Web/Tech

August 2020 Security Reminder Notice

3lp
HSGLogoR
 
 
Note: For HIPAA Survival Guide with Expresso clients, this Security Reminder will be stored in your DOCS / Products / HIPAA Tools folder.
 
 
 
 
"Forrester, a leading global research and advisory firm, recently analyzed the emerging cybersecurity risk ratings solutions market.
 
The free 2020 Forrester report delivers critical insights for CISO's and third-party risk teams on how and why cybersecurity risk rating solutions can fit into their security programs."
 
 
 
 
"video surveillance component consists of around 700 different Siqura cameras, working with VDG Sense video management software and storage from TKH Security,” Anwer said. “The iProtect access control system, also from TKH Security, manages around 400 doors with card and pin authentication. [The] iProtect security management system is able to flawlessly fulfill the set of complex requirements demanded by this client."
 
 
 
 
"The pervasive impact of Internet of Things (IoT) devices on our lives is greater than that of traditional IT devices. There are several unknowns in IoT security, and it raises concerns for customers who are looking to incorporate IoT devices in their existing infrastructure. Fortunately, security by design can resolve some of the major root causes of the underlying vulnerabilities in these connected devices.
 
In acknowledgement of the challenges discussed above, an internal NIST report IR8228 entitled Considerations for Managing IoT Cybersecurity and Privacy Risks indicates that educating IoT device customers plays an important role and that they should be aware of the cybersecurity risks and mitigation plans for IoT devices. This report also points to the requirement of creating robust communication channels between the manufacturer and the customer, specifically regarding cybersecurity features and expectations for security controls."
 
 
 
 
"The unprecedented hacking of celebrity Twitter accounts this month was caused by human error and a spear-phishing attack on Twitter employees, the company has confirmed.
 
Spear-phishing is a targeted attack designed to trick people into handing out information such as passwords.
Twitter said its staff were targeted through their phones.
The successful attempt let attackers tweet from celebrity accounts and access their private direct messages.
 
The accounts of Microsoft founder Bill Gates, Democratic presidential hopeful Joe Biden and reality star Kim Kardashian West were compromised, and shared a Bitcoin scam."
 
 
 
 
"A preliminary settlement of a class action data breach lawsuit against Iowa Health System - which does business as UnityPoint Health - contains an extraordinary provision that could prove quite costly.
 
Unlike settlements in most other data breach class action lawsuits, this one does not contain a "global cap" on the total amount of claims to be paid to victims.
 
Under the terms of the proposed settlement, UnityPoint will provide one year of comprehensive credit monitoring and ID theft protection services with a retail value of about $200 per settlement class member."
 
 
 
 
"On March 15, 2020, the CDC announced gatherings of 50 or more people be canceled for the next eight weeks, marking a pivotal point in the 2019 Novel Coronavirus. The CDC needed to make a strong recommendation to limit the spread of the virus, and on this day, there were 3,000 cases in the US, and airports were in chaos due to new screenings.
 
With our daily livelihoods changing right before our eyes, bad actors online started to see this chaos as an opportunity. SlashNext Threat Intelligence researchers identified that in the days which followed, we saw a +3000% increase in COVID-19 themed Phishing URLs. With no sign of slowing down, thousands of new phishing pages are launched hourly to steal personal information, corporate data exfiltration, and credit card fraud."
 
 
 
 
 
The coronavirus pandemic has put many things on hold, but CCPA enforcement is not one of them. The California Attorney General’s enforcement authority kicked in on July 1, 2020, and companies reportedly have begun to receive notices of alleged violation. In addition, several class actions have brought CCPA claims. Although final regulations to implement the CCPA have yet to be approved, compliance cannot wait.
 
If you’re not yet on the road to CCPA compliance (or would like a refresher), this webinar is for you. We covered:
  • Latest CCPA developments
  • Compliance strategies
  • Potential changes to the CCPA if the California Privacy Rights Act (CPRA) ballot initiative passes
 
Anyone who has not begun their CCPA compliance efforts or thinks they need a refresher should watch this webinar.
To view the presentation slides, click here.
To view the webinar recording, click here."
 
Nudge: The Federal government is reviewing what HIPAA will require for a new Privacy Rule Risk Assessment. Note that in anticipation of expected Federal Privacy regulations, we have developed a Privacy Rule Risk Assessment for Expresso.
 
 
 
 
"TikTok has long presented a parenting problem, as millions of Americans raising preteens and teenagers distracted by its viral videos can attest. But when the C.I.A. was asked recently to assess whether it was also a national security problem, the answer that came back was highly equivocal."
 
 
 
"Data breaches are a hot topic and will undoubtedly get even hotter. Cybersecurity for your own enterprise isn’t enough — you must evaluate your vendors and determine if they’re prepared to resist cyberattacks. 
 
The increase in data breaches has only led to more regulatory scrutiny. Regulatory focus on third-party vendors was already increasing after the 2008 financial crisis, but has reached a fever pitch in recent years. New data privacy laws often make companies liable for the mistakes of their vendors, even as businesses are relying on outsourcing more and more. So this reliance on vendors, suppliers and subcontractors means increased liability."
 
 
Nudge: Take a look at our new Business Partner Vetting Portal in Expresso. It will save time and money with a paperless method to obtain valid assurances from potential Business Partners. Contact us at [email protected] for a preview.
 
 
 
 
"Enforcement of Maine’s landmark online privacy law, which bans internet service providers from collecting and selling customers’ personal data without their permission, began this month after clearing a major legal hurdle in July.
Still, state officials can not provide a clear picture of what will happen to providers in Maine if they don’t comply.
 
The law dictates that internet providers must gather express, affirmative consent from customers before collecting any of their identifying data, such as location, browsing history or device identification. Providers also must give customers “clear, conspicuous and non-deceptive notice” of their rights at the point of sale, and are not allowed to offer promotions to customers who choose to give consent to have their data collected or refuse service to those who do not."
 
 
 
 
"The ransomware threat landscape worsened in several significant ways through 2019 and into the current year, according to BakerHostetler’s 2020 Data Security Incident Response Report. Average demands increased more than tenfold and all industry segments saw growth in attack frequency, with stark increases seen by education and government entities.
 
Several threat actor groups began exfiltrating sensitive data from victims as an additional means to extort a payment, the report noted.
The average ransom paid in 2018 was $28,920 and the largest payment $250,000. But that figure jumped to $302,539 the following year and the largest payment was $5.6 million, the latest report stated.
 
A tip to avoid this: require vendors to implement multifactor authentication to access an environment."

Posted at 09:59 AM in Accountable Care Organizations, Current Affairs, Health IT, HITECH / HIPAA, Information Technology for Healthcare (EHR/EMR), Internet Resources, Web/Tech | | Comments (0)

HSG WEBINAR June 2019

 
 
Lessons for HIPAA Self-Audits
  
Webinar TitleHIPAA Self-Audits 
 
Description: This webinar will walk you through a proposed self-audit process so that you can prevent willful-neglect when (not if) an HHS audit comes your way.
 
Date:  June 20, 2019
Time:  2:00 - 3:30 p.m. EST

 
 
The Self-Audit Process

Introduction
 
Are you ready for a HIPAA Audit? Covered entities and business associates are under potential threat of an audit by the HHS' Office for Civil Rights (OCR). The cost of compliance is steep in terms of capital and budget investment. The alternative is civil monetary penalties for noncompliance. Take a look at the "Wall of Shame" and see for yourself.
 
The scope of an HHS/OCR HIPAA audit generally does not extend beyond the Privacy, Security, and Breach Notification Rules. HIPAA Risk Assessments and Self-Audits can be performed periodically (every year) or when operational needs change in the organization. Results of an HHS or OCR audit may indicate types of corrective actions that are recommended or mandatory. However, should an audit indicate a serious compliance issue, OCR may initiate a compliance review to further investigate. 
 
The Security Rule standard requires the following (Standard: Evaluation. Perform a periodic technical and nontechnical evaluation, based initially upon the standards implemented under this rule and, subsequently, in response to environmental or operational changes affecting the security of electronically protected health information, that establishes the extent to which a covered entity's or business associate's security policies and procedures meet the requirements of this subpart.).
 
What is a Self-Audit?
 
HIPAA self-audits provide a preview of the policies, procedures, standards, and practices of a Covered Entity ("CE") or Business Associate ("BA"). CEs and BAs include individual and organizational providers of health services; health plans of all sizes and functions; health care clearinghouses; and a variety of business associates of these entities. Self-Audits prepare organizations to avoid the "bad day" when (not if) a HIPAA audit arrives due to a Breach.
 
Self-Auditing involves an independent assessment of a CE or BA's organizational activities and records. There are many reasons to conduct a self-audit including: examination preparedness for an OCR Audit, identification of vulnerabilities (lack of HIPAA specifications and controls) and benchmarking against practices. A self-audit can also be a learning experience for Compliance Officers and with each audit, knowledge and skills improve.
The audit process begins with a Risk Assessment where vulnerabilities (lack of HIPAA controls) and risks from threats exploiting vulnerabilities identify areas to remediate. Risk Remediation comes next where activities are taken to fill gaps in HIPAA policies, procedures, and implementation standards. Self-Audits review information within the Risk Assessment and Remediation materials to identify areas that need change.
A best practice for Risk Assessment evaluation and remediation is to identify critical individuals to participate not only in the Risk Assessment, but also the auditing and risk remediation process. These individuals should come from different areas of the organization (i.e., personnel, network, and legislative/HIPAA compliance). A great tool to guide the process is our Security, Privacy Rule, and Cloud, Social Media and Mobile device Checklists.
This begs the question, what do we mean by a checklist, and more specifically in this context, a legal/compliance checklist? The short answer is that checklists are ways to "attack" a problem or issue. Checklists have been widely adopted across industries (e.g. aviation) and are now becoming quite acclaimed in the practice of medicine. The publication of The Checklist Manifesto: How to Get Things Right by Atul Gawande (general surgeon at the Brigham and Women's Hospital in Boston, a staff writer for The New Yorker, and an assistant professor at Harvard Medical School) has led to widespread interest in checklists in healthcare.
Conclusion
 
Your HIPAA Compliance Initiative will continue to grow and evolve over time. The law will change. Your operational environment will change. You will have staff turnover. Your organization will be bought. Your organization will merge with other organizations. For all these reasons and many more, your organization's self-audit program should be kept evergreen. If you let it stagnate and gather dust it will quickly lose its value. It's a trite, overused expression, but nonetheless continues to convey a significant truth: "the only constant is change."
 
Although HHS/OCR has suspended its formal audit program, you can be sure of one thing, when (not if) you have a significant breach then an HHS audit will follow. If you have stuck your proverbial "head in the sand" then it is likely that willful neglect violations will be found-those are the ones that start at $50K per violation. OUCH! You can purchase insurance (e.g. our Subscription Plan) to prevent this eventuality but many covered entities and business associates rather remain blissfully uninformed; believing that breaches are bad things that happen to other organizations.
 
 

Posted at 02:54 PM in HITECH / HIPAA, Web/Tech, Webinars | | Comments (0)

HIPAA Stuck on Stupid Webinar

TitleStuck on StupidHow to Eliminate 95% of HIPAA Liability while being less than Thirty Percent (30%) Compliant.

Description: This webinar focuses on providing the C-Suite and compliance officers a strategy for eliminating a significant portion of HIPAA liability despite the fact that your organization may be less than 30% compliant. All organizations, both large and small, must make strategic decisions as to what to attack first with limited compliance budgets and staff.
 
Date:  March 21, 2019
Time2:00 - 3:30 p.m. EST

 

Posted at 09:18 AM in Current Affairs, Health IT, HITECH / HIPAA, Web/Tech, Webinars | | Comments (0)

HIPAA Survival Guide February Webinar

HIPAA Survival Guide® Webinar

Title: The Importance of having a Single Version of the Truth

Description: Many people claim that the amount of paperwork required for HIPAA is voluminous. This webinar will cover a proposed taxonomy that will enable you to organize the visible, demonstrable evidence required to prove compliance at the granularity level of a requirement.

Date: February 21, 2019

Time: 2:00 - 3:30 p.m. EST

Register here for the February Webinar

Please note that some attendees have experienced difficulty in obtaining their Certificate of Attendance due to the requirement for Adobe Flash Plug-In. If you experience difficulty, please forward the email with the link to dleyv[email protected] and your Certificate will be mailed back.

Posted at 02:46 PM in HITECH / HIPAA, Web/Tech, Webinars | | Comments (0)

HIPAA Survival Guide August 2018 Newsletter

 
 

  Register here for the FREE HIPAA Survival Guide Newsletter

  
 
Does your staff have sufficient HIPAA training?
 
 
Determining the amount of adequate training is not an easy question because the answer is highly dependent on the individual and the organization. Individuals often claim that vendor training provides only the problems, but not the solutions. That is a missed opportunity because if you know the problem and don't have an adequate answer, you're likely to be faced with difficulty responding and potentially encounter an Incident, Breach, or unauthorized disclosure of Protected Health Information ("PHI"). In this article, we describe aspects of what may be considered "good training" and what kind of training we make available so that you can compare across vendors.
 
You need answers! In our view, if you do not succeed in establishing compliance literacy in your workforce, you are likely going to have an occasional bad day, not to mention being out of compliance with the HIPAA regulations for training and associated documentation. As expressly stated in HHS' Audit Protocol, policies and procedures that have been adopted and activated by covered entities and business associates to meet selected standards are reviewed to determine an organization's implementation specifications of the Privacy, Security, and Breach Notification Rules. Training, by the way, is one of the Privacy Rule Regulations. 

If you are audited, one of the things that will be reviewed is your training documentation. Yes, seems this is a small item compared to your Risk Assessment and other Compliance efforts. However, Covered Entities ("CE") and Business Associates ("BA") must train all members of their workforce regarding PHI as it applies and as necessary to perform their jobs. Compliance with Privacy Rule regulation 164.530(b) requires policies and procedures for training and to document which staff member was trained on what topic and when.
 
From a practical standpoint, when it comes to training, it's not enough to have an understanding of the regulations, but also training should provide the ability to evaluate responses to a variety of situations where PHI may be at risk. Training that provides hypothetical risk situations related to HIPAA regulations that prevent incidents or breaches and/or a Quiz regarding knowledge obtained is a component of quality education.
 
But is HIPAA a top priority for a CEO's average day? Probably not, unless there is an Incident or a Breach. The same is likely true for other executives in your organization. Aside from the regulation requirement, this is a VERY good reason why a named Compliance Officer should be in each Covered Entity and Business Associate's organization. A Compliance Officer has the responsibility to ensure that policies and procedures are being followed by the workforce to avoid non-compliance. And yes, the Compliance Officer ensures policies for training and the visible, demonstrable evidence for same.
 
So, how much training is really needed? For the purpose of this article, we will use the HIPAA Training Products contained within our Subscription Plan as training recommendation topics for different categories of workforce members. Again, remember our principal premise is that all workforce members need to become HIPAA literate since you have the 800-pound gorilla of Breach Notification staring you in the face.
 
Training for Clinicians
Not all staff members need to attend or be educated for every HIPAA training module. We recommend three (3) training sessions for clinicians as listed below:
Why do we recommend specific training for clinicians? Well, I can say as a Registered Nurse, clinicians do not need to understand every aspect of the regulations. What they need to know is how to respond to various threats to PHI or situations where compliance action is required. They need an awareness and a basic understanding of Security, Privacy, and Breach Notification regulations that will enable prevention of risks while managing situations when HIPAA rules are tested. 
 
A particular item of importance is knowing WHO to call when a situation arises. The same is true for Business Associates. You might be surprised at the number of times I have randomly asked clinicians the name of their HIPAA Compliance Officer and they did not know. That's a recipe for a bad day! Try this yourself next time you visit your doctor. Ask the receptionist or the nurse, or any other clinician or workforce member you encounter if they know the name of their Compliance Officer. By the way, this is generally true of organizations both large and small, even those that regularly train their employees.
 
Foundational Training for Other Staff
The following list of training modules is recommended for other workforce members, including the executive management team. 
I have been asked if there is a HIPAA LITE for Business Associates, and the answer is No! Business Associates need to be as aware of the regulations as Covered Entities if they are "touching PHI." That said, we also provide specialized training for Business Associates in situations where their needs differ from Covered Entities (see below).
 
Specific Training for Compliance Officers
In addition to the training above, compliance officers should consider taking the following training classes to obtain their certification. We offer a HIPAA Certified Professional ("HCP") certification after taking an exam that covers material from the training modules listed below.
 
 
Certification Training Modules
3.    Audit
7.    Documentation* 
8.    HITECH Act
9.    Omnibus Rule
 
We also recommend that Compliance Officers take advantage of our pre-recorded four-part training series entitled: "Surviving a HIPAA Audit." Subscribers may log in to the Compliance Hub Member website to:
For some, the amount of information may be overwhelming, but just like HIPAA, you bite off a piece of the elephant one at a time.
 
Specialty Workforce Training
Finally, we recommend that staff who are responsible for items in the list below, and Compliance Officers and/or Executive Officers become knowledgeable on the following topics:
  1. Training for workforce members that are designated as "point persons" for the Patient's Bill of Rights; these are sections 164.520 through 164.528 of the Privacy Rule. 
    • The regulations require that individuals "sign off" on certain processes pertaining to providing access to a patient's PHI; 
    • Helping a patient amend their PHI; 
    • Distributing the notice of privacy practices, etc.
  2. Training for individuals that handle Privacy Rule requests for authorizations, restrictions, etc.
  3. Training for personnel assigned the responsibility of tracking security incidents.
  4. Training for information technology personnel that are required to audit information systems containing PHI.
  5. Training for personnel that are assigned the responsibility for disposing of PHI.
This is not an exhaustive list. The "final" list of training will depend on your operational environment, the size and complexity of your organization, and the resources you have available, etc. One thing is certain, look for training that provides answers, not just a description of the problems.
 
 
HOW TO COMPLY WITH HIPAA
 

At 3Lions Publishing, Inc. our mission is to provide clients with:

  • Premium Compliance Products,
  • Education,
  • Free Monthly Webinars
  • Newsletter Articles on HIPAA and regulatory topics, as well as 
  • "High Touch" LIVE assistance with Products for Risk Assessment and Remediation
We do NOT charge extra for compliance support like many of our competitors, the cost for your LIVE assistance is included in your Subscription purchase. 

A full 360-degree circle of Risk Assessment and Remediation products are provided in 3Lions Publishing Inc.'s 
 
The Subscription Plan includes  Expresso®the Risk Assessment "SaaS" based software, over 30+ compliance and remediation products, and training videos that help Covered Entities and Business Associates understand how to implement the necessary Controls to be in compliance with HIPAA regulations. Our LIVE "High Touch" Assistance helps you "get it done" fast!
 
Our many Training products describe various aspects of the regulations as well as demonstrations of how to use Expresso and associated compliance tools. As part of the Subscription Plan, we also provide certification for clients seeking designation as a HIPAA Certified Professional ("HCP").
 
A "Crosswalk" between Expresso Risks and Remediation tools provides easy access to model policies, procedures and tracking mechanisms for compliance. 
 
FREE Monthly newsletters and webinars provide education on topics of regulatory concern. Missed one? Webinars and articles are posted to the HIPAA Survival Guide Store Website for future reference.
 
So, why are we sharing this information in our Newsletter? Education, Education, Education. Stay tuned not only for Product updates but also for new capabilities and value offered to our elite group of clients. Save time and money with our high quality, bargain Subscription Plan! 
 
Or, take advantage of our FREE 15 day trial of Expresso to complete your Risk Assessment
 
 
Questions? Please call or write using the contact information below.
 
Email:     [email protected]
Phone:   (800) 516-7903    
 
 
HIPAA Help
 
 
What is the new LinkedIn GDPR Survival Guide?
What is the HIPAA Survival Guide® Subscription Plan and what does it include?
HIPAA Requirements for Cloud, Social Media, and Mobile including Policies and Procedures
HIPAA Requirements for Breach Notification including Policies and Procedures
HIPAA Requirements for a  Business Associate Agreement including the essential terms of the agreement
How to prepare for a HIPAA Security Rule Audit  
How to prepare for a HIPAA Privacy Rule Audit  
How to prepare for a HIPAA Breach Notification Audit  
How to prepare for a HIPAA Risk Assessment Audit  
 
For HIPAA Help send us an Email at [email protected]
 

 
Included in the HIPAA Survival Guide® Subscription Plan 
 
 
Protect Your Practice and Your Business
 
 
Click Here for HIPAA Survival Guide® Subscription Plan Testimonials

Take advantage of our Heartbeat™ and Pulse™ offerings with The HIPAA Survival Guide® Subscription Plan With Expresso®
 
 
 
 
 

Posted at 07:33 PM in Health Reform, HITECH / HIPAA, Information Technology for Healthcare (EHR/EMR), Web/Tech, Weblogs | | Comments (0)

EXPRESSO® Compliance Video

CLICK HERE TO WATCH THE EXPRESSO® COMPLIANCE EQUATION VIDEO. 

This short video provides an explanation of how EXPRESSO® uses its Compliance Equation to perform a HIPAA Risk Assessment. In addition, the video describes HIPAA Survival Guide products, education, and tools that you can customize and use in your organization. 

 One of the key HIPAA Survival Guide tools are our Scorecards that not only provide descriptions of HIPAA Implementation Specifications or Controls, but also point you to HIPAA Survival Guide Remediation products, which provide customizable examples of proposed organizational policies, processes, tracking mechanisms and an assortment of compliance tools and education for covered entities and business associates.

Scorecards based on specific requirements are the only way to measure the progress of your compliance initiative (i.e. by definition, if you are in compliance with all the requirements of a regulatory regime then you are in compliance).EXPRESSO® and the HIPAA Survival Guide works in tandem to guide your efforts in becoming HIPAA Compliant. 

ScorecardPlease note that we offer a  15-DAY FREE TEST DRIVE of EXPRESSO®! Why not give it a try?  Just click on the link below! 

Expresso® 15-day FREE Test Drive

To try EXPRESSO®, just click on the above link and fill out your contact information. Our Customer Service Staff will set up your Free 15 Day EXPRESSO® Test Drive and arrange a "Go To Meeting" session to review how you can do your HIPAA Risk Assessment in 3 hours or less. 

EXPRESSO® is an easy to use Risk Assessment software that allows you to detect risks, threats, security objects, and vulnerabilities to PHI and identify impacts and assign controls at a glance!  It allows you to do a Baseline Risk Assessment in 3 Hours or less!   

Our "Quick Start Guide" gets you off and running to complete your first Risk Assessment. EXPRESSO® comes pre-­populated with all the Risks, Threats, Vulnerabilities and Impacts necessary to a complete a Baseline Risk Assessment.

 

 

With Expresso® You Can: 

1) Perform a Baseline Risk Assessment in a matter of hours, 

2) Bulk import Security Objects: people, places, assets, processes to apply Security Controls,

3) Track the results of the Controls applied, and 

4) Retain instances of past Risk Assessments for reporting or audit purposes. 

If you have any questions, you may reach me at [email protected]

 

Posted at 10:13 AM in Health IT, HITECH / HIPAA, Internet Resources, Web/Tech | | Comments (0)

WannaCry Webinar Re-Broadcast

Chris Saah CEO of TecFac (Technology Facilitators) joined Carlos Leyva and the team for a discussion of the recent the ransomware attack and how to prevent ransomware from penetrating your organization in addition to discussing HHS' methodology implications. 
 
Download the webinar, slides and fact sheet:
 

Looking for a simplified way to keep up with HIPAA?  For a limited time, we are making available our "Showing HHS Visible, Demonstrable, Evidence" webinar when you sign up for our FREE monthly newsletterHSG2

Posted at 03:23 PM in Current Affairs, Health IT, Healthcare, HITECH / HIPAA, Web/Tech | | Comments (0)

Tags: HIPAA, ransomware

Search

Healthcare Blogroll

Categories

Analytics

CC