With the increasingly frequent and damaging security breaches in the news today, the natural tendency for IT professionals is to run back to the data centre and patch, upgrade, test and make sure that all business data and, therefore, the corporate reputation, is safe. While corporations continue to lock down the enterprise and its users, they often forget one important factor: employees have their own powerful computing devices, their mobile phones. Generally, employees will stop at nothing to make their jobs more convenient and efficient, despite the pesky obstacles put in front of them by the corporate cybersecurity team. Think of users as water and the IT security team as a rock placed in its path. Water will always find a way to get around the rock and continue flowing forward. One of the ways that the “flow” continues is via shadow IT, which is technology deployed in an organisation without the approval of the IT department.
Over recent years, shadow IT has evolved from the threat of employees using unauthorised applications to employees using personal devices for work purposes. Shadow IT brings new security and compliance issues to an organisation, as the technology is not subject to the same security processes and procedures that are applied to approved solutions. Since most employees essentially carry a computer in their pocket in the form of their cell phone, it is easy to download apps that enable them to do their jobs more easily, even though those apps may not be sanctioned and could throw the enterprise out of compliance. Unapproved apps can also significantly increase an organisation’s risk of cyberattack, as Gartner predicts a third of successful attacks experienced by enterprises will be on their shadow IT resources by 2020.
Further, according to eSecurity Planet, “enterprises face a far greater threat from the millions of generally available apps on their employees’ devices than from mobile malware.” Shadow IT was born because it has become so easy to download an app or use a home laptop for both work and personal use as a way around what is perceived to be an obstacle to productivity. This doesn’t mean that employees are trying to be malicious; they simply have more access to easy-to-use, easy-to-deploy technology at their fingertips. In addition, they may simply not know the risks proliferated by the activity on their personal devices.
Maintaining efficiency and security
Organisations may be under the impression that they can prevent risky app downloads through corporate policies and mandates. However, the question remains – will employees actually follow these rules? For example, most enterprises, especially those with compliance requirements, will often completely disallow texting. Despite the policy, according to Seyfarth Shaw LLP, even if email is the sanctioned form of communication in the workplace, employees will text. Organisations must have a clear and obvious way to enforce or monitor policy compliance, including how employees communicate over text. In many situations, employees download free apps like WhatsApp to communicate in confidence, which is often not sanctioned. The reality unfortunately is that “in confidence” is only partially true, since once delivered, the recipient of text has the information stored on their device, can forward it to anyone, or post it on Facebook for the world to see. Once “send” is hit, control is lost.
Organisations risk data breaches and compliance issues by allowing such unsecure applications to be utilised. On the other hand, by deploying an approved, secure texting solution, the enterprise can embrace the need to discuss sensitive matters via text. Today’s modern secure messaging solutions ensure that communications are secure, confidential and compliant to meet enterprise requirements.
With a secure messaging platform, users can still leverage the convenience and instantaneous nature of texting, while accommodating the enterprise’s needs. CIOs must stay on top of the needs of the business and the users, and provide staff with easy-to-use sanctioned solutions that can minimize the need for shadow IT. Organisations must then also realise that:
•Policies need to be enforceable and reasonable
•Training must be given to the user community on a continuous basis
•Employees should be encouraged to bring apps that can help business productivity to IT’s attention
The bottom line? In today’s mobile-driven environment, IT must be seen as business enablers, not the rock in its path.
(Article originally published on ENTERPRISECIO by Galina Datskovsky on October 24, 2017)
Over the last few years, competitive pressure to offer consumer-focused banking access, as well as opportunities for increased internal efficiency, have led to a surge in text usage across the financial services industry. In fact, major banking corporations like Wells Fargo, Bank of America, U.S. Bank and Chase are all offering SMS text and banking apps to expedite communications and transactions with their customers. While certainly an improvement to convenience and efficiency, financial institutions should strongly consider the potential ramifications of native SMS texting and instead implement a more secure, compliant and equally convenient communication option – secure messaging.
The Rise of Text Banking
Traditionally, banks and other financial institutions are required to call their clients to confirm customer bank account and credit card balances, transactions and amounts before processing anything. This process not only delays transactions and updates for the customer, but also impedes the financial professional with menial tasks that they could be relieved of through a more modern approach.
In addition, today’s consumers expect these retail-like services across the financial services spectrum, as nearly half of millennials want to receive SMS alerts from their bank and more than a quarter are completely reliant on mobile banking apps. With their preference for instant gratification, millennials don’t visit brick and mortar banks or ATMs, but fully depend on their mobile phones to deposit checks, transfer money and pay bills in real time.
Recognizing the inefficiencies of manual processes, in addition to consumer demand, big banks have led the charge to modernize with mobile banking apps and text banking services, which enable customers to perform basic transactions and communicate account information using SMS text messaging. Implementing mobility in banking significantly enhances convenience and efficiency for both the client and the employees, as the majority of phone calls are related to such simple requests that can now be completed in real-time by the client. As a result, it frees up employees to focus on more lucrative tasks.
To keep up with mobile banking demand, smaller financial firms, particularly in specialty areas like private wealth management, are feeling the pressure to quickly communicate with clients over text instead of time-consuming phone calls. For example, a wealthy retiree or busy executive values the ability to communicate with their wealth manager via text, as it provides an increased sense of availability and personalization.
As a result of the rising popularity of text banking, FINRA recently published a regulatory notice that states financial organizations must keep records of any communications made via text messages. However, since native text messaging doesn’t offer this functionality, many firms are putting their customers’ data and sensitive organizational information at risk, opening themselves up for compliance and legal ramifications, or banning use of text completely.
Securing Sensitive Communications
In 2016, financial services became the No. 1 target of cybercriminals, according to an IBM threat index. With the increasing use of text banking, targeted cyberattacks via SMS messages are a growing practice. A typical SMS phishing (SMiShing) scam involves a text alert that appears to be from a bank. The text creates a sense of urgency by saying something is wrong with the recipient’s account and directs them to a toll-free phone number or website, where they are tricked into providing their account and password, Social Security number or other PII. A successful SMiShing attack can result in significant financial and reputational damages to financial institutions and, based on severity, can even put them out of business.
Banning text banking and mobile banking apps, however, does not have to be the solution. While the convenience and efficiency do not outweigh the risk of cyberattacks and compliance violations, there is a way to have both.
Secure messaging alleviates the risks associated with native SMS text, so financial organizations can leverage the efficiency of modern day mobile messaging without risking business information leaks and sensitive data breaches. With an advanced secure messaging solution, the sender maintains complete control of the conversation, the data and its use at all times, preventing unintentional sharing and propagation of information. Further, unlike native SMS texting, secure messaging ensures all texts are captured and archived to the organization’s repository of record for compliance purposes and processes, while removing texts from sender and recipient devices.
For example, a private wealth manager can provide real-time investment advice directly with a client via secure messaging to allow for immediate decision making, much to the delight of the client. In addition to convenience, wealth managers can communicate with confidence knowing they have full control of the information shared, that their clients’ financial information is secured, and that they’re protected from legal ramifications.
Though text banking creates more cybersecurity and regulatory issues, implementing a secure messaging platform allows financial organizations to maintain the convenience of SMS texting while ensuring the financial and personal information exchanged is protected. As the financial services industry continues to integrate texting into their operations and offerings, they must ensure that their text messaging is secure and compliant.
(Article originally published on Think Advisor by Galina Datskovsky July 25, 2017)
(Article originally published on Health IT Outcomes by Galina Datskovsky May 17, 2017)
Patient care requires fast-paced, asynchronous collaboration that ensures quick responses for life-saving decisions. Because text is the most rapidly responded to communication channel utilized today, many healthcare professionals communicate and collaborate via their mobile device. In fact, a recent HIMSS Analytics study reported 70.6 percent of IT professionals, clinicians, C-suite executives, and department heads use smartphones for EHR access, and 76.5 percent access clinical information through smartphone apps. However, according to Lisa Gallagher, vice president of technology solutions for HIMSS, text messaging by clinicians is a major source of protected health information (PHI) leaks and violation of HIPAA privacy and security standards.
To reduce cybersecurity risk, ensure compliance, and improve efficiency, healthcare organizations have started to implement enterprise-wide secure messaging platforms to communicate sensitive information and patient data.
These platforms allow employees to leverage the convenience of text messaging without jeopardizing the integrity of patient data or the reputation of the business that could result from a data breach or compliance violation. While larger healthcare systems have started to incorporate secure messaging into their communications, small and midsize organizations, specialty clinics, support groups, and even dentistry should also strongly consider utilizing these platforms as they’re held to the same standards and face the same risks.
Cybersecurity Risks To Patient Information
Healthcare consistently ranks as the number one most targeted industry for cybercrime, which is no surprise given that patient data sells for more money than any other information on the black market.
Because healthcare organizations have lagged behind in terms of implementing advanced cybersecurity technology — and attackers are becoming ever more sophisticated — cyber threats show no sign of slowing down. In fact, major cyberattacks on U.S. healthcare organizations increased 63 percent in 2016 alone. However, cyber criminals are not just targeting enterprise healthcare systems, as one of the biggest healthcare data breaches of last year affected 882,590 patients of an anesthesiology and pain clinic.
While hospitals may have protection for their computers and systems such as antivirus and firewalls, a new trend in ransomware is targeting mobile devices. According to Kaspersky Labs, between 2014 and the present, mobile attacks have almost quadrupled and are expected to be even more popular in 2017. Without a secure messaging platform in place, hospitals and healthcare organizations will remain vulnerable to advances in “smishing” (SMS phishing) and other mobile cyberattacks, as 95 percent of healthcare professionals, physicians, and nurses use their smartphones and tablets for work — whether sanctioned or not. Unlike SMS text messaging, senders communicating via an advanced secure messaging platform have complete control of the communications, images, and documents they deliver, meaning recipients cannot copy, forward, store or share information received. This denies unintended propagation of sensitive patient data outside of the circle of care.
Further, secure messaging platforms can prevent images from being screenshotted and users can shred or expire sent messages at any time from all devices and message servers, providing ultimate control over the conversation and content at all times. Messages can also be set to automatically expire based on corporate policies that establish appropriate timeframes per role.
Stricter HIPAA Standards
Due in part to the increase of cybersecurity risks that threaten the integrity of patient information, HIPAA will be enforcing stricter compliance requirements for small to midsize healthcare businesses this year, resulting in higher fines and even jail time for major violations. Hospitals not requiring employees to communicate via secure messaging platforms not only put patient data at risk, but their entire business as employees will continue to use non-compliant messaging channels to communicate sensitive patient information if a secure option is not available. Secure, ephemeral, and compliant messaging platforms provide a means in which to confidentially collaborate between care giving teams, physicians, specialists, pharmacies, payers, and even the patient, enabling healthcare professionals to utilize text in a HIPAA-compliant manner. What’s more, advanced platforms integrate with leading EHR and scheduling systems to increase efficiency and compliance.
Further, a reputable secure messaging provider does not have control or even a copy of users’ data, so patient data is always under the control of the healthcare organization. By archiving a single instance of text messages into the EHR to ensure complete and comprehensive record, any burden of manual transcribing is essentially eliminated and can, in fact, improve efficiency and decision making for superior patient care.
Efficiency Challenges Prohibiting Collaboration
When caring for patients with changing care needs, nurses often need to locate doctors in-person or via phone to verbally communicate updates which can often result in miscommunications or delayed care. Relying solely on verbal communication hinders workflow, patient care and collaboration should the physician or practitioner not be on call, in surgery or otherwise unavailable — something particularly important during emergency situations.
Whereas waiting for a return call can delay treatment, text is an alternative, quick response mechanism in which to share information, images, etc., in order to quickly get direction and orders on how to proceed. Unlike in-person communication, a geographically-separated doctor can easily collaborate and consult with other doctors or nurses throughout the decision-making process via secure messaging.
With the ability to take and share photos real time, healthcare organizations can improve the odds of better patient care and, in some cases, patient survival. Further, secure group chat features create a central source for collaboration and shared decision making among care providers. In an age of increased innovation, mobility, and security concerns, secure messaging helps organizations improve efficiency and business workflows to expedite response times, improve decision-making, and increase knowledge sharing – all without jeopardizing security or compliance. From admissions, to emergency room staff, to physicians and specialists, to nurses and home healthcare and hospice, to skilled nursing and more; secure messaging helps medical professionals communicate with confidence.
About The Author
Dr. Galina Datskovsky, CRM, FAI and serial entrepreneur is an internationally recognized privacy, compliance, and security expert.
Galina is currently the CEO of Vaporstream, a position where she applies her knowledge and strategic guidance in building businesses, product development, and governance policies, as well as cyber security.
Due to the nature of care required for elderly LTC patients, it has become common for family members to play an integral role in long-term care for patients at home, during the transition between facilities, and even in healthcare decision making. In fact, 65.7 million family members have become caregivers who provide care to someone who has aged, is ill or disabled in the United States.
This support can be extremely beneficial to both the patient and the family, as numerous studies, including a recent report from Johns Hopkins Evidence-Based Practice Center (JHUEPC), have proven. The systematic communication between healthcare providers, patients and their families simply results in better patient care and better peace of mind for the family members involved.
In order to maintain consistent and quality care, high levels of communication are required between the skilled nurses, physicians, as well as the patient’s family who make up the immediate care team. These care team members, whether professional or familial, form a circle of communication surrounding the health of a patient. Since senior patients often have multiple conditions with various specialty providers, collaboration with the appropriate parties is vital to ensure coordination of care.
Methods for efficient communication must be established in order for providers to control the conversation and keep necessary caretakers involved in important medical decisions and informed of any health changes in a timely manner.
Because text messaging has become a preferred means of communication in both professional and personal environments, healthcare teams and family members often rely on native SMS text to collaborate for faster patient care decisions. In fact, 95% of healthcare professionals, physicians and nurses use their smartphones and tablets for work – whether sanctioned or not. However, because healthcare data breaches are up 40% from 2015, skilled nursing facilities need to be confident that the sensitive patient information shared within the circle of care will not be compromised.
To help manage patient health and ensure privacy and security, care teams and family members have the opportunity to leverage enterprise-strength text or messaging platforms that offer secure chat and collaboration, sender control, image and screenshot security as well as ephemerality – features particularly beneficial to long-term and post-acute care providers.
Protecting Communications with LTC Patients
As healthcare providers transition from fee-for-service to value-based care, it’s becoming more important than ever for healthcare providers to streamline communications with the entire care team, all while maintaining HIPAA compliance. Because healthcare is one of the most targeted industries for cyberattacks, it’s equally important to go beyond compliance to truly ensure the integrity of the patient record and protect patient privacy. Therefore, skilled nursing facilities should consider secure messaging platforms that focus first and foremost on the protection of the circle of care communications.
Unlike SMS text messaging, senders communicating via an advanced secure messaging platform have complete control of the communications, images and documents they deliver. Specifically, this means recipients can’t copy, forward or share information, which denies unintended propagation of sensitive patient data outside of the circle of care.
As such, the care team can leverage the efficiency and features of SMS texting, such as group text, without opening up the conversation to risks, vulnerabilities or outside sources. Further, secure messaging platforms available today can prevent images from being screenshotted or stored on devices, and provide the ability to expire messages from devices and message servers based on policy while maintaining a copy of the communication with the patient record in the EHR. These capabilities not only protect patient data, such as test results and diagnostic imaging, but also ensure critical information is immediately and confidentially accessible to the care team.
As technology continues to evolve and advance across the healthcare industry as a whole, long-term and post-acute care facilities will certainly reap the benefits of customized, tailored solutions. In fact, a recent report revealed the marketplace for technology designed to assist aging adults is expected to reach more than $30 billion in the next few years – a 1400 percent increase from today’s market figures. As a result, skilled nursing facilities should proactively leverage modern technology, particularly technology specific to long-term care, in order to improve efficiency of communications, security of patient data and, ultimately, quality of care.
Galina Datskovsky, Ph.D., CRM, FAI, is CEO of Vaporstream®, a leading provider of secure, ephemeral and compliant messaging.
(Article originally published in Mcknight’s by Galina Datskovsky April 10, 2017)
Secure technology gives providers new options to successfully support patient outcomes
(Article originally published in HomeCare Magazine by Galina Datskovsky in their March 2017 Cover Series)
In the health care industry, patient care is the number one priority. Whether a patient is undergoing a routine medical procedure, managing a chronic illness or needs ongoing care due to a disability—the quality and effectiveness of any patient’s care is a collaborative effort. As such, care teams—from doctors and nurses to the patients and their caregivers—need the ability to communicate efficiently, effectively, privately and securely to ensure the highest level of service. Unfortunately, the ability to have these critical conversations on demand is an ongoing challenge, particularly when it comes to home health care.
According to the National Center for Health Statistics, 4.9 million patients received homecare from 2013 to 2014. That’s 4.9 million people who relied on home visits from health care professionals for everything from infusion therapy to physical therapy, or in-home caretakers to provide around-the-clock assistance. If the status of a patient at home changes and it is difficult for these health care professionals in the field to communicate with their team for feedback, collaboration is delayed and the patient may not receive the care they need in a timely manner.
The Communication Challenge
Unfortunately, communication and effective collaboration are not always as easy as they should be. As an example, it is unlikely that a doctor, nurse and caretaker can connect easily by phone as they are constantly on the move, whether meeting with patients at the hospital or traveling between homes. Pagers also leave much to be desired when a rapid response is required.
To try and help streamline this communication issue, many health care organizations have adopted tools such as secure communication portals and email encryption. However, these alternatives can result in delays to needed responses.
As one might expect, in order to overcome the communication challenge without added complexity, many health care professionals have turned to text messaging, either via native SMS text or through texting applications. In fact, worldwide text has outgrown email as the tool of choice due to its immediate response rates. Text messages have a 98 percent open rate and a 45 percent response rate, while email has a 22 percent open rate and 6 percent response rate.
Estimates show that roughly 95 percent of health care professionals are already using smartphones and tablets in the workplace, whether sanctioned or not. While texting is an efficient and effective communication alternative, patient care teams must ensure they are using apps that provide features to maintain privacy and confidentiality as well as meet HIPAA compliance. In order to avoid fines and to ensure patient information security, health care organizations are turning to secure enterprise messaging applications.
Enterprise Messaging Apps
A secure messaging app includes features that place the emphasis on patient privacy. Sender controls offered by enterprise messaging apps are essential for homecare teams to ensure that messages cannot be forwarded, copied, pasted or otherwise shared with an unauthorized outside party.
These controls also guarantee that screenshots of messages or photos cannot be taken and used for a purpose other than the intended one. With the proper controls in place, homecare teams can communicate with physicians, transmit notes, photos of wounds and securely send patient information, such as insurance cards and social security numbers, without unintended propagation.
Not only are messages encrypted for security purposes, but many of these messaging apps also provide ephemerality, or the ability to set an expiration date for messages on the mobile devices. Ephemerality ensures that no data remains on the device or the message server. If a homecare nurse needs to take a photo of a patient’s wound to send back to the hospital, for example, the image will expire from the device based on a period of time of inactivity. This alleviates any concerns that a copy of the photo could be compromised should the nurse’s phone be lost or stolen. In fact, approximately 96 percent of health care organizations say they have had a security incident involving a lost or stolen device. In addition, if the organization uses a secure, ephemeral messaging app and this situation does arise, the owner has the capability to shred all remaining unexpired data from the device on demand, making it inaccessible.
Crucial to the health care industry and patient care is support of information governance and compliance. As messages are sent between various members of the care team, a single copy is saved and stored to a patient file so a complete patient record is available through the patient care system. Having a secure, ephemeral enterprise messaging app that allows for patient information to be stored in a secure repository of record means that home health care organizations can meet HIPAA compliance standards while removing the risk of messages remaining on mobile devices.
Secure Collaboration and the Patient Journey
Streamlining communication and collaboration for patient care also empowers the patient to play a powerful role in their own care. With an easy-to-use application, patients and their family members can securely communicate directly with health care professionals.
For example, if a patient is concerned about a new symptom that presents itself, rather than wait for a nurse to stop by and express their concern, they can communicate directly with their doctors or the nurse. Likewise, doctors can communicate directly with patients to encourage behaviors that aid their care and quality of life, such as reminders to take medication or simply to check on their status.
In a recent clinical trial conducted at Johns Hopkins University, it was determined that personalized text messages that encourage people to increase their physical activity or that congratulate them for having done so make a significant difference in the patient’s well-being. In their study of 48 individuals, those who received nudges via text message were twice as likely to walk farther and reach a preset goal of 10,000 steps daily. When patients are at home, the personal touch and direct communication with doctors can positively impact their overall care and well-being.
Empowering Home Health Teams
Patient care is a collaborative effort and it requires accurate, secure and efficient communication. By enabling quick and protected communication between all members of a patient’s care team, including the patient themselves, secure enterprise messaging apps enable high-quality efficient care. Specifically, when a patient relies on homecare, these apps provide a quick, secure and compliant way for the home-based care team to coordinate with health care staff at the hospital, doctor’s office, physical or occupational therapist’s office and pharmacies, as well as the patient and patient’s family.
Bottom line—with enhanced communication, comes superior patient care.
In December 2016, The Joint Commission announced its decision to continue its ban of secure messaging as a means for clinicians to place patient care orders. This ban essentially reverts back to the same standards for patient care orders that were set into place in 2011, despite the technological advances that have been made in secure messaging applications over the past six years, and in spite of medical professionals’ use of less secure means to communicate. The timing of the decision added to the confusion, since the texting ban had previously been lifted in May 2016 and then swiftly put back in place while under further review in July 2016.
Per the most recent December announcement, The Joint Commission, together with Centers for Medicare & Medicaid Services (CMS), cited concerns about doctors using secure text messaging for orders, including potential delays and the additional steps required for clinical staff to input messaged data into electronic health records (EHR). The newsletter noted that clinicians should use the preferred method of computerized provider order entry (CPOE) so that providers can input orders into the EHR, or, under extenuating circumstances, orders should be placed verbally.
Though The Joint Commission’s concerns are justified, considering the healthcare industry is one of the most targeted sectors for cyberattacks, its latest statement against secure text orders for patient care is unreasonable, based on advances in today’s secure messaging platforms. With proper implementation, modern secure messaging platforms not only dispel The Joint Commission’s concerns, but go one step further by proactively addressing security threats that weren’t included in the recent announcement. Further, they can actually provide significantly greater benefits to efficiency and compliance, both greatly sought after in healthcare today.
In fact, secure messaging platforms can address all three of The Joint Commission’s stated concerns, as outlined below:
1) The implementation of an additional mechanism to transmit orders may lead to an increased burden on nurses to manually transcribe text orders into the EHR.
On the contrary, today’s secure messaging technology can seamlessly integrate into a hospital or healthcare organization’s EHR, which allows for comprehensive documentation to the patient record and full archival. This process improves overall efficiency by eliminating the unnecessary step of having to manually transcribe orders, allowing for clinicians to focus on patient care. As an added benefit, secure messaging platforms offer PHI, PII, and IP protection and ensure the privacy of patient records.
2) The transmission of a verbal order allows for a real-time, synchronous clarification and confirmation of the order as it is given by the ordering practitioner. As the process for texting an order is an asynchronous interaction, an additional step(s) is required to contact the ordering practitioner for any necessary discussion prior to order entry.
By its very nature, verbal dialog is highly susceptible to miscommunication caused by outside factors, misunderstandings or forgetfulness after conversations. Instead, secure messaging platforms provide communication-intensive healthcare organizations with a written transcription delivered in real time that can be easily reviewed by both parties, referred back to after discussions take place, and recorded in an encrypted format that meets compliance standards.
3) In the event that a CDS recommendation or alert is triggered during the order entry process, the individual manually entering the order into the EHR may need to contact the ordering practitioner for additional information. If this occurs during transmission of a verbal order, the conversation is immediate. If this occurs with a text order, the additional step(s) required to contact the ordering practitioner may result in a delay in treatment.
Patient care requires fast-paced, asynchronous collaboration that ensures rapid response for life-saving decisions. In any situation when patient orders or recommendations need further clarifications between two parties, then further dialog – whether written or in person – will be required. Relying on verbal conversations can cause delays due to the steps needed to track someone down by phone or in-person. By having a written record of what was discussed, miscommunication can be quickly identified and errors and alerts can be managed expediently. Also, as time is of the essence in patient care, it should not be understated that text is the most rapidly responded to communication channel that is utilized today with a 98 percent open rate and 45 percent response rate, drastically outpacing both email and voice.
The Joint Commission indicated it will continue to monitor advancements in healthcare to determine “whether future guidance on the use of secure text messaging systems to place orders is necessary.” Considering there are platforms already available that offer secure, ephemeral and compliant messaging to healthcare organizations, we expect The Joint Commission will soon catch up with advances in technology and reverse its stance yet again – this time with confidence, knowing that secure messaging platforms are more secure than SMS texting and more expedient than verbal communications.
(Article originally published in Healthcare Innovations and Technology News and Views by Galina Datskovsky, March 20, 2017)
HiMSS – a tech-enabled vision of health potential. As health spending approaches 20% of the US GDP, health technology innovation has become a visible lever for its curtailment. At this annual HiMSS event those with comfortable shoes could see a plethora of ways to improve outcomes, lower costs, change behaviors, engage patients, streamline back office processes and confront the onslaught of security breaches, and could learn about telehealth and attend sessions on population health, healthcare transformation and improved care delivery workflow. This was an opulent show, spanning a 1300-participant exhibit hall with major player (anchor) exhibitor booth investments writ large. Here are seven interesting examples that could benefit the older adult market – listed in alphabetical order:
Beyond Verbal. An ‘emotions analytics’ vendor, the software “turns any smartphone or mic-equipped wearable device into an emotional wellbeing sensor using technology that doesn’t consider the actual content or context of spoken word, but instead studies intonation in the voice.” The company has two free, consumer-facing apps, Moodie and Empath, and one for clinicians called Beyond Clinic. The goal is to enable voice-powered devices and apps to interact with the user on an emotional level, “just as humans do.” Learn more at Beyond Verbal.
Higi. “Surpassing 10,000 retail locations this year and rapidly approaching 200 million individual screenings since the company was founded four years ago, higi has the largest health station network in the United States, including more than 50 food, drug and mass retail banners. Combined with health and activity data linked to a user’s account from 70 different devices and apps, higi’s data is drawing the broader healthcare community into the higi ecosystem for population health, chronic care, and disease prevention solutions.” Learn more at higi.
IBM Watson Health and Global Ageing. In 2015, IBM Research followed up on its initiative to deliver iPads to 5 million Japanese seniors. “The nationwide infrastructure of Japan Post Group and its ability to cover the “last mile” with a custom iPad tablet/application to virtually every citizen of Japan.” IBM now has a Global Ageing Initiative as part of IBM Watson Health group. Lilian Myers heads that effort, which helps governments, industries, and companies around the world, as they seek to develop products (like SimpleC) and tech-enabled services for consumers in the new ‘longevity economy.’ Learn more at IBM Watson Health.
Orbita Voice and Lenovo Health. “Lenovo’s Smart Assistant, first previewed at the Consumer Electronics Show in January, is a voice-controlled speaker for the home that combines the Amazon Alexa voice platform with Lenovo styling and Harman Kardon speaker technology. Orbita’s Voice is a voice experience manager that builds on other voice-assistant platforms like Amazon Alexa to enable intuitive, patient-centric home care experiences designed to improve patient engagement, care coordination and outcomes.” Learn more at HealthIT News.
Reflexion Health. “Virtual physical therapy provider Reflexion Health is an industry-leading digital healthcare company dedicated to transforming traditional medicine and improving clinical outcomes. We specialize in using motion-tracking technology to create innovative digital health solutions that help patients receive the benefits of physical therapy in the safety and comfort of their own home.” Learn more about tele-rehabilitation at Reflexion Health.
Stratus Video – multi-language interpreter services. “Stratus Video telehealth services leverage everyday technology like tablets, smartphones, and laptops to quickly and easily access needed specialists to translate in as many as 200 languages – enabling communication between patients and providers. Our integrated solutions also allow one of our medical specialty interpreters to be added to any conversation, resulting in improved patient engagement and outcomes.” Learn more at Stratus Video.
Vaporstream. “Vaporstream provides secure, ephemeral and compliant messaging for the enterprise. We empower business professionals to communicate with confidence. By securely leveraging one of the most prominent 21st-century communication channels – text messaging – Vaporstream® Secure Messaging enables your business to streamline workflows, ensure confidentiality and remain compliant while you collaborate.” Learn more at Vaporstream.
(Blog originally published in Aging In Place Technology Watch by Laurie Orlov February 23, 2017)
Q&A With Vaporstream CEO Galina Datskovsky on critical risks and compliance.
Today we bring you an interview between Maurice Gilbert, CCI’s CEO, and Galina Datskovsky, CEO of Vaporstream, a leading provider of secure and compliant messaging offering best-in-class infrastructure enabling companies to meet complex bring your own device (BYOD) and information governance requirements.
Maurice Gilbert: How did you get started on a career in compliance?
Galina Datskovsky: At my first software company, we were writing a record management application that required in-depth information governance knowledge, and I decided to learn everything I possibly could about it in order to produce a better product. Then I got involved in various associations including ARMA, and I decided to join the board of ARMA International. Over time, I’ve developed more and more expertise in compliance policies, compliance monitoring and compliance software.
MG: Who helped shape your views?
GD: The associations, particularly ARMA, were extremely helpful for me in terms of shaping my views. As has been the analyst community. I’ve worked very closely with Gartner, Forrester and 451 Group, and that’s been tremendous from my perspective. I also work a lot with various legal authorities including the Sedona Conference, which has been pretty instrumental – particularly former judge Ron Hedges, who I’ve worked very closely with on various papers. He has been very influential.
MG: How do you stay current on ethics and compliance issues?
GD: Staying current means keeping up with current publications. I do this through ARMA, the Sedona Conference, analyst research and by reading the various relevant publications including Corporate Compliance Insights. I also organize and attend events that relevant organizations put on. One such organization is the Executive Women’s Forum (EWF), of which I am a part. I am also a member of the EWF Advisory Board.
MG: What are some of the significant issues facing CCOs, Risk Managers, etc.?
GD: There are many issues, and it all depends on the organization and industry you’re in. There are always changing regulations one has to consider, as well as the changing landscape of an organization – for example, if it’s acquiring another organization or becoming global. One issue that is particularly significant is the changing nature of technology. What I find is that it’s very hard for CCOs to keep up with the advances in technology. This includes the official technology that’s brought into the organization, as well as what’s called the shadow IT – technology that’s brought in by individual people behind the organization’s back. What employees are using outside the workplace is often very different than what’s deployed within the office. When it’s so easy to provision applications and have shadow IT, it makes ensuring compliance (both industry and ethical) and following security standards very difficult. Even if you have official systems in place and don’t have shadow IT, making sure that all your considerations are taken into account when those are used, rolled out, etc., is a really challenging situation.
MG: What do you believe is the optimal reporting structure for the CCO and why?
GD: I generally favor the CCO being in the legal department because I think that compliance and legal really go hand in glove. Oftentimes laws and regulations drive compliance, so I think the legal department is a natural fit for the CCO.
MG: How do you effect change within your client’s environment?
GD: To effect change, you need to understand the culture of your client’s organization. You need to understand the needs and technology being used and who actually regulates the client. Once that is understood, you have to put that all together and make a reasonable road map that’s divided into manageable pieces. The only way you can effect anything and not paralyze an organization into inactivity because of the scope and breadth of things is to say, “let’s attack a critical problem with a good ROI that we could affect, show benefit, show better compliance, ensure outcome and go from there.” If you create a big road map and attack small chunks, that’s the best way to effect an environment.
MG: How do you see the CCO role evolving within the next three years?
GD: I see the CCO role as almost a bridge between IT, security, legal and the business. I think organizations would benefit if the CCO role evolved into a mediator between all of those units. Making sure there’s compliance, but also understanding where the business is coming from and being able to manage the risk vs. reward based on the corporate culture.
MG: What do you see as the greatest business risks facing companies today?
GD: There are many business risks facing companies today. If we talk about risks in light of compliance specifically, I think the greatest risk is the wild field of communication. Communication is still taking place with old technology, like email. We saw from this year’s election how easy it is to hack email and leak it, especially when the email is not under your control anymore. I think one of the biggest threats in terms of compliance is the proliferation of content and inability to secure content, especially when it leaves an organization’s perimeter.
MG: What do you see as the greatest regulatory risks facing companies today?
GD: It all depends on the business you’re in. Some companies are really not regulated and other companies are supremely regulated, and thus their regulatory risks would be completely different. In general I think companies need to know what their culture, landscape and requirements are and tailor their regulatory program to the actual needs. The risk comes by not understanding these elements and creating regulatory programs based on some ideal standard or a total lack thereof.
MG: How might Chief Compliance Officers, Chief Audit Officers and Chief Risk Officers prepare to face these risks?
GD: Executives in the Chief Compliance Officer, Chief Audit Officer and Chief Risk Officer roles need to understand the various pillars – like business need, risk, landscape, corporate culture – and make sure they take all of it into account. They need to make sure that all of the stakeholders are represented and have buy-in and that there’s some agreement between the stakeholders as to what the priorities are. If they can accomplish that, they would be very prepared to face those risks. It’s also important to note that this is a continual process rather than a one-time deal – this is something you do and revisit and improve all the time. That’s really key to preparing for risks.
MG: How does your company help its clients mitigate risk?
GD: Vaporstream provides secure, ephemeral and compliant mobile messaging. We address that key problem of untethered content proliferation while also addressing the idea of a new technology being used for business – particularly texting for business.
In today’s mobile world, almost every person communicates instantly. The reality is that many companies outlaw texting, yet people still do it. It’s very important to not fall into the trap of “I have a policy, therefore I’m protected.” Having a policy which might say “we do not allow texting,” won’t protect an organization from the fact that everyone in the company texts anyway. Since texting is the next wave of communication, having mobile messaging that is secure and controlled by the sender, and that can disappear from devices but be recorded for corporate compliance, is extremely important. Rather than saying “no” to texting in general, organizations can say “yes” and, with the appropriate product, mitigate the risk of unmanaged communication and someone hacking into communication. That’s where Vaporstream comes in.
MG: What new service offerings do you have in the queue?
GD: We’re constantly revising our key offering. Our key offering is very simple, but when you talk about simple, there’s a lot of complexity behind it. We already allow many different types of attachments, but we’re looking to enable sending videos and other forms of media securely and mitigating risk in that regard. You’ll also see more from us becoming an integral part of the corporate landscape since secure storage is a big deal for many organizations and is key to the success of compliance programs.
MG: Compliance departments are often asked to accomplish their work with limited resources… do you see this situation changing any time soon?
GD: I don’t see that changing. The state of the business world today means that everyone needs to do more with less.
Dr. Galina Datskovsky is CEO of Vaporstream®. She has also served on the board of multiple startups, assisting with strategy, and was formerly Senior Vice President of Information Governance at Autonomy, an HP Company. She served as Chair, President, President Elect and Director of ARMA International (2007-2013) and as a Fellow in 2014. Galina also served as Senior Vice President of Architecture at CA Technologies, where she was responsible for corporate-wide architecture and design initiatives; General Manager of the Information Governance Business Unit; and a Distinguished Engineer. Galina joined CA in 2006 with the acquisition of MDY Group International, where she served as Founder and CEO. Prior to founding MDY, Galina consulted for IBM and Bell Labs and taught at the Fordham University Graduate School of Business and the Graduate School of Arts and Sciences at Columbia University.
Galina is a Certified Records Manager (CRM) and is recognized around the world as an expert in information governance and associated technologies. She received her CRM certification in 2004 and earned doctoral, master’s and bachelor’s degrees in Computer Science from Columbia University. She is the recipient of the prestigious Leahy award and a Fellow of ARMA International. She has been widely published in academic journals and speaks frequently for industry organizations such as AIIM, ARMA International, ILTA, IQPC and Cohasset Associates/MER. She received the NJBIZ: Best 50 Women in Business Award in April 2010.
(Article originally published on Corporate Compliance Insights by Maurice Gilbert, December 08, 2016)
There is a sudden bustle in the emergency ward at one of Illinois’ biggest hospitals, as the staff wheels in a petite blond with major burn injuries. In the dire situation, the nurse uses her smartphone and sends a few pictures of the burn, along with the patient details, to a specialist located 700 miles away. Within seconds, the doctor replies, instructing the nurse on necessary treatment. The patient’s condition becomes stable and the doctor gets back to his meeting.
The scenarios in the healthcare arena today look no different from a sci-fi movie. However, in an environment that demands a high level of privacy and compliance, what will happen to the information and the images that are left over on devices? Enter Vaporstream, a company that is taking healthcare communication to new heights. With the Vaporstream app, as soon as the doctor is done with the information, the images and the information about the patient get erased! Balancing compliance with efficiency, the company is spearheading a revolution in private, secure communication. Vaporstream empowers healthcare organizations to securely leverage the efficiencies of modern day mobile messaging while ensuring the protection of sensitive information and confidentiality. Built by compliance and security experts with over 30 years of experience in the content management industry, Vaporstream enhances mobility, information governance and compliance initiatives to securely facilitate mobile text messaging within the healthcare ecosystem. “Today, short mobile communication methods like text are getting immediate response and better read rates, facilitating a new way of doing business,” says Galina Datskovsky, CEO of Vaporstream.
Vaporstream’s secure, ephemeral and compliant messaging app provides controlled, encrypted texting that helps ensure that only the intended receiver sees the contents of the message. Unlike email, Vaporstream messages cannot be saved, stored, forwarded, shared or printed. Patented screenshot protection ensures transmitted images or chats can never be captured in their entirety. Also, images sent via Vaporstream are not intermingled with native camera rolls where they could be inadvertently leaked. The ephemeral nature of messages ensures that messages automatically expire from all devices and servers after a period of inactivity, protecting patient privacy while addressing lost or stolen device concerns. “Often, the doctors don’t require messages after a week, or even days, once the treatment is over. Having that information stick around provides no value to the person receiving it. Our app removes the images or message after the doctor has provided the answer to the problem,” says Galina. Even though the messages are removed from the device, healthcare organizations can save a copy of the message to a system of record, such as an EHR, for compliance, legal or business requirements.
Complete Content Control
The idea of having to communicate in a quick but confidential and secure manner is what spurred the conception of Vaporstream. “We tried to understand the importance of content control, because once we release the content to the world we do not have further control over it. There was a need to restrict the misuse or plagiarism,” adds Galina. “With Vaporstream, you can share content without worrying that it will be forwarded to a competitor or will be twisted and crafted into something harmful.” Recognized for its patented ephemeral technology, Vaporstream’s SaaS-based application offers the encryption, enhanced security and best-in-class infrastructure needed to meet the most complex requirements while helping maintain Health Insurance Portability and Accountability Act (HIPAA) standards. With expertise serving regulated industries, Vaporstream enables healthcare organizations of all sizes to provide an improved clinician experience and superior patient care, without jeopardizing any patient detail or official message.
Citing the example of visiting nurses, Galina explains that the nurses need to communicate and consult with the head physician or head nurse back at the home base in order to offer proper care to a patient. These nurses might take photos of the patient’s wound or condition and text the confidential information quickly to the doctors or other nurses. Furthermore, those particular caregivers are not always the employees of a single company. They may be contract employees who work for multiple organizations. They bring their own device to work and receive any and every bit of information on their device. An organization that utilizes an application like Vaporstream is able to interact in the most convenient way possible; and when the person moves on to another task, the conversation disappears from their device, whether they work for one organization or many. “On the flip side, the entire conversation has been recorded in an encrypted format for compliance purposes that can be safely entered into the patient record for any future need,” adds Galina.
Vaporstream’s services are delivered via an independent, robust cloud infrastructure, which remains available during unexpected events and emergencies, regardless of the status of corporate IT systems. Every Vaporstream user has a unique user ID determined by a previously assigned corporate email address or phone number. The ID is verified using a verification code at registration. On mobile devices, the Vaporstream app works in conjunction with device policies that lock the device after a period of inactivity. Additionally, the app can be configured to auto lock, requiring a PIN code after a period of inactivity.
The Vaporstream Information Governance Module (IGM)—with features designed to more effectively and compliantly meet the transitory and confidential messaging needs of businesses—provides a permanent, secure record of the information that an organization chooses to record for auditing and monitoring purposes. Vaporstream messages cannot be altered once sent, and are only stored via the IGM in a user’s designated system of record where they control the application of their retention / destruction policies. Vaporstream does not store users’ messages—only a single copy is stored in the user’s system if they choose to implement the IGM to support their records retention, business or other compliance requirements. They may only choose to selectively record a portion of their conversations. Vaporstream does not rely on the main infrastructure of the organization using the technology, and can, therefore, be used as an alternative communications channel during emergencies and disasters. Vaporstream also conducts annual evaluations of their security and compliance policies and procedures. The Vaporstream app is audited and certified by a reputable third party, NowSecure, for information security.
Initiating Texting Revolution
The company’s success directly ties back to their core values of integrity and respect for highest ethical standards, customer focus, innovation and teamwork. “Our values drive our business and they are deeply rooted in everything we do here at Vaporstream. They are the fabric of how we work together with our colleagues, customers and partners, and are the foundation for how we deliver solutions and services,” says Galina. Vaporstream realizes that partners are very essential to contributing towards any business’ productivity. “Partners that are technology savvy, who can integrate the latest offerings – they give us the potential to work in a better way,” explains Galina.
Apart from healthcare, the company plans to deepen its roots in other verticals including financial services, higher education, legal and media. “We had a client who was under severe ransomware breach, and they knew that their email and normal channel of communications were compromised. They used Vaporstream to communicate during the breach, sharing ideas to overcome the situation,” states Galina. “This is the reach of Vaporstream and how clients across various industries are using our solutions.” The company wants to continue offering secure ways of mobile communication that will enhance customers’ business productivity and efficiency for years to come. “I want to take the company to new heights. I would like to see Vaporstream grow to be the golden standard in secure communication for patient care. It would make me very proud indeed,” concludes Galina.
(Article originally published in Healthcare Tech Outlook by Eileen Singh November 04, 2016)
7 Principles to Consider
At least 2.5 quintillion bytes of data are produced daily, from emails to documents and everything in between. As information used for daily business is converted into digital files at a rapid pace, organizations across industries have been driven to create policies that guide how information is managed. These frameworks help to effectively support recordkeeping, answer compliance needs and ensure data availability for e-discovery in today’s digital world. Information governance is one such accepted discipline, ensuring a reasonable level of security for records and information that requires protection. Following these guidelines has become even more critical in today’s mobile age, where employees rely on texting for quick, easy business communication and collaboration – creating another form of business data.
Many business executives are overwhelmed by the management of mobile devices and the information they create. That does not have to be the case. In order to have effective information governance for mobile messaging, businesses need to first reference an accountability framework to define what elements of information management are most important to them. They can then develop relevant objectives and determine what tools fit their specific needs.
The Accountability Framework – Going Beyond What to Keep
Good information management may look different for a bank, hospital or law firm, but the questions and principles that guide their information governance program are the same. There are various frameworks available today, but the ARMA International Generally Accepted Recordkeeping Principles (the Principles) is the “standard” that businesses follow. There are eight principles in total: accountability, integrity, transparency, protection, compliance, availability, retention and disposition.
Accountability, and more specifically accountable executives, is necessary to the success of any endeavor. This applies for all information – not just mobile messaging. But organizations need to evaluate the other seven principles when looking to put information governance in place for mobile messaging and when selecting tools to support their initiative. Keep in mind that many of these principles go hand-in-hand.
1. Integrity: “An information governance program shall be constructed so the information generated by or managed for the organization has a reasonable and suitable guarantee of authenticity and reliability.”
The organization must consider how they can ensure the authenticity and integrity of data transmitted via mobile messaging. How can they guarantee where the information came from and who the parties involved are?
2. Transparency: “An organization’s business processes and activities, including its information governance program, shall be documented in an open and verifiable manner, and that documentation shall be available to all personnel and appropriate interested parties.”
To operate in a transparent manner, businesses need to capture a record of all relevant data and provide a single source of truth for discovery, Freedom of Information Act (FOIA) requests and other searches. An organization must look at how it can capture a record of all communications, including text, with the right metadata.
3. Protection: “An information governance program shall be constructed to ensure a reasonable level of protection to records and information that are private, confidential, privileged, secret, classified, essential to business continuity or that otherwise require protection.”
Businesses must determine how to accommodate what has become an accepted method of communication (texting), while maintaining protection of the information. Protection of information is often the number one priority for businesses’ information governance programs.
4. Compliance: “An information governance program shall be constructed to comply with applicable laws and other binding authorities, as well as with the organization’s policies.”
Organizations should know the breadth of regulations and laws impacting their business. For instance, HIPAA regulations require that health care organizations capture the right information for completeness of the patient record and store it in a secure repository. Knowing this, a hospital’s mobile messaging solution needs to be HIPAA compliant and enable all relevant text messages to be saved to a secure repository.
5. Availability: “An organization shall maintain records and information in a manner that ensures timely, efficient and accurate retrieval of needed information.”
Access is often the biggest hurdle for businesses when it comes to information and a huge concern when considering mobile messaging and mobility. Organizations must consider who needs access to information – internal colleagues, external parties or both. How can a business ensure the right people have access to it and information is not shared with the wrong recipients?
6. Retention: “An organization shall maintain its records and information for an appropriate time, taking into account its legal, regulatory, fiscal, operational and historical requirements.”
The business must consider what mobile communications information needs to be retained and for how long. According to a recent study by Information Governance Initiative, 98 percent of information professionals have records that need to be kept for at least 10 years. Text communications are no exception. How can an organization retain relevant mobile communications that take place over corporate-issued devices as well as personal devices?
7. Disposition: “An organization shall provide secure and appropriate disposition for records and information that are no longer required to be maintained by applicable laws and the organization’s policies.”
Once an organization no longer needs a record of the communication, how can they securely dispose of it? Mobile communications should be treated no differently than any other information source.
By looking at mobile messaging and information governance through the lens of these principles, businesses can define what is important to them, set information management objectives for corporate mobile communications and put technologies in place to support their specific needs.
New Objectives and Apps for Secure Communication
Once a business has outlined priorities for its information governance program, executives should then enact guidelines that align. For instance, if the top principles of concern for a health care organization are protection, availability and compliance, some example objectives they may put in place are:
- Do not use unsecure/native chat and text for business purposes.
- Do allow enterprise text messaging via secure, encrypted texting application.
- To meet HIPAA compliance standards, make sure to capture communications in a secure repository of record.
- Facilitate easy communications. Make the deployment and access to messaging as simple as possible.
- Make it easy for people outside the organization, such as a patient family member, to communicate and enable such communications.
- Ensure that security policies do not remove content from the devices too soon for practical business purposes.
- Make the information available only to the right people.
- Enact all protections possible to guard against information propagation or leak.
To meet these objectives, the organization should leverage a secure enterprise messaging app. These apps offer the ease of use of consumer-based apps, but provide the security features that guarantee text conversations, including documents and images sent via text, are seen only by the intended recipient.
To support compliance, enterprise messaging apps should enable a set expiration date of messages to ensure that data does not live on the device or server, while also offering the ability to save necessary information to a secure repository of record such as an electronic health record system. Other controls should take security past the basics of encryption to ensure that messages cannot be forwarded, copied, saved or otherwise shared with an outside party, and offer screenshot protection, eliminating risk of information leak or propagation.
As mobile messaging continues to be a preferred mode of communication within business – quickly becoming the new email – organizations need to enforce information management policies and leverage tools that enable them to meet specific requirements for security and compliance. These apps offer secure, confidential and efficient mobile communications while ensuring all information needed for compliance is properly retained. With these tools in place, organizations will be able to effectively enforce information governance for mobile messaging and leverage information to meet their business goals.
Dr. Galina Datskovsky is CEO of Vaporstream®
She has also served on the board of multiple startups, assisting with strategy, and was formerly Senior Vice President of Information Governance at Autonomy, an HP Company. She served as Chair, President, President Elect and Director of ARMA International (2007-2013) and as a Fellow in 2014. Galina also served as Senior Vice President of Architecture at CA Technologies, where she was responsible for corporate-wide architecture and design initiatives; General Manager of the Information Governance Business Unit; and a Distinguished Engineer. Galina joined CA in 2006 with the acquisition of MDY Group International, where she served as Founder and CEO. Prior to founding MDY, Galina consulted for IBM and Bell Labs and taught at the Fordham University Graduate School of Business and the Graduate School of Arts and Sciences at Columbia University.
Galina is a Certified Records Manager (CRM) and is recognized around the world as an expert in information governance and associated technologies. She received her CRM certification in 2004 and earned doctoral and master’s and bachelor’s degrees in Computer Science from Columbia University. She is the recipient of the prestigious Leahy award and a Fellow of ARMA International. She has been widely published in academic journals and speaks frequently for industry organizations such as AIIM, ARMA International, ILTA, IQPC and Cohasset Associates/MER. She received the NJBIZ: Best 50 Women in Business Award in April 2010.
(Article originally published in Corporate Compliance Insights by Galina Datskovsky, Ph.D., CRM, FAI, November 04, 2016)
There is no doubt about it; the cloud is here to stay. According to Forbes 2015 Tech Roundup, more than 60% of enterprises will have at least half of their infrastructure on cloud-based platforms by 2018. And by 2019, according to “Cisco Global Cloud Index: Forecast and Methodology, 2014–2019,” 86% of workloads will be processed by cloud data centers, leaving only 14% to be processed by traditional data centers.
Before an organization can wisely select cloud services providers and applications, its information governance (IG) professionals must understand the relevant cloud-related terms.
Software as a Service (SaaS)
SaaS is a standard term used for applications, such as Expensify or Salesforce.com, that operate in the cloud. Organizations can buy the number of seats needed, use the product, and pay for that usage. Google mail is an example of a SaaS product used by millions of people around the world.
Platform as a Service (PaaS)
A developer needing a platform on which to write a software product that can later be offered as a SaaS product might turn to a company like Amazon and buy its PaaS. This gives the developer a development area on which to produce products.
Infrastructure as a Service (IaaS)
An organization may choose to purchase just infrastructure, such as servers and storage, through a cloud provider and then load its platform and application on top of that. This is IaaS. Thus, an organization may buy IaaS from provider one, PaaS from provider two, and offer its end users an SaaS product. This leads to the questions about where the data is stored and, more importantly, who is responsible for it. These questions will be answered in this article.
Deployment
It is worthwhile to note the different ways cloud software can be deployed. As organizations make decisions regarding cloud offerings, it is important to be familiar with the following terms.
Public Cloud
This is essentially like LinkedIn’s deployment. Users get free access unless they choose to pay for LinkedIn’s premium offering. They share the service with others, so this is generally what the industry calls a multi-tenanted implementation. Users upload the requested personal information they want to and occasionally provide updates. Their data may be commingled with others’ data, and they often do not have a choice as to its physical location. They also are not given much choice regarding their terms of service.
Private Cloud
Many organizations do not want their information to be in the public infrastructure, so they require that their cloud services be private, often with a separate connection or at least a separate set of servers and customizations. This is a much more expensive service, but it gives them much more say in how and where their data resides.
Hybrid Cloud
A hybrid cloud is a cloud computing environment that uses a mixture of on-premises, private cloud, and public cloud services with orchestration between the platforms. By allowing workloads to move between private and public clouds as computing needs and costs change, a hybrid cloud gives organizations flexibility and more data deployment options.
Cloud Deployment Benefits
There are many benefits of cloud deployments, and organizations migrate to cloud services to take advantage of them. Likewise, vendors are offering fewer on-premises solutions and moving to cloud-only offerings. However, many of the benefits of using the cloud also present potential risks that IG professionals should be aware of and make sure their organizations consider when selecting vendors and applications. (See “Cloud Deployment Risks” in the next section.)
On Demand Self-Service
In the cloud, provisioning users with software and services is so much easier. Organizations can often do so on-demand, allowing departments and users to self-provision.
Broad Network Access
Users can easily access needed information from various locations as necessary.
Rapid Elasticity
Organizations that suddenly find that they need more capacity than they expected can rapidly scale up and expand. Likewise, if demand drops, they can contract. In fact, they can contract without even knowing it, and since they pay for what they use, this leads to cost savings. It allows organizations to:
- Pay as they go
- Pay for service, not hardware cost
- Share the risk of hardware or software loss (cost and downtime)
Scalability
Organizations can scale up or down as they need. For example, in the retail business, they can scale up just in time for the Christmas rush and scale down in January.
Low-Cost Experimentation
Because cloud services do not require an extensive capital and IT investment to stand them up, it is much easier for businesses to experiment with various offerings by provisioning a simple pilot.
Enhanced Security
Because many cloud providers specialize in securing applications, infrastructure, and hardware, an organization’s information potentially can be more secure in the cloud than it would be on its own premises.
Cloud Deployment Risks
It is important to remember that storing data in the cloud does not relieve an organization of the responsibility for protecting, managing, retaining, and disposing of its data in compliance with its legal, regulatory, and operational requirements. While there are many benefits to using the cloud, there are also risks related to their cloud providers’ negligence, inability, or unwillingness to do their part in fulfilling that responsibility. Some of the major risks are described below.
Inability to Access Data
With its information living in the cloud, an organization does not control its own destiny in terms of its ability to access it. Even though most cloud providers are very reliable, if they have an outage, their clients might be out of luck. An organization also must consider what would happen if its cloud vendor goes out of business. In one situation the author knows about, a vendor went into Chapter 11 bankruptcy, and its clients’ e-mail archive data was tied up for months in the bankruptcy court, which was a disaster for some of its clients. So, organizations must make sure they have a way to retrieve their data in this type of event or even if they are just looking to change vendors.
Insecure Data
Although the potential for enhanced security is listed above as a benefit, it can also be a risk because it is not within the organization’s control. If the provider is not diligent, the organization’s information may be at risk. For example, the organization must coordinate with the cloud provider to put controls around who can access what information. While there are plenty of automatic methods for doing this, this factor should be considered during deployment.
Improper Data Location
Where the data is located may be quite important. For example, data in the right geographic location is critical for a multi-national organization that must conform with other countries’ data transfer regulations. An organization also must check to ensure that the fail-over facilities for its data are far away from the main facilities to ensure business continuity in case of a disaster.
Inability to Hold, Produce Data
When an organization has information in the cloud that is subject to a legal preservation order, the vendor must be able to comply with that order. If the vendor does not have that capability or if it is negligent in suspending disposition and the information is disposed of, the organization could be sanctioned for spoliation. When faced with a discovery request for information in the cloud, the organization also needs a vendor that can either analyze the data to identify the relevant data to be produced or provide tools that will allow the organization to do so. The costs involved for the cloud services provider to analyze and export needed data should also be factored into vendor selection decisions.
Losing Ownership of Data
When using services like SaaS, PaaS, and IaaS, an organization needs to be aware of and prepared to deal with contractual issues like who owns data stored in the cloud. Signing some standard contracts could actually involve relinquishing the organization’s rights to its own data – for example when allowing Google to index Gmail messages.
Data Privacy Violations
Protecting the privacy of an organization’s data must be considered. For example, storing healthcare data may require an organization to contract with a vendor that has a Health Insurance Portability and Accountability Act-compliant cloud, such as is available from Amazon. An organization should also be aware that many public clouds have a click-through contract that does not allow it to opt out of the provider indexing and using its information. It must make sure that no privacy issues arise from any of those provisions. Also, when data is commingled, as in multi-tenanted systems, there is a potential that an organization’s data can be inadvertently disclosed during another client’s production or discovery event. So, this factor must be considered.
Loss of Data Integrity, Authenticity
An organization must ensure that the chains of custody and authenticity of its information are taken seriously by its cloud provider, as it needs to be able to trace and prove authenticity of its data.
To realize the rewards of moving to the cloud and mitigate risks, an organization must do the following:
- Outline the risks. Be clear about what the risks are so each can be evaluated.
- Weigh the risks vs. the reward. Determine whether the rewards are greater than the risks or if the risks are too great.
- Investigate providers. Check thoroughly to make sure each provider is reputable, reliable, and meets the relevant criteria outlined above.
- Audit providers. Regularly audit providers for compliance with agreed-to policies and practices.
- Negotiate important issues in the agreement. If able to sign a separate agreement – as opposed to being forced to just take the standard one – make sure to include the issues most critical to the organization.
- Consult with counsel. Make sure the organization’s legal requirements are met and blessed by counsel.
- Consult relevant guidance. Consult relevant guidelines, such as ARMA International’s Guideline for Outsourcing Information to the Cloud, which is available for purchase at www.arma.org/bookstore.
By using the knowledge gained from this article, IG professionals will be equipped to help their organizations make wise decisions when selecting cloud services. Knowing the terminology, the risks, the rewards, and the risk mitigation factors will allow them to become business enablers and help their organizations embrace this exciting technology.
(Article originally published in Information Management by Galina Datskovsky, Ph.D., CRM, FAI, September/October 2016)
Today’s fast-paced, mobile world offers a myriad of solutions to help users communicate instantly. According to Pew, texting is the most widely used app on a smartphone, with 97 percent of Americans using it at least once a day. This comes as no surprise, as text messages have a 98 percent open rate and a 45 percent response rate, according to recent studies. This is compared to the 22 percent open rate and 6 percent response rate of email. In addition, many have turned to free applications such as WhatsApp, Snapchat or dozens of others to try to enhance their communication experience.
The texting behavior we see in the consumer world often carries over into the workplace. Users expect the same consumer-focused applications and efficiencies they enjoy outside the office while at work. The communication efficiency supported by SMS, native texting and messaging apps goes hand in hand with having information literally at our fingertips.
But, our texting culture and habits outside the workplace can present key security challenges when consumer-focused apps are used for business communications. While consumer apps or native text may seem like tools to ensure that business gets done efficiently, their lack of security and message control can put business information, client data and IP at risk. This leaves many organizations asking – how can secure mobile communications be supported when asynchronous conversations and collaboration are a necessity for business? Enterprise-strength applications that support secure, ephemeral and compliant messaging can be the answer.
Security & Privacy Don’t Need to Be at Odds
Most employees do not have security at top of mind. They are more concerned about doing business “at the speed of business.” That does not mean, however, that security and privacy must be jeopardized. An enterprise messaging app that offers the same ease-of-use as consumer-based apps with best-in-class security and ephemerality can ensure that employees can communicate in a safe manner. Message ephemerality, which applies an expiration date to the message, keeps conversations secure and controlled while ensuring no data ever remains on the device or servers. With an enterprise messaging app, users also have the ability to expire, or shred messages on demand when necessary.
In the case of the recent Democratic National Committee (DNC) hack, more than 19,000 emails were released during the Democratic convention, with more released in the weeks following. Today email is one of the largest targets for any hacker, so why should organizations use email when unnecessary? The DNC could have used ephemeral messaging to have private and secure conversations – eliminating the possibility of messages being compromised by hackers and ending up in the wrong hands. With an enterprise texting app, information is stored in a secure repository of record instead of on devices or servers, further eliminating the security challenges that unfolded for the DNC.
Keeping Up With Compliance
Security and privacy are not the only requirements at odds. What the business needs or what employees want can be very different than what regulatory and compliance guidelines require. However, the obligation for compliance and record keeping cannot be overlooked. Using an enterprise texting app with the ability to save necessary conversations to a secure repository, while removing data from devices, enables IT teams to answer security and compliance needs at the same time, and provides employees with an easy-to-use app to get business done. Whether for eDiscovery, information access, secure records or information management, communications will be stored in a secure repository of record – not on email servers like in the DNC case – and available for business purposes. Employees and staff can communicate with confidence knowing that information is secure and compliant.
A prime use case is healthcare. Medical professionals need the flexibility to communicate quickly to provide effective patient care, especially those who work offsite, such as home health nurses. What if the nurse needs to quickly check the patient’s records, check in with the doctor or otherwise communicate with staff at the main office? HIPAA standards require that all patient information is dealt with securely and saved to the patient record. By using an enterprise messaging app with secure message retention capabilities, a copy of each text message can be saved in a patient’s electronic health record, supporting HIPAA compliance for a repository of record. The ephemerality of the enterprise texting application ensures security as no data ever lives on the device past the set expiration period.
Business at the Speed of Business – Texting Supports Collaboration
For employees not at their computer, mobile devices become their core connection to clients or other team members. While employees are more focused on getting their jobs done, they often let security take a back seat. If they are texting with a team member using native SMS or a consumer app, whether they work for the company or as part of a contracted team, they can lose control of the data in the message, giving the recipients the ability to forward, copy or otherwise misuse the information at hand, adding risk for the company.
The need to support today’s texting culture without making security an extra consideration makes enterprise texting apps an ideal solution as employees and executives embrace bring-your-own-device (BYOD). These apps not only support written communications but also the sharing of documents and photos for true collaboration on the go – critical for your mobile workforce. For example, a contractor may need to take a picture in the field that contains confidential information. With an enterprise messaging app the contractor can send the picture to the project management team of the company who hired him, obscuring the image so that only the recipients can see it. This protects the image from screen shots and unintended propagation, keeping the information private and secure.
Supporting a mobile-centric, text-friendly and secure workplace
Employee affinity towards texting is only going to grow as mobile devices continue to become more of an integral part of every workplace. In fact, according to Gartner, by 2020 85 percent of businesses will have some kind of BYOD or Corporate Owned Privately Enabled (COPE) programs in place. Texting provides employees with an easy and efficient way to read and respond at their fingertips, anytime, anywhere. In order to keep up with the texting culture employees expect and the business demand for instant communication, organizations need to deploy enterprise texting applications that support increased security and answer strict compliance needs – without leaving information at risk.
Without a secure enterprise texting application in place, organizations leave employees with no choice but to rely on native SMS or consumer-based apps that can leave your enterprise and client data at risk. As organizations are considering new technologies to meet the needs of their mobile workforce, secure ephemeral messaging should be included in the mix.
(Article originally published on Information Security Buzz by Galina Datskovsky, CEO, Vaporstream, October 4, 2016)
Identifying and recruiting new talent is a core responsibility of HR teams and hiring managers that requires extensive communication both internally and externally. Keeping the breadth of communication and the confidential details discussed private during recruiting creates a challenge for HR teams—as well as potential new hires. During recruitment, secure communications protect both the recruiter and the potential new hire. This especially rings true when HR teams are recruiting individuals that are employed at competitor companies. Recruiters need to keep the conversation with these candidates confidential, either because the potential new hire simply does not want their current employer to know about it, or there is a non-compete in place.
The downside of common communication channels
The traditional means of communication for recruiters often fall short of what they need in order to successfully engage candidates and keep conversations secure. Though e-mail is often viewed as the simplest and most direct way of contacting a potential new hire, it comes with a lot of potential issues. E-mail can easily be forwarded and shared with anyone, accidentally or intentionally. As the workforce becomes increasingly mobile, bring your own device (BYOD) practices see many employees co-mingle their work and personal information on a single device. This practice can potentially create privacy issues if a candidate is indeed e-mailing with a recruiter. As an alternative, hiring managers and recruiters have turned to LinkedIn. However, using this communication tool does not circumvent the privacy issues of e-mail. A candidate may link their business e-mail to LinkedIn, which means they receive notifications, including recruiter messages, to their work account. As this information is accessible by the candidate’s company, their employer could potentially find out about the interaction—leaving them less likely to engage for fear of repercussions. Another important issue while recruiting is speed and responsiveness. According to the 2015 Mobile Marketing Watch, text messages have a 98% open rate and a 45% response rate, while e-mail has only a 20% open rate and a 6% response rate. Ensuring that response times are as high as possible is critical for the recruiter competing for high-profile candidates. Recognizing the pitfalls of relying on e-mail and social media for recruiting, some HR teams and hiring managers have already turned to messaging services to aid them in these ‘off the grid’ conversations. However, the free, consumer-focused apps available today do not have the security and sender controls in place to safeguard conversations.
To successfully engage candidates, and avoid the security pitfalls of traditional communications, recruiters need to utilize an enterprise messaging app that meets consumer demand while providing the security required.
The case for secure, ephemeral mobile messaging
Secure, ephemeral messaging is all about sender control. The ephemerality, or set expiration date of a message, ensures content is not available after a set timeframe. So, if recruiting a specific candidate is not successful, the recruiter does not have to worry about the conversation being accessed after it expires. Other sender controls ensure that messages cannot be forwarded, copied, pasted, or otherwise shared with an outside party. In the case a user accidentally sends a message to the wrong party, enterprise messaging apps like this offer a “shred on demand” feature that enables the sender to delete the message from the recipient’s device at any time. While the ephemerality of the message ensures that it is gone from all devices, enterprise messaging solutions also have capabilities that support governance and compliance. This enables HR managers or recruiters to control what messages are saved to a secure repository for recordkeeping purposes. By keeping track of the key parts of a hiring negotiation, such as salary, benefits, and start time, the HR manager can review everything to make sure all the terms are in place before sending the final contract to the candidate. The messages can then be deleted from the repository in accordance with organizational policy. Some best practices used by organizations include:
- Ensure that a copy of all text messages is placed into the repository of record when required by compliance or business use.
- Dispose of the messages based on the retention schedule for similar items.
The core of the organization
HR’s use of secure mobile messaging can also go beyond recruitment and be leveraged for other confidential conversations, from raises and promotions to disciplinary actions and whistleblowing. Ephemeral enterprise messaging apps eliminate the concern of information being misused, while ensuring employee records can be maintained via the secure repository. The security of the conversation also reassures employees and potential new hires that their communication with HR is confidential and the enterprise messaging capabilities become core to the operations of the organization. As the workforce increasingly becomes mobile and candidates and employees develop a preference of having professional conversations via mobile messaging, recruiters and HR teams need to shift their approach. Ephemeral, secure, enterprise messaging apps enable HR departments to keep communications private, creating a win-win situation for their company and employees.
(Article originally published on HR.BLR.com by Galina Datskovsky, September 22, 2016)
The following is part two of a two-part series addressing outside counsel’s vulnerability to email-related cyberattacks and breaches. Part one discussed the specific legal and IT risks that law firms face when communicating with clients with inadequate data protection. In corresponding with clients via email, law firms expose themselves to an array of risks, including data breaches, unauthorized use of privileged content and cyberattacks on their own servers and systems. And in the face of recalcitrant or unable clients, the responsibility of securing email communications and all its related risks falls on law firms’ shoulders. But how exactly can firms go about protecting themselves from “spillover” cyber risks? Here are three innovations that can help legal defend its flanks:
1. Encrypted Email Portals
When securing emails, encryption would seem like the first go-to defense. But many often shun the technology, because traditionally it has been thought “of as very clunky to implement, requiring a lot of hands-on work from the participants and users to manage keys,” said Jacob Ginsberg, senior director at email encryption and security firm Echoworx. However, this is far from the current case, he added, citing a “new generation of encryption” where security companies “do all the key management on behalf of the […]”
2. “Ephemeral Messaging”
Isolating and encrypting emails through a dedicated channel still leaves a paper trail, which of course can be necessary due to legal and regulatory retention demands. But for those who do not need to keep records, making sure emails are deleted shortly after they are opened is an even more secure way to ensure those emails never end up in the wrong hands.
Abrenio noted that some modern security solutions, “use temporary emails that will evaporate after certain usage. They combine encryption and they [create a separate communication channel] so no one cannot steal the keys or passwords.”
Email security firm Vaporstream, for example, recently launched a proprietary communications solution deemed “ephemeral messaging” that erases all correspondence after a set time limit. The technology can prove pivotal when handling highly sensitive content, or during incident responses after a law firm or its client systems have been compromised.
Liz Lederer, Vaporstream’s senior vice president of channel sales, previously told Legaltech News that “during times of incident response, it’s critical for conversations to remain between those remediating the situation, and we’re able to do that by keeping messages encrypted and enabling cross-device interactions without the risk of unauthorized sharing or storing.”
3. Scanning Solutions
No matter what email solution a law firm uses, there is still always a chance of an email-based attack or infiltration. That is why, on top of secure channels, law firms should also proactively watch both what comes into and what is sent out of their primary email systems. To this end, Echoworx has a solution that “will make sure that all emails leaving an organization are scanned for sensitive information, and just what is sensitive information is left up to the law firms to decide,” Ginsberg said. “That can help flag sensitive information leaving the law firm unsecured, and that’s just a bare bones compliance step.” Firms can also hide their email server behind another server layer, which gives them protection against distributed denial of service (DDoS) attacks, as well as the ability to track and flag suspicious emails. Avi Solomon, director of information technology at Rumberger Kirk & Caldwell, previously told Legaltech News that his firm uses such technology to filter out emails from newly registered domains or ones not associated with the firm or their clients, a telltale sign of phishing email cyberattacks. Scanning solutions are essentially a firewall within an email server, a necessary part of email security, given the furtive techniques of cybercriminals. In this day and age, no communication, whether it appears to come from an internal colleague or an external client, should be trusted at face value.
Copyright 2016. ALM Media Properties, LLC. All rights reserved.
(Article originally published on Legaltech News by Ricci Dipshan, August 22, 2016.)
M&As Leave Much Room for Data Leaks. Vaporstream’s Galina Datskovsky Talks Securing Communications When Closing the Deal.
When it comes to being vulnerable to a breach, mergers and acquisitions (M&As) tend to leave many doors open, creating great potential for highly confidential information to fall into the wrong hands. The leaky nature of M&As is partially attributable to “human nature,” says Galina Datskovsky, CEO of secure messaging app service Vaporstream. In a conversation with Legaltech News, Datskovsky explained that people often email parties they shouldn’t be contacting about M&A deals, such as family members that might have investing interests based off a deal’s implications or colleagues not involved in the deal but from whom they would like to get feedback. Many companies have turned to enterprise communication tools, such as Slack, which are downloaded by end users, and often they leave information vulnerable. “The only way to limit who actually knows about the M&A is to keep the information about it to the most limited amount of people you can,” Datskovsky added. “And generally that is not easy to do with the tools we use today.” Yet communication is core to M&As, and thus “lots of chatter” between the multiple parties involved must occur. “You need the chatter; you need to discuss the terms of the deals,” such as parameters, people in the organization, etc., Datskovsky explained. Unfortunately, most of this communication occurs over standard office email, and thus the chatter can easily be exposed. “It’s just the nature of the beast.” So how to secure? Datskovsky has some practical tips for being more secure in your M&A communications:
1. Control Your Content: Sending is Not the End
How often have you sent an email that, moments later, you wished you hadn’t? Whether filling the recipient field with the wrong address, clicking “send” too quickly, or suddenly realizing your recipient shouldn’t have this information, we’ve all been there. Wish you had a “retract message” button? Certain enterprise tools allow this, so long as the recipient has yet to open it. This can be particularly handy for M&A communications. Privy parties need to prevent forwarding of messages “so somebody can’t say, ‘Oh, I think this would be useful to get the opinion of X, Y, Z, and let me just forward this,’” Datskovsky noted. Additionally, senders “want to be able to control who sees, how they see it, and what they can do with it,” which can be done with certain apps, she added.
2. Too Little Too Late: Maintain an Expiration Date for Content
Often, documents can linger in storage, forgotten about once they’re no longer immediately useful. However, as many know, that doesn’t mean they don’t exist. By setting an expiration date for a message, you are “limiting distribution through channels,” Datskovsky said. “The more you limit the conversation … the more you are likely to limit leakages and inappropriate distributions.”
3. Don’t Forward the Master: Copies are Key
It’s important to draw a clear distinction between a master document and its copies. This distinction is important to adhere to in emails as well, for in the digital age, sending a master document could lead to unintended edits to a document, hugely problematic for M&As. While you’ll need to keep a master copy for record keeping, sending copies in PDF format for review limits security risks. In the event of a breach, “it’s one thing to have a copy and another to have the content walking around across the board on devices that belong to your organization and any outside entities,” Datskovsky explained. Overall, Datskovsky says that while many rely on the encryption of an enterprise messaging app for protection, that alone isn’t enough. “You’re not going to get that benefit of expiration and forward prevention. You need a greater sense of control.”
(Article originally published on Legaltech News by Ian Lopez, August 15, 2016.)
BYOD policies, or Bring Your Own Device policies, allow employees to use and access company information on their personal devices. You can send messages to coworkers on your personal phone’s Slack app, between right swipes on Tinder. Instead of staying at the office all night, you can download corporate reports onto your home computer. For many, BYOD policies are great. They give employees a bit more freedom to work where and when they want, on the device that’s most convenient. For employers, the policies eliminate the need to provide workers with dedicated work phones and laptops. But when it comes to eDiscovery, BYOD policies can start looking like a very B-A-D idea.
Bring Your Own Device — Back to the Lawyers
When company information is dispersed across dozens, sometimes hundreds and thousands, of devices, gathering it all back up for discovery purposes can be a real pain. If you’re lucky, the relevant information has been securely archived on corporate servers. When employees sign in to a corporate app on their personal devices, for example, those devices may sync with corporate servers, creating a copy of any relevant data. But that’s a best case scenario. It’s also often the case that a record hasn’t been created or centralized, given the wide diversity in programs and devices out there. If data is only saved locally on the device, it might be necessary to return the physical device itself in order to access information for discovery. “One of the challenges you clearly face is getting the device to come back into the organization to begin with,” Galina Datskovsky, CEO of Vaporstream, recently explained to Legaltech News. “And that can be quite a challenge.” While current employees may be more willing to bring in their own phones and computers, it could be much more trying to get ex-employees to lend a hand. “Yes, there are subpoenas and things you can issue,” Datskovsky says, “but it just makes the process fairly difficult.”
Personal Data and Personal Deletion
And then, of course, there’s the fact that corporate information may become intermingled with personal information. As part of information collection for discovery, companies may get access to protected personal information. This is a pronounced risk in jurisdictions, like the E.U., that place strict limits on what can be done with personally identifiable information. And then there’s the fact that necessary data might not be there at all. In one recent case, Small v. University Medical Center of Southern Nevada, a special master recommended sanctions after the university medical center failed to preserve data on BYOD devices, allowing employees to delete work-related messages from their personal phones. We don’t expect BYOD policies to go away anytime soon, however. The benefits in cost and productivity to employers and employees simply outweigh most of the risks. But when it comes to eDiscovery, BYOD isn’t making any lawyers’ lives easier.
(Article originally published in FindLaw Legal Technology Blog by Casey C. Sullivan, Esq. on June 13, 2016)
Beyond encryption, mobile e-discovery faces challenges with data retention, inaccessible custodians and ineffective BYOD policies
For all the ways technology has revolutionized discovery, the advancement of mobile devices has almost stopped it dead in its tracks. Though the FBI’s legal battle with Apple is a pivotal moment for mobile e-discovery, the challenges of this practice go beyond recalcitrant manufacturers and encryption. For mobile devices are never used in a vacuum, and during discovery requests, attorneys have to consider everything from privacy regulations and organizations’ “bring your own device” (BYOD) policies to each single data custodian’s specific station.
“On a very simple, basic level, if you have to discover information, and that information happens to be on mobile devices around the organization,” said Galina Datskovsky, CEO of Vaporstream, “one of the challenges you clearly face is getting the device to come back into the organization to begin with. And that can be quite a challenge.”
Given corporate servers and cloud infrastructure, however, there are inevitably times when “discovery doesn’t have to go back to your device, because I’m creating a record and putting it in my secure archive, and that’s where I’m going to go to pick up the data,” Datskovsky added.
But the reality is far more complex, for not all mobile e-discovery data and apps are made to sync up to external servers. “The devices are unique,” Datskovsky explained, because “there are things that only reside as mobile apps, like, for instance, text and chat or certain apps that may be apps that only reside on the device,” and save data locally.
This in turn makes discovery a uniquely manual experience, where much depends on the data custodian’s ability or desire to give up the device. This can make for a difficult situation, “especially if it happens to be an employee who left or quit or is not cooperative. And, yes, there are subpoenas and things you can issue but it just makes the processes fairly difficult,” Datskovsky said.
“What’s interesting is that to actually collect the device one literally just has to ask the person for its password,” said Adi Eliott, vice president of market planning at Epiq Systems. He added that the discovery process largely relies on custodian interviews, such as those “asking them what do you use to talk about business, what apps you discuss this matter or this situation on, and then you have to physically get their device, and that container has all the corporate data. Then on which apps to use to talk about business, primarily like email. If there’s an internal instant messenger app that’s officially sanctioned, use that, etc. The problem is that it’s not necessarily how humans work. The friction that is required to record and communicate is almost nonexistent,” Eliott explained.
“Even anecdotally if you think about it, if you and another person you know have WhatsApp, whether you’re talking about personal or business, you’re highly likely to fall into WhatsApp, if that just happens to be something you use because, there’s no friction to it and you both have the app,” he said.
Additionally, “We don’t compartmentalize our communications anymore between business and personal,” Eliott said. “Socially, I’m more likely to be doing something personal at work and I’m definitely more likely to be doing work on my personal time and asking us to compartmentalize by app is largely a human and a social challenge more than it is an e-discovery challenge.”
Privacy, By Any Other Name
The blurred lines between private and business data create situations where “if there is discovery done on a device that is owned by to the corporate network and you sign something that said generally that the corporation has access to it, people don’t question that largely.
“And part of this is just social and the way Americans think, they are very likely to give up their password when asked and let their device be collected from. And in Europe it very much has to be contemplated deeply because and there are some cases that have been decided about who has the right to the phone and the privacy rights… but it’s still an emerging set of cases that we are seeing.”
Eliott added that with privacy issues, “in the U.S., things are evolving… It’s being talked about more,” especially after the Apple and FBI legal battle.
“The conversations are being raised in a way in which they before, and my opinion is that when you see conversations raised like this, there are generally downstream consequences from the consciousness shifting on an issue. And we don’t yet know what that is going to be,” he said.
(Article originally published in Legaltech News by Ricci Dipshan on June 9, 2016)
Cyberthreats Abound, Lawyers are Increasingly Called Upon to Improve Mobile Security and Secure Their Clients’ Information. Vaporstream’s Galina Datskovsky Talks Taking Security Mobile.
As mobile continues to repurpose the way we communicate in our daily lives, it also changes the ways we share our business information. This has led to a number of challenges, touching upon everything from the conflation of the professional and the personal to leaving valuable and sensitive data accessible to those who seek to exploit it. Vaporstream’s CEO Galina Datskovsky is no stranger to this reality. Having worked in information governance and compliance for over two decades, her experience has versed her in the nuances of law firm data security as well as attorneys’ perceptions of these technology-fueled changes. She told Legaltech News that the mobile market is currently, in many ways, “where email used to be twelve years ago.” “Law firms are usually slow adapters of new technology,” she said. “I distinctly remember when emails sort of first started taking hold everywhere else.” Attorneys would say “I don’t get this whole email and Blackberry thing.” Nevertheless, she explained that “the mobility practice of the mobile lawyer” is “really important” in the modern Big Data environment, a place where law firms, overseeing sensitive client information, are more vulnerable than ever before. With mobile, the stakes are elevated. In demonstrating how law firms may react to mobile security, Datskovsky discussed an experience in which she provided data governance and policy consulting for a law firm, where the topic of texting was an issue. “I said, ‘Well what about text and chat? What do your attorneys do?’ And none of the people in the firm said, ‘Wait a minute, our policy strictly says right here that that’s not allowed.’ I said, ‘How’s your compliance with that policy,’ and they said, ‘Well, everybody texts.’” When asking about the company policy, “the answer I got that kind of blew my mind, although what’s very typical of law firms again, is that, ‘If it’s in the policy that we can’t, then we can defend ourselves by saying it’s not sanctioned,’” she noted.
“Really, it’s in your policy but everybody does it, and you know everybody does it, you think it’s going to be secured?” “In particular, with the kinds of breaches that we saw in law firms I think this is going to become a front and center issue because it’s mobile security,” she added. “And coupled with device governance and compliance,” mobile policies “make the firm safer in general.” Here are some of Datskovsky’s tips for law firms to improve their mobile security:
1. Accept it – Everyone is Mobile. Enact Policies That Reflect This Reality.
In Datskovsky’s view, mobile security is something that comes “in various shapes and forms,” and when considering this, it’s important to differentiate securing the device from the lawyer using it. A first step in getting the firm more secure is accepting that “lawyers clearly have mobile phones.” Thus, “there should be very, very clear guidelines and policies on how a device should be secured. And this could be some very simple things, like everybody has to have a pin and a password, to everybody must encrypt all data on the device, to making sure that there is a mobile device management application in place where the policies are actually pushed to the device by the IT department, so it’s not optional. It’s not up to the lawyer. It’s up to the firm.” Getting the firm to observe the policies, she explained, is “very realistic, but only if the people who are in charge of policies – IT, general counsel – really take the time to think it through to make it almost seamless for the attorney. Otherwise, I don’t think you can get compliance.” “I don’t think it’s realistic to have a policy in place that says, ‘do not touch.’ Because people will do it anyway. I think is frankly a naïve to approach things,” she added.
2. Take Back Control – in the Form of Mobile Device Management.
While there are a number of ways to theoretically secure a lawyer’s device, sometimes it’s advisable to place the task in IT’s hands. As previously noted, one route comes in the form of mobile device management applications. Datskovsky said in using this, “I could push my security practices and policies then in general manner to everybody.” Additionally, “I feel more comfortable with having a bring your own device (BYOD) policy if such a play is in place because in that case, I could separate the partition the personal and the business, and I don’t have to worry about the personal being unlocked and somebody seeing the personal.” This is important, she added, “because a lot of the breaches happen not because somebody hacks … but because somebody is careless.”
3. Keep the Personal Personal – Know What’s SFW
Given that many lawyers can now work from any location at any time, it’s fairly easy to enmesh the personal with the professional. However, some methods of communication are more suitable for work than others. To demonstrate this, Datskovsky pointed to text messaging. “I would never think that texting in my normal native form of text is appropriate for business,” she said. This is partially because, often, it isn’t necessary for a task you’re undergoing, and furthermore, it’s not always encrypted in transit. Also, upon sending, the sender has no control of the text. “If I send you a text, you could forward that to anybody, you could put it on Facebook. Whatever you do, I have no control over it.” “If you look to secure text, especially a text that can be ephemeral in the sense of control and disappear from devices, we can secure those types of communications much better,” she said. This means that some communications may be better for email, and by using it, there is “a single source of truth, a single copy of records of which you could search, you can go for e-discovery to and for completeness of records to without sacrificing privacy and security.” However, Datskovsky also warned, “Not everything belongs in a mail box in a system where I don’t know how readily available for the mobile worker to get to what they need without having to permanently store at the device level.” “I think with mobility, you have to think in those terms. You have to think about governance and compliance, you have to think about convenience, but you also have to think about the fact that not everything belongs on your mobile device, not everything belongs there forever,” she added.
(This article was originally published by Legaltech News by Ian Lopez on May 27, 2016)
Why are there so few women in tech leadership roles?
According to a recent Reuters study, 30% of 450 technology executives stated that their groups had no women in leadership positions. Only 25% of the IT jobs in the US were filled by women, and considering that 56% of women leave IT at the height of their careers, it’s no surprise that there are so few women leading the tech industry.
The value of having women in leadership is common sense – women make up half of the purchasing demographic so having limited or no representation of women leading companies can make them miss out on valuable insight. This common sense is backed by a study by a DDI consulting firm that found the top 20% of top-performing companies had 27% or more women in key leadership positions while the bottom 20% of companies had less than 19% of women in these roles.
I asked women in leadership roles to share their experience in the tech space, everything from why they chose a career in tech to perks/challenges of being a woman in a male-dominated industry to advice for young women considering tech as a career. Thank you to Becca Stucky, Director of Demand Generation at tech company Thycotic; Katie McCroskey, Senior Manager Channel Operations at Thycotic; Karen Nowicki, director of engineering for a Chicago-based software company called kCura; Diane Merrick, VP of Marketing at Teradici; Robbie Hardy, tech sector veteran, and author of the new book UPSETTING THE TABLE: Women Mentoring Women; and Dr. Galina Datskovsky, CEO of Vaporstream for contributing to this episode.
Advice to young women considering tech
Brush up on your math.
Becca Stucky, Director of Demand Generation at tech company Thycotic, says that math skills are critical. “Tech companies move fast, and to know you’re making the right choices, you need to be able to read trends and metrics for how your initiatives perform – this is true not only for marketing, but also for making choices for product features or UX, running tech support and client happiness teams, and even working across teams and explaining to other managers why your team is making certain choices.”
Diane Merrick, VP of Marketing at Teradici agrees with Stucky, adding “Don’t be intimidated by math and science. Ask questions. Sometimes the problem is the teacher, not the subject. You may need to explore other sources of learning.” Merrick also recommends young women check out the option of a co-op degree where you’re guaranteed work after graduation. “It is a fantastic way to help you discover what you like and maybe more importantly what you don’t like,” she says.
Know your worth
For Katie McCroskey, Senior Manager Channel Operations at Thycotic, it’s important for young women to know their value. “Women bring a lot to a tech company – different perspectives and skill sets, tech companies with more women are more successful and it’s a hot industry to be in, good paying jobs with lots of diversity in focus (dev, cybersecurity, ops, etc.) and opportunity. Don’t allow yourself to be intimidated by a room full of men.”
Become a life-long learner
Karen Nowicki, director of engineering for a Chicago-based software company called kCura, says that women in tech need to become life-long learners. “Make learning part of your commitment to yourself and keep looking for new ways to grow. Technology is an especially fast-paced career. Not only will you find the domain changing quickly, but career growth also demands being proficient in each new role. Joining user groups in your industry and national societies to keep current are just a couple ways to stay sharp.”
Go for it
“There are so many options open to you when you go into a tech career,” says Dr. Galina Datskovsky, CEO of Vaporstream. “It is not just programming or coding – the options are unlimited. You should never be afraid and never think that the guys are better at it than you. You are capable of the same and more. So, just go for it.”
Robbie Hardy, tech sector veteran, and author of the new book UPSETTING THE TABLE: Women Mentoring Women, says that young women should consider tech because they’ll stand out. “Technology is a great career for smart women who like a challenge and lots of opportunity. While it has been a male-dominated Wild Wild West for years, it is changing. An increasing number of women are embracing STEM, which is the basis of most technology careers. These women “stand out” and therefore their talents and integrity are more exposed than a man. This has both pluses and minuses, but if you understand that you must not take no for an answer and take your rightful seat at the table of technology (upsetting the table, as I like to say), you will succeed.”
Choosing a career in tech
Solving real-world problems
For Stucky, the idea of working for a company that makes lives better was a big motivation to enter the tech space. “In tech — and software specifically — if you can imagine it then you can make it. There are very few limits to what people can do when given a computer and the knowledge to code. I find that very inspiring. Software can make people’s lives easier, it can make work more productive, companies more secure, and it can connect people all over the world. Productivity is something I get especially excited about. I absolutely hate doing something if I know it can be done faster, with less steps, or if I can automate it. Even though my own coding skills are mediocre at best, I get to be part of an industry of problem solvers, idea-dreamers, and of virtual builders, who are creating entirely new markets and tools that the world never considered before now, but once made, could not imagine living without.”
Not everyone starts out with a desire to join a tech company. “My tech career began by accident,” McCroskey said. “I joined Thycotic seven years ago with a background in marketing and grew my technical knowledge and background as the company grew; now I love the challenge of constant change and teaching myself new technical topics, this constant quest for knowledge keeps me driven and engaged.”
Hardy also stumbled into tech by accident. “The technology world chose me. I was a research assistant at UNC Chapel Hill, putting my husband through his PhD program, and in order to do my job I had to learn to use technology to analyze the data we had collected. It was certainly challenging, because I am not a math and science person by nature, but once I unlocked the door to all that was possible with those 1s and 0s, I was hooked for life,” she said. “I found my sweet spot in technology management. My experience in those days as a research analyst and beyond, gave me the technology foundation I needed to be successful in managing it.”
Creating a shared vision
For Nowicki, knowing how to earn respect from an early age is a critical part of a tech career. “In high school, I became president of a rifle club and it was my first foray into leadership. I had to earn respect to get the role and incorporate everyone’s feedback to shape the program in a positive way. In college, I picked up computer science and led a national mathematics honor society where I put on a national math convention. Throughout the process, I got the hang of how to collaborate effectively and make decisions that were best for the group,” she said. “I’m also a volunteer coach for an Olympic-style junior air rifle club and there are very few female coaches. When I take the students to tournaments, the other coaches and attendees are sometimes surprised to see me. They perceive the sport to be male-dominated and have to shift how they think, so we can work together effectively. From a leadership standpoint, volunteering has taught me that you have to appreciate and maximize the unique passions and talents that everyone brings to the table and work with people of all different skill levels and backgrounds to create a shared vision.”
Ground breaking field
For Datskovsky, the opportunity to be in a revolutionary space like tech was too attractive to resist. “I always liked exact sciences and found that computer science gave the right mix of science, technology and human interaction, as well as the ability to work in a ground breaking field that is constantly changing and evolving.”
Being in an innovative space is what drew Merrick to a career in tech. “I began my career as a civil structural engineer in Ontario, Canada – a technical career but not in the “tech space”. There are several things that intrigued me about the tech space: The pace of innovation. The openness to do things differently. A lesser degree of prejudice – good ideas seemed welcome from anyone regardless of age or sex.
The tech space is also a very global industry and it afforded me the opportunity to not only move to California but to travel the world.”
The challenges facing women in tech
Finding the right company
Not all women have faced challenges in their tech career. For Stucky, she says that a good company culture can make all the difference. “I give most of the credit for my personal experience to Thycotic, and our founder Jonathan Cogley’s focus on hiring good people and giving them the opportunity to succeed. Because of Thycotic’s culture, I’ve never been treated differently because I am a woman, and I have been given incredible opportunities to grow.”
Be thick-skinned and dance it off
For McCroskey, it’s important to remember that the tech industry is still a male-dominated space and women need to be confident and thick-skinned. “It is very challenging to walk into a room of ALL men knowing they are going to drill you with tech questions until you prove yourself – but this is common,” she commented. “All I can do is come as correct as possible through preparation and constantly retrospect, self-analyze, improve and sometimes just dance it off.”
Confidence to be yourself
According to Nowicki, women work and see things differently than men and add a different perspective that’s highly valuable. “When an environment doesn’t have prior experience with women in the workplace, it’s initially difficult for all involved to adjust to changing dynamics. The most important change that can be made is for women to feel confident enough to be themselves. If you’re in a workplace with a small female population, partner up with one another to build up confidence, discuss resources, and lean on one another for support.”
Being the only one at the table
“Often I am the only one in the room. Frequently, I would go to a conference, and there would be a long line for the men’s room and none for the ladies’ room – although that’s a welcome change,” says Datskovsky. “It was occasionally more difficult to be taken seriously, as the men would be assumed to be the ones in charge. I always felt that I had to perform at my maximum at all times being a woman.”
Merrick admits it can get lonely as a woman in tech because there are so few women in tech leadership. “My move to tech also involved moving from engineering to marketing, albeit marketing of very technical products. In the early years my engineering degree definitely bought me credibility. I am also told that my physical stature helped; I am quite tall. It is definitely sometimes harder to be heard as a woman. I also think we are less self-promoting. We let the work speak for itself and sometimes the work needs a voice to get noticed. As I moved up the ladder, the number of women in my ranks definitely decreased. It can be a bit lonely. You may need to find a peer set outside of your company through associations and special interest groups. You do have to get used to being the only woman in the room on many occasions.”
Although Hardy admits there is a gender bias, she sees it as an opportunity. “There are always challenges but I like to look at challenges as opportunities.
The gender bias is alive and well in technology, but not any more than any other sector. I was always the only woman in the room, but I learned early on to not own that or see it as a problem, but as a fact. I had to stand a little taller, work a little harder, be a bit more agile … but as long as I could maintain mutual trust and respect (T&R) with my colleagues, it always worked out. Once that trust and respect was gone, it was time to move on.”
The perks of being a woman in tech
According to Stucky, there are perks for anyone, not just women, to find a career in tech. “Compared to the other industries I’ve worked in, tech companies give more time off, seem to have better family leave policies, and they provide food to bring people together and so those working late have snacks. At Thycotic, we have men and women who come in early so they can pick their kids up from school, and night owls who work well into the evening.”
The best perk for McCroskey is being surrounded by other women in tech. “The women tech community is unique because we seem to all admire each other and promote empowerment in each other – as it’s often us against them. There is very little backstabbing or pettiness – in my experience tech women easily feel a bond and want to learn from each other and help other women be successful.”
Finding a passion
For Nowicki, the opportunity to create and learn in different spaces is most exciting. “In my first role at a defense company, I wasn’t just coding—I got the opportunity to write the newsletter, conceptualize and apply processes, and develop tools that were first-to-market. I even had access to the internet before it was available to the public. I couldn’t have asked for a better first job because I got to work on so many different projects and was hungry to learn. That passion sticks with me today.”
Being a pioneer
Datskovsky enjoys being a pioneer in a new space. “You are still a pioneer in the tech world, and sometimes get to cover new ground, which is exciting. It is also nice to be the one to provide that diversity in the work place.”
Great pay and career advancement
Along with the opportunity to contribute to a new and innovative field, Merrick also lists perks of being in tech as good pay and career advancement. “I think there are a lot of perks to being in tech for men or women. The pace of change in tech is exciting. Tech is competitive and for that reason it is a very innovative space. Tech is very broad and there is a lot of opportunity for job changes and career advancement.
Tech is still a well-paid field with a lot of job perks unheard of in other industries. I do believe women think differently and problem solve differently. With the right attitude you can make those differences work for you by bringing new and different ideas to the table.”
Hardy is never bored with her career choice in tech. “With T&R in full gear, a woman is often rewarded/ sought after for her unique skills and intuition (yes I said intuition), however, I don’t think that this is unique to technology,” she says. “Since technology is still a male dominated field, being a woman in tech gives you an opportunity to stand out from others and be recognized and rewarded for your talent and work ethic. For me, the perks are also the opportunity to be on the cutting edge of new products, techniques, and technologies. It is certainly never boring.”
Although women are still lagging in numbers in the tech space, it’s important for girls and young women to know they have the opportunity to change the tech scene and become positive influencers. Want to jump into the tech space and learn to code for free? Here’s a great list of free places to learn coding basics.
(Article originally published in the ProTech blog by Elizabeth Becker on May 18, 2016)