Healthcare peeps, HIPAA/HITECH has teeth, and the fines handed out this year are huge.
The best example is Cignet Health Center, a group of clinics based in Prince George's County, Md., that also operates a health plan. It was fined $4.3 million for failing to turn over medical records to patients who requested them and for failing to cooperate with the HHS investigation. (Feb 2011)
For my friends in EMEA, you're having issues around PHI as well: the NHS lost unencrypted devices containing patient records.
Finally, for those of you who are obsessed with celebrities, don't let that spill over into your job! Personally, I couldn't care less about what Miley Cyrus is doing next, but some people just can't help themselves.
"The University of California at Los Angeles Health Services has agreed to pay an $865,000 fine and pledged to tweak their infrastructure after potentially violating the HIPAA regulation when several employees apparently accessed the health records of various celebrity patients at the hospital without valid justification."
So, if healthcare IT shops can't cut it when it comes to protecting PHI or meeting meaningful-use requirements for EHR, should the business turn to the cloud?
From what I can see, part of the problem is that some old legacy healthcare apps cannot run on x86 and do not support virtualization.
So, maybe a few things need to happen:
- Assess the risk of keeping apps that can no longer be maintained and will not meet compliance standards, versus the effort of migrating at least the front end of those legacy systems to a virtual platform
- There are a ton of healthcare apps that are cloud-ready and work on mobile devices
  - Approximately 60% of all doctors today use iPads or similar devices (IDC)
- VMware has the infrastructure to support those apps and lets IT shops build private cloud services that can be moved to public providers during periods of high demand
  - And ported back, of course :)
- Some small healthcare organizations are already moving their services and patient data to cloud providers like NaviSite
  - BTW: a lot of these orgs are adopting HITRUST as a certification process to demonstrate HIPAA/HITECH compliance
The main concern is trust: will large healthcare organizations trust cloud providers with medical records?
My guess is yes, they will in time. At VMware we are working on Trusted Cloud solutions with other vendors to build an ecosystem that will let consumers move their workloads to the cloud with confidence. The key will be whether the providers allow the consumers to validate that trust. The consumer holds the power; as my colleague and active QSA Davi Ottenheimer says, "If a service provider refuses to give you the log services or compliance support you need, it may be time to find another provider."
When it comes to healthcare, yes, the complexity of compliance in such a heavily regulated vertical could make it difficult for a provider to offer those services. However, if we are really going to make the journey to the cloud, providers need to bake cost-efficient security and compliance solutions into their offerings and be transparent enough to let the consumer validate what is happening with their assets.
We would love to get your feedback on the comments above, hit us up here or:
- on the Security & Compliance Blog or the Virtualization Management Blog
- on Twitter: @georgegerchow and @vmwaremgmt
- on Facebook: IT Management
- at the Management Mastery site
- and at the Management Mastery Forum
As usual, please forgive me for any spelling and grammar errors. Spanish is my first language and like the rest of us, I am still learning.