Here’s an excerpt from section 4.1. on the benefits of outsourcing HIPAA hosting:

Save on Costs

Why would a covered entity with sensitive data outsource their hosting solution to a third-party? A HIPAA compliant hosting provider that has already passed an independent HIPAA audit can save time and money by eliminating the need to audit your vendor in addition to your own business. While it does not release you of the obligation and responsibility of meeting compliance, it helps you more readily achieve compliance and mitigate risk.

Additionally, managed hosting allows your IT team to focus on the applications directly related to your business, not on the day-to-day details involved with server updates, data center infrastructure, network management and security which can more readily be outsourced to a trusted provider.

Security

A HIPAA compliant hosting provider can provide the latest tested and audited technology to help achieve compliance and secure your ePHI. With a variety of required and recommended security methods, you can trust experienced, certified professionals to maintain, monitor and accurately generate logs of activity on your servers.

Outsourcing allows you to benefit from the various levels of security that a quality hosting provider should have in place. These advantages include physical security, environmental controls, logged access and video surveillance, and multiple alarm systems to detect unauthorized access.

Network security includes protection of sensitive infrastructure, including managed servers, cloud, power and network infrastructure built with redundant routers, switches and paired universal threat management devices to protect sensitive information.

While the HITECH Act requires private accessibility on request by your patients, your outsourced hosting provider should never access PHI, but instead build, maintain and monitor the secure infrastructure that your sensitive information is stored and transmitted in.

Availability

The use of high-availability (HA) solutions in a fully redundant and compliant data center can allow clients to increase their uptime and PHI availability. Using an HA infrastructure can reduce the risk of business downtime due to a single point of failure. Outsourcing to a HIPAA hosting provider means your business can take advantage of your data center operator’s design of power connections, UPS (Uninterruptible Power Supplies) systems, generators, air conditioning and networks.

Flexibility

Outsourcing allows you to benefit from the latest virtualization technologies, such as fifth-generation VMware that dominates the market for applications that require a high degree of scalability. Choosing a high-performance managed cloud allows for the ability to scale servers up and down as needed to respond to the demands of end-users with fast deployment time.

To read about the Risks of Outsourcing, download our HIPAA white paper today.

2012 Healthcare Data Breach Update

Of the 425 reported breach events to the OCR (Office of Civil Rights), two-thirds of all large breach cases involved loss or theft of information and more than half of these large breaches involved electronic devices.

While a BAA (business associate agreement) can help a healthcare organization maintain control and insight into privacy and security practices involved with handling their ePHI (electronic protected health information), risks of storing and transporting ePHI are also of concern, as exemplified by the reported 5 million individuals affected by a breach caused by backup tapes being stolen from an employee’s car.

About 1 million have been victims of lost backup tapes in office renovation situations, and 400,000 affected by theft of a laptop from an employee’s car. Desktop computer theft from offices has affected 943,000 more, and 63,000 have been affected by theft of a portable media device from an employee’s car.

What’s the solution to this seemingly prevalent problem with ePHI? Revert to paper records in a healthcare vault with multiple doors and lock combinations? Restrict ePHI to existing only on non-mobile electronics? Demand counter-reform in the face of federal reform with the advent of EHR system implementation?

The answer is fairly simple but often ignored ‘best practice’ advice.

Aside from the common sense lesson of ‘don’t leave your electronics in your car,’ David S. Holtzman from the OCR recommends storing data on a secure network, not a mobile device. Instead of losing data when you lose your phone or laptop, the data should be stored in a HIPAA compliant data center with standardized network security in place.

Sensitive infrastructure, such as servers, power and network should be protected by restricted access. Using an Intrusion Detection Service (IDS) and monitoring can help notify administrators of a potential breach, and give you the tools to resolve an issue, including times and user activity on a server and network.

As a second choice and additional layer of protection, Holtzman recommends encryption to protect the data, with the cost ranking up as minimal compared to breach fines. For detailed data on the minimum and maximum fines for breaches by type, visit What is a HIPAA Violation?

Looking for more information on HIPAA IT requirements, recommendations, and the foundation of a secure HIPAA compliant data center?

For the full schedule with times, speakers and location, check out Spring into IT.

Stay tuned for live coverage of the presentations!

8:30 A.M. – You Are Vulnerable: How Not to be a Data Breach Statistic
Speaker: Adam Goslin

There’s been an increase of small-scale breaches involving small to medium-sized businesses. Recent breaches also involve lost or stolen devices (mobile phones or laptops). Encryption allows people a false sense of security – there are many other ways that security can be breached.

Mobile threats are also increasing with the use of mobile devices. Critical infrastructure attacks are also increasing – this includes malware that is designed to attack buildings. Breach costs are now averaged at $194 per record – this includes loss of business, remediation and more.

Only 10 percent of software developers and IT were documenting their security protocols.

Vulnerability Scanning

• Relatively inexpensive
• Automated, pre-configured scan that will look for any configured, and known incompatibilities on your network

Penetration Testing

• Significantly more expensive, but provides more coverage over networks, all devices, wireless systems and more
• Detailed website and application testing
• Performed and evaluated by a certified security engineer
• A detailed report includes what was found, where it was found, and what the issue means, as well as specifics on how to resolve the issues

A few ways to test the security of an organization include external hacking (ethical hacking) to find vulnerabilities of a system and social engineering – attempting to gain access to a system face-to-face.

9:00 A.M. – Compliance Reporting and Remediation with VMware
Speaker: Brian Foley

Introducing vCenter Configuration Manager

Customer concerns include: lacking visibility into their environment, dealing with change management issues, industry compliance standards, ensuring systems are patched.

VCM is cloud-ready, with quick-time-to-value to meet compliance requirements – compliance standards are built into the system.

Benefits include:

• Correlate performance to change with change management logs.
• Allows you to create and customize your own compliance rules, as well as a number of predefined compliance standards that can check your current system against.
• VCM also gives real-time and historical graphs of your degree of ongoing compliance, and allows for accelerated auditing with automated compliance.

9:30 A.M. – HIPAA at 16
Speaker: Joe Dylewski

HITECH was created in order to enforce the implementation of EMR (electronic medical record) systems by providing incentives for healthcare organizations. Meaningful use was created for physicians to prove the systems were being used. The maximum breach penalty was increased to $1.5 million.

Spring into IT Seminar Speaker Joe Dylewski

10:00 A.M. – Data Security in the Cloud
Speaker: Steve Aiello, CISSP

Cloud computing security is a corporate strategy. Most of the vulnerabilities and threats have been around for a long time. Security concerns have risen due to the major attacks on Sony, PBS, CIA, FBI, PayPal and other large corporations. Just because you’re compliant, it does not mean you are secure.

What is Security? It’s the CIA Triad – includes the confidentiality, availability and integrity of the data.

• Confidentiality – Keep information private. Determine what’s intellectual property to your company, and what needs to stay secure.
• Integrity – Keeping your data intact/accurate.
• Availability – Your data is there when you need it.

Question to ask your company: Where can you reinvest cost-savings from using cloud technologies to improve overall security?

Something to consider: the introduction of external parties/providers shouldn’t lessen your security profile. Questions to ask about your vendor:

• Is your cloud provider audited regularly?
• Will they share the results of their audit?
• Do they have processes in place to pass on that tribal knowledge?

Provider offerings that increase security:

• WAF
• Encryption
• Unique user IDs
• Two-factor authentication
• Applications
• And more

Cloud Options vs. Security

• The lower down the cloud stack the service providers tops, the more security you as a user absorbs

Potential targeted technology:

• Hypervisors
• Orchestration Tools
• Administrative Machines
• API Endpoints
• Virtual Machines
• Applications

10:30 A.M. – Two-Factor Authentication
Speaker: Chris Schmitt

Factors of authentication include something you are (biometrics), something you own (card), and something you know (pin number). Two-factor is required for PCI compliance.

Ideal for protecting sensitive data – it’s important to have wide integration with the two-factor tool you choose. TFA solves the problem of a weak password – it provides an extra layer of security, and helps with access control. TFA doesn’t solve regulatory financial compliance.

When picking a TFA solution, focus on simplicity and management – the ability to sign up all users at one time and easily manage them is ideal. Online Tech uses Duo Security, an Ann Arbor-based tech company. Uptime availability is also important.

11:00 A.M. - How to Properly Configure a High Availability Server Rack
Speaker: Noah Wolff

[This will be video-taped and posted after the seminar concludes].

High availability is the percentage of time a system is available – do you need it? Consider the costs/consequences of downtime and your mission critical applications.

Common HA misconceptions – having a UPS is enough, having two firewalls is enough, power supplies on a server is enough, and collocating in a data center is enough (although a DC may provide HA, you may not be taking advantage of it).

Reasons to go HA – ease of maintenance, a single point of failure can affect your uptime and downtime can mean a loss of clients and business.

HA does not protect you from security breaches or human error. Backup is still important, even if you do have HA. DR assumes multiple points of failure. HA does cost more, and does not cover all possible sources of failure.

The most common mistake with configuring for HA is the failure to test it.

Noah Configuring a HA Server Rack

12:00 -The Mobile Explosion: What Does it Mean for You, Your Business, and Michigan’s Economy
Speaker: Linda Daichendt

Mobile is today’s primary consumer device – 5.3 billion have mobile devices of some kind, and 1.1 billion have tablets or laptops. We have 103.9% mobile subscriptions per capita, meaning more subscriptions than our entire population.

Consumption of the internet via mobile phones has increased over 1200% in the last few years. When it comes to marketing, the average response rate to a mobile offer is between 12-15%. Depending on the type of business (consumer-based), some markets have seen over 60% response rates.

Linda Daichendt's Keynote Speech on Mobile Trends

Check back to our blog in the next week for a full blog post on the mobile trends, statistics and latest technology presented by Linda.

If you use a cloud service, it should be your business associate. If they refuse to sign a business associate agreement, don’t use the cloud service.

- David S. Holtzman of the Health Information Privacy Division of OCR during a speech at the Health Care Compliance Association’s 16th Annual Compliance Institute.

The OCR, Office of Civil Rights, is the federal enforcer of HIPAA/HITECH. This definitive statement straight from the governing body puts to rest the question about whether or not cloud providers should be considered business associates for covered entities in the healthcare industry, as well as the question of whether a business associate agreement is required or not.

Holtzman’s speech included a specific example of a recent HIPAA violation involving the Phoenix Cardiac Surgery physician practice. Protected health information (PHI) was found posted on an Internet-based calendar, openly available to the public. The practice was using a public cloud-based application that did not have any privacy or security controls.

The lessons learned, according to Holtzman, include the physician’s lack of security and privacy controls, as well as the failure to consider cloud providers to be business associates and sign a business associate agreement (BAA).

Why is it imperative to sign a BAA with a HIPAA cloud provider, as a healthcare organization concerned about PHI security and HIPAA compliance?

Ownership
Who has access to data and rights to your data should be clarified in the BAA with your cloud provider – some cloud providers may include provisions in your contract that give them ownership and control of your data while hosted in their environment. Loss of ownership and control may mean your PHI can be left vulnerable to a breach.

Location
HIPAA security standards apply to covered entities within the United States; if your data is being hosted overseas, the same privacy and security laws may not apply. Know where your data lives and assess the physical, logical and network security of the data center or hosting facility. Read more about Data Center Security and Secure Hosting.

Breach Notification
A clause in your BAA should address breach notification in the event of a data leak – if your cloud provider is aware of a breach, they should have a plan in place that outlines a timeline of notifying the covered entity and their next steps. The OCR requires multiple documents within ten days of a breach – check that your cloud provider is aware of and has the information or ability to help you collect and/or create those documents.

Security and Privacy Controls
Does your cloud provider have documented policies and procedures in place that include employee training on how to securely handle PHI? The obligations and responsibilities of the cloud provider should be outlined in your BAA clearly.

Protocol After Termination
After contract termination with a cloud provider, the terms of data destruction and/or how to return the data to the covered entity should be addressed. Keeping copies of sensitive information within your organization is key to maintaining the data confidentiality and access limitation.

The OCR’s HIPAA audit pilot program launched late last year was intended to identify areas of improvement for covered entities when it comes to data security. With this field research, the OCR can provide more useful guidelines for other healthcare organizations, including the necessity of signing of a BAA with cloud vendors.

Recommended Reading
What’s in a Business Associate Agreement?
Online Tech’s BAA Breach Notification Clause
Five Questions to Ask Your HIPAA Hosting Provider
Who Needs to Be HIPAA Compliant?

References:
HIPAA Audits Wrapping Up at Year’s End as Federal Funding Winds Down – Health Law Resource Center, Bloomberg BNA

Looking for more information on HIPAA IT requirements, recommendations, and the foundation of a secure HIPAA compliant data center?

Mobile Security

There’s no question that our society is embracing the technology that is in front of us. You can go back almost 25 years and in 5 year gaps, see the massive innovation and technological impact that our society is seeing on an everyday basis. In the US today, more than 50% of cell phone purchases are now smartphones, up from 21% two years ago. With this massive increase in mobile computing, security has become the focal point. However, it has seemed that security is always on the tail end of the explosion in the mobile computing sphere.

This past January, a story broke out about a man who forgot his passport as he was entering customs to enter the United States from Canada. Realizing he had a scanned image of his passport on his iPad, he then proceeded to hand his iPad to the customs agent in hopes of it being enough to get him into the United States. After a few minutes of deliberation and some awkward looks, he was allowed into the United States with his scanned image of his passport in hand towards his destination. According to border officials, these types of situations are usually handled on an individual basis and can go many different ways, but this type of thinking by this man is a possible realization of things to come.

With the technology available, there is an opportunity to have documents with us at all times when we need them. Not only could this result in us having access to our music, videos and pictures at a moments notice, but personal documents as well. This could pose a huge security risk to ourselves.  There is always someone trying to manipulate systems in place for their own benefit. People have created fake passports, fake IDs, and have found many loopholes in systems. These types of malicious activity happen all the time and are a continuing and growing threat to our everyday life.

In an everchanging world, more and more of these types of cases will be coming up in the near future. There are already talks and technologies in place where your phone could become a personal wallet to make transactions with the flick of a wrist. It wouldn’t surprise me if there comes a day when we’ll have scans of all of our sensitive documents (SSN Cards, birth certificates, financial documents) all on our tablets for identification purposes and having a paper copy becomes obsolete. If this becomes the norm of mobile computing, there needs to be measures on all ends of the spectrum to better secure ourselves.

This first and foremost starts with the user. Whether that’s having some sort of Disaster Recovery plan to all of your files, or implementing a Two-Factor Authentication solution to the mix, there are ways where you can keep yourself better protected. Until there are full security measures in place among everyone and is implemented by everyone, security will always be a huge factor to the future of mobile computing as it stands today.

On the topic of Mobile Security, Linda Daichendt from the Mobile Technology Association of Michigan will be the keynote speaker at our Spring into IT event on May 11th discussing: “The Mobile Explosion: What Does it Mean for You, Your Business, and Michigan’s Economy”.

For more information on mobile security, check out Mobile Security: How Safe Is Your Data? and Mobile Security: Are Your Apps Safe?

Sources:
http://blog.nielsen.com/nielsenwire/online_mobile/smartphones-account-for-half-of-all-mobile-phones-dominate-new-phone-purchases-in-the-us/
http://www.theglobeandmail.com/news/national/flash-of-an-ipad-gets-man-past-border-security/article2290029/

Michigan Business Network

Yan Ness, CEO of Online Tech, will be on the Michigan Business Network, 10 A.M. ET tomorrow morning. Be sure to tune in and listen online!

If you happen to miss a show, you can always listen to podcasts of previous programs by using the Michigan Business Network’s Broadcast Schedule. We’ll post a link to the podcast after it airs.

Yan will discuss our upcoming Spring into IT seminar scheduled for this Friday morning, with seminar sessions running from 8 A.M. to 1 P.M. ET at our newest Ann Arbor data center.

It’s free to attend, and online registration is still open. Please join us for just one session or stay for the special noon keynote on mobile technology.  Register online today.

As we roll into spring, Online Tech continues to raise the bar on the security, reliability and compliance of our data centers and services.  Here is a brief list of some of the capabilities we’ve added over the first four months of this year:

Audits and Compliance:
As you may know, we continue to invest heavily to ensure we meet the top tier of data center standards.  In the recent months, we’ve successfully completed three new audits:

• SOC 2 & SOC 3 Audits – Online Tech was the first multi-tenant data center in the country to complete this much more stringent AICPA audit. SOC 2 is a more objective standard for high quality data center operators and we passed the audit with flying colors.  You can read more on this audit at: http://www.onlinetech.com/secure-hosting/sarbanes-oxley-sox-compliant-hosting/soc-2-a-soc-3-hosting
• PCI Audit – In February we completed one of the most technically demanding audits for security in the Payment Card Industry (PCI).  PCI compliance is required for any company that receives, processes or stores credit card information on their servers.
• Energy Star Certification – With our investments last year in our Mid-Michigan data center, we achieved the EPA’s Energy Star Certification for energy efficiency.  The Mid-Michigan data center performs in the top 25 percent of data centers nationwide for energy efficiency and meets strict performance levels set by the EPA.

Data Center Infrastructure:

• New Fiber into Mid-Michigan – We’ve added another optic path to our Internet providers in Mid-Michigan – increasing the redundancy and resiliency of our Internet connections.
• Comcast Fiber in Mid-Michigan – Comcast has also installed fiber into Mid-Michigan. Comcast Business Class is an additional connection option for our clients that need high speed direct connection to our data centers.
• We also added a redundant dark fiber circuit between our Ann Arbor data centers.  This second path takes an entirely different route through the Avis Farms office park – providing a more resilient connection between the two data centers.

New Network Security Services:
In the next 90 days, we will be rolling out an enhanced set of network services to meet PCI security requirements. The first of these services is two-factor VPN authentication.

• Two-factor VPN Authentication– We teamed up with Duo Security to provide a simple, mobile phone-based authentication method that is much more convenient and easier to use traditional two-factor systems. The security measure adds an extra layer of protection to critical VPN connections by requiring a secondary authentication method to achieve network access.  If you have critical data such as financial or healthcare information on your servers, we recommend you take a look at two-factor VPN authentication.

Website & Seminars:

• Spring into IT Seminar- This Friday, May 11^th, we’re bringing in the experts on Mobile Computing, Cloud Security, HIPAA, PCI Compliance, and Network Security for a morning of technical seminars at our Ann Arbor 2 data center.  We’d love to have you join us.  You can register at: http://www.onlinetech.com/resources/events/seminars/spring-into-it
• New Web Site & Blog – We launched our new website at the beginning of this year and we’d love your feedback.  Something confusing?  Something you love?  Let us know.  We appreciate your feedback because it helps us continue to better serve you.

Net Promoter Score:

• We started using the Net Promoter System (NPS) from the book “The Ultimate Question 2.0” by Fred Reichheld to track and measure client satisfaction. We want to consistently deliver excellent client service through our metrics, accountability and visibility.

As you can see, we’re working hard to earn our reputation as one of the top mission-critical data center operators in the country.  We look forward to continuing to serve your hosting needs.

Best Regards,

Mike Klein
President & Chief Operating Officer
Online Tech Inc.

Spring into IT

Spring into IT May 2012

This Friday, we’re bringing in the experts to launch technical discussions and provide tactical knowledge around topics like cloud computing security, HIPAA compliance, how to properly configure server racks, how to comply with PCI DSS standards, and more.

Don’t miss our special noon keynote speaker, Linda Daichendt, Executive Director of the Mobile Technology Association of Michigan, and her presentation on “The Mobile Explosion: What Does it Mean for You, Your Business, and Michigan’s Economy.”

Stay for a few sessions, breakfast or lunch, or join us for the morning for great networking opportunities. Sign up online and view the seminar schedule and location here.

HIPAA Compliant Data Centers White Paper

CIO’s, CEO’s, physicians, healthcare SaaS (Software-as-a-Service providers) and any other IT decision-maker or influencer should download and read this paper.

This is a comprehensive, detailed document for anyone seeking more information about the implications of HIPAA/HITECH on data centers, the role of business associates, specific technology requirements and recommendations, and more.

We consulted with a Certified HIPAA Security Specialist (CHSS) and internal engineers to create a diagram comparing each HIPAA standard to our applied technology to create a secure and private hosting environment. We’re serious about compliance, and we want to share our research and knowledge to educate the industry to make more informed hosting decisions. Download the white paper today.

Data Security Scholarships

Stay tuned for more about this great opportunity for tech-minded students interested in health IT, cloud computing, data security, disaster recovery, colocation and a variety of other topics. We’ll post a detailed blog tomorrow about how to sign up and what you’ll need to enter the scholarship program.

IMN Data Center Forum in NYC

Online Tech will be attending the Second Annual Spring Forum on Financing, Investing and Real Estate Development for Data Centers at the end of May, in New York City, New York.

Online Tech CEO and President Mike Klein will be leading a session on Evaluating Data Center Business Models, May 24 at 8:30 A.M. Find out more about session and panel here.

Science

Cancer Genomics Hub

The National Cancer Institute is funding a $10.5 million project managed by UC Santa Cruz for a supercomputer that will store the genetic codes of malignancies from 10,000 patients with the intent of revealing mutations that trigger uncontrolled cell growth. The Cancer Genomics Hub (CGHub), said to be the world’s largest repository for cancer genomes, will sift through the large amount of data attempting to find gene mutations that cause tumors and make it easier to make cross-dataset comparisons – significantly accelerating the time it takes to analyze and produce results from data sets.

To get an idea of why big data is so big – according to the Oakland Tribune, each tumor’s DNA record is 300 billion bytes (1 gigabyte), which has to be compared to a normal genome (billions of bytes), plus the sequence data from RNA – all adding up to nearly a terabyte for each case.

Healthcare

Not only does big data have major implications for scientific breakthroughs, the aggregate and analysis of healthcare data sets can improve patient care. Digital records stored in electronic medical record or electronic health record systems (EMR/EHRs) can be mined to detect patterns in care. These patterns can help advance the healthcare industry by assisting in the automation of processes in the workflow of patient care, and get the industry up-to-speed with the technological advancement of other industries.

Hospitals and healthcare software companies also need storage-intensive hosting solutions for systems such as PACS (Picture Archiving and Communications Systems) that store and process medical imaging, including X-rays, MRIs, CAT/CT scans and others. A high-capacity HIPAA cloud with a managed SAN (Storage Area Network) can offer a scalable solution to healthcare’s big data needs.

Social Media

Social media involves the countless amount of user-generated data collected from various sources, including mobile phones – demanding an intelligent way to manage and analyze the content. DataSift is a U.K.-based startup launched to handle the vast amount of social media data by analyzing feed data based on pairing related quantifiers and keyphrases.

The company intends to take monitoring and data analysis to measure the level of intent-to-buy to help sales teams and companies build financial models based around customer conversations. The last week of April was even declared Big Data Week by the Head of Client Services at DataSift and sponsored by Oracle and EMC, with meetups and communities in three countries to discuss big data innovations and startups.

While brands have been long tracking social media for mentions and support-related issues, entrepreneurs are taking it a step further by developing new and more meaningful ways to analyze big data in social media to shape and influence business decisions.

Twitter recently announced its plan to team up with UC Berkeley School of Information to develop and teach a class entirely about analyzing big data, aptly named, Analyzing Big Data with Twitter. The course description details the topics, including applied natural language processing algorithms such as sentiment analysis, large scale anomaly detection, real-time search and more. Students will get advising from Twitter engineers on programming-intensive projects that include building apps and social media data analysis.

Beyond the hype, big data has the potential to put hard facts and real figures behind scientific research, business development and healthcare management.

References:
Cancer Genome Data Center Raises Hope for Cures
DataSift Exploits Big Data for New Insights Into Customers
Twitter Teams Up with UC Berkeley to Teach Students About Big Data
White House Launches Government-Wide Investment in Big Data
World’s Largest Hub for Cancer Genomes Opens
Cancer Genomics Hub – UC Santa Cruz

Governance
NIST refers to the organizational controls over policies, procedures, standards of development, and the design, implementation, testing, use and monitoring of deployed services. In short, they explain that while the cloud requires less capital investment, it still requires a high level of employee training and administrative oversight to maintain security.

Governance also refers to proactive risk management in the form of deploying audit tools to determine how data is stored, protected and used. Securing an audit trail of user/system activity  is also a PCI DSS requirement (10.5), and recommended for HIPAA compliance. The use of file integrity monitoring and log monitoring can provide continuous records of activity and alert you to any abnormal use to help prevent a breach.

Compliance
While NIST recognizes the complexity and breadth of compliance regulations varying by industry, region and governing body, the take-home message is that organizations are ultimately held accountable for the security and privacy of data that is held by a cloud provider on their behalf.

NIST doesn’t come out and say cloud providers need to abide by the same standards that, for example, covered entities or health organizations in the healthcare industry need to follow. They also recognize that “the degree to which they will accept liability in their service agreements, for exposure of content under their control, remains to be seen.” This statement is more a reflection of current industry trends in compliance, instead of endorsing a standard that cloud providers should follow.

But if the organization is responsible for the security and privacy of data held by a cloud provider, then it’s up to the organization to do a thorough assessment of their cloud provider’s security controls and knowledge of industry standards.

Another aspect of compliance is data location – if outsourcing, be sure to tour their data center facilities to know exactly where your data will live, and what kind of security is in place to protect it. Download our HIPAA compliant data centers white paper for a complete guide to HIPAA hosting.

Trust
Direct control over security and privacy is transferred to the cloud provider, obviously demanding a fair amount of trust between the organization and provider. NIST recommends ensuring visibility into a cloud provider’s security and privacy controls and their performance over a period of time. NIST also recommends establishing cohesive and exclusive ownership rights over data.

Insider access can also lead to threats such as fraud and theft – ask your cloud provider if they do background checks on employees, and if they are properly trained on how to handle sensitive data.

Establishing data ownership and access, gaining visibility into security controls and conducting a risk analysis or assessment is fundamental to risk management. Prior to undergoing a third-party audit, a cloud provider should conduct a risk assessment of any potential vulnerabilities, whether alone or with the help of a security consultant. Find out what’s in a HIPAA risk analysis (helpful for healthcare organizations and anyone concerned with security).

Stay tuned for future blog posts on other cloud security recommendations, including Architecture, Identity and Access Management, Software Isolation, Data Protection, Availability and Incident Response.

References:
Guidelines on Security and Privacy in Public Cloud Computing (PDF)

Spring Into IT 2012

Online Tech will host a spring tech seminar next Friday, May 11 from 8 A.M.-1 P.M. at our Ann Arbor 2 data center location. Presentations by tech, security and compliance professionals include topics such as mobile technology, cloud security, and the implications of meaningful use on HIPAA for healthcare IT.

Attend for one session or the entire morning to take advantage of networking opportunities and knowledge-sharing presentations. Sessions and speakers include:

Seminar Schedule
8:00am- Registration, Networking and Breakfast

Seminar Track 1

• 8:30am – Adam Goslin, High Bit Security, You Are Vulnerable: How Not to be a Data Breach Statistic
• 9:30am – Joe Dylewski, Health Care Management, HIPAA at 16
• 10:30am – Chris Schmitt, Online Tech, Two-Factor Authentication to Protect Sensitive Data
• 11:00am – Noah Wolff, Online Tech, How to Properly Configure a High Availability Server Rack

Seminar Track 2 

• 9:00am – Brian Foley, VMware, Compliance Reporting and Remediation with VMware
• 10:00am – Steve Aiello, Online Tech, Data Security in the Cloud
• 11:00am – Adam Goslin, High Bit Security, Payment Card Compliance- What Does it Mean and How to Comply Effectively

12:00pm – Linda Daichendt, Mobile Technology Association of Michigan, The Mobile Explosion: What Does it Mean for You, Your Business, and Michigan’s Economy

1:00pm – Lunch

Registration will begin at 8:00 A.M. with presentations starting at 9:00 A.M and a noon keynote on Mobile Technology Trends to conclude our seminar. Coffee and a continental breakfast will be served in the morning and gourmet pizza for lunch.

Seating is limited, so please be sure to reserve your seat for topics of interest by completing our online form.

Ann Arbor Data Center Tours

About Our Ann Arbor Data Center

Our newest Ann Arbor data center is a 19,500 square foot facility with 10,000 square feet of 12″ raised floor and high availability Internet connectivity. With diversified utility and network feeds, our data center is perfect for production and disaster recovery projects.

Open House 2011

Like our other data centers, our Ann Arbor, Michigan data center is independently audited and found to be SAS 70, SSAE 16, SOC 2 & SOC 3 and HIPAA compliant. Visit Ann Arbor Data Center for detailed specifications on the power, network infrastructure, security, and cooling capacity.

Previous events at our Ann Arbor data center location include a UM Ross School of Business cloud computing seminar and our data center open house – view photo slideshows of both on our OT Flickr.

If you’d like to host your next event at our data center, contact us by emailing contactus@onlinetech.com.

IMN Data Center Forum May 2012

Online Tech will be attending the Second Annual Spring Forum on Financing, Investing and Real Estate Development for Data Centers at the end of May, in New York City, New York. The event is hosted by the Information Management Network (IMN), global organizers of institutional finance and investment conferences.

The forum will include panel discussions on the Macroeconomy & Data Centers, the President/CEO panels and Mergers, Private Equity & IPOs.

Online Tech CEO and President Mike Klein will be leading a session on Evaluating Data Center Business Models, May 24 at 8:30 A.M. The session will cover the following industry topics and emerging trends:

• As colo players expand & wholesale players come down market and sell racks what is the distinction?
• Can new players enter the wholesale market? What is the price tag?
• Comparing power pricing & lease pricing models and methodologies
• Impact of the cloud
• Building a shell vs. providing power and cooling vs. providing colocation/managed services
• Customer target and employee skill sets of different approaches
• Revenues and expenses of different approaches
• Transitioning to managed services: How much does it cost? How much revenue will it pull in?

Panel participants include C.J. Brucato III, Partner of Abry Partners, LLC; Carl Strang III, Managing Member of the 6/10 Corp.; Phil Horstmann, CEO of Ascent, LLC; Jonathan A. Schildkraut, Managing Director, Equity Research-Telecom Services & Data Center Services of Evercore Partners; and Drew Leonard of Savvis.

Available panel participant biographies:

Mike Klein, President, Online Tech

Mike is a serial entrepreneur with more than 30 years of high tech business leadership, technology, and startup experience including CEO of Interlink Networks, Managing Partner of CompanyCrafters, and CEO /Founder of Steeplechase Software, an INC 500 Company which he sold to Schneider Electric. Prior to becoming an entrepreneur, Mike spent the first decade of his career working in sales, strategic marketing, product development at Motorola Semiconductor and Rockwell International.

Jonathan A. Schildkraut, Managing Director, Equity Research-Telecom Services & Data Center Services of Evercore Partners

Jonathan Schildkraut is a Managing Director in the Equity Research group, leading the equities coverage of Telecom Services companies, including data center operators, RBOCs, CLECs, alternative backbone providers, and tower operators. In 2010, Mr. Schildkraut was recognized in FT Starmine’s annual Best Brokerage Analysts awards, where he ranked #1 in earnings estimates for Wireless (includes Towers), and #3 in earnings estimates for Diversified Telecom. In 2009, he ranked #1 in earnings estimates for Diversified Telecom, and #3 in earnings estimates for Wireless (includes Towers). In 2008, Mr. Schildkraut was recognized in Forbes’s Best of the Brokerage Analysts awards, where he ranked #3 in Telecommunications. Mr. Schildkraut has been in the telecommunications industry since 1997.

Drew Leonard of Savvis

Drew Leonard has over 16 years in the Telecom and Data Center industry. As Vice President of Colocation Product Management for Savvis, Drew is responsible for enhancing colocation services, growing the business through new client and market opportunities, and ensuring that customers receive the most current and cost effective solutions. Prior to joining Savvis, Drew was Director of Product Marketing at Switch and Data Facilities, and Director of Marketing at PAIX. As a seasoned marketing professional for these Data center and internet exchange providers, Drew’s primary focus was developing detailed strategic marketing plans leveraging market and revenue opportunity through market sizing. Drew has continued to specialize in market sizing, market share analysis, strategic planning, market-based pricing, product development, channel marketing, and sales development. Drew has a Bachelor of Science degree from the University of California.

The diagram below shows elements of a HIPAA compliant hosting architecture.

To create this, we worked with Certified HIPAA Security Specialists and Certified HIPAA Professionals who matched each HITECH standard, specification, and implementation with a common technology application to meet Security Rule compliance.

Each element is described further in our HIPAA Compliant Data Centers white paper.

HIPAA Compliant Data Center Architecture

Get access to our HIPAA Compliant Data Centers white paper today! Download now.

Protecting the confidentiality, integrity, and availability of electronic protected health information (ePHI) is the essence of the HIPAA Security Rule1. Since data centers typically store, transmit, or process ePHI, they must comply with the HITECH standards and citations to meet HIPAA compliance. The same risk analysis, administrative safeguards, physical safeguards, technical safeguards, and ongoing due diligence apply just as much in the data center as in a provider’s facility.

While there is some debate about the responsibilities of business associates for the protection of ePHI, all indications point toward business associates being held as responsible as covered entities. Consider the latest notice of proposed rulemaking that speaks to the extension of responsibilities from covered entities to business associates:

As with the Privacy Rule, the Security Rule requires covered entities to have contracts or other arrangements in place with their business associates that provide satisfactory assurances that the business associates will appropriately safeguard the electronic protected health information they receive, create, maintain, or transmit on behalf of the covered entities.

Moreover, both covered entities and business associates should bear in mind that prosecution by the Office of Civil Rights (OCR) under HITECH is not the only legal concern. The last year has witnessed an increase in state and consumer lawsuits against both covered entities and business associates. In January 2012, Minnesota Attorney General filed a lawsuit against Accretive Health, for failing to protect the confidentiality of over 23,000 patient healthcare records.

The safest and most diligent practice to protect ePHI is to ensure that the same policies, risk management, safeguards, and ongoing compliance governance standards are followed no matter where ePHI resides. This means that data centers, whether in-house or outsourced, need to fully embrace complete responsibility for ePHI.

In the areas of administrative safeguards, such as ongoing HIPAA awareness and training for all employees, healthcare providers tend to be stronger. In the areas of technical safeguards and PHI availability, professional data center companies that invest extensively in redundant facility infrastructure and security may be the safer bet.

Ideally, either a healthcare provider would have infinite resources to build and maintain multiple, high-availability data centers or a data center hosting business associate would have a thorough understanding of HIPAA compliance including a HIPAA security risk analysis and management, policies, training of all employees, and ongoing HIPAA compliance audits. While both ideals exist, they are in the minority.

In these cases, the weighing of the pros and cons falls back to the risk analysis and management to choose the best option that will maintain ePHI confidentiality, integrity, and availability.

Read more in our free HIPAA Compliant Data Centers white paper - download it today!

References:
HIPAA Security Series: Basics of Risk Analysis and Risk Management (PDF)
U.S. Dept. of Health and Human Services, Federal Register Part II
Attorney General Swanson Sues Accretive Health for Patient Privacy Violations

The simplest example may be the use of an ATM/debit card – this combines two factors; one is something you own (the card) and the other is something you know (the PIN number).

Employees and other users may need to log into a private network to access data from a remote location, a VPN (virtual private network). In this scenario, one authentication factor includes logging into a web-based system with a username and password. The second authentication factor may include the use of a cell phone – with a smartphone, you can register your phone number with the system and receive a request to approve.

Or, by using a passcode via text message, you can log into the system with the randomized numbers sent to your phone. You can even answer a phone call and press a key in order to authenticate you are the authorized account holder.

There are other authentication factors that can be used – for example, biometrics requires something specific to you, from a fingerprint to voice recognition. Or, you can use something physical you own, like a keyfob.

Who’s Using Two-Factor Authentication?

One example of a company using two-factor is Google – they’ve implemented their version called “2-step verification” for Google account holders. After signing into your account with your email address and password, Google requires you to enter a verification code sent to you via text message or generated by your smartphone.

Google's 2-Step Verification

Any organization concerned about security should consider implementing two-factor authentication for their VPN (virtual private network), regardless of their compliance requirements. Two-factor authentication lowers your risk of a data breach caused by unauthorized remote access to sensitive data.

PCI DSS Compliance Requirements

Two-factor is required by PCI compliance. The Payment Card Industry Data Security Standards (PCI DSS) mandate that organizations who “hold, process, or pass cardholder information” meet a minimum level of security. Part of this security is protecting remote access logins with strong authentication. PCI requirement 8.0 states organizations must assign a unique ID to each person with computer access.

Specifically, section 8.3 requires organizations to implement two-factor authentication for remote access to the network by employees, administrators, and third parties. To achieve compliance with this requirement, you should use technologies such as remote authentication and dial-in service (RADIUS) or terminal access controller access control system (TACACS) with tokens; or other technologies that facilitate two-factor authentication.

Two-Factor Authentication for HIPAA Compliance

Two-factor authentication is also recommended in order to meet HIPAA compliance, as it adds an extra layer of security that can prevent unauthorized access.

A recent article from ModernHealthcare.com demonstrates the need for strong authentication in the healthcare industry. The Privacy and Security Tiger Team of the Health IT Policy Committee is proposing rules for Stage 2 meaningful use that will govern security recommendations to authenticate the identity of patients as they log into their patient portals to download or view their personal health records.

While the policy committee intends to propose a rule requiring at least single-factor authentication while accessing records via a patient portal, two-factor authentication can offer significantly more security with minimal effort and cost.

Related Resources

Two-Factor Authentication FAQ

Read our Two-Factor Authentication for VPN Login FAQ for further information.

Find other PCI compliant resources here. And watch this webinar or read the transcript, PCI Compliance: Detailed Requirements, for a comprehensive overview of the required technology to achieve PCI DSS compliance.

References:
PCI DSS Quick Reference Guide: Understanding the Payment Card Industry Data Security Standard Version 2.0 (PDF)
Defender 5: The Right Way to Prove, Identify and Establish Trust from Quest Software
Federal Privacy Work Group Wants EHRs to Verify Patient ID

More specifically, the majority of the budgets are allocated for private cloud hosting solutions, at 24 percent, as deduced from the survey of 1,682 IT and business executives.

2012 Cloud Computing

When it came to what type of cloud activity the respondents expected to conduct over the next five years, 27 percent planned to perform the majority of their IT operations in the cloud. Thirty-five percent stated only a few selected IT operations would be performed in the cloud, while 21 percent plan to limit their cloud activity to private clouds. Additionally, 63 percent agree or strongly agree there will be long-term cost savings realized after adopting the cloud, despite higher short-term costs for implementation.

Again, security comes into play when it comes to hurdles to adopting the cloud (70 percent). Access to information is next at 40 percent, while concerns about information governance is third at 37 percent.

What can help ease security concerns for companies looking to outsource their private cloud? Check their audit history for dates and scope of compliance – from a SOC 2 report that measures the security, availability, confidentiality and other attributes of a data center operator/cloud provider to any number of industry-specific compliance audit reports, including PCI compliance and HIPAA compliance to ensure a provider is following national standards for security. Read our white paper; a comprehensive guide to HIPAA compliant data centers for more about how to secure ePHI (electronic protected health information) in the cloud.

As for concerns about information governance, your cloud contract should outline who actually has access, rights, and the right to grant access to your data. Knowing where your data lives is also important – the compliance standards of the audit reports previously discussed do not need apply if the data is transferred out of the country, meaning security may not be guaranteed if your data is overseas.

Security concerns may be a motivator for the deployment of private clouds, and the expected continuing trend in the next 18 months, at 33 percent.

References:
2012 Cloud Computing Key Trends and Future Effects (PDF)
More Than One-Third of IT Budgets Now Spent on Cloud: Survey

Cloud Computing: Approach Innovatively and Understand Trends featured speaker presentations, networking and data center tours. Speakers included:

• Mike Klein, COO & President of Online Tech
• M.S. Krishnan, PhD., Joseph Handleman Professor of Information Systems and Innovation at the Ross School of Business, University of Michigan; Faculty Director of India Initiatives; Professor of Business Information Technology
• Gary Baker, CIO at Society of Manufacturing Engineers & Co-host of Internet Advisor Radio Program at WJR

Download Online Tech’s A Brief Overview of Cloud Computing (PDF).

Our Ann Arbor 2 data center is located south of Ann Arbor, Michigan in Avis Park. With close proximity to major highways and the University of Michigan, this facility offers an ideal location for high availability production and disaster recovery.

The 19,500 square feet facility includes 10,000 square feet of 18” raised floor and offers high availability fiber Internet connectivity, and high availability heating and cooling systems. It also offers geographic separation from our Mid-Michigan data center, providing diversified utility and network feeds, perfect for production and disaster recovery projects.

Read more about our data center, including detailed specifications.

HIMSS Greater Chicago Chapter

The event, Health IT: What’s Next in Digital Health?, will feature speaker Kareem Saad from Dell to present on key health IT innovations changing the healthcare landscape, as well as Steve Lieber from HIMSS to provide insight on the widespread national adoption of health IT, and related topics from HIMSS ‘12.

GCCHIMSS.net describes the event topics:

Health IT is transforming our healthcare system. Healthcare reform, industry consolidation, and demographic changes have spurred a significant increase in the U.S. healthcare industry’s use of technology to improve health and enhance the patient experience while trying to help control the ever-increasing cost of care. New players are emerging and cloud computing, social media, and mobile technology solutions targeting patients and healthcare providers are creating new opportunities.

We’re one of those cloud computing providers, continuously improving and developing our solutions to achieve optimal security delivered with responsive management and client service. Online Tech provides fully compliant HIPAA hosting solutions for healthcare organizations, healthcare SaaS (Software-as-a-Service) providers, and other related organizations in our HIPAA compliant data centers.

We invested in and passed a third-party audit designed to test everything –  including our technology, policies, procedures, employee training, security measures, access controls and more, in order to ensure we can offer fully compliant HIPAA cloud hosting, colocation and managed servers. And, we’ll sign the business associate agreement (BAA) with every healthcare client. For a comprehensive guide to HIPAA compliant data centers for covered entities and business associates, read our recently published HIPAA Compliant Data Centers White Paper.

The meeting will be held at the Tripp Lite World Headquarters at 1111 W. 35th Street, Chicago, Illinois. Register online and view directions to the headquarters here.

About GCC HIMSS
We are a diverse group of experienced healthcare professionals working in the greater Chicagoland area. We work at hospitals, corporate health systems, consulting firms, vendor organizations, universities, and a wide variety of other organizations. Many of us are the decision makers in our organization. Our members range from CEOs, CIOs, and other senior executives to analysts and students. We have technical members and clinical members. The majority of GCC’s members have well over ten years of experience in the healthcare field.

The Ultimate Question

We hope to implement the Net Promoter System over the course of the next year. In order to do so, we’ll be collecting data bimonthly with the help of our clients.

It’s all based on a simple question:

“On a scale of 0 to 10, would you recommend Online Tech to a friend or colleague?”

0 = You wouldn’t recommend Online Tech
10 = You would definitely recommend Online Tech

By asking this question, Online Tech will be able to gather information and pinpoint areas in our company where we can improve the entire customer experience.

Every morning, our company holds a huddle to discuss client-related metrics and help resolve any client issues. We want to gather feedback from our clients at any point in time, good or bad.

If you’ve had a positive experience with us recently, tell us about it. If you’ve had a less than stellar experience with us, we want to know about those, too! Send us an email at feedback@onlinetech.com with your score based on the scale mentioned earlier and any other comments you would like to share with us. We want to hear from you during this process –  without your feedback, it wouldn’t be possible.

Online Tech will provide more information about the Net Promoter Score as we fully implement the system this year. If you are interested in learning more about the Net Promoter System and about other companies that have implemented the system, visit www.netpromoter.com. Be sure to check back here frequently over the next few months to read more about our efforts in using the Net Promoter System to continuously improve our business practice.

HIPAA Compliant Data Centers Cover

Our HIPAA compliant data center white paper is finally released! Here’s an overview of what you’ll find in the 36-page document:

Executive Summary

Evaluating outsourcing options to allow industry experts to manage parts of the healthcare IT components is an obvious part of the equation, and the intensive capital expense, human resource, security, and maintenance demands specific to data centers make these prime candidates for cost savings.

However, balancing the resource benefits of outsourcing data center and hosting services with the risks of engaging an off-premise business associate is daunting in the wake of increasing PHI (protected health information) breaches and penalties. Ultimately, finding the best blend of resources that can fulfill the availability, integrity, and confidentiality requirements to protect ePHI (electronic protected health information) – and thereby protecting the patients, covered entities, and business associates – is the challenge at hand.

This white paper explores the impact of HITECH and HIPAA on data centers. It includes a description of a HIPAA compliant data center IT architecture, contractual requirements, benefits and risks of data center outsourcing, and vendor selection criteria.

HIPAA Compliant Data Centers Table of Contents

Main topics include:

• Impact of HITECH/HIPAA on data centers – why compliance is more important than ever for business associates and covered entities
• What is a HIPAA compliant data center? – what documents to look for to do your due diligence as a covered entity
• Administrative safeguards
• Physical safeguards
• Technical safeguards
• Business associate agreements – the extensive documentation OCR requires in the event of a data breach; what to look for in a business associate contract
• Outsourcing vs. in-house hosting
• Benefits of outsourcing hosting
• Risks of outsourcing – comprehensive guide on HIPAA violations and associated penalties
• Vendor selection criteria
• HIPAA compliant business associates
• And more!

HIPAA Compliant Data Center Architecture

The white paper also includes a comprehensive diagram depicting the essential elements of a HIPAA compliant data center architecture, complete with everything you need to have a fully compliant HIPAA hosting solution, including detailed descriptions of each requirement and recommended technology.

Each standard was matched with a common technology application to meet the HIPAA Security Rule. Use this diagram to help you make IT decisions when it comes to selecting a vendor and compliant technology.

View the full white paper content and download the PDF.

HIMSS Analytics: Due Diligence with Business Associates

While 98 percent of respondents require third-party vendors to sign a BAA (business associate agreement), only 50 percent require their business associates to show proof of employee training in HIPAA/security policies. The second most commonly practiced method of due diligence is ensuring business associates have a formal breach notification plan in place.

When it comes to breach notification plans, it is essential to have a clause in place that specifically details the timeline by which the business associate will notify the covered entity when a breach is suspected. Online Tech’s breach notification clause states:

2.5. Business Associate shall notify Client in writing of any Breach involving Unsecured PHI within five (5) business days of becoming aware of such Breach. All reports of Breaches of Unsecured PHI shall be made in compliance with HITECH Act § 13402 and the regulations issued thereunder.

A Breach will be treated as discovered as of the first day that such Breach is known or reasonably should have been known by Business Associate. Business Associate shall notify Client within seventy-two (72) hours of any suspected or actual Security Incident or breach of security, intrusion or unauthorized use or disclosure of PHI and/or any actual or suspected use or disclosure of data in violation of any applicable federal or state laws or regulations.

The third most commonly used method is ensuring business associates “use tools to secure patient information.” While the report doesn’t offer any additional details around what “tools” they’re referring to, it may vary from one HIPAA hosting provider to another, as the HIPAA rules do not require any one method of achieving the same security standards.

Seventy-six percent checked to ensure their third-party vendor had a plan to identify breaches, different from the 82 percent that sought out business associates with a breach notification plan. Identifying breaches can be achieved with comprehensive monitoring systems that generate logs of activity on servers, as well as Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) that can help pinpoint any attempts at unauthorized access to servers that contain ePHI (electronic protected health information).

Checking for proof of employee background checks and periodic risk analyses both ranked at 56 percent in covered entities’ due diligence of business associates. While low on the list, employee background checks are key when it comes to data breach cases.

According to the HIMSS Analytics Report, the most common perpetrators of security breach incidents are employees (79 percent). Although down from 2010’s 94 percent, this still accounts for the majority of PHI breaches within an organization. While this may be attributed to other factors such as lack of employee training, background checks should be implemented regardless for optimal PHI security.

The U.S. Department of Health and Human Services requires covered entities to conduct periodic risk analyses (read What’s in a HIPAA Risk Analysis?). An emphasis on ‘periodic’ is in order, since, like any audit or analysis, a one-time report only measures the security of an organization during a certain snapshot of time. For assurance of ongoing compliance, check their analysis and the scope of their analysis to do your due diligence.

To get educated on what you need to know about third-party vendors to stay compliant, read our E-Tip, Five Questions to Ask Your HIPAA Hosting Provider. Read our other HIPAA-related E-Tips too.

The first morning kicked off with a panel discussion of the Consumerization of IT: Mobile Infrastructure, Support, and Security. Chris Seper, CEO of MedCity Media, started us off with a 30,000 foot view of the healthcare IT landscape of tablets, smartphones, and BYOD being used to access applications daily. The great news is the PHI is readily at hand. The challenge is managing the security and privacy that mobile devices add to the responsibility of providers and vendors in the industry to protect us.

Dr. Marie-Michelle Strah of Applied Information Sciences emphasized the need for enterprise information management as the key framework for managing security. Securing the device is not the point. There’s no technical silver bullet for security, and being able to step back and see the forest is critical. Every mobile device adds another endpoint that needs to be addressed: the more endpoints, the greater the risk.

Kirk Larson, VP & COP of Children’s Hospital Central California shared his successful implementation of a BYOD policy leveraging VMware’s VDI to ensure no PHI is stored on devices.

Larson takes a pragmatic approach to BYOD in the healthcare space by recognizing that relinquishing a sense of control in what types of devices are used in the hospital is realistic for the digital world, but he still manages to secure PHI with the VDI paradigm with relative ease since there is only a single image security profile to manage despite the wide variety of devices used in the hospital.

His big eye-opener during various device implementations? Most care providers returned their iPads within 24-48 hours of receiving one. Turns out they are great for reading static content, but if you actually want to use it to interact and input information, something with a separate keyboard is widely preferred.

After a lunch for the morning workshop participants, conference chair Tom Gomez welcomed attendees back for the keynote panel, Prioritizing HIT Issues and Challenges in 2012 and Beyond with:

• Andy Crowder, CEO of JC Solutions Group
• Brian Comp, CTO of Orlando Health
• Kirk Larson, VP & CIO of Children’s Hospital Central California
• Elizabeth Lindsay-Wood, Tampa General Hospital
• Joanne Rohde, CEO of Axial Exchange

The panel discussed what keeps CIOs up at night and how to reduce stress while innovating and still meeting compliance. All easier said than done!

Tushar Hazra from EpitomeOne discussed interoperability and the key criteria for big data to help make decisions before the afternoon break.

Rick Moore, CIO & CISO of the National Committee for Quality Assurance; Terrel Herzig, UAB Health System; Deborah Lafky Center for Strategic Health Innovation; and Chad Peterson Sinaiko of Altegra Health discussed Security Integration into Each IT Business Decision. The critical need for a risk assessment as the fundamental cornerstone of healthcare IT security was emphasized, as well as leveraging existing security models and standards as a good starting point (i.e. NIST). Deborah Lafky pointed out efforts by the ONC Tiger Team to get a preliminary sense of the degree of overlap between the HITECH standards and citations that make up the HIPAA Security Rule and other standards, such as NIST, and found a roughly 66% overlap.

Next, Shahid Shah, a.k.a. the Healthcare IT Guy and blogger of www.healthcareguy.com, moderated a panel with Ron Cowan, VP Information Management & CIO of Lewistown Hospital; Edith Dees, VP & CIO of the Holy Spirit Health System; and myself as we discussed PHI in the Cloud. We discussed the importance of contract elements, policy documentation, audit standards, and other key aspects to consider when thinking of putting PHI in the cloud. Ron and Edith pointed out how the cloud allows them to implement the same technologies and standards as the largest hospitals, even without the benefit of local HIT resources. They shared lessons learned the hard way in vendor selection. I illuminated some of the lesser known variations of data center audits and key questions to ask business associates in the cloud space.

Bob Havasy rounded out the afternoon with a compelling presentation about the quantifiable self as it relates to motivating and tracking healthcare outside the walls of the hospitals with the ubiquitous mobile devices every person seems personally attached to. He shared examples of how leveraging these technologies can have a powerful impact on a person’s health awareness and success in making healthy lifestyle changes, as well as the importance of being agile and failing quickly in the development of new technologies.

The conference focuses on healthcare IT as the industry evolves, including the latest implications of ARRA (American Recovery and Reinvestment Act of 2009) and meaningful use changes and how it affects practices and hospitals. Other presentations will focus on electronic protected health information (ePHI) security, using EHR systems for health information exchange (HIE), healthcare delivery reform and other topics on improving patient care with data technology.

Online Tech’s Director of Healthcare Vertical, April Sage, CPHIMS, will be speaking on the panel The hCloud at 30,000 Feet: Cloud Computing Solutions for Mobile Healthcare. The panel will discuss how HIPAA cloud hosting can offer a way for mobile devices to capture, store and process healthcare information securely, supporting a range of healthcare applications. The panel will also discuss how mobile devices will have the ability to extend to previously inaccessible communities in order to help patients in remote locations.

Moderated by Judy Hanover, the Research Director at IDC Health Insights, other healthcare cloud computing panel speakers include:

• Jayne Bassler, VP & Associate CIO of the Florida Hospital
• Ari Entin, Director of IT at the Miami-Dade County Health Department
• Mary Carroll Ford, VP & Chief Information Officer of the Lakeland Regional Medical Center

The conference’s keynote speakers include:

• C. Martin Harris, MD, CIO & Chairman IT Division of the Cleveland Clinic will present Clinical Transformation: Experience of One System
• Jonathan Perlin, MD, PhD, President of Clinical & Physician Services and CMO of the Hospital Corporation of America

Location:
Hyatt Regency Pier Sixty Six
2301 SE 17 Street Causeway
Ft. Lauderdale FL 33316
954-525-6666

Find more information about the conference, including agenda, venue, sponsors, whitepapers and more here.

About the Institute for Health Technology Transformation

The Institute for Health Technology Transformation is the leading organization committed to bringing together private and public sector leaders fostering the growth and effective use of technology across the healthcare industry. Through collaborative efforts the Institute provides programs that drive innovation, education, and provide a critical understanding of how technology applications, solutions and devices can improve the quality, safety and efficiency of healthcare.

April Sage, Director of Healthcare Vertical at Online Tech

April has been involved in the IT industry for over two decades, initially founding a company teaching technology. In the 2000s, April founded a bioinformatics company supporting biotech, pharma, and bioinformatic companies in the development of research portals, drug discovery search engines, and other informatics software systems.

In her current position as Director, Healthcare Vertical of Online Tech, April focuses on HIPAA compliant solutions for the healthcare industry including dedicated hosting, cloud computing, and disaster recovery.

The HHS does recognize any ‘HIPAA certification’ program as legitimate. When they come to inspect and audit, they will likely not care if you have a ‘HIPAA certified’ seal on your website. They care about the security and design of your controls to protect PHI to the best of your ability, and the actual policies and procedures your organization abides by.

While many use ‘certified’ and ‘compliant’ interchangeably to mean the same thing, they cannot be used to describe data centers, hosting providers or any service provider acting as a business associate to a covered entity that needs to achieve their own compliance. For example, it’s not ‘HIPAA certified data centers,’ it’s ‘HIPAA compliant data centers.’ Or ‘HIPAA compliant hosting,’ not ‘HIPAA certified hosting.’

This article, from ZDNet is properly titled Will Your Cloud Be HIPAA Compliant? Yet, despite its title, ‘certified’ appears everywhere in the article as it refers to data center providers:

But at least one person commenting on the article seems to understand the difference:

So for service providers in the healthcare industry – and for healthcare organizations that contract out to them, please take heed: the correct term is “HIPAA compliant” not “HIPAA certified.” Be wary of those that claim to be certified – because chances are, they might not really know what they’re talking about at all.

Klein will join other technology and business professionals in the discussion about cloud hosting, including:

M.S. Krishnan, PhD., Joseph Handleman Professor of Information Systems and Innovation at the Ross School of Business, University of Michigan; Faculty Director of India Initiatives; Professor of Business Information Technology

Gary Baker, Director of IT/CIO for the Society of Manufacturing Engineers (SME), previously SVP & CIO at Gale, a part of Cenage Learning and VP of IT Delivery at Borders Group.

They will be also be presenting Cloud Computing: Approach Innovatively and Understand Trends to the Ross School of Business Alumni Club of Southeast Michigan on Thursday, April 19th, 2012, hosted at Online Tech’s Ann Arbor 2 data center. There will be tours of the data center at the event and networking. For more information and to register, visit the event page.

About the Internet Advisor Radio Program

Foster Braun and Gary Baker co-host the Internet Advisor radio program (www.internetadvisor.net) on WJR 760AM – Detroit. Now in its 15th year, the program is on 4-6 pm ET on Saturdays. Internet Advisor is also syndicated on the Michigan Talk Network.  The goals of the program are to promote good Internet resources and solutions audiences located in Southeastern Michigan or the Midwest, and help listeners have a better online experience. WJR is known as the “Great Voice of the Great Lakes” and is one of the 12 original 50,000 watt, clear channel super stations.

Mike Klein, President, Online Tech

Mike is a serial entrepreneur with more than 30 years of high tech business leadership, technology, and startup experience including CEO of Interlink Networks, Managing Partner of CompanyCrafters, and CEO /Founder of Steeplechase Software, an INC 500 Company which he sold to Schneider Electric. Prior to becoming an entrepreneur, Mike spent the first decade of his career working in sales, strategic marketing, product development at Motorola Semiconductor and Rockwell International.

M.S. Krishnan, PhD., Joseph Handleman Professor of Information Systems and Innovation at the Ross School of Business, University of Michigan

Dr. M. S. Krishnan (“Krishnan”) is Mary and Mike Hallman e-Business Fellow, Area Chairman and Professor of Business Information Technology at the University of Michigan Business School. Dr, Krishnan is also a Co-Director of the Center for Global Resource Leverage:India at the Michigan Business School. Dr. Krishnan received his Ph.D. in Information Systems from the Graduate School of Industrial Administration, Carnegie Mellon University in 1996. He has co-authored the book “The New Age of Innovation: Driving Co-Created Value with Global Networks” with C.K.Prahalad.

Gary Baker, Director of IT/CIO for the Society of Manufacturing Engineers (SME) and Co-Host of the Internet Advisors Radio Program

Gary Baker has had a long career working with computers and promoting technology development in Michigan. In the fall of 1997 when Foster called his ISP, Online Technologies Corporation (now Online Tech), and asked for help with some connection issues he talked with Gary, who was President and one of the founders. Their conversation and the whole idea of helping people enjoy their computer and online experience grew from there into the Internet Advisor show in early 1998 and an alliance that has become Detroit’s longest running locally produced technology talk show since then. Gary also appeared as the Internet Advisor on Channel 7 Action News, WXYZ-TV in Detroit, every Thursday morning from October 2000 to October 2002.

Gary is currently the Director of IT/CIO for the Society of Manufacturing Engineers (SME) and previously was the SVP & CIO at Gale, a part of Cengage Learning and VP of IT Delivery at Borders Group in Ann Arbor. He was also a partner in Arthur Andersen’s Business Consulting, Director of IT Transformation Services at AlixPartners and an executive in EDS at GM. Gary is a sought after lecturer on IT topics and new processes and technologies locally and nationally.

Though it feels like HIMSS 12 was just a few weeks ago, we’re looking forward to exhibiting at next year’s HIMSS 13 event, and we’ve already booked our booth (#1369)! The annual HIMSS conference is one of the largest healthcare IT and management systems conferences in the world, bringing healthcare industry professionals and exhibitors together from around the nation.

Located in New Orleans, HIMSS 13 will be held at the Ernest N. Morial Convention Center next to the Mississippi River. As the nation’s sixth largest convention center, we’re anxious to see if HIMSS 13 will break their record of attendees again – HIMSS 12 attendees of 37,032 broke the HIMSS 11 attendance of 31,500.

HIMSS 13 Exhibition Floor

Online Tech is an official gold corporate HIMSS member. And once again, Online Tech will be exhibiting our HIPAA hosting solutions for healthcare organizations, healthcare Software-as-a-Service (Saas) and other related organizations at Booth #1369. Find out more about our HIPAA cloud hosting, HIPAA managed servers, HIPAA colocation and cloud-based disaster recovery solutions.

We’re one of the first and few 100% HIPAA compliant hosting and HIPAA compliant data center providers that have undergone an independent audit by a CHP (Certified HIPAA Practitioner) and CHSS (Cerified HIPAA Security Specialist) and can provide a copy of our audit report to clients under NDAs (non-disclosure agreements).

We also sign business associate agreements (BAAs) to clarify our role and responsibilities when it comes to protecting your personal health information (PHI) and breach notification policies.

Ernest Convention Center Lobby

For more HIPAA hosting resources:

• 100% HIPAA Compliant
• What is HIPAA Compliance?
• What is a HIPAA Violation?
• HIPAA Compliant Case Studies
• Who Needs to be HIPAA Compliant?
• Benefits of HIPAA Compliant Hosting
• HIPAA Glossary of Terms
• HIPAA Resources: Policies, Procedures and Training Materials
• HIPAA FAQ
• Five Questions to Ask Your Business Associates
• Five Questions to Ask Your HIPAA Hosting Provider

Check back often for more information about HIMSS ’13, including helpful links and the latest announcements about speakers, exhibitors and attendees!

Ernest Convention Center Exhibit Floor

About HIMSS

HIMSS is a cause-based, not-for-profit organization exclusively focused on providing global leadership for the optimal use of information technology (IT) and management systems for the betterment of healthcare. Founded 51 years ago, HIMSS and its related organizations are headquartered in Chicago with additional offices in the United States, Europe and Asia.

HIMSS represents more than 44,000 individual members, of which more than two thirds work in healthcare provider, governmental and not-for-profit organizations. HIMSS also includes over 570 corporate members and more than 170 not-for-profit organizations that share our mission of transforming healthcare through the effective use of information technology and management systems.

HIMSS frames and leads healthcare practices and public policy through its content expertise, professional development, research initiatives, and media vehicles designed to promote information and management systems’ contributions to improving the quality, safety, access, and cost-effectiveness of patient care. To learn more about HIMSS and to find out how to join us and our members in advancing our cause, please visit our website at www.himss.org.

References:
HIMSS 12 Breaks Previous Attendance Records
New Orleans Ernest N. Morial Convention Center

Here’s a rundown of what I could pinpoint through a review of the official federal register document, 42 CFR Parts 412, 413 and 495, Medicare and Medicaid Programs; Electronic Health Record Incentive Program – Stage 2.

Encryption

In Stage 2, the proposed rule is to highlight the importance of encryption while conducting a security risk analysis. While the proposal does not seek to make encryption a requirement under the HIPAA Security Rule, awareness of encryption and the security of data at rest will be emphasized as a key measure in the review of a security risk analysis/assessment.

The federal register acknowledges that a recent HHS analysis of reported shows nearly 40 percent of large breaches were due to lost or stolen devices – encryption could secure data on any device and prevent data leaks.

Data Accessibility by Patients

In Stage 1, a core objective requires eligible hospitals to provide patients with an electronic copy of their health information upon request. Stage 2 ups the ante by requiring hospitals to provide patients with timely electronic access to their health information within 4 business days of information being made available to the hospital.

Stage 2 proposes an online patient portal or personal health record (PHR) be available to allow patient access to lab results, problem list, medication lists and allergies. This provision would call for the integration of a patient portal system into the IT infrastructure of any eligible hospital, increasing the need to streamline and support an always-available system.

But what if there was hardware failure, or a natural disaster that affected your data and application availability? In the event of a disaster, a formal disaster recovery plan can ensure your data will be readily available to meet future meaningful use requirements. Cloud-based disaster recovery can provide recovery time objectives of four hours, meaning patient data can be recovered and available on a timely basis.

Medical Imaging Accessibility

A new core objective for Stage 2 proposes that imaging results and information are accessible through Certified EHR Technology. By making medical imaging results (CAT Scans, CT Scans, X-Rays, etc.) available through an EHR system, the provision intends to reduce unnecessary costs and radiation exposure from tests repeated only because a prior test is not available to the provider.

Making medical images accessible through these systems means the need the invest in high-capacity data storage. A high-capacity HIPAA cloud hosting solution can provide massive storage or synchronization with scalability to grow as your storage needs require.

The Stage 2 meaningful use proposed changes may affect the certification process for EHR systems. As Kyle Murphy writes in What Does ONC Mean by a Certified EHR? - to demonstrate meaningful use, you need a certified EHR system; to create a certifiable EHR system, you need to know how to meet the different stages of meaningful use.

References:
Medicare and Medicaid Programs; Electronic Health Record Incentive Program – Stage 2 (PDF)

A configuration error at the authentication level of a server allowed hackers from Eastern Europe to access 25,000 social security numbers and the personal records of over 181,000 individuals collected by the Utah Department of Health (UDOH). The server was managed by the Utah Department of Technology Services (DTS). In the process of moving Medicaid claims records to a new server, hackers were able to access ePHI despite the DTS’s security system, resulting in the latest HIPAA violation.

Hackers removed 24,000 files from the server – according to the UDOH, one file can potentially contain claims information on hundreds of individuals. The UDOH reports that the DTS servers have multi-layered security systems containing perimeter security, network security, identity management, application security and data security, but the question remains, would they pass a HIPAA audit of their controls?

The UDOH claims that the DTS has process in place to secure their data, but the “particular server was not configured according to normal procedure.” This may have simply been an oversight by DTS staff, but it also raises the question of whether or not their employees are trained in HIPAA security policies and procedures.

An IT or data center organization that handles ePHI on their servers need to have multiple layers of security, including staff trained to implement technology in accordance with HIPAA standards. The DTS should have an appointed security and risk management officer employed to oversee training, with documented dates of completion.

The UDOH blog states the DTS has implemented new processes to prevent a future breach, including improving security controls related to implementing computer hardware and software, and increasing network monitoring and intrusion detection capabilities.

In a previous blog, I wrote about What to Look for in a Cloud Hosting Provider, highlighting the U.S. General Services Administration (GSA)’s Dave McClure’s criteria for a secure cloud hosting provider. One criterion included the need for continuous monitoring with real-time alerts instead of post-breach audits. The same holds true when seeking a HIPAA hosting or HIPAA cloud hosting provider – network monitoring can alert IT staff of any unauthorized access to a server and allow them to move quickly to remediate.

For more on HIPAA violations, including violation types, minimum and maximum penalties, and common mistakes made by companies resulting in a data breach, read What is a HIPAA Violation?

References:
Impact of Medicaid Data Breach on DTS Server Widens
Data Breach of 24,000 Medicaid Claims by Hackers
Medicaid Hacked: Over 181,000 Records and 25,000 SSNs Stolen

Following the recent launch of our revamped and expanded HIPAA hosting section of our site, our PCI hosting pages provide everything you need to protect cardholder data with our full attestation of compliance with PCI DSS v.2.0.

Click through below for details.

PCI Compliant Hosting Screenshot

Get the facts about PCI and what you need to be PCI compliant:

• What is PCI Compliance?
• PCI Compliant Case Studies
• Levels of PCI Compliance
• PCI Compliant Hosting Guide
• Who Needs to Be PCI Compliant?
• PCI Glossary of Terms
• Benefits of PCI Compliant Hosting
• Risk Assessments for the PCI Compliant Cloud

Or watch our three-part PCI compliance webinar series with a PCI overview, detailed requirements and penetration testing discussion.

• PCI Compliance: Detailed Requirements
• PCI Compliance: Overview
• PCI Compliance: Penetration Testing

Read about our Two-Factor Authentication service for VPN login in our FAQ.

The PCI Security Standards Council provides a template for an attestation of compliance:

Executive Summary

• Entity’s payment card business description
• High level network diagram

Description of Scope of Work and Approach Taken

• How the assessment was made
• Environment
• Network segmentation used
• Details for each sample set tested
• Any international entities requiring compliance with PCI DSS
• Wireless networks or applications
• Version of PCI DSS used to conduct assessment (2.0 is the latest)

Details About Reviewed Environment

• Network diagrams
• Cardholder data environment
• List of hardware and software in the cardholder data environment (CDE)
• Service providers
• Third-party applications
• Individuals interviewed
• Documentation reviewed
• Reviews of managed service providers

Contact Information and Reporting Date

Quarterly Scan Results

• Including the four most recent ASV (approved scanning vendor) scan results

Findings and Observations

• Requirements and sub-requirements
• Explain N/A responses
• Validation of all compensating controls

When it comes to documenting details about your reviewed environment, any of your managed service providers/PCI hosting providers should be able to produce their own attestation of compliance report to inform your company about their controls and security. This can save you the time it takes to review and report on their compliance as it affects your company and cardholder data.

References:
PCI DSS Quick Reference Guide (Version 2.0) (PDF)

Cloud Hosting Security

Security is a major concern when it comes to the cloud, but certification could help – while 47 percent of government respondents cite security as their most significant concern, nearly 80 percent claimed they would be more confident if cloud services were certified by a government entity.

Cost is the main driver for both government and the private sector to move to the cloud, with 73% and 75% respectively claiming it was necessary to realize cost reductions and savings in order to move to a cloud environment.

But how significant would those savings need to be in order to make the transition? At 43%, the private sector only needs 1-10% reduction in IT or non-IT costs to switch over, while the public sector appears to be confused, with 29% claiming they didn’t know what percent reduction in budgetary costs they needed in order to make a cloud decision.

In addition to cost, technical drivers, such as flexibility, scalability, simplicity, security and advanced technology, were ranked as either important or extremely important by 79% of government respondents, and likewise by the private sector.

Cloud Drivers

Strategic factors, such as process transformation, linkage to business/organization partners, speed to market/implementation and a focus on core competencies were ranked as important or extremely important by 77% of private businesses. This extends the benefits of cloud computing to a broader business perspective as companies prepare for long-term growth and reorganize priorities in order to realize increased efficiency.

What does a government (and as should any company concerned with security) look for in a cloud provider? Dave McClure, Associate Administrator of the Office of Citizen Services and Innovative Technologies at the U.S. General Services Administration (GSA) lists a few:

• “Cloud service providers face a long and tough accreditation and authorization process” including an assessment of access controls and tests to determine the level of knowledge a cloud provider has about relevant potential risks.
• Continuous monitoring with real-time alerts instead of post-breach audits is important in order to be “on top of any breach as fast as we can be,” according to McClure.
• For optimal security, multiple levels of technical controls, operational controls and policy controls are necessary to eliminate risk from all angles. Similar to the pillars of HIPAA safeguards that require policies regarding administrative, technical and physical security, complete data protection requires vigilance and cohesion in many different areas of an organization.
• McClure also is concerned with the managed cloud – he says he is looking for providers that have a clear vision when it comes to integrating and managing the cloud within a legacy environment, more commonly known as hybrid clouds. Hybrid clouds integrate different types of IT infrastructures to support a highly customized IT environment with cloud servers used to support some services but not all.

The study provides some excellent closing insights/tips for a range of professionals, including government leaders, government IT professionals, cloud vendors and more. Recognizing the new security challenges presented by the cloud, the study advises government leaders (or business leaders) to find an effective and accurate way to audit several areas under the cloud, including:

• Internal audits
• Global security
• Regulatory implications of data privacy
• Storage, colocation and more.

The study urges professionals to ask the following questions as they navigate the cloud vendor selection process:

• How can you ensure all regulatory requirements are met?
• What internal controls over data security need to be implemented?
• How will the data breach/disclosure process play out?
• What is the process for sharing data encryption keys internally and with a vendor? etc.

For more on the cloud, check out our comprehensive Cloud Wiki and our informative Cloud Computing E-Tips.
References:

KPMG Global Study of Governments’ Adoption of the Cloud (PDF)

Although the company has locations throughout the U.S., Canada, U.K., Europe and Asia-Pacific regions, the hackers reportedly only hit the North American portion of its network, according to MSNBC.MSN.com.

The company reports the cardholder data accessed is enough to make online purchases and potentially clone credit cards to commit fraud, despite not having access to names, addresses or social security numbers. The breach could potentially affect Visa and MasterCard cardholders, as well as Discover Financial Services and American Express. The company has launched a site, 2012 Information Security Update, to offer insight into the incident and tips for both cardholders and merchants on what to look out for and how to further protect themselves from fraud.

The unauthorized intrusion in the company’s processing system was discovered in early March, and the cards were exposed between Jan. 21 and Feb. 25. A recent update reveals the company is still investigating and states the total cost of the breach is unknown, while they are working to achieve compliance with Visa’s PCI DSS compliance requirements.

Effects of a PCI Compliance Data Breach

Visa recently removed Global Payments from its comprehensive Global Registry of Service Providers (PDF) that are official PCI DSS validated entities, although they still allow the company to process Visa card payments. MasterCard has yet to remove the company from their list of compliant processors as they are awaiting the investigation results.

What are the other consequences of a PCI data breach? MarketWatch.com reports that another credit card processor company that suffered a 40 million account breach in 2005 eventually sold their assets to another company after being dropped by multiple credit-card networks.

“Clearly not being PCI compliant has financial liability,” Global Payments Chairman and Chief Executive Garcia said, according to MarketWatch.com when questioned about the company’s lack of PCI compliance and its effect on costs for future merchant clients.

Taking risks when it comes to meeting PCI compliance standards can result in major business and reputation loss, in addition to remediation costs. Get started on the path to compliance by partnering with a PCI hosting provider that can attest to full PCI compliance (read their full report to determine the scope of requirements they cover and what your company still needs to cover). A PCI compliant hosting provider can cover many of the technical requirements you need to lighten the burden of compliance by keeping cardholder data safe within fully audited PCI compliant data centers.

Read more about the Levels of PCI Compliance to determine what kind of merchant you are based on your transaction volume, and what you need to do in order to achieve compliance. What is PCI Compliance? lists the 12 requirements that your company needs to have in place.

And our PCI Glossary of Terms defines the basic PCI hosting-related terms you need to understand any PCI document. Contact us if you still have questions, or ask your questions via Chat now.

References:
Global Payments: Under 1.5 Million Account Numbers Hacked
Global Payments Still Tallying Data Breach Costs
Visa’s Global Registry of Service Providers – PCI DSS Validated Entities (PDF)
About Global Payments Inc.
Card Firm Says Systems Now Secure

Q: What is the association of NIST w/ an independent HIPAA audit?
A: NIST is the National Institute of Standard and Technology. ATMP, utilizing SecureGRC, leverages NIST guidance when conducting HIPAA Risk Assessments.

Q: Is it possible to be HIPAA compliant without an HROC (HIPAA Report on Compliance – or without a HIPAA risk assessment?
A: No. 45 CFR 164.308(a)(1)(ii)(a) is a required Implementation Specification under the HIPAA Security Rule, Security Management Process Standard. An HROC is not a required document. However, organizations must be able to produce evidence that they have completed an assessment and resolved any deficiencies or vulnerabilities. An HROC demonstrates the auditable steps that an organization took in that process.

Q: Can you explain where the HITECH act specifies antivirus is “required”?
A: “Protection from Malicious Software,” 45 CFR 164.308(a)(5)(ii)(b), is an Addressable Implementation specification under the HIPAA Security Rule, Security Awareness and Training Standard. Addressable does not equate to Optional.

“Protection from Malicious Software” is one of the key HIPAA Implementation Specifications as it speaks to the Confidentiality, Integrity, and Availability of Electronic Protected Health Information.

Q: What about offsite backup and/or disaster recovery?
A: The ability to store a recoverable set of Electronic Protected Health Information (ePHI), and test that process, are critical components that are governed by multiple HIPAA Implementation Specifications and Standards:

Contingency Plan Standard, 45 CFR 164.308(a)(7)(i)

• Data Backup Plan (Required) – 45 CFR 164.308(a)(7)(ii)(A)
• Disaster Recovery Plan (Required) – 45 CFR 164.308(a)(7)(ii)(B)
• Emergency Mode Operation Plan (Required) – 45 CFR 164.308(a)(7)(ii)(C)
• Testing and Revision Procedures (Addressable) – 45 CFR 164.308(a)(7)(ii)(D)

Device and Media Controls Standard, 45 CFR 164.310(d)(1)

• Data Backup and Storage (Addressable) – 45 CFR 164.310(d)(2)(iv)

In addition to the Standards and Implementation Specifications listed, there are many others that factor into the procedures and safeguards that are implemented in the Backup and Recovery Process.

Q: What about a firewall?
A: A firewall can be considered in multiple Standards and Implementation Specifications across the HIPAA Administrative, Physical, and Technical Safeguards. Remember that the purpose of a firewall is to restrict access to networks through a selective process of blocking inbound traffic.  In some cases, firewalls or content filters will also block outbound traffic.

While HIPAA does not call for the direct implementation of firewall technology, in most cases, it is the most reasonable and practical approach to addressing the requirements laid out in the HIPAA regulations.

Q: What methodology did you use to come up with the 136 audited components for ATMP’s independent HIPAA audit?
A: In the development of the assessment methodology, a combination of technical, health care, and HIPAA knowledge was used. HIPAA is very clear in some areas and provides guidance in other areas. An objective risk based approach was integrated in the overall assessment process making it adaptable to any Covered Entity or Business Approach.

Q: Can you explain why there is no such thing as “HIPAA certified”?
A: Unlike other compliance standards such as ISO and SOX, HIPAA has not yet implemented a single audit standard. The industry relies on individuals and organizations who possess background in Information Technology, Health Care, and HIPAA to reasonably guide Covered Entities and Business Associates through the compliance process.

One of the main reasons that HIPAA has not implemented a single audit standard is due to the fact that one set of regulations governs all health care entities and their business partners. In other words, unlike PCI, HIPAA does not have a subset of requirements in place, based on the size of the organization. HIPAA, in its original and current state, was designed to be a flexible, scalable, and vendor neutral architecture for compliance.

Q: How many audited components go with each standard/citation ?
A: Based on the size and type of organization, we have adopted the following framework:

Defined Scope of HIPAA Compliance

Still have other HIPAA-related questions? For more HIPAA hosting resources, see our HIPAA FAQ and HIPAA Glossary of Terms.

Joe Dylewski, President, ATMP Group

Joseph Dylewski is a twenty-five year Information Technology Professional veteran, a Certified HIPAA Professional (CHP), and a Certified HIPAA Security Specialist (CHSS) with ten years spent exclusively in the Healthcare Industry. In addition to holding positions as a Project Manager and Director of Information Technology, Joseph has also served as a Healthcare IT Services Practices Director and Account Manager with a proven track-record of successfully delivering end-to-end IT application and infrastructure project services. Joseph also currently serves as an Assistant Professor at Madonna University.

Online Tech’s HIPAA hosting solutions are fully audited and compliant to provide complete PHI protection for many different healthcare organizations. We’ll be presenting on a panel, “PHI in the Cloud” to discuss cloud hosting audits, contracts and compliance checklists.

3:17 PM ET – Sunny skies in Florida:

HIT '12 Conference on Healthcare Information Transformation

HIT '12 Conference on Healthcare Information Transformation

Online Tech’s HIPAA hosting booth set up and ready for tomorrow!

Online Tech HIPAA Hosting Booth

Online Tech Systems Administrator Chris Schmitt will speak at the event on Hyper-V Briefing. Chris will discuss the current state of the art in Hyper-V deployments and future features of Windows Server 8.

Other highlights of the event include:

Topic: How-To: VMware Command Line – GUIs are for Wimps
Speaker: VMware vExpert Rodney Mach of HiperLogic
Objectives: Manage your VMware environment at the command line, which opens up automation and reporting opportunities that aren’t possible via GUI. Learn how to create scripts from scratch and modify scripts online, as well as other tips, ticks and tools to successfully manage VMware via command line.

Topic: vCenter Site Recovery Manager in the Real World
Speaker: Senior Server Engineer at a Mid-Michigan Insurance company Tim Wade
Objectives: Real world implementation examples from the inside, including private cloud infrastructure, SAN storage and IT disaster recovery.

The event will be held 6-8pm at Aubrees Tavern in Ypsilanti, Michigan. RSVP is required – find more event information and sign up here: http://aavmug.ning.com/events/aavugapril192012

About The Ann Arbor Virtualization Users Group (AAVUG)

The Ann Arbor Virtualization Users Group is an informal group of people who meet to share Virtualization solutions and ideas. Members with different degrees of knowledge learn from and support each other. AAVUG is a learning center, an open forum for new Virtualization enthusiasts as well as die hards. Events/meetings are held bi-monthly and include tips, help sessions, technology briefing and occasional demonstrations of hardware and software.

Cloud Computing

From a personal perspective, I can say that cloud computing is definitely the future and is here to stay. I can remember a few years ago when I would use my school’s email address and attach papers and homework to emails and send them to myself in order to print later that day, using it as a means to access my data at another computer. That’s the reason why the cloud is popular among personal users. Having that freedom to access data in multiple locations is the new wave of computing and is slowly being enveloped by today’s society.  We are seeing the cloud being used in everyday personal use more and more as Apple’s iCloud, Windows SkyDrive and Dropbox become increasingly integrated into some of our favorite websites and programs.

From a enterprise perspective however, we have seen, for quite some time, that many believe the cloud is not a viable option for their business.  As long as I can remember, there has always been a fear among organizations/companies about moving into a cloud environment. Whether it’s security, privacy or compliance, there has always been hesitation when considering if the cloud is right for your business.

With regards to security, big organizations have always had an uneasy feeling when it comes to cloud computing. Old traditional security architectures will not work in a cloud environment. When dealing with clouds, you also have to understand virtualization and make sure it’s secure and configured properly. While these are very easy to transition to, there is some planning that needs to be done to ensure the transition goes smoothly.

With security being discussed, compliance also comes into play. Whether it’s with PCI DSS, HIPAA or SOX compliance, it’s always a factor in any computing spectrum. Each type of compliance has its own guidelines, policies and procedures that need to be followed and in place to achieve said compliance. With all of the fines that could be placed on your own organization for not abiding by those rules, it’s essential that when looking at a cloud provider (or any sort of data/web hosting provider for that matter) to put in the research to determine their level of compliance.

Even with these added issues, I think that you’ll soon see organizations finally turn the other cheek and see the benefits (lower costs and scalability) and begin to lose this fear of “the cloud” and look at it as not “Should we use it?”, but “How can we use it?” Now is the time for it to thrive in the enterprise market, and I believe 2012 is the year for it to make its mark.

April Sage, Director of the Healthcare Vertical at Online Tech, will be speaking on a panel about PHI (protected health information) in the Cloud.

PHI in the Cloud will discuss:

• Negotiating contracts with cloud vendors
• Making business decisions based on ROI and vendor delivery
• Auditing-site visits
• SAS 70, SSAE 16, SOC and other cloud vendor/data center audits
• Offsite backup, IT disaster recovery and data destruction
• Creating your checklist to ensure your HIPAA cloud hosting solution is fully compliant

The panel will be moderated by Shahid Shah, CEO of Netspective, Managing Editor of HITSphere and Chief Blogger of HealthcareGuy.com. Other speakers include:

• Edith Dees, VP/CIO of Holy Spirit Health System
• Ronald Cowan, VP of Information Management/CIO of Lewistown Hospital

How do we fit into the healthcare IT picture? Online Tech provides a variety of compliant and audited HIPAA hosting solutions including HIPAA cloud hosting, HIPAA colocation and HIPAA managed servers for healthcare organizations and healthcare software providers that need their applications and data hosted in compliant data centers.

View more about the conference panels and other workshops here.

April Sage, CPHIMS, Director Healthcare Vertical, Online Tech
April Sage has been involved in the IT industry for over two decades, initially founding a technology program in the pre-Windows era teaching DOS, WordPerfect, and FoxPro. In 2000, April founded a bioinformatics company that supported biotech, pharma, and bioinformatic companies in the development of research portals, drug discovery search engines, and other software systems.

Since then, April has been involved in the development and implementation of online business plans and integrated marketing strategies across insurance, legal, entertainment, and retail industries until her current position as Director Healthcare Vertical of Online Tech.

2012 ENERGY STAR Certification

What is ENERGY STAR? ENERGY STAR is a federal joint program of the U.S. Environmental Protection Agency and U.S. Department of Energy to promote energy efficient products, services and buildings to significantly reduce greenhouse gas emissions and save on energy costs. The program has been adopted internationally as the official standard for energy efficient consumer products and services across Europe and Asia.

ENERGY STAR energy performance ratings can apply to all types of buildings, including hospitals, schools, banks, data centers and many others. According to the U.S. Energy Information Administration, commercial buildings alone account for 18% of total energy consumption.

Data center facilities, power and energy expenses account for 70-80 percent of total operational costs, though variable by region, according to a Forrester report. Compared to the 30 percent of a typical commercial building’s annual budget, according to BOMA/Kingsley, the energy required to cool, heat and operate a data center is immense.

Online Tech is also featured in the Energy Star online building registry as an officially certified green data center operator. Our Mid-Michigan data center was originally built by EDS as General Motor’s disaster recovery data center – equipped with dual power from diverse routes, a pooled UPS system, multiple Internet Service Providers (ISPs) with diverse fiber feeds into the data center, multiple levels of physical security, including two-factor authentication, and 400 tons of cooling capacity with full N+1 redundancy.

Online Tech's Mid-Michigan Data Center

Find more detailed specifications about our Mid-Michigan data center and all of our Michigan data centers.

For more information about ENERGY STAR Certification for Industrial Facilities:
www.energystar.gov/labeledbuildings

HIT '12

The tagline is Leveraging IT to Improve Healthcare Delivery, with a focus on how implementing new technology can lower costs, increase efficiency and improve patient care. The conference will examine the challenges of implementing health IT infrastructures and new technology, including security and privacy issues and federal regulations/meaningful use guidelines.

The top 12 issues to be covered at the conference concern healthcare IT executives:

1. Prioritizing HIT issues in 2012 and beyond
2. IT innovation in the time of compliance
3. The challenges of ICD-10 implementation
4. Storage growth; keeping up with demand
5. Moving from data to analytics/business intelligence
6. Health information exchanges: architecture, applications, connectivity
7. Creating a mobile plan and infrastructure
8. Making information available anytime, anywhere
9. Meaningful use stage 2 and beyond—optimizing IT strategies
10. Considering the cloud for EHRs—or not
11. Integrating inpatient and outpatient information systems
12. Protecting data and privacy

How do we fit into the healthcare IT picture?

Online Tech provides a variety of compliant and audited HIPAA hosting solutions including HIPAA cloud hosting, HIPAA colocation and HIPAA managed servers for healthcare organizations and healthcare software providers that need their applications and data hosted in compliant data centers. Our audited solutions can help you achieve HIPAA compliance and create an IT system within federal regulations.

Find more information about the event, including location, attendees and speakers here.

The awards are given to honorees in Science & Technology, including Michigan companies or organizations that work in alternative energy,  advanced electronic and controls, advanced manufactoring, software, life sciences and more.

Awards are also distributed to those in the website, digital marketing, search engine optimization (SEO), blogs, webinars and other related digital industries.

The awards event will open with comments from Jennifer Kluge, Corp! Publisher and keynote speaker Linda Daichendt, Executive Director of the Mobile Technology Association of Michigan. The speech will cover mobile technology and its impact on Michigan business, with discussions on:

• How is mobile technology changing the way we live and the way business is conducted?
• What is the current state of the mobile industry, its future, and its’ impact on Michigan’s economy?
• How is mobile technology impacting specific verticals, and what opportunities does it provide – particularly in Michigan?
• What are the challenges that Michigan must overcome to become a national leader in the mobile technology sector?
• What do consumers really think about mobile, and how are they using it?
• What are the options that companies can use to incorporate mobile into their business operations and marketing strategies to benefit themselves and/or their clients?

Online Tech will also be featured in Corp! Magazine’s March/April Special Edition ePublication, to be released March 29th.

Find out more about the DiSciTech event, including location, time and registration.

For more on mobile technology, try reading:
Mobile Health App Regulations: FDA & HIPAA
The Rise of the Healthcare App Industry
Federal Mobile Strategy: Increasing Access to Mission-Critical Data & Streamlining IT
Mobile Security: Are Most Apps Safe?

Speaking on Michigan’s economic gardening success stories, Yan will join other panelists at the workshop, including:

• Bonnie Alfonso, President and CEO of Alfie Logo Gear for Work and Play
• Robert D. Fowler, President and CEO of Small Business Association of Michigan (SBAM)
• With a keynote by Mark Lange, Executive Director of the Edward Lowe Foundation.

Yan will speak about why Michigan is good for business and promoting local entrepreneurship, with a focus on the advantages of starting Internet/tech companies, including cost-efficiency with great IT infrastructures that support fiber connectivity in Michigan data centers.

Attendees will include 80-100 small business owners and local business developers. The event will be held tomorrow morning in Grand Rapids, Michigan, at the Amway Grand Hotel. Find more information at Crain’s Events, including directions, contact information, sponsorship opportunities and fees.

SBAM on Entrepreneurship:
The Small Business Association of Michigan is an outspoken champion of the new economic development strategy in Michigan. Economic Gardening is a principle pushed to the forefront by SBAM that focuses state resources on growing and sustaining local, Michigan based companies.

What’s the Theory of Economic Gardening in Michigan?
As SBAM’s perspective states, the economic gardening strategy is based on growing a local economy by investing in the people, companies and ideas in your community. The theory supports encouraging entrepreneurs to launch new companies or help them grow small existing businesses and networks to support the state economy and continue self-sustained growth.

For further reading, the Michigan Environmental Council has a great report discussing the theory of economic gardening.

Read more about Online Tech In the News for the latest headlines we’re making in Michigan and beyond. Or get more details on our Michigan data centers, including features, locations and compliance.

Ann Arbor 2 Data Center

Last December, we tested the waters of just such an event with an open house for our newest location. Guests were able to mingle and network while enjoying food and tours of the facility. Several breakout sessions were held in our various conference rooms led by industry experts and insiders. See photos from the event on the OTFlickr and more information about the event.

Online Tech Data Center Open House 2011

This year we are looking to utilize the space and bring more of our own seminars in house. Several outside groups have expressed interest in utilizing the meeting space to host their own seminars and events in our Ann Arbor 2 location (our newest Ann Arbor data center) this year:

• The Michigan PowerShell Group will be hosting their meeting at the data center today during the International PowerShell User Group Day on March 19th at 6:00 P.M. ET.
• On April 19th, the Ross School of Business Alumni Club of Southeast Michigan will hold their Cloud Computing Seminar on innovation and trends at the Online Tech’s newest Ann Arbor data center. M.S. Krishnan, Ross Professor and Executive Education instructor, as well as Gary Baker and Online Tech’s President and COO Mike Klein will be presenting. Get more information on the event.

Our newest data center boasts a sleek, modern and (dare I say it?) artsy office area. With several high top work stations, laid back sitting areas and various sized conference rooms, our Ann Arbor 2 data center has become a place to meet, mingle and manage.

Planning an event at a data center is really no different than any other venue. Once you have a great location that speaks for itself, just throw in a presentation, food and people for a great mix. Easy.

References:
Open house photos by Noah Wolf of OT Operations.

The penalties and fines for a HIPAA violation range from monetary to potential imprisonment for criminal offenses:

Source: American Medical Association, www.AMA-ASSN.org

Another category of a HIPAA violation includes covered entities and individuals that knowingly breached the HIPAA rules (criminal). A HIPAA breach committed with intent to sell, transfer or use individually identifiable health information for personal or financial gain, or malicious harm, can result in fines of $250,000 and imprisonment for up to ten years.

I wrote more on the topic of common mistakes and the preventative measures any covered entity can take to eliminate the risks that may lead to a data breach here:

What is a HIPAA Violation?

Find real cases and read more about the events, repercussions, and impact of a data breach:
Total Cost of a HIPAA Violation: 18.5 Million
Michigan HIPAA Violations
Sutter Health HIPAA Breach: Lessons Learned
Military Healthcare Contractor’s HIPAA Breach Followed By a $4.9 Billion Lawsuit

Who was affected: Over 1 million members of the BCBST had their information stolen, including names, SSNs, diagnosis codes, birthdates and health plan IDs.

What: 57 unencrypted hard drives were stolen from a leased facility in Tennessee, out of a data storage closet. According to the resolution agreement, the BCBST were relocating staff from the facility and had not yet moved the servers from the closet to their new location.

Charged with: The OCR (Office of Civil Rights, official HIPAA-enforcement entity) found the BCBST failed to have ‘adaquate facility access controls,’ according to their press release. This put them in violation of implementing the appropriate physical safeguards as listed in the HIPAA Security Rule.

They were also found in violation of the administrative safeguards by failing to perform a security evaluation after operational changes.

What they could have done differently: Encrypt all data at rest, including their archived data stored on hard drives. This is a strongly recommended best practice for healthcare organizations that need to meet HIPAA compliance.

They also could have chosen to store their data in a secure, offsite location that had the appropriate physical safeguards/access controls, another important feature of HIPAA compliant data centers.

When: BCBST was alerted October 2, 2009 of an unresponsive server at the facility, but didn’t investigate until October 5, 2009. Official completion date of review, audit and affected individual notification was October 29, 2010.

How much did it cost them: Although the settlement case required BCBST to pay HHS 1.5 million, the company has spent nearly $17 million in investigation, notification and protection costs to date, bringing the total to 18.5 million. Affected individuals received free credit monitoring services, free identity monitoring, consultation, and restoration.

What are their next steps: BCBST encrypted all of its at-rest data, which they claim to be “a voluntary effort which goes above and beyond current industry standards.” While it might not be explicitly required by HIPAA standards, it’s pretty close (read Encrypting Data to Meet HIPAA Compliance for tips) :

A covered entity must, in accordance with §164.306… Implement a mechanism to encrypt and decrypt electronic protected health information.” (45 CFR § 164.312(a)(2)(iv))

BCBST entered a 450 day corrective action plan, which includes sending their written PHI security policies and procedures to HHS, monitoring their employees to ensure they’re trained and following HIPAA compliant policies and procedures, and conduct a risk management plan.

For more on HIPAA violations and the effects of data breaches, try reading How a HIPAA Breach Can Negatively Impact Your Business, or Sutter Health HIPAA Breach: Lessons Learned.

References:
HHS Resolution Agreement
BlueCross, HHS Reach Settlement in 2009 Hard Drive Data Theft
Eastgate Hard Drive Theft
HHS Settles HIPAA Case With BCBST for $1.5 Million

Cloud computing may be a solution for public health information systems. Through shared computing resources, public health departments could reap the benefits of electronic reporting within federal funding constraints.

…public health would have a new computing infrastructure to support connections with healthcare for meaningful use. Remote hosting and shared systems would overcome the problem of insufficient funding and infrastructure for public health systems.

Cloud Computing for Health IT

The article focuses on the issue of integrating meaningful use requirements into the mandatory automation of EHRs (electronic health records), and several common industry challenges that healthcare organizations face, including:

• Different types of IT systems
• Diverse and numerous service providers
• Costs of becoming compliant within requirements

EHR Implementation: Costs and Controversies

In a survey conducted by the Association of State and Territorial Health Officers, 77 percent of respondents cite a lack of funding as the main demotivating factor in EHR implementation. One common misconception is that EHR systems aren’t beneficial in any way or even cost-effective in the long run – a recent NYTimes.com article is more infamously misconstrued as sending the wrong message on the topic.

The article cites a Health Affairs study that concluded the amount of tests ordered by doctors goes up with the use of digital records systems, implying that EHR systems lead to an influx of expenses not seen with the use of paper records, and are unlikely to cut healthcare costs. The study has been criticized for its limited data set and basis on correlation, not a controlled test, by field experts and the media, and even in a blog post written by the very author of the article, Steve Lohr.

Lohr writes a great blog post in response to the outcry over his NYTimes article [including widely circulated criticism from Farzad Mostashari, the National Coordinator for Health Information technology) that goes on to provide a quote from a doctor cut from the article for space: “An electronic health record is only part of the solution. The real gains come from improving the quality of the information the doctor receives, so it is more accurate, complete and timely.”

He goes on to make the point that healthcare, as an economic system, is based on a fee-per-service incentive model, and not on actually making patients healthier. EHRs are part of the plan to change the current system to provide incentives based on the health of patients, not just the amount of services rendered, to ensure overall, permanent cost-savings.

This then developed into a larger discussion on the state of American healthcare and costs that isn’t relevant here, but he makes a great point that the debate is not about whether or not the technology should or should not be adopted, but rather how it should be adopted – there is ultimate consensus that EHRs will and do improve healthcare workflow efficiency.

So what is the actual impact of a fully functional EHR system on healthcare organizations’ operations and communications?

EHR Benefits

According to HealthIT.gov and the scholarly article “Systematic Review: Impact of Health Information Technology on Quality, Efficiency and Costs of Medical Care,” the top three positive impacts include the quality of communication with other providers (92 percent), prescription refills (95 percent) and, as the top contender, timely access to medical records (97 percent).

How Does Cloud Computing Fit into the Picture?

If healthcare organizations have a limited budget for EHR system implementation due to related costs of supporting a change in their IT infrastructure, then cloud computing can offer a viable solution by eliminating capital costs and providing on-demand network access.

To take full advantage of cost-savings and remove the barrier of not having time or personnel to manage a new IT infrastructure, outsourcing to a HIPAA cloud hosting vendor just makes sense. As a healthcare company that handles PHI (protected health information), by law, you need to meet HIPAA compliance standards for your data hosting solution and the data centers your PHI is hosted in. If you need to change your IT infrastructure and still meet compliance under budget, a HIPAA hosting provider can help, provided they are knowledgeable about the law and physical, network and technical security requirements.

Security in the cloud is another issue the AJPH article addresses by verifying that cloud applications can meet HIPAA compliance security requirements by means of a number of methods: VPNs (virtual private networks) to encrypt data transmissions and firewalls. Antivrus and OS patch management is also required.

In addition to being a cost-effective and secure solution, cloud hosting services can provide ease of data sharing with other users across networks for real-time collaboration and more efficient workflows, saving time, and theoretically, improving patient care.

References:
Digital Records May Not Cut Health Costs, Study Cautions
The Benefits of Electronic Health Records (EHRs)
Systematic Review: Impact of Health Information Technology on Quality, Efficiency and Costs of Medical Care
Recent Study: Get the Facts

The sub-requirements fall under the main requirement #12: Maintain an Information Security Policy – meaning a merchant must maintain a policy that addresses information security for all personnel, including internal employees, contractors and consultants. The sub-requirements 12.8-12.84 include language that specifically refers to service providers.

According to my earlier blog post and Verizon’s 2011 PCI Compliance Report (PDF), this is one of the most difficult PCI DSS requirements for most organizations to achieve, with only 39 percent of merchants at full achievement.

Find out more about PCI DSS and what you need to achieve compliance – read our Two-Factor Authentication FAQ.

Recommended links:
PCI Glossary of Terms
Levels of PCI Compliance
Who Needs to be PCI Compliant?

References:
Contracting for PCI DSS Compliance from The SANS Institute (PDF)
PCI DSS Requirements and Security Assessment Procedures, Version 2.0 (PDF)

Example of Patient Check-in Workflow

The AHRQ is seeking budget approval to conduct field assessments and collect data in order to create an updated workflow toolkit for healthcare IT – the last toolkit was updated in 2008. Although dated, the real issue may be the lack of awareness of the toolkit and the need to evaluate internal workflow prior to the vendor selection process.

While the HHS has fairly decent resources available, they’re not always easy to find. And with the latest federal HIPAA audit program and action taken against business associates involved in data breaches, any industry that touches PHI are now paying more attention to the laws to avoid the penalties and fees associated with a breach than they were back in 2008.

The workflow diagram to the right shows the detailed steps taken during a patient check-in.

Just a few examples of clinic workflows include:

• Answering phones
• Appointment systems
• Ordering and reporting diagnostic testing
• Ordering medications
• Making referrals
• Billing and coding

HIMSS has an informative slideshow detailing the ARHQ’s Workflow Assessment Toolkit, developed specifically for health IT in ambulatory care, answering the question of why is it important to understand your workflow when planning, implementing, and using health IT.

The first answer is to avoid potential problems down the road when it comes to disrupting clinical and administrative workflows – implementing an EHR system and other technologies creates changes in patient care, billing and other processes. Planning ahead can help with the process overhaul, but I believe healthcare organizations should not only plan for these changes, but also plan to create an entirely new set of processes and train their employees in them, whether that means using the expertise of their vendors or hiring new, experienced personnel.

The second answer refers to assisting in vendor selection. Making an IT overhaul, for security, efficiency and legal reasons, requires asking the question, how can we work smarter? And, what can we eliminate or change for the better? Whether that’s consolidating points of contact or steps taken, eliminating the middle man, or choosing a HIPAA compliant hosting provider that can effectively manage your services while you focus on your own business or patients, you need to make a Keep, Throw Out and Overhaul list of processes prior to signing a contract. How can you go out and get what you need if you aren’t quite sure what that is?

If you need some assistance with workflow flowcharts, the ARHQ has examples and guides on how to define a process here.

References
AHRQ: ‘Disappointing Results’ Often Seen in Health IT Deployment
Workflow Assessment for Health IT in Ambulatory Care (PDF)

PCI Compliance Status Breaches

Challenges to Meeting Compliance
The report lists a number challenges that serve as barriers to meeting full PCI compliance and the full set of requirements. Those challenges include:

What were the most difficult requirements to achieve?

Only 37 percent of organizations met the PCI requirement #11 – regularly test security systems and processes, and 39 percent were able to maintain a policy that addresses information security, requirement #12.

The most challenging sub-requirement, according to the report, was under #10 – tracking and monitoring. #10.5.5 requires organizations to use file-integrity monitoring (FIM) or change detection software on logs to ensure that existing log data cannot be changed without generating alerts.

The two requirements that were achieved by most organizations were #7 – restrict access to data by business need-to-know and #4 – encrypt transmission of cardholder data and sensitive information across public networks.

Another approach to meeting PCI compliance includes reducing scope by meeting certain milestones and thus reducing potential risk to cardholder data. Eighty-eight of organizations met goal #1 – remove sensitive authentication data and limit data retention. Stored sensitive data can be a liability to any organization and decrease their ability to meet compliance requirements.

What are the top causes of a PCI breach?

The report also details the top “threat actions,” meaning the cause or action that contributed to PCI breach incidents. The top five are as follows:

• 44% sent data to external sites/entities (malware)
• 44% allowed remote access or control (malware)
• 43% was due to the exploitation of default or guessable credentials (hacking)
• 42% was due to the exploitation of backdoor or command and control channel (hacking)
• 36% was a result of physical tampering (physical skimmers for the intent of fraud)

While no data center or PCI compliant hosting provider can make an individual merchant PCI compliant, they can help your organization by having PCI compliant controls already in place when it comes to certain technical requirements. Remember, due diligence is always required when you partner with a PCI hosting vendor – check their PCI audit report to determine the full scope and understanding of their compliance; don’t just take their word for it.

Read more about PCI security requirements in our FAQ for Two-Factor Authentication.

References:
Verizon 2011 Payment Card Industry Compliance Report (PDF)

Guest Speaker: Satish Malnaik, CEO of NextServices
Moderator: April Sage, CPHIMS, Director of Healthcare Vertical
When: March 13, Tuesday 2 P.M. ET

Register today!

As the healthcare industry picks up momentum toward meaningful use, practical implementation and HIPAA compliance questions have risen to the forefront of consideration.

• Should new systems be hosted in-house?
• Do I outsource just the EHR/RCM system or the entire solution as a platform?
• Are clouds safer or riskier for PHI security?
• What about for PHI availability?

During this informative webinar, Satish Malnaik, CEO of NextServices, and April Sage, Director of Healthcare Vertical for Online Tech, will compare cloud vs. traditional server-based EHR/RCM systems.

Questions and discussion points are encouraged and welcomed from webinar attendees in advance and during the webinar. Sign up and submit your questions.

Looking for more information about HIPAA compliant clouds? Find out more about in our HIPAA hosting section of our site.

Or browse through our previously recorded and transcribed webinars for more on cloud hosting and HIPAA compliance.

Satish Malnaik, Chief Executive Officer, NextServices 
Satish Malnaik is an entrepreneurial enthusiast, CEO and Co-Founder of NextServices, a company that enables seamless healthcare delivery by providing an innovative platform that blends technology, healthcare analytics and knowledge-based services for medical facilities and providers.

These days, he is fascinated with the change and evolution of the development of healthcare technology as well as cloud-based platforms that focus on better capturing, transporting, integrating and managing data. Prior to co-founding NextServices, Mr. Malnaik worked in various E-business, ERP and technology initiatives for Fortune 100 clients, such as Thomson Healthcare (Thomson Reuters), and consulting with firms such as BearingPoint (formerly KPMG Consulting).

Mr. Malnaik received his MBA from the University of Michigan Ross School of Business and he also holds a master’s degree in Engineering (MS) from the University of Toledo, Ohio. Prior to that, he completed his undergraduate degree in Engineering (BE/ BS) from The University of Mumbai in India. Satish is currently serving in an advisory role on the Strategic Advisory Board at N-Squared Growth Capital (NY) and on the Advisory Council at DDW (AGA). Previously, he also served on the Advisory Board of Billing Services at ADP®AdvancedMD and as a mentor at the Ross School of Business on Financing Research Commercialization practicum for new technology and innovation.

April Sage, CPHIMS, Director Healthcare Vertical, Online Tech
April Sage has been involved in the IT industry for over two decades, initially founding a technology program in the pre-Windows era teaching DOS, WordPerfect, and FoxPro. In 2000, April founded a bioinformatics company that supported biotech, pharma, and bioinformatic companies in the development of research portals, drug discovery search engines, and other software systems.

Since then, April has been involved in the development and implementation of online business plans and integrated marketing strategies across insurance, legal, entertainment, and retail industries until her current position as Director Healthcare Vertical of Online Tech.

While this is a definite step in the right direction for the OCR’s attempts in spreading awareness with an easier-to-understand and more practical approach, I hope they continue to delve even deeper into educating the public about HIPAA.

Transcription of the main points of the video below:

How do you get started on creating a security plan for your office?

1. Experts recommend beginning with a risk analysis – a risk analysis can help you develop establish the safeguards you need at your practice.
2. Develop and put into place administrative safeguards – those are office rules and procedures that keep your data secure. For example, you need to decide what information each staff person should have access to.
3. Your plan needs to include physical safeguards – like, positioning computers and printers out of patient areas; security locks, or an alarm system.
4. Install technical safeguards – this can include hardware, software, and any other technology that limits access to electronic health records. For example, a software program that keeps computer viruses out of your information system. Or tracks who accesses patient information and who makes changes to patient records.
5. Encrypting health records stored on computer hard drives is a vital step in keeping information confidential.

Keeping your health information secure is an ongoing process – making security part of your office routine requires diligence. But it’s the only way to protect your patients’ information and to protect your practice from fines and penalties.

Visit our HIPAA compliant resource section of our site for additional resources, including HIPAA Compliant Case Studies, Five Questions to Ask Your HIPAA Hosting Provider and Tips for Passing a HIPAA Audit.

References:
HHS on YouTube