Contact Us Today!   314.394.3001   |   info@andersontech.com

2020 Cyber Security Essentials Checklist

/in , , /by

The start of a new decade brings a sense of changing times and new beginnings. For your cyber security, it marks a good time to review how the state of cyber threats has changed since the time of Y2K or the 2013 Yahoo data breach. With the evolving threats and methods deployed in cyber crime, basic security standards have also progressed to keep your network safe. Do you know the basic security measures you should take to protect your business in 2020?

Download your copy of Anderson Technologies’ Cyber Security Essentials Checklist for 2020!

Verify everything!

We’ve talked before about the Zero Trust model for IT security. Even if you aren’t ready to bring your entire IT architecture up to Zero Trust standards, several of its security measures are now common-sense protections against modern cyber threats.

MFA

Multifactor Authentication (MFA) is quickly becoming the gold standard for preventing unauthorized access to your systems. In an age of Have I Been Pwned’s free credential checking and the all-too-often reuse of passwords, the question is no longer if your usernames and passwords have been stolen, but when and which ones.

MFA is the most basic way to prevent someone with stolen credentials from accessing your systems, and comes in various iterations, from an email or text code to authentication apps and security dongles like or RSA SecurID tokens. It’s a simple measure that ensures the bad actor needs more than a stolen credential to compromise your systems.

Access Controls: Minimum Necessary Use (Need to Know)

The days of free access within an organization are over. Clearly defining user roles and necessary access permissions is essential. There’s no reason for an intern to have the same access to your systems as the office manager or IT staff. Segmenting user access to the minimum necessary for their job performance means that if one employee is compromised, the bad actor won’t be able to reach every part of your business.

Stop Viruses and Malware in Their Tracks!

It’s common knowledge that anti-virus and anti-malware are required in this day and age, but remember that if your software firewall or anti-virus program catches an intrusion, the threat has already made it into your systems.

Know Your Hardware

Businesses need to understand the difference between a hardware firewall and a software firewall. You need to have the best protection against cyber threats, but many business owners don’t realize they are missing the necessary hardware firewall. Go to your IT closet and take a close look. Can you identify your modem, router, and hardware firewall? They are three different pieces of equipment, and if you aren’t sure which is which, talk to your IT staff or MSP to make sure all three are in place and properly configured for maximum protection and minimum interference.

Training and Filters

Firewalls and anti-virus programs won’t be of much use if an employee clicks a link in a phishing email and lets the bad actors in. Blacklisting certain websites and installing email filters like Proofpoint are great first steps for keeping malicious links and emails from getting through, but the biggest way to prevent phishing is training your employees how to recognize it. These tactics are too prevalent not to invest in comprehensive employee training.

Update! Update! Update!

Nothing invites bad actors into your systems like an unpatched computer, such as Windows 7 which stops receiving updates after January 14, 2020. Security updates are not just slight improvements; they often fix known bugs and zero-day threats that bad actors can use to infiltrate or bypass the implemented security safeguards. Without keeping up to date with your security updates, criminals can exploit unpatched vulnerabilities to breach your security and either install malware on or extract valuable and private information from your systems. So, when an update appears, make sure it gets installed right away and upgrade un-supported software as soon as possible.

Be Prepared for a Breach

The era of small businesses being too little to be profitable to hackers is long gone. Small, medium, and large business are all targets for cyber criminals and it’s essential to think not in terms of if you are breached, but when you are breached. How can you mitigate the risk or minimize the damage a breach could do to your business?

Backups

No business in 2020 should be without comprehensive and secure daily backups of their IT systems. Properly configured and tested backups are your insurance against ransomware and natural disasters. If you know you can restore all your data effectively and quickly from backups, there’s no need to pay a ransom for the hope you can get all your data back.

But don’t just grab the first out-of-the-box backup solution you find. Make sure your backup provider doesn’t keep only one iteration, meaning if your backup gets infected, you have no other options. Configure the solution correctly to back up all the information you need.

Encryption

If you are in a HIPAA-regulated industry, encryption is not optional. It’s the best way to prevent unauthorized breaches when mobile devices and laptops are lost or stolen. A properly encrypted laptop lost on a business trip isn’t a breach even if ePHI is on it, since the encryption prevents anyone who finds the machine from accessing the data.

Encryption is a good idea for any business that uses laptop and mobile devices for work purposes. The last thing you need is someone finding a lost phone or laptop and suddenly having access to sensitive business information or programs.

The Daily Routine

Sometimes it’s the little things that end up being the source of a cyber intrusion. These security measures may seem like common sense, but that doesn’t mean you shouldn’t have a clear policy for them. Failure to follow basic procedures everyday can open the door for cyber criminals.

Passwords and Password Managers

Reusing or only making minor alterations to passwords across applications is a major problem. Too many passwords are hard to keep straight, but people struggle even more to remember secure randomized passwords. This can lead to the worst-case scenario of employees writing down passwords that anyone could find. Having a long phrase or sentence the employee can remember is best practice, but if you have a lot of programs that require passwords, you don’t want employees using only one across the board.

Password managers like Myki or LastPass are a great solution to this problem. Employees can create the long, randomized alpha-numeric passwords, which are considered most secure, without the need to write them down or repeat the same password over and over. These services also provide apps for mobile phones so employees don’t need to be at the desk to access their passwords.

Screenlocks

Not every company institutes a screenlock timeout procedure for their business, but it’s a simple and effective security measure, especially if parts of your business are open to the public (HIPAA requires it). Even if you don’t have any public areas, screenlock policies can prevent insider threats from gaining access to an employee’s computer or information simply because they forgot to lock the computer before they left their desk. Make sure the screenlock requires a password and isn’t delayed to the point it’s useless to protect your information.

If you don’t have these basic policies and procedures in place, it may be time to re-evaluate the security measures you are using. Were they created for a different time and threat landscape? Can they continue to protect you against modern cyber crime? If not, it’s time to step up your basic security measures and stop criminals before they sneak into your business.

 

If you need help determining if your current security measures are adequate to protect your business, contact us today for a free consultation!

5 Fraud Trends and How to Beat Them: Top Tips to Implement for Cyber Security Awareness Month

/in , , , /by

Every October, Cyber Security Awareness Month is a time to learn, assess, and make changes to protect yourself and your business from the latest, most sophisticated dangers. Beyond damages to reputation and production, monetary costs from cyber crime add up in the billions of dollars.

Stay safe and aware this October. Here are five fraud trends that you’ll want to know:

Fabrication

Synthetic identity fraud is a cyber crime long game. First, a hacker procures a social security number by theft or purchase on the Dark Web, and then fabricates an associated name, DOB, email account, or phone number. From there, the fake identity is legitimized and nurtured.

Once a fraudster is able to become an authorized user for lines of credit, a process that typically takes 5 months, the “bust-out” is ready to be executed. This leaves creditors and businesses with dummy accounts filled with credit card maximums, loans, and cell phone/utility plans.

Ransomware

Ransomware can send chills down the spine of any business owner, and for good reason.

Two cities in Florida were forced to pay over a million dollars in aggregate bitcoin ransom after losing access to phone and email systems for multiple weeks. A quick glance at data breach headlines on any given week will reveal SMB attacks as well. Ultimately, ransomware boils down to economics, and it will require a concerted effort by organizations to shift the paradigm, refuse to pay criminals, and protect data before attacks.

Business Email Compromise (BEC)

A sophisticated scam, BEC targets anyone who regularly processes requests for electronic fund transfers. The scammer compromises an email account through phishing or intrusion tactics and requests that transfers of funds or personal information such as W2 forms be sent immediately.

Because the request comes from a familiar face, and may even be routine, this scam is highly effective—and very expensive. As of July 2019, total dollar loss has exceeded $26 billion.

Account Takeover (ATO)

The commoditization of crimeware and “spray-and-pray” techniques have led to a higher frequency in breaches, many of which are executed by non-sophisticated hackers. Solving ATO fraud at the small and medium business level in today’s world requires purpose-driven teams and technologies that can protect your business in a smarter, more efficient way.

Dark Web

Security researchers estimate that in the first half of this year alone, over 23 million credit and debit card details were being sold in underground forums. What’s worse, nearly two out of every three originated in the United States (64%), followed by the UK (7%) and India (4%). Once such data dumps hit the Dark Web, cyber criminals will exchange stolen information and credentials in order to orchestrate damaging fraud schemes.

Now that you know some of the trends in cyber crime, here are several helpful solutions.

Guard yourself and your business against these threats. Here are our Top 12 Cyber Security Tips:

  1. Involve all stakeholders in raising cyber security awareness across your organization.
  2. Backup key data regularly and perform scheduled test restores to ensure their integrity.
  3. Enable multi-factor authentication company-wide and establish and enforce an appropriate password policy for all users.
  4. Install enterprise-grade anti-malware and spam-filtering solutions with anti-phishing capabilities across your network.
  5. Leverage internet content filtering to block phishy websites.
  6. Prepare for cryptojacking attacks.
  7. Purchase SMB security suites that include Dark Web monitoring.
  8. Assess your organization’s cyber security policies and procedures and review annually.
  9. Ensure that all third-party partners have cyber security protocols and policies in place.
  10. Build a cyber security incident response plan and democratize key information.
  11. Bind an appropriate level of cyber security insurance to cover your company in case of a breach
  12. Partner up with expert managed IT services providers to train your employees and implement the above.

Awareness and action go hand in hand. This Cyber Security Awareness Month, contact Anderson Technologies to protect your business from the newest threats, and enhance business functions every day.

HIPAA Part 7: Getting Started

/in , , , /by

We’ve come to the end of our HIPAA series, and if you’ve been following along, you might feel overwhelmed by the prospect of becoming HIPAA compliant. There’s a lot to do if you’re just starting out. Keep in mind that by creating a culture of compliance, it becomes easier to verify that you’re following the Security and Privacy Rules in the future. Instead of creating policies, you’ll be updating them. Instead of choosing technical safeguards, you’ll be evaluating what’s already in place. Once you are HIPAA compliant, it’s easy to stay HIPAA compliant.

Tips for Beginners

For those of you tackling HIPAA for the first time or those whose current HIPAA compliance program isn’t doing enough, here are a few tips to help you start the process.

Know what you have—The start of any HIPAA compliance program is determining what PHI and ePHI you have, what programs or processes access that information, and what policies or safeguards are already in place to protect it. Without knowing that, you can’t know what needs to be fixed.

Perform the SRA first—It’s the first security standard for a reason. A complete and thorough Security Risk Analysis is critical to compliance, and you’ll find that during the SRA process you’ll address many of the other standards in the Security Rule. If you don’t feel you can perform this on your own, it may be beneficial to call in an outside consulting company to help you.

Document everything—Get used to this right away. You must not only become compliant, but you need to prove that you are compliant, and that is done through documentation. Be careful you don’t fall into the trap of “paper compliance,” where you have the documentation but fail to follow through in everyday practice. A policy is useless if it’s not implemented.

Accept that it’s a process—Compliance doesn’t happen overnight. From the SRA to the documentation to the evaluations, compliance takes time. It is a continuous process of monitoring and updating to ensure the privacy and security of PHI.

Get everyone on the same page—Training on HIPAA needs to happen from top to bottom. This helps create a culture of compliance that will make ongoing compliance efforts easier. If those in leadership positions understand why it’s important to be HIPAA compliant, appropriate policies and procedures can be created and the budget adjusted according to needs. When employees know the rules to ensure the confidentiality, integrity, and availability of PHI, there is less chance that an avoidable breach will happen.

There is no one prescriptive way to go about HIPAA compliance. HIPAA is designed to be vague enough that any size or type of business can adopt the same requirements. This allows each business the freedom to implement in the way that best fits them, but it also requires that you take responsibility for the decisions you make. With that said, following a logical HIPAA compliance plan will help determine the most reasonable and appropriate measures for your business in a straightforward way. Compliance is always easier with a plan.

HIPAA Resources

Knowing where to go for information can assist any Compliance Officer in their efforts to become HIPAA compliant. Below is a collection of the resources found throughout this series.

HIPAA Part 6: Plan for the Worst

/in , /by

No one likes to think they’ll suffer a disaster, a ransomware attack, or a data breach, but hope isn’t enough to satisfy HIPAA. The question is no longer if something will happen, but when. HIPAA expects you to plan, prepare, test, and be ready for anything that could disrupt the confidentiality, integrity, or availability of your ePHI and affect patient care.

In this installment of our HIPAA series, we’re going to look at the different kinds of disaster planning HIPAA requires and the importance of knowing how to implement them.

Security standard §164.308(a)(7): Contingency Plan is an umbrella term for a number of more specific plans that are meant to ensure the availability, integrity, and confidentiality of ePHI in the event of a disaster or other major security incident. While the Security Rule doesn’t explicitly require you to include other parts of your business, non-electronic PHI is still covered by the Privacy Rule, and most cyber security insurance plans require some degree of business contingency planning.

First Things First

Before you can start making plans to keep your business going during and after a disaster or cyber security incident, you first need to know what parts of your business, hardware, software, and data are critical to operations and security. HIPAA requires this in implementation specification §164.308(a)(7)(ii)(E): Applications and Data Criticality Analysis. But don’t let its position after the contingency plans fool you. This needs to be done first and foremost.

Even though §164.308(a)(7) only references assessing “specific applications and data,” if you are implementing business-wide contingency plans, you’ll want to go through all your daily operations and vital processes to determine what you can’t do a day’s worth of business without and what you could leave for when your world is no longer upside down. Without this information, you won’t be able to create the plans necessary to fulfill the following implementation specifications.

The Big Four

 One thing to remember about the plans listed below is that they don’t have to be completely isolated from each other. You might find combining pieces together (such as lists of vendors, hardware, software, etc.) is more practical than listing them in each plan separately. What’s important is that employees are trained, know what they are responsible for, and where to access this information in an emergency situation. There’s no use making a plan if no one uses it.

Following standardized responses should minimize errors, particularly those that might be caused by stressful incident handling situations.” – NIST SP 800-61r2 Computer Security Incident Handling

  1. 164.308(a)(7)(ii)(A): Data Backup Plan

What does it do? Your data backup plan is one of your most vital recovery plans. It provides you with assurances of data integrity and availability in emergency situations. For healthcare facilities directly caring for patients, data loss or network failure could mean the inability to treat patients. All ePHI must be backed up, preferably in a place that won’t suffer the same disaster as your facility, such as in cloud storage or in a separate secure location.

Your data backup plan should include who is responsible for maintaining the backups, verifying all data is being backed up, testing that backups can be retrieved, and who to contact when backups are needed.

When does it go into effect? You should make this a priority. Your data backup plan needs to be up and running before an emergency strikes. 

A data backup plan is also one of the best defenses against ransomware. Read more about that here!

  1. 164.308(a)(7)(ii)(B) Disaster Recovery Plan

What does it do? The complexity of a disaster recovery plan depends on how much of your business you choose to include. §164.308(a)(7)(ii)(B) specifies you must “establish (and implement as needed) procedures to restore any loss of data.” More comprehensive business-wide plans would include other data vital to the company that isn’t specifically ePHI.

A disaster recovery plan should include the hardware, software, backups, environment, vendors, business associates, etc., necessary to recover data lost in a disaster or cyber security incident. It also covers the people responsible for coordinating and performing all disaster recovery efforts. Employees assigned in this plan should be trained and ready to fulfill their duties in the event of a disaster.

When does it go into effect? A disaster recovery plan helps you recover lost data and infrastructure after a disaster or cyber security incident has occurred. 

  1. 164.308(a)(7)(ii)(C): Emergency Mode Operation Plan

What does it do? This plan could also be called a continuity of operations plan. Its intent is to keep your business or facility operating at a level necessary to ensure patient safety and ePHI security the moment a disaster hits. Downtime can not only cost a lot of money, but can be detrimental to facilities actively caring for patients.

By having the procedures in place for any number of emergency situations, employees can react immediately, know who to contact, how to bring critical business processes back online, and maintain the necessary security and privacy standards required by HIPAA. A good emergency mode operations plan should have contact names, numbers, first response expectations, and anything else an employee would need to recover critical operations in the first 12-36 hours.

More than the other plans, having done a thorough and accurate criticality analysis is vital to a successful emergency mode operation plan. You need to be aware of what you need to restore and in what order it needs to be restored to effectively continue with daily operations as best you can. Failure to do a proper criticality analysis can waste time and resources by focusing recovery efforts on functions that aren’t immediately necessary.

When does it go into effect? An emergency mode operations plan should be implemented during a disaster to keep the business going, and, in the case of healthcare facilities, to keep patients safe and cared for appropriately. 

  1. Business Continuity

What does it do? You’ll notice that there is no implementation specification that goes along with this plan. The Security Rule doesn’t specifically require a business continuity plan, but it can be a useful addition to a set of contingency plans.

While the other plans all focus on what happens during or immediately after an emergency situation to keep your business running, a business continuity plan focuses on getting you back to where you were before the disaster. What are the lower priority vendors or clients that you might have missed contacting already? Do you know all the hardware and software that needs to be replaced or recovered? Think of it as the long-haul plan that doesn’t let you forget about the little things. Disasters are stressful, and a good business continuity plan can keep you on track through the mental fatigue that can set in after a disaster.

When does it go into effect? Business continuity plans help you bring your entire business back to normal day-to-day operations after a disaster occurs and the crisis period is over.

Incident Response

There are many different kinds of cyber security incidents that could affect your business. While all incidents are major problems when they occur, you may not require the full emergency responses planned out above. In these cases, individual plans geared directly to cyber problems can be useful tools.

Depending on your risk, you may want more than the two plans below, but if you’re covered by HIPAA, these are important ones to include with your disaster management plans. The better prepared you are for an incident, the safer you can make your data and the faster you can recover from an attack.

Companies that identified a breach in less than 100 days saved more than $1 million as compared to those that took more than 100 days. Similarly, companies that contained a breach in less than 30 days saved over $1 million as compared to those that took more than 30 days to resolve.”  — 2018 Cost of a Data Breach Study, Ponemon Institute (emphasis added)

  1. Data Breach Response Plan

While a breach is any impermissible use or disclosure of PHI, a data breach response plan focuses on ePHI specifically. It lays out how to secure your systems after a breach, who to contact if you need more support, what to do once the threat is identified and fixed, and who must be notified of a breach of ePHI or other personally identifiable information (PII). (Remember, properly encrypted data isn’t a breach.) The FTC has a good outline for what to incorporate into your data response plan, and the HHS thoroughly explains all the requirements of a breach under HIPAA.

  1. Ransomware Attack Response Plan

The criticality of care facilities combined with the black market price of ePHI makes the healthcare industry a prime target for ransomware and other cyber attacks. And like most cyber attacks, ransomware deals two-fold damage, from the recovery itself to the subsequent breach notifications that must follow. (Remember, unless you can prove that ePHI has not been accessed due to safeguards in place, it’s a breach. For more on Ransomware and HIPAA, see the HHS’s Fact Sheet.)

A ransomware attack response plan sets up the procedures your employees should take in the event of a ransomware attack, such as steps to quarantine an infected machine, who to contact, and what not to do. It should also have procedures for technicians and management in how to secure the network, purge the system, recover lost data (per the data backup plan), and notify required parties. Also include the contact information of the law enforcement department to report the attack to, whether that is local, state, or federal. (For more information see the Department of Justice’s guide, “How to Protect Your Networks from Ransomware.”)

Test! Test! Test!

Most important of all, you need to test your contingency plans routinely and make sure all your employees are trained and know where to find the plan in emergency conditions. A plan no one knows about or can find is a plan that won’t be implemented. Besides, HIPAA requires it.

So make contingency plans part of your annual and new hire training. Make sure all your employees can find the plans and know what they are responsible for. Make sure everyone knows who’s in charge during emergency situations so that plans can be implemented fast and efficiently. It can save you time, money, and headaches when the worst happens.

If you need help implementing a cyber security incident response plan or training your employees in the best practices, contact Anderson Technologies at 314.394.3001 or by email by info@andersontech.com.

3 Easy Ways to Make the Most of Your Firewall

/in , , , /by

Is the mess of cords and cables in your server room weighing heavy on your mind? Whether or not you rely on a managed services provider (MSP) to keep your IT systems organized and in check, you have a responsibility as a business owner to understand the hardware that keeps everything running.

Misinformation about firewalls is one of the most common issues we see at Anderson Technologies. When asked “Do you have a firewall?” most business owners will emphatically respond “Yes!” without realizing that they’re unfamiliar with the hardware that they think is safeguarding their company. That dusty router in the corner of the phone closet or server room probably isn’t doing much more than its job, which is definitely not to protect your network.

We’ve previously written about the differences between hardware and software firewalls, and Anderson Technologies always recommends an enterprise-grade hardware firewall for businesses under our care. But don’t let that be the extent of your knowledge!

Below we’ve compiled a quick guide to understanding the nuances of your firewall and related equipment. By using the tips below, you’ll have an extra level of familiarity when discussing your hardware options with your MSP or teaching your employees proper cyber security protocol, as when striving for HIPAA compliance.

  1. Get to Know Your ISP

You might be asking, “What does my internet service provider (ISP) have to do with my firewall?” The answer to this question varies greatly depending on your network setup. When asked about firewalls, many business owners automatically point to their internet modem or router, and misinformation from ISPs and previous MSPs are to blame.

Most home networks don’t have or require a separate hardware firewall, because the modem and/or router provided by your ISP may have a basic one built in—that is, if it’s configured correctly (more on configuration in #2). Businesses, on the other hand, almost certainly require a more robust level of protection in the form of a hardware firewall. Though HIPAA’s security standard §164.308(a)(5) doesn’t explicitly state the particular hardware necessary to protect against malicious software, having a trustworthy firewall can help and is well worth the investment beyond regulation compliance.

Your ISP factors into the firewall equation at a very basic level. After all, if you don’t have an internet connection, what is your firewall protecting? Your MSP can easily adjust things like wireless access points and device connections, but if there’s a problem with the internet itself there’s not much we can do. Whether you’re using your wireless router’s built-in firewall or an enterprise-grade Meraki, that stream of internet flowing into your business relies solely on your ISP.

Along with your IT services provider, your ISP is a partner and resource when it comes to the technical workings of your business. Always have your ISP’s contact information handy in case a security or performance problem is coming from the foundation of your network—the internet itself.

  1. Configure, Configure, Configure!

Configuration is a term that tends to scare those who don’t consider themselves “tech-savvy,” but at its root, configuration is nothing more than telling your devices how to work.

Think about it this way: when you bring your new smartphone home, it won’t have any of your personal settings or information. Maybe the menu text is too small to read, or the brightness and sound aren’t set to your liking right out of the box. Fixing these settings may take some general knowledge about how the phone works, and possibly some investigation and deduction. But once you’ve changed all the settings to fit your lifestyle, the phone will be working for you and not the other way around.

Configuring your firewall and other network equipment works pretty much the same way, but with nuances that might require outside IT services. Firewall configuration determines which user accounts can manage the firewall’s settings, which computers can access different layers of confidential data, and any other restrictions you need to implement. After this, your firewall will know exactly how to act in a way that meets your business’s individual needs. Guides on configuring your firewall on your own aren’t difficult to find, but when it comes to your business’s firewall, if you feel unsure about how to program it, consulting with a professional is recommended.

  1. Bolster Your Network—Inside and Out

Businesses are prey to targeted attacks more than ever, according to Symantec’s 2019 Internet Security Threat Report. Cyber criminals are stealthier in how they infiltrate networks and know how to take advantage of any weakness. Your firewall serves as your network’s dedicated bodyguard, but what is a bodyguard without backup when trouble arises? Supplement your firewall with both inside and outside reinforcements.

Network protections from the inside include intrusion prevention systems (IPS), robust antivirus/antimalware software, and protective buffers like Proofpoint or multi-factor authentication (MFA). If a cyber threat circumvents the firewall by entering your network from the inside—such as from unregulated permissions or compromised or unpatched software—security software can mitigate the damage. Inside protection also includes ransomware detection and data backups in case the worst happens.

What about protections outside your firewall? Those can be more difficult to implement, if only because they deal with the most vulnerable factor in any security network—humans. Email filtering tools (like Proofpoint) and internet content filtering software (CFS) can screen most of the potential threats that present themselves to your employees. But all it takes is one employee opening one spammy link from a spear phishing email, and your whole network becomes victim to a targeted attack. Everyone on your team needs to have the same awareness, goals and training because firewalls can only do so much on their own.

Firewalls are amazing investments that can save your business hundreds of thousands in the long run by preventing devastating cyber attacks. It’s important to know what’s going on beyond all those cables, circuit boards, and blinking lights. And when someone asks if you have a firewall, you’ll be able to confidently point out the device and know your network is protected.

Anderson Technologies is always here to answer any questions you may have, regarding firewalls or other cyber security topics. Contact us today here or by calling 314.394.3001.

HIPAA Part 5: The Cycle of Risk

/in , , /by

In part 4 of our HIPAA series, we dug deep into the Security Risk Analysis (SRA) and how to perform one. This time, we’re going to look at what to do with the SRA once it’s completed. The SRA serves as a starting point for fulfilling many of the standards of the Security Rule, but its most important function is to help you create a risk management plan to mitigate and monitor the risks you identified. The risk management plan will determine what actual changes you make to ensure your electronic protected health information (ePHI) and your business are safe from all reasonably anticipated threats.

What is a Risk Management Plan?

In the SRA, risk is identified, current security measures are evaluated, and the potential impact of a vulnerability being exploited/triggered is determined. A risk management plan takes all that information and turns it into a plan of action. It prioritizes the risks with the greatest impact, puts plans in place to mitigate the danger, implements those plans, then evaluates whether the risk is brought down to reasonable and appropriate levels.

The SRA and the risk management plan together serve as the foundation for compliance with the Security Rule. If you’ve performed a thorough SRA and created a comprehensive risk management plan, many later standards may be fulfilled in the process of implementing the plan and mitigating the identified risks.

A comprehensive risk management plan also serves to satisfy several HIPAA standards.

  • 164.308(a)(1)(ii)(B) – Risk Management: Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with §164.306(a).
  • 164.308(a)(8) – Perform a periodic technical and nontechnical evaluation, based initially upon the standards implemented under this rule and subsequently, in response to environmental or operations changes affecting the security of [ePHI], that establishes the extent to which an entity’s security policies and procedures meet the requirements of [the Security Rule].

4 Steps to Creating a Risk Management Plan

  1. PrioritizationThe first step of analyzing the data produced in the SRA is to prioritize which risks need to be addressed immediately and which can be addressed in the future. All risk eventually needs to be dealt with, but budgets, manpower, and immediate threats will all factor into how and when.It’s vital that senior management is involved in the risk management planning process. Mitigating risk to a reasonable and appropriate level may require considerable investment of both time and money. New hardware infrastructure or outside help from IT professionals may be necessary, and employees’ time may be needed to create new policies and procedures and train staff. Even if the budget-makers aren’t involved in the SRA, having them involved in the risk management plan will help to prioritize what needs to be handled first, and allow them to see why the investment is necessary.
  2. MitigationOnce the risks are prioritized, the next step is to decide how to mitigate the possible danger. Just as with the rest of HIPAA, how this happens is determined differently by each company depending on the level of risk posed and the resources available.What’s important to remember is that the goal is not to eliminate risk all together. If it’s possible to do so and still have a functioning and sustainable business, all the better, but for most businesses, the complete elimination of risk may be either too expensive or too prohibitive to actually continue fulfilling their core mission. The goal of mitigation is to reduce risk to a reasonable and appropriate level. Do all you can within your means to protect ePHI.

    We cannot stress enough that while cost is one factor to consider in your mitigation strategy, it alone cannot be used to justify not mitigating risk if the likelihood of a threat and the potential impact are severe enough.

  3. ImplementationA comprehensive risk management plan is useless if it’s not implemented. Failure to put the new policies and procedures to safeguard ePHI into action throughout your company can result in the vulnerabilities you identified being exploited: exposing ePHI, your company losing trust, and incurring serious fines.Implementation needs to occur at all levels of your business, from documenting the newly created policies and procedures, to infrastructure investments, to checking the settings on hardware you identified as a risk. According to NIST SP 800-39,

    The objective is to institutionalize risk management into the day-to-day operations as a priority and an integral part of how organizations conduct operations . . . recognizing that this is essential in order to successfully carry out [business] missions in threat-laden operational environments.

    NIST is talking about IT operations, but the same is true to all threats to ePHI. A culture of avoiding or mitigating risk at every level can produce a working environment that protects ePHI and strives to maintain security measures. Remember, the risk management plan is essentially a plan of action that must be put into practice to be successful.

  4. EvaluationImplementing your risk management plan won’t protect ePHI if, ultimately, the mitigation strategy you chose doesn’t work as expected. That’s why evaluating the success of your risk management plan after implementation is important. Once in place, you may find that what you thought would mitigate the risk hasn’t done so, or hasn’t done it as well as necessary to bring the danger down to reasonable and appropriate levels. Or you may find that while it does mitigate risk, it also causes severe difficulties in the day-to-day operations of your business. In these cases, another strategy may be more successful for your business in the long run.§164.308(a)(8) also requires covered entities to “perform a periodic technical and nontechnical evaluation . . . in response to environmental or operations changes . . . that establishes the extent to which an entity’s security policies and procedures meet the requirements of [the Security Rule].” This means that subsequent SRAs need to be performed and your risk management plan re-evaluated whenever there are major changes to your business or IT infrastructure that could affect ePHI.

    Like we mentioned in Part 3 of our HIPAA series, documentation is a constant part of compliance with the Security Rule, and the risk management plan is no different. Having a clear record of what you planned, when and how you implemented the plan, and the success or failure of those actions are necessary not only for your own future use but also in case you’re audited.

The Cycle Never Ends

The most important thing to remember about risk is that it never ends and is always finding new ways to threaten your business. You have to keep moving right along with it. Risk management is a continuous cycle of analyzing risk, implementing a plan to fix it, determining if that plan worked, and repeating.

For some businesses, performing an SRA and updating a risk management plan might be an annual activity as part of their HIPAA compliance. Other businesses that have fewer risks and fewer changes to the business may decide to wait two or three years between SRAs. It all depends on what is reasonable and appropriate for your organization.

Just don’t stop moving through the cycle of risk management. Danger doesn’t stop changing, and neither should you.

 

If you need help implementing the IT requirements of your risk management plan, contact Anderson Technologies today at 314.394.3001 or email us at info@andersontech.com.

Taking Your Nonprofit to the Cloud!

/in , /by

As a nonprofit, you are frequently responsible for doing more with less. Saving time, money, and effort is essential to maintaining and expanding your reach with limited manpower and funding. One of the most accessible ways to do that is through the technology department.

In part one of our series for nonprofit organizations, we discussed how digital presence can impact your work. In part two, we tackle the cloud. Moving computing, storage, and backups to the cloud may sound daunting, but with a managed services provider at the helm, the process can be smooth and beneficial in many ways.

What is the Cloud?

Despite the name, the cloud is tied to earthly locations. The cloud refers to software and services that run on the internet, rather than locally, and are hosted on a vast network of servers, constantly saving and delivering applications, files, and settings.

A cloud service provider makes services and server space available to you. Cloud service providers have varying costs and regulations, so choosing what is right for your nonprofit is important.

Read more about our work with nonprofit organizations!

Know the Terminology

There are two major ways the cloud can be used in a business or nonprofit environment: cloud computing (including cloud services), and cloud backup. Most commonly, these are used in conjunction, but the cloud isn’t an “all or nothing” deal. Nonprofits can benefit from utilizing the cloud a little – or a lot!

Cloud Backup

Instead of keeping copies of files, programs, and systems on offline storage devices or a second server, maintained and refreshed in case the main on-site server malfunctions, this same data can be kept in the cloud. You may be familiar with cloud backup services like Acronis, Carbonite or MozyPro being used as a backup for files.

When used instead of or for augmenting traditional backups, cloud backups can provide a more seamless transition as well as more current saves, whereas traditional systems typically back up information once a day. That means device failure is less likely to destroy files that are saved in the cloud! Files are immediately available by logging into the cloud environment and can be synchronized back to the new hardware from the cloud copy.

Cloud Services and Computing

If you use Google G Suite, Microsoft Office 365, or Netflix, you are already using cloud services without realizing it! Instead of using a local server, cloud computing utilizes a network of servers hosted online to store and process data. Cloud computing can scale from running a handful of programs, to having full cloud environments that mirror office computers.

With cloud computing, nonprofit files and applications are accessible whenever and wherever you or your coworkers need them. These can be accessed from any device with a secure internet connection (workstations, laptops, tablets, or even from their mobile phones). Your team members are no longer limited to one physical location and can access information and programs from the office, home, while traveling — anywhere.

How Can the Cloud Benefit My Nonprofit?

Software as a Service

Also known by its acronym, SaaS, software as a service is only made possible through cloud computing. Instead of installing software locally via CD-ROM, SaaS is downloaded from the internet, and typically, instead of a one-time, up-front cost, SaaS is provided in monthly subscription packages. This keeps costs low and covers updates, and often special discounts are available for nonprofits. Intuit QuickBooks Online, for example, when used as SaaS, offers automatic backups, app integration, and access designed for mobile as well as desktop devices.

Mobility

Probably the most widely known benefit of utilizing the cloud for computing is mobility. Mobility means that while using the cloud, you and your team members are less constrained and have far greater flexibility when it comes to accessing your organization’s data. In the past, this kind of secure access from around the world would require specialized software and a VPN tunnel to a dedicated server located within your office. Now, securely accessing work files remotely has been streamlined. With cloud services, you can access documents and applications using any device with an internet browser, including your smartphone.

Security

Whether you are working remotely or sharing sensitive information with the board, the cloud offers a secure solution. In the past, a transfer of data would have meant setting up an FTP server or investing in email encryption. Through the cloud, files can be shared almost instantly with increased security and flexibility. There are limitations here, however. As reported by Symantec in their Internet Security Threat Report 2019, 70 million or more records were stolen or leaked “as a result of poor [cloud] configuration.” Much like other aspects of IT, with quality management and monitoring the cloud can be a huge asset.

Email

Rather than hosting email onsite on a Microsoft Exchange email server, this service can also be moved to the cloud. In this case, there is an enormous possibility of increased efficiency and lower cost.

Reduced Liability

Because a cloud service provider is behind the wheel of your cloud services, the individual – that’s you! – has reduced exposure due to relying on a third party’s expertise in the case of a data breach or malfunction. In terms of HIPAA compliance, you still have a responsibility to ensure that the cloud service provider you choose is compliant, and it’s important to vet the providers you partner with, regardless of regulation. Instead of trying to do everything yourself (at an increased cost, and higher effort), outsource to those who are the experts. Using a cloud service provider means you will pay less, but get more.

Price

Compared to the price of maintaining your own dedicated infrastructure, cloud computing, storage, and backups can offer the potential for discounts. Microsoft, for example, offers several free service options specifically designed for nonprofit organizations.

There is a caveat here. Anderson Technologies has seen certain nonprofit-specific software providers drastically raise the price for SaaS over a standard license run on a local server. Some cloud service providers specializing in donor databases price SaaS by the number of entries in the database rather than the number of users who need access. For small nonprofits with a large reach, this can really impact the total cost of moving to the cloud. There are cases where a cloud service provider can adjust cost, but for the few who rely on specific, costly software, this factor may override other benefits of the cloud.

Ultimately, managed services make cloud computing work. With IT experts behind you, moving to the cloud can be straightforward, with backups fully automated, settings securely configured, and you’re less likely to be overcharged by a cloud services provider. Anderson Technologies knows what it takes to run a nonprofit’s computing environment smoothly and on budget. Are you ready to take your nonprofit to the cloud? Call us today at 314.394.3001 or email us at info@andersontech.com.

4 Strategies for Boosting Your Nonprofit’s Online Presence

/in /by

The world of technology and the internet can look very different from a nonprofit organization’s perspective. With a board of directors, budgets, and often limited personnel, properly vetting and implementing new technology can be a daunting task.

In the first of our series of blog posts focused on technology and nonprofit organizations, we take a look at the best tips to help grow your nonprofit’s digital presence. Here is some of what’s new in the world of the web and social media that can help your organization succeed.

Make the Internet Work for You

What does your nonprofit’s web presence look like? Is it a seldom-updated Facebook page? A website that hasn’t seen a major overhaul in years?

The internet is all about visibility, reliability, and holding a user’s attention. Once you establish these, client and donor engagement should follow.

Visibility

If a potential donor uses Google or Bing to search for your nonprofit, what will they find?

Search engines now seek to provide the smart answers. They try to answer a search’s intent, and they try to do it well. As search engine algorithms have evolved, so has the field of search engine optimization (SEO). For your website, the process of SEO implements what Google or Bing’s algorithms are looking for in your nonprofit’s category. Sites that maximize their SEO show up higher in search results.

The first step to visibility is actually having a web presence, which means having not just a Facebook or LinkedIn page, but also a well-maintained website. A pre-formatted site from a provider like WordPress or SquareSpace can serve your purpose, if done well.

The number one way to build your digital presence is to have one! Make sure you have a website, and keep it updated.

Reliability

The second step is optimizing your presence. When is the last time your web presence was updated? Search engines look for sites that are regularly updated. A site that hasn’t been touched quickly drops in rank compared to other sites that discuss the same topics. Even name recognition goes down when tied to a stagnant web presence.

How accurate are your listings? All websites, Facebook pages, and directory information should point to the same location, hours, and phone number. Consider the clients. If there are two or three addresses listed, where should they go? Many will seek another solution, rather than attempt to navigate a confusing one.

Inaccurate or missing information is a signal to search algorithms that your site probably isn’t the most reliable source for information. The ultimate reliable website shares everything a user needs to know in an easy-to-navigate menu with mobile-friendly formats and inspires confidence in your nonprofit as a result.

Google yourself! Does all the information that comes up point to the right place, times, and contact information?

Attention Grabbers – and Keepers

No one is suggesting that your nonprofit become the next Buzzfeed, but a website user who is interested in the information on your site stays longer, visits again, shares information with friends, and —most importantly—can become a client, volunteer, or donor.

Entertainment doesn’t have to mean flashy videos. Think about what a visitor to your website wants to see. Your site should be easy to navigate, provide clear information, and answer potential questions. The nature of search algorithms (the higher a site ranks in search, the more people visit, the longer the visits, the more trust the algorithm has in a site, the higher a site ranks in search, etc.) means it’s important that visitors don’t just click once and are done.

Because of the personal and often life-changing impact nonprofits offer, you have a unique opportunity to keep website visitors interested and engaged. Personal stories about real people can spur volunteers and donors into action. They are also a wonderful source of content for social media.

Provide the information visitors need, and then give them a reason to keep reading.

Stake Your Claim in the Social World

Think of social media as free advertising. Searches for organizations and people are not just done on search engines, but on platforms like LinkedIn and Instagram. Presence on social media not only gives you a place to post updates, advertisements, and success stories, but also helps build a complete profile of your organization.

If you are a total stranger to social media, getting started may seem daunting. But as discussed above, SEO makes or breaks online visibility. Algorithms, whether Google’s or Facebook’s, determine what users see when they type in a keyword or the name of a nonprofit. Active social media accounts inform those algorithms that the page is active and that it has a better chance of containing the answer to a searcher’s query. An up-to-date listing on Facebook or Google My Business assures algorithms and users alike that an organization is legitimate.

As of this posting, there are several social media platforms that you should be aware of, but don’t feel pressured to maintain an active presence on all of them. While each can benefit your nonprofit, the audience and method of posting on some may not be a good match for you. While there are free services that allow for cross posting to different platforms at the same time, what works on Facebook or LinkedIn won’t fare well on Tumblr. The best course of action is to tailor content to the platform on which it is posted. Here’s a list of the most popular social networks for you to consider:

  • Facebook. Almost universal in usage. Perfect for sharing information and news, and establishing your brand.
  • Twitter. Essential for the plugged-in audience. Popular hashtags come and go in the space of hours, so participation has to be constant. Quips and memes perform well in this space.
  • LinkedIn. Professional space for news sharing, updates, and networking. Can be used to connect with high-profile individuals and to share your message in the nonprofit field.
  • Instagram. An image-based network. Telling your story through pictures can give you access to a whole new audience.
  • Tumblr. Fast-paced, meme-centric, and a must-visit for an audience of teens and young adults.

Once you have a successful social media account, you no longer have to do all the work yourself. Followers will use the space as a place to congregate, sharing your posts and your story with their own circles and granting you exposure you wouldn’t have otherwise.

Establishing and improving your internet presence is just the beginning of our nonprofit-focused blog series. Stay tuned for our next blog all about the cloud! Do you represent a nonprofit that is in need of managed IT services? Contact Anderson Technologies today at 314.394.3001 or info@andersontech.com.

HIPAA Part 4: Risky Business

/in , /by

No matter the size of your practice, compliance with the HIPAA Security Rule is a serious undertaking. In order to fix a problem, you must first know it exists. That’s why the Risk Analysis and Risk Management implementation specifications are the foundation of your security compliance efforts. We touched on risk management in Part 2 of our HIPAA series, but in the next two articles we’ll be digging into the Risk Analysis and Risk Management implementation specifications more thoroughly with tips and tools to help you through the process.

The importance of performing a thorough risk analysis and coming up with a risk management strategy cannot be overstated. Throughout this article there will be links to resources to help you decide how best to perform your risk analysis. If you’ve never performed a risk analysis, we strongly suggest going over those resources first.

What is a Security Risk Analysis?

While much of this article presents an outline of how to conduct a Security Risk Analysis (SRA), it first helps to understand what an SRA is. Identifying that a problem exists—or could exist—is crucial to fixing it, preventing it, or making it as safe as possible. That is the purpose of the SRA.

An SRA is ultimately a process that allows you to analyze the way your company approaches risk and see how all areas of your business or organization—from policies and procedures to technical implementation—influence each other. It creates lists of threats, vulnerabilities, and threat events which could impact not only your organization, but your patients, customers, or vendors as well. Once you understand the risk in your daily business functions, finding a solution to keep them secure and operational is much easier.

Threat: the potential for a person or thing to trigger or exploit a vulnerability.

Vulnerability: a flaw or weakness in the system security procedures, design, implementation, or internal controls that could be accidentally triggered or intentionally exploited and result in a security breach or a violation of the system’s security policy

Threat Event: how a particular threat could trigger or exploit a specific vulnerability

(NIST 800-30)

The SRA process is complicated and can require a substantial investment of time and effort to complete, depending on the size and scope of your business. But when it’s finished, the SRA will provide you with a blueprint for the future. It identifies areas that are protected, areas that could use some fixing, and areas that are desperately unprotected. This allows you to prioritize your needs and create a risk management strategy specific to your environment. And when going through your HIPAA Security Rule compliance, there’s no better tool than an SRA.

Why Do You Need an SRA?

For HIPAA, you must conduct a targeted SRA. §164.308(a)(1)(ii)(A) requires an “accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information. . . .” The key to this is the specification of electronic protected health information (ePHI).

Since the Security Rule only deals with ePHI (where the Privacy Rule handles all PHI), the SRA only needs to focus on the ways in which ePHI is created, received, maintained, or transmitted. Including or performing a second SRA to include all PHI and the ways it could be improperly handled or disclosed would be best practice to assess your policies and procedures regarding non-electronic PHI, but it’s not required under HIPAA.

It’s important to remember that ePHI involves far more than an electronic health or medical record system.  It includes all types of electronic media hardware that can create, receive, maintain, or transfer ePHI, as well as software such as appointment calendars or billing databases.

While it can only help your organization to conduct a business-wide risk analysis, the targeted scope of ePHI under HIPAA narrows what you need to assess. Don’t narrow your field too much, though. The cost of insufficient or non-existent SRAs and risk management plans can lead to data breaches and serious fines.

According to the Office of the National Coordinator (ONC) for Health Information Technology, simply filling out a checklist is not enough to complete an SRA or count as proper documentation of one under HIPAA. You can learn more about common misconceptions about the SRA at the ONC’s website.

Guides and Tools to Help You Conduct an SRA

While no tool can replace a thorough and accurate SRA, there are plenty to assist you during the process. The ONC recently released an updated version of its SRA Tool that you can download to help identify areas that may need improvement. They also have video tutorials like the one below and interactive games to test your knowledge of both privacy and security requirements.


ONC’s overview of the Security Risk Analysis

There are also numerous guides to help you better understand the process of risk analysis and management. Besides what we’ve mentioned in previous articles (the Department of Health and Human Services’ (HHS) HIPAA Security Series, and NIST’s Introductory Resource Guide—Appendix E), both the ONC and the HHS have overviews of the process.

For detailed explanations of the risk analysis and management process, NIST published two separate guides: SP 800-39 Managing Information Security Risk and SP 800-30 Guide for Conducting Risk Assessments. These are not specifically geared to HIPAA’s SRA, but the level of information provided is far more complete than many of the HIPAA-specific guides. We recommend that you read SP 800-39 before SP 800-30. While SP 800-30 offers greater detail about specific parts of the risk analysis process (especially in the appendices), SP 800-39 is more reader friendly and a good foundation for SP 800-30.

How to Conduct an SRA

Like all parts of HIPAA, scalability and flexibility are at the core of the SRA. A two-dentist practice isn’t going to need the same kind of SRA as a large nursing facility, so HIPAA doesn’t dictate the exact steps to conducting an SRA. However, all thorough and accurate SRAs will go through similar steps and feature key information, no matter the format you choose. As always for HIPAA, document each step for the final SRA report.

Note: While going through the steps, it’s important to remember to look at risk from an organizational perspective (business-wide policies and procedures or budgets), a business function perspective (billing or patient care), and an informational systems perspective (settings on specific technology or hardware purchases). Another way to look at this would be administrative, physical, and technical lenses to match up with the HIPAA safeguards (though, if you prefer HIPAA terminology, keep in mind that physical isn’t perfectly analogous to business function.)

Step 1: Gather a Team

An SRA shouldn’t be performed by one person. Business owners or senior leadership should work together with management and IT experts during the SRA process. Not everyone sees risk the same way, and having a knowledgeable team ensures that your SRA will identify risk from all necessary perspectives.

Step 2: Determine the Scope

In this case, HIPAA has defined the scope for you in §164.308(a)(1)(ii)(A): “the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information” wherever it is created, received, maintained, or transmitted.

If it holds, accesses, or transmits ePHI, it is part of the SRA. For some businesses this will be a lot to cover, while others may only reference a few systems. And while the scope could be increased to include all PHI, it shouldn’t be reduced.

Step 3: Create a Risk Analysis Framework

A risk analysis framework isn’t required for an SRA, but it’s a useful tool to maintain consistency and avoid ambiguity between those preparing the SRA, those implementing it, and those conducting future SRAs. Since few people see risk the same way, the framework creates a clear set of assumptions, constraints, risk tolerances, and priorities/tradeoffs that will determine how your business manages risk.

Many of these terms appear in later steps, but they’re not used in the same way. In the framework you explain how to identify and respond to the risk factors, while later you use the framework to actually identify and respond to the risk. The framework puts everyone on the same page so that each person knows what to look for, how to judge the risk, and how to manage that risk appropriately.

The framework should also dictate the methodology you use to conduct this and future SRAs. This can be qualitative (high, medium, low), quantitative (numerical quantities), or a mix of both. Not all risk can be numerically quantified (# of individuals affected vs lost reputation—the first can be counted, the second cannot), so a qualitative or mixed approach can be more useful.

If you choose to skip the framework step, much of this information will still need to be explained in later steps to satisfy documentation requirements, and you won’t have it readily available for subsequent SRAs.

Step 4: Gather Data

In order to determine the risk to ePHI, you must first determine where it is stored, received, maintained, and transmitted. And while this encompasses a great deal more than physical hardware, having a record of the physical hardware and its movements is a part of the Physical Safeguards (§164.310(d)(2)(iii)—Accountability). This is especially important as more and more healthcare settings utilize portable electronic media, such as tablets or laptops.

Think of the flow of ePHI. Where does it begin in your business? Do you create it or receive it? Follow it from its starting point to endpoint and document what systems each piece of ePHI interacts with. Depending on your business, this could be only a few pieces of software and hardware or it could be most systems in the office. Either way, you need a complete list in order to conduct a HIPAA-compliant SRA.

Step 5: Identify and Document Potential Threats and Vulnerabilities.

This could be considered one step or two, depending on how you decide to conduct your SRA. It may be simpler to identify potential threats and vulnerabilities separately, but you may find that as you identify a threat, you also identify the vulnerability it could exploit and vice versa. It is up to your team to decide the best method.

If you’ve already created a framework, you’re ready to identify threats and vulnerabilities. If not, take some time to decide what you’re going to consider a threat or vulnerability, how you’ll identify them, and what sources are valuable to work from during the process.

Sources of information could include past SRAs, business security reports or testing, known breaches of similar institutions (Breach Level Index, OCR Breach Report), the security community’s public lists and advisories (National Vulnerability Database, National Checklist Repository), information from vendors, and your managed services provider or IT staff.

As always, remember to document everything.

Threats: One important thing to note when starting your list of potential threats is that you are not required to list all potential threats. You must list all reasonably anticipated threats to ePHI. Having valuable sources of threat information is important, because you don’t want to waste time or resources on a threat that will never affect you, such as a hurricane if you’re nowhere near the ocean.

At this point you’re not looking at whether or not you’ve already mitigated the risk of such threats affecting ePHI. You’re only considering if it is a reasonably anticipated threat. And threats aren’t just about whether someone steals your data for misuse, but whether you can verify the integrity of your ePHI and have it available when you need it.

Vulnerabilities: When dealing with ePHI, it’s easy to think of vulnerabilities as technical problems. Non-technical vulnerabilities cannot be overlooked, and could even be the root problem to other perceived vulnerabilities. A lack of policies and procedures on how to securely set up new hardware or a budget that doesn’t meet the demand of current threats could lead to a number of technical vulnerabilities through misconfiguration of security settings or poor hardware purchasing. This is why a team is important for looking at both the big picture and the small details.

Step 6: Assessing Security Measures

Now that you have a complete list of threats and vulnerabilities, it’s time to see what security measures you already have in place to protect ePHI. Small- to medium-sized business have a greater degree of control over their environment, which is an advantage in mitigating risk. Like vulnerabilities, security measures can be both technical and non-technical, and should be looked at from all perspectives. When documenting, also identify that all technical security measures are not only there but also configured and utilized correctly.

Step 7: Determining Risk

In order to determine risk, it’s time to put the threats and vulnerabilities together to create a list of possible threat events. This is not a strictly one-to-one pairing. A single threat might affect multiple vulnerabilities, and a single vulnerability might be affected by multiple threats. (For more guidance on threat events, see Appendix E of SP 800-30.)

For each threat event, you must determine the likelihood of it occurring and the impact it would have on ePHI and your business if it did. Likelihood is the probability that a threat event will occur.

Below are examples (both qualitative and quantitative) of how you could determine likelihood and impact. Depending on your business’s risk tolerance, you might add more levels beyond high, medium, and low.

The impact of a threat event can be felt across different levels. The most obvious is the direct breach to ePHI’s confidentiality, integrity, and availability, but impact can also be felt in the loss of revenue from a damaged reputation, the cost of fixing the effects of the threat event, time and effort spent dealing with regulatory audits, and other intangible results. Below is an example of how you might measure impact.

Level of Risk

Accurate assessments of the above are vital to determining the overall level of risk posed by a threat event because risk is a combination of likelihood and impact. For example, if the impact is high but the likelihood is low, then the overall risk would be low. The clearer the definitions in the framework of what constitutes the levels of likelihood and impact, the more accurate and consistent your evaluations of threat will be. Threat matrices (such as those in Appendix I of SP 800-30) can be used for both qualitative and quantitative methodologies.

Step 8: Document and Manage Risk

If you’ve kept up with your documentation, the final SRA report should be simple to put together. Appendix K of SP 800-30 offers a base template for writing an SRA report, but you should tailor it to your business’ needs. In general, it should include all the lists you’ve made, as well as the reasons for your determinations and how you plan to use this information.

The final task of an SRA is to develop a risk management plan. HIPAA understands that risk cannot be wholly eliminated, but it should be reduced to reasonable and acceptable levels. Conducting an SRA and implementing a risk management plan become the foundation for implementing the rest of the Security Rule’s safeguards. In the next installment of our HIPAA series, we’ll look at how to use your SRA to create a risk management plan.

If you’d like the IT experts at Anderson Technologies to be a part of your risk analysis team, contact us today at 314.394.3001 or by email at info@andersontech.com.

hipaa documentation

HIPAA Part 3: Document! Document! Document!

/in , , /by

As you read through the Privacy and Security Rules for HIPAA, you’ll see a pattern that shouldn’t be taken for granted. Nearly all the implementation specifications require some form of policy and procedure documentation. This involves more than the reasoning and justification for how you choose to implement the specifications (though that must be documented as well). These are the policies and procedures that HIPAA expects your business to follow every day.

Organizational Standards

Besides the administrative, physical, and technical safeguards which make up the majority of the Security Rule, there is a lesser known section of safeguards called organizational standards that deal largely with the paperwork required by HIPAA concerning protected health information (PHI) in any form. This section is often overlooked because many of its requirements are addressed in greater detail throughout the Privacy and Security Rules. The four standards in this section include:

  • Business Associate Contracts
  • Requirements for Group Health Plans
  • Policies and Procedures
  • Documentation

This article focuses on the last two standards: Policies and Procedures and Documentation, both of which lay the groundwork for HIPAA compliance. The other two standards shouldn’t be ignored, but they concern only those who: a) are or need a business associate or, b) are a sponsor to a group health plan that provides data beyond enrollment and summary information.

Note: If you work with or are a business associate that works with ePHI and your contract has not been updated since the HITECH Act in 2009 or the Final Omnibus HIPAA Rule in 2013, you will want to review and update all contracts to ensure they meet the current standards regarding business associates.

Standard 164.316(a): Policies and Procedures

Why have an entire standard dedicated to something addressed in nearly every single implementation standard? This standard explains what HIPAA expects from the policies and procedures that a business creates. Specifically, it references the Security Standards’ General Rule of Flexibility of Approach, which is discussed in Part 2 of this series. It also allows for policies and procedures to be changed at any time to adjust to new demands or technologies, as long as all changes are documented and implemented accordingly.

Standard 164.316(b)(1): Documentation

This standard identifies how documentation required by HIPAA is to be maintained. According to this standard and its subsequent implementation standards, all documentation required throughout the Security Rule’s standards, including but not limited to

  • policies and procedures,
  • job responsibilities and duties,
  • risk assessments, and
  • action plans

must be recorded (physically or electronically) and retained for a minimum of six years from the date of creation or when it was last in use, whichever date is later. All documentation must be available to anyone who uses those procedures, and documentation should be consistently reviewed and updated as necessary.

Note: The six-year retention rule only satisfies HIPAA standards. State law may require some documentation to be retained for longer. Always verify what state laws apply to your business, as HIPAA does not supersede many state requirements.

Bringing Your Policies into Compliance

It’s possible your business already has clear policies and procedures in place, but that doesn’t immediately make you HIPAA compliant. You still need to go through each one to ensure it satisfies the implementation specifications it pertains to. If not, policies may need to be updated or new ones added. HIPAA gives businesses a great deal of leeway in how policies and procedures are written, so both updating existing documentation and creating all new materials is acceptable.

What should the policies and procedures say?

HIPAA doesn’t dictate the exact wording of any policy or procedure. It’s up to the business, taking into consideration the Flexibility of Approach guidelines, to determine what policy needs to be implemented. Generally, a policy explains a business’s approach to the subject it relates to.  If the policy concerns removing access from those who no longer work for the company, it could read something like:

At the end of an employee’s last day of employment with [company name], security and/or IT staff will remove that employee’s access to company systems and restricted locations and document the change of access. The employee’s supervisor will verify that all access has been revoked within twenty-four hours.

This offers clear guidance about what the company intends to do to remove access from someone who no longer is allowed to work with PHI. It also provides an implementation timeline, who should implement the policy, and how the company will ensure it gets implemented properly.

The procedure that accompanies the policy would then offer easy-to-follow directions on how those responsible are to implement the policy. A sample procedure may look like this:

Regarding Policy for Removing Access of Former Employees

Duty of IT Staff or Managed Services Provider

  1. Go to [directory] and locate the list of all programs and devices employee had access to according to job title. Check this list against their user account to ensure no programs are missed.
  2. Starting at the top of the list, go through each program and device and remove employee access. For procedures regarding specific programs, see [directory of procedures].
  3. Go to Active Directory and find employee information.
  4. Backup emails and save them to [directory] to be stored for a period of one year before deletion.
  5. Backup any information relating to patient care in appropriate directories. See [directory list] for proper placement.
  6. Disable user’s Active Directory account and change their password.
  7. Document time, date, and your name in the Employee Termination log to indicate all access it removed.
  8. Inform former employee’s supervisor when access removal is completed for verification.

Procedures should be as detailed as possible so that there is no ambiguity or confusion in what needs to be done. It allows newer employees to accomplish tasks they may not have performed before. There may also be multiple procedures related to the same policy depending on the duties of each person. Margret Amatayakul wrote an excellent guide to creating policies and procedures for the Journal of AHIMA (American Health Information Management Association).

Note: Both the Security Rule and the Privacy Rule require policies and procedures to be created. A company can combine relevant Security and Privacy standards into a single policy or create entirely separate policies for the Security and Privacy Rules. Each business should determine what is best for its employees.

Employee Training

Once you have your policies and procedures written and accessible, the next vital step is to train employees on them. HIPAA requires all employees to be trained in the policies and procedures related to their job. This training includes everyone from the maintenance staff to the CEO. Each time a policy or procedure is updated, retired, or replaced, the affected staff must be informed and, if needed, new training should occur.

Of course, maintenance personnel and CEOs won’t need the same kind of HIPAA training, just as IT support doesn’t need the same training as a nurse. HIPAA doesn’t dictate the way training happens, only that it happens. This means big companies that can afford professional training materials can do so, but smaller companies may hold informational meetings, allowing each to train the way that is most effective and makes the most sense for them.

Suggestions for employee training

  • Go through your employees’ job descriptions and separate employees by the level of access they have to PHI.
  • Create training programs for each level of access and/or the duties required in the job description so each employee gets the training suited to their job.
  • Don’t overload employees with policies and procedures that don’t relate to their job.
  • Ensure all training includes how to access the company’s policies and procedures in case employees need to revisit or reference them.
  • Ensure all employees know who to contact if they have any questions.

Sanctions

Along with training employees, HIPAA also requires you have clear consequences for not following the written policies and procedures. The types of offenses should be clearly defined and the disciplinary action enacted for every infraction.

One way a company might dictate levels of disciplinary action would be to clarify whether a break in policy or HIPAA standard was accidental, made through negligence, or of malicious intent. This allows various consequences for the same infraction without being inconsistent. An example would be: a) an employee leaving a workstation unlocked because an emergency situation demanded they respond immediately, b) they consistently forget to lock their workstation even after being warned about it, or c) they intentionally leave a workstation unlocked to allow someone without access to view ePHI. While the problem is technically the same, they don’t all deserve the same consequences. As with everything else, all infractions and disciplinary actions need to be documented and retained for six years.

In 2018, the Health and Human Services Office of Civil Rights reported 279 breaches of PHI, each resulting in at least 500 individuals affected, though often the number was much higher. Policies and procedures may feel tedious to write, but they provide employees with the information necessary to do their job in a HIPAA compliant manner and could prevent a breach of PHI.

For help with developing clear and secure policies for your company’s software and devices, contact Anderson Technologies at 314.394.3001 or by email at info@andersontech.com.