Legal Compliance Archives - IT Glue https://www.itglue.com/blog/category/regulatory-compliance/legal-compliance/

The Fundamentals of HIPAA Compliance https://www.itglue.com/blog/fundamentals-hipaa-compliance/ Tue, 25 Jun 2019 18:30:01 +0000

HIPAA compliance is a big revenue opportunity for MSPs, but there's a lot for you to know in order to do it right. Let's walk through it.

The post The Fundamentals of HIPAA Compliance appeared first on IT Glue.

Healthcare organizations are a favorite target of malware attacks and data breaches. In 2018, Verizon reported that healthcare organizations accounted for 24% of all data breaches, and the HHS Office for Civil Rights collected over $28 million in HIPAA penalties that year. So whether you’re a seasoned in-house IT tech working at a healthcare provider, or an MSP looking to explore this large and potentially lucrative vertical, HIPAA compliance is a must-have. Let’s examine some key aspects of HIPAA to understand how best to comply with it.

#1 You Are a Business Associate

Have no illusions: if you work the healthcare vertical and handle protected health information (PHI) for your clients, you are a HIPAA business associate, directly liable under the Security Rule and responsible for protecting any PHI that you manage. But you also need to work with your clients, the covered entities, to ensure that their data is protected, and sometimes that means protected from themselves. No matter how secure your third-party tool or healthcare management solution is, it cannot protect you from human error on your side, malicious insiders, sync errors or hacking. The damage caused by a breach is significant, and we’re not just talking about the HIPAA fine, but rather the high cost of business downtime, damage to reputation and loss of valuable customer data.

#2 Proof of Process Matters

Much of HIPAA is written as requirements rather than prescriptions: the Security Rule tells you what to achieve, and many of its implementation specifications are “addressable”, so they can be met in a number of different ways. However, in the event of a breach, regulators take documented, good-faith compliance efforts into account. Performing due diligence in the form of accurate, up-to-date and end-to-end documentation can go a long way toward having a fine reduced or waived. Ensure that all of your processes for securing protected health information are documented, including the risk analysis that the Security Rule requires. For an internal IT team, make sure that these processes don’t just cover your team, but anybody who might have access to protected information. An internal team can set up a few IT Glue Lite accounts in order to share process documentation with non-tech users. An MSP may get more value setting up a MyGlue instance for each healthcare client, and sharing process documents that way.

#3 Defend Against the Weakest Link – People

It is often said that people are the weakest security link. In the healthcare industry, 56% of security breaches are due to internal actors, whether through error or malice. Both IT Glue and MyGlue double as password management applications. With MyGlue, your clients can use strong, unique passwords exclusively, you can control who has access, and they’ll be able to use the passwords without ever seeing them. If the alternative is sending passwords over email or passing sticky notes to one another, that runs directly against the Security Rule’s requirement for procedures to safeguard passwords, so MyGlue is going to reduce risk substantially. A password manager does not remove the need for access reviews: when staff leave or change roles, their access to shared credentials should be revoked and the affected passwords rotated.

#4 Have a Safety Net

HIPAA’s Security Rule requires a contingency plan with data backup and disaster recovery procedures (45 CFR 164.308(a)(7)), and covered entities and business associates must be able to “restore any loss of data.” In practice that means backups that are frequent, encrypted, stored offsite and, above all, regularly test-restored: a backup that has never been restored is an assumption, not a safety net. As Matt McDermott, Principal Technical Marketing Engineer at Spanning, explains, “HIPAA puts the backup and restore accountability squarely on covered entities. Spanning Backup provides automated, daily backups of your application data, and the ability to restore any lost or deleted data back into your environment from any point in time. A number of our healthcare clients have reduced the stress of data loss and damage due to HIPAA non-compliance with Spanning Backup.”

In Summary

The biggest pieces to solving the compliance puzzle are having the right processes in place and using the right tools for the job. A violation, should it occur, is treated less severely when you can demonstrate proof of process and show that you’re using the right tools.

To learn more about how IT Glue and MyGlue can help secure passwords as part of HIPAA compliance, sign up for a demo of our platform.


IT Glue is an award-winning documentation platform that allows for efficient storage and retrieval of all the documentation you need to help your MSP run better. By integrating PSA and RMM data, we can help increase your efficiency, and reduce onboarding times by even more. By eliminating wasted time from your business, IT Glue gives you more time to focus on what matters – growing your business.

GDPR Compliance: How IT Glue Protects Your Privacy https://www.itglue.com/blog/gdpr-compliance-protects-privacy/ Tue, 24 Apr 2018 15:07:30 +0000

The post GDPR Compliance: How IT Glue Protects Your Privacy appeared first on IT Glue.

On May 25th, 2018, the EU’s new General Data Protection Regulation (GDPR) goes into effect. It defines how businesses must protect the personal data and privacy of individuals in the EU.

At IT Glue, we take your privacy very seriously and are proud to announce that our systems and processes are GDPR compliant.

Security and privacy have been designed into IT Glue from the start. After all, we’re protecting some of the most valuable information assets an MSP can have – including administrative credentials and documentation of client environments.

Some of the ways we protect your privacy include:

  • We minimize the personal information we collect, and only do so with your express permission
  • All our systems and data are hosted with a highly certified, Tier 1 hosting provider: Amazon Web Services
  • EU customers may choose to be hosted in the EU zone
  • We minimize the number of data processors we use, and ensure none of them has access to unnecessary data. All vendors who connect to our production system go through a stringent vendor management process.

As part of our SOC 2 attestation, we decided to go above and beyond the basic security controls to protect your privacy and data:

  • We implemented controls and operating procedures aligned with PCI DSS and ISO 27001
  • Our controls and processes are tested annually as part of our ongoing SOC 2 compliance
  • We perform regular independent testing exceeding PCI DSS requirements, including vulnerability scanning, penetration testing and internal audit
  • All connections to IT Glue are encrypted

IT Glue partners own the data they store in IT Glue at all times. We only process that data as appropriate for the services provided.

If you have any questions about your privacy or the security of your data, including needing information on providing access or erasing your data, please contact: support@itglue.com

What MSPs Need to Know about GDPR https://www.itglue.com/blog/what-need-know-about-gdpr/ Tue, 10 Apr 2018 15:28:15 +0000

The post What MSPs Need to Know about GDPR appeared first on IT Glue.

On May 25th, GDPR becomes enforceable law. Even though it’s a European law, there’s a good chance it will apply to your business, too. We reached out to GDPR consultant Ale Brown of Kirke Management Consulting, to write this guest post to provide you with the information you need to know about GDPR.

Background

The General Data Protection Regulation (GDPR) has been a topic of interest for the last year or so among organizations that collect or store personal data from residents of EU countries. The law will be enforceable beginning May 25, 2018. Here’s what you need to know right now:

  • Your company probably has legal obligations under GDPR
  • It does not matter where your company is located
  • The penalties for non-compliance are severe

In a 2017 survey of outsourced IT service providers in the UK, 60% identified GDPR as the biggest challenge to organizational IT plans in the next 3 years. Even among European MSPs, readiness is incomplete. Among non-European MSPs, readiness for most is non-existent at this point. The time to get your MSP ready is now.

GDPR in a nutshell

The General Data Protection Regulation is the new data protection law enacted by the EU that comes into effect on May 25, 2018. It differs from earlier privacy laws in putting individuals’ rights first: data subjects gain enforceable rights of access, rectification, erasure and objection, and organizations must be able to demonstrate their compliance. GDPR applies to any organization, anywhere in the world, that processes personal data of individuals in the EU in connection with offering them goods or services or monitoring their behavior.

Does GDPR apply to you or your customers?

If you are a business that is not headquartered in the EU, how will you know whether you need to comply with these regulations? The answer is easy. If you fall under one of these three categories, you will have to comply:

1. If you have a physical presence in the EU
2. If you don’t have a physical presence but you offer products or services to EU residents
3. If you don’t offer products or services but you monitor EU residents’ online behavior

If you are an MSP that falls into one of these categories, you will have obligations under GDPR as a controller of the personal data you collect about your own customers and staff. If you do not fall into any of these categories but one or more of your customers do, you will still have to comply, because you will be considered a processor of their data under GDPR. Most MSPs are in fact both at once. These terms are pretty vague, so let’s unpack them a bit, to help you understand what obligations exist for each.

Controllers and processors

The difference between a controller and a processor is who has authority and makes decisions over the personal data that is being collected. If your own customers are individuals in the EU, or EU companies whose employees’ contact details you hold, you are collecting and in control of that data directly. That makes you a controller under GDPR. If your clients are the ones who have customers in the EU, but you are responsible for the storage and/or handling of that data on their behalf and on their instructions, you are a processor under GDPR.

If you or your customers need to comply, what do you need to do now?

GDPR encourages a risk-based approach where you need to decide how to approach implementing safeguards and processes. Don’t forget that GDPR is not only about cybersecurity, but it is a framework that requires technological, legal and operational solutions to ensure compliance.

These are few of the things that you need to keep in mind:

  • What kind of personal data is being collected? There are different “degrees” of sensitivity. The risk level is different if you are collecting an email address vs. collecting health data, which GDPR treats as a special category with stricter conditions.
  • Are you transferring data to a country outside of the EU? Has that country been deemed adequate by the European Commission? If not, what safeguards (such as standard contractual clauses) do you have in place to ensure a lawful transfer and protection of personal data?
    Since you are an MSP, most likely you are processing personal data on behalf of another company. You need to review your current agreements and ensure that they contain the data processing terms GDPR requires between a controller and its processor (Article 28), including the processor acting only on documented instructions and flowing the same obligations down to any sub-processors.
  • Are you transparent in explaining to individuals what data you collect from them, how you use it, and for how long? Do you rely on their consent? If you do, you will need to record when they give you consent and, equally important, when they withdraw it. For your customers, it’s most likely that you will have to help them with this.
  • Do you need a Data Protection Officer? GDPR requires one where your core activities involve large-scale, regular monitoring of individuals or large-scale processing of special categories of data (Article 37); otherwise it is optional, but the data protection authorities still expect someone “on the ground” to respond to requests from data subjects and regulators. It is recommended that your MSP has a structure in place to handle requests from regulatory bodies.

How to best prepare yourself and your clients to be ready for GDPR

It’s important to discuss GDPR with your clients, in order to determine what exposure and obligations you have.

  • Understand your data. Identify and justify the purposes you are collecting it for, how long you are keeping it, where it resides and how sensitive it is.
  • Work on your communication to individuals. Review your privacy notice and ensure it includes the information required by GDPR, provide specific information at the time of collection, and ensure that you receive and document consent where needed.
  • Review your processes to respond to individual requests. Ensure you are equipped to respond to requests to access, correct, delete, port or stop processing data without undue delay and within one month of receipt (extendable only for complex or numerous requests).
  • Review third-party contracts. Ensure that your contracts with the organizations with which you exchange data incorporate GDPR principles into their language.
  • Adopt a data protection by design culture. Ensure that reviews of data protection requirements happen up front when developing a new product or service. Perform data protection impact assessments. Create awareness in your organization of data protection principles.
  • Develop a clear protocol for incident response. Be trained and equipped with SOPs to handle privacy breaches. Remember that a controller must notify its supervisory authority of a reportable breach within 72 hours of becoming aware of it, and a processor must notify its controller without undue delay, so your runbook needs to start that clock.
  • Identify your lead supervisory authority. Designate a Data Protection Officer who can be the main point of contact for regulatory agencies on matters of data privacy. Ensure that your DPO is familiar with GDPR best practices.

GDPR as a business opportunity

GDPR is an ongoing obligation for both you and your clients. The reality is that outside of Europe, very few MSPs are going to be fully capable of helping their clients meet GDPR requirements. There is an opportunity to gain first-mover advantage by developing an understanding of GDPR requirements, and how to build them into your clients’ IT environments. From cookies to encryption to data protection to having the ability to scrub data on demand, there are several different things your clients will need from you in order to be compliant. The more you can offer, the bigger the opportunity you’ll have to build new client relationships and strengthen existing ones.

IT Glue and GDPR

  • IT Glue acts as a data processor for its clients. We’ve mapped out everywhere your data exists and how it moves throughout our systems.
  • We’ve taken a very deliberate approach to respecting our clients’ privacy. We only collect the data we need at any point to provide the promised services.
  • We categorize the data we collect and receive in two ways: Personal Data and Subscriber Data.
  • We only collect the minimum required Personal Data. This includes your registration information and email addresses for user provisioning. Other Personal Data, such as IP addresses, are collected in our logs for troubleshooting and audit purposes.
  • Subscriber Data, the data about your customers you upload and enter into IT Glue, is yours. While we maintain it for you, you maintain its security and privacy at all times. Subscriber Data is only shared with 3rd parties if you enabled any integrations through IT Glue.

As both Personal and Subscriber data is yours, we honor any requests to remove data from our systems. Simply email support@itglue.com and we will fulfill your requests. Further information about IT Glue’s security and privacy can be found in our security whitepaper and our privacy policy.

To learn more about preparing your MSP for GDPR, contact Kirke Management Consulting at https://kirke-consulting.com/

To learn how to increase your value as a trusted security advisor for your clients through GDPR and more, check out our popular SECaaS webinar.

Author: Ale Brown,
Founder and Principal Consultant, Kirke Management Consulting
604.787.3230
abrown@kirke-consulting.com

With assistance from:
Mike Knapp
Partner, Incrementa
mknapp@incrementa.ca

Editor:
Joshua Oakes
IT Glue
joakes@itglue.com

IT Glue Launches New EU Cloud https://www.itglue.com/blog/it-glue-launches-new-eu-cloud/ Sat, 18 Nov 2017 00:24:45 +0000

The post IT Glue Launches New EU Cloud appeared first on IT Glue.

Big news on the data sovereignty front for our EU and UK partners! We are excited to announce the launch of our new EU Cloud. IT Glue™ now offers our partners the option of hosting data in our new Germany-based data centre. This means that EU- and UK-based MSPs can now enjoy data sovereignty, with your data stored in IT Glue never leaving European boundaries.

About the EU Cloud

Our new EU Cloud will be hosted by Amazon Web Services (AWS) in Frankfurt. If you are a new or existing IT Glue partner, you can choose from either a US or EU cloud to host your data.

What’s more, this new data centre allows EU-based providers to meet GDPR provisions with respect to third-country hosting prior to their coming into effect in May, 2018.

According to IT Glue CEO, Chris Day, “Having EU cloud storage for our European partners further strengthens IT Glue’s footprint as a global leader in the documentation market.” Day adds, “We put a lot of energy into bringing our EU Cloud to life with the highest level of security standards and I am thrilled to finally be offering it to our European partner base.”

IT Glue’s Managing Director, EMEA, Phil Sansom, sees the EU Cloud as an essential addition. “The EU Cloud is great news for our European MSP partners,” says Sansom. “Along with our rapidly expanding EMEA team, based in Reading, UK, the launch of our EU Cloud is a testament to our commitment to the success of our European partners.”

FAQ

I’m not with IT Glue yet, but this changes things. To whom do I speak?

You may contact our UK office at +44 203 769 4300 or our head office in Vancouver at +1-844-235-GLUE [4583]. You can set up your account for the EU Cloud when you sign up.

I want to move my data to the Germany-based cloud. How do I do that?

Existing IT Glue partners who are interested in migrating their data to the new EU Cloud can schedule a data migration by contacting IT Glue’s Partner Support team. We will be contacting all of our EMEA partners when we are ready to begin the transfer process.

Are data transfers secure?

Absolutely. Our development team has placed special emphasis on building a secure transfer service to ensure full security compliance during the data migration.

I’m in Australia/New Zealand/South Africa/Canada – does this affect me?

All partners have the option of migrating to the EU Cloud. If this makes sense for you operationally, you are more than welcome to schedule a migration. Otherwise, nothing changes for you.

I’m in the US. Does this affect me?

Not really. Your data will continue to be hosted by Amazon Web Services in the US. You have the option of migrating to Europe, but it is unlikely that this would make sense for you.


IT Glue is the world’s leading IT documentation software for MSPs. We want to make your journey to documentation excellence and peace of mind easier, so we provide an extensive array of informational resources to help your team document more easily. From our Knowledge Base to the IT Glue Library, to our amazing Partner Support team, IT Glue has your back as you travel the road to documentation mastery.

Your Guide to HIPAA Compliance and Password Security https://www.itglue.com/blog/your-guide-to-hipaa-compliance-and-password-security/ Thu, 26 Oct 2017 13:43:00 +0000

The post Your Guide to HIPAA Compliance and Password Security appeared first on IT Glue.

If you provide IT services to clients in the healthcare industry, you’ve probably heard a lot about HIPAA compliance. While it is crucial to protecting sensitive data, many organizations don’t understand its importance. In fact, 45% of smaller businesses do not have a formal HIPAA Risk Analysis Report and Risk Management Plan, even though the Security Rule requires a risk analysis.

Your clients put themselves at risk when they share passwords and when they have no policy for changing and safeguarding them. Both practices run against the HIPAA Security Rule, yet they are incredibly common. When it comes to HIPAA, how well are you and your clients following the appropriate regulations?

HIPAA and MSPs

HIPAA isn’t only for healthcare businesses. If, as an IT provider, you create, receive, maintain or transmit electronic protected health information (ePHI) on behalf of a covered entity (a healthcare provider, health plan or healthcare clearinghouse), you are a business associate. That makes you directly liable under the HIPAA Security Rule if a breach occurs, and it requires a signed business associate agreement (BAA) with each such client, so you must comply with the Health Insurance Portability and Accountability Act (HIPAA) to mitigate this risk.

HIPAA and your clients’ password management

In a study of over 100 small medical offices, over 17% of them had sensitive information on post-its – including passwords. Poor password hygiene puts businesses at risk. In 2015, 50% of small and midsized companies reported suffering at least one cyberattack in the last year. Weak passwords are one of the main causes for these breaches.

Password management is an explicit part of HIPAA compliance: the Security Rule’s security awareness and training standard (45 CFR 164.308(a)(5)) calls for “procedures for creating, changing, and safeguarding passwords.” It is an addressable specification, which means you must implement it or document why an alternative measure is reasonable and appropriate; ignoring it is not an option. In practice this means not sharing passwords, not writing them down, and not displaying them anywhere for others to see.

A password management tool is the solution

HIPAA compliance is important for both you and your clients. Your clients need strong security training that creates a workplace security culture. Creating and managing complex passwords needs to be a priority.

The most robust solution would be to offer your clients a password management tool. In this way, clients can create, manage, and store strong passwords in one simple hub. A password management platform also greatly reduces the need to share passwords because certain permissions can be set to limit access. You and your clients can rest easy knowing you’ve taken necessary precautions against cyber threats, while also complying with HIPAA.

IT Glue can help with password management. Store your clients’ team-based passwords in IT Glue, use the IT Glue mobile app, or download the Chrome Extension to provide access to the passwords stored in IT Glue. Or watch our demo to see the full range of features.

IT Glue is the leading documentation platform for MSPs, designed to eliminate waste, improve productivity and hit your SLAs better. We are SOC 2 compliant, meaning that you can count on the security of your information in IT Glue.
