Monday, February 13, 2012

IT Consulting Companies Houston


Cloud computing can and does mean different things to different people. The characteristics most definitions share are on-demand scalability of highly available, pooled computing resources; metered services that can be reached securely from nearly anywhere; and the relocation of data and services from inside the organization to outside it. Parts of this vision have been realized, but cloud computing remains a work in progress. The National Institute of Standards and Technology (NIST) guidelines on security and privacy in public cloud computing (SP 800-144) place ultimate accountability for the security and privacy of outsourced services on the customer organization, not the provider. It is hard for the customer to see what insider threats exist on the provider's side or how virtualization security is being handled, and most providers are loath to document what controls they have put in place, if any. In the end, who is responsible for cloud security? THE CUSTOMER, says NIST.

Where would you rather drop your wallet - on the hallway of your home, or on a busy sidewalk downtown?

Similarly:

- Where would you rather have a tire blowout? On your driveway or on a public street?

- Where would you rather throw away a hard disk you haven't completely erased - or paper documents poorly shredded - in your private dumpster, your fireplace, someone else's dumpster, or a public recycle bin?

- Where would you rather talk about corporate secrets? In your conference room, or your ISP's conference room?

- Which is the bigger loss: one plane carrying 300 passengers crashes, or one of 300 planes each carrying a single passenger crashes? Concentrating everyone's data in one place concentrates the consequences of a single failure. And where is your laptop less likely to get stolen, your shoulder less likely to be surfed, your body less likely to catch a cold: at home, or in a crowd?

- Where would you rather type your password, with the risks that accompany that action: from your desk to the server room in a building occupied exclusively by you, or from your desk to another company's server room in another city?

Clouds deliver their cost benefits, which go almost entirely to their owners, by sharing resources among tenants. The flip side of the same coin is that they give up every benefit that comes from the opposite: user-owned, dedicated resources.

So:

- Your network traffic now crosses shared infrastructure and can be observed by the provider, or by another tenant if isolation fails, whereas on your own switched network it was yours alone

- You can no longer wipe or destroy the physical disks your data lived on when you are done with them, whereas you could before; at best you can encrypt the data and destroy the keys

- Your equipment can be seized by the FBI when a neighboring tenant gets investigated, whereas it could not before

- Your security can't be verified to be correct, whereas before it could have been, had you spent the time to do so. Admittedly, by and large, nobody does.


If you're not working with a local IT specialist who is board certified in information security and licensed by the State of Texas, schedule an initial consultation.



The biggest benefit by far, the dollar savings from reduced power and cooling and from oversubscription, goes to the cloud owner, not the customer. Learn the facts and get a professional involved before committing your proprietary assets to an environment you do not control.

Sunday, February 12, 2012

HIPAA 5010 Grace Period and HIPAA Best Practices for CEs

HIPAA 5010 (the ASC X12 version 5010 transaction standards) is the new standard regulating the electronic transmission of health care transactions; it took effect January 1, 2012. In a statement dated Thursday, November 17, 2011, CMS (the Centers for Medicare & Medicaid Services) granted a 90-day period of enforcement discretion before it enforces the new standard. The official document can be viewed online: http://www.cms.gov/ICD10/Downloads/CMSStatement5010EnforcementDiscretion111711.pdf
The transactions specified in the HIPAA 5010 standards are as follows:
270/271 Eligibility, Coverage or Benefit Inquiry and Response
276/277 Health Care Claim Status Request and Response
820 Payroll Deducted and Other Group Premium Payment for Insurance Products
834 Benefit Enrollment and Maintenance
835 Health Care Claim Payment/Advice
837 Health Care Claim (Professional, Institutional, and Dental)
The entities required to upgrade are physicians, hospitals, payers, clearinghouses, pharmacies and dentists. Software vendors will need to upgrade their products to support the 5010 transmission standard, and practices must ask their vendors which technology upgrades will take place and what additional costs those upgrades will incur. CMS provides an implementation guide and more details on 5010 at http://www.cms.gov/ElectronicBillingEDITrans/18_5010D0.asp, which will help practices conduct a gap analysis comparing the old 4010 standard with the new 5010 standard.
The American Medical Association provides a wealth of free resources at www.ama-assn.org/go/5010. The AMA's fact sheet on planning and implementing the HIPAA 5010 standard recommends the following steps:
1. Impact Analysis – Conduct an internal impact analysis to determine how much the switch to 5010 will change your current business practices and systems.
2. Contact Your Vendors, Payers, Billing Service and Clearinghouse – Ask your vendors for specific details on system upgrades, when they expect the upgrades to be completed, and when they will be able to accept 5010 transactions.
3. Installation of Vendor Upgrades – Schedule the system upgrades according to your vendors' readiness, and confirm that the installation of each upgrade is complete.
4. Internal Testing and Staff Training – Once the upgrades are in place, test your systems internally to ensure you can generate and handle 5010 transactions. Leave a margin of time for issue resolution and for staff training on the new system.
5. External Testing with Clearinghouse, Billing Service and Payers – Arrange external testing with your trading partners to ensure you can send and receive transactions properly.
6. Make the Switch to 5010 – After completing external testing, you may switch to using only 5010 transactions.
Any claims or bills your practice submits after January 1, 2012 that are not in the HIPAA 5010 format will be rejected, but during the enforcement discretion period your practice can resubmit them in the compliant 5010 format without being subject to a penalty. Smaller payers and Medicaid carriers in particular will probably welcome this grace period. Physician groups and hospitals may have to continue filing some claims in the current 4010 format alongside the 5010 format, unless their clearinghouses can translate claims back to 4010.
HIPAA Best Practices for Covered Entities:
  • Have sound company policies in place and well documented. These include (but are not limited to) data management, security (administrative, physical and technical safeguards), hiring, and outsourcing to third parties. Doing this from the ground up builds a solid foundation for running your practice, ties directly into HIPAA compliance, and saves your practice money in the future.
  • Have a sound electronic usage policy in place; require all staff to read it, sign and date it, and keep the signed copy in their personnel files.
  • Document and follow a sound password policy covering computer logins, access to ePHI (electronic protected health information), and so on.
  • Have a mobile device policy in place. Laptops, smartphones, USB drives and other portable devices that hold ePHI should be required to be encrypted. The encryption keys and recovery credentials, not the choice of algorithm, are what must be restricted to a select few in the organization.
  • Document a disaster recovery plan and a business continuity plan.
  • Have an IT disposal policy in place for obsolete equipment. If you outsource your information technology, make sure the provider follows HIPAA guidelines. This includes, but is not limited to, performing a DoD 5220.22-M style multi-pass wipe of the hard drives before redeploying a workstation that previously held ePHI or other sensitive information. It also covers copiers and fax machines, many of which contain hard drives. You would be surprised how many copiers and fax machines are returned to the leasing company at the end of the lease with sensitive data still on that drive. Most of them are resold once they have reached the end of their service life, and data on the drive is easily recovered by anyone with the know-how.
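As an added example, not part of the original post or of any vendor's tooling, the following POSIX shell script performs the three-pass overwrite commonly attributed to DoD 5220.22-M (a fixed byte, its complement, then random data), adds a final zero pass, and then reads the whole target back to confirm that every byte is zero. It assumes the `head`, `tr`, `dd` and `cmp` utilities found on GNU and BSD systems, and `blockdev` when the target is a Linux block device; `/dev/sdX` is a placeholder for the unmounted drive being retired.

```shell
#!/bin/sh
# Added example: multi-pass overwrite plus read-back verification of a disk
# (or, for demonstration, a regular file). Run as root against an UNMOUNTED
# whole device such as /dev/sdX. Do not use it on a single file that sits on
# a journaling or copy-on-write filesystem: old copies of the blocks may
# survive elsewhere on the disk.
set -u

# Size of the target in bytes. blockdev is preferred for block devices,
# because wc would otherwise read the entire device just to count it.
target_size() {
    if [ -b "$1" ] && command -v blockdev >/dev/null 2>&1; then
        blockdev --getsize64 "$1"
    else
        echo $(($(wc -c < "$1")))
    fi
}

# Write everything on stdin over the target in place (no truncation).
write_over() {
    dd of="$1" bs=64k conv=notrunc 2>/dev/null
}

# Pass 1: 0x00, pass 2: 0xFF (complement), pass 3: random data.
# A final zero pass leaves a state that verify_zeroed can check cheaply.
wipe_target() {
    target=$1
    size=$(target_size "$target")
    head -c "$size" /dev/zero    | write_over "$target"
    head -c "$size" /dev/zero    | tr '\000' '\377' | write_over "$target"
    head -c "$size" /dev/urandom | write_over "$target"
    head -c "$size" /dev/zero    | write_over "$target"
    sync
}

# Read the target back and compare it byte for byte against a zero stream
# of the same length. Exit status 0 only if every byte read back is 0x00.
verify_zeroed() {
    target=$1
    size=$(target_size "$target")
    head -c "$size" /dev/zero | cmp -s "$target" -
}

# Usage: sh wipe.sh /dev/sdX
if [ "$#" -eq 1 ]; then
    wipe_target "$1" && verify_zeroed "$1" && echo "wipe verified: $1"
fi
```

Two caveats a practitioner should keep in mind. Overwriting is only meaningful on conventional magnetic drives: SSDs and hybrid drives remap sectors internally, so an overwrite may never reach the cells that held ePHI and the read-back check proves nothing about them; use the drive's own secure-erase command or destroy the device. The DoD 5220.22-M overwrite patterns come from an older edition of that document, and NIST SP 800-88 is the current reference for media sanitization; copiers and other leased multifunction devices usually require the manufacturer's sanitization procedure rather than a script like this one.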


Friday, February 10, 2012

Houston HIPAA, EMR, EHR, PPM



With HITECH extending a Covered Entity's liability to its Business Associates, how are you ensuring your Business Associates are compliant, in order to mitigate risk to your organization?


You could similarly ask how a CE maintains the "satisfactory assurances" required by the HIPAA Security Rule and Privacy Rule. Having the contractual right to audit a BA's security procedures may only create more liability if it is never exercised and no audits or reviews are done. Most BAs would not be eager to share their risk analyses with CEs, and it is not realistic to perform an onsite audit of all of your BAs. The only practical approach is to survey them and ask for their privacy and security policies and procedures, including training, how they protect data, and the rest of their compliance plan. The real issue is then retaining what they give you alongside your own compliance documentation. The bottom line for a compliance plan is not only what you put in it to show due diligence but also making sure the right people in your organization have access to it. There are cost-efficient ways to do this, and if you are not doing it and your BA is breached, you can be sure regulators will find you in willful neglect.



An alternative to requiring a copy of an annual risk assessment or conducting your own audits is to require an annual attestation of compliance from an accredited third-party auditor. This may be acceptable to a BA that is reluctant to share actual audit data. Put a process in place to have the attestation reviewed by someone in your own IT security department or compliance office, and keep it on file. The cost of such an exercise might be shared, but if the BA does business with many healthcare organizations it will likely absorb it as overhead, since it would need to do this across the board.