HIPAA Compliance in technical terms

Let's face it, the time is here: the first thing doctors and practitioners want to do with their brand new web systems is:

  • Register patients via a website or a web portal
  • Schedule in-office appointments
  • Diagnose situations and make medical recommendations quickly
  • Access digital prescriptions

Securing the transmission of the information from the patient to the web site is fairly simple (it's #1: use a web site secured with SSL).  However, what do you do with that information? Some basic options are:

  1. Store files on a web server and download them later. This is old and not recommended, although for PACS systems it is necessary.
  2. Store the data in a database, and access the information using tools like BIRT or consume the data via web services.
  3. Email the information

The third option, email it to someone, is the most utilized choice because it is the easiest and requires the least additional software or infrastructure… everyone is already checking their email.  It also opens a whole can of worms in terms of “how do you make the email component meet HIPAA?”

1. Storing the data in files requires that

  • The web site encrypt the files using vetted encryption methods
  • Downloads are made over a secure channel (i.e. Secure FTP – HIPAA Locker)
  • Both parties are included in a chain of tracking emails which verify the state of the file transfer.
  • Backup and disposal of any information are automated and verified using system logs.

2. Storing the data in a database allows you to write software for remote access and management of that information, however

  • Transmission to and from the database needs to be secured using SSL
  • The software that provides management must be secure and meet HIPAA requirements in terms of access controls and auditing.
  • Encryption key management and secure database storage are also issues which must be addressed.  Even though transmissions are encrypted, the storage might not be, and it is a high-risk area for information leaks.

The first option is quite simple, but requires more technical knowledge on the part of the users and leaves a gaping hole as the end user has no way of tracking the disposal of the information.

The second option is how web applications are making their way into medical practices.  Centralized data repositories allow for Agile development methods to be utilized in order to design, develop and deploy complex database driven applications.

However, option 2 is technically complex and requires more cost and effort to implement properly.  Web services and APIs are basic building blocks of mobile applications, but require advanced knowledge to use properly in commercial applications.

Option 3 is easy, but how do you make the email HIPAA compliant?  This is a complex and costly topic, which is why we recommend using a web-based Large File Transfer system that is HIPAA compliant.

Securing data from your website

Below are the basic considerations to take when securing data from your website:

  • The data sent is encrypted using modern encryption techniques.
  • The data is never stored in an unencrypted database.
  • Once the recipients have received the information, the data is removed from the server.
  • The recipients can access these messages securely (over SSL) and decrypt the data either in their email program or in a web-based interface that supports decryption.
  • The provider handles backups and disaster recovery.
  • Deleted messages expire from backup systems after a while.

Make your Web Forms HIPAA Compliant Quickly

Skysoft’s Secure Forms service allows you to collect data from your web forms and deliver it to you via email, secure FTP, or database in a way that is automatically HIPAA compliant and requires no programming on your part:

  • We will acquire, certify and install the SSL certificate for your web site so that transmissions are secured.
  • We will integrate your web forms with any system that provides an API into its environment.
  • We provide all of the web mechanisms needed to control and manage your dashboard.

5 Steps – Physical to Virtual Migration of Exchange 2010 Using Gbridge

In this blog post, I will show you how to migrate a physical server running Exchange 2010 and Active Directory to a virtualized environment in a few simple steps.  Although there is some downtime due to the transfer of large files, this can be overcome by physically delivering the large files to your data center or server.  I am using VMware ESXi 5.1 on a Dell 2950 server.

Things you will need

  1. VMware ESXi
  2. VMware Standalone Converter
  3. GBridge

Step 1 – Install ESXi on your hardware, configure the IP address on the machine, and test it to make sure you can access it over the internet.

Step 2 – Install VMware Standalone Converter on the live Exchange 2010 server – in our case we were running Windows Server 2008 R2.

Create a new conversion job and convert the machine to the ESXi host – use the IP or the FQDN as the target and the credentials you assigned during installation of ESXi.

If the files are large, we suggest physically taking the files to the VMware host, hooking up a USB drive, and transferring the files into ESXi via the VMware client.

Modify any settings on the new guest OS – add or remove NICs, USB drives and CD-ROM, and adjust memory and CPU as necessary.  We recommend that you do several reboots and take a snapshot before moving further.  Sometimes the machine will break after a failed snapshot.

Step 3 – On the TARGET machine (virtual machine at this point)

  • Dismount all databases using the Exchange PowerShell or the EMC
  • Stop all Microsoft Exchange Services
  • Download and install GBridge; after installation, run the program and make sure that it doesn’t crash.

Step 4 – On the LIVE machine

  • Alert users that Exchange will be offline for xx period of time.
  • Disable the Send and Receive connectors.
  • Dismount all databases using Exchange PowerShell or EMC
  • Stop all Microsoft Exchange Services
  • Download and install GBridge; after installation, run the program and make sure that it doesn’t crash.
  • In GBridge, create Secure Shares on the LIVE server, using the following image as a guide. (SKYMAIL is the live database folder; Skysoft Folder is a Public Folder we have set up.)

Step 5 – On the TARGET server (Note: we have a SPAM filter with email spooling in place, so we don’t have to worry about losing emails; they spool for us for 30 days)

  • Rename the above folders to something else, like SKYMAIL2, ExchangeOAB2, etc…
  • Open GBridge, right-click the Secure Share folder from the LIVE server, and click AutoSync and Download.  Now select the location of the folders you renamed, so that GBridge syncs the (dismounted) database from the LIVE server to the TARGET server. (You may transfer these files physically via USB as an option.)
  • After completion of all transfers
    • Make sure to change your MX Records – We didn’t have to do this because we point to our SPAM filter.
    • Modify DNS Server on TARGET machine with new IP configurations
    • Change HOSTS file if you have hard coded any host names.
  • Ping your server to make sure DNS has propagated, and check with MXTOOLBOX to make sure all IP configurations have taken place.
  • Reboot the server – Exchange will start all services and mount the databases as if it were the LIVE server, which at this point, IT IS!

Now your Exchange server has been migrated to a Virtual environment with no VPN, very little downtime, and no loss of emails.
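As an added example (not from the original post), a small Go check for the DNS part of Step 5: it confirms that every MX host for the mail domain now resolves only to the new server, or to the spam filter in front of it, before you declare the cutover done. The `Lookups` interface, `systemDNS` and `CheckCutover` are names invented here; the domain and addresses you pass in are placeholders for your own.

```go
package main

import (
	"fmt"
	"net"
	"sort"
	"strings"
)

// Lookups abstracts the DNS calls so the check runs against the live resolver or constructed records.
type Lookups interface {
	LookupMX(domain string) ([]*net.MX, error)
	LookupHost(host string) ([]string, error)
}

type systemDNS struct{} // the OS resolver

func (systemDNS) LookupMX(d string) ([]*net.MX, error)  { return net.LookupMX(d) }
func (systemDNS) LookupHost(h string) ([]string, error) { return net.LookupHost(h) }

// CheckCutover verifies that every MX host of the mail domain resolves only to an expected
// address (the migrated server, or the spam filter in front of it). An empty result means
// the records have propagated as far as this resolver can see.
func CheckCutover(r Lookups, domain string, expected []string) []string {
	want := map[string]bool{}
	for _, ip := range expected {
		want[ip] = true
	}
	mxs, err := r.LookupMX(domain)
	if err != nil || len(mxs) == 0 {
		return []string{fmt.Sprintf("no MX records for %s (%v)", domain, err)}
	}
	var problems []string
	for _, mx := range mxs {
		host := strings.TrimSuffix(mx.Host, ".") // MX targets come back fully qualified
		addrs, err := r.LookupHost(host)
		if err != nil || len(addrs) == 0 {
			problems = append(problems, fmt.Sprintf("MX %s does not resolve (%v)", host, err))
			continue
		}
		for _, a := range addrs {
			if !want[a] {
				problems = append(problems, fmt.Sprintf("MX %s (pref %d) still points at %s", host, mx.Pref, a))
			}
		}
	}
	sort.Strings(problems) // deterministic order for logging
	return problems
}
```

Against the live resolver, call `CheckCutover(systemDNS{}, "<your mail domain>", []string{"<new public IP>"})` and treat any returned line as a reason not to reboot the target yet; a resolver that still caches the old records will keep reporting the old address until its TTL expires.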

© Copyright Skysoft Incorporated