One of the first lessons of process improvement is that preventing errors is much less expensive and time-consuming than remedying the damage after the fact. The same is true for an information breach. The time and cost for installing new software, training staff members, and reinforcing policies and procedures pales in comparison to cleaning up the damage of an information privacy or security breach.

Recent headlines of multi-million-dollar OCR fines and the hundreds, thousands – even millions! – of lives affected suggest the scale of the damage to both businesses and individuals. The news reports rarely explain, however, exactly how the breach could have been averted. This is the first in a new series of articles using publicly reported breaches as teaching opportunities for breach prevention. These are not intended as an “I told you so” for the organizations breached – each incident could happen at almost any healthcare organization today. The goal is for all of us to continuously improve our understanding of the risks to patient information and the options available to us for protecting that information without creating an oppressive atmosphere for our patients, staff, and visitors.

Unauthorized photographs of a surgical patient

This first example was reported in the HIPAAJournal just last week. Basically, surgical staff members photographed a patient’s genital injury using their personal phones and shared the photos with friends. Details of the incident are available in the HIPAAJournal post. What we want to focus on here is whether and how management could have prevented this breach.

This incident is particularly egregious because the information disclosed was so sensitive and because so many health care professionals and staff members – the very people charged with keeping the patient and his information safe – were complicit in the violation. I understand that in the face of such irresponsible behavior, a manager might be tempted to feel helpless – “I can’t watch every person every minute. What can I possibly do to make sure none of my staff ever do something stupid?” Here are some suggestions.

Action 1: Policy disallowing use of personal phones in the OR (or any patient area) for any reason.

As a former frontline nurse, I understand the tendency to scoff at policy – “What good’s a policy? People will do whatever they want to anyway!” There’s some truth to that – practice never perfectly matches policy – but what a policy does do is establish clear guidelines for expected behavior.

If the hospital wants staff to have mobile communications, they need to supply them with Vocera badges or other devices and not rely on staff members’ personal telephones. Personal phones can be used at the desk and in the break room, but not in patient areas – period. Responsibility for enforcing the policy must be shared by charge nurses and circulating nurses, not just the department manager or director. A charge nurse found not to be enforcing the policy could be suspended just as if s/he had been using the phone him or herself.

Action 2:  Intensive staff training, retraining, and reinforcement.

The speed and shamelessness with which these staff members brandished their phones suggests gross ignorance of the HIPAA Privacy and Security Requirements and of the potential consequences for violating them – termination, civil charges and fines, and criminal charges that could include probation or jail time.  Staff should receive comprehensive HIPAA training during their orientation before being given access to patients or PHI. That training should then be reinforced with shorter refresher courses and/or routine discussions of patient privacy and information security in staff meetings, organizational Town Hall sessions, and online forums on the organization’s intranet.

Action 3:  Leadership in the moment.

In the OR, the anesthesiologist, the surgeon, and the circulating nurse all possess significant authority. Any one of these individuals could have called a halt, required everyone to power off their phones, sealed the room, and called hospital security to confiscate the phones until someone from IT could sit with each individual involved to clear the photos.

This action is still more Band-aid than prevention, but it is the actions of leaders in the heat of the moment that either reinforce or undermine policy and training. It did sound like the executives were taking the incident very seriously and had applied appropriate sanctions. It may also have been the case that the circulating nurse or surgeon brought the incident to the executives’ attention – that information wasn’t included in the article. The critical takeaway is that protecting patient privacy, confidentiality, and information security are now as important a leadership responsibility as patient safety and infection control.

The above actions, taken together, are the pillars of creating a Culture of Compliance. Whether the focus of the compliance is HIPAA, CLABSI protocols, or hand washing – all require clear expectations, appropriate training, and unrelenting leadership. Culture is powerful – the trick is to create a culture that makes it easy – automatic – to do the right thing.

Our very best wishes to the patient and everyone at UPMC Bedford Memorial trying to remedy the situation.

If you need assistance establishing a culture of compliance please contact us at compliance@thirdrock.com

Protect Your Patients.  Protect Your Practice.  Protect Yourself.™

Many physicians believe HIPAA is a total waste of their time and money.  That’s because they think it’s the federal government trying to force them to do something that they don’t need to be doing.  But, that’s not the intent of the HITECH and OMNIBUS rulings.  Much of the compliance that was put into place was because of the implementation of EMR/EHR systems in the healthcare industry.  The federal government’s Meaningful Use program even paid covered entities to transition from paper to electronic records. This created an entirely new set of cybersecurity issues that would need to be addressed.

Issues introduced by moving to electronic records (EMR/EHR systems):

1. Securing the patient records (Protected Health Information) at rest (in databases, spreadsheets, faxes,copies, etc.)
2. Securing the patient records during transmission (EMR in the cloud, emailing, faxes, network drives, etc.)
3. Insuring the computers and networks had proper physical and cyber security in place.
4. Insuring the staff was training to protect the PHI physically and electronically.  Including cybersecurity awareness training of cyber threats.

The need for HIPAA is real.  It is a well documented fact that the healthcare industry is lagging in the cybersecurity arena.  They need to beef up their budgets, personnel, training, software, and hardware to improve the protection of PHI.  Currently the U.S. Government says the average physician’s office is 14% compliant.  Think about that, would you bank at a financial institution if you knew they protected your money 14%?  NO, you would find a new bank.  Maybe it’s time to ask your doctor, are you protecting my PHI?  And if not, find a new doctor.

If you’re a doctor, executive, manager, or owner of a covered entity and you have not improved your cybersecurity then you need to rethink HIPAA and take immediate action.  Remember, Ignorance of the Law Is No Excuse. Don’t take my word for it, see how it worked out for a doctor with the courts in this article Doctor Gets Jail Time for HIPAA Violation.  You might read the article and think, “Well, I would never do that.”  That’s probably true, but remember, he didn’t lose any data, he just looked at it outside the allowed bounds of the law. The OCR is getting stiffer on their penalties. They now expect the covered entity to be responsible and take action to protect the patient’s data and identity.

Make sure you find the correct solution to address HIPAA, know the requirements and how to address them completely, easily, and affordably.

Protect Your Patients.  Protect Your Practice. Protect Yourself™.

If you haven’t read my previous two blogs on this topic I encourage you to do so.  The first blog stresses the importance of being risk management proficient over being a HIPAA “expert”. The second blog deals with being accountable in your work actions, which means not only are you responsible for your actions, but your actions can be independently verified.  These two “factors” can go a long way to protecting your organization from the risks of a breach and from substantial penalties and fines for failure to comply to HIPAA regulations.  A coworker forwarded an article to me that provides a good example of both of these traits, or rather the lack of them, but also emphasizes the next important step, training.

The National Law Review article published on April 27^th stated that the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) announced a settlement for a breach of electronic protected health information (ePHI).  This is the first settlement of a wireless health services provider, which totaled $2.5 million.  The Covered Entity (CE) reported a breach effecting 1,400 people due to a laptop being stolen from a car. Later that same year the CE reported an additional breach of 2,200 individuals.

The OCR audit found that the CE had 1) not performed a risk assessment, 2) lacked sufficient risk management processes and 3) had not adopted proper policies and procedures.

In addition to the fine, the OCR implemented a two-year compliance oversight program that includes the following corrective actions:

1. Conduct a risk analysis of security risks and vulnerabilities.
2. Implement a risk management plan to address and mitigate the security risks and vulnerabilities identified in the risk analysis.
3. Update policies and procedures based on implementation of the risk management plan.
4. Implement secure device and media controls with proper encryption protocols for portable devices and media.
5. Review and revise its training program relating to the use, security, encryption, handling of mobile devices, and out-of-office transmissions.

The complete National Law Review article can be found at http://www.natlawreview.com/article/stolen-laptop-and-lack-understanding-hipaa-leads-to-25-million-settlement.

The first 3 corrective actions are standard elements of risk management, which define how to perform corrective actions 4 and 5.  Obviously, cybersecurity is a top priority, but workforce training, corrective action 5, is a key component of any organization’s security.

Your security is only as good as any single individual in your organization.  One person clicking on an unverified hyperlink can introduce ransomware to your systems, stop delivery of healthcare and potentially damage a practice beyond repair. Training strengthens accountability and enables efficient and effective risk management.  Regular up-to-date training and ongoing awareness campaigns emphasize the importance of security and maintains vigilance, helping to build a “human firewall”.

These are standard deliverables for our customers and we support them throughout the process.  If you’d like to learn how we can help your organization better protect your customer’s ePHI and avoid costly fines, contact us at support@thirdrock.com.

Protect Your Patients.  Protect Your Practice. Protect Yourself™.

Engaging clinical staff in information security can be an uphill challenge. For people doing the tangible, social, and physical work of healthcare, a Security Officer’s cautions regarding the invisible threat of cyber-theft can seem like science fiction paranoia. Further, among the healthcare practitioners who do recognize information security as a relevant concern, a substantial number still see it as an “IT issue.”  And finally, as if those barriers weren’t enough, the mere mention of “HIPAA compliance” can cause practitioners to yawn (or groan!).  So how do you convince a bunch of very busy providers and staff members that it’s worth their while to take the few extra steps necessary or to alter some processes slightly in order to comply with HIPAA policies and procedures? There is no one size fits all solution, but one or more of the following tips may augment your current change efforts.

1. Create awareness of the threat.

Understandably, you may have begun your awareness and training campaign with what staff members need to do to comply. Until they understand why they need to take the required precautions, however, consistent behavior change is unlikely. They need to know that healthcare organizations are being actively targeted by cybercriminals and that any organization with an internet connection is at risk – no matter how large or how small.

2. Reframe HIPAA as a clinical safety issue.

Practitioners also need to understand that an information breach could impact their ability to deliver care, not just the administrative functions. Cybersecurity is a clinical issue. An organization paralyzed by ransomware is unable to access medication records, lab results, or radiology records, making it impossible for clinicians to deliver safe care. Even “smart” medical devices, such as glucometers or infusion pumps, can be hijacked to give inaccurate readings or operate at dangerous levels. Explain cybersecurity as the electronic equivalent of infection control precautions, measures staff members take every day to keep their patients safe.

3. Educate everyone!

The Board, C-suite executives, volunteers – no one is immune! Everyone should understand the threat, their own responsibility for keeping PHI secure, and how to identify suspicious activity in their realm. Once everyone is educated, remind them – again and again. Frequency, redundancy, and variety are key to information retention. Use every channel available to you – staff meetings, newsletters, performance reviews, email, screen saver and/or text messages. Use games and contests to make it fun. Use images and slogans to make it memorable and to emphasize the importance.

4. Train everyone!

Wait, isn’t that what I just said in the previous paragraph?  No – educating everyone is making sure they know what to do and why. Training ensures they know how to do it. Any security precautions that require physical action, such as logging out of a workstation, should be physically demonstrated, either in person or by video. In order to complete training, each learner should then demonstrate the ability to correctly perform the required action. Note: In some of our client organizations, staff members have not understood the difference between logging out of the EHR and logging out of the workstation.

5. Track and discuss progress – and any barriers to compliance.

We’ve all experienced “flavor of the day” initiatives, and in the current political climate, some people may think HIPAA was a politically-motivated initiative that might be overturned.  The fact is, HIPAA or no HIPAA, your organization’s PHI is a valuable asset central to the delivery of safe care and the organization’s financial solvency. Signal your staff that whatever the political climate, your commitment to information security is here to stay. Choose 3-5 metrics that provide some indication of HIPAA compliance, then review and discuss them regularly. Again, use every channel available.

But make sure these communications aren’t a one-way street. Often there are valid reasons why staff are having difficulty complying with the requirements, such as equipment location or contradictory role demands. Listen, then do everything you can to make it easy to do the right thing.

Good luck!  If you have additional recommendations, please share them with us via info@thirdrock.com. If we receive several suggestions, we’ll post them in a future blog.

Until then, be safe, not sorry!

The phrase “last mile” is commonly used across many industries to denote the final leg of a project or process – reaching the goal! More often than not, it’s referring to the most difficult part of the journey.  In logistics, it is delivering your iPhone made in China to your doorstep in rural Texas.  In the communications industry, it is installing the last few hundred yards of new optical fiber cabling for high speed internet to your home or office that is extremely costly and disruptive.  And literally, although I have never run a marathon, I’ve heard that the last mile is often the toughest.

So, what is the “last mile” of HIPAA?  Given that HIPAA is a never-ending journey can there even be a “last mile”?  After many assessments, at a wide range of healthcare facilities, I think there is a “last mile”.  I’ve seen it many times – the practice has done its annual risk assessment, has a risk management plan, yearly training for its staff, and policies and procedures. The IT group has implemented security safeguards and is taking corrective action.  Yet, in my opinion, they haven’t completed the last mile.  Why?  Because they haven’t changed their attitudes.  They believe HIPAA is just another government mandated requirement.  More paperwork, processes, and cost.  And if the management team doesn’t believe it is worthwhile, the staff will just go through the motions.  Failure is almost assured.  Patient data will be lost or stolen.   People’s lives will be negatively impacted – some severely.

So how do you successfully complete the “last mile” of HIPAA?  Start at the top.  The management team must embrace the responsibility for protecting their patient’s most sensitive data –  private data on their children, wives, husbands, and parents.  Protect their data in the same way you work to protect yours.  When you “walk the talk,” your staff will get the message.  Encourage them, and they will step up to the challenge to successfully complete the “last mile of HIPAA” as well.

I was inspired to write this blog by one of my business partners, Dr. Julie Rennecker, who leads our customer experience discipline.  She has 10 years bedside clinical experience as a hospital RN, a PhD from MIT in Organizational Behavior, and 20 years research and consulting experience in high-tech and healthcare, and is a recognized industry expert in Change Management.  Contact Third Rock if you’d like more information on Change Management and HIPAA compliance.

This is the second in a two part series concerning the value of compliance.  Our mission is, Worry-Free Compliance, to help you obtain a culture of compliance through normal business operations.  Our vision is to reduce the complexity, cost and burden of HIPAA compliance using a next-generation compliance management platform.

What does a next-generation management platform provide?  Here’s a list:

• • Complete
    • Manages the entire compliance process
    • Maintains custom policies and procedures
    • Provides and tracks training
    • Creates & maintains Body of Evidence for audits
• • Simple and Easy
    • Understandable format, HIPAA expertise not required
    • Logic driven questions reduces assessment time
    • Supporting documentation easily attached and managed
    • Generates electronic reports for audits
• • Significantly Reduces Time and Effort
    • Intuitive, step-by-step workflow
    • Provides remediation guidance and support
    • Automates building the body of evidence
    • Reduces man-hours by over 50%
    • Reduces overall cost of HIPAA compliance by 65%
• • Greatly reduces liabilities

Before you buy a HIPAA kit that will sit on your shelves and collect dust or hire a HIPAA auditor/consultant to perform a security risk analysis for you, then leaves you a checklist of issues to correct, you should consider using an online tool that makes you more compliant, in less time and helps you maintain your culture of compliance.

The first post in this two-part series was Value Proposition of HIPAA Compliance.

Take our free mini-Risk Assessment to see how compliant you are.

Protect your patients, protect your practice, protect yourself.

The healthcare industry is beginning to realize that HIPAA is here to stay and they are probably going to be audited sooner or later.  What physicians and all healthcare providers need to understand is that if you don’t protect your patients’ PHI/ePHI the following can happen to your patients as a result of their identity being stolen and used.

NOT Protecting Your Patients’ (PHI/ePHI):

1. You can cause them financial difficulties or even financial ruin.
2. You can cause them undue stress, even a stroke or heart attack.
3. You can cause them to be denied healthcare insurance.
4. You can cause them to be denied healthcare services.
5. You can cause them to be denied medicines, treatments, and therapies.
6. You can cause them to be misidentified during healthcare treatment, causing incorrect operations, procedures, medicines, or even death.
7. You can cause the death of your patient.
8. You will suffer the consequences listed under “NOT Protecting Your Practice”.

You might think, these can’t happen, but all of them have already happened, with the exception of causing a death, but there have been several close calls with death because of identity theft.

What HIPAA “forces” you to do, is what you should already be doing:  operating a safe, secure, efficient, productive, and profitable healthcare provider organization.  That’s right, if you were doing what needs to be done to protect your patients’ PHI/ePHI, you would be HIPAA compliant and you would be protecting your practice (business) and yourself.

NOT Protecting Your Practice:

1. You will likely be breached and lose access to or have your patient’s ePHI stolen.
2. You will receive the maximum fine from the HHS OCR audit, which may close your doors.
3. You will likely have a class action lawsuit by your patients against you.
4. You will have approximately 40% of your patients abandon you and your services.  (People don’t like having their identity stolen.)
5. You will have to pay for the remediation of your HIPAA non-compliance issues with government oversight.
6. You will have to pay for cyber theft protection insurance for all of your patients.
7. You will suffer from negative social media.
8. You will suffer major interruption to your cash flow.

And last but not least, you must realize you need to protect yourself.  The HIPAA law provides for the prosecution of individuals who neglect to protect their patients’ PHI/ePHI or those individuals who destroy, lose, or steal a patient’s PHI/ePHI. If you don’t want to wear an orange jump suit you might want to consider working on becoming HIPAA compliant.

NOT Protecting yourself:

1. You could find yourself sued by patients.
2. You could find yourself fined for failure to protect PHI.
3. You could find yourself found guilty of breaking the law.
4. You could find yourself in federal prison.

Protect your patients, protect your practice, protect yourself.

I would strongly suggest you use a Compliance Management Platform to build the required body of evidence, reduce the work load, increase compliance, simplify electronic reporting and save money while working to become HIPAA compliant.  Check out CompassDB™ at http://compassdb.com/.

If you want to know where you stand with your HIPAA compliance take the free HIPAA Quick-Check.

With the 2016 Summer Olympics in full swing I thought it apropos to use the analogy of achieving a gold medal to obtaining HIPAA compliance.  I know, not really fair or nice to the Olympics and Olympians, but it makes a decent blog post and a good analogy.   So, bear with me and work on achieving your HIPAA gold medal.

Vision

You need a clear vision.  You will obtain your goal of being HIPAA compliant.  You need to clearly understand what that requires.  Take our Free Risk Assessment to better understand what is now required by law to be HIPAA compliant.

Mindset

Just like an Olympian has to have the proper mindset, or mental fortitude, to achieve the highest award in sports, you too need to make the decision to achieve HIPAA compliance.  It’s going to take a lot of time, effort, money, sweat and tears to become the best or be compliant.  Once you’re performing at the peak you must continue practicing to maintain that level of performance.  Compliance is a culture, a way of life, how you should be operating your business.

Plan

Becoming a Gold Medal Olympian doesn’t happen because you decide you want to be one.  You must have a plan.  You need to understand what steps are required to become the best athlete or compliant.  It’s best if you perform an assessment of where you are and what is needed to reach your goal (gap analysis), then sketch out a plan and timeline to obtain the goal.  You’ll need training, work on correcting things you’re not doing or how to do them better, you should write down policies of how you will do certain things and the steps to do them properly (policies and procedures).  Most medal winners have great coaches that provide expertise, experience, leadership, planning and encouragement to obtain their goals.  You might want or need a HIPAA coach to help you achieve your HIPAA gold medal.

Communications (Talk)

The entire team needs to understand the Vision and Plan for how to achieve it.  Set a clear vision, then write an outline on how the team will take action to become HIPAA compliant.  It makes it much easier when everyone is in the same boat and rowing in the same direction.  Let the team know the office will become HIPAA compliant, it will take 6 months.  Everyone will need to do their part.  HIPAA training will be provided to each individual.  Set the expectation that the entire office will create and maintain a “culture of compliance™”.  It means the entire staff will provide better and safer care to patients who ultimately pay the bills.

Action (Hard Work)

What sets the Olympian medalist apart from the rest? Sometimes it’s 1/1000th of a second, but what got them there was action, they practiced over and over and over.  Their actions became muscle memory.  They worked hard to make it to the highest stage in the world.  They built a culture of consistent training and practice.  Their daily operations were to get better or maintain their superior level of performance.

You will need to work on your plan to improve your compliance over the next year.   Then you will need to maintain your compliance.  The key is to make HIPAA compliance part of your office culture.  Once you have created a “culture of compliance™”, being compliant becomes second nature, it’s part of running a more efficient, effective, productive, profitable and safer healthcare business.

Check out our free resources to help you achieve your HIPAA Gold medal.  The information provided in our resources and on our Third Rock Assurance™ solution and our CompassDB™ Compliance Management Platform pages will help you understand the steps you will need to take to become HIPAA compliant.

HIPAA is yet another government mandate for American healthcare businesses to address.  We all know it’s time consuming, requires a lot of effort to learn, stay current on and to implement.  Plus, it’s costly.  But, is it worth it?  Does it truly help the covered entity or business associate in the long run.  You might be surprised by the answer.

The simple answer is ABSOLUTELY.

First, let’s look at HIPAA goals.

Basic Goals of HIPAA

1. Portability: To allow patients to transfer their records between doctors.
2. Privacy: To protect the privacy of the patient.  No one wants the world or nosy neighbor to know about our warts or health issues.
3. Security: To protect our EXTREMELY valuable PHI from cyber-theft or loss.

Here’s a list of benefits and the indirect Return On Investment (ROI), even though it may not be quantifiable and directly traceable to revenue or profit.

Benefits of HIPAA

1. The Risk Assessment (Security Risk Analysis) helps your business identify issues you need to address to reach the goals listed above.
2. HIPAA training helps your entire staff to be better at obtaining those goals and not accidentally causing a breach.
3. The Policies and Procedures help you run a more standard, effective and efficient business operation.  If everyone knows the policies and the procedures to fulfill those policies, work will flow smoother, training new staff will be faster and cheaper, and the chances of a HIPAA violation (loss of PHI) will be reduced.
4. Cyber security scans and remediation help harden your cyber security and protect your valuable PHI from being stolen or destroyed.
5. Keeping records of your HIPAA work shows the auditors you’re doing what is expected and attempting to meet the goals of HIPAA.  Building a body of evidence is now a requirement of HIPAA auditors.

You might say, “Great this is all good and wonderful, but I’m still out time, effort and money without any financial benefit.”  You might want to consider NOT being HIPAA compliant.  Let’s assume you are NOT doing anything to be HIPAA compliant.  You get breached and lose 2,500 patient records.  You don’t report the breach to the OCR.   One of your patient’s identity is stolen, the information is tracked back to your practice, which is fairly easy, and now the OCR audits your practice.  You’re staring at a potential $500,000 fine.  A class action lawsuit that could cost well over a million dollars.  Plus, months and months of time to address the audit and reinforcements.  Then you have to implement HIPAA and show every step to the OCR.  Even if you have cyber-theft insurance, it probably won’t cover all of the expenses and it may cover none of them because you can’t show any proof (body of evidence) that you took steps to secure the patient’s data (ePHI).

ROI of HIPAA

1. The potential HHS OCR fines are greatly reduced if not eliminated.
2. The likelihood of physical PHI and electronic PHI breaches are reduced.
3. The likelihood of lawsuits from PHI breaches and data loss are reduced.
4. Your business operates more effectively, providing better care and patient privacy, security and data protection.
5. Your business operates more efficiently, training new staff faster with less effort.
6. Your business is a more ethical place of work, working to be a safe place for your patients to come for healthcare.
7. The negative social media impact is reduced or eliminated.
8. The likely loss of your livelihood is greatly reduced.

Conclusion on ROI of HIPAA

1. Do you earn more money by implementing HIPAA?  No.
2. Do you save money by implementing HIPAA?  Not directly.
3. Do you reduce your liabilities and likelihood of financial loss by implementing HIPAA?  Absolutely.
4. Do you do the morally and ethically correct thing and protect your patients personal privacy and financial security by implementing HIPAA?  Absolutely.
5. If you invest a $1,000 in HIPAA and you save yourself $1.5 million in fines and expenses, it’s an extremely cheap investment with many benefits.

Whether you look at HIPAA as an investment or insurance, it’s time to invest in a solution that is comprehensive, easy and affordable that will build your body of evidence and help you reach the HIPAA goals. What we at Third Rock refer to as your “Culture of Compliance™”. Consider a Managed Compliance Service Provider (MCSP) that provides HIPAA expertise, is your virtual HIPAA team, has an online, easy to use compliance management tool that reduces your learning curve, your effort to implement and your time to become compliant, all at a reasonable price.  That’s our goal with Third Rock Assurance™ powered by CompassDB™.

85 percent of organizations have suffered phishing attacks!

That is straight from the Wombat 2016 State of the Phish report.  Is that depressing or what!  The sad thing is, phishing can be thwarted most of the time.  But, it requires diligent training of your ENTIRE staff.  Including the board members, owners, executives and doctors.  Everyone needs to be trained to identify phishing attacks and resist opening the link and/or attachment.

A few stats from the report.

1. 85% of organizations have suffered phishing attacks.
2. 37% of executives have been victims of phishing.
3. 30% of phishing emails get opened.
4. #1 delivery of malware is via email attachments.
   1. #2 delivery of malware is web based.
   2. #3 delivery of malware is hyperlinks in email.
5. 250% increase in phishing attacks in first quarter of 2016.
   1. You are under attack by the cyber criminals.
6. 93% of phishing emails carried ransomware.
7. Average cost of a phishing attack is $1.6 million.  Obviously, this is because huge corporations have experienced successful phishing attacks.  But, never the less a phishing attack will cost your dearly.

Jonathan Crowe at Barkly has a great blog with charts for more details.  He also has a Phishing Field Guide: How to Keep Your Users Off the Hook

Here are a few tips to help you avoid catching the wrong phish (malware, computer bug).

1. Train your staff on cyber security.  Our HIPAA course covers phishing and other cyber security training.
2. Train your staff using a false phishing campaign.
3. Configure your email to filter out phishing emails.
4. Double check the email address is from someone you know.  Otherwise, you should probably NOT open it.
5. Double check the url, does it go to the right web site?  Do you recognize the url, does it make sense?
6. Not sure about an email?  Call and talk to the sender first.
7. Turn off macros if asked when opening any file.
8. Setup an email gateway to block all attachments and require users to download expected attachments from the server.

Here are some free phishing simulators you might try http://resources.infosecinstitute.com/top-9-free-phishing-simulators/.  The DOD also offers a free phishing test tool at http://iatraining.disa.mil/eta/phishing_v2/launchpage.htm.

Hope these tips help you protect your patients, protect your practice, and protect yourself.

@barklyprotects, #phishing