Apgar & Associates blog feed: Privacy, information security, HIPAA, HITECH and regulatory compliance (https://apgarandassoc.com, feed dated Fri, 01 Nov 2019)

Are All Ransomware Attacks Breaches?
Published Thu, 24 Oct 2019 at https://apgarandassoc.com/are-all-ransomware-attacks-breaches/
It’s one of those questions that never goes away.  The answer is, “Maybe” and very definitely, “Not always.” Contrary to popular belief, even after ransomware attacks, the safe harbor still applies when it comes to breaches.  If your PHI data was encrypted prior to the ransomware attack that encrypted (aka “held for ransom”) it, you may very well not have suffered a breach. Which means that there may be no need to conduct a four-factor risk assessment.

If only it could be so simple. However, per OCR’s weigh-in, you do need to ascertain that the data attacked was encrypted at the time. If it was encrypted, it’s a security incident, but not a data breach. I’ll dig into that shortly.  Far too often I see posts and blogs that adamantly declare, “If a ransomware attack occurs, it must be a breach.”  Not so fast. It’s not so black and white.

OCR has stated that it’s a fact-based determination as to whether or not a breach occurred. If it is a breach, you do need to notify OCR, the affected individuals and, potentially, the media. If you run into a consultant (and sometimes counsel) who states that all ransomware attacks absolutely equal a breach, get a second opinion.

Data Encryption & the Burden of Proof

Here’s the flip side – when encrypted PHI may become unsecured, representing a breach due to a ransomware attack. Keep in mind that once you’ve powered up and logged in to your laptop or other mobile device, the data you’re accessing is unencrypted at that moment. When ransomware hits while those files are unencrypted, you may have a breach of unsecured PHI on your hands.

But – if you do use full disk encryption and your laptop was not turned on (which means its disk was still encrypted), or if no files were unencrypted at the time of the attack, the PHI was not compromised. No breach occurred.

Also, if the ransomware attack hits backup media that was encrypted at the time of the attack, there is a high likelihood that no PHI breach occurred. Triple-check to be sure, and be able to prove it if OCR comes to call. The burden of proof lies with you.

The burden of proof is greater under other circumstances, like when a ransomware attack occurs and the PHI is not encrypted. At that point, you absolutely need to conduct a four-factor risk assessment. It bears mentioning, though, that if you have top-talent forensic analysts who can prove that no PHI was siphoned off, you still may not be required to notify OCR or individuals, because the PHI was not compromised.

Clearly, it’s not a simple black and white, yes or no answer to the breach question. Be careful. Preserve all evidence. Look closely at the circumstances to make sure no breach occurred that requires notification. But if a consultant or counsel, going on the basis of a blog post, says that you absolutely must notify because ransomware attacks always equal a breach, don’t take my word for it. Just ask OCR.

Compliance Planning includes the “what to do” in the case of a security incident and data breach. Chris Apgar, CISSP and Julia Huddleston, CIPP, CIPM, work with clients nationwide on HIPAA privacy and security compliance, and address the need for assistance with expanded use of electronic health information exchange. They also prep clients for the rigorous process of HITRUST, SOC2 and ISO certifications.

Perimeter Security: It’s the Simple Things That’ll Get You
Published Tue, 08 Oct 2019 at https://apgarandassoc.com/perimeter-security-its-the-simple-things-thatll-get-you/
Are you sure your medical records aren’t accessible by outsiders? Maybe check your perimeter security. I’m not talking about fancy technical security gadgets, but the simple, obvious things like setting a password on your internet-facing applications.

Here’s why I ask. Did you hear about the 187 medical system servers not protected by passwords or necessary perimeter security measures? Thank the recent ProPublica investigation for that bombshell. An example: with just a simple data query, a MobilexUSA server exposed the names of more than a million patients! The investigation uncovered the release of names, birthdates, and in some cases, Social Security numbers.

Get back to the basics. Avoid the obvious errors like

  1. leaving default passwords on servers (ask the State of Utah about their massive breach),
  2. not setting passwords at all and other blatant mistakes.

You lose patient trust, and you lose money.  There are notification costs, harm to your reputation, not to mention significant OCR fines.  Another big expense? The regulators’ imposed corrective action plans (CAPs).

Let’s look at the password issue alone. Basic perimeter security doesn’t stop at changing default server passwords and setting your own. Take it up a notch. Make sure the passwords you set aren’t easy to guess. Get complex. For cybercriminals, it doesn’t take a lot of computing power to crack a simple password. Take it for granted that you need to set complex passwords on all of your devices.

Too often, it’s the simple things that get you. If simple mistakes are why your data is exposed to the internet, you’re setting your organization up for an OCR finding of willful neglect. That will definitely lead to civil penalties or monetary settlements. Remember, fancy technology isn’t your biggest risk; it’s people and easy mistakes with significant implications.

No doubt, limited resources are an issue for smaller healthcare organizations like small clinics and health information technology (HIT) startups.  On the other hand, the adverse impact of not attending to even simple things can put smaller organizations out of business.  If you’re a smaller organization, or just not sure where to start, try the Office of the National Coordinator for Health Information Technology (ONC). There are plenty of no-cost resources available, like the toolkit for providers. Tackling perimeter security can be overwhelming, which is why it’s essential to start small, with the basics.

Chris Apgar, CISSP, CEO and president of Apgar & Associates, LLC is a nationally known speaker and author. He most recently authored the McGraw-Hill Healthcare Information Technology Exam Guide chapter on the regulatory aspects of health IT. Chris is also a nationally recognized expert and educational instructor on information security, privacy, HIPAA, the HITECH Act, state privacy law, and electronic health information exchange.  

RFI Vulnerability Lesson: Beware of Who You (try to) Hack
Published Mon, 09 Sep 2019 at https://apgarandassoc.com/rfi-vulnerability-lesson-beware-of-who-you-try-to-hack/
Isn’t it rewarding when a fellow security professional posts about an attempted hack of his personal website that he turned into a lesson in website security? And in the end, hacked the hacker? That’s exactly what happened with Larry Cashdollar, a senior security response engineer at Akamai. Cashdollar noticed something peculiar in the logs on his personal website. He dug further and turned up signs of someone scanning for remote file inclusion (RFI) vulnerabilities.

Before diving into the details, if you’re not sure what an RFI vulnerability is, definitely ask your web development and website management team if they’re aware of this type of vulnerability.  And if they don’t know, they need to do some research to prevent hacking attacks on your websites.  You can satisfy your curiosity – and share with your web team – this link to more information about it.

On to the Hacking Attempt

Larry Cashdollar told The Register his site’s logs showed that a would-be attacker was probing for RFI holes to trick web applications into running a remote malicious script. The hacker was trying to load a file using a custom tool that Cashdollar had created (!).

The probe was a generic test used against websites: find an input the site accepts, supply a web address in it, and see whether the site executes what that address points to. Unfortunately for the attacker, Cashdollar used the tool’s logs to trace back to the file that the attacker was trying to load. Then Cashdollar assessed that and other files the hacker had ready to execute to take over vulnerable websites, and was able to extract the criminal’s email address and their preferred language – Portuguese.

What was the purpose of the RFI vulnerability probe? The attacker wanted to install phishing pages that masqueraded as a legitimate bank’s login webpage, and then direct victims to the hacker’s page to collect bank account credentials. This was a way around installing more sophisticated code to capture cryptocurrency. It was just a matter of redirecting someone to a malicious site, because the initial fake webpage looked legitimate.

3 Big Takeaways from the RFI Vulnerability Probe

Score one for the good guys! In this case the security professional caught and tracked down the attacker. Now we need to take it as an alert to professionals who are responsible for monitoring website security. From Cashdollar’s account of the incident, the big takeaways for website administrators are the importance of:

  1. Diligently monitoring the audit logs.
  2. Following a solid patching program for site management tools.
  3. Writing web code that cannot be exploited for RFI and other known vulnerabilities.

If your website developers and administrators don’t know and don’t watch, you may not be as lucky as Cashdollar.
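One way to put takeaway 1 into practice, as an added example that is not from the original post and is not Cashdollar’s own tooling: a Python script that scans web-server access logs (Apache/nginx “combined” format is assumed) for the probe signature the post describes, a request parameter whose value is a web address the site is being asked to fetch and run. The log lines and IP addresses below are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Apache/nginx "combined" access-log line. Assumed format, not from the post.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# An RFI probe supplies a remote location as the "file" to include.
REMOTE_SCHEME_RE = re.compile(r'^(?:https?|ftps?)://', re.IGNORECASE)


def remote_url_params(target):
    """Return (param, url) pairs whose value is a remote URL.

    parse_qs already percent-decodes once; decoding a second time catches
    double-encoded values such as %2568ttp... (-> %68ttp... -> http...).
    """
    query = urlsplit(target).query
    hits = []
    for name, values in parse_qs(query, keep_blank_values=True).items():
        for value in values:
            decoded = unquote(value)
            if REMOTE_SCHEME_RE.match(decoded):
                hits.append((name, decoded))
    return hits


def find_rfi_probes(lines):
    """Parse each log line and flag requests carrying a remote URL in a parameter.

    A legitimate parameter that holds a URL (e.g. a redirect target) will also
    be flagged, so treat the result as a triage list, not a verdict.
    """
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed or non-combined line: skip, do not crash
        for param, url in remote_url_params(m.group("target")):
            findings.append({
                "client": m.group("ip"),
                "time": m.group("ts"),
                "param": param,
                "remote_host": urlsplit(url).hostname,
                "status": int(m.group("status")),
            })
    return findings


def probing_clients(findings):
    """Count flagged requests per client address, to spot a scanner quickly."""
    counts = {}
    for f in findings:
        counts[f["client"]] = counts.get(f["client"], 0) + 1
    return counts


# Constructed sample log: one normal page view, three probes from one client
# (plain, percent-encoded, double-encoded), and one unrelated POST.
SAMPLE_LOG = [
    '198.51.100.7 - - [09/Sep/2019:10:01:02 +0000] "GET /index.php?page=about HTTP/1.1" 200 5120',
    '203.0.113.44 - - [09/Sep/2019:10:01:09 +0000] "GET /index.php?page=http://203.0.113.99/x.txt? HTTP/1.1" 200 812',
    '203.0.113.44 - - [09/Sep/2019:10:01:10 +0000] "GET /wp-content/plugins/foo/view.php?file=https%3A%2F%2F203.0.113.99%2Fx.txt HTTP/1.1" 404 221',
    '203.0.113.44 - - [09/Sep/2019:10:01:11 +0000] "GET /cgi-bin/tool.php?inc=%2568ttp%3A%2F%2F203.0.113.99%2Fx.txt HTTP/1.1" 500 0',
    '192.0.2.10 - - [09/Sep/2019:10:02:00 +0000] "POST /login HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    hits = find_rfi_probes(SAMPLE_LOG)
    for h in hits:
        print(f'{h["time"]} {h["client"]} param={h["param"]} '
              f'remote={h["remote_host"]} status={h["status"]}')
    print("requests per client:", probing_clients(hits))
```

A 200 status on a flagged request deserves the most attention: it means the application accepted the parameter, though only a code review shows whether it actually included the remote file.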

Chris Apgar, CISSP, CEO and president of Apgar & Associates, LLC is a nationally recognized expert and educational instructor on information security, privacy, HIPAA, the HITECH Act, state privacy law and electronic health information exchange.  A nationally known speaker and author, Chris authored the McGraw-Hill Healthcare Information Technology Exam Guide chapter on the regulatory aspects of health IT.

Business Associate or Conduit? Why a BAA likely applies to you.
Published Fri, 05 Jul 2019 at https://apgarandassoc.com/business-associate-or-conduit-why-a-baa-likely-applies-to-you/
Ever run into a vendor who claims to be a conduit versus a business associate (BA)? It happens all too often, in my experience. Here’s the problem: the conduit exception is a narrow one. If you’re storing PHI data, even encrypted PHI where you don’t have the encryption key, you’re a BA. Sign the Business Associates Agreement (BAA); it applies to you.

Not convinced? Let’s look at the preamble to the Omnibus Rule of 2013. HHS said, “The conduit exception is a narrow one and is intended to exclude only those entities providing mere courier services, such as the U.S. Postal Service or United Parcel Service and their electronic equivalents, such as internet service providers (ISPs) providing mere data transmission services. As we have stated in prior guidance, a conduit transports [information but does not access it, other than] on a random or infrequent basis. Thus, document storage companies maintaining protected health information on behalf of covered entities are considered business associates, regardless of whether they actually view the information they hold.”

With that HHS summary in mind, you can see it’s pretty difficult to market services and storage to the healthcare industry without a BAA and think you won’t run afoul of HIPAA. Yet even as recently as a few years ago, our privacy and information security firm would encounter storage vendors and document sharing vendors who would not sign a business associate agreement. Again, just because you can’t access the PHI doesn’t mean you’re not a business associate.

In OCR’s May 2019 guidance, you’ll find a list of BA liabilities. Those remind BAs of their compliance responsibilities in regard to HIPAA regulations. OCR’s reminder list also notes that BAs have a duty to execute a business associate agreement with their BA subcontractors. What isn’t mentioned, but is required, is that covered entities (CEs) and BAs must execute a BAA with each other. So if you’re not an internet service provider (ISP) or the US Postal Service (and the like), and you store PHI, you need to execute a BAA to be in compliance with HIPAA regulatory requirements.

I’ll end with a cautionary note about vendors convinced they aren’t a business associate. Covered Entities, if your vendor is unwilling to sign a BAA, yet they have access to your PHI, it’s probably a good idea to find another vendor. It may be that your vendor who stores paper charts or other PHI doesn’t realize that they’re a business associate. Or it could be that, in the case of a storage unit, the storage facility owners simply don’t know what’s being stored. But if PHI is involved, then you need to execute a business associate agreement.

Whether you’re a physician practice, a medical transcription service, or a TPA providing a health plan with claims processing services, you’re dealing with HIPAA compliance. Give us a call: 503-384-2538 for help to assure you’re on top of it.

The CCPA and the Iffy Territory of the “HIPAA exemption”
Published Thu, 02 May 2019 at https://apgarandassoc.com/the-ccpa-and-the-iffy-territory-of-the-hipaa-exemption/
A brief recap: The California Consumer Privacy Act (CCPA) aims to give California consumers greater control over their personal information by imposing certain obligations on entities covered by the law. The CCPA takes effect January 1, 2020. And as we said in an earlier blog article, you don’t have to be a California-based business to be affected.

The CCPA was amended in September 2018 to include an exemption for protected health information (“PHI”) collected by a covered entity or business associate subject to HIPAA (aka the “HIPAA exemption”). At the same time, the Act was amended to also exempt “Medical Information” already covered by the state’s Confidentiality of Medical Information Act (CMIA). Medical information as defined in the CMIA is identifiable information about a patient’s medical history or condition that is held by a healthcare provider, healthcare service plan, pharmaceutical company, or contractor. This is not your garden variety “contractor” that’s also a business associate under HIPAA. It’s a much narrower definition, essentially a health-related organization that is not a service plan or provider.

Before you celebrate being “HIPAA exempt…”

Where’s the problem?  Well – the CCPA regulates the types of personal information that are to be protected, and not the types of businesses to be regulated.  The CCPA defines personal information as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household”.  Examples of personal information provided in the text of the law include:

  • Internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding a consumer’s interaction with an Internet Web site, application, or advertisement.
  • Geolocation data.
  • Audio, electronic, visual, thermal, olfactory, or similar information.

On the other hand, to the extent that PHI is actually defined in HIPAA, it’s defined as “individually identifiable health information” that’s maintained or transmitted electronically or in any other form or medium. Individually identifiable health information (IIHI) is information that a covered entity creates or receives. IIHI relates to the past, present, or future physical or mental health or condition of an individual; treatment of the individual; or the past, present, or future payment for health care to an individual. IIHI also can be used to identify the individual.

Still wondering “what’s the issue?” Let’s say that you’re a large health system that collects information from people who access your web sites in order to gauge what those visitors use your website(s) to do. Or let’s say that you’re a business associate that provides services to a health plan – and its members – through a mobile app. In both of those cases, you’re collecting personal information as the CCPA defines it. And in both cases, you may be hard pressed to make the argument that the information you are collecting is PHI.

What can you do? What should you do?

  1. Pay attention to California’s General Assembly and Attorney General. The California General Assembly is considering a number of bills that make clarifying changes to CCPA text. To date, none of them address the issue identified above. The California Office of the Attorney General is engaged in a rule-making process, with an initial notice of proposed rule-making anticipated in Fall 2019.
  2. Start developing an inventory of personal information that you collect that isn’t protected health information.

Check in here for the next CCPA-related post, a more in-depth discussion of personal data and other unexpected challenges the regulation brings.

Talk to Julia Huddleston, CIPP, CIPM about your data privacy concerns, including regulations like the CCPA. You can reach Julia at 503-384-2538.

Should you trust Alexa with your health information?
Published Tue, 23 Apr 2019 at https://apgarandassoc.com/should-you-trust-alexa-with-your-health-information/
By now you’ve likely heard that Amazon is moving into the HIPAA space with Alexa. In conjunction with their partners, they’re launching what Amazon calls “HIPAA compliant” apps. If only it were that easy to create a HIPAA covered app, or as Amazon calls it, skill. As with Amazon Web Services (AWS), it’s ultimately up to the individual developers to honor the law. While Amazon may well be a trusted third party, if developers don’t build apps or “skills” with privacy, security and HIPAA compliance in mind, I wouldn’t trust Alexa with any of my healthcare data.

Having worked with a number of software development companies in the healthcare space, I can tell you that more often than not developers want to create cool and useful things. The problem with that is cool and useful don’t always automatically align with security and privacy needs. In fact, in the development process you won’t often find security and privacy at the top of the priority list.

Time, Trust & Alexa Users

Trust but verify, folks. If I were the covered entity or business associate planning to eventually trust the Amazon platform to adequately secure protected health information, I would want assurances and proof that the developers of any app/skill have privacy and security baked in.

Granted, Amazon has indicated that trust takes time to build, and that it will be a while before patients widely trust Alexa with sensitive health information. OK, let’s say we’re down the road a way. Trust has been earned. Now we face another potential issue that has nothing to do with the platform or any of its available apps/skills. The concern lies with the end users. End users are not always savvy when it comes to protecting sensitive personal information. I think this is where there’s a definite need for some education on the part of partners, Amazon and healthcare providers.

Right now, when Alexa is on, it listens to all voices in the room, all the time. How awful would it be if an end user thought he or she was taking advantage of touted HIPAA compliant solutions but instead was airing sensitive information using another Alexa app?  Hopefully Alexa will also be smart enough to not broadcast protected health information like “You need to follow up with your [insert-private-condition-here] specialist” to the whole house.

Alexa (Amazon), are you listening?

Who needs to comply with the CCPA? Hint: Not only California.
Published Wed, 27 Mar 2019 at https://apgarandassoc.com/who-needs-to-comply-with-the-ccpa-hint-not-only-california/
The first thing to realize about California Consumer Privacy Act (CCPA) compliance is that you don’t have to be a California-based business to be affected. As of 2018, California was the world’s 5th largest economy. You’re better off asking yourself what the chances are that you’re not subject to the CCPA. US-based or global, you have to consider the factors involved, all of which are more likely to make you subject to, rather than exempt from, the CCPA.

If you answer yes to any of these 3 questions, you’re probably subject to the CCPA – and its requirements for personal information protection.

  1. Do your business’s worldwide annual gross revenues meet or exceed $25 million?
  2. Do you annually touch the personal information of 50,000 or more California residents? Their households? Or their devices?
  3. Does half or more of your annual revenue come from selling the personal information of California residents?

Before you gleefully answer “No” to all three, here’s the catch. You need to understand the definitions applied to the qualifiers in the questions.

Start with the definition of personal information – guaranteed to blow your mind. If we include the full definition here, you’ll throw your hands up in disgust and not read any further. Essentially, it’s “any information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household or device.” That’s extremely broad.

Let’s move on to “touching” personal information. An Internet Protocol (IP) address can be considered personally identifiable information – yes, you read that correctly. That means that a visit to your company website, where IP information is automatically collected (think about your handy dandy Google Analytics always running in the background), counts. You’ve just touched personally identifiable information.

To get even more granular: Do you know which of your website visitors are considered California residents?

I know 50,000 annually sounds like a lot of website visitors. Especially if you don’t consider yourself to be enterprise-level. But it breaks down to only 137 visitors from California per day. Now wrap in the personal information definition. It includes households and devices. It’s pretty hard to have a website as a company of any size and not have that number of touches per year.

Then there’s “selling” the personal information. Many wouldn’t consider the everyday interactions with client and consumer data as selling. However, the definition of “selling” in the CCPA stretches all understanding. It can mean “selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration.”

How does a business comply with the CCPA? The very thought of what it will take overwhelms. As both a certified information privacy manager and professional who regularly attends regulatory seminars, I can tell you that every CCPA-related event is thick with corporate legal counsel – a fair number from those great big companies that we all know. We’re all impatient to understand how compliance can happen. Stay tuned as I share more insights and commentary on the CCPA in the weeks to come. Topics include: the “HIPAA Exemption”, the various interpretations of “selling” personal information, the “opt out” option, and more.

Julia Huddleston is a Certified Privacy Manager and a Certified Privacy Professional through the IAPP (International Association of Privacy Professionals). She’s deeply involved in privacy compliance activities with clients and how policies and procedures are implemented to protect data privacy. You can reach her at Apgar & Associates: 503-384-2538.

Resource(s): IAPP CCPA Comprehensive Seminar 2019

Consumers in the Regulatory Driver’s Seat: Protecting Personal Data Privacy
Published Tue, 12 Mar 2019 at https://apgarandassoc.com/consumers-in-the-regulatory-drivers-seat-protecting-personal-data-privacy/
Consumers on the warpath to protect personal data privacy are making strides in state houses. For instance, here’s an update on Oregon’s Senate Bill 703 re selling health information. If you use Big Data at all, you’ve probably been following this Bill. It’s basically saying that anyone selling personal health information, even if thoroughly de-identified, would need to pay the source of that information, i.e., you and me, for the privilege. As you may imagine, research groups and analysts who may touch any Oregonian’s de-identified PHI, not to mention privacy officers at the source of de-identified data, are watching this closely.

You can likely thank Facebook backlash for this Bill. Taking personal data and sharing it without user knowledge has caused huge problems for the social media giant. Now we’re hearing that they’re going to reel it all in, but how do you get the genie back in the bottle?  The trust is gone, and SB 703 is just one instance of how outraged consumers are at how data is being used.

From a compliance perspective, the information, aka personal data, is already de-identified PHI, so that’s not the basis for the Bill. It’s a clear call for personal data privacy protection beyond the pale of what we’ve seen up to now. You can also look at the yet-to-go-live California Consumer Privacy Act as another example of privacy protection taken to the Nth degree.

This isn’t to say that personal data privacy isn’t important, because it absolutely is; it’s merely to point out that the logistical reality of complying with either SB 703 or the CCPA is a nightmare we’ve yet to face. You can hardly blame people for playing ostrich when confronted with such a daunting task. You can also hardly blame people for pushing back on companies being able to use personal information for free.

We’ll be writing more on CCPA and its potential effect on business operations both outside and within the healthcare environment. In the meantime, should Oregon’s SB 703 move further down the path to fruition, we’ll weigh in on that, too.

Need specialized insight on these and other data privacy and information security regulations? Contact Apgar & Associates, LLC at 503-384-2538. Our in-the-trenches knowledge and professional consulting will help you and your workforce with compliance and critical certification preparation.

How can your Third Party Vendor help or hurt your SOC 2 status?
Published Tue, 19 Feb 2019 at https://apgarandassoc.com/how-can-your-third-party-vendor-help-or-hurt-your-soc-2-status/
Are you tracking the moving target of your third party vendors’ privacy and security practices? You may want to get on that. If you’re one of the many organizations about to tackle the SOC 2 assessment process, familiarize yourself with the AICPA’s 2017 Trust Services Criteria document (formerly the Trust Services Principles). You’ll quickly notice that the underlying theme is organizational risk management, and that vendor risk management figures prominently in it.

The updated criteria delve into the many joys of maintaining and assuring “commitment” and “competency.” Under the 2017 criteria (yes, practitioners still call them TSPs), “system and organization controls” expand to include cybersecurity risks, such as those that come with third party vendors.

In fact, nearly every mention of risk profile components includes vendors: their reliability, the need to assess the external threats they bring, the ongoing relationship. So how do you begin to manage the risk they bring to your organization?

Vet them at the outset as part of due diligence prior to contract. Well, of course, you say. Wait for it: vet again, and again, at timely intervals.

All too often, we see the opposite. When going through a proposal process, organizations may be all over the potential vendor partner with a microscope. Once the contract is complete, crickets. As long as the service is fairly smooth, vendor privacy and security audits are rare, if they happen at all.

However, an organization that’s considering any certification (HITRUST, ISO) or a successful SOC report won’t have that option. And increasingly, to be competitive, you need to make the extra effort to demonstrate your data privacy and information security competency. So what’s the plan?

Tips for Third Party Vendor Risk Management

  1. Vet vendors early and often. Because it bears repeating, make due diligence a repetitive activity. Regular re-assessment of your vendor’s privacy and security practices could be the action that saves your organization from an embarrassing and costly breach.
  2. Make them prove that they train their workforce on the issues you think are important. Isn’t your third party partner part of your operations? Don’t they affect your ability to conduct business successfully? Identify your most important training issues and push the vendor to include them in its own training. That speaks to assuring competency, by the way, one of the recurring themes of the criteria.
  3. Mitigate risks immediately. You’ll inevitably identify privacy and security risks during everyday business oversight. When they’re to do with a vendor, take action immediately. The more quickly you address any vulnerability, the less likely it can grow from a manageable security incident to a major security breach.

For those of you who are happy SOC 2 report achievers, keep up to par on those criteria. Remember, the AICPA is only one organization homing in on vendor risk management. Whether you’re going for a certification or simply trying to stay on top of regulatory requirements, the risk is real.

Are you considering a certification or readying for an assessment? Chris Apgar and Julia Huddleston have helped numerous clients prep for a successful assessment to achieve certification or a SOC 2 report. Call Apgar and Associates today to learn more: 503-384-2538.

 

Informational source: American Institute of Certified Public Accountants (AICPA), Assurance Services Executive Committee (ASEC). “Trust Services Criteria.” 2017. Available at https://www.aicpa.org/content/dam/aicpa/interestareas/frc/assuranceadvisoryservices/downloadabledocuments/trust-services-criteria.pdf

 

The post How can your Third Party Vendor help or hurt your SOC 2 status? appeared first on .

How to Harden Laptops, Tablets & Smartphones to Protect PHI https://apgarandassoc.com/how-to-harden-laptops-tablets-smartphones-to-protect-phi/ Wed, 06 Feb 2019 14:35:06 +0000
When your goal is to protect PHI on laptops and mobile devices, keep in mind that information security is only as strong as its weakest link. Lenient information security standards sharply increase the risk to sensitive healthcare data and can put you out of compliance with the HIPAA Security Rule. On top of that, the courts are likely to treat lax standards as a security failing if a data breach occurs. Now you’re looking at an expensive lawsuit!

An abbreviated overview of the HIPAA Security Rule’s general requirements (45 CFR 164.306(a)) calls for covered entities and business associates to do the following:

  1. Ensure the confidentiality, integrity, and availability of all electronic protected health information the covered entity or business associate creates, receives, maintains, or transmits.
  2. Protect against any reasonably anticipated threats or hazards to the security or integrity of such information.
  3. Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required under Subpart E (the Privacy Rule) of 45 CFR Part 164.

Can you demonstrate device encryption?

CEs and BAs, keep in mind, too, that you can’t take advantage of the HIPAA Breach Notification Rule safe harbor unless you can demonstrate that a lost or stolen device was actually encrypted at the time it went missing. HHS’s guidance on what makes PHI “unsecured” points to NIST SP 800-111 for data at rest, so full-disk or full-device encryption is the bar. If the device isn’t locked down, it’s hard to prove that it was secure and that no PHI or PII was accessed after it was lost or stolen. Apple tablets and smartphones encrypt their storage natively, but that protection is only as good as the passcode that unlocks it, so enforce one. On Android tablets and smartphones, Windows laptops, tablets and smartphones, and Macs, either end users or IT staff may need to turn encryption on (BitLocker on Windows, FileVault on macOS) and, just as importantly, keep a record of its status: the MDM compliance report or the BitLocker/FileVault recovery-key escrow entry is what proves the device was encrypted on the day it disappeared. Take the steps below to protect laptops, tablets and smartphones – and to protect PHI.

7 Steps to Laptop Data Security & Intrusion Protection

  1. Remove administrator privileges for all company-owned laptops and lock down devices
  2. Install and maintain mobile device management tools that support:
    1. Remote wipe of hard and flash drives
    2. Device tracking in the event a device is lost or stolen
    3. Enforced encryption of hard drives and flash drives
  3. Install and periodically update anti-malware applications
  4. Install and periodically update firewall applications
  5. Enforce strong passcodes or passwords and require periodic password changes
  6. Enable biometric authentication if available
  7. If using Windows, properly set share and Microsoft New Technology File System (NTFS) permissions to keep network snooping to a minimum and unauthorized users out of sensitive files stored locally
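As an added example (not from the original post, and not an Apgar & Associates tool), the PowerShell script below audits a Windows 10/11 laptop against steps 1 through 4 and 7 of the list above and writes a timestamped JSON record of what it found. That record is the kind of evidence the “Can you demonstrate device encryption?” question asks for: it shows the volume was fully encrypted, with protection on and a recovery password escrowed, on a given date. It assumes an elevated session on a machine where the BitLocker, Defender and SmbShare cmdlets are present (Windows 10/11 Pro or Enterprise); the evidence directory and the approved-administrators list are placeholders to change for your environment.

```powershell
<#
  Added example, not code from the original post. Audits a Windows laptop
  against the hardening steps (admin rights, BitLocker, anti-malware,
  firewall, open shares) and saves a timestamped JSON evidence record.
  Assumptions: run as administrator; BitLocker/Defender/SmbShare cmdlets
  available. $EvidencePath and $ApprovedAdmins are placeholders.
#>
param(
    [string]$EvidencePath = "C:\ProgramData\HardeningEvidence",            # assumption
    [string[]]$ApprovedAdmins = @("$env:COMPUTERNAME\Administrator")       # assumption
)

$findings = [System.Collections.Generic.List[string]]::new()

# Step 1: no local administrators beyond the approved list
$admins = Get-LocalGroupMember -Group "Administrators" | Select-Object -ExpandProperty Name
$extraAdmins = $admins | Where-Object { $ApprovedAdmins -notcontains $_ }
if ($extraAdmins) { $findings.Add("Unapproved local admins: $($extraAdmins -join ', ')") }

# Step 2c and the breach safe harbor: every volume fully encrypted, protection on,
# and a RecoveryPassword protector present (it must also be escrowed in AD/Intune,
# otherwise the drive cannot be recovered after a TPM or firmware change).
$volumes = Get-BitLockerVolume
foreach ($v in $volumes) {
    if ($v.VolumeStatus -ne 'FullyEncrypted' -or $v.ProtectionStatus -ne 'On') {
        $findings.Add("Volume $($v.MountPoint): status=$($v.VolumeStatus) protection=$($v.ProtectionStatus)")
    }
    if (-not ($v.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')) {
        $findings.Add("Volume $($v.MountPoint): no RecoveryPassword protector")
    }
}

# Step 3: anti-malware running with signatures no older than a week
$mp = Get-MpComputerStatus
if (-not $mp.RealTimeProtectionEnabled) { $findings.Add("Defender real-time protection is off") }
if ($mp.AntivirusSignatureLastUpdated -lt (Get-Date).AddDays(-7)) { $findings.Add("AV signatures older than 7 days") }

# Step 4: host firewall enabled for the Domain, Private and Public profiles
Get-NetFirewallProfile | Where-Object { -not $_.Enabled } | ForEach-Object {
    $findings.Add("Firewall profile $($_.Name) is disabled")
}

# Step 7: non-administrative SMB shares that grant any access to Everyone
Get-SmbShare | Where-Object { -not $_.Special } | ForEach-Object {
    Get-SmbShareAccess -Name $_.Name | Where-Object { $_.AccountName -eq 'Everyone' } | ForEach-Object {
        $findings.Add("Share $($_.Name) grants $($_.AccessRight) to Everyone")
    }
}

# Evidence record: what was true on this machine at this moment
$record = [pscustomobject]@{
    Computer  = $env:COMPUTERNAME
    Timestamp = (Get-Date).ToString('o')
    OS        = (Get-CimInstance Win32_OperatingSystem).Caption
    Volumes   = $volumes | Select-Object MountPoint, VolumeStatus, ProtectionStatus, EncryptionMethod
    Findings  = $findings
    Compliant = ($findings.Count -eq 0)
}

New-Item -ItemType Directory -Force -Path $EvidencePath | Out-Null
$file = Join-Path $EvidencePath ("{0}-{1:yyyyMMdd-HHmmss}.json" -f $env:COMPUTERNAME, (Get-Date))
$record | ConvertTo-Json -Depth 4 | Set-Content -Path $file -Encoding UTF8
$record
```

Run it from an elevated prompt on a schedule (a scheduled task or an MDM script policy) and forward the JSON to a central store, because a record that lives only on the laptop disappears with the laptop. Steps 5 and 6 (password rules, biometrics) are not checked here since they are set by Group Policy or MDM and are better verified from that side.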

6 Ways to Protect Tablet & Smart Phone Security & Prevent Intrusion

  1. Remove administrator privileges for all company-owned tablets and smartphones and lock down devices
  2. Install and maintain mobile device management tools (for company-owned and personally owned, BYOD, devices) that support:
    1. Remote wipe of flash storage
    2. Device tracking in the event a device is lost or stolen
    3. Enforced encryption of flash storage
    4. Preferably, separation of company data from personal data on BYOD devices
  3. Install and periodically update anti-malware applications (Exception: iPhones and iPads, where the operating system does not allow third-party anti-malware; rely on prompt OS updates and MDM enforcement instead)
  4. Install and periodically update firewall applications (Exception: iPhones and iPads, for the same reason)
  5. Require strong passcodes or passwords and regular password changes
  6. Enable biometric authentication if available

Device hardening is considered a reasonable security safeguard, which means it’s a “must do” for HIPAA compliance and, in some states, for state law compliance as well. Take the necessary steps to protect PHI and avoid the bad headlines, regulatory penalties, lawsuits and lost business. If you need to beef up compliance planning, conduct your security risk analysis, or just aren’t sure where to start with any of it, give us a call: 503-384-2538.

The post How to Harden Laptops, Tablets & Smartphones to Protect PHI appeared first on .
