Atlantic.Net Blog

Common Mistakes Made During Cloud Migration

  • Cheaper Rather than Better
  • Throwing Out Traditional Equipment
  • Failing to Make Applications Cloud-Ready
  • Not Taking Big Data Into Account
  • Assuming All Clouds Are the Same

Cheaper Rather than Better

In the above video, Atlantic.Net CEO Marty Puranik notes that companies have been more focused on cheaper solutions in recent years, especially given the impact of the Great Recession; but excessive focus on price is a mistake. All of the great advancement that humanity has achieved arose from a focus on better rather than cheaper, he stresses.

Tunnel vision on price alone is just one of the mistakes organizations make when they migrate to the cloud. Tech reporter Jeff Bertolucci discussed typical problems that arise in his InformationWeek article “10 Cloud Migration Mistakes to Avoid.”

Four of the errors that he highlights are throwing out traditional equipment, failing to make applications cloud-ready, not taking big data into account, and assuming all clouds are the same.

Throwing Out Traditional Equipment

Many organizations don’t know exactly what to do with their hardware once they switch systems over to cloud.

“A common mistake that enterprises make is either to throw out their old hardware or pay someone to remove it,” said Bertolucci. “[Since] the market for used IT computers and other gear is north of $300 billion, … enterprises should try a hardware exchange to recoup some IT budget cash.”

Failing to Make Applications Cloud-Ready

Often companies don’t perform the testing to see how they might need to adjust applications for optimal cloud performance. Recognize that you may need to make some tweaks in order to get the most out of your new environment.

Not Taking Big Data into Account

We are constantly reminded in the technology press that big data is extraordinarily valuable. However, transferring cumbersome apps and huge amounts of data can be tricky. Some firms even mail their disks to the hosting provider, says Bertolucci.

“Another thorny issue is finding the most affordable way to sync on-premises and cloud environments,” he adds. “The bottom line: Pre-move preparation is the best way to achieve smooth cloud migration.”

Assuming All Clouds Are the Same

Finally, you want to be aware that there really is no “the cloud.” Cloud computing is an infrastructural approach that is implemented in different ways by different providers.

For example, Puranik explains above how Mellanox technology helps us keep prices 30-40% lower than the competition while delivering about twice the performance.

Cloud Hosting: Igniting Small Business Potential

  • Same Technology for David and Goliath
  • How Cloud is Reimagining Small Business
  • Take Action

Same Technology for David and Goliath

Enhanced access is a fundamental property of the cloud. What that means is not just that more users can access the environments supported by the virtual servers but that the playing field is leveled due to the lower price. In other words, cloud is underdog-ready. Small business now can take advantage of the same big data platforms and real-time analytic tools as enterprises.

The Role of Business Associates in HIPAA Compliant Hosting

  • HITECH and the Role of Business Associates
  • Business Associate Definition
  • Examples and Wide-Ranging Scope

HITECH and the Role of Business Associates

A HIPAA compliant system must be designed conscientiously to include the various security and privacy technologies discussed in the above video.

Compassion and Humanity: Ubuntu LTS for Linux SSD Cloud

Developed and managed jointly by the open source community and Canonical, Ubuntu is one of the most popular distributions of the Linux operating system. The name itself is a nod to the synergistic, “share and share alike” philosophy that is considered a pillar of the open source movement. Ubuntu is a word used in Xhosa and Zulu that is roughly translated as humanity, compassion, or the whole is greater than the sum of its parts.

Imagining the Internet of Things

How much do we want data to flow? It’s a more confusing question than you might think. The third platform of computing (the realm of the cloud) has made it possible for us to integrate systems and process data from multiple devices seamlessly in real-time. In many ways, that scenario is wholly positive. In others, it’s cause for concern.

Cloud VPS vs. Traditional VPS vs. Private Cloud

VPS Changing with the Cloud

A critical concern when exploring hosting solutions is deciding whether you want to go with the innovative, newer option or to stick with the traditional model. Cloud has grown astronomically in recent years. Perhaps 2014 was the year that cloud graduated from test projects and startups to enterprise acceptance, with General Electric announcing that it was already running 90% of new applications through the public cloud.

How to Become HIPAA-Compliant

One of the problems with our increasingly technological world is that the speed at which our devices and services upgrade and make older versions obsolete can be dizzying. It feels like only an instant before the latest smartphone or flatscreen TV is being replaced with the bigger, better, faster model.

The same holds true in the world of hosting, data, and server management. And while it can be tough for any type of business to keep up, it’s crucially important if your company is involved with health care IT and has to maintain HIPAA compliance.

There are several aspects of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), but as it pertains to health care IT and the focus of this article, HIPAA compliance comes from your company’s ability to adhere to the strict national standards regarding electronic health care transactions and identifying information for health care providers, employers, and health insurance plans.

As one might imagine with such a large piece of national legislation, there is a myriad of minimum requirements that your company’s systems and operations must meet. And as one might also imagine, understanding and implementing exactly how those systems and operations must operate to be HIPAA compliant can quickly become a daunting task. Having a quick, clear, and easy 10-step HIPAA compliance checklist to run through can be a major help, which is what we are doing in this article. We will also take a look at a series of hosting questions asked by a healthcare client interested in learning more about the specifics of compliance.

  • 10-Step HIPAA Checklist
  • Spotlight: HIPAA Technology Provider Questions
  • The Right HIPAA Information Technology Answers

10-Step HIPAA Checklist

If you want to know how to become HIPAA compliant, there are specific standardized technologies that you should have in place to properly protect Personal Health Information, or PHI, and avoid violations. We’ll dive more into the technological side in the spotlight section detailing a conversation with a client below.

In addition to those technical specifications, here are 10 additional actions you want to take as general HIPAA administrative safeguards. Although these tactics should not be considered exhaustive, each one will effectively reduce your liability and make it less likely that you will become a target of the Department of Health and Human Services (HHS):

Step #1 – Create a Security and Privacy Policy

“Healthcare organizations must develop, adopt and implement privacy and security policies and procedures,” said Becker’s Hospital Review. “They must also make sure that they are documenting all their policies and procedures, including steps to take when a breach occurs.”

This is particularly important in today’s world, where cybercrime, in the form of brute force attacks, Distributed Denial of Service (DDoS) attacks, and other forms of hacking, has resulted in some of the biggest data breaches in history. And with the recent gigantic Anthem data breach, having air-tight security safeguards in place is paramount, as is having the proper protocols in place in the unfortunate event of a hack or breach.

Step #2 – Name a Privacy and Security Officer

Name one or two people who are knowledgeable about HIPAA compliance requirements for these roles. One of the most crucial aspects of being HIPAA compliant is ensuring that your data remains safe, secure, and, most importantly, confidential. It makes sense that the person, or people, in charge of that data should be experts in the field. They can also help you set up air-tight policies (as mentioned in Step #1 above) and implement the best possible procedures in case of an attack or system error.

Step #3 – Perform Periodic Vulnerability Reviews

You want to check and test your exposure to risk on a regular basis. If you find anything amiss, of course you need to correct it. Policies should be adjusted based on information from these assessments as well. After all, a chain is only as strong as its weakest link: even if the vast majority of your systems are air-tight, it would only take one small mistake or oversight to cause massive problems. Hackers, cybercriminals, and even inadvertent employee mistakes could all spell major problems and possible violations if not shored up immediately.

Step #4 – Create a Specific Policy for Email

The HHS Office for Civil Rights, or OCR, has stated that it wants to see user guidelines crafted to the particular situation, as exhibited by specific mobile and email policies. Interestingly enough, nowhere in the OCR regulations does it state that PHI must only be sent and/or received via encrypted email, but it’s worth making sure that your email system is HIPAA compliant and encrypts all messages. In addition, encrypted email helps protect you from investigations.

In today’s world, email encryption is a relatively fast, easy, and painless process to implement, and many providers offer it free of charge. It’s well worth looking into, but if you decide that email encryption is not right for you at this point in time, you must at the very least inform your patients that requesting records through email puts them at risk.

Step #5 – Create a Specific Mobile Policy

Mobile devices are everywhere, and they get more omnipresent each and every year. Every side of the health care world, from providers to patients, uses mobile devices to check email and log into profiles. As such, it will greatly benefit you to create a strong policy to safeguard health data on mobile devices, such as smartphones and laptops, which are particularly susceptible to physical theft. The policy should also address what happens when a new device is added to or removed from the network.

Step #6 – Train Your Staff

While not everyone on your team must be an industry-leading expert in the finer technicalities of HIPAA (save those hires for your Security and Privacy Officer positions, as mentioned in Step #2), it will behoove you if your staff is comfortably familiar with the basic parameters of HIPAA. It has been shown numerous times by numerous studies that employees are consistently one of the biggest risks to a company’s cybersecurity, usually through a lack of knowledge of the proper protocols. Nobody wants to be the cause of a HIPAA violation, so it’s in your best interest to provide training to any new people who join your staff and occasional reviews (some say every six months) for continuing employees.

Step #7 – Develop a Privacy Notice

Communication is key, and that goes double for privacy. Having a clear, concise privacy policy is important, as is getting that policy out there for all to see. Make sure that your privacy policy is posted on your website and is easy to find. The same policy should be handed out to patients, and they should sign that they’ve received it. Also, don’t be afraid to view your privacy policy as a living, breathing document: if certain events, either in your company or in the health care industry at large, necessitate changes, update the policy. And when you do, get new signatures from your patients to ensure they understand what’s been updated.

Step #8 – Solidify Business Associate Relationships

Odds are your business isn’t an island: you have a team of business associates that you work with on a regular basis. Even though they aren’t full-time employees, you still need to make sure they adhere to any policies you’ve set forth. Harking back to the chain analogy used in Step #3, if your associates aren’t a strong link, it’s a problem. You need to make sure that a strong business associate agreement is signed with all relevant parties, including those that handle PHI, such as shredding companies.

Step #9 – Establish a Protocol for Possible Breaches

It’s critical to have a step-by-step system for whenever you think a breach might have occurred. Even the most safeguarded and up-to-date systems are susceptible to breaches, so always view cybersecurity as two sides of the same coin: it’s important to invest time and money in infrastructure and policies that help prevent breaches and other forms of attack, but the flip side is to always know that a breach remains a distinct possibility.

“The Risk of Harm Standard and the risk assessment test can be used to determine if a breach has occurred,” noted Becker’s. “If a breach has occurred, it is essential that the healthcare organization document the results of the investigation and notify the appropriate authorities.”

Step #10 – Make Sure the Privacy and Security Policies are Followed

Preparation is only half the battle, an important half to be sure, but what good are the best-laid plans if they aren’t followed? Ensuring that they are actively followed is critical. It needs to be part of your company’s DNA and breathed into each and every operation your company undertakes. In addition to making sure the policies are well-known and followed by all your team members and all business associates, it should also be known that failure to adhere to those policies comes with penalties. Make sure the consequences of failing to comply with your HIPAA compliance policies are both well-known and strict enough to ensure your staff does everything possible to follow them.

Spotlight: HIPAA Technology Provider Questions

This section spotlights a recent and actual question-and-answer exchange we had with a prospective healthcare client; we’ve of course anonymized and edited it for privacy. For brevity, we’ll skip the introductions and jump right into the Q&A. We hope this gives you some insight into some of the more technical aspects of HIPAA compliance, and how any company worth your time will have strong answers to each of these types of questions.

Healthcare Client:

Have you been independently audited against the OCR HIPAA Audit Protocol?

Hosting Consultant:

Yes, I have attached our HIPAA audit for your review.

Healthcare Client:

What particular IT services meet HIPAA compliant security standards for protecting PHI?

Hosting Consultant:

The following services fully meet HIPAA compliant security standards with regard to Personal Health Information, or PHI: Fully Managed Hardware Firewall; Encrypted VPNs; Intrusion Detection System; Fully Managed Daily Encrypted Backup; Private Dedicated Server Environment with Self-Encrypted Storage (Virtualized or Non-Virtualized); and Anti-Virus Software.

Healthcare Client:

Do you have documented policies and procedures?

Hosting Consultant:

Yes, but the Policies and Procedures are Proprietary Information. We only release the HIPAA Audit, BAA, DR Document, and SSAE 16 (SOC 2, Type 1 & 2) audit. (All are attached.)

Healthcare Client:

Are your employees trained?

Hosting Consultant:

Of course.

Healthcare Client:

Do you have a thorough BAA (Business Associate Agreement) with documented and communicated policies?

Hosting Consultant:

Yes, and it is attached for your review.

Healthcare Client:

What is the difference between regular server hosting and HIPAA compliant server hosting (structure-wise)?

Hosting Consultant:

The only fundamental difference is that HIPAA compliant hosting requires an Intrusion Detection System. It also requires all of the services listed above in the question regarding services meeting PHI protection protocols. HIPAA compliant hosting can include a Virtualized Private Dedicated Server environment but it cannot include Public Cloud / VPS hosting services.

Healthcare Client:

Why is the HIPAA compliant server hosting more expensive than regular server hosting?

Hosting Consultant:

Because of the technologies listed above and because you cannot remove any of these items from the hosting platform as you can with a non-HIPAA hosting environment.

The Right HIPAA Information Technology Answers

Every healthcare company must ask for advice when working with IT providers, since any issues with the provider would pose a risk to its patients’ health information. After all, even a minor HIPAA violation can be disastrous for a health care IT organization.

Atlantic.Net is a trusted HIT provider. Our clients trust us because we are experts on the subject and are fully transparent in all communications, as evidenced by this customer testimonial below:

“Atlantic.Net’s reputation for 100% up-time, their secure infrastructure and expertise in Healthcare IT were key components in finalizing our partnership,” said Complete Healthcare Solutions Vice President Joseph Nompleggi.

Feel free to contact us today to see if we can help you meet your HIPAA compliance needs.

By Moazzam Adnan