Archive for the ‘Secure file transfer’ Category

Mass General works to solve piece of meaningful use puzzle

July 1st, 2010 Bill Ho No comments

Healthcare IT News just published an interview with Mark Haas, associate director of health information services at Mass General Hospital, one of the premier hospitals in the world. Mark discusses how MGH implemented Biscom Delivery Server to more than double the number of release of information (ROI) requests they can handle with the same staffing. MGH is now handling 52,000 releases per year with the help of BDS.

Another interesting statistic – MGH has reduced their costs for providing these medical records to insurance companies, law firms, and others who request them from $16.08/request down to $5.61 – a 65% savings. MGH also benefits by using BDS to comply with meaningful use objectives.

To see the full case study on MGH, go here.


Like Schrödinger’s cat, online privacy is both alive and dead

April 13th, 2010 Bill Ho No comments

Lora Bentley from IT Business Edge asked a smattering of people for their opinion on privacy — whether it’s alive or dead. I started thinking about this and to me, privacy is what we make of it — we can choose whether we keep our lives private (as much as it’s possible to do these days) or open ourselves up to the online world. To me, privacy is both alive and dead, and we’re ultimately responsible for it. That’s when a vision of Schrödinger’s cat popped into my mind — pretty esoteric reference to those who did not take quantum mechanics in college, but what can I say, I’m a bit of a nerd.

I also remembered an article that came out not too long ago about some teen who killed her boyfriend because she was drinking and driving. Not only was this a horrible event, for which the girl was going to be charged as a minor (she was only 17), but she posted a picture of herself on Facebook titled “Drunk in Florida” a month later. The judge caught wind of this and changed his decision, denied her youthful offender status, and instead charged her as an adult. Now, this girl, in my opinion, did not choose wisely regarding her online privacy. However, it was her choice. How much of ourselves we put out there is really up to us.

I don’t subscribe to the idea of complete privacy, because these days that’s pretty hard to do (who doesn’t buy an occasional something from Amazon?) However, we do need to be judicious. And of course, when it comes to obeying the law (e.g. HIPAA, SOX, GLBA, etc.), we should also be aware of the consequences if we don’t protect confidential or sensitive information.


Doctors put patients at risk by using file sharing software

March 17th, 2010 Bill Ho No comments

File sharing sites have never been known for their security but now physicians are starting to put their patients’ data up on these peer to peer sites, potentially exposing private and confidential information, and clearly violating HIPAA requirements.

Healthcare IT News is reporting on this study and it’s really quite scary: http://www.healthcareitnews.com/news/docs-file-sharing-risky-business-patient-data


ILTA article: A Data Breach Pandemic

March 10th, 2010 Bill Ho No comments

The International Legal Technology Association (ILTA) just published its March issue of Peer to Peer magazine. You’ll find an article I authored on data breaches, privacy laws, and how secure file transfer can help companies distribute their confidential information while complying with various legal requirements. You can also use this link to download the specific article as a PDF.


Webinar: How Riemer & Braunstein eliminated large file attachments in e-mail

February 23rd, 2010 Bill Ho No comments

Our Legal Practice Manager Charlie Magliato is going to be hosting a webinar on managing large email attachments, with special guest Bruce Bial, IT Director at Riemer & Braunstein. You’ll see how Bruce and his team implemented BDS to handle their secure file transfer needs and eliminated large file attachments from going through their Exchange server.

The webinar is scheduled for Thursday, February 25, 2010 from 2-3pm EST.

Click here to register!


Cost of data breaches rises

January 25th, 2010 Bill Ho No comments

Up to $204 per compromised record. That’s the latest data the Ponemon Institute has collected based on their annual study. Ellen Messmer’s PC World article on the cost of data breaches again supports the notion that, just like your doctor keeps telling you, preventive strategies will save you in the long run, in more ways than one.

The article also contains a link to the 2009 Data Breach Hall of Shame, which is interesting reading. Heartland Payment Systems topped the list with 130 million records breached through SQL injection! Ouch.


Even Google is not immune to data breaches

January 12th, 2010 Bill Ho No comments

Google is not infallible? That’s crazy talk. Well, this apparent leak just goes to show that no company or organization is truly safe from data breaches. This was not an intentional or malicious data breach, and most data breaches are not — it was simple human error, which is never going to be extinguished as a potential chink in a company’s data protection armor.

If Google were using Biscom Delivery Server for its secure communication however, this could have been avoided. Even if it was sent out in error (which even the best DLP solutions may not catch), the recall feature of BDS could have prevented the leak.

Read about the leak here: http://www.pcworld.com/article/186719/google_blames_human_error_for_data_leak.html


Microsoft SharePoint 2009 Conference was a Success!

October 27th, 2009 Bill Ho No comments

Microsoft’s biggest SharePoint show of the year in Las Vegas was a pretty big success. They were sold out (7400 attendees) completely, and the Microsoft fanboys were out in force. Luckily, Microsoft was there feeding them some good information on SharePoint with a plethora of classes, sessions, and discussions.

We had a booth out there showing off our SharePoint integration with our SFT and fax products. Some good interest. Didn’t notice any other MFT/SFT vendor there however. We got quite a few SharePoint system integrators and developers who were interested in our Web services APIs to add secure file transfer and inbound/outbound fax to their solutions.

I attended several of the sessions while I was out there. One of the most lively was an analyst panel which was probably the most intense and argumentative event I’ve seen. Most analysts either seem to agree for the most part, or politely disagree. At this session, phrases like “you’re wrong” were flying back and forth. That was fun.

Otherwise, the big news is SharePoint 2010 and various announcements surrounding the next release. The analysts suggested waiting for the first service pack before moving it into production, which is of course the wise, conservative approach.

SharePoint 2010 sounds like a pretty big step up from 2007. A lot more functionality, flexibility, search power (adding FAST searching), and focus on personalization, a la Facebook, and community. One of the cooler demos shown was the ability to directly pull data from SQL databases and show that data in a list. Users can also make CRUD changes from within SharePoint and have it automatically update the back end database.

Of course, Steve Ballmer was there at the keynote. I was hoping to see some crazy dancing, or at least some hopping around, but no, he was pretty calm. Of course, he’s so loud he really didn’t need a microphone to reach the entire auditorium.


Gartner’s SharePoint expert, Mark Gilbert

August 28th, 2009 Bill Ho No comments

Just had a conversation with Mark Gilbert at Gartner a few days ago. That guy knows his stuff! We updated him on Biscom’s SharePoint development and that we’ll be exhibiting at the Microsoft SharePoint conference this Fall (October 19-22, 2009 in Mandalay Bay, Las Vegas). If you’re a Gartner client and have SharePoint questions, want to know who the players are, and where Microsoft is going with this technology, Mark is the guy to talk to!


Business leaders worried about SharePoint data theft

July 1st, 2009 Bill Ho No comments

A whopping 90% of business leaders surveyed had concerns that SharePoint might enable data theft because they did not have the tools in place to monitor and protect data as it’s being shared. That’s a significant percentage!

BDS is adding a layer of protection that doesn’t come out of the box with SharePoint to provide secure collaboration with external users. Not only does BDS lock down the delivery through a secure file transfer interface, but it also tracks everything so you always know exactly who sent out documents and who accessed them.


TJX settles for $9.75 million

June 26th, 2009 Bill Ho No comments

TJX finally settles suits in 41 states for $9.75 million for the huge data breach that exposed up to 94 million accounts. Makes Ben Franklin’s saying “an ounce of prevention is worth a pound of cure” really resonate.

“This settlement ensures that companies cannot write off risk of a data breach as a cost of doing business,” said Massachusetts Attorney General Martha Coakley. If you look at the risk reward ratio, it’s pretty skewed. It’s good empirical evidence that investing in security policies and tools is definitely worthwhile.


A call with Carol Baroudi at Aberdeen

June 17th, 2009 Bill Ho No comments

I just had a talk with Carol Baroudi, Security Research Director at Aberdeen, today. She wrote an excellent, data-driven whitepaper on Secure File Transfer which you can download for free here. Some of you may know Carol from her Internet for Dummies book. She’s updating her SFT whitepaper and wanted to find out what’s new in the secure file transfer space. Well, lots actually!

It made me think about what we’ve been up to in the last 6-12 months here at Biscom. We released version 3.1 of Biscom Delivery Server just last month, added a new compliance role, introduced a Chinese language version of BDS, set up a real-time monitoring tool for watching system activity and user transactions, added support for user quotas and user expiration, and have built new modules for automating many of the manual tasks of sending and receiving files.

One topic we covered quite a bit is the cloud. We’ve been secretly offering a cloud version of BDS for a while now, and will be coming out with an official offering soon. We see a big market for cloud computing, and secure file transfer really fits in nicely as a cloud solution — no CAPEX, reduced management of physical servers, robust performance, scalable performance as demand increases, and often it’s faster because of better availability of bandwidth. We’ve also designed our cloud solution with our premise solution in mind, so customers can start off with our cloud offering, and easily migrate to a premise solution as their needs change. Moving from cloud to premise, end users will not see any change in the user interface or have to change their existing behavior, and all their files and deliveries will still be available. Companies can also go the other way — from a premise to cloud solution just as easily! The hybrid approach that we’re taking offers a lot of flexibility to our customers. Many want to explore the cloud, but would like an easy alternative if they need it brought in-house, or vice versa. Carol calls it “security as you like it,” and I think that’s a perfect description of our hybrid model.


SharePoint security concerns

June 10th, 2009 Bill Ho No comments

SharePoint deployments are becoming increasingly common, and we’ve been hearing a common concern from IT folks who have installed SharePoint in their network. As usual, Microsoft is trying to do a lot with SharePoint, including collaboration, content management, business intelligence, enterprise search, and portal development. However, it seems that many companies are using SharePoint primarily for file sharing. CMS Wire noted this concern last year: SharePoint Security Concerns Simply a Lack of Governance?

Many of today’s corporate environments are embracing enterprise CMS solutions as a way to disseminate and share information amongst workers and workgroups. Microsoft SharePoint is a popular choice because it aligns well with an existing Microsoft-powered network and project groups’ workflow. However, according to new research from Courion, companies who are deploying SharePoint are doing so in a manner that might be putting crucial data at risk.

According to Courion’s web-based study, 86% of IT managers are concerned about sensitive data being exposed on SharePoint sites when SharePoint is used outside of applicable data security guidelines.

Think about it — companies can put a lot of sensitive information on their SharePoint sites, and because SharePoint can give almost anyone the ability to publish content and files out to both internal and external users, IT managers have a new hole to plug: unauthorized SharePoint sites that are exposing confidential corporate data.

We’ve announced our support for a solution that will help IT managers provide a method of sharing files through SharePoint securely using Biscom Delivery Server.


Gartner’s Key Issues for Managed File Transfer, 2009

February 26th, 2009 Bill Ho No comments

Just got a copy of Frank Kenney’s latest note on Managed File Transfer called “Key Issues for Managed File Transfer, 2009” published this month. In our last meeting, Frank told me about MFT evolving from a siloed point solution into a broader, more integrated solution that has multiple touch points within an organization’s data delivery and management services. In addition to the obvious security requirements, Frank ties in aspects such as monitoring, reporting and auditing, provisioning, and workflow. He also flags a key issue — companies need visibility into the processes and systems that transport content, and a way to lock that content down during delivery. Frank also discusses adaptability, which he defines as the ability to leverage and connect to existing systems and infrastructure.

Biscom Delivery Server will definitely benefit from this new viewpoint — we’ve always believed that tying into existing investments such as LDAP and Active Directory, SAN and NAS storage systems, and common clients like email and Web applications, are critical features of any MFT/SFT solution. And it’s about time people looked at secure file transfer as not just a single, discrete function, but as an integrated enabling tool for sharing all sensitive information in this increasingly paranoid world. The demand is not just internal — companies are feeling greater pressure from their own customers and partners who are wary of how they are sending their personal and confidential data in.

There’s a lot more to Frank’s piece, so I recommend you request this paper if you’re a Gartner client. I’m just scratching the surface of Frank’s vision in this blog posting but Frank’s paper offers some interesting predictions at what’s coming down the MFT road.


Internal Threats — The Hidden Side of Data Breaches

February 26th, 2009 Bill Ho No comments

We’re hosting a webinar with Derek Brink, VP and Research Director of IT Security at Aberdeen Group. Before joining Aberdeen, Derek was VP of Strategy at RSA, and has deep knowledge of security, encryption, and file transfer technologies. Derek will be discussing the growing threat of internal data breaches and what best in class companies are doing to prevent these problems.

So, mark your calendars for March 11th, 2009 from 1-2pm ET and register for this webinar. You’ll have the opportunity to talk to Derek and also have access to one of Aberdeen’s whitepapers on Secure File Transfer at the end of the webinar.


Another information privacy law in Connecticut

January 16th, 2009 Bill Ho No comments

During my research into the new MA law on data privacy, I also found this law (Public Act No. 08-167) which became effective on October 1, 2008. The act is aimed at protecting social security numbers. The interesting thing about this act is that it’s not just businesses that are required to adhere — individuals will be held responsible as well. Here’s a quote from the actual act:

Any person in possession of personal information of another person shall safeguard the data, computer files and documents containing the information from misuse by third parties, and shall destroy, erase or make unreadable such data, computer files and documents prior to disposal.

It’s a $500 civil penalty per violation, and maxes out at $500,000 per event. By the way, personal information doesn’t just include social security numbers, but also driver license numbers, passport numbers, credit or debit card numbers, and health insurance identification. I love that they added this extremely important item too: “account number” — is it just me or is that just a wee bit vague?


201 CMR 17.00: Standards for The Protection of Personal Information of Residents of the Commonwealth

January 14th, 2009 Bill Ho No comments

Catchy title? Well, maybe not, but it’s a new privacy and security law in Massachusetts that takes effect May 1, 2009 (postponed from January 1, 2009).

The purpose and scope, as described on the Mass.gov site:

(a) Purpose
This regulation implements the provisions of M.G.L. c. 93H relative to the standards to be met by persons who own, license, store or maintain personal information about a resident of the Commonwealth of Massachusetts. This regulation establishes minimum standards to be met in connection with the safeguarding of personal information contained in both paper and electronic records. Further purposes are to (i) ensure the security and confidentiality of such information in a manner consistent with industry standards, (ii) protect against anticipated threats or hazards to the security or integrity of such information, and (iii) protect against unauthorized access to or use of such information in a manner that creates a substantial risk of identity theft or fraud against such residents.

(b) Scope
The provisions of this regulation apply to all persons that own, license, store or maintain personal information about a resident of the Commonwealth.

While this sounds quite onerous for many companies, and has pretty far reaching implications on IT data management processes and procedures, it’s a step in protecting against the increasing incidence of identity theft and other data leaks. Was this law spurred by the TJX breach of 45.7 million credit cards or when 4.2 million credit card numbers were nicked from Hannaford Foods in 2007? The cleanup efforts far outweigh the investment in security that might have prevented these data breaches (some estimates put TJX at $4.5 billion in accumulated costs in fines, legal fees, notification expenses, and brand damage).

I see stories like these, and dozens of other high profile breaches, as the tip of the iceberg. I doubt there’s going to be any law or compliance legislation that will protect 100% of individual and company data from being lost or stolen, but it does make sense for companies to reassess their data storage and transmission policies to harden their defenses against this.

Companies must look holistically, however, and can’t overlook the fact that data must be protected from many angles. In the introduction to the book Practical Cryptography, the authors, Niels Ferguson and Bruce Schneier, mention scores of companies obsessed with building robust and highly protected network security to foil hackers, but ignored internal concerns, both malicious and unintentional, akin to installing a huge steel front door in your house, but having an unlocked screen door in the back.

With this law, the pendulum has swung quite a bit in requiring companies to have implementations in place to protect personal data, but I hope solutions built for this have both the technical aggressiveness to maintain security, but provide it in a way that is not so complex and hard to use that individuals dismiss it and look for alternative methods that may compromise security.


My first blog

January 8th, 2009 Bill Ho No comments

My first blog and my first blog posting. Actually, Frank Kenney, Research Director at Gartner, paid us an onsite visit today, and suggested that it might be worthwhile for me to start a blog on managed file transfer (aka secure file transfer/intelligent file transfer) and to start evangelizing the concept. As someone who’s been quietly evangelizing this for the last 8 years, I guess this is as good as any forum to share news, industry events, and other thoughts on the state of the SFT/MFT market (like the military, tech is full of acronyms).

Biscom Delivery Server (BDS for short, to remain true to the acronym-philic technology community), is an enterprise Web-based secure file transfer application. (EWBSFTA?) BDS enables people (or machines/automated processes) to send files and messages to each other securely, while tracking every transaction that can later be used for reporting and auditing purposes (think regulatory or compliance requirements). Basically, if you have a file that contains sensitive or confidential information that you can’t send over email because it’s either too large or you’re concerned about other people being able to view it, and FTP, PGP, and other security technologies are too complex for your end users, then you need our product. BDS, above all else, is easy to use!

In a nutshell, here’s how it works.

Questions? Comments? I guess I’m opening myself up to the world now, so fire away!
