HIPAA Part 2: Policies for Your Technology

It is vital for HIPAA compliant organizations to implement internal policies and procedures regarding technology.  Working with your Managed IT Services Provider or internal IT team to establish best practices can save your business from HIPAA compliance issues.  It is critical that employees know what to do when a disaster hits your organization, and "disaster" here includes everyday incidents, not only Mother Nature.  Examples of such incidents include malware or ransomware infecting your systems, an employee falling for an email phishing attack, or a lost laptop, to name a few.  Keep in mind that attackers keep changing their techniques to stay ahead of current defenses.  A new form of malware can appear at any time; the more you educate yourself and your employees and the more consistently you apply established best practices, the less likely you are to suffer an intrusion.

Ransomware

Ransomware is a form of malware that takes over your system and files.  When it hits, it locks you out of your files by encrypting them, and the criminals behind it demand a payment for the decryption key.  Paying does not guarantee that you get the key, or that the key works.  If protected health information (PHI) is on the affected system, you cannot access it until the files are recovered, and you have to assume the attackers may also have copied it.  Note that HHS guidance treats a ransomware infection that encrypts electronic PHI as a presumed breach unless you can demonstrate a low probability that the PHI was compromised, so the incident has HIPAA breach-notification consequences even if no data was visibly stolen.

Ransomware comes in different forms, one of the most recent being "Locky."  It invades your systems, encrypts your files so that only the criminals hold the decryption key, and renames each file to carry the extension .locky.  Regardless of the form, your systems and files are compromised.  The practical safeguards are the same for every variant: keep patched systems and current anti-malware, train employees not to open unexpected attachments, and keep backups that an infected machine cannot reach, since offline or otherwise isolated backups are the only recovery path that does not depend on paying.

Phishing Schemes

Phishing schemes come in multiple forms; the headline variant of 2016 is the "whaling attack."  Ordinary phishing is sent to anyone and everyone, whereas whaling is aimed at senior executives, who have access to the most valuable information within a business or organization.  These attacks typically use a carefully crafted email that appears to come from another company executive or a trusted business partner, often asking for a wire transfer or sensitive records.

The spear "phisher" thrives on everything there is to know about you.  They research job titles, partner information, company background, LinkedIn accounts and personal social media to craft emails you are likely to open.  Employees must know what these emails look like and what the impact on your organization can be.  In Part 1 of this 2-part HIPAA posting, I referenced the Anthem breach, where employees fell for a phishing scheme and took the bait, hook, line and sinker.  That led to the largest healthcare data breach to date, affecting roughly 79 million records.

Mobile Device Management

Reflect back to the NFL breach also referenced in Part 1.  That incident was caused by a stolen computer.  Do you have a plan in place if someone loses their laptop?  What about their iPhone, iPad or Android device?  Your company information may be out there and you may not even know it.  A Mobile Device Management (MDM) solution helps contain these losses by remotely "wiping" the device once it is reported lost.  Two caveats: a remote wipe only takes effect when the device next connects to a network, and it does nothing for data that was copied off before then.  The control that protects the data from the moment the device goes missing is full-device encryption with a PIN or passcode, and under HHS guidance the loss of a device whose PHI is properly encrypted is not a reportable breach of unsecured PHI.

When a device is lost, do you have a protocol for employees to follow?  If they lose a device on a Friday and do not inform your organization until Monday, your business is exposed for 2-3 days.  An MDM solution is only as good as the communication within your organization, so the reporting procedure, including who to call after hours, belongs in the written policy.

USB Policy

Many people work from home without secure remote access, or share documents, diagrams, etc., via a USB drive.  What if your home computer is infected with malware and you do not know it?  If you copy files onto a USB drive at home and plug it into your work computer, you have just put your company files and critical data at risk, and you have also bypassed every email and perimeter control your organization has in place.

Your Managed IT Services Provider or internal IT staff can work with you to create a policy that prevents the use of USB drives on employee systems, and to enforce it technically rather than relying on the written rule alone.  No matter how many policies and procedures you put in place internally, the same protective measures are not typically present on a computer outside of your network.  It is not worth jeopardizing the safety of your data because of how a home computer is used.
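As an added illustration of what "enforcing the policy technically" looks like on a Windows endpoint, the script below is example code, not part of the original post and not TNS Group tooling.  It disables the USB mass-storage driver (USBSTOR) by setting its start type to 4 (Disabled) and sets the local equivalent of the Group Policy setting "All Removable Storage classes: Deny all access", then verifies both values.  The registry paths and value names are the standard Windows ones; the function names are this example's own.  In a domain, the same settings would normally be pushed by Group Policy rather than by running a script on each machine.

```powershell
# Added example (not from the original post): block removable storage on a
# Windows endpoint and verify the result.  Run in an elevated PowerShell session.

$UsbStorKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
$PolicyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'

function Disable-RemovableStorage {
    # Start = 4 (Disabled) stops Windows from loading the USB mass-storage
    # driver, so newly inserted USB disks are never mounted.  Keyboards, mice
    # and other non-storage USB devices keep working.
    Set-ItemProperty -Path $UsbStorKey -Name 'Start' -Value 4 -Type DWord

    # Deny_All = 1 is the registry form of the Group Policy setting
    # "All Removable Storage classes: Deny all access".  It also covers
    # devices that do not use USBSTOR, such as phones exposed as media devices.
    if (-not (Test-Path $PolicyKey)) {
        New-Item -Path $PolicyKey -Force | Out-Null
    }
    Set-ItemProperty -Path $PolicyKey -Name 'Deny_All' -Value 1 -Type DWord
}

function Test-RemovableStorageDisabled {
    # Returns $true only when both controls are in place.
    $start = (Get-ItemProperty -Path $UsbStorKey -Name 'Start').Start
    $deny  = (Get-ItemProperty -Path $PolicyKey -Name 'Deny_All' `
              -ErrorAction SilentlyContinue).Deny_All
    return ($start -eq 4 -and $deny -eq 1)
}

Disable-RemovableStorage
if (Test-RemovableStorageDisabled) {
    Write-Output 'Removable storage is blocked on this system.'
} else {
    Write-Warning 'Removable storage block was not applied; check permissions.'
}
```

To re-enable storage for an approved exception, set Start back to 3 (manual start) and Deny_All to 0.  Note that this blocks storage devices only; a malicious device that presents itself as a keyboard is not stopped by these settings, which is one reason the written policy and employee awareness still matter alongside the technical control.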

At The TNS Group, we understand the complexities of technology support as it relates to the healthcare industry, and to organizations outside that industry that must comply with HIPAA.  Contact us today to learn how we work collaboratively with our clients and business partners to establish best practices and keep them working effectively towards maintaining compliance.