General Consultant Discussion


I received in the mail from a customer a "HIPAA/HI

  • 1.  I received in the mail from a customer a "HIPAA/HI

    Posted 05-07-2014 07:45
    I received in the mail from a customer a "HIPAA/HITECH Business" Agreement. The agreement primarily seems to want an assurance that we will safeguard PHI (protected health information). Since we do not store any data on our server - I'm thinking this is mostly a formality that the company asks of all their IT providers. Anyone been asked to sign one of these and/or know of any pitfalls to beware of?


  • 2.  RE: I received in the mail from a customer a "HIPAA/HI

    Posted 05-07-2014 07:55
    Yes. Is this called a "Business Associate Agreement"? This document explains it very well in the context of VARs. You can thank Congress for this nightmare.


  • 3.  RE: I received in the mail from a customer a "HIPAA/HI

    Posted 05-07-2014 07:59
    So far as I can tell this really doesn't apply to the typical Sage 100 VAR who is doing support but not hosting any data or taking any information off-site. The only confidential information that I could think we'd be exposed to is vendor or customer names during a support session. Sounds as if in my case it's more of a checklist compliance measure by the customer.


  • 4.  RE: I received in the mail from a customer a "HIPAA/HI

    Posted 05-07-2014 08:09
    Got one of these last year. Only issue I found was having to sub work out for enhancements, or allowing a developer access to their system. Oh, and the rate goes up for having to contend with compliance issues.


  • 5.  RE: I received in the mail from a customer a "HIPAA/HI

    Posted 05-07-2014 08:11
    However, this may open a can of worms. Sage is now uploading some data to their cloud systems, and you could also have data on your system or uploaded to Sage for troubleshooting. I cannot remember the term, but I think you might be able to see if the client can classify Sage as non-Health Care where absolutely no patient data is stored in the ERP databases. Typically the Health Care companies have some type of billing system and basically integrate summarized Revenue and Cash Receipts to the GL. They might be able to exclude the ERP; however, you may have other issues if you can connect remotely to their networks that would include PHI. See the definition of Business Associate in Mark's PDF. Your only hope is to have the client classify you as not having access to any PHI. The client has liability, however, if for some reason you do have access to PHI and they incorrectly do not classify you as a business associate (a refund check, for example, processed to a patient through SAGE). It is easier for them to make you comply with HIPAA rules than to manage what you have access to with respect to HIPAA. We have a large home health chain on Intacct and it was excluded since no data was stored in the ERP and the patient database and billing systems were protected in another cloud-based application. Of course, Intacct is housed in a SAS70 datacenter as well as the new standard, so it would most likely comply. I think we will see changes. The HIPAA laws will most likely be a focus in the future and most smaller healthcare organizations will struggle to comply. Hospitals are trying to comply and they have their hands full even with significant IT resources.


  • 6.  RE: I received in the mail from a customer a "HIPAA/HI

    Posted 05-07-2014 08:15
    Officially the key is that you should not have any physical or remote access to any machine at a client which stores patient information. If you can only remote into MAS, you should be fine. If MAS is sitting on a SQL server that also hosts a database of clinical trial info or a patient information system, then bingo, you need to sign.


  • 7.  RE: I received in the mail from a customer a "HIPAA/HI

    Posted 05-07-2014 08:15
    Good point on the Sage data stream (aka PEP or Sage Advisor). I have a major beef with the notifications Sage makes during upgrades because 98% of the time we are the ones clicking through to accept and not the customer. That's also why I will always turn off PEP unless the customer has authorized it to stay on.


  • 8.  RE: I received in the mail from a customer a "HIPAA/HI

    Posted 05-07-2014 08:17
    I guess another option would be to decline any remote access and offer a higher compliance-based support agreement that requires on-site service for anything where you touch the computer. I usually don't have an open connection where I can RDP to the server, so in virtually all cases I'd only remote connect to a customer desktop and only after they gave permission.


  • 9.  RE: I received in the mail from a customer a "HIPAA/HI

    Posted 05-07-2014 08:26
    SAS 70 (or SSAE 16) alone does not make you 'compliant'. Technically you can't sell a "HIPAA Compliant" anything. You can say your system has the features that can assist with your compliancy, but only a compliance officer or HIPAA auditor can determine if a specific installation is compliant. We've sold ERP systems for drug manufacturers and compliancy is big, but in the end you can follow the rules but somebody else has to 'officially bless it'. SSAE 16 (or SAS 70) tells you the data center is physically and electronically secure, but that doesn't mean the client's data is or isn't encrypted (per HIPAA rules). That's up to the vendor or end user who is using the data center. For example, Dropbox is very much not secure because although they encrypt data, all customers' data is encrypted with a common key. If that key gets out (which it did a while back, requiring a massive rekeying), then all customers' data is now as good as unencrypted. This is how Blu-ray was cracked. Plus my guess is the NSA can still crack it because they paid big encryption vendors (like RSA) big bucks to install back doors. A lot of clients who think they are complying with HIPAA often have huge exposure because of their backup systems, i.e. some IT guy takes all the data home for the offsite rotation, or puts it in a directory for transmission to some cheapo cloud backup service like Carbonite (not so secure LOL). In many cases, the transmission ("in flight" as it's called) isn't even encrypted. Of course....shameless plug... www.eversafe-backup.com fully complies with HIPAA requirements because the data is stored on the local appliance encrypted (256-bit), is transmitted to the data center encrypted, and stored ("at rest") in the SSAE 16 data centers encrypted. More importantly, each customer gets their own encryption key and you can even have each individual server backed up with an independent key.
    If the customer loses their half of the key, however, they ain't ever getting their data back (similar to the joys of Cryptolocker). I'd bet 50% of the companies who have to comply with HIPAA or even PCI-DSS (credit card) have a failpoint weak link. It usually doesn't matter until they have a breach and then get creamed by government and civil lawsuits....Target...cough cough...


  • 10.  RE: I received in the mail from a customer a "HIPAA/HI

    Posted 05-07-2014 08:28
    Even more concerning is the stuff they are doing with the mobile apps. From my understanding they are mirroring customers, etc. to their cloud servers. If this is the case, what if it accidentally gets turned on, and how would we track who turned it on? I am not a conspiracy theorist, but I would not be comfortable making an assertion about what Sage gathers or will possibly gather in the future. More concerning, I would not have a way to monitor future changes to the architecture. Sage would most likely cover themselves with a EULA. Definitely not an assertion I would give lightly or for free. I would definitely advise the client to get Sage to sign the agreement as well. Sage would most likely not do it, but at least you have informed the client of a risk that you have no control over. This is a big push in SaaS multi-tenant, where they have controls over the datacenter and can provide audited controls.


  • 11.  RE: I received in the mail from a customer a "HIPAA/HI

    Posted 05-07-2014 08:28
    Also, Wayne, typically if they are serious about HIPAA, they would never have an open RDP option. They will require you to install a VPN client (one more thing to muck up your computer).


  • 12.  RE: I received in the mail from a customer a "HIPAA/HI

    Posted 05-07-2014 08:33
    @Mark - we no longer see VPNs as secure, as passwords can be compromised and easily shared. It is also too easy to socially engineer their theft. We have moved to VPNs with a hardware-based key similar to the FOB that you see from your bank. That way a user must possess the physical device to access the network, and we can immediately disable it if it is lost or compromised. Of course this is on top of the already present username/password credentials. Also ignore the whole SSL issue.... LOL


  • 13.  RE: I received in the mail from a customer a "HIPAA/HI

    Posted 05-07-2014 08:41
    Most clients with VPNs use them in addition to passwords. In the case of EverSafe, this is typically a short-term emergency-use scenario, so they aren't likely to get hacked during that short window of usage. The problem with FOBs is they don't work well for ad hoc remote access for users like Wayne or me. You don't want to have to wait for them to mail a device while they are down.


  • 14.  RE: I received in the mail from a customer a "HIPAA/HI

    Posted 05-07-2014 08:53
    Thanks to the NSA, there is no such thing as security, only levels of difficulty...


  • 15.  RE: I received in the mail from a customer a "HIPAA/HI

    Posted 05-07-2014 09:04
    And you would not have access as an ad hoc user into those networks. This is the way of the new world that has compliance requirements. Financial Institutions and Health Care are both moving to this. In fact, all of our Financial Institutions require this without exception. The whole theory is that a vendor with access to the network must be well thought out in these environments. Essentially, it is to avoid the trap you just stated, where they have an emergency so they open the kingdom to some guy they have not done any due diligence on. The FOBs are cheap, so if the VAR is an approved vendor, they would receive a FOB that is permanently assigned to them if they would require haphazard unplanned access. Of course the access can be monitored. Your whole argument of needing it ad hoc is the whole purpose and root cause of the control. Again, we are only seeing this in compliance-driven customers, mainly banks and larger health care organizations, but it is coming down the pipe. BTW, anyone that has a client that is struggling with this: we have solutions and will pay referral fees!
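Posts 12 and 15 above describe a hardware fob as a second factor on top of the VPN username and password, one that can be revoked the moment it is lost. As an added example (not code from any poster), the Go program below assumes the fob is a standard time-based one-time-password generator in the style of RFC 6238 (the thread does not say which token type is in use) and shows the server-side check: the expected code is derived from the shared seed and the current 30-second step, compared in constant time, with a one-step window for clock drift between fob and server. The seed is the RFC's published test value, constructed for reproducibility, not a real token secret.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
	"time"
)

// HOTP returns the RFC 4226 one-time code for a counter value: HMAC-SHA1 over
// the big-endian counter, dynamic truncation, then reduction to `digits` digits.
func HOTP(secret []byte, counter uint64, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	offset := int(sum[len(sum)-1] & 0x0f)
	code := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, code%mod)
}

// TOTP is RFC 6238: the counter is the number of whole `step`-second intervals
// since the Unix epoch.
func TOTP(secret []byte, unixTime, step int64, digits int) string {
	return HOTP(secret, uint64(unixTime/step), digits)
}

// VerifyTOTP accepts a submitted code if it matches the current step or up to
// `window` steps either side, tolerating clock drift between fob and server.
// Every candidate is checked with a constant-time compare and the loop never
// exits early, so timing does not reveal which step (if any) matched.
func VerifyTOTP(secret []byte, submitted string, unixTime, step int64, digits, window int) bool {
	matched := 0
	for d := -window; d <= window; d++ {
		t := unixTime + int64(d)*step
		if t < 0 {
			continue
		}
		expected := TOTP(secret, t, step, digits)
		matched |= subtle.ConstantTimeCompare([]byte(expected), []byte(submitted))
	}
	return matched == 1
}

func main() {
	// RFC 6238 test seed (ASCII "12345678901234567890"). A real seed is
	// provisioned to the fob out of band and stored per user, never hard-coded.
	secret := []byte("12345678901234567890")
	now := time.Now().Unix()
	code := TOTP(secret, now, 30, 6)
	fmt.Println("current code:", code, "accepted:", VerifyTOTP(secret, code, now, 30, 6, 1))
	fmt.Println("stale code accepted:", VerifyTOTP(secret, TOTP(secret, now-120, 30, 6), now, 30, 6, 1))
}
```

Revoking a lost fob, the step post 12 relies on, is simply deleting that user's seed from the verifier's store. A production verifier also records the last step at which each user authenticated successfully and refuses any code from that step or earlier, so a code observed on the wire cannot be reused inside the drift window.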


  • 16.  RE: I received in the mail from a customer a "HIPAA/HI

    Posted 05-07-2014 09:04
    A number of years ago, all our medical clients had us sign a form. Now that they realize the medical billing is not part of ERP, we have only been asked when we are handling the whole network.