Healthcare and Cloud Computing Together at Last

65  For years, the healthcare industry was thought to be the very last sector to embrace cloud computing. With HIPAA compliance, storing private patient data in the cloud seemed much too risky from a security and legal standpoint. However, with a government issued mandate to migrate patient data to electronic heath records by 2015, the cost-effectiveness of the cloud was simply too logical to not entice independent practitioners and small healthcare entities now burdened by the need to invest technology and tech-savvy personnel. If only there was a way around the security and privacy concerns.

Wish granted. In January of 2013, the U.S. Department of Health and Human Services introduced a few revisions to the regulations administered under the Health Insurance Portability and Accountability Act of 1996. Labeled the “Final Omnibus Rule,” this update spelled out the legal framework to be used by healthcare organizations working with cloud service providers.

With a signed Business Associate (BA) agreement, a cloud service provider accepts the responsibility to protect patient data under HIPAA law. This expanded definition of BA means that the government can now penalize cloud service providers accountable for data breaches.

Although many healthcare organizations had already entrusted certain cloud service providers with their data, only the HIPAA covered entity (the healthcare organization) was penalized in the event of a breach prior to this ruling. While the HIPAA covered entity is still responsible for oversight, this shared accountability with the cloud service provider has expanded responsibility and has led to an influx of healthcare organizations and cloud service providers working together, worry-free, in perfect harmony.

CLICK HERE for a free network assessment.

4 Easy Ways to Boost Your Web-Surfing Security

The internet has become more of a necessity than a luxury. With social networks becoming more popular and the usage of the internet becoming more widespread, it’s important to make sure that you’re secure online.

Here are 4 easy ways you can protect yourself online.

 

#1) Don’t Overshare

When you’re spending lots of time on your favorite social networks, it can be tempting to post lots of personal information, including your location and your full name. But sharing those kinds of things can really compromise your privacy!

Check out the privacy settings for your online profiles and make sure that your personal information is not available to the public.

 

#2) Watch Out For Scammers

Have you ever received an email from a random person stating that you were an heir set to receive a huge fortune?

Or maybe you’ve received an email from someone you don’t know that included a sob story and a desperate plea for financial help.

Either way, these types of emails are scams – the scammers use your sympathy or excitement against you, get your credit card information, and steal your money or your identity.

Make sure that you are careful about which emails you take seriously and respond to. Remember – pretty much anyone can email you. Make sure you use discretion so you can keep your money and information secure.

 

#3) Protect With Passwords

Many popular websites require you to register, create a password, and log in to gain full access. While some people see this as an inconvenience, it’s truly a good way to keep your data secure and private.

Be sure that, when you create a password, you make it one that’s difficult to guess. Use varied capitalization, use numbers, and try not to use a dictionary word. That way, you can feel confident that your accounts are safe from hackers.

 

#4) Safe Shopping

It’s important to follow best safety practices when you’re shopping online. After all, you’re likely using your credit or debit card. You don’t want that information to get into the wrong hands! Make sure that you never enter your credit card on a page that is not encrypted. When a page is encrypted, the web address will begin with “https” instead of “http.”

Also, make sure you never enter your social security number. No seller should ever need that information – if they do, it’s likely that they’re trying to scam you

Another good practice is to check out the seller’s reviews and policies. You can shop a lot more confidently if you know other people have had a good experience purchasing from the seller.

 

Why stop there? It’s good to make sure you’re secure when you’re casually using the internet, but it’s also important to make sure that your company networks are secure. I mean, you could lose your money, your clients, or even your business if a hacker accessed and used your data!

Here at Cognoscape, we’ve got the security solutions you need to gain peace of mind and keep your critical information safe. Contact us today, and let’s work together to prevent security breaches.

Keep Your IT Guy and Outsource IT Services Too

59 Everyone in the office loves Eric. Sporting a different ironic t-shirt everyday, Eric is the one we call when technology spits in our face. Whether it’s a slow system, a bug that needs to be squashed, a website issue, or a crash that results in unexpected downtime and data loss, Eric is right there. Not only does he get to the bottom of any issue but he also rights the ship like he’s some sort of miracle-working captain who just happens to have a pretty wickedly funny Peter Griffin from Family Guy impersonation.

But business is growing and Eric is overworked. Eric has certain skills that you’d love to use to develop innovative applications and revenue-generating projects– but he’s too busy running around fixing things that break. Or he’s performing the most mundane and routine tasks day-in-and-day-out just to keep things secure and running smoothly.

You get a sense that Eric’s overburdened and he’s saddled with too many responsibilities. His demeanor has changed from pleasant to moody. He’s listening to angrier metal and punk music and you’re noticing cracks in his work. You fear Eric is being pulled in too many directions and the reliability of your server, network, and applications, as well as the integrity of your data, are all at risk.

Someone who has watched a bit too much of Donald Trump on The Apprentice might think Eric should be fired. We’re not going to fire Eric. But we’re also not going to hire a full-time salaried Robin to his Batman or Cheech to his Chong. We’re going to help Eric by exploiting IT automation and managed services to handle many of the monotonous tasks making Eric hate his job right now.

Let’s help Eric…..

  • Focus Primarily on Cost-Cutting and Revenue Increasing Projects: First things first, Eric has to realize that he can’t do everything himself. Where are his skills best used? Whether it’s processes that help drive down costs or ones with the potential to raise revenue, evaluate the projects in the queue and rank them by what impacts the bottom line the most. Once that’s done, look at the day-to-day processes designed to keep things running securely and efficiently. What can be off-loaded from Eric? Determine which of those tasks can be automated either through the cloud or managed services.
  • Take to the Cloud: Some IT people fear the cloud spells the end to their job security. Meanwhile, the cloud can actually help them take on a more prominent contributing role in the company’s success. The cloud should be seen as another tool that further eliminates the mundane yet necessary daily drudgery from their workday. Those who work WITH the cloud will find that they have more available time to take on more meaningful cost cutting or revenue generating projects.

Use a Managed Service Provider: Using outsourced managed services not only alleviates much of Eric’s pressure and stress, but also boosts productivity and gives the company a much improved ROI (Return-on-Investment) on their technology investment. While technology has gotten easier for the end user, it has become more complex on the backend with the advent of virtualization, cloud computing, and advanced infrastructure. Using an MSP gives Eric access to a trusted advisor, a 24/7 help desk, remote monitoring and management tools, mobile device management tools, and much better disaster recovery and business continuity solutions. All without the overhead that comes with hiring more help for Eric. MSPs offer a consistency to not just your end-user but also your main IT guy who will certainly appreciate the help.

CLICK HERE for a network assessment.

4 Steps To Improve SMB Data And Network Security

 TO STAY SECURE – A GOOD DEFENSE IS THE BEST OFFENSE

SMBs must understand that the time has come to get serious with their security. Sadly, many small businesses have a false sense of security. In the McAfee/ Office Depot joint survey of 1000 SMBs, over 66% were confident in the security of their data and devices despite admitting to obvious flaws.

Cybercrime is only one cause of compromised data. There are 3 primary causes of breached security at businesses according to the June 2013 Symantec Global Cost of a Data Breach study. Only 37% are attributed to malicious attacks. The remaining 64% are human error and technology errors. 56

Data breaches aren’t always about bad people doing bad things. Many are the result of good employees making mistakes or of technology failure. SMBs don’t necessarily need a large budget or dozens of employees to adequately protect sensitive data. A secure environment is possible even on a SMBs budget. Here are a few steps to improving data and network security.

STEP 1

KNOW ALL DEVICES CONNECTING TO YOUR NETWORK

Keep a frequently updated list of every device that connects to your network. This inventory is especially important given today’s BYOD (Bring-Your-Own-Device) workplace where employees can access your network through several different devices. Knowing what these devices are and ensuring they’re all configured properly will optimize network security.

All it takes is a regularly scheduled review to add or remove any devices and affirm that every endpoint is secure. Much of thisprocess can be inexpensively automated through a Mobile Device Monitoring (MDM) tool. A MDM tool will approve or quarantine any new device accessing the network, enforce encryption settings if sensitive information is stored on such a device, and remotely locate, lock, and wipe company data from lost or stolen devices.

STEP 2

EDUCATE & TRAIN EMPLOYEES

57 Every employee should participate in regular general awareness security training. This will not only reduce security breaches directly tied to employee error or negligence but also train employees to be on the defense against cybercrime. Employees are critical to your security success and the prevention of data breaches. Hackers commonly break into networks by taking advantage of unknowing employees. Phishing attacks – legitimate looking emails specifically crafted to mislead recipients into clicking a malicious link where they’re asked to provide their username and password – are still successfully used by hackers to capture login credentials.

If a large company makes the news for a data breach tied to an infected email, be sure to share that news with employees with a warning. Come up with fun ways to teach employees how to identify spear-phishing email attempts and better secure their systems and devices.

It is also important to have a security policy written for employees that clearly identifies the best practices for internal and remote workers. For example, password security is critical and passwords should be frequently updated to a combination of numbers, lower case letters and special characters that cannot be easily guessed. Security policy training should be integrated into any new employee orientation. This policy should be updated periodically. More important than anything, this security policy must be enforced to be effective.

STEP 3

PERFORM AN AUDIT OF SENSITIVE BUSINESS INFORMATION

If you want to keep your most sensitive business information secure, it’s important to know exactly where it’s stored. A detailed quarterly audit is recommended.

STEP 4

USE CLOUD AND MANAGED SERVICE PROVIDERS

Overall, the cloud is likely a more secure data solution for small business. Any conception that the cloud isn’t safe is outdated. Most of 2013’s security breaches were the result of lost or stolen devices, printed documents falling into the wrong hands, and employee errors leading to unintended disclosures. It’s fair to speculate that many of these breaches wouldn’t have occurred had this information been stored in the cloud rather than computers, laptops, and vulnerable servers.

SMBs with limited budgets are actually enhancing their security by moving to the cloud. Since there is no way a SMB can match a large enterprise’s internal services, moving services like emails, backups, and collaborative file sharing to the cloud not only reduces total-cost-of-ownership, but gives access to top-level security to better defend against internal and external threats.

Meanwhile, a Managed Service Provider (MSP) can assume responsibility for security measures like the administering of complex security devices, technical controls like firewalls, patching, antivirus software updates, intrusion-detection and log analysis systems.

MSPs are also capable of generating a branded risk report for any potential client or business partner reviewing your security measures. This third party manual assessment of your network security can instill confidence in prospective business partners by proving to them that any possible security risks or vulnerabilities will be properly managed and addressed.

CLICK HERE for a free network assessment.

Top 3 Benefits of Network Security Services

If you’re running a business, you need to make sure that your network is secure – there’s no question about it.

Imagine. What would happen if a hacker infiltrated your network and accessed your critical data? You could lose that data or, even worse, you could lose your company!

Don’t leave your company vulnerable and risk losing everything you’ve worked so hard for. There are several ways your company can benefit from network security services – here are the top 3.

 

#1: Peace of Mind

It can be a challenge to safeguard your business from security threats since hackers are constantly devising new ways to steal data and wreak havoc on businesses.

So, what can you do about these security threats?

Luckily, you don’t have to face them alone. By taking advantage of network security services from Cognoscape, you can gain the peace of mind that you need. You’ll be able to sleep well at night knowing that your network is not at risk and your valuable company information is safe from harm.

 

#2: Productivity

When you aren’t dealing with security breaches and network security issues, you’ll be able to empower your employees to be more productive. You’ll also save your software and hardware from harm caused by security breaches.

Instead of dealing with downtime and the stress of losing critical data, you and your employees can focus on your job duties. That way, everyone can work as efficiently as possible instead of being unnecessarily disrupted.

 

#3: Compliance

Every company has certain regulations in place that are set to improve efficiency.

Here at Cognoscape, we understand that adhering to the security compliance regulations for your industry is not an option – it’s a necessity. You can trust that the security solutions you’ll receive from Cognoscape will meet all of the security compliance regulations necessary.

 

It’s easy to see how network security can lift a huge burden from your shoulders and improve your company processes. Contact Cognoscape today for a network security solution, and let’s work together to help your business succeed.

Is Your Business Safe From Cybercrime? 4 Questions to Consider

Did you know that 50% of small business owners think their businesses are too small to be targeted by the thieves of the virtual world? Contrary to popular belief, 72% of hacker attacks often happen to smaller firms – firms with less than 100 employees! So how prepared is your SMB? Here’s a checklist to help you find out how vulnerable you are to these attacks.

48 1. Do you have Antivirus protection? – An antivirus software program can protect you from threats that originate from emails such as phishing and virus attacks. However, the most striking fact is that 61% of small businesses don’t install any antivirus software! If you are one of them, then it’s time to change!

2. How sturdy is your Firewall? – A good firewall system protects your computers from the variety of threats that exist in the virtual world. Examples include harmful cookies, viruses, worms and other such malicious programs used by hackers.

3. Do you use a Spam filter? – Using a simple spam filter for your emails keeps junk out of your inbox. The bonus to having a good spam filter is that your employees save time, as they are not distracted by irrelevant emails, but the major perk here is that the potential virus and phishing threats are lessened as spam emails are unlikely to be opened.

4. Do you do backup your data regularly? – Agreed – backups don’t really protect your data, but they are the only way to recover it if data loss does happen. So, be sure you have a regular and reliable backup plan in place – and it is actually being deployed.

Data loss can prove very costly—especially to SMBs, sometimes even resulting in them having to close down. Prevention is certainly better than a cure in such cases. Stop cybercrime before it happens. CLICK HERE for a free network assessment.

Understanding How Data Loss Happens – The Four Main Reasons

43 Small business owners are often worried about data loss. Rightly so, because data loss has the potential to wipe out a business. We have identified the most common forms of data loss so you can see how they fit into your business and assess the risks related to each of these pitfalls.

1. Human Error – Human error – by way of unintentional data deletion, modification, and overwrites – has become much more prevalent in recent years. Much of this is the result of carelessly managed virtualization technology. While virtualization and cloud computing have enabled improved business continuity planning for many businesses and organizations, humans must still instruct this technology how to perform. The complexity of these systems often presents a learning curve that can involve quite a bit of trial and error. For instance, a support engineer may accidentally overwrite the backup when they forget to power off the replication software prior to formatting volumes on the primary site. They will be sure to never do that ever again, but preventing it from happening in the first place would be more ideal.

2. File Corruption – Unintended changes to data can occur during writing, reading, storage, transmission and processing – making the data within the file inaccessible. Software failure is a leading cause of data loss and is typically the result of bugs in the code. Viruses and malware can also lead to individual data files being deleted and hard drive partitions being damaged or erased.

3. Hardware Failure – Storage devices may be at risk due to age, or they may fall victim to irreparable hard-disk failure. Viruses and hackers can also potentially shut down a hard drive by inserting undeletable malicious code and huge files via open, unprotected ports. If these malicious programs cannot be deleted, the entire hard drive may have to be reformatted, wiping out all the data.

4. Catastrophic Events/Theft – The threat of catastrophic events such as fire, flooding, lightning and power failure is always a concern. Such events can wipe out data in a millisecond with no warning. Theft is also a data loss risk that companies must address. While advances in technology like anytime/anywhere connectivity, portability and the communication/information sharing capabilities of social media and crowdsourcing have revolutionized business – the risk for theft is even greater due to this increased accessibility. More people are doing daily business on their laptop, iPad and mobile phones. They are also carrying around portable media like thumb drives, USB sticks and CDs. Physical theft of any of these devices can spell big trouble.

Data loss is as unique as the various sources from which it comes. The key is to identify the areas in which your business is weak and work towards a mitigation plan for each one of them. An MSP can act as a trusted partner in such cases, holding your hand through the process of safeguarding your data.

Prevent data loss with Cognoscape. CLICK HERE for a free network assessment.

Four Key Components of a Robust Security Plan Every SMB Must Know

41 Most businesses are now technology dependent. This means security concerns aren’t just worrisome to large corporate enterprises anymore, but also the neighborhood sandwich shop, the main street tax advisor, and the local non-profit. Regardless of size or type, practically any organization has valuable digital assets and data that should not be breached under any circumstances.

This makes it the responsibility of every business, especially those collecting and storing customer/client information, to implement a multipronged approach to safeguard such information.

Yes, we’re looking at you, Mr. Pizza Shop Owner who has our names, addresses, phone numbers, and credit card information stored to make future ordering easier and hassle free.

 

Today’s SMB Needs a Robust Security Plan

Protecting your business and its reputation comes down to developing, implementing, and monitoring a robust security plan that adequately addresses everything from physical access and theft to the threat of compromised technology security.  This involves defining and outlining acceptable uses of your network and business resources to deter inappropriate use.  Here are four key components to consider.

  1. Network Security Policy: Limitations must be defined when it comes to acceptable use of the network.  Passwords should be strong, frequently updated, and never shared.  Policies regarding the installation and use of external software must be communicated. Lastly, if personal devices such as laptops, tablets, or smartphones are accessing the network, they should be configured to do it safely, which can be done easily with a reliable Mobile Device Management (MDM) solution.

 

  1. Communications Policy:  Use of company email and Internet resources must be outlined for legal and security reasons.  Restricting data transfers and setting requirements for the sharing or transfer of digital files within and outside of the network is recommended. Specific guidelines regarding personal Internet use, social media, and instant messaging should also be clearly outlined. If the company reserves the right to monitor all communication sent through the network, or any information stored on company-owned systems, it must be stated here

 

  1. Privacy Policy: Restrictions should be set on the distribution of proprietary company information or the copying of data.

 

  1. Inappropriate Use: Obviously, any use of the network or company-owned system or device to distribute viruses, hack systems, or engage in criminal activity must be prohibited with the consequences clearly noted. Any website that employees cannot visit should be identified if not altogether blocked and restricted. For instance, downloading an entire season of True Blood from a Bit Torrent site isn’t an acceptable use of company Internet resources. Every employee must know these policies and understand the business and legal implications behind them.  Companies must also make sure these policies are clear and understood by all, and most importantly, strictly enforced.

CLICK HERE for a free network assessment

 

 

Five Major Benefits of the Cloud for the Healthcare Sector

28 How Cloud Computing Enables Industry Advancements

When it comes to staying on top of industry trends, those in the healthcare sector utilizing cloud computing will undoubtedly have an advantage over those slow to adapt to change. The Internet is more widely used now by both patients and those providing health services.

Today’s patient desires anytime/anywhere access to health-related information and physicians may need access to digitized health data such as MRI scans, ultrasound images, or mammograms. Patient information must also be accessed for clinical decision-making such as potential prescription drug interactions or the American Recovery and Reinvestment Act of 2009 (ARRA) funded community health information exchanges (HIEs) that enable health providers and insurers to share a patient’s medical records with his or her permission. The cloud supports all of these.

In many ways, cloud computing levels the playing field as its affordable benefits are available to anyone from a small physician’s office or non-profit to large organizations or insurers. This fosters an all-inclusive collaboration that isn’t restricted to only large institutional players.

Major Benefits of the Cloud for the Healthcare Sector

  1. Security – Ironically, the biggest concern most healthcare entities have about taking to the cloud is one of its biggest strengths. Recent updates have made CSPs as responsible and liable for HIPAA compliance as the healthcare institutions that hire them. CSPs must ensure that data is encrypted, backed up, easily recoverable, and secured with permission-based access.
  2. Costs – Reduced costs are an incentive for healthcare entities to take to the cloud. Costs are dramatically cut since the cloud moves everything into a virtual environment, eliminating the need for costly hardware, software, maintenance, data center space, and IT labor. Pay-as- you-use fees requiring little-to-no capital investment replace these often overwhelming up-front capital expenses.
  3. Scalability – With the 2015 HER conversion deadline nearing, and the fact that health service providers are generally required to maintain patient medical records for at least six years, it’s easy to anticipate that managing such a high volume of patient data will inevitably stress any on-site IT infrastructure. But the cloud presents a scalable alternative where additional server or storage capacity is available as needed.
  4. Mobility – The cloud improves a physician’s ability to remotely access readily available patient information. This enables even the busiest physician to review a patient’s medical records or test results even after they leave the office.
  5. Sharing – Cloud computing keeps physicians better connected to not just their patients but their colleagues as well. Patients will notice benefits to medical professionals being able to share patient information online – for example, referrals to specialists will be more timely, there will be less paperwork to fill out with each office visit, and no unnecessary repeat diagnostic tests.

Are You Ready for This Transition?

The transition to cloud computing is underway in the industry. For healthcare service providers, it is no longer a question of if they will transition to the cloud, but when they can start benefiting from its potential savings and all of its capabilities.

Healthcare is a heavily regulated industry and cloud computing will continue to evolve to meet the industry’s growing security requirements and regulatory mandates. Many legitimate CSPs familiar with the healthcare sector already have strict security protocols in place to comply with regulations and will not hesitate to sign a BAA when asked. It is best to choose a CSP cautiously. Avoid any CSP who refuses to sign a BAA and carefully evaluate even those who do to get a feel for their stability, level of service, and delivery on promises.

Taking care of people – not your IT infrastructure – is your core service. Why not put the money being spent right now on hardware, software and equipment back into patient care while actually strengthening patient data integrity and security? Contact us today if you’d like to learn more about HIPAA compliant cloud-based technology.

CLICK HERE for a free network assessment.

HIPAA and the Cloud – Moving Toward 2015

29 In the healthcare sector, the storing and sharing of sensitive digitized patient data has become a significant undertaking and is a heavy burden on resources. Preparation for a complete conversion from paper medical records to electronic health records (EHR) by 2015 has independent practitioners and small healthcare entities making significant investments in equipment, hardware and software, and tech-savvy personnel. Rather than focusing on the delivery of core patient care services, they must now worry about IT infrastructure issues, underlying network constraints and data center accessibility as well. This is problematic as very few medical offices or small health service organizations can afford to employ dedicated IT staff.

In this context, it is obvious that cloud-based solutions, which consolidate and outsource computing resources to external entities, would provide substantial relief to healthcare service providers. Data stored in the cloud is available on-demand and requires no expensive equipment, physical home or hired staff to manage and maintain it.

But while other business sectors have fully embraced the cloud for cheaper, more flexible, scalable and secure computing, many in the healthcare sector have yet to entertain putting patient data into the cloud. HIPAA-driven security and privacy concerns have been a serious deterrent.

This is about to change. Recent modifications to the HIPAA Privacy, Security, Enforcement and Breach Rules have made it clearer that data center operators are to be classified as business associates under HIPAA. This means cloud-service providers are required by law to report and respond to data breaches and uphold their obligation to properly protect and secure patient info.

These modifications are a game changer because they now assure covered entities such as doctor offices, hospitals, and health insurers that they can remain HIPAA compliant while adopting cloud technology.

Cloud Computing in Healthcare Sector Projected to Grow

According to recent report by the research firm Markets and Markets, although the healthcare sector has been notoriously slow when it comes to adopting new technology trends, the cloud computing market in this sector is projected to grow to $5.4 billion by 2017.

Breaking Down HIPAA and the Cloud

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) was upgraded in 2009 with the Health Information Technology for Economic and Clinical Health (HITECH) ruling addressing the growing use of digitized medical records. HITECH was introduced to provide federal funding to deploy HER and establish a protocol for protecting the electronic storage and transmission of Protected Health Information (PHI). [PHI is defined as any information obtained, used or disclosed in the course of providing a healthcare service–treatment, payment, operations or medical records–that can be used to identify an individual.]

Compliance with HIPAA requires the reporting of any potential unauthorized PHI access. Because any impermissible access, use, or disclosure of PHI can severely damage an organization’s reputation, as well as levy penalties varying from $100 to $50,000 for first time offenders, it is understandable that many in the healthcare industry have chosen to avoid migrating patient data to the cloud unless they’re absolutely certain that a cloud-service provider (CSP) is HIPAA compliant.

Cloud-Service Providers as HIPAA Business Associates

Over the past five years, there has been much confusion whether cloud-service providers were classified as business associates (BAs) under HIPAA. The Department of Health and Human Services holds BAs accountable for certain required privacy and security obligations to protect PHI data, upholding them to a signed Business Associate Agreement (BAA). If confidential health data is compromised, the Associate is liable for responsibilities on their end.

The HIPAA privacy rule defines a BA as “a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity.”

Since most CSPs “maintain” PHI on behalf of either the covered entity or another BA that subcontracts them, one would assume they’d be deemed a BA themselves. But that hasn’t always been the case due to some ambiguous language that originally accompanied the regulation, language that was only just recently modified to expand the scope of BAs as defined by HIPAA. Capture4

As you can see, this language easily leaves “access on a routine basis” up to interpretation. For instance, although it states that HIPAA requires those accessing PHI data on a routine basis be treated as BAs, some CSPs felt they were mere “conduits” of protected data – not very different than courier services or postal services, having only random or infrequent access to public health information as they transport/share it with others. These CSPs would often argue that a signed BAA wasn’t necessary, thus avoiding the added due diligence or security control requirements and liability.

Take a high-volume Platform-as-a-Service (PaaS) for example. Here the CSPs primary role is to provide storage services that enable the covered healthcare entity’s staff, such as a doctor’s office, to routinely look at data stored remotely. While the CSP providing the PaaS bears responsibility for maintenance and upgrades to the hardware, software and the operating system, they don’t touch the actual PHI data all that much. Therefore, a CSP offering PaaS doesn’t necessarily have the same level of PHI access as a cloud provider using Software-as-a-Service (SaaS) who must grant their personnel daily access to PHI.

A similar argument could be made for a CSP who maintains encrypted PHI for a covered healthcare entity but doesn’t hold the encryption key.

This uncertainty was the reason for much of the healthcare sector’s reluctance to take to the cloud. If a cloud-service provider (CSP) didn’t feel the need to sign a BAA, and the patient info they managed was breached, the covered healthcare entity, not the CSP, would be fined. Capture5

The new HIPAA Omnibus Rule further clarifies that BAs and subcontractors of BAs are directly liable for compliance with certain HIPAA Privacy and Security Requirements. This has calmed skeptics, resulting in a healthcare industry now actively looking to cloud-based solutions.

Protecting personal information and cloud security are a must by 2015. CLICK HERE for a free network assessment and choose Cognoscape for your HIPAA compliant managed IT services.