Cloud IT: Hiding Complexity and Risk

jmbunnyfeet

Cloud computing and Internet technologies have delivered previously unimagined capability to even the smallest of businesses: the capability to compete, build brand recognition, and reach markets in remote geographies. The mantra for business used to be "location, location, location", but it is now connectivity, perhaps even more than location, that delivers business opportunity. As the technology has evolved to let businesses and consumers connect regardless of time or place, the complexity of the underlying systems and networks has also increased dramatically. Where a business could once easily identify its vendors and service providers, the parties involved in the service "delivery chain" are no longer so easily recognized. Among the benefits of cloud computing is the ability to reach beyond traditional boundaries. The risk for many businesses lies in not fully understanding how, and with whom, those boundaries are being crossed.

For many an enterprise, the convenience and efficiency of cloud computing models overshadow the increased risk. Service level agreements and vendor contracts are assumed to be sufficient to protect the business and its information assets, yet recent events (such as the revelations about PRISM and the activities of the National Security Agency) should cause businesses to look a little deeper at their entire provider network. It is not that the average business should be worried about government snooping on its email, but it should know who has access to its systems and data, and which entities are responsible for which parts of the system. Knowing those details is only prudent, and it is the best first step toward mitigating business risk.

Enterprise Clouds are complex, sophisticated entities which invariably rely on a daisy-chain of third parties and contractors to help build, run and maintain their Cloud provider’s systems. The organizational and technical complexities are additive, resulting in increased systemic risk. Systemic risk is the least visible and hardest to eliminate, and those risks become real when the providers’ systemic risks become [yours].

The question is, how well does your Cloud provider manage the ecosystem of contractors and third parties that are farther down the food chain? This is even more relevant in the globalized workforce, where, paradoxically, Cloud and related technologies have greatly facilitated the outsourcing and offshoring of work to low-cost countries.
http://www3.cfo.com/article/2013/6/data-security_prism-national-security-agency-edward-snowden-cloud-implications-vendor-management

Before executing a service agreement with an outsourced provider, make certain that the details of facility, connectivity, network, equipment, and the other elements of the delivery system are spelled out. Business subscribers should know where the various points of failure exist, and which company is responsible for each one. If a carrier fails and connectivity to the data center is lost, the hosting provider may be powerless to remedy the situation, even though access to the service is part of the SLA. If a hosted software product has a vulnerability or fails to perform, the developer of the product is likely responsible, rather than the hosting provider. The point is that there are often multiple players in the delivery chain, and customers should map them out, and their respective responsibilities, before engaging the service.

Ultimately, a business whose mission-critical data is in the possession of a third-party service provider should keep a healthy dose of doubt as to whether the provider has full control over its own environment. Business owners, managers and CFOs should recognize the increased necessity of evaluating risk within their providers' systems and in provider/vendor relationships, in order to keep trade secrets secret and to prevent intellectual property from becoming the property of others.

Make Sense?

J

HIPAA Privacy and Security and the Cloud

Is your cloud solution or hosting service HIPAA compliant? This is among the questions most frequently asked by professionals shopping for cloud hosting services. Unfortunately, it is also among the questions most frequently answered with ambiguity, or with naiveté. The problem is that many businesses with HIPAA responsibilities for the protection and security of protected health information (PHI) do not fully understand how those responsibilities extend to their outsourced IT and other service providers. Many providers claim HIPAA compliance without truly understanding what it means, and in doing so introduce significant risk to their own business and to their subscribing customers. Under the 2013 changes to the rules governing the protection and control of PHI (the HIPAA Omnibus Final Rule), it is not only the health care provider, health plan, third-party administrator, or other entity that processes health insurance claim information that must provide adequate controls: the requirement extends to the business associates of those entities, which may well include their cloud service or hosting solution providers.

Some of the largest breaches reported to HHS have involved business associates. Penalties are increased for noncompliance based on the level of negligence with a maximum penalty of $1.5 million per violation. The changes also strengthen the Health Information Technology for Economic and Clinical Health (HITECH) Breach Notification requirements by clarifying when breaches of unsecured health information must be reported to HHS.
http://www.hhs.gov/news/press/2013pres/01/20130117b.html

HIPAA guidelines and rules exist to protect and secure protected health information, a requirement growing in importance with advances in technology, electronic health records, e-billing solutions, and cloud computing adoption. Where the regulations were once focused on the entity directly involved in generating or processing the information, the view now extends not only to third-party administrators but also to the technology solutions and providers involved. When a "covered entity" (an entity with a responsibility to protect and secure protected health information [PHI]) decides to move this information to the cloud, a number of important and complicated issues must be addressed in the agreements with the service or solution provider. These include the security and privacy of the information (including the individual's right to access and request changes to the stored information), the tools the provider offers so the customer can add its own protection, encryption of data at rest and in transit (and who holds the keys), data location, return of data when the service ends, disaster recovery, and service levels.

Cloud provider contracts and business associate agreements with cloud providers are not one-size-fits-all and should be negotiated carefully to protect PHI in a manner that accurately reflects the capabilities of the parties.
http://www.americanbar.org/content/newsletter/groups/labor_law/ebc_newsletter/12_winter_ebc_news/ebc12winter_cloud.html

The provider delivering cloud hosting services to the business may now be considered a "business associate" under HIPAA, meaning that the obligations of the customer (the "covered entity") extend to the service provider as well. For any business operating under a HIPAA compliance requirement, moving to the cloud must involve a detailed discussion and a set of agreements, including a business associate agreement, that spell out the "business associate" relationship as well as the details of service delivery and the accepted performance levels.

Make Sense?

J

Are the security requirements for accounting and finance professionals using cloud services any less stringent than those governing lawyers?

As accounting and finance professionals look to the cloud and Internet technologies to address collaboration, mobility, and improvements in service delivery, they should also be looking at ways to ensure the protection and security of client financial information.  Professional services organizations of all types are embracing cloud products and services, sometimes without properly considering how it might impact information security and business risk.  The security requirements for accounting and finance professionals using cloud services are no less stringent than those governing lawyers.

In her article "NC Bar Council issues final opinion on the cloud", author Nicole Black points out some of the essential considerations for using cloud computing services in a professional legal practice. Accounting and finance professionals should recognize this guidance as applicable to their businesses, too.

The main question stems from the ethical issues faced by “lawyers who intend to store confidential client information on servers owned and operated by third parties”.  An opinion issued by the North Carolina State Bar Council addressed two primary questions in this area:

1. Is it OK for a law firm to use Software as a Service or cloud computing products?

2. Are there any special vendor assessments or other measures which should be taken by lawyers who wish to minimize the security risks of implementing this type of solution?

Read the entire article by Nicole here (PDF format)

Nicole Black is a Rochester, New York attorney and the Vice President of Business Development and Community Relations at MyCase, a powerful and intuitive cloud-based law practice management platform. She is also a GigaOM Pro Analyst and is the author of the ABA book Cloud Computing for Lawyers, co-authors the ABA book Social Media for Lawyers: the Next Frontier, and co-authors Criminal Law in New York, a West-Thomson treatise. She is the founder of lawtechTalk.com and speaks regularly at conferences regarding the intersection of law and technology. She publishes four legal blogs and can be reached at nblack@nicoleblackesq.com.

J

original post April 5, 2012

The Holistic Approach to Cloud-Enabling Your Firm

Today’s professional accounting or law practice has a number of issues to contend with, not the least of which is technology.  While IT has been serving the firm for years, shifting paradigms in computing are leading professionals to wonder exactly which direction they should turn for advice.  It’s easy, at a high level, to see the value and benefit of outsourced IT services and being able to focus on your core offerings, but it’s a little harder to find exactly which path your firm should follow.  One thing has proven true over the past few years: taking a holistic approach to cloud-enabling your firm is far better than any uncoordinated exchange of applications and services.

There are four areas the firm should explore when looking to more fully leverage technology to its benefit, which is what “cloud-enabling” the practice really means:

  1. Transitioning to a paperless (or less paper) office
  2. Exploring alternative billing methods (value versus time?)
  3. Outsourcing non-core and non-strategic tasks and processes
  4. Streamlining procedures to create consistency in service levels

The challenge is that firms have numerous options and approaches thrown at them, none of which represents an obvious solution to the entire problem. In pieces, cloud services and online applications can deliver new capability and functionality, but a professional practice needs its systems to work together to be effective. Re-entry or redundant storage of data is inefficient, so it is difficult to streamline procedures when the systems run on different platforms or don't integrate well.

One approach is the “hybrid” approach, where you take the best of the tried and true, and deploy it in new ways to create new capabilities.  Also introducing cloud-based and SaaS solutions where they can truly help the firm innovate makes sense, as long as those solutions can connect back to the core systems. The key is to not lose what efficiency and business intelligence the firm already has while attempting to transform and improve upon those models (digital transformation).

The new thinking at some firms is to adopt web-based practice management solutions that make it easier to collaborate with team members and clients. Many of these solutions get great reviews and do make it easier for users to access information from anywhere and on mobile devices. Lots of neat features for the forward-thinking practice are available, yet the problem is that these solutions usually lack the general accounting functionality the business requires, and they do not provide some of the fundamental capabilities that desktop applications do.

For online applications serving line-of-business functionality, the easy answer to finance department questions is to connect to an online accounting solution, such as QuickBooks Online. While this may serve the needs of the developer, the needs of the business's finance department often outpace the functionality available in SMB online accounting products. To address this reality, many developers have created the means to export data to the QuickBooks software running on the local desktop.

The desktop editions of QuickBooks remain extremely popular with professional service firms and the businesses they serve. In a cloud and mobile world, the firm and its clients don't have to be tied to a local desktop in order to keep their desktop software or to work collaboratively in the data. When the QuickBooks desktop software is set up within a secure remote access environment (whether on-premises or with a hosting provider), users gain the same mobility and real-time collaboration advantages as with a SaaS solution, including anytime/anywhere access.

Virtual desktops and remote application models allow users to access what seems like a workstation in the cloud, with business applications such as QuickBooks and Microsoft Office and whatever else the firm uses. The desktop is a true Windows platform, so the features and functionality are just as they are when working directly on a local PC.

Most remote or virtual desktop setups also let the user browse the Internet from the remote desktop, so users can run the SaaS solutions they've subscribed to alongside their desktop applications while remaining in a fully virtual and mobile working environment. This approach lets the firm centralize management and administration of internal servers and networking resources, or eliminate much of the maintenance and management by outsourcing to a hosting provider. Outsourcing the hosting and management of systems further establishes predictability in cost and increases IT agility, though it also places the security of those systems in the provider's hands, a responsibility the service agreement should spell out.

The thing to remember is that one size does not fit all, and every firm will need to work within their own requirements and motivations to come up with the proper approach.  What works for a solo practitioner or small firm won’t necessarily work for a larger firm… or maybe it will, depending on the company culture and structure. There are a lot of options with the cloud when it comes to outsourced information technology models, online practice management and other business solutions, and mobile services which reduce the impacts of time and distance.  It’s time to start implementing on-demand access and mobile-friendly service options before the competition leaves you behind.  Interestingly enough… the competition that looks like a huge and successful firm could be just one person using some really smart IT.


Make sense?

J