(866) 251-4459 support@compnetsys.com
What Is HIPAA, And Why Should I Worry About It?

What Is HIPAA, And Why Should I Worry About It?

The Health Insurance Portability and Accountability Act (HIPAA) is a Federal statute, and associated regulations, that, among other things, control what healthcare providers and other “covered entities” do with “protected health information” (PHI). The HIPAA regulations are fairly straightforward, but there are a lot of them. There is a good summary here, with links to the relevant portions of the Code of Federal Regulations (CFR). This article covers only the basics.

Who Does HIPAA Apply To?
“Covered entities” are health care providers, health plans, and health information clearinghouses. The latter are usually aggregators of health information from hospitals, doctors, and the like. “Protected health information” is any information that relates to an individual’s past or present health status, treatment, and payments for any treatment an individual receives. Past, present, and future healthcare records are covered.
Data falls under HIPAA protection for 50 years after the death of the patient. The form in which the information exists does not matter – it can be written, oral, or electronic. If the information is in electronic form, additional requirements for protecting it applies.
Why Should I Worry About All This?
People are concerned about following HIPPA guidelines and they should be. It’s important to protect the personal and healthcare information of all patients. In addition, the Office of Civil Rights (OCR) within the Department of Health and Human Services (HHS) can impose large fines and other penalties for HIPAA violations. Hospitals and health systems have been fined in the millions of dollars for HIPAA violations. And HIPAA violations, if they make it into the news media, always create bad publicity.
What Can I Do To Remain Compliant?
Training of staff on HIPAA rules and practices is by far the most important step. The second is making sure that PHI stored in electronic form is protected. That involves things like:

Using encryption when data is stored or transmitted
Making sure that staff have only the access needed to do their jobs
Making sure that access to systems is, at a minimum, protected by strong passwords
Protecting records with the latest technology such as swipe cards or biometric identifiers

What Do I Have To Do To Conform To HIPAA?
You need to:

Formulate your privacy practices
Notify patients of privacy practices
Obtain consent or authorization when required
Make sure that your arrangements with business partners meet HIPAA requirements
Make sure you distinguish your normal health care operations, where consent is not required, from disclosures, where consent or authorization is required
Make sure you follow the HIPAA “security rule,” which covers PHI in electronic form

It goes without saying that your legal department needs to be involved in all of this. The Notice of Privacy form should inform patients and staff of what your practices and guidelines are. A notice should be given in written form to patients when they are first encountered.
“Arrangements with business partners” concerns companies that may have access to PHI in the course of providing services to a health care provider. These include companies that provide storage of documents, destruction of documents, or electronic handling of documents. You are required to make sure that they understand the HIPAA requirements and conform to them. You can think of it as the HIPAA requirements “flowing downhill” from you to your business associates.
What’s The Difference Between Consent And Authorization?
In many cases, no consent is required. This includes disclosure of PHI for treatment, payment, and health care operations. A covered entity may, but is not required to, seek consent from a patient for these purposes, but it is common to do so.
On the other hand, an authorization is required for any use of PHI other than the ones listed above. An authorization is more formal than a consent, must be written, and must contain several elements, which are covered here.
Authorization is required when the disclosure is for any purpose other than treatment, payment, or health care operations. This includes disclosure to a third party, such as a life insurance company, an employer, or a provider not affiliated with your healthcare organization.
Please note that electronic transmission of PHI is covered by the authorization requirement as well. If authorization to send the information on paper is needed, authorization to send it electronically is needed as well.
What Are The Takeaways?

HIPAA compliance is not optional.
Penalties for violating it can be very costly.
HIPAA applies to PHI in any form – paper or electronic.
Obtaining consent is generally a good idea; authorizations are required.
Depending on the services your business partners provide to you, they may be required to conform to HIPAA as well.
It is always better to err on the side of caution when dealing with HIPAA.

If you still have questions, be sure to visit the HIPAA website. Today, there are many organizations that can help you learn about and comply with HIPAA guidelines. For instance, many managed IT services providers have tools to help with compliance.

8 Foolish IT Security Mistakes Never Get Caught Doing

8 Foolish IT Security Mistakes Never Get Caught Doing

Everyone makes foolish mistakes. You’ve done, I’ve done it, and it’s all part of being human. But if that mistake affected your IT security, consider the ramifications it could have on your organization for being careless. For instance, a computer hacked or leak of sensitive data because a password was easy to crack. Luckily, these security problems don’t have to become a common occurrence and can get fixed easily.

What Are The Eight Foolish IT Security Mistakes to Avoid?
In no particular order, we’ve created a list of the most common IT security mistakes technicians see regularly. Also included are their recommendations to fix and avoid making the same mistakes again.
Mistake #1 – Using a weak password or not having one at all
Even with all the security warnings repeated continuously, people will always choose the same or a straightforward password to remember. It could be a birth date, the word “password,” a family pet’s name or the number sequence: 1-2-3-4-5-6. Then there are other individuals, that decide they don’t want a password, or they’ll get to it later, but later never comes.

Recommendation: Consider using a password generator. When using a password generator, it can create a strong password in seconds. Currently, on the market, there is Dashlane, Keeper Password Manager, Password Boss, LastPass, and Sticky Password.

Mistake #2 – Writing passwords on sticky notes or slips of paper
This mistake follows the previous one and makes it extremely easy for anyone to access your account or device, especially if they got their hands on your password. It is common to find a piece of paper and jot down our passwords. Or worse write it down on a sticky note and attach it to the back of your computer monitor. In all reality, why do that? It’s like you don’t have a password at all because everyone knows where you stuck it.

Recommendation: Stop writing down your passwords on paper. Consider using a password saver. Currently, on the market, there is Dashlane, Keeper Password Manager, Password Boss, LastPass, and Sticky Password.

Mistake #3 – Refusing to install antivirus protection or disabling it for faster computer speed
There continues to be this belief that antivirus software is not needed, especially for those individuals and companies that own and use Apple/Mac devices, but this is simply not true. Yes, it can be frustrating when your computer slows down while software is running.

Recommendation: Consider using an anti-virus program that won’t’ slow down your computer. Currently, on the market, there is Avast, AVG, Kaspersky, Bitdefender, and Check Point Zone Alarm.

Mistake #4 – Taking unnecessary risks with email and blindly trusting the sender
This mistake includes opening email attachments from unknown sources or people you don’t know. Or worse responding to these individuals and sharing highly sensitive information (such as credit card numbers or passwords). When you open an email with an attachment, and you don’t know who the sender is, leaves you wide open to a malware virus or your computer hacked. Please be mindful; when sharing personal information, always remember, doing so could place you, your business, and your client’s information vulnerable to identity theft.

Recommendation: From this point forward, no longer send sensitive information or data through an email. Consider using a tool like Google Drive. You can then send the data as a link which requires the recipient to log in first before they can access the file.

Mistake #5 – Walking away from your computer and not locking the screen
Eavesdropping continues to be an overlooked security issue and risk. When you get up from your computer and walk away, who has taken notice, that could potentially gain access to your account? What might happen if you forgot to close the bookmarked tabs in your browser, to step away, and on those tabs were your online banking account or your company’s bookkeeping system? With an open unlocked screen, you’ve given anyone full access.

Recommendation: Always lock your computer before leaving it. On most keyboards, you will see the Microsoft Windows key. Press and hold it down while you press the letter “L” key, and your screen instantly locks. You can also preset your computer to automatically close after a specific amount of time passes (one minute, five minutes or 10 minutes).

Mistake #6 – Not installing the application and operating system patches or updates on time
Operating system updates and patches are crucial and vital in protecting your computer from evolving threats. Mainly, these updates and patches keep your computer healthy. Next time, before you hit the “not now” or “ask me later” button, reconsider.

Recommendation: When prompted, always install the updates and patches when notified. Better yet, at least once a week, deliberately check for updates and patches. If you’re unsure where to begin, contact us or send us an email and we will help you.

Mistake #7 – Putting off having a reliable, stable, and well-tested cloud storage backup
It’s going to happen. Servers will fail, and computers will crash. It’s not if, but when. Not considering what a lifesaving tool, cloud computing offers, is like signing a death warrant on your files. Besides getting hacked, there are other reasons servers go down, i.e., age, fire, flooding, natural disasters are just four everyday occurrences.

Recommendation: Seek out an IT company that hosts cloud storage services or is a vendor partner with a large cloud computing company. Do take the time to read and understand the SLA they present to you before you sign their contract.

Mistake #8 – Allowing personnel that is untrained, or not certified to secure your IT systems
Unfortunately, employees will be the most significant security threat a business faces. Most of the time is it not intentional, but human error and lack of training that usually causes the problems. It may seem convenient, but not everyone is an IT expert or specialist. IT security has many moving parts, and if one piece isn’t correctly set up, your system remains vulnerable.

Recommendation: Allow your employees to do what you hired them to do. But when it comes to your IT system, consider hiring an outside IT services provider.

Did you find this article informative? If you liked this one, check out our other content we think you’ll find interesting.

PSA Alert! Sleeping While Phone Charges

PSA Alert! Sleeping While Phone Charges

Read the following alert before charging your phone tonight and from this day forward. According to the Newton, New Hampshire, fire department’s PSA message posted on social media; it seems as though charging a phone in bed poses a serious health risk and lethal safety concerns for you and your loved ones. Now it is imperative you think twice before charging your tablet or smartphone in bed ever again.

What the Newton fire department shared is quite literally a wake-up call
The Newton Fire Department, in Newton, New Hampshire shared this photo. You will notice burned sheets and pillows next to a device charger’s cord. If the picture seems scary, you now have your proof. Without warning, if a child or teenager is sleeping next to their phone while it’s charging, this could happen to them, putting them in grave danger.
 
According to the fire department, a home fire is reported in the U.S. every 86 seconds. They also uncovered some recent research which indicates over 50 percent of children and teenagers charge their tablet or phone under their pillows. When you consider that everyday habit, you must ask yourself, “where does the heat go if the phone is covered up?”
We all know if the heat from that charger can’t evaporate you’re going to have a cord, charger, and device that’s hotter and to difficult to touch. If the charger and phone are under the pillow, then that pillow, mattress, and the entire bed could catch fire, and the whole house could go up in flames, putting all the family members in danger.
Should we be concerned, isn’t this an isolated situation?
Unfortunately, it isn’t. It continues happening.
It wasn’t that long ago a 10-year-old boy, in Northern Ireland woke up in shock. He was charging his new phone in his bedroom overnight. What awakened him was the smell of smoke, as his iPhone sat burning on his bed. The phone got overheated and severely singed. Fortunately, there was no fire outbreak.
Then there’s the incident where a family of a 15-year-old girl from Wales had to flee their home. They were not as lucky. The girl’s iPhone overheated while resting on the bedding. Next thing they know the bed quickly caught fire and engulfed the home. Fortunately, no one was hurt. But it took six months before the family could return to their home, due to the extensive fire damage.
But we can’t just look at children and teenagers who leave their tablets or phones charging overnight. Take the Alabama man, in his 30s that nearly lost his life getting electrocuted, after he fell asleep with his cell phone charging right next to him in bed.
As he slept, the charger disconnected from the phone. But in the morning he rolled over, and his military dog-tags around his neck got caught on the exposed prongs of the plugged-in phone charger. What happened next, nearly took his life. The dog-tags acted as a conductor so, the electricity traveled straight to his neck. Strips of flesh and skin were missing from his neck and his shirt got singed, where the metal dog-tag necklace had burned his throat.
What should you know moving forward?
It was pointed out in a 2017 Hartford Home Fire Index; there is a “high risk” when charging your phone on your bed overnight. They compared it to leaving a candle burning unattended or when your stove doesn’t get turned off after cooking.
There was more extensive research published by the American Medical Association (AMA), in their JAMA Pediatrics monthly peer-reviewed medical journal that shows roughly 89 percent of teens and 72 percent of children use, on average at least one device, tablet or phone, in their “sleep environment.” And quite often it’s used just before bedtime.
“The distinctly possible result is that the pillow or bed or both will catch fire,” the Newton fire department added. “This places the child or teen, as well as everyone else in the home in grave danger.”
What should you start doing today?
To quote Stuart Millington, senior Fire Safety Manager, of the New Wales Police department, “Turn chargers off. Unplug them before you go to bed,” His warning came after a similar incident where a phone caught fire while charging under a pillow of a North Wales family home. “Never leave items unattended or charging for long periods of time.”
If you are a parent or grandparent, warn your kids and grandchildren. Bring it to their attention to the dangers of sleeping next to a charging tablet or phone. Also, look to see where device charges are plugged in, and if not suitable recommend a designated charging zone in your home for all devices.
Did you find this article informative? If you liked this one, check out our other content we think you’ll find interesting.

What IT-Aspects Are Important When Relocating Your Law Office?

What IT-Aspects Are Important When Relocating Your Law Office?

Perhaps the space is not large enough for your expanding partnership. Maybe, it’s antiquated and no longer feels appropriate. Whatever reason an office chooses to move to a new building, relocating is a large undertaking. Unfortunately, in many offices, the IT-related aspects of the move are overlooked until the last minute. This can be disastrous.

Improper planning can result in lost data or broken equipment. It could cause interruptions in service. This might mean lost clients, which of course would equal lost money.
Fortunately, it is not difficult to do this right. It does, however, take adequate notice. This is often longer than one would anticipate. Usually, it requires at least 60 days. It also helps to have a good plan and consistently follow through. Here are a few other things to consider before relocating.
How Should an Office Plan for the Move?
The first step would be to determine who will act as the internal manager of the relocation. This should include someone on the staff who is familiar with the office. In a small business, he or she might coordinate the entire project alone.
For larger establishments, however, it would be wise to hire a professional Managed Services Provider. They are more experienced with delicate relocations and can help lead the internal manager in the process.
Generally, the first step is to inform all Internet and telecom providers of the coming move. It is often in the service agreement that they receive a certain amount of notice. This also ensures there will be no interruption in service.
When Is an IT Evaluation of the New Space Conducted?
Ideally, IT needs would be considered when initially choosing the location. This is not always realistic. In an office, there are many aspects to consider when selecting a new office space. A few of these include demographics of the area, accessibility, image, and the history of the site, etc. IT needs are often an important afterthought.
Typically, an evaluation of the new space will be conducted during the planning phase of the actual move. It would be done with or by the project manager or Managed Services Provider. If the office has one, the head of the IT department should be involved as well.
There are several things that should be evaluated to ensure the move goes as smoothly as possible. These include, but are not limited to, the following:

Cabling for computers, telephones, and security cameras
Power outlets of adequate number and in optimal locations
Wireless networking capability

Each room should be checked. Any of the above that are subpar will need to be addressed. This would ideally occur before the move itself.
How Should an Inventory Be Done?
The IT needs of most offices are evolving. Before moving it all, it would be advisable to take an inventory and evaluate the existing equipment. Begin by determining what is no longer needed. It is better to responsibly recycle it than move it to the new location.
Next check the condition of each remaining piece of equipment. Make a list of anything that is worn or outdated. Decide how to dispose of them rather than pack them. Order replacements so there is no interruption once the move has been made.
As the business world continues to embrace IT, this is the perfect time to assess current trends. It is also a good idea to look to the future and ensure any new equipment purchased is flexible enough to adapt.
Make a hardcopy list of every piece of equipment being moved to the new office space.
Have Disaster Recovery and Business Continuity Plans Been Developed?
Failure to have a Disaster Recovery Plan and a Business Continuity Plan in place before a move could, in fact, be devastating to your business. Further, it is an essential step to make several backups of everything important. This includes files, as well as data systems, security systems, and servers. Keep these separate and in a safe place during the move. If you’re already working with a managed IT services provider, they will take care of this for you. They can also handle much of the move as far as your IT infrastructure goes.
Lists should be made of the important information required for the successful implementation of the Business Continuity Plan. A few items to include are:

Business priorities
Inventory of all equipment
Emergency contact information for IT vendors
Plan for switching phone lines and internet connections

This improves the likelihood that the office will be able to resume business with as little delay as possible. If you have a good relationship with a managed IT service provider, they may be able to move your networking and computing equipment and get everything back up and running a day or so.
In Conclusion
When it comes to the day of the move, everything should have already been planned. This ensures the smoothest transition. For offices that do not have an onsite IT team, hiring a professional IT-relocation company would be a good idea. The internal manager or Managed Services Provider would be responsible for making important decisions. With proper planning, the actual move to the new location should be much easier.
 

US Weapon’s Systems: Weak to Cyberattacks?

US Weapon’s Systems: Weak to Cyberattacks?

A recent report has revealed that there are many US weapons systems that are susceptible to hackers. This news is disturbing on many levels, including the attitude exhibited by Department of Defense officials. What does the report reveal, and how serious is the threat?

GAO Report
The US Government Accountability Office (GAO) just released a report that reveals that almost all weapons that were tested by the Department of Defense (DoD) between 2012 and 2017 have serious vulnerabilities that make them very open to cyber attack. These vulnerabilities have been labeled mission critical, which makes this news all the more serious. The report had been requested by the Senate Armed Services Committee in connection with expected DoD spending in excess of $1 trillion in order to develop weapons systems.
Examples of Weaknesses Detected
The vulnerabilities were discovered by penetration tests performed by employees of the DoD. In one example, a penetration tester was able to partially shut down a weapons systems by merely scanning it. In another test, it only took nine seconds for DoD testers to guess the admin level password on a weapons system. Failure to make changes to default passwords connected with open source third-party software installed on systems resulted in several instances of vulnerability.
Those performing these tests were not making any efforts to hide their presence, but the systems they tested had a difficult time detecting their presence. These systems should have been able to detect the presence of intruders and alert those in charge. A few of the automated systems did detect the presence of the penetration testers and alerted those monitoring the systems. However, in an even more disturbing turn, the individuals monitoring the systems didn’t seem to understand what the intrusion alert meant and thus did not take any action.
Failure to Take Basic Cybersecurity Precautions
What makes this report distressing is that many of these potential open doors exist in part because of a failure to follow basic cybersecurity rules. Guidelines such as the use of encryption, robust passwords, and basic employee training are foundational to a security system. Because such guidelines have been neglected, hackers equipped with even simple techniques and tools would be able to not only take control of key systems associated with these weapons but do so almost undetected. What could a skilled hacker with the latest tools accomplish inside such a poorly secured system?
Is There a Valid Reason for the Lack of Concern?
The subtitle of this GAO report was “DoD Just Beginning to Grapple with Scale of Vulnerabilities.” Surprisingly, those in charge of such systems do not seem very concerned about these susceptibilities, perhaps because they feel the GAO is exaggerating the seriousness of the problems discovered. For example, the report does remind readers that some of the findings may no longer be a problem once a system is deployed in the field.
In addition, these officials have indicated that in the past they believe the systems were well-secured. The authors of the report, however, strongly imply that there’s a disconnect between what these officials may believe and what the reality is.
Another possible cause of the DoD’s lack of concern is the belief that the types of tests that were run would be practically impossible for any system to pass. The GAO, however, insists that the tests were not extreme and represented realistic threats to these critical systems.
The DoD may also be resting on its laurels: it received praise last year for a bug-bounty program that led to many different bugs being patched. On the other hand, the GAO report points out that only one of 20 vulnerabilities discovered in previous risk assessments had been fixed by the time the report was written.
Implications of the Report
One of the implications of the report is that a number of US weapons systems could be susceptible to a disabling cyber attack. Considering that so many adversaries of the United States have established reputations for extremely talented hackers, this is all the more disconcerting. And hackers are not subject to the same constraints as DoD penetration testers. Malicious actors may well have access to funding, state-of-the-art equipment, and would intentionally keep their activities hidden.
Another implication of the GAO report is that their testing merely revealed the proverbial “tip of the iceberg” when it comes to vulnerabilities that exist in US weapons systems. The penetration tests performed were far from exhaustive. For example, categories that were not tested included potential weaknesses related to counterfeit parts or industrial control systems.
Conclusion
The incidence of cyber attacks are on the rise, and the techniques and tools available to malicious actors are continuously evolving. It makes sense that the security of a nation’s existing weapons systems should be a very high priority. The revelations of the GAO’s report are disturbing, yet there is hope that the DoD will respond to the vulnerabilities discovered.