HIPAA Compliance for Hosting and Data Security

If you work anywhere in the healthcare space, you’re probably very familiar with HIPAA compliance. Passed in 1996, the Health Insurance Portability and Accountability Act provides rules and guidelines for healthcare access, health information storage, health insurance, and more.

HIPAA consists of five primary parts or titles:

  • HIPAA Title I – Health care access, portability and renewability
  • HIPAA Title II – Preventing health care fraud and abuse; administrative simplification; medical liability reform
  • HIPAA Title III – Tax-related health provisions
  • HIPAA Title IV – Group health insurance requirements
  • HIPAA Title V – Revenue offsets for tax deductions

While HIPAA serves the important function of protecting the health coverage and personal information of individuals, along with reducing fraud across the industry, it can get a little confusing.

Arguably the most complex section of HIPAA is Title II, which, among other things, covers how information is stored and accessed. Since almost everything is digital these days, that means Title II covers your hosting, server, and network setup.

Meeting the Requirements of HIPAA Title II

Failure to follow the proper requirements of HIPAA Title II can put your customers’ personal data at risk, not to mention result in some serious penalties. It’s very important that all of your information is stored securely within a HIPAA-compliant system.

Of course, HIPAA extends beyond hosting, covering IT areas such as account access, password management, and more. You also need to be mindful of working with external vendors and third parties, as they bring additional risks and requirements regarding your data. 

Professional Help for Staying HIPAA Compliant 

By itself, the world of hosting and IT support is very technical. When you add in HIPAA compliance, the complexity multiplies. That’s why it’s best to utilize an experienced IT team that’s well versed in HIPAA compliance. 

At DataYard, we offer a wide range of services for companies and organizations that operate under HIPAA. This includes private cloud hosting at our data center in Dayton, Ohio, that meets HIPAA and HITECH requirements. Additionally, we can provide you with consultation, ongoing support, and threat protection so that all of your technological and digital fronts are covered.

You don’t need to understand all of the complexities of HIPAA Title II. You just need an IT team that does. Contact us today! 


DataYard – At Your Service

Now available by popular demand, DataYard has created a brand new offering under a brand new division, At Your Service.  AYS will help regional companies with all aspects of business IT – whether it is managing existing workstations and servers, migrating to a VoIP phone service, upgrading network equipment, or guiding your transition to the cloud – DataYard has you covered.

The DataYard Difference

For over two decades, DataYard has helped thousands of local businesses use technology to improve business efficiency and reliability. But we noticed that we were getting more and more requests from clients to assist with projects beyond just Internet services or hosting projects – they needed help with technology inside of their businesses, and turned to us for advice. AYS is an answer to those questions and needs, and DataYard can now bridge the gap between on-premise IT work and cloud-based hosting services.

We’ve built some great partnerships over the last twenty years – with Microsoft, VMware, and Cisco, to name a few – and these relationships make it possible for DataYard to be your full-service, end-to-end IT partner. If you have a problem, project, or just want to talk through an issue, give us a call – DataYard is here to help you make IT better.

DataYard’s 2016 Internship Program – Internet of Things Kick-Off!

On June 1st DataYard officially brought on two new summer interns for a specific and pretty cool project – to explore the Internet of Things (IoT)!

The chosen ones – Owen Devine and James Kinion – will be working with us through August to design, build, and deploy mobile units which report not only their own geographic location, but a slew of environmental variables as well. While we have a vague idea of how we at DataYard might accomplish this task, the interns have been set free in a sea of low-cost devices which when used together can accomplish almost anything.

We’re makers here at DataYard, and are super excited about the future of the IoT space. We got a 3D Printer for the office last Christmas, and Eric Wright has probably burned through twenty pounds of PLA over seventeen generations of a custom-fit phone Heads Up Display for his road bike. We built our own big-screen network status and reporting display, have daily DJ battles on a Raspberry Pi3 via Airplay to the MusicBox interface, and a Retrobox Pi3 for SNES emulation is coming soon – not even mentioning the custom solutions we put in place for clients every day.

We’re hoping to support the future of the IoT movement by getting some sharp young minds playing the field – and we plan to do that while deploying additional (and mobile) environmental monitoring to our data center – stay tuned for updates on DataYard’s continuing quest to innovate and create ways to Make IT Better!

Client Spotlight – Mikesell’s Project Overview

DataYard is proud to announce our latest partnership with the Mikesell’s Snack Food Company – the oldest potato chip company in the United States! Since 1910, Mikesell’s has been manufacturing and shipping delicious treats from right here in Dayton to the surrounding tri-state. DataYard and Mikesell’s were introduced via mutual partners and Technology First relationships, and we began discussing a full-scale technology redesign and refresh in May of this year.

Mikesell’s had an interesting predicament, albeit not out of the ordinary – recent restructuring of the internal technical team had brought with it a change in long-term vision and strategy. Mikesell’s new CIO, Steve Hangen, wanted to shift the focus of the internal technical resources away from supporting local servers and towards supporting internal processes. However, that didn’t remove the reality that there were multiple (and fairly critical) line-of-business applications running internally on antiquated hardware. Pair that with an Internet bandwidth bottleneck and an outdated DR strategy, and the risk to business continuity was enough to make anyone sweat.

After months of planning and fine-tuning, DataYard and Mikesell’s finalized our strategy and partnership at the end of August. In a few separate installments, I’ll be describing the individual goals of the overall redesign – the how, what, and why.

  • Network topology redesign – DataYard completely re-imagined the WAN design, and has deployed a new network to centralize ownership and management of network services. We had to get creative in a few spots, and a description of these challenges will be an interesting read!
  • Active Directory Upgrade and Virtualization – Once the WAN was centralized, we needed to upgrade and migrate internal Active Directory (AD) services up into the DataYard cloud. One less administrative headache for Mikesell’s internal personnel! We’ll discuss the process, benefits, and challenges here in a later post.
  • Exchange Upgrade and Virtualization – With the AD project completed, we’ve now set our sights on the upgrade from Exchange 2010 to Exchange 2016. This upgrade is happening simultaneously with the migration up to the DataYard cloud. The Exchange project will lighten the load on Mikesell’s staff, and the coming description of the objectives and execution should give valuable insight to anyone facing a similar challenge.
  • JDE Deployment – Mikesell’s is moving away from legacy line of business applications on an internal mainframe and towards the JD Edwards ERP solution in the DataYard cloud. This project will undoubtedly have its obstacles, but the resulting streamlining of operations will provide significant benefit and increased efficiency at Mikesell’s for years to come.
  • University of Dayton Project – DataYard is assisting seniors from UD and providing the needed infrastructure for the students’ MIS Capstone project. The development of this new application will result in the increased day-to-day effectiveness of Mikesell’s internal staff, as well as provide invaluable experience to future IT professionals.

I’m looking forward to sharing the details of these projects as DataYard knocks them out, one by one – starting with a description of the network topology redesign and deployment, coming soon.

Mikesell’s is a historic brand with deep roots in Dayton, and we are very excited to begin a long and successful partnership – stay tuned!

Linux Exploit Liability? Backspace 28 times to get in…Really?

Recent headlines on a new Linux exploit have been spectacular:

  • How to hack any Linux machine just using backspace
  • Exploit Logs You Into Linux Systems After Hitting Backspace 28 Times
  • Log into most any Linux system by hitting backspace 28 times

The vulnerability lies within the password protection of the Grub2 bootloader, which some Linux systems use upon startup. Unpatched, the exploit would cause the system to reboot or bring up a Grub rescue shell granting the user a full set of admin privileges — within the rescue function only.

What is the real danger? Ryan Chewning, DataYard Linux Systems Administrator, sees these as largely sensational pieces. “The exploit requires physical access to the Linux system, first and foremost,” he says. “Additionally, it is my experience that the feature being attacked is not widely used in the first place.”

Our bottom line? If you’re hosting in DataYard’s managed Linux environments, you need not worry. Physical access is controlled and systems are constantly updated with all necessary security patches.

As always, if you have any questions or concerns, please let us know!


New Flavors. New Updates. New OAMM.

Once a Month Meals’ redesign focused on helping visitors and members quickly get to the content they wanted.

Once A Month Meals (OAMM) is the premier site for all things freezer cooking, from their patent-pending MenuBuilder product to the bustling community of members who love to cook and have fresh food on their table without the hassle of cooking from scratch every night.

In early March, OAMM launched a five-month-long project that was focused on bringing a streamlined experience to visitors and their current members. All facets of their technology were improved. The site design upgrade was the most notable, and it now focuses users on their lists of carefully curated menus and recipes. This change makes it much easier to search menus and recipes, and to become a new member if the visitor chooses.

Joel Taylor (Technical Director for OAMM) said that the project was a huge undertaking as there are many different technical facets to how OAMM operates.

“OAMM runs on two custom Ruby on Rails apps, a WordPress install for its frontend and an Ember.js frontend for MenuBuilder. We built a new API from MenuBuilder to enable dynamic content to flow through WordPress to our visitors and members. Previously menus and recipes had to be published in both systems, and human error had twice the chance to introduce itself – not to mention double the workload. Now, we publish in one system, and it automatically populates throughout all our apps.”

Joel mentioned that DataYard was critical to their success in providing dedicated support throughout the redesign process for their server infrastructure needs.

“We had a couple meetings with DY in person discussing the new goals of our site and what technology we’d need in place to make our page load times sub three seconds. We have five web nodes all communicating to each other and three caching systems. If anyone knows WordPress well, they know how critical it is to cache well. We couldn’t just flip on page caching due to dynamic content for our logged in members, therefore caching our API responses and other pieces of communicated data was vital for page speed. Being able to talk through our infrastructure options with DY was one of the best hosting provider experiences I’ve had.”

The OAMM team worked very closely with their long-term partner, Sparkbox. Sparkbox provided OAMM with content strategy, their new design and a lot of the heavy lifting on the API.

“OAMM came to Sparkbox several years ago with a belief that families should eat together. With this vision, we helped them turn their previously cumbersome, manual process into a robust, customized piece of software that allowed users to create their own freezer menus—thanks to the years of experience the OAMM team already had in perfecting menu plans. We were excited to work with OAMM during the redesign to turn this robust backend system for managing menus and recipes into an API that now drives the entire site. The redesign also included updates to the brand to further evolve it into the smart and approachable product it had become. It has been a lot of fun to help grow and adapt the site with the OAMM team.” – Rob Harr, Vice President, Sparkbox

Tricia Callahan (President and Owner of OAMM) says that the redesign project had been long overdue.

“The greatest goal for our recent redesign was to create a cohesive experience for our users between our community and our product. As we worked to achieve this goal, it was important that we also increase site performance and functioning. This was no easy task as we have several appliances feeding into our WordPress site so we knew we needed some unique solutions. Throughout the process we received tailored support and recommendations from the DataYard team that made the cumbersome and delicate process of this redesign easier to manage. Most notably, they took their time to carefully consider how these changes could be made without disrupting the experience of our current users, giving me the peace of mind as a business owner.”

DataYard was thrilled to be a part of the project, and is proud to continually deliver the service, uptime, and performance that any high volume and subscription driven site demands. From both the technical and business perspectives, the match is one made in heaven.

“Working with Joel at OAMM on their environment is always enjoyable and collaborative. Continuing to improve the site performance – from an infrastructure and server application perspective – is always the primary goal, and something I’m happy to be a part of.” – Ryan Chewning, Systems Administrator, DataYard

“The intersection of creative firms and DataYard as an infrastructure partner is one which seems incredibly natural. Every project I’m involved in with folks like Tricia, Joel, and the team at Sparkbox is awesome. When design, development, and infrastructure work together towards a common and communicated purpose, it’s a beautiful thing.” – Alek Mezera, Account Manager, DataYard

Visit Once A Month Meals’ site for delicious inspiration and membership information!

WordPress updates raise CMS security questions

“By failing to prepare, you are preparing to fail.” –Benjamin Franklin

WordPress vulnerabilities and exploits have filled the press lately, with 3 urgent security releases in the past month alone. The popular content management system (CMS) powers nearly one quarter of the web, making WordPress a ripe target for exploitation and a big concern for website owners and visitors to those sites.

A recent study from W3Techs shares that 47% of WordPress users only back up their sites “every few months,” with 25% saying they’re not trained in using WordPress at all. If exploited, however, nearly 25% say they would pay “almost anything” to get the lost data back. Add that to another 20% who would pay “several thousand dollars” to recover, and we’ve got almost half of WordPress users who recognize the price of inaction.

Why are these sites so vulnerable? In failing to prepare. Nearly half of the respondents reported having no IT or Website Manager. They are using WordPress because the CMS makes editing and adding site content easy for an everyday user. Sales and marketing teams are often left minding the shop with little to no technical training on the backend of the website.

WordPress itself is very responsive when it comes to releasing updates to patch holes as they come up, but they have to be implemented.

Where do you stand?

If you’re using the fully hosted WordPress.com solution, then the updates are part of the package. If you’re using the self-hosted WordPress.org solution, then it’s up to you to be prepared. (Not sure? More here.)

On self-hosted websites, the key is in how rapidly the security updates and patches are adopted. Security updates and patches are boring maintenance items, often not included in the overall website plan.

What can you lose?

Walking through the door to Customer Service, you see they’re really hopping already with email, chats, phones… Wow! Then, you catch the conversation in the room, and you realize there’s something wrong. Really wrong.

The site is not doing what it’s supposed to be doing. Content has changed. Customers are being redirected to odd places. They report suspicious pop-ups and installation requests. Some even, trusting you, have allowed these things to run.

Your website is doing a lot…of all the wrong things. You’ve been hacked.

Websites drive revenue, provide information, collect donations, and communicate on your behalf. When the site stops working, your mission and reputation are in jeopardy. If you collect information on your users, breach of privacy may open you up to additional cost and liability.

What can you do?

Designers and developers build content, behavior, graphics, features, shopping carts, etc. It’s tested and then deployed to a hosting provider. After a final check, the keys are turned over to the company.  If it’s up to you, what do you do?

First, WordPress is not alone.  Open-source (WordPress, Drupal, Joomla) and proprietary CMS platforms are all susceptible to exploit.

As a hosting provider for many self-hosted websites built on a variety of CMS platforms, what do we see? How do successful sites not only launch, but also remain secure and successful?

Know your CMS.

Communication is the key. When you’re building your website, get everyone together, and keep them talking on a regular basis. Ask a lot of questions along the way.

  • What CMS forms the foundation of the site? What permissions can be set for users? Many users posting content to the site may not need permission to change core elements about the site’s base architecture.
  • What plug-ins or add-ons contribute to the functionality? While recent exploits targeted the core WordPress CMS, these integrated programs interact with the sites and can also be targets for getting past site security.
  • Does your CMS have an auto-update function? WordPress offers a few options that can be set to help keep you current. If not, does the CMS offer alerts or an update blog site so that you can stay current on any issues?
  • What must be managed manually? Major version changes of the core CMS often require compatibility testing and are often not automatic as a result. Set up a testing and release schedule for these big changes.
  • Staying on the current version means that you’ll also stay up to date with the most recent security patches. As on every technology platform, end of life for a version means no one will be trying to keep it patched and stable.
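
One way to check the auto-update options mentioned in the list above on a self-hosted site, as an added example that is not from the original post or from WordPress itself: it reads the text of a wp-config.php and reports the effective core update policy from the constants WP_AUTO_UPDATE_CORE, AUTOMATIC_UPDATER_DISABLED and DISALLOW_FILE_MODS. The function names and sample files are constructed for illustration, and settings stored in the database are assumed not to override the file.

```python
import re

# Matches define( 'NAME', value ); as it is written in wp-config.php.
DEFINE_RE = re.compile(
    r"""define\(\s*['"](?P<name>\w+)['"]\s*,\s*(?P<value>[^)]+?)\s*\)\s*;""",
    re.IGNORECASE,
)


def parse_defines(php_source):
    """Return {constant: value} for every active define() in the file text."""
    # Drop /* ... */ blocks and whole-line // or # comments so that
    # commented-out settings are not mistaken for live ones.
    text = re.sub(r"/\*.*?\*/", "", php_source, flags=re.DOTALL)
    text = re.sub(r"^\s*(//|#).*$", "", text, flags=re.MULTILINE)
    settings = {}
    for match in DEFINE_RE.finditer(text):
        raw = match.group("value").strip()
        if raw.lower() in ("true", "false"):
            settings[match.group("name")] = raw.lower() == "true"
        else:
            settings[match.group("name")] = raw.strip("'\"")
    return settings


def core_update_policy(settings):
    """Return (policy, findings); policy is 'none', 'minor', 'all' or 'unknown'."""
    findings = []
    if settings.get("AUTOMATIC_UPDATER_DISABLED") is True:
        findings.append("AUTOMATIC_UPDATER_DISABLED is true: every automatic update is off")
    if settings.get("DISALLOW_FILE_MODS") is True:
        findings.append("DISALLOW_FILE_MODS is true: file changes, updates included, are blocked")
    core = settings.get("WP_AUTO_UPDATE_CORE")
    if findings or core is False:
        if core is False:
            findings.append("WP_AUTO_UPDATE_CORE is false: core never updates itself")
        findings.append("security releases must be applied by hand on a schedule")
        return "none", findings
    if core is True:
        findings.append("major versions install unattended: test plug-in compatibility first")
        return "all", findings
    # Assumption: an unset constant is treated as the long-standing default of
    # minor releases only; database options that may widen it are not inspected.
    if core is None or core == "minor":
        findings.append("minor and security releases install automatically")
        return "minor", findings
    findings.append("unrecognised WP_AUTO_UPDATE_CORE value %r: check by hand" % core)
    return "unknown", findings


# Constructed sample files, not taken from any real site.
SAMPLE_LOCKED = """<?php
define( 'DB_NAME', 'example' );
// define( 'WP_AUTO_UPDATE_CORE', true );
define('AUTOMATIC_UPDATER_DISABLED', true);
"""
SAMPLE_MINOR = """<?php
/* define( 'WP_AUTO_UPDATE_CORE', false ); */
define( "WP_AUTO_UPDATE_CORE", 'minor' );
"""

if __name__ == "__main__":
    for label, source in (("locked", SAMPLE_LOCKED), ("minor", SAMPLE_MINOR)):
        policy, findings = core_update_policy(parse_defines(source))
        print(label, "->", policy)
        for finding in findings:
            print("   ", finding)
```

A policy of "none" is the case the list warns about: someone has to own a manual patch schedule, or the site falls behind on security releases.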

Know your role.

Remember that survey. Nearly half of site owners would spend thousands, if not “almost anything” to recover lost data. That’s a lot of Benjamins.

Planning for maintenance is like a good insurance policy, and a better use of resources than praying and paying for miracles after you experience a loss.

IT resources are needed to manage and maintain the live website. You don’t have to be that expert yourself, but don’t forget to budget for routine maintenance and updates when you’re allocating IT resources.

If you don’t have in-house expertise, consider a management agreement with your developer. Like oil changes for a car, it’s part of the price of ownership.

Know your hosting provider.

Not all hosting providers are created equal. Your hosting provider should be an active partner: at a minimum, keeping the Windows- or Linux-based infrastructure stable, secure, and updated in its own right.

As a provider ourselves, we’re a bit biased here at DataYard. We think that a hosting provider should be so much more!

Customer service and support expertise are vital. At DataYard, we love being included in a website’s overall design and development from Day One. We’re experts on our hosting platform, the options available, and maximizing the architecture’s performance for your site.

We talk to you about the site architecture itself, and making sure it’s backed up on a regular schedule. Regular backups mean no mad scramble to see if anything can be recovered.

“When we work with the developers as a site is under construction, we look for bottlenecks to performance,” shares Ryan Chewning, DataYard Systems Administrator. “Most security plugins in WordPress, for example, are incompatible with one another even when they’re fine separately. Some of the security plug-ins help drop malicious connections rapidly, keeping system resources readily available.”

For those building a new website to replace an existing site with active customers, we have extra considerations. Ryan explains, “The user experience during any change is important, from incorporating plug-ins that seamlessly bridge site versions to minimizing any downtime needed to complete the transition.”

The relationship with your hosting provider should not stop when the site goes live. Active management is a valuable element to keeping your website healthy. A DataYard managed account is monitored for performance. With success and more traffic, needs change over time. Ryan concludes, “We watch for performance degradation and make proactive recommendations to keep the site growing along with you.”

What next?

Since your website ties to your bottom line, the bottom line is that you don’t want to trust it to just anyone. If you’re not sure what you have, now’s the time to ask. If you need some help looking at where you are and where you want to be, remember to ask your trusted partners here at DataYard.

“Venom” Vulnerability Details Released

This week the “Venom” vulnerability was announced, affecting a number of virtualization systems, like Xen, KVM, and VirtualBox (http://www.zdnet.com/article/venom-security-flaw-millions-of-virtual-machines-datacenters/). Hackers can exploit a flaw in code written more than 10 years ago, in a virtual floppy disk controller, to shut down the hypervisor. With the hypervisor disabled, a hacker would then be able to access the virtual machines of other people or companies running on the same server.

Prior to Wednesday’s announcement, software makers developed patches to close the door to the exploit, but not all hosting providers have been able to roll the patch out to their affected systems. As a result, a number of virtualization platforms running these distributions remain vulnerable to possible exploits.

Since our systems are built on VMware, DataYard’s cloud infrastructure is not vulnerable to this exploit. Microsoft’s Hyper-V and Bochs are also not affected by this bug.