security Archives - LuxSci

Posts Tagged ‘security’

HIPAA Compliance Checklist

Saturday, January 11th, 2025

Our HIPAA compliance checklist was designed to help organizations understand their obligations under the law. The checklist items are not a complete list, just a starting point for your compliance program. HIPAA requires a yearly risk analysis to identify new vulnerabilities. Any business process change or new technology usage introduces new risk into an organization’s security program, so it’s important to review the standards regularly.


Who Does HIPAA Apply To?

First, recall that HIPAA regulations only apply to covered entities and their business associates. Individuals (unless they fall into one of the following categories) do not have responsibilities under HIPAA. It is okay for a patient to disclose information about their medical conditions and treatments to others in whatever format they choose.

Covered Entities

Covered entities are organizations that provide health care, process medical information, or manage health insurance plans. There are three main categories of covered entities that include:

  1. Health care providers, payers and suppliers: Individuals or organizations that provide care, services, or supplies related to the health of an individual. This category also includes those who sell or dispense pharmaceuticals, medical devices, and equipment in accordance with a prescription.
  2. Health plans: An individual or group plan that provides or pays the cost of medical care.
  3. Health care clearinghouses: An entity that processes medical claims submitted by health care providers to insurance companies.

Business Associates

The HITECH Act extended HIPAA compliance requirements to the business associates of covered entities. A business associate is a company that collects, processes, or stores protected health information (PHI) on behalf of a covered entity. A few examples of business associates include marketing agencies, IT companies, financial services, or legal offices. LuxSci is a business associate. We store and transmit PHI on our servers and networks, and we have a responsibility to our customers to keep that data safe under the law.

Furthermore, the Omnibus Rule requires business associates of business associates to also follow HIPAA regulations if they handle ePHI. An example of this scenario would be a marketing agency working for a hospital that contracts LuxSci for web hosting or online form services. Even though we don’t directly work with the hospital in this instance, we must still sign a business associate agreement that outlines how we will secure sensitive information.

Understanding PHI

Before diving into the HIPAA compliance checklist, it’s important to understand what data needs to be secured. HIPAA regulations safeguard protected health information. Otherwise known as PHI, it is simply defined as individually identifiable health-related information. Health-related information includes information about past, present, or future medical conditions, treatments, provisioning, and payments.

To fall under the PHI category, health-related information must be linked to an individual identifier. Some of the most common personal identifiers include: names, email addresses, phone numbers, medical record numbers, photos, and driver’s license numbers. When PHI is electronically stored or transmitted, it is called ePHI.

Medical records are an obvious example of PHI. However, even less sensitive items like email or text appointment reminders can infer medical information about a patient and also need to be properly secured. Think about it: something like an appointment reminder may mention the doctor’s name and the place of treatment in combination with an individual’s name and email address. Depending on the message content, it may be ePHI.

For more details, see: What exactly is ePHI? Who has to worry about it? Where can it be safely located?

It is crucial that organizations understand exactly what PHI they are responsible for protecting. Even seemingly innocuous text messages or email communications can land an organization in trouble if not properly secured.

Understanding the HIPAA Compliance Checklist

HIPAA uses the terms ‘required’ and ‘addressable’ to describe standards within the law. Required (R) means that the standard is mandatory. Addressable (A) means that the standard must be implemented by the organization unless a risk analysis concludes that implementation is not reasonable and appropriate. Important Note: Addressable does not mean optional.

The HIPAA Security Standard reflects a technology-neutral approach. This means that there are no specific technological systems to implement. Organizations must decide and document how they plan to meet each standard.

Which standards should be addressed?

One general rule is that any time there is risk, it should be addressed. If an organization decides to send unencrypted ePHI over email, there is a major risk of disclosure. An organization could be considered willfully negligent if an unauthorized user gained access to unencrypted ePHI. If the organization chooses not to encrypt the data, it should fully document its reasoning for not implementing the standard.

Ignoring HIPAA requirements, addressable or required, is “willful negligence.” If there is a breach or violation, the penalties in cases of willful negligence are severe. Ignorance is no excuse.

HIPAA Compliance Checklist

HIPAA standards fall into four categories. Standards denoted with a (R) are required, while those with an (A) are addressable.

Administrative Requirements

Administrative requirements pertain to employee training. Organizations must implement security measures to reduce systemic risks and safeguard electronic and physical information.

  1. Risk Analysis: (R) Perform a risk analysis to understand where PHI is stored to determine what data is at risk.
  2. Risk Management: (R) Implement measures to reduce identified risks to an appropriate level.
  3. Sanction Policy: (R) Implement sanction policies for employees who fail to comply.
  4. Information Systems Activity Reviews: (R) Regularly review system activity, logs, audit trails, etc.
  5. Officers: (R) Designate HIPAA Security and Privacy Officers.
  6. Employee Oversight: (A) Create procedures to authorize and supervise employees who work with PHI, and for granting and removing PHI access to employees. Ensure that an employee’s access to PHI ends with termination of employment.
  7. Multiple Organizations: (R) Protect PHI from unauthorized parent or partner organizations and from unauthorized subcontractors.
  8. ePHI Access: (A) Implement procedures for granting access to ePHI. Document access to ePHI or to services and systems which grant ePHI access.
  9. Security Reminders: (A) Periodically send updates and reminders of security and privacy policies to employees.
  10. Protection Against Malware: (A) Implement procedures to guard against and detect malicious software.
  11. Login Monitoring: (A) Monitor logins to systems and report discrepancies.
  12. Password Management: (A) Ensure there are procedures for creating, changing, and protecting passwords.
  13. Response and Reporting: (R) Identify, document, and respond to security incidents.
  14. Contingency Plans: (R) Ensure that there are accessible backups of ePHI and procedures to restore lost data.
  15. Contingency Plans Updates and Analysis: (A) Periodically test and revise contingency plans.
  16. Emergency Mode: (R) Establish procedures to enable continuation of critical business operations. These procedures include securing electronic protected health information while operating in emergency mode.
  17. Evaluations: (R) Perform periodic evaluations to see if any changes in business operations or the law require changes to HIPAA compliance procedures.

HIPAA Organizational Requirements

Organizational Requirements include the development, documentation, and implementation of security policies and procedures, and the management of business associate agreements.

  1. Business Associate Agreements: (R) Create and manage contracts with business partners who will have access to the organization’s PHI to ensure that they will adequately safeguard data.
  2. Policies, Procedures and Documentation Requirements: (R) A covered entity must implement reasonable and appropriate policies and procedures to comply with the standards and implementation specifications.

HIPAA Physical Requirements

Physical Safeguards concern physical access to buildings, workstations, computer servers, and networks. Only allow authorized access to ePHI and monitor access through established policies to prevent violations.

  1. Contingency Operations: (A) Establish procedures that allow facility access in emergency situations to support the restoration of lost data.
  2. Facility Security: (A) Implement policies and procedures to safeguard the facility and equipment from unauthorized physical access, tampering, and theft.
  3. Access Control and Validation: (A) Institute procedures to control and validate an individual’s access to facilities based on their role or function. Log visitors and control access to software programs.
  4. Maintenance Records: (A) Implement policies and procedures to document repairs and modifications to the physical components of a facility which are related to security.
  5. Workstations: (R) Establish policies to govern software usage. Set up procedures for proper configuration of systems that provide access to ePHI. Safeguard all workstations that provide access to ePHI and restrict access to only authorized users.
  6. Devices and Media Disposal and Re-use: (R) Create procedures to securely dispose of media that contains ePHI. Put policies in place for the reuse of devices and media that formerly stored ePHI.
  7. Media Movement: (A) Record movements of hardware and media associated with ePHI storage. Create a retrievable, exact copy of electronic protected health information, when needed, before movement of equipment.

HIPAA Technical Requirements

Technical Safeguards ensure the security of data at rest and in transmission. Controlling access to ePHI provides a reviewable log of users in case of a security incident.

  1. Unique User Identification: (R) Assign a unique name or number for identifying and tracking user identities.
  2. Emergency Access: (R) Establish procedures for obtaining necessary electronic protected health information during an emergency.
  3. Automatic Logoff: (A) Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity.
  4. Encryption and Decryption: (A) Institute a mechanism to encrypt and decrypt electronic protected health information when deemed appropriate.
  5. Audit Controls: (R) Establish hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.
  6. ePHI Integrity: (A) Create policies and procedures to secure electronic protected health information from improper alteration or destruction.
  7. Authentication: (R) Implement procedures to verify the identities of people or entities seeking access to electronic protected health information.
  8. Transmission Security: (A) Institute technical security measures to guard against unauthorized access to electronically transmitted protected health information.

What else should you know about HIPAA compliance?

Compliance is an ongoing process, not a one-time event. This HIPAA compliance checklist represents only an overview of the major points. Each organization will need to complete their own risk assessment to understand what data is at risk and the steps they need to take to secure it. It’s easy to see why many organizations choose to work with third parties to secure their technology. If your company needs help with HIPAA compliant email and web services, reach out to LuxSci today.

What is Cyber Insurance?

Tuesday, March 1st, 2022

As cyberattacks are increasing in frequency, many organizations have come to view them as inevitable. Even organizations that have a strong cybersecurity program can be impacted by a zero-day vulnerability or employee errors. Cyber insurance helps limit the impact of a cyberattack by helping organizations recover the costs. Cyber insurance is not a replacement for a comprehensive cybersecurity program. In fact, many cyber liability insurance policies require organizations to take steps to secure sensitive information.


Who Needs Cyber Insurance?

In the 1990s, the earliest forms of cyber liability insurance were created to help address data processing errors. California’s passage of the Security Breach and Information Act in 2003 led to increased demand for insurance policies. Under this law, California companies were required to notify customers if their information was accessed or stolen by unauthorized persons. As other states passed similar laws and instituted financial penalties for data breaches, cyber insurance policies grew in popularity.

Historically, financial information and credit card numbers were prime targets for cyber criminals. As ecommerce and online banking took off, large financial institutions and retail chains were likely to have cyber insurance because of their increased risk. More recently, cybercriminals have expanded their scope to go after sensitive information collected by other industries. The healthcare, education, and manufacturing industries have become frequent targets for cyber criminals. As a result, more organizations are buying cyber insurance. According to the Government Accountability Office (GAO), cyber insurance sales increased from 26 percent in 2016 to 47 percent in 2020.

This means that any business transmitting or storing sensitive data online is vulnerable to a cyberattack. Sensitive data is not limited to financial information or medical records. Intellectual property, customer or lead lists, and other types of company data could all be at risk.

What Does Cyber Insurance Cover?

There are many types of cyber insurance policies and different coverage options. However, most plans reimburse companies for expenses caused by cyberattacks. Common coverage options include:

  • data recovery costs
  • system forensics to discover the cause of a cyberattack or location of a breach
  • customer notification and reparation costs
  • system repairs
  • legal fees

Some cyber insurance policies may even cover the cost of paying a ransom if compromised by ransomware. Although it’s tempting to pay a ransom and resume operations quickly, organizations should not count on insurance reimbursement. Law enforcement also discourages companies from paying ransoms, and these fees can be quite hefty.

What Doesn’t Cyber Insurance Cover?

Unfortunately, cyber insurance can’t help a company recover from the reputation costs of a data breach or security incident. Many organizations suffer from a loss of business in the aftermath of a cyberattack or breach. Cyber insurance does nothing to defray those costs.

Can I Ignore Cybersecurity?

On that note, it should be obvious that cyber insurance is not a replacement for a strong cybersecurity program. In fact, most insurance providers require organizations to meet minimum security standards to qualify for coverage. Failing to meet these standards may cause the company to void insurance policies.

In addition, lowering the organization’s risk profile by implementing a security program can also help lower insurance premiums. Demonstrating that the organization takes privacy and security seriously can help make these premiums more affordable.

Conclusion

In conclusion, any organization that transmits or stores sensitive information online, or is reliant on internet-connected devices to perform vital tasks, should explore coverage options.

5 New Year’s Resolutions to Improve Your Cybersecurity

Tuesday, January 4th, 2022

Happy New Year! Start the year off by making a New Year’s resolution to improve your cybersecurity. Here is LuxSci’s list of what your organization needs to do to prepare for the new year.



2021 Year in Review

Tuesday, December 21st, 2021

As the year draws to a close, it’s a good time to take a look back. In this 2021 Year in Review, we analyze the most important developments in cybersecurity, as well as the major information security threats.


2021 Year In Review: The Impact Of Coronavirus

As we entered year two of the coronavirus pandemic, we were still dealing with the fallout. The work-from-home model spurred on by COVID-19 presented a significant shift for the workplace and the way we use technology. The emergence of the Delta and Omicron variants wreaked havoc with plans to return to the office. As a result, many roles permanently shifted to full-time remote work. Other companies returned to the office and are managing a hybrid model. There are far more work-from-home opportunities than were available in the pre-pandemic world.

This has significantly altered the threat landscape. Organizations need to acknowledge that remote work is here to stay. As a result, they should update their security plans and invest in the equipment needed to enable secure remote work.

In addition, there have been a host of COVID-19-related threats that we have had to remain vigilant against. These have ranged from fake COVID-19 medication websites that suck up sensitive data, to malware loaders that use pandemic-related topics as a smokescreen. The most effective threats often utilize social engineering and the anxiety caused by COVID-19 is a benefit to cybercriminals.

The good news is that these threats seem to be going down, with Trend Micro finding about half the number of COVID-19-related threats in the first half of 2021 as they did in the beginning of 2020. However, this does not mean that overall cyberthreat levels are decreasing. Instead, it’s likely that attackers are simply moving on to other deception techniques.

2021 Year In Review: Ransomware

Trend Micro reported that ransomware detections halved from 14 million in the first 6 months of 2020 to 7 million between January and June 2021. However, this doesn’t mean that the threat is going away. The company’s report finds that attackers are adopting a targeted approach that aims for high rewards, as opposed to pursuing as many victims as possible. Indeed, we saw attacks on critical infrastructure this year that garnered national attention. The Colonial Pipeline, JBS Foods, and Kaseya ransomware attacks were just a few that made headlines in 2021.

Figures from Palo Alto Networks show that ransomware payouts are rising. The average ransomware payment rose from $312,000 in the first six months of 2020 to $570,000 in the first half of 2021. The FBI was able to recover some ransomware payments from cryptocurrency wallets this year, but only in a small fraction of cases.

Trend Micro also noticed an increase in modern ransomware attacks that involve more sophisticated methods of infection. As ransomware threats get more sophisticated, make sure your cybersecurity program is keeping up. Annual reviews, training, and investment in cybersecurity are crucial to keep your business protected.

2021 Year In Review: Zero Trust Architecture

One of the more positive developments in cybersecurity has been the move to Zero Trust Architecture. This approach was spurred on by a government initiative that aimed to boost America’s cyberthreat resilience. The initiative also included plans to modernize the federal cybersecurity environment.

Under the plan, each agency head was required to develop plans for implementing Zero Trust Architecture according to guidelines set out by the National Institute of Standards and Technology (NIST). The government is continuing to invest more in cybersecurity as a part of America’s national defense. It’s likely we will see increased funding for such initiatives in 2022.

Zero Trust Architecture quickly caught on across all industries. It is an approach that assumes an organization’s own network is not safe from cyberthreats. This security model accepts that attackers may already be inside the network and involves creating trust zones of access which are as small as possible. The approach reduces the potential impacts of an attack. Limited trust zones prevent bad actors from accessing all of a network’s systems and data.

Stay Safe in the Future With LuxSci

The last 12 months have brought a lot of changes to the cyber landscape. One thing that always stays consistent is the tenacity of attackers in coming up with new ways to circumvent cyberdefenses.

Amid our ever-changing tech environment and the constant wave of novel attacks, the only way for companies to effectively defend themselves is with a cybersecurity partner like LuxSci. Contact us now to find out how our services can help to protect your organization from threats in 2022 and beyond.

Should your web site database have its own dedicated server?

Tuesday, August 24th, 2021

Should you have separate dedicated servers or clusters for your web site and database? It comes down to your security and reliability needs. What are the pros and cons of each scenario? Is it worth the expense? We delve into these business-critical questions in this article.


Let’s look at the security and reliability impact of the various common configuration choices.
