A HIPAA compliant Cloud Strategy - WIN WIN
This presentation helps viewers learn more about how a Cloud strategy can help nonprofits with HIPAA compliance.
  • Today I am going to talk about cloud computing: cloud computing that is suitable for sole practitioners and small offices, and cloud computing that is HIPAA compliant. I am limiting my presentation to a specific type of Cloud offering, ‘software as a service’ or SaaS, and specifically to Microsoft’s SaaS offering, called Office 365. We’re only looking at Office 365 because right now it is the only HIPAA compliant Cloud SaaS for multiple office services: email, calendar, document sharing/collaboration and storage. There are other HIPAA compliant cloud offerings, mostly for application delivery and document storage, but no other Cloud product offers such a wide range of products in a HIPAA compliant form. There are two other cloud service models, but we won’t be addressing them in this presentation [Cloud Platform as a Service (PaaS) and Cloud Infrastructure as a Service (IaaS)]. I have a list of 10 rated providers of Cloud SaaS, including Office 365, and I will share the list as a handout at the end of this talk. We are going to answer 3 questions today: What is Cloud Computing? What is a HIPAA compliant cloud offering? And what is Office 365 and how is it HIPAA compliant?
  • OK, just one slide on all three Cloud Service Models. We’re focused on the top level, SaaS or software as a service. You can see from the chart that in this model the provider does everything for you; you only configure and use the applications that are delivered to you, like creating folders in your email client or using a particular font in your word processing application. Most PaaS and all IaaS models require trained IT staff on-site or on contract to manage.
  • So what is ‘software as a service’ Cloud Computing?
    1) Cloud computing is the delivery of computing as a service rather than a product, whereby shared resources, software, and information are provided to computers and other devices as a metered service over a network (typically the Internet).
    2) Cloud computing is a marketing term for technologies that provide computation, software, data access, and storage services that do not require end-user knowledge of the physical location and configuration of the system that delivers the services. You all have electricity in your offices? We can draw a parallel between cloud services and PECO electricity service, where end-users consume power without needing to understand the component devices or infrastructure required to provide the service. You can cloud compute without understanding (or supporting or servicing) the infrastructure that provides you those cloud services.
    3) Cloud computing providers deliver applications via the Internet, which are accessed from any Internet-capable device (web browsers, desktop and mobile apps), while the business software and data are stored on servers at a remote location.
    4) You already cloud compute if you use web-based email, Google calendar, Google docs, Dropbox, or a photo sharing site like Snapfish or Picasa.
  • What are the advantages of Cloud Computing?
    1) One of the major advantages of Cloud computing is the flexibility that it offers. Cloud computing means that people can access the files and data that they need even when they're working remotely and/or outside office hours. With Internet access, information is available from home, on the road, from clients' offices, from a smartphone, from thin and thick clients: information is accessible from the Cloud on many different devices, at any time. Thin clients: mobile phones, tablets, laptops. Thick clients: workstations.
    2) Everyone can also work collaboratively on files and documents, even when they're not physically together. Documents can simultaneously be viewed and edited from multiple locations. You’d have to host a SharePoint server (>4K for hardware alone) to get this functionality in-house.
    3) Cloud computing can be very quick and easy to get up and running. Salesforce.com, Dropbox, Gmail, Snapfish, Skydrive.com: these are all Cloud SaaS. Open a browser, create an account, log in and you’re in the Cloud. The hardware and software are managed by someone else, someone much better suited to the task. All you have to do is learn the application. IT savings using Cloud services are predicted to be 60%.
    4) Software as a service is often cheaper than buying licenses outright. With cloud computing, you subscribe to the software rather than buying it outright. This means that you only need to pay for it when you need it, and it also offers flexibility, in that it can be quickly and easily scaled up and down according to demand. You’re paying per user, per month in most cases. When your business increases or decreases, you adjust your monthly subscription.
    5) A major advantage of using cloud computing for many companies is that because it's online, it offers virtually unlimited storage compared to server and hard drive limits. Needing more storage space does not cause issues with server upgrades and equipment; usually all you need to do is increase your monthly fee slightly for more data storage.
  • You need broadband Internet. Without broadband, cloud services will drain your time and bandwidth, and some may not work at all. You will most likely have to increase your bandwidth capacity to a significantly higher level; there are tools to extrapolate future usage. Business class services, with SLAs guaranteeing 98% or better uptime, are the better providers. You are dependent on the companies that host cloud applications to maintain them and to keep user data intact and protected. This is where SLAs, ratings and customer reviews are useful. If you don't have access to the Internet (due to travel, computer issues, network outages, and so on) you don't have access to your files, documents, and other important systems. Silver lining? When the Internet is down at work, everyone works from any other location: Starbucks, home, car, etc. The Internet access required by cloud services means opening a browser. No complicated and costly VPNs to manage, no 10 page protocol to follow. Just open a browser, navigate to your Cloud URL, log in and get to work.
  • Besides the flexibility, ease of use, sharing, storage and reduced IT costs, why the Cloud? Because as healthcare providers you must be HIPAA compliant, and the Cloud can solve a lot of your HIPAA concerns. How many of you discuss patients in email? How many of you create files using patient names or other identifying information? Who uses Dropbox for file storage? Do you encrypt your files and folders on your hard drive? Who has security, backup and disaster recovery in place for your computing devices?
  • When you bill payers electronically, you are considered a covered entity under HIPAA and are subject to all the HIPAA regulations, no matter how small your practice, even if you are a sole practitioner. Medicare is required, under the HIPAA regulations, to accept paper transactions from you after October 16, 2003 if your practice employs ten or fewer FTEs and if you do no electronic billing. The HIPAA Security Rule applies to all health plans, healthcare clearinghouses, and to any healthcare provider who transmits protected health information (PHI) in electronic form. According to the U.S. Department of Health and Human Services, those that fall under this category are known and referred to as Covered Entities (CE) (http://www.onlinetech.com/secure-hosting/hipaa-compliant-hosting/resources/who-needs-to-be-hipaa-compliant). The following is a more specific list of who needs to be HIPAA compliant:
    Covered healthcare providers (hospitals, clinics, regional health services, individual medical practitioners) that carry out transactions in electronic form
    Healthcare clearinghouses
    Health plans (including insurers, HMOs, Medicaid, Medicare prescription drug card sponsors, flexible spending accounts, public health authority, in addition to employers, schools or universities that collect, store or transmit EPHI, or electronic protected health information, to enroll employees or students in health plans)
    Their business associates (including private sector vendors and third-party administrators)
  • From Microsoft: “please note that our customers often ask whether a service is "HIPAA compliant" but the truth is, a service on its own can't "be compliant" with HIPAA. A service is one component of how a customer manages its compliance obligations, so a service can support compliance, but isn't itself compliant. Other components include rules or policies the customer puts in place in its configuration of the service, people and processes. That being said, we have features that you can use to support their HIPAA compliance, and we rely on you to ensure compliance by integrating our feature-set with your organization's policies and practices. Microsoft Online Services is a conduit of information that includes technical and organizational safeguards to help customers maintain security and prevent unauthorized usage, and Microsoft personnel do not routinely access customer data.” Who has to be compliant? Your Cloud hosting provider AND you! The Cloud host is your BA or business associate. But you are the CE, the covered entity. What has to be compliant? PHI, protected health information. This data must be secure and private. http://resource.onlinetech.com/five-questions-to-ask-your-hipaa-hosting-provider/
  • HIPAA compliant hosting provides the physical, environmental, network and infrastructure security to meet HIPAA compliance standards by making sure PHI is always available and secure. All data centers, products and services must pass a complete, independent HIPAA audit by a Certified HIPAA Security Specialist (CHSS). Data centers need to be compliant across all citations of the HITECH act and the 136 audited components.
  • How to pass a HIPAA compliance audit:
    Document data management, security, training and notification plans.
    Use a password policy for access.
    Encrypt PHI (protected health information), whether it is in a database or in files on a server. Although not required by HIPAA, it is strongly suggested and considered best practice to do so while stored in the database, and especially during transmission.
    Other encryption factors: Always use SSL for web-based access of any sensitive data. Encryption techniques and mechanisms for sensitive information should be known to only a select few. Content such as images or scans should be encrypted and contain no personally identifying information.
    Don’t use public FTP; use an alternative method to move files. Stop using Dropbox! (Patient names can be exposed in document filenames; the documents themselves are encrypted, however.) http://www.hipaasecurenow.com/index.php/dropbox-is-not-hipaa-compliant/
    Only use VPN access for remote access.
    Use login retry protection in your application (decide how many login retries are acceptable).
    Document a disaster recovery plan.
    Save money and time by hosting with a company that already has a BAA in place; that way your auditor can review the document instead of conducting another audit on top of yours.
    One important distinction between a business associate’s (BA) audit and a covered entity’s (CE) is that as a healthcare organization dealing with PHI, you still need to undergo an audit to check your company’s processes and procedures. Your IT hosting company may provide the technology to transmit and store your patients’ PHI, but you are still held accountable by HIPAA standards.
  • We’ve learned what a ‘software as a service’ or SaaS Cloud is. And we’ve covered the big picture of what’s involved in HIPAA compliance of a BA (business associate) and a CE (covered entity). Now let’s turn to Microsoft’s Office 365.
  • Office 365 is the familiar Microsoft Office collaboration and productivity tools (SharePoint server and Microsoft Office) delivered through the cloud. Everyone can work together easily with anywhere access to email, web conferencing, documents, and calendars. It includes business-class security and is backed by Microsoft.
    Security: Active Directory authentication and authorization.
    Uptime: Microsoft provides a financially-backed 99.9% uptime guarantee.
    Flexibility, Scalability, ROI: access from any device, scale up or down, no more IT costs.
  • A comparison of Office 365 with the other highly rated Cloud SaaS offerings. If we consider web-based software that includes email and collaboration software, the number of providers is drastically reduced to fewer than 10 solutions, the prominent ones being IBM LotusLive, Zimbra, HyperOffice and Zoho. (See URLs in the handout, at the end of this presentation.)
  • Many businesses have crucial data like customer or inventory information locked up in outdated software and old, unreliable servers. A cool bonus: you can move data out of outdated systems into Access 2010 and upload it to Office 365. This way, you can manage and update your data from anywhere. Access 2010 can import just about any data: text file, Excel file or older Access version. Even corrupted databases!
  • Q. What is the difference between Office and Office 365?
    A. Office is productivity software (including Word, PowerPoint, Excel, Outlook, and OneNote) that is installed on your desktop or laptop computer. Office 365 is an online subscription service that provides email, shared calendars, the ability to create and edit documents online, instant messaging, web conferencing, a public website for your business, and internal team sites, all accessible anywhere from nearly any device. Customers with Office 2010 installed on their computer can quickly configure their software to work with Office 365. These users can easily retrieve, edit and save Office docs in the Office 365 cloud, co-author docs in real time with others, and quickly initiate PC-to-PC calls, instant messages and web conferences with others. Office 365 is also compatible with Office 2007 and newer editions of Office, and select Office 365 plans include Office Professional Plus.
  • Cloud services tend to save money in overall IT costs in the amount of tech support and maintenance they require. In other words, they cost more per month, but save money in the number of IT consulting hours you need. I would recommend a P1 plan for a small office, with from 1-50 users. If you already have Office Pro installed, it’s a seamless integration between your locally installed copy of MS Office and your new Cloud site.
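The audit checklist above lists login retry protection but leaves the sizing ("how many login retries are acceptable") to you. As an added example, not code from the presentation or from Office 365, here is a per-account retry limiter with a sliding failure window, a lockout period and an audit trail; the `LoginGuard` name, the threshold constants and the PBKDF2 credential store are assumptions.

```python
# Added example (not from the presentation): per-account login retry protection
# with a sliding failure window, a lockout period and an audit trail. The three
# constants are assumed values; HIPAA does not prescribe them, your policy does.
import hashlib
import hmac
import time
from dataclasses import dataclass, field

MAX_ATTEMPTS = 5            # assumption: failures tolerated inside the window
WINDOW_SECONDS = 15 * 60    # assumption: failures older than this are forgotten
LOCKOUT_SECONDS = 30 * 60   # assumption: how long a locked account stays locked


def make_credential(password, salt="constructed-salt"):
    """Constructed helper: store a PBKDF2 hash, never the password itself."""
    return (salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 100_000).hex())


@dataclass
class AccountState:
    failures: list = field(default_factory=list)   # timestamps of recent failures
    locked_until: float = 0.0


class LoginGuard:
    def __init__(self, credentials, clock=time.time):
        self._creds = credentials      # {username: (salt, hash)}, constructed store
        self._state = {}               # per-account retry state
        self._clock = clock            # injectable so the lockout can be tested
        self.audit_log = []            # one line per decision, for the auditor

    def attempt(self, user, password):
        now = self._clock()
        st = self._state.setdefault(user, AccountState())
        if now < st.locked_until:
            return self._decide(now, user, "locked", "rejected: account locked")
        # Drop failures that fell out of the sliding window.
        st.failures = [t for t in st.failures if now - t < WINDOW_SECONDS]
        salt, expected = self._creds.get(user, ("", None))
        digest = make_credential(password, salt)[1]   # same work for unknown users
        if expected is not None and hmac.compare_digest(digest, expected):
            st.failures.clear()
            return self._decide(now, user, "ok", "success")
        st.failures.append(now)
        if len(st.failures) >= MAX_ATTEMPTS:
            st.locked_until = now + LOCKOUT_SECONDS
            st.failures.clear()
            return self._decide(now, user, "locked", "locked after %d failures" % MAX_ATTEMPTS)
        return self._decide(now, user, "denied", "failure %d of %d" % (len(st.failures), MAX_ATTEMPTS))

    def _decide(self, ts, user, result, msg):
        # Record the decision without the password or any PHI, then return it.
        self.audit_log.append("%d %s %s" % (ts, user, msg))
        return result
```

Unknown usernames go through the same hashing and counting path as wrong passwords, so the response time and the audit trail do not reveal which accounts exist.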

A HIPAA compliant Cloud Strategy - WIN WIN: Presentation Transcript

  • Cloud computing with HIPAA-compliant Office 365
  • SaaS - Software as a Service; PaaS - Platform as a Service; IaaS - Infrastructure as a Service. Who controls what?
          Network    Servers    Operating System    Storage    Application    Configuration
    SaaS  Provider   Provider   Provider            Provider   Provider       Consumer
    PaaS  Provider   Provider   Provider            Provider   Consumer       Consumer
    IaaS  Provider   Provider   Consumer            Consumer   Consumer       Consumer
  • Delivery of services, not software. No end-user support required. Accessed anytime, from any device.
  • Collaboration and sharing; Flexibility; Easy to use; Less cost, less IT labor; Unlimited Storage. Computing from an Internet-ready device, where shared resources, software, and information are provided as a metered service over the Internet.
  • “When you bill payers electronically, you are considered a covered entity under HIPAA and are subject to all the HIPAA regulations, no matter how small your practice, even if you are a sole practitioner.”
  • Not a service. Not hardware or software. Rules and Policies!
  • Document everything; Strong password policy; Encrypt PHI; Don’t use public FTP; VPN remote access only; Login retry protection; Disaster recovery plan; Host with a compliant company
  • Public and private websites, Outlook email and calendar, shared documents, web-conferencing
  • Security Uptime Scalability
  • Critical data on old DBs? Want to share data? Access from any device?
  • Uses Exchange for email
  • Team site is SharePoint
  • If you bill electronically, you are bound by HIPAA rules, no matter how small a company you are.
  • All software, devices, mode of connection and hosting services have to be compliant.
  • Office 365 offers compliance for email, video conferencing, document hosting, storage, sharing, collaboration.
  • Office 365 offers secure login (Active Directory) and encryption for uploading/downloading.
  • Cloud services can help you with compliance, and it’s a good time to move to the Cloud.
  • Office 365 site with cost estimator
    Comparing Office 365 Plans P and E
    How Microsoft Office 365 supports HIPAA compliance
    Making Office 365 more secure, more compliant
    Small Office HIPAA compliance
    HIPAA and DHHS regulatory sample documents
    Comparison of Office 365 and Google Apps