Sidus BioData Considerations for HIPAA Regulated Cloud Deployments May 21, 2013

Page 1

Sidus BioData
Considerations for HIPAA Regulated Cloud Deployments
May 21, 2013

Page 2

Speaker Bio

Jason Silva has over 15 years of experience in Data Center Management and Information Technology. His experience includes the management and implementation of internet and intranet systems in the healthcare, pharmaceutical, government, and technology sectors. As Founding Partner and Chief Executive Officer of Sidus Group, Mr. Silva has played a pivotal role in achieving the qualification of the Sidus Data Center and forming Sidus BioData. Sidus BioData is now actively engaged in hosting both GxP applications and HIPAA/HITECH data. Mr. Silva has spoken extensively on the implementation of regulated cloud computing environments to national and international industry groups.

Page 3

Introduction

• Sidus BioData is a Maryland owned and operated IT hosting/outsourcing service provider
• Standing as one of the first fully FDA/HIPAA qualified commercial datacenters in North America to align with GAMP5
• Founded in 1999; 28 employees; over 700 customers across 47 states and 12 countries
• Datacenter facilities in Annapolis, MD; Cumberland, MD; Somerville, MA; and Ashburn, VA
• Tier 2+ datacenters qualified against FDA and HIPAA regulations
• Professional CISA (Certified Information Systems Auditor) certified quality team provides a seamless, compliant migration to the datacenter as well as ongoing support
• Managed hosting of sensitive data for:
  – Biotech companies
  – EMR vendors
  – HIPAA/HITECH regulated organizations
  – Medical device companies

Page 4

Success in the Cloud

Trust in cloud implementations rests on four core concepts:

Security – Traditional issues around data and resource access control, encryption and incident detection

Control – The ability of the enterprise to directly manage how and where data and software are deployed, used and destroyed

Service Level Management – The definition, contracting and enforcement of service level agreements between a variety of parties

Compliance – Conformance with required regulatory, legal and general industry requirements (such as Part 11, Annex 11, HIPAA and Sarbanes-Oxley)

Page 5

Cloud Management Challenge

• Support for consumer devices: anywhere, any device, anytime
• Audit/Reporting/Alerting
• Secure the mobile device
• Managed vs. non-managed device security policy
• Secure data at rest
• Secure data in transit
• AUP enforcement

Page 6

Getting Onboard

Decide which of the four outlined deployment models is right for the client's needs.

– Perform Regulatory Assessment
  • What regulations does the client's intended use of the cloud fall under?
  • What regulations may impact the solution in the future?

– Perform Security Assessment
  • What types of access methods to the cloud are needed?
  • What types of devices are going to be utilized?
  • What externally hosted services are going to interface with the deployment?

– Perform Business Assessment
  • What are the performance level targets?

• Design compliant cloud environments based on regulatory and security concerns first and the business case second.

Page 7

View of Cloud Implementations

Let's take a look at the cloud implementations based on the four models that are appropriate to the regulatory space:

• Community Cloud
• Virtual Private Cloud
• Private Cloud
• Hybrid Cloud

Page 8

Four (Sidus) Deployment Models

• Community cloud. The cloud infrastructure is shared by several organizations and supports a specific community that has shared concerns.

• Virtual Private cloud. Elements of the cloud infrastructure are operated solely for an organization (e.g., a dedicated high-speed storage or backup system).

• Private cloud. The cloud infrastructure is operated solely for an organization. It may be managed by the organization or a third party and may exist on premises or off premises.

• Hybrid cloud. The cloud infrastructure is a composition of two or more clouds (private, community, or public) that remain unique entities but are bound together by standardized or proprietary technology that enables data and application portability (e.g., cloud bursting for load balancing between clouds).

Page 9

Community Cloud

• Shared resources:
  – CPU
  – RAM
  – Storage
• Private VLAN
• Shared firewall with unique custom access control and guest machine isolation
• High Availability

(Diagram: Community Cloud)

Page 10

Virtual Private Cloud

• Shared resources:
  – CPU
  – RAM
• Private VLAN
• Dedicated virtual firewall appliance with unique custom access control and guest machine isolation
• High Availability
• Dedicated storage:
  – LUN
  – SAN

(Diagram: Virtual Private Cloud)

Page 11

Private Cloud

• Dedicated resources:
  – CPU
  – RAM
  – Storage
• Private VLAN
• Dedicated physical or virtual firewall appliance with unique custom access control and guest machine isolation
• High Availability
• Customizable

(Diagram: Private Cloud)

Page 12

Hybrid Cloud

• Dedicated resources:
  – CPU
  – RAM
  – Storage
• Private VLAN
• Dedicated physical and virtual firewall appliance with unique custom access control and guest machine isolation
• High Availability
• Customizable
• Can include traditional servers

(Diagram: Private Cloud, Operating System and Application layers)

Page 13

Quality System

• CISA/CRISCs on staff; full program of IT Compliance Services
• Quality Manual plus over 40 compliance policies, SOPs and forms
• "Total Quality System" approach:
  – SOPs and policies cover FDA/HIPAA/HITECH requirements
  – Datacenter "qualified" against FDA/HIPAA regulations
  – Risk Management Program
  – Individual training curriculums for each employee
  – Change Control/Validation Program
  – Independent Quality Assurance group
  – Provide regulated customers with a turn-key "compliance package"

Page 14

Healthcare Analytics Provider Case

Health plans participating in the Health Insurance "HIX" Marketplace are challenged with:

1. Sharing premium revenue with other plans in the Marketplace.
2. Needing precise member risk scores for targeting and assisting complex members to maintain competitive premium rates.
3. Annual audits require increased accuracy and precision in a plan's risk adjustment program.
4. Interventions require speed and efficiency as a result of the condensed schedule.

Page 15

Pulse8 Mission

• Reimagining data to help people live healthy and independent lives through the execution of sophisticated analytics, predictive techniques, and data collection tools.
• Deploy sophisticated analytic systems that improve payer financial performance, generating significant ROI.

(Diagram: HIX Risk Adjustment and Predictive Analytics; Visualization and Reporting/Dashboard; Health System Integration)

Page 16

Health Care Analytics

(Diagram, labels only. Data inputs: age group, weight scale, prescriptions, procedures, diagnoses, provider specialty mix, provider visit frequency, provider visits by calendar year, labs/pathology, disease/CM programs, member reported data, eye exams, quality measure performance, cost per encounter, patient assignments to PCP, Rx volume, hospital admissions, ER visits, patient case mix, patient volume, location of services. Pulse8 Strata: clinical history/historic member profile, individual opportunity profile/risk factor. Outputs: provider assignments, suspect identification (risk adjustment gaps), member behavior algorithms.)

Page 17

Systems and Infrastructure

HIPAA Compliant Security
• GxP Qualified Facility
• Full GAMP5 based Quality System
• Monitored 24/7 with Three-Tier Restricted Physical Access Protocol
• Redundant Network and Dual Physical Fiber Paths from Multiple POPs
• Staffed by CISA/CRISCs
• EHNAC Approved
• All data transfers are encrypted, either through SFTP, PGP encryption on the files themselves, or both.

(Diagram: Securely View Business Intelligence Results)

Pulse8 utilizes a Tier 2+ Telco Carrier Grade Datacenter headquartered in Annapolis, Maryland as our strategic infrastructure partner.

Page 18

Hosting Vendor Selection Considerations

Page 19

Cloud Vendor Selection Considerations

1. Cloud Capacity
• Does the cloud vendor have the infrastructure capacity to support your application?
  – What is its current capacity for bandwidth, compute and storage resources?
  – What is the vendor's plan for expansion of resources? What reserve threshold triggers an expansion?
  – How many sites does the vendor operate, and what capacity resources are available at these sites?
  – Does the vendor operate its own facilities, or is its infrastructure colocated in another vendor's facility?

2. Resources (Human Cloud)
• Does the vendor provide the engineering support that is needed to design and effectively operate your solution within your performance goals?
  – What proactive monitoring is in place for performance issues, and who is notified?
  – What types of resources are available on demand? DBA, network, security engineers?

Page 20

Cloud Vendor Selection Considerations cont.

3. Regulatory Qualifications
• Does the vendor currently support clients that are within a healthcare-related or FDA regulated vertical?
• Does the vendor maintain an active quality system that can flow through to the client?
• Are clients notified of infrastructure and operational changes at the datacenter infrastructure level?
• Does the vendor maintain change management and quality management duties at the client solution level?
• What is the audit history of the vendor? Have they been audited by a third party for a relevant regulatory structure?
• Does the vendor provide audit support for periodic client audits?
• Does the vendor provide CISA and CRISC certified personnel for compliance support?

4. Transparency
• Will the vendor provide unfettered access to quality system documentation?
• Does the vendor make training and maintenance documents available?
• Will the vendor support audits by your clients?
• Will the vendor share disaster recovery plans?

Page 21

Thank You! Questions?

[email protected]