Security Measures That Are a Must When Outsourcing Data

22 Mar Security Measures That Are a Must When Outsourcing Data

Our founder, Harry Stephens, always knew the importance of protecting data. One of his favorite sayings is, “An ounce of prevention is worth a pound of cure.” That is never truer than when it comes to protecting a company’s data. In a business like ours, even simple mistakes, like using the wrong size window envelopes, can expose customer data, leading to costly regulatory fines. And when a high-profile data breach makes headlines, the damage to a company’s reputation can be permanent.

Take for example, Change Healthcare, a healthcare technology company headquartered in Nashville, with locations across the U.S., Canada, the United Kingdom, New Zealand, Israel, and Taiwan. A cyberattack on Change Healthcare was carried out by a ransomware group known as ALPHV, or BlackCat, leading to significant disruptions in Change Healthcare’s operations. The attackers somehow gained unauthorized access to Change Healthcare’s network, disrupting key operations and shutting down the largest healthcare claims and payment infrastructure. The attackers demanded money to return services online.

This incident is a stark reminder of the vulnerability healthcare companies are to cyberattacks because of the highly personal patient information it maintains, just as is any company operating in an industry that collects data involving Sensitive Personally Identifiable Information (SPII). Because enterprises in these industries often contract a service provider to handle the printing and mailing of their transactional documents, it goes without saying that there are security measures you need to expect—and inspect— when you outsource your data to a third-party provider.

Choose to outsource wisely

Much like your own security program, the provider you choose should have a contingency program that includes business continuity and disaster recovery planning, as well as a redundant IT infrastructure. You will want to verify that they test their contingency plans annually and incorporate identified security gaps into their risk mitigation plans.

It is important to include a review of their technical safeguards as part of your due diligence. Things to look for include encryption, multi-factor authentication, installation of firewalls, malware detection and protection, strong authentication controls, and 24/7 network monitoring. You will also want to verify that your third-party provider has auditable service level agreements and cybersecurity liability insurance in the event that a breach does occur.

Be sure to ask about security certifications

Proper certifications ensure a security program functions at an optimal level. Certification is critical to gaining the peace of mind that comes from knowing the most rigorous security measures are in place, since most security certifications require companies to implement risk management, contingency planning, technical safeguarding, and other security controls as part of the assessment process.

In pursuing which certifications are important, learn about the security frameworks that address the unique requirements of your industry. For example, companies that accept credit card payments should maintain PCI certification. Overseen by the Payment Card Industry Security Standards Council (PCI SSC), PCI certification requires businesses to meet stringent requirements, maintaining seven critical security controls throughout the year.

HITRUST certification is a great option for businesses that handle protected health information. The HITRUST Common Security Framework (CSF) provides a mechanism for companies to address rigorous HIPAA standards. HITRUST CSF is also mapped to several other security requirements, like NIST, FedRAMP, and the EU’s recently implemented General Data Protection Regulation (GDPR).

For companies working in financial services, the American Institute of Certified Public Accountants (AICPA) offers SOC 2 reporting, which assesses a company’s security program against five trust services principles. As a bonus, SOC 2 reporting is widely recognized across multiple industries.

With cybersecurity incidents and data breaches continuing to be a threat, implementing a vigorous security program, both internally and verifying any supplier you use externally, is critical to the health and vitality of your business. At DATAMATX, we make security our number one priority and are happy to offer your business professional expertise on developing and maintaining optimal security fitness.