All posts by jgardner

Data encryption and law firms – a match required by law

This blog post is for informational and educational purposes only. Any legal information provided in this post should not be relied upon as legal advice. It is not intended to create, and does not create, an attorney-client relationship and readers should not act upon the information presented without first seeking legal counsel.

By Kenneth N Rashbaum Esq. and Jason M. Tenenbaum of Barton, LLP.

Much of the discussion on law firm security has focused on data encryption. “Encryption” can generally be broken down into two types: encryption in motion and encryption at rest. Encryption in motion refers to the process of securing data while it is sent and received, so that anyone intercepting the transmission cannot read it. Encryption at rest refers to the practice of securing the stored data itself so that, even if it is accessed or copied, the data is unreadable.

Law firms are undoubtedly attractive targets for hackers because of the information law firms typically store. Corporate law firms often store information about a company’s financials, investments, business strategies and intellectual property. Law firms that handle non-corporate matters like real estate, personal injury, or trusts and estates matters often store medical information, billing information, social security numbers, insurance information, driver’s license information, and other valuable information about individuals.

Indeed, depending on the size and scope of a law firm’s practice, certain aspects of the same law firm may be subject to greater risk than others. As such, both aspects of encryption are important for law firms seeking to ensure that their information remains secure and confidential.

As the costs of off-site storage for law firm data decrease and the availability of cloud-based practice management tools increases, law firms moving aspects of their practice to the cloud should pay particular attention to how a vendor encrypts a law firm’s data both in motion and at rest for both legal and monetary reasons.

In addition to state or federal laws that may mandate security requirements for personal data and responses in the event of a breach, ethics rules generally require that an attorney strive to ensure that client information is kept confidential. Even more specifically, ABA Model Rule 1.1 and its state equivalents require attorneys to provide “competent representation” which includes staying up to date with the benefits and risks of technology.

Law firms in certain sectors may also be subject to additional information security requirements. For instance, law firms that handle cases for hospitals and other covered entities in the healthcare space are required by the Health Insurance Portability and Accountability Act (HIPAA) to maintain certain information security safeguards as Business Associates of the covered entity. Similarly, under the Gramm-Leach-Bliley Act, law firms that work with clients in the financial sector must also maintain certain security practices.

Importantly, encryption technologies and security threats change over time. As such, law firm security protocols that have not been kept current do little to ensure the security of law firm data as time progresses. Keeping abreast of new security threats and technologies and implementing changes in security systems is a costly endeavour in terms of both time and money. If its data is stored with a vendor, a law firm can rely on that vendor to ensure that up-to-date security systems are protecting the data.

Many law firms address the security of their client and firm information by hosting it with cloud providers. Cloud business models often comprise data security protocols audited by third parties. Yet many hosting providers require the law firm to encrypt data at rest: the provider often has access to the firm’s data infrastructure, and the provider’s risk management protocols require that the data be encrypted so that there is little risk of damages if the infrastructure is breached.

Ensuring that law firm information is secure and remains confidential requires more than an understanding of encryption in motion and at rest. Internal procedures for creating, storing and transmitting data are essential to a law firm information governance environment that meets ethics and other rules. These protocols should be prepared and thoroughly vetted by the firm to assure that they comport with the firm’s practice areas and organizational culture.

More than that, though, it is good business for a law firm to assure that information received from or created for clients is maintained and exchanged securely. In an age in which over eighty percent of business documents are in electronic format and less than ten percent of them are ever printed, electronic security for law firms is a paramount consideration.

The post Data Encryption and Law Firms, a Match Required by Law appeared first on Cloud Computing News.

Community health systems, HIPAA, and cloud hosting: The facts

On the heels of the recent Community Health Systems (CHS) data breach, in which the protected health information (PHI) of 4.5 million patients was compromised, the industry is abuzz about data security in the HIPAA-compliant cloud business. Data breaches like the one at CHS are not the exception – they’re the norm. The FBI warned in a recent Internet Crimes Bulletin that the healthcare industry is extremely vulnerable to hackers.

The massive security breach at CHS shows just how important it is to be proactive with all aspects of data security. PHI can no longer be secured with traditional security technologies and methodology; even up-to-date antivirus and firewall technologies are not enough to protect sensitive data from professional hacking teams. As the healthcare industry rapidly adopts new technology to meet the Meaningful Use: Stage I & II mandates of the Affordable Care Act, patient data is digitized and exchanged more than ever. Securing this data has become increasingly difficult, requiring sophisticated tools and armies of engineers.

Keeping PHI secure is a difficult job, but there are resources available to guide you through the process. Having an expert who can walk you through keeping your environment secure, available to your end-users, and profitable is the key to success. Work with your Managed Services Providers to create a “Security Matrix of Responsibility”, and use this as a basis to develop a proactive security policy. Service providers like Logicworks and AlertLogic can help identify which areas of the matrix fall under your purview. By narrowing the focus to those areas of your security policy that are your responsibility, it becomes easier to identify areas of focus for your business.

While CHS did have security technology in place, others often have little to no additional security beyond a traditional firewall to protect their infrastructure. Even in the case of the CHS breach, there was the possibility to do more; they have publicly stated that they have recently increased security and implemented new technologies to reduce the likelihood of this kind of attack in the future. Consult an expert in securing businesses in your industry, and consider implementing solutions such as:

  • Web Application Firewall
  • Log Shipping and analysis (with Alert Logic)
  • Monitoring service to alert you of any anomalies in your infrastructure.
  • Intrusion Detection (with Alert Logic)

HIPAA compliance and the security of PHI are not possible without an ongoing commitment to policies, standards and procedures. Here at Logicworks, to ensure that we’re always at the top of our security game, we constantly audit ourselves. Aside from identifying areas of improvement, internal audits help identify where you are failing to gather data effectively. Maintaining proper access-control logs is essential to protecting against cyber-attackers.

The post Community Health Systems, HIPAA, and Cloud Hosting appeared first on Cloud Computing News.

The new role for the private cloud – it’s not what you think

By David Linthicum

Private cloud was popular in the early days of cloud computing when enterprises struggled with security and control issues.  These days, public cloud dominates, as revealed in the recent “State of the Cloud Study” from RightScale.

The reasons for the growth of public clouds are pretty clear, including low operating costs, instant scalability, and the ability to better support changing businesses.  However, the private cloud still has a place in IT, and understanding what’s about to emerge in the private cloud space will give you a better focus on this pattern of cloud architecture.

Private clouds are being leveraged as points-of-control or interfaces into public clouds.  These emerging hybrid clouds or multi-cloud architectures use a tiered approach where the private cloud (tier 1) links to public cloud services (tier 2), and those looking to access cloud services do so using the private cloud services as the primary interface.  Then, as needed, the private cloud leverages the public cloud services.

An example would be a private cloud that runs on an MSP for an enterprise.  While the private cloud provides cloud services such as storage and compute using the native interface of the private cloud software, these services are supported with resources that run in the MSP’s public cloud.

If the private cloud needs additional resources, then it links to public cloud services, such as storage and compute. The public cloud services carry out operations on behalf of the request made by the private cloud, which, in turn, is carrying out a request made by the application or end-user.

This hybrid architectural approach uses the private cloud as an entry point, and it is beginning to gain popularity for a few core reasons:

  • Enterprises typically like to focus on private clouds as the primary resources for applications when there are considerations around control and security, and, in some cases, standing laws and regulations that dictate where data can and cannot reside.
  • Use of the private cloud as the “public cloud controller” (for lack of a better term) means there is a single set of interfaces to many different public cloud providers.  This simplifies the use of cloud services by providing a common layer of abstraction using a private cloud.
  • Finally, the use of governance and security becomes much easier to implement.  We’re really focused on the private cloud platform, and use the public cloud resources only as needed.  That means there is no repeatable pattern of use that causes vulnerabilities, and the security approaches are fairly straightforward.

The winners in this emerging pattern of use include enterprises that are not yet ready to make the move to the public cloud, but want public cloud types of services. However, this is not a temporary solution; it has the scalability to accommodate future uses.

MSPs deliver public cloud connectivity as part of their infrastructure, and are naturals to host these types of hybrid clouds.  They will be the more cost effective choice, for sure.

You should at least look at this approach.  Those who thought that private clouds were being relegated to tactical solutions may find that private clouds now have a new role.

The post The New Role for the Private Cloud. It’s Not What You Think. appeared first on Cloud Computing News.

HIPAA, cloud, and your business: What you need to know

By David Linthicum

When it comes to HIPAA compliant solutions, security, and cloud adoption, what most find frustrating is how to sort the myths from reality.  The “addressable” requirements of the security rules tend to be the most difficult to meet.  Thus, these addressable requirements have a tendency to fall off the radar, and could therefore create issues with compliance.

Under the HIPAA Omnibus Rule, business associates, which include many public cloud computing providers, are now directly liable for HIPAA compliance.  This rule also covers what associate agreements need to be in place, with a clear responsibility outlined for who will protect the data.

So, the trend has been to rethink the role of cloud computing, by those charged with HIPAA security and policy.  At its essence, this means understanding the existing requirements, and then understanding how the emerging use of cloud computing could provide compliant and secure HIPAA solutions.

Cloud computing has the potential to improve upon the best practices and technology that exist today.  Those healthcare organizations that have been reluctant to move IT assets to public cloud, or managed services providers, now see a day when there will be little option but to leverage these services.  Budgets are always tight, and the practice of building new data centers as healthcare organizations expand is becoming a bit tiresome to the boards of directors that pay the bills.

So, consider the next few years to be a bit of a forced marriage between cloud computing, managed services providers and their need to deal with healthcare compliance issues such as HIPAA. Both the regulators and the healthcare organizations need to work closely together to ensure that the resulting solutions don’t place patient data at risk, nor run afoul of the law.

Things are certainly scary.  Last year, breaches at Oregon Health & Science University involved the illegal storage of unencrypted patient information on a public cloud provider.  These types of events put focus on the issue of how the emerging regulations, such as the HIPAA Omnibus Rule, affect cloud vendor compliance.

So, what’s an underfunded healthcare IT shop supposed to do to ensure that it remains HIPAA compliant, as well as bring both agility and efficiency to the organization through the use of cloud computing? Here are a few suggestions:

– First, create a HIPAA cloud strategy that defines the approaches, agreements, and target technology providers that you would like to leverage.  Make sure to note costs, as well as do a quick business case study.

– Second, make sure to understand the risk, and the need for both security and governance.  Many healthcare organizations think that technology will save them.  However, it’s more about the people and processes, and then the technology.

– Finally, make sure to build outside validation and auditing into the process to make certain all of the agreements and technologies are up-to-date, and that the risk is as low as you can reasonably make it.

This is actually not that difficult to figure out, when you dig deeper into the issues.  However, like any other technical changes that require an assessment of legal issues, it’s a bit nerve-racking at first.

The post HIPAA, Cloud, and Your Business. appeared first on Cloud Computing News.

Cloud migration best practices for law firms

By David Linthicum

Legal IT Professionals’ online survey of its readership presented a split decision about a move to the cloud. “The online news publication covering international legal information technology asked readers: ‘If your law firm’s management asked for your advice regarding moving key applications to the cloud, would you be in favour of this strategy?’

The 438 responses from legal information technology staff, lawyers and paralegals were nearly split down the middle, with 46% opposing and 45% in favour, while 9% had no opinion.” The complete survey report can be found here.

The participants of this 2013 survey might be a bit more cloud-oriented these days, as more law firms find a new home for IT in the cloud. However, overall, law firms continue to balk at the idea of moving toward the cloud because they do not know how to take the first steps. Moreover, as stated by the law firms’ IT staff who responded to the survey, their firms would require new skills to transition to, manage and support the new cloud services.

The cloud migration path for law firms is not unlike that of other small businesses, with a few more issues to deal with around privacy, compliance, and governance. Here is a quick process that most law firms should consider:

First, assess the mission of the core legal practice. What are the specialty areas? International, family, tax, criminal, patent? In many cases, the practice covers several areas. Understand the patterns of security and the patterns of governance that are required, such as rules and regulations around how client data should be handled, and even ethical requirements. Can data be stored in other states or even other countries? Cloud providers have servers everywhere, but many will isolate data geographically, if necessary. What level of security is a legal requirement?

With the cloud, available security and legal security requirements continue to evolve.  Even those skilled with the law often don’t understand the current state of these regulations.  Create a security and governance plan from this effort.

Second, assess the existing practice management systems, and get a good understanding of the ongoing operational costs. In many instances, systems that run in the legal office’s data center carry a huge cost that most of those who manage the practice don’t really understand. You need to figure out that cost to see if the cloud will be an improvement. This information will allow you to pick the data and applications that are good candidates to relocate to the cloud. Create business cases, and a systems migration prioritization, from this work.

Third, create a migration plan that includes applications and data sets that will be more cost effective when run from a public cloud. Once you understand the specific applications and the data, figure out how those applications and data will migrate.

In some cases, the applications are packaged and you simply want a SaaS version of the same software systems, or an alternative product that provides a SaaS version.  In the case of data, you need to find analogs in the public cloud, including the same versions of the database that run in a public cloud (e.g., Oracle), or opportunities to leverage more purpose-built databases that may provide higher performance and lower costs, such as NoSQL databases.

Finally, execute the plan and include a stepwise path to migrate some of the applications and some of the data.  Start slowly.  Consider security and governance at each step, and make sure that the migration efforts align with the needs of the users in the practice.

Cloud computing is still a little scary to those who work in law offices, but the more innovative and fastest growing practices are moving to the cloud.  The move is certainly for cost reasons, but, more and more, it’s around the practice’s need to grow quickly, without limitations from IT.

The post Cloud Migration Best Practices for Law Firms appeared first on Cloud Computing News.

Standardisation of cloud contracts in Europe: Coming soon to the US?

By Kenneth N Rashbaum Esq. and Jason M. Tenenbaum of Barton, LLP.

This blog post is for informational and educational purposes only. Any legal information provided in this post should not be relied upon as legal advice. It is not intended to create, and does not create, an attorney-client relationship and readers should not act upon the information presented without first seeking legal counsel.

In light of the disclosures by Edward Snowden, there has been a push towards transparency both from governments and from technology companies that have amassed data about the personal lives of citizens. While the call for increased transparency has been worldwide, the European Union has been at the forefront of advocating for change.

In addition to revising its Data Protection Directive, a topic that will be discussed in more detail in a future post, the EU also tasked a group of industry experts from companies like Amazon, Adobe, Google, Microsoft, IBM, and Oracle with standardizing the language of cloud computing contracts to make them more consistent and easier to understand.

As a result, on June 6, 2014, the European Commission’s Cloud Select Industry Group – Subgroup on Service Level Agreement (“C-SIG-SLA”) released its Cloud Service Level Agreement Standardization Guidelines (“Guidelines”). Part of the larger Digital Agenda for Europe, the stated goal of the Guidelines is to “improve[] the clarity and increase[] the understanding of SLAs for cloud services in the market, in particular by highlighting and providing information on the concepts usually covered by SLAs.”

As such, the Guidelines are a “set of principles that can assist organisations[] through the development of standards and guidelines for cloud SLAs and other governing documents.”

The Guidelines propose that SLAs should be drafted with an eye towards consistency across companies in a manner that is “business model and technologically neutral,” with unambiguously defined terms and with a broad variety of users in mind. In addition to these guiding concepts, the Guidelines suggest that topics such as encryption, logging and monitoring, privacy, availability (“up time”), termination processes, and breach response be addressed in sufficient detail to allow customers to make informed decisions about the cloud service providers and their services.

Neelie Kroes, the European Commission Vice-President, hailed the Guidelines as a step in the right direction, stating that “small businesses in particular will benefit from having these guidelines at hand when searching for cloud services.” As the initiative to standardize SLAs is based in the European Union, it remains to be seen what effect these Guidelines will have on American companies and their agreements.

Currently, the C-SIG-SLA is working with ISO (International Organisation for Standardisation) to present the “European position at the international level.” As such, the Guidelines, in whole or in part, may ultimately become international standards and will find their way into SLAs for engagements between hosting providers and their customers within the U.S. This is only logical in that many U.S. cloud engagements in this age of globalization comprise data from beyond the United States.

Accordingly, if the Guidelines have the effect that the European Commission Vice-President believes that they will have, American companies will most probably conform to the principles established by the Guidelines for business reasons.

The post Standardization of Cloud Contracts In Europe: Coming Soon to the U.S.? appeared first on Cloud Computing News.