MS Exchange Critical Security Threat – We’ve Got Your Back!

You may have heard rumblings across the Internet of a giant Microsoft Exchange vulnerability that raised its ugly head this week.  On Tuesday evening, Microsoft announced the existence of four critical zero-day security vulnerabilities affecting all current versions of Microsoft Exchange Server.  That’s the same time we stepped up to make sure that all DataYard and our clients’ servers were patched and secured as soon as possible.

Starting at 2AM on Wednesday morning, our engineers began installing the needed upgrades and patches to all DataYard managed Microsoft Exchange servers. The Exchange infrastructures in question were quickly updated and rebooted, after which point DataYard engineers took a deeper dive to determine if there were any lingering threats.

In many cases across the globe this security vulnerability had already been exploited in an attempt to open a backdoor to critical and private data – our customers were no exception.  DataYard engineers discovered malicious web shells which had been remotely uploaded by nefarious bots in the final days of February 2021. While a malicious shell was indeed uploaded on these systems to provide access to a bad actor in the future, there is no evidence to suggest that the shell was ever accessed or utilized after the initial automated upload.

As of 2PM on Thursday (3/4/21), DataYard had completed the following for all of our managed VIP clients:

  • Determined if the VIP was vulnerable to the exploit in question
  • Updated OS when applicable
  • Installed critical security patches
  • Rebooted and tested
  • Removed all malicious files remotely uploaded by third parties
  • Investigated all system logs to ensure no malicious files were executed:
    • Network traffic logs
    • System events logs
    • Exchange application logs
    • Remote login records
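The "removed all malicious files" and "investigated all system logs" steps above describe a triage task: find script files that appeared in a web-served directory during the suspicious window and record their hashes for review before deletion. The helper below is an added example written for this page; it is not DataYard's tooling. The directory layout, file names, the 26 February to 3 March 2021 window and the hash values it produces are all constructed, and the list of script extensions is an assumption.

```python
"""Triage helper: list web-script files whose modification time falls in a
suspicious window and hash them for review (added example, not DataYard's
tooling; directory layout, file names and window are constructed)."""
import hashlib
import os
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Assumed set of server-side script extensions worth reviewing.
SCRIPT_EXTS = {".aspx", ".asp", ".ashx", ".asmx", ".php", ".jsp"}


def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 so large files do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def find_recent_script_files(root, window_start, window_end, exts=SCRIPT_EXTS):
    """Return sorted (relative_path, mtime_iso, sha256) tuples for every script
    file under root whose mtime lies inside [window_start, window_end]."""
    root = Path(root)
    hits = []
    for path in root.rglob("*"):
        if not path.is_file() or path.suffix.lower() not in exts:
            continue
        mtime = datetime.fromtimestamp(path.stat().st_mtime, tz=timezone.utc)
        if window_start <= mtime <= window_end:
            rel = str(path.relative_to(root)).replace(os.sep, "/")
            hits.append((rel, mtime.isoformat(), sha256_of(path)))
    return sorted(hits)


def _ts(year, month, day):
    """Unix timestamp for midnight UTC on the given date."""
    return datetime(year, month, day, tzinfo=timezone.utc).timestamp()


def build_sample_tree(root):
    """Constructed sample tree: one legitimate old page, one script file dropped
    inside the window, and one non-script file also dated inside the window."""
    root = Path(root)
    app = root / "wwwroot" / "app"
    app.mkdir(parents=True, exist_ok=True)

    legit = app / "index.aspx"
    legit.write_text("<%-- legitimate page (constructed) --%>")
    os.utime(legit, (_ts(2020, 6, 1), _ts(2020, 6, 1)))

    dropped = app / "dropped.aspx"
    dropped.write_text("<%-- placeholder content (constructed) --%>")
    os.utime(dropped, (_ts(2021, 2, 27), _ts(2021, 2, 27)))

    image = app / "logo.png"
    image.write_bytes(b"\x89PNG placeholder (constructed)")
    os.utime(image, (_ts(2021, 2, 27), _ts(2021, 2, 27)))
    return root


def demo():
    """Build the constructed tree in a temp directory and run the triage over it."""
    root = build_sample_tree(tempfile.mkdtemp())
    window_start = datetime(2021, 2, 26, tzinfo=timezone.utc)
    window_end = datetime(2021, 3, 3, tzinfo=timezone.utc)
    return find_recent_script_files(root, window_start, window_end)


if __name__ == "__main__":
    for rel, mtime, digest in demo():
        print(f"{mtime}  {digest}  {rel}")
```

Hash every candidate before removing it, so the record of what was found survives the clean-up; the script only reports, and leaves the decision to delete to the engineer reviewing the output.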

At this point, the team at DataYard is confident in giving all of our managed Exchange VIP systems a thumbs-up and a clean bill of health.  We appreciate the trust and confidence that all of our client partners have in DataYard – we are happy to have helped to avoid this nasty security breach and potential data compromise.  Please let us know if you have any questions or requests to help make IT better.

Have a fantastic weekend,
The DataYard Team

Bring Your Own Device

With the increasing affordability of modern technology, along with the integration of that technology in our day-to-day lives, an individual person often has numerous devices they utilize throughout the day. Almost every adult has their own smartphone. Over 50% of US adults own a tablet. Laptop ownership is even higher among certain age groups.


Why Backing Up Data is So Important for Businesses

Remember the days of floppy disks, when you entrusted important documents to tiny pieces of plastic that were easily lost, destroyed, or erased? Well, maybe you don’t because you’re too young to have even held a floppy disk, but it’s the same scenario with CDs, flash drives, and external hard drives today. Thankfully, we have cloud storage systems like DataYard’s OwnCloud, which is similar to Google Drive, OneDrive, and Dropbox, to hold various documents.

On top of that, many of our files end up in our email or on a project management system that we can access from any internet-connected device. 

These days, you’d have to be crazy to trust important files to a single disk, or even one hard drive. And yet, many businesses fail to properly back up their computer and server systems, leading to much bigger issues.

Many companies that suffer a major data loss without a proper backup system in place never fully recover. Don’t think your business can suffer from data loss? Think again. 

There are many ways to lose data...

People often associate data loss with data breaches and malicious attacks, which is fair. After all, cyber-attacks, viruses, and other malicious activities ultimately result in the theft, corruption, and/or general loss of data. 

But that’s certainly not the only way you can lose data. 

Even if your systems are updated and well protected from external threats, things can still go very wrong. Machines break. Hard drives wear out. A power outage can result in the loss of unsaved information. A fire or natural disaster can destroy the equipment housing your data. 

Not to mention the dreaded data loss due to something as basic as spilling a cup of coffee on a computer or network device. Nearly 30% of hard drive failures are caused by simple accidents.

Losing data costs a lot of time and money. Having your systems down can cost a lot as well. If you want to keep your business safe and your information protected, you need proper backup systems in place.

For those who operate under various compliance standards, backup systems are likely required. Failure to follow backup protocol can result in the loss of clients, as well as potential fines.

Providing Peace of Mind with Quality Backup Support 

At DataYard, we understand just how important backups are to modern businesses. That’s why our backup services go above and beyond the various needs of our customers. Whether you have compliance standards to meet or not, we can make sure your information is safe.

Our cloud hosting automatically creates daily backups going back at least 30 days. Additional backups can be made as needed. Our servers are housed in our data center, which is well protected against power outages and other dangers.

Additionally, we offer colocation for those who prefer/need to use their own equipment. Want backups created offsite? We can help with that too. 

In addition to our general server capabilities, we offer consultation and management to clients across the globe, along with onsite IT services in the Dayton, Ohio area. 

Keep your business protected from data loss. Contact DataYard today.

Our Data Center is Here for You



Protecting CUI and Maintaining NIST 800-171 Compliance

If you work for a company with government contracts, you’re well aware of how important security and compliance are, especially when it comes to how data is handled. While you might not be working with officially classified information as a non-federal contractor, you’re still handling potentially sensitive materials.

The primary standard governing the handling and accessing of non-classified information is NIST 800-171. NIST 800-171 (also referred to as NIST SP 800-171 or simply 800-171) is a set of security standards for non-federal computer systems, mandating how Controlled Unclassified Information (CUI) is to be handled. 

NIST 800-171 was created in response to a lack of consistency across federal departments and their contractors that left openings for exploits and resulted in some major breaches of information. With NIST 800-171, all non-federal contractors have a universal set of standards to follow when it comes to how they handle CUI.

Handling Controlled Unclassified Information (CUI)

CUI is a classification created in 2008 to cover information that is potentially sensitive and relevant to US interests. CUI includes intellectual property, technical drawings, blueprints, legal materials, and more. 

Before CUI, agencies used their own internal systems for marking and filing unclassified information, creating confusion and openings for security breaches. CUI helps keep unclassified information better protected and better organized through a filing system of categories and subcategories such as Agriculture, Patent, Law Enforcement, etc.  

CUI should not be confused with classified information, which falls under NIST 800-53. Classified information is placed under significantly higher restrictions, can only be accessed by officials holding specific security clearance, and can result in criminal charges when mishandled.

Handling CUI might not be as strict, but achieving NIST 800-171 compliance can still be a complicated process.

Achieving and Maintaining NIST 800-171 Compliance 

If you’re handling CUI in any way, then you are bound to NIST 800-171 standards. If you are working for a federal or state organization, you fall under NIST 800-171. Even if you are working with a third party who, in turn, is working with a government agency, you may need to follow NIST 800-171.

It’s always best to be safe rather than be in trouble with the federal government. Failure to protect CUI and follow NIST 800-171 will result in the loss of your current contract, as well as future work. It may incur additional penalties as well. 

NIST 800-171 sets standards for user access, authentication procedures, activity monitoring, maintenance and updates, physical server access, risk assessment, incident response, and more. Achieving compliance is not as simple as checking a few boxes. It is an ongoing process. That’s where we can help.

Being located in Dayton, Ohio, DataYard is well-versed in NIST 800-171 compliance. We provide a roadmap experience for our clients, guiding them along the way to meeting all of the necessary standards and helping them maintain them. 

From IT consultation to secured hosting to Dayton colocation, our suite of services can be tailored to meet all of the necessary NIST 800-171 standards. Contact us today to learn more and begin your journey towards true compliance.  

Need Help Maintaining Compliance?



Who Exactly Needs to be HIPAA Compliant?

HIPAA compliance can be a little intimidating for those who have never dealt with it before. Not only are the rules vast and complex, but failure to follow HIPAA can lead to major fines, lawsuits, and more. Before you dig too deeply into the ins and outs of HIPAA, it makes sense to wonder whether or not HIPAA is a factor for you in the first place.

Though HIPAA stands for the Health Insurance Portability and Accountability Act, it of course extends to more than just health insurance providers.  

Anyone working within the health or medical industry at any capacity will encounter some part of HIPAA. This includes physicians, dentists, counselors, and more. Additionally, companies that have vendors, customers, or third-party connections in the health industry may also be required to follow parts of HIPAA. 

In today’s digital age, one area where businesses really need to be mindful of HIPAA compliance is regarding their online tools and services. 

Do Your Online Services Need to be HIPAA Compliant?

Virtually every business or organization has a website these days. That website is hosted on a physical server somewhere. However, not all servers are the same.  

In addition to different speeds, capacities, and software, some servers are HIPAA compliant while others are not. Now, just because you operate within the health industry does not necessarily mean you need HIPAA compliant hosting. 

For example, let’s say you’re a dental office with a simple website explaining who you are, what you do, and how you can be reached. In this case, HIPAA compliant hosting isn’t required. However, if you wish to add digital intake forms, or you plan on storing current or potential clients’ health information, HIPAA comes into play.

Of course, it’s not just websites that are hosted on servers. Email, online software, cloud storage, and more all fall under HIPAA compliance rules. It’s important to make sure you’re protected. 

HIPAA Consultation Makes Compliance Easy 

At DataYard, we provide HIPAA compliant hosting solutions and IT services to protect your clients’ information and keep you from facing hefty fines. We realize you might not exactly know what you need when it comes to maintaining HIPAA compliance. That’s why we also offer IT consultation services that we call the Discovery process to make sure you get exactly what’s needed. 

Whether you know what you’re looking for or you’re looking to talk to someone who does, DataYard is here for you.

Need Security Consultation?


Basic Requirements of HIPAA Data Compliance

Security should be a high priority for any business sharing information across the internet (or any other digital network). For those who operate under HIPAA, it’s not just something you should do; it’s something you have to do by law. 

Recently, we discussed which part of HIPAA covers digital and online assets. Today, we’re going to focus on some of the basic features HIPAA requires. This is by no means a full breakdown, as that would be very long, confusing, and attention shattering.

Instead, we’ll discuss some of the broader areas you’ll want to make sure are covered by your hosting provider and IT team.

The goal here is to handle PHI (protected health information) appropriately by ensuring three things:

  1. PHI can only be viewed, edited, and shared by authorized people. 
  2. An individual must be able to access their PHI whenever they choose to. 
  3. PHI must be safeguarded against data loss. 

To do so, you’ll need the following… 

Data Encryption 

Data encryption is the first level of defense for your PHI. This ensures that data can only be accessed through the proper points of access (such as login portals). Should a person or program go around your server controls to break into your system, any data obtained will be undecipherable.  

Access Logs 

It’s important to know who accesses what data and when they access it. Also, any changes, edits, or additions must be logged. These logs will help prove that compliance has been maintained. Should problems arise, they’ll also help determine the source and what’s been affected.  

Typically, access logs should go back as far as six years. 

Automated Backup Systems 

It’s not just data breaches that you need to protect against. The loss of data can be just as damaging. HIPAA systems are required to make regular, complete backups that are fully encrypted. That way, should your system be breached or destroyed, a backup can be put in place to maintain compliance.  

Backup Power 

In order to keep information accessible, the power needs to keep running to your servers and systems at all times. Backup power is required to protect against potential outages and ensure that PHI can always be accessed.

System Updates 

Outdated software or hardware systems can be a common cause for both technological issues and breaches in security. Any server, network, OS, or device that’s involved in the handling of PHI must stay up to date. 

Depending on the complexity of your network, this can be quite an undertaking. 

Password Compliance 

Weak passwords are very dangerous for any system. In fact, they’re the most common cause of data breaches. In the case of HIPAA, weak passwords aren’t just a liability; they can violate policy. Organizations operating under HIPAA must have systems implemented for creating, changing, and safeguarding passwords.

The specifics of how you go about doing this can vary. What matters most is that you have an established system that everyone follows. 

Still, using complex passwords and changing them frequently isn’t always enough. Even when strong passwords are used and regularly changed, you can still be vulnerable to brute force attacks (programs that keep submitting password guesses until the right one is accepted).

To truly protect yourself, you need additional security measures in place that raise warnings and lock out attackers before they can guess your password.
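The lockout-and-warn control described above is easy to show in code. The following is an added example written for this page, not a DataYard implementation: it counts failed logins per account inside a sliding window, locks the account for a cooling-off period once a threshold is reached (refusing even a correct password while locked) and records an alert for the security team. The threshold of 5 failures in 5 minutes, the 15-minute lockout, the usernames and the 203.0.113.x addresses are all constructed assumptions.

```python
"""Failed-login lockout with alerting over a constructed authentication event
stream (added example, not DataYard's implementation; thresholds, users and
addresses are assumptions)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, username, source_ip, outcome).
# 203.0.113.0/24 is the documentation range, so these addresses are not real hosts.
SAMPLE_EVENTS = [
    ("2021-03-04T09:00:01", "jdoe",   "203.0.113.10", "failure"),
    ("2021-03-04T09:00:07", "jdoe",   "203.0.113.10", "failure"),
    ("2021-03-04T09:00:15", "jdoe",   "203.0.113.10", "failure"),
    ("2021-03-04T09:00:22", "asmith", "198.51.100.7", "success"),
    ("2021-03-04T09:00:30", "jdoe",   "203.0.113.10", "failure"),
    ("2021-03-04T09:00:41", "jdoe",   "203.0.113.10", "failure"),
    ("2021-03-04T09:01:05", "jdoe",   "203.0.113.10", "success"),  # correct password, but account is locked
    ("2021-03-04T09:20:00", "jdoe",   "192.0.2.44",   "success"),  # lockout has expired
]


class LoginGuard:
    """Per-account sliding-window failure counter with temporary lockout."""

    def __init__(self, threshold=5, window=timedelta(minutes=5), lockout=timedelta(minutes=15)):
        self.threshold = threshold
        self.window = window
        self.lockout = lockout
        self.failures = defaultdict(deque)  # username -> timestamps of recent failures
        self.locked_until = {}              # username -> datetime when the lock expires
        self.alerts = []                    # human-readable alert lines for the SOC

    def handle(self, ts, user, ip, outcome):
        """Return the decision for one event: allowed, failed, locked or rejected_locked."""
        if user in self.locked_until:
            if ts < self.locked_until[user]:
                # While locked, every attempt is refused and does not count as a new failure.
                return "rejected_locked"
            del self.locked_until[user]

        if outcome == "success":
            self.failures[user].clear()
            return "allowed"

        recent = self.failures[user]
        recent.append(ts)
        # Drop failures that fell out of the sliding window.
        while recent and ts - recent[0] > self.window:
            recent.popleft()

        if len(recent) >= self.threshold:
            self.locked_until[user] = ts + self.lockout
            self.alerts.append(
                f"{ts.isoformat()} lockout user={user} last_ip={ip} failures={len(recent)}"
            )
            recent.clear()
            return "locked"
        return "failed"


def run_sample(events=SAMPLE_EVENTS):
    """Feed the constructed events through a LoginGuard; return (decisions, alerts)."""
    guard = LoginGuard()
    decisions = [
        guard.handle(datetime.fromisoformat(ts), user, ip, outcome)
        for ts, user, ip, outcome in events
    ]
    return decisions, guard.alerts


if __name__ == "__main__":
    decisions, alerts = run_sample()
    for event, decision in zip(SAMPLE_EVENTS, decisions):
        print(f"{event[0]} {event[1]:<7} {event[3]:<8} -> {decision}")
    print("\n".join(alerts))
```

Counting per account is what stops a guessing campaign against one password; a production control would usually also count per source address and feed the alert lines into a log pipeline, but the sliding window and cooling-off period above are the core of it.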

When It Comes to HIPAA, You Can’t Plead Ignorance 

Whether you understand all the specifics of HIPAA requirements or not makes little difference. You’ll be penalized all the same. Failure to comply with HIPAA rules will put you under the enforcement of the Office for Civil Rights of the Department of Health and Human Services (or OCR). 

An individual HIPAA fine can be as much as $50,000. An organization can be fined as much as $1,500,000 per violation category in a single year. On top of that, you may face civil lawsuits from people affected by any breaches or data losses. 

This is enough to crush many large companies let alone the small ones. The best protection against this happening is by leveraging the assets, knowledge, and experience of a company like DataYard. 

At DataYard, we provide dedicated cloud hosting, cybersecurity services, and colocation services that can meet the strictest areas of HIPAA compliance. We house our cloud servers in Dayton, Ohio, where they are protected against outages, breaches, and data loss.

Additionally, our IT expertise enables us to consult, advise, and directly assist you in maintaining HIPAA compliance across the rest of your systems.

Contact us today and make sure you maintain compliance.

We Can Keep You HIPAA Compliant


HIPAA Compliance for Hosting and Data Security

If you work anywhere in the healthcare space, you’re probably very familiar with HIPAA compliance. Passed in 1996, the Health Insurance Portability and Accountability Act provides rules and guidelines for healthcare access, health information storage, health insurance, and more.

HIPAA consists of five primary parts or titles:

  • HIPAA Title I – Health care access, portability and renewability
  • HIPAA Title II – Preventing health care fraud and abuse; administrative simplification; medical liability reform
  • HIPAA Title III – Tax-related health provisions
  • HIPAA Title IV – Group health insurance requirements
  • HIPAA Title V – Revenue offsets for tax deductions

While HIPAA provides an important function of protecting the health coverage and personal information of individuals, along with reducing fraud across the industry, it can get a little confusing.

Arguably the most complex section of HIPAA is Title II, which among other things, covers how information is stored and accessed. Since almost everything is digital these days, that means Title II covers your hosting, server, and network setup. 

Meeting the Requirements of HIPAA Title II

Failure to follow the proper requirements of HIPAA Title II can put your customers’ personal data at risk, not to mention result in some serious penalties. It’s very important that all of your information is stored securely within a HIPAA compliant system.

Of course, HIPAA extends beyond hosting, covering IT areas such as account access, password management, and more. You also need to be mindful of working with external vendors and third parties, as they bring additional risks and requirements regarding your data. 

Professional Help for Staying HIPAA Compliant 

By itself, the world of hosting and IT support is very technical. When you add in HIPAA compliance, the complexity multiplies. That’s why it’s best to utilize an experienced IT team that’s well versed in HIPAA compliance. 

At DataYard, we offer a wide range of services for companies and organizations that operate under HIPAA. This includes private cloud hosting at our data center in Dayton, Ohio that meets HIPAA and HITECH requirements. Additionally, we can provide you with consultation, ongoing support, and threat protection so that all of your technological and digital fronts are covered.

You don’t need to understand all of the complexities of HIPAA Title II. You just need an IT team that does. Contact us today! 

Our Data Center is Here for You



How Data Backups Can Help Your Business Meet Compliance

I am often baffled by how often I need to explain the importance of backing up business data. Personally, I feel like I need to back up my own personal data two or three times out of fear that I’ll lose years’ worth of my life in photographs. Those feelings of fear do not seem to translate to everyone when it comes to their business data, but maybe they should.

What type of compliance does my business need?

Depending on the industry there may be multiple layers of security and data compliance regulations that are required by law. Most businesses have at least one industry compliance measure that requires some degree of security and backups. Not meeting compliance on these measures can result in fines, penalties, and in some cases close down the business.

Many compliance measures require some level of security and safeguarding to be in place for business data. If your business keeps records of personal information like names, addresses, phone numbers, emails, etc., or even more sensitive data like financial or medical records, there are strict rules about how you protect that data. One layer of protection is how you’re going to keep it stored and ensure that it does not get lost.

What do backups have to do with compliance?

Backing up data ensures that data is protected from being lost due to unintentional actions, failure, or disaster. Imagine running a medical office and losing a server that stored information about patients’ treatments. If that server is not backed up, that data is gone and could set patients and doctors back by weeks, months, or years in their treatment. In this scenario people’s lives are affected drastically, not to mention the compliance fees and fines that the office may face. Due to scenarios like these, a backup strategy is required by most compliance regulations.

What compliance measures does my business need to address?

If you’re not sure what requirements your business needs to meet, we’ve made a list below of different compliance regulations by industry. If you want to know how we can help you become compliant with any of these regulations or others, feel free to contact our team so we can be your guide.

Finance:
• Gramm-Leach-Bliley Act (GLBA)
• Basel II
• Electronic Fund Transfer Act, Regulation E (EFTA)

Healthcare:
• Health Insurance Portability and Accountability Act (HIPAA)
• Health Information Technology for Economic and Clinical Health Act (HITECH)
• GDPR

Education:
• Family Educational Rights and Privacy Act (FERPA)
• Children’s Online Privacy Protection Act (COPPA)
• Data Protection Act (UK)

Government Compliance Regulations:
• Criminal Justice Information Services (CJIS)
• Federal Information Security Management Act of 2002 (FISMA)

General Business:
• Sarbanes Oxley Act
• Payment Card Industry Data Security Standard (PCI DSS)
• Identity Theft and Assumption Deterrence Act

State Specific:
• Massachusetts 201 CMR 17 (Mass Data Protection Law)
• Nevada Personal Information Data Privacy Encryption Law (NRS 603A)

International:
• Personal Information Protection and Electronic Documents Act (PIPEDA)
• European Union Data Protection Directive

We can protect your data from yourself.

USER ERROR

User error is the source of the majority of data loss. Our backups provide a safety net that keeps little mistakes from becoming major catastrophes.

COST OVER COST

The cost of backups is minimal in comparison to what a business could face in fines or data recovery fees.

PEACE OF MIND

Live and work without the worry of little mistakes, threats, or malicious activity, because we have your back (ups).
