How Regulatory Compliance Can Make for Better Security Practices

Email Print Digg This Add to del.icio.us

Most likely, all of us have read about, attempted to implement or were priced out of IT architectures because of security and regulatory compliance costs. While regulators believed they were acting in our best interests, they failed to understand the implications of their decisions. They did not understand the costs involved in redesigning IT operations and security around the letter of the law. Organizations and industries quickly realized that the tasks at hand would either break them to implement or break them through fines.

But through all shifts in technology, innovation is born out of the need and desire to survive.

This article will look at what the health care industry is doing to meet HIPAA compliance, save on IT costs and ensure security is baked in as well.

There are a multitude of SaaS (cloud or ASP) offerings across the health care industry. Many small practices cannot afford traditional IT, regulatory compliance and security services. With a SaaS solution, health care providers can focus on the business, rather than the technology, used in the business process.

Some of the key advantages are:

• Data is stored in advanced, physically separate data centers.
• Data is centralized in robust databases, which the business does not have to manage.
• Minimal IT resources are required at your facility.
• Data is always backed up.
• No need to worry about HIPAA and state privacy data storage issues at your facility.
• The software is always up-to-date.
• No additional fees are charged for routine enhancements.
• No additional fees for HIPAA-mandated changes (such as NPI, ICD-10 or X12 5010).
• No need to download any software or configure any hardware.
• Access is browser based, via common browsers, such as Internet Explorer and Firefox.
• The application is compatible with Windows, Linux and Mac platforms.
• Data is accessible from any location deemed acceptable to the business.

What about security?

Most SaaS venders host services and data in separate data centers built on separate power grids. One data center serves as the primary data center; the second data center serves as a backup to the primary, should a natural disaster cause a disruption at the primary site. Although the provider is a multi-tenancy operation, strict controls are in place to ensure data does not "bleed" into areas it should not. SaaS vendors also stake their reputation on providing a secure environment. It may not be perfect, but it's certainly better than what a small business could achieve independently. Controls will vary from one provider to the next, and most SaaS vendors will give you the details of their security controls when you are engaged with the sales rep.

HIPAA Compliance

Data centers are manned 24 x 7 x 365 (every day, all year long) and monitored with motion detection-triggered digital security cameras and other physical security measures. Computer equipment will most likely be locked in steel cages; biometric scanners (palm) and traditional lock and key control access typically are used to gain access to the equipment.

Significant Features Found in Data Centers Used for Health Care Providers

• Redundant power supplies
• 24 x 7 x 365 monitoring and management
• Redundant network equipment
• Redundant climate control
• Early warning fire detection systems
• Redundant Internet connections
• Data stored in databases, such as Oracle

Given the liability of housing health care data and the significant costs related to security, IT operations and regulatory compliance, it is a no brainer why we're seeing small, medium and large health care businesses moving to the new computing models.

I asked one small health care provider who operates a dental surgery office with fewer than 10 employees how he deals with IT, security and regulations. Here is what he had to say.

After we spent countless thousands of dollars on laptops, a server, software and an annual IT services contract, we then found out that we had to adhere to HIPAA. Given that the costs associated with meeting compliance we knew it would cost so much that we couldn't operate the practice. We had no other choice than to look at SaaS offerings. There was no way we could ever afford what the SaaS model has to offer if we tried by ourselves.

When asked what was the one thing that he liked best about the new SaaS solution, he said,

"One of the best things that happened is that we no longer have to worry about data at rest in the SaaS model. This took a huge HIPAA burden off our backs. I actually sleep better at night knowing that the provider has taken on that risk on my behalf."

When asked about how the SaaS model has impacted operating his business, he went on to say, "I was concerned that there would be a steep learning curve. Especially given all the functionality we were given in this new system. After about a week, we were extremely pleased with the solution and even gained functionality that we previously wanted but could not achieve. My experience has been great thus far, but I would like you to ask me again in a year just to be sure." As with any SaaS provider, it is important to understand that while you can shift risk on to your provider, you cannot shift responsibility. At the end of the day, you are responsible for the data and how it is used/abused. It is very important to understand the SLA and your options, should something go wrong. Be sure that insurance coverage is sufficient and appears somewhere in the contract language. In many cases, having a lawyer who specializes in technology look over your contract may be a very good idea.

Follow Enterprise IT Planet on Twitter

Email Print Digg This Add to del.icio.us