Stop! Think. Delete.

The hackers are getting more and more creative.  That means you have to really pay attention.  It only takes a split second to allow a hacker access to your computer.  One of the worst things that’s started happening is known as ransomware.  Unlike spyware, where the activity happens in the background without your knowledge, the idea with ransomware is for you to know exactly what’s going on.

Andrew Clarke

Ransomware is exactly what it sounds like.  The hacker holds the data on your computer or your company’s network hostage by encrypting it until you pay.  If you don’t pay within a specific amount of time, your data is locked forever. There have even been a few police departments that were recently in the news because they were hit … and some of them actually paid!  To avoid getting yourself into this situation:

  • Back up regularly (you’ve heard this advice a lot … it can’t be overstated) to a source that’s completely separate from your computer.  Having a backup gives the hackers less power, and it gives you more peace of mind.
  • When checking email, don’t open email from unknown sources.  Just delete it.
  • If something comes from someone you know, don’t automatically assume the attachment is safe.  Just because the email says it’s from your friend doesn’t mean your friend sent it.  Is the email something you would normally get from him/her?  Does it sound like it was written by your friend?  If you’re unsure, send your friend a separate email (don’t reply or forward to the questionable email) asking if they actually sent it, or just delete it if it’s not important.  Better safe than sorry.
  • Think before you click.  Think before you click.  Yes, I wrote that twice on purpose.  Don’t fall for scare tactics.  The IRS won’t be sending you email.  They know where you live and tend to contact you via regular mail, certified mail or phone.
  • Don’t fall for random acts of money.  If you’re not expecting money (via PayPal, for example), don’t click the link!
  • Read the name of the bank in the email.  If you don’t bank with them, that’s a clue.
  • Something else that recently made the news … The power company will not turn off your electricity in an hour if you don’t pay up.  That goes back to not falling for scare tactics.

The most important thing is to never, ever, ever pay ransom.  It amazes me that I found articles where some so-called security professionals actually advocated paying.  You would be dealing with criminals, so what’s the guarantee that they would actually release your data and not do it again?  In 2014, it was reported by one source that the ransomware CryptoLocker had an estimated 500,000 victims targeted with reported returns of $3 million.

The answer is to backup and click with care.


Security – or lack thereof

I’m not a techie. In fact, I’m the exact opposite of a techie — I’m the person who hands my laptop over to a techie friend and says “here – can you figure out why my screen is flickering?”

It’s a good thing I don’t have access to protected health information on my computer because I spend *a lot* of time giving other people access to my computer.

Communications Director Tara Courtland

Which is where security comes in.

I see friends and acquaintances do the same thing all the time — “here, can you fix this?” “here, look at this video.” “Sure, you can borrow it to check your email.” Some of these people, I know, have access to sensitive information.

We spend a lot of time in healthcare talking about security, HIPAA, encryption and screen locks. We all know the high-security rules. But how often do you physically hand your laptop or your tablet to someone else? And do you watch over their shoulder, or do you walk off to get a cup of coffee while they’re looking?

I’m extremely cautious about my iPhone – it’s logged into my email and my Facebook account, so I never leave it unattended and unlocked, and I never ever let anyone else use it without watching. But I’m a little less cautious about my laptop. It’s got a screen lock, so if I leave it unattended for more than 2 minutes, it requires a password to open. But that doesn’t help if I hand it over and then look away.

Like I said, there’s no PHI on it. But there are plenty of things I wouldn’t want someone else perusing. I didn’t think about it all that much until a recent occasion when a program crashed so irrevocably that I needed help and I needed it right away. I contacted a techie friend at work and he agreed that if I dropped it off, he’d take a look at it during his lunch break.

It wasn’t until I was prepping for that scary drop-off — logging out of my websites, making sure my Social Security number wasn’t saved in a document anywhere, etc., checking my photo files for unflattering shots — that I realized how often this guy and other friends touch my computer.

I know that most programs with access to PHI log out after a certain time period. But what else have you got on there? What’s on your tablet, your phone, your laptop hard drive and how often do you hand it over just to show someone a video or to get some help?

All the security precautions in the world don’t help if we bypass them manually.


Interoperability in healthcare — finally … and how do you get the players to cooperate?

The federal health information technology coordinator recently released a report on how to improve interoperability in electronic health-record systems. The report, “Connecting Health and Care for the Nation: A Shared Nationwide Interoperability Roadmap,” calls for most providers to have the ability to use their systems to send, receive and use a common set of electronic clinical information … at the nationwide level by the end of 2017.

NEMT CEO Linda Sullivan

There are approximately 20 pieces of data including, to name a few, patient demographics, lab test results and identifiers for a patient’s care team members.

According to an article in ModernHealthCare.com “While there has been some exchange of information to-date, both providers and insurers say that the level of information exchange is insufficient for their needs. Healthcare organizations wanting to exchange information have been hampered by a lack of consensus on which information exchange standards to use, how to configure computer systems to use them, and which rules and business practices to follow.”

“What we don’t see yet is a complete coalescing around the rules of the road for a nationwide exchange network,” said Dr. Karen DeSalvo, coordinator of the Health and Human Services (HHS) Office of the National Coordinator for Health IT.

This was followed up on February 3, 2015 by a blog post by Dr. DeSalvo stating that HHS announced a funding opportunity to support the interoperability initiative. This funding opportunity will “… invest $28 million to increase the adoption and use of interoperable health IT tools and services to support the exchange of health information.”

This is clearly where we need to go but I continue to believe that healthcare IT vendors may be a significant obstacle in this process. Nearly every system is proprietary and there are more systems in hospitals today than there have ever been. Incentivizing the healthcare community is a first step in the right direction.


Audit your employees

Are you auditing your own employees? I know that I have written about this issue in the past, but it is something we all need to really be aware of and have a plan in place that we can carry out. None of us want to think about our own employees or our BAs as a concern for HIPAA. Unfortunately we do need to include auditing them in our security plan.

NEMT President Linda Allard

University Hospitals out of Cleveland had to notify 700 patients that they had a HIPAA breach when they caught one of their employees looking at confidential records. This employee was looking at both financial and medical records for over three and a half years before being discovered. Not only were these patients’ medical records compromised, but so were their Social Security and financial records. This was really a double concern for the patients. The facility found out after a complaint was made and they audited the EMR access of users for patients from January of 2011 through June of 2014.

I am sure that University Hospitals did not set out to allow their employees this kind of access. I am also sure that they evaluated their security and thought they were doing a good job. What they didn’t do was realize or correctly identify the data that their employees had access to and put a regular audit process in place.

Do you have role-based access? In other words, does the role of an employee define what data they have access to? Have you defined the roles associated with each of your job descriptions and what access they need? This is a really good place to start understanding what access your users have. If you don’t have a process in place to audit your EMR and the other places you store patient data, now is the time to sit down, determine how you can audit this data, and then put the audit in place.

A study was released last year from HIMSS that said 80 percent of Healthcare IT security audits identified snooping to be a top threat in motivating breaches. The Department of Health and Human Services says that more than 41.4 million people have had their information compromised in a reportable HIPAA breach. Putting both role defined data access and an audit plan in place might help prevent you from contributing to those numbers.
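The two controls the post recommends, role-defined data access and a regular audit of who opened which records, can be exercised together against an access log. The script below is an added example, not code from NEMT or the original post: it assumes a hypothetical pipe-delimited EMR access log, a hypothetical role policy (which record categories each role may open), and a hypothetical care-team table (which patients each clinician is assigned to). It flags accesses that fall outside a user's role, clinical accesses to patients outside the user's care team, and accounts that are not in the role table at all, then counts how many distinct patients each flagged user touched, which is the pattern the Cleveland audit would have surfaced. All user names, patient IDs and log lines are constructed.

```python
"""Role-based audit of EMR access logs.

Added example (not from the original post). The log format, role policy,
care-team table, user names and patient IDs are all constructed.
"""
from collections import defaultdict

# Hypothetical policy: which record categories each role may open.
ROLE_PERMISSIONS = {
    "physician": {"medical", "demographics"},
    "nurse": {"medical", "demographics"},
    "billing_clerk": {"financial", "demographics"},
    "registration": {"demographics"},
}

# Roles whose access should be limited to patients on their own care team.
CLINICAL_ROLES = {"physician", "nurse"}

# Constructed user -> role mapping (what the job description grants).
ROLE_OF_USER = {
    "dr_lee": "physician",
    "nurse_kim": "nurse",
    "clerk_ann": "billing_clerk",
    "reg_bob": "registration",
}

# Constructed care-team assignments: user -> patients they are assigned to.
CARE_TEAM = {
    "dr_lee": {"P1001", "P1002"},
    "nurse_kim": {"P1001"},
}

# Constructed access log. Format: timestamp|user|patient_id|record_type|action
SAMPLE_LOG = """\
2014-03-02T09:14:05|dr_lee|P1001|medical|view
2014-03-02T09:20:11|nurse_kim|P1001|medical|view
2014-03-02T10:02:44|clerk_ann|P1003|financial|view
2014-03-02T10:05:19|clerk_ann|P1003|medical|view
2014-03-02T11:30:00|nurse_kim|P1002|medical|view
2014-03-02T11:31:00|nurse_kim|P1002|financial|view
2014-03-02T12:00:00|reg_bob|P1004|demographics|view
2014-03-03T08:00:00|dr_lee|P1002|medical|update
2014-03-03T08:05:00|ghost|P1005|medical|view
"""


def parse_line(line):
    """Split one pipe-delimited log line into a dict; None for blank or malformed lines."""
    parts = line.strip().split("|")
    if len(parts) != 5:
        return None
    keys = ("timestamp", "user", "patient", "record_type", "action")
    return dict(zip(keys, parts))


def check_event(event, role_permissions, role_of_user, care_team, clinical_roles):
    """Return the list of policy violations for one access event (empty if clean)."""
    reasons = []
    role = role_of_user.get(event["user"])
    if role is None:
        # An account with no defined role should never be reading patient data.
        return ["unknown_user"]
    if event["record_type"] not in role_permissions.get(role, set()):
        reasons.append("out_of_role")
    if role in clinical_roles and event["patient"] not in care_team.get(event["user"], set()):
        reasons.append("outside_care_team")
    return reasons


def audit(log_text, role_permissions=ROLE_PERMISSIONS, role_of_user=ROLE_OF_USER,
          care_team=CARE_TEAM, clinical_roles=CLINICAL_ROLES):
    """Run every log line through the policy checks; return flagged events with reasons."""
    findings = []
    for line in log_text.splitlines():
        event = parse_line(line)
        if event is None:
            continue
        reasons = check_event(event, role_permissions, role_of_user, care_team, clinical_roles)
        if reasons:
            findings.append({**event, "reasons": reasons})
    return findings


def patients_touched_per_user(findings):
    """Distinct patients per user among flagged events; a large count suggests browsing."""
    seen = defaultdict(set)
    for finding in findings:
        seen[finding["user"]].add(finding["patient"])
    return {user: len(patients) for user, patients in seen.items()}


if __name__ == "__main__":
    flagged = audit(SAMPLE_LOG)
    for f in flagged:
        print(f"{f['timestamp']} {f['user']:10} {f['patient']} "
              f"{f['record_type']:12} {', '.join(f['reasons'])}")
    print("distinct patients per flagged user:", patients_touched_per_user(flagged))
```

Running it flags the billing clerk opening a medical record, the nurse reading a patient who is not on her care team (once out of role as well), and the unrecognised "ghost" account. In a real deployment the role and care-team tables would come from the HR and scheduling systems rather than being hard-coded, and the audit would run on a schedule so that a pattern like the three-and-a-half-year one in the post is caught in weeks, not years.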



The kitchen sink

Well, it’s January.  It’s the time of year when people like to make resolutions for the next 12 months.  Everybody wants to get a fresh start or at least talk about getting one, so I’m going to dedicate this blog to things that are good to do in January.  I’ll also sprinkle in a few odds and ends (hence the title).

Andrew Clarke

  • I know someone who is organized enough to clean his computer completely every January.  He reformats the hard drive and only installs the programs he actually needs.  If you are able to be that dedicated to starting fresh, your benefits will be a faster computer, a safer computer (because any malware would be wiped out),  and the peace of mind of knowing that you could recover fairly easily if your computer ever failed because you know where everything is.
  • If you can’t take things to that level (and very few of us can), you should at least run Malwarebytes and ESET to make sure your computer is basically clean.  A future post will deal with performing a more thorough evaluation of your computer to look for things like rootkits.  Information on running the two programs mentioned here is available in previous blog postings.
  • Backup, backup, backup.  I don’t think I need to say more.  While it’s best practice to backup on at least a weekly basis, I know most of us don’t.  The next best thing would be to at least backup when the time changes (twice a year) and, finally, once a year if you just can’t bring yourself to be bothered more often.  That way, even though you’ll still lose a lot of data if your hard drive crashes, you won’t lose everything.
  • If you have a desktop computer, remove the cover and blow out the dust. You can buy cans of air at office supply stores or hardware stores.  Keeping the inside of your computer free of dust and animal hair will prevent some of the failures that occur when fans get clogged and the computer overheats.  Make sure you turn the computer off before you open it, of course.


Say what?!? section

  • I recently heard on the news that Microsoft is gearing up to release its next version of the Windows operating system this fall.  Oddly enough, it’s going to be called Windows 10.  They reportedly skipped over version 9 to emphasize just how dramatically different this version will be.  The report said they would be offering it for free to anyone who owns Windows XP, Windows 8, or any other version of Windows.  It’s supposed to correct some of the mistakes they made in trying to force us all to use touch devices.  I have not researched it yet, but based on what I’ve heard I’ll be doing so soon.  The beta version is supposed to be available now, but it’s only recommended for experts.