5 Reasons to Reexamine Your Connectivity Plan

When someone begins an IT services contract with us, our first step is to gather information about their current business and IT environment. Often, this discovery phase uncovers a disconnect in their communications situation. Here are five common pain points we see:

Pain Points

  1. Network Performance: The efficiency of your organization depends to a large extent on the efficiency of its network and applications. If your applications are running slowly or freezing up, this can irritate and slow down your workforce.
  2. Scaled Growth: Whether it’s meeting the user maximum on a VoIP plan, needing more physical phone lines for your in-office staff, or creating dedicated lines for clients, are you struggling to make your connectivity plan work for the current reality of your organization? The plan that worked for you when the contract was signed three years ago may not support the bandwidth needs of the user base you have now.
  3. Overpaying: We often find that better plans have become available but the provider is not notifying the client, so you’re paying more than necessary for their services. On top of that, when your contract with a provider expires, most of the time they jack up your rate to motivate you to sign another deal.
  4. Downtime: What does one hour of downtime cost your business? If you have a team of 20, and we figure your average hourly cost for this team is $1,000, one hour of downtime is roughly ten times more expensive than paying for a redundant cable connection. A company may be struggling with frequent downtime without understanding that it’s directly tied to an outdated or insufficient connectivity solution. At healthcare facilities, for example, admissions, medication orders, medical records, guest Wi-Fi—all of it depends on your Internet and phone lines. If they go down, this can directly affect your revenue and your compliance status.
  5. Mobility: Do you have a mobile workforce and find your communication solutions lacking in field applications or support? Especially in the wake of the pandemic, many organizations are moving to a work-from-home arrangement, and are scrambling to keep their team communicating, both internally and with customers.

How We Can Help

If your organization is struggling in one of these areas, we have a five-step process to help.

  1. Discovery: We start by collecting information. What is and is not working well? What system(s) are you currently using? Why are you looking for a change?
  2. Research: This is a big part of the value of our partnership. We navigate the telecom landscape for you, conducting extensive research on what options or alternate providers are available in your area. Who provides physical service to your building? What plan sizes are offered? We compile all of this into a spreadsheet to help you compare your options.
  3. Review: We go over the pros and cons of each option, set up webinars or demos with providers, request a proposal from chosen providers, and review those with you as well. We then negotiate with the provider to make sure we have the best promotions and are getting you the best services at the best possible price.
  4. Implementation: We will manage the implementation process all the way to the final sign-off. From billing to design to installation to training your team on the new system, we are your partner and advocate in dealing with the provider.
  5. Post-sale support: We don’t stop once you’re up and running; if you have any technical support needs, we work with the provider on your behalf and hold them accountable for a timely fix.

With an optimized connectivity solution, you’ll see these benefits:

  • Better application performance: Increased bandwidth can eliminate packet loss, latency & jitter.
  • Minimized downtime: Building true redundancy into the network by setting up primary & secondary connections cuts down on costs and compliance issues.
  • Expense management: By negotiating a better rate or finding a better plan for you, we help you redirect your budget dollars toward other organizational goals.
  • Expert assistance: We know the industry and the system; put our expertise to work for you to get you the best bang for your buck.

FIT Solutions and our partners work to provide elite IT services to organizations. Give us a call today at 888-339-5694 or contact us here to see how we can improve your business environment.

Step-by-Step EHR Migration Checklist for Senior Care Facilities

Ownership changes are a fact of life in senior care. When a nursing home or LTPAC facility changes hands, you’re often faced with the challenge of migrating the electronic health record (EHR) system to a new platform — without sacrificing or impacting continuity of care. At FIT Solutions, we’ve supported many of these migrations. Over time, we’ve developed a roadmap and set of best practices for efficiently and successfully completing the handover to new ownership.

EHR Migration Roadmap: Planning Ahead

Preparation is key. In our experience, the more attention you pay to the first four steps here, the less likely you are to encounter unplanned obstacles downstream that could substantially delay your migration.

  1. Determine the migration type. We anticipate that as the new owner, you’ll be using an EHR system hosted in the cloud. There are so many advantages to a cloud-based system that hardly anyone hosts their instance on-premises in their own data center anymore. Here are the possible scenarios.
    • EHR to same EHR. If the outgoing and incoming owners use the same EHR system, the migration can be as simple as spinning up a new instance of the software in the cloud and copying the database over. Not all of the steps in this checklist will apply to you, but most assuredly, some of them will.
    • Paper records to EHR. In some ways, moving from paper records is more straightforward than migrating across different EHRs. You’ll need to do some scanning and have the resources to do that available to you.
    • EHR to different EHR. The majority of the time, this is the scenario you’ll be dealing with.
  2. Obtain and inspect the final letter of agreement. We can’t emphasize this enough. You need to have the sale confirmed and letter of agreement finalized several months before the migration. The letter of agreement spells out whether the pre-existing computing, network and telephony equipment comes along with the sale. It also spells out which EHR records you’ll be allowed to copy. Policies vary from seller to seller — sometimes widely. The letter of agreement dictates what information you can migrate, and how. You can’t presume anything.
  3. Assess the willingness of the outgoing owners to cooperate. Regardless of what’s in the letter of agreement, reach out and get an idea of the outgoing owner’s willingness to share information, grant access and respond to your inquiries. The entire process will go much smoother with a cooperative seller. Some limit access and support. Enlightened sellers understand that transferring ownership supports their overall strategy, and is just part of doing business.
  4. Conduct a coordinated site survey. If you can, go onsite well in advance and do a thorough walk-through and site survey. Ideally, the IT team as well as electrical and other contractors will all go at the same time to work through and plan any potential changes. Typically, there is some IT work that’s dependent on the electrical work. This includes the need to relocate electrical outlets and network drops, or add new ones to accommodate new kiosks, Wi-Fi access points or other equipment. If backup power isn’t in place, this is the right time to rectify that shortfall if budget allows, or to at least put a contingency plan in place. Verify that there’s a contract for the essential electrical work, and clarify who owns it.

EHR Migration Roadmap – Setting the Stage

Once you understand the landscape, it’s time to start preparing the environment for the new EHR.

  1. Purchase new equipment as necessary. Assuming you’ll be allowed to take over the old equipment, cloud-based EHR systems can often run on older hardware. However, the browser needs to be up to a certain standard and the hardware needs to support it.
  2. Complete the electrical and cabling work. If any electrical service and network connections need to be provisioned to accommodate relocated computers, servers or Wi-Fi access points, schedule that work so it’s complete before the IT teams start to install the new equipment.
  3. Identify effective, tech-savvy and smart superusers. You’ll need to press some staff into service for two jobs: handling data re-entry to populate the new EHR with the most essential data, and serving as support for the other users during the transition.
  4. Complete the IT-related work. This includes installing any new hardware, and configurations of the network, network devices, phone and/or fax systems. Now is the time to make sure that essential items are in place to support the transition, such as online storage and multifunction printers/scanners. If you’re switching ISPs, arrange for the connections. If you’re retaining the former ISP, make sure the contracts and new billing arrangements are in place to ensure continuity.

Migration Roadmap – Preparing to Execute

Two to three weeks prior to going live with the new EHR, start the process of migrating records to the new system and preparing your staff. You’ll be using paper charting during this interval, to cover any gaps.

  1. Contact the EHR provider to create a new instance of the software. Assuming you’re already a customer with existing accounts for your other facilities, this is likely a simple phone call.
  2. Prepare manual/paper processes to cover contingencies. During the time records are being converted and uploaded to the new EHR, you’ll need to have paper forms in place so caregivers can document their actions.
  3. Start superusers on the data migration or export to .pdfs. This is where your letter of agreement dictates what you can do. The profile and MDS documents can usually be electronically copied. Census or basic resident information can often be migrated by a third-party provider. However, the core of the records, including care plans, assessments, orders and ADL tasks, typically needs to be output as .pdfs or scanned in from paper copies, and attached to the patient records in the new EHR.
  4. Put training materials in place. During the lead-up to adoption of the new EHR, make preparations to train the staff. Stage any training modules or videos, and ensure that all employees can access them. Set up a sandboxed system with simulated patient data, giving the caregivers the opportunity to practice. Prepare your superusers to conduct webinars and other training sessions, and schedule them during the first two weeks post-live.
  5. Plan for staffing and superuser coverage. During at least the first two weeks post-cutover, make sure that one or two superusers are available to cover for each shift. Clarify which resources, whether the superusers, IT services team or EHR support, are to handle specific issues such as how-to questions, password resets, Internet or Wi-Fi issues, email issues and access to shared drives.
  6. Execute training programs. Once the new EHR is populated with the essential data, you can roll out your training programs across all care teams. Rely on your superusers to train other nurses, CNAs and aides as you take the system live.

At FIT Solutions, we’ve handled and supported dozens of EHR migrations for senior care facilities. If you have an upcoming project or are planning an acquisition, feel free to reach out to our staff of experts. Give us a call at 888-339-5694.

Amazon Alexa & Google Assistant for Senior Care: 4 Considerations

There is tremendous interest in using voice assistants such as Amazon Alexa and Google Assistant in skilled nursing, LTPAC facilities and assisted living settings. The devices that access these technologies — most often an Amazon Echo or Google Home speaker — can be used in conjunction with smart home technologies to control lighting, heating and cooling, home entertainment, communication and various other systems. With simple voice commands, residents can turn the lights on and off, set the thermostat, communicate with loved ones, create a shopping list, turn music on, hear the news and get the latest weather report.

These devices address various concerns around safety, promote feelings of independence, help seniors stay connected, and do a host of other very good things. Especially for those with limited mobility, cognitive issues or other challenges, voice control can be enabling for everyday life and contribute to overall well-being. When they are used in conjunction with sensors and other smart home-enabled technologies, you can appreciate why so many facility designers are beginning to incorporate these into their plans.

Sensors can detect whether the resident is active or inactive, or whether the refrigerator or medicine cabinet has been opened. They sense movement and turn pathway lighting on to prevent falls. Smart water systems monitor consumption to make sure residents are drinking enough water. Medication reminders and pill dispensers assist those with memory issues.

We love the advantages these technologies offer, but allow us to point out a few potential issues for facilities to consider.

Connectivity Requirements

These technologies rely heavily on the cloud for their fundamental operation, including the voice recognition that makes them tick. The various sensors and other smart-enabled devices and technologies are likewise “Internet of Things” (IoT) devices. They’re Internet-reliant — and the more functions they provide, the more residents rely on them for their everyday living. It’s a whole new world when “the lights won’t turn on” triggers an IT trouble ticket. Having highly reliable, regularly monitored and redundant Internet connections with failover capability and sufficient bandwidth is absolutely essential.

HIPAA Considerations

When voice assistants are used for medication reminders, gathering healthcare data or other medical matters, HIPAA regulations come into play. Amazon has recognized the medical applications for its technology, and has entered agreements with some third parties in the healthcare arena to deliver services over Alexa that are “HIPAA compliant.” This means that the data is collected and stored by the third party in a HIPAA-compliant manner; it does not mean that any or every use of Alexa is “HIPAA compliant.” Even seemingly routine discussions about healthcare matters that happen to be picked up while the voice assistant is listening can lead to HIPAA exposure.

Wi-Fi Security Implications

Voice assistants rely on Wi-Fi for connectivity. If they’re going to be used for gathering and transmitting healthcare data that’s subject to HIPAA, they absolutely must be connected to the same protected, healthcare-dedicated Wi-Fi network that handles your EHR and other medical systems. Allow voice assistants on the guest-and-resident network only if they’re resident-owned and -installed, and you can be sure they’re functioning in a way that’s outside the reach of HIPAA.

Remember the Network

In our conversations with senior care facilities, the enthusiasm for voice assistant and smart home technologies is evident, and we share it! But we encourage you to keep the network and security implications in mind to ensure that these assets do not become liabilities.

At FIT Solutions, our managed IT services come with tools and expertise in network design and connectivity, monitoring and troubleshooting. If you have a project like this in mind, give us a call at 888-339-5694.

Team Onboarding—Best Security Practices for Senior Care Facilities

It’s a common adage in cybersecurity: humans are the weakest link in your defenses. Hackers still do manage to infiltrate networks directly, but more commonly, their preferred route of access is through your people. No matter how fortified your firewall or effective your antivirus, anyone could click on a link and fall for a phishing scheme or be fooled into sharing a password. The risks compound if you regularly take on new employees. Every system they can access also represents a potential entry point for a criminal. You not only need to be able to give employees access when they join, but more importantly, shut down all their access when they leave.

Here are a few suggestions to help you close down those security holes.

Automated Onboarding — and Offboarding

An account left open is an open opportunity. Terminated employees have used their unterminated access to steal information or otherwise take revenge. Successful crimes have also been committed when criminals exploit a still-open account after an employee has moved on. Once a criminal has a foothold, they can either use access to one system as a beachhead for escalating privileges or move laterally across systems to gain access to higher-value information. So each and every account with access to EHR, human resources, nutrition, directory services, accounting and other key systems leaves the others vulnerable. When an employee leaves, there’s no reason to leave those accounts active, but it’s easy to overlook one or two—and it happens all too often.

Solutions are available that automate the steps of onboarding. These make the process essentially self-service for the new hire and easier for everyone involved, including human resources and IT staff. Once configured correctly, with a single login the user can either automatically be given access to all the systems the role requires, or receive instructions on setting up new accounts or passwords. On the back end, any manual steps that system administrators need to take are flagged for action as part of a standard workflow. Most importantly, the chain of access and granting various system privileges is completely reversible. That is, when the employee leaves, the system cycles through a series of actions that remove the privileges of all accounts for that individual – and the security holes they represent.

These automation solutions take multiple forms. Sometimes they’re part of a Human Resources Information System (HRIS). This type of software automates the process for HR (payroll, benefits and similar functions) as well as IT. Software that handles only the IT onboarding piece is more commonly referred to as Identity Access Management (IAM) or Single Sign-On, among other terms. There’s considerable feature overlap among these categories of software. Make sure that any you are considering can automate onboarding to the specific systems you use.
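The joiner/leaver workflow and the reconciliation check described above, as an added example (not FIT Solutions code or any particular HRIS/IAM product): role-to-system entitlements, offboarding that revokes across every system rather than only the role’s, a flagged manual task where no connector exists, and an audit that finds orphaned and over-entitled accounts. Role names, system names beyond those in the article, and the user IDs are constructed sample data.

```python
"""Role-based onboarding/offboarding with orphan-account reconciliation.

Added example; the roles, users and the MANUAL_SYSTEMS set are constructed.
"""
from dataclasses import dataclass

# Role -> systems that role legitimately needs (constructed mapping; the system
# names follow the article: EHR, HR, nutrition, directory, accounting).
ROLE_ENTITLEMENTS = {
    "nurse": {"directory", "ehr", "nutrition"},
    "hr_specialist": {"directory", "hr", "accounting"},
    "dietary_aide": {"directory", "nutrition"},
}

# Systems with no API connector: the workflow flags removal as a manual step
# instead of silently skipping it (constructed assumption).
MANUAL_SYSTEMS = {"nutrition"}


@dataclass
class Employee:
    user_id: str
    role: str
    active: bool  # mirrors the HR system of record


def onboard(emp, accounts):
    """Grant exactly the systems the role requires. Returns the systems granted."""
    granted = set()
    for system in sorted(ROLE_ENTITLEMENTS[emp.role]):
        users = accounts.setdefault(system, set())
        if emp.user_id not in users:
            users.add(emp.user_id)
            granted.add(system)
    return granted


def offboard(emp, accounts):
    """Reverse the chain of access across *every* system the user appears in,
    not just the role's list, so hand-granted extras are caught too.
    Returns (systems revoked automatically, manual tasks for the admin)."""
    revoked, manual = set(), []
    for system, users in accounts.items():
        if emp.user_id not in users:
            continue
        if system in MANUAL_SYSTEMS:
            manual.append(f"remove {emp.user_id} from {system}")
        else:
            users.discard(emp.user_id)
            revoked.add(system)
    return revoked, manual


def find_orphans(roster, accounts):
    """Reconciliation: accounts whose owner is no longer an active employee.
    This is the check that catches the 'overlooked one or two'."""
    active = {e.user_id for e in roster if e.active}
    orphans = {}
    for system, users in accounts.items():
        stale = sorted(u for u in users if u not in active)
        if stale:
            orphans[system] = stale
    return orphans


def find_over_entitled(roster, accounts):
    """Active users holding access outside their role (privilege drift)."""
    drift = {}
    for emp in roster:
        if not emp.active:
            continue
        for system, users in accounts.items():
            if emp.user_id in users and system not in ROLE_ENTITLEMENTS[emp.role]:
                drift.setdefault(system, []).append(emp.user_id)
    return {system: sorted(users) for system, users in drift.items()}


def demo():
    """Walk one constructed lifecycle and return the findings for inspection."""
    roster = [
        Employee("jdoe", "nurse", True),
        Employee("asmith", "hr_specialist", True),
        Employee("bwong", "dietary_aide", True),
    ]
    accounts = {}
    for emp in roster:
        onboard(emp, accounts)
    # Drift: an admin grants jdoe accounting access outside the workflow.
    accounts["accounting"].add("jdoe")
    over_entitled = find_over_entitled(roster, accounts)
    # bwong leaves and offboarding runs; nutrition becomes a manual task.
    roster[2].active = False
    revoked, manual = offboard(roster[2], accounts)
    # jdoe leaves but nobody runs offboarding; reconciliation must catch it.
    roster[0].active = False
    orphans = find_orphans(roster, accounts)
    return {"over_entitled": over_entitled, "revoked": revoked,
            "manual_tasks": manual, "orphans": orphans}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run the reconciliation against the HR roster on a schedule; the pending manual task for bwong shows up as an orphan until an administrator completes it, which is the behaviour you want.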

User Education Services

Weak passwords, passwords shared across multiple accounts, a tendency to fall for social engineering ruses and ignorance of basic information security are all human-based vulnerabilities. Employee-education services have become an essential part of security. Enroll each new hire in these programs as an integral part of the onboarding process.

  • Cybersecurity Awareness Training. This type of training instructs employees on how to spot phishing scams as well as good password hygiene and other precautions and security measures. Training can be self-paced online, via webinar or in-person seminars. Which option you choose depends on the third-party provider’s offering and what’s practical for your organization.
  • Phishing Testing. This service sends simulated phishing emails on a regular basis, using the same social engineering tricks used by criminals. If an employee takes the bait, the service provider follows up and requires the employee to take further training. The IT or security department receives regular reports on how well the employees are doing overall, as well as an audit trail on which employees have completed the training.

One other service to consider is dark web monitoring, which crawls illegal online marketplaces looking for stolen login credentials for sale. If the service finds any credentials belonging to your employees, you’ll receive an alert so you can delete the account or change the password to something stronger and more secure.

At FIT Solutions, we have partner relationships with many service providers who are the best in the business at what they do. We can assist you with selection, setup and ongoing best practices to support all of your new hires and also to close down access for former employees. If you would like to know more, give us a call at 888-339-5694.

PointClickCare or MatrixCare: Which for Senior Care?

If you’re considering an electronic health records (EHR) system for your LTPAC or assisted living facility, our experience with senior care clients tells us that there are two popular choices: PointClickCare and MatrixCare.

Which should you choose for your facility? Well, it depends.

First, let’s get the basics out of the way. Both are built with a strong LTPAC focus, which separates them from EHR systems such as Epic or Cerner that are more often found in hospitals and integrated health systems. Both are strong on HIPAA security compliance. Both include electronic medication administration record (eMAR) functionality. Both are delivered through a software-as-a-service (SaaS) model, which means you don’t have to maintain an onsite server, and updates, patches and data backups are handled for you. In our experience, both companies offer great support.

They differ in a few ways as well, and while we can’t recommend one system over the other, we’ll share those differences. Which system you choose depends on which of these issues matters more to you.

  • Device support. MatrixCare is a Microsoft partner, and that’s reflected in the operating systems and devices it supports. The clinicians’ devices must run the Windows operating system and Internet Explorer. MatrixCare supports non-Windows client devices via either a Citrix virtualization client or Windows Terminal Services. While those scenarios are well-documented and supported, running the Citrix or Windows Terminal Server is the responsibility of your IT team. On the other hand, PointClickCare supports desktops, laptops, tablets and smartphones that run Windows, MacOS, ChromeOS or Android, and all of the popular web browsers (although not all modules support all combinations). If you want to run PointClickCare in a virtualized environment, it’s not technically supported by the company, but some facilities are doing so successfully.
  • User Interface. The MatrixCare user interface is sleeker and more modern, but in our opinion, this is mostly a matter of aesthetics. Both are equally functional.
  • Reporting and Analytics. PointClickCare offers reporting, but creating custom reports and analytics requires using a feature called Data Relay. It allows you to copy most of the data onto another server for running analytics. By contrast, MatrixCare has an Analytics Suite module that lets you make use of Microsoft Azure and PowerBI to develop analytics and create custom dashboards. Both of these scenarios require some degree of knowledge by your users and IT team.
  • Audit trails. Our clients report that MatrixCare is stronger in this area, particularly at survey time.
  • Redundancy. Both systems recommend that facilities have two Internet connections in case one connection goes down. However, in the event of an outage, PointClickCare suggests hourly backups of the eMAR records so clinicians can revert to paper charting. MatrixCare provides a mobile app that can work offline, and syncs the records back to the eMAR module once the connection becomes available again.

At FIT Solutions, we’re familiar with both of these senior-care EHR systems and our IT specialists are happy to support you, regardless of your choice. If you would like to know more, give us a call at 888-339-5694.

4-Step Strategy for Onboarding Senior Care Acquisitions

Consolidation through mergers and acquisitions is a fact of life in long-term, post-acute care (LTPAC). A typical scenario is a large, multi-facility operator buying a freestanding facility or small chain of facilities, bringing economies of scale that can make the acquired facilities more profitable. Part of what is acquired is the technology infrastructure. We’re often asked to come in as the technology consultant as part of these transactions. We help the acquirer understand what they’re getting and create a roadmap for shifting the operations from the old umbrella to the new. Allow us to share the benefit of our experience.

1. Start with a Thorough Inventory

Even if the seller has inventory records, inevitably, something gets overlooked. Often, there are items that were never documented. Current services and providers might have been switched and the information was never updated. Put together a very thorough list of categories of items to be considered, from computers to network infrastructure to service providers. Think from a process perspective as well: How is data being backed up? What about remote access? This can lead you to items that might be otherwise missed.

Then, sit down with someone from the seller’s organization who can help you work through the list to gain a fuller picture of the inventory. A good approach is to start from the perspective of the service-point entrance and work through the various segments of the network. What services actually come into the building? Typically, there is, at minimum, Internet, phone and television from one or more service providers that go to a network room. From there, how do the services propagate out to the rest of the environment? What is the network layout? Finally, arrive at the end nodes and take into consideration the OS, systems accessed and the software and licenses involved.

2. Don’t Overlook Anything: Do an Onsite Analysis

Even with a detailed inventory, items get overlooked. Going onsite will fill in the gaps — and undoubtedly, there will be gaps to find. Sometimes, you may find items that individual departments installed without the knowledge of the IT department, or network closets that were nearly forgotten. Many facilities were not originally built with IT requirements in mind, so network infrastructure can be behind unmarked doors or in other unexpected locations. Once, we found a forgotten and critical medical alert server hidden behind a potted plant. Another time, there was an entire wing with several dozen wireless access points, but the points were hidden in the drop ceiling and were not included with the inventory.

Ask for administrator credentials to log in to the systems. Check network speeds and talk with IT and end-users to understand what the environment is like.

3. Clarify What’s Going to Get Transferred

When it comes to transferring IT assets, sellers have different policies. To limit their exposure to compliance issues raised post-sale, some will pull all end-user systems and servers offsite before the new owner takes over. Others transfer the computing hardware, but wipe the systems clean. Still others are willing to leave everything as-is, and simply turn the keys over. Even if the computing assets will remain in place, it is likely that the acquirer will be switching to new EHR and other clinical systems, as well as business systems, to put the organizational efficiencies into place that they expect to realize. The pre-existing hardware and systems might not be up to the task. Bottom line? No two onboarding scenarios are alike, so make sure both sides are clear on expectations.

4. Develop a Transfer Plan

Given the above, some difficult operational and financial decisions might need to be made. The decision to retain the pre-existing equipment or replace it has to be balanced against the financial realities of the upfront costs, alongside the operational downsides of systems that can’t meet performance standards.

Above all, LTPAC, senior care and skilled nursing facilities deliver care 24/7. There is no option to shut things down for a weekend to make the switch, as might be possible in some other industries. Making older equipment work could be false economy, because it typically involves workarounds or finding fixes for systems that are past support. That means the transition takes longer and front-line care workers need to contend with more downtime or even resort to paper charting. All of this needs to be accounted for to arrive at a transfer plan that makes operational and financial sense, adheres to regulations, and preserves continuity of care.

At FIT Solutions, we’ve done dozens of onboarding projects and have complete systems and procedures in place for streamlining IT transfers in merger and acquisition scenarios. We account for the business realities and care-delivery issues, as well as the IT aspects. And since every scenario is different, we never stop learning, refining and improving our methodology. If you’re considering an acquisition, let us pave the path for you. Give us a call at 888-339-5694.

8 Steps to Mobile Device Security for Senior Care Environments

National Cybersecurity Awareness Month, observed each October, promotes heightened awareness of the importance of computer security issues. This year’s theme is “Own IT. Secure IT. Protect IT.”

The first — Own IT — refers to taking responsibility for security. While much of the focus of the messaging is on individual security, there are some timely reminders for business environments as well. This is especially true for our FIT Solutions customers who use mobile tablets to access EHR and other clinical systems.

Your internal network contains protected health information, and for HIPAA compliance, you must be absolutely sure that any connected devices are secure. Here are the best practices we recommend:

  1. Secure Your Wi-Fi.
    This is vital for LTPAC environments. Offering Wi-Fi to patients and their guests is a standard business practice, and is essentially an expectation. Keep the guest Wi-Fi on a network that is separate from the clinical network, and establish a firm policy to prohibit your staff from sharing the clinical network password with patients or guests. Business-class Wi-Fi access points allow you to set up separate networks and prevent cross-traffic between them. If your staff brings their own smartphones to work, only allow them to access the guest network. You might offer them a third and separate network that allows some access, but still prevents their devices from accessing clinical data. Given the possibility of an unsecured device leading to a breach of patient data, you simply must allow only devices that you can directly control and secure to access medical records.
  2. Require Endpoint Security Software.
    Any device that connects to your network is an endpoint with access to your network’s data. PCs are no longer the only vulnerable point; Android devices are especially susceptible, and criminals are increasingly targeting tablets running iOS. Make anti-malware software part of the standard configuration, and set it to trigger regular updates.
  3. Fortify Your Logins.
    A tablet or other device that has access to medical data must be locked with a passphrase to prevent unauthorized use by visitors who might pick it up. In addition to a strong password policy, the best practice is to enable multi-factor authentication for any access to the clinical network. These measures protect you against unauthorized use of the device as well as against criminals guessing passwords or using stolen credentials to gain access. In addition, hide the SSID so you’re not broadcasting the name of the clinical network.
  4. Mandate VPN Use.
    Mobile devices can be susceptible to eavesdropping. Take advantage of the strong encryption offered by a VPN by implementing a VPN for access to the clinical network if the device needs to leave the secure network. Look for one that also supports multi-factor authentication to protect the VPN logins.
  5. Protect Against Malicious Apps.
    One of the biggest mobile-device risks is applications that pose as something useful or fun, but are actually designed to steal data. Establish policies that limit or block the use of third-party software on your clinical devices.
  6. Develop and Require a Secure Configuration.
    Establish a standard, secure configuration for devices that connect to the clinical network. This includes requiring a lock code or password for access, preventing the device from joining other wireless networks, and either hiding the device from Bluetooth discovery or, better still, disabling Bluetooth altogether.
  7. Enable Remote Lock and Wipe.
    Be sure you are able to remotely lock the device to prevent its use if it is ever lost or stolen. Ideally, the devices don’t store any data at all and are only used to access or update the patient records. But if they do hold any data, or as an extra measure of protection, ensure you can wipe the data from the device as well. If the device is found, you can simply re-image it from a backup.
  8. Conduct Mobile Security Audits.
    Hire an outside firm to annually audit your mobile security and perform penetration testing. Testing using the same mobile devices that you use in your environment will uncover potential issues before a criminal discovers them.
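A segmentation design is only as good as the firewall policy that enforces it. The following Python script is an added example, not code from the original article: it models the three-network layout from the first tip above (guest, staff BYOD and clinical) as a first-match rule list, evaluates individual flows against it, and audits whether any rule lets the guest or BYOD zone reach the clinical zone. The zone names, the ports and both rule sets are constructed assumptions. Because a decision in this rule model depends only on whether the port equals one named in some rule, probing every named port plus one unnamed port covers every distinct outcome the policy can produce.

```python
"""Audit a first-match firewall policy that separates guest, BYOD and clinical Wi-Fi.

Added example; zone names, ports and rule sets are constructed for illustration.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple, Union

# Zones assumed for the three-SSID design (constructed names).
GUEST, BYOD, STAFF, CLINICAL, INTERNET = "guest", "byod", "staff", "clinical", "internet"
ANY = "any"


@dataclass(frozen=True)
class Rule:
    src: str             # source zone or ANY
    dst: str             # destination zone or ANY
    port: Optional[int]  # destination TCP port, None = any port
    action: str          # "allow" or "deny"

    def matches(self, src: str, dst: str, port: int) -> bool:
        return (self.src in (ANY, src) and self.dst in (ANY, dst)
                and (self.port is None or self.port == port))


def evaluate(rules: List[Rule], src: str, dst: str, port: int) -> str:
    """First matching rule wins; anything unmatched hits an implicit deny."""
    for rule in rules:
        if rule.matches(src, dst, port):
            return rule.action
    return "deny"


def audit_clinical_isolation(rules: List[Rule],
                             untrusted: Tuple[str, ...] = (GUEST, BYOD)
                             ) -> List[Tuple[str, Union[int, str]]]:
    """Return every (zone, port) from which an untrusted zone can reach CLINICAL.

    Probing each port named in the policy plus one port named nowhere covers
    every equivalence class of ports, so the audit is exhaustive for this model.
    """
    named = {r.port for r in rules if r.port is not None}
    unnamed = next(p for p in range(1, 65536) if p not in named)
    leaks: List[Tuple[str, Union[int, str]]] = []
    for zone in untrusted:
        for port in sorted(named) + [unnamed]:
            if evaluate(rules, zone, CLINICAL, port) == "allow":
                leaks.append((zone, "any" if port == unnamed else port))
    return leaks


# Weak policy (constructed): a "convenience" rule lets staff phones reach the
# clinical zone over HTTPS, which is exactly the cross-traffic to prevent.
WEAK_POLICY = [
    Rule(GUEST, INTERNET, None, "allow"),
    Rule(BYOD, INTERNET, None, "allow"),
    Rule(BYOD, CLINICAL, 443, "allow"),
    Rule(CLINICAL, ANY, None, "allow"),
    Rule(ANY, ANY, None, "deny"),
]

# Hardened policy (constructed): explicit denies toward CLINICAL come first, and
# BYOD gets limited access to a separate staff zone instead of clinical data.
HARDENED_POLICY = [
    Rule(GUEST, CLINICAL, None, "deny"),
    Rule(BYOD, CLINICAL, None, "deny"),
    Rule(GUEST, INTERNET, None, "allow"),
    Rule(BYOD, INTERNET, None, "allow"),
    Rule(BYOD, STAFF, 443, "allow"),
    Rule(CLINICAL, ANY, None, "allow"),
    Rule(ANY, ANY, None, "deny"),
]

if __name__ == "__main__":
    print("weak policy leaks:    ", audit_clinical_isolation(WEAK_POLICY))
    print("hardened policy leaks:", audit_clinical_isolation(HARDENED_POLICY))
```

Placing the deny rules toward the clinical zone at the top of the hardened policy means a later convenience rule cannot reopen the path; rerunning the audit after every policy change is the check that keeps it that way.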

We encourage you to use National Cybersecurity Awareness Month to take a serious look at your security and address any shortcomings. If you would like assistance implementing these measures or an evaluation of your HIPAA compliance posture, FIT Solutions is here to help. Call us today at 888-339-5694.

Windows 7 End-of-Life (EOL): How to Maintain HIPAA Compliance

You may soon be facing a HIPAA compliance headache on the workstations in your healthcare facility. Microsoft support for Windows 7 and Windows Server 2008 ends on January 14, 2020.

No more security patches will be issued after that date. This puts those operating systems at odds with the HIPAA administrative safeguards, which include the specification for “protection from malicious software,” specifically “procedures for guarding against, detecting, and reporting malicious software.”

The end of support means that workstations running those operating systems will be unpatched against new exploits, leaving them highly vulnerable, and therefore, out of HIPAA compliance.

If you are still running those older operating systems, you’re not alone. Many companies still have Windows 2008 servers and Windows 7 workstations in their environments. While these operating systems are ten years old and newer systems are certainly better, organizations keep using them. They are very stable and continue to do their jobs well. But the longer you hang onto them, the greater the risk to your organization.

First, let’s talk about the risks, and then how to alleviate them without having to purchase all-new systems at once.

Lessons from Past Compliance Audits

After a data breach occurs, history shows that regulators conduct a thorough audit of the affected organization’s entire environment. They look at everything. Even if the breach was caused by an employee walking out with a thumb drive that was then lost or stolen, every other instance of non-compliance that the auditors uncover is subject to a fine, even if it had nothing to do with the breach. Organizations that have been found using Windows products that were past their end-of-life — such as Windows XP — have been fined for that in the past. Undoubtedly, Windows 7 and Server 2008 will be no exception.

Considering the Alternatives

Under the language of the HIPAA rule, specifications are listed as either required or addressable. “Protection from malicious software” is an addressable specification. That gives organizations a bit of wiggle room. Complying with an addressable specification involves evaluating the risk, considering the measures to mitigate it, coming up with a reasonable alternative that is equivalent, and documenting it. (That’s the short version; here’s the official source on how to meet an addressable specification.)

Let’s say you find it impossible, or at least extremely cost-prohibitive, to replace all of your out-of-compliance operating systems by January 14. You could address the HIPAA specification by updating a set number of systems every month between now and the end of 2020, until all have been updated. In the meantime, you would implement an Endpoint Detection and Response (EDR) monitoring system to keep an eye on the unpatchable systems, and encrypt the systems that hold personal health information (PHI).
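The phased approach just described starts with knowing which systems are affected and deciding the order in which to replace them. The Python script below is an added example, not FIT Solutions code: it reads a constructed asset-inventory export, flags each host as past end-of-support, approaching it, or supported, and lays out a fixed-number-per-month replacement schedule that puts earlier end-of-support dates and PHI-holding systems first. The inventory rows, the 90-day warning window, the two-per-month pace and the as-of date are assumptions; the Windows 7 and Windows Server 2008 dates are the ones given above, and the Windows XP and Windows Server 2008 R2 dates are Microsoft’s published end-of-extended-support dates.

```python
"""Flag end-of-support Windows hosts and build a phased replacement schedule.

Added example. Inventory rows are constructed; they are not real hosts.
"""
import csv
from datetime import date
from io import StringIO
from typing import Dict, List, Optional

# End of extended support. None = still supported at the time of the article.
EOL_DATES: Dict[str, Optional[date]] = {
    "Windows XP": date(2014, 4, 8),
    "Windows 7": date(2020, 1, 14),
    "Windows Server 2008": date(2020, 1, 14),
    "Windows Server 2008 R2": date(2020, 1, 14),
    "Windows 10": None,
}

# Constructed inventory export (hostname, OS, whether the host stores PHI).
INVENTORY_CSV = """hostname,os,holds_phi
NURSE-01,Windows 7,yes
NURSE-02,Windows 7,no
ADMIN-03,Windows 10,no
EHR-DB,Windows Server 2008 R2,yes
FILE-SRV,Windows Server 2008,yes
KIOSK-1,Windows XP,no
RECEPTION,Windows 10,yes
NURSE-04,Windows 7,yes
"""


def parse_inventory(text: str) -> List[dict]:
    """Turn the CSV export into records with a boolean PHI flag."""
    return [{"hostname": row["hostname"].strip(),
             "os": row["os"].strip(),
             "holds_phi": row["holds_phi"].strip().lower() == "yes"}
            for row in csv.DictReader(StringIO(text))]


def support_status(os_name: str, as_of: date, warn_days: int = 90) -> str:
    """Classify an OS as past_eol, eol_soon, supported, or unknown (needs review)."""
    if os_name not in EOL_DATES:
        return "unknown"
    eol = EOL_DATES[os_name]
    if eol is None:
        return "supported"
    if eol <= as_of:
        return "past_eol"
    if (eol - as_of).days <= warn_days:
        return "eol_soon"
    return "supported"


def classify(hosts: List[dict], as_of: date) -> Dict[str, str]:
    return {h["hostname"]: support_status(h["os"], as_of) for h in hosts}


def plan_migration(hosts: List[dict], per_month: int, start: date,
                   horizon: date = date(2020, 12, 31)) -> Dict[str, List[str]]:
    """Schedule `per_month` replacements per calendar month for every host whose
    OS reaches end of support by `horizon`. Earliest EOL first, then PHI hosts."""
    due = [h for h in hosts
           if EOL_DATES.get(h["os"]) is not None and EOL_DATES[h["os"]] <= horizon]
    due.sort(key=lambda h: (EOL_DATES[h["os"]], not h["holds_phi"], h["hostname"]))
    schedule: Dict[str, List[str]] = {}
    year, month = start.year, start.month
    for i in range(0, len(due), per_month):
        schedule[f"{year:04d}-{month:02d}"] = [h["hostname"] for h in due[i:i + per_month]]
        month += 1
        if month > 12:
            year, month = year + 1, 1
    return schedule


if __name__ == "__main__":
    inventory = parse_inventory(INVENTORY_CSV)
    as_of = date(2019, 10, 31)  # assumed date of the review
    for host, status in classify(inventory, as_of).items():
        print(f"{host:10s} {status}")
    for month, names in plan_migration(inventory, 2, date(2019, 11, 1)).items():
        print(month, ", ".join(names))
```

The hosts that land in the later months are the ones that the EDR monitoring and encryption described above must cover in the meantime, and the schedule itself is part of the documentation an examiner will ask for.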

Hopefully, you have already performed this sort of analysis across all of the HIPAA specifications as part of your overall compliance effort. HIPAA requires you to perform a risk analysis, have a risk management plan, and document them both. Those are the first documents an examiner will want to see.

At FIT Solutions, we can advise you on all of the aspects of IT that impact your ability to comply with HIPAA. That includes helping you with your risk management and risk assessment plans and documentation, as well as assisting with your Windows 7 and Windows Server 2008 end-of-life planning.

Call us today at 888-339-5694.

Business Continuity for Senior Care: How an SD-WAN Protects Your Patients

Your nursing home or skilled nursing facility likely relies heavily on your Internet connection for delivering patient care.

If your electronic health record (EHR) or electronic medical record (EMR) system is hosted in the cloud, staff access to patient treatment plans, physician orders, medication dosages and other critical information depends on a reliable Internet link. Plus, if you rely on voice-over-IP for your telephone systems, that’s another system that is absolutely critical for patient care. It’s needed for making 911 calls, timely communication with physicians, receiving urgently needed lab results, and the many, many other types of medical information that are routinely handled by phone. What happens if your primary Internet connection fails?

Regulatory Considerations

Regulators are keenly aware of the importance of communication. That’s why Internet uptime is woven into the fabric of healthcare regulations that deal with business continuity and disaster recovery, specific to senior care, at the state and federal levels.

Addressing those requirements is vital for protecting your patients and your organization. Fortunately, there’s a relatively new technology that’s ideal for managing redundant Internet links and providing intelligent failover. SD-WAN stands for Software-Defined Wide Area Network. It’s a mouthful that boils down to a simple idea: using software instructions to intelligently choose between multiple wide area network connections (that is, multiple Internet connections) when sending or receiving data traffic.

Out with the Old — In with the New

Here’s why an SD-WAN is better than the old approach to providing redundant failover. The old method for a backup Internet connection was to maintain one connection as the primary and designate another as secondary. This was an all-or-nothing proposition: The secondary sat idle until needed. The setup required regular testing to verify the secondary was still functional.

An SD-WAN allows both connections to serve as the primary. The software intelligently chooses between the two connections based on various factors, such as the type of traffic (voice or different types of data) and the capability and quality of the connection (available bandwidth, latency and similar parameters). Two or more connections can be actively used, and when one link goes down, the traffic passes to the other automatically and immediately. Here’s how well it works: If you initiate a voice-over-IP call, and then unplug the connection, the SD-WAN switches to the other connection with little or no hint of an interruption in the conversation.

Rather than the secondary connection sitting idle, it can be put to use and effectively increase the available bandwidth. The pooled bandwidth and redundancy make it possible to choose less expensive connections, such as combining a cable and DSL connection rather than more-expensive fiber circuits. If you procure the two connections from different providers, then you’re protected if either provider experiences an outage. The SD-WAN will ensure that access to critical systems will remain.
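To make the path-selection behaviour concrete, here is an added Python simulation (not any vendor’s SD-WAN software) of the decisions described in the last three paragraphs: two links are active at once, each flow is steered to the link that meets its class’s latency, loss and spare-bandwidth requirements, and every flow on a failed link is re-steered immediately, voice first. The link metrics, per-class thresholds and scoring weights are constructed assumptions; a real product measures link quality continuously rather than taking it as fixed numbers.

```python
"""Minimal model of SD-WAN path selection: active-active links, per-class
steering on link quality, and immediate failover.

Added example; link metrics, SLA thresholds and weights are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Per-class quality requirements (assumed values, not a vendor specification).
SLA = {
    "voice": {"max_latency_ms": 150, "max_loss_pct": 1.0},
    "ehr":   {"max_latency_ms": 300, "max_loss_pct": 2.0},
    "bulk":  {"max_latency_ms": 1000, "max_loss_pct": 5.0},
}
PRIORITY = {"voice": 0, "ehr": 1, "bulk": 2}  # order in which flows are re-steered


@dataclass
class Link:
    name: str
    capacity_mbps: float
    latency_ms: float
    loss_pct: float
    up: bool = True
    allocated_mbps: float = 0.0

    @property
    def available_mbps(self) -> float:
        return max(0.0, self.capacity_mbps - self.allocated_mbps)


@dataclass
class Flow:
    flow_id: str
    cls: str
    demand_mbps: float
    link: Optional[str] = None


def score(link: Link, cls: str) -> float:
    """Lower is better. Voice and EHR traffic weigh latency and loss; bulk
    transfers go wherever the most spare bandwidth is."""
    if cls == "bulk":
        return -link.available_mbps
    weight = 50 if cls == "voice" else 20
    return link.latency_ms + weight * link.loss_pct


class SdWan:
    def __init__(self, links: List[Link]):
        self.links: Dict[str, Link] = {l.name: l for l in links}
        self.flows: Dict[str, Flow] = {}

    def _pick(self, cls: str, demand: float) -> Optional[Link]:
        """Best link meeting the class SLA with room for the flow; if none
        qualifies, degrade to any link that is up rather than drop the flow."""
        req = SLA[cls]
        good = [l for l in self.links.values()
                if l.up and l.latency_ms <= req["max_latency_ms"]
                and l.loss_pct <= req["max_loss_pct"]
                and l.available_mbps >= demand]
        if not good:
            good = [l for l in self.links.values() if l.up]
        if not good:
            return None
        return min(good, key=lambda l: (score(l, cls), l.name))

    def _place(self, flow: Flow, link: Optional[Link]) -> None:
        if flow.link is not None:
            self.links[flow.link].allocated_mbps -= flow.demand_mbps
        flow.link = link.name if link is not None else None
        if link is not None:
            link.allocated_mbps += flow.demand_mbps

    def start_flow(self, flow_id: str, cls: str, demand_mbps: float) -> Optional[str]:
        flow = Flow(flow_id, cls, demand_mbps)
        self._place(flow, self._pick(cls, demand_mbps))
        self.flows[flow_id] = flow
        return flow.link

    def link_down(self, name: str) -> List[Tuple[str, Optional[str]]]:
        """Mark a link failed and re-steer its flows at once, highest priority first."""
        self.links[name].up = False
        affected = sorted((f for f in self.flows.values() if f.link == name),
                          key=lambda f: PRIORITY[f.cls])
        moved = []
        for flow in affected:
            self._place(flow, self._pick(flow.cls, flow.demand_mbps))
            moved.append((flow.flow_id, flow.link))
        return moved


if __name__ == "__main__":
    # Constructed links: a cable circuit and a cheaper DSL circuit from another provider.
    net = SdWan([Link("cable", 100, 20, 0.1), Link("dsl", 10, 45, 0.5)])
    print("voice call ->", net.start_flow("v1", "voice", 0.1))
    print("backup job ->", net.start_flow("b1", "bulk", 95))
    print("file sync  ->", net.start_flow("b2", "bulk", 8))   # spills to DSL
    print("cable fails; moved:", net.link_down("cable"))
```

In the run above the second bulk flow lands on the DSL link because the cable link no longer has room for it, which is the pooled-bandwidth effect described above; when the cable link fails, the voice call is moved first so that it keeps a link that still meets its latency and loss limits, and the large transfer is degraded rather than dropped.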

Modern SD-WAN implementations can be configured without entering traditional network parameters such as IP addresses or port numbers. This makes an SD-WAN especially attractive to organizations that have multiple sites, as is often the case in senior care. SD-WAN technology masks the complexities of maintaining redundant connections and switching them across multiple sites. It just works, which is what we all want from our technology.

At FIT Solutions, we work as advisors to our senior-care clients on multiple aspects of IT. Assistance with the technology aspects of your backup, disaster recovery and emergency preparedness plans is a key part of the offering. We know the legal and regulatory requirements you face, and can provide recommendations on administrative practices, technological implementation and support, or active management of your systems. We can help you determine whether SD-WAN technology — and which of the available options — is right for you. Call us today at 888-339-5694.
