
Delivering Hosting Solutions for Healthcare: Complex, Compliant Managed Hosting and Cloud Computing

[ Delivering Hosting Solutions for Healthcare ]

Contents

Overview
Addressing the Unique Issues of Healthcare
The Consequences of Not Complying
The Risk of a Data Breach
Partnering to Achieve End-to-End Compliance

carpathia.com


Overview

As those who work in healthcare IT know, the healthcare industry has some of the most complex IT needs of any industry today. At the same time, HIPAA and the related healthcare IT requirements are among the least prescriptive in the IT space, especially when compared with a standard such as PCI DSS, which governs the protection of payment card data wherever it is handled.

With more than 10 million individuals employed in the industry in the United States, protecting the privacy and confidentiality of a patient's electronic health records from unauthorized access is paramount to achieving compliance with federal laws such as the Health Insurance Portability and Accountability Act (HIPAA), the Health Information Technology for Economic and Clinical Health (HITECH) Act, the American Recovery and Reinvestment Act and other laws that apply to healthcare organizations.



Organizations subject to HIPAA, referred to as covered entities, and organizations delivering services to covered entities, known as business associates under the HITECH Act, include:

- Healthcare providers such as doctors and hospitals
- Health insurers, health plans and healthcare clearinghouses
- Businesses that self-insure
- Businesses that sponsor a group health plan and assist their employees with medical coverage
- Businesses that deliver services to other healthcare providers

Per these laws, covered entities and business associates are required to implement the following safeguards on patient data in order to remain compliant:

- Administrative safeguards to protect the integrity, confidentiality and availability of electronic protected health information (ePHI)
- Physical safeguards to protect the integrity, confidentiality and availability of ePHI
- Technical safeguards to protect the integrity, confidentiality and availability of ePHI

In addition, the HITECH Act, signed into law in 2009, is intended to increase the use of Electronic Health Records (EHR) by physicians and hospitals. It stipulates that, as of 2011, healthcare providers are offered financial incentives for demonstrating meaningful use of EHR. Incentives are offered until 2015, after which penalties may be levied for failing to demonstrate such use.

Meeting this array of requirements demands that healthcare entities set up strong processes, methods and controls to assure auditors that the security and integrity of PHI and ePHI is guaranteed, all while EHR adoption is only beginning. Maintaining the security of patient data is a complex proposition that affects every employee of a healthcare facility, every area of its IT system, and all vendors, partners and insurers that work with the healthcare provider. These requirements become even more complex when organizations work with TRICARE, the single largest healthcare program in the world, which serves uniformed service members, retirees and their families worldwide. Such organizations are required not only to protect PHI and ePHI, but also to meet the federal civilian and DoD IT security requirements, FISMA and DIACAP respectively.



Addressing the Unique Issues of Healthcare


To protect PHI and ePHI, covered entities and business associates must abide by the following standards. Each requirement is followed by its description.

1. Breach Notification Policy: Defines how the covered entity will respond to security and/or privacy incidents, or suspected incidents, that result in a breach.
2. Security Management Process: Describes the processes the organization implements to prevent, detect, contain and correct security violations relative to its ePHI.
3. Risk Analysis: Discusses what the organization should do to identify, define and prioritize risks to the confidentiality, integrity and availability of its ePHI.
4. Risk Management: Defines what the organization should do to reduce the risks to its ePHI to reasonable and appropriate levels.
5. Sanction Policy: Indicates the actions to be taken against employees who do not comply with organizational security policies and procedures.
6. Information System Activity Review: Describes processes for regular organizational review of activity on its information systems containing ePHI.
7. Assigned Security Responsibility: Describes the requirements for the responsibilities of the Information Security Officer.
8. Workforce Security: Describes what the organization should do to ensure that ePHI access occurs only by employees who have been appropriately authorized.
9. Authorization and/or Supervision: Identifies what the organization should do to ensure that all employees who can access its ePHI are appropriately authorized or supervised.
10. Workforce Clearance Procedure: Reviews what the organization should do to ensure that employee access to its ePHI is appropriate.
11. Termination Procedures: Defines what the organization should do to prevent unauthorized access to its ePHI by former employees.
12. Information Access Management: Indicates what the organization should do to ensure that only appropriate and authorized access is made to its ePHI.
13. Access Authorization: Defines how the organization provides authorized access to its ePHI.
14. Access Establishment and Modification: Discusses what the organization should do to establish, document, review and modify access to its ePHI.
15. Security Awareness & Training: Describes the elements of the organizational program for regularly providing appropriate security training and awareness to its employees.
16. Security Reminders: Defines what the organization should do to provide ongoing security information and awareness to its employees.
17. Protection from Malicious Software: Indicates what the organization should do to provide regular training and awareness to its employees about its process for guarding against, detecting and reporting malicious software.
18. Log-in Monitoring: Discusses what the organization should do to inform employees about its process for monitoring log-in attempts and reporting discrepancies.
19. Password Management: Describes what the organization should do to maintain an effective process for appropriately creating, changing and safeguarding passwords.
20. Security Incident Procedures: Discusses what the organization should do to maintain a system for addressing security incidents that may impact the confidentiality, integrity or availability of its ePHI.
21. Response and Reporting: Defines what the organization should do to be able to respond effectively to security incidents involving its ePHI.
22. Contingency Plan: Identifies what the organization should do to be able to respond effectively to emergencies or disasters that impact its ePHI.
23. Data Backup Plan: Discusses organizational processes to regularly back up and securely store ePHI.
24. Disaster Recovery Plan: Indicates what the organization should do to create a disaster recovery plan to recover ePHI impacted by a disaster.
25. Emergency Mode Operation Plan: Discusses what the organization should do to establish a formal, documented emergency mode operations plan to enable the continuance of crucial business processes that protect the security of its ePHI during and immediately after a crisis.
26. Testing and Revision Procedure: Describes what the organization should do to conduct regular testing of its disaster recovery plan to ensure that it is up to date and effective.
27. Applications and Data Criticality Analysis: Reviews what the organization should do to have a formal process for defining and identifying the criticality of its information systems.
28. Evaluation: Describes what the organization should do to regularly conduct a technical and non-technical evaluation of its security controls and processes in order to document compliance with its own security policies and the HIPAA Security Rule.
29. Business Associate Contracts and Other Arrangements: Describes how to establish the agreements that should exist between the organization and its various business associates that create, receive, maintain or transmit ePHI on its behalf.
30. Facility Access Controls: Describes what the organization should do to appropriately limit physical access to the information systems contained within its facilities, while ensuring that properly authorized employees can physically access such systems.
31. Contingency Operations: Identifies what the organization should do to have formal, documented procedures for allowing authorized employees to enter its facility to take the necessary actions defined in its disaster recovery and emergency mode operations plans.
32. Facility Security Plan: Discusses what the organization should do to establish a facility security plan to protect its facilities and the equipment therein.
33. Access Control and Validation Procedures: Discusses what the organization should do to appropriately control and validate physical access to its facilities containing information systems that hold ePHI or software programs that can access ePHI.
34. Maintenance Records: Defines what the organization should do to document repairs and modifications to the physical components of its facilities related to the protection of its ePHI.
35. Workstation Use: Indicates what the organization should do to appropriately protect its workstations.
36. Workstation Security: Reviews what the organization should do to prevent unauthorized physical access to workstations that can access ePHI while ensuring that authorized employees have appropriate access.
37. Device and Media Controls: Discusses what the organization should do to appropriately protect information systems and electronic media containing ePHI that are moved between organizational locations.
38. Disposal: Describes what the organization should do to appropriately dispose of information systems and electronic media containing ePHI when they are no longer needed.
39. Media Re-use: Discusses what the organization should do to erase ePHI from electronic media before re-using the media.
40. Accountability: Defines what the organization should do to appropriately track and log all movement of information systems and electronic media containing ePHI between organizational locations.
41. Data Backup and Storage: Discusses what the organization should do to back up and securely store ePHI on its information systems and electronic media.
42. Access Control: Indicates what the organization should do to purchase and implement information systems that comply with its information access management policies.
43. Unique User Identification: Discusses what the organization should do to assign a unique identifier to each of its employees who access its ePHI, for the purpose of tracking and monitoring use of information systems.
44. Emergency Access Procedure: Discusses what the organization should do to have a formal, documented emergency access procedure enabling authorized employees to obtain required ePHI during an emergency.
45. Automatic Logoff: Discusses what the organization should do to develop and implement procedures for terminating users' sessions after a period of inactivity on systems that contain or can access ePHI.
46. Encryption and Decryption: Discusses what the organization should do to appropriately use encryption to protect the confidentiality, integrity and availability of its ePHI.
47. Audit Controls: Discusses what the organization should do to record and examine significant activity on its information systems that contain or use ePHI.
48. Integrity: Defines what the organization should do to appropriately protect the integrity of its ePHI.
49. Mechanism to Authenticate Electronic Protected Health Information: Discusses what the organization should do to implement appropriate electronic mechanisms to confirm that its ePHI has not been altered or destroyed in an unauthorized manner.
50. Person or Entity Authentication: Defines what the organization should do to ensure that all persons or entities seeking access to its ePHI are appropriately authenticated before access is granted.
51. Transmission Security: Describes what the organization should do to appropriately protect the confidentiality, integrity and availability of the ePHI it transmits over electronic communications networks.
52. Integrity Controls: Indicates what the organization should do to maintain appropriate integrity controls that protect the ePHI it transmits over electronic communications networks.
53. Encryption: Defines what the organization should do to appropriately use encryption to protect the ePHI it transmits over electronic communications networks.
54. Policies and Procedures: Defines the requirements for establishing organizational policies and procedures.
55. Documentation: Discusses what the organization should do to appropriately maintain, distribute and review the security policies and procedures it implements to comply with the HIPAA Security Rule.
56. Isolating Healthcare Clearinghouse Function: Implements policies and procedures that protect the ePHI of the clearinghouse from unauthorized access by the larger organization.
57. Group Health Plan Requirements: Ensures that reasonable and appropriate safeguards are maintained on ePHI created, received, maintained or transmitted to or by the plan sponsor on behalf of the group health plan.
58. Wireless Security Policy: Implements security measures sufficient to reduce the risks and vulnerabilities of the wireless infrastructure.
59. Email Security Policy: Establishes management direction, procedures and requirements to ensure the safe and successful delivery of e-mail.
60. Analog Line Policy: Explains the company's analog and ISDN line acceptable-use and approval policies and procedures.
61. Dial-in Access Policy: Implements security measures sufficient to reduce the risks and vulnerabilities of dial-in connections to the enterprise infrastructure.
62. Automatically Forwarded Email Policy: Prevents the unauthorized or inadvertent disclosure of sensitive company information.
63. Remote Access Policy: Implements security measures sufficient to reduce the risks and vulnerabilities of remote access connections to the enterprise infrastructure.
64. Ethics Policy: Establishes a culture of openness, trust and integrity in business practices.
65. VPN Security Policy: Implements security measures sufficient to reduce the risks and vulnerabilities of the VPN infrastructure.
66. Extranet Policy: Describes the policy under which third-party organizations connect to the company's networks for the purpose of transacting business related to the company.
67. Internet DMZ Equipment Policy: Defines the standards to be met by all equipment owned and/or operated by the company that is located outside the company's corporate Internet firewalls.
68. Network Security Policy: Establishes requirements for information processed by computer networks.
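The technical safeguards in the list above (unique user identification, automatic logoff, audit controls, the mechanism to authenticate ePHI, and the activity review that consumes the audit trail) are stated as policy. The following Python block is an added example, not code from this whitepaper or from Carpathia, showing how those controls fit together on a single ePHI read path and how a reviewer detects a tampered audit entry. The patient record, the two user accounts, the timestamps and the two keys are constructed placeholders; a real deployment would take them from the record store, the identity provider, a monotonic clock and a key management service.

```python
"""Added example (not from the whitepaper or Carpathia): a minimal ePHI access
gateway enforcing several technical safeguards. All data and keys are placeholders."""
import hashlib
import hmac
import json
from dataclasses import dataclass, field

IDLE_TIMEOUT_S = 15 * 60                    # Automatic Logoff (#45): 15 minutes idle
INTEGRITY_KEY = b"placeholder-record-key"   # assumption: kept in a KMS/HSM in practice
AUDIT_KEY = b"placeholder-audit-key"        # assumption: a separate key for the log chain
GENESIS = "0" * 64                          # chain anchor for the first audit entry

class AccessDenied(Exception): pass
class IntegrityError(Exception): pass

def record_tag(record_id: str, ephi: dict) -> str:
    """Mechanism to Authenticate ePHI (#49): keyed MAC over the canonical record."""
    payload = record_id.encode() + b"\x00" + json.dumps(ephi, sort_keys=True).encode()
    return hmac.new(INTEGRITY_KEY, payload, hashlib.sha256).hexdigest()

def _mac(entry: dict) -> str:
    body = json.dumps(entry, sort_keys=True).encode()
    return hmac.new(AUDIT_KEY, body, hashlib.sha256).hexdigest()

@dataclass
class Session:
    user_id: str            # Unique User Identification (#43): never a shared account
    last_activity: float    # seconds; a real system would read a monotonic clock
    authenticated: bool = True

@dataclass
class Gateway:
    records: dict           # record_id -> {"ephi": {...}, "tag": record_tag(...)}
    authorized: dict        # user_id -> set of record_ids (Access Authorization #13)
    audit_log: list = field(default_factory=list)
    prev_mac: str = GENESIS

    def _audit(self, now: float, user_id: str, record_id: str, outcome: str) -> None:
        """Audit Controls (#47): every attempt is logged and hash-chained to the last."""
        entry = {"t": now, "user": user_id, "record": record_id,
                 "outcome": outcome, "prev": self.prev_mac}
        entry["mac"] = _mac(entry)
        self.prev_mac = entry["mac"]
        self.audit_log.append(entry)

    def read(self, session: Session, record_id: str, now: float) -> dict:
        # Automatic Logoff: an idle session is terminated before any access decision.
        if now - session.last_activity > IDLE_TIMEOUT_S:
            session.authenticated = False
        if not session.authenticated:
            self._audit(now, session.user_id, record_id, "denied:session_expired")
            raise AccessDenied("session expired; re-authenticate")
        session.last_activity = now
        if record_id not in self.authorized.get(session.user_id, set()):
            self._audit(now, session.user_id, record_id, "denied:unauthorized")
            raise AccessDenied("not authorized for this record")
        stored = self.records[record_id]
        # Integrity (#48/#49): refuse to serve a record whose MAC no longer verifies.
        if not hmac.compare_digest(record_tag(record_id, stored["ephi"]), stored["tag"]):
            self._audit(now, session.user_id, record_id, "error:integrity")
            raise IntegrityError("record failed integrity check")
        self._audit(now, session.user_id, record_id, "ok")
        return stored["ephi"]

def verify_audit_chain(audit_log: list) -> bool:
    """Information System Activity Review (#6): any edited, deleted or reordered entry breaks the chain."""
    prev = GENESIS
    for entry in audit_log:
        body = {k: v for k, v in entry.items() if k != "mac"}
        if body["prev"] != prev or not hmac.compare_digest(_mac(body), entry["mac"]):
            return False
        prev = entry["mac"]
    return True

def demo() -> dict:
    """Constructed scenario; returns the outcomes so they can be checked."""
    ephi = {"patient": "Doe, Jane", "dob": "1970-01-01", "dx": "E11.9"}   # constructed
    records = {"rec-1": {"ephi": ephi, "tag": record_tag("rec-1", ephi)}}
    gw = Gateway(records=records, authorized={"dr.smith": {"rec-1"}, "clerk.jones": set()})
    out = {}
    doc = Session("dr.smith", last_activity=1000.0)
    out["ok"] = gw.read(doc, "rec-1", now=1010.0)["dx"]
    try:
        gw.read(Session("clerk.jones", 1000.0), "rec-1", now=1011.0)
    except AccessDenied as exc:
        out["unauthorized"] = str(exc)
    try:
        gw.read(doc, "rec-1", now=1010.0 + IDLE_TIMEOUT_S + 1)
    except AccessDenied as exc:
        out["expired"] = str(exc)
    ephi["dx"] = "Z00.00"                  # out-of-band edit to the stored record
    try:
        gw.read(Session("dr.smith", 2000.0), "rec-1", now=2001.0)
    except IntegrityError as exc:
        out["tampered"] = str(exc)
    out["chain_ok"] = verify_audit_chain(gw.audit_log)
    gw.audit_log[1]["outcome"] = "ok"      # attacker rewrites a denial as a success
    out["chain_after_edit"] = verify_audit_chain(gw.audit_log)
    return out

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run directly, the script prints each outcome: the authorized read succeeds, the unauthorized user and the idle session are refused and logged, the edited record is refused because its tag no longer verifies, and the audit chain verifies until one entry is rewritten. The point the policy list does not make on its own is that the audit trail is only useful for the activity review if it is itself tamper-evident and kept where the application cannot rewrite it.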

The Consequences of Not Complying


While complying with HIPAA used to be perceived as optional, the HITECH Act of 2009 gave HIPAA compliance some long-awaited teeth. Today, both HIPAA and the HITECH Act are consistently enforced by the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR). Just ask Cignet Health.

Last year, for the first time, federal officials issued a civil monetary penalty (CMP) to a healthcare organization for violations of the HIPAA Privacy Rule. When Cignet Health of Prince George's County, Md. failed to provide 41 patients with access to their medical records and then failed to cooperate with federal investigators, HHS imposed a CMP of $4.3 million for the violations.

In a Notice of Proposed Determination issued Oct. 20, 2010, OCR found that Cignet violated 41 patients' rights by denying them access to their medical records when requested between September 2008 and October 2009. These patients individually filed complaints with OCR, initiating an investigation of each complaint. Because the HIPAA Privacy Rule requires that a covered entity provide a patient with a copy of their medical records within 30 (and no later than 60) days of the patient's request, Cignet's CMP began at $1.3 million.

Making matters worse for Cignet, OCR also found that the provider failed to cooperate with OCR's investigations on a continuing daily basis from March 17, 2009 to April 7, 2010. OCR found that the failure to cooperate was due to Cignet's willful neglect to comply with the Privacy Rule, which requires covered entities to cooperate with the Department's investigations. Based on the violation categories and increased penalty amounts authorized by Section 13410(d) of the HITECH Act, Cignet's fine was increased by an additional $3 million. This steep $4.3 million penalty sent a clear message to healthcare entities: HHS is serious about enforcing the individual rights guaranteed by HIPAA.



The Risk of a Data Breach


The Cignet case is of course an extreme, and the organization knowingly violated patient rights, but what about a data breach? Because PHI records typically contain highly personal data such as a person's name, birthdate, Social Security number, insurance information and medical history, it should come as no surprise that healthcare data theft is a rapidly growing criminal enterprise. In fact, according to a recent study by the Ponemon Institute, 96 percent of all healthcare providers say they have had at least one data breach in the last two years, and the frequency of data breaches in healthcare has increased 32 percent in the past year [1].

However, not all data breaches are the result of malicious intent. Rather, the vast majority are the result of unintentional actions by employees or third-party vendors. From lost or stolen laptops to misdirected emails and faxes, sensitive information can be exposed at any point in the process. And while the cost of healthcare data breaches has been hard to quantify, the economic impact of an incident averages $2.2 million per organization, up 10 percent year over year. In addition to the direct loss of money, most organizations also suffer time and productivity loss, brand or reputation damage and/or loss of patient goodwill, resulting in patient churn. Unfortunately, while almost half of the IT respondents in the survey said they were confident in their ability to identify major data breaches involving patient information and determine their root causes, only 29 percent said they were confident that they could prevent or curtail such breaches.

[1] Ponemon Institute study (2011), http://www2.idexpertscorp.com/ponemon-study-2011



Partnering to Achieve End-to-End Compliance


Ultimately, the Ponemon Institute study revealed respondents' concerns about the need to invest in secure technologies to protect patient data. That's where compliant hosting partners come in. It can become overwhelming for a healthcare provider to ensure that all systems and processes meet the criteria of HIPAA and the HITECH Act, and even when the minimum criteria are met, it doesn't necessarily mean that PHI is secure. Whether or not it is known that gaps exist, it remains the responsibility of the covered entity or business associate to ensure that PHI is protected and that incident response measures are in place so the organization is adequately prepared to handle data breaches. To assist, the National Institute of Standards and Technology (NIST) provides the conformance tests, tools and resources needed to support and test the implementation of standards-based health systems. However, it is still essential for healthcare providers to partner with established, expert and proven service providers who can ensure that their migration, implementation, operations and maintenance fulfill their promises.

Key skill-sets and assets include:


- Professional services that go beyond technical proficiency
- A healthcare-friendly partner with a proven track record
- An ability to work seamlessly with other integrators, as well as to plug into existing programs (or frame new ones) with minimal start-up effort
- An appropriate infrastructure with true physical isolation, from hardened facilities to data vaults and environmental services
- A defense-in-depth approach that includes physical and logical access and policy controls; an environment that supports not just cloud services but also colocation and managed service requirements; and security that goes beyond regulatory or mandated standards to industry best-of-class procedures
- Multiple-facility fail-over provisions that support the organization's plan across regions
- Continuous monitoring, including operational and security staffing that is 24x7x365, as threats don't keep a schedule
- Compliance with mandates like HIPAA, FISMA, PCI DSS and DIACAP, so there is no question of coverage for any application or data environment within that infrastructure

At Carpathia, we understand the challenges IT security professionals face in managing risk and securing information. We've oriented our entire business model around delivering solutions and data centers that map to HIPAA-mandated controls to protect electronic medical records from unauthorized access. With Carpathia's compliant solutions, healthcare customers can achieve end-to-end compliance in the hosting environment that best suits their needs.

Since HIPAA is not a prescriptive set of IT standards, it is essential that the IT service provider working with a healthcare organization selects an established baseline from which to build policy. Carpathia has elected to follow many of the same controls and requirements used in federal IT systems under FISMA. These are derived from the NIST Special Publication 800 series, which has the additional benefit that systems built to them meet both FISMA and DIACAP requirements should the organization start delivering services to the government.

Carpathia has a history of engineering and hosting HIPAA-compliant systems for medium and small companies, system integrators, development companies and small 8(a) businesses. Clients such as INRange Systems and Portal | Ascend rely on Carpathia's compliance experience and expertise to ensure their information systems achieve and maintain healthcare compliance mandates throughout the lifecycle of their systems.

Carpathia's suite of services is designed for organizations seeking scalable, secure, robust and enterprise-grade hosting solutions that can be quickly provisioned or tailored to meet unique requirements. From fully managed environments to cloud solutions to colocation services, Carpathia's comprehensive solutions portfolio helps healthcare entities of all sizes meet their application performance and operational support requirements. Our services platform blends people, process and technology into a unified delivery platform, allowing us to deliver colocation, managed and cloud services as an integrated customer solution across all of our data centers. This delivery platform scales to meet customer demand for managed services and is built on a private cloud computing platform using the latest advances in virtualization technology. Backed by its E3 Promise, Carpathia consistently delivers an experience that exceeds customers' expectations. For more information, visit www.carpathia.com/healthcare.

Carpathia Hosting is a leading provider of managed hosting services, providing secure, reliable and compliant IT infrastructure and management for some of the world's most demanding enterprises and federal agencies. Founded in 2003, Carpathia is a growing, profitable business run by a seasoned management team with deep experience in delivering enterprise hosting solutions including colocation, managed services and cloud computing. Carpathia was named to the Inc. Magazine 500|5000 list in 2011 as one of America's fastest-growing companies. Contact Carpathia at 1.888.200.9494, or visit Carpathia.com for more information.


21000 Atlantic Boulevard | Suite 500 | Dulles, VA 20166

703.840.3900 / 1.888.200.9494
