HipLink Blog

HipLink Insights


Keeping PHI Secure to Avoid HIPAA Data Breaches

In this rapidly advancing technological world, an increasing number of healthcare providers are incorporating electronic health record (EHR) technology. They are also connecting to health information exchanges more frequently, making protected health information (PHI) more susceptible to online security threats as well as possible HIPAA data breaches.

The convenience of PHI being more accessible to providers also carries the risk of it being more accessible to hackers and unauthorized users. Effectively monitoring and managing potential risk is imperative for a healthcare organization. Risk assessments play a key role in staying HIPAA compliant. Mobile devices and ransomware threats are examples of why healthcare providers need to be prudent in their risk analyses. The slightest oversight or lapse could lead to a HIPAA data breach as well as a lengthy, expensive recovery process.

What Is a HIPAA Data Breach?

Per the U.S. Department of Health and Human Services (HHS), a data breach is an impermissible use or disclosure of PHI under the Privacy Rule that jeopardizes the security or privacy of patients. For example, if a nurse’s assistant is a friend of patient Jane Doe and posts on social media that Jane Doe’s health condition is worsening, this is a HIPAA breach. Another type of data breach occurs when unencrypted data is lost or stolen, for example when backup tapes are used for data archival. Portable devices that are unencrypted or not properly safeguarded by passwords, personal identification numbers, or other security measures pose a much greater risk of a data breach.

There are three exceptions to the HHS definition of a breach. First, if a healthcare worker unintentionally acquires or uses PHI while acting under the authority of the covered healthcare organization, this is an exception. Second, inadvertently sharing PHI with another person who has authorized access to PHI is not a breach. For example, John Doe is a patient at XYZ Hospital. Dr. Smith is his cardiologist and Dr. Jones is his nephrologist. To properly coordinate a heart and kidney care plan of treatment for Mr. Doe, Drs. Smith and Jones are allowed to share PHI pertaining to the patient. Lastly, if a healthcare organization believes that the person to whom the PHI disclosure was made is unable to retain the information, this is also not considered a data breach.

Understanding HIPAA data breaches and the exceptions to the rule gives healthcare organizations the information they need to formulate extensive data security plans to keep PHI safe and secure. One of the easiest ways to prevent an employee data breach is to train employees and to document and monitor their adherence to security policies and procedures. In addition to training your own employees, remember to be vigilant when checking your business associates’ compliance to ensure their employees have been trained.

Ransomware Attacks – Are They HIPAA Data Breaches?

Whether or not a ransomware attack is a HIPAA data breach is determined on a case-by-case basis. Put simply, if electronic protected health information (ePHI) is encrypted as a result of a ransomware attack, it is considered a HIPAA data breach because the attacker was able to access the PHI. Therefore, it is a disclosure that is not permitted under the HIPAA Privacy Rule.

On the other hand, if the ePHI encrypted in a ransomware attack was already encrypted in alignment with HIPAA regulations, it may or may not be considered a breach. Each situation is treated uniquely. The HHS Office of Civil Rights states, “If the electronic PHI (ePHI) is encrypted by the entity in a manner consistent with the Guidance to Render Unsecured Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals such that it is no longer ‘unsecured PHI,’ then the entity is not required to conduct a risk assessment to determine if there is a low probability of compromise, and breach notification is not required.”

Ensuring PHI Protection

The HHS PHI Privacy Rule protects all individually identifiable health information held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral.

To determine the best security measures, a healthcare organization must consider its size, capabilities, and complexity. Furthermore, the technical hardware and software infrastructure must be evaluated, as well as the expense of security measures. Last, but certainly not least, every healthcare organization must scrutinize the likelihood and possible consequences of plausible risks to ePHI.

To protect ePHI, it is imperative that healthcare organizations keep all security measures up to date and confirm compliance with state and local laws as well as with HIPAA. There are several ways ePHI security can be compromised, which is why facilities have to be cautious and able to adjust security measures when necessary.

HipLink offers real-time secure messaging for Apple or Android devices. The user can send secure text messages, encrypted for HIPAA compliance, from a desktop or smartphone. For more information, contact us at 408-399-6120.

  • anonymous says:
    GOOD POST

Secure, Reliable Messaging and Ransomware

How do you keep your communications flowing during a cyber attack? The recent cyber attacks on hospitals are raising many questions about safety and security within many organizations.

CNN recently reported that ransomware is growing and that the FBI received 2,453 complaints about ransomware hold-ups last year, costing the victims more than $24 million. CSO Online reported that incident response teams are dealing with 3-4 ransomware incidents weekly. They also report that ransom requests have increased considerably and that in many cases the cost of recovery is so extreme that the only valid option is to consider payment.

Criminals sneak in through various techniques such as “man in the middle” attacks, lock the system, and demand a ransom to unlock it. They rely on Bitcoin (XBT) since it is difficult to trace to actual people. Many of these hackers have offshore accounts, and actually getting your money back or catching someone a world away is highly unlikely.

At HipLink we feel that the best solution is to minimize your attack surface and implement a communications platform with the ability to manage and secure your communications end to end should an attack take place. Our focus is to provide our customers with a complete solution for managing these requirements. Our business model has always been to build a strong communications hub with several layers of redundancy to minimize any central point of failure or compromise. This means that we do not put all of our eggs into one basket. We look at the big picture and we understand that implementation needs to be dynamic and offer seamless alternate ways to notify staff using automated intelligence.

Many of HipLink’s customers have remote and on-premise servers that communicate with HipLink and act as a back-up communication platform in case of an emergency that may compromise any of the mission-critical systems running each day. HipLink’s ability to accommodate strategic communication pathways on behalf of both employees and infrastructure separates our systems from others, making them popular in many of the world’s most advanced data centers.

Our flexibility within a wide range of verticals puts us in a unique position to accommodate a broad range of communication requirements. This position not only improves daily workflow efficiency but can help save critical data and, in many environments, lives.

  • Wendy H. says:
    Great blog - thanks for posting. Really enjoyed reading it.