HIPAA Compliance and Ransomware: What You Need to Know

If you work in the medical field or for a health care provider, chances are you’re very familiar with HIPAA guidelines and how they pertain to patient care. But are you familiar with how HIPAA affects your IT environment? When it comes to HIPAA and patient care, most people are already familiar with the HIPAA Privacy Rule, but how familiar are you with the HIPAA Security Rule? Due to recent events regarding ransomware and the Erie County Medical Center, HIPAA compliance – along with data security – has become more important than ever.

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) regulates the use and disclosure of Protected Health Information (PHI). This applies to (but is not limited to) health insurers, medical service providers, health clearinghouses, and employer-sponsored health plans. From April of 2003 until January of 2013 there were over 91,000 HIPAA complaints, which led to 22,000 enforcement actions. As if going through legal litigation isn’t bad enough, violators also pay a pretty penny per HIPAA violation. In 2010, Cignet Health of Maryland was fined 4.3 million dollars simply for not providing patients with copies of their medical records when requested.

How can HIPAA compliance affect your daily operation?

Now that we’ve established how important HIPAA is, let’s break down how this may affect your operations on a day-to-day basis. To do this, I’m going to refer back to ECMC. When ECMC was initially hit with the cyberattack, they were given an option to settle for 1.7 bitcoin (the equivalent of $4,644 U.S. dollars). This may not seem like an astronomical amount of money; however, the $4,644 figure was per infected machine. If you take into account how many machines a small- to medium-size office may have (likely around 10 to 15), you’re looking at a starting point of around fifty thousand dollars and up (now the fee seems a bit more severe). On top of the monetary losses, you also must take data security, HIPAA fines, downtime, productivity loss, and reputation into account.

Hopefully we now see the consequences of not being HIPAA compliant, but how does HIPAA compliance help protect your data?

The first step in becoming HIPAA compliant, from an IT perspective, is to have an audit of your environment completed. This way a managed service provider can provide a detailed scope of your environment, along with an IT roadmap, which will help you to plan for future expenses and potential issues. During the audit, multiple scans of the environment will be run. Some of the scans will make sure your hardware and software are up to date, and will also check for any security vulnerabilities or possible holes in your infrastructure configuration management.

After the audit has been completed, an engineer will sit down with you and explain the findings and recommendations. Sometimes the recommendations may be minor in scale and can be implemented in a very short amount of time. On other occasions the engineer may find larger holes or more serious issues which need to be addressed in a more urgent manner. As an example, a main part of being HIPAA compliant is having a full off-site backup. If the audit is completed and no backup is found, an engineer will sit down with you and provide you with a detailed proposal which will help you protect your data in the event that you are ever attacked by malicious software and data loss does indeed occur.

As technology continues to advance and hackers become more sophisticated, data security increasingly becomes a top priority for organizations like yours. We’ve seen foreign countries/governments “hack” U.S. computers with the explicit interest of stealing intellectual property and extorting money from U.S. businesses. A HIPAA security audit is a great way to make sure this doesn’t happen to you.

How to Plan a Successful VDI Implementation

Implementing a New Technology

Implementing VDI, whether hosted (Desktop as a Service) or on-premise, is a big undertaking involving a lot of change. Managing that change is crucial to the success of the initiative. When implementing any new technology for the first time, there are several things to consider.

Evaluate: First, evaluate your current processes, procedures, and practices. What’s working well, what isn’t? Where can you improve? Decide where technology will make the biggest impact in the way you work. Target the areas that will have the biggest payoff on your investment dollar – the best ROI.

Strategize: Next, think about your optimal business situation. What are your goals? Where is your company headed – ideally? How will you get there? What are the gaps between where you are today and where you want to be? Identify the technologies that will take you to the next level.

Plan & Implement: Once you’ve identified the areas of improvement and decided on a technology solution to close the gap, you need to form an implementation plan. Identify and prioritize your “quick wins” to build momentum and buy-in from staff and management.

Educate, Communicate and Document: With any new technology or way of working there will be questions, concerns, and skepticism. Staff development, training, and good communication are essential to the success of any new initiative. Bring everyone up to speed and keep them informed, and the change will be much easier to manage.

Continuous Improvement: Once your implementation is completed you’re certainly not finished. Look for other opportunities to build on your success. Uncover ways to continually improve (Kaizen). Especially when it comes to technology, you can’t stand still or you’ll be left behind.

Getting Started

We take a Crawl – Walk – Run approach to VDI implementation.

Crawl
Start with a demo. This is your proof of concept. Does this technology really work? If it does work, will it provide me the performance that I need? At Advance2000, demo accounts are free and a good way to vet the solution without spending any money – just a little time.

Walk
The next step I’d recommend is a pilot. By a pilot, I mean a small implementation for a project or the office. This is a real test. You should set up goals and metrics for the pilot; you can measure uptime and test support. Then verify the actual performance: does it meet or exceed your expectations? What questions and problems do you encounter? Is it easy to use? And what training is needed?

Run
Finally, once you are satisfied and believe that all is good and this new endeavor will save you time and money, plan a full implementation that can be a single project or involve your entire company.

Migrating to a Hosted VDI Solution

There are 7 steps to a successful VDI implementation:

  1. Decide on an approach
  2. Infrastructure plan – hardware
  3. Software integration
  4. Communication plan
  5. Training plan
  6. Wrap up
  7. Measure success

Decide on an Approach

How are you going to implement VDI? There are three approaches that we see used frequently: by project, by department, or by office. (Or you might use some combination of these three.)

Some firms start with a single project as a pilot and then once that project is running well, move a second project to the cloud. They continue to migrate to VDIs – project by project – until most of the work is being done on VDI. At that point, you will have most of the firm in the cloud. You can then migrate the rest of the company using one of the methods described below.

One option is migrating by department. Sometimes it’s easier to move entire departments to the cloud. Departments like HR, accounting, and other independent departments can move to VDI without disrupting the rest of the firm. This approach is usually less disruptive to the projects, as well.

For a multi-office company, you can migrate to VDI office by office by cutting over their desktops and storage one office at a time. You can even space it out and do one office per month. This approach can be difficult if you collaborate a lot between offices, but if each office is independent it works well. Make sure you don’t make the migration longer than necessary. If VDIs provide a measurable benefit, you want to take advantage as quickly as possible.

Infrastructure Plan

The next step is to identify and formulate an infrastructure plan. You need to determine which assets are going to be virtualized and run from the data center. Conduct an inventory of the types and quantities of desktops and servers you operate so you can determine what you need in the data center to support your staff. What kind of bandwidth and firewalls do you need to connect to your VDIs? Keep in mind that data circuits can be one of the longest lead time items on your implementation schedule.

Next, build the VDI infrastructure in the data center, migrate your data, set a date, and plan the cutover on a weekend. The following Monday morning everyone should be prepared to use the new technology.

Lastly, determine what to do with older desktops and laptops. You can keep them and run them until the wheels fall off, sell them, trash them, or give them away to employees or charity.

Don’t forget to follow up and make sure that everything is working well.

Infrastructure Plan Overview:

  • Circuit upgrades (long lead time)
  • Server inventory
  • Desktop inventory
  • Set up virtual infrastructure in data center
  • Copy all data to the data center
  • Verify data is synchronized
  • Complete WAN upgrade
  • Set cutover date
  • Deactivate local servers
  • Do the final data sync to the cloud
  • Set up cutover – usually over a weekend
  • Test all systems – printers, scanners, etc.
  • Go live!
  • Follow up: uncover issues / develop a punch list / troubleshoot

Software Integration

Make sure all your software works well on a VDI. Verify that your software can legally run on a VDI. Some software manufacturers strictly forbid use on a VDI or in a virtualized environment. Test all programs to make sure that the performance is good. If you have any software that requires special hardware (dongles, card readers, cameras, etc.), verify it works on a VDI and that you have any necessary interface hardware needed.

Communication Plan

Good communication can make or break any technology initiative. Take time to tell staff what to expect, keep them informed throughout the process, and follow up after the completion of the initiative.

What exactly should you communicate to your staff?

Here are some ideas:

  • What is a VDI?
  • Why are we using VDIs?
  • What is the plan to migrate to VDI?
  • What can you expect, how will we work differently?
  • Share your migration plan and milestones
  • Conduct a post cutover Q&A
  • How will you get help / support?

Good communication will ensure your success.

For some extra help communicating about your new initiative and answering staff questions, see our comprehensive post on VDI FAQs.

Training

Conduct training to help staff use their new tools. Make sure to document all the training in either written or video formats so people can review the material on their own time.

Ideas for training:

  • Login procedures
  • Access VDI from outside office
  • How do I get support / help?
  • New procedures or processes – how will you work differently
  • Troubleshooting problems

Webinars and screen capture are easy ways to conduct training and document the new information. During the presentation, record the webinar and save it to the network so that others who missed it or want to review the information can access it.

Wrap up

Have you covered your bases? Make sure that you’ve addressed all the questions and concerns of your users. Start a list of questions or issues and address them before project closeout. Are there any unforeseen items or changes that need to be addressed? Maybe there are special security concerns or integration with another office system that was overlooked. Take the time during your training and communication to discuss problems and concerns and resolve each one.

Measuring success

Once you’ve completed the implementation, how do you measure success? Go back to your original implementation plan and review the goals and objectives you had for the VDI initiative.

What business problem were you trying to solve?

  • Improved mobility?
  • Reduced cost or maintenance expense?
  • Improved collaboration?
  • Reduced capital expense?
  • Rapid deployment?

Did you meet your expectations? Are your users happy?

All technology initiatives must align with and support the company’s business goals. Did you accomplish that? If you did, congratulations on a successful VDI deployment. If not, where did you fall short?

Getting Started

Are you ready to get crawling with VDIs? Contact us today and we’ll set up a free demo for you.