*Offers updated on March 26, 2020
Most enterprises are getting slammed with employees working from home. Most of us designed our remote-user VPNs for the occasional "snow day"... right. Now we have an entire workforce working from home full time for weeks, maybe months. Oh yeah, and using a full suite of applications, including voice. Crazy. No, really!
Many of you have contacted SynerComm to get additional VPN licenses/concentrators, endpoint security controls, and help designing and spinning up "new ways" to get employees connected securely. During these crazy times some of our vendors are stepping up and trying to make a difference.
To help you, we would like to share a few solutions/offers from our vendors:
| Vendor | Offer | Terms |
|---|---|---|
| Palo Alto Networks | Free 90-day GlobalProtect VPN subscription license for mobile devices like iPads, etc. (Other GP is already free) | Customer logs in to their own support portal and selects trial licenses |
| Pulse Secure | Flexible Pulse Connect Secure licensing | Valid through May 31st |
| CrowdStrike | Surge relief for 60 days (existing customers)<br>CrowdStrike Falcon Prevent home use licenses<br>SentinelOne Core: AI-powered prevention, detection, and automated response in a single, autonomous lightweight agent; legacy antivirus replacement across Windows, Mac, and Linux operating systems with no connectivity or network dependency.<br>Deployment services: remote deployment assistance to ensure rapid installation and customized configuration | Offer expires May 16th |
| Armorblox | No charge offer to help businesses with 100+ employees during these challenging times. | Expiration TBD |
| Extreme Networks | Work from Home bundle discount. Extreme Networks and Tech Data have created a Portable Branch Office Kit to enable your customers to connect, secure, and manage remote sites and remote workers quickly and easily. Combining SD-WAN, Wi-Fi, and cloud management into an easy-to-deploy, plug-and-play solution, this kit offer delivers the ability to provide an enterprise-class experience for all connected users, regardless of where they reside. | Discounted |
| Lastline | Lastline Analyst at no cost for 90 days to organizations with 500+ employees. | Offer expires June 30, 2020 |
| Proofpoint | Free trial - Scalable secure access for increasing your mobile workforce. | Offer expires September 30, 2020 |
| UBIQ | Free trial to Trusted File Manager | Offer expires June 20, 2020 |
Have questions or want some guidance with taking advantage of these vendor offers?
In a business environment where resources are limited, compliance requirements abound, and budgets are constantly challenged to meet cost containment targets, the complexity of the regulations your business is obligated to comply with can present a challenge. This challenge becomes even more difficult within the dynamic environment of hospitals, doctors’ offices, and all supporting elements of the medical profession. One of the key elements of facing this challenge is understanding what defines Protected Health Information (PHI) and what qualifies an organization as a HIPAA Covered Entity.
In broad terms, PHI is information that deals, or is associated in any way, with medical details or medical records of an individual. For the term “Electronic Protected Health Information” (ePHI), the definition doesn’t change much, as it simply encompasses the information or data being maintained in an electronic format, as on a computer or any other digital device. To clarify PHI more precisely, the privacy rule states it is “any information held by a covered entity which concerns health status, the provision of healthcare, or payment for healthcare that can be linked to an individual”. Most people respond with “wow, that sounds like it covers a lot” – which it does. Not only is the health-centric data covered by HIPAA, but so is data that directly identifies a person, or a “personal identifier”. To help get our arms around this topic, we can gain an understanding of what HIPAA considers a personal identifier by reviewing a section of the regulation (Sections 164.514(b) and (c)) for the Privacy Rule. What we can see is that HIPAA considers the following 18 data points as personal identifiers:
Keep in mind the above is not an exhaustive list, as it is the definition by HIPAA that drives what can be considered a personal identifier. What should be understood is that this is a starting point for the listing of what needs to be considered when looking to secure and keep private the PHI and ePHI within your organization. These are the data sets that need to be located and tagged so that they can be properly secured. A good methodology is to review the official definition and decide if a particular data element qualifies as protected under HIPAA. It is advisable to err on the side of caution and include data that “could be” viewed as sensitive, because making the wrong determination can easily lead a company to having to pay HIPAA fines and penalties. Despite the small possibility that some data could have an extra layer of protection with this broader approach, it likely is a small price to pay when considering the potential fines and penalties – as was seen with Anthem Inc, reported to have paid $115 million to settle lawsuits over its HIPAA information breach.
This brings us to the next key element for HIPAA – which organizations are obligated to adhere to HIPAA, and am I one?
Here again, we see that HIPAA protections apply to a wide array of organizations and businesses – obviously, these entities are linked to, or perform some activity, with health information. It is the connection with data that brings in the HIPAA regulation and its requirements, as described below. The organizations that deal with medical data are officially termed as “covered entities”. Any contractors, vendors, or 3rd party relationships with a covered entity that involves PHI or ePHI fall under the official term of “business associates”. The requirements of HIPAA extend to business associates, through the covered entity, and are required to be clearly defined within the Business Associate Agreement (BAA). The BAA is to be a component of the contractual agreement between the two organizations.
For clarity on what qualifies as a covered entity:
Covered entities are the individuals, institutions, or organizations that maintain patient healthcare or payment information or would reasonably be expected to come into contact with PHI in the course of their daily duties – mostly, healthcare providers, health plans, and healthcare clearinghouses. Examples of covered entities include:
What about 3rd party vendors? If a 3rd party is engaged by a covered entity, then a Business Associates Agreement (BAA) is required, per HIPAA. A BAA is a focused document that addresses the requirements of HIPAA and acknowledges that the business relationship between the two parties will involve PHI or ePHI. To help define where these components apply, here is a more detailed explanation of a Business Associate:
A Business Associate is a person or entity, other than a workforce member, who performs certain contractual functions or activities for a covered entity, or provides certain services to a covered entity, when those functions involve the access to, or the use or disclosure of, PHI. Per HIPAA, Business Associate functions or activities include (but are not limited to) creating, receiving, maintaining, or transmitting protected health information for functions including claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, patient safety activities, billing, benefit management, practice management, and repricing.
It should be clear that the protections for HIPAA-defined medical information and data follow that data, no matter where it resides or who handles it. If your organization has any dealings or contact with medical companies or entities, and you do not have HIPAA protections in place, it would be worthwhile to perform a thorough review to be certain. That review should be fully documented and put forth to proper legal counsel to consider and make a definitive conclusion as to the obligations your company has under the HIPAA regulation.
Too often, organizations do not have a good understanding of what data they have within their systems, and this leads to a lack of knowledge as to what legal obligations a company has committed itself to. Don’t let this happen to you – leverage the knowledge presented here, along with the information that is publicly available, to make a clear determination as to what information security protections your company needs.