Monthly Archives: March 2017

Here’s Why HIPAA Doesn’t Work Without Cyber-Compliance

Medical offices of any kind already have a lot to be concerned with. Every day, these people are doing what they can to help others; sometimes, in a life or death situation. So, it’s understandable that your office may not have the time to worry about cyber security and hackers. After all, you’re way too busy helping patients, dealing with insurance companies, calling in prescriptions, and organizing paperwork to even have time to think about that.

However, that’s no excuse to neglect the need for cyber security. As a matter of fact, those who work in medical offices are held to a much higher standard: HIPAA. HIPAA laws need to be taken very seriously, and because data breaches are on the rise, now is the time to make sure you and your patients are protected. Here’s why:

In Today’s World, Everything is Digitized

Unless your doctor’s office is still in the medieval era, it’s likely that most of the day-to-day work happens on the computer. Nowadays, patients’ records are usually stored in a database of some kind that lists everything from their recent surgeries and current symptoms to their insurance information and home address.

Electronic Medical Records (EMR) or Electronic Health Records (EHR) make it very easy for medical offices to keep tabs on patients. In the past, files were handwritten and kept in overflowing cabinets. In case of an emergency, it may have been difficult for a secretary to dig out information on a patient in a hurry. Thanks to EMR, doctors can quickly find out if a patient has any allergies or what their recent medical history is.

So, while it’s great that everything is organized this way, it can put patients at risk, as well as the offices that serve them. If a medical office is not cyber-compliant, a data breach can expose all that sensitive information. For a medical office that needs to follow HIPAA laws, this could be business-ending.

There Has Been a Rise in Hacks on Medical Offices

Over the last few years, hackers have realized that there’s a lot they can benefit from by breaching a medical office. According to IBM’s Security Intelligence blog, the healthcare industry has ranked #1 in compromised records. You may recall the major breach on Anthem, Inc. that exposed nearly 80 million patient records back in 2015.

Remember, small businesses are especially vulnerable to attacks. So, if you’re a small business in the healthcare industry, your risk can be that much higher.

But, Why Would a Hacker Want This Information?

Good question. Why would a hacker want access to sensitive medical information in the first place? There’s really nothing useful for them on those forms, anyway, right?

Wrong.

Medical records, or any kind of patient record, can contain social security numbers and credit card numbers. But, beyond that, hackers can also use your private medical information against you to file fraudulent medical claims or even get access to prescription drugs. Additionally, hackers can use medical information to blackmail patients by using malware. This type of hack is known as “spear phishing,” and it’s done by referencing a patient’s sensitive information while pretending to be their employer, doctor, or someone else who would seemingly be the only person with access to that kind of information.

If You Fail to Comply, Expect a Lawsuit and/or Government Intervention

Without trying to scare you, it’s important to note that data breaches can happen to anyone. But, that’s precisely why protecting yourself is more important now than ever. If you run a medical office or any other type of business that’s required to observe HIPAA laws, then you must be cyber-compliant.

While cyber-compliance doesn’t necessarily protect you against a breach, it does protect you from a lawsuit or government action, which can almost be expected when you’re dealing with patients’ information. Hiring a validated, unbiased third party to evaluate your exposure and patch up any holes can help protect you if a hack should occur. These experts will issue you an official cyber-compliance document that demonstrates to lawyers or government officials that you took the necessary steps to protect your office and your patients.

How To Talk To IT About The Need For a Cyber Security Intervention

You’re a small business that realizes the importance of cyber security. You want to do what you can to make sure you’re protected and to prevent potential problems from happening later on. You already have an IT team, but you’re aware that IT and cyber security are very different things.

But, does your IT team know that?

Perhaps yes, perhaps no. Either way, it’s about time you had that conversation with them, discussing the need for a separate cyber security approach. Maybe you’re afraid the conversation might be a bit awkward or uncomfortable. After all, you don’t want your IT team to feel as though they’re not doing enough, or that their work is worthless. In fact, you want them to know just how important their role is when it comes to protecting your company from data breaches.

So, here are some tips on getting the conversation started.

Reveal the Facts

The IT department has a lot of responsibilities; there’s no doubt about that. They are in charge of the governance, infrastructure, and functionality of a company’s network and systems architecture. There are a lot of jobs within those categories, but none of them really includes “protecting the network from a data breach.”

Some of the information you want to include in this conversation is the facts and statistics of cyber risk. Talk about how small businesses are at the same risk of a data breach as larger companies, if not more. This is because small businesses tend to be the most vulnerable, since they sometimes ignore the need for such protection.

Worried that won’t be enough?

Then tell them how more than 50% of small companies have been hacked in the last year. Or, how the costs to repair those hacks are close to a million dollars.

Always Start with Positive Feedback

While everyone in the office is an adult, it always helps to hear the good news first, no matter how old we are. When you start having the discussion with your IT team about the need for a cyber security intervention, make sure you lay the positives on them. Let them know how much you appreciate the work they do, and be specific about what they do well. This is your chance to let them shine.

Transition Into The Need for Cyber Security

Once you’ve got the basics covered, it’s time to talk to IT about bringing in cyber security experts. Explain that the professionals you’ll bring in to help will work side by side with the IT department to make systems as secure as possible. These professionals will not be stepping on IT’s toes; rather, they will be coming together with IT to make sure your company is protected against hacks on all levels and is fulfilling its legal responsibility to its clients. IT will help implement the suggestions a cyber security expert makes on a long-term basis.

How The Key Federal Regulations of Cyber Security Keep You Safe

Part of being safe on the Internet requires both consumers and companies to follow certain standards to ensure data protection. Of course, it’s not enough to expect people to do that on their own. This is why key federal regulations of cyber security exist: to implement processes and standards that make sure everyone’s information is protected as much as possible.

Are you familiar with these federal regulations? If you’re using the Internet for work or personal activities, then you should know these.

#1: U.S. Federal Trade Commission Act

The U.S. FTC Act may not get as much attention as the others on this list, but it very well should. This act was put into effect in 1914. Without it, America wouldn’t be the country it is today. Because of this act, consumers are protected, as well as business owners.

The act states that there should be no unfair methods of competition. Additionally, it protects consumers from buying into services or products in cases where they are being misled by false advertisements. This act is the basis for all other acts in the last century and the new millennium. Nowadays, the act has been modernized to apply to the digital age, ensuring that businesses and consumers are protected online as much as they are offline.

#2: The Health Insurance Portability and Accountability Act

Also known as “HIPAA,” the Health Insurance Portability and Accountability Act helps protect patients who utilize official healthcare services. Tied into this is also the Health Information Technology for Economic and Clinical Health Act (HITECH). Both of these acts, which have been around for more than twenty years, help keep you safe when you’re at the doctor. Anything your doctor knows about you is between you and the doctor only (unless you state otherwise).

#3: The Gramm-Leach-Bliley Act

The GLBA today applies to companies that provide financial services to their clients, such as banks, securities companies, insurance companies, etc. To put it plainly, the Gramm-Leach-Bliley Act covers “Any institution engaged in the business of providing financial services to customers who maintain a credit, deposit, trust, or other financial account or relationship with the institution.”

Basically, any company that collects sensitive information about its customers needs to be held accountable if a breach leaks that information. Therefore, this act mandates that these financial institutions follow appropriate standards in order to ensure the protection and privacy of their customers.

#4: PCI DSS

Somewhat similar to the GLBA is the Payment Card Industry Data Security Standard. Though it’s not actually a law, any company that collects credit card information from its customers needs to follow certain standards in order to be cyber-compliant and protect its consumers. It helps ensure that customers who make payments via a card won’t risk getting their information hacked. Though incidents have happened in the past, the standards implemented by PCI DSS have ultimately kept thousands of businesses and their consumers safe.

#5: The Homeland Security Act and the Federal Information Security Management Act

If your organization is government-backed, then, last but not least, FISMA, which is a branch of The Homeland Security Act, applies to you. It requires that government organizations implement mandatory policies and principles to safeguard sensitive information. If government organizations don’t follow FISMA, they can be at huge risk of being hacked by one of the biggest threat actors, or by an independent hacker. It’s a matter of national security, and without this act, our country could essentially be in danger.

Watch Out for These Common Social Media Cyber Scams

Social media is one of the most important things that companies use to drive their business. It’s an amazing way to get more connected to people, have constant communication with customers, and easily implement your inbound marketing campaigns. However, with every good thing, there’s usually a downside. And, the downside to utilizing social media too much is that you can quickly fall victim to a hack.

If your company uses social media at all for business, then you must be aware of common social media cyber scams. Here they are:

When a Hacker Uses a Fake Social Media Account

Sometimes a hacker can impersonate a social media account user from a bank you use or a company you do business with. This is known as Angler Phishing.

Let’s say you go on Twitter or Facebook to get in touch with a company, either by making a tweet or a post, or sometimes even by sending a message. Something like, “Hey @appname, I need help with…” This is now public information. A hacker can then pose as a customer service agent replying to your post.

In that message, they may add a link that looks exactly like a link that would come from the app company, bank, or whoever you’ve tweeted at. If you follow that link, it becomes very easy at that point for the hacker to get all your information. The solution? A reputable business probably won’t need you to solve a problem this way. It’s always best to get in touch with someone directly from the company before making a bad mistake.

Hitting “Like” Buttons That Aren’t Really “Like” Buttons

It seems so simple, liking a post on Facebook. You do it every day, probably multiple times a day. But, when you or an employee of your business goes to like something on Facebook, there’s a chance that the like button has been hacked as a means of tricking you. You thought you were giving an individual or an organization a compliment. But, now, you’ve just downloaded malware onto your computer.

This is known as “likejacking.” It can spread like wildfire, too, because after you’ve clicked that button, it can share itself on your feed, putting your friends at risk as well.

Sneaky Subscriptions

Have you ever seen a quiz or game come up on your news feed? It looks like fun and all your friends are doing it. Plus, you’re pretty bored at the moment and any type of entertainment would be good right now. So, you decide to click the “play now” or “take the quiz” button. But, before you can start doing anything, it asks you for your phone number or email address.

Suddenly, you’ve just become a victim of a sneaky subscription social media cyber scam. You’ve been signed up for something without your consent. And, if you signed up with your cell phone number, a hefty amount has just been added to your monthly phone bill. Ouch.

A Believable Facebook Post Shared by a Friend

When something is coming from a friend you know on Facebook, it has to be trusted, right? After all, your friend would probably know that he or she has been hacked, and would do something about it. But, the fact of the matter is that hacks have gotten a lot more believable over the years. Hackers know that people are able to identify hacks much more easily than they could in the past, so they’ve adjusted their hacks accordingly.

So, when your friend shares something on Facebook that says something like, “Wow, check out this crazy video” with a link attached, DON’T click on it. Most of the time, the wording is made out to sound like your friend, and it sometimes takes a while before they even know this message is going around.

Fake Affiliate Program Promotions

You’re scrolling through a Facebook group you like and see an ad or post for an offer that sounds intriguing. An airline you like is giving away a free trip if you get 100 likes. A store you shop at is giving out a gift card if you just share their link. Does it sound too good to be true? Then it probably is. Remember, there’s no such thing as a free lunch. Don’t fall for something like this. It’s a very easy way to become a victim of a cyber scam.
