Health Data Management - GROUP PRACTICES

DataBank provides secure data center, cloud, and interconnection services, offering customers 100% uptime availability of data, applications and infrastructure. Our technology solutions reduce risk, improve performance and ensure compliance. DataBank acquired Edge Hosting, LLC in September of 2017, providing additional expertise in the delivery of cloud solutions and managed services, especially for highly regulated industries.

Mark Houpt, Chief Information Security Officer, DataBank

Many healthcare organizations are hearing about Hybrid IT. From a compliance and security perspective, is Hybrid IT a good option for healthcare organizations?

Absolutely, Hybrid IT is a good option for healthcare organizations. Hybrid IT is not a new concept, and what healthcare organizations may be surprised to find out is that they are probably already doing Hybrid IT to some degree.

To be clear, Hybrid IT is the concept that IT systems are located in house and at a provider. Sometimes it is one entire application in house and another at the cloud provider. Sometimes a single application will span back from a cloud provider into the organization's data center. For example, the application may be at the provider, but the database is kept in house.

Regardless of the model you follow, security and compliance concerns are of paramount importance, especially within the healthcare industry. One of the key things to ensure in a hybrid setup is that the boundaries are clearly documented and responsibilities clearly defined. All too often, when I am working with healthcare organizations that are transitioning to a cloud provider, they think that the cloud provider assumes or takes over the responsibilities for security. This is not accurate and, unfortunately, sometimes a healthcare organization has to look at the fine print to see what the provider is actually doing for them. When working with a provider, ask the same questions you would ask of your internal teams. Assess the provider in the same manner as, or even with more scrutiny than, your internal teams. Find the provider that will work with you and disclose this information easily and frequently. Look to a provider that can provide KPIs and other reporting functions so that you know the provider side of the hybrid model is working for you.

How do federal government mandates such as FISMA or FedRAMP affect HIPAA HITECH?

FISMA and FedRAMP only impact HIPAA HITECH if you are using, storing, processing, or qualifying federal government-owned data. If you are a healthcare provider that has no interaction with federal government data, then compliance with those mandates is off your radar screen. Of course, compliance with HIPAA and HIPAA HITECH is never off your radar.

If you are hosting data owned by a federal agency, then compliance with HIPAA is astonishingly easy. Don't get me wrong, you can't simply assume HIPAA compliance if you are doing FISMA or FedRAMP. But the fact is that compliance with FISMA or FedRAMP requirements is more stringent in many areas than HIPAA. For example, FedRAMP requires the use of two-factor authentication, and FedRAMP specifies the need for using encryption compliant with FIPS 140-2, whereas HIPAA does not specify down to the detail that FedRAMP does. Also, the continuous monitoring requirements of HIPAA are vague, simply stating that they are "required" to do so, whereas FedRAMP is specific about which controls and their frequency, which can be daily, weekly, monthly, or quarterly. The one area a healthcare provider should certainly look to HIPAA over FISMA or FedRAMP is with breach notification. As all healthcare providers know, the DHHS is very prescriptive on this subject.

About the Author

Mark brings over 25 years of extensive information security and information technology experience in a wide range of industries and institutions. Mark holds an MS-ISA (Masters in Information Security and Assurance), numerous security and technical certifications (CISSP, CEH, CHFI, Security+, Network+) and qualified for DoD IAT Level III, IAM Level III, IASAE Level II, CND Analyst, CND Infrastructure Support, CND Incident Responder, and CND Auditor positions and responsibilities. Mark is an expert in understanding and the interpretation of FedRAMP, HIPAA and PCI-DSS compliance requirements. Mark is an active member of ISC2, ASIS International, COMPTIA, IAPP, and ISACA, among other leading national and international security organizations.
