healthcare backup

Healthcare backup vs record retention

Healthcare overspends on long term backup retention

There is a dramatic range of perspective on how long hospitals should keep their backups: some keep theirs for 30 days while others keep their backups forever. Many assume the long retention is due to regulatory requirements, but that is not actually the case. Retention times longer than needed have significant cost implications and lead to capital spending 50-70% higher than necessary. At a time when hospitals are concerned with optimization and cost reduction across the board, this is a topic that merits further exploration and inspection.

Based on research to date and a review of all relevant regulations, we find:

  • There is no additional value in backups older than 90 days.
  • Significant savings can be achieved through reduced backup retention of 60-90 days.
  • Longer backup retention times impose unnecessary capital costs by as much as 70% and hinder migration to more cost-effective architectures.
  • Email retention can be greatly shortened to reduce liability and cost through set policy.

Let’s explore these points in more details.

What are the relevant regulations?

HIPAA mandates that Covered Entities and Business Associates have backup and recovery procedures for Patient Health Information (PHI) to avoid loss of data. Nothing regarding duration is specified (CFR 164.306CFR 164.308). State regulations govern how long PHI must be retained, usually ranging from six to 25 years, sometimes longer.

The retention regulations refer to the PHI records themselves, not the backups thereof. This is an important distinction and a source of confusion and debate. In the absence of deeper understanding, hospitals often opt for long term backup retention, which has significant cost implications without commensurate value.

How do we translate applicable regulations into policy?

There are actually two policies at play: PHI retention and Backup retention. PHI retention should be the responsibility of data governance and/or application data owners. Backup retention is IT policy that governs the recoverability of systems and data.

I have yet to encounter a hospital that actively purges PHI when permitted by regulations. There’s good reason not to: older records still have value as part of analytics datasets but only if they are present in live systems. If PHI is never purged, records in backups from one year ago will also be present in backups from last night. So, what value exists in the backups from one year ago, or even six months ago?

Keeping backups long term increases the capital requirements, complexity of data protection systems, and limits hospitals’ abilities to transition to new data protection architectures that offer a lower TCO, all without mitigating additional risk or adding additional value.

What is the right backup retention period for hospital systems?

Most agree that the right answer is 60-90 days. Thirty days may expose some risk from undesirable system changes that require going further back at the system (if not the data) level; examples given include changes that later caused a boot error. Beyond 90 days, it’s very difficult to identify scenarios where the data or systems would be valuable.

What about legacy applications?

Most hospitals have a list of legacy applications that contain older PHI that was not imported into the current primary EMR system or other replacement application. The applications exist purely for reference purposes, and they often have other challenges such as legacy operating systems and lack of support, which increases risk.

For PHI that only exists in legacy systems, we have only two choices: keep those aging apps in service or migrate those records to a more modern platform that replicates the interfaces and data structures. Hospitals that have pursued this path have been very successful reducing risk by decommissioning legacy applications, using solutions from HarmonyMediquantCITI, and Legacy Data Access.

What about email?

Hospitals have a great deal of freedom to define their email policies. Most agree that PHI should not be in email and actively prevent it by policy and process. Without PHI in email, each hospital can define whatever email retention policy they wish.

Most hospitals do not restrict how long emails can be retained, though many do restrict the ultimate size of user mailboxes. There is a trend, however, often led by legal to reduce the history of email. It is often phased in gradually: one year they will cut off the email history at ten years, then to eight or six and so on.

It takes a great deal of collaboration and unity among senior leaders to effect such changes, but the objectives align the interests of legal, finance, and IT. Legal reduces discoverable information; finance reduces cost and risk; and IT reduces the complexity and weight of infrastructure.

The shortest email history I have encountered is two years at a Detroit health system: once an item in a user mailbox reaches two years old, it is actively removed from the system by policy. They also only keep their backups for 30 days. They are the leanest healthcare data protection architecture I have yet encountered.

Closing thoughts

It is fascinating that hospitals serving the same customer needs bound by vastly similar regulatory requirements come to such different conclusions about backup retention. That should be a signal that there is real optimization potential both with PHI and email.


This article was provided by our service partner : veeam.com

Understand the Language of Cybersecurity

When you get started working around cybersecurity, it can sound like people are speaking a foreign language. Like most of the IT industry, cybersecurity has a language of its own. We’ve all become familiar with the basic security terms and aspects when we secure our personal data and information, but when you go deeper into the rabbit hole, the more technical things can get.

Let’s go over some commonly used terms you’ll hear so you can talk the talk when it comes to cybersecurity.

Antivirus / Anti-malware

A program that monitors a computer or network to detect or identify major types of malicious code and to prevent or contain malware incidents, sometimes by removing or neutralizing the malicious code.1

Chief Information Security Officer (CISO)

A senior-level executive who’s responsible for developing and implementing an information security program which includes procedures and policies designed to protect enterprise communications, systems, and assets from both internal and external threats. The CISO may also work alongside the Chief Information Officer (CIO) to procure cybersecurity products and services and to manage disaster recovery and business continuity plans.

The CISO may also be referred to as the chief security architect, the security manager, the corporate security officer, or the information security manager, depending on the company’s structure and existing titles. While the CISO is also responsible for the overall corporate security of the company, which includes its employees and facilities, he or she may simply be called the Chief Security Officer (CSO).2

Continuous Monitoring

A risk management approach to cybersecurity that maintains an accurate picture of an agency’s security risk posture, provides visibility into assets, and leverages use of automated data feeds to quantify risk, ensure effectiveness of security controls, and implement prioritized remedies.

Controls

Safeguards or countermeasures to avoid, detect, counteract, or minimize security risks to physical property, information, computer systems, or other assets.

Cybersecurity

The activity or process, ability or capability, or state whereby information and communications systems and the information contained therein are protected from and/or defended against damage, unauthorized use or modification, or exploitation.3

Cybersecurity Framework

An IT security framework is a series of documented processes used to define policies and procedures around the implementation and ongoing management of information security controls. These frameworks are basically a blueprint for building an information security program to manage risk and reduce vulnerabilities. Information security pros can utilize these frameworks to define and prioritize the tasks required to build security into an organization.4

Data Breach

The unauthorized movement or disclosure of sensitive information to a party, usually outside the organization, that is not authorized to have or see the information.5

Data Exfiltration

The unauthorized transfer of data from a computer, attached device, or network. Such a transfer may be manual and carried out by someone with physical access to a computer, or it may be automated and carried out through malicious programming over a network.

Data Loss Prevention

A set of procedures and mechanisms to stop sensitive data from leaving a security boundary.6

Data Protection/Insider Threat

Data protection places emphasis on data as an asset that has a value assigned. Think about intellectual property, trade secrets, personally identifiable information (PII), personal health information (PHI), credit card, or financial information as an example. This IS the last layer of defense. Activities include data classification, data loss prevention (DLP), data masking, or de-identification.

Endpoint Protection

Relates to all manners of protection regarding the operating systems, applications, connections, and behavior of an endpoint such as a laptop, desktop, mobile device, or server. This is one of the last layers of defense. Activities include antivirus, anti-malware, operating system/application hardening, configuration management, email/web filtering, access control, patching, and monitoring.

Exposure

The condition of being unprotected, thereby allowing access to information or access to capabilities that an attacker can use to enter a system or network.7

Firewall

A capability to limit network traffic between networks and/or information systems.

Extended Definition: A hardware/software device or a software program that limits network traffic according to a set of rules of what access is and is not allowed or authorized.8

Governance

An umbrella approach referring to a company’s posture towards governance, risk, and compliance. This includes the rules of the road and guidance that the company follows. These activities are foundational and provide meaning and direction to the following items: security policies and procedures, training and awareness, risk and vulnerability assessment, and penetration testing along with providing metrics as to where a company is on a risk and maturity scale as well as trends showing progress.

Incident

An occurrence that actually or potentially results in adverse consequences, adverse effects on or poses a threat to an information system or the information that the system processes, stores, or transmits and that may require a response action to mitigate the consequences.

Extended Definition: An occurrence that constitutes a violation or imminent threat of violation of security policies, security procedures, or acceptable use policies.9

Incident Response

Activities related to how an organization prepares, trains, and coordinates response to assumed or confirmed security incidents that have a material impact of the corporate business strategy, as well as impacts to employees or business partners. Incident response in action includes the following activities: monitoring, incident identification and triage, remediation, restore, and recovery activities (designed to restore the company to normal operations). In the SMB, space this may include Business Continuity and Disaster Recovery.

Log Collection

Log collection is the heart and soul of a SIEM. The more log sources that send logs to the SIEM, the more can be accomplished with the SIEM.10

Log Management

The National Institute for Standards and Technology (NIST) defines log management in Special Publication SP800-92 as: “the process for generating, transmitting, storing, analyzing, and disposing of computer security log data.”

Log management is defining what you need to log, how it’s logged, and how long to retain the information. This ultimately translates into requirements for hardware, software, and of course, policies.11

Malware

Software that compromises the operation of a system by performing an unauthorized function or process.12

Synonym(s): malicious code, malicious applet, malicious logic

Multi-Factor Authentication (MFA)

A security system that requires more than one method of authentication from independent categories of credentials to verify the user’s identity for a login or other transaction.13

The National Institute of Standards and Technology (NIST)

The National Institute of Standards and Technology (NIST) was founded in 1901 and is now part of the U.S. Department of Commerce. NIST is one of the nation’s oldest physical science laboratories. The organization’s mission is to promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve our quality of life.

Phishing

A digital form of social engineering to deceive individuals into providing sensitive information.14

Risk Assessment

The product or process which collects information and assigns values to risks for the purpose of informing priorities, developing or comparing courses of action, and informing decision making.

Extended Definition: The appraisal of the risks facing an entity, asset, system, or network, organizational operations, individuals, geographic area, other organizations, or society, and includes determining the extent to which adverse circumstances or events could result in harmful consequences.15

Risk Management

The process of identifying, analyzing, assessing, and communicating risk and accepting, avoiding, transferring, or controlling it to an acceptable level considering associated costs and benefits of any actions taken.

Extended Definition: Includes 1) conducting a risk assessment; 2) implementing strategies to mitigate risks; 3) continuous monitoring of risk over time; and 4) documenting the overall risk management program.16

Security Information and Event Management (SIEM)

SIEM became the generalized term for managing information generated from security controls and infrastructure. It is essentially a management layer above your existing systems and security controls. SIEM connects and unifies information from disparate systems, allowing them to be analyzed and cross-referenced from a single interface.17

Security Operations Center (SOC)

A security operations center (SOC) is a facility that houses an information security team responsible for monitoring and analyzing an organization’s security posture on an ongoing basis. The SOC team’s goal is to detect, analyze, and respond to cybersecurity incidents using a combination of technology solutions and a strong set of processes.18

Single Sign-On (SSO)

Single sign-on (SSO) is a session and user authentication service that permits an end user to enter one set of login credentials (such as a name and password) and be able to access multiple applications.19

Weakness

A shortcoming or imperfection in software code, design, architecture, or deployment that, under proper conditions, could become a vulnerability or contribute to the introduction of vulnerabilities.20

Now that you have a better understanding of cybersecurity terms and phrases you’ll hear around the industry, share them with your customers so you’ll start speaking a common language.

References

1, 3, 5, 6, 7, 8, 9, 12, 14, 15, 16, 20 Explore Terms: A Glossary of Common Cybersecurity Terminology
Retrieved from https://niccs.us-cert.gov/about-niccs/glossary

2 Rouse, M (December 2016) CISO (Chief Information Security Officer) 
Retrieved from https://searchsecurity.techtarget.com/definition/CISO-chief-information-security-officer

4 Granneman, J (May 2019) Top 7 IT Security Frameworks and Standards Explained) 
Retrieved from https://searchsecurity.techtarget.com/tip/IT-security-frameworks-and-standards-Choosing-the-right-one

10 Constantine, C (December 2018) Standards and Best Practices for SIEM Logging 
Retrieved from https://www.alienvault.com/blogs/security-essentials/what-kind-of-logs-for-effective-siem-implementation

11 Torre, D (October 2010) What Is Log Management and How to Choose the Right Tools 
Retrieved from https://www.csoonline.com/article/2126060/network-security-what-is-log-management-and-how-to-choose-the-right-tools.html

13 Rouse, M (March 2015) Multifactor Authentication (MFA) 
Retrieved from https://searchsecurity.techtarget.com/definition/multifactor-authentication-MFA

17 Constantine, C (March 2014) SIEM and Log Management—Everything You Need to Know but Were Afraid to Ask, Part 1 
Retrieved from https://www.alienvault.com/blogs/security-essentials/everything-you-wanted-to-know-about-siem-and-log-management-but-were-afraid

18 Lord, N (July 2015) What Is a Security Operations Center (SOC)? 
Retrieved from https://digitalguardian.com/blog/what-security-operations-center-soc

19 Rouse, M (June 2019) Single Sign-On (SSO) 
Retrieved from https://searchsecurity.techtarget.com/definition/single-sign-on

Security risk

How MSPs Can Reduce Their Security Risk

While technology improves our lives in so many ways, it certainly isn’t free from drawbacks. And one of the biggest drawbacks is the risk of cyberattacks—a risk that’s escalating every day.

To reduce the increasing risk of cyberattacks—to your customers and your MSP business—it’s essential to put protocols in place to strengthen your internal security (we often refer to this as ‘getting your house in order’) and protect your clients. The truth is, your customers automatically assume that security is integrated into the price of their contract. That means you need to educate them on the subject, or risk falling short of their (potentially unrealistic) expectations.

What’s more, this is a prime opportunity to offer additional services—and increase revenue.

“You don’t want to deliver security services and not have the client invest in those services,” explains George Mach, Founder and CEO of Apex IT Group. “It would impact your MSP in a negative way.”

In our Path to Success Security Spotlight, I sat down with George Mach to discuss how you can define, identify, and reduce your level of risk, and boost revenue as a result. Here are just a few of our tips.

Understand Your Risk

The first step to reducing risk and providing Security-as-a-Service is understanding the current state of your MSP’s security.

“If you don’t know your own gaps or have good security hygiene in your own MSP, it’s really hard to deliver world-class security services to your client,” Mach says.

As an MSP, you have access to a wealth of sensitive information about your clients, including their passwords, addresses, and names. As such, it’s crucial that your MSP is fully protected. Even the smallest data breach could cause your clients to lose trust in you—damaging your reputation and costing you their business.

Trust, Train & Protect Your House

To protect your MSP (and by extension, your clients), Mach recommends following three simple steps.

First, make sure that you only hire trustworthy people. Of course, it isn’t always easy to spot a wolf in sheep’s clothing, but there are a few measures you can take to safeguard your organization against harmful presences. During the hiring process, this could include conducting a background check and verifying a candidate’s education and employment history. You can also consider creating new onboarding policies and asking employees to sign agreements that go on file, holding them accountable to specific standards.

Secondly, it’s important to train everyone at your organization about how to detect potential scammers—including staff in non-technical positions. As part of this training, you may also want to conduct a security skills assessment and record that it has taken place. That way, should the worst happen and a client decides to sue following a security breach, you can prove the measures your company took to try and prevent it—helping protect your reputation.

“The goal is to be in a defensible position if something were to happen,” Mach says.

Thirdly, it’s essential to enforce technical, physical, and administrative controls at your organization. Firewalls and endpoint protection are a must. Investing in swipe cards or biometric scanners can also help you strengthen your protection by helping you identify every person who enters your building. And to reduce your legal risk, don’t overlook the importance of nondisclosure agreements (NDAs) and business associate agreements (BAAs).

Follow the Framework

Once you’ve increased security at your MSP, you can start thinking about how to offer Security-as-a-Service. Following the protocols outlined in the National Institute of Standards and Technology’s (NIST) Cybersecurity Framework is a good place to start. These protocols are: identify, protect, detect, respond, and recover.

By following these protocols, your company can turn secure protection into a competitive advantage. But that’s only possible if you communicate it properly to your clients.

Throughout conversations with your clients, it’s crucial to gain an understanding of their security priorities and the metrics they use to determine their success. Once you’ve identified these factors, you can establish risk thresholds that are closely aligned with your client’s risk tolerance.

Benchmarking your clients’ level of risk against industry standards and using a weighted scoring system to rank it from high to low can make it easier to communicate the value of your services to them—and the impact you’ll have on their business.

Measure Risk Reduction—Then Market It

You can use two approaches to measure risk reduction.

The quantitative approach, which is more technical, considers a server’s asset value, its exposure factor (which takes into account how often the server is left unattended and whether that server is in a protected environment), and the loss expectancy, which is related to the rate of occurrence of various risks. Taking all these factors into account, you can more accurately price your services—and your clients can make a more informed decision about whether to live with the risk or do something to mitigate it.

The qualitative approach is less complex. It uses available data to calculate the likelihood of a risk. You can then suggest countermeasures to ensure protection.

Whichever approach you choose, explaining your findings and suggested solutions in layman’s terms and backing up your claims with evidence helps to build trust with your clients.

It’s this trust that will persuade clients to invest in your security service—and remain satisfied customers for years to come.


This article was provided by our service partner : Connectwise

DNS Security – Your New Secret Weapon in The Fight Against Cybercrime

It’s time to use the internet to your security advantage. Did you know more than 91% of malware uses DNS to gain command and control, exfiltrate data, or redirect web traffic?

But when internet requests are resolved by a recursive DNS service, they become the perfect place to check for and block malicious or inappropriate domains and IPs. DNS is one of the most valuable sources of data within an organization. It should be mined regularly and cross-referenced against threat intelligence. It’s easier to do than you might think. Security teams that are not monitoring DNS for indications of compromise are missing an important opportunity.

Don’t believe us? New analysis shows widespread DNS protection could save organizations as much as $200 billion in losses every year. Check out the full report  The Economic Value of DNS Security,” recently published by the Global Cyber Alliance (GCA). According to their findings, DNS firewalls could prevent between $19 billion and $37 billion in annual losses in the US and between $150 billion and $200 billion in losses globally. That’s a lot of bang for your buck. If organizations around the globe were to make this simple addition to their security stack, the savings could add up into billions of dollars.  Translation: an easy way to prevent one-third of total losses due to cybercrime.

About Cisco Umbrella

Cisco Umbrella uses the internet’s infrastructure to stop threats over all ports and protocols before it reaches your endpoints or network. Using statistical and machine learning models to uncover both known and emerging threats, Umbrella proactively blocks connections to malicious destinations at the DNS and IP layers. And because DNS is a protocol used by all devices that connect to the internet, you simply point your DNS to the Umbrella global network, and any device that joins your network is protected. So when your users roam, your network stays secure.


This article was provided by our service partner : Cisco Umbrella

Offering Security Services: Should You Build, Buy, or Partner?

One size DOES NOT fit all.

Let’s consider the ‘build, buy, partner’ framework for security services, which offers three very different approaches you could take. There is no absolute right or wrong way, only what is best for your business. Explore the pros and cons of each so you can determine the right way for you.

Building Security

Utilizing this approach means you create/develop the solution with the resources you own, control, or contract to.

Strategy of Things gives us deeper insight into what is required to pull this off.

When to consider this approach:

  • You have the requisite skill sets and resources to do it
  • You can offer security faster, cheaper, and at lower risk
  • This is a strategic competence you own or want to own
  • There is strategic knowledge or critical intellectual property to protect
  • You are fully committed throughout the company

Pros

  • Most product control
  • Most profit opportunity

Cons

  • Longest time to market
  • High development cost

The Challenge: Hiring security resources to monitor 24/7 (emphasis on 24/7)

According to PayScale, the average salary for a cybersecurity analyst is $75,924. How much revenue would you need to earn to bring on just one analyst? Security talent is a hot commodity. Even if you can hire them, keeping them on will be a challenge when you’re fighting bigger businesses or one that specializes in cybersecurity who will pay more and offer more benefits.

Buying Security

This approach could also be referred to as ‘acquiring’ where you are seeking to acquire another company that specializes in a particular area (for example cybersecurity or physical security) to get the missing skill set you’re looking for under your umbrella.

Let’s take a look at the requirements needed for this approach courtesy of Strategy of Things.

When to consider this approach:

  • You don’t have the skills or resources to build, maintain, and support security
  • There is some or all of a solution in the marketplace and no need to reinvent the wheel
  • Someone can do it faster, better, and cheaper
  • You want to focus limited resources in other areas that make more sense
  • Time is critical, and you want to get to market faster
  • There is a solution in the marketplace that gives you mostly what you want

Pros

  • Shortened time to market
  • Acquiring skill sets

Cons

  • Can be costly to acquire
  • Integration takes time

The Challenge: The MSP M&A market is hot, AND it’s a seller’s market
Jim Schleckser, CEO, Inc. CEO Project and author of Great CEOs Are Lazy states in an article on Inc.com, “Many acquisitions fail to live up to their financial or performance expectations because the acquiring company hasn’t done its proper homework.” Take the time to do some serious research on how to take advantage of a seller’s market and find the expertise you need for M&A success. We have a couple of webinars to help you get started:

Bonus for ConnectWise partners: We’re fully invested in helping you throughout the M&A process every step of the way, including technical assistance post-acquisition from our M&A specialist.

Partnering for Security

Strategy of Things gives us insight into this approach. Cybersecurity is a specialized field that many vendors cannot address on their own and must buy or license for their solution.

The company allies itself with a complementary solution or service provider to integrate and offer a joint solution. This option enables both companies to enter a market neither can alone, access to specialized knowledge neither has, and a faster time to market.

Companies consider this approach when neither party has the full offering to get to market on their own.

Pros

  • Shortest time to market
  • Each party brings specialized knowledge or capabilities, including technology, market access, and credibility
  • It lowers the cost, time, and risk to pursue new opportunities
  • Conserves resources
  • Opportunity to learn the skill set before building something of your own

Cons

  • Least control
  • Integration cost
  • Shared gross margins

Many vendors today offer a lot more flexibility today to make partnering an easy choice. A great example is Perch Security threat detection and response.

No matter where you are in your security journey, Perch enables you to choose your level of involvement:

  • Fully managed by Perch SOC

If you’re more of a ‘hands-off, I trust you to do your thing’ type of person/company, then you have the freedom to sit back and relax while the Perch team does their thing. They’ll only involve you when absolutely necessary and equip you with the tools to look good in front of the customer while they do all the heavy lifting.

  • Mostly managed by Perch SOC, your team reviewing or jumping in on specific issues

If you want to be aware on a high level of what’s going on in the world of threat detection but not to the level of fully geeking out, then this level of involvement is right up your alley and 100% possible with the Perch team. Get updates on the things you care about without being inundated with the things you don’t.

  • Fully manage alerts yourself

If you want to geek out on threat reports side by side with the Perch flock, you’re more than welcome to. If you have a person on your team that’s interested in security but not able to dedicate 100% of their time to it, feel free to carve out a portion of their daily responsibilities to working hand-in-hand with the Perch team. Should things change along the way, and you need more or less involvement, you’re free to leverage the Perch team as needed.

Conclusion

Security isn’t solved by one single tool. It’s an ongoing journey that requires continuous assessment and refinement. Everyone has to start somewhere, but keep in mind that the starting line for you might look different than the starting line for someone else, and that’s okay. Carefully review the options at your disposal and determine which path is best for you.

“The journey of a thousand miles begins with a single step.” Lao Tzu


This article was provided by our service partner Connectwise