28 Jul 17

The Register – Healthcare dev fined $155 MEEELLION for lying about compliance

A health records software company will have to pay $155m to the US government to settle accusations it was lying about the data protection its products offered.

The Department of Justice said that eClinicalWorks (eCW), a Massachusetts-based software company specializing in electronic health records (EHR) management, lied to government regulators when applying to be certified for use by the US Department of Health and Human Services (HHS).

According to the DoJ, eCW and its executives lied to the HHS about the data protections its products use. At one point, it is alleged that the company configured the software specially to beat testing tools and trick the HHS into believing the products were far more robust and secure than they actually were.

More of The Register article from Shaun Nichols


12 Jun 17

HBR – The Behavioral Economics of Why Executives Underinvest in Cybersecurity

Determining the ROI for any cybersecurity investment, from staff training to AI-enabled authentication managers, can best be described as an enigma shrouded in mystery. The digital threat landscape changes constantly, and it’s very difficult to know the probability of any given attack succeeding — or how big the potential losses might be. Even the known costs, such as penalties for data breaches in highly regulated industries like health care, are a small piece of the ROI calculation. In the absence of good data, decision makers must use something less than perfect to weigh the options: their judgment.

But insights from behavioral economics and psychology show that human judgment is often biased in predictably problematic ways. In the case of cybersecurity, some decision makers use the wrong mental models to help them determine how much investment is necessary and where to invest. For example, they may think about cyber defense as a fortification process — if you build strong firewalls, with well-manned turrets, you’ll be able to see the attacker from a mile away.

More of the Harvard Business Review post from Alex Blau


28 Apr 17

IT Business Edge – Perception or Reality: Your Security System Is Probably Weaker Than You Think

How confident are you about your cybersecurity operations? If you are like the vast majority of respondents in Arctic Wolf Networks’ recent survey, you are highly confident in your cybersecurity defenses.

However, the perception of cybersecurity operations doesn’t match the reality for these mid-market companies. While 95 percent of the respondents think their security posture is well above average and 89 percent think their security systems are combatting attacks, large majorities also admit that they aren’t able to stop certain types of threats and they are so overwhelmed with the breadth of overall IT that security isn’t given the attention it deserves. In a formal statement, Brian NeSmith, CEO of Arctic Wolf Networks, said:

Most mid-market enterprises believe they are safe because they have the traditional perimeter defenses in place. This falls far short of what’s needed for rigorous security in today’s complex threat environment. The challenge smaller enterprises face is that they have all the same security issues as large enterprises with only a fraction of the budget and less specialized personnel.

More of the IT Business Edge post from Sue Marquette Poremba


13 Apr 17

Arthur Cole – The New Cloud and the Old Data Center

What do your business requirements tell you about your best data center or cloud solution?

The more things change, the more they stay the same. It’s a trite saying but appropriate for today’s cloud infrastructure market, which seems to be evolving along much the same vendor-defined trajectory as the data center before it.

According to new data from Synergy Research Group, the top three vendors duking it out for cloud dominance are … wait for it … Dell EMC, Cisco and HPE. This may come as a surprise to some, considering commodity manufacturers in the APAC region are supposed to be taking over. But according to the company’s research, the new Big Three each hold about 11.5 percent of the market, while an equal share went to multiple ODMs in the Pacific Rim. Microsoft and IBM each held smaller shares, which means that more than a third of the market is divvied up between numerous small to medium-sized vendors.

More of the IT Business Edge post from Arthur Cole


31 Jan 17

The Register – Suffered a breach? Expect to lose cash, opportunities, and customers – report

More than a third of organisations that experienced a breach last year reported substantial customer, opportunity and revenue loss.

The finding is one of the key takeaways from the latest edition of Cisco’s annual cybersecurity report, which also suggests that defenders are struggling to improve defences against a growing range of threats.

The vast majority (90 per cent) of breached organisations are improving threat defence technologies and processes following attacks by separating IT and security functions (38 per cent), increasing security awareness training for employees (38 per cent), and implementing risk mitigation techniques (37 per cent). The report surveyed nearly 3,000 chief security officers (CSOs) and security operations leaders from 13 countries. CSOs cite budget constraints, poor compatibility of systems, and a lack of trained talent as the biggest barriers to advancing their security policies.

More than half of organisations faced public scrutiny after a security breach. Operations and finance systems were the most affected, followed by brand reputation and customer retention. For organisations that experienced an attack, the effect can be substantial: 22 per cent of breached organisations lost customers and 29 per cent lost revenue, with 38 per cent of that group losing more than 20 per cent of revenue. A third (33 per cent) of breached organisations lost business opportunities.

More of The Register article from John Leyden


06 Oct 16

AFCOM – Dissecting the Data Center: What Can – and Can’t – Be Moved to the Cloud

Practical approaches to cloud migration from the AFCOM folks. Re-platforming is a great opportunity for the move, but there are other triggers as well, including staff changes, entering new lines of business, and financial drivers.

According to the results of a recent survey of IT professionals, 43 percent of organizations estimate half or more of their IT infrastructure will be in the cloud in the next three to five years. The race to the cloud is picking up steam, but all too often companies begin implementing hybrid IT environments without first considering which workloads make the most sense for which environments.

The bottom line is your business’s decision to migrate workloads and/or applications to the cloud should not be arbitrary. So how do you decide what goes where?

The best time to consider migrating to the cloud is when it’s time to re-platform an application. You should not need to over-engineer any application or workload to fit the cloud. If it’s not broken, why move it? For the purposes of this piece, let’s assume your organization is in the process of re-platforming a number of applications and you are now deciding whether to take advantage of the cloud for these applications. There are a few primary considerations you should think through to determine if moving to the cloud or remaining on-premises is best.

Evaluating What Belongs on the Ground or in the Cloud

First, ask yourself: Is our application or workload self-contained or does it have multiple dependencies? Something like the company blog would be considered a self-contained workload that can easily be migrated to the cloud. At the other extreme, an in-house CRM, for example, requires connectivity to your ERP system and other co-dependent systems. Moving this workload to the cloud would introduce more risk in terms of latency and things that could go wrong.

More of the AFCOM article from Gerardo Dada


05 Oct 16

Data Center Knowledge – Hospital Pays $400,000 HIPAA Breach Penalty for Obsolete ‘Business Associate’ Agreement

HIPAA has teeth. Are your BAAs accurate and up to date?

A Rhode Island hospital agreed this month to pay $550,000 in settlements after failing to properly update business associate agreements as required under the privacy and security rules of the Health Insurance Portability and Accountability Act (HIPAA), federal authorities said.

The U.S. Department of Health and Human Services Office of Civil Rights (OCR) opened an investigation into Women & Infants Hospital of Rhode Island (WIH) after receiving a report of a data breach in November 2012.

WIH told federal authorities it had lost unencrypted backup tapes containing ultrasounds of 14,004 women, including patient names, dates of birth, dates of exams, physician names and, in some cases, Social Security numbers.

More of the Data Center Knowledge post from Aldrin Brown