Friday, September 25, 2015

Episode 20: It's The People, People


Show Notes

When it comes to securing anything, the weakest link in the chain is always people. People are the ones who make mistakes and over-share, and people are also the criminals. This episode talks about what people can manage to do, so you have to think about all kinds of things outside the norm.

University of Pittsburgh MC BA breach after being hacked the year before. An employee of the billing service's call center copied personal information from the billing system; information on 2,259 patients was then passed on to a third party. Notification that it had happened came from the FBI. Last year UPMC was hacked and employee information was taken for all 62,000 employees. Over 800 employees reported ID theft.

Oakwood Healthcare worker fired for HIPAA-violating Facebook comments. She was terminated after posting disparaging comments about a patient on her Facebook page. She worked at a hospital that had to treat a suspect in a police shooting, and her posts expressed her disgust at having to treat him. It is still a violation.

Roanoke, Va. Carilion Clinic - 14 employees admitted snooping. Found by random log reviews. Previously, they only checked access on patients where a big news story was happening.
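The Carilion case is a detection problem: snooping only shows up if someone actually reviews the access logs, and reviewing only high-profile patients misses most of it. The following is an added example (not from the episode) that runs a simple "treatment relationship" check over a few constructed EHR audit-log lines and compares a full review with a high-profile-only review; the log format, user names, patient IDs and care-team table are all made up for the illustration.

```python
import re

# Constructed EHR audit-log lines (not real data): timestamp, user, patient, action.
SAMPLE_LOG = """\
2015-09-20T08:01:12 user=rn_adams patient=P1001 action=view_chart
2015-09-20T08:03:40 user=dr_baker patient=P1001 action=update_chart
2015-09-20T09:15:02 user=clerk_cole patient=P2002 action=view_chart
2015-09-20T09:16:30 user=clerk_cole patient=P2003 action=view_chart
2015-09-20T09:17:05 user=clerk_cole patient=P2004 action=view_chart
2015-09-20T11:42:51 user=rn_adams patient=P3003 action=view_chart
"""

# Constructed treatment relationships: which staff are on each patient's care team.
CARE_TEAM = {
    "P1001": {"rn_adams", "dr_baker"},
    "P2002": {"dr_baker"},
    "P2003": {"dr_baker"},
    "P2004": {"dr_baker"},
    "P3003": {"dr_baker"},
}

# Patients currently in the news; the "old" review process only looked at these.
HIGH_PROFILE = {"P3003"}

LINE_RE = re.compile(r"^(\S+) user=(\S+) patient=(\S+) action=(\S+)$")


def parse_log(text):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, user, patient, action = m.groups()
            events.append({"ts": ts, "user": user, "patient": patient, "action": action})
    return events


def flag_snooping(events, care_team, patients=None):
    """Return (user, patient, ts) for every access by staff with no treatment relationship.

    If `patients` is given, only those patients are reviewed (the high-profile-only approach);
    otherwise every access in the log is checked (the random/full review approach).
    """
    flagged = []
    for e in events:
        if patients is not None and e["patient"] not in patients:
            continue
        if e["user"] not in care_team.get(e["patient"], set()):
            flagged.append((e["user"], e["patient"], e["ts"]))
    return flagged
```

Run on the sample, the full review flags four accesses (three by the clerk and one by the nurse), while the high-profile-only review flags just the one access to the patient in the news.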

Physician Suffers Second 2015 Data Breach. A break-in in January required breach notification to 350 patients. In a second break-in in March the thieves took computers and patient charts. The computers were not encrypted and held patient information OTHER THAN THE LETTERS to the 350 patients, so this time the total number of patients involved is 1,342. At this point they hired a security guard, who stopped a third break-in. The doctor is moving the office to a new town. Encryption could have saved a lot here; increased security after the first break-in would be the most obvious requirement. That is a simple decision that was just not made. Now over 4 times the number of patients are involved.

Doctor convicted of illegally accessing medical records. A doctor who was having an affair looked at his mistress's medical records to see if she had STDs. He pleaded guilty in federal court and kept his license but must be monitored.

Final Note

Medical is years and years behind other industries on security requirements, and criminals are figuring that out. Plus, those that are way ahead are getting breached too, like Home Depot, Target, and more. In all those cases there was a person somewhere involved in the process; in some cases several people made mistakes or took the wrong action.


Check out the latest episode!

Friday, September 18, 2015

Episode 19: "I am vulnerable, too" said your smartphone


Mobile devices are vulnerable just like your network, servers, laptops, and desktops. Your risk analysis should include checking on any types of messages, pictures, or access to your data that can be done from your smartphones. Even if you don't put PHI on them, they may still be usable against you in some way to crack your network and get at your PHI.

Patches

  • Android updates, and know your version of Android
    • A factory wipe leaves some data behind on old Android versions
  • iOS updates, and know your version
  • Windows Phone has a very small market share, but it is worth a mention

Encryption

  • Android
    • Option to encrypt this device
    • Lock screen setting to wipe the device after X failed logins
  • iOS
    • Data protection turns on once a password is set
      • Set to wipe after X failed logins

MDM - Mobile Device Management

  • What is it?
  • What can you do with it?

BYOD - Bring Your Own Device

  • Set rules to follow
  • Check for software updates
  • Don't let kids play with the phone
  • MDM?

Backup

If you lose the phone or it dies, will you lose important things? Figure out a backup plan, but make sure it is properly secured too.

Unsecured WiFi and Bluetooth

  • Try not to use them unless necessary
  • Bluetooth can be used to connect to your phone from within 30 feet
  • A personal WAN can be used by others to jump on your connection and use your data plan

Final Notes

Understand that this is the new frontier for hackers. Ransomware and malware for smartphones are growing quickly.



Friday, September 11, 2015

Episode 18: Email isn't secure, really, it isn't


Let's review email systems and how they can be secured for ePHI and other sensitive data.

Find Healthcare IT

HIPAA For MSPs

Kardon Compliance

Alston Article on Email Security


Notes

Leigh from Florida sent us an email asking us to explain some more specifics about email. She had been listening to Episode 8: HIPAA Myths Part 2, which mentioned it, but she had specific questions about how email can be secured. This couldn't be covered in a quick 5 minute HIPAA answer episode, so we are doing a whole episode.

  • How does email work - explained for "real people"
    • Compare it to the post office, since that is the model it was originally designed to match
  • Why that isn't secure at all, really
  • Misconceptions
    • I use a password, so it is secure
    • I use https, so it is secure
    • I use TLS, so it is secure
    • I use updated Outlook with Hosted Exchange, so that should be secure
  • Secure email via
    • End-to-end encryption tools - each party knows the key
    • Messaging system - you get an email telling you to log in to get the secure message
    • Hosted services that allow for specific types of messaging
      • Hosted Exchange
      • Plug-in apps
    • Secured internal-only messaging systems
      • Very specific setup to secure the mail database on your internal server
      • Controls you have in place to prevent email to other domains outside the secure system (usually software is required)
      • Some systems encrypt automatically; others require you to hit a button on the mail to send it secured
  • Secure messaging systems for internal discussions that don't use email
    • A whole new way of communicating, in forums and chats instead of email
  • Texting also matters; that is a different episode, but we can touch on it here
  • A word about spear phishing - an excellent example this week from a client
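The post office comparison and the "I use TLS so it is secure" misconception come down to the same point: email moves hop by hop, and TLS protects only the wire between two servers, so each server along the way still sees the message in the clear. As an added example (not from the episode), the script below reads a message's `Received:` headers and reports, hop by hop, whether that hop was made over TLS (the `ESMTPS` / `ESMTPSA` protocol keywords, or an explicit TLS version note). The headers, host names and IDs are constructed for the illustration.

```python
import re

# Constructed headers for a message that crossed three servers (not a real message).
# Servers prepend their Received: header, so the top one is the last hop.
SAMPLE_HEADERS = """\
Received: from mx.clinic.example (mx.clinic.example [192.0.2.10])
        by mail.hospital.example with ESMTPS id abc123
        (version=TLS1_2 cipher=ECDHE-RSA-AES256-GCM-SHA384);
        Fri, 11 Sep 2015 10:02:11 -0400
Received: from relay.isp.example (relay.isp.example [198.51.100.7])
        by mx.clinic.example with ESMTP id def456;
        Fri, 11 Sep 2015 10:01:58 -0400
Received: from laptop.local (unknown [203.0.113.5])
        by relay.isp.example with ESMTPSA id ghi789;
        Fri, 11 Sep 2015 10:01:40 -0400
Subject: lab results
"""

HOP_RE = re.compile(r"from\s+(\S+).*?\bby\s+(\S+).*?\bwith\s+(\S+)", re.S)


def unfold(headers):
    """Join folded header lines (continuation lines start with whitespace)."""
    out = []
    for line in headers.splitlines():
        if line[:1] in (" ", "\t") and out:
            out[-1] += " " + line.strip()
        else:
            out.append(line)
    return out


def trace_hops(headers):
    """Return the hops in transit order as (from_host, by_host, tls_used)."""
    hops = []
    for h in unfold(headers):
        if not h.lower().startswith("received:"):
            continue
        m = HOP_RE.search(h)
        if not m:
            continue
        src, dst, proto = m.groups()
        # ESMTPS / ESMTPSA mean this hop ran over TLS; plain ESMTP was cleartext on the wire.
        tls = proto.upper().startswith("ESMTPS") or "TLS" in h.upper()
        hops.append((src, dst, tls))
    return list(reversed(hops))  # reverse the prepended headers to get transit order


def transport_fully_encrypted(headers):
    """True only if every hop used TLS; even then each server handled the plaintext."""
    hops = trace_hops(headers)
    return bool(hops) and all(tls for _, _, tls in hops)
```

On the sample, the first and last hops were over TLS but the middle one was not, so the message crossed one link in the clear; and even with every hop encrypted, only end-to-end encryption (where the parties hold the key) keeps the servers themselves from reading it.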



Friday, September 4, 2015

Episode 17: Compliance Management with ComplyAssistant


Links

ComplyAssistant

FindHealthcareIT

HIPAAforMSPS.com

Kardon Compliance

Notes

  • Who is Gerry Blass?
    • Been in healthcare for the long ride
    • Consultant for years
    • Now a consultant and a software company
  • ComplyAssistant - when did you start development, and what was your vision for it? What kinds and sizes of clients do you have - hospitals, practices, BAs and CEs of all types?
  • ComplyAssistant features
    • Due diligence for BAs
    • Contract management
    • Incident management
    • Project management
    • Documentation, Documentation, Documentation Management
    • Whatever else Gerry wants to add
  • The importance of having a documentation and management system of some sort in place
