Boost IT

Managed IT Services, Cybersecurity, & Cloud

Healthcare

How IT is Changing the Way Healthcare Manages Big Data

July 17, 2017 by Boost IT

The healthcare industry is a great example of how we see technology changing the way big data can be managed to benefit everyone. Big data is a term that describes data sets, or large volumes of data, that we use every day but that are so complex that traditional data processing application software is inadequate to deal with them. During the last decade, we have seen huge advancements in how we use technology to generate, store, and analyze big data. Technology has helped the healthcare industry become more efficient and productive.

Using Big Data for Healthcare Prevention

With improvements in technology that make managing big data more accessible to the providers that need it, the medical profession has been able to see solutions to predict epidemics, cure disease, improve quality of life, and avoid preventable deaths. Better decisions can be made because of big data. Diseases and illnesses can be caught sooner so treatment options can begin quicker.

IT doesn’t need to start with the medical professionals anymore. There are apps that patients can use to better understand and monitor their own health. The apps collect data that can be shared with providers for more data results over a longer period. The data is easier to share between providers and others evaluating it against baseline results. This helps to draw a more accurate and comprehensive conclusion about what is going on with a patient’s health.

Going further, big data provides comparisons between patients with similarities. It can be analyzed alongside thousands of others, highlighting specific threats and issues through patterns that emerge during the comparison. A provider can compare treatments and assess options based on results from other patients who deal with similar conditions. They can see the effects of prescriptions from patients with similar situations and risk factors like age, genetics, and lifestyle.

For a more in-depth article on examples of how big data can transform the healthcare sector, read "The big-data revolution in US health care: Accelerating value and innovation" by McKinsey and Company.

One of the biggest hurdles is overcoming the silos that typically prevent big data from being shared. While it is gathered in huge numbers, it is often kept in control of the different doctors, hospitals, clinics, and administrative departments. For years, even data within the same institution was kept within the specific department and not accessible to others. However, the medical industry has been starting to recognize the problems with these silos. They are starting to create data trails using technology to link together the information that connects to the different departments and providers. This helps everyone in the overall analysis.

At Boost IT, we work with all different providers to maintain software that helps link data to multiple departments, associates, insurance companies, and others with appropriate authority so it can be shared to overcome the hurdles of silos and improve the overall health and well-being for everyone’s benefit.

Big Data in Clinical Trials

Just as big data can be used to help determine the best treatment options, it is also put back into the system for use in clinical trials. Huge amounts of data help the researchers see the patient type and characteristics that make the best candidates for their drugs.

One big breakthrough with technology and medicine is personalization – where medicines are tailored to a person’s genetic makeup – which results from comparisons alongside thousands of others. Another advancement is the use of technology to prevent epidemics by determining large areas potentially affected by disease.

A big hurdle in using big data for clinical trials is privacy and security. Extreme security safeguards must be put in place to limit accessibility so only those authorized to see the data can access it. Threats like security breaches are continuous concerns.

Boost IT has over 20 years of experience and continuous training in IT security to protect and manage big data so it remains private and secure. We understand the risks and need for staying current on cybersecurity so we can help you have the best protection against cyber threats. For more information, contact us at 404-865-1289.

Filed Under: Healthcare Tagged With: analytics, application software, big data, healthcare, Security

HIPAA Compliance Checklist

May 25, 2016 by Boost IT

HIPAA (Health Insurance Portability and Accountability Act) compliance is designed to protect patient privacy and set standards for how medical records can be shared and how they must be safeguarded. HIPAA compliance isn’t just for those directly within the healthcare industry, however. Nearly anyone dealing with electronic Protected Health Information (PHI) including doctors, hospital technicians and yes, the Managed IT Services Providers (MSPs) who manage hospital/medical office computers and networks in the cloud are required to be HIPAA compliant.

HIPAA compliance is a very serious matter. In fact, if you’re selected for an audit by the Office for Civil Rights (OCR) within the Department of Health and Human Services (HHS) and you are found to be noncompliant, you may face penalties of up to $50,000 per violation, and up to $1.5 million per year across all HIPAA violation categories. That type of penalty can severely hurt your bottom line, so ensure that you’re always HIPAA compliant. And the best way to stay compliant is with our ultimate HIPAA Compliance Checklist.

3 Core Components of the HIPAA Security Rule

Recent rule changes to HIPAA compliance mean that all Business Associates (BAs) are now subject to the requirements of the security rule, including risk analysis, implementation of security procedures, training and having a breach response plan in place. At its core, the HIPAA compliance security rule can be broken down into three distinct components:

Physical safeguards – This means physically protecting your facility and servers – locking doors, using access badges to get into secure areas, and monitoring with surveillance cameras. Most compliance experts suggest that one of the best physical safeguards you can have is simply controlling access to the PHI based on job functions.

Technical safeguards – These safeguards govern the electronic access to the PHI within the cloud networks. Key components to put on your HIPAA compliance checklist include:

  • Access control – each user requires a unique ID and password
  • Multi-factor identification – all electronic logins require multiple pieces of data to sign in, such as an auto-generated PIN
  • Encryption on everything – encryption scrambles your ePHI so that those records can only be accessed by people who hold the encryption key. This should include all data in motion, using a TLS-secured connection to access records in the cloud, and should ideally be end-to-end encryption.
  • A comprehensive backup and disaster recovery plan (BDR) – Much of HIPAA compliance is centered around security and prevention, but there is a component that includes what to do when disaster strikes. Your BDR plan should consist of disaster declarations, a detailed disaster list, data backup and alternate site guides, and a PHI recovery plan.

Administrative safeguards – This sounds like a lot of paperwork, but this type of training, process implementation and documentation is actually among the most important aspects of getting HIPAA compliance right. Recommended administrative safeguards to put on your HIPAA compliance checklist include:

  • Signing Business Associate Agreements (BAAs) with all your partners. The term Business Associates (BAs) has expanded in recent years to include anyone who transports, stores or processes PHI, any subcontractors or subcontractors under a subcontractor, no matter how far downstream from the original entity, and all third-party data and document storage companies.
  • Listing out each business associate and setting out rules for what data they have access to and what to do in case of accidental disclosure.
  • Making sure all your employees understand data security, create strong passwords, and avoid inadvertently downloading malicious software or sending sensitive data in unsecured emails.
  • Creating a process for auditing data and controlling how that data is preserved, changed or destroyed
  • Creating systems to prevent leaks
  • Reviewing all changes at least once a year

Other Considerations for Your HIPAA Compliance Checklist 

The three safeguards – physical, technical and administrative – are a great start to ensuring that you are fully HIPAA compliant, but there are always additional measures to take to really feel like you are no longer at risk of uncovering a breach during an audit.

Compliance experts suggest conducting a risk analysis in accordance with the National Institute of Standards and Technology (NIST) guidelines. The NIST produces Standard Reference Materials (SRM) that you can refer to when conducting your risk assessment.

Service-level agreements (SLAs) are also an important part of staying HIPAA compliant between you and your MSP partner. One great way to improve your SLAs is to have more precise terms, especially in offering guaranteed response times for routing changes, security threats and non-critical additions.

Finally, along with security rules, HIPAA compliance also entails several privacy rule obligations. These include having an accounting of disclosures available, keeping all PHI in a designated record set, and cooperating with all compliance investigations performed by the OCR.

HIPAA compliance is no laughing matter, and using this HIPAA compliance checklist to ensure your MSP and its partners remain fully compliant at all times is a great way to stay out of the hot spotlight of OCR audits, avoid paying hefty fines and maintain your reputation as an expert in security and compliance.

Filed Under: Cyber Security, Healthcare

6 Steps to Avoid HIPAA Fines

December 22, 2015 by Boost IT

In 2016 we will see more HIPAA audits and increased HIPAA fines. In 2015, there were 10 times more audits than in the last 10 years combined and currently 70% of healthcare organizations would fail an audit. This article in Healthcare IT News is an indication of what’s coming.

Here are the 6 Steps to avoid HIPAA fines.

Most Common Mistakes

The two most common mistakes a practice makes in becoming HIPAA compliant are:

  1. thinking that a risk analysis is enough
  2. having an insufficient set of written policies

The rules put forth by the government to comply with HIPAA laws are complex and all of them need to be addressed.

What does the HIPAA law require?

The HIPAA Privacy regulations require health care providers and their business associates to develop and follow procedures that ensure the confidentiality and security of protected health information (PHI) when it is transferred, received, handled, or shared. What does that look like?

  1. Risk Analysis (the discovery of deficiencies that a practice has with relation to the HIPAA Privacy and Security Rule),
  2. Risk Management (the remediation of the deficient items),
  3. Policies and procedures addressing each section of the Privacy and Security Rule,
  4. Vendor management (making sure proper Business Associate Agreements and assurances that the Business Associate is complying with the HIPAA Security Rule are in place)
  5. Staff attestation to each privacy and security policy, plus completion of a HIPAA 101 training course with staff attesting that they understand the basics of HIPAA

How to Avoid HIPAA Fines?

The best way to avoid being fined by an auditor is to show due diligence. What is that? It is making a good faith effort in complying with the rules, documenting all findings, and being able to show anyone your compliance plan and efforts.

Detailed HIPAA fines or penalties can be found at the American Medical Association.

The 6 Steps:

  1. You must have a risk analysis that audits you for administrative risk (policies and procedures), technical risk (how you are safeguarding the access to and protection of ePHI that resides on your systems), and physical risk (assessing how you are protecting the data within the four walls of your site or sites).
  2. You must remediate (fix) all deficiencies that were found during the risk analysis and document what you did to resolve the deficiency.
  3. You must have policies and procedures covering all aspects of HIPAA Privacy and Security and HITECH (breach notification).
  4. You must educate your staff with training and track their attestation that they understand all the new policies and procedures you have put into place to safeguard protected health information.
  5. You must identify your business associates (BA) and make sure you have up-to-date BA agreements in place. If possible, get assurances that the BA you share data with is complying with the HIPAA Security Rule.
  6. Finally, you need to create a culture of compliance in which everyone takes HIPAA and safeguarding ePHI to a different level of protection.

Contact us at 404-865-1289 if your healthcare organization needs a risk assessment or compliance support. Some information courtesy of The Compliancy Group.

Filed Under: Cyber Security, Healthcare Tagged With: HIPAA

HIPAA Compliance Assessment and Risk Analysis

October 29, 2015 by Boost IT

The HIPAA assessment can include documentation for a number of different modules.  There is a link to download a FREE HIPAA Assessment tool below.

HIPAA Policies & Procedures

The Policy and Procedures are the best practices that our industry experts have formulated to comply with the technical requirements of the HIPAA Security Rule. The policies spell out what your organization will do while the procedures detail how you will do it.

In the event of an audit, the first thing an auditor will inspect is the Policies and Procedures documentation. This is more than a suggested way of doing business. The Policies and Procedures have been carefully thought out and vetted, referencing specific code sections in the Security Rule and supported by the other reports included with the HIPAA Compliance module.

HIPAA Risk Analysis

HIPAA is a risk-based security framework and the production of a Risk Analysis is one of the primary requirements of the HIPAA Security Rule’s Administrative Safeguards. In fact, a Risk Analysis is the foundation for the entire security program.

The Risk Analysis:

  • identifies the locations of electronic Protected Health Information (ePHI),
  • identifies vulnerabilities to the security of the data and threats that might act on the vulnerabilities, and
  • estimates both the likelihood and the impact of a threat acting on a vulnerability.

The Risk Analysis helps HIPAA Covered Entities and Business Associates identify:

  1. the locations of their protected data,
  2. how the data moves within, and in and out of, the organization
  3. what protections are in place, and
  4. where there is a need for more protections

The Risk Analysis results in a list of items that must be remediated to ensure the security and confidentiality of ePHI. The value of a Risk Analysis cannot be overstated. Every major data breach enforcement of HIPAA, some with penalties over $1 million, has cited the absence of, or an ineffective, Risk Analysis as the underlying cause of the data breach. The Risk Analysis must be run or updated at least annually, and more often if anything significant changes that could affect ePHI.

In fact, HealthIT.gov provides a FREE HIPAA Risk Analysis tool you can download and run yourself.

HIPAA Risk Profile

A Risk Analysis should be done no less than once a year. However, we can create an abbreviated version of the Risk Analysis called the HIPAA Risk Profile designed to provide interim reporting in a streamlined and almost completely automated manner.

Whether performed monthly or quarterly, the Risk Profile updates the Risk Analysis and documents progress in addressing previously identified risks, and finds new ones that may have otherwise been missed and resulted in a data breach.

Other Reports

We can also complete a HIPAA Management Plan report, Evidence of HIPAA Compliance report, Disk Encryption Report, File Scan Report, and User and Computer Identification Reports.

Call Boost IT at 404-865-1289 if you want to get in compliance.  It’s easier than you think.

Filed Under: Cyber Security, Healthcare Tagged With: HIPAA

Security Breach Report 2014

March 2, 2015 by Boost IT

Breaches Doubled in 2014, Financial Losses up 34%

Cyber Attack Type By Industry
Courtesy of Verizon DBIR

The security breach report showed that security breaches doubled in 2014 and are on the rise, and it is no surprise to find that as the number of information security incidents continues to mount, so do financial losses. The 2014 Verizon Data Breach Investigations Report (DBIR) shows the highest risk threat types by industry and specific steps to prevent those incident patterns.

Cyber Security Incident Patterns
Courtesy of Verizon DBIR

The highest number of security incidents were attributed to:

  1. Web App Attacks
  2. Insider Misuse
  3. Crimeware
  4. Denial-of-Service
  5. Cyber Espionage
  6. Theft/Loss

Finance, Retail, & Professional Services were some of the most targeted industries outside of the public & information sectors.

Security Adviser, Roger A. Grimes of InfoWorld, discussed 5 main takeaways from the Verizon report if you’d like a brief summary.

Cyber Security Controls List
Courtesy of Verizon DBIR

A recently released PwC Security breach report showed that the number of detected incidents soared to a total of 42.8 million, a 48% leap over 2013. This increase comes at great cost:

  • Total security-related financial losses increased 34% over 2013.
  • Cyber security risks will never be completely eliminated.
  • Businesses must remain steadfast and agile considering there is a constantly changing security landscape.

Your company should consider implementing a 4-pronged approach to security to protect your valuable assets and proactively address the most common threats.

Some of Verizon’s recommended controls in this infographic confirm that our thinking is on target. Apply these cyber security principles to small and mid-sized businesses. The full list is in the Verizon security breach report. Boost IT released 4 Cyber Security Tips for SMBs last month if you’d like to read more about how we can secure your data and protect your business.
Filed Under: Cyber Security, Healthcare Tagged With: Denial-of-Service, Security Breach Report

How Was Anthem Hacked?

February 15, 2015 by Boost IT

And How You Protect Yourself and Your Business

It was Malware & other Tools

One malware infected computer can cripple an entire business.
Malware comes in many different forms.

I’m sure you’ve heard Anthem was hacked (Blue Cross Blue Shield), and we’ve been asked numerous times “How Was Anthem Hacked?” According to this Wall Street Journal article, “the Anthem hack relied on malware and tools that have been used almost exclusively by Chinese cyberspies, investigators said.”
SurfWatch Labs’ Adam Meyer gives his own thoughts in more technical detail in this CIO Journal article.

What Else You Should Know

Anthem was hacked because of the amount of data they have, but even if you don’t store SSNs, malware can cripple small and mid-sized businesses, too. So we wrote 4 blog posts over the past month with easy-to-implement cyber security tips. A great security strategy keeps tangible and intangible costs down, protects your clients, co-workers or patients, and provides the most reliable access to your data. Boost IT’s strategy has worked very well for the past 15 years. Not one of our clients has gotten infected with the deadly Cryptolocker ransomware.

How To Protect Yourself or Your Business

If you are an Anthem customer and need info on how to protect your identity, see Clark Howard’s ‘What You Need To Know’ Post.

Individuals and businesses of all sizes need a great security strategy, which has 4 parts. We created a post for each part. We’d love to hear your feedback so please leave comments.
Cyber Security Tips for SMBs : Part I (Anti-Malware) w/ Active Hacker Threat Map (Infographic)
Cyber Security Tips for SMBs : Part II (Firewall Solutions) w/ Cybersecurity resources for Small Business
Cyber Security Tips for SMBs : Part III (Still Need Anti-Virus?) w/ How Ransomware Spreads
Cyber Security Tips for SMBs : Part IV (Security Patches & Updates) w/ Software Names Included

Other Recent Posts:
The Value of a Hacked PC

Is Cyber Security a Social Responsibility?

We are starting to realize that a Cyber Security strategy is not only to protect yourself and your business, but it also protects other individuals and businesses. Could it be called a social responsibility, even for small and mid-sized companies?

The more people that have this information the better individuals and businesses are protected, so please forward this to anyone that might benefit, or use share links at the end of this post.

Filed Under: Cyber Security, Healthcare

© 2000–2023 · Boost IT, LLC · Coverage Area
