- Properly managing a variety of applications across a large healthcare organization while staying HIPAA compliant can be done in a number of different ways, but each IT decision sends ripples through the organization. With the end goal of keeping costs down as much as possible while maintaining a productive, secure environment, many organizations have a mix of technologies in place.
These hybrid environments include both on and off-premises applications and Bharani Krish, Director of IT Enterprise Infrastructure Services at Molina Healthcare, and his team manage all applications via Platform as a Service (PaaS) and support the daily operation of any software that runs on the server. The Molina Infrastructure as a Service (IaaS) team, according to Krish, handles the server operating system (OS) and network and when they work with him and his team, they will provision any Software as a Service (SaaS) model.
Krish said he and his team made a pledge to assure Molina that by next year it will turn all internal applications into various forms of an “as a service” model so that most of our provisioning will be “as a service.” But this provisioning work, which includes monitoring and tracking access rights and privileges, must be done in a secure, HIPAA compliant fashion and Krish said automation is a big key. “Based on our type of provisioning, it’s kind of automated because we have a standard security template that comes along with operations,” he said. “In the healthcare industry, security is important and we take it very seriously.”
Because of new healthcare reform and developments, Krish said the challenge when he first started was every time his team received a request, it took time to provision the database.
Cybersecurity Attacks Leading 2016 Data Breach Cause Utilizing Healthcare Authentication for Stronger Data Security Half of Businesses Report Ransomware Attack in Past Year Avoiding a Reactive Approach in Federal Health Data Security One month until HIPAA omnibus compliance: Current trends Managing a health data breach with a response plan Duke Health System notifies patients of data breach Healthcare Cloud Adoption Slow Due to HIPAA, Survey Finds DHS Cyber Incident Response Plan Focuses on Infrastructure Risk Orlando Health Data Breach Affects 3,200 Should HIPAA Compliance Let Researchers Access Patients’ PHI? Kentucky passes state data breach notification law Optimizing health data security with cloud, virtualization Cedars-Sinai reports unencrypted laptop theft, data breach UMass Lowell, UMMS Launch Secure Health Data System New Software Enables Secure EHR Data Linkage, Study Finds UK Health reports 1,079-patient data breach How Health Data Security Benefits from Industry Sharing EHR Contingency Plans Part of OIG 2016 Health IT Focus How to Increase Patient Safety, Health Data Security on EHRs Kaiser Permanente reports 2011 research server malware attack Memphis Regional Medical Center reports health data breach Human Error Leading Cause of Healthcare Data Breaches in 2015 Debate over public health and patient privacy at Exeter Hospital Healthcare Cybersecurity Education Critical, Says AHA Most Wired Org Focuses on Multi-Level Healthcare Data Security Using encryption at rest to enhance healthcare BYOD security HIPAA Regulations v. FERPA Rules In Privacy Rights HIPAA Breach Notification Checklist VA Feb. PHI Data Breach Report Shows Increase in Incidents Six legal tips for HIPAA omnibus compliance Healthcare Privacy, Security Measures Included in ONC Draft Senate HELP Committee Wants Answers on Health Data Integrity University Urology of Tenn. releases data breach statement Creating Healthcare Cloud Security for Cancer Research VA Reports Decrease in July PHI Data Breach Notifications Cloud data risk report: Seeing how healthcare stacks up HHS Inspector General to headline HCCA conference keynotes Healthcare data breach trends: Preparing and reporting DirectTrust Voices Concern for Cybersecurity in Healthcare Breaking Down the Evolution of Healthcare Phishing Scams How Will New Research Bill Affect HIPAA Regulations? HIPAA Regulations Discussed in Latest Mental Health Bill Proposed NY Data Breach Legislation Accounts for PHI Security Walgreens fined $1.44 million for pharmacist data breach EHR best practices: ONC security tips OHSU Health Data Breaches Lead to $2.7M OCR Agreement Why Education is Crucial to Health Data Security in 2016 Risk-Based Cybersecurity Approach Key in HHS IT Strategic Plan Presbyterian CISO stresses importance of governance Majority of Companies Use Risk-Based Cybersecurity Framework USH-Pruitt reports two data breaches in two weeks R.I. approves patient privacy bill for crime investigations Google privacy case highlights lack of technical safeguards HHS proposes new CHP HIPAA compliance requirements $130K NY State Settlement from Late Data Breach Notification HIPAA Omnibus Rule compliance tips for healthcare law firms OIG Report Says Anthem Refused Data Security Audit HIMSS Has Ideas for 2015 Interoperability Standards Advisory NIST sends out RFI to public for cybersecurity framework Additional Data Breach Bills Lack Federal Standards 2014 Cyber Security Forecast: Significant healthcare trends L.A. County boosts encryption policies after data breach How to Avoid Common Healthcare Data Security Challenges NHHIO expands legislation for use and disclosure of protected health information Faxing Error Leads to Healthcare Data Breach, Lawsuit HIPAA BAA, patient data flow strategies for an HIE Next-generation healthcare security: Cloud, BYOD and applications Utah health clinic sends patient data breach notifications IG points out four VA Health security shortcomings Privacy and Security Tiger Team: New policy recommendations Should HIPAA reach extend to SMS? Healthcare CISO education program focuses on risk management Thieves Expose Healthcare’s Data Integrity Shortfalls HIMSS14: Health data encryption rollout strategies for CIOs Healthcare cloud security: CISO perspective Should healthcare organizations be wary of FTC regulations? Coalfire launches HIPPAcentral compliance platform System of CMS IT Security Controls Lacking, Says OIG Report HISP to HISP: Building trust by joining Mass. state pipeline Healthcare BYOD: Choosing the right mobile security vendor Privacy and Security Tiger Team advises HHS on HIPAA tweaks Healthcare Cybersecurity Still Top Issue, Says CHIME Leader Secure healthcare cloud load-balancing: Time to go virtual NY Clarifies Minor Patient Data Access, Maintains Security Software Update Causes PHI Exposure for Blue Shield of Calif. Foreign countries hack VA system and expose vulnerabilities Survey: HIPAA fines, not data safety top reason for compliance Hacking Accounts for 98% of Healthcare Data Breaches in 2015 Billing snag leads to PHI breach; NJ man sues for benefits names Senate HELP Draft Brings Health Data Security Concern VA Sees 51% Decrease in PHI Incidents for May Working to Overcome the Cybersecurity Skills Gap in Healthcare BYOD adoption requires security education, staff training How Big Data Affects Health IT Privacy, Security HHS Revises Rules for More Patient Privacy in Drug Abuse Care Are Stolen Medical Records Still Worth More Than Financial Data? Why Secure Medical Devices Should be a Priority Senate Pursues Legislation for More Health IT Cybersecurity FTC Reverses Ruling, Says LabMD Lacked Data Security Measures
I looked at our environment and found that our production was 400 terabytes and non-production was closer to 2 petabytes. Depending on the size, it may be a terabyte or 10 of them, so it takes time to take the backup and move across to development with the security template masking everything. It may take a few hours to a day and the development cycle was slowing down.
To help Molina with provisioning and managing massive amounts of data, Krish said the organization chose the Delphix Compliance Engine to efficiently deliver that masked data (based on individual policy) while rolling out new applications and remaining compliant with federal regulations. Krish said Molina was able to transfer the transactional log, which was very small, and then provision it within less than ten minutes, irrespective of size.
We had a separate solution for mapping the data, that’s in a compliance requirement – they don’t want to expose the correction data to the development team or even the functional team. So we had a separate module. We had a separate software that tied up to the Delphix virtual database and once that database is published we could use that module to map the data based on our internal policy, which modeled very well, but again, that’s a delay in provisioning that solution.