Maintaining Compliance is an Ongoing Process

Written by Art Salazar on Wednesday, September 6th 2017 — Categories: HIPAA Compliance, Security

You did it — you passed your PCI (or SOX, HIPAA, GLB, etc.) audit! But the work isn’t over. A recent Verizon study found that most companies fall out of PCI compliance after just nine months. And it doesn’t stop with PCI, either. Many companies work hard around audit time to ensure they can report compliance for the audit period and advertise their security, only to falter once the audit is complete.

For PCI, that also means being able to continue doing business with credit card companies. For other standards like HIPAA and SOX, it means avoiding hefty fines and legal consequences.

Unfortunately, simply checking the compliance boxes doesn’t mean you’re safe for the foreseeable future. You need to maintain compliance at all times throughout the year, not just when the auditors are knocking on your door.

Security and Compliance Are Different Areas of Risk Mitigation

Written by Joe Kozlowicz on Monday, April 10th 2017 — Categories: HIPAA Compliance, Security

While many organizations combine Security and Compliance under a single banner, and there is nothing inherently wrong with having a Chief Security and Compliance Officer or managing risk mitigation under a single umbrella, the fact is that compliance and security measures are two overlapping but inherently different practices of information security.

Compliance standards often change quickly and require quite a bit of work to ensure enforcement across an entire organization. Audit trails, regulator inspections, minimum mandates…they have to be tracked and adhered to 24/7. But meeting compliance standards often puts blinders on a security administrator.

Simply meeting a compliance measure — or even four or five — does not mean that your infrastructure is up to snuff with security best practices. Nor does following industry standards of security guarantee that you’ll meet your next compliance audit.

How to Prepare Now That OCR HIPAA Audits Are Here (for Business Associates, Too)

Written by Joe Kozlowicz on Tuesday, August 16th 2016 — Categories: HIPAA Compliance

After years of waiting, the Office for Civil Rights (OCR) has finally sent out its initial round of notice letters for HIPAA audits. This first batch consists of 167 covered entities, who will have to answer a list of audit questions and provide a complete list of their Business Associates (BAs). BAs are where hosting partners come into play: a HIPAA compliant data center must sign a Business Associates Agreement with each covered healthcare provider. The OCR will be using these lists of BAs to choose around 30 BAs to audit, starting in September.

Even if your organization did not receive an audit letter, know that up to 50 more covered entities and BAs will face on-site comprehensive audits by OCR in early 2017. Now that OCR audits are upon us, how can healthcare providers and their business associates prepare?

Document, Document, Document: Change Management & More in the Data Center

Written by Joe Kozlowicz on Tuesday, March 22nd 2016 — Categories: Data Center Design, HIPAA Compliance, Security

In the IT world, if it isn’t logged or documented, it might as well never have happened. Without properly keeping track of change management, even for routine processes, it can be impossible to discover why a system stopped working, or worse. Technicians might be stuck halfway through a switch upgrade, unable to retrace their steps when they realize the equipment install won’t work. Or an entire organization could be held accountable under the law because they failed in their compliance.

IT documentation, in other words, is an essential if occasionally painstaking piece of data center operations. At Green House Data, we document everything we possibly can. Outside of support or internal emergency responses, which are always tracked in a ticket, planned changes must undergo a five-step process in order to keep track and learn from the change.

The 3 Classes of MARS-E for ACA Compliance

Written by Kristina Sink on Wednesday, August 19th 2015 — Categories: HIPAA Compliance

The Patient Protection and Affordable Care Act of 2010 (ACA) requires each state to have a health insurance Exchange, a marketplace where consumers can easily shop around for health insurance and find the best option for them by comparing price, benefits, services, and quality. In order to obtain Health Insurance Exchange (HIX) compliance, Section 1561 requires that certain security standards and protocols be met by these Exchanges in order to make every effort to protect and ensure the confidentiality, integrity, and availability of the system and its users.

These Minimum Acceptable Risk Standards for Exchanges (MARS-E) are separated into three different classes: technical, operational, and management. These classes consist of nineteen various control families, handling everything from Personally Identifiable Information (PII) to Protected Health Information (PHI), and Federal Tax Information (FTI).

Does Your Company Have The Wrong Attitude Toward Compliance Requirements?

Written by Kristina Sink on Wednesday, July 22nd 2015 — Categories: HIPAA Compliance, Security

If you find yourself dreading the thought of another audit, viewing it as more of a hassle than anything else, you may be suffering from the widespread but little known "Compliance Fatigue".

OCR HIPAA Audits Are Coming. Are You Prepared?

Written by Kristina Sink on Wednesday, May 20th 2015 — Categories: HIPAA Compliance

The Office for Civil Rights (OCR) is responsible for enforcing the HIPAA Privacy and Security Rules. After years of testing and delays, the second round of HIPAA audits is finally materializing, and it is expected to be more comprehensive, focusing on the real-world application of policies and procedures across the entire organization and its business associates (BAs).

This program puts to the test the processes, controls, and policies of covered entities (CEs) and BAs in accordance with the HITECH Act audit mandate. The OCR has published its entire audit protocol on its website, which completely outlines the procedures auditors must follow when conducting a program audit, making it easier to prepare.

Is your health organization ready for the OCR auditor?

How Vital is Your Cloud Data Center Location?

Written by Joe Kozlowicz on Tuesday, April 14th 2015 — Categories: Cloud Hosting, Data Center Design, Disaster Recovery, HIPAA Compliance, Networking and Fiber

As faster network speeds, MPLS networks between data centers, and software-defined technologies proliferate, it becomes easier than ever to host some applications across the country—or even across the world—without any negative impact.

However, for other cloud computing uses, data center location can have major implications when it comes to performance, compliance, and disaster recovery. There are two camps on the issue of data center locations for cloud infrastructure: yes, it matters, and no, it doesn’t make much of a difference.

Keep Your Encryption Keys on the Chain with Key Management

Written by Joe Kozlowicz on Wednesday, February 11th 2015 — Categories: Cloud Storage, HIPAA Compliance, Security

Security is already high on the totem pole of IT priorities, but with 2015 kicking off with a massive Anthem health breach, encryption is a hotter topic than ever.

Many compliance mandates require or encourage some form of encryption, including the commonly encountered PCI and HIPAA standards (the HIPAA Security Rule, while it doesn’t require encryption, does require you to prove, in writing, why you believed encryption wasn’t necessary in your special case. Which, let’s be honest, if you are disclosing a large breach to the public as required, encryption was probably necessary).

There are many encryption methods and vendors on the market, but all of them require access to an encryption key in order to unscramble encoded data. If a malicious agent gets their hands on this key, it’s game over for your encrypted information.

This means that every enterprise needs a secure, organized system to manage all of their encryption keys. As data sets are updated with new keys, new data is added, different encryption systems are introduced, and user access is modified, encryption key management becomes even more essential.

Cost-Effective Uses for HIPAA Cloud: Vendor Neutral Archiving and Enterprise Content Management

Written by Joe Kozlowicz on Tuesday, September 9th 2014 — Categories: Cloud Hosting, Cloud Storage, HIPAA Compliance

Healthcare providers who are researching and implementing new digital tools and electronic health records (EHRs) realize that infrastructure costs can increase quickly, especially for large file sets like medical imagery.

Some organizations may find that cloud and colocation may not be cost effective as they still have in-house infrastructure; others may be looking for a disaster recovery solution or new systems or software that must work together with the current Picture Archive and Communication System (PACS) or EHR environment.

By combining existing patient record systems with Vendor Neutral Archiving (VNA) and Enterprise Content Management (ECM) tools hosted with a compliant cloud vendor, providers can enable a central repository of patient information in an economical and powerful manner.