Tag Archives: two-factor authentication

How Technology Prevents HIPAA Violations

HIPAA violations are growing in number and cost, and have affected medical facilities of all sizes.

While training and vigilance on the part of administrators and staff is a vital component to HIPAA compliance, the right technology can turn an open book into a bank vault. From secure medical grade all-in-one computers to software to online tools, here are some of the best ways technology is making ePHI (electronic protected health information) more secure.

HIPAA violations and costly fines are not inevitable.

How Bad is It?

HIPAA violations and fines are practically raining from the sky. 2018 saw significant data breaches, some of which affected millions of patients.

In January of 2018, Florida's Medicaid agency disclosed that the data of 30,000 patients was exposed to attackers after an employee fell for a phishing email.

Also in January, a medical group in New York had a record breach that had nothing to do with malicious intent. A misconfigured database listening on an open, unauthenticated port exposed the records of 42,000 people to anyone who happened to find it. Social Security numbers, patient notes, and even names of family members were all up for grabs.

In April, the Center for Orthopaedic Specialists in California was hit by ransomware that may have exposed 85,000 patient records. In September, three Boston hospitals paid about $1 million in settlements for potentially compromising patient privacy while an ABC documentary crew filmed on their premises.

And, of course, Anthem paid a record-breaking $16 million settlement for a breach that affected 79 million patients. The settlement cited not only the breach itself but also the failure to implement adequate access controls, to conduct an enterprise-wide risk analysis beforehand, and to regularly review system activity for red flags.

Almost all of these breaches could have been prevented or mitigated by better technology, more robust security software, and improved employee education.

Online Training Programs Can Educate Staff Members

Hacking is a many-headed hydra, and it is not just ransomware and worms. “Social engineering” covers the techniques attackers use to get into secured systems by manipulating the people in an organization rather than breaking the technology.

Social engineering tactics vary wildly, from dressing like an electrician to get into a sensitive area, to calling an employee and posing as an IT tech who needs their credentials, to simply sending malware that relies on the victim to click, open, download, or install something they shouldn’t.

Consider enrolling staff members into an online HIPAA compliance course, or a general data security training program. If you’re afraid of employees falling asleep during a dry infosec video, try SecurED, a data security training course that was actually written in part by Hollywood comedy writers.

And if you want the real skinny from an expert, world-famous hacker Kevin Mitnick created his own security awareness training to illuminate the best techniques for avoiding malicious software and social engineering.

Install Security Software on All Devices

Cloud storage attached to medical all-in-one computers, medical tablets, and personal devices must be encrypted. Any messages, data, or images that back up to a cloud service are just as exposed as messages sent from one user to another, and they are just as much ePHI.

Dropbox, OneDrive, and Google Drive encrypt data in transit and at rest, but the provider holds the keys, so anyone who obtains the account credentials or an over-shared link can read the files, and that makes them a weak point in any system. HIPAA also requires a Business Associate Agreement with the cloud provider; the business tiers of these services offer one, personal accounts do not. The solution isn’t to stop using cloud services, since backing up data has never been more important, but to encrypt files on the device before they enter the sync folder, for example with a client-side encryption tool such as Sookasa, so the provider only ever stores ciphertext.
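As an added illustration of “encrypt before it enters the sync folder” (example code written for this page, not Sookasa’s or any vendor’s implementation), the Go program below seals a record with AES-256-GCM on the device so that only ciphertext is ever handed to the sync client, and binds the file name into the authentication tag so a blob cannot be swapped between files in the cloud. The key derivation from a fixed string, the file name, and the sample record are constructed for the example; a real deployment would hold the key in a KMS or hardware token.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// deriveKey turns a secret the practice controls into a 32-byte AES-256 key.
// Hypothetical helper for this example: in production the key would come from
// a KMS or hardware token, never from a hard-coded string.
func deriveKey(secret []byte) []byte {
	sum := sha256.Sum256(secret)
	return sum[:]
}

// EncryptForSync seals a file with AES-256-GCM before it is written into the
// sync folder. The file name is bound in as additional authenticated data so
// a blob cannot be silently swapped between files in the cloud. Output layout:
// nonce || ciphertext || 16-byte tag.
func EncryptForSync(key []byte, name string, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext and tag after the nonce passed as dst.
	return gcm.Seal(nonce, nonce, plaintext, []byte(name)), nil
}

// DecryptFromSync opens a blob pulled back from the cloud. Because GCM
// authenticates both the ciphertext and the file name, any modification by
// the provider, by an attacker on the account, or by renaming the file fails
// here instead of yielding corrupted ePHI.
func DecryptFromSync(key []byte, name string, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("blob too short to contain nonce and tag")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(name))
}

func main() {
	key := deriveKey([]byte("example-secret-held-by-the-practice")) // constructed
	record := []byte("MRN 0000001, J. Doe, wound check 2018-04-02")  // constructed sample ePHI

	blob, err := EncryptForSync(key, "notes/jdoe.txt", record)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored in sync folder: %d bytes of ciphertext, no plaintext\n", len(blob))

	// Tampering in the cloud: flip one bit of the stored blob.
	blob[len(blob)-1] ^= 0x01
	if _, err := DecryptFromSync(key, "notes/jdoe.txt", blob); err != nil {
		fmt.Println("tampered blob rejected:", err)
	}
}
```

The provider still sees file names and sizes, so names like the one above should themselves be treated as metadata to protect; the point of the example is that a compromised cloud account, an over-shared link or a tampering provider yields nothing readable and nothing that silently decrypts to altered data.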

It also may be wise to consider HIPAA compliance tracking software like HIPAATrek. This software, and other brands like it, create a one-stop-shop for all current HIPAA regulations, training, assessments, risk analysis surveys, checklists, and a whole host of compliance tools to keep any medical facility in the green and out of the fast-growing list of HIPAA horror stories.

Secure Accounts with Two-Factor Authentication

A username and password alone are not sufficient for accounts that touch ePHI. Passwords can be guessed, cracked, phished, or reused from another breached site, especially if staff aren’t practising good password hygiene.

Two-factor authentication is now a baseline recommendation from security professionals, and failing to adopt it for access to ePHI can have dire consequences for any organization subject to HIPAA.

The two factors should come from different categories: something the user has (a smart card or RFID badge), something the user is (a fingerprint or face read by a biometric scanner), and something the user knows (a PIN or password). A badge plus a PIN, or a badge plus a fingerprint, is two-factor; two badges, or a PIN plus a password, is not, because the same attack defeats both. Proximity badges in particular can be cloned, so a badge should never be the only gate. Medical all-in-one computers or medical tablets with built-in RFID and biometric scanners are highly recommended for this purpose because they are far more reliable than a USB scanner plugged into an off-the-shelf office computer.

Plus, USB readers are portable and have a tendency to get lost or disappear. Misplacing an integrated medical panel PC is slightly more difficult.

Only Use Messaging Software Covered by a Business Associate Agreement

Texting and easy picture-sharing have completely changed the way our society communicates, even in the workplace.

However, HIPAA’s security standards mean that doctors and nurses can’t be as free as the general populace. While texting a coworker a question might seem innocuous, it can lead to breached confidentiality and a hefty fine if it contains patient details. Ditto for sending pictures — getting a second opinion from another nurse about a suppurating wound isn’t a bad idea in theory, but may, in fact, be a violation of HIPAA standards.

For workplace communication, make sure work devices run encrypted messaging software from a vendor that has signed a Business Associate Agreement (BAA) with your organization. If your practice allows BYOD, those devices need the same app, the same encryption, and the ability to be wiped if lost. It may be wiser to drop BYOD altogether: it puts ePHI on devices the organization does not control, and such devices have been at the root of many breaches.

A BAA is a contract, not a certification; there is no official HIPAA certification for software. What the agreement does is bind the vendor to HIPAA’s Security Rule obligations for the ePHI it handles and make it accountable if it fails. The covered entity still has to verify that the app is configured correctly (encryption in transit and at rest, access controls, audit logs, remote wipe) and that staff actually use it instead of their personal texting app.

There are quite a few HIPAA compliant texting apps, like TigerConnect and OhMD, that can make a major difference in cybersecurity. Many of these apps, or similar email encryption programs (like Barracuda or Virtru), can also be installed on medical tablets and medical all-in-one computers, creating an easy, encrypted communication system for any facility.

Don’t Forget the Real World

Consider those hospitals fined for filming a documentary — not all patient confidentiality breaches come from computer hackers.

Even something as simple as the placement of a computer screen or patient monitor can have HIPAA implications. Medical all-in-one computers with built-in privacy screens narrow the angle from which a monitor is readable, and a computer on wheels can be rotated away from prying eyes.

Cameras and video recording are obviously off-limits, but sometimes staff can be tempted by the social media machine in their pocket. A perfectly harmless photo from the wrong angle can unknowingly capture sensitive information on a chart, or the face of a patient in the background.

Of course, a malicious low-tech data thief could also snap a quick picture of sensitive information while a doctor’s back is turned.

Technology can help, of course, but common sense is even more important. Keep an eye on your surroundings, especially when viewing ePHI, to maintain maximum data security.

Employ and Document Digital Security Methods Today

A three-pronged approach of education, technology, and vigilance should keep any doctor’s office, hospital, or clinic away from major HIPAA violations. Even if a lax staff member does cause a breach, a thorough, documented history of implementing these controls shows the organization was not in willful neglect, which is the distinction HIPAA’s penalty tiers turn on, and should lower any resulting fines.

Contact Cybernet today to learn more about medical all-in-one computers and medical tablets with built-in two-factor authentication, Imprivata single-sign-on compatibility, and built-in privacy screens.


How Two-Factor Authentication can Improve HIT Security

How Two-Factor Authentication is a Small-Scale Standard for Protecting Information

This year has been no stranger to cyber-security attacks. One need only recall the Equifax data leak, or the “WannaCry” ransomware worm that encrypted victims’ files and demanded payment to release them. These and other attacks hit large organizations by exploiting unpatched infrastructure and poor security awareness, compromising voter rolls, financial records, email archives, and other sensitive data, and raising awareness across the online community about keeping information safe. One area that is often overlooked is personal medical records, which can be just as valuable to cyber criminals as personal financial data. That’s where Two-Factor Authentication comes into play for healthcare IT professionals: it helps make data as safe at the individual user level as it is at the corporate perimeter.

Problems of Single Authentication

Authentication is the process of proving who you are before being given access to information, whether with a remembered password, a physical token, a common access card (CAC), a biometric scanner that matches against a stored template, or other methods. The problem with relying on any one of these alone is that each is weak in its own way: unsophisticated passwords can be guessed by brute force, passwords can be forgotten, or worse, stolen and then used by unauthorized individuals. Access cards can get lost, stolen, or cloned by readers that skim the card’s data and replay it. Cheap biometric devices may misread a face or fingerprint, either locking out the legitimate user (a false reject) or admitting the wrong individual (a false accept). Compound these problems in an environment full of sensitive data, and single-factor authentication becomes the problem rather than the protection.

How Two-Factor Authentication Addresses Problems

Instead of relying on complex passwords that lock users out or are forgotten, authentication can be handled by accurate biometric scanners and RFID readers integrated into the medical grade PCs and tablets that healthcare professionals use every day, removing manual entry altogether. By removing the human element of loss and forgetfulness, medical professionals can access patient information with less risk of a HIPAA violation. Imprivata’s Single Sign-On platform removes the need to remember complex passwords and retype them, and it requires certified reader hardware in order to authenticate. A highly accurate biometric scanner is a must-have, since a fingerprint cannot be forgotten or left at home the way a card can. The flip side is that a fingerprint cannot be changed if its stored template is compromised, so templates must be protected and biometrics should be paired with a second factor rather than used alone. Ensuring these systems are in place and functioning properly is key to protecting patient information.
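To make the factor-category point concrete for both the two-factor section of the first post above and the single-authentication problems discussed here, the following Go example (added for this page, not Imprivata’s, Crossmatch’s or Cybernet’s code) models an authentication decision that accepts only factors from two distinct categories and locks the account after repeated PIN failures. The enrolment record, badge UID, PIN and template ID are constructed; a real reader would return an opaque match result rather than raw biometric data.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
)

// Category is the class of evidence a factor belongs to. Two factors from the
// same category (two badges, or a PIN and a password) are not two-factor
// authentication, because one kind of attack defeats both.
type Category int

const (
	Knowledge  Category = iota // PIN or password
	Possession                 // smart card, RFID badge, token
	Inherence                  // fingerprint or face, as matched by the reader
)

// Factor is one piece of evidence presented at the terminal.
type Factor struct {
	Cat   Category
	Value []byte // PIN digits, badge UID, or the template ID the biometric reader returns
}

// Enrolment is the stored reference data for one user. Constructed for this
// example; a real deployment keeps it in the identity platform.
type Enrolment struct {
	PINSalt, PINHash []byte
	BadgeUID         []byte
	TemplateID       []byte // opaque match ID; raw biometric data never leaves the reader
	Failures         int
}

const maxFailures = 5

// hashPIN is a hypothetical helper. A 4-6 digit PIN has so few values that no
// hash protects it offline; the lockout counter in Authenticate is the real
// control, the hash only keeps PINs out of the enrolment store in the clear.
func hashPIN(salt, pin []byte) []byte {
	sum := sha256.Sum256(append(append([]byte{}, salt...), pin...))
	return sum[:]
}

// NewEnrolment builds a record for a user with the given PIN, badge and template.
func NewEnrolment(salt, pin, badgeUID, templateID []byte) *Enrolment {
	return &Enrolment{PINSalt: salt, PINHash: hashPIN(salt, pin), BadgeUID: badgeUID, TemplateID: templateID}
}

// verifyFactor checks one factor in constant time against the enrolment.
func verifyFactor(e *Enrolment, f Factor) bool {
	switch f.Cat {
	case Knowledge:
		return subtle.ConstantTimeCompare(hashPIN(e.PINSalt, f.Value), e.PINHash) == 1
	case Possession:
		return subtle.ConstantTimeCompare(f.Value, e.BadgeUID) == 1
	case Inherence:
		return subtle.ConstantTimeCompare(f.Value, e.TemplateID) == 1
	}
	return false
}

// Authenticate grants access only when every presented factor verifies and
// the factors span at least two distinct categories. A cloned badge alone, or
// a badge plus a second badge, fails the category check even though each
// factor individually verifies.
func Authenticate(e *Enrolment, presented []Factor) error {
	if e.Failures >= maxFailures {
		return errors.New("account locked after repeated failures")
	}
	categories := map[Category]bool{}
	for _, f := range presented {
		if !verifyFactor(e, f) {
			e.Failures++
			return errors.New("factor rejected")
		}
		categories[f.Cat] = true
	}
	if len(categories) < 2 {
		return errors.New("factors from two distinct categories required")
	}
	e.Failures = 0
	return nil
}

func main() {
	// Constructed sample enrolment and presented factors.
	e := NewEnrolment([]byte("salt"), []byte("4821"), []byte("BADGE-7F3A"), []byte("TPL-01"))
	badge := Factor{Possession, []byte("BADGE-7F3A")}
	pin := Factor{Knowledge, []byte("4821")}

	fmt.Println("badge + PIN:      ", Authenticate(e, []Factor{badge, pin}))
	fmt.Println("cloned badge only:", Authenticate(e, []Factor{badge}))
	fmt.Println("badge + badge:    ", Authenticate(e, []Factor{badge, badge}))
	fmt.Println("badge + wrong PIN:", Authenticate(e, []Factor{badge, Factor{Knowledge, []byte("0000")}}))
}
```

The category check is what distinguishes real two-factor authentication from two instances of the same factor, and the failure counter is what makes a short PIN viable as the knowledge factor at a clinical workstation.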

Two-Factor Authentication is a Growing Standard for Medical Computers

Two-Factor Authentication is a growing trend in hospitals in some states, and it is already at the forefront of the security controls medical professionals and hospitals apply to their medical computers. Ohio is the first state to require Two-Factor Authentication as part of its HIPAA-related rules, and nearly half the hospitals in the United States already use two-factor protocols, so it is quickly becoming the standard even where it isn’t mandated by law. Organizations are adopting authentication platforms that require certified hardware in order to authenticate properly, such as Imprivata’s Single Sign-On platform paired with Crossmatch’s Imprivata-certified biometric scanners. That certification is the best available assurance that the reader and the platform work together reliably.

Two-“Fact”or Authentication Facts

The Office of the National Coordinator for Health IT (ONC) recently reported a 53-percent jump over four years in the share of hospitals using Two-Factor Authentication for their HIT needs. Christus Health, an Imprivata customer, reported saving over 2.3 million dollars with Single Sign-On technology. Crossmatch’s DigitalPersona technology has been deployed at several HIT companies, which cite its ease of use across different IT infrastructures. Used together, these technologies are making an impact in today’s HIT world.

Solutions for Two-Factor Authentication

The good news is that every medical computer Cybernet manufactures can be configured for Two-Factor Authentication: biometrics, CAC integration, or RFID scanning can be added to meet security needs. Cybernet’s computers are also approved for Imprivata Single Sign-On, so the human element has been removed from password entry. Our biometric scanners come from Crossmatch and are certified to work with Imprivata, so you can rest assured that a biometric reading will be accurate and will authenticate users through Imprivata SSO. With these controls in place, information leaks are minimized and unwanted individuals are kept away from what they shouldn’t access. Visit the Cybernet website to see how we can customize our hardware to meet your unique needs.