Call Us Today! 877-659-2467 contactus@arismedicalsolutions.com

Author: Suze Shaffer

Suze Shaffer is the owner and president of Aris Medical Solutions. She specializes in HIPAA compliance, risk management, and cyber security. She believes that by educating her clients in understanding why and what needs to be done to protect their practice they have a better outcome. Suze has been instrumental in helping clients nationwide with risk management, implementing privacy and security rule policies and procedures, and ultimately protecting patient data. She includes state and federal regulatory requirements to ensure clients are protected in all areas. She has spoken at numerous conferences and functions. She continues to educate organizations how to minimize the risks of data breaches. HIPAA compliance is not an option, it is mandatory for every organization that comes in contact with protected health information to have reasonable and appropriate security measures in place. Unfortunately, most organizations don’t realize they are not compliant until they suffer a data breach or they are faced with an audit or investigation. Did you know that the Office for Civil Rights (OCR) is the agency that investigates data breaches? Have you seen the heavy fines that have been imposed for non-compliance? All 50 states now have their own set of privacy laws and the State's Attorney General may also investigate privacy violations!

How much does a data breach really cost?

Posted bySuze Shaffer

We really don’t want to scare organizations, but this is a real problem and we feel this must be disclosed. A data breach costs an organization on many different levels. The cost of notification, credit monitoring, remediation, then comes fines and penalties if you do not have reasonable and appropriate safeguards in place based on the size of your organization.

Earlier this year we had estimated the cost per patient record to be $380, according to the Ponemon Institute, they are estimating this cost has risen to $429 per patient record. If you can’t determine which records were breached, then you must notify all of your patients. This is where the massive costs are generated. Of course, the sooner you discover the breach the less it will cost you. This is why audit log monitoring is so important. If you are monitoring who and what is going on in your network, you can prevent a breach or at least stop a breach before it becomes a major breach (over 500 records).

Audit log monitoring is very time consuming and nearly impossible to do on your own. We recommend monitoring your logs from different sources, starting with your EHR. This is where most of your patient data resides and this needs to be protected. Aris works with a company in California that offers EHR audit log monitoring. They have developed a system that will send out email alerts when suspicious activity occurs.

We also recommend monitoring your logs from your firewall or domain controller. This is even more complex and again we recommend utilizing a third party. Aris has partnered with a nationally recognized network security company that can assist in this area as well. We understand that cost is very important to our clients and that is why we have selected these particular companies. They are reasonably priced and offer outstanding service. Let us know if you would like more information from either of these companies.

Keep safe out there on the World Wide Web aka the Wild Wild West!

If you would like more information, contact us at 877.659.2467 or complete the contact us form.

What does being HIPAA Compliant actually mean anyway?

Posted bySuze Shaffer

 

We are always talking about HIPAA compliance because that is what we do! Sadly many practices think just having a patient sign they received your Notice of Privacy Practices is all that is needed. There is so much more to HIPAA than that! After we go over a client’s risk analysis they realize this and are anxious to get their compliance in place. Then you get busy and it is pushed off to the next week, then the next, and then you realize it never was implemented!

Being HIPAA compliant means MANY things, and I could write about this for hours, but here are some basic reminders:

  1. Work on your Risk Management plan, implement your policies and procedures and mitigate risks. Policies and procedures are necessary so employees understand what is and is not permitted. The enforcement of your sanction policy and being consistent for those employees who violate HIPAA can help you avoid fines and penalties.
  2. Monitor your audit logs. Know who is doing what within your systems. Whether it is an employee or a business associate, you must know who and how users access ePHI. This is critical in preventing or stopping a data breach.
  3. Make sure your HIPAA compliance officer is informed and educated on any security incidents that may occur. This can help them to determine if and when a data breach occurred when they are reviewing the audit logs. The HIPAA compliance officer is required under federal law to report data breaches, large and small. The only difference is timing. Large data breaches must be reported within 60 days (state law could be more stringent) and smaller breaches within 60 days after the end of the year in which the breach occurred.
  4. Check the OIG exclusions list before you hire a new employee which can save you from being required to return payments you received from CMS in the event you hired someone on this list. Also, conducting a thorough criminal background check can prevent you from being stolen from! Conducting and documenting annual HIPAA training as well as when new employees are hired will educate them on patient privacy and data security. Make sure the method of training you choose covers both areas.
  5. Make sure everyone uses their own login credentials and never share their passwords. If someone signs in under another person, then that person that is logged in could be held liability for anything that is done under their credentials! Remember to use strong passwords and change them often. If possible, implement a secondary authentication in addition to using just a username and password. This is extremely helpful in protecting information for business and personal. All online accounts, even email should use a two-step of some type.
  6. Since we work in healthcare we have the ability to look at anyone’s medical record in our system. Keep in mind, you should only look at records that you have a need to do so. This means that if a patient is being seen by another provider or medical staff member and you do not have the need to view the record, you are NOT permitted to do so.
  7. When it comes to technology, many people think if it’s not broke, don’t fix it. This is NOT true! As our systems age, unless they are updated and upgraded, your information may be at risk of a data breach. Firewalls, computers, servers, and software all must be maintained. Firewalls are your first line of defense. Would you put up a fence and never bother to lock it? I have said this many times in the past, in the old wild wild west you could see danger coming towards your town and prepare. The world wide web is the new wild wild west, but the intruders are invisible. You must have several layers of security to secure your data. NOTE: Microsoft Windows 7 will no longer be supported after January 14, 2020. I have always liked this operating system, but now we must prepare for those computers to be updated or replaced.

HIPAA is much more than just these items, but this should help you to remember some important steps!

If you haven’t implemented HIPAA privacy and security policies and procedures, now is a good time to start to ensure your employees understand how to protect your data. If you would like more information, contact us at 877.659.2467 or complete the contact us form.

Heavy fines demonstrate the importance of a network security audit…

Posted bySuze Shaffer

 

When we discuss IT security, we generally think of a company that maintains our computer network. That is partially true, but that is just the beginning. There is a difference between maintaining your network and securing it. There are a lot of companies that are eager to maintain your network because you pay them a monthly fee to do so. Maintaining a network is making sure updates are done, anti-virus / anti-malware are current, upgrading any technology that is outdated or about to be unsupported. A network security company tests to see if there are any open vulnerabilities that could affect or infect your network. There is a huge difference between the two.
For example, a misconfigured settings of a Windows operating system permitted access to files containing PHI without requiring a username or password. Then two years later a second breach occurred when a server was misconfigured following an IT’s response to troubleshooting an issue, this time it exposed patient information over the internet. These two breaches cost Cottage Health a $3M fine. The Office for Civil Rights (OCR) investigation found that they had not conducted an accurate and thorough assessment and failed to implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level based on the size of their organization. Even though they had an IT company maintaining their ePHI system, they failed to obtain a signed business associate agreement.

Cottage Health fined $3M

Another breach that happened in 2014 has just been settled by the OCR. Touchstone Medical Imaging has been ordered to also pay $3M. The OCR and the FBI informed Touchstone in 2014 that one it’s FTP servers allowed uncontrolled access to ePHI. The uncontrolled access permitted search engines to index the patients personal information, which remained visible after the server was taken offline.

Touchtone Medical Imaging fined $3M

The lesson here is, what you do today can affect your business in the years to come. Make sure you are doing what is reasonable and appropriate to safeguard your patient information. One more keep point, these are just the federal fines. All 50 states now have their own set of privacy laws to protect personal identifiable information that doesn’t have anything to do with health information. Since we work in healthcare, we must adhere to state and federal privacy laws. No longer can you ignore the elephant (HIPAA) in the room, HIPAA is here to stay and you need to choose wisely who you work with to secure your data.

If you haven’t conducted an audit this year, now is a good time to schedule one to ensure your data is secure. If you would like more information on network security audits, contact us at 877.659.2467 or complete the contact us form.

Is your employee handbook up-to-date?

Posted bySuze Shaffer

It is important for all businesses to review what they have in their employee handbook. If you do not have one, it is imperative that you create one immediately. Employees have rights under certain laws. You could have misinformation that would not hold up in court or land you in a lawsuit. This is not our specialty, but we work with a consulting firm and an attorney that understands this very important area. If you have not addressed them in your handbook we will be glad to put you in touch with one of our resource partners.

In the meantime here are some areas that you should review.

  1. Maternity leave
  2. Free speech rights (NLRB)
  3. Social media
  4. Cell phone use
  5. Off-duty conduct
  6. Paid leave policy
  7. Overtime
  8. FMLA leave and those who are not eligible
  9. Maternity leave
  10. Firearm policy
  11. Whistleblowers
  12. E-cigarettes, tobacco, and marijuana use

Be sure to keep you HIPAA policies and procedures up to date as well!

To find out more about how our automated HIPAA compliance platform can help your organization click here:

https://arismedicalsolutions.com/aris-hipaa-service-automated-platform/

Or to schedule a demo click the contact us tab and scroll down.

“Simplifying HIPAA through Automation, Education, and Support”

Cyber Liability Insurance – is it really necessary?

Posted bySuze Shaffer

 

In the news nearly daily there is talk about a data breach, a hacking incident, or a cyber crime. Most practices do not think about this until it happens to them, unfortunately it could be devastating. Most experts now state that it is not IF this happens to you, but WHEN. The costs associated with a breach are widespread, see below for some examples.

  1. notification costs (postage, call center, toll free numbers, etc.),
  2. remediation costs (network scans, forensics, etc.),
  3. reputation management (online and in print),
  4. depending on the cause of the breach, you may encounter fines and penalties.

According to the Ponemon Institute, medical breaches are more costly ($408 ) than other small businesses ($148) per record. For example, if you have 5,000 patient records and you can’t determine which of the records were accessed or compromised you must notify all of the patients. That equates to $2,040,000.00. The main cause of data breaches were 48% due to malicious code or criminal attack, 27% due to negligent employees or contractors (business associates), and 25% due to system glitches and business process failures. When it comes to reputation management, this is critical after a breach. Especially in health care since it has the highest rate of churn because patients have more choices.

We are taught to be proactive with our health. We exercise, eat right, and make sure we get enough sleep. We see our physician to make sure our blood work has the correct levels and we have tests performed to catch any early detection of disease.

We should do the same for our business. Just think what would happen to the business side of a medical practice if their data was compromised, stolen, or encrypted. Most small businesses do not survive after a data breach. Here are some helpful hints to protect your practice and your business:

  1. Conduct a network security audit to ensure your network is as secure as possible.
  2. If you do not have an enterprise firewall, add one to your network. Be sure to have custom security policies implemented on your device.
  3. Review all of your computers and be sure to use business operating systems, antivirus/malware, and software.
  4. Work on your Risk Management Plan, understand your vulnerabilities and mitigate them to the best of your ability.
  5. Education. Keeping all staff including the physicians educated on safe computer practices and only permitting work related surfing on company computers. Knowledge about the dangers and consequences of their actions can greatly reduce the chance of a breach.
  6. Make sure the business associates that you use are HIPAA compliant. When you use other companies to assist you, it is the responsibility of the practice to ensure they know how to protect your data.
  7. Invest in cyber liability insurance. Cyber liability insurance covers the cost of notifying patients, data restoration, extortion, and reputation management. It is best to obtain a policy from a knowledgeable agent that specializes in this area since there are many variables in this type of coverage. Also, may sure you read the exclusions. You may not have the coverage you think you do. Many medical malpractice or general liability policies have small token amounts included, this is NOT enough. Review the number of medical records, paper and electronic and insure them accordingly.

To find out more about how our automated HIPAA compliance platform can help your organization click here:

https://arismedicalsolutions.com/aris-hipaa-service-automated-platform/

Or to schedule a demo click the contact us tab and scroll down.

“Simplifying HIPAA through Automation, Education, and Support”

 

Malicious code, websites, and data breaches

Posted bySuze Shaffer

 

When we conduct HIPAA training most employees are discouraged when we tell them not to surf the web on work computers. There is a very good reason for this… malicious code can be found on websites that have not been updated and maintained properly. Websites, just like any other technology device you use, must be updated and maintained to avoid being hijacked. Website developers sell templates, this makes it very easy to create a website. When vulnerabilities are discovered in the design of the site or one of the plug-ins, updates are pushed out. It is so important that you have a webmaster that stays on top of this! How would you feel if your website was used to infect your web traffic? Image how embarrassing it would be if your patients got a virus or malware from your website?

That brings us to another very important issue when it comes to healthcare; remote users. Home computers are more likely to be infected, in fact 68% of infections were on consumer computers. Are your employees using their own computers at home to access patient data? Was the RDP set up properly? Are the devices properly maintained by an IT professional? Do employees bring their devices from home into your office? Do your employees use their smartphones to connect to your WiFi? These are all areas that need to be reviewed and addressed to ensure your data is not at risk. This is not about restricting employees computer usage because the employer is being unreasonable. This all about protecting your organization from cyber attacks and protecting patient data.

Well educated employees are your best asset and together with proper security you can protect your organization from a data breach. The average data breach cost is $3.8 million and healthcare being one of highest at $380 per patient record. Keep in mind, if you can’t determine which patient records were breached, they are all considered to be breached and are included in the process. Between the cost of the breach and loss of confidence most organizations do not survive past 1 year after a breach.

Our business partner is nationally known and has mitigated some of the largest data breaches. They work with your IT professional to secure your network BEFORE you suffer a data breach. Let us know if you would like a quote on a network security audit.

To find out more about how our automated HIPAA compliance platform can help your organization click here:

https://arismedicalsolutions.com/aris-hipaa-service-automated-platform/

Or to schedule a demo click the contact us tab and scroll down.

“Simplifying HIPAA through Automation, Education, and Support”

 

2019 HIPAA Updates

Posted bySuze Shaffer

 

As we start this new year we must reflect what we have learned from 2018 in order to make 2019 a success.

The Office for Civil Rights (OCR) has gained momentum in enforcing HIPAA violations. With that said HIPAA is an ongoing process and once is not enough. It is not considered done unless it is documented. At the annual conference this past year, the OCR admitted they are adamant on ensuring your patient’s information is protected. Therefore, you must document your compliance. If you say you did something, they will ask for your documentation. If you do not have documentation, you will be fined.

Companies located in United States are now required to adhere to the General Data Protection Regulation (GDPR) if they market goods and services to citizens of the European Union (EU). You must ensure the security of the data as well as inform visitors to your website how you intend to use their data. This must be clearly written in your privacy notice on website. This is not to be confused with your Notice of Privacy Practices that you give to your patients. If you plan on marketing to visitors from your website, you must offer them a free opt-out option. We could go on in more detail on this subject, but since many medical clinics do not market to international patients, you may contact us for more information.

Here are a few things to review and update as necessary:

  1. Risk analysis and risk management plan, this is your documentation to demonstrate what risks you have (had) and how you have mitigated them or plan to mitigate them.
  2. Replacing or updating any outdated technology, hardware and software require updates from time to time. You can be fined for utilizing outdated hardware/software that is no longer supported by the manufacturer.
  3. Adding a second authentication process for access to ePHI as well as for online personal accounts.
  4. HIPAA training, ensuring your employees understand how to protect your data is also part of this training.
  5. Making sure you have all of the necessary privacy and security policies, procedures, and forms in place. This means reading and dating them to demonstrate they were actually implemented.
  6. Retaining your documentation for the required time limit, including correspondence with patients that are considered to be part of their medical record.
  7. Reviewing your website, determining if your site collects any data and how it is transmitted and stored.

If you see something in your workplace that looks suspicious, tell your HIPAA Compliance Officer, you could be the one to prevent a data breach or stop a data breach from becoming a major breach (over 500 patient records). Keeping data secure is everyone’s business. Being mindful of our surroundings and educating others helps all of us in this crazy world we live in now!

To find out more about how our automated HIPAA compliance platform can help your organization click here:

https://arismedicalsolutions.com/aris-hipaa-service-automated-platform/

Or to schedule a demo click the contact us tab and scroll down.

“Simplifying HIPAA through Automation, Education, and Support”

 

Do you have all of your HIPAA training documented?

Posted bySuze Shaffer

 

What do you know about HIPAA enforcement?
Just imagine you were investigated by CMS or the OCR, what would they find?
How confident are you in your medical and/or HIPAA documentation?
Do you have the appropriate documentation to protect your organization?

The Office for Civil Rights (OCR) is very serious about ensuring your organization is educating employees on patient rights and securing PHI. During a recent investigation in Florida an organization was fined $100K for each year they could not produce documented HIPAA training. The first year they only had 3 employees! They were fined for five years, $500K. Once you are under investigation, they review ALL of your documentation, not just what they originally requested. You do not want to end up being in the willful and wanton neglect category. This is where the big fines are calculated.

If you have a patient complaint or suffer a data breach, the best advice is to document, document, AND document! OH, did I mention… DOCUMENT? Next, cooperation. If they ask for something, give it to them. Nothing more, nothing less, but give them what they ask for. Show the OCR you are trying to do the right thing. After all, how would you like it if the information that was compromised was yours? Wouldn’t you want the organization to do what they could to stop the breach or prevent another one from happening?

Remember the MD Anderson in Texas fines? They had multiple devices lost containing unencrypted ePHI. They claimed that they were not obligated to encrypt its devices, and stated that the ePHI that was involved was for “research,” and thus was not subject to the HIPAA non-disclosure requirements. They challenged the OCR and the Judge ruled in favor of the OCR and MD anderson was ordered to pay $4,348,000 in civil money penalties. The quote from OCR Director Roger Severino: “OCR is serious about protecting health information privacy and will pursue litigation, if necessary, to hold entities responsible for HIPAA violations”.

At the NIST/OCR conference in Washington DC, the director along with other members of the OCR staff reminded organizations about enforcement. This is NOT going away. Patient information is extremely valuable to criminals. The days of just a slap on the wrist because you didn’t conduct risk assessment, conduct HIPAA training, or you can’t prove your HIPAA compliance is over. Every organization that has anything to do with patient information must get on board and understand HIPAA. There is NO certificate to prove you are HIPAA compliant, the proof is in your documentation. So I ask one more time… How well do you trust your HIPAA documentation?

To find out more about how our automated HIPAA compliance platform can help your organization click here:

https://arismedicalsolutions.com/aris-hipaa-service-automated-platform/

Or to schedule a demo click the contact us tab and scroll down.

“Simplifying HIPAA through Automation, Education, and Support”

 

Data breaches of 2018

Posted bySuze Shaffer

We hear on the news about data breaches almost daily. Some are credit card theft, our personal information being sold, and then are medical data breaches. These are extremely worrisome as this is where identity theft can start. The medical community is a major target for that very reason, medical records are the main source of complete information to steal personal information.

Do you know how many individual patient records have been compromised in 2018?

11,785,675 patient records were reported as breaches to the Office of Civil Right (OCR) in 2018 that were over 500 records per incident. Keep in mind this does NOT include breaches under 500 records.

https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf;jsessionid=3F3012CA56DF3E4D79031A59CCBBBA4D

Plus 944,595 patient records that had been exposed that have already been archived according to the OCR portal.

At the NIST/OCR October conference, they talked about how medical offices use the excuse… “I didn’t know”. They also said that was not an acceptable answer any longer. They can and will fine organizations that are not HIPAA compliant. You are 4 times more likely to get hacked than to have your equipment stolen and this does not even include the breaches caused by unauthorized access. Needless to say data breaches are on the rise no matter what angle you are looking at.

So as we close out 2018 and venture into 2019…
You MUST be diligent and keep up to date on the latest technology for data security.
You MUST make sure your employees are WELL educated on data security.
You MUST document your compliance efforts.

In the words from the Office for Civil Rights, “If it’s not documented, it doesn’t exist”!

Be safe out there in the World Wide Web… it’s a wonderful but dangerous place!

To find out more about how our automated HIPAA compliance platform can help your organization click here:

https://arismedicalsolutions.com/aris-hipaa-service-automated-platform/

Or to schedule a demo click the contact us tab and scroll down.

“Simplifying HIPAA through Automation, Education, and Support”

Spoofing, Phishing, and how to avoid getting caught in the middle

Posted bySuze Shaffer

After attending the Office for Civil Rights (OCR) annual webcast, many things were confirmed that we thought may have been rumors. First of all, medical offices are targets of hacking because you hold everything needed for identity theft.

What is identity theft? Most people think of it as their credit card being stolen, or even their tax returns. True, that is identity theft but there is also another component that is not often talked about. That is, assuming someone else’s identity for health care purposes. Imagine someone assumes your identity and has a surgery and “corrects” your medical record and changes your blood type. Then, you are involved in a car accident and receive a blood transfusion but it’s the WRONG blood. Yes, this can happen. We are not sure how often, but with the rise of medical records being stolen we could see this happen more often. Knowing where your data is located and how it is stored is a starting point in protecting this valuable information. Conducting a risk analysis and having an ongoing risk management is mandatory under HIPAA. During this process you will uncover potential vulnerabilities. Once you mitigate these risks, you may be able to avoid a data breach.

Protecting yourself and your organization is one in the same. Practice these safety tips at work and at home:

  • Make sure your operating system updates are current as well as your anti-virus and anti-malware.
  • Scan for viruses and malware after every update.
  • If you use personal devices to access ePHI or work files, be sure to use enterprise versions of anti-virus and anti-malware. Free versions typically are not robust enough.
  • NEVER use free Wi-Fi even if you are not accessing any patient information. You could pick up malware from someone that has spoofed the Wi-Fi network that you thought you were logging into.
  • NEVER click on links within emails that claim to be urgent or a free offer of some type. Typical phishing expeditions start in this manner. After you click, they ask for certain information they are lacking about you or they may ask for everything! Sometimes, this is merely a tactic to get you to go to a certain website and place malware on your computer and you never even know it.
  • NEVER click on a link within an email asking you to verify your identity. You wouldn’t show a stranger on the street your driver’s license just because they asked to see it, then why would you “verify” your identity with someone invisible in your email? Again, this is how spear phishing starts.
  • NEVER click on an attachment within an email unless you are expecting it, even if you know the person that sent it. Their email could have been hacked and you are being spoofed into thinking it is from them. This includes messages from FedEx, UPS, and the IRS. Best practices is to open your web browser and go to their website and sign in.
  • NEVER click on links in text messages unless you are expecting one, such as you just signed up for text messages from a service provider. Bank customers are being spoofed into clicking on links in text messages and taking you to what looks like your bank. Guess what… it’s NOT your bank but looks like it!

I have said this before… the World Wide Web (WWW) is the new Wild Wild West. The only difference is, in the old wild wild west you could see danger coming on the horizon and prepare. The World Wide Web, the dangers are there, but they are invisible.

Be safe out there!

To find out more about how our automated HIPAA compliance platform can help your organization click here:

https://arismedicalsolutions.com/aris-hipaa-service-automated-platform/

Or to schedule a demo click the contact us tab and scroll down.

“Simplifying HIPAA through Automation, Education, and Support”

©2024 Aris Medical Solutions – HIPAA Risk Management | HIPAA Compliance Consultants | All Rights Reserved | Terms and Conditions | Privacy Policy
The content and images on this website is owned by Aris Medical Solutions and their owners. Do not copy any content or images without our consent.
Powered by Bandwise LLC