Spotting scams, you need to look closely!

Most people in healthcare have been affected by the Change Healthcare cyberattack. Scams have hit a new level, and you must be more diligent than ever before. Scams can be spotted, but you must look closely. A scam can quickly turn into a data breach. I recently conducted a HIPAA security officer training and reminded them of some of the threats that destroy your computer systems, both at work and at home. I watched “The Beekeeper” movie over the weekend. This made me change our Security Notification for this month. If you like action-packed, good-guy-gets-even movies, this is a great one. This movie is about an email scam and revenge. If you are a Jason Statham fan, you will like this movie!

Here is the scenario:

Your computer shows a huge alert saying it has been locked, you have been hacked, and your email, bank accounts, passwords, etc. have been compromised. The alert gives you a phone number for the “help desk”. You call the number, and they “help” themselves by emptying your bank account. Don’t call the number they give you; look it up yourself. DO NOT use a customer service or help desk number from a Sponsored Ad. Some scammers will pay for an ad to get to the top of Google. Most times you just need to reboot to clear the screen. DON’T click on anything in the warning. It is best to contact your IT company first. If you are at home and can’t get in touch with someone, you may need to use Ctrl, Alt, Delete to shut your computer down. Then run a virus scan when you boot back up. Whatever you do, do not pay anyone anything until you verify the validity of the situation!

Scams in text messages:

There are many versions of scams like this; they also arrive as text messages and voicemails. Scams are hitting new levels every day. Some want you to click on a link, others want you to call the number they provide. Never click on a link, or call the number listed in the text, until you verify the text is valid.

Other email scams:

We have been saying for years, DO NOT CLICK ON LINKS. When you receive an email from your bank, the IRS, the post office, FedEx, etc., look closely at the “from” email address. Many times you can spot the fake address. It could be something as simple as an extra “.” in the address. Also check who it is addressed to; sometimes it is someone else. They do this so you will reply to let them know they have the wrong person. Again, this is a tactic scammers use to see if you will answer. If there is a link they want you to click on, hover over it instead. It may take you to a completely different site. That site could infect your computer, or it could look like where you are supposed to go, only to lure you into entering your login credentials.
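As an added example (not part of the original post), the checks described above can be automated against a raw email message: whether the “from” domain really is the domain it pretends to be, whether the message is addressed to someone else, and whether a link’s visible text points somewhere other than its real destination (what you would see by hovering). The trusted domain, the recipient address and the sample message are all constructed for this illustration.

```python
"""Flag the phishing signs a reader is told to look for in a raw email message."""
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Registrable domains the reader expects mail from (assumed for this example).
TRUSTED_DOMAINS = {"examplebank.com"}
MY_ADDRESS = "jane@clinic.example"  # constructed recipient address


def registrable_domain(host: str) -> str:
    """'login.examplebank.com' -> 'examplebank.com' (last two labels)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


class _LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs from <a> elements in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def phishing_indicators(raw: str) -> list[str]:
    """Return human-readable warnings; an empty list means nothing was flagged."""
    msg = email.message_from_string(raw, policy=policy.default)
    warnings = []

    # 1. Sender domain: 'examplebank.com.mail-verify.net' is NOT examplebank.com,
    #    even though the trusted name appears at the start of the address.
    _, sender = parseaddr(msg.get("From", ""))
    sender_domain = registrable_domain(sender.partition("@")[2])
    if sender_domain not in TRUSTED_DOMAINS:
        warnings.append(f"From address {sender!r} is really from {sender_domain!r}")

    # 2. Addressed to someone else: bait to make you reply.
    _, to_addr = parseaddr(msg.get("To", ""))
    if to_addr.lower() != MY_ADDRESS:
        warnings.append(f"Message is addressed to {to_addr!r}, not to you")

    # 3. Link text vs. real destination, compared by registrable domain.
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector = _LinkCollector()
        collector.feed(body.get_content())
        for text, href in collector.links:
            if " " in text or "." not in text:
                continue  # plain words such as 'click here' cannot be compared
            real_host = urlparse(href).hostname or ""
            shown_host = urlparse(text if "://" in text else "//" + text).hostname or ""
            if registrable_domain(shown_host) != registrable_domain(real_host):
                warnings.append(f"Link shows {text!r} but goes to {real_host!r}")
    return warnings


# Constructed sample message for the demonstration (not a real phishing email).
SAMPLE = """\
From: "Example Bank Security" <alerts@examplebank.com.mail-verify.net>
To: someone.else@other.example
Subject: Unusual sign-in detected
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Confirm your identity at
<a href="http://login-examplebank.attacker.example/verify">https://www.examplebank.com/login</a></p>
</body></html>
"""

if __name__ == "__main__":
    for warning in phishing_indicators(SAMPLE):
        print("WARNING:", warning)
```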

Phone call scams:

Scammers can spoof legitimate agencies like the power company, IRS, and even the police department. Never pay for any “immediate” requirements. This includes the threat of your power being shut off, IRS payment due, or paying a penalty for missing jury duty. These are just SOME of the examples these criminals are using.

Online marketplaces:

Scammers also target people who post things for sale on sites like Craigslist or Facebook Marketplace. They also prey on people who post looking for help finding their lost pet.

These scammers contact you and say they want to buy the item you’re selling — or that they found your pet. However, before they commit to buying, or returning your pet, they typically say they’ve heard about fake online listings and want to verify that you’re a real person. Or they might say they want to verify that you’re the pet’s true owner.

They send you a text message with a Google Voice verification code and ask you for that code. If you give them the verification code, they’ll try to use it to create a Google Voice number linked to your phone number. (Google Voice gives you a phone number that you can use to make calls or send text messages from a web browser or a mobile device.) The scammer might use that number to rip off other people and conceal their identity.

Sometimes these scammers are after a Google Voice verification code and other information about you. If they get enough of your information, they could pretend to be you to access your accounts or open new accounts in your name.

If you gave someone a Google Voice verification code, follow these steps from Google to reclaim your number.

No matter what the story is, don’t share your Google Voice verification code — or any verification code — with someone if you didn’t contact them first. That’s a scam, every time. Report it at ReportFraud.ftc.gov.

What can you do?

When you receive a suspicious email, text, or phone call, call your bank or the company being impersonated to advise them of what happened. If they are doing this to you, they are doing this to MANY others. Also, you can report this to the Federal Trade Commission (FTC). The FTC does not resolve individual reports, but your report will be entered in the FTC’s Consumer Sentinel database and will be available to federal, state, and local law enforcement across the country.

If someone has clicked a link or opened an attachment that downloaded harmful software:

  • Contact your IT department to update your computer’s security software.
  • They will run a scan and delete anything it identifies as a problem.

If you think a scammer has your information, like your Social Security, credit card, or bank account number:

  • Go to identitytheft.gov for steps you can take based on what kind of information was lost or exposed.

If you gave your username and password to a scammer:

  • Change your password right away. If you use the same password for other accounts or sites, change it there, too.

If someone calls and offers to “help” you recover money you have already lost:

  • Don’t give them money or personal information. You are probably dealing with a fake refund scam.

Scammers are getting bolder and more brazen. It is up to us to stay diligent and to stay safe.

Feel free to share this blog with your colleagues. We want to educate as many practices as we can since data breaches can be expensive. If you need assistance with HIPAA Compliance, check out our HIPAA Keeper™. It’s an online compliance system that has everything you need to get compliant and stay compliant! Best of all you will have a HIPAA security analyst to guide you every step of the way!

For more information or to speak to someone about HIPAA Compliance, call us at 877.659.2467 or use the contact us form.

“Simplifying HIPAA through Automation, Education, and Support”

HIPAA Security Rule requirements, Part 2 – Security Awareness and Security Incident Procedures

What the Office for Civil Rights (OCR) and the Department of Health and Human Services (HHS) consider reasonable and appropriate safeguards is always subject to discretion. Every organization is different, and what may work for one may not for another. For that reason, this information is a guideline only and should not be taken as legal advice.

Here are a few areas that should be reviewed:

§ 164.308(a)(5)(i) Security Awareness and Training has four implementation standards. They are labeled as “Addressable” under the HIPAA Security Rule. Do not be fooled by the term addressable; it does not mean optional. It just means you have options in how you implement the standards.

The Security Awareness and Training standard means that a covered entity must implement a security training program for all employees, including management. How often the training must be performed is a common question; HIPAA requires that new hires be trained within a reasonable amount of time. We recommend HIPAA training BEFORE any person has access to PHI or ePHI, since one mistake can cause a data breach. After that, HIPAA requires “periodic” training. Most organizations conduct annual HIPAA training. Although HHS does not specifically state you must conduct annual training, should you suffer a data breach caused by an employee who did not have proper training, you could be fined for that violation. That is why it is so important to ensure your employees not only attend HIPAA training (and that attendance is documented), but also actually understand what is required of them and how to safeguard patient data.

§ 164.308(a)(5)(ii)(A) Security Reminders – HIPAA is not just a once-a-year process. Periodic security reminder updates should be conducted throughout the year to keep HIPAA and data security in the minds of your staff. This should be documented as well.

§ 164.308(a)(5)(ii)(B) Protection from Malicious Code – Procedures must be in place to guard against, detect, and report viruses and malware. Up-to-date anti-virus and anti-malware software can ward off most intrusions, as long as your staff does not click on attachments or visit websites where malicious code is located. Education is key. Ensuring software patches are applied when released, scanning systems on a routine basis, and utilizing firewalls are also very important. You must also make sure users do not introduce malicious code from downloads, DVDs, flash drives, or other devices brought from home.

§ 164.308(a)(5)(ii)(C) Log-in Monitoring – Procedures for monitoring log-in activity and reporting discrepancies. This standard states you must monitor user logins and unsuccessful attempts. Best practices are to have procedures to lock a user out after a predetermined number of failed log-in attempts. This may prevent an unauthorized user from gaining access to your system. With malware that repeatedly tries new passwords, this is highly recommended.

§ 164.308(a)(5)(ii)(D) Password Management – Procedures for creating, changing, and safeguarding passwords. All users must use their own credentials to log into systems that contain ePHI. Passwords are to be complex, never shared, kept secure, and changed at least every 90 days. Although HIPAA does not specifically state the 90-day rule, it is a best practice unless you are utilizing a second method of authentication.

§ 164.308(a)(6)(i) Security Incident Procedures has one implementation standard, and it is “Required”. This means you MUST implement the standard as stated. You must have policies and procedures in place that identify security incidents, so employees understand what a security incident is and how to respond.

§ 164.308(a)(6)(ii) Response and Reporting requires a covered entity to have policies and procedures in place to report and mitigate security incidents and determine if a data breach occurred. Then, if a data breach has occurred, the covered entity must determine how many patient records were affected. The time frame to report the breach to OCR, and possibly to state and local agencies, depends on whether the breach involves more than 500 patient records. This should be clearly outlined in your Breach Notification Plan. During the breach notification process, state law will supersede the federal HIPAA law if the state law is more stringent. Keep in mind, all 50 states have their own set of privacy laws.

We will be adding more information on other Security Standards, so watch for more posts!

If you need assistance with HIPAA Risk Management or guidance with your HIPAA Compliance contact us at 877.659.2467 or complete the contact us form.

OCR Issues Audit Report on Health Care Compliance

Yesterday, the Office for Civil Rights (OCR) at the Department of Health and Human Services (DHHS) released its 2016-2017 HIPAA Audits Report. Although this seems outdated, it typically takes this long to compile the data. They reviewed selected covered entities (CE) and business associates (BA) for compliance with the HIPAA Privacy, Security, and Breach Notification Rules.

DHHS is required by law under the HITECH Act to conduct periodic audits. The chances of a random audit are slim, but they do happen, and you must be prepared. Don’t be fooled by the slim chance of a random audit; you can be audited for many other reasons! This audit comprised 166 covered entities and 41 business associates. The OCR publishes this report to share the overall findings.

A summary of the audit findings includes:

  • Most CEs met the timeliness requirements for providing breach notification to individuals.
  • Most CEs that maintained a website about their customer services or benefits satisfied the requirement to prominently post their Notice of Privacy Practices on their website.
  • Most CEs failed to provide all of the required content for a Notice of Privacy Practices.
  • Most CEs failed to provide all of the required content for breach notification to individuals.
  • Most CEs failed to properly implement the individual right of access requirements such as timely action within 30 days and charging a reasonable cost-based fee.
  • Most CEs and BAs failed to implement the HIPAA Security Rule requirements for risk analysis and risk management. 

“The audit results confirm the wisdom of OCR’s increased enforcement focus on hacking and OCR’s Right of Access initiative,” said OCR Director Roger Severino. “We will continue our HIPAA enforcement initiatives until health care entities get serious about identifying security risks to health information in their custody and fulfilling their duty to provide patients with timely and reasonable, cost-based access to their medical records.”

The 2016-2017 HIPAA Audits Industry Report may be found at:  https://www.hhs.gov/sites/default/files/hipaa-audits-industry-report.pdf

Looking back at 2020 and HIPAA Compliance Violations

During this pandemic, the Office for Civil Rights (OCR) relaxed some of the requirements for Telehealth. This has since been retracted. Make sure the service you are using is in fact HIPAA compliant and you have a business associate agreement (BAA) in place. We also encourage you and all your business associates (BA) to carry cyber liability insurance. Data breaches and mishaps seem to be part of our everyday life. Although your medical malpractice insurance may offer a token amount of coverage, it is probably not enough. Keep in mind, if you cannot determine WHICH patients’ data has been breached, you must notify all your patients. This is where it can be very costly. When selecting an agent, make sure they are well versed in this type of insurance, as we have seen some policies that are not worth the paper they are written on. Read the exclusions!

Below are some HIPAA violation highlights from 2020. This is not meant to scare you, but to remind you of how important adhering to HIPAA really is. The Office for Civil Rights (OCR) enforcement actions are designed to send a message to the health care industry about the importance and necessity of compliance with the HIPAA Rules.

The OCR investigation found longstanding, systemic noncompliance with the HIPAA Security Rule including failure to conduct a risk analysis, and failures to implement information system activity review, security incident procedures, and access controls.

“The health care industry is a known target for hackers and cyberthieves.  The failure to implement the security protections required by the HIPAA Rules, especially after being notified by the FBI of a potential breach, is inexcusable,” said OCR Director Roger Severino.

The OCR investigation discovered longstanding, systemic noncompliance with the HIPAA Privacy and Security Rules including failures to conduct a risk analysis, implement risk management and audit controls, maintain HIPAA policies and procedures, secure business associate agreements with multiple business associates, and provide HIPAA Privacy Rule training to workforce members.

“Hacking is the number one source of large health care data breaches. Health care providers that fail to follow the HIPAA Security Rule make their patients’ health data a tempting target for hackers,” said OCR Director Roger Severino.

The OCR investigation revealed that a former employee returned eight days after being terminated, logged into her old computer with her still-active user name and password. Additionally, OCR found that the former employee had shared her user ID and password with an intern, who continued to use these login credentials to access PHI after the employee was terminated. The investigation determined that the entity failed to conduct an enterprise-wide risk analysis, and failed to implement termination procedures, access controls such as unique user identification, and HIPAA Privacy Rule policies and procedures.
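The Log-in Monitoring standard (§ 164.308(a)(5)(ii)(C)) above and the terminated-employee case here both come down to looking at authentication records. The following added example (not from the original posts or any product) runs three checks over a constructed authentication log: accounts that reached a failed-attempt threshold inside a time window and should have been locked, successful logins by an account after its owner’s termination date, and an account used from more than one source within a short window, which is what a shared user ID and password looks like. The log format, the HR termination feed and every user and address are assumed for the illustration.

```python
"""Login-monitoring checks over a constructed authentication log (lines are in time order)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not from any real system).  Format assumed for this example:
# <ISO timestamp> user=<account> result=OK|FAIL src=<source address>
LOG_LINES = [
    "2020-03-01T09:30:00 user=msmith result=OK src=10.0.0.42",
    "2020-03-01T09:45:00 user=msmith result=OK src=10.0.0.77",
    "2020-03-10T08:15:02 user=jdoe result=FAIL src=10.0.0.5",
    "2020-03-10T08:15:40 user=jdoe result=FAIL src=10.0.0.5",
    "2020-03-10T08:16:11 user=jdoe result=FAIL src=10.0.0.5",
    "2020-03-10T08:16:55 user=jdoe result=FAIL src=10.0.0.5",
    "2020-03-10T08:17:30 user=jdoe result=FAIL src=10.0.0.5",
    "2020-03-10T08:20:00 user=alee result=FAIL src=10.0.0.9",
    "2020-03-10T08:20:30 user=alee result=OK src=10.0.0.9",
    "2020-03-10T08:40:12 user=msmith result=OK src=10.0.0.42",
    "2020-03-11T09:05:00 user=msmith result=OK src=10.0.0.77",
]

# Assumed HR feed: account -> date and time employment ended.
TERMINATIONS = {"msmith": datetime(2020, 3, 2, 17, 0)}


def parse_line(line: str) -> dict:
    """Split one log line into a dict with a datetime under 'time'."""
    ts, *fields = line.split()
    rec = dict(field.split("=", 1) for field in fields)
    rec["time"] = datetime.fromisoformat(ts)
    return rec


def lockout_candidates(lines, threshold=5, window=timedelta(minutes=15)):
    """Return {user: time the threshold was reached} for accounts with
    `threshold` or more failures inside a sliding `window`; these are the
    accounts a lockout procedure should have disabled."""
    recent = defaultdict(deque)  # user -> times of recent failures
    hits = {}
    for rec in map(parse_line, lines):
        if rec["result"] != "FAIL":
            continue
        q = recent[rec["user"]]
        q.append(rec["time"])
        while q and rec["time"] - q[0] > window:
            q.popleft()  # drop failures that fell out of the window
        if len(q) >= threshold and rec["user"] not in hits:
            hits[rec["user"]] = rec["time"]
    return hits


def post_termination_logins(lines, terminations):
    """Return (user, time, src) for every successful login that happened
    after the account owner's termination, i.e. credentials never disabled."""
    found = []
    for rec in map(parse_line, lines):
        ended = terminations.get(rec["user"])
        if ended is not None and rec["result"] == "OK" and rec["time"] > ended:
            found.append((rec["user"], rec["time"], rec["src"]))
    return found


def shared_credential_suspects(lines, window=timedelta(minutes=30)):
    """Return the set of users whose successful logins came from more than
    one source address inside `window`; a common sign of a shared password."""
    recent = defaultdict(deque)  # user -> (time, src) of recent successes
    suspects = set()
    for rec in map(parse_line, lines):
        if rec["result"] != "OK":
            continue
        q = recent[rec["user"]]
        q.append((rec["time"], rec["src"]))
        while q and rec["time"] - q[0][0] > window:
            q.popleft()
        if len({src for _, src in q}) > 1:
            suspects.add(rec["user"])
    return suspects


if __name__ == "__main__":
    print("should be locked out:", lockout_candidates(LOG_LINES))
    print("logins after termination:", post_termination_logins(LOG_LINES, TERMINATIONS))
    print("possible shared credentials:", shared_credential_suspects(LOG_LINES))
```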

“Medical providers need to know who in their organization can access patient data at all times. When someone’s employment ends, so must their access to patient records,” said OCR Director Roger Severino.

The OCR investigation revealed that in addition to the impermissible disclosures, Aetna failed to perform periodic technical and nontechnical evaluations of operational changes affecting the security of their electronic PHI (ePHI); implement procedures to verify the identity of persons or entities seeking access to ePHI; limit PHI disclosures to the minimum necessary to accomplish the purpose of the use or disclosure; and have in place appropriate administrative, technical, and physical safeguards to protect the privacy of PHI.

“When individuals contract for health insurance, they expect plans to keep their medical information safe from public exposure. Unfortunately, Aetna’s failure to follow the HIPAA Rules resulted in three breaches in a six-month period, leading to this million-dollar settlement,” said OCR Director Roger Severino.

The OCR has settled twelve investigations for HIPAA Right of Access denials. This is not to be confused with a medical summary at the end of a patient encounter. A patient’s request for a copy of their medical record (their designated record set) either by them or from a third party must be handled in a timely manner.

“It shouldn’t take a federal investigation to secure access to patient medical records, but too often that’s what it takes when health care providers don’t take their HIPAA obligations seriously.  OCR has many right of access investigations open across the country, and will continue to vigorously enforce this right to better empower patients,” said Roger Severino, OCR Director.

“No one should have to wait over a year to get copies of their medical records.  HIPAA entitles patients to timely access to their records and we will continue our stepped up enforcement of the right of access until covered entities get the message,” said Roger Severino, OCR Director.

“The OCR is committed to enforcing patients’ right to access their medical records, including the right to direct electronic copies to a third party of their choice. HIPAA covered entities should review their policies and training programs to ensure they know and can fulfill all their HIPAA obligations whenever a patient seeks access to his or her records,” said Roger Severino, OCR Director.

“For too long, healthcare providers have slow-walked their duty to provide patients their medical records out of a sleepy bureaucratic inertia. We hope our shift to the imposition of corrective actions and settlements under our Right of Access Initiative will finally wake up healthcare providers to their obligations under the law,” said Roger Severino, OCR Director.

The OCR investigation determined that there was systemic noncompliance with the HIPAA Rules including a failure to encrypt ePHI on laptops after Lifespan ACE determined it was reasonable and appropriate to do so.  OCR also uncovered a lack of device and media controls, and a failure to have a business associate agreement in place with the Lifespan Corporation.

“Laptops, cellphones, and other mobile devices are stolen every day, that’s the hard reality.  Covered entities can best protect their patients’ data by encrypting mobile devices to thwart identity thieves,” said Roger Severino, OCR Director.

A breach report regarding the impermissible disclosure of protected health information to an unknown email account. The breach affected 1,263 patients.  OCR’s investigation revealed longstanding, systemic noncompliance with the HIPAA Security Rule.  Specifically, they failed to conduct any risk analyses, failed to implement any HIPAA Security Rule policies and procedures, and neglected to provide workforce members with security awareness training until 2016.

“Health care providers owe it to their patients to comply with the HIPAA Rules.  When informed of potential HIPAA violations, providers owe it to their patients to quickly address problem areas to safeguard individuals’ health information,” said Roger Severino, OCR Director.

“All health care providers, large and small, need to take their HIPAA obligations seriously,” said OCR Director Roger Severino. “The failure to implement basic HIPAA requirements, such as an accurate and thorough risk analysis and risk management plan, continues to be an unacceptable and disturbing trend within the health care industry.”

HIPAA covered entities and business associates are required to conduct an accurate and thorough assessment of the risks to the ePHI they maintain. Identifying, assessing, and managing risk can be difficult, especially in organizations that have a large, complex technology footprint. Understanding one’s environment – particularly how ePHI is created and enters an organization, how ePHI flows through an organization, and how ePHI leaves an organization – is crucial to understanding the risks ePHI is exposed to throughout one’s organization. As technology changes, risk assessments must be updated and reflected in a risk management plan. Policies and procedures may also need to be reviewed and updated depending on the type of changes in technology. As we get ready to close out 2020, set your schedule to review your updates and planned upgrades for 2021.

To read about enforcement and the resolution agreements, click on the link below:

https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/index.html

Responsibilities of a HIPAA Compliance Officer

While the nation was shut down and people were suffering, hackers were busy at work. It is coming to light how many organizations have had a data breach and have been hit with ransomware.

Now more than ever, all organizations need to make sure their HIPAA Compliance Officer understands what is needed for data security. The FBI has stated cybercrime in 2020 has surpassed 2019, and we still have a few months to go. The problem is the hackers have become very sophisticated in their attacks. Whereas it used to be easy to spot a fake email, that is no longer the case. Between email and text efforts, they are gaining access to our information, and we are the ones permitting it. Also, user credentials are compromised and used to gain access to your network or to send false emails to gather personal information. These scams typically involve a criminal who has hacked a legitimate email address. For example, a person would receive a message that appears to be from someone within their organization or from a business associate that person knows. The message will request a payment, wire transfer, gift card purchase, or even a list of employees with Social Security numbers, and it will seem legitimate. The compliance officer should be notified, and the transaction verified, BEFORE it is completed. Every office needs to have a verification process in place before releasing ANY data.

We have said this before… if a stranger walked up to you and asked you to verify your identity, would you give them any information? Of course not, but that is exactly what we are doing when we receive an email or text message from someone or somewhere we trust. Trust, but verify.

With more and more people working remotely, that brings us to another vulnerability. Covered entities that utilize the services of business associates are required by HIPAA to ensure the business associate is in fact HIPAA compliant. The starting point is to ensure you have a business associate agreement in place with all your vendors that create, receive, maintain, or transmit protected health information (PHI). This agreement should include security requirements to ensure they are protecting your patient data. If a covered entity does not have a BA agreement in place and the vendor causes a data breach, the covered entity will more than likely receive the fine. With a BA agreement in place, it is still typical that the covered entity bears the financial burden of the breach, but it may not receive the fines. That is why a BA agreement should include an indemnification clause and require the business associate to carry cyber liability insurance. Recently, a business associate was fined $2.3 million for a data breach that was caused by a hacking incident. If the covered entities did not have BA agreements in place, they could have been the ones who received this hefty penalty. Also, recently an orthopedic clinic was fined $1.5 million after a journalist notified them that a database of their patient information was posted for sale online. For this reason, we recommend covered entities carry their own policies as well. “Hacking is the number one source of large health care data breaches. Health care providers that fail to follow the HIPAA Security Rule make their patients’ health data a tempting target for hackers,” said OCR Director Roger Severino. Many electronic and portable devices are used to process and store PHI. Anyone with access to such devices could potentially have the ability to change configurations, install malicious programs, change information, or access information that they are not authorized to. Any of these actions has the potential to affect the integrity of patient information. HIPAA requires covered entities and their business associates to implement and follow policies and procedures to limit access to only those who are authorized.

Risk management should be at the top of everyone’s list. Preventing data breaches and securing patient data is everyone’s responsibility, but the OCR requires someone to be the point person, hence the HIPAA Security or Compliance Officer title. This responsibility is so much more than just a title. A HIPAA Compliance Officer’s responsibilities include creating, maintaining, and enforcing compliance. This covers the staff, management, and even the medical providers. I hear too often that the compliance officer gets push back from the doctors or owners. This is so unfortunate, since they are only trying to do the job that is required of them under state and federal law. They are the front-line defense in keeping your practice alive and well. The owners of the practice may suffer the financial loss, but sometimes everyone does if the practice closes. Let’s all work together to keep patient data safe and secure.

To find out more about how our automated HIPAA compliance platform can help your organization click here:

https://arismedicalsolutions.com/aris-hipaa-service-automated-platform/

Or to schedule a demo click the contact us tab and scroll down.

HIPAA in 2020 – How the protection of our privacy may be changing

By Suze Shaffer

HIPAA Compliance Training, January 15, 2020

Hindsight is always 2020, as we begin this new year, let’s try to make that a current sight!

By now, those of you who have been using Windows 7 computers and Windows Server 2008 have been getting notifications that the end of life was coming. That time is here. As of January 14, 2020, Microsoft no longer supports these operating systems. What this means is they will no longer send out security updates. Each time a security update is issued, it is because someone has found a vulnerability that could be exploited. This is why hackers lie in wait for unsuspecting people to ignore this. Of course, it is doubtful that you will get hit on January 15, but the chance is there and will increase with each passing day. If you are hacked and this causes a data breach, you WILL be fined for using outdated software. At the conference in October, the OCR specifically discussed this.

All 50 states have their own set of privacy laws to protect their residents. In healthcare we have to adhere to HIPAA, the Federal law, but must also follow state law when it is more stringent. Sometimes this means flipping back and forth, and it becomes very confusing. The good news is that lawmakers are trying to come up with a Federal privacy law to help stop the confusion. Although they haven’t come up with a firm plan yet, they are working on it. This is partly due to the GDPR (General Data Protection Regulation) being enforceable in the United States. Some people view this as a cost-guzzling law, but we are all consumers, and we should have the right to know who is collecting our data, how they are storing our information, and if they are selling our information. Hopefully, our Federal lawmakers will come up with a law that will allow consumers to opt out if we don’t want our information sold. In healthcare, our information may be sold by EHRs and other healthcare companies when it is de-identified. Medical practitioners are required to obtain a patient’s authorization before they share patient information. Other businesses should be required to do the same and be fined for selling our personal information if we do not permit the disclosure.

To learn more about what is being discussed in legislation, click here:

https://cdt.org/collections/federal-privacy-legislation/

If you would like to learn more about the legislative proposal, click here:

https://cdt.org/insights/statement-of-michelle-richardson-examining-legislative-proposals-to-protect-consumer-data-privacy/

In June 2018 California passed a consumer privacy law, AB 375, that may be more stringent than the GDPR. The California Consumer Privacy Act (CCPA) went into effect January 1, 2020. Although the law isn’t as stringent as the GDPR on notification timelines, it does have some very tight restrictions that go even further. Any company that has at least $25 million in annual revenue and serves California residents must comply with the law. Also, companies of any size that have personal data on at least 50,000 people, or that collect more than half of their revenues from the sale of personal data, fall under this law. Companies don’t have to be based in California to fall under the law. They don’t even have to be based in the United States.

We believe more states will follow California unless we can agree on a Federal law to help all consumers. Most of us are patients at a medical facility somewhere, and we are ALL consumers everywhere! Enacting a Federal privacy law would be a good thing, not a bad one!

Happy New Year and praying for good things to come!

If you would like more information, contact us at 877.659.2467 or complete the contact us form.

“Simplifying HIPAA through Partnership, Education, and Support”

RIPlace technique allows malware to bypass anti-malware programs

By Suze Shaffer

HIPAA Ransomware

Like we don’t have enough to worry about, now this!

Security researchers are saying this new technique is effective even against systems that are patched and run anti-virus scans. This process allows ransomware to encrypt files on Windows-based systems. The way most ransomware gets into our systems is through unsuspecting users or hijacked user credentials. Of course, it can happen from a disgruntled employee as well. Once this happens, the ransomware opens and reads an original file, then deletes or destroys the original by encrypting it. Within a short amount of time the hacker can invade your systems and crawl through your entire network, taking everything down and literally destroying your livelihood. Of course, there is more to this, and if you want, you can research it. The main reason why I wanted to share this with you is because… as I have said many times, employees are your first line of defense! Well-educated employees can prevent this from happening in your organization. Here is what you need to do TODAY to prevent a data breach:

  1. Remind every user that company computers are for business purposes ONLY. Browsing to an infected website can infect your network.
  2. Remind users not to click on links or attachments they are not expecting, even if the message appears to come from someone they know.
  3. Do not give anyone access to your systems without confirming their identity. This includes service providers. If there is no scheduled appointment, call the provider on a number you already have and verify the person is still employed there.
  4. Remove access for terminated employees IMMEDIATELY. Have this process set up and ready before the termination takes place.
  5. Conduct a criminal background check on ALL new hires. State in your employee manual that a background check may be performed at any time during employment.
  6. Have a network security professional audit your systems. This will identify open ports and vulnerabilities that need to be closed.
  7. Keep a backup of your systems that is NOT connected to your network.
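As an added illustration of the open-read-encrypt-replace pattern described above (example code written for this page, not from the original post and not RIPlace itself), the Python below flags files whose content turned from plain text into ciphertext between two scans. A filter driver that only watches the rename call can be fooled by RIPlace; a check that looks at what actually ended up on disk is an independent signal. Everything here is constructed: the sample notes are generated in a temporary directory, the "ransomware" is a stand-in that XORs each file with a random keystream and then renames the result over the original (os.replace() stands in for the Windows rename step), and the 7.0 bits-per-byte threshold is an assumed value.

```python
"""Added example: detect the open-read-encrypt-replace ransomware pattern by
content, not by watching the rename.  Sample files, the XOR stand-in cipher and
the entropy threshold are all constructed for this illustration."""
import math
import os
import tempfile
from collections import Counter

ENTROPY_THRESHOLD = 7.0   # assumed cut-off in bits/byte; text sits near 4-5, ciphertext near 8


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def snapshot(directory: str) -> dict:
    """Map each regular file (relative path) to its (entropy, size)."""
    result = {}
    for root, _dirs, files in os.walk(directory):
        for name in files:
            path = os.path.join(root, name)
            with open(path, "rb") as fh:
                data = fh.read()
            result[os.path.relpath(path, directory)] = (shannon_entropy(data), len(data))
    return result


def stand_in_ransomware(path: str) -> None:
    """Constructed stand-in for the pattern in the text: read the original,
    'encrypt' it (XOR with a random keystream, NOT real ransomware crypto),
    write the ciphertext to a new file, then rename it over the original."""
    with open(path, "rb") as fh:
        plaintext = fh.read()
    keystream = os.urandom(len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, keystream))
    tmp = path + ".tmp"
    with open(tmp, "wb") as fh:
        fh.write(ciphertext)
    os.replace(tmp, path)      # the original content is gone after this rename


def suspicious_replacements(before: dict, after: dict) -> list:
    """Files that were low-entropy before and high-entropy after: the signature
    of a document overwritten with ciphertext.  New or deleted files are ignored."""
    flagged = []
    for rel, (ent_after, _size) in after.items():
        if rel in before and before[rel][0] < ENTROPY_THRESHOLD <= ent_after:
            flagged.append(rel)
    return sorted(flagged)


def demo() -> list:
    """Create sample notes, let the stand-in encrypt two of them, legitimately
    edit a third, and return which files the content check flags."""
    with tempfile.TemporaryDirectory() as workdir:
        text = b"Patient visit note: blood pressure normal, follow up in 6 weeks.\n" * 64
        for name in ("note1.txt", "note2.txt", "note3.txt"):
            with open(os.path.join(workdir, name), "wb") as fh:
                fh.write(text)
        before = snapshot(workdir)
        stand_in_ransomware(os.path.join(workdir, "note1.txt"))
        stand_in_ransomware(os.path.join(workdir, "note3.txt"))
        with open(os.path.join(workdir, "note2.txt"), "ab") as fh:   # a normal edit, must not be flagged
            fh.write(b"Addendum: patient called, no new symptoms.\n")
        after = snapshot(workdir)
        return suspicious_replacements(before, after)


if __name__ == "__main__":
    print("flagged:", demo())
```

The check is only a heuristic: files that are already compressed or encrypted (archives, many PDFs) start out high-entropy, so the baseline snapshot matters, and it catches the damage after the fact rather than preventing it. That is exactly why item 7, an offline backup, is still the control that saves the practice.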

I know I have said this in the past, but I have to say it again: the World Wide Web (WWW) is the new Wild Wild West. The difference is that the danger is invisible until it is too late. Be careful out there.


Are you sharing TMI – Too Much Information?

By Suze Shaffer


When designing your website, we all think it is a great idea to "share" who our team is. Although this is necessary in healthcare, because patients want to see who your staff are and get to know them, be careful not to give out TMI – too much information. Hackers and spammers trawl websites looking for information they can use. Think about this: when you post your favorite flower, favorite food, or where you were born, those answers can be used to get past security questions on your accounts or to piece together other details of your life.

Another area of concern is when a business associate calls your office and asks for information when you did not request the contact. Make sure that person is still employed there and verify the call before giving out any information, sending any information, or permitting access to your systems. Recently, a friend of mine told me about an IT company that had one of its employees impersonated on the phone. Luckily the hacker wasn't able to get anything, since the computer wasn't connected to the network. Just think what could have happened if it were!

Best practices for protecting your information:

  1. Although you want to be "real" and connect with your patients online, give out information sparingly. What you post online can be read by ANYONE!
  2. When creating security questions, don't answer them truthfully. When asked for your favorite flower, make something up! You just have to remember what you made up, so store the made-up answers in a password manager rather than relying on memory. For example: Favorite flower: Mexican (name a food instead). Favorite food: Pink Roses (name a flower instead). Mix it up a bit!
  3. When anyone calls and asks for confidential or patient information, verify before giving anything out. Make sure the employee still works there and has actually been asked to do whatever they are requesting.
  4. Never give anyone who calls on the phone access to your computer, server, or any other electronic device until they have been verified.
  5. Do not process any transaction until the request has been verified.

I know this sounds like a lot of extra work, but think about the consequences and the time that will be spent correcting a mistake. Not to mention the cost if you have a data breach!


Ransomware is a REAL threat…

By: Aris Medical Solutions


We all hope we will not fall victim to ransomware, but we need to do more than hope. All businesses, and especially healthcare organizations, must have a contingency plan that includes data recovery in the event their systems are encrypted. If you have a backup that is NOT connected to your network, your downtime will be minimal. Keep in mind that you may still need to go through the breach notification process under your state law and the federal HIPAA Breach Notification Rule: HHS guidance treats ransomware encryption of ePHI as a presumed breach unless you can document a low probability that the data was compromised.

A Michigan ENT and hearing practice refused to pay $6,500 in ransom and the hackers wiped their systems. With no chance of recovering the data, they chose to close the practice.
More recently, a California medical practice was unable to recover its data after ransomware encrypted its systems, including the backups. As a result, the practice will close on December 17, 2019.
I could keep adding to the list, but I would rather educate you on how to avoid this!

Best practice is, of course, to PREVENT ransomware in the first place. This starts with a solid network security program and education for your workforce. Most malware is introduced by an unsuspecting employee. Truly, one click of a mouse can set off a chain of events that ends in the loss of your business. I know that sounds dramatic, but many small to medium-sized organizations that suffer a data breach do not survive.

Healthcare is a major target. In fact, 71% of ransomware attacks are aimed at small to medium-sized practices, because they do not have adequate network security in place.

  1. Your first line of defense is an enterprise-class firewall appliance. That means: do not buy a consumer router that advertises parental controls!
  2. Second, have a network security specialist configure your firewall and set custom security rules. It is fairly simple to set up a "network", but it takes someone who truly understands network security to secure one. This includes computers, servers, access points, etc.
  3. Depending on the size of your organization, you may need an onsite server acting as a domain controller. Once it is in place, all users authenticate through the domain, and security settings can be pushed to every machine at once through Group Policy, where users cannot change them.
  4. Phishing education for all employees, including providers and management. According to Barracuda's analysis, business email addresses are targeted most often between Tuesday and Thursday. Phishing emails impersonate a trusted entity, try to get the recipient to click a link or attachment or hand over account credentials, and typically carry some sense of urgency. These emails often bypass traditional email security because they are sent from legitimate accounts at reputable senders that have been compromised.
  5. Ensure business associate agreements are in place before releasing any PHI. A BAA documents the associate's obligations and helps protect you from fines and penalties in the event they have a data breach, but if your business associate causes a breach, it is still your responsibility to go through the breach notification process. It is advisable to carry cyber-liability insurance, and best practice is to require your business associates to carry it as well.
  6. Physical security is often overlooked when we talk about data security. Portable devices need to be secured when left unattended. Printers and fax machines should not be located where an unauthorized person can reach them. Servers should be in a locked room or cabinet. Computers should not be located near exits. Keeping an up-to-date inventory list and reviewing it regularly is critical to knowing whether anything is missing. Lastly, a security system with cameras and access logs is recommended.
  7. Organizations with well-defined policies and procedures are less likely to have a data breach. Employees are educated on what they can and cannot do with business equipment. Knowing what to do in the event of a security incident can actually STOP an incident from becoming a major breach. Plus, most large fines are issued because the organization did NOT have a policy or plan in place. Just make sure your policies are read, signed and dated!
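To make item 4 concrete, here is an added example (written for this page; it is not code from the original post, from Barracuda, or from any email gateway product) of the header and link checks a mail filter or a careful reader applies to a suspected phishing message: a display name that claims a brand the sending domain is not entitled to, a Reply-To that diverts answers elsewhere, urgency language in the subject, and a link whose visible text shows one site while the href points at another. The two messages and the brand-to-domain allowlist are constructed for the example; a real deployment would load the allowlist from configuration.

```python
"""Added example: header and link heuristics for a suspected phishing email.
The sample messages, the brand allowlist and the urgency word list are all
constructed for this illustration."""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed allowlist: sending domains a brand named in the display name may use.
BRAND_DOMAINS = {
    "fedex": {"fedex.com"},
    "irs": {"irs.gov"},
    "bank of example": {"bankofexample.com"},   # hypothetical bank for the sample
}
URGENCY_WORDS = ("urgent", "immediately", "suspended", "verify your account", "final notice")

# Constructed sample: a lure that impersonates a courier (.example is a reserved TLD).
PHISH = """From: "FedEx Delivery" <notice@fedex-package-alert.example>
Reply-To: claims@mail-recovery.example
To: frontdesk@clinic.example
Subject: URGENT: package on hold, verify your account immediately
Content-Type: text/html

<p>Your package is on hold.</p>
<a href="http://fedex-package-alert.example/login">http://www.fedex.com/track</a>
"""

# Constructed sample: a legitimate notice from the brand's own domain.
LEGIT = """From: "FedEx" <tracking@fedex.com>
To: frontdesk@clinic.example
Subject: Your shipment has been delivered
Content-Type: text/html

<p>Delivered.</p>
<a href="https://www.fedex.com/track">https://www.fedex.com/track</a>
"""


def domain_of(address: str) -> str:
    """Lower-cased domain part of a header address, or '' if it has none."""
    _name, addr = parseaddr(address)
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def host_of(url: str) -> str:
    """Lower-cased host of a URL, or '' if it cannot be parsed."""
    return (urlparse(url).hostname or "").lower()


def phishing_indicators(raw_message: str) -> list:
    """Return human-readable indicators found in the message (empty list = none)."""
    msg = message_from_string(raw_message)
    indicators = []
    display_name, _addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(msg.get("From", ""))

    # 1. Display name claims a brand that the sending domain is not allowed to use.
    for brand, domains in BRAND_DOMAINS.items():
        if re.search(r"\b" + re.escape(brand) + r"\b", display_name.lower()) and from_domain not in domains:
            indicators.append(f"display name '{display_name}' but sender domain '{from_domain}'")

    # 2. Replies would go to a different domain than the one the mail claims to be from.
    reply_domain = domain_of(msg.get("Reply-To", ""))
    if reply_domain and reply_domain != from_domain:
        indicators.append(f"Reply-To domain '{reply_domain}' differs from From domain '{from_domain}'")

    # 3. Urgency language in the subject line.
    subject = msg.get("Subject", "").lower()
    for word in URGENCY_WORDS:
        if word in subject:
            indicators.append(f"urgency cue in subject: '{word}'")
            break

    # 4. Link text shows one host while the href points at another (the 'hover' check).
    body = (msg.get_payload(decode=True) or b"").decode("utf-8", "replace")
    for href, text in re.findall(r'<a\s+href="([^"]+)"[^>]*>(.*?)</a>', body, re.I | re.S):
        shown = re.search(r"https?://[^\s<]+", text)
        if shown and host_of(shown.group(0)) != host_of(href):
            indicators.append(f"link text shows {host_of(shown.group(0))} but points to {host_of(href)}")
    return indicators


if __name__ == "__main__":
    for label, raw in (("phish", PHISH), ("legit", LEGIT)):
        print(label, phishing_indicators(raw))
```

None of these checks proves a message is malicious on its own; a compromised real account, the case item 4 warns about, passes checks 1 and 2 and is caught only by the link and urgency checks or by the recipient verifying the request out of band.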

Remember, HIPAA is not a once-and-done process. As technology changes and employees come and go, you need to keep track and update accordingly. Use your Risk Management Plan to track your progress! Let us know if you need any help with implementation.


How much does a data breach really cost?

We really don't want to scare organizations, but this is a real problem and we feel it must be disclosed. A data breach costs an organization on many different levels: the cost of notification, credit monitoring and remediation, and then fines and penalties if you did not have reasonable and appropriate safeguards in place for the size of your organization.

Earlier this year we estimated the cost per patient record at $380; the Ponemon Institute now estimates it has risen to $429 per patient record. If you can't determine which records were breached, you must notify all of your patients. This is where the massive costs come from. Of course, the sooner you discover the breach, the less it will cost you, which is why audit log monitoring is so important. If you are monitoring who is doing what on your network, you can prevent a breach, or at least stop one before it becomes a major breach (500 or more individuals, which triggers media notice and prompt reporting to HHS instead of the annual log of smaller breaches).

Audit log monitoring is very time-consuming and nearly impossible to do on your own. We recommend monitoring logs from several sources, starting with your EHR, since that is where most of your patient data resides and it needs to be protected. Aris works with a company in California that offers EHR audit log monitoring. They have developed a system that sends out email alerts when suspicious activity occurs.
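As an added illustration of what "alert on suspicious activity" looks like in practice (example code written for this page, not the monitoring product mentioned above or any EHR vendor's code), the Python below runs two simple rules over EHR audit log lines, a user paging through far more distinct charts than a clinician normally would in an hour, and any access outside business hours, and then counts the distinct patients a user touched, which is the number that decides whether a confirmed incident is a major breach under the 500-individual rule. The log format (timestamp,user,action,patient_id), the sample lines and both thresholds are constructed assumptions; real EHR audit exports differ by vendor and the thresholds must be tuned to the practice's normal workload.

```python
"""Added example: two detection rules over constructed EHR audit log lines, plus
the distinct-patient count used for the HIPAA major-breach threshold."""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed thresholds; tune to the practice's normal workload.
MAX_PATIENTS_PER_HOUR = 25      # one clinician rarely opens more charts than this in an hour
BUSINESS_HOURS = (7, 19)        # 07:00-19:00 local; access outside this window is reviewed
MAJOR_BREACH_THRESHOLD = 500    # HIPAA: 500 or more individuals -> media notice + prompt HHS report


def build_sample_log() -> list:
    """Constructed sample: normal clinician activity, one after-hours view, and a
    temp account that pages through 40 charts in 40 minutes."""
    lines = [
        "2019-12-02T08:05:11,dr.lee,VIEW,P1001",
        "2019-12-02T08:07:40,dr.lee,VIEW,P1002",
        "2019-12-02T08:30:02,dr.lee,UPDATE,P1001",
        "2019-12-02T23:14:55,frontdesk2,VIEW,P2044",
    ]
    t0 = datetime(2019, 12, 3, 10, 0, 0)
    for i in range(40):
        lines.append(f"{(t0 + timedelta(minutes=i)).isoformat()},temp.user,VIEW,P{3000 + i}")
    return lines


def parse(lines):
    """Yield (timestamp, user, action, patient_id) for each non-empty CSV line."""
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, user, action, patient = line.split(",")
        yield datetime.fromisoformat(ts), user, action, patient


def find_alerts(events: list) -> list:
    """Rule 1: any access outside business hours.
    Rule 2: a user touching more than MAX_PATIENTS_PER_HOUR distinct patients
    within any one-hour window (reported once per user)."""
    alerts = []
    by_user = defaultdict(list)
    for ts, user, action, patient in events:
        by_user[user].append((ts, patient))
        if not (BUSINESS_HOURS[0] <= ts.hour < BUSINESS_HOURS[1]):
            alerts.append(f"after-hours access: {user} {action} {patient} at {ts.isoformat()}")
    window = timedelta(hours=1)
    for user, rows in by_user.items():
        rows.sort()
        for i, (start, _patient) in enumerate(rows):
            distinct = {p for ts, p in rows[i:] if ts - start < window}
            if len(distinct) > MAX_PATIENTS_PER_HOUR:
                alerts.append(f"bulk access: {user} opened {len(distinct)} distinct patients "
                              f"within an hour of {start.isoformat()}")
                break
    return alerts


def distinct_patients(events: list, user: str) -> int:
    """Number of individuals whose records `user` touched; if the account was
    misused, this is the figure the breach notification decision rests on."""
    return len({p for _ts, u, _a, p in events if u == user})


def is_major_breach(count: int) -> bool:
    return count >= MAJOR_BREACH_THRESHOLD


def demo() -> tuple:
    events = list(parse(build_sample_log()))
    return find_alerts(events), distinct_patients(events, "temp.user")


if __name__ == "__main__":
    alerts, n = demo()
    for a in alerts:
        print("ALERT:", a)
    print(f"temp.user touched {n} patients; major breach: {is_major_breach(n)}")
```

The point of the distinct-patient count is the one made in the paragraph above: if your logs let you say exactly which 40 records a misused account touched, you notify 40 patients; if you cannot, you notify all of them.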

We also recommend monitoring the logs from your firewall and domain controller. This is even more complex, and again we recommend using a third party. Aris has partnered with a nationally recognized network security company that can assist in this area as well. We understand that cost is very important to our clients, and that is why we selected these particular companies: they are reasonably priced and offer outstanding service. Let us know if you would like more information from either of them.

Keep safe out there on the World Wide Web aka the Wild Wild West!


©2025 Aris Medical Solutions – HIPAA Risk Management | HIPAA Compliance Consultants | All Rights Reserved | Terms and Conditions | Privacy Policy