April 19, 2024 This week, we’ve gone through what makes HIPAA, well, HIPAA. HIPAA, or the Health Insurance Portability and Accountability Act of 1996, comprises three rules. These rules include: Today, we’re talking about the Security Rule. Trust us, we know that compliance jargon can get complicated. That’s why we’re here to make it simple. What’s the Security Rule? Let’s kick it back to the totally rad 90s to give more insight. The year is 1996, and we’re entering the digital age. While we fought with dial-up and AOL was all the rage, more and more Electronic Protected Health Information (ePHI) was being created and transmitted digitally. HIPAA was signed into law because of this technological boom, needing federal guidance on the protection of health information with each new innovation. As a result, a part of HIPAA, the Security Rule was born. The Security Rule establishes the standards for how ePHI needs to be protected. This includes the administrative, physical, and technical safeguards to ensure ePHI is secure, remains private, and accurate. Building a Fortress Administrative safeguards are the first line of defense when it comes to protecting patient data. Administrative safeguards are policies and procedures that your practice or business does to ensure compliance and protection of ePHI. The Security Risk Analysis (SRA) is a classic example of an administrative safeguard. This proactive measure helps practices and business identify their risks and vulnerabilities when it comes to protecting PHI. The SRA is required under the Security Rule. Training also falls under administrative safeguards, ensuring all staff is knowledgeable and up-to-date with best practices to remain HIPAA-compliant. Keep it Secure You wouldn’t leave your keys lying around, would you? The same goes with PHI. Physical safeguards include a range of measures to secure ePHI. Common examples of the appropriate physical safeguards include: Tech Talk Now, alongside physical safeguards, technical safeguards are key to keeping ePHI safe. We hate to break it to you, but a lock isn’t going to protect your ePHI when there’s a hacker across the globe trying to breach your ePHI! Common examples of technical safeguards include: Covered Entities and Business Associates can get on track with these proper safeguards by working with your IT department or an IT partner. How Abyde Can Help Phew! Who knew HIPAA could get so complicated? Well, Abyde is here to save the day, simplifying the compliance process for your organization. Abyde’s software is tailored to fulfill HIPAA regulations, including an intuitive SRA, entertaining training, custom policies and procedures, and more. The Abyde software is here to make sure you Never Stress Over Compliance Again! If you are looking for an IT partner to assist you in implementing technological safeguards, we can also help with that, too! We have numerous IT partners who specialize in healthcare, knowing what you need to be secure. Reach out to info@abyde.com and call 1.800.594.0883 to find your next IT partner. To learn more about HIPAA compliance, email info@abyde.com and schedule an educational consultation here for Covered Entities and here for Business Associates.
Abyde Feature Week: Scorecard
March 19, 2024 Welcome to Feature Week! Whether you stayed tuned from last week, or are a first-time reader, we are celebrating the features that Abyde offers to make it easy for your practice to stay compliant. Yesterday, we highlighted Abyde’s state-of-the-art Security Risk Analysis (SRA), turning a complicated evaluation of your business’s compliance practices into a simple questionnaire that can be completed in minutes. Once your SRA is done, the Scorecard comes into play. Get comfortable and stay tuned on how this feature can make HIPAA a breeze for your business. Keeping Score Whew!, That SRA wasn’t so bad, right? So, what’s next? This isn’t a scorecard like in golf but is a hole-in-one when it comes to monitoring your compliance practices. The Scorecard is a review of your answers to the SRA and gives your business a thorough explanation of how your current practices hold up against regulations, and what your organization can do to improve. The SRA is like a coach’s playbook, outlining the game plan for HIPAA compliance. The Scorecard is this plan in action, like reviewing your game tape, seeing what you need to improve and what vulnerabilities you have as a business. This scorecard is easy to review and gives your business the risk levels of your current practices. Each question is unique, and some practices are more critical than others. For instance, only changing your password every six months is not ideal, but not as risky as not encrypting your files. Unfortunately, some practices will never be ‘low risk’, even if they are not wrong just because there’s always the chance of human and technological errors. For instance, numerous employees working remotely while handling Protected Health Information (PHI) is always going to be riskier than all PHI staying in one location. Impacted by a breach? You can easily show proof of a Security Risk Analysis by downloading the Scorecard in the software, showing the government that you take HIPAA seriously. You can also see every version of your Scorecard in the software, seeing how your path to compliance has gotten easier with the help of Abyde. Ready to keep your HIPAA compliance score? Reach out to info@abyde.com and schedule a demo here for your business.
Abyde Feature Week: Security Risk Analysis
March 18, 2024 For some, this might be Spring Break, but we have something even more exciting planned: Feature Week! Throughout this week, we are going to share the amazing things we have to offer Business Associates (BAs) for HIPAA compliance. I know that Spring Break and software features might seem like worlds apart, but somehow at Abyde, we make compliance and simplicity go hand in hand. So, get comfortable, fix your beach chair, grab a drink, and see how Abyde can make your compliance journey easy with our Security Risk Analysis (SRA). What is a Security Risk Analysis (SRA)? A Security Risk Analysis (SRA) is a required assessment of risks and vulnerabilities of how Protected Health Information (PHI) is handled. The quick 411– PHI is identifiable information about a patient, like a social security number, medical records and more. The Security Risk Analysis, established in the Security Rule, is an overall evaluation of how your business properly protects PHI, ranging from how often you change the passwords on your systems, to security alarms on the door of the business. This assessment is required, and organizations’ lack of one is a common HIPAA violation. Last year, a BA was fined $100,000 by the Office of Civil Rights (OCR) after they were impacted by a ransomware attack. One of the first things the OCR looks for is an SRA. As you might’ve guessed, there was no SRA in place, contributing to the hefty fine. How Abyde can help There’s A LOT of information to go through, and it might be overwhelming. That’s where our simplified Security Risk Analysis comes in. With Abyde, you can now analyze your processes without needing to hire a consultant or trying to audit yourself by referring to tons of paperwork. Before Abyde, an SRA could take weeks. With Abyde, it takes minutes. Our simple questions get straight to the point, and if you don’t know the answer to something? Don’t worry! You can mark the question and it will come back up later in our Ongoing Questions section on the dashboard, or call our team of compliance experts for help. Abyde is here to make compliance simple. It’s what we do best. Stay tuned for the next day in our feature week: our Scorecard. To learn more about the features of the Abyde software, email us at info@abyde.com and see the software in action by scheduling a demo here for Business Associates and here for Covered Entities.
Change Healthcare Breach: What We Know Now
March 14, 2024 BREAKING NEWS! Your friends at Abyde are right back at you with an update on the Change Healthcare breach. Check out our first blog post on the breach here! Now, to quickly bring you up to speed, Change Healthcare, a division of United Healthcare, was impacted by a ransomware attack. This ransomware attack is like nothing we’ve ever seen, and being called the most significant attack on our healthcare system of all time. This ransomware attack was disastrous, taking Change Healthcare systems offline, and making it impossible for healthcare providers to check for insurance eligibility, see new patients, properly process prescriptions correctly, and much more. Now, it’s been several weeks since the initial attack, and we have the latest scoop for you. What’s going on now? Well, now here comes the fallout. While some of the systems have been able to get back online, like pharmacy functions, Change Healthcare is still not 100%. This has been detrimental to healthcare providers, and is costing them $100 million a day! Now, I know that’s gotta hurt. Now, the lawsuits are starting to roll in. Now, multiple class action lawsuits have been filed against Change Healthcare/United Healthcare due to its inadequate security systems and how it’s been handled. Unfortunately, in this attack, it’s highly likely Protected Health Information (PHI) is in the hands of criminals. In this ransomware attack, over six TB of stolen data was encrypted by the deceptive hackers. So, these lawsuits are just getting started. The government is also involved in this breach, investigating the causes and effects of the ransomware attack. The FBI has run into this group of hackers before and has taken some of their servers offline, causing many to think this attack was of vengeance. The Department of Health and Human Services also came together to discuss and address the impact of the cyber attack for more to come. As of yesterday, March 13, the Office of Civil Rights also released a statement of beginning their investigation of the attack. It’s safe to say this is far from over, and it’s been a tough month for United Healthcare. What should I do? To keep up with the news, we recommend you follow our news page, where we release the newest updates in compliance news and the best tips for your practice or business. To keep up with the Change Healthcare system updates, you can follow this page here. To keep your practice or business safe, and avoid this hot water that United Healthcare found itself in, it is essential for you to proactively protect your organization. This includes working with an IT company, employing firewalls, encryption, and of course, having compliance software like Abyde. Abyde is your one-stop shop when it comes to compliance management, allowing you to evaluate your risks and address them before it’s too late. Need documentation in order? Yeah, all in the software. Oh and – let me stop you right there, yes, we also dynamically generate our personalized policies and procedures, so don’t worry about writing them. And if you experience a breach? We’re here for you. We have an awesome team of compliance experts here to help you navigate any situation, so you’re not alone. Want to learn more about compliance? Reach out to us at info@abyde.com and schedule a compliance consultation here for Covered Entities, and here for Business Associates!
Yikes! My Files Are Kidnapped!: What is Ransomware?
March 7, 2024 Ransomware. Even the name sounds ominous! With the Change Healthcare ransomware attack, you might have heard a lot about ransomware in the news lately. While the effects of the attack are wreaking havoc on the healthcare system, you might be wondering what this notorious ransomware is all about. Well, you’ve come to the right place! We’re here to educate you on ransomware and how your practice or organization can be prepared for this cybercrime. What is it, exactly? Ransomware is a form of malware, or malicious software, that encrypts the files of a victim and requires a ransom to access files again. This is a very common way hackers infiltrate healthcare systems and over 4,000 ransomware attacks occur a day! If you’re confused about how ransomware works, here’s a simple example: Dan the Doctor was having an alright day, and then he got an email that went to his practice that he thought would turn it into the best day of his life! The email said he won 20 million dollars! All he had to do was click the link in the email to receive it. He clicked it as soon as possible, already dreaming of spending the rest of his life on the beaches of Hawaii. Spoiler alert: his day was going to get a lot worse. As he clicked the link, ransomware began its sinister magic: encrypting patients’ protected health information (PHI). He couldn’t believe what he did, putting his patients and his practice in jeopardy. Then, to get access to these files again, he had to pay thousands of dollars, or these files would be put online, putting his innocent patients even more at risk. His dreams of Hawaii turned into a very hurt wallet and his patients at risk. While you might think that could never happen to you: email scams, or phishing, are the most common way ransomware attacks are sent. Our simple example is just a story, but it happens often in the healthcare field. For example, the most recent major cybercrime is the ongoing Change Healthcare ransomware attack, in which they paid 22 million dollars in ransom! The OCR is also beginning to fine practices and organizations that do not take the proper precautions against ransomware attacks. The first ransomware attack fine was announced in October, costing the Business Associate (BA) $100,000 in HIPAA fines. What do I do? Now, while ransomware attacks have become extremely prevalent, with a 278% increase in ransomware breaches reported to the OCR, there are precautions you can take. Working with an IT company is key for your practice or business, with prevention being the first line of defense. This includes things like encrypting your files, keeping all software up-to-date, having firewalls, antivirus and more. Additionally, working with a compliance program like Abyde also lowers your risk. By identifying your vulnerabilities and enacting the right protocols, ransomware stands no match! For instance, password updating, proper data handling, access controls, and training, are all different barriers that help your practice or business. Also, if your practice is infected by ransomware, do not pay the ransom, get the infected device offline and off the network, report the breach to the OCR, and get IT experts to investigate the attack. To learn more about how your practice can stay compliant and secure against ransomware attacks, email us at info@abyde.com and schedule consultations for Covered Entities here, and Business Associates here.
Change Healthcare Breach: A Long Road Ahead
April 26, 2024 It’s Friday! It’s time to unwind and not think about work for a few days… except for the Change Healthcare breach, that party’s not over. Let’s get you caught up. As we’ve kept you updated with the latest updates in the Change Healthcare Breach on the blog and our social media with our This Week in Compliance (TWIC) series, there have been some significant updates in this compliance catastrophe. Accompanied by our This Week in Compliance (TWIC) video, let’s dive into the latest on Change Healthcare breach. Double Trouble Sometimes, two isn’t better than one. Change Healthcare received a double scoop of trouble, and, unlike a sundae with delicious hot fudge, this came with two servings of ransom demands! Change Healthcare is no stranger to ransom demands, paying $22 million in Bitcoin to the BlackCat hacking group. This is just the beginning of the story. Another hacking group, RansomHub, announced they had several terabytes of Protected Health Information (PHI). For some perspective, here’s a simple explanation. A terabyte contains over 5 million document pages! Think about how many patients a leak of that information could impact! At first, there was skepticism about whether these RansomHub bullies truly had access to the information, bluffing for a ransom payment. Unfortunately, RansomHub does have this PHI, sharing over 20 victims’ health information to prove a point. While we don’t know how much it is, we’re willing to bet it’s much more than an Abyde subscription. Pretty Penny for PHI This breach is costing the UnitedHealth Group over a billion dollars! These costs impact not only the medical giant but all of the practices and hospitals that rely on the organization to process prescriptions. According to the American Hospital Association, 94% of all hospitals report financial impact, with 33% costing the hospitals more than half of their revenue! In addition to the monetary costs of the attack, the UnitedHealth group has to repair its shattered reputation. The UnitedHealth Group is currently caught in the crosshairs of national-level legal proceedings, with Congress beginning hearings on the attack. Shockingly, UnitedHealth Group was not in attendance, but the CEO, Andrew Witty, is due for an appearance at the beginning of May. What’s next? This breach is a serious reminder that no matter how big, or small, your practice is, data breaches can happen to anyone. It’s important to stay proactive and address your vulnerabilities to protect PHI. As we continue to discover the extent of the attack, even if your practice didn’t cause the breach, Covered Entities must notify affected patients according to the Breach Notification Rule. For our Abyde users, check out the What’s New section for guidance on notifying your patients. The HHS also has a FAQ section on its website regarding the breach. To learn more about how to keep your practice safe, schedule a consultation with a compliance expert here.
Don’t Get Caught Off Guard: HIPAA Audits are Back!
February 23, 2024 They’re Baaaaaack! And in this case, not the poltergeists in the 80s classic, but the Office For Civil Rights (OCR). The OCR shared some significant news, announcing their plans to reintroduce their random HIPAA audits program. The last time this program was in place was in 2016 – 2017, with over 200 Covered Entities and Business Associates audited to ensure HIPAA compliance. Before this program is officially implemented again, the OCR is surveying past audit participants, and hearing their feedback before random audits begin. However, Director of the OCR, Melanie Fontes Rainer, confirmed the audits would resume this year, “OCR intends to initiate audits of HIPAA-regulated entities later this year. These audits can assist regulated entities in improving their HIPAA compliance and their protection of health information.” The audits revealed eye-opening shortcomings of CEs and BAs, with Paul Hales of Hales Group describing that “86% of covered entities and 83% of business associates failed the risk analysis audit, and 94% of CEs and 88% of BAs failed the risk management audit”. Thankfully, this news doesn’t have to be like a horror movie if you’re proactive and take compliance seriously. What does this mean for you? While random HIPAA audits might seem very nerve-wracking for your practice or organization, with the proper tools, you can be easily prepared. These audits will help all in healthcare, highlighting the importance of being compliant and keeping patients’ data safe. That’s why Abyde is here to help. Our software simplifies compliance, allowing your practice to focus on what matters most, taking care of patients, or in the case of Business Associates, running your business. To learn more about how you can be prepared for the random OCR HIPAA audits, email us at info@abyde.com or schedule a compliance consultation below. MEDICAL PRACTICES: SCHEDULE CONSULTATION BUSINESS ASSOCIATES: SCHEDULE CONSULTATION
The OCR Cracks Down on Cyber Attack Breaches: Second Ransomware Attack Settled in Four Months
February 22, 2024 Well, the Office of Civil Rights (OCR) did it again. In the past four months, two ransomware cyber attack cases have been settled, resulting in hefty fines, yikes! While the first ruling affected a Business Associate with a major fine, this breach impacted a Covered Entity. In February 2019, Green Ridge Behavioral Health in Maryland filed a breach report that all of their files on patients were encrypted with ransomware, resulting in over 14,000 patients’ data being compromised. That’s a lot of people! As the name suggests, ransomware is a cybercrime where data is held for ransom. Users are unable to access data/files till the ransom is paid. It is a malicious crime that is extremely prevalent in healthcare, with a 264% increase over the past five years in large breaches reported to the OCR. In their investigation, the OCR found potential violations of the HIPAA Privacy and Security Rules from before and right up until the breach. In their variety of violations, some other major misses included: As a result, Green Ridge Behavioral Health was fined $40,000 and will now be monitored by the OCR for the next three years. That’s a long time and a lot of money for a practice that could have avoided this situation with the right compliance solution. That’s where Abyde steps in. Cyber attacks are unfortunately common in healthcare, accounting for 79% of the large breaches reported to OCR. We’ve now seen a pattern of the OCR ruling on ransomware cases, cracking down on practices and organizations that are not prepared for a cyber attack. The OCR is not messing around, and these fines are a clear example. Thankfully, with Abyde, we make the journey to compliance simple. The Abyde software resolves many of the reasons why practices and organizations get fined. You can complete our intuitive Security Risk Analysis in minutes, being able to see what your practice needs to do to be compliant in a flash. Abyde also has engaging training, with interactive activities and videos, all with entertaining themes, to keep the user interested (yes, you read that right). We also have a portal that allows you to easily manage all of your agreements with Business Associates, digitally signing and storing them in the software. What’s the cherry on top? We will remind you when these agreements are close to expiring, being your compliance crew so you can focus on running your practice. We have a variety of resources for practices of any size to use, like dynamically generated policies and procedures, allowing you to finally ditch the dusty HIPAA binder, HIPAA logs, our team of friendly compliance experts is always a call (or message!) away, and much more. Why wait for a compliance disaster? Email us at info@abyde.com and schedule a demo of our revolutionary software here.
Safeguarding Your Practice: A Comprehensive Approach to Cybersecurity
February 12, 2024 The following blog was co-written with Abyde’s partner, Carrie Millar at Dentist Insurance Services. If you would like more information on Dental Insurance Services, please click here to visit their website. In an era where technology plays a pivotal role in healthcare practices, ensuring the security of sensitive patient information is paramount. Cybersecurity threats pose a significant risk to medical practices, and adopting a multi-faceted approach is crucial to safeguard against potential breaches. This article explores the three key components to cyber safeguarding your practice: Strong IT for prevention, a Formal HIPAA compliance program, and Cyber Liability Insurance. 1. Strong IT for Prevention The foundation of any robust cybersecurity strategy is a well-built IT infrastructure. Prevention is the first line of defense against cyber threats. Implementing strong IT measures involves securing networks, regularly updating software and systems, and employing robust firewalls and antivirus solutions. Encryption of sensitive data both in transit and at rest adds an extra layer of protection. Regularly monitoring network activity and promptly addressing any anomalies can help identify potential security breaches early on. Employee training on cybersecurity best practices is equally essential, as human error remains a significant factor in cyber incidents. By investing in strong IT measures, practices can significantly reduce the risk of unauthorized access and data breaches. 2. A Formal HIPAA Compliance Program Compliance with the Health Insurance Portability and Accountability Act (HIPAA) is mandatory for healthcare providers, and it forms a critical aspect of cybersecurity. HIPAA compliance programs, such as Abyde (www.abyde.com), provide a structured framework for ensuring that your practice adheres to the stringent regulations in place. These programs offer comprehensive training for employees, covering topics such as data handling, password management, and recognizing potential phishing attempts. Regular audits and assessments help identify areas of improvement and ensure ongoing compliance. By instilling a culture of compliance within your practice, you not only protect patient information but also mitigate the risk of legal consequences associated with HIPAA violations. 3. Cyber Liability Insurance While prevention and compliance measures significantly reduce the likelihood of a cyber incident, it is crucial to acknowledge that no system is entirely impervious to attacks. Cyber Liability Insurance acts as a safety net in the event of a security breach, providing financial assistance to cover the costs associated with the aftermath. Make sure your comprehensive cyber liability insurance policy includes business income coverage, forensic investigation costs, public relations costs, as well as third-party liability. A great example of this is the Coalition Insurance policy sold by insurance broker Healthcare Professional Insurance Services (www.joinhpis.com) The average cost of a cyber-attack has surged in recent years to almost $400,000 per location and an average of 9 closed business days, making Cyber Liability Insurance an indispensable component of a comprehensive cybersecurity strategy. Having this safety net allows practices to recover more swiftly and continue providing uninterrupted services to patients.
Malicious Insider Cybersecurity: Montefiore’s $4.75 Million Lesson
February 7, 2024 New York’s Montefiore Medical Center just learned a brutal lesson in data security: don’t underestimate the threat from within. The healthcare giant has been slapped with an astounding $4.75 million fine for HIPAA violations, stemming from multiple incidents of unauthorized employee access to patient records. This hefty penalty is the largest fine since 2021 and sends a clear message to the entire healthcare industry: malicious insider cybersecurity is a critical threat demanding immediate attention. The Inside Job: It all started in 2013 when a Montefiore employee turned rogue, accessing and selling the personal information of over 12,000 patients. Montefiore did not find out and report this breach till 2015. The HHS began its investigation in late 2015, and saw numerous violations. Security Sleepwalking: OCR’s investigation exposed glaring security gaps at Montefiore. They found the hospital: The Price of Neglect: Montefiore failed to implement basic HIPAA Security Rule safeguards, resulting in a record-setting fine and a major reputational blow. This case is a stark reminder to healthcare providers of the ever-growing danger of insider threats and the crucial need for comprehensive cybersecurity measures. Lessons Learned: So, how can healthcare providers avoid a similar fate? Here are key takeaways from Montefiore’s missteps: Don’t know how to start? Well, we do. Abyde can easily assist you in building a culture of compliance for your organization. The revolutionary Abyde software includes an extensive security risk analysis, highlighting best practices and any risks your practice currently faces. The security risk analysis is simple, yet still robust, ensuring your practice knows what steps it needs to take to be compliant. Our software also outlines the responsibilities of employees through our dynamically generated, personalized for you, policies and procedures. Additionally, Business Associate Agreements can easily be created and signed within the portal, storing all important compliance documentation within the software. To learn more about how you can achieve compliance for your organization, email us at info@abyde.com and schedule a demo here.