Office 365 Empowers a School to Take a Different Approach

LaSalle Consulting Partners, Inc. introduces a thought-provoking customer story from Microsoft. In this video, we focus on how advanced digital tools from Microsoft help Broadclyst School drive the future by supporting its students on the leading edge of learning. Without any extra funding, Broadclyst manages to provide devices for each child and create learning spaces that teach them skills they’ll need in life. Union Building Trades Training Centers could utilize many of the same technologies to support their training programs.

Contact us to learn how Office 365 and Microsoft tools can create a solid foundation for your organization’s future.

Download: Office 365 Empowers a School to Take a Different Approach

Technology Security Alert: The Importance of Multi-Factor Authentication


Dear Client or Business Associate:

Cyber criminals have started creating genuine-looking phishing emails that bypass email spam filters. As a result, some users click links within the phishing emails and provide their email credentials to unauthorized hackers. Once the attackers gain access to the email accounts, they can retrieve any valuable information from the account. They may also impersonate the user by sending emails to the user’s contacts in the hopes of gaining valuable information from those unsuspecting contacts.

For those of you who use Microsoft’s Office 365 for email, we highly recommend that you implement an available feature called multi-factor authentication to help prevent unauthorized access to your email account. Multi-factor authentication is a two-step verification process whereby email users receive a code via text message or a phone call that they enter when logging into Outlook to access their mail.

This two-step verification process prevents cyber criminals from gaining access to users’ email accounts even if they have obtained login credentials through phishing emails as described above. This is especially important for those users that have Office 365 administrative privileges, since their credentials can provide access to all user accounts in the organization. It is also crucial if you have regulatory requirements related to security and privacy such as HIPAA.
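As an added illustration (not part of the original newsletter and not code from Microsoft or LaSalle Consulting Partners), the PowerShell below uses Microsoft’s MSOnline module to find Office 365 Global Administrators without multi-factor authentication, turn it on for them first, and then report every other licensed user who still needs it. It assumes the MSOnline module is installed and that you sign in with an administrative account; no account names are hard-coded.

```powershell
# Added example (not from the LaSalle newsletter): audit and enable per-user
# multi-factor authentication in Office 365 with the MSOnline module.
# Assumes the MSOnline module is installed and the signed-in account is an admin.
Import-Module MSOnline
Connect-MsolService   # prompts for administrator credentials

# 1. Find every Global Administrator (MSOnline calls the role "Company
#    Administrator") who does not yet have MFA. Admin credentials give a
#    phisher the whole tenant, so these accounts come first.
$adminRole = Get-MsolRole -RoleName "Company Administrator"
$adminsWithoutMfa = @(
    Get-MsolRoleMember -RoleObjectId $adminRole.ObjectId |
        Where-Object { $_.RoleMemberType -eq "User" } |
        ForEach-Object { Get-MsolUser -ObjectId $_.ObjectId } |
        Where-Object { $_.StrongAuthenticationRequirements.Count -eq 0 }
)

# 2. Build the MFA requirement once and apply it to each account.
#    State "Enabled" makes the user register a phone or app at next sign-in;
#    "Enforced" additionally applies it to older clients that cannot prompt
#    for a code (those then need app passwords).
$mfa = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
$mfa.RelyingParty = "*"
$mfa.State = "Enabled"

foreach ($user in $adminsWithoutMfa) {
    Set-MsolUser -UserPrincipalName $user.UserPrincipalName -StrongAuthenticationRequirements @($mfa)
    Write-Output "MFA enabled for $($user.UserPrincipalName)"
}

# 3. Report the remaining licensed users without MFA, for rollout planning.
Get-MsolUser -All |
    Where-Object { $_.IsLicensed -and $_.StrongAuthenticationRequirements.Count -eq 0 } |
    Select-Object UserPrincipalName, DisplayName |
    Sort-Object UserPrincipalName
```

Run step 3 first to size the rollout before enabling anything; users who have not registered a phone will be prompted at their next sign-in. Note that Microsoft has since moved away from per-user MFA and the MSOnline module toward tenant-wide policies (security defaults or Conditional Access), which enforce the same second step without touching each account individually.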

Please contact LaSalle Consulting Partners by email, or call us at 312-361-3326 if you have questions, concerns, or would like to learn more about implementing multi-factor authentication.

LaSalle Consulting Partners, Inc.

200 W Madison St | STE 940 | Chicago, IL 60606

312.361.3326
www.lpartnersinc.com



Windows Server 2003 – Upcoming HIPAA Security Concern

Healthcare security breaches have, in recent years, resulted in costly penalties to covered entities. Data security threats that can lead to these breaches originate from many sources. A new source will be born on July 14, 2015.

As of July 14, 2015, Microsoft will end support for the Windows Server 2003 operating system. Microsoft and security experts are cautioning that Windows Server 2003 users will face increased security risks as a result of this change, largely due to the lack of new security updates. Windows Server 2003 will be significantly more susceptible to attacks, as criminals will have free rein to exploit vulnerabilities in the operating system without any response from Microsoft in the form of security updates or technical content updates.

As in the past, users who handle electronic personal health information (ePHI) face a greater risk than others. A single personal health record is now worth more on the black market than a credit card number, social security number, and date-of-birth combined.

With strict enforcement of the HIPAA and HITECH Acts, and increased computer hacker interest in ePHI, it is increasingly necessary for covered entities to be confident in their ability to secure the data from threats. Microsoft’s decision to end support for Windows Server 2003 will make those Windows 2003 users handling ePHI an even greater target for criminals attempting to exploit the operating system’s potential new, unprecedented vulnerabilities.

LaSalle Consulting Partners, Inc. recommends that Fund administrators upgrade or replace any existing Windows Server 2003 devices that have access to ePHI prior to July 14 in order to avoid exposure to potential security threats inherent to Windows Server 2003.

Anthem Data Breach

Anthem Inc. announced on February 4, 2015 that the personal information of many current and former policy holders had been compromised in what is suspected to be the largest health-care breach ever. The breach occurred one year after the FBI warned the health care industry that they were being targeted by hackers.

Anthem has nearly 200 security specialists, and their chief information officer insists that their “security capabilities are certainly on par with the industry, if not better.” Despite extensive security measures, hackers were able to steal as many as 80 million individuals’ names, addresses, birth dates, member IDs, social security numbers, and employment information.

Experts say that victims may be further wronged through identity theft schemes in years to come. Such schemes include fraudulent tax returns and medical identity fraud – the latter of which can have fatal consequences. Furthermore, identity thieves will pay up to 50 times the normal price for stolen medical records because medical records allow them to create a more complete identity.

Potential class-action lawsuits have already been filed against Anthem. The lawsuits allege that appropriate measures were not taken to encrypt personal information that was stolen in the breach. In support of those allegations, The Wall Street Journal reported that Anthem customer social security numbers were not encrypted.

The Anthem data breach is yet another wakeup call that technology security measures must be increasingly stringent. Sometimes industry standards are not good enough. Please contact LaSalle Consulting Partners to learn about how your organization could better safeguard its assets and electronic information.


Securing ePHI Outside of the Office – Northwestern Memorial HIPAA Breach

It is highly advisable to take precautions applicable to notebooks or other devices which leave the office if they are likely to store ePHI. Measures must be taken in order to protect confidential information and avoid costly penalties. At LaSalle Consulting Partners, we recommend that all data be encrypted using the highest encryption standard available before it leaves your location, and that it remains encrypted at all times.

Should the laptop or device become misplaced or stolen, the data contained on its encrypted drive is completely inaccessible without the associated encryption key. This extra level of protection prevents unauthorized users from accessing sensitive information. It also means that organizations are not required to notify those whose ePHI is contained on the device should it be misplaced. In October 2014, a Northwestern Memorial HealthCare laptop computer that was not protected with disk encryption was stolen from an employee’s vehicle. In accordance with the HIPAA Breach Notification Rule, Northwestern Memorial was required to notify the 2,800 patients whose ePHI was contained on the computer. Breaches such as this can be easily avoided through the encryption of device hard drives.
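As an added illustration of the recommendation above (not part of the original newsletter and not LaSalle’s or Microsoft’s own tooling), the PowerShell below enables BitLocker full-disk encryption on a Windows laptop, adds a recovery password, escrows that password to a file server, and verifies the state an auditor would ask about. It assumes Windows 10 or 11 Pro/Enterprise with a TPM, an elevated session, and a UNC path of your own; the `\\FILESERVER\BitLockerKeys` path is a constructed placeholder.

```powershell
# Added example (not from the LaSalle newsletter): encrypt a laptop's system
# drive with BitLocker so a lost or stolen device yields only ciphertext.
# Assumes Windows 10/11 Pro or Enterprise with a TPM, run as Administrator.
$drive      = "C:"
$escrowPath = "\\FILESERVER\BitLockerKeys\$env:COMPUTERNAME.txt"   # placeholder path

$vol = Get-BitLockerVolume -MountPoint $drive
if ($vol.VolumeStatus -eq "FullyDecrypted") {
    # TPM protector: the disk key is released only when the boot chain is
    # unmodified, so moving the drive to another machine does not unlock it.
    # -SkipHardwareTest starts encryption now instead of after a test reboot.
    Enable-BitLocker -MountPoint $drive -EncryptionMethod XtsAes256 `
        -TpmProtector -SkipHardwareTest

    # Recovery password: the only way back in if the TPM or mainboard fails.
    Add-BitLockerKeyProtector -MountPoint $drive -RecoveryPasswordProtector | Out-Null
}

# Escrow the recovery password somewhere other than the laptop itself; stored
# on the device it would defeat the encryption, and without it a TPM failure
# means the data is gone.
$recovery = (Get-BitLockerVolume -MountPoint $drive).KeyProtector |
    Where-Object { $_.KeyProtectorType -eq "RecoveryPassword" }
foreach ($r in $recovery) {
    "$env:COMPUTERNAME $($r.KeyProtectorId) $($r.RecoveryPassword)" |
        Out-File -FilePath $escrowPath -Append
}

# Verify: VolumeStatus should reach FullyEncrypted and ProtectionStatus On.
Get-BitLockerVolume -MountPoint $drive |
    Select-Object MountPoint, VolumeStatus, ProtectionStatus, EncryptionMethod, EncryptionPercentage
```

Encryption runs in the background and the final line can be re-run until `EncryptionPercentage` reaches 100 and `ProtectionStatus` reads `On`; a drive that is encrypting but not yet protected would still have triggered the notification described above. In an Active Directory or Azure AD environment the recovery password is normally backed up to the directory instead of a file share, but the principle is the same: the key must live off the device.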

Please contact LaSalle Consulting Partners to find out how we can help you develop and implement policies that help safeguard ePHI, even away from the office.


The Need for Risk Assessment of Peripheral Devices

LaSalle Consulting Partners continues to emphasize the importance of security and risk assessment in the workplace, particularly for HIPAA covered entities and business associates. One of the areas we have seen overlooked in risk assessment is the peripheral devices that exist on a computer network. Peripheral devices are devices on your network other than your computers and servers. These include devices such as printers, multi-function copiers, scanners, tablets, and mobile phones. If any of these devices are used to store or process sensitive information, and contain a hard drive or other form of memory, then your organization may be vulnerable to a security breach.

The HIPAA Security Rule risk analysis implementation specification at 45 CFR §164.308(a)(1)(ii)(A) mandates that organizations identify and assess exposures that may compromise the confidential nature of ePHI. Failure to protect confidential ePHI can result in hefty penalties and other legal action.

Affinity Health Plan, Inc. paid federal regulators a settlement amounting to $1.2 million after they returned copy machines to a leasing company, unknowingly releasing the ePHI of over 300,000 individuals contained on the machines’ hard drives. The breach was discovered by CBS Evening News, who purchased the copy machines as part of an investigation, after Affinity Health Plan returned them to the leasing company. While the incident was the first HIPAA settlement involving copiers, it may not be the last.

We recommend subjecting peripheral devices to a risk analysis. This precaution can assist in avoiding the legal and financial consequences of violating HIPAA regulations. Please contact LaSalle Consulting Partners for more information on the risk assessment of peripheral devices.


HIPAA Security Rule and Home Workers

The number of staff that work from home has continued to increase at benefit fund offices as it has with many other organizations. While this can be beneficial for both the Fund office and the remote worker, it also poses HIPAA related security concerns. Lack of security in the home computer environment can lead to a fund office network breach and/or unauthorized access to electronic personal health information (“ePHI”).
Without proper policies and security in place the following can occur:

  • Lack of a firewall or an improperly configured DSL or cable modem could allow unauthorized access by a hacker to the home worker’s computer. Once the hacker has gained access to the computer they could possibly use the connection to access the fund office network.
  • Depending on the security in effect, it may be difficult to prevent a home worker from copying files from the fund office network to the home worker’s PC. If there is any possibility of this happening, the home worker’s computer should be encrypted in the same way as the PCs at the fund office. This would help prevent unauthorized access to ePHI if the computer were to be stolen.
  • Lack of sufficient and up-to-date Microsoft security patches could allow unauthorized access by a hacker to a home worker’s computer. Once the hacker has gained access to the computer they could possibly use the connection to access the Fund office network.
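As an added illustration (not part of the original newsletter and not LaSalle’s own tooling), the PowerShell function below checks a home worker’s Windows PC against the three conditions just listed (host firewall on for every network profile, system drive encrypted with BitLocker, and security patches current) and returns one object a fund office could collect before granting remote access. It assumes Windows 10 or 11 in an elevated session; the 30-day patch-age threshold is an assumed policy value, not a figure from HIPAA or from the newsletter.

```powershell
# Added example (not from the LaSalle newsletter): baseline check of a home
# worker's PC for the three failure modes above. Assumes Windows 10/11 run as
# Administrator; the patch-age threshold is an assumed policy value.
function Test-HomePcBaseline {
    param([int]$MaxPatchAgeDays = 30)

    # Firewall: all three profiles (Domain, Private, Public) must be enabled,
    # because the home connection lands on whichever profile Windows assigned it.
    $firewallOff = @(Get-NetFirewallProfile | Where-Object { -not $_.Enabled })

    # Encryption: the system drive must be fully encrypted AND protection on.
    $os = Get-BitLockerVolume -MountPoint $env:SystemDrive
    $encrypted = ($os.VolumeStatus -eq "FullyEncrypted") -and ($os.ProtectionStatus -eq "On")

    # Patches: the newest installed update must be within the allowed age.
    $lastPatch = (Get-HotFix |
        Where-Object { $_.InstalledOn } |
        Sort-Object InstalledOn -Descending |
        Select-Object -First 1).InstalledOn
    $patchCurrent = [bool]$lastPatch -and (((Get-Date) - $lastPatch).Days -le $MaxPatchAgeDays)

    [pscustomobject]@{
        Computer         = $env:COMPUTERNAME
        FirewallOk       = ($firewallOff.Count -eq 0)
        DisabledProfiles = ($firewallOff.Name -join ",")
        DiskEncrypted    = $encrypted
        LastPatchDate    = $lastPatch
        PatchCurrent     = $patchCurrent
        Compliant        = ($firewallOff.Count -eq 0) -and $encrypted -and $patchCurrent
    }
}

# Usage: run on the home PC and send the result to the fund office.
Test-HomePcBaseline | Format-List
```

A failing `Compliant` value is a reason to withhold the VPN or remote-desktop account until the item is fixed, which is the policy parity with office PCs recommended below. The check covers the home PC itself; the consumer DSL or cable modem mentioned in the first bullet has to be reviewed separately, since Windows cannot see its configuration.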

These are just a few examples of potential security issues that can occur. Only through proper policies, staff training and technical safeguards can these threats be kept to a minimum. We recommend that HIPAA covered entities establish the same policies for home computers as they do for computers located at the fund office premises. The Department of Health & Human Services has published a document that provides additional guidance to HIPAA covered entities that provide remote access to ePHI.

LaSalle Consulting Partners can help you develop and implement policies that help safeguard ePHI. Please contact me at 312-361-3313 if we can be of help.


HIPAA Permanent Audit Program: the Pre-Audit Survey

The Office for Civil Rights (OCR) is mandated to conduct periodic audits to assess the compliance of covered entities and business associates with the HIPAA Privacy, Security, and Breach Notification Rules. On February 20, 2014 the Department of Health and Human Services announced plans to utilize a Pre-Audit Survey form to gather information in an effort to assess the size, complexity and fitness of an entity for an audit. Below is a summary of the announcement.

  • The Office for Civil Rights (OCR) will be sending the survey to as many as 1,200 HIPAA covered entities and business associates to determine suitability for an audit, as part of the much anticipated permanent HIPAA audit program. Approximately two-thirds of that survey will be completed by HIPAA Covered Entities and the remainder, Business Associates. Information will be gathered to evaluate the “fitness of a respondent for an audit.”
  • The OCR is required to conduct audits to ensure the compliance of covered entities and business associates with the HIPAA Privacy, Security, and Breach Notification Rules. By acquiring information through the Pre-Audit Survey, the OCR will attempt to determine which organizations may benefit from their audit.
  • The survey will take approximately 30-60 minutes. Organizations will need to install software prior to the survey. In response to this requirement, and other time constraints placed on organizations by issuance of the permanent HIPAA audit, the OCR has released the following Burden Statement:

“Burden in this context means the time expended by persons to generate, maintain, retain, disclose or provide the information requested. This includes the time needed to review instructions, to develop, acquire, install and utilize technology and systems for the purpose of collecting, validating and verifying information, processing and maintaining information, and disclosing and providing information, to train personnel and to be able to respond to a collection of information, to search data sources, to complete and review the collection of information, and to transmit or otherwise disclose the information.”

Organizations must be prepared for the Pre-Audit Survey. Preparations will entail certain actions (for instance, installing the necessary software), but another significant aspect of preparedness is becoming knowledgeable on OCR mandates and keeping up-to-date with information concerning the permanent HIPAA audit program that will begin soon.

Other possible preparations include, but are not limited to, performing an independent Risk Assessment (a less understood mandate of the OCR), forming policies and procedures to protect ePHI and/or respond to a data breach, and drafting Business Associate Agreements with clients and Business Associates (in the case of HIPAA Covered Entities). For the full announcement, please visit the Federal Register. Please contact LaSalle Consulting Partners for more information on the upcoming Pre-Audit Survey.

Source: https://federalregister.gov/a/2014-03830


The HIPAA Security Rule and Necessity of Risk Assessment

Though most would agree that risk analysis is an important consideration for any organization, HIPAA covered entities are required to conduct such risk assessment to ensure compliance with the HIPAA Security Rule. The Security Rule states that covered entities, organizations responsible for the transmission of e-PHI, must “Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the organization” (§ 164.308(a)(1)(ii)(A)).

While the necessity of risk assessment is certain, the Security Rule does not specify the frequency with which assessment must occur. Instead, the Rule addresses the breadth of analysis which must be conducted. The Rule indicates some considerations for analysis which include (but are not limited to) e-PHI within the organization, external sources of e-PHI, and potential threats to information systems that contain e-PHI. The Security Rule recognizes, however, that risk assessment cannot be standardized due to each organization’s unique relationship with e-PHI.

Listed below are the “Elements of a Risk Analysis”, provided by the U.S. Department of Health & Human Services. The list is intended to aid covered entities in implementing risk analysis methodologies that will best suit their needs.

  1. Scope of the Analysis
  2. Data Collection
  3. Identify and Document Potential Threats and Vulnerabilities
  4. Assess Current Security Measures
  5. Determine the Potential Impact of Threat Occurrence
  6. Determine the Level of Risk
  7. Finalize Documentation
  8. Periodic Review and Updates to the Risk Assessment

LaSalle Consulting Partners, Inc. is familiar with several organizations that can assist with Risk Assessments. We can help in selecting the best firm to suit your needs. We can also help you prepare for an assessment and remediate any technology related risks that are identified during an assessment. Please contact Frank Zurek at frank.zurek@lpartnersinc.com or call 312-361-3313 for further information.


Windows XP – Upcoming HIPAA Security Concern

Healthcare security breaches have, in recent years, resulted in costly penalties to covered entities. Data security threats that can lead to these breaches originate from many sources. A new source will be born early next year.

As of April 8, 2014, Microsoft will end support for the Windows XP operating system, initially released in August 2001. Microsoft and security experts are cautioning that Windows XP users will face increased security risks as a result of this change, largely due to the lack of new security updates. Windows XP will be significantly more susceptible to attacks, as criminals will have free rein to exploit vulnerabilities in the operating system without any response from Microsoft in the form of security updates or technical content updates.

As in the past, users who handle electronic personal health information (ePHI) face a greater risk than others. Over 18 million patient records were breached between 2009 and 2011, and a single personal health record is now worth more on the black market than a credit card number, social security number, and date-of-birth combined.

With strict enforcement of the HIPAA and HITECH Acts, and increased computer hacker interest in ePHI, it is increasingly necessary for covered entities to be confident in their ability to secure the data from threats. Microsoft’s decision to end support for Windows XP users will make XP users handling ePHI an even greater target for criminals attempting to exploit the operating system’s potential new, unprecedented vulnerabilities.

LaSalle Consulting Partners, Inc. recommends that Fund administrators upgrade or replace any existing Windows XP computers that have access to ePHI prior to April of next year in order to avoid exposure to potential security threats inherent to Windows XP.

Sources:

http://www.secureworks.com/assets/pdf-store/other/infographic.healthcare.pdf
http://blogs.technet.com/b/security/archive/2013/08/15/the-risk-of-running-windows-xp-after-support-ends.aspx
