HIPAA Compliance for Medical Practices
HIPAA Compliance and HIPAA Risk management Articles, Tips and Updates for Medical Practices and Physicians

4 HIPAA compliance areas your BAs must check


It finally looks like the feds are starting up the next phase of HIPAA audits — but there’s still time to ensure your business associates (BAs) are staying compliant. 


In preparation for the next round of audits, the Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) has begun sending out pre-audit surveys to randomly selected providers, according to healthcare attorneys from the law firm McDermott Will & Emery.

Originally, the surveys were meant to go out during the summer of 2014, but technical improvements and leadership transitions put the audits on hold until now.

Moving toward Phase 2

The OCR has sent surveys asking for organization and contact information from a pool of 550 to 800 covered entities. Based on the answers it receives, the agency will pick 350 for further auditing, including 250 healthcare providers.

The Phase 2 audits will primarily focus on covered entities’ and their BAs’ compliance with HIPAA Privacy, Security and Breach Notification standards regarding patients’ protected health information (PHI).

Since most of the audits will be conducted electronically, hospital leaders will have to ensure all submitted documents accurately reflect their compliance program since they’ll have minimal contact with the auditors.

4 vendor pitfalls

It’s not clear yet to what extent the OCR will evaluate BAs in the coming audits due to the prolonged delay. However, there are plenty of other good reasons hospital leaders need to pay attention to their vendors’ and partners’ approaches to HIPAA compliance and security.


Why?


Mainly because a lot of BAs aren’t 100% sure what HIPAA compliance entails, and often jeopardize patients’ PHI, according to Chris Bowen, founder and chief privacy and security officer at a cloud storage firm, in a recent HealthcareITNews article.


A large number of data breaches begin with a third party, so it’s important hospital leaders keep their BAs accountable by ensuring they regularly address these four areas:


  • Risk Assessments. As the article notes, research has shown about a third of IT vendors have failed to conduct regular risk analysis on their physical, administrative and technical safeguards. Ask your vendors to prove they have a risk analysis policy in place, and are routinely conducting these kinds of evaluations.
  • System activity monitoring. Many breaches go unnoticed for months, which is why it’s crucial your BAs have continuous logging, keep those logs protected and regularly monitor systems for strange activity.
  • Managing software patches. Even the feds can struggle with this one, as seen in a recent HHS audit of the branches within the department. Applying security patches as soon as they’re released is an important part of provider and BA security, and decisions about patching, including any deferrals, should be documented.
  • Staff training. Bowen recommends vendors include training for secure development practices and software development lifecycles, in addition to the typical General Security Awareness training that HIPAA requires.
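As an added example of the system-activity monitoring check above (example code, not from the original article), the following Python script reviews EHR-style audit log lines for two kinds of strange activity: record access outside business hours, and a user touching an unusually large number of distinct patients in one day. The log format, the 07:00 to 19:00 business window, the patient threshold and the sample lines are all constructed assumptions for the example; a real BA would map them onto its own system’s audit trail.

```python
"""Review EHR audit log lines for unusual PHI access (added example).

Assumptions, not from the article: the EHR writes one line per record access as
"<ISO timestamp> <user> <action> patient=<id>", business hours run 07:00-18:59,
and a user touching more than MAX_PATIENTS_PER_DAY distinct patients is worth a look.
"""
from collections import defaultdict
from datetime import datetime

BUSINESS_HOURS = range(7, 19)   # 07:00 to 18:59, assumed for the example
MAX_PATIENTS_PER_DAY = 3        # deliberately low so the sample trips it

# Constructed sample lines; not real audit data.
SAMPLE_LOG = """\
2015-03-02T08:14:03 jdoe VIEW patient=1001
2015-03-02T08:20:41 jdoe VIEW patient=1002
2015-03-02T09:02:17 rlee VIEW patient=1003
2015-03-02T23:48:09 rlee VIEW patient=1004
2015-03-02T12:30:00 tsmith VIEW patient=1005
2015-03-02T12:31:00 tsmith VIEW patient=1006
2015-03-02T12:32:00 tsmith VIEW patient=1007
2015-03-02T12:33:00 tsmith EXPORT patient=1008
"""


def parse_line(line):
    """Return (timestamp, user, action, patient_id), or None for a malformed line."""
    parts = line.split()
    if len(parts) != 4 or not parts[3].startswith("patient="):
        return None
    try:
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%S")
    except ValueError:
        return None
    return ts, parts[1], parts[2], parts[3].split("=", 1)[1]


def find_anomalies(log_text):
    """Return (rule, user, detail) findings for two rules: access outside
    business hours, and too many distinct patients per user per day.
    Malformed lines are reported too, since a gap in the log is itself a finding."""
    findings = []
    patients_by_user_day = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            findings.append(("malformed", None, line))
            continue
        ts, user, action, patient = rec
        if ts.hour not in BUSINESS_HOURS:
            findings.append(("after_hours", user,
                             f"{action} patient={patient} at {ts.isoformat()}"))
        patients_by_user_day[(user, ts.date())].add(patient)
    for (user, day), patients in sorted(patients_by_user_day.items()):
        if len(patients) > MAX_PATIENTS_PER_DAY:
            findings.append(("volume", user,
                             f"{len(patients)} distinct patients on {day}"))
    return findings


if __name__ == "__main__":
    for rule, user, detail in find_anomalies(SAMPLE_LOG):
        print(f"{rule:12} {user or '-':8} {detail}")
```

On the sample, the after-hours rule catches rlee’s 23:48 access and the volume rule catches tsmith’s four patients in one lunch hour. The point is that a review like this runs against the logs on a schedule, not only once a breach is suspected; the same pattern extends to exports, failed logins and activity from accounts that should have been disabled. Protecting the logs themselves (append-only storage, restricted read access) is a separate control that the checklist above also asks for.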

BYOD and cloud are top data breaches and malware risks, survey shows


With the influx of personal devices in the workplace and the unprecedented risk of data breach and malware, tightening IT security at a company can seem like a daunting task. Just how difficult of a task is it? What are the biggest security risks and what are the top minds in IT considering to combat them?



Security risks and data breaches are growing while the form factors of computing devices shrink—because

Wisegate, a crowdsourced IT research company, surveyed hundreds of its senior IT professional members to find out. Earlier this year, we shared with CSO readers that a lack of security metrics and reporting was undermining IT security programs. Now, we’ll take a look at what those top security risks are.


Data breaches and malware are at the top

In a not surprising response to a poll that asked IT professionals to name their top three security risks, 32 percent of respondents named data breaches and malware as their top threats and risks. Over half—51 percent—of respondents included not only data breaches and malware, but also insider and outsider threat, BYOD management and security, and advanced persistent threats as their companies’ top risks.

While data breaches and malware are not new risks to the industry, we wanted to get to the bottom of what technology and business trends are causing this concern over malware and information leaks.


Trends impacting security programs: BYOD and cloud

When asked to identify the trends that most impact their security programs, IT professionals revealed that the malware threat and its associated data breach risk is likely to get worse over the coming years specifically because of these trends:

  • The continuing evolution of BYOD practices 

  • Increasing adoption of cloud technology, both public and private 



Required BYOD


What we’ll see is a world where employers will actually require people to bring and use their own devices. Most companies already provide staff with equipment, and many currently tolerate BYOD. The trend will continue until eventually companies will choose to make the personal devices employees already use official.


But this leads to a tension between company and personal information held on the same device. The company will need to protect its own data, but any device monitoring it does will collide with the personal data sitting alongside it. In short, there is potential for a ‘Big Brother’ backlash from employees. The savvy security team will earn users’ trust by demonstrating that the company can monitor only the corporate data, and that it not only doesn’t but cannot monitor anything else.


There is a strong argument for shying away from BYOD and using the cloud to defend against malware-driven breaches of sensitive data: it is harder to infect the cloud than it is to infect an individual endpoint. But there is also a scale issue. If an attacker manages to infect the cloud, he could potentially impact many more customers and much larger datasets. The weakness in cloud security is less the cloud itself and more how the cloud is used. This is an aspect of one of the biggest challenges in IT security: the difference between something working correctly and something working correctly and securely. It affects everything from malware prevention to proprietary apps, open source software, and websites.


The future of IT security is data security—not device security

When asked what infrastructure security controls would be prioritized over the next few years, nearly a third of respondents—32 percent—named information protection and control as their top priority. Web application firewall wasn’t far behind, with 26 percent naming this as a top priority.




This suggests a shift from protecting devices toward protecting applications and the data itself. Firewalls are now application firewalls rather than trusted-network firewalls. If IT security professionals’ top controls are designed to protect the data itself, then even if there is a breach of sensitive information, that information will remain hidden from the attacker.


What next?


Faced with the impossibility of defending against malware attacks in the new cloud/BYOD paradigm, security teams are engaged in a massive shift from protecting devices to protecting data. Stay tuned for our breakdown of this new paradigm, data-centric security, in a future CSO article. We’ll take a deeper dive into the idea that if the data itself is safe, it doesn’t matter if there is a breach.



What Can You Expect in 2015 Regarding HIPAA Enforcement?

As of earlier this month, 1,170 breaches involving 31 million records have been reported to the Department of Health and Human Services (HHS) since mandated reporting of breaches began in September 2009.  An increase in the number of breaches isn’t the only statistic on the rise.  Although 2014 data has not yet been released, the number of complaints in 2013 reached a new high (4,463).  It doesn’t take a crystal ball to predict that these numbers will continue to rise in 2015.  We haven’t reached the apex yet.

The newly approved 2015 federal budget does not include an increase in funding for the federal agencies responsible for enforcing HIPAA, including the HHS Office for Civil Rights (OCR), but HHS isn’t viewing it as a setback.  Per an OCR spokeswoman, “OCR’s strong enforcement of the HIPAA privacy, security, and breach notification rules, remains very much on track…”  Just a few weeks ago, HHS settled with the Alaska Department of Health and Social Services for $1.7 million for potential HIPAA violations.

If enforcement efforts remain on track in 2015, so should compliance efforts next year.  Keep your HIPAA policies and procedures up to date and conduct regular risk assessments.  If your organization has not addressed security on mobile devices or theft of patient data by former employees, do so now.  Especially if you are contemplating a transaction in 2015, it’s time to take a deep dive regarding HIPAA compliance.



Most companies take over six months to detect data breaches


Financial firms take an average of 98 days to detect a data breach and retailers an average of 197 days, according to new research.

A new cybersecurity report conducted by the Ponemon Institute on behalf of Arbor Networks suggests it is not only cyberattack events which place sensitive data and corporate networks at risk. Instead, the time it takes for businesses to detect a data breach once it occurs gives threat actors plenty of time to conduct surveillance, steal data and spy upon victim companies -- pushing up the cost of cyberattacks.


According to a survey of 844 IT and IT security practitioners in the financial sector across the US and 14 countries within the EMEA region and 675 IT professionals in the same countries within the retail sector, both industries are struggling to cope with today's threat landscape.

Once a data breach occurs, it takes an average of 98 days for financial services companies to detect intrusion on their networks and 197 days in retail. Despite these long periods of time, known as "dwell" time, 58 percent of those surveyed who work in finance -- and 71 percent of those in retail -- said they are "not optimistic" about their firms' ability to improve these results in the coming year.


The research says that on average, 83 percent of financial companies suffer over 50 attacks per month, as do 44 percent of retail firms. The high rate of attacks is not surprising considering the valuable data stored by these industries -- ranging from trade secrets to sensitive customer data. If accessed, this data can be sold on the black market for high prices.


Among financial services firms, 71 percent of respondents view technologies that monitor networks and traffic as the "most promising" method of stopping or minimizing advanced persistent threats (APTs). In total, 45 percent of those surveyed said they have implemented incident response procedures, and 43 percent have begun sharing data on APTs -- a facet often neglected in cybersecurity, as companies can be unwilling to admit they have suffered a data breach.


Among retail firms, 64 percent said network-based technology is the best way to cope with APTs, 34 percent have implemented incident response procedures and 17 percent have established threat sharing with other companies or government bodies.


"The big takeaway from our research is that more investment is needed in both security operations staff and in security tools, which can help companies efficiently and accurately detect and respond to security incidents," said Dr. Larry Ponemon, chairman and founder of the Ponemon Institute.


"The time to detect an advanced threat is far too long; attackers are getting in and staying long enough that the damage caused is often irreparable."



Can You Keep a Secret? Tips for Creating Strong Passwords


The computers in your office are veritable treasure chests of information cyber pirates would love to get their hands on. Only authorized personnel in a practice should have the keys to unlock what’s inside. Passwords are those keys. They play an important role in protecting Electronic Health Records (EHR) and the vital information those records hold.

The HIPAA Security Rule says that “reasonable and appropriate . . . procedures for creating, changing, and safeguarding passwords” must be in place. But the rule doesn’t stop there. It goes on to say that “In addition to providing passwords for access, entities must ensure that workforce members are trained on how to safeguard information. Covered entities must train all users and establish guidelines for creating passwords and changing them during periodic change cycles.”

Regardless of the type of computers or operating system your office uses, a password should be required to log in and do any work. Today’s blog will focus on how to create strong passwords – the kind that aren’t easily guessed. And since attackers often use automated methods to try to guess a password, it is important to choose one that doesn’t have any of the characteristics that make passwords vulnerable.

How to stay ahead of the hackers

They’re a clever bunch, those hackers. And they seem to know a lot about human nature, too. They’ve figured out the methods most people use when choosing a password. And they’ve turned that knowledge to their advantage.

To outsmart them, create a password that’s:

NOT a word found in any dictionary, even foreign ones
NOT a word in any language — including its slang, dialects, and jargon
NOT a word spelled backwards
NOT based on recognizable personal information — like names of family and friends
NOT a birthdate
NOT an address or phone number
NOT a word or number pattern on the keyboard — for instance, asdfgh or 987654

A strong password should:

Be at least 8 characters in length
Include a combination of upper and lower case letters, at least one number and at least one special character, like an exclamation mark

Examples of strong passwords

With their weird combinations of letters, numbers, and special characters, passwords can be a challenge to remember. Starting with an easy-to-remember phrase and then tweaking it to fit the guidelines for strong passwords is one way around that problem.

For instance:

1h8mond@ys! (I hate Mondays!)

5ayBye4n@w (Say bye for now)
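To make the rules above mechanical, here is an added Python checker (example code, not from the original post) that applies each of them to a candidate password: minimum length, the four character classes, dictionary words including reversed ones, keyboard runs, long digit strings that look like dates or phone numbers, and the user’s own personal data. The small WORDLIST, the KEYBOARD_ROWS, the run length and the personal-data items passed in are constructed stand-ins; a real deployment would load a full multi-language dictionary and the user’s profile.

```python
"""Check a candidate password against the article's guidelines (added example)."""
import re

MIN_LENGTH = 8
# Constructed stand-in for a multi-language dictionary; a real check loads a full wordlist.
WORDLIST = {"password", "monday", "welcome", "secret", "hospital",
            "doctor", "nurse", "krankenhaus", "bienvenue", "clinica"}
# Physical key order on a US keyboard; runs of RUN_LENGTH keys in either direction are rejected.
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]
RUN_LENGTH = 4


def has_keyboard_run(pw, run=RUN_LENGTH):
    """True if pw contains `run` adjacent keys from one row, forwards or backwards
    (catches asdfgh, 987654 and friends)."""
    low = pw.lower()
    for row in KEYBOARD_ROWS:
        for i in range(len(row) - run + 1):
            chunk = row[i:i + run]
            if chunk in low or chunk[::-1] in low:
                return True
    return False


def check_password(pw, personal=()):
    """Return the list of rule violations; an empty list means the password passes.

    `personal` is the user's own data to screen against (names, birthdate, phone).
    It is a hypothetical caller-supplied input, since the article only says to
    avoid such information without saying where it comes from.
    """
    failures = []
    if len(pw) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[A-Z]", pw):
        failures.append("no uppercase letter")
    if not re.search(r"[a-z]", pw):
        failures.append("no lowercase letter")
    if not re.search(r"\d", pw):
        failures.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", pw):
        failures.append("no special character")

    # Strip digits and symbols first: "Monday1!" and "yadnoM1!" are both really "monday".
    letters = "".join(ch for ch in pw.lower() if ch.isalpha())
    if letters in WORDLIST or letters[::-1] in WORDLIST:
        failures.append("dictionary word (possibly reversed)")

    if has_keyboard_run(pw):
        failures.append("keyboard pattern")

    # Six or more consecutive digits look like a birthdate or phone number.
    if re.search(r"\d{6,}", pw):
        failures.append("looks like a date or phone number")

    low = pw.lower()
    for item in personal:
        digits = re.sub(r"\D", "", item)   # "1985-06-04" -> "19850604"
        if (len(item) >= 3 and item.lower() in low) or (len(digits) >= 4 and digits in low):
            failures.append("contains personal information")
            break
    return failures


if __name__ == "__main__":
    for candidate in ("1h8mond@ys!", "5ayBye4n@w", "Monday1!", "Asdfgh12!"):
        problems = check_password(candidate)
        print(f"{candidate:14} {'OK' if not problems else ', '.join(problems)}")
```

Run against the two examples above, the checker passes 5ayBye4n@w but reports that 1h8mond@ys! has no uppercase letter; a mechanical check like this catches what a visual once-over misses, which is exactly why the guidelines should be enforced at password-change time rather than only taught in training. The personal-data check is only as good as the data handed to it (it would not notice a bare birth year), and the dictionary here is a toy; in production, load a real wordlist and treat the checker as a floor, not a guarantee of strength.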

Safety first

The importance of having strong passwords — the longer, the better — and changing them on a regular basis can’t be overstated. And it goes without saying that writing a password on a Post-It note and attaching it to a computer monitor should never be done. Do everything you can to make your passwords strong, and store them somewhere safe. These steps will help ensure the security of your PHI and give those hackers fits.


Phishing, ransomware attacks on health industry to rise


While security experts predict increased cyberattacks on healthcare organizations in 2015, they foresee phishing and ransomware posing particular challenges.

Phishing emails try to lure recipients into giving out information such as usernames, passwords or credit card numbers. They also can give attackers ways to infiltrate the enterprise network, according to an article in iHealthBeat by John Moore of Chilmark.

"Phishing emails often provide the entry point," Scott Koller, a lawyer at BakerHostetler, says in the article.

Ransomware allows cybercriminals to hold data hostage while they demand payment to unlock it. If they demand to be paid in Bitcoin, a digital currency, they can be difficult for law enforcement officials to track down.

Cybercriminals are growing more sophisticated in their ransomware attacks, according to an article at NPR. Increasingly, they use the anonymous online network Tor to conceal all communication between the attacker and victim, preventing even top executives from identifying and blaming a particular employee.

In the face of increasing threats, healthcare organizations are boosting their security efforts, according to the iHealthBeat article. Among their top priorities are:

  • Encryption and mobile device security
  • Two-factor authentication
  • Security risk analysis
  • Advanced email gateway software
  • Incident response management

"Encryption very much needs to be on everybody's radar," Koller says. In September, Forrester Research reported that only about half of healthcare organizations secure data using full-disk encryption or file-level encryption.

Just last week, Experian's 2015 Data Breach Industry Forecast called healthcare "a vulnerable and attractive target for cybercriminals." While predicting more data breaches, it noted that many doctors' offices, clinics and hospitals may not have adequate resources to safeguard patients' personal health information.


