© 2015 NASDAQ-LISTED: EGHT
How to Design Security and Compliance into Innovation (Instead of Trying to Bolt it On Later)Michael McAlpen
HIMMS Healthcare Technology Innovation Showcase
March 30, 2015
2
Security and Compliance Standards 8x8 Meets
3
High-Impact Hacking Compromises Millions
Hacking for identity theft Hacking for “bragging rights” Compliance breaches invite audits,
lawsuits and even criminal penalties
Companies lose money and reputation with every incident—and it’s about to get worse with innovations coming down the pike. Most Americans have been victimized by:
4
Risky Future Digital Health Technologies
Cyber-implants directly connected to smartphone apps Cyber-pills that text doctors
directly from inside your body Proprietary implantable neuro-
modulation devices Compu-contraceptive implants
controlled remotely
Security and compliance risks could get worse with new technologies that exploit mobile and Big Data capabilities
5
Subcontractors
Service Providers
Healthcare Entities
Providers
Plans
Clearinghouses
Accounting
Finance
Data Storage
Billing
Cloud
Administrative
Legal
Tax Advisor
Consulting
Regulations: Entire Ecosystems Must Now Comply
HIPAA: Business Associate status triggered when PHI is created, received, stored or transmitted FCC CPNI: a violation
is two or more PII items E. U. Data Protection
Directive: security & accountability
6
What are Auditors Looking For?
Due Care, Due Diligence & the “Prudent Man” Rule HIPAA Evidence that you provided what is “Practical and
Practicable” Minimal (FIPS 140-2) Data-in-Motion and Data-at-Rest Security Offer or request Business Associate Agreements Reputable 3rd party security validation(s) attestation of
any of your third-party vendors who persistently handle your PHI/PII data.
It is surprisingly easy to meet auditors’ demands. Here’s what they want to see:
8x8 CONFIDENTIAL7
Contact CenterSolutions
9 Easy Steps to Secure Coding
1. Start with a trusted security advisor2. Use secure development methodologies (OWASP)3. Scan code statically for coding errors4. Scan executable code dynamically for coding partners5. Work with secure companies/partners like Veracode6. Ensure 3rd party security and compliance (SSAE 16)7. Follow Council on Cyber Security guidelines8. Support HTTPS/TLS and AES 256 for stored data9. Use triple-layer defense (Blue Box SDKs)
Build in Security &
Compliance
8
Resources and Apps for Wearable Designs
Council on Cyber Security (counciloncybersecurity.org/critical-controls)
Blue Box (bluebox.com)
Provides SDKs that implement a secure installation
Instantiates in a secure shell with encryption for triple-layer defense
9
HIPAA Phone & Contact CenterCompliance is Often Overlooked in these forms
Electronic Personal Health Information (E-PHI) Personally Identifiable Information (PII) Intellectual Property (IP) Proprietary data Other regulated data
8x8 CONFIDENTIAL10
HIPAA-Compliant Cloud Communications Solutions
Why is it necessary? Call recordings and chat transcripts in the Contact Center Nursing stations & Accounting departments can become informal Contact Centers What do you need? Significant audits and system management A partner who take ownership of security What should you look for in a partner? External third party validation of compliance Comprehensive BAA agreements
8x8 is the only third-party validated HIPAA-compliant unified communications and contact center vendor that is able to provide HIPAA-compliant solutions with tailored Business Associate Agreements.
11
ChenMed CIO – Oliver Degnan
CHALLENGES
Outdated PBX only did phone calls and routing was forced through Miami HQ for all locations
Needed fast deployment
HIPAA compliance is critical
OUTCOME
HIPAA compliant solution deployed in 5
weeks to 38 sites, 1,400 users
ChenMed to save millions on
communications costs
Quick expansion as employees are added
SOLUTION
Virtual Office Pro(full UC suite)(1400+ Seats)
Deployed in
5 weeks
With 8x8’s rapid deployment model, we were fully functional on one seamless solution across 38 sites and more than 1,400 users in five weeks, and we can quickly deploy new locations as we grow.
12
Appendix
13
Helpful Links:
8x8, Inc: https://www.8x8.com/voip-business-phone-systems/by-industry/healthcare
Recipe for Basic Cyber Security: http://www.counciloncybersecurity.org/critical-controls/
U.S. Department of HHS HIPAA web site http://www.healthit.gov/providers-professionals/security-risk-assessment http://www.hhs.gov/web/508/accessiblefiles/checklists.html http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/contractprov.html
CMS Security Risk Analysis Tip Sheet: http://www.cms.gov/Regulations-and-Guidance/Legislation/EHRIncentivePrograms/Downloads/SecurityRiskAssessment_FactSheet_Updated20131122.pdf
National Institute of Standards and Technology (NIST):http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf
14
Bio: Mike McAlpen
8x8, Inc., Executive Director of IT Security, Compliance and International Data PrivacyVisa, Inc. Exec., Visa Global Information Security & ComplianceHewlett Packard, Exec., H.P. Prof. Services Information Security, CIO/CISO AdvisoryFrequent Speaker: http://www.rsaconference.com/speakers/michael_mcalpen(USSS) U.S. Secret Service Cyber Crime Task Force(FBI) Board Member FBI InfraGard U.S. Cyber Defense Initiative(ITTC) Dept. Homeland Sec./Stanford Research Inst., Cyber Defense Transition Council (NCRIC) Joint FBI/DHS/State Regional Cyber Defense and Security Intelligence Center(AMA) American Bar Assoc., Sci-Tech Law InfoSec. & Healthcare Law(ISSA) Board Advisor International Systems Security Assoc. S.V. Valley(HIMSS) Healthcare Information and Management Systems Society(ISACA) Information Systems Audit & Control Assoc., Silicon Valley(CFCA) Communications Fraud Control Association(CSA) Cloud Security Alliance CISO Advisory Board Secureworld Silicon Valley Leadership Council
