HIPAA And SOA Adhered To In Faraway India

Mumbai, India, may seem a strange place to institute rigorous IT safeguards for the demanding provisions of HIPAA and the Sarbanes-Oxley Act (abbreviated SOA throughout this article, though SOX is the more common shorthand), but Indian outsourcing firm Patni Computing Systems has put in place measures to adhere strictly to those two U.S. statutes.

With U.S. clients sending data to Patni's Mumbai headquarters, the Indian outsourcing firm has found that it must not only protect that data from ordinary intrusions but also satisfy the two security- and privacy-oriented acts. "We have to make sure our software is HIPAA and Sarbanes-Oxley [SOA] compliant," said Satish Joshi, Patni's CTO and senior vice president, in an interview. "When a U.S. customer runs the software, it has to be compliant [with the acts]."

Patni has several U.S. medical-insurance clients who require that the offshore outsourcing firm comply with HIPAA (the Health Insurance Portability and Accountability Act of 1996). In addition, Patni has a few clients who must comply with the Sarbanes-Oxley Act of 2002, which imposes financial-reporting and internal-control requirements on publicly traded U.S. companies.

Joshi said Patni develops software for U.S. medical-insurance firms, and that software must meet the standards HIPAA sets for the protection of patient records. The emphasis is on building software that customers can run in the U.S. for HIPAA-regulated work; the development work itself does not involve actual patient records. Software developed for U.S. financial firms must likewise comply with the accounting and financial-control standards set by SOA.

Joshi, who oversees Patni's security and privacy issues, indicated that the safeguards for HIPAA and SOA compliance are simply an extension of the company's existing security measures. Data from U.S. firms is encrypted before transmission and is typically sent to India over fiber-optic lines, occasionally over satellite links. "It [encrypted data] is practically unbreakable," he said, adding that he does not know of any case where encrypted transmitted data has been broken. "We don't use disks or tapes to transmit data."

Noting that Patni's U.S. clients regularly visit the company's data center in Mumbai (the city formerly called Bombay), Joshi said they find its security and privacy safeguards as rigorous as those in the U.S. Physical access to the data center is tightly controlled and restricted; each individual's access to data is limited to the specific work assigned; no magnetic media may be brought into or removed from the data center without tight controls; and data backup and storage are controlled.

"Our clients need assurance that data is actually destroyed after work is done," Joshi said. "Most clients have their own security standards that they have to comply with. They can review our [quarterly] security audit reports."

The firm also requires its employees to sign non-disclosure agreements. "We know that people can carry information in their heads," he said. "So we have rigid non-disclosure pacts."

Patni generally follows the security and privacy guidelines set by ISO 17799 and BS 7799, the international and British information-security management standards, respectively. (ISO/IEC 17799 was derived from BS 7799 Part 1 and has since been renumbered ISO/IEC 27002; BS 7799 Part 2 became ISO/IEC 27001.)

Patni maintains its U.S. headquarters in Cambridge, Massachusetts, where the firm began after its founder, Naren Patni, graduated from MIT 25 years ago. It has more than 15 offices in the U.S., and its roster of 150 clients includes Coca-Cola, General Electric, Guardian Life Insurance, and Putnam Investments.
