Archives for July 2017

July 27, 2017

Too Many Cloud Companies…Too Few Good Ones

So. . .just how many cloud companies are there?

Since the advent of the smartphone (thanks Apple) cloud companies are popping up on every virtual corner, much like Starbucks did early on.

In my quest to see just how many cloud companies there are, I figured I’d start with a simple Google search.  Right?  I mean Google is the best for this type of thing!

So, I proceeded to type “cloud companies” in a Google search bar. 133,000,000 results in just 0.47 seconds.  Yep…I’m that guy.  I broke Google  (sorry Google!).

Ok, so that didn’t really work.

So I moved on to the Google Play store and navigated to apps.  There, I typed in “cloud” and immediately got over 200 apps flooding my screen.  I’m not entirely sure how many apps over 200 because I simply stopped counting.

Ok. . .clearly this approach isn’t working.  So how do we determine just how many cloud companies there are? And moreover, does anyone really care?

Definitely more than 3

At this point, I’ve decided to take the “Owl and the Tootsie Pop” approach (if you’re my age, you’ve seen that commercial) and just say who cares?

Because in the end, we don’t really care about the number of companies, what we care about is what they can do for us!

As consumers, we all have our “lists” of things we seek in pretty much every aspect of our digital shopping.  My cloud list is relatively short and focuses on (1) ease of use (2) availability of my stuff (3) keeping my stuff safe and (4) being able to share and stream my stuff.

While most of these things seem relatively simple, this is where the list of cloud companies starts to get smaller.  Let’s take a brief look at these four aspects.

The cloud SHOULD be easy…so why isn’t it?

Ease of use is a key for all of us.

How many times have you gone to your app store and downloaded an app that seemed to suit your needs, only to find that you simply have neither the time nor the energy to figure out exactly how to use it?

Or, how many times have you wanted to share some photos with your grandmother and you wind up being her tech-support guru because she’s literally lost as to how to access the files you shared?

You’re not alone.  This happens to all of us.

I’m pretty much a classic tech-nerd (sans the tape on my glasses) and even I get frustrated with some of the choices out there.

Where is that file again?

And what about the availability of our files and images?

This one gets a bit tricky too because it isn’t always as simple as creating a cloud account or installing an app.

Does your app require you to upload all of your files to a single point of storage in the cloud?  Do you need to put everything on an external NAS device connected to your router at home?

Availability is mandatory for all of us, yet, achieving it can sometimes be laborious.

I mean sure, at first you tell yourself “it’ll be great to put all my files in one place, so I may as well just break down and do it”.  But soon you’re back to your old ways and you’ve got files all over the place, spread across every device you own.

Once again, you’re not alone.  I’m notoriously bad at organizing my digital life.

I have some “special” pictures…if you catch my drift

So what about keeping our stuff safe?

I’m not a Snapchat or Facebook sort of guy (cause I’m in the witness protection program) but if I was, I’d want to know that I can maintain ownership and control over my images.

Let’s say you’re out taking pictures and you capture some amazing photo of a sunrise or stars reflecting off a lake.  All your friends and followers are suddenly enamored with your photographic prowess and you suddenly become a bit concerned about your ownership of your content.

Again, you’re not alone.

That’s why you see companies watermark their images all the time.  So protection of our digital content is an important aspect of our personal cloud.

If sharing is caring, then I’m a very caring person

And finally, what about the ability to share and stream?

These are hallmarks of social media.  Without the ability to share your files, the very aspect of social goes right out the window.

The ability to get those pictures to grandma safely and simply is just as important as sharing your favorite song with your best friend.

And let’s not forget the frustration of being the tech-support guru for the friends and family you share with.

Quality over quantity

Ok. . .so what’s the point of all this?

It’s simple really.  We’ll never ever know how many cloud companies are out there because as soon as we count them all, more will pop up.

But what we do know is what we need.

Make your own list of priorities for your digital lives as I did above.  Pick and choose the aspects that are important to you and you’ll find that you can quickly eliminate a great deal of companies with just a few simple searches.

And don’t forget to read the user comments in the app stores.  These folks are just like you and me.  They’re seeking something that can help them solve a need, so there’s a good chance that they’ll share something you’re also interested in.

And above all, stay safe.

Make sure you take a little time to vet the companies you choose to share your precious digital lives with.  This is your stuff, not theirs.  Make certain you get to maintain your rights to it!

Filed Under: Industry Related Tagged With: access, cloud, cloud computing, cloud storage, cybersecurity, data privacy, personal cloud, Privacy, Security, sharing, streaming

July 19, 2017

A HIPAA Breach

A HIPAA breach can cripple your medical practice

Over the last few months we have discussed HIPAA in very general terms.  I have tried to impart some of the basics of its security and privacy obligations upon each of you, while ignoring the rest of the Act.

Certainly, it is a massive undertaking to fully grasp all of HIPAA’s ins-and-outs, and I will not ever try to bore you with the entire 5 sections of HIPAA.  So if you need to know about Insurance Portability, Tax Matters, Group Plans, or Revenue Offsets, please feel free to read the other four Titles.

Now that we have discussed what information is subject to HIPAA and who is responsible to keep and control electronic protected health information (ePHI), it’s a good time to learn what I like to call the “so what?” of HIPAA.  As I travel, meet, speak with, and interact with doctors, I am often presented with the “so what?” response.

Many doctors have told me: “Steve I understand that HIPAA exists, but we have always done it this way.  I think we are compliant.  Or we don’t know how to fully comply.”  And almost all those conversations end with “so what if we are not compliant, no one will even look at my little office to audit us.”

So, I realized that I needed to do a little more in this blog. Let’s discuss what a breach is, what you have to do if you are in breach and finally the “so what?”, namely what are the fines?

Let’s first learn what a “breach” is and is not.  A breach can be defined as the acquisition, access, use, or disclosure of protected health information in a manner not permitted, which compromises the security or privacy of the protected health information.

This means that if protected health information is in the possession of the wrong person and they can read it, a breach exists.  If you give Jan Smith’s records to Jane Smith, there is a breach.  Or if you fax medical records to (702) 555-1234, but the patient’s number was (712) 555-1234, you have a breach.

It’s these little mistakes that plague offices at times.  Most certainly, if your patient charts are on your laptop and it’s stolen, that’s a breach.  Should your server be accessed due to a hacking incident, or if you email a patient’s records to Kinkos as opposed to Dr. Kinko (the physician you intended to refer your patient to), you have a breach event.

Simply put, records must be seen only by those authorized to see them, and Covered Entities (CE) and Business Associates (BA) in possession of the records hold the responsibility to ensure no breaches take place.

“But what if my PHI is encrypted?” you ask. If the PHI was encrypted when the breach took place, you are probably covered.  The unauthorized use or disclosure of PHI is presumed to be a breach, unless there is a low probability that the information was compromised.

So when the PHI ends up in the wrong hands, but all they see is 0s and 1s due to your encryption, you may be protected. If you realize an email went to joesmith@mail.org as opposed to josmith@mail.org, but the email was sent with encryption, you are probably ok not reporting a breach.

However, a breach notification is necessary in all situations except those in which the CE demonstrates through a risk assessment that there is a low probability that the PHI has been compromised. We will discuss what a “risk assessment” is in the next blog.

But today’s blog is addressing a breach.  So, assuming a reportable breach took place, now what?  Once a CE or BA is made aware of a possible breach, they must report the breach to the Department of Health & Human Services.

The report must be made without “unreasonable delay”.  While it is not 100% certain what constitutes an “unreasonable delay”, 60 days appears to be the outer limit for reporting, and waiting until the 60th day could be unreasonable as well.

Some state laws provide stricter reporting rules, such as California’s mandate that you have 5 days to report a breach.  We will discuss the notice details in a later blog.

And now the “So what?”  Here are the federal breach penalties.  But please take note that some states allow separate penalties.  Additionally, some states allow private causes of action against the CE by the harmed patients.  So these charts present only the tip of the iceberg in some cases.

Looking through the charts it is easy to see the risks you’re taking by not making sure your office is HIPAA compliant. In 2016, the Office for Civil Rights (OCR) collected over $20 million in fines, and in 2017 they have already disclosed over $17 million in fines collected.

Finally, don’t think that just because you are only an employee for a company, that you are immune from these fines and prison sentences. If an executive is aware of a violation, delegating the responsibility to someone else (the company’s “Security Officer”, perhaps) DOES NOT protect the executive from a personal penalty.

So now that you know what the ramifications are for a HIPAA breach, it is crucial that you take the necessary steps to ensure you don’t end up as one of OCR’s statistics.

Take the painful (but important) measures to be compliant now to save yourself a lot of stress, heartache, and money in the future. Otherwise the question you’ll be asking isn’t “so what?” but rather “does anyone know a good attorney?”

Filed Under: Health Tagged With: Breach, data breach, encryption, ePHI, HIPAA, HIPPA, penalties

July 17, 2017

Why Free Will Cost You a Fortune

Everyone loves a good deal. Whether it’s an amazing discount or a sale, we experience an endorphin rush when we get a good deal. Things only get better when we hear those magic words we love…“free.”

Nothing gets people more excited than when something is offered for free. If you’ve ever seen a store offering something for free then you know what to expect… a lineup around the corner.

This philosophy gets amplified when we talk about anything offered on the Internet. It is commonly accepted that any services offered through the Internet should be free.

And many websites are happy to oblige. Facebook is free, YouTube is free, Twitter is free…you get the idea.

The thing that no one seems to be asking anymore is “what’s the catch?”

In the real world we usually have an idea about why something is being offered for “free”; maybe they want to get you into the store to buy something else or they want to get you hooked onto the product, but there is always a reason.

Unfortunately we aren’t so inclined to look for a catch when it comes to “free” services online. It’s understandable that people expect online services to be free but it’s important to know why it’s being offered for free.

There is always an ulterior motive for something to be offered for “free” and there is always something that is being compromised in exchange for the “free” service. The level of compromise involved will depend on the service being offered.

Some compromises will be harmless, such as when a service is offered with limited features. However, often, the compromises made are more than the user bargained for when they signed up in the first place.

Ultimately the more we understand about why a service is being offered for “free” online, and the compromises that come with it, the better we can make a decision on whether to proceed with becoming a user.

Awareness is the best defense to ensure that we don’t end up in a situation where something we thought was going to cost nothing (“free”) ends up costing us an arm and a leg (and some other important body parts).

Let’s cover some of the reasons a product or service is being offered online for “free”, along with their level of harm:

  • Trial Versions/Upgrade Incentives: No different than when a product is offered for “free” in a real life setting, the company wants you to continue using the service (at a cost, naturally) once the trial period is over or upgrade to a paid tier. This is relatively harmless unless the company asks for your credit card to start the “free” trial and will charge you automatically. Then you need to have a good memory or set your calendars to not get charged.
  • Advertising: Similar to watching TV, a website may offer you a “free” service in order to ratchet up the hits and collect ad revenue. Unlike TV, ads on the internet are ridiculously annoying (TV ads are just mildly annoying). Between popups and flashing banners, some websites are just not worth visiting. This category falls into the “harmless but frustrating” section.
  • Micropayments: Typically with a service that relies on micropayments, the base tier is “free” but has very limited features and in order to expand the features you have to make some sort of minimal payment (think .99¢) that seems insignificant…at first. However there are many features that need to be unlocked and each one of them will require its own micropayment. In a way micropayments are like a faucet that has a drip. At first you might not think it’s so bad since you only see a drop of water falling at a time, but then you get your monthly water bill and see that it’s triple the usual amount. This is definitely one of those categories that can get out of hand very quickly and cost more than you expect if you aren’t too careful.
  • Data Mining: Now we’re getting into some bad territory. Data mining is when the service you’re using is harvesting information about you to use for other purposes. Have you ever booked a flight to a city and then seen a bunch of ads for hotels in that same city?…it’s not a coincidence. Sometimes data mining is used only for advertising (relatively harmless) but other times the company wants to collect a profile on you based on the websites you’ve visited, who you interact with, and even your spending habits. Needless to say, depending on the level of privacy you crave, this can be pretty harmful.
  • Malice: I did say the motives may not be sinister in nature, but sometimes they are. As a wise man once said “some people just want to watch the world burn”. I would be doing you a disservice if I didn’t mention that some “free” online products/services come with lovely add-ons such as viruses, worms, spyware, and malware or they might be used to extract personal information from you, such as your online banking login information. Needless to say, this is the most harmful form of “free” you get online and a good reason why you need to be very careful about who you trust.

As you can see, not everything that is being offered for “free” is actually without any cost to you. It’s important to take a step back and ask yourself why the provider is offering it for “free”. What’s in it for them?

Do appropriate research and make sure that you aren’t putting yourself in a situation that can be harmful to you or cause you to expose more about yourself than you want.

So, yes, we all love to get something for free…just make sure it doesn’t end up costing you a ton in the end!

Filed Under: Tech Tagged With: data harvesting, data mining, free, micropayments, no such thing as a free lunch, product, service, the cost of free

July 13, 2017

The Future of Digital Storage

As we rush out to the store to grab the latest and greatest smartphones and bask in the glory that is our never ending thirst for all things media, a thought occurs . . . “where are we going to store all of this stuff?”

I mean, sure, we proudly flex the muscle of our portable devices, capable of producing 12 megapixel images or shooting full motion video and effortlessly streaming it to our 4k-capable retina display . . . but where is all this data going to be kept?

A cursory glance at the storage market tells us that any portable devices with any real storage capacity come at a premium.  Ok, we get that, so we begin to seek other avenues to store our wealth of media that will still give us instant access.

Naturally cloud storage is the first and most viable option. So we immediately enter our email address, create a quick password, and hop onto the internet to store our digital world.  Initially it’s great!  We can get our stuff from anywhere, and many of the services give us a couple of GBs of space in the cloud for free . . . but at what cost?

The cost equation for the storage of your digital world comes down to “ease of access” versus “control of content”.  Anyone who has read the terms and conditions of the typical cloud companies can tell you that you’re virtually giving up all license and all control of your content once you enter it into a public server.

The cost of your “free 5 GB account” is that your content is no longer in your direct control. Sadly, the only real alternative seems to be spending a significant amount of up-front cash on devices that have more built-in storage, or going to the store and buying one of those cloud boxes that you put on your desk at home and try to configure for remote access.  It’s clunky and costly, but it’s safer.  So how do you decide?

The plot thickens when you realize that every smartphone that is introduced is capable of generating even larger files, videos, images, and media content, yet the storage spaces on these devices continue to remain the same.

So what can be done to enable us to take advantage of all the powerful features of our smart devices without giving up ownership and control of our digital content?

Technology will continue its furious pace towards integration of content and expansion of storage components.  How will that future look and who will win that race? Smart money says that the folks developing smartphone, laptop, and tablet technology will continue to lead.  Why? The answer is simple really.  These devices are not meant to be kept forever.

Look at the typical release cycle for new smartphones and tablets.  Just when you get comfortable with your new device, a bigger-better-faster-smarter alternative hits the market.

And how long do you typically keep your tech devices?  1 year?  2 years? Longer?  Are you the type that has to be on the train to the latest-and-greatest device available? Or are you still carrying around your series one Motorola flip phone?  Don’t worry, there is no wrong answer. But, the fact remains that technology will continue to steamroll ahead whether we’re ready for the “next big thing” or not.

So where does that leave us with our original question about storage and ownership of our content? Will storage manufacturers be able to keep up with the ever-growing needs of the social media networks?

What will the online cloud providers do when they see a market where people still want privacy and control over their digital lives?  Will companies like Amazon and Google own your content in an endless sea of server farms? Or will your network evolve into one that you and you alone control?

As it stands today, we’ve got far more questions than we have answers.  One thing is certain in all of this commotion . . . technology won’t stop, so keep your eyes on the horizon and together we’ll see how the innovators answer these growing concerns.

Filed Under: Tech Tagged With: cloud, cloud computing, cloud storage, content, digital, smartphone, storage, store

July 12, 2017

Who’s Covered by HIPAA?

Our previous HIPAA entry exposed you to some of the basics of HIPAA.   One of the things we did was to identify who was covered by the HIPAA rules.  Entities or individuals that are Covered Entities (remember: Health Care Plans, Health Care Clearinghouses, or Health Care Providers) are certainly subject to HIPAA.

But, effective February 17, 2010 under the HITECH Act, Business Associates (BA) became subject to HIPAA privacy and security rules as well.  What this means is that a company that is not in the healthcare industry, per se, but deals with medical records as part of their job duties, COULD be subject to HIPAA rules.

A BA is a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information (PHI) on behalf of, or provides services to, a Covered Entity; attorneys, accountants, consultants, and others are some possible examples.  But there is not a list in HIPAA which defines who is a BA by trade.  Thus, the following test is used:

  • a party who is performing a function for a Covered Entity;
  • that has access to PHI;
  • but is not an employee of the Covered Entity.

Now that you have had a chance to determine if you are or are not a BA, what are your HIPAA requirements?  Well, you must comply with HIPAA of course.  But generally you must secure the PHI, and use it only for the same purpose it was given to the Covered Entity.

Where it sometimes gets tricky is, you must make the PHI “accessible” to the individual to whom the PHI belongs; most often the patient.  So you cannot just lock it up and throw away the key.  You must also perform risk assessments of your security and mitigate determined risks.  Finally, you have notice obligations should there be a breach.

Next we will talk about what a breach is, your reporting requirements, and the related fines and penalties for a breach.

Filed Under: Health Tagged With: BA, Business Associate, Covered Entity, HIPAA, HIPPA, HITECH, PHI, Who is covered?
