Many of the issues we see in cybersecurity, whether you are in healthcare, retail, finance, etc., are by and large preventable. It is not about having a big budget or a large team of experts. No, some of it is just common sense. It is not unlike driving a car. When driving a car you take several basic, yet important, steps to try and lower your risk of an accident. You look both ways at a stop sign, you drive safely to avoid losing control, you keep your car in working condition, and just in case you are in an accident, you’re protected by your auto insurance.

Nothing really difficult. Does it mean you will never have an accident? Of course not, but you significantly lower your risk.

When trying to protect your organization’s information, some of the worst – and most common – information security errors are also the ones that are the most preventable. Let’s take a look…

Vigilance is often the first step. What do I mean, by vigilance? It is simply not taking security for granted. Far too often I hear, “The chances something will happen to us are so small.”  That always sounds good, until something happens.

Antivirus is something that is surprisingly overlooked. It is not always that organizations forget to install it, it is that they forget to keep it updated and the license renewed. If your Antivirus is outdated, for any reason, it is almost as bad as having no protection.

Email security is often overlooked, even though it is one of the easiest targets for hackers and cyber-thieves. Whether it is due to lack of end-user training or lack of security in place, it is a huge target for hackers. First and foremost your email users should be trained on proper email safety, such as how to avoid phishing messages.

Firewalls these days are often the first line of defense and for smaller shops they are often setup by the internet service provider. The bad thing about that is the provider often leaves the default username and password in place which allows hackers to easily gain access to the firewall and let themselves in the door without knocking. This is generally a very easy change that takes only a few minutes to correct.

Speaking of passwords! I hate to break it to you, “1234” or “password” is a really, really poor password.

Finally, one of the most common mistakes in cybersecurity is…

Backups! I know some are saying, “What do backups have to do with cybersecurity?”

EVERYTHING!

Not unlike having insurance for your car, it is only important when you need it the most. Backups are your insurance for bad things happening, whether it is a cybersecurity issue, an accidental file deletion, or a disaster. Having backups that are stored securely offsite are one of the most important steps to protect your business. There are many options to fit all budgets and organizations.

The biggest thing from all of this is to simply not overlook cybersecurity. I know it is easy to say, “It won’t happen to me.” but the odds are it will.

So, buckle up!

In recognition of October being National Cybersecurity Awareness Month, Third Rock is offering a FREE mini-Risk Assessment to promote the role cybersecurity plays in protecting your patients, your practice and yourself.  In addition, we welcome you to visit our HIPAA and Cybersecurity Resources page.  Do you have a cybersecurity question you’d like answered?  Email us at info@thirdrock.com or give us a call at 512.310.0020.  We’d be more than happy to help!

Protect Your Patients.  Protect Your Practice.  Protect Yourself.™

In January of this year, the HHS Office of Civil Rights levied a $475,000 fine against Presence Health for taking too long to notify their patients – as well as the OCR – after discovering the breach of PHI (protected health information). The incident occurred in October 2013 when Presence Health, based in Illinois, discovered that hundreds of physical documents containing patient names, birth dates, medical record numbers, and surgery details for 836 patients were missing.  They did not report the breach to the OCR until Jan, 31, 2014 — 100 days after the incident occurred.

This was the first HIPAA fine “solely based on an unnecessary delay to breach notification” (HIPAAJournal).

Now, CoPilot Provider Support Services, Inc., a business associate based in New York, is under investigation for delayed reporting of a breach of ePHI (electronic protected health information). An unauthorized person accessed and downloaded 221,178 individuals’ sensitive information in October 2015, but CoPilot didn’t involve the FBI until February 2016 and didn’t issue breach notifications to patients or the media until January 2017. Oops! The OCR is still investigating whether CoPilot is a HIPAA-covered entity, but the NY State Attorney General levied a $130,000 fine in June for violation of state law, according to an announcement from the Attorney General’s Office.

Healthcare entities cannot afford to delay breach notification. Here’s a summary of the basic notification requirements outlined in the Breach Notification Rule:

• A covered entity must notify the Secretary of Health and Human Services (via their portal) if it discovers a breach of unsecured protected health information.
  •  If the breach affects 500 or more individuals, the covered entity must notify HHS/OCR “without unreasonable delay and in no case later than 60 calendar days from the discovery of the breach.” (HHS.gov)
  • If a breach affects fewer than 500 individuals, the covered entity must notify HHS/OCR “within 60 days of the end of the calendar year in which the breach was discovered.” It is NOT necessary to wait until the end of the calendar year.
• Regardless of the size of the breach, a covered entity must notify patients “in written form by first-class mail…or by e-mail” (if an individual has agreed to email communication) “without unreasonable delay and in no case later than 60 days following the discovery of a breach.”
• If a breach affects more than 500 individuals, the covered entity must also notify the media.

More detailed instructions for dealing with incomplete or out of date contact information can be found on the HHS website.

These incidents and resulting fines should serve as a wake-up call to the industry – take action sooner rather than later!

Join our free monthly newsletter to stay up-to-date on HIPAA and cybersecurity.

You may not realize how easy it is for someone to submit a complaint about your organization. However, if you are not prepared, what happens after that submission is not something you will soon forget!

This is why HIPAA compliance must be a culture and not just a piece of paper. While someone WILL submit a complaint against you at some point, if you have a culture of compliance in place, there should be little to no effect on your business. If you just run through a simplified checklist once a year, however, and do not enforce the policies and procedures, you will be putting your patients – and your organization – at serious risk.

First, who can submit a HIPAA complaint to the OCR?

This is the scary part – anyone who believes a covered entity is not complying with HIPAA in any way can submit a complaint! The complaint can be submitted directly to the OCR or to the Compliance Officer at the covered entity.

Next, a high level overview of what happens next…

I. Review

During this step the OCR will review the complaint. They will decide, based on the criteria listed below, if they can or will take action:

• Did the activity occur after HIPAA’s effective dates:  April 14, 2003 for violations of the Privacy Rule and
  April 20, 2005 for violations of the Security Rule?
• Is the healthcare organization a Covered Entity that is required to comply with HIPAA’s Privacy Rule and Security Rule?
• If the complaint is accurate, would the alleged activity be a violation of HIPAA’s Privacy or Security Rules?
• Was the complaint filed within 180 days of the date the complainant knew (or should have known) of the violation?  The OCR has discretion to waive this requirement for good cause.

During this review, if the complaint includes a possible criminal violation, the OCR can report the complaint to the U.S. Department of Justice (DOJ) for review. See the OCR website for more detail about this step in the process.

II. Investigation

During the Investigation step, the OCR will notify the complainant if their complaint has been accepted. The reported organization will also be notified. The OCR will contact both the complainant and the reported organization with follow-up questions about the incident. They will also work to gather evidence about the reported incident and ask for a copy of the organization’s policies and procedures, required risk assessments, and other related documents.

III. Resolution

After the OCR completes the investigation, they will review the gathered information and make a decision on how to move forward. They may attempt to resolve the case in several ways which may include a combination of the following:

• Voluntary Compliance
• Corrective Action Requirements
• Resolution Agreement
• Civil Monetary Penalties

Entities who may be facing Civil Monetary Penalties may have additional rights, such as the right to a hearing before an administrative law judge to determine whether the penalties are supported by the evidence.

It’s not over yet! Once you go through this process, you will be audited by the OCR.

When the audit happens, the OCR can and will likely find other non-compliance issues. This will add to the penalty and can cost your company 100’s of thousands of dollars or well into the million dollar range.

The question is not IF, but WHEN someone submits a complaint. There are many reasons a patient or family member might submit a complaint. Once that complaint has been submitted, the OCR will have their eye on your organization.

If you need assistance establishing a culture of compliance please contact us at compliance@thirdrock.com

Protect Your Patients.  Protect Your Practice.  Protect Yourself.™

Sometimes we tend to focus strictly on the technical side of security and compliance and fail to notice the very important issues hiding in plain sight. While a hacker breaking into your network and stealing ePHI is the threat that is being talked about the most, it is sometimes the overlooked old-fashioned threats that present the greater risk.

Think about how many times a patient record has been sitting somewhere and how long does it actually take for someone to pick it up and walk off? What about allowing easy access to documents or equipment that contain sensitive data? Over the years we have seen clients forget some of the simple things that they could do to protect patient information.

Below is a simple walk-through checklist that you can use to recognize and fix security issues that may be hiding in plain sight…

1. Have any documents been left on the counter face up when not in use?
2. Have patient documents been left on a surface that is accessible to patients, visitors, vendors, etc.?
3. Have paper charts been left unattended where someone could grab them while walking down a hall?
4. Are all discarded documents containing PHI shredded or placed in a locked container to await shredding?
5. Have security cameras been installed to track unauthorized access to anywhere patient data could be found?
6. When calling a patient from the waiting room, do staff use only the patient’s name, and preferably only a first name?
7. Have staff logged out of all unattended computers, especially those in exam rooms and publicly-accessible hallways?
8. Do you and your staff lock unattended rooms that could provide access to the network or computer equipment?
9. Is the back door (or other secondary entrance) ever left open or unlocked for any reason?
10. Do you and your staff lock offices when unattended?

Sometimes, just by walking through on a weekly basis you can find simple issues that need to be addressed. We recommend doing this during business hours as you want to see what your visitors see. Not only will this help you be more vigilant in your security, but it will allow visitors to rest easier seeing that you are actively taking steps to protect them and their health information.

Protect Your Patients.  Protect Your Practice.  Protect Yourself.™

info@thirdrock.com | 512.310.0020

As we hear more and more about breaches and ransomware in businesses and especially healthcare, it is becoming an even greater concern for healthcare business owners. It is no longer if you will be attacked, but when and how often.

The first step in closing the cybersecurity gap is to realize that you can’t do it on your own. Cybersecurity is not finding your basic “IT guy” that “can fix it”. It is about obtaining the right resource whether that is a full time hire or a managed service.

The next thing to realize with cybersecurity is that it is not a one time fix, but is ongoing and continually changing to meet the new challenges coming out every day. This is not just adding a firewall, anti-virus, patches, etc. It is a plan, a mentality that evolves over time.

HIPAA is actually a good start towards good cybersecurity, but it is not everything. We all like to complain about HIPAA, but it is actually a great guide to getting your business far more secure and ready to be secure. However, to truly close the cybersecurity gap, no static documents and processes will keep you continuously secure by themselves.

Why worry?

One breach can close your business! Think about your business being down for days, weeks, or even longer. How long can you survive? What about a breach where patient data gets stolen and leaked!! Now you have to go through notifying the government and the public, HIPAA audits, and major fines.

Keep in mind there are 4 tiers of HIPAA fines. If you have a proper HIPAA risk assessment and cybersecurity plan, those fines will be significantly reduced. If not, you could see fines of $50,000 PER PATIENT RECORD.

Time to close that GAP!!

Protect Your Patients.  Protect Your Practice. Protect Yourself™.

If you have questions concerning establishing a cybersecurity plan or about HIPAA, including how to conduct a Security Risk Assessment or how to best remediate identified risks, please contact us: info@thirdrock.com; 512.310.0020.  We’d be happy to help!

HIPAA gets a bad rap – and deservedly so. However, most of that bad rap is because it is set up in a typical government fashion that is hard to understand and make sense of. When you look at the HIPAA laws and guidelines, it is not long before you become more perplexed than you were before.

However, once you get past the government’s idea of light reading, or by using our CompassDB tool which translates it into a humanly readable language, you realize that the HIPAA guidelines are not really all that cumbersome. In reality, they are your standard operating procedures for your business in a template that can cover many different types of organizations.

If you think about it, we should all want our business to continue no matter what happens. We all want to be resilient to threats, both internal and external, as they can affect our way of life. The Security Risk Analysis required by HIPAA (and MACRA and Meaningful Use) helps you identify security threats to your business. The other HIPAA requirements guide you on how to become more resilient when dealing with the threats.

By following the standards set forth by HIPAA, you drastically reduce your liability and your risk of business disruption.

Protect Your Patients.  Protect Your Practice. Protect Yourself™.

If you have questions about HIPAA, including how to conduct a Security Risk Assessment or how to best remediate identified risks, contact us: info@thirdrock.com; 512.310.0020.

By now, most have heard or been affected by the WannaCry ransomware that has spread to over 150 countries at last count.

The WannaCry ransomware started taking over users’ files on Friday, demanding $300 to restore access.

Hundreds of thousands of computers have been affected so far. Computer giant Microsoft said the attack should serve as a wake-up call.

The first line of defense in this is always having a properly maintained firewall both on your network and on each individual computer system. However, as we all know, your network can and will be breached at some point, whether or not it is due to WannaCry or some other ransomware or virus; it will happen.

What is the best defense against ransomware and other malware?

A good backup!

It sounds simple, but amazingly most either are not doing backups or not verifying that the backup works. I worked with an organization that had been backing up for several years, but had never tested restoring the files. Well, they got hit with a bad virus, and it was determined that restoring the previous day’s backup would be the best way to recover. Unfortunately, the backup was corrupted and would not work. We went back to previous days and weeks, and none of their backups were good.

Having a backup is not good for anything if you can’t actually recover the data when you need it.

1.  To get started, investigate business level backup systems that will work in your environment. It truly is a case by case basis on which backup system is right for your organization; depending on size, speed, hours, etc.
2. Schedule restore tests on a regular basis to make sure that you have a valid backup that you can recover from in the case of an attack.
3. Maintain the backup system to ensure that it is considered “mission critical” as it is the last line of defense for your entire business.

Bottom line:  Stay ahead of ransomware by maintaining complete, working backups!

For questions about how to evaluate and improve your own backup practices or for a comprehensive Security Risk Assessment, contact us at info@ThirdRock.com.