Free EMR Newsletter Want to receive the latest news on EMR, Meaningful Use, ARRA and Healthcare IT sent straight to your email? Join thousands of healthcare pros who subscribe to EMR and HIPAA for FREE!!

Healthcare Cloud Spending To Ramp Up Over Next Few Years

Posted on October 4, 2013 I Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

For years, healthcare IT executives have wrestled with the idea of deploying cloud services, concerned that the cloud would not offer enough security for their data. However, a new study suggests that this trend is shifting direction.

A new study by market research firm MarketsandMarkets has concluded that the healthcare industry will invest $5.4 billion in cloud computing by 2017.  This year should see a particularly big change, with total healthcare cloud investment moving from 4 percent to 20.5 percent of the industry, according to an article in the Cloud Times.

The current US cloud market for healthcare is dominated by SaaS vendors such as CareCloud, Carestream Health and Merge Healthcare, according to MarketsandMarkets. These vendors are tapping into an overall cloud computing market which should grow at a combined annual growth rate of 20.5 percent between 2012 and 2017, the researchers say.

As the report notes, there are good reasons why healthcare IT leaders are taking a closer look at cloud computing. For example, the cloud offers easy access to high-performance computing and high-volume storage, access which would be very costly to duplicate with on-premise computing.

On the other hand, the MarketsandMarkets researchers admit, healthcare still has particularly stringent data security requirements, and a need for strict confidentiality, access control and long-term data storage. Cloud vendors will need to offer services and products which meet these unique needs, and just as importantly, change and adapt as regulatory requirements shift. And they’ll have to have an impeccable reputation.

That last item — the cloud vendor’s reputation — will play a major role in the coming shift to cloud-based deployments. If giants like AT&T, IBM and Verizon stay in the healthcare cloud business, which seems likely to me, then healthcare institutions will be able to admit that they’re engaged in cloud deployments without suffering a public black eye over potential security problems.

On the other hand, if the giants were to get cold feet, cloud adoption would probably slow substantially, and remain at the trickle it has been for several years. While vendors like Merge and Carestream may be doing well, I’d argue that the presence of the 2,000-pound gorilla vendors ultimately dictates whether a market thrives.

The HIPAA Final Rule and Staying Compliant in the Cloud

Posted on September 3, 2013 I Written By

John Lynn is the Founder of the blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of and John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

The following is a guest post by Gilad Parann-Nissany, Founder and CEO of Porticor.

The HIPAA Omnibus Final Rule went into effect on March 26, 2013.  In order to stay compliant, the date for fulfilling the new rules is September 23, 2013, except for companies operating under existing “business associate agreements (BAA),” who may be allowed an extension until September 23, 2014.

As healthcare and patient data move to the cloud, HIPAA compliance issues follow.  With many vendors, consultants, internal and external IT departments at work, the question of who is responsible for compliance comes up quite often.  Not all organizations are equipped or experienced to meet the HIPAA compliance rules by themselves.  Due to the nature of the data and the privacy rules of patients, it is important to secure the data correctly the first time.

HIPAA and the Cloud
Do you have to build your own cloud HIPAA compliance solutions from scratch?  The short answer is no.  There are solutions and consulting companies available to help move patient data to the cloud as well as secure it following HIPAA compliance rules and best practices.

The following checklist provides a guide to help plan for meeting the new HIPAA compliance rules.

A Cloud HIPAA Compliance Checklist

1. Ensure “Business Associates” are HIPAA compliant

–          Data Centers and cloud providers that serve the healthcare industry are in the category of “business associates.”

–          Business Associates can also be any entity that “…creates, receives, maintains, or transmits protected health information (PHI) on behalf of a covered entity.”  This means document storage companies and cloud providers now officially have to follow HIPAA rules as well.

–          Subcontractors are also considered business associates if they are creating, receiving, transmitting, or maintaining Protected Health Information (PHI) on behalf of a business associate agreement.

–          As a business associate they must meet the compliance rules for all privacy and security requirements.

What can you do?

Ensure business associates and subcontractors sign a business associate agreement and follow the HIPAA compliance rules for themselves and any of their subcontractors. A sample Business Associate Agreement is available on the website.

What happens if you are in violation?

The Office of Civil Rights (OCR) investigates HIPAA violations and can charge $100 – 50,000 per violation.  That gets capped at $1.5 million for multiple violations.  The charges are harsh to help ensure that data is safe and companies are following the HIPAA rules.

2. Data Backup

– Health care providers, business associates, and subcontractors must have a backup contingency plan.

– Requirements state that it has to include a:

Backup plan for data, disaster recovery plan, and an emergency mode operations plan

– The backup vendor needs to encrypt backup images during transit to their off-site data centers so that data cannot be read without an encryption key

– The end user/partner is required to encrypt the source data to meet HIPAA compliance

What can you do?

If you handle the data backup internally, set a plan to meet HIPAA compliance and execute it.
If you have external backup solution providers, ensure they have a working plan in place.

3. Security Rules

–          Physical safeguards need to be implemented to secure the facility, like access controls for the facility

–          Develop procedures to address and respond to security breaches

–          There are an additional 18 technical security standards and 36 implementation specifications as well

What can you do?

Put a plan in place to protect data from internal and external threats as well as limiting access to only those that require it.

4. Technical Safeguards

Health care providers, business associates, and subcontractors must implement technical safeguards. While many technical safeguards are not required – they do mitigate your risk in case of a breach. In particular, encryption of sensitive data allows you to claim “safe harbor” in the case of a breach.

v  Study encryption and decryption of electronically protected health information

v  Use AES encryption for data “at rest” in the cloud

v  Use strong – and highly protected – encryption key management; this is the most sensitive and difficult piece on this list – consider to use split-key cloud encryption or homomorphic key management

v  Transmission of data must be secured: use SSL/TLS or IPSec

v  When any data is deleted in the cloud any mirrored version of the data must be deleted as well

v  Limit access to electronically protected health information

v  Audit controls and procedures that record and analyze activity in information systems which contain electronically protected health information

v  Implement technical security measures such as strong authentication and authorization, guarding against unauthorized access to electronically protected information transmitted over electronic communication networks

What can you do?

Adopt strong encryption technology and develop a plan to ensure data is transmitted, stored, and deleted securely. Develop a plan to monitor data access and control access.

5. Administrative Safeguards

For organizations to meet HIPAA compliance they must have HIPAA Administrative Safeguards in place to “prevent, detect, contain and correct security violations.”  Policies and procedures are required to deal with: risk analysis, risk management, workforce sanctions for non-compliance, and a review of records.

v  Assign a privacy officer for developing and implementing HIPAA policies and procedures

  • Ensure that business associates also have a privacy officer since they are also liable for complying with the Security Rule

v  Implement a set of privacy procedures to meet compliance for four areas:

Risk Analysis
“Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity”

Risk Management
“Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with §164.306(a).”

Workforce Sanctions for Non-Compliance
“Apply appropriate sanctions against workforce members who fail to comply with the security policies and procedures of the covered entity.”

Review of Records
“Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.”

v  Provide ongoing administrative employee training on Protected Health Information (PHI)

v  Implement a procedure and plan for internal HIPAA compliance audits

What can you do?

Develop an internal plan to meet HIPAA compliance and have a privacy officer to implement requirements.  Ensure that policies and procedures deal with analysis of risk, management of risk, policy violations, and sanctions for staff or contractors in violation of the policy.  Develop and maintain documentation for internal policies to meet HIPAA compliance as it will help define those policies to your organization and could assist during a HIPAA audit.

Gilad Parann-Nissany, Founder and CEO of Porticor, is a cloud computing pioneer. Porticor infuses trust into the cloud with secure, easy to use, and scalable solutions for data encryption and key management. Porticor enables companies of all sizes to safeguard their data, comply with regulatory standards like PCI DSS, and streamline operations.

Don’t Let a Business Associate Compromise Your HIPAA Compliance

Posted on August 5, 2013 I Written By

John Lynn is the Founder of the blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of and John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

The following is a guest post by Kari Woolf, Senior Global Product Marketing Manager, Novell.
Kari Woolf - Senior Global Product Marketing Manager at Novell
Traditional healthcare organizations are no longer the only enterprises expected to comply with the strict rules and regulations of the Health Insurance Portability and Accountability Act (HIPAA). The U.S. Department of Health and Human Services (HHS) recently issued the final omnibus rule of HIPAA, which creates significant liability for many technology enterprises, as it has extended the requirement of HIPAA compliance to healthcare “business associates.”

Defining an “organization” and a “business associate.”

A healthcare organization is a healthcare provider, health plan or healthcare clearing house. A business associate is defined as any company that provides its services to healthcare providers, health plans or healthcare clearing houses. These organizations have always been required to comply with HIPAA. Under the new omnibus rule of HIPAA, business associates are now required to be HIPAA-compliant as well. Even companies that may not view electronic protected health information (ePHI), but store, transfer, conduct transactions or in any way manage files for healthcare organizations must comply, and healthcare organizations have to have a business associate agreement in place with those companies.

What does this mean for healthcare organizations?

Organizations often let their employees use cloud-based solutions because they believe sharing internally is not in violation of any HIPAA ordinance. However, any time a file is shared via the cloud it is then in the hands of a company that could be considered a business associate. In most cases, these business associates are not HIPAA-compliant, creating an unnecessary risk for the organization.

The business associate might get in trouble—but the healthcare organization is almost sure to get in trouble. HIPAA regulators are cracking down on traditional healthcare organizations. HHS recently announced the first HIPAA breach settlement involving less than 500 patients at the Hospice of North Idaho (HONI). According to the HHS resolution agreement, HONI did not evaluate the likelihood and impact of potential risks to the confidentiality of ePHI maintained in and transmitted using portable devices. This resulted in a $50,000 fine, a two year probation period and extensive reporting requirements for up to six years.

What can healthcare organizations do?

Regardless of any regulations, organizations must enable employee access to important materials from whichever devices or locations employees need to work from. This challenges IT to maintain control of ePHI while still enabling employees to access and share files.

An on-premise solution is a viable option for these organizations to remain HIPAA compliant. Employee productivity and user experience don’t have to be abandoned, as a robust on-premise solution can enable a cloud-like, user-friendly experience with corporate data and files. Organizations can remain HIPAA compliant with certain, trusted cloud solutions, but IT needs to ensure that the cloud provider they choose has the enterprise experience to keep data safe, and with controls and restrictions that only allow the right people to access the right files. Consumer-focused cloud solutions like Dropbox won’t be sufficient for HIPAA compliance. SkyDrive from Microsoft, for example, just announced that IT can now see who has viewed and altered certain documents from the platform. While this is a step in the right direction, visibility alone does not prevent data breaches; it only serves as a notification after the fact, when it may already be too late.

Here’s a quick list of action items to help you maintain HIPAA compliance:

  1. Consider an on-premise solution: Reconsider whether the trouble of relying on a business associate is worth the benefit. On-premise solutions offer all the same capabilities that cloud solutions do, and in fact, most on-premise solutions are more mature and offer better features. Most importantly, they provide a secure foundation for accessing and working with ePHI.
  2. Conduct a full audit of third-party apps in use: Popular mobile apps like Dropbox, Evernote and even Gmail are not HIPAA-compliant. Using these apps constitutes giving ePHI to noncompliant business associates.  Employees may not realize this—they simply want to use the apps they’re familiar with. You need to police the issue. Not sure how to do this? A good mobile device management solution should have tools to help you.
  3. Use a mobile device management tool that can remotely wipe a device if it is lost or stolen: This empowers the network administrator to track and manage access to sensitive data. If a device with ePHI is compromised the network administrator can quickly and efficiently delete the data and minimize any risks. Better yet…
  4. Use your mobile devices as gateways, not destinations: Employees are going to use mobile devices, and there’s little sense in trying to stop them. Instead, make sure those devices don’t become the destination for your ePHI and instead act as a gateway. Employees can access files through their mobile devices without having the actual files on the mobile devices. On-premise solutions will keep ePHI in your data center without it being compromised through cloud storage and file-sharing services.    
  5. Audit mobile devices frequently: All organizations need to have an updated auditing schedule for mobile devices to ensure they are in compliance with any and all organization and regulatory requirements.
  6. Sign a business associate agreement with any outside organization that touches your ePHI: If a cloud vendor or other business associate won’t sign an agreement, find one that will or consider an on-premise solution.

Kari Woolf is a Senior Product Marketing Manager and Collaboration Marketing Lead for Novell. She has been with the company for more than 14 years in a variety of marketing and communications capacities. In addition to her high tech marketing experience, she served as an account manager and content director for a creative agency specializing in live events. She holds a Bachelor of Arts degree in Political Science from Brigham Young University.

Verizon Launches HIPAA-Compliant Cloud Services

Posted on October 4, 2012 I Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

Last month, I shared some of Verizon’s big plans for the medical space with you, including their desire to become the industry’s default carrier of secure healthcare data.  This week, Verizon has launched its cloud service line, and I wanted to share some of the details on how it’s set up with you.

Verizon’s Enterprise Solutions division is offering five “healthcare-enabled” services, including colocation, managed hosting, enterprise cloud, an “enterprise cloud express edition” and enterprise cloud private edition. In addition to the services, Verizon provides a HIPAA Business Associate Agreement which, one would assume, is particularly stringent in how it safeguards data storage and tranmission between parties.

The new Verizon services will be offered through cloud-enabled data centers in Miami and Culpeper, Va. run by Terremark, which Verizon acquired some time ago. Security standards include PCI-DSS Level 1 compliance, ITIL v3-based best practices and facility clearances up to the Department of Defense, Verizon reports.

In addition to meeting physical standards for HIPAA compliance, Verizon has trained workers at the former Terremark facilities on the specifics of handling ePHI, Verizon exec Dr. Peter Tippett told Computerworld magazine.

You won’t be surprised to learn that Verizon is also pitching its (doubtless very expensive) health IT consulting services as well to help clients take advantage of all of this cloud wonderfulness.

Not surprisingly, Verizon notes in its press release that “each client remains responsible for ensuring that it complies with  HIPAA and all other applicable laws and applications.”  If I were Verizon, I’d be saying that too, and doubtless states the obvious. That being said, it does make me wonder just how much they manage to opt out of in their business associate agreement.  Call me crazy, but I think they’d want to leave as much wiggle room as humanly possible.

The bigger question, as I see it, is how big the market for these services really is at present. According to the Computerworld story, only 16.5 percent of healthcare providers use public or private clouds right now. Verizon may be able to turn things around on the strength of its brand alone, but there’s no g uarantees. I guess we’ll have to wait and see.