Hospitals get ready for HIPAA security compliance [part 3]
February 29, 2008 at 6:29 pm (archive email, business, cms, corporate, data retention, electronic communication, electronic document retention, electronic privacy, Email Archiving, email backup, email compliance, email management, email retention, email security, email storage, health care, health information, health records, healthcare, HIPAA, hipaa compliance, hipaa privacy, hipaa security, medical records, message archiving, news, privacy, thoughts, tony trenkle)
Ellen Messmer of Network World reports that lately hospitals have had more to worry about than just preparing for upcoming HIPAA security audits. “Health care organizations feel under increasing attack from the Internet,” Messmer writes, “while security incidents involving insiders and disappearing laptops with sensitive data are piling up.” Dr. John Halamka, CIO at both Beth Israel Deaconess Medical Center and Harvard Medical School in the Boston area, was quote as saying: “there is definitely an uptick in attacks. Privacy is the foundation of everything we do. We don’t want to be the TJX of health care.” She then turns to Don Jackson, researcher at Atlanta-based security services firm SecureWorks, who says: “health care organizations store a lot of valuable personal, identifiable information such as Social Security numbers, names, addresses, age, in addition to banking and credit-card information.” Jackson explains how cyber attacks are potentially beneficial to the pockets of criminals who obtain health insurance credentials to use in the “counterfeit document racket, especially in Central and South America.”
At least in terms of electronic communication, it might be time for some hospitals to turn to outsourced email archiving. Encryption, security, and access are all issues for health care providers right now, and these are three issues that email archiving services are well equipped to handle. It is time for hospitals to address the quality and success of their electronic patient data backup and protection. With HIPAA security audits right around the corner, the time to wait before integrating an email compliance solution is really over.
Next generation email archiving? [part 1]
February 26, 2008 at 4:12 pm (archive email, business, corporate, data retention, disaster recovery, e-discovery, e-discovery amendments, edd, eDiscovery, electronic communication, electronic data discovery, electronic discovery, electronic document retention, Email Archiving, email compliance, email litigation, email management, email retention, email storage, exchange 2007, frcp, governance, legal, message recovery, news, politics, thoughts)
I came across an interesting article earlier today on Computer Technology Review regarding the current & future expectations of an email archiving solution in light of modern FRCP eDiscovery requirements. William Tolson has compiled an expert list of capabilities to be considered when choosing an email archiving solution that I feel all U.S. Businesses should review. I am posting an excerpt of his writing below along with the capabilities he feels are pertinent in meeting the demands of regulatory and legal compliance:
“Email archiving solutions should address critical customer requirements around email information archiving, eDiscovery, regulatory compliance, business continuity, and storage optimization. Enterprise-class solutions provide legal search work flow, immediate mailbox and message recovery, disaster recovery, email archiving, and self-service search and access in one solution. By leveraging cost-effective storage, these solutions also optimize email storage and reduce overall infrastructure costs. Next generation email archiving solutions deliver rapid, comprehensive search across millions of emails for litigation ready production and provide the following capabilities:
Rapid eDiscovery: Auditors and legal staff must be able to quickly perform sophisticated search and discovery across centrally managed mailboxes to meet compliance requirements.
Automated, Exchange Disaster Recovery: Reliably protect Exchange information through non-invasive, continuous application shadowing. This process preserves the consistency and integrity of Exchange data and enables “one-click” full email data and service recovery when needed.
Mailbox Storage Management: Reduce storage requirements on the Exchange Server by migrating or “extending” attachments based on policies of age, document size, or mailbox size.
Self-service search of archived data: Seamless self-service access to end-user archived data, enabling them to find potentially lost or deleted messages without IT assistance.
Enhanced support for Exchange 2007: Live Communication Server (IM) and 64 bit Servers – extends content management to include instant messaging and takes advantage of new Exchange 2007 features for disaster recovery, folder level retention, and mailbox level journaling.
Automated PST File Archiving: New “crawler” automatically searches and retrieves PST files from servers, desktops, and laptops based on administrator-defined policies.
Active Directory Integration: Leverages roles defined in Active Directory and provides a version history of Active Directory, including distribution lists. Contents of distribution lists are viewed as they appeared when an email was originally sent or received.
Public Folder Archiving: Performs archiving and continuous data protection for Public Folders and allows auditors to search all Public Folder content and re-create chain-of-custody for compliance and legal discovery.
Scalable Storage & Reduced Archive Storage Requirements: Designed to deliver improved scalability and performance for the archive server with support for multiple databases and extensible storage volumes.
Each of the above criteria is highly relevant in ensuring a smooth email litigation process should such a situation arise. However, does relevancy equal necessity? Which of these factors are truly “business critical”? How essential is having support for Exchange 2007? Does a company need public folder archiving? When does storage really become a problem? Are the above capabilities best used in an in-house or an outsourced email archiving solution? I believe it is important for a business to understand what they need to comply with corporate regulations and legal requirements without spending money and time on things that are simply not necessary. What are the intricate parts of an email archiver that you truly NEED to satisfy compliance? I would like to address this topic in full soon. Stay tuned.
Google to store electronic patient medical records?
February 25, 2008 at 8:28 pm (advertising, archive email, business, cms, corporate, data retention, electronic communication, electronic document retention, Email Archiving, email audit, email security, google, governance, health care, health information, health records, healthcare, HIPAA, hipaa compliance, hipaa privacy, hipaa security, legal, medical records, message archiving, news, politics, thoughts)
I noticed today on Med Tech Sentinel that Google is about to begin experimentation with electronic patient medical records. Douglas Cress writes: “the Cleveland Clinic will facilitate Google’s potential domination of the electronic personal health record (PHR) space. Google chose the Clinic because they offer 100,000 patients the tools to manage their medical records online and coordinate with doctors using a PHR suite called eCleveland Clinic MyChart. An invitation will be extended to 1,500 – 10,000 of these users.” Google will use this trial to determine the level of its security in exchanging “patient medical record data including prescriptions, conditions, and allergies.” C. Martin Harris, Chief Information Officer of the Cleveland Clinic, said: “this collaboration is intended to help Google test features and services that will ultimately allow all Americans (as patients) to direct the exchange of their medical information between their various providers without compromising their privacy.
I believe the term of the day is: “HIPAA compliance.” This two word phrase is beginning to make the news in a big way. On one hand you have the CMS (Centers for Medicare and Medicaid Services) ready to conduct stringent HIPAA security audits of hospitals, and now on the other hand you have Google looking to become the top player in the electronic medical records arena. At the root of Google’s potential conquest is the technology and desire for patients to manage their personal health care records. This need is owed in large part to HIPAA, which ensures that the privileged relationship between doctor and patient is upheld. According to HIPAA, electronic patient health care data must be retained and kept secure in order for a health care provider to be deemed HIPAA compliant. However, providers such as the Cleveland Clinic have begun offering personalized tools for patients to manage their health records online. This new trend is certainly a fine idea and on part with a continuously evolving society, but are there some risks to be noted here? Are there reasons to be cautious of what Google is doing?
Firstly, what is in this for Google? I mean, nothing this noble could come for free, right? Of course not, and the concept to be aware of here is called “targeted marketing.” I am posting an additional excerpt from Douglas Cress below because I think it is important to read:
“Anyone who has spent any time on the Internet (or sorting through spam in their email in-box) should have a sense of how profitable medicine is on the Internet. Based on some cursory keyword research, and my rough calculations, Google is earning $20 million in annual revenues from the keyword ‘Viagra’ alone. ‘Ambien’ costs $2.43 -$3.65 per click; local queries like ‘Brooklyn dentist’ cost $3.71 – $4.98 per click. If Google delivers on their promise of a web portal with 24/7 access to health care information – and they’re certainly well positioned to, with their global web-based architecture and a focus on security – the upside could be tremendous. Google will have the ability to offer a free service supported by advertisers. Think GMAIL for medicine – with ads for doctors, pharmacies, drugs, and devices peppered beside your personal health records and delivered using the same contextual advertising Google is known for.”
This means that much to the delight of health care advertisers your medical records information will be used to assist in the campaign of targeted ads. There is also the issue of Google security here, is a simple password alone really enough to make you feel confident that your electronic health care data cannot be breached? What if your information is hacked? It’s true that it is possible for any system to be tampered with but would you feel more confident in a security provider that specializes solely in that field, or a gigantic corporation that merely uses it as an additional service? Will Google work on encryption? Will Google’s program only be compatible with health care providers that currently offer patients with the tools to manage medical records? If not, how would it work? If Google succeeds and takes this mainstream, how will this affect the email archiving industry? Will health care professionals flock to Google for their HIPAA email compliance needs? Stay tuned.
White House still under scrutiny for email retention policy
February 22, 2008 at 5:25 pm (archive email, business, citizens for responsibility and ethics, Colleen Kollar-Kotelly, company email policy, corporate, data retention, electronic communication, electronic document retention, Email Archiving, email backup, email compliance, email management, email retention, email security, freedom of information act, Kollar-Kotelly, legal, message archiving, news, politics, white house)
Brian Fonseca of Computerworld reports that “District Court Judge Colleen Kollar-Kotelly this week issued an order enabling the Washington-based Citizens for Responsibility and Ethics watchdog group to perform limited questioning of White House officials.” The group had filed suit against the White House Office of Administration last May “seeking access to White House e-mail under the federal Freedom of Information Act.” The discovery ordered by Kollar-Kotelly was issued to “determine whether the Office of Administration is subject to the Freedom of Information Act.” This will be a situation to keep an eye on as the office contends “it is not subject to FOI requests.” Additionally, Fonseca provided insight from Mike Osterman, president of Black Diamond, Wash.-based Osterman Research Inc., who said: “many businesses operate under the false assumption that e-mail is not a business record. A lot of people are not implementing e-mail archiving [processes]; they’re saving e-mail, but not in a cohesive or consistent way. Companies can say ‘Yes, we need to archive,’ but [the process] must be policy driven and taken out of users’ hands.”
Even though I probably shouldn’t, I still find it fairly remarkable that the White House simply cannot respond about the whereabouts of many missing emails. With the advent of internet technology there seems to be this general attitude that electronic communication does not have to be held up to the same standard as traditional paper documents. Many corporate executives and government officials seem to think they can pretend conversations never happened by simply deleting email backup tapes. In theory paper copies could just be burned up, but it seems that the ease of conveniently “losing” emails is what makes it so much more noticeable. It does not require a lot to act as if nothing ever happened. However, with industry regulations and legal expectations tightening the grip on corporate behavior, abusing the age of email messaging is only going to get harder to do. It is high time for all organizations to integrate an email archiving solution, especially when the center of the American universe is being thrown into the grand spotlight for this exact reason.
Does an employees use of email affect compliance with Sarbanes-Oxley?
February 21, 2008 at 9:09 pm (archive email, business, company email policy, corporate, data retention, Email Archiving, email compliance, email retention, email security, email surveillance, legal, message archiving, news, politics, sarbanes-oxley, sox, thoughts)
According to an article written by Paul Chen for the Sarbanes-Oxley Compliance Journal, the answer is absolutely. Chen discusses how “with regulations like SOX in place, organizations must take special precautions to ensure their employees do not send and receive damaging emails via their workplace account.” However, citing a recent survey on corporate email usage conducted by Harris Interactive, Chen says that “nearly half the people polled say they have sent or received jokes, comical pictures/videos, and stories of a questionable tone, while one in five say they have sent or received a password or log-in information via email.” Amazingly, Chen says that the survey also found that “92% of these employees do not have believe that they have ever sent a risky email, which demonstrates that there is a substantial discrepancy between perceived and actual risks posed by email exchange.”
The Sarbanes-Oxley (SOX) act, as described by Chen, requires all public companies to retain their business records, including email, for at least five years. Since Sarbanes-Oxley does NOT specify which documents are relevant and which are not, it makes the practice of email retention significant for all public companies. Businesses cannot afford to preserve only select electronic communications. But with that being said, I have several questions in regards to the survey conducted by Harris Interactive. If the survey results are truly accurate, what does this say about company email policies? Are organizations effectively communicating the use of business email for personal reasons? How about what language is considered proper? Or how about the tolerance of humor? And if a company DOES have this policy circulating around, then why are so many employees ignoring it? Apathy? No fear of consequences? The survey results say that nearly all the employees polled do not believe that they have ever sent a risky email. Therefore it seems that most employees are not even aware that they are doing anything wrong. I believe that companies need to lay out specific rules within the employee email policy and hold review sessions to make sure that the rules are being followed. Additionally, I think that consequences are necessary and should be mandatory to enforce the rules. With SOX email compliance such a crucial item on the business agenda, more companies should be taking the time to make sure that their employee email policy is stringently regulated.
Cayman Islands to host seminar on email archiving and disaster recovery
February 21, 2008 at 5:04 pm (archive email, business, cayman islands, corporate, data retention, disaster recovery, e-discovery, edd, eDiscovery, electronic communication, electronic data discovery, electronic discovery, electronic document retention, Email Archiving, email backup, email compliance, legal, message archiving, news, politics, seminar, thoughts, white paper)
Caymanian Compass, the Cayman Islands’ leading newspaper, reports that a seminar on email archival and disaster recovery will take place on February 21st at the UCCI (University College Cayman Islands) Executive Training Center. According to Rob Eyers, responsible for enterprise business development at Kirk iSS, “Public and private sector organizations in the Cayman Islands are facing similar challenges to their counterparts in other offshore jurisdictions.” He then adds: “the increased use of technologies such as email, sms, instant messaging, Microsoft Office and a range of other types of electronic communications have resulted in substantial growth in data within the enterprise and in turn created a significant data management problem for the IT Department. With 83% of business communication now being electronic, organizations need a solution to reduce the cost of storing, managing, and discovering this electronic tidal wave of business information.”
There are a couple of points I would like to make here. Firstly, there has been a recent surge in the amount of educational resources regarding eDiscovery and email archiving. Within the past month alone I have written about professional research papers, legal guidelines, reports, conferences, and even a judicially acclaimed reference on the topic. What is the significance here? I believe that both industry leaders and experts are finally recognizing the sheer volume of companies that are simply unprepared to deal with the pressures of satisfying an ever strengthening corporate & legal governance. Education and integration of email archiving solutions will continue to be a process, but there is little doubt that progress is being made. Secondly, the geography of email archiving and the locations that might be subject to email compliance regulations in the near future will be interesting to keep an eye on. That this seminar is taking place on the Cayman Islands, a British overseas territory, is a sign of society and corporate governance moving in a specific direction.
Simplicato's Weblog 