All Data Fast News is © Data Fast Solutions, unless where otherwise indicated • All Rights Reserved
Unfortunately, ransomware is a word that has become all too familiar to healthcare organizations in the past year. Unlike cyber attacks on financial and retail industries, which are often directed at sensitive information itself, ransomware is used by hackers to encrypt files and databases and hold them for ransom.
Recent examples of ransomware attacks include Methodist Hospital in Henderson, Kentucky, which reportedly paid a ransom of $17,000 to restore its systems. In addition, two Prime Healthcare Management hospitals in California were forced to shut down their systems. That attack also affected several other hospitals and affiliates on a shared network. The organization did not pay a ransom, stating that its IT team was able to carry out the procedures it already had in place to address the attack and lessen disruptions.
As these attacks on the healthcare industry continue to rise, Data Fast Solutions offers these tips on how to help protect your organization from malicious ransomware attacks.
End User Education
As technology becomes more and more a part of our everyday lives, some organizations may take end user training for granted, assuming that people already know about cyber security. However, this couldn’t be further from the truth. Hackers bank on the end user being untrained in matters of cyber risk, which makes it easier for them to carry out their attacks.
The Symantec 2015 Internet Security Threat Report states that ransomware is often found in email attachments that look like invoices or bills. The end user opens the attachment and unknowingly downloads and installs the ransomware.
In addition to email attachments, employees should be trained to never use hardware such as USB flash drives unless they are from trusted sources.
As companies become more mobile, training should also include information on attacks targeted at mobile devices. In the past, mobile technology was largely spared from ransomware attacks, but this is no longer the case. Just as desktop computers and laptops can be affected, so too can mobile devices.
Data Fast Solutions recommends using real life scenarios in end-user training so the importance of cyber security in an employee’s day-to-day job may be retained more easily.
Paying a ransom for hijacked data is not necessary if systems have been backed up. It really can be as simple as that, yet many companies don’t bother to back up data or do so sporadically. Data Fast Solutions specializes in this process as a way to protect companies from ransomware and can quickly restore an organization’s data should an attack occur.
Effective Implementation of Policies and Procedures
Being prepared means knowing, in advance, what to do if and when a cyber attack occurs. This seems like common sense, yet many organizations in the healthcare industry are still in a reactive, instead of proactive, mode when such an attack occurs. Having well-planned policies and procedures in place will lessen the impact of an attack. Well-laid plans can thwart an otherwise detrimental attack by lessening downtime and the costs associated with an incapacitated system.
Test and Test Again
Training end users, backing up data, and having solid policies and procedures in place are a good start, but testing is one of the most important aspects of keeping a company well protected from cyber attacks. If testing does not occur, there is no way to determine whether the measures in place will work effectively.
Collaborate with External Cyber Security Professionals
Once a business has a good, well-tested plan in place to counter a ransomware attack, that plan must be reevaluated on an ongoing basis. This ensures that potential weak links are discovered as hackers up their game. Cyber security partners like Data Fast Solutions continually provide cyber security analysis to keep an organization safe. This is done by making sure there are security checkpoints in place throughout the entire network and that alerts are responded to quickly if a breach is attempted.
This article is ©2016 Data Fast Solutions • All Rights Reserved
Electronic health records (EHRs) are held in a complex system that must be configured properly to meet HIPAA rules and regulations. A good I.T. company such as Data-Fast Solutions can handle all aspects of your system configuration to ensure it not only meets, but exceeds, the standards set forth by HIPAA guidelines. However, in order for a healthcare system to work optimally, healthcare professionals and I.T. developers should collaborate as a team before, during, and after the configuration.
To help with this implementation, the Office of the National Coordinator for Health Information Technology (ONC) has put together guidelines known as the SAFER Guides, which consist of nine guides to assist healthcare organizations with EHR safety. The SAFER Guides, used in conjunction with a highly reputable I.T. company such as Data-Fast Solutions, can ensure HIPAA guidelines are met.
Phase 1 - Safe Health I.T.
Part one of the checklist, Safe Health I.T., covers access points, hosting (physical and electronic), authentication mechanisms, system hardware and software testing, and ensures proper processes are in place to maintain data integrity throughout all phases of system configuration.
Phase 2 - Using Health I.T. Safely
Using Health I.T. Safely is part two of the checklist and looks at the clinical content used, role-based access systems, live production versus training and testing environments, system configuration settings that allow clinical practices to flow as intended, and computer interface usability.
Phase 3 - Monitoring Safety
The last part of the checklist, Monitoring Safety, ensures that the organization has processes and procedures in place to monitor configuration settings to determine if they’re working as intended.
The checklist also has corresponding worksheets, within the guide, that provide the rationale for each practice or risk assessment, suggested sources of input (clinicians, support staff, health I.T. support staff, etc.), and examples of useful scenarios.
While use of a SAFER Guide is not mandatory, it’s a useful tool to ensure your EHRs are not compromised or left vulnerable to unwanted threats. In addition to the guide, it’s important to utilize an I.T. company, like Data-Fast Solutions, that is well versed in HIPAA compliance.
The full guide for system configuration can be found at:
Electronic health information (EHI) has contributed greatly to streamlining patient records, allowing those in the medical field to have important, sometimes life-saving, information at their fingertips. Remote-use devices and channels such as laptops, personal (home) computers, smartphones, public computers (such as those in a library or hotel), wireless access points (WAPs), USB drives, and email are used more frequently now to conduct day-to-day business in the healthcare field than ever before.
However, convenient remote access can leave EHI vulnerable if certain safeguards are not in place. The Department of Health and Human Services (HHS) provides specific guidelines for those using remote access in the healthcare field. Technology such as Virtual Private Networks (VPNs) can help thwart unwanted access, but it takes much more to lessen the risk.
Along with technical safeguards, proper training is imperative to ensure sensitive information is not compromised. HHS states, “...it is important that a covered entity’s workforce awareness and training program specifically address any vulnerabilities associated with remote access to ePHI. Training should provide, at minimum, clear and concise instructions for accessing, storing and transmitting ePHI.”
Following are some important highlights for training:
Log-on and Passwords
Unauthorized or improper access to, or modification of, EHI is more likely if a two-part authentication process is not used. Requiring an authorized user to answer additional security questions prior to access helps lessen the risk.
Rules for Authorized Access
Training should communicate that there are different levels of access based on job function and that improper access by unauthorized personnel is strictly prohibited.
Procedures should be in place for how to terminate a session properly. The default for automatic termination, which ends a session left idle for a specific period of time, should also be communicated.
Risk for Viruses
Train personnel on the risk of infection by viruses. Instruct them on personal firewall software and the importance of regular updates to virus protection software.
Proper Storage of Remote Devices
Communicate that loss or theft of remote devices is a real possibility if proper steps are not taken to secure them. Ensure that strong encryption technology is used on remote devices to protect the EHI if they are lost or stolen.
Proper Disposal of Remote Devices
Procedures for disposing of remote devices that are no longer in use are critical to prevent EHI from being exposed to unauthorized persons.
Remote access can provide more flexibility and productivity, but should always be coupled with thorough training to ensure HIPAA guidelines are followed.
In our previous article, "The Importance of Utilizing A Good HIPAA Knowledgeable I.T. Company", we mentioned that the Office for Civil Rights (OCR) was expected to perform more frequent audits and to assess larger fines as HIPAA complaints and breaches are investigated.
In addition to audits arising from complaints and breaches, routine phase 2 HIPAA audits are now well underway. The audit protocol, updated last month (April 2016), is available at:
A portion of the phase 2 audits pertains to electronic protected health information, or ePHI.
The U.S. Department of Health and Human Services specifically outlines the following technical safeguards that must be adhered to for ePHI:
Access Control. A covered entity must implement technical policies and procedures that allow only authorized persons to access electronic protected health information (e-PHI).
Audit Controls. A covered entity must implement hardware, software, and/or procedural mechanisms to record and examine access and other activity in information systems that contain or use e-PHI.
Integrity Controls. A covered entity must implement policies and procedures to ensure that e-PHI is not improperly altered or destroyed. Electronic measures must be put in place to confirm that e-PHI has not been improperly altered or destroyed.
Transmission Security. A covered entity must implement technical security measures that guard against unauthorized access to e-PHI that is being transmitted over an electronic network.
If you are a health care organization, or a covered entity (CE) that works with the health care industry, it's important to follow the tips below to make sure your ePHI is secure.
Encrypt Personal Health Information (PHI)
Always use SSL (Secure Sockets Layer) for web-based access of any sensitive data. SSL is the standard security technology for establishing an encrypted link between a web server and a browser. This link ensures that all data passed between the web server and browsers remain private.
Encryption techniques and mechanisms should be known only to a select few authorized employees.
In addition to text, images and scans should also be encrypted and must not contain any personal identifying information.
Never use public File Transfer Protocol (FTP).
Only use Virtual Private Network (VPN) access for remote access.
Use login retry protection in your application.
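As an added example (not from the article or from Data Fast Solutions) of the login retry protection tip above, combined with the audit-control requirement to record and examine access attempts, here is a per-account lockout guard in Python; the account names, thresholds and clock values are constructed for illustration.

```python
import time
from collections import Counter, namedtuple

# One audit record per attempt: outcome is success | failure | locked_out | rejected
AuditEvent = namedtuple("AuditEvent", "ts user outcome")

class LoginGuard:
    """Per-account retry limiter that records every attempt for audit review."""
    def __init__(self, max_failures=5, lockout_seconds=900, clock=time.time):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.clock = clock             # injectable so tests can control time
        self._failures = {}            # user -> consecutive failed attempts
        self._locked_until = {}        # user -> unix time when the lockout ends
        self.audit_log = []            # append-only record of every attempt

    def attempt(self, user, credential_ok):
        # credential_ok comes from the caller's password check (for example a
        # constant-time comparison of hashes); this class only gates and records.
        now = self.clock()
        if self._locked_until.get(user, 0) > now:
            return self._record(now, user, "rejected")   # locked, even if password is right
        if credential_ok:
            self._failures.pop(user, None)
            return self._record(now, user, "success")
        self._failures[user] = self._failures.get(user, 0) + 1
        if self._failures[user] >= self.max_failures:
            self._locked_until[user] = now + self.lockout_seconds
            self._failures[user] = 0
            return self._record(now, user, "locked_out")
        return self._record(now, user, "failure")

    def _record(self, ts, user, outcome):
        self.audit_log.append(AuditEvent(ts, user, outcome))
        return outcome

def lockouts_per_user(audit_log):
    """Audit-control view: how often each account hit the lockout threshold."""
    return dict(Counter(e.user for e in audit_log if e.outcome == "locked_out"))

def demo():
    # Constructed scenario: three wrong passwords, then the right one during and after a 60 s lockout
    now = [1_000.0]
    guard = LoginGuard(max_failures=3, lockout_seconds=60, clock=lambda: now[0])
    outcomes = [guard.attempt("dr_smith", False) for _ in range(3)]
    outcomes.append(guard.attempt("dr_smith", True))   # rejected: still locked
    now[0] += 61
    outcomes.append(guard.attempt("dr_smith", True))   # success once the lockout ends
    return outcomes, lockouts_per_user(guard.audit_log)
```

Reviewing `lockouts_per_user` over the audit log is the kind of examination the Audit Controls safeguard calls for: a single account repeatedly hitting the threshold is worth a closer look.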
ePHI is a top priority, especially as it relates to phase 2 audits, but it is certainly not the only concern. Outside of audits, there are many aspects to maintaining good, overall cyber security standards in relation to HIPAA rules and regulations. These standards will be addressed in upcoming articles.
It's been twenty years since the Health Insurance Portability and Accountability Act (HIPAA) was implemented to improve health care efficiency and protect an individual's private health information. Unfortunately, over the years there have been numerous examples of breaches resulting in civil and criminal penalties. In an article by Healthcare IT News from May of 2014, the top six HIPAA breach fines ranged from $1.7 million to $4.8 million.
The $4.8 million fine went to New York Presbyterian Hospital and Columbia University for a breach that affected 6,800 individuals. Healthcare IT News reported that the breach occurred "when a CU physician, who developed applications for NYP and CU, attempted to deactivate a personally owned computer server on the network containing ePHI. Due to lack of technical safeguards, server deactivation resulted in ePHI being accessible on Google."
Other cases involved unencrypted laptops and USB hard drives. Yet another was due to poorly performed software upgrades that left patients' Social Security numbers accessible to unauthorized persons over the internet for nearly five months.
These types of incidents continue to occur, yet every violation is completely preventable when utilizing the services of knowledgeable I.T. companies. The best I.T. professionals are those who are not only well versed in I.T. security, but who also fully understand HIPAA rules and regulations.
The most sought after are those like Data-Fast Solutions who are continually educated about new HIPAA privacy and security regulations. This ensures a health care organization can be confident and completely prepared for a possible HIPAA security audit.
According to the U.S. Department of Health and Human Services HIPAA Breach Notification Rule, at: www.hhs.gov/hipaa/for-professionals/breach-notification/index.html, audits can include:
notice of privacy practices;
patients’ rights to request privacy for protected health information (PHI);
access of individuals to PHI;
administrative, physical, and technical safeguards;
uses and disclosures of PHI;
amendment to PHI; and
requirements of the HIPAA Breach Notification Rule.
HIPAA audits can make any health care organization experience stress if the right safeguards for their technology are not firmly in place. A HIPAA knowledgeable I.T. professional can easily recognize any vulnerabilities and do what is necessary to address them quickly and effectively.
In December 2015 alone, the second-largest HIPAA fine in history was assessed. There is no doubt that HIPAA breaches resulting in fines in the millions can be detrimental to any health care company. However, for smaller companies dealing with protected health information (PHI), even the lowest fine can adversely affect a business. Monetary fines are not the only concern: it can take two to three years for a HIPAA investigation to run its course.
The Office for Civil Rights (OCR) is expected to perform more frequent audits and to assess larger fines as HIPAA complaints and breaches are investigated. The I.T. related fines levied by the OCR for violations occurring due to unencrypted hardware and poorly performed software upgrades simply would not occur with a good I.T. company in place. HIPAA I.T. experts can easily and seamlessly handle all aspects of sensitive technology to ensure the stress and time involved in a potential audit is minimal.