Faster, Smarter, More Secure: IT Services Geared for the Health Care Industry A White Paper by CMIT Solutions

Transcription

1 Faster, Smarter, More Secure: IT Services Geared for the Health Care Industry A White Paper by CMIT Solutions

2 Table of Contents Introduction Data Backup: The Most Critical Part of any IT Strategy Hosted and Automatic Encryption File Sync and Share: Balancing Accessibility and Security Proactive Maintenace and Monitoring: Keeping Systems Running HIPAA Compliance: A Health Care Must... 8 Conclusion... 11

3 Introduction The health care industry is presented with a unique set of IT challenges. Central to these are several areas in which CMIT Solutions specializes: data backup, hosted that comes with automatic encryption processes, file sync and share that provides the perfect balance between employee accessibility and data security, and proactive monitoring and maintenance that can ensure that your business is not affected by system downtime. Baked into all of these options is compliance procedures that meets the rigorous standards set forth by the HIPAA Omnibus Rule. HIPAA the Health Insurance Portability and Accountability Act was enacted in 1996 to protect health insurance coverage for workers and their families and establish national standards for electronic health care transactions pertaining to providers, employers, employees, and plans. HIPAA includes several facets, including the Privacy Rule, Security Rule, Enforcement Rule, Transactions and Code Sets Rule, and Unique Identifiers Rule. With health care technology changing rapidly, however, several amendments, enhancements, and changes were made to HIPAA, the most important of which the new Omnibus Rule took effect on September 23, But while all of CMIT Solutions health care-specific offerings satisfy HIPAA requirements, our clients require more than just checking a box. They require a trusted IT partner that can handle all aspects of technology infrastructure, leaving them free to focus on what s important to them: Acquiring and retaining clients. Managing costs in today s competitive environment. Hiring quality employees. And, above all, delivering a superior level of patient care. Read on for more on the custom-tailored services CMIT Solutions employs for those in the health care industry.

4 1. Data Backup: The Most Critical Part of any IT Strategy In the health care industry, strong backups are a necessity losing your data means losing protected health information, which not only breaks the professional and ethical duty doctors and other practitioners have to their patients but could also expose you to civil and criminal penalties. That s why, at CMIT Solutions, we specialize in regular, remote, and redundant storage of your data with elite levels of security automatically built in. We recommend automated backups with an offsite host. This approach requires little to no human involvement, resulting in decreased human error and overhead. This can also help to avoid situations where data backups are located in the same physical location as the primary data, which in the event of fire, flood, or other disaster can result in loss of information. CMIT Guardian, our backup solution, fulfills the following needs: Image-based backups that can support multiple versions of older software. Legacy applications still carry significant weight in the health care industry, and our backups can ensure that stored data is compatible with the many different programs you re required to run. Extra encryption to satisfy stringent industry regulations and potential audits. In general, our client s data is encrypted for secure online transmission (ensuring its safety during transfer from your office to the data center) and encrypted again in storage. And since health-care professionals handle protected health information and deal with sensitive medical data, they are held to extremely high standards under HIPAA. Disaster recovery plans that can eliminate downtime and keep you working. Working at such a fast pace means health care businesses have to be ready for anything. A good disaster recovery plan is critical to long-term success most of the time, it s not a matter of if but when something will go wrong.

5 2. Hosted and Automatic Encryption CMIT Solutions hosted goes above and beyond the competition, offering a cloud-based service that is HIPAA compliant and operated out of US-based data centers that are certified using the National Institute of Standards in Technology. Our service provider abides by a Business Associate Agreement, completes required HIPAA training, and submits to annual security and privacy reviews. Our optional archiving service differs from most other vendors in that it complies with HIPAA requirements that data cannot be tampered with. It also employs a user-friendly policy-based encryption service that automatically scans every to detect whether protected health information is included. When that of information is present, our hosted service automatically encrypts the before transmitting it, instead of tasking busy staff members or unwieldy third-party tools to manually encrypt s. According to a Kaiser Permanente survey cited by the USA Today in July, 1/3rd of US patients contact their doctors via , and doctors get the majority of their s between 10:00 and 11:00 AM. Every one of those s carries with it a potential HIPAA violation and litigation threat. If you re not encrypting and archiving your s, you are making yourself vulnerable. Necessary encryption to protect information from disclosure. This does more than just satisfy you and your clients need for privacy it also keeps you in line with federal and state regulations while, if followed properly, also shielding you from potential legal action. Automated administrative processes to pre-screen communications. Because basic content filters can t catch everything even if they could, they are not well-versed in the language of the health-care industry. Evolving functionality to meet mobility needs. Employees of small to medium-sized businesses now average three devices per person. It takes a fresh approach to satisfy those needs. Robust archiving and search functionality to satisfy compliance audits. HIPAA can require health care operations to produce every sent in a certain time upon demand. That means your of choice must be protected, encrypted, archived, and searchable.

6 3. File Sync and Share: Balancing Accessibility and Security One of the biggest challenges in the health care industry is balancing availability to data with its security. To do their jobs properly and efficiently, employees need to be able to access patient records, scheduling software, and other protected information all day, every day. But under HIPAA regulations, that data must also be protected at levels higher than usual. That's where good file sync and share comes in. CMIT s unique hybrid approach leverages both on-premises and cloud storage, allowing for seamless access to file from any location, on any device. Secure file access. We can help you maintain security and compliance over the access and sharing of files, with updated protocols, protected networks, and stringent controls. File sharing that gets the job done. Health care practices often require several different levels of data access for doctors, nurses, assistants, and administrative employees. Our services allow for 100% visibility to all storage devices, allowing co-workers to view, access, edit, and share files to complete all required tasks. Centralized permission controls. This allows for access permissions that are uniformly enforced across all folders, devices, and systems. We can also provide robust audit reporting to monitor usage and access changes across the entire user base. Single sign-on and password management. Say your office takes 15 different types of insurance that s 15 different sign-on credentials your employees have to memorize in order to efficiently share documents and data. We offer single sign-on and password management to make access easier and to prevent any inadvertent data breaches because of lost or compromised passwords.

7 4. Proactive Maintenace and Monitoring: Keeping Systems Running When conducting a HIPAA risk assessment, CMIT Solutions finds that health care practices already employing proactive monitoring and maintenance have up to 25% of their compliance requirements already satisfied. That s a major edge in a crowded, competitive field. What does proactive mean? Everything you need to keep your systems running: Monitoring Software. Installed on each device on your network, monitoring agents alert qualified domain engineers whenever an outof-tolerance condition is observed and needs to be handled. Network Operations Center (NOC). Staffed by over 300 engineers looking to outsmart tech problems, the NOC is available 24/7 to remotely remediate issues and respond to alerts. NOC engineers also perform a comprehensive preventative maintenance schedule and apply all appropriate white-listed software updates. A detailed log is maintained so problems may be diagnosed and corrected in the context of a company s complete IT history. Help Desk. A fully staffed US-based help desk responds to a wide range of end-user issues and questions. From helping to get a new printer set up to helping a novice spreadsheet user solve a problem, this phone resource is responsive and service-oriented. On-Site Support. The above three elements of CMIT Marathon dramatically reduce the need for on-site support. But when the problem demands an on-site technician, a local tech is dispatched to save the day. Once on-site, the local tech is backed up by both the NOC and Help Desk staff.

8 5. HIPAA Compliance: A Health Care Must The most significant change associated with the HIPAA Omnibus Rule, which went into effect in 2013, concerns who must now comply with the Privacy and Security Rules that govern Protected Health Information (PHI). The Privacy Rule establishes national standards to protect individuals medical records and other information in regards to health plans, health care clearinghouses, and health care providers that conduct transactions electronically. The Rule also requires appropriate safeguards to protect the privacy of PHI, sets limits and conditions on the uses and disclosures that may be made of such information without patient authorization, and gives patients rights to access and request corrections of their health records. The Security Rule establishes national standards to protect individuals electronic PHI that is created, received, used, or maintained by a Covered Entity (CE). The Rule requires appropriate administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and security of electronic PHI. In the past, only Covered Entities any organization that accepts payments from insurance companies, Medicare, or Medicaid were required by law to follow rules pertaining to PHI. But now, Business Associates (BAs) of those CEs IT service providers, lawyers, accountants, data processers, and others who may be privy to PHI are also held to the same standard. Additionally, thirdparty subcontractors of those BAs are now defined as BAs, as well. These new regulations even apply to organizations that simply maintain PHI data and may never access it. Additionally, the Omnibus Rule implements revised policies and procedures pertaining to data breaches. Gone is the old harm standard that defined how breaches of PHI were handled, replaced by a new standard that states any impermissible use or disclosure of PHI, generally defined as a breach, is presumed to automatically require notification. There are three exceptions to this rule:

9 1) If the PHI is unintentionally acquired, accessed, or used by an employee acting under the authority of a Covered Entity or Business Associate. 2) If PHI is inadvertently disclosed from one person authorized to access it by his or her CE or BA to another person authorized to access it. 3) And if the CE or BA has a good faith belief that the unauthorized individual to whom the impermissible disclosure was couldn t have retained the information. Otherwise, breaches must be announced as follows: Covered Entities responsible for breaches affecting less than 500 people must notify the affected individuals and the CE s Business Associates within 60 days of the discovery of the breach. Breaches of this size must be reported to the HHS on an annual basis, no later than 60 days after the end of the calendar year in which the breaches occurred. In addition to the above methods, breaches affecting more than 500 people must also be reported to prominent media outlets serving the state or jurisdiction where the breach happened. Also, all notifications must be made within 60 days of the discovery of the beach. Penalties for PHI breaches have been significantly enhanced, as well. The American Recovery and Reinvestment Act of 2009 established a tiered civil penalty structure that remains subject to the discretion of the Secretary of HHS. Civil penalties can range from $100 per violation up to annual maximums of $1.5 million, with differing levels of assessment depending on the willful neglect exhibited by the HIPAA violation. In addition, criminal penalties are now a possibility for Covered Entities and specified individuals who knowingly obtain or disclose Protected Health Information. Prison terms can reach ten years for particularly egregious examples, including using individually identifiable health information for commercial advantage, personal gain, or malicious harm. 3 Remember not all incidents involving PHI are breaches. But all breaches begin as innocuous incidents, making diligence in the field of HIPAA compliancy a must. Other HIPAA compliance requirements include the following:

10 Updated Business Associate Agreements between covered entities, business associates, suppliers, vendors, and subcontractors that specifically protect the privacy and security of health information. Updated risk and security assessments that ensure your company and all business associates are HIPAA compliant. Conducting an analysis like this represents the first step in identifying and implementing policies and procedures that comply with and carry out the standards set out by the Omnibus Rule. A HIPAA risk assessment will also determine whether your company could pass an independent audit of the hundreds of HIPAA citations and components up for examination. Policies and procedures that maintain the integrity of login credentials and access; encrypt any and all data accessed on behalf of a covered entity; outline the proper storage and transmission of encryption keys; and dictate physical security for any systems that access personal health information. Ongoing training and education that satisfies HIPAA requirements for keeping employees up to speed on the changing compliance landscape. CMIT Solutions offers module-based training that employees can complete at their leisure, as their schedule permits. This checks required boxes while also helping business owners, employees, and patients.

11 Conclusion Technology is difficult enough for any small to medium-sized business owner but in the health care realm, it provides extra challenges. Our goal at CMIT Solutions is to make things easier for you by making technology simpler and easier to use. We aim to take the IT burden off your shoulders while helping you save time and money and we work to prioritize any major changes required under HIPAA compliance requirements so that you can budget your resources accordingly. Contact us today if you re ready to make your practice operate faster, smarter, and more secure.