HIPAA Compliance Guide: A Guide on How to Be HIPAA Compliant When Working Remotely

Are you a physician? Do you work in a private practice or a clinic setting? Are you a healthcare facility or a business that works with the healthcare industry?

If you collect, store, share, and/or use patient information, you must follow HIPAA rules. If you’re unsure about how to become HIPAA compliant, continue reading. This article will explain HIPAA and compliance strategies.

You will also learn about making sure your remote workers meet HIPAA standards.

What Is the HIPAA Law?

Congress passed the Health Insurance Portability and Accountability Act (HIPAA) in 1996. The U.S. Department of Health and Human Services (HHS) then issued the Privacy Rule to implement the Act. HIPAA does the following:

  • Preserves health insurance coverage, and allows it to transfer, when someone changes or loses their job
  • Decreases health care abuse and fraud
  • Establishes standards for the handling of all health-related electronic billing and processing
  • Mandates protection and confidential processing of all protected health information

HHS and its Office for Civil Rights (OCR) implement and enforce the HIPAA Privacy Rule. They have the authority to impose civil money penalties for violations.

What Is PHI?

Protected health information (PHI) is the central focus of HIPAA and the Privacy Rule. All healthcare providers and facilities must ensure the safe and confidential handling of PHI. This requirement extends to all third parties and business associates working with the facility or provider.

What Is a Covered Entity or Business Associate?

The HIPAA Privacy Rule strictly defines covered entities and business associates (CE/BA). These are the organizations that handle PHI and share it with your facility.

How to Become HIPAA Compliant

Today, it’s not enough to be HIPAA compliant. By law, you must be ready to show how you meet HIPAA compliance requirements. The following is a guide to ensure your readiness.

Search for vulnerabilities that could expose PHI and electronic PHI (ePHI), and identify risk-mitigation strategies. Select an individual to develop and implement policies and procedures. Ensure all CE/BAs are HIPAA compliant before granting them access to PHI or ePHI.

Educate and document that all employees who handle PHI have completed HIPAA training. Track staff compliance with established policies and procedures.

Set up physical safeguards including restricted access to areas that contain PHI. Maintain a record of who accesses PHI. Develop policies related to the transfer, disposal, and re-use of any electronic media.

Place barriers to limit visual and auditory access to PHI by unauthorized individuals.

Control access to PHI data with passwords or other secure authentication methods. Protect PHI from unauthorized changes and data breaches during electronic transmission. Develop procedures for the proper destruction of PHI when appropriate.

CE/BAs must adhere to HIPAA Privacy Rules as well. Compliance assessments must occur on a routine basis.

What Is a HIPAA Security Breach?

HIPAA § 164.402 defines a breach as an impermissible acquisition, access, use, or disclosure of PHI that compromises its security or privacy. This rule excludes the following situations.

The first is an unintentional acquisition, access, or use of PHI by a staff member of an authorized CE/BA. It is considered unintentional if the action was made in good faith and within the scope of the staff member's authority. Last, it must not have led to further use or disclosure.

The second is inadvertent disclosure: PHI is accessed and shared between persons authorized to handle it at a CE/BA, and the PHI is not used or disclosed in any further manner.

Last, the exclusion applies when the CE/BA, in good faith, believes the unauthorized person who received the PHI won't retain or use it.

Steps to Take If a Breach Occurs

If someone in a facility suspects a possible breach, an investigation must take place. The facility must determine whether the incident meets HIPAA’s “low probability of compromise” threshold. Facilities should presume a breach whenever they suspect that the privacy or security of PHI has been compromised.

The “date of discovery” is the date on which a CE/BA or facility identifies a credible breach. If the breach involved over 500 people, notify a prominent media outlet in the affected area. Also, notify HHS. All affected individuals must also receive a notification.

In cases involving fewer than 500 people, the facility or CE/BA can keep a log of the relevant data. They must notify HHS within 60 days after the end of the calendar year.

How Do You Prevent Security Breaches?

HIPAA only mandates the breach notification process for unsecured PHI, so keeping PHI from being compromised in the first place is the best protection. With that in mind, let’s turn our attention to breach prevention.

Develop policy and procedure manuals for the following:

  • Security
  • Disaster recovery
  • Patient privacy

Also, include manuals covering provider, employee, patient, and CE/BA procedures.

Complete a risk assessment of physical, technical, and personnel vulnerabilities. How many people and devices have access to PHI? What natural disasters occur in your area that might compromise security?

All employees must complete privacy training on a routine basis. How will you structure this training? How will you document staff participation?

Steps to Take to Ensure HIPAA Compliance with Remote Workers

Today’s workplace has changed dramatically. Many individuals now work from home or other remote locations. They may travel for their work activities as well.

This can make HIPAA compliance more challenging. The following suggestions can help ensure the protection and compliance of remote workers.

  • Ensure home wireless routers have encryption capability
  • Change wireless router passwords on a set schedule
  • Ensure all personal devices with access to PHI are encrypted and password protected
  • Don’t allow access to the facility network until devices are properly configured and have firewall and antivirus protection
  • Encrypt PHI before transmission
  • Mandate that all employees use a VPN when remotely accessing the company network
  • Provide all employees with a HIPAA-compliant shredder
  • Provide lockable file cabinets or safes to store hardcopy PHI

Develop policies and procedures outlining expectations for employee work protocols. Prior to beginning remote work, have employees sign a Confidentiality Agreement. If you allow employees to use their own device, establish a Bring Your Own Device Agreement.

Behavioral protocols may include the following.

  • Never allow anyone else to use a device that contains PHI
  • Mandate adherence to media sanitization policies
  • Mandate that employees disconnect from the company network when they stop working
  • Set up IT-configured timeouts that disconnect idle employees from the network

Review and document all remote access activity.

Are You a Healthcare Provider or in Charge of a Health Facility?

All businesses that collect, store, process, and share PHI must maintain HIPAA compliance. This article described how to become HIPAA compliant. It also addressed special considerations for remote workers.

HIPAA Security Suite provides solutions to assist healthcare organizations and CE/BAs in meeting HIPAA regulations. We also help you ensure ongoing compliance. Contact us today to ask questions and learn more about our services.

HIPAA Violation Fines and Penalties: What Are They in 2020?

HIPAA, or the Health Insurance Portability and Accountability Act, was put in place to protect the rights and confidentiality of patients.

Violating HIPAA is a big deal for medical professionals, and there are hefty fines associated with it. If you work in the healthcare industry, it’s important to stay up-to-date with evolving HIPAA regulations, violations, and their corresponding fines.

Fines may increase as the years go by, and they have increased for 2020. If you’re not up to date on HIPAA penalties, continue reading to learn all about HIPAA violation fines and punishments.

What is a HIPAA Violation?

HIPAA helps to protect the private health information of patients and health plan members. Any breach in this protection, whether purposeful or not, can be considered a HIPAA violation.

There are hundreds of ways that HIPAA can be violated, and healthcare professionals are expected to be aware of them so that they don’t run into problems. Professionals are trained to comply with HIPAA standards and provisions to ensure the safety of private data and health information of their patients.

What Happens if You Violate HIPAA?

In short, it varies.

Not all HIPAA violations are the same. Rather, violations fall into different levels, which are taken into consideration when the penalty is determined.

Not all violations are equal, and intentions factor in. If the act was willful or willfully negligent, the penalty is likely to be higher. If it was accidental or unavoidable, the penalty is going to be lower.

Penalties range from being only financial to being more criminal in nature. It all depends on the nature of the violation and the intention behind it, as well as any steps that were taken within an acceptable timeframe to rectify the situation.

Level 1

Level 1 violations carry the lowest penalties. These violations are ones that couldn’t reasonably have been avoided: the entity or person in question may have been unaware of the violation and, even with all due diligence, could not have known about it in time.

Level 2

Level 2 violations are still not purposeful. There was a reasonable cause for the violation, but the entity or individual should have known about it before a violation took place.

Level 3

Level 3 violations begin to get more serious. For a level 3 violation, the action had to amount to willful neglect. That said, if the violation was corrected within an acceptable time limit (30 days), the penalty is softened.

Level 4

These carry the highest penalties for HIPAA violations. For a level 4 violation, the action had to be willful or willfully negligent, and there must have been no timely attempt to rectify the situation.

What Are the HIPAA Violation Fines?

The penalties vary based on the level of violation. Each financial penalty is per violation, so if multiple breaches happened at once, they can add up to a significant sum. For the purposes of this breakdown, the figures below are for a single violation.

The cost of civil monetary penalties has gone up in 2020, so it’s important to keep updated if you’re in the healthcare industry.

Level 1 Violations: The minimum penalty is $119, while the maximum penalty is $59,522. The maximum amount that can be charged during a single calendar year is $1,785,651.

Level 2 Violations: For the next tier, the minimum penalty is $1,191, and the maximum penalty is $59,522. The penalty cap for the year is $1,785,651.

Level 3 Violations: For this level, the minimum penalty rises to $11,904 while the maximum penalty rises again to $59,522. The cap for the penalty is $1,785,651.

Level 4 Violations: For the highest tier of violations, the penalty begins at $59,522. The maximum and the calendar year cap are both $1,785,651.

For lower-level violations, the employee (if it was an individual) may also lose their job, or be subject to intensive further training and observation in order to maintain their position in the hospital or office. For willful violations, the employee is almost certain to lose their position.

Are There Criminal Penalties for HIPAA Violations?

In some situations, there’s more to a penalty than simple HIPAA violation fines. Some HIPAA violations are considered criminal offenses and can result in jail time. Offenses like these are nearly always willful and generally intended to cause some kind of harm.

For example, if a healthcare professional knowingly shared private health information for financial gain, this would be a criminal offense under HIPAA. All use or disclosure of private healthcare information has to be permitted under the HIPAA Privacy Rule.

Criminal HIPAA violations have their own tier system to designate levels and punishments.

Level 1: The person or entity had reasonable cause for the violation or was unaware of the violation. This can end in up to one year in prison.

Level 2: The person or entity was obtaining private health information under false pretenses. This can end in up to five years in prison.

Level 3: The person or entity was obtaining private health information for personal use or gain, or with malicious intent. This can end in up to ten years in prison.

Are You Up to Date with HIPAA Penalties in 2020?

If you work in medicine, it’s important to keep yourself and your staff regularly updated on changes to HIPAA. Many HIPAA violations are accidental, but the HIPAA violation fines will still impact the staff and practice, and some violations could end in imprisonment.

Having medical staff brush up on their HIPAA training regularly and keeping close tabs on private medical data is a good way to avoid violations and penalties, especially at a time when there are more hackers and data breaches than ever. There is a hacker attack every 39 seconds, and a breach resulting from one, while not purposeful on your part, could still land you in trouble.

For more information on HIPAA and how to protect yourself from violations, check out our site.

What You Need to Know About U.S. Data Privacy Laws

In the first half of 2018, there were 668 data breaches and 22 million records exposed.

The number of data breaches is steadily increasing. With more of your personal information online than ever before, you should be concerned about your privacy.

Part of that is being informed about what governs the protection of information. US data privacy laws are a complicated system.

But we’ll tell you all you need to know about privacy laws in the US. Keep reading for more.

State Data Privacy Laws

California was the first state to create a law around data breach notification. This law states that businesses that experience a data breach must report the breach to affected persons.

Today, 48 states have laws that are similar. They differ in their definitions of what categories and types of personal information are protected.

States also differ on who is covered by the regulations and on which other agencies, if any, need to be notified in the case of a breach.

Federal Data Privacy Laws

At the federal level, data privacy laws are a patchwork of different regulations and laws. Some focus on categories of information. Others regulate activities that use personal information.

There are also consumer protection laws that function as data privacy laws to some degree. Below is a list of the most important federal laws governing US data privacy:

  • The Financial Services Modernization Act. It regulates the collection, use, and disclosure of information held by banks, insurance companies, securities firms, and other financial products and services businesses.
  • The Fair Credit Reporting Act. Applies to lenders who use consumer reports, and to credit card companies that hold consumer-reporting information.
  • The Federal Trade Commission Act. This Act applies to offline and online privacy and data security. It prohibits unfair and deceptive practices in regard to consumer data protection.
  • The Controlling the Assault of Non-Solicited Pornography and Marketing Act and the Telephone Consumer Protection Act. These focus on the collection and use of e-mail addresses and telephone numbers.
  • The Electronic Communications Privacy Act. Concerns interception of and tampering with electronic communications.
  • The Judicial Redress Act. Gives citizens of allied nations the right to access the US court system in cases of privacy violations, particularly when personal information is disclosed to law enforcement.
  • The Health Insurance Portability and Accountability Act (HIPAA). Covers medical records held by health care providers, pharmacies, data processors, and other entities that handle medical information.
    • The Standards for Privacy of Individually Identifiable Health Information. Regulates the collection and use of protected health information (PHI).
    • The Standards for Electronic Transactions. Regulates medical data that’s electronically transmitted.
    • The Security Standards for the Protection of Electronic Protected Health Information. Sets the standard for the protection of medical data.

With so many pieces of legislation regulating federal data privacy laws – not to mention state laws – the system is complicated, to say the least.

The Problem with Federal Data Privacy Laws

Compared with most Western countries, the US is lacking in data privacy laws. There are no comprehensive legal protections for personal data. That is, there is no single federal law to regulate how personal information is collected and used.

As it stands, federal government regulations affect only some sectors. Regulations only account for some types of sensitive information.

There’s also a patchwork of best-practice guidelines. But these self-regulatory frameworks don’t have the force of law behind them to ensure their implementation.

In addition, it’s not uncommon for federal laws to overlap with state laws. These contradictions can leave companies in a regulatory limbo. They’re unable to comply with both state and federal laws that regulate the same items.

Companies aren’t the only ones who suffer from the haphazard approach to data security laws. The personal information of citizens is also left vulnerable, without adequate protection or enforcement when breaches occur.

Data Privacy Law in the Health Sector

Perhaps one of the best examples of the problem with federal data privacy laws is the health sector. HIPAA governs health privacy and security law.

It’s intended to protect PHI. It applies to “covered entities” that collect and use this information. This includes entities that just come into contact with medical information.

However, there are other privacy laws that regulate areas related to health. These aren’t consistent with the compliance required under HIPAA.

For example, student immunizations and school health records are regulated by the Family Educational Rights and Privacy Act. And this piece of legislation overlaps with some aspects of the Children’s Online Privacy Protection Act.

Data Privacy Law Enforcement

Who enforces data privacy laws in the US? Both state attorneys general and the Federal Trade Commission (FTC) have a role to play.

While state attorneys general play an important role, the FTC has historically taken the lead in this arena. Under the FTC Act, this governmental agency has the general power to enforce data privacy law. It has been given the power to prohibit unfair and deceptive trade practices.

The FTC’s jurisdiction is limited, however. It has little influence over insurance companies, nonprofits, banks, and internet service providers.

In addition, some companies are refusing to recognize the authority of the FTC. And without a comprehensive law to set standards for the collection and use of personal data, the FTC continues to face pushback regarding their policing of data security laws.

Are You Compliant?

There are no overarching data privacy laws in the US. The federal government regulates data privacy through a number of acts and agencies and many state governments have enacted their own data privacy laws. This has led to contradictory standards and compliance issues for companies regulated at both levels.

Under HIPAA, the medical sector is affected by these overlaps. For more information on HIPAA and staying compliant, check out our blog.

What is Penetration Testing?

You might’ve heard of the term penetration testing if you work in computers, software, or web design fields. But what is penetration testing? And why should you bother with it?

Cyber threats, unfortunately, are very real in this day and age, with 80% of businesses hacked. And it seems hackers come up with new ways to break into properties and programs as fast as we can create new safety measures.

Penetration testing is the process of testing out a computer system, program, application, or the like and looking for chinks in the armor. If we can catch the vulnerabilities early-on, there’s much less of a chance of being hacked.

In this article, we’ll go more into detail on what pen testing is, why it’s especially useful today, and how you can get started. Read on to educate yourself on how to protect your business from exploitation by hackers.

What is Penetration Testing, and How Does it Work?

As we stated before, the purpose of penetration testing is to find out whether there are any weak spots in your cybersecurity that hackers could leverage. It also clearly shows a company’s ability to recognize and combat security threats.

Pen testing can be done either with software tools or by probing the system manually. Your goal is to think like a hacker, researching what tools and methods they use as well as what vulnerabilities they look for.

Next, attempt to break into the system or program just as a hacker would from the outside. Your findings will help you create fixes and stop security breaches, and you should keep the reports on file.

Pen Testing Methods

If you’re still asking yourself exactly what is penetration testing, then this breakdown of the methods used should help clear things up.

When pen testing, there are a few strategies or methods employed that help to view your software as a hacker would, identifying any flaws. Here are some of the major ones:

Targeted Testing

In targeted testing, the test is openly viewed by a team working together to find vulnerability points. Usually, this is the job of the IT team who are more educated on access points and programming weak spots than the average employee.

The idea behind this is to let everyone on the team view the test themselves so that all their minds can come together to develop solutions.

Internal Testing

An internal test is one that is meant to imitate an attack by somebody who is already behind the perimeter firewall. This means an attack by an authorized user who has a password, login credentials, or some other access privilege.

The internal test will determine what kind of hacking or damage can be done by someone like an upset employee.

External Testing

As the name suggests (and as you probably guessed), external pen testing is the process of trying to hack into servers and programs from the outside.

This is accomplished by targeting externally visible systems such as email servers, web servers, domain name servers, and firewalls. External testing also helps to answer how far a hacker can get into your network once they’ve broken through the perimeter.

Blind Testing

This type of testing is where you get to really understand how a hacker works, since you’re basically hiring one. The blind test gives the hired tester little to go on, often no more than the company name.

From there, the person or the team who is conducting the test tries to simulate a hack as thoroughly as they can, hacking as far into the system as they can get.

Double-Blind Testing

Double-blind testing is like blind-testing except on the next level: usually, only one or two people in the whole company know it’s going on.

This is a great way to gauge security features across the company, testing reaction time and response. Sound cruel? It’s one of the most efficient ways of testing the true, active response procedures against hackers.

What You’re Saving Yourself From

What is penetration testing good for?

Once a hacker has broken through your security measures, they can cause true tragedy for your company, even with just a few minutes to poke around.

Your company information is obviously something that can be compromised. This could be information on your employees, sensitive reports or documentation, private correspondence (just ask Hillary Clinton), and so much more.

Turning Off Customers

As crazy as this sounds, a hacker can also affect your Google ranking, which can affect sales and awareness.

Your marketing campaigns can get hijacked or malicious code may get left behind, signaling to Google that your website isn’t safe for others.

There’s also a nasty little thing hackers do called Cross-Site Scripting, which lets them inject script into your pages and redirect your visitors anywhere. Imagine a returning customer wants to buy more products, but they get redirected to a spammy or explicit website.

They’re not likely to keep coming back to shop.

And beyond that, a hacker who gets behind your firewall can also have access to your user or customer information. And that will lead to a world of trouble for the future of your business, making it difficult to earn back trust.

Maybe you’re thinking that’s not a problem for you since you’re only a small business with a small circle of clients. But don’t be so sure. Smaller businesses tend to be easier to hack because of more lenient security measures.

In fact, in a New York Times article, the Enterprise Leader of Cyber-Insurance at Travelers told readers that 60% of online attacks in 2014 targeted small to mid-size businesses.

Where to Start

You don’t have to ask yourself what penetration testing is good for anymore, and you don’t have to scratch your head over the procedures.

Start by talking with your IT team and research with them the proper methods to set up a penetration test. Reflect on the various strategies and which one you’ll need to use (typically, more than one).

And if you’re looking for other informative resources on protecting your company and staying compliant, you’re already in the right place! Check out other insightful articles at the HIPAA Security Suite blog!

How to Change the Privacy Measures of Your Web Browser Settings

The year 2017 saw a healthcare data breach every single day, totaling more than 470 breaches by the end of the year.

Yet, despite these attacks, studies found that just 29 percent of health systems in the U.S. have effective cybersecurity measures in place to protect patient information.

Think that taking measures to safely store patient files and other sensitive information is enough? Think again.

Most medical offices know to warn employees against opening suspicious emails or attachments. But many don’t realize that everyday web surfing could be putting your company’s sensitive files at risk.

While anti-spyware and antivirus protection is important, there are other simple ways you can help keep your patients’ records secure.

One way is through choosing the right web browser settings. Keep reading to learn more about changing your web browser settings to increase online privacy and security today.

Disable Cookies

Cookies track your actions on the web.

The name comes from “magic cookies,” packets of data that a computer receives and later sends back without any alterations.

You likely take advantage of helpful cookies every day. They keep you signed in to sites, offer up search suggestions, let you save payment or shipping information, and more.

Other cookies are far less useful. Some could even be harmful if allowed to operate on computers in medical offices where sensitive data is stored.

Types of Cookies

“Session cookies” are one form of cookies that are often harmless.

These cookies only store information while you remain on a website. This might include a website that keeps track of items you’ve looked at or added to your cart.

The website might then use these cookies to let you check out with multiple items at once. Or it may use them to remind you of an item you looked at, to try to convince you that you really do want to buy it.

Session cookies are deleted after a person leaves that website, or a short while after when the saved information is no longer needed. This renders session cookies largely harmless.

Another type of cookie is the “tracking cookie.”

These cookies form long-term records of a web surfer’s visits to a certain website.

Many advertisers use these cookies to track your browsing history so that they can better target your interests. When you’re using the web in your medical office, being bombarded by targeted ads that might have your employees clicking and following links they shouldn’t is a bad thing.

What to do About Cookies

To keep your employees from being tracked and redirected, it’s a good idea to turn off cookies on any and all web browsers used in your practice or office.

To do this, you’ll need to open each browser’s privacy or history settings and turn off the option that allows cookies.

A quick Google search will give you specific directions for turning off cookies on different browsers.

Clear Browsing History Regularly

Maybe you’re looking to track the websites your employees are visiting. If not, clearing your web browser history can be another great way to increase your web security.

If someone without authorization accesses your computers, a cleared browsing history is important. This can help keep them from accessing websites employees have visited. This adds another barrier between criminals and sensitive data.

There isn’t a setting to automatically clear web browsing history. So you’ll need to instruct employees to regularly clear their own web browsing history if you want to put this web security tip to use.

Use a Private Browsing Screen

Many medical employees regularly need to access websites where they log in to see sensitive patient information. If this is the case, even the above security measures might not be enough protection.

Don’t want to have to worry about disabling cookies or clearing browsing history? You can instead use your browser’s private browsing window.

A private browsing window keeps websites from storing information on your computer. It also prevents the browser itself from recording which websites you visit.

Block Certain Websites

Hackers and other web criminals are getting smarter about disguising their operations. This makes it harder for the average web user to spot suspicious activity while surfing the web.

To keep your employees from having to make their own decisions about what is safe and what isn’t, it’s better to simply make sure that they can’t access certain websites.

It only takes seconds for malware and other web threats to access your systems and steal sensitive information. Blocking potentially harmful websites is an important step in preventing this.

Turn Off Location Services

If your office utilizes or issues tablets, smartphones, or laptops, another web browser setting you need to think about is location services.

Location services on your browser and from specific websites track where you and your mobile device go.

Search engines use this information to suggest local businesses when you run a search.

Websites may use this to let you know which of their locations are closest to you, or to suggest services or products that they think are more relevant to someone in your area.

While this information may seem innocent enough, it allows any website to track where your employees and your office devices are at any time.

Access your browser location settings to turn off location services and help protect your employees and your important files from harm.

Choosing the Right Web Browser Settings

Choosing the right web browser settings is a quick and simple way to increase your office’s web security. Just a few changes can make a big difference in protecting any sensitive or private information stored or accessed by your employees.

Not sure how far HIPAA laws require you to take your web security? Wondering whether your office is doing enough or if additional measures need to be taken to ensure compliance?

Click here to learn more about HIPAA guidelines and laws for medical offices.

Serious Security: How to Prevent Data Breaches in the Workplace


Did you know that more than 3 billion Yahoo accounts were hacked back in 2016, resulting in one of the largest data breaches worldwide?

Moreover, studies show that approximately 60 million Americans are affected by identity theft each year. Since we all live in a broad and sophisticated digital world, it’s only natural to try to learn how to prevent data breaches at home and the workplace.

Luckily, data breach prevention can be done in numerous ways. Installing an antivirus program is the first line of defense, but you can do much more than that. If you own a business, it’s imperative that you protect the sensitive data of your clients.

Here are a few data breach prevention techniques you should know about in 2019.

How To Prevent Data Breaches In the Workplace – A Complete Guide

Data breaches can cause massive financial problems for companies of all sizes. On top of that, a serious massive breach can also ruin the image of a business, making it unable to attract more clients in the future. Here’s how you can prevent that at your workplace.

1. Don’t Use the Same Password for All Accounts

Most employees have multiple accounts for various applications and programs. They might even have multiple email addresses from various providers. After a while, it seems logical to use the same password for multiple accounts, so that you don’t forget it.

However, this is a recipe for disaster because cybercriminals can quickly take advantage of that. Once they have discovered the password, they can use it to hack into all your accounts and cause a massive data breach. To prevent that, make sure that you and your employees use different passwords for different accounts.

If it becomes harder to remember these passwords, use special programs to keep track of them. Some programs offer encryption features and they can keep all your passwords safe. Do not try to write passwords on a piece of paper because this can easily get stolen by a malevolent person.

2. Don’t Leave Computers Unattended

It’s customary for employees to leave computers unattended when they go for their lunch break or leave the office for whatever reason. This is not a good thing because someone can quickly have access to sensitive data in a matter of seconds. Cybercriminals can steal massive amounts of data onto a hard drive and the security of the business is compromised.

That’s why you should instruct workers to lock their computers when they get away from their desk. At the end of the workday, it would also be a good idea to lock laptops containing sensitive information in a drawer or cabinet. This prevents digital theft in the workplace and gives you more peace of mind.

3. Don’t Forget Private Documents in Meeting Rooms

Conference rooms provide a great place for business discussions and making important decisions within a company. However, they can also provide an opportunity for malevolent people to steal sensitive data written on papers. That’s why you should be very careful when leaving the conference room and make sure that you didn’t forget any important document on the desk.

There are special machines called paper shredders out there. They are designed specifically to cut sheets of paper into a thousand pieces, so no sensitive data can be retrieved by someone else. After leaving the conference room, you can put some of the documents containing vital information in the paper shredders. By doing so, you know for sure that no one will ever steal vital information from documents.

4. Be Careful When Downloading Apps on Corporate Devices

Malware and digital theft extend beyond computers and laptops these days. Digital thieves have become very smart and they can insert viruses into mobile applications too. By downloading a single app from an unauthorized source, you risk getting a nasty virus into your corporate smartphone or tablet which can quickly steal contact lists, financial information, and more.

That’s why you should install antivirus programs on corporate devices such as smartphones and tablets as well. Moreover, make sure that no employee can download arbitrary apps from the internet, because some of these apps contain viruses. If you need to download mobile apps, do it only from authorized sources and always scan the app with an antivirus program.

5. Be Mindful of Links and Attachments in Emails

You probably already knew that you should be careful with emails as they can contain a wide variety of viruses, adware, malware, and other pieces of code designed to cause a data breach. However, cybercriminals have devised complex strategies to fool people and make them believe they are in contact with a legitimate business or person.

For example, some hackers create entire web pages which look identical to the ones you probably use frequently such as the Gmail login page, Facebook login page, etc. Then they insert links to make you type your sensitive data in an attempt to log in to these websites. Your data is then sent as a text file directly to the hacker. This is called phishing and it’s very dangerous.

One way to prevent that is to check whether login pages have a security certificate (SSL). If the padlock icon is not present, you should leave the site immediately. Also, keep in mind that legitimate organizations will usually refer to you by your real name at the beginning of an email. They will say something like “Dear John Doe”, while hackers might begin with something like “Dear customer”.

Take Your Computer Security to the Next Level

Now you know how to prevent data breaches in the workplace and protect the sensitive data of your employees and clients. These are just a few methods, but there are plenty of others, so make sure that you explore this subject thoroughly.

The best thing you can do right now is to learn more about cybersecurity. For example, check out our article on phishing to understand how malevolent people on the internet can create elaborate strategies to steal your financial or personal information.

10 Tips to Protect Your Company Website From Hackers

Every business has to have measures in place to prevent hacking. This is especially true in the healthcare industry. You have to abide by HIPAA regulations and keep your patients’ data safe and secure.

Healthcare is a particular target for hackers, because practices hold sensitive data. The number of IT and hacking incidents in healthcare has continued to increase year over year.

Any data security breach can do long-term damage to your practice and cost your practice time, productivity, and patient trust.

How can you protect your website from hackers? Read on to find out.

1. Know the Latest Threats

In order to know how to best protect your practice, you have to know what you’re protecting yourself against. Hackers are creative, and they come up with new ways to hack websites and steal data often.

For example, one of the latest scams involves an email that targets website owners stating that they’ll send a series of emails meant to upset people and give your practice negative reviews unless you click a link and send Bitcoin as an extortion payment.

Don’t do it! It’s just a spam message that should be deleted. Emails similar to this are sent all of the time to unsuspecting people, hoping that you’ll click on a link or pay a ransom.

Whenever you see emails like this, you can ignore them. If you’re not sure, ask a security expert.

2. Keep Software Up to Date

About a third of websites online use WordPress as their content management system. WordPress is also a major target of hackers. One of the biggest reasons why hackers love to target WordPress sites is because site owners run outdated software on the sites.

Whenever a new version of software comes out, whether that’s a WordPress update or plugin update, it usually includes a security fix or two. Once those security updates are released, you want to make sure that your site is updated to the latest version. 

3. Change Your Password Often

Another way to prevent hacking is to make sure you have a strong password that you change often. A password that’s easy for you to remember may be even easier for hackers to crack.

One of the most obvious passwords is 123456, which is still commonly used. The second most commonly used password is password.

When you have a password this easy, you’re making it much easier to gain access to your site. Use a strong password that you keep in a secure place.

It also helps to keep that password from circulating among staff. Instead of having everyone access your website on one account, give everyone who needs access their own account.

4. Train Your Staff on IT Security

Not only do you and your IT staff need to be up to date on the latest hacking scams, but your entire office does as well. Employees are responsible for more hacking incidents than anyone because they aren’t trained to discern scams from legitimate emails.

Your staff needs to undergo HIPAA training, and they should also undergo IT security training.

5. Use HTTPS

When you type in a website, you’ve probably noticed that more websites are using https:// instead of http://. That means that they’re using a Secure Sockets Layer (SSL, today implemented with TLS) certificate, which encrypts the connection between your site and your visitors’ browsers.

If you don’t currently use HTTPS for your website, strongly consider switching. It will help secure your website and your visitors, and Google recommends it, too.

6. Use Security Plugins

If you use WordPress to power your website, you’ll want to make sure that you have a strong security plugin installed. Two of the most popular plugins are Sucuri and WordFence.

7. Secure WiFi Networks

Many offices and hospitals offer WiFi to patients and others who may be waiting at the office. These WiFi connections are usually open to the public and unsecured.

That can put your website and your IT infrastructure at risk. You want to make sure that all WiFi networks, even those networks used by the public, are secured with a password.

8. Secure Website Directory

Hackers recently infiltrated the website of Blue Cross/Blue Shield of Idaho and attempted to reroute customer payments to the hackers, instead of to the insurance company. The hacker also had access to the medical records of some of its members through the member portal.

It’s unknown at this time how the hacker got into the insurer’s website. You want to add another layer of security to your website by preventing access to your site’s back-end file directory. This is often a place where hackers will try to gain access to your site.

9. Control File Uploads

As a healthcare provider, it’s commonplace to have patients upload documents such as a signature or HIPAA Privacy Forms to their account.

Hackers can abuse such an upload feature to place a file with an executable extension on your server. When that file is opened or executed, it can unleash an attack that can bring down your website.

In order to prevent this, the best way is to limit or discontinue file uploads altogether. If you can’t do that, then keep your uploads in a separate folder and run a script that can detect malicious code embedded in the files.
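One way to implement the upload controls described above in server-side code, as an added example that is not part of the original article: only PDF, PNG and JPEG documents are accepted, every extension segment is checked so that double extensions such as form.pdf.php are rejected, the declared type is verified against the file’s magic bytes, and accepted files are stored under a random name in a directory (the hypothetical UPLOAD_DIR) that the web server does not serve.

```python
"""Added example (not from the original article): a server-side check for
patient document uploads. Assumptions: uploads are limited to PDF, PNG and
JPEG, and the storage directory passed to save_upload() sits outside the web
server's document root so nothing stored there can ever be executed."""
import os
import secrets
from dataclasses import dataclass

# Allow-list of extensions and the magic bytes a genuine file of that type starts with.
ALLOWED_TYPES = {
    "pdf": (b"%PDF-",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
}

# Extensions a web server or user might execute if the file ever reached a served directory.
EXECUTABLE_EXTENSIONS = {"php", "phtml", "php5", "asp", "aspx", "jsp", "cgi", "pl",
                         "py", "sh", "exe", "bat", "cmd", "js", "htaccess"}

MAX_UPLOAD_BYTES = 10 * 1024 * 1024  # constructed limit: 10 MiB


@dataclass
class UploadResult:
    accepted: bool
    reason: str
    stored_name: str = ""


def check_upload(original_name: str, data: bytes) -> UploadResult:
    """Validate an upload; on success returns a random storage name with the verified extension."""
    if not data:
        return UploadResult(False, "empty file")
    if len(data) > MAX_UPLOAD_BYTES:
        return UploadResult(False, "file too large")

    # Strip any path components the client sent (../../ and friends) before inspecting the name.
    base = os.path.basename(original_name.replace("\\", "/")).strip()
    parts = base.lower().split(".")
    if len(parts) < 2 or not parts[0]:
        return UploadResult(False, "missing or hidden extension")

    # Reject double extensions such as form.pdf.php: every extension segment must be safe.
    for ext in parts[1:]:
        if ext in EXECUTABLE_EXTENSIONS:
            return UploadResult(False, f"executable extension '.{ext}' not permitted")
    ext = parts[-1]
    if ext not in ALLOWED_TYPES:
        return UploadResult(False, f"extension '.{ext}' not on allow-list")

    # The declared extension must match the file's actual magic bytes.
    if not any(data.startswith(magic) for magic in ALLOWED_TYPES[ext]):
        return UploadResult(False, f"content does not look like a .{ext} file")

    # Never reuse the client-supplied name: store under a random name we generate.
    return UploadResult(True, "ok", f"{secrets.token_hex(16)}.{ext}")


def save_upload(original_name: str, data: bytes, upload_dir: str) -> UploadResult:
    """Write an accepted upload into upload_dir (which must not be web-served)."""
    result = check_upload(original_name, data)
    if not result.accepted:
        return result
    os.makedirs(upload_dir, exist_ok=True)
    path = os.path.join(upload_dir, result.stored_name)
    # O_EXCL refuses to overwrite; mode 0o600 lets only the service account read the document.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return result


if __name__ == "__main__":
    # Constructed sample inputs: a valid form, a double-extension upload, a PHP file named as an image.
    print(check_upload("privacy-form.pdf", b"%PDF-1.4 constructed"))
    print(check_upload("privacy-form.pdf.php", b"%PDF-1.4 constructed"))
    print(check_upload("signature.png", b"<?php echo 'not an image'; ?>"))
```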

10. Check Your Email Ports

Do you know how secure your email is? You already know that hackers will send emails hoping that you’ll click a link or pay money in Bitcoin.

Your email transmissions are another target that hackers will use to get into your systems. For example, if you use POP3 email, your port should be 110. Otherwise, you may not have a secure email system.

Knowing How to Prevent Hacking

Your medical practice is at risk of being attacked by hackers. Small medical practices and large hospitals alike have to make sure that their websites are protected. A down website or a data breach could be devastating in terms of public trust, productivity, and revenue.

By putting measures in place to prevent hacking from happening, you are protecting your practice and your patients.

If you want to make sure that your website and sensitive data is secure, contact us today.

7 Ways to Secure Your Network Infrastructure

The number of HIPAA violations has been rising over the last decade, and so have the penalties. In 2018, there were 11 violations and almost $30 million in penalties.

Your organization can’t afford to be one of these statistics. Not only will it reflect poorly on you, but it’ll also take a huge financial toll. Here are 7 ways to improve your infrastructure security to prevent data leaks and HIPAA violations.

1. Give Your Employees Regular Training

Your staff is the first line of defense when it comes to cyber attacks. Social engineering is on the rise. If your employees can’t recognize signs of an attempt, they can inadvertently give away key information.

This means having a digital security officer on staff is a must. They can train your workers to identify anything that’s awry with communications. They can also be the point of contact should anything suspicious arise.

In addition, digital security officers can periodically administer phishing tests. The results can tell them how well your employees understand cyber attacks, and how well they respond to a threat.

2. Practice Good Digital Hygiene

Having good practices in place is vital to your infrastructure security. Make sure your employees understand how to have good digital hygiene. Examples include using strong passwords, enabling two-factor authentication, and keeping personal information out of public reach, for example on social media.

The main reason why social engineering is so successful is that data is readily available on the internet. If you and your staff take the proper precautionary steps to restrict personal information found online, it’ll be harder for cybercriminals to construct convincing scams.

3. Keep Your Software Up-To-Date

Nowadays, it’s common sense to install basic antivirus software to protect against digital attacks. While the majority of devices have antivirus programs on them, they’re not necessarily running at their full potential.

How many times have you been working diligently on your computer, or giving a presentation, only to have an annoying popup telling you that an update for your antivirus is available? You dismiss that popup and then forget about it as you go about your busy day.

When you don’t update all of your software, this leaves you open to attacks from cybercriminals. They’re constantly trying to find vulnerabilities in your network, and these updates close those vulnerabilities.

Every moment that passes by without updating your software, this is another opportunity for scammers to seize. Don’t give them that chance and always install updates when you’re prompted.

4. Limit User Access Privileges

It may be simpler to give every employee access to every room and every file, but that increases the chances of your data being compromised. By having fewer people who have access to important documents, you’ll lower your risk dramatically.

Have your IT department implement something called “policy of least privilege” (POLP). With this policy, when employees log onto your network, they’re restricted to the least amount of information they need to access. For instance, an orderly won’t have the same access to files an attending would have.

5. Use Encryption

Encryption is the process of transforming messages or transferred data into a form that cannot be read without the key. This won’t prevent cybercriminals from potentially intercepting your messages. But it adds an extra layer of security by ensuring they can’t read anything they’ve intercepted.

With encryption, only those with the “key” can decode the contents of those messages. Encryption is easy to implement in your communications systems. So if you haven’t already, have your IT department enable encryption for things such as your email accounts.

6. Think About Physical Security

Much of infrastructure security emphasizes digital security, but you have to think about the physical side of things as well. As a medical practice, you get lots of foot traffic in and out of your location. While the majority are employees and patients, a few can potentially be scammers trying to gain access to your valuable data.

Implement physical ways to keep cybercriminals out of your network. This can include locking rooms, giving keycard access to only those who require it (instead of every employee) and locking physical files in cabinets with the keys allocated to the appropriate personnel.

Also, you should carefully log every visitor and have an employee escort every person, regardless of whether or not they’re a patient. Anyone on your premises who is left unsupervised has the potential to wander into rooms with sensitive data, especially if locks aren’t used.

7. Disable Unsecured Wi-Fi

On unsecured wi-fi, any information transferred on it can be intercepted. For example, all a scammer needs to do is be near your premises and plug in an antenna to grab that data.

Not only should you disable unsecured wi-fi networks, but if possible, you should create two separate networks. One network should be for your employees and one for guests and patients. That way, if anything malicious infects the guests and patients network, it won’t compromise any vital data you have on your employees’ network.

Infrastructure Security Is a Necessity

As technology advances, it’s inevitable that things become more and more interconnected. This is the future; while interconnectivity introduces vulnerabilities, there are ways to address them so growth isn’t hindered.

With proper infrastructure security, you can protect your medical practice or hospital from cyber attacks and prevent HIPAA violations from occurring. By investing in preventative rather than reactive measures, you can save yourself both time and money in the long run.

To ensure your medical practice or hospital is HIPAA compliant, please get in touch with us today.

How Today’s Environment is Reshaping the Medical Device Industry

Jeff Mongelli, Founder and CEO, Acentec

During a recent trip to the doctor’s office, other than the nurse using two fingers on my wrist and a watch to take my pulse, everything else was completely different. From booking my appointment online, to completing much of the usual paperwork from home, things have changed. For the first time, I was able to provide an actual medical history, since I was home where that information is. When I arrived at the office, I checked in on a tablet and was told the wait would be less than 5 minutes. Once the doctor entered the exam room, she had already reviewed a thorough and accurate medical history and began firing off questions about the sorts of things that happen during an active lifestyle. Although this was my first encounter with this provider, she seemed to know me like she’d been treating me for years. During the encounter, I was able to share with her the heart rate alerts I had received on my Apple Watch while essentially doing nothing. This type of information has been made available by the Internet of Things, or internet-connected devices, both wearable and otherwise. That’s the positive side of technology’s impact on healthcare.

It’s not just our physician encounters that have changed. Medical devices have also seen great change. Not only do our elderly have access to home health monitoring equipment, but virtually every medical device being manufactured is now either connected directly to an internal network or onto the World Wide Web. These technological advancements have allowed for the flow of data into software systems that analyze, alert, and share that information with providers throughout the care chain. The result is leading to better health outcomes and improved quality of life for many of us.

Sadly, it’s not all good news. The connectivity of all these devices has created a treasure trove of opportunities for cyber criminals. The possibility of someone being extorted for bitcoins under the threat of having their pacemaker shut off is not an unrealistic concern. In fact, a 2017 Ponemon Institute study found that 39% of medical device manufacturers reported attackers have taken control of their devices. Additionally, 38% of care delivery organizations said inappropriate therapy/treatment had been delivered to patients because of an insecure medical device. Imagine a hacker in Romania manipulating the medicine pump connected to your arm when you’re in the hospital – this is today’s reality.

What’s being done about it?

Truthfully, not enough. Rather than pile on the device manufacturers themselves, let’s consider 3 stakeholders and where each carries a share of the burden. First, it’s the device manufacturers whose brands are on the line, so one would think they’re doing all they can to strengthen their final products. That may not be the case. The Ponemon study goes on to state that most device manufacturers have yet to adopt more stringent software and device security protocols, resulting in production devices with vulnerable code. The urge to get to market as quickly as possible often supersedes adhering to the proper process of security and vulnerability testing.

Second, one must consider the security of the facilities that house these devices, namely hospitals, other care facilities, and even our own homes. From a hacker’s perspective, medical devices are simply another node on a network, much like a computer or a printer. That means they’re as vulnerable as any other networked device. If medical devices are not being routinely patched and updated, whether manually or automatically, then they’re vulnerable to new threats and exploits.

Finally, the third culprit in our trio is the facilities that refuse to update their devices. Believe it or not, there are still medical devices in use today that are running Microsoft Windows XP as their operating system. This OS became unsupported in April of 2014, which means that for the past 4-plus years, any new Microsoft-based attacks would find an open door to those devices. Again, to be fair, a significant reason these devices haven’t been upgraded is that the cost to small and rural facilities is prohibitive. Many of these smaller organizations, like solo providers, are struggling to stay above water in our new healthcare environment. The thought of spending $200,000 or more on a new X-Ray machine, for example, is beyond their reach and reason. This particular issue doesn’t have a simple fix.

What was left off the list?

Many industry insiders grew accustomed to blaming the bureaucratic morass as their reason for not developing and pushing out updates to their devices. However, as far back as 2005 the FDA began making allowances for security related patches and updates and this year again issued an update to this policy with the intent to streamline the process. Frankly, we can’t accuse the FDA of standing in the way on this issue.

We also omitted the fact that few IoT devices communicate their data over encrypted channels. This includes medical devices. Citing the Ponemon study, only a third of device makers built encryption into their devices and few healthcare facilities were deploying it on their own IoT devices. While the percentages have likely improved since the study was published, those devices, and the thousands produced before them, are still in use and will be in use for years to come. Lack of encryption of data in transit and data at rest violates a HIPAA recommendation and can be a source of fines from the Office for Civil Rights (OCR), so it should be implemented wherever possible.

What needs to change?

Due to these increased vulnerabilities, a paradigm shift is required and it’s as significant as the technological advancements that led to them. The traditional way of contracting with a software development team to add the soft layer on top of a device is no longer valid. Gone are the days when an offshore software team can be hired, given a functional specification, and then be released once the project is completed. Now, medical device manufacturers need to bring software development in house and incorporate it into the design cycle as early as possible. Likewise, the firmware team needs to stay intact post development and work closely with the software team to coordinate patches and updates on an ongoing basis. Needless to say, these teams aren’t cheap, nor is this talent easy to come by. As a result, it’s going to take some time for medical device manufacturers to get the right teams in place and to adjust their business models to account for the increased overhead they present.

Like all things cybersecurity related, the manufacturers can do everything right, but a secure environment is as much dependent on the training of the workforce as on the hardware itself. Even today, despite the security holes that exist in the bulk of the currently deployed medical devices, the greatest source of breaches originates at the user level.

Ultimately, the costs of this shift will be borne by the consumers through increased costs of care. We can hope that more vigilant cybersecurity efforts will leverage down the risks involved, but unfortunately this new business model is here to stay.

About the Author:

Jeff Mongelli built and sold his finance company 17 years ago to GE Capital to enter the healthcare industry. As the Founder and CEO, Jeff built Acentec, Inc. into a national leader in improving the clinical and financial performance of healthcare organizations. He understands that achieving the promise of improved healthcare through aggregated data requires dedicated commitment to the protection and privacy of that information. Jeff is considered an industry expert in IT Technology & Security, HIPAA compliance, and is actively involved in the field of artificial intelligence. He is frequently quoted in the industry’s publications and is a featured speaker at national trade shows and Medical Association meetings. He’s a member of the FBI’s Infragard program and a collaborator in their Healthcare CyberSecurity Workgroup and also a member of Homeland Security’s Information Network.