Blog


How well do you know the requirements for the Health Information Technology for Economic and Clinical Healthcare (HITECH) Act? How about the penalties for noncompliance? As a covered entity under HIPAA, a medical provider is responsible for any data breaches caused by its business associates (BAs), such as those who handle eligibility, enrollment, claims management, and IT services for the plan.

The penalties for HIPAA/HITECH violations and data breaches have grown in severity over the past few years, from a maximum of $25 thousand to $1.5 million. Add the cost of class action lawsuits, cyber incident response, remediation, and media notification and we’re talking millions! Basic cyber security practices are needed to protect the confidentiality, integrity, and availability of health information in electronic health record (EHR) systems, regardless of how they are delivered, whether installed in a provider’s office or accessed over the Internet.

Assure You Comply with MU Privacy & Security Requirements
The HITECH Act promotes the adoption and meaningful use (MU) of health information technology and adds new protections to the regulations under the original 1996 HIPAA authority. These regulations include extending enforcement to BAs and covered entities and setting new limits on the use and sale of individuals’ information. As a healthcare provider, it’s important not only to understand the rules, but to take the appropriate measures to protect and secure information, and to educate staff and patients on new policies and procedures. The real issue is the time it takes medical providers to enforce the requirements associated with HIPAA/HITECH. The challenges expressed by most providers include:

• Getting the employees properly trained
• The cost associated with meeting the requirements
• Obtaining the new software and other IT resources
• Understanding all of the requirements
• Encrypting data appropriately
• Approaching and monitoring BAs

Identify Risks to Your Medical Practice
As a cyber security company, we highly recommend hiring a professional to help implement the requirements. Security professionals are trained to identify security vulnerabilities and threats, and to assess the business operations and employee habits and practices that can place ePHI at risk. At minimum, you can conduct a security review by enforcing the following requirements:

• Assign a Security Officer
• Conduct a Security Risk Analysis
• Develop an Action Plan
• Develop clear and meaningful training
• Understand BA relationships and agreements

Initiation and maintenance are the two important phases of setting up the appropriate safeguards. This includes identifying risks and implementing a strong mitigation strategy that is monitored, cyclical, and continuously reassessed, especially as IT software and applications are updated or replaced.


With the recent cyber attack headlines and the latest Cyber Security Framework (released by the federal government), it’s easy to get information overload. Small businesses are increasingly targeted by hackers because of a perceived lack of resources; these attackers are after intellectual property, client protected information, bank account numbers, and more. Will your latest antivirus software update prevent these ongoing attacks? The short answer is… no! If we were to break down the threat landscape and define threats in terms of ‘methods’, we would discover four categories. These categories, or phases of an attack, are: First Contact, Local Execution, Establishing Presence, and Malicious Activity. As you’ve noticed, I’ve ‘bolded’ Establishing Presence. This is the phase where our anti-virus software finally comes into play and identifies the threat. That happens only if the anti-virus software recognizes the threat, that is, if an existing signature for the threat is known. Some viruses are so ‘new’ that anti-virus software fails to identify them as threats during a routine scan. This is why it’s so important to not only understand the phases, but also learn about the different ways of preventing each stage. So here is some general information about each phase of a cyber attack.

First Contact
This is how the attacker first crosses paths with its victim. The interaction is usually via a malicious web site, but can also occur through email or infected devices, such as external storage devices. To avoid initial contact, you need a filter that stops the attack before it reaches your desktop.

Local Execution
Once there is contact, the attacker runs their malicious code on your machine. This is referred to as the ‘breaking in’ phase. The virus embeds itself in hardware, applications, or your operating system. It looks for flaws in your current software applications, or even weak passwords. When a flaw is identified, it writes its code and moves on to phase three.

Establishing Presence
At this point the attack, or virus, preserves itself, ‘setting up shop’ on your machine. It can block access to security software updates, change web browser security settings, or even hide itself in known good processes. And as mentioned before, this is where antivirus software comes into play, but only if it is a known threat or there is an existing signature for it. If you’ve reached this phase without detection, it is too late!

Malicious Activity
And finally the attacker can start stealing information and sending it out of your system. This information includes customer bank accounts, intellectual property, financial records, passwords, and other identity information.

So how can a business help protect itself against any or all phases of a cyber attack? Simple… a layered, comprehensive, and solid security management approach. The first step in achieving this is to consult with a cyber security company that can verify that your resources are not compromised by running a security health check, as well as providing suggestions and procedures for remediation and management.
