How does HIPAA law apply to health information technology? Know the role of risk analysis to maintain privacy and security of electronic health information.
The term “health information technology” (health IT) is a broad concept that encompasses an array of technologies to store, share, and analyze health information. With an increasing number of providers plunging into the vast pool of HIT, it becomes imperative that you have a clear vision of the association between HIT and HIPAA, along with the need to perform risk analyses.
SMBs need a security policy template and a security risk assessment more than ever before. Learn what steps you have to take.
A security policy template is a must for any organization, irrespective of its size and the nature of its business. Small and medium businesses (SMBs), just like large organizations, need to have a clear policy on how they are going to face a cyber attack. A security policy template works as a starting framework that your practice can customize in a way that meets your organizational and legal requirements.
The first step in formulating a security policy template is to assess your needs and regulatory requirements. Second comes the critical security risk assessment (SRA) process. In this article, you will get insight into SRA, its goals and common mistakes to avoid. Read the rest of this post.
In our previous post, we described various techniques used to attack WordPress-based sites. In this post, we’ll give some examples of what happens after the vulnerabilities have been exploited to hack into a website. The purpose is to continue to reiterate the lessons that blogs such as ours (see here, here and here) provide to alert the medical industry, specifically, and business, in general, to security issues that can lead to breaches and loss of business, reputation, and income.
It is worth recalling that WordPress is the world’s most popular content management system (CMS) powering ~60% of websites worldwide (that are known to use a CMS), and ~29% of all web sites. While it is hard to find the statistics on how many websites related to the medical industry use WordPress, it is likely that these could well be a substantial percentage of the total given the ease of setup and use associated with WordPress. The fact that many of these are smaller sites, often without much IT support (much less security support) makes them all the more vulnerable. This makes education about the security aspects of WordPress all the more necessary.
Despite the valiant efforts of the WordPress organization, vulnerabilities continue to exist and most exploits take advantage of the simplest techniques – infrequent updates of critical software, poor web site hygiene (easily broken passwords, retaining default options, turning off auto updates, etc.) and the use of vulnerable WordPress plugins and themes. (Hereafter, we also include plugins and themes when we talk of WordPress vulnerabilities, unless we need to specifically distinguish between these.) Sucuri.net, a website security company, noted that of the 11,485 infected websites that they analyzed in 1Q2016, 78% of these were built on WordPress of which ~56% were out-of-date (i.e., not running the latest version). The vulnerabilities were primarily in the plugins and themes. Read the rest of this post.
Many patients are apparently wary of embracing patient portals due to security concerns. Learn how you can reassure them about the safety.
No doubt, patient portals are highly effective in increasing patient engagement and optimizing treatment outcomes. But many patients tend to be reluctant to adopt this “new” tool because they are concerned about security and privacy issues.
The safety concerns make a lot of sense considering how hackers are increasingly attacking health data. If your practice uses patient portals, it’s your responsibility to convince the patients that their sensitive information is in safe hands. How will you do that? Read the rest of this post.
TLS stands for “Transport Layer Security” and is the successor to “SSL” (Secure Sockets Layer). TLS is one of the standard ways that computers on the Internet transmit information over an encrypted channel. In general, when one computer connects to another computer and uses TLS, the following happens:
- Computer A connects to Computer B (no security)
- Computer B says “Hello” (no security)
- Computer A says “Let’s talk securely over TLS” (no security)
- Computer A and B agree on how to do this (secure)
- The rest of the conversation is encrypted (secure)
Once the secure channel is established:
- The meat of the conversation is encrypted
- Computer A can verify the identity of Computer B (by examining its SSL certificate, which is required for this dialog)
- The conversation cannot be eavesdropped upon (without Computer A knowing)
- The conversation cannot be modified by a third party
- Other information cannot be injected into the conversation by third parties.
TLS (and SSL) is used for many different purposes on the Internet and, when used, helps make the Internet a more secure place. One of the popular uses of TLS is with SMTP, for transmitting email messages between servers in a secure manner. See also:
- How Does Secure Socket Layer (SSL or TLS) Work?
- The Case for Email Security (Why normal email is insecure)
WordPress is the world’s most popular publishing platform, with a strong emphasis on usability and support of open web standards. It powers most of the largest content providers as well as millions of personal blogs. Its open source software, available at WordPress.org, can be downloaded to a suitable server and run as a standalone publishing platform, while ordinary users can quickly create personal sites as sub-domains of WordPress.com.
There’s no doubt that the statistics about WordPress are impressive: ~30% of the million most visited sites on the Internet run WordPress; at 52%, it far surpasses its nearest competitor (at a measly 6.3%) for the largest market share of content management systems; it powers 96% of blogging websites worldwide – we could go on and on, but we refer the reader to other sources for more numbers.
But with such numbers come vulnerabilities. Its popularity makes it a conspicuous target for hackers. Not all hacking is in search of personal data or immediate financial gain. WordPress attacks serve as a fertile finishing school for hackers-to-be as well as provide access to resources that can be used for launching other types of attacks, such as search engine optimizations, ad injections, affiliate links, botnet attacks, etc. Consider some examples: Read the rest of this post.
Fred is a busy small business CEO. He hired a cheap developer online to set up his secure medical web site for him. The developer got an SSL certificate and set up pages where patients can make appointments and the doctor can receive patient requests and notices, “securely”. However, the developer didn’t have any real training in security, none in HIPAA, and as a result, PHI was being sent in the clear, there were no audit trails or logs, SSL security was not enforced, and many other serious issues plagued the site. The worst part — No one knew.
Luckily, Fred was made aware of the situation before a serious security breach happened (that he knew of); however, he had to re-do the site from scratch, more than doubling his time and money costs.
Creating a web site that has “secure” components requires more than slapping together some web pages and adding an SSL Certificate. All such a certificate really does is create a thin veneer of security — one that does not go very far to protect whatever sensitive data necessitated security in the first place. In fact, naive attempts at security can ultimately make the data less secure and more likely to be compromised by creating an appetizing target for the unscrupulous.
So, beyond paying big bucks to hire a developer with significant security expertise, what do you do? Start with this article — its purpose is to shed light on many of the most significant factors in secure web site programming/design and what you can do to address them. At a minimum, reading this article will help you to intelligently discuss your web site security with the developers that you ultimately hire. Read the rest of this post.
Thinking of incorporating electronic health information exchange (HIE) into your business process flow? Here are 5 things you should not miss.
Health information exchange (HIE) through electronic means is a great way to add value to your practice. No doubt, any form of HIE has its own share of benefits. For example, faxing patient information has been in practice for decades now. (Further reading: Is FAXing really HIPAA Compliant?)
But electronic HIE deserves a special mention because the data have to be standardized before being exchanged electronically. Data standardization allows smooth integration of the health information into patients’ EHRs. This results in improved patient care.
Continue reading to know other health information exchange benefits and how to safely integrate electronic HIE into your practice. Read the rest of this post.
I just got junk email … from me!
It is surprisingly common for users to receive Spam email messages that appear to come from their own address (i.e. “firstname.lastname@example.org” gets a Spam email addressed so that it appears to be from “email@example.com”). We discussed this issue tangentially in a previous posting: Bounce Back & BackScatter Spam – “Who Stole My Email Address”? However, many users wonder how this is even possible, while others are concerned that their Spam filters are not catching these messages.
How can Spammers use your email address to send Spam?
Because of the way that email works at a fundamental level, there is very little validation performed on the apparent identity of the “Sender” of an email. Just as you could mail a letter at the post office and write any return address on it, a Spammer can compose and send an email message with any “From” email address and name. This is in fact extremely easy to do, and Spammers use this facility with almost every message that they send.
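Since the visible “From” line proves nothing on its own, a receiving server or filter has to compare it with things the sender cannot freely choose: the envelope sender (Return-Path) and the SPF/DKIM results the receiving server recorded. The script below is an added example, not code from the original post; the Return-Path and Authentication-Results headers it reads are constructed sample data, and it assumes the receiving server stamps those headers before delivery.

```python
"""Added example, not from the original post: does the visible "From"
address line up with the envelope sender and with the SPF/DKIM results a
receiving mail server recorded? All headers below are constructed sample data."""
from email import message_from_string
from email.utils import parseaddr
import re

# Constructed sample: visible From is the recipient's own address, but the
# envelope sender (Return-Path) and the SPF-checked domain are somewhere else.
SPOOFED_SAMPLE = """Return-Path: <bounce@bulk-sender.example>
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=bulk-sender.example; dkim=none
From: "Jane Doe" <jane@example.org>

Hello"""

# Constructed sample of a message that really did come from the domain.
LEGIT_SAMPLE = """Return-Path: <jane@example.org>
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=example.org; dkim=pass header.d=example.org
From: "Jane Doe" <jane@example.org>

Hello"""

def org_domain(addr_or_domain: str) -> str:
    """Organizational domain (last two labels), as used for relaxed DMARC alignment."""
    domain = addr_or_domain.split("@")[-1].strip("<> ").lower()
    labels = domain.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else domain

def check_sender_alignment(raw: str) -> dict:
    """Compare the From domain with Return-Path and the recorded SPF/DKIM results."""
    msg = message_from_string(raw)
    from_domain = org_domain(parseaddr(msg.get("From", ""))[1])
    return_path = org_domain(parseaddr(msg.get("Return-Path", ""))[1])
    auth = msg.get("Authentication-Results", "")
    spf = re.search(r"spf=(\w+)\s+smtp\.mailfrom=([\w.-]+)", auth)
    dkim = re.search(r"dkim=(\w+)(?:.*?header\.d=([\w.-]+))?", auth)
    spf_aligned = bool(spf and spf.group(1) == "pass" and org_domain(spf.group(2)) == from_domain)
    dkim_aligned = bool(dkim and dkim.group(1) == "pass" and dkim.group(2)
                        and org_domain(dkim.group(2)) == from_domain)
    return {
        "from_domain": from_domain,
        "return_path_domain": return_path,
        "envelope_aligned": return_path == from_domain,
        "spf_aligned": spf_aligned,
        "dkim_aligned": dkim_aligned,
        "dmarc_pass": spf_aligned or dkim_aligned,  # From must be backed by an aligned pass
    }
```

A spoofed "from yourself" message typically fails every alignment check even when SPF passes for the spammer's own bulk-sending domain, which is exactly the signal a filter can act on.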