Suze Shaffer is the owner and president of Aris Medical Solutions. She specializes in HIPAA compliance, risk management, and cyber security. She believes that by educating her clients in understanding why and what needs to be done to protect their practice they have a better outcome.
Suze has been instrumental in helping clients nationwide with risk management, implementing privacy and security rule policies and procedures, and ultimately protecting patient data. She includes state and federal regulatory requirements to ensure clients are protected in all areas.
She has spoken at numerous conferences and functions. She continues to educate organizations on how to minimize the risks of data breaches. HIPAA compliance is not an option; it is mandatory for every organization that comes in contact with protected health information to have reasonable and appropriate security measures in place. Unfortunately, most organizations don’t realize they are not compliant until they suffer a data breach or they are faced with an audit or investigation.
Did you know that the Office for Civil Rights (OCR) is the agency that investigates data breaches? Have you seen the heavy fines that have been imposed for non-compliance?
All 50 states now have their own set of privacy laws and the State's Attorney General may also investigate privacy violations!
Sometimes these terms are interchanged, which is not exactly correct. Let us explain the difference!
Two factor authentication is typically a username AND a password. This can also be explained as who you are and something you know.
Two-step is using two different types of authentication, like a username and password PLUS a one-time code that is texted to your phone. Some providers permit the use of a fingerprint to authorize the second step.
A security word is also used as a second-step type of authentication, so you need to be very careful about posting any type of personal information on social media. Aris suggests that when the security question asks for your mother’s maiden name, you make up a name! Just don’t forget what name you used!
No matter what type of second-step authentication is offered, it is best to select it, because although a username and password is the most common type of authentication, it is also easily compromised.
People who work within the Health Care sector are heavily targeted since the type of data they access is very valuable on the dark web. Anyone who works with patient information or for a company that provides services to a medical facility can be targeted. Again, special care must be taken to ensure that patient information is not compromised.
The first step in protecting patient data is conducting a HIPAA Security Risk Analysis. Know where your data is and understand how to protect it. Secondly, make sure you have a full set of Privacy and Security Policies and Procedures. Members of your staff need to know how important protecting patient data is and understand what they need to do to accomplish this.
For more information on how Aris Medical Solutions can help your organization with HIPAA Compliance and Protecting your Data call 877.659.2467 or click here to contact us.
“Protecting Organizations through Partnership, Education, and Support”
MIPS (Merit-based Incentive Payment System) and MACRA (Medicare Access and CHIP Reauthorization Act) are designed to create better patient outcomes and reward those providers that accurately document the progress of their patients. This all sounds great, but it takes additional time until this new workflow is established. This is very frustrating to providers who just want to take care of their patients. It is a “learned” function and can be dealt with accordingly if you keep your patience. I know what you are thinking, and it is easier said than done.
So many practices think that since “meaningful use” went away they no longer need to conduct a risk analysis. This is incorrect information. Part of the requirements is that you must still conduct a risk analysis or update the one you already have. When “updating” your risk analysis, be very careful. You are attesting that you have reviewed your vulnerabilities and mitigated those risks.
Conducting a thorough risk analysis is more than just checking a box. It is meant to assist the organization in identifying possible vulnerabilities so you have the opportunity to mitigate them to prevent data breaches. If you merely change the date on your risk analysis and later suffer a breach, that could come back to harm you. If you skip over this or do not take this seriously, you are literally putting your practice at risk.
The best way to tackle this elephant in the room is… one step at a time!
Review your technology devices. Determine if anything has been or needs to be replaced and/or updated.
Understand where and how data is created, accessed, and stored. This includes reviewing the workflow of everyone involved with PHI and ePHI.
Conduct your risk analysis and update the risk management plan. If you choose to “update or review” your existing risk analysis, make sure you do not overlook anything.
If you have not done so already, create an Incident Response Team (IRT). Utilizing the Security Incident Report will help in determining whether the security incident should be treated as a data breach or not.
When it comes to the actual MIPS documentation, there are organizations that will assist you at no cost to the practice. Don’t chance missing this opportunity to ensure your documentation is accurate.
With all of the large data breaches making the news, many smaller organizations think, “why bother? If the large companies can’t keep their data safe, there is no way I can.” Keep in mind, large organizations are a huge target and their data is sought after on a grander scale. Smaller companies are targets too, because their data is easier to capture. Smaller organizations typically do not have a qualified IT person or company that oversees their network. Unsuspecting employees are usually how the data is compromised because they have not been properly trained.
Here are some helpful hints on how you can protect your data:
Conduct a thorough risk analysis. Know where your data is and how it is accessed.
Create a risk management plan to demonstrate your efforts in compliance.
Conduct a network security audit to ensure your computers/network do not have any open vulnerabilities. This is more than just a scan of your network.
Create a full set of privacy and security policies and procedures so employees understand patient’s rights and how to protect their data.
Employee education. This is more than just once-a-year HIPAA training. This should be included in your monthly/quarterly meetings. Monthly emails can be sent to the staff as reminders of how important their vigilance is.
Patient data is valuable on the dark web and it is up to us to protect the data. One breach can destroy your organization unless you have a lot of money for reputation management. So when you are thinking about how much all of this “prevention” is going to cost, it will cost so much more if you ignore this need.
You can also view archived investigations that have been resolved or that are older than 24 months on the same website.
(Taken from OCR Cybersecurity Newsletter 10/31/17 – Mobile Devices in Healthcare)
Mobile devices, including cellphones, tablets, and laptops, are increasingly ubiquitous in many work environments – including healthcare organizations. The use of mobile devices in the workplace can be convenient and productive, but organizations should realize the risks associated with increased usage of mobile devices – especially when mobile devices are used to create, receive, maintain or transmit electronic PHI (ePHI). Entities regulated by the HIPAA Privacy, Security, and Breach Notification Rules (the HIPAA Rules) must be sure to include mobile devices in their enterprise-wide risk analysis and take action(s) to reduce risks identified with the use of mobile devices to a reasonable and appropriate level. See 45 C.F.R. § 164.308(a)(1)(ii)(A)–(B).
Risks when using mobile devices to store or access ePHI
Many threats are posed to electronic PHI (ePHI) stored or accessed on mobile devices. Due to their small size and portability, mobile devices are at a greater risk of being lost or stolen. A lost or stolen mobile device containing unsecured ePHI can lead to a breach of that ePHI which could trigger HIPAA breach notification obligations for a HIPAA covered entity or its business associate (the entity). Additional risks could arise when using personal mobile devices to store or access ePHI. If an entity does not permit the use of personal mobile devices for work activities, especially activities involving ePHI, policies should be in place and enforced that make such prohibitions clear. Entities permitting the use of personal mobile devices must include such devices in their enterprise-wide risk analysis and implement security measures sufficient to reduce those risks to a reasonable and appropriate level.
Mobile devices, similar to many other computer systems, may be delivered by the vendor with default settings which may be unsecure. Such default settings may enable connectivity to unsecure Wi-Fi, Bluetooth, cloud storage, or file sharing network services. Entities should take steps to ensure that mobile devices are properly configured and secured before allowing the device to create, receive, maintain, or transmit ePHI. Additionally, workforce members should be trained in the proper, secure use of mobile devices to store or access ePHI. Such training could include educating workforce members on the dangers of using unsecure Wi-Fi networks, such as public Wi-Fi offered in airports and coffee shops, as well as unsecure cloud storage and file sharing services.
Workforce members should also be trained on the risks of viruses and malware infecting mobile devices. Just as with other computer systems, malicious software that infects mobile devices could provide access to unauthorized individuals which could result in a breach of PHI. Access to information on mobile devices need not be limited to nefarious actions by malicious software, but could also originate from more mundane applications. A seemingly innocuous mobile app or game could access your contacts, pictures or other information on your mobile device and send such data to an external entity without your knowledge.
As mobile devices are increasingly and consistently used by covered entities and business associates and their workforce members to store or access ePHI, it is important that the security of mobile devices is reviewed regularly, and modified when necessary, to ensure ePHI remains protected. See 45 C.F.R. § 164.306(e).
Tips to help protect and secure PHI while using mobile devices
Implement policies and procedures regarding the use of mobile devices in the workplace – especially when used to create, receive, maintain, or transmit ePHI.
Consider using Mobile Device Management (MDM) software to manage and secure mobile devices.
Install or enable automatic lock/logoff functionality.
Require authentication to use or unlock mobile devices.
Regularly install security patches and updates.
Install or enable encryption, anti-virus/anti-malware software, and remote wipe capabilities.
Use a privacy screen to prevent people close by from reading information on your screen.
Use only secure Wi-Fi connections.
Use a secure Virtual Private Network (VPN).
Reduce risks posed by third-party apps by prohibiting the downloading of third-party apps, using whitelisting to allow installation of only approved apps, securely separating ePHI from apps, and verifying that apps only have the minimum necessary permissions required.
Securely delete all PHI stored on a mobile device before discarding or reusing the mobile device.
Include training on how to securely use mobile devices in workforce training programs.
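The tips above can be turned into a repeatable check for the mobile-device portion of a risk analysis. The script below is an added example, not code from the OCR newsletter or from Aris Medical Solutions; it evaluates a constructed device inventory against the tips that can be verified from an inventory (MDM enrollment, authentication, auto-lock, encryption, remote wipe, patch age, app allowlisting) and separately flags the case the newsletter singles out: a device holding unsecured ePHI whose loss would be a potential breach. The field names, thresholds and records are assumptions; a real run would read an MDM export instead.

```python
"""Added example (not from the OCR newsletter or Aris Medical Solutions):
evaluate a mobile-device inventory against the checkable tips above.
Inventory records, field names and policy thresholds are constructed
assumptions; a real run would read an MDM export instead."""
from datetime import date

# Assumed policy thresholds
MAX_AUTO_LOCK_MINUTES = 5    # automatic lock must trigger within this many minutes
MAX_PATCH_AGE_DAYS = 90      # security patches older than this are a finding
REPORT_DATE = date(2017, 11, 1)  # assumed date the review is run

# Constructed inventory records (not real devices)
INVENTORY = [
    {"id": "tablet-01", "stores_ephi": True, "mdm_enrolled": True,
     "auth_required": True, "auto_lock_minutes": 2, "encrypted": True,
     "remote_wipe": True, "last_patch": date(2017, 10, 1), "app_allowlist": True},
    {"id": "phone-07", "stores_ephi": True, "mdm_enrolled": False,
     "auth_required": False, "auto_lock_minutes": None, "encrypted": False,
     "remote_wipe": False, "last_patch": date(2017, 1, 15), "app_allowlist": False},
    {"id": "phone-12", "stores_ephi": False, "mdm_enrolled": True,
     "auth_required": True, "auto_lock_minutes": 15, "encrypted": True,
     "remote_wipe": True, "last_patch": date(2017, 9, 20), "app_allowlist": False},
]


def device_findings(device, today):
    """Return the list of gaps for one device, each corresponding to a tip above."""
    findings = []
    if not device["mdm_enrolled"]:
        findings.append("not managed by MDM")
    if not device["auth_required"]:
        findings.append("no authentication required to unlock")
    lock = device["auto_lock_minutes"]
    if lock is None or lock > MAX_AUTO_LOCK_MINUTES:
        findings.append("automatic lock disabled or longer than %d minutes" % MAX_AUTO_LOCK_MINUTES)
    if not device["encrypted"]:
        findings.append("storage not encrypted")
    if not device["remote_wipe"]:
        findings.append("remote wipe not enabled")
    if (today - device["last_patch"]).days > MAX_PATCH_AGE_DAYS:
        findings.append("security patches older than %d days" % MAX_PATCH_AGE_DAYS)
    if not device["app_allowlist"]:
        findings.append("third-party app installs not limited to an allowlist")
    return findings


def breach_exposure(device):
    """True when losing this device would expose unsecured ePHI: it stores ePHI
    and the storage is not encrypted. Encrypted or ePHI-free devices return False."""
    return device["stores_ephi"] and not device["encrypted"]


def risk_report(inventory, today):
    """Map device id -> (list of findings, would a loss expose unsecured ePHI?)."""
    return {d["id"]: (device_findings(d, today), breach_exposure(d)) for d in inventory}


if __name__ == "__main__":
    for dev_id, (findings, exposed) in risk_report(INVENTORY, REPORT_DATE).items():
        print(dev_id, "EXPOSED" if exposed else "ok", findings)
```

The report is meant to feed the risk management plan: each finding names the tip that is not met, and the exposure flag separates devices whose loss would need breach-notification analysis from those that only need a configuration fix.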
If you have a minor breach (under 500 records) you are required to self report this breach within 60 days after the end of the calendar year in which the disclosure occurred. If you report it, you run the risk of being investigated. So many times I hear organizations say… why would I “report” myself, that would be insane! If you do not report it and it is discovered at a later date, the fines will be increased and they will investigate heavily to determine if you have concealed any other breaches. So, the answer is YES; you should self report.
Understand that the different agencies like the Office for Civil Rights (OCR) who enforces HIPAA, Federal Trade Commission (FTC), Department of Justice (DOJ), and Centers for Medicare and Medicaid (CMS) more than likely communicate with each other. If you are audited or investigated by one agency, they are looking at your organization as a whole and may report their findings to other agencies. In one scenario that we recently were made aware of, the organization was expecting an investigation from the Office for Civil Rights, and the Department of Justice showed up! These agencies can decide how and what to investigate based on the information they have received.
The best way to protect your organization is to make sure you have a complete and thorough risk analysis. This will uncover potential vulnerabilities and give you the opportunity to mitigate them BEFORE something happens. Next, make sure you have a risk management plan that dates/documents what you have implemented/corrected based on your risk analysis. Policies, procedures, and documentation are the foundation of all organizations. Your employees need clear and concise procedures so they understand what they need to do. This always insulates you from misunderstanding. Above all, it demonstrates your compliance efforts!
Cyber attacks are on the rise in healthcare, and are one of the leading causes of data breaches. Disgruntled employees are another, and patients that believe their information has been compromised round out the top three. Although nothing is 100% secure, there are a few simple things you can do to prevent nearly all of these attacks.
First and foremost prepare and plan for a breach. Implement a Breach Notification plan. Understand the difference between an internal and external breach. Make sure you have your security team in place!
Too many practices think they can ignore the possible threat because they use a cloud-based EHR. Most hacks and unauthorized access are caused internally due to an employee that is uneducated in security. Employees that use their work computers to access personal email or use their work email for personal use expose the practice to this uncertainty. This could potentially allow viruses and malware into your network. It only takes one person to surf the web and pick up keylogging malware or click on an email attachment or link and bring your entire organization to a halt. It is a best practice to share security information with your staff at least monthly. Continual education on the possible threats is necessary. You can never be TOO diligent in the area of security!
Make sure you use a Termination Checklist to remind you of all of the access points that must be removed should an employee leave. This is a huge oversight that we see often when we are conducting network security audits. Employees leave and some of their login credentials are removed but not all of them.
Last but certainly not least; if you have a patient that complains about their privacy being violated, take it seriously and resolve the issue as quickly as possible. Make sure you document the process.
So… you find a flash drive and you want to be a good Samaritan and return it to its rightful owner. Great idea, right? Criminals know this and they use it against us! They want our data!
Malware and viruses can be installed on a flash drive. When you open it and find there isn’t any real information to tell you who it belongs to, you think “nothing” happened. Malicious code can be developed to do most anything today. It can immediately take over your system or it can lie in wait, infecting and worming its way into your files and creating havoc, and you may not even know it until it is too late.
Best practices:
Never, EVER, insert a flash drive into your computer that you do not know where it came from.
Never insert a flash drive that was used in a home environment; home computers have a 73% chance of having some type of malware.
Never accept a flash drive that someone has used on their computer on a public Wi-Fi.
If you find a flash drive, ask around, or post on a bulletin board.
If you notice a flash drive in one of your computers that doesn’t belong there, report it to your HIPAA Security Officer immediately.
Be informed, be alert, and be diligent!
Many healthcare providers have websites, since in today’s digital age nearly everyone searches for goods and services before making a decision, and this includes healthcare. However, healthcare providers must ensure their websites are HIPAA compliant if any patient data is transferred or accepted.
Many vendors are targeting healthcare with promises of ease of use, added patient interactions, and the ability to gain more patients. Before you agree to accept patient information through your website, you must ensure the vendor or service you are going to use actually understands HIPAA and the requirements.
Here are some issues to consider:
Do patients complete forms on your website? If yes, your website must be secure by utilizing encryption during transmission. This also includes if you are using appointment scheduling through your website. If your site starts with “https” then the data is securely transmitted. However, your site may require updates to ensure the encryption is up to date. If you have a “contact us” form through which patients can send you an email and your site is not encrypted, you should post a message advising them not to send any personal information.
Who has access to your website? If you work with a third party, they too must be HIPAA compliant and understand how to protect your website. If possible add a two-step authentication to prevent unauthorized access. Make sure you have administrative access to your site as well.
Do you know how and where your data is stored? You must utilize a company that understands HIPAA and security if your website accepts or stores any patient data. If your site is not set up properly, Google can actually index your intake forms. If your web hosting company shares your web server with other clients, this too must be reviewed. Keep in mind, if your data (including your backups) is encrypted, it would not be a reportable breach but you still must have a HIPAA compliant business associate agreement in place.
Do you have a recent backup of your website? This may sound crazy because it’s “in the cloud”. Keep in mind, a cloud is just a term used to explain it is NOT on your physical location. It is located on a server somewhere on someone’s physical site.
Do you know how to properly destroy old data? Whether the data is stored on a web server, an old external hard drive, or a computer, all data must be removed in a HIPAA compliant manner. This could be physical destruction or sanitization so that the data cannot be retrieved. Don’t forget to document this process!
Websites are a necessity today. If you decide to add features like online forms and/or patient scheduling, only do so if they are properly set up and secured.
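Two of the issues above can be checked mechanically from a page's HTML: whether a form submits over a connection without encryption, and whether a page carrying an intake form is left open to search-engine indexing. The script below is an added example, not code from Aris Medical Solutions; it parses the HTML with Python's standard library, resolves each form's action against the page URL, and reports the gaps. The sample pages and the clinic.example URLs are constructed; a real audit would fetch the live pages, and an https URL alone still says nothing about whether the server's TLS configuration is current.

```python
"""Added example, not code from Aris Medical Solutions: audit a page's HTML
for forms that submit without TLS and for form pages that search engines
could index. Sample pages and URLs are constructed."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class FormAuditParser(HTMLParser):
    """Collect form action URLs and whether a robots noindex meta tag is present."""

    def __init__(self):
        super().__init__()
        self.form_actions = []
        self.noindex = False

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names; values may be None
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self.form_actions.append(a.get("action", ""))
        elif tag == "meta" and a.get("name", "").lower() == "robots":
            if "noindex" in a.get("content", "").lower():
                self.noindex = True


def audit_page(page_url, html):
    """Return the findings for one page; an empty list means nothing was flagged."""
    parser = FormAuditParser()
    parser.feed(html)
    findings = []
    if urlsplit(page_url).scheme != "https":
        findings.append("page is served over http, not https")
    for action in parser.form_actions:
        # An empty action submits back to the page itself
        target = urljoin(page_url, action) if action else page_url
        if urlsplit(target).scheme != "https":
            findings.append("form submits to %s without encryption" % target)
    if parser.form_actions and not parser.noindex:
        findings.append("page contains a form but has no robots noindex tag")
    return findings


# Constructed sample pages
SECURE_INTAKE = """<html><head><meta name="robots" content="noindex, nofollow"></head>
<body><form action="https://clinic.example/intake/submit" method="post">
<input name="dob"></form></body></html>"""

INSECURE_INTAKE = """<html><head></head>
<body><form action="/intake/submit" method="post"><input name="dob"></form></body></html>"""

MIXED_PAGE = """<html><head></head>
<body><form action="http://forms.example/post" method="post"><input name="name"></form></body></html>"""


def sample_results():
    """Run the audit over the constructed pages."""
    return {
        "secure": audit_page("https://clinic.example/intake", SECURE_INTAKE),
        "insecure": audit_page("http://clinic.example/intake", INSECURE_INTAKE),
        "mixed": audit_page("https://clinic.example/contact", MIXED_PAGE),
    }


if __name__ == "__main__":
    for name, findings in sample_results().items():
        print(name, findings or "no findings")
```

The noindex check only covers the form page itself. The more serious indexing problem described above, submitted intake data sitting in a web-reachable location, is a hosting and storage question that no HTML check can answer; that part belongs in the review of where and how the data is stored.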
With all of the new technology that we have access to, many vendors are targeting healthcare with promises of ease of use and the ability to communicate with other healthcare providers. Before you agree to “share” or open your “portal” you must ensure the vendor or service you are going to use actually understands HIPAA and the requirements.
File sharing and cloud computing are here to stay. As we move forward with sharing patient data amongst our peers, you will need to be vigilant with your security.
Here are a few things to review:
Network misconfigurations are very common; review your data flow, including how data is transmitted and stored.
Backup your data!
When access is given to an employee, contractor, or vendor, once the need for access is no longer required, terminate their access credentials immediately.
Although most providers do not think hackers are a problem for them, they are! Your network security is vital and you must use a trained professional to set up your network and your file sharing configuration. If your IT professional does not specialize in network security, then hire a network security auditor to conduct a vulnerability scan after you have implemented your systems. A good vendor will mitigate your risks as they scan your network.
Make sure you have a HIPAA compliant business associate agreement in place.
Review the service agreement. Make sure it includes specific business expectations.
Invest in cyber liability insurance.
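Both the Termination Checklist recommended earlier (employees leave and some of their login credentials are removed but not all of them) and the point above about terminating employee, contractor and vendor access come down to the same check: reconcile the list of people whose access should have ended against the account export of every system. The script below is an added example, not code from Aris Medical Solutions; the users, systems, dates and the lower-case username matching are constructed assumptions.

```python
"""Added example, not code from Aris Medical Solutions: reconcile departed
workforce members and vendors against account exports from each system to
find credentials that were never removed. All names, systems and dates are
constructed."""
from datetime import date

REPORT_DATE = date(2017, 11, 1)  # assumed date the check is run

# Constructed termination checklist: user -> last day of authorized access
TERMINATED = {
    "jdoe": date(2017, 9, 30),            # former employee
    "vendor-billing": date(2017, 8, 15),  # contractor whose engagement ended
}

# Constructed account exports, one list per system. Case differs on purpose:
# exports from different systems rarely agree on how a username is spelled.
SYSTEM_ACCOUNTS = {
    "ehr":        [{"user": "jdoe", "active": False}, {"user": "asmith", "active": True}],
    "email":      [{"user": "JDoe", "active": True},  {"user": "asmith", "active": True}],
    "vpn":        [{"user": "jdoe", "active": True},  {"user": "vendor-billing", "active": True}],
    "file-share": [{"user": "vendor-billing", "active": False}],
}


def lingering_access(terminated, system_accounts, today):
    """One finding per still-active account that belongs to a departed user,
    with how many days it has stayed open past the termination date."""
    findings = []
    for system, accounts in system_accounts.items():
        for acct in accounts:
            user = acct["user"].lower()
            if user in terminated and acct["active"]:
                findings.append({
                    "user": user,
                    "system": system,
                    "days_open": (today - terminated[user]).days,
                })
    return sorted(findings, key=lambda f: (f["user"], f["system"]))


def termination_status(terminated, system_accounts):
    """Per departed user: which systems are still open and which are already
    closed, so the checklist can be completed system by system."""
    status = {user: {"open": [], "closed": []} for user in terminated}
    for system, accounts in system_accounts.items():
        for acct in accounts:
            user = acct["user"].lower()
            if user in status:
                status[user]["open" if acct["active"] else "closed"].append(system)
    for entry in status.values():
        entry["open"].sort()
        entry["closed"].sort()
    return status


if __name__ == "__main__":
    for f in lingering_access(TERMINATED, SYSTEM_ACCOUNTS, REPORT_DATE):
        print("%-16s still active on %-10s (%d days past termination)"
              % (f["user"], f["system"], f["days_open"]))
```

Running it on every system that appears in the risk analysis, rather than only the EHR, is the point: the accounts that survive are usually on the systems nobody thought of (VPN, email, file sharing, vendor portals), which is exactly what a written checklist is for.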
File sharing and cloud computing are wonderful tools that can be used in healthcare if set up properly and securely.
This is actually easier said than done. However, there are some simple tips you can use to help guard yourself against this cyber warfare.
First of all, let’s discuss what Ransomware is and why these criminals are doing this.
Ransomware is when an invader takes over your computer and encrypts your data and will not release it until you pay a “ransom”. Simply put, they do this to make money and, since it is a lucrative business, we do not see it going away anytime soon. With healthcare being such a popular target, you must be vigilant at all times.
Next, there are malicious malware and viruses that are used by people who just want to be mean. Although I am not a fan of bumper stickers, I do like the one that says “Mean People Suck”. These criminals are the meanest of the mean. They don’t even give you the opportunity to pay a ransom. They just encrypt your data or delete it. I could go on and on explaining how all of this works, but instead let’s just talk about how to prevent this from happening in the first place!
Rule #1
Read the email carefully. More than likely you can spot misspelled words or subtle clues that the email is not authentic. Look closely at the email address. At a quick glance it may look like a legitimate email address. It will start with a prefix other than the original address and may even include a period (.) in a separate place. I have said this many times: rather than clicking on links or attachments in your email, open your browser and go to that particular website instead.
Rule #2
Again, do not EVER click on an attachment in an email that claims to have important information that you must act on immediately. For example:
FedEx (UPS, USPS) was not able to deliver your package
Your friend liked your post on Facebook, click to read more (some of these are true but it is best to open your browser and go to Facebook)
A message about your credit card or bank account.
There are many variations to these emails. Just exercise caution when opening your mail, even from people you know. Their email account may have been hacked and used to distribute the virus.
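The address pattern Rule #1 describes, a familiar name placed in front of an unrelated domain or padded with an extra period, can be checked before anyone clicks. The script below is an added example, not code from Aris Medical Solutions; it parses the From header with Python's standard library, compares the part of the domain that actually had to be registered against a constructed list of trusted domains, and flags senders that borrow a trusted name elsewhere in the address or only in the display name. The trusted-domain list, the simplified "last two labels" rule for the registered domain, and the sample headers are all constructed.

```python
"""Added example, not code from Aris Medical Solutions: flag sender addresses
that imitate a trusted domain the way Rule #1 describes. The trusted list,
the simplified registered-domain rule and the sample headers are constructed."""
from email.utils import parseaddr

# Constructed allowlist of domains the practice really receives mail from
TRUSTED_DOMAINS = ["fedex.com", "facebook.com", "yourbank.example"]


def registrable_domain(host):
    """The domain someone had to register, simplified to the last two labels.
    Real code should consult the public suffix list (co.uk and similar)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def classify_sender(from_header):
    """Return (verdict, detail) for the value of a From: header."""
    display, addr = parseaddr(from_header)
    if "@" not in addr:
        return ("suspicious", "no parseable address in From header")
    host = addr.rsplit("@", 1)[1].lower()
    reg = registrable_domain(host)
    if reg in TRUSTED_DOMAINS:
        return ("trusted", reg)
    # Split on dots and hyphens so "fedex.com.x.example" and "fedex-mail.example"
    # both expose the trusted name sitting in front of an unrelated domain.
    labels = host.replace("-", ".").split(".")
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        if brand in labels:
            return ("lookalike",
                    "'%s' appears in %s but the registered domain is %s" % (brand, host, reg))
        if brand in display.lower().replace(" ", ""):
            return ("lookalike",
                    "display name claims %s but the domain is %s" % (trusted, reg))
    return ("unknown", reg)


SAMPLE_HEADERS = [  # constructed, none of these are real messages
    "FedEx <noreply@fedex.com>",
    "FedEx Delivery <tracking@fedex.com.delivery-notice.example>",
    "Facebook <notify@facebook-mail.example>",
    "YourBank Alerts <alerts@secure-login.example>",
    "Alice Colleague <alice@colleague.example>",
]


def classify_all(headers=SAMPLE_HEADERS):
    """Verdict for each sample header, in order."""
    return [classify_sender(h)[0] for h in headers]


if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        verdict, detail = classify_sender(header)
        print("%-10s %s  (%s)" % (verdict, header, detail))
```

A "trusted" verdict only means the address claims a trusted domain; it does not prove the message came from there, so the advice in Rule #1 still applies: go to the site in your browser rather than following the link.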
Rule #3
Keep a backup of any and all data that you want or need. Once the backup is created, disconnect it from your computer or network. If your system is ever violated, your backup will not be affected. Then you can wipe your system clean and restore your data.
Having good anti-virus and anti-malware installed on your system is a necessity today, but it still only takes one click of a mouse to bring your network down, because the software developers have to identify the problem before they can send out an update. Criminals are creating hundreds if not thousands of new viruses daily! Continual education for you and your staff is a must!