Compliance Technology Archives - Third Rock

Cybersecurity: Have you hardened your systems?

Robert Felps — Tue, 25 Apr 2017 14:00:15 +0000

We perform HIPAA Risk Assessments (Security Risk Analysis) for very small practices to large healthcare organizations, plus business associates that include software, big data, and marketing companies. We know the focus of the assessment needs to be security; therefore, we run an industry standard (NIST based) scan checking computers for HIPAA compliance. (NIST stands for National Institute of Standards and Technology) Our findings show that the average covered entity is about 15% compliant and the Windows Operating System is about 63% compliant against the NIST test. It’s obvious to us that cybersecurity has not been addressed.

If you’re a covered entity or a business associate, you might ask, “How do we improve these findings and correct these issues?”

It’s actually not too difficult.

Make sure your software is up-to-date. You should have “auto-update” turned on for operating systems, anti-virus software, and applications.
Ensure that your backups are (a) current, (b) secure, (c) off-site, and that they work. Test the backups on a daily basis to make sure they have not been encrypted by ransomware.
Correct the deficiencies of the Windows operating system, including setting up password policies. Utilizing a domain is wise.
Hire competent IT staff or a Managed Service Provider to provide consistent service for your computers and network. Paying for assistance only when you have a problem means no one is monitoring your network or computers on a regular basis.
Make sure your network has been locked down. Change firewall logins regularly, and use strong passwords. Hide or turn off WIFI broadcasting and use strong passwords. Do NOT allow guests onto the company network.
If you’re a larger covered entity, you should consider hiring a Managed Security Services Provider (MSSP).

Hope this helps you think about cyber security in a new light and to take action to Protect Your Patients, Protect Your Practice, and Protect Yourself.

If you have any questions drop us an email at compliance@thirdrock.com. We’re happy to help!

The post Cybersecurity: Have you hardened your systems? appeared first on Third Rock.

Culture of Compliance Awarded to The Urology Team

Ed Jones, PMP, CHSP — Tue, 14 Feb 2017 15:00:28 +0000

Third Rock is pleased to recognize The Urology Team, a well-known and respected Austin-based medical practice, with the Culture of Compliance Award. This is the first time Third Rock has presented this award which recognizes healthcare providers who have embraced HIPAA privacy and security practices so thoroughly that they are ingrained in their corporate culture and standard processes.

The Urology Team engaged Third Rock to perform their annual Security Risk Assessment which was completed in December 2016. After completing the on-site assessment and reviewing the findings, we were very impressed with their knowledge of HIPAA requirements and the extent to which they had successfully implemented them. We decided to make The Urology Team the first recipient of the Culture of Compliance Award.

How was The Urology Team able to reach such a high level of compliance? First and foremost, they assigned authority to implement and enforce HIPAA-compliant processes. The Providers, who also own the practice, gave Ada, the Privacy Officer, and Cindy, the Security Officer, authority to implement and manage HIPAA. Both Ada and Cindy take their responsibilities to protect patient data very seriously. They have adopted HIPAA Policies and Procedures, which are available to the entire staff, and in doing so, they have learned to manage risks and be on the lookout for new threats.

Each member of the workforce completes HIPAA training annually, or more often, and Ada and Cindy provide regular HIPAA reminders during team meetings. The ladies have also established a strong relationship with their IT Service Provider, Trinsic Technologies of Austin. They clearly understand the status of their IT systems and have an established IT strategy and plan. Lastly, Ada is maintaining a strong “book of evidence”, documenting all of the practice’s HIPAA activities and events.

HIPAA compliance is a never-ending journey, and there are always improvements to be made, but The Urology Team is well positioned for continued success with Ada and Cindy leading the way!

Take our free mini-Risk Assessment to see how compliant you are.

The post Culture of Compliance Awarded to The Urology Team appeared first on Third Rock.

Focus on Technology: Change Your Router Passwords!

Clint Eschberger — Tue, 17 Jan 2017 15:00:18 +0000

One of the most common services in healthcare is the connection to the internet. With all the focus on security and cyber breaches, one of the most vulnerable pieces on your connection to the internet is what is called the router / gateway. The router / gateway connects your computers and devices to the public internet and in many cases provides the initial security or barrier through the use of a built-in firewall.

The problem is, that while this is the door, the gateway to the internet, it is a two way door. Much like the door on your office or building, if it is not properly secured anyone can walk in. What makes this such an issue is the Internet Service Providers (ISP) that generally setup the router / gateway for your organization. Larger organizations may or may not take care of this themselves, but small and medium organizations rely on the ISP to do the install and setup.

Here comes the major problem!!

The ISP will generally leave the default username and password for the router / gateway. This means that anyone that gets on your network can simply connect to the router and use the commonly known list of default usernames and passwords to quickly access your router and change the settings to allow them to access your network from anywhere and steal data.

How to fix this

You have two options to correct this.

Most ISP’s have instructions on how to access and change the router’s username and password. You can login and change it yourself.
If you are unsure, contact the ISP and they can walk you through the process.

This is a critical issue that is extremely prevalent in many organizations, not just healthcare.

The post Focus on Technology: Change Your Router Passwords! appeared first on Third Rock.

Knock, Knock – We’re here to perform an onsite HIPAA audit.

Robert Felps — Thu, 05 Jan 2017 15:04:44 +0000

Welcome to 2017. If you haven’t heard, the Health and Human Services Office of Civil Rights (OCR) will perform several hundred on-site HIPAA audits this year. The possibility of being selected is highly unlikely, but if you are one of the “lucky” covered entities that is audited you had better be ready – with all your ducks in a row. Current HIPAA training is only one duck, you need at least four more. So, prepare to go duck hunting and get them in order sooner rather than later.

There are two very important issues to understand about this new process and the protocol the OCR implemented in 2016. The OCR now requires documented proof that covered entities and business associates have …

Implemented HIPAA specific Policies and Procedures (P&P) in 2016 showing a plan for risk management.
Documentation, including the P&Ps and logs of HIPAA activity, in electronic format for uploading to their web site.

Don’t forget the OCR expected the following for a HIPAA desk audit starting in 2015 and 2016.

A current annual Security Risk Analysis (SRA) based on the OCR SRA questions and/or the NIST 800 standard. In addition, a risk assessment that includes privacy is needed as well.
Current HIPAA training that includes privacy and cyber security training for all staff with access to PHI and ePHI.

The real takeaway? The OCR expects to automate auditing and all covered entities and business associates will be audited by 2019. The OCR expects covered entities and business associates to have HIPAA compliance documentation in electronic format starting in 2016. Make sure your HIPAA report, corrective actions and logs are in electronic format and that you can show improvement in your HIPAA compliance.

Call-To-Action: If you haven’t started and done all of the necessary steps to be HIPAA compliant, it’s time to take action and have a Risk Assessment done immediately and make sure it’s delivered and available in electronic format, preferably online.

The post Knock, Knock – We’re here to perform an onsite HIPAA audit. appeared first on Third Rock.

Value Proposition of a Next-Generation Compliance Platform (2 of 2)

Robert Felps — Thu, 27 Oct 2016 14:00:51 +0000

This is the second in a two part series concerning the value of compliance. Our mission is, Worry-Free Compliance, to help you obtain a culture of compliance through normal business operations. Our vision is to reduce the complexity, cost and burden of HIPAA compliance using a next-generation compliance management platform.

What does a next-generation management platform provide? Here’s a list:

- Complete
  - Manages the entire compliance process
  - Maintains custom policies and procedures
  - Provides and tracks training
  - Creates & maintains Body of Evidence for audits
- Simple and Easy
  - Understandable format, HIPAA expertise not required
  - Logic driven questions reduces assessment time
  - Supporting documentation easily attached and managed
  - Generates electronic reports for audits
- Significantly Reduces Time and Effort
  - Intuitive, step-by-step workflow
  - Provides remediation guidance and support
  - Automates building the body of evidence
  - Reduces man-hours by over 50%
  - Reduces overall cost of HIPAA compliance by 65%
- Greatly reduces liabilities

Before you buy a HIPAA kit that will sit on your shelves and collect dust or hire a HIPAA auditor/consultant to perform a security risk analysis for you, then leaves you a checklist of issues to correct, you should consider using an online tool that makes you more compliant, in less time and helps you maintain your culture of compliance.

The first post in this two-part series was Value Proposition of HIPAA Compliance.

Take our free mini-Risk Assessment to see how compliant you are.

Protect your patients, protect your practice, protect yourself.

The post Value Proposition of a Next-Generation Compliance Platform (2 of 2) appeared first on Third Rock.

Protect your patients, protect your practice, protect yourself.

Robert Felps — Thu, 29 Sep 2016 14:00:10 +0000

The healthcare industry is beginning to realize that HIPAA is here to stay and they are probably going to be audited sooner or later. What physicians and all healthcare providers need to understand is that if you don’t protect your patients’ PHI/ePHI the following can happen to your patients as a result of their identity being stolen and used.

NOT Protecting Your Patients’ (PHI/ePHI):

You can cause them financial difficulties or even financial ruin.
You can cause them undue stress, even a stroke or heart attack.
You can cause them to be denied healthcare insurance.
You can cause them to be denied healthcare services.
You can cause them to be denied medicines, treatments, and therapies.
You can cause them to be misidentified during healthcare treatment, causing incorrect operations, procedures, medicines, or even death.
You can cause the death of your patient.
You will suffer the consequences listed under “NOT Protecting Your Practice”.

You might think, these can’t happen, but all of them have already happened, with the exception of causing a death, but there have been several close calls with death because of identity theft.

What HIPAA “forces” you to do, is what you should already be doing: operating a safe, secure, efficient, productive, and profitable healthcare provider organization. That’s right, if you were doing what needs to be done to protect your patients’ PHI/ePHI, you would be HIPAA compliant and you would be protecting your practice (business) and yourself.

NOT Protecting Your Practice:

You will likely be breached and lose access to or have your patient’s ePHI stolen.
You will receive the maximum fine from the HHS OCR audit, which may close your doors.
You will likely have a class action lawsuit by your patients against you.
You will have approximately 40% of your patients abandon you and your services. (People don’t like having their identity stolen.)
You will have to pay for the remediation of your HIPAA non-compliance issues with government oversight.
You will have to pay for cyber theft protection insurance for all of your patients.
You will suffer from negative social media.
You will suffer major interruption to your cash flow.

And last but not least, you must realize you need to protect yourself. The HIPAA law provides for the prosecution of individuals who neglect to protect their patients’ PHI/ePHI or those individuals who destroy, lose, or steal a patient’s PHI/ePHI. If you don’t want to wear an orange jump suit you might want to consider working on becoming HIPAA compliant.

NOT Protecting yourself:

You could find yourself sued by patients.
You could find yourself fined for failure to protect PHI.
You could find yourself found guilty of breaking the law.
You could find yourself in federal prison.

Protect your patients, protect your practice, protect yourself.

I would strongly suggest you use a Compliance Management Platform to build the required body of evidence, reduce the work load, increase compliance, simplify electronic reporting and save money while working to become HIPAA compliant. Check out CompassDB™ at http://compassdb.com/.

If you want to know where you stand with your HIPAA compliance take the free HIPAA Quick-Check.

The post Protect your patients, protect your practice, protect yourself. appeared first on Third Rock.

Focus on Technology: HIPAA Quick Fixes

Clint Eschberger — Tue, 27 Sep 2016 14:00:37 +0000

While meeting all the HIPAA requirements for your technology (computer, network, etc.) requires some planning, there are some quick fixes that can greatly reduce the odds of your organization being breached while at the same time starting you on your path to compliance.

Below are some common issues that we see at all sizes of organizations. How you go about correcting some of them is determined by the size and resources of your organization.

Quick Fix #1

Issue: The operating system (i.e. Windows) on your organization’s computers / laptops is out of date.

Details: Hackers are constantly finding new ways into your computers. If you do not keep your computer up to date, it leaves these vulnerabilities open for attack.

Fix: For smaller organizations you will need to manually check each of your computers to make sure automatic updates are turned on and updating. Alternatively there are centralized patch management systems that can help, if you are running on a Windows domain.

Quick Fix #2

Issue: Weak password! Simple passwords DO NOT WORK!

Details: Hackers can download a tool off of the internet to crack passwords fairly easily. The weaker the password the more likely the hacker will be able to breach your computer and network.

Fix: Require that all users have unique accounts and passwords that are a minimum of 12 characters with a mix of UPPERCASE, lowercase, numbers, and at least one special character (i.e. !@#$%^&*). You should also have your users change their password every 90 days max. If you have a Windows domain you can enforce this with a domain policy.

Quick Fix #3

Issue: Outdated Antivirus

Details: Similar to #1, if your antivirus is out of date, your computers and networks are vulnerable to the latest virus’, malware, and ransomware.

Fix: Check all of your computer’s antivirus software to ensure that it still has an active subscription, is running, and is being updated. Most major antivirus companies have business versions of their product that allow you to centrally manage the antivirus and reduce the likelihood of something happening.

Quick Fix #4

Issue: Lack of trained staff

Details: Staff that has not been trained to watch out for malware in emails or on the web is generally the most likely way for your organization to become a victim of malware or ransomware.

Fix: Ensure the staff is properly trained in HIPAA. There are plenty of online training courses that are neither expensive nor time consuming. While the return on investment may be hidden, it is huge.

The post Focus on Technology: HIPAA Quick Fixes appeared first on Third Rock.

Focus on Security: Backups – The Ultimate Cyber-Security Weapon

Robert Felps — Thu, 05 May 2016 14:00:46 +0000

Backups, we all believe and trust they are being performed regularly and will work if we ever need to restore our business after a natural disaster, malicious attack or cyber-attack, such as ransom-ware. The reality is backups are not historically reliable and they become out of sight, out of mind! You need to ensure they are being performed regularly and restoring from the backup media works. ePHI data is highly desirable by criminals because it is worth far more than credit card information on the black market. Because of its value, Covered Entities and Business Associates are now the targets of cyber criminals. With ransomware on a rampage and breaches highly likely, now is the time to take action.

Backups are the ultimate digital security or at least the first priority.

Backups protect you from data loss and potential business ruin.
- because of natural disasters
- because of human mistakes or malicious acts
- because of criminal acts such as ransomware or destructive malware.
They do NOT however, protect you from data theft.
- You still need to take steps to secure your data.
- Consider encryption at rest and in motion.
- Implement a security plan that includes anti-virus, firewalls, password management, education, HIPAA compliance testing, Vulnerability testing and File Integrity Monitoring.

Steps to a safer more secure data life.

Perform backups on a regular schedule; nightly, weekly, monthly and quarterly.
Ensure the backups are stored in a safe and secure location, whether it’s physical media or offsite or cloud based.
- Do NOT store physical media near heat, water, sunlight or magnetic fields.
- Do NOT store data offline or in the cloud without good encryption.
- Redundant cloud storage is the most reliable media.
Verify the correct data is being backed up.
Encrypt the backed up data with at least 128 bit encryption, but 256 bit would be better.Verify the backed up data can be restored and used.
Check your backup reports daily to make sure the backup worked.

Hope this helps ensure you protect your patients, your practice and yourself.

The post Focus on Security: Backups – The Ultimate Cyber-Security Weapon appeared first on Third Rock.

Focus on Technology: ePHI Encryption

Robert Felps — Thu, 05 May 2016 13:30:30 +0000

Five years ago encryption was not common, nor cheap. Today, it’s everywhere and inexpensive to implement. Yet, healthcare still considers it a nuisance, ignores it or assumes their EHR or patient management software provides complete encryption. Consider the fact that ePHI is worth $500 per record and a credit card number is worth $0.50 (50 cents), it’s time for healthcare providers and their business associates to batten down the hatches on their ePHI. Cyber criminals want it and will find it. Meaning they will breach your defenses. Therefore, you must defeat the cyber theft from occurring by preventing the data from leaving in a usable format. Data encryption is the best way to protect it. Properly encrypted data is almost impossible to unencrypt, forcing cyber criminals to move on to the next easier set of valuable data.

Steps to take regarding ePHI and encryption:

Perform a Security Risk Assessment to identify everywhere you have ePHI.
Create a diagram of the ePHI at rest and in motion.
Create policies and procedures that address protecting, accessing and handling ePHI.
Ensure your software encrypts the ePHI in the database, in transmission and on the client.
- We have found many EHRs and patient management tools cache unencrypted ePHI on the local hard drive of workstations accessing the information. This is NOT good.
Encrypt your hard drives
Encrypt your backups.
Check that your encryption is working.
Check that your backups are working.

Hope this helps!

The post Focus on Technology: ePHI Encryption appeared first on Third Rock.

Reduce the Burden of HIPAA While Increasing Your Protection

Robert Felps — Mon, 02 May 2016 14:00:55 +0000

If you missed our recent webinar on Reduce the Burden of HIPAA While Increasing Your Protection you can watch it on-line now.

Ed Jones, Third Rock’s Chief Compliance Officer, keeps this presentation updated to help your stay current on HIPAA and cyber-security. We offer the course to professional associations and local healthcare societies, board of directors and executives and as a Continuing Education (CE) course. Contact us if you’re interested in a private webinar with Q&A.

Please join Ed Jones, Chief Compliance Officer and Robert Felps, CEO of Third Rock for a recording of our interactive webinar, from April 28th, that will help you understand:

How to reduce the burden of HIPAA Compliance
The reality of cyber-breaches.
Why reducing discovery time of a breach is critical.
Why recent HIPAA regulation changes are important to understand.
How to reduce potential fines for HIPAA non-compliance.
Protecting the equity you’ve built into your business!

Protect your Patients. Protect your Practice. Protect Yourself.

You may visit our videos page on our web site or our YouTube channel for other videos.

The post Reduce the Burden of HIPAA While Increasing Your Protection appeared first on Third Rock.