Mannassi IT Solutions

Blog

Don't Get Bit by HIPAA

Fun fact: HIPAA, the 1996 law that sets the privacy and security requirements for your medical information, reaches a lot further than you may have believed. Do you know whether your business is a covered entity or a business associate? Not knowing the answer could mean big fines.

HIPAA governs security for the obvious: hospitals, private practices and other medical providers. But it also reaches the less obvious: health insurance brokers, your HR department (when it handles group health plan records), and even your IT team. Since we began working on HIPAA compliance with clients in early 2017, we’ve found many gaps where business owners didn’t know they were required to comply.

If your business creates, receives, stores or transmits protected health information on behalf of a covered entity, even if your business has nothing else to do with healthcare, you’re a business associate and you must also comply with HIPAA! Compliance is also easy to breach: one unlocked laptop left unattended while its user is at lunch, or sloppy password management, can put you out of compliance, and HIPAA can get really complicated really fast.

Here's the actual rule, straight from HHS: “The Privacy Rule requires that a covered entity obtain satisfactory assurances from its business associates that the business associate will appropriately safeguard the protected health information it receives or creates on behalf of the covered entity.” Do you know if your business associates are HIPAA compliant?

Don’t get too far into 2018 without double-checking your security requirements. Remember, protected health information (PHI, or ePHI for its electronic cousin) covers any individually identifiable health information, from phone numbers to official diagnoses and everything in between.

We’re happy to talk HIPAA with you any time. Follow us on Twitter & Facebook & reach out with any questions you might have!

Don’t get held for ransom!

The news is currently saturated with talk of the WannaCry/WannaCrypt ransomware that infected systems across the globe. So, what is ransomware?

Ransomware is malicious software that encrypts the files on your computer, or locks the machine outright, and blocks access to your data until a fee is paid to the attacker (hence the “ransom”), usually in Bitcoin. With little warning, and no way to recover the data without the attacker’s key unless you hold a clean backup, victims sometimes pay large sums of money to regain access to their data.

For healthcare and associated organizations it is especially dangerous, because a ransomware infection of a system that stores or can access electronic protected health information (ePHI) is presumed under the HIPAA Rules to be a reportable breach. The following excerpt from the Health and Human Services website can shed some light:

Q: Is it a HIPAA breach if ransomware infects a covered entity’s or business associate’s computer system?
A: Whether or not the presence of ransomware would be a breach under the HIPAA Rules is a fact-specific determination. A breach under the HIPAA Rules is defined as, “…the acquisition, access, use, or disclosure of PHI in a manner not permitted under the [HIPAA Privacy Rule] which compromises the security or privacy of the PHI.” See 45 C.F.R. 164.402.
When electronic protected health information (ePHI) is encrypted as the result of a ransomware attack, a breach has occurred because the ePHI encrypted by the ransomware was acquired (i.e., unauthorized individuals have taken possession or control of the information), and thus is a “disclosure” not permitted under the HIPAA Privacy Rule.
Unless the covered entity or business associate can demonstrate that there is a “…low probability that the PHI has been compromised,” based on the factors set forth in the Breach Notification Rule, a breach of PHI is presumed to have occurred. The entity must then comply with the applicable breach notification provisions, including notification to affected individuals without unreasonable delay, to the Secretary of HHS, and to the media (for breaches affecting over 500 individuals) in accordance with HIPAA breach notification requirements. See 45 C.F.R. 164.400-414.

After a 22-year-old security researcher halted last week’s global outbreak by registering a “kill switch” domain embedded in the malware, he warned that the code only needed minor modification before it could be relaunched without that weakness. Ransomware attacks are only going to increase, so proactive steps to protect your network are essential: keep Windows patched (WannaCry spread through an SMBv1 flaw Microsoft had fixed two months earlier), maintain offline backups and test that you can actually restore from them, and make sure you know what security your IT system requires to keep you from being held hostage. We can assess your network and strengthen its defenses against these types of attacks. Even if you escaped unscathed this time, don’t risk getting caught up in the next ransom!

The Wild West of HIPAA!
LAAHU's annual conference was western themed this year, hence our wild west attire!


This past week Mannassi IT Solutions exhibited at the annual conference of the Los Angeles Association for Health Underwriters (LAAHU). We were showcasing our new HIPAA risk analysis services. Many of the brokers we spoke to were very surprised to hear about the ramifications of not having their network meet the HIPAA compliance standards enforced by the HHS Office for Civil Rights (OCR).

What we discovered is that, outside of major hospitals, there is very little education about the compliance standards for what the OCR calls “business associates”: people or businesses that handle information protected under HIPAA on behalf of a covered entity, but who are not themselves the doctors, hospitals or health plans. The risk business associates run by not keeping their technology HIPAA compliant is huge. A single data breach can cost millions of dollars in fines, not to mention the client trust lost. Many people also don’t realize that the OCR can audit you at any time, even if you’ve never had a data breach.

The bigger picture is that HIPAA compliance is not a “one and done” process. The dynamic and ever-changing nature of information technology means that not having an ongoing plan to monitor your network is, as the National Law Review put it in an article last week, “a plan to fail”. Once you’ve got your systems up to HIPAA standards you need to keep a constant eye on the network and act on alerts when it falls out of compliance. From a two-person office to a major hospital, keeping tabs on your security systems is a very real need.

We’ve been working on expanding our offerings, and now provide a solution called HIPAA as a Service.

With this service, you’ll have the peace of mind that you’re under 24/7 lock and key without having to man the battlements yourself. Plus, you’re provided with everything you need to prove your compliance should the OCR decide to audit you. It really does take the headache out of HIPAA compliance!

Visit our HIPAA page to learn more about how we can help you, or drop us a line at info@mannassi.com. We have limited time offers for getting started with HIPAA as a service right away.

Follow us on Twitter @MannassiIT for daily updates about tech, healthcare, & everything in between!