[Webinar Recap] How to Get the C-Suite to Prioritize Cybersecurity

One of the most important pieces of a successful breach response is senior executive involvement. Yet research by Ponemon Institute shows that only 45 percent of executives believe they’re accountable for the incident reporting process. Many simply view breaches as part of the cost of doing business.

Convincing the C-suite to prioritize cybersecurity can sometimes feel like an uphill battle, which is why we spoke on that topic during our recent webinar with the Disaster Recovery Journal. During the session, Rentsys Senior Manager Brandon Tanner and Director of Network Services Scott Frieszell offered their top three tips for getting the C-suite on board with cybersecurity initiatives:

  1. Don’t start at the top.
  2. Emphasize the benefits to stakeholders in each department.
  3. Provide a picture of the total impact.
To hear more, check out the webinar recording here.

Four Ways to Keep Your ePHI From Becoming a Statistic

Medical Provider Struck by Hackers!

Insurance Giant Suffers Massive Data Breach!

Millions of Patients Have Data Stolen!

It seems like there are new headlines about data breaches in the healthcare industry every month — if not more frequently. In the last few years, electronic protected health information (ePHI) has become the primary target for hackers, and it's easy to see why.

According to a recent report by Reuters, ePHI fetches 10 to 20 times more than credit card data on the black market, which is why organizations that handle healthcare data are prime targets for data breaches and theft. In fact, just two healthcare data breaches discovered in 2015, Anthem and Premera, affected 28.5 percent of the entire U.S. population.

Starting to feel a little overwhelmed? Don't worry. Here are four things you can do to keep your ePHI safe from prying eyes.

Encrypt Everything

In 2013, two laptops were stolen from a secure office at a hospital in California. The laptops contained ePHI such as financial information, health conditions and demographic information. Unfortunately, the data wasn't encrypted, so the hospital had to notify 729,000 individuals that their ePHI had been compromised. The hospital implemented policies and procedures to reduce risks to the patients' ePHI, but the damage was already done. Had the laptops been encrypted, the hospital could have protected the information: under the HIPAA Breach Notification Rule, ePHI encrypted in line with HHS guidance isn't considered "unsecured," so the loss of an encrypted device generally doesn't trigger notification, provided the decryption key or recovery passphrase wasn't lost along with it.

A recent article by Health Data Management points out that it's easy to encrypt everything, since encryption tools are embedded in current operating systems and come with nearly every device (BitLocker on Windows, FileVault on macOS, LUKS on Linux and the built-in storage encryption on current phones and tablets). Keep in mind that full-disk encryption only protects data at rest, so pair it with a strong login passphrase, an automatic screen lock and central escrow of recovery keys; a laptop stolen while it's unlocked is as exposed as one that was never encrypted. (If a device doesn't have built-in encryption functionality, that's a sign that it's outdated and shouldn't be used to handle ePHI in the first place. We talk about that more below.) Yes, encrypting all your data costs time and money, but it's a drop in the bucket compared to the cost of recovering from a breach.

Know Who You're Working With

While keeping ePHI out of the hands of outside thieves is hard enough, you also need to be able to trust your employees and your vendor's employees with the sensitive information. The U.S. Department of Health and Human Services' Office for Civil Rights (OCR) maintains a "wall of shame" website listing major healthcare data breaches. Of the 1,472 breaches on the website, 309 (21 percent) involved a business associate. These associates were responsible for exposing 32.8 million records.

You should thoroughly vet employees and vendors who have access to your ePHI, and put business associate agreements in place that spell out what vendors may and may not do with it. Because vetting can't rule out misuse, also review access logs routinely: HIPAA's audit-control requirement exists for exactly this reason, and a regular look at who opened which records, how many and at what hour will catch employees who are putting their noses where they don't belong.
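As an added example of the kind of routine audit described above (it is not code from the original post or from any EHR product), the following Python script runs three simple checks over constructed ePHI access-log lines: a restricted record opened without a documented reason, record exports outside business hours, and a user touching more distinct patients in a day than their role warrants. The log format, the per-role daily limits and the restricted-patient list are all assumptions.

```python
"""Audit ePHI access logs for snooping and bulk export.

Added example. The log format, role limits and restricted-patient list
are assumptions, not taken from any real EHR system.
"""
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed sample log: one line per record opened or exported.
SAMPLE_LOG = """\
timestamp,user,role,patient_id,action,reason
2016-03-01T09:02:11,nurse.amy,nurse,P1001,view,
2016-03-01T09:05:40,nurse.amy,nurse,P1002,view,
2016-03-01T09:07:02,dr.lee,physician,P1001,view,
2016-03-01T10:15:30,dr.lee,physician,P9001,view,treating
2016-03-01T12:30:00,helpdesk.sam,helpdesk,P9001,view,
2016-03-01T22:41:03,billing.joe,billing,P1003,export,
2016-03-01T22:41:05,billing.joe,billing,P1004,export,
2016-03-01T22:41:06,billing.joe,billing,P1005,export,
2016-03-01T22:41:08,billing.joe,billing,P1006,export,
2016-03-01T22:41:09,billing.joe,billing,P1007,export,
2016-03-01T22:41:10,billing.joe,billing,P1008,export,
"""

# Records that need a documented reason to open (assumed: staff members
# and high-profile patients, which many hospitals flag this way).
RESTRICTED_PATIENTS = {"P9001"}

# Distinct patients a user in each role may touch per day before the
# access is reviewed. Assumed values; derive real ones from each role's
# own history so that a billing clerk is compared with billing clerks.
DAILY_PATIENT_LIMIT = {"nurse": 30, "physician": 40, "billing": 5, "helpdesk": 0}

BUSINESS_HOURS = range(7, 19)  # 07:00 to 18:59 local time


def parse_log(text):
    """Parse CSV log text into dicts, adding a datetime under "ts"."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["ts"] = datetime.fromisoformat(row["timestamp"])
    return rows


def audit(rows):
    """Return (rule, user, detail) findings for a list of parsed rows."""
    findings = []
    role_of = {}
    patients_per_user_day = defaultdict(set)

    for row in rows:
        user, role, patient = row["user"], row["role"], row["patient_id"]
        role_of[user] = role
        patients_per_user_day[(user, row["ts"].date())].add(patient)

        # Opening a restricted record without a break-the-glass reason.
        if patient in RESTRICTED_PATIENTS and not row["reason"]:
            findings.append(("restricted_record_no_reason", user, patient))

        # Exports outside business hours are how bulk theft usually looks.
        if row["action"] == "export" and row["ts"].hour not in BUSINESS_HOURS:
            findings.append(("after_hours_export", user, patient))

    # Volume check: more distinct patients in a day than the role warrants.
    for (user, day), patients in patients_per_user_day.items():
        limit = DAILY_PATIENT_LIMIT.get(role_of[user], 0)
        if len(patients) > limit:
            detail = f"{len(patients)} patients on {day} (limit {limit})"
            findings.append(("over_role_limit", user, detail))
    return findings


if __name__ == "__main__":
    for rule, user, detail in audit(parse_log(SAMPLE_LOG)):
        print(f"{rule:28} {user:14} {detail}")
```

On the sample data the script flags the help-desk account that opened a restricted record with no reason, the six after-hours exports by the billing account, and both of those users for exceeding their role's daily limit, while the nurse and physician with ordinary access patterns are left alone. In production the limits should come from each role's own baseline rather than fixed numbers, and the findings should feed a ticket queue that someone actually reviews.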

Stop Using Outdated Devices

Encrypting ePHI and auditing employees' system usage can go a long way toward better controlling patient data, but the ability to do those things can be hampered by outdated technology. The healthcare industry is traditionally slow to adopt new technologies, and old communications methods and technology (such as pagers) are costing hospitals $8.3 billion per year.

Obsolete, poorly secured technology leads to vulnerabilities in your network. In fact, even one outdated system connected to the network could provide hackers with a back door. Inventory what's on the network, and segment any device that can't be patched (an imaging workstation running an unsupported operating system, for instance) so it can't reach the rest of the network. To monitor for threats, use a firewall service that includes intrusion detection and prevention, port-scan detection and protocol inspection, and perimeter anti-virus/malware blocking.

Don't Count on Obscurity

When healthcare giants like Anthem and Premera make headlines with massive data breaches, you might think you can get away with less-than-cutting-edge ePHI security by being a smaller provider. After all, hackers are only interested in big scores, right? Wrong. ePHI from a small physician's practice is just as valuable as ePHI from an insurance giant. According to a recent Health Data Management article, smaller providers represent a tantalizing target for hackers for one key reason: They're easy targets.

A lack of awareness about what the hackers are capable of and concerns about cost have kept many small healthcare providers from being properly equipped to handle sophisticated cyber attacks. Regardless of the size of your practice or company, you should always be aware of the threat of cyber attacks and keep your company prepared to fend off hackers. The cost of keeping your patients' ePHI secure pales in comparison to the consequences both you and your patients could face after a data breach.

To find out more about how to keep your data safe, read our post "Five Ways to Thwart a Cybersecurity Nightmare."

Q&A: Brandon Tanner on the Hybrid Cloud

We recently sponsored a Disaster Recovery Journal (DRJ) webinar, during which Brandon Tanner, our senior manager, discussed the evolution of hybrid cloud disaster recovery as a service (DRaaS) and the challenges addressed during its development. (If you weren’t able to attend the webinar, you can listen to it here.) During the Q&A session at the end of the webinar, attendees wanted to know more about how hybrid cloud DRaaS fits into their work environment. We've highlighted a few of their questions below.

Q: How does a managed service in the cloud differ from one our IT team manages, and who is responsible for what?
A: It varies depending on who the managed service provider (MSP) is, but if the MSP offers a hybrid solution, they typically handle both environments. So, for example, instead of your IT team handling a particular on-site infrastructure and solution, the MSP handles both the on-site and off-site component, whether it's a public or private space.

That service provider is tied to service level agreements that give you remediation both for local and off-site solutions, so it's a seamless end-to-end solution. With an in-house solution, you're on the hook for managing it yourself.

Q: What specific workloads are best suited for the hybrid cloud?
A: It varies depending on your business. For example, data analytics and seasonal demands are some of the workloads the public cloud does a good job of.

Dedicated workloads specific to the organization may have certain sets of data, parameters, types of software or uses associated with them. These workloads might need to be managed locally to ensure connectivity, minimize bandwidth requirements and keep costs down. It depends on how an application is built and how users access systems and data. So you have to understand what apps people are accessing and what speed those apps require. You also need to know whether or not they need to run independently if, for instance, the outside network is unavailable.

Q: What are your strategies for providing DRaaS to customers who have a mixed environment of VMs and physical servers?
A: The solution needs to address how you handle both physical and virtual environments and how they fit into your data management strategy, whether it's data replication or recovery. You may have hardware that's replicated to other hardware, and you may have your virtual environment that's replicated to a virtual environment. Or you may have an on-site solution that's backing up both physical data and virtual environments locally. Your recovery strategy then becomes a matter of asking yourself, "Do I need to dropship equipment in, do I need to keep spares on-site, or do I want to replicate that data off-site, where there's spare hardware that can be used?"

In our experience, from a recovery standpoint, we take physical infrastructure and recover it into a virtual environment, and oftentimes, once we've done that, the client stays in the virtual environment. The only exception is when the client uses equipment with a specific use. We've also seen a lot of testing that has moved the physical world into a virtual world. But you can't virtualize everything, so you have to account for that hardware component as part of your solution, both in a private infrastructure and in a public cloud infrastructure.  

Q: What are some of the gotchas to be aware of with hybrid cloud and DRaaS offerings?
A: Number one is connectivity and communications, both WAN and LAN. You could say it costs you a penny a gig to store things up in the cloud. But you still have to be able to access it. Connectivity could be a major gotcha, depending on the architecture of your solution. If you put everything up in a public cloud, and you're running the users in the private cloud, all the data has to move back from that cloud environment. You're moving a lot of data back and forth, so architecture related to your applications and systems is critical.

The other thing is cost containment. With these hybrid models, it's easy for a private cloud provider to give you a fixed cost or a model with some variability. If you have a hybrid model with stuff in the public cloud and you need to recover something or need help with an issue, a lot of those costs are a la carte. They're advertised as storage costs, cost of server instances, those kinds of things. That all comes with the hybrid cloud solution, so you need to make sure that either you or your provider has the knowledge to account for some of those additional variable costs.

For more cloud Q&As, check out this post.

[INFOGRAPHIC] The Sick State of Healthcare Data Breaches

Data breaches in the healthcare sector have become an epidemic. In the next five years, the industry could lose as much as $305 billion in lifetime patient revenue due to cyber attacks.

To learn more about the sick state of healthcare data breaches, check out this infographic by LightCyber.


Want to learn how to prepare for a cybersecurity breach? Read our post "Five Ways to Thwart a Cybersecurity Nightmare."

DRaaS Can Unlock Revenue Potential for Resellers

If you’re a reseller and haven’t added disaster recovery as a service (DRaaS) to your portfolio, you could be missing out on vast revenue potential. Here are two reasons why.

Fewer Businesses With DR Plans Means More Opportunities for You

Surprisingly, 49 percent of businesses have yet to implement a comprehensive business continuity and disaster recovery (BC/DR) plan. While this doesn’t bode well for those organizations, it means resellers have a wide-open door for successfully selling DRaaS services.

For companies that are just getting started with DR, and even for those that already have a DR plan in place, DRaaS solutions are an easy in. They offer easy implementation, access to vendor expertise, fully managed IT infrastructure and recovery time objectives of under two hours. Gone are the days of having to build out a redundant environment in-house. More companies are realizing this, and the market is expected to grow 739 percent between 2015 and 2020. Take advantage of this momentum early on.

Businesses Are Prioritizing Strategic Objectives in IT Spending

According to research by IDG Research Services, most organizations aren’t pouring money into maintaining or improving the value of legacy systems anymore. Instead, they’re investing in technology that can help the business meet key objectives. These objectives include improving the customer experience, managing costs, increasing operational efficiency and mitigating risk.

When it comes to mitigating risk, security and BC/DR projects are two of the top technology initiatives currently underway. As an IT reseller, you’ll experience the most success when your solution portfolio aligns with these business drivers. Because DRaaS has the ability to reduce downtime, enable more efficient DR testing, adhere to compliance requirements and more, organizations will find that it’s a good fit for their strategic objectives.

Realizing these benefits, we recently added a DRaaS solution to our reseller program. To learn more, read this press release and visit our Partners page.

Five Ways to Thwart a Cybersecurity Nightmare

Employees of Hollywood Presbyterian Medical Center received a nasty surprise on February 5 when they discovered that a hacker had infiltrated the network and taken the computer systems hostage using ransomware. In exchange for the decryption key, the hacker demanded 40 bitcoins, which is approximately $17,000. In the interest of restoring the network quickly, the CEO decided to pay the ransom.

The hospital reported that patient care wasn’t compromised, but the incident is yet another example of the sobering prevalence and potential impact of cybersecurity threats.

While some organizations are greater targets for security breaches because of the type of data they handle and its value on the black market (healthcare and financial organizations are prime targets), no business is impervious to cybersecurity threats.

Here are five of the most important things you can do to prevent or minimize the impact of a cybersecurity breach on your company.

Protect the Perimeter

The most effective way to prevent the spread of malware is to thwart it before it penetrates the network. This might seem obvious, but even big firms lack adequate security protection. Make sure your business uses perimeter anti-virus that filters known malware at the network edge, complementing (not replacing) the anti-virus running on each PC. Keep in mind that a perimeter filter can only inspect traffic it can decrypt, so it catches less as more of your traffic moves to HTTPS.

Sometimes, though, even if a business is using anti-virus software, malware breaches the perimeter and resides in the network unnoticed. That’s what happened in the infamous Anthem breach: the hack is estimated to have started as early as April 2014, but it wasn’t discovered until January 2015. To cut short an ongoing breach, implement intrusion prevention services that inspect, quarantine and log suspicious activity, and watch outbound traffic as closely as inbound. A long-running breach like Anthem's shows up as data leaving the network, not just as the initial break-in.

Beware of Outdated Software

In a recent analysis, Cisco examined 115,000 of its devices installed in customer environments, viewing them as they would be seen from the Internet. It found that 92 percent of the devices were running software with known vulnerabilities, 26 per device on average, and that some customers in the financial, healthcare and retail sectors were running outdated software.

Because software updates usually include patches for newly discovered vulnerabilities, running earlier versions leaves your network susceptible to a security breach. Keep an inventory of what's running where, install updates as soon as they’re available (starting with anything reachable from the Internet), and replace equipment the vendor no longer patches.

Protect Data

As one senior managing consultant for an e-discovery firm points out, just because a hacker is successful at breaching your network perimeter doesn’t necessarily mean your critical or sensitive data has been compromised.

To protect your sensitive data, however, it needs to be encrypted. You should also maintain full backups of your IT environment. Backups are crucial if your network is taken hostage by ransomware, as Hollywood Presbyterian Medical Center’s was. In this scenario, you can avoid paying the ransom by restoring your network from a backup. As a caveat, this strategy won’t work if your backups have also been encrypted or infected by the malware, so keep at least one copy offline or otherwise unwritable from the production network, retain enough history to restore from before the intrusion began, and test restores regularly. Shortening the time between infection and discovery is another reason having intrusion detection services is important.

Educate Staff

Human error is the root cause of roughly 52 percent of security breaches. When it comes to cybersecurity specifically, phishing is a major culprit. Most computer-literate people are aware that they shouldn’t click links in suspicious emails or enter information on web pages that appear untrustworthy, but hackers are becoming more sophisticated in their methods, and it’s becoming harder for people to spot phishing attempts.

Whaling is especially notorious for scamming employees. In this phishing method, highly customized emails containing the target’s name, job title or other information are sent to a high-profile recipient (usually a C-level executive) from a source that mimics a person or entity the recipient is familiar with. The same trick also runs in reverse: the attacker impersonates the executive to pressure finance or HR staff into wiring money or sending employee records, typically from a lookalike domain or with a Reply-To header that quietly points somewhere else.

To help your employees avoid making a critical error or being duped by hackers, make sure you educate employees on handling sensitive data with care and on how to identify phishing emails. Also give them a clearly outlined process for reporting any suspicious emails, and treat those reports as a success rather than a nuisance: one early report can stop a campaign before the next recipient clicks.
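The header-level tells mentioned above (an executive's display name on a mailbox that isn't theirs, a domain one keystroke away from your own, a Reply-To that differs from the From) can be checked automatically before a message ever reaches the inbox. The Python below is an added example, not code from the original post or any mail product; the company domain, the executive directory and the three sample messages are constructed for illustration.

```python
"""Flag executive-impersonation and lookalike-domain emails from headers.

Added example. The company domain, the executive directory and the three
sample messages are constructed; nothing here comes from a real mailbox.
"""
import email
from email import policy
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com"  # assumed: the domain your staff send from
EXECUTIVES = {"pat ceo": "pat.ceo@example.com"}  # assumed: display name -> real mailbox

# Constructed messages.
LEGIT = """\
From: Pat Ceo <pat.ceo@example.com>
To: finance@example.com
Subject: Q1 numbers

Please send the Q1 summary when it is ready.
"""

WHALING = """\
From: "Pat Ceo" <pat.ceo@examp1e.com>
Reply-To: pat.ceo@gmail.com
To: finance@example.com
Subject: Urgent wire transfer

I am in a meeting, please wire $48,000 to the vendor below today.
"""

FREEMAIL = """\
From: "Pat Ceo" <pat.ceo.office@gmail.com>
To: hr@example.com
Subject: W-2 forms

Can you send me all employee W-2s as a PDF?
"""


def levenshtein(a, b):
    """Edit distance; small values against your own domain mean a lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr):
    """Lower-cased domain part of an address, or "" if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def analyze(raw):
    """Return the list of header-level warning flags for one raw message."""
    msg = email.message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(str(msg.get("From", "")))
    from_domain = domain_of(addr)
    flags = []

    # Display name matches an executive, but the mailbox is not theirs.
    real = EXECUTIVES.get(" ".join(name.lower().split()))
    if real and addr.lower() != real:
        flags.append("executive_impersonation")

    # Sender domain is one or two edits away from ours (examp1e, exarnple, ...).
    if from_domain != COMPANY_DOMAIN and levenshtein(from_domain, COMPANY_DOMAIN) <= 2:
        flags.append("lookalike_domain")

    # Replies silently routed to a different domain than the visible sender.
    reply_to = msg.get("Reply-To")
    if reply_to and domain_of(parseaddr(str(reply_to))[1]) != from_domain:
        flags.append("reply_to_mismatch")
    return flags


if __name__ == "__main__":
    for label, raw in (("legit", LEGIT), ("whaling", WHALING), ("freemail", FREEMAIL)):
        print(label, analyze(raw) or "clean")
```

The legitimate message produces no flags, the wire-transfer lure trips all three checks, and the free-mail variant is caught on the display name alone. These checks are deliberately cheap and header-only; they belong alongside, not instead of, SPF/DKIM/DMARC enforcement on your domain, which stops outright spoofing of your real addresses.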

Give Employees a Secure Way to Work Remotely

It’s rare nowadays for a company not to have some employees who work remotely at least part of the time. However, if those employees connect to public Wi-Fi networks to do their jobs without taking the proper precautions, they’re putting your company data at risk.

Ideally, your employees should access your network through a company virtual private network (VPN), which encrypts traffic between the employee’s device and the business’s network. Protect the VPN itself with multi-factor authentication; otherwise a single phished password is all an attacker needs to walk in through it.

These recommendations are only scratching the surface of a thorough, effective cybersecurity plan. For more tips, review the Federal Financial Institutions Examination Council (FFIEC) Cybersecurity Assessment Tool, which the FFIEC released last year as an appendix to its IT Examination Handbook.

[Webinar Recap] The Hybrid Cloud and DRaaS

Today the hybrid cloud is the backbone of several disaster recovery as a service (DRaaS) solutions on the market. These solutions are helping DR planners and IT personnel better manage diverse workloads, achieve more aggressive recovery time objectives, meet compliance requirements for data handling and more. But the hybrid cloud wasn’t always welcome in the IT DR world.

In a recent webinar with the Disaster Recovery Journal, Rentsys Senior Manager Brandon Tanner discusses the history and challenges of the hybrid cloud and explains why businesses are now adopting it in droves.

Check out the recording here.