OnPlus & HIPAA compliance, related compliance "thoughts"? (maybe slightly OT)

davebainum
Level 1

Ok, maybe this is slightly off-topic, but I'm betting that fellow Betas and Cisco can help chime in on this in an interesting way:

Our company generally steers clear of the medical/clinical vertical (e.g. doctor's offices, dentists, etc.) for a number of reasons.  We recently, somewhat begrudgingly, signed on a tiny little medical office, mainly because they're nearby and we want to be community-minded, etc. They are a small firm who doesn't even have a broadband Internet connection yet (believe it or not).  Anyways, he had declined our standard MSP offerings etc., and I kind of get the feeling that the Dr. mainly just wants some informal consulting from us so that he can go ahead and just build n' buy his own solution(s) at the lowest cost (example: he's already bought two new laptops from Costco of his own accord).  And yes, for those wondering, when we found this out we already politely told this person that he may want to consider a lower-cost IT provider such as Geek Squad etc., if "lowest price prevails" is going to be the overall approach he takes towards IT in general, since we don't really want to be in the business where we only hear from a client for 1-2 hours a year while they do their own IT experimentations unbeknownst to us... But despite my frank warnings that we may not be the best company to fit his budget or expectations over the longer term, he's still interested in having us "consult" for him, so we're where we're at, at least for the time being...

That said, he's raising the "HIPAA question", which I wanted to toss out to the broader group, because there's an OnPlus-related question (and/or idea) potentially in there, as well as a broader compliance-based question.  Coincidentally, this same week we also got a strong lead from an Ameriprise franchisee who is opening a new office later this year, which may also raise related compliance (e.g. SOX, GLB, etc.) questions. 

So - here's the "HIPAA" question, as well as my broader Compliance questions, as it relates to OnPlus further below:

My general sense is that HIPAA, like any compliance standard, is more about processes and people, ongoing vigilance/logging & monitoring, and knowing how to address or respond to incidents (as well as any audit or information requests, should they occur), than about specific products or services and ensuring that those are HIPAA compliant.  E.g. with the exception of specific, narrowly-defined services (e.g. Cloud E-Mail), I don't believe that most general purpose IT Services firms are going to "guarantee" that anything & everything done on the client's network or PCs is going to be HIPAA compliant. Is that a correct assumption, or am I totally off base?  Again, we tend to avoid servicing the medical vertical like the plague.  I would imagine there may be some IT providers who specialize in servicing medical offices who may "guarantee" HIPAA compliance or help with HIPAA compliance, but do most, or any, other IT providers to SMBs really "guarantee" HIPAA compliance? 

I could see how a medical software company (or services company, e.g. hosted email) could potentially claim that they are HIPAA compliant, or a HIPAA-compliant vendor, because they can say that their specific solution adheres to it.  At the more local level, I could also envision that an IT firm can certainly advise or recommend (and perhaps only propose or sell) specific products or services that are known to be HIPAA compliant, in addition to helping the office create or adopt policies that help the office remain HIPAA compliant.  For instance, advising the office to not send patient or insurance/billing confidential data in plaintext email, not using FAX-to-Email services, ensuring that any patient data stored locally is properly secured and encrypted, etc.; those would all be required by HIPAA as well as just common IT security sense.  But I wouldn't imagine that the typical general-purpose SMB IT company could say, for instance, with 100% certainty, that anything that is done, or potentially done, on that office's PCs or using their Internet connection is automatically going to be HIPAA compliant, just by virtue of the fact that the IT company originally set up the networks and PCs for that office, because compliance is mainly about people, behaviors, and practices, not just the actual technology, software, or services used.  So, the Dr. (or whoever else) could potentially choose to use or buy services from elsewhere that happen to NOT be HIPAA compliant.  Or, a disgruntled (or potentially clueless) employee could just decide to post personal patient information on an Internet blog from an Internet-connected PC; again, a HIPAA violation, but there's no way to necessarily prevent it, or otherwise "guarantee" that anything & everything that happens on that network is going to be 100% HIPAA compliant...

The IT company could, however, certainly help the office create solutions based on best practices, and then some office- or people-oriented best practices or "to-do's" (or DO-NOT-do's) to help them remain HIPAA compliant.  The IT company could also help them audit for HIPAA compliance, much like an IT security or network audit.

At least, all of that's my view of the HIPAA world, with my limited HIPAA and medical-vertical knowledge.  Am I off base on this, or not so much?

Finally, here's the OnPlus question: I wonder how OnPlus could help, either in its current and/or future incarnation(s), to demonstrate compliance with HIPAA and/or other compliance requirements.  It obviously is very strong and/or has strong potential in the Logging & Monitoring arena, which I know is a hot-button issue for more rigorous compliance requirements such as SOX; they really want to see that there are mechanisms in place for monitoring and instrumenting pretty much any critical system, segregation of duties, etc., etc.  Obviously in the SMB space you're perhaps not as likely to run into SOX, but HIPAA is certainly likely to apply, and possibly some of the financial ones for the Ameriprise example.  I've also seen instances in my professional past where a larger public company bought or acquired another smaller, privately-owned one, and the acquisition transaction actually triggered a SOX compliance review process and/or requirement for the party being acquired, because they now have to ALSO become SOX compliant as a result of the acquisition.  (That was always a fun culture shock to watch, particularly when a single person was used to being the System Administrator, DBA, Developer, Account Credentials person, etc. all in one!)

So, I wonder how, or if, OnPlus could potentially help in demonstrating HIPAA or other compliance, obviously in tandem with having other appropriate practices and tools in place, as well as avoiding the ones that are known to be "no-no's", such as plaintext emails with confidential data, FAX to email, etc.

Anyways - thanks for reading, and I appreciate your advice & perspective...

Regards,

-- Dave Bainum, PMP* (dbainum@ritetech.net)

RiteTech LLC / www.ritetech.net / Tel. +1 (703) 561-0607

[*PMP=PMI Certified Project Management Professional]

6 Replies

Marc Bresniker
Level 1

Great questions and suggestions here, Dave. I will work with the team to investigate this and provide feedback on the topic. We may end up providing guidance towards scenarios that have a HIPAA requirement vs. a simple yes/no answer. We'll need to work with some industry-focused individuals inside and outside of Cisco.

-Marc

Brian Bergin
Level 4

We’ve provided IT services for medical practices (and many other types of firms) for years, and one thing I can tell you is there is no way to guarantee anything, let alone total HIPAA compliance. One document I highly recommend, if you’ve not already read it, is http://aspe.hhs.gov/admnsimp/final/fr03-8334.pdf. It’s very long and very dry reading, but worth a look.

The key, as we understand it, is to implement ‘industry standard’ steps to prevent unauthorized access to data. You talked about not using fax-to-email systems; however, there is no way to even know where a fax is going, let alone whether it’s a fax-to-email system, when a patient requires records be faxed to another doctor’s office or to a pharmacy, etc. You just dial the number provided and have to assume that the other side is doing what they’re supposed to be doing. As for a practice using electronic fax services, there are lots of them, like Worldsmart (though I’m not endorsing them, just an example), where inbound faxes are stored in the cloud and you get an e-mail notice that a new fax is waiting, but then you have to log in via https and view/download (normally as a PDF) the fax. I would consider that safe, as there’s no personally identifiable information in the notification e-mail, only that there is a fax available for retrieval. But I would agree 100% that if the fax vendor automatically delivers faxes via e-mail and those faxes are not encrypted, then that would create a problem (though see what I say later about the disposal of paper if you use an actual fax machine with printed faxes; that’s a bigger concern than almost anything else, IMHO).

One thing we insist on is that backups are encrypted with at least 128-bit AES, if not 256-bit, and that access to the “key” is limited to a very few individuals. That way, should a backup device, usually an external HDD, be stolen while off-premises, the best one could hope for is to wipe it and have a “free” (albeit stolen) device.

Access to patient data is generally controlled by the EMR software, so that only necessary personnel have access to patient records, so that, say, those making appointments can only do that and not access the notes from the last visit, and so that very few, if any, employees can delete EMR records. We have one practice where only one account has “full” access, and the owner of the practice doesn’t even use that account, so he can’t delete anything either.

There are other things you cannot control that are totally dependent on the EMR software. Most of the software packages I’ve run across store “attachments” as independent files in a folder structure. So, for example, when a digital x-ray is taken at a dentist’s office and added to the patient record, the actual x-ray is stored in a specific location on the file server and not in the SQL database, so there’s no way to encrypt it or stop physical access to the file by the user(s) who require access to it; if they’re savvy enough, they could find ways outside the EMR product to delete such a file. Yes, there are ways to use Group Policies to prevent access to Windows Explorer and the like, but when there are other valid reasons to have access to it, say for browsing for letters, spreadsheets, etc., you have to weigh the pluses and minuses. Also, §164.306 talks about how data should be transmitted but doesn’t talk about encrypting locally stored data, so since few, if any, of the EMR products we’ve seen (most are major, national vendors) are encrypting these attachments, one can only assume they know what they’re doing. That’s part of what a practice pays the EMR product vendor to do.

BTW, back to paper/faxes: one of the easiest ways to break HIPAA is to not properly dispose of printed patient records. Have them find a reputable document disposal agency who comes by and picks up and manages this type of waste, and basically anything that has anything printed on it goes in the pickup bin to be safe. Even if it’s a mailing for a free cruise, get rid of it properly and not in the trash.

BTW, you can do things like prevent access to USB drives, CD/DVD burners, etc., but the second you do that you’ll get a patient who brings their records on a disc or thumb drive, and then you have problems there. So at the very least you’ll have to leave one system/user with access to external media, and of course you will need to make sure that person is there every business hour, so you’ll really have to have several. The problems for providers in HIPAA are tremendous just to see patients. I’ve yet to meet a doctor who loves them, and I regularly watch patients just blindly sign the practice’s privacy policy, which could say “blah blah blah” and they’d never even know it because they didn’t read it.

In the end, just as with power protection, backups, etc., there’s nothing in IT that anyone can or should ever guarantee. Nothing is perfect, and make it clear, in writing, to medical customers, that you cannot and never will guarantee HIPAA compliance, and that anyone who says they can guarantee it is full of it. Unless the customer is in Fort Knox, someone could break in and walk out with a server and get access to a lot of information pretty quickly, so take reasonable steps, create check lists (there’s one at http://hipaanews.org/checklist.htm along with an outline of what you need to do at http://hipaanews.org/outline.htm, but there are lots of others), and encourage the practice to stick with them. But in the end you can only do so much; if they ignore the lists, you need to put it in writing that what they’re doing is wrong to cover your end, or fire the customer if it’s not worth the hassle.

mrn
Cisco Employee

@Dave:

Thanks for all the useful info gathered from your experience.

One thing that I think is kind of interesting about HIPAA compliance is the total absence of enforcement. There have been a few high-profile cases, but they have usually been egregious violations of confidentiality, such as selling patient info to tabloids. Day-to-day ignorance of standards seems to go unnoticed.

I've been in plenty of practices where there are blatant violations right and left, and they justifiably feel no concern about it. Other practices bend over backwards to conform, but their motivation is generated internally, not externally.

In my wife's practice, AFAIK, the only time they have had any sort of informal audit of HIPAA conformance was when their provider network did a startup inspection, and the HIPAA component of that was cursory. Now that they are open for business, they will never have another official look at the practice. It's kind of strange, because even the fire inspectors come around once a year or so.

- Mark

Mark, that may be true at a provider's level (i.e. doctor's office), but I can tell you that auditing and enforcing at an infrastructure level is a very real thing. I am talking about IT infrastructure of course, more specifically, data center compliance. There is a whole industry around it (which, there is no denying, has been very opportunistic), and we are part of it.

Ultimately, the OnPlus service will need to answer the questions on IT compliance (for the parts it covers, of course), leaving the enforcement of the actual business processes up to the customer. My experience so far is that a paranoid approach to security helps a great deal. The compliance badges will follow (HIPAA, SOX, PCI, etc.), and for the most part will be "awarded" if the following things are properly designed:

  • Secure multitenancy (customers and VARs can't see/access each other's stuff)
  • Data encryption and data security (especially for data at rest)
  • Secure 3rd party integration (API security)
  • Secure reporting
  • Redundancy and Disaster Recovery (DR) of data

From the experience of working on this product and with you guys, I am confident this is the case. Security has always been top of mind in the design of Small Business Cloud Solutions.

Marcos

Great answers & discussion, all.

I'm certainly not a HIPAA expert, but I can definitely see where OnPlus, in tandem with other tools or techniques, could help with responding to security incidents, in investigations, and/or in compliance audits.

As is probably the case in a lot of SMBs, an end-client often doesn't "get religion" about security until they've had a pretty bad incident or loss of some sort, whether it's a hacking incident, virus, disgruntled employee, or some other lapse or breach that put them under a bad spotlight, usually by a party much larger than them (e.g. an insurance company or other large agency), and/or which potentially puts them in a bad light with one or more of their most important client(s).

Another huge potential driver is the mandatory disclosure laws becoming common in several states, which basically dictate that an organization has to notify their clients of any breach that occurs.  It certainly makes sense that those protections (disclosure) exist; however, I don't think a lot of SMBs are aware that they exist or are necessarily taking adequate precautions, such as having firewalls with some sort of logs and behaviors that are periodically reviewed.

We still find way too many SMBs who think that the $99 D-Link firewall from Best Buy is somehow adequate and "acceptable" because it works just fine at home. We had a rather extended argument with a (now-former) client who was really struggling to understand that the $1000 Sonicwall firewall we essentially insisted upon during a major Internet and network upgrade project earlier this year was so much better a device than the $99 D-Link that it replaced.  They then wondered how a virus could somehow "get through" the $1000 firewall when an employee, about 2 months later, somehow clicked on a bad link going to malware which then disabled their PC... So part of the challenge is that there's still a large amount of lack of awareness, mystery/superstition, and (I think, too) "distrust" about IT security, the benefits that it potentially brings, and/or the sense of urgency that really should be afforded to it as a discipline.

Anyways, just my $0.02... ;-)

-- Dave Bainum, PMP* (dbainum@ritetech.net)

RiteTech LLC / www.ritetech.net / Tel. +1 (703) 561-0607

[*PMP=PMI Certified Project Management Professional]

Honestly, the $1,000 Sonicwall isn’t the solution either, especially in a Cisco forum ;-). You can toss all the most expensive hardware and software security you want at a situation, and users are still going to be users and breaches are still going to happen. Infections are still going to happen. There’s a window of opportunity between when malware is released into the wild and when perimeter or local-PC-based protection will detect it. Worse yet, many EMR products all but require that users have full admin rights to their PCs (I fight this constantly with a major dental EMR provider and have to run a script every few minutes to jury-rig the registry to allow it to run as a standard domain user, not a local administrator), making it all too easy for a user to install anything they “wish” even if they don’t really wish to do so; a simple ignorant click and bingo, they’re infected.

Even so, general users can infect a PC too. The key for security isn’t necessarily a $1,000 Sonicwall or a $5,000 Cisco ASA with its security module; the key is multi-layer security and lots and lots of training. The Sonicwall didn’t make them any more or less HIPAA compliant, as perimeter protection is only perhaps 20% of the battle, and even then they have to be maintained and properly configured. I’m not suggesting you didn’t properly configure the Sonicwall, but a $100 firewall with no ports opened is just as safe as a $1,000 firewall with no ports opened if you don’t buy into the IDS, antivirus, site filtering, etc. that tend to cost an arm and a leg and that are a very hard sell to SMBs in this economy. I see the financial books of our medical customers and, believe me, they’re not getting rich. What the EMR vendors charge for a practice with 3 doctors is what many Americans take home in a year!

Computer-level protection is yet another battle. Symantec, for example, fights internally on how to “properly” configure EndPoint Protection (they know I’m not happy about this, so this isn’t news to them should this get back to them). Their product management puts out SEP configured one way while their Security Response Team recommends an entirely different set of options. Who’s right? Honestly, Cisco has the same problem. ESW-series switches come so locked down they’re unusable in most SMBs, but what are you to do when you hook a WAP to an ESW and the first 2 users can use the LAN but the 3rd is blocked? You unlock Cisco’s security, but then are you violating HIPAA because you’ve deviated from vendor-supplied security protocols? It’s a “can’t win for losing” scenario. IMHO, Cisco needs to get standards in check. First, don’t put switches out there so locked down they’re unusable by a small business (and that are locked down tighter than their enterprise counterparts). Drop DES and 3DES support totally, as well as WEP (and perhaps even WPA), all of which have been breached. Make it all but impossible to enable a WAP without at least WPA2-AES and a 20 character pass phrase, and find a way to make antivirus, IDS, and other enterprise level security options available at reasonable costs and performance ($700 for many small businesses is not considered reasonable; $300-$400 would be). They also have to be reliable. The TrendMicro add-on to RV082s, for example, slowed things down so much that not one customer of ours who tried it left it enabled, not to mention that it wasn’t cached, so if TM was off-line or unreachable the believed protection was non-existent.

In the end, id10t end users are still going to make id10t mistakes. You can’t stop them all. I tell customers constantly that there is no such thing as perfect security and that anyone who comes into their office offering to totally secure their LAN should be shown the door quickly. They can fire us, that’s fine, but let it be for a legitimate reason, not because some snake oil sales rep says they can guarantee security. They’ll have skipped town so quickly after a breach that any guarantee wouldn’t be worth the time or energy to sue over.

One final thing: the issue of disclosure upon a breach. Find me one small business who has time to shuffle through firewall or software logs to look for breaches. I’m betting there are so many breaches that go unnoticed every year that it’d make everyone’s head spin. What we need is inexpensive log analyzers to look for suspicious activity for small businesses. It’s something OnPlus could add, but then again, the problem is every product’s syslog entries are a bit different, and I’ve yet to see EMR software that does syslogging, so you’d have to look at the proprietary logs of each EMR product as well. HIPAA is a no-win law, rarely enforced, and I doubt a single medical practice is in 100.0% compliance with it. It’s simply such a poorly written law that short of a blatant breach there’s no way to enforce it.
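Two points in this thread call for the same illustration: Dave's remark that an SMB should at least have firewall logs that get periodically reviewed, and Brian's point just above that nobody in a small practice has time to read them and that every product's syslog entries look a bit different. The example below is added here by the editor; it is not code from the thread, from Cisco or from OnPlus. It shows the minimum shape of the "inexpensive log analyzer" Brian describes: one parser per line format, a common event record, and two simple rules (one source hitting many blocked ports; repeated login failures for one account, and whether a success followed). The sample lines are constructed for the example; the netfilter-style firewall format and the "appsvc: login ..." application format are hypothetical, not any vendor's real format. The practitioner caveat it encodes is that lines matching no parser are counted and reported rather than silently dropped, since an unparsed format is exactly where a breach hides.

```python
"""Toy multi-format log triage for a small office (added example, not from the thread)."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample lines. Two hypothetical formats: a netfilter-style
# firewall log (DROP/ACCEPT with SRC= and DPT= fields) and an application
# login log. Neither is any specific vendor's format. Addresses are RFC 5737
# documentation ranges.
SAMPLE_LOGS = [
    "Jun 12 09:14:01 fw1 kernel: DROP IN=eth0 SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP DPT=22",
    "Jun 12 09:14:02 fw1 kernel: DROP IN=eth0 SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP DPT=23",
    "Jun 12 09:14:02 fw1 kernel: DROP IN=eth0 SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP DPT=80",
    "Jun 12 09:14:03 fw1 kernel: DROP IN=eth0 SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP DPT=443",
    "Jun 12 09:14:03 fw1 kernel: DROP IN=eth0 SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP DPT=445",
    "Jun 12 09:14:04 fw1 kernel: DROP IN=eth0 SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP DPT=3389",
    "Jun 12 09:18:30 fw1 kernel: ACCEPT IN=eth0 SRC=198.51.100.4 DST=192.0.2.10 PROTO=TCP DPT=443",
    "Jun 12 09:20:11 emr-srv appsvc: login failed user=jsmith from=192.0.2.55",
    "Jun 12 09:20:14 emr-srv appsvc: login failed user=jsmith from=192.0.2.55",
    "Jun 12 09:20:17 emr-srv appsvc: login failed user=jsmith from=192.0.2.55",
    "Jun 12 09:20:21 emr-srv appsvc: login failed user=jsmith from=192.0.2.55",
    "Jun 12 09:20:40 emr-srv appsvc: login ok user=jsmith from=192.0.2.55",
    "Jun 12 09:30:00 printer1 lpd: job 42 done",  # matches no parser on purpose
]

# Classic syslog timestamp: "Jun 12 09:14:01" (day may be space-padded).
TS = r"(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2})"
FW_RE = re.compile(
    TS + r" (?P<host>\S+) kernel: (?P<action>DROP|ACCEPT) .*?\bSRC=(?P<src>\S+) .*?\bDPT=(?P<dport>\d+)"
)
AUTH_RE = re.compile(
    TS + r" (?P<host>\S+) \S+: login (?P<result>failed|ok) user=(?P<user>\S+) from=(?P<src>\S+)"
)


@dataclass
class Event:
    """Common record every parser normalizes into, so rules need not know the source format."""
    kind: str                 # "fw" or "auth"
    ts: str
    host: str
    src: str                  # remote address the event concerns
    action: str = ""          # DROP/ACCEPT for fw, failed/ok for auth
    dport: Optional[int] = None
    user: Optional[str] = None


def parse_line(line: str) -> Optional[Event]:
    """Try each known format in turn; return None for anything unrecognized."""
    m = FW_RE.match(line)
    if m:
        return Event("fw", m["ts"], m["host"], m["src"], m["action"], int(m["dport"]))
    m = AUTH_RE.match(line)
    if m:
        return Event("auth", m["ts"], m["host"], m["src"], m["result"], None, m["user"])
    return None


def analyze(lines: List[str], scan_ports: int = 5, fail_threshold: int = 3) -> Dict[str, object]:
    """Run two simple rules over the normalized events and report unparsed lines."""
    dropped_ports = defaultdict(set)     # src -> set of blocked destination ports
    failures = defaultdict(int)          # (user, src) -> failed login count
    success_after = defaultdict(bool)    # (user, src) -> "ok" seen after reaching threshold
    unparsed = 0
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            unparsed += 1                # never drop silently: report the gap
            continue
        if ev.kind == "fw" and ev.action == "DROP":
            dropped_ports[ev.src].add(ev.dport)
        elif ev.kind == "auth":
            key = (ev.user, ev.src)
            if ev.action == "failed":
                failures[key] += 1
            elif failures[key] >= fail_threshold:
                success_after[key] = True   # failures followed by success: worth a look
    return {
        "port_scan": sorted((src, len(p)) for src, p in dropped_ports.items() if len(p) >= scan_ports),
        "auth_bruteforce": sorted(
            (u, s, n, success_after[(u, s)]) for (u, s), n in failures.items() if n >= fail_threshold
        ),
        "unparsed": unparsed,
    }


if __name__ == "__main__":
    for rule, hits in analyze(SAMPLE_LOGS).items():
        print(rule, hits)
```

On the sample data this flags 203.0.113.9 for probing six blocked ports, jsmith from 192.0.2.55 for four failed logins followed by a success, and reports one line it could not parse. Adding an EMR product's proprietary log means adding one more regex and mapping it into the same `Event`; the rules stay unchanged, which is the whole point of normalizing first.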