Five Tips for Choosing FERPA-Compliant Cloud Hosting

08/20/14

By Laurie Head

AIS Network VP, Marketing Communications

Let’s say your school’s aging IT infrastructure is just not meeting expectations or perhaps you’re not altogether sure that it’s entirely FERPA-compliant.  You recognize that moving school data to a secure cloud may be the answer to multiple challenges that you face, but you are unsure about how you should approach the move.

For those who don’t already know, the Family Educational Rights and Privacy Act (FERPA) is a U.S. privacy law designed to protect student education records, including PII (personally identifiable information), with administrative, physical and technical safeguards.  Think HIPAA compliance for school records – because the concept is really not all that different.

To some school administrators, FERPA may seem like a barrier to migrating school records to the cloud.  But, indeed, it’s not.  In fact, moving data to the cloud is a cost-efficient option that is permitted by FERPA and even supported by the U.S. Department of Education, which was itself an early cloud adopter in the federal government.

But how do you move forward?  Unfortunately, FERPA does not elaborate on the process of selecting and managing relationships with secure cloud hosting providers.  So, if you are an educational institution either currently in the process of selecting a cloud hosting provider or deciding whether or not moving to the cloud is right for you, consider these five tips:

  1. Use best practices.  As you evaluate your needs, be sure to conduct a risk management assessment for your institution and make a list of security considerations such as privacy, legal and compliance issues that must be addressed.
  2. Do your due diligence on security during the cloud hosting provider selection process.  Review all appropriate administrative, physical and technical safeguards that the provider may use to protect the data, including data destruction policies.
  3. Contract with a FERPA-compliant cloud hosting provider.  Select a reputable provider who understands FERPA compliance and the importance of protecting PII from a potential breach.  An experienced, compliant hosting provider will help you pass your FERPA audits, enabling you to do your job better.
  4. Get compliance language into your contract.  Ensure that your written contract or service agreement with your hosting provider is specific with regard to how data is being safeguarded.
  5. Keep sensitive student records in the U.S.  While FERPA does not make distinctions based on state/international lines, it’s important to remember that transferring PII and other education records across international boundaries may be risky.  Among the legal concerns, be aware that it is often difficult to enforce privacy laws outside of the U.S. and hold non-U.S. entities accountable for violations.

Of course, your school should also have prepared and implemented adequate information governance protocols with regard to FERPA as well as any additional applicable federal and individual state data privacy laws that may contain more stringent requirements for data protection.  Always consult with your organization’s legal staff to ensure that you have considered and addressed all applicable regulations.

For more government information, the U.S. Department of Education Privacy Technical Assistance Center is a great resource.  Access the “Frequently Asked Questions” document on their site.

In the meantime, let us know if we can help you take those first steps toward cloud adoption.  To begin, we can assist you in conducting a risk management assessment.


Microsoft Azure Managed Services Debut

08/11/14

By Bill Peters

AIS Network Director of Business Development

As of August 1, Microsoft reseller partners like AISN can begin providing Azure* cloud services and selling Azure to customers via Microsoft’s Open Licensing program.  Previously, customers could only purchase directly from Microsoft and through Enterprise Agreements.

So, how can AISN’s Azure Managed Services help you?  Whether you’re already using Microsoft’s public cloud platform or want to be, or need guidance in choosing between Azure and Windows Azure Pack (for private cloud), we can give you a hand in assessing your needs.

Once implemented, we’ll optimize, manage and monitor your Azure environments, including your virtual machines, databases, media services, mobile services, application workloads and more. Our Azure Managed Services include:

  • Azure/Azure Pack configuration, implementation and support services
  • Integration with legacy applications and on- or off-premises environments
  • Enhancement consulting
  • Cloud storage
  • Cloud backup and disaster recovery
  • Comprehensive remote monitoring and management, 24x7x365
  • Performance reporting and analytics, including remediation services (CPU and memory, system security, application log exceptions, etc.)
  • Continuous patching and security updates, with upgrade management
  • Administrative support
  • Production support

Thinking about a hybrid cloud solution?  AISN will also deliver compliant, secure hybrid solutions that run across Azure and on- or off-premises enterprise environments.

Look to AISN Azure Managed Services for:

  • Hybrid cloud infrastructure enablement, integration and management, including capacity optimization between Azure and on- or off-premises infrastructures
  • High security/high compliance network connectivity and high availability
  • Deployment and management of environments for SharePoint, SQL Server and more
  • Easy migration of VMs, allowing you to extend your on-premises environment and have the flexibility to move workloads to the cloud
  • Development and test environment management for application projects
  • Azure Active Directory, enabling you to deploy and manage Secure Identity Services, using Active Directory across Azure and on-premises
  • Mobile app back-end storage management

Have a specific requirement that you don’t see mentioned?  Let us know and we will try to help you today.

* Microsoft Azure features HIPAA, PCI DSS, FedRAMP, SOC 1, SOC 2, ISO 27007 and UK G-Cloud compliance. 

 


AISN Infographic: Why Healthcare is Moving to the Cloud

08/01/14

Why Healthcare is Moving to the Cloud


We are proud to share our new Infographic on why healthcare is moving to the cloud.  With so many healthcare organizations starting to utilize the cloud and virtualization, we are sharing some of the related trends.
 
First off, it’s no big surprise healthcare is moving to the cloud; many businesses and organizations benefit from it. Let’s face it – cloud benefits are significant! They include:

• Flexible and fast to grow and downsize IT resources
• Reduced CAPEX expenses; shifting expenses to an operational and more predictable cost
• Organizations can shift the focus from IT to their core business
• Increased accessibility to the IT infrastructure
• Better IT performance

But beyond that, for healthcare organizations, there are genuine benefits specific to the sector’s needs and concerns.  Our Infographic goes into greater detail but here are some highlights:

• Healthcare organizations are more confident about security in the cloud (94% of businesses reported that they saw an improvement in security after switching to cloud computing)
• Electronic Medical Records (EMR) are driving cloud growth. EMRs are less expensive, give better quality of care and patients prefer them.
• With EMR and the cloud, HIPAA compliance is less costly and aggravation is reduced.

 
Click on the infographic for an expanded, more detailed view.  We hope you find it as interesting as we do.  And, as always, we welcome any comments or questions below.
 
 
 


HIPAA BAAs and How They Apply to HIPAA-Compliant Cloud Hosting

07/24/14

By Laurie Head

AIS Network VP, Marketing Communications

All HIPAA/HITECH-regulated organizations in the process of selecting a HIPAA-compliant cloud hosting provider should expect their chosen vendor to sign a HIPAA/HITECH Business Associate Agreement (BAA).*

But here’s the rub.  It’s easy to find a cloud hosting provider who says, “Yeah, we’ll sign a BAA.”  However, it’s quite another to find a provider who is a HIPAA BAA expert and can help you understand what your BAA means.  AISN is that expert.

It’s critical for organizations to understand that it’s not enough to say, “Yeah, we’ve got a signed BAA.  We’re good!”  Your BAA is not just a piece of paper that you read only when a problem arises.  You should understand what you’re signing.

Why?  Under the new rule, your exposure to penalties is increased.  You’re responsible for protecting your PHI and ensuring that any subcontractors you use are also compliant.  If the cloud hosting provider whom you have chosen to access your electronic Protected Health Information (ePHI) fails an audit or commits a data breach, responsibility also falls on you.  (For this reason, it’s smart to get a network vulnerability assessment from an independent auditor who does not maintain the vendor’s network.)

How can AISN help?  Unlike most generalist and commodity hosting providers, AISN is a HIPAA cloud hosting expert.  We provide clients with the assistance they need to understand and comply with HIPAA/HITECH throughout all facets of the engagement process.  Before any ePHI and apps are moved to the cloud, AISN helps you put in place an appropriate and effective BAA – a policy that is highly specific to the data that we protect and the cloud hosting and services that we offer.  Then, our experts will guide you through the process of understanding your own rights and responsibilities, as well as AISN’s, as established under the BAA.

Have some questions about BAAs and HIPAA cloud hosting?  We can help.  Contact us!

 

* A HIPAA Business Associate Agreement (BAA) is a written contract between a HIPAA-covered entity and a HIPAA business associate (BA).  It defines the responsibilities of each party to safeguard PHI in accordance with HIPAA guidelines.  To learn more, see the U.S. Department of Health and Human Services’ expanded definition: http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/contractprov.html


Most Health Care Organizations Are Embracing the Cloud, HIMSS Survey Reveals

07/15/14

By Laurie Head

AIS Network VP, Marketing Communications

Our CEO, Jay Atkinson, had the opportunity to attend the annual HIMSS conference in Florida earlier this year and found it entirely exciting and educational.  For those of you who are not familiar with HIMSS, it’s a cause-based global enterprise that produces health IT thought leadership, education, events, market research and media services around the world.  It’s also quite an established group.  Having been founded in 1961, HIMSS encompasses more than 52,000 individuals, of whom more than two-thirds work in healthcare provider, governmental and not-for-profit organizations across the globe, plus over 600 corporations and 250 not-for-profit partner organizations, that share the cause of transforming health and health care through the best use of IT.

One of HIMSS’ latest endeavors is an inaugural, broad-reaching survey of health care organizations — all on the topic of cloud adoption and cloud services.  Released last month, the HIMSS survey found that nearly all cloud adopters in the health care industry plan to expand their cloud services at some level.  Areas for growth include archived data, disaster recovery and hosting operational apps and data.

I thought I would share some of the findings by reprinting the HIMSS press release in this blog:

80 Percent of Healthcare Organizations Embrace the Cloud

 

CHICAGO (June 16, 2014) – Results of the inaugural 2014 HIMSS Analytics Cloud Survey show the widespread adoption of cloud services among healthcare organizations across the U.S., with 80 percent of the 150 respondents reporting they currently use cloud services. The top three reasons for adopting cloud services include lower maintenance costs, speed of deployment and lack of internal staffing resources. The survey shows a positive growth outlook for cloud services as almost all healthcare organizations currently using cloud services plan to expand their use of these tools. To review the results in a visual format, download the infographic here: http://bit.ly/1nBsA6j

Half of the cloud adopters are hosting clinical applications in the cloud, primarily using Software as a Service (SaaS). Other typical cloud services include Health Information Exchange (HIE), hosting human resources (HR) applications and data as well as backup and disaster recovery.

“Cloud services have been long praised as a tool to reduce operating expenses for healthcare organizations.  The data presented in our inaugural survey demonstrates the healthcare industry’s eagerness to leverage this resource,” said Lorren Pettit, Vice President of Market Research for HIMSS Analytics. “With such a positive market outlook, we hope vendors will leverage the business intelligence gleaned from this report, continue working with providers to meet their needs, and help healthcare organizations provide the most cost-efficient care.”

Healthcare organizations take into consideration a number of factors when selecting a cloud services provider.  The top concerns for healthcare organizations seeking cloud services are the cloud services provider’s willingness to enter into a business associate agreement (BAA) as well as physical and technical security.

Even after a cloud services provider has been selected and the cloud services have been adopted by the healthcare organization, there are still challenges.  Two-thirds of healthcare organizations have challenges, including a lack of visibility into ongoing operations, customer service, as well as costs and fees.

Half of the respondents also identified performance issues, such as slow responsiveness of hosted applications as a problem, but were willing to work with their existing cloud service provider to resolve their issues, rather than switch to a new one.

Interestingly, a small fraction of respondents expressed a resistance to adopting cloud services (six percent). Of these respondents, nearly half cited security concerns as the primary barrier to their willingness to adopt cloud services.

“Many Healthcare CIOs and others have expressed their intention to use cloud services. However, there are some challenges related to use in healthcare and these are what we hoped to uncover,” said Lisa Gallagher, Vice President of Technology Solutions for HIMSS.  “Our next step is for the healthcare industry to work with cloud service providers to move forward together in addressing these challenges.”

To learn more about the findings for the survey, which examines the responses of 150 healthcare organizations – including medical practices, hospitals, and healthcare systems – visit the HIMSS Analytics website.

About HIMSS Analytics

HIMSS Analytics collects, analyzes and distributes essential health IT data related to products, costs, metrics, trends and purchase decisions.  It delivers quality data and analytical expertise to healthcare delivery organizations, IT companies, governmental entities, financial, pharmaceutical and consulting companies. Visit www.himssanalytics.org.

 
