Use of intranets / extranets for HIPAA compliance

HIPAA – Then & Now

The Health Insurance Portability and Accountability Act, better known as HIPAA, has been around since 1996, with the intent to protect patients by properly handling their protected health information (PHI).

HIPAA set out to provide both security provisions and data privacy. The legislation was passed in the age of paper records, a time that required very different security measures than what we see today.

23 years later, it’s safe to say the ways in which we store, access, or transfer PHI have changed drastically. Of course, incredible changes and advancements in technology require changes to how we protect and safely handle patient data. Have we seen regulatory change with HIPAA regarding the digital age we now live in? Unfortunately, the answer is no.

The Digital Age

Today, the chances of finding a healthcare provider that still relies on paper records are slim. The convenience of electronic medical records (EMRs) for both providers and patients is undeniable. From providing an easy way to share records with patients and other clinicians to allowing for simpler communication between patients and their providers, EMRs have changed the healthcare industry.

Unfortunately, with the pros come the cons. Digital medical records do pose some major risks, and as mentioned, HIPAA has made minimal progress when it comes to addressing them.

Hackers Exploiting Healthcare

According to the Protenus Breach Barometer, 2018 saw 15 million patient records compromised in 503 breaches, triple the number of compromised records in the previous year. 2019 has already seen some massive healthcare breaches, like the Quest Diagnostics data breach that affected at least 12 million patients.

So, why are hackers setting their sights on healthcare organizations? There are several reasons.

PHI yields high profits on the dark web. Where credit card information can quickly become worthless to cybercriminals, PHI is another story. Not only can healthcare breaches go undetected for lengthy periods of time, but the data compromised in one is not something the affected individual can easily change, a birth date for example.

Hackers also know that the healthcare industry historically underinvests when it comes to IT security and training. What does this mean for a cybercriminal? A lack of IT resources often means poor security: perhaps no firewall, outdated systems, no anti-virus, and more. In addition, a lack of employee training means employees are ill-equipped to handle a cybercriminal’s malicious attempts at gaining access to the sensitive information they are expected to safeguard.

Furthermore, with the vast array of technology and highly connected systems used in the healthcare industry, one attack on a small system could have detrimental consequences for an entire organization. Cybercriminals know that organizations rely on these systems and suspect that attacking them may give them what they’re hoping for, as in a ransomware attack: pay the ransom and regain access to your systems, or ignore the demand and lose your data.

Acknowledging the Cybersecurity Problem

With HIPAA being flawed and outdated, how do we move forward to protect patients and their data from cybercriminals?

Although HIPAA needs some major updating, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR), which is responsible for enforcing HIPAA, hasn’t completely ignored the issue at hand.

In December 2018, HHS issued cybersecurity guidelines in an effort to drive voluntary adoption of cybersecurity practices. This guidance sent a message that HHS is well aware of the cybersecurity issues surrounding the healthcare industry.

In addition to the cybersecurity issues plaguing healthcare, protecting consumer data in general has become a hot topic with the passing of the EU’s General Data Protection Regulation (GDPR). While Congress has tossed around the idea of federal privacy legislation that would create a unified privacy law, there are no real signs of that being carried out anytime soon.

How Do We Fix This?

  1. Don’t wait around for a regulation. We cannot wait around for HIPAA to change, nor for Congress to pass a federal law to better protect the privacy of patients and consumers.
  2. Take a look around. It is critical for Covered Entities and Business Associates to closely examine the patient data they are protecting. Cybercriminals don’t just seek financial information, but rather any information that could yield a large profit for them. Information such as a birthdate, a Social Security number, or anything in between can prove to be more valuable. If you store, access, or transmit any kind of PHI, take a hard look at that data. If a hacker were to exploit it, what kind of damage could be done?
  3. Secure your systems. Now that you’ve thought through what kind of data you have access to, secure it. Don’t leave any data vulnerable. Cybercriminals can launch extremely detrimental attacks against individuals and organizations. Do everything you can to keep them from successfully carrying one out against you.
  4. Train employees. Make sure employees understand how valuable the data they have access to is, and the repercussion that could ensue if that data is compromised. Employees should know how to properly protect PHI, how to report a data breach, how to spot a phishing attempt or any other malicious attempt by cybercriminals, and everything in between.
  5. HIPAA is not optional – abide. Despite the flaws of HIPAA, it’s intended to protect patient data, which is valid and necessary, from an ethical point of view as well as a regulatory one. Whether you’re a Covered Entity or a Business Associate, it is your responsibility to comply with HIPAA.

Technology will continue to advance, and hackers will continue to do the same with their skill. It is up to us to continue to evolve our cybersecurity practices, which in turn will help better protect PHI.

The post Why We Need to Go Beyond HIPAA appeared first on HIPAA Secure Now!.

Healthcare Systems

Healthcare organizations increasingly require high-end systems to give doctors the data they need to make rapid and accurate diagnoses. Digital patient records and medical imaging drive bandwidth demands higher even as insurers and legislators continue to pressure healthcare providers to cut costs. Data network solutions from NHR enable healthcare organizations to deliver higher-quality, more readily available, and more economical care that meets their clinical and business objectives.

Expanding and Upgrading Systems on a Tight Budget – Modern healthcare generates a burgeoning volume of digital diagnostic images. Ultrasounds, X-rays, PET scans and MRIs quickly grow to many megabytes per record and bog down network traffic. Pre-owned networking equipment from NHR enables health systems to build the state-of-the-art architecture they require without draining resources.

Regulatory Compliance – Healthcare IT professionals must comply with HIPAA and other government privacy rules while adopting the latest e-health technologies and maintaining a top-notch security program under tight financial constraints. The security and integrity of patient records require a robust network, and NHR puts world-class technology within budget.

Downtime Is Not an Option for Critical Systems – Medical professionals demand real-time access to digitized patient information from any location, day or night. With lives at risk, network downtime isn’t an option. Substantial discounts on pre-owned equipment from NHR make redundant configurations economically feasible. On-site sparing strategies provide the fastest possible recovery. NetSure maintenance provides 24×7 support and next-day hardware replacement at a small fraction of manufacturer maintenance costs. These affordable solutions are ideal for protecting distribution- or access-layer equipment, keeping every hospital and every physician connected.

Collaboration – A high-performance core supports multi-specialty or multi-radiologist collaboration, so the right people are connected to patient information to improve time-to-treatment and to make the right specialists accessible. And what about online patient collaboration? Forward-thinking health systems are exploring telecare models that allow patients to use online monitoring systems to upload data to their medical records. NHR’s expertise and cost-effective solutions help healthcare organizations innovate their systems and add new information sources.

As many of you know, an Electronic Health Record (EHR) is a digital version of a patient’s paper charts, updated in real time. This is an incredible option to have in the world of medicine, where information can be exchanged between doctors as well as business associates. It also provides an incredible benefit to the patient, giving them the best and most appropriate care when needed.

Overall, it really is a great thing to have so much information at your fingertips, unless that information gets into the wrong hands. That is exactly what happened to Allscripts Healthcare, an EHR company used by a variety of businesses in the medical field, including hospitals, pharmacies and emergency service (ambulance) centers around the world.

Today Allscripts is working with the Department of Justice to pay $145 million in a preliminary settlement in response to an attack that exposed patient records which were thought to be safe in the cloud. They were in violation of HIPAA, the HITECH Act’s EHR incentive program, and the Anti-Kickback Statute related to Practice Fusion, the company acquired by Allscripts in 2018. This settlement will resolve all criminal and civil liability for both companies related to the investigation surrounding them.

Unfortunately, they aren’t alone.  With the human component being the big risk factor in any organization, healthcare employs many, many people with patient access.  Each record is a gold mine for hackers, and therefore even one mistake can prove costly to an organization like we’re seeing with Allscripts.

How do we remedy this? The first and most important step is to cover your assets. Cyber insurance will increase your likelihood of surviving a breach, but once you have that protection in place, get your employees trained. And then repeat the training. Conduct Security Risk Assessments at least annually, not only to comply with HIPAA but to identify security gaps that could leave your organization’s data up for grabs. Then perform a vulnerability scan to find out whether your systems are as secure as you hope and believe.

Protection and prevention go hand in hand and in the world of healthcare, you can never have enough.

The post Allscripts to Pay $145 Million for Practice Fusion EHR Investigation appeared first on HIPAA Secure Now!.

We’ve just passed the midway point of the year, and if this were our own health report, we’d be failing miserably when it comes to data breach prevention.

According to a recent report from Protenus and Databreaches.net, over 31 million healthcare records were breached in the first six months of 2019. That is double the number from 2018.

The information in these breaches was not caught and remediated quickly either. Patient data was ‘for sale’ and available for manipulation on the dark web for months before being discovered in the American Medical Collection Agency breach. With a confirmed 20 million records affected, the fallout from that will reveal itself in the days and months ahead, if not years.

So how did we get here?

Some of these were insider jobs; in fact, 60 of the incidents were the result of insiders. That means over 3 million records were exposed because of existing employees. These aren’t the hackers lurking on the dark web or in airports stealing your Wi-Fi; these are KNOWN actors in a business. Hacking accounted for 60% of all incidents. This means that out of 168 data breaches, phishing took down 88 businesses, with ransomware and malware being deployed at 27 of those.

The statistics are staggering, but something else to take note of, aside from the revelation that insiders are putting your business at risk, is that direct healthcare entities are not always the ones responsible. Yes, providers reported 72% of the breaches, but health plans and business associates also contributed to the overall numbers.

What does this mean?

It means that we can stand by and watch the numbers continue to climb, the rate of increase continuing to double and triple, or we can rework our approach, attack and react. We’ve said it before, but every business owner, regardless of the vertical or channel in which they operate, needs to say, “It is no longer a question of IF I’m part of a breach, but a matter of WHEN I’m part of a breach.” Second to this must be the integration of cyber insurance into a business’s arsenal. Surviving the breach is one thing, but thriving afterward, and even during a breach, is another.

The post Halfway Health Check appeared first on HIPAA Secure Now!.

Every day in my newsfeed I’m alerted to yet another compromise of patient information. The headlines aren’t always the attention-grabbing ones that we see when major credit companies or big-box retailers are exposed. These are just listed, one after the other, identifying locations of healthcare businesses, whether hospitals or private practices, that have had possible exposures.

If you are part of a private practice or small organization that works in the healthcare industry, you need to be aware: this is happening in your office. It doesn’t always happen in the huge hospital with thousands of employees, the locations that we assume have less control over such a large employee base. This is happening everywhere: the doctor’s office with the same 3 people who have run the front office for years; the dentist you’ve been going to see since you were a child.

Patient data is a coveted treasure among cybercriminals and unless you are taking measures to protect it from end to end, you are at risk.  While working with a trusted IT advisor is critical, you also need to ensure that you are covered if a breach does occur.

Those compromises listed in my newsfeed don’t say that patient data was stolen and sold; they merely confirm that it was seen by uncertified eyes. That means they don’t know what happened, but they do know that it could pose a problem in the future. So, in order to protect their business and reputation, they are going to incur the cost of credit monitoring. What you don’t hear about is the cost of the forensic expert or the additional breach resources that were needed even to identify whether data was compromised.

Verify that you have a cyber insurance policy to protect you in such an incident.  Without it, your business and its health are at risk of “not making it”.

The post Scrolling Through the Breaches appeared first on HIPAA Secure Now!.

This isn’t something you can pencil in and get to when you have time; cyber maintenance has to be something you commit to. We all have those moments when we realize that we had the best intentions to stick with something, but its priority fell by the wayside. We start off strong, then taper off until we forget completely.

When it comes to your cybersecurity, there isn’t a shortcut or short-term guide to safeguarding your information and identity, so taking time to address it is not only necessary, it is going to pay off in the long run.

Sharpie this in

Book time on your calendar the way you would for personal or home maintenance. You schedule haircuts and change the batteries in smoke detectors, so consider establishing the same type of habits when it comes to your online information.

Take this time to update passwords, ensure that your software is all updated to the latest version, and check that you have two-factor authentication enabled wherever it is an option. Call your credit card companies and ask about their security policy, and whether they have methods in place to protect you from being hacked. Enabling alerts on purchases and payments via text or email will help you tackle any issues immediately rather than long after the damage has been done.

The bottom line is that you need to take time out of your schedule to deal with this. It’s not always convenient and it’s not always what you feel like doing, but you need to make it as much of a priority as any other maintenance in your life.

The post Make Time for Cybersecurity appeared first on HIPAA Secure Now!.

In 2018, 71% of ransomware attacks targeted small businesses, according to a report by Beazley Breach Response Services. It’s clear that small businesses are cybercriminals’ favorite target, yet many remain unprepared to handle a cyber-attack.

Is it that small businesses don’t care about cybersecurity?

It wouldn’t be fair to make that assumption; however, small businesses do often overlook cybersecurity concerns. This could be the result of many different things. For example, small businesses often do not have the resources to dedicate to cybersecurity. In fact, some of those businesses don’t have a dedicated IT individual or company at all. In some instances, small businesses may be carrying the “it won’t happen to me” mentality, despite plenty of statistics showing that small businesses are the most susceptible to a cyber-attack. And then there is the complexity of the topic. Many organizations don’t understand cybersecurity. Mix that lack of understanding with the other reasons cybersecurity is often overlooked, and it’s easy for small businesses to put it on the back burner and forget about it.

Out of sight, out of mind

Another reason it’s hard to get organizations to care about cybersecurity is that “if they can’t see it, it isn’t there”. It’s easy to take physical security of your organization seriously. You know that you must lock the office door when you leave, or that leaving medication unlocked and unsupervised could lead to its disappearance.

Unfortunately, cybersecurity doesn’t work the same way. Organizations can be told about cybersecurity risks and best practices, but not being able to physically see the danger makes it difficult to care or prioritize those safeguards above others. Think about it, you’ve used the same password for everything, for years. It’s not a difficult password so it’s easy for you to remember. You’ve heard that complex passwords are important, and you know you should never use the same password across multiple accounts, but you’ve been doing this for years and nothing bad has happened, so it’s probably not a concern for you. Cybersecurity is often out of sight, out of mind.

Healthcare organizations are especially vulnerable

The healthcare industry is the industry most targeted by cybercriminals. Many of the reasons for this are the same reasons that attackers target small businesses. Healthcare organizations also see a lot of turnover, which to cybercriminals could translate into new employees to target, many of whom may not be properly trained.

The value of healthcare data to a cybercriminal is also unparalleled. Medical records bring in big bucks on the dark web, allowing these attackers to see large returns for even just one successful attack.

Don’t wait till it’s too late

The worst mistake you can make is to think you’re not at risk, or not think cybersecurity is a high enough priority to do something about it. Small businesses need to take what we’ve learned about cybercriminals targeting them as a warning and act before they too become another statistic.

Cybersecurity tips

1. Recognize You’re a Target – First and foremost, you must accept that you are a target for cybercriminals. Every organization, small or large is a target and no industry is off limits. If cybercriminals see value in attacking your organization, they will.

2. Security Risk Assessment – It’s important to understand where your organization’s security gaps are. Perform a Risk Assessment to determine what safeguards should be in place but are not. For example, policies, data backup procedures, inactivity timers on your computers, etc.

3. Security Awareness Training – Employees must be trained on cybersecurity and understand how to spot malicious attempts made by cybercriminals. Employees should know how to spot a phishing email and the dangers of clicking attachments or URLs within emails, as these are common methods for a hacker to get in.

4. Complex Passwords – Passwords must be complex, reasonably long (at least 10 characters), and different across all accounts. Simple passwords can easily be cracked by cybercriminals through a brute-force attack, putting your entire organization at risk. Using repeat passwords across various accounts is also dangerous since one compromised password could give a hacker access to all your accounts.

5. Use a Password Manager – Managing several difficult passwords can be a difficult task, but password security should not be compromised for convenience. Using a password manager is a great way to ensure all passwords are secure. The best part is, you only need to remember one master password.

6. Enable Two-Factor Authentication – Sometimes referred to as 2FA, or multi-factor authentication, two-factor authentication is another layer of security for accessing your accounts, aside from you entering your credentials. 2FA requires a second form of authentication for you to successfully log in. For example, you may have to enter a 6-digit code sent to you via a text message to prove it is really you who is trying to log in.

7. Perform Updates – Ensure your software is being updated when updates become available. Software updates are often issued to fix a vulnerability found in the software. Not performing updates can often leave you susceptible to attacks that could have been prevented.

8. Regularly Backup Your Data – Do not underestimate the importance of routinely backing up your data. A cyber-attack could occur at any minute, and when it does, your data could be at risk. If your data becomes inaccessible or corrupt, through a ransomware attack, for example, you’ll need to be able to get that data another way – from your backups.

9. Audit accounts for suspicious activity – Make sure you’re performing audits on your systems. For example, if you have an EHR, you should be auditing it regularly, looking for unusual activity such as logins after hours or users accessing abnormal numbers of medical records. If inappropriate activity is occurring, the quicker you catch it the better off you’ll be.

10. Cyber Insurance – As cybercriminals continue to become more sophisticated, attacks will continue to occur. It’s no longer a matter of if your organization will be attacked, but when. Security incidents are incredibly costly, sometimes putting organizations out of business. Costs could include a breach coach, forensics, breach notification, credit monitoring, crisis management, and more. Verify that your organization has cyber insurance (this coverage is often not included in your standard policy) to protect you in the event of a security incident.
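Tip 9 names two audit signals, logins after hours and users viewing an abnormal number of records. The script below is an added example, not code from the original post or from HIPAA Secure Now, that runs both checks over a constructed EHR access log. The log format (`<ISO timestamp> <user> <action> <record>`), the 07:00–19:00 weekday business-hours window, and the "more than 3× the median of distinct records across users, and at least 10" threshold are assumptions of this example, and should be tuned to a real system's baseline.

```python
"""Added example: audit an EHR access log for the two signals named in tip 9,
after-hours logins and users viewing an abnormal number of records.
The log format, business hours and thresholds are this example's assumptions."""
from collections import defaultdict
from datetime import datetime, time
from statistics import median
from typing import Dict, List, NamedTuple


class Event(NamedTuple):
    when: datetime
    user: str
    action: str      # LOGIN or VIEW
    record: str      # patient record id, or "-" for LOGIN


# Constructed sample log, one event per line: "<ISO timestamp> <user> <action> <record>".
# 2019-07-06 is a Saturday and 2019-07-08 a Monday.
SAMPLE_LOG = "\n".join(
    [
        "2019-07-06T10:00:00 mlee LOGIN -",        # weekend login
        "2019-07-08T08:15:00 jsmith LOGIN -",
        "2019-07-08T08:16:10 jsmith VIEW P1001",
        "2019-07-08T08:20:42 jsmith VIEW P1002",
        "2019-07-08T08:25:00 jsmith VIEW P1003",
        "2019-07-08T09:02:11 mlee LOGIN -",
        "2019-07-08T09:05:00 mlee VIEW P1004",
        "2019-07-08T09:07:30 mlee VIEW P1005",
        "2019-07-08T13:10:00 klopez LOGIN -",
        "2019-07-08T13:12:00 klopez VIEW P1006",
        "2019-07-08T13:14:00 klopez VIEW P1007",
        "2019-07-08T13:15:00 klopez VIEW P1007",   # same record again: not a new record
        "2019-07-08T23:41:09 tdoe LOGIN -",        # after-hours login
    ]
    # ...followed by one user pulling 40 distinct records within a single minute
    + [f"2019-07-08T23:42:{i:02d} tdoe VIEW P2{i:03d}" for i in range(40)]
)


def parse_log(text: str) -> List[Event]:
    """Parse the whitespace-separated log format into Event tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        when, user, action, record = line.split()
        events.append(Event(datetime.fromisoformat(when), user, action, record))
    return events


def after_hours_logins(events, start=time(7, 0), end=time(19, 0)) -> List[Event]:
    """Logins on a weekend or outside [start, end) on a weekday (assumed business hours)."""
    flagged = []
    for ev in events:
        if ev.action != "LOGIN":
            continue
        if ev.when.weekday() >= 5 or not (start <= ev.when.time() < end):
            flagged.append(ev)
    return flagged


def heavy_record_access(events, min_records=10, factor=3.0) -> Dict[str, int]:
    """Users whose count of distinct records viewed exceeds both `min_records`
    and `factor` times the median across all users (assumed threshold)."""
    per_user = defaultdict(set)
    for ev in events:
        if ev.action == "VIEW":
            per_user[ev.user].add(ev.record)
    counts = {u: len(recs) for u, recs in per_user.items()}
    if not counts:
        return {}
    threshold = max(min_records, factor * median(counts.values()))
    return {u: c for u, c in counts.items() if c > threshold}


def audit(text: str) -> dict:
    """Run both checks and return a report a reviewer can act on."""
    events = parse_log(text)
    return {
        "after_hours": [(ev.user, ev.when.isoformat()) for ev in after_hours_logins(events)],
        "heavy_access": heavy_record_access(events),
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_LOG).items():
        print(key, value)
```

Counting distinct records rather than raw VIEW events keeps a clinician who re-opens the same chart several times from being flagged, while the median-based threshold adapts to whatever volume is normal for the practice. In the sample, only the weekend login, the 23:41 login and the user who pulled 40 records are reported.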

The post 10 Cybersecurity Tips for Small Businesses appeared first on HIPAA Secure Now!.

Approximately 25,000 patients are being notified by Adirondack Health that their protected health information (PHI) may have been obtained by a hacker.

Vermont-based Adirondack Health is part of the Adirondacks Accountable Care Organization (ACO). Adirondacks ACO analyzes health data for the entire region and is made up of all the Adirondack region’s hospitals.

The Breach

On March 4, 2019, it was discovered that an unauthorized individual had accessed an employee’s email account for two days. After discovering the unauthorized access, Adirondacks ACO began checking every email and attachment in the affected employee’s account, looking for any PHI that may have been accessed.

Adirondacks ACO discovered that two employees had been discussing information regarding patients who had missed a baby wellness exam and other screenings, as part of their population health analysis. The employees were planning to send the information, contained in a “gap-in-care” spreadsheet, to providers so they could determine how to contact their patients.

That’s when an unauthorized individual from outside the U.S. remotely obtained access to the email account. At this time, no evidence suggests that the email was opened by the unauthorized party; however, the possibility could not be ruled out.

The Exposure

The unauthorized access was not due to a phishing attack, and a spokesperson for Adirondack Health stated he does not believe the employee could have avoided it. The spokesperson also stated that policies are being changed as a result of the incident.

Information contained in the exposed spreadsheet includes patients’ names, dates of birth, Medicare ID numbers, health insurance member numbers, as well as limited treatment and/or clinical information. Some patients also had their Social Security numbers listed.

Adirondacks ACO began notifying patients of the breach in early July. 25,000 letters of notification have been sent to affected patients, with only a few remaining.

For patients who had their Social Security numbers listed on the spreadsheet, free credit monitoring and identity protection will be provided by Adirondacks ACO.

The post 25,000 Patients’ Data Exposed in Email Hack appeared first on HIPAA Secure Now!.

Lytec Medical Billing Software

Lytec medical billing software has existed for nearly two decades now. Since 1989, Lytec medical billing software has helped a large number of medical billing and medical professionals operate their practices efficiently.

What makes Lytec medical billing software really tick on the market isn’t a name that was decades in the making, and it isn’t marketing hype. Rather, it’s the combination of proven software and personal service that leads physicians to choose Lytec medical billing software over the other software programs available. Lytec medical billing software not only increases the profitability of practices, it also helps them cut down on costs.

Now, nearly two decades after the first Lytec medical billing software hit the market, a new kind of system has emerged: Lytec 2005. With more than 40,000 systems sold in just the first few months of its release, Lytec medical billing software is the leading choice in practice management and medical billing software. It has all the tools needed to perform every function that medical billing requires, including patient accounting, insurance billing, claims tracking, accounts receivable, and appointment scheduling.

When it comes to streamlining all of your medical billing and office tasks, Lytec medical billing software is the way to go. A large number of customers agree that having a Lytec medical billing software solution in your office is a great asset, not just to your practice but to the profession as a whole.

HIPAA and Other Add-Ons

Lytec medical billing software is not without the little extras that make one solution package stand out from the rest. First, it’s HIPAA-compliant. The Health Insurance Portability and Accountability Act contains guidelines that medical practices are required to follow, as mandated by the United States federal government. With Lytec’s HIPAA compliance system, you don’t need to understand the complex provisions of HIPAA; you can simply let the software handle them for you.

Other important features of the Lytec medical billing software include AccuScrubber MX, ApptBox, Direct Claims, Electronic Claims Processing, and more. AccuScrubber is an add-on software package that you install on your computer to review any healthcare claims you feed it. It works right alongside the Lytec medical billing software without causing any complications, serving only to enhance the functions of each.

ApptBox, on the other hand, is an automated communications application that enables a physician’s office to notify patients of and confirm their appointments, along with other office-related functions.

Use of intranets / extranets for HIPAA compliance

Collaboration among medical professionals, especially in situations that require sharing private patient information, calls for an intranet or extranet that provides enhanced security measures.

The Health Insurance Portability and Accountability Act (HIPAA) has three major requirements:

• Protect the privacy of individual health information

• Provide the security required to safeguard the privacy of individual health information

• Provide standardization of electronic data interchange in healthcare transactions

Addressing this need, intranets and extranets are now available that meet these security requirements. As you consider implementing an intranet or extranet, look for the following security measures:

• Secure server with 128-bit SSL encryption

• Server monitoring

• Secure IDs and passwords

• Defined authority levels

• Viewing permission controls

• Session timeout after 30 minutes of inactivity

• The ability to disable user-specific cookies

• The ability for users to change their own passwords

• The ability to enforce strong passwords

• Complete, non-editable activity log for security audits
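Two of the features in this list, the 30-minute session timeout and a complete, non-editable activity log, can be checked mechanically rather than taken on trust. The Python below is an added example, not code from the original article or from any intranet or extranet product; it keeps a hash-chained, append-only activity log and an inactivity-timed session table, and shows that an edit to an earlier log entry is detected. The class names (`ActivityLog`, `SessionManager`), the timestamps and the user names are constructed for this example.

```python
"""Added example: inactivity-based session timeout plus a tamper-evident
activity log, two of the extranet features listed in the article.
Class and function names here are this example's own, not a product's API."""
import hashlib
import json
import secrets
from datetime import datetime, timedelta
from typing import Dict, List, Optional

SESSION_TIMEOUT = timedelta(minutes=30)   # the article's "session timeout after 30 minutes"
GENESIS = "0" * 64                        # previous-hash value for the first entry


class ActivityLog:
    """Append-only log. Each entry commits to the previous entry's hash, so
    editing, deleting or reordering an earlier entry breaks verification."""

    FIELDS = ("when", "user", "action", "detail", "prev")

    def __init__(self) -> None:
        self._entries: List[Dict[str, str]] = []

    @staticmethod
    def _digest(entry: Dict[str, str]) -> str:
        body = {k: entry[k] for k in ActivityLog.FIELDS}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def append(self, when: datetime, user: str, action: str, detail: str = "") -> str:
        prev = self._entries[-1]["hash"] if self._entries else GENESIS
        entry = {"when": when.isoformat(), "user": user, "action": action,
                 "detail": detail, "prev": prev}
        entry["hash"] = self._digest(entry)
        self._entries.append(entry)
        return entry["hash"]

    def entries(self) -> List[Dict[str, str]]:
        # Hand out copies only; callers cannot edit the log in place.
        return [dict(e) for e in self._entries]

    @classmethod
    def verify(cls, entries: List[Dict[str, str]]) -> bool:
        """Recompute the chain; True only if every entry is intact and linked."""
        prev = GENESIS
        for e in entries:
            if e["prev"] != prev or cls._digest(e) != e["hash"]:
                return False
            prev = e["hash"]
        return True


class SessionManager:
    """Sessions expire after `timeout` of inactivity; every login, access
    and expiry is written to the activity log."""

    def __init__(self, log: ActivityLog, timeout: timedelta = SESSION_TIMEOUT) -> None:
        self.log = log
        self.timeout = timeout
        self._sessions: Dict[str, dict] = {}   # token -> {"user": ..., "last": datetime}

    def login(self, user: str, now: datetime) -> str:
        token = secrets.token_hex(16)
        self._sessions[token] = {"user": user, "last": now}
        self.log.append(now, user, "LOGIN")
        return token

    def touch(self, token: str, now: datetime, detail: str = "") -> Optional[str]:
        """Record activity on a session. Returns the user if the session is
        still valid, or None if the token is unknown or the session timed out."""
        sess = self._sessions.get(token)
        if sess is None:
            self.log.append(now, "-", "INVALID_TOKEN")
            return None
        user = sess["user"]
        if now - sess["last"] > self.timeout:
            del self._sessions[token]
            self.log.append(now, user, "SESSION_EXPIRED")
            return None
        sess["last"] = now
        self.log.append(now, user, "ACCESS", detail)
        return user


def demo():
    """Walk one session through activity, timeout and a tampered log copy.
    Returns (expired_after_31_min_idle, chain_intact, tampering_detected)."""
    log = ActivityLog()
    sm = SessionManager(log)
    t0 = datetime(2019, 7, 8, 9, 0)                                  # constructed time
    tok = sm.login("jsmith", t0)
    sm.touch(tok, t0 + timedelta(minutes=10), "view patient P1001")
    sm.touch(tok, t0 + timedelta(minutes=39), "view patient P1002")  # 29 min idle: ok
    expired = sm.touch(tok, t0 + timedelta(minutes=70)) is None      # 31 min idle: expired
    entries = log.entries()
    intact = ActivityLog.verify(entries)
    entries[1]["user"] = "mallory"                                   # attempt to rewrite history
    tampering_detected = not ActivityLog.verify(entries)
    return expired, intact, tampering_detected


if __name__ == "__main__":
    print(demo())
```

The timeout is measured from the last recorded activity, not from login, which is what "session timeout after 30 minutes" means in practice. The log is non-editable in the sense the article requires: the only public operation is `append`, readers get copies, and `verify` run over an exported copy reveals any later edit because the SHA-256 chain no longer matches.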

 

Selecting a Web-Based Solution

To speed the implementation of an intranet or extranet with these features, an increasingly popular approach is to use an Application Service Provider (ASP).

In addition to providing an immediate solution that has the right security measures in place, the benefits of a web-based ASP include a lower cost of entry, an established track record of performance, and no need to install intranet or extranet software.

Copyright © 2015 - 2018 Sentree Systems, Corp.. All rights reserved.

Sentree Systems, Corp. | 6137 Crawfordsville Rd Ste F #177 Indianapolis, IN 46224 | 317-939-3282