Category: Industries

Managing and Securing the Digital Classroom

The use of technology in classrooms has revolutionized the learning environment for both teachers and students. It democratizes education by allowing a greater number of resources to be available to a wider range of students. Textbooks are being replaced by digital devices and virtual classrooms, expanding the idea of the ‘classroom’ and enabling teachers to shift the education model to help students develop the skills needed for the digital future.
While there has never been a doubt that technology is beneficial to learning, there was less certainty about how to manage and secure the devices used by students. Heightening the situation, school districts usually operate with lean IT teams and limited budgets, leaving two big challenges to be solved:
1) how can schools rationalize and maximize technology budgets; and,
2) how can they ensure their technology is safe for students, educators, and staff?
Growing Budget and Keeping It
Finding the funds for technology in an already overburdened budget isn’t easy. Most school administrators know the key to securing funding is found in the results or strong learning outcomes. If students learn more, faster and with greater efficiency, digital classrooms are a no-brainer. The hurdle, however, is translating exactly how technology supports improved student learning and then communicating that fact with credibility.
In education, as is the case in every other industry today, data is required to make a strong business case for increased resources. Detailed student technology analytics is a key component to understanding device use and correlating that use to improved academic performance. Data provides you with the foundation for solid decision-making as well as a way to justify ROI and secure further budget. School boards and other stakeholders want to invest in technology for learning, but schools must prove that they are good stewards of that investment in order for it to continue.
Protecting At-Risk Devices and Data
With new technology comes added risk, including major data privacy concerns. Cybersecurity is now the number one priority for K-12 IT teams according to the latest K-12 leadership survey by COSN. In fact, there have been 479 cybersecurity incidents during the last two to three years, and schools with known one-to-one programs are often targeted by thieves. Kids themselves are also increasingly the victims of theft as they walk to and from school, or even within the school grounds.
In addition, students regularly lose or misplace devices which can lead to exposed sensitive information and/or unauthorized access to the school network. The theft or loss of a device has many repercussions. A stolen student device, school-owned or BYOD, greatly impact that student’s learning ability, as device replacement through insurance can take up to eight weeks.
Within K-12 specifically, the need to ensure that the content accessed by students is also sanctioned. If not adequately protected, the information contained on or accessed through these devices could pose threats that lead to data breaches and fines by the ICO.
Safe, Smart, Secure Schools
In order to sustain digital classrooms, technology must be managed and secured regardless of form, factor or operating system. In our highly mobile environment with devices continuously on-the-move and off the school network, persistent visibility and control is no longer a nice-to-have. It’s a must.
Read: Better Device Security in 3 Steps for Education
With one single solution, IT should be able to determine the status of each device, manage typical IT maintenance requirements, and take immediate security actions when required. This streamlined, automated management option not only provides important security but also improved operational efficiencies that can cut down on hundreds of IT hours.
It may seem like a steep curve, but it is possible to support the shift to digital learning while also helping to protect school districts’ investment in technologies. Absolute’s Persistence technology is embedded in the core of devices at the factory, providing a reliable two-way connection so that education organizations can confidently manage mobility, investigate potential threats, and maintain the safety of students who use these devices. Student Technology Analytics allows schools to prove the positive impact of technology to secure continued investment and ensure no student gets left behind.
It’s an exciting time to be an educator. Learn more about how Absolute is uniquely positioned to help manage and secure your Edtech investment in the IDC commissioned report, Student Technology Analytics: How K-12 Leaders Make the Case for Better Technology in the Classroom.

Better Device Security in 3 Steps for Higher Education

Universities and colleges have diverse challenges when it comes to risk management. To provide a progressive learning and research environment, broad, collaborative network access must be made available to a wide range of users. Decentralized data systems and countless user endpoints – that leave the campus daily – result in blurred perimeters.
To compound the issue, the vast amounts of personal information held by every higher education institution, as well as valuable intellectual property, makes education an attractive, high-value target for cyber criminals. And the sensitive nature of the data they keep also means education is highly regulated — which only ups the stakes for everyone. How can these institutions keep students and devices safe without sacrificing their charter?
Better Security in 3 Steps
When building a security program for your institution, start with what is most vulnerable – endpoints. Continuous visibility and control will deliver improvements, even when faced with a limited budgets.

Track and Manage Assets — Because you can’t secure what you can’t see, you first need visibility into all of your devices, their applications, and your users. Absolute’s patented Persistence® technology provides an unbreakable connection to every device, keeps inventory automatically up-to-date, collects hardware, software and geolocation data points, reveals waste and inefficiency, as well as pinpoints security risks and compliance failures.
Automate Security Agent Resilience — Examine endpoint resilience and compliance drift, and regenerate security controls — such as encryption, anti-malware, VPN, EDR or DLP — whenever necessary. With Absolute, endpoints become self-healing machines, capable of safeguarding the distributed data they contain, enabling IT to keep control of every endpoint and freeze or wipe it remotely at any time.
Maintain Continuous Compliance — Conduct ongoing and flexible checks according to a cybersecurity framework or your own standards. Specifically, many have found the NIST Cybersecurity Framework particularly comprehensive and worthwhile. (Watch this explainer video: NIST Cybersecurity Framework.) Absolute can help you identify where compliance may have failed and will restore controls that cause compliance drift when disabled or outdated.

On or Off the Network
No matter where your devices are, you need to see, understand and control your entire endpoint population at all times. The loss of sensitive information brings with it costly compliance fines but even more damaging, broken trust among students, educators and staff. Higher education data security isn’t always straight forward but step-by-step, progress can be made.
To learn more about how to identify your institutions sensitive data and improve both visibility and control over it, view Absolute for Higher Education. 

5 Cybersecurity Healthcare Tips

HIPAA Compliance Awareness During National Nurses Week 2019
If saving lives and caring for the sick aren’t already steep enough responsibilities, today, the sophisticated world of cybercrime has thrust the healthcare industry, and the medical professionals that work within it, into its crosshairs.
Healthcare and the Digital Workspace
That means on-the-go nurses — with laptops and tablets in hand that often contain sensitive, HIPAA-regulated data — are subject to all the cyber risks that apply to those devices. Healthcare organizations, like all businesses that are adapting to the modern digital workplace, need to see and understand the risks to endpoint devices and the data on them.
In recognition of National Nurses Week and to support all that is asked of these hard-working, caring professionals, here are a 5 tips for how healthcare organizations can apply a cybersecurity-centric mentality to the job.
5 Cybersecurity Healthcare Tips

Educate all staff — To mitigate the risk of employee mishap and misuse, train staff on the importance of data security. Implement a well-communicated policy on how and when to report missing devices, suspicious email trends and device irregularities and maintain enforceable repercussions for intentional infractions. Read: Healthcare Cybersecurity and Data Security in 2019 for insight into this year’s top threats.
Help the C-suite understand — Appoint a CISO or Data Protection Officer to be responsible for your organization’s data security. This person should oversee HIPAA compliance initiatives and ensure data security is a regular topic at Board meetings.
Take back control of your endpoints — When endpoints go rogue or become invisible due to faulty security agents, you need to act fast. Absolute’s proprietary Persistence® technology is embedded in the firmware of more than 70 percent of the world’s endpoint devices. Because it’s the only embedded security solution, it is the only cloud-based platform that maintains a persistent connection to devices, regardless of user behavior or device performance.
Add resiliency to security solutions — The 2019 Endpoint Security Trends Report found that more security does not equate to more secure devices. In fact, much of organizational endpoint security spend is wasted on solutions that simply don’t work due to missing or broken agents or disabled controls. Rather than throwing good money after bad, IT and security teams should instead strive to reduce complexity on the endpoint and focus on ensuring that existing security tools are fortified, more resilient, and less inclined to fail.
Get real about real-time evaluation and response — Your organization should be able to evaluate its security posture in real time to ensure all devices are patched for known vulnerabilities, whether on or off the network. When new vulnerabilities crop up (and they will), your IT team should be in a position to proactively address these emerging threats with data controls and/or patch distribution. According to a Ponemon study, 425 hours are wasted each week by IT teams chasing false negatives and false positives.

Focus on What Works
There isn’t a single checkbox healthcare organizations can make to secure data. Layering on all the security tools in the world won’t guarantee total data security either. Instead, maximize the resources you already have – your people, your processes and your controls. A concerted effort across each of these five areas listed above will provide a solid foundation from which to build for the benefit of patients, medical staff and the organization as a whole.
If you’d like to learn more about how to protect your organization and medical staff from today’s cyber threats, get our latest case study, Apria Healthcare Delivers Secure Health Solutions with Absolute.  And, in great appreciation for all healthcare professionals, we extend our heartfelt thanks.

In Clinic or In a Patient’s Home, Apria Healthcare Keeps Data Secure

Healthcare technology — which includes everything from medical staff tablets to monitoring devices, patient sensors and even prosthetics — is increasingly reliant on an interconnected network. The interconnectedness enables improved patient care but it also opens the door for added vulnerabilities. As cyber crime skyrockets across the healthcare industry, one of the nation’s leading home respiratory services and medical equipment provider, Apria Healthcare recognized the risks early on and implemented Absolute to better secure their patient data.
Headquartered in Lake Forest, California, Apria operates more than 400 locations servicing 1.8 million patients per year through in-home care and 24/7 clinical services. In order to support home-healthcare — by far the fastest growing healthcare sector at an annual growth rate of 7% largely due to its potential for improved care at a reduced cost — Apria’s 8,000 employees rely heavily on mobile devices. For Apria therapists to better access critical patient data while in a patient’s home and therefore deliver improved care, the organization deployed a fleet of tablets protected with Absolute.
Read: Why Data Privacy in Healthcare Matters
Unbreakable Visibility & Control
With Absolute Persistence® technology installed, Apria gained unbreakable endpoint visibility and control. They now have a reliable, two-way connection to each device and can remotely monitor the status of their devices to avoid a healthcare data breach. They can also track device location if one was ever lost or stolen.
To make that data meaningful, Apria has created several groups of employees based on their location and function, with automated alerts if details (like username or location) change unexpectedly. Apria is then able to investigate and remotely freeze or wipe the device, as needed.
“Each of our devices is tied to an individual,” said Janet Hunt, Senior Director, IT Quality & Support Services, at Apria. “With Absolute, we can establish groups that we categorize by employee, location, and function.”
Apria is now confident in their ability to see and control all of their devices and secure sensitive information, keeping them in compliance with HIPAA and other health regulations. They can track and report on inventory, device location and activity — no matter where the device is located.
“Absolute is the number one priority for our CIO,” Hunt said. I can’t verbalize how important this is to my company and how much more effective we’ve become at securing our healthcare data.”
To find out how the Apria Healthcare uses Absolute to secure patient information, gain visibility into device location and activity and improve access to patient care in the field, check out the case study or read up on our healthcare solutions.

10 Future-Proof Cybersecurity Tips for Healthcare

The threat of cybercrime can be felt most strongly where its impact is most acute. Although threats are very real to all industries – including critical infrastructure, government, financial services and others –healthcare has the biggest target on its back today. These threats have been steadily rising for many years and last year was no exception. See the 15 largest health data breaches of 2018. What can you do to bolster stay safe in 2019? Here are 10 future-proof cybersecurity tips for your healthcare organization.
Individual Impact
The impact of data breaches on organizations is significant, with healthcare data breach costs ranking the highest of any industry at $408 per breached record. But what about the impact to a patient? What happens when patient data is used in medical identity theft for years, only discovered when the collections agency comes calling? Or worse, when a patient receives incorrect medical care because the medical record is compromised by false updates? What happens to the patient who enters the hospital for care only to find all hospital systems shut down by ransomware? What happens to the patient if his pacemaker or MRI machine is hacked?
Risky Technology
Healthcare technology is continually advancing with the goal of improving patient outcomes, and yet many technologies are being deployed before security concerns can catch up. We trust that we’ll receive the best care possible from our doctors, but we’ve only just begun to feel the impact of cybersecurity threats on patient care. So, what can healthcare organizations do to improve this escalating situation?

Review all contracts — Healthcare organizations today are large and complex systems, with many ‘smaller’ entry points through partner systems or vendors. Security standards must be reviewed regularly and a process put in place to promptly report data breaches by all partners and vendors. Organizations should make sure that they have the contractual rights to insist on security standards for vendors.
Formalize breach notification process — Include both detection and response capabilities and consider purchasing special insurance. Under GDPR requirements, organizations must report a data breach within 72 hours. Read: 5 Tips for Compliance Officers Dealing with GDPR.
Rehearse your data breach plans — Make sure your organization can report on the consequences of a breach in a timely manner.
Maintain endpoint visibility — Ensure firmware and software can be updated against vulnerabilities and alerts can be issued if a device goes missing, misses an update or shows signs of tampering.
Protect legacy technology — The reality of limited budgets in healthcare means that many legacy systems remain unsupported and that could place the entire network at risk. Isolating these systems or building protections around legacy systems can serve as a temporary safeguard until systems can be modernized.
Automate detection and response capabilities — A recent Ponemon study found that traditional endpoint security approaches are costing enterprises more than $6 million in poor detection, slow response and wasted time. Security solutions should be automated to detect and contain threats with minimal human input or intervention.
Add resiliency to security solutions — How can you ensure that your current security controls cannot be tampered with by malicious or insider activity? This resiliency is available through Absolute’s persistence technology.
Help the C-suite understand — Appoint a CISO or Data Protection Officer to be responsible for data security and ensuring data security is a regular topic by the Board, a key differentiator in reducing security gaps.
Educate staff — Train them on the importance of data security to mitigate the insider threat. Have a well communicated policy on how and when to report lost devices or suspicious texts or emails and enforceable repercussions for infractions.
Conduct regular compliance reviews — GDPR lays out stringent data protection requirements, as does HIPAA and HITRUST. Be proactive in identifying and rectifying issues. Read: HIPAA Compliance Checklist for 2019

Patient medical records are now the #1 target for cyber criminals. And healthcare organizations are legally required to protect their PHI, even as it leaves their systems and goes to other covered entities.
For more on how you can prevent data breaches, read about actionable strategies in the whitepaper, Data Breach Prevention for Healthcare: A Best Practice Guide.

Why Data Privacy in Healthcare Matters

Data privacy in healthcare is much more than a regulation checkbox. It directly correlates to a sustainable, successful global healthcare system. In the continuous battle for better patient care and a business model that makes healthcare more affordable, information is king.
The Rising Cost of Healthcare
According to a study published by the Journal of American Medical Association (JAMA), the rising cost of healthcare is due to five primary factors:

Population growth
Population aging
Chronic disease prevalence
Use of medical services
Service price and intensity (i.e. pharmaceutical drug prices)

These factors drive healthcare spending – which is skyrocketing. By 2022, global healthcare spending is expected to reach to just over $10 trillion annually worldwide. In the U.S. alone, healthcare spending rose nearly a trillion dollars over the past ten years.
The rising costs hurt consumers of course (as anyone who has been to the doctor lately can tell you), but they are also a painful reality for healthcare organizations. Administrators must determine how to deliver the best possible patient care, while remaining in the black.
Data is the New Healthcare Currency
In the search for a more sustainable business model to meet these competing demands, many geographies, the U.S. included, are now seeing an industry shift from the volume-based, fee-for-service model to a more patient-centric, value-based approach. The rationale behind it is that a sick person is already an expense; whereas to focus on wellness, prevention and early intervention is a mutually-beneficial partnership that reduces costs over the long-term.

To deliver on value, healthcare organizations must rely heavily on digital technologies, clinical innovations, virtual care and plenty of patient information. At this intersection, we find the increasingly-common phrase, ‘data is the new healthcare currency.’ For this reason, data privacy belongs at the center of any conversation about the business of health care.
Patients expect it. Regulators require it. Your reputation depends on it.
Valuable Data in a Growing Attack Vector
Beyond the value healthcare providers assign data for the purpose of patient care, cybercriminals also find great value in healthcare data records. One report says electronic healthcare records (EHR) are valued at $250 per record on the black market compared to the next highest priced record – a credit card – at just $5.40. With that kind of money in play, healthcare is a particularly attractive target for most hackers. It makes sense, then, that healthcare organizations see an average of 32,000 intrusion attacks per day, per organization as compared to 14,300 attacks per organization in other industries.
And the possibilities for cybercriminals to attack are growing as healthcare organizations’ threat surface expands. Caregivers and employees are more mobile, partnerships with third parties are more common, and medical devices are increasingly complex with new IoT technology.
Read: Are Hacked Medical IoT Devices Ransomware’s Next Target?
Cost of a Data Breach
An attempt at your data is likely, and once breached, it will be costly. In their Annual Cost of a Data Breach Study 2018, the Ponemon Institute identified breach resolution costs (including detection and escalation, notification, post data breach response and lost business) to be highest for the healthcare out of any industry by far at $408 per record. The industry ranked second is financial services at a considerably lower price point of $206 per record.
These numbers don’t include regulatory fines that inevitably result with a confirmed breach. How non-compliance is handled is unique county-to-country but none of the fines come cheap. As regulations continually evolve and penalties multiply, it’s clear that data privacy needs to remain a top priority.
To learn more about how to avoid a costly breach and embrace the digital healthcare revolution, download the whitepaper: The Cost of a Data Breach in Healthcare.
 

Healthcare Cybersecurity and Data Security in 2019

Healthcare has rapidly evolved from a traditionally paper-based industry to one that has embraced digital in almost every way. The growth of technology and patient care has subsequently thrust the industry into the spotlight when it comes to protecting sensitive information.  Healthcare cybersecurity and data security in 2019 is one of the top issues facing the healthcare industry.
State of Cybersecurity in the Healthcare Industry
The amount of endpoints on healthcare networks is growing exponentially, especially with the popularity of both personal and corporately-owned mobile devices. Add in a host of IoT devices such as printers and smart appliances, and the potential for trouble is significant. The good intention motivating these devices is improved productivity. However, when you combine the device proliferation with healthcare organizations’ legacy systems and inadequate security budgets, it becomes a pervasive interoperability problem.
To make matters worse, employees who lose devices or see them stolen, click on a phishing link or inadvertently send Personal Health Information (PHI) across insecure channels only exacerbate the issue. You’re left with a recipe for embarrassing, costly leaks of sensitive data — not to mention the likelihood of hefty fines from HIPAA and HITECH regulations.
The need for better endpoint visibility and control has never been greater.
Why is Data Security the Biggest IT Concern for Healthcare Organizations?
While there are countless complex challenges facing healthcare IT professionals, it’s almost unanimous that security is at the top.
By widely adopting electronic information systems, any organization that does business in the healthcare industry has increased its risks regarding sensitive patient data protection. This is not lost on hackers, who have adapted their methods and tactics to monetize their attacks by seizing control over healthcare data, encrypting data and asking for ransom. This attack, known as ransomware, hits the healthcare industry particularly hard.
The pervasive vulnerabilities that threaten our ability to protect confidential data is a huge concern for healthcare decision makers. The numbers explain why.
The Protenus Breach Barometer for the third quarter of 2018 reports a total of 4.4 million patient records compromised in 117 health data breaches, with the number of affected patient records increasing in each quarter.
According to the Cost of a Data Breach Report conducted by the Ponemon Institute and IBM, the average healthcare data breach costs $408 per record — the highest of any industry for eight straight years. At almost triple the cross-industry average of $148 per record, it is obvious that cyber and data security is one of the most critical concerns for the industry.
Perhaps the biggest concern, however, is this: as organizations place more medical devices onto their networks, those IoT devices are also vulnerable to attack, and can even endanger the lives of their patients.
Most Common Cybersecurity Threats in Healthcare
The number of threats facing the healthcare industry is only going up. We’ve touched upon a few of the main threats already, but it’s a good idea to categorize them into four main groups — all of which can jeopardize PHI or ePHI, the cornerstone of healthcare data.
Ransomware
We discussed ransomware in the previous section, and because it dwarfs all other types of cyber-attacks facing healthcare companies, we’re listing it first.
Security experts agree that phishing emails, the primary method for launching a ransomware attack, will persist and prey on the healthcare sector.
Insider Threats
This one may not seem as obvious, but the threat is real.
So real, in fact, that a Verizon 2018 Protected Health Information Data Breach Report by Verizon found healthcare to be the only industry in which internal actors represent the biggest risk to an organization. The study also reports 58% of all healthcare data breaches and security threats are caused by insiders, anyone with access to healthcare resources and important data. 
IoT Healthcare Attacks
As Internet-connected medical devices are adopted on a much grander scale each year, IoT is going to be a huge issue for healthcare. On the one hand, hospitals and other providers benefit from IoT’s medical advancements and infrastructure improvements. On the other hand, most IoT devices are not built with cybersecurity as a default.
In fact, hacked medical IoT devices may be used to launch ransomware attacks.
Due to the severity of risks involved, IoT security mustn’t be overlooked.
Supply Chain Attacks
You may have the best security in your organization or network, but what about your suppliers, service providers, partners, or business associates who have access to your data? Those networks or systems may not be as secure. Hackers can and will focus on these weaker networks.
A supply chain attack is when a hacker exposes one of the weak links in your supply chain and leverages it as a form of indirect access into your network. Hackers are always looking for backdoors, and the supply chain is often their way in, either through insecure networks, software or hardware.
Interesting fact: in a recent CrowdStrike survey, 84 percent of healthcare respondents agree that “software supply chain attacks have the potential to become one of the biggest cyber threats to their industry.”

3 Ways to Improve Healthcare Data Security
Maintaining control over critical PHI or other sensitive data isn’t easy, but if healthcare organizations make a concerted effort to follow these three approaches they should be ahead of the game.
1. Take Back Control Of Your Endpoints
When endpoints go missing or show cause for concern, you need to act fast and smart. Failing to act quickly puts you at risk of exposing your organization to ransomware attacks and security breaches.
The fact is, laptops at a healthcare organization often go missing for months before the loss is detected in a yearly IT audit. Your efforts need to be focused on reshaping this critical flaw in oversight. When a device misses an update, goes missing or shows signs of tampering, you need to make sure red flags go up immediately so you can deal with it ASAP.
2. Strengthen Your Security Posture
Organizations should consider investing in endpoint controls and applications to protect their most critical assets. In doing so, you ensure your applications are running smoothly and have not been tampered with. Critical applications such as VPN, antivirus, encryption, device management and other controls are too easily compromised by malware, corruption or negligent users and often leave IT and security pros flying blind.
Improving visibility and control to the endpoint can help patch these holes in a healthcare security environment that might otherwise render existing and new security layers ineffective.
3. Get Real About Real-Time Evaluation and Response
Your organization should be able to evaluate its security posture in real time to ensure all devices are patched for known vulnerabilities, whether on or off the network. When new vulnerabilities crop up (and they will), your IT team should be in a position to proactively address these emerging threats with data controls and/or patch distribution.
According to a Ponemon study, 425 hours are wasted each week by IT teams chasing false negatives and false positives. By following these approaches, it’s estimated organizations can save an average of $2.1 million annually in time saving. Even better, they’ll have a greater chance of preventing a costly breach.
Finally, risk analysis should be an ongoing process that checks the following boxes for covered entities: regularly review records to track access to ePHI and detect security incidents; periodically evaluate the effectiveness of security measures put in place; and regularly re-evaluate potential risks to ePHI.
We hope you’ve found several takeaways here, and are in a better position to improve your healthcare cybersecurity posture. If you need more strategic tips, be sure to check out our HIPAA Compliance Checklist for 2019.

Avoid Security Breaches in Healthcare with Data Visibility

Security breaches in healthcare are rampant. Just one month into 2019 and the Office for Civil Rights (OCR) already has plenty of new Health Insurance Portability and Accountability Act (HIPAA) compliance violations to investigate. The well-known ‘wall of shame’ data breach portal shows that in January alone more than 350,000 individuals have had their protected health information (PHI) compromised by a data breach. The reported causes of these healthcare security breaches are:  hacking, theft of lost/stolen devices, unauthorized access/disclosure, and improper disposal.
The Cost of a Healthcare Data Breach
Healthcare IT security continues to be a growing issue. Not only has the number of victims increased, so has the cost to those involved. According to Ponemon Institute, healthcare data breach costs are the highest of any industry at $408 per record. In 2018, we saw the largest fine ever handed out by the OCR since they began enforcing HIPAA compliance when health insurer Anthem Inc. was ordered to pay $16 million in October.
Read The Cost of a Data Breach in Healthcare
Why is healthcare hit so hard? Healthcare is data and all of it – personal, familial and financial information – is highly valued by cyber criminals. Add to that the organizations themselves are typically large, distributed, and often encumbered by legacy systems and/or inadequate security budgets, making them an easy target in too many cases.

Faced with these and other challenges, it is increasingly important that healthcare organizations make the most of their security investments. But that doesn’t that mean layering on every new tool is the right answer —for strong security or for compliance. Many organizations wrongly assume that deploying a host of security technologies inevitably ensures compliance when, in reality, the safer bet is to start with the data and knowing where it resides.
The Burden of Proof for HIPAA Compliance
To be HIPAA compliant, the Department of Health and Human Services (HHS) requires that covered entities specify “technologies and methodologies that render PHI unusable, unreadable, or indecipherable to unauthorized individuals,” through either encryption and/or destruction. It falls to healthcare organizations to supply proof of data encryption or proof of destruction in order to avoid being liable for non-compliance.

The challenge is that you can’t secure (in this case encrypt) or validate for devices you can’t see. Visibility into the health and efficacy of your endpoints is a key element in remaining HIPAA compliant. Identifying all of your endpoints —even those that are inactive — also happens to be the starting point to a solid security program too.
Devices are re-imaged, users disable apps, registry files become corrupted, and devices leave the protection of the network. All of these ‘dark’ devices remain outside the control of IT, posing a significant threat to data security and HIPAA compliance. Moreover, in the event of a security incident, these devices may no longer have the technology needed to prevent the incident from escalating to a full-scale data breach.
Would you be able to validate your data security at the exact moment of an incident? Quantify the extent of your organization’s dark endpoint problem by starting with this free assessment. And, if you would like more information on effective steps to protect your healthcare data, watch this webinar with Absolute and SANS Institute, 7 Steps to Protecting Data in the Era of Digital Care.

What is HIPAA Compliance and Why is it Important to Healthcare Security?

If you are involved with the healthcare industry, you’ve probably heard of HIPAA, the Health Insurance Portability and Accountability Act. Regulations and best practices surrounding HIPAA can be confusing, but it’s critical that anyone connected to the healthcare industry understand at least the basics.
So we’re here to break things down for you.
First, and perhaps most important, is to answer one of the most commonly asked questions:
What is HIPAA compliance?
HIPPA Compliance Definition
Through ongoing regulations, HIPAA compliance is a living entity that health care organizations must implement into their business in order to protect the privacy, security, and integrity of protected health information. HIPAA compliance requirements are discussed near the end of this post.
Before we continue, three more acronyms need to be highlighted which figure prominently in the definition:

PHI = Protected Health Information
HHS = Department of Health and Human Services
OCR = Office for Civil Rights

HIPAA’s regulatory standards were created to establish the legal use and disclosure of protected health information (PHI). The Department of Health and Human Services (HHS) regulates compliance, and the Office for Civil Rights (OCR) enforces compliance.
The OCR also provides ongoing guidance on developments affecting health care and is responsible for investigating HIPAA violations.
Need a HIPAA compliance checklist? Absolute’s got you covered! 
Decoding PHI
While HHS and OCR are self-explanatory, PHI requires further explanation.
Protected Health Information (PHI) is the combination of one’s identifying information — such as your name or address) — and any health-related data collected from a healthcare practitioner or facility, such as your medical record, any conversations with providers, or billing/insurance information.
PHI is anything that contains both your Personally Identifiable Information (PII) and your health information.
For example, if we know that Sheldon Cooper is diagnosed with obsessive-compulsive disorder, that’s PHI. Why? Because it contains PII — Sheldon Cooper, and also health information — obsessive-compulsive disorder. Sheldon’s PHI would, therefore, be protected by HIPAA.
One more definition: ePHI, electronic protected health information, is when PHI is transmitted, stored, or accessed electronically. ePHI falls under the HIPAA Security Rule, a HIPAA regulation addendum which came into effect to address the rapid changes in medical technology and how health records are stored.
Why HIPAA is Important
There are countless reasons why HIPAA is important, but the key takeaways are these: it aims to ensure privacy and confidentiality; it allows patients access to their healthcare data; and also reduces fraudulent activity and improves data systems. It all boils down to data security.
For healthcare organizations, HIPAA provides a framework that safeguards who has access to and who can view specific health data while restricting to whom that information can be shared with. Any organization dealing with PHI must also have physical, network, and process security measures in place to be compliant.
Even subcontractors and any other related business associates must be compliant.
HIPAA is there to protect individuals and to ensure everyone has full access to a copy of their personal medical records. It is ultimately a civil rights issue. It mandates data protection for anyone who creates, stores, transmits or uses individually identifiable health information.
All healthcare entities and companies which handle, store, maintain, or transmit patient health information are expected to be in complete compliance with the regulations of the HIPAA law.
By adhering to HIPAA laws, providers can save millions of dollars annually just by properly managing security risks.
David Harlow, an attorney, and consultant specializing in healthcare data and digital health matters, states that HIPAA should be seen as the minimum standard regarding privacy and security standards and protections. “Simply complying with HIPAA is not enough,” he said. “There are more stringent state laws (which vary, state to state) and some industry best practices which are more protective of patient data.”
What are HIPAA Guidelines
With HIPAA, there’s a lot of information to digest when it comes to the guidelines providers must follow to be compliant. What’s most important — and what we will be focusing on — is to clarify what HIPAA violations are, as well as to define what it means to be HIPAA compliant.
For specific guidelines, we recommend the official HIPAA site — a useful resource from the U.S. Department of Health & Human Services.
HIPAA Violations
A HIPAA violation occurs when there is a breach of an organization’s compliance program in which the integrity of PHI or ePHI is compromised.
It’s important to note that data breaches are not the same as HIPAA violations. A data breach can also be a HIPAA violation, but only when that breach is caused by a breakdown in the HIPAA compliance program or by a specific violation of an organization’s HIPAA policies.
For example, a data breach would be if a laptop belonging to an organizations’ doctor is stolen and that laptop contains unencrypted access to medical records. If that organization did not have a policy which stated laptops couldn’t be taken offsite then it would also be a HIPAA violation.
According to Harlow, publisher of HealthBlawg, enforcement of violations is likely more limited to cases in which there has been a data breach. In his definition, a data breach is when PHI is released to or obtained by a third party without the patient’s authorization, other than for purposes of treatment, payment or healthcare operations.
“We can learn from cases where the OCR has entered into settlement agreements with Covered Entities (practitioners) or Business Associates (third parties) that have experienced data breaches,” he said. “The settlement agreements are made public, together with case summaries. From my perspective, it is critical that the regulated community understand and appreciate that the weakest link is the often the human link.”
One data breach we can all learn from is the Anthem Insurance Company hack, which relied on an unsuspecting employee clicking on a link in a phishing email.
“Staff must be trained and tested, and systems and failsafes must be put into place,” said Harlow. “Hundreds of millions of dollars of remediation costs, class action settlement payments and fines were paid out by Anthem as a result of that click.”
He advises that the government does not discriminate when enforcing the rules, as they will fine the small entities along with the large companies. Perhaps not in millions of dollars, but significant sums nonetheless.
To further break down the takeaways from healthcare security breaches, you’ll find some great lessons here from Josh Mayfield, Absolute’s Director of Security Strategy.
Finally, it’s critical to point out that if you’ve been breached, you need to report the breach in a timely manner. In 2017, OCR brought about its first HIPAA settlement for a violation of the Breach Notification Rule levying a $475,000 fine against Presence Health for failure to properly follow the rule.
Common HIPAA violations include:

Stolen smartphones, laptops or USB devices
Cyber hack or attack, including malware incidents and ransomware attacks
Business associate breach
Electronic health record (EHR) breach
Office break-in
Sending PHI to the wrong patient/contact
Discussing PHI outside of the office
Social media posts

HIPAA Compliance Requirements
This compliance list represents a baseline for processes that businesses should be following:

Self-Audits
Remediation Plans
Policies, Procedures, Employee Training
Documentation
Business Associate Management
Incident Management

While all of these are important, Harlow recommends focusing on the need to address the privacy and security of PHI holistically, through continuous review and improvement of systems, policies and procedures, training and implementation.
“This is not a ‘set it and forget it’ sort of compliance exercise,” he said. “I would also emphasize that the HIPAA rules are written as flexible standards that are to be implemented based on the size and nature of the covered entity or business associate.” For instance, Amazon’s compliance program for its HIPAA-compliant cloud services will not be the same as the compliance program implemented by a multi-specialty physician practice.
At the end of the day, complying with HIPAA regulations may seem tedious, but in today’s threat landscape we all need to practice proper security hygiene anyway to protect ourselves.
The ramifications of not doing so are too severe to ignore.
We’ve covered plenty of ground, but to learn even more about achieving HIPAA compliance and how Absolute can help your business, download our white paper here.

HIPAA Compliance Checklist for 2019

HIPAA was adopted in 1996 and since then, Covered Entities (CEs) have been required to protect individuals’ personal health information or face hefty fines for non-compliance. The U.S. Health and Human Services Office for Civil Rights (OCR) enforces HIPAA; the fines they have issued have grown exponentially in recent years.
Anthem, one of the nation’s largest health benefits companies, paid a record $16 million in 2018 for a data breach that exposed the electronic protected health information (ePHI) of 79 million individuals. The next largest settlement was $5.5 million paid by Memorial Healthcare Systems in 2017 for the inappropriate access of PHI of 115,143 individuals.
With increasingly severe HIPAA non-compliance fines on the line, healthcare organizations must exercise extreme diligence in the protection of PHI. But it isn’t an easy task. Compliance requires that CEs adhere to two primary rules: the HIPAA Privacy Rule, which details which data must be protected, and the HIPAA Security Rule which establishes how that data is protected.
The Privacy Rule defines identifiable health information as demographic data that relates to:

an individual’s past, present, or future physical or mental health or condition
the provision of healthcare to the individual
the past, present, or future payments for the provision of healthcare to the individual

The Security Rule outlines three categories of safeguards – administrative safeguards, physical safeguards and technical safeguards – to help you ensure data is protected and standards are followed accordingly.
Achieving and maintaining HIPAA compliance requires both thoughtful security and ongoing initiative. While there is some irony in providing a compliance checklist when we often hear ‘compliance is much more than checking a box,’ there are program elements that can – and should – be checked off. When marked complete, your level of confidence in your organization’s HIPAA adherence will increase.

The below 7 areas have been excerpted from the OCR’s recommended essential elements of an effective HIPAA compliance program.
Complete the following assessments / audits and be able to provide all appropriate documentation that they have been conducted for the past 6 years.
[ ] Security Risk Assessment
[ ] Privacy Assessment
[ ] HITECH Subtitle D Audit
[ ] Security Standards Audit
[ ] Asset and Device Audit
[ ] Physical Site Audit
Educate staff.
[ ] Have all staff members undergone annual HIPAA training, and do you have documentation to prove that they have completed annual training?
[ ] Is there a staff member designated as the HIPAA compliance, privacy and/or security officer?
[ ] Have all staff members received security awareness training and do you have documentation to prove they have completed it?
[ ] Do you provide periodic reminders to reinforce security awareness training?
Conduct risk analyses to assess whether encryption of electronic protected health information (ePHI) is appropriate and provide documentation on the decision-making process.
[ ] If encryption is not appropriate, have you implemented alternative and equivalent measures to ensure the confidentiality, integrity, and availability of ePHI?
[ ] Have you implemented controls to guard against unauthorized accessing of ePHI during electronic transmission?
Implement identity management and access controls.
[ ] Have you assigned unique usernames/numbers to all individuals who require access to ePHI?
[ ] Is access to ePHI restricted to individuals that require access to perform essential work duties?
[ ] Have you implemented policies and procedures for assessing whether employees’ access to ePHI is appropriate?
[ ] Have you developed policies and procedures for terminating access to ePHI and recovering all electronic devices when an employee leaves an organization or their role changes?
[ ] Does your system automatically logout a user after a period of inactivity?
Create and monitor ePHI access logs.
[ ] Routinely monitor logs to identify unauthorized accessing of ePHI.
[ ] Implement controls to ensure ePHI may not be altered or destroyed in an unauthorized manner.
Develop policies and procedures for the secure disposal of PHI.
[ ] Develop policies and procedures for rendering PHI unreadable, indecipherable and incapable of being reconstructed.
[ ] Develop policies and procedures for permanently erasing ePHI on electronic devices when they are no longer required.
[ ] Ensure all devices that store PHI are stored securely until they are disposed of in a secure fashion.
Define a clear process for security incidents and data breaches.
[ ] Ensure you have the ability to track and manage all incident investigations.
[ ] Be able to provide the required reporting of minor or meaningful breaches/incidents.
[ ] Implement a procedure by which employees may anonymously report a privacy/security incident or potential HIPAA violation.
Successfully completing this checklist does not guarantee your organization is HIPAA compliant – nor does it ensure that your organization will avoid potential data breaches. However, it will get you off to a very good start. For more information on implementing a successful program, download our whitepaper: Achieving HIPAA Compliance: Your Guide to Avoiding HIPAA and HITECH Penalties. 

Loading

Categories