Recently in privacy Category

Is MPLS HIPAA Compliant?

November 9, 2009 3:44 PM | 0 Comments

Speaking with Peter Davis, Partner Channel Manager in the Southeast for XO, about MPLS and HIPAA. XO recently held a webinar describing how their MPLS Solution can enable healthcare organizations to be HIPAA compliant.

The wording here is important. Transport is neither compliant nor non-compliant. It is the end devices and users that must be HIPAA compliant. In other words, how the data is handled end-to-end has to be compliant, not the pieces and parts.

When speaking with Hospital HIPAA Administrators it is important to remember that part of compliance is security and part is procedure. The procedure part has to do with how all medical records (physical and virtual) are handled and secured, whether on-premise, in transit, at a data center, on a server or in a file cabinet.

With off-site data storage, the best solution for access is a private line, a Layer 2 VPN, or an MPLS network. Why? Segmentation of traffic. Security of data flow. Less chance for a lapse in security. 

The data needs to be securely stored and backed up. EMR firms have to sell a fairly expensive proposition due to all the safeguards and redundancy that go with accessing medical records from a remote server.

In many ways, the telecom agent can sell numerous pieces of the puzzle through XO (or other carriers or VARs).

  • The transport - private line, metro Ethernet, Layer 2 VPN, or MPLS.
  • The data center - collocation for servers and networking gear
  • Data storage and backup

HIPAA is more involved with procedures in place (and to be followed) on the storage, access and security of medical records than on the technology used to secure, store or transport those same medical records.

If you are looking for more info on MPLS, XO has an MPLS video series on YouTube and TCA has a stored webinar for its members on its website.

I'm seeing a lot of news in our space but not enough time to cover it all or analyze it, so here's just the headlines:

DPI (deep packet inspection) by cable being investigated by Congress. It scares the crap out of Boucher (ARS). Cox, Comcast, NebuAd  = new privacy law being debated (NYTimes).

Broadband download caps: in the news all week because apparently TWC said that without caps, they won't upgrade any more. Well, I have news for them: if they don't upgrade they will lose customers. Can you say FiOS, WiMAX, U-Verse? And now Wildblue is testing 18MB service. ARS notes there are caps even when not explicit like TWC. VZW and others have usage limits built into the acceptable usage policy.

Clearwire is being sued - class action status - for ETF (early termination fees) and network quality issues (can you say: false advertising on network performance?). (see here and my twitter pal @morisy).

And speaking of Caps (no, not hockey), how about Comcast battling it out with the former FCC chief's ruling that cable companies can only have a maximum of 30% of the entire market? If we applied that to telecom - and why shouldn't we? - we would have to break up Ma and Pa Bell (Verizon and AT&T). Please note: I am all for that. Meanwhile Comcast's defense is Freedom of Speech.

Lastly, Facebook exec becomes new CEO at MySpace. Too little, too late? And Yahoo! is closing down GeoCities free hosting services, which it bought in 1999 for $3.5B. The analysis of the deal is on Fred Wilson's blog. Worthwhile read for start-ups about what VC deals look like.

NebuAd and Phorm

December 3, 2008 11:16 AM | 0 Comments
Ouch! KMPH Fox 26 reports that, "More than a dozen Web users are suing a Silicon Valley startup that created technology allowing their surfing habits to be tracked. The lawsuit was filed in federal court in San Francisco this week against NebuAd and six Internet service providers that used its product. The 15 plaintiffs are demanding more than $5 million in damages." NebuAd used Deep-Packet Inspection (DPI) to gather info on ISP customers to better target advertising. That upset users and it ended up in front of Congress. NebuAd execs jumped ship. So did clients. Same thing happened at the similar UK-based company, Phorm. Execs there jumped ship this week.

DISH Gets DRM

November 19, 2008 11:38 PM | 0 Comments
So DISH Network keeps upgrading my DVR software without my asking. Tonight, I go to record a pay-per-view movie and the dialog box says, "You only have 24 hours to watch this movie before we remove it from your DVR."  Well, that stinks. We used to buy them and watch them at our leisure - usually within a week.

DISH has increased prices across the board. They will lose AT&T as a distribution arm in February of 2009. Will AT&T take its 1M subs to DirecTV? DISH has been losing subscribers. (Are they the Sprint of TV?) And Echostar lost the patent suit against TIVO. They also have the DTV conversion coming. All this and they add DRM? Do they *want* to chase away subscribers?

Sure, adding MPEG-4 and 1080p content is great (I just got an HDTV), but I don't want them messing with my DVR. I paid for the movie, what do they care about my time shifting it? It's time to look at Bright House digital TV packages and save some money.

FTC Red Flag Rules

September 26, 2008 3:58 PM | 3 Comments

As businesses increasingly rely on technology to store and maintain data, including customer records, the risk of identity theft also is increasing. The Federal Trade Commission ("FTC"), together with federal banking regulatory agencies and the National Credit Union Administration, has adopted new regulations intended to combat identity theft. Known as the Red Flag Rules, these new regulations require financial institutions and creditors to develop and implement a written identity theft prevention program to identify and combat identity theft in connection with new and existing customer accounts.

If you are an operator that provides service in advance of payment, then your company is a "creditor" because your company regularly extends, renews or continues credit or defers payment for goods or services. The Red Flag Rules apply to each "covered account," which is a customer account involving multiple payments or transactions for which there is a foreseeable risk of identity theft. By contrast, a single, non-continuing transaction, where no ongoing relationship exists, is not a covered account. The Red Flag Rules may also apply to some of your business customers.

All companies subject to the Red Flag Rules are required to implement a written customer protection program by November 1, 2008. This program must be designed to detect a "red flag", which is a pattern, practice or specific activity that indicates the possible existence of identity theft. The FTC has identified five categories of Red Flags and provided a list of examples of the types of red flags that fall under each category. If you are providing interconnected voice or VoIP services, the Red Flag compliance program can be combined with your CPNI program required by the Federal Communications Commission's rules.

The customer protection program must include policies and procedures for: (i) detecting warning signs or "Red Flags" of identity theft, (ii) responding to any such Red Flags in a manner that will prevent or mitigate the identity theft, and (iii) updating the Program. The customer protection program must be managed by the Board of Directors or senior employees of the company if there is no Board of Directors. Also, the customer protection program must provide for staff training and oversight of your company's service providers.

Thanks to Attorney Stephen E. Coran of Rini Coran, PC for providing this info.
