important, so let’s review what this could mean.
Their three-bullet point list starts with: “People are the key ingredient to a successful organization; but people can be the weakest link for security of the environment.” It’s true. An untrained or careless staff can unknowingly be the root cause of many a data breach. A data breach is the event in which confidential data is leaked, stolen or lost.
Among the tiers of security any organization should implement, administrative security is as important as, if not more important than, the physical and technical security of your data environment. For a Michigan hosting provider, administrative security should include audits, policies, staff training and industry-specific compliance training.
If you’re a Michigan business seeking an IT vendor, it’s important to understand which audits and reports are specific to IT/managed hosting providers. Read a brief description of each audit and what it means in our Data Center Standards Cheat Sheet – From HIPAA to SOC 2.
If you’re a Michigan healthcare organization, it’s even more important to understand what HIPAA compliance (Health Insurance Portability and Accountability Act) means for your hosting solution, as there are serious legal implications on the storage and transmission of all protected health information (PHI). These legal implications can mean state and civil lawsuits, lost business, remediation costs and reputational damage, if you experience a data breach.
Likewise, if you’re a Michigan retail or e-commerce organization, it’s important to understand what PCI DSS compliance (Payment Card Industry Data Security Standards) means for your hosting solution in order to avoid the loss of credit cardholder data you may be storing or transmitting.
Back to ‘People, People, People’ – employee error is a very common cause of a data breach. The Human Factor in Data Protection, a study by the Ponemon Institute, reported that 78 percent of respondents’ organizations had experienced a data breach as a result of negligent or malicious employees or other insiders. According to the report, the top 10 employee behaviors that could lead to a vulnerability include:
Here are a few real examples:
The Ponemon Institute study lists specific security and governance procedures that organizations employ, in order of importance:
| High importance | Data protection and security measures |
|---|---|
| 80% | Manage and monitor end-user privileges and entitlements |
| 57% | Conduct criminal background checks before granting privileged access |
| 52% | Ensure security governance practices are consistently applied |
| 48% | Attract and retain high quality IT security personnel |
| 47% | Train employees about IT security policies and procedures |
| 45% | Enforce security and data protection policies |
| 36% | Obtain intelligence about probable attacks or advance threats |
| 35% | Ensure security administration is consistently managed |
| 35% | Conform with leading IT security frameworks |
| 35% | Ensure encryption keys or tokens are adequately secured |
| 31% | Ensure that third parties are properly vetted before data sharing |
| 31% | Manage and monitor end-user access to Internet apps |
| 30% | Control all live data used in systems development activities |
Read our guide, Five Questions to Ask Your HIPAA Hosting Provider for tips on how to properly vet third parties before data sharing – although written primarily for healthcare organizations, anyone concerned with security can benefit from it.
Visit the administrative security section of our website for details on the various components of a secure hosting service:
Audits and Reports
Data center and hosting providers should maintain reports on compliance (ROC) in order to clarify which requirements they cover, and which requirements your company needs to fulfill. Online Tech provides copies of our audit reports for SSAE 16, SAS 70, SOC 1, SOC 2, HIPAA and PCI compliance.
Online Tech’s documented policies and procedures reflect our protocol in the event of a data breach in order to provide your company visibility into our notification timeline. Additionally, documentation can outline other important security standards, from how data is handled after service termination to password policies.
Documented policies and procedures are only effective if employees are made aware of them and trained on them regularly. The mishandling and misuse of sensitive data can potentially lead to a data breach. Check the last dates of employee training, and inquire about hiring policies to ensure that your data is in safe hands.
Business Associate Training
As your HIPAA hosting provider, we are trained on how to specifically handle ePHI (electronic protected health information). Part of your due diligence as a covered entity includes vetting your third-party service providers and ensuring they are trained on how to prevent a data breach. Additionally, we offer to sign and provide a business associate agreement with every healthcare client.