Category Archives: HIPAA Privacy Rule

Office 365 Empowers a School to Take a Different Approach

LaSalle Consulting Partners, Inc. introduces a thought-provoking customer story from Microsoft. In this video, we focus on how advanced digital tools from Microsoft help Broadclyst School drive the future by supporting its students on the leading edge of learning. Without any extra funding, Broadclyst manages to provide devices for each child and create learning spaces that teach them skills they’ll need in life. Union Building Trades Training Centers could utilize many of the same technologies to support their training programs.

Contact us to learn how Office 365 and Microsoft tools can create a solid foundation for your organization’s future.


Technology Security Alert: The Importance of Multi-Factor Authentication

 

Dear Client or Business Associate:

Cyber criminals have started creating genuine-looking phishing emails that bypass email spam filters. As a result, some users are clicking links within the phishing emails and providing their email credentials to unauthorized hackers. Once the hackers gain access to an email account, they can retrieve any valuable information from it. They may also impersonate the user by sending emails to the user’s contacts in the hope of gaining valuable information from those unsuspecting contacts.

For those of you who use Microsoft’s Office 365 for email, we highly recommend that you implement an available feature called multi-factor authentication to help prevent unauthorized access to your email account. Multi-factor authentication is a two-step verification process whereby email users receive a code via text message or a phone call that they enter when logging into Outlook to access their mail.

This two-step verification process prevents cyber criminals from gaining access to users’ email accounts even if they have obtained login credentials through phishing emails as described above. This is especially important for users who have Office 365 administrative privileges, since their credentials can provide access to all user accounts in the organization. It is also crucial if you have regulatory requirements related to security and privacy, such as HIPAA.

Please contact LaSalle Consulting Partners by email, or call us at 312-361-3326 if you have questions, concerns, or would like to learn more about implementing multi-factor authentication.

LaSalle Consulting Partners, Inc.

200 W Madison St | STE 940 | Chicago, IL 60606

312.361.3326
www.lpartnersinc.com


Windows Server 2003 – Upcoming HIPAA Security Concern

Healthcare security breaches have, in recent years, resulted in costly penalties to covered entities. Data security threats that can lead to these breaches originate from many sources. A new source will be born on July 14, 2015.

As of July 14, 2015, Microsoft will end support for the Windows Server 2003 operating system. Microsoft and security experts are cautioning that Windows Server 2003 users will face increased security risks as a result of this change, largely due to the lack of new security updates. Windows Server 2003 will be significantly more susceptible to attacks, as criminals will have free rein to exploit vulnerabilities in the operating system without response from Microsoft in the form of security updates or technical content updates.

As in the past, users who handle electronic personal health information (ePHI) face a greater risk than others. A single personal health record is now worth more on the black market than a credit card number, social security number, and date-of-birth combined.

With strict enforcement of the HIPAA and HITECH Acts, and increased computer hacker interest in ePHI, it is increasingly necessary for covered entities to be confident in their ability to secure the data from threats. Microsoft’s decision to end support for Windows Server 2003 will make Windows Server 2003 users who handle ePHI an even greater target for criminals attempting to exploit new vulnerabilities in the operating system that will no longer be patched.

LaSalle Consulting Partners, Inc. recommends that Fund administrators upgrade or replace any existing Windows Server 2003 devices that have access to ePHI prior to July 14 in order to avoid exposure to potential security threats inherent to Windows Server 2003.

HIPAA Permanent Audit Program: the Pre-Audit Survey

The Office for Civil Rights (OCR) is mandated to conduct periodic audits to assess the compliance of covered entities and business associates with the HIPAA Privacy, Security, and Breach Notification Rules. On February 20, 2014, the Department of Health and Human Services announced plans to use a Pre-Audit Survey form to gather information in an effort to assess the size, complexity, and fitness of an entity for an audit. Below is a summary of the announcement.

  • The Office for Civil Rights (OCR) will be sending the survey to as many as 1,200 HIPAA covered entities and business associates to determine suitability for an audit, as part of the much-anticipated permanent HIPAA audit program. Approximately two-thirds of the surveys will be completed by HIPAA Covered Entities and the remainder by Business Associates. Information will be gathered to evaluate the “fitness of a respondent for an audit.”
  • The OCR is required to conduct audits to ensure the compliance of covered entities and business associates with the HIPAA Privacy, Security, and Breach Notification Rules. By acquiring information through the Pre-Audit Survey, the OCR will attempt to determine which organizations may benefit from their audit.
  • The survey will take approximately 30-60 minutes. Organizations will need to install software prior to the survey. In response to this requirement, and other time constraints placed on organizations by issuance of the permanent HIPAA audit, the OCR has released the following Burden Statement:

“Burden in this context means the time expended by persons to generate, maintain, retain, disclose or provide the information requested. This includes the time needed to review instructions, to develop, acquire, install and utilize technology and systems for the purpose of collecting, validating and verifying information, processing and maintaining information, and disclosing and providing information, to train personnel and to be able to respond to a collection of information, to search data sources, to complete and review the collection of information, and to transmit or otherwise disclose the information.”

Organizations must be prepared for the Pre-Audit Survey. Preparations will entail certain actions (for instance, installing the necessary software), but another significant aspect of preparedness is becoming knowledgeable on OCR mandates and keeping up-to-date with information concerning the permanent HIPAA audit program that will begin soon.

Other possible preparations include, but are not limited to, performing an independent Risk Assessment (a less understood mandate of the OCR), forming policies and procedures to protect ePHI and/or respond to a data breach, and drafting Business Associate Agreements with clients and Business Associates (in the case of HIPAA Covered Entities). For the full announcement, please visit the Federal Register. Please contact LaSalle Consulting Partners for more information on the upcoming Pre-Audit Survey.

Source: https://federalregister.gov/a/2014-03830
