All Data Fast News is © Data Fast Solutions, unless where otherwise indicated • All Rights Reserved
Phishing, the attempt to fraudulently gather personal and financial data, is an ongoing threat to hospitals and other health care facilities. One of the most recent cases of phishing, as reported by the HIPAA Journal in June of this year, was Verity Health Systems in Oregon. The phishing email was not in relation to patient data, but was requesting information on Verity employees themselves. The email appeared to come from within the company, so the unsuspecting receiver of the email complied with the request, sending employee names, addresses, social security numbers, and even the earnings and withholdings of Verity employees to the attacker.
Some feel certain that they would never fall victim to such an attack, but phishing has become much more sophisticated, and the IRS and other organizations have issued warnings to the public to stay alert. The HIPAA Journal article states that business email compromises have been highly effective because the fraudulent emails appear to come from a CEO or other executive.
Microsoft provides some ways to recognize phishing; a phishing email may contain:
Bad spelling and grammar - Cyber attackers are generally not good spellers and their grammar is often bad.
Links in an email - If a link in an email seems suspicious, do not click on it. Microsoft advises resting your mouse over the link, WITHOUT clicking on it, to see whether the address the link actually points to matches the address that is displayed.
Threats - Phishing emails often threaten account closure or use other urgent-sounding language stating that the request for information must be completed or consequences will follow.
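The "rest your mouse over the link" check above can be automated for a mail gateway or a training exercise: parse the anchors in an email and flag any whose visible text names one host while the href points at another. This is an added example, not code from the Data Fast article; the sample email HTML and the host names in it are constructed for the demonstration.

```python
"""Flag links whose visible text names a different host than the real target.

Added example (not from the Data Fast article): it automates the
"rest your mouse over the link" check from the Microsoft tips above.
The sample email HTML below is constructed for this demonstration.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: two honest links, two deceptive ones.
SAMPLE_EMAIL_HTML = """
<p>Please review your payroll record at
<a href="http://198.51.100.23/login">https://hr.example-hospital.org/payroll</a>.</p>
<p>Or use <a href="https://hr.example-hospital.org/payroll">our HR portal</a>.</p>
<p>Updates: <a href="https://example-hospital.org.evil-login.test/x">https://example-hospital.org</a></p>
<p>Help desk: <a href="https://helpdesk.example-hospital.org">https://helpdesk.example-hospital.org</a></p>
"""


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None   # href of the anchor currently open, if any
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(text):
    """Return the lower-cased host of a URL-like string, or None."""
    candidate = text if "://" in text else "http://" + text
    host = (urlparse(candidate).hostname or "").lower()
    return host or None


def find_mismatched_links(html):
    """Return findings for anchors whose displayed address is misleading.

    A link is flagged when the visible text looks like a URL or host name
    and that host differs from the host the href actually points to.
    Plain-language link text ("our HR portal") is not judged at all.
    """
    collector = _LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        shown = text.rstrip(".,;:)")
        looks_like_address = "." in shown and " " not in shown
        shown_host = _host(shown) if looks_like_address else None
        real_host = _host(href)
        if shown_host and real_host and shown_host != real_host:
            findings.append({"shown": shown_host, "actual": real_host, "href": href})
    return findings


if __name__ == "__main__":
    for f in find_mismatched_links(SAMPLE_EMAIL_HTML):
        print("displayed %(shown)s but points to %(actual)s (%(href)s)" % f)
```

The second deceptive link shows how a legitimate domain can be embedded as a subdomain of an unrelated host; comparing whole host names, not substrings, is what catches it.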
But how would this have helped the Verity employees? Many people are already aware of certain ways to recognize phishing, so attackers are constantly attempting new ways to phish, as was seen in the Verity case. Therefore, thorough training and continued communication are key. In fact, prior to the Verity Health Systems attack, two other large healthcare companies, Magnolia Health Corporation of California and St. Joseph’s Healthcare in New Jersey, fell for almost identical scams, which resulted in data breaches in February of this year.
Training employees on the ways in which new attacks are occurring and then following up with employees on recent reported cases can help thwart future attacks. When cyber attackers see that their fraudulent efforts are working, they tend to continue in the same manner. If the Verity employees had been aware of the attacks on Magnolia and St. Joseph’s earlier in the year, they may have questioned the validity of the email they received.
Staying informed is one of the best defenses against phishing. Data Fast Solutions is your best I.T. partner to make sure that you stay informed about phishing and other cyber attacks. Data Fast Solutions has seasoned, skilled professionals who are highly knowledgeable in cyber security as it relates to HIPAA and keeping your health care organization safe from cyber attacks.
This article is ©2016 Data Fast Solutions • All Rights Reserved
In a prior article, in August of this year, the conveniences of cloud computing in healthcare, as well as the security risks of using the cloud, were highlighted. Recently, the Department of Health and Human Services (HHS) updated its guidance on cloud computing under HIPAA, covering the regulations that protect the privacy and security of electronic protected health information (ePHI). The new guidance addresses cloud service providers (CSPs) and their role in HIPAA compliance.
Specifically, the guidelines state:
“When a covered entity engages the services of a CSP to create, receive, maintain, or transmit ePHI (such as to process and/or store ePHI), on its behalf, the CSP is a business associate under HIPAA. Further, when a business associate subcontracts with a CSP to create, receive, maintain, or transmit ePHI on its behalf, the CSP subcontractor itself is a business associate. This is true even if the CSP processes or stores only encrypted ePHI and lacks an encryption key for the data. Lacking an encryption key does not exempt a CSP from business associate status and obligations under the HIPAA Rules. As a result, the covered entity (or business associate) and the CSP must enter into a HIPAA-compliant business associate agreement (BAA), and the CSP is both contractually liable for meeting the terms of the BAA and directly liable for compliance with the applicable requirements of the HIPAA Rules.”
The HHS guidelines go on to answer questions such as:
“If a CSP stores only encrypted ePHI and does not have a decryption key, is it a HIPAA business associate?”
“Do the HIPAA Rules allow health care providers to use mobile devices to access ePHI in a cloud?”
Answers to these, and other questions, can be found on the HHS.gov website at:
As a result of changing guidelines, it’s important that current Service Level Agreements (SLAs) between a CSP and their customer be updated to make sure that the SLA is consistent with updated HIPAA rules.
Just as cloud computing allows easier collaboration between healthcare professionals, it’s also important to collaborate with a good I.T. company like Data-Fast Solutions that is well-versed in HIPAA compliance. This will ensure updated HHS HIPAA guidelines are continually being met.
Mobile devices such as laptops, smartphones, and tablets are used now, more than ever, in healthcare because of their convenience, ease of use, and ability to transmit data efficiently. In addition, apps on mobile devices have made previously arduous tasks more manageable by providing healthcare workers with the ability to complete their work in less time.
Time management apps and other apps, such as those used for maintenance of health records, patient monitoring, and medical training, have given health care professionals the ability to make informed, sometimes life-saving, medical decisions much more quickly than in the past.
However, the convenience of using a mobile device can leave those in the healthcare industry vulnerable to cyber attacks if certain guidelines for protecting and securing information are not followed properly.
The Department of Health and Human Services (HHS) has put together a fact sheet to ensure your organization knows how to protect private health information. Its recommendations include:
Installing and enabling encryption
Use of a password (to lock a mobile device and to lock apps within a mobile device)
Installing and activating remote wiping and/or remote disabling so that data on a mobile device can be erased if the device is lost or stolen
Disabling file-sharing applications if they are installed
Installing and enabling a firewall
Installing and enabling security software and keeping security software up-to-date
Researching mobile apps thoroughly before downloading (to ensure privacy and prevent hacking)
Maintaining physical control of your mobile device
Using adequate security to send or receive health information via secure Wi-Fi
Properly deleting all stored health information on a mobile device prior to discarding it
A healthcare organization should have policies and procedures in place for the use of personal mobile devices versus those provided by the company for work use.
In addition to these guidelines, HHS has a web page dedicated to health information privacy and security on mobile devices. It includes helpful documentation as well as videos to watch to help train staff on the use of mobile devices and HIPAA compliance. It also includes downloadable training materials for healthcare staff with postcards such as "10 Tips to Protect and Secure Health Information When Using a Mobile Device".
Technology safeguards can be put in place for mobile devices, but some of the biggest breaches have occurred when a person using a device is not well informed about how to prevent access to private information. Recent research by Arxan Technologies found that 84 percent of health related apps were open to hacking through code tampering and reverse-engineering. In addition, most app users are not fully aware of the privacy policies for apps and how the private information is used once the app is activated on their mobile device.
Continually reviewing and updating technology and training is imperative to keeping mobile devices HIPAA compliant. Utilizing a certified and knowledgeable HIPAA I.T. professional such as Data Fast Solutions can ensure your mobile technology is well protected and your staff is up-to-date on how to prevent a cyber attack via a mobile device.
Healthcare professionals are now well-versed in HIPAA policies and procedures and are well aware of the importance of HIPAA and the ramifications for non-compliance. However, some healthcare workers may not be as familiar with the HITECH Act. Per HHS.gov, “the Health Information Technology for Economic and Clinical Health (HITECH) Act, enacted as part of the American Recovery and Reinvestment Act of 2009, was signed into law on February 17, 2009, to promote the adoption and meaningful use of health information technology.”
HITECH was put in place to advance certain goals of HIPAA’s existing regulations, including improving quality of care through reduced costs and greater efficiency. Protecting patient personal health information (PHI) in electronic health records (EHRs) is of utmost importance in meeting HIPAA guidelines. Having a good information technology company that is well trained and certified in HIPAA/HITECH analysis and assessment can save your health care organization valuable time and money.
A thorough HIPAA/HITECH analysis should include a review of your PHI/ePHI policies and procedures as well as an examination of your network layout and infrastructure. The analysis can identify whether encrypted or unencrypted PHI is being used on portable devices such as laptops, phones, or thumb drives, to lessen the risk of cyber attacks. Other areas of the analysis should include a review of the way fax machines are used, if any, and their potential for leaving PHI vulnerable. Rather than using a fax machine, a knowledgeable I.T. company can give you more convenient, secure modes of transmitting PHI to lessen your organization’s risk of exposing sensitive information. In addition, the use of email and the possibility of breaches in unsecured webmail systems, such as those used outside the office to send and receive email from home, should be reviewed. Finally, the analysis should cover an area that is surprisingly often overlooked: the way in which PHI is stored, purged, or destroyed.
If breaches are found in an analysis, a HIPAA/HITECH assessment can determine the severity of the breach, and an I.T. professional can take the steps necessary to secure your network as quickly as possible. As with the analysis, an assessment should be done by a HIPAA/HITECH-certified, trained, and knowledgeable I.T. expert to avoid costly mistakes.
In April 2014, the FBI issued a warning to health care organizations that the highest volume of cyber threats is in the healthcare industry. “Data analysis revealed multiple devices (e.g., radiology imaging software, digital video systems, faxes, printers) and security application systems (e.g., Virtual Private Networks (VPN), firewalls, and routers) were compromised.” This is why a HIPAA/HITECH analysis and assessment is vitally important.
Also, the FBI reports that according to a Ponemon Institute report dated March 2013, “63% of the health care organizations surveyed reported a data breach in the past two years with an average monetary loss of $2.4 million per data breach. The majority of each data breach resulted in the theft of information assets. Lastly, 45% reported that their organizations have not implemented security measures to protect patient information.”
Patient information can be much more sensitive than data in other industries, making it more appealing for cyber attacks. Yet, according to the FBI, “the healthcare industry is not as resilient to cyber intrusions compared to the financial and retail sectors, therefore the possibility of increased cyber intrusions is likely.”
Treating information technology in your healthcare practice as importantly as you do your patients, by relying on HIPAA/HITECH trained and certified professionals, will ensure your organization is not part of the FBI statistics.
Cloud-based computing in healthcare has seen extensive growth in recent years due, in large part, to its flexibility in providing easy access to important data. No longer are healthcare professionals required to spend long hours at the office waiting for important documents or return to the office after hours for a record or file. Time is often critical and the cloud can simplify portability for most healthcare workers. It also offers easier collaboration as well as innovation, security, and efficiency, often at a lower cost than traditional servers hosted on-site.
Collaboration and Empowerment
Patient records and emails have been readily available through the cloud for a few years, but it is now being used for physicians and patients to collaborate about care in real time. In many areas of medicine, records can be compared much more quickly for the benefit of patients who may be waiting anxiously for results. In addition, patients themselves are now empowered, more than ever before, to manage their own healthcare in efficient and meaningful ways. Diabetic patients can manage their glucose levels through the cloud on their desktops, smartphones, or laptops, and easily share that information with their physician who can then recommend any changes if necessary.
With cloud technology, healthcare experts are no longer hindered by trying to decipher huge amounts of complex data in different areas of research. As advancements in technology are made, so too are advancements in life-saving medicine. Recently, cloud-based platforms have allowed doctors and researchers to conduct groundbreaking, complicated analysis in areas such as genomics, oncology, and neurology.
While the cloud provides healthcare professionals access to data anytime and anywhere with more flexibility and speed, a secure connection is paramount to thwart unwanted attacks. This is achieved through strong encryption and ensuring that software is always up to date. Encryption must be HIPAA compliant, so it’s important that the guidance provided by the Department of Health and Human Services (HHS) be referenced frequently to ensure HIPAA guidelines are being met. This guide can be found at:
Used regularly, the guide will help healthcare organizations avoid breaches of their cloud-based systems.
Cost and Efficiency
Without the maintenance of expensive servers, and the need for software and hardware upgrades onsite, a smaller business can perform much like a larger organization, but without the added cost. Changes in the healthcare industry are occurring constantly and must be implemented rapidly. Cloud computing allows adjustments to be made quickly depending on the needs of the organization with little or no downtime. After adjustments are made, training can also be conducted through the cloud making it less cumbersome and time consuming for the end user.
Many factors may influence a healthcare organization’s need for technology, and cloud computing may not always be the best choice for everyone. However, a HIPAA-knowledgeable company like Data-Fast Solutions can offer an onsite assessment to provide you with the best solutions to meet your needs.
Unfortunately, ransomware is a word that has become all too familiar to healthcare organizations in the past year. Unlike cyber attacks on financial and retail industries, which are often directed at sensitive information itself, ransomware is used by hackers to encrypt files and databases and hold them for ransom.
Recent examples of ransomware attacks include Methodist Hospital in Henderson, Kentucky, which reportedly paid a ransom of $17,000 to restore its systems. In addition, two Prime Healthcare Management hospitals in California were forced to shut down their systems. That attack also affected several other hospitals and affiliates on a shared network. The organization did not pay a ransom, stating that its IT team was able to implement the procedures it had in place to address the attack and lessen disruptions.
As these attacks on the healthcare industry continue to rise, Data Fast Solutions offers these tips on how to help protect your organization from malicious ransomware attacks.
End User Education
As technology becomes more and more a part of our everyday lives, some organizations may take end user training for granted, assuming that people already know about cyber security. However, this couldn’t be further from the truth. Hackers bank on the end user being untrained in matters of cyber risk, making it easier for them to carry out their attacks.
The Symantec 2015 Internet Security Threat Report states that ransomware is often found in email attachments that look like invoices or bills. The end user opens the attachment, unknowingly downloading and installing the ransomware.
In addition to email attachments, employees should be trained to never use hardware such as USB flash drives unless they are from trusted sources.
As companies become more mobile, training should also include information on attacks targeted at mobile devices. In the past, mobile technology was exempt from ransomware attacks, but this is no longer the case. Just as desktop computers and laptops can be affected, so too can mobile devices.
Data Fast Solutions recommends using real life scenarios in end-user training so the importance of cyber security in an employee’s day-to-day job may be retained more easily.
Paying a ransom for hijacked data is not necessary if systems have been backed up. It really can be as simple as that, yet many companies don’t bother to back up data or do so sporadically. Data Fast Solutions specializes in this process as a way to protect companies from ransomware and can quickly restore an organization’s data should an attack occur.
Effective Implementation of Policies and Procedures
Being prepared means knowing, in advance, what to do if and when a cyber attack occurs. This seems like common sense, yet many organizations in the healthcare industry are still in a reactive, instead of proactive, mode when such an attack occurs. Having well planned policies and procedures in place will lessen the impact of an attack. Well laid plans can seamlessly thwart an otherwise detrimental attack by lessening downtime and the costs associated with an incapacitated system.
Test and Test Again
Training end-users, backing up data, and having solid policies and procedures in place are a good start, but testing is one of the most important aspects of keeping a company well-protected from cyber attacks. If testing does not occur, there will be no way to determine if the efforts in place will work effectively.
Collaborate with External Cyber Security Professionals
Once a business has a good, well-tested plan in place to counter a ransomware attack, that plan must be reevaluated on an on-going basis. This will ensure any potential weak links are discovered as hackers up their game. Cyber security partners like Data Fast Solutions continually provide cyber security analysis to keep an organization safe. This is done by making sure there are security points in place throughout an entire network and alerts are responded to quickly if a breach is attempted.
Electronic health records (EHRs) are held in a complex system that must be configured properly to meet HIPAA rules and regulations. A good I.T. company such as Data-Fast Solutions can handle all aspects of your system configuration to ensure it not only meets, but exceeds, the standards set forth by HIPAA guidelines. However, in order for a healthcare system to work optimally, healthcare professionals and I.T. developers should collaborate as a team before, during, and after the configuration.
To help with this implementation, the Office of the National Coordinator for Health Information Technology (ONC), has put together guidelines known as SAFER Guides which consist of nine guides to assist healthcare organizations with EHR safety. The SAFER Guides, used in conjunction with a highly reputable I.T. company such as Data-Fast Solutions, can ensure HIPAA guidelines are met.
Phase 1 - Safe Health I.T.
Part one of the checklist, Safe Health I.T., covers access points, hosting (physical and electronic), authentication mechanisms, system hardware and software testing, and having proper processes in place to maintain data integrity throughout all phases of system configuration.
Phase 2 - Using Health I.T. Safely
Using Health I.T. Safely is part two of the checklist and looks at the clinical content used, role-based access systems, live production versus training and testing environments, system configuration settings that allow clinical practices to flow as intended, and computer interface usability.
Phase 3 - Monitoring Safety
The last part of the checklist, Monitoring Safety, ensures that the organization has processes and procedures in place to monitor configuration settings to determine if they’re working as intended.
The checklist also has corresponding worksheets, within the guide, that provide rationale for practice or risk assessment, suggested sources of input (clinicians, support staff, health I.T. support staff, etc.), and examples of useful scenarios.
While use of a SAFER Guide is not mandatory, it’s a useful tool to ensure your EHRs are not compromised or left vulnerable to unwanted threats. In addition to the guide, it’s important to utilize an I.T. company, like Data-Fast Solutions, that is well-versed in HIPAA compliance.
The full guide for system configuration can be found at:
Electronic health information (EHI) has contributed greatly to streamlining patient records, allowing those in the medical field to have important, sometimes life-saving, information at their fingertips. Devices and channels for remote use, such as laptops, personal (home) computers, smartphones, public computers (such as those in a library or hotel), Wireless Access Points (WAPs), USB drives, and email, are used more frequently now to conduct day-to-day business in the healthcare field than ever before.
However, convenient remote access can leave EHI vulnerable if certain safeguards are not in place. The Department of Health and Human Services (HHS) provides specific guidelines for those using remote access in the healthcare field. Technology such as Virtual Private Networks (VPNs) can help thwart unwanted access, but it takes much more to lessen the risk.
Along with technical safeguards, proper training is imperative to ensure sensitive information is not compromised. HHS states, “...it is important that a covered entity’s workforce awareness and training program specifically address any vulnerabilities associated with remote access to ePHI. Training should provide, at minimum, clear and concise instructions for accessing, storing and transmitting ePHI.”
Following are some important highlights for training:
Log-on and Passwords
Unauthorized or improper access to, or modification of, EHI is more likely if a two-part authentication process is not used. Requiring an authorized user to answer additional security questions before access is granted helps lessen the risk.
Rules for Authorized Access
Training should communicate that there are different levels of access based on job function and that improper access by unauthorized personnel is strictly prohibited.
Procedures should be in place on how to terminate a session properly. Information about the default for automatic termination, if a system is left idle after a specific period of time, should also be communicated.
Risk for Viruses
Train personnel on the risks of virus infection. Instruct them on personal firewall software and the importance of regular updates to virus protection software.
Proper Storage of Remote Devices
Communicate that the risk of losing, or the theft of, remote devices is a real possibility if proper steps are not taken to secure them. Ensure that strong encryption technology is used on remote devices to protect the EHI if lost or stolen.
Proper Disposal of Remote Devices
Procedures for how to dispose of remote devices that are no longer being used are critical to prevent EHI from being exposed to those not authorized.
Remote access can provide more flexibility and productivity, but should always be coupled with thorough training to ensure HIPAA guidelines are followed.
In our previous article, "The Importance of Utilizing A Good HIPAA Knowledgeable I.T. Company", we mentioned that the Office for Civil Rights (OCR) was expected to perform more frequent audits and to assess larger fines as HIPAA complaints and breaches are investigated.
In addition to audits arising from complaints and breaches, routine phase 2 HIPAA audits are now well underway. The audit protocol, updated last month (April 2016), is available at:
A portion of the phase 2 audits pertain to electronic protected health information or ePHI.
The U.S. Department of Health and Human Services specifically outlines the following technical safeguards that must be adhered to for ePHI:
Access Control. A covered entity must implement technical policies and procedures that allow only authorized persons to access electronic protected health information (e-PHI).
Audit Controls. A covered entity must implement hardware, software, and/or procedural mechanisms to record and examine access and other activity in information systems that contain or use e-PHI.
Integrity Controls. A covered entity must implement policies and procedures to ensure that e-PHI is not improperly altered or destroyed. Electronic measures must be put in place to confirm that e-PHI has not been improperly altered or destroyed.
Transmission Security. A covered entity must implement technical security measures that guard against unauthorized access to e-PHI that is being transmitted over an electronic network.
If you are a health care organization, or a covered entity (CE) working with the health care industry, it's important to follow the tips below to make sure your ePHI is secure.
Encrypt Personal Health Information (PHI)
Always use SSL (Secure Sockets Layer) for web-based access to any sensitive data. SSL is the standard security technology for establishing an encrypted link between a web server and a browser. This link ensures that all data passed between the web server and browsers remains private.
Encryption techniques and mechanisms should only be known to a select, authorized, few employees.
In addition to text, images and scans should also be encrypted and must not contain any personal identifying information.
Never use public File Transfer Protocol (FTP).
Only use Virtual Private Network (VPN) access for remote access.
Use login retry protection in your application.
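The last tip, login retry protection, is easy to state but is often implemented loosely. The block below is an added example, not code from the Data Fast article or from any product: it locks an account after a threshold of failed attempts inside a sliding window, refuses further attempts until the lockout expires, and writes one audit record per attempt, which is the kind of record the Audit Controls safeguard above asks for. The usernames, thresholds and time values are constructed for the demonstration.

```python
"""Login retry protection with an audit trail for an ePHI-bearing application.

Added example, not code from the Data Fast article or from any real product.
Thresholds, usernames and the password below are constructed for the demo.
"""
import hashlib
import hmac
import secrets
import time
from collections import defaultdict

MAX_FAILURES = 5          # failed attempts tolerated inside the window
WINDOW_SECONDS = 300      # sliding window in which failures are counted
LOCKOUT_SECONDS = 900     # how long the account stays locked once the threshold is hit


def _hash_password(password, salt=None):
    """PBKDF2-HMAC-SHA256; returns (salt, digest). Iteration count is a demo value."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest


class LoginGuard:
    """Tracks failed logins per user and refuses attempts while locked out.

    `clock` is injectable so lockout expiry can be exercised without sleeping.
    """

    def __init__(self, users, clock=time.time):
        self._users = users                  # username -> (salt, digest)
        self._clock = clock
        self._failures = defaultdict(list)   # username -> [failure timestamps]
        self._locked_until = {}              # username -> lockout expiry time
        self.audit_log = []                  # one record per attempt (Audit Controls)

    def _record(self, user, outcome, source_ip):
        self.audit_log.append(
            {"ts": self._clock(), "user": user, "ip": source_ip, "outcome": outcome}
        )

    def attempt(self, user, password, source_ip):
        now = self._clock()
        # While a lockout is active, refuse without even checking the password,
        # so a lockout cannot be used to keep guessing.
        if self._locked_until.get(user, 0) > now:
            self._record(user, "locked_out", source_ip)
            return "locked_out"
        # Forget failures that have aged out of the counting window.
        self._failures[user] = [t for t in self._failures[user] if now - t < WINDOW_SECONDS]
        stored = self._users.get(user)
        # Unknown users get a dummy hash so response time does not reveal
        # which usernames exist.
        salt, digest = stored if stored else (b"\x00" * 16, b"\x00" * 32)
        _, candidate = _hash_password(password, salt)
        ok = stored is not None and hmac.compare_digest(candidate, digest)
        if ok:
            self._failures[user].clear()
            self._record(user, "success", source_ip)
            return "success"
        self._failures[user].append(now)
        if len(self._failures[user]) >= MAX_FAILURES:
            self._locked_until[user] = now + LOCKOUT_SECONDS
            self._failures[user].clear()
            self._record(user, "locked", source_ip)
            return "locked"
        self._record(user, "failure", source_ip)
        return "failure"


def demo():
    """Drive the guard with a fake clock; returns (outcomes, audit log)."""
    fake_now = [1_700_000_000.0]
    users = {"nurse.jane": _hash_password("correct horse battery staple")}
    guard = LoginGuard(users, clock=lambda: fake_now[0])
    # Five wrong passwords: four failures, then the fifth triggers the lockout.
    results = [guard.attempt("nurse.jane", "wrong%d" % i, "10.0.0.5") for i in range(5)]
    # The right password is refused while the lockout is active ...
    results.append(guard.attempt("nurse.jane", "correct horse battery staple", "10.0.0.5"))
    fake_now[0] += LOCKOUT_SECONDS + 1
    # ... and accepted once it has expired.
    results.append(guard.attempt("nurse.jane", "correct horse battery staple", "10.0.0.5"))
    return results, guard.audit_log


if __name__ == "__main__":
    outcomes, log = demo()
    print(outcomes)
    for entry in log:
        print(entry)
```

In production the failure counters and lockout state belong in shared storage rather than process memory, and the audit records should go to a log that the application itself cannot modify.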
ePHI is a top priority, especially as it relates to phase 2 audits, but it is certainly not the only concern. Outside of audits, there are many aspects to maintaining good, overall cyber security standards in relation to HIPAA rules and regulations. These standards will be addressed in upcoming articles.
It's been twenty years since the Health Insurance Portability and Accountability Act (HIPAA) was implemented to improve health care efficiency and protect an individual's private health information. Unfortunately, over the years there have been numerous examples of breaches resulting in civil and criminal penalties. In an article by Healthcare IT News from May of 2014, the top six HIPAA breach fines ranged from $1.7 million to $4.8 million.
The 4.8 million dollar fine went to New York Presbyterian Hospital and Columbia University which affected 6,800 individuals. Healthcare IT News reported that the breach occurred "when a CU physician, who developed applications for NYP and CU, attempted to deactivate a personally owned computer server on the network containing ePHI. Due to lack of technical safeguards, server deactivation resulted in ePHI being accessible on Google."
Other cases included unencrypted laptops and USB hard drives. Yet another was due to poorly performed software upgrades that resulted in social security numbers of patients being accessible by unauthorized persons over the internet for nearly five months.
These types of incidents continue to occur, yet every violation is completely preventable when utilizing the services of knowledgeable I.T. companies. The best I.T. professionals are those who are not only well-versed in I.T. security, but who fully understand HIPAA rules and regulations.
The most sought after are those like Data-Fast Solutions who are continually educated about new HIPAA privacy and security regulations. This ensures a health care organization can be confident and completely prepared for a possible HIPAA security audit.
According to the U.S. Department of Health and Human Services HIPAA Breach Notification Rule, at: www.hhs.gov/hipaa/for-professionals/breach-notification/index.html, audits can include:
notice of privacy practices;
patients’ rights to request privacy for protected health information (PHI);
access of individuals to PHI;
administrative, physical, and technical safeguards;
uses and disclosures of PHI;
amendment to PHI; and
requirements of the HIPAA Breach Notification Rule.
HIPAA audits can make any health care organization experience stress if the right safeguards for their technology are not firmly in place. A HIPAA knowledgeable I.T. professional can easily recognize any vulnerabilities and do what is necessary to address them quickly and effectively.
In 2015, in the month of December alone, the second-largest HIPAA fine in history was assessed. There is no doubt that HIPAA breaches resulting in fines in the millions can be detrimental to any health care company. However, for smaller companies dealing with protected health information (PHI), even the lowest fine can adversely affect a business. Monetary fines are not the only concern. It can take two to three years for a HIPAA investigation to occur.
The Office for Civil Rights (OCR) is expected to perform more frequent audits and to assess larger fines as HIPAA complaints and breaches are investigated. The I.T. related fines levied by the OCR for violations occurring due to unencrypted hardware and poorly performed software upgrades simply would not occur with a good I.T. company in place. HIPAA I.T. experts can easily and seamlessly handle all aspects of sensitive technology to ensure the stress and time involved in a potential audit is minimal.