The ABC’s of Data Security

By Dr. Ravi Raheja

As hospitals and practices race to implement electronic medical record systems, their IT departments have less time to work with other technology projects. While the benefits of working with a hosted call center are abundant, call-center IT is not on the priority list of the information technology division of any organization. One way to work around this is by using hosted products or SaaS (software as a service) solutions. These hosted solutions decrease or completely remove the burden of maintaining call center functionality.

Benefits of a Hosted Solution: There are several key benefits of using a hosted solution, including:

  • Decreased cost: In general, hosted solutions have a lower up-front investment. This benefits organizations that do not have a large capital budget.
  • Increased speed of deployment: Companies that provide hosted solutions specialize in implementing their products. This enables call centers to get functions and features in a relatively short time frame. It also prevents the call center from having to get onto their own IT’s priority list to get the project started.
  • Increased flexibility: Most hosted solutions are Web-based. This inherently allows better remote access and easier updates to the system. Quality hosted solutions also provide a variety of configuration options that allow the client to customize the software to meet their individual needs.

Data Security: While using a hosted product minimizes many complications, organizations must ensure that their data is not only available 24/7, but that it is properly secure and managed in accordance with HIPAA standards. In the case of hosted call centers, the product vendor is relied upon to provide the proper infrastructure and security to maintain compliance with HIPAA. As such, it is important that medical organizations know what to look for and the questions to ask when they are considering a hosted solution or SaaS.

Hosted solutions are involved in two main aspects of security: the security of the actual server and the security of the data center. Both of these aspects have standards that can be followed to ensure that the hosting company is providing the high level of quality security required of a medical system.

The Digital Dozen of Server Security: The PCI Security Standards Council originally developed a framework of specifications and tools to certify the safe management of credit card data. At the cornerstone of this framework is the PCI Data Security Standard (PCI-DSS). PCI-DSS comprises twelve requirements designed to ensure the security of data hosted on a server.

As medical systems have inherently sensitive data, these same requirements are now utilized in quality medical IT systems. Medical practices interested in working with a hosted call center should verify that the twelve PCI-DSS requirements are being followed:

  1. Install and maintain a firewall configuration to protect PHI (protected health information).
  2. Do not use vendor-supplied defaults of system passwords and other security parameters.
  3. Protect stored PHI.
  4. Encrypt transmission of PHI across open, public networks.
  5. Use and regularly update antivirus software or programs.
  6. Develop and maintain secure systems and applications.
  7. Restrict access to PHI on a business need-to-know basis.
  8. Assign a unique ID to each person with computer access.
  9. Restrict physical access to PHI.
  10. Track and monitor all access to network resources and PHI.
  11. Regularly test security systems and processes.
  12. Maintain a policy that addresses information security for employees and contractors.

Certified and Audited Data Center Security: Just as there are standards for the security of the server, there are standards for the security of the data center. The data center, where all the data is housed, must have a variety of security safeguards in place in order to properly protect the data it stores.

  • Independent auditing: Annual auditing of all systems of service should be completed.
  • IT staff that is ITIL certified: ITIL is a framework for identifying, planning, delivering, and supporting IT services. Having ITIL certified staff ensures the delivery of appropriate services and continual developments to meet business goals.
  • SSAE-16 certification: A highly regarded certification for data centers is SSAE-16 certification, signifying centers that meet the qualifications and adhere to a strict set of international standards. Due to the stringent auditing involved, choosing an SSAE-16 service provider ensures the highest levels of transparency and accountability.
  • ISO 9001:2008 certified and registered: This family of standards is designed to ensure that companies meet the needs of customers while complying with statutory and regulatory requirements. Certified through an independent auditor, the certification is based on an extensive sample of its sites, functions, products, services, and processes.

Other Critical Considerations: While highly technical and management standards are vital to data safety and security, do not overlook the importance of two other security-focused standards that a hosted call center should have in place:

  • Data hosted and stored in the continental United States: Not all countries adhere to the same strict standards as the United States. If you need to follow US security standards, it is important to make sure that the data is continually hosted and stored in the US to avoid data and privacy corruption.
  • Disaster recovery plan: Make sure a plan has been developed to optimize server up time and provide a backup server that is less likely to encounter the same circumstances as the primary.
    • Backup server in another physical location on the opposite coast
    • Live database replication to backup server – within seconds
    • Daily and hourly database dumps
    • Replication logs of every data change can be re-run to rebuild databases.
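
The dump-plus-replication-log recovery described in the last two bullets, as an added example (not from the original article or any vendor's system). It uses an in-memory SQLite database as a stand-in for the hosted database; the table name, helper functions and sample rows are constructed for illustration.

```python
import sqlite3

def apply(db, log, sql, params=()):
    """Run one change on the primary and append it to the replication log."""
    db.execute(sql, params)
    db.commit()
    log.append((sql, params))

def take_dump(db, log):
    """Return a full SQL dump plus the log position it corresponds to."""
    return "\n".join(db.iterdump()), len(log)

def rebuild(dump_sql, log, position):
    """Restore the dump, then re-run every logged change made after it."""
    restored = sqlite3.connect(":memory:")
    restored.executescript(dump_sql)
    for sql, params in log[position:]:
        restored.execute(sql, params)
    restored.commit()
    return restored

def rows(db):
    return db.execute("SELECT id, note FROM calls ORDER BY id").fetchall()

def demo():
    # Constructed sample data; no real records.
    primary, log = sqlite3.connect(":memory:"), []
    apply(primary, log, "CREATE TABLE calls (id INTEGER PRIMARY KEY, note TEXT)")
    apply(primary, log, "INSERT INTO calls (note) VALUES (?)", ("triage call A",))
    dump_sql, position = take_dump(primary, log)  # stands in for the hourly dump

    # Changes after the dump exist only on the primary and in the log.
    apply(primary, log, "INSERT INTO calls (note) VALUES (?)", ("triage call B",))
    apply(primary, log, "UPDATE calls SET note = ? WHERE id = ?",
          ("triage call A (closed)", 1))

    dump_only = rebuild(dump_sql, log, len(log))   # restore dump, replay nothing
    dump_plus_log = rebuild(dump_sql, log, position)
    return rows(primary), rows(dump_only), rows(dump_plus_log)

if __name__ == "__main__":
    primary, dump_only, dump_plus_log = demo()
    print("primary:        ", primary)
    print("dump only:      ", dump_only)
    print("dump + log:     ", dump_plus_log)
```

Restoring the dump alone loses everything written since it was taken; replaying the log from the dump's position brings the rebuilt copy back in line with the primary.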

Seven Questions to Ask: Medical organizations interested in working with a hosted IT solution should have a basic understanding of the standards and certifications discussed. By simply asking potential service providers the following questions, you can identify how secure your data will be.

  • Do your servers meet all twelve PCI-DSS standards?
  • By whom and how often is your data center audited and certified?
  • Is your IT staff ITIL certified?
  • Are your data centers SSAE-16 certified?
  • Is your data center ISO certified?
  • Is your data hosted and stored in the continental United States at all times?
  • What is your disaster recovery plan as it relates to data?

Dr. Ravi Raheja is CEO and director of sales and technology at TriageLogic. Please contact him with questions or comments at ravi.raheja@triagelogic.com.

[From the April/May 2013 issue of AnswerStat magazine]