e-Records 2012: An Information Exchange Primer

e-records conference imageThis article is the fifth in a series of recaps of the 2012 e-Records Conference, a conference dedicated to electronic records management that has been co-sponsored by TSLAC and the Department of Information Resources since 2000. Presentations from the e-Records Conference are available on the e-Records 2012 website.

By Angela Ossar, Government Information Analyst

I admit that the term “Information Exchange” (or IX for short) was not one that I was very familiar with before the conference. But it’s a basic concept: it’s just the way you share information, and it’s of increasing concern to organizations as large-scale data breaches continue to become more common. The presenter for this session, Xavier Chaillot, said that indeed this is a very new topic…but also a very old topic. That is, we’ve been exchanging information as long as we’ve been recording it — since the emergence of the Phoenician Alphabet in 3500 B.C.

Some of the Challenges

The volume of network traffic is ever-increasing, and therefore risks of exposing sensitive data are also on the rise. Chaillot broke down the systems for information exchange in the current era as follows:

  1. Courier (which he called “archaic”);
  2. Fax (“cumbersome”);
  3. Email (“limited”);
  4. File transfer/share (“unsecure”);
  5. Electronic Data Interchange, or EDI (“proprietary”); and
  6. System integration (“hard to scale”).

Data breaches are often borne of unsecured exchanges of information. Chaillot gave some startling statistics about data breaches, such as the fact that (according to the 2012 Data Breach Investigations Report by Verizon), 96% of attacks were “not difficult” and 97% were “avoidable.” The cost of a data breach?  Between $90 and $305 per record in discovery costs and regulatory fines. Those costs might even be higher in Texas, where the Texas Identity Theft Enforcement and Protection Act requires mandatory notification of customers any time there’s a security breach that exposes a name, Social Security Number, or other sensitive information. Chaillot pointed to the Privacy Rights Clearinghouse for a timeline of all data breaches in the U.S. since 2005 and all of the records that have been stolen – over 563 million to date!

Several new challenges to information exchange were identified, like BYOD (bring your own device) policies (where employees may conduct business on their personal devices) and IT “consumerization” (where employees can install file sharing software (e.g., Dropbox) on their own computers temporarily to circumvent problems like file size limits on email attachments). These practices can pose threats to information security.

Some of the Solutions

The presentation was “vendor agnostic,” so even though Chaillot works for OpenText, the solutions offered were not specific to that company. There were two areas of information exchange that Chaillot identified as the “low-hanging fruit”: email and file transfer.

A much more secure way of sending something via email, he said, is to use what’s called Managed File Transfer (MFT). This is a system where the attachment is separated from the email message. A user hits send, the email is encrypted, and the attachment (whose file size is limitless) is taken out, moved to a central repository (or peer-to-peer exchange), and replaced by a link. The recipient must then authenticate before accessing the file.  The link usually expires after two weeks, at which time the attachment is removed from the central repository. Every action taken on that message is logged in an MFT database, so if information is leaked to an unintended recipient, the system has an audit trail showing how that data breach occurred.

The security of file sharing was connected to whether an organization owns the file sharing solution. When you trust an outside entity to store and share your data, said Chaillot, you lose control of that data. So if an organization must use a service like Dropbox, then it should be a Dropbox solution that the organization owns – it’s more secure that way.

Today’s information exchange tools enable faster sharing of information than ever before. There is no question that the switch from paper to electronic records will drastically improve the sharing of information, enabling better care to patients, faster service to customers, and increased productivity all around. The challenges of securing exchanged information shouldn’t necessarily keep us from embracing these tools — but it’s a good idea to have records managers at the table in preliminary discussions to make sure that protecting sensitive data is just as much a priority as exchanging it.