Is it time for your Annual HIPAA Risk Assessment?
HIPAA, in short: HIPAA is the acronym for the Health Insurance Portability and Accountability Act, passed by Congress in 1996. Among other things, it reduces health care fraud and abuse and mandates industry-wide standards for health care information in electronic billing and other processes.
Recently, we received a question from a physician's office: "I already had a consultant come in last year and do a HIPAA risk assessment. I am now compliant. Why do I need to schedule another HIPAA risk assessment this year?" A HIPAA Risk Assessment is not just a mandatory compliance requirement; it is something that needs to be done to keep patient data safe and secure on an ongoing basis and to identify potential issues. Things change, things happen, and you need to monitor your security on an ongoing basis. If you suffer a breach, the agency that conducts the audit is likely to ask for your most recent HIPAA Risk Analysis or Risk Assessment. If it is too far in the past, you might be considered negligent. If you participate in the MACRA/MIPS incentive program, you need to attest annually to the Centers for Medicare & Medicaid Services (CMS) that you have conducted the annual HIPAA Security Risk Analysis. These are some of the reasons why a HIPAA Risk Assessment is not a one-time practice. Risk Assessments should be reviewed annually at a minimum, and again whenever new work methods are adopted or new technology is introduced.
Top 5 actions you can take to prepare for your next HIPAA Compliance review or risk assessment:
Identify where your PHI is stored:
On your Computer?
In your office?
Within your network storage?
On the cloud?
How to Safeguard your PHI?
What are compensating controls?
Compensating controls or alternative controls are put in place to satisfy the requirement for a security measure that is impractical to implement at the present time.
Examples of compensating controls:
When a medical office has paper charts filed on open shelves in a storage room or behind the reception desk, it is recommended to lock the charts away at the end of the day. Often it is not practical to put locks on all the open shelves used to file charts. A compensating security measure is to install cameras covering the chart storage areas to monitor and record all activity. It is important that you also have a process in place to review the video recordings periodically; a camera nobody watches does not compensate for anything.
If an ultrasound technician uses CDs, tapes and disks to store images, or uses a USB hard drive to transfer images to PCs and the EHR, then these devices have to be encrypted. Often the technician is not sure whether the thumb drives are encrypted. A compensating control here would be to lock the CDs and flash drives in a cabinet when not in use and to keep an inventory of that media, so you know what is stored where. Treat it as an interim measure until the media is confirmed encrypted or replaced.
The Health Insurance Portability and Accountability Act (HIPAA) is primarily concerned with the privacy and security of patients' Protected Health Information (PHI). Covered entities and their business associates, that is, all organizations that handle PHI on a regular basis, are subject to the Act. Has it been more than one year since your last HIPAA Risk Assessment? Or have you never had a HIPAA Risk Assessment done before? Either way, be sure to schedule your 2018 HIPAA Risk Assessment and 2018 HIPAA Training right away; don't wait until it's too late.
PCS World Network has been providing IT services to the medical industry for over 15 years. A Managed Solution Provider You Can Trust. We can help you solve many of your concerns.
PCS World Network, Inc.
P.O. Box 152249
San Diego, CA 92195
Off: (619) 272-7593
Fax: (619) 272-7592
By Parita Patel, 24By7Security
5 Data Security Threats Facing Companies Today
With all the threats to data security in today's IT landscape, viruses, once the bane of an IT administrator's existence, are the least of their worries. Here's a look at some of the concerns companies face when trying to secure data in a Web 2.0 world.
Targeted cyber attacks
Cyber attacks are no longer the creation of bored teenage hackers looking for bragging rights. With global organized crime syndicates behind cyber attacks, the nature of how they attack networks is changing, says a recent report by Forrester Research. No need for hackers to gather as much information as possible in one go; targeted attacks can now extract data over a longer period of time.
Insider threats
From intentional leaks from disgruntled employees to blunders involving misplaced laptops, data is escaping from inside organizations. The 2010 Verizon Data Breach Investigations report released in July found that almost 50 percent of data breaches were inside jobs. Companies need to be more vigilant about who has access to information, especially when it comes to corporate networks outside the firewall. The U.S. military is so concerned about insider threats to security that the Department of Defense is working on an algorithm to figure out when trusted insiders may be on the brink of psychologically turning on an organization.
Cloud computing
Cloud computing opens up a new set of data-security concerns, mainly because it means companies must relinquish control of security to an outside party. While cloud computing providers are doing everything they can to build secure data centers, the way data is stored in the cloud - in shared environments alongside other customer data - is different from how a company might store it themselves and poses security concerns.
Social networking
Corporate employees aren't just wasting time on social networking sites like Facebook and Twitter - they're inadvertently leaking company data. Aside from the vulnerabilities in these online applications that seep into corporate networks, people are often posting private information. Third-party applications that employees can access through Facebook - which are often developed by individuals or very small companies - may also pose security threats unknown to corporate IT administrators.
Mobile devices
Smartphones are ubiquitous in today's workplace. While companies have some control over protecting devices they configure, many employees use personal smartphones to download and access corporate information, giving IT administrators little to no control over their security. Because it's so difficult to implement platform-specific security given the range of devices being used, the paradigm is shifting from device-specific solutions to security being built into the network.
Let PCS World Network's Team Give You A FREE Consultation Today!
Carlton Stephen Walters
Stephen Walters, President & CEO of PCS World Network, Incorporated, a premier provider of computer and Internet based solutions.
Protecting Against Spam and Phishing Attacks
With a Layered Approach to Email Security
What is email phishing and why should you be concerned:
While these security mechanisms are known to many security professionals and executives, it is critical that you establish basic policies, procedures, user guidelines and protection systems to safeguard your personal and company data from phishing fraudsters. With a layered approach to spam and phishing prevention, security teams can ensure that their employees and partners stay off the hook.
Email phishing is the attempt to obtain sensitive information such as usernames, passwords and credit card details (and money), often for malicious reasons, by disguising as a trustworthy entity or piece of content in an electronic communication (email). See https://en.wikipedia.org/wiki/Phishing
There are other types of phishing, i.e. spear phishing, clone phishing, whaling, link manipulation, website forgery, covert redirects and many others, all with the intent to steal something from you!
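Two of the tricks listed above, a mismatched reply address and link manipulation (anchor text that shows one domain while the href points somewhere else), can be checked mechanically before a user ever sees the message. The following is an added example written for this page, not code from PCS World Network or from any product named here. It uses only the Python standard library; the two sample messages are constructed, and the "registrable domain" helper is a deliberate simplification (last two labels, no public-suffix list), which is an assumption to note before using it on real mail.

```python
"""Flag two classic phishing indicators in a raw email message:
header domain mismatches (Reply-To / Return-Path vs From) and link
manipulation (anchor text showing one domain, href pointing to another).
Standard library only."""
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
import re
from urllib.parse import urlparse

# Anchor text that looks like a URL or bare domain, e.g. "https://www.example-bank.com/login"
URL_TEXT_RE = re.compile(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", re.IGNORECASE)


def registrable(host):
    """Approximate the registrable domain as the last two labels.
    Assumption: no public-suffix list, so 'shop.example.co.uk' reduces to 'co.uk'."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def header_domain(value):
    """Domain of the first address in a header value, or '' if the header is absent."""
    addr = parseaddr(str(value or ""))[1]
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def phishing_indicators(raw_message):
    """Return a list of human-readable findings; an empty list means nothing fired."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    from_dom = header_domain(msg["From"])
    # Replies or bounces routed to a different domain than the visible sender
    for hdr in ("Reply-To", "Return-Path"):
        dom = header_domain(msg[hdr])
        if dom and registrable(dom) != registrable(from_dom):
            findings.append(f"{hdr} domain {dom} does not match From domain {from_dom}")
    # Link manipulation: the text the user reads vs the host the browser will open
    html_part = msg.get_body(preferencelist=("html",))
    if html_part is not None:
        collector = LinkCollector()
        collector.feed(html_part.get_content())
        for href, text in collector.links:
            real_host = urlparse(href).hostname or ""
            shown = URL_TEXT_RE.match(text)
            if shown and registrable(shown.group(1)) != registrable(real_host):
                findings.append(f"link text shows {shown.group(1)} but points to {real_host}")
    return findings


# Constructed sample: a lure spoofing a bank, with a foreign Reply-To and a deceptive link.
PHISHING_SAMPLE = "\n".join([
    "From: Example Bank <alerts@example-bank.com>",
    "Reply-To: support@mail-verify.example.net",
    "To: alice@example.org",
    "Subject: Action required: verify your account",
    "MIME-Version: 1.0",
    "Content-Type: text/html; charset=utf-8",
    "",
    "<html><body><p>Please verify your account:</p>",
    '<a href="http://login.example-bank.com.attacker.example/verify">https://www.example-bank.com/login</a>',
    '<p>Need help? <a href="https://www.example-bank.com/help">Visit our help center</a></p>',
    "</body></html>",
])

# Constructed sample of a legitimate notification: consistent headers and honest links.
CLEAN_SAMPLE = "\n".join([
    "From: Example Bank <alerts@example-bank.com>",
    "Reply-To: support@example-bank.com",
    "To: alice@example.org",
    "Subject: Your monthly statement is ready",
    "MIME-Version: 1.0",
    "Content-Type: text/html; charset=utf-8",
    "",
    '<html><body><a href="https://www.example-bank.com/statements">www.example-bank.com/statements</a></body></html>',
])

if __name__ == "__main__":
    for name, sample in (("phishing", PHISHING_SAMPLE), ("clean", CLEAN_SAMPLE)):
        print(name, phishing_indicators(sample) or ["no indicators"])
```

The check is intentionally narrow: it says nothing about attachments, look-alike characters in the domain itself, or a Reply-To on the same domain as a compromised sender, so treat a clean result as "no obvious indicator" rather than "safe". On a real gateway this kind of rule sits behind the reputation and content filters described in the layers that follow, not in place of them.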
How to protect yourself
Layered schemes are used in most information security strategies, and it is essential to take a similar approach to protecting the organization from unwanted email. In fact, spam and phishing are some of the biggest problems IT security managers face today. According to a LinkedIn survey of security professionals, phishing attacks are a top concern for 37 percent of respondents, ahead of insider threats (33 percent) and malware (32 percent).
To protect corporate data from spam and phishing attacks, companies need basic, layered protection for their email services, whether hosted locally or in the cloud. Let's take a closer look at this approach to illustrate how each layer complements the organization's overall data protection strategy.
Information management and spam statistics
This protection layer can be either the initial or the final step, depending on how you look at it. To start, generate data about the quantities of email classified as spam. From this data you can extract statistics that make the business case for investing in, or improving the process around, your current antispam protection.
However, spam control through information management could also be the sixth and final layer of protection, because it generates the statistics needed to determine how many attacks were stopped by each of the other layers and thus validates the effectiveness of the layered strategy.
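The statistics this layer depends on come out of the mail logs you already have. The example below is added for this page (it is not code from PCS World Network or from Postfix or SpamAssassin): it tallies, from Postfix smtpd reject lines and SpamAssassin spamd verdict lines, how many messages the perimeter blocklist stopped, how many the content filter caught, and how many were delivered clean, and it lists spam verdicts that only just crossed the threshold as candidates for quarantine review. The log line formats are the real Postfix and spamd syslog formats; the sample lines, hosts and addresses are constructed, and the `review_margin` parameter is an assumed tuning knob.

```python
"""Summarize how many messages each anti-spam layer stopped, from Postfix and
SpamAssassin (spamd) log lines. Standard library only."""
import re

# Postfix smtpd rejected the connection at the perimeter: client IP is on a DNS blocklist
RBL_RE = re.compile(r"postfix/smtpd\[\d+\]: NOQUEUE: reject: .*blocked using ([^;\s]+)")
# spamd verdict line: "identified spam (12.3/5.0)" or "clean message (0.5/5.0)"
SPAMD_RE = re.compile(r"spamd: (identified spam|clean message) \(([-\d.]+)/([-\d.]+)\)")


def summarize(log_lines, review_margin=2.0):
    """Count messages per layer and list content-filter scores that barely crossed the
    threshold (candidates for quarantine review as possible false positives)."""
    stats = {"perimeter_rbl": 0, "content_filter": 0, "clean": 0, "other": 0,
             "rbl_sources": {}, "review": []}
    for line in log_lines:
        m = RBL_RE.search(line)
        if m:
            stats["perimeter_rbl"] += 1
            stats["rbl_sources"][m.group(1)] = stats["rbl_sources"].get(m.group(1), 0) + 1
            continue
        m = SPAMD_RE.search(line)
        if m:
            verdict, score, threshold = m.group(1), float(m.group(2)), float(m.group(3))
            if verdict == "identified spam":
                stats["content_filter"] += 1
                if score - threshold < review_margin:
                    stats["review"].append(score)
            else:
                stats["clean"] += 1
            continue
        stats["other"] += 1  # queue manager, delivery and similar lines carry no verdict
    total = stats["perimeter_rbl"] + stats["content_filter"] + stats["clean"]
    blocked = stats["perimeter_rbl"] + stats["content_filter"]
    stats["total_messages"] = total
    stats["blocked_pct"] = round(100.0 * blocked / total, 1) if total else 0.0
    return stats


# Constructed sample in Postfix / spamd syslog format (hosts and addresses are fictitious).
SAMPLE_LOG = [
    "Mar  4 09:12:01 mx postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 554 5.7.1 Service unavailable; Client host [198.51.100.7] blocked using zen.spamhaus.org; from=<promo@spam.example> to=<alice@example.org> proto=ESMTP helo=<mail.spam.example>",
    "Mar  4 09:12:05 mx spamd[2345]: spamd: identified spam (12.3/5.0) for alice:1000 in 0.4 seconds, 2100 bytes.",
    "Mar  4 09:13:10 mx postfix/qmgr[1100]: 4A1B2C3D4E: from=<bob@example.net>, size=1520, nrcpt=1 (queue active)",
    "Mar  4 09:13:11 mx spamd[2345]: spamd: clean message (0.5/5.0) for alice:1000 in 0.3 seconds, 1520 bytes.",
    "Mar  4 09:20:42 mx postfix/smtpd[1236]: NOQUEUE: reject: RCPT from unknown[203.0.113.9]: 554 5.7.1 Service unavailable; Client host [203.0.113.9] blocked using zen.spamhaus.org; from=<x@bulk.example> to=<alice@example.org> proto=ESMTP helo=<bulk.example>",
    "Mar  4 09:31:07 mx postfix/smtpd[1240]: NOQUEUE: reject: RCPT from unknown[192.0.2.55]: 554 5.7.1 Service unavailable; Client host [192.0.2.55] blocked using bl.spamcop.net; from=<y@other.example> to=<alice@example.org> proto=ESMTP helo=<other.example>",
    "Mar  4 09:45:33 mx spamd[2345]: spamd: identified spam (6.1/5.0) for alice:1000 in 0.5 seconds, 3300 bytes.",
    "Mar  4 09:50:01 mx spamd[2345]: spamd: clean message (-1.2/5.0) for alice:1000 in 0.2 seconds, 900 bytes.",
]

if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for key in ("perimeter_rbl", "content_filter", "clean", "total_messages", "blocked_pct"):
        print(f"{key:>16}: {report[key]}")
    print("rbl sources:", report["rbl_sources"])
    print("review scores:", report["review"])
```

Run over a day or a week of logs, the per-layer counts are the evidence the business case needs (how much the blocklist stops before it costs you bandwidth and filtering time, how much reaches the content filter), and the "review" list is the work queue for whoever checks the quarantine for false positives.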
External threat intelligence
To begin with this layer, consider that many default antispam protection systems lack the latest threat detection technologies. Some platforms lack a continuously updated source of threat intelligence data or, worse, any intelligence generation service at all. Companies must turn to external services that, through detection systems, sensors and other information-gathering mechanisms, compile data on potential new attackers, existing threat actors and suspects. With this data, the providers of these services validate the traffic destined for your mail server before it reaches your network or users.
Perimeter spam detection
It is critical to validate that your perimeter protection systems have spam detection services. While most organizations use firewalls to provide perimeter protection for internal networks, many perimeter and internal systems also have spam detection capabilities. It is also important to confirm that, once activated, the services are correctly configured and equipped with a robust reporting system that lets you quickly identify emails classified as spam. Finally, configure a quarantine so that messages classified as spam are held rather than deleted, and false positives can be reviewed and released.
Mail server antispam
Confirming that your email systems have antispam services may seem very basic and simple, but they are often configured and implemented incorrectly. While many next-generation email platforms have local spam protection services, teams must check that these services are properly configured and pointing to up-to-date internal antispam servers.
If you do not have an internal antispam mail server, open source options such as RadicalSpam, SpamAssassin, MailScanner, OrangeAssassin and iRedMail can provide solid protection and threat data to block attackers. These too need feeds that deliver frequently updated and valid threat intelligence; a filter whose rules and blocklists are never refreshed degrades quickly.
Host-level protection
Each host should have a protection mechanism connected to the mail client. Like the centralized system on the server, this mechanism must be able to detect threats, spam emails and spear phishing attacks. These systems are usually part of corporate or personal antivirus products and plug into mail clients such as Outlook, Notes, Thunderbird and others.
User awareness and training
Users represent one of the most important layers of protection. All organizations should implement training programs and internal tests to gauge employees' overall security awareness.
At the training level, educate users about the types of attacks they might encounter, especially spear phishing attacks, that could compromise critical enterprise assets. It is also necessary to conduct frequent tests to measure users' susceptibility to phishing or spam campaigns. Most open source and commercial platforms have mechanisms for detecting these types of threats, but ensuring employees don't fall for these schemes is vital.
PCS World Network has the experienced staff and tools to help protect your systems.
Contact us Today for a FREE initial consultation!
For additional information about our services and custom plans contact us at:
PCS World Network - Business Continuity Analytics
"We Get Our Customers More Customers!”