<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	
	xmlns:georss="http://www.georss.org/georss"
	xmlns:geo="http://www.w3.org/2003/01/geo/wgs84_pos#"
	>

<channel>
	<title>Policies &amp; Procedures Archives - Third Rock</title>
	<atom:link href="https://thirdrock.com/blog/category/policies-procedures/feed/" rel="self" type="application/rss+xml" />
	<link>https://thirdrock.com/blog/category/policies-procedures/</link>
	<description>Building a Cyber Confident World</description>
	<lastBuildDate>Thu, 26 Mar 2020 19:31:10 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>https://wordpress.org/?v=6.5.8</generator>

<image>
	<url>https://i0.wp.com/thirdrock.com/wp-content/uploads/cropped-favicon-check.png?fit=32%2C32&#038;ssl=1</url>
	<title>Policies &amp; Procedures Archives - Third Rock</title>
	<link>https://thirdrock.com/blog/category/policies-procedures/</link>
	<width>32</width>
	<height>32</height>
</image> 
<site xmlns="com-wordpress:feed-additions:1">65153150</site>	<item>
		<title>Cyber Protection as Your Business Deals with Social Distancing</title>
		<link>https://thirdrock.com/blog/2020/03/10/cyber-protection-as-your-business-deals-with-social-distancing/</link>
		
		<dc:creator><![CDATA[Cathy Diehl]]></dc:creator>
		<pubDate>Tue, 10 Mar 2020 12:00:00 +0000</pubDate>
				<category><![CDATA[Cybersecurity]]></category>
		<category><![CDATA[Policies & Procedures]]></category>
		<category><![CDATA[Third Rock]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[Pandemic]]></category>
		<guid isPermaLink="false">https://thirdrock.com/?p=8918</guid>

					<description><![CDATA[<p>The post <a href="https://thirdrock.com/blog/2020/03/10/cyber-protection-as-your-business-deals-with-social-distancing/">Cyber Protection as Your Business Deals with Social Distancing</a> appeared first on <a href="https://thirdrock.com">Third Rock</a>.</p>
]]></description>
										<content:encoded><![CDATA[<div class="et_pb_section et_pb_section_0 et_section_regular" >
				<div class="et_pb_row et_pb_row_0">
				<div class="et_pb_column et_pb_column_4_4 et_pb_column_0  et_pb_css_mix_blend_mode_passthrough et-last-child">
				<div class="et_pb_module et_pb_text et_pb_text_0  et_pb_text_align_left et_pb_bg_layout_light">
				<div class="et_pb_text_inner"><h2>Cyber Safety Tips for Businesses When Employees Work from Home</h2>
<p>With the threat of the Coronavirus, many companies are allowing or requiring employees to work from home. If your company handles protected information, such as healthcare, financial, consumer or personal data, you should already have policies and procedures in place to protect that data within your normal work environment. However, having your workforce suddenly need to access this information from home may not be normal. Systems may be overloaded, sensitive information may be distributed in ways you never anticipated, and lines of communication may be disrupted. Do your policies and procedures cover such a situation, like a pandemic? Here are 6 tips to best protect your business and your clients.</p>
<h3>Train Your Employees</h3>
<p>We are not talking about the standard once-a-year, boring videos people half-heartedly watch so they can print off a certificate proving they did it. Your employees <u>must</u> know the key elements of cyber safety and be regularly reminded of them. If nothing else, make sure they know these 3 things.</p>
<ol>
<li><u>Anticipate phishing and spear phishing attacks</u>. Word will travel fast that everyone is working from home. Hackers will recognize you are vulnerable and try to take advantage of it. Tell your workforce to anticipate phishing and spear phishing attacks that will attempt to take advantage of pandemic fears. Give visual examples, have your IT staff on high alert searching for phishing attempts, and contact employees immediately when one gets through your filters.</li>
<li><u>Do not access sensitive information on unauthorized devices</u>. The biggest culprit: cell phones. Have policies about what devices they are allowed to use to remotely access information and make sure they know. Never store sensitive information unencrypted on a portable device.</li>
<li><u>Do not access sensitive information on unsecured networks</u>. Like working from Starbucks because they have free WiFi? That may be fine for personal use, but not when you’re accessing sensitive information. Public WiFi makes it easy for a hacker to infiltrate your computer and steal the information you accessed.</li>
</ol>
<h3>Determine Critical Processes and Access Control</h3>
<p>This is a key component of any pandemic plan. Who is authorized to access sensitive information, and how do you ensure they can actually access it in a highly distributed environment? Minimize your exposure by controlling access to data. Not everyone working from home needs access to sensitive information. Make sure you lock down access to only essential employees. Follow through by monitoring who is accessing data, what they are accessing and why.</p>
<h3>Multifactor Authentication</h3>
<p>For those employees who need to access sensitive information, require multifactor authentication every time they remotely access a private server. This is an easy step to implement that can have a big impact on keeping cyber criminals out. Explain to your employees why multifactor authentication is an important safety capability.</p>
<h3>Network Access Control</h3>
<p>While you should train your employees not to access sensitive information on unsecured networks (see tip #1), you can also implement access controls that actually block a user who does not meet a certain level of security. You should implement a Virtual Private Network (VPN), which provides stronger protection for workers using home or public internet connections that are not themselves secure. It’s fairly easy and inexpensive to implement. For more information on VPNs, <a href="https://www.techradar.com/vpn/best-vpn">click here</a>.</p>
<h3>Encrypt Data</h3>
<p>If information is stored locally on a device, make sure it is encrypted. Portable devices containing sensitive information are often stolen. The simple step of encryption protects your clients’ information and protects you from hefty breach costs and fines.</p>
<h3>Provide Company Devices</h3>
<p>Laptops and cell phones should always be running the most up-to-date version of an operating system available (e.g. Windows 10 rather than Windows 8). They should also have up-to-date firewall protections and antivirus software. If employees are permitted to use personal devices, it is difficult to ensure these protections stay up to date. Providing company devices that are properly configured and regularly updated helps strengthen the barrier against cyber criminals.</p>
<p>Protection doesn’t have to be complicated, but it does have to be intentional. Simple steps taken by the company and the employees can go a long way. While we want to stay physically safe through this wave of the Coronavirus, let’s make sure we stay cyber safe too.</p>
<p>Concerned whether you have the right precautions and planning in place? Contact Third Rock at info@thirdrock.</p></div>
			</div>
			</div>
			</div>
			</div>
<p>The post <a href="https://thirdrock.com/blog/2020/03/10/cyber-protection-as-your-business-deals-with-social-distancing/">Cyber Protection as Your Business Deals with Social Distancing</a> appeared first on <a href="https://thirdrock.com">Third Rock</a>.</p>
]]></content:encoded>
		<post-id xmlns="com-wordpress:feed-additions:1">8918</post-id>	</item>
		<item>
		<title>Could this breach have been prevented? – A new series</title>
		<link>https://thirdrock.com/blog/2017/09/26/could-this-breach-have-been-prevented-a-new-series/</link>
		
		<dc:creator><![CDATA[Julie Rennecker, PhD, BSN]]></dc:creator>
		<pubDate>Tue, 26 Sep 2017 14:00:37 +0000</pubDate>
				<category><![CDATA[Compliance & Security]]></category>
		<category><![CDATA[HIPAA Training]]></category>
		<category><![CDATA[Policies & Procedures]]></category>
		<category><![CDATA[Risk Management]]></category>
		<category><![CDATA[compliance]]></category>
		<category><![CDATA[continuous improvement]]></category>
		<category><![CDATA[culture of compliance]]></category>
		<category><![CDATA[HIPAA compliance]]></category>
		<category><![CDATA[HIPAA Security]]></category>
		<category><![CDATA[information security]]></category>
		<category><![CDATA[leadership]]></category>
		<category><![CDATA[policies and procedures]]></category>
		<category><![CDATA[prevention]]></category>
		<category><![CDATA[privacy]]></category>
		<category><![CDATA[privacy training]]></category>
		<category><![CDATA[process improvement]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[security training]]></category>
		<guid isPermaLink="false">https://thirdrock.com/?p=4572</guid>

					<description><![CDATA[<p>The post <a href="https://thirdrock.com/blog/2017/09/26/could-this-breach-have-been-prevented-a-new-series/">Could this breach have been prevented? – A new series</a> appeared first on <a href="https://thirdrock.com">Third Rock</a>.</p>
]]></description>
										<content:encoded><![CDATA[<div class="et_pb_section et_pb_section_1 et_section_regular" >
				<div class="et_pb_row et_pb_row_1">
				<div class="et_pb_column et_pb_column_4_4 et_pb_column_1  et_pb_css_mix_blend_mode_passthrough et-last-child">
				<div class="et_pb_module et_pb_text et_pb_text_1  et_pb_text_align_left et_pb_bg_layout_light">
				<div class="et_pb_text_inner"><p><img data-recalc-dims="1" fetchpriority="high" decoding="async" class="alignleft wp-image-4087 size-medium" src="https://i0.wp.com/thirdrock.com/wp-content/uploads/continuous-improvment-yellow-keyboard-key.jpg?resize=300%2C200&#038;ssl=1" alt="" width="300" height="200" scale="0" style="font-size: 12px; margin-top: 5px; margin-right: 10px;" /></p>
<p>One of the first lessons of process improvement is that <em>preventing errors is much less expensive and time-consuming than remedying the damage after the fact</em>. The same is true for an information breach. The time and cost for installing new software, training staff members, and reinforcing policies and procedures pales in comparison to cleaning up the damage of an information privacy or security breach.</p>
<p>Recent headlines of multi-million-dollar OCR fines and the hundreds, thousands – even millions! – of lives affected suggest the scale of the damage to both businesses and individuals. The news reports rarely explain, however, exactly <em>how</em> the breach could have been averted. This is the first in a new series of articles using publicly reported breaches as teaching opportunities for breach prevention. These are not intended as an “I told you so” for the organizations breached – each incident could happen at almost any healthcare organization today. <em>The goal is for all of us to continuously improve our understanding of the risks to patient information and the options available to us for protecting that information without creating an oppressive atmosphere for our patients, staff, and visitors.</em></p>
<p><strong><em>Unauthorized photographs of a surgical patient</em></strong></p>
<p>This first example was reported in the <em>HIPAAJournal</em> just last week. Basically, surgical staff members photographed a patient’s genital injury using their personal phones and shared the photos with friends. Details of the incident are available in the <a href="https://www.hipaajournal.com/hospital-staff-discovered-taken-shared-photographs-patients-genital-injury-8968/">HIPAAJournal post</a>. What we want to focus on here is whether and how management could have prevented this breach.</p>
<p>This incident is particularly egregious because the information disclosed was so sensitive and because so many health care professionals and staff members – the very people charged with keeping the patient and his information safe – were complicit in the violation. I understand that in the face of such irresponsible behavior, a manager might be tempted to feel helpless &#8211; “I can’t watch every person every minute. What can I possibly do to make sure none of my staff ever do something stupid?” Here are some suggestions.</p>
<p><strong>Action 1: Policy disallowing use of personal phones in the OR (or any patient area) <em>for any reason</em></strong>.</p>
<p><img data-recalc-dims="1" loading="lazy" decoding="async" class="size-medium wp-image-4187 alignright" src="https://i0.wp.com/thirdrock.com/wp-content/uploads/ISS_8815_00637.jpg?resize=300%2C200&#038;ssl=1" alt="" width="300" height="200" scale="0" srcset="https://i0.wp.com/thirdrock.com/wp-content/uploads/ISS_8815_00637.jpg?resize=300%2C200&amp;ssl=1 300w, https://i0.wp.com/thirdrock.com/wp-content/uploads/ISS_8815_00637.jpg?resize=768%2C512&amp;ssl=1 768w, https://i0.wp.com/thirdrock.com/wp-content/uploads/ISS_8815_00637.jpg?resize=1024%2C683&amp;ssl=1 1024w, https://i0.wp.com/thirdrock.com/wp-content/uploads/ISS_8815_00637.jpg?w=2160&amp;ssl=1 2160w, https://i0.wp.com/thirdrock.com/wp-content/uploads/ISS_8815_00637.jpg?w=3240&amp;ssl=1 3240w" sizes="(max-width: 300px) 100vw, 300px" /></p>
<p>As a former frontline nurse, I understand the tendency to scoff at policy – “What good’s a policy? People will do whatever they want to anyway!” There’s some truth to that – practice never perfectly matches policy – but <em>what a policy does do is establish clear guidelines for expected behavior.</em></p>
<p>If the hospital wants staff to have mobile communications, they need to supply them with Vocera badges or other devices and not rely on staff members’ personal telephones. Personal phones can be used at the desk and in the break room, but not in patient areas – period. <em>Responsibility for enforcing the policy must be shared</em> by charge nurses and circulating nurses, not just the department manager or director. A charge nurse found not to be enforcing the policy could be suspended just as if s/he had been using the phone him or herself.</p>
<p><strong>Action 2: Intensive staff training, retraining, and reinforcement</strong>.</p>
<p>The speed and shamelessness with which these staff members brandished their phones suggests gross ignorance of the HIPAA Privacy and Security Requirements <em>and</em> of the potential consequences for violating them – termination, civil charges and fines, and criminal charges that could include probation or jail time.  <em>Staff should receive comprehensive HIPAA training during their orientation before being given access to patients or PHI.</em> That <em>training should then be reinforced</em> with shorter refresher courses and/or routine discussions of patient privacy and information security in staff meetings, organizational Town Hall sessions, and online forums on the organization’s intranet.</p>
<p><strong>Action 3: Leadership in the moment</strong>.</p>
<p><img data-recalc-dims="1" loading="lazy" decoding="async" class="alignleft wp-image-4149 size-medium" style="margin-top: 5px; margin-right: 10px;" src="https://i0.wp.com/thirdrock.com/wp-content/uploads/02G68129.jpg?resize=300%2C211&#038;ssl=1" alt="" width="300" height="211" scale="0" srcset="https://i0.wp.com/thirdrock.com/wp-content/uploads/02G68129.jpg?resize=300%2C211&amp;ssl=1 300w, https://i0.wp.com/thirdrock.com/wp-content/uploads/02G68129.jpg?resize=768%2C540&amp;ssl=1 768w, https://i0.wp.com/thirdrock.com/wp-content/uploads/02G68129.jpg?resize=1024%2C720&amp;ssl=1 1024w, https://i0.wp.com/thirdrock.com/wp-content/uploads/02G68129.jpg?w=2160&amp;ssl=1 2160w, https://i0.wp.com/thirdrock.com/wp-content/uploads/02G68129.jpg?w=3240&amp;ssl=1 3240w" sizes="(max-width: 300px) 100vw, 300px" />In the OR, the anesthesiologist, the surgeon, and the circulating nurse all possess significant authority. Any one of these individuals could have called a halt, required everyone to power off their phones, sealed the room, and called hospital security to confiscate the phones until someone from IT could sit with each individual involved to clear the photos.</p>
<p>This action is still more Band-aid than prevention, but <em>it is the actions of leaders in the heat of the moment that either reinforce or undermine policy and training.</em> It did sound like the executives were taking the incident very seriously and had applied appropriate sanctions. It may also have been the case that the circulating nurse or surgeon brought the incident to the executives’ attention – that information wasn’t included in the article. The critical takeaway is that <em>protecting patient privacy, confidentiality, and information security are now as important a leadership responsibility as patient safety and infection control.</em></p>
<p>The above actions, taken together, are the pillars of creating a Culture of Compliance. Whether the focus of the compliance is HIPAA, CLABSI protocols, or hand washing – <em>all require clear expectations, appropriate training, and unrelenting leadership</em>. Culture is powerful – the trick is to create a culture that makes it easy – automatic – to <em>do the right thing</em>.</p>
<p>Our very best wishes to the patient and everyone at UPMC Bedford Memorial trying to remedy the situation.</p>
<p>If you need assistance establishing a <em>culture of compliance</em> please contact us at <a href="mailto:compliance@thirdrock.com">compliance@thirdrock.com</a></p>
<p style="text-align: center;"><strong>Protect Your Patients.  Protect Your Practice.  Protect Yourself.™</strong></p></div>
			</div>
			</div>
			</div>
			</div>
<p>The post <a href="https://thirdrock.com/blog/2017/09/26/could-this-breach-have-been-prevented-a-new-series/">Could this breach have been prevented? – A new series</a> appeared first on <a href="https://thirdrock.com">Third Rock</a>.</p>
]]></content:encoded>
		<post-id xmlns="com-wordpress:feed-additions:1">4572</post-id>	</item>
		<item>
		<title>Flooding: Are You Prepared?</title>
		<link>https://thirdrock.com/blog/2017/08/25/flooding-are-you-prepared/</link>
		
		<dc:creator><![CDATA[Robert Felps]]></dc:creator>
		<pubDate>Fri, 25 Aug 2017 12:03:08 +0000</pubDate>
				<category><![CDATA[Disaster Recovery (BCDR)]]></category>
		<category><![CDATA[Policies & Procedures]]></category>
		<category><![CDATA[Project Management]]></category>
		<category><![CDATA[Risk Management]]></category>
		<category><![CDATA[backups]]></category>
		<category><![CDATA[disaster recovery]]></category>
		<guid isPermaLink="false">https://thirdrock.com/?p=4346</guid>

					<description><![CDATA[<p>The post <a href="https://thirdrock.com/blog/2017/08/25/flooding-are-you-prepared/">Flooding: Are You Prepared?</a> appeared first on <a href="https://thirdrock.com">Third Rock</a>.</p>
]]></description>
										<content:encoded><![CDATA[<div class="et_pb_section et_pb_section_2 et_section_regular" >
				<div class="et_pb_row et_pb_row_2">
				<div class="et_pb_column et_pb_column_4_4 et_pb_column_2  et_pb_css_mix_blend_mode_passthrough et-last-child">
				<div class="et_pb_module et_pb_text et_pb_text_2  et_pb_text_align_left et_pb_bg_layout_light">
				<div class="et_pb_text_inner"><p><img data-recalc-dims="1" loading="lazy" decoding="async" class="alignleft wp-image-4355" style="margin-top: 5px; margin-right: 10px;" src="https://i0.wp.com/thirdrock.com/wp-content/uploads/man-sitting-on-roof-in-flood-cartoon.jpg?resize=198%2C174&#038;ssl=1" alt="" width="198" height="174" /></p>
<p><span style="font-size: 12px;">Here in Texas, the Gulf Coast is about to take a direct hit from a hurricane that is expected to dump up to 30 inches of rain in some locations and up to 10 inches across large areas. That kind of rain will definitely cause serious flooding.  It&#8217;s a little late for the Texas coastal bend area and the large inland areas that will be hit the hardest to take planning steps for disaster recovery. They&#8217;re in emergency evacuation mode already, protecting life and reducing property damage. What we can learn from these tremendous forces of nature is that disaster recovery needs to be part of all businesses&#8217; Standard Operating Procedures &#8211; including our own.  What does this mean?</span></p>
<ol>
<li>Make sure the backups of your critical data are current &#8211; <em>and can be restored</em>.</li>
<li>Make sure your important equipment &#8211; servers, workstations, laptops, medical equipment, etc. needed to perform regular work &#8211; is protected or stored above flood level.</li>
<li>Have a plan for communicating with co-workers and employees, including a list of phone numbers or a text group set up on your phone in advance.</li>
<li>Have a plan and the phone numbers for communicating with authorities &#8211; e.g. 911, police, fire department, EMS.</li>
<li>Have a plan outlining how to recover the core equipment and personnel necessary to bring your business and services back online.</li>
</ol>
<p><strong>The preferred approach is to create a Disaster Recovery (DR) plan.</strong> These can easily be 50-page documents, so it will take a lot of time and knowledge to create the plan. I would not suggest buying a template &#8211; these are typically instructions for creating a plan, not an actual plan.</p>
<p>To help you get started, here&#8217;s an outline from our own Disaster Recovery Plan.</p>
<p>We include a DR plan with our HIPAA compliance package. It&#8217;s required by the Federal government, so we help our clients by providing a ready-to-use DR plan. You still have to fill in your business&#8217; specific information, but it will reduce your initial creation time by about 70%.</p>
<p>Join our free monthly <a href="http://thirdrock.us3.list-manage2.com/subscribe?u=1649a45c35ac1a873bb99bdb8&amp;id=7d7bf2b255">newsletter</a> to stay up-to-date on HIPAA and cybersecurity.</p></div>
			</div>
			</div>
			</div>
			</div>
<p>The post <a href="https://thirdrock.com/blog/2017/08/25/flooding-are-you-prepared/">Flooding: Are You Prepared?</a> appeared first on <a href="https://thirdrock.com">Third Rock</a>.</p>
]]></content:encoded>
		<post-id xmlns="com-wordpress:feed-additions:1">4346</post-id>	</item>
		<item>
		<title>Incidental Exposures – What are they and what is their impact?</title>
		<link>https://thirdrock.com/blog/2017/08/10/incidental-exposures-what-are-they-and-their-impact/</link>
		
		<dc:creator><![CDATA[Ed Jones, PMP, CHSP]]></dc:creator>
		<pubDate>Thu, 10 Aug 2017 14:00:05 +0000</pubDate>
				<category><![CDATA[Compliance & Security]]></category>
		<category><![CDATA[Policies & Procedures]]></category>
		<category><![CDATA[Risk Management]]></category>
		<category><![CDATA[Third Rock]]></category>
		<category><![CDATA[incidental exposure]]></category>
		<guid isPermaLink="false">http://thirdrock.com/?p=4181</guid>

					<description><![CDATA[<p>The post <a href="https://thirdrock.com/blog/2017/08/10/incidental-exposures-what-are-they-and-their-impact/">Incidental Exposures – What are they and what is their impact?</a> appeared first on <a href="https://thirdrock.com">Third Rock</a>.</p>
]]></description>
										<content:encoded><![CDATA[<div class="et_pb_section et_pb_section_3 et_section_regular" >
				<div class="et_pb_row et_pb_row_3">
				<div class="et_pb_column et_pb_column_4_4 et_pb_column_3  et_pb_css_mix_blend_mode_passthrough et-last-child">
				<div class="et_pb_module et_pb_text et_pb_text_3  et_pb_text_align_left et_pb_bg_layout_light">
				<div class="et_pb_text_inner"><p><img data-recalc-dims="1" loading="lazy" decoding="async" class="alignright wp-image-4186" style="margin-left: 10px; margin-top: 5px;" src="https://i0.wp.com/thirdrock.com/wp-content/uploads/Security-Breach-in-green-on-wooden-tiles.jpg?resize=209%2C92&#038;ssl=1" alt="" width="209" height="92" srcset="https://i0.wp.com/thirdrock.com/wp-content/uploads/Security-Breach-in-green-on-wooden-tiles.jpg?resize=300%2C132&amp;ssl=1 300w, https://i0.wp.com/thirdrock.com/wp-content/uploads/Security-Breach-in-green-on-wooden-tiles.jpg?w=453&amp;ssl=1 453w" sizes="(max-width: 209px) 100vw, 209px" /></p>
<p>A number of customers contacted me recently concerning possible breaches and what they should do. After reviewing their situations, these were actually <em>incidental exposures</em>. What is an incidental exposure? <strong>It is a secondary use or disclosure that cannot reasonably be prevented, is limited in nature, and that occurs as a result of another use or disclosure that is permitted by the Rule. </strong> Typical examples in the healthcare setting include conversations between patients and doctors where complete privacy is not practical, or patients&#8217; charts being visible to unauthorized people during transfer between areas.</p>
<p>The Privacy Rule does not require elimination of all incidental exposures. That is just not practical. In August 2002, specific modifications to the Rule were adopted to clarify that <strong>incidental disclosures do not violate the Privacy Rule when you have policies which reasonably safeguard and appropriately limit how protected health information (PHI) is used and disclosed.</strong> (see 45 CFR 164.502(a)(1)(iii)) If the incidental exposure is a by-product of an underlying use or disclosure which violates the Privacy Rule, then the incidental exposure is a violation as well.</p>
<p><strong>Whether an incidental exposure is a violation primarily depends on whether you have “policies which reasonably safeguard and appropriately limit how PHI is used and disclosed.”</strong> What does that mean? A covered entity must have the appropriate administrative, technical and physical safeguards in place. Appropriate means reasonable for the size of your organization. If your organization has performed a security risk assessment yet is not practicing risk management, you are not there. Covered entities must also implement reasonable <em>minimum necessary</em> policies and procedures that limit how much PHI is used, disclosed, and requested for certain purposes. As before, an incidental use or disclosure that occurs as a result of a failure to apply reasonable safeguards or the minimum necessary standard is a violation of the Privacy Rule.</p>
<p><img data-recalc-dims="1" loading="lazy" decoding="async" class="alignright wp-image-4187" style="margin-left: 10px; margin-top: 5px;" src="https://i0.wp.com/thirdrock.com/wp-content/uploads/ISS_8815_00637.jpg?resize=200%2C133&#038;ssl=1" alt="" width="200" height="133" srcset="https://i0.wp.com/thirdrock.com/wp-content/uploads/ISS_8815_00637.jpg?resize=300%2C200&amp;ssl=1 300w, https://i0.wp.com/thirdrock.com/wp-content/uploads/ISS_8815_00637.jpg?resize=768%2C512&amp;ssl=1 768w, https://i0.wp.com/thirdrock.com/wp-content/uploads/ISS_8815_00637.jpg?resize=1024%2C683&amp;ssl=1 1024w, https://i0.wp.com/thirdrock.com/wp-content/uploads/ISS_8815_00637.jpg?w=2160&amp;ssl=1 2160w, https://i0.wp.com/thirdrock.com/wp-content/uploads/ISS_8815_00637.jpg?w=3240&amp;ssl=1 3240w" sizes="(max-width: 200px) 100vw, 200px" /></p>
<p>In summary, if your organization is actively engaged in HIPAA compliance and has adopted the proper policies and procedures, you probably don’t have to worry about incidental exposures. Take time to document them and make them “teachable moments” for the workforce. This will improve your processes, compliance, and security. On the other hand, if you aren’t taking HIPAA compliance seriously, an incidental exposure can result in an audit and significant fines if reported by an unhappy patient or disgruntled employee.</p>
<p style="text-align: center;">If you have any questions about incidental disclosures or HIPAA, please contact us at: <a href="mailto:compliance@thirdrock.com">compliance@thirdrock.com</a></p>
<p style="text-align: center;"><strong>Protect Your Patients.  Protect Your Practice.  Protect Yourself.™</strong></p></div>
			</div>
			</div>
			</div>
			</div>
<p>The post <a href="https://thirdrock.com/blog/2017/08/10/incidental-exposures-what-are-they-and-their-impact/">Incidental Exposures – What are they and what is their impact?</a> appeared first on <a href="https://thirdrock.com">Third Rock</a>.</p>
]]></content:encoded>
		<post-id xmlns="com-wordpress:feed-additions:1">4181</post-id>	</item>
		<item>
		<title>Missing the Target of HIPAA &#8211; Part 3</title>
		<link>https://thirdrock.com/blog/2017/05/04/missing-the-target-of-hipaa-part-3/</link>
		
		<dc:creator><![CDATA[Ed Jones, PMP, CHSP]]></dc:creator>
		<pubDate>Thu, 04 May 2017 14:00:53 +0000</pubDate>
				<category><![CDATA[Compliance & Security]]></category>
		<category><![CDATA[HIPAA Training]]></category>
		<category><![CDATA[Policies & Procedures]]></category>
		<category><![CDATA[Risk Management]]></category>
		<category><![CDATA[breach of ePHI]]></category>
		<category><![CDATA[encryption]]></category>
		<category><![CDATA[HIPAA compliance]]></category>
		<category><![CDATA[policies and procedures]]></category>
		<category><![CDATA[Risk Management Plan]]></category>
		<category><![CDATA[security risk analysis]]></category>
		<guid isPermaLink="false">http://thirdrock.com/?p=3640</guid>

					<description><![CDATA[<p>The post <a href="https://thirdrock.com/blog/2017/05/04/missing-the-target-of-hipaa-part-3/">Missing the Target of HIPAA &#8211; Part 3</a> appeared first on <a href="https://thirdrock.com">Third Rock</a>.</p>
]]></description>
										<content:encoded><![CDATA[<div class="et_pb_section et_pb_section_4 et_section_regular" >
				<div class="et_pb_row et_pb_row_4">
				<div class="et_pb_column et_pb_column_4_4 et_pb_column_4  et_pb_css_mix_blend_mode_passthrough et-last-child">
				<div class="et_pb_module et_pb_text et_pb_text_4  et_pb_text_align_left et_pb_bg_layout_light">
				<div class="et_pb_text_inner"><p><img data-recalc-dims="1" loading="lazy" decoding="async" class="wp-image-1187 size-full alignright" style="margin-top: 8px; margin-left: 10px;" src="https://i0.wp.com/thirdrock.com/wp-content/uploads/Training_billboard.jpg?resize=267%2C200&#038;ssl=1" alt="" width="267" height="200" /></p>
<p>If you haven&#8217;t read my previous two blogs on this topic I encourage you to do so. The <a href="http://thirdrock.com/blog/2017/03/07/missing-the-target-of-hipaa/">first blog</a> stresses the importance of being <a href="http://thirdrock.com/blog/2017/03/07/missing-the-target-of-hipaa/"><strong>risk management proficient</strong></a> over being a HIPAA “expert”. The <a href="http://thirdrock.com/blog/2017/04/06/missing-the-hipaa-target-part-2/">second blog</a> deals with being <a href="http://thirdrock.com/blog/2017/04/06/missing-the-hipaa-target-part-2/"><strong>accountable</strong></a> in your work actions, which means not only are you responsible for your actions, but your actions can be independently verified. These two “factors” can go a long way toward protecting your organization from the risks of a breach and from substantial penalties and fines for failure to comply with HIPAA regulations. A coworker forwarded an article to me that provides a good example of both of these traits, or rather the lack of them, but also emphasizes the next important step, <strong>training</strong>.</p>
<p>The National Law Review article published on April 27<sup>th</sup> stated that the U.S. Department of Health and Human Services&#8217; Office for Civil Rights (OCR) announced a settlement for a breach of electronic protected health information (ePHI).  This is the first settlement of a wireless health services provider, which totaled $2.5 million.  The Covered Entity (CE) reported a breach effecting 1,400 people due to a laptop being stolen from a car. Later that same year the CE reported an additional breach of 2,200 individuals.</p>
<p>The OCR audit found that the CE had 1) not performed a risk assessment, 2) lacked sufficient risk management processes and 3) had not adopted proper policies and procedures.</p>
<p>In addition to the fine, the OCR implemented a two-year compliance oversight program that includes the following corrective actions:</p>
<ol>
<li>Conduct a risk analysis of security risks and vulnerabilities.</li>
<li>Implement a risk management plan to address and mitigate the security risks and vulnerabilities identified in the risk analysis.</li>
<li>Update policies and procedures based on implementation of the risk management plan.</li>
<li>Implement secure device and media controls with proper encryption protocols for portable devices and media.</li>
<li>Review and revise its training program relating to the use, security, encryption, handling of mobile devices, and out-of-office transmissions.</li>
</ol>
<p>The complete National Law Review article can be found at <a href="http://www.natlawreview.com/article/stolen-laptop-and-lack-understanding-hipaa-leads-to-25-million-settlement">http://www.natlawreview.com/article/stolen-laptop-and-lack-understanding-hipaa-leads-to-25-million-settlement</a>.</p>
<p>The first 3 corrective actions are standard elements of risk management, which define how to perform corrective actions 4 and 5.  Obviously, cybersecurity is a top priority, but <strong>workforce training</strong>, corrective action 5, is a key component of any organization’s security.</p>
<p><img data-recalc-dims="1" loading="lazy" decoding="async" class="alignleft wp-image-3650 " style="margin-top: 5px; margin-bottom: 5px; margin-right: 10px;" src="https://i0.wp.com/thirdrock.com/wp-content/uploads/broken-link.jpg?resize=250%2C181&#038;ssl=1" alt="" width="250" height="181" /></p>
<p><strong><em>Your security is only as good as any single individual in your organization.</em></strong>  One person clicking on an unverified hyperlink can introduce ransomware to your systems, stop delivery of healthcare and potentially damage a practice beyond repair. Training strengthens accountability and enables efficient and effective risk management.  Regular, up-to-date training and ongoing awareness campaigns emphasize the importance of security and maintain vigilance, helping to build a &#8220;<a href="http://thirdrock.com/blog/2016/02/04/create-a-human-firewall-hipaa-training/">human firewall</a>&#8221;.</p>
<p>These are standard deliverables for our customers, and we support them throughout the process.  If you’d like to learn how we can help your organization better protect your customers’ ePHI and avoid costly fines, contact us at <a href="mailto:support@thirdrock.com">support@thirdrock.com</a>.</p>
<p><strong>Protect Your Patients.  Protect Your Practice. Protect Yourself™.</strong></p></div>
			</div>
			</div>
				
				
				
				
			</div>
				
				
			</div>
]]></content:encoded>
					
		
		
		<post-id xmlns="com-wordpress:feed-additions:1">3640</post-id>	</item>
		<item>
		<title>Knock, Knock &#8211; We&#8217;re here to perform an onsite HIPAA audit.</title>
		<link>https://thirdrock.com/blog/2017/01/05/knock-knock-were-here-to-perform-an-onsite-hipaa-audit/</link>
					<comments>https://thirdrock.com/blog/2017/01/05/knock-knock-were-here-to-perform-an-onsite-hipaa-audit/#comments</comments>
		
		<dc:creator><![CDATA[Robert Felps]]></dc:creator>
		<pubDate>Thu, 05 Jan 2017 15:04:44 +0000</pubDate>
				<category><![CDATA[Compliance & Security]]></category>
		<category><![CDATA[Compliance Technology]]></category>
		<category><![CDATA[Policies & Procedures]]></category>
		<category><![CDATA[cyber security training]]></category>
		<category><![CDATA[electronic documentation]]></category>
		<category><![CDATA[ePHI]]></category>
		<category><![CDATA[HIPAA compliance]]></category>
		<category><![CDATA[HIPAA Privacy]]></category>
		<category><![CDATA[HIPAA Security]]></category>
		<category><![CDATA[HIPAA Training]]></category>
		<category><![CDATA[PHI]]></category>
		<category><![CDATA[risk assessment]]></category>
		<category><![CDATA[security risk analysis]]></category>
		<guid isPermaLink="false">http://thirdrock.com/?p=2773</guid>

					<description><![CDATA[<p>The post <a href="https://thirdrock.com/blog/2017/01/05/knock-knock-were-here-to-perform-an-onsite-hipaa-audit/">Knock, Knock &#8211; We&#8217;re here to perform an onsite HIPAA audit.</a> appeared first on <a href="https://thirdrock.com">Third Rock</a>.</p>
]]></description>
										<content:encoded><![CDATA[<div class="et_pb_section et_pb_section_5 et_section_regular" >
				
				
				
				
				
				
				<div class="et_pb_row et_pb_row_5">
				<div class="et_pb_column et_pb_column_4_4 et_pb_column_5  et_pb_css_mix_blend_mode_passthrough et-last-child">
				
				
				
				
				<div class="et_pb_module et_pb_text et_pb_text_5  et_pb_text_align_left et_pb_bg_layout_light">
				
				
				
				
				<div class="et_pb_text_inner"><p><img data-recalc-dims="1" loading="lazy" decoding="async" class="alignleft wp-image-2801 " style="margin-top: 5px; margin-bottom: 5px; margin-right: 10px;" src="https://i0.wp.com/thirdrock.com/wp-content/uploads/ducks-in-a-row.jpg?resize=275%2C183&#038;ssl=1" alt="" width="275" height="183" /></p>
<p>Welcome to 2017.  If you haven&#8217;t heard, the Health and Human Services Office for Civil Rights (OCR) will perform several hundred <strong>on-site</strong> HIPAA audits this year. The possibility of being selected is highly unlikely, but if you are one of the &#8220;lucky&#8221; covered entities that are audited, you had better be ready &#8211; with all your ducks in a row. <strong>Current</strong> HIPAA training is only one duck; you need at least four more.  So, prepare to go duck hunting and get them in order sooner rather than later.</p>
<p>There are two very important issues to understand about this new process and the protocol the OCR implemented in 2016. The OCR now requires documented proof that covered entities and business associates have &#8230;</p>
<ol>
<li>Implemented HIPAA-specific Policies and Procedures (P&amp;P) in 2016 showing a plan for risk management.</li>
<li>Produced documentation, including the P&amp;Ps and logs of HIPAA activity, in electronic format for uploading to the OCR&#8217;s web site.</li>
</ol>
<p><strong>Don&#8217;t forget</strong> that the OCR expected the following for a HIPAA desk audit starting in 2015 and 2016:</p>
<ol>
<li>A current annual Security Risk Analysis (SRA) based on the OCR SRA questions and/or the NIST 800 standard, plus a risk assessment that also covers privacy.</li>
<li>Current HIPAA training that includes privacy and cyber security training for all staff with access to PHI and ePHI.</li>
</ol>
<p><strong>The real takeaway?  </strong>The OCR expects to automate auditing and <strong>all covered entities and business associates will be audited by 2019</strong>.  The OCR expects covered entities and business associates to have HIPAA compliance documentation in electronic format starting in 2016.  Make sure your HIPAA report, corrective actions and logs are in electronic format and that you can show improvement in your HIPAA compliance.</p>
<p><strong>Call-To-Action:</strong> If you haven&#8217;t started and completed all of the necessary steps to be HIPAA compliant, it&#8217;s time to take action: have a Risk Assessment done immediately and make sure it&#8217;s delivered and available in electronic format, preferably online.</p></div>
			</div>
			</div>
				
				
				
				
			</div>
				
				
			</div>
]]></content:encoded>
					
					<wfw:commentRss>https://thirdrock.com/blog/2017/01/05/knock-knock-were-here-to-perform-an-onsite-hipaa-audit/feed/</wfw:commentRss>
			<slash:comments>2</slash:comments>
		
		
		<post-id xmlns="com-wordpress:feed-additions:1">2773</post-id>	</item>
		<item>
		<title>Value Proposition of HIPAA Compliance (1 of 2)</title>
		<link>https://thirdrock.com/blog/2016/10/13/value-proposition-of-hipaa-compliance-1-of-2/</link>
		
		<dc:creator><![CDATA[Robert Felps]]></dc:creator>
		<pubDate>Thu, 13 Oct 2016 14:00:26 +0000</pubDate>
				<category><![CDATA[Compliance & Security]]></category>
		<category><![CDATA[Cyber Security]]></category>
		<category><![CDATA[Policies & Procedures]]></category>
		<category><![CDATA[business operations]]></category>
		<category><![CDATA[culture of compliance]]></category>
		<category><![CDATA[disaster recovery]]></category>
		<category><![CDATA[ePHI]]></category>
		<category><![CDATA[HIPAA compliance]]></category>
		<category><![CDATA[PHI]]></category>
		<category><![CDATA[policies and procedures]]></category>
		<category><![CDATA[risk assessment]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[value proposition]]></category>
		<guid isPermaLink="false">http://thirdrock.com/?p=2320</guid>

					<description><![CDATA[<p>The post <a href="https://thirdrock.com/blog/2016/10/13/value-proposition-of-hipaa-compliance-1-of-2/">Value Proposition of HIPAA Compliance (1 of 2)</a> appeared first on <a href="https://thirdrock.com">Third Rock</a>.</p>
]]></description>
										<content:encoded><![CDATA[<div class="et_pb_section et_pb_section_6 et_section_regular" >
				
				
				
				
				
				
				<div class="et_pb_row et_pb_row_6">
				<div class="et_pb_column et_pb_column_4_4 et_pb_column_6  et_pb_css_mix_blend_mode_passthrough et-last-child">
				
				
				
				
				<div class="et_pb_module et_pb_text et_pb_text_6  et_pb_text_align_left et_pb_bg_layout_light">
				
				
				
				
				<div class="et_pb_text_inner"><p><img data-recalc-dims="1" loading="lazy" decoding="async" class="alignright wp-image-2480" style="margin-top: 10px; margin-left: 10px;" src="https://i0.wp.com/thirdrock.com/wp-content/uploads/Value-Proposition-gold-watch.jpg?resize=210%2C175&#038;ssl=1" alt="Value Proposition on Black-Golden Watch Face with Closeup View of Watch Mechanism." width="210" height="175" /></p>
<p>If you&#8217;ve been reading our blog for very long, you know we&#8217;ve discussed &#8220;Is HIPAA worth it?&#8221;, &#8220;What&#8217;s the ROI?&#8221; and so on.  This article is another way to think about why you need to start working on your HIPAA compliance today.</p>
<p>What is the Value Proposition of HIPAA Compliance?</p>
<ul>
<li>Identifies weaknesses that make your business vulnerable and liable</li>
<li><b>Improves protection of your patients’ valuable PHI</b></li>
<li>Protects your business from disruptive events – natural and man-made</li>
<li><b>Fortifies your cyber-security</b></li>
<li>Enhances insurability and marketability</li>
<li><b>Reduces your liabilities</b>
<ul>
<li style="text-indent: +1em;">Costly breach remedies</li>
<li style="text-indent: +1em;">Expensive audit fines</li>
<li style="text-indent: +1em;">Lawsuits from lost PHI</li>
<li style="text-indent: +1em;">Negative social media</li>
<li style="text-indent: +1em;"><b>Disruption of cash flow</b></li>
<li style="text-indent: +1em;"><b>Devaluation of your practice</b></li>
</ul>
</li>
</ul>
<p>Once you have built a culture of compliance into your business operations, you will actually achieve the values outlined above, and you will likely reduce your costs as you learn to operate more efficiently, effectively and securely. Having standard, reasonable processes helps streamline the workflow, making your staff more efficient.</p>
<p>Next up in this two-part series will be our post on <em>Value Proposition of a Next-Generation Compliance Platform</em>. We&#8217;ll cover the value of using a cloud-based, Software-as-a-Service (SaaS) solution to perform and maintain your compliance &#8220;body of evidence&#8221;.</p>
<p>Take our <a href="https://cyberquickcheck.com/">free mini-Risk Assessment</a> to see how compliant you are.</p>
<p><span style="color: #0000ff;">Protect your patients, protect your practice, protect yourself.</span></p></div>
			</div>
			</div>
				
				
				
				
			</div>
				
				
			</div>
]]></content:encoded>
					
		
		
		<post-id xmlns="com-wordpress:feed-additions:1">2320</post-id>	</item>
	</channel>
</rss>
