Tag: Medicat Hosted Solution

Medicat’s Private Cloud EHR Hosted Solution

Private Cloud EHR with 99.99% (Four Nine) Guarantee

Medicat has partnered with TierPoint to provide the only Private Cloud EHR Hosted Solution for College Health that offers a Four Nine Uptime Guarantee as part of the Service Level Agreement (SLA).

This document will explain why that investment is important to you and why it is critical to the security of your students’ electronic Patient Health Information (ePHI).

Private Cloud is like public cloud in offering scalability and self-service, but it does so through proprietary architecture. Unlike public clouds, which deliver services to many organizations, and share a computing infrastructure across different users, business units, or businesses, a private cloud is a privately provisioned data center at the hosting facility with the following characteristics:

  • Built to the specifications of a single organization
  • Dedicated to a single organization
  • Designed for protection and privacy of client ePHI
  • Firewall protecting a limited number of clients
  • One database per client; no shared data
  • Direct control over client data

Service Level Agreement

A Service Level Agreement (SLA) is a contract between a service provider (EHR Vendor) and the end user (Client) that defines the level of service expected from the service provider.

One of the levels of service is “system uptime,” which is a measure of the time each month the computer system will be available for use. Uptime is measured in percentages, specifically using the “Nine” system. The more nines in the guarantee, the more uptime, and as a result, fewer minutes or hours of potential “downtime.”

  • 99.00% availability = 7+ hours of unplanned downtime/month
  • 99.90% availability = 43.8 minutes of downtime/month
  • 99.99% availability = 4.38 minutes of downtime/month

Medicat has invested in the appropriate private cloud infrastructure to achieve a Four Nine Availability Guarantee. Most EHR companies do not offer a guarantee at all, or provide only a three nine (99.9%) guarantee. Imagine not having access to your patient records for nearly an hour on Monday morning! On the other hand, waiting a little over four minutes to resume use of your system is manageable.

Medicat’s Private Cloud EHR Hosted Solution has not been down in nearly two years.

Uptime Institute’s Tier III Certification

The Uptime Institute has created a four-tier ranking system as a benchmark for determining the reliability of a data center. This proprietary rating system is based on the amount of system uptime guaranteed, and starts at a Tier I ranking, which is used by companies that can afford to be down many hours each month. The top ranking is Tier IV, which is required by government agencies, financial markets, and NASA, which cannot afford to be down at all.

Tier III certified data centers are utilized by larger businesses and are chosen for their uptime and redundancy measures, which include:

  • 99.982% uptime (Tier III Uptime)
  • No more than 1.6 hours of downtime per year
  • N+1 fault tolerant providing at least 72-hour power outage protection

N+1 Redundancy means that the facility has what is required to operate, plus a backup. The “N” represents what is required for a cloud facility to operate. The backup, or redundancy, can include items like power feeds, diverse network paths, UPS, and diesel generators, and is defined as the duplication of critical components or functions of a system with the intention of increasing reliability of the system.

Four Nine Availability Standards

How did Medicat take a secure TierPoint Private Cloud (99.982% uptime) data center and improve on that in order to offer the Four Nine Availability Standard (99.99% uptime) in our SLA? By investing in two key areas:

  • First, the intentional design of our Private Cloud within the TierPoint Research Triangle Park (RTP) facility to a Fault Tolerant, High Availability 2(N+1) standard. There are two fully duplicated and independent Medicat data centers, each with N+1 Fault Tolerant, solid state hardware enabling stateful (real time) internal failover of all SAN and network components.
  • Second, the creation of a pre-built Warm Standby Disaster Recovery site at a comparable TierPoint facility in Chicago, Illinois, which creates geographic redundancy.

The Warm Standby Disaster Recovery site continuously receives and archives client data from the RTP site. Should a catastrophic, non-recoverable event disable the TierPoint facility in RTP (e.g., direct hit by a large tornado), Medicat would bring up the Warm Standby site in Chicago, and users could resume their work with only a brief interruption.

This “brief interruption” is measured in Recovery Time Objective (RTO) and Recovery Point Objective (RPO). RTO measures the time it takes for the system to resume functioning, and RPO measures the amount of time elapsed since the last backup of data.

Medicat’s defined RTO and RPO guarantees:

  • A Localized event at the RTP facility that requires failover to the secondary N+1 Data Center:
    • RTO: 3 minutes
    • RPO: 15 seconds
  • A Geographic event that requires failover to the Warm Standby Disaster Recovery Data Center in Chicago:
    • RTO: 1 hour
    • RPO: 15 minutes

SOC Certifications

Service Organization Control (SOC) reports—created by the American Institute of Certified Public Accountants (AICPA)—are internal control reports on the offerings furnished by a service organization, which provide important information for users to appraise the risks involved with an outsourced service. Performed by an independent third party, these reports are essential for service providers to build trust with clients.

Certifications and Examinations showing compliance with Federal and Industry Standards around security, processes, and procedures are also required to achieve high availability standards. TierPoint is audited annually under HIPAA, PCI DSS, Type 2 SOC 1, Type 2 SOC 2, and SOC 3 standards. Medicat is audited annually under Type 2 SOC 2, and SOC 3 standards, which includes HIPAA.

A company that has successfully completed a Type 2 SOC 2 Examination has certified that its system is designed to keep its clients’ sensitive data secure over time. When it comes to the cloud and related IT services, such performance and reliability are essential, and are being required more often by regulators, examiners, and auditors.

Summary

When considering an EHR vendor offering a cloud hosted solution, there are many parts that make the whole, and weighing those against your IT departments’ risk tolerance is critical in choosing an EHR partner. Medicat’s Private Cloud EHR Hosted solution was built knowing we would have to pass the most rigorous security testing by the IT departments of every college and university in the country. Accordingly, Medicat has passed those tests by every college and university that has considered Medicat, numbering well over 200.

Medicat’s investment in the Private Cloud EHR Hosted solution with a Four Nine Guarantee is arguably the most secure hosted solution in college health today. A comparison with any other EHR Hosted Solution will quickly demonstrate the security advantages provided in Medicat’s solution.

The trust that the college health market places in Medicat has been demonstrated in the market choice over the past decade. Medicat has grown from 70 college health clients in 2005 to over 450 college health clients in 2017. Medicat sees the evolution of College Health EHR moving toward a Campus-wide Student Success System meeting the needs of various clinics and departments across campus with dashboard reporting to inform protocols for student retention and success.

To meet this growing demand, Medicat believes it starts with the most secure Private Cloud EHR Hosted Solution available, which supports an extremely robust, intuitive, and easy to use Patient Health Management System. This investment confirms Medicat’s continued commitment to the success of our college health clients as they seek to meet the ever-increasing needs of their students.

Medicat Partners: TierPoint, Cisco, IBM, Microsoft


Why is SOC 2 Important to You?

Your EHR Vendor and their Hosting Facility should have SOC 2. It seems everyone understands that a SaaS Hosting Facility must be certified at the highest current federal standards. But no one seems to question why their EHR vendor, who has access to the same patient ePHI, hasn’t completed the same examinations.

The following information is provided to help explain why your EHR vendor should be examined by an independent third party, what SOC is, why Medicat chose the more rigorous Type 2 SOC 2 Examination on your behalf, and what that means to you.

The short version is that the Sarbanes-Oxley Act (SOX) requires all publicly traded companies to establish internal controls and procedures for financial reporting to reduce the possibility of fraud. To properly conduct this financial statement examination, an audit must be performed for any organizations that affect the security or financials of the publicly traded organization. All such organizations should also be audited using SOC 1 (financial reporting) or SOC 2 (security reporting). The same holds true for privately held Hosting Facilities and their relationship with their clients (e.g., EHR vendors); both should pass audits at the highest Federal and Industry standards to ensure the security of your students’ ePHI.

What is SOC 2?

Service Organization Control (SOC) reports—created by the American Institute of Certified Public Accountants (AICPA)—are internal control reports on the offerings furnished by a service organization, which provide important information for users to appraise the risks involved with an outsourced service. These reports are essential for service providers to build trust with clients, as they are performed by an independent third party.

SOC 2 reports focus on service providers that host or store data, ensuring that they are following industry best practices and their operations are up to code. The SOC 2 report contains a description of the infrastructure, software, people, and procedures (the “system”) that the company has in place to protect and safeguard data. A SOC 2 report contains descriptions of what components the company has and what it does to make sure it successfully delivers on the five Trust Service Principles.

  • Security – Information and systems are protected against unauthorized access, unauthorized disclosure of information, and damage to systems that could compromise the availability, integrity, confidentiality, and privacy of information or systems and affect the entity’s ability to meet its objectives.
  • Availability – Information and systems are available for operation and use to meet the entity’s objectives.
  • Processing integrity – System processing is complete, valid, accurate, timely, and authorized to meet the entity’s objectives.
  • Confidentiality – Information designated as confidential is protected to meet the entity’s objectives.
  • Privacy – Personal information is collected, used, retained, disclosed, and disposed to meet the entity’s objectives.

Service organizations can choose which type of SOC 2 audit to undertake: Type 1 or Type 2.

  • Type 1 SOC 2 report – a layout of procedures and controls that the service provider has established as of a certain point in time.
  • Type 2 SOC 2 report – includes all the information in Type 1, but also supplies evidence as to how effective those procedures and controls were over a specified period. The audit period in a Type 2 report is typically no less than six months—enough time for a comprehensive evaluation.

Why is it important for your EHR vendor to have SOC 2?

Type 2 SOC 2 compliance is an outstanding standard for business owners and decision makers because it provides them with the peace of mind that the service provider they choose can deliver what it promises.

A company that has performed a Type 2 SOC 2 Examination has therefore proven that its system is designed to keep its clients’ sensitive data secure over time. When it comes to the cloud and related IT services, such performance and reliability are essential, and are being required more often by regulators, examiners, and auditors.

Medicat’s Hosted Solution

Medicat’s Private Cloud Infrastructure ensures the storage and handling of your students’ electronic Patient Health Information (ePHI) meets and exceeds all government and industry standards. There are two components of that infrastructure:

  • The TierPoint Hosting Facility where your students’ ePHI is stored. TierPoint’s Facilities in North Carolina’s Research Triangle Park (RTP), and in Chicago, are both rated to the highest Federal and Industry Standards, including Type 2 SOC 2 Examination. Your students’ ePHI could not be safer.
  • Medicat’s significant investments in its own infrastructure and security framework to better protect our Clients’ ePHI. To substantiate that investment, Medicat has gone through the same third-party audit process as the leading data centers in the country and has completed Type 2 SOC 2 Examination.

Summary

These rigorous requirements provide an important level of confidence and comfort when considering a move to the cloud. It is critical to insist on an EHR partner that has achieved a level of security that meets these standards.

That is why SOC 2 audits matter, and why Medicat has invested in the highest compliance possible: the Type 2 SOC 2 Examination. After all, the security of your patients’ data depends on it!
