Is your company allowing employees to bring their own devices and use them to log onto the corporate network? If so, do you know what is happening on your network as well as how many devices are on your network?

Recently, I ran a network discovery at a company and found some interesting things. First, I ran the discovery during the “off hours,” meaning there should have been no one in the facility and only the automation and security systems operating.  Instead, the scan showed 70 computers, instruments, and printers running on the network.

Next, I ran the same scan during business hours ― full production and full staff – resulting in 120 devices being found on the network.  What were the additional devices?  Some of the devices were corporate workstations which get turned off overnight, and the remainder of the ‘new’ devices were personal cell phones.

Now, depending on how your networks are configured, that might not be a problem. In a properly segmented network, company-owned devices would have their own segment, and employees’ personal cell phones, laptops, and tablets would be on one or more additional segments. In this case, however, the staff members’ devices were also on the production network, introducing significant risk for the organization. Phones are susceptible to all the same types of malware and viruses as computers. Yet, phones and tablets are much less likely to be running anti-anything (e.g., anti-virus, -malware, or -spyware).

Additionally, a lot of cell phones support tethering, which would allow the user to exfiltrate data via the cell phone to another computer, server, or cloud repository without the company being able to detect it.  This would be done by connecting the device to the internal network and then tethering the device to the external network.  Once connected, data can flow both directions, e.g.: Good data (company confidential data) going out and Bad data (viruses, malware, spyware) coming in.  Or worse yet, someone else could establish a presence, which would allow them to attack other companies while disguised as your company or establish a server from which they transmit spam and porn from your network.

The lesson to learn is that things are never as easy or as secure as you think they are. Be diligent about policies, processes, and knowing what should be flowing where on your network.

If you have concerns about your cyber security and would like to improve your cyber confidence and compliance, please contact us at:  info@thirdrock.com

Building a Cyber Confident℠ World

Right now the healthcare industry is in the final race to complete the requirements for MACRA, the new reimbursement scheme for Medicare. Thousands of dollars are at risk – failing to satisfy the MACRA requirements in 2017 will result in payment reductions for all of 2019!

Submerged within the 2,398 pages of MACRA lies a key requirement for eligibility – completing a security risk assessment (SRA). The SRA is a “core requirement.”  Without an SRA, a healthcare practice can undo all their other efforts to achieve the high score needed to get full Medicare reimbursements and bonuses. In fact, without an SRA, a practice is likely to face payment penalties in 2019.

Be aware of two misunderstandings that give healthcare practices a false sense of security in meeting the annual requirement for a Security Risk Assessment:

• “My EHR is HIPAA-compliant, so I don’t need to do an SRA.”

Simply installing a certified electronic health record (EHR) does not fulfill the Meaningful Use or MACRA requirement for a security risk analysis.  Even with a certified EHR, you must perform a full security risk analysis to ensure that you are properly safeguarding all the protected health information (PHI) you maintain, whether in paper or electronic form.

• “My IT service takes care of all that security stuff.”

Don’t assume your IT service provider is taking care of security.  IT companies typically believe they are only responsible for installing a firewall and anti-virus application and keeping your computers running. They assume the Practice Manager is handling all other aspects of system security, including policies and procedures, staff training, password maintenance, mobile device management, and facility security.

The Security Risk Assessment isn’t just busy-work. Completing an SRA and fixing any identified gaps will increase your cybersecurity and complete a critical HIPAA requirement, saving you thousands in penalties and fines as well as protection from a breach.

Doing an SRA should be an important year-end “To do.”  It will give you peace of mind, letting you go into the New Year feeling more protected and positioned to increase your revenue. Don’t miss out!

If you have any questions about performing a Security Risk Assessment,

please contact us at: compliance@thirdrock.com.

Protect Your Patients.  Protect Your Practice.  Protect Yourself.™

Many of the issues we see in cybersecurity, whether you are in healthcare, retail, finance, etc., are by and large preventable. It is not about having a big budget or a large team of experts. No, some of it is just common sense. It is not unlike driving a car. When driving a car you take several basic, yet important, steps to try and lower your risk of an accident. You look both ways at a stop sign, you drive safely to avoid losing control, you keep your car in working condition, and just in case you are in an accident, you’re protected by your auto insurance.

Nothing really difficult. Does it mean you will never have an accident? Of course not, but you significantly lower your risk.

When trying to protect your organization’s information, some of the worst – and most common – information security errors are also the ones that are the most preventable. Let’s take a look…

Vigilance is often the first step. What do I mean, by vigilance? It is simply not taking security for granted. Far too often I hear, “The chances something will happen to us are so small.”  That always sounds good, until something happens.

Antivirus is something that is surprisingly overlooked. It is not always that organizations forget to install it, it is that they forget to keep it updated and the license renewed. If your Antivirus is outdated, for any reason, it is almost as bad as having no protection.

Email security is often overlooked, even though it is one of the easiest targets for hackers and cyber-thieves. Whether it is due to lack of end-user training or lack of security in place, it is a huge target for hackers. First and foremost your email users should be trained on proper email safety, such as how to avoid phishing messages.

Firewalls these days are often the first line of defense and for smaller shops they are often setup by the internet service provider. The bad thing about that is the provider often leaves the default username and password in place which allows hackers to easily gain access to the firewall and let themselves in the door without knocking. This is generally a very easy change that takes only a few minutes to correct.

Speaking of passwords! I hate to break it to you, “1234” or “password” is a really, really poor password.

Finally, one of the most common mistakes in cybersecurity is…

Backups! I know some are saying, “What do backups have to do with cybersecurity?”

EVERYTHING!

Not unlike having insurance for your car, it is only important when you need it the most. Backups are your insurance for bad things happening, whether it is a cybersecurity issue, an accidental file deletion, or a disaster. Having backups that are stored securely offsite are one of the most important steps to protect your business. There are many options to fit all budgets and organizations.

The biggest thing from all of this is to simply not overlook cybersecurity. I know it is easy to say, “It won’t happen to me.” but the odds are it will.

So, buckle up!

In recognition of October being National Cybersecurity Awareness Month, Third Rock is offering a FREE mini-Risk Assessment to promote the role cybersecurity plays in protecting your patients, your practice and yourself.  In addition, we welcome you to visit our HIPAA and Cybersecurity Resources page.  Do you have a cybersecurity question you’d like answered?  Email us at info@thirdrock.com or give us a call at 512.310.0020.  We’d be more than happy to help!

Protect Your Patients.  Protect Your Practice.  Protect Yourself.™

I thought about naming this blog “Would the Real Download Link Expose Yourself.”  But, a few people said that wasn’t a great title.  Go figure!

I’m sure you’ve visited a website to download something, maybe an image or install software or maybe some template to design a cool new flyer.  You’ve probably also clicked on a large green or teal or blue or some other lovely color button that said, “Download”, only to find out it was an ad to some trash item you’re not interested in nor do you want.  It’s an irritation and waste of time.  So, you return to your previous page or site and hunt for the real download link, which is often just the words “Download Here” linked to your download object.

What you may not realize is, these fake download buttons may be taking you to a site to infect your computer with a virus or malware or ransomware.  You think you just visited some jerk that wants to sell you some trash.  In reality, that’s the least of your worries.  It may be a site operated by cyber criminals trying to steal data from your computer or hijack your computer for their use.  From now on, double check that the Download link or button is the correct download link you want.

Here are some tips to help you identify the fake ones vs. the real ones.

1. Add a trustworthy ad blocker to your web browser.  uBlock Origin is a good one we use.
2. Learn to look at the “Download Button” and see if it has a the little ad play button (right arrow) in it or around it.
3. Put your mouse over the button and look at the URL it displays in the bottom left of your screen, if it’s not the local URL domain (of the current web site), something is probably not right, so don’t click.
4.  Better safe than sorry, only visit reputable sites to purchase goods online and download items.

Remember, be careful!

Join our free monthly newsletter to stay up-to-date on HIPAA and cybersecurity.

 Take our confidential free mini-Risk Assessment.

Protect Your Patients.  Protect Your Practice.  Protect Yourself.™

The EquiFax breach really has me angry.  Mostly because I have no control over any aspect of this mess.  EquiFax scoops up data on all of us without our consent.  They seem unaccountable and untouchable.   With a last name like mine, I’ve had many opportunities to dispute incorrect data on my credit reports, which is always time consuming and irritating.  They make it known how unimportant you are and assume you are “guilty” unless you prove otherwise.  They collect data on all the people in the U.S. old enough to make purchases using credit, and they don’t even bother to encrypt it!  Worse yet they didn’t even bother to patch their systems after they had several breaches earlier this year!  Talk about arrogant!

Is EquiFax just one bad apple?  Sadly, they are not.  Historically, industries with self-certification of compliance to data protection regulations have woefully low compliance.  Government surveys say the healthcare industry is about 15 percent compliant!  With respect to the credit card industry, they are better than the healthcare industry by a whopping 5 percent!  Eighty percent of businesses fall short.  The insurance and financial industries currently have NO regulations to protect your data!  The “good news” is regulations are being drafted and are being implemented starting with New York state.

I hope EquiFax is a tipping point for the consumers in our country!  It’s time we take control of our data and demand it is properly protected.  Nothing seems safe when each morning news declares there is another data breach and the North Koreans launched another missile! It is alarming and discouraging.  But I shouldn’t have to give away my hard-earned credit score to buy that shiny new toy for my man cave (I wish!) for a low price on the Internet. I shouldn’t have to worry that my most confidential data is in jeopardy because I had my annual physical! Should I buy that insurance policy to protect my family, or will the data I provide on the application fall into the hands of cybercriminals and cause significant damage to my family?

Going forward, I will do my homework when purchasing online by selecting reputable companies and not chasing the lowest price.  I will ask my doctor when was the last time his practice did a security risk assessment and all staff had cyber security training?  Does their medical system encrypt the data at all points (most don’t)?  I will look at my financial and insurance companies with a skeptical eye and make informed decisions.  I will also add my voice to the Equifax failure to better protect my children and their future.

I encourage you to take our confidential free mini-Risk Assessment to see how compliant your organization is. Should you discover you aren’t as compliant as you had hoped, contact us at compliance@thirdrock.com.  We’d be happy to help you improve your score and protect your patients, your practice, and yourself!

Heads up, everyone – our team has gotten phishing emails like this one posing as messages from DocuSign.

DON’T CLICK unless (a) the message is from someone you know and (b) is a message and document you were expecting.

If you receive too many documents via DocuSign to remember if you were expecting the message/document or not, take these precautions:

·         Hover your mouse over the Download link.

·         Carefully read the url that appears.

·         If the url is not for DocuSign, delete the email immediately.

·         Then ask your IT provider to ensure the web filter, firewall, and anti-virus are all up-to-date.

DocuSign is a legitimate business that provides a valuable service to the business community. This is not their fault – these messages are a hoax.

Contact us today if you would like to have your IT system scanned to identify unaddressed vulnerabilities.

Join our free monthly newsletter to stay up-to-date on HIPAA and cybersecurity.

Protect Your Patients. Protect your Practice. Protect Yourself. ™

Sometimes we tend to focus strictly on the technical side of security and compliance and fail to notice the very important issues hiding in plain sight. While a hacker breaking into your network and stealing ePHI is the threat that is being talked about the most, it is sometimes the overlooked old-fashioned threats that present the greater risk.

Think about how many times a patient record has been sitting somewhere and how long does it actually take for someone to pick it up and walk off? What about allowing easy access to documents or equipment that contain sensitive data? Over the years we have seen clients forget some of the simple things that they could do to protect patient information.

Below is a simple walk-through checklist that you can use to recognize and fix security issues that may be hiding in plain sight…

1. Have any documents been left on the counter face up when not in use?
2. Have patient documents been left on a surface that is accessible to patients, visitors, vendors, etc.?
3. Have paper charts been left unattended where someone could grab them while walking down a hall?
4. Are all discarded documents containing PHI shredded or placed in a locked container to await shredding?
5. Have security cameras been installed to track unauthorized access to anywhere patient data could be found?
6. When calling a patient from the waiting room, do staff use only the patient’s name, and preferably only a first name?
7. Have staff logged out of all unattended computers, especially those in exam rooms and publicly-accessible hallways?
8. Do you and your staff lock unattended rooms that could provide access to the network or computer equipment?
9. Is the back door (or other secondary entrance) ever left open or unlocked for any reason?
10. Do you and your staff lock offices when unattended?

Sometimes, just by walking through on a weekly basis you can find simple issues that need to be addressed. We recommend doing this during business hours as you want to see what your visitors see. Not only will this help you be more vigilant in your security, but it will allow visitors to rest easier seeing that you are actively taking steps to protect them and their health information.

Protect Your Patients.  Protect Your Practice.  Protect Yourself.™

info@thirdrock.com | 512.310.0020