Archive - Healthcare IT RSS Feed

Should an MSP Grow by Going Vertical?


Vertical markets are a great way to expand your business. Going after more and more clients no matter their industry is also a great way to expand your business. And doing both at once isn’t a bad approach either.

So how do you figure out what to do? As an MSP professional that is really your call. Rather than telling you what to do, we’ll talk about the value, and the protective value, of being a vertical MSP.

A big reason to go vertical is that you aren’t just selling your expertise in managing and securing general-purpose systems. Instead you can make these systems shine in particular industries, such as finance, public companies and healthcare – all three of which require compliance expertise.

Let me ask a simple question. If you are selling to a college and have educational expertise, do you have a better chance of sealing the deal than a general business MSP? Of course you do. You have a massive advantage in winning that new business. In a case such as this, would you rather be a commodity or an expert?

Continue Reading…

Hidden HIPAA Traps


How You Can Become a Healthcare MSP Master

Many industries have compliance rules, but few are as strict as the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

While HIPAA is a set of U.S. regulations, many countries have similar rules.

When it comes to these complex rules, healthcare companies can’t always go it alone. It helps to have a trusted partner who is expert in all things HIPAA, such as an MSP with a vertical health care focus.

The good news for MSPs is that your HIPAA expertise lets you sell services at a premium – compliance is just that important.

Continue Reading…

Eight Steps to Better Security with Patch Management Automation

How do you make a hacker happy? Make sure your systems aren’t patched with the latest fixes. Verizon’s 2015 Data Breach Investigations Report found that 99.9% of exploited vulnerabilities were compromised more than a year after the vulnerability was published. In fact, 97% of the exploits observed in 2014 traced back to a list of ten published vulnerabilities, and patches were available for all of them. Better patch management could have significantly lowered that number. Patch management is critical for IT managers in all industries, but let’s use the healthcare industry as an example.

Security Breaches Are Costly

In a 2015 survey, healthcare executives reported that in the last two years 81% of their healthcare facilities had been compromised – and less than half felt they were properly prepared to prevent future attacks. In 2013 alone, it is estimated that breaches cost healthcare facilities $1.6 billion and affected millions of patients.
Continue Reading…

Security and Healthcare IT: A HIPAA Compliance Questionnaire


As an MSP in the modern market you’ve likely heard the acronym “HIPAA” thrown about. If any of your customers are healthcare providers, clearinghouses, or businesses that handle electronic protected health information (ePHI), then you have almost certainly heard of HIPAA compliance.

HIPAA, the Health Insurance Portability and Accountability Act, is a set of United States regulations that apply to covered entities (providers, health plans and clearinghouses) and to the business associates that create, receive, maintain or transmit ePHI on their behalf. If you manage a network or systems that store ePHI for a client, even if you never look at the data itself, you are a “business associate” under the act, are legally required to comply with it, and can be held liable in the event of a data breach.

This means that if you do, or intend to, support clients in the field of healthcare, then you need to be HIPAA compliant. Even though HIPAA is a piece of U.S. legislation, many countries have similar pieces of legislation with similar requirements.

This leaves us with a key question: What does HIPAA compliance require when it comes to IT security, identity, and access management?

Fortunately, I’ve boiled the answers to this question down into a list of simple yes or no questions you can ask your client. If the answer is no, consider that a bad sign.

Security Policies and Procedures

Policies must be established to handle and manage all security violations. You can ask your clients questions like:

  • Are your employees aware of the penalties that will ensue from security violations?
  • Are internal penalties in place for employees who violate security procedures?
  • Do all your users know what to do in the event of security incidents or issues?
  • Is there a process in place to document, track, and address security issues or incidents?
  • Is there someone tasked with checking all security logs, reports, and records?
  • Do you have a designated security official responsible for password and other security policies?
  • Have you ever undertaken a risk analysis?

Access Management

Access to ePHI must be restricted to those who have permission to access it. You can ask your clients questions like:

  • Do you have measures in place to authorize or supervise access to ePHI?
  • Are there processes for determining the validity of access to ePHI?
  • In the event of employee termination, is their access to ePHI blocked?

Security Awareness Training

HIPAA requires that a security awareness training program must be established for all staff. You can ask your clients questions like:

  • Are employees regularly reminded about security concerns?
  • Do you hold meetings about the importance of password, software, and IT security?
  • Are your employees aware of the procedures for guarding against, detecting, and reporting malicious software?
  • Do you have procedures for regular review of login attempts?
  • Do those procedures check for any discrepancies or issues?
  • Have you established procedures to monitor, manage, and protect passwords?

The Worst Case Scenario

There should be a plan in place for the protection and use of ePHI in the event of an emergency or disaster. You should ask your clients questions like:

  • Are there tested and revised plans in place for an emergency?
  • Have the applications and data needed for these emergency plans been analyzed?
  • In the event of a disaster, can copies of ePHI be made or retrieved?
  • In the event of a disaster, can all ePHI be restored or recovered?
  • In the event of a disaster, will your ePHI be protected?
  • In the event of a disaster, can critical ePHI-related business functions be completed?

Business Associate Contracts

Business associate agreements are required for both ITSPs and MSPs who work in the healthcare setting. Not signing one does not remove your obligations under the law; a written agreement that spells out the duties and liabilities each party has taken on gives you significantly more protection in the event of an investigation, audit, or breach. Documentation is key when it comes to protecting yourself.

Technological and Physical Protection

Procedures that limit physical access to the facilities and equipment that house ePHI need to be in place. It is just as critical that procedures ensure ePHI is accessible only to employees who have permission to see it.

As someone working in an IT role, it is your responsibility to ensure that access to applications and data containing ePHI is limited to authorized users. This is where authentication becomes critical.

One control you can discuss with your client is multi-factor authentication (MFA). With MFA, users log in with a password plus an additional factor such as a fingerprint scan or a one-time code from an authenticator app on their phone. Because the primary login is then much harder to compromise, businesses can also adopt single sign-on (SSO), in which one authenticated identity grants access to multiple applications without a separate password for each. For many businesses that must comply with HIPAA, MFA and SSO together are convenient, practical answers to much of the access-control burden.


Author: Harrison Depner

Strategic Issues in Systems Management Part 2: Mobile


If there is one IT issue C-level managers understand it’s the connection between mobile devices and workforce morale, productivity and agility. After all, most of them are big smartphone users themselves. That raises the question of what to do about BYOD.

One challenge is platform diversity. Gone are the days when IT could enforce a Windows-only or Internet Explorer-only standard. So IT faces the management challenge of bringing all these devices together in a single holistic view, with a common set of metrics and controls, despite their differing technical attributes. The alternative, a separate management view for every platform, defeats the purpose of unified systems management and in practice would be unworkable.

Continue Reading…

Strategic Issues in Systems Management Part 1: Compliance and Security

IT directors looking to engage their company’s C-level leadership on issues of strategic relevance might wish to consider systems management as a worthy topic. Few other activities offer as much enterprise leverage, whether you’re talking compliance, security, mobile, or distributed environments. In part one we look at compliance and security:

Compliance

Systems management is how you enforce compliance when handling information across the enterprise — and a key part of that is policy automation. The ideal scenario is a single dashboard that provides one unified point of control over all IT assets, including remote endpoints such as employee laptops, tablets, and mobile phones. Policy automation, as part of that scenario, means you assert control in a scalable, auditable and timely way — especially if your management tools come with “out-of-the-box” scripts you can tailor rather than build from scratch. Such “out of the box” system management can, for example:

  • Assign multiple policies to each machine
  • Determine which policies are obeyed or ignored if a conflict arises
  • Check that each machine assigned one or more policies is in compliance
  • Show policy status across the organization on a consolidated dashboard
  • Enable manual policy overrides

Security

One of the fastest ways for IT to attract C-level attention, and not in a good way, is to be the target of a successful cyber attack. Yet even though data security is an obvious strategic concern, there’s a temptation to regard the issue as “handled” once a tactical solution, namely data security software, has been adopted. The reality is that addressing data security at a strategic level calls for marrying data security with comprehensive systems management.

In fact, systems management and data security solutions have a complementary relationship. Data security solutions can, for example, detect wireless intrusion, control system access, manage passwords and protect against viruses and spyware. What they can’t do (but good systems management can) is provide a single holistic view of system health, including any security alerts generated by the data security software. That also includes monitoring suspicious spikes in utilization of bandwidth or other resources, conditions that might indicate an attack in progress. It can also provide detailed logging of critical events across all of IT, which, among other things, is vital for reconstructing everything that occurred leading up to a security event. But perhaps most importantly, what good systems management is uniquely qualified to do is monitor software update status (including virus signature updates) and enable patches to be applied easily and automatically across the entire enterprise as needed.

Join us for Part 2 when we talk about how to handle BYOD and most importantly how to secure employees’ personal mobile devices within enterprise system management — without ruffling employee feathers over privacy or ruffling the business’ feathers over data security.


IT Disaster Recovery: Electronic Medical Records Held for Ransom

The idea that electronic medical records are stored with military-grade encryption as part of medical IT disaster recovery ought to be a source of comfort to the people to whom they belong. However, it isn’t as reassuring when hackers are doing the encryption.

Continue Reading…

IT Disaster Recovery Plans for Hospital Administrators


Hurricane Sandy caused devastating effects to both personal and business operations. Coping with its aftermath has been particularly tough for those business professionals whose responsibility is dealing with IT disaster recovery. At Bellevue, New York City’s flagship public hospital, the challenges were nearly insurmountable.

Bellevue planned to stay open during Hurricane Sandy. However, as conditions in the hospital deteriorated in the days following landfall, hospital staff and members of the National Guard evacuated Bellevue’s approximately 725 patients.

Prior to the evacuation, the storm surge flooded elevator shafts, knocked out landline and wireless communications and disrupted the hospital’s supply of running water. The storm surge also flooded the basement and shut down the pumps supplying Bellevue’s backup generators. It was in darkness that hundreds of critically ill patients were successfully evacuated and transferred to other hospitals.

Continue Reading…

Mobile Device Management for the Healthcare IT Industry

Mobile device management in healthcare is on the rise, driven by a new generation of ever-more capable mobile devices, higher bandwidth and higher availability wireless coverage, and the demand from clinicians and patients for more convenient application access. This is an issue which is important to hospital CIOs and healthcare providers.

Continue Reading…

Remote Access for Supporting and Securing Hospital IT Operations

Hospitals typically have lean IT staffs tasked with supporting hundreds of employees across multiple departments using dozens of different applications from many different software vendors. Each of these applications routinely requires remote access for maintenance, patches, troubleshooting and software upgrades. In addition to supporting the ongoing operation of the hospital, IT staffs must manage these activities without compromising hospital IT security.

Continue Reading…
