What’s next?  I was inspired to consider this question today after reading John D. Halamka’s blog entry on Life as a Heathcare CIO.

If you’re not familiar with his work, John Halamka is, an MD, MS, and is Chief Information Officer of Beth Israel Deaconess Medical Center, Chief Information Officer at Harvard Medical School, Chairman of the New England Healthcare Exchange Network (NEHEN), Co-Chair of the HIT Standards Committee, a full Professor at Harvard Medical School, and a practicing Emergency Physician.  He is also a long time Accellion customer and has implemented Accellion’s secure file sharing at both BIDMC and Harvard Medical School.  You can read more about his implementation of Accellion in this eWeek article.

Given the scope of his career, it seems like he must ask himself the “What’s Next?” question a lot.  On his blog he answers it.  What’s next?  Constant Reinvention.  He recently announced he is going to step down as CIO of Harvard Medical School, help them find a fulltime replacement for the role and embrace the next reinvention of his career.  About the next phase of his career he states:

It’s July of 2011… and I feel powerful forces are aligning to create a quantum leap forward in electronic health records and health information exchange technology.

We think he’s right.  Healthcare organizations are struggling with the growing use of mobile devices and unmanaged Dropbox-type of solutions in their enterprise and need to secure, manage and audit the mobile sharing of electronic health records, research and other Protected Health Information (PHI).  They know this problem puts the organization at risk for non-compliance with HIPAA and Hitech. The organization could also run the risk of a serious data breach, making news headlines, and incurring hefty regulatory fines.

Accellion’s healthcare customers tend to be more savvy than most and care about offering their staff easy to use file sharing and collaboration applications while still securing and managing sensitive patient and research data.

Accellion is constantly introducing new products and features, and the market continues to have new problems to solve – unmanaged Dropbox-type of solutions in the enterprise, proliferation of new mobile devices.  Asking “What’s Next?” helps us all to thrive and innovate.

So, thanks John for providing today’s inspiration and we wish you luck for your next reinvention.

A recent issue of Research Practitioner Magazine includes the article, “Collaboration Moves Research, Clinical Knowledge” and talks about the importance of medical researchers reaching out to potential collaborators, nearby and globally, as they work on ground-breaking medical research.

For more than 100 years, one such facility, Seattle Children’s Hospital, has provided inpatient, outpatient, diagnostic, surgical, rehabilitative, behavioral, emergency and outreach services to children from infancy through young adulthood.  Part of Seattle Children’s Hospital, Seattle Children’s Research Institute, has nine major centers, and is internationally recognized for its work in cancer, genetics, immunology, pathology, infectious disease, injury prevention and bioethics.

Accellion customer Wes Wright, Chief Technology Officer at Seattle Children’s, weighed in on how Seattle Children’s uses file transfer and collaboration technology from Accellion to facilitate their research.

Seattle Children’s Hospital in Washington struggled sending secure files through a difficult-to-use secure file transfer protocol server and using email encryption. Less than a year ago, however, the hospital and foundation switched to a Web-based program, one that offers encryption, user tracking, and transfer of large data files. The program is offered by Accellion, headquartered in Palo Alto, Calif.

The switch to the new file transfer system was spurred primarily by research needs, says Wes Wright, vice president and chief technology officer at Seattle Children’s. “We put the solution in to help us transfer data files for research, but it has since spread out among the whole organization.” After the purchase, the system took only took about three weeks to implement.

About 4,800 employees use the system now… the reason is the simplicity of the plug-in, Wright says. If a user wants to transfer a file, he opens Microsoft Outlook and chooses new mail. In the right-hand corner of the new mail is a plug-in that says “Accellion.” “You hit that button and it opens a file browse window. You browse to the file you want and attach it.”

…The system also tracks who has downloaded and looked at each file. “Whenever anyone accesses a particular file, we keep a log of it,” he says. Sometimes researchers send the file to themselves and download it on their home systems so they can work at home. “We know that user X sent it to himself and then downloaded it when he got home. We can keep track of that file and where it went.”

Such technology is “the wave of the future with HIPAA and high-tech regulations and rules,” Wright says. “The easier we can make it to securely share and collaborate among researchers, it’s going to be a research differentiator.”

We’re so proud Seattle Children’s Hospital staff and research team use Accellion to help move such important work forward.

Robert Mullins’ Network World blog entry warning that SharePoint data might be at risk comes as no surprise.  Customers have come to us for a way to extend the file sharing functionality of SharePoint securely beyond the firewall for the last few years.

What was most interesting is the research done by Randy Franklin Smith of Ultimate Windows Security.  The company’s survey showed that:

SharePoint users come from highly regulated industries: 38.2 percent comply with PCI; almost 20 percent with HIPAA; and 27.6 percent with SOX.  However, 72 percent of respondents have not evaluated the compliance issues related to their SharePoint data.

72 percent.  With the high profile data breaches happening every week, it’s important that these companies work on an overall data security strategy that includes SharePoint.

With Accellion’s plug in for SharePoint, it simply becomes another choice in the pulldown menu within SharePoint that lets users choose to share certain files with added security inside and outside the organization.  That means: an easy-to-use reporting and audit trail, three tiers of defined user access, file encryption while being transferred and at rest, and the ability to set an expiration date for the file and to set permissions upon sending the file.

Accellion Secure Collaboration is a finalist for the Best of TechEd awards at Microsoft TechEd North America this year in Atlanta, May 16-19.  Feel free to come by our booth 1830 for more information and to say hello.

Finally a story about a CIO who takes on the data security threat from USB sticks and thumb drives. Earlier this week, in Health Data Management News, appeared a short article entitled “Data Security is The CIO’s Constant Challenge”.  This is the story of Chuck Christian, CIO at Good Samaritan Hospital, Vincennes, Indiana and his IT department, and their efforts to protect private healthcare information and ensure HIPAA compliance.

Chuck explained “Earlier this year, Good Samaritan went well beyond its laptop policies, disabling USB ports across the computers connecting to its network.  It was a pre-emptive move to preclude inappropriate data transfers to easily lost devices.”

Chuck Christian explained that disabling the USB ports definitely resulted in changes in behavior.  Not least being the purchasing manager from the hospital who wanted to purchase thumb drives in bulk.  Chuck’s response – “I said no.” To the credit of Chuck and his IT department they implemented a number of secure alternatives to enable staff at the hospital to get their jobs done.

It’s as simple as that.  If you are in charge of data security “Just say no” when someone even suggests using a USB stick or bringing it into the workplace, and give them a secure alternative, such as Accellion secure file transfer.

Chuck Christian you are our Accellion Hero of the week.

This week Lincoln Medical and Mental Health Center of NY suffered an embarrassing data breach resulting from a lost FedEx shipment of CDs. More than 130,000 medical records were exposed in this breach and it is small consolation to read that “Siemens was promptly directed to suspend further transport of CDs by the carrier.”  Of particular note in this data breach is the fact that both Siemens and Lincoln Medical and Mental Health Center thought it was an okay idea to ship CDs of unencrypted healthcare data as part of a standard business process, until of course a shipment went astray.  Did the word HIPAA never come up?  Why would anyone think it is a good idea to ship CDs of unencrypted healthcare data when there are readily available secure file transfer solutions?

DataLossDB the Open Security Foundation tracks data breaches and lists 134 data breaches from Snail Mail affecting 2729 Organizations in its database. This week’s Lincoln data breach adds one more organization who has experienced the security hazards of shipping sensitive information unencrypted via the mail.

Are organizations aware of the security risks from email attachments? Generally not.

With email attachments typically accounting for more than 70% of e-mail volume, the bulk of data on email systems resides in the email attachments not email messages. Unfortunately in many organizations the management of email attachments is an afterthought leading to security vulnerabilities.

The disturbing reality is that users will try to force as much information through email as they can get away.  Without adequate security controls in place users commonly send confidential information unprotected through email attachments.  In cases where users hit email attachment size limits, they rapidly seek out unsecure IT workarounds such as thumb drives, CDs, P2P file sharing, just to get their job done.

So why the apparent lack of concern regarding the security of email attachments?  Here are just 3 of the common misconceptions:

•  Misconception #1: E-mail attachments are limited to 10MB; therefore, the risk of a data breach from file transfer is minimal.
•  Misconception #2: FTP is available; therefore, the risk of a data breach from file transfer is minimal.
•  Misconception #3: We haven’t experienced a security breach from unsecure file transfer, so the risk of a data breach from file transfer is minimal.

To learn how these common misconceptions compromise security read the full article published in Enterprise Systems this week.

Given the increased profile of data breaches and updated and extended compliance regulations such as HIPAA, now is not the time to ignore security vulnerabilities. Organizations, large and small, are waking up to the hazards of email attachments and are deploying managed file transfer solutions to protect confidential information and ensure compliance.

Give us a call if you would like to review the security of email attachments and investigate deployment of a managed file transfer solution to protect your organization.

After much buildup, the new HIPAA regulations finally go into effect this week.  As of February 17, 2010, Business Associates must be in compliance with the HIPAA Security Rule.  HIPAA.com provides a good resource for all the rules and regulations related to HIPAA compliance with catchy titled articles such as “Know your 5010 from your ICD-10″.

How does Accellion help with HIPAA compliance?  Let me count the ways.

1) Test results, medical images, physical examination reports, health insurance notifications, and all forms of personal health information, all fall under the HIPAA compliance requirements.  Accellion provides the security and encryption to ensure the secure transfer of sensitive files containing personal health information.

2) Accellion provides comprehensive tracking and reporting of every file transfer to ensure that only authorized recipients may receive and access sensitive file transfers.

3) Accellion eliminates the need for unsecure FTP servers.

4) Accellion eliminates the use of unsecure USB sticks for sharing medical data.

Many hospitals and healthcare networks have already implemented Accellion managed file transfer to ensure HIPAA compliance – check out our healthcare customers here and in today’s press release.

If you are subject to HIPAA compliance – we are here to help.

The new HITECH Act that goes into effect February 2010 places new requirements on healthcare organizations for the protection of personal health information (PHI).

The Healthcare Information Management and Systems Society (HIMSS) announced its findings of a national survey of hospitals and business associates to check the state of healthcare vulnerability to data breach.  68 percent of all hospitals indicated that the HITECH Act’s expanded breach notification requirements will result in the discovery and reporting of more incidents, and 57 percent reported that they now have a greater level of awareness of data breaches and breach risk.

Organizations are just coming to terms with the implications of the new regulations with some interesting interpretations being proposed. While the regulations appear quite clear on the need to secure the transfer of confidential patient information, in particular via email, the lack of regulations regarding use of text messages is raising questions.  If sending an unsecured email with the following message  “Your blood pressure is too high” will get you into trouble with HIPAA, what will happen if you text this message?

A good rule of thumb to apply to keep on the right side of HIPAA regulations is that unsecured communication is unsecured communication whether it be via text, email or file transfer.  The new HITECT Act is intended to protect personal health information so this means secure it in transit.