49

Is That Email A Phishing Scheme?

49Research has revealed that over half of all users end up opening fraudulent emails and often even fall for them. Phishing is done with the aim of gathering personal information about you, generally related to your finances. The most common reason for the large number of people falling for fraudulent emails is that the phishing attempts are often so well-disguised that they escape the eyes of a busy email reader. Here are a few tips that help you identify whether that email really came from your bank or is another attempt at defrauding you…

1. They are asking for personal information – Remember, no bank or financial institution asks you to share your key personal information via email, or even phone. So, if you get an email where they ask for your ATM PIN or your e-banking password, something’s amiss.

2. The links seem to be fake – Phishing emails always contain links that you are asked to click on. You should verify if the links are genuine. Here are a few things to look for when doing that:

  • Spelling – Check for the misspellings in the URL. For example, if your bank’s web address is www.bankofamerica.com, a phishing scheme email could misspell it as www.bankofamarica.com or www.bankofamerica-verification.com
  • Disguised URLs – Sometimes, URLs can be disguised…meaning, while they look genuine, they ultimately redirect you to some fraudulent site. You can recognize the actual URL upon a mouseover, or by right clicking on the URL, and selecting the ‘copy hyperlink’ option and pasting the hyperlink on a notepad file. But, NEVER ever, paste the hyperlink directly into your web browser.
  • URLs with ‘@’ signs – If you find a URL that has an ‘@’ sign, steer clear of it even if it seems genuine. Browsers ignore URL information that precedes @ sign. That means, the URL www.bankofamerica.com@mysite.net will take you to mysite.net and not to any Bank of America page.

3. Other tell-tale signs – Apart from identifying fake URLs, there are other tell-tale signs that help you identify fraudulent emails. Some of these include:

  • Emails where the main message is in the form of an image, which, upon opening, takes you to the malicious URL.
  • Another sign is an attachment. Never open attachments from unknown sources as they may contain viruses that can harm your computer and network.
  • The message seems to urge you to do something immediately. Scammers often induce a sense of urgency in their emails and threaten you with consequences if you don’t respond. For example, threat of bank account closure if you don’t verify your ATM PIN or e-banking password.

4. Finally, get a good anti-virus/email protection program installed. It can help you by automatically directing spam and junk mail into spam folders and deactivating malicious attachments.

CLICK HERE for a free network assessment.

48

Is Your Business Safe From Cybercrime? 4 Questions to Consider

Did you know that 50% of small business owners think their businesses are too small to be targeted by the thieves of the virtual world? Contrary to popular belief, 72% of hacker attacks often happen to smaller firms – firms with less than 100 employees! So how prepared is your SMB? Here’s a checklist to help you find out how vulnerable you are to these attacks.

481. Do you have Antivirus protection? - An antivirus software program can protect you from threats that originate from emails such as phishing and virus attacks. However, the most striking fact is that 61% of small businesses don’t install any antivirus software! If you are one of them, then it’s time to change!

2. How sturdy is your Firewall? - A good firewall system protects your computers from the variety of threats that exist in the virtual world. Examples include harmful cookies, viruses, worms and other such malicious programs used by hackers.

3. Do you use a Spam filter? - Using a simple spam filter for your emails keeps junk out of your inbox. The bonus to having a good spam filter is that your employees save time, as they are not distracted by irrelevant emails, but the major perk here is that the potential virus and phishing threats are lessened as spam emails are unlikely to be opened.

4. Do you do backup your data regularly? - Agreed – backups don’t really protect your data, but they are the only way to recover it if data loss does happen. So, be sure you have a regular and reliable backup plan in place – and it is actually being deployed.

Data loss can prove very costly—especially to SMBs, sometimes even resulting in them having to close down. Prevention is certainly better than a cure in such cases. Stop cybercrime before it happens. CLICK HERE for a free network assessment.

44

The Benefits of a Managed Service Provider

Managed Service Providers – or MSPs – are often recommended as a cost effective IT solution for small businesses. For a minimal monthly fee, MSPs provide a reasonably priced solution to the complex technology pains of small businesses. Here’s a look at the various benefits an MSP can offer your business…

  • Freed-Up Resources and a Renewed Emphasis on Core Business – Both business owners and internal IT staff would much rather focus on revenue enhancing tasks like product development or the creation of cutting-edge applications/services. This is one reason routine monitoring and maintenance tasks are often neglected by an internal IT person or team, which always proves to be detrimental much l44ater. Often misportrayed as a “threat” to an internal IT person or staff, MSPs can instead relieve internal staff of mundane network operations maintenance, repetitious monitoring of server and storage infrastructure, and day-to-day operations and help desk duties.
  • A True Partner Sharing Risks And Responsibilities -The goal of an MSP is to deliver on contracted services, measure, report, analyze and optimize IT service operations, and truly become an irreplaceable catalyst for business growth. Managed Service Providers not only assume leadership roles, they enable risk reduction, enhance efficiency and change the culture by introducing internal IT operations to new technologies and processes.
  • Access to Expertise, Best Practices and World-Class Tools and Technologies – MSPs have experience with a variety of businesses and organizations. Managed Service Providers can keep your business relevant and on track with continually evolving technology, support, and productivity demands. Let’s face it, no small or medium sized business can afford to fall behind with technology trends in today’s business world.
  • The Benefit of a Full-Time Fully Staffed IT Department at a Fraction of the Cost – Most small business owners live and die by proactive management. They just haven’t had the budget, resources or access to on-demand expertise to be proactive with information technology management. A Managed Service Provider gives business owners and overwhelmed internal IT staff affordable computer and server support, remote monitoring of critical network components like servers and firewalls, data backup and disaster recovery, network security, custom software solutions, and technology evaluation and planning.

Managed Service Providers can decrease the overall IT support costs by as much as 30% to 50%. Rather than being stressed about technology, business owners can instead get back to focusing on growing their business. All while enjoying the benefits of highly-trained IT experts boosting their network’s reliability and performance.

Choose Cognoscape as your MSP. CLICK HERE for a free network assessment.

55

Cybercrime and SMBs

 WHAT HAPPENS ON MAIN STREET STAYS ON MAIN STREET

When hackers breach the security of corporations it makes headlines, yet there is rarely a mention when cybercrime hits small to medium sized businesses (SMBs). Very few people are even aware that today’s cybercriminals are targeting SMBs, not just supersized global businesses. According to Verizon’s 2013 Data Breach Investigations Report, 71% of the data breaches investigated by the company’s forensic analysis unit targeted small businesses with fewer than 100 employees. Of that group, businesses with less than 10 employees were the most frequently attacked.

55EVERYONE IS A VICTIM WHEN IT COMES TO CYBERCRIME

The loss and exposure of confidential data from a cyber-attack is costly to both the people victimized and the businesses whose data was compromised.

For the victim, hackers typically retrieve personal information, bank account, credit card and social security numbers, resulting in identity fraud. The stress and time involved to reclaim their identity and get their financial house back in order is beyond measure.

For businesses, there are 47 state-specific DBN (Data Breach Notification) laws in effect in the United States. Adding to the complexity and costs of this process is the fact that laws and compliance obligations vary from state to state. A breach of customer data in Pennsylvania will have different breach notification and follow-up requirements than a breach involving a customer in Massachusetts. This means firms servicing customers and clients from more than one state are responsible for these duplicative legal, regulatory and compliance burdens.

CYBERCRIME COMES AT A HIGH PRICE FOR SMBs

According to research compiled by the Ponemon Institute in their 2nd Annual Cost of Cyber Crime Study, the average cost per breached record in the U.S. is anywhere between $150 to $200. This amount factors in the costs of the investigation and notification process, fixing the issue that led to the breach, possible liability and litigation costs, lost business, and the time and effort that go into damage control. In many cases, a damaged reputation may prove to be irreparable. Nearly two-thirds of victimized companies are out of business within six months of a significant cyber-attack, making cybercrime the death knell for many SMBs. This is because the consequences of cybercrime extend well beyond the actual incident and have long-lasting implications.

Small businesses obviously don’t have the same financial footing to rebound and carry on with business as usual in the way organizations like Target, Amazon, Apple, or Citibank can.

Symantec’s research found that customers affected by security breaches are generally less forgiving of smaller businesses, especially smaller online retailers, than larger companies. SMBs are contending not only with lost revenue and expenses, but also the possibility of never regaining the trust of customers, clients and business partners.

Symantec’s 2012 State of Information Survey found that nearly half of all SMBs admitted to a data breach damaging their reputation and driving customers away.53

The trend of cybercriminals preying on smaller businesses doesn’t seem to be waning. According to Symantec, the number of cybercrime attacks targeting firms with fewer than 250 employees jumped from 18 percent of all attacks in 2011 to 31 percent in 2012.

WHY CYBERCRIMINALS ARE ZEROING IN ON SMALL BUSINESSES

Large corporations have the resources to invest heavily in the most sophisticated security strategies and successfully stop most cybercrime attempts. A typical large enterprise may have over twenty in-house IT dedicated employees ensuring that every device connecting to their network is adequately protected.

In comparison, SMBs have neither the money nor the manpower of large enterprises and can’t afford the same level of security. Very few SMBs have fulltime IT dedicated personnel on hand to run routine security checks. Even those who do have in-house IT support often find that their internal resources are too bogged down with other tasks to properly address security upkeep.

A joint survey of 1000 SMBs conducted in September of 2013 by McAfee Internet Security and Office Depot further confirms how lax many SMBs are when it comes to protecting their data.54

Not only have SMBs become easy prey for cybercriminals, but their sheer abundance also makes them an alluring target. There are roughly 23 million SMBs in the United States alone. Half of that figure is comprised of home-based businesses. Even in a struggling economy, it’s projected that there are still an estimated 500,000 startups launching every month with only a handful of employees.

SMBs ARE NOT “TOO SMALL TO MATTER”

Since most cybercrimes affecting smaller businesses go unreported by the media, there is no sense of urgency by SMBs to prepare for cyber-attacks. Too many SMBs mistakenly view their operations and data as trivial to hackers. They feel that large online retailers, global banks, and government entities are much more attractive targets for hackers.

The goals and methods of cyber attackers are evolving and will continue to evolve. The era of one “big heist” for hackers is over. Cybercriminals today often prefer to infiltrate the data of many small businesses at once, stealing from victims in tiny increments over time so as to not set off an immediate alarm. This method takes advantage of those SMBs who are especially lax with their security processes and may not even realize there has been a security breach for days or sometimes even weeks. SMBs must end the “It will never happen to us” mindset. For instance, political “hactivists” have been responsible for a number of high-profile Denial-of-Service (DDoS) attacks in recent years. The goal of a hactivist is to disrupt the status quo and wreak havoc on the technology infrastructure of larger corporations and government entities. It’s a form of cyber anarchy: A “stick it to the man” philosophy spearheaded by groups like 4chan, Anonymous, LulzSec, and Anti-Sec.

An owner or Chief Information Office (CIO) at a SMB may read of these high publicized attacks in the press and not think anything of it. They aren’t Sony, Apple, or the Department of Defense, so why would a hactivist target their data? But it’s estimated that there are on average 1.29 DDoS attacks throughout the world every two minutes and such activity is much broader in scope than the press may lead us to believe.

SMBs- THE ACCESS RAMP TO BIGGER & BETTER DATA

One reason small businesses are more vulnerable is they’re often the inroad to larger better-protected entities. They are often sub-contracted as a vendor, supplier, or service provider to a larger organization. This makes SMBs an attractive entry point for raiding the data of a larger company. Since larger enterprises have more sophisticated security processes in place to thwart cyber-attacks, SMBs often unknowingly become a Trojan horse used by hackers to gain backdoor access to a bigger company’s data. There is malware specifically designed to use a SMBs website as a means to crack the database of a larger business partner.

For this reason, many potential clients or business partners may ask for specifics on how their data will be safeguarded before they sign an agreement. Some may require an independent security audit be conducted. They may also ask SMBs to fill out a legally binding questionnaire pertaining to their security practices.

Moving forward, a SMB that is unable to prove they’re on top of their infrastructure’s security will likely lose out on potentially significant deals and business relationships. More large enterprises are being careful to vet any business partners they’re entrusting their data to.

CLICK HERE for a free network assessment.

43

Understanding How Data Loss Happens – The Four Main Reasons

43Small business owners are often worried about data loss. Rightly so, because data loss has the potential to wipe out a business. We have identified the most common forms of data loss so you can see how they fit into your business and assess the risks related to each of these pitfalls.

1. Human Error - Human error – by way of unintentional data deletion, modification, and overwrites – has become much more prevalent in recent years. Much of this is the result of carelessly managed virtualization technology. While virtualization and cloud computing have enabled improved business continuity planning for many businesses and organizations, humans must still instruct this technology how to perform. The complexity of these systems often presents a learning curve that can involve quite a bit of trial and error. For instance, a support engineer may accidentally overwrite the backup when they forget to power off the replication software prior to formatting volumes on the primary site. They will be sure to never do that ever again, but preventing it from happening in the first place would be more ideal.

2. File Corruption - Unintended changes to data can occur during writing, reading, storage, transmission and processing – making the data within the file inaccessible. Software failure is a leading cause of data loss and is typically the result of bugs in the code. Viruses and malware can also lead to individual data files being deleted and hard drive partitions being damaged or erased.

3. Hardware Failure - Storage devices may be at risk due to age, or they may fall victim to irreparable hard-disk failure. Viruses and hackers can also potentially shut down a hard drive by inserting undeletable malicious code and huge files via open, unprotected ports. If these malicious programs cannot be deleted, the entire hard drive may have to be reformatted, wiping out all the data.

4. Catastrophic Events/Theft - The threat of catastrophic events such as fire, flooding, lightning and power failure is always a concern. Such events can wipe out data in a millisecond with no warning. Theft is also a data loss risk that companies must address. While advances in technology like anytime/anywhere connectivity, portability and the communication/information sharing capabilities of social media and crowdsourcing have revolutionized business – the risk for theft is even greater due to this increased accessibility. More people are doing daily business on their laptop, iPad and mobile phones. They are also carrying around portable media like thumb drives, USB sticks and CDs. Physical theft of any of these devices can spell big trouble.

Data loss is as unique as the various sources from which it comes. The key is to identify the areas in which your business is weak and work towards a mitigation plan for each one of them. An MSP can act as a trusted partner in such cases, holding your hand through the process of safeguarding your data.

Prevent data loss with Cognoscape. CLICK HERE for a free network assessment.

42

Four Tips for Your Hybrid Cloud Strategy

42It should come as no surprise that many small to midsize business owners take pride in overseeing every aspect of their startup business. Naturally, many are apprehensive when it comes to surrendering control of their servers, their data, and their applications. The downside of this need for control is that operating and maintaining everything onsite can be time consuming, super expensive, and it can make your business more vulnerable to failure related downtime and cyber threats. Although everything can be stored in the cloud at a fraction of the cost, many aren’t responsive to the idea of sharing the infrastructure their technology runs on. The great thing about the cloud is it’s not an all or nothing thing. This is exactly why so many small to midsize businesses have turned to hybrid cloud solutions. Just as they name implies, hybrid cloud solutions are both on and off premises. It’s the best of both worlds. An entrepreneur can still control certain aspects of the business on-site, but simultaneously exploit the cloud’s cost effectiveness and overall scalability. For example, a local server like Windows Server 2012 can be housed and managed on-site but that server, or just specific files, can still be backed up in the cloud with Microsoft Windows Azure and stored far away off-site. This provides a partial disaster recovery solution in the event of a hurricane, flood, fire, or just a basic server crash.

Here are four tips for developing your hybrid cloud strategy:

  1. Honestly assess the current IT strategy – Over time, as your business grows and technology advances, your well-planned and neatly arranged IT infrastructure transforms into a disorganized mishmash of different servers and disconnected software and tools. View this almost as the spring-cleaning of a cluttered garage. What systems or applications are critical to your business right now and which ones no longer support your current or future business initiatives?
  1. Know what you want to keep close – Every business will be different in this regard. Certain companies will prefer keeping large files in-house, in a more controlled private cloud, for easy access but may be okay with having their emails out there in the cloud or vice versa.
  1. See how others are leveraging a hybrid cloud environment – New services once only available to large enterprises are now available to SMBs. This presents an extraordinary opportunity to be more agile, flexible, and better suited for new business opportunities and growth. Remote monitoring, 24/7 support, and disaster recovery solutions can be easily integrated within a hybrid-computing environment – regardless of operating systems, server types, or mobile devices used.
  1. Staged implementation – Be sure to plan your hybrid cloud strategy as a multi-year plan that is deployed in phases. For example, in the beginning, private controlled access to a public cloud service can be granted to internal application developers experimenting with a new business initiative. Or a new customer relations management SaaS (Software as a Service) application can be implemented.

This is the year that even small or midsize enterprises are getting serious about cloud operations and a strategic mix of public cloud services and private cloud may make the transition easier.

CLICK HERE for a free network assessment

40

What You Can Learn From U.S. Regulator’s Business Continuity & Disaster Recovery Recommendations

U.S regulators have recommended that all fu40tures and securities firms review and update their current data backup, disaster recovery, and business continuity solutions. Prompted by closures in the equities and options market in the aftermath of Hurricane Sandy, Regulators including the SEC, FINRA, and the CFTC contacted firms to assess the impact Hurricane Sandy had on their operations The regulators asked each firm for specifics regarding any backup disaster recovery (BDR) and business continuity plan (BCP) they had in place prior to Hurricane Sandy. The responses they gathered were compiled to develop a list of best practices and lessons learned. The regulators have since gone on to suggest that all firms refer to these best practices and lessons as part of reviewing and improving upon their current BDR and BCP procedures. By doing this, the regulators hope that firms will be better prepared for similar events. Regulators feel that a comprehensive BDR and business continuity strategy will help firms improve responsiveness and minimize downtime. Managed Service Providers (MSPs) have always stressed the importance of the BDR and BCP solutions they offer to small-to-medium-sized businesses. That said, it doesn’t hurt to see what government regulators recommend to those handling our money. We’ve summarized portions of the full report, addressing only the parts that we feel can easily be applied to SMBs. The full report can be read here at http://www.sec.gov/about/offices/ocie/jointobservations- bcps08072013.pdf.

Widespread Disruption Considerations

True business continuity plans go beyond technology. What is the probability of a widespread lack of telecommunications during a disaster? We’re talking no Internet and no cell phone coverage. Large-scale events can knock out power and limit our access to drinkable water and food supplies. Getting around may be complicated. Roadways might be inaccessible and fuel may be scarce. Part of being prepared for the unknown is to assess how any plausible scenario would impact day-to-day operations and services. A critical component to business continuity planning is remote access. Every employee should have the ability to efficiently work from home if a disaster strikes or blocks access to the office. If there is no power or no Internet and phone, alternatives should be defined to carry out key operations.

Alternative Location Considerations

The implications of region-wide disruptions must be factored into the location choices for backed-up data centers. Keeping backups within close proximity may seem like a smart strategy to ensure they’re readily accessible, but this does you no good if it’s a region wide disruption. When it comes to supporting business critical activities at an alternative location, what will be the site’s staffing needs? How about office space, equipment, and available resources? Printed copies of the business continuity plan, contact lists, and other business documents and manuals should also be kept at the alternate site if electronic files can’t be accessed.

Vendor Relationships

Any critical vendor relationships should also have an adequate business continuity plan, as they may be affected by the same event as you. Vendors risk ratings should be considered based on the quality of their BDR and BCP strategies.

Telecommunications Services and Technology Considerations

The telecommunications infrastructure must be enhanced. Consider secondary phone lines, backup mobile phone services with different carriers, emergency Wi-Fi spots, and cloud technology.

Review and Testing

Annual full BCP tests should be conducted. If the business continuity plan changes often, more frequent testing is recommended. All personnel should be trained for their specific role in the plan.

CLICK HERE for a free network assessment.

Four Key Components of a Robust Security Plan Every SMB Must Know

41Most businesses are now technology dependent. This means security concerns aren’t just worrisome to large corporate enterprises anymore, but also the neighborhood sandwich shop, the main street tax advisor, and the local non-profit. Regardless of size or type, practically any organization has valuable digital assets and data that should not be breached under any circumstances.

This makes it the responsibility of every business, especially those collecting and storing customer/client information, to implement a multipronged approach to safeguard such information.

Yes, we’re looking at you, Mr. Pizza Shop Owner who has our names, addresses, phone numbers, and credit card information stored to make future ordering easier and hassle free.

 

Today’s SMB Needs a Robust Security Plan

Protecting your business and its reputation comes down to developing, implementing, and monitoring a robust security plan that adequately addresses everything from physical access and theft to the threat of compromised technology security.  This involves defining and outlining acceptable uses of your network and business resources to deter inappropriate use.  Here are four key components to consider.

  1. Network Security Policy: Limitations must be defined when it comes to acceptable use of the network.  Passwords should be strong, frequently updated, and never shared.  Policies regarding the installation and use of external software must be communicated. Lastly, if personal devices such as laptops, tablets, or smartphones are accessing the network, they should be configured to do it safely, which can be done easily with a reliable Mobile Device Management (MDM) solution.

 

  1. Communications Policy:  Use of company email and Internet resources must be outlined for legal and security reasons.  Restricting data transfers and setting requirements for the sharing or transfer of digital files within and outside of the network is recommended. Specific guidelines regarding personal Internet use, social media, and instant messaging should also be clearly outlined. If the company reserves the right to monitor all communication sent through the network, or any information stored on company-owned systems, it must be stated here

 

  1. Privacy Policy: Restrictions should be set on the distribution of proprietary company information or the copying of data.

 

  1. Inappropriate Use: Obviously, any use of the network or company-owned system or device to distribute viruses, hack systems, or engage in criminal activity must be prohibited with the consequences clearly noted. Any website that employees cannot visit should be identified if not altogether blocked and restricted. For instance, downloading an entire season of True Blood from a Bit Torrent site isn’t an acceptable use of company Internet resources. Every employee must know these policies and understand the business and legal implications behind them.  Companies must also make sure these policies are clear and understood by all, and most importantly, strictly enforced.

CLICK HERE for a free network assessment

 

 

28

Five Major Benefits of the Cloud for the Healthcare Sector

28How Cloud Computing Enables Industry Advancements

When it comes to staying on top of industry trends, those in the healthcare sector utilizing cloud computing will undoubtedly have an advantage over those slow to adapt to change. The Internet is more widely used now by both patients and those providing health services.

Today’s patient desires anytime/anywhere access to health-related information and physicians may need access to digitized health data such as MRI scans, ultrasound images, or mammograms. Patient information must also be accessed for clinical decision-making such as potential prescription drug interactions or the American Recovery and Reinvestment Act of 2009 (ARRA) funded community health information exchanges (HIEs) that enable health providers and insurers to share a patient’s medical records with his or her permission. The cloud supports all of these.

In many ways, cloud computing levels the playing field as its affordable benefits are available to anyone from a small physician’s office or non-profit to large organizations or insurers. This fosters an all-inclusive collaboration that isn’t restricted to only large institutional players.

Major Benefits of the Cloud for the Healthcare Sector

  1. Security – Ironically, the biggest concern most healthcare entities have about taking to the cloud is one of its biggest strengths. Recent updates have made CSPs as responsible and liable for HIPAA compliance as the healthcare institutions that hire them. CSPs must ensure that data is encrypted, backed up, easily recoverable, and secured with permission-based access.
  2. Costs – Reduced costs are an incentive for healthcare entities to take to the cloud. Costs are dramatically cut since the cloud moves everything into a virtual environment, eliminating the need for costly hardware, software, maintenance, data center space, and IT labor. Pay-as- you-use fees requiring little-to-no capital investment replace these often overwhelming up-front capital expenses.
  3. Scalability – With the 2015 HER conversion deadline nearing, and the fact that health service providers are generally required to maintain patient medical records for at least six years, it’s easy to anticipate that managing such a high volume of patient data will inevitably stress any on-site IT infrastructure. But the cloud presents a scalable alternative where additional server or storage capacity is available as needed.
  4. Mobility - The cloud improves a physician’s ability to remotely access readily available patient information. This enables even the busiest physician to review a patient’s medical records or test results even after they leave the office.
  5. Sharing – Cloud computing keeps physicians better connected to not just their patients but their colleagues as well. Patients will notice benefits to medical professionals being able to share patient information online – for example, referrals to specialists will be more timely, there will be less paperwork to fill out with each office visit, and no unnecessary repeat diagnostic tests.

Are You Ready for This Transition?

The transition to cloud computing is underway in the industry. For healthcare service providers, it is no longer a question of if they will transition to the cloud, but when they can start benefiting from its potential savings and all of its capabilities.

Healthcare is a heavily regulated industry and cloud computing will continue to evolve to meet the industry’s growing security requirements and regulatory mandates. Many legitimate CSPs familiar with the healthcare sector already have strict security protocols in place to comply with regulations and will not hesitate to sign a BAA when asked. It is best to choose a CSP cautiously. Avoid any CSP who refuses to sign a BAA and carefully evaluate even those who do to get a feel for their stability, level of service, and delivery on promises.

Taking care of people – not your IT infrastructure – is your core service. Why not put the money being spent right now on hardware, software and equipment back into patient care while actually strengthening patient data integrity and security? Contact us today if you’d like to learn more about HIPAA compliant cloud-based technology.

CLICK HERE for a free network assessment.

29

HIPAA and the Cloud – Moving Toward 2015

29In the healthcare sector, the storing and sharing of sensitive digitized patient data has become a significant undertaking and is a heavy burden on resources. Preparation for a complete conversion from paper medical records to electronic health records (EHR) by 2015 has independent practitioners and small healthcare entities making significant investments in equipment, hardware and software, and tech-savvy personnel. Rather than focusing on the delivery of core patient care services, they must now worry about IT infrastructure issues, underlying network constraints and data center accessibility as well. This is problematic as very few medical offices or small health service organizations can afford to employ dedicated IT staff.

In this context, it is obvious that cloud-based solutions, which consolidate and outsource computing resources to external entities, would provide substantial relief to healthcare service providers. Data stored in the cloud is available on-demand and requires no expensive equipment, physical home or hired staff to manage and maintain it.

But while other business sectors have fully embraced the cloud for cheaper, more flexible, scalable and secure computing, many in the healthcare sector have yet to entertain putting patient data into the cloud. HIPAA-driven security and privacy concerns have been a serious deterrent.

This is about to change. Recent modifications to the HIPAA Privacy, Security, Enforcement and Breach Rules have made it clearer that data center operators are to be classified as business associates under HIPAA. This means cloud-service providers are required by law to report and respond to data breaches and uphold their obligation to properly protect and secure patient info.

These modifications are a game changer because they now assure covered entities such as doctor offices, hospitals, and health insurers that they can remain HIPAA compliant while adopting cloud technology.

Cloud Computing in Healthcare Sector Projected to Grow

According to recent report by the research firm Markets and Markets, although the healthcare sector has been notoriously slow when it comes to adopting new technology trends, the cloud computing market in this sector is projected to grow to $5.4 billion by 2017.

Breaking Down HIPAA and the Cloud

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) was upgraded in 2009 with the Health Information Technology for Economic and Clinical Health (HITECH) ruling addressing the growing use of digitized medical records. HITECH was introduced to provide federal funding to deploy HER and establish a protocol for protecting the electronic storage and transmission of Protected Health Information (PHI). [PHI is defined as any information obtained, used or disclosed in the course of providing a healthcare service--treatment, payment, operations or medical records--that can be used to identify an individual.]

Compliance with HIPAA requires the reporting of any potential unauthorized PHI access. Because any impermissible access, use, or disclosure of PHI can severely damage an organization’s reputation, as well as levy penalties varying from $100 to $50,000 for first time offenders, it is understandable that many in the healthcare industry have chosen to avoid migrating patient data to the cloud unless they’re absolutely certain that a cloud-service provider (CSP) is HIPAA compliant.

Cloud-Service Providers as HIPAA Business Associates

Over the past five years, there has been much confusion whether cloud-service providers were classified as business associates (BAs) under HIPAA. The Department of Health and Human Services holds BAs accountable for certain required privacy and security obligations to protect PHI data, upholding them to a signed Business Associate Agreement (BAA). If confidential health data is compromised, the Associate is liable for responsibilities on their end.

The HIPAA privacy rule defines a BA as “a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity.”

Since most CSPs “maintain” PHI on behalf of either the covered entity or another BA that subcontracts them, one would assume they’d be deemed a BA themselves. But that hasn’t always been the case due to some ambiguous language that originally accompanied the regulation, language that was only just recently modified to expand the scope of BAs as defined by HIPAA.Capture4

As you can see, this language easily leaves “access on a routine basis” up to interpretation. For instance, although it states that HIPAA requires those accessing PHI data on a routine basis be treated as BAs, some CSPs felt they were mere “conduits” of protected data – not very different than courier services or postal services, having only random or infrequent access to public health information as they transport/share it with others. These CSPs would often argue that a signed BAA wasn’t necessary, thus avoiding the added due diligence or security control requirements and liability.

Take a high-volume Platform-as-a-Service (PaaS) for example. Here the CSPs primary role is to provide storage services that enable the covered healthcare entity’s staff, such as a doctor’s office, to routinely look at data stored remotely. While the CSP providing the PaaS bears responsibility for maintenance and upgrades to the hardware, software and the operating system, they don’t touch the actual PHI data all that much. Therefore, a CSP offering PaaS doesn’t necessarily have the same level of PHI access as a cloud provider using Software-as-a-Service (SaaS) who must grant their personnel daily access to PHI.

A similar argument could be made for a CSP who maintains encrypted PHI for a covered healthcare entity but doesn’t hold the encryption key.

This uncertainty was the reason for much of the healthcare sector’s reluctance to take to the cloud. If a cloud-service provider (CSP) didn’t feel the need to sign a BAA, and the patient info they managed was breached, the covered healthcare entity, not the CSP, would be fined.Capture5

The new HIPAA Omnibus Rule further clarifies that BAs and subcontractors of BAs are directly liable for compliance with certain HIPAA Privacy and Security Requirements. This has calmed skeptics, resulting in a healthcare industry now actively looking to cloud-based solutions.

Protecting personal information and cloud security are a must by 2015. CLICK HERE for a free network assessment and choose Cognoscape for your HIPAA compliant managed IT services.