Latest News and Resources

Are You Accidentally Violating HIPAA Regulations?

In a busy medical office, it’s hard to keep track of each and every HIPAA regulation, and accidental HIPAA violations can easily occur. 

In many cases, practices beginning compliance examinations discover multiple violations already in place, before you or your users even realize you’ve done anything wrong.

Unfortunately, violations can lead to stiff fines if you’re caught breaching regulations. Every year, the U.S. Department of Health and Human Services receives approximately 4,000 complaints about HIPAA violations. Make sure your office isn’t on the list by avoiding these common HIPAA-related “trouble areas.”

Accident #1: Exposing Confidential Information to Other Patients

Although everyone in your office understands it’s important not to discuss one patient with another or provide information to a family member without a signed release form, your team may not realize just how easy it is to accidentally expose protected information to the next patient in your exam room or even the entire waiting room.

Keeping patient information private requires scrupulous attention to the way your entire office handles files and all possible forms of patient information.

It’s easy to say, but harder to remember: Don’t leave anything containing Protected Health Information (PHI) unprotected where other patients can see it, and always sign out of (or lock) any computer screens that contain patient information before showing the next patient into an exam room.

Keep in mind, even simple info such as an address is considered private information. It’s far better to ask patients to review forms than to rattle off an address to verify if the one listed is current.

Accident #2: Neglecting Your Computer Network

 Patient records are a treasure trove of information for identity thieves and cybercriminals. Once they hack into your system, it’s game over.

In one fell swoop, the bad guys suddenly have unlimited, centralized access to patient names, addresses, social security numbers and credit card information.

Your firewall stops thieves from accessing your system, but no firewall can do its job properly with its hands tied (that is, when it isn’t kept up to date).

 Make sure your IT services resource sets your network firewall to receive automatic updates and regularly monitors and checks your log files for signs of attempted intrusions.

From there, make sure your office team doesn’t ignore alerts. Any time you suspect a breach, reach out to your managed services provider, and make sure they follow HIPAA reporting procedures for any computer breaches if your office falls victim to a malicious attack.

Being Lax with Your Laptop

Thanks to your laptop, you’re no longer chained to the office computer. Now you can take your work home with you and not miss out on family time!

That being said, no matter the setting, you must stay vigilant and not let a relaxed family setting lull you into being careless. After all, ePHI is still protected by HIPAA, be it at the office or inside your home.

It may seem simple, but it is imperative that you do not leave information on your screen, even if you’re only leaving the room to get a glass of water.

Password protect your laptop, close out all screens and tabs when not in active use and make sure to keep your computer locked away when it is not in active use.

More specifically, with the increasing rates of automobile theft in the San Francisco Bay Area, save yourself the time, money and headache of having to file a technology incident report and make sure you do not leave your computer unattended in your car.

Texting Confidential Information

Texting is one of the fastest ways to share information with another medical professional, but it sends that information into cyberspace where anyone can potentially access it.

Make sure all users know the rules:

-Don’t text unless you’re using a special encrypted program to send texts.

-Only send those texts to other people if you’re positive they’re using the same appropriate program.

By keeping these potential problems in mind and educating your staff about HIPAA basics, you can avoid a costly, and potentially embarrassing, violation.


Dual Customer Focus – Healthcare IT Best Practices Benefit Patients and Employees Alike

Customer focus and supporting the effective delivery of quality care is the aim of healthcare information technology solutions. However, it can be all too easy to forget that practices have two customer bases to please: employees and patients. As you seek to satisfy the needs of both sides, consider implementing the following healthcare IT best practices.

Mirror Portals

Patient information technology has developed at different rates. In-office computerized patient record systems came into common use years before many practices invested in patient-facing electronic health records. However, when portals are a mix of these two different record systems, communication is made difficult. Care must be taken to align these systems.

Ensure information like test results, prescribed medications and prior procedures accessible to internal customers—nurses, medical assistants and aides—mirrors information available to patients at home. After all, patient engagement often relies on information availability and transparency, as well as timely communication. Make sure your patients aren’t among the 40 percent of patients who are unsure if their physicians have a patient portal system.

Keep Information Where Your Customers Are

Patients receive information about their health in a variety of media. Most IT-related solutions ensure that data can be accessed through mobile devices, home computers or printed documents. Caregivers also need the same ability to access information to respond to patient queries quickly.

Consider how much time can be saved if an out-of-office practitioner can access a secure patient snapshot and answer a simple question. Now, the issue doesn’t need to be elevated, diverted or put on hold until Monday. Easy access from anywhere also ensures that information sharing isn’t subjected to a gatekeeper. If only one person knows about an issue, other equally qualified professionals are unable to respond if the gatekeeper is out-of-reach.

Respect Your Time and Your Patients’ Time

Precious time is often wasted updating routine health information at the start of appointments. With the availability of next-level technology, instead request patients update their records from home prior to appointments, or during time spent in the waiting room. Practice-supplied tablets can be handed to patients upon check-in, primed to walk patients through a questionnaire. This same software can then alert the caregiver to changes and prompt on-target discussion.

The most beneficial healthcare IT solutions for your medical practice are those that are equally beneficial to health professionals, caregivers, and patients alike.

From mirrored portals to accessible data and optimized in-office time, by working with the right IT services provider, practices can leverage technology to heighten both patient and employee satisfaction.


CoreBot Malware: What Is It, How It Works, How and If It Affects You

Latest Trojan CoreBot Targets Online Banking Sites Malware: What Is It, How It Works, How It Can Affect Your Business

A few months ago, you may have heard about the DyreWolf phishing malware scam, which specialized in targeting businesses and organizations (as opposed to attacking individuals). Now CoreBot malware is one of the latest threats to cybersecurity.

The malware got its name from the developer who called the file “core.” The Trojan is delivered through a drop file that leaves as soon as CoreBot is executed on the target machine. The stealer then adds code to the Windows Registry to stay alive.

 The malware can steal passwords, and the modular plugin allows the developer to easily add more functions. CoreBot currently can’t intercept data in real time, but it is a threat to email clients, wallets, FTP clients, private certificates and some desktop apps.

How It Works

 First, the malware gets a foothold on Internet Explorer, Firefox and Chrome so that it can monitor your browsing habits, grab forms you fill out and execute web injections. When it detects a relevant website, the form-grabber kicks in to steal your personal information.

 The web injections are then activated to display a phishing page that tricks you into supplying additional information. This is when the cybercriminals behind the scam are alerted and take charge of the session in real time by way of a Man-in-the-Middle (MitM) attack.

 You are kept busy with a “please wait” message while the hacker connects to your intended destination through a virtual network computing (VNC) module. Once in, the cybercrook initiates new transactions or hijacks the current transfer process to send the money to another account.

How It Can Affect Your Business

So far the victims of CoreBot have been large financial institutions, so your business is probably not yet at risk. If you think you might be affected, contact a technology support specialist in the Bay Area to get started with your free network assessment for a health-check of your network environment.

With the right strategic San Francisco IT support on your side, not only will you be able to address your existing concerns for your organization’s technological health, but also plan ahead to anticipate, avoid and mitigate any future disasters.

Business tech support firms monitoring botnets see about 60 CoreBot infections every day. Approximately one quarter of the infections occur in the United States, but the malware is also found in the United Kingdom, Russia, Japan, Egypt, Moldova, Taiwan, India and Vietnam.

 While data theft can pose a threat to the average end-user, cyber criminals targeting sensitive data and financial information know that the greatest damage can be done when they breach corporate systems.

With that in mind, malware attacks such as CoreBot are only the beginning as cybercriminals seek to gather the data needed to infiltrate organizations and steal valuable information!


Latest in Malware: eFast Browser Attacks with False Google Chrome, Traps Users with Adware


Latest Malware Attack Replaces Users’ Chrome Browsers Entirely by Bundling with Legitimate Software Downloads


Just last Friday, Malwarebytes announced the discovery of the eFast hijacking scam, which boldly attacks by replacing users’ default Google Chrome browsers with eFast and targets victims with the promise of “A web browser built for speed, simplicity and security.”

Suddenly Flooded with Pop-Up Ads? Find yourself constantly redirected to unrelated websites? It might be time to check your Chrome browser …


That being said, the malware acts as a stowaway within other software downloads, piggy-backing on a user-generated installation. But what type of installation would this be?

Have you ever had a “security software” offer to install for free or gotten a pop-up “urgent notice” that your machine needed to be scanned ASAP?

Maybe you panicked, and went ahead and clicked “yes” instead of reaching out to your IT services provider to check that the programs were actually legitimate.

What about one of those “too good to be true” free software offers (freeware) that bundle the original software you were seeking with another offer promising faster online browsing or an enhanced shipping experience? We all know those little check boxes can be tricky…

 

Forget Taking Over, eFast Eliminates Competition

As business IT advances and office technology users become more savvy, the developers of eFast have made sure to impersonate the genuine Google Chrome browser, with close attention to detail across both original Chrome icons and Chrome windows.

Instead of simply hijacking a browser, eFast specializes in erasing and completely replacing Google Chrome.

By leveraging strong user dependence on browsers and their associated functions, the developers of eFast made sure that escaping wouldn’t be easy.

As soon as eFast breaks in, it deletes all of your desktop and taskbar shortcuts to Google Chrome and replaces them with impostor links and shortcuts. From there, cybercriminals can hijack your file associations, track each of your keystrokes and monitor each link that you visit.

Furthermore, regardless of which browser you start out using, eFast is set up to override program viewers for .jpg, .gif and .pdf as well as for protocols such as ftp, http, https and mailto. Basically, eFast will force itself upon its unsuspecting users whenever they open files. And then the real fun begins, as the malware injects an endless stream of pop-ups and ads into each of your searches.

While the unauthorized adware can generate profits for malware developers, users must also be aware that a malicious attack easily leaves your passwords, login credentials and banking information vulnerable to exploitation.

Since Google’s Chrome Team Has Been Hard At Work….

Clara Labs, the people responsible for eFast (as well as a variety of other malicious software such as Unico, Tortuga and BoBrowser), are now having to up their exploit strategy game with each new development.

As one critic (@SwiftOnSecurity) put it, cybercriminals and hackers are finding that, “it’s getting so hard to hijack… that malware literally has to replace it to effectively attack.”  

If You Suspect You’ve Been Hit By eFast, It’s Time to Get Help Today

Being hit by a malicious attack can feel overwhelming as your business suddenly needs technical triage, is forced to decipher just what information has been compromised, and then has to remediate on a tight timeline to avoid any aftershocks or additional impact. 

Getting the right IT support provider means having experts take over and stopping damages in their tracks. Instead of spinning your wheels, get your business on the road to recovery with a free onsite assessment today.



 


Too Small for IT Security? Data Says Think Again! Attacks on SMB Rise

Is Your Organization at Risk? If You Run Your Business Without Strategic IT Security, the Answer is…

For many small business owners, IT security planning can seem like a luxury, but a lack of proactive security can actively hamper growth, even among the smallest of businesses. At its worst, not having the right defenses in place can sink your business operations as your entire enterprise is brought to a standstill by a malicious attack.


Many small- and medium-business owners know that IT security is something they should care about, but they have no idea how to manage it. One study by the National Cyber Security Alliance found that a whopping 59 percent of small business owners have no plan in place to prevent data breaches.

Even industries that revolve around preparing for the worst can be affected. IT help desk services can often be the first line of defense for insurance companies, financial services firms, and healthcare providers in San Francisco, Oakland, or elsewhere throughout the greater Bay Area.

In fact, insurance companies are one example where a lack of network support services might have an outsized impact. Insurance companies regularly deal with highly sensitive data, including names, Social Security numbers, birthdays and addresses. Having the right IT support is essential.

What’s at Stake

The cost of data breaches can be enormous for small business owners. Research from Atlanta-based payment technology firm First Data shows that as many as 90 percent of data breaches can be traced back to small businesses, and the average cost of a breach to small businesses can be as high as $50,000 or more. 


Not only would the cost of a malicious cyber attack or data breach be devastating for most small businesses, but these costs don’t even begin to account for the cost associated with the loss of trust from your customers.

Working with the right IT support firm to address the security, continuity and disaster recovery needs of your business is critical to successfully maintaining and protecting your organization.

What Companies Can Do

Experts say that, at the very least, small businesses can enact the following controls:

  • Secure all your business data. Security experts at Kroll say businesses should only keep the data they need.
  • Stay current with security patches and updates. This can be more difficult than it seems, especially for busy small businesses.
  • Require the strongest possible passwords.
  • Establish an Internet usage document and make employees sign it.
  • Limit access to your network outside of private workspaces.
  • Consider a professional IT security audit.

Looking Inward

No one wants to think about a worst-case scenario, but threats to business data aren’t likely to go away any time soon. Unfortunately, employees are often unwittingly at the center of them. Data from TrendMicro found that nearly 60 percent of employees surveyed “very frequently or frequently stored sensitive data on their laptops, smartphones, tablets, and other mobile devices.”

This may mean that more sophisticated IT support is needed to prevent a worst-case scenario in the era of Bring Your Own Device (BYOD). Rather than relying on stop-gap measures, an ounce of prevention may secure your business now and in the future.

If you are looking to get started in addressing your IT security concerns or looking to implement a strategic business technology plan for your organization, look no further and contact Bay Computing to get your complimentary onsite assessment started today. 

 


How Does HIPAA Affect Healthcare IT in California

HIPAA’s Impact on Your Healthcare IT Operations

Back in 1996, HIPAA (Health Insurance Portability and Accountability Act) was established and enacted to protect the private health information of patients, to facilitate health record transfers between companies, to create standards regarding electronic billing and patient information, and to introduce fraud reduction.

Without Healthcare IT Support, This Ends Up Happening Far Too Often …

In California, the California Department of Health Care Services oversees compliance through the Office of HIPAA Compliance. Electronic health records, electronic billing and other emerging technologies allow your practice to focus on providing quality health care instead of wading through paperwork or chasing down insurance companies, but ensuring your IT health solutions stay in compliance can be challenging. Data security, unauthorized access and wireless device factors are a few IT issues your practice can face.

Data Security Measures

One of the biggest concerns with staying compliant is how non-specific HIPAA technical security regulations are. The HIPAA regulations are written without specifying exactly which technology you need in order to allow for flexibility in choosing innovative technology, but the flipside is that there’s lots of room for interpretation.

The regulations don’t require a specific type of technology as long as the technical solution used adheres to several security guidelines. This regulation can lead to confusion if your practice isn’t accustomed to handling IT security solutions. Major areas covered by these regulations include access control, audit control, integrity, person or identity authentication, and transmission security.

 Connected Devices

Another HIPAA challenge practitioners in the California Bay Area face is factoring in connected devices on the network, whether these are medical devices with connectivity or tablets and mobile smartphones. Devices with access to the network need to meet certain security standards in order to completely comply with HIPAA. It takes time to work through the appropriate security measures on your own, especially if you have many types of mobile devices falling under management.

Outsourced healthcare IT services are an extra resource you can use to help manage these devices, whether they actively monitor the network or offer suggestions on appropriate mobile access solutions.

Electronic Health Records Solutions

Electronic health records cut down on your medical paperwork requirements, streamline patient intake processes and provide you with a comprehensive view into a patient’s medical history. However, choosing the right EHR solution can be a frustrating task, as there are many options on the market.

Working with Healthcare IT service support specialists benefits your medical practice by leveraging their knowledge on available solutions so you don’t choose the first one that presents itself. These services often work with multiple EHR solutions for hands-on experience instead of reading features off a data sheet.

Healthcare technology is intended to help you focus on what you do best: provide quality health care to your patients. If you’re mired in regulations and technology procurement, you don’t get to focus on your core goals. While you theoretically can learn everything you need to know about medical technology and HIPAA technical requirements, your focus has always been and always will be on providing the best patient care. 

Outsourcing your technology support needs to a trusted IT service provider partner allows you to use your time and resources the most effectively for the unique needs of your practice.

If you’re curious to learn more or looking to get started but feeling overwhelmed, contact Bay Computing for your free onsite consultation  and we’ll get your technology back on the road to recovery today!


Healthcare Providers 450% More Likely to Be Blackmailed by Cryptowall – How to Protect Yourself

Healthcare Providers Beware: Cybercriminals Targeting Covered Entities (CE) with Malware and Data Breaches

The cyber crime landscape is rapidly growing more dangerous and complex for organizations of all sizes. Reports of security incidents are growing 66 percent each year, with the average cost of a data breach estimated at $3.5 million. 

While organizations in any industry are at risk of cyber crime from outside attacks or insider perpetration, many small and medium-sized businesses (SMB) lack the infrastructure to adequately plan and prepare defenses for common threats. One rapidly growing information security threat is Cryptowall, an increasingly common form of ransomware.

What is Cryptowall?

Cryptowall, formerly known as Trojan.Cryptowall, is a “Trojan Horse” virus that encrypts files on an infected computer. To unlock the files and retrieve access to critical information, users are asked to pay a “ransom” of at least several hundred dollars via a text document message. The attackers commonly ask for the payment to be made in Bitcoins, and direct users to complete the payment online via a secure Tor browser. In many cases, the ransom demands can increase in amount if the fee isn’t paid quickly.

If you’re curious whether someone on your staff with above-average computer skills can unlock your files, the answer is unfortunately no. As soon as files are encrypted, much like a bank vault, they will then require a key to be unlocked… And that key is what must be purchased from the cybercriminals themselves.

The head of cyber security at the US FBI recently stated that he usually advises victims of Cryptowall and other forms of ransomware to “just pay the ransom.” The FBI has yet to find a definitive solution to Cryptowall because it’s a highly effective form of extorting money out of healthcare organizations, SMBs and other companies.

How Do I Prevent a Cryptowall Attack?

The single most important action companies of any size can take to prevent terrible repercussions from a ransomware attack is regular data backups. Keep in mind, Cryptowall will also lock up data on any mapped drives, including external hard drives. The only guaranteed way to keep your information safe is investing in a secure, comprehensive backup solution that won’t be affected by the virus. (Keep in mind that the intervals of regular, ongoing backups can also be crucial to minimizing data loss).

Ransomware viruses can enter a company through a number of means, including file-sharing, email and RDP ports. While training your employees on information security best practices can protect against phishing attacks or unsafe file downloads, the most important step you can take is to develop a comprehensive information security practice and policy. By partnering with a professional IT services firm, you can benefit from having easy access to a dedicated team of experts who are committed to keeping your patients, providers and practice safe.

Conclusion

Cryptowall attacks can have a devastating impact on healthcare providers and covered entity organizations of any size.

By working strategically with a dedicated IT services team, you can get started implementing the right defensive strategies to help protect your patients, practice and sensitive data such as PHI.

Get started on your data security roadmap with the healthcare information technology experts of San Francisco today with your free onsite technology assessment and rest easier knowing your patients’ data is protected from being held ransom by cybercriminals. 


Are Your Office Operations HIPAA Friendly? Improving Patient Care and Protecting PHI

How HIPAA Affects Office IT, the Business Operations of Healthcare Providers and Overall Patient Care

From its inception, the Health Insurance Portability and Accountability Act (HIPAA) has had many ramifications for healthcare providers, and when it comes to technology management and IT support, it’s easy to feel overwhelmed.

HIPAA affects how and where your office utilizes its IT devices and systems, your business operation methods and the manner in which patients are cared for. This is a brief look at some of the ways HIPAA may modify the workings of your healthcare enterprise.


Protecting Your IT Devices

Your IT provider’s healthcare IT help desk service in the Bay Area can inform you about procedures such as data encryption and decryption, unique user identification and audit controls, all of which are required under HIPAA. But physically safeguarding workstations that have access to electronic protected health information (ePHI) is also a requirement.

Reception areas are one of the places where inadvertent disclosure of PHI may occur, and simple solutions such as privacy panels at right angles to the reception and scheduling counters, and asking queuing patients to stand away from the worktops, are all that may be needed.

Furthermore, when computer monitors are used in open-bay setups (such as dentists’ chairs), best practices require that care be taken to ensure that screens displaying patient information are not left facing other patients or passing foot traffic.

Who You Do Business With

HIPAA regulations cover not only your healthcare organization (known as a covered entity), but also your Business Associates (BA). These are entities or individuals to whom you may release PHI, including attorneys, accountants, cloud storage companies, web hosts, IT vendors, email encryption companies, consultants and healthcare clearing houses who deal with claims. As part of your path to harmony with HIPAA, you and your BAs are required to sign a Business Associate Agreement (BAA).

Navigating Office Administration While Caring for Patients

 Regular routines are also affected by HIPAA regulations. For example, what happens with standard appointment reminders?

The University of Texas Health Science Center states that as long as patients are aware of this routine and the reminders are generic in form, that is, don’t necessarily state the name of the practice or clinic, appointment prompts are allowed under HIPAA. The same applies to sign-in logs in reception areas: no confidential medical information should be listed.

Helping your office navigate HIPAA-related healthcare IT solutions is one of the specialties of Bay Computing, so get in touch with the Bay Area team of experts today and schedule a free onsite assessment to get your strategic technology plan started!


Dyre Malware Has Stolen Over $1 Billion: Is Your Company’s Sensitive Data at Risk?

As Cyberattacks Continue to Skyrocket, DYRE Malware Grew 125% in Q2 Alone.  Are You Prepared for the Latest?

Both consumers and organizations of all sizes are at increased risk for DYRE malware attacks in the months to come. TrendLabs reported a 125 percent increase in DYRE attacks in the second quarter of 2015, proving that criminal interest in stealing user credentials is growing.

Simultaneously, attacks against healthcare organizations have grown 600 percent, and these organizations are 74 percent more likely to be targeted by phishing emails than other industries.


 Despite the increased climate of threats, small and medium-sized businesses (SMBs) can take the right steps to protect their finances and their customers’ sensitive data against DYRE and other phishing attacks.

What Is DYRE Malware?

DYRE malware typically enters a business network through a phishing email, which is designed to look like an important communication from a bank, the IRS, or another business entity. An example shared by TrendLabs included a subject line pertaining to a tax levy and an important-looking attachment with body copy that indicated immediate action was necessary. When employees click the link in the body of the email or open the attachment, the malware gains access to the system.

What Are the Repercussions of a DYRE Attack?

DYRE works quickly once it gains entry and performs “man in the middle attacks.” According to TrendMicro, it may perform browser screenshots and steal personal certificates to obtain password credentials to protected information. DYRE also works to avoid detection by disabling information security measures organizations may already have put into place, including firewalls and anti-malware protections.


Among private consumers, DYRE attacks are typically focused on stealing banking credentials so cybercriminals can gain access to an individual’s money. In healthcare organizations, the focus is usually to obtain protected patient or customer information so identities can be resold at a profit or ransomed back to the victim.

How to Protect Yourself Against DYRE and Other Phishing Attacks

To prevent a DYRE attack, phishing awareness among your employees is critical. A full-featured anti-malware solution and password change policies can help organizations get started protecting against the “dire” effects of this unfortunate information security trend.

In order to stay safe, all individuals at your organization need to be aware of how to detect a potential email attack, and who to notify if an email ever appears suspect… And for many small and medium businesses and practices, identifying the right resource to reach out to for technical help may not always be clear.

Despite increased threats, information security for SMBs and healthcare organizations isn’t impossible. Working with an expert managed services provider with years of experience helping with strategic information security enables you to identify your organization’s primary vulnerabilities, establish much-needed policies, and perform ongoing training to allow you to avoid the costly cleanup and customer defection that follows a major cyberattack.


10 Mind-Blowing Facts on the State of Information Security for Small Business in 2015

Information security (IS) should be a key priority at organizations of any size. Gartner reports the average company dedicates just five percent of its budget to protecting customer data.

The staggering costs of a cybercrime attack can be particularly devastating to small and mid-sized businesses (SMB). Gain insight into the state of cybercrime and what SMB need to know to protect themselves.

1. Attacks Are Increasing

Despite companies’ increased efforts to protect themselves against crime, the rate of incidents continues to grow. The annual compounded growth rate of cybercrime is 66 percent.

2. Most Companies Are Unprepared

The average business doesn’t feel prepared for the current IS climate. In fact, 56 percent doubt they would even be able to detect a sophisticated attack.

3. Vendors Are Ignored

Many SMBs fail to realize that vendor security issues can lead to risks. Perhaps more concerning, 33 percent are not sure if they have a security agreement in place with their vendors.

4. Your Employees Are a Risk

Data breaches can occur due to cybercriminals, but the vast majority of security incidents are caused by employees. In many cases, this is due to a lack of knowledge on security best practices.

5. Companies Are Spending More

Sixty-two percent of companies of all sizes are choosing to proactively protect themselves against risks by spending more of their IT budgets on security, which can include bringing on professional help by working with a professional IT services provider.

6. Attacks Are Very Expensive

The average security attack worldwide costs $3.5 million, which can cover the costs associated with fines, fees, notifying customers, and related charges. Each lost or stolen customer identity comes to around $145.

7. Companies Aren’t Testing Enough

Forty-nine percent of companies fail to complete “fire drills” to determine just how effective their data recovery practices, encryption, and other components of information security really are.

8. Mobile Is Risky

The rising adoption of smartphones and tablets doesn’t mean it’s safe. Mobile device management and mobile vulnerabilities are currently considered the single biggest security risk, especially since employees may take these mobile devices off site or connect to unsecured wireless networks.

9. Policies Matter

Despite the importance of educating employees, only 76 percent of brands have password policies developed and company-wide procedures in place.

10. IT Is Concerned

Eighty percent of IT professionals believe their organizations need to be working harder to defend against cybercrime. In many cases, these professionals are limited by budget and company culture.

Taking steps to protect your customers’ data could be the best IT investment you make this year. In an era of increased cybercrime, employee education, security technologies, and increased vigilance aren’t just important. They’re necessary.

Get in touch with your local San Francisco Bay Area Managed Services Provider to get started on your strategic information security roadmap today!
