Keeping up with HIPAA

The fact is, as technology continues to grow and change rapidly, so do rules and regulations that are intended to save us from ourselves.

We’ve heard about the Health Insurance Portability & Accountability Act (HIPAA), the government act put in place to essentially, keep your private information private. HIPAA was put in place in 1996…a long time ago (in technology years), so in 2009 the government had to step up security of Protected Health Information (PHI) under the American Recovery and Reinvestment Act with regulations contained in what is called the Health Information Technology for Economic and Clinical Health (HITECH). I believe they came up with the acronym first because it’s just too perfect.

HITECH essentially means, if you’re using any form of shared technology related to the healthcare industry, you need to comply to strict regulations of security.

Understanding The Web (of involvement)

If you look at the number of hands that touch private medical records, you’ll find it goes way beyond the doctor, the nurse and the receptionist. Almost half of the HIPAA data security breaches in one year trace back to a business associate. That could be 7-10 layers from the actual patient. For instance, the lab tech’s data entry associate’s resident intern. Guess what happens when there’s a breach that’s not even close to the original doctor or medical expert, they, or the lab, are the ones who will be fined tens of thousands to hundreds of thousands of dollars.

Don’t take any chances. If it affects the healthcare industry monetarily, it may trickle down to the patient bills and co-pays to absorb those costs.

If you’re in the healthcare field, or your business has any association to the healthcare industry, then the first order of business is to educate your entire team. If anyone is in and around the healthcare field they should sign off, acknowledge and understand how to keep medical records from being compromised.

Encryption, Encryption, Encryption

One more time…Encryption. You can be saved by encryption. If you have encrypted PHI that’s within the requirements of the HITECH Act, then you’re not liable. That’s because encrypted information is currently the most secure way of handling sensitive, private information.

Since the Bring Your Own Device (BYOD) element is added to the mix it’s even more imperative that everything meets HIPAA compliance standards. An encrypted secure messaging system will be the closest thing you can get to guaranteeing that all PHI is secure and confidential.

Look To The Cloud

Cloud storage for high-resolution medical imaging not only provides a great storage option that’s less time consuming than other means of backups, but it can also be a tremendous money-saver. When looking for a cloud service provider for your storage, there are a few things to consider.

  • Does the provider offer the right back-up system and infrastructure for your needs?
  • Is the provider HIPAA compliant beyond just saying they are?
  • Does the provider offer the security needed for medical imaging storage with protection put in place that deters hackers or leaks in security?
  • Does the provider offer an SLA that still ensures data ownership to the client?

These are tough questions to ask of any cloud service provider, so don’t expect the perfect answer, but DO expect the provider to be willing to share all their information that will make you feel comfortable about putting sensitive medical records in the cloud.

Don’t Put All Your Medical Data in One Basket

Besides cloud storage you need to consider your backup plans and data recovery. The biggest identifier should be, are the backups secure and safe from malware.

There is so much to cover to be HIPAA compliant. But instituting the above practices and making yourself knowledgeable about keeping PHI secure is the greatest thing you can do to protect your company and our information.

Posted in Backup, BYOD, Cloud Computing, Datavaulting, HIPAA, Mobile, Security | Tagged , , , , , , , | Leave a comment

The Reality of BYOD Security

It doesn’t matter if you’re the CEO, CFO, CIO or the CBP (Chief Button Pusher), every one in any business is capable of unintentionally compromising security. Every business now deals with Bring Your Own Device (BYOD) issues at some level and we’re all responsible – from the top on down. So how do you manage all that business data on everyone’s personal device and keep it safe?

You’ve got to walk the walk… It’s important for every employee to respect and be diligently mindful of the policies that are put in place. If you’re the one who dismissively downloads a seemingly harmless, un-authorized application on your phone, then you’re the one who could potentially lose your job if data is compromised. Policies are put in place to protect the company, but inevitably it protects the employee. How can we protect our vital work information while using the same device that we let our children borrow for long car rides?

Think about the other “secure” items in your life. If you have firearms in your home, you (hopefully) have them contained and locked. If you have cleaners, bug sprays or other contaminants, you have them contained in child-proof cabinets. If you have important legal papers, you most likely have them contained in a safe-deposit or firebox. But do you have important digital business documents, business applications or business designs on your device, mobile or other, and let anyone have access to the information that could potentially destroy or leak your work?

Why take the risk? There are various types Mobile Device Management (MDM) programs to compartmentalize, or contain, your work life from your home life. Keep your two lives separate on one device without fear of security issues if your phone is lost or stolen. At that point, all IT needs to do is shut that part off and wipe it clean. And if your 10 year old wants to play some games on your device, you and your work are secure.

MDM, now folded into overall Enterprise Mobility Management (EMM), need not only be developed and policies drawn up, but also needs to be updated annually. Whether you have MDM in place now or not, it should always be considered as part of an ongoing management system. Policies can’t be put in place and left alone. Technology changes rapidly and new malware is produced faster than the products themselves are being produced. Annual upgrades and policy changes are key.

There isn’t one application or one policy that fits all businesses so you need to do some research. The MDM platform that works best for your business to successfully manage BYOD is something that can’t be glossed over. All employees can be helpful in drawing up policies if included in the conversation with the IT department. Every department has a different function and the IT group needs to know what is going to work, all around, so information in separate containers can still be shared. There are some basic core functions to consider in MDM:

  • Define your inventory of devices being used
  • Choose a platform that can encompass all devices with remote capabilities
  • Define the software to be distributed which includes applications
  • Consider what kind of security management is needed
  • Include all levels of data protection
  • Have help and support for your users available

These are general categories to consider with a myriad of sub-categories and options that are determined by whatever MDM will suit your business.

Don’t ignore or dismiss all the dangers in our new Bring Your Own Device world. We’re all held accountable for making sure our devices are secure to protect our work and home. Critically analyze and determine what’s being used, how it’s being used, how it can be potentially be compromised and what’s needed to prevent security leaks and potential loss of data.

Posted in BYOD, Mobile, Security | Tagged , , , , , , | Leave a comment

SLAs – Who’s being served?

Life insurance, car insurance, homeowners insurance, business insurance, health insurance…Think there’s a pattern here? Let’s cut to the chase. A Service Level Agreement (SLA) is basically, insurance for your cloud data service. One would assume that your business data with a cloud service provider is at least as important as your home or car. Wouldn’t you feel better if you had some guarantees and parameters set that protect you? Of course, SLAs not only hold accountable, but also protect the service provider. When you and the provider are protected there’s no guesswork, no finger-pointing and no misunderstanding. So, if there should be a problem, the problem is readily solved. And yes, dealing with insurance companies can be a pain, but dealing with a service provider who is offering you the best deal they can, is completely different.

It’s true, not everyone has insurance and there are varying levels of insurance. You have to weigh the real need with your level and type of business. It’s not an all or nothing proposition. Every time we buy a big priced item from a couch to a washer to a mobile phone, you’re asked, ‘do you want a warranty with that?’ I bet, depending on what you’re buying and how it’s being used, you may mull over whether or not to get the warranty or to take your chances. Warranties and insurance policies essentially give you overall peace of mind just in case something should happen.

Do you really need that service agreement for your IT? Let’s address the realities of what SLAs mean to the provider and customer and how they address the most important component – uptime.

  •  SLAs are a two way street: Agreements, generally, protect both the customer and the service provider. After all, we’re both in business to make money and provide the best service and/or product to stay ahead in our industries. So, don’t expect a one-sided agreement that puts either customer or provider at zero risk.
  • SLAs have caveats: There are service interruptions that are the provider’s fault and the customer has to deal with the downtime, potential loss of revenue and the overall anxiety that we all feel when servers go down. The provider must assume responsibility and liability. Then there are service interruptions ‘outside of the provider’s reasonable control.’ Just make sure you read the fine print. It could mean natural disasters. In that case, no one, the customer, nor the provider has any control over interruptions when dealing with those circumstances. Finally, there’s everything in between. We know what we can and can’t handle and will have stipulations and disclaimers just like the customer has disclaimers, setting parameters on offers to the general public. Both the provider and customer have restrictions and the agreement should fit both parties the best it can.
  • SLA guarantees: The reality is, there are no guarantees. When a product touts a one hundred percent guarantee, there are still stipulations and disclaimers in the fine print. You may ask yourself, so why do businesses bother making that statement? Good businesses will always attempt a one hundred percent guarantee and satisfaction rate.

Uptime in the cloud cannot have a one hundred percent guarantee without some sort of fine print. Measure great service by the people and how they work with you, how they problem solve and how they continue to offer you the best. Remember, SLAs are an agreement between you and the provider and both parties need to take care of themselves so they can take care of one another.

Posted in Cloud Computing, Metrics, Service Level Agreements | Tagged , , , | Leave a comment

Reducing Risk in the Enterprise

At Datotel we routinely conduct risk assessments on our own operations, as well as assisting our clients to complete risk assessments on their environments.

Our objectives are generally to identify the risks in the environment; whether that be risks related to confidentiality, security, privacy, reliability or availability. From these identified risks, plans are then developed to address and mitigate those identified risks.

Whether you’re a financial institution, healthcare agency or a firm with no mandated regulations you should ensure you at least have some of the basic risks identified and covered. Continue reading

Posted in General, Security | Tagged , , , | Leave a comment
  • Keeping up with HIPAA:

    The fact is, as technology continues to grow and change rapidly, so do rules and regulations that are intended to save us from ourselves. We’ve heard about the Health Insurance Portability & Accountability Act (HIPAA), the government act put in … Continue reading

    ...more
  • Admin Terms of Use Contact Us