December 2017 – Two Ears One Mouth IT Consulting

HIPAA- The Who, When and What’s its primary purpose?

December 20, 2017 by Jim Conwell, posted in Business Practices, Cloud and IT Consultants, disaster recovery, IT Regulation

The Health Insurance Portability and Accountability Act (HIPAA) was signed into law by President Bill Clinton in 1996, it has since created some of the most sweeping changes in healthcare reform at that time and for many years after. HIPAA was designed to eliminate discrimination by protecting and securing patients’ health data. This law has since grown into a government regulation with a much larger scope and focus on information technology as it relates to healthcare. HIPAA’s three primary functions are:

Protect the privacy and provide security for Protected Health Information (PHI).
Increase the efficiency and effectiveness of the healthcare system.
Establish standards for accessing, sharing and transmitting PHI.

HIPAA was originally segmented into 3 primary components: the Privacy Rule, the Security Rule, and the Enforcement Rule. Several years later it was amended to include the Health Information Technology for Economic and Clinical Health Act (HITECH) and the Omnibus Rule.

The Privacy Rule

The Privacy Rule was designed to protect and keep private all of our Protected Health Information (PHI). PHI includes information such as a patient’s street address, city, birth date, email addresses, social security numbers or any type of identifiable information obtained in the process of receiving care. Individuals may be charged with either civil or criminal penalties for violating HIPAA privacy rules.

The primary goal is to protect individuals’ PHI while promoting an efficient “flow” of information. It applies to covered entities, which are defined as hospitals, doctor’s offices, insurance companies or any organization that accepts health insurance. It also applies to business associates; organizations that create, maintain or transmit PHI on behalf of a covered entity. These entities must protect any PHI transmitted in any form: electronic, oral or written.

The Privacy Rule also allows for an individual’s personal right to access, review and obtain copies of their PHI. In addition, it authorizes the right to amend or request restrictions on the use of their PHI. As a part of the Privacy Rule, covered entities and business associates are required to appoint a privacy officer, complete workforce training on HIPAA compliance and construct business associate agreements with any entity with whom you are disclosing or sharing information.

The Security Rule

The Security Rule sets standards for covered entities and business associates for the security of electronic health information.

The Security Rule has three primary components:

Administrative safeguards– These begin the security management process by identifying a security officer and performing a risk assessment. The goal is to evaluate risk and make sure only authorized personnel can access PHI. Also, contingency and business continuity plans must be addressed and documented in the event of a disaster or disruption of business.
Physical safeguards – These cover facility access controls (badges), alarms and locks. Any PHI data must be encrypted at rest and in motion and have adequate passwords. The use of tablets, phones, etc. must also be considered.
Technical safeguards- These include audit controls (SSAE), which record and monitor transactions, password, pins or biometrics.

All security Information must be documented and accessible on demand. It is required to be updated and archived for 6 years.

The Enforcement Rule

The Enforcement Rule sets the standards for penalties in the event of a HIPAA violation or breach. Initially, there were very little violations reported or penalties assessed. Today, there are still not many penalties compared to the actual violations, which occur frequently.

Most common infractions include:

Unauthorized disclosures of PHI
Lack of protection of health information
Inability of patients to access their health information
Disclosing more than the minimum necessary protected health information
Absence of safeguards for electronic protected health information

The following are the covered entities required to take corrective action to be in voluntary compliance according to HHS:

Private practices
Hospitals
Outpatient facilities
Group plans such as insurance groups
Pharmacies

(source: hhs.gov/enforcement, 2013)

HITECH and the Omnibus Rule

In 2009 Congress passed an amendment to HIPAA: the Health Information Technology for Economic and Clinical Health Act (HITECH). This amendment was designed to reduce cost and streamline healthcare through information technology. HITECH expanded HIPAA and implemented new requirements for the protection of PHI in Information Technology.

In 2013 HHS office of civil rights issued “the final rule” or Omnibus as a means of implementing the changes of HITECH. HITECH changes included:

It allowed for changes requested to PHI by individuals and required direct approval before the sale of PHI.
Business Associates became directly liable and are required to provide items such as workforce training, privacy officer and risk assessment. HITECH also assigned liabilities to subcontractors of business associates.
All breaches to HIPAA must be reported to affected individuals as well as the secretary of HHS. An additional risk assessment must then be completed for each breach.
HITECH introduced a tiered approach to breach penalties with recurring infractions in the same year totaling up to $1,500,000. It also gave the state Attorney General the power to enforce HIPAA violations.

HIPAA is one of the most sweeping and all-encompassing changes to ever impact the Healthcare industry. It has evolved to regulate the use of Information Technology within the scope of healthcare in addition to protecting the privacy of a patient’s PHI. Unfortunately, like most government regulations, it is vague and very difficult to enforce. In contrast, it has created valuable safeguards for the protection of our personal health records and it has encouraged improvements to the flow and integration of healthcare data.

If you need assistance with any current IT projects (Cincinnati or remote), or risk assessment for your practice please contact us at:

Jim Conwell (513) 227-4131 jim.conwell@outlook.com www.twoearsonemouth.net

Project Management, Considering the OutSource

December 12, 2017 by Jim Conwell, posted in Business Practices, Cloud and IT Consultants, open-source software, Software Development

Project Management- Inside or Outsource?

Information Technology (IT) doesn’t deserve the credit for starting the Project Management (PM) process, but no business unit in the enterprises has developed it more. Since computers were introduced into business, and more with the advent of the personal computer, a well-defined process has to be required to keep these tools effective. A skilled Project Manager can guarantee the vision and goals of the project are maintained. In addition, the Project Manager will mitigate security risk and effectively and efficiently use all available resources. They will communicate expectations of responsibility to all team members and make sure the project is completed on time and within the budget.

PM challenges for IT

One reason IT is so challenged with effective PM is the diversity of its projects. Every other business unit is dependent on IT. In larger organizations, the IT will be working directly with finance, sales and the executive suite at the same time. All these groups have unique expectations for IT. Finance may question why the department isn’t running on the latest version of their Enterprise Resource Planning (ERP) software. Sales may wonder how they can use the corporate email to communicate their products and services to their prospects. These requests, in addition to internal infrastructure repair services, keep IT departments overwhelmed and in a reactive mode. These unique and diverse requests have driven IT departments to develop and utilize different PM methodologies some of which are detailed below.

PM Methodologies

Waterfall Method

– The waterfall method is the most common PM methodology as well as the easiest to implement. Each step is developed in a logical order with one step leading to the next. The current step must be completed before the following step begins. Although this method is easy to implement, it can get complicated as the customers need change. A change in the customer’s needs can create a roadblock and set the project off track.
PMI/PMBOK Method

– PM has become so vital to all businesses that a Project Management organization has evolved, the Project Management Institute (PMI). Some managers have taken PMI’s conventions and used them to develop a methodology. Their primary conventions, or steps in the project process, are: initiating, planning, executing, controlling and closing. While this creates a very broad methodology, these five standards are universally accepted.
Agile Method

-The Agile method is a product of the 21st century. It was created out of the need to collaborate with your customer through the project process. Agile collaboration is valued over following a rigid plan. Project objectives are developed by the customer and the final deliverable will most likely change the process. Agile has many flavors, or sub-categories, of its methods. The most popular Agile framework to date is Scrum. Scrum is a team-based process with the team led by the Scrum Master. A Scrum Master’s primary focus is to support the team by clearing obstacles and making sure the work is getting completed in the most efficient manner. The teams meet frequently and will break down segments of the project into units called sprints. Agile, and Scrum, allows for flexibility and quick development that many times lead to a satisfied customer.

While all these methodologies will work in IT projects, each has its own set of circumstances where it is the best fit. Many articles have been written about PM and its methodologies including online training and certifications. This free information is valuable, however, the greatest value comes from an seasoned project manager that has experience with successful implementations. Finally, the most important thing to know is that Project Management is a process, and as well know, processes can always be made better.

If you need assistance with your current IT project (Cincinnati or remote), please contact us:

.Jim Conwell (513) 227-4131 jim.conwell@twoearsonemouth.net www.twoearsonemouth.net

Project Management Consider the (Out)Source

December 12, 2017 by Jim Conwell, posted in Uncategorized

project-management-flow-chart Information Technology (IT) doesn’t deserve the credit for starting the Project Management (PM) process, but no business unit in the enterprises has developed it more. Since computers were introduced into business, and more with the advent of the personal computer, a well-defined process has to be required to keep these tools effective. A skilled Project Manager can guarantee the vision and goals of the project are maintained. In addition, the Project Manager will mitigate security risk and effectively and efficiently use all available resources. They will communicate expectations of responsibility to all team members and make sure the project is completed on time and within the budget.

PM challenges for IT

PM Methodologies

Waterfall Method– The waterfall method is the most common PM methodology as well as the easiest to implement. Each step is developed in a logical order with one step leading to the next. The current step must be completed before the following step begins. Although this method is easy to implement, it can get complicated as the customers need change. A change in the customer’s needs can create a roadblock and set the project off track.
PMI/PMBOK Method– PM has become so vital to all businesses that a Project Management organization has evolved, the Project Management Institute (PMI). Some managers have taken PMI’s conventions and used them to develop a methodology. Their primary conventions, or steps in the project process, are: initiating, planning, executing, controlling and closing. While this creates a very broad methodology, these five standards are universally accepted.
Agile Method– The Agile method was developed as a software tool in the early 21^st century. It was created out of the need to collaborate with your customer through the project process. Agile collaboration is valued over following a rigid plan. Project objectives are developed by the customer and the final deliverable will most likely change the process. Agile has many flavors, or sub-categories, of its methods. The most popular Agile framework to date is Scrum. Scrum is a team-based process with the team led by the Scrum Master. A Scrum Master’s primary focus is to support the team by clearing obstacles and making sure the work is getting completed in the most efficient manner. The teams meet frequently and will break down segments of the project into units called sprints. Agile, and Scrum, allows for flexibility and quick development that many times lead to a satisfied customer.

If you need assistance with your current IT project (Cincinnati or remote), please contact us:

.Jim Conwell (513) 227-4131 jim.conwell@outlook.com www.twoearsonemouth.net

COMPLIANCE, SECURITY AND GOVERNMENT REGULATION Can your business stay current?

December 4, 2017 by Jim Conwell, posted in Cloud and IT Consultants, IT Regulation, IT Security

In this time of IT security breaches, businesses of all sizes have become aware of the consequences of not having a solid IT framework and security policy. What previously was a concern for only large enterprises has now become a challenge all businesses share. Government regulation, such as the Health Insurance Portability and Accountability Act (HIPAA), have mandated compliance for the security of Protected Health Information (PHI) for any size of enterprise that stores PHI. A recent trend has been for large enterprise to relay their compliance and security requirements downstream to their suppliers which may be smaller businesses. One of the initial causes for this was the Target breach. Target, who was fully compliant with their regulatory environment,[1] (PCI DSS), was breached through an HVAC vendor. This Target business partner was primarily responsible for compromising credit card information for millions of its customers and causing large scale damage to Target’s finances and reputation. To learn more about the total cost of a data breach please see my previous article: https://twoearsonemouth.net/2017/11/22/preparing-for-the-cost-of-a-data-breach/ .

In addition to government regulation, industry associations have aligned to create a compliance standard for their data. One primary example of this is the PCI DSS previously mentioned above in regard to Target. PCI DSS develops a robust payment card data security process — including prevention, detection and appropriate reaction to security incidents. The PCI Security Standards Council originates the standards for compliance to all credit card information as well as an approved list of assessors who audit and validate an entity’s adherence to PCI DSS.

Businesses are not completely on their own to navigate through this complex regulatory and IT security environment. There have been a series of IT frameworks developed that an organization can use to reach their goals. These frameworks describe IT “best practices” which are written in general terms. Typically, businesses use them as a reference to achieve regulatory or security compliance. Below are some examples of the most common IT frameworks available today:

COBIT– A framework designed by Information Systems Audit and Control Association (ISACA) to provide management and business process owners with an IT governance model that aids in delivering value from IT and understanding the management of risk associated with IT.
ISO 27002– An IT security standard originated and maintained by the International Organization for Standardization (ISO) and the International Electro Technical Commission. (IEC)
ISO 38500– Similar framework to ISO 27002 for IT used by management and originated and maintained by the International Organization for Standardization (ISO) and the International Electro Technical Commission. (IEC)

IT security best practices at the highest level can be classified in 3 categories; physical safeguards, administrative safeguards and technical safeguards. Below is a brief description of each.

Physical Safeguards are tools such as alarm systems (video), key card systems, secure locks for offices and drawers where laptops and phones are stored, a guard or receptionist always at the front door and a secure IT server room.

Administrative Safeguards are processes that include creating a security officer and/or department, creating training programs to make all employees aware of what data needs to be protected and how it is protected, a company policy for storing and archiving of protected data and business continuity policies.

Technical Safeguards are IT tools such as Unified Threat Management (UTM) and Next-Gen firewalls, malware and virus protection software on servers and workstations, encryption of data in transit and at rest and a strong Business Continuity and Disaster Recovery (BCDR) plan that is tested on a regular basis.

Following these principles and best practices not only help to achieve a business mitigate risk but also make good business sense.

Contact us so that we may learn more about the IT challenges within your organization. We will provide an initial consult at no cost! We can provide best in class IT Project Management in Cincinnati or remotely.

Jim Conwell (513) 227-4131 jim.conwell@outlook.com www.twoearsonemouth.net

[1] PCI DSS is an acronym for Payment Card Industry Data Security Standard. PCI DSS is an industry based regulatory authority for the credit card industry.