
Quotables: How Do I Use the Cloud? (Real Simple)

Check out Anderson Technologies’ recent contribution to the February 2019 edition of Real Simple magazine. Director Farica Chang answers questions about the cloud and how it’s used every day!

“In short, the cloud refers to files and applications that are stored or used on the internet,” Chang says in the Real Simplifier feature.

Read the full article in the print edition of Real Simple, on newsstands February 10, 2019, or through digital retailers (like Amazon or Barnes & Noble) now.

Are you in need of expert IT consulting? Anderson Technologies is a St. Louis IT consulting firm that specializes in system administration for small businesses. Let us help you today! Give us a call at 314.394.3001 or email us at info@andersontech.com.

What are Quotables? This is a category in our posts to highlight any professional publications that benefit from our expert IT consulting advice and quote us in articles for their readers. 


Collection #1 Security Breach

Here at Anderson Technologies we like to keep our clients updated on the latest cyber security news. We’ve covered such breaches as KRACK and the Equifax hack in the past, and now we’re reporting on a breaking data breach called Collection #1, which affects nearly 2.7 billion emails and password combinations.

What Exactly Is the Collection #1 Breach?

The Collection #1 Breach was first reported January 17, 2019, by Troy Hunt, a cyber security researcher and operator of Have I Been Pwned (HIBP). Hunt named the breach after the root folder—containing over 87GB of data—that was uploaded to a hacking forum. Comprising around 773 million unique email addresses and 21 million unique passwords, this information seems to have been gathered from databases of personal information from over 2000 breaches as far back as 2008.

“This number makes it the single largest breach ever to be loaded into HIBP,” Hunt states in his blog post explaining the breach.

While this personal information may not be much use to one-off hacking attempts, the real danger comes with a technique known as “credential stuffing.” Gizmodo explains:

Basically, credential stuffing is when breached username or email/password combos are used to hack into other user accounts. This could impact anyone who has used the same username and password combo across multiple sites. This is concerning as the Collection #1 breach contains almost 2.7 billion combos.
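The pattern Gizmodo describes has a recognizable shape in authentication logs: one source trying many different usernames in a short window, with most attempts failing. The following Python is an added example, not code from the article or from Gizmodo; it assumes a constructed log format (`timestamp ip username ok|fail`) and constructed sample lines, so a real deployment would swap in its own parser.

```python
"""Flag credential-stuffing bursts in authentication logs.

Added example (not from the original article). The log format below is an
assumption for the example: "<ISO timestamp> <client_ip> <username> <ok|fail>".
The signal is the one the article describes: a single source cycling through
many *distinct* accounts in a short window with a low success rate, which
looks nothing like one user mistyping their own password.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one client hammering eight different accounts in a
# few seconds (one of them succeeds, a reused password), and one legitimate
# user who mistypes their own password twice before getting in.
SAMPLE_LOG = """\
2019-01-18T09:00:01 203.0.113.7 alice fail
2019-01-18T09:00:02 203.0.113.7 bob fail
2019-01-18T09:00:02 203.0.113.7 carol fail
2019-01-18T09:00:03 203.0.113.7 dave fail
2019-01-18T09:00:03 203.0.113.7 erin ok
2019-01-18T09:00:04 203.0.113.7 frank fail
2019-01-18T09:00:05 203.0.113.7 grace fail
2019-01-18T09:00:06 203.0.113.7 heidi fail
2019-01-18T09:01:10 198.51.100.4 alice fail
2019-01-18T09:01:25 198.51.100.4 alice fail
2019-01-18T09:01:40 198.51.100.4 alice ok
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, ip, user, succeeded)."""
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts), ip, user, result == "ok"


def find_credential_stuffing(log_text, window=timedelta(minutes=5),
                             min_users=5, max_success_ratio=0.5):
    """Return {ip: (distinct_users, attempts, successes)} for every source
    that tried at least `min_users` different accounts inside `window`
    with a success ratio at or below `max_success_ratio`.

    For each flagged source the window with the most distinct users is kept.
    """
    by_ip = defaultdict(list)
    for line in log_text.strip().splitlines():
        ts, ip, user, ok = parse_line(line)
        by_ip[ip].append((ts, user, ok))

    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        best = None
        # sliding time window over this source's events, oldest to newest
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            span = events[start:end + 1]
            users = {u for _, u, _ in span}
            successes = sum(1 for _, _, ok in span if ok)
            if (len(users) >= min_users
                    and successes / len(span) <= max_success_ratio
                    and (best is None or len(users) > best[0])):
                best = (len(users), len(span), successes)
        if best is not None:
            flagged[ip] = best
    return flagged


def compromised_accounts(log_text, **kwargs):
    """Accounts that logged in successfully from a flagged source: these are
    the reused-password victims the article warns about and the ones whose
    credentials should be reset first."""
    flagged = find_credential_stuffing(log_text, **kwargs)
    hits = set()
    for line in log_text.strip().splitlines():
        _, ip, user, ok = parse_line(line)
        if ok and ip in flagged:
            hits.add(user)
    return hits


if __name__ == "__main__":
    print(find_credential_stuffing(SAMPLE_LOG))
    print(compromised_accounts(SAMPLE_LOG))
```

Run against the constructed sample, the burst from 203.0.113.7 is flagged (8 distinct users, 8 attempts, 1 success) while the legitimate retries from 198.51.100.4 are not, and `erin` comes back as the account that needs a forced reset. The thresholds are starting points; tune `min_users` and `window` to the login volume of the system being monitored.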

How Do I Know if I’ve Been Impacted?

Thankfully, the easiest way to see if any of your email addresses, usernames, or passwords have been affected by Collection #1 is to use Hunt’s HIBP. You may have even used this resource to know whether or not to change a password after past breaches like Equifax!

Hunt has painstakingly cleaned and entered all data from Collection #1 into HIBP’s (safe) search engine, allowing anyone to securely check if any individual user account information was compromised.
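What makes a check like this "safe" for passwords is that the password itself never has to leave your machine. The Python below is an added example, not code from the article or from HIBP; it reproduces the k-anonymity scheme of HIBP's Pwned Passwords range API (the real endpoint is `https://api.pwnedpasswords.com/range/<first five hex characters of the SHA-1>`), where only a 5-character hash prefix is sent and the service returns every known suffix under that prefix with a breach count. The network call is left as a function you pass in; the response used here is constructed so the example runs offline.

```python
"""Check a password against a Pwned-Passwords-style corpus without sending it.

Added example, not code from the article or from Have I Been Pwned. Only the
first five hex characters of the password's SHA-1 are disclosed to the
lookup service; the match is made locally against the suffixes it returns.
"""
import hashlib


def sha1_prefix_suffix(password):
    """Upper-case hex SHA-1 of the password, split into (5-char prefix, 35-char suffix)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body):
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}.

    Tolerates CRLF line endings and blank lines, which the real API uses.
    """
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def pwned_count(password, fetch_range):
    """How many times the password appears in the corpus (0 = never seen).

    `fetch_range(prefix)` must return the response body for that 5-char
    prefix; in production that is an HTTP GET to the range endpoint.
    """
    prefix, suffix = sha1_prefix_suffix(password)
    counts = parse_range_response(fetch_range(prefix))
    return counts.get(suffix, 0)


# --- constructed offline stand-in for the network call -----------------------
# SHA-1("password") = 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8, so its prefix
# is 5BAA6. The breach counts below are made up for the example.
FAKE_RANGE_DB = {
    "5BAA6": "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471\r\n"
             + "0" * 34 + "A:2\r\n",
}


def fake_fetch_range(prefix):
    """Return the constructed body for a prefix, or an empty body if unknown."""
    return FAKE_RANGE_DB.get(prefix, "")


if __name__ == "__main__":
    for candidate in ("password", "a-long-unique-passphrase-for-this-site"):
        n = pwned_count(candidate, fake_fetch_range)
        verdict = "seen %d times, do not use" % n if n else "not in corpus"
        print("%-40s %s" % (candidate, verdict))
```

The same `pwned_count` function is what a password-change form or a password manager would call before accepting a new password: any non-zero count means the value is already circulating in dumps like Collection #1 and will be tried by credential stuffing. The SHA-1 here is a lookup key for the service's data format, not a recommendation for how to store passwords.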


How Do I Keep My Accounts Safe from Future Breaches?

The nature of these data breaches indicates decoding of previously encrypted account information like email addresses and passwords. Anderson Technologies recommends protecting yourself with multi-factor authentication (MFA), as well as a password manager like LastPass or Dashlane.

“The only way to effectively deal with it is to use MFA,” says Joe Baker, Anderson Technologies Systems Administrator. “I like the MFA standard of something you know and something you have—you know your password, and you have your phone for authentication.

“Everyone should go to haveibeenpwned.com to check their email addresses. For me, after entering my email, I searched for and found my compromised email and old password in a matter of seconds. It’s shockingly easy to get this info once it’s out there in plain text. If it’s something that you care about, protect it with MFA. If you can’t protect the account with MFA, then don’t use that account.”

If you believe information vital to your business has been compromised (current administrator credentials, for example), immediate intervention can help mitigate further security threats. Senior Systems Administrator Eric Dischert suggests the following steps:

  • Update passwords for all affected accounts
  • Temporarily lock all systems until the extent of the breach is known and appropriate steps have been taken
  • Ensure proper auditing and logging are running
  • Determine the root cause, impact, and necessary steps to fix
  • Deliver a public announcement (if industry regulations require it) and prepare for corresponding responses
  • Educate employees regarding breach details and lessons learned

As always, consult with your managed services provider to ensure all these steps are completed thoroughly enough to protect your business from further threat. For more information about Collection #1 and the consequences for your personal information, contact us here or at 314.394.3001.


HIPAA Part 3: Document! Document! Document!

As you read through the Privacy and Security Rules for HIPAA, you’ll see a pattern that shouldn’t be taken for granted. Nearly all the implementation specifications require some form of policy and procedure documentation. This involves more than the reasoning and justification for how you choose to implement the specifications (though that must be documented as well). These are the policies and procedures that HIPAA expects your business to follow every day.

Organizational Standards

Besides the administrative, physical, and technical safeguards which make up the majority of the Security Rule, there is a lesser known section of safeguards called organizational standards that deal largely with the paperwork required by HIPAA concerning protected health information (PHI) in any form. This section is often overlooked because many of its requirements are addressed in greater detail throughout the Privacy and Security Rules. The four standards in this section include:

  • Business Associate Contracts
  • Requirements for Group Health Plans
  • Policies and Procedures
  • Documentation

This article focuses on the last two standards: Policies and Procedures and Documentation, both of which lay the groundwork for HIPAA compliance. The other two standards shouldn’t be ignored, but they concern only those who a) are or need a business associate, or b) are a sponsor to a group health plan that provides data beyond enrollment and summary information.

Note: If you work with or are a business associate that works with ePHI and your contract has not been updated since the HITECH Act in 2009 or the Final Omnibus HIPAA Rule in 2013, you will want to review and update all contracts to ensure they meet the current standards regarding business associates.

Standard 164.316(a): Policies and Procedures

Why have an entire standard dedicated to something addressed in nearly every single implementation standard? This standard explains what HIPAA expects from the policies and procedures that a business creates. Specifically, it references the Security Standards’ General Rule of Flexibility of Approach, which is discussed in Part 2 of this series. It also allows for policies and procedures to be changed at any time to adjust to new demands or technologies, as long as all changes are documented and implemented accordingly.

Standard 164.316(b)(1): Documentation

This standard identifies how documentation required by HIPAA is to be maintained. According to this standard and its subsequent implementation standards, all documentation required throughout the Security Rule’s standards, including but not limited to

  • policies and procedures,
  • job responsibilities and duties,
  • risk assessments, and
  • action plans

must be recorded (physically or electronically) and retained for a minimum of six years from the date of creation or when it was last in use, whichever date is later. All documentation must be available to anyone who uses those procedures, and documentation should be consistently reviewed and updated as necessary.

Note: The six-year retention rule only satisfies HIPAA standards. State law may require some documentation to be retained for longer. Always verify what state laws apply to your business, as HIPAA does not supersede many state requirements.

Bringing Your Policies into Compliance

It’s possible your business already has clear policies and procedures in place, but that doesn’t immediately make you HIPAA compliant. You still need to go through each one to ensure it satisfies the implementation specifications it pertains to. If not, policies may need to be updated or new ones added. HIPAA gives businesses a great deal of leeway in how policies and procedures are written, so both updating existing documentation and creating all new materials is acceptable.

What should the policies and procedures say?

HIPAA doesn’t dictate the exact wording of any policy or procedure. It’s up to the business, taking into consideration the Flexibility of Approach guidelines, to determine what policy needs to be implemented. Generally, a policy explains a business’s approach to the subject it relates to. If the policy concerns removing access from those who no longer work for the company, it could read something like:

At the end of an employee’s last day of employment with [company name], security and/or IT staff will remove that employee’s access to company systems and restricted locations and document the change of access. The employee’s supervisor will verify that all access has been revoked within twenty-four hours.

This offers clear guidance about what the company intends to do to remove access from someone who no longer is allowed to work with PHI. It also provides an implementation timeline, who should implement the policy, and how the company will ensure it gets implemented properly.

The procedure that accompanies the policy would then offer easy-to-follow directions on how those responsible are to implement the policy. A sample procedure may look like this:

Regarding Policy for Removing Access of Former Employees

Duty of IT Staff or Managed Services Provider

  1. Go to [directory] and locate the list of all programs and devices the employee had access to according to job title. Check this list against their user account to ensure no programs are missed.
  2. Starting at the top of the list, go through each program and device and remove employee access. For procedures regarding specific programs, see [directory of procedures].
  3. Go to Active Directory and find employee information.
  4. Back up emails and save them to [directory] to be stored for a period of one year before deletion.
  5. Back up any information relating to patient care in appropriate directories. See [directory list] for proper placement.
  6. Disable user’s Active Directory account and change their password.
  7. Document time, date, and your name in the Employee Termination log to indicate all access is removed.
  8. Inform former employee’s supervisor when access removal is completed for verification.

Procedures should be as detailed as possible so that there is no ambiguity or confusion in what needs to be done. This allows newer employees to accomplish tasks they may not have performed before. There may also be multiple procedures related to the same policy depending on the duties of each person. Margret Amatayakul wrote an excellent guide to creating policies and procedures for the Journal of AHIMA (American Health Information Management Association).

Note: Both the Security Rule and the Privacy Rule require policies and procedures to be created. A company can combine relevant Security and Privacy standards into a single policy or create entirely separate policies for the Security and Privacy Rules. Each business should determine what is best for its employees.

Employee Training

Once you have your policies and procedures written and accessible, the next vital step is to train employees on them. HIPAA requires all employees to be trained in the policies and procedures related to their job. This training includes everyone from the maintenance staff to the CEO. Each time a policy or procedure is updated, retired, or replaced, the affected staff must be informed and, if needed, new training should occur.

Of course, maintenance personnel and CEOs won’t need the same kind of HIPAA training, just as IT support doesn’t need the same training as a nurse. HIPAA doesn’t dictate the way training happens, only that it happens. This means big companies that can afford professional training materials can do so, but smaller companies may hold informational meetings, allowing each to train the way that is most effective and makes the most sense for them.

Suggestions for employee training

  • Go through your employees’ job descriptions and separate employees by the level of access they have to PHI.
  • Create training programs for each level of access and/or the duties required in the job description so each employee gets the training suited to their job.
  • Don’t overload employees with policies and procedures that don’t relate to their job.
  • Ensure all training includes how to access the company’s policies and procedures in case employees need to revisit or reference them.
  • Ensure all employees know who to contact if they have any questions.

Sanctions

Along with training employees, HIPAA also requires you have clear consequences for not following the written policies and procedures. The types of offenses should be clearly defined and the disciplinary action enacted for every infraction.

One way a company might dictate levels of disciplinary action would be to clarify whether a break in policy or HIPAA standard was accidental, made through negligence, or of malicious intent. This allows various consequences for the same infraction without being inconsistent. An example would be: a) an employee leaving a workstation unlocked because an emergency situation demanded they respond immediately, b) they consistently forget to lock their workstation even after being warned about it, or c) they intentionally leave a workstation unlocked to allow someone without access to view ePHI. While the problem is technically the same, they don’t all deserve the same consequences. As with everything else, all infractions and disciplinary actions need to be documented and retained for six years.

In 2018, the Health and Human Services Office of Civil Rights reported 279 breaches of PHI, each resulting in at least 500 individuals affected, though often the number was much higher. Policies and procedures may feel tedious to write, but they provide employees with the information necessary to do their job in a HIPAA compliant manner and could prevent a breach of PHI.

For help with developing clear and secure policies for your company’s software and devices, contact Anderson Technologies at 314.394.3001 or by email at info@andersontech.com.


Countdown to Windows 7 End of Life on January 14, 2020

While the world celebrated the New Year, Microsoft enjoyed their own major milestone as Windows 10 was finally declared more popular than Windows 7. Previous iterations of the Windows operating system couldn’t sway many Windows 7 corporate holdouts (Windows 8 and Windows Vista, for example), but for several years Windows 10 has demonstrated the stability and performance necessary to support business users.

More than half of enterprise machines run Windows 10 today. However, many others still use Windows 7. Experts consider these active machines a security risk—not to mention their poor performance due to aging hardware. Now Microsoft is forcing everyone’s hand. Exactly one year from today, Windows 7 joins other aged operating systems in “end of life,” placing any machines still running it on a deadline.

What Does This Mean for Your Computer and Your Business?

Windows 7 reaches end of life on January 14, 2020. After this date, Microsoft will no longer develop countermeasures or fixes to address new breaches, exploits, viruses, and attacks, leaving Windows 7 computers vulnerable. Some businesses may require a machine to stay on Windows 7 to run legacy software, but these machines should not be connected to the network as they will be a high-value target, giving hackers easy access to an otherwise secure network.

This deadline is an opportunity. Consider it a countdown to more efficient work spaces, more secure transactions, and features that integrate seamlessly with the Cloud and mobile devices. Speed, usability, and security all see major upgrades in Windows 10—upgrades that can make a huge difference for your business.

With the help of a managed services provider like Anderson Technologies, “end of life” doesn’t have to derail you. Is your business still relying on Windows 7? Contact us today to discuss your options for this important transition.

Order of Operations: Moving and Upgrading the Local 562 Union Network

“It was meant to be.”

This is how Megan Branham, Executive Assistant at Plumbers & Pipefitters Local Union 562, describes the Union’s partnership with Anderson Technologies. The organization was in the process of planning a company-wide move to upgraded facilities and wanted to upgrade their IT at the same time.

Local 562 is split into two distinct halves: Union and Welfare Educational Fund (WEF). Branham’s focus was on the Union side of the organization, but the technology on the WEF side needed to improve as well. The two halves work hand-in-hand, so upgrading technology on both sides was a must. And since Local 562 is growing, they needed more than the one-man IT team that previously managed its systems.

“I knew from the beginning it was an enormous job,” Branham says. “We needed something different, and we needed someone to understand the situation they were walking into.”

Finding the Right Fit

An organization as large as Local 562 requires substantial deliberation when choosing a new vendor to partner with. They gathered quotes from many different managed services providers before making a decision. Many IT vendors had been recommended to various high-level employees, and narrowing down candidates wasn’t an easy process.

Branham knew from her experience troubleshooting Local 562’s day-to-day IT problems that they were looking for a partner that could tackle both the network overhaul required by the move and the everyday “What is XYZ?” questions.

One of the biggest factors was how the new IT vendor would mesh with her team. “You could say we have a lot of strong personalities,” Branham says with a laugh. Many organizations, both large and small, encounter resistance to change at some level; Local 562 was no different.

“From the time we met Mark [Anderson], he was just very calm,” she recalls. “He really understood where I was coming from.” Not all vendors Branham considered had the same presence of mind. “I didn’t get that same feeling from the other companies,” she says. “It felt more like they would have come in, done things the way they thought it should be done, and we’d have to figure it out from there. This is a big deal when you’ve got so many people who are used to doing everything a certain way.”

Anderson Technologies focuses on making its clients an active part of the planning and implementation process, especially during a project when a new partner could easily take control from Local 562’s employees. “Mark [Anderson] also knew that it was important that we were an intricate part of designing how it was going to be, not to change everything we already had,” Branham says. “I felt like every single one of the staff at Anderson [Technologies] was very responsive to that.”


Managing Expectations

Once the partnership with Anderson Technologies was approved, planning for the move could proceed. The opportunity to take a fresh look at Local 562’s current technological status couldn’t be missed. Anderson Technologies and Local 562 together examined what could be improved – or completely restructured.

“I knew our security was not up to par,” Branham says. With emerging cyber security threats came the importance of an outside team to monitor Local 562’s safety. “I felt it was important to have that third party doing all that for us too; not that it’s all them, but they’re helping us find the right ways to do things.”

A study of Local 562’s dynamics helped Anderson Technologies determine the organization’s greatest needs, even when they were difficult to quantify. While each half of the Union performs some functions in conjunction, separate responsibilities needed to be divided. Branham describes it as “spreading everything apart but still making it easy to work together.” Previous IT solutions had muddled that line. Local 562’s sole business manager delegates operations to directors in the two departments. All of Local 562’s digital infrastructure was housed on one network.

The “separate-but-together” end goal split Union and WEF into their own individual server environments but consolidated all employees under one email domain—uniting the two departments. “I knew that there was a way for us to streamline all these things,” Branham says.

Moving the Operation

The physical move itself was a source of colossal stress for every employee of Local 562. “The Anderson [Technologies] team was very calm, and that’s really what we needed,” Branham says, “because there was a lot of anxiety on the side of everyone here.” During the week-long move from a property in North St. Louis County to one that’s twenty miles west, Anderson Technologies was on-site through the weekend to create new separate domains, install new firewalls, configure the new servers, migrate user profiles, transfer server data, and put out any fires that happened to arise.

Branham describes how the Anderson Technologies team took every little problem in stride: they “kept it smooth and comfortable, and it was a good process and good flow the way everything worked. [The team was] extremely flexible and that made a big difference in the way that people accepted the change, too.”


Coping with the technical logistics of the move was an anticipated challenge. Branham and the rest of Local 562’s employees expected to be unable to use their computers for an extended period of time during the ten-day move. Operations were planned to resume fully the following week. “I expected we would be back up running on Monday [a week into the move] for sure, hopefully it would get done over the weekend,” Branham recalls, “and I was using my computer on Friday morning. . . . I was floored.” Reducing Local 562’s planned downtime by several days allowed them to adjust to the move and return to work faster than expected.

Anderson Technologies’ partnership with Local 562 continues with dedicated ongoing managed services. “Everything has been very strategically done in a way that I know that it was the right choice for us,” Branham says of Local 562’s teaming up with Anderson Technologies for the big move and beyond. “Just the other day, one of our guys was saying to one of the gentlemen from Anderson [Technologies] about how ‘he never remembers his passwords, etc.’ so Eric gave me the name of the program to look into. Just little things like that . . . to make our lives easier.”

If your business is ready to move from outdated headquarters, technology, or methodology, contact Anderson Technologies today for a free consultation.


Hardware Firewalls Strengthen Cyber Security Protection [Updated for 2018]

Does your organization or small business have a firewall?

The answer is “yes,” right? If you use the internet, you’ve got to have a firewall! Don’t computers come with them?

Our 2017 audit of St. Louis small businesses found that, while most of the businesses and organizations we surveyed did in fact have a hardware firewall, 100% were not operating optimally. According to a 2018 Sophos whitepaper, 84% of survey respondents agreed that lack of effective application of firewalls was a serious security concern.

A number of businesses think their answer to the firewall question is “yes,” but after investigation, the real answer is revealed to be “not at all” or “only a software firewall.”

Unfortunately, lack of firewall awareness is a trend that continues into 2019.

Firewalls, one of the most important facets of digital security, are often misunderstood and frequently taken for granted. In computing, a firewall is not a wall meant to confine fires within a building, but a digital wall meant to segment networks and protect sensitive information.

Are you beginning to wonder about the state of your firewall? The rest of this article will serve as a brief primer on firewalls, including six questions to ask your IT division or managed services provider to discover just how well that firewall is doing its job.

Hardware Firewall vs. Software Firewall

With hackers, viruses, ransomware and malware compromising computer systems worldwide, every small business needs a hardware firewall. Firewalls provide enhanced IT security to protect your technology from attack, blocking unauthorized access while still allowing legitimate users access to the systems and data necessary to perform their jobs. They are an essential part of any properly designed IT protection plan.

But why a hardware firewall?

The problem with software firewalls is that they exist on the same network where sensitive data is stored. A hacker hitting this firewall has already penetrated your network. Yes, the software firewall does offer limited protection for a single computer, but it is nowhere near enterprise-grade. A hardware firewall, on the other hand, is a completely separate piece of hardware that stands guard at the perimeter of the network and prevents access.

Once you can confidently answer “yes” to having both a hardware and software firewall in place, keep your business safe by asking the following six questions about your firewall.

Six Questions about Your Firewall

  1. Is my firewall really protecting me?

Anderson Technologies performs an infrastructure analysis at the start of every new client engagement, and we’re surprised by the number of businesses vulnerable to cyber security risks. This is often due to the lack of a firewall (when the business owner thinks they have one) or insufficient and/or out of date configuration of an existing firewall, which results in inadequate protection of systems and data.

  2. Can it handle the latest security threats?

Because new cyber security threats are developed and launched every day, your firewall’s firmware needs to be continuously updated. It should be tested on a regular schedule to ensure that security flaws are patched by the manufacturer and protected against the latest threats.

  3. Is my firewall monitored?

Firewalls are not a “set it and forget it” device. Ongoing monitoring of a security appliance like a firewall is vital to understanding what kind of threats your business is exposed to and how often intrusion attempts are made. Knowing if and when your system is under attack allows you to marshal the proper response. Monitoring provides this valuable insight.

  4. Does its configuration both protect my vital systems and allow my employees to do their work efficiently with minimal interference?

Many firewalls are installed with limited configuration and too often are set to the manufacturer’s defaults. This can lead to cyber security vulnerabilities, unnecessary exposure, and business risk. Firewalls must be configured for the particular business environment they are being installed within to provide maximum security with optimal functionality.

  5. Is my firewall running effectively?

Blocking malicious attacks requires a firewall to perform many system-intensive background tasks. It needs enough processing power to not only handle the internet provider’s speeds but also efficiently run necessary protection processes while maintaining optimal performance. If your firewall is older, it could actually be causing a “bottleneck” on your network and slowing down your business’s productivity.

  6. Is my firewall equipment up to the task?

Not all hardware firewalls are created equally! Some manufacturers garner industry recognitions and awards for their security technology and constant innovations while others do the bare minimum. The latter companies lack enterprise-level support and fail to update their hardware to protect against the latest evolving threats. Make sure you have the right equipment to protect your business.

If you can answer these six questions positively, your firewall is likely performing well and protecting your systems and data from attack. If not, we’d love to help. If you suspect your business is vulnerable to attack and would like assistance analyzing options and developing a secure firewall solution, schedule a consultation by contacting us or calling 314.394.3001.


HIPAA Part 2: Diving Deep into the Security Rule

In our first HIPAA article, we offered a little history on the Health Insurance Portability and Accountability Act and a general overview of how the Privacy and Security Rules evolved from it. In this post, we’re going deep into the murky depths of the Security Rule from a business standpoint.

HIPAA’s Security Rule may seem daunting at first, especially if you’re not an IT expert, but you don’t need a degree in computer science to understand the standards it establishes. At its core, the HIPAA Security Rule is about knowing what data you have, assessing the people and technology handling it, and finding where problems could arise. Survey, assess, plan, implement, and—most importantly—repeat. This is an easy way to think about and manage the requirements laid out in the Security Rule.

What Is the Security Rule?

The Security Rule sets the standards that entities creating, using, or transmitting electronic protected health information (ePHI) must implement in order to “ensure the confidentiality, integrity, and availability of ePHI . . . protect against any reasonably anticipated threats and hazards . . . [and] protect against reasonably anticipated uses or disclosures of such information not permitted by the Privacy Rule” (NIST). If you can imagine it happening to you, then you have to protect against it.

Confidentiality, Integrity, and Availability

The Security Rule uses this phrase throughout. It’s a key tenet of its purpose, but what exactly does it mean to ePHI?

  • Confidentiality: Don’t allow anyone without proper permission to access ePHI, as described in the Privacy Rule, to see it.
  • Integrity: Ensure that the ePHI created, maintained, or transmitted isn’t altered in any way.
  • Availability: Ensure those with permission are able to access ePHI when they need it.

A quick way to think of these is “Don’t Show. Don’t Change. Can Use.” Keep these goals in mind when implementing the standards set forth in the Security Rule.

Understanding the Security Standards

The Security Rule consists of 18 security standards divided into three sections: Administrative Safeguards, Physical Safeguards, and Technical Safeguards. Some of those security standards contain implementation specifications (36 in total), which provide more detailed instructions on what needs to happen to fulfill the security standard. The Security Rule designates these implementation specifications as either required or addressable.

Important! Do not confuse addressable with optional. All implementation specifications must be handled, but those marked as addressable may not be suitable for all businesses managing ePHI. Each business must assess its own situation to determine whether an addressable implementation specification is reasonable and appropriate. Once assessed, the business has to ask themselves:

  • Is the specification reasonable and appropriate? Implement.
  • Is the specification not reasonable or appropriate? Implement an alternate solution that would be.
  • Are there no reasonable and appropriate ways to implement the specification? Do not implement.

All assessments and justifications for not implementing a specification as stated in the security standard must be fully documented.

Reasonable and Appropriate

This is another phrase that appears throughout the Security Rule. Since the Security Rule affects a wide variety of businesses, it was designed with flexibility of approach in mind. Many of its standards and implementation specifications explain what needs to be done but not how to do it. How is left up to the individual business to determine based on its use of ePHI and its environment.

The security standards general rule §164.306(b)(2) explains that when “deciding which security measures to use, a covered entity must take into account the following factors:

  1. The size, complexity, and capabilities of the covered entity.
  2. The covered entity’s technical infrastructure, hardware, and software security capabilities.
  3. The costs of security measures.
  4. The probability and criticality of potential risks to electronic protected health information.”

Flexibility, scalability, and technology neutrality are key features of the Security Rule that allow businesses of any size or function to use the same standards and adjust accordingly to the evolution of technology. It’s important to note that cost alone is not enough of a justification to not implement a security standard. All factors need to be considered together when dealing with addressable specifications.

Security Standards

Before diving into the nitty-gritty of each security standard and the implementation specifications, evaluate what your business already has in place. Some of the requirements may be satisfied by the current security infrastructure. Read all the security standards once to get a feel for what you need to be assessing, then take the time to determine what measures, policies, and hardware already protect your ePHI. Knowing where you stand can save you time and stress while working toward HIPAA compliance.

Below we’ll address each section in a high-level overview and mention some of the important standards you should be aware of. This won’t be a step-by-step breakdown of all the standards and implementation specifications. For that, the Department of Health and Human Services (HHS) produced the HIPAA Security Series papers, which are extremely helpful, as is the National Institute of Standards and Technology’s (NIST) An Introductory Resource Guide for Implementing the HIPAA Security Rule.

Administrative Safeguards

Administrative Safeguards make up more than half of all the standards in the Security Rule; however, this is also where many of your current systems might already be established to satisfy the requirements with little to no alterations.

The standards and implementations categorized under Administrative Safeguards involve the process of planning, selecting, and managing a business’s protection of ePHI. This includes, but is not limited to, emergency preparedness plans, policies and procedures, contracts, and employee management and training.

This category is all about knowing what you have, planning for the future, and making sure everyone in the company knows how to enforce the confidentiality, integrity, and availability of ePHI. It’s not enough to simply implement these systems, though. Everything must be documented, accessible to all who need it, and tested and reviewed periodically.

Important Standards to Note

Security Management Process §164.308(a)(1): This is the very first standard, and for good reason. Its implementation specifications require a risk analysis and continuous risk management. The information gathered in these steps will help with many of the other standards. The risk analysis can highlight areas of deficiency in your security that might otherwise appear only when a malicious actor finds and exploits it.

There is no single correct way to perform a risk analysis because all businesses have differing needs. If you are looking for where to start, there are many useful guides outlining the risk assessment process. The HHS’s HIPAA Series includes Basics of Risk Analysis and Risk Management, and Appendix E in NIST’s Introduction provides risk assessment guidelines. For a more comprehensive look at risk assessments, NIST also produced a Guide for Conducting Risk Assessments.


Workforce Security §164.308(a)(3) & Security Awareness and Training §164.308(a)(5): These two standards have seven addressable implementation specifications between them. These deal with verifying that employees have the correct access to ePHI according to the duties they perform, and that they are informed on how to protect themselves and ePHI from cybersecurity threats. They also deal with how management handles adding new employees and removing employee access as job duties change or when an employee leaves the company. Both management and employees are responsible for protecting ePHI, but they must be given the knowledge, tools, and policies to do so.

Contingency Plan §164.308(a)(7): This standard includes the creation or revision of several different emergency preparedness plans, including a Data Backup Plan, Disaster Recovery Plan, and Emergency Mode Operation Plan. Besides preparing both management and employees in what to do, who needs to do it, and where resources are in the event of an emergency, this standard also helps assess what hardware or software is critical to the confidentiality, integrity, and availability of ePHI. This allows better prioritization and distribution of limited resources. Such precise knowledge is especially important in facilities that provide direct patient care.

Physical Safeguards

Physical Safeguards deal with the facility, hardware, and other physical mechanisms necessary to protect ePHI, as well as the policies and procedures that regulate them. These can range from locks on doors or security guards in times of disaster to employees logging off before leaving a workstation. If a person could walk into your office and access ePHI, the Physical Safeguards handle how to appropriately plan your security measures according to your needs.

Important Standards to Note

Device and Media Controls §164.310(d)(1): Given the portability of data in the daily functions of modern business, it’s vital that any movable media containing ePHI be strictly logged, tracked, and disposed of when no longer needed. Even one lost USB drive containing ePHI is a breach of the Security Rule. This standard relates to all types of removable media, including laptops, flash drives, CD/DVDs, hard drives, and portable backups. It also deals with the re-use of these materials within the office, which first requires the proper removal and destruction of all ePHI.

Technical Safeguards

Technical Safeguards deal with the technology used to create, access, transmit, and protect ePHI, as well as the policies and procedures that govern it. The Security Rule remains intentionally vague on the specific technology used to fulfill these standards to allow for advances in technology and the changes in security needs against new cyber security threats. This flexibility is also what allows a variety of businesses to handle ePHI and still comply with HIPAA’s Security Rule.

Technical Safeguards address aspects such as user access, hardware and software use, transmitting ePHI digitally, and encryption for various purposes. The Risk Analysis and Risk Management specifications from the Administrative Safeguards are especially useful in determining the technological needs and the policies to enforce.

Important Standards to Note

Integrity §164.312(c)(1): This standard refers directly back to the key phrase confidentiality, integrity, and availability discussed earlier. It’s not enough to protect ePHI from being accessed or transmitted improperly; ePHI must also be protected from improper tampering or destruction of data. Wrong or incomplete information can have drastic effects on patient lives and care, so the ability to authenticate the validity of ePHI is a vital part of its security.

Monitor and Update

A vital part of the Security Rule is not only performing assessments and creating policies but also implementing them so all employees are aware of and following the rules. Systems should be in place to verify that employees receive the necessary training in ePHI security procedures and understand the consequences of not following the policy. Reassessment of policies and re-training of employees should occur periodically so outdated procedures can be re-written for the current threat environment. Cyber threats are ever evolving, and so too should ePHI cyber protections be.

While the Security Rule may feel a bit daunting, many of its requirements are best practices for any business. Knowing exactly what data you handle, how it’s processed, and who needs access to it provides you with an informed view of your business’s operations. Having a written and tested Disaster Recovery Policy, Contingency Policy, and Continuity of Operations Plan will save you time, money, and stress should an emergency occur.

If you have any HIPAA related questions or need help implementing the Security Rule’s technical standards, contact Anderson Technologies at 314.394.3001 or info@andersontech.com.

Infected? A New Phishing Attempt for 2018

Even managed service providers receive scam emails and phone calls.

These serve as a reminder that education on phishing, scareware, and ransomware is an ongoing process, one that even IT experts need to stay sharp on.

But let’s assume you aren’t an IT expert. How can you best determine the validity of these messages and if they have malicious intent?

As with any learning process, practice is important. You may want to start with our phishing quiz. Know where you stand with gut instinct and some important clues.


Whether the attempt is made by email or phone, there is always something just a bit off about a phishing attempt. The phisher may have some accurate personal information—like your name, or the fact that you have Yahoo! email or an AT&T phone account—and see if you’ll take the bait.

It is easy to panic at the threat of suspension or an overdue bill and put aside any unease because of the urgent matter apparently at hand. This is exactly what phishers and scammers hope will happen.

The goal of these calls or emails is to collect even more information about you, fleshing out a profile for future scams, which the phisher can sell to other scammers, or—the jackpot—to collect banking or credit card information and cash in.

Because these phishes do have some truth mixed in, many do fall victim.

False Blackmail

It might sound like an episode of Black Mirror—in fact, the tactics used in this blackmail email are eerily similar to those dramatized in a recent episode of the Netflix series depicting fictional futures—but scammers are now using direct emails as a method to extort information or Bitcoin from unsuspecting users.

About a month ago, Mark Anderson, Principal of Anderson Technologies, received a blackmail email scam. “As you could probably have guessed, your account was hacked, because I sent message you from it,” the scammer began in broken English. They first boasted by showing an unencrypted old password—probably acquired from Yahoo’s 2013 data breach.

The email continued to outline the threat. “Within a period from July 7, 2018 to September 23, 2018, you were infected by the virus we’ve created.” This virus, they suggested, gave them access to “messages, social media accounts, and messengers.” This apparently wasn’t enough intimidation for most scam victims, because the email then amped up the threat.

Users all over the internet report similar threats; the scammer creates a scenario that, if true, would serve as ample motivation to give in to their demands. The scammer says that video of the user was recorded while visiting “adult websites,” and that, unless 700 dollars is transferred to the scammer’s Bitcoin wallet within 48 hours, this footage would be released and they would “show this video to your friends, relatives, and your intimate one…”

So, with a relatively low payout amount, and a previously accurate (but very old) password, how did Anderson know this threat was a scam? He knew what they’d accused him of was false, not to mention he didn’t have a webcam as they’d suggested. But other clues included:

  • While the email appeared to be sent from Anderson’s old account, this can be accomplished through spoofing.
  • The password they listed was not the current (or even recent) password for that account.
  • Broken English isn’t always a giveaway, but combined with the generic threat, it seemed like a form letter.
  • Googling some of the email text brings up threads of other users exposing the scam. We’ve censored some of the less savory aspects of the original email, but the full text and breakdown can be read online.
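
The clues above (a sender address that matches your own, a long-dead password, form-letter wording, a crypto wallet and a short deadline) can be turned into a mail-triage check. The following is an added example, not code from the original post or from Anderson Technologies: it parses a raw message with Python’s standard `email` module, compares the visible From address with the envelope Return-Path, reads the Authentication-Results header that a receiving mail server adds with its SPF/DKIM verdicts, and scans the body for the extortion pattern. Both messages, the wallet string and the password are constructed placeholders.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample messages. The scam mimics the pattern described in the
# post: apparently sent from the victim's own account, an old leaked password,
# a webcam/video claim, a crypto payment demand and a 48-hour deadline.
# The wallet string and password are placeholders, not real values.
SCAM_EMAIL = """\
From: victim@example.com
To: victim@example.com
Return-Path: <bounce@mail-relay.example.net>
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=mail-relay.example.net; dkim=none
Subject: Your account was hacked
Content-Type: text/plain

As you could probably have guessed, your account was hacked.
Your password is hunter2. We recorded video from your webcam.
Send 700 USD in bitcoin to 1FakeAddrConstructedForDemoxxxxxxx within 48 hours.
"""

BENIGN_EMAIL = """\
From: Jane Doe <jane@example.com>
To: victim@example.com
Return-Path: <jane@example.com>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass
Subject: Lunch tomorrow?
Content-Type: text/plain

Are you free for lunch at noon tomorrow? Let me know.
"""

# Legacy (1.../3...) and bech32 (bc1...) Bitcoin address shapes.
BTC_ADDRESS = re.compile(r"\b(?:[13][a-km-zA-HJ-NP-Z1-9]{25,39}|bc1[a-z0-9]{25,59})\b")
# "48 hours", "2 days", etc.: the artificial urgency the post warns about.
DEADLINE = re.compile(r"\b\d{1,3}\s*(?:hours?|days?)\b", re.IGNORECASE)
EXTORTION_WORDS = ("hacked", "password", "webcam", "video", "infected", "virus")


def _domain(header_value):
    """Domain part of an address header, lower-cased ('' if absent)."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()


def analyze(raw_message):
    """Score a raw RFC 5322 message for the sextortion-scam pattern.

    Returns the individual indicators, a simple additive score and a verdict.
    None of these checks is proof on its own; together they flag the message
    for a human to look at rather than act on.
    """
    msg = message_from_string(raw_message)
    body = "" if msg.is_multipart() else msg.get_payload()
    text = (msg.get("Subject", "") + "\n" + body).lower()
    auth = msg.get("Authentication-Results", "").lower()
    from_addr = parseaddr(msg.get("From", ""))[1].lower()
    to_addr = parseaddr(msg.get("To", ""))[1].lower()

    indicators = {
        # "Sent from your own account" is a classic spoofing tell.
        "sent_to_self": bool(from_addr) and from_addr == to_addr,
        # Visible From domain differs from the envelope sender domain.
        "return_path_mismatch": bool(msg.get("Return-Path"))
        and _domain(msg.get("From")) != _domain(msg.get("Return-Path")),
        # The receiving server's own SPF/DKIM verdict failed.
        "auth_failed": "spf=fail" in auth or "dkim=fail" in auth,
        "crypto_payment_demand": BTC_ADDRESS.search(body) is not None,
        "deadline": DEADLINE.search(body) is not None,
        "extortion_language": sum(w in text for w in EXTORTION_WORDS) >= 2,
    }
    score = sum(indicators.values())
    return {"indicators": indicators, "score": score, "likely_scam": score >= 3}


if __name__ == "__main__":
    for name, sample in (("scam", SCAM_EMAIL), ("benign", BENIGN_EMAIL)):
        print(name, analyze(sample))
```

The header checks matter more than the keyword checks: a mail server that publishes SPF and DKIM results lets you see that the “from yourself” address was never authorized to send, which is exactly the spoofing the first clue in the list describes.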

If you receive this email or a similar threat, your first step should be to research the threat online or reach out to an IT expert. Never pay a blackmailer, a ransom, or any other demand for money. Instead, update your passwords, run anti-virus and anti-malware scans on affected devices, and consider implementing multi-factor authentication on your accounts in order to bolster your security profile.

Are you looking for an IT expert to help guard your small business from scams like this? Contact Anderson Technologies by phone (314.394.3001) or email (info@andersontech.com) today.

Get Hip to HIPAA!

Even if you’ve never worked in the healthcare industry, you’ve probably heard of HIPAA. An appointment to get your teeth cleaned comes complete with a slew of forms that include your rights according to HIPAA.

But can you explain what HIPAA is and why that form is necessary? We often sign and date and move on, knowing it relates vaguely to what our care provider can do with our private health information.

HIPAA includes a lot more than you may realize, and if you work with Protected Health Information (PHI), especially electronic Protected Health Information (ePHI), understanding HIPAA is crucial. This article is the first in a series discussing what HIPAA is, understanding the Privacy and Security Rules, and analyzing HIPAA compliance standards.

What Does HIPAA Stand for?

If you’re not exceptionally familiar with this acronym, you may think it stands for the Health Information Privacy and Accountability Act. That seems reasonable given how the everyday person is exposed to it. In fact, it stands for the Health Insurance Portability and Accountability Act.

That doesn’t sound so familiar, does it? HIPAA was enacted in 1996 not with the intent to protect people’s privacy, but instead to regulate and simplify the health insurance industry. According to the official HIPAA language, the objective of this government regulation is:

To amend the Internal Revenue Code of 1986 to improve portability and continuity of health insurance coverage in the group and individual markets, to combat waste, fraud, and abuse in health insurance and health care delivery, to promote the use of medical savings accounts, to improve access to long-term care services and coverage, to simplify the administration of health insurance, and for other purposes.

Essentially, Congress wanted to make health insurance cheaper and simpler by reducing administrative costs and creating a standard method that everyone related to the health insurance industry could adopt. So where does all this privacy and security regulation come into play? The requirement “to simplify the administration of health insurance” triggered everything.

In the Administrative Simplification section of HIPAA, the Act requires that the rights of individuals relating to the use and disclosure of their health information be clearly explained and that standards are set for the electronic exchange of health information. These two subsections, privacy and safeguards, would later be addressed in what is now referred to as the Privacy Rule and the Security Rule.

The Privacy Rule

The Privacy Rule went into effect in 2000 and has been amended several times. It lays out the standards and guidelines for how PHI in all forms—verbal, physical, or electronic—can be used and disclosed. The Privacy Rule is the reason you know the acronym HIPAA at all.

Thanks to the Privacy Rule, health care providers, insurance companies, and their business partners must follow the same rules regarding health information. Individuals have the same right to access and the same expectation of privacy from all entities according to the guidelines in the Privacy Rule. PHI can include:

  • identifiable personal information,
  • any medical or mental health condition diagnosed during the lifetime of the individual,
  • any treatment or procedure performed in the lifetime of the individual,
  • payment information relating to health care,
  • and any identifiable or medical information that the individual wants restricted.

The Privacy Rule is also the reason you must sign that form stating you understand your rights according to HIPAA. Being informed that you have the right to privacy is part of your legal rights. There are exceptions to these rules, such as life-threatening emergencies, court orders, and release of information authorizations, but all are directly addressed and specified within the rule.

Ultimately, the HIPAA Privacy Rule sets the standard for each patient’s right to privacy regarding their PHI. Thanks to the Privacy Rule, PHI is automatically considered confidential in almost all circumstances, and it also explains under what circumstances PHI may be shared.

The Security Rule

The Security Rule is a little different. It first went into effect in 2003 and, unlike the Privacy Rule, relates only to ePHI. The Security Rule established the safeguard standards everyone dealing with ePHI must follow to be HIPAA compliant. Compliance means all ePHI is stored, processed, and transferred in a way that ensures patient privacy. While it doesn’t dictate specific implementation steps, since each company’s use of and needs around ePHI are different, anyone dealing with ePHI must address each specification.

HIPAA began as a way to simplify health insurance procedures and make those handling health information more accountable for every citizen’s rights regarding their private health information, and its effects have been far-reaching. For anyone dealing with PHI, the requirements can appear daunting at first, but with a trusted IT partner, HIPAA compliance means any and all health information will be safe in your hands.

Look for our next HIPAA article, which will discuss the Security Rule in more detail. Until then, you can contact Anderson Technologies’ expert consultants for help navigating HIPAA compliance by calling 314.394.3001 or emailing info@andersontech.com.

MFA – An Extra Layer of Digital Protection

What do logging into Netflix from a new device, updating your PayPal account, answering questions about your first car before accessing your iTunes, and withdrawing money at an ATM all have in common? Authentication!

The National Institute of Standards and Technology (NIST) creates guidelines for passwords and the software that requires them, which Anderson Technologies has previously discussed. Technology is still changing to adopt these standards, so it is up to us to take cyber security into our own hands—and that includes business security practices. The most commonly used and overlooked of these measures is password safety and authentication.

Hackers are great at keeping up with technology, so as consumers and business owners, we must keep up with it as well to stay safe. Multi-factor authentication (or MFA) has been around for years, and it’s so common that we take advantage of it more than we might realize. MFA remains one of the strongest defenses surrounding our digital lives.

What Does MFA Look Like?

You’ve probably already encountered MFA without realizing it. Any website that utilizes verification codes or emails is using a form of MFA. A task as simple as changing your Apple ID requires MFA to confirm the new information. IT Glue describes instances of MFA that don’t involve technology at all, like showing government ID to verify your identity.

MFA as it applies to your business’s safety most often takes the form of software that requires a user to provide two forms of evidence proving they are authorized to access the system. This includes security codes, verification emails, security questions, and biometric software. However, it is not necessary to contact your bank or insurance company to initiate MFA. Applications like Google Authenticator or Authy can be attached to countless logins by connecting your account information.

What does this look like for the user? Validated access to your account (your email, for example) is established with a unique QR code or numerical key that securely connects your mobile device. From that point forward, logging into the site requires not just your standard username and password but also a randomized six-digit code available only on your device. This code refreshes every 30 seconds for even greater security. Many sites that store confidential data—think Intuit or IT Glue—require connecting your account login with an MFA application of your choice.
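
To show what happens behind the six-digit code, here is an added example, not code from the original post or from Google Authenticator, Authy, or any other product named here. Authenticator apps implement the time-based one-time password algorithm of RFC 6238 (built on the HMAC-based scheme of RFC 4226): the QR code carries a shared secret, and each code is an HMAC of that secret and the current 30-second time slot, so the phone and the server can both compute it without talking to each other. The secret below is the RFC test-vector key, used here as a constructed demo value; `verify_totp` also shows the two checks a server side needs that the paragraph does not mention, tolerating one step of clock drift and refusing to accept the same code twice.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed demo secret: the RFC 4226/6238 test-vector key. In practice the
# server generates a random secret per user and shows it to the phone
# base32-encoded inside the QR code.
DEMO_SECRET = b"12345678901234567890"
DEMO_SECRET_BASE32 = base64.b32encode(DEMO_SECRET).decode()


def hotp(secret, counter, digits=6):
    """HMAC-based one-time password (RFC 4226) for one counter value."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)             # keep leading zeros


def totp(secret, at=None, step=30, digits=6):
    """Time-based OTP (RFC 6238): HOTP with counter = unix_time // step."""
    at = time.time() if at is None else at
    return hotp(secret, int(at) // step, digits)


def verify_totp(secret, code, at=None, step=30, digits=6, window=1, last_used=None):
    """Return the time counter the submitted code matched, or None.

    window: how many 30-second steps of clock drift to tolerate either way.
    last_used: the most recent counter already accepted for this user; any
    candidate at or before it is refused so a code that was observed once
    cannot be replayed during the same time slot.
    """
    at = time.time() if at is None else at
    now = int(at) // step
    for drift in range(-window, window + 1):
        candidate = now + drift
        if last_used is not None and candidate <= last_used:
            continue
        # Constant-time comparison so timing does not leak partial matches.
        if hmac.compare_digest(hotp(secret, candidate, digits), code):
            return candidate
    return None


def secret_from_base32(encoded):
    """Decode a secret as it appears in an otpauth:// URI / QR code."""
    cleaned = encoded.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)   # apps usually strip the '=' padding
    return base64.b32decode(cleaned)


if __name__ == "__main__":
    print("secret in QR code:", DEMO_SECRET_BASE32)
    print("code right now:   ", totp(DEMO_SECRET))
```

Because the server must keep the secret to compute the same code, a breach of the server's user table exposes every TOTP secret in it; storing those secrets encrypted, and recording the last accepted counter per user, are the two server-side details that distinguish a sound deployment from one that merely looks like MFA.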

Some sites and servers have their own internal methods of verification, and other MFA methods may require special hardware. These are useful for businesses and organizations that use specialized systems to access confidential databases. This includes cashiers logging into their retail system or technicians scanning an ID card to pull up your file during a dentist visit.

What Are the Benefits of MFA?

Once hackers get their hands on your login credentials, it’s easy to mine data from your other accounts. MFA acts as a barrier to the hacker by assuring the identity of the user attempting to log in. By using a secure method of authentication like Touch ID or Face ID on your smart phone, unless an unauthorized user has your fingerprint or face, it’s impossible for them to authenticate using your device.

MFA is beneficial for companies that have employees on the go or working remotely. Using multiple layers of authentication allows remote employees to securely access encrypted data from unfamiliar networks and devices.

What Are Some Challenges to Integrating MFA?

Resistance to change is one of the tallest hurdles when integrating MFA into your business networks. Though MFA usually uses devices your employees already have (like their smartphones and watches), the extra steps needed to gain access can seem superfluous. Some people see MFA as inconvenient or time consuming; however, this is rarely the case when using simple applications.

MFA goes hand-in-hand with the Zero Trust security model, an approach that requires authentication at every step of the login process. New security concepts can be challenging to introduce in the workplace, but like all new plans of action, eventually the multiple verifications will become second nature. Your company will greatly benefit from knowing all data is secure.

You and your employees may find it valuable to coordinate with a managed services provider when integrating MFA into internal networks, especially if your needs require special enterprise-grade hardware. An IT support team can provide training to ease the transition for your employees, some of whom may be hesitant or feel they don’t have the time to properly implement MFA.

With a little practice and an IT team behind your business’s transition, MFA doesn’t have to be intimidating or bothersome—and the benefits are great. For more information on how to keep your business safe using MFA, contact Anderson Technologies today at 314.394.3001.