Healthcare Compliance Solutions, Inc.: October 2016

Wednesday, October 19, 2016

Ten HIPAA Security Tips Saving Small Practice’s Time, Money and Reputation

This article was submitted by contributing author, Vic Berger.

My business practice focuses on helping organizations understand their risks related to security. Cyber Security is one risk every organization struggles with. Small businesses face the same types of risks as bigger companies but lack the staffing and resources to respond the same as a large organization. I am frequently asked by small business owners “What cost effective recommendations would you make for my business to make it more secure?” Here are my top ten recommendations for small businesses when dealing with information security.

1. Have A Written Security Policy

Every business needs a good written information security policy. This is the basis for your security plan, as well as your legal safety net when something happens. There is no single action a company can take that is more important. Yet this is often the first issue I find in audits of companies of every size, and in every sector. The plan needs to be well written; read and understood by every employee in the company; and consistently maintained. There are numerous templates and examples of security policies on the internet. Many consulting companies will tailor a stock plan to suit your organization.

2. Encrypt Everything

The first rule of I.T. security is “no solution is perfect 100% of the time”. You cannot always trust prevention methods to keep your data safe. The only way to consistently assure the protection of your data is to encrypt it so it cannot be read. This is especially important with cloud or internet based storage accounts. Dropbox, Google Drive, OneDrive, Box, and Egnyte are all great tools, but no cloud provider will guarantee the security of your data, and all have recently been breached. My basic rule of thumb is: if it is on the internet, consider it public access unless you have encrypted it. You can encrypt your cloud storage using a simple to use (and free for personal use) encryption program from nCryptedcloud that supports Dropbox, Box, Google Drive, OneDrive, and Egnyte available at https://www.encryptedcloud.com/ You can also use a portable USB format hardware encryption and key management device from BlackSquare called Enigma, at www.blacksquaretechnologies.com for personal and small business encryption on portable devices, computers, and cloud accounts.

3. Protect Your Website

Current information security statistics indicate that 85% of all websites have one or more significant security vulnerabilities. I apply patches to my websites almost daily to keep up with newly discovered vulnerabilities. There are three basic types of websites, with three different recommendations based on what you use:

A. A static web page with basic company information that doesn’t change. Your biggest risk is disruption or defacing of this type of website. Your hosting provider or ISP will take care of the service disruption. For defacing, keep a good site backup and do a complete CLEAN restore as soon as possible (hackers leave behind gotchas).

B. An interactive or dynamic web site with user content and/or e-commerce. Often these are created using a standard Content Management Software (CMS) package like WordPress, Joomla, or Drupal. These are best left to a professional company to update and manage if possible. If you must do it yourself, get a good book on securing your type of CMS. Subscribe to the vulnerability notification feed for your CMS type (all of the common solutions have this). Check your website against new vulnerabilities often.

C. A site dedicated to internet e-commerce or a highly interactive site where users log in to access content. Hire this one out! Do not try to do this yourself unless information security is your core business, or you have an I.T. staff with specialized training and certifications in internet security.

4. Data Backups

I see irreplaceable data lost almost every day. I have seen it in government agencies, fortune 500 companies, and in every industry vertical. It can be from a data breach, a hardware failure, a natural disaster, or from human error. Whatever the reason, there is no excuse for not having good backups. You should have at least one full data backup per week. More if your data changes frequently. Store the backups offsite, and somewhere safe. I suggest the granite vault at Perpetual Storage www.perpetualstorage.com, it is the safest storage site in the country. You should also buy a GoBox and store everything you would need to rebuild your business after a major disaster.

5. Avoid Consumer Grade

If you can buy an I.T. product at a local box store, electronics retailer, or office supply store it is probably consumer grade, and not designed for business. This includes firewalls, routers, wireless access points, servers, storage, networking devices, tape drives, or anything that protects, moves, or manages your data. Yes, commercial grade is more expensive, for a reason: It Is Commercial Grade! Consumer grade security equipment was designed to protect a few ports and protocols commonly used by consumers. Business applications use different ports and protocols. It either does not run behind consumer grade equipment or you have to poke holes in your security to make it work. Consumer grade security is also easy to breach. Commercial grade uses much better security methods, and is consistently tested. Call your local I.T. reseller and ask them what they recommend.

6. Know Your Risks

Knowing what you have, that would be of value to someone else, helps you determine what to focus on to protect. Do you have sensitive or privileged data? Is your data unique or valuable? Are there government regulations like HIPAA or Sarbanes-Oxley that affect your industry? Are customers or consumers ever given access to your data? How many employees do you have, and what risk areas do they create? Beyond what is already addressed elsewhere in this whitepaper, as a minimum you need: Antivirus (web search free antivirus), Anti spyware (web search free anti-spyware), and a good security shell for your organization (Try Arellia www.arellia.com). If you have customers that are EVER by your work computers you need an anti-keystroke logging solution (StrikeForce www.strikeforcetech.com). Your mail and web should have mandatory content filters (either through your ISP or your firewall).

7. Plan For BYOD

BYOD stands for bring your own device. This is a huge shift in the government and corporate sector, but probably business as usual in small businesses. Small businesses often use what they have, even if it is a personal device. This is increasingly creating security issues. What your employees, knowingly or unknowingly, have on their devices, and what they do with them in their own time is now brought into your environment. This can open up security holes as well as create liability issues. Make sure that BYOD is clearly defined and covered in your security policy. There is technology that can restrict the security vulnerabilities of personal devices, so ask your local I.T. reseller for assistance. Finally, make sure your employees clearly understand your expectations and limits where BYOD is concerned.

8. Who Is Guarding The Sheep

This applies whether you are a fortune 500 company or a small business. I.T. administrators have great power. They can view privileged information, and have an extremely high level of system access and control, more than even the owners and senior executives of the company. This is a great responsibility, but also a huge temptation. It is very common to discover that I.T. administrators have been inside payroll files, HR files, or other personal or sensitive material. A good security shell like Arellia (see #6) creates log files to review, but that means that someone has to faithfully do this. Again, start with policy and clearly define responsibilities and expectations. Two person integrity is always prudent where money and manpower permit. And as always, rule #2 applies: Encrypt everything!

9. Physical Security Is Information Security

Theft is about opportunities, and criminals use them very effectively. Data from a stolen laptop is easier to obtain than hacking. Why brute force passwords when you can easily install a keystroke logger. A screwdriver to the back door is as good as a key if there is no other security. You must have good physical security policies and practices to have good information security. Cameras are effective and have become reasonably cheap. Programs that wipe stolen devices are commonly available. Keeping sensitive information and records locked away after hours deters opportunistic thieves. Think like a criminal, and then protect yourself from what you would exploit.

10. Know When To Call For Help

I am a passable plumber, marginal carpenter, and just plain dislike auto mechanics. I can do all three if required but usually end up spending more time, effort, and money than what I had intended. I can tackle small jobs but I leave the major projects to the professionals. I.T. Security is a highly specialized field with significant training and experience necessary to operate at a professional level. Your whiz kid nephew, who is good with computers, does not have that level of training or the required experience. This is especially important when there is an incident. Less than 3% of all I.T. professionals have the security experience and certification necessary to handle a data breach. I leave significant plumbing, carpentry, and auto mechanics jobs to the professionals, leave your major I.T. security issues to the professionals as well.

This article was submitted by a contributing author:

Vic Berger

CEO, Opsis Technologies

www.opsistechnologies.com

855-99OPSIS

For more information on protecting your office regarding this issue or additional HIPAA, OSHA, HR, and Medicare resources, please visit our web site: http://www.hcsiinc.com or email support at: support@hcsiinc.com.

Tuesday, October 18, 2016

2016 Ongoing HIPAA Training: Saving You 3 Months When You Breach PHI

Time for a HIPAA Check Up From the Neck Up!

This training will Save You 3 Months After You Breach PHI!

Recovering from the Breach:
1) Steals Your TIME!
2) Destroys Your REPUTATION!
3) Ruins Your CAREER!

Creating a Culture of HIPAA Privacy and Security is one of the biggest challenges facing Healthcare Providers and Business Associates today! Why? You Don't Have ANY SPARE TIME!

In this training HCSI will guide you through the process of how to develop a Culture of Compliance so that when the Auditor comes knocking at your door you are spending minutes with him instead of MONTHS!

What to Expect in the Training:
1-How to develop an effective Risk Analysis.
2-How to develop policies and procedures.
3-How to develop a Compliance Plan in case of an audit.

For more information on protecting your office regarding this issue or additional HIPAA, OSHA, HR, and Medicare resources, please visit our web site: http://www.hcsiinc.com or email support at: support@hcsiinc.com.

Thursday, October 13, 2016

Cutting the Fat from 2016 Compliance Officer Duties: HIPAA, OSHA, Medicare, HR

As you know, HIPAA, OSHA, Medicare, Human Resource Management have each established their own ongoing requirements for Compliance Officers, per location.

Would you agree that this list of duties can be confusing and overwhelming?

This is why we are going to have a training that will help cut the fat from these lists of responsibilities to help compliance officers who are also front desk, office managers, assistants, or even doctors

to focus on the core procedures that must be documented and communicated to staff.

Also, Exciting news...we think!!! I'm going to be rolling out a HUGE Incentive Program for you!

I'm not going to roll out the red carpet with all the details of our Incentive Program until the webinar, but what I can say is that it involves HCSI mailing you $100 Holiday Gift Cards in October!

Again, this webinar is going to do two things:

1) "Check up from the neck up": Ongoing Compliance Officer Duties

2) "Roll out the Red Carpet": Incentive Program

Who should watch this webinar:

• Doctors

• Practice Management (Office Manager, Assistants, etc.)

• Compliance Officers (HIPAA, OSHA…)

• Staff (Front Desk, Back Office, IT, etc.)

(Allow 1 hour for the training)

This video can also be viewed on YouTube, at: https://www.youtube.com/watch?v=LTHtwBydkhY

For more information on protecting your office regarding this issue or additional HIPAA, OSHA, HR, and Medicare resources, please visit our web site: http://www.hcsiinc.com or email support at: support@hcsiinc.com.

Wednesday, October 12, 2016

Fire Safety and Extinguisher Use in Healthcare Facilities

FIRES IN HEALTHCARE FACILITIES

In 2006-2010, U.S. fire departments responded to an estimated average of 6,240 structure fires in or on health care properties per year. These fires caused an average of six civilian deaths, 171 civilian injuries and $52.1 million in direct property damage annually. Almost half (46%) were at nursing homes, and almost one-quarter (23%) were in hospitals or hospices. Cooking equipment was involved in three out of five (61%) fires; dryers were involved in 7%, 6% were intentionally set; another 6% were started by smoking materials, and heating equipment was also involved in 6%. Only 4% of these fires spread beyond the room of origin. Causes, circumstances, and extent of fire spread varied by occupancy.

This graphic provides estimates of fire frequency and associated losses for reported fires in: all health care properties; in nursing homes; in hospitals or hospices; in mental health facilities caring for those with developmental disabilities, mental retardation, mental illness or substance abuse issues; and in clinics or doctors’ offices. Estimates were derived from NFPA’s fire department survey and the USFA’s National Fire Incident Reporting System (NFIRS).

Introduction to Fire and the Proper Use and Maintenance of Extinguishers

This is The Fire Triangle. Actually, it's a tetrahedron, because there are four elements that must be present for a fire to exist. There must be oxygen to sustain combustion, heat to raise the material to its ignition temperature, fuel to support the combustion and a chemical reaction between the other three elements.

Remove any one of the four elements to extinguish the fire.

The concept of Fire Protection is based upon keeping these four elements separate.

Types of Fires

Not all fires are the same. Different fuels create different fires and require different types of fire extinguishing agents.

Class A

Class A fires are fires in ordinary combustibles such as wood, paper, cloth, trash, and plastics.

Class B

Class B fires are fires in flammable liquids such as gasoline, petroleum oil and paint. Class B fires also include flammable gases such as propane and butane. Class B fires do not include fires involving cooking oils and grease.

Class C

Class C fires are fires involving energized electical equipment such as motors, transformers, and appliances. Remove the power and the Class C fire becomes one of the other classes of fire.

Class D

Class D fires are fires in combustible metals such as potassium, sodium, aluminum, and magnesium.

Class K

Class K fires are fires in cooking oils and greases such as animals fats and vegetable fats.

Some types of fire extinguishing agents can be used on more than one class of fire. Others have warnings where it would be dangerous for the operator to use a particular fire extinguishing agent.

Types of Fire Extinguishers

Water and Foam

Water and Foam fire extinguishers extinguish the fire by taking away the heat element of the fire triangle. Foam agents also separate the oxygen element from the other elements.

Water extinguishers are for Class A fires only - they should not be used on Class B or C fires. The discharge stream could spread the flammable liquid in a Class B fire or could create a shock hazard on a Class C fire.

Carbon Dioxide

Carbon Dioxide fire extinguishers extinguish fire by taking away the oxygen element of the fire triangle and also be removing the heat with a very cold discharge.

Carbon dioxide can be used on Class B & C fires. They are usually ineffective on Class A fires.

Dry Chemical

Dry Chemical fire extinguishers extinguish the fire primarily by interrupting the chemical reaction of the fire triangle.

Today's most widely used type of fire extinguisher is the multipurpose dry chemical that is effective on Class A, B, and C fires. This agent also works by creating a barrier between the oxygen element and the fuel element on Class A fires.

Ordinary dry chemical is for Class B & C fires only. It is important to use the correct extinguisher for the type of fuel! Using the incorrect agent can allow the fire to re-ignite after apparently being extinguished successfully.

Wet Chemical

Wet Chemical is a new agent that extinguishes the fire by removing the heat of the fire triangle and prevents re-ignition by creating a barrier between the oxygen and fuel elements.

Wet chemical of Class K extinguishers were developed for modern, high efficiency deep fat fryers in commercial cooking operations. Some may also be used on Class A fires in commercial kitchens.

Clean Agent

Halogenated or Clean Agent extinguishers include the halon agents as well as the newer and less ozone depleting halocarbon agents. They extinguish the fire by interrupting the chemical reaction of the fire triangle.

Clean agent extinguishers are primarily for Class B & C fires. Some larger clean agent extinguishers can be used on Class A, B, and C fires.

Dry Powder

Dry Powder extinguishers are similar to dry chemical except that they extinguish the fire by separating the fuel from the oxygen element or by removing the heat element of the fire triangle.

However, dry powder extinguishers are for Class D or combustible metal fires, only. They are ineffective on all other classes of fires.

Water Mist

Water Mist extinguishers are a recent development that extinguish the fire by taking away the heat element of the fire triangle. They are an alternative to the clean agent extinguishers where contamination is a concern.

Water mist extinguishers are primarily for Class A fires, although they are safe for use on Class C fires as well.

Cartridge Operated Dry Chemical

Cartridge Operated Dry Chemical fire extinguishers extinguish the fire primarily by interrupting the chemical reaction of the fire triangle.

Like the stored pressure dry chemical extinguishers, the multipurpose dry chemical is effective on Class A, B, and C fires. This agent also works by creating a barrier between the oxygen element and the fuel element on Class A fires.

Fire Extinguisher Chart

The Rules for Fighting Fires

Just remember the three A's

ACTIVATE the building alarm system or notify the fire department by calling 911. Or, have someone else do this for you.

ASSIST any persons in immediate danger, or those incapable on their own, to exit the building, without risk to yourself.

Only after these two are completed should you ATTEMPT to extinguish the fire.

Only fight a fire if:

The fire is small and contained
You are safe from toxic smoke
You have a means of escape
Your instincts tell you it's OK

Fire Extinguisher Use

It is important to know the locations and the types of extinguishers in your workplace prior to actually using one.
Fire extinguishers can be heavy, so it's a good idea to practice picking up and holding an extinguisher to get an idea of the weight and feel.
Take time to read the operating instructions and warnings found on the fire extinguisher label. Not all fire extinguishers look alike.
Practice releasing the discharge hose or horn and aiming it at the base of an imagined fire. Do not pull the pin or squeeze the lever. This will break the extinguisher seal and cause it to lose pressure.

When it is time to use the extinguisher on a fire, just remember PASS!

Pull the pin.

Aim the nozzle or hose at the base of the fire from the recommended safe distance.

Squeeze the operating lever to discharge the fire extinguishing agent.

Starting at the recommended distance, Sweep the nozzle or hose from side to side until the fire is out. Move forward or around the fire area as the fire diminishes. Watch the area in case of re-ignition.

Fire Extinguisher Inspection

Like any mechanical device, fire extinguishers must be maintained on a regular basis to ensure their proper operation. You, the owner or occupant of the property where the fire extinguishers are located, are responsible for arranging your fire extinguishers' maintenance.

Fire extinguishers must be inspected or given a "quick check" every 30 days. For most extinguishers, this is a job that you can easily do by locating the extinguishers in your workplace and answering the three questions below.

Is the extinguisher in the correct location?
Is it visible and accessible?
Does the gauge or pressure indicator show the correct pressure?

Fire Extinguisher Maintenance

In addition, fire extinguishers must be maintained annually in accordance with local, state, and national codes and regulations. This is a thorough examination of the fire extinguisher's mechanical parts, fire extinguishing agent, and the expellent gas. Your fire equipment professional is the ideal person to perform the annual maintenance because they have the appropriate servicing manuals, tools, recharge materials, parts, lubricants, and the necessary training and experience.

Fire Safety Preparation and Followup

Ensure that your ENTIRE staff has completed their OSHA compliance training. Verify that your OSHA Compliance Officer and/or HR department have properly done the following:

Have all fire safety alarms, detectors, exit signs, fire doors, emergency lights, etc. Properly inspected by qualified building maintenance staff and/or the local fire department.
Developed safe emergency evacuation routes and have these posted in readily available areas visible to both staff and patients.
Have regular fire drills and instruct employees on the use of alarms, extinguishers, and other emergency procedures in your Fire Safety Plan.
Train with your staff often enough that they feel confident and knowledgeable in the event of an emergency. Fires happen and move quickly. Your staff needs to know how to notify 911, and move themselves and patients quickly and efficiently to a safe location.

Sources: http://www.hcsiinc.com, http://www.nfpa.org, https://en.wikipedia.org/ and

http://www.fire-extinguisher101.com/

Tuesday, October 4, 2016

Those Pesky Password Changes!

This article was written by a contributing author.

So the IT guy says you have to renew your password every 30 to 60 days but we have so many passwords to remember in healthcare already! Where they all are stored? Electronic medical record systems, in the office, hospital systems, insurance sites, HR systems, accounting and payroll systems etc.

You get the picture by now.

We are already so burdened down with patients, billing and revenue, coding correctly, pay cuts!

I understand it is so challenging to work in the healthcare now and the virtual world we now live in.

So why must we take this serious! It seems innocent to let your co-worker use your password just this once until he or she receives theirs.

Everyone in healthcare need to understand these words “Cyber Attack”! In 2015 there were 10 breaches all made in the month of December of very serious nature reported to HHS Office of Civil Rights.

Let’s take a look 5 of these breaches!

1. 12/01: Centegra Health System, Il, affected 2,929 people.

A mailing snafu may have exposed personal information of patients.

2. 12:01: Cottage Health, Calif. Affected 11,000 people

In a statement, Cottage Health officials said limited information from as many as 11,000 patients was exposed.

"Cottage Health recently hired a team of cyber security experts to test our data systems," the statement said. "This team discovered a single server that was exposed. We immediately shut down this server and began an investigation."

3. 12/02 Univesity of Colorado Heath, Co. 827 people affected.

A nurse at Poudre Valley Hospital was fired for viewing patients' medical records out of personal curiosity, the Coloradoan reported.

University of Colorado Health, which operates PVH and Medical Center of the Rockies in Loveland, is notified patients that an employee inappropriately accessed their electronic medical records.

4. 12/03 Blue Cross Blue Shield of Nebraska, 1,872 people affected Blue Cross and Blue Shield of Nebraska notified beneficiaries that a printing error caused some dental explanation of benefits forms to be sent to the wrong customers. The forms revealed treatment and services that the insurer paid for their insured.

5. 12/8 Maine General Health and subsidiaries, 500 people affected

On Nov. 13, 2015, the FBI notified MaineGeneral that agents had detected MaineGeneral data on an external website that is not accessible by the general public. The data affected includes the dates of birth and emergency contact names, addresses, and telephone numbers for certain patients referred by a treating physician to MaineGeneral Medical Center for radiology services since June 2009.

These incidents can cost from thousands of dollars to millions of dollars. Ways to avoid these problems! Perform risk analysis assessments; provide education and training, policies and procedures. Role playing can be helpful to make these situations real to your employees and to ensure success in the event of a breach or cyber attack. The best advice I can offer is to treat these systems and records as if it is your own bank account. Be consistent with your HIPAA training and make it a constant work in process!

Don’t fret be consistent take advantage of the people in the know that can make your life easier!

Marchelle Cagle, CPC,CPC-I, CEMC,CPB,CMOM

Cagle Medical Consulting, LLC

consult@caglecpc.com

This article was written by a contributing author, Marchelle Cagle. We are always open to receiving well written articles from people who have experience working with the following topics: HIPAA, OSHA, Medicare, and Human Resources. If you would like to contribute to this blog by writing an article that will help others who could be in your same situation, please email your article to jhuff@hcsiinc.com. All well written articles will be considered for publication.