April 24, 2024

It’s hump day! As we get through this middle bump of the week, we’re still rolling out our series, Compliance Catastrophes: real-ish world examples of nightmare scenarios! Today, we’re looking at you, healthcare workers and Business Associates! We know you do amazing work taking care of patients, but keeping data secure is part of building an awesome practice or business environment. Being given the keys to keep Protected Health Information (PHI) safe doesn’t mean you get to open the treasure chest of data! When working in this field, you’re around a lot of sensitive information, and it’s vital to uphold your commitment to patients by keeping it confidential.

We know it’s not all healthcare workers or their associates, but more people break this rule than you’d expect. We’re getting scientific! A recent study highlighted over 400 employees inappropriately accessing PHI at a hospital, and many only stopped after receiving an email warning that their access had been detected. It shouldn’t take being caught to change bad behavior! You know the drill: improperly accessing PHI is a breach of trust. But just to be safe, let’s see an example of what you should not do. Joining us today, you guessed it, is our unlucky friend, Catastrophe Cathy.

PHI Peeking

Cathy was at the front desk when a familiar face showed up for an appointment: an old friend from high school she hasn’t seen in years! They chat for a little bit, and Cathy can’t help but wonder what brought this friend in. When she’s closing up, she can’t ignore the voice in the back of her head telling her to go look. She gives in to the temptation and searches for her friend’s medical record, curious about what brought her old friend into the practice. As she’s reading about her old friend, another employee notices what she’s doing. Cathy is embarrassed and ashamed, as she should be! Checking her friend in was part of her job; opening the clinical record afterward was not. That information is strictly confidential, no matter how close they used to be.

Real Life: Real Fines

You might think a situation like this could never happen to you, but it happens often, and there are severe consequences. Last year, the OCR reached a $240,000 settlement with Yakima Valley Memorial Hospital in Washington State after security guards used their logins to snoop in patient records. Curiosity didn’t kill the cat, but it did leave it with a hefty bill! Over 400 patients’ records were viewed, and on top of the payment the hospital agreed to a corrective action plan with OCR monitoring.

To avoid snooping breaches, make sure all staff are properly trained on their roles and responsibilities. Access controls need to be reviewed often, ensuring staff only have access to what pertains to their role; a front-desk account should not be able to open clinical notes at all. Additionally, make sure access logs are actually reviewed, not just collected. The classic snooping signals are access to a patient the user has no treatment relationship with, lookups of coworkers, family members or people in the news, a user and patient who share a surname, and chart activity after hours or outside the user’s role. We all deserve to have our health information secure, and healthcare workers and business associates are on the front lines of keeping it confidential. To learn more about common compliance catastrophes, email us at info@abyde.com and stay tuned for the next in our series on our social media!
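Here is what that log review can look like in practice. This is an added example written for this post, not Abyde’s software or any EHR vendor’s code; the CSV log format, the role names, the action names and the business hours are assumptions chosen for the illustration, and the sample log lines are constructed to follow Cathy’s day (a legitimate morning check-in, then clinical notes opened from a front-desk account after closing). It checks the three signals described above: an action outside the user’s role, access outside business hours, and a user who shares a surname with the patient.

```python
"""Review an EHR access audit log for snooping signals.

Added example for illustration only. The CSV layout, role names, action names
and business hours are assumptions, not a real EHR schema.
"""
import csv
from dataclasses import dataclass
from datetime import datetime, time
from io import StringIO

FIELDS = ["timestamp", "user", "role", "patient_id", "patient_surname", "action"]

# What each role is expected to do in the chart. Anything else is "outside role".
ROLE_ALLOWED_ACTIONS = {
    "front_desk": {"VIEW_DEMOGRAPHICS", "UPDATE_INSURANCE", "SCHEDULE_APPOINTMENT"},
    "nurse": {"VIEW_DEMOGRAPHICS", "VIEW_CLINICAL_NOTES", "VIEW_LAB_RESULTS", "RECORD_VITALS"},
    "physician": {"VIEW_DEMOGRAPHICS", "VIEW_CLINICAL_NOTES", "VIEW_LAB_RESULTS", "WRITE_ORDERS"},
}
BUSINESS_HOURS = (time(8, 0), time(17, 30))

# Constructed sample log: Cathy checks her friend in (legitimate), Dr. Patel sees the
# patient, then Cathy's front-desk account opens clinical data after closing time.
SAMPLE_LOG = """\
2024-04-23T09:15:02,cathy.f,front_desk,P1001,Nguyen,VIEW_DEMOGRAPHICS
2024-04-23T09:16:40,cathy.f,front_desk,P1001,Nguyen,UPDATE_INSURANCE
2024-04-23T14:02:11,dr.patel,physician,P1001,Nguyen,VIEW_CLINICAL_NOTES
2024-04-23T18:47:30,cathy.f,front_desk,P1001,Nguyen,VIEW_CLINICAL_NOTES
2024-04-23T18:48:05,cathy.f,front_desk,P1001,Nguyen,VIEW_LAB_RESULTS
2024-04-23T11:30:00,nurse.kim,nurse,P2002,Kim,VIEW_CLINICAL_NOTES
"""
# Constructed staff directory used for the same-surname check.
USER_SURNAMES = {"cathy.f": "Foster", "dr.patel": "Patel", "nurse.kim": "Kim"}


@dataclass(frozen=True)
class Finding:
    timestamp: str
    user: str
    patient_id: str
    reason: str


def parse_log(log_text):
    """Parse CSV audit lines into dicts keyed by FIELDS."""
    return list(csv.DictReader(StringIO(log_text), fieldnames=FIELDS))


def detect_snooping(log_text, user_surnames):
    """Return one Finding per suspicious signal.

    A finding is a prompt for the privacy officer to review, not proof of snooping:
    a nurse may legitimately treat a patient who happens to share her surname.
    """
    findings = []
    for row in parse_log(log_text):
        when = datetime.fromisoformat(row["timestamp"])
        reasons = []
        if row["action"] not in ROLE_ALLOWED_ACTIONS.get(row["role"], set()):
            reasons.append(f"{row['action']} is outside the {row['role']} role")
        if not (BUSINESS_HOURS[0] <= when.time() <= BUSINESS_HOURS[1]):
            reasons.append("access outside business hours")
        if user_surnames.get(row["user"], "").lower() == row["patient_surname"].lower():
            reasons.append("user and patient share a surname (possible self or family lookup)")
        findings.extend(
            Finding(row["timestamp"], row["user"], row["patient_id"], r) for r in reasons
        )
    return findings


def users_to_review(findings):
    """Distinct users with at least one finding, for follow-up."""
    return sorted({f.user for f in findings})


if __name__ == "__main__":
    results = detect_snooping(SAMPLE_LOG, USER_SURNAMES)
    for f in results:
        print(f"{f.timestamp} {f.user:<10} {f.patient_id} {f.reason}")
    print("review:", ", ".join(users_to_review(results)))
```

Cathy’s two evening lookups each trip two rules (outside role and after hours), while her morning check-in produces nothing, which is exactly the distinction a reviewer wants the log to draw. In a real practice the role map comes from the EHR’s own permission model and the review runs against the exported audit trail on a schedule, with findings routed to the privacy officer rather than acted on automatically.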
Compliance Catastrophes: Stolen Devices
April 23, 2024

Welcome back to another blog on Compliance Catastrophes: real-ish world examples of nightmare scenarios! We’re going through the most common reasons for data breaches in healthcare and how your practice or business can stay safe. Stolen devices are one of the main causes of a breach. According to the OCR, theft accounts for nearly 20% of large breaches (five hundred or more patients affected) over the past ten years. A stolen device can quickly spiral into a HIPAA nightmare. That’s why devices need top-notch security to protect Electronic Protected Health Information (ePHI). No question, ePHI needs protection, so here’s your reminder: when you have a device that holds it, stay alert! Now, let’s see what happens when someone slips up and neglects their device protection responsibilities. Let me reintroduce our friend, Catastrophe Cathy. She’s having a tough week!

Dinner with a Side of Disaster

After a long day at the practice, Cathy was ready to get home and see her friends for dinner. At the restaurant, she left her computer bag on her passenger seat, far more focused on the meal she was about to devour. While her steak was a perfect medium rare, the situation outside was a recipe for disaster! When Cathy got outside, her night was spoiled. Her car had been broken into, and her work laptop was gone. She realized immediately what had gone wrong. The worst part: her laptop was unencrypted, meaning the thief had easy access to the practice’s patient PHI!

Device Safety 101

First, if you don’t have to bring your work laptop home, don’t! There’s less exposure if the device is stored properly at work. Even when it stays at work, make sure it is secure at all times: lock the doors when no one is in, and have proper physical security installed, like alarms and cameras.

Next, ensure all devices with PHI are encrypted. Encryption means the data is unreadable to anyone who doesn’t hold the key, so a thief with the hardware still has nothing. Use full-disk encryption (BitLocker on Windows, FileVault on macOS) and confirm it is actually turned on for every device, not just available. One important caveat: encryption only protects a device that is powered off or locked behind a strong login, so a laptop left running and unlocked in a bag is still exposed. Under HIPAA, ePHI that has been encrypted according to HHS guidance is not considered “unsecured,” which is why a lost encrypted laptop generally does not become a reportable breach while a lost unencrypted one does.

Additionally, make sure strong password policies are in place. No more Password123! Your friends at Abyde recommend that passwords be at least 8 characters and include a number, an uppercase letter, a lowercase letter, and a symbol. Worth knowing: current NIST guidance (SP 800-63B) puts more weight on length and on screening passwords against lists of known compromised passwords than on composition rules, so treat 8 characters as a floor, favor longer passphrases, and never reuse a work password anywhere else.

Finally, make sure remote deletion is set up for all devices that have PHI, allowing you to use another device to wipe a stolen or lost one clean. Remote wipe only works if the device comes back online, so think of it as a backstop; encryption is the control you can count on.

Keeping it Real

Stolen devices are a common compliance catastrophe, and the OCR has enforced penalties against non-compliant organizations. Don’t believe us? Here’s a real-life example of a stolen device catastrophe. In 2020, Lifespan Health System Affiliated Covered Entity (Lifespan ACE), a Rhode Island healthcare system, agreed to pay $1,040,000 after an employee’s car was broken into and an unencrypted laptop containing patient information was stolen. We’re not just making this stuff up!

If you find yourself in a situation like Cathy’s, immediately alert the authorities of the theft. Contact your workplace and IT department, following company procedures. See if your practice has remote deletion in place and wipe the stolen device. Your IT partner will likely handle remote deletion and encryption of sensitive data, and some companies provide these services specifically for healthcare. We’re more than happy to point you in the right direction on your compliance journey, so just reach out if you’re looking for the right services for your practice or business. If the device was unencrypted, as Cathy’s was, treat it as a breach: log it in your Abyde software and report it to the OCR. With the right protocols, you can prevent a stolen device from becoming a breach and limit the damage when one goes missing. While Cathy’s filet mignon dreams were burnt to a crisp, that doesn’t have to happen to you. To learn more about device safety, email us at info@abyde.com and follow us on social media for the latest news!
Compliance Catastrophes: Email Safety
April 22, 2024

Good morning! We hope we can cheer up your Monday blues with the announcement of our new educational series, Compliance Catastrophes: real-ish world examples of nightmare scenarios! Throughout this week, we’ll be releasing blogs and videos on common breaches of Protected Health Information (PHI) in healthcare, giving you the tips you need to stay secure. We’re starting our series with one of the most common HIPAA breaches: email scams. Email scams are very prevalent, with 91% of cyberattacks beginning with a phishing email. Phishing is the most common form of cybercrime, with 3.4 BILLION spam emails sent daily.

Now, before we get too far, let’s clear up any misconceptions. A phishing attempt is unfortunately not a Saturday night getaway on a boat with your friends catching fish. It’s much more like casting a lure of fake urgency or importance to “fish” for personal information, like PHI, or to get you to click something that installs malware. You might think you could never fall for a phishing scam, but let me tell you, it happens quite often. Let me introduce you to the star of the week, Catastrophe Cathy.

A One-way Ticket to a Breach

Cathy was scrolling through her email, and she couldn’t believe her eyes! Her boss had sent her an email offering her a week’s vacation to Italy! All she had to do was claim it by clicking the link at the bottom of the email. She was sold! It looked real; it said it was from her boss, Bob, and it even had his email signature. As she clicked the link, the malware began to work its nefarious magic, infecting her computer and gaining access to PHI. Her dreams of seeing the Leaning Tower of Pisa came crashing down. Once she realized there was no trip, she panicked! What was she going to do?

Email Safety 101

Any of us can end up like Cathy if we aren’t careful when checking our email! Falling for phishing scams affects over 300,000 people a year, yielding over $50 million in losses.

First, an always-good rule of thumb: if it sounds too good to be true, it isn’t. Sorry, or scusa (sorry in Italian), Cathy!

Next, always check who is actually sending the email. While it looked like it came from Bob the Boss, if Cathy had looked past the display name at the real address, she would have seen it came from Stevethescammer@email.com! Putting a trusted colleague’s name in front of a stranger’s address is a very common trick known as display-name spoofing, and many mail clients, especially on phones, show only the name unless you tap or hover to reveal the address. Also compare any Reply-To address with the From address, and hover over links to see whether the destination matches the text you’re shown.

Lastly, if you see any odd links or attachments, never click them. Report the message with your mail client’s phishing or spam button, forward it to your organization’s phishing mailbox if you have one, and then delete it.

Phishing scams have also made a recent, costly impact on healthcare. The OCR settled its first phishing cyber attack investigation in late 2023, costing Lafourche Medical Group $480,000!

Reel in Control

Now, if you find yourself falling for an email scam, the first thing you need to do is alert your team. You might be embarrassed, but it’s brave to admit a mistake, and speaking up quickly ensures others don’t fall for the same attack. The most important step right now is to disconnect your device from the network: unplug the cable or turn off Wi-Fi, but leave the machine powered on so your IT team can see what happened. Think of it like putting up a “closed for business” sign. This cuts off the attacker’s access and keeps them from moving further into your network. Loop in your IT team or IT provider, and follow company procedures for a cyber attack. Of course, notify patients affected by the breach (the HIPAA Breach Notification Rule requires individual notice without unreasonable delay and no later than 60 days after discovery), and report the breach in your Abyde software and to the OCR. Also, since it is a phishing attempt, you can report it to the FTC. To learn more about common breaches, stay tuned to our blogs and videos this week! Follow us on social media to be the first to see the latest compliance news, and if you have any questions, email us at info@abyde.com.
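To make the “check who is really sending it” advice concrete, here is an added example (written for this post, not Abyde’s or any mail vendor’s code) that runs the same checks a careful reader would: does the From address belong to the practice’s domain even though the display name says it’s the boss, does a Reply-To point somewhere else, is the subject full of urgency, and does a link’s visible text point to a different site than its actual destination. The two messages are constructed, modelled on Cathy’s “vacation from Bob” email and on a harmless staff note; the practice domain example-practice.com is an assumption.

```python
"""Flag display-name spoofing, Reply-To mismatches, urgency bait and disguised links.

Added example for illustration. ORG_DOMAIN and both sample messages are constructed.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

ORG_DOMAIN = "example-practice.com"  # assumption: the practice's own mail domain

# Constructed phish: the display name says "Bob Baker" but the address does not.
SAMPLE_PHISH = """\
From: "Bob Baker" <Stevethescammer@email.com>
To: cathy@example-practice.com
Subject: URGENT: claim your week in Italy today
Content-Type: text/html

<p>Cathy, you earned it! Claim your trip below.</p>
<a href="http://claim-prize.example.net/login">https://hr.example-practice.com/rewards</a>
<p>Bob Baker<br>Practice Manager</p>
"""

# Constructed legitimate message from the real boss, for contrast.
SAMPLE_LEGIT = """\
From: "Bob Baker" <bob@example-practice.com>
To: cathy@example-practice.com
Subject: Staff meeting moved to Thursday
Content-Type: text/html

<p>Team, the meeting is now Thursday at 9. Agenda:
<a href="https://intranet.example-practice.com/agenda">https://intranet.example-practice.com/agenda</a></p>
"""

URGENCY = re.compile(r"\b(urgent|immediately|today|claim|suspended|verify now)\b", re.I)


class _LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url_like):
    """Hostname of a URL, tolerating text that omits the scheme ('www.x.com/y')."""
    if "://" not in url_like:
        url_like = "http://" + url_like
    return (urlparse(url_like).hostname or "").lower()


def analyze_email(raw, org_domain=ORG_DOMAIN):
    """Return a list of human-readable warnings; an empty list means nothing stood out."""
    msg = message_from_string(raw)
    warnings = []

    name, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    if from_domain != org_domain:
        warnings.append(f"sender {addr} is outside {org_domain} although the display name is '{name}'")

    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.lower() != addr.lower():
        warnings.append(f"Reply-To {reply_to} differs from From {addr}")

    subject = msg.get("Subject", "")
    if URGENCY.search(subject):
        warnings.append(f"urgency language in subject: {subject!r}")

    body = msg.get_payload() if not msg.is_multipart() else ""
    extractor = _LinkExtractor()
    extractor.feed(body)
    for href, text in extractor.links:
        # Only compare when the visible text itself looks like a URL.
        if re.match(r"(https?://|www\.)", text, re.I) and _host(text) != _host(href):
            warnings.append(f"link text shows {_host(text)} but points to {_host(href)}")
    return warnings


if __name__ == "__main__":
    for label, raw in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(label, analyze_email(raw) or ["no warnings"])
```

The phish trips three checks (outside domain behind a familiar name, an urgent subject, and a link whose text and destination disagree) while the legitimate note trips none. None of these checks is proof on its own; the point is that the address and the link destination are one tap or hover away, and a message that fails two or three of them deserves a phone call to Bob before any click.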