Health care organizations are now a primary target since they are the custodians of patient data and a plethora of information. The reason patient information is sought after so much is because it can be sold on the black market for a decent price. Social Security Numbers also have a longer shelf life unlike credit card numbers. Therefore it is imperative that any company or person that is involved with healthcare data do what they can to protect their computers and/or network.
Criminals are diligent in trying to gain access to these valuable databases. They can get into your network through social engineering, malware, and mobile devices to name a few. Sadly, most attacks go undetected for months, sometimes even a year unless it is ransomware when you are “notified” immediately!
Under the Security Rule, all entities that work with Protected Health Information are required to conduct a Risk Analysis to uncover any potential vulnerabilities. Then they must create a Risk Management plan to correct those deficiencies. Although most of the “technical” standards are addressable and not required, this does not mean optional. All covered entities and business associates must have reasonable and appropriate safeguards in place to protect their data. Aside from your normal IT services, we believe it will only be a matter of time before network security audits will become mandatory. Keep in mind your Policies and Procedures are still the backbone of HIPAA Compliance.
So what can you do to protect your data and your organization?
Conduct a security risk analysis
Mitigate the vulnerabilities that are discovered
Request a third party network security audit
Request documentation that your business associates are HIPAA Compliant
Continual EDUCATION!
These are just some of the basics that you should implement. For more information on how Aris Medical Solutions can help your organization with HIPAA Compliance and Protecting your Data call 877.659.2467 or click here to contact us.
“Protecting Organizations through Partnership, Education, and Support”
We have been trained to be polite. When someone asks us a question, we are compelled to answer. Sometimes, you just need to HANG UP!
A new scam is making headlines now because they are recording your answer to use in the future. For example, when someone calls and asks you “can you hear me” and you simply say “yes”, this scammer is recording your voice. This scammer may be a live person or a robo call, some robo calls now even sound like a human and you do not realize it is a recording at first. Either way by you simply saying yes, they can edit the call and use your own voice to authorize a purchase or a contract. They may already have other personal information like your credit card number and need this additional component to carry out their scam.
Of course there are many phone scams out there, always remember to exercise caution when someone calls asking for information. ANY information! Do not even give out what type of copier or phone system you use. If they are a vendor of yours they will already have this information.
So, let’s start a new catch phrase. Instead of “just do it”, let’s “just hang up”!
For more information on how Aris Medical Solutions can help your organization with HIPAA Compliance and Protecting your Data call 877.659.2467 or click here to contact us.
“Protecting Organizations through Partnership, Education, and Support”
Section 1557 is the nondiscrimination provision of the Affordable Care Act (ACA). The law prohibits discrimination on the basis of race, color, national origin, sex, age, or disability in certain health programs or activities. Section 1557 builds on longstanding and familiar Federal civil rights laws: Title VI of the Civil Rights Act of 1964, Title IX of the Education Amendments of 1972, Section 504 of the Rehabilitation Act of 1973 and the Age Discrimination Act of 1975. Section 1557 extends nondiscrimination protections to individuals participating in:
Any health program or activity any part of which received funding from HHS
Any health program or activity that HHS itself administers
Health Insurance Marketplaces and all plans offered by issuers that participate in those Marketplaces.
Section 1557 has been in effect since its enactment in 2010 and the HHS Office for Civil Rights has been enforcing the provision since it was enacted.
This provision goes much further than most practices are aware of including the fact this rule became effective July 18, 2016.
Take steps to ensure 1557 has been addressed:
Assign a Civil Rights Coordinator;
Revise your policies and procedures;
Incorporate a general assessment evaluation;
Review the patient intake process;
Track all requests for auxiliary aids and services;
Monitor performance of interpreter services to ensure effective communication;
Review your complaint process;
Post a Notice of Nondiscrimination;
Post a Nondiscrimination Statement; and
Conduct mandatory training for all staff.
Title II of the Americans with Disabilities Act of 1990 (Title II), Section 504 of the Rehabilitation Act of 1973 (Section 504) and Section 1557 of the Affordable Care Act of 2010 (Section 1557) requires an entity to take steps to ensure communication with individuals with disabilities is as effective as communication with others through the use of appropriate auxiliary aids and services. This includes people with as well as language barriers.
OCR has modified the notice requirement in § 92.8 to exclude publications and significant communications that are small in size from the requirement to post all of the content specified in § 92.8; instead, covered entities will be required to post only a shorter nondiscrimination statement in such communications and publications, along with a limited number of taglines. OCR also is translating a sample nondiscrimination statement that covered entities may use in fulfilling this obligation.
In addition, with respect to the obligation in § 92.8 to post taglines in at least the top 15 languages spoken nationally by persons with limited English proficiency, OCR has replaced the national threshold with a threshold requiring taglines in at least the top 15 languages spoken by limited English proficient populations statewide.
For more information on how Aris Medical Solutions can help your organization with HIPAA Compliance and Protecting your Data call 877.659.2467 or click here to contact us.
“Protecting Organizations through Partnership, Education, and Support”
Karsten Hahn who is a GData malware analyst discovered this ransomware called DynA-Crypt. Larry Abrams at Bleepingcomputer alerted the world about this new type of ransomware. Thanks to them, we know about this and must be diligent in protecting our information.
This new strain is even more dangerous and destructive than the others. This malware not only encrypts your data, but also takes screenshots of your active desktop, login commands that you type, and even records system sounds from your computer. It will even steal information from Skype and Chrome. While this vicious attack is encrypting your computer, stealing your information, it is also deleting your files.
This would be considered a major HIPAA data breach and not only will you lose everything, you will have to report this to your State and Federal authorities under the Breach Notification Laws.
Make sure your anti-virus and anti-malware is up to date and verify it is an enterprise version. Although this is not specifically stated under HIPAA, it is considered reasonable and appropriate. If you never have this happen to you, the HIPAA Police is not going to penalize you. However, if this does affect your practice or organization and you do not have reasonable and appropriate safeguards in place, you will be fined and penalized.
Everyone in your organization should be made aware of this new attack and remind them NOT open any file attachments OR click on any links in ANY email unless you are absolutely sure it is safe. Best practices is to open your browser and go directly to the company’s website to check on anything you receive in an email. Also be VERY careful trusting emails from friends. If YOUR email is hacked, they will spoof a name in your contact list and send an email back to YOU. They hope that since you know this person you will open the email. If you receive an email that asks you to click on a link or open a file, look carefully at the FULL email address, more than likely is NOT your friends email. Keep in mind, it still could come from their actual email address. Always call or text them and ask if they sent this to you.
For more information on how Aris Medical Solutions can help your organization with HIPAA Compliance and Protecting Patient Data call 877.659.2467 or click here to contact us.
“Protecting Organizations through Partnership, Education, and Support”
Home security cameras and baby monitors are making the news again about being hacked. This is nothing new, we have been telling people for years to change the default passwords on ALL your technology devices. Anyone can Google your device or IP address and they can get your default password. HIPAA requires that you have reasonable and appropriate safeguards in place to protect patient data. This includes updating and changing technology as needed.
For example all I had to type in Google was “Default password for Netgear”, and this is what I found:
For most NETGEAR devices (except ReadyNAS/ReadyDATA products and Fully Managed Switches), the default username and password are: Username (all models) = admin. Password (current models) = password. Password (very old models) = 1234. Aug 9, 2015
If you use any security cameras, Google “IP Camera Default Usernames Password and IP Addresses”. I found a website that lists ALL CAMERAS!
I highly recommend that you walk around your home and office and make a list of all your technology devices and Google them. If you can find a default password on the internet; so can everyone else. If you do not know how to change the password, we suggest hiring someone to do this for you. Otherwise you could simply remove the password all together!
For more information on how Aris Medical Solutions can help your organization with HIPAA Compliance and Protecting Patient Data call 877.659.2467 or click here to contact us.
“Protecting Organizations through Partnership, Education, and Support”
The state of Indiana expanded the requirements for background checks to include national criminal history checks on employees and owners of home healthcare and personal services facilities.
The previous law required only a limited criminal history check. A limited criminal history contains only felonies and class A misdemeanor arrests within the state of Indiana. The expanded criminal history check includes history of all counties and states where the person lived. The national criminal history check contains information from all state and federal jurisdictions.
Employers must request a national criminal history check within three days of a new employee’s commencement of work, and owners cannot employ someone to provide services in a patient’s residence for more than 21 days without receipt of the results of the check. Employers must complete a national criminal history check on all new hires, and no employee without the check can serve patients in their residences. Owners, officers, and managers are also subject to the criminal history check. Convictions of rape, certain exploitations, or criminal deviate prohibits anyone from owning a facility or working in patient care. This history check must cover the person’s lifetime and it not limited to a certain time frame or number of years. This exclusion also applies to anyone that failed to report the crime or was convicted of theft within the last 10 years.
Although this law does not include “medical practices”; Aris still recommends a background check on all staff members. More than likely we will see more states amend their laws and they may include all of healthcare. If you are not doing so, it is time to review your Workforce Clearance Procedures.
Here are some websites to assist you: https://www.intellicorp.net/marketing/home.aspx
For more information on how Aris Medical Solutions can help your organization with HIPAA Compliance and Protecting Patient Data call 877.659.2467 or click here to contact us.
“Protecting Organizations through Partnership, Education, and Support”
Things may seem wonderful since a new year is beginning; please don’t forget that many things remain the same.
For instance…
Healthcare is targeted in many ways. Do your employees know how to spot a phishing email or a potential virus? Most phishing expeditions and viruses are delivered right to your inbox! Did you know that nearly 90% of all ransomware attacks were on healthcare? A new report by Check Point software’s researchers states that Ransomware plague earns $2 million, while only 0.3% victims pay up. With this much money that is being made, more and more criminals are creating Ransomware. What would you do if one of your employees clicked on a link and downloaded a virus or your system was encrypted by ransomware?
Today, we are extremely busy and the criminals know this. It is so easy to spoof another company’s logo and create a phishing email or worse; a ransomware infection. What can you do? First and foremost you must continually educate your staff on what to look for and how to avoid making costly mistakes.
Here are some things to watch out for:
Emails that claim your account has been compromised and you need to call a toll free number immediately. Lookup the number for the company and call them on that number and not the number supplied in the email. If you call the number that is supplied, either you will to talk to a real criminal and they try to get information from you or your credit card number. The other way is you get stuck in a voicemail holding pattern and then your number is programmed in and they call you back and try the same scam.
Emails that claim your package (FEDEx / UPS / USPS) or payment (IRS / Bank / Credit Card) was not delivered, and you need to click on an attachment or a link.Open your browser and go directly to the company’s website, do not click on anything in the email.
Phone call that advises you there is new software upgrade or virus and offers a free scan on your computer. Do not permit anyone access to your computer unless they have been verified by the company they work for and you know who they are.
Fake apps that look like the real stores. Watch for apps that do not have a lot of reviews or bad reviews. Do not click on a link to download an app, go to the app store. Even then be careful, although Apple and Google use algorithms to detect, some have slipped through! Do not give out too much information and try to avoid adding any credit card numbers to apps. Read the permissions on all apps before downloading. If it is asking for more than is needed, do not download even though it sounds like a great app. Many apps contain malware to steal your information. If you connect your portable device to your office network, it can steal information from there as well.
Remember, most scams have a sense of urgency to prevent a negative consequence. Also, as the old saying goes… if it sounds too good to be true, it probably is. Always think before you react!
For more information on how Aris Medical Solutions can help your organization with HIPAA Compliance and Protecting your Data call 877.659.2467 or click here to contact us.
“Protecting Organizations through Partnership, Education, and Support”
All of you know and follow the HIPAA regulations, but you also need to make sure you follow the Federal Trade Commission (FTC) guidelines as well. The Department of Health and Human Services (HHS) released an article explaining about the requirements.
HIPAA involves the Privacy of an individual and FTC Act prohibits companies from engaging in deceptive or unfair acts or practices in or affecting commerce. Keep in mind if you use a third party, you also need a business associate agreement in place. Anytime you share patient information outside of treatment, payment, or healthcare operations (TPO), you must have a written authorization from the patient. Organizations can not mislead patients about what is happening with their health information. The manner in which you share their information must be clear, concise, and written in plain language so they understand.
This annual campaign is to raise awareness about cyber security. We live in a world that is more connected than ever before. The Internet touches almost all aspects of everyone’s daily life, whether we realize it or not. National Cyber Security Awareness Month (NCSAM) is designed to engage and educate public and private sector partners through events and initiatives to raise awareness about cyber security, provide them with tools and resources needed to stay safe online, and increase the resiliency of the Nation in the event of a cyber incident.
Did you know… that 2 out of 3 people have experienced a tech scam within the last 12 months?
Did you know… nearly 1 in 10 people have paid money to a scam?
Do not let anyone you do not know gain access to your computer… Scammers call people and either offer them a free scan or tell them there is a new virus out and they are probably infected. These scammers almost always have the sense of urgency and try to pressure you to “Do-it-Now”.
Don’t do it! Most of us are the ones that allow the scammers in. Either by answering the phone or clicking on a link in an email. Social engineering is at an all time high and WE are the ones that are giving OUR money away!
Add security to your login… passwords are the most common authentication tools used today, and they are the easier to hack. Always use a two-step authentication process whenever it is offered. There are many solutions available. Biometrics, security keys, and one time use codes that are text to your cell phone.
Did you know… you can pick up malware by merely visiting a website? Covered Entities and Business Associates have to be especially diligent in keeping their network systems clean and protect patient data. HIPAA Compliance begins with solid HIPAA Policies and Procedures but it also includes Technical Safeguards that are needed.
Here are some suggestions to help keep your network clean and safe:
Limit administrative privileges to those who really need it and only sign in as the administrator when needed
Limit users to specific work hours and block after hours usage if possible
Perform a network security audit at a minimum annually
Perform routine physical inventory and ensure unauthorized devices are not connected to your network or computers
Keep anti-virus and anti-malware software up to date
Web surfing should not be permitted with any device that accesses or stores Protected Health Information (PHI)
Change default passwords on all technology devices
This excerpt was taken from the Office for Civil Rights (OCR):
Did you know that your file transfer protocols may be particularly vulnerable to cyber-attacks?
FTP (file transfer protocol) is a standard network protocol used to transfer computer files on a computer network. A type of data storage device, called a network-attached storage (NAS) device, started becoming victim to a serious type of malware which exploited the FTP service available on FTP servers, including FTP services available on NAS devices, beginning this year. NAS devices connect to a computer network and provide a way to access data for a group of persons or entities.
According to a recent report by Softpedia, Sophos, a computer security firm, gathered telemetry data that indicated 70 percent of a certain vendor’s NAS devices connected to the internet were infected with a malware variant called Mal/Miner-C (also known as PhotMiner). Sophos researchers claim that out of 7,000 of these NAS devices connected to the internet, 5,000 were infected with this malware by cybercriminals who also collected $86,000, in cryptocurrency like bitcoin and monero, from cryptocurrency mining related to this attack.
Allegedly, the malware variant appeared in the beginning of June 2016. A report revealed that the malware was targeting FTP services, such as those available on NAS devices, and spreading to new machines by attempting to conduct brute-force attacks using a list of default credentials. Also, the researchers claim that a design flaw regarding the use of public folders on certain NAS devices permitted the Miner-C malware to more easily copy itself to the public folders.
The Mine-C or PhotoMiner (the malware) tricks users by copying files to the public folders that resemble a standard Microsoft folder icon. Once the user clicks on the folder, s/he activates the malware variant, and it installs the malware on the victim’s laptop, desktop, or other computing device. The malware allows cybercriminals to generate cryptocurrency (i.e., bitcoins, monero) by “mining”. Cryptocurrency mining exploits computer processing power to solve difficult math problems. Essentially, attackers are rewarded with cryptocurrency for the amount of math problems they solve.
This type of malware can affect an information system’s performance by eating up a system’s computing power, and slowing down other system processes.
For more information on how Aris Medical Solutions can help your organization call 877.659.2467 or click here to contact us.
“Protecting Organizations through Partnership, Education, and Support”
The Office for Civil Rights announced in August they would be working with their Regional Offices to more widely investigate the causes of breaches that affects less than 500 patient records. The Regional Offices will use their own discretion to prioritize which breaches to investigate.
Some of the factors they will be considering include:
The number of records affected
Intrusions of the IT systems
The sensitivity of the data
Whether the data was unencrypted or disposed of improperly
Number of breaches from the same entity including business associates
The lack of reported breaches when comparing similar situations with specific covered entities and business associates
Here are some helpful tips to avoid data breaches:
Confirm fax numbers and email address BEFORE sending.
Do not permit ANYONE access to your systems without confirming their identity and verifying they are still employed with that particular company.
Do not click on links in emails, instead, open your browser and go to the website.
Make sure all accesses to ePHI utilizes strong passwords, preferably passphrases.
Change your passwords/phrases at least every 90 days. This includes your EHR, PM software, workstation operating system, and email access.
If a two-step authentication is available, make sure it is engaged.
Use encryption whenever possible, depending on the operating system you use, it may be FREE!
Request a network security audit to be performed that includes remediation.
Do not retain records longer than necessary, why have that exposure if it is not required!
Make sure everyone involved with Patient Data is HIPAA Compliant.
As we mentioned last month, enforcement of HIPAA is here and you must ensure that if you are audited or investigated you have all of the appropriate documentation in place. Remember… if it is not documented, it doesn’t exist!
If you are one of the many organizations that simply do not have the time to do this, you are not alone. We offer a full range of services from a Do-It-Yourself HIPAA program to a Full HIPAA Implementation package. Call Aris at 877.659.2467 or click here to schedule a demo.
