With most companies preoccupied with how to contend with the current economic instability, who has the time or resources to bother with the hassles of regulatory requirements? Unfortunately, compliance with Sarbanes-Oxley (SOX) and the Health Insurance Portability and Accountability Act (HIPAA) doesn’t take a backseat when times are tough. Now more than ever, companies need to achieve secure processes and environments to avoid audits, fines, and lost or compromised data.
“These are mandatory requirements, so it isn’t as if a company can choose not to implement processes that are executable,” says Ed Kenty, president and CEO of Park Place International. “The key advantage to working with an independent service organization (ISO) is the road map it can put in place for an organization to meet those requirements.”
An ISO, besides providing your company with post-warranty maintenance on data center equipment, helps protect your company’s critical data and information.
Smart Business learned more from Kenty about the SOX and HIPAA requirements to which companies need to comply and the ways an ISO can help.
Who needs to be concerned with SOX and HIPAA requirements?
Most publicly held companies are at the mercy of these regulatory commissions, from small businesses to Fortune 100 companies. All their customer data — in some cases, personal information — is located in their data centers. Everything that’s critical and everything that’s being regulated is controlled within the data center. HIPAA and SOX regulations go across all verticals, from health care and finance to legal and government, regulating data protection, backup and recovery, storage and data, how information is handled, and firewalls and security.
Is it usually external audits or internal recovery problems that lead to compliance issues?
It’s a combination of both. First of all, these regulatory commissions will audit these companies to make sure they’re in compliance. Companies all have certain things they have to do over certain time frames.
For example, health care institutions are being required to have disaster recovery strategies in place. There are no true deadlines to when disaster recovery strategies are supposed to be put into place, but the goal is to become JCAHO (Joint Commission on Accreditation of Healthcare Organizations) accredited as soon as possible. They must have some secure site outside of their facility where they can back up and restore their operations to give them that layer of protection if something should go wrong. They have to have a sound backup and recovery strategy and a disaster recovery system that they can enact quickly.
When it came out, HIPAA contained a lot of new security and patient protection regulations. But the regulatory commissions didn’t expect organizations to have all of this in place immediately. They realized that a) that would be physically impossible and b) it would be fiscally imprudent for a hospital to do it all at once. So they put all of these institutions on a timeline and have given them a certain amount of time to become compliant. Each year that goes by, there are certain deliverables and milestones that they all have to meet.
SOX presents a vigorous set of standards, particularly around data storage, which includes storage protection, access and retrieval, and disaster-proof on-site storage. In the case of an audit, you have to show the SOX auditors that this process works. So not only do you have to have the infrastructure in place to support it, you’ve got to have a demonstrable process around it.
Do you run into many clients who are simply unable to manage their own compliance?
With the economy the way it is, money is tight for health care institutions, many of which are not for profit. They don’t have the large staffs and resources that they used to have to understand these obligations and put a plan in place to meet these requirements. Particularly in the health care space, a third-party ISO will be familiar with the HIPAA requirements and will have professional services staff that provides consulting to these institutions to let them know where they stand. ‘Third party’ is the key here.
Becoming compliant with HIPAA and SOX (and staying that way) can be a very extensive process. It’s all about speed of data recovery, time to get operational and data protection that will make sure there’s no chance that a customer’s social security number or other personal information can get in the hands of somebody else.
What other advantages can an ISO partnership offer?
An ISO specializes in operating with critical information that is heavily regulated. So that has to be considered when somebody is making a choice to align with a service partner. They need to know that the partner is not just going to be plowing through their data center destroying information.
The goal of an OEM (original equipment manufacturer) is to sell new hardware when setting up a disaster recovery site, whereas an ISO might suggest that an organization refresh its operational equipment with whatever brand of equipment fits its budget and needs. Also, an ISO can use the old hardware to set up a disaster recovery site in another location and tie everything together.
ED KENTY is president and CEO of Park Place International. Reach him at (800) 931-3366 or firstname.lastname@example.org.