All of you know and follow the HIPAA regulations, but you also need to make sure you follow the Federal Trade Commission (FTC) guidelines as well. The Department of Health and Human Services (HHS) released an article explaining about the requirements.
HIPAA involves the Privacy of an individual and FTC Act prohibits companies from engaging in deceptive or unfair acts or practices in or affecting commerce. Keep in mind if you use a third party, you also need a business associate agreement in place. Anytime you share patient information outside of treatment, payment, or healthcare operations (TPO), you must have a written authorization from the patient. Organizations can not mislead patients about what is happening with their health information. The manner in which you share their information must be clear, concise, and written in plain language so they understand.
This annual campaign is to raise awareness about cyber security. We live in a world that is more connected than ever before. The Internet touches almost all aspects of everyone’s daily life, whether we realize it or not. National Cyber Security Awareness Month (NCSAM) is designed to engage and educate public and private sector partners through events and initiatives to raise awareness about cyber security, provide them with tools and resources needed to stay safe online, and increase the resiliency of the Nation in the event of a cyber incident.
Did you know… that 2 out of 3 people have experienced a tech scam within the last 12 months?
Did you know… nearly 1 in 10 people have paid money to a scam?
Do not let anyone you do not know gain access to your computer… Scammers call people and either offer them a free scan or tell them there is a new virus out and they are probably infected. These scammers almost always have the sense of urgency and try to pressure you to “Do-it-Now”.
Don’t do it! Most of us are the ones that allow the scammers in. Either by answering the phone or clicking on a link in an email. Social engineering is at an all time high and WE are the ones that are giving OUR money away!
Add security to your login… passwords are the most common authentication tools used today, and they are the easier to hack. Always use a two-step authentication process whenever it is offered. There are many solutions available. Biometrics, security keys, and one time use codes that are text to your cell phone.
Did you know… you can pick up malware by merely visiting a website? Covered Entities and Business Associates have to be especially diligent in keeping their network systems clean and protect patient data. HIPAA Compliance begins with solid HIPAA Policies and Procedures but it also includes Technical Safeguards that are needed.
Here are some suggestions to help keep your network clean and safe:
Limit administrative privileges to those who really need it and only sign in as the administrator when needed
Limit users to specific work hours and block after hours usage if possible
Perform a network security audit at a minimum annually
Perform routine physical inventory and ensure unauthorized devices are not connected to your network or computers
Keep anti-virus and anti-malware software up to date
Web surfing should not be permitted with any device that accesses or stores Protected Health Information (PHI)
Change default passwords on all technology devices
This excerpt was taken from the Office for Civil Rights (OCR):
Did you know that your file transfer protocols may be particularly vulnerable to cyber-attacks?
FTP (file transfer protocol) is a standard network protocol used to transfer computer files on a computer network. A type of data storage device, called a network-attached storage (NAS) device, started becoming victim to a serious type of malware which exploited the FTP service available on FTP servers, including FTP services available on NAS devices, beginning this year. NAS devices connect to a computer network and provide a way to access data for a group of persons or entities.
According to a recent report by Softpedia, Sophos, a computer security firm, gathered telemetry data that indicated 70 percent of a certain vendor’s NAS devices connected to the internet were infected with a malware variant called Mal/Miner-C (also known as PhotMiner). Sophos researchers claim that out of 7,000 of these NAS devices connected to the internet, 5,000 were infected with this malware by cybercriminals who also collected $86,000, in cryptocurrency like bitcoin and monero, from cryptocurrency mining related to this attack.
Allegedly, the malware variant appeared in the beginning of June 2016. A report revealed that the malware was targeting FTP services, such as those available on NAS devices, and spreading to new machines by attempting to conduct brute-force attacks using a list of default credentials. Also, the researchers claim that a design flaw regarding the use of public folders on certain NAS devices permitted the Miner-C malware to more easily copy itself to the public folders.
The Mine-C or PhotoMiner (the malware) tricks users by copying files to the public folders that resemble a standard Microsoft folder icon. Once the user clicks on the folder, s/he activates the malware variant, and it installs the malware on the victim’s laptop, desktop, or other computing device. The malware allows cybercriminals to generate cryptocurrency (i.e., bitcoins, monero) by “mining”. Cryptocurrency mining exploits computer processing power to solve difficult math problems. Essentially, attackers are rewarded with cryptocurrency for the amount of math problems they solve.
This type of malware can affect an information system’s performance by eating up a system’s computing power, and slowing down other system processes.
For more information on how Aris Medical Solutions can help your organization call 877.659.2467 or click here to contact us.
“Protecting Organizations through Partnership, Education, and Support”
The Office for Civil Rights announced in August they would be working with their Regional Offices to more widely investigate the causes of breaches that affects less than 500 patient records. The Regional Offices will use their own discretion to prioritize which breaches to investigate.
Some of the factors they will be considering include:
The number of records affected
Intrusions of the IT systems
The sensitivity of the data
Whether the data was unencrypted or disposed of improperly
Number of breaches from the same entity including business associates
The lack of reported breaches when comparing similar situations with specific covered entities and business associates
Here are some helpful tips to avoid data breaches:
Confirm fax numbers and email address BEFORE sending.
Do not permit ANYONE access to your systems without confirming their identity and verifying they are still employed with that particular company.
Do not click on links in emails, instead, open your browser and go to the website.
Make sure all accesses to ePHI utilizes strong passwords, preferably passphrases.
Change your passwords/phrases at least every 90 days. This includes your EHR, PM software, workstation operating system, and email access.
If a two-step authentication is available, make sure it is engaged.
Use encryption whenever possible, depending on the operating system you use, it may be FREE!
Request a network security audit to be performed that includes remediation.
Do not retain records longer than necessary, why have that exposure if it is not required!
Make sure everyone involved with Patient Data is HIPAA Compliant.
As we mentioned last month, enforcement of HIPAA is here and you must ensure that if you are audited or investigated you have all of the appropriate documentation in place. Remember… if it is not documented, it doesn’t exist!
If you are one of the many organizations that simply do not have the time to do this, you are not alone. We offer a full range of services from a Do-It-Yourself HIPAA program to a Full HIPAA Implementation package. Call Aris at 877.659.2467 or click here to schedule a demo.
I am sure you have seen the recent HIPAA fines from the Office for Civil Rights (OCR). HIPAA enforcement is like never before and the fines are fierce. We knew this day would come and it has.
We are encouraging all medical practices and business associates to make sure you have all of your HIPAA compliance policies, procedures, and documentation implemented. When you are audited is not the time to discover you forgot something. The OCR is not being very kind.
When you are reviewing your HIPAA policies and procedures and deciding whether or not to implement the “Addressable” standards, be careful. Addressable is NOT optional; you must have reasonable and appropriate safeguards in place. Since there is not enough case law on record, this is a gray area. Just be careful you do not fall into the big black hole! Also, do not skip over any “Required” standards. These are required no matter what size your organization is.
We are seeing fines like $750K for neglecting to have a Business Associate Agreement (BAA) in place before data was released and a $650K fine for a lost IPhone that was not encrypted. Make sure you not only have BAAs in place but the business associate is in fact HIPAA compliant. This the responsibility of each practice. HIPAA enforcement is here and it is not going away anytime soon.
If you are one of the many organizations that simply do not have the time to do this, you are not alone. We offer a full range of services from a Do-It-Yourself HIPAA program to a Full HIPAA Implementation package. Call Aris at 877.659.2467 or click here to schedule a demo.
“Protecting Organizations through Partnership, Education, and Support”
Since most medical practices are going electronic, it may be time to free up some of that precious space in your office. Make sure when, how, and where you decided to store your data is secure.
Some practices move excess patient charts to a self storage unit. It’s cheap and if you have an patient chart inventory list you should be safe… right?
What happens if the facility burns down?
What if someone breaks in and it is not discovered for months?
What if you don’t have an inventory list of which records are in there?
Did you know that PHI is considered PHI until after a person has been deceased for 50 years! That means even if the person isn’t alive, it is still a reportable breach!
Did you know that if you can’t determine if ANY records or WHICH records were stolen, you would have to report all of them.
Self storage units may sound like a good deal. That good deal could cost you more in the end. If the unit burns or if it is vandalized, you could be charged for wilful neglect for NOT securing the records. Not to mention, you may be required to report this as a data breach and cost you nearly $350.00 per record! Are you willing to accept that risk? After all, the OCR doesn’t specifically state what is or is not HIPAA compliant. If you suffer a data breach, THEN they will determine if you had reasonable and appropriate safeguards in place.
Now I will ask you.. Wouldn’t it make sense to spend about the same amount of money and have a professional company store your records? That’s right; for about $50.00 per month you can store approximately 100 boxes of records! Of course pricing will depends on your location and how many you need to store. When organizing the records, we suggest by year and alphabetize them. This makes it much easier when the time comes to destroy them!
If you need assistance with a Risk Analysis, Risk Management Plan, or implementing a full set of HIPAA Policies and Procedures, call Aris at 877.659.2467 or click here to schedule a demo. We offer a full range of services from a Do-It-Yourself HIPAA program to a Full HIPAA Implementation package.
“Protecting Organizations through Partnership, Education, and Support”
News broke that LinkedIn user account credentials were dumped on the dark web.
Back in 2012 is when the actually breach occurred, but now the data has surfaced for sale.
Although LinkedIn has taken reasonable advances to mitigate this problem, you still need to protect yourself as well. What that means to you is… you need to change your password as soon as possible. If you used this password anywhere else, you should change that as well. We also recommend implementing a two-step authentication on all sites that offer it. It is easy to set up and adds an extra measure to keep your data safe. Also be very cautious when answering or accepting new connections. Criminals have figured out how to look real, sound real, and get you to take their bait. They do leave clues, but you need to be diligent and read the communication carefully and do not click on any links. Open your web browser and type the name of the company and see if there are any warnings about the website. Your anti-virus (if you use a decent one) should notify you if the website has any suspicious activity.
An additional reason we bring this to your attention is because there are medical practices that have suffered a breach and they do not even know it. It may take years before this data surfaces or is sold. We not only work within this profession but we are also patients at medical facilities all over the country. We must do our part as employees as well as consumers to protect this (our) data. What you need to do:
Use strong passwords (phrases) and change them at least every 90 days.
Implement a two-step authentication anywhere it is available.
Uneducated employees cause most of the breaches, either by clicking on a link or through a lost or stolen device. Continuous education is of the utmost importance.
The use of encryption and/or auto-wipe/remote wipe on all devices that access or store Protected Health Information (ePHI).
Report any suspicious activity to your HIPAA Security Officer.
Be sure to review this report to determine if a breach has happened or potentially has happened.
Mitigate the risk to the best of your ability and make sure it is documented.
If you need assistance with a Risk Analysis, Risk Management Plan, or implementing a full set of HIPAA Policies and Procedures, call Aris at 877.659.2467 or click here to schedule a demo. We offer a full range of services from a Do-It-Yourself HIPAA program to a Full HIPAA Implementation package.
“Protecting Organizations through Partnership, Education, and Support”
The Office for Civil Rights (OCR) announced the clarification in the Fact Sheet they released earlier this year. The maximum amount that can be charged for patients that request a copy of their Protected Health Information (PHI) under the right of access is not $6.50. Rather, charging a flat fee not to exceed $6.50 is an option available to those entities that do not want to go through the process of calculating the actual or average costs for requests for electronic copies of PHI maintained electronically. Entities may choose the fee calculation method that is most appropriate for their circumstances, of course within the boundaries of what is permissible under the Privacy Rule.
The new FAQ may be found at: New Clarification – Up to $6.50 Flat Rate Option. Additional information regarding permissible fees and other aspects of the individual right of access may be found at: http://www.hhs.gov/hipaa/for-professionals/privacy/guidance/access/index.html
Contact Aris Medical Solutions at 877.659.2467 or click here to find out how we can protect your organization.
“Protecting Organizations through Partnership, Education, and Support”
The Omnibus Rule that became effective March 26, 2013 was a game changer in many ways. One area was requiring Covered Entities to ensure that Business Associate Agreements (BAA) were in place with all of their business partners by September 23, 2013. If a Covered Entity had agreements already in place, Covered Entities had until September 22, 2014 to replace them with new ones that had all of the required elements of the new Omnibus Rule.
Did you know that if a Covered Entity (Medical Practice) releases Protected Health Information (PHI) to person or an entity and the practice does not have a signed BAA in place, the Covered Entity can be fined? In the eyes of HIPAA, you have disclosed PHI to an unauthorized user. Yes, this is TRUE!
Did you know that if a medical practice’s software vendor has a data breach and you as the Covered Entity do not have a BA agreement in place you could be fined as well? I know what you are thinking… it’s THEIR responsibility, not yours. True, but it is YOUR responsibility to have an agreement in place. Have you reviewed your BA agreements to ensure the documents have all of the required elements and it protects YOU the Covered Entity? These are very important documents and since it is the responsibility of the medical practice to protect patient data, the practice dictates when this information can be shared. The practice also has the responsibility to have assurances that the entity understands how to protect the data before it is released.
The Office for Civil Rights (OCR) recently imposed a $750K fine for such an offense. A Raleigh Orthopedic practice released 17,300 x-rays films to a Business Associate (BA) that promised to transfer the images in exchange for the silver in films. Unfortunately the practice forgot to have the entity sign a Business Associate Agreement.
Make sure you do not make the same mistake…
Contact Aris Medical Solutions at 877.659.2467 or click here to find out how we can protect your organization.
“Protecting Organizations through Partnership, Education, and Support”
Most people try to do their best to avoid phishing scams but sometimes we do not even know it is happening!
For instance, criminals could be reading your emails to find out who you are, who you talk to, but more importantly… who you do NOT talk to.
This recently happened to a business I know. One of the corporate partners had his email infected with malware and was being “watched”. Once the criminals figured out who talked to who and who they did not talk to, they made the “phone” call. It went something like this:
Hi Sally, it’s Fred at ABC company. Frank, your CEO, asked me to call you to let you know that the $50K transfer has been approved. Here is the routing information you need. Thanks! Have a nice day!
Sally had never actually talked to Fred and didn’t know his voice. Frank and Fred are known business associates. They knew who Sally was and what was her job function. They also knew that Frank commonly gave Sally financial instructions. She trusted him and never questioned his requests.
Make sure you have appropriate procedures in place. Had this company had a protocol in place, that required Frank to sign off on any wire transfers or distributions, this would not have happened.
At your next staff meeting, discuss your procedures and make sure this doesn’t happen to you!
Contact Aris Medical Solutions at 877.659.2467 or click here to find out how we can protect your organization.
“Protecting Organizations through Partnership, Education, and Support”
Many organizations have the attitude that they are too small to be a target for a data breach. Just because you don’t hear about small and medium sized practices being targeted doesn’t mean it is not happening.
Most medical practices are busy treating patients and are not aware of the severity behind this type of threat. Since small and even medium sized practices do not have the infrastructure in place to protect their data, they are a larger target than think. Data breaches can go undetected for months, if not years since they are not watching for it. For instance, if a Pediatric Practice is hacked, those social security numbers can be used for years before it will be discovered.
Many business associates are also targeted because they have access to medical records in different manner. Again, small and midsized organizations that do not have appropriate safeguards in place can wreak havoc in a medical environment. So what can you do?
First of all, conduct a Security Risk Analysis to understand what are your vulnerabilities. This is critical in order to mitigate risks.
Next, have a network security audit performed. Even if you access your data in the cloud and not through an onsite server, you can still be hacked.
Invest in monitoring your network. Know who is accessing your data.
TRAINING IS A MUST! Your employees can be your best asset or your largest liability.
Not only is this required under HIPAA, it is considered best practice in protecting patient data.
Contact Aris Medical Solutions at 877.659.2467 or click here to find out how we can protect your organization.
“Protecting Organizations through Partnership, Education, and Support”