We’re liveblogging from Las Vegas, site of the 12th Annual HIMSS Conference & Exhibition, bringing together over 30,000 healthcare IT professionals and exhibitors. Visit us at booth #13528!

• For more on the conference, visit HIMSSConference.org.
• For more about Online Tech’s involvement, including more about HIPAA compliant hosting, visit Online Tech to Exhibit at HIMSS 12.
• We’re also in the HIMSS Online Buyer’s Guide.

Tweeting about #HIMSS? Join us in the conversation on Online Tech’s Twitter.

9:18 A.M. ET – Pre-sunrise from the Wynn Las Vegas & Encore Resort.

Pre-Sunrise at Wynn

11:07 A.M. ET – Dragon encounter on the way to the HIMSS ’12 conference!

HIMSS 12 Dragon

11:07 A.M. ET (8:30 A.M. in Las Vegas) – Educational session “Social Media, Healthcare and Law: Developing a Social Media Policy” about to begin. Come to Room Marcello #4502 for the session at HIMSS ’12!

Speakers:

• Tatiana Melnik, JD, Associate Attorney, Dickinson Wright PLLC
• Brian Balow, JD, Member, Dickinson Wright PLLC

Social Media and Healthcare Speakers

11:37 A.M. ET – Social Media, Healthcare and the Law presentation by health IT attorneys from Dickinson Wright, Tatiana Melnik and Brian Balow.

Social Media and Healthcare Presentation

Big turnout for the Social Media, Healthcare and the Law presentation!

Social Media and Healthcare Crowd

Standing room only at the Social Media & Healthcare presentation.

Standing Room Only at HIMSS 12

1:38 P.M. ET – “Anatomy of a Data Breach” Knowledge Center Session by Chris Andrews of Kroll now in session @ HIMSS12.

Speaker: Chris Andrews, Certified Forensic Computer Examiner, International Association of Computer Investigative Specialists (CFCE), EnCase Certified Examiner (EnCE)

Anatomy of a Data Breach

4:43 P.M. ET – Learning about governmental investments in e-health from a Danish approach.

Governmental Investments in E-Health

• High-capacity storage without CapEx costs – The need for high-capacity storage and computing is high in the healthcare industry, with medical imaging producing large data files (X-rays, CAT scans, MRIs, etc.). A high-capacity HIPAA cloud can meet the needs of storage-intensive applications for healthcare companies that also need compliance. Cloud hosting can provide a viable solution without typical hardware requirements.

Recommended reading: Key Benefits of Leasing vs. Building a Data Center

• PHI availability and accessibility – The HIPAA Security Rule requires protected health information is available, meaning “accessible and usable on demand by an authorized person” (HHS.gov). Hosting your data and applications with a third-party requires trust in their ability to provide high availability services to ensure your data is accessible at all times when requested.

Recommended Reading: HIPAA FAQ: What Does HIPAA Cover?

• Cloud disaster recovery for PHI availability – In the event of a disaster, electronic PHI or e-PHI, needs to be recoverable. The HIPAA Security Rule emphasizes the need to ensure the integrity of e-PHI, meaning that e-PHI “is not altered or destroyed in an unauthorized manner.” Cloud-based disaster recovery can significantly improve your recovery time objectives and is more reliable than traditional disaster recovery methods, including tape backup.

Recommended reading: Disaster Recovery for HIPAA Applications – It’s All About Availability of PHI

• Step closer to compliance – As a covered entity, you need to demonstrate and document compliance and the controls you have in place to achieve HIPAA compliance. An integral part of your compliance lies with the IT controls you have in place – if you partner with an audited, HIPAA compliant cloud provider, they already have the documented policies they can hand over to help you demonstrate your own company’s compliance to the HHS/ONC. Additionally, business associates are also responsible for meeting compliance standards to prevent a data breach, as a recent case in which legal action was taken against a business associate exemplifies.

But how can you be sure they’ll adhere to these controls when it comes to your data or applications in the cloud? Make sure you sign a business associate agreement (BAA) with your HIPAA hosting provider outlining their obligations and responsibilities to meet compliance.

Recommended reading: Five Questions to Ask Your HIPAA Hosting Provider

References:
HHS.gov Summary of the HIPAA Security Rule
6 Keys to Data Storage

• For more on the conference, visit HIMSSConference.org.
• For more about Online Tech’s involvement, including more about HIPAA compliant hosting, visit Online Tech to Exhibit at HIMSS 12.

Tweeting about #HIMSS? Join us in the conversation on Online Tech’s Twitter.

Late o’clock - Play our Las Vegas-centric slideshow below to see the city at its finest, from the Bellagio Fountains to our view of the Las Vegas strip at night.

HIMSS Keynote Speaker

11:46 A.M. – Biz Stone, co-founder of Twitter, speaking at the HIMSS ’12 keynote address!

Biz Stone Twitter Co-Founder

HealthCareITNews.com posted a Twitter recap of Biz Stone’s keynote:

Tuesday’s HIMSS12 Keynote was given by Biz Stone, one of the co-founders of Twitter. Social media is certainly a hot topic at HIMSS12, and Stone explained ways we can refine communication in our businesses.

2:10 P.M. – HIMSS educational session: Data Center Hosting – Build, Upgrade or Partner

Speakers:

Tanya Freeman, MS
Chief Information Officer, Central Maine Healthcare Corporation

Mr. Denis Tanguay
CIO, Central Maine Healthcare

Data Center Hosting

4:30 P.M. – Listening to a cloud and compliance talk at HIMSS.

Cloud Compliance Talk

View from the 60th floor (top) of the Wynn Las Vegas & Encore Resort.

Night View from Wynn

Backup Devices View

Here you’ll find a color-coded indicator of each server’s backup status; green for good and red for failed. Our engineers constantly monitor backup jobs, and promptly restart backups for failed jobs. A notice that a job has been restarted is normally posted to the Messages section on the Status Dashboard.

To view more information for the last backup job for a given server, click the Device Detail button. The Device Detail page shows the date and time of the most recent backup job, as well as several other details regarding the server.

Backup Messages View

If you would like to add OTBackup for a server that doesn’t already have it, simply click on the Upgrade button for that server. You can easily add additional RAM, CPU, disk storage, SAN space, or OTBackup for any server you have that is managed by Online Tech.

Additional information about OTPortal is available in several training videos, found right on the site itself. If you have specific questions or need help, please contact us at support@onlinetech.com, or by calling 734-213-2020 and selecting Option 3.

The Online Tech Team has officially landed in Las Vegas for HIMSS ’12, the Annual HIMSS Conference & Exhibition bringing together over 30,000 healthcare IT professionals and exhibitors.

• For more on the conference, visit HIMSSConference.org.
• For more about Online Tech’s involvement, including more about HIPAA compliant hosting, visit Online Tech to Exhibit at HIMSS 12.

Tweeting about #HIMSS? Join us in the conversation on Online Tech’s Twitter.

9:30 A.M. – Good Morning, Las Vegas!

Good Morning, Las Vegas

The strip waking up … Or more likely going to sleep …

Off to the HIMSS ’12 pre-workshops!

10:50 A.M. – Fueling up, registration at the Las Vegas Sands Expo & Convention Center, and starting a CPHIMS educational session at HIMSS 12.

HIMSS 12 Breakfast & Registration

CPHIMS Certification Education Session

Looking forward to learning more about CPHIMS (Certified Professional in Healthcare Information and Management Systems) with Ruth Bowen & Susan Wozniak @ HIMSS12!

3:30 P.M. – Setting up the Online Tech HIPAA Hosting Booth (#13528) Exhibit.

Online Tech HIPAA Compliant Hosting Booth Setup

HIMSS Exhibitor Booth Unloading

4:40 P.M. – Our HIMSS hotel!

HIMSS Hotel

We’ll be exhibiting our HIPAA compliant hosting solutions for healthcare organizations, healthcare Software-as-a-Service (Saas) and other related organizations at Booth #13528. Stay tuned for some live blogging from our Online Tech reps next week!

Our HIPAA cloud, colocation and managed server packages have just launched! And we’ve revamped and expanded the HIPAA section of our website. Click below for more details.

We’re one of the few (perhaps only) 100% HIPAA compliant hosting providers that have undergone an independent audit by a CHP (Certified HIPAA Practitioner) and CHSS (Cerified HIPAA Security Specialist) and can provide a copy of our audit report to clients under NDAs (non-disclosure agreements).

We also sign business associate agreements (BAAs) to clarify our role and responsibilities when it comes to protecting your personal health information (PHI) and breach notification policies.

HIPAA Compliant Hosting Screenshot

Get the facts about HIPAA and what you need to be HIPAA compliant:

• 100% HIPAA Compliant
• What is HIPAA Compliance?
• HIPAA Compliant Case Studies
• Who Needs to be HIPAA Compliant?
• Benefits of HIPAA Compliant Hosting
• HIPAA Glossary of Terms
• HIPAA Resources: Policies, Procedures and Training Materials
• HIPAA FAQ
• Five Questions to Ask Your Business Associates
• Five Questions to Ask Your HIPAA Hosting Provider

Yet, being enveloped in the HIPAA realm for some time has skewed my thinking – when I heard about the FDA regulating healthcare apps, I was confused. Instinctually, albeit not intellectually, I’d always thought the FDA provided insight into topics like food poisoning and MSG – not smartphones and apps, or anything technology-related.

However a recent blog post by David Lee Scher, MD, opened my eyes to a few reasons why he believes the FDA needs to be the regulatory body of “digital health technologies.” And some reasons why those in the field aren’t very fond of the organization – he mentions the fact that the FDA slows the approval process for apps annually and raises review fees for device companies, increasing developer frustration over the increased time to market.

One of the points he brings up is the fact that the FDA’s mandate isn’t covered by other related agencies – including the ONC and FCC (broadband access). The ONC, acting on behalf of the HHS, is notorious for enforcing the HIPAA and HITECH compliance laws, yet Scher reduces that to, “oversees EHRs.” A slightly broader perspective might say the ONC oversees the handling of PHI, not just EHRs, since the majority of HIPAA breach cases involved some type of physical theft or loss, as you can see in my infographic breakdown of the 2011 HIPAA violation breach types.

While the FDA should and will be involved in evaluating apps for their ability to improve patient health, they need to make collaboration with the ONC/HHS a priority to test apps for their ability to keep PHI secure. Scher references commentary in The Washington Times by Joel White – White’s position is primarily against FDA app regulation, including the argument that the FDA’s “piecemeal and oftentimes conflicting structure” of regulation raises concerns on how these rules intend to coexist with rules established by other agencies.

White argues a point from a recent State of the Union speech in support of his opinion; “tearing down outdated regulatory structures” allows innovation to flourish and encourages economic growth. Although potentially initially true, I don’t think throwing every regulatory body or law out the window is productive – without mHealth oversight, patient care may decrease significantly in quality with the advent of untested apps released to market, causing more costly and potentially dangerous issues down the road.

A regulatory body may also serve to prevent a flooded healthcare app industry (perhaps prolonging its success) and work to inform consumers of their quality and security when it comes to keeping health records secure.

Ultimately, I think we need a cohesive and productive collaboration between every agency and organization that touches mHealth and a way of streamlining the process to prevent wasted resources and time.

References:
Five Reasons Why Digital Health Technologies Need FDA Oversight
White: FDA’s Assault on Mobile Technologies

Minnesota’s Attorney General is suing a business associate over an unencrypted data breach incident that occurred last year when a laptop containing 23,500 patient records was stolen from the business associate’s car. Accretive Health is a licensed debt collector that also provides a patient analysis service for hospitals.

Part of the reason why they were targeted may be linked to further complexity of the case – not only did Accretive Health suffer from a data breach, but the lawsuit claims they were also accessing and using patient data without the knowledge or consent of patients. One of their services provided the probability of a patient’s hospital admittance and their calculated potential financial worth to the patient’s healthcare provider, all based on perceived risk factors from their personal health information, according to the claim (PDF).

Another major HIPAA violation case involving a business associate was the Department of Defense’s military healthcare program, in which nearly the exact same incident occurred – a contractor employee left an unencrypted laptop in their car and it was stolen. About 4.9 million patients were affected. A lawsuit was filed by a few of the affected patients, and in the claim, they indicated the need for all contractor employees to be properly trained in how to handle personal health information (PHI).

Modifications to HIPAA Applicability

Are business associates lax on HIPAA compliance because the law has no teeth? That’ll change very soon – according to HealthCareInfoSecurity.com, March 2012 is the target date to release a final version of the HIPAA modifications and breach notification rule (also known as the Omnibus rule, meaning for all in Latin). And in the proposed version of HIPAA modifications, business associates will be required to comply with the HIPAA standards, as seen in the change to the §164.104 Applicability rule:

When a health care clearinghouse creates or receives protected health information as a business associate of another covered entity, or other than as a business associate of a covered entity, the clearinghouse must comply with §164.105 relating to organizational requirements for covered entities, including the designation of health care components of a covered entity.

Roadmap to Achieving Compliance

How can a business associate avoid a potential HIPAA violation, subsequent lawsuits and fines? Try the following:

• Conduct and document an initial risk assessment/analysis in order to check where your business is at when it comes to implementing HIPAA security safeguards, and where you need to fill in the gaps. This list of the Nine Components of a HIPAA Risk Analysis provides a good high-level overview of what you need to include in your document.
• Research and understand the HIPAA standards, and your role in handling PHI. As a HIPAA compliant hosting provider, Online Tech never accesses PHI or data on clients’ servers, we only provide the secure infrastructure necessary to protect sensitive information in a fully compliant environment.
• Draft a business associate agreement (BAA) that clearly defines your role and obligation in handling a client’s sensitive data. Include clauses about contract termination, data ownership and breach notification. What’s in a Business Associate Agreement? provides a summary of the primary provisions to include in your BAA.
• Ideally, invest in an independent HIPAA audit of your business in order to have the assurance and verification that your policies, procedures and services are in compliance. If you need guidance on which IT components can help you achieve compliance, read our HIPAA FAQ.
• Train all of your employees in HIPAA compliant policies and procedures as they affect the day-to-day operations of your company and according to the level of security needed by position – an employee that transports sensitive data will need more specific guidelines to stay compliant and prevent a data breach. Document proof of employee training and awareness.
• Appoint a Risk Management and Security Officer position in your company to implement, manage and oversee compliance and ensure everyone is following the documented policies and procedures, preferably someone with a strong technical background.

Or are you a covered entity that needs assurance their business associates are handling PHI in a HIPAA compliant manner? Read our E-Tip on the top Five Questions to Ask Your HIPAA Hosting Provider.

References:
March Target for HIPAA Modifications
State of Minnesota vs. Accretive Health, Inc. (PDF)
Minnesota Sues Consulting Firm Over Lost Health Data

Register for our free webinar Tuesday, February 14, 2012 (today) from 2-3pm ET to discuss the differences between AICPA’s (American Institute of Certified Public Accountants) SOC (Service Organization Controls) audits and reports, other types of audits, and the difference between point-in-time, period of time, self-assesments and independent assessments.

Sign up Now!

David Barton, CRISC, Principal, UHY LLP
David is a Principal and is the practice leader of the Technology Assurance and Advisory Services group at UHY Advisors, Inc. in Atlanta, GA. He is Certified in Risk and Information Systems Controls (CRISC) and received his Certified Information Systems Auditor (CISA) designation in 1988.

With over 25 years practical experience in information systems and technology risk and controls, he is an expert in identifying and reducing information technology risk throughout an organization.

Read David Barton’s guest blog post on our blog, “SOCs and SASs: The New Standards for Service Organization Controls Reporting.”

---

Jon Long, CISA, QSA Senior Audit Manager CompliancePoint
Jon is a Senior Manager and Practice Builder at CompliancePoint as well as an enthusiastic blogger at The Risk Assurance Guy. He is a Certified Information Systems Auditor (CISA) as well as a Qualified Security Assessor (QSA) in the Payment Card Industry (PCI).

Jon has over 15 years experience in IT, and crossed over into auditing in 2006.  His background enables him to conduct audits from the perspective of having been audited by external auditors.  He is currently championing an audit approach that allows organizations to combine multiple compliance requirements into a single SOC 2 engagement.

---

Jason Yaeger, Risk Management & Security Officer, Online Tech

Jason Yaeger is Online Tech’s Risk Management and Security Officer. In his 3 years at Online Tech, Jason has guided the company through successful completion of many audits, including SAS 70 Type I, SAS 70 Type II, SSAE 16, and HIPAA. In addition to overseeing operations across all of Online Tech’s data centers, Jason is also the Vice President of the Southeast Michigan Chapter of 7×24 Exchange. Prior to Online Tech, Jason was Director of Internet Operations at 20/20 Communications where he spent 8 years developing the company’s wireless and internet initiatives.

If disaster strikes, how long will it take before PHI is available again?

Part of due diligence is asking yourself and your partners detailed questions about contingency plans in the event of a disaster.

A report by Juniper Research estimates that mobile healthcare and medical app downloads will reach 44 million in 2012 and eventually 142 million by 2016.

[Sidenote: Although I don’t condone the citing of Wikipedia as reference, it’s worth mentioning the mHealth wiki does have a great list of applications for healthcare in the developing world, organized in charts by categories defined by the UN Foundation and Vodafone Foundation, including health education and awareness,  helplines, diagnostic support, treatment support, communication and training for healthcare workers, disease surveillance, remote data collection, epidemic outbreak tracking and more. mHealth for Development PDF. Edit: Forbes also just published a relevant article, The Future of mHealth: Mobile Phones Improve Care in Developing World.]

While there are mobile security measures and policies that should be documented and implemented to abide by HIPAA compliance standards for the ultimate goal of protecting personal health information (PHI), healthcare apps have flooded the industry and are here to stay.

Forbes.com published an editorial by Mobiledia that suggests “healthcare insurers are using apps to streamline patient-care systems, by connecting with and educating members, and ultimately reining in spiraling costs.”

Medscape Mobile

According to Mobihealthnews.com, a healthcare investment firm headed up by former government health IT employees, Health Evolution Partners (HEP), has partnered with Verizon to collaborate on health applications and developments in the mobile health industry.

HEP invests in healthcare startups and partner venture capital firms, providing healthcare facility locators, mobile medication management workflow platforms, e-prescribing services, remote patient visits and more.

So what are some of the most popular health apps being downloaded? InformationWeek.com lists Medscape Mobile, the app of the professional medical website as one of the most popular. Medscape offers news alerts, a drug interaction checker, disease, conditions and drug reference and more, including a searchable database of over 400,000 U.S. physicians, pharmacies and hospitals.

MIM Mobile

Another app that received FDA (Food and Drug Administration) 510(K) clearance for security is MIM Mobile, a remote diagnostic imaging tool said to be HIPAA compliant and encrypted for image transfer and storage. The app allows for direct sharing and cloud storage with the app MIMcloud that stores the large images on their phones.

However, there is some opposition to the FDA’s 510(k) clearance process for medical devices, with critics accusing the process of being inherently flawed as it compares new devices to ones already on the market instead of actually proving the security and effectiveness of these devices (National Research Center for Women & Families).

As the mHealth industry grows, app audit standards, security measures and app effectiveness will continue to require endless revisions to improve overall patient healthcare while meeting national healthcare compliance standards set by HIPAA.

Not sure where to start with HIPAA? Find help in our HIPAA Resources: Policies, Procedures and Training Materials.

References:

The Future of mHealth: Healthcare Apps to Lower Insurance Costs
Next Generation Health IT Is Not Anchored to a Desk
Report: 44M Health App Downloads in 2012
9 Mobile Health Apps Worth a Closer Look
mHealth Users of Remote Health Monitoring to Reach 3 Million by 2016: Smartphones Play Leading Role
Medical Image Sharing for Patients Enabled By New MIM App

• Searching for a medical phrase does not make that phrase protected/patient health information (PHI)
• Users that volunteer search phrases and use Google are consenting to their privacy policy
• It’s unfortunate a House Representative does not understand HIPAA
• It’s unfortunate a House Representative does not understand Google or their privacy policy

In an interview with USA Today’s Technology Live blog, Mack used an example in which a user searches for cervical cancer on Google, doesn’t log out, and then is tracked across other products online (?). I assume she means the information they collect will influence the ads shown on Google’s Display Network across other sites you may visit.

Google doesn’t store any actual patient health information, such as the kind that a physician might collect in a clinic. SearchEngineLand.com’s article cites Google’s new privacy policy, stating:

When showing you tailored ads, we will not associate a cookie or anonymous identifier with sensitive categories, such as those based on race, religion, sexual orientation or health.

They also state that they require opt-in consent when it comes to sharing any sensitive personal information. In her interview, Mack also questions the definition of sensitive data, “They are saying that they do not track sensitive data like that. I don’t know who determines what’s sensitive and what’s not. And that’s probably another question on another day and a more extensive hearing.” Perhaps they should go by the Department of Health and Human Services (HHS)’s definition as written in their Summary of the Privacy Rule, as they are the leading government agency:

The Privacy Rule protects all “individually identifiable health information” held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral. The Privacy Rule calls this information “protected health information (PHI).”12

“Individually identifiable health information” is information, including demographic data, that relates to:

• the individual’s past, present or future physical or mental health or condition,
• the provision of health care to the individual, or
• the past, present, or future payment for the provision of health care to the individual,

and that identifies the individual or for which there is a reasonable basis to believe it can be used to identify the individual.13  Individually identifiable health information includes many common identifiers (e.g., name, address, birth date, Social Security Number).

Yale.edu’s HIPAA Guide offers more specific identifiers, including medical record number, account number, certificate/license number, web URL, IP addresses, finger or voice prints, etc.

Ultimately, the question remains, how can the Department of Health and Human Services and our government expect HIPAA compliance from healthcare and related organizations if government representatives appear to be unfamiliar with the standards and equally out of touch with technology and the use thereof? While the acts passed in 2009, I think healthcare organizations, business associates and the lawmakers could all benefit from a more in-depth review of the law.

If you’d like a refresher on HIPAA, our HIPAA FAQ and HIPAA Glossary of Terms could help.

References:
Google’s New Privacy Policy May Violate HIPAA, Congresswoman Says
Google Preview: Privacy Policy
Google Preview: Privacy FAQ
HHS’s Summary of the Privacy Rule
Yale.edu’s Health Insurance Portability and Accountability Act Guide

Join Online Tech, David Barton and Jon Long for a discussion to help clarify data center audit standards and assessments.

Register for our free webinar Tuesday, February 14, 2012 from 2-3pm ET to discuss the differences between AICPA’s (American Institute of Certified Public Accountants) SOC (Service Organization Controls) audits and reports, other types of audits, and the difference between point-in-time, period of time, self-assesments and independent assessments.

Sign up Now!

Find more information about SOC 2 Hosting, SSAE 16 Hosting and read about the differences between SAS 70, SSAE 16 and SOC.

---

David Barton, CRISC, Principal, UHY LLP
David is a Principal and is the practice leader of the Technology Assurance and Advisory Services group at UHY Advisors, Inc. in Atlanta, GA. He is Certified in Risk and Information Systems Controls (CRISC) and received his Certified Information Systems Auditor (CISA) designation in 1988.

With over 25 years practical experience in information systems and technology risk and controls, he is an expert in identifying and reducing information technology risk throughout an organization.

Read David Barton’s guest blog post on our blog, “SOCs and SASs: The New Standards for Service Organization Controls Reporting.”

---

Jon Long, CISA, QSA Senior Audit Manager CompliancePoint
Jon is a Senior Manager and Practice Builder at CompliancePoint as well as an enthusiastic blogger at The Risk Assurance Guy. He is a Certified Information Systems Auditor (CISA) as well as a Qualified Security Assessor (QSA) in the Payment Card Industry (PCI).

Jon has over 15 years experience in IT, and crossed over into auditing in 2006.  His background enables him to conduct audits from the perspective of having been audited by external auditors.  He is currently championing an audit approach that allows organizations to combine multiple compliance requirements into a single SOC 2 engagement.

Our third most important question to a Business Associate is:

What policies and technologies are used to protect my applications and PHI data?

The Mobile Opportunity

The new U.S. CIO (a newly-minted federal position only two-years-old), Steven VanRoekel, has drafted a mobile strategy outline to push agencies toward a standardized framework and roadmap to complete implementation.

In a WhiteHouse.gov blog post, VanRoekel stresses the importance of mobile use with a few key examples and benefits:

• Realize real estate savings from teleworking
• Joint agency programs give employees working from different agencies remote access to mission-critical data from any location
• The Army’s mCare App allows remote monitoring of soldiers’ healthcare statuses
• The Federal Emergency Management Agency uses mobile Twitter to find victims during an emergency, send out emergency messages and to find out how far the emergency has spread.

Social Media for Informed Decisions

National Dialogue on The Federal Mobility Strategy

In the spirit of social media’s knowledge-sharing ability, the government launched an online forum, the National Dialogue on The Federal Mobility Strategy to collaborate on ideas and topics they would need to address in the final draft of the mobile strategy. With a thumbs-up and thumbs-down voting system, users could submit concerns around mobile security, disability accessibility, web-to-mobile content portability and more, and vote on which issues take precendence. This lends valuable feedback that VanRoekel  will use to create a final plan for agency implementation.

Mobile Data Security

With the widespread adoption of mobile devices come the concerns around data security. Last August, NIST (The National Institute of Standards and Technology) started a pilot program to test and develop a standardized security protocol for iPhones and iPads, according to an InformationWeek.com article.

In addition, the Department of Defense (DoD) is developing full-disk encryption for military smartphone data. The DoD has suffered a recent HIPAA violation when backup tapes with military patient records were stolen last September, calling for an overhaul of their internal processes and stricter security measures.

For a list of tactical mobile device security measures you or your company can implement, read this blog post. Another recent post, Mobile Security: Are Most Apps Safe? explores the privacy of your information on mobile apps.

IT Industry Trends

CIO.com details the federal government’s attempt to move IT progress along through many of the industry’s trends, including the consumerization of IT, migration to the cloud and increasing reliance on mobile devices. Another trend includes streamlining and integrating IT services across different departments – by combining email systems, mobile device plans and other systems, costs go down while productivity goes up. I wrote a blog post recently about IT process automation and its benefits.

References:
WhiteHouse.Gov: The Mobile Opportunity
National Dialogue on The Federal Mobility Strategy
NIST Tests Ways to Secure iPhones, iPads
DARPA To Develop Android, iPhone Encryption
VanRoekel Details Government Mobile Strategy at CES
U.S. CIO Unveils Mobile Strategy for Federal Government

Server Data Deletion
Megaupload’s servers contained more than 25 petabytes (approximately 25 million gigabytes) of data storage (Mashable.com). While the data includes some copyrighted material, a great amount of the data is also legitimate, personal data uploaded by the owners of the content. But the data may be lost forever – initially, the U.S. Attorney’s Office claims the hosting companies that house Megaupload’s servers have filed a letter stating they may begin deleting data as early Thursday, while more recent reports claim the companies have agreed to wait two weeks before wiping servers.

However, a nonprofit, Electronic Frontier Foundation, just announced they will be partnering with Carpathia Hosting to help the legitimate users retrieve their data with at www.megaretrieval.com.

With at least 50 million users’ data at risk of deletion, one to has to wonder if the right to destroy data without providing a copy to their rightful owners or their client was included in their hosting contract. Make sure you know where your data goes if something happens to your cloud hosting provider or if you decide to terminate your contract. While various articles and blogs on this topic point the finger at the cloud storage industry as a whole, the issue at hand is really more about your service provider’s terms of service and your understanding of them.

No Data Backup
Since Megaupload’s assets and domains were frozen, they’ve been unable to pay for their hosting, bandwidth and system administration services and users cannot access their data to back it up. Offsite backup could have come in handy in this situation. Backing up your data to an offsite data center would ensure you still have a copy of your files, instead of depending solely on the state of your servers. A law enforcement official claims the site “clearly warned users not to keep a sole copy of material on the site,” according to the Wall Street Journal.

File-Sharing Recoil
According to PCMag.com, several smaller cloud-based services are changing their services in response to the Megaupload case. FileSonic and Upload.to have disabled their file-sharing functionality, and others are shutting down their affiliate programs. Megaupload paid its users to upload popular files to the site, another point of contention in the case. Many similar file hosting sites have cancelled similar rewards programs.

Hacker Retaliation
Last Thursday, the hacker group Anonymous launched a DDos (denial-of-service) attack on several related websites, taking down those owned by the Department of Justice, FBI, Motion Picture Associate of America (MPAA), the Recording Industry Associate of America (RIAA) and Universal Music Group, according to InformationWeek.com.

As the domino effect of the Megaupload saga continues to play out, other businesses should take note of these lessons learned to take necessary measures to protect themselves and their/their clients data.

References:
Megaupload Shows Online Copyright Protection is Needed
Cloud Storage and What SMBs Can Learn from Megaupload’s Demise
Anonymous Retaliates for Megaupload Raids: 10 Key Facts
After Megaupload, Storage Sites Shutter Services
Feds: Megaupload User Data could Be Gone Thursday
Megaupload Users Get Reprieve on File Wipe
Megaupload’s Ripple Effect
Megaupload Users Plan to Sue FBI Over Deleted Files
Nonprofit to Help Megaupload Users Retrieve Data

Maybe I’m sentimental, but I love the stories my dad tells of being a general practitioner making house calls along the shores of South Haven, Michigan. I realize there’s a lot that’s not practical about this approach today, and advantages for the current system, but every time I sit down at my dad’s piano, I remember that it was gifted to him by a patient who he took care of for many, many years. (It’s a classic 8′ grand, so no trivial gift!).

Can you imagine a patient-doctor relationship today that would be so “meaningful” that a patient would make this type of gift to his or her physician? Can you sense the gratitude that this man must have felt towards a doctor who stopped by in the evenings to check on him, attend to his comfort, and take time for a cup of tea with the patient’s worried wife? Can you guess how humbled my dad was to receive that gift?

Bear with me, I am getting to a point about social media …

Ok, now let’s snap back to today’s reality. How many of you feel a true sense of gratitude towards your health care providers or a solid emotional connection? How well can we really separate our emotional experience with health care from our physical well-being? Feel like this is a bunch of mushy nonsense? Ok, would they know your name if you met in another context? More importantly, does your primary health care provider know you well enough to recognize when you’re not acting yourself and be able to use this observation to make educated decisions and recommendations about your health?

When I think of my local family practice, I get frustrated. Case in point: I was told last year that I had to “follow protocol” and “wait for a nurse to call back” before getting a basic strep swab. Now, I was on good enough terms with my (then) primary care doctor that if he heard me say “Hey Doc, my throat’s on fire and I see these fuzzy white patches on my throat – can I come in to get a swap culture done?” I would have been on my way in a heartbeat.

But there was NO chance that I would ever be able to have that 30 second conversation with him due to the current system of administrative screening, followed by nurse screening; making any direct communication with physicians impossible. I had to take the initiative to call back and beg for permission to get a culture after not hearing back for 3 hours. When I compared this experience with what we expect as clients of other industries, I really started scratching my head. Would anyone put up with that at a restaurant, clothing store, Amazon, Zappos, or anywhere else? Of course not.

Dang, I could have TWEETED my request for a strep culture to my doc and it would have taken him 2 seconds to reply “Come on in.”

I know that my old family practice is following common protocol – they didn’t invent this model of disservice on their own. And I know that us pesky patients can be quite a handful sometimes if we actually make it through the administrative and all other pre-screening barriers to actually express ourselves directly to our physician. But does this model lead to better health?

If the primary purpose of the doctor-patient relationship is to promote health, prevent disease, and help patients lead healthier (dare I say happier) lives, then wouldn’t a system where we could have direct and ongoing dialogue with our primary care physicians on a regular basis BEFORE we get so sick that we can’t work, be parents or lead our productive lives serve everyone’s interests? (If not, maybe we need a sanity check on incentives and the basis of health care spending – but that’s a whole other discussion). And maybe, just maybe, this is where social media and better access to our own patient records could fill a gap.

I don’t pretend to think that FaceBook, LinkedIn, or Twitter can recapture or replace the type of bond I described between my dad and that patient, but many of us ARE connecting on these platforms today. A weird virtual community, granted – but a community nonetheless. And for those physicians who tire of us question-asking pesky patients, maybe using social media to ask those quick questions (can I please get a strep swab?) would be less intrusive than a phone call or walk-in “interruption.”

If we can get past the security issues (which we can and will as more attention and great minds address it), social media offers a new way for patients and physicians to connect in a more “meaningful” way. If we could maintain an ongoing dialogue with those we entrust with our health, I think we’d see a lot less misdiagnosis, unhappy patients (malpractice lawsuits), stressed out doctors, and unhealthy patients. Heck, as a patient I would subscribe to a service offered by my primary care physician to review my health tweets about exercise, diet, energy level, etc. on a regular basis and reach out with suggestions or concerns! Wouldn’t you?

Despite the fact that I respect, appreciate and genuinely like the physicians at our old family practice, my kids and I are not patients there anymore. There’s no evidence they miss me or even know we’re gone, despite the fact that we had been there for years. And I’ve never been a difficult patient to deal with – at all. I talk more with the Nurse Practitioner (who is my daughter’s boyfriend’s mother) about health concerns more than with the primary care physician who is formally listed on my insurance. Why? Because she knows me, I see her at horse shows, and she emails me Maxine jokes. We are socially connected. I trust her. We have a social context to draw from. It’s too bad her practice isn’t close enough for a strep swab.

In my desperation to get treated for strep so I could get back to work, I reached out to my former ob-gyn, Elizabeth Shadigian, to see if she knew of a better option than an expensive trip to urgent care. Yep, I used my mobile phone to Google her name, pressed the “Call” button from Google Maps, and within minutes, was actually connecting directly to her. Her practice has a website, and she publishes her email address, LinkedIn profile, FaceBook profile, and Twitter profile where she posts info about flu clinics, invitations to health-related educational lectures, and fun community events (darn, I missed fountain making class!)

In person, by phone, by email, tweet, FB post, or LinkedIn (um, what … link?), Elizabeth is ready to engage with me about my health in whatever format works for me. Wow. Of course she’s not tweeting anything about my personal health – come on – she’s a consummate professional who knows and cares about me! But I have complete confidence that whenever I have a health concern, I can connect with her directly, she will remember who I am, and she knows me well enough to use that context to inform educated recommendations about my health. Wow.

I’m truly grateful for her willingness to communicate openly and directly with me about my health. I wouldn’t go anywhere else and I recommend her practice to EVERYONE who mentions the word “doctor.” Sharing her social media and online information with her patients was a jaw-dropper for me (ever try asking for your primary care physician’s email address? Try it, I dare you). Elizabeth would be a great physician without social media, but the spirit of it reflects direct, engaged, and responsive communication which is great for business, and great for (my) health care.

Related articles:
3 Ways Social Media is Transforming the Doctor-Patient Relationship
Family Physician Can’t Give Away Solo Practice

IMPACT 2012 Conference

Mike Klein, President and COO of Online Tech, will be speaking about cloud computing at IMPACT 2012 on February 7 in Auburn Hills, Michigan.

Featuring sales, marketing, finance, human resources and public sector experts, IMPACT 2012 is an informative networking conference on current economic and technology trends, hosted by Automation Alley.

Klein will be speaking at a panel discussion, A Day in the Clouds: Is Your Future Cloudy? Moderated by Peter Marsack, VP of Computer Solutions, the panel will cover cloud computing definitions, cloud services available and the benefits and costs of the cloud for businesses.

Other panelists include:

• Mark Farneth, President of Radley Corporation, will discuss the transition from traditional corporate computing to cloud computing, as well as why they use Online Tech for their private cloud hosting services.
• Jamie Hamilton, VP of Software Engineering at Quicken Loans
• James White, Senior Enterprise Solution Advisor at Secure 24.

The IMPACT 2012 event overview details what you will gain from attending the conference:

• Insight from industry leaders on how to navigate business challenges in 2012
• Real-world insight on accessing capital and maximizing profitability in your business
• Tangible tactics to increase sales and generate revenue
• Grow your professional network by connecting with fellow Automation Alley members representing a variety of industries
• Tips for creating powerful marketing initiatives the generate sales
• Strategies to motivate your employees and create a productive work environment

Exhibitors
Various companies and organizations will also be exhibiting at the event, including chambers of commerce, universities, banks, IT vendors and more. View a full list of exhibitors.

Registration
Pre-registration and door fees vary, and sponsorships are available for exhibitors (includes a vendor booth and admission). Register online for the conference today.

Mike Klein, President, Online Tech

Mike is a serial entrepreneur with more than 30 years of high tech business leadership, technology, and startup experience including CEO of Interlink Networks, Managing Partner of CompanyCrafters, and CEO /Founder of Steeplechase Software, an INC 500 Company which he sold to Schneider Electric. Prior to becoming an entrepreneur, Mike spent the first decade of his career working in sales, strategic marketing, product development at Motorola Semiconductor and Rockwell International.

About Automation Alley

Automation Alley, Michigan’s largest technology business association, drives growth in Southeast Michigan’s economy. Automation Alley is a non-profit organization that drives growth and economic development through a collaborative culture that focuses on workforce and business development initiatives. Automation Alley attracts the creators and consumers of diverse technologies from a variety of industries around the world.

About Radley Corporation

Radley is a global ecommerce and data collection software development company that has successfully transitioned from traditional on premise software products to On Demand cloud computing. Mark sits on the Board of Directors at Radley and actively participates in the business planning and product development cycles within the company. Prior to Radley, Mark held several project management, consulting and technical and positions at Compuware Corporation and ADP Network Services.

Following up from last week’s question #1, the second most important question to ask a Business Associate is:

Who performed your independent HIPAA audit and do you provide copies of the audit report?

Pandora App Redistribution of User Information

For example, if you download an app from the Android Market, a screen will appear asking you to accept the permissions of this app having access to certain components and programs on your phone.

Apple takes a similar approach, except they approve permissions before they even put the app on their App Store.

Each of these methods has its pros and cons that may put users in jeopardy. Android puts more reliance on permissions of apps to its users while Apple takes that measure for you, but they are not perfect and some slip through the cracks.

Lookout, a U.S.-based security firm did a study in 2010 and found that over 300,000 apps on both iPhone and Android were stealing user data without user knowledge. Most of those privacy breaches were due to advertisement kits installed on the applications. These kits provide a little extra revenue to developers since information from the app is sent to third-party advertisers and used to target specific ads to its users.

They also pointed out that one specific Android wallpaper app,“Jackeey,” was stealing personal data from its users, including:

• Location
• Phone Number
• Voicemail Passwords

This information was then sent to a website hosted in China. This particular app was downloaded somewhere between 1.1-4.6 million times.

Here are a couple of precautionary tips when it comes to downloading apps on your phone:

• Make sure the app is created and distributed by a verified developer. Make your best judgment on what you download.
• Review the permissions that the app is requesting from your phone – does this app really need access to my contacts, location or text messages?

There’s a great resource on Wall Street Journal’s website that has an interactive diagram in which you can see some of the most popular apps on your iPhone and Android (I’m sure there’s a good chance one of these apps is on your phone right now), and how they distribute your information.

For example, Pandora (seen in the photo above) shows that it requires your Phone ID (Red), Location (Purple), and Age/Gender (Blue), and then sends those resources to multiple advertising companies and groups.

Users need to be aware of what apps they are downloading to their phone. To users who are employed with companies that deal with compliance regulations such as HIPAA (PHI, EMR) and PCI (CHD), it’s even more important due to heavy fines and potential legal action if any of that information is accessed. You don’t want to be that person that costs your company thousands of dollars because you needed the latest wallpaper app, do you?

Sources:
Android Wallpaper App That Steals Your Data Was Downloaded By Millions
Mobile App Security: 5 Ways To Protect Your Smartphone
Mobile Apps Stealing Personal Data
WSJ Interactive Diagram

Availability means that PHI is always available, accessible and never lost.  When a patient arrives at the emergency room at three o’clock in the morning, the electronic health records need to be available so the physician can address the emergency with all of the patient’s records at her fingertips.  Patient records in the health care world is no longer a 9-5 job – and one of the main drivers behind electronic health records (EHR) is the portability and availability of patients’ records to health care providers around the clock.

Availability also means that PHI isn’t lost.  HIPAA and the HITECH Act make Covered Entities and Business Associates responsible for making sure PHI isn’t lost.  For electronic records, this means offsite data backups are imperative and offsite disaster recovery is strongly recommended.

So what does “availability” mean from a computing and application infrastructure?   I like to look at availability from 2 perspectives:

1. Disaster Prevention – putting all the tools in place to minimize the probability of an outage in the data center infrastructure, server hardware, software and network connectivity.
2. Disaster Recovery – assuring that the applications and data can be recovered and restored in a reasonable timeframe to continue running the business and making patient data available if there is a disaster in the primary data center.

Disaster Prevention is typically thought of in terms of “High Availability” – or redundant systems to assure that there is no single point of failure on the delivery of the application or data.  Examples of high availability at the data center level include high availability power delivery through redundant generators, uninterruptible power supplies (UPSs), power distribution units (PDUs), and redundant power supplies in the servers.  With high availability power, the failure of any element (generator, UPS, or power supply) does not affect the availability of the application – since the entire infrastructure is redundant.

Redundancy can also be delivered in the cloud server platform.  For example, unlike many public clouds, Online Tech’s managed cloud servers are running on redundant hardware hosts with multiple power supplies, multiple network connections to SANs, redundant controllers and redundant RAID drives.  Again, any hardware failure or even complete shutdown of a hardware hosts will not affect the availability of the application and the PHI data.

Disaster Recovery is typically thought of in terms of Recovery Time Objective (RTO) and Recovery Point Objective (RPO).  RTO is the amount of time it takes to spin up the servers, network, application and data as a separate data center in the case that the application is shut down from a disaster.  RTOs can range from minutes to weeks depending on the technology selected.  RPO is defined as how close to the disaster the data can be recovered, which is tied to how often the data is backed up.  If backups are made every night, then the RPO is 24 hours (up to 24 hours of data can be lost). If continuous replication is used, the loss may be as short as a few minutes.  The shorter the RTO and RPO, the better for most businesses.

As a minimum, we recommend that all HIPAA applications use offsite backup for their data.  That way, if the production data center has a disaster or is destroyed, the PHI isn’t lost.  The backup is stored at a second data center that is located a significant distance away to assure the same disaster doesn’t strike both sites.  In the Midwest, for example, best practices dictate a geographic separation of 50 miles between data centers.  Online Tech’s data centers are 53 miles apart on separate power utilities and are interconnected with high speed fiber to assure timely replication between sites.

For critical PHI, we recommend warm site disaster recovery between data centers.  Several years ago, warm site disaster recovery was difficult and expensive to achieve.  However, with the advent of cloud computing, disaster recovery has become very cost-effective.  DR Now!, our cloud disaster recovery service provides offsite disaster recovery for cloud servers with a four hour RTO that starts at just $99 per server.

So when you think about meeting the HIPAA availability requirements for your health care applications and PHI, I’d suggest you think about it in terms of disaster prevention (high availability) and disaster recovery and ask yourself two key questions:

1. Is your application hosted in a high availability environment where the power infrastructure, servers and network infrastructure can sustain failures without impacting your application and PHI data?
2. How will your application and PHI data survive a disaster in your production data center?  Do you need only to recover your data with offsite backup, or do you need your application and data to be back online in as short a time as possible?

How you answer these questions will be critical to how you comply with the availability criteria of HIPAA and the HITECH Act.

Each quarter I like to share with our clients the major initiatives we’re undertaking at Online Tech, and a look at what is in store for the near future.

Last year, we grew over 26%, added a new data center, and invested in a number of improvements to our data centers and service offerings.  Some of our 2011 initiatives included:

• A $1M investment in our Mid-Michigan data center, including the complete replacement of the Uninterruptible Power Supplies (UPS).  The in-line UPS retrofit was achieved with no downtime and increased the capacity to a full 1 MW at the data center floor.
• We remodeled the office and entry areas of the Mid-Michigan data center and now have a kitchen area and conference rooms available for our clients’ use.
• We opened a third data center, Ann Arbor 2, in the same Avis office park as our Ann Arbor 1 data center was filling up.  The new data center went live in November and adds another 10,000 square feet of raised floor and 300 KW of capacity to our footprint.
• We completed our first SSAE 16 Type II (SOC 1), SOC 2, SOC 3 and HIPAA audits and reports last year.  Online Tech was the first data center operator in Michigan to complete its SSAE 16 Type II (SOC 1) audit. We are one of a handful of data centers nationally who invested in a SOC 2 and SOC 3 audit which is much more stringent and focuses on privacy and security controls. We are also one of very few data centers across the country found to be fully HIPAA compliant across all 54 citations of the HITECH act. Online Tech shares audit reports with clients under NDA – every hosting provider should. You can learn more about the latest set of data center audits from this blog post.
• Our new multi-tenant managed cloud computing offering was released last year.  Rather than competing against low-end public clouds like Amazon and Rackspace, we designed our managed cloud offering to run mission critical applications.  The uptake of server deployments has ramped very quickly since the product release and allows clients to leverage the flexibility and scalability of the cloud.
• HIPAA compliant cloud – through the design and audit process, both our multi-tenant managed cloud and private cloud offerings are HIPAA audited and 100% compliant.
• DR Now!  - Last quarter, we introduced the first cost-effective disaster recovery solution for cloud computing.  Our managed and private cloud clients are able to get complete disaster recovery in a second data center with a 4 hour recovery time, starting at $99 per server.  Fast, automatic disaster recovery is one of the demonstrated benefits of deploying cloud computing.

It was nice to see so many of you at our Ann Arbor 2 open house last month.  Over the holidays, we were able to take a deep breath and start planning for what we hope will be an exciting 2012.  Some of the plans on our first quarter horizon include:

• Rolling out a new website.  Along with a cleaner, easier-to-navigate site, we’ve added a number of resources to the new site that you might find helpful, including information on HIPAA compliance, PCI compliance and SOX compliance.
• We are completing our PCI (Processing Card Industry) audit and will be listed on the Visa’s Global Registry of Service Providers.  PCI compliance is required for companies that process, transmit or store credit card data across the Internet.
• We are announcing additional fiber optic capability in our Mid-Michigan data center that enhances the connectivity to the Ann Arbor data centers and adds direct fiber connections to additional Internet service providers.
• Comcast has just finished installing a fiber connection into the Mid-Michigan data center – to provide cost-effective high-speed data connections from anywhere in Michigan to our data centers.
• Finally, if you’re going to be at the February HIMSS health care IT conference in Las Vegas, please stop by – we’ll be in booth #13528, where we’ll be discussing our HIPAA audited hosting capabilities. Our HIPAA auditor and one of the foremost legal experts in HIPAA compliance and the HITECH Act will be at our booth to answer your HIPAA questions.

We wish all of our clients continued success into the new year and we look forward to continuing to serve your hosting needs.  As always, I welcome your feedback on how we can improve our services and the value we deliver.  Feel free to drop me an e-mail or call anytime.

Best Regards,

Mike Klein
President & Chief Operating Officer
Online Tech Inc.

But when it comes to securing your mobile devices and meeting strict HIPAA compliance standards, physicians and other healthcare professionals may not realize the security precautions they need to take to prevent a data breach and HIPAA violation.

One example of recommended best practices can be found in Yale University’s HIPAA guide for mobile device security (intended for its covered components, such as the Schools of Medicine, Health Services, etc.) including:

Smartphone Security

• Passwords – Yale recommends users have a password with a minimum of four characters. They also recommend implementing a lock-out setting after 10 failed attempts to enter a password.
• Encryption – Data must be encrypted at rest and in transit, including backup data.
• Message Storage – The storage limit is capped at 200 messages at one time or 14 days of messages.
• Applications – All applications that create, store, access, send or receive PHI must meet HIPAA security standards. Yale also has a Security Design Review service that can check out any custom developed apps for compliance (although the website really needs to update its language regarding Application Service Providers and the required SAS 70 Type II documentation – SSAE 16/SOC 1 have since replaced the SAS 70 standard).
• Software – Apply security updates frequently and use the most recent OS available.
• Remote Management and Tracking – Mobile devices must have a remote deletion and tracking feature or you have to sign up for a service that can wipe it if it is stolen or lost. For the iPhone, that can mean installing the Find My iPhone app. Yale provides a comprehensive  guide to locating and wiping iPhones, Blackberrys (read this, grammar nerds) and other smartphone devices.
• No Circumvention – This refers to protecting the security of mobile devices by prohibiting users from using unauthorized software and hardware, etc.
• Wireless – Yale requires the use of VPN services when using digital cellular to connect to the Yale network and if not using one of Yale’s cell carriers. For Bluetooth™, passwords or PINs are required to secure connections.
• Thumb Drives and Other Portable Media Devices – Storing PHI is prohibited unless the devices meet the Yale encryption standards.
• File-Sharing – Users that need to send or exchange PHI outside of the network have to use a secure file transfer tool, or secure file transfer protocol (SFTP).
• Servers – Naturally Yale recommends using their IT department-owned servers to store all PHI. Their requirements are aligned with the HIPAA breach notification rules that require reports of data breaches if it affects 500 or more patients.
• Privacy Filters – Computer screens that display PHI must have privacy filters installed if they’re viewable by the public.
• Device Disposal – When upgrading or getting rid of your mobile devices, you must first securely destroy or delete PHI.
• Email – Configuring email accounts to auto-forward to a non-Yale email account is prohibited if the email account may have PHI in its inbox.

This is a great start when it comes to documenting and specifying the security measures your organization needs to take, but don’t just copy and paste these policies. Every company has different needs that require a customized plan to keep PHI safe.

Also, not every device is created equal. Last year, BGR.com found a major security flaw in the security lock design of AT&T’s Samsung Galaxy S II cellphone that left it open to a simple workaround, allowing users to bypass the PIN or unlock feature. If you tap the lock button to wake it, wait for it to time out and go black, then tap the lock button again, the phone is suddenly accessible and the PIN rendered useless.

Make sure you know your device and its features, and deploy similar security measures as found above to stay compliant even on the go.

For more on IT security and best practices, read HIPAA Compliant IT Security and Best Practices. Or for more about smartphone security, read Mobile Security: How Safe is Your Data?

References:
Yale University’s HIPAA Security Updates and Reminders
Major Security Flaw Lets Anyone Bypass AT&T Samsun Galaxy S II Security

#1 What timeframe does your BAA promise clients for PHI breach notification?

As a data center hosting partner to hospitals, physician groups, and health IT companies, we want to be a trusted Business Associate. We consulted experienced health care attorneys and HIPAA auditors to fully understand our responsibilities. Together we created a Business Associate Agreement (BAA) that reflects HHS requirements for timely breach notifications. We’ll share the exact language with you below.

Why preparing for PHI breach notification is critical for Business Associates
Speaking from our own experience, Online Tech serves the health care industry with colocation, managed servers, private and managed clouds, and disaster recovery. A lot of PHI flows through our networks and resides in our servers, clouds, and storage. 62% of the breached records reported to HHS, or 4.4 million, involved a Business Associate. The costs of a PHI breach to patients, Business Associates, and Covered Entities are high with HHS penalties, and lawsuit damages of $1000 per breached patient record.

Anything short of 100% HIPAA compliance puts any Business Associate, their clients, and their patients at undue risk. We weren’t comfortable assessing our own state of HIPAA compliance, so we invested in the expertise of independent health IT security specialists, auditors, and attorneys.

What timeframe does Online Tech’s BAA promise for PHI breach notification? ?
HHS requires extensive documentation within 10 days of a PHI breach — documentation that must be prepared well in advance. Online Tech’s preparation included an independent risk assessment, remediation, and complete HIPAA audit of all 54 HITECH citations across our company policies, procedures, facilities, and HIPAA security training by Certified HIPAA Security Specialist Joe Dylewski, president of ATMP Solutions. Our BAA was prepared in accordence with HITECH requirements with the help of experienced health care attorneys Brian Balow and Tatiana Melnik from Dickinson Wright.

Click here for Online Tech’s BAA Breach Notification Timeframe Clause.

Next week, we’ll discuss preparing for an independent HIPAA audit and the end deliverables.

Related resources:
BAA Breach Notification Clause
OCR Audit Requirements Following a Self-Reported HIPAA Breach
Who Needs to be HIPAA Compliant? 
HIPAA Resources: Policies, Procedures & Training Materials
HIPAA, HITECH, BAAs and the Law: Concerns & Best Practices
What’s in a Business Associate Agreement?
HIPAA Compliant IT Security and Best Practices

For more information on HIPAA Compliant hosting, contact us at 877.740.5028 or himss@onlinetech.com

IT professionals claim they dodged this. In fact, they claim they benefit from this. All of this digitization will call for more and more of their expertise. As everyone digitizes everything, the world needs more servers, more storage, more memory, more connectivity, more software and more people who can make it all work.

But I can imagine now a discussion in the decimated old-guard leaders of the newspaper industry.  “The ever-growing and aging population will consume ever-increasing quantities of news.”  They were right that more and more people wanted to consume more and more news content.  But they completely missed that it wouldn’t be in print.  It would be in a new form.  One they didn’t anticipate and that came on faster than they predicted.  Hence they failed to exist.  Their newspaper had been virtualized.

IT professionals are right that there will be an ever-increasing demand for digital content.  But they are wrong to assume that means their skills will remain relevant as that happens.  In fact, I predict that many of the IT skills currently in demand will experience a similar trend as those who ran printing presses in the 80s for those same old-guard newspapers.

Why do I think this?  Because the same thing that happened to newspapers is happening to IT equipment. Servers, storage and networks are all being virtualized – which is exactly what a digital version of a newspaper is.  It’s a virtual newspaper.  And what happens when you virtualize something?  That metamorphosis results in a transformational change.  Transformation is both highly creative but also very destructive.  Once something is virtualized, it can be instantly transported across the globe, instantly searchable, modifiable by software so it can be customized, along with a plethora of other traits.  Those traits add so much value it makes the physical rendition completely obsolete.

Virtualizing a server is essentially digitizing the server hardware. I don’t see any reason why that won’t be as transformational to the IT industry as virtualizing a newspaper was to newspapers or virtualizing photos was to Kodak.

Here’s your guide to the four different levels of PCI compliance as mandated by the major payment card brands, Visa and Mastercard, as well as action items for each:

Now, how do you know which SAQ (Self-Asssessment Questionnaire) to fill out? Find which merchant type best fits your company profile:

You’ve narrowed down what level and type of merchant you are, so now what? Read up about the 12 requirements to meet PCI Compliance with What is PCI Compliance? or watch a webinar on the detailed requirements of PCI compliance.

References:
Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire
Levels of PCI Compliance

HIMSS

Online Tech will be exhibiting in Las Vegas at the 2012 Annual HIMSS Conference & Exhibition, Feb. 20-24 at the Venetian Sands Expo Center.

Drawing in more than 30,000 attendees, HIMSS 12 is one of the largest healthcare IT and management systems conferences in the world, bringing healthcare industry professionals and exhibitors together from around the nation.

Online Tech will be exhibiting its audited HIPAA compliant hosting solutions for healthcare and related organizations at Booth #13528, including:

• HIPAA compliant colocation with high availability power and offsite backup options.
• HIPAA compliant servers with fully managed services.
• HIPAA compliant private clouds with fully managed services.
• HIPAA compliant disaster recovery with comprehensive cloud-based solutions.

Please stop by and contact us if you’re also planning to be at the show!

A full list of exhibitors providing healthcare IT products and services can be found through the HIMSS Online Buyers Guide.

Farzad Mostashari, MD, ScM Speaking at HIMSS 11

Featured keynote speakers include:

• Biz Stone - the Co-founder of Twitter will speak on how social media can influence the changing healthcare landscape.
• Farzad Mostashari, MD, ScM – the National Coordinator for Health Information Technology will share top level insight about the latest on healthcare reform.
• Donna Brazile - Renowned Political Strategist and Commentator Vice Chair of Voter Registration and Participation, Democratic National Committee
• Dana Perino - Political Commentator and Former White House Press Secretary
• Dan Buettner - Founder of Blue Zones and World-Renowned Explorer

HIMSS 12 will also feature more than 400 educational sessions, networking events, pre-conference workshops, knowledge center sessions and symposia on the following topics:

• ICD-10: Is Your Organization Ready?
• Accountable Care Organizations (ACOs): Health IT – Connecting Systems, Connecting People, Changing Care
• Achieving Meaningful Use: Achieving and Sustaining the Meaningful Use of Health IT – The Go Forward Plan
• Clinical Engineering and IT Leadership: Critical Ingredients for Medical Device Connectivity
• Health Information Exchange (HIE): The Year of Implementation, Collaboration & Beyond
• Nursing Informatics: Nursing Informatics Leadership – Delivering Value with HIT
• Physicians’ IT: The Health IT Balancing Act: Managing the CMIO Workload
• Performance Measurement and CDS Symposium: Meaningful Use Improves Quality Care
• RFID & RTLS in Healthcare: Business and Technical Essentials for Improving Patient Care and Safety
• Secondary Use of Data Symposium: Create Value from the Data

For more information about the event, visit www.himssconference.org.

About HIMSS

HIMSS is a cause-based, not-for-profit organization exclusively focused on providing global leadership for the optimal use of information technology (IT) and management systems for the betterment of healthcare. Founded 50 years ago, HIMSS and its related organizations are headquartered in Chicago with additional offices in the United States, Europe and Asia. HIMSS represents more than 38,000 individual members, of which more than two thirds work in healthcare provider, governmental and not-for-profit organizations.

To learn more about HIMSS, please visit www.himss.org.

Stratfor is a private international affairs research firm that may have not encrypted data before storing it in its database, allowing hackers to access and release customer credit card numbers. As a result of lax online security, the firm’s website was taken down and lost a month’s worth of subscriptions – forcing the company to draw on its savings to survive.

The PCI DSS (Payment Card Industry Data Security Standard) is regulated by major industry card-issuers, including VISA, American Express, Discover, MasterCard and JCB International, and applies to companies that accept, store, process and transmit cardholder data.

The second goal of the 12 requirements is to Protect Cardholder Data. Within this goal, requirement #3 states the company must protect stored cardholder data, while Requirement #4 explicitly states:

Encrypt transmission of cardholder data across open, public networks.

PCI Requirements

Detailed requirements of encryption include using industry best practices to implement strong encryption for authentication and transmission over wireless networks or networks connected to the cardholder data environment. When it comes to outsourcing a hosting solution, your PCI compliant hosting provider should provide evidence that the network is secure and encrypted.

The provisions also strictly forbid sending unprotected PANs (Primary Account Numbers) by email, instant messaging, chat, etc.

Stratfor’s subsequent steps will be to limit the scope of compliance by outsourcing credit card processing to a vendor. They are also revamping their website, email and internal systems with the help of an Internet security firm.

Zappos, the online shoes and apparel retailer owned by Amazon, most recently suffered a data breach that may affect more than 24 million customers. An internal email to their employees reports that a hacker gained access to their internal network through one of their servers located in Kentucky.

Although they report that no credit card or payment information was accessed, they are urging customers to change passwords on their online accounts. Names, contact information, password hashes and the last four digits of their credit card numbers were accessed. The company has not released any other details about the incident due to the ongoing investigation.

Need more information about PCI compliance? Watch our pre-recorded PCI webinar series hosted by Online Tech and led by expert Adam Goslin, co-founder of High Bit Security.

• PCI Compliance: Overview and First Steps to Success
• PCI Compliance: Detailed Requirements Walkthrough
• PCI Compliance: Penetration Testing and Enhancing Security for Network and Applications

References:
Payment Card Industry (PCI) Data Security Standard: Requirements and Security Assessment Procedures Version 2.0
Stratfor Relaunches Web Site in Wake of Attack
Zappos Latest Company Hit by Data Breach
Zappos Hacked; Notifying 24+ Million Zappos.com and 6pm.com Customeres of Breach and to Reset Passwords

A recent survey conducted by IDG Research Services found that more than half of IT executives have a limited process automation, meaning they still have several manual processes when it comes to managing their IT assets.

The report also acknowledges that companies with higher levels of process automation and data/process integration are more likely to rate their processes as better when it comes to efficiency, cost-effectiveness and freeing up their IT team’s time.

The survey also reports that companies typically have three or four different installed solutions for monitoring and managing their IT assets and services, with minimal integration and some reported gaps. More than half are working with multiple IT vendors although they report they would prefer not to – it can be difficult to monitor, integrate and manage all of their needed solutions.

Online Tech’s managed hosting solutions offer comprehensive IT disaster recovery, offsite backup, remote server monitoring and more for colocation, managed dedicated servers and cloud hosting services.

OTPortal: Client Hosting Portal

Our OTPortal is an easy-to-use, secure client hosting portal designed as an all-inclusive dashboard detailing everything you need to know about your server, from bandwidth to firewall rules.

The portal allows for optimal process, service and asset integration to cut down on the time it takes to manage your IT services, streamlining your business operations and giving you more time to focus on your own company.

The IT convergence report also details some trends that will demand more of IT teams and require more integration. A few notable trends include:

• Remote access – Evolving working habits and schedules means critical applications and data need to be accessible and available nearly 24×7. A fully redundant data center built for high availability is ideal since it provides automatic failover and protected power to keep servers up and running.
• Full compliance – Industry and government regulations such as PCI DSS compliance and HIPAA compliance are demanding IT services to all meet pre-defined standards for optimal security and privacy of sensitive data. Noncompliance can result in major legal and security fines and damage to your business.
• Mobile support – With the use of personal devices in a work setting come the security concerns around transmitting or storing sensitive data. The issue of integrating and managing mobile applications and data is now a necessity.
• Cloud computing – Complex IT infrastructures require a computing solution that can support many applications and easily scale up or down as needed. Compliance concerns may be eased with private clouds, while managed clouds take the burden off of internal IT staff and allow them to focus on other projects.

References:
The Convergence of IT Operations Management

Mobile Device Security
The infamous Ponemon Institute study on data breaches reports that 81 percent of healthcare organizations use mobile devices to collect, store and transmit patient data. Yet 49 percent take no security precautions to ensure those devices and patient data are protected, and less than 24 percent use encryption.

Mobile Device Security

According to a Jackson & Coker report, four out of five physicians use smartphones, tablets and other mobile devices and apps in daily practice in order to collect patient data from patient exams and easily enter it into their digital EHR/EMR (electronic health or medical records) systems.

The top three healthcare specialties that use mobile devices most frequently include:

• 40% Emergency department physicians
• 33% Cardiologists
• 31% Urologists and Nephrologists

However, the use of mobile devices can increase the potential for a HIPAA breach, especially if the device is lost and not protected by a PIN or encrypted – see our previous blog post on Mobile Security: How Safe is Your Data? for more information.

Another way to protect sensitive data is to have it removed from devices before being transferred from a healthcare facility. A combination of technical security and establishing proper policies and procedures is important to keep up with HIPAA compliant standards.

Read more about our recommended security measures to achieve HIPAA compliance and pass an audit, and about the rise of mobile devices in the healthcare industry.

Business Associate Agreements
To save on capital costs and take advantage of expert knowledge, many turn to professional organizations that offer services to healthcare providers, including data hosting and billing companies. To a covered entity (a physician’s office or hospital collecting patient data), these companies are known as business associates.

But carefully choosing a vendor is extremely important to keeping compliance – business associate-related data breaches topped 62% of total number of patient records breached according to the Dept. of Health and Human Services.

Business Associate Agreements

How do you know your HIPAA hosting provider is credible? Ask them if they’re willing to sign a business associate agreement, or BAA, which is a contract that clearly outlines each party’s responsibility when it comes to data protection.

According to an InformationWeek.com article, only a third of organizations transferring patient data externally had signed data-sharing contracts with all of their contractors.

Online Tech signs a BAA with every healthcare client with patient data since we have possible access to or could affect the availability of patient data on their servers in our data centers. Although we never access patient or client data, the signed document codifies our commitment to follow HIPAA compliant rules.

Read more about business associates and business associate agreements.

Internal Operations
Check out your own staff and internal operations – often human error or mistrained/not-at-all-trained employees can be the root cause of a HIPAA violation. Those with access privileges can mishandle sensitive data.

In the case of the TRICARE/SAIC military healthcare contractor incident, an employee drove off government property and left their car unattended, during which time a thief made off with 4.9 million patient records on unencrypted backup tapes. A resulting lawsuit points out the DoD’s lack of employee training as one of the major offenses.

A survey report by PricewaterhouseCoopers (PwC) shows that slightly more than half of respondents reported a privacy or security issue in the past two years attributed most incidents to the improper use of patient health information by employees. Employee training on HIPAA policies and procedures as they affect day-to-day operations is key to eliminating any points of weakness within a company.

Online Tech was found to be 100% HIPAA compliant as a result of our HIPAA audit, and has undergone complete HIPAA employee training in our updated policies and procedures.

Watch our informative webinar, Impact of HIPAA Compliance on Business Associates, for more information from the perspective of our Director of Operations and Risk Management and Security Officer on the day-to-day operations of a HIPAA compliant data center.

References:
80% of Doctors Use Mobile Devices At Work
Smartphones Partly to Blame for HIPAA Compliance Issues
Integrated Security Reduces Health IT Data Breaches
Staying Vigilant Key to Meeting Regulatory Compliance Standards

NYTimes Spam Email

But more research reveals that many users received the same email and an earlier statement from the New York Times reported the emails were a result of spam, although they did not directly name the source, according to Gigaom.com. Search Security and the Wall Street Journal reported on a data breach that affected several companies, including J.P. Morgan Chase & Co. and TiVo back in April of last year.

The one common factor between the two separate incidents? All of these companies employ third-party email marketing campaign management by Epsilon Data Management LLC, a division of Alliance Data Systems Corp.

In April, Epsilon reported hackers had breached its system security and accessed names and email addresses, including personal information of more than 40 companies (Search Security reports 150 companies, including major banks, retailers and other firms). The company uses customer information to send targeted email promotions to customers of many ecommerce organizations, including Target, Best Buy, the Home Shopping Network and more.

Gigaom.com’s further research shows that the message was sent by bfio.com, a mail server registered to Epsilon Data Management.

Although no credit cardholder data or bank account numbers were accessed, this is a great concern of many of Epsilon’s clients, considering the financial and ecommerce nature of their industries. While spam emails were the only consequence of this instance, similar data breaches in which more sensitive information is accessed can result in a major PCI or HIPAA violation, and significant financial losses.

Read more about Who Needs to be PCI Compliant? and Who Needs to be HIPAA Compliant? if you’re not sure whether or not your company needs to meet national security standards.

References:
Breach Brings Scrutiny
Massive Epsilon Email Breach Could Lead to Email Attacks, Spam
Update: New York Times Email List Spammed – By the New York Times

Business associates (BAs) don’t always have the mindset that an independent HIPAA audit in advance of a problem is worth budgeting for. And it might be that covered entities (CEs) aren’t ready to insist that BAs undergo a HIPAA audit in prevention of a future breach. Yet, more patient records are affected by data breaches that involve BAs than those that don’t, according to current statistics.

Business Associates - Why Invest in a HIPAA Audit?

Even though BAs were only involved in 19% of the total breaches, BA-related HIPAA breaches were responsible for 62% of the total number of patient records breached, or 4.4 million or more patient records breached than those that only involved a CE (from the HHS wall of shame).

With penalty fees averaging $1000/patient record, most BAs would be put out of business for a breach of several hundred records. For example, NYTimes.com wrote about a nonprofit health consultant who has already spent $300,000 in legal and security fees following the theft of an employee’s laptop that contained 13,687 patient records. Additionally, his company had to deal with the aftermath of notifying and compensating affected patients with free credit monitoring. A separate incident with Sutter Health, a nonprofit health system based in California, is now facing two class-action suits, each seeking $1,000 for each patient record breached.

As the number of reported breaches rise, independent audits are becoming more of a necessity to protect businesses from the growing costs of a breach. According to the Poneman Institute, the number of reported data breaches is up 32 percent this year from last year, costing the healthcare industry an estimated $6.5 billion in 2011.

An audit and an initial risk assessment can help your business pinpoint any areas of weakness in security and privacy policies, practices and procedures. Working with the experts to remedy any issues can make your company more resilient and prepared when it comes to protecting sensitive data and avoiding legal and security fees.

For more on HIPAA violations, business associates and how to stay compliant, watch our webinar on HIPAA, HITECH, BAAs and the Law: Concerns and Best Practices.

References:

Digital Data on Patients Raises Risk of Breaches
Second Annual Patient Privacy Study Released
Breaches Affecting 500 or More Individuals

SAS 70
The Statement on Auditing Standard No. 70 was the original audit to measure a data center’s financial reporting and recordkeeping controls. Developed by the AICPA (American Institute of CPAs, there two types:

• Type 1 – Reports on a company’s description of their operational controls
• Type 2 – Reports on an auditor’s opinion on how effective these controls are over a specified period of time (six months)

SSAE 16
The Statement on Standards for Attestation Engagements No. 16 replaced SAS 70 in June 2011. A SSAE 16 audit measures the controls relevant to financial reporting.

• Type 1 – A data center’s description and assertion of controls, as reported by the company.
• Type 2 – Auditors test the accuracy of the controls and the implementation and effectiveness of controls over a specified period of time.

SOC 1
The first of three new Service Organization Controls reports developed by the AICPA, this report measures the controls of a data center as relevant to financial reporting. It is essentially the same as a SSAE 16 audit.

SOC 2
This report and audit is completely different from the previous. SOC 2 measures controls specifically related to IT and data center service providers. The five controls are security, availability, processing integrity (ensuring system accuracy, completion and authorization), confidentiality and privacy. There are two types:

• Type 1 – A data center’s system and suitability of its design of controls, as reported by the company.
• Type 2 – Includes everything in Type 1, with the addition of verification of an auditor’s opinion on the operating effectiveness of the controls.

SOC 3
This report includes the auditor’s opinion of SOC 2 components with an additional seal of approval to be used on websites and other documents. The report is less detailed and technical than a SOC 2 report.

Recommended Reading:
A SOC of A Different Color: Critical Differences Between SOC 2 and SOC 1/SSAE 16
What’s the Difference Between SAS 70, SSAE 16 and SOC?

HIPAA
Mandated by the U.S. Health and Human Services Dept., the Health Insurance Portability and Accountability Act of 1996 specifies laws to secure protected health information (PHI), or patient health data (medical records).

When it comes to data centers, a hosting provider needs to meet HIPAA compliance in order to ensure sensitive patient information is protected.

A HIPAA audit conducted by an independent CHP (Certified HIPAA Practitioner) and CHSS (Certified HIPAA Security Specialist) can provide a documented report to prove a data center operator has the proper policies and procedures in place to provide HIPAA hosting solutions.

No other audit or report can provide evidence of full HIPAA compliance.

Recommended Reading:
Five Questions to Ask Your HIPAA Hosting Provider
Encrypting Data to Meet HIPAA Compliance
Detailed 2011-2012 HIPAA Audit Program

PCI DSS
The Payment Card Industry Data Security Standard was created by the major credit card issuers, and applies to companies that accept, store process and transmit credit cardholder data.

When it comes to data center operators, they should prove they have a PCI compliant environment with an independent audit. They should also know what services can help your company fulfill the 12 PCI requirements.

Recommended Reading:
PCI Compliance and Virtualization: New Recommendations
Guide to Becoming PCI Compliant: Build and Maintain a Secure Network
Guide to Becoming PCI Compliant: Protect Cardholder Data

The federal government has already paid out more than $872 million in incentives to Medicaid/Medicare health organizations and individual providers that have adopted a meaningful use EHR system.

Here are 5 must-read articles explaining HIPAA compliance and what it means for your business in 2012:

1. HIPAA Compliance: Are You Ready for Jan. 1 2012? - This article provides a timeline of important dates in benefits and compliance deadlines.
2. Unhealthy: 2011 Saw Surge In HIPAA Compliance Issues – This article reviews HIPAA trends in 2011 showing that health related data is becoming less secure while enforcement is growing more stringent.
3. HIPAA & Health IT: $872 Million in Incentives - This article explains what you need to do qualify for HIPAA/EHR benefits based on the American Recovery and Reinvestment Act of 2009.
4. Health organizations not prepared for HIPAA audits – This article shows that health organizations are lagging behind regulations and the Dept. of Health and Human Services Offices is already conducting random, on-site audits.
5. 2012 Health IT Spending & Trends – This articles breaks down Health IT spending in major tech investments as well as shows the advantages of virtualization in healthcare.

More HIPAA compliance/health IT resources:
Data Center Industry News: HIPAA Compliance - For the latest on Health IT industry news and compliance updates.
HIPAA Compliant Case Studies – Real Companies and Real HIPAA Hosting Solutions

Simply login to OTPortal at https://customer.onlinetech.com and open the Systems Tab. The Bandwidth Usage section gives you a snapshot view of your bandwidth for the current month, as well as the previous few months.

For a more detailed view of your usage, click the Real-time Chart button. This will open a page with an interactive graph showing your bandwidth over the past month. On this page, you can easily check your usage over a variety of time periods.

For a concise listing of your bandwidth usage, you can click the History button on the Systems Tab/Bandwidth Usage section. The Bandwidth Usage History page shows a color-coded listing of your usage on a weekly basis, grouped by month. All months or weeks with a green check indicate usage below your contracted limit. Yellow warning icons indicate weeks or months with overages.

If you need to add additional bandwidth to your contract, you can easily do that right in OTPortal.

• Simply click the Add Bandwidth button on the Systems Tab/Bandwidth Usage section.
• A pop-up window will appear where you can specify the amount of bandwidth to add.
• Click Add to Cart to begin the ordering process.
• If you have the Buyer role in OTPortal, you’ll be able to approve the order immediately. If you don’t have the Buyer role, OTPortal will display the name of the person authorized to approve the order.

Additional information about OTPortal is available in several training videos, found right on the site itself. If you have specific questions or need help, please contact us at support@onlinetech.com, or by calling 734-213-2020 and selecting Option 3.

While there haven’t been too many changes to PCI DSS compliance in the last year, it is important to keep up with all of the standards because your business depends on it.

Here are 5 must-read articles explaining PCI compliance and what it means for your business in 2012:

1. PCI and Cloud Computing: Cloud Computing Compliance Guide – This article explains what you need to know about PCI compliance with cloud providers, web security in the cloud, and log management.
2. Simplifying PCI Compliance with Tokenization – This article takes you through the latest update on PCI DSS compliant standards, tokenization, and its impact on the scope of the guidelines.
3. The Six Principles of PCI Compliance – Second in a series on PCI compliance, this article explains the six objectives of PCI DSS, what to look for in a PCI compliant data center, and how to maintain PCI compliance for your company.
4. PCI Virtualization Report Cites Challenges with PCI Compliance in the Cloud – This article describes the virtualization guidance by the PCI Security Standards Council (PCI SSC) and shows while cloud-based compliance can be challenging, it is possible with the right hardware and policies.
5. Fend Off Hackers with PCI Compliant Hosting & Virtual Private Firewall Security – This article sums up the history of hacking attacks in 2010 and how ICS and IPS can help identify and protect against security breaches.

More PCI compliant resources:
Levels of PCI Compliance - Do you know what level your business falls under when it comes to meeting PCI compliance? Details on the standards and requirements by company size and transactions.
What is PCI Compliance? – Find details on the 12 requirements of PCI compliance.

Simply login at https://customer.onlinetech.com. Immediately after logging in, you will be on the Status page, which gives you a quick overview of what’s happening at Online Tech.

The Messages section shows you a customized view of OTTalk, our internal communications tool. Online Tech Operations staff uses OTTalk to keep each other, and you, the client, updated on what’s happening in the data centers and with your account.

If you have our OTMonitor service, the status of your monitored servers and devices is displayed in the OTMonitor section, directly below the Messages section. If you have a dedicated or cloud server with Online Tech, you automatically have OTMonitor. For colocation clients, OTMonitor is optional.

Also included on the Status page is the Support Requests section, showing a color coded listing of your support tickets. A ticket that has been submitted, but not yet acknowledged by Online Tech support staff is shaded red. Tickets that are being worked on are yellow. Those that are completed are shaded green. You can click the Open button (the white arrow on the small round button) to view the details of any ticket.

Below Support Requests is the News from OT section. Here you’ll find information on upcoming webinars and other announcements from Online Tech. Additional information about OTPortal is available in several training videos, found right on the site itself. If you have specific questions or need help, please contact us at support@onlinetech.com, or by calling 734-213-2020 and selecting Option 3.

With historical records of current and past order forms, Internet bandwidth and support tickets, managing your account is a simple undertaking.

As an Online Tech client, you can use OTPortal to easily see any firewall rules you have on our firewall. Login to OTPortal at https://customer.onlinetech.com, open the Systems tab, then scroll down to the Firewall Rules section.

Here you’ll find a listing of your firewall rules. If you need to contact an Online Tech Support engineer regarding any of your rules, you’ll need to reference the ID and Sequence numbers.

To request a change, including adding a new rule, click the Request Firewall Change button. A new window will pop-up prompting you for details on the change. Fill in any of the fields on the page, or simply describe the change you would like to have made, and an engineer will contact you for further information. Click Submit, and your request will be entered as a new support ticket in OTPortal, where you can track it on the Status page.

Additional information about OTPortal is available in several training videos, found right on the site itself. If you have specific questions or need help, please contact us at support@onlinetech.com, or by calling 734-213-2020 and selecting Option 3.

View more OTPortal features in order to take full advantage of our custom client portal system.

One month’s use of the server at this price would cost a ridiculous $729,992.70 – more than the cost to purchase an entire mainframe and host it in a high-end data center for 5 years. Admittedly, it is a far-fetched scenario for the spot demand for Amazon cloud servers to stay that high for an entire month, but it raises some interesting questions about the predictability and usability of the Amazon cloud.

I found this discussion thread on the Amazon Cloud forum to be both informative and puzzling.

This left me with a couple of takeaway points:

1. The Amazon cloud isn’t as straight-forward to use as mission critical cloud servers that companies like Online Tech offer.  To use Amazon, you have to design your software around their architecture, availability zones, etc.
2. The basic on-demand model charges by a complex set of computation factors such as CPU clock hours, I/O requests, API requests and others – all of which are very difficult to predict in an application.  Amazon posted this slide deck to encourage you to “model, measure, monitor, multiply and master”- the cost model associated with the Amazon cloud. Looking at the slide deck had me walking away less confident that I was able to model the pricing without an engineering investment to figure it out.
3. While the on-demand model is complex enough, the spot market pricing for Amazon EC2 instances is even less predictable, as the forum post discusses.

At the end of the day, it’s difficult to be convinced that this is truly “spot market” pricing when only one party controls the supply side of the market. I’m left with the feeling that playing the spot market for Amazon cloud servers is like gambling against the house – only one party is truly in a position to win.

While this may sound like I’m slamming Amazon as a competitor, the reality is that we rarely compete.  Amazon has different goals, market and business plan for their cloud servers than we do. Users design to the Amazon cloud to leverage the automation capability, and thus need to buy into their system architecture. Clients leverage our easy-to-use, high availability cloud servers for mission critical applications that they want to run over the long haul.

What do the provisions call for?
A plan to reduce the resources needed for servers and data centers. The components of the plan include a reduction in:

• Square feet of floor space
• Power and cooling utilities
• Investments in capital infrastructure (measured in cost per megawatt of data storage)
• Number of applications
• Full-time personnel/cost of labor

The provisions also call for a performance plan that measures and sets standards for server and data center operations, including the implementation of a strategy for the following:

• Desktop, laptop and mobile device virtualization
• Cloud computing transitions for lower costs and greater security
• Use of cloud computing and data center security services managed by the private sector
• Reporting standards to measure data center infrastructure aspects, including space, power, cooling, age, cost, capacity, efficiency, etc.

The section also calls for reports from the CIO on the division’s cost-savings as a result of transitioning to cloud computing to be presented to Congress in March of each fiscal year, starting in 2012 and reoccurring through 2016. Hopefully a close analysis of investments and the resulting numbers/reduction of security breaches will provide a more comprehensive framework for annual cloud computing and data center re-strategizing to continue the advancement of the DoD’s IT infrastructure and operations.

Back in August, I blogged about the federal cloud computing strategy proposed by CIO Vivek Kundra with intentions of allocating $20 billion of the total $80 billion IT budget for cloud computing migration alone. The goal is similar to the DoD’s NDAA strategy – consolidate and reduce data center and energy expenditure. Kundra’s Federal Cloud Computing Strategy (official document) outlines the cloud as a fundamental shift in IT and offers case studies and more guidance for cloud migration.

Data breaches may have prompted the NDAA’s new security provisions and attention to standardized data center and server practices. The DoD suffered a major HIPAA violation in September when stolen backup tapes exposed 4.9 million patients and their health records. A resulting lawsuit filed fines of $1,000 per individual, totaling to $4.9 billion. One order among the 11 in the lawsuit requires defendants “set up proper systems and procedures to maintain the privacy of protected information.”

HIPAA, the Health Insurance Portability and Accountability Act of 1996, sets the standards for protecting sensitive patient data that is stored, processed or transferred by healthcare organizations and other companies that deal with patient information. The law specifies that healthcare organizations should implement and follow certain policies and practices in order to preserve the integrity, confidentiality and availability of data.

For more about HIPAA and to find out if/how your company is affected by the law, read our HIPAA FAQ. Or if you’re interested in learning more about cloud computing security, watch an informative video or read the transcript of Private Cloud Security: How Your Data Security Changes in the Cloud presented by our Director of Operations, Jason Yaeger.

References:
National Defense Authorization Act for Fiscal Year 2012 (PDF)
New DoD Plan Could Be Big Boost for Clouds

Nearly 90 percent of healthcare IT decision-makers are planning significant investments in hardware, software and other solutions within the next six months. A study by CDW IT Monitor reveals the spending habits and plans of certain key corporate industries within the IT sector – including healthcare, manufacturing and retail industries.

Within the IT budget, the report lists the major tech investments that were put off in 2011 and slated for actualization in 2012, including:

• PCs (60%)
• Security (55%)
• Cloud Computing (50%)
• Virtualization (41%)
• Mobility (39%)

Research firm BCC (Business Communications Company) estimates that the total clinical healthcare IT market is projected to grow from $7.4 billion in 2011 to nearly $17.5 billion in 2016 – increasing at a compound annual growth rate (CAGR) of 18.7 percent over the next five years.

A study of the clinical healthcare technologies market shares from 2010-2016 show a projected growth in the dedicated hardware spend, growing from 28.7 percent in 2011 to 34.2 percent in 2016.

Additionally, government IT consultants and research subsidiary Deltek issued a report on the federal health IT market from 2011-2016 predicting that the federal health IT spending budget will increase from $4.5 billion this year to $6.5 billion in 2016 – showing a growth of 7.5% year over year for the next five.

With this growth comes an improved hiring outlook to support IT investments – 20 percent of IT management plan to hire staff within the next six months. In addition to hiring, some companies may take advantage of outsourcing IT or hosting solutions for its cost-effectiveness, professional management and support.

2011 Health IT Trends -To Continue in 2012?
In a review of 2011 health IT trends, SearchHealthIT.com lists cloud computing and health data privacy and security (HIPAA compliance) as #4 and #5 on their Top 10 Health IT Trends of 2011. Another SearchHealthIT article suggests that healthcare companies start out with server virtualization by testing their noncritical applications (ones that don’t affect patients) in the cloud first, then advancing to accommodate a private cloud.

Other advantages of virtualization in healthcare include:

• Interoperability – Virtualization can help when it comes to combining patient data information into one system to allow for information exchange and patient access, also known as EMR (electronic medical records) or EHR (electronic health records) systems.
• Remote access – Virtual desktop deployment without hardware dependence can allow healthcare employees and physicians to manage business applications from many different mobile devices, increasing the immediacy and streamlining of patient care by increasing access.
• Compliance – A solid disaster recovery plan is recommended to comply with HIPAA compliance regulations. When it comes to disaster recovery, virtualization allows for faster network replication from an offsite location or data center, which in turn effects data recovery times and accuracy.

A white paper by Thomson Reuters, A Path to Eliminating $3.6 Trillion in Wasteful Healthcare Spending, outlines strategies to improve and streamline healthcare organization business processes and systems to lower healthcare costs and wasteful spending. Among the strategies include systems improvements and care coordination, including the goal to better link providers – the paper suggests that healthcare organizations build EMR systems to create increased and efficient connectivity among provider.

Get more details on HIPAA compliant hosting and recommended IT solutions to help your healthcare organization meet compliance.

References:
Show Me the Money: Federal Health IT Budget to Skyrocket
Federal Health Information Technology Market 2011-2016
BCC Research Market Forecasting Report: Healthcare Information Systems
How Virtualization Implementation Catalyzes Private Cloud Growth

This multi-part series on HIPAA safeguards and compliance includes a detailed description of key activities and questions you can ask yourself as a checklist to ensure you meet the standards. The safeguards include:

• Administrative Safeguards, Security Management Process (164.308(a)(1))
• Assigned Security Responsibility, Identifying a Security Official (164.308(a)(2))
• Workforce Security, Implementing Workplace Policies and Procedures(164.308(a)(3))
• Information Access Management,  Implementing Policies and Procedures for Access Authorization (164.308(a)(4))
• Security Awareness and Training, Implementing Security Awareness and Training (164.308(a)(5))

The first part in this series describes the Administrative Safeguards that include implementing company policies and procedures related to security controls to meet HIPAA compliance.

Administrative Safeguards (164.308(a)(1))

• Identify Information Systems with PHI
  • Action: Identify information systems, hardware and software used to collect, store, process or transmit PHI. Review your business functions to verify ownership and control of your information system components.
  • Ask yourself: Do you take regular inventory of your hardware and software (including removable media and remote access devices)? Is your system configuration documented? And have you identified your information type/use and how sensitive your information is?
• Conduct A Risk Assessment
  • Action: Conduct a thorough assessment of any potential risks and vulnerabilities of PHI, and follow a standard risk assessment methodology (see Appendix E: Risk Assessment Guidelines, Page E-1).
  • Ask yourself: What are the current and planned controls? Is your facility or your data hosting facility in a region prone to natural disasters? Has hardware and software been checked for enabled security settings?
• Implement a Risk Management Program
  • Action: Implement security measures to comply with 164.306(a).
  • Ask yourself: Do your current safeguards protect the confidentiality, integrity and availability of PHI, including anticipated threats or hazards to the security/integrity of PHI? Have you checked this compliance against your policies and procedures?
• Acquire IT Systems and Services
  • Action: Implement technology, hardware, software and services as needed to protect PHI – match your IT solution to your environment and take into consideration how sensitive the data is, your security policies, procedures and standards, and the resources you have available for operation, maintenance and training.
  • Ask yourself: How will the new security controls work within your existing IT infrastructure? Have you done a cost-benefit analysis of investment vs. identified security risks? Has a staff training strategy been developed?
• Create and Deploy Policies & Procedures
  • Action: Implement new risk mitigation controls by department, including management, operational and technical. When creating your policies, establish roles and responsibilities per control for certain individuals or departments.
  • Ask yourself: Do you have a documented plan for system security and a formal contingency plan? What’s your employee communication plan? And are the policies and procedures reviewed and updated when major changes take place in your company or as needed?
• Develop and Implement a Sanction Policy
  • Action: Create a policy that addresses any employee offenses that compromise the HIPAA regulations and safety/privacy of PHI, including reprimands, termination, etc.
  • Ask yourself: Is there a documented and formal process in place addressing PHI and system misuse, abuse and fraud? Have employees been alerted about policies regarding sanctions for the misuse and disclosure of PHI?
• Develop and Deploy the Information System Activity Review Process
  • Action: Implement procedures to review records of system activity, like audit logs, access reports and security incident tracking reports.
  • Ask yourself: How often will reviews occur and results analyzed, and who will be responsible for it? Where will audit information reside?
• Develop Appropriate Standard Operating Procedures
  • Action: Figure out what kind of audit data and monitoring you need to derive exception reports.
  • Ask yourself: How will exception reports or logs be reviewed, and where will monitoring reports be filed and maintained?
• Implement the Information System Activity Review and Audit Process
  • Action: Activate review process and begin auditing/logging activity.
  • Ask yourself: What needs to be implemented to assess the effectiveness of the review process? What’s the review process revision plan when needed?

If you found this guide useful, check back soon for other HIPAA safeguard descriptions and guides. Or if you need other resources, read our HIPAA Hosting FAQ or our HIPAA Glossary of Terms.

References:
NIST’s Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule

A lot of sensitive information is easily accessible on our phones these days, especially with the trend of using personal devices in workplace environments. Corporate emails, social media accounts, and bank apps are on our phones to check at our own convenience on a daily basis with most of our passwords saved on each account for easy access. What would happen if SOMEONE ELSE had access to that kind of information? To YOUR personal information? To YOUR company’s sensitive information?

If your company stores, transmits or processes PHI (Protected Health Information) or CHD (Cardholder Data), you need to be aware of the dangers of that data landing in the wrong hands due to poor mobile phone security. Not only that, but both HIPAA and PCI compliance regulations assign large fines and penalties in the event of a data breach.

Smartphone Pin Screenshot

Take this incident as an example – back in February 2011, my smartphone fell out of my pocket into the snow and I was unable to find it after an hour or so of digging. One month rolls by and someone had called in to say they found it in the snow. Fortunately, that person turned it in, but that’s not always how these types of stories end. Someone could have picked up my phone, and if I had no type of security measures in place, they would have had immediate access to ALL of my sensitive information.

The only thing that kept me safe from somebody accessing all of my personal information was implementing a PIN on my phone. Without it, ANYONE could have had access to anything I had stored on my phone within a few minutes of finding it. Bank accounts, confidential emails, personal information on social sites…the possibilities are endless.

However, there is even opposition from some consumers on putting these kinds of security measures into place! A study by Confident Technologies showed that 44% of smartphone users said it was too much of a hassle to lock their phone with a PIN or password, and 30% said they weren’t too worried about security. Yes, it can be a pain to enter your PIN or password every time you access your phone, but it’s worth it in the long run in order to avoid a situation in which your sensitive data could be accessed and misused.

Despite consumer response, mobile security is still getting better as some companies are starting to offer services that wipe phones remotely and even locate them via GPS if they are lost or stolen. However, we as consumers need to implement our own security measures to ensure our information is in the right hands and above all, safe and secure.

Sources:
Most Consumers Don’t Lock Mobile Phone Via PIN
10 Combinations Dominate iPhone Passwords
Smartphone Statistics and Market Share

You might have known that SSAE 16 is also called SOC 1. It’s just an alternative label for exactly the same thing.

And this might lead you to believe that the SOC 2 audit report is closely related to SOC 1 … but this couldn’t be further from the truth. The “little” difference between SOC 1 and SOC 2 amounts to a significant difference to companies who are using the reports as part of their due diligence to research prospective vendors. SOC 2 finally addresses the industry need for a consistent set of criteria against which companies can be measured and compared.

Oh, you didn’t know that SAS 70, SSAE 16/SOC 1 were arbitrary measurements? It goes something like this – before an auditor steps foot into a company to be audited, the company gets to decide what they want to be audited on. It’s like getting to say what questions you want on your final exam. Companies are likely to specify those controls that are in their sweet spot, and that they know they will pass. Companies are likely to omit controls that are weak and ineffective.

What’s worse is that there’s no consistency in audit scope. Some companies specify a mere handful of controls to be audited, while others document exhaustive procedures that they are audited and reported on. Even though any company that passes a SAS 70 or SSAE 16/SOC 1 audit can claim Sarbanes-Oxley (SOX) compliance, only a detailed scrutiny of the independent audit report will reveal what the company has elected to have audited, and the auditor’s opinion. No two SAS 70 or SSAE 16/SOC 1 reports are the same! See the problem?

But wait, it still gets worse for companies who are using SAS 70 or SSAE 16/SOC 1 reports as due diligence for vendor selection. By definition, SAS 70 and SSAE 16/SOC 1 review financial and accounting controls of a service provider. So, when you review one of those reports, you’re getting confirmation that they keep their books well. While this may be one measure of honesty, wouldn’t you really care about the processes that you will be hiring them for? For example, if you were evaluating Online Tech as a hosting provider, would you rather see an independent audit report about our financial and administrative procedures, or an independent audit report about how we control the privacy, security, availability, integrity and confidentiality of our data center facilities and server hosting solutions?

This is where the SOC 2 audit and report comes in. Don’t be fooled into thinking that SOC 2 is a next level up from SOC 1. SOC 2 is a COMPLETELY different species. Here’s why. SOC 2 is the first and only audit and report that sets a pre-defined, consistent set of criteria specifically around the services that a company provides. That means that when you read and compare the SOC 2 reports from two different companies, you can finally compare apples to apples. And what’s even better, you get to compare the processes directly related to the services they will be providing you. While SAS 70 and SSAE 16/SOC 1 are designed to measure financial controls, the SOC 2 audit is designed to measure Service Organization Controls related to:

1. Security
2. Availability
3. Processing Integrity
4. Confidentiality
5. Privacy

Alright, so you get that SOC 2 is a completely different audit than SOC 1. Ready for the next “gotcha”? There are actually two types of SOC 2 audits: a Type I and Type II. Just like in SAS 70 and SSAE 16/SOC 1, the Type I report just means that the company has stated that the controls are in place and functional. The Type II report is the real measurement and auditor validation that the stated controls actually ARE in place and actually ARE working. Put this all together, and the net is, you want to compare vendors who will share a copy of the independent SOC 2 Type II report.

Some cautionary tales: not all companies that position themselves to have “compliant solutions” are really independently audited. How do you know? Ask for a copy of the independent audit report. Expect that these will only be shared under an NDA (Non-Disclosure Agreement), but that’s fair considering that these reports describe the heart and soul of how a service organization runs its business. You might find that some companies won’t even provide their independent audit reports under NDA. Big warning sign. If a service-oriented company refuses to share their audit reports with a prospective customer, it’s impossible for you to prove to your board, shareholders, customers and regulators that you did your own due diligence. And for some industries, the stakes are too high to take this kind of a chance.

If you want an objective, relevant measure of how your vendor will be able to provide a secure, available, confidential and private solution of integrity, there is only one independent audit report to ask for: SOC 2 Type II. At the end of the day in our industry, when investors and clients want proof that a data center is going to be able to meet SLA obligations for server, data, and application uptime, they need to know that the processes and controls around security, availability, processing integrity, confidentiality and privacy are rock solid – not that a data center’s financial controls have passed review.

More references:

SOC Report Comparison
American Institute of CPAs
UHY Advisors
Principal of UHY Advisors, David Barton’s blog

Forty-one percent of respondents reported the need to upgrade infrastructure, networking, Internet technology/web portals and storage in order to comply with meaningful use requirements. Meaningful use refers to the CMS’s (Centers for Medicare & Medicaid Services) requirements for using EHR systems, including the required use in a meaningful and effectual manner, such as e-prescribing, clinical quality measures and others.

When asked about what percentage of their annual IT budget would be spent on EMR or EHR systems this year, 20 percent reported they’d be spending 21 to 30 percent of their budget, while 10 percent will spend 31 to 40 percent of their total budget.

Although an unsurprising 54 percent reported the expense as the top barrier to adopting an electronic medical record system, the second reason was due to negative reactions to using new systems and processes from doctors and other clinicians (30 percent), echoing the government’s concern in the healthcare industry’s technical advancements.  The third barrier is the lack of time (25 percent) and fourth is the potential for disruption in patient care and other processes while implementing systems (24 percent).

When it came to priority ranking of EMR system criteria, the first two included the interoperability/integration within their existing infrastructure (57 percent) and upfront costs (45 percent). However, the third most important criteria was the ease of ongoing maintenance (34 percent), suggesting a number of healthcare professionals and organizations may not have the time or resources required to maintain and upgrade systems.

Another survey statistic that supports the desire for easy system implementation is the 60 percent of respondents that have or will be implementing a comprehensive system from a single vendor, as opposed to the 11 percent that choose to implement a combination of homegrown apps and third-party systems.

The survey also notes the 31 percent of healthcare providers that claim their systems already comply with meaningful use requirements – the article suggests that while these systems may be certified from their vendors as compliant, the healthcare organizations have a responsibility to integrate the system into their existing infrastructure and develop processes that also need to be compliant (this includes employee training). The confusion around owning a compliant technology or system vs. actually being a compliant organization is a common one in the healthcare industry.

Another example of owning or outsourcing a compliant solution vs. actual compliance includes HIPAA compliance. Healthcare providers seeking a HIPAA hosting solution or HIPAA compliant data centers to house their patients’ sensitive protected health information (PHI) often believe they can merely purchase a package to meet HIPAA compliance.

However, there is no HIPAA audited or compliant package that can guarantee your organization is automatically compliant – the healthcare organization is still independently responsible for their policies, procedures and staff training to prepare for passing a potential HIPAA audit. While you can buy tools to help you achieve compliance, you cannot bypass the security precautions that can lead to a data breach or leak. With human error often topping the list as a cause of HIPAA violations, it’s important to take the time to teach and implement best security practices for ultimate prevention. Still have HIPAA questions? Head over to our HIPAA FAQ!

What’s next when it comes to health IT plans in the next upcoming two years? Sixty-two percent are planning or evaluating patient web access to their personal health records, and 58 percent are looking to implement business intelligence tools for analyzing medical data.

References:

CMS EHR Meaningful Use Overview
InformationWeek’s Research: Healthcare IT Priorities Survey

And when it comes to sensitive data and national industry compliance standards, such as HIPAA and PCI DSS compliance, your company can’t afford to suffer a data breach or theft, as the fines and estimated financial loss per data breach record continues to rise each year.

The above video was a concept exploit of the recent vulnerability MS11-83.  The theory behind MS11-83 is that you can send specially crafted UDP packets to a target machine and gain access to it, whether the port is closed or not.

By comparison, the much talked about Stuxnet variant “Duqu” uses a Win32k TrueType font parsing engine vulnerability to inject itself into target machines.  Unlike MS11-83, Duqu is a real-world example of the exploit that has the ability to cause considerable damage and spread itself by embedding itself into Microsoft Word documents sent as email attachments or even USB keys.

In each of these cases these vulnerabilities are known, and fixes have been released (though in Duqu’s case, there is only a temporary patch), and have been disseminated down to WSUS servers and individual computers worldwide.  While MS11-083 has been patched within a week, Duqu was detected in the middle of October, with Microsoft releasing an advisory three weeks later.  This exemplifies the importance of immediate patch management.  One can little afford to not keep their public facing servers up-to-date with the latest patches.

Security is a paramount concern of clients, but so is the stability of your IT operations. Clients often mix and match patching levels to balance these two concerns. At Online Tech, we offer three different levels of patch management, notify clients of outstanding updates waiting to be applied, and offer any assistance with patch installation to ensure comprehensive security measures are implemented accurately and timely.

References:

Microsoft Security Bulletin MS11-083 – Critical
Microsoft Security Advisory: Vulnerability in TrueType Font Parsing Could Allow Elevation of Privileges
JFY: ms11-083
Duqu Exploits Same Windows Font Engine Patched Last Month, Microsoft Confirms

According to TechRadar.com, the shortage has dramatically increased prices to as much as 150 percent, due primarily to the closure of many manufacturing plants. In addition, Digitimes reports an estimated 70 million HDD shortage for laptops and desktop computers in the fourth quarter of 2011. While computer and laptop demand is currently at 180 million, there are reportedly only enough hard drives available for 110-130 million.

Even Apple is feeling it – estimated shipping times have increased significantly from 1 to 3 days to 5 to 7 weeks for customized iMac products with 2TB hard drives, according to AppleInsider.com. Intel recently reported its Q4 revenue will fall from $13.7 billion to $14.7 billion due to the lack of hard drive supply, which has trickled down from fewer personal computers and servers to fewer semiconductors.

However, a recent NYTimes.com article highlights the potential opportunity the shortage has presented for the company: Intel is now looking to push sales of solid-state hard drives, the type used in ultrabooks (MacBook Air-like devices). The company’s future venture includes research to add touch screens to ultrabook devices, similar to tablets.

ComputerWorld.com reports that a rep from Lenovo, a Chinese multinational computer manufacturing company, has stated that PC orders are being placed for a supply that doesn’t exist. Their solution includes replacing unavailable drives for a different, “off-spec” drive. And even after swapping drives, customers will have to wait an extra 45-60 days.

The company hit hardest by the Thailand floods is Western Digital, the largest producer of hard drives, with an estimated 75 percent of its production shut down temporarily.

While Gartner reports the worldwide disk storage market growth in Q2 of 2011 is up nearly 12 percent from last year, as well as the disk market storage market for external cloud computing deployment up 56 percent from 2010, only time will tell what the major impacts on revenue will be in the next two years.

Sources:
Impact of Hard Drive Shortage to Linger Through 2013
Intel Sees Opportunity in Shortage of Drives
2TB Hard Drive Shortage Hits Apple’s BTO iMacs with 5-7 Week Wait
Hard Drive Shortage Pushes Prices Up 150%
Floods Forces Shutdown of Western Digital’s Thailand Plants

We’ve done HIPAA, SAS 70, SSAE 16, SOC 1/SOC 3 audits, but PCI DSS does the deepest dive, by far. PCI includes source code reviews, requires custom penetration testing and well-documented procedures, policies and change management processes.

PCI is also very prescriptive about the technology you must deploy, compared to other compliance standards. For example, HIPAA requires you to logically secure data, but it doesn’t specifically state the use of a firewall. The PCI audit specifically states that you must use a firewall and numerous other technologies to logically protect cardholder data. It’s those prescriptive solutions that drive up the cost of passing an audit. Here’s an explanation of Web Access Firewall (WAF) and the Annual Penetration Testing:

• Web Access Firewall – This is a piece of software that watches the web activity to and from your website in order to prevent nefarious activity. This software actually looks at the web page, not the network traffic, and does pattern matching to make sure credit card numbers are not displayed etc. Deploying a WAF requires someone familiar with both the PCI rules and your application. That person then writes a configuration that tells the WAF how to examine the application’s web pages to check for sensitive credit cardholder data. Every time the programmers make a change to the application, the WAF configuration has to be updated. It’s an expensive tool that requires an expert to use. It can cost thousands to tens of thousands of dollars per year to license and maintain the technology for a PCI application.
• Annual Penetration Testing – PCI requires an internal and external penetration test each year, and after any major change to the application. These tests use both technology and manual review of the application source code to assure there are no threats to sensitive cardholder data.The technology consists of a scanner that examines the ports and attempts various attacks such as SQL injection on the application. Similar to WAF, the scanner has to be custom-configured based on the application. The external test is designed from outside the network.  The internal test is done from inside the network, which is where a hacker may be attacking your application.

PCI also requires file integrity monitoring to ensure configuration files are not nefariously modified, SSL certificates to secure web traffic and dual-factor authentication for administrators. All of these technologies require staff to research, select, install, configure, monitor and maintain the increasing TCO (Total Cost of Ownership) of PCI.

But it’s worth it. In today’s world, data is your business. You can’t operate without it, so we welcome the protections prescribed by PCI regulations in order to provide PCI compliant hosting.

PCI also requires a robust and complete suite of documentation, procedures, policies and change management which further increase the TCO. But that’s for another blog entry…

This obviously doesn’t scale well enough for us. We have multiple data centers and plan to add more throughout the Midwest.  To deliver our promise of compliant computing for as many environments as possible, we had to find an industry-leading, unique and highly efficient method for performing these and other audits.

We hired a nationally-known auditing firm to develop a one-of-a-kind super audit. This super audit is a super-set of all of the audits with the redundant items removed. As a result, we now have one very large audit throughout the year that can be used to generate a full suite of reports: HIPAA, PCI, SSAE 16, etc. The result? We spend less time while experiencing less intrusion, resulting in a better audit.

We then looked at the body of audit points to identify a number of automation opportunities and turned them over to our development team. They added various tools to OTPortal such as the Walkthrough Manager and the Firewall Rule Change Manager to simplify and automate many of the functions the audit requires. We gave our auditors access to these systems to make it easier for them to audit without having to visit our data centers and to save staff time.

Our investment in the super audit and automation allows us to deliver audited, compliant hosting much more cost-effectively than many companies are able to achieve themselves.

The PCI Security Council (PCI SSC) recently released a set of guidelines and recommendations on configuring virtualized environments to meet PCI requirements in June. The council acknowledges there is no one-size-fits-all hosting solution that allows all businesses to meet the PCI requirements, but they do address potential new risks that may be associated with virtualization technology.

According to Onestopclick.com’s article on PCI Compliance and the Public Cloud, some experts suggest using a separate secure server for transactions while using a cloud platform for other business operations. However, the PCI SSC suggests some public clouds have certain characteristics that may introduce challenges in defining scope and responsibilities when it comes to meeting PCI compliance, including the fact that the hosted entity may have limited knowledge of other tenants in their hosted environment and limited control over CHD storage. In a private cloud, dedicated hardware provides more security and control by allowing the tenant to know where their data lives.

As a result, the PCI SSC states the burden of PCI compliance falls upon the cloud provider and their own controls and assessment of their own environment’s compliance. When searching for a PCI compliant hosting provider and solution, merchants should review which controls are in place to meet the requirements, what is included in the scope of their assessment and details of what is not covered, and what is ultimately the merchant’s own responsibility.

The PCI SSC also recommends conducting a risk assessment of their virtual environments to comply with PCI standards, including the following key elements:

• Define the Environment
  Components, physical security/site details, traffic flow, component visibility, virtual and physical hardware components, etc.
• Identify Threats
  One example is new types of malicious code or logical attacks targeting virtual components (hypervisor) or unsecured communication channels between shared hardware components.
• Identify Vulnerabilities
  While the PCI SSC acknowledges vulnerabilities may result from the complexity of virtualization layers, shared environments and lack of visibility, they also point out that vulnerabilities are not limited to technical issues – mistrained staff, operational processes errors, lack of control monitoring and more can be responsible for a point of weakness.
• Evaluate and Address Risk
  With all threats, vulnerabilities and environmental aspects considered, a risk assessment’s ultimate goal is to determine if any additional controls (on top of existing PCI compliance requirements) need to be implemented to protect CHD and avoid a PCI compliance breach.

For more on PCI compliance, see our prerecorded PCI compliance webinar series, including a PCI overview, detailed PCI requirements and PCI penetration testing and enhancing network and application security, led by a PCI compliance expert, Adam Goslin of High Bit Security.

Sources:
PCI Compliance and the Public Cloud
Information Supplement: PCI DSS Virtualization Guidelines

A covered entity must, in accordance with §164.306… Implement a mechanism to encrypt and decrypt electronic protected health information.” (45 CFR § 164.312(a)(2)(iv))

If you choose not to encrypt data, the HIPAA Security Rule states you must implement an equivalent solution to meet the regulatory requirement. The law leaves encryption open to interpretation since covered entities vary when it comes to network and network usage, depending on the type and size of business.

While HIPAA and HITECH address the security and privacy of PHI with more of a policy and procedures-oriented approach with no strict parameters for what type of technology to use, encryption is typically considered a best practice when it comes to protecting sensitive data.

A few recommendations when it comes to data encryption:

• Don’t use public FTP (File Transfer Protocol) if you need to transfer patient data to and from payers or other business associates.
• To err on the safe side would be to combine two methods of encryption – send encrypted files over an encrypted connection.
• When it comes to remote access to applications and data in cases of telecommuting or working from remote locations, use a VPN (Virtual Private Network). This network creates a temporary encrypted connection that only exists during the time of use.
• Always use SSL (Secure Sockets Layer) for web-based access to any sensitive data.
• Keeping sensitive data on a portable device is not recommended – it is better to store your data in an offsite location with a secure environment, such as a HIPAA compliant data center with the proper physical and network security in place to protect PHI and prevent a data breach. This is a lesson learned as shown by the case of the Sutter Health HIPAA breach due to a stolen unencrypted desktop PC. An audited HIPAA hosting solution can also offer greater protection with additional security measures such as a virtual or dedicated firewall, backup, antivirus and OS patch management.
• However, if a portable device needs to be encrypted due to stored sensitive information, file/folder level encryption and full disk encryption (FDE) are both options to keep data safe while stored locally.
• When it comes to mobile devices that store data including CD’s, DVD’s, USBs, iPods and Blackberry’s, encryption of the data on the device can help protect against a HIPAA breach. Other options include putting in place a policy for mobile device use and PHI storage, limiting certain data from being stored on the devices, or implementing access controls to the device, including password protection.
• Data at rest needs to be encrypted as well – this includes data stored on disk drives, backup tapes, or servers since they can be accessed from remote locations and in the physical location if not properly locked/secured.
• Following the NIST (National Institute of Standards and Technology) standard, called the Advanced Encryption Standard (AES) for encryption is considered another best practice.
• Other methods that can help you determine if you need encryption include completing a HIPAA risk assessment, performing a gap analysis to find out what you’re missing in your current security environment, and developing and documenting solutions to become more resilient to the risk of a data breach.

Find out more about the Benefits of HIPAA Compliant Hosting and basic definitions in our HIPAA Glossary of Terms. Get examples of HIPAA training, privacy policies, procedures and forms from established HIPAA compliant medical centers and universities in our HIPAA Resources section.

Sources:
Advanced Encryption Standard (AES)
Encryption White Paper (.doc)

Back in August, I blogged about the upcoming 2011 HIPAA Violations and Audits, and news of the government’s $9.2 million contract with auditing firm KPMG to complete 150 on-site audits of covered entities by December 2012.

The OCR officially launched its HIPAA Audit Program, starting in November 2011.

If you’re not even close to being HIPAA-ready and need HIPAA hosting guidance, check out our HIPAA compliance blog category, HIPAA FAQ, or watch our recent HIPAA webinars to get educated on what you need to be HIPAA compliant.

Take our Linkedin poll (it’s only one question).

The major causes of healthcare data breaches include lost or stolen devices (nearly 50 percent), third party/business associate mistakes (46 percent) and unintentional employee actions.

The prevalence of business associates as the source of a data breach highlights the importance of vetting your vendors thoroughly for HIPAA compliant hosting – although passing a HIPAA audit of their own does not make your organization completely compliant, it does mean your data hosting solution and provider has the proper technology, policies and procedures in place to protect your company from a data breach.

The use of mobile devices in the healthcare industry is another contributor to data loss – while 80 percent are using them to gather, transmit and store patient information, half of them are not securing them.

How can your organization secure sensitive protected health information (PHI) during transfer, storage and transmittal? Online Tech recommends data encryption, virtual or dedicated firewalls, offsite backup and antivirus to meet HIPAA/HITECH standards and keep data safe.

The study also reports that fifty-five percent of respondents agreed that concerns about the ongoing HIPAA audits enforced by OCR and the onsite investigations have affected changes in their patient data privacy and security policies and procedures.

Negative Impacts of Data Breach

What are the consequences of a data breach that healthcare organizations must suffer?

• 81% Diminished productivity and lost time
• 78% Brand or reputation diminishment
• 75% Loss of patient goodwill
• Potential result of consequences: patient churn, representing an average loss of $113,400 per customer/patient, an increase from $107,580 from last year’s study.

How are these data breaches discovered?

• 51% Employees
• 43% Audit/Assessment
• 35% Patient compliant

Although investing in the proper HIPAA compliant technology, policies and procedures can be a costly, time-consuming process, the study also shows that healthcare organization are at risk of non-compliance, based on their current practices. The study also shows a significant financial loss and other serious consequences that can negatively impact business survival.

Need more HIPAA hosting information and recommended best practices to meet compliance? Answer questions like What services from Online Tech help make me compliant? and What’s the best way to encrypt PHI? in our informative HIPAA FAQ. Or read up on a few HIPAA hosting case studies that detail real companies with real HIPAA challenges, and their solutions that helped them be successful today.

Sources:
Second Annual Benchmark Study on Patient Privacy & Data Security, Ponemon Institute
Healthcare Data in Critical Condition
Health Data Breaches Cost $6.5 Billion Annually

Online Tech Open House

Last Chance: RSVP to attend Online Tech’s New Ann Arbor, Michigan Data Center Open House – Friday (tomorrow) 3-7pm!

Aside from ongoing data center tours, refreshments and wine, you’ll get the latest on IT compliance from a Certified HIPAA Practitioner (CHP), a health IT and HIPAA compliance attorney and PCI compliance experts. Come with questions for the Q&A session about your own company or organization and get advice from industry professionals.

Interested in cloud computing, disaster recovery and cloud security? We’ll have VMware experts speaking on cloud compliance, Dell reps presenting EqualLogic: Fully Loaded with vSphere 5, and an introduction to Online Tech’s latest cloud-based disaster recovery solution, DR Now!

Stay for an hour or four – RSVP and reserve a seat at one of our presentations today. Get the address & details here.

In 2010, only 10.1 percent of office-based physicians have a fully functional EMR/EHR system in place, up 32 percent in 2009. Nearly 25 percent have adopted a basic system, showing a minor increase from the 22 percent in 2009. Additionally, 50 percent of office-based physicians have any type of EMR/EHR system, although not fully functional.

NAMCS Survey Results

According to the scholarly publication by the National Center for Health Statistics accompanying the survey, ‘fully functional’ is defined as systems with the following basic functionalities:

• Patient demographic information
• Patient problem lists
• Clinical notes
• Orders for prescriptions
• Viewing laboratory and imaging results
• Medical history and follow-up
• Orders for tests
• Prescription and test orders sent electronically
• Drug interactions or contraindications warnings
• Highlighting out-of-range test levels
• Electronic images returned
• Reminders for guideline-based interventions

The need for EMR/EHR awareness and technical support is growing at a rapid pace, demanding more clinical IT staff training and additional resources. With the advent of electronic systems, data protection and security concerns become paramount, as the Department of Health and Human Services has indicated with its latest investment in HIPAA compliance enforcement and scheduled, ongoing HIPAA audits.

Find out more about HIPAA hosting and who needs to be HIPAA compliant. Or, answer all your health IT, HIPAA and HITECH questions with our HIPAA FAQ.

Source:
Electronic Medical Record/Electronic Health Record Use By Office-based Physicians: United States, 2009 and Preliminary 2010 State Estimates

Kapnick Insurance Group

Seminar and presentation topics include data and intellectual property safety, what to do if it is compromised, how much a data breach will cost, and what companies can do to adequately protect themselves from a data breach.

Other panel topics to be discussed include:

• What to do after you’ve been hacked
• How to comply with numerous federal regulations, such as HIPAA compliance, HITECH, PCI compliance and state laws governing breach notification rules

The data security panel discussion is open to the public, and will be held December 12, 2011 from 7-9:30pm. Kapnick Insurance Group’s office is located at:

1201 Briarwood Circle
Ann Arbor, MI 48108

Other panel discussion participants include:

• Mark Ford, Privacy and Security Consultant of Deloitte Touche
• Joseph Dylewski, HIPAA Expert and Consultant of ATMP Solutions
• Adam Goslin, IT Security Services/PCI Consultant of High Bit Security
• Stephan Tupper, Attorney
• Dykema Gossett, Privacy Practice Leader

The panel will be moderated by Stewart Nelson, Account Executive of Kapnick Insurance Group, and a Q&A session will be held after the initial panel discussion.

Who should attend? The data security panel discussion is suited for business owners, executives, managers and IT professionals from any company that store sensitive information or data.

For bios, contact information and driving directions, visit the panel discussion registration.

Watch an informative video on Private Cloud Security: How Your Data Security Changes in the Cloud, or view a comparison of a managed cloud vs. a public cloud when it comes to security and other benefits.

When asked how critical the global EMR markets are to their company’s long-term and short-term strategy, 71 percent recognized the EMR markets as a short term growth opportunity and 100 percent view them as a growth opportunity in the long term.

The survey anticipates four major trends that will have the greatest impact on EMR growth:

• Nearly 71 percent rate government incentives as a driver behind effective health IT adoption.
• The survey notes a shortage of clinical IT specialists will also contribute to the transition to outsourcing and cloud-based EMR solutions. The EMR systems will require more clinically trained IT resources.
• Health system networking will also create the largest challenge, due to the large variety of geographic regions.
• Another major issue that will affect the pace of EMR adoption is global economic recovery.

The connection between government funding and outsourcing is the need for increasing support costs and lack of IT resources – hospitals in North America are barely able to offset the costs of adopting and supporting EMR systems, even with incentives. As a result, healthcare companies are turning to outsourced and cloud solutions to reduce overall costs.

While the survey recognizes the capability of cloud computing to reduce costs, increase efficiency and help with EMR deployment, it also quotes an IDC survey stating 54 percent of organizations are still researching and evaluating the cloud, while 21 percent are actually using the cloud for applications. Despite slow adoption rates, the survey shows an expected overall increase in spending on clinical IT over the next five years.

A major inhibitor of EMR adoption include concerns around security and data sharing. Knowing where your data resides and maintaining control is important when it comes to reducing security risks. It’s important to review your contracts with your cloud hosting provider to ensure you’re following HIPAA compliant practices for optimal protected health information (PHI) security.

Get more information about cloud security from our E-Tip, Top 5 Tips for Cloud Computing Security – one tip is to invest in dedicated hardware and increased IT security measures, such as managed firewalls, and intrusion detection and prevention systems. Not sure what HIPAA hosting should entail? Check out our HIPAA FAQ for answers.

Source:
Accenture’s Overview of International EMR/EHR Markets (PDF)

Ann Arbor 2 Data Center

If you’re around the Ann Arbor or Detroit area, stop by our open house Friday, December 2, 2011 from 3-7 p.m. at our newest Ann Arbor data center to celebrate and take advantage of a great information-sharing and networking opportunity for those interested in learning about the latest developments in the IT and compliance industries.

The event will include presentations from Dell, Comcast and VMware representatives, as well as PCI compliance and HIPAA compliance industry experts. Q&A sessions will follow, as well as data center tours and complimentary wine, cheese and desserts. Also, don’t miss the presentation launch of our latest cloud disaster recovery product, DR Now!

Open House Agenda

Please RSVP to reserve a ticket and contact us for more information. For event details, data center address and RSVP form, please visit our registration page. Reserve individual presentation seats and customize your schedule to do the following:

• Tour the Data Center
• Ask Dell about EqualLogic SANs & servers
• Ask VMWare about Cloud Computing & Cloud Security
• Ask Comcast about Metro Ethernet and other business services
• Learn about HIPAA compliance from a CHSS (Certified HIPAA Security Specialist) /CHP (Certified HIPAA Practitioner) and Health IT Attorney
• Learn about PCI compliance and penetration testing
• Learn about IT Disaster Recovery options

Our newest Ann Arbor data center is a 19,500 square foot facility with 10,000 square feet of 12″ raised floor and high availability Internet connectivity. With diversified utility and network feeds, our data center is perfect for production and disaster recovery projects.

Like our other data centers, our Ann Arbor, Michigan data center is independently audited and found to be SAS 70, SSAE 16, SOC 2 & SOC 3 and HIPAA compliant. Visit Ann Arbor Data Center for detailed specifications on the power, network infrastructure, security, and cooling capacity.

A couple key points and lessons learned are noted:

Encryption: the breach was a result of physical theft at the Sutter Medical Foundation’s administrative offices. A rock used to break the window allowed a thief to make off with an unencrypted desktop computer housing a patient database of information (although the company was in the process of encrypting their data at the time of theft, starting primarily with hand-held devices). Encryption is viewed as a common and recommended best practice in cases of sensitive data storage, and is a must for HIPAA covered entities.

Data Storage: Keeping a large amount of protected health information (PHI) unencrypted and easily accessible on a desktop computer is not considered the most secure form of data storage. As I blogged about in early August (see 2011 HIPAA Violations infographic), HHS.gov records show the most common type of HIPAA violations by number of instances is due to physical theft (49 percent). Cloud computing, whether the private cloud or the managed cloud, can offer increased security with the use of firewalls, Intrusion Detection and Protection Systems (IDS/IPS), access authentication and more.

Patient notification: Although the data theft was stolen over the weekend of October 15, the patients and the public were not notified until a month later (last Wednesday). In addition, according to ModernHealthCare.com, a Sutter Health spokeswoman is not planning to notify the 3.3 million affected patients directly, and some patients might not receive notice by mail until early next month.

Earlier this year, the TRICARE/SAIC HIPAA breach affected a record 4.9 million military patients of the San Antonio area – the stolen military backup tapes were also unencrypted.

HIPAA compliance is a result of a combination of technology, policies and procedures – if you’re uncertain about what HIPAA hosting for your protected health information (PHI) should entail, see our HIPAA FAQ for more answers.

Sutter Health: Stolen Computer Contained Info on 4.2 Million
Medical Record Theft at Sutter Health Part of Wider Problem

The deadline extension comes in the wake of a recent survey by the Medical Group Management Association (MGMA) as reported by HealthcareITNews.com which found that only 4.5 percent of respondents would rate their 5010 implementation as fully complete. This discrepancy between time before the original deadline and the actuality of HIPAA covered entity readiness called for action, and the CMS responded with news of the enforcement delay.

The specific office that handles HIPAA compliance enforcement is the Office of E-Health Standards and Services (OESS), within the U.S. Department of Health and Human Services (HHS). The CMS press release reports that the OESS will continue to accept HIPAA 5010 complaints during the three month period, but enforcement will not begin until after March 31.

However, no penalties will be applied between January and March if the covered entity takes corrective action to resolve complaints, or shows a good faith effort toward HIPAA compliance.

The OESS also urges HIPAA covered entities to contact and schedule the compliance upgrade with their trading partners on a timely basis to meet the new enforcement deadline. This is also a good time to check with your third-party hosting provider if they are providing HIPAA hosting services to avoid any upcoming penalties (see 2011-2012 HIPAA Audits Have Begun: Are You Ready to Prove HIPAA Compliance? for information and tips on the ongoing HIPAA audit schedule and process).

The American Medical Assocation (AMA) also provides a preparatory fact sheet on planning and tactically implementing HIPAA 5010 on a schedule, which you can find on my other blog post, HIPAA 5010 Deadline Approaching: Taking Steps toward Implementation.

The CMS provides more resources on ICD-10 (standards for diagnosis and inpatient procedure coding) and HIPAA 5010 on their site. This handy fact sheet (PDF) from CMS also provides a summary of the upgraded standards (although the deadline portion still needs to be updated).

Source:
CMS To Delay Enforcement of HIPAA 5010 Transaction Sets
CMS Press Release: Announcing 90-Day Period of Enforcement Discretion for Compliance with New HIPAA Transaction Standards

Legal Issues with Social Media

The 84-page, highly informative presentation includes social media updates and respective legal issues, as well as advice on revisions to social media policies – and a plethora of HIPAA breach statistics and advice on how to stay HIPAA compliant.

Other presentation highlights include:

• Statistics on the general use of YouTube, Facebook, Twitter and blogs by hospitals and healthcare
• Specific protected health information (PHI) leak incidents as a direct result of using social media in Midwest states, including Iowa, Michigan, Minnesota and Wisconsin
• Certain incidents that prompt the Department of Justice or Attorneys’ General to prosecute
• FBI cases specifically associated with HIPAA violations
• Appeals, settlements and status of ongoing HIPAA breach lawsuits
• Statistics on HIPAA complaints and the OCR’s role (either requiring corrective actions by covered entities or cases in which the OCR found no violation)
• Most common HIPAA complaint issues
• A basic overview of who is under HITECH breach obligations and required actions
• 2011 HIPAA breach facts and Midwest statistics by state
• The cost per HIPAA breach record according to breach type, and how it’s changed from 2009-2010
• Formulating a social media policy – who it protects, why it’s important to have, and how to maintain and enforce the policies
• Links to more resources and examples of established policies and best practices from clinics and medical centers

Download or view the PDF presentation, Social Media, Healthcare and the Law: 2011 Update.

Melnik also recently discussed the legal implications of BAAs (Business Associate Agreements) when patient information is shared, processed or stored between companies in Sharing PHI Data? Legal Implications of BAAs & Avoiding HIPAA Pitfalls, the third HIPAA webinar in a webinar series hosted by Online Tech, A to Z to Achieving HIPAA Compliance.

Tatiana Melnik, Attorney, Dickinson Wright PLLC

Tatiana Melnik is an attorney with the Dickinson Wright law firm where her practice focuses on information technology, healthcare information technology, intellectual property and privacy issues. Ms. Melnik sits on the Michigan Bar Information Technology Law Council, the Automation Alley Information Technology Committee, and is a Managing Editor of the Nanotechnology Law & Business Journal.

Ms. Melnik holds a JD from the University of Michigan Law School, and a BS in Information Systems and BBA in International Business, both from the University of North Florida. Ms. Melnik regularly writes and speaks on issues surrounding healthcare information technology.

In April 2011, Sony was attacked when hackers got access to over 77 million users’ personal information, including credit card numbers through its PSN Network.

Big or small, it’s inevitable that your company will experience some sort of disaster in its lifetime. However, having a plan in place can determine if you’ll be operational after the fact.

Here are some IT disaster recovery statistics:

• Less than 50% of all organizations have a business continuity plan in place.
• 43% of companies that do have a business continuity plan do not test it annually.
• 50% of businesses experiencing a computer outage will be forced to close within five years.
• 90% of businesses losing data from a disaster are forced to shut down within two years.

There are many different kinds of disaster recovery options (Onsite/Offsite Backup, Cold/Warm/Hot Site DR, SAN-to-SAN Replication, DR Now!) that can accommodate organizational needs. Each one of these options have their pros and cons, but having any sort of option in place is better than no option at all.

Disasters can come in a multitude of ways. Hurricanes, earthquakes, and tornadoes are just a few kinds of natural disasters that could strike your business at anytime without warning. Although utilizing Michigan Colocation is a viable option for its location and decreased risk of these kind of disasters, having a disaster recovery plan in place is still very essential.

When a disaster hits any company, time is of the essence and it’s critical to make sure that your company is sticking to the plan that you have in place. Those first few hours, minutes and  seconds are essential to a company and you need to have professionals and procedures in place to prevent any sort of disaster from getting out of hand.

We live in a world where technology is significantly shaping the way we do business. With our heavy reliance on technology, companies need to have a IT Disaster Recovery plan in place to ensure that your company will be able to survive any sort of disaster and stay afloat.

Tweeting about #HIMSS? Join us in the conversation on Online Tech’s Twitter.

Day 1: Monday, November 14, 2011

9:15 AM - After a tailgating party last night – complete with games, flatscreens, and great tailgating food, this morning’s early morning jog through downtown Indianapolis got the HIMSS Midwest Conference off to a healthy start.

The first play of the day now in session: Beyond Meaningful Use—Transforming our Healthcare System, presented by C. Martin Harris, MD, CIO and Chairman of the Cleveland Clinic.

11:50 AM - Dr. Martin Harris, head of Cleveland Clinic, shared the most expensive type of healthcare mistake at Midwest #HIMSS : incomplete medical records.

Day 2: Tuesday, November 15, 2011

10:14 AM - Check out Online Tech’s HIPAA hosting solutions at Booth 57 (complimentary coffee available!):

Midwest HIMSS Online Tech Booth

10:48 AM - Mike Kroon and Bill Ryan of Online Tech deep in conversation at the Midwest HIMSS conference:

Midwest HIMSS Conversation

11:15 AM - Online Tech Sponsors the 2011 Midwest HIMSS Fall Technology conference:

Online Tech Sponsors 2011 Midwest HIMSS Fall Technology Conference

11:30 – Learning about Social Media, Healthcare, & the Law @ #HIMSS Indy w/ attorneys Brian Balow & Tatiana Melnik.

1. In-house vs. outsource – The first step is to decide if you want to keep your IT in-house or outsource your IT services to a managed cloud or data center provider. If you have difficulty deciding, first answer – Do you have the expertise or experience with virtualization to do it yourself, or would it be best to outsource to a specialized company?
2. Determine IT costs and plan – Weigh your company’s current strategic IT mission and plan, cost, and the security and resiliency need for your applications. This is critical to the next two steps, when determining your server and platform specs.
3. Review specs of your host server – Decide on a uniform processor speed, since parity in all of your host server boxes is important. While it’s easy to add more RAM or a new processor, adding or replacing local disk can be more complex.
4. Review specs of your virtualization platform – Do you want the comfort of using a well-known brand name such as VMware, or do you need something more affordable like Microsoft’s Hyper-V? Consider your IT budget.
5. Consider using a SAN (Storage Area Network) – If you consolidate all of your data on your virtual servers to a single storage platform, you’ll have the capability to move virtual servers from one box to another, allowing for optimal use of your server resources. You can monitor, configure and manage automatically; as well as enable automatic failover to another host should one host fail.
6. Implement an IT disaster recovery plan – Determine what level of disaster protection your data needs – consider offsite backup in a separate location in the event that something happens to your primary site. If you’ve chosen an outsourced private cloud, your provider may have a cost-effective cloud disaster recovery plan available. SAN-to-SAN replication can also deliver fast recovery times and failback to production.

While setting up the cloud, whether a managed or a private cloud, the most important fact is your cloud doesn’t have to be built in one day – you always have the flexibility to customize, scale up or down, and add hosts to align with company demand. The great part about a cloud is the ability to grow without replacing old hardware or wasting capital.

Consider taking the first few steps to adopting the cloud to realize cost savings, fast server deployment, and disaster recovery options.

Get more details on The Road to the Private Cloud: How to Make the Transition.

Most businesses just don’t think it’ll happen to them – when in actuality, disasters happen more often than we think. A study by research firm Forrester dispels the myth that disaster declarations are rare occurrences with the statistic that 27 percent of companies had declared at least one disaster during the past five years, in a Global Disaster Recovery Preparedness Online Survey.

Disaster Declarations

Although 73 percent had no declarations of disaster, 14 percent declared one disaster event in the past five years, and 5 percent experienced more than five disasters. These companies had to not only declare a disaster, but they also had to recover operations at their recovery site.

Another myth the Forrester study dispels is the idea that natural disasters, like hurricanes, tornadoes and earthquakes, are the most common cause of downtime for a company. In actuality, power, IT and network failures are the most common causes.

The survey question asked, “What was the cause of your most significant disaster declaration(s) or major business disruption?” The respondents attributed downtime to power failure, IT hardware failure, network failure, IT software failure and human error as the top five most common causes, while floods, other, hurricanes, fires, etc. ranked lower on the list.

Causes of Downtime

If your disaster can be attributed to things you can control, like choosing a more reliable IT company to host your critical data and applications with, then it may be worth the initial investment. Symantec’s 2011 SMB Disaster Preparedness Survey estimates the average cost of downtime for a small-to-medium business is $12,500 per day.

What can you do to be prepared for a costly disaster in 2012?

Problem: Power Failures
Solution: Partner with an IT company that has a N+1 or redundant power infrastructure to avoid a power failure. Check to see if your data center provider has backup power sources – a pooled UPS, battery and generator power systems can be effective against outages.

Problem: IT Hardware & Software Failure
Solution: What causes hardware and software failure? While many factors play a part, lack of maintenance or improper maintenance of your hardware can lead to failures and downtime. Often you or your IT staff might not be able to pay full attention to all of the necessary upgrades, patches and fixes in a timely manner if you’re busy focusing on your applications or other business goals. Handing over the reins to a certified, experienced IT support team that devote their days to managing your servers can be the simple (and effective) solution.

Problem: Network Failure
Solution: Protect against network failure by choosing a quality, fully replicated network infrastructure design. Ask your IT company how often and closely they manage their networks – while the setup and design can be quality, the support provided is also important to ensure high availability of your data and applications.

Hosting your data at a company that offers multiple Internet providers (ISPs) with diverse entry paths can also help eliminate network downtime. In the event of a disaster, the network will automatically failover between providers to ensure you’re always connected without server interruptions.

Problem: Human Error
Solution: It happens. But why not cut down on it as much as possible by outsourcing your hosting project to a team of certified professionals that are dedicated to providing unlimited, 24×7 support? Make sure your data center hosting provider has an asset and change management system that can track and record all changes and corrective actions to the network, servers and OS so you can keep tabs on your server maintenance. Or, use a remote server monitoring system to have complete visibility into your server(s) status.

In addition to investing smart, your company needs a comprehensive IT disaster recovery plan in place. Choose a plan that is affordable and reliable with a fast recovery time – beware of traditional disaster recovery plans that require error-prone tape backup.

The Complete Solution: Disaster Recovery in the Cloud

Disaster recovery in the cloud is the latest and most reliable solution that also happens to cost less than half of the production environment. It’s considered more reliable because the entire hosted cloud (including servers, software, network configuration and security) are replicated to an offsite disaster recovery cloud.

Plus, it’s faster – recovering your servers, apps and data into a cold site environment is entirely replaced by only a few clicks to spin up the replicated servers. Online Tech’s disaster recovery cloud solution (DR Now!) has a warranted 4 hour recovery time objective, specifying the worst case availability in case of a disaster. Our SAS 70 and SSAE 16 audited data centers prove we follow standardized processes to cut down on human error and power, network, hardware and software failure.

Don’t gamble with your chances of declaring a disaster and potentially losing critical data and applications – protect your company by making an educated investment in an updated 2012 disaster recovery plan.

HIMSS 10

This Sunday, Online Tech is heading down to Indiana for the Midwest HIMSS Fall Technology Conference to join hundreds of healthcare and health IT professionals for breakout sessions, keynote speakers and vendor exhibits.

In addition, 54 percent of respondents to the study said their IT staff had no knowledge about the potential risks of open firewall ports in their cloud environments. These significant statistics show a major lack of security concerns among IT personnel that ultimately affect clients’ data and applications in the cloud.

Even more alarming are the 42 percent of the respondents that fear they wouldn’t know if their data or applications on their cloud were actually compromised or if a data breach occurred, involving an open port on a cloud server.

Cloud Security: Managing Firewall Risks

The study “Cloud Security: Managing Firewall Risks” analyzed responses from IT and IT security professionals working in the U.S. that use hosted or cloud servers (dedicated or virtual private servers). And these aren’t novice IT personnel – on average, the respondents had more than 10 years of experience and almost half worked at organizations with 5,000 employees across the globe. The majority of the respondents reported that their organizations used both public and hybrid clouds.

Transparency is also a prevailing issue. The study reports that 36 percent of respondents claim their organizations cannot manage access or generate reports efficiently, while 29 percent say they manage access through the cloud provider’s tools but can’t see any access reports.

My response  and advice to cloud users, as the Senior Systems Engineer at Online Tech:

Cloud security is and will always be a hot topic. Firewall rules and public cloud management ports are the major concern. If you are educated in what the cloud provider has in place, you can better determine their existing standards for security. Ask before you buy is the best thing you can do. With Online Tech, our dedication to transparency means every client can always see what open firewall ports they have through our client portal. The firewall rules are there for the client to both view and audit.

The client can request for firewall rules to be opened or closed after viewing them through our portal, meaning anything you need to block can be blocked. Port scans can be run from the outside to help you verify this as well. It is always a good idea to do port scans and secure your cloud servers as much as possible. Online Tech also has a built-in intrusion detection system to help identify and block attacks to your cloud server. You don’t want to be guessing here, and at Online Tech, we know this is important.

When it comes to management ports, it is all secured with SSL or VPNs. All staff access is segmented and protected via strict VPN and firewall rules. The least privilege and SSAE 16 standard processes that we have in place hold us accountable when it comes to staff access. Data traffic to SANs is on a private segment and can never be accessed from the outside.

If you have cloud security concerns, ask and you shall receive. This will help you make informed decisions and assess any potential risks.

Read our article on Cloud Computing Security and access our Cloud Computing Wiki for more information.

Sources:
Managing Firewall Risks in the Cloud
Cloud Security: Managing Firewall Risks
Cloud Computing Study: 67 Percent of Companies Vulnerable to Hack

• Who: Every covered entity and business associate is eligible (although the program site states that “Business Associates will be included in future audits,” suggesting they won’t be addressed in this audit). HHS.gov states that the OCR may consider covered individual and organizational providers of health services, health plans of sizes and functions, and healthcare clearinghouses may be considered as well.
  
• What: OCR is piloting a program to perform up to 150 audits of covered entities to assess privacy and security compliance.
• Why: To satisfy the American Recovery and Reinvestment Act of 2009 (ARRA) Section 13411 of the HITECH Act and to check compliance with HIPAA Privacy and Security Rules and Breach Notification standards.
• When: November 2011-December 2012.

Three Steps to the HIPAA Audit Process

1. Staged in a three-step process, the first step was developing audit protocols.
2. The second step will be the initial wave of audits in November 2011. This step will help shape how the rest of the audits will be conducted.
3. Finally, the third step will be the full range of conducted audits.

How Will the Audit Program Work?

1. Entities selected for an audit will be notified by the OCR and will have to provide documentation of privacy and security compliance efforts.
2. Every audit requires a site visit and an audit report.
3. Site visits will include interviews with key personnel and general observation of processes and operations to help determine compliance.
4. After the site visit, auditors will give the entity a draft report showing how the audit was conducted, audit findings, and what actions the entity is taking in response to the findings.
5. Before the report is finalized, the entity has a chance to discuss concerns and describe corrective actions taken to address those concerns.
6. Final OCR report will include the steps the entity has taken to resolve compliance issues and describe the best practices of the entity.

Simplified Audit Schedule

2011-2012 HIPAA Audit Timeline

What is the OCR Planning to Get From These Audits?
The OCR will use the audit reports to determine what types of technical assistance needs to be developed and what types of correction action are most effective.

Need More HIPAA Guidance?
If you’re not sure if your hosting solution is HIPAA compliant, or if your patient health information (PHI) is being secured in a HIPAA compliant data center, check out the Five Questions to Ask Your HIPAA Hosting Provider to get informed.

Looking for more information on the latest HIPAA ongoings? Check our HIPAA compliance blog category, HIPAA FAQ, or watch our recent HIPAA webinars to get educated on what you need to be HIPAA compliant.

But before you can do that, you need to sign a business associate agreement (BAA) with your business associate (BA), according to the HIPAA Privacy Rule. But what’s in a business associate agreement contract?

The U.S. Department of Health and Human Resources (HHS) has a sample business associate contract available on its site listing all the provisions for those that are curious.

While this shouldn’t be copied precisely and is more of a guide than a complete document, it does offer insight into the general terms that a BAA should address, with the addition of customized provisions specific to certain companies’ needs.

A summary of the primary provisions include:

• Obligations and Activities of Business Associate
  • No use or disclosure of protected health information (PHI) unless it’s permitted or required by law.
  • Must use proper safeguards to prevent use or disclosure of PHI.
  • Mitigation in the event of a data breach.
  • Must report any use or disclosure of PHI.
  • Ensures others (subcontractors) agree to the same BAA.
  • Allows CE access PHI.
  • Must create documented HIPAA policies and procedures.
  • Document any PHI disclosures.
• Permitted Users and Disclosures by Business Associate
• • Specifies when BA can use or disclose PHI on behalf of the CE.
• Specific Use and Disclosure Provisions (if applicable)
  • When or why a BA would disclose or use any PHI, to report law violations, with CE permission, or to provide any kind of data aggregation reports to the CE).
• Obligations of Covered Entity
  • The CE will notify the BA of any changes in permission (including restrictions or revocation) of the individual to use or disclose PHI.
• Permissible Requests by Covered Entity
  • Terms and effective dates
  • How PHI will be handled after termination (returned or destroyed)
  • Reasons for termination

If you’re a covered entity, protect your company and your patients/clients by signing a thorough BAA. As a best practice recommended for HIPAA compliance, it will only strengthen your ability to pass a HIPAA audit, should the auditors come to your door.

Have other questions about compliance and BAAs? Read our HIPAA FAQ to find answers about BAs, hosting and agreements.

Source:
Business Associate Contracts

An Ideal Location                                      

You need an ideal location for server colocation – if you’re concerned about uptime and server safety at all, you’ll need to find a data center located in a geographic region with minimal risk of natural disasters and overheating.

Michigan Colocation Offers Cool Climate

Data center efficiency also helps reduce operational costs. Facebook recently built one of their data centers near the Arctic Circle to take advantage of a climate that offers natural cooling resources. Michigan colocation is also ideal for its low risk of earthquakes, tornadoes, hurricanes, natural disasters, as well as its long winters – only four months have temperatures that average over 60 degrees Fahrenheit.

24×7 Technical Support

To ensure your servers are up and running, you need unlimited and responsive 24×7 technical support from a team of certified, experienced engineers. Managed server monitoring is also important to alert your staff and your colocation hosting provider staff of any potential server issues. Your colocation provider should also offer a troubleshooting and remediation service to identify root causes of any problems and for quick resolution.

Full Redundancy

A colocation facility with redundant Internet service providers (ISPs), uninterruptible power, and a well-designed network infrastructure will provide a quality environment to ensure a high level of uptime. Choosing a data center with multiple ISPs allows for automatic failover between providers should one provider be unavailable for any reason. N+1 power with UPS, battery and generator power systems can help protect your servers against outages and power spikes to avoid service disruptions.

Security

SSAE 16 & SOC Audited Colocation

Ask your colocation hosting provider if they’re SAS 70, Type II and SSAE 16 audited, and if they have a SOC 2 or SOC 3 report. This is a good indicator that your provider has the standardized processes and procedures to protect your data. If you need a PCI compliant environment (for customer credit cardholder data) or HIPAA compliant hosting (for patient health information), then you also need to ask your provider if they have the appropriate technology and procedures in place to meet compliance standards.

Ask if your provider has been audited to meet compliance by an auditor to protect against a potential data breach, requiring the use of firewalls, IDS (Intrusion Detection System), IPS (Intrusion Protection System), physical and logical security, etc.

Easily Scalable

Choose a provider that makes it easy for you to add more servers and services, like bandwidth. If your company suddenly needs room to grow, make sure your colocation hosting provider has the sufficient space, resources and business longevity to support your company’s future needs.

Server Transparency

For easy access and visibility into the status of your servers, your colocation hosting provider should have some type of remote server monitoring system to allow you to login and check your Internet bandwidth, order forms, support tickets, CPU usage, and other information to help keep your servers running optimally. This type of monitoring system allows you to have more control over your servers even if you can’t be at the data centers as well as access to your hosting provider’s tech team for their support.

Read more about the Benefits of Michigan Colocation, or our E-Tip on Michigan Colocation: Making Long Distance Colocation Easy.

Source:
Facebook Builds Data Center Near Arctic Circle

Time Warner Outage Tweet

Online Tech experienced an issue with our own Internet service from one of our many providers between 9-9:30 AM EST, and the outage affected only a small portion of the traffic coming to and from the data centers. Our operations team also received reports of a blip in a few of our clients’ service, but never received any alerts from both Online Tech’s internal and external monitoring systems. Additionally, it could not be traced back to our equipment.

Then we found out the outage affected nearly everyone. The outage affected multiple service providers and appeared to have occurred sometime after 6 AM PT, and is said to be resolved according to Time Warner Cable’s tweet.

Even the U.K. appears to have been hit with the “global outage,” according to Silicon.com – their own publishing site was affected, in addition to bit.ly, CBS interactive, and RIM’s Blackberry service. An article by BusinessInsider.com reports the outage lasted approximately 30 seconds, although some on Twitter claim nearly 20 minutes of downtime, as reported by TheBlaze.com.

According to TheRegister.CO.UK, some of the outages were a result of a problem with firmware in Juniper Network routers that corrupted BGP, or border gateway protocol, tables. Level 3 Communications, Time Warner’s transit provider, is reported to have housed the routers. According to Silicon.com, the outage has also affected other networks running Juniper routers with the majority of them seeing their devices core dump and reload. Level 3 has issued a statement:

“Shortly after 9 a.m. ET today, our network experienced temporary service interruptions across North America and Europe apparently due to a router software issue,” Level 3 said in a statement. “It has been reported that a similar issue may have affected other carriers as well. Our technicians worked quickly to address the issue and service is now fully restored.”

Juniper Networks has also acknowledged the routers had to be restarted when they crashed while performing a BGP update. They are offering a software fix and are currently working with their customers for deployment.

Time Warner Cable’s twitter is addressing individual issues, asking users to direct message them with their account information for assistance.

Last chance to sign up for the last webinar of our three-part HIPAA webinar series, starting at 2PM ET tomorrow!

Online Tech is hosting a series of free educational webinars titled “A to Z to Achieving HIPAA Compliance” running October 25 – November 8, 2011. This webinar series is helpful for healthcare organizations that interact with patient information or vendors of covered entities that need guidance on becoming HIPAA compliant.

Tatiana Melnik

Tuesday, 11/08/11 @ 2pm ET: Sharing PHI Data? Legal Implications of BAAs & Avoiding HIPAA Pitfalls

For the third webinar of the series, special guest speaker Tatiana Melnik will cover legal implications of BAAs (Business Associate Agreement) when patient information is shared, processed, or stored between companies. “Sharing PHI Data? Legal Implications of BAAs & Avoiding HIPAA Pitfalls” will start at 2 p.m. ET on Tuesday, November 8, 2011.

As an attorney with the Dickinson Wright law firm, Melnik’s practice focuses on information technology, healthcare information technology, and intellectual property and privacy issues. In addition to being a member of the Michigan Bar Information Technology Law Council and Automation Alley Information Technology Committee, Melnik holds a JD from the University of Michigan Law School and a BS in Information Systems and BBA in International Business from the University of North Florida. Melnik presents at the upcoming Midwest HIMSS conference in November and at the Annual HIMSS conference in February.

Register today – we encourage you to submit your questions about HIPAA compliance in advance for consideration during the webinar by emailing contactus@onlinetech.com.

If you’re looking for more HIPAA resources, try this list of HIPAA policies, procedures and training materials, or read our HIPAA FAQ.

Research firm Forrester conducted interviews of IT professionals to analyze the economics of data centers and the classic build vs. buy conundrum that arises when it comes time to provision for additional capacity, IT infrastructure and operations.

Online Tech's New Ann Arbor Michigan Data Center

Leasing a Data Center (Colocation)
What kind of advantages are associated with colocation that you don’t get with building a data center? Forrester reports that there are very few upfront costs, and most of the expenditure is operational, not capital.

• More predictable expenditure model with costs that increase consistently over the life of the data center
• Flexible – additional capacity can be scaled up as needed, no wasted extra capacity or build outs needed
• More accessible to space and power through a provider’s purchasing power
• Experienced and certified professionals lend their expertise of running a data center with high efficiency and high availability.

Building a Data Center
What kind of advantages are associated with building your own data center that you can’t get when you choose colocation? Mainly control:

• Complete control over an operating environment, including access, temperature, etc.
• Low risk of losing your lease
• Ability to leverage and share existing space

What kind of upfront costs are associated with building your own data center?
The detailed and practical costs of building your own data center include a fair amount of capital and upfront costs. But there are other often overlooked costs that add up quickly:

• Upfront planning, design and commissioning – ranging from 20-25 percent of total upfront construction cost.
• Base building shell and property – only applicable if you’re not starting with an existing building. According to the Forrester report, the estimated cost of building the data center shell plus physical security $200 per square foot.
• Fire suppression and detection – ranging from $20-60,000 to purchase agents, equipment and to install systems – including early smoke detection systems, FM-200, inert gas blends, etc.
• Building permits and local taxes – while these costs vary from region to region, a moderate national estimate is $70 per square foot in building permits and taxes.
• Data center infrastructure – includes purchasing and installing mechanical equipment and electrical equipment, ranging from $7-20,000 per kW of IT load.
• Network connection cost – you’ll have to pay for fiber on-site, which could run you $10,000 per mile, varying by many other factors.
• Power – this expense accounts for 70-80 percent of the total costs of running a data center, and is also highly variable by region.
• Data center staffing – around-the-clock monitoring, on-site maintenance and equipment optimization requires a dedicated and responsive operations staff, and accounts as the second largest expense after power.
• Annual facility and infrastructure maintenance – a more unpredictable cost of a data center ranging from 3-5 percent of the initial construction cost. Repairs and additions are expected around the third year of operation.

Find out more about Online Tech’s newest Michigan data center, offering Michigan colocation and other IT services.

Source:
Build or Buy? The Economics of Data Center Facilities

An increasing number of recent HIPAA violations are caused or involve a business associate – the Stanford Hospital breach was due to improper disclosure of PHI, and the TRICARE/SAIC incident was due to the theft of unencrypted backup tapes out of the trunk of an employee’s car.

Business Associates and HIPAA Violations

While most of the incidents were isolated – meaning different business associates are involved with each individual company, a few repeats were evident. Med Assets made up for 9.5 percent of the breaches reported with a business associate involved, meaning they affected 6 different companies listed.

Two separate incidents affected multiple covered entities – one set affected 4 different healthcare organizations and the other affected 3 different covered entities.

This data makes apparent the level of preparedness that business associates have when it comes to HIPAA security policies, procedures and training. When employees are improperly trained, they leave the business vulnerable to data theft, loss, hacking and/or simple security negligence within the IT environment, putting covered entities at great risk for a HIPAA violation and accompanying fines.

And when one IT vendor is responsible for PHI from many different hospitals, just one incident can have a significant damaging effect on an exponential amount of patients.

If you are outsourcing your data hosting, put research into finding a HIPAA hosting provider who is audited by a CHP (Certified HIPAA Practitioner) and CHSS (Certified HIPAA Security Specialist). Note, this doesn’t make your company HIPAA compliant, or any less responsible for implementing your own policies and procedures, but it does mean you have taken an active role in researching your vendors to prevent a data breach.

If you need more guidance on HIPAA policies, procedures and training materials, visit our HIPAA resources section today.

IMN Conference 2011

The 2011 IMN conference “Fall Forum on Financing, Investing & Real Estate Development for Data Centers” will be held at the Hyatt Regency Century Plaza next Wednesday and Thursday.

I was selected to moderate and speak at a five-person panel discussion on “Understanding the Data Center Market in Secondary Cities & Beyond,” a discussion on the differences between Tier 1 data center markets such as New York, Chicago and L.A. and secondary markets found in Michigan, Iowa and Nebraska.

IMN: Information Management Network

Each of the panel members, including CEOs and a Business Development Manager, will speak to their experiences with their home markets and the market dynamics they’ve witnessed. The panel will provide a discussion of the differences of the growing secondary and tertiary markets and the market dynamics of Tier 1 cities, as seen through the eyes of data center operators in the secondary markets.

The panel also intends to touch on advantages and disadvantages, data center requirements, buyer profiles and community impact in a secondary market.

The second annual IMN data center conference brings together senior executives from some of the most prominent data center owners, tenants, investors, capital and service providers, each with different perspectives on the evolving data center market.

Other topics at the conference include:

• Tiering & Redundancy: How Important are they in the Data Center Environment of Today?
• Demand Capacity Forecasting on a Facility/Entity Level
• Data Center Bankruptcy & the Impact on the Tenant
• Measuring how Much Tax, Power & Other Incentives are Really Worth?
• Power Rates, Build Times, Volatility, Contracts & Pricing
• Data Center CAPX & TCO
• Carrier Neutrality Vs. Bundled Services
• Modular Data Centers

See the IMN conference agenda schedule here for more detailed information.

SunGard built facilities in cities around the country such as Chicago and Philadelphia where users could converge when a disaster struck their primary data center. By loading their applications onto the DR servers and mainframes, users could attempt to recover their operations from “cold” servers.

These cold servers were bare metal servers – no operating system, no applications, no patches and no data. Once the tape backups and the IT recovery team finally arrive at the recovery site, the system recovery begins the time-consuming process of loading the system from the tapes. And as if that isn’t hard enough, tape backup is notoriously unreliable. Tapes have high failure rates when it comes to trying to read a tape from a different tape reader than it was written from.  It’s not unusual for tape readers to need recalibration just to recover the data on the tapes for DR purposes.

The typical cold site would allow for a 48 hour pre-scheduled annual disaster recovery test. Unfortunately, most of the users I’ve spoken with were unable to recover their entire system during the test window due to the time-consuming task of system recovery.  This leaves the remaining untested part of the DR plan tied to the “hope and pray” strategy – not a particularly comforting position to be in for a mission critical IT infrastructure.

Cold site DR is dead.

With the increasing demands for 7×24 IT availability, recovery time requirements have dramatically shrunk over the last decade. While 10 years ago, a 3-5 day disaster recovery time was acceptable, most businesses are now demanding 1-4 hour recovery times given their heavy dependency on their digital infrastructure and electronic assets. This requires an entirely new disaster recovery strategy.

Fortunately, fundamental shifts have taken place over the last decade that makes it far easier and more cost-effective to achieve significantly faster disaster recovery times. Faster, more cost-effective Internet connectivity, point-to-point networks, more cost-effective SAN storage and the advent of cloud computing have changed the rules for disaster recovery.

One of the most significant advantages to cloud computing is what the cloud delivers in terms of disaster recovery. Cloud Computing delivers faster recovery times and multi-site availability at a fraction of the cost of conventional cold site disaster recovery.

Cloud computing virtualization delivers a very different approach to disaster recovery. The entire cloud server, including the operating system, applications, patches and data is encapsulated into a single software bundle or virtual server. This entire virtual server can be replicated to an offsite data center and spun up in a disaster recovery cloud in a matter of minutes.

Since cloud servers are hardware independent, the operating system, applications, patches and data are safely and accurately replicated between data centers, removing the burden of reloading each component of the server. This dramatically reduces cloud server recovery times compared to conventional disaster recovery in which physical servers need to be loaded with the OS and application software, then patched to the last configuration used in production – all before the data can be restored.

Cloud-based disaster recovery delivers warm site recovery times more cost-effectively and without the drawbacks of conventional cold site DR approaches. It also enables much faster recovery point objectives (RPOs) – eliminating the risk of data loss when failing over the DR servers.

With cloud-based DR, the server replication is dramatically accelerated and network replication becomes the critical path to recovery, including IP address mapping, firewall rules & VLAN configuration. Solutions like Online Tech’s DR Now! cloud-based disaster recovery not only replicates the servers between data centers, but also replicates the entire network configuration in a way that recovers the network as quickly as the backed up cloud servers.

Cloud-based DR delivers a set of benefits that make it difficult to look back at cold site DR with any sense of nostalgia. Long live cloud-based disaster recovery!

According to the report, U.S. government requests for Google user and account data rose 29 percent when comparing the first six months of 2011 to the previous six months. A total of 5,950 user data requests from January to June 2011 affected 11,057 individual users and accounts. In addition, requests to remove content from Google products increased 70 percent – and in response, Google complied with 63 percent of those requests.

Data Disclosure in the Public Cloud

This raises the question of who has the ability to access, or grant access to your data hosted in a public cloud environment. Can the government simply call up Google or Amazon, submit a request for information and receive your data, whether confidential or not?

The Wikileaks incident back in December 2010 is a good example of government influence on hosting providers. The prolific theft and dissemination of classified cables detailing confidential government activities brought attention not only to the data, but the data host – Amazon EC2 servers. The official Amazon statement claims they kicked Wikileaks off of their servers due to a violation of terms of service, citing the fact that Wikileaks did not own or control rights to their information hosted on the cloud. Yet the question remains, would Amazon have shut them down if there wasn’t strong government opposition?

Trusting your critical business data and applications to the public cloud requires a public cloud provider to uphold certain service terms when it comes to granting access to your data. In a shared environment, do you really know where your data lives and who controls it? And is it worth taking the risk in order to take advantage of a utility pricing model?

Sources:
Google Reports Surge in Government Requests for User Data
Google Transparency Report: Government Requests
Google Transparency Report: Content Removal Requests
Why Did Amazon Web Services Shut Down WikiLeaks?

HIPAA 5010

Why is this deadline so important? Transactions not using HIPAA 5010 will be rejected, resulting in rejected claims and cash flow interruptions.

HIPAA 5010 history: The regulation was created in 2009 – level I compliance was effective by December 2010, and level II compliance was effective by December 2011.

• Level I compliance: “that a covered entity can demonstrably create and receive compliant transactions, resulting from the compliance of all design/build activities and internal testing.”
• Level II compliance: “that a covered entity has completed end-to-end testing with each of its trading partners, and is able to operate in production mode with the new versions of the standards.”

While the HHS allows the use of both the existing standards (2010A1 and 5.1) and the new standards, (5010 and D.0) for the time being, that fact will change come next year. The final deadline for all covered entities to fully comply with the latest HIPAA standard 5010 is January 1, 2012.

Who is required to upgrade? Physicians, hospitals, payers, clearinghouses, pharmacies and dentists are included. Software vendors also need to upgrade their products to support HIPAA 5010.

The new HIPAA 5010 version strives to clarify usage to remove ambiguity, create consistency across transactions, support NPI regulation and remove data content no longer used.

To make it easier for organizations and individuals to conduct a gap analysis, the CMS (Centers for Medicare and Medicaid Services) has documents available for download comparing old HIPAA standards to new HIPAA standards, side-by-side, including professional claims, institutional claims, remittance, claim status, eligibility and more. These can be found in the Electronic Billing & EDI Transactions > 5010 D.0 HIPAA Standards.

Who’s actually prepared for the 5010 switch? While the newest version of HIPAA has been around for a while, not everyone appears to be ready for the full switch. The Medical Group Management Associate (MGMA) announced a request for a HIPAA 5010 contingency plan from the Department of Health and Human Services (HHS), calling on the department to not penalize health plans that only meet the most critical data content requirements, and not the full list of requirements.

This request comes on the coattails of a MGMA study, as reported by HealthcareITNews.com, that reveals only 4.5 percent of respondents rate their 5010 implementation as fully complete, while 50 percent rate it as between 26 and 99 percent complete, and 40 percent rate it as less than 25 percent complete.

What steps should you take toward HIPAA 5010 implementation? The American Medical Association (AMA) provides a preparatory fact sheet on planning and tactically implementing HIPAA 5010 in time for the January 1, 2012 deadline:

1. Impact Analysis – Conduct an internal impact analysis to determine how much of a change the switch to 5010 will have on your current business practices and systems.
2. Contact your Vendors, Payers, Billing Service and Clearinghouse – Contact vendors for specific details regarding system upgrades, and ask them about when they expect their upgrades to be completed, and when they’ll be able to accept 5010 transactions.
3. Installation of Vendor Upgrades – Schedule the system upgrades according to your vendor’s readiness, and ensure the installation of upgrades is complete.
4. Internal Testing and Staff Training – Once upgrades are completed, conduct internal testing of your systems to ensure you can generate and handle the 5010 transactions. Leave a margin of time for issue resolution and staff training on the new system.
5. External Testing with Clearinghouse, Billing Service and Payers – Contact your vendors to conduct external testing with them to ensure you can send and receive transactions properly.
6. Make the Switch to 5010 – After completing external testing, you may switch to using only 5010 transactions.

For more HIPAA guidance, check out Tips for Passing a HIPAA Audit or sign up for our ongoing, free webinar series, A to Z to Achieving HIPAA Compliance. Or if you have other questions, check out our HIPAA FAQ.

Sources:
CMS 5010 D.0 Electronic Billing & EDI Transaction
HIPAA 5010 Implementation
HIPAA 5010 Contingency Plan Needed, Says MGMA
Preparing for the Next Version of HIPAA Standards: January 1, 2012 Compliance Date (pdf)

HIPAA Compliant Webinar Series

Don’t miss our second HIPAA webinar of a three-part series starting at 2PM ET tomorrow – there’s still time to register!

Online Tech is hosting a series of free educational webinars titled “A to Z to Achieving HIPAA Compliance” running October 25 – November 8, 2011.

This webinar series is helpful for operations employees of business associate organizations that would like more guidance on becoming HIPAA compliant.

Jason Yaeger

Tuesday, 11/01/11 @ 2PM ET: Impact of HIPAA Compliance on Business Associates – Changes to Company Policies and Day-to-Day Operations

The second webinar of the series, “Impact of HIPAA Compliance on Business Associates – Changes to Company Policies and Day-to-Day Operations” features Online Tech’s Risk Management Officer and Security Officer, Jason Yaeger and his experience guiding a company through a HIPAA audit. Yaeger will discuss the impact of HIPAA compliance on his role, company policies, and day-to-day operations for employees of a HIPAA compliant data center tomorrow at 2PM ET.

Register today – we encourage you to submit your questions about HIPAA compliance in advance for consideration during the webinar by emailing contactus@onlinetech.com. If you need more HIPAA resources, browse our HIPAA FAQ or get more information about HIPAA hosting.

Apparently, we’re not the only company seeing the benefits for cloud-based DR. There have been several recent announcements of cloud-based DR – where you can ship a copy of your virtual server image offsite to be run in a cloud server should you declare a disaster.

Nice approach if you’re trying to replicate a single stand-alone server.  But what’s missing from these server replication models for DR?

For most enterprise or more complex server configurations, the network configuration, firewall rules, VLANs and VPNs are a critical part of the infrastructure that needs to be recovered in a disaster.

Recovering a replicated cloud server is great leap forward. It removes a ton of work from reinstalling the operating system, applications, patches and data on a new server, and gets the server up and running quickly by turning on the replicated cloud server.

But without replicating the entire network and security configuration, the solution falls short. Before the recovery site can go live, the network configuration needs to be fully replicated at the DR site. This means that copies of the VLAN configuration, firewall rules, and VPN configurations all need to be available and put in place before the DR site can go live.

Rapid recovery time objectives (RTOs) can only be achieved if the entire server and network infrastructure are replicated at the DR site and stay in lockstep with the production site as configuration changes are made.

At Online Tech, we’ve spent a lot of time developing a solution we call DR Now!  DR Now! replicates the entire hosted cloud, including servers, software, network and security to a separate offsite disaster recovery cloud without any programming or special configuration. We can do this because we manage the production cloud servers and DR cloud servers at both sites.

So when you’re considering the benefits of cloud computing for disaster recovery, keep in mind that DR is not just about replicating the cloud server between data center sites. It requires careful consideration on how the entire compute infrastructure is replicated between data centers – including the entire network and security configuration.

For more resources on this topic, read our E-Tip, Benefits of Disaster Recovery in Cloud Computing.

Protecting confidential patient health information and preventing a HIPAA violation should be the top IT goal of all healthcare organizations, individual providers and software vendors. But hosting your critical data and applications with a provider requires trust and confidence in their ability to meet HIPAA compliance requirements.

What questions should you, as covered entity, ask your HIPAA hosting provider?

1. Have you been independently audited by a Certified HIPAA Practitioner (CHP) and Certified HIPAA Security Specialist (CHSS)? To verify your data center operator and hosting solutions are truly HIPAA compliant, they need to be 100% compliant across all 54 HIPAA citations and 136 audited components. Although covered entities need to assess their own policies and procedures to become HIPAA compliant, partnering with a HIPAA compliant IT vendor will greatly improve your chances of passing a HIPAA audit.
2. What particular IT services meet HIPAA compliant security standards for protecting PHI? Your HIPAA hosting provider should be able to answer this question with specific answers that detail recommended IT services – a private firewall, either virtual or dedicated, with VPN for remote access; data encryption following NIST standards; separate database and web servers for production, etc.
3. Do you have documented policies and procedures? Make sure you know your hosting provider’s policies when it comes to a data breach – they are required by law as a BA (Business Associate) to notify covered entities in a timely manner, and covered entities are required to notify affected individuals within 10 days. Not following these deadlines and procedures can result in costly lawsuits.
4. Are your employees trained? The recent military healthcare contractor HIPAA violation was attributed to an employee transporting PHI off of government property and leaving backup tapes unattended in the trunk of a car. The recent lawsuit states that their employees were either not properly trained or completely untrained in HIPAA compliant security procedures. HIPAA requires all employees to be trained in the proper security practices, including policies, physical security, logical security, risk response and reporting, passwords/workstation use, data protection and more.
5. Do you have a thorough BAA (Business Associates Agreement) with documented and communicated policies? Under HIPAA’s standards for penalties, the lack of a BAA implies negligence, which may fall under Willful Neglect – fines ranging from $10,000 to $50,000 for each incident and potential criminal charges. A BAA can also be valuable to define how the data is handled after service termination; a sample BAA from HHS.gov includes a provision requiring the BA to return or destroy all PHI received from the covered entity, emphasizing that the BA shouldn’t keep any copies of the PHI. If you don’t sign a well-thought out BAA with your hosting provider, they can potentially keep your data on file long after you leave them.

Sources:

Business Associate Contracts

HIMSS Fall Technology Midwest Conference

Online Tech will be attending the Midwest HIMSS Fall Technology Conference in Indianapolis, Indiana on November 13-15, 2011, hosted by the Midwest Area HIMSS (Healthcare Information and Management Systems Society).

The conference theme is Building a Winning Team – Strategies for Healthcare IT Success with several keynote speakers and breakout sessions focusing on the topics of clinical, technology and business healthcare.

Todd Park, CTO of the U.S. Department of Health and Human Services, will be speaking on Improving Healthcare through Technology Innovation.

Park co-founded a health IT company, Athenahealth in 1997. Prior to Athenahealth, he served as a management consultant with Booz Allen & Hamilton, focusing on healthcare strategy, technology and operations. Park also volunteered at the Center for American Progress focusing on health IT and health reform policy.

Other keynote speakers include:

• C. Martin Harris, M.D., M.B.A., FHIMSS; CIO of the IT Division of the Cleveland Clinic and Chair of HIMSS Board of Directors will speak on Beyond Meaningful use – Transforming our Healthcare System.
• Chuck Christian, FCHIME, FHIMSS; CIO of the Good Samaritan Hospital in Vincennes, Indiana, and 2011 HIMSS CIO of the Year will speak on Building a Winning Team for HIT Success.
• Nina M. Antoniotti, R.N., M.B.A., Ph.D.; Program Director of Marshfield Clinic’s Telehealth Network and past President of the American Telemedicine Association will speak on HIT and Accountable Care – the Role for Telehealth.

In addition to keynote speaker presentations, the conference will feature a large exhibition area for healthcare IT professionals and vendors, and serves as a great networking opportunity to share new technology and information on technology regulations, such as HIPAA compliance standards. Since Online Tech serves a number of healthcare and healthcare software organizations with HIPAA compliant hosting solutions (see our HIPAA compliant case studies), we’ll have our own booth at the exhibition (stop by if you’re around!).

HIMSS (Healthcare Information and Management Systems Society)

Founded 50 years ago, HIMSS is a not-for-profit organization focused on providing global leadership for the optimal use of IT and management systems to improve healthcare. With 50 chapters across the U.S., Canada and India and more than 38,000 individual members, HIMSS strives to be a local forum for healthcare system professionals.

Members consist of hospital and clinical organizations, IT system vendors, physicians, nurse and medical informatics professionals and more. Online Tech is a member of the Midwest HIMSS, which includes Michigan, Indiana, Illinois and Ohio chapters.

Online Tech recently passed a HIPAA audit by a Certified HIPAA Practitioner (CHP) and Certified HIPAA Security Specialist (CHSS) and was found to be 100% compliant across all 54 HIPAA citations and 136 audited components. That means we can verify we provide HIPAA hosting in our HIPAA compliant data centers with our private clouds, colocation, managed dedicated servers and IT disaster recovery solutions, for a variety of healthcare organizations and healthcare software companies.

Sources:
Fall Technology Conference 2011
HIMSS

Cloud Security

Data security and intellectual property rights in cloud computing are issues that should be addressed prior to signing with a cloud computing provider – outlining the agreements in a contract will help protect your company and your (or your clients’) data. The terms outlined in the JISC Legal’s Cloud Computing and the Law guide bring up a few critical points that may be overlooked by companies seeking a cloud contract:

Contract Termination – Do you know what happens to your data when you decide to leave your cloud provider for whatever reason? While a normal contract outlines the duration, renewal and steps by either party (client and provider) in order to terminate the service, it’s important to know where your data goes after you leave your cloud provider, especially if you are storing sensitive information such as health records.

Can you reliably account for their actions after you cancel services with your cloud provider, knowing that they have a copy of your (or your clients’) data?

This brings us to:

Possession of Data on Termination – The right to have your data returned after contract termination is one key, if not obvious, term that should be detailed in your cloud computing service contract.

Another critical term is the length of time that a cloud provider will keep the data available for retrieval. This can become an issue if a client isn’t aware of the time period and subsequently can’t access their data after termination. It can also be an issue if sensitive data is mishandled after your service agreement is no longer effective and security isn’t upheld.

Leaking or misuse of protected health information (PHI) can mean major federal penalties under HIPAA compliant security standards as enforced by HITECH, and one reason to seek a HIPAA hosting cloud solution provided by an audited data center operator. A HIPAA-trained IT staff will never access your protected health information.

The best way to ensure your data is protected is to know who controls it, which includes:

Who Has Access to Your Data – As your data hosting provider and in accordance with national data compliance regulations; they should not have any reason to be accessing your confidential information hosted on their servers. If your cloud provider is outsourcing any services to a third party, you should also be aware of their access controls and ability to touch your data.

Deletion of Data – Another important term of your contract is if and how data will be deleted from the cloud provider’s environment. Do you know if your data is still deemed your property, or does your cloud provider claim the rights after you use their hosting environment? Be sure to outline a permanent deletion procedure with your cloud provider when drafting your contract.

When it comes to data control and security, you need to do your part in being vigilant about your cloud hosting contract terms to protect the access and right to your data.

Read the Top 5 Tips for Cloud Computing Security for more on cloud computing security.

Sources:
New Toolkit: Cloud Computing and the Law from JISC Legal

HIPAA Compliant Webinar Series

Don’t miss our first HIPAA webinar of a three-part series starting at 2PM ET tomorrow!

Online Tech is hosting a series of free educational webinars titled “A to Z to Achieving HIPAA Compliance” running October 25 – November 8, 2011. This webinar series is helpful for healthcare organizations that interact with patient information or vendors of covered entities that need guidance on becoming HIPAA compliant.

Tuesday, 10/25/11 @ 2pm ET: Cost-Effective Protection Against HIPAA Enforcement

In the first webinar of the series, special guest speaker Joe Dylewski will discuss HIPAA enforcement and penalties in the event of a HIPAA violation and how to avoid a HIPAA breach using the most cost-effective methods.

Dylewski, a Certified HIPAA Security Specialist (CHSS) and Certified HIPAA Professional (CHP), has twenty-three years of IT professional experience with eight years spent exclusively in the healthcare industry. Serving as a former Healthcare IT Services Practice Director, Dylewski is now the current President of the ATMP (Applied Technology Methods and Practices) Group, offering HIPAA risk assessments and HIPAA compliance remediation solutions.

Register today – we encourage you to submit your questions about HIPAA compliance in advance for consideration during the webinar by emailing contactus@onlinetech.com.

If you’re looking for more HIPAA resources, try this list of HIPAA policies, procedures and training materials, or read our HIPAA Glossary of Terms.

The Cybercitizen Health U.S. 2011 study by Manhattan Research surveyed nearly 9,000 U.S. consumers in Q3 2011 about their digital health habits and found an additional 41 million users are interested in accessing EHR systems.

However, 141 million have reported not accessing their medical records via EHR systems, consisting of mainly an older, less educated and less technologically-inclined demographic. This group is less likely to use the Internet or have smartphones or tablets.

Mobile Phone EHR/EMR Use Increases

Yet over a quarter of U.S. adults used mobile phones for health information or tools last year, doubling from 12 percent in 2010. Eight percent of consumers have used prescription drug refill or reminder services on their cell phones, compared to only 3 percent in 2010. The growing use of technology to access health records shows a strong need to meet HIPAA compliance, the standardized security and privacy regulations designed to protect health data.

• (Need more guidance on how to become HIPAA compliant? Sign up for our free HIPAA webinar series, from Oct. 25-Nov 8).

Medical Graduates Show Favorable EHR/EMR Use

The rapidly growing trend of a younger population using technology more aptly and for health-related tasks is not only consumer-based – new healthcare industry graduates are using EHR/EMRs during medical residence training and are highly motivated to continue to do so.

A 2010 National Physician Survey from Canada reported 79 percent of medical residents had used or been exposed to electronic medical records to collect or access patient clinical notes during training.

In addition, 82 percent of family medicine residents and 75 percent of residents in other specialties expect to use EMRs for clinical notes instead of paper when they enter into practice. As the CanadianEMR.ca blog predicts, there may be a high likelihood that current practices won’t be able to attract new graduates for employment unless they have an EMR in place.

EMR Experience and Expectations

Current Meaningful Use Attestation Lagging      

By contrast, current healthcare organizations and individual providers have been slower when it comes to meeting meaningful use attestation standards. Although a total of 114644 are registered in an EHR system, only 8303 actually meet meaningful use standards and qualify for federal incentives.

A recent report from Frost & Sullivan, U.S. Hospital EHR Market, 2009-2016, shows that total EHR market revenues are expected to peak at $6.5 billion in 2012 due to new licensing and upgrades to hospital systems. This is a significant increase since 2009, when the EHR market earned revenues were at $973.2 million.

But with the trend of both healthcare consumers and young health industry graduates showing strong use and inclination toward EHR/EMRs, it’s predicted the rest of the established practices will need to play catch up in order to stay in the game.

Sources:

56 Million U.S. Consumers Access Medical Information From Electronic Health Records
New Graduates Highly Motivated to Use EMRs
Accepting the Inevitable, U.S. Hospitals Significantly Ramp up Use of Electronic Health Records, Finds Frost & Sullivan

They’re not only worrying about keeping client data secure and network infrastructure up among its employees, but also trying to maintain business applications internally. Allocating some of those responsibilities from your IT staff could really benefit you and your IT staff in the long run.

Michigan: Ideal Location for Colocation and Data Centers

Here are three reasons on how Michigan Colocation can benefit your business:

1. Location – Michigan is considered one of the best states in the country for Colocation Services. Why is it one of the best? Here are some facts:

• Cool Climate – Michigan is primarily cool for most of the year, with only 4 months out of the year being over 60 degrees. This results in free cooling for most of the year and more cost-effective data centers.
• Low Risk of Tornadoes, Hurricanes, & Earthquakes – Michigan has never experienced a hurricane, is highly unlikely to experience downtime from any seismic activity due to its location, and faces a significantly lower amount of tornadoes than most of the United States.
• Few Natural Disasters – From 1980 to 2009, Michigan had one of the fewest number of natural disasters that resulted in over $1 billion in damage.

2. Readily Available Support – Outsourcing to a Michigan Colocation provider gives you the option of having a support team in charge of your managed dedicated servers, saving your IT team time and most importantly, money. By paying an outside provider for their services, you’re not paying for power, space for your servers, air conditioning and extra IT staff in your company. Now you can you put that extra time and money into other areas of your business.

3. Security & Peace of Mind – When you choose a Michigan Colocation provider, you are providing your data to a company whose main goal is to secure your data and keep your company up and running. They live and breathe security and they take it very seriously when it comes to your data. Depending on what your company does, you may also have to follow strict policies, procedures and compliance regulations (HIPAA, PCI, SOX) with the data you have stored, and those can be steep hurdles to climb to achieve those standards. Not having those standards can result in major fines to your company.

Having a peace of mind that your data is secure and that your applications or website have 100% uptime is a good feeling for any business executive. Achieving that on your own is another story. It is definitely possible, but you’ll be putting a lot of time and resources into getting it done. Why not save that time and invest in a Michigan Colocation provider that can tailor to your business needs and can guarantee that your data is secure and always up and running? It becomes a Win-Win situation for both parties.

Want more information on Michigan Colocation? Check out our E-Tips where you can check out our Managed Colocation Guide, and find out What To Expect From Your Managed Colocation Provider.

The rules and regulations in the Code of Federal Regulations (CFR) that pertain to HIPAA dictate that Online Tech, as a business that deals with clients’ PHI, must:

1. Protect the availability, integrity and confidentiality of PHI
2. Have Business Associate Agreements (BAAs) with clients who have PHI
3. Report any violations of PHI misuse to the OCR (the Office of Civil Rights that audits, fines and charges companies and individuals for HIPAA violations).

We deploy all of the following technology internally that helped us pass our own HIPAA audit, and allows us to offer HIPAA compliant hosting solutions in our HIPAA compliant data centers (we also happen to offer and recommend these services to our clients that need to be HIPAA compliant):

• Private Firewall services (either a Virtual or Dedicated Firewall) with VPN for remote access
• Managed Cloud Server (good to ensure high availability and access to data and applications)
• Separate database and web servers for production
• Separate test server (while the same for web and database, it is not the same for production)
• Offsite backup at a minimum, although disaster recovery is better
• SSL certificates and HTTPS for all web-based access to PHI (to ensure secure connections)
• Set up private IP addresses
• Encryption – best practice to do while it is stored in the database and especially in transport. PHI should be encrypted to the NIST standard, Advanced Encryption Standard (AES).

HIPAA compliance is about more than just deploying the right technology; it’s also about your own policies and procedures. What are some best practices for your company to do to meet HIPAA compliance?

• Documentation – write out data management, security, employee training and notification plans.
• Implement a password policy.
• Don’t use public FTP (File Transfer Protocol) to move your files.
• Only use VPN access for remote access.
• Implement login retry protection in your application.
• Document a tested and detailed disaster recovery plan to recover data in the event of a disaster.

If you still have questions about HIPAA compliance, register for our educational webinar series on achieving HIPAA compliance.

We encourage you to submit your questions about HIPAA compliance and the auditing process in advance for consideration during the webinar by emailing contactus@onlinetech.com.

HIPAA Webinar Series: A to Z to Achieving HIPAA Compliance

Online Tech is hosting a three-part series of free educational webinars titled “A to Z to Achieving HIPAA Compliance” running October 25 – November 8, 2011. This webinar series is helpful for healthcare organizations that interact with patient information or vendors of covered entities that need guidance on becoming HIPAA compliant.

Speaker Joe Dylewski

10/25/11 @ 2pm ET: Cost-Effective Protection Against HIPAA Enforcement

In the first webinar of the series, special guest speaker Joe Dylewski will discuss HIPAA enforcement and penalties in the event of a HIPAA violation and how to avoid a HIPAA breach using the most cost-effective methods.

Dylewski, a Certified HIPAA Security Specialist (CHSS) and Certified HIPAA Professional (CHP), has twenty-three years of IT professional experience with eight years spent exclusively in the healthcare industry. Serving as a former Healthcare IT Services Practice Director, Dylewski is now the current President of the ATMP (Applied Technology Methods and Practices) Group, offering HIPAA risk assessments and HIPAA compliance remediation solutions.

Speaker Jason Yaeger

11/01/11 @ 2pm ET: Impact of HIPAA Compliance on Business Associates – Changes to Company Policies and Day-to-Day Operations

The second webinar of the series features Online Tech’s Risk Management Officer and Security Officer, Jason Yaeger and his experience guiding a company through a HIPAA audit. Yaeger will discuss the impact of HIPAA certification on his role, company policies, and day-to-day operations for employees of a HIPAA compliant data center.

Speaker Tatiana Melnik

11/08/11 @ 2pm ET: Sharing PHI Data? Legal Implications of BAAs & Avoiding HIPAA Pitfalls

For the third webinar of the series, special guest speaker Tatiana Melnik will cover legal implications of BAAs (Business Associate Agreement) when patient information is shared, processed, or stored between companies.

As an attorney with the Dickinson Wright law firm, Melnik’s practice focuses on information technology, healthcare information technology, and intellectual property and privacy issues. In addition to being a member of the Michigan Bar Information Technology Law Council and Automation Alley Information Technology Committee, Melnik holds a JD from the University of Michigan Law School and a BS in Information Systems and BBA in International Business from the University of North Florida. Melnik presents at the upcoming Midwest HIMSS conference in November and at the Annual HIMSS conference in February.

Get more information and sign up today.

Three key focuses include:

• Mission critical applications and the need for high availability cloud computing;
• How disaster recovery changes significantly in the cloud computing world; and
• Regulatory compliance including HIPAA compliance and PCI compliance, and how to support these standards in the cloud.

Get more information on cloud computing with Online Tech’s Cloud Computing E-Tips, or find Online Tech In the News.

Read the full video transcript.

The affected individuals that filed the lawsuit include a military spouse, her two children and an Air Force veteran. The suit specifically targets Secretary Leon Panetta for violating the Federal Administrative Procedures Act and the Federal Privacy Act of 1974. While the data breach is a clear HIPAA violation, the Privacy Act of 1974 details the code of fair information practices that controls the storage, use, maintenance and dissemination of information by federal agencies, meaning the Department of Defense is also held liable for more than just a HIPAA fine.

TRICARE HIPAA Breach & Lawsuit

At the time the incident was reported, details had not yet been released as an investigation was underway. Now the data breach appears to be attributed to physical theft – the backup tapes with PHI records dating from 1992 to 2011 were stolen out of the back of a car of a SAIC employee (Science Applications International Corp. – TRICARE’s contractor and business associate that provided offsite backup, storage and data security for the military insurance carrier, and also reported the breach).

Physical theft proves to be one of the most reoccurring causes of HIPAA breaches thus far, according to HHS data on HIPAA violations and as represented in an earlier blog post. Another factor that may have contributed is the type of backup the military contractor chose – tape backup. Considered a more traditional disaster recovery method, tape backup is highly error-prone and time-consuming, and, apparently, at risk for physical theft and subsequent HIPAA breaches.

One alternative is cloud disaster recovery, which can improve accuracy and recovery time objectives (RTO), and can be secured with encryption, logging, vulnerability and penetration testing, etc. to ensure your data is safely backed up. Virtualization also eliminates the possibility of physical data theft, as exemplified by the SAIC loss of backup tapes.

Among the 11 orders in the lawsuit, three include concerns around data security practices, systems and procedures:

• Prohibiting defendants from transporting any confidential records by non-secure means and unless the records are properly encrypted. – Transporting tape backup records in the trunk of a car may fall under ‘non-secure means.’
• Requiring defendants to set up proper systems and procedures to maintain the privacy of protected information. – Refers to implementing HIPAA compliant policies and procedures.
• Prohibiting defendants and SAIC from transferring any records until an independent expert panel finds that adequate information security has been established. – Similar to Online Tech’s recent HIPAA audit by an independent CHP (Certified HIPAA Professional) and CHSS (Certified HIPAA Security Specialist) to prove our fully HIPAA compliant hosting and HIPAA compliant data centers can provide proper data security for organizations that need to protect PHI.

Still concerned about HIPAA compliance and cloud security? Watch the webinar New Solutions for Security and Compliance in the Cloud to learn more. Or read our E-Tip, Benefits of Disaster Recovery in Cloud Computing and watch our webinar, HIPAA Compliance in the Cloud & in the Data Center to make an informed decision on your disaster recovery options.

Sources:
USDOJ: OPCL: Privacy Act of 1974
TRICARE Hit with $4.9 Billion Suit Following Breach

Leveraging Innovation

Online Tech’s CEO Yan Ness has been selected to speak at 7×24 Exchange’s Fall Conference “Leveraging Innovation” in Phoenix, Arizona.

According to 7x24exchange.org, the conference is designed for IT, data center, and disaster recovery professionals, network/telecommunication managers, computer technologists, facility or building managers, supervisors and engineers, vendors, consultants and anyone concerned with uninterrupted access to critical information.

The breakout session is titled “The Cloud and the Availability Spectrum.” Ness will discuss the challenges that companies face when choosing to adopt either the cloud or a disaster recovery plan, as well as share a case study of Online Tech’s own migration to cloud disaster recovery:

The potential of cloud computing to reduce recovery time and achieve better utilization of resources dedicated to disaster recovery has tantalizing appeal for businesses wanting to improve their resilience.

The problem is, expectations are often misaligned with the selected technologies or the path of getting from the current infrastructure to one that is truly capable of both failover and failback in the event of an actual disaster.

Progressing companies are often forced to learn painful lessons by piloting new systems: cloud first or disaster recovery first? Is there a path that can embrace both? How do we find out what we don’t know to ask?

Yan Ness from Online Tech shares the questions, challenges, and solutions generated during Online Tech’s own migration from “offsite backup” to true Active-Active availability with a cloud/disaster recovery infrastructure capable of continuity in a meaningful, realistic manner.

The Cloud and The Availability Spectrum: Disaster Recovery in the Cloud

7×24 is a leadership collective for professionals that design, build, use and maintain mission-critical enterprise information infrastructures. Read our recent press release for more information about Ness’s presentation and the conference.

Or read one of our E-Tips on the Benefits of Disaster Recovery in Cloud Computing and how the cloud changes conventional disaster recovery. Watch a webinar on Disaster Recovery in the Cloud – SAN to SAN Replication for a more technical overview.

Apple Cloud Data Center

Asmyco.com reports the total spend to have hit $1 billion last December, while the down payment for the 500,000 square foot cloud data center is estimated at $750 million.

With over a billion spent on cloud computing costs, including servers, storage equipment, personnel, R&D, bandwidth and more, Apple has been investing aggressively to keep iTunes, Apps, iCloud and its other cloud-based services on par with demand.

However, the NYTimes.com Bits blog reports numerous error messages while using the new iCloud software designed to sync multimedia across numerous devices. The problems are attributed to a major spike in traffic and simultaneous downloading of the new software update, but similar issues occurred during the first few weeks of the MobileMe launch several years ago.

Apple Cloud Data Center Spending

iCloud Icon

Will Apple’s iCloud introduce serious competition to Gmail, Google Docs, or Google Sync? The iCloud is Apple-only, meaning it doesn’t support a wide variety of Windows or other brand devices. Google Sync does allow you to use different devices, including Windows, Android, Blackberry, Noki and Apple devices. This difference could affect a wider audience, save the group of primarily only-Apple users.

Apple’s iCloud is consumer-facing, but what about cloud computing for businesses? Read more about the Benefits of Cloud Computing for Businesses to find out how the cloud is cost-effective, flexible and customizable to adapt to business needs.

Sources:
Customers Run Into Trouble in the iCloud
The Down Payment on iCloud
Apple Already Spent $750 million on the iCloud Building Alone?
Report: Apple Has Spent $750m on iDataCenter
iCloud for Business Travellers

Since the establishment of the meaningful use program on January 1, 2011, the federal government has paid out more than $872 million in incentives to Medicaid/Medicare health organizations and individual providers that have adopted a meaningful use electronic health records (EHR) system.

While a total of 114644 organizations and individual providers are registered in an EHR system, only 8303 meet the meaningful use standards for attestation.

What is meaningful use? The Centers for Medicare & Medicaid Services (CMS) website lists three main components form the American Recovery and Reinvestment Act of 2009:

1. The use of a certified EHR in a meaningful manner, such as e-prescribing.
2. The use of certified EHR technology for electronic exchange of health information to improve quality of healthcare.
3. The use of certified EHR technology to submit clinical quality and other measures.

HIPAA and Health IT Incentives

The EHR incentive program website provides a timeline of useful dates related to upcoming payments and deadlines:

November 30, 2011 – Last day for eligible hospitals and critical access hospitals to register and attest to receive an Incentive Payment for Federal fiscal year (FY) 2011.

December 31, 2011 – Reporting year ends for eligible professionals.

February 29, 2012 – Last day for eligible professionals to register and attest to receive an Incentive Payment for calendar year (CY) 2011.

Find more resources for HIPAA policies, procedures and training materials to help your organization achieve HIPAA compliance.

Sources:

CMS: $872 Million in IT Incentives Paid

New Funds Support Rural Hospitals’ Switch to Electronic Health Records

CMS EHR Meaningful Use Overview

Security - Quality data centers will invest the capital and time to undergo audits to ensure their physical security, logical network security, employee training and company-wide policies and procedures meet national standards. The older standard used originally for financial reporting, SAS 70 (Statement on Auditing Standard), is now replaced by SSAE 16 (Statement on Standards for Attestation Engagements) and SOC 2/SOC 3 reports to indicate data center excellence.

Managed hosting also provides timely software updates to ensure your servers are protected against any newly developed viruses or malware. Offsite backup is another critical service that could save your business in the event of a disaster by keeping your vital applications and data safe and available.

Expert support - An entire team of experienced, certified and responsive staff can provide 24×7 server monitoring and physical data center monitoring to stay aware of any potential issues.

While companies may not be prepared to invest in an in-house IT team, managed dedicated servers come with a high level of professional support, saving you time and money that can be better spent elsewhere. Cutting down on staff hiring and training can seriously help your bottom line and streamline business operations.

Reliable - When IT is not your industry focus, it can be a substantial burden as you try to manage your own servers. Worries about uptime can slow your business growth and become a distraction.

A managed dedicated server host can provide a quality data center infrastructure to ensure your servers are up and running. Since data centers are their business, they should already have uninterruptible power and network connections with no single point of failure. Why not take advantage of their investments?

Scalable - Dealing with outages when your business is outgrowing product or service demands can be a pain. Managed dedicated server hosts often have additional space available to support your expansion needs.

With the support of professional, experienced staff, you can flawlessly deploy new servers with full expert support. Other additional services can make tasks like updating or monitoring your bandwidth, disk space and CPU usage as easy as logging into a portal and sending requests to your host.

Read more about a fully managed dedicated server case study of a mobile marketing company that was experiencing downtime and needed a new managed server provider, and how Online Tech helped them achieve 100% uptime with quality support and service.

The HHS Security Standards Guide outlines nine mandatory components of a risk analysis that healthcare organizations and healthcare-related organizations that store or transmit EPHI (electronic protected health information) must include in their document:

1. Scope of the Analysis – Any potential risks and vulnerabilities to the privacy, availability and integrity of EPHI. This includes all electronic media your organization uses to create, receive, maintain or transmit EPHI – portable media, desktops and networks. Network security between multiple locations is also important to include in the scope of the analysis, and may include aspects of your HIPAA hosting terms with a third-party or Business Associate.
2. Data Collection – Where does the EPHI go? Locate where data is being stored, received, maintained or transmitted. Again, if you’re hosting health information at a HIPAA compliant data center, you’ll need to contact your hosting provider to document where and how your data is stored.
3. Identify and Document Potential Threats and Vulnerabilities – Identify and document any anticipated threats to sensitive data, and any vulnerabilities that may lead to leaking of EPHI. Anticipating potential HIPAA violations can help your organization quickly and effectively reach a resolution.
4. Assess Current Security Measures – What kind of security measures are you taking to protect your data? From a technical perspective, this might include any encryption, two-factor authentication, and other security methods put in place by your HIPAA hosting provider.
5. Determine the Likelihood of Threat Occurrence – Take account of the probability of potential risks to EPHI – in combination with #3 Potential Threats and Vulnerabilities, this assessment allows for estimates on the likelihood of EPHI breaches.
6. Determine the Potential Impact of Threat Occurrence – By using either qualitative or quantitative methods, assess the maximum impact of a data threat to your organization. How many people could be affected? What extent of private data could be exposed – just medical records, or both health information and billing information combined?
7. Determine the Level of Risk – HHS suggests taking the average of the assigned likelihood (#5) and impact levels (#6) to determine the level of risk. Documented risk levels should be accompanied by a list of corrective actions that would be performed to mitigate risk.
8. Finalize Documentation – Write everything up in an organized document – HHS doesn’t specify any format, but they do require the analysis in writing.
9. Periodic Review and Updates to the Risk Assessment – It’s important the risk analysis process is ongoing – one requirement includes conducting a risk analysis on a regular basis. While the Security Rule doesn’t set a required timeline, HHS recommends organizations conduct another risk analysis whenever your company implements or plans to adopt new technology or business operations. This could include switching your data storage methods from managed servers to cloud computing, or any ownership or key staff turnover.

HIPAA Risk Analysis Components

Looking for HIPAA resources from organizations that have HIPAA policies, procedures and training materials in place? View HIPAA resource links on our site, or watch an educational webinar on the legal implications of HIPAA, HITECH, BAAs and the law.

Source:
HIPAA Security Standards: Guidance on Risk Analysis from HHS.gov

2012 Data Center Expansion Plans

Click to View Full Size.

Google

• Dublin, Ireland: An energy-efficient, cloud computing data center on 11 acres of land with a $101 million investment. The natural cooling from Dublin’s climate saves energy by eliminating the need for chillers.
• Asia – Singapore, Hong Kong &Taiwan: A $200 million investment in three data centers to support increased demand of services via smartphones and tablet computers, and expectations to be operational in 1 to 2 years.
• Pryor, Oklahoma – Just opened a new $600 million, 130,000 square feet data center, and plans to open a second building for office space. Another energy-efficient project, the data center will be powered from a wind farm which will feed into the electrical transmission grid.

Microsoft

• Dublin, Ireland: Microsoft expects to expand its 19-acre, $500 million data center in Dublin by more than a third – similar to Google, the data center uses natural cooling without any chillers.
• West Des Moines, Iowa: $200 million facility originally started in 2008 but put on hold after the recession. The data center project started up again in 2010, and appears to be nearing completion.
• Boydton , Virginia: An expansion investment of $150 million and a planned second data center facility. With the first phase of its project requiring $499 million, Microsoft is trying to stay competitive in the cloud computing market.

Facebook

• North Carolina: Scheduled for completion by September 2013, the second data center for this social network giant will measure 300,000 square feet, same as its first data center that hasn’t even opened yet. Facebook purchased 150 acres of land and invested $450 million in their first data center. The data center will be energy-efficient and deploy evaporative cooling instead of a chiller system.

IBM

• Langfang, China: A cloud computing data center for Range Technology Development Co. Ltd. measured at 620,000 square meters and intended to serve business growth industries such as transportation, telecommunications, e-government and healthcare.  IBM’s data center business in China has reportedly tripled in the last four years.

What could be a cause of the rapid data center expansion planned for 2012 and beyond? DataCenterKnowledge.com reports that data center expansion and construction has been boosted by private equity firms and telecom company investments that have acquired established providers. A recent Data Center Market Insights survey shows over half of data center professionals planning to expand or build new data centers.

Online Tech also recently purchased a new Michigan data center located in Ann Arbor. Read our press release for more about our unique geographic advantage for IT disaster recovery and production.

Sources:
Facebook Building Second Massive Data Center in North Carolina
IBM to Build Asia’s Largest Cloud Computing Center
Google to Build Major New Data Center in Dublin
Google to Build Three Data Centers in Asia, Investment to Exceed $200M
Microsoft Steps Up Cloud Expansion Plans
Microsoft to Expand Scope of Iowa Project
Microsoft Lays Out Plans for Dublin Data Center Expansion
Google Brings Oklahoma Data Center Online
2011/2012 Data Center Market Insights

A few cyber security tips from Microsoft in celebration of NCSAM:

• Use automatic updating for all software to keep it up-to-date
• Use antivirus and antispyware software
• Never turn off your firewall (an important tip for organizations that need to be PCI or HIPAA compliant)
• Never email sensitive information (even if encrypted)
• Create strong passwords and diverse passwords for different sites and accounts

Continuing in the IT awareness theme, National Health IT Week was September 12-16, aiming to educate the healthcare industry on the importance of adopting ‘meaningful use’ electronic health record systems to improve patient care. Other health IT initiatives include the EHR (electronic health records) stimulus funding program rewarding organizations that went paperless and recognized HIPAA compliance standards.

Benefits of Health IT and HIPAA standards enforced by HITECH:

• Improves quality of healthcare delivery – faster and more accurate data access
• Increases patient safety
• Decreases medical and human errors

If you need more details about what a secure HIPAA hosting solution includes or what a HIPAA compliant data center can provide for your organization, contact us today.

Gartner’s predictions for the cloud email market growth within the overall enterprise email market is an eventual increase from its current 3 to 4 percent market share to 20 percent by 2016, and 55 percent by 2020. With its recent data center investments around the globe, it would appear Google is gearing up for projected growth. Google plans to invest 75 million Euros, or $101 million in a new data center in Dublin, Ireland on 11 acres of land. Just days before, Google announced expansion in Asia plans to build three new data centers located in Singapore, Hong Kong and Taiwan.

The expected benefits of using cloud email and applications are significant in cost savings – the U.S. Department of Energy’s conversion of its IT department to Google Apps estimates it will save $40 million in technology expenses over a period of five years. InfoWorld details current organizations already using email cloud computing in the government, automotive and hospitality industries, below:

Large Organizations Using Gmail

Google: Reportedly made more than two dozen updates to the platform within the past year, including:

• Security feature: ability to reset a user’s sign-on cookies
• System manageability: ability to manage policy by user groups

But Gartner’s predictions for Google obstacles include:

• Enterprises may reject Google due to needs too complex for the cloud.
• Internal routing, application integration and compliance may be difficult to handle in the cloud.
• Lack of transparency about proprietary code details concerning access control and privileged access
• Lack of transparency about the degree and form of offline backups used in disaster recovery

Microsoft: Plan to upgrade functionality to Exchange in the cloud before adding it to the on-premises version, and they report a great deal of interest from businesses in Office 365, their cloud productivity product.

Microsoft also announced similar plans to expand their data centers in Iowa, Virginia and Dublin, Ireland. But why Dublin for operating cloud data centers? Similar to Michigan, Dublin’s climate is ideal for natural data center cooling, thus cutting costs for power and cooling that normally dominate operation’s budget.

Have concerns about cloud computing security? Read up on the Top 5 Tips for Cloud Computing Security to keep your data safe. Or watch our recent webinar on New Solutions for Security and Compliance in the Cloud to understand how to meet compliance and security in virtualized and cloud infrastructure.

Sources:
Gartner Says Google Gmail is Now a Viable Alternative to Microsoft in the Enterprise Email Market
Gartner: Gmail threatens Microsoft in enterprises
Forecast: Clouds, Social Networks, Email Filters

2011 Data Center Market Insights

A rising trend toward data center outsourcing is gaining momentum as 62 percent of respondents reported they are currently outsourcing, testing, or planning to use a data center service provider. What accounts for the trend in using IT vendors? A few significant advantages include avoiding capital expenses, reallocating resources into operating expenses and helping to ease capacity, or provisioning planning issues.

Annual spending on data center products and services shows over half (57 percent) of respondents investing $1 million or more each year, and 24 percent of respondents invest $1-9.9 million a year. This data is complimentary to the findings of 51 percent of respondents either currently expanding or planning data center expansion in 2012.

The expansion also relates to the ability to keep up with service demands, and aligns with the top concerns and challenges of 44 percent of data center operators – data center scalability. Worries about keeping up with growing applications and audiences may be put to ease with the use of cloud computing services to improve speed-to-market and ease of deployment. The second top concern is data center capacity planning, at 42 percent, which, on average, can take 1-3 years to plan and deploy a data center, not to mention an investment of millions of dollars.

Concerns about scalability and capacity may provide insight to the 15 percent increase in cloud computing usage since 2010. Sixty-two percent surveyed are currently using or testing the cloud, while 28 percent have no future plans to deploy the cloud – down from 41 percent that had no future cloud plans in 2010, showing increasing comfort cloud adoption in 2011.

Online Tech’s CEO, Yan Ness, shares a few insights on the study and data center market changes:

“According to DataCenterKnowledge.com’s recent survey, 51% will be expanding their data center in 2012.

Of those that plan to do so, I’m sure the CFO, when asked for the CapEx, will ask if they should even be doing it themselves at all. Having to expand a data center is an event that can cause a company to question spending CapEx – is it really justified when outsourcing can move it to a predictable, monthly OpEx expense?

The report shows that 62% of data center operators are using or planning to use providers of colocation, managed servers and cloud hosting services. This is a significant increase from previous surveys on the subject. It also reflects how the service provider market is well-positioned to address the top concerns of today’s data center operators.

Decades ago, just about every company had their own power generation and a ‘Chief Power Officer.’ As power became a utility, every company ultimately ‘outsourced’ their power generation to the local utility.

The same trend is predicted for data centers. Companies who are not in the data center business are less inclined to spend CapEx on building out expensive data center infrastructures.”

Read more about a HIPAA compliant data center case study in which Michigan Multispeciality Physicians (MMP), a group of surgical physicians, outgrew their data center capacity – the pressures of electrical, heating, cooling and physical space issues confronted their Director of Information Technology with the decision to upgrade their existing data center, build a new one, or outsource to a managed data center provider. Find out why outsourcing was the best solution for MMP and how it worked for them.

HIPAA, HITECH, BAAs and the Law: Concerns and Best Practices

Legal Implications of HIPAA, HITECH, and BAAs: Pre-recorded Webinar

This webinar discusses the legal implications of HIPAA, HITECH, and BAAs and their impact on IT Infrastructure and those who support it. Moderated by April Sage, Marketing Director of Online Tech, with special guest speaker Tatiana Melnik of Dickinson Wright law firm.

Some of the major takeaway points:

1. Know the requirements, as well as the extent that your company needs to be HIPAA compliant.
2. Have a contract in place that sets certain parameters beforehand, including number of days to report a breach.
3. According to HIPAA, you must have a risk analysis, implement policies and procedures, and you have to train your employees.
4. While there is insurance available for HIPAA-related issues, there is no insurance that will cover you for a willful violation (knowingly breaking HIPAA law or committing criminal acts) against respective government fines or punishment.

Things you should never do:

1. Commit a breach – and it’s important to be prepared and have a plan ready in case a breach does occur.
2. Never write false policies or procedures that your company doesn’t actually follow. This includes plagiarized policy templates that do not reflect your actual workplace practices.
3. Don’t ignore the calls of the Department of Health and Human Services. You can suffer from major fines – one company was given a $3 million fine just for avoiding their calls, while their actual HIPAA violation fine was $1.3 million.

Webinar attendees were also given the opportunity to ask questions. Here’s some of the Q&A (view the full transcript):

Q: What’s a reasonable amount to expect to pay for a risk assessment or HIPAA audit?

A: Anywhere from $500 to $5,000 or $10,000, if you want the in-house training, all of the policies and procedures drafted for you, and if you need any additional services.

Q: Who should be responsible in a Healthcare organization for monitoring HIPAA? Should it be those primarily involved in Compliance? HR? Legal? IT? Everybody?

A: Actually, there is a requirement under HIPAA that each organization have a privacy officer. That is the person that is supposed to be in charge of monitoring these types of things. For example, if you are an organization that deals with HIPAA and you see patients, you are supposed to offer them a notice of privacy practices. It’s best for organizations to appoint one individual to monitor these types of developments because if you have multiple people, it gets very confusing.

Q: What’s the best way to handle PHI (protected health information) in email?

A: Don’t do it. Email is not a secure form of communication. Unless you’re sending encrypted email, you should not do it whatsoever.

This is just a sample of the discussion – view the slides, read the entire transcript and play the HIPAA webinar video on our site.

Tatiana Melnik, Attorney, Dickinson Wright PLLC

Tatiana Melnik is an attorney with the Dickinson Wright law firm where her practice focuses on information technology, healthcare information technology, intellectual property and privacy issues. Ms. Melnik sits on the Michigan Bar Information Technology Law Council, the Automation Alley Information Technology Committee, and is a Managing Editor of the Nanotechnology Law & Business Journal. Ms. Melnik holds a JD from the University of Michigan Law School, and a BS in Information Systems and BBA in International Business, both from the University of North Florida. Ms. Melnik regularly writes and speaks on issues surrounding healthcare information technology. Ms. Melnik will be speaking at the 2011 HIMSS Fall Technology Conference in Indianapolis on Social Media and Healthcare. Contact information is available at our site.