Contact Us Today!   314.394.3001   |   info@andersontech.com

Archive for category: How To

HIPAA Part 6: Plan for the Worst

/in , /by

No one likes to think they’ll suffer a disaster, a ransomware attack, or a data breach, but hope isn’t enough to satisfy HIPAA. The question is no longer if something will happen, but when. HIPAA expects you to plan, prepare, test, and be ready for anything that could disrupt the confidentiality, integrity, or availability of your ePHI and affect patient care.

In this installment of our HIPAA series, we’re going to look at the different kinds of disaster planning HIPAA requires and the importance of knowing how to implement them.

Security standard §164.308(a)(7): Contingency Plan is an umbrella term for a number of more specific plans that are meant to ensure the availability, integrity, and confidentiality of ePHI in the event of a disaster or other major security incident. While the Security Rule doesn’t explicitly require you to include other parts of your business, non-electronic PHI is still covered by the Privacy Rule, and most cyber security insurance plans require some degree of business contingency planning.

First Things First

Before you can start making plans to keep your business going during and after a disaster or cyber security incident, you first need to know what parts of your business, hardware, software, and data are critical to operations and security. HIPAA requires this in implementation specification §164.308(a)(7)(ii)(E): Applications and Data Criticality Analysis. But don’t let its position after the contingency plans fool you. This needs to be done first and foremost.

Even though §164.308(a)(7) only references assessing “specific applications and data,” if you are implementing business-wide contingency plans, you’ll want to go through all your daily operations and vital processes to determine what you can’t do a day’s worth of business without and what you could leave for when your world is no longer upside down. Without this information, you won’t be able to create the plans necessary to fulfill the following implementation specifications.

The Big Four

 One thing to remember about the plans listed below is that they don’t have to be completely isolated from each other. You might find combining pieces together (such as lists of vendors, hardware, software, etc.) is more practical than listing them in each plan separately. What’s important is that employees are trained, know what they are responsible for, and where to access this information in an emergency situation. There’s no use making a plan if no one uses it.

Following standardized responses should minimize errors, particularly those that might be caused by stressful incident handling situations.” – NIST SP 800-61r2 Computer Security Incident Handling

  1. 164.308(a)(7)(ii)(A): Data Backup Plan

What does it do? Your data backup plan is one of your most vital recovery plans. It provides you with assurances of data integrity and availability in emergency situations. For healthcare facilities directly caring for patients, data loss or network failure could mean the inability to treat patients. All ePHI must be backed up, preferably in a place that won’t suffer the same disaster as your facility, such as in cloud storage or in a separate secure location.

Your data backup plan should include who is responsible for maintaining the backups, verifying all data is being backed up, testing that backups can be retrieved, and who to contact when backups are needed.

When does it go into effect? You should make this a priority. Your data backup plan needs to be up and running before an emergency strikes. 

A data backup plan is also one of the best defenses against ransomware. Read more about that here!

  1. 164.308(a)(7)(ii)(B) Disaster Recovery Plan

What does it do? The complexity of a disaster recovery plan depends on how much of your business you choose to include. §164.308(a)(7)(ii)(B) specifies you must “establish (and implement as needed) procedures to restore any loss of data.” More comprehensive business-wide plans would include other data vital to the company that isn’t specifically ePHI.

A disaster recovery plan should include the hardware, software, backups, environment, vendors, business associates, etc., necessary to recover data lost in a disaster or cyber security incident. It also covers the people responsible for coordinating and performing all disaster recovery efforts. Employees assigned in this plan should be trained and ready to fulfill their duties in the event of a disaster.

When does it go into effect? A disaster recovery plan helps you recover lost data and infrastructure after a disaster or cyber security incident has occurred. 

  1. 164.308(a)(7)(ii)(C): Emergency Mode Operation Plan

What does it do? This plan could also be called a continuity of operations plan. Its intent is to keep your business or facility operating at a level necessary to ensure patient safety and ePHI security the moment a disaster hits. Downtime can not only cost a lot of money, but can be detrimental to facilities actively caring for patients.

By having the procedures in place for any number of emergency situations, employees can react immediately, know who to contact, how to bring critical business processes back online, and maintain the necessary security and privacy standards required by HIPAA. A good emergency mode operations plan should have contact names, numbers, first response expectations, and anything else an employee would need to recover critical operations in the first 12-36 hours.

More than the other plans, having done a thorough and accurate criticality analysis is vital to a successful emergency mode operation plan. You need to be aware of what you need to restore and in what order it needs to be restored to effectively continue with daily operations as best you can. Failure to do a proper criticality analysis can waste time and resources by focusing recovery efforts on functions that aren’t immediately necessary.

When does it go into effect? An emergency mode operations plan should be implemented during a disaster to keep the business going, and, in the case of healthcare facilities, to keep patients safe and cared for appropriately. 

  1. Business Continuity

What does it do? You’ll notice that there is no implementation specification that goes along with this plan. The Security Rule doesn’t specifically require a business continuity plan, but it can be a useful addition to a set of contingency plans.

While the other plans all focus on what happens during or immediately after an emergency situation to keep your business running, a business continuity plan focuses on getting you back to where you were before the disaster. What are the lower priority vendors or clients that you might have missed contacting already? Do you know all the hardware and software that needs to be replaced or recovered? Think of it as the long-haul plan that doesn’t let you forget about the little things. Disasters are stressful, and a good business continuity plan can keep you on track through the mental fatigue that can set in after a disaster.

When does it go into effect? Business continuity plans help you bring your entire business back to normal day-to-day operations after a disaster occurs and the crisis period is over.

Incident Response

There are many different kinds of cyber security incidents that could affect your business. While all incidents are major problems when they occur, you may not require the full emergency responses planned out above. In these cases, individual plans geared directly to cyber problems can be useful tools.

Depending on your risk, you may want more than the two plans below, but if you’re covered by HIPAA, these are important ones to include with your disaster management plans. The better prepared you are for an incident, the safer you can make your data and the faster you can recover from an attack.

Companies that identified a breach in less than 100 days saved more than $1 million as compared to those that took more than 100 days. Similarly, companies that contained a breach in less than 30 days saved over $1 million as compared to those that took more than 30 days to resolve.”  — 2018 Cost of a Data Breach Study, Ponemon Institute (emphasis added)

  1. Data Breach Response Plan

While a breach is any impermissible use or disclosure of PHI, a data breach response plan focuses on ePHI specifically. It lays out how to secure your systems after a breach, who to contact if you need more support, what to do once the threat is identified and fixed, and who must be notified of a breach of ePHI or other personally identifiable information (PII). (Remember, properly encrypted data isn’t a breach.) The FTC has a good outline for what to incorporate into your data response plan, and the HHS thoroughly explains all the requirements of a breach under HIPAA.

  1. Ransomware Attack Response Plan

The criticality of care facilities combined with the black market price of ePHI makes the healthcare industry a prime target for ransomware and other cyber attacks. And like most cyber attacks, ransomware deals two-fold damage, from the recovery itself to the subsequent breach notifications that must follow. (Remember, unless you can prove that ePHI has not been accessed due to safeguards in place, it’s a breach. For more on Ransomware and HIPAA, see the HHS’s Fact Sheet.)

A ransomware attack response plan sets up the procedures your employees should take in the event of a ransomware attack, such as steps to quarantine an infected machine, who to contact, and what not to do. It should also have procedures for technicians and management in how to secure the network, purge the system, recover lost data (per the data backup plan), and notify required parties. Also include the contact information of the law enforcement department to report the attack to, whether that is local, state, or federal. (For more information see the Department of Justice’s guide, “How to Protect Your Networks from Ransomware.”)

Test! Test! Test!

Most important of all, you need to test your contingency plans routinely and make sure all your employees are trained and know where to find the plan in emergency conditions. A plan no one knows about or can find is a plan that won’t be implemented. Besides, HIPAA requires it.

So make contingency plans part of your annual and new hire training. Make sure all your employees can find the plans and know what they are responsible for. Make sure everyone knows who’s in charge during emergency situations so that plans can be implemented fast and efficiently. It can save you time, money, and headaches when the worst happens.

If you need help implementing a cyber security incident response plan or training your employees in the best practices, contact Anderson Technologies at 314.394.3001 or by email by info@andersontech.com.

3 Easy Ways to Make the Most of Your Firewall

/in , , , /by

Is the mess of cords and cables in your server room weighing heavy on your mind? Whether or not you rely on a managed services provider (MSP) to keep your IT systems organized and in check, you have a responsibility as a business owner to understand the hardware that keeps everything running.

Misinformation about firewalls is one of the most common issues we see at Anderson Technologies. When asked “Do you have a firewall?” most business owners will emphatically respond “Yes!” without realizing that they’re unfamiliar with the hardware that they think is safeguarding their company. That dusty router in the corner of the phone closet or server room probably isn’t doing much more than its job, which is definitely not to protect your network.

We’ve previously written about the differences between hardware and software firewalls, and Anderson Technologies always recommends an enterprise-grade hardware firewall for businesses under our care. But don’t let that be the extent of your knowledge!

Below we’ve compiled a quick guide to understanding the nuances of your firewall and related equipment. By using the tips below, you’ll have an extra level of familiarity when discussing your hardware options with your MSP or teaching your employees proper cyber security protocol, as when striving for HIPAA compliance.

  1. Get to Know Your ISP

You might be asking, “What does my internet service provider (ISP) have to do with my firewall?” The answer to this question varies greatly depending on your network setup. When asked about firewalls, many business owners automatically point to their internet modem or router, and misinformation from ISPs and previous MSPs are to blame.

Most home networks don’t have or require a separate hardware firewall, because the modem and/or router provided by your ISP may have a basic one built in—that is, if it’s configured correctly (more on configuration in #2). Businesses, on the other hand, almost certainly require a more robust level of protection in the form of a hardware firewall. Though HIPAA’s security standard §164.308(a)(5) doesn’t explicitly state the particular hardware necessary to protect against malicious software, having a trustworthy firewall can help and is well worth the investment beyond regulation compliance.

Your ISP factors into the firewall equation at a very basic level. After all, if you don’t have an internet connection, what is your firewall protecting? Your MSP can easily adjust things like wireless access points and device connections, but if there’s a problem with the internet itself there’s not much we can do. Whether you’re using your wireless router’s built-in firewall or an enterprise-grade Meraki, that stream of internet flowing into your business relies solely on your ISP.

Along with your IT services provider, your ISP is a partner and resource when it comes to the technical workings of your business. Always have your ISP’s contact information handy in case a security or performance problem is coming from the foundation of your network—the internet itself.

  1. Configure, Configure, Configure!

Configuration is a term that tends to scare those who don’t consider themselves “tech-savvy,” but at its root, configuration is nothing more than telling your devices how to work.

Think about it this way: when you bring your new smartphone home, it won’t have any of your personal settings or information. Maybe the menu text is too small to read, or the brightness and sound aren’t set to your liking right out of the box. Fixing these settings may take some general knowledge about how the phone works, and possibly some investigation and deduction. But once you’ve changed all the settings to fit your lifestyle, the phone will be working for you and not the other way around.

Configuring your firewall and other network equipment works pretty much the same way, but with nuances that might require outside IT services. Firewall configuration determines which user accounts can manage the firewall’s settings, which computers can access different layers of confidential data, and any other restrictions you need to implement. After this, your firewall will know exactly how to act in a way that meets your business’s individual needs. Guides on configuring your firewall on your own aren’t difficult to find, but when it comes to your business’s firewall, if you feel unsure about how to program it, consulting with a professional is recommended.

  1. Bolster Your Network—Inside and Out

Businesses are prey to targeted attacks more than ever, according to Symantec’s 2019 Internet Security Threat Report. Cyber criminals are stealthier in how they infiltrate networks and know how to take advantage of any weakness. Your firewall serves as your network’s dedicated bodyguard, but what is a bodyguard without backup when trouble arises? Supplement your firewall with both inside and outside reinforcements.

Network protections from the inside include intrusion prevention systems (IPS), robust antivirus/antimalware software, and protective buffers like Proofpoint or multi-factor authentication (MFA). If a cyber threat circumvents the firewall by entering your network from the inside—such as from unregulated permissions or compromised or unpatched software—security software can mitigate the damage. Inside protection also includes ransomware detection and data backups in case the worst happens.

What about protections outside your firewall? Those can be more difficult to implement, if only because they deal with the most vulnerable factor in any security network—humans. Email filtering tools (like Proofpoint) and internet content filtering software (CFS) can screen most of the potential threats that present themselves to your employees. But all it takes is one employee opening one spammy link from a spear phishing email, and your whole network becomes victim to a targeted attack. Everyone on your team needs to have the same awareness, goals and training because firewalls can only do so much on their own.

Firewalls are amazing investments that can save your business hundreds of thousands in the long run by preventing devastating cyber attacks. It’s important to know what’s going on beyond all those cables, circuit boards, and blinking lights. And when someone asks if you have a firewall, you’ll be able to confidently point out the device and know your network is protected.

Anderson Technologies is always here to answer any questions you may have, regarding firewalls or other cyber security topics. Contact us today here or by calling 314.394.3001.

HIPAA Part 5: The Cycle of Risk

/in , , /by

In part 4 of our HIPAA series, we dug deep into the Security Risk Analysis (SRA) and how to perform one. This time, we’re going to look at what to do with the SRA once it’s completed. The SRA serves as a starting point for fulfilling many of the standards of the Security Rule, but its most important function is to help you create a risk management plan to mitigate and monitor the risks you identified. The risk management plan will determine what actual changes you make to ensure your electronic protected health information (ePHI) and your business are safe from all reasonably anticipated threats.

What is a Risk Management Plan?

In the SRA, risk is identified, current security measures are evaluated, and the potential impact of a vulnerability being exploited/triggered is determined. A risk management plan takes all that information and turns it into a plan of action. It prioritizes the risks with the greatest impact, puts plans in place to mitigate the danger, implements those plans, then evaluates whether the risk is brought down to reasonable and appropriate levels.

The SRA and the risk management plan together serve as the foundation for compliance with the Security Rule. If you’ve performed a thorough SRA and created a comprehensive risk management plan, many later standards may be fulfilled in the process of implementing the plan and mitigating the identified risks.

A comprehensive risk management plan also serves to satisfy several HIPAA standards.

  • 164.308(a)(1)(ii)(B) – Risk Management: Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with §164.306(a).
  • 164.308(a)(8) – Perform a periodic technical and nontechnical evaluation, based initially upon the standards implemented under this rule and subsequently, in response to environmental or operations changes affecting the security of [ePHI], that establishes the extent to which an entity’s security policies and procedures meet the requirements of [the Security Rule].

4 Steps to Creating a Risk Management Plan

  1. PrioritizationThe first step of analyzing the data produced in the SRA is to prioritize which risks need to be addressed immediately and which can be addressed in the future. All risk eventually needs to be dealt with, but budgets, manpower, and immediate threats will all factor into how and when.

    It’s vital that senior management is involved in the risk management planning process. Mitigating risk to a reasonable and appropriate level may require considerable investment of both time and money. New hardware infrastructure or outside help from IT professionals may be necessary, and employees’ time may be needed to create new policies and procedures and train staff. Even if the budget-makers aren’t involved in the SRA, having them involved in the risk management plan will help to prioritize what needs to be handled first, and allow them to see why the investment is necessary.

  2. MitigationOnce the risks are prioritized, the next step is to decide how to mitigate the possible danger. Just as with the rest of HIPAA, how this happens is determined differently by each company depending on the level of risk posed and the resources available.

    What’s important to remember is that the goal is not to eliminate risk all together. If it’s possible to do so and still have a functioning and sustainable business, all the better, but for most businesses, the complete elimination of risk may be either too expensive or too prohibitive to actually continue fulfilling their core mission. The goal of mitigation is to reduce risk to a reasonable and appropriate level. Do all you can within your means to protect ePHI.

    We cannot stress enough that while cost is one factor to consider in your mitigation strategy, it alone cannot be used to justify not mitigating risk if the likelihood of a threat and the potential impact are severe enough.

  3. ImplementationA comprehensive risk management plan is useless if it’s not implemented. Failure to put the new policies and procedures to safeguard ePHI into action throughout your company can result in the vulnerabilities you identified being exploited: exposing ePHI, your company losing trust, and incurring serious fines.

    Implementation needs to occur at all levels of your business, from documenting the newly created policies and procedures, to infrastructure investments, to checking the settings on hardware you identified as a risk. According to NIST SP 800-39,

    The objective is to institutionalize risk management into the day-to-day operations as a priority and an integral part of how organizations conduct operations . . . recognizing that this is essential in order to successfully carry out [business] missions in threat-laden operational environments.

    NIST is talking about IT operations, but the same is true to all threats to ePHI. A culture of avoiding or mitigating risk at every level can produce a working environment that protects ePHI and strives to maintain security measures. Remember, the risk management plan is essentially a plan of action that must be put into practice to be successful.

  4. EvaluationImplementing your risk management plan won’t protect ePHI if, ultimately, the mitigation strategy you chose doesn’t work as expected. That’s why evaluating the success of your risk management plan after implementation is important. Once in place, you may find that what you thought would mitigate the risk hasn’t done so, or hasn’t done it as well as necessary to bring the danger down to reasonable and appropriate levels. Or you may find that while it does mitigate risk, it also causes severe difficulties in the day-to-day operations of your business. In these cases, another strategy may be more successful for your business in the long run.

    §164.308(a)(8) also requires covered entities to “perform a periodic technical and nontechnical evaluation . . . in response to environmental or operations changes . . . that establishes the extent to which an entity’s security policies and procedures meet the requirements of [the Security Rule].” This means that subsequent SRAs need to be performed and your risk management plan re-evaluated whenever there are major changes to your business or IT infrastructure that could affect ePHI.

    Like we mentioned in Part 3 of our HIPAA series, documentation is a constant part of compliance with the Security Rule, and the risk management plan is no different. Having a clear record of what you planned, when and how you implemented the plan, and the success or failure of those actions are necessary not only for your own future use but also in case you’re audited.

The Cycle Never Ends

The most important thing to remember about risk is that it never ends and is always finding new ways to threaten your business. You have to keep moving right along with it. Risk management is a continuous cycle of analyzing risk, implementing a plan to fix it, determining if that plan worked, and repeating.

For some businesses, performing an SRA and updating a risk management plan might be an annual activity as part of their HIPAA compliance. Other businesses that have fewer risks and fewer changes to the business may decide to wait two or three years between SRAs. It all depends on what is reasonable and appropriate for your organization.

Just don’t stop moving through the cycle of risk management. Danger doesn’t stop changing, and neither should you.

 

If you need help implementing the IT requirements of your risk management plan, contact Anderson Technologies today at 314.394.3001 or email us at info@andersontech.com.

Taking Your Nonprofit to the Cloud!

/in , /by

As a nonprofit, you are frequently responsible for doing more with less. Saving time, money, and effort is essential to maintaining and expanding your reach with limited manpower and funding. One of the most accessible ways to do that is through the technology department.

In part one of our series for nonprofit organizations, we discussed how digital presence can impact your work. In part two, we tackle the cloud. Moving computing, storage, and backups to the cloud may sound daunting, but with a managed services provider at the helm, the process can be smooth and beneficial in many ways.

What is the Cloud?

Despite the name, the cloud is tied to earthly locations. The cloud refers to software and services that run on the internet, rather than locally, and are hosted on a vast network of servers, constantly saving and delivering applications, files, and settings.

A cloud service provider makes services and server space available to you. Cloud service providers have varying costs and regulations, so choosing what is right for your nonprofit is important.

Read more about our work with nonprofit organizations!

Know the Terminology

There are two major ways the cloud can be used in a business or nonprofit environment: cloud computing (including cloud services), and cloud backup. Most commonly, these are used in conjunction, but the cloud isn’t an “all or nothing” deal. Nonprofits can benefit from utilizing the cloud a little – or a lot!

Cloud Backup

Instead of keeping copies of files, programs, and systems on offline storage devices or a second server, maintained and refreshed in case the main on-site server malfunctions, this same data can be kept in the cloud. You may be familiar with cloud backup services like Acronis, Carbonite or MozyPro being used as a backup for files.

When used instead of or for augmenting traditional backups, cloud backups can provide a more seamless transition as well as more current saves, whereas traditional systems typically back up information once a day. That means device failure is less likely to destroy files that are saved in the cloud! Files are immediately available by logging into the cloud environment and can be synchronized back to the new hardware from the cloud copy.

Cloud Services and Computing

If you use Google G Suite, Microsoft Office 365, or Netflix, you are already using cloud services without realizing it! Instead of using a local server, cloud computing utilizes a network of servers hosted online to store and process data. Cloud computing can scale from running a handful of programs, to having full cloud environments that mirror office computers.

With cloud computing, nonprofit files and applications are accessible whenever and wherever you or your coworkers need them. These can be accessed from any device with a secure internet connection (workstations, laptops, tablets, or even from their mobile phones). Your team members are no longer limited to one physical location and can access information and programs from the office, home, while traveling — anywhere.

How Can the Cloud Benefit My Nonprofit?

Software as a Service

Also known by its acronym, SaaS, software as a service is only made possible through cloud computing. Instead of installing software locally via CD-ROM, SaaS is downloaded from the internet, and typically, instead of a one-time, up-front cost, SaaS is provided in monthly subscription packages. This keeps costs low and covers updates, and often special discounts are available for nonprofits. Intuit QuickBooks Online, for example, when used as SaaS, offers automatic backups, app integration, and access designed for mobile as well as desktop devices.

Mobility

Probably the most widely known benefit of utilizing the cloud for computing is mobility. Mobility means that while using the cloud, you and your team members are less constrained and have far greater flexibility when it comes to accessing your organization’s data. In the past, this kind of secure access from around the world would require specialized software and a VPN tunnel to a dedicated server located within your office. Now, securely accessing work files remotely has been streamlined. With cloud services, you can access documents and applications using any device with an internet browser, including your smartphone.

Security

Whether you are working remotely or sharing sensitive information with the board, the cloud offers a secure solution. In the past, a transfer of data would have meant setting up an FTP server or investing in email encryption. Through the cloud, files can be shared almost instantly with increased security and flexibility. There are limitations here, however. As reported by Symantec in their Internet Security Threat Report 2019, 70 million or more records were stolen or leaked “as a result of poor [cloud] configuration.” Much like other aspects of IT, with quality management and monitoring the cloud can be a huge asset.

Email

Rather than hosting email onsite on a Microsoft Exchange email server, this service can also be moved to the cloud. In this case, there is an enormous possibility of increased efficiency and lower cost.

Reduced Liability

Because a cloud service provider is behind the wheel of your cloud services, the individual – that’s you! – has reduced exposure due to relying on a third party’s expertise in the case of a data breach or malfunction. In terms of HIPAA compliance, you still have a responsibility to ensure that the cloud service provider you choose is compliant, and it’s important to vet the providers you partner with, regardless of regulation. Instead of trying to do everything yourself (at an increased cost, and higher effort), outsource to those who are the experts. Using a cloud service provider means you will pay less, but get more.

Price

Compared to the price of maintaining your own dedicated infrastructure, cloud computing, storage, and backups can offer the potential for discounts. Microsoft, for example, offers several free service options specifically designed for nonprofit organizations.

There is a caveat here. Anderson Technologies has seen certain nonprofit-specific software providers drastically raise the price for SaaS over a standard license run on a local server. Some cloud service providers specializing in donor databases price SaaS by the number of entries in the database rather than the number of users who need access. For small nonprofits with a large reach, this can really impact the total cost of moving to the cloud. There are cases where a cloud service provider can adjust cost, but for the few who rely on specific, costly software, this factor may override other benefits of the cloud.

Ultimately, managed services make cloud computing work. With IT experts behind you, moving to the cloud can be straightforward, with backups fully automated, settings securely configured, and you’re less likely to be overcharged by a cloud services provider. Anderson Technologies knows what it takes to run a nonprofit’s computing environment smoothly and on budget. Are you ready to take your nonprofit to the cloud? Call us today at 314.394.3001 or email us at info@andersontech.com.

4 Strategies for Boosting Your Nonprofit’s Online Presence

/in /by

The world of technology and the internet can look very different from a nonprofit organization’s perspective. With a board of directors, budgets, and often limited personnel, properly vetting and implementing new technology can be a daunting task.

In the first of our series of blog posts focused on technology and nonprofit organizations, we take a look at the best tips to help grow your nonprofit’s digital presence. Here is some of what’s new in the world of the web and social media that can help your organization succeed.

Make the Internet Work for You

What does your nonprofit’s web presence look like? Is it a seldom-updated Facebook page? A website that hasn’t seen a major overhaul in years?

The internet is all about visibility, reliability, and holding a user’s attention. Once you establish these, client and donor engagement should follow.

Visibility

If a potential donor uses Google or Bing to search for your nonprofit, what will they find?

Search engines now seek to provide the smart answers. They try to answer a search’s intent, and they try to do it well. As search engine algorithms have evolved, so has the field of search engine optimization (SEO). For your website, the process of SEO implements what Google or Bing’s algorithms are looking for in your nonprofit’s category. Sites that maximize their SEO show up higher in search results.

The first step to visibility is actually having a web presence, which means having not just a Facebook or LinkedIn page, but also a well-maintained website. A pre-formatted site from a provider like WordPress or SquareSpace can serve your purpose, if done well.

The number one way to build your digital presence is to have one! Make sure you have a website, and keep it updated.

Reliability

The second step is optimizing your presence. When is the last time your web presence was updated? Search engines look for sites that are regularly updated. A site that hasn’t been touched quickly drops in rank compared to other sites that discuss the same topics. Even name recognition goes down when tied to a stagnant web presence.

How accurate are your listings? All websites, Facebook pages, and directory information should point to the same location, hours, and phone number. Consider the clients. If there are two or three addresses listed, where should they go? Many will seek another solution, rather than attempt to navigate a confusing one.

Inaccurate or missing information is a signal to search algorithms that your site probably isn’t the most reliable source for information. The ultimate reliable website shares everything a user needs to know in an easy-to-navigate menu with mobile-friendly formats and inspires confidence in your nonprofit as a result.

Google yourself! Does all the information that comes up point to the right place, times, and contact information?

Attention Grabbers – and Keepers

No one is suggesting that your nonprofit become the next Buzzfeed, but a website user who is interested in the information on your site stays longer, visits again, shares information with friends, and —most importantly—can become a client, volunteer, or donor.

Entertainment doesn’t have to mean flashy videos. Think about what a visitor to your website wants to see. Your site should be easy to navigate, provide clear information, and answer potential questions. The nature of search algorithms (the higher a site ranks in search, the more people visit, the longer the visits, the more trust the algorithm has in a site, the higher a site ranks in search, etc.) means it’s important that visitors don’t just click once and are done.

Because of the personal and often life-changing impact nonprofits offer, you have a unique opportunity to keep website visitors interested and engaged. Personal stories about real people can spur volunteers and donors into action. They are also a wonderful source of content for social media.

Provide the information visitors need, and then give them a reason to keep reading.

Stake Your Claim in the Social World

Think of social media as free advertising. Searches for organizations and people are not just done on search engines, but on platforms like LinkedIn and Instagram. Presence on social media not only gives you a place to post updates, advertisements, and success stories, but also helps build a complete profile of your organization.

If you are a total stranger to social media, getting started may seem daunting. But as discussed above, SEO makes or breaks online visibility. Algorithms, whether Google’s or Facebook’s, determine what users see when they type in a keyword or the name of a nonprofit. Active social media accounts inform those algorithms that the page is active and that it has a better chance of containing the answer to a searcher’s query. An up-to-date listing on Facebook or Google My Business assures algorithms and users alike that an organization is legitimate.

As of this posting, there are several social media platforms that you should be aware of, but don’t feel pressured to maintain an active presence on all of them. While each can benefit your nonprofit, the audience and method of posting on some may not be a good match for you. While there are free services that allow for cross posting to different platforms at the same time, what works on Facebook or LinkedIn won’t fare well on Tumblr. The best course of action is to tailor content to the platform on which it is posted. Here’s a list of the most popular social networks for you to consider:

  • Facebook. Almost universal in usage. Perfect for sharing information and news, and establishing your brand.
  • Twitter. Essential for the plugged-in audience. Popular hashtags come and go in the space of hours, so participation has to be constant. Quips and memes perform well in this space.
  • LinkedIn. Professional space for news sharing, updates, and networking. Can be used to connect with high-profile individuals and to share your message in the nonprofit field.
  • Instagram. An image-based network. Telling your story through pictures can give you access to a whole new audience.
  • Tumblr. Fast-paced, meme-centric, and a must-visit for an audience of teens and young adults.

Once you have a successful social media account, you no longer have to do all the work yourself. Followers will use the space as a place to congregate, sharing your posts and your story with their own circles and granting you exposure you wouldn’t have otherwise.

Establishing and improving your internet presence is just the beginning of our nonprofit-focused blog series. Stay tuned for our next blog all about the cloud! Do you represent a nonprofit that is in need of managed IT services? Contact Anderson Technologies today at 314-394-3001 or info@andersontech.com.

HIPAA Part 4: Risky Business

/in , /by

No matter the size of your practice, compliance with the HIPAA Security Rule is a serious undertaking. In order to fix a problem, you must first know it exists. That’s why the Risk Analysis and Risk Management implementation specifications are the foundation of your security compliance efforts. We touched on risk management in Part 2 of our HIPAA series, but in the next two articles we’ll be digging into the Risk Analysis and Risk Management implementation specifications more thoroughly with tips and tools to help you through the process.

The importance of performing a thorough risk analysis and coming up with a risk management strategy cannot be overstated. Throughout this article there will be links to resources to help you decide how best to perform your risk analysis. If you’ve never performed a risk analysis, we strongly suggest going over those resources first.

What is a Security Risk Analysis?

While much of this article presents an outline of how to conduct a Security Risk Analysis (SRA), it first helps to understand what an SRA is. Identifying that a problem exists—or could exist—is crucial to fixing it, preventing it, or making it as safe as possible. That is the purpose of the SRA.

An SRA is ultimately a process that allows you to analyze the way your company approaches risk and see how all areas of your business or organization—from policies and procedures to technical implementation—influence each other. It creates lists of threats, vulnerabilities, and threat events which could impact not only your organization, but your patients, customers, or vendors as well. Once you understand the risk in your daily business functions, finding a solution to keep them secure and operational is much easier.

Threat: the potential for a person or thing to trigger or exploit a vulnerability.

Vulnerability: a flaw or weakness in the system security procedures, design, implementation, or internal controls that could be accidentally triggered or intentionally exploited and result in a security breach or a violation of the system’s security policy

Threat Event: how a particular threat could trigger or exploit a specific vulnerability

(NIST 800-30)

The SRA process is complicated and can require a substantial investment of time and effort to complete, depending on the size and scope of your business. But when it’s finished, the SRA will provide you with a blueprint for the future. It identifies areas that are protected, areas that could use some fixing, and areas that are desperately unprotected. This allows you to prioritize your needs and create a risk management strategy specific to your environment. And when going through your HIPAA Security Rule compliance, there’s no better tool than an SRA.

Why Do You Need an SRA?

For HIPAA, you must conduct a targeted SRA. §164.308(a)(1)(ii)(A) requires an “accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information. . . .” The key to this is the specification of electronic protected health information (ePHI).

Since the Security Rule only deals with ePHI (where the Privacy Rule handles all PHI), the SRA only needs to focus on the ways in which ePHI is created, received, maintained, or transmitted. Including or performing a second SRA to include all PHI and the ways it could be improperly handled or disclosed would be best practice to assess your policies and procedures regarding non-electronic PHI, but it’s not required under HIPAA.

It’s important to remember that ePHI involves far more than an electronic health or medical record system.  It includes all types of electronic media hardware that can create, receive, maintain, or transfer ePHI, as well as software such as appointment calendars or billing databases.

While it can only help your organization to conduct a business-wide risk analysis, the targeted scope of ePHI under HIPAA narrows what you need to assess. Don’t narrow your field too much, though. The cost of insufficient or non-existent SRAs and risk management plans can lead to data breaches and serious fines.

According to the Office of the National Coordinator (ONC) for Health Information Technology, simply filling out a checklist is not enough to complete an SRA or count as proper documentation of one under HIPAA. You can learn more about common misconceptions about the SRA at the ONC’s website.

Guides and Tools to Help You Conduct an SRA

While no tool can replace a thorough and accurate SRA, there are plenty to assist you during the process. The ONC recently released an updated version of its SRA Tool that you can download to help identify areas that may need improvement. They also have video tutorials like the one below and interactive games to test your knowledge of both privacy and security requirements.


ONC’s overview of the Security Risk Analysis

There are also numerous guides to help you better understand the process of risk analysis and management. Besides what we’ve mentioned in previous articles (the Department of Health and Human Services’ (HHS) HIPAA Security Series, and NIST’s Introductory Resource Guide—Appendix E), both the ONC and the HHS have overviews of the process.

For detailed explanations of the risk analysis and management process, NIST published two separate guides: SP 800-39 Managing Information Security Risk and SP 800-30 Guide for Conducting Risk Assessments. These are not specifically geared to HIPAA’s SRA, but the level of information provided is far more complete than many of the HIPAA-specific guides. We recommend that you read SP 800-39 before SP 800-30. While SP 800-30 offers greater detail about specific parts of the risk analysis process (especially in the appendices), SP 800-39 is more reader friendly and a good foundation for SP 800-30.

How to Conduct an SRA

Like all parts of HIPAA, scalability and flexibility are at the core of the SRA. A two-dentist practice isn’t going to need the same kind of SRA as a large nursing facility, so HIPAA doesn’t dictate the exact steps to conducting an SRA. However, all thorough and accurate SRAs will go through similar steps and feature key information, no matter the format you choose. As always for HIPAA, document each step for the final SRA report.

Note: While going through the steps, it’s important to remember to look at risk from an organizational perspective (business-wide policies and procedures or budgets), a business function perspective (billing or patient care), and an informational systems perspective (settings on specific technology or hardware purchases). Another way to look at this would be administrative, physical, and technical lenses to match up with the HIPAA safeguards (though, if you prefer HIPAA terminology, keep in mind that physical isn’t perfectly analogous to business function.)

Step 1: Gather a Team

An SRA shouldn’t be performed by one person. Business owners or senior leadership should work together with management and IT experts during the SRA process. Not everyone sees risk the same way, and having a knowledgeable team ensures that your SRA will identify risk from all necessary perspectives.

Step 2: Determine the Scope

In this case, HIPAA has defined the scope for you in §164.308(a)(1)(ii)(A): “the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information” wherever it is created, received, maintained, or transmitted.

If it holds, accesses, or transmits ePHI, it is part of the SRA. For some businesses this will be a lot to cover, while others may only reference a few systems. And while the scope could be increased to include all PHI, it shouldn’t be reduced.

Step 3: Create a Risk Analysis Framework

A risk analysis framework isn’t required for an SRA, but it’s a useful tool to maintain consistency and avoid ambiguity between those preparing the SRA, those implementing it, and those conducting future SRAs. Since few people see risk the same way, the framework creates a clear set of assumptions, constraints, risk tolerances, and priorities/tradeoffs that will determine how your business manages risk.

Many of these terms appear in later steps, but they’re not used in the same way. In the framework you explain how to identify and respond to the risk factors, while later you use the framework to actually identify and respond to the risk. The framework puts everyone on the same page so that each person knows what to look for, how to judge the risk, and how to manage that risk appropriately.

The framework should also dictate the methodology you use to conduct this and future SRAs. This can be qualitative (high, medium, low), quantitative (numerical quantities), or a mix of both. Not all risk can be numerically quantified (# of individuals affected vs lost reputation—the first can be counted, the second cannot), so a qualitative or mixed approach can be more useful.

If you choose to skip the framework step, much of this information will still need to be explained in later steps to satisfy documentation requirements, and you won’t have it readily available for subsequent SRAs.

Step 4: Gather Data

In order to determine the risk to ePHI, you must first determine where it is stored, received, maintained, and transmitted. And while this encompasses a great deal more than physical hardware, having a record of the physical hardware and its movements is a part of the Physical Safeguards (§164.310(d)(2)(iii)—Accountability). This is especially important as more and more healthcare settings utilize portable electronic media, such as tablets or laptops.

Think of the flow of ePHI. Where does it begin in your business? Do you create it or receive it? Follow it from its starting point to endpoint and document what systems each piece of ePHI interacts with. Depending on your business, this could be only a few pieces of software and hardware or it could be most systems in the office. Either way, you need a complete list in order to conduct a HIPAA-compliant SRA.

Step 5: Identify and Document Potential Threats and Vulnerabilities.

This could be considered one step or two, depending on how you decide to conduct your SRA. It may be simpler to identify potential threats and vulnerabilities separately, but you may find that as you identify a threat, you also identify the vulnerability it could exploit and vice versa. It is up to your team to decide the best method.

If you’ve already created a framework, you’re ready to identify threats and vulnerabilities. If not, take some time to decide what you’re going to consider a threat or vulnerability, how you’ll identify them, and what sources are valuable to work from during the process.

Sources of information could include past SRAs, business security reports or testing, known breaches of similar institutions (Breach Level Index, OCR Breach Report), the security community’s public lists and advisories (National Vulnerability Database, National Checklist Repository), information from vendors, and your managed services provider or IT staff.

As always, remember to document everything.

Threats: One important thing to note when starting your list of potential threats is that you are not required to list all potential threats. You must list all reasonably anticipated threats to ePHI. Having valuable sources of threat information is important, because you don’t want to waste time or resources on a threat that will never affect you, such as a hurricane if you’re nowhere near the ocean.

At this point you’re not looking at whether or not you’ve already mitigated the risk of such threats affecting ePHI. You’re only considering if it is a reasonably anticipated threat. And threats aren’t just about whether someone steals your data for misuse, but whether you can verify the integrity of your ePHI and have it available when you need it.

Vulnerabilities: When dealing with ePHI, it’s easy to think of vulnerabilities as technical problems. Non-technical vulnerabilities cannot be overlooked, and could even be the root problem to other perceived vulnerabilities. A lack of policies and procedures on how to securely set up new hardware or a budget that doesn’t meet the demand of current threats could lead to a number of technical vulnerabilities through misconfiguration of security settings or poor hardware purchasing. This is why a team is important for looking at both the big picture and the small details.

Step 6: Assessing Security Measures

Now that you have a complete list of threats and vulnerabilities, it’s time to see what security measures you already have in place to protect ePHI. Small- to medium-sized business have a greater degree of control over their environment, which is an advantage in mitigating risk. Like vulnerabilities, security measures can be both technical and non-technical, and should be looked at from all perspectives. When documenting, also identify that all technical security measures are not only there but also configured and utilized correctly.

Step 7: Determining Risk

In order to determine risk, it’s time to put the threats and vulnerabilities together to create a list of possible threat events. This is not a strictly one-to-one pairing. A single threat might affect multiple vulnerabilities, and a single vulnerability might be affected by multiple threats. (For more guidance on threat events, see Appendix E of SP 800-30.)

For each threat event, you must determine the likelihood of it occurring and the impact it would have on ePHI and your business if it did. Likelihood is the probability that a threat event will occur.

Below are examples (both qualitative and quantitative) of how you could determine likelihood and impact. Depending on your business’s risk tolerance, you might add more levels beyond high, medium, and low.

The impact of a threat event can be felt across different levels. The most obvious is the direct breach to ePHI’s confidentiality, integrity, and availability, but impact can also be felt in the loss of revenue from a damaged reputation, the cost of fixing the effects of the threat event, time and effort spent dealing with regulatory audits, and other intangible results. Below is an example of how you might measure impact.

Level of Risk

Accurate assessments of the above are vital to determining the overall level of risk posed by a threat event because risk is a combination of likelihood and impact. For example, if the impact is high but the likelihood is low, then the overall risk would be low. The clearer the definitions in the framework of what constitutes the levels of likelihood and impact, the more accurate and consistent your evaluations of threat will be. Threat matrices (such as those in Appendix I of SP 800-30) can be used for both qualitative and quantitative methodologies.

Step 8: Document and Manage Risk

If you’ve kept up with your documentation, the final SRA report should be simple to put together. Appendix K of SP 800-30 offers a base template for writing an SRA report, but you should tailor it to your business’ needs. In general, it should include all the lists you’ve made, as well as the reasons for your determinations and how you plan to use this information.

The final task of an SRA is to develop a risk management plan. HIPAA understands that risk cannot be wholly eliminated, but it should be reduced to reasonable and acceptable levels. Conducting an SRA and implementing a risk management plan become the foundation for implementing the rest of the Security Rule’s safeguards. In the next installment of our HIPAA series, we’ll look at how to use your SRA to create a risk management plan.

If you’d like the IT experts at Anderson Technologies to be a part of your risk analysis team, contact us today at 314.394.3001 or by email at info@andersontech.com.

5 Tasks to Tackle: Prep Your Business for 2019

/in , /by

Don’t wait until the last minute to prepare your small business for 2019!

The end of the year is a busy time. Small businesses especially need to have a plan for growth in place well before the New Year. Taking detailed stock of your operations helps uncover improvement opportunities and provides ideas.  Our “5 Tasks to Tackle” will help rocket your business forward.

  1. Assess Your Business

Properly preparing for 2019 involves taking a step back and looking at the big picture to determine if any operational changes are needed. If you’ve never performed a SWOT analysis (Strengths, Weaknesses, Opportunities, and Threats) on your business, now would be a great time to do so! This strategic process illuminates avenues where your business can expand, highlights areas previously neglected, and reveals what your clients are demanding. Whole-business reviews shed light on issues pushed to the backburner.

  1. Audit Your Hardware and Software

2019 is the last hurrah for popular older applications and operating systems.  Microsoft’s extended support for Windows 7 stops on January 14, 2020.  Adobe Flash reaches end-of-life on December 31, 2020.  If you’ve been holding out on upgrading, act now before you’re forced to scramble.

Hardware always breaks down on its own schedule, and it never happens at a convenient time. Keeping your hardware monitored and upgraded prevents unexpected crashes. We recommend replacing your hardware every 5 years at a minimum to keep pace with newer technology and reduce the risk of unexpected hardware failures.

Are you using updated versions of important software? Are there other programs that could do the same work more efficiently or save you money on licenses?  Take stock of your needs and plan for the necessary budget to replace equipment in an organized fashion.

If your business would benefit from hardware or software upgrades, the end of the year is a great time to take advantage of an IRS Section 179 tax deduction (consult your tax advisor for applicability). Splitting the hardware and labor costs between fiscal years may also be a beneficial consideration.

What about storage? Are your computers’ hard drives cramped? Are physical records filling your office space? Move towards a paperless office and further protect that digital storage by implementing cloud services.

  1. Improve Your Web Presence

When is the last time you took a good, long look at your website?  These days, if your website isn’t built on a framework that supports mobile devices or if you don’t update it regularly, your search result rankings suffer for it.  A neglected website may also inadvertently send the wrong message to potential clients.

How does your site perform in search results? If search ranking is lacking, it may be time to look into SEO (search engine optimization) best practices. Google now flags websites without a properly installed SSL security certificate as unsecure; this affects page rank and traffic in search results. Partnering with a development team helps ensure your web presence reflects the true excellence of your business.

On March 25, 2018, GDPR (General Data Protection Regulation, passed in the European Union) went into effect. If your site receives visitors from the EU, you are held to this standard and expected to comply with changes. GDPR centers on protection of user information. For most sites, compliance is relatively simple, and a knowledgeable GDPR compliance developer can perform a quick audit to identify the updates needed to bring your site up to par.

  1. Audit Your Backup and Security Policies

Have you audited your backups this year by performing a test restore to confirm everything is functioning accordingly? In case of a ransomware attack, do you have hourly on-demand backups in place? Disaster recovery protocols need management and oversight, but it’s easy to forget them because they tend to be out of sight and out of mind – until something bad happens.

Passwords should be updated regularly. Do you have a policy in place for changing passwords on a cycle appropriate for your industry (especially if your business needs to comply with HIPAA regulations)? The importance of updating passwords cannot be stressed enough. Recently, the National Institute of Standards and Technology released new Digital Identity Guidelines that drastically altered what constitutes a strong password.  While we’re waiting for internet protocols to catch up, password managers such as LastPass can help keep track of complex passwords across various websites.

Did you know 1 out of 9 employees (and 1 out of 4 nonprofit workers) spend time working from home or on the go? Is your business prepared and secure enough for this expanding number of teleworkers?

When was the last time you took a close look at your office security policy? What about communications?  Take this time to assess your technology policies and ensure your business is ready to start the new year capable of handling any opportunities that come your way.

  1. Review Your Social Media Strategy

Social media may seem daunting at first – but start small, and it will become a natural part of your marketing routine.  Ask yourself some questions before you begin: What platforms make the most sense for your business?  How can you represent your organization in a fun and engaging way?  Does a blog seem like a good way to reach out to potential clients while simultaneously increasing your site’s search engine optimization ranking?

As our world becomes increasingly internet-based, your business needs to make a strong digital first impression.  Maintaining a social media presence on the web, even if it’s on a single work-focused site like LinkedIn, provides an opportunity to tell potential clients who you are.  Perform a search for your business online and take control of its narrative.  Encourage current happy customers to post a review on Google or write a testimonial for your website.

Don’t feel compelled to implement a massive new strategy that involves updating five or six different social platforms every day.  Do what makes sense for you and balance your time, but don’t neglect this powerful tool to reach out to those who would benefit from your products and services.

 

Don’t wait for 2019 to prepare your business for growth in the New Year!  These five tasks will take your business a long way.  Build your own successful strategy and allow our team to assist you. Anderson Technologies performs an infrastructure audit annually for its managed services clients.  Our team of experts can take a fresh look at your business and make sure you have the right technical solutions in place to support your company’s goals for the coming year.

If you don’t already receive IT services from Anderson Technologies, contact us today to schedule your free initial audit!  Call 314.394.3001 or email info@andersontech.com now.

Get Hip to HIPAA!

/in , /by

Even if you’ve never worked in the healthcare industry, you’ve probably heard of HIPAA. An appointment to get your teeth cleaned comes complete with a slew of forms that include your rights according to HIPAA.

But can you explain what HIPAA is and why that form is necessary? We often sign and date and move on, knowing it relates vaguely to what our care provider can do with our private health information.

HIPAA includes a lot more than you may realize, and if you work with Protected Health Information (PHI), especially electronic Protected Health Information (ePHI), understanding HIPAA is crucial. This article is the first in a series discussing what HIPAA is, understanding the Privacy and Security Rules, and analyzing HIPAA compliance standards.

What Does HIPAA Stand for?

If you’re not exceptionally familiar with this acronym, you may think it stands for the Health Information Privacy and Accountability Act. That seems reasonable given how the everyday person is exposed to it. In fact, it stands for the Health Insurance Portability and Accountability Act.

That doesn’t sound so familiar, does it? HIPAA was enacted in 1996 not with the intent to protect people’s privacy, but instead to regulate and simplify the health insurance industry. According to the official HIPAA language, the objective of this government regulation is:

To amend the Internal Revenue Code of 1986 to improve portability and continuity of health insurance coverage in the group and individual markets, to combat waste, fraud, and abuse in health insurance and health care delivery, to promote the use of medical savings accounts, to improve access to long-term care services and coverage, to simplify the administration of health insurance, and for other purposes.

Essentially, Congress wanted to make health insurance cheaper and simpler by reducing administrative costs and creating a standard method that everyone related to the health insurance industry could adopt. So where does all this privacy and security regulation come into play? The requirement “to simplify the administration of health insurance” triggered everything.

In the Administrative Simplification section of HIPAA, the Act requires that the rights of individuals relating to the use and disclosure of their health information be clearly explained and that standards are set for the electronic exchange of health information. These two subsections, privacy and safeguards, would later be addressed in what is now referred to as the Privacy Rule and the Security Rule.

The Privacy Rule

The Privacy Rule went into effect in 2000 and has been amended several times. It lays out the standards and guidelines for how PHI in all forms—verbal, physical, or electronic—can be used and disclosed. The Privacy Rule is the reason you know the acronym HIPAA at all.

Thanks to the Privacy Rule, health care providers, insurance companies, and their business partners must follow the same rules regarding health information. Individuals have the same right to access and the same expectation of privacy from all entities according to the guidelines in the Privacy Rule. PHI can include:

  • identifiable personal information,
  • any medical or mental health condition diagnosed during the lifetime of the individual,
  • any treatment or procedure performed in the lifetime of the individual,
  • payment information relating to health care,
  • and any identifiable or medical information that the individual wants restricted.

The Privacy Rule is also the reason you must sign that form stating you understand your rights according to HIPAA. Being informed that you have the right to privacy is part of your legal rights. There are exceptions to these rules, such as life-threatening emergencies, court orders, and release of information authorizations, but all are directly addressed and specified within the rule.

Ultimately, the HIPAA Privacy Rule sets the standard for each patient’s right to privacy regarding their PHI. Thanks to the Privacy Rule, PHI is automatically considered confidential in almost all circumstances, and it also explains under what circumstances PHI may be shared.

The Security Rule

The Security Rule is a little different. It first went into effect in 2003 and, unlike the Privacy Rule, relates only to ePHI. The Security Rule established the safeguard standards everyone dealing with ePHI must follow to be HIPAA compliant. Compliance means all ePHI is stored, processed, and transferred in a way that ensures patient privacy. While it doesn’t dictate specific implementation steps, since each company’s use and needs around ePHI is different, anyone dealing with ePHI must address each specification.

HIPAA began as a way to simplify health insurance procedures and make those handling health information more accountable to every citizen’s rights about their private health information, and its effects have been far-reaching. For anyone dealing with PHI, the requirements can appear daunting at first, but with a trusted IT partner, HIPAA compliance means any and all health information will be safe in your hands.

Look for our next HIPAA article, which will discuss the Security Rule in more detail. Until then, you can contact Anderson Technologies’ expert consultants for help navigating HIPAA compliance by calling 314.394.3001 or emailing info@andersontech.com.

GDPR: How It Impacts You

/in , , /by

On May 25th, the European Union implemented their country-spanning General Data Protection Regulation (GDPR). Even if you’re not sure what it is or how it affects you, you’ve probably seen the results of this directive in action. New cookie consent notices pop up on home pages, and countless companies sent out emails with updated privacy policies. You may have noticed Anderson Technologies has gone through this process recently. All of this is due to GDPR.

What Does GDPR Change?

GDPR gives citizens in European Union (EU) countries clear rights to their data regardless of who is collecting it or where that entity is located. Some of these rights include:

  • The right to know what happens with their data.
  • The right to be shown all data collected on them.
  • The right to update or modify that data.
  • The right to be forgotten or to have all data relating to them deleted.

It also places the burden of informing and obtaining consent to collect data on the entity collecting it. This means it is illegal to use email lists from a newsletter to send promotional advertisements without the user specifically agreeing for you to do so. Most importantly, visitors who refuse to allow their personal data to be collected must receive the same experience as those who allow the collection of their data.

It also demands that those who collect or process personal data do so with data protection at the forefront through means such as pseudonymization, full anonymization of data, and encryption. It becomes the business’s responsibility to protect personally identifiable data and to know that all vendors and third parties with access to it have equivalent security measures in place.

Companies can be fined for failure to comply with GDPR guidelines.

Does GDPR Affect Your Company’s Website?

There is a good chance some aspect of GDPR affects you even if you don’t actively do business in the EU. Personal information can include names, addresses, email addresses, and IP addresses. To collect any of this, even through the use of cookies, explicit consent is required. It’s hard to find any website with zero visitors from EU countries. If even one EU citizen’s data is gathered, then the GDPR relates to you.

The good news is…

Unless you’re actively working with the EU, in which case you’ve probably already implemented compliance standards, only a few sections of the GDPR affect you. And if you don’t collect or transfer any personal data through cookies, contact forms, newsletter sign-ups, or analytics, then it doesn’t matter how many people from the EU visit your site.

The bad news is…

Personal data is collected in ways you might not think about, and just because someone is already signed up for your services or newsletter doesn’t mean their previous consent is compliant. Some means of data collection you might not think about are Google Analytics or share buttons on your site that connect to social media. Also, passive consent (i.e., pre-filled check boxes to sign up for emails or providing an email address that will be used for marketing in order for the user to download an eBook) is no longer allowed.

All consent must be optional and freely given.

Is the EU Going to Come After You?

Keep in mind that if you are seriously concerned about GDPR compliance and the responsibilities your business has in regard to the data you collect, you should contact a lawyer who specializes in GDPR compliance for full legal guidance. The information here is meant to provide a general understanding regarding GDPR and shouldn’t be taken as legal counsel on compliance issues.

For most US-based small businesses that do not have working relationships within the EU and do not intend to court them as potential clients/vendors, the immediate risk of not being 100% compliant after May 25th is minimal. That’s not to say you shouldn’t take practical steps to become compliant if the law affects you. Non-compliance can have steep fines of up to 10-20 million euros or 2-4% of total global turnover—whichever is higher. But those are for serious violations and a last resort after contacting the business about non-compliance and issuing warnings to resolve any problems.

What’s important is that a reasonable effort to comply within the means of your business is made with user privacy and data protection in mind.

Making Your Website GDPR Compliant

The first thing you need to know is whether or not you collect data from EU citizens.

In order to do that, you need to know what data, if any, you collect. This can include analytical data, physical and email mailing lists, names/IDs in comments or forums, and IP addresses. Then it’s time to get consent. Depending on what you collect, there are tools available to help. If you run a WordPress site, this guide can be helpful in figuring out what issues WordPress has already resolved and what issues you need to address.

  • Cookie Consent Bar — You’ve probably seen a lot of these lately. If your site installs any cookies, whether for the functioning of the website, collecting analytical data, third-party cookies for plug-ins, etc., then the user must not only be notified, but allowed the option to not have them activated. There’s no need to figure out how to do this all on your own. If you’re not sure if you need a consent bar, Jeffalytics created a flowchart to help figure it out. There are also plenty of plug-ins and add-ons available that will do this for you, and some of them are free. Not all these plug-ins are user-friendly or even fully functional, so your developer should verify that cookies are not added until the user hits accept. Cookies required to run the site can be excluded from the block as long as your Privacy Policy explains why.
  • Consent Checkbox Beneath Forms — Whenever you directly collect information, such as asking for name and email address when signing up for a newsletter, it is a good idea to have a checkbox stating that by clicking it the user understands how you are going to use and store their data. If you want to use that email for promotional materials, you can’t without their consent. You can offer a checkmark box for this option during the sign up, but it cannot be pre-checked or a requirement to sign up. The user must check it themselves.
  • Google Analytics — Not surprisingly, Google has already done a lot to bring themselves into compliance, but the tools they offer are not in complete compliance since most are meant to collect personal data. So what can you do to fix this without sacrificing all that valuable data? You need to turn on IP Anonymization. Google made this process easy for users by anonymizing all but the final set of numbers in users’ IP addresses. This means you will lose some geographic data, but generally only in local areas. You will still know the country and city of origin.
  • Opt-Out — All users must have the option to not only request all the data you collect on them but to ask you to change or delete the data if they wish. This process should be made clear in your privacy policy and quickly implemented upon request. It’s important to keep a record of all contact with users about their personal data and log when data was modified or deleted. 
  • Privacy Policy — It is important that you have a privacy policy on your website that explains in easy-to-understand, non-legal terms all aspects of your data collection and retention. This is intended to present users with the what, when, how, and why of your data collection, and to inform them of their rights over the data. This is also a good place to display a list of cookies used on your site and their functions. Many of the cookie consent bar plugins provide a short code that will generate this list for you. Your privacy policy should also explain how the user can contact you in order to exercise their rights over the data you collect on them. All communication should be simple to perform and recorded by your business. If you don’t have a privacy policy yet or aren’t sure what needs fixing on an existing policy, NIBusiness Info has a free, fully explained and customizable example available for download.
  • Notification of Breach — Perhaps the biggest change from current data practices is the GDPR’s requirement that if your data has been breached, it must be reported within 72 hours of you learning of it. The GDPR also states that the individual whose data is compromised as a result of the breach must also be notified “without undue delay” if the data poses a considerable risk on the rights the GDPR provides EU citizens. This is not required, however, if the data has been made unusable to unauthorized access through means such as encryption.

GDPR may be frustrating to implement, but its goal is to change the way companies look at data collection and retention. It’s just as important in GDPR to know how you protect your customers’ data as it is what data you collect. Security, accountability, and understanding are goals every business should strive for when handling user data. Even if you don’t do business with the EU, it’s a good idea to perform a network security audit to see how safe your company’s data is and if there is room for improvement.

If you’d like help making your website GDPR compliant, contact Anderson Technologies by phone at 314.394.3001 or by email at info@andersontech.com.

Can you recover deleted files?

Hands Off the Keyboard! How Managed IT Can Recover Your Deleted Files

/in , /by

One wrong click, a blink, then panic sets in.

That file you just deleted is vital to a current project or contains records necessary to your business.

Instead of letting your heart rate skyrocket, catastrophizing about what you’ve just lost, read this guide on basic data recovery.

When What’s Gone Isn’t Really Gone

Once you realize the deletion error, stop what you’re doing.  A few simple steps may prevent further loss and help you discover the scope of your situation.

  1. Check the Recycle Bin. It’s easy to forget in the post-deletion panic that if you haven’t emptied the desktop folder known as the Recycle Bin (Windows) or Trash (Mac) your file may still be there, safe and sound, if it was saved locally. Think there’s no way that your file is still there? Check anyway. It only takes a moment, and many times, that check will solve everything.
  2. Search the File Directory. No luck in the Recycle Bin? All is not lost. Use your computer’s search function (usually in the task menu at the bottom or top of the screen) to search your computer’s file directory for the deleted file. Depending on how many files live on your computer, this may take a while. Here are detailed instructions for searching on Windows 10 and Mac OS X.
  3. Check backups. Okay, so the file doesn’t seem to be on your computer. Was it on the server? Do you have backups configured? These days there are many options, such as Windows Backup, Cloud 365, Dropbox, SugarSync, or OneDrive. Many of these services keep deleted files for 30 days or may have a slightly older version of the file you can restore to your computer. Important Note: If you are unfamiliar with these services, but have them in place, don’t hesitate to call a managed IT services provider for help. Choosing the wrong file or transferring it the wrong way can do more damage than good.

Still no luck? Time to call a managed IT services provider. Further poking around like attempting a Windows restore, volume shadow copy, downloading recovery software, or even just continuing to use the computer to stream or download can rewrite the hard drive—reducing or even eliminating the possibility that professionals can rescue the file.

Bringing in an IT team to recover your files does cost money, but the price of repairing well-intentioned “fixes” can grow exponentially. The deleted file is valuable. If you can’t afford to lose it, you can afford to call the professionals.

What to Expect from a Managed IT Services File Recovery

First, your managed IT services team will check the steps above to determine just how difficult recovery of your vital files will be. If the deletion was caught early enough, or if you have backup services in place, most files can be recovered remotely in under five minutes! Luke Bragg, Senior Systems Administrator at Anderson Technologies, recalled a time when he was able to calm the panic of a client and locate the deleted file in just 20 seconds! It was easy—for a professional.

According to a Clutch report on cloud computing, almost one-third of consumers who use cloud-based backups don’t know they are using the cloud. A managed IT services team can detect this and restore those backed-up files!

Widespread Loss: Data Recovery from Destruction

What if your office or workspace has been struck by natural disaster?

Flood, fire, and quake can obliterate technological systems, leaving your small business without records, client data, or even operating systems. This is far bigger than an accidentally deleted file and, unfortunately, recovery after a disaster isn’t as easy to tackle on your own.

  1. Shut off power and step away from the electronics. The safety of you and your team is paramount. You may be thinking of everything you have lost, but don’t let that desperation put anyone in danger.
  2. Consult the authorities. Exposed wires, spilled chemicals, or other dangers may affect your recovery. Local authorities have guidelines regarding tech in disaster—be sure to follow them!
  3. Assess the damage. Even though a piece of technology may appear to be undamaged, it is important to employ experts to help you assess damage, loss, and potential recovery.

In these cases, managed IT services experts will be a huge asset to your recovery.

IT experts will help you determine if technology is damaged and set up a provisionary network so that you can resume business as soon as possible.  A managed IT services team will hold your hand through the disaster and ensure the safety of you and your equipment.

Your managed services team will work with you to identify and restore vital files and records. In fact, even businesses without off-site or cloud backup services have a chance of data recovery. Disc forensics —the science of extracting information from hardware—is a last resort, but many managed IT services teams are prepared to tackle it in these extreme cases.

Chances for recovery of systems or files with a managed IT services partner increases exponentially, but the bottom line is, without backups already in place, data recovery is never guaranteed. Read the fine print when dealing with a recovery vendor to know what you’re paying for.

Prepare for the Worst

Anyone who has lost files from human error or natural disaster knows that the best practice is to avoid loss in the first place. If you are reading this before losing files, take this opportunity to engage a managed IT services provider to set up regular off-site or cloud backup services, and prepare a disaster plan designed to keep your equipment and data safe.

Call Anderson Technologies today for help! Whether you are in a panic, recovering from a disaster, or wanting to prepare for the future, our managed IT services team is prepared to get you—and keep you—in business. Check out our page on data recovery services, or call 314.394.3001 for more information.