As of today, everyone can go to my website and download my whitepaper on compliance and security.

It’s called: “18 Critical Steps Every Practice Must Know About Compliance And Security-An Insider’s Guide to meeting HIPAA and MA Data Protection Technical Guidelines.”

In it, I break down both the HIPAA laws as well as 201 CMR 17 (MA Data Protection Law)
and explain precisely what you need to do in order for your computer network to meet compliance and avoid major fines.
But also steps to take to make sure your information is protected to the fullest degree.

Oh and I used regular english instead of my normal tech-speak.

Best part is it’s FREE! So what are you waiting for? go get it! —–> www.SentinelDigital.com
On the right hand side, under the blue arrow.

Feel free to leave a comment after you read it and tell me what you thought about it.

-Edson

I was talking to a Doctor and friend of mine today and a question came up
about teleconferencing, and meeting compliance while doing so.

To start answering this question let it be known that HIPAA doesn’t certify software as being HIPAA compliant or not.

Secondly on 6.10.11 – Skype representatives contacted a company named Breakthrough and stated “Skype is merely a conduit for transporting information” (Click here to read the entire message written)

Now let’s look at Skype itself…

According to them, assuming they’re telling the truth:

Skype uses the AES (Advanced Encryption Standard), also known as Rijndael, which is used by the US Government to protect sensitive information, and Skype uses the maximum 256-bit encryption. User public keys are certified by the Skype server at login using 1536 or 2048-bit RSA certificates

So from a techie point of view, they are indeed “HIPAA compliant.”

Skype is basically a tool to transport video images from one location to the next.
They do not store video or audio on their servers, so therefor you could have a video conference without violating HIPAA rules.

Except for…

HOWEVER, if you chat on Skype about patients it’s a whole different story because those conversations would be consider Personal Health Information and because the chats ARE stored on their servers, that would be a HIPAA violation.

Skype is compliant but are you?

But once again, secure technology is only as good as the people using it.
If you aren’t using secure passwords, don’t have a firewall in place, don’t log off of your computer/Skype when you are done, then you’re still violating HIPAA regulations.
In order to be HIPAA compliant while using Skype it’s more about keeping the environment
around you and the program secure rather than the actual program that you are using.

If you’re looking for more information visit this awesome blog post I found:
Is Skype HIPAA Compliant II

Leave a comment and share your thoughts on Skype and HIPAA Compliance!

About Edson Monteiro.

Edson is a compliance & security specialist, as the President of Sentinel Digital Systems and author of Tech-Source blog, he helps small businesses meet guidelines and saving them big bucks on penalties

This video is about 2 years old but still very much relevant.
In order to be secure it takes 3 things: Technology, Procedure and Practice.

Being a small business the budget tends to be smaller but you must still think big.

Leave a comment and tell us how you are protecting mobile devices and its data!

About Edson Monteiro.

Edson is a compliance & security specialist, as the President of Sentinel Digital Systems and author of Tech-Source blog, he helps small businesses meet guidelines and saving them big bucks on penalties.

]]> http://blog.sentineldigital.com/how-to-create-a-secure-business-network/feed/ 1 http://blog.sentineldigital.com/securing-your-mobile-devic-in-7-easy-steps/ http://blog.sentineldigital.com/securing-your-mobile-devic-in-7-easy-steps/#comments Mon, 16 Apr 2012 10:00:51 +0000 edson http://blog.sentineldigital.com/?p=175 The technology of mobile devices has advanced quicker than ever before.
We have smartphones, tablets & laptops nowadays.

Mobile devices continues to grow more powerful and become even more integrated into our personal and work lives. We have our email, calendars, apps that are integrated with our computer programs and much more. Smartphones and tablets can help an organization increase efficiency, productivity, and provide flexibility as well as speed.

Of course as it plays a bigger roll in our lives, it also becomes a bigger target for criminals.

Often times criminal target business information, such as personal data belonging to your clients.
To protect your device you should be doing the following:

1) Develop a Strategy for Mobile Device Security.

Start by performing an audit to figure out where mobile devices play a role in your organization.
An audit helps you understand your organization’s risk based on the amount, types and usage of mobile devices in your organization.
Next do a risk assessment to find what the possible theft and loss scenarios for your mobile devices and data.
Once you have the results of your audit and risk assessment, you can identify appropiate policies and controls to protect any sensitive and confidential data that may be processed, stored, or transmitted on your mobile devices.

2) Create a Security Policy for Mobile Device usage.

Create a security policy; this could be a little hard depending on how many and what kind of mobile devices that your organization uses.
You still need it to adress risks associated with all the mobile devices being used and procedure that should be followed. Make sure that the following topics are included:

Password complexity requirements
Data that should NOT be stored on mobile devices
Guidelines for business and personal use of mobile devices
How to decide if an application is safe to be downloaded and installed
How to report lost/stolen devices
Jailbreaking devices

3) Establish Accountability

Management in an organization have the responsibility to give the users the policy, procedures, and technologies to secure mobile devices in the workplace. But on the other hand the users have to understand the policies and procedures, be accountable for the security and data on those devices. Make sure your users are well informed and trained on mobile security.

4) Launch Awareness Training

Speaking of training, put in place a training and awareness program to help your employees understand new and up and coming threats.  Especially since more and more users are using their mobile devices to complete their work. These trainings should include cover threats such as:

Phishing – Fake emails asking for personal information
Malware – Downloaded applications that have malware, virus, malicious codes or bots hidden in them.
Eavesdropping – Voice calls aren’t always confidential, especially to foreign countries, and could be a great risk.

5) Use Application Control, Patching & other Safeguards.

Use mobile device management solutions to protect your device and data. It will help do the following:

Restrict corporate e-mail delivery to only those devices that are meeting your company policies.
Change passwords on mobile devices over the air.
Deliver apps to mobile devices in a controlled way.
Make sure that mobile devices are compliant with company policies.
Ensure OS (operating systems) and apps are current and patched
Whitelist approved apps – Blacklist unapproved ones.
Discover jailbreaking and rooting.
Manage and identify all mobile devices accessing your network

6) Use Remote Wipe, Encryption, and Anti-Theft Capabilities

It will cost your business more if a device containing sensitive or confidential data is stolen that it would if it was encrypted.
Besides encryption you should also have anti-theft technologies in place that would help find stolen devices or prevent unauthorized people from using a lost or stolen device.
Most smart-phone have remote wipe on it so that you can erase any data on a lost or stolen phone.
You might also find it useful to invest in software to manage all your devices, and provice centralized logging and reporting.

7) Understand Privacy Issues

Mobile devices have plenty of privacy risks that they inherit. Unauthorized disclosure of customer or employee information can end up damaging your business’ reputation and results in costly fines due to security incidents, data breaches or not complying with regulations.

Leave a comment and tell us how you are protecting mobile devices and its data!

About Edson Monteiro.

Edson is a compliance & security specialist, as the President of Sentinel Digital Systems and author of Tech-Source blog, he helps small businesses meet guidelines and saving them big bucks on penalties.

Compliments of Background Check Guide

Leave a comment and tell us what you think!

About Edson Monteiro.

Edson is a compliance & security specialist, as the President of Sentinel Digital Systems and author of Tech-Source blog, he helps small businesses meet guidelines and saving them big bucks on penalties.

Yea that’s how many companies that deal with personal information treat the laws made to protect personal information like state laws and HIPAA.

Out in California a national medical record company went bankrupt after a burglary (click here to read it). They also had offices in Framingham, Mass., and Kailua, Hawaii.

In a way I feel bad but at the same time… HIPAA does set physical security standards that need to be met.
and they exist for a reason. Like people who run these businesses treat HIPAA like teenagers treat STD’s.
They have an untouchable mentality and when they hear something that happened they tend to think “Oh that won’t happen to me”… NEWSFLASH it CAN and probably WILL if you don’t do something about it.

I wrote an article few weeks back describing how to start getting to HIPAA compliance and what MA state law requires.

So… people or businesses who don’t make an effort to meet these compliance requirements, well I really “pity the fool” – in my best Mr. T. impression.

Leave a comment and tell us what you think!

About Edson Monteiro.

Edson is a compliance & security specialist, as the President of Sentinel Digital Systems and author of Tech-Source blog, he helps small businesses meet guidelines and saving them big bucks on penalties.

This coming from the U.S. Dept of Health and Human Services. Out of the reported breaches that affected 500 or more individuals, 73% of them were electronic. Adding up to a total of 10,122,893 people who’s personal information somehow got in hands that it did not belong to. “On average, approximately 48,000 individuals were affected per electronic data breach” – Old data learns new tricks

The number 1 cause was THEFT.

66% of the electronic data breaches came from theft. Medical identity theft is the fastest growing form of identity theft.  Often times people steal this and attempt to seek medical attention under another person’s name.

Second cause was LOSS.

14% of e-date breaches can be blamed on lost laptops, tablets and mobile devices that contain personal health information for patients.

Third reason: UNAUTHORIZED ACCESS/DISCLOSURE.

10% of those electronic data breaches are a result of people (ex. colleagues or patients) logging into devices at offices while not being authorized.

Fourth cause is due to HACKING/IT INCIDENTS.

9% of electronic data breaches are the fault of hackers and and viruses. Hackers get smarter by the minute and your organization must always stay 2 steps ahead of them in order to keep them away from your data.

In order to protect your organization from becoming a victim of data breaches.. and avoiding big penalties.. you must implement and enforce several steps.

1) It starts with making everyone aware of how important data breaches are.

2) Implement a monitoring system, where you can monitor each device in your network.
You can monitor:

• unauthorized use of computers
• intrusion attempts into your servers
• intrusion attempts by hackers into devices
• anti-virus/spamware status
• and much more

3) Perform vulnerability scans on a regular basis. Scans will keep you up to date on where the flaws in your network are and what the suggested solutions are.

4) Enforce strong passwords. Passwords that ask for:

• at least 6 characters
• dont contain their names
• combination of capital & small letters
• numbers
• symbols ($, ^, ! etc)

5) Install encryption programs on devices. So that if a loss does occur, the data will be encrypted and not accessible.

6) Keep devices and patches up to date. Patches contain the most up to date security fixes. Not updating your patches leave doors open for intruders.

7) Have all devices have auto-log off when no-one is on the computer for longer than 20 seconds. People often forget to log off when they run to the restroom or go out for lunch. This leaves their workstations open for unauthorized use.

Leave a comment and tell us what you think!

About Edson Monteiro.

Edson is a compliance & security specialist, as the President of Sentinel Digital Systems and author of Tech-Source blog, he helps small businesses meet guidelines and saving them big bucks on penalties.

For the health care providers, this is what Meaningful Use is.

Let’s start with what Meaningful Use is…” a qualification to receive federal funding for health information technology, specifically, the use of electronic health records.”

There are 3 stages in Meaningful Use. Stage 1 criteria  (already in effect) set the baseline for electronic data capture and information sharing. Stage 2 (expected to be implemented in 2014) and Stage 3 (expected to be implemented in 2016) will continue to expand on that baseline.

So how are they bullying health care providers?

There are 25 objectives for qualified professional and 24 for hospitals and CAHs (critical access hospitals). In order to qualify you must meet 20 and 19 of those objectives, respectively.

1) If you didn’t meet their criteria and fulfill their meaningful use objectives by 2011, you will not receive incentive payments.

2) If you fail to implement an Electronic Health Record system by 2015 you get penalized.

3) Medicare will be cutting payment amounts to individuals that do no comply.

The Centers for Medicare and Medicaid Services (CMS) on May 19 mailed the first Medicare checks, totaling $75 million, to physicians who had attested that they had achieved meaningful use of their electronic health records (EHRs).

Don’t get bullied, just get compliant. The benefits definitely outweigh the consqeunces.
Share you take on Meaningful Use. Feel free to comment.

About Edson Monteiro.

Edson is a compliance & security specialist, as the President of Sentinel Digital Systems and author of Tech-Source blog, he helps small businesses meet guidelines and saving them big bucks on penalties.

Your patient’s health information is the most important asset of your business. Keeping it protect is more important than ever.The following strategy will help you meet compliance.

The HITECH legislation is Title XIII of the 2009 American Recovery and Reinvestment act, and can be found beginning on page 112 in the official document at:http://www.gpo.gov/fdsys/pkg/BILLS-111hr1enr/pdf/BILLS-111hr1enr.pdf

See also: the HIPAA Security rule and the HIPAA Privacy Rule.

In summary of David C. Kibbe, MD, MBA’s article

1. Understand why computer security is important.

If you need a simple answer to the question, “Why is computer security necessary and important?” the answer is “because everyone cares about the privacy and integrity of their health information.” The point of computer security is to prevent personal health information from falling into the wrong hands or being accidentally changed or destroyed.

2. Make sure your colleagues and employees take security as seriously as you do.

The HIPAA security standards require your practice to have written security policies and procedures, including those that cover personnel training and sanctions for security policy violations. Your office staff and colleagues must truly understand basic security logic and take their role in protecting patients’ privacy very, very seriously. Most security breaches occur when insiders exercise faulty judgment or fail to follow protocols in which they’ve been trained.
Consider two highly people-dependent areas of computer security: physical access and password management.

3. Monitor your information system devices that interact with protected health information in your office.

To assess your office’s current security risk, you have to know, in detail, the capabilities and weaknesses of your information systems. No two medical practices have exactly the same information system components, nor do they manage the flow of information exactly the same way. Some practices still manage most information on paper and have a single computer for billing and accounting purposes. However, most practices, even small ones, have complicated information technology environments that include multiple components. Ex. Firewall, PC’s, Modems, Switches etc.
Detailed examination of your entire system is an important step for three reasons.
o First, it’s required. HIPAA requires you to carry out such a risk analysis and base your new computer security policies and procedures on this analysis, which must be specific to your practice.
o Second, it’s the only reasonable way to assess your risk of security breaches in your current systems and protocols.
o Finally, this exercise can be valuable in the acquisition and use of EHR systems if your practice is moving in that direction.
The HIPAA security standards require your practice to appoint someone as the security manager, so you might want to assign these tasks the person or company monitoring your system. If you need your systems monitored contact Sentinel now (Click here) We offer full system monitoring and security vulnerability audits.

4. Prevention is the best reaction

One of my professors once told me that and it is so true. There are many ways data integrity can be affected; the most common is loss of data from some sort of emergency or disaster, including human error, mechanical hard disk failure, equipment damage due to flooding, or computer virus infection.
A solid computer-system contingency plan is made of a number of steps, including performing backups, preparing for continued operations in an emergency and recovering from a disaster.

5. Be certain that you have anti-virus software and keep it up to date.

Even if you are in solo practice and use only one laptop computer for all your data capture, storage and transmission – and therefore may not require a network firewall – you probably connect to the Internet for e-mail and Web browsing. In terms of risk to your computer’s data, connecting to the Internet is the most dangerous activity in which you can engage. Read my blog post on anti-virus for more information: Click me

6. Understand what encryption will do and when it is necessary.

Contrary to what many people are saying, the HIPAA security standards do not require e-mails, or any other transmission from a doctor’s office, to be encrypted. The standards do require your practice to assess whether its unencrypted transmissions of health information are at risk of being accessed by unauthorized entities. If they are, you should consider some form of encryption

7. Demand that your vendors fully understand the HIPAA security standards.

As you become better informed about computer security and the HIPAA security standards, you will realize the extent to which compliance makes you dependent on hardware, software, network and other information technology (IT) vendors. Their products and services, whether out-of-the-box computer hardware or hands-on-in-the-office IT services, will enable you to meet many of the security standards – or not.

These 7 steps should help you recognize what to look for in order to get HIPAA compliant. Remember to become and remain compliant you have to continuously make sure that every rule is being followed.

What are your thoughts? Any other suggestions? Post a comment below and share your thoughts.

About Edson Monteiro.

Edson is a compliance & security specialist, as the President of Sentinel Digital Systems and author of Tech-Source blog, he helps small businesses meet guidelines and saving them big bucks on penalties.

In the world of small business it’s hard enough covering your overhead expenses, never mind having to worry about a stupid antivirus that keeps popping up saying “renewal needed” with a ridiculous pricetag on it.

Yet small business antivirus software is critical to protecting you business. You wouldn’t leave your business proposals on the park bench. You wouldn’t consider storing your business files in an insecure location. So you shouldn’t leave your computer unprotected, or non-properly protected.

Online threats in the form of viruses, adware, spyware, Trojan horses and rootkits come in masses. A security breach at the business level doesn’t just mean a little downtime. Once you’re infected you’re looking at irreparable damage that could be caused by those infections removing your archives or physically damaging computers.

Adware and spyware are more than just the annoying pop-ups you see. When they get in your business environment they can unveil crucial information or trade secrets. An single infection on any business computer can quickly spread to the entire network. With so many endpoints (desktops, laptops, cell phones, tablets), business computers are even more risk at risk. Several of today’s advanced threats specifically target businesses because business are like sitting ducks when it comes to their security and the scale of the potential damage of getting into a business could be massive. Don’t get caught without effective protection for your entire company.

Most free anti-virus today only cover a few aspects of potential attacks like scanning and maybe web monitoring. When looking for a proper anti-virus you want to make sure you see if they protect the following features before you buy them:

On-access Scanning
On-Demand Scanning
Scheduled Scanning
Heuristic Scanning
Adware/Spyware Scanning
Firewall
Script Blocking
Scan Compressed Files
Auto-Clean Infected Files
Quarantines Infected Files
Monitor HTTP Traffic
Email Protection
Antispam
Instant Messaging Protection
Registry Startup Protection

Also make sure that they protect the platforms that you need:
Server Protection
Workstation PCs
Laptops
USB flash drives
Device Restricting

4 Anti-virus suites have every single one of these features:
Kaspersky Business Space Security
Bitdefender Management Server
VIPRE Business Premium
G DATA AntiVirus Business

But if you don’t need every single on of these features there are also other anti-virus/spam-ware suites that will do the job, just make sure it protects what you need it to protect.

What kind of anti-virus are you using? And who do you recommend? Leave comment and share your thoughts.

If you need help finding or installing anti-virus software to get your systems and data protected properly feel free to contact Sentinel Digital Systems

Subscribe to our blog now to receive e-mails when new articles are posted.

About Edson Monteiro.

Edson is a compliance & security specialist, as the President of Sentinel Digital Systems and author of Tech-Source blog, he helps small businesses meet guidelines and saving them big bucks on penalties.