HIPAA Compliance for Medical Practices
62.2K views | +16 today
Follow
HIPAA Compliance for Medical Practices
HIPAA Compliance and HIPAA Risk management Articles, Tips and Updates for Medical Practices and Physicians
Your new post is loading...
Your new post is loading...
Scoop.it!

HIPAA Compliance and Windows Server 2003 | EMR and HIPAA

HIPAA Compliance and Windows Server 2003 | EMR and HIPAA | HIPAA Compliance for Medical Practices | Scoop.it

Last year, Microsoft stopped updating Windows XP and so we wrote about how Windows XP would no longer be HIPAA compliant. If you’re still using Windows XP to access PHI, you’re a braver person that I. That’s just asking for a HIPAA violation.

It turns out that Windows Server 2003 is 5 months away from Microsoft stopping to update it as well. This could be an issue for many practices who have a local EHR install on Windows Server 2003. I’d be surprised if an EHR vendor or practice management vendor was running a SaaS EHR on Windows Server 2003 still, but I guess it’s possible.

However, Microsoft just recently announced another critical vulnerability in Windows Server 2003 that uses active directory. Here are the details:

Microsoft just patched a 15-year-old bug that in some cases allows attackers to take complete control of PCs running all supported versions of Windows. The critical vulnerability will remain unpatched in Windows Server 2003, leaving that version wide open for the remaining five months Microsoft pledged to continue supporting it.

There are a lot more technical details at the link above. However, I find it really interesting that Microsoft has chosen not to fix this issue in Windows Server 2003. The article above says “This Windows vulnerability isn’t as simple as most to fix because it affects the design of core Windows functions rather than implementations of that design.” I assume this is why they’re not planning to do an update.

This lack of an update to a critical vulnerability has me asking if that means that Windows Server 2003 is not HIPAA compliant anymore. I think the answer is yes. Unsupported systems or systems with known vulnerabilities are an issue under HIPAA as I understand it. Hard to say how many healthcare organizations are still using Windows Server 2003, but this vulnerability should give them a good reason to upgrade ASAP.


more...
No comment yet.
Scoop.it!

Can You Keep a Secret? Tips for Creating Strong Passwords

Can You Keep a Secret? Tips for Creating Strong Passwords | HIPAA Compliance for Medical Practices | Scoop.it

The computers in your office are veritable treasure chests of information cyber pirates would love to get their hands on. Only authorized personnel in a practice should have the keys to unlock what’s inside. Passwords as those keys. They play an important role in protecting Electronic Health Records (EHR) and the vital information those records hold.

The HIPAA Security Rule says that “reasonable and appropriate . . . procedures for creating, changing, and safeguarding passwords” must be in place. But the rule doesn’t stop there. It goes on to say that “In addition to providing passwords for access, entities must ensure that workforce members are trained on how to safeguard information. Covered entities must train all users and establish guidelines for creating passwords and changing them during periodic change cycles.”

Regardless of the type of computers or operating system your office uses, a password should be required to log in and do any work. Today’s blog will focus on how to create strong passwords – the kind that aren’t easily guessed. And since attackers often use automated methods to try to guess a password, it is important to choose one that doesn’t have any of the characteristics that make passwords vulnerable.

How to stay ahead of the hackers

They’re a clever bunch, those hackers. And they seem to know a lot about human nature, too. They’ve figured out the methods most people use when choosing a password. And they’ve turned that knowledge to their advantage.

To outsmart them, create a password that’s:

NOT a word found in any dictionary, even foreign ones
NOT a word any language — including its slang, dialects, and jargon
NOT a word spelled backwards
NOT based on recognizable personal information — like names of family and friends
NOT a birthdate
NOT an address or phone number
NOT a word or number pattern on the keyboard — for instance, asdfgh or 987654

A strong password should:

Be at least 8 characters in length
Include a combination of upper and lower case letters, at least on number and at least one special character, like an exclamation mark

Examples of strong passwords

With their weird combinations of letters, numbers, and special characters, passwords can be a challenge to remember. Starting with an easy-to-remember phrase and then tweaking it to fit the guidelines for strong passwords is one way around that problem.

For instance:

1h8mond@ys! (I hate Mondays!)

5ayBye4n@w (Say bye for now)

Safety first

The importance of having strong passwords — the longer, the better — and changing them on a regular basis can’t be overstated. And it goes without saying that writing a password on a Post-It note and attaching it to a computer monitor should never be done. Do everything you can to make your passwords strong, and store them somewhere safe. These steps will help ensure the security of your PHI and give those hackers fits.

more...
No comment yet.