Sidus BioData Considerations for HIPAA Regulated Cloud Deployments May 21, 2013. Speaker Bio. - PowerPoint PPT Presentation
Sidus BioData: Considerations for HIPAA Regulated Cloud Deployments
May 21, 2013
Speaker Bio
Jason Silva has over 15 years of experience in Data Center Management and Information Technology. His experience includes the management and implementation of internet and intranet systems in the healthcare, pharmaceutical, government, and technology sectors. As Founding Partner and Chief Executive Officer of Sidus Group, Mr. Silva has played a pivotal role in achieving the qualification of the Sidus Data Center and forming Sidus BioData. Sidus BioData is now actively engaged in hosting both GxP applications and HIPAA/HITECH data. Mr. Silva has spoken extensively on the implementation of regulated cloud computing environments to national and international industry groups.
Introduction
• Sidus BioData is a Maryland owned and operated IT Hosting/Outsourcing service provider
• Standing as one of the first fully FDA/HIPAA Qualified Commercial Datacenters in North America to align with GAMP5
• Founded in 1999; 28 employees; over 700 customers across 47 states and 12 countries
• Datacenter facilities in Annapolis, MD; Cumberland, MD; Somerville, MA; Ashburn, VA
• Tier 2+ Datacenters qualified against FDA and HIPAA regulations
• Professional CISA (Certified Information Systems Auditor) certified quality team provides a seamless, compliant migration to the Datacenter as well as ongoing support
• Managed hosting of sensitive data for:
– Biotech Companies
– EMR Vendors
– HIPAA/HITECH regulated organizations
– Medical Device Companies
Success in the Cloud
Trust in cloud implementations rests on four core concepts:
Security – Traditional issues around data and resource access control, encryption and incident detection
Control – The ability of the enterprise to directly manage how and where data and software is deployed, used and destroyed
Service Level Management – The definition, contracting and enforcement of service level agreements between a variety of parties
Compliance – Conformance with required regulatory, legal and general industry requirements (such as Part 11, Annex 11, HIPAA and Sarbanes-Oxley)
Cloud Management Challenge
• Support for consumer devices: anywhere, any device, anytime
• Audit/Reporting/Alerting
• Secure the mobile device
• Managed vs. non-managed device security policy
• Secure data at rest
• Secure data in transit
• AUP enforcement
Getting Onboard
Decide which of the four deployment models outlined below is right for the client's needs.
– Perform Regulatory Assessment
• What regulations does the client's intended use of the cloud fall under?
• What regulations may impact the solution in the future?
– Perform Security Assessment
• What types of access methods to the cloud are needed?
• What types of devices are going to be utilized?
• What externally hosted services are going to interface with the deployment?
– Perform Business Assessment
• What are the performance level targets?
• Design compliant cloud environments based on regulatory and security concerns first and the business case second
View of Cloud Implementations
Let's take a look at cloud implementations based on the four models that are appropriate to the regulated space:
• Community Cloud
• Virtual Private Cloud
• Private Cloud
• Hybrid Cloud
Four (Sidus) Deployment Models
• Community cloud. The cloud infrastructure is shared by several organizations and supports a specific community that has shared concerns.
• Virtual Private cloud. Elements of the cloud infrastructure are operated solely for an organization (e.g., dedicated high-speed storage or backup system).
• Private cloud. The cloud infrastructure is operated solely for an organization. It may be managed by the organization or a third party and may exist on premise or off premise.
• Hybrid cloud. The cloud infrastructure is a composition of two or more clouds (private, community, or public) that remain unique entities but are bound together by standardized or proprietary technology that enables data and application portability (e.g., cloud bursting for load-balancing between clouds).
Community Cloud
• Shared resources:
– CPU
– RAM
– Storage
• Private VLAN
• Shared firewall with unique custom access control and guest machine isolation
• High Availability
[Diagram: Community Cloud]
Virtual Private Cloud
• Shared resources:
– CPU
– RAM
• Private VLAN
• Dedicated virtual firewall appliance with unique custom access control and guest machine isolation
• High Availability
• Dedicated storage:
– LUN
– SAN
[Diagram: Virtual Private Cloud]
Private Cloud
• Dedicated Resources:
– CPU
– RAM
– Storage
• Private VLAN
• Dedicated physical or virtual firewall appliance with unique custom access control and guest machine isolation
• High Availability
• Customizable
[Diagram: Private Cloud]
Hybrid Cloud
• Dedicated Resources:
– CPU
– RAM
– Storage
• Private VLAN
• Dedicated physical and virtual firewall appliance with unique custom access control and guest machine isolation
• High Availability
• Customizable
• Can include traditional servers
[Diagram: Private Cloud / Operating System / Application]
• CISAs/CRISCs on staff; full program of IT Compliance Services
• Quality Manual plus over 40 Compliance Policies, SOPs and Forms
• "Total Quality System" approach:
– SOPs and policies cover FDA/HIPAA/HITECH requirements
– Datacenter "qualified" against FDA/HIPAA regulations
– Risk Management Program
– Individual Training Curriculums for each employee
– Change Control/Validation Program
– Independent Quality Assurance group
– Provide regulated customers with a turn-key "compliance package"
Healthcare Analytics Provider Case
Health plans participating in the Health Insurance "HIX" Marketplace are challenged with:
1. Sharing premium revenue with other plans in the Marketplace.
2. Needing precise member risk scores for targeting and assisting complex members in order to maintain competitive premium rates.
3. Annual audits that require increased accuracy and precision in a plan's risk adjustment program.
4. Interventions that require speed and efficiency as a result of the condensed schedule.
Pulse8 Mission
• Reimagining data to help people live healthy and independent lives through the execution of sophisticated analytics, predictive techniques, and data collection tools.
• Deploy sophisticated analytic systems that improve payer financial performance, generating significant ROI.
[Diagram: Visualization and Reporting/Dashboard; Health System Integration; HIX Risk Adjustment and Predictive Analytics]
Health Care Analytics
[Diagram: data inputs (Age Group, Weight Scale, Prescriptions, Procedures, Diagnoses, Provider Specialty Mix, Provider Visit Frequency, Provider Visit by Calendar Year, Labs/Pathology, Disease/CM Programs, Member Reported Data, Eye Exams, Quality Measure Performance, Cost Per Encounter, Patient Assignments to PCP, Rx Volume, Hospital Admissions, ER Visits, Patient Case Mix, Patient Volume, Location of Services) feed Clinical History, Historic Member Profile, Individual Opportunity Profile and Risk Factor through Pulse8 Strata; outputs: Provider Assignments, Suspect Identification (Risk Adjustment Gaps), Member Behavior Algorithms]
Systems and Infrastructure
• HIPAA Compliant Security
• GxP Qualified Facility
• Full GAMP5 based Quality System
• Monitored 24/7 with Three-Tier Restricted Physical Access Protocol
• Redundant Network and Dual Physical Fiber Paths from Multiple POPs
• Staffed by CISAs/CRISCs
• EHNAC Approved
• All data transfers are encrypted either through sFTP, PGP encryption on the files themselves, or both.
[Diagram: Securely View Business Intelligence Results]
Pulse8 Utilizes a Tier 2+ Telco Carrier Grade Datacenter Headquartered in Annapolis, Maryland as Our Strategic Infrastructure Partner
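The transfer-encryption rule stated on this slide (SFTP transport, PGP-encrypted files, or both) is the kind of control an auditor wants to verify rather than take on trust. The script below is an added example, not Sidus or Pulse8 code: it audits a constructed transfer manifest against exactly that rule, treating a file as PGP-encrypted only if its leading bytes are an ASCII-armored PGP message or an OpenPGP session-key packet per RFC 4880. The `Transfer` record and its field names are assumptions.

```python
from dataclasses import dataclass

# First bytes of an ASCII-armored OpenPGP message.
PGP_ARMOR_HEADER = b"-----BEGIN PGP MESSAGE-----"

# First byte of a binary OpenPGP message that starts with a session-key packet
# (RFC 4880): Public-Key ESK (tag 1) or Symmetric-Key ESK (tag 3), in old-format
# framing (0x80 | tag << 2 | length type) or new-format framing (0xC0 | tag).
PGP_ENCRYPTED_FIRST_BYTES = {0x84, 0x85, 0x86, 0x87, 0x8C, 0x8D, 0x8E, 0x8F, 0xC1, 0xC3}


@dataclass(frozen=True)
class Transfer:
    """One row of a constructed transfer manifest (field names are assumptions)."""
    transfer_id: str
    protocol: str      # transport used, e.g. "sftp" or "ftp"
    file_head: bytes   # leading bytes of the file as it left the sender


def looks_pgp_encrypted(head: bytes) -> bool:
    """Heuristic: decide from the leading bytes only whether a file is PGP-encrypted."""
    if head.startswith(PGP_ARMOR_HEADER):
        return True
    return len(head) > 0 and head[0] in PGP_ENCRYPTED_FIRST_BYTES


def transfer_is_compliant(t: Transfer) -> bool:
    """The slide's rule: SFTP transport, a PGP-encrypted file, or both."""
    return t.protocol.lower() == "sftp" or looks_pgp_encrypted(t.file_head)


def audit(transfers) -> list:
    """Return the ids of transfers that satisfy neither control."""
    return [t.transfer_id for t in transfers if not transfer_is_compliant(t)]


# Constructed sample manifest; the CSV content is placeholder text, not real PHI.
SAMPLE_TRANSFERS = [
    Transfer("t1", "sftp", b"member_id,dob,diagnosis\n"),           # transport-encrypted
    Transfer("t2", "ftp", b"-----BEGIN PGP MESSAGE-----\n\nhQEM"),  # file-encrypted (armored)
    Transfer("t3", "ftp", bytes([0x85, 0x01, 0x0C, 0x03])),         # file-encrypted (binary PKESK)
    Transfer("t4", "ftp", b"member_id,dob,diagnosis\n"),            # neither control: violation
    Transfer("t5", "ftp", b"\x89PNG\r\n\x1a\n"),                    # PNG, not PGP: violation
]

if __name__ == "__main__":
    print("non-compliant transfers:", audit(SAMPLE_TRANSFERS))
```

In practice the manifest would be built from SFTP server logs and the first bytes of each received file; the check is deliberately conservative, so a file it does not recognise should be reviewed rather than assumed encrypted.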
Hosting Vendor Selection Considerations
Cloud Vendor Selection Considerations
1. Cloud Capacity
• Does the cloud vendor have the infrastructure capacity to support your application?
– What is its current capacity for bandwidth, compute and storage resources?
– What is the vendor's plan for expansion of resources? What reserve threshold triggers an expansion?
– How many sites does the vendor operate and what capacity resources are available at these sites?
– Does the vendor operate its own facilities or is its infrastructure colocated in another vendor's facility?
2. Resources (Human Cloud)
• Does the vendor provide the engineering support that is needed to design and effectively operate your solution within your performance goals?
– What proactive monitoring is in place for performance issues and who is notified?
– What types of resources are available on demand? DBA, Network, Security Engineers?
Cloud Vendor Selection Considerations cont.
3. Regulatory Qualifications
• Does the vendor currently support clients that are within a healthcare-related or FDA regulated vertical?
• Does the vendor maintain an active quality system that can flow through to the client?
• Are clients notified of infrastructure and operational changes at the datacenter infrastructure level?
• Does the vendor maintain change management and quality management duties at the client solution level?
• What is the audit history of the vendor? Have they been audited by a third party for a relevant regulatory structure?
• Does the vendor provide audit support for periodic client audits?
• Does the vendor provide CISA and CRISC certified personnel for compliance support?
4. Transparency
• Will the vendor provide unfettered access to quality system documentation?
• Does the vendor make training and maintenance documents available?
• Will the vendor support audits by your clients?
• Will the vendor share disaster recovery plans?
Thank You! Questions?