With U.S. clients sending data to Patni's Mumbai headquarters, the Indian outsourcing firm has found that it must protect that data not only against the usual intrusions but also in a way that satisfies two U.S. security- and privacy-oriented laws. "We have to make sure our software is HIPAA and Sarbanes-Oxley [SOA] compliant," said Satish Joshi, Patni's CTO and senior vice president, in an interview. "When a U.S. customer runs the software, it has to be compliant [with the acts]."
Patni has several U.S. medical-insurance clients who require the offshore outsourcing firm to comply with HIPAA (the Health Insurance Portability and Accountability Act of 1996). In addition, Patni has a few clients who must comply with the Sarbanes-Oxley Act, which imposes strict requirements on financial reporting and on the internal controls behind it.
Joshi said Patni develops software for U.S. medical-insurance firms, and that software must meet the standards HIPAA sets for the protection of patient records. The emphasis is on building software that customers can use in the U.S. for HIPAA-covered work; Patni itself does not handle the actual patient records. Software developed for U.S. financial firms must likewise comply with the accounting and financial-reporting requirements of SOA.
Joshi, who oversees Patni's security and privacy issues, indicated that the safeguards to comply with HIPAA and SOA are just an extension of the company's existing security measures. Data from U.S. firms is typically encrypted and sent to India over fiber-optic lines, but occasionally over satellite links. "It [encrypted data] is practically unbreakable," he said, adding that he does not know of any case where encrypted transmitted data has been broken. "We don't use disks or tapes to transmit data."
Noting that Patni's U.S. clients regularly visit the company's data center in Mumbai--the Indian city was formerly called Bombay--Joshi said they find the security and privacy safeguards to be as rigorous as those in the U.S. Access to the firm's data center is tightly controlled and restricted, each individual's access to data is limited to the specific work assigned, no magnetic media can be removed from or brought into the data center without tight controls, and data backup and storage are controlled.
"Our clients need assurance that data is actually destroyed after work is done," Joshi said. "Most clients have their own security standards that they have to comply with. They can review our [quarterly] security audit reports."
The firm also requires its employees to sign non-disclosure agreements. "We know that people can carry information in their heads," he said. "So we have rigid non-disclosure pacts."
Patni generally follows the security and privacy guidelines set by ISO/IEC 17799 and BS 7799, the international and British information-security management standards, respectively (ISO/IEC 17799 was itself adopted from Part 1 of BS 7799).
Patni maintains its U.S. headquarters in Cambridge, Massachusetts, where the firm began after its founder, Naren Patni, graduated from MIT 25 years ago. It has more than 15 offices in the U.S. Its roster of 150 clients includes U.S. firms Coca-Cola, General Electric, Guardian Life Insurance, and Putnam Investments.