HIPAA Conversation

Don’t get fined because you don’t have the right things in place to protect your organization from Hipaa violations. Plans and Security should be  in place my name is Bobby. We will be a little bit technical today and we want to make sure you understand what are the five cyber security questions that are added to the hipaa one security risk assessment this is this is often an evolving and changing process is federal state regulatory requirements change you want to make sure we’re on top of those were going to introduce five of those two they were also going to discuss leveraging the risk assessment for identifying mitigate risks we want to identify those gaps and put a plan in place to remediate those gaps so we’ll start with the topic will drop a nice I like to use the analogy scuba diving will give these snorkel analogy those are going to just you know stroke on the surface and then we’re going to put on the gear and drop really deep it was scuba gear and don’t come back up and give an overall summary so very important if you have questions you want us to drop deeper you want us to hang on to that question and explore elaborate a little bit more please let us know and we will do so you can do that in your question dialog box so introduce our team here today we’ve got Ken Armstrong he is our cyber security expert here at Hibbing one performs a lot of the risk assessments on that side of the house even Marco our president and founder in our lovely mascot pat-pat stands for physical administrative and Technical safeguards very important that we adhere to these things as we look at our compliance insecurities within the organization little bit of detail here but we’ve been doing this a long time we understand you’ll Healthcare compliance our Auditors are certified our goal is to help you not end up on the All-Stars Wall of Shame you know with a breech and we got many different things very simple things that if you implement will eliminate the majority of the risks that we’re finding people your trip people up about 7,000 client site so we we’ve gleaned a lot of knowledge and learning through clients mistakes we can share those most important we are not attorneys but at his Auditors we got understand hipaa-compliant some of the nuances and the consistent changes so before we jumped in my I want to ask a real quick question who is on the call today so I’m going to launch a pole I’d like somebody to scoot up to the computer and an answer this question for me which option best describes your role and by doing this you know if your administrative and clinical staff or your data security what this allows us to do is Taylor a conversation to you so if we find we’re really heavy on the it and compliance a hipaa-compliant side we can go really deep if we find a lot of administrative staff we want to explain to wife from your perspective about two more seconds thank you for filling that in I’m going to close the pole in 3 2 and 1 and display the results here I think you’ll find this interesting so others on the call today this is fascinating we’ve got over 52% of our listeners that are HIPAA compliance or data security we typically C70 80% are usually administrative staff and in clinical staff understand the ins-and-outs of hipaa-compliant so this is going to be a lot of fun in this discussion because we can dive a little bit deeper today so thank you for doing that I’m going to close the pool here and we’ll get moving so I can’t turn on the news without seeing a lot of the breach related incident why are we seeing so many in the world that budgets for it have gone through the roof we’re seeing the Fort Knox of you know Network and server and instruction security why are we still seeing more of these every day when you’re single Bobby it’s actually payroll of cyber criminals are praying on all of us just in the 2018 it’s estimated that the payments in cybersecurity has grown to over 2 billion dollar industry so this opportunity it’s just it’s just fueling the evolution of making these emails to click on and to download even more and more difficult to separate from what’s real and what’s from fiction on top of that hackers know that targeted attacks the faces of all the owners and providers and executives are on website so hackers know that these people typically don’t change passwords makes it easy to compromise their accounts and use their accounts the download and run the pain huge number of increase of these reported breaches On The Wall of Shame that says something about this now what about yamar partner shows in and what we’re finding the nature of these breaches change you know what used to be that try to hack in Grandpa less than and sell that on the black market now you can have the best security in place right it and we find it the back door is being left open by employees training and awareness email little fishing it’s the new normal that’s here it’s not going away and the Bad actors are making a lot of money doing it so it’s important from an IT perspective again I appreciate all the work in and anxiety that that you live with and putting a Fort Knox of security together but you got to trainers training and awareness there so many other things and it will share some very basic things that you can do in terms of training and awareness password protection who sings today I have that will assist you in your security initiatives there’s a lot of security folks on the call today so you’re probably doing a lot of email phishing practice email phishing which is very helpful but also you know we have to do more than just that that is about half of the threat these days you know when you consider that it’s a heck of a lot cheaper to invest in security now than it is to deal with a breach of ponymon and IBM I just came up with their numbers were looking at about $408 per record and that includes you look to help combat this you know we have over 7,000 sites using the software and we definitely want to help you know to help our clients improved the way that they manage their risks what we’ve done is we’ve added we’ve elevated it was a security risk analysis and added new questions to cover these cyber security requirements to sell buy the new threats that are happening HIPAA is great it’s a fat it’s a fantastic foundation what we’ve done is we married the spirit of HIPAA and elevated it with current technology and controls the first one that we want to talk about that we’ve updated with sin with a nipple one software is the use of passphrases instead of passwords that are changed every 90 days or 100 days we actually are asking for passphrase which were at least 20 characters in length and then you can relax those requirements to change them too often in addition to that something that is still we don’t see add opted very Wily but it’s so accessible is multi-factor authentication that it those are two things that will help close the door and block most of the attacks that we’re seeing happen on Terminal Services unsecured profiles and the same users that we talked about that are on the faces of the websites they’re the ones that are targeted they typically don’t change their password and they can use that so the traditional knowledge has been to change password often and to keep them private and never share them with anyone when providers share passwords with workers within the organization and there’s a breach and an investigation 100% of the time the position is not sanctioned 100% of time the amass on the other systems that are helping the position with that password to get terminated so these are things that we have to be very careful at so we’re asking is for you use a passphrase and combine that with multi-factor Authentication for those that are on the call that may not know what it is and I’m not going to go into a lot of detail here multi-factor authentication combined something you know like your passphrase and something you have like yourself oh and yes I’m a security perspective targeted by a nation-state there’s always ways around everything but certainly using technologies that are available today to all of us low cost low entry like for example we just did a white paper in partnership with Microsoft on Office 365 they have a combination of security features that can be used and again and this is a statement from Microsoft they are seeing over 300 million every day so it’s mind-blowing to us that it’s something that’s available to even in the lowest estrellon of Microsoft licensing you can turn a multi-factor authentication even if you’re a single. Writer with only three staff members you can turn on its included in the cost and it’s very easy to use medication-assisted blocking out for those 55% it folks on the call if you got a still wondering what is MFA we do have that white paper available you’re welcome to come to hit one we’ve got logs on passwords you know how to write it’ll pass phrase what to do and we did have a question just slide deck is available at the presentation so we will send this out to you again if you have any additional questions thrown in the chat box or jump on our website every topic we have up here we going to eat and then wrote that white paper for you so you can have some experience deploy multi-factor authentication for thousands of users do you have any tips for those that on the call today in terms of how to prime are primary user base to adopt multi-factor authentication Technologies fishing at this point that it’s kind of like implementing any type of project you want to get your engineers involved at the requirements phase you want to get Executives involved at the requirements phase multi-factor authentication implementation is no different when I get everyone involved in that we becomes their idea and the hygiene of your organization and you’re going to reduce by 9.9% of the attacks on your organization definitely something you want to do for those little more a technical don’t forget to turn out like protocols like Bobby mentioned we have a blog post I go into actually how-to instructions how to do this Office 365 is a unique product on the market place for Microsoft but you can there are eight from Amazon web services as well as your data providers and hosting providers as well so I’m not changing passwords list I become compromised as you change from previous guidance and it’s kind of funny when we first started talking it is because I just had the conversation yesterday about the evolution of passwords and what they need to be under the guidance and why is the reason it’s different is because many of you would use your password and then when it was time to change it what would you do it put a one behind it all of your passwords information is available on the dark web. To you so they have access to that if they see one or two they know to go try before five 6 so USA Fitness guidance is an opinion that is an opinion we can do past phrases and those get a little more mileage but we’ve seen instead of changing them off often go with past phrases and make sure you’re not putting them on sticky tabs under your keyboards and you’re not sharing them that is very important we see a lot of that we’re in the process right now go updating another question we’ve updated a lot of our interview questions for these new guidance illness does recommend now to not change them often but you change them to a long pass phrase easier to remember harder to gas plus since most of our passports have been compromised on the web to recommend doing this now for everyone but then relaxing the duration of changing passwords to actually never saw another question for you Steve by Janet a production of attacks using multi-factor authentication is MFA recommended for accessing systems internally we currently have MFA turned on when we access externally it really depends hit to use at Lowe’s goes those terms but it really depends on your risk profile so for example your internal systems if you can access them directly from the web you want to turn MFA on those as well if you have to get into the outside gate with MFA if you will like Azure active directory or into your systems and then once you’re in launched from there a multi-factor authentication at the perimeter should be adequate can I purchase call us we are here to help you need 1000 hours there is once you have a breach it’s too late and it’s a very expensive it serious or just begging for mercy at that point and there’s a lot of things you can do turning on multi-factor authentication and turning so we have those available on our website so I get questions please let us know thank you Bobby and thank you for those Prussians let’s talk about data loss prevention would you go into how we cover did loss prevention out of your organization so a lot of time platforms have some sort for the speaker internal or through third-party to identify and classify content pattern matching process or through an exact data Med match process ranges in brandy Larry from high-level to very detailed look at your content inside the tip of one look at that real quick so we ask so what’s up and I’m so if you answered yes we asked for some documentation there in the form of the procedure as well as a screenshot DLP big takeaway there is it controls data throughout the data lifecycle from creation through destruction so once the data has been classified we can apply policies to enforce things like encryption information Rights Management we can limit access to only authorized individuals and prevent us from being traded through our systems one great example this we use internally tip of one that’s also documented as well is through Office 365 so you can see the financial example of a HIPAA rule policy looks for two things to look for Social Security numbers and prevent external download of this information from guests from a SharePoint site extremely effective control that can limit exposure could also be applied to email I’ll show you one example of this right here in this email message this Excel file that contains some innocent VIII Financial perspective and so the deal people sees classify this data as sensitive and then so according to the policy is health insurance doesn’t leave the organization inappropriately and any information leaves your organization we can play in Crookston to automatically text messaging and bring her email is acceptable and it is acceptable only if and I say only a few during the patient intake forms you have the Panda Express check box for email unencrypted and also a checkbox to communicate through a text message as well before the patient’s signs but certainly you coming back you like this then you don’t have to worry about that because every email that they received will be encrypted and you’ll be covered and protected as well you just agree of controls required Network I’m sure some documentation to the policy as well as the requirements for looking for a week and you can dress up as well idioms is a commonly known they utilize os-level integration in the offering cell operating system self it features of profiles tunicate Palm Beach mobile device to Grant access to the organization most typically Indians are used to force encryption password to biometric requirements and then to enable secure the lease and corporate data from the by Sonora Quest what’s the most important part of this device has been lost or low employee leaving organization take a picture and bare minimum in being to set up to deck you through encryption screen lock remove white BYOD bring-your-own-device policies they confiscate this little bit so we should encourage you to respect BYOD policy make sure you communicate important to an organization with a thousand devices and there were a lot of those conversations that needed to happen address for years and things like that it’s not big brother we’re just trying to protect you just keep that in mind and then look for it from Charleston to through the network be applied not just outside of network browser even through a client should have built in all transmission should be encrypted already so the other answer is you know if you’re looking at information between computers and file servers basis internally it really depends on you know how your wireless networks are secured and so forth typically internal networks it’s more secure to encrypt everything very difficult to do typically what we find is that applications again that are housing e p h r i n e if you’re doing your own internal development which were going to cover here in just a moment make sure that it forces all Communications to be encrypted with current standards thank you had were the question that help it. Gov has a SRH vs. F1 compare and which option is better I would just say this in 30 seconds or less you stand or sit as a free and I’m doing the air quotes free tool free like a puppy their shots there’s dog food at chews up the couch to the point now the big disclaimer on the front page it will not help you pass your assessment and then I’m just going to go right for the jugular here I used to be friendly to the tool kits garbage it doesn’t calculate your wrist there’s no remediation there’s no automating automated follow up on task there’s a collaborative effort there’s no fight a report so if you are on the IT staff or HIPAA security officer that has all the time in the world and can calculate your own risk high medium and low put it in the spreadsheet and try to do it the archaic way and you have a lot of the time to do that great and it’s free if you want to call it free but it comes at a cost which is your type R tool very inexpensive very efficient and we do this like I said 7000 client sites each year I’ve never had anyone and I’ve been here from the beginning had anyone go through the process is a wow that was a waste of time we spent too much money so that will be the only product endorsement thank you Matt for the question and anybody that has you know we draw attention Center just chimed in and says no written remediation plan no mitigation plan is a big problem they do this day in and day out and their use our software and we have partnered with another dashboard they don’t want to get into the space so there’s a lot to know and in our goal isn’t to try to take a buck from you it’s to help you so that in the event of an audit you pass and you’re eating all those  a requirement and we make sure we follow them so you don’t have to there you go on the train for Teacher development security software development life cycle is a concept intend to bring security closer to the development team development life cycle formula to find in a policy procedure to ensure the management development and deployment of secure software so if you have documentation the formula intend to place security throughout the development cycle and not just bolted on afterwards you know I come from a background I did that for a while and then bring it in early and often to make sure it’s part of that life cycle example policy that we can provide we experience this ourselves to hear at HIPAA one we are software developer we have a software-as-a-service platform that we provide as well and the bottom line is security slows down the ability to go to market but in the long-term it helps add more value to your product that’s what we seem and that’s all I’ll say about that first place I went to see the ad as to what Ken said you know he talked about the software it’s TurboTax like approach ask you a question you have this documentation yes we do load it into the software and we review that make sure that it meets the current regulatory requirements if you say no not a problem we give you the document so rather than going out there wondering what kind of policy if you need we have everything you need to pass not it so that that’s the beauty again of going through this reflects of questioning engine and the output is here’s my high wrist and by the way here’s what you need to do show me some key takeaways from process with security to application development in the last minutes to review and discover problems after it’s already been written and it finally want to consider developing security staff is part of the face gate review process development precedes to process an executive or someone sign off that this is secure and it can go into production that adds a lot of cloud and it will slow things down a little bit but I guarantee it’ll be a lot more effective than having one of your users are clients call you and say hey I can see change management important topics to talk about that for a while this is a focus on the process for technical environmental and operational changes at a high level question here reviews after significant changes in a systematic method for reviewing implementing and controlling technical environmental and organizational changes your organization is it reviewed is it approved and do is the process repeatable inconsistent just a quick update we’re going to go over by a few minutes your hopefully you can stay on for 5 minutes and I would say about 7 to go and we’ll let you go awesome thank you so much for example package or something and then you discovered only works with ie9 now you have to consider how that affects other your assistant that access all the other applications as well and get that sign off for sure we’re going to so how does all this Italian into HIPAA security risk analysis technical question for violating any of the organization’s policies and procedures help clarify operational expectations for everyone address risk is falling Mist the following us for everything we’re actually in the process of implementing we’ve already it’s already in the shop or we’re just going to label all of the nest controls you’ll see them coming here shortly before the end of the year but we have calculated likelihood vs. impact to calculate risk the software within a fraction of a second it automatically calculates is for you and within a fraction of a second give you the results instantly so if using guess try to look and you’re looking at several days of weather Sculpture does it intermediation plan means that there’s a gap and the risk has been out there for you the software cheese up their vulnerability the solution reaction time you can customize that you can put multiple email addresses the software will apply this risk to this individual and then you reduces the overhead tetra do Hino the need to have a steering committee meetings and so forth because everyone has a list of what their tasks and activities are supposed to do, considering the truck you assigning individual and it creates a Steve said it’s the auto harassed feature this is the reminder to continue remediating these items just doesn’t happen with spreadsheets and then the action plan at the very bottom of the exactly what you need to do so we take all the guesswork out of it and is it vulnerability area is tweet to modify so very key that you see the value and the Time Savings of utilizing a tool against TurboTax for HIPAA compliance and if you need a policy and procedure the software Q’s it up both in the interview process and after the risk analysis is over in the both places and we’re on our sixth revision of the policies and procedures currently updating them with the minimum necessary to be complying with HIPAA security rule the wrong word format so you can easily edit them so quick recap standards not only for hipaa and cybersecurity threats that where the rubber meets the road in terms of how all of us use our computers but also you can use HIPAA one for third-party validation to satisfy other entities requirements spreadsheets it comes with one year of services to fill those out on your behalf once we do our risk analysis so we’re going to do another old question here real quick just you know this is real quick 30 seconds is given opportunity for those of us that are on the line that want to talk more about anything related to this webinar thank you and we always have a diverse audience which of the services are you interested in learning more about we have documentation on security risk analysis for training HIPAA compliance training we got privacy breach risk analysis and brand new 42 CFR part 2 to most of you that may mean nothing to those of you that that rings in your ear we are first to have the 42 CFR part 2 additive software a business associate have a tool available for you for free those users of the software get that tool to manage their business associates it’s a beautiful thing and attrition testing cyber security vulnerability scanning or you know what I’m here for educational purposes and that is just fine we’re not going to display the results to this but again what it does is allows us to reach out and give you a white paper there’s no car so I am going to close the pool here just in about 5 seconds but again thank you to those that have joined us today and we are going to send out this document policies and procedures having all these things are available to you and it’s so much better than buying a policy Peter Library prank your friend points out there are free in the tools that are already built you don’t need to go buy it at very expensive PNP Library we find it the cost of the risk analysis is often less expensive than you will spend on a PMP library and you implement you know hundreds of documents and adhere to about half of them that’s not a good thing either from a compliance perspectives so I’m going to close the pool here we want thank you for joining us if you have any questions please visit us at Hipaaone.com one.com 1p two A’s and we know we’re responsible for many of you spelling hit the wrong with are hippos so we apologize will take the blame for that but it’s been a very good discussion were about 10:36 I think you for those that have stayed with us and again go to our website fill out the form and will provide you with any information that you like absolute please feel free to browse are blogs from a main website lie with Ciara Butterfield market manager have completely redone our website were very proud of that and it’s beautiful so please check it out every everything is very quick to find and will also be doing new blog post as well as more webinars we’re adding a ton of new features into the software and we look forward to seeing you soon have a wonderful day maybe free breeches thank you thank you