data breach Archives

RIPlace technique allows malware to bypass anti-malware programs

Suze Shaffer December 23, 2019February 1, 2024

By Suze Shaffer

Like we don’t have enough to worry about, now this!

Security researchers are saying this new technique is effective even against systems that are patched and run anti-virus scans. This process allows ransomware to encrypt files on Windows based systems. The way most ransomware gets into our systems is by unsuspecting users or hi-jacked user credentials. Of course it can happen from a disgruntled employee as well. Once this happens, the ransomware opens and reads an original file, then deletes or destroys the original by encrypting it. Within a short amount of time the hacker can invade your systems and crawl through your entire network. Taking everything down and literally destroying your livelihood.. Of course, there is more to this and if you want, you can research this. The main reason why I wanted to share this with you is because… as I have said many times, employees are your first line of defense! Well educated employees can prevent this from happening in your organization. Here is what you need to do TODAY to prevent a data breach:

Remind every user of your system that the computers are for business purposes ONLY. Clicking on infected websites can infect your network.
Remind users do not click on any links or attachments that are not expected even if it comes from someone they know.
Do not permit anyone access to your systems without confirming their identity. This includes service providers. If you do not have an appointment, call and verify the person is still employed there.
Remove user access for terminated employees IMMEDIATELY. Before terminating a person, have this process set and ready.
Conduct a criminal background check on ALL new hires. This needs to be included in your employee manual, and state that a background check can be performed at anytime during their employment.
Contact a network security professional and have them run an audit on your system. This will ensure you do not have any open ports or vulnerabilities.
Be sure to have a backup of your system that is NOT connected to your network.

I know I have said this in the past, but I have to say it again… The World Wide Web (WWW) is the new Wild Wild West, the difference is, danger is invisible until it is too late. Be careful out there.

If you would like more information, contact us at 877.659.2467 or complete the contact us form.

“Simplifying HIPAA through Partnership, Education, and Support”

Are you sharing TMI – Too Much Information?

Suze Shaffer November 20, 2019February 1, 2024

By Suze Shaffer

When designing your website we all think it’s a great idea to “share” who are team is. Although, it is necessary in healthcare because patients want to see who your staff is and get to know them, be careful not to give out TMI – too much information. Hacker and spammers troll websites looking for information they can use. Think about this… when you post on your website your favorite flower, favorite food, or where you were born, these can be used as security questions or used to figure out other details of your life.

Another area of concern is when a business associate calls your office and asks for information and you didn’t request them to call or contact you. Make sure that person is still employed there and verify the call before giving out any information, sending any information, or permitting access to your systems. Recently, a friend of mine told me about an IT company who had one of their employees impersonated on the phone. Luckily the hacker wasn’t able to get anything since the computer wasn’t connected to the network. Just think what could have happened if it were!

Best practices in protecting your information.

Although you want to be “real” and connect with your patients online, give out information sparingly. What you post online is read by ANYONE!
When creating your security questions, don’t answer the questions truthfully. When asked what is your favorite flower, make something up! You just have to remember what you made up! For example: Favorite flower, Mexican – name a food instead. Favorite food, Pink Roses – name a flower instead. Mix it up a bit!
When anyone calls and asks for any confidential or patient information. Verify before giving out any information. Make sure that employee still works there and they have been requested to perform whatever they are requesting.
Never let anyone that calls on the phone have access to your computer, server, or any electronic device until they have been verified.
Do not permit any transactions to be processed until what is requested has been verified.

I know this sounds like a lot of extra work, but think about the consequences and the time that will be spent correcting a mistake. Not to mention the cost if you have a data breach!

If you would like more information, contact us at 877.659.2467 or complete the contact us form.

“Simplifying HIPAA through Partnership, Education, and Support”

Ransomware is a REAL threat…

Suze Shaffer October 20, 2019February 1, 2024

By: Aris Medical Solutions

We all hope that we do not fall victim to ransomware, but we need to do more than just hope. All businesses, especially healthcare must have a contingency plan that includes data recovery in the event their systems are encrypted. If you have a backup that is NOT connected to your network, your downtime will be minimal. Keep in mind, you may need to go through the breach notification process based on your state and federal HIPAA law.

A Michigan ENT and Hearing practice refused to pay $6,500 in ransom and the hackers wiped their systems. With no chance of recovering this data, they chose to close the practice.
Most recently, a California Medical Practice was unable to recover their data after ransomware encrypted their systems including their backups. As a result, they will close their practice December 17, 2019.
I could keep adding to the list, but I would rather educate you on how to avoid this!

Best practice is of course to PREVENT ransomware in the first place. This starts with a solid network security program and education for your workforce. Most malware is introduced by an unsuspecting employee. Truly, one click of a mouse can cause a tumbling effect leading to the loss of your business. I know that sounds a bit dramatic, but most small to medium sized organizations that suffer a data breach do not survive.

Healthcare is a major target, in fact, 71% of ransomware attacks are towards small to medium sized practices since they do not have adequate network security in place.

Your first line of defense is an enterprise version firewall device. This means, do not purchase one that has parental controls!
Second, have a network security specialist set up your firewall and set custom security controls. It is fairly simple to set up a “network”, but it takes someone who truly understands network security to secure your network. This includes computers, servers, access points, etc.
Depending on the size of your organization, you may need to set up an onsite server as a domain controller. Once this is in place, all users are authenticated through the domain. Security permissions can be set all at once and can’t be changed by the users.
Phishing education for all employees including providers, and management. Business email addresses are targeted typically between Tuesday and Thursday according to the analysis from Barracuda. Phishing emails impersonate a trusted entity, they try to get the recipients to click on the links or attachments, share account credentials, and typically have some sort of urgency associated with the email. These emails often bypass traditional email security since they originate from reputable senders.
Ensuring you have business associate agreements in place before releasing any PHI. This will protect you from fines and penalties in the event they have a data breach. It is advisable to carry cyber-liability insurance. If your business associate causes a data breach, it will still be your responsibility to go through the breach notification process. Best practice is to require your business associate to carry cyber liability as well.
Physical security is often overlooked when we talk about data security. Portable devices need to be secured when left unattended. Printers and fax machines should not be located where they can be accessed by an unauthorized person. Servers should be in a locked room or cabinet. Computers should not be located near exits. Keeping an up to date inventory list and reviewing it regularly is critical in knowing if anything is missing. Lastly, a security system that has cameras and access logs is recommended.
Organizations that have well defined policies and procedures are less likely to have a data breach. Employees are educated on what they can and cannot do with business equipment. Knowing what to do in the event of a security incident can actually STOP a data breach from becoming a major breach. Plus, most large fines are because the organization did NOT have a policy or plan in place. Just make sure you have read and dated them!

Remember HIPAA is not a once and done process, as technology changes and employees come and go, you need to keep track and update accordingly. Use your Risk Management Plan to track your progress! Let us know if you need any help with implementation.

If you would like more information, contact us at 877.659.2467 or complete the contact us form.

“Simplifying HIPAA through Partnership, Education, and Support”

How much does a data breach really cost?

Suze Shaffer August 15, 2019February 1, 2024

We really don’t want to scare organizations, but this is a real problem and we feel this must be disclosed. A data breach costs an organization on many different levels. The cost of notification, credit monitoring, remediation, then comes fines and penalties if you do not have reasonable and appropriate safeguards in place based on the size of your organization.

Earlier this year we had estimated the cost per patient record to be $380, according to the Ponemon Institute, they are estimating this cost has risen to $429 per patient record. If you can’t determine which records were breached, then you must notify all of your patients. This is where the massive costs are generated. Of course, the sooner you discover the breach the less it will cost you. This is why audit log monitoring is so important. If you are monitoring who and what is going on in your network, you can prevent a breach or at least stop a breach before it becomes a major breach (over 500 records).

Audit log monitoring is very time consuming and nearly impossible to do on your own. We recommend monitoring your logs from different sources, starting with your EHR. This is where most of your patient data resides and this needs to be protected. Aris works with a company in California that offers EHR audit log monitoring. They have developed a system that will send out email alerts when suspicious activity occurs.

We also recommend monitoring your logs from your firewall or domain controller. This is even more complex and again we recommend utilizing a third party. Aris has partnered with a nationally recognized network security company that can assist in this area as well. We understand that cost is very important to our clients and that is why we have selected these particular companies. They are reasonably priced and offer outstanding service. Let us know if you would like more information from either of these companies.

Keep safe out there on the World Wide Web aka the Wild Wild West!

If you would like more information, contact us at 877.659.2467 or complete the contact us form.

Cyber Liability Insurance – is it really necessary?

Suze Shaffer April 19, 2019June 29, 2022

In the news nearly daily there is talk about a data breach, a hacking incident, or a cyber crime. Most practices do not think about this until it happens to them, unfortunately it could be devastating. Most experts now state that it is not IF this happens to you, but WHEN. The costs associated with a breach are widespread, see below for some examples.

notification costs (postage, call center, toll free numbers, etc.),
remediation costs (network scans, forensics, etc.),
reputation management (online and in print),
depending on the cause of the breach, you may encounter fines and penalties.

According to the Ponemon Institute, medical breaches are more costly ($408 ) than other small businesses ($148) per record. For example, if you have 5,000 patient records and you can’t determine which of the records were accessed or compromised you must notify all of the patients. That equates to $2,040,000.00. The main cause of data breaches were 48% due to malicious code or criminal attack, 27% due to negligent employees or contractors (business associates), and 25% due to system glitches and business process failures. When it comes to reputation management, this is critical after a breach. Especially in health care since it has the highest rate of churn because patients have more choices.

We are taught to be proactive with our health. We exercise, eat right, and make sure we get enough sleep. We see our physician to make sure our blood work has the correct levels and we have tests performed to catch any early detection of disease.

We should do the same for our business. Just think what would happen to the business side of a medical practice if their data was compromised, stolen, or encrypted. Most small businesses do not survive after a data breach. Here are some helpful hints to protect your practice and your business:

Conduct a network security audit to ensure your network is as secure as possible.
If you do not have an enterprise firewall, add one to your network. Be sure to have custom security policies implemented on your device.
Review all of your computers and be sure to use business operating systems, antivirus/malware, and software.
Work on your Risk Management Plan, understand your vulnerabilities and mitigate them to the best of your ability.
Education. Keeping all staff including the physicians educated on safe computer practices and only permitting work related surfing on company computers. Knowledge about the dangers and consequences of their actions can greatly reduce the chance of a breach.
Make sure the business associates that you use are HIPAA compliant. When you use other companies to assist you, it is the responsibility of the practice to ensure they know how to protect your data.
Invest in cyber liability insurance. Cyber liability insurance covers the cost of notifying patients, data restoration, extortion, and reputation management. It is best to obtain a policy from a knowledgeable agent that specializes in this area since there are many variables in this type of coverage. Also, may sure you read the exclusions. You may not have the coverage you think you do. Many medical malpractice or general liability policies have small token amounts included, this is NOT enough. Review the number of medical records, paper and electronic and insure them accordingly.

To find out more about how our automated HIPAA compliance platform can help your organization click here:

https://arismedicalsolutions.com/aris-hipaa-service-automated-platform/

Or to schedule a demo click the contact us tab and scroll down.

“Simplifying HIPAA through Automation, Education, and Support”

Cost of cyber attacks on healthcare are steadily rising

Suze Shaffer August 1, 2018June 29, 2022

Why are so many medical offices being attacked? Simple, this is a one stop shop for everything needed for identity theft and many medical practices do not have appropriate safeguards in place. Business associates have even been the target or the entry point. HIPAA requires certain security safeguards to be in place to ensure the safety and security of Protected Health Information (PHI).

There have been 188 data breaches of 500 or more patient records in the first 6 months of this year, and in April alone there were 42. Thirteen of the 188 have already been resolved. https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf
These breaches include small medical practices, business associates, and hospitals. Small and large. Paper and electronic. No one is immune. Many organizations think they are too small to get hit, but the fact is the most common problem is untrained staff that unknowingly cause this to happen. Education is the key to avoiding this catastrophe from destroying your reputation. Of course you still need to certain technical safeguards in place, but even then it only takes one click of a mouse to bring your network down.

Here are some areas to consider:

How would you process a data breach?
How would you handle the reputation management of the breach?
How would you pay for the cost of breach and the investigations?

Having a breach notification plan in place before a breach occurs is critical to reducing the damage. You must have processing in place to shut the system down, continue manually, and report to the appropriate authorities.

Consider the lack of trust from your patients since their information was compromised from your office. No matter if it was your fault or that of a business associate this could have a negative impact on your patient database.

Breaches are costly on many fronts, the first being the cost of the notification of the patients, investigations, downtime, and the mitigation of the source of the breach. In 2013 the Ponemon Institute reported that a data breach cost $233 per medical record, now in the 2018 the report states a healthcare breach can cost on average $408 per medical record.
https://www.ibm.com/security/data-breach

Keep in mind if you do not know which records were breached then everyone must be included in the notification process. What could turn out to be the most costly is the fines and penalties associated with the breach. Depending on how and when you processed the breach is one determining factor. Also once the investigation is complete, if it is discovered this was an ongoing problem and was not mitigated, then you could be found in willful and wanton neglect. This is NOT a place you want to find yourself! The Office for Civil Rights (OCR) can also fine you for not conducting a thorough enough risk analysis thus leaving vulnerabilities untouched. How well do you trust your efforts in securing your data? Have you conducted a risk assessment to determine if what you have in place is sufficient?

How can Aris help?

First of all we conduct a thorough risk analysis that uncovers vulnerabilities and create a risk management plan so that you can mitigate those risks.
Since written documentation is also part of HIPAA compliance, we provide the necessary privacy and security policies, procedures, and documentation needed for state and federal regulatory requirements.
We also offer HIPAA training that includes privacy and security and any custom requests.
If you are one of the many organizations that simply do not have the time to implement your HIPAA program, we can do that for you as well. Month to month, no long term contracts!

If you would like a free HIPAA checkup call 877.659.2467 or complete the contact us form.

“Simplifying HIPAA through Partnership, Education, and Support”

General Data Protection Regulation: What does this mean to the US

Suze Shaffer April 15, 2018February 2, 2024

By Aris Medical Solutions

You may have already heard about the GDPR (General Data Protection Regulation) from the EU (European Union) that will affect many organizations here in the United States.

Our personal information has been being sold for years. Some with and some without our knowledge. Many organizations require a person to “accept” their terms and conditions with long legal agreements that we must agree to before using their software, joining their network, or downloading an app to name a few. Most people do not read this very important disclosure because it is simply too long and too legal. They collect data from us in order to enter a sweepstakes, win a prize, or simply to gain access to a forum. This information can be sold to other organizations so they can market their good and services to us. I will be explaining in my next notification how to poison this information and make it useless. For now we need to concentrate on how to understand this new regulation.

With the GDPR from the EU becoming effect May 25, 2018, organizations must become compliant by May 25, 2018.

Here is a basic summary of what you need to know:

Organizations that provide goods or services to anyone located within the European Union regardless of where the company is located must adhere to this new regulation. This also includes companies that process and store personal data of an EU citizen. This is similar to our individual state laws we currently have in the United States.
Personal data is anything that can be used to identify a person, directly or indirectly. This includes name, photo, email address, bank details, medical information, computer IP address, and even posts on social media.
You must have clear full consent to use a person’s information. No lengthy vague legal forms; just clear plain language. Nothing short of an opt-in will be acceptable.
Just like HIPAA, there is a tiered sanction policy. Organizations can be fined up to 4% of annual global income for breaching the GDPR. This is for severe violators. Organizations can be fined up to 2% for not having their records in order, not notifying a supervising authority, not notifying the person that is affected by a data breach, or not conducting an impact assessment.
These rules will apply to both cloud data controllers and processors and will not be exempt from GDPR enforcement.
Data breaches must be reported within 72 hours.

What do you need to do to prepare:

Review your client/patient database.
Do you have any European clients/patients?
Review where all of your data is stored.
Do you use a cloud system?
Do you have a BA agreement in place with the data processor/center?
Update your breach notification plan.

For more information on the GDPR: https://www.eugdpr.org/

For more information on how Aris Medical Solutions can help your organization with HIPAA Compliance and Protecting your Data call 877.659.2467.

“Protecting Organizations through Partnership, Education, and Support”

How well do you trust your compliance efforts?

Suze Shaffer April 10, 2018February 2, 2024

By Aris Medical Solutions

HIPAA encompasses many aspects. Risk assessments, risk management, and your policies, procedures, documentation are the backbone of compliance.

Most medical providers don’t think about compliance until they are audited. By that time it is too late to mitigate any issues that you may have. The main misconception is that “it will never happen to me”.

A random audit is possible but relatively a low probability. A compliance audit is typically initiated by a disgruntled employee, a patient that feels their privacy has been violated, or a data breach. Once the HIPAA violation is reported then the Office for Civil Rights (OCR) will determine if the complaint will need to be investigated. If it does, depending on the documentation that you provide, will determine whether or not a desk audit will be issued. This is where your policies and procedures are critical. If your employees understand what they need to do, how to do, and what needs to be documented, your chances of a desk audit is greatly reduced. The OCR understands that people make mistakes, but if you don’t learn from them, they will fine you heavily!

Note to self… if you recognize a problem, address it, correct it, and learn from it.

You can survive a audit with proper documentation!

For more information on how Aris Medical Solutions can help your organization with HIPAA Compliance and Protecting your Data click here call 877.659.2467.

“Protecting Organizations through Partnership, Education, and Support”

Updating your Contingency Plan

Suze Shaffer March 25, 2018February 1, 2024

By Aris Medical Solutions

Contingency Planning is more than just a power outage or how to backup and restore your data. A complete plan should include different types of scenarios that could happen in your area.

For those involved in Healthcare, creating a contingency plan is not optional. Should you have a disaster and are not prepared you can be fined! The Office for Civil Rights (OCR) considers protecting personal information a civil right and they will enforce this if you have a data breach or a situation where your data is not recoverable.

Think about ransomware, have you included this in your contingency plan?

Depending where you are located, have you included how to respond to a hurricane, tornado, snowstorm, or fire?

Where is your data located and what would happen if you had a toilet overflow or a pipe burst?

In light of the recent tragedies have you included a section on workplace violence?

How to create a Contingency plan:

Conduct a thorough HIPAA Risk Assessment. Understand and analyze what type of risks you are vulnerable to. This includes where you are located and what type of computer network that you utilize.
Create a diagram of how your network is configured. This will help you to determine the best method to protect and restore your data from a backup.
Implement a risk management plan that outlines what you have in place and what you will need in the future if it is not possible at the moment. Of course, you will need a timeline if you will be adding to your plan.

For more information on how Aris Medical Solutions can help your organization with HIPAA Compliance and Protecting your Data call 877.659.2467 or click here to contact us.