Are Your HIPAA Compliance Efforts Healthy?


Let’s address the (ahem …) hippo in the room. HIPAA compliance continues to be a real challenge for small and mid-sized businesses.

HIPAA is an acronym for the Health Insurance Portability and Accountability Act, which sets specific rules for how a patient’s health information may be used, disclosed, and protected.

Larger healthcare organizations – hospitals and insurance companies – have in-house information technology teams, but smaller businesses don’t have the same depth of IT help on hand. Yet they must abide by the same rules.

Risking a HIPAA violation can be costly. Civil penalties reach up to $50,000 per violation, and the same mistake repeated across many records counts as many violations.

Common violations include:

  • Keeping records unsecured. WellPoint left an online health database accessible without authentication and paid $1.7 million.
  • Not encrypting data. The Massachusetts Eye and Ear Infirmary failed to encrypt physicians’ laptops, and one stolen laptop led to a $1.5 million settlement.
  • Loss or theft of devices containing protected health information (PHI). A dermatology practice in Massachusetts lost an unencrypted flash drive and settled for $150,000.
  • Failing to train employees in HIPAA compliance. A Walgreens pharmacist in Indiana looked up and shared a single patient’s prescription records; a jury awarded the patient $1.44 million.
  • Disposing of records improperly. Affinity Health Plan paid $1.2 million after returning leased photocopiers without erasing the hard drives, which still held patient records.
  • Releasing information without authorization. Phoenix Cardiac Surgery posted patient appointments on a publicly accessible online calendar and paid $100,000.
  • Disclosing PHI over channels that do not protect it. The same Phoenix practice had also sent patient data from an internet email account to staff members’ personal email accounts, which was part of that $100,000 settlement.

Tips for HIPAA Compliance

Be aware of HIPAA requirements. Smaller businesses can have a tougher time remaining up to date on technology and guidelines. But that doesn’t make them any less accountable for understanding HIPAA compliance. It’s important to do the research and get educated, or partner with an IT provider with the expertise to prevent possible violations.

Embrace encryption. If your business handles any confidential information, encryption and firewalls are necessary. Use the firewall to keep outside traffic away from internal systems, and use encryption so data cannot be read if someone does get unauthorized access. Encryption also matters after the fact: if a laptop or drive is lost or stolen but its PHI was encrypted in a way that meets HHS guidance, the data is considered secured and the loss is not a reportable breach. Keep the encryption keys separate from the device (a password on the lid does not count).

Protect all your endpoints. Any mobile devices that have access to patient data need to be secured. With mobile device management, for instance, you can lock down and wipe lost or stolen devices.

Err on the side of caution. Employees gossiping over coffee in a dentist’s office could share patient information, someone might send an email with unencrypted PHI, or a health announcement might go out with every recipient’s name visible in the To: line. All of these are HIPAA violations. Humans will make mistakes, but they make fewer of them when they have been taught the regulations and why care matters.

Get a HIPAA Check-Up

HIPAA has been around since 1996. The Security Rule, which covers electronic PHI specifically, took effect for most covered entities in 2005. Yet there are still businesses out there with only a vague idea of what it means to be compliant.

Heavy hitters in healthcare already take HIPAA seriously. You should, too. You may not have been audited yet, but that doesn’t mean you won’t be, and a breach will trigger scrutiny whether or not an audit was scheduled. A $50,000 HIPAA fine could make the difference in your business staying afloat another year.

HIPAA compliance is critical for many organizations. Set policies and procedures. Put in place security awareness training. Start using encryption, and assess for risks.

Be proactive with your IT management. By working with IT experts, you can stay on top of HIPAA and remain compliant. A managed services provider can assess risk, identify improvement areas, and propose new technology.

Call us at 319-227-7000 to get your IT and access management policies in healthy shape.

February 11th, 2020 | Compliance

What is a Firewall, and Why Does It Matter?


Hearing “firewall” in the context of computing can be confusing. In a building, a firewall is a fire-resistant wall that stops a blaze in one section from spreading to the next. How does that apply to computers?

Think of the fire as an attacker. A hacker is motivated to get at your data and will try everything to bypass your security and get inside your network perimeter. In a business office, computers and printers are networked together so that Jane in accounting and Kevin in graphic design can use the same business tools. Once an attacker is inside that network, they can move from one machine to the next just as a fire moves from room to room.

In computing, a firewall sits between that internal network and the internet outside. It’s also a bit like a nightclub bouncer: you want it burly and strict about who it lets in. The firewall reduces or blocks unwanted traffic before it reaches your systems.

The Packet Filtering Firewall Approach

Your firewall can be hardware, software, or both. A packet-filtering firewall monitors and controls network traffic by checking each unit of data (a “packet”) against a list of predetermined rules. It does not look inside the packet for threats; it looks at the header fields: source and destination IP address, protocol (TCP, UDP, ICMP), and source and destination port. If a packet matches an allow rule, it continues to its destination; if it matches a deny rule, or matches nothing at all, a well-configured firewall drops it. That last part matters: the default should be to deny, so that anything you forgot to think about is blocked rather than let through.

Firewalls stop certain software from sending and receiving data to and from the internet. This reduces the number of entry points for viruses or illegitimate traffic. After all, a club wouldn’t want to hire the bouncers to cover seven different doors.

A firewall also monitors outgoing traffic. Why’s that? Because an infected computer in your network could be sending data out. If your company has fallen victim to malware that turns a computer into a bot, that computer will be “phoning home.”

Unlike E.T. trying to get back to the safety of his home planet, the malware is checking in with the attacker’s command-and-control server to fetch instructions, upload stolen data, or join attacks on other victims. Outbound (egress) rules that only allow the ports and destinations your business actually needs can cut that channel off.

Firewalls can help blunt denial-of-service (DoS) attacks by dropping traffic that matches no allowed service. In a distributed denial-of-service (DDoS) attack, thousands of computers are used to send an overwhelming amount of traffic to a network. It’s like putting 10,000 people in an elevator with an occupancy limit of 20: expect a crash. One caveat: a firewall can only discard packets that have already arrived, so if the flood is large enough to saturate your internet link, you will need help from your ISP or a DDoS mitigation service upstream.

One famous 2016 attack, a DDoS against the DNS provider Dyn launched from the Mirai botnet of compromised cameras and routers, seriously disrupted Amazon, Visa, PayPal, Netflix, Airbnb, and more.

Other Types of Firewalls

Packet-filtering firewalls aren’t your only option. Stateful inspection makes firewalls smarter by giving them memory. A stateful firewall keeps a table of the connections it has already approved (source and destination address and port, and for TCP, where in the handshake the connection is). When a new packet arrives, it first checks whether the packet belongs to a connection in that table; only genuinely new connections are checked against the rule list. That lets you allow replies to connections your staff opened without writing a permissive inbound rule, and it lets the firewall drop stray packets that claim to be part of a conversation it never saw start. Newer “next-generation” firewalls go a step further and look at which application the traffic belongs to, not just the port.
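To make the difference between the packet-filtering rules described above and stateful inspection concrete, here is a small Python simulation added for this post. It is not code from the original article or from any firewall product. It sends the same four constructed packets through a strict stateless rule table, a “naive” stateless table with the inbound hole admins often add so web replies get back in, and a stateful filter that reuses the strict rules but remembers approved connections. Hosts, ports, and rules are assumptions made up for the demo; the IP addresses come from the documentation ranges.

```python
"""Toy packet filter: stateless rules vs stateful connection tracking.

Added teaching example, not from the original post or any real firewall.
Hosts, ports and rule tables are constructed for the demo.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    direction: str      # "in": internet -> office LAN, "out": LAN -> internet
    proto: str          # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    syn: bool = False   # TCP SYN without ACK: first packet of a new connection


# Stateless rule table: (direction, proto, src_port, dst_port, action).
# None means "any". Evaluated top to bottom, first match wins, default deny.
STRICT_RULES = [
    ("in",  "tcp", None, 443, "allow"),   # customers reaching our web server
    ("out", "tcp", None, 443, "allow"),   # staff browsing HTTPS sites
    ("out", "udp", None, 53,  "allow"),   # DNS lookups
]

# The "fix" people reach for so that web replies get back in: allow any
# inbound TCP packet whose SOURCE port is 443. An attacker can set their
# source port to 443 too, so this opens every internal port to them.
NAIVE_RULES = STRICT_RULES + [("in", "tcp", 443, None, "allow")]


def stateless_decide(pkt, rules):
    """Match on header fields only; no memory of earlier packets."""
    for direction, proto, sport, dport, action in rules:
        if (pkt.direction == direction and pkt.proto == proto
                and sport in (None, pkt.src_port)
                and dport in (None, pkt.dst_port)):
            return action
    return "deny"                          # default deny


class StatefulFirewall:
    """Consult the rule table only for NEW connections and remember the
    ones it approves, so reply packets pass without a permissive rule."""

    def __init__(self, rules):
        self.rules = rules
        self.conns = set()   # approved 5-tuples, initiator -> responder order

    def decide(self, pkt):
        fwd = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        rev = (pkt.proto, pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        if fwd in self.conns or rev in self.conns:
            return "allow"                 # ESTABLISHED: part of a known flow
        if pkt.proto == "tcp" and not pkt.syn:
            return "deny"                  # mid-stream packet for unknown flow
        action = stateless_decide(pkt, self.rules)
        if action == "allow":
            self.conns.add(fwd)            # NEW connection is now tracked
        return action


def run_demo():
    """Run the same constructed traffic through all three filters."""
    lan_pc, web, attacker = "10.0.0.5", "203.0.113.10", "198.51.100.7"
    traffic = {
        # staff PC opens HTTPS to a website, then the site replies
        "browse_out":   Packet("out", "tcp", lan_pc, 51000, web, 443, syn=True),
        "browse_reply": Packet("in", "tcp", web, 443, lan_pc, 51000),
        # attacker using source port 443 to probe Remote Desktop on the PC
        "rdp_probe":    Packet("in", "tcp", attacker, 443, lan_pc, 3389, syn=True),
        # infected PC "phoning home" to an IRC-style control port
        "phone_home":   Packet("out", "tcp", lan_pc, 40000, attacker, 6667, syn=True),
    }
    strict, naive, stateful = {}, {}, {}
    fw = StatefulFirewall(STRICT_RULES)
    for name, pkt in traffic.items():
        strict[name] = stateless_decide(pkt, STRICT_RULES)
        naive[name] = stateless_decide(pkt, NAIVE_RULES)
        stateful[name] = fw.decide(pkt)
    return {"strict": strict, "naive": naive, "stateful": stateful}


if __name__ == "__main__":
    for fw_name, results in run_demo().items():
        print(fw_name, results)
```

The strict stateless table blocks the attacker and the phone-home attempt, but it also drops the website’s legitimate reply, because nothing says “inbound TCP to port 51000 is fine.” The naive table fixes the reply and lets the attacker straight through to Remote Desktop. Only the stateful filter gets all four right: it allows the reply because it saw the staff PC start that connection, and it still rejects the probe and the outbound command-and-control traffic because neither matches a rule for new connections. Real firewalls (nftables, pf, or a vendor appliance) implement the same idea with an `established` or `state` match, with timeouts on the connection table and far more protocol detail.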

When setting up any firewall, it is important to avoid unintentional openings. A hole in a chain-link fence renders perimeter security useless, and a hole in a firewall leaves your network just as exposed. Start from a default-deny policy, add only the rules a business need justifies, avoid “temporary” any-to-any rules that never get removed, and review the rule set periodically, since a rule that was safe last year may not be now.

Need help deciding on the right type of firewall for your business? Want to be sure your firewalls are going to withstand attack?

Our experts can help set up and test your firewalls. Contact us today at 319-227-7000!

November 19th, 2019 | Compliance, Networking, Ransomware, Security

4 Common Compliance Issues You Might Be Missing


Information security is on every business’s radar these days. Data drives so much of what we do. Looking to contain the risks, many sectors have established IT compliance regulations. Whether meeting a standard or not, don’t overlook these common areas of concern surrounding compliance issues.

Governments and regulatory agencies have established compliance standards for the financial, legal, healthcare, and energy sectors. Other organizations abide by best practices for data protection and improving system security. Whether mandated or not, the goals remain similar:

  • Improve security protocols.
  • Identify vulnerabilities.
  • Prevent breaches.
  • Reduce losses.
  • Increase access control.
  • Educate employees.
  • Maintain customer trust.

Shortcomings can mean compliance concerns, industry fines, customer churn, and brand reputation damage. Being proactive about these four common issues can benefit companies in any industry sector.

Common Issues that Thwart Compliance

The first issue is Bring Your Own Device (BYOD). Companies with BYOD policies save an estimated $350 annually per employee, according to Cisco, but cost savings aren’t the only reason organizations are embracing BYOD. Letting people use personal mobile devices at work improves productivity and engages employees.

Yet allowing BYOD in the work environment can make the organization more vulnerable. There is greater risk of:

  • the spread of malicious applications or viruses;
  • employees accessing business materials over unsecured Wi-Fi;
  • people who have left the company continuing to have access to proprietary systems.

None of these are good from a compliance point of view.

Personal portable devices may not have the same access controls as business computers, which makes them more vulnerable if lost or stolen.

This brings us to a second common compliance concern: physical security. A business may do a great job of securing its devices on-site. It has firewalls, patches security regularly, and asks employees to update passwords, but what happens if a laptop, mobile phone, or USB drive is stolen or lost?

All devices accessing business systems and networks from off-site should use encryption. With remote monitoring and management, IT staff can control security configurations regardless of the end-user environment. Mobile device management allows your IT team to secure, locate, or erase any mobile device used for business.

Counting on Others for Compliance

Another area of concern is third-party connections. Your business may be top of the class on the five core functions of the NIST Cybersecurity Framework (Identify, Protect, Detect, Respond, and Recover), but what if your vendor’s security isn’t up to the same standard?

Do you have business partners that store your sensitive data? Does a supplier have access to personally identifying customer or employee information? Third-party risk is a real thing; ask Target. Cyber-criminals stole data for 40 million debit and credit cards after first stealing network credentials from the retailer’s HVAC contractor and using that vendor’s access to get into Target’s systems.

Cyber-criminals could use a third party’s lax security to target you. Make sure that your vendors are taking cyber-security as seriously as you do.

Even in your own business environment, cut the number of people who have access to sensitive data. Obviously, you’ve hired people you think you can trust, but you can still better ward off the insider cyber-security threat by:

  • educating employees about the importance of strong passwords, securing devices, and physical security;
  • informing people about social engineering (e.g. phishing emails or fraudulent business communications);
  • limiting each person’s access to data, networks, or systems to what their job actually requires (least privilege);
  • having a policy to revoke access permissions and reclaim devices from any employee leaving the company.

Ensuring compliance takes technological know-how and awareness of the evolving threat landscape. This vigilance, communication, and education require time and effort. Put the right policies and procedures in place with our help.

Contact us today to talk about your compliance issues at 319-227-7000!

October 15th, 2019 | Compliance