Indian Outsourcer Complies With U.S. Security Laws

Patni Computing Systems has instituted measures to strictly adhere to HIPAA and the Sarbanes-Oxley Act.
Mumbai, India, might seem to be a strange place to institute rigorous IT safeguards to comply with the tough provisions of the HIPAA and Sarbanes-Oxley acts, but Indian outsourcing firm Patni Computing Systems has instituted measures to strictly adhere to those two U.S. security provisions.

With U.S. clients sending data to Patni's Mumbai headquarters, the Indian outsourcing firm has found that it must protect and secure the data--not only from potential standard incursions, but also to comply with the two security- and privacy-oriented acts. "We have to make sure our software is HIPAA and Sarbanes-Oxley compliant," Satish Joshi, Patni's chief technology officer and senior VP, said Wednesday in an interview. "When a U.S. customer runs the software, it has to be compliant."

Patni has several U.S. medical-insurance clients who specify that the offshore outsourcing firm comply with HIPAA, the Health Insurance Portability and Accountability Act of 1996. In addition, Patni has a few clients who must comply with the Sarbanes-Oxley Act, which calls for strict compliance with financial and accounting standards.

Joshi said Patni develops software for U.S. medical-insurance firms, and that software must meet the standards set by HIPAA for the protection of patient records. The emphasis is on creating software that can be used in the United States for HIPAA-compliant work and is not involved with the actual patient records. Software developed for U.S. financial firms must, likewise, comply with the accounting and financial standards set by Sarbanes-Oxley.

Joshi, who oversees Patni's security and privacy issues, indicated that the safeguards to comply with HIPAA and Sarbanes-Oxley are just an extension of the company's existing security measures. Data from U.S. businesses typically is encrypted and sent to India over fiber-optic lines, but occasionally over satellite links. Encrypted data "is practically unbreakable," he said, adding that he does not know of any case where encrypted transmitted data has been broken. "We don't use disks or tapes to transmit data."

Noting that Patni's U.S. clients regularly visit the company's data center in Mumbai--the Indian city formerly called Bombay--Joshi said they find security and privacy safeguards to be as rigorous as they are in the U.S. Access to the firm's data center is tightly controlled and restricted, individuals' access to data is specific and limited to work specified, no magnetic media can be removed or brought into the data center without tight controls, and data backup and storage is controlled.

"Our clients need assurance that data is actually destroyed after work is done," Joshi said. "Most clients have their own security standards that they have to comply with. They can review our [quarterly] security audit reports."

The firm also requires its employees to sign non-disclosure agreements. "We know that people can carry information in their heads," he said. "So we have rigid non-disclosure pacts."

Patni generally follows the security and privacy guidelines set by the ISO 17799 and BS 7799, international and British security standards, respectively.

Patni maintains its U.S. headquarters in Cambridge, Mass., where the firm began after its founder, Naren Patni, graduated from MIT 25 years ago. It has more than 15 offices in the United States, and its roster of 150 clients includes big U.S. companies such as Coca-Cola, General Electric, Guardian Life Insurance, and Putnam Investments.