Not sure where I was last year, but I somehow missed the entire Michigan Cyber Initiative launched by the State of Michigan. If you did too, you can review their efforts at www.Michigan.gov/cybersecurity. After scanning the Cybersecurity Measures for Businesses section, one thing that caught my eye was the Personnel Security Controls – ‘People, People, People’ is listed as both an asset and a threat. I’m guessing the iteration of the word makes it extra important, so let’s review what this could mean.
Not sure where I was last year, but I somehow missed the entire Michigan Cyber Initiative launched by the State of Michigan. If you did too, you can review their efforts at www.Michigan.gov/cybersecurity. After scanning the Cybersecurity Measures for Businesses section, one thing that caught my eye was the Personnel Security Controls – ‘People, People, People’ is listed as both an asset and a threat. I’m guessing the iteration of the word makes it extra important, so let’s review what this could mean.
Their three-bullet point list starts with: “People are the key ingredient to a successful organization; but people can be the weakest link for security of the environment.” It’s true. An untrained or careless staff can unknowingly be the root cause of many a data breach. A data breach is the event in which confidential data is leaked, stolen or lost.
Among the tiers of security any organization should implement, administrative security is equally if not more important as the physical security and technical security of your data environment. For a Michigan hosting provider, administrative security should include audits, policies, staff training and industry-specific compliance training.
If you’re a Michigan business seeking an IT vendor, it’s important to understand which audits and reports are specific to IT/managed hosting providers. Read a brief description of each audit and what it means in our Data Center Standards Cheat Sheet – From HIPAA to SOC 2.
If you’re a Michigan healthcare organization, it’s even more important to understand what HIPAA compliance (Health Insurance Portability and Accountability Act) means for your hosting solution, as there are serious legal implications on the storage and transmission of all protected health information (PHI). These legal implications can mean state and civil lawsuits, lost business, remediation costs and reputational damage, if you experience a data breach.
Likewise, if you’re a Michigan retail or e-commerce organization, it’s important to understand what PCI DSS compliance (Payment Card Industry Data Security Standards) means for your hosting solution in order to avoid the loss of credit cardholder data you may be storing or transmitting.
Back to ‘People, People, People’ – employee error is a very common cause for a data breach. The Human Factor in Data Protection, a study by the Ponemon Institute reported 78 percent of respondents’ organizations had experienced a data breach as a result of negligent or malicious employees or other insiders. According to the report, the top 10 employee behavior that could lead to a vulnerability include:
- Connecting to the Internet via an insecure wireless network.
- Not deleting information off of their computer when no longer necessary.
- Sharing passwords with others.
- Reusing passwords and usernames on different websites.
- Using generic, unencrypted USB drives.
- Leaving computers unattended when outside the workplace.
- Losing unencrypted USB drives and not immediately notifying their organization.
- Traveling and working on laptops without a privacy screen.
- Carrying unnecessary sensitive information on a laptop while traveling.
- Using personal mobile devices that connect to their organization’s network.
Here are a few real examples:
- In the largest healthcare breach (4.9 million people affected) by a contractor for TRICARE, the military’s healthcare program, an employee their data security contractor, SAIC (Science Applications International Corp.), left backup tapes that contained a decade of unencrypted patient history data in the back of his car. Theft ensued. In the subsequent lawsuit, one charge targeted their employee training policies; claiming that the contractor’s staff was unaware of how to properly handle data.
- In April, an employee of the South Carolina Department of Health and Human Services (SCDHHS) Medicaid program transferred personal data of over 200,000 Medicaid beneficiaries to his personal email account.
- Over 700,000 individuals were affected by a hacker gaining access to a server due to a configuration error at the password authentication level at the Utah Department of Technology Services (DTS). The server was a test server, and it was misconfigured after it was put into production. According to InformationWeek.com, processes were not followed, and the password was very weak.
The Ponemon Institute study lists specific security and governance procedures that organizations employ, in order of importance:
| High importance | Data protection and security measures |
| 80% | Manage and monitor end-user privileges and entitlements |
| 57% | Conduct criminal background checks before granting privileged access |
| 52% | Ensure security governance practices are consistently applied |
| 48% | Attract and retain high quality IT security personnel |
| 47% | Train employees about IT security policies and procedures |
| 45% | Enforce security and data protection policies |
| 36% | Obtain intelligence about probable attacks or advance threats |
| 35% | Ensure security administration is consistently managed |
| 35% | Conform with leading IT security frameworks |
| 35% | Ensure encryption keys or tokens are adequately secured |
| 31% | Ensure that third parties are properly vetted before data sharing |
| 31% | Manage and monitor end-user access to Internet apps |
| 30% | Control all live data used in systems development activities |
Read our guide, Five Questions to Ask Your HIPAA Hosting Provider for tips on how to properly vet third parties before data sharing – although written primarily for healthcare organizations, anyone concerned with security can benefit from it.
Visit our administrative security section of our website for details on the various components of a secure hosting service:
| Administrative Security | |
 | Audits and Reports Data center and hosting providers should maintain reports on compliance (ROC) in order to clarify which requirements they cover, and which requirements your company needs to fulfill. Online Tech provides copies of our audit reports for SSAE 16, SAS 70, SOC 1, SOC 2, HIPAA and PCI compliance. |
 | Policies Online Tech’s documented policies and procedures reflect our protocol in the event of a data breach in order to provide your company visibility into our notification timeline. Additionally, documentation can outline other important security standards, from how data is handled after service termination to password policies. |
 | Staff Training Documented policies and procedures are only effectual if employees are made aware of and trained on a regular basis. The mishandling and misuse of sensitive data can potentially lead to a data breach. Check the last dates of employee training, and inquire about hiring policies to ensure that your data is in safe hands. |
 | Business Associate Training As your HIPAA hosting provider, we are trained on how to specifically handle ePHI (electronic protected health information). Part of your due diligence as a covered entity includes vetting your third-party service providers and ensuring they are trained on how to prevent a data breach. Additionally, we offer to sign and provide a business associate agreement with every healthcare client. |
References:
Cybersecurity Measures for Businesses
People, People, People
The Human Factor in Data Protection (PDF)
Utah’s Medicaid Data Breach Worse Than Expected
