Meet Health IT Business Development Expert: Peggy McShane

Peggy McShane, Managing Director, Segue Health

Peggy leads business development and client account management for the Federal, Commercial, and Non-Profit health market segments to define innovative services and solutions, with the ultimate goal of supporting emergent health systems transform health data into practical and useful information. Peggy's background in health and health IT includes: a ten-year career in the hospital setting as a Director of Medical Records; a ten+ year career as a health and health IT consultant with Booz Allen Hamilton; and a five-year career as the business owner of Net New Growth, LLC.

(Bio cont.)

• Federal, Commercial, and Non-Profit Health Business Development
• Health and Health Information Technology (IT) Consulting Expertise
• Past President, Health Information Management and Systems Society (HIMSS) National Capital Area (NCA); Co-Chair, HIMSS National Small Business and Diversity Roundtable

As the Managing Director of Segue Health, Peggy leads business development and client account management for the Federal, Commercial, and Non-Profit health market segments. As part of this leadership, she works with Segue’s ownership and technology teams to define innovative services and solutions, with the ultimate goal of supporting emergent health systems transform health data into practical and useful information.

Peggy has an extensive professional background in health and health IT, including: a ten-year career in the hospital setting as a Director of Medical Records; a ten+ year career as a health and health IT consultant with Booz Allen Hamilton; and a five-year career as the business owner of Net New Growth, LLC. In November 2012, Net New Growth, LLC merged with Segue Technologies, Inc. to form “Segue Health.”

Peggy holds a Bachelors of Science in Health Records Administration from York College of Pennsylvania, a Masters of Science in Information Management from Marymount University, and a Masters Certificate in Strategic Marketing from Tulane University. As a health IT focused professional, Peggy was one of the first in the nation to receive the Certified Professional in Health Information Management Systems (CPHIMS) from HIMSS.

Health IT Webinars:

Implications of Recent Medicare Announcements on Trends in Physician Payment Methods

Recent announcements by Medicare regarding pilot programs and 2013 payment changes represent developments in methodologies and policy changes that will impact Medicare physician payment in the future. This webinar explores these recent announcements and the underlying trends that will likely have a dramatic impact on physician payment in the future.

Watch the video recording and view the slides.

Overview of the SCOTUS Decision and Its Impact on Healthcare IT

This webinar discusses the broader implications of the recent Supreme Court decision on healthcare and how it will affect meaningful use for covered entities and business associates alike.

Watch the video recording and view the slides.

Healthcare Security Vulnerabilities

This webinar will review several REAL healthcare related security engagements, provide an overview of the IT Security world today, provide insight into the hacking community, discuss several proactive methodologies for mitigation of security vulnerabilities and explain the shortcomings of some security testing methodologies.

Watch the video recording and view the slides.

Health IT Articles

Technical Solutions to Meet the OCR HIPAA Audit Protocol

Announced this summer, the Office for Civil Rights (OCR) created its own set of guidelines for auditing covered entities pursuant to the HITECH Act audit mandate. As the governing entity of HIPAA law, the OCR determines if an organization is … Continue reading →

Addressing the Top IT Security Issues of 2012

Trustwave’s 2012 Global Security Report produced several key findings on data breaches and security issues across many industries. Here are a few of the findings, with resources to help remedy them: Customer records made up 89 percent of all breached … Continue reading →

2012 State of Mobile Health IT

The 2nd Annual HIMSS Mobile Technology Survey, sponsored by Qualcomm Life, found that over 90 percent of respondents reported physicians using mobile technology in their everyday operations. Eighty percent of physicians use mobile technology to provide patient care, and nearly … Continue reading →

…(continue reading)

Meet Healthcare Disaster Recovery Expert: Chris Heuman

Christopher Heuman CHP, CHSS, CSCS, CISSP, Practice Leader, RISC Management & Consulting

Prior to consulting, Chris Heuman  worked in healthcare organizations in an information systems and data security capacity for over 20 years. Chris held increasingly responsible positions in healthcare IT from systems and network administration to project management, infrastructure management and information security. Prior to founding RISC Management, Chris developed consulting programs focused on information security and compliance specifically for healthcare institutions as a Director of Engineering Services at mCurve, and Practice Leader for Compliance and Security at ecfirst.

(Bio cont.)

Through his practical experience and certifications as a Certified HIPAA Professional (CHP), Certified Security Compliance Specialist (CSCS) and Certified Information Systems Security Professional (CISSP), Chris is uniquely experienced to assist healthcare organizations in understanding and meeting the myriad compliance and security regulations and requirements they face.

As the Practice Leader at RISC Management, Chris helps providers and healthcare technology organizations by providing services in the areas of risk analysis, vulnerability assessment, business continuity management and planning, business impact analysis, disaster recovery planning, social engineering tests, data loss prevention, education and training, project management and consensus building at all organizational levels. In addition, Chris has presented training programs in the HIPAA, HITECH, compliance and security space, and has been a featured presenter for statewide healthcare organizations, for Health Information Exchanges, as a guest speaker for MBA programs, and has delivered tailored training to dozens of healthcare-related organizations and accreditation bodies.

Chris can be contacted at This email address is being protected from spambots. You need JavaScript enabled to view it.

Disaster Recovery Webinar Series:

Online Tech's Systems Support Manager Steve Aiello led a three-part webinar series on the topic of disaster recovery, from case studies to technical implementation.

Business Continuity in Lean Times

Businesses have a responsibility to their stakeholders to think about their long-term viability - Steve provides an overview of disaster recovery and business continuity with real company examples and the benefits of developing a business continuity plan.

Watch the video recording and view the slides.

Disaster Recovery in Depth

This webinar transitions from theory and thought processes into practical application of disaster recovery. It covers various disaster response options including:

• Hidden Benefits of BC / DR planning
• Disaster Case Studies
• Staffing / Facilities Recovery Strategies
• Processes organizational design
• Facilities design that facilities DR
• IT tools available to increase availability

Watch the video recording and view the slides.

Technical Disaster Recovery Implementation

Ths webinar transitions from theory and thought processes into the implementation of technical disaster recovery. We identify the technical requirements necessary utilizing the business continuity concepts and technical strategies.

Watch the video recording and view the slides.

Disaster Recovery Articles

Disaster Recovery for HIPAA Applications - It's All About Availability of PHI

HIPAA – The Health Insurance Portability and Accountability Act focuses on three key criteria for handling Protected Health Information (PHI):  availability, confidentiality and integrity. This blog post focuses on availability as it applies to HIPAA applications and HIPAA data. Availability … Continue reading →

Benefits of Disaster Recovery in Cloud Computing

There are a lot of benefits with cloud computing – cost-effective resource use, rapid provisioning, scalability and elasticity. One of the most significant advantages to cloud computing is how it changes disaster recovery, making it more cost-effective and lowering the bar for enterprises to deploy comprehensive DR plans for their entire IT infrastructure.  … Continue reading →

Risks on the Rise: Making a Case For IT Disaster Recovery

According to the Forrester/Disaster Recovery Journal Business Continuity Preparedness Survey from 2011 Q4, the top increasing risks cited by a survey of decision-makers or influencers when it comes to IT planning and purchasing for business continuity were as follows: (48%) … Continue reading →

…(continue reading)

Meet HIPAA Law Expert: Brian Balow

Brian Balow, Attorney, Dickinson Wright

Brian Balow concentrates his practice in the areas of IT, healthcare law, and intellectual property. Brian has worked with Fortune 100 clients over the last 15 years on IT-related matters, including the drafting & negotiation of agreements, formulation & implementation of policies & procedures for the management of IT (including outsourcing-related issues), counseling & advising on privacy & data security issues, and assisting clients in favorably resolving disputes with IT vendors (including disputes with the BSA and SIIA).

(Bio cont.)

More recently, Brian has spoken and written extensively on healthcare IT and telemedicine issues (including HIPAA/HITECH issues). In 2012, Brian presented on social media in healthcare issues at HIMSS12 in Las Vegas and to the National Council of State Boards of Nursing in Idaho, on regulation of mHealth technology at the SoCal HIMSS Health IT Innovation Summit in Yorba Linda, California, and on BYOD issues at the HIMSS mHealth Summit in Washington, DC.  In December of 2011, Brian contributed the chapter entitled “Allocation and Mitigation of Liability” to the ABA Health Law Section’s “E-Health, Privacy, and Security Law” treatise.

Brian is a 1988 cum laude graduate of the University of Georgia School of Law, where he was twice a scholarship recipient and was Managing Editor of the Georgia Journal of International and Comparative Law. Following graduation, Brian served as a judicial law clerk to the Hon. James Harvey in the United States District Court, Eastern District of Michigan.

Webinar featuring Brian Balow:

No More Excuses: HHS Releases Tough Final HIPAA Privacy and Security Rules

On January 17, 2013, the Department of Health and Human Services released its long-anticipated modifications to the Privacy, Security, Enforcement, and Breach Notification Rules under HIPAA/HITECH.

These modifications leave no doubt that covered entities, business associates, and their subcontractors must understand the application of these Rules to their operations, and must take steps to ensure compliance with these Rules in order to avoid liability.

The webinar discusses of the modifications, their impact on covered entities, business associates, and subcontractors, and mechanisms for minimizing the risk of HIPAA liability.

Watch the video recording and view the slides.

Articles on the Final HIPAA Omnibus Rule

How the Final Omnibus Rule Affects HIPAA Cloud Computing Providers

The long-awaited final modifications to the HIPAA Privacy, Security, Enforcement and Breach Rules were introduced Thursday. The 563-word document outlines the changes that were initially slated for implementation last summer (remember the omnibus rule?). So how do these modifications affect … Continue reading →

HIPAA Omnibus Rule Narrows the HIPAA Hosting Market

The final HIPAA omnibus rule released late last week holds business associates (BAs) and subcontractors (the BA of a business associate) directly liable for compliance with the HIPAA rules, and sets a deadline for compliance with the new modifications. There’s … Continue reading →

…(continue reading)

Download the Mobile Security white paper 

View the full white paper below.

1.0. Executive Summary
     1.1. Mobile Growth in National Market
     1.2. Mobile Use in the Workplace
2.0. Mobile Security Issues
     2.1. Mobile Device Security Risks
     2.2. Types of Mobile Security Risks
3.0. Compliance and Mobile Devices
     3.1. Compliant Environments
     3.2. PCI DSS Recommendations for Mobile Devices
     3.3. HIPAA Recommendations for Mobile Devices
4.0. Data Security Tools
     4.1. Technical Security
     4.2. Physical Security
     4.3. Administrative Security
           4.3.1. Mobile Use Policies
5.0. Outsource vs. In-House Hosting
     5.1. Benefits of Outsourcing Hosting
     5.2. Risks of Outsourcing
6.0. Vendor Selection Criteria
     6.1. Audited Data Centers and Secure Hosting Solutions
           Reports on Compliance
           Key Data Center Audits
           Business Associate Agreement
           Staff Security Training
     6.2. Other Key Data Center Considerations
           Ownership
           Geographical Location
           Disaster Recovery
           High Availability
           Cloud Computing
           Server and storage devices
           Room to Grow
           Managed Services
7.0. Conclusion
8.0. References
     8.1. Questions to Ask Your Secure Hosting Provider
     8.2. Data Center Standards Cheat Sheet 
     8.3. Mobile Security Checklist
     8.4. BYOD Case Study
9.0. Contact Us

1.0. Executive Summary

The integration of diverse mobile devices throughout the work environment is both inevitable and enabling. Workflows previously tied to less portable devices can now enjoy free access wherever a wireless signal allows.

But enabling access also presents security, privacy, and confidentiality concerns. Industries that rely on sensitive data such as healthcare, financial, and insurance have heightened risks and concerns. Addressing security concerns is nothing new for these industries, but mobile technologies present a dizzying array of uniquely configured, user-selected hardware and software.

It’s a good bet that the selection of phone, carrier, and apps is driven more by usability than security. Information and security officers have a thinner tightrope to walk when enabling and protecting customers.

So what to do? This white paper explores approaches to mobile security from risk assessment (what data are truly at risk), enterprise architecture (protect the data before the devices), policies and technologies, and concludes with an example of a mobile security architecture designed and implemented within a hospital environment in which both enabling caregivers and protecting privacy, integrity, and confidentiality are paramount.

1.1. Mobile Growth in National Market

An increase in mobile device and application demand has skyrocketed over the past few years, with users investing primarily in smartphones – the worldwide smartphone market has grown 42.5 percent year over year in the first quarter of 2012. ^[1]

With mobile device use increasing, applications have also grown in number. Gartner predicts more than 80 billion mobile apps will be downloaded in 2013, growing to more than 300 billion in 2016. ^[2]

In step with the demand, the worldwide application development software market is predicted to reach more than $9 billion by the end of 2012. ^[3] Gartner reports cloud technology, mobility (specifically smartphones and tablets) and open source software tools will continue to drive app development.

1.2. Mobile Use in the Workplace

Mobile device use has shaped the communication landscape and subsequent workflow of certain industries, specifically, healthcare. Forty percent of consumers reported they would pay for mobile remote patient monitoring, using smartphones as hubs that would monitor chronic diseases. ^[4] Remote patient monitoring via a mobile device reduces the need for more costly custom medical devices, and cuts down on diagnosis error and medication overuse.

Further streamlining patient care, 40 percent of physicians report they could eliminate up to 30 percent of office visits by using mobile health strategies. ^[5] Mobile devices also extend the reach of care beyond geographical limitations – rural health care in remote locations has improved due to imaging and monitoring capabilities afforded by applications, that otherwise would not be available to these areas.

Every industry can realize the benefits of mobile device use: 

• Increased productivity – The ability for remote access allows employees to work from anywhere outside of normal business hours or locations. Preparing in advance for the workday is easier with mobile devices and remote connections.
• Personal – Highly customizable and often toted around everywhere, mobile devices have a higher engagement rate due to ease of usability and convenience, making it ideal to use for work purposes.
• Streamlined workflow – By virtualizing the desktop environment and creating a secure connection between the device and the network systems, mobile devices can access critical applications from any location. A more efficient, paperless workflow can be realized with virtualization and device support.
• Better client experience – Employees that provide a support function to clients may be able to respond to requests faster, particularly outside of regular office hours, allowing for improved client satisfaction.

2.0. Mobile Security Issues

With the use of personal mobile devices in the workplace come security issues around device use, data exchange and storage, connectivity and more. The security risks raise the need for IT staff to standardize device use and establish, implement and train users on mobile device policies.

According to Symantec’s Internet Security Threat Report, there has been a 93 percent increase in mobile malware development since 2010. ^[6] 

Half of the total attacks were directed at small and medium-sized businesses (SMBs) with fewer than 2,500 employees, and 17 percent hit companies with fewer than 250 employees.

To hackers, smaller organizations are seen as an open door to larger organizations due to partnerships. In the case of franchises, franchisees can be gateways into the larger corporate network. With limited resources to invest in proper security, or due to a lack of security knowledge and culture, they are often left vulnerable.

Industries with the greatest percent of stolen identities included healthcare, computer software and IT sectors, with healthcare at 43 percent. 

2.1. Mobile Device Security Risks

Mobile devices introduce several risks and points of entry, including insider threats, malware, spear phishing and more as described in section 2.2.

A recent report by Trend Micro, a content security software provider, reports that mobile malware growth targeting Androids has escalated from 40,000 to 175,000 malicious apps between July and September 2012. ^[7] Most of this is attributed to adware, which collects user information without user consent.

Mobile malware development has risen in accordance with the increase in mobile device sales. Unfortunately, with the advent of easily downloadable apps and the frequent use of devices, users may not realize that certain apps can be malicious. Mobile users should use the same precaution and security services available to personal computers and networks to protect against mobile malware.

2.2. Types of Mobile Security Risks

The U.S. Department of Homeland Security has posted a bulletin warning the public about mobile device security risks, and the several points of entry that could leave an organization or individual vulnerable to an attack. ^[8]

• Insider – Employees can introduce a threat if they were to transfer information by use of portable media or the cloud. The most common method of data exfiltration involves network transfer by email, remote access channel or file transfer.
• Malware – Many different types of malware are designed to steal user information, including keystroke loggers that can record passwords and other mobile activity and remote access Trojans that allow hackers to access your phone by masquerading as a credible program or file. They gain access to smartphones via website links or as a text message sent to appear as a system update.
• Spear Phishing – Malicious attachments are sent via email or links and targeted at management, administrators and other key personnel, bypassing email filters and antivirus software in attempts to penetrate a network.
• Web – Silent redirection, obfuscated JavaScript and even search engine optimization are a few web behaviors used to gain access to a network. Web servers with injection flaws or broken authentication may also lead to a data breach.
• Equipment Loss – Mobile devices are easily lost due to size and transportability – as more and more sensitive data is stored directly on the device, theft and loss of the devices leads to data breaches due to poor physical security mechanisms and hardware encryption.

3.0. Compliance and Mobile Devices

The prolific increase in endpoints is inherent in mobile device use and brings new security risks and compliance concerns in industries such as e-commerce and healthcare that transmit, store, or process sensitive digital data. Each industry has different regulating entities and expectations for proving due diligence and achieving compliance. Balancing the potential benefits of innovations in the mobile space with the increasing stakes that sensitive digital information adds new dimensions to risk analysis.

In e-commerce and e-retail applications, for example, businesses will need to comply with the standards of PCI DSS (Payment Card Industry Data Security Standard) established by the large credit institutions (Visa, Mastercard, Discover) in order to enjoy the use of merchant accounts for online transactions. The PCI DSS compliance audit is a point-in-time audit, assessing the security of a business at that moment in time.

In the healthcare industry, the Department of Health and Human Services has established the HIPAA (Health Insurance Portability and Accountability Act) Security Rule as a result of the ARRA to describe how the health information should be protected. The Office of Civil Rights is the entity that audits healthcare providers (covered entities) and applies penalties for violations. The FCC regulates communications, and, where mobile devices are used as medical devices, the FDA has achieved regulatory rights to oversee the safety of the patients they interact with.

Publicly held companies, or those that touch financial and insurance industries, must meet Sarbanes-Oxley (SOX) compliance requirements. The AICPA’s SSAE 16 Type II audit, also called SOC 1, is a period-of-time assessment by an independent auditor for how well a company meets its self-described financial controls. The AICPA’s SOC 2 audit is also a period-in-time audit, but sets a common standard of controls specific to the security, availability, confidentiality, processing integrity, and privacy of sensitive data.

Businesses that serve clients across multiple verticals and industries are facing a complex tapestry of compliance and regulatory requirements which require significant investment in understanding, implementing, auditing and maintaining these environments. Imagine a business that wants to develop a mobile application that accepts patient payments. This business needs to fulfill the compliance requirements for PCI DSS, HIPAA, FCC, and possibly Sarbanes-Oxley. How about a business writing mobile apps that monitor patient health and make recommendations based on patient behavior? This would definitely be subject to HIPAA and FCC compliance, and possibly FDA compliance, depending on the type of recommendations made.

Companies that are developing mobile apps will likely have enough intimate knowledge of their software and systems to make assessments and take adequate precautions to meet whatever compliance regulations they are subject to. However, as they partner with other vendors for usability design, data storage, and hosting services, they are also responsible for ensuring that their entire network of associates is cognizant and capable of meeting the same requirements. A good place to start for any company in a regulated space is to ask their partners for written documentation of third-party compliance audits for the respective industries they serve. Those that understand what’s at stake will be able to provide the relevant audit reports.

3.1. Compliant Environments

Where does your data live? If you deal with sensitive data such as patient health information or credit cardholder data, avoid keeping it on your mobile device whenever possible. Even temporary storage of sensitive data is risky. If you lose your smartphone or laptop, you could be held liable to a data breach and compliance violations that may cost your organization litigation, remediation, and other fees. If there is absolutely no way to avoid sensitive information on the device, ensure that appropriately strong encryption is used. 

In May 2012, 63,000 patients were affected by stolen portable media devices. ^[9] Howard University Hospital’s contractor had a password-protected laptop stolen from a vehicle in late January, affecting 34,503 patients. Now the hospital requires encryption on all employee laptops. Another case of a stolen laptop from a local physician office at the Our Lady of the Lake Regional Medical Center contained records for 17,000 former patients in March. ^[10]

The portability of mobile devices allows for easy theft or loss, and many organizations that don’t implement mobile security policies also do not provide proper security training for their employees. User behavior and acceptable use policies, such as never storing sensitive data locally, can significantly cut down on the risk of a data breach.

In an age when health information is stored and transported on portable devices such as laptops, tablets and mobile phones, special attention must be paid to safeguarding the information held on these devices. ^[11] - Office for Civil Rights Director Leon Rodriguez

David S. Holtzman of the OCR (Office for Civil Rights) also recommends reducing the risk of a data breach by using network or enterprise storage as an alternative to local devices, as well as encrypting data at rest on any device or desktop that stores sensitive information. ^[12]

With a secure remote connection to a secure network (and encryption), users can access sensitive data with their mobile devices without compliance concerns. (For a diagram of a HIPAA and PCI compliant data center environment, please see Compliant Data Centers, pg. 19).

3.2. PCI DSS Recommendations for Mobile Devices

PCI DSS (Payment Card Industry Data Security Standards) is a detailed list of technical, physical and administrative security requirements for merchants – organizations that deal with credit cardholder data (merchants).

Created and enforced by the major card issuers, the standard is now evolving with the development of new technology and mobile device capabilities. The PCI SSC (Payment Card Industry Security Standards Council) has released new security recommendations for both merchants and developers to meet mobile device payments, specifically for smartphones, tablets or PDAs.

The PCI SSC recommends that data is encrypted before it reaches a mobile device, which can be achieved by validating a PCI P2PE (Point-to-Point Encryption) solution, as seen below. ^[13] In this case, encrypted data would flow from either an approved PED (pin entry device), or an approved secure card reader to the mobile device, and then to a P2PE solution provider.

The PCI SSC also recommends that data storage should be temporarily stored in a secured storage environment before processing and authorization. A PCI compliant data center can provide a secure environment (See PCI Compliant Hosting Stack, pg. 20).

Data should be encrypted or rendered unreadable if it is ever stored on the mobile device after authentication. Encryption should meet PCI DSS standard 3.5 to limit application, personnel and process access to the keys. ^[14]

Lastly, preventing account data from being intercepted upon transmission out of the mobile device can be achieved by preventing unauthorized logical device access by implementing certain design features, including secure lock screens and time-sensitive sessions requiring logins. Creating server-side controls can also help prevent interception, including:

• An updated access control list.
• Ability to monitor system events.
• Ability to track and monitor patterns of events to determine normal from abnormal events.
• Ability to report abnormal events that could indicate a system breach or data leak; including encryption key changes, invalid login attempts, app updates and more.
• Enable the ability to remotely disable payment applications.
• Use GPS or other location apps/technology to detect theft or loss, and require re-authentication of the user/device.
• Ensure any supporting systems are compliant with PCI DSS.
• Prefer online transactions whenever the mobile payment-acceptance app on the host is inaccessible in order to prevent offline transactions/storage of transactions.
• All mobile payment apps should conform to secure coding, engineering and testing as required by the Payment Application Data Security Standard (PA-DSS).
• Protect against known vulnerabilities by evaluating updates, checking the source, and applying updates in a timely manner.
• Protect against unauthorized applications on the mobile device.
• Protect devices from malware.
• Protect devices from unauthorized attachments.
• Document device implementation and use.
• Support secure merchant receipts – mask the PAN (Payment Account Number) and never use email or SMS to send PAN or SAD (Sensitive Account Data).
• Provide an indication of secure state, similar to an active SSL session in a browser.

3.3. HIPAA Recommendations for Mobile Devices

HIPAA (Health Insurance Portability and Accountability Act) sets the national standards for the security of electronic protected health information (ePHI) with security and privacy safeguards to be implemented by healthcare organizations and business associates. The Office of Civil Rights has released the OCR Audit Protocols to guide covered entities (healthcare providers) and their business associates in their risk assessment and management plans. As mobile environments cross the hospital threshold, HIPAA audits will need to adapt to incorporate ePHI protection with these new mobile endpoints.

While the healthcare industry is currently working on HIPAA compliance recommendations for mobile devices and enforced by the Office for Civil Rights, the FCC is another federal agency that also regulates the mobile industry. The FCC has created a mHealth Task Force from a group of the nation’s leading mobile healthcare IT industry, including federal and academic experts. Preliminary recommendations are not technical in nature but instead focused primarily on agency initiatives to increase collaboration and outreach.

The FDA is also entering the mHealth space as an enforcing authority. As mobile devices become tools to monitor, report, or suggest actions based on a patient’s health, they become subject to FDA regulation like other medical devices. For more information on FDA Regulation of Mobile Health Devices, listen to http://www.onlinetech.com/events/fda-regulation-of-mobile-health-devices.

See the Technical Security, Compliant Data Centers and HIPAA Compliant Hosting Stack below for details on how to create a secure HIPAA compliant environment.

4.0. Data Security Tools

Mobile security involves much more than the specifics around security the devices themselves. It begins with a qualified risk assessment of the entire architecture and infrastructure with a careful evaluation of the appropriate levels of security that should be applied. Companies that begin at the device level are often quickly overwhelmed trying to manage the security of hundreds of different hardware and software combinations.

By the time a mobile application can be appropriately protected and functional across every hardware and software combinations, a whole new set of devices and platforms will be on the market. Smart mobile security is about keeping sensitive information off of the devices wherever possible. Sophisticated virtual desktop environments and a Software-as-a-Service (SaaS) model can support a huge variety of disparate platforms with only one or a small handful of security profiles to manage across all of them. Best practices in these approaches are emerging from leaders in every industry.

This isn’t to say that technical security tools shouldn’t be employed to provide mobile security. After a secure and compliant architecture for a mobile application has been determined, it’s time to apply the appropriate technical security protections. Some examples follow.

4.1. Technical Security

Secure hosting solutions require a multi-layered approach with the use of several different security tools. Not only do these tools help your company meet various compliance standards, but they also strengthen the security framework of your systems and minimize your overall risk of data loss.

4.2. Physical Security

Implementing strong access controls to protect your physical servers that contain sensitive data (and only accessed through your mobile device through a secure, remote access service) is another layer of security that ensures only authorized users access your data.

Within a data center, strong facility controls can translate to implementing the following:

• Two-factor authentication - If not personally escorted, anyone in the data center should be wearing a badge to identify them and need at least two forms of identification for access such as badge and access code, or biometric fingerprint scanner and badge. If you go for a data center visit and are not asked to sign-in and wear a badge, security should be considered less than adequate.
• Prolific use of video surveillance - Ask to see the video logs and how long they are kept (should be at least 90 days).
• Visitor logging - The entries in the logbook should directly match the video surveillance tapes. Ask when the last independent auditor confirmed the match of visitor logs with the video archives. Ask who the auditor was and investigate the auditor's company to confirm their credibility.
• Procedure Documentation - Ask to review the documentation for the procedure to allow access by unannounced visit, phone call, or email. Don't just ask the security or compliance officer - ask anyone. If there is a consistent policy and procedure in place, you should get a consistent and reassuring answer.

4.3. Administrative Security

Administrative security includes the audits, policies, staff training, and, for HIPAA-specific requirements, business associate training. Equally important as ensuring the physical and technical security of your data environment, administrative security addresses the business-facing concerns of partnering with a third-party hosting provider. Within your organization, administrative security can also include educating and managing employee behavior and mobile device use in order to keep security intact.

4.3.1. Mobile Use Policies

Devising a set of mobile device/BYOD (Bring Your Own Device) use policies is one way of establishing standards for security and uniform use company-wide. Based on best practices, your policies should address the following:

Activate remote management and tracking settings and applications. By using a remote wipe feature on your phone or downloading an application that has the same capability, you can significantly reduce the risk of sensitive data (which should really be located on a secure network, not your device) from falling into the wrong hands. Limiting the scope of risk is part of an incident response plan process. By having the capability to remotely delete data off of a lost or stolen device, you can reduce the risk of data misuse.

With an iPhone, you can enable Find my iPhone, an app that attempts to locate your lost or stolen iPhone and pinpoint the location on Google Maps. Choose to remotely send a message to your phone or activate a sound to help locate or draw attention to your device.

For Android phones, third-party apps can be used for remote wipe, such as the free Mobile Defense app. ^[15] This app can also locate your device with the exact address displayed on an embedded interactive map. Mobile Defense will also email you if someone tries to swap out your SIM card as part of their security measures.

Update software frequently.

As new mobile malware develops, updating mobile software to protect against the latest malicious code is important for any user. Make frequent updates a part of company policy as a simple precaution against running old operating systems that are left open to known vulnerabilities.

One example is a short piece of code that targeted a Samsung Galaxy S3 smartphone - if a user visited a web page with the embedded code while browsing on their phone, their phone would be wiped without permission. ^[16] This code could be sent via a text message as well. Samsung released a software update and urged customers to download it as soon as possible in September 2012.

Similar to your computer software or Internet browser, taking a minute to download the latest update can save your organization from a potential data breach and the subsequent headaches. Using the services of a managed hosting provider can also help with keeping servers up-to-date with timely patch management.

Use two-factor authentication for remote access to networks.

Two-factor authentication for VPN (Virtual Private Network) access is an optimal security measure to protect against online fraud and unauthorized access for clients that connect to their networks from a remote location.

Instead of accessing critical data or applications locally on your mobile device, it is significantly more secure to restrict access to a remote network that provides the same services, but housed in a secure environment. That way, when you lose your smartphone, you will not lose any data, and implementing two-factor adds an extra layer of authentication needed to authorize your identity before connecting to a network.

The first factor involves a username and password login - the second factor requires the use of your phone. Depending on the software used for authentication, you may have these methods as a choice of your second factor: ^[17]

1. Push authentication - login and transaction details are sent to your smartphone, and with one tap of the ‘Approve’ button, you will have completed the second authentication factor to achieve network access.
2. Smartphone passcode - a generated login passcode works on all smartphone platforms.
3. Text message - login passcodes are sent via text message - enter this passcode online to authenticate the second factor.
4. Phone call - answer a phone call and press a key to authenticate.

Use audited applications.

Particularly important for mobile use in the healthcare industry, any application that creates, stores, accesses, sends or receives electronic protected health information (ePHI) must meet HIPAA security standards. Application service providers must also meet SSAE 16/SOC 1 standards of compliance.

Create secure passwords and update them frequently.

Many a data breach has occurred due to the use of default or easy-to-guess passwords. Establishing a password policy in your organization can help protect mobile devices and network access attempts by hackers. Ensure your passwords are at least eight or more characters, and vary the complexity of your password by including symbols and numbers. A good password policy requires frequent updating of passwords, every 90 days. Microsoft’s password strategy and password checker are great resources to help you create an effective password policy. ^[18]

Implement lockouts and set reentry times.

Set devices to lock your account after a certain number of failed login attempts, and set automatic lockout after a certain amount of time in order to keep data protected during downtime. Lockout should require re-entry of your password for access.

5.0. Outsource vs. In-House Hosting

For mobile app developers wanting to create apps that mission critical industries can rely on, investing in and maintaining high-availability hardware, power, network, and server infrastructures is essential, but capital intensive. Couple this with the resources that auditing, security, and server administration adds, and it’s easy to see why mobile app developers often turn to hosting partners.

The benefits of outsourced hosting must be weighed against any risk added by a hosting partner. Ideally, the hosting partner will improve security, availability, and compliance in addition to managing the maintenance of the server and underlying infrastructure.

5.1. Benefits of Outsourcing Hosting

Choosing where to host a mobile app that needs to meet security and compliance requirements is not an easy task. The right decision should help you sleep better at night - not stay awake longer. Look for cost savings over the capital and maintenance costs of managing your own hardware and infrastructure in addition to a true partner in compliance and security.

Save on Costs

Managed hosting allows your IT team to focus on the mobile applications directly related to your business, not on the day-to-day details involved with server updates, data center infrastructure, network management and security which can more readily be outsourced to a trusted provider.

If you’re developing or providing services for the healthcare or e-commerce industry, you also need to ensure you can meet compliance requirements for securing data. Compliance can be a costly and time-consuming process to invest in. Outsourcing your hosting solution to a third-party can save on resources if they’ve undergone an independent audit confirming their ability to comply with HIPAA or PCI compliance. While it does not release you of the obligation and responsibility of meeting compliance, it helps you mitigate the risk of a data breach.

Security

A managed hosting provider can provide the latest tested and audited technology to secure your applications and data. With a variety of required and recommended security methods, you can trust experienced, certified professionals to maintain, monitor and accurately generate logs of activity on your servers.

Outsourcing allows you to benefit from the various levels of security that a quality hosting provider should have in place. These advantages include physical security, environmental controls, logged access and video surveillance, and multiple alarm systems to detect unauthorized access.

Network security includes protection of sensitive infrastructure, including managed servers, cloud, power and network infrastructure built with redundant routers, switches and paired universal threat management devices to protect sensitive information.

Availability

The use of high-availability (HA) solutions in a fully redundant and compliant data center can allow clients to increase their uptime and application availability. Using an HA infrastructure can reduce the risk of business downtime due to a single point of failure. Outsourcing to a managed hosting provider means your business can take advantage of your data center operator’s design of power connections, UPS (Uninterruptible Power Supplies) systems, generators, air conditioning and networks.

Flexibility

Outsourcing allows you to benefit from the latest virtualization technologies, such as fifth-generation VMware that dominates the market for applications that require a high degree of scalability. Choosing a high-performance managed cloud allows for the ability to scale servers up and down as needed to respond to the demands of end-users with fast deployment time.

Compliant Data Centers

If you’re developing or providing services for the healthcare or e-commerce industry, you also need to ensure you can meet compliance requirements for securing data. By outsourcing, you can take advantage of your managed hosting provider’s investment in independent audits and reports relevant to your target industry. For e-commerce and retail, look for a managed hosting provider that has passed an independent PCI audit against the PCI DSS standard. For healthcare, look for a managed hosting provider that has invested in an independent HIPAA audit against the OCR HIPAA Audit Protocol.

A managed hosting provider also invests in maintaining and upgrading their data centers and hosting environments, allowing you to focus on your core business objectives. What does a compliant data center look like? Review the HIPAA and PCI compliant diagrams below for complete overview of the technical, administrative and physical security requirements your hosting provider should offer:

PCI Compliant Hosting Stack

HIPAA Compliant Hosting Stack

Trained Staff

The technical and physical security of your data environment is only as secure as the people that run it. Staff training cuts down on human error, promotes security awareness and may prevent or allow for early detection of a data breach.

Documented policies and procedures are only effectual if employees are made aware of and trained on a regular basis. Check the last dates of employee training as well as the scope of training across the entire hosting company, and inquire about hiring policies to ensure that your data is in safe hands.

5.2. Risks of Outsourcing

However, the risks of outsourcing managed hosting to a service provider can mean extending your circle of trust to include a third-party vendor. These service providers may open your company up to the potential risk of a data breach or compromised application, and depending on your industry compliance standards, there are different financial and business consequences that may occur as a result.

Healthcare Data Breach Fines and Penalties

For the healthcare industry, the fines and penalties for a HIPAA violation (a data breach, whether lost or stolen) range from $100 per violation with a maximum fee of $25,000 for repeat violations to $50,000 per violation with a maximum fee of $1.5 million. ^[19]

The fine amount varies by different classification levels dependent on violation criteria, with minimum and maximum penalties for first-time/repeat violations and annual fees:

HIPAA Violation Types and Penalties ^[20]

Another category of a HIPAA violation is determined by covered entities and individuals that knowingly breached the HIPAA regulations – for these, criminal penalties apply.

The maximum offense is a HIPAA breach committed with intent to sell, transfer or use individually identifiable health information for personal/financial gain or malicious harm, resulting in fines of $250,000 and imprisonment for up to ten years.

Ultimately, covered entities are held responsible when it comes to monetary and reputational consequences, although responsibility will extend to include business associate in recent proposed revisions to the HIPAA rules.

PCI DSS Data Breach Penalties

According to the PCIComplianceGuide.org:

The payment brands may, at their discretion, fine an acquiring bank $5,000 to $100,000 per month for PCI compliance violations. The banks will most likely pass this fine on downstream till it eventually hits the merchant. Furthermore, the bank will also most likely either terminate your relationship or increase transaction fees. Penalties are not openly discussed nor widely publicized, but they can be catastrophic to a small business.

According to the PCI Security Standards Council, if you are not compliant with PCI DSS, you could damage your reputation and ability to conduct business. Data breaches also could lead to loss of sales, relationships, good standing in your community, and depressed share prices if you are a public company. Other consequences include lawsuits, insurance claims, cancelled accounts, payment card issuer fines and government fines. ^[21]

6.0. Vendor Selection Criteria

6.1. Audited Data Centers and Secure Hosting Solutions

Reports on Compliance

As the number of reported data breaches and the cost of these data breaches rise, it becomes imperative for companies to choose a third-party managed hosting provider that has invested in a number of independent audits and can provide a copy of their audit report to ensure they are following compliant policies and procedures.

See below for more on each audit standard and what it means.

Key Data Center Audits

These key data center audits can give you guidance and insight into a vendor’s ongoing compliance and level of operating standards, as well as the quality of service you can expect to receive.

SAS 70 ^[22] - Now expired, the Statement on Auditing Standard No. 70 was originally used to measure a service provider’s controls related to financial reporting and recordkeeping. Two types are recognized by the AICPA (American Institute of CPAs) - Type 1 reports on a company’s description of their operational controls, while Type 2 includes an auditor’s opinion on how effective these controls are over a specified period of time. In both cases, keep in mind that the audited company gets to specify the controls that they will be audited against. Some specify only a handful of weak controls. Others specify dozens of strong controls. Make sure you read the details of the controls.

SSAE 16 - The Statement on Standards for Attestation Engagements No. 16 replaced SAS 70 in June 2011. A SSAE 16 audit measures the controls relevant to financial reporting. Type 1 reports on a data center’s description and assertion of controls, as reported by the company. Type 2 provides a description of an auditor’s test the accuracy of the controls and the implementation and effectiveness of controls over a specified period of time. No two SSAE 16 audit reports are the same as there is no standard of controls. Make sure you read the details of the controls.

SOC 1 ^[23] - One of the three new Service Organization Controls (SOC) reports developed by the AICPA, this report measures the controls of a data center as relevant to financial reporting. It measures the same controls as an SSAE 16 audit.

SOC 2 ^[24] - Most beneficial for clients partnering with a managed hosting provider, this report is a very detailed account of the technical aspects as they relate to controls specifically concerning IT and data center operators. The five controls include security, availability, processing integrity (ensuring system accuracy, completion and authorization), confidentiality and privacy. There are two types: Type 1 reports on a data center’s system and suitability of its design of controls, as reported by the company. Type 2 includes everything in Type 1, with the addition of verification of an auditor's opinion on the operating effectiveness of the controls. This is the first AICPA audit to begin standardizing controls so there is less variety between reports. However, since every audit, auditor, and company are different, it is wise to read the details of the report – don’t take it for granted.

SOC 3 ^[25] - This report includes the auditor’s opinion of SOC 2 components with an additional seal of approval to be used on websites and other documents. The report is less detailed and technical than a SOC 2 report.

PCI DSS ^[26] - The Payment Card Industry Data Security Standards was created and implemented by major credit card issuers and it applies to companies that collect, store, process and transmit cardholder data. Data center operators that host cardholder data need to have undergone a PCI audit to achieve an attestation of compliance report (the latest version is 2.0), and they should have a full understanding of what technical components can help your company meet the PCI requirements.

HIPAA - Mandated by the U.S. Health and Human Services Dept., the Health Insurance Portability and Accountability Act of 1996 specifies laws to secure protected health information (PHI), or patient health data (medical records). When it comes to data centers, a hosting provider needs to meet HIPAA compliance in order to ensure sensitive patient information is protected. A HIPAA audit conducted by an independent auditor against the OCR HIPAA Audit Protocol can provide a documented report to prove a data center operator has the proper policies and procedures in place to provide HIPAA hosting solutions. No other audit or report can provide evidence of full HIPAA compliance.

As with any type of audit, covered entities must review each individual compliance reports to determine the full scope and depth of their applicability. Each SSAE 16 or HIPAA audit is unique to each hosting provider.

Business Associate Agreement

Key to the healthcare industry, a business associate agreement (BAA) is a contract that defines roles and responsibilities between a healthcare organization (covered entity) and a third-party service provider. The lack of a BAA implies negligence and may fall under the HIPAA violation category of Willful Neglect. Check to make sure your business associate has a thorough BAA with documented policies that discuss how they handle PHI, from breach notification to contract termination and data ownership.

Part of your due diligence as a covered entity is to understand your hosting provider’s documented policies and procedures when it comes to securing your data and handling a data breach. Check for their timeline to notify covered entities in their breach notification policy - they are required by law to do so in a timely manner, and subsequently, covered entities must notify affected individuals within 10 days. ^[27]

Another key clause of a BAA should have terms and effective dates, with language around how PHI will be handled after termination, including the return and destruction of data. Data ownership, access and rights should also be discussed in the agreement.

Staff Security Training

Your secure hosting provider should have documented internal processes and policies that are considered best practice. Within their organization, they should have an appointed Risk Management Officer that oversees that the custom policies and procedures are being followed and are in compliance with the HIPAA regulations, for healthcare clients, and in compliance with PCI DSS, SOX, etc.

The Risk Management Officer also conducts employee training to educate and implement security policies and procedures that affect the day-to-day operations of their organization. Employee training is important when it comes to any third-party service provider, as many data breaches are a result of human error, or an employee mishandling sensitive data, and not hacker-related. Ask your managed hosting provider for the most recent date of their security policy training and percent of employees that have completed training during the vendor selection process.

6.2. Other Key Data Center Considerations

Ownership

As stated earlier, data ownership is especially important to review in your hosting contract. Some providers reserve the right to access, allow access, and claim ownership of your sensitive information while it is hosted on their servers or in their environment. This is an issue that can occur especially in the cloud, as some cloud vendors may claim legal ownership of the data once in their possession.

Another consideration is ownership and operation of the data center(s). Some hosting providers will provide a service that is run in data centers owned and operated by different companies - this further extends the “chain of trust” to include potentially unknown third-parties. If you have no way of knowing who has access to or controls the environment that houses your servers, let alone their level of compliance, you are putting your data and business at risk.

Geographical Location

Hosting facility location is another important consideration, as data centers located in certain regions are more susceptible to natural disasters, risking the complete destruction of your data. Choosing a data center located in a neutral, low-risk region such as the Midwest is one step closer to complete data safety.

Another factor is climate - a region that allows a data center operator to take advantage of natural cooling for most of the year also allows you, as the client, to take advantage of their operating cost-savings. It also reduces the risk of overheating and potential hardware failure that could affect your data availability.

Knowing where your data lives is a key consideration - if your data leaves the country, do you still have control of it? Data centers operating outside of the country do not have to comply with certain compliance expectations, as many are set and enforced within the United States. Once your data travels overseas, it is possible you will be put at risk of a data breach since international vendors are not required to observe our federal security regulations.

Disaster Recovery

Preserving the integrity of information means putting formal data backup and recovery plans in place to ensure data can be accurately and quickly accessed in the event of a disaster or failure. Location is important when it comes to offsite backup and disaster recovery - a copy of your data in a separate location can preserve the integrity of your information.

On-demand data access requires high availability hosting and infrastructure. Choosing a data center operator with a well-designed geographical separation between their data centers helps availability, as well as having multiple power grids to further boost utility resiliency should one power provider experience a prolonged outage.

High Availability

A high availability (HA) hosting infrastructure is imperative to ensuring data is always accessible. HA solutions increase uptime and availability and lower risks. It’s not a matter of “if” something fails, it’s planning for “when” failures happen - and they will. In your evaluation of any data center - yours or a third-party – you should endeavor to identify all of the single points of failure. It’s worth an outside opinion if reviewing your own data center (nothing beats an independent pair of eyes) and when visiting a potential data center hosting provider - ask the hard questions whenever you suspect complete redundancy is not in place.

With HA protection in place, providers can hedge against the loss of electrical power, network connectivity disruptions, router failures, firewall attacks, cooling problems, and have peace of mind knowing data is protected, available, and safe.

A managed hosting solution takes into account several design factors to ensure no single points of failure exist. This is true for the data center infrastructure layer components, as well as the individual servers and components in the rack.

The major design points for a successful secure and reliable hosting implementation include building in redundancies in critical equipment and infrastructure, including:

• Power connections - Dual independent power feeds are run from disparate circuit breakers, to two separate power supplies in the server. Each power supply on a server is plugged into separate power strips in the rack. Power strips with digital amp load readouts aid in monitoring power levels and help avoid tripping a circuit breaker, which would shut down the entire power strip.
• UPS systems - Uninterruptible Power Supplies (UPS) clean and distribute power and provide backup power through a bank of batteries in the event of a power outage. The clean power from the UPS is stable; therefore, any fluctuation in power, both power surge and brown-out, is regulated by the UPS.
• Generators - Each UPS is fed with one or more power feeds from the utility company. The utility power feed is wed to multiple generators that run on either diesel or natural gas. If utility power is lost, the UPS maintain stable power to the racks while the generators start and provide backup power. Fuel supply contracts must be in place from several vendors, and fuel delivery SLAs must be in place.
• Air conditioning – N+1 redundant cooling is in place with environmental monitoring, and scheduled maintenance plans to ensure the data center climate remains in the safe zone.
• Network connections, switch and firewalls - The network connectivity in a managed cloud is designed to replicate the same redundancy as the power distribution so the network and Internet connectivity offer no single source of failure. Each server in the cloud should have at least two separate Network Interface Cards (NICs) that allow the server to connect to the redundant HA network infrastructure. Each NIC in the server is connected to different network switches, which disperse the network connectivity to all servers contained within the cloud.

Each network connection is connected to a pair of redundant firewalls, which protects traffic on each segment of the network from intruders and security threats. Additionally, each firewall connection is connected to separate routers and network access switches. These routers are then connected to multiple Internet Service Providers (ISPs) to provide diverse network paths to and from the Internet.

Cloud Computing

Server and storage devices

A high performance managed cloud relies on top notch technology for server hosts and SAN storage. Virtualization technologies like VMware (in its fifth generation) dominate the market for applications that require a high degree of resiliency, security, and scalability. The ability to scale up and down servers as needed also introduces flexibility into the managed cloud architecture, so that clients can be responsive to the needs of their end-users.

VMware backed by name-brand SAN and server technology create the server and storage platforms necessary to deliver highly available cloud solutions. Regardless of which brand of hardware is chosen, using multiple server hosts allow VMware to failover to secondary hosts in the event of a hardware failure, keeping critical systems online in the cloud.

And finally, a SAN with multiple redundant controllers and high-speed RAID disk systems are designed to meet the performance and availability needs of virtualization environments for today’s demanding applications. Today’s SANs’ combine intelligence and automation with fault tolerance to provide simplified administration, rapid deployment, enterprise performance and reliability, as well as seamless scalability.

Room to Grow

When choosing a managed hosting company, you want to partner with a business that can give you room to grow. On-demand resources can be deployed rapidly with a managed cloud solution, meaning you can easily scale servers up and down as needed.

Managed Services

With a managed hosting provider, you can take advantage of their managed services to ease the burden on your own IT staff and resources. An investment in managed hosting services means a trained and professional IT team can perform maintenance and updates, freeing up your IT staff to focus on developing your core business and applications. Some of the managed services available when you outsource include:

• Patch Management - Ask your potential vendor if they provide OS patch management as a managed service. Why is patch management important? If your servers aren’t updated and managed properly, your data and applications are vulnerable to hackers and all types of malicious attacks against your systems. Your hosting provider should provide notification of outstanding updates, path installation assistance and offer different levels of patch management for optimal security.
• 24/7 Emergency Response - In the event of unauthorized access or a disaster/failure, your hosting provider should have a responsive, trained support team ready to report and remediate the issue.
• Proactive Server Monitoring - With a remote server monitoring service, you should be able to check the status of your servers even if you’re not located at the data centers. Your hosting provider should have a monitoring service that allows you to check your current disk space or bandwidth usage, and your application, web and database performance, all through a single-pane-of-glass portal.

If you choose to keep your hosting in-house, it is likely you may not have the resources or budget to accommodate all of the features listed above, including the investment in capital and hardware. Keeping operations in-house may require training or hiring of new staff to manage server hardware, storage, virtual servers or data center infrastructure as you work to implement different technologies to achieve data and application security. One example is building an offsite disaster recovery solution – some cloud hosting providers could provide a disaster recovery solution at a significantly lower cost compared to the cost of building it internally.

7.0. Conclusion

Mobile devices and applications have bolstered the productivity and efficiency of workflows across diverse industries while introducing new security risks and integration challenges.

Designing, building and maintaining multiple layers of safeguards with attention to industry security compliance standards such as HIPAA and PCI is essential to making a BYOD environment work in any organization.

Implementing appropriate physical security controls, and selecting key hardware and software for technical security are the first steps toward protecting your data and applications. Investing in administrative security (often overlooked when addressing technology integration) is equally important to address the business-facing concerns of mobile device use, including required and recommended audits, reports, policies, and staff training.

Initially storing data and applications on servers in a secure environment instead of locally on a device can significantly limit risks, while customizing and establishing mobile device use policies and procedures can also reduce the risk introduced by human behavior.

Keeping data privacy, integrity and confidentiality intact while reaping the benefits of mobile device use is possible with the right combination of the proper security tools. Using an audited third-party vendor can also achieve the same results with fewer burdens on your resources. Ultimately, careful planning and informed decisions can strike a balance between security and leveraging the benefits of a mobile device workplace.

8.0. References

8.1. Questions to Ask Your Secure Hosting Provider

1. What specific technical, physical and administrative security controls are used to protect my applications and data? Are they considered best practice in the industry for mobile security?

____________________________________________________________________________

____________________________________________________________________________

____________________________________________________________________________

2. Who performed your independent audits (SSAE 16, SOC, HIPAA and PCI) and do you provide copies of your audit reports?

____________________________________________________________________________

____________________________________________________________________________

____________________________________________________________________________

3. If disaster strikes, how long will it take before my data is available again?

____________________________________________________________________________

____________________________________________________________________________

____________________________________________________________________________

4. Do you have documented policies and procedures?

____________________________________________________________________________

____________________________________________________________________________

____________________________________________________________________________

5. Do your employees undergo security training and when were they last trained?

____________________________________________________________________________

____________________________________________________________________________

____________________________________________________________________________

6. For healthcare companies - do you sign a BAA (business associate agreement) with documented and communicated policies?

____________________________________________________________________________

____________________________________________________________________________

____________________________________________________________________________

8.2. Data Center Standards Cheat Sheet

SAS 70

The Statement on Auditing Standard No. 70 was the original audit to measure a data center’s financial reporting and recordkeeping controls. Developed by the AICPA (American Institute of CPAs, there two types:

● Type 1 – Reports on a company's description of their operational controls

● Type 2 – Reports on an auditor's opinion on how effective these controls are over a specified period of time (six months)

SSAE 16

The Statement on Standards for Attestation Engagements No. 16 replaced SAS 70 in June 2011. A SSAE 16 audit measures the controls relevant to financial reporting.

• Type 1 – A data center’s description and assertion of controls, as reported by the company.
• Type 2 – Auditors test the accuracy of the controls and the implementation and effectiveness of controls over a specified period of time.

SOC 1

The first of three new Service Organization Controls reports developed by the AICPA, this report measures the controls of a data center as relevant to financial reporting. It is essentially the same as a SSAE 16 audit.

SOC 2

This report and audit is completely different from the previous. SOC 2 measures controls specifically related to IT and data center service providers. The five controls are security, availability, processing integrity (ensuring system accuracy, completion and authorization), confidentiality and privacy. There are two types:

• Type 1 – A data center’s system and suitability of its design of controls, as reported by the company.
• Type 2 – Includes everything in Type 1, with the addition of verification of an auditor's opinion on the operating effectiveness of the controls.

SOC 3

This report includes the auditor’s opinion of SOC 2 components with an additional seal of approval to be used on websites and other documents. The report is less detailed and technical than a SOC 2 report.

HIPAA

Mandated by the U.S. Health and Human Services Dept., the Health Insurance Portability and Accountability Act of 1996 specifies laws to secure protected health information (PHI), or patient health data (medical records). When it comes to data centers, a hosting provider needs to meet HIPAA compliance in order to ensure sensitive patient information is protected. A HIPAA audit conducted by an independent auditor against the OCR HIPAA Audit Protocol can provide a documented report to prove a data center operator has the proper policies and procedures in place to provide HIPAA hosting solutions.

No other audit or report can provide evidence of full HIPAA compliance.

8.3. Mobile Security Checklist

• Establish mobile device use policies and procedures.
• Conduct mobile device and general security training for all employees.
• Do your due diligence in vetting your managed hosting provider (ask them the questions in 8.1 and review all audit reports).
• Implement best practice technology to secure your hosting environment.
• Follow mobile security best practices, including creating secure passwords, enabling tracking and remote wipe device, data encryption, etc.
• Never store sensitive information locally on a mobile device.

8.4. BYOD Case Study

One successful example of implementing a compliant BYOD (Bring Your Own Device) environment was presented at Online Tech’s Fall into IT 2012 technology seminar. Kirk Larson, Vice President and Chief Information Officer (CIO) at Children’s Hospital Central California, explained how he leveraged a virtual desktop infrastructure to integrate mobile device use seamlessly into the hospital’s workflow.

Who: Children’s Hospital Central California, a 348 bed pediatric hospital in California’s Central Valley, with a medical staff of 525 physicians practicing in over 40 subspecialities. The hospital is one of the 10 largest children’s hospitals in the U.S. Children’s performs more than 11,000 surgeries a year and sees more than 67,000 emergency room visits annually.

Technical environment: Children’s environment runs Dell, VMware, NetApp, Cisco, and manages .5 PB (petabytes) of data, 10,000 network elements, 8,500 user accounts and 300 servers. Like most operations, they are a Microsoft Windows shop, Lenovo, HP, Panasonic, etc. On the application side, the hospital uses Meditech 5.65 client/server, and is meaningful use stage 1 certified. They use Lawson for their ERP (Enterprise Resource Planning) and Picis in operating rooms.

Electronic healthcare system implementation: In 2011, the hospital went live with Advanced Clinical Systems (ACS.) This included electronic nursing documentation and CPOE (computerized physician order entry). This fundamentally changed the way care was delivered and changed requirements for ITS (information technology services) based on an increase in both users and different devices.

Virtual Desktop Infrastructure: The hospital had three concerns: the security around mobile devices; the exponential increase in number of clinical users; and resource effectiveness (how to best leverage the resources they already have, and the resources they will require over time.) Children’s decided to leverage their virtual desktop infrastructure (VDI) to support these concerns. The hospital was one of the first hospitals in the nation to use VMware View Client for iPads, which allows for secure access to a virtual desktop with the ability to deliver services from your cloud. ^[28]

What are some BYOD issues?

• Multiple device preferences - From tablets to laptops to smartphones, different employees use different types of devices for different purposes.
• Different applications works differently with different devices - Not all vendors have caught up with the capability of today’s mobile devices. Using tablets in healthcare is good for static data review (i.e. x-rays,) but if tablets are relied on for heavy data entry, the screen and keyboard may not be the best device for the task.
• Different workflows - A dietician may favor an iPad because he or she is reviewing data instead of entering data. An iPad’s design allows for ease of viewing images and data, despite not being suitable for extensive data entry.
• Cost - The initial reaction is that there will be cost savings in buying devices, licenses, antivirus software, etc., since people will be using their own. While this is true to an extent, there is additional investment in the VDI on the backend. So, there is a net savings, but there are still costs and the program will not eliminate all devices from the IT budget.
• Safeguarding of data - Using BYOD, it is essential that data is safe and secure, and should never reside on the actual device.

What was their solution?

The hospital leveraged their existing VDI environment. By installing a VMware view client on a device, users can securely access their virtual desktop on the backend. Although they run Windows, if a user’s device preference is an iPad, the user can install the client and access their Windows-based desktop from their Apple device. Regardless of where and from which device a user accesses the virtual desktop, the familiar look and feel of the application allows for consistency throughout the IT environment. The follow-me feature allows users to switch between hospital-provided and personal devices while maintaining their open applications.

BYOD Policies

The hospital rolled out their BYOD environment in early 2012 in a pilot phase. Their mobile device policies were developed with input from their end user community and the IT team engaged them in the process of creating the environment.

One policy example is the defining of IT support for a BYOD environment. ITS supports device connectivity to the VDI, but not the device itself (i.e. helping with iTunes). While the BYOD environment was designed with physicians in mind, any clinical user can access this resource.

One physician concern was the question of what type of images and content should be available and displayed on the mobile devices. Physicians also wanted the full versatility of using any type of device securely in the workplace, and they did not want to be limited to using a certain type or model of device.

Considerations: Customer Support

• Users have multiple device preferences - BYOD enables the same customer experience on different devices
• ITS team will see multitude of devices - Offer high level training but focus on connectivity
• Device will be used outside of the hospital - Enforce the same infection control measures
• Cost of devices - BYOD shifts many costs out of IT

Considerations: Applications

• Applications work differently on different platforms - Device strategy might be ahead of software vendors
• Not all applications may be needed or wanted on BYOD
• Should exempt and nonexempt employees have the same access? From a policy perspective, the answer is no. Sometimes leveraging policy instead of technology is preferable.
• Accessing one common VDI image - Ensure buy-in on what initial image includes.

Considerations: Infrastructure

• Potential spike in number of VDI sessions - Provision sessions in advance or limit sessions.
• Potential decrease in number of purchased devices - Initial cost savings, but some reinvestment in VDI necessary.
• How best to leverage VDI - Some user training is necessary.

Considerations: Security

• Allowing user purchased devices on network - Partition existing network or create separate network.
• Confidential data - Adopt VDI or similar solution that prevents data from being on the device.
• How device is used - Leverage policy in addition to technology.

Concluding Thoughts: Things to Think About with BYOD

Prepare to lose some sense of control with BYOD. Users will bring in a variety of devices, and IT has to be prepared to host whatever they choose to use. It’s important to set ground rules on what to support; i.e. supporting only the connectivity of the device. Consider scalability and how to support an exponentially growing number of sessions and users. Securing data is easier when data is never stored locally on the device, so if the device is stolen or lost, data cannot be accessed or lost.

Kirk Larson, Vice President and Chief Information Officer, Children’s Hospital Central California

Kirk Larson is the Vice President and Chief Information Officer of Children’s Hospital Central California, one of the 10 largest pediatric hospitals in the country. Kirk has spent his entire career in healthcare and / or technology. He has consulting experience with the Big Five firm Arthur Andersen; vendor experience with the largest pure play HCIS company, Cerner Corporation; and provider experience as the CIO of two different hospitals in California.

Kirk holds a Master of Business Administration and Master of Health Services Administration from the University of Michigan, and a Bachelor of Science in mathematics from North Central College.

View Kirk’s full presentation, BYOD: From Concept to Reality, with respective slides:

http://www.onlinetech.com/events/fall-into-it

9.0. Contact Us

Contact us for more information if you still have questions about mobile security, secure hosting, or our compliant data centers.

Visit: www.onlinetech.com

Email: This email address is being protected from spambots. You need JavaScript enabled to view it.

Call: 734.213.2020

…(continue reading)

Online Tech’s Midwest Advantage: Dedicated to Serving Our Neighbors

Visit the resources in our Midwest technology library to learn more about the wide range of hosting solutions we offer, including colocation, managed dedicated servers, cloud hosting and disaster recovery. 

Have questions? Call us at 734.213.2020, email This email address is being protected from spambots. You need JavaScript enabled to view it. , or use our handy Contact Form. Or, Chat with our team now.

Midwest Resources
	Midwest Technology Topics How Midwest Colocation Can Benefit Your Business Making Long Distance Colocation Easy Midwest Data Center Disaster Recovery What to Look for in a Midwest Disaster Recovery Provider Michigan Hosting Providers Offer Cost-Effective IT Security for SMBs Michigan Cyber Initiative Reports 'People' As Weakest Link in IT Security Michigan Disaster Recovery & Hurricane Sandy: Podcast Online Tech Raises Capital to Expand Across the Midwest Press Release
	Presentations BYOD (Bring Your Own Device) Case Study The Impact of Compliance The Mobile Explosion: What Does it Mean for You, Your Business, and Michigan's Economy The Promises and Challenges of Mobile Health
	White Papers HIPAA White Paper - Learn about the specific HIPAA requirements for HIPAA hosting with IT vendors. PCI White Paper - Learn about PCI hosting requirements, recommendations, and the foundation of a secure PCI compliant data center.
	Webinars Applying OCR Audit Standards to HIPAA Risk Assessments It's About the Data, Stupid! Real World Mobile Security FDA Regulation of Mobile Health Devices Using Cloud EMRs to Achieve Meaningful Use on a $0 Budget Incident Response and 2012 Cyber Threats & Security

…(continue reading)

Online Tech’s Deep Michigan Roots: Economic Gardening at its Finest

Established in 1994, Online Tech has evolved to become one of Michigan’s largest managed data center operators, providing multi-tenant hosting. We’re dedicated to serving local Michigan businesses and provide a significant advantage over East and West coast providers with the strategic design of our facilities - find out why by visiting Michigan Data Centers.

Have questions? Call us at 734.213.2020, email This email address is being protected from spambots. You need JavaScript enabled to view it. , or use our handy Contact Form. Or, Chat with our team now.

Michigan Resources
	Michigan Technology Topics Improving Michigan Healthcare IT Security Michigan Disaster Recovery Michigan Hosting Providers Offer Cost-Effective IT Security for SMBs Michigan Cyber Initiative Reports ‘People’ As Weakest Link in IT Security Advancing Michigan Business with Cloud Computing Michigan HIPAA Violations How Michigan Colocation Can Benefit Your Business
	Presentations BYOD (Bring Your Own Device) Case Study The Impact of Compliance The Mobile Explosion: What Does it Mean for You, Your Business, and Michigan's Economy The Promises and Challenges of Mobile Health
	White Papers HIPAA White Paper - Learn about the specific HIPAA requirements for HIPAA hosting with IT vendors. PCI White Paper - Learn about PCI hosting requirements, recommendations, and the foundation of a secure PCI compliant data center.
	Webinars Applying OCR Audit Standards to HIPAA Risk Assessments It's About the Data, Stupid! Real World Mobile Security FDA Regulation of Mobile Health Devices Using Cloud EMRs to Achieve Meaningful Use on a $0 Budget Incident Response and 2012 Cyber Threats & Security

As the leader in the state’s multi-tenant hosting market, we continue to make investments to sustain a 30 percent plus annual growth and support our clients in many diverse industries.

Visit the resources in our Michigan technology library to learn more about the wide range of hosting solutions we offer, including colocation, managed dedicated servers, cloud hosting and disaster recovery.

…(continue reading)

…(continue reading)

Online Tech is the ideal Illinois data center disaster recovery provider, with our fully compliant and secure Michigan data centers strategically situated 53 miles apart and located on two separate power grids.

With over 60,000 square feet of data center space, our Michigan data centers are conveniently located in Ann Arbor and Mid-Michigan and interconnected through Gigabit fiber. Our facilities are close enough to Illinois businesses for easy travel, but distant enough for the ideal disaster recovery solution.

All critical equipment is N+1, or fully redundant. Using multiple Internet Service Providers (ISPs), connectivity takes fully redundant paths with automatic failover between providers and circuits should anomalies occur with any Internet connection. Each data center boasts 100 percent fully redundant Cisco networks with automatic failover.

Online Tech offers several complete Illinois data center disaster recovery solutions, including:

Offsite Backup

Online Tech delivers a comprehensive range of solutions for Illinois data center disaster recovery needs, including budgetary and recovery time objectives (RTO), starting with offsite backup as the baseline for data protection. Whether you’re using colocation, managed servers, or cloud computing, you can backup your data offsite to another Online Tech data center for a simple monthly fee.

Disaster Recovery in the Cloud

Disaster recovery options open up for our cloud computing clients. Our managed cloud and private cloud clients can replicate their entire environment to a disaster recovery cloud with no special configuration or programming with our comprehensive disaster recovery solution, DR Now! DR Now! delivers 4 hour recovery times.

SAN-to-SAN Replication

Our most advanced and comprehensive disaster recovery option allows our private cloud clients to leverage our SAN-to-SAN replication for even faster recovery times and a solution that can failback gracefully to production once the disaster event is over.

Need help deploying an Illinois data center disaster recovery solution? Contact us today.

…(continue reading)