NetDirector Exceeds Demanding Security Standards with SOC2 and HIPAA Certifications

TAMPA, Fla., March 1, 2017 /PRNewswire/ — NetDirector, a cloud-based data exchange and integration platform, has recently completed work with A-LIGN to undergo rigorous and valuable security certifications. NetDirector was recently awarded attestations in compliance with HIPAA and SOC2 Type II standards, the leading security standards in Healthcare and Mortgage Banking, respectively.

The SOC 2, or Service Organization Controls 2, is an examination under AICPA standards designed for technology service companies to demonstrate controls around data security and processing integrity. The SOC 2 reports are intended to meet the needs of a broad range of users that need to understand internal controls at a service organization as it relates to security, availability, process integrity, confidentiality and privacy. The Type II report is a report on management’s description of a service organization’s system and the suitability of the design and operating effectiveness of controls.

The Health Insurance Portability and Accountability Act, or HIPAA, defines policies and procedures, as well as processes, which are required of companies that store, process, or handle electronic health information that is considered “protected” (ePHI). HIPAA compliance is increasingly valuable to both technology service providers and integrators like NetDirector, as well as providers, electronic health records systems, billing platforms, and others integrating and utilizing healthcare data.

Both the SOC 2 and the HIPAA audit were performed by Tampa-headquartered nationwide security and compliance solutions provider A-LIGN. A-LIGN specializes in helping businesses across a variety of industries navigate the complexities of specific audits and security assessments, and both the SOC 2 and HIPAA reports of A-LIGN’s findings can be made available to prospective or current customers.

“NetDirector displayed the necessary controls in their HIPAA and SOC 2 attestation reports,” said Scott Price of A-LIGN. “Their security and management teams were great to work with throughout the process. There is a strong attention to detail in the organization.”

In addition to the in-house attestations, the data centers utilized by NetDirector through Peak10 maintain the same security standards or higher in all aspects of their company. Many technology companies have recently been called out for claiming true “compliance” for their organization, when they really mean only that their data center has gone through the rigorous examination. At NetDirector, the belief is in transparency and clear communication regarding security, including compliance audits at all ends of the process.

“I am very proud of our team for successfully completing these important third-party audits,” said Harry Beisswenger, NetDirector CEO. “Both the mortgage default servicing industry and the health data environment come with very unique security and compliance requirements, and these certifications and reports strengthen the trust that our clients place in us to safely integrate their platforms and transform their data.”

Company Bio:

NetDirector provides a secure cloud-based data and document exchange solution for the healthcare and mortgage banking industries to deliver seamless data integration between parties. NetDirector bridges gaps created by disparate systems & technologies by allowing companies at any location to share data & documents securely over a single internet connection with any other member of the ecosystem. Our approach allows trading partners to collaborate and exchange data in a seamless, bi-directional, real-time manner. NetDirector currently processes more than 8 million transactions per month.

Is Interoperability Disruption Inevitable in Healthcare?

The College of Healthcare Information Management Executives (CHIME) closed out 2016 with a cautionary message regarding future interoperability challenges. CHIME’s Board of Trustees raised concern over “persisting lack of interoperability among and across our disparate health system” in a December 16 letter to Centers for Medicare and Medicaid Services (CMS) Administrator Andy Slavitt.

While generally praising CMS for giving healthcare organizations more flexibility in the use of IT pursuant to new physician payment models, CHIME recommends a single set of standards to facilitate more seamless data exchange.

“We do not believe interoperability will become widespread without more uniformity in the use of health data standards,” the letter states. “A stronger state of interoperability facilitated by a uniform set of standards, including a national solution ensuring accurate patient identification, is our best hope for driving better care.”

Where things stand

At its highest level, “semantic interoperability” supports the electronic exchange of patient summary information among caregivers and other authorized parties via potentially distinct electronic health record (EHR) systems and other systems to improve healthcare delivery.

Progress is being made, argues Sam Weir, MD, lead informatics physician at UNC Health Care in North Carolina: “Physicians are increasingly working in large healthcare systems with relatively mature EHRs. These systems are working with their EHR vendors to implement the nationwide interoperability roadmap as quickly as they can.”

Nonetheless, that same trend favoring migration toward mainstream, integrated EHRs such as Epic, Cerner and Allscripts may actually hinder longer-term interoperability success, according to Mike Restuccia, chief information officer at Penn Medicine. In the meantime, he agrees with the need for widely adopted and deployed semantic, data model and data definition standards.

Mario Hyland, the founder of IT consultancy Aegis, warns that interoperability obstacles are just starting to come to light — as in the case of hospitals using separate EHRs being able to exchange data until a software upgrade by one or both organizations causes an interface problem. He estimates that 35 to 40 percent of all visits result in an interoperability request, with achievement more likely to be “broken than solved.”

The path ahead

Former Apple CEO John Sculley, who’s now chairman of pharmacy benefit management firm RxAdvance, and Humana CEO Bruce Broussard recently urged a push for disruption in healthcare through changes in behaviors, data analytics, interoperability and aligned incentives. They cite breakthroughs in the implementation of standards-based protocols such as Fast Healthcare Interoperability Resources (FHIR) in support of healthcare alliance efforts. The executives also point to data exchange between payers and providers enabling real-time, proactive alerts to prescribing physicians to prevent drug-drug interactions or other potentially harmful outcomes.

Interoperability in such forms will lead to a more holistic approach to patient care, they predict, with mobile devices and other technology combining with data analytics to open up a deeper level of personalization.

NetDirector factors into this discussion as a proven disrupter in the area of healthcare data exchange — especially one-to-many integration that allows for ease of adoption and quick implementation. That approach allows providers to focus on patient care with confidence that technology such as NetDirector’s cloud-based HealthData Exchange will seamlessly handle the movement of clinical and financial data among disparate systems, and deliver it when and where needed.

For more information, please contact us or request a free demo.

Ransomware Rises Up as Major Healthcare Data Security Threat

Ransomware, a form of digital extortion, involves locking down computers via malware or encrypting electronic files so that only the attacker holds the key needed to decrypt them. Victims are left to pay the hacker to regain access, develop workarounds or isolate affected data/devices.

The FBI reports an increase in incidents in which users infect their computers with ransomware by clicking on a compromised website, often lured by a deceptive email message or pop-up window. A fairly recent variant encrypts files on a hard drive as well as any external or shared drives to which the computer has access.

Although ransom amounts typically range from a few hundred to several thousand dollars per instance, hackers collected more than $200 million total in the United States during the first quarter of 2016.

Healthcare organizations, in particular, need to be on the lookout. Research conducted by security firm Solutionary reveals that the healthcare sector accounted for 88 percent of all ransomware attacks it tracked during the first half of 2016.

In perhaps the highest-profile healthcare case of this year, 434-bed Hollywood Presbyterian Medical Center in Los Angeles paid $17,000 in bitcoin ransom to obtain a decryption key and restore normal operations after a lockout.

Why is healthcare such a target?

A number of interrelated factors play into healthcare’s ransomware vulnerability:

  • Hospitals and health systems store detailed personal information on patients to make it readily available in the course of care. Stolen health insurance credentials can be used to commit medical fraud, fetching 10 to 20 times more than credit card numbers on the black market.
  • Healthcare providers rely on electronic records to stay operational. With patients’ lives potentially on the line during a ransomware attack, they may be more willing to pay up quickly than victims in other industries.
  • Healthcare is a consolidating industry, with major care organizations merging and acquiring other facilities. Integration of disparate information systems often leaves gaps that give hackers access to sensitive data.

What can be done?

Threat intelligence experts at Solutionary say healthcare organizations can counter the threat of ransomware by using off-site backups for their data — and the systems used to access that data. They should also test the backups regularly to ensure data can be restored quickly.

While providing data exchange services to healthcare organizations, NetDirector utilizes IT infrastructure provider Peak 10’s offsite data center to ensure online backups, data recovery capabilities, minimal to no downtime, and the most current security certifications.

With the major risk of self-managing data security, it makes sense for providers to use a trusted vendor like NetDirector to protect against ongoing threats such as ransomware.

For more information on complete healthcare data integration services, contact NetDirector or request a free demo.


Move to the Cloud Helps Relieve Healthcare IT’s Resource Pinch

Strategic planning at healthcare organizations calls for increased investment in cloud-based models to help alleviate resource overhead and reduce the need for technology refreshes.

Cloud services provider Peak 10’s 2015 “National IT Trends in Healthcare” report, which compiled responses from 149 IT decision makers, revealed that 25% of organizations not currently outsourcing to an Infrastructure as a Service (IaaS) model would implement IaaS in production environments by the end of 2016. Among that same group, 25% said they would deploy IaaS for testing and development, and 27% planned to use IaaS for disaster recovery.

Peak 10’s follow-up report for 2016, released in May, surveyed 157 C-level executives and IT professionals, who indicated that hospital groups continue to outsource IT functions and adopt cloud-based solutions. Other related trends include IT playing a more integral role in driving organizational revenue, and the need to juggle “security and compliance to balance mitigating attacks and staying in line with industry and government regulations,” the report states.

The 2016 survey respondents rated their own internal IT security program with a B- average score, “most likely due to being overwhelmed with limited IT staff available for security operations.” The report continues, “IT departments strive to cover as much ground as possible, but keeping up with security as a whole often results in the need to drop all IT pursuits and respond to an alarm.”

The most recent report also shows healthcare IT departments increasingly adopting application hosting using third-party cloud partners — up 33% since 2014 — as an initial foray into cloud outsourcing. They’re realizing operational and financial benefits through shared computing resources, setting the stage for more applications — and even full infrastructures — as viable cloud-based options.

“Technology is changing at a rapid rate and while it is making patients’ lives easier, it is also increasing the amount of information that is at risk of falling into the wrong hands,” according to David Kidd, vice president of governance, risk and compliance at Peak 10. “Although healthcare organizations have been cautious about moving to the cloud, they are now recognizing the benefits and security in the cloud. This allows for more time to be spent on patients and the organization’s core mission.”

Overall, healthcare is ripe for the changes rippling through the ecosystem. NetDirector CEO Harry Beisswenger describes a paradigm shift in which hospitals are taking a “zero-footprint” approach with no software or hardware required on site. “You would connect to us once, map once, and you’d be done. Set it and forget it, instead of having to set up each interface and each customer individually and create all the business logic and formatting,” he explains. “We significantly reduce their hardware/software costs, as well as their analysts’ or resource costs, which are very expensive.”

NetDirector uses Peak 10’s Tampa Data Center to host its fault-tolerant technology stack, which maintains network uptime at 100% for most months and reduces the need for scheduled maintenance. NetDirector also maintains a second regional data center in Atlanta to ensure full business continuity in the event of a disaster or outage at the main data center.

Click here for a list of technology partners working with NetDirector to provide its HealthData Exchange platform.

For more information on HealthData Exchange, contact NetDirector or request a free demo.

Improving Data Usage in the Healthcare Environment

At University of Colorado Health (UCHealth), continuous process improvement relies upon effective data usage and integration with the enterprise EHR system. Over the past year, UCHealth has leveraged data science to significantly improve resource utilization in cancer treatment. Now the health system is taking a comparable approach to operating room (OR) scheduling in a project that will roll out through the latter part of next year.

At a cancer treatment infusion facility, UCHealth optimizes scheduling to “level load” patients throughout the day and maximize chair usage. Daily reports, shared during staff huddles, indicate where unexpected patients can be added and when to expect peak loads. Additional performance reports include historic data and highlight areas for further improvement.

This merging of Lean production practices with data analytics has yielded 15 percent lower waiting times for cancer treatment patients — 33 percent lower at peak hours — amid a 16 percent increase in patient volume. What’s more, staff overtime dropped by 28 percent due to optimized scheduling.

The OR project will similarly mine data to maximize surgical resources across five hospitals.

And the forward thrust will lead to new opportunities, according to CIO Steve Hess: “So, inpatient is the natural next place to go after OR. But don’t stop there, think about radiology and imaging, think about lab tests, pharmacy needs, ambulatory clinics … Frankly, the canvas is blank in terms of what you can do with machine learning combined with process improvement philosophies.”

Areas of improvement

Sue Schade, recently identified as one of the “most powerful women in healthcare IT” by Health Data Management and currently interim CIO at University Hospitals in Cleveland, is a strong believer in “visual management” techniques that can help identify systems’ priorities. Her Lean-rooted philosophy takes aim at areas such as reducing cycle times, eliminating preventable incidents, decreasing variation, and increasing coordination and communication between teams.

Data derived from tracking systems helps hospital leadership zero in on the causes of major incidents to prevent reoccurrence and provides performance metrics that can be shared across departments.

Schade quotes from the book The Lean IT Field Guide, “If a picture is worth a thousand words, information made visible in the workplace is priceless.”

Simplifying healthcare data integration

However promising any improvement strategy may be, it would not be possible without properly formatted and integrated data. NetDirector’s HealthData Exchange meets this challenge by moving clinical and financial data among disparate systems within the healthcare ecosystem.

HealthData Exchange uses a “map once, use many” method — as opposed to custom point-to-point interfaces — to enable the sending and receiving of data to/from all of an organization’s providers and vendors. Connected hospitals and physician practices instantly have access to dozens (and potentially hundreds) of providers and vendors through pre-defined integrations.

And because it’s built and optimized for cloud deployment, HealthData Exchange incorporates redundancy and security at every level. The network currently processes more than 10 million data and document transactions per month, while giving individual users the means to proactively monitor all of their connections.

For more information, contact NetDirector or request a free demo.

What’s Happening in Healthcare Regulation and Compliance

Technology’s crossover into most aspects of healthcare brings new possibilities in prevention, treatment and continuous care. But sometimes, too, it raises unique issues that need to be addressed by regulatory or legislative oversight.

Recent headlines from opposite ends of the U.S. highlight new laws at the state level — but with implications that could soon apply more broadly.

The rise of ransomware

Ransomware attacks, in which hackers disable computer systems and demand payment before allowing victims to regain access, would be prosecuted as cyber-extortion under a bill advancing in California’s legislature.

The bill heads to the state Senate’s appropriations committee with strong support. It follows a high-profile case that ended in February with Hollywood Presbyterian Medical Center paying a $17,000 ransom in bitcoin to a hacker who had shut down the 434-bed hospital’s systems.

“The malware locks systems by encrypting files and demanding ransom to obtain the encryption key,” Hollywood Presbyterian CEO Allen Stefanek told the Los Angeles Times. “The quickest and most efficient way to restore our systems and administrative functions was to pay the ransom and obtain the decryption key. In the best interest of restoring normal operations, we did this.”

The office of California State Senator Bob Hertzberg cited FBI statistics stating that hackers collected more than $209 million in ransomware payments in the United States during the first quarter of 2016.

Shortly after the Hollywood incident, computers at the Los Angeles County Department of Health Services were infected with a data-blocking program, the Times reported. In that instance, the agency refused to pay ransom and isolated infected devices on its own.

In a separate case in late March, MedStar Health, which operates 10 hospitals in the Washington, D.C. area, acknowledged on Facebook that a virus prevented certain users from accessing email and electronic patient records. MedStar opted to take down all system interfaces to prevent the virus from spreading and reported there was no evidence that information had been compromised. However, the health system had to utilize paper transactions where necessary.

Another malware attack last month at Methodist Hospital in Henderson, Kentucky, locked users out of electronic web-based services. A spokesperson said no patient data was impacted, but IT had to shut down all of the hospital’s desktop computers and scan each for infection before restoring operations. As in the MedStar case, the facility chose not to pay ransom but incurred time costs in resorting to paper-based back-up systems.

New York makes e-prescribing mandatory

Electronic prescribing for controlled and non-controlled substances became mandatory under New York state law on March 27. The e-prescribing edict, part of the state’s Internet System for Tracking Over Prescribing law, carries possible civil/criminal penalties or fines for non-compliance. The measure is intended to reduce prescription theft and forgery, as well as “doctor shopping” by patients.

Of particular note for electronic prescribing of controlled substances (EPCS), the law requires additional security features and registration of certified software with the Bureau of Narcotic Enforcement (BNE).

A year ago, the New York Department of Health sent a letter to prescribers cautioning that “implementation timelines for EPCS software vary and may be lengthy.” The agency strongly recommended immediate action in obtaining and registering certified EPCS software, which in many cases may be part of a commercial EHR system.

According to health information network Surescripts, more than two-thirds of active e-prescribers in New York are EPCS-enabled after a large surge earlier this year.

But even though providers may apply for a waiver from the EPCS requirements under specified circumstances (including technology limitations), physicians and organizations using systems from small EHR vendors may still be out of compliance. Achieving certification is “a bit of a heavy lift on the EHR side,” Surescripts Senior Vice President Ken Whittemore told Health Data Management.

Additionally, BNE approval requires completion of EHR updates, identity-proofing of prescribers, two-factor authentication for prescription signing, and establishment of secure access controls, noted Whittemore.

Keeping the focus on care

The delivery of healthcare shouldn’t be derailed by security threats from outside agents. Nor should it be burdened with technology implications stemming from otherwise well-meaning requirements.

At NetDirector, we stay current with issues that could affect compliance in these areas, so that providers can focus on delivering superior care. Our solutions implement high-level integrations that insulate organizations from cyber-hazards and enable core systems to function as intended — and, in some cases, as required by law or regulation.

For more information, please contact us or request a free demo.

Securing NetDirector’s Cloud-Based Data Exchange

What does security mean to you?

For each of us it means something different depending on what we want to secure. For some it may mean setting up a home alarm system to protect the family, locking the car doors to secure valuables, or saving enough money to secure one’s livelihood for 6 months in case of a layoff or medical emergency.

Whatever you are trying to secure, it is important to have a high-quality security system in place with a proven track record of preventing intrusions.

Due to the overwhelming increase in the vulnerability of small to mid-size businesses, our goal at NetDirector is to secure our data exchange software so that our customers and service providers are confident their valuable data is safe and secure.

How does NetDirector secure the data exchange software?