Category Archives: HIPAA Security Rule

Office 365 Empowers a School to Take a Different Approach

LaSalle Consulting Partners, Inc. introduces a thought-provoking customer story from Microsoft. In this video, we focus on how advanced digital tools from Microsoft help Broadclyst School drive the future by supporting its students on the leading edge of learning. Without any extra funding, Broadclyst manages to provide devices for each child and create learning spaces that teach them skills they’ll need in life. Union Building Trades Training Centers could utilize many of the same technologies to support their training programs.

Contact us to learn how Office 365 and Microsoft tools can create a solid foundation for your organization’s future.

Download: Office 365 Empowers a School to Take a Different Approach

Technology Security Alert: The Importance of Multi-Factor Authentication


Dear Client or Business Associate:

Cyber criminals have started creating genuine-looking phishing emails that bypass email spam filters. As a result, some users are clicking links within the phishing emails and providing their email credentials to unauthorized hackers. Once they gain access to the email account, they can retrieve any valuable information it contains. They may also impersonate the user by sending emails to the user's contacts in the hope of obtaining valuable information from those unsuspecting contacts.

For those of you who utilize Microsoft's Office 365 for email, we highly recommend that you implement an available feature called multi-factor authentication to help prevent unauthorized access to your email account. Multi-factor authentication is a two-step verification process whereby email users receive a code via text message or a phone call that they enter, in addition to their password, when logging into Outlook to access their mail.

This two-step verification process prevents cyber criminals from gaining access to users' email accounts even if they have obtained login credentials through phishing emails as described above. This is especially important for users that have Office 365 administrative privileges, since their credentials can provide access to all user accounts in the organization. It is also crucial if you have regulatory requirements related to security and privacy, such as HIPAA.
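The two-step check the alert describes, as an added Python example that is not LaSalle Consulting Partners' or Microsoft's code. It uses an RFC 4226/6238 one-time code derived from a per-user secret as a stand-in for the code Office 365 delivers by text message or phone call; the account name, password and secret are constructed for the demo. The point it makes is the one in the alert: a password stolen by phishing is rejected on its own, and a code cannot be replayed once used.

```python
"""Two-step verification: a password alone is not enough to log in."""
import hashlib
import hmac
import secrets
import struct
from dataclasses import dataclass
from typing import Optional

CODE_STEP_SECONDS = 30   # each one-time code is valid for one 30-second window
CODE_DIGITS = 6
DRIFT_STEPS = 1          # also accept the previous window, to tolerate clock skew


@dataclass
class Account:
    username: str
    salt: bytes
    password_hash: bytes
    mfa_secret: bytes             # shared only with the user's second-factor channel
    last_used_counter: int = -1   # highest window already consumed (codes are single-use)


def hash_password(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2 so a stolen credential store is not directly usable.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def hotp(secret: bytes, counter: int, digits: int = CODE_DIGITS) -> str:
    # RFC 4226: HMAC-SHA1 over the big-endian counter, then dynamic truncation.
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    number = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(number % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: float) -> str:
    # RFC 6238: the counter is the current 30-second window.
    return hotp(secret, int(now // CODE_STEP_SECONDS))


def enroll(username: str, password: str, mfa_secret: Optional[bytes] = None) -> Account:
    salt = secrets.token_bytes(16)
    return Account(username, salt, hash_password(password, salt),
                   mfa_secret or secrets.token_bytes(20))


def login(acct: Account, password: str, code: Optional[str], now: float) -> str:
    # Step 1: the password (the thing a phishing email can steal).
    if not hmac.compare_digest(hash_password(password, acct.salt), acct.password_hash):
        return "denied: bad password"
    # Step 2: the one-time code, delivered out of band; the phisher has no copy of it.
    if code is None:
        return "denied: second factor required"
    current = int(now // CODE_STEP_SECONDS)
    for window in range(current, current - DRIFT_STEPS - 1, -1):
        if hmac.compare_digest(hotp(acct.mfa_secret, window), code):
            if window <= acct.last_used_counter:
                return "denied: code already used"   # replay of a consumed code
            acct.last_used_counter = window
            return "ok"
    return "denied: bad code"


if __name__ == "__main__":
    # Constructed demo account; in practice the secret never leaves the server.
    demo_secret = b"constructed-demo-secret"
    user = enroll("jsmith", "Winter2015!", demo_secret)
    t = 1_000_000.0
    print(login(user, "Winter2015!", None, t))                   # password alone fails
    print(login(user, "Winter2015!", totp(demo_secret, t), t))   # password + code succeeds
    print(login(user, "Winter2015!", totp(demo_secret, t), t))   # replayed code fails
```

The code check is performed only after the password check succeeds, compares with `hmac.compare_digest` to avoid timing leaks, and records the last consumed window so that a code captured in transit cannot be reused even inside its validity period.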

Please contact LaSalle Consulting Partners by email, or call us at 312-361-3326 if you have questions, concerns, or would like to learn more about implementing multi-factor authentication.

LaSalle Consulting Partners, Inc.

200 W Madison St | STE 940 | Chicago, IL 60606

312.361.3326
www.lpartnersinc.com


Windows Server 2003 – Upcoming HIPAA Security Concern

Healthcare security breaches have, in recent years, resulted in costly penalties to covered entities. Data security threats that can lead to these breaches originate from many sources. A new source will be born on July 14, 2015.

As of July 14, 2015, Microsoft will end support for the Windows Server 2003 operating system. Microsoft and security experts are cautioning that Windows Server 2003 users will face increased security risks as a result of this change, largely due to the lack of new security updates. Windows Server 2003 will be significantly more susceptible to attacks, as criminals will have free rein to exploit vulnerabilities in the operating system without any response from Microsoft in the form of security updates or technical content updates.

As in the past, users who handle electronic personal health information (ePHI) face a greater risk than others. A single personal health record is now worth more on the black market than a credit card number, social security number, and date of birth combined.

With strict enforcement of the HIPAA and HITECH Acts, and increased computer hacker interest in ePHI, it is increasingly necessary for covered entities to be confident in their ability to secure the data from threats. Microsoft’s decision to end support for Windows Server 2003 will make those Windows 2003 users handling ePHI an even greater target for criminals attempting to exploit the operating system’s potential new, unprecedented vulnerabilities.

LaSalle Consulting Partners, Inc. recommends that Fund administrators upgrade or replace any existing Windows Server 2003 devices that have access to ePHI prior to July 14 in order to avoid exposure to potential security threats inherent to Windows Server 2003.

The Need for Risk Assessment of Peripheral Devices

LaSalle Consulting Partners continues to emphasize the importance of security and risk assessment in the workplace, particularly for HIPAA covered entities and business associates. One of the areas we have seen overlooked in risk assessment is the peripheral devices that exist on a computer network. Peripheral devices are devices on your network other than your computers and servers. These include devices such as printers, multi-function copiers, scanners, tablets, and mobile phones. If any of these devices are used to store or process sensitive information, and contain a hard drive or other form of memory, then your organization may be vulnerable to a security breach.

The HIPAA Security Rule risk analysis implementation specification at 45 CFR §164.308(a)(1)(ii)(A) mandates that organizations identify and assess exposures that may compromise the confidential nature of ePHI. Failure to protect confidential ePHI can result in hefty penalties and other legal action.

Affinity Health Plan, Inc. paid federal regulators a settlement amounting to $1.2 million after it returned copy machines to a leasing company, unknowingly releasing the ePHI of over 300,000 individuals contained on the machines' hard drives. The breach was discovered by CBS Evening News, which purchased the copy machines as part of an investigation after Affinity Health Plan had returned them to the leasing company. While the incident was the first HIPAA settlement involving copiers, it may not be the last.

We recommend subjecting peripheral devices to a risk analysis. This precaution can assist in avoiding the legal and financial consequences of violating HIPAA regulations. Please contact LaSalle Consulting Partners for more information on the risk assessment of peripheral devices.


HIPAA Security Rule and Home Workers

The number of staff that work from home has continued to increase at benefit fund offices, as it has at many other organizations. While this can be beneficial for both the Fund office and the remote worker, it also poses HIPAA related security concerns. Lack of security in the home computer environment can lead to a fund office network breach and/or unauthorized access to electronic personal health information ("ePHI").
Without proper policies and security in place the following can occur:

  • Lack of a firewall or an improperly configured DSL or cable modem could allow unauthorized access by a hacker to the home worker's computer. Once the hacker has gained access to the computer, they could possibly use the connection to access the fund office network.
  • Depending on the security in effect, it may be difficult to prevent a home worker from copying files from the fund office network to the home worker's PC. If there is any possibility of this happening, the home worker's computer should be encrypted in the same way as the PCs at the fund office. This would help prevent unauthorized access to ePHI if the computer were to be stolen.
  • Lack of sufficient and up-to-date Microsoft security patches could allow unauthorized access by a hacker to a home worker's computer. Once the hacker has gained access to the computer, they could possibly use the connection to access the Fund office network.

These are just a few examples of potential security issues that can occur. Only through proper policies, staff training and technical safeguards can these threats be kept to a minimum. We recommend that HIPAA covered entities establish the same policies for home computers as they do for computers located at the fund office premises. Click here for a document by the Department of Health & Human Services which provides additional guidance to HIPAA covered entities that provide remote access to ePHI.

LaSalle Consulting Partners can help you develop and implement policies that help safeguard ePHI. Please contact me at 312-361-3313 if we can be of help.


HIPAA Permanent Audit Program: the Pre-Audit Survey

The Office for Civil Rights (OCR) is mandated to conduct periodic audits to assess the compliance of covered entities and business associates with the HIPAA Privacy, Security, and Breach Notification Rules. On February 20, 2014 the Department of Health and Human Services announced plans to utilize a Pre-Audit Survey form to gather information in an effort to assess the size, complexity and fitness of an entity for an audit. Below is a summary of the announcement.

  • The Office for Civil Rights (OCR) will be sending the survey to as many as 1,200 HIPAA covered entities and business associates to determine suitability for an audit, as part of the much anticipated permanent HIPAA audit program. Approximately two-thirds of that survey will be completed by HIPAA Covered Entities and the remainder, Business Associates. Information will be gathered to evaluate the “fitness of a respondent for an audit.”
  • The OCR is required to conduct audits to ensure the compliance of covered entities and business associates with the HIPAA Privacy, Security, and Breach Notification Rules. By acquiring information through the Pre-Audit Survey, the OCR will attempt to determine which organizations may benefit from their audit.
  • The survey will take approximately 30-60 minutes. Organizations will need to install software prior to the survey. In response to this requirement, and other time constraints placed on organizations by issuance of the permanent HIPAA audit, the OCR has released the following Burden Statement:

“Burden in this context means the time expended by persons to generate, maintain, retain, disclose or provide the information requested. This includes the time needed to review instructions, to develop, acquire, install and utilize technology and systems for the purpose of collecting, validating and verifying information, processing and maintaining information, and disclosing and providing information, to train personnel and to be able to respond to a collection of information, to search data sources, to complete and review the collection of information, and to transmit or otherwise disclose the information.”

Organizations must be prepared for the Pre-Audit Survey. Preparations will entail certain actions (for instance, installing the necessary software), but another significant aspect of preparedness is becoming knowledgeable on OCR mandates and keeping up-to-date with information concerning the permanent HIPAA audit program that will begin soon.

Other possible preparations include, but are not limited to, performing an independent Risk Assessment (a less understood mandate of the OCR), forming policies and procedures to protect ePHI and/or respond to a data breach, and drafting Business Associate Agreements with clients and Business Associates (in the case of HIPAA Covered Entities). For the full announcement, please visit the Federal Register. Please contact LaSalle Consulting Partners for more information on the upcoming Pre-Audit Survey.

Source: https://federalregister.gov/a/2014-03830


The HIPAA Security Rule and Necessity of Risk Assessment

Though most would agree that risk analysis is an important consideration for any organization, HIPAA covered entities are required to conduct such risk assessment to ensure compliance with the HIPAA Security Rule. The Security Rule states that covered entities, organizations responsible for the transmission of e-PHI, must "Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the organization" (§ 164.308(a)(1)(ii)(A)).

While the necessity of risk assessment is certain, the Security Rule does not specify the frequency with which assessment must occur. Instead, the Rule addresses the breadth of analysis which must be conducted. The Rule indicates some considerations for analysis which include (but are not limited to) e-PHI within the organization, external sources of e-PHI, and potential threats to information systems that contain e-PHI. The Security Rule recognizes, however, that risk assessment cannot be standardized due to each organization’s unique relationship with e-PHI.

Listed below are the “Elements of a Risk Analysis”, provided by the U.S. Department of Health & Human Services. The list is intended to aid covered entities in implementing risk analysis methodologies that will best suit their needs.

  1. Scope of the Analysis
  2. Data Collection
  3. Identify and Document Potential Threats and Vulnerabilities
  4. Assess Current Security Measures
  5. Determine the Potential Impact of Threat Occurrence
  6. Determine the Level of Risk
  7. Finalize Documentation
  8. Periodic Review and Updates to the Risk Assessment
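A worked risk register that follows elements 1 through 7 of the list above, applied to the peripheral devices discussed in "The Need for Risk Assessment of Peripheral Devices" (copiers, printers, phones) alongside a server. This is an added Python example, not LaSalle Consulting Partners' methodology or an HHS tool; the asset inventory, the threat catalogue, the control names and the 1-to-3 likelihood and impact scales are all constructed for illustration. What it shows is how a leased copier with a hard drive and no wipe-on-disposal control scores as high a risk as an unpatched server, which is the Affinity Health Plan lesson in numbers.

```python
"""Risk register for a HIPAA risk analysis that includes peripheral devices."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set

LEVEL = {"low": 1, "medium": 2, "high": 3}          # constructed 1..3 scale
PORTABLE = {"laptop", "tablet", "phone"}
RUNS_OS = {"server", "workstation", "laptop", "tablet", "phone", "copier", "printer"}


@dataclass
class Asset:                      # element 1 (scope) and 2 (data collection)
    name: str
    kind: str
    stores_ephi: bool             # device stores or processes ePHI
    has_storage: bool             # hard drive or other non-volatile memory
    controls: Set[str]            # element 4: safeguards already in place


@dataclass
class Finding:                    # element 7: documented, ranked risk
    asset: str
    threat: str
    likelihood: str
    impact: str
    score: int
    level: str
    missing_control: str


# Element 3: threat catalogue (constructed). Each row is the threat, the control
# that mitigates it, and a function giving the likelihood for an asset, or None
# when the threat does not apply to that kind of device.
THREAT_CATALOGUE: List[tuple] = [
    ("ePHI recovered from storage after lease return or disposal", "wipe_on_disposal",
     lambda a: "high" if a.has_storage else None),
    ("Theft or loss of the device exposes readable storage", "encryption",
     lambda a: ("high" if a.kind in PORTABLE else "medium") if a.has_storage else None),
    ("Exploitation of unpatched operating system or firmware", "patched",
     lambda a: "high" if a.kind in RUNS_OS else None),
    ("Unauthorized network access to the device", "firewall",
     lambda a: "medium"),
]


def risk_level(score: int) -> str:
    # Element 6: likelihood x impact on the 1..3 scale; 1-2 low, 3-4 medium, 6-9 high.
    return "high" if score >= 6 else "medium" if score >= 3 else "low"


def assess(assets: List[Asset]) -> List[Finding]:
    findings: List[Finding] = []
    for a in assets:
        impact = "high" if a.stores_ephi else "low"     # element 5: impact follows the data
        for threat, control, likelihood_of in THREAT_CATALOGUE:
            likelihood = likelihood_of(a)
            if likelihood is None or control in a.controls:
                continue                                 # not applicable, or already mitigated
            score = LEVEL[likelihood] * LEVEL[impact]
            findings.append(Finding(a.name, threat, likelihood, impact,
                                    score, risk_level(score), control))
    findings.sort(key=lambda f: (-f.score, f.asset))     # highest risk first
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    counts = {"high": 0, "medium": 0, "low": 0}
    for f in findings:
        counts[f.level] += 1
    return counts


# Constructed inventory: note that the copier is a peripheral, not a computer.
SAMPLE_ASSETS = [
    Asset("claims-copier-01", "copier", True, True, {"firewall"}),
    Asset("file-server-01", "server", True, True,
          {"encryption", "patched", "firewall", "wipe_on_disposal"}),
    Asset("lobby-printer-01", "printer", False, True, set()),
    Asset("staff-phone-07", "phone", True, True, {"encryption", "wipe_on_disposal", "patched"}),
]

if __name__ == "__main__":
    register = assess(SAMPLE_ASSETS)
    for f in register:
        print(f"{f.level:6} {f.score}  {f.asset:18} {f.threat}  (add: {f.missing_control})")
    print(summarize(register))
```

Running the register periodically against an updated inventory (element 8) is what turns this from a one-time document into an ongoing risk analysis; the `controls` set is where remediation progress is recorded.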

LaSalle Consulting Partners, Inc. is familiar with several organizations that can assist with Risk Assessments. We can help in selecting the best firm to suit your needs. We can also help you prepare for an assessment and remediate any technology related risks that are identified during an assessment. Please contact Frank Zurek at frank.zurek@lpartnersinc.com or call 312-361-3313 for further information.
