Considerations For Healthcare in the Cloud

Healthcare organizations are in the midst of a massive transition, updating decades-old systems to meet current compliance requirements and reconsidering the way they manage, store, and exchange data. This mass migration often includes moving infrastructure to the cloud and replacing or re-platforming electronic health record (EHR) systems.

Cloud computing is sometimes looked on with suspicion by healthcare professionals, especially after several very public breaches in recent months. However, guidance from HHS on how HIPAA applies to cloud service providers and to patient privacy has clarified the obligations on both sides and made it easier for organizations to transition with confidence.

Even with this clearer guidance and the many cloud services now available, there are pitfalls in the transition period, especially as organizations learn and grow. Below are some of the considerations that any organization should keep in mind when migrating and looking to gain more agility through the cloud.

Know Your Service

Before committing to a migration to AWS, Azure, or another cloud platform, know exactly what the provider will and will not be responsible for. Under the shared responsibility model that these IaaS providers publish, the provider secures the underlying infrastructure, while your organization remains responsible for its data, identities, access controls, and configuration. Establishing a good service agreement requires an intimate knowledge of your organization’s needs. Consider which applications and functions are the most essential to your cloud services and build out your priorities from there. Finally, keep in mind that your needs may change over time. A periodic review of what matters from your cloud services will keep your business poised to get the most out of the service you are paying for.

Know Your Security

One of the biggest sticking points when transitioning to the cloud in a healthcare environment is the security of personal data. It is entirely possible to design a cloud infrastructure that fulfills your needs while also being very secure, but this takes planning beforehand. Under HIPAA, a cloud provider that stores or processes electronic protected health information (ePHI) is a business associate, so ask whether the provider will sign a business associate agreement (BAA) and which of its services that agreement actually covers; the major providers publish lists of HIPAA-eligible services, and only workloads built on those services are covered. Ask about your options and how the provider has served similar organizations in the past. They may even have experts able to walk you through the migration process in as safe and expedient a manner as possible.

Know Your Price

Total cost of ownership (TCO) can be surprisingly high for some subscription-based services, and knowing the financial burden of migrating to the cloud is as valuable as knowing the security risks. Design matters a great deal here, and as with my first point, any organization looking to adopt a cloud infrastructure will need to audit its usage carefully to ensure that there are no excess costs. Scalability is also important: a good cloud design allows an organization to add capacity or dial it back as needed.

Know Your Performance

Your network is defined not only by how data is stored, but by how quickly it can be moved and retrieved. Slow networks are frustrating at best, and in a healthcare environment can even risk lives. Consider both application structure and the location of the data when designing a cloud environment to maximize performance, and ensure that key applications and workloads receive priority. These decisions are far easier to make during the initial design than to retrofit once workloads are running.

Pillars of a Strong Compliance Culture

While professionals in a variety of industries have striven to adapt to changing regulatory standards, getting an entire company on board is a far different matter. Compliance officers have taken it upon themselves to become well-informed about the subject matter and the near-constant barrage of changes that affects it.

That said, a compliance officer trying to single-handedly bring a business up to regulatory standards is akin to trying to extinguish a fire with an eyedropper. Even if one person tries to implement all of the changes necessary, they are, in fact, only one person. Not only does the entire team need to get involved, but the entire team needs to be invested as well. Education is only effective if employees are willing to put procedures into practice and audit their own behavior. Getting them to care is perhaps one of the greatest challenges a compliance professional faces.

For any compliance program, the first step is to build on a framework that has already been tested in other industries rather than inventing one from scratch. While compliance is certainly necessary to obey the law, it also confers other benefits and allows a company to stay competitive. If a firm is able to comply particularly well, it can even strive to obtain a HITRUST certification and distinguish itself further.

Once a company has established industry best practices, it’s time to look at how personnel are trained to achieve compliance. Training is a good first step, but compliance officers must find a way to engage employees effectively. The good news is that processes that lead to good compliance can also lead to increased productivity for employees. Try to simplify workflows and eliminate tasks that lead to possible compliance issues. Employees will be more supportive of changes if they feel that they benefit from them as well.

And employees should be incentivized for practicing good compliance. Establish both good compliance practices and well-defined rewards for following them. Structure any incentive to fit into the everyday workflow of employees and make them aware of how they can contribute.

Organization is also key. Data should not just be kept safe; it should be classified by sensitivity and segregated accordingly. Whether digital or on paper, part of compliance culture should cover the way data is handled, backed up, and disposed of. This is something that every employee has to be a part of, from C-suite executives right down to new hires. Don’t start a training program meant to elucidate the finer points of data safety and then fail to follow it up with anything.

Each employee may need a specialized approach to compliance. While anybody can fall victim to something like a phishing scheme, differences in data access mean that a selection of training programs and follow-ups is necessary to cover common issues. Tailoring these initiatives to risk levels helps a company create an experience that is unique and relevant to everyone.

A skilled compliance officer can change the course of an organization through creating a culture based on compliance. Even as companies scramble to keep up with new regulatory environments, many are realizing that making these changes sooner rather than later can have a lasting impact and generate a significant competitive advantage.

The New Age of Data Compliance

The constant advance of tools necessary to generate and share data has created an environment in which developments are made by increments and security measures struggle to keep up with the latest variety of cyber attack. Indeed, many corporations have fallen victim to these new threats, and even a small breach can cost a company dearly in both money and reputation. Perhaps the most egregious example of this has been the recent Equifax breach, which compromised customer information and sparked a discussion about the efficacy of cybersecurity.

As they say, an ounce of prevention is worth a pound of cure, and that’s where information compliance comes in. It’s worth noting that compliance is not the same thing as cybersecurity. Security is largely IT-centric and must keep pace with an ever-changing set of threats, whereas compliance involves promoting best practices across the corporate community so that a breach is less likely in the first place; the two complement each other rather than substitute for one another. A staggering number of cyber attacks are made possible by the negligence of employees, and it’s up to corporate leadership to ensure that everyone is informed of the ways they can prevent a click from turning into a catastrophe.

The benefits of compliance are manifold. The difficulty of implementing security solutions that account for a business’s needs, budget, and information distribution means that compliance is more important than ever. In-house IT is often outmoded as well; if your company does not work in technology, there is a good chance that better external options are available. Additionally, reducing the risk of a cyberattack is valuable from a legal standpoint, and compliance helps provide the thorough documentation that allows for a better response in the event of an attack.

So how does a business leader implement good compliance practices in an impactful way? It can be difficult to steer an entire business in this direction, especially considering that one case of negligence can lead to disaster. Many make the mistake of believing that such initiatives should be IT-led, when in fact the IT department should guide teams in the right direction rather than micromanaging the entire effort.

Education is an important step in the right direction. Even with thorough countermeasures in place, a simple email phishing scheme can spread quickly if not recognized. Recognizing fraudulent emails is a great topic of conversation, as is creating strong passwords. Education should be paired with least privilege: give employees access to files and documents only on a need-to-know basis, and record who accessed what. It may seem like an unnecessary hassle, but it limits how much a single compromised account can expose, and the access records let the original intrusion be isolated and tracked.
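The need-to-know rule above is easiest to reason about when it is written down as a policy that denies by default and logs every decision. The following is an added example, not code from the original article: a small deny-by-default access check with two rules (clearance must cover the document’s sensitivity tier, and the user must belong to the document’s compartment), plus an audit log that is used to measure the blast radius of a compromised account and to flag an account that is probing documents it has no business reading. The users, departments, sensitivity tiers and document names are constructed for illustration.

```python
"""Deny-by-default, need-to-know access control with an audit trail.

Added example; all principals, documents and labels are constructed.
"""
from dataclasses import dataclass
from typing import List, Set, Tuple

# Sensitivity tiers, lowest to highest. "phi" is protected health information.
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "phi": 3}


@dataclass(frozen=True)
class Document:
    name: str
    level: str        # sensitivity tier, a key of LEVELS
    department: str   # need-to-know compartment that owns the document


@dataclass(frozen=True)
class Principal:
    user: str
    clearance: str            # highest tier the user may read
    departments: Set[str]     # compartments the user belongs to


@dataclass(frozen=True)
class AuditEvent:
    user: str
    doc: str
    decision: str   # "ALLOW" or "DENY"
    reason: str


class AccessPolicy:
    """Evaluates access requests and records every decision."""

    def __init__(self) -> None:
        self.log: List[AuditEvent] = []

    def check(self, p: Principal, d: Document) -> bool:
        # Rule 1: the user's clearance must dominate the document's tier.
        if LEVELS[p.clearance] < LEVELS[d.level]:
            return self._record(p, d, "DENY", "clearance below document sensitivity")
        # Rule 2: non-public documents also require compartment membership.
        if d.level != "public" and d.department not in p.departments:
            return self._record(p, d, "DENY", "outside need-to-know compartment")
        return self._record(p, d, "ALLOW", "clearance and compartment satisfied")

    def _record(self, p: Principal, d: Document, decision: str, reason: str) -> bool:
        self.log.append(AuditEvent(p.user, d.name, decision, reason))
        return decision == "ALLOW"

    def denied_for(self, user: str) -> List[str]:
        """Document names this user was refused, in the order attempted."""
        return [e.doc for e in self.log if e.user == user and e.decision == "DENY"]


# Constructed document corpus.
CORPUS = [
    Document("holiday-schedule.pdf", "public", "hr"),
    Document("staff-directory.xlsx", "internal", "hr"),
    Document("vendor-contract.docx", "confidential", "finance"),
    Document("billing-q3.csv", "phi", "finance"),
    Document("patient-12345.json", "phi", "clinical"),
    Document("lab-results.csv", "phi", "clinical"),
]

# Constructed principals. ADMIN_LEGACY models the "everyone can read
# everything" setup the article warns against.
NURSE = Principal("nurse.jane", "phi", {"clinical"})
CLERK = Principal("clerk.bob", "confidential", {"finance", "hr"})
ADMIN_LEGACY = Principal("admin.all", "phi", {"hr", "finance", "clinical"})


def blast_radius(p: Principal) -> int:
    """How many documents an attacker holding p's credentials could read."""
    policy = AccessPolicy()
    return sum(1 for d in CORPUS if policy.check(p, d))


def probe_and_flag(p: Principal, threshold: int = 2) -> Tuple[List[str], bool]:
    """Simulate a phished account trying every document.

    Returns the documents it was denied and whether the number of denials
    reached the alerting threshold, i.e. whether the audit trail would have
    surfaced the account for investigation.
    """
    policy = AccessPolicy()
    for d in CORPUS:
        policy.check(p, d)
    denied = policy.denied_for(p.user)
    return denied, len(denied) >= threshold


if __name__ == "__main__":
    for who in (NURSE, CLERK, ADMIN_LEGACY):
        print(f"{who.user}: blast radius {blast_radius(who)} of {len(CORPUS)}")
    denied, flagged = probe_and_flag(CLERK)
    print(f"{CLERK.user} denied on {denied}; flagged={flagged}")
```

The two scoped accounts each expose three documents, the legacy read-everything account exposes all six, and a phished clerk account that starts probing clinical records produces three denials, enough to surface it from the log. Real systems express these rules in their IAM or file-share permissions rather than in application code, but the properties to check are the same: deny by default, compartment by need to know, and keep the decisions.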

Of course, even if all of this information is imparted to employees, there’s still the matter of convincing all staff members to abide by it. I cannot stress enough the importance of a business being “all-in” when it comes to compliance. Change should therefore start with leaders and work its way down. The tools necessary to ensure compliance should also improve the quality of an employee’s working life; if people are forced to take extra steps, they are far less likely to adopt the new measures. Thoroughly research compliance solutions and work to automate as much as possible. Check websites pertaining to your industry for more information about compliance guidelines and ways to safely share information. Governmental regulations should also be researched and observed.

Ensuring proper compliance can be a difficult task, but far worse is the prospect of lost or corrupted data. It is up to corporate leaders to choose to adopt a culture of compliance and enforce the standards that continue to become more and more necessary in the wake of devastating cyber attacks.

Compliance In The Cloud World: Challenges and Opportunities


The following is a podcast recorded by Scott Maurice. Listen here, or read the full transcript below!

Audio: http://scottmaurice.com/wp-content/uploads/scottmaurice-com/sites/521/scott_podcast.mp3

Hi, my name is Scott Maurice. I am managing partner and cofounder of Avail partners in Seattle. We’re a technology business and consulting practice that specializes in helping clients and business leaders achieve their strategic objectives. We leverage the technologies that are available to us in this new cloud age to do that.

What we’re going to be talking about today is compliance in the cloud world; some of the challenges and some of the opportunities that are presented with the advent of utility computing and the cloud economic model. We’re going to be talking about how compliance is different than security, and we’ll also be talking about how to think about and leverage compliance as a competitive advantage and as a strategic objective as opposed to a burdensome program that you are susceptible to.

The cloud presents new challenges with respect to compliance. However, it also presents certain very strategic opportunities. One of the most difficult things to deal with when faced with regulatory compliance is establishing that, one, I am compliant at a point in time, and that’s easily facilitated with an audit, typically, and two, which is more challenging, how do I maintain a state of compliance for an ongoing period, and how am I assured that compliance is in fact in place? In other words, how do I ensure that I’m compliant with the law without having some defined audit period and going back and proving that, at certain snapshots, whether that is annually or biannually or semiannually, I am compliant at that juncture, or have been compliant over an audit period?

In terms of risk mitigation and data protection, you really do want to ensure that you are consistently compliant. In other words, the first time you fail to be compliant with a datum, you know about it, can remediate it quickly, and prove that you’ve restored your compliance. So the cloud presents challenges in that regard because some of the traditional quick and dirty methods for ensuring compliance of data and data protection are simply to say, “Hey, I secured the entire storage subsystem because it’s all under my control, or the entire server is under my control.” Those paradigms do not translate directly into a computing utility environment or a cloud environment.

That’s the challenge. How do I ensure compliance in something that is not under my direct control? The opportunity, however, is a lot more satisfying. One, you have to realize the fact that it is rare to find enterprises, especially in the mid market, that have the expertise in-house and the wherewithal and resources to continually ensure that data is protected, that permissions are enforced, that policies are enforced. It is a full time job. It can be very daunting, and it can be very expensive. So I guess the first part of the opportunity is realizing that, even if I do have all of the assets under my direct control, I’m not necessarily in the best position to ensure ongoing or continuing compliance because I don’t have the expertise, the resources, or it may not be in my financial best interests. That may be a deal killer. Upon that realization, opportunities present themselves with cloud providers and utility computing providers, where there are individuals that are dedicated to just that function.

Along with that, because they are service providers in that regard and not enterprises where they’re running this as part of a cost center, there are economies of scale that can be garnered from leveraging that kind of service. They have streamlined and optimized their service, particularly for one set of compliance regulations or another. There are specific data protection practices and rules that they can set up and enforce. And they have the capability to hire, retain, and provide training for human capital resources to be dedicated to that work. And so, when you share that burden across multiple organizations, it does represent an economy of scale, especially in the mid market, to be able to facilitate an ongoing if not complete information security and protection program. That is a rare opportunity that has only surfaced since we’ve been in this cloud environment.

That’s a little bit about the challenge and the opportunities that are available to us by leveraging some of these third parties that are dedicated specifically to security compliance.

Any organization can take steps to onboard a third party or organization that can help them ensure compliance. Some of those steps involve understanding what compliance regulations they are susceptible to. Many organizations are not immediately aware of the fact that they have a compliance issue or may have miscategorized the compliance that they fall under. Step one is understanding what rules, what compliance you’re striving for. Two, which is equally as important, is understanding the value of such compliance. Often, in regulated industries, it is highly competitive. Because it is so daunting to effectively manage a compliance program, being able to onboard one quickly and effectively can be a strategic advantage. So, to what extent are you advantaged by having an information security compliance program instituted very quickly and with complete professionalism? Understanding that is the second step.

The third step is going through a market intelligence process and a reevaluating process to determine which of the many third parties that are out there can help you accomplish your mission most directly. Often, there are several good candidates, and the differentiation between those parties with respect to any given organization is really more about the cultural fit, how to work together. Compliance is largely a human-capital-driven exercise, so you do have to work well with that third party. That has everything to do with, one, your corporate objective, and two, your corporate culture. That third step, in terms of really evaluating the different providers and the different options there, can be daunting, but it does go back to having a singular focus on your objective, your mission, and what provides a strategic advantage in your industry and how it helps you drive your corporate objective, whether that’s revenue attainment or improving patient outcomes or public policy, etc. So those are three solid steps.

The third one can be fairly daunting because there are a lot of providers out there, but there’s also a lot of information to help you make that evaluation quickly and succinctly. And as a final step, I think that oftentimes we are just human beings. We are reluctant to relinquish control of things that we are accustomed to controlling. So for any organization that is not either born in the cloud or willing to undertake a transformation, if you have an environment that’s been around for some period of time and has been working, and you haven’t had an exposure yet, it can be daunting to let some of those things go. But that fourth step is really evaluating those things that can be done better, faster, cheaper, more completely by a third-party organization as opposed to retaining it in house.

And with my clients, what we’ve experienced is that often, the tradeoff between relinquishing that control is the immediacy of accomplishing a goal. Many compliance regulations have an audit period that looks back. That lookback period can be six months to a year, maybe longer, and often there are multiple domains for which that period is enforced. Accomplishing that lookback period and audit for multiple domains can lead to higher levels of attestation, where you can have it attested to that you are more completely secure or compliant with a set of regulations the further back you look and the more domains you can incorporate. For an organization just starting out, they may not have been prepared for an audit period that goes back six months. They may not have been ready six months ago, or a year ago. Often, third-party organizations have environments that are prebuilt, in which they host or manage a client’s workloads, especially with the utility computing advantages in the cloud environment.

And they can provide that lookback period, even though you may not have been a client at that time: by immediately moving your workloads, moving your data, moving that information to a compliance-ready environment, they can immediately provide a lookback period for all of the domains that are compulsory for your compliance regulations. There’s definitely a distinct advantage to leveraging that very quickly and saying, “I don’t have to wait another six months or a year before I can make the attestation of compliance a competitive advantage for me. Because I’ve moved my workloads and migrated into a compliance-ready environment that already has the attestation, I can begin to use it very very quickly.” So the advantage can be realized sooner rather than later.

The future of third party organizations and their evolution, as they continue to adapt to continue to serve clients as compliance changes and as the business landscape changes, are multiplicative. They necessarily have to differentiate themselves within either a vertical or industry or with respect to that specific compliance or an aspect of that compliance. Oftentimes, there are things that are very daunting that a third party organization has the resources to tackle with great aplomb and also for the huge benefit of their clients. The evolution of these things is better accomplished by these third party organizations because of the resources that they can bring to bear, but in no small part due to the research and development of new technology.

So, a lot of the buzzwords we hear bandied about like “artificial intelligence” or “blockchain” when it comes to encryption and security, these are things that require a lot of time, a significant amount of expertise, and they do require financial resources in order to bring them to bear. These third parties are often in a much better position to be able to do that very quickly and vet those things across a broad spectrum of clients than any given enterprise, especially in the mid market. So I think what we’ll see is early adoption by a lot of these third party organizations that are providing that compliance and providing that data protection. We’ll see that early adoption from them, and it will be more stable as they roll it out. They’ll incorporate those technologies into packaged solutions for data protection in a specific use case.

For example, in the medical field, if you’re under HIPAA regulations but would like to provide instant messaging between medical professionals and have sensitive data passed through that messaging platform, that can be a huge issue. It’s such a huge issue that most enterprises in the healthcare space don’t provide instant messaging. But that is something where a product with a specific utility is where a benefit can be realized very quickly; a doctor or nurse can exchange sensitive data over a secure messaging platform and ensure that that data is not being compromised. Technologies like artificial intelligence that apply fuzzy logic to know when to take out sensitive pieces of information and when to leave them in; things like blockchain, to be able to validate that data was not compromised when in transit; encryption technologies, to ensure that the data, while it rests and in flight, was secured and not compromised: these are technologies that are difficult to research and develop together as an enterprise. When you apply it to a broad spectrum of clients and have that offered as a singular product, it becomes far more feasible.

So I think that’s what we’ll see. They’ll evolve to incorporate those new technologies everyone is talking about more rapidly than the enterprises will be able to do. And they’ll do it more completely, so they’ll be able to offer a utility that is functional for the end user, as opposed to a set of technologies that then have to be rolled into a larger infrastructure or application architecture.

The last thing that I would like to say, just to round things out, is that compliance and security are often conflated. That can be a huge distraction. Keeping something secure inherently means limiting access to it. Compliance is not about limiting access, it’s about ensuring the access to information is well regulated. I would be careful, for any mid market organization or any organization at all, not to conflate security and compliance. Often, we use security measures to ensure compliance, and to ensure that data is protected as it is being shared and that it’s being shared appropriately. We can validate that there is good behavior and catch bad behavior and remediate it quickly. Certainly, a lot of security tools are leveraged for that, but simply leveraging security or implementing security practices or security toolsets without a specific goal, the framework of the compliance regulations, can be a fruitless endeavor, be incredibly expensive, and ultimately, if there is no specific goal, it can lead to a lack of differentiation and competitive advantage.

I would just caution anyone who is faced with a compliance situation not to conflate compliance with security; they’re not the same thing. Pursue a compliance program as a strategic initiative, a differentiator in your industry or market, and as a competitive advantage against competitors. There’s certainly not a faster way, in my experience, to do that than to leverage the cloud environment and a team of experts that are available on demand from a third party and provide attestation sooner rather than later.


Gartner’s Guesses—Predictions for IT in 2018

As another year begins to draw to a close, industry experts are already looking to the future. The IT industry has been dynamic over the past few years, with innovations such as improvements in cloud computing, machine learning, and even IT management propelling it forward. At the recent Gartner Symposium/ITxpo 2017 in Orlando, FL, Gartner laid out its predictions for the future of IT, painting a picture of the industry as more integrated with business than ever. IT is now so central to operations that businesses can no longer afford to isolate their departments, and Gartner knows this.

Since IT is often a means of improving products/services and generating additional revenue, Gartner’s central point was that professionals in the industry will need to have a working grasp of business tactics and company goals. From there, they can set up IT departments that maximize technology usage to meet these goals. CIOs, Gartner believes, will become more integrated than ever into business operations and become important collaborators for the companies they work for.

One trend that Gartner discussed was cryptocurrency. Starting as a technological curiosity, cryptocurrencies such as Bitcoin have since attracted significant interest for their value in facilitating swift and secure transactions. While working cryptocurrency into business models has proved to be slow going, Gartner predicts that over $1 billion in business value will be derived from it by 2020. They were also optimistic about the future of IoT-enabled devices, predicting an upsurge in these products with smartphone integration.

However, there were other trends that Gartner was less bullish about. The aforementioned prediction about IoT devices came with the caveat that billions of dollars will be necessary for companies to safely harness this technology. IoT devices are notoriously difficult to secure: they are numerous, heterogeneous, sit outside traditional network perimeters, and often lack a practical way to receive security updates. Money spent remediating them is money that would otherwise have gone to improving cybersecurity elsewhere.

The use of AI was also the subject of controversy for Gartner, with the company citing it as a potential contributor toward a future age of digital mistrust. While they praised the ability of AI to help inform business decisions, they also believe that its use on the web will hasten the spread of false information. This has social and financial implications, with Gartner stating that a major fraud as a result of these prolific falsehoods will occur by 2020. Commercial projects to detect and halt fake news have already begun, and a tenfold increase in these projects is predicted in the coming years.

Still, IT is slated to prosper. As its role in business changes and it becomes more integral to operations, the industry is expected to grow, with a predicted 2.3 million jobs created as opposed to 1.8 million eliminated. Early adoption is, as always, important in the IT sector, and one of the latest trends, visual and voice search, may be the next big investment. Both are growing quickly, and large tech companies are expected to invest in improving their visual and voice query offerings through the use of AI.

There is a lot on the horizon for IT. While these improvements will undoubtedly be a boon for the companies and individuals that harness them, a level of caution is necessary. Much of this technology is relatively untested, posing security and operational concerns for businesses. Now more than ever, a need for skilled professionals is arising to ensure that companies are able to adopt in an efficient and safe manner.