Sidus BioData Considerations for HIPAA Regulated Cloud Deployments May 21, 2013
Speaker Bio
Jason Silva has over 15 years of experience in Data Center Management and Information Technology. His experience includes the management and implementation of internet and intranet systems in the healthcare, pharmaceutical, government, and technology sectors. As Founding Partner and Chief Executive Officer of Sidus Group, Mr. Silva has played a pivotal role in achieving the qualification of the Sidus Data Center and forming Sidus BioData. Sidus BioData is now actively engaged in hosting both GxP applications and HIPAA/HITECH data. Mr. Silva has spoken extensively on the implementation of regulated cloud computing environments to national and international industry groups.
Introduction
- Sidus BioData is a Maryland owned and operated IT hosting/outsourcing service provider, standing as one of the first fully FDA/HIPAA qualified commercial datacenters in North America to align with GAMP5.
- Founded in 1999; 28 employees; over 700 customers across 47 states and 12 countries
- Datacenter facilities in Annapolis, MD; Cumberland, MD; Somerville, MA; Ashburn, VA
- Tier 2+ datacenters qualified against FDA and HIPAA regulations
- Professional CISA (Certified Information Systems Auditor) certified quality team provides a seamless, compliant migration to the datacenter as well as ongoing support
- Managed hosting of sensitive data for:
  – Biotech companies
  – EMR vendors
  – HIPAA/HITECH regulated organizations
  – Medical device companies
Success in the Cloud
Trust in cloud implementations rests on four core concepts:
- Security – traditional issues around data and resource access control, encryption and incident detection
- Control – the ability of the enterprise to directly manage how and where data and software are deployed, used and destroyed
- Service Level Management – the definition, contracting and enforcement of service level agreements between a variety of parties
- Compliance – conformance with required regulatory, legal and general industry requirements (such as Part 11, Annex 11, HIPAA and Sarbanes-Oxley)
Cloud Management Challenge
- Support for consumer devices: anywhere, any device, anytime
- Audit/reporting/alerting
- Secure the mobile device: managed vs. non-managed device security policy
- Secure data at rest
- Secure data in transit
- AUP enforcement
Getting Onboard
Decide which of the four outlined deployment models is right for the client's needs.
– Perform Regulatory Assessment
  What regulations does the client's intended use of the cloud fall under?
  What regulations may impact the solution in the future?
– Perform Security Assessment
  What types of access methods to the cloud are needed?
  What types of devices are going to be utilized?
  What externally hosted services are going to interface with the deployment?
– Perform Business Assessment
  What are the performance level targets?
Design compliant cloud environments based on regulatory and security concerns first and the business case second.
View of Cloud Implementations
Let's take a look at the cloud implementations based on the four models that are appropriate to the regulatory space:
- Community Cloud
- Virtual Private Cloud
- Private Cloud
- Hybrid Cloud
Four (Sidus) Deployment Models
- Community cloud. The cloud infrastructure is shared by several organizations and supports a specific community that has shared concerns.
- Virtual Private cloud. Elements of the cloud infrastructure are operated solely for an organization (e.g., a dedicated high-speed storage or backup system).
- Private cloud. The cloud infrastructure is operated solely for an organization. It may be managed by the organization or a third party and may exist on premise or off premise.
- Hybrid cloud. The cloud infrastructure is a composition of two or more clouds (private, community, or public) that remain unique entities but are bound together by standardized or proprietary technology that enables data and application portability (e.g., cloud bursting for load-balancing between clouds).
Community Cloud
- Shared resources:
  – CPU
  – RAM
  – Storage
- Private VLAN
- Shared firewall with unique custom access control and guest machine isolation
- High Availability
Virtual Private Cloud
- Shared resources:
  – CPU
  – RAM
- Private VLAN
- Dedicated virtual firewall appliance with unique custom access control and guest machine isolation
- High Availability
- Dedicated storage:
  – LUN
  – SAN
Private Cloud
- Dedicated resources:
  – CPU
  – RAM
  – Storage
- Private VLAN
- Dedicated physical or virtual firewall appliance with unique custom access control and guest machine isolation
- High Availability
- Customizable
Hybrid Cloud
- Dedicated resources:
  – CPU
  – RAM
  – Storage
- Private VLAN
- Dedicated physical and virtual firewall appliance with unique custom access control and guest machine isolation
- High Availability
- Customizable
- Can include traditional servers
[Diagram: layered stack of Private Cloud, Operating System, Application]
Quality System
- CISA/CRISC-certified staff; full program of IT compliance services
- Quality Manual plus over 40 compliance policies, SOPs and forms
- "Total Quality System" approach:
  – SOPs and policies cover FDA/HIPAA/HITECH requirements
  – Datacenter "qualified" against FDA/HIPAA regulations
  – Risk Management Program
  – Individual training curriculums for each employee
  – Change Control/Validation Program
  – Independent Quality Assurance group
  – Provide regulated customers with a turn-key "compliance package"
Healthcare Analytics Provider Case
Health plans participating in the Health Insurance "HIX" Marketplace are challenged with:
1. Sharing premium revenue with other plans in the Marketplace.
2. Needing precise member risk scores for targeting and assisting complex members in order to maintain competitive premium rates.
3. Annual audits that require increased accuracy and precision in a plan's risk adjustment program.
4. Interventions that require speed and efficiency as a result of the condensed schedule.
Pulse8 Mission
Reimagining data to help people live healthy and independent lives through the execution of sophisticated analytics, predictive techniques, and data collection tools.
Deploy sophisticated analytic systems that improve payer financial performance, generating significant ROI.
- Visualization and Reporting/Dashboard
- Health System Integration
- HIX Risk Adjustment and Predictive Analytics
Health Care Analytics
[Diagram: Pulse8 Strata analytics. Inputs include age group, weight scale, prescriptions, procedures, diagnoses, provider specialty mix, provider visit frequency, provider visits by calendar year, labs/pathology, disease/CM programs, member reported data, eye exams, quality measure performance, cost per encounter, patient assignments to PCP, Rx volume, hospital admissions, ER visits, patient case mix, patient volume and location of services. These feed a clinical history, historic member profile, individual opportunity profile and risk factor, producing provider assignments, suspect identification (risk adjustment gaps) and member behavior algorithms.]
Systems and Infrastructure
- HIPAA compliant security
- GxP qualified facility
- Full GAMP5 based Quality System
- Monitored 24/7 with three-tier restricted physical access protocol
- Redundant network and dual physical fiber paths from multiple POPs
- Staffed by CISA/CRISCs
- EHNAC approved
- All data transfers are encrypted either through sFTP, PGP encryption on the files themselves, or both.
- Securely view Business Intelligence results
Pulse8 utilizes a Tier 2+ telco carrier grade datacenter headquartered in Annapolis, Maryland as our strategic infrastructure partner.
Hosting Vendor Selection Considerations
Cloud Vendor Selection Considerations
1. Cloud Capacity
Does the cloud vendor have the infrastructure capacity to support your application?
– What is its current capacity for bandwidth, compute and storage resources?
– What is the vendor's plan for expansion of resources? What reserve threshold triggers an expansion?
– How many sites does the vendor operate, and what capacity resources are available at these sites?
– Does the vendor operate its own facilities, or is its infrastructure colocated in another vendor's facility?
2. Resources (Human Cloud)
Does the vendor provide the engineering support that is needed to design and effectively operate your solution within your performance goals?
– What proactive monitoring is in place for performance issues, and who is notified?
– What types of resources are available on demand? DBA, network, security engineers?
Cloud Vendor Selection Considerations (cont.)
3. Regulatory Qualifications
– Does the vendor currently support clients that are within a healthcare-related or FDA regulated vertical?
– Does the vendor maintain an active quality system that can flow through to the client?
– Are clients notified of infrastructure and operational changes at the datacenter infrastructure level?
– Does the vendor maintain change management and quality management duties at the client solution level?
– What is the audit history of the vendor? Have they been audited by a third party for a relevant regulatory structure?
– Does the vendor provide audit support for periodic client audits?
– Does the vendor provide CISA and CRISC certified personnel for compliance support?
4. Transparency
– Will the vendor provide unfettered access to quality system documentation?
– Does the vendor make training and maintenance documents available?
– Will the vendor support audits by your clients?
– Will the vendor share disaster recovery plans?