Next month we’ll also be breaking ground at the Mid-Michigan data center to add 2 additional 1-megawatt generators for additional backup capacity.  This $1.5M investment will continue to deliver N+1 (Tier 3) generator backup for all systems as we continue to grow the power footprint of the data center.

New Emergency Broadcast System
One of the areas we’ve been focused on improving is the time it takes to notify our clients of a client-impacting event at the data center.  We took two significant steps over the last 6 months to improve our client-facing communications with a focus on rapid information and communication availability:

1. We outsourced our VoIP phone system and Exchange server to a trusted partner so our communication tools will work independently of any data center issue that may arise.
2. We created an Outage Alarm system that can e-mail, text and call our clients in the case of an outage with just a few clicks.  This custom iPad application sits in each data center NOC connected to a 4G wireless network.  This new system dramatically shortens the time it takes to inform our clients of any major incident at the data center.

Our transparency goal is to ensure we inform you of any issues before your customers or users notify you, so you’re in complete charge of the communications with your users.  Our emergency broadcast system allows us to provide very quick communication to you of an issue while allowing our operations team to stay focused on fixing the issue as quickly as possible.

Admittedly, we’re still learning how quickly to send out an alert message.  In the past few months, we have been a little too quick to use the system on what turned out to be minor issues with minimal client impact, but scared a number of our clients with broader than necessary alerts.  I apologize for the over-communication.  We’re working out the timing and breadth of using these alerts.

OTPortal Enhancements
Recently we added features to let you request and track firewall rule changes more easily, copy old firewall rule changes as a starting point for new rules, and have new firewall rules “expire” on a certain date, so that temporary rules don’t accidentally become permanent ones. This can help with security; we don’t want to leave ports or services open after they are no longer needed.

In the next 90 days, we’ll be announcing additional capabilities to the portal to make it easier to control your servers:

• The ability to view a list of your servers, and enable or disable access to common services, like FTP and HTTP for each one without needing to understand firewall rules to request these changes.
• Cloud Server Controls: You will be able to start, stop and restart cloud servers through the portal. These actions can be done immediately, or scheduled in the future.
• Cloud Server Snapshots:  You will be able to revert snapshots for cloud servers. If you are about to install new software, you will be able to easily take a snapshot of the server beforehand. If anything goes wrong with the install, you can easily revert back to that snapshot. Snapshots are temporary and expire (and are automatically deleted) after 24 hours. They cannot be used as long-term backups.

We have more upgrades in the pipeline based on some great suggestions from our clients on how we can improve the portal experience and make it more efficient for you to use.  We appreciate the feedback.  Please keep sharing your suggestions with us.  We find it very helpful in improving the portal user experience.
 
Security Services:
Is data security a concern?  If so, schedule a call with one of our systems engineers to discuss the options you can leverage to secure your servers, network and data.  Security tools like Daily Log Review and Monthly Vulnerability Scanning can take the worry out of attempted breaches and let you sleep better at night.

Daily Log Review collects your server logs daily and analyzes them for anomalies, informing you if immediate action is necessary to protect your data.  Monthly Vulnerability Scanning checks your firewalls, networks, open ports and web applications for holes that hackers can get through and provides you a monthly action report for any open vulnerabilities.

Webinars and White Papers:
Please join us for any number of our upcoming educational webinars.  We have a new series on data encryption starting June 4th, as well as an informational series on disaster recovery recorded at: http://www.onlinetech.com/events/webinars.  We also have a new mobile security whitepaper available at: http://www.onlinetech.com/resources/white-papers.

Net Promoter Score:
Finally, thank you to all of our clients that filled out our one-question survey over the last 6 months as part of our Net Promoter System (NPS) to track and measure client satisfaction.  We received a lot of really good feedback – both on what we’re doing well and where we can improve.  We ended 2012 with impressive results – an NPS score of 80% which sits with the best across most industries for customer satisfaction scores.

We look forward to continuing to serve you and deliver one of the best hosting experiences in the business.

Sincere Regards,
Mike Klein
Co-CEO
Online Tech LLC

The post Update from Online Tech: Major Data Center Initiatives & Investments appeared first on Managed Data Center News.

Online Tech’s Director of Operations, Jason Yaeger, participated in a rapid fire Q&A session this morning at the Midwest Technology Leaders conference in Plymouth, Michigan. Matt Roush introduced Online Tech as being a long time home of innovation in the state of Michigan. Jason discussed how Online Tech has managed innovation in client relations and private cloud environments:

Online Tech has taken the initiative to communicate and understand what our clients’ pain points are. We recognize that your business requires uptime 24/7. After looking across the industry and acknowledging the frustration that comes with a lack of communication, Online Tech has now developed an Emergency Notification Systems that goes out to our clients within seconds of any outage.

Online Tech is Michigan’s most trusted provider of private cloud environments. We recognize that 75% of companies will be outsourcing to the private cloud environment in the next couple of years, with 25% of companies already there. Online Tech is making the selling process of those environments easier on our clients.

About Jason Yaeger
Most recently, Jason was the recipient of the 2012 Crain’s Detroit Business CIO of the Year, exemplifying innovation in technology strategy, industry leadership and a track record of “going beyond the call of duty.”

Jason Yaeger is also Online Tech’s Risk Management and Security Officer. Jason has guided the company through the successful completion of many audits, including SAS 70 Type I, SAS 70 Type II, SSAE 16, HIPAA and PCI.

Jason also led the investment in energy efficient improvements last year on Online Tech’s Mid-Michigan data center facility. As a result, Online Tech became the first Michigan data center operator to earn the U.S. Environmental Protection Agency’s ENERGY STAR certification, putting Online Tech in the top 25 percent of facilities in the nation regarding energy performance. Read Online Tech Earns EPA’s ENERGY STAR Certification for Superior Energy Efficiency to learn more.

Read more about private clouds:
Private Cloud Computing: A Game Changer for Disaster Recovery
Private cloud computing offers a number of significant advantages – including lower costs, faster server deployments, and higher levels of resiliency. What is often over looked is how the Private Cloud can dramatically changes the game for IT disaster recovery in terms of significantly lower costs, faster recovery times, and enhanced testability. … Continue reading →

Pairing Cloud Computing Benefits with Security and Compliance
The added business value of cloud computing is multi-faceted, as Online Tech’s co-CEO Mike Klein outlined in a previous article, The Six Benefits of Cloud Computing, which I’ll summarize here: Lower Costs Pooling of computing resources means better efficiency and … Continue reading →

Precautions with the HIPAA Cloud for Healthcare Software as a Service (SaaS) Companies
A recent Google search brought me to a health IT blog, Life as a Healthcare CIO, and the post entitled The Reality of SaaS. The author discusses whether or not SaaS/cloud computing is appropriate for EHR (electronic health record) hosting … Continue reading →

The post 2013 MTL: Managing Innovation in Client Relations & Private Clouds appeared first on Managed Data Center News.

Keynote: Competencies of the New CIO
Speaker: Larry Bonfante- CIO, United States Tennis Association (USTA)

CIOs today must be more than a provider of technology and services. They must be able to engage with the consumer, board members and senior executives as business executives and thought leaders themselves.

Most CIOs have grown up in the IT realm, they know how to leverage that IT to help business, but the third leg (missing leg) is “human dynamics.” Today’s CIOs need strong relationship management and marketing skills, which are qualities that don’t always come easily to a CIO. Being the CIO of an organization today is a front-facing role and not just sharing IT knowledge.

People should be passionate about the organizations they work for. How many employees take their “souls” off and hang them at the door and put it on when they leave the office? We need our CIOs to bring their whole person and soul to the job.

Organizations need a vision to inspire people and find what makes their people “tick.” It needs to help people understand the link between their efforts and the company vision. It needs to become their vision and not just one hoisted on them.

The main purpose of IT is to drive business value. CIOs shouldn’t be in the business just for the sake of technology being “cool.” IT is about being the very fabric of the business and integrated with it.  IT needs to be part of the decision-making of the business. If you woke up your CIO at 2am, what would their answers be to the following questions:

• What matters? What are you striving for?
• How are the things we doing in IT enabling those outcomes?
• If we are doing things that don’t matter, why are we doing them?

When it comes to communication, even if you think you have communicated enough, communicate some more! The key to communication is listening. CIOs need to become better listeners so they can become better communicators.

CIOs of yesterday were often easy to pick out of a crowd, because…

1. They dress different than everyone else
2. They haven’t built relationships with anyone in the room
3. When they open their mouth, they speak “geek speak”

Today’s CIO need to speak to people in clear English. When entering the boardroom, they need to be able to speak business in the language of board members and truly fit in. Tailoring the message to the audience in the room is key.

Everyone looks at life through their own lens and constantly ask, “What’s in it for me?” If CIOs are going to be effective relationship managers, the question needs to be: “What’s in it for them?” When you’re a leader, it’s never all about you. Leaders build their team and consistently give others credit, it’s about serving others. It is critically important to work members of your team as individuals and do what is effective for them.  CIOs owe it to people to develop them to the best THEY can be.

The post 2013 Midwest Technology Leaders Keynote: Competencies of the New CIO appeared first on Managed Data Center News.

Two weeks from today marks the start of the 9th annual Internet Retailer Conference & Exhibit (IRCE) in Chicago. We’ll be there at booth #108, among the 200 speakers and 9,500 executives related to e-retail.

Topics range from creating a global presence using e-commerce, to e-marketing tips to boost traction on search, to focusing on B2B sales and marketing. Social commerce, e-commerce technologies, and online payment processes will also be hot button topics throughout the exhibit. Here’s just a few of the 220 speakers that will be presenting at the IRCE:

Mindy Grossman

Al Gore
Al Gore will be giving his address, The Global View: The Internet, Business, and The Worldwide Opportunity, on June 5th, 9:45-10:15am. He’ll be giving insight into how the internet’s ubiquitous nature can help companies compete on a global level. Being on the board of directors of Apple, as well as a senior strategic advisor to Google, this is an incredible chance to hear one of the leading experts talk about what the future of online business can be.

Each day will have 5 different tracks to follow, with a total of 120 sessions. Squeezing all these speakers and sessions into a three day conference means you’ll never have time to see it all, so be sure to keep an eye on the blog throughout the conference. We’ll be live-blogging each day to make sure you get everything you can out of this wonderful opportunity.

Also, don’t forget to stop by and see us at booth #108, so don’t hesitate to visit us. We’ll be showing off our wide array of PCI compliant offerings. Whether you have questions about compliant colocation, managed servers, or clouds, we can answer them for you, and help set you up with a solution that fits your project.

Resources:
http://irce.internetretailer.com/2013/agenda/#/overview
http://www.onlinetech.com/events/internet-retailer-conference-a-exhibit-irce-2013
http://resource.onlinetech.com/internet-retailer-conference-exhibit-irce-2013/

The post PCI Compliant Hosting at the Internet Retailer Conference & Exhibit (IRCE) appeared first on Managed Data Center News.

The first and most important decision your organization can make regarding disaster recovery is deciding on the geographical location.  There are many things to consider including the probability and severity of natural disasters, other weather conditions like temperature, power structure of the area, and availability of a knowledgeable workforce.
The state of Michigan offers many positives in all of these areas.  Let’s take a look at the top 5 reasons why Michigan is a good disaster recovery location.

1.  Low Probability of Natural Disasters – It is hard to predict when and where a natural disaster will hit.  However, there are geographical locations that are more prone to natural disasters than others.  For example, the state of Florida and Texas has a high probability of hurricanes while California has a high probability of earthquakes.

There is an extremely low risk of natural disasters in the state of Michigan and it is one of the safest states in terms of natural disaster.  The NOAA (National Oceanic and Atmospheric Administration) found that the Great Lakes region has a low probability of hurricanes or tropical storms.

According to their research, the region experiences hurricane or tropical storm remnants, on average, twice a decade.  And in the majority of instances, the storms diminish to rain storms by the time they reach the region.  In the case of earthquakes, the U.S. Geological Survey (USGS) predicts that Michigan has less than 1% chance of having an earthquake in the next 50 years.

2. Low Severity of Natural Disasters – Another consideration regarding natural disasters is the severity or impact that a natural disaster can have on a region.  For example, a more densely populated area, such as the East Coast, will experience greater devastation than less populated areas.  Hurricane Sandy was a great example of how populated East Coast cities suffered with power outages, flooding and fuel shortages.

According to FEMA’s website, the state of Michigan has only declared disasters a total of 33 times.  Only seven other states declared disaster less times including South Carolina, Utah, Wyoming, Connecticut, Delaware, Maryland, and Rhode Island.  Yet, four of these states rank in the top 10 of population density(1).  Therefore, Michigan offers less disasters and lower population density than most states.

“The natural disaster we do have is a tornado,” says Yan Ness.  The good news, bad news about a tornado is that the swath of damage of a tornado is measured by hundreds of yards, not miles like a hurricane.  So, in Michigan 50 miles is adequate for disaster recovery separation.  You can have equipment in one location and backup equipment 50 miles away.  This allows employees to quickly travel to the backup site in less than an hour if disaster strikes.

3.  Two Separate Power Grids – A down utility grid could cause significant power outages following a natural disaster.  So, it is very important to consider a location that can offer you a strong power grid as well as the opportunity to use multiple power grids for increased availability and reliability.

According to Ness, since Michigan used to have a lot of auto plants that needed power, Michigan has a large capacity of power along with a very robust, sizable power grid.  One unique thing about Michigan is that the state has two separate power grids.  Michigan has two separate power companies – one serves the northern half of lower Michigan and the other serves the southeastern and southern half of Michigan.

Online Tech has data centers located in both power grids. So even though you are in one state you can drive between the data centers that are completely powered by different grids, different companies; yet they’re still connected by very cost effective fiber.

4. Cool Temperatures – Michigan’s year round cool climate is ideal for disaster recovery locations.  With cool temperatures, Michigan data centers do not need to rely as heavily on powered cooling as data centers in the south.  Michigan’s average heating day is 62 degrees which allows data centers to use free cooling about 90% of the time.  This helps Michigan data centers to lower utility costs but cool temperatures can also reduce the risk of servers overheating and potential hardware failure affecting data availability.  Read more about the benefits of Michigan cool climate Michigan – The Next Cool Thing for Data Centers.

5. Well-Educated Workforce – A disaster recovery location should also have access to a knowledgeable, educated workforce.  After all, people are the ones who support a disaster recovery site.  Michigan boasts the 4th largest high-tech workforce in the U.S. and ranks as one of the top technology centers in the nation.  Michigan residents also have access to 27 colleges and universities that offer degrees in science, engineering and technology.

(1) www.worldatlas.com

The post Top 5 Reasons Why Michigan is a Good Disaster Recovery Location appeared first on Managed Data Center News.

The most frequently stolen items included laptops, desktops and mobile media (USB drives, CDs/DVDs, backup tapes). When it came to business associates, they accounted for 58 percent of the records breaches, and were implicated in 21 percent of the breach cases.

Business Associate Breaches; Source: HITRUSTAlliance.net

With numbers like these, physician practices and health system CIOs should be aware of the possible areas of IT risk in order to secure PHI (according to HITRUST) – for each of the following areas, I’ve provided resource links and tips:

Information Security Policies and Procedures
Establishing a set of standards that are custom to your organization can help guide user behavior toward more secure practices. Policies are necessary to abide by the HIPAA Security Rule’s Organizational, Policies and Procedures and Documentation Requirements standard 164.316(a) for covered entities:

Implement reasonable and appropriate policies and procedures to comply with the standards, implementation specifications, or other requirements of this subpart, taking into account those factors specified in § 164.306(b)(2)(i), (ii), (iii), and (iv) [the Security Standards: General Rules, Flexibility of Approach].

Security policies should address password management, PHI storage/use, encryption, PHI exchange procedures, privacy filters, etc. For a list of example HIPAA resources, including policies, procedures and training materials from a variety of established medical centers and university health systems, visit HIPAA Resources: Policies, Procedures and Training Materials.

Endpoint/Mobile Security
This involves protecting networks when connecting remotely via any number of devices, including laptops, desktops, servers, phones and tablets. Connecting remotely via a VPN (Virtual Private Network) that requires two-factor authentication (username/password, and a secondary form of authentication, typically via a cell phone call or text) may provide more assurance against the risk of unauthorized access to sensitive healthcare data. Other security services like firewalls, antivirus and patch management may also help secure endpoints.

Learn more about two-factor in our upcoming webinar, The Affordable Way to Maintain Security and Compliance with Two-Factor Authentication, June 4 @2PM ET, or check back after for a recording of the presentation.

The BYOD (Bring Your Own Device) movement in the healthcare industry calls for a mobile security policy. Read our Mobile Security white paper on how to keep devices and mobile apps secure, as well as a BYOD case study of a mobile security architecture designed and implemented successfully within a hospital environment.

Encrypting devices, email and other healthcare data is another industry best practice and addressable standard of HIPAA technical safeguards that require access control:

A covered entity must, in accordance with §164.306… Implement a mechanism to encrypt and decrypt electronic protected health information.” (45 CFR § 164.312(a)(2)(iv))

Join our upcoming webinar Encryption – Perspective on Privacy, Security & Compliance to learn more, or read about Encrypting Data to Meet HIPAA Compliance.

Network Security
Sensitive IT infrastructure including managed servers, cloud, power and networks should be protected by restricted access, and routers, switches and devices should meet HIPAA compliant requirements to protect ePHI (electronic protected health information) found on networks. Firewalls and Intrusion Detection Services can work to identify security breaches and notify you or your hosting provider to take action.

Staff Training and Security Awareness
HIPAA security awareness and training is another administrative safeguard required by the HIPAA Security Rule – not only is a staff training program required, but periodic retraining is necessary whenever new policies or procedures, significant software or hardware upgrades, new security technology, etc. are implemented within an organization.

Business associate training is also important, as they were implicated in 21 percent of HIPAA breach cases, as mentioned earlier. Check that your vendors have a delegated security and risk officer, and that training is updated/established for new employees.

Breach Response
The HIPAA breach notification rule dictates that covered entities must notify affected individuals/the media/the HHS (if affecting more than 500 state residents) of a data breach no later than 60 days after discovery. Business associates are also required to notify covered entities no later than 60 days.

As a healthcare CIO, check your vendor contracts, or business associate agreement (BAA) for terms on their roles and responsibilities when it comes to breach notification policy to ensure you’re on the same page, and you can gather the documents and information you need to accurately report to the OCR. To find out what the recent HIPAA omnibus rule dictates for BAAs, read Final HIPAA Omnibus Rule: Business Associate Agreements & Roadmap to Compliance.

For a list of information that the OCR requests shortly after a self-reported HIPAA breach, including documentation, risk assessments, policies and procedures and more, read OCR Audit Requirements Following a Self-Reported HIPAA Breach.

Third-Party Assurance
Your third-parties may be your business associates now that the final omnibus rule has widened the scope of who may be audited and fined for not meeting HIPAA compliance. Think it’s not your problem? Think again – the new rule document states that the “proposed changes would make covered entities and business associates liable under § 160.402(c) for the acts of their business associate agents, in accordance 61 with the Federal common law of agency, regardless of whether the covered entity has a compliant business associate agreement in place.”

As I initially wrote about in How the Final Omnibus Rule Affects HIPAA Cloud Computing Providers, cloud service providers and HIPAA hosting providers now fall under the definition of a business associate. Covered entities can ensure their third-parties can meet HIPAA by reviewing their independent audit reports measuring their security standards and practices against the OCR HIPAA Audit Protocol. Anything less than fully compliant is a risk your organization can’t afford to take.

Access Control
A HIPAA standard that helps meet technical safeguards, access control refers to restricting PHI system access to only authorized persons or software. The specifications include:

1. Unique User ID – Just as it sounds, assign a unique username or code to track users.
2. Emergency Access Procedure – This should be in the established policies and procedures that allows access to ePHI as needed in an emergency.
3. Automatic Logoff – Establish a way to terminate electronic sessions after a predetermined time of inactivity.
4. Encryption/Decryption – See Endpoint/Mobile Security.

Physical Security
HIPAA Security Standards for physical safeguards, specifically facility access controls, requires the implementation of:

…policies and procedures to limit physical access to its electronic information systems and the facility or facilities in which they are housed, while ensuring that properly authorized access is allowed.

Restricting physical access to servers should be on your list of IT security – only authorized personnel should have building access to where your data is stored or processed, and dual factor authentication with the use of badges and biometrics (fingerprint recognition) can assist in tighter access control. Environmental controls can also be managed with surveillance, monitoring and alarm systems, as well as policies for visitors.

For more on using the cloud and secure hosting for HIPAA compliant solutions, read our HIPAA Compliant Hosting white paper. Questions to ask your HIPAA hosting provider, data center standards cheat sheet and a diagram of the technical, physical and administrative security components of a HIPAA hosting solution (including HIPAA compliant clouds) are included.

Or read our Mobile Security white paper for how to secure electronic protected health information (ePHI) while using mobile devices in the workplace, ideal for any healthcare organization interested in implementing a secure BYOD (Bring Your Own Device) environment.

Still have questions? Contact us or chat now.

References:
A Look Back: U.S. Healthcare Data Breach Trends (PDF)
HIPAA Security Standards: Physical Safeguards (PDF)
Breach Notification Rule

The post HIPAA Security Checklist for Healthcare Organizations appeared first on Managed Data Center News.

The patch for Internet Explorer is meant to resolve eleven different vulnerabilities found within the browser. These vulnerabilities could result in remote code execution if the user lands on a specially made web page using Internet Explorer, allowing the attacker to gain the same rights as the user. This affects Internet Explorer 6-10 on Windows clients.

The other critical update resolves one vulnerability disclosed to take the place of a temporary fix Microsoft announced last week. It also allows remote code execution if a user views a malicious website within the browser. This vulnerability may only affect Internet Explorer 8, which is an older version of the browser, but it happens to currently be the most used version. An attacker that exploits this vulnerability could end up with the same rights as the user. Microsoft mentions that one way to lower the effect of remote code execution attacks is to configure user rights on a basis of need. If a user isn’t dependent on certain administrative rights in order to fulfill their duties, it would be best to pare down their access.

The updates labelled important are split into a few different groups:

Denial Of Service:
MS13-039 is an update to all supported editions of Windows 8 and Windows Server 2012. The vulnerability could allow a DoS situation if an attacker sends a specifically made HTTP packet to an affected server or client. Microsoft is resolving this by correcting the way that HTTP.sys handles certain HTTP headers. This patch will require a restart.

Spoofing:
This update is for a vulnerability within the .NET Framework. Successfully exploited, an attacker could change the contents of an XML file without affecting the signature of the file. It would allow them to function as an authentic user. Microsoft is re-evaluating how the .NET Framework validates signatures in XML files and policy requirements for authentication.

Remote Code Execution:
There are three different ‘important’ vulnerabilities that are resolved that could allow an attacker the rights of an appropriate user. The patches affect Microsoft Publisher, Microsoft Lync, Microsoft Word 2003, and Microsoft Word Viewer. These updates may require the user to restart.

Information Disclosure:
Two patches resolve information disclosure vulnerabilities. The first is for Microsoft Visio, and was fixed by Microsoft changing the way the XML parser resolves outside entities within specially made files. This vulnerability would not be able to change the rights of an attacker, but would be able to give them more information that could aid in further compromising the system. The other patch is for Windows Writer. An attacker could successfully exploit this vulnerability by having a user visit a website and click on a specially crafted URL. The attacker could then override proxy settings for Writer, and overwrite files within that system. Both of these updates may require a restart.

Elevation of Privilege:
The last update is to fix an elevation of privilege vulnerability within Windows XP, Vista, Windows Server 2008, Windows 7, Windows 8, Windows Server 2012, and Windows RT. This exploit would allow the elevation if an attacker ran a specially crafted application on the system. They would have to have proper login credentials in order to perform this exploit, and would also need to be locally logged in. This update will require a restart.

Resource:
Microsoft Security Bulletin for May

The post May Microsoft Security Updates appeared first on Managed Data Center News.

For the first one of the series, join Chris Heuman, Practice Leader for RISC Management and Consulting for a discussion on the value of encryption for HIPAA, PCI and many other regulatory frameworks and the successful components of a data security program that integrates encryption. Find out how you can sign up online for Encryption – Perspective on Privacy, Security & Compliance.

The second in the encryption webinar series features Mark Stanislav, Security Evangelist at Duo Security as he discusses encryption for Linux, and Farooq Ahmed, Software Development Manager of Online Tech who will cover encryption for Windows. Sign up for Encryption at the Software Level: Linux and Windows.

For the third and final encryption webinar, join Steve Aiello, Systems Support Manager at Online Tech for a presentation on encryption at the hardware and storage level.

Title: Encryption at the Hardware and Storage Level
When: Tuesday, June 25, 2013 @2PM ET
Register: Find the GoToMeeting link at our website.
Description: Join Steve Aiello, Systems Support Manager at Online Tech for an informative webinar on encryption at the hardware and storage level.  Steve will discuss how encryption can be applied at various levels from the hardware and storage perspective. Impacts on performance, backup, security, and available resources may suggest very different encryption implementations.

This webinar explores the variety of places where encryption can be employed to mitigate risk of data loss or breach, and some of the considerations for choosing the most appropriate method to employ.

Steve Aiello, Systems Support Manager, Online Tech
Steven Aiello is a Systems Support Manager with Online Tech, the Midwest’s premier managed data center operator. His certifications include CISSP (Certified Information System Security Professional), ISACA CISA, VMware VCP ( VMware Certified Professional), Cisco CCNA ( Cisco Certified Network Associate), Comptia Security+, and Certified Incident Responder (New Mexico Tech).

Steve is also presenting at Security B-Sides Detroit on securable infrastructures, June 7-8. Security B-Sides is a grassroots, DIY, open security conference bringing together a large number of IT and security professionals. Learn more about the event in Online Tech Presents on IT Security at Detroit B-Sides Security Conference.

The post Encryption at the Hardware and Storage Level appeared first on Managed Data Center News.

For the first one of the series, join Chris Heuman, Practice Leader for RISC Management and Consulting for a discussion on the value of encryption for HIPAA, PCI and many other regulatory frameworks and the successful components of a data security program that integrates encryption. Find out how you can sign up online for Encryption – Perspective on Privacy, Security & Compliance.

The second in the encryption webinar series features Mark Stanislav, Security Evangelist at Duo Security as he discusses encryption for Linux, and Farooq Ahmed, Software Development Manager of Online Tech who will cover encryption for Windows.

Title: Encryption at the Software Level: Linux and Windows
When: Tuesday, June 18, 2013 @2PM ET
Register: Find the GoToMeeting link at our website.
Description: Join Farooq Ahmed, Software Development Manager for Online Tech and Mark Stanislav, Security Evangelist for Duo Security, for an informative webinar on encryption at the software level for Linux and Windows.  Farooq and Mark will discuss how encryption can be applied at various levels, from the software application code.

Impacts on performance, backup, security, and available resources may suggest very different encryption implementations. This webinar explores the variety of places where encryption can be employed to mitigate risk of data loss or breach, and some of the considerations for choosing the most appropriate method to employ.

Mark Stanislav, Security Evangelist, Duo Security
Mark Stanislav is the Security Evangelist for Duo Security, an Ann Arbor-based startup focused on two-factor authentication and mobile security. With a career spanning over a decade, Mark has worked within small business, academia, startup, and corporate environments, primarily focused on Linux architecture, information security, and web application development.

Mark earned his Bachelor of Science Degree in Networking & IT Administration and his Master of Science Degree in Technology Studies, focused on Information Assurance, both from Eastern Michigan University. Mark also holds his CISSP, Security+, Linux+, and CCSK certifications.

Farooq Ahmed, Software Development Manager, Online Tech
Farooq Ahmed is Online Tech’s Software Development Manager and is the Chief Architect of OTPortal, Online Tech’s feature-rich dashboard which delivers on-demand access to server monitoring, management and customer support 24×7.

His career spans more than 14 years with analysis, design and .Net development with VB.Net and C#. Farooq has designed components for online payment systems and the banking industry. Farooq earned a Master’s in Computer Science from the University of Karachi.

Stay tuned for info on our third encryption webinar! And read more about encryption in:

Federal Health IT Budget Increases by 28 Percent: Encryption, Mobile Security & EHR Safety
The proposed federal fiscal 2014 budget calls for a 28 percent increase to support further development of health IT initiatives while taking over where HITECH funding stops (ending in fiscal year 2013). The Office for Civil Rights’ (ONC) funding will … Continue reading →

2013 State of HIPAA Encryption & Authentication for Healthcare
According to the Healthcare Information Security Today report, 2013 Outlook: Survey Offers Update on Safeguarding Patient Information, most healthcare organizations believe that encryption would greatly improve their data security. Forty-one percent plan to encrypt all mobile devices and removable media, … Continue reading →

Encrypting Data to Meet HIPAA Compliance
To address the question of whether or not to use data encryption when it comes to meeting HIPAA compliance and keeping patient health information (PHI) protected, let’s revisit the Health Insurance Portability and Accountability Act of 1996 (HIPAA): … Continue reading →

The post Encryption at the Software Level: Linux and Windows appeared first on Managed Data Center News.

With three Michigan data centers, Online Tech has been utilizing Michigan’s cool air temperatures to help lower their data centers costs.  “We naturally use less energy because it is cooler in Michigan,” says Yan Ness, Online Tech Co-CEO.

As Michigan – The Next Cool Thing for Data Centers mentions, Michigan’s year round cool climate is ideal for data centers.  As Ness points out that Michigan’s average heating day is 62 degrees and free cooling kicks in around 50 degrees.  So, air conditioning units can take advantage of the environment, even in the spring and fall, about 90% of the time in Michigan. “This is why Michigan is a great place to have data centers.  We should bring all servers all over the south up here and put them in our buildings,” says Ness.

Online Tech has been utilizing free cooling in their Michigan data centers for a few years.  In 2011, Online Tech invested over $1 million dollars into the Mid-Michigan data center incorporating higher energy efficiencies.  Old air conditioning units were upgraded to new units that were suitable for free cooling and more energy efficient.  “The savings has almost paid for the equipment,” says Ness.

Online Tech’s Michigan data centers not only incorporate free cooling to lower cooling costs.  All of our Michigan data centers are designed using hot/cold aisle containment and hot/cold configuration.  At the end of each row cabinets, a hidden plastic container directs all of the cold air into the center of the servers.  This maximizes the use of the cold air to cool the equipment and lessen the amount of cold air escaping.

Also, servers are organized in a hot/cold aisle configuration.  This hot/cold aisle layout lines up servers racks in alternating rows with server hot air exhausts pointing in the same direction and improves airflow management.

If you are interested in learning other ways to make your data center more efficient read Investing in Data Center Efficiencies – Part One and Investing in Data Center Efficiencies – Part Two.

The post Online Tech’s Michigan Data Centers Use Free Cooling appeared first on Managed Data Center News.

Title: The Affordable Way to Maintain Security and Compliance with Two-Factor Authentication
When: Tuesday, June 4, 2013 @2PM ET
Register: Online with GoToMeeting
Description: Never suffer from weak passwords again. According to Mandiant, 100% of security breaches involve stolen credentials. Not a week goes by without news of another high-profile security breach– trusted websites like LinkedIn, LivingSocial, Evernote, and more. And in a cascade of damage, when these sites are breached, passwords are stolen and can be reused to access additional accounts. The impact on your business and the professional reputation of your business can be disastrous.

If you must meet industry compliance standards such as HIPAA compliance or PCI DSS compliance, two-factor authentication is a best practice to fulfill authorization and authentication requirements. Join Dug Song, CEO of Duo Security and Jason Yaeger, Director of Operations/Risk Management & Security Officer of Online Tech as they discuss how to employ two-factor authentication to protect your data and your business.

Dug Song, CEO of Duo Security

Dug has a history of leading successful products and companies to solve pressing security problems. Dug spent 7 years as founding Chief Security Architect at Arbor Networks, protecting 80% of the world’s Internet service providers, and growing to $120M+ annual revenue before its acquisition by Danaher.

Before Arbor, Dug built the first commercial network anomaly detection system (acquired by NFR / Check Point), and managed security in the world’s largest production Kerberos environment (University of Michigan).

Dug’s contributions to the security community include popular open source security (OpenSSH,libdnet, dsniff), distributed filesystem (NFSv4), and operating system (OpenBSD) projects, and co-founding the USENIX Workshop On Offensive Technologies (WOOT).

Jason Yaeger, Director of Operations/Risk Management & Security Officer, Online Tech

In his three years at Online Tech, Jason has guided the company through successful completion of many audits, including SAS 70 Type I, SAS 70 Type II, SSAE 16, and HIPAA. In addition to overseeing operations across all of Online Tech’s data centers, Jason is also the Vice President of the Southeast Michigan Chapter of 7×24 Exchange.

Prior to Online Tech, Jason was Director of Internet Operations at 20/20 Communications where he spent 8 years developing the company’s wireless and internet initiatives.

More About Two-Factor Authentication:

Evernote Adds Two-Factor Authentication
On Saturday the online SaaS (software as a service) note-collecting Evernote posted a blog with subsequent email stating that they had discovered and blocked unauthorized activity on their network. In response to the attack, they reset the passwords of the … Continue reading →

Two-Factor Authentication Helps Fight Unauthorized Access
Access is a huge security concern for every company, no matter the industry. Thus, having an extra layer of technical security in place that employees must go through in order to access a company’s network can help reduce the risk … Continue reading →

Simple Security Improvements with Your Mobile Device
Two, 2-minute security improvements to secure your account My inbox receives between 100 and 200 work emails daily – so far, as of writing this at 4:11pm, I’m up to 155. I won’t share my personal email stats – it … Continue reading →

The post Upcoming Webinar: The Affordable Way to Maintain Security and Compliance with Two-Factor Authentication appeared first on Managed Data Center News.

When: Friday – Saturday; June 7-8, 2013
Where: Renaissance Conference Center, GM Renaissance Center, Tower 300 Level 2, Detroit, MI 48243
Cost: Free
Schedule: View Calendar of Talks
RSVP: Via EventBrite.com

Read on for more about Steve’s talk Saturday, June 8 at 10 AM ET:

Title: Building Securable Infrastructures

Abstract: This session asks the question: “How do I design my environment to be securable?”  Until computing systems are designed and built with security and in mind we will be trapped in a cycle of post implementation Band-Aid style fixes.  Without designing infrastructures from the ground up with security in mind and real attempt to defend against directed attacks will be largely unsuccessful.

• How do we evaluate products in a systematic manor to eliminate vulnerabilities we invite into our environments?
• Where is money more wisely spent: on developing quality security policies and guidelines? Or on buying, configuring, and maintaining security products?
• What are critical questions that we should be asking our vendors when we are evaluating new products for our environments?

Speaker bio: Steven Aiello is a Systems Support Manager with Online Tech, the Midwest’s premier managed data center operator. His certifications include CISSP (Certified Information System Security Professional), ISACA CISA, VMware VCP ( VMware Certified Professional), Cisco CCNA ( Cisco Certified Network Associate), Comptia Security+, and Certified Incident Responder (New Mexico Tech).

Other talks include topics such as:

The Ever-Evolving Threat Landscape – This talk covers how the threat landscape has changed in the past decade, as well as exemplifying the advanced capabilities of malware.
In Case of ZOMBIES Break Glass – Exactly what it sounds like. How to survive real scenarios that may bring about the zombie apocalypse.
So You Want to Hire a Penetration Testing?: 10 Tips for Success - Mark Stanislav of Duo Security describes the process of hiring and working with an Ethical Hacking (EH) services company.

Steve presented on IT disaster recovery and business continuity for a webinar series earlier this year. View all three webinars and slides.

About B-Sides
Each BSides is a community-driven framework for building events for and by information security community members. The goal is to expand the spectrum of conversation beyond the traditional confines of space and time. It creates opportunities for individuals to both present and participate in an intimate atmosphere that encourages collaboration. It is an intense event with discussions, demos, and interaction from participants. It is where conversations for the next-big-thing are happening.

The post Online Tech Presents on IT Security at Detroit B-Sides Security Conference appeared first on Managed Data Center News.

Speaker Niel Nickolaisen, the CIO of Western Governers University is going to be detailing some IT best practices that leaders can implement to determine what objectives to focus on, and how to boost their IT performance to give their customers the best possible customer service. This talk is going to be chock-full of case-studies, true to life examples, and executable processes that can help revitalize your IT department.

Adriana Karaboutis, VP and Global CIO for Dell, is also going to be at the symposium. Her talk, The CIO as Innovator: How to Create True Business Value, is going to give some insight into how she translated her position at Dell by focusing on agility and innovation. This should be really informative for any CIOs looking to meet their goals and create value that can be felt by the entire business.

Another CIO you can hear at the conference (and one I’m particularly excited to hear from) is David Behen, CIO of the State of Michigan. Back in February we heard David Behen speak at Eastern Michigan University about some of the IT initiatives currently planned or implemented within the state.

He explained that the state of Michigan is focused on improving four key areas:

• Cybersecurity
• Health IT
• The Michigan.gov website
• Data centers

Behen was also quoted as saying that “the state of Michigan is the ideal place for data centers.”

He’s right, too. Michigan has one of the lowest incidences of natural disasters in the united states (second only to Alaska). Also, Michigan has milder summers and colder winters than other parts of the country. The ability to cool your data center with less power, coupled with the generally lower cost of electricity means your data center isn’t going to break the bank the way it may in other states.

The symposium will be held at The Inn at St. John’s in Detroit on May 21-22. If you’re going to be there, don’t forget to come say hello to us. We’ll be exhibiting our extensive range of hosting solutions. Whether it’s colo, compliance, or cloud, we’ve got the hosting service you need for your mission critical applications.

Resources and Other Reading:
Midwest Technology Leaders Detroit 2013
Choosing Your Data Center Location: Why Michigan?
Michigan – The Next Cool Thing for Data Centers

The post 2013 Midwest Technology Leaders Symposium Next Week in Detroit, Michigan appeared first on Managed Data Center News.

According to the Washington Post, the unclassified alert was issued by the Depart. of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team or ICS-CERT, and released on a computer network accessible only to authorized industry and government users (hence why you won’t find a link to the report here).

NYTimes.com reports a key distinction in the latest warnings about the potential new attacks as attempts to destroy, rather than just obtain or steal information from U.S. companies. While the majority of previous attacks have been motivated by gaining competitive advantages by stealing trade secrets, the newest threats appear to be motivated by the intention to shut down industrial machinery and energy delivery.

The article also reports that senior officials briefed on the latest attacks claimed they targeted the administrative systems of 10 major unnamed U.S. energy companies. Another U.S. official reports the warning was released after intrusion to a corporate system that deals with chemical processes. The Washington Post also reports that foreign adversaries have been probing the computer systems that operate chemical, electric and water plants.

In February, an executive order was issued to direct federal agencies to provide timely information about threats to cybersecurity to the industry to enable proactive measures to protect their company and consumers, as well as critical infrastructure. The latest warning points out that the most likely targets, such as phone networks and electric utility grids are privately owned entities and not federally-run.

What is currently going on with federal cybersecurity? NYTimes Tech Blog, Bits, reports that the Dept. of Homeland Security has recently lost four top cybersecurity officials as they departed from office in the last four months – including Richard Spires, the former CIO of DHS, who did not provide a reason for resignation after being on administrative leave since March 15, according to the Washington Business Journal. The agency reports needing to expand its workforce by as many as 600, citing a need to employ a large number of skilled hackers to keep up with developing threats.

Back in last November, I wrote an article, Another Dead End for U.S. Cybersecurity? on the struggles of passing a cybersecurity bill in Senate that would set standards for companies that operate critical U.S. infrastructure, including power grids and chemical plants. While the executive order recently administered may supersede the twice-stalled and once-revised bill, significant time (potential R&D time) has been lost in thwarting bipartisan attempts in national cybersecurity.

NYTimes.com reports that there are no clear technical security standards outlined in the warning from last week other than to adhere to best practices that “many computer professionals already advise.” So, why not read up about our technical security services and also industry best practices, from daily log review to two-factor authentication for VPN (Virtual Private Network) to web application firewalls (WAFs).

Encrypting data, whether at rest or in transit, is another best practice that can enhance data privacy while meeting federal and industry data security compliance standards. Join our upcoming Encryption – Perspective on Privacy, Security & Compliance webinar on June 11 and submit your security questions in advance for a chance to discuss encryption with security professional Chris Heuman, Practice Leader for RISC Management and Consulting.

Finally, a comprehensive business continuity and IT disaster recovery plan can help protect your business against any type of business interruption, including the threat of potential cyber attacks. Prepare for the unexpected with these disaster recovery resources:
Business Continuity and Disaster Recovery
Seeking a Disaster Recovery Solution? Five Questions to Ask Your DR Provider
State of Michigan & Michigan Businesses Firm Up IT Security with Disaster Recovery Plan

References:
Cyberattacks Against U.S. Corporations Are on the Rise
Tough Times at Homeland Security
U.S. Warns Industry of Heightened Risk of Cyberattack
Richard Spires Resigns as DHS CIO After Taking Administrative Leave

The post Seek and Destroy: U.S. Energy Firms Warned of Recent IT Threats appeared first on Managed Data Center News.

Title: Encryption – Perspective on Privacy, Security, & Compliance
Register: GotoMeeting via Online Tech
When: Tuesday, June 11, 2013 from 2-3PM ET
Description: HIPAA, HITECH, the Omnibus Rule, PCI-DSS, and many other regulations and frameworks speak to the importance or requirement of encryption. Adequate encryption of regulated and sensitive data can help your organization meet or exceed the privacy and information security regulatory requirements you face, if it is implemented correctly.

Join Chris Heuman, Practice Leader for RISC Management and Consulting, for an informative webinar on the value of encryption and the successful components of a data security program that integrates encryption. Chris Heuman will discuss the legal safe harbors for suitably encrypted data, typical encryption methodologies, how to document your choices and implementation, and how to demonstrate a successful program to an auditor.

View other upcoming events!

Christopher Heuman CHP, CHSS, CSCS, CISSP – Practice Leader, RISC Management & Consulting 

Prior to consulting, Chris Heuman  worked in healthcare organizations in an information systems and data security capacity for over 20 years. Chris held increasingly responsible positions in healthcare IT from systems and network administration to project management, infrastructure management and information security. Prior to founding RISC Management, Chris developed consulting programs focused on information security and compliance specifically for healthcare institutions as a Director of Engineering Services at mCurve, and Practice Leader for Compliance and Security at ecfirst. Through his practical experience and certifications as a Certified HIPAA Professional (CHP), Certified Security Compliance Specialist (CSCS) and Certified Information Systems Security Professional (CISSP), Chris is uniquely experienced to assist healthcare organizations in understanding and meeting the myriad compliance and security regulations and requirements they face.

As the Practice Leader at RISC Management, Chris helps healthcare providers and healthcare technology organizations by providing services in the areas of risk analysis, vulnerability assessment, business continuity management and planning, business impact analysis, disaster recovery planning, social engineering tests, data loss prevention, education and training, project management and consensus building at all organizational levels. In addition, Chris has presented training programs in the HIPAA, HITECH, compliance and security space, and has been a featured presenter for statewide healthcare organizations, for Health Information Exchanges, as a guest speaker for MBA programs, and has delivered tailored training to dozens of healthcare-related organizations and accreditation bodies.

For more information, Chris can be contacted at Chris.Heuman@RISCsecurity.com or through www.RISCsecurity.com.

More About Encryption:

Federal Health IT Budget Increases by 28 Percent: Encryption, Mobile Security & EHR Safety
The proposed federal fiscal 2014 budget calls for a 28 percent increase to support further development of health IT initiatives while taking over where HITECH funding stops (ending in fiscal year 2013). The Office for Civil Rights’ (ONC) funding will … Continue reading →

2013 State of HIPAA Encryption & Authentication for Healthcare
According to the Healthcare Information Security Today report, 2013 Outlook: Survey Offers Update on Safeguarding Patient Information, most healthcare organizations believe that encryption would greatly improve their data security. Forty-one percent plan to encrypt all mobile devices and removable media, … Continue reading →

Encrypting Data to Meet HIPAA Compliance
To address the question of whether or not to use data encryption when it comes to meeting HIPAA compliance and keeping patient health information (PHI) protected, let’s revisit the Health Insurance Portability and Accountability Act of 1996 (HIPAA): … Continue reading →

The post Upcoming Webinar: Encryption – Perspective on Privacy, Security & Compliance appeared first on Managed Data Center News.

That’s how guest host Adam Goslin opened the latest in Online Tech’s “Tuesday at 2” webinar series, PCI DSS Guidance for Mobile Security.

The COO of High Bit Security lent his expertise to an hour-long presentation on PCI mobile payment guidelines as they relate to PCI DSS (Payment Card Industry Data Security Standards) and PA DSS (Payment Application Data Security Standards) compliance.

“The mobile arena is one that has been exploding over the last couple years and is sure to provide non-stop challenges to those organizations that are interested in making available mobile payment applications to support or supplement their existing communication with their customers,” Goslin said.

Data security for mobile payments continues to evolve while transactions are anticipated to hit the $1.3 trillion mark by 2015. In February 2013, the PCI Security Standards Council (SSC) released a document covering security guidelines for merchants accepting mobile payments to protect credit card information.

In the webinar, Goslin reviews – for merchants and developers – the highlights and pitfalls contained within that supplement, designed to educate merchants on the factors and risks of using mobile devices, along with other challenges related to PCI compliant mobile payment processing.

Goslin breaks down the documentation scenarios that the PCI guidelines cover and defines the security risks of the mobile platform in general and to the payment transaction process specifically. He also dives into merchants’ responsibility as it relates to the security of mobile devices used for transactions.

In a section of the webinar discussing the implementation of a secure payment solution, Goslin says, “you want to make sure you’ve done everything in your power to make that solution as secure as possible,” and discusses each step in that process.

Goslin also covers tips to merchants for selecting the right payment-acceptance solution.

To watch a full replay of the webinar, click here.

Looking for more information on PCI hosting requirements, recommendations, and the foundation of a secure PCI compliant data center?

Download our PCI Compliant Hosting white paper now for a complete guide to PCI hosting with IT vendors.

Related Articles:
Customer Privacy in Cloud Computing Contracts Key for PCI Compliance
On January 31, the Payment Card Industry Security Standards Council issued its new set of card data security guidelines for merchants and payment providers. The supplemental document addresses increasing risks to e-commerce environments and how online businesses should work with … Continue reading →

PCI Compliance Supplement Gives Tips For Merchants
Last month the Payment Card Industry Security Standards Council (PCI SSC) released their Information Supplement: PCI DSS E-Commerce Guidelines. These guidelines were focused on e-commerce merchants, and how to keep compliant whether outsourcing payment processing, keeping it in-house, or creating … Continue reading →

PCI Compliant Requirements & PCI Compliant Services Matrix
The PCI DSS (Payment Card Industry Data Security Standards) require the use of certain technical security services. Below is a matrix of the requirements paired with actual PCI compliant services that fulfill them. Click on each PCI compliant service to … Continue reading →

The post PCI DSS Guidance for Mobile Security Webinar: “Welcome to the Wild, Wild West of Security” appeared first on Managed Data Center News.

Impact of Health Reform
Seema Verma, SVC Consulting, Indiana Health Reform Lead Affordable Care Act: Impact on the Indiana Market

Seema covered several areas of penalties coming out of the ACA, including both the individual and employer mandate. The penalty for the individual mandate is low to begin with and going up over time, with there being some exemptions from the mandate such as religion.

The employer mandate will really affect those with more than 50 full-time equivalent employees. Employers could be subject to penalties if full-time employees receive premium tax credit. Employers will be very cautious about not expanding beyond 50 employees, causing potential issues in the business world.

What does the market look like in 2019?
There could be a huge rise in public programs, specifically with the Medicaid expansion. More and more employers will be dropping insurance programs and we will see a rise in individual insurance plans.

There will be several upcoming changes to the insurance market, some of which will limit insurance companies profits and also the increase in health insurance premiums.

With a community rating premiums will be based on age, location, and smoking status, no pre-existing condition exclusion allowed. Those that are healthier will be faced with higher rates, while lose who are less healthy will face lower premium rates.

Seema discussed several key facets surrounding the upcoming healthcare exchanges next year. One of the early concerns with the exchanges was that the ACA mandates that each states’ exchange offer at least 2 multi-state plans.

She noted in her slides that the key challenges for exchanges will include:

• Federal government running the majority of exchanges
• Exchanges begin enrollments starting October this year
• Defined open enrollment periods
• Interfaces between states and exchange yet to be established or tested
• Will they lower costs?
• How will insurers participate?

The biggest “Crystal Ball Prediction?”:
It will take several years to fully understand the impact of the ACA.

Future of Public Health in Indiana
Dr. William VanNess, State Health Commissioner

Core Values and practices for Indiana State Department of Health (ISDH) include:

• Health promotion and prevention
• Vaccines-providing for those who cant’ afford
• Equitable care throughout community health centers
• Vital records
• Health protection. ISDH is going to great lengths to make sure that water, indoor air and food are all clean
• Collaboration with local health departments
• Data collection, analysis and information dissemination

Governor Pence told the ISDH to read Good to Great by Jim Collins and check to see that they were on the right track for the next five years. Dr. VanNess set out to find what still works and what needs to change. His team got together, went through the book and found several areas they wanted to focus on in the state of Indiana.

Infant mortality was one of the biggest concerns that jumped out to Dr.VanNess. He delved in and looked at what was causing such a high infant mortality rate and found several factors that led to it and set about to correct. He visited several counties comparing numbers and found that an Amish county had less than a 2% infant mortality rate.

Creating a healthy Indiana overall was another goal that came out of the five year plan and to do so, it really comes down to lifestyle choices. Obesity and smoking are huge health concerns within the state, and again, it came down to lifestyle choices and setting out to educate patients in order to change that.

A final piece included in their five year plan was the immunization rate of 19-35 month olds. With the implementation of CHIRP, hospitals and physician efforts to meet a requirement in Stage 1 of meaningful use will be aided.

Future of Public Health in Indiana:
We still don’t know everything that the Affordable Care Act is going to bring. There are roughly 2,000 blanks that still need to be filled in with ACA.

About Indiana HIMSS
The Indiana Chapter of HIMSS is one of over forty affiliated chapters of the Healthcare Information and Management Systems Society, the largest health care information systems professional organization in the nation. Our purpose is to bring health care professionals together to promote the exchange of experiences and knowledge among colleagues, and to assist members in their professional growth. We accomplish this objective by presenting educational seminars/conferences, networking opportunities, and a forum for the exchange of ideas among those committed to the goal of improving patient care through the effective use of information technology.

Chapter members come from diverse backgrounds, all involved in some aspect of health care information systems and management. Our members consist of professionals from hospitals and clinical organizations, third-party payors, administrators, information technology vendors, consultants, management engineers, telecommunications professionals, physicians, nurses and medical informatics professionals – essentially anyone interested in the trends of health care information and management systems.

The post Indiana HIMSS Spring Conference: Health Reform and Future of Public Health appeared first on Managed Data Center News.

Keynote Address:
Troy Trygstad, PharmD, MBA, PhD
Vice President, Pharmacy Programs
Community Care of North Carolina
Medication Management Innovations

Troy is still a part time pharmacist in North Carolina. He thinks there is great opportunity to improve the health trajectory where patients go about their daily lives.

Putting the Affordable Care Act aside altogether, the following are health systems trends and trends of health reform that are occurring and needed to occur anyways:

• Reduced cost shifting and increased sharing
• Increased focus on prevention
• Increased accountability
• Increased cross-setting, and inter-entity collaboration
• Increased capture, exchange and application of data

So what is the result of all this? There is a rise in questions such: what are we doing for patients when they aren’t in the four walls of my hospital or office? There is a huge shift in how patients not interact with the healthcare system and how they want to receive their health information.

He noted that healthcare is very likely the next fiscal cliff pointing towards inadequate, misaligned, or non-existent payment systems for pharmaceutical care. Higher healthcare spending is not necessarily associated with better quality. Troy went on to discuss payment systems in the healthcare and what we can expect to see in the future in regards to the various payment systems.

Troy through a trivia question out to the audience and asked if anyone knew the significance of the following date:

April 12, 1955

Several people jumped on their Smartphone’s and one brave soul responded that it was the day the polio vaccine was announced.

Troy was proving the point that information is right at our fingertips. The Internet has become our extended care team. It is where people go when they need health care information and non-healthcare information. Consumers are going to want instant access to their health information. Just send me a text when the results are ready would you?

Health Information Technology Trends that are occurring:

• EMR/HIS gold rush starting to easy up – The focus is now on leveraging data and value added and plug-in products
• Vertical and horizontal integration of PHI
• Big Data – Population health and quality measure are driving priorities; refocusing of positive predicative value; and logistics
• Patient empowerment is starting to emerge more and more in regards to personal health records, records portability, virtual care, devices, pricing transparency and new settings of care

About Indiana HIMSS
The Indiana Chapter of HIMSS is one of over forty affiliated chapters of the Healthcare Information and Management Systems Society, the largest health care information systems professional organization in the nation. Our purpose is to bring health care professionals together to promote the exchange of experiences and knowledge among colleagues, and to assist members in their professional growth. We accomplish this objective by presenting educational seminars/conferences, networking opportunities, and a forum for the exchange of ideas among those committed to the goal of improving patient care through the effective use of information technology.

Chapter members come from diverse backgrounds, all involved in some aspect of health care information systems and management. Our members consist of professionals from hospitals and clinical organizations, third-party payors, administrators, information technology vendors, consultants, management engineers, telecommunications professionals, physicians, nurses and medical informatics professionals – essentially anyone interested in the trends of health care information and management systems.

The post Indiana HIMSS Spring Conference: Innovations in HIT (Health Information Technology) appeared first on Managed Data Center News.

CIOs consider the lack of staffing resources as the most significant barrier to implementing IT systems, and more than 50 percent say they expect an increase in IT staff within the next 12 months. However, more than six out of 10 say they’re concerned about their organization’s skills and ability to capitalize on their technology investments.

The lack of financial support is a secondary barrier to successfully implementing IT.

People are an important part of the IT puzzle – finding the particular expertise needed to run secure systems housing protected health information (PHI) takes time and resources. Partnering with a hosting provider that can provide their HIPAA audit report on compliance verifying they conduct regular business associate training of their tech staff satisfies a few healthcare CIO concerns:

1. CIOs don’t need to worry about hiring as many in-house IT personnel to manage their servers if they use the managed services/support of a hosting company.
2. It’s more cost-effective to have a fixed rate for infrastructure and management rather than dealing with fluctuating and unpredictable costs to manage in-house IT (read Leasing vs. Building a Data Center).
3. If your hosting provider has already undergone an independent HIPAA audit, you don’t have to pay your auditors to conduct one.
4. With a HIPAA compliant hosting provider, you know they’ve put in the work needed to meet compliance, including investing in their data center and hosting solution security.

For a complete guide to HIPAA technical, administrative and physical security, read our HIPAA Compliant Hosting white paper. This white paper explores the impact of HITECH and HIPAA on data centers. It includes a description of a HIPAA compliant data center IT architecture, contractual requirements, benefits and risks of data center outsourcing, and vendor selection criteria.

You might also like:
Healthcare Data Breach Leads to Prison Time; Class Action Lawsuit
For two years, a former emergency department worker of Florida Hospital Celebration gained unauthorized access to more than 763,000 electronic patient health records and sold 12,000 of them to a co-conspirator (and operator of two chiropractic centers) to solicit patients … Continue reading →

Ensuring Business Associate Compliance: Are You Doing Your Due Diligence?
Business associates should be required to provide some type of evidence or proof of compliance to their covered entities. – Healthcare Information Security Today: 2013 Outlook Survey This quote comes from a study that reports only 32 percent of survey … Continue reading →

Overcoming Healthcare CIO Challenges with Secure & Scalable HIPAA Hosting
McKesson’s Understanding Your CIO article catalogues a list of statistics derived from surveys, polls and interviews of healthcare CIOs. It’s a very informative snapshot of the position’s latest responsibilities and concerns as the healthcare IT landscape rapidly evolves due to … Continue reading →

References:
Understanding Your CIO
2013 HIMSS Leadership Survey

The post Tackling Healthcare CIO Challenges: Securing Infrastructure, IT Expertise and Costs appeared first on Managed Data Center News.

Online Tech is doing our part to celebrate Compliance Week by spending some time with our friends down in the Indy-city for the Indiana HIMSS spring conference today. With the focus of today’s conference being innovation, compliance week couldn’t have come at a better time.

Health IT, with hot topics like BYOD and mobile health are paving the way for different ways for patients and physicians to think about healthcare responsibility and management, which brings compliance struggles into the limelight. Couple that with the Health and Human Services (HHS) decision to hold Business Associates (BA) responsible for their spoke in the HIPAA compliance wheel, and all eyes should be on the compliance guidelines.

With all the importance put on having each company and their BAs compliant, it’s hard to hear that 68% of healthcare directors and IT managers who responded to the Healthcare Information Security Today 2013 Outlook Survey aren’t confident in the security measures controlled by their BAs. Here are a few tips that could help lower that statistic:

Get The Audit Report
This is step one when you’re shopping around for a HIPAA compliant hosting provider. Any prospective provider should have been independently audited and will have a report to share with you. Do your due diligence and check that report. While it isn’t going to guarantee your total compliance, you need to know your patient’s data is being secured, even if you aren’t there to secure it.

Get a BAA Signed
This isn’t negotiable. Hosting providers for healthcare companies are considered Business Associates, and as such need to sign a Business Associate Agreement (BAA) with you, clearly stating what duties they’ll be performing, and what physical, administrative, and technical safeguards they have in place for your PHI. Word from the wise:

If you use a cloud service, it should be your business associate. If they refuse to sign a business associate agreement, don’t use the cloud service. – David S. Holtzman of the Health Information Privacy Division of OCR during a speech at the Health Care Compliance Association’s 16th Annual Compliance Institute.

That should be true of any hosting solution and provider you consider working with.

So celebrate getting compliant along with us and the Society of Corporate Compliance and Ethics. Read our HIPAA white paper. Check out our HIPAA hosting resources. Most importantly, let us know what you’re doing to keep compliant throughout the year!

Resources:
Society of Corporate Compliance and Ethics
www.indianahimss.org
HHS: Modifications to the HIPAA Privacy, Security, Enforcement and Breach Notification Rules (PDF)

The post Celebrate Corporate Compliance and Ethics Week! appeared first on Managed Data Center News.

Online Tech is very proud to have our Director of Operations Jason Yaeger speaking on a CIO panel at the conference. Jason has received the 2012 Crain’s Business CIO of the Year award, and spoke just two weeks ago at the 7×24 Exchange Southern California Chapter’s meeting.

We’re also going to be at the Midwest Technology Leaders conference showing off the breadth of our hosting services, ranging from cloud hosting and disaster recovery to colocation. Need to be HIPAA, PCI or SOX compliant? We can set up a compliant solution no matter what type of service you’re after.

There are also going to be other really great speakers at the event. Here’s just a taste of what you’ll see:

Dell Keynote – Adriana Karaboutis, VP & Global CIO, DELL

From the auto industry to the tech industry and everything in between, the transformational CIO no longer focuses only on system performance and efficiency, but on providing an adaptable and flexible environment to create value and enable CEOs to meet their strategic goals. Innovation and agility are the cornerstones of the most successful IT organizations. Hear from Dell VP & CIO Andi Karaboutis about how she transformed her organization to focus more on innovation and agility in order to drive business value.

Reinventing Michigan through IT, David Behen, CIO State of Michigan

Michigan Department of Technology, Management and Budget CIO David Behen will talk about “Reinventing Michigan Through IT.” Behen will discuss the department’s goals and mission, the State’s key IT metrics, IT Investment Fund projects, Michigan’s Cyber Range and Cyber Security.

If you’d like more information about the Midwest Technology Leaders symposium, visit their site here. While you’re there come say hello to Online Tech  and we can talk to you about your mission critical applications, and how we can keep you up and running.

The post Online Tech Exhibits Secure Hosting the 2013 Midwest Technology Leaders Symposium appeared first on Managed Data Center News.

A few fast facts about the growing IT industry in Michigan:

• Despite major job reductions in many Michigan industries as a result of the recent recession, the number of IT firms and jobs expanded from 2005-2009. IT jobs grew at a five percent growth rate over the last two years.

• The DTMB and Bureau of Labor Market Information and Strategies Initiatives predicts that the IT and media cluster will outpace most Michigan industries in job expansion over the next 10 years.

• Between 2008-18, IT industry employment is expected to grow by 13.7 percent, over twice as fast as total job expansion in Michigan.

• Of the entire IT and media cluster industry structure, IT support services account for 79 percent.

With the growing demand for IT workers comes the need for an educated workforce in the region – many graduates leave the state and contribute to the current workforce’s lack of technical skills. When it comes to measuring the labor supply in the IT industry, approximately 7,000 tech degrees or certificates were granted in Michigan in 2010, increasing 10 percent from the relatively flat from 2006-09. The top career by number of program graduates is Computer Systems Network and Computer and Information Science.

One sector of that IT industry is the managed data center business that is expected to grow by $18.5 billion by 2015 with a range of hosting services, including colocation, managed servers, cloud computing and disaster recovery. In 2012, Michigan ranked fourth in the country for new major corporate expansions, growing nearly 300 percent from 85 new building/expansion projects in 2011 to 337 in 2012.

Contributing to that corporate expansion, Online Tech has invested $1 million in our Mid-Michigan data center and will be investing another $1 million this year. We’re also planning to expand across the Midwest – check out our current career opportunities!

We’re hiring in both Mid, Southeast Michigan, Indiana and Ohio:

Infrastructure Manager (Mid-Michigan)
The Infrastructure Manager is responsible for the budget, people, processes, and systems for our data centers, network, cloud, and storage systems.

Account Executive (Southeast Michigan)
Grow the customer base for one of the fastest growing, most highly regarded high tech companies in Southeast Michigan. As an Account Executive, you will be responsible for acquiring new customers and expanding existing customer relationships. This position reports directly to the Director of Sales. With an uncapped compensation plan and with a Michigan territory, you can achieve your goals and also be home every night.

Account Executive (Indiana and Ohio)
Grow the customer base for one of the fastest growing, most highly regarded high tech companies in the Midwest. As an Account Executive, you will be responsible for acquiring new customers and expanding existing customer relationships. This position reports directly to the Director of Sales, and it comes with a competitive total compensation package that includes both a base salary component and an uncapped commission component.

Senior Sales Engineer (Indiana and Ohio)
The Senior Sales Engineer role is primarily responsible for supporting our Account Executives by developing technical solutions to meet our customers’ requirements and working with our operations team to kick off the order deployment process. The job focuses on new and existing customers in the Indianapolis and Columbus markets, and it has the opportunity to expand into a broader set of sales responsibilities, including managing the commercial aspects of our customer relationships and prospect development.

Related Articles:

Michigan Data Centers Contribute to State’s 4th Nationwide Ranking for Corporate Expansion
According to Mlive.com, Michigan ranked fourth in the country for new major corporate facilities and expansions in 2012. Site Selection magazine’s annual Governor’s Cup reports that Michigan increased from 85 qualified new building/expansion projects in 2011 to 337 in 2012 … Continue reading →

Online Tech Shares Michigan Data Center Perspective at 2013 Governor’s Economic Summit
Online Tech co-CEOs Yan Ness and Mike Klein will be attending the 2013 Governor’s Economic Summit next week in Detroit, Michigan to collaborate with other state leaders and contribute a Michigan hosting provider‘s perspective. Governor Rick Snyder will lead a … Continue reading →

The post Michigan Data Centers Fuel State IT Industry Job Growth appeared first on Managed Data Center News.

For example: if your PCI hosting provider lists ‘log monitoring’ as a managed service within your PCI compliant hosting package, it might not actually fulfill the complete requirement. PCI standard 10.3 requires that you:

Record at least the following audit trail entries for all system components for each event – a whole list of events follow, including user ID, type of event, data and time, success or failure indication, etc.

But the requirement 10.6 also requires log review:

Review logs for all system components at least daily. Log reviews must include those servers that perform security functions like intrusion-detection system (IDS) and authentication, authorization, and accounting protocol (AAA) servers (for example, RADIUS).

Going beyond automated logging, which a PCI-ready hosting provider might offer, is the need for either you or your provider to review and analyze logs daily. This is a time-consuming burden that might be better outsourced if possible – which is possible, as long as you avoid the PCI-ready solutions out there that don’t actually give you everything you need, such as daily log review.

Offsite backup and disaster recovery are two services often overlooked by those that need to meet PCI compliance, despite the clear requirements for a data backup plan, disaster recovery plan, emergency mode operation plan, testing and revision procedures, and application and data criticality analysis (9.5 and 12.9.1).

PCI requirement 9.5 calls for backups to be stored in a secure location and preferably in an offsite location/facility, or data center. Auditors need to review the physical security of a PCI compliant data center to ensure proper authorization, control access and environmental controls are all in place for the highest standards of security.

Why pay for an incomplete solution and have to fill in the gaps? Don’t settle for PCI-ready, strive for fully PCI compliant with all of the essential managed services, and know which PCI standards your provider can fulfill vs. where you need to pick up the slack.

This handy chart of PCI compliant services matched with each of the PCI requirements can help you determine what can be solved with a PCI compliant hosting solution:

PCI Requirements	PCI Compliant Services
10.6: Review logs for all system components at least daily. 10.3: Record at least the following audit trail entries for all system components for each event – including user ID, type of event, data and time, success or failure indication, etc. 10.7: Retain audit trail history for at least one year, with a min. of three months immediately available for analysis (online, archived, or restorable from back-up).	Daily Log Review Monitoring and analyzing user and system activity can help detect patterns of normal use and potentially malicious users. Daily log review is the process of regularly reviewing and reporting on log activity.While some providers may offer logging (tracking user activity, transporting and storing log events), Online Tech provides the complete logging experience with daily log review, analysis, and monthly reporting.
10.5.5: Use file-integrity monitoring or change-detection software on logs to ensure that existing log data cannot be changed without generating alerts. 11: Deploy file integrity monitoring tools to alert personnel to unauthorized modification of critical system files, configuration files or content files. Configure the software to perform critical file comparisons at least weekly.	File Integrity Monitoring (FIM) Monitoring your files and systems provides valuable insight into your technical environment and provides an additional layer of data security. File integrity monitoring (FIM) is a service that can monitor any changes made to your files.
6.6: For public-facing web applications, ensure:Verify that public-facing web applications are reviewed (using either manual or automated vulnerability security assessment tools or methods), as follows: At least annually and after any changes By an organization that specializes in application security That all vulnerabilities are corrected, and the application is re-evaluated after corrections Verify that a web-application firewall is in front of public-facing web applications to detect and prevent web-based attacks.	Web Application Firewall (WAF) Protect your web servers and databases from malicious online attacks by investing in a web application firewall (WAF). A network firewall’s open port allows Internet traffic to access your websites, but it can also open up servers to potential application attacks (database commands to delete or extract data are sent through a web application to the backend database) and other malicious attacks.
8.3: Incorporate two-factor authentication for remote access (network-level access originating from outside the network) to the network by employees, administrators, and third parties.(For example, remote authentication and dial-in service (RADIUS) with tokens; or other technologies that facilitate two-factor authentication.	Two-Factor Authentication Online Tech offers two-factor authentication for VPN (Virtual Private Network) access as an optimal security measure to protect against online fraud and unauthorized access for clients that connect to their networks from a remote location.
11.2: Run internal and external network vulnerability scans at least quarterly and after any significant change in the network (such as new system component installations, changes in network topology, firewall rule modifications, product upgrades).	Vulnerability Scanning Vulnerability scanning checks your firewalls, networks and ports. It is a web application that can detect outdated versions of software, web applications that aren’t securely coded, or misconfigured networks.
6.1: Ensure that all system components and software are protected from known vulnerabilities by having the latest vendor-supplied security patches installed. Install critical security patches within one month of release.	Patch Management Why is patch management so important? If your servers aren’t updated and managed properly, your data and applications are left vulnerable to hackers, identity thieves and other malicious attacks against your systems.
5.1: Deploy anti-virus software on all systems commonly affected by malicious software (particularly personal computers and servers). 5.2: Ensure that all anti-virus mechanisms are current, actively running, and generating audit logs.	Antivirus Antivirus software can detect and remove malware in order to protect your data from malicious attacks. Significantly reduce your risks of data theft or unauthorized access by investing in a simple and effective solution for optimal server protection.
4.1: Use strong cryptography and security protocols (for example, SSL/TLS, IPSEC,SSH, etc.) to safeguard sensitive cardholder data during transmission over open, public networks.	SSL Certificate In order to safely transmit information online, a SSL (Secure Sockets Layer) certificate provides the encryption of sensitive data, including financial and healthcare. A SSL certificate verifies the identity of a website, allowing web browsers to display a secure website.

References:
Payment Card Industry Data Security Standard, Requirements and Security Assessment Procedures, Version 2.0 (PDF)

Other PCI DSS resources:
PCI Compliant Hosting FAQ
Four Ways to Gain Transparency with PCI Hosting Providers
PCI Compliant Hosting White Paper

The post PCI-Ready? Not Enough for Fully Compliant PCI Hosting appeared first on Managed Data Center News.

Government Panel
Panelists: Marla Blow, Associate Director, Cards and Prepaid Markets Division, Consumer Financial Protection Bureau
Patti Poss, Chief of the Mobile Technology Unit, Division of Financial Practices, Bureau of Consumer Protection, Federal Trade Commission
Maximilian D. Schmeiser, PhD, Economist, Consumer Research Section, Consumer and Community Affairs, Board of Governors of the Federal Reserve System
Moderator: Jason Oxman, CEO, ETA

All the vendors in attendance at the show are behind every consumer transaction in the industry.

The panel was an introduction to the government bodies that are involved within the industry. Each panelist explained what they did and their role within the payments industry.

Patti: With the Mobile Technology unit and it works across the consumer safety program. The FTC has been focusing on mobile technology for a while now. The FTC has broad jurisdiction across the industry. Mainly focus on protecting consumers from unfair and fraudulent actions within the industry.

Marla: CPD has been around for about two years. Clarity within the market, making sure institutions are playing by the rules, ensuring there is a level playing field. Making sure banks and nonbanks are held to the same standards. Within the bureau, she works with policy specifically.Think about privacy and work with the FTC on privacy issues. Mobile, payments, credit cards debit cards, retail checking accounts.

Max: Heading the boards efforts for consumers move to mobile financial transactions. Corresponding reports, access consumer financial services 2013 (Google). Works with several federal reserve groups that monitor financial transactions. On a group that watches issues with mobile financial services. Strong interest in anything that touches the US financial payments. monitor payment trends. Collaborate with other regulators on issues related to mobile payments.

What should the industry be doing? What gaps do you see in the industry?

Patti: Just because there is a new medium doesn’t mean there are no rules there. In regards to online and mobile payments.

Marla: How mobile payments are different from traditional transactions. Mobile brings more people to the table, thus making regulations more tedious and time consuming. Particularly for merchants who don’t technically read the regulations around the financial transaction areas.

Where are we in the educational effort in relation to mobile payments in regard to consumers? What are their concerns? What does that tell us about what the industry should be doing?

Max:  Consumers are aware of it’s existence, but are not sure how or where they can make such payments. Main reasons some people don’t use it:

1. Security – Concerned with it broadly (maybe not accurate)

2. Just don’t see any benefit – appears to complicated for them. They like the ease of traditional payment methods.

Patti: We looked at three areas that offer potential with mobile payments for consumers:

1. What happens when something goes wrong? – Do consumers have the correct info and know who to go to when something goes wrong, and do they know what sort of liability are they taking on?

2. Security – Is the information secure and how they are protecting consumers sensitive financial information?

3. Privacy – Lots of joint partnerships that can develop, but that comes in exchange for data. Who gets the data? Do the consumers know who has the data?

Marla: Questions have been raised as to how to best notify the consumers of the terms they are accepting and how those agreements appear on a small mobile screen. Trying out figure out if  there is a better way to get information to consumers so they can more readily digest terms and conditions.

There is a micro and macro level market going on with the mobile payment space. There is obviously concern with protecting privacy when a consumer uses their phone to make a payment, but does not want to receive tons of marketing notifications from those vendors in the future. How well is the industry walking that line?

Patti: There is a general framework I will talk about to answer that.

• Privacy by design – Are merchants thinking about privacy as they are really developing their products or are they slapping it on at the last minute? Do you know where the data flow is going and coming from.

• Simplified choice – Do you have pages and pages for consumers to read so they know where their data is, or can you boil it down and make it clear and easily understandable for consumers to read.

• Transparency – Is there somewhere consumers can go to actually learn about what you are doing with their data

Max: There is some inconsistency between consumers in what they say and what they do. They say they absolutely will not give up their information and location to receive offers from merchants, but then when they are at the point of sale and they are on their apps, they do end up giving up that information.

Looking for more information on PCI hosting requirements, recommendations, and the foundation of a secure PCI compliant data center?

Download our PCI Compliant Hosting white paper now for a complete guide to PCI hosting with IT vendors.

Still have questions? Contact us or chat with us now. Find out more about our fully compliant, PCI hosting solutions, or submit a quote request for your project today.

The post 2013 ETA Expo: Government Panel Discussion appeared first on Managed Data Center News.

Keynote: Big Change and Pocket Change: Staying Ahead of Change in the Payments Industry
Speaker: David Nelms, Chairman & CEO, Discover Financial Services

Key players in the card industry have left and become independent entities and brands. The payments industry has had the largest number of mergers and acquisitions of any other industry. Technology and regulations have also changed within the industry. Discover went from being a domestic network in 1998 to a global network by 2012. David encouraged others in the industry to welcome these kinds of advances across the board.

Global payments have nearly doubled in ten years from $17 to 36 trillion. Global card transactions have simply become a bigger slice of a bigger pie. The use of cards for transactions now outdoes the use of cash and checks combined.

He went on to discuss that change is the sign of a healthy industry and with change comes opportunity. The payment industry is not the first to experience such change. David compared  the television industry to the payment card industry. Over time, several barriers to entry were eliminated and new affiliates could ultimately go directly to the consumer, bypassing several channels.

Payments Value Stream used to look like the following:

• Networks
• Acquirers
• Merchants
• Consumer

As an industry, the payment industry is doing a good job of creating innovation, choices and added value for consumers. Consumers want ease of use, relevancy and security. New players, new technology and a lot of uncertainty are consistent components of the industry.

Big Trends Happening in the Payment Industry:

1. Mobile technologies – Smartphones are the hub and center of the consumer’s universe. Phones will become way of payment at the point of sale. There will be battles over security and control.
2. Physical Cards – Physical cards will still be with us for a long time.
3. Commerce and payments are beginning to blend. Consumers are being offered more and more  ways to pay and the point of sale is going mobile.
4. EMV is coming to the US
5. Retail banking is moving from branches to internet and mobile.
6. Information is more valuable and enabling. Consumers digital footprints are now moving to the cloud. Industry players are trying quickly to learn about consumers behavior and patterns based on that information.
7. Partnerships are just as important as ever.

Discover wants to be the best partner in the industry. It is an alternative network for alternative payments in the US.  Discover is also partnering with other networks around the world.

David discussed some of Discover’s partnerships, some of which include PayPal and RuPay. Through partnerships, Discover is able to create benefits for consumers that include: complete financial flexibility, security and simplicity. For merchants, they offer simplified setup and new business.

The payment industry is growing and attractive. They have survived and are thriving as they move forward. The changes in the industry change rapidly whether it be from participants, technology, consumer behavior to regulations.

Key lecture takeaway:
Embrace change and look for ways to add more value.

David Nelms, Chairman & CEO, Discover Financial Services

David W. Nelms is Chairman of the Board of Directors and Chief Executive Officer of Discover Financial Services.  He is responsible for all Discover® branded financial services, including credit cards and banking products, including Discover Student Loans and Discover Home Loans; the Discover Network, a comprehensive payments network that supports multiple card products, issuers and processors; PULSE, one of the nation’s leading PIN debit networks; and Diners Club International, a global payments network.  He is also Chairman of Discover Bank, the issuing bank for the Discover card brands.

Before his appointment at Discover in September 1998, Mr. Nelms served as a Vice Chairman of MBNA America Bank.  Prior to that, he held management positions at Progressive Insurance, General Electric Company and in the consulting industry.

Looking for more information on PCI hosting requirements, recommendations, and the foundation of a secure PCI compliant data center?

Download our PCI Compliant Hosting white paper now for a complete guide to PCI hosting with IT vendors.

Still have questions? Contact us or chat with us now. Find out more about our fully compliant, PCI hosting solutions, or submit a quote request for your project today.

The post 2013 ETA Expo: Staying Ahead of Change in the Payments Industry appeared first on Managed Data Center News.

All of these individual ideas can make a difference. But what is that “big idea” that could make a significant impact on the environment and drive innovation to create even more efficiencies?

“The best thing is to fill the data centers,” says Yan Ness, Online Tech Co-CEO.

Ness gives the example of how much energy resources are actually consumed by a mid-sized company to run their servers.

A 100-employee company would typically have around 15 servers to manage their email, store files, and run their applications. Each server uses the same energy, equal to a 300-watt light bulb. If you add up 15 300-watt light bulbs, running 7X24, that’s equivalent to driving a car 250,000 miles every year.

It is very likely that these companies are not running as efficient as possible. The companies may not realize how much energy is being consumed or they are unable to financially justify investing in more efficient equipment. So, what would happen if we move the 15 servers into a specialty data center?

We would automatically see more energy efficiencies just by moving this equipment out of the closet and into more efficient data centers. Then if we would move those 15 servers into a data center’s cloud, 90% less energy would be consumed.

Once all of the data centers are filled, something interesting will happen. All sorts of ingenuity around making data centers more efficient will grow even more because it makes financial sense to do so.

What do you think?  Does Ness have the “big idea” by filling up the data centers?

Incorporating Energy Efficiencies in Data Centers
The Next Generation Data Center:  How Michigan Data Centers Fit the Bill
Investing in Data Center Efficiencies – Part One
Investing in Data Center Efficiencies – Part Two
Michigan – The Next Cool Thing for Data Centers
Could Wind Farms Power Michigan Data Centers?

The post Let’s Save the Planet by Filling Up the Data Centers appeared first on Managed Data Center News.

Keynote: 
The Mobile Commerce Revolution
Speaker: Michael Abbott, CEO, Isis

Mike opened his presentation by explaining that mobile technology isn’t new thing, it’s been around for over 10 years. Nokia was already experimenting with mobile technology in the early 2000’s…

So… ‘why now?’ Why is this technology coming to the forefront now?

Abbott notes that mobile phones are our personal representation. Find someone under 25 who has a landline. It’s virtually impossible. A decade ago, cameras weren’t on phones. By the end of this year half of all the pictures taken in the us will be taken on a mobile phone.

Why does the consumer want this technology?

Mike shared the example of consumers sifting through coupons on the weekends. They first had to search out coupons from the  stores they wanted to shop at and then they had to match the  coupons in the aisles of the grocery store. Is that really 21st century technology? Is that what we should be doing right now? Instead of your wallet being a repository for receipts, with mobile technology, it can become a two way communication channel. Putting the consumer/merchant back in control. That’s the goal of mobile payments.

Mike showed the audience a slide of statistics, breaking down where consumers are at in the adaption process of mobile technology showing that:

• 86% of consumers polled were interested in adopting a Mobile Wallet
• 73% want to add retail coupons to their Mobile Wallet.

What is it going to take for consumers to adopt a mobile wallet?

It’s not a technology problem, it’s a business system problem. A four-sided market needs to be developed to include the following:

Mobile Operators

• Need standards everyone can adopt
• Needs to be scalable
• Build a supply chain
• Create a reason to invest.

Banks

• They want something secure
• They need it to represent scale
• And they want something that is better than using cards

Merchants

• They want communication with their customers
• It needs to be for all vendors, not just can’t just be for the big guys

Consumers

• They want what they have right now in their wallet, but on their mobile  phones
• It needs to make their life simpler.

Isis is a platform for the industry in mobile technology. How that works:

For banks: They want to be sure they are secure and one-to-one communication channel. Isis does not want to push their brand in front of their partners, because consumers still want to still see their card brand in their mobile wallet.

For Merchants: They want a rich two-way communication channel with their consumers, delivering loyalty cards and coupons automatically that the consumer has selected.

Mobile Tips From Isis

• Choice – Everything must be built on choice for the consumer. From their choice in carrier to their choice of the cards they keep in their wallet. At the end of the day, the consumer should always be in charge of their choice.
• Privacy – Privacy means good business. Consumers need to feel secure with their wallet. Your wallet doesn’t spy on you today, it shouldn’t do that tomorrow.
• Security – Easy to create something with billions of apps, but if you are going to transfer from plastic cards to mobile wallet, it MUST be secure.

In wrapping up his keynote address, Mike pointed out that consumers want what they already have, but in an easier to use format. Businesses can use mobile technology and make it contextually and time relevant to the consumer at point of sale. They’re making the world clickable and your phone is becoming your mouse.

What we learned as key takeaways:

1. Control – The consumer is being put in control of everything in their wallet.
2. Simplicity- Consumers want simplicity and want to be able to know how to pay with their phone first.
3. Magical- Consumers think the technology is awesome
4. Viral – Al it takes is one time to teach the consumer and after that they “get it” and it goes viral because they show others.

How other companies can get in the game:

1. Go contactless now
2. Rethink your value propositions – It’s all about partnerships. No way a central corporation can plan out the technology on a large scale.
3. Start small. Think big. Scale fast.  – Everything Isis does in regards to their technology starts small and they perfect that technology. When they get the right “elixir:, they can scale it out fast.

Looking for more information on PCI hosting requirements, recommendations, and the foundation of a secure PCI compliant data center?

Download our PCI Compliant Hosting white paper now for a complete guide to PCI hosting with IT vendors.

Still have questions? Contact us or chat with us now. Find out more about our fully compliant, PCI hosting solutions, or submit a quote request for your project today.

Or download our Mobile Security white paper for more on how to secure data with mobile devices and mobile applications.

The post 2013 ETA Expo Keynote: 
The Mobile Commerce Revolution appeared first on Managed Data Center News.

This data breach exemplifies the major financial consequences of a misconfigured server, as I wrote about last April in Server Hack Leads to HIPAA Violation by Utah Department of Health. The Salt Lake Tribune reports that a server containing Medicaid data was compromised after it was placed online without changing the vendor-supplied password.

The data was unencrypted; a best practice particularly when it comes to abiding by the Health Insurance Portability and Accountability Act (HIPAA), the laws created to protect patient data. Read more about encryption in Encrypting Data to Meet HIPAA Compliance.

Changing vendor passwords is another general best practice when it comes to security, particularly with servers containing protected health information (PHI). This is a basic security practice that all IT staff should be aware of – particularly in the healthcare industry, but also for any company that is security-conscious.

To meet HIPAA compliance, the standard for Security Awareness and Training (164.308(a)(5)) is part of implementing the Administrative Safeguards required by the HIPAA Security Rule. Acknowledging that many security risks and vulnerabilities are internal, the standard requires:

Implement a security awareness and training program for all members of its workforce (including management).

The rule requires training of the entire workforce by the compliance date of the Security Rule, with additional periodic retraining whenever any environmental or operational changes occur that may affect the security of sensitive data. With any new policies and procedures, upgraded software or hardware, new security technology, etc., security retraining is required. Read more on Staff Training as part of the Administrative Security tools required to keep data secure.

These security practices apply even if you decide to outsource your IT operations to a hosting company – if you’re seeking a HIPAA compliant hosting provider to maintain your servers, choose one that has undergone an independent audit to verify they can provide the optimal level of security needed in their data centers and throughout their company.

Read more in our HIPAA Compliant Hosting white paper for a complete guide to the technical, physical and administrative security required to meet compliance.

Read more about data breaches and resolutions in:

Healthcare Data Breach Leads to Prison Time; Class Action Lawsuit
For two years, a former emergency department worker of Florida Hospital Celebration gained unauthorized access to more than 763,000 electronic patient health records and sold 12,000 of them to a co-conspirator (and operator of two chiropractic centers) to solicit patients … Continue reading →

2013 State of HIPAA Encryption & Authentication for Healthcare
According to the Healthcare Information Security Today report, 2013 Outlook: Survey Offers Update on Safeguarding Patient Information, most healthcare organizations believe that encryption would greatly improve their data security. Forty-one percent plan to encrypt all mobile devices and removable media, … Continue reading →

HHS Wall of Shame: Forty Percent of 2013 HIPAA Breaches Involved Business Associates
Of the HIPAA data breaches reported in 2013 so far, nearly 40 percent have involved a business associate. A look at the overall percentage of business associate involvement with data breaches dating back to 2009 reveals that almost 30 percent … Continue reading →

References:
Financial Pain Ensues When Custodians of Health Fail to be Good Stewards of Privacy
Report: Utah’s Health Data Breach Was a Costly Mistake

The post Utah Healthcare Data Breach Costs the State $9 Million appeared first on Managed Data Center News.

But, where do you start?

Map out your needs
Steve Aiello mentioned in his webinar series that the best starting point is to find out where the sources of income are for your business. He proposes that the best way to do this is to map out your company’s departments, dependencies, and processes first. This is going to give you a clear and concise idea of where the effect will fall, depending on different causes. It’s also a good time for a company to take stock of their processes, to ensure you’re running everything as efficiently as possible within your framework. Within the planning, you’ll also want to find out what aspects of your business are most time sensitive to have up and running.

Look at your options
When you’re thinking about IT disaster recovery specifically, there are lots of facets that your company may need. For instance, in the event that your company is situated in a location with a high incidence of natural disasters (the east coast gets bombarded with hurricanes, California has their earthquakes, and don’t get me started on tornado alley…), it would do you well to have an offsite backup that’s farther away from your site. That way if one location goes down, the other can take the load and keep your company up and running while you clean up.

Another great aspect to look at when considering the location of your backup, is cost. Putting backup data in a location with cooler temperatures means not having to rely on powered heating for as much of the year. That can really help when your disaster recovery budget is tight. Another money saving option is placing your disaster recovery solution in the cloud. Not only can you spin up servers much faster than a more traditional IT infrastructure, but it allows the flexibility of only paying for the bandwidth and power that’s necessary. This way you don’t have to pay for resources you aren’t going to use, or find yourself stuck without the power you sorely need (especially in a crisis situation).

Consider outsourcing
Even with your data center in-house, outsourcing your disaster recovery solution can be helpful in many ways. Instead of having to shoulder the burden of managing your offsite backup, a hosting provider can provide the facility that will be way more cost-effective and less time intensive.

Having staff from a hosting provider manage your services can also mean not having to spend the time and resources training your own IT staff. Not to mention, in a disaster situation there are likely to be many different things your staff is going to be concerned with – taking a thing or two off their plate when it really counts can mean a little less sleep lost for you and them (and I can’t think of anything more important than that).

Here are some other resources that may be helpful when considering disaster recovery strategies:

Disaster Recovery Webinar Series
Join Online Tech’s Systems Support Manager Steve Aiello as he leads a three-part webinar series on the topic of disaster recovery.

Seeking a Disaster Recovery Solution? Five Questions to ask your DR Provider
Disaster recovery plans have become crucial for nearly every industry that relies on connectivity and uptime for business survival.

PCI Compliant Disaster Recovery
Within PCI DSS (Payment Card Industry Data Security Standards), there is a standard dedicated to having the merchant create an incident response plan in order to act quickly and surely in the event of a breach.

The post Business Continuity and Disaster Recovery appeared first on Managed Data Center News.

Lowering the Carbon Footprint
I had a chance to sit down with Yan Ness, co-CEO of Online Tech to discuss his thoughts on how the data center industry has impacted their carbon footprint. Watch the video below:

Every piece of hardware consumes some energy.  And for data centers this hardware consumes a lot of power.  As a result, the data center industry has begun using technology to make hardware more efficient.  “We can do more today than we could three or five years ago,” says Ness.  “We use less energy to do more work.”

Ness also uses the following example: If you take all the hundreds of companies who are consuming energy to power their servers and air conditioning and move them into a centralized location there are important advantages. First, the data center is much more efficient than any of the office buildings that were running their servers. Secondly, there is one centralized company paying for all of the power consumed by the servers and other equipment. Now, it makes economical sense for that data center to make capital investments and become more energy efficient; whereas it would be very unlikely that any of these companies could make these types of investments.

Data centers are in the business to store data. It does take power to run the servers, run the equipment, and run the air conditioning to keep the servers cool. And this power costs money. What people fail to consider is that it is in the data center industry’s best interest to become as energy efficient as possible. There is a direct benefit to constantly monitor the energy use of their facilities and make investments to improve efficiencies since it affects the bottom line.

Data Center Energy Efficiencies
The data center industry has made great strides in incorporating technology and investing in capital improvements to lower their carbon footprint. In 2012, Online Tech invested $1 million dollars into their Mid-Michigan data center and received an EPA ENERGY STAR certification for their energy efficiencies. This improvement resulted in Online Tech being in the top 25 percent of facilities in the nation regarding energy performance. Read how Online Tech has incorporated other energy efficiencies in their Michigan data centers.

Related Articles:
The Next Generation Data Center: How Michigan Data Centers Fit the Bill
Wouldn’t it be cool to have a time machine like Marty McFly in “Back to the Future” to see what technology will be in 20 and 30 years from now? Unfortunately, that’s only possible in the movies. In What will … Continue reading →

Could Wind Farms Power Michigan Data Centers?
Globally, data centers are seeing increases in their power consumption as well as higher energy costs. If you combine these factors together, you can understand why CIOs and data center operators are looking to alternative energy resources to reduce energy … Continue reading →

Online Tech Expert Interview: What is High Availability?
Using a High Availability (HA) architecture can greatly reduce the risk of losing revenue and customers due to a loss of Internet connectivity or loss of power. However, how much do you really understand about a high availability infrastructure? What … Continue reading →

The post How the Data Center Industry Lowers the Carbon Footprint appeared first on Managed Data Center News.

• PCI Cloud Hosting
• PCI Managed Servers
• PCI Colocation
• PCI Disaster Recovery

Read our previous article featuring an interview with one of the Compliance Day conference speakers Randy Gainer, partner with Davis Wright Tremaine LLP, about cloud service providers and the challenge of PCI cloud computing in Cloud-Based Mobile Payment Considerations at ETA Expo: PCI Compliant Cloud is Essential.

Other notable presentations on Compliance Day, April 30, include:

The Future of PCI: Securing Mobile Payments in a Changing World
Speaker: Troy Leach, Chief Technology Officer (CTO), PCI Security Standards Council

This session will provide an overview of what’s ahead with the release of the latest version of the PCI DSS mobile standards, as well as how to use the new PCI SSC mobile resources to ensure compliance. It will also shed light on today’s mobile payment environment as well as the associated risks and challenges when it comes to securing payment card data. Read our PCI Compliant Hosting white paper or our Mobile Security white paper for more about compliance and IT.

The session will also address the relationship between PCI standards and EMV (the global standard for credit and debit payment cards based on chip card technology; EMV stands for Europay, MasterCard and Visa, the original developers of the EMV specifications in 1994). Additionally, the discussion will cover new technologies available to reduce security risks and how to take advantage of them when planning for PCI in your business.

Other sessions focus largely on the theme of tackling mobile device security and mobile payment processing with The Future of Device Security and Card Brand Panel, featuring experts from all four card brands.

Not attending the ETA expo? Even if you are, sign up for our upcoming free webinar next week on PCI DSS Guidance for Mobile Security featuring guest Adam Goslin, COO of High Bit Security and Online Tech as we review the challenges and details of the recent PCI mobile guidelines as they relate to PCI DSS and PA DSS compliance. Submit your questions in advance:

Title: PCI DSS Guidance for Mobile Security
When: Tuesday, April 9 @2PM ET
Register: Visit the Event page for registration link.
Description: In February, 2013, the PCI Security Standards Council released a document covering Mobile Payment Acceptance Security Guidelines.  High Bit Security COO, Adam Goslin, will review the highlights of the recent guidelines, detailing some of the clarity and pitfalls contained in the recent mobile guidance from the PCI SSC, including impacts to PCI-DSS and PA-DSS compliance.

Adam Goslin, COO, High Bit Security, LLC
Adam has an IT career that spans more than 15 years, going on to found High Bit Security, a national security services provider, providing penetration testing solutions to clients who need to protect sensitive data in industries such as Healthcare, Credit Card, Financial, or companies that otherwise store Intellectual Property or Personally Identifiable Information. High Bit Security also provides security consulting services to our clients to assist them with their compliance objectives across PCI-DSS, PA-DSS, or simply wish to perform a security best practices audit of their organization. www.HighBitSecurity.com

Read more about mobile PCI compliance in:

PCI Webinar Recap: Updates to PCI-DSS Compliance for E-Commerce and Cloud Computing Security
On February 26th, Adam Goslin, COO of High Bit Security, joined us for the webinar Updates to PCI-DSS Compliance for E-Commerce and Cloud Computing Security. In the hour-long discussion Adam really dug into the specifics of the supplements that came … Continue reading →

New Industry Guidelines for Secure, PCI Compliant Mobile Payments
The PCI SSC (Payment Card Industry Security Standards Council) is looking alive this year, rolling out supplemental guides to help clarify a number of evolving PCI technical issues, including: PCI Cloud Computing E-commerce Security ATM Security Mobile Payment Acceptance Security … Continue reading →

References:
About EMV
2013 ETA Compliance Day (PDF)

The post PCI DSS Compliance Day at the 2013 ETA Expo Tackles Mobile Security Challenges appeared first on Managed Data Center News.

Lower Costs
Pooling of computing resources means better efficiency and use of the entire shared IT infrastructure, since only what is needed is distributed to applications on-demand.

Lower Maintenance Costs

1. Save on hardware upfront and maintenance costs since the cloud uses less physical resources.
2. If you outsource to a cloud service provider (CSP), you save on server, storage, network and virtualization staffing.

Cap-Ex Free Computing
The cloud allows you to eliminate the capital expense associated with building the server infrastructure.

Faster Deployment
Instead of installing and networking a new hardware server, a new server can be brought up and destroyed in a matter of minutes with the cloud.

Scalable
By buying the minimal amount of resources needed, you can easily add storage, RAM and CPU as application demands grow.

Resiliency and Redundancy
With a private cloud, you get automatic failover between hardware platforms, as well as disaster recovery services that bring up your server set in a separate data center in the event of an anomaly at your primary data center.

Yet even with these benefits, concerns around data and application security cause CIO hesitation in adopting the cloud for mission-critical support. The following articles offer insight on cloud security, from the e-commerce, retail and banking industries that deal with credit cardholder data, to the healthcare industry that deals with protected health information (PHI) of patients.

Overcoming Healthcare CIO Challenges with Secure & Scalable HIPAA Hosting
Big data is the big thing nowadays – analyzing and applying the mass amounts of health information collected daily is one way to improve patient care; an important objective not only due to the obvious but also necessary to keep up with the evolving healthcare payment model as it moves away from pay-per-service to patient health improvement.

But supporting all this big data and processes requires a robust IT system – one solution is a high-capacity HIPAA cloud; ideal for massive storage or synchronization. The cloud is highly scalable and grows with changing storage requirements. If outsourced, ask your HIPAA cloud provider if they also provide IT disaster recovery, a HIPAA requirement. … Continue reading →

State of Cloud Security: Vetting Applications and Cloud Providers for Compliance and Security
Only 43 percent of organizations audit or assess cloud computing resources before deployment. While vetting cloud computing providers for security may seem time-consuming, organizations should ask if their cloud infrastructure as a service providers (IaaS) can provide an updated audit report of their services and data center facilities. What types of audits should you look for in a cloud computing/data center provider?

SSAE 16
The Statement on Standards for Attestation Engagements No. 16 replaced SAS 70 in June 2011. A SSAE 16 audit measures the controls relevant to financial reporting; it verifies that the controls and processes set in place by a data center are actually followed. There are two types:  … Continue reading →

Your Cloud Hosting Provider May Be PCI Compliant But That Doesn’t Mean You Are
Compliance is non-transferable, is the jist of the PCI SSC’s recent supplement on PCI cloud computing guidelines for merchants (e-commerce, retail, franchise and anyone that deals with credit cardholder data). Directly referencing merchants that work with cloud service providers (CSP’s), the supplement lists a number of challenges of working with CSPs, one being important enough to single out in standard 5.1:

What does “I am PCI compliant” mean? Essentially, even if you contract with a cloud hosting provider that has successfully achieved an attestation of compliance with PCI DSS version 2.0, meaning they were independently audited and reviewed by a Qualified Security Assessor (QSA), this does not mean you as the merchant/client automatically achieves PCI compliance. A PCI cloud computing service provider can fulfill a number of the PCI technical requirements, but you still need to do due diligence to maintain your organization’s security and compliance. … Continue reading →

The post Pairing Cloud Computing Benefits with Security and Compliance appeared first on Managed Data Center News.

This can have its own set of challenges, however. The responsibility for PCI compliance is ultimately on the merchant, making the decision of who to work with an important and difficult choice. Hopefully these tips can help make that process a little easier.

Get the audit reports
When shopping around for a PCI compliant hosting provider, doing the due diligence to make sure they’ve followed all the necessary guidelines will save time and money when your auditor comes to call. Any potential providers should have a PCI DSS Report on Compliance (ROC) from their independent audit available to share with you. Not only will it provide you with explicit processes they use to keep them compliant, but the ROC can then be given to the QSA (Quality Security Assessor) to make your own audit simpler and quicker.

Keep your service providers organized
Organization is going to go a long way, no matter what subject we’re talking about. However, in regards to PCI hosting providers, having a concise list of providers that you work with, complete with contract information, is imperative. This list is going to make it easier for you to track the provider’s audit records, to ensure that they can prove to you ongoing compliance. Be sure to update that report any time a provider is added, removed, or if the contract has changed.

Get accountability in writing
PCI hosting providers should have a process in the event of a data breach. This plan should include a time frame for merchant notification. It should also include both the process of storing, and of destroying data once the contract has expired. Understanding how your data is being disposed of can keep you and your service provider from ending up with a fate similar to Walgreens, who was found in California last year with a mixture of hazardous waste and PHI in their dumpsters, and had to pay over $16 million in fines.

Monitor your provider’s compliance
As we’ve said countless times before: compliance isn’t just a check in the box, but a constant process to provide ongoing security to customers. While it would be easy to simply see that a hosting provider has been independently audited, it is crucial to continue checking back in. This way you have transparency into details of the provider’s workings that are important to your business – things like their dates of compliance and audit reports, for example. Simply put, having a good relationship with your hosting provider can help your business run more smoothly, and could keep you from the nasty costs and customer dissatisfaction that comes with a data breach.

To a business owner, the safety of customer data should be paramount to all other concerns. PCI compliant hosting providers can work together with merchants to keep that data protected without the extensive costs and resources associated with in-house hosting. But not all service providers are the same. So take the time to truly qualify your service provider. Not only can it save you time and money in the long run, it might save you some sleepless nights too.

Other Reading:
Who Needs PCI Compliance, Exactly?
PCI Compliance Breakdown: A Tale of Two Servers
Tackling PCI Compliance Challenges in the Cloud

The post PCI Compliant Tips: Working With a Hosting Provider appeared first on Managed Data Center News.

The Evolving Congressional Landscape
Speaker: Kimberly Brandt, Chief Oversight Counsel, Senate Finance Committee, Minority Staff
*All views are her own and not Senator Hatch’s or the Finance Committee’s.

What does the Senate Finance Committee Do?
Quick Facts on the Senate Finance Committee:

• Largest committee in the Senate
• 24 members  (Including chair and ranking member: 13 Democrats and 11 Republicans)
• One of the most powerful committees in congress
• Oversee 50% of the federal budget
• Confirms over 80 presidential nominations
• Jurisdiction of Department of HHS – Centers for Medicare and Medicaid.

What the Senate Finance Committee does:

• Legislative Hearings – Markups and approval of legislation such as Patient Protection and Affordable Care Act
• Oversight Hearings – deals with fraud, waste and abuse issues and the implementation of PPACA
• Confirmation Hearings  – The Senate Finance Committee confirms:

• Secretary of HHS,
• CMS Administrator
• Inspector General of HHS

The three biggest priorities for 113th congress include:

• Healthcare Patient Protection and Affordable Care Act (PPACA)
• Implementation Tax
• Reform Entitlement Reform – which is a huge issue with Medicare, Medicaid and Social Security hurrying towards insolvency.

The Senate Finance Committee will also be conducting investigations on Physician Owned Distributors (PODs). There are concerns related to conflict of interests in regards to PODs that may place personal profit ahead of care. The OIG issued a Special Fraud Alert concerning POD’s. Some of the arrangements are suspect and they want to be sure the arrangements are legal.

There is a high level of regulations as a result of PPACA. Lots of regulator reform and burden issues will continue to be an area of focus surrounding adoption and implementation of PPACA. Fraud and abuse issues are on the rise and a strong focus will be on health reform anti-fraud provisions.

The focus is shifting from complete repeal of PPACA, to targeted repeal between Democrats and Republicans. There have been numerous oversight efforts related to PPACA provisions. Most recently over $1 billion was cut from exchanges related to co-op loan programs due to the fiscal cliff deal.

In regards to the implementation of the PPACA exchanges, 33 states are going to participate in the federal exchanges, while 18 states and D.C. are going to run their own exchanges. These numbers were unexpected and it was actually thought that it would go the other way.

There is great concern regarding the costs of implementing PPACA. So far, HHS has given states more than 3.5 billion to build the technology and infrastructure to operate the health insurance exchanges, yet the IRS and HHS systems are insufficient. $300 million is needed to be sure that the IRS has the right technology and infrastructure in place this year.
For more information visit:
www.finance.senate.gov

Related Articles:
2013 HCCA: Latest Trends in Data Breach Threats
2013 HCCA: Mobile Threats and How Healthcare Can Reduce Risks
2013 HCCA: Cyber Compliance

The post 2013 HCCA: The Evolving Congressional Landscape appeared first on Managed Data Center News.

Only a week left until the 2013 ETA (Electronic Transactions Association) Annual Meeting & Expo in New Orleans. This conference is going to be held at the New Orleans Convention Center from April 30-May 2, and is expected to have over 3,000 industry executives to learn from and collaborate with.

Compliance is one of the many subjects being highlighted at the expo. Compliance Day will be held on April 30th, and will have over a dozen different speakers, both on panels and running sessions devoted to compliance in the payments industry.

One of these speakers is Randy Gainer, a partner with Davis Wright Tremaine LLP, who I had the pleasure of speaking with in regards to his session on challenges associated with cloud-based mobile solutions. Having focused on data breach litigation for over 9 years, and with over 20 years working for Davis Wright Tremaine LLP in the IT sphere, he has great insight into key areas of prevention and risk throughout the payments industry.

Gainer explained that there is a shift in focus when moving to the cloud. Instead of taking care of an infrastructure in-house, businesses are increasingly relying on outsourced cloud service providers (CSP) for the security of that core infrastructure. This can be a huge plus for businesses that no longer have to deal with the challenges of creating and maintaining that foundation, including merchants and mobile payment providers.

However, Gainer attests that it doesn’t remove security from the considerations of the company. Instead, the focus should change to securing the applications that will be placed on the cloud infrastructure, after ensuring that the CSP meets PCI DSS compliance for their part in the puzzle.

Outsourcing to a CSP means finding the right provider to partner with. A good CSP should fundamentally have at least two independent audit reports available for your review. The first is PCI DSS Level 1 report on compliance, prepared by an independent, qualified QSA (Qualified Security Assessor).

The second audit report is the SOC 2 Type II (not to be confused with SOC 1 or SSAE 16) developed by the AICPA (American Institute of Certified Public Accountants) specifically for technology vendors handling sensitive information. (Gainer notes that it’s important for a merchant to perform their due diligence on the CPA as well).

With many businesses not really sure how best to assess cloud security, Gainer explains that companies have, in the past, started small. That involved putting less critical data in a cloud environment first, where security is not as large of a concern. That doesn’t mean that there aren’t any secure cloud providers out there. “There are a subset of cloud vendors who have stepped up, and are securing sensitive data in the cloud,” Gainer mentions.

So, what can we expect in the future? Gainer says that we’re still in the early days of PCI compliant cloud adoption. But there is promise. The supplements that came out earlier this year by the PCI SSC push an important point: you can meet PCI DSS compliance with a cloud service provider.

“It’s encouraging to me – it helped rebut the myth that it just can’t be done in the cloud. It’s a useful change to the [PCI] SSC],” stated Gainer, who cites the apprehension associated with perceived cloud insecurities. “It has the potential to be as good, and probably better than in-house platforms.”

If you’re going to be at the ETA Meeting & Expo next week, Randy Gainer’s talk, Legal and Technical Security Challenges for Cloud-Based Mobile Payment Solutions, looks to be very informative. Any merchants who need a compliant environment and are already working or plan to partner with a CSP do not want to miss this learning opportunity. He will be speaking 3:15-4pm on Tuesday April 30th.

Also, don’t forget to come say hello to Online Tech in booth #1237 between sessions.

Randy Gainer, Davis Wright Tremaine LLP

Randy Gainer litigates information technology, intellectual property, communications, and media cases as Partner for Davis Wright Tremaine LLP. He also advises business leaders regarding steps they need to take to comply with data security laws and industry standards, privacy requirements, and data breach notification statutes, and assists businesses conducting information system risk assessments.

Please note that Randy Gainer has no business relationship with Online Tech other than the generous sharing of his domain expertise.

Find out how to handle mobile app and device security in by reading our Mobile Security white paper. This white paper explores approaches to mobile security from risk assessment (what data are truly at risk), enterprise architecture (protect the data before the devices), policies and technologies, and concludes with an example of a mobile security architecture designed and implemented within a hospital environment in which both enabling caregivers and protecting privacy, integrity, and confidentiality are paramount.

Looking for more information on PCI hosting requirements, recommendations, and the foundation of a secure PCI compliant data center?

Download our PCI Compliant Hosting white paper now for a complete guide to PCI hosting with IT vendors.

Related Articles:
PCI Compliant at the ETA Annual Meeting & Expo
Four Ways to Gain Transparency with PCI Hosting Providers
Risk Assessments for the PCI Compliant Cloud

The post Cloud-Based Mobile Payment Considerations at ETA Expo: PCI Compliant Cloud is Essential appeared first on Managed Data Center News.

Advanced Discussion Group: The Latest Trends in Data Breach Threats
Speaker: Ted Kobus, Co-Leader, Privacy and Data Protection, BakerHostetler

Ted directed an open roundtable discussion among twenty or so audience members who worked within either a compliance, government or consultant role surrounding data breaches.

Those that worked on the compliance side of a data breach were asked to share what their role entailed after a breach occurred and how they move forward providing information to appropriate parties in the wake of a breach. All were in agreement that their position required heavy lifting on the side of analysis in order to determine:

• What sort of data had been breached
• How much data had been breached
• What sorts of organizations needed to be involved in the aftermath of the breach
• What portion of the general public was affected by the breach
• Which stakeholders needed to be involved in the decision making process to move forward

There was some volleying back and for the between the audience on whether or not it is better to push a notification through when there had been a breach before sufficient facts and evidence had been collected, and then back track if the breach was not as big as initially anticipated. Or whether it was better to gather as much information as possible and answer the items bulleted above before making any sort of public facing announcement.

The discussion went on to include the focus of CEOs versus Compliance Officers in the wake of the breach. For most CEOs of an organization, reputation, operations and financials are going to be their primary point of focus in the wake of a breach, but will take a backseat during the initial breach investigation.

Questions circled back around to whether or not is right or wrong to push out notification of the breach, before all of the information is collected. After a bit of deliberation on the key questions to ask, most audience members agreed that the following questions should be answered before any type of notification is pushed out the door.

• How did the breach happen?
• What is the organization going to put in place so that it does not happen again?
• What data was breached and how much?
• Was it encrypted?
• Who from the general public are you going to be hearing from?

With the answer to those questions in place, the notification and communication that ensues between the organization, affected public and media will be much smoother to deal with from the PR side of the situation.

Ted noted that the two biggest aspects of the Final Rule to make note of for every organization was compliance and documentation.

Key discussion takeaway?

Your organization must make developing a culture of compliance its first priority. It will make life easier on everyone in the organization in the event of a breach investigation.

Related Articles:
2013 HCCA: The Defining Moments of a Data Breach
HHS Wall of Shame: Forty Percent of 2013 HIPAA Breaches Involved Business Associates
Healthcare Industry Loses $7 Billion Due to HIPAA Data Breaches

The post 2013 HCCA: Latest Trends in Data Breach Threats appeared first on Managed Data Center News.

Where: T5 Data Center, El Segundo, CA
Time: 3:30-6PM
Date: Tuesday, April 23, 2013
Description: With so much confusion surrounding compliance issues, please join us for an in-depth discussion about auditing and compliance in the data center including understanding how SAS 70; SSAE 16, SOC 1, 2 & 3 reports impact the data center as well as comparing, contrasting and elucidating the features of PCI DSS and HIPAA. Find out how auditing and compliance impact processes, design and operations. After the panel, tours will be conducted of T5’s new data center.

Panelists include:

Lynn McIntier, IT Audit Senior Manager at SingerLewak LLP
SingerLewak LLP is a regional accounting and consulting firm. Lynn was previously Senior Manager of IT Consulting & Audit at Moss Adams LP as well as IT Manager at Irving Tanner Company. Lynn is a expert in audit related to IT operations and brings a wealth of experience to the panel discussion.

Marcy Maxwell, Director, Security Operations and Business Controls, Digital Realty
Marcy brings 18 years of industry security experience to the panel discussion from her positions at AboveNet, 365 Main and Digital Realty. Marcy is responsible for driving operational consistency for Digital Realty’s security operations across the portfolio of 22.6M square feet, which includes Security Policy, Emergency Response training programs, and the annual SOC 2 program.

Jason Yaeger, Online Tech’s Director of Operations, Risk Management and Security Officer
He has guided the company through the successful completion of many audits including SAS 70 Type I, SAS 70 Type II, SSAE 16, SOC 1-3, HIPAA and most recently PCI. He will share how these audits and compliance standards affect not only operations and processes, but also other design implications. He is also Vice President and founding member of 7×24 Exchange Southeast Michigan Chapter.

For more about data center standards and audits, read:

Data Center Standards Cheat Sheet – From HIPAA to SOC 2

The post Data Center Compliance – It’s Mission Critical! Online Tech Presents on HIPAA & PCI appeared first on Managed Data Center News.

Mobile Threats and How Healthcare can Reduce Risks
Speakers: Rick Cam, President & Co-Founder, ID Experts
Ted Kobus, Co-Leader, Privacy & Data Protection, Baker Hostetler

Rick and Ted opened with a couple of questions for the audience:

• How many of your organizations allow use of personal mobile devices in your practices?
• Does your organization have policies and best practices in place for using those devices?
• How many are in compliance roles within your organization that set those policies and standards?

They cited a study that had been conducted to find how many organizations allow their employees to bring their own devices (BYOD) to work. Roughly 81% answered that their employees can bring their own device to work. 53% of those surveyed are allowed to use unsecure wi-fi access. They continued by asking how many people in the room had longer than a 4-digit password for the cell phones and tablets. Ted and Rick went on to explain that most password policies within organizations are inconsistent across the board for devices that are used for or contain PHI (protected health information).

While they noted that cell phones and tablets are a great platform for collaborating and sharing information across organizations, how organizations deal with inconsistencies in their policies will determine how well they are able to mitigate risks in relation to a BYOD policy for employees.

Creating BYOD policies are necessary for organizations to mitigate risk and there are several ways to go about implementing those policies and creating a culture of compliance. Treating the device as corporate property is the quickest way to begin installing a culture of compliance in an organization where BYOD policies are in place. Employees wouldn’t be quick to share a company-owned phone or laptop with their spouses and children.

Another solution to mitigate the risk that is inherent with these devices is to install encryption. Ted and Rick shared several examples where devices had been stolen and encryption could helped prevent the breach of PHI data if they had been in place and turned on. Just because the device requires a password, does not mean that the device is encrypted.

An audience member raised the question as to whether a BYOD is really in the best interest of an organization. The audience member pointed out that their organization issues every employee a company owned iPhone that is encrypted, but several employees still insist on being able to use their own device and they wanted to know how to deal with those kinds of situations when they arise.

Ted and Rick suggested having an organization wide training day for policies and best practices for the use of personal devices, citing that a CEO is not going to want to attend an entire of training and that may trickle down encouraging employees to simply use the organization issued device.

BYOD policies, information that may have been on one device gets moved to another device. Encrypting individual files vs. encrypting the entire device. Just because there is a password on it does not equal encryption.

Text messaging is another issue for many organizations at this point in time and the usage of text messaging is growing rapidly. Many organizations, again, have not yet identified all of the risks associated with sharing information via text message. By educating people to slow down and check the information they are sending, organizations will be a step ahead and better able to mitigate risks associated with text messaging.

Key lecture takeaway?
“The only thing worse than not having a policy? Not following your policy.”

Find out how to handle mobile security in your workplace by reading our Mobile Security white paper. This white paper explores approaches to mobile security from risk assessment (what data are truly at risk), enterprise architecture (protect the data before the devices), policies and technologies, and concludes with an example of a mobile security architecture designed and implemented within a hospital environment in which both enabling caregivers and protecting privacy, integrity, and confidentiality are paramount.

Related Links:
Global Mobile Trends See Rise in BYOD; Policies Lag
Mobile Security White Paper: Policies, Technology & BYOD
Protecting Health Information in the Era of Mobile Devices: The Practicalities & Problems of BYOD
Recommendations for Mobile Health IT Advancement
Securing Smartphones: Simple Steps to Avoid a Data Breach

The post 2013 HCCA: Mobile Threats and How Healthcare Can Reduce Risks appeared first on Managed Data Center News.

The Defining Moments of a Data Breach
Speakers: John Ford, Principal, Sienna Group LLC
Kurt Long, CEO, Founder, FairWarning Inc.

Kurt and John have teamed up several times to give this presentation and the following presentation was a dialogue between both Kurt and John on dealing with healthcare data breaches.

Kurt – Data breaches with a healthcare organization take on many forms. Research shows that most organizations are not well prepared to detect and combat data breaches.

John – Fraud is a huge issue. In many of the fraud scenarios, it pertains mainly to patient data. Healthcare fraud in the U.S. costs the industry $80 billion to $225 per year. The key to lowering the number is to catch the criminal behavior at the point of origin.

Kurt – Organization today are dealing with much more heightened issues pertaining to a data breach. There are several types of “follow-up” crimes that can come out of a data breach of patient information. Kurt highlighted the following:

• IRS tax fraud
• Identifying theft – creating false financial information is very common with deceased patients.
• Racketeering
• Mail fraud
• Immigration fraud
• Creation of “shell” businesses for the purpose of money laundering

Organized criminals have noticed that health care providers have incredibly critical information pertaining to an individuals’ financial information and their systems often have major privacy and security vulnerabilities.

John – Most people are not prepared for data breach that occurs through organized crime. Those types of organizations typically receive a call from law enforcement (considered an external notification) and in those cases, everything comes to a grinding halt for about 48 hours while executive and operational teams are deployed to investigate the source of the breach.

The general theme at that point in time is to develop a breach response plan. Most people do not have an adequate plan that they test prior to any sort of breach and are scrambling to put one in place.

Organizations need to have a plan already in place because time is not your organization’s time in a situation that big. Upon notification of the breach, the organization will be pressed for an explanation from everyone; from the media to patients and providers.

John listed the key issues to address at that time of a breach:

• Learning how the internal breach occurred
• Figuring out why the breach was not detected to begin with
• Understanding the scope of fraud as a result of the breach
• Steps patients and providers should be taking as a result of the breach
• What the organization is doing as a result of the breach

Having a well-crafted plan in place for a data breach will be imperative for your organization. The plan must include a method for active user activity monitoring and thorough log correlation and analysis.

Kurt – By using constructive knowledge leading up to a data breach and proactively taking the correct steps trying to implement the correct processes, you may be immune to civil penalties.

John – Modern strategies out there to impede fraud and future strategies will strive to stop the fraud at the point of origin.

Encryption and authentication are not going to help after a breach. The organization has to go out and find the answers and track down the user logs, essentially shutting the businesses down for 105 days while they try to figure out where the breach came from.

Take-away points from the presentation:

• Healthcare organizations have unique vulnerabilities to data breaches and fraud given the type of sensitive data the record contain and the wide-spread access to the care-providing functions
• Criminal organizations are maturing and beginning to target the vulnerabilities of healthcare organizations with the intent to commit fraud
• The current model of backtracking to figure out where a breach came from is inefficient  and does very little to actually pinpoint the issue
• Healthcare organizations need to do a better job at monitoring user activity to detect abuse of the system and more efficiently find information in the event of a breach. Learn more daily log review and file integrity monitoring (FIM) and how these technical services can help your organization prevent or remediate effectively after a data breach.

Related Articles:
2013 HCCA: Hidden Liabilities in the EHR
2013 HCCA: Cyber Compliance
2013 State of HIPAA Encryption & Authentication for Healthcare

The post 2013 HCCA: The Defining Moments of a Data Breach appeared first on Managed Data Center News.

Hidden Liabilities in the EHR
Speakers: Catherine Gray, Director Corporate Compliance, Vidant Health
Yolanda Whichard, Medical Internal Auditor, Office of Audit and Compliance, Vidant Health

Catherine stimulated thought on some of the pitfalls and issues of EHR (electronic health record) systems within hospitals and physician offices. Vidant Health systems works with ten hospitals from small to full-fledge academic hospitals, serving 29 counties in North Carolina.

The biggest pitfalls she points out with some EHR systems are:

• Data is in multiple locations, lots of duplications, readers may miss new information just because there is so much information in so many places.
• Most nursing documentation is captured in flow sheets that carry multiple dropdown boxes. With dropdown boxes, it becomes very hard to capture unique health items for the patients.
• Academic medical institutions occasionally carry forward notes that were made by medical students.
• User login and user electronic signature should link to credentials, but don’t necessarily do so each time a care provider logs into their EHR systems. Some programs also won’t recognize credentials when an order is placed. If this happens, Medicaid will deny the order until they receive the care provider’s credentials through the system.
• Some patients see EHR as a barrier between patients and their physicians. Particularly it is a long-term doctor-patient relationship, the patient may not feel as if the doctor is listening if they are continuously entering data in a computer.
• EHR systems are easier, not necessarily faster when shifting through medical information for a patient.
• There is a certain amount of fear with fields that auto-populate. The information must be evaluated before it’s finalized and sent anywhere or carried forward.
• Copy and paste features should be used for information that is consistent. Some information that is copied and carried forward in a patient’s EHR file may be coming from information outside of the EHR.

The information is meaningful and reflects the quality of care you give. Patients have access to their information now more than ever; it is key to make it meaningful for them.

The second speaker, Yolanda went on to discuss contractual landmines that may arise in purchasing an EHR system. You cannot trust every contractor of EHR systems you run across. You need to be sure you have covered the following areas in your contract with your EHR provider:

• Liability shift
• Data ownership
• Indemnifications
• End user license agreement
• Fees (future upgrades and enhancements/ support and maintenance)

Interoperability is key to have between all EHR systems. It has been documented in certain cases, where a patients medical information was deleted from one section of an EHR system, but was not deleted from another section of an EHR. The particular case that was discussed, resulted in unnecessary surgery for one patient.

For a complete guide to HIPAA technical, administrative and physical security, read our HIPAA Compliant Hosting white paper. This white paper explores the impact of HITECH and HIPAA on data centers. It includes a description of a HIPAA compliant data center IT architecture, contractual requirements, benefits and risks of data center outsourcing, and vendor selection criteria.

Related Articles:
Federal Health IT Budget Increases by 28 Percent: Encryption, Mobile Security & EHR Safety
Liveblogging from HIMSS 13: Managing Privacy and Security Challenges of Patient EHR Portals
Safeguarding Patient Data in EHRs

The post 2013 HCCA: Hidden Liabilities in the EHR appeared first on Managed Data Center News.

Cyber Compliance: What Every Compliance Professional Needs to Know about Cyber Risks and Cyber Vigilance
Speakers: David Childers, President and CEO, Compli
Vivek Krishnamurthy, Associate, Foley Hoag LLP

David – Cyber crime is the highest growing economic crime and has become more lucrative than dealing drugs. Historically data breaches and cyber crime was reserved for large organizations and banks, because data was most plentiful there. The scene has changed now.  Mid-level folks with RF scanners are now going into bars stealing identities.  Reputation damage and risk is 5-7 times more impactful to an organization’s base market than an economic crisis. At $194 per record lost, it gets costly if you add up how many records you lose. Brand damage, share price, employee morale and business relations goes down.

Why cyber crime? And why is it a problem? You had to be a criminal and coder originally to really pose as a cyber threat. Malicious intent and ability to code were needed, and that’s not the case anymore. Malware as a service companies exist outside of the company. Espionage exists in corporate and government settings. Some people are going to mess with systems because they believe the companies are doing something they don’t approve of. And finally, terrorists are beginning to use cyber crime more and more.

Vivek- Health records are huge sources of information and personally identifiable info that is important to a cyber criminal. All you need to steal someone’s identity and finances can all be contained within health records.  Cyber terrorists increasingly are targeting critical systems. Healthcare is at risk of being a target in the eyes of those who want to wreak havoc on control systems and network controls. If your IV pump can be controlled remotely, that poses a huge threat. Everyone needs to be attuned to these kinds of motivations and how it could affect them.

David- Activism can come from your own employees. Who is the internal cybercrime risk? Disgruntled employees are a huge risk for any organization. It is important to get them out of your system as quickly as possible.

Major organizations such as CIA, FBI, NASA… all got hacked last year. There is no such thing as complete IT security. It is key to know who your cyber neighbors are when operating in the cloud. Everyone needs to also create a human firewall at this day in age. Educate your team: what, why, how. People are the weakest link to your system. Increase your threat awareness and stay vigilant. Cyber governance, means cyber vigilance. The groups trying to get your information are coming from all over. They are competing with one another. It’s possible that the threat could be coming from a terrorist or even someone disgruntled with your organization.

Vivek- Relevant to data breaches, HIPAA is the main framework and the keystone federal law. What does HIPAA have to do with us? HIPAA Security Rule:

(2) Protect against any reasonably anticipated threats or hazards to the security or integrity of such information.

(3) Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required.

When HIPAA was being drafted by HHS, people were concerned with work stations being left unlock or an employee who left and was possibly disgruntled.

Vivek highlighted the following emerging “Reasonably Anticipated Threats”:

• Operating system flaws
• Flaws in EMR system
• Patient Information Apps
• Networked medical devices and control systems
• Mission critical IT systems on the cloud. What happens on a cloudless day?

Lots of people are movie to the cloud. Responding to the threats is key. You need to have someone in your organization who is constantly vigilant and developing and implementing cyber incident response protocols and procedures.

Social engineering attacks are also  on the rise. All of us have several accounts across the internet, whether they be social network accounts, shopping accounts or bank account. All have a lost password recovery feature. One may ask you for the last 4 digits of your credit card and another site may ask you for the first four digits. A savvy hacker will search that out and use it against you.

Once a data breach has occurred, local law enforcement and FBI are who you want to work with, but if you believe you are being hacked, the US Secret Service is who you want to work with. There are over 30 offices of secret service able to help if you believe you are being hacked.

The post 2013 HCCA: Cyber Compliance appeared first on Managed Data Center News.

Online Tech’s HIPAA hosting solutions include:

• HIPAA compliant colocation with high availability power and offsite backup options.
• HIPAA compliant dedicated servers with fully managed services.
• HIPAA compliant private clouds with fully managed services.
• HIPAA compliant disaster recovery and offsite backup.

Good morning from HCCA! Online Tech is exhibiting at booth #919.

Mike Kroon Exhibiting HIPAA Hosting Solutions at HCCA

Stop by, say hello and take a peak at our water front view of the harbor!

HCCA View of the Harbor

Try your hand at the HCCA wheel of fortune for your chance to win prizes right around the corner from us.

HCCA Compliance Institute Wheel of Fortune

The post Liveblogging: 2013 Health Care Compliance Association Compliance (HCCA) Institute appeared first on Managed Data Center News.

Social Media and Healthcare
Speaker: Matt LaMond, TranscriptionGear.com, Founded Social Presence back in 2009

With the rapid growth of social there is an overwhelming rise in the amount of information shared among individuals, businesses and organizations. Simply look at the upcoming implementation of EHRs. There are questions and concerns surrounding social media, particularly for those in the healthcare industry who do not have a social media presence and are looking to get involved.

Matt opened up by sharing the most frequent questions he receives in regards to social media from those who do not yet maintain a presence:

• Does social media really have an influence?
• Is the influence of social media good or bad?
• Can anyone hop on board and join social media?

One of the biggest upsides social media presents to individuals in particular is the ability to resolve issues with national brands promptly through social. No brand or organization wants bad press, and social media offers up a platform for prompt response and resolutions for customers. It can shine a positive light on an organization’s response time and customer service experience.

However, there are several downsides to social media in terms of privacy and personal information. Before the rise of social media, there was concern over giving out email addresses, phone number and addresses. With the dawn of social media, we don’t think twice about sharing that information any more.

Matt raised awareness on just how much information someone can pull from simple status updates and photos to Facebook. Take someone posting an ultrasound photo to Facebook for example. While someone is probably incredibly excited about sharing that photo innocently enough, that doesn’t mean everyone viewing it will use it innocently enough. Consider this, with that one picture you could potentially have just provided the following information:

• You will be out of your house for x amount time to deliver the baby
• What hospital you will be at in a specific state or town. Same went for the example he gave for a picture someone posted while attending a funeral.

Connecting social media and your healthcare organization or business requires a little more caution and due diligence than it would if you were just using it as an individual.

Several keys points raised to consider for any healthcare organization looking to build a social media presence were:

• The regulation components associated with an online presence and healthcare
• Protecting the integrity of yourself, business or organization in the public eye
• Protecting the integrity of your patients and their information
• Protecting the general population. The most important task to perform before pushing out any information to social media on your organization’s behalf is to review, review, REVIEW. Have multiple set of eyes within your organization read over it before you push it out the door if possible. Once you release the information to the web, it is almost impossible to pull it off without legal action.

Big data is one of the major benefits of social media. Through a simple search, you can pull key demographics, improve accessibility to information, disseminate information quickly, identify outbreak trends and educate and enlighten.

Look at the influenza outbreak that occurred late in 2012. Google actually mapped out, based on tweets on the influenza, the location of all outbreaks. See link: http://healthmap.org/en/. By having access to this kind of information, hospitals could potentially prepare and estimate the number of patients they may see based on location and density of outbreak point.

The breakdown of how America search for health information:

• 34% use social media
• 46% using health portals
• 67% using search engines
• 21% use wikipedia
• 36 % Want to see what other consumers say about medicine or treatment

This is a great example of real people wanting to communicate and know how a treatment worked for another human being.

Matt asked the audience if anyone felt overwhelmed with the amount of information he was throwing out on the scale and magnitude of what social media could for healthcare.  He reminded everyone that no one really knows exactly what they’re doing with social media.

Social media is really a conversation and people you know are already using it to communicate. People are attracted to social media and want to find you, because they are looking for a “person just like them” more than authority figures in business and government. If entering the social media realm, seek to have a dialogue with your consumers. Transparency, honesty, trust and transparency are key components to any successful presence.

Resources for monitoring what is being said about your organization:

• Technorati.com/watchlist – watches for terms and updates you on what’s happening
• Google.com/alerts – email updates for company and keyword alerts.
• Yahoo.com – alerts on any occurences of defined terms and names

If you find you are gaining bad press, Matt urged the audience to deal with it right away. He stressed that you should draft a response strategy beforehand and back it up with visible action. Best advice for beginning a social media presence? Be consistent and keep it simple.

Related Articles:
2013 IHIMA: Meaningful Use
2013 IHIMA: Corporate Compliance for Healthcare
Liveblogging: HIPAA Hosting at the Indiana Health Information Management Association Meeting

The post 2013 IHIMA: Social Media and Healthcare appeared first on Managed Data Center News.

State and Federal Legislative Update
Speaker: Brian Tabor, VP Government Relations, IHA (Indiana Hospital Assoc.)

Brian Tabor addressed the crowd with the latest changes in the Indiana state government with new Gov. Mike Pence ( R ), Lt. Gov. Sue Ellspermann ( R ) and the new Republican majority in the legislative branch and what that means for the bills and legislation currently on the table.

In terms of healthcare, there has been a strong state focus from Indiana and what they are working on in their own backyard in relation to the national healthcare landscape.

Brian works with over 150 state legislators and several agencies to represent hospitals and those with specific roles between the government and hospitals. He noted that it has been key to have senators and representatives who have a background in healthcare. He mentioned Rep. Tim Brown, an ER physician, who handles a lot of the healthcare relations and concerns that pass through the Indiana Legislature and is now Chair of the House Ways and Means Committee.

The biggest issues currently facing those working in hospitals in Indiana in regards to the either new legislation and HITECH are:

• Renew Hospital Assessment Fee program
• Expand coverage – Medicaid expansion, part of affordable care act
• Defend against threats – Added regulatory reporting

What are they following and advocating? He mentioned that while IT issues are a concern for the state, they fell to the second tier in regards to the issues stated above.

Brian went on to discuss several bills going through the IN legislative branch that could affect healthcare for patients. A few he touched on were:

Children and Hoosier Immunization Regulatory Program (CHIRP); in which, among other provisions, the bill introduced would require ALL providers to report ALL immunizations within 72 hours or face a $1,000 fine.

Senate Bill 272 (INSPECT) – A proposal that was made during a committee meeting which would require all legend drug prescriptions to be entered into INSPECT. Several concerns have been raised around INSPECT, mainly dealing with patient privacy and confidentiality, but some concerns were raised for the real time reporting and entry of the information collected.

There has been much press lately at a federal level as to examining the strategies that are going to be needed to fully adopt health IT. Five areas where there are questions remaining for some at the federal level focus on the following:

•     Lack of a clear path to interoperability
•     Increased costs of moving to EHR
•     Possible lack of oversight
•     High risk of patient privacy
•     The sustainability of the entire program

Brian C. Tabor, VP Government Relations, IHA (Indiana Hospital Assoc.)

Brian C. Tabor is Vice President of Government Relations at the Indiana Hospital Association. As such, he oversees all of IHA’s state and federal legislative initiatives and health policy development.

Prior to joining IHA in 2008, Tabor worked at the Indiana House of Representatives where he served as the majority caucus policy director. He has worked for and around the Indiana General Assembly for almost 15 years, also serving as a fiscal analyst for the Indiana State Senate. He earned a bachelor’s degree in political science and a master’s degree in agricultural economics from Purdue University.

For a complete guide to HIPAA technical, administrative and physical security, read our HIPAA Compliant Hosting white paper. This white paper explores the impact of HITECH and HIPAA on data centers. It includes a description of a HIPAA compliant data center IT architecture, contractual requirements, benefits and risks of data center outsourcing, and vendor selection criteria.

Related Articles:
2013 IHIMA: Meaningful Use
2013 IHIMA: Corporate Compliance for Healthcare
Liveblogging: HIPAA Hosting at the Indiana Health Information Management Association Meeting

The post 2013 IHIMA: State and Federal Legislative Updates on Healthcare and HITECH appeared first on Managed Data Center News.

This session is about a lawsuit involving the breach of protected health information (PHI):

The Future is Here: Lawsuits by Patients for Unauthorized Disclosure of Protected Health Information
Speaker: Neal Eggeson, JD

Neal gave his opening statement for a lawsuit in which he represented a young man a few years back in Bloomington, IN. His client had been diagnosed with HIV several years before and throughout his entire treatment process had only told 5 people about his status; His mom, doctor, counselor and two partners.

A few years down the road, the young man received a notice from IMA that he was being sued for an unpaid medical bill of roughly $330. His doctor and insurance had never made any mention of the unpaid billed. After looking at the lawsuit document, he noticed that his diagnosis was right there on the page for IMA’s attorney, administrative assistants, courthouse clerical staff and anyone else to see since lawsuits are open public record.

The jury in the case ruled that IMA dropped the ball on protecting private patient information and was charged for a settlement of $1.25 million over a $330 unpaid medical bill simply because it listed the patient’s diagnosis on the claims page.

Neal made it clear that he was not suing IMA for a violation of HIPAA, he was suing because IMA dropped the ball on their duty to protect private patient information.

It was the first lawsuit in the country after implementation of the privacy rule and the first lawsuit in the country to return a seven-figure verdict against the provider for that particular privacy breach.

Always remember, do not assume that:

• HIPAA’s bar against private causes of action will protect you
• The medical community will protect you
• That disclosures to your attorneys are protected

Read the court case here (PDF).

Related Articles:
2013 IHIMA: Meaningful Use
2013 IHIMA: Corporate Compliance for Healthcare
Liveblogging: HIPAA Hosting at the Indiana Health Information Management Association Meeting

The post 2013 IHIMA: Lawsuits by Patients for Unauthorized Disclosure of Protected Health Information (PHI) appeared first on Managed Data Center News.

The following session covered meaningful use with healthcare professionals:

Meaningful Use
Speaker: Jeff Short, JD, Hall Render, Killian Heath and Lyman

Jeff highlighted the key core objectives that will be coming in every stage of meaningful use. One of the biggest changes to affect healthcare professionals is the change to e-copy and online access found in Stage 1 that will be effective as of 2014.

This change will require that healthcare organizations provide patients with an e-copy of health information upon request. Electronic access to health information must be provided where patients will have the ability to view and download records from online.

Other items in the core set of objectives that Stage 2 will address for eligible hospitals:

• Demographics- patient demographics must be stored in EHR’s
• Labs – incorporate lab results for 55% of data you can run reports against
• Patient List – be able to generate patient list by specific condition
• Patient access- provide online access for 55% of patients with 5% actually  accessing it. Can get creative on how patients access it. Could have them fill out something online. Joint community portals
• Summary of Care – provide summary of care of 50% of transition of care and referrals with 10% sent electronically.

The heaviest emphasis for a Stage 2 core objective was for security analysis. Hospitals must conduct and review a security analysis and incorporate it into their risk management process. Jeff could not emphasize enough that you HAVE to have a security analysis and it MUST have some rigor to it.

Every single data breach write-up he has read has stated that the hospitals in question said that they had performed a security risk assessment, when they in fact had not. Simply put, performing a security analysis is the right thing to do because it protects your patients’ data. You’re also protecting yourself from the state attorney general. You have to perform the analysis to comply with HIPAA. They are already beginning to write people up for HIPAA violations. Fines are beginning to seven figures now for even minor breaches.

He mentioned that there is some discrepancy between whether or not you have to use an external auditor or whether you can do an internal audit and attest that you have met the requirements. While it is noted that you can do an internal audit, it is simply smarter and safer to have an outside vendor perform your audit.

Jeffrey Short

Jeffrey W. Short, JD, Hall, Render, Killian, Heath & Lyman, P.C.

Jeffrey W. Short advises large and small companies on legal issues relating to computer hardware, computer software, technology, privacy, copyright, trademark, and the Internet. Mr. Short concentrates his practice on information technology and privacy issues relating to health care entities, including hospitals, physician groups, and pharmaceutical companies. Specifically, Mr. Short assists his clients in the procurement of technology by drafting and negotiating the necessary agreements including software development, software licensing, and IT consulting agreements. In addition, Mr. Short has vast experience in the development of protection policies, not only in the technology arena, but also in the areas of intellectual property and the Internet. Mr. Short routinely assists local and national clients on privacy issues including HIPAA compliance. Mr. Short has made numerous speeches relating to HIPAA and technology procurement in health care, including speaking at the 2001 National HIPAA Summit.

About the Indiana Health Information Management Association
The Indiana Health Information Management Association (IHIMA) is a non-profit healthcare professional association representing over 2,000-credentialed Hoosiers. IHIMA is an affiliate with American Health Information Management Association (AHIMA) as a Component State Association. Our purpose is to commit to excellence in the management of health information for the benefit of patients and providers.

The post 2013 IHIMA: Meaningful Use appeared first on Managed Data Center News.

This educational session details dealing with corporate compliance in the healthcare industry.

Elements of an Effective Compliance Program
Speaker: Marsha Shepard, RHIA; Director of Corporate Compliance Memorial Hospital & HCC; Jasper, IN

“We all live in compliance as IHIMA professionals,” Marsha pointed out at the beginning of her speech. Throughout the lecture, she repeatedly mentioned that achieving compliance is a team effort and collaboration throughout an organization – from working internally with everyone from the Board of Director to remotely contracted employees and externally with auditors and consultants.

Compliance is a choice for organizations, but there will be strong consequences for not following. She humored the audience by likening compliance to stopping at a stop sign. Just because the laws are in place to do so, doesn’t mean that an organization or everyone in an organization will comply.

A strong compliance program for any organization should include the following 3 P’s:

• Provide direction and answers
• Prevent, detect and report any unethical or illegal behavior
• Promote integrity

With HIPAA and HITECH, your role as an organization, from a high level perspective, should be to:

• Remain honest, respectful and ethical throughout your business conduct
• Identify and prevent illegal and unethical behavior
• Improve quality of care
• Develop a culture of reporting without retaliation
• Follow compliance policies and procedures

Social media has raised flags within the healthcare world in relation to HIPAA. Marsha said she knew of four people who had been turned in for abuse of social media in the hospital environment. With the age of smartphones, there is a huge need for secure apps that allow doctors and staff to share information back and forth in real time, but she cautioned that until the security is in place, “Just because it’s easy, doesn’t mean it’s right.” There needs to be social responsibility and respect in regards to all social media in the healthcare environment.

With all the changes and laws being hurled at healthcare organizations, it can feel like an organization is moving at 100 MPH. If an organization is to achieve compliance, they must slow down.

She laid down five questions that an organization should ask when looking to form a compliance program:

• Where are you going and why is implementing compliance key for your organization?
• What is your organization’s commitment to compliance?
• Why is it necessary to adhere to the organization’s policies and procedures as well as applicable laws and regulations?
• What duty do employees have to report concerns or misconduct?
• Do you know your organization’s compliance program, including reporting and/or mechanisms and the organization’s commitment to non-retaliation?

Not all compliance programs are going to be the same and compliance officers may wear many “hats” within their organization. Conducting a risk assessment with an outside auditor or consultant on an annual basis is highly recommended.

To achieve success within any compliance program, the organization should:

• Know their strengths
• Communicate early
• Keep a good hand on the situation
• Maintain and build trust

For a complete guide to HIPAA technical, administrative and physical security, read our HIPAA Compliant Hosting white paper. This white paper explores the impact of HITECH and HIPAA on data centers. It includes a description of a HIPAA compliant data center IT architecture, contractual requirements, benefits and risks of data center outsourcing, and vendor selection criteria.

About the Indiana Health Information Management Association
The Indiana Health Information Management Association (IHIMA) is a non-profit healthcare professional association representing over 2,000-credentialed Hoosiers. IHIMA is an affiliate with American Health Information Management Association (AHIMA) as a Component State Association. Our purpose is to commit to excellence in the management of health information for the benefit of patients and providers.

The post 2013 IHIMA: Corporate Compliance for Healthcare appeared first on Managed Data Center News.

According to AMI’s 2009 U.S. Small Business Annual Overview study, 70% of small U.S. businesses have experienced a data loss in the past year due to technical or human disasters.   Even with this high percentage of data loss, very few SMBs have disaster recovery plans.  Over half of Symantec’s SMB disaster preparedness survey respondents said that they do not have a disaster recovery plan in place. Surprisingly, 41% respondents said that it never even occurred to them to put a disaster recovery plan together in the first place.

Why Have a Disaster Recovery Plan?

As a Michigan SMB business owner do you need a disaster recovery or business continuity plan?  You can ask yourself one simple question, “Can my business continue to function without <insert specific software application or system, communication service, data, etc.>?”

The next thing to consider is if it is financially worth using a disaster recovery solution. Ask yourself how much money would you lose if you were down one hour?  One day?  You need to consider the cost of being unable to operate your business over a period of time.  Consider the number of lost transactions and the future loss of customers going elsewhere. Your disaster recovery solution should not be more expensive than the loss from the disaster, unless your business would fail as a result of the outage.

A disaster could have a tremendous financial impact on Michigan SMBs.  This is especially true during a recession when competitors are looking for every opportunity to win your customers.

Financial reasons alone should encourage Michigan SMBs to develop a disaster plan, but there are other reasons as well.

• Competitive Advantage – Having a disaster recovery plan and solution in place can be a competitive advantage.  For example, you own a Michigan real estate business and you are backing all of your data to an offsite disaster recovery service provider and your competition is not.  Then a disaster occurs.  You would be able to get your business back up and running while your competition would have a much harder time getting back to business.

• Reputation – Even if your Michigan business survives a data loss, there is no guarantee that your reputation would still be intact.  Once a customer loses trust with a business, it is very difficult to get it back or it requires a lot of time and money to regain the trust.  And in today’s competitive marketplace, your competition can easily take your customers from you.

• HIPAA, PCI, SOX Compliance – Disaster recovery plans are critical to be in compliance with business regulations like HIPAA, PCI and SOX.  Non compliance could result in monetary fines, loss of business licenses and even prison time.  Well documented disaster recovery policies and procedures that are available for customers, vendors, and partners could be the difference of winning or losing your next project.  As one small business owner described it, “We get most of our business from insurance companies. They are very clear about how long we need to keep records and how their customers’ data can and cannot be used. If we didn’t meet these requirements we wouldn’t have their business. It’s just that clear.”

Example of Data Retention Regulations & Impact of Non-Compliance

Source: Disaster Recovery Planning How Planning for a Disaster Can Save Your Business

• Peace of Mind – Having a disaster recovery plan and solutions in place will give you a peace of mind.  You can sleep better at night knowing that your business data and systems are protected in the case of a data loss or disaster.

Data Recovery Solutions for Michigan SMBs

According to a survey that was developed to examine how U.S. small businesses prepare for disasters, 94% of the businesses take steps to backup their financial data. However, six out of 10 of the businesses surveyed said they are only storing their backed up data onsite only.

Although this onsite data storage provides some protection, it has one distinct disadvantage over offsite data storage.  Onsite data can be destroyed in a catastrophic event like a fire in the building, a water main bursting or tornado.  In addition, onsite servers can also be stolen or the collected data could be lost on them.

Using a third party disaster recovery service provider or a colocation provider offers Michigan SMBs added protection and the peace of mind in the case of a catastrophic event.

Colocation data centers offers Michigan businesses an alternative to setting up their own disaster recovery site.  With colocation you are setting up your network, servers, data storage, etc. at a third party location.  You still can have control over your servers and other equipment, while reducing costs like power, cooling and personnel.

Using an offsite backup service provider is another option for Michigan businesses.  All of your critical data can be electronically backed up to a traditional, secure data center facility or by using the cloud. Disaster recovery in the cloud is the most reliable solution that costs less than half of the production environment.

Online Tech clients can also use our most advanced and comprehensive disaster recovery option – SAN-to-SAN Replication.  This offers our clients even faster recovery times and a solution that can failback gracefully to production once the disaster event is over.

Related Articles:
Using a Michigan Colocation Provider for Disaster Recovery
Seeking a Disaster Recovery Solution? Five Questions to Ask Your DR Provider
PCI Compliant Disaster Recovery

The post Why Michigan SMBs Need to Create a Disaster Recovery Plan appeared first on Managed Data Center News.

Find a list of our past awards by reading about our company, and find out more about our Michigan data centers. We’re attending the award ceremony in Auburn Hills, Michigan this morning. The award ceremony features speakers:

• Jennifer Kluge, Publisher, Corp! Magazine
• Sharon Miller, Vice Chancellor of External Affairs
• Hajj Fleming, Personal Brand Strategist, President and Founder, Brand Camp University
• Emcee: Matt Roush, WWJ Newsradio 950

2013 Corp! DiSciTech Awards

Matt Roush, Tech Editor of GLITR (Great Lakes Innovation and Technology Report) Emcees the DiSciTech awards:

Matt Roush at the DiSciTech Awards

The post Online Tech Wins 2013 Corp! DiSciTech Award; Recognized for Michigan Technology Leadership appeared first on Managed Data Center News.

Check our blog for updates over the next few days as we liveblog some of the most compelling health IT educational sessions.

The Annual Meeting features sessions on corporate compliance, accountable care organizations (ACOs), disclosure of protected health information, HIPAA/security final rule updates and more.

Our HIPAA hosting solutions for healthcare and related organizations include:

• HIPAA compliant colocation with high availability power and offsite backup options.
• HIPAA compliant dedicated servers with fully managed services.
• HIPAA compliant private clouds with fully managed services.
• HIPAA compliant disaster recovery with comprehensive cloud-based solutions.

About the Indiana Health Information Management Association
The Indiana Health Information Management Association (IHIMA) is a non-profit healthcare professional association representing over 2,000-credentialed Hoosiers. IHIMA is an affiliate with American Health Information Management Association (AHIMA) as a Component State Association. Our purpose is to commit to excellence in the management of health information for the benefit of patients and providers.

The conference is just getting started. Everyone is setting up and grabbing Starbucks. Opening ceremony and exhibitor introductions begin at 8:30. Education sessions start at noon. Will be blogging about Corporate Compliance by Marsha Shepard, RHIA. Stay tuned!

Online Tech’s Bill Ryan at IHIMA – Exhibiting HIPAA Hosting Solutions

The post Liveblogging: HIPAA Hosting at the Indiana Health Information Management Association Meeting appeared first on Managed Data Center News.