Cyberattacks: Prevention May be the Cure from Ransomware

By Robert McDermott, President/CEO, iCoreConnect

Just as you wash your hands regularly so you don’t get sick, it’s critical to adopt good habits of “digital hygiene” to prevent cyberattacks on your practice. The “illness” threatening your practice is called malware. Malware is an umbrella term for any malicious software criminals use to steal your or your patients’ data.

Ransomware, a particularly sinister malware, burrows into your system and begins encrypting all your data so you can’t access it. Then a cybercriminal holds your data for ransom, demanding you pay a hefty sum of money for them to give you access to your own files.

Just like a human virus sometimes can be undetected, malware can be in your computer system long before you realize it. By the time you see symptoms, it’s too late. Cybercriminals are continually developing sophisticated methods for infecting computers and servers without you catching on. There are two primary ways malware gets into your system and holds your practice ransom.

HACKING

Hackers secretly tap into your data by exploiting weaknesses in your IT security. Outdated, unmaintained systems often make smaller, older practices particularly easy targets. Working with a proactive team of IT experts, known as managed IT services providers (MSP), is an important layer of defense against attacks. These folks can save you money, time and headaches over the long run. They detect threats early to eliminate or reduce damage well before it gets out of hand.

A particular vulnerability is how you are using email. Only use Gmail, Hotmail, Yahoo, etc. for personal or non-patient specific messages. For anything beyond that, set up a fully HIPAA-compliant, cloud-based email system that protects your information whether it’s sitting in your inbox or sending to another doctor’s inbox. There are big differences between an encryption-only email for general security and a truly HIPAA-compliant email fulfilling every HIPAA security requirement. These requirements range from verifying recipient identity to making sure no email is altered.

PHISHING

Phishing occurs when a criminal tricks any employee into thinking something is a trustworthy source, then convinces them to click a corrupt link or provide sensitive information directly (like a credit card number). The attacker is preying on a lack of awareness on the part of you or a staff member. You must educate your whole team to recognize suspicious messages, links and questions to avoid falling victim. If the sender is unknown or claims to be your IT person, MSP or someone in your office yet asks you to click an unusual link, verify the email first with the actual person on your team.

No one is inherently immune from cyberattacks. Take action now by working with a qualified dental IT services provider to assess, boost and maintain your IT immune system. Work directly with your staff to understand what to look for and how to prevent these types of criminals from getting in the door. Healing from an attack is much more difficult and costly than preventing it in the first place.


iCoreConnect, an FDA Crown Savings merchant, specializes in comprehensive software that speeds up workflow for dentists. The FDA endorses these products from iCoreConnect: iCoreExchange HIPAA-compliant email and iCoreDental cloud-based practice management. FDA members receive substantial discounts on both products. Book a demo at icoreconnect.com/fda or call 888.810.7706.

Top 6 Ways to be Prepared for a HIPAA Audit

By Abyde

Let’s be real — there’s probably a few things in life we all have an “Oh, it won’t happen to me” mentality about. For many medical professionals, that may be exactly how you feel about HIPAA audits, yet HIPAA investigations are becoming more common than you might think. 

While the odds of facing a totally random HIPAA audit might not be high, they increase significantly when you factor in additional investigation triggers like data breaches, cyber attacks, and patient complaints — none of which a dental practice is immune to.

Proactively preparing for anything that might be thrown your way is imperative for your practice to have the ability to handle a HIPAA audit without the consequence of a hefty violation. Here are the top six things you should have in place before a breach, complaint or audit investigation occurs:

1. Security Risk Analysis
The first thing the OCR looks for upon investigation is a properly documented and up-to-date Security Risk Analysis. This shows that you’ve assessed your practice operations and identified any vulnerabilities — before an audit occurs. While it’s the first step of HIPAA compliance, only 17% of practices audited by the OCR met this requirement.

2. Practice-specific Policies and Procedures
Proper documentation is key for all aspects of your compliance program, including your practice-specific HIPAA policies and procedures. These policies and procedures serve as the guidelines for how protected health information (PHI) should be handled within your practice and the proper documentation is necessary to prove the expectations and standards you have set for your organization. 

3. Disaster Recovery Plan
Disasters happen, most of the time without warning. Having a disaster recovery plan in place is important to ensuring continuity of patient care and continued access to important medical records. As the saying goes, if you fail to plan, you plan to fail.

4. Implement Proper Administrative, Technical and Physical Safeguards
Securing all forms of PHI with the necessary safeguards already implemented within your practice is essential to successfully meeting HIPAA requirements, and ultimately protecting your patients.

5. Staff HIPAA Training
Properly train your staff on all HIPAA privacy and security policies and procedures. This training should be ongoing to ensure that staff is staying up to date with any changes to HIPAA regulations or practice operations.

6. Business Associate Agreements
It’s important to be on the same page with everyone who has access to your patient’s secure information. Implementing the proper business associate agreements with all third-party vendors that could potentially access PHI ensures patient data is secure while also offsetting liability to business associates should they be the cause of a data breach.

There’s a lot that goes into your HIPAA program, even more than the top six items listed here, which is why it’s all the more important to have a true culture of compliance in place and a complete HIPAA program to prevent and minimize threats to your patients’ data.


Abyde is an FDA Crown Savings Endorsed Partner and the Abyde software solution is the easiest way for any sized dental practice to implement and sustain comprehensive HIPAA compliance programs. FDA members save 20% on Abyde services that help their practices meet government-mandated HIPAA standards that protect patient health information by identifying and correcting key security safeguards. Visit fdaservices.com/abyde or call 800.594.0883.

This article was originally posted on Abyde’s blog on Aug. 14, 2020. Reprinted with permission.

My EHR System Makes Me HIPAA Compliant, Right?

By Abyde

Let’s face it, in today’s digital age, it’s tough to find a medical practice that doesn’t use an electronic health records (EHR) system. Even if you were late to the game and just recently made the switch, the use of EHRs in doctors’ offices nearly doubled between 2009 and 2017, to almost 86% of providers. One of the biggest qualifications for any EHR system is that it meets all HIPAA-compliance requirements to protect the sensitive patient data held within it.

But is that where HIPAA compliance begins and ends? 

A common misconception many providers have, however, is that implementing a HIPAA-compliant EHR ensures their practice is in compliance with all standards — instead, it’s just one piece of the much larger puzzle.

Make no mistake, having a HIPAA-compliant EHR is essential. There are several safeguards that should be implemented to protect your EHR’s electronic data, such as: 

  • Having the proper technical safeguards in place to secure your online databases.
  • Having access controls such as unique logins for your EHR system limiting access to authorized individuals.
  • Encrypting all stored information within your EHR.
  • Having access logs to your EHR system in case of any breaches or audits.

While these safeguards are key, there are other HIPAA requirements that go beyond the security of your EHR software and impact your practice’s operations, physical accessibility and all technology used within the organization — including IT networks and other applications not included in your EHR software. That’s why the Security Risk Analysis’ three sections — administrative, physical and technical safeguards — are so essential to ensure every aspect of your business’ risk is assessed.

  1. First, let’s look at HIPAA-compliant operations and administrative safeguards. Much of HIPAA law applies to having the proper policies and procedures in place. This means documenting things like how your practice releases protected health information (PHI), how you complete required annual HIPAA training, how you review employee access to PHI, how you’ll apply sanctions to workforce members if violating privacy laws, and more. Most of these will address how the “business” side of your practice operates. What’s more, your policies must reflect your actual practice operations — they can’t simply be templates downloaded off the internet to meet HIPAA requirements. Administrative safeguards also should include having all contracts in place to protect your PHI, such as Business Associate Agreements with all required vendors — including your EHR provider. 
  2. Second, your physical safeguards encompass both obvious and not so obvious ways to protect your practice from harm. This means determining if you have locks on your doors (we hope this one is covered) but also how often access codes are changed, when your last fire marshal inspection was, if you use privacy screens to prevent seeing PHI on computers in use, and if your PHI is physically separated from patients to prevent unauthorized access — just to name a few. Physical security is key to showing your practice’s efforts to prevent loss or theft of PHI and goes well beyond your EHR system.
  3. Lastly, beyond your EHR, your practice has likely implemented several different technology systems and applications. These technologies carry the same risks as your EHR and need technical safeguards to ensure the privacy of PHI they store or access. From your office Wi-Fi to your cloud storage solution or server, each system must have controls to prevent unauthorized access to your PHI. In fact, the more technology you rely on, the more accessible PHI is to the wrong people. It’s not just data at rest either — sending emails containing PHI requires encryption, as does instant messaging or text messaging when it includes PHI. All these systems are gateways to your practice’s data and are essential to protect just like your EHR solution.

Even non-HIPAA experts can conclude that having a HIPAA-compliant EHR system is a no-brainer. But missing all, or even just some, of the other pieces to the puzzle puts your practice and your patients at high risk. In fact, within Abyde’s Security Risk Analysis, only 10% of the questions pertain to your EHR system. Whether with Abyde, internally, or with another vendor, it’s essential to review the other 90% of your necessary safeguards before getting slammed with a HIPAA violation. 


Abyde is an FDA Crown Savings Endorsed Partner and the Abyde software solution is the easiest way for any sized dental practice to implement and sustain comprehensive HIPAA compliance programs. FDA members save 20% on Abyde services that help their practices meet government-mandated HIPAA standards that protect patient health information by identifying and correcting key security safeguards. Visit fdaservices.com/abyde or call 800.594.0883.

This article was originally posted on Abyde’s blog on July 16, 2020. Reprinted with permission.

Could Your Practice’s Website Reveal Your HIPAA Non-compliance?

By Dr. Danika Brinda, CEO, Planet HIPAA

Did you know that your practice’s website can reveal to the world that you are out of compliance with HIPAA?

A quick look around your website could reveal to a HIPAA auditor that your practice is struggling with HIPAA compliance. Wondering what I am referring to? It’s the Notice of Privacy Practices! The regulations state that your practice must ensure that the most current version of your Notice of Privacy Practices is posted on the practice’s website (if one exists). Here is the specific language from the regulations:

CFR 164.520(c)(3)(i) – A covered entity that maintains a website that provides information about the covered entity’s customer services or benefits must prominently post its notice (of privacy practices) on their website and make the notice available electronically through their website.

Go ahead, give it a try. Head on out to your website (or another practice’s). Try and find the Notice of Privacy Practices. Were you successful or did you find something that is called Privacy Policy? If you look through the Privacy Policy, most of the time the language is something specific to the privacy policy of the website and not the Notice of Privacy Practices. Keep searching for the Notice of Privacy Practices. If you are unsuccessful at finding it, the basic elements of the regulations are not met. If you found the Notice of Privacy Practices – great work! You are compliant, right? NOT NECESSARILY!

Even with your Notice of Privacy Practices posted on your website, you must make sure that the document is your most current version and matches the one available in your office. You also must make sure it meets all the requirements that were defined in the 2013 HIPAA Privacy Regulations and the 2013 HIPAA Omnibus Rule. If any of the following three statements are true, your website revealed that you are out of compliance with HIPAA:

  1. Your Notice of Privacy Practices was not posted on your website.
  2. Your Notice of Privacy Practices was dated prior to Sept. 23, 2013.
  3. The Notice of Privacy Practices on your website isn’t the most up-to-date copy.

If you think the auditors will not be looking on your website to make sure your Notice of Privacy Practices is posted, think again. In the OCR 2016 HIPAA Desk Audit Guidance on Selected Protocol Elements, it states the covered entity must “upload the URL for the entity’s website and the URL for the posting of the entity’s notice.” In fact, the instructions for the HIPAA auditors state that they must:

“Determine whether the entity maintains a website. If so, observe the website to determine if the Notice of Privacy Practices is prominently displayed and available. An example of prominent posting of the notice would include a direct link from homepage with a clear description that the link is to the HIPAA Notice of Privacy Practices.”

Not only does it have to be posted on your website, but it must be in a location that is easy to find with an easy description!

The Notice of Privacy Practice is not a difficult area to comply with for the HIPAA regulations; however, it is a common area of non-compliance. To be compliant with this regulation, the following four items should be established:

  • Notice of Privacy Practices
  • Notice of Privacy Practices Policy and Procedure
  • Acknowledge Form of the Notice of Privacy Practices
  • Making the notice available on the practice’s website

The specific elements that need to be defined in the Notice of Privacy Practices are specifically defined in the regulations. More information can be found here.

 

Dr. Danika Brinda is the CEO of Planet HIPAA and has more than 12 years of experience in health care privacy and security practices. She also is a nationally recognized speaker on a variety of health care privacy and security topics, and specializes in helping dental organizations implement a HIPAA-compliance program.

This article was first published on Planet HIPAA on Sept. 5, 2016.