Recently in compliance Category

IS MPLS HIPAA Compliant?

November 9, 2009 3:44 PM | 0 Comments

Notes from a conversation with Peter Davis, Partner Channel Manager in the Southeast for XO, about MPLS and HIPAA. XO recently held a webinar describing how its MPLS solution can help healthcare organizations become HIPAA compliant.

The wording here is important. Transport by itself is neither compliant nor non-compliant. It is the end devices, the applications and the users that must be HIPAA compliant. In other words, how the data is handled end-to-end has to be compliant, not the individual pieces and parts.

When speaking with hospital HIPAA administrators it is important to remember that part of compliance is security and part is procedure. The procedure part has to do with how all medical records (physical and virtual) are handled and secured, whether on premises, in transit, at a data center, on a server or in a file cabinet.

With off-site data storage, the best solution for access is a private line, a Layer 2 VPN, or an MPLS network. Why? Traffic is segmented from the public Internet, the data path is controlled, and there is less chance for a lapse in security.

The data needs to be securely stored and backed up. EMR firms have to sell a fairly expensive proposition because of all the safeguards and redundancy that go with accessing medical records from a remote server.

In many ways, the telecom agent can sell numerous pieces of the puzzle through XO (or other carriers or VARs):

  • The transport - private line, metro Ethernet, Layer 2 VPN, or MPLS
  • The data center - colocation for servers and networking gear
  • Data storage and backup

HIPAA is more concerned with the procedures in place (and actually followed) for the storage, access and security of medical records than with the technology used to secure, store or transport those same records.

If you are looking for more information on MPLS, XO has an MPLS video series on YouTube and TCA has a recorded webinar for its members on its website.

Qwest sent me an invite to a webinar: PCI MOVING FORWARD: Best Practices to Achieve and Maintain Compliance.

PCI compliance is a constantly changing security requirement for all businesses that process, store or transmit consumer credit card information. Shifting parameters, looming deadlines and increasing responsibilities all pose a challenge to becoming compliant and staying that way. This joint webinar between Qwest Business and Cisco Systems will introduce ways to reduce risk and shorten the path to compliance.

Date: Wednesday, September 10, 2008

Time: 10:00 a.m. Pacific/1:00 p.m. Eastern

Register here: www.pcinext.com/partner

PCI Compliance

July 7, 2008 3:42 PM | 2 Comments

Elizabeth Bowles at Aristotle.Net gave a session on e-Commerce that included some PCI DSS material. PCI DSS is like HIPAA in a lot of ways: plenty of buzz, but no one has a handle on it. There is more myth than fact, but who is going to sift through the hundreds of pages of requirements?

In most of these regimes (HIPAA, PCI, SOX) it is a matter of securing data. Not just encrypting it, but securing it - even in physical form like file folders and paper. For example, if someone walks away with my yellow file folder filled with patient info, is that any different from someone walking away with a PC (or server or laptop) holding patient records, or a DVD backup copy? Not really. And we have had some doozy events lately, including TJ Maxx, Sweetbay Supermarkets, and the AT&T laptops.

PCI DSS - Payment Card Industry Data Security Standard - is a compromise by VISA, MasterCard, AmEx, Discover Card, and JCB International to standardize their disparate security requirements. It is "intended to provide a baseline for best practices in card security". That is really the best way to describe it. MasterCard has the SDP - "Site Data Protection" - Program and VISA has its CISP - "Cardholder Information Security Program".

Typically, e-Commerce merchants do not sell more than $1M per year, which makes them a Level 3 card merchant. Bowles states, "Although Level 3 merchants and service providers do not yet have to be PCI DSS compliant, there are other requirements: Level 3 merchants must fill out an annual PCI Self-Assessment Questionnaire and Level 3 service providers must have a quarterly network scan performed by an Approved Scanning Vendor (ASV) .... 56% of Level 3 merchants are PCI DSS compliant."

Firewalls, software patching, and password security are three main ways to stay on top of this. CIO.com has a series of articles to help you get up to speed, since the PCI compliance deadline just passed. VISA has 12 Steps to Compliance on its site.

I'd like to hear your thoughts on PCI and other Compliance issues. It seems like a lot of this is due to lack of common sense and policy management. When I was working in CHI, there was a department in charge of information security that had final say on many issues including data security and compliance. Who is in charge of that at your company? Or will someone be reading your medical history or your salary and raise info on the web soon?
