Source: University of Alabama at Birmingham’s Online Business Program
The security firm FireEye has an eye-opening report titled “Big Threats for Small Businesses: Five Reasons Your Small or Midsize Business is a Prime Target for Cybercriminals”.
The report addresses a common misconception that small businesses have:
I’m too small to be a target
“The ‘I’m too small to be a target’ argument doesn’t hold water,” the Verizon report states. “We see victims of espionage campaigns ranging from large multi-nationals all the way down to those that have no staff at all.”
Small and midsize businesses are facing the same cyber threats as large enterprises, but have a fraction of the budget to deal with them. More than 40 percent don’t have an adequate IT security budget, according to a November 2013 survey by the Ponemon Institute.
The statistics are clear: a small or midsize business is more likely—not less—to face a cyber attack compared with large enterprises.
The defenses most SMBs have in place today are ill equipped to combat today’s advanced attacks. Firewalls, next-generation firewalls, intrusion prevention systems (IPS), AV software, and gateways remain important security defenses. But they are woefully ineffective at stopping targeted attacks.
A data breach can put you out of business
A staggering 60% of small businesses go out of business after a data breach.
…a 2012 study by the National Cyber Security Alliance, which found that 60 percent of small firms go out of business within six months of a data breach. Cyber attacks are growing more sophisticated and, more often than not, target small and midsize businesses (SMBs). One unlucky click—a malicious email attachment, a link to a legitimate but compromised website—could result in a costly data breach that drains your bank account and customer trust.
Recommendations
FireEye gives some good recommendations to lower the chance of becoming a victim.
Assume you’re a target
Cyber attacks against small businesses rose 31 percent in 2013 versus the year before, making them the fastest-growing group of targets.
By assuming that you are in cyber attackers’ crosshairs, you can better prepare yourself against the inevitable attack.
Identify your most valuable assets and weakest links
You would never hire bodyguards and forget to tell them whom they are supposed to be protecting. In the same way, defending your systems starts with identifying your most valuable assets.
Identify potentially valuable data and how it could be vulnerable to well-funded, highly organized attackers. That crucial step will help spot the weakest links in your security system and highlight what you need to do to protect your assets.
Deploy a security platform capable of identifying and blocking today’s attacks
A widening gap between threat actors’ offensive abilities and badly outdated defenses has left organizations more vulnerable than ever. Today’s attacks exploit previously unknown, zero-day vulnerabilities, easily bypassing signature- and reputation-based defenses. And file-based sandboxes, touted by legacy vendors as their fresh approach to security, are constrained by many of the same flaws as traditional security products.
SMBs must take a radically different approach. They need a security platform that can detect and block both known and unknown threats with real-time, coordinated security.
Wake-up Call
A first critical step for small to midsize businesses is to realize that they are a target of cyber criminals. The data you store on customers, clients, patients and employees is very valuable to criminals. Being small does not make you less of a target; it actually makes you more of a target. The best way to understand the risk of a data breach to your company is to perform a security risk assessment. A security risk assessment will identify critical data, determine how you are currently protecting that data and recommend additional security to better protect the data.
Understand a HIPAA / Meaningful Use Risk Assessment
Organizations need to perform a Risk Assessment to determine the likelihood of risks and what additional security measures should be put in place to protect patient information.
Download the Guide to Understanding a HIPAA Risk Assessment to better understand the HIPAA Risk Assessment process.
HIPAA Secure Now! President and CEO Art Gross offers some tips to avoid HIPAA-related breaches in an article over at Dermatology Times.
Back in 2013 Adult & Pediatric Dermatology of Concord, Massachusetts, was hit with a $150,000 HIPAA fine for an unencrypted thumb drive that stored more than 2,200 patient records and was stolen from a staff member’s car. Not only did the dermatology group owe the hefty sum, it joined the ranks of healthcare providers listed on the Wall of Shame where security breaches are reported by the Department of Health and Human Services’ (HHS) Office of Civil Rights (OCR). OCR even issued a news release calling out APDerm’s violation of the HIPAA Privacy, Security and Breach Notification Rules.
Members of the ASCII Group, a longstanding IT channel organization, voted HIPAA Secure Now! the award, signifying the company’s commitment to peers and helping them grow their businesses.
Morristown, NJ (PRWEB) November 17, 2014
HIPAA Secure Now! was voted one of the top 10 Esteemed Noble Partners by members of the ASCII Group, a membership-based community of independent MSPs, VARs and Solution Providers. Awards were handed out at this year’s ASCII Success Summit, recognizing members who have demonstrated channel goodwill and a commitment to helping their peers grow successful businesses. Winners in three categories, including Esteemed Noble Partner, received their awards at the Summit on October 23, 2014 in Atlantic City, N.J.
“On behalf of The ASCII Group community, we would like to congratulate HIPAA Secure Now! as an Esteemed Noble Partner and one of this year’s Top Contenders for The ASCII Cup,” said Jerry Koutavas, President, The ASCII Group, Inc. “We would like to recognize all of the companies featured at our Success Summits, for remaining committed to delivering value and significance to the channel.”
HIPAA Secure Now! has helped thousands of medical practices ensure their patients’ electronic health information is protected, under HIPAA regulations. The company provides risk analysis services, policies and procedures, and employee training to customers throughout the U.S.
HIPAA Secure Now’s security risk assessment program spots security risks of storing and transmitting patient information from the systems and mobile devices commonly used by medical practices today. Once potential risks have been identified, HIPAA Secure Now! refers clients to its national network of MSP partners to implement security technologies such as encrypting laptops and tablets.
“The ASCII Group has become our leading source of MSP partners and the benefits have been significant on both sides,” said Art Gross, CEO of HIPAA Secure Now!. “Our two-way value proposition is simple: MSP partners refer their medical clients to HIPAA Secure Now! to validate and document their clients’ compliance, as well as expose any gaps. In turn, we refer our clients to our MSP partners so they can receive professionally delivered technology solutions to address their compliance and security gaps. MSP partners benefit by increasing their revenue by delivering new services to existing clients and winning new customers through our referrals.”
The ASCII Group members selected HIPAA Secure Now! as an Esteemed Noble Partner based not only on the quality of its product, but also on its commitment to providing valuable, channel-friendly solutions to the community.
About The ASCII Group, Inc:
The ASCII Group is a vibrant reseller community of independent MSPs, VARs, and other solution providers. Formed in 1984, ASCII has more than 70 programs that provide turnkey cost-cutting strategies, innovative business building programs, and extensive peer interaction. ASCII members enjoy benefits such as marketing support; educational information; group purchasing power; increased leverage in the marketplace; and multiple networking opportunities. These programs enable ASCII members to increase revenue, lower operating costs, and grow service opportunities. You can learn more at http://www.ascii.com or by calling 800-394-2724.
About HIPAA Secure Now!
HIPAA Secure Now! has been helping clients comply with the HIPAA Security Rule since 2009. The company’s all-in-one solution provides risk assessment, which also satisfies Meaningful Use requirements, as well as privacy and security policies and procedures, and training. HIPAA Secure Now! moves customers toward HIPAA compliance quickly and easily, and protects them in the event of an audit. Customers complete the entire process in two to three hours, and regularly comment that it is painless and has made HIPAA compliance very easy. For more information visit https://www.hipaasecurenow.com.
An infographic by the National Cyber Security Alliance (NCSA) reported that 71 percent of security breaches target small businesses, and nearly half of all small businesses have been victims of cyberattacks.
We talk about the cost of HIPAA-related breaches for organizations, but have you ever wondered how much it costs a victim of a HIPAA-related breach? According to Becker’s Hospital Review, the average cost of a HIPAA-related breach to an individual is about $19,000.
According to a report by the Ponemon Institute, the average out-of-pocket cost to a patient after medical identity theft is $18,660. The 2013 data show that while only 36 percent of patients — more than 660,000 — end up incurring out-of-pocket costs as a result of medical identity theft, it is expensive for those victims. The total costs incurred by medical identity theft victims in 2013 were about $12.3 billion, according to the report’s extrapolation.
Costs incurred by a victim range from legal counsel to reimbursements to healthcare providers.
Expenses for victims include identity protection, credit reporting, legal counsel, expenditures on medical services due to lapses in insurance coverage and reimbursements to healthcare providers for services provided to identity thieves.
One final question to ask yourself, if one of your patients or customers incurred $19,000 in breach expenses do you think they will stay as a patient, customer or client of your organization?
With over 30 million patient records breached since 2009 (and that only includes the breaches that have been reported; the actual number is probably much higher), there is a real crisis with protecting patient information. We keep hearing about healthcare organizations having breaches due to lost or stolen laptops and portable media (USB drives, CD/DVDs, smartphones, etc.). Below are some of the recent breaches due to lost or stolen laptops and portable media.
Laptop With PHI Stolen From Ga. Health Employee’s Car
The Georgia Department of Behavioral Health and Developmental Disabilities (DBHDD) announced earlier this week that a laptop containing protected health information (PHI) of approximately 3,000 patients was stolen from an employee’s car on Aug. 14, 2014.
“DBHDD is reinforcing our information security practices to protect against future data breaches,”
Those active steps include strengthening department policies and procedures related to PHI and also increasing training on security awareness regarding DBHDD-issued laptops, explained the DBHDD statement. Moreover, the department is also working to ensure that all laptops are encrypted and that PHI can only be accessed using a virtual private network (VPN). This would ideally prevent protected data from being stored on a laptop.
DBHDD is encrypting the laptops AFTER they had a breach.
Potential data breach for 44,000 Arizona retirees
Some 44,000 Arizona retirees may have had their personal data compromised in a security breach.
Officials say the problem began last month when the system sent two unencrypted computer discs containing the first and last names and Social Security numbers of members enrolled in ASRS dental plans to a benefits company in Kansas City, Missouri.
The company informed the ASRS that it hadn’t received the discs by the end of September.
Implement encryption
Organizations need to understand that PHI is extremely sensitive information, and they need to safeguard it. Breaches are happening every day, and the reality is that a majority of HIPAA-related breaches are due to lost or stolen laptops and portable media. Any PHI on laptops or portable media needs to be encrypted. Encryption is not expensive, encryption is not difficult to implement, and encryption is not difficult to use, yet most healthcare organizations have not implemented encryption to protect PHI.
Take inventory
One of the first steps to protecting PHI is figuring out where PHI is stored. An organization needs to take an inventory of where PHI is stored or accessed. At the very least, any PHI that is on laptops or portable media should be encrypted. Without these basic protections, we are going to continue to hear about more HIPAA-related breaches.
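The two recommendations above (inventory where PHI lives, then make sure every laptop disk and removable drive that can hold it is encrypted) can be checked mechanically on a Windows machine. The script below is an added example written for this page, not code from HIPAA Secure Now! or from any of the organizations mentioned; it assumes Windows with the built-in BitLocker PowerShell module, an elevated session, and a hypothetical CSV path for collecting results from many machines. It lists every mounted volume, looks up its BitLocker state, and flags any fixed or removable drive whose protection is not active.

```powershell
# Added example (not from the page or from HIPAA Secure Now!): inventory
# local volumes and report which fixed/removable drives lack active
# BitLocker protection. Assumes Windows with the BitLocker module
# (Get-BitLockerVolume) and an elevated PowerShell session.

function Get-EncryptionInventory {
    # One record per mounted volume with a drive letter.
    $report = foreach ($vol in Get-Volume | Where-Object { $_.DriveLetter }) {
        $mount = "$($vol.DriveLetter):"
        # Non-NTFS or unsupported volumes may return nothing; treat as unknown.
        $bl = Get-BitLockerVolume -MountPoint $mount -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Computer         = $env:COMPUTERNAME
            MountPoint       = $mount
            DriveType        = $vol.DriveType          # Fixed or Removable
            FileSystemLabel  = $vol.FileSystemLabel
            ProtectionStatus = if ($bl) { $bl.ProtectionStatus } else { 'Unknown' }
            VolumeStatus     = if ($bl) { $bl.VolumeStatus } else { 'NoBitLockerInfo' }
            EncryptionMethod = if ($bl) { $bl.EncryptionMethod } else { 'None' }
        }
    }
    $report
}

$inventory = Get-EncryptionInventory
$inventory | Format-Table -AutoSize

# Anything whose protection is not "On" is a finding for the risk assessment:
# an unencrypted laptop disk or USB stick is exactly the stolen-car and
# lost-disc scenario described in the breaches above.
$gaps = $inventory | Where-Object { $_.ProtectionStatus -ne 'On' }
if ($gaps) {
    Write-Warning ("{0} volume(s) without active BitLocker protection: {1}" -f `
        @($gaps).Count, (@($gaps).MountPoint -join ', '))
}

# Hypothetical report path; in practice this would be collected centrally.
$inventory | Export-Csv -Path "$env:TEMP\phi-encryption-inventory-$env:COMPUTERNAME.csv" -NoTypeInformation
```

This only answers the "is the container encrypted" half of the inventory; which files on those volumes actually contain PHI still has to come from the risk assessment itself. Run across a fleet, the CSV files give a simple before-and-after record that the encryption recommendation has been implemented rather than just planned.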
According to FierceEMR, as of Nov 1, 2014 only 43,898 eligible professionals (EPs) have attested for Meaningful Use (MU). There are over 500,000 active registrants signed up to participate in the MU program. Furthermore, only 11,478 EPs have attested for MU Stage 2 as of Nov 1, 2014.
The number of providers attesting to Meaningful Use in 2014 is still lackluster, with 43,898 eligible professionals (EPs) and 1,903 eligible hospitals (EHs) attesting for the 2014 reporting period, as of Nov. 1, despite the fact that there are now more than 500,000 active registrants signed up for the Meaningful Use program, according to the latest data from the Centers for Medicare & Medicaid Services.
Of those attesters, just 11,478 EPs and 840 EHs attested to Stage 2 of Meaningful Use.
CHIME, AMA and others call for shorter reporting period in 2015
The College of Healthcare Information Management Executives (CHIME) and American Medical Association (AMA) along with the Healthcare Information and Management Systems Society (HIMSS) and the Medical Group Management Association (MGMA) have called for reducing the 2015 MU reporting period from 12 months to 3 months.
Still, upon release of the latest figures, the College of Healthcare Information Management Executives–in unison with the American Medical Association, the Healthcare Information and Management Systems Society and the Medical Group Management Association–called the numbers “disappointing, yet predictable.” All four organizations renewed calls for more program flexibility and to shorten the reporting period in 2015.
Added HIMSS Executive Vice President Carla Smith, “If CMS continues to require a full-year of Meaningful Use reporting for 2015, we anticipate that large segments of providers will no longer be able to participate in the program–which hinders our nation’s ability to improve the quality, safety, cost-effectiveness, and access to care.”
What’s next?
The question many people are asking is this: will there be a large number of EPs dropping out of the program, or will most EPs attest for MU in the 4th quarter of 2014? And if the MU reporting period is not shortened from 12 months, will a large number of participants drop out of the program next year?

Good video on how hackers gain access to valuable data. Steps on how to protect your organization are discussed as well. Share with employees and colleagues.
Free HIPAA Security Training!
All Covered Entities and Business Associates need to train their employees on HIPAA security. We now offer free online HIPAA security training for Covered Entities and Business Associates. Find out more about our free training and send the information to ALL your colleagues and Business Associates.
Now it is easy to train your employees on protecting patient information!