Outsourcing: Losing Control

Computerworld - A woman in Pakistan recently struck fear among IT executives who outsource. She had obtained sensitive patient documents from the University of California, San Francisco, Medical Center through a medical transcription subcontractor that she worked for, and she threatened to post the files on the Internet unless she was paid more money.
The story didn't sit well with John Golden, CIO at CNA Financial Corp., a $12.3 billion insurance company in Chicago that outsources a small portion of its billing functions to India. Golden's team implemented a slew of physical, technical and contractual security precautions to protect customer data, such as sending only necessary bits of customer information, backing up files in a centralized server at the home office and putting tough restrictions on employee turnover at the outsourcing facility. But there's always a horror story to make him wonder.
"I wish I could say we have the security issue licked," Golden says. "We haven't had any security breaches to our knowledge in this space" since CNA began outsourcing its billing function a year ago. But with the growing number of sophisticated hackers, terrorist threats and old-fashioned opportunists, the threat of a security breach looms daily.
The outsourcing train has left the station with many top financial, health care, tax reporting and credit reporting companies on board. The business process outsourcing market in India alone is expected to grow 54% to $3.6 billion by the end of this quarter, according to the National Association of Software and Services Companies, a New Delhi-based organization made up of 800 Indian IT and outsourcing companies.
Industry observers warn that if outsourcing isn't done thoughtfully, with proper security controls beyond the encrypted domain level, companies will have their own horror stories to tell. Here are their tips on controlling data that's in the hands of a third party:
Ask to See a Security Audit
"If you're handling financial data or health data, you are required by law to have an information security plan that has administrative, technical and physical steps taken to safeguard the data -- even less sensitive customer consumer data," says Becky Burr, an attorney and member of the International Association of Privacy Professionals in Philadelphia.
Though the requirement is broad and doesn't point to one particular standard, Kelly Kavanagh, an analyst at Gartner Inc., says outsourcing vendors should provide evidence that they have undergone a security audit by a reputable third party, such as a Big Four accounting firm.
Audits using standards provided by a government agency such as the National Institute of Standards and Technology or a Statement of Auditing Standards 70 form also provide protection. But many outsourcing firms balk at the high cost of those audits -- some run to six figures -- and choose less expensive documentation.
Some outsourcing vendors conduct audits against vertical industry standards. Health care companies should see an audit related to Health Insurance Portability and Accountability Act (HIPAA) regulations. CIOs in the financial services industry can look for audit guidelines under the Gramm-Leach-Bliley Act.
Set Up a Clean Room
Some facilities handling sensitive data require a clean-room environment to keep information from literally walking out the door.
Peter Bendor-Samuel, CEO of The Everest Group, an outsourcing consulting firm in Dallas, describes a standard clean room: "All the machines and output devices except for terminals are disabled. You can't copy, can't use a hard drive or a PDA to get information out of there. Their servers reside back in the U.S. So there's no way to get data out of there."
What's more, employees are physically searched when entering and leaving. "These are extraordinary precautions," says Bendor-Samuel, and they might not be for every company.
Limit Access to Data
At CNA, all workers enter the centralized server through CNA's intranet, where they can also view links to CNA's methods and procedures and to the company's chat site. To handle its growing outsourcing needs, CNA in April will roll out a companywide portal that will restrict access based on user identity. A customized screen will pop up at the outsourcing facility with only a few options.
Once offshore workers have access to the server, CNA limits the amount of client information they can see. "If we're trying to verify that a customer is a good credit risk, we don't have to send all parts of the application, just [those] required to approve the application," Golden says.
Know Your Workers
No matter how many safety precautions are taken, it's hard to stop the opportunist who steals data for money or revenge. James "Zeke" Zoccoli, CIO at LifeCare Management Services LLC, says the best way to keep his company's outsourced medical transcription records safe is to know the outsourcing workers and make sure they're trained properly about procedures and legal consequences.
"We do that through training, agreements and contracts," says Zoccoli. LifeCare, a Plano, Texas-based operator of 20 long-term-care hospitals in nine states, outsources 400,000 lines of medical transcription data each month to Affiliated Computer Services Inc. in Dallas. Transcriptionists have HIPAA training and know the rules and regulations required to maintain compliance with privacy standards.
Zoccoli and Golden also recommend sending people to visit outsourcing sites regularly to meet employees and monitor employee turnover and subcontracting activities.
Collett is a freelance writer in Chicago. Contact her at stcollett@aol.com.

Read more about security in Computerworld's Security Knowledge Center.