IT Compliance Archives | TierPoint, LLC (feed updated Thu, 19 Oct 2023 20:30:29 +0000)

IT Compliance & Security Planning Takes Center Stage for Healthcare
https://www.tierpoint.com/blog/it-compliance-security-planning-takes-center-stage-for-healthcare/ | Thu, 24 Jun 2021 17:50:00 +0000

It’s been a hectic year for the healthcare industry. The pandemic has forced healthcare systems to change how they deliver services as consumers became unwilling to visit doctor’s offices and hospitals, and it has accelerated digital transformation in healthcare. At the same time, providers faced mounting numbers of ransomware and other cyberattacks aimed at stealing patient data and disrupting healthcare operations.

Providers successfully added virtual doctor visits and expanded the data and services that patients could access online. Many also enabled non-clinical employees to work from home. 2020 was a year of rapid innovation and deployment of new technologies.

However, these new modes of accessing and sharing healthcare data must be accompanied by updated security technologies and policies. Likewise, remote workers need strong security to ensure that patient information isn’t compromised.   

How healthcare is addressing cybersecurity and IT compliance regulations

Now that the pandemic is becoming more manageable, healthcare providers need to upgrade their security technologies and strengthen their IT compliance programs to ensure these new digital services are fully protected.  

Healthcare organizations are governed by an array of state and federal requirements, many of them related to the security and privacy of consumer healthcare data. The two best-known regulations are the federal Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act.

HIPAA regulation applies to the storage, usage, and dissemination of confidential patient healthcare data. The HITECH Act mandates audits of healthcare providers to ensure that they comply with HIPAA. Both carry penalties for noncompliance.  

Because healthcare is a highly regulated industry, data breaches cost significantly more than in other industries. Ponemon’s 2020 report found that compliance failures added more than $255,000 to the average cost of a data breach, which, for healthcare providers averaged $7.13 million, the highest of any industry and a 10% increase from 2019.  

However, meeting compliance standards is about more than avoiding fines, lawsuits, and mitigation costs—although those are all excellent reasons for having an IT compliance program. A well-communicated compliance program can also be a valuable competitive differentiator from other healthcare providers.  

Consumers today are very concerned about data security and identity theft. Media have highlighted multiple breaches at companies ranging from credit monitoring companies and retail outlets to hospital chains. Consumer data, or personally identifiable information (PII), is the most commonly stolen type of data: 80% of breaches involved it, according to the 2020 Cost of a Data Breach study.

The fallout from a data breach can be substantial. Criminals can use this data to get fake credit cards, open bank accounts, and obtain prescription medicines under a stolen patient’s name.  

Healthcare providers without the security measures in place to keep patient data secure suffer the loss of reputation and business. Lost business costs accounted for nearly 40% of the average total cost of a data breach, according to the IBM/Ponemon Institute’s 2020 Cost of a Data Breach study. That 40% includes increased customer turnover, lost revenue due to system downtime, and a diminished reputation which makes acquiring new patients more expensive.  

Having a detailed and actively updated IT security compliance program can both prevent breaches and, if there is a breach, mitigate the damage.  

Three big advantages of an effective healthcare IT compliance program

Credibility and trust

Implementing a thorough compliance program tells consumers and employees the organization is committed to protecting them from identity theft and fraud. It enhances the provider’s image in the community and increases consumer trust. 

Valuable insights

Data security and compliance require data to be well organized and accessible. That makes data more useable and useful for analysis and reporting. Data mining can provide insights on improving patient care and treatment, as well as insights for making operations more efficient and cost-effective.   

Faster breach response

A compliance plan (based on compliance standards) provides a template for post-breach remediation and communication. A plan will guide not only IT staff and auditors, but your marketing and legal teams and outside stakeholders – auditors, officials, consumers, and even police. Rapid remediation and communication often make a huge difference in minimizing damage and retaining the goodwill of customers.

Is your healthcare business positioned to manage IT security compliance?

With increasingly complex governance, regulation, and compliance rules, most healthcare providers need help from outside experts to understand their IT security options. A third-party IT security consultant or managed security services provider (MSSP) can help evaluate and update your organization’s security technologies and policies. An MSSP can evaluate security practices, as well as provide planning, deployment, and management services to protect your patients and employees from unauthorized access to their personal data.  

Balancing consumers’ digital expectations while keeping their personal health information secure is critical to the success of any healthcare organization. TierPoint helps healthcare organizations to safeguard patient and employee data, as well as comply with state and federal regulations. Our experts can design a customized solution that will help meet your security compliance requirements. 

Learn more about how security and compliance work together to protect the business. Learn more about our IT security & compliance solutions and read our Strategic Guide to IT Security to learn more.  

Are you looking to improve patient outcomes using modern healthcare IT solutions? Our new ‘Delivering Modern Healthcare’ eBook highlights: 

  • The value of emerging tech for patient care, healthcare data privacy, and customer experience 
  • How cloud enables team collaboration 
  • Data privacy and compliance management 
  • How the cloud can protect against cybercrime 

10 Steps to Write a Better Disaster Recovery Plan
https://www.tierpoint.com/blog/10-steps-to-write-a-better-disaster-recovery-plan/ | Tue, 05 Mar 2019 17:22:08 +0000

How much downtime can your business afford? What applications does your business need to function? Your journey to digital transformation should include a disaster recovery (DR) plan, specifically a DR plan that serves your organization’s business continuity needs. Disasters are no longer only natural events; human error and cyber-attacks are now major factors. An organization’s disaster recovery needs will change over time. Taking certain actions can help improve your disaster preparedness.

Follow these 10 steps to build a better disaster recovery plan that truly serves your business – for recovery from any type of downtime event and to minimize unnecessary downtime every day.

1.) Build your disaster recovery plan on business continuity

Your business is different from every other business and to be effective your disaster recovery plan needs to be in lock-step with the needs of your business. The first step in building an effective disaster recovery plan is to acquire a deep understanding of how the continuity of the business depends on your IT environment. What applications does the business need to function? How current does the data need to be? How long can the business function without that application?

Disaster recovery requires prioritization to ensure the most important applications come up fast enough. To this end, you’ll need a matrix that ranks the urgency of each critical business function along with the application that supports that function. Your recovery services provider will use the information to design the best disaster recovery solution for your business.

2.) Understand your application and data dependencies

The next step is to understand the application and data dependencies of the priority applications. For example, SQL Server or Active Directory may need to be online before the application can run, so network services, databases and directories will need to be recovered first.

This step in disaster recovery planning includes deep discovery and the documentation of servers and virtual machines. A provider with professional or consulting services capabilities will have the tools to uncover dependencies and specific system details. This discovery may also reveal the complexity of your IT infrastructure such as SQL clustering services, or IBM mainframe or Power Systems (pSeries) that require specialized high availability DR.

On our blog: 10 Questions to Ask When Shopping for Disaster Recovery as a Service (DRaaS)

3.) Application tiering prioritizes system recovery

Tiering applications is crucial for disaster recovery planning. Like the IT strategy of tiering application data storage – wherein IT administrators invest in faster, more expensive disk drives for some applications – disaster recovery involves making decisions and investments to ensure the most important applications are recovered fastest. A DR and business continuity approach in which an organization assesses and makes strategic decisions about which applications and data are most urgent to recover is called application tiering.

The matrix discussed earlier can be extended with recovery point objectives (RPO) and recovery time objectives (RTO) for each application, and the applications grouped accordingly. With this information, the matrix supports the tiering of applications for disaster recovery.

Recovery point objective (RPO) is the maximum span of time, in minutes or hours, of data loss that is tolerable should a disruptive event occur. RPO determines how frequently data must be replicated.

Recovery time objective (RTO) refers to the window of time between a disruptive event and a return to operational status. RTO largely determines the class of equipment and the means by which data is recovered.

4.) Understand data change rates and replication bandwidth

Keeping your recovery environment up to date requires bandwidth. To understand the amount of data involved, you and your DR provider will work together to quantify the rate of change. Changed data will need to replicate to the provider or DR site. Do you have a hundred servers each with 100 terabytes of data that changes frequently? That’s very different from a similarly high-volume infrastructure with less change. Change rate will bear upon your disaster recovery plan and replication resources.

5.) Set requirements for recovery environments, including SLAs

Identify what is an acceptable recovery environment for your business, and whether you’ll need multiple environments for applications with differing service level agreements (SLAs). Will a multitenant environment meet the needs of your business, or do you need a hosted private cloud?

Another factor playing into this decision is how long you expect to be running your disaster recovery environment. One level of performance and functionality might be fine for a couple of days but may not be acceptable if your business needs to run in the DR environment for a longer time span.

6.) Choose your replication method based on RPOs and RTOs

Many organizations use a combination of data movers to address application tiers with different recovery requirements. A complex IT organization will use more than one technology to copy data from one location to another, that is, multiple data movers. For example, if a business application needs a 15-minute RPO with near-zero RTO, synchronous replication will be necessary. Otherwise, most organizations with short RPO and RTO goals choose asynchronous replication.

Synchronous replication is the process of copying data over a network so there are multiple up-to-date copies of the data. Data is written to multiple sites at the same time, so the data remains current between sites. Latency requires the sites to be located close together.

Asynchronous replication writes data to the primary storage array first and then copies the data to replication targets. This type of replication is designed to work over long distances and requires less bandwidth.

Backup services are used to archive and recover non-critical data. These include cloud or online backup, remote file backup, and local tape/disk backup.

7.) Identify internal resources and application experts

Regardless of the DR vendor you choose, your organization will need to provide people to help. A DRaaS provider delivers the data mover technology and DR application expertise to set up your DRaaS infrastructure and get your data copied from one location to another – and to orchestrate recovery.  Your business will need to contribute people who are familiar with your IT environment and applications, including troubleshooting. They’ll be needed throughout the implementation, which could take a few weeks – or a few months in a complex environment.

8.) Change happens, so test your DR plan regularly

Beyond the initial implementation, set aside time quarterly or at least yearly to test your disaster recovery plan to ensure it is ready. These tests often reveal changes made to an IT environment that impact disaster recovery: a server was retired, firewall and network settings that have been changed, or a new environment was put into production. Disaster recovery testing finds these types of gaps and allows for a smooth recovery when you need it.

9.) Drive short-term ROI from your DRaaS environment

Many of our clients find they can drive further ROI and value from their DRaaS environments. For example, businesses can speed the rate of security patching and mitigate cyber threats and stop ransomware with DRaaS. No longer do you need to apply a patch and hope it doesn’t crash your production environment. DRaaS lets you set up a test bubble where you can safely apply and test security patches before deploying them in production.

Watch the webinar “From Hurricanes to Hackers: The Expanding Horizons for Disaster Recovery” to learn more about the impact of DRaaS on cybersecurity.

10.) Derive long-term ROI from your disaster recovery environment

Does your IT transformation journey involve migrating to the cloud or from one cloud to another? Forrester Research’s survey, Cloud Migration Services (May 2017), revealed that more than two-thirds of organizations involved in modernizing their business application portfolio were migrating their existing applications to the cloud.

DRaaS uses the same tools in many cases as cloud migration, so the availability of these tools can increase your business and IT agility. Consider the business’s long-term goals for the cloud in your disaster recovery plan.

Putting requirements into action with the best DRaaS provider

Since the success of your DR plan depends upon choosing a vendor that meets all of your requirements, this is an important step. Businesses in many industries will want their DRaaS provider to have expertise in regulatory compliance, security services and hybrid cloud deployments, for example. In addition, experience with the platforms and applications you use is essential. (Tip: Certifications can tell you a great deal about which platforms the vendor is qualified to support.)

Focusing your disaster recovery plan on the needs of the business means that RPO, RTO, SLAs and rollover data center locations play huge roles in your choice. In addition, ensure the DRaaS provider offers solutions that allow them to test their systems with minimal to no disruption to your business operations.

As a DRaaS provider, TierPoint helps organizations like yours plan for and limit the impact of interruptions to data, application and infrastructure – in natural disasters, cyber disasters, cloud migration, and routine maintenance and security management.  We’ll meet you where you are in your digital transformation journey, including any combination of public cloud providers, a fully-managed TierPoint private cloud, colocation and on-premises solutions.

We collaborate and customize DRaaS solutions to meet your requirements. With a customer-first mindset, TierPoint is a responsive partner that will be involved in the entire planning, implementation and maintenance of your disaster recovery solution. TierPoint scored the highest for satisfaction among evaluated providers in Gartner’s 2018 Magic Quadrant for DRaaS. You’ll get 24×7 support from our available and responsive DR experts.

Take the next step

Build a better disaster recovery plan that truly serves your organization’s business continuity goals and beyond – in any type of downtime event, not just a natural disaster such as a hurricane. Review and strengthen your organization’s disaster readiness plan today with a disaster recovery strategy session.

Turn Compliance into a Competitive Advantage in 2019
https://www.tierpoint.com/blog/turn-compliance-into-a-competitive-advantage-in-2019/ | Tue, 19 Feb 2019 19:08:15 +0000

In a recent report on 2019 enterprise infrastructure trends, IDC predicted a “digital deluge” of data as organizations collect more and more information on customer buying habits and preferences. It’s no surprise that IDC also predicts increasingly stringent compliance regulations governing the collection, handling, and sharing of personal consumer information.

But compliance isn’t all about avoiding fines and the other costs of post-breach remediation. In their report, IDC states that, “During 2019, multinational organizations will need to move beyond achieving minimal viable compliance to using compliance as a competitive differentiator…”

Compliance as a competitive differentiator may require a bit of a paradigm shift. Let’s start by looking at two of the most common regulations, HIPAA/HITECH and PCI DSS, to see how you might approach this whether you’re a multinational organization or a boutique shop/provider serving a community of local customers.

Reduce customer churn with HIPAA/HITECH compliance

Healthcare consumers sign a HIPAA agreement every time they visit a healthcare provider. A few of them may even read the agreement before they sign. But whether they take the time or not, they go into their appointment with the understanding that their provider is required by law to keep their information private. The formality of this process can lead to pretty high expectations.

When a healthcare data breach happens, no doubt some consumers feel doubly betrayed. Not only did the healthcare provider not live up to their end of the bargain, but they also allowed the release of some of the most personal information imaginable.

Perhaps that’s why healthcare sees higher levels of post-breach customer churn than any other industry. According to the Ponemon Institute’s 2018 Cost of a Data Breach study, healthcare providers had an abnormal churn rate of 6.7% after a breach as compared to 6.1% in the financial sector, 5.2% in services, 3.0% in energy, and 2.7% in education. Abnormal churn is defined as customer turnover above what would be considered normal.

Abnormal customer churn is keenly felt in healthcare as it is in other industries where repeat business is the norm. People go to a doctor, dentist, or other provider expecting to develop a long-term relationship. If they’re happy with their provider, it’s almost a certainty that they will go back to that provider again.

So, a 6.7% abnormal customer churn rate can lead to a significant loss of long-term revenues, and that requires providers to spend even more as they try to win back the business. A study recently published in the American Journal of Managed Care found that hospitals increased their advertising spend by 64% on average in the year following a data breach. Over the two-year period following the breach, the increase in advertising spend reached 79%.

Customer trust, once lost, is a hard thing to regain. Healthcare providers can keep the customers they have from leaving by strengthening their IT security strategy.

Attract new customers with PCI DSS leadership

Credit card fraud is becoming increasingly common. According to Experian, credit card number exposure rose 88% in 2017 to 14.2 million accounts. In addition, data thieves stole nearly 158 million social security numbers. The final tally isn’t in yet for how many of the 2017 incidents led to identity fraud, but 31.7% of 2016 breach victims later experienced identity fraud.

US consumers know that nothing can stop all breaches. (They’re told something similar every time a breach happens.) But they also want to work with companies that aren’t putting their data at undue risk.

Companies think they’re keeping their customers informed through their privacy policies, but there are two problems with these documents. First, no one reads them. In 2012, Carnegie Mellon University estimated that it would take seventy-six (76) 8-hour workdays for the average person to read through all the privacy documents they receive. And that was in 2012!

Second, these privacy documents are written by the legal team, not marketing. That may be a necessary evil (sorry legal), but organizations might consider collaborating with marketing to put some of the language in real-people speak or allowing marketing to use compliance as a message to their target audience. While marketing will, of course, need to stop short of promising customer data will never be stolen, they can be more vocal about the measures they take to protect their customer’s privacy.

In the event a breach happens, transparency is vital. Many forward-thinking organizations make a very public effort to notify potential victims and even offer remediation assistance.

What other opportunities does 2019 have in store?

Digital transformation success requires organizations to stay one step ahead of the trends. If you’d like to see what else 2019 has in store, download the report: 2019 Enterprise Infrastructure Trends and Their Impact on Digital Transformation.

Hosted Private Cloud Environment Positions Potbelly Sandwich Shop for Growth
https://www.tierpoint.com/blog/hosted-private-cloud-environment-positions-potbelly-sandwich-shop-for-growth/ | Thu, 16 Aug 2018 20:24:45 +0000

According to a recent article in Forbes, “We are living in the second longest period of economic growth since World War II. If this recovery is sustained into 2019, it will be longer than [the] run up to the dot-com boom.” Many sectors of the American economy are seeing an uptick in business, and according to Investor’s Business Daily, economic optimism continues to climb.

Somewhat paradoxically, this good news may leave some businesses in a bit of a bind. After a decade or more of belt-tightening, many are finding themselves without the agility required to make the most of the economic recovery.

Recently, a change in PCI regulations prompted Potbelly, a fast-growing sandwich business with more than 420 locations, to revisit their IT infrastructure. As noted in her article on HospitalityTech.net, Maryann Byrdak, Potbelly’s CIO, decided it was also a good time to consider whether their current infrastructure could keep up with their growth plans:

Maryann Byrdak, Potbelly Sandwich Shop CIO: “As Potbelly’s CIO, I am responsible for modernizing our cloud strategy to accommodate the company’s ambitious growth plans and changing PCI compliance requirements. To meet our business goals, Potbelly needs an agile, flexible and secure IT infrastructure to support critical applications including business intelligence and credit card processing. At the same time, we did not want to own or maintain infrastructure components.”

Potbelly partnered with TierPoint to move from their current multitenant cloud environment to a hosted private cloud that better met their security and compliance requirements and gave them the agility they needed to meet their growth goals. We’re looking forward to partnering with Potbelly to help them grow and witness their transformation to the sandwich shop of the future.

Learn more about Potbelly’s transformation from a panel discussion at BraveIT 2018, where Ms. Byrdak was featured in “Bravery in the Midst of Digital Transformation: Success Stories.”

Read the full article on Hospitalitytech.com.

Migrating to the Cloud: Exchange Online Helps You Comply with Records Retention Rules
https://www.tierpoint.com/blog/migrating-to-the-cloud-exchange-online-helps-you-comply-with-records-retention-rules/ | Wed, 08 Aug 2018 16:05:24 +0000

Records retention rules are nothing new. They’ve been part of regulatory compliance since before computers were commonplace in business. However, the advent of email made records retention a lot more challenging for many organizations. Suddenly, every employee is producing multiple (sometimes hundreds of) emails a day, all of which can be subject to records retention requirements in many types of businesses.

In this post, I am not going to address the types of emails you need to retain, nor the length of time you need to store them. You should work with qualified legal counsel to determine the requirements for your business. What I am going to address is how Microsoft Exchange Online can help you safely, securely and cost-effectively comply with whatever records retention guidelines you establish.

What is Exchange Online?

Exchange Online is the hosted messaging application found in Office 365. For businesses both large and small, Exchange Online is a more cost-effective solution because it eliminates the need to maintain Exchange Server in-house or invest in the hardware needed to run the application. For organizations that are moving from on-premises messaging applications, it also offers increased reliability. Microsoft’s financially backed uptime guarantee of 99.9% is better than any guarantee you’ll get from almost any other provider, let alone the kind of uptime you’ll typically find for an on-premises implementation of Exchange Server.

Records Retention is Not Easy

In the old days, companies generally complied with records retention rules through email backups and journaling. There are a few obvious challenges with backups: they don’t always get done, backup media has a higher propensity to fail the older it gets, and worst of all, storing all of those emails can get costly.

Journaling is often confused with email backups, but it’s a slightly different animal. An email journal contains all of the same information as the backup plus additional information such as the physical location of the sender and receivers and the unique identifier of the systems involved. Journaling is required in the event an organization ever needs to prove something for a legal challenge.

As anyone who’s managed journaling before knows, it can be tedious and time-consuming. If you’re managing the journaling destination, the emails pile up quickly. Mid-sized and enterprise organizations may need a dedicated administrator for journal management because they will constantly be creating new mailboxes and redirecting journaling to the new locations. A great deal of processor capacity and storage space must be dedicated for the filing, archiving, and indexing of the journaling mailboxes.

How Microsoft Exchange Online Can Help You Comply with Records Retention Rules

Litigation Holds are the latest evolution, or alternative, to journaling and email backups. While email journaling and backups send a copy of an email to another location, Exchange Server offers a category of Litigation Hold called an In-Place Hold that keeps a copy of the email in a specified location. A user can still delete the email or content as they’d expect, but In-Place Holds will indefinitely retain the email in a hidden location only administrators can access.

Litigation Holds also let you refine your retention policies according to your specific requirements with a feature called Query-Based Holds. For example, you can place holds on emails that match criteria you set such as keywords, time parameters, and sender/recipient. You can also specify the length of time for which you want to retain these records.

Managing Litigation and In-Place Holds is pretty easy to do. While you want to ensure you are managing these parameters under the direction of legal counsel, you don’t necessarily need to use an IT resource. Microsoft often talks about assigning the task to a paralegal, for example.

Finally, in the event of a legal challenge, eDiscovery allows you to search your electronically stored information across documents, presentations, audio and video files, SharePoint sites and emails including those in Litigation Hold.
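The hold mechanism described above can be applied and audited from PowerShell. The following is an added example, not code from the original post; it uses the ExchangeOnlineManagement module's Set-Mailbox and Get-Mailbox cmdlets to place a time-bound litigation hold on a set of mailboxes and then list any mailboxes still without one. The mailbox addresses, the hold owner and the seven-year duration are illustrative assumptions.

```powershell
# Added example: enable a time-bound litigation hold and audit hold coverage.
# Assumes the ExchangeOnlineManagement module is installed and the signed-in
# account holds an Exchange Online role permitted to manage litigation holds.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName "admin@example.com"   # placeholder UPN

# Illustrative retention requirement: seven years, expressed in days,
# which is the unit Set-Mailbox accepts for -LitigationHoldDuration.
$RetentionDays = 7 * 365

# Constructed list of mailboxes that legal counsel asked to place on hold.
$Scope = @("alice@example.com", "bob@example.com")

foreach ($Mailbox in $Scope) {
    # With the hold enabled, items the user deletes are retained in the
    # Recoverable Items folder for the stated duration; the user's view of
    # the mailbox does not change.
    Set-Mailbox -Identity $Mailbox `
        -LitigationHoldEnabled $true `
        -LitigationHoldDuration $RetentionDays `
        -LitigationHoldOwner "legal@example.com"                 # placeholder owner
}

# Compliance check: report every mailbox in the tenant with no hold enabled,
# so gaps in coverage surface before a discovery request arrives.
$Uncovered = Get-Mailbox -ResultSize Unlimited |
    Where-Object { -not $_.LitigationHoldEnabled } |
    Select-Object DisplayName, PrimarySmtpAddress

if ($Uncovered) {
    Write-Warning "Mailboxes without a litigation hold:"
    $Uncovered | Format-Table -AutoSize
}

Disconnect-ExchangeOnline -Confirm:$false
```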

The Benefits Add Up

As I’ve described how you can use Litigation Holds and In-Place Holds in Exchange Online, you’ve no doubt made note of several important benefits. Let me summarize a few that should stand out:

  • No change in user behavior required – Getting users to follow prescribed processes has always been one of the toughest challenges in compliance. Litigation and In-Place Holds don’t require any behavioral or process changes.
  • Less chance of human error/intervention – Users can’t permanently delete emails covered under the holds, nor can they access emails in the hidden location without an administrator’s assistance.
  • More control over what is stored – Legal counsel will probably recommend you only store what is absolutely required. Query-Based Holds give you that control.
  • Improved legal response – In the event of a legal challenge, counsel will probably recommend you submit only what is needed, but to do it as quickly as possible to avoid additional, more intrusive requests. eDiscovery makes the process much simpler and faster.

Cloud computing. Simplified.

TierPoint offers managed cloud services across public cloud platforms like Azure, private hosted clouds, and hybrid environments. For organizations migrating to Office 365, we offer services like initial environment assessments, performance recommendations, managed Office 365, migration and deployment services and more. Contact us today to learn about how we can help you get started on your path to digital transformation.

8 Must-Have Physical Data Center Security Features
https://www.tierpoint.com/blog/8-must-have-physical-data-center-security-features/ | Thu, 28 Jun 2018 19:28:18 +0000

In a 451 Research survey, 60% of respondents reported that the majority of their IT environments would operate outside the confines of their own data centers by the end of 2019, shifting to off-premises service providers. Despite this shift, CIOs and IT leaders say security and compliance concerns weigh heavily when migrating to a third-party data center. Threats like ransomware and DDoS as well as stringent regulatory requirements are on everyone’s mind as they seek to maintain control of their companies’ data and computing resources. However, those with malicious intent are going to extreme lengths to steal data. Much of the data security conversation revolves around protecting that data from cyber threats, but what about threats to your physical infrastructure?

Physical security of your data can be just as important as your cybersecurity. While data centers have, so far, been immune to the types of physical attacks seen in other industries (like in the energy industry), off-premises service providers should protect against these types of threats. While ensuring the physical security of your data may seem like a daunting task, one way to quickly address it is to consider colocation with a trusted data center provider. 

8 vital physical security features for data centers

1. Threat assessment

Physical threats are just as likely to come from within your organization as from external individuals with malicious intent. There are two types of physical threats: the theft of hardware (often for purposes of stealing the data residing on that hardware) and physical attacks designed to sabotage a data center. A good data center provider knows how to properly define and assess these threats.

2. On-site security staff

Alarm systems and other precautions are a great idea, but the best defense is a good offense. Just having visible security staff on site 24x7x365 can be enough to thwart an attack before it happens.

3. Video surveillance

Camera systems can help you catch a criminal in the act and can also help you present critical evidence for an investigation, trial or insurance claim. At a minimum, your data center provider should have cameras on every entry point to the facility. Fewer windows are better, but if you can’t control that, there should also be cameras on the windows, since they are access points too. Security cameras make easy targets for theft as well, so a good data center should digitally archive the footage in real time, off the camera itself.

4. Controlled access

When your servers are simply on a rack in an unlocked room, it’s all too easy for someone to lift a server and walk out. A good data center provider will have options that range from simple PIN or electronic-key access to more sophisticated controls such as multi-factor authentication and biometric scans for more sensitive areas of the facility.

5. Background checks

Pre-employment background checks have become nearly universal. Your data center partner should be running them routinely through a third-party vendor with experience in performing background checks for IT employees. They should also perform background checks on vendor and contractor employees who will have access to data.

6. Proper employee exit procedures

When an employee with secured access leaves your company, there should be procedures in place to change access codes as necessary and revoke all access credentials. It’s also important to notify your provider to have their access removed – they should have strict controls regarding who has access to your data.

7. Vendor control

When a vendor or a contractor needs access to the data center, your provider should have policies around access and be able to continually monitor their activity to prevent data theft.

8. Compliance

Data center physical security is also a matter of compliance. Industry standards and government regulations, such as PCI DSS, don’t assign different penalties based on whether personal data was stolen by a cybercriminal or by a thief who broke a window in the middle of the night. Select a provider that complies with regulations and regularly undergoes compliance audits. A provider with knowledge of compliance regulations is critical to your data security.

We have secure data centers

Colocation with TierPoint allows you to put your company’s IT infrastructure in our strategically located, state-of-the-art data centers. Our facilities are independently audited to ensure we have the controls, processes, and physical security features to help clients get certified as compliant for critical regulations including HIPAA/HITECH, GLBA, PCI-DSS v3.2, and ITAR. 

Here is a list of our data center locations. You can read about each of them to take a closer look at their attributes including physical security features. When you’re ready, you can also request an on-site tour. 

Ready or Not – GDPR is Here
https://www.tierpoint.com/blog/ready-or-not-gdpr-is-here/
Fri, 18 May 2018 18:48:10 +0000

In April of 2016, the European Union (EU) adopted the General Data Protection Regulation (GDPR), a set of rules governing and protecting customer data. The EU then gave organizations a little more than two years to update their people, policies and systems to meet this new regulation. On May 25, 2018, GDPR will go into effect with promises of steep penalties for those who fail to comply with its mandates.

Our clients have been updating their data protection plans and looking to TierPoint for guidance, information and technical resources to ensure their organizations are meeting the new requirements. With the “go live” date rapidly approaching, interest in this topic has increased. To help you prepare, we are sharing answers to some of the more common questions we are getting from our clients.

Our responses are based on our business interpretation of GDPR regulations related to our services and will not cover all possible scenarios. Nor can we predict the way individual GDPR Data Protection Authorities and courts will interpret or enforce the regulation as time goes on. As always, TierPoint cannot provide legal advice and this article should not be considered legal advice. Any compliance initiatives should involve the on-going involvement of your legal counsel.


Q: My business is based in the United States. Do I need to comply with GDPR?

A: GDPR is not about where your business is located, but about the type of information you gather, store or process. GDPR is about protecting the privacy of citizens of the EU. So, even if your business isn’t located in any of the EU member countries, GDPR will apply if you gather or process personal information belonging to a citizen of the EU. Where you store or process the information is irrelevant.


Q: What are the penalties for non-compliance?

A: There are two tiers of fines. The lower-level fines are for technical non-compliance, e.g., not meeting the breach notification timelines. Though these infractions are considered less severe, the fines are still stiff: the greater of 10 million Euros or 2% of global annual revenues. The higher-level fines are for non-compliance with specific directives that infringe directly on an EU citizen’s rights. For example, not providing the required level of transparency into what data is being collected and how it is being used could result in fines of up to 4 percent of annual global turnover or 20 million euros ($24.6 million), whichever is bigger.

Which fines are levied, and on whom, will become clearer as instances of non-compliance and breaches occur. Privacy advocates are already preparing to test the new regulations in court.


Q: Is GDPR a data security regulation?

A: That’s part of it. GDPR is designed to protect the privacy of EU citizens and give them greater control over how their personal data is used. Keeping personally identifiable information out of the hands of bad actors is only a part of that. The regulation introduces the “Privacy by Design” concept and defines EU-wide privacy rights that fundamentally change the ownership of personal data and responsibilities associated with personal data. As these regulations will fundamentally change how businesses gather, use, retain and dispose of EU personal data and the risks associated with that data, you should establish a GDPR compliance task force and involve heads of other departments, such as marketing and legal, rather than just addressing it as an IT issue.


Q: Does GDPR define personal data the way other regulations like PCI-DSS and HIPAA do?

A: GDPR defines personal data as “any information relating to an identified or identifiable natural person (“data subject”); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity”.

The “directly or indirectly” language may end up catching a lot of companies unaware. Let’s say you’re gathering market information through a survey. If you’re not collecting any personal data such as names, email addresses or phone numbers, you may think you’re not covered by GDPR. However, if you have an IP address connected to that record (which many marketing surveys collect to ensure that responses aren’t duplicated), that data may be defined as personally identifiable data if you could use the IP address and other demographic data collected, such as employment and educational history, to identify a specific individual.

Also, HIPAA and PCI-DSS tend to be more focused on the security of personally identifiable information such as Personal Health Information (PHI) or Cardholder Data (CD). GDPR goes beyond security to define privacy rights that give EU citizens ownership of their personal data, including the right to access and transparency, allowing them to see what you have collected and what you are doing with their personal data. They also have the right at any time to object to or withdraw their consent to the gathering of personal data, to update that information, or to have companies completely erase it. GDPR also requires companies to implement privacy by design when launching a new product or service: privacy considerations must be addressed up front in the design process rather than as an afterthought, which includes minimizing the amount of data gathered and ensuring there are legitimate reasons to gather that data. If you do business with customers in the EU, you should consider evaluating whether you are meeting this requirement by conducting a Data Protection Impact Assessment (DPIA).


Q: Does GDPR require me to use a data center in one of the EU member countries?

A: No. Again, GDPR is less about where you store data than about what data you gather and how you protect and use it. If your data is stored in a country that the European Commission has found to have adequate protection, there is no need to move your data from that country. There is no need to scramble to move data to the EU if that doesn’t make sense for your business model; however, you should ask your current data center provider whether they are prepared for GDPR and, at minimum, have implemented adequate security controls and understand the different roles and responsibilities established under the regulation.

The Data Controller is the entity that determines the purposes, conditions and means of processing the personal data. You decide what information to collect and what is done with it. The Data Controller may outsource some processing functions, such as data storage and transmission, to third parties known as Data Processors, but not their responsibility for the security of data and for monitoring entities that process the data. A Data Processor may also outsource some processing tasks or services to sub-processors, but again, not the responsibility for monitoring their sub-processors.

Under GDPR, TierPoint is defined as a Data Processor (or in some cases a sub-processor). TierPoint’s responsibilities as a Data Processor are defined in our contracts and are limited to the logical and physical security of data in accordance with the services outlined in service agreements between TierPoint and its customers. We are responsible for maintaining the data center and cloud infrastructure that our clients use to host and transmit personal data but do not have a business need to view, modify, manipulate, transmit, or otherwise use the personal data to deliver contracted services. TierPoint undergoes annual third-party audits, including SOC 2 Type II, PCI-DSS and HIPAA, that focus on the security and availability of our data center services system.

Through contractual obligations, Data Controllers and Data Processors are jointly responsible for meeting GDPR compliance, but that shared responsibility in no way absolves or lessens the responsibility of any of the parties. Each organization should conduct a DPIA and consider reviewing the Terms and Conditions and Data Protection Agreements (DPA) it has with its own Data Processors to confirm the terms for processing and protecting data are appropriate.


Q: How can I be sure my data center has adequate controls in place? Is there some sort of certification I should look for?

A: There is not a GDPR certification process for data centers, but one thing you should consider looking for in US data centers is EU-US Privacy Shield compliance and industry-recognized third-party audits related to security. As explained on the U.S. Department of Commerce website (Commerce.gov), Privacy Shield is a “framework designed by the U.S. Department of Commerce and European Commission to provide companies on both sides of the Atlantic with a mechanism to comply with EU data protection requirements when transferring personal data from the European Union to the United States in support of transatlantic commerce.”

Granted, this is only one aspect of ensuring the safety and privacy of your EU-based customer data, but it’s an important one. Without adherence to Privacy Shield, data transfers to US data centers (or those based in other countries not deemed to have adequate security) may be illegal. You can read more about our Privacy Shield certification in our privacy policy statement or by visiting privacyshield.gov.

With the GDPR deadline looming, it’s important for organizations to understand how they are impacted and take steps to ensure they have plans in place to meet the new standards. If you have more specific questions about this regulation, please feel free to reach out to us here. One of our compliance experts would be happy to provide TierPoint’s perspective.

About the author: Simon Campbell is Director of Compliance and is responsible for implementing TierPoint’s customer, internal and external audit programs, and helped develop TierPoint’s ISMS, QMS and other supporting documents. He joined TierPoint through its acquisition of Windstream Hosted Solutions in 2015, where he served first as a Data Center Manager and then as Compliance Manager, leading various internal, external and customer audits as well as developing Hosted Solutions’ ISMS, QMS, BCP/DRP and Document Control Process. He is a Certified Information Security Auditor (CISA), a member of ISACA, and has over 20 years of data center hosting and IT audit experience.
