Benefits of Outsourcing HIPAA Hosting

Our HIPAA hosting and HIPAA compliant data center white paper provides a description of a HIPAA compliant data center IT architecture, contractual requirements, benefits and risks of data center outsourcing, and vendor selection criteria.

Here’s an excerpt from section 4.1 on the benefits of outsourcing HIPAA hosting:

Save on Costs

Why would a covered entity with sensitive data outsource its hosting to a third party? A HIPAA compliant hosting provider that has already passed an independent HIPAA audit can save time and money by eliminating the need to audit your vendor in addition to your own business. While it does not release you from the obligation and responsibility of meeting compliance, it helps you achieve compliance more readily and mitigate risk.

Additionally, managed hosting allows your IT team to focus on the applications directly related to your business rather than on the day-to-day details of server updates, data center infrastructure, network management and security, which can more readily be outsourced to a trusted provider.

Security

A HIPAA compliant hosting provider can provide the latest tested and audited technology to help achieve compliance and secure your ePHI. With a variety of required and recommended security methods, you can trust experienced, certified professionals to maintain, monitor and accurately generate logs of activity on your servers.

Outsourcing allows you to benefit from the various levels of security that a quality hosting provider should have in place. These advantages include physical security, environmental controls, logged access and video surveillance, and multiple alarm systems to detect unauthorized access.

Network security includes protection of sensitive infrastructure, including managed servers, cloud, power and network infrastructure built with redundant routers, switches and paired unified threat management (UTM) devices to protect sensitive information.

While the HITECH Act requires that you give patients access to their own records on request, your outsourced hosting provider should never access PHI itself; instead, it should build, maintain and monitor the secure infrastructure in which your sensitive information is stored and transmitted.

Availability

The use of high-availability (HA) solutions in a fully redundant and compliant data center can allow clients to increase their uptime and PHI availability. An HA infrastructure reduces the risk of business downtime caused by a single point of failure. Outsourcing to a HIPAA hosting provider means your business can take advantage of your data center operator’s design of power connections, UPS (uninterruptible power supply) systems, generators, air conditioning and networks.

Flexibility

Outsourcing allows you to benefit from the latest virtualization technologies, such as fifth-generation VMware that dominates the market for applications that require a high degree of scalability. Choosing a high-performance managed cloud allows for the ability to scale servers up and down as needed to respond to the demands of end-users with fast deployment time.

To read about the Risks of Outsourcing, download our HIPAA white paper today.


Keep ePHI on Secure Networks, Not Mobile Devices, Recommends OCR

2012 Healthcare Data Breach Update

Of the 425 breach events reported to the OCR (Office for Civil Rights), two-thirds of all large breach cases involved loss or theft of information, and more than half of these large breaches involved electronic devices.

While a BAA (business associate agreement) can help a healthcare organization maintain control of and insight into the privacy and security practices involved in handling its ePHI (electronic protected health information), the risks of storing and transporting ePHI are also a concern, as exemplified by the reported 5 million individuals affected by a breach caused by backup tapes being stolen from an employee’s car.

About 1 million have been victims of lost backup tapes in office renovation situations, and 400,000 affected by theft of a laptop from an employee’s car. Desktop computer theft from offices has affected 943,000 more, and 63,000 have been affected by theft of a portable media device from an employee’s car.

What’s the solution to this seemingly prevalent problem with ePHI? Revert to paper records in a healthcare vault with multiple doors and lock combinations? Restrict ePHI to existing only on non-mobile electronics? Demand counter-reform in the face of federal reform with the advent of EHR system implementation?

The answer is fairly simple, but often-ignored, ‘best practice’ advice.

Aside from the common sense lesson of ‘don’t leave your electronics in your car,’ David S. Holtzman from the OCR recommends storing data on a secure network, not a mobile device. Instead of losing data when you lose your phone or laptop, the data should be stored in a HIPAA compliant data center with standardized network security in place.

Sensitive infrastructure, such as servers, power and network equipment, should be protected by restricted access. Using an Intrusion Detection Service (IDS) together with monitoring can help notify administrators of a potential breach and give you the tools to resolve an issue, including timestamps and user activity on a server and network.

As a second choice and additional layer of protection, Holtzman recommends encryption to protect the data, its cost being minimal compared to breach fines. For detailed data on the minimum and maximum fines for breaches by type, visit What is a HIPAA Violation?


Looking for more information on HIPAA IT requirements, recommendations, and the foundation of a secure HIPAA compliant data center?

Download our HIPAA Compliant Data Centers white paper now for a complete guide to HIPAA hosting with IT vendors.

Still have questions? Contact us or chat with us now. Find out more about our fully compliant, HIPAA hosting solutions, or submit a quote request for your project today.


Liveblogging from Online Tech’s Spring into IT Seminar!

I’m liveblogging from Online Tech’s Ann Arbor data center – our Spring into IT seminar is underway! The first presentation of the day is You Are Vulnerable: How Not to be a Data Breach Statistic by Adam Goslin of High-Bit Security, at 8:30 A.M. There’s still time to join us for other sessions this morning until 1 P.M.

For the full schedule with times, speakers and location, check out Spring into IT.

Stay tuned for live coverage of the presentations!

8:30 A.M. – You Are Vulnerable: How Not to be a Data Breach Statistic
Speaker: Adam Goslin

There’s been an increase in small-scale breaches involving small to medium-sized businesses. Recent breaches also involve lost or stolen devices (mobile phones or laptops). Encryption gives people a false sense of security – there are many other ways that security can be breached.

Mobile threats are also increasing with the use of mobile devices. Critical infrastructure attacks are also increasing – this includes malware that is designed to attack buildings. Breach costs are now averaged at $194 per record – this includes loss of business, remediation and more.

Only 10 percent of software developers and IT staff were documenting their security protocols.

Vulnerability Scanning

  • Relatively inexpensive
  • Automated, pre-configured scan that looks for known issues and incompatibilities on your network

Penetration Testing

  • Significantly more expensive, but provides more coverage over networks, all devices, wireless systems and more
  • Detailed website and application testing
  • Performed and evaluated by a certified security engineer
  • A detailed report includes what was found, where it was found, and what the issue means, as well as specifics on how to resolve the issues

A few ways to test the security of an organization include external hacking (ethical hacking) to find vulnerabilities of a system and social engineering – attempting to gain access to a system face-to-face.

9:00 A.M. – Compliance Reporting and Remediation with VMware
Speaker: Brian Foley

Introducing vCenter Configuration Manager

Customer concerns include: lacking visibility into their environment, dealing with change management issues, industry compliance standards, ensuring systems are patched.

VCM is cloud-ready, with quick-time-to-value to meet compliance requirements – compliance standards are built into the system.

Benefits include:

  • Correlate performance to change with change management logs.
  • Allows you to create and customize your own compliance rules, and also ships with a number of predefined compliance standards that you can check your current system against.
  • VCM also gives real-time and historical graphs of your degree of ongoing compliance, and allows for accelerated auditing with automated compliance.

9:30 A.M. – HIPAA at 16
Speaker: Joe Dylewski

HITECH was created in order to enforce the implementation of EMR (electronic medical record) systems by providing incentives for healthcare organizations. Meaningful use was created for physicians to prove the systems were being used. The maximum breach penalty was increased to $1.5 million.

Spring into IT Seminar Speaker Joe Dylewski

10:00 A.M. – Data Security in the Cloud
Speaker: Steve Aiello, CISSP

Cloud computing security is a corporate strategy. Most of the vulnerabilities and threats have been around for a long time. Security concerns have risen due to the major attacks on Sony, PBS, CIA, FBI, PayPal and other large corporations. Just because you’re compliant, it does not mean you are secure.

What is security? It’s the CIA triad: the confidentiality, integrity and availability of the data.

  • Confidentiality – Keep information private. Determine what’s intellectual property to your company, and what needs to stay secure.
  • Integrity – Keeping your data intact/accurate.
  • Availability – Your data is there when you need it.

Question to ask your company: Where can you reinvest cost-savings from using cloud technologies to improve overall security?

Something to consider: the introduction of external parties/providers shouldn’t lessen your security profile. Questions to ask about your vendor:

  • Is your cloud provider audited regularly?
  • Will they share the results of their audit?
  • Do they have processes in place to pass on that tribal knowledge?

Provider offerings that increase security:

  • WAF
  • Encryption
  • Unique user IDs
  • Two-factor authentication
  • Applications
  • And more

Cloud Options vs. Security

  • The lower in the cloud stack the service provider’s responsibility stops, the more security you as the user absorb

Potential targeted technology:

  • Hypervisors
  • Orchestration Tools
  • Administrative Machines
  • API Endpoints
  • Virtual Machines
  • Applications

10:30 A.M. – Two-Factor Authentication
Speaker: Chris Schmitt

Factors of authentication include something you are (biometrics), something you own (a card), and something you know (a PIN). Two-factor authentication is required for PCI compliance.

TFA is ideal for protecting sensitive data – it’s important that the two-factor tool you choose integrates widely. TFA solves the problem of a weak password – it provides an extra layer of security and helps with access control. TFA doesn’t solve regulatory financial compliance.

When picking a TFA solution, focus on simplicity and management – the ability to sign up all users at one time and easily manage them is ideal. Online Tech uses Duo Security, an Ann Arbor-based tech company. Uptime availability is also important.

11:00 A.M. – How to Properly Configure a High Availability Server Rack
Speaker: Noah Wolff

[This will be video-taped and posted after the seminar concludes].

High availability is the percentage of time a system is available – do you need it? Consider the costs/consequences of downtime and your mission critical applications.

Common HA misconceptions – having a UPS is enough, having two firewalls is enough, having power supplies on a server is enough, and colocating in a data center is enough (although a DC may provide HA, you may not be taking advantage of it).

Reasons to go HA – ease of maintenance; a single point of failure can affect your uptime, and downtime can mean a loss of clients and business.

HA does not protect you from security breaches or human error. Backup is still important, even if you do have HA. DR assumes multiple points of failure. HA does cost more, and does not cover all possible sources of failure.

The most common mistake with configuring for HA is the failure to test it.

Noah Configuring a HA Server Rack

12:00 – The Mobile Explosion: What Does it Mean for You, Your Business, and Michigan’s Economy
Speaker: Linda Daichendt

Mobile is today’s primary consumer device – 5.3 billion people have mobile devices of some kind, and 1.1 billion have tablets or laptops. We have 103.9% mobile subscriptions per capita, meaning more subscriptions than our entire population.

Consumption of the internet via mobile phones has increased over 1200% in the last few years. When it comes to marketing, the average response rate to a mobile offer is between 12-15%. Depending on the type of business (consumer-based), some markets have seen over 60% response rates.

Linda Daichendt's Keynote Speech on Mobile Trends

Check back to our blog in the next week for a full blog post on the mobile trends, statistics and latest technology presented by Linda.


Healthcare Organizations: Seeking a Cloud Provider? BAAs Required

If you use a cloud service, it should be your business associate. If they refuse to sign a business associate agreement, don’t use the cloud service.

- David S. Holtzman of the Health Information Privacy Division of OCR during a speech at the Health Care Compliance Association’s 16th Annual Compliance Institute.

The OCR (Office for Civil Rights) is the federal enforcer of HIPAA/HITECH. This definitive statement straight from the governing body puts to rest the question of whether cloud providers should be considered business associates for covered entities in the healthcare industry, as well as the question of whether a business associate agreement is required.

Holtzman’s speech included a specific example of a recent HIPAA violation involving the Phoenix Cardiac Surgery physician practice. Protected health information (PHI) was found posted on an Internet-based calendar, openly available to the public. The practice was using a public cloud-based application that did not have any privacy or security controls.

The lessons learned, according to Holtzman, include the practice’s lack of security and privacy controls, as well as its failure to consider cloud providers to be business associates and to sign a business associate agreement (BAA).

Why is it imperative to sign a BAA with a HIPAA cloud provider, as a healthcare organization concerned about PHI security and HIPAA compliance?

Ownership
Who has access to and rights over your data should be clarified in the BAA with your cloud provider – some cloud providers may include provisions in your contract that give them ownership and control of your data while it is hosted in their environment. Loss of ownership and control may leave your PHI vulnerable to a breach.

Location
HIPAA security standards apply to covered entities within the United States; if your data is being hosted overseas, the same privacy and security laws may not apply. Know where your data lives and assess the physical, logical and network security of the data center or hosting facility. Read more about Data Center Security and Secure Hosting.

Breach Notification
A clause in your BAA should address breach notification in the event of a data leak – if your cloud provider becomes aware of a breach, they should have a plan in place that outlines a timeline for notifying the covered entity and their next steps. The OCR requires multiple documents within ten days of a breach – check that your cloud provider is aware of these and has the information or ability to help you collect and/or create them.

Security and Privacy Controls
Does your cloud provider have documented policies and procedures in place that include employee training on how to securely handle PHI? The obligations and responsibilities of the cloud provider should be outlined in your BAA clearly.

Protocol After Termination
After contract termination with a cloud provider, the terms of data destruction and/or return of the data to the covered entity should be addressed. Keeping copies of sensitive information within your organization is key to maintaining data confidentiality and access limitation.

The OCR’s HIPAA audit pilot program, launched late last year, was intended to identify areas of improvement for covered entities when it comes to data security. With this field research, the OCR can provide more useful guidelines for other healthcare organizations, including the necessity of signing a BAA with cloud vendors.

Recommended Reading
What’s in a Business Associate Agreement?
Online Tech’s BAA Breach Notification Clause
Five Questions to Ask Your HIPAA Hosting Provider
Who Needs to Be HIPAA Compliant?

References:
HIPAA Audits Wrapping Up at Year’s End as Federal Funding Winds Down – Health Law Resource Center, Bloomberg BNA



Mobile Security: Trying to Keep Up

Mobile Security

There’s no question that our society is embracing the technology in front of us. Look back almost 25 years in five-year increments and you can see the massive innovation and technological impact our society experiences on an everyday basis. In the US today, more than 50% of cell phone purchases are smartphones, up from 21% two years ago. With this massive increase in mobile computing, security has become the focal point. However, security always seems to trail the explosion in the mobile computing sphere.

This past January, a story broke about a man who forgot his passport as he was entering customs to enter the United States from Canada. Realizing he had a scanned image of his passport on his iPad, he handed his iPad to the customs agent in the hope that it would be enough to get him into the United States. After a few minutes of deliberation and some awkward looks, he was allowed into the United States on the strength of the scanned image of his passport and continued on to his destination. According to border officials, these situations are usually handled on an individual basis and can go many different ways, but this man’s thinking is a possible sign of things to come.

With the technology available, there is an opportunity to have documents with us at all times, whenever we need them. Not only could this give us access to our music, videos and pictures at a moment’s notice, but to personal documents as well. This could pose a huge security risk to us. There is always someone trying to manipulate the systems in place for their own benefit. People have created fake passports and fake IDs, and have found many loopholes in systems. This type of malicious activity happens all the time and is a continuing and growing threat to our everyday life.

In an ever-changing world, more and more of these types of cases will be coming up in the near future. There are already talks and technologies in place where your phone could become a personal wallet to make transactions with the flick of a wrist. It wouldn’t surprise me if there comes a day when we’ll have scans of all of our sensitive documents (SSN cards, birth certificates, financial documents) on our tablets for identification purposes and having a paper copy becomes obsolete. If this becomes the norm of mobile computing, there need to be measures on all ends of the spectrum to better secure ourselves.

This first and foremost starts with the user. Whether that’s having some sort of disaster recovery plan for all of your files, or adding a two-factor authentication solution to the mix, there are ways you can keep yourself better protected. Until full security measures are in place and implemented by everyone, security will always be a huge factor in the future of mobile computing as it stands today.

On the topic of Mobile Security, Linda Daichendt from the Mobile Technology Association of Michigan will be the keynote speaker at our Spring into IT event on May 11th discussing: “The Mobile Explosion: What Does it Mean for You, Your Business, and Michigan’s Economy”.

For more information on mobile security, check out Mobile Security: How Safe Is Your Data? and Mobile Security: Are Your Apps Safe?

Sources:
http://blog.nielsen.com/nielsenwire/online_mobile/smartphones-account-for-half-of-all-mobile-phones-dominate-new-phone-purchases-in-the-us/
http://www.theglobeandmail.com/news/national/flash-of-an-ipad-gets-man-past-border-security/article2290029/


Online Tech On The Michigan Business Network

Michigan Business Network

Yan Ness, CEO of Online Tech, will be on the Michigan Business Network, 10 A.M. ET tomorrow morning. Be sure to tune in and listen online!

If you happen to miss a show, you can always listen to podcasts of previous programs by using the Michigan Business Network’s Broadcast Schedule. We’ll post a link to the podcast after it airs.

Yan will discuss our upcoming Spring into IT seminar scheduled for this Friday morning, with seminar sessions running from 8 A.M. to 1 P.M. ET at our newest Ann Arbor data center.

It’s free to attend, and online registration is still open. Please join us for just one session or stay for the special noon keynote on mobile technology.  Register online today.


Raising the Bar on Security, Reliability and Compliance

An update from Online Tech’s President:

As we roll into spring, Online Tech continues to raise the bar on the security, reliability and compliance of our data centers and services.  Here is a brief list of some of the capabilities we’ve added over the first four months of this year:

Audits and Compliance:
As you may know, we continue to invest heavily to ensure we meet the top tier of data center standards.  In the recent months, we’ve successfully completed three new audits:

  • SOC 2 & SOC 3 Audits – Online Tech was the first multi-tenant data center in the country to complete this much more stringent AICPA audit. SOC 2 is a more objective standard for high quality data center operators and we passed the audit with flying colors.  You can read more on this audit at: http://www.onlinetech.com/secure-hosting/sarbanes-oxley-sox-compliant-hosting/soc-2-a-soc-3-hosting
  • PCI Audit – In February we completed one of the most technically demanding audits for security in the Payment Card Industry (PCI).  PCI compliance is required for any company that receives, processes or stores credit card information on their servers.
  • Energy Star Certification – With our investments last year in our Mid-Michigan data center, we achieved the EPA’s Energy Star Certification for energy efficiency.  The Mid-Michigan data center performs in the top 25 percent of data centers nationwide for energy efficiency and meets strict performance levels set by the EPA.

Data Center Infrastructure:

  • New Fiber into Mid-Michigan – We’ve added another optic path to our Internet providers in Mid-Michigan – increasing the redundancy and resiliency of our Internet connections.
  • Comcast Fiber in Mid-Michigan – Comcast has also installed fiber into Mid-Michigan. Comcast Business Class is an additional connection option for our clients that need high speed direct connection to our data centers.
  • We also added a redundant dark fiber circuit between our Ann Arbor data centers.  This second path takes an entirely different route through the Avis Farms office park – providing a more resilient connection between the two data centers.

New Network Security Services:
In the next 90 days, we will be rolling out an enhanced set of network services to meet PCI security requirements. The first of these services is two-factor VPN authentication.

  • Two-factor VPN Authentication – We teamed up with Duo Security to provide a simple, mobile phone-based authentication method that is much more convenient and easier to use than traditional two-factor systems. The security measure adds an extra layer of protection to critical VPN connections by requiring a secondary authentication method to gain network access.  If you have critical data such as financial or healthcare information on your servers, we recommend you take a look at two-factor VPN authentication.

Website & Seminars:

  • Spring into IT Seminar – This Friday, May 11th, we’re bringing in the experts on Mobile Computing, Cloud Security, HIPAA, PCI Compliance, and Network Security for a morning of technical seminars at our Ann Arbor 2 data center.  We’d love to have you join us.  You can register at: http://www.onlinetech.com/resources/events/seminars/spring-into-it
  • New Web Site & Blog – We launched our new website at the beginning of this year and we’d love your feedback.  Something confusing?  Something you love?  Let us know.  We appreciate your feedback because it helps us continue to better serve you.

Net Promoter Score:

  • We started using the Net Promoter System (NPS) from the book “The Ultimate Question 2.0” by Fred Reichheld to track and measure client satisfaction. We want to consistently deliver excellent client service through our metrics, accountability and visibility.

As you can see, we’re working hard to earn our reputation as one of the top mission-critical data center operators in the country.  We look forward to continuing to serve your hosting needs.

Best Regards,

Mike Klein
President & Chief Operating Officer
Online Tech Inc.


Online Tech Update: Tech Seminar, White Paper and Scholarships

Here’s a brief roundup of what’s new with Online Tech in May:

Spring into IT

Spring into IT May 2012

This Friday, we’re bringing in the experts to launch technical discussions and provide tactical knowledge around topics like cloud computing security, HIPAA compliance, how to properly configure server racks, how to comply with PCI DSS standards, and more.

Don’t miss our special noon keynote speaker, Linda Daichendt, Executive Director of the Mobile Technology Association of Michigan, and her presentation on “The Mobile Explosion: What Does it Mean for You, Your Business, and Michigan’s Economy.”

Stay for a few sessions, breakfast or lunch, or join us for the morning for great networking opportunities. Sign up online and view the seminar schedule and location here.

HIPAA Compliant Data Centers White Paper

CIOs, CEOs, physicians, healthcare SaaS (Software-as-a-Service) providers and any other IT decision-maker or influencer should download and read this paper.

This is a comprehensive, detailed document for anyone seeking more information about the implications of HIPAA/HITECH on data centers, the role of business associates, specific technology requirements and recommendations, and more.

We consulted with a Certified HIPAA Security Specialist (CHSS) and internal engineers to create a diagram comparing each HIPAA standard to our applied technology to create a secure and private hosting environment. We’re serious about compliance, and we want to share our research and knowledge to educate the industry to make more informed hosting decisions. Download the white paper today.

Data Security Scholarships

Stay tuned for more about this great opportunity for tech-minded students interested in health IT, cloud computing, data security, disaster recovery, colocation and a variety of other topics. We’ll post a detailed blog tomorrow about how to sign up and what you’ll need to enter the scholarship program.

IMN Data Center Forum in NYC

IMN Data Center Forum

Online Tech will be attending the Second Annual Spring Forum on Financing, Investing and Real Estate Development for Data Centers at the end of May, in New York City, New York.

Online Tech CEO and President Mike Klein will be leading a session on Evaluating Data Center Business Models, May 24 at 8:30 A.M. Find out more about the session and panel here.


Big Data: What It Means for Science, Healthcare and Social Media

Big data is just what it sounds like – an immense amount of data.  From social networks to genomics to medical records, big data is everywhere and rapidly growing. Technology must adapt and advance in the management of big data – otherwise these large data sets would be rendered useless without the capability to efficiently analyze them and produce results. Federal agencies have announced $200 million in research and development investments that will allow them to mine, process and store big data.

Science

Cancer Genomics Hub

The National Cancer Institute is funding a $10.5 million project, managed by UC Santa Cruz, for a supercomputer that will store the genetic codes of malignancies from 10,000 patients with the intent of revealing the mutations that trigger uncontrolled cell growth. The Cancer Genomics Hub (CGHub), said to be the world’s largest repository for cancer genomes, will sift through the large amount of data to find gene mutations that cause tumors and make cross-dataset comparisons easier – significantly reducing the time it takes to analyze data sets and produce results.

To get an idea of why big data is so big – according to the Oakland Tribune, each tumor’s DNA record is 300 billion bytes (1 gigabyte), which has to be compared to a normal genome (billions of bytes), plus the sequence data from RNA – all adding up to nearly a terabyte for each case.

Healthcare

Not only does big data have major implications for scientific breakthroughs, the aggregation and analysis of healthcare data sets can improve patient care. Digital records stored in electronic medical record or electronic health record systems (EMR/EHRs) can be mined to detect patterns in care. These patterns can help advance the healthcare industry by assisting in the automation of processes in the patient-care workflow, and bring the industry up to speed with the technological advancement of other industries.

Hospitals and healthcare software companies also need storage-intensive hosting solutions for systems such as PACS (Picture Archiving and Communications Systems) that store and process medical imaging, including X-rays, MRIs, CAT/CT scans and others. A high-capacity HIPAA cloud with a managed SAN (Storage Area Network) can offer a scalable solution to healthcare’s big data needs.

Social Media

Social media generates a vast amount of user-generated data collected from many sources, including mobile phones – demanding an intelligent way to manage and analyze the content. DataSift is a U.K.-based startup launched to handle this volume of social media data by analyzing feed data based on pairing related quantifiers and keyphrases.

The company intends to use monitoring and data analysis to measure intent-to-buy, helping sales teams and companies build financial models around customer conversations. The last week of April was even declared Big Data Week by the Head of Client Services at DataSift, sponsored by Oracle and EMC, with meetups and communities in three countries to discuss big data innovations and startups.

While brands have long tracked social media for mentions and support-related issues, entrepreneurs are taking it a step further by developing new and more meaningful ways to analyze big data in social media to shape and influence business decisions.

Twitter recently announced its plan to team up with the UC Berkeley School of Information to develop and teach a class entirely about analyzing big data, aptly named Analyzing Big Data with Twitter. The course description lists the topics, including applied natural language processing algorithms such as sentiment analysis, large-scale anomaly detection, real-time search and more. Students will be advised by Twitter engineers on programming-intensive projects that include building apps and analyzing social media data.

Beyond the hype, big data has the potential to put hard facts and real figures behind scientific research, business development and healthcare management.

References:
Cancer Genome Data Center Raises Hope for Cures
DataSift Exploits Big Data for New Insights Into Customers
Twitter Teams Up with UC Berkeley to Teach Students About Big Data
White House Launches Government-Wide Investment in Big Data
World’s Largest Hub for Cancer Genomes Opens
Cancer Genomics Hub – UC Santa Cruz

Posted in HIPAA Compliance, Michigan Data Centers, PCI Compliance

NIST Recommendations for Security in the Outsourced Cloud

NIST (the National Institute of Standards and Technology) provides a number of recommendations addressing the security and privacy issues of outsourcing to cloud hosting services in its Guidelines on Security and Privacy in Public Cloud Computing (Special Publication 800-144), published last December:

Governance
By governance, NIST means the organizational controls over policies, procedures and standards for development, and over the design, implementation, testing, use and monitoring of deployed services. In short, while the cloud requires less capital investment, it still requires a high level of employee training and administrative oversight to maintain security.

Governance also means proactive risk management, in the form of deploying audit tools to determine how data is stored, protected and used. Securing the audit trail of user and system activity so it cannot be altered is a PCI DSS requirement (10.5), and audit controls are a required technical safeguard under the HIPAA Security Rule (45 CFR §164.312(b)). File integrity monitoring and log monitoring provide a continuous record of activity and can alert you to abnormal use before it becomes a breach; the monitoring is only as trustworthy as the logs it produces, so the audit trail itself has to be protected from the administrators and attackers whose actions it records.

Compliance
While NIST recognizes the complexity and breadth of compliance regulations varying by industry, region and governing body, the take-home message is that organizations are ultimately held accountable for the security and privacy of data that is held by a cloud provider on their behalf.

NIST doesn’t come out and say that cloud providers need to abide by the same standards that, for example, covered entities in the healthcare industry must follow. They also recognize that “the degree to which they will accept liability in their service agreements, for exposure of content under their control, remains to be seen.” This statement reflects current industry practice around compliance rather than endorsing a standard that cloud providers should follow.

But if the organization remains responsible for the security and privacy of data held by a cloud provider, then it is up to the organization to thoroughly assess the provider’s security controls and its knowledge of the relevant industry standards.

Another aspect of compliance is data location – if outsourcing, tour the provider’s data center facilities so you know exactly where your data will live and what kind of security is in place to protect it. Download our HIPAA compliant data centers white paper for a complete guide to HIPAA hosting.

Trust
Direct control over security and privacy is transferred to the cloud provider, which obviously demands a fair amount of trust between the organization and the provider. NIST recommends ensuring visibility into a cloud provider’s security and privacy controls and their performance over time. NIST also recommends establishing clear and exclusive ownership rights over your data.

Insider access at the provider can also lead to threats such as fraud and theft – ask your cloud provider whether they run background checks on employees, and whether staff are properly trained in handling sensitive data.

Establishing data ownership and access rights, gaining visibility into security controls and conducting a risk analysis or assessment are fundamental to risk management. Prior to undergoing a third-party audit, a cloud provider should conduct a risk assessment of any potential vulnerabilities, whether alone or with the help of a security consultant. Find out what’s in a HIPAA risk analysis (helpful for healthcare organizations and anyone concerned with security).

Stay tuned for future blog posts on other cloud security recommendations, including Architecture, Identity and Access Management, Software Isolation, Data Protection, Availability and Incident Response.

References:
Guidelines on Security and Privacy in Public Cloud Computing (NIST SP 800-144, PDF)

Posted in Cloud Computing, HIPAA Compliance, PCI Compliance