Staying Secure and Compliant With Cloud and Mobile

by CoSo

October 8, 2018

Do you know where all your organization’s digital assets are stored? Back in the day, companies could answer this question with a confident “yes!” because the answer was usually simple. It’s all in our datacenter, on our machines. But times have changed drastically, and security and compliance haven’t consistently kept up. Now, companies routinely store data on clouds, both public and private, and both directly and through services that companies use. For example, if a company uses an online conferencing service, that service probably stores information like recordings of calls, logs of call length, and what phone numbers dialed in to the line—but where is that information actually being stored?

For companies in regulated industries like healthcare and financial services, the answer to those kinds of questions must be clear. Since 2013, new HIPAA rules have made substantial fines a much more real threat for healthcare organizations than they had been in the past. HIPAA compliance requirements now also extend to “business associates,” or any company that provides services to a covered entity, like storing data in a cloud or providing conferencing and communication services. The practical upshot of these kinds of rules is that you could be exposed to fines for the way your service providers are handling your organization’s data.

“High-consequence” conferencing and e-learning often refers to situations where communication must take place. This includes applications ranging from military planning to utility maintenance. However, in regulated industries like healthcare and financial services, the spectre of large fines, regardless of whether any actual damage is done, is enough to make a much wider range of business communications “high-consequence.”

 

Have You Cast Your Data to the Wind?

The proliferation of cloud and mobile have made it shockingly easy to find one’s data spread far and wide across the internet—including sensitive and regulated data. In addition to the challenges posed by the cloud, data that is transmitted, stored, and viewed on mobile devices poses a weak spot in many organizations’ compliance nets. Employees’ individual use of mobile devices, including collaboration and meeting apps, texting and other messaging, and collaboration tools can leave sensitive data strewn over thousands of devices and vulnerable to loss or leakage.

Between the use of mobile devices and storing data in the cloud, most organizations will find their data is actually stored in many more—and often less secure and compliant—places than they had realized. Even if an organization has its own house in order however, the data management practices of its partners and service providers could be setting the stage for security and compliance issues down the road.

 

What the Expanding Data Footprint Means for E-Learning and Conferencing

The data send as part of e-learning and conferencing sessions is no exception to the risks posed by mobile and cloud tools. In fact, since secure conferencing is critical in many high-consequence and regulated industries, including healthcare, financial services, and government, ensuring that the content of conferences and e-learning sessions doesn’t fall victim to accidental exposure should be a security priority for organizations in these industries.

This necessity for securing conferencing and e-learning is complicated by the fact that it is a service that is almost always outsourced to companies that often have their own third party partners that handle storage and computing in the cloud. In addition, mobile devices are frequently a part of the picture. This poses not only a problem of data being stored on an increasing number of unsecured devices, but also the involvement of potentially problematic tools like encrypted messaging services, which can subvert compliance requirements.

The bottom line is that organizing conferencing and e-learning in regulated industries and for high-consequence applications can be a real mess in the era of cloud storage and mobile. However, there are a few things organizations can do to ensure their service providers and partners have their backs, rather than putting them at risk.

 

Conferencing and E-Learning That Has Your Back

The first step to ensuring your organization’s high-consequence communication is secure and compliant is to examine how seriously your service providers take compliance and security themselves. For regulated industries, providers should be certified by the relevant compliance authorities, including certification under HIPAA, FedRAMP, and SOC II Type 2. In healthcare, all service providers should be willing to sign Business Associate Agreements (BAAs), which will give you confidence that they will follow the rules and bear the burden of any fines for mistakes they make.

Providers should also take the opportunities and vulnerabilities of the cloud seriously. For high-consequence communication, private managed clouds are the gold standard. Finally, providers should be able to integrate with tools you already use or want to take advantage of. For example, if you’re one of the many organizations that likes Adobe Connect, you should find a provider that can ensure back end end compliance and security without requiring you to completely change the way you do conferencing and e-learning.

At the end of the day, cloud and mobile are not unlike any new and powerful technology: they offer new challenges for compliance and security that could cause disasters if not taken seriously. However, they also have the potential to make your high-consequence communication easier, cheaper, and more flexible and effective. In today’s environment of serious regulators and big fines, a big part of the difference lies in working with the right service provider.