© 2015 NASDAQ-LISTED: EGHT

How to Design Security and Compliance into Innovation (Instead of Trying to Bolt it On Later)Michael McAlpen

HIMMS Healthcare Technology Innovation Showcase

March 30, 2015

2

Security and Compliance Standards 8x8 Meets

3

High-Impact Hacking Compromises Millions

Hacking for identity theft Hacking for “bragging rights” Compliance breaches invite audits,

lawsuits and even criminal penalties

Companies lose money and reputation with every incident—and it’s about to get worse with innovations coming down the pike. Most Americans have been victimized by:

4

Risky Future Digital Health Technologies

Cyber-implants directly connected to smartphone apps Cyber-pills that text doctors

directly from inside your body Proprietary implantable neuro-

modulation devices Compu-contraceptive implants

controlled remotely

Security and compliance risks could get worse with new technologies that exploit mobile and Big Data capabilities

5

Subcontractors

Service Providers

Healthcare Entities

Providers

Plans

Clearinghouses

Accounting

Finance

Data Storage

Billing

Cloud

Administrative

Legal

Tax Advisor

Consulting

Regulations: Entire Ecosystems Must Now Comply

HIPAA: Business Associate status triggered when PHI is created, received, stored or transmitted FCC CPNI: a violation

is two or more PII items E. U. Data Protection

Directive: security & accountability

6

What are Auditors Looking For?

Due Care, Due Diligence & the “Prudent Man” Rule HIPAA Evidence that you provided what is “Practical and

Practicable” Minimal (FIPS 140-2) Data-in-Motion and Data-at-Rest Security Offer or request Business Associate Agreements Reputable 3rd party security validation(s) attestation of

any of your third-party vendors who persistently handle your PHI/PII data.

It is surprisingly easy to meet auditors’ demands. Here’s what they want to see:

8x8 CONFIDENTIAL7

Contact CenterSolutions

9 Easy Steps to Secure Coding

1. Start with a trusted security advisor2. Use secure development methodologies (OWASP)3. Scan code statically for coding errors4. Scan executable code dynamically for coding partners5. Work with secure companies/partners like Veracode6. Ensure 3rd party security and compliance (SSAE 16)7. Follow Council on Cyber Security guidelines8. Support HTTPS/TLS and AES 256 for stored data9. Use triple-layer defense (Blue Box SDKs)

Build in Security &

Compliance

8

Resources and Apps for Wearable Designs

Council on Cyber Security (counciloncybersecurity.org/critical-controls)

Blue Box (bluebox.com)

Provides SDKs that implement a secure installation

Instantiates in a secure shell with encryption for triple-layer defense

9

HIPAA Phone & Contact CenterCompliance is Often Overlooked in these forms

Electronic Personal Health Information (E-PHI) Personally Identifiable Information (PII) Intellectual Property (IP) Proprietary data Other regulated data

8x8 CONFIDENTIAL10

HIPAA-Compliant Cloud Communications Solutions

Why is it necessary? Call recordings and chat transcripts in the Contact Center Nursing stations & Accounting departments can become informal Contact Centers What do you need? Significant audits and system management A partner who take ownership of security What should you look for in a partner? External third party validation of compliance Comprehensive BAA agreements

8x8 is the only third-party validated HIPAA-compliant unified communications and contact center vendor that is able to provide HIPAA-compliant solutions with tailored Business Associate Agreements.

11

ChenMed CIO – Oliver Degnan

CHALLENGES

Outdated PBX only did phone calls and routing was forced through Miami HQ for all locations

Needed fast deployment

HIPAA compliance is critical

OUTCOME

HIPAA compliant solution deployed in 5

weeks to 38 sites, 1,400 users

ChenMed to save millions on

communications costs

Quick expansion as employees are added

SOLUTION

Virtual Office Pro(full UC suite)(1400+ Seats)

Deployed in

5 weeks

With 8x8’s rapid deployment model, we were fully functional on one seamless solution across 38 sites and more than 1,400 users in five weeks, and we can quickly deploy new locations as we grow.

12

Appendix

13

Helpful Links:

8x8, Inc: https://www.8x8.com/voip-business-phone-systems/by-industry/healthcare

Recipe for Basic Cyber Security: http://www.counciloncybersecurity.org/critical-controls/

U.S. Department of HHS HIPAA web site http://www.healthit.gov/providers-professionals/security-risk-assessment http://www.hhs.gov/web/508/accessiblefiles/checklists.html http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/contractprov.html

CMS Security Risk Analysis Tip Sheet: http://www.cms.gov/Regulations-and-Guidance/Legislation/EHRIncentivePrograms/Downloads/SecurityRiskAssessment_FactSheet_Updated20131122.pdf

National Institute of Standards and Technology (NIST):http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf

14

Bio: Mike McAlpen

8x8, Inc., Executive Director of IT Security, Compliance and International Data PrivacyVisa, Inc. Exec., Visa Global Information Security & ComplianceHewlett Packard, Exec., H.P. Prof. Services Information Security, CIO/CISO AdvisoryFrequent Speaker: http://www.rsaconference.com/speakers/michael_mcalpen(USSS) U.S. Secret Service Cyber Crime Task Force(FBI) Board Member FBI InfraGard U.S. Cyber Defense Initiative(ITTC) Dept. Homeland Sec./Stanford Research Inst., Cyber Defense Transition Council (NCRIC) Joint FBI/DHS/State Regional Cyber Defense and Security Intelligence Center(AMA) American Bar Assoc., Sci-Tech Law InfoSec. & Healthcare Law(ISSA) Board Advisor International Systems Security Assoc. S.V. Valley(HIMSS) Healthcare Information and Management Systems Society(ISACA) Information Systems Audit & Control Assoc., Silicon Valley(CFCA) Communications Fraud Control Association(CSA) Cloud Security Alliance CISO Advisory Board Secureworld Silicon Valley Leadership Council