Your Healthcare Organization Is HIPAA Compliant—Is That Enough for True Security?

The Health Insurance Portability and Accountability Act (HIPAA) exists specifically to protect sensitive patient information in healthcare operations. With a complex and diverse set of standards for how information may be handled, how systems should function, and how work should be done within an organization, HIPAA does a lot to protect patient information. While most organizations stick closely to these standards, there is no official way to certify that you are actually compliant: the Department of Health and Human Services neither issues nor endorses HIPAA certifications, so a vendor's "HIPAA certified" badge is not proof of anything.

Sadly, the inability to verify compliance, combined with the gaps that HIPAA compliance leaves, can lead to a cyber-attack or major data breach. Recovering from a healthcare cyber-attack can cost as much as $1.4 million, so making sure compliance is where it needs to be, and asking whether more needs to be done, is important.

Reasons Why HIPAA Compliance Alone May Not Be Enough

Even though HIPAA policies and standards were written to protect private and sensitive information in the healthcare industry, the truth of the matter is that HIPAA alone does not address every security concern. It is unfortunately not uncommon for a healthcare manager to put all of their faith in HIPAA compliance and completely miss that certain security defenses are absent.

In the most basic terms, HIPAA standards define a baseline security posture for the healthcare industry. Nothing says that meeting these minimum standards will protect your healthcare business from every information security threat. Furthermore, cybersecurity threats evolve so quickly that HIPAA, which changes only through slow regulatory processes, cannot keep pace. Pair this with the fact that many healthcare organizations already struggle to keep up with the new security concerns around cloud data storage and the Internet of Things (IoT), and there is a lot of looming risk to speak of.

Rely On More Than Just HIPAA Compliance and Step Up Security Efforts

Of course, HIPAA compliance is important, but it never hurts to step up the effort to make sure every aspect of the digital operation is secure. According to Health IT Outcomes, there are multiple areas where security must be addressed in a healthcare organization's digital infrastructure, including:

  • Controlling access to systems so that sensitive information is available only to the people within the organization who need to see it
  • Maintaining a stable process that dictates how risks are identified and handled day to day
  • Having a written security plan that serves as the go-to guideline for proper security practices
  • Maintaining an asset inventory that documents the current location of all assets, data, and other components of each system
  • Implementing an information security incident management plan
  • Physically securing hardware and keeping it secure at all times
  • Organizing security plans that cover every part of the organization

Naturally, HIPAA compliance is also part of what is necessary, but as this list shows, it is only one part of ensuring network security. It is not the only process to consider if you want real security.

Final Thoughts On HIPAA Compliance and True Security

Even though HIPAA sets forth decent standards, how those standards are applied within a healthcare operation can vary considerably. Furthermore, some HIPAA standards cover only the basic necessities of a secure system. Together, these two facts can leave a healthcare facility with digital security gaps it does not know exist. It is always better to go further than HIPAA requires, with the help of an IT managed services company if needed, and make sure all aspects are covered.

Did You Know Healthcare-Based Cybercrime Is On The Rise?

If you have worked in the healthcare sector for a decade or more, you know how much technology has changed over that time.

The way you store and access healthcare information, the use of interconnected medical devices, and more have all contributed to a higher quality of care, benefiting both the healthcare professional and the patient.

However, just as technology helps the healthcare industry through the convenience of data storage and access, it also presents serious cybersecurity risks.

To put it simply: the easier it is for you to access Protected Health Information (PHI), the easier it is for cybercriminals to do so as well. Don't make the mistake of assuming that because you are not a major hospital or a large, busy practice you aren't a potential victim; data is data. If you're an easy target, cybercriminals will find you.

If you want to take advantage of the benefits that modern healthcare technology has to offer, then you have a responsibility to make sure it’s properly secured against today’s more common cybercrime threats.

Unfortunately, throughout the industry, that doesn’t appear to be the case…

The Rise Of Cybercrime In The Healthcare Sector

FireEye researchers have noted an increase in targeted attacks against healthcare organizations that hold large amounts of valuable patient data. This is in contrast to the conventional "wide-net" approach, which is opportunistic: hit as many organizations as possible and hope some of them pay off.

These attackers use credential-theft malware, ransomware, extortion campaigns, and cryptomining. Over the past two years, many healthcare databases have been offered for sale on dark-web markets, and so has access to healthcare systems themselves.

“On Feb. 6, 2019, on a popular Russian-language forum, ‘Jendely’ advertised access to a U.S.-based medical institution,” noted FireEye in their report. “According to the advertisement, the actor obtained the domain administrator’s access to the network consisting of 3,000 hosts. The access is being auctioned for $9,000–$20,000.”

Not long after that, a US healthcare organization was hit with malware in an attack suspected to have originated in China. FireEye determined that this was not the first time that group had targeted the victim.

This all confirms the suspicions of cybersecurity experts watching the healthcare industry – attacks are on the rise, and they’re becoming more targeted and more likely to reoccur. In fact, organizations in the healthcare industry are the third most likely to be hit again after an original cyber-attack.

How Can You Protect Your Practice?

1. Antivirus Software

Antivirus software works alongside a firewall to defend against malware, including adware and spyware. Each of these can do immense damage to internal processes and to a company's reputation. The job of antivirus software is to spot, block, and quarantine malicious applications so they cannot damage your data or your legitimate software.

Antivirus is installed on each user's computer, which is why it is called endpoint protection. It is designed to detect and block a virus or other malware before it takes root on that machine or, worse, spreads to the network the user is connected to.

Antivirus products detect threats in two main ways. Signature-based detection compares a file against a database of patterns (file hashes or characteristic byte sequences) that identify known malware. Behavior-based, or heuristic, detection watches what a program actually does, such as encrypting large numbers of files or injecting code into other processes, and flags or blocks actions that match known malicious behavior even when the file itself is not recognized. Because signature databases only cover malware that has already been seen, the software must be kept up to date, and behavior-based detection is what catches new variants.

2. Firewalls

Your firewall is your first line of defense for keeping your information safe.

A firewall is a system that controls the traffic entering and leaving your network. It blocks unauthorized connections to your systems and data. Firewalls are deployed as hardware appliances, as software on a host, or as a combination of the two.

A firewall inspects and filters incoming and outgoing data in the following ways:

    • Packet filtering inspects each packet's header (source and destination address, port, and protocol) and accepts or rejects it according to your predefined rules.
    • An application gateway (application-layer proxy) applies security at the application level for specific protocols, such as Telnet (remote terminal access over a TCP/IP network) and File Transfer Protocol servers, and can inspect the content of those sessions.
    • A circuit-level gateway validates a connection, such as a TCP session, when it is set up and then passes the packets of that session without inspecting each one.
    • Proxy servers mask your true network addresses and see every message that enters or leaves your network, since all traffic passes through them.
    • Stateful inspection (dynamic packet filtering) tracks every connection in a state table and allows an inbound packet only if it belongs to a connection an inside host opened or matches an explicit rule. This is what stops an outsider's unsolicited packets from being accepted just because they look like replies.
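To make the difference between plain packet filtering and stateful inspection concrete, here is an added example in Python (not code from the original post or from any firewall vendor). It models a tiny filter with made-up hosts: a workstation at 10.0.0.5 opens an HTTPS connection, the server replies, and then an attacker sends an unsolicited packet from source port 443 to the workstation's RDP port. The stateless filter needs a rule admitting inbound traffic from port 443 just to let the reply in, and that same rule admits the attacker's probe; the stateful filter lets the reply in because it remembers the connection, and rejects the probe.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed teaching example: a tiny packet filter that runs either as a
# stateless filter (rules only) or with stateful inspection (rules plus a
# connection table). All hosts and ports below are made up.


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"
    syn: bool = False  # True only for the packet that opens a TCP connection


@dataclass
class Rule:
    action: str                  # "allow" or "deny"
    src: str = "any"             # exact address or "any"
    dst: str = "any"
    sport: Optional[int] = None  # None matches any port
    dport: Optional[int] = None
    proto: str = "any"

    def matches(self, p: Packet) -> bool:
        return ((self.src == "any" or self.src == p.src)
                and (self.dst == "any" or self.dst == p.dst)
                and (self.sport is None or self.sport == p.sport)
                and (self.dport is None or self.dport == p.dport)
                and (self.proto == "any" or self.proto == p.proto))


Flow = Tuple[str, int, str, int, str]  # src, sport, dst, dport, proto


class Firewall:
    def __init__(self, rules: List[Rule], stateful: bool) -> None:
        self.rules = rules
        self.stateful = stateful
        self.connections: Dict[Flow, bool] = {}  # the state table

    def _rule_decision(self, p: Packet) -> str:
        for r in self.rules:          # first matching rule wins
            if r.matches(p):
                return r.action
        return "deny"                 # default deny when nothing matches

    def process(self, p: Packet) -> str:
        forward: Flow = (p.src, p.sport, p.dst, p.dport, p.proto)
        reverse: Flow = (p.dst, p.dport, p.src, p.sport, p.proto)
        if self.stateful:
            if forward in self.connections or reverse in self.connections:
                return "allow"        # belongs to a connection already accepted
            if p.proto == "tcp" and not p.syn:
                return "deny"         # mid-stream TCP packet with no connection: unsolicited
        decision = self._rule_decision(p)
        if decision == "allow" and self.stateful:
            self.connections[forward] = True
        return decision


def demo() -> Dict[str, str]:
    """Runs the same three packets through a stateless and a stateful filter."""
    workstation, webserver = "10.0.0.5", "203.0.113.10"
    outbound = Packet(workstation, 51000, webserver, 443, syn=True)  # user opens HTTPS
    reply = Packet(webserver, 443, workstation, 51000)              # server answers
    probe = Packet(webserver, 443, workstation, 3389, syn=True)     # attacker: source port 443 to RDP

    # Stateless: to let replies in at all it needs a rule allowing inbound
    # traffic *from* port 443, and that rule also admits the attacker's probe.
    stateless = Firewall([
        Rule("allow", src=workstation, dport=443, proto="tcp"),
        Rule("allow", dst=workstation, sport=443, proto="tcp"),
    ], stateful=False)

    # Stateful: only the outbound rule is needed; replies are matched
    # against the connection table instead of a rule.
    stateful = Firewall([
        Rule("allow", src=workstation, dport=443, proto="tcp"),
    ], stateful=True)

    results: Dict[str, str] = {}
    for name, fw in (("stateless", stateless), ("stateful", stateful)):
        results[f"{name}_outbound"] = fw.process(outbound)
        results[f"{name}_reply"] = fw.process(reply)
        results[f"{name}_probe"] = fw.process(probe)
    return results


if __name__ == "__main__":
    for key, decision in demo().items():
        print(f"{key:20s} {decision}")
```

Run it directly to print the six decisions. Real firewalls track far more (TCP flags and sequence numbers, pseudo-state for UDP and ICMP, idle timeouts), but the source-port trick shown here is exactly why stateful inspection replaced plain packet filters as the default.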

3. Two-Factor Authentication

Two-Factor Authentication (2FA) adds an extra layer of protection to existing system and account logins. 45% of polled businesses began using 2FA in 2018, compared to 25% the year before.

By requiring a second piece of information, such as a one-time code generated by an authenticator app or sent by text message, you are better able to confirm that the person using an employee's login credentials is actually that employee. Biometrics such as fingerprints, voice, or iris scans are also options, as are physical objects such as keycards or hardware tokens.

There are three categories of information that can be used in this process:

    • Something you have: a mobile phone, an authenticator app, a hardware token, or the one-time code they generate
    • Something you know: a password, PIN, or passphrase (security questions such as a family member's name or city of birth fall here too, but they are weak because the answers are often public)
    • Something you are: fingerprints, facial recognition, or other biometrics

So what are the benefits of a Two-Factor Authentication solution?

    • Bring Your Own Device: in today's business world, more and more employees prefer to do at least some of their work on their own mobile devices, which presents a serious security risk. With a 2FA solution that does not require an endpoint agent, you can enroll new employee devices in minutes.
    • Flexible policies: a Two-Factor Authentication solution does not force you to apply the same security policy to every user in the company. You can specify policies per person or per group.

4. Data Backup

Do you have a data backup policy in place?

If not, then you are vulnerable, right now, to ransomware.

Ransomware has quickly become one of the biggest cyber threats to businesses today. Remember the WannaCry epidemic that infected hundreds of thousands of systems in more than 150 countries?

That was ransomware, and it could happen to you too. Unless that is, you get a data backup solution put in place.

If you have a tested backup, it matters far less that your data has been encrypted. You restore it from the backup, simple as that.

That is why you should invest in a comprehensive backup and disaster recovery solution, so that you can restore your data at a moment's notice when necessary.

Be sure to:

    • Back up data regularly (at least daily).
    • Test your backups by actually restoring from them, and verify their integrity (for example, by checking file hashes against a manifest made at backup time).
    • Secure your backups and keep at least one copy offline or otherwise isolated from the networks and computers they protect; ransomware that can reach a backup share will encrypt it too.
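The second and third points above are where most backup strategies fail in practice. The following added example (not code from the original post or from any backup product) shows one way to check backup integrity in Python: hash every file in the backup set into a manifest when the backup is taken, store that manifest somewhere the backed-up host cannot write, and later compare the set against it. The file names and contents are constructed; the second half of demo() simulates ransomware reaching the backup share.

```python
import hashlib
import json
import tempfile
from pathlib import Path
from typing import Dict, List

# Constructed example: hash every file in a backup set into a manifest at
# backup time, then re-check the set later. File names and contents are made up.


def sha256_file(path: Path) -> str:
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):  # stream; do not load the whole file
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(backup_dir: Path) -> Dict[str, str]:
    """Relative path -> SHA-256 hex digest, for every regular file under backup_dir."""
    return {p.relative_to(backup_dir).as_posix(): sha256_file(p)
            for p in sorted(backup_dir.rglob("*")) if p.is_file()}


def verify_backup(backup_dir: Path, manifest: Dict[str, str]) -> List[str]:
    """Returns a list of problems; an empty list means the set matches the manifest."""
    current = build_manifest(backup_dir)
    problems: List[str] = []
    for name, digest in manifest.items():
        if name not in current:
            problems.append(f"missing: {name}")
        elif current[name] != digest:
            problems.append(f"modified: {name}")
    for name in current:
        if name not in manifest:
            problems.append(f"unexpected: {name}")
    return problems


def demo() -> Dict[str, List[str]]:
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "ehr.sql.gz").write_bytes(b"constructed database dump")
        (root / "images").mkdir()
        (root / "images" / "scan01.dcm").write_bytes(b"constructed imaging bytes")

        manifest = build_manifest(root)
        manifest_json = json.dumps(manifest, indent=2)  # store this off-host, next to nothing the host can write
        clean = verify_backup(root, json.loads(manifest_json))

        # Simulate ransomware reaching the backup share: one file encrypted
        # in place and a ransom note dropped alongside it.
        (root / "ehr.sql.gz").write_bytes(b"\x00\x00encrypted\x00\x00")
        (root / "READ_ME.txt").write_bytes(b"pay to decrypt")
        tampered = verify_backup(root, manifest)
        return {"clean": clean, "tampered": tampered}


if __name__ == "__main__":
    print(demo())
```

An attacker who can reach the backup share can also rewrite a manifest stored next to it, which is why the manifest (or at least an HMAC over it with a key kept elsewhere) belongs off-host or on write-once storage. A hash check also does not prove the backup restores; schedule a real restore into a scratch environment as well.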

5. Encryption

In layman's terms, encrypted data has been transformed into a form that is meaningless to anyone who intercepts it. It is one of the most effective ways to secure a database, because decryption requires a key, which you can think of as a secret password that must itself be protected and stored separately from the data. The encryption software also needs to be kept up to date, so that private information remains accessible only through the authorized database application.

Encryption is an excellent way to protect important data. By making data unreadable to anyone who is not supposed to have access to it, you can secure files stored on your systems, servers, and mobile devices, as well as files sent by email or through file-sharing services. Laptops and portable drives deserve particular attention: a lost encrypted device is far less damaging than a lost unencrypted one.

6. Virtual Private Network

One proven technique for keeping your data safe in transit is a virtual private network (VPN). A VPN creates an encrypted tunnel between your device and a VPN server, so your traffic crosses the Internet protected.

When you use a VPN, your data is encrypted as it moves from your device to the VPN server, and then continues onto the Internet through what is called an exit node. To the destination, your traffic appears to come from the VPN server rather than from your device.

That makes it harder for an attacker on the same network to read your traffic or identify you as its source, whether you are on your mobile device's data connection or on an unsecured retail Wi-Fi network while you wait in line for coffee. Even if attackers intercept your data between you and the VPN server, the encryption means they cannot read it or use it to their advantage.

Once your traffic leaves the VPN server, it travels the public internet as it normally would. The VPN protects the first hop, not the whole path, so the site you visit still needs HTTPS for the connection to stay protected end to end. For a healthcare practice, the most important use is a remote-access VPN into the practice network, so that staff working from home or on the road reach the EHR through an encrypted tunnel instead of the EHR being exposed directly to the internet.

Don’t make the mistake of assuming your healthcare organization is low-profile enough to avoid a cybercriminal’s crosshairs. As explored above, your practice is a high-value target because of the data you store, no matter your size. If you’re an easy target, they will find you.

Do You Really Understand The HIPAA Breach Notification Rule?

When you think healthcare and cybersecurity, the first things that come to mind are probably HIPAA or WannaCry, and for good reason: almost half of all ransomware incidents reported last year targeted healthcare companies.

Ongoing healthcare cyber events like these make the HIPAA Breach Notification Rule more important than ever. It is not hypothetical: you need to know what is expected of you in the event that you experience a breach.

Are you confident that you do?

What Is The HIPAA Breach Notification Rule?

According to the AMA:

“HIPAA’s Breach Notification Rule requires covered entities to notify patients when their unsecured protected health information (PHI) is impermissibly used or disclosed—or “breached,”—in a way that compromises the privacy and security of the PHI.

An impermissible use or disclosure of PHI is presumed to be a breach unless the covered entity demonstrates that there is a “low probability” that the PHI has been compromised.”

In layman's terms, this rule details whom you must notify, and how, when your patients' PHI is breached. Depending on the size of the breach, that can mean individual notification letters to the affected patients, a public notice on your website, notifying the media, and reporting to the HHS Office for Civil Rights (OCR). Business Associates have their own obligation to notify you, the covered entity, when a breach happens on their side.

What Is Your First Move When You Suspect A Breach Has Occurred?

The first step is to determine the extent of the incident and, specifically, whether any unsecured PHI was accessed. It is possible that, because of your security measures or the limits of the attacker's access, no PHI was acquired or viewed. The rule also covers only unsecured PHI: if the data was encrypted consistent with HHS guidance and the key was not compromised, its loss is not a reportable breach.

The way to find out for sure is to conduct and document a risk assessment that considers at least these four factors:

    • Whether the PHI was actually acquired or viewed
    • The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification
    • The identity of the unauthorized person(s) who used the PHI or to whom the disclosure was made
    • The extent to which the risk to the PHI has been mitigated by the covered entity

If the assessment cannot demonstrate a low probability that the PHI was compromised, it is a breach, and you are subject to the notification requirements. Keep the written assessment either way; OCR can ask to see it.

What About Notification?

In the event that PHI has been breached, you’ll then need to figure out who needs to be notified, in what manner, and within what timeline.

The three groups you may need to notify are:

    • Affected individuals
    • The media
    • Regulators (HHS OCR)

The baseline rule is that affected individuals must be notified without unreasonable delay, and in no case later than 60 calendar days after you discover the breach. Discovery means the day you knew of the breach or, with reasonable diligence, would have known of it, so the clock does not wait for your investigation to finish.

This timeline can change in one situation: if a law enforcement official states that notification would impede a criminal investigation or damage national security, notification is delayed for the period the official specifies.

What Does The Notification Need To Include?

Sent by first-class mail, or by email if the individual has agreed to electronic notice, the notification must include:

    • Description of the breach
    • Description of the types of information involved in the breach
    • Steps breach victims should take to protect themselves from harm
    • Description of what the covered entity is doing to investigate the breach, mitigate the harm, and prevent further breaches
    • Contact information for the covered entity

If you have out-of-date or incomplete contact information for 10 or more affected individuals, you must provide substitute notice: post a conspicuous notice on the home page of your website for 90 days (or in major print or broadcast media), and set up a toll-free number, active for at least 90 days, that people can call for further information. For fewer than 10, an alternative form of written notice, a telephone call, or other means is acceptable.

If the breach involves more than 500 residents of a state or jurisdiction, you must also notify prominent media outlets serving that state or jurisdiction, within the same 60-day deadline.

Lastly, you must notify OCR (through the HHS breach reporting portal) according to the number of individuals affected:

    • Fewer than 500: log the breach and report it to OCR no later than 60 days after the end of the calendar year in which it was discovered
    • 500 or more: report it to OCR without unreasonable delay and no later than 60 days after discovery, at the same time as the individual notices go out

What About Business Associates?

Your Business Associate Agreement (BAA) needs to spell out which party handles notification. By default the covered entity is responsible for notifying individuals, the media, and OCR, while the Business Associate must notify the covered entity of a breach on its side without unreasonable delay and no later than 60 days after discovery, and supply the details the covered entity needs to send its notices. The BAA may delegate notification to the Business Associate or share the work, but the covered entity remains ultimately accountable.

What’s The Best Way To Avoid A Breach?

So far we have only talked about what to do once you discover a breach has occurred. Understanding these processes, and assuming that you will experience a breach at some point, is important, but it is also prudent to talk about prevention.

The best way to protect your PHI is with encryption. Encrypted data has been transformed into a form that is meaningless to anyone who intercepts it, and it can only be turned back into readable data with the key. Encryption is also the one safeguard with a direct link to this rule: HHS guidance treats PHI encrypted consistent with NIST recommendations as "secured", so losing an encrypted laptop whose key was not compromised is not a reportable breach, while losing the same laptop unencrypted is. Keep the keys separate from the data, and keep the encryption software up to date.

By making data unreadable to anyone who is not supposed to have access to it, you can secure files stored on your systems, servers, and mobile devices, as well as files sent by email or through file-sharing services. Full-disk encryption on laptops and phones, and encryption of removable media, are the highest-value places to start, because those are the devices that get lost or stolen.

A Quarter Of US Health Employees Aren’t Trained For Cybersecurity

A Quarter Of US Health Employees Aren’t Trained For Cybersecurity – Does That Include Your Staff?

A significant portion of the country’s healthcare workforce doesn’t know how to contribute to their practice’s cybersecurity. Are your staff members putting you at risk?

Most cybersecurity products offered today include excellent software, from firewalls to anti-malware to data encryption and more. However, as important as this technology is, on its own it simply isn't enough.

The key to truly comprehensive cybersecurity is simple, yet often overlooked: the user.

The best cybersecurity technology and practices in the world can be undone by one staff member who doesn’t understand how to use them, or how to protect the data they work with.

And in the healthcare industry, this is a big problem…

The State Of Healthcare Cybersecurity

According to a new report from Kaspersky, up to 24% of healthcare workers in the US have not received any cybersecurity training. North of the border, in Canada, that number rises to 41%.

That doesn't mean the other 76% of your staff are secure in their practices either: 11% say the only cybersecurity training they ever received was during their hiring process. In the end, only 38% of employees from the 1,700 surveyed healthcare organizations reported receiving cybersecurity training on an annual basis.

The fact is that cybersecurity in healthcare IT is harder than in other sectors, and poorly trained workers only make the problem worse.

The modern healthcare workplace requires a lot of data sharing with many different people, more so than other sectors, and that data lives on more devices in more dispersed settings. The complexity and breadth of health IT systems keep increasing.

At its core, healthcare cybersecurity comes down to the HIPAA Security Rule.

The Security Rule sets standards for handling electronic Protected Health Information (ePHI). The Privacy Rule covers PHI in every form, paper and spoken included; the Security Rule applies to the electronic subset and establishes national standards for protecting patient data that is stored or transmitted electronically.

The rule requires that three different types of safeguards are put in place:

  • Administrative
  • Physical
  • Technical

These safeguards exist to ensure the confidentiality, integrity, and availability of ePHI as it is created, received, maintained, or transmitted. The Security Rule is deliberately technology-neutral, so new technology can be integrated into your operations while private patient data stays protected.

By law, the Security Rule applies to health plans, healthcare clearinghouses, and any healthcare provider that transmits health information electronically, and, since the HITECH Act, directly to their Business Associates as well. Any provider or entity that comes in contact with ePHI must comply with the HIPAA Security Rule; if that includes you, make sure you follow it.

How Do I Train My Employees For Cybersecurity?

A comprehensive cybersecurity training program will teach your medical staff how to handle a range of potential situations:

  • How to identify and address suspicious emails, phishing attempts, social engineering tactics, and more.
  • How to use business technology without exposing data and other assets to external threats by accident.
  • How to respond when you suspect that an attack is occurring or has occurred.
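The first bullet is the one staff get drilled on most, and it helps to be precise about what "suspicious" means. The following added example (not code from the original post or from any training vendor) encodes five of the signs a trained user looks for, in Python, and runs them over two constructed messages: a genuine internal mail and a phishing attempt that spoofs the practice's helpdesk. The practice domain example-clinic.org and every address, host, and message in it are made up.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from typing import List

# Constructed example: the header and body checks a trained user (or a mail
# filter) applies to a suspicious message. Domain, hosts and messages are made up.
TRUSTED_DOMAIN = "example-clinic.org"        # assumption: the practice's own mail domain
URGENCY_WORDS = ("urgent", "immediately", "suspended", "verify your account")
LINK_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
HOST_RE = re.compile(r"https?://([^/\s\"<>]+)", re.I)


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def normalise(domain: str) -> str:
    """Collapse the usual lookalike tricks (hyphens, 0/o, 1/l, rn/m) so that
    example-c1inic.org compares equal to the real name."""
    return (domain.lower().replace("-", "").replace("0", "o")
            .replace("1", "l").replace("rn", "m"))


def phishing_indicators(raw_message: str) -> List[str]:
    msg = message_from_string(raw_message)
    found: List[str] = []

    display_name, sender = parseaddr(msg.get("From", ""))
    sender_domain = domain_of(sender)
    _, reply_to = parseaddr(msg.get("Reply-To", ""))

    # 1. Replies silently routed somewhere other than the apparent sender.
    if reply_to and domain_of(reply_to) != sender_domain:
        found.append("Reply-To goes to a different domain than From")
    # 2. A sender domain that imitates ours without being ours.
    if sender_domain != TRUSTED_DOMAIN and normalise(sender_domain) == normalise(TRUSTED_DOMAIN):
        found.append(f"lookalike sender domain {sender_domain}")
    # 3. An address stuffed into the display name, aimed at clients that hide the real one.
    if "@" in display_name and domain_of(display_name) != sender_domain:
        found.append("display name impersonates another address")
    # 4. Pressure to act now.
    subject = msg.get("Subject", "").lower()
    if any(word in subject for word in URGENCY_WORDS):
        found.append("urgency language in subject")
    # 5. Link text that shows one host while the href points at another.
    body = (msg.get_payload(decode=True) or b"").decode("utf-8", "replace")
    for href, text in LINK_RE.findall(body):
        shown, actual = HOST_RE.search(text), HOST_RE.search(href)
        if shown and actual and shown.group(1).lower() != actual.group(1).lower():
            found.append(f"link text shows {shown.group(1)} but points to {actual.group(1)}")
    return found


# Constructed sample messages.
LEGITIMATE = """\
From: "Dr. Lee" <lee@example-clinic.org>
Subject: Schedule for next week
Content-Type: text/html

<p>The updated rota is on <a href="https://intranet.example-clinic.org/rota">the intranet</a>.</p>
"""

PHISHING = """\
From: "IT Helpdesk it-support@example-clinic.org" <helpdesk@example-c1inic.org>
Reply-To: helpdesk@mail.attacker.example
Subject: URGENT: your EHR account will be suspended
Content-Type: text/html

<p>Please <a href="https://login.attacker.example/ehr">https://ehr.example-clinic.org/login</a> now.</p>
"""

if __name__ == "__main__":
    print("legitimate:", phishing_indicators(LEGITIMATE))
    print("phishing:  ", phishing_indicators(PHISHING))
```

The checks are deliberately simple and will not catch every phish (there is no SPF, DKIM or DMARC verification and no attachment analysis), but they map one to one onto what training teaches: look at the real sender address and domain rather than the display name, hover over links before clicking, treat urgency as a warning sign, and be suspicious when replies are directed somewhere else.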

Your staff have a significant effect on your cybersecurity: either they know enough to keep your assets secure, or they don't, and therefore present a serious risk to your security.

So, which is it? Do your employees and volunteers have the knowledge they need to spot cybercrime scams, avoid common pitfalls and keep your data secure?

If you’re not sure, then they may need training…

Security awareness training helps your employees and volunteers know how to recognize and avoid being victimized by phishing emails and scam websites.

They learn how to handle security incidents when they occur. If your employees and volunteers are informed about what to watch for, how to block attempts and where they can turn for help, this alone is worth the investment.

What You Need to Know About Moving Your Health IT System to the Cloud?

Are You Ready for the Cloud?

With a clear, comprehensive implementation plan, you can minimize downtime and disruptions while you move your data and applications to the cloud.  

Let’s walk through the 5 W’s + How.

  • Who?
  • What?
  • When?
  • Where?
  • Why?
  • How?

No, this isn't an intro to journalism course. We'll use this formula to break down your options when choosing an IT outsourcing firm to help move your healthcare practice to the cloud.

What Should You Be Looking For?

Clouds are public, private, or a hybrid of the two, and the labels can be confusing. A public cloud is not open to the public; it is shared, multi-tenant infrastructure run by a provider. A private cloud is infrastructure dedicated to a single healthcare provider, whether on premises or hosted as a remote data center.

To decide which cloud is best for your organization, determine what you actually need. Choose a service model: infrastructure, platform, or software as a service (IaaS, PaaS, or SaaS). Relevant considerations include company size, HIPAA impact, and what you want to accomplish. Whichever you choose, the provider will be handling ePHI on your behalf, so it must sign a Business Associate Agreement before any patient data goes up.

Who Is the Best Cloud Provider?

Healthcare IT News identifies seven top providers:

  • Amazon Web Services, which pioneered this market, has aggressive pricing and releases new features regularly. Its main service is IaaS.
  • CDW Cloud Solutions, familiar to many healthcare organizations, offers a variety of services, such as migration planning and project support.
  • IBM Cloud, ClearDATA, Google Cloud Platform, Microsoft Azure and VMware receive honorable mention.

It’s best to look into several services to determine the best one for your IT needs.

When Is it Time to Switch to the Cloud?

Most companies have some kind of cloud-based functionality already. For those still deciding whether to switch, the following questions can help clarify your thoughts.

  • Who can help us with the migration plan?
  • Is the management team stable?
  • What’s the strategy driving the move?
  • Are local providers reliable?
  • Is it in the budget?
  • Will we net a positive return on our investment?

These questions get right to the heart of the matter and help you find out if your team is ready, able and willing to make the switch.

Where Should the Data Centers Be Located?

The physical location of the data center matters less than you might think. What matters more is replicating data and applications across distinct regions for redundancy, so your data stays accessible when one site fails. Where you, or your IT consultants, place your backups is determined by the technology and configurations that work best with your systems. With around-the-clock monitoring in place, location is largely a non-issue; just confirm that every region you use is covered by the provider's Business Associate Agreement.

Why Are You Thinking About Moving to the Cloud?

This question is a bit outmoded. A better question is, "Why wouldn't you move to the cloud?" Most companies have asked, or are asking, exactly that right now. Cloud systems scale easily and are usually cheaper than maintaining your own local data center. In the cloud, critical processes such as data replication and disaster recovery are more straightforward.

Cloud services also offer a pay-as-you-go model that fits the budget of more practices and startups. Data security used to be considered a cloud risk; the major providers now offer strong controls, but under the shared-responsibility model the provider secures the underlying infrastructure while you remain responsible for configuring access, encryption, and logging correctly for your systems and patient data.

How Can You Get There?

Vet an experienced healthcare IT provider that has handled multiple cloud implementations and integrations. Reputable providers should be able to share their own cloud models, provide references, and keep the project within a reasonable budget from start to finish.

Scalability is key in the cloud. It's one of the major benefits, so make sure your organization is in a position to leverage it. With the right cloud setup, scaling up your user base should be easy and hassle-free. The documentation your IT consultant provides should include detailed plans for the tools and features needed to meet HITECH and HIPAA requirements. With a clear, comprehensive implementation plan, you can minimize downtime and disruptions while you move your data and applications to the cloud.

Happy Labor Day

To make the most of what we hope will be a gorgeous long weekend, we will be closing our office for Labor Day on Monday, September 2nd, 2019.

And as always, we’ll have technicians on call for all of our managed IT services clients, and you’ll be able to reach us by calling our office if any emergency technical issues arise.