Here at Coviant Software we have been preaching about the dangers of relying on home-brewed, DIY MFT applications for handling sensitive data and files for a long time. If you need a reminder, here are a few examples:
“Please stop wasting your corporate money on tasking the IT team to build solutions to transfer files out of Python, PowerShell, or disparate open-source solutions that are cobbled together. They put your company at unnecessary risk. You can spend less money and task your IT to more meaningful projects by entrusting your file transfers to a reputable commercial solution.”
“At $1,999 per year, Diplomat MFT standard edition would be the right fit for this moderately sized organization. The average pay rate for an IT professional where this organization is located is about $40 per hour, meaning the cost of our secure, proven managed file transfer solution is equivalent to 50 hours of one IT staff member’s labor. If the organization really couldn’t justify $2,000 for a product that could be installed and operating in a matter of minutes, and that will save their staff the time and aggravation it would take to manage these processes manually (not to mention do it more accurately), it might signal bigger problems.”
“In our experience these file transfer mishaps take place because someone didn’t appreciate the importance of reliable and secure managed file transfer and thought they could cobble together a “free” solution with some open-source tools and a little ingenuity. But free can be mighty expensive. What’s more, the risks of relying on someone in-house to build, manage, and operate a home-baked file transfer solution can easily become a DIY horror story (we’ve seen it). Besides, if you hire someone for one job, why would you ask them to do something important that isn’t in their area of expertise? It typically costs more in the long run.”
“FileZilla is easy to use and provides basic file transfer functionality, but for sharing business critical information or data like protected health information (PHI) regulated under HIPAA, or other personally identifiable information (PII) protected by the Federal Trade Commission and other government agencies, it doesn’t stand up. That’s because FileZilla lacks the advanced security features of secure MFT software. FileZilla does not support OpenPGP encryption, doesn’t support advanced automation and monitoring capabilities, and doesn’t capture processes needed for auditability.”
And those were just from blogs we wrote in 2023. Trust me, there’s more where that came from.
Governor Hochul Boards the Bandwagon
We were happy to see a new passenger on the anti-DIY bandwagon last week when New York Governor Kathy Hochul released new draft rules that will require hospitals to improve their data security footing. The announcement on November 13 came on the heels of a series of incidents affecting several hospitals in the Empire State, including two attacks on Westchester Medical Center Health Network hospitals in Kingston and Margaretville that forced the re-routing of ambulances and prompted “code dark” scenarios that took the facilities offline for hours “to address the threat and take necessary steps to fully restore our secure network.”
Now, in what feels like frustration from Albany, Governor Hochul will require hospitals to beef up their cybersecurity capabilities. According to a post on the Governor’s official website, the new proposals will “establish a cybersecurity program and take proven steps to assess internal and external cybersecurity risks, use defensive techniques and infrastructure, implement measures to protect their information systems from unauthorized access or other malicious acts, and take actions to prevent cybersecurity events before they happen.”
Among the proposed mandates, hospitals that use in-house applications for handling protected health information (PHI) covered under the Health Insurance Portability and Accountability Act (HIPAA) must have in place “written procedures, guidelines, and standards to develop secure practices for in-house applications intended for use by the facility.”
DIY Doesn’t Make Sense
That’s smart, but as we’ve been saying for a long time, relying on DIY applications for data movement and management doesn’t make sense given the risks. Asking employees to become experts on everything required to automate PGP key management, data capture for auditability, multi-factor authentication, alert notifications, recipient verification, and task management at virtually unlimited scale is expecting a lot.
The smart decision is to invest in the secure-by-design, value leader in managed file transfer. Hospitals and other healthcare services organizations across the country—including some of the largest enterprises in the industry—depend on Diplomat MFT to safely and reliably send, receive, host, and retrieve their most sensitive files. You can, too.