This document discusses HIPAA and PCI compliance for cloud providers. It provides an overview of what HIPAA and PCI are, why compliance is important for cloud providers, common technology requirements and best practices, and key questions customers should ask providers regarding their compliance. HIPAA regulates the secure handling of patient health information, while PCI sets regulations for securely accepting credit card payments online or in person. The document notes that healthcare and credit card spending combined account for over 25% of the US economy, making compliance critical for cloud providers seeking customers in these industries.

1. HIPAA and PCI Compliance in the Cloud 8th International Cloud Expo June 8th, 2011

2. Agenda Introductions About CCS What is PCI What is HIPAA Why are PCI and HIPAA Important to cloud providers? Technology and Best Practices Other Compliance Key Questions for Providers Questions

3. Introductions Jeff Uphues Stacy Griggs VP of Sales & Marketing Cbeyond Cloud Services Senior Director of Customer Experience Cbeyond Cloud Services

4. About Cbeyond Cloud Services 3000+ Cloud Customers 58,000 Total Customers $450M Publically Traded NASD:CBEY 11 Years Old Public Cloud + Managed Dedicated Servers = Hybrid 2009 Microsoft Worldwide Hosting Partner of the Year 2010 Microsoft Hyper-V Cloud Provider of the Year Focus on SMB’s with complex technology needs

5. What is PCI Set of regulations that businesses must follow to accept credit cards – mandated by merchant processors. Applies to merchants that take payments on-line or in person. Non-compliance generally results in litigation, reputational damage and loss of ability to take credit cards. 2 Levels Audited by a QSA SAQ 4 Types of SAD A-D Basically 36 pages of detailed security information Topical for smaller merchants <1M annual transactions Must not store credit card data.

6. What is HIPAA Set of regulations enacted by congress for the secure handling of patient health information. Applies to medical offices, hospitals, research labs, pharmaceutical companies, drug stores and any other company that handles patient information. Civil and criminal penalties for non-compliance. Requires technical and physical safeguards to protect patient data. Documented policies and annual risk assessments About to become bigger with new proposed rule - would give people the right to get a report on who has electronically accessed their protected health information May 31, 2011 - http://www.hhs.gov/news/press/2011pres/05/20110531c.html

7. Why PCI and HIPAA are important for the cloud US Economy $14.7 T GDP in 2010 - Wikipedia Healthcare = 16% of GDP - Wikipedia Visa / Amex + MC = $410B in Q1/10 – NY Times May,2011 Annualized Credit Card Spending = 11% of GDP Collectively > ¼ of the economy Both spending categories are growing at >2X the pace of the general economy. Rapidly moving to the cloud If you aren’t providing PCI and HIPAA compliant service you are leaving ¼ of the economy to your competitors.

8. Technology Requirements and Best Practices Security! Firewalls Application Isolation (one primary function /server) WAF Log Management IPS Physical Building controls and logs CCTV and history Process, Policy and Review HIPAA – Business Associate Agreement Path to compliance - PCI SAQ or SAQ + QSA AOC - ROC

9. Other - less common areas of compliance Federal Information Security Act (FISMA) – Federal Government and Vendors Sarbanes-Oxley (SOX) – Public companies and their vendors Information Technology Infrastructure Library (ITIL) – Companies with advanced IT process especially European International Organization for Standards (ISO 9001) – Worldwide European Safe Harbor – Data protection standards for EU countries

10. Key Questions for Cloud Providers Show me your SAS70 Type II (SSAE16) How will you design a complaint infrastructure? What is the client responsible for and what is the vendor responsible for? Show me your privacy policy What's your SLA? How do you maintain a secure environment?

11. Contact Information Jeff Uphues Jeff.uphues@cbeyond.net 678-516-4751 Stacy Griggs Stacy.griggs@cbeyond.net 502-213-7738