Tuesday, 31 October 2017

A Wake for the Fax Machine

A Wake for the Fax Machine - Paubox
The fax machine is a lot older than you might think. Its first commercial use was providing service between Paris and Lyon in 1865. That’s 11 years before the invention of the telephone!

Indeed, the trusty fax machine lived a long and eventful life. With the advent of Paubox SECURE 2017, the time has come for a remembrance of life for the fax machine.

We are going to hold a wake for the fax machine on Thursday, October 2nd at the Cowell Theater in San Francisco.

The Birth of the Fax Machine

The word fax is short for facsimile. A fax is the “telephonic transmission of scanned printed material, normally to a telephone number connected to a printer or other output device.”

While the first commercial use of the fax machine occurred in 1865, the inception of the fax machine took place almost 20 years earlier.

In 1846, Scottish inventor Alexander Bain worked on chemical mechanical fax type devices that were able to reproduce graphic signs in lab experiments.

From there, Italian physicist Giovanni Caselli invented the Pantelegraph (a hybrid of pantograph and telegraph) where its first commercial use happened in 1865.

For over 150 years, the use of the fax machine has been cumbersome, costly, and difficult to operate.

It wasn’t until 1964 when the Xerox Corporation introduced the first “commercial” version of today’s fax machine, LDX (Long Distance Xerography).

Two years later, Xerox invented the Magnafax Telecopier, a 46-pound behemoth that, ironically by today’s standards, was easier to use and could connect to a telephone line. The fax machine we’ve known until today was officially born.

The Golden Age of the Fax Machine

The fax market soon took off after Xerox’s 1966 Magnafax Telecopier. By the late 1970s, both national and international companies had entered the fax market, especially Japan.

The technological advances of fax machines led to faxes becoming a staple in business offices in the 1980s. This Golden Age lasted until the early 2000s.

The fax machine advanced from a document transmitter to a copier and scanner as well. In a pre-internet age, fax machines were revolutionary.

But sadly, all good things must come to an end. As the Internet emerged, the fax machine slowly phased out of modern businesses in favor of online alternatives.

Today, you can transmit documents in an email and deliver it to your recipient within seconds. This includes sending sensitive information such as credit card information or PHI in a secure manner through encrypted email.

Compared to the lightning speed of the world wide web, fax machines seem slow and outdated.

Some businesses do still have a fax machine, though they are more of a prop than anything else. But other businesses still rely heavily on the fax machine, such as the healthcare industry.

Did you know it costs nearly $250 billion to process 30 billion healthcare transactions each year, 15 billion of which are faxes?

It’s time for a serious upgrade.

3 Things I Will Miss About the Fax Machine

  1. The thrilling suspense of receiving a cover sheet without the proper information filled out. (It’s like receiving a gift from a stranger.)
  2. The delightful tune of a dial tone screech.
  3. Having to hang up the phone before sending a fax because there is only one phone line.

RIP Fax Machine, 1865 – 2017. You will be dearly missed, but the era of the fax machine is over. What took the fax machine a few minutes to accomplish takes only seconds with a secure email.

Healthcare, we need to talk. It’s time to shift away from the slow, outdated fax machine to a more modern, HIPAA compliant way to send patient information: encrypted email.

Monday, 30 October 2017

Three Sponsors Join Paubox SECURE Conference

We are excited to announce our corporate sponsors for our inaugural Paubox SECURE Conference. We love partnerships at Paubox and we value those who join us early in our journey.

Paubox SECURE

paubox secure logo
 

 

 

Paubox SECURE is a digital health security conference. We’re bringing together leaders in healthcare, cybersecurity and innovation in a unique event to drive learning and discussion around the challenges of IT security in healthcare.

Use code COMP for a complimentary ticket!
Sign up today.

Atlantic.net

atlantic.net logo

 

 

 

 

 

Atlantic.Net is a market-leading Cloud Hosting, Managed Hosting, Dedicated Hosting, and HIPAA-Compliant Hosting provider with state-of-the-art data centers in New York, London, Toronto, San Francisco, Dallas, and Orlando.

Over the years, they have steadily built a reputation as an exceptional hosting company, known for simplifying complex technologies, providing top-quality services, and consistently demonstrating trustworthiness to their clients. Atlantic.net built their reputation over twenty years of direction and counsel given to CEOs, managers, engineers, and IT professionals.

Recently, we collaborated with Atlantic.net to write a guest post titled How This Company Chose Their HIPAA Compliant Hosting Plan.

Atlantic.net will be sponsoring the network reception at the end of Paubox SECURE.

BPM

 

 

 

 

Founded in 1986, BPM is one of the largest California-based accounting and consulting firms, ranking in the top 50 in the country. They provide meaningful, comprehensive financial and business counsel. They are also experts in accounting, tax, and finance.

With six offices across the Bay Area, BPM serves emerging and mid-cap businesses as well as high net worth individuals in a broad range of industries, including financial services, technology, life science, manufacturing, food, wine and craft brewing, automotive, nonprofits, real estate and construction.

The Firm’s International Tax Practice is one of the largest on the West Coast. Its well-recognized SEC practice serves approximately 35 public reporting companies, mostly in the technology industry.

Goodwin Proctor LLP

goodwin proctor logo

 

 

 

 

Goodwin Proctor LLP, or Goodwin, is a leading Silicon Valley law firm and a Global 50 law firm. The firm has more than 1000 lawyers with offices in Boston, Frankfurt, Hong Kong, London, Los Angeles, New York City, Paris, Silicon Valley, San Francisco, and Washington, D.C..

Goodwin focuses on complex transactional work and high-stakes litigation in matters involving financial institutions, intellectual property, private equity, real estate capital markets, securities litigation/white collar defense, and technology/life sciences.

In Silicon Valley, Goodwin specializes in helping companies close funding rounds quickly, relatively inexpensively and efficiently. Goodwin also created a resource for founders to assist them as their company grows. I’m glad to say we are a happy customer of Goodwin Proctor. They have proven to be a wise business decision for the company.

Having these three great organizations sponsor our inaugural conference thrills us.

Join us at Paubox SECURE to learn more about these organizations and network with industry leaders. Use code COMP for a complimentary ticket!

Thursday, 26 October 2017

KRACK Attack Takeaways

KRACK Attack - What to do about it - Paubox

Composing my thoughts at SFO airport

Ten days ago, it was announced that a serious weaknesses in WPA2 had been discovered. WPA2 is the protocol that secures all modern protected Wi-Fi networks. An attacker within physical range of a victim’s wifi network can exploit these weaknesses using key reinstallation attacks, or KRACK.

It should be noted that the discovered weaknesses are in the Wi-Fi standard itself, not in individual products.

Am I affected by KRACK?

KRACK is applicable to smartphones, laptops, tablets, and IoT devices. Vendors are still developing patches for KRACK.

ZDNet has a thorough listing of the patch status for large vendors.

KRACK Takeaways

  • There are no confirmed reports of KRACK being actively used (yet).
  • An attacker must be physically near a wifi network to deploy KRACK. In other words, attackers in foreign countries cannot use KRACK from afar.
  • HTTPS web connections are still encrypted and safe. The same goes for email connections via TLS.
  • Paubox is not affected by KRACK.
  • Android phones and tablets are the most vulnerable to KRACK.

Seamless Encryption by Default

KRACK Attack Takeaways - Paubox

San Francisco to Los Angeles

The KRACK vulnerability points out the inherent weakness in using non-encrypted connections for email and web browsing.

It also validates our approach at Paubox: We designed our products from day one to employ a term we call seamless encryption.

In a nutshell, seamless encryption is about providing the expected benefit without requiring the end user to change their behavior. In this case, the expected benefit for our customers is HIPAA compliant email.

We believe our approach is sound and represents the eventual maturation of the internet.

SEE ALSO: KRACK Attack – What to Communicate

Stack Ranking and New Connections in Silicon Valley

Stack Ranking and New Connections in Silicon Valley - Paubox

I continue to believe that at its core, Silicon Valley is about people. The hyper density of smart, driven folks working on tech is simply overwhelming and it’s one of the things I love most about being here.

Last night I extended my network a bit more thanks to an invite from Matt Kamp. Matt and I met at a Founders Pledge dinner earlier this year and we’ve stayed in touch since.

He was in town for a Venture Beat conference and wisely made the best of his trip by organizing a small pau hana get together at The Cavalier.

The attendees were:

Turns out John Cowgill was at our Demo Day for Batch 18 of 500 Startups last year and remembered my presentation. That’s pretty cool.

Amir Hosseini really likes what we’re doing at Paubox. I returned the compliment by showing him my Uber Eats purchase history and how prominently Curry Up Now shows up =) He also recommended I check out the Worldz conference, which I will do.

I learned about stack ranking via email questionnaires from Spencer Padway. I’d like to try that for Paubox and trends to look out for in 2018.

I didn’t get a chance to talk to Skot much, as we were at far ends of the table.

Matt Kamp is SVP at Influence & Co, a content marketing agency that specializes in creating engaging content that fuels companies’ content marketing efforts and positions their key employees as influencers in their industries. I’d like to see if we can work together next year.

Matt Kamp and Amir Hosseini - Paubox

Matt Kamp and Amir Hosseini

Tuesday, 24 October 2017

Is Cisco Jabber HIPAA Compliant?

Is Cisco Jabber HIPAA Compliant? - Paubox

Lately we’ve been discussing in the office whether certain cloud-based solutions are HIPAA compliant or not. Jabber by Cisco is a provider of presence and messaging software.

We know the HIPAA industry is vast so we can empathize with just how many people need to use cloud-based services in this sector.

In previous posts, we’ve covered the following cloud solutions and their capabilities for HIPAA compliance:

The purpose of this post is to determine if Cisco Jabber offers HIPAA compliance or not.

SEE ALSO: HIPAA Breaches and Cloud Providers

About Jabber

Jabber is a provider of presence and messaging software.

It’s important to note that Cisco acquired the company called Jabber (jabber.com) in 2008. The open standard Jabber (jabber.org) is a stand-alone entity.

The Jabber protocol, now called XMPP, is an open standard for Instant Messaging.

Jabber and the Business Associate Agreement

We’ve previously talked about how a Business Associate Agreement (BAA) is a written contract between a Covered Entity and a Business Associate. It is required by law for HIPAA compliance to ensure security and privacy.

Jabber XCP Frequently Asked Questions

We checked the Cisco Jabber site and found a page called Jabber XCP Frequently Asked Questions.

In it, Cisco points out:

Q: How secure is Jabber XCP?
A: Jabber XCP is secure enough to support compliance regulations such as the Securities Exchange Commission (SEC) and Health Insurance Portability and Accountability (HIPAA). Jabber XCP security is used and trusted by the U.S. federal government.

The page does not make any mention however, of Cisco being willing to sign a Business Associate Agreement for use with Jabber.

The Cisco Approach to Telehealth White Paper

We also found a White Paper on Cisco’s site called The Cisco Approach to Telehealth.

It’s written in marketing speak and does not dive into any details around whether the company will actually sign a BAA with its customers.

Cisco Compliance Solution for HIPAA Security Rule Design and Implementation Guide

We next found the Cisco Compliance Solution for HIPAA Security Rule Design and Implementation Guide.

The Implementation Guide is comprehensive and overwhelmingly demonstrates Cisco’s focus on the U.S. Healthcare market.

There are two issues remaining however:

  • Cisco still does not mention signing a BAA.
  • Jabber is not mentioned as being HIPAA compliant.

We were unable to find any other evidence on Cisco’s site that mentions it signing a BAA.

Does Cisco Jabber Offer HIPAA Compliant Service?

The Business Associate Agreement is a key component to HIPAA compliance between a Covered Entity and a Business Associate.

While Cisco is obviously focused on the U.S. Healthcare market, we were left with the impression that they do not actually sign Business Associate Agreements with their customers.

Instead, we believe they’ve determined themselves to fall in the HIPAA Conduit Exception Rule category.

SEE ALSO: HIPAA Conduit Exception Rule – What is it?

It’s also possible we fundamentally do not understand the nature of Jabber. Perhaps it’s not a cloud-based service at all and instead must be installed on-premises. If that’s the case, a BAA from Cisco would most likely not be required.

Conclusion: We are unable to conclusively determine if Jabber is HIPAA Compliant or not. We’re also unable to determine if it’s even a cloud-based service.

Monday, 23 October 2017

Digital Health Security Conference – Paubox SECURE

Paubox SECURE conference 2017

With our inaugural Paubox SECURE Conference less than two weeks away, now is an ideal time to convey the enthusiasm we have for its arrival. As we quickly approach 1,000 customers, we felt the timing was perfect to host our own user conference.

We believe market leaders in tech share certain traits.

In my opinion, they are:

  • Behavior. The leader behaves like one. To us, that means hosting a User Conference. To date, no one in the HIPAA compliant email space has hosted a user conference. This also means community service because the leader always gives back.
  • Brand.
  • Happy customers. This involves a high NPS and customer logos on our site.

Paubox SECURE will be at the Cowell Theater on November 2nd (Thursday) from 1pm – 8pm. You can register here.

Registration & Welcome

Registration will begin at 1pm.

As you make your way to the Cowell Theater entrance, you will be greeted by Paubox staff. Our staff as well as directional signs will guide you to the registration area where you will receive a custom Paubox lanyard and badge.

Enjoy catered refreshments and admire a picturesque view of the Golden Gate Bridge until our first presentation in the conference begins.

Keynote Speech: Anatomy of a Ransomware Attack

ransomware attack, hack, paubox secure

At 1:40pm, I will kick off our conference with a presentation on the Anatomy of a Ransomware Attack.

Ransomware is a form of malicious software that holds your data hostage until you pay a ransom payment to release it. Cybercriminals commit extortion by holding important files against you, and sometimes act as a Shadow Broker if their demands are not met.

Over 4,000 ransomware attacks occur daily with the average ransom demanding over $1,000. This is especially alarming if you are a small business. Small businesses are more likely to be targeted because they are easier to infiltrate, and approximately 60% of small businesses that are breached will go out of business within the next 6 months.

Learn the best way to defend against a ransomware attack or what to do if you fall victim to one.

2nd Session: The Future of Machine Learning and AI in Healthcare Security (Panel)

machine learning, paubox secure,

At 2:35pm, our first panel will begin. The topic will be The Future of Machine Learning and AI in Healthcare Security.

The panelists are:

Anya Schiess, General Partner, Healthy Ventures

Prior to co-founding Healthy Ventures, Anya led strategy and business development for Cardinal Health’s medical services, distribution, and laboratory businesses. Spending most of her time on tech-enabled healthcare services, Anya became convinced that now was the right time to invest in early stage opportunities at the intersection of health and information technology.

Greg Reber, Founder & CEO, AsTech Consulting

Greg is an early pioneer in the information security field and was among the first to recognize and address the risks presented by consumer-facing applications. He launched AsTech in 1997 and has established AsTech as the premier firm that Fortune 1000 companies turn to for real-world, effective information security solutions.

Brent Newhouse, Co-Founder, Qventus, Inc

Brent co-founded analyticsMD, Inc. in 2012. Prior to that, Newhouse served as Business Operations & Strategy Associate at Google from August 2010 to August 2012, and as the Business Analyst of McKinsey & Company from October 2008 to July 2010. He holds an M.B.A. from Stanford University Graduate School of Business, a M.S. in Management Science and Engineering from Stanford University School of Engineering, and a B.A. in Economics from Stanford University.

Join us as we discuss the revolutionizing force of machine learning and AI in healthcare, where these advances will lead to, and how cybersecurity in healthcare will be affected.

Rick Kuwahara, our CMO, will moderate the panel.

3rd Session: Fireside chat on Surviving a HIPAA Audit

hipaa audit

Around 3:20pm, we will have a short break to stretch our legs and enjoy more delicious catered refreshments.

At 3:50pm, we will return to the theater where Bluegrass Biggs and I will do a fireside chat on Surviving a HIPAA Audit.

With ransomware attacks rising 250% in 2017 and focusing specifically on the United States, the OCR is taking serious measures to ensure healthcare organizations are HIPAA compliant.

They first rolled out their Phase 2 HIPAA Audit Program by conducting desk audits in 2016. Now, on-site audits are being conducted as well. Covered Entities and Business Associates may be subjected to both of these audits, and if you fail, you must pay a costly HIPAA violation fee (with fines increasing 10% in 2017) amongst other irreversible damage to your reputation and business.

Do you know how to prepare to survive it?

Bluegrass Biggs, Founder and CEO, BiggsB Inc.

Bluegrass has extensive knowledge in the fields of regulatory compliance, project management, CSV and Life Sciences. He founded BiggsB Inc to provide project management and comprehensive regulatory compliance solutions for a wide variety of Life Sciences companies. He values creativity and is constantly seeking the best possible way to approach the challenges of regulatory compliance.

4th Session: Health IT Security In a Digital World (panel)

health it security

At 4:25pm, we’ll begin our second panel: Health IT Security In a Digital World.

Health IT has the ability to advance clinical care, improve population health, and reduce costs. At the same time, health IT also poses new challenges and opportunities for protecting PHI.

Despite these challenges, Health IT is essential in today’s digital age.

Our panelists for this topic are:

Lin Wan, PhD, Co-Founder and Chief Technology Officer, Stella Technology

Lin is the Co-Founder and Chief Technology Officer at Stella Technology, a healthcare information technology and interoperability leader. A seasoned technologist with nearly 20 years of experience in healthcare software development, Lin is an expert on healthcare interoperability and has been a key contributor to specifications pioneered by federal and state interoperability initiatives, including the Sequoia Project, Direct, ONC S&I Framework and the EHR | HIE Interoperability Workgroup.

Nick John, Security Director, Redox, Inc.

Nick started his 14 year digital health career working at Epic as the Director for Interface Implementation. After eleven years, he made the move to working for digital health startups. Nick now serves as the Security Director at Redox, a modern API for healthcare integration. Nick has built Redox’s security program from the ground up, and led the company through both HITRUST and SOC2 audits.

Shawn Savadkohi, Information Security Officer, San Mateo County Health System

Shawn joined the San Mateo County Health System in 2016 as their Information Security Officer. In his 25 years working in Information Technology, he has crossed both public and private sector industries, including non-profit charities, public utilities (water, wastewater), entertainment, and healthcare. Shawn has served local government as a web developer, network engineer, systems administrator, SCADA programmer, security consultant, technical operations manager, and solutions architect. Most recently, he has helped network operations teams identify risk and secure resources in cloud IaaS and PaaS environments.

Our CMO Rick Kuwahara will also moderate this panel.

Networking Reception + a Wake for the Fax Machine

Networking Reception + a Wake for the Fax Machine - Paubox SECURE Conference

At 5:15pm, we will walk over the Lobby where we will have a networking reception. Enjoy a variety of beverages ranging from juices to cocktails as well as delicious hors d’oeuvres. Around 5:30pm, I will convene a wake, or a celebration of life, for the fax machine.

Yes, you read that right. I will give a eulogy for the device everyone in healthcare has a horror story about – the fax machine.

At 8pm, we’ll call it a wrap for Paubox SECURE.

We look forward to seeing you there!

You can register here.

Saturday, 21 October 2017

Is Intercom HIPAA Compliant?

Is Intercom HIPAA Compliant? - Paubox

Lately we’ve been discussing in the office whether certain cloud-based solutions are HIPAA compliant or not. Intercom is popular customer messaging platform.

We know the HIPAA industry is vast so we can empathize with just how many people need to use cloud-based services in this sector.

In previous posts, we’ve covered the following cloud solutions and their capabilities for HIPAA compliance:

The purpose of this post is to determine if Intercom offers HIPAA compliance or not.

SEE ALSO: HIPAA Breaches and Cloud Providers

About Intercom

Intercom is a US-based software company that makes a customer messaging platform. The company allows software businesses to chat with prospective and existing customers within their app, on their website, through social media, or via email.

Intercom and the Business Associate Agreement

We’ve previously talked about how a Business Associate Agreement (BAA) is a written contract between a Covered Entity and a Business Associate. It is required by law for HIPAA compliance to ensure security and privacy.

We checked the Intercom site and quickly found what we were looking for on their Terms and Conditions page.

In it, Intercom points out:

No Sensitive Personal Information. Customer specifically agrees not to use the Services to collect, store, process or transmit any Sensitive Personal Information. Customer acknowledges that Intercom is not a Business Associate or subcontractor (as those terms are defined in HIPAA) or a payment card processor and that the Services are neither HIPAA nor PCI DSS compliant. Intercom will have no liability under this Agreement for Sensitive Personal Information, notwithstanding anything to the contrary herein.

Does Intercom Offer HIPAA Compliant Service?

The Business Associate Agreement is a key component to HIPAA compliance between a Covered Entity and a Business Associate.

Since Intercom specifically states in their Terms and Conditions that they do not offer a BAA nor do they allow customers to store PHI in their platform, we conclude it is not a HIPAA compliant service.

Conclusion: Intercom is not HIPAA Compliant.

Friday, 20 October 2017

What is FINRA?

What is FINRA? - Paubox

The Financial Industry Regulatory Authority, or FINRA, is a Self-Regulatory Organization (SRO) dedicated to investor protection and market integrity.

In addition to being an SRO, FINRA is also a non-profit corporation that operates under the supervision of the Securities and Exchange Commission (SEC).

The dual mission of FINRA is to provide investor protection and market integrity.

What is a Self-Regulatory Organization (SRO)?

A self-regulatory organization (SRO) is an organization that exercises some degree of regulatory authority over an industry.

The regulatory authority could exist in place of government regulation, or it can be applied in addition to government regulation.

The ability of an SRO to exercise regulatory authority does not necessarily derive from a grant of authority from the government.

FINRA Overview

FINRA is the successor to the National Association of Securities Dealers, Inc. (NASD) and the member regulation, enforcement and arbitration operations of the New York Stock Exchange.

The government agency which acts as the ultimate regulator of the securities industry, including FINRA, is the Securities and Exchange Commission (SEC).

In a nutshell, FINRA makes sure the broker-dealer industry operates fairly and honestly.

They do this by:

  • Writing and enforcing rules governing the activities of 3,800 broker-dealers and 634,000 brokers.
  • Examining firms for compliance with those rules.
  • Fostering market transparency and educating investors.

FINRA regulation plays a critical role in America’s financial system—by enforcing high ethical standards, bringing the necessary resources and expertise to regulation, and enhancing investor safeguards and market integrity.

FINRA Technology

FINRA technology is vital to protecting investors.

FINRA technology enables:

  • Effective oversight of brokerage firms.
  • Accurate monitoring of the U.S. equities markets.
  • Quick detection of potential fraud.
  • Keeping investors informed through tools like BrokerCheck.

FINRA Activities

To accomplish its dual mission of investor protection and market integrity, FINRA performs the following activities daily:

  1. Deter misconduct by enforcing the rules.
  2. Discipline those who break the rules.
  3. Detect and prevent wrongdoing in the U.S. markets.
  4. Educate and inform investors.
  5. Resolve securities disputes.

FINRA360

FINRA - What is it? - Paubox
FINRA360 is a comprehensive self-evaluation and organizational improvement initiative. It was started in 2017 by FINRA CEO Robert Cook.

The objective of FINRA360 is to:

  • Ensure that FINRA is operating at its highest effectiveness.
  • Protect investors.
  • Promote market integrity in a manner that supports strong and vibrant capital markets.

FINRA360 is currently researching the following topics:

  • The organization and operation of FINRA’s regulatory functions and whether they are optimal for sharing information and establishing consistent standards.
  • The use of data and technology throughout FINRA.
  • The tools and metrics used to assess outcomes and success across FINRA’s various regulatory programs and support functions.

What is the Difference between FINRA and the SEC?

In a nutshell, FINRA is the organization that monitors and regulates U.S. stockbrokers and brokerage firms.

The mission of the SEC on the hand, is to ensure fairness for investors.

The SEC is the primary overseer of the U.S. securities markets and has broad reach. It is a government organization and has oversight of several other agencies, including FINRA. It is also known as the “watchdog of Wall Street.

SEE ALSO: FINRA Annual Regulatory and Examination Priorities Letter

Tuesday, 17 October 2017

This is What This Company Did When Choosing HIPAA Compliant Hosting

Many types of organizations must comply with the Health Insurance Portability and Accountability Act of 1996 (HIPAA): the providers, plans, and data clearinghouses considered covered entities, as well as the business associates that are directly responsible for compliance as of the Omnibus Final Rule.

The wide-ranging need for HIPAA compliance is reflected in how fast the healthcare IT market is growing. To look at the field from the provider side, this form of computing is recognized as a strong niche “because of its exponential growth since 2013.”

After all, the demographics in the United States are changing as the Baby Boomers reach retirement age.

In 2015, 48.2 people, or 14.9%, were 65 or over; in 2030, population experts say that number will be 74 million, or 21% of us.

The amount of money spent on healthcare in the United States is expected to increase 5.8% per year through 2025 due to this social transition. That’s 1.3% better growth than the expectation for US gross domestic product.

By 2025, healthcare is projected to represent 20.1% of the GDP, up from 17.5% in 2014.

These statistics are a bit mind-boggling – and they represent a trend rather than a sense of the individual company’s perspective. Any business that is responsible for protected health information (PHI) has a different situation and challenges.

RELATED: How to Make Sure You Have a HIPAA Compliant Website

Let’s look at the story of one company and the decisions it made for a HIPAA-compliant hosting plan.

Healthcare SaaS company selects hosting partner

ShareSafe Solutions provides software-as-a-service (SaaS) solutions via cloud computing that are in four primary areas: real-time analytics, communication, continuing education, and security.

The company’s centerpiece product is called the Unified Platform. The product intends to broadly improve clients’ operations and results while safeguarding against breach and HIPAA violations.

ShareSafe’s mobile identity authentication system is designed to minimize breach possibilities to better manage login credentials. Part of the core function of the organization is to provide its services within a context that is HIPAA compliant – protecting digital information and interactions between various parties. The system gives users real-time analytics and updates on logins, security, and performance.

The healthcare SaaS company recently made an infrastructural transition to a hosting service that provides it with a combination of dedicated and Cloud servers.

By embracing a relationship with a hosting provider that they have come to trust, the firm’s leadership is now able to take advantage of flexibility so that they can adapt for faster and more meaningful expansion.

Security is clearly central to the company, so the executive team’s choice of a HIPAA compliant partner was certainly not a minor one.

How ShareSafe’s HIPAA compliant hosting has evolved

ShareSafe started by implementing four dedicated servers in conjunction with a firewall. The company also opted to use some of its servers within a colocation arrangement.

At this same time, ShareSafe transitioned from VMWare to a virtualization OS called ProxMox. “Proxmox provides greater capabilities for security versus VMWare,” said Beck, “and I had been using VMWare for years in previous deployments.”

Cloud has been on the rise over the last few years. As ShareSafe continued to grow, the organization decided it was time to begin integrating Cloud Servers into its infrastructure.

At first, the company used a few different vendors for Cloud so they could test options. They evaluated how quickly problems were addressed, and then moved all of their Cloud over to the best-performing service.

That responsiveness is key to ShareSafe, and it was central in choosing their system so that they could rely on fast deployments in the future.

As the healthcare market and healthcare technology continue to grow, ShareSafe is ready as they start implementing additional servers beyond their original four large-capacity enterprise machines – additional high-capacity NFS servers are being prepared for deployment.

Plus, the company is strategizing the incorporation of various clusters for multiple redundancy in Cloud distributed across a number of US data centers. These changes are increasing the size of the firm’s architecture by more than 100%.

Through this move to geographically distributed locations, ShareSafe is investing in the prevention of downtime or data loss from intrusions or blackouts. They are defending against DDoS attacks.

ShareSafe needed a hosting environment that would keep their systems running at all times; and they succeeded. Between February and September 2016, the uptime for the company through the hosting provider they had chosen was 99.99%.

The company now has a deep understanding of the range of quality in support provided by different hosting services, having tried a few.

For example, two DDoS assaults hit ShareSafe during 2016.

With one of their prior providers, some of their systems were down for 4 hours. With ShareSafe’s chosen provider that ultimately received their whole ecosystem, their services were back up within 5 minutes in both cases of DDoS.

That latter provider was literally 48 times faster than the 4-hour recovery. The responsiveness of the technical support ended up being a critical factor in their choice.

Making your move

Learning about the experiences of other healthcare providers is vital to helping you understand what choosing a HIPAA compliant hosting solution might look like for your business.

If you want to learn more about how ShareSafe has carefully built a highly secure yet flexible system through a HIPAA-compliant hosting provider, read their case study.

About Atlantic.net

This post was written in collaboration with Atlnatic.Net. Atlantic.Net is a market-leading Cloud Hosting, Managed Hosting, Dedicated Hosting, and HIPAA-Compliant Hosting provider with state-of-the-art data centers in New York, London, Toronto, San Francisco, Dallas, and Orlando.

Sunday, 8 October 2017

Is GoToMeeting HIPAA Compliant?

Is GoTo Meeting HIPAA Compliant? - Paubox

Lately we’ve been discussing in the office whether certain cloud-based solutions are HIPAA compliant or not. GoToMeeting by LogMeIn is an online meeting, desktop sharing, and video conferencing software solution.

We know the HIPAA industry is vast so we can empathize with just how many people need to use cloud-based services in this sector.

In previous posts, we’ve covered the following cloud solutions and their capabilities for HIPAA compliance:

The purpose of this post is to determine if GoToMeeting offers HIPAA compliance or not.

SEE ALSO: HIPAA Breaches and Cloud Providers

About GoToMeeting

GoToMeeting is a web-hosted service created and marketed by LogMeIn. It is an online meeting, desktop sharing, and video conferencing software that enables the user to meet with other computer users, customers, clients or colleagues via the internet in real time.

GoToMeeting and the Business Associate Agreement

We’ve previously talked about how a Business Associate Agreement (BAA) is a written contract between a Covered Entity and a Business Associate. It is required by law for HIPAA compliance to ensure security and privacy.

We checked the GoToMeeting site and found a page called GoToMeeting and HIPAA Compliance.

In it, GoToMeeting points out:

Because of the technical and security measures employed by the service, when used properly, GoToMeeting can help covered entities fulfill their HIPAA compliance obligations.

The page also states that GoToMeeting is willing to sign a Business Associate Agreement.

Does GoToMeeting Offer HIPAA Compliant Service?

The Business Associate Agreement is a key component to HIPAA compliance between a Covered Entity and a Business Associate.

Since GoToMeeting offers a BAA, we conclude it is a HIPAA compliant service.

Conclusion: GoToMeeting is HIPAA Compliant and adheres to regulatory compliance for healthcare providers and healthcare organizations.

Make sure you sign a BAA with GoToMeeting before using it to store or transmit any PHI.

Can I use SharePoint and be HIPAA Compliant?

Is Microsoft SharePoint HIPAA Compliant? - Paubox

Lately we’ve been discussing in the office whether certain cloud-based solutions are HIPAA compliant or not. SharePoint by Microsoft is a web-based, collaborative platform that integrates with Microsoft Office.

We know the HIPAA industry is vast so we can empathize with just how many people need to use cloud-based services in this sector.

In previous posts, we’ve covered the following cloud solutions and their capabilities for HIPAA compliance:

The purpose of this post is to determine if SharePoint offers HIPAA compliance or not.

SEE ALSO: HIPAA Breaches and Cloud Providers

About SharePoint

SharePoint is use by organizations to create websites. It can be used as a secure place to store, organize, share, and access information from any device.

According to Microsoft, there are several versions of SharePoint. They are:

  • SharePoint Online
  • SharePoint Server
  • SharePoint Foundation
  • SharePoint Designer 2013
  • OneDrive for Business sync

Microsoft SharePoint and the Business Associate Agreement

We’ve previously talked about how a Business Associate Agreement (BAA) is a written contract between a Covered Entity and a Business Associate. It is required by law for HIPAA compliance to ensure security and privacy.

We checked the Microsoft Trust Center and found a page called HIPAA and the HITECH Act.

In it, Microsoft wisely points out:

“Currently there is no official certification for HIPAA or HITECH Act compliance. However, those Microsoft services covered under the BAA have undergone audits conducted by accredited independent auditors for the Microsoft ISO/IEC 27001 certification.”

Since SharePoint Online is bundled into Office 365 for Enterprise, we found a pdf doc called Office 365 Compliance Framework for Industry Standards and Regulations that offered deeper insight into SharePoint and its capabilities for HIPAA compliance.

The document specifically states that SharePoint Online can be HIPAA compliant when used with Office 365 for Enterprise.

Does Microsoft SharePoint Offer HIPAA Compliant Service?

The Business Associate Agreement is a key component to HIPAA compliance between a Covered Entity and a Business Associate.

Since Microsoft offers one for use with SharePoint Online when used with Office 365 for Enterprise, we conclude that particular version of SharePoint can be a HIPAA compliant service.

Conclusion: SharePoint Online is covered within the Microsoft Business Associate Agreement when used with the Office 365 for Enterprise licenese.

Make sure you sign a BAA with Microsoft before using SharePoint to store or transmit any PHI.

Future Focus: My TED Talk speech

Future Focus: My TED Talk speech - Hoala Greevy, Paubox

I was asked to give a ten minute TED Talk-like speech on my Innovation Journey at the Third Annual Future Focus conference this week in Honolulu.

As I would discover when I looked it up, the Innovation Journey consists of a nonlinear cycle of divergent and convergent activities that may repeat in unpredictable ways over time.

Research findings suggest that entrepreneurs and managers cannot control innovation success, only its odds by developing and practicing skills for traversing the obstacles encountered in divergent and convergent cycles of the journey.

Click here to view my presentation deck.

Future Focus: My TED Talk speech - Hoala Greevy, Paubox

About Future Focus

Future Focus: My TED Talk speech - Hoala Greevy, Paubox

Future Focus is the Hawaii Innovation Initiative’s Forum on Astronomy, Space Exploration, and Cybersecurity.

Now in its third year, the conference focuses on emerging technologies, federal resources and opportunities that are available in Hawaii’s innovation ecosystem.

Future Focus: Innovation Threat Identification and Cyber Security

Future Focus: Innovation Threat Identification and Cyber Security panel - Paubox

I participated on a panel during the Future Focus conference in Honolulu on Wednesday.

The panel’s topic was called: Innovation, Threat Identification and Cyber Security.

It was made up of:

  • Garret Yoshimi (Moderator), Vice President for Information Technology/CIO, University of Hawaii
  • David Wells, Cyber War Innovation Center, U.S. Pacific Command
  • Tarik Sultan, Managing Partners, Sultan Ventures
  • Robert Runser, Technical Director, NSA Hawaii
  • Len Higashi, Senior Business Development Manager, Hawaii Technology Development Corporation
  • Myself

Innovation, Threat Identification and Cyber Security panel

Future Focus: Innovation Threat Identification and Cyber Security panel - Paubox

Here are my takeaways from our panel:

  • Sultan Ventures has 24 companies in its portfolio.
  • NSA is required to share its IP to those interested in commercializing it.
  • The NSA CRADA program (Cooperative Research and Development Agreements) is one of the most valuable technology transfer mechanisms for obtaining long-term value.
  • The NSA has a github repo.
  • I learned about the concept of a PACE Plan (Primary Alternate Contingency and Emergency).
  • There were about 50-60 people in the room.
  • Robert Runser and David Wells encouraged the audience to check out WALKOFF.
  • Len discussed the state’s 80/80 Iniative by 2030.
  • I reinforced to the audience the ever-changing nature and new challenges presented by ransomware signatures.

About Future Focus

Future Focus: Innovation Threat Identification and Cyber Security panel - Paubox

Future Focus is the Hawaii Innovation Initiative’s Forum on Astronomy, Space Exploration, and Cybersecurity.

Now in its third year, the conference focuses on emerging technologies, federal resources and opportunities that are available in Hawaii’s innovation ecosystem.

Friday, 6 October 2017

HIPAA Breach Report for October 2017

hipaa breach reporting, hipaa breach, hipaa, reporting

The Paubox Breach Report analyzed HIPAA breach reporting submitted to the U.S. Department of Health & Human Services (HHS) in September to analyze the types of breaches of unsecured protected health information (PHI) affecting 500 or more people.

HIPAA Breaches Ranked by People Affected

Paubox HIPAA Breach Report: October 2017 - Breaches Ranked by People Affected

Top Three Breach Types

  • Email breaches ranked the highest with 206,994 people’s PHI hacked or stolen in September. That’s up over 600% from last month’s total of 33,334.
  • Network Server breaches ranked second with PHI of 182,782 people breached.
  • Desktop Compuer breaches came in third with 18,317 people having their PHI breached.

Bottom Three Breach Types

  • Electronic Medical Record ranked as the lowest number of people’s PHI being breached in September with 3,109.
  • Laptop breaches ranked second lowest at 4,869.
  • Other were the third lowest type of breach as ranked by people affected with 5,127.

HIPAA Breaches Ranked by Occurrence

Paubox HIPAA Breach Report: October 2017 - Breaches Ranked by Occurrence

The Most Common

  • Email came in as the most common breach in September with 13 reported breaches affecting 500 or more people’s PHI.
  • Network Server came in as the second most common breach type with 6 incidents.
  • Desktop Computer and Other came in third with 5 breaches.

The Least Common

  • Laptop, Paper/Films and Electronic Medical Record rounded out the bottom of the category with 2 reported breaches each.

Takeaways

Email breaches took the top spot for both number of people affected and number of reported breaches. As a HIPAA breach vector, email has consistently ranked in the top quadrant this year.

Full Data

Click here to download the raw data.

About the Paubox HIPAA Breach Report

The Paubox HIPAA Breach Report analyzes breaches that affected 500 or more individuals as reported in the HHS Wall of Shame in September 2017.

Minimize the risk of email getting you on the list with Paubox Encrypted Email. Start your free trial today.

Thursday, 5 October 2017

Future Focus: Jeremiah Grossman

Future Focus: Jeremiah Grossman - Paubox

I ran into my friend and security god Jeremiah Grossman yesterday at the Future Focus conference in Honolulu.

He and I were asked to present TED Talk speeches at the conference. His presentation happened in the morning, mine followed later in the day.

Here are my takeaways from Jeremiah’s TED talk speech:

  • It took him five minutes to break into a Yahoo email account in 1999.
  • Yahoo sent him a t-shirt after he advised Yahoo of the hack he found. Turns out it was sent from co-founder David Filo.
  • The Hacker Yahoo (job title on his card)
  • Learned internet scale at Yahoo.
  • “The internet is probably the single greatest invention we’ll see in our lifetime.”
  • How do we automate hacking and build an assembly line? (Genesis of Whitehat Security)
  • “People expect transparency and integrity.”
  • He first created websites in 1992 while still in high school on Maui.
  • “What you need is the grind. That’s what we look for in anyone we want to work with.”

SEE ALSO: What’s The Biggest Hurdle for Email Encryption?

About Jeremiah Grossman

Future Focus: Jeremiah Grossman - Paubox

Jeremiah Grossman is a preeminent internet security expert. He is also a Brazilian Jiu-Jitsu Black Belt and a proud Maui resident.

He is currently Chief of Security Strategy at SentinelOne. He also founded WhiteHat Security in 2001.

Jeremiah has delivered nearly 400 speaking appearances, on 6 continents, and in 19 countries. His subjects include hacking, technology advancements, business success, effective leadership, and government policy.

When Jeremiah speaks publicly, whether to small handfuls or audiences or many thousands, he targets events where he can have the most positive impact on the lives of people and the security of the Internet.

About Future Focus

Future Focus Conference - Paubox

Future Focus is the Hawaii Innovation Initiative’s Forum on Astronomy, Space Exploration, and Cybersecurity. Now in its third year, the conference focuses on emerging technologies, federal resources and opportunities that are available in Hawaii’s innovation ecosystem.

Future Focus: Opening Remarks by Governor Ige

Future Focus: Opening Remarks by Governor Ige - Paubox

I attended the 3rd Annual Future Focus Conference yesterday at the Hawaii Convention Center. Its focus this year was on Cybersecurity, Astronomy, and Space Exploration.

After a welcome by emcee Donalyn Dela Cruz, Governor David Ige opened the conference with a speech.

Here are my takeaways from Governor Ige’s opening remarks at Future Focus:

  • He brought a personal touch to the recent Equifax breach and its impact on his family.
  • The State of Hawaii has a CISO newly hired and created position: Vince Hoang.
  • “We do know the state networks are under thousands and thousands of attacks every second.”
  • Future Focus is one of his favorite conferences.

SEE ALSO: My Experiences on the Innovation Journey

About Future Focus

Future Focus: Opening Remarks by Governor Ige - Donalyn Dela Cruz - Paubox

Donalyn Dela Cruz emceed the event

Future Focus is the Hawaii Innovation Initiative’s Forum on Astronomy, Space Exploration, and Cybersecurity. Now in its third year, the conference focuses on emerging technologies, federal resources and opportunities that are available in Hawaii’s innovation ecosystem.