risk analysis Archives

Cost of cyber attacks on healthcare are steadily rising

Suze Shaffer August 1, 2018June 29, 2022

Why are so many medical offices being attacked? Simple, this is a one stop shop for everything needed for identity theft and many medical practices do not have appropriate safeguards in place. Business associates have even been the target or the entry point. HIPAA requires certain security safeguards to be in place to ensure the safety and security of Protected Health Information (PHI).

There have been 188 data breaches of 500 or more patient records in the first 6 months of this year, and in April alone there were 42. Thirteen of the 188 have already been resolved. https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf
These breaches include small medical practices, business associates, and hospitals. Small and large. Paper and electronic. No one is immune. Many organizations think they are too small to get hit, but the fact is the most common problem is untrained staff that unknowingly cause this to happen. Education is the key to avoiding this catastrophe from destroying your reputation. Of course you still need to certain technical safeguards in place, but even then it only takes one click of a mouse to bring your network down.

Here are some areas to consider:

How would you process a data breach?
How would you handle the reputation management of the breach?
How would you pay for the cost of breach and the investigations?

Having a breach notification plan in place before a breach occurs is critical to reducing the damage. You must have processing in place to shut the system down, continue manually, and report to the appropriate authorities.

Consider the lack of trust from your patients since their information was compromised from your office. No matter if it was your fault or that of a business associate this could have a negative impact on your patient database.

Breaches are costly on many fronts, the first being the cost of the notification of the patients, investigations, downtime, and the mitigation of the source of the breach. In 2013 the Ponemon Institute reported that a data breach cost $233 per medical record, now in the 2018 the report states a healthcare breach can cost on average $408 per medical record.
https://www.ibm.com/security/data-breach

Keep in mind if you do not know which records were breached then everyone must be included in the notification process. What could turn out to be the most costly is the fines and penalties associated with the breach. Depending on how and when you processed the breach is one determining factor. Also once the investigation is complete, if it is discovered this was an ongoing problem and was not mitigated, then you could be found in willful and wanton neglect. This is NOT a place you want to find yourself! The Office for Civil Rights (OCR) can also fine you for not conducting a thorough enough risk analysis thus leaving vulnerabilities untouched. How well do you trust your efforts in securing your data? Have you conducted a risk assessment to determine if what you have in place is sufficient?

How can Aris help?

First of all we conduct a thorough risk analysis that uncovers vulnerabilities and create a risk management plan so that you can mitigate those risks.
Since written documentation is also part of HIPAA compliance, we provide the necessary privacy and security policies, procedures, and documentation needed for state and federal regulatory requirements.
We also offer HIPAA training that includes privacy and security and any custom requests.
If you are one of the many organizations that simply do not have the time to implement your HIPAA program, we can do that for you as well. Month to month, no long term contracts!

If you would like a free HIPAA checkup call 877.659.2467 or complete the contact us form.

“Simplifying HIPAA through Partnership, Education, and Support”

Workstation Security

Suze Shaffer June 19, 2018June 29, 2022

HIPAA Compliance is more than just about a patient’s right to access their information. Although the HIPAA Privacy Rule is how most of this began, it is so much more now! The HIPAA Security Rule outlines administrative safeguards, physical, and technical security. Most organizations are so busy trying to figure out how to protect themselves from the unknown (technical concerns) that they forget about the actual physical security. We are not just talking about building security systems, but how you secure the individual devices that are utilized within your facility and those who travel with portable devices.

Here are some helpful ideas to review with your particular situation:

Although utilizing a security system that has motion sensors is better than nothing, using security cameras usually discourages theft.
Conduct a walk through of your facility and create an inventory list of all devices that access or store ePHI. Knowing what you have, where it is located, and if it contains ePHI is essential in securing your data. This includes portable devices and small electronic media. Remember, printers, copiers, and scanners can store data as well.
Review the location of all devices that access or store ePHI. Ensure they are not located in an area that could be easily accessed by an unauthorized person or utilize cable locks. If screens are viewable and cannot be relocated, the use of privacy screens are highly recommended. Encryption is recommended on any device that contains ePHI. If the devices are transported they should be encrypted even if they do not contain ePHI. If they are ever lost or stolen and the encryption is engaged, it would not be a reportable breach.
If your USB drives are not used, locks should be installed. This is an inexpensive method to protect the network. If your workstations utilize CD/DVD drives, these should be disabled as well. Another option would be to configure this through a Microsoft Group Policy.
Make sure paper PHI is not left in areas that could be accessed by another as well. This includes where you store your excess paper charts. These areas should be locked when not in use. It is also recommended to utilize signage instructing “Employees Only”.
Employees can be your biggest asset or your largest liability. Training your employees on computer security is an ongoing process. Annual HIPAA training should include the HIPAA privacy rule and HIPAA security rule. Also, add monthly security reminders to keep HIPAA fresh in their minds. Continuing education is the key to safety.
HIPAA Policies and procedures are the backbone of an organization. Properly trained employees know and understand what is required and needed. The data that a health care provider has in its possession is priceless. This data must be secure physically and technically. All of this is necessary to avoid a data breach.

If an organization fails to secure patient information the Office for Civil Rights (OCR) will open an investigation and the organization can end up with massive fines. These fines have ranged from $250K to $3.5M. Although the fines are based on the organization’s ability to pay, the days of receiving just a $50K fine seems to be over. Best practices would be to review your HIPAA risk analysis and make sure it is thorough. Some online risk assessments unfortunately do not uncover all of your vulnerabilities. The OCR could consider this as willful neglect even though you didn’t know. Make sure you update your risk management plan and mitigate those vulnerabilities. Small oversights could cost you a fortune.

For more information on how Aris Medical Solutions can help your organization with HIPAA Compliance and Protecting your Data call 877.659.2467.

“Simplifying HIPAA through Partnership, Education, and Support”

MIPS, MACRA, and Risk Assessments

Suze Shaffer December 16, 2017February 1, 2024

By Aris Medical Solutions

MIPS (Merit-based Incentive Payment System) and MACRA (Medicare Access and CHIP Reauthorization Act) is designed to create better patient outcomes and reward those providers that accurately document the progress of their patients. This all sounds great but it takes additional time until this new workflow is established. This is very frustrating to providers who just want to take care of their patients. It is a “learned” function and can be dealt with accordingly if you keep your patience. I know what you are thinking…. and it is easier said than done.

So many practices think since “meaningful use” went away they no longer need to conduct a risk analysis. This is incorrect information. Part of the requirements are that you must still conduct a risk analysis or update the one you already have. When “updating” your risk analysis, be very careful. You are attesting that you have reviewed your vulnerabilities and mitigated those risks.

Conducting a thorough risk analysis is more than just checking a box. It is meant to assist the organization in identifying possible vulnerabilities so you have the opportunity to mitigate them to prevent data breaches. If you merely change the date on your risk analysis and later suffer a breach; that could come back to harm you. If you skip over this or do not take this seriously, you are literally putting your practice at risk.

The best way to tackle this elephant in the room is… one step at a time!

Review your technology devices. Determine if anything has been or needs to be replaced and/or updated.
Understand where and how data is created, accessed, and stored. This includes reviewing the workflow of everyone involved with PHI and ePHI.
Conduct your risk analysis and update the risk management plan. If you choose to “update or review” your existing risk analysis, make sure you do not overlook anything.
If you have not not done so already, create a Incident Response Team (IRT). Utilizing the Security Incident Report will help in determining whether the security incident should be treated as a data breach or not.
When it comes to the actually MIPS documentation, there are organizations that will assist you at no cost to the practice. Don’t chance missing this opportunity to ensure your documentation is accurate.

For more information on how Aris Medical Solutions can help your organization with HIPAA Compliance and Protecting your Data call 877.659.2467 or click here to contact us.

“Protecting Organizations through Partnership, Education, and Support”

Why should I try to secure my data?

Suze Shaffer November 20, 2017February 1, 2024

By Aris Medical Solutions

With all of the large data breaches making the news many smaller organizations think why bother. If the large companies can’t keep their data save, there is no way I can. Keep in mind, large organizations are a huge target and their data is sought after on a grander scale. Smaller companies are targets too, because their data is easier to capture. Smaller organizations typically do not have a qualified IT person or company that oversees their network. Unsuspecting employees are usually how the data is compromised because they have not been properly trained.

Here are some helpful hints how you can protect your data:

Conduct a thorough risk analysis. Know where your data is and how it is accessed.
Create a risk management plan to demonstrate your efforts in compliance.
Conduct a network security audit to ensure your computers/network do not have any open vulnerabilities. This is more than just a scan of your network.
Create a full set of privacy and security policies and procedures so employees understand patient’s rights and how to protect their data.
Employee education. This is more than just once a year HIPAA training. This should be included in your monthly/quarterly meetings. Monthly emails can be sent to the staff as reminders of how important their vigilance is needed.

Patient data is valuable on the dark web and it is up to us to protect the data. One breach can destroy your organization unless you have a lot of money for reputation management. So when you are thinking about how much all of this “prevention” is going to cost, it will cost so much more if you ignore this need.

For the current breaches under investigation click below:
https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf

You can also view archived investigations that have been resolved or that are older than 24 months on the same website.
For more information on how Aris Medical Solutions can help your organization with HIPAA Compliance and Protecting your Data call 877.659.2467 or click here to contact us.

“Protecting Organizations through Partnership, Education, and Support”

Storing Patient Records

Suze Shaffer July 15, 2016February 2, 2024

By Aris Medical Solutions

Since most medical practices are going electronic, it may be time to free up some of that precious space in your office. Make sure when, how, and where you decided to store your data is secure.

Some practices move excess patient charts to a self storage unit. It’s cheap and if you have an patient chart inventory list you should be safe… right?
What happens if the facility burns down?
What if someone breaks in and it is not discovered for months?
What if you don’t have an inventory list of which records are in there?

Did you know that PHI is considered PHI until after a person has been deceased for 50 years! That means even if the person isn’t alive, it is still a reportable breach!
Did you know that if you can’t determine if ANY records or WHICH records were stolen, you would have to report all of them.

Self storage units may sound like a good deal. That good deal could cost you more in the end. If the unit burns or if it is vandalized, you could be charged for wilful neglect for NOT securing the records. Not to mention, you may be required to report this as a data breach and cost you nearly $350.00 per record! Are you willing to accept that risk? After all, the OCR doesn’t specifically state what is or is not HIPAA compliant. If you suffer a data breach, THEN they will determine if you had reasonable and appropriate safeguards in place.

Now I will ask you.. Wouldn’t it make sense to spend about the same amount of money and have a professional company store your records? That’s right; for about $50.00 per month you can store approximately 100 boxes of records! Of course pricing will depends on your location and how many you need to store. When organizing the records, we suggest by year and alphabetize them. This makes it much easier when the time comes to destroy them!

If you need assistance with a Risk Analysis, Risk Management Plan, or implementing a full set of HIPAA Policies and Procedures, call Aris at 877.659.2467 or click here to schedule a demo. We offer a full range of services from a Do-It-Yourself HIPAA program to a Full HIPAA Implementation package.

“Protecting Organizations through Partnership, Education, and Support”

When was the last time you updated your passwords on all internet sites?

Suze Shaffer June 15, 2016February 2, 2024

By Aris Medical Solutions

News broke that LinkedIn user account credentials were dumped on the dark web.
Back in 2012 is when the actually breach occurred, but now the data has surfaced for sale.

Although LinkedIn has taken reasonable advances to mitigate this problem, you still need to protect yourself as well. What that means to you is… you need to change your password as soon as possible. If you used this password anywhere else, you should change that as well. We also recommend implementing a two-step authentication on all sites that offer it. It is easy to set up and adds an extra measure to keep your data safe. Also be very cautious when answering or accepting new connections. Criminals have figured out how to look real, sound real, and get you to take their bait. They do leave clues, but you need to be diligent and read the communication carefully and do not click on any links. Open your web browser and type the name of the company and see if there are any warnings about the website. Your anti-virus (if you use a decent one) should notify you if the website has any suspicious activity.

An additional reason we bring this to your attention is because there are medical practices that have suffered a breach and they do not even know it. It may take years before this data surfaces or is sold. We not only work within this profession but we are also patients at medical facilities all over the country. We must do our part as employees as well as consumers to protect this (our) data. What you need to do:

Use strong passwords (phrases) and change them at least every 90 days.
Implement a two-step authentication anywhere it is available.
Uneducated employees cause most of the breaches, either by clicking on a link or through a lost or stolen device. Continuous education is of the utmost importance.
The use of encryption and/or auto-wipe/remote wipe on all devices that access or store Protected Health Information (ePHI).
Report any suspicious activity to your HIPAA Security Officer.
Be sure to review this report to determine if a breach has happened or potentially has happened.
Mitigate the risk to the best of your ability and make sure it is documented.

“Protecting Organizations through Partnership, Education, and Support”