Call Us Today! 877-659-2467 contactus@arismedicalsolutions.com

Tag: HIPAA

Data breaches of 2018

Posted bySuze Shaffer

We hear on the news about data breaches almost daily. Some are credit card theft, our personal information being sold, and then are medical data breaches. These are extremely worrisome as this is where identity theft can start. The medical community is a major target for that very reason, medical records are the main source of complete information to steal personal information.

Do you know how many individual patient records have been compromised in 2018?

11,785,675 patient records were reported as breaches to the Office of Civil Right (OCR) in 2018 that were over 500 records per incident. Keep in mind this does NOT include breaches under 500 records.

https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf;jsessionid=3F3012CA56DF3E4D79031A59CCBBBA4D

Plus 944,595 patient records that had been exposed that have already been archived according to the OCR portal.

At the NIST/OCR October conference, they talked about how medical offices use the excuse… “I didn’t know”. They also said that was not an acceptable answer any longer. They can and will fine organizations that are not HIPAA compliant. You are 4 times more likely to get hacked than to have your equipment stolen and this does not even include the breaches caused by unauthorized access. Needless to say data breaches are on the rise no matter what angle you are looking at.

So as we close out 2018 and venture into 2019…
You MUST be diligent and keep up to date on the latest technology for data security.
You MUST make sure your employees are WELL educated on data security.
You MUST document your compliance efforts.

In the words from the Office for Civil Rights, “If it’s not documented, it doesn’t exist”!

Be safe out there in the World Wide Web… it’s a wonderful but dangerous place!

To find out more about how our automated HIPAA compliance platform can help your organization click here:

https://arismedicalsolutions.com/aris-hipaa-service-automated-platform/

Or to schedule a demo click the contact us tab and scroll down.

“Simplifying HIPAA through Automation, Education, and Support”

Spoofing, Phishing, and how to avoid getting caught in the middle

Posted bySuze Shaffer

After attending the Office for Civil Rights (OCR) annual webcast, many things were confirmed that we thought may have been rumors. First of all, medical offices are targets of hacking because you hold everything needed for identity theft.

What is identity theft? Most people think of it as their credit card being stolen, or even their tax returns. True, that is identity theft but there is also another component that is not often talked about. That is, assuming someone else’s identity for health care purposes. Imagine someone assumes your identity and has a surgery and “corrects” your medical record and changes your blood type. Then, you are involved in a car accident and receive a blood transfusion but it’s the WRONG blood. Yes, this can happen. We are not sure how often, but with the rise of medical records being stolen we could see this happen more often. Knowing where your data is located and how it is stored is a starting point in protecting this valuable information. Conducting a risk analysis and having an ongoing risk management is mandatory under HIPAA. During this process you will uncover potential vulnerabilities. Once you mitigate these risks, you may be able to avoid a data breach.

Protecting yourself and your organization is one in the same. Practice these safety tips at work and at home:

  • Make sure your operating system updates are current as well as your anti-virus and anti-malware.
  • Scan for viruses and malware after every update.
  • If you use personal devices to access ePHI or work files, be sure to use enterprise versions of anti-virus and anti-malware. Free versions typically are not robust enough.
  • NEVER use free Wi-Fi even if you are not accessing any patient information. You could pick up malware from someone that has spoofed the Wi-Fi network that you thought you were logging into.
  • NEVER click on links within emails that claim to be urgent or a free offer of some type. Typical phishing expeditions start in this manner. After you click, they ask for certain information they are lacking about you or they may ask for everything! Sometimes, this is merely a tactic to get you to go to a certain website and place malware on your computer and you never even know it.
  • NEVER click on a link within an email asking you to verify your identity. You wouldn’t show a stranger on the street your driver’s license just because they asked to see it, then why would you “verify” your identity with someone invisible in your email? Again, this is how spear phishing starts.
  • NEVER click on an attachment within an email unless you are expecting it, even if you know the person that sent it. Their email could have been hacked and you are being spoofed into thinking it is from them. This includes messages from FedEx, UPS, and the IRS. Best practices is to open your web browser and go to their website and sign in.
  • NEVER click on links in text messages unless you are expecting one, such as you just signed up for text messages from a service provider. Bank customers are being spoofed into clicking on links in text messages and taking you to what looks like your bank. Guess what… it’s NOT your bank but looks like it!

I have said this before… the World Wide Web (WWW) is the new Wild Wild West. The only difference is, in the old wild wild west you could see danger coming on the horizon and prepare. The World Wide Web, the dangers are there, but they are invisible.

Be safe out there!

To find out more about how our automated HIPAA compliance platform can help your organization click here:

https://arismedicalsolutions.com/aris-hipaa-service-automated-platform/

Or to schedule a demo click the contact us tab and scroll down.

“Simplifying HIPAA through Automation, Education, and Support”

Cost of cyber attacks on healthcare are steadily rising

Posted bySuze Shaffer

Why are so many medical offices being attacked? Simple, this is a one stop shop for everything needed for identity theft and many medical practices do not have appropriate safeguards in place. Business associates have even been the target or the entry point. HIPAA requires certain security safeguards to be in place to ensure the safety and security of Protected Health Information (PHI).

There have been 188 data breaches of 500 or more patient records in the first 6 months of this year, and in April alone there were 42. Thirteen of the 188 have already been resolved. https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf
These breaches include small medical practices, business associates, and hospitals. Small and large. Paper and electronic. No one is immune. Many organizations think they are too small to get hit, but the fact is the most common problem is untrained staff that unknowingly cause this to happen. Education is the key to avoiding this catastrophe from destroying your reputation. Of course you still need to certain technical safeguards in place, but even then it only takes one click of a mouse to bring your network down.

Here are some areas to consider:

  1. How would you process a data breach?
  2. How would you handle the reputation management of the breach?
  3. How would you pay for the cost of breach and the investigations?

Having a breach notification plan in place before a breach occurs is critical to reducing the damage. You must have processing in place to shut the system down, continue manually, and report to the appropriate authorities.

Consider the lack of trust from your patients since their information was compromised from your office. No matter if it was your fault or that of a business associate this could have a negative impact on your patient database.

Breaches are costly on many fronts, the first being the cost of the notification of the patients, investigations, downtime, and the mitigation of the source of the breach. In 2013 the Ponemon Institute reported that a data breach cost $233 per medical record, now in the 2018 the report states a healthcare breach can cost on average $408 per medical record.
https://www.ibm.com/security/data-breach

Keep in mind if you do not know which records were breached then everyone must be included in the notification process. What could turn out to be the most costly is the fines and penalties associated with the breach. Depending on how and when you processed the breach is one determining factor. Also once the investigation is complete, if it is discovered this was an ongoing problem and was not mitigated, then you could be found in willful and wanton neglect. This is NOT a place you want to find yourself! The Office for Civil Rights (OCR) can also fine you for not conducting a thorough enough risk analysis thus leaving vulnerabilities untouched. How well do you trust your efforts in securing your data? Have you conducted a risk assessment to determine if what you have in place is sufficient?

How can Aris help?

  • First of all we conduct a thorough risk analysis that uncovers vulnerabilities and create a risk management plan so that you can mitigate those risks.
  • Since written documentation is also part of HIPAA compliance, we provide the necessary privacy and security policies, procedures, and documentation needed for state and federal regulatory requirements.
  • We also offer HIPAA training that includes privacy and security and any custom requests.
  • If you are one of the many organizations that simply do not have the time to implement your HIPAA program, we can do that for you as well. Month to month, no long term contracts!

If you would like a free HIPAA checkup call 877.659.2467 or complete the contact us form.

“Simplifying HIPAA  through Partnership, Education, and Support”

Software Patches and Updates – Why they are so important.

Posted bySuze Shaffer

Whether you work in a medical office or are a business associate, they all rely heavily on the software they use for patient care. The reason software developers send out periodic updates is because more than likely a vulnerability has been discovered and the “patch” or “update” will mitigate the issue. Vulnerabilities come in a variety of types including electronic health records (EHRs), operating systems, custom software, databases, email, and even Java and Adobe Flash. Each program will have its own type of vulnerabilities. Unpatched software poses to a threat to ePHI and updating is required under HIPAA. Routers, phones, servers, and even some refrigerators have firmware that must be updated as well.

When discussing routers, it is important to mention that all routers come with default settings, including a username and password. These must be changed, otherwise they can be hacked. Routers also need to be rebooted or reset sometimes, depending on the type of vulnerability that has surfaced. Malware can infect not only your phone and computers, but also your router. It is imperative that you have an experienced IT professional that is current on these issues. Long gone are the days of plug and play. Although it is not difficult to set up a computer or a network, securing it is a whole new game.

Even if you utilize a cloud based system, the devices you use to access your system can be compromised. If you haven’t done so already, you should invest in a qualified IT vendor that will secure and monitor your computers and network. The data that your patients have entrusted you with is sought after in many areas. It is required under HIPAA to have reasonable and appropriate safeguards in place, but besides that… it’s the right thing to do!

For more information on how Aris Medical Solutions can help your organization with HIPAA Compliance and Protecting your Data call 877.659.2467.

“Simplifying HIPAA through Partnership, Education, and Support”

Workstation Security

Posted bySuze Shaffer

HIPAA Compliance is more than just about a patient’s right to access their information. Although the HIPAA Privacy Rule is how most of this began, it is so much more now! The HIPAA Security Rule outlines administrative safeguards, physical, and technical security. Most organizations are so busy trying to figure out how to protect themselves from the unknown (technical concerns) that they forget about the actual physical security. We are not just talking about building security systems, but how you secure the individual devices that are utilized within your facility and those who travel with portable devices.

Here are some helpful ideas to review with your particular situation:

  1. Although utilizing a security system that has motion sensors is better than nothing, using security cameras usually discourages theft.
  2. Conduct a walk through of your facility and create an inventory list of all devices that access or store ePHI. Knowing what you have, where it is located, and if it contains ePHI is essential in securing your data. This includes portable devices and small electronic media. Remember, printers, copiers, and scanners can store data as well.
  3. Review the location of all devices that access or store ePHI. Ensure they are not located in an area that could be easily accessed by an unauthorized person or utilize cable locks. If screens are viewable and cannot be relocated, the use of privacy screens are highly recommended. Encryption is recommended on any device that contains ePHI. If the devices are transported they should be encrypted even if they do not contain ePHI. If they are ever lost or stolen and the encryption is engaged, it would not be a reportable breach.
  4. If your USB drives are not used, locks should be installed. This is an inexpensive method to protect the network. If your workstations utilize CD/DVD drives, these should be disabled as well. Another option would be to configure this through a Microsoft Group Policy.
  5. Make sure paper PHI is not left in areas that could be accessed by another as well. This includes where you store your excess paper charts. These areas should be locked when not in use. It is also recommended to utilize signage instructing “Employees Only”.
  6. Employees can be your biggest asset or your largest liability. Training your employees on computer security is an ongoing process. Annual HIPAA training should include the HIPAA privacy rule and HIPAA security rule. Also, add monthly security reminders to keep HIPAA fresh in their minds. Continuing education is the key to safety.
  7. HIPAA Policies and procedures are the backbone of an organization. Properly trained employees know and understand what is required and needed. The data that a health care provider has in its possession is priceless. This data must be secure physically and technically. All of this is necessary to avoid a data breach.

If an organization fails to secure patient information the Office for Civil Rights (OCR) will open an investigation and the organization can end up with massive fines. These fines have ranged from $250K to $3.5M. Although the fines are based on the organization’s ability to pay, the days of receiving just a $50K fine seems to be over. Best practices would be to review your HIPAA risk analysis and make sure it is thorough. Some online risk assessments unfortunately do not uncover all of your vulnerabilities. The OCR could consider this as willful neglect even though you didn’t know. Make sure you update your risk management plan and mitigate those vulnerabilities. Small oversights could cost you a fortune.

For more information on how Aris Medical Solutions can help your organization with HIPAA Compliance and Protecting your Data call 877.659.2467.

“Simplifying HIPAA through Partnership, Education, and Support”

General Data Protection Regulation: What does this mean to the US

Posted bySuze Shaffer

By Aris Medical Solutions

You may have already heard about the GDPR (General Data Protection Regulation) from the EU (European Union) that will affect many organizations here in the United States.

Our personal information has been being sold for years. Some with and some without our knowledge. Many organizations require a person to “accept” their terms and conditions with long legal agreements that we must agree to before using their software, joining their network, or downloading an app to name a few. Most people do not read this very important disclosure because it is simply too long and too legal. They collect data from us in order to enter a sweepstakes, win a prize, or simply to gain access to a forum. This information can be sold to other organizations so they can market their good and services to us. I will be explaining in my next notification how to poison this information and make it useless. For now we need to concentrate on how to understand this new regulation.

With the GDPR from the EU becoming effect May 25, 2018, organizations must become compliant by May 25, 2018.

Here is a basic summary of what you need to know:

  1. Organizations that provide goods or services to anyone located within the European Union regardless of where the company is located must adhere to this new regulation. This also includes companies that process and store personal data of an EU citizen. This is similar to our individual state laws we currently have in the United States.
  2. Personal data is anything that can be used to identify a person, directly or indirectly. This includes name, photo, email address, bank details, medical information, computer IP address, and even posts on social media.
  3. You must have clear full consent to use a person’s information. No lengthy vague legal forms; just clear plain language. Nothing short of an opt-in will be acceptable.
  4. Just like HIPAA, there is a tiered sanction policy. Organizations can be fined up to 4% of annual global income for breaching the GDPR. This is for severe violators. Organizations can be fined up to 2% for not having their records in order, not notifying a supervising authority, not notifying the person that is affected by a data breach, or not conducting an impact assessment.
  5. These rules will apply to both cloud data controllers and processors and will not be exempt from GDPR enforcement.
  6. Data breaches must be reported within 72 hours.

What do you need to do to prepare:

  1. Review your client/patient database.
  2. Do you have any European clients/patients?
  3. Review where all of your data is stored.
  4. Do you use a cloud system?
  5. Do you have a BA agreement in place with the data processor/center?
  6. Update your breach notification plan.

For more information on the GDPR: https://www.eugdpr.org/

For more information on how Aris Medical Solutions can help your organization with HIPAA Compliance and Protecting your Data call 877.659.2467.

“Protecting Organizations through Partnership, Education, and Support”

How well do you trust your compliance efforts?

Posted bySuze Shaffer

 

By Aris Medical Solutions

compliance board game

HIPAA encompasses many aspects. Risk assessments, risk management, and your policies, procedures, documentation are the backbone of compliance.

Most medical providers don’t think about compliance until they are audited. By that time it is too late to mitigate any issues that you may have. The main misconception is that “it will never happen to me”.

A random audit is possible but relatively a low probability. A compliance audit is typically initiated by a disgruntled employee, a patient that feels their privacy has been violated, or a data breach. Once the HIPAA violation is reported then the Office for Civil Rights (OCR) will determine if the complaint will need to be investigated. If it does, depending on the documentation that you provide, will determine whether or not a desk audit will be issued. This is where your policies and procedures are critical. If your employees understand what they need to do, how to do, and what needs to be documented, your chances of a desk audit is greatly reduced. The OCR understands that people make mistakes, but if you don’t learn from them, they will fine you heavily!

Note to self… if you recognize a problem, address it, correct it, and learn from it.

You can survive a audit with proper documentation!

For more information on how Aris Medical Solutions can help your organization with HIPAA Compliance and Protecting your Data click here call 877.659.2467.

“Protecting Organizations through Partnership, Education, and Support”

Do HIPAA Fines go away when a practice or business closes?

Posted bySuze Shaffer

By Aris Medical Solutions

Many medical practices and business associates have the misconception that if they are fined they can simply close their doors and not be obligated to pay the fines or penalties. We have been asked if this will work many times. The Office for Civil Rights (OCR) has answered this haunting question.

Three years ago the OCR received an anonymous complaint against Filefax, Inc. that transported 2,150 patient files to be shredded. These files were left in an unlocked truck in their parking lot, or by granting permission to an unauthorized person to remove the files from Filefax, and leaving the Protected Health Information (PHI) unsecured outside the Filefax facility.

Although Filefax shut their doors during the course of the OCR’s investigation they were still obligated under the law. In 2016, a court in unrelated litigation appointed a receiver to liquidate its assets. In addition to a $100,000 monetary settlement, the receiver has agreed, on behalf of Filefax, to properly store and dispose of remaining medical records found at Filefax’s facility in compliance with HIPAA.

The first step in protecting your practice or business is to conduct a thorough security risk assessment and identify vulnerabilities and workflow. From there you can develop a risk management plan to ensure you document your compliance efforts and mitigate risks.

For more information on how Aris Medical Solutions can help your organization with HIPAA Compliance and Protecting your Data call 877.659.2467 or click here to contact us.

“Protecting Organizations through Partnership, Education, and Support”

Office for Civil Rights (OCR) Self Reporting – Should you do it?

Posted bySuze Shaffer

 

By Aris Medical Solutions

 

If you have a minor breach (under 500 records) you are required to self report this breach within 60 days after the end of the calendar year in which the disclosure occurred. If you report it, you run the risk of being investigated. So many times I hear organizations say… why would I “report” myself, that would be insane! If you do not report it and it is discovered at a later date, the fines will be increased and they will investigate heavily to determine if you have concealed any other breaches. So, the answer is YES; you should self report.

Understand that the different agencies like the Office for Civil RIghts (OCR) who enforces HIPAA, Federal Trade Commission (FTC), Department of Justice (DOJ), and Centers for Medicare and Medicaid (CMS) more than likely communicate with each other. If you are audited or investigated by one agency, they are looking at your organization as a whole and may report their findings to other agencies. In one scenario that we recently were made aware of the organization was expecting an investigation from the Office for Civil Rights and the Department of Justice showed up! These agencies can decide how and what to investigate based on the information they have received.

The best way to protect your organization is to make sure you have a complete and thorough risk analysis. This will uncover potential vulnerabilities and give you the opportunity to mitigate them BEFORE something happens. Next, make sure you have a risk management plan that dates/documents what you have implemented/corrected based on your risk analysis. Policies, procedures, and documentation are the foundation of all organizations. Your employees need clear and concise procedures so they understand what they need to do. This always insulates you from misunderstanding. Above all, it demonstrates your compliance efforts!

For more information on how Aris Medical Solutions can help your organization with HIPAA Compliance and Protecting your Data call 877.659.2467 or click here to contact us.

“Protecting Organizations through Partnership, Education, and Support”

Websites – is your data secure?

Posted bySuze Shaffer

 

By Aris Medical Solutions

 

Many healthcare providers have websites, since in today’s digital age nearly everyone searches for goods and services before making a decision, this includes healthcare. However, healthcare providers must ensure their websites are HIPAA compliant if any patient data is transferred or accepted.

Many vendors are targeting healthcare with promises of ease of use, added patient interactions, and the ability to gain more patients. Before you agree to accept patient information through your website, you must ensure the vendor or service you are going to use actually understands HIPAA and the requirements.

Here are some issues to consider:

  1. Do patients complete forms on your website? If yes, your website must be secure by utilizing encryption during transmission. This also includes if you are using appointment scheduling through your website. If your site starts with “https” then the data is securely transmitted. However, your site may require updates to ensure the encryption is up to date. If you have a “contact us” and they can send an email to you and your site is not encrypted you should post a message advising them not to send any personal information.
  2. Who has access to your website? If you work with a third party, they too must be HIPAA compliant and understand how to protect your website. If possible add a two-step authentication to prevent unauthorized access. Make sure you have administrative access to your site as well.
  3. Do you know how and where your data is stored? You must utilize a company that understands HIPAA and security if your website accepts or stores any patient data. If your site is not set up properly, Google can actually index your intake forms. If your web hosting company shares your web server with other clients, this too must be reviewed. Keep in mind, if your data (including your backups) is encrypted, it would not be a reportable breach but you still must have a HIPAA compliant business associate agreement in place.
  4. Do you have a recent backup of your website? This may sound crazy because it’s “in the cloud”. Keep in mind, a cloud is just a term used to explain it is NOT on your physical location. It is located on a server somewhere on someone’s physical site.
  5. Do you know how to properly destroy old data? Whether the data is stored on a web server, an old external hard drive, or computer, all data must be removed in a HIPAA compliant manner. This could be a physical destruction or sanitized so that the data cannot retrieved. Don’t forget to document this process!

 

Websites are a necessity today. If you decide to add features like online forms and/or patient scheduling, only do so if properly setup and secured.

For more information on how Aris Medical Solutions can help your organization with HIPAA Compliance and Protecting your Practice call 877.659.2467 or click here to contact us.

“Protecting Organizations through Partnership, Education, and Support”

©2024 Aris Medical Solutions – HIPAA Risk Management | HIPAA Compliance Consultants | All Rights Reserved | Terms and Conditions | Privacy Policy
The content and images on this website is owned by Aris Medical Solutions and their owners. Do not copy any content or images without our consent.
Powered by Bandwise LLC