https://apgarandassoc.com: Privacy, information security, HIPAA, HITECH and regulatory compliance (feed last updated Fri, 12 Oct 2018 23:05:18 +0000)

Communication Disconnect: Sales Promises & the Information Security Audit
https://apgarandassoc.com/communication-disconnect-sales-promises-information-security-audit/ (Fri, 12 Oct 2018 22:06:35 +0000)

Has this happened to your company? The sales team has a hot prospect who wants them to conduct an information security audit. Sales promises that not only can that happen, but also that it will happen by a specific deadline. The problem? No one checked with the C-suite or operations management before committing.

This communication – and timing – disconnect between sales and operations can cost companies both prospects and current customers. Information security is traditionally implemented and maintained behind the scenes. In today’s market, particularly for healthcare vendors, good market positioning means that information security has to be front and center.

As an example, the demand for a SOC 2 audit report is on the rise. Healthcare vendors and other service organizations are being asked for it as proof of a sound information security program. We work with clients as they prepare for and proceed through SSAE 16 SOC 2 audits. In cases where vendors engage a CPA firm to conduct a SOC 2 audit, we find that the decision to go through an information security audit comes from two places: the C-suite and sales. The C-suite sees the audit as a way to retain current customers and to maintain marketability. The sales team looks at it as another strong sales point.

What happens when the sales team over-promises?

If the sales team sells a product or service based on the assumption an information security audit can be done without checking in with its IS department, they may find themselves in a huge bind. It’s even more problematic if the company executed a customer contract along with the promise to conduct a SOC 2 audit. Imagine how that will come back to bite the company when the customer demands a copy of the nonexistent report!

In one instance, a company we’ve worked with in the past lost out on a multi-million dollar deal based on an over-promise. Sales promised they would complete a SOC 2 audit, which was then delayed for a couple of years. The prospective client walked away from the table. Remember, the proverbial grapevine works well, healthcare industry or otherwise. If you’re doing a great job, people will hear about it. If you fall on your face, they’ll hear about it faster.

Sales teams like to run full steam ahead, promising results, valuable products and enhanced service.  That’s a good thing. That’s how companies stay in business and continue to grow.  Often, though, IT / IS is left trying to figure out how to keep the promises made.

Vendors for healthcare and other service organizations are under mounting pressure to prove customer data is safe and secure. Information security is a market driver. If sales and the information security team aren’t on the same page, the outcomes could be disastrous for business. So communicate amongst yourselves: sales, IT and the information security team. Actively involve the C-suite. Then you can be assured the company is steered in the right direction, with the right resources. When promises measure up to delivery, everyone is happy.

You’re a US company & subject to the GDPR. Now what?
https://apgarandassoc.com/youre-a-us-company-subject-to-the-gdpr-now-what/ (Thu, 27 Sep 2018 21:40:47 +0000)

What happens now that US organizations that thought they were off the GDPR hook discover they are, in fact, on it?

The onset of the GDPR, at first glance, seemed straightforward. Are you in the EU? Do you employ or do business with anyone in the EU? No? All good on personal data privacy. Except that your one-time, at-a-glance, high-level assessment won’t hold up. Blame the GDPR’s broad definition of personal data. And realize that Europeans are far more guarded of their personal data privacy than Americans, at a very granular level. Beyond health or financial information, or minors’ personal information, the GDPR goes far deeper.

Examples of GDPR-defined personal data

  • Work email address
  • Political party
  • Religious beliefs
  • Racial or ethnic information

GDPR defines “personal data” as:

Any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

There are also two important functional roles defined under the GDPR: the Data Controller and the Data Processor. A data processor is defined as someone who processes data on behalf of the data controller. That may be a company providing a 3rd party software or platform that stores data. The data controller is the entity that collects the data, such as a health plan collecting member data or a bank collecting customer data.

So how does a US organization, particularly one that typically adheres to strict compliance standards, deal with the GDPR? A company that has attained certification through HITRUST or SOC 2 likely feels fairly confident of being able to meet the GDPR’s requirements. Unfortunately, one does not equal the other.

6 Actions You Can Take to Support GDPR Compliance

  1. Be sure that your Security Risk Analysis encompasses all “personal data” as defined under the GDPR, not just PHI and PII. Remember location data counts, too! If you’re a data controller, you’ll also need to look at impact assessments that relate to GDPR-defined personal data.
  2. Check that your 3rd party data processor is approved by the data controller. PHI that falls into the GDPR personal data category can only be used and disclosed on instruction from the data controller. That means that a use that would typically be permitted for a Business Associate under HIPAA isn’t permitted if the data is defined as “personal data” under the GDPR.
  3. Appoint your EU-based representative and designate a Data Protection Officer. This is a major point of compliance with the GDPR. The DPO’s contact info must be publicly published as well as formally shared with the EU’s Privacy Commissioners.
  4. Be sure you’re authorized to engage in data flow transfers that relate to the individuals, or “natural persons” under the GDPR regs. Validate under your operations management contract that the data transfer is necessary and authorized.
  5. Modify your security incident response plan to include the GDPR breach notification guidelines. Under the GDPR, data controllers only have 72 hours from the breach discovery to notify the EU Data Protection Authorities. Be sure to test your ability to comply with the requirement.
  6. Prominently display your privacy practices and the privacy rights of individuals to conform with the GDPR. Individual privacy rights include access to data collected, ability to correct that data, how they can restrict the processing of the data, even to require that you erase the personal data.

Under the GDPR, US companies that discover from their data analysis that they deal with personal data of any kind from people who live in the EU (even non-EU citizens) must comply with its requirements. The cost of non-compliance is huge – up to 20,000,000 EUR. For US healthcare organizations that still struggle to meet HIPAA requirements over two decades after its enactment, the GDPR may well mean that they simply choose not to do business with EU residents.

Are you contemplating how to comply with the GDPR? Contact Apgar & Associates for a data inventory and risk assessment: 503-384-2538.

Privacy and Security Training: Less hype, less myth, more HIPAA realities.
https://apgarandassoc.com/privacy-and-security-training-less-hype-less-myth-more-hipaa-realities/ (Fri, 24 Aug 2018 20:51:01 +0000)

I’m often taken aback by some of the marketing material I receive from privacy and security training vendors. This is clearly a “buyer beware” moment. The review of a training vendor’s material can give you some insight into their credibility, particularly if you’re already somewhat knowledgeable of the material that needs to be covered in any privacy and security training session you’re looking to enroll in. The training risk comes when someone doesn’t have a good grasp of the material, because they may well be fed outdated information or, worse, partial truths about HIPAA.

I may be a little sensitive because of the type of privacy and security training that we and some of our partners provide. Timely, current event-relevant, regulation-sensitive training. But in this instance, we received a vendor mailing focused on email integration and texting in the healthcare communications environment. Sounds entirely reasonable, right? Unfortunately, the marketing copy reflected outdated or even misleading information.

Marketing hype or regulatory reality?

The vendor’s privacy and security training marketing materials included these topics and observations, presented as facts:

  • Email and texting are in the early adoption stages in healthcare settings. Texting is becoming the preferred engagement, overtaking paging.
  • Mobile phone use for texts or calls relating to payment, to provide critical healthcare information or other official purposes is a no-no for providers and violates HIPAA.
  • Risk evaluation and management related to business communication that may or may not contain PHI is under scrutiny. Improper exposure may be considered an official breach.
  • Violation enforcement can include fines up to $50,000 per day and more.
  • Impacts of the Telephone Consumer Protection Act (TCPA) limit the use of cell phones for payment and healthcare purposes unless consent is obtained.

Let’s take it from the top. First of all, texts and emails are common in today’s healthcare environment. While the topic is worth addressing as part of ongoing training (and hopefully touches on serious email threats like phishing), it’s not a new issue.

[Read Phishing: Help Good Employees Avoid the Hook of a Cybersecurity Nightmare]

Secondly, clarification is in order when it comes to texts. HIPAA doesn’t require covered entities to obtain consent before, say, sending an appointment reminder via text message. I do, however, think it’s a courtesy that should be extended because not everyone is comfortable with anything to do with their health being texted to them.

Now to take it a step further, if the email or the text message is encrypted, there are really no HIPAA consent requirements. If the individual requests texts and emails be sent unencrypted, covered entities do need to document that the individual making the request has been informed of the dangers associated with unencrypted transmission of PHI.  That’s not the same as obtaining consent.

When it comes to risk evaluation and risk management, yes, those are hot items. And while I do wonder what an “unofficial” breach is, I agree the improper exposure of PHI may result in a reportable breach. Please keep in mind that if the exposure is unintentional, like a misdirected email, it may or may not be a reportable breach. That’s where the HIPAA Breach Notification Rule’s four-factor risk assessment comes into play.

Here’s where I seriously part ways with the material: the violation enforcement information and the penalties.

If you’re doing the right thing, discover a breach, follow the required investigation and notification process and report the breach to OCR in a timely manner, you likely won’t be fined by OCR. Now, if there is a breach and OCR finds you haven’t conducted a risk analysis, haven’t adopted current and enforceable policies, haven’t trained your staff and so on, then yes, chances are higher that you’ll be paying in the form of a penalty or monetary settlement.

As far as the $50,000 per day, OCR can levy penalties up to $50,000 for a single violation up to a maximum of $1.5 million per calendar year.  There’s no reference in any OCR guidance that violations are counted in days. They could in fact be counted as the number of records breached.  If, as an example, 1,000 patients’ PHI was breached, OCR could count that as $50,000 X 1,000 (if you’re found guilty of willful neglect).  Because the penalty amount calculated this way would exceed $1.5 million, the maximum penalty amount would be levied unless a lower amount was negotiated between OCR and the breaching entity.

Finally, the TCPA. I need to point out that the TCPA was enacted in 1991 – pre-HIPAA – and addressed robocalls. It had nothing specifically to do with text messages and healthcare.

The bottom line on healthcare privacy and security training.

Emails and texting to communicate healthcare information have been going on for years. Keep in mind that, yes, guidance from OCR (“Right to Access”) emphasizes the need for covered entities to communicate effectively with patients, but there is no reference to text messaging or emailing other than to state that patients can request communications be made using unencrypted email as long as the risks associated with it are clearly communicated. There is zero reference to text messaging in the guidance or in HIPAA itself.

I wholeheartedly agree that you need to regularly conduct privacy and information security training with your workforce. I also agree that you need up-to-date privacy and security training documentation.

I’m concerned that there are entities not up on the risks and how those risks are associated with patient communication. The first edicts from HHS that apply to the use of email to communicate with patients date back to January 2013 (the Omnibus Rule) and February 2014 (the HIPAA CLIA Rule), respectively.

Training vendors need to be vetted. If you or your staff are going to take your valuable time to attend any vendor-offered training, you need to know that it has more real-world application to privacy and security risks, engages employees on how they can protect ePHI, and accurately reflects regulatory requirements. More HIPAA realities, less marketing myth.

What the Russian Indictment teaches us about cybersecurity.
https://apgarandassoc.com/what-the-russian-indictment-teaches-us-about-cybersecurity/ (Mon, 06 Aug 2018 15:52:57 +0000)

Aside from the sensationalism of alleged espionage by a foreign power, the cybercrime accusations listed in the Mueller investigation’s indictment document should be a warning to businesses everywhere. It’s an object lesson in “this could happen to you” cybersecurity. Russian cyberwarfare notwithstanding, nation state attacks on US entities are common. The US CERT site has a running list of North Korean “malicious cyber activity” to prove it.

It’s rare that the general public gets to see the “how” of a cybersecurity breach. Organizations typically stick to generalities when they own up to data breaches. Notice that the cyber-attackers used every tool at their disposal to locate and exploit vulnerabilities at the Democratic National Committee and Clinton campaign: spear phishing to steal passwords and gain network access, spoofed security notifications and email accounts, hacking tools and malware. This single-minded cyber-attack is a prime example of how things really play out when hackers want to get in your back door.

Every organization needs to take the cautionary message to heart. Because to mitigate the risk of a data breach recurrence, you not only need to know what happened, but also how and why it did. Think about it. What if you’re a healthcare provider? People’s lives are at stake.

3 Fundamental Tips for Risk Mitigation

  1. Implement perimeter controls to detect breaches and other cyberattacks such as ransomware. How else will you know a phishing attack has occurred? When the system takeover happens? Use appropriate technical perimeter controls to detect an attack early on so you can take immediate action.
  2. Launch system redundancy while you resolve the breach or security incident. You need to take the system down to root out every instance of malware, which means business continuity measures come into play. If you can launch your backup, business operations can continue with only a small blip.
  3. Engage computer forensic experts to get an image of the drives. Sure, maybe you can wipe drives as part of eliminating ransomware. Now what? You have no way to find out how it happened or why.

The above tips make the assumption that you have the basics in place, like security incident response and business continuity plans (which go hand-in-hand, by the way). If you don’t have functioning fundamentals, the ensuing scramble after a data breach or cybersecurity incident starts to look like that classic vaudeville sketch “Who’s on first?”

Chris Apgar, CISSP, is a nationally recognized expert and educational instructor on information security and privacy, as well as a frequent instructor, panelist and panel facilitator for leading national industry groups in healthcare, compliance and security.

How to lose data & money: The cost of unmitigated risk
https://apgarandassoc.com/how-lose-data-money-cost-of-unmitigated-risk/ (Thu, 28 Jun 2018 22:11:19 +0000)

The OCR announcement of a $4.3 million price tag on MD Anderson’s Cancer Center for noncompliance highlights the cost of unmitigated risk. A 2006 security risk analysis showing that a lack of encryption posed a PHI security threat prompted the Center to develop policies for portable device encryption. Smart. But then an OCR breach investigation uncovered that the policy wasn’t actually enacted for years. Not smart.

Loss of USB devices and a stolen laptop exposed the disconnect between the stated policy and actual application of the policy. What could they have done differently? Followed through on their stated policies. Would a demonstrable attempt at PHI protection by alternate means, although encryption wasn’t implemented, have helped? Perhaps. It’s hard to know.

What likely didn’t help the Center was its 2011 internal Information Security Program report, which stated that the risk to ePHI on mobile devices and other portable storage devices was not yet mitigated – a written acknowledgement of failure to enforce its own policies. The USB device loss and the laptop theft happened in 2012 and 2013. In light of that fact, it’s fortunate that OCR asked for penalties under Tier 2’s Reasonable Cause vs Tier 3’s Willful Neglect, if only from the point of view of preserving (somewhat) MD Anderson Cancer Center’s reputation.

In light of the cost of “over-promising and under-delivering,” now is the ideal time to get a compliance assessment of your policies and procedures on the schedule. Are you in danger of an unmitigated risk? Are your policies realistic? Are they being practiced? Can you prove it?

4 Tips for Policy Follow-Through

  1. Tie your policies and procedures back to your actual business operation workflow and processes. Implementing an enforcement mechanism such as encryption gives policies “teeth.”
  2. Make sure you’re following the rules. Policies and practices need to align with the regulations you’re required to follow.
  3. Be realistic when drafting policies and procedures. “Audits will occur at weekly intervals” may not be a realistic policy to accomplish if you’re already overstretched. (See #1)
  4. Maintain proof of policy enactment. Document and be able to demonstrate that you take action on all of your policies. For example, that information could include the date a policy was enacted, any time there was an internal citation for correction, and documentation of how it was corrected.

Your policies and procedures are essentially marching orders for your staff. Be sure those policies are clear and accurate so you can not only enforce them, but also document that you’ve done so. Then when a breach happens and OCR comes in, you’re better positioned.

Apgar & Associates helps you discover privacy and security vulnerabilities so you can manage risks before a breach occurs. Contact us to schedule your assessment today: 503-384-2583.

How You can Meet Compliance Challenges – and Investor Demands
https://apgarandassoc.com/how-you-can-meet-compliance-challenges-investor-demands/ (Tue, 12 Jun 2018 23:16:12 +0000)

From digital startups to financial firms, the demand to demonstrate information security, not only from investors but also from board members and potential business partners, is widespread. As privacy and security consultants who also prep companies for certification, we’re seeing how the need for privacy and security compliance, long since a demand for healthcare, now stretches across industries.

Take this example. An online company selling a product that’s gained rapid popularity attracts the attention of a multi-national interest. It’s a dream scenario for a start-up. A great concept, proven, that garners the best possible outcome: a well-heeled investor. Then a painful reality sets in during due diligence.

The straightforward request of “Let’s start with a review of your policies and procedures” has everyone scrambling. Why? Because they don’t exist – at least not in the format and detail that a true commitment to privacy and information security calls for.

A high-dollar investment from an established global entity is going to have requirements attached to it that a digital startup likely didn’t include in their gotta-get-launched-yesterday operational plan. Especially when the investor demand reflects an expected alignment with the standards to which their organization adheres, ISO 27001.

Digital startups are one thing, but what about established businesses? Maybe there are industry-related policies and procedures in place but the type of business never called for compliance with a particular set of security standards. Now there’s an opportunity to expand into government work. To play in the big sandbox, there’s a need not only to implement an information security program, but one that adheres to the NIST cybersecurity framework that was updated in April 2018. That’s a big leap.

There are common denominators for most certifications and regulatory needs. You may be asked to achieve ISO 27001 certification or HITRUST. Or you may need to choose the best assessor for your SOC certification process. Almost certainly, no matter your business, you’ll need a security risk analysis.

Start with the fundamentals. In nearly every state there are breach notification laws that require you to have an information security program in place. If not a specific program, then at minimum you need to be able to demonstrate administrative, technical and physical safeguards of sensitive data – whether that’s PHI or client financial information. Once you take care of the basics, your business will be ready for the next great opportunity, and able to meet investor demands.

Work with a team that knows how to map your path to certifications and regulatory standards regardless of industry. Apgar & Associates’ certification readiness preps you for HITRUST, ISO and more. Call us today to get started: 503-384-2538.

Minor Privacy Rights: Where Feds & State Diverge
https://apgarandassoc.com/minor-privacy-rights-where-feds-state-diverge/ (Tue, 05 Jun 2018 14:16:59 +0000)

In most instances, HIPAA rules apply for adults and minors. That’s to say, the federal regulation sets the bar. HIPAA treats minors as adults when it comes to privacy rights if they’ve reached the age of informed consent except when state laws say otherwise. Some state laws permit or require disclosure to parents or guardians regardless.

For example, in Oregon, minors reach the age of informed consent at age 15, with exceptions: parents or guardians can receive information on the minor up to age 18, unless the minor gets married or has been emancipated. Oregon law trumps HIPAA in those cases.

To understand some of the broader implications, it helps to know that covered entities determine what makes up an individual medical record (aka designated record set, or DRS). So when a parent or guardian wants access to a minor’s record, they have it (unless state law trumps it). Oh, and divorce doesn’t change that ability to get a copy of a minor’s medical record.

Minor privacy rights can vary according to the medical issue, as well. For instance, privacy rights related to alcohol and chemical dependency diagnosis and treatment fall under the most stringent federal privacy laws. In these cases, the strictest law prevails when it comes to privacy or access to PHI, and that includes minors if they’ve reached the age of informed consent.

In some states, like Oregon, there are exceptions. For example, although the Oregon age of informed consent is 15, when it comes to:

  • outpatient mental health, alcohol and chemical dependency treatment, the age of informed consent is 14
  • HIV/AIDS information and STDs, the age of informed consent is from birth
  • Birth control, the age of informed consent is from birth

So when logic doesn’t apply, but the law does, what do you do? Be sure that you understand all of the ramifications of a minor’s privacy rights under both HIPAA and your state laws. That means not only must you train and re-train staff in that understanding, but you also need to pay close attention to your legislature’s activities. Document disclosures and authorizations and know what your liability is related to either.

Chris Apgar, CISSP delivers training webinars on regulations and best practices related to HIPAA, HITECH and cybersecurity issues. To learn how Apgar & Associates privacy and security expertise can help your organization, give us a call at 503.384.2538.

How can you avoid the costly price tag of unauthorized ePHI access?
https://apgarandassoc.com/how-can-you-avoid-costly-price-tag-unauthorized-ephi-access/ (Thu, 24 May 2018 17:51:09 +0000)

We’re talking millions. Take a look at the largest HIPAA-violation related fines of 2017. Companies like dialysis-giant Fresenius, Memorial Healthcare Systems, and 21st Century Oncology (21CO), which operates 143 centers nationwide, have been fined millions thanks to unauthorized access (21CO has filed for Chapter 11 bankruptcy). In 21CO’s case, the access was through a vulnerable back door to their IT systems, but for Fresenius and Memorial Healthcare Systems, unauthorized ePHI access was employee-related.

When you look at the heart-stopping price tag of non-compliance, the question becomes: Could the unauthorized access have been avoided? Most would argue – and I’d agree – that no system or organization is 100% secure. However, there are ways to mitigate risk, both human and technological. Let’s start with the human factor: your employees. Here are a few tips to pass along:

5 Ways Employees can Protect ePHI

  1. Be sure no one can see your screen. Whether at your desk or using a mobile device, if you’re accessing PHI, protect it from view. Angle your desk – or your body – so that no one can inadvertently see the sensitive data.
  2. Keep quiet about patient records. Just because a recent emergency visit was the stuff of urban legend doesn’t give you the right to share it.
  3. Protect your password and make it strong. A phrase that combines letters, numbers and special characters is a commonly used best practice.
  4. Stay off public wifi when accessing ePHI. It’s tempting to catch up on work at the local coffee shop or the airport, but public wifi is a notorious favorite of hackers.
  5. Immediately report any suspicious activity to your IT department. Strange email? Don’t click the link or open the attachment – call IT.

Things get a little more straightforward when you step into the technology side. That’s not to say it’s easier. But common security controls are just that: common. Encryption of data at rest and in transit, keeping up with software security patching, frequent system backups, a secure messaging platform and access control audits all place significant barriers in front of sensitive healthcare data.

Where does responsibility for healthcare data breaches lie? Workforce, cybercriminals, technology vulnerabilities, lack of training – any and all can place ePHI at risk. While there is no magic pill to secure healthcare information, there are many ways to manage the risk. To learn how Apgar and Associates can help you manage risk and ramp up privacy and security measures, contact us today.

Phishing: Help Good Employees Avoid the Hook of a Cybersecurity Nightmare
Published Tue, 13 Mar 2018 19:34:37 +0000
https://apgarandassoc.com/phishing-help-good-employees-avoid-causing-cybersecurity-nightmare/

The sneakiest of cyber-attacks, phishing has grown in sophistication even as organizations work to tighten cybersecurity programs. Phishing attacks have always been an easy back door into an organization’s – or individual’s – network. With one click as you rush through daily emails, you can unleash malicious software into the system.

Phishing fools the best employees. Impersonation has become slick – emails look nearly identical to those you’d get from a bank, shipping service, or online retailer. Even government agencies are impersonated to perpetuate the scam. Links or attachments that look benign, like receipts, tracking links or spreadsheets, contain nasty malware that can bring down a system and halt business operations until it’s contained.

6 Phishing-wary Best Practices

  1. Recognize the sender’s email address? Stop anyway. Look again before you click the link or open the attachment. If the topic seems even a hair out of character for the sender, it may be coming from a hacked account.
  2. Hover your cursor over the suspect link. If the heading says it’s from your bank but the web address you see when you hover over the link doesn’t match, don’t click the link! It would be a good idea to report these scams to your bank or other legitimate sender you may communicate with.
  3. Don’t recognize the email address or sender? Definitely don’t click. And perhaps let your IT department know a strange email is in your Inbox.
  4. Weren’t expecting an email from this sender? Use the telephone! Yes, an old-fashioned call to verify that the email is legitimate could save your company a world of hurt.
  5. Pay close attention to emails directing you to websites that look just a little off. Fake sites often impersonate real ones.
  6. Install security updates and anti-malware updates as soon as they’re released. Don’t swipe them off the screen or keep clicking “install later.” That’s the kind of procrastination cyber attackers count on.
  7. Back up data frequently, then test those backups. You want to know that a data restore actually works. If it doesn’t, rethink your backup strategy.

Your best bet to combat phishing attacks? Workforce awareness. Much of the privacy and security training we provide is geared toward helping your workforce recognize phishing attacks, learn how everyday activities can compromise information security, and realize how their particular job function relates to overall cybersecurity, no matter what the position is.

Resource: OS OCR SecurityList, February 2018 Cybersecurity Newsletter: Phishing

What could ever go wrong with people using portable media?
Published Tue, 31 Oct 2017 19:08:03 +0000
https://apgarandassoc.com/ever-go-wrong-people-using-portable-media/

Well, the royal family’s security could be compromised, for one. If you missed it, Heathrow Airport, one of the busiest airports and Britain’s largest, is scrambling to understand how a memory stick (aka thumb drive) with extremely sensitive information ended up on a busy west London street. The documents on the unencrypted drive detailed airport security measures and plans, including the route typically used by Her Majesty to and from the airport.

The documents were all marked “confidential” or “restricted.” Yet the thumb drive had no encryption and was just lying on the street, available for anyone to pick up and use. The scariest part? This could happen to anyone, to any business, at any time.

How do you prevent this type of blatant risk to sensitive information? Ask yourself the following about your security and privacy policies and procedures:

  • What have we done – or can we do – to assure our sensitive data’s security isn’t compromised like this?
  • How well does our own senior leadership follow the same strict security measures as line staff?
  • Do we allow sensitive data to be stored, or even temporarily used for transport, on unencrypted drives?
  • Who is allowed to access sensitive data and in what way can they interact with it? Should they even be able to?

Frightening as this event is, it’s also far too unsurprising. Before you decide that portable media is fine for transporting or storing your sensitive data, think twice, then think again. Convenience should not override the need for data protection.

Apgar and Associates’ HIPAA privacy, information security, HITECH and regulatory compliance consulting services support the health care industry and the vendors that work with them. The firm works across industry sectors to help businesses prepare for ISO, SOC II and HITRUST certifications, as well.
