Archive for the ‘HIPAA’ Category:

Do I Need A Server For My Small Business?

I get asked this question quite a bit, especially by new business owners. A lot of existing businesses also want to get rid of their current office server and move to the cloud.

Moving an office server to the cloud is always an option with the right internet bandwidth and a large enough budget, but this post is about exploring the need for an onsite server in a small business.

Before deciding whether a server is needed, consider the main uses and benefits of a server in a small business:

  • Line of business application requirement.
  • User authentication for computers (Active Directory).
  • File server for business data.
  • Backup location for computers.

A few factors need to be considered before this question can be accurately answered. I will list the factors below and then explain how each one affects the server-or-no-server decision.

1) Regulatory Compliance
2) Employee Assigned Computers
3) Employee Size
4) Line of Business Application

1) Regulatory Compliance: Compliance requirements like HIPAA § 164.308(a)(4) Information Access Management require each employee to have a unique user ID for all information systems, so employee activities can be logged and audited on each system. This can be done without a server (Active Directory), but a server makes managing user IDs and passwords a lot easier than managing each user on each computer.

2) Employee Assigned Computers: If your employees have permanently assigned computers, then you will only need to manage one or maybe two logins on each computer. This becomes more complicated if employees roam between available computers, as in a doctor’s office. Imagine managing different credentials for 10 employees on 10 computers; this quickly becomes an avalanche of IDs (100) to manage. An Active Directory server makes this easier by managing all 10 IDs from one server.

3) Employee Size: User authentication is a little easier to manage for a business with five or fewer employees. Even with regulatory compliance and non-assigned computers, you will be managing at most 25 IDs on five computers for a five-person company.

4) Line Of Business Application: If your primary line of business (LOB) application requires a server to function, then you will need a server. There is no way around it; you might be able to use a cloud server, but that still depends on the LOB application and your internet bandwidth.

After considering all the factors listed above, my answer to the question varies from business to business. If your business is not affected by any of the criteria above, then you can do away with an on-site server, or at least move it to a cloud server.

CyberSecurity Tips

  • Cybersecurity Statistics Sheet
  • eBook – Cybersecurity Tips for Employees
  • Quick Tips – 5 Ways to Stay Secure Online
  • NIST – Small Business Information Security Fundamentals

Managing Cybersecurity Risk Using the NIST Cybersecurity Framework.

What is NIST (National Institute of Standards and Technology):
NIST is a federal agency within the US Department of Commerce. It was tasked in 2013 with developing a voluntary framework for reducing cyber risks to critical infrastructure.

What is the NIST Cybersecurity Framework:
This is voluntary guidance to better manage and reduce cybersecurity risk in organizations. It was designed to promote communication about risk and cybersecurity management between internal and external organizational stakeholders.

The framework was designed to be used by organizations of various types and sizes. Each of the framework components (Framework Core, Profiles, and Tiers) can be used in a variety of ways to address the needs of an organization. Some of the ways are:

  • Communication with stakeholders within an organization.
  • Sharing cybersecurity expectations with business partners and suppliers.
  • Mapping of the framework to current cybersecurity management processes.
  • Using the framework as a planning tool to assess risk and current practices.

Framework Components and how they are used.
Framework Core:
This is a set of cybersecurity activities, desired outcomes, and applicable references that are common across critical infrastructure sectors. These activities are grouped into five functions:

  • Identify assets in the organization.
  • Protect identified Assets in the organization.
  • Detect anomalies and events.
  • Respond appropriately to detected anomalies.
  • Recover from anomalies.

The framework core gives organizations an overview of how cybersecurity risks should be managed from beginning to end.

Framework Profile:
These are the cybersecurity goals an organization aims to achieve based on its business needs, selected from the framework categories and subcategories. The profile allows an organization to determine its current cybersecurity risk level and develop a way to reduce the risks.

Framework Tiers:
These provide an organization with a way to assess how it views cybersecurity and the processes in place to manage cybersecurity risks. The tiers range from Partial (Tier 1) to Adaptive (Tier 4). The tiers help an organization determine how closely its cybersecurity risk management processes are aligned with its business.

Overall the framework provides a plan for an organization on how to address cybersecurity risks.

5 Steps For Protecting Patients’ Data (PHI).

According to Health IT Outcomes, security breaches cost healthcare $6 billion annually. Patients’ medical records are now 10 times more valuable than credit card numbers to hackers. Hackers monetize patients’ medical records in different ways, and the market for them is growing. Protecting your patients’ data should be a high priority at your practice. We have listed some steps below to get you started.

Assign a security officer. Most businesses, especially small ones, do not have anyone in charge of IT security. The security officer handles all security-related issues or works with a contracted IT firm. A security officer also gives employees a resource for any security-related questions.

Perform a Risk Analysis. Details of a Risk Analysis can be found here. A risk analysis reveals potential holes in your IT infrastructure that hackers can use to steal patient data. Once the holes are revealed, you need to take steps to address them.

Employee Training. Employee blunders are the second leading cause of HIPAA breaches. Employees need to be trained on the right way to handle patients’ data and the impact if it is not handled with the highest security.

Inventory of Equipment/Software Storing Patient Data. Most businesses do not know all the places patient data is stored. You can only protect patient data if you know where it is stored. You should also restrict access to the data based on job responsibilities.

Install Technical Safeguards. You need technical safeguards in place that prevent hackers from gaining access to your network. Most businesses have some in place, but they are either not monitored, reviewed or updated. This responsibility can be handled by your assigned security officer or outsourced to an outside firm. Some technical safeguards are listed below:

  • Firewall.
  • Antivirus.
  • Software Patches.
  • Backup and Recovery.

The steps listed above should get you started. Achieving HIPAA compliance is not as hard when you prioritize protecting your patients’ data.

Do I Need A Business Associate Agreement (BAA)?

We discussed HIPAA Business Associates in our last post and listed some examples you might have in your Practice.

If you have Business Associates, then HIPAA requires you to have Business Associate Agreements (BAA) in place. A Business Associate Agreement is a contract between a covered entity (CE) and a business associate (BA) that details the permitted and required use of protected health information (PHI) by the business associate.

A business associate contract is a required implementation specification in the HIPAA Administrative Safeguards. A business associate contract must:

  • Establish permitted use and disclosure of PHI by the BA.
  • Provide that the BA will not use or further disclose the information other than as permitted or required by the contract or as required by law.
  • Require the BA to implement appropriate HIPAA safeguards to protect PHI.
  • Require the BA to report any PHI breaches to the covered entity.
  • Require the BA to ensure that any subcontractors it engages that will access PHI agree to the same restrictions that apply to the business associate.

Having the right business associate contract in place can potentially protect your organization from breaches caused by a Business Associate.

A business associate agreement is a legal contract between two parties and should be treated as such. The contract should be reviewed by your lawyer to make sure you are protected as much as possible from any Business Associate mishaps.

The Department of Health and Human Services (HHS) website has a sample business associate contract you can modify to suit your practice’s needs.

Who Is A HIPAA Business Associate (BA)?

Healthcare providers work with other companies to perform certain business functions. Some of the contracted companies will access your facility, IT systems and even your patient data to perform their activities. If the contracted companies have access to your patients’ data, either directly or through your IT systems, then HIPAA considers them Business Associates (BA).

HIPAA defines a Business Associate as:
A person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity.

Some examples of Business Associates are:

  • Billing Companies that access your patient information to bill patients.
  • IT companies that access your IT systems to provide support.
  • Software/EHR companies that access your EHR for maintenance and updates.
  • Data Backup companies that store your patient data.
  • Electronic Fax company that receives, sends and stores patient data.

The common factor, and the most important point, is access to your patients’ electronic Protected Health Information (ePHI). If they have access to it, they are a Business Associate. Some contracted companies, like a web design company, may not need access to your patients’ ePHI, so they are not considered a Business Associate. A member of your workforce is not considered a business associate.

If you are not sure whether a contracted company is a Business Associate, then it’s better to assume they are. Under the HIPAA Security and Privacy Rules, Business Associates are required to sign Business Associate Agreements/Contracts that protect you and your patients’ ePHI.

As an IT Service provider we sign a Business Associate Agreement with all our healthcare clients for their protection and also ours. Signing a BA agreement with our clients lets them know we take HIPAA compliance seriously.

HIPAA Security Risk Analysis

A risk analysis is the first step towards HIPAA compliance. A Security Risk Analysis basically identifies what is wrong. HIPAA defines a Risk Analysis as:

An accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the [organization].

Risk analysis and risk assessment are sometimes used interchangeably but they are different as defined by HIPAA. A risk analysis is a required step towards HIPAA compliance while a risk assessment is conducted if there is a breach. You conduct a risk assessment after a breach to determine if patients’ protected health information (PHI) has been compromised. This will also determine if you need to implement the HIPAA breach notification.

You don’t need any special tools or qualifications to perform a risk analysis. There are tools available that make the process a lot easier and less time consuming. Any covered entity can choose to perform the risk analysis in-house if it has the time and expertise to do so.

Regardless of how you conduct your Risk Analysis, there are certain elements it must include. The elements of a Risk Analysis are:

  • Scope of the analysis.
  • Data collection.
  • Identify and document potential threats and vulnerabilities.
  • Assess current security measures.
  • Determine the likelihood of threat occurrence.
  • Determine the potential impact of threat occurrence.
  • Determine the level of risk.
  • Finalize documentation.
  • Periodic review and updates to the risk analysis.

No matter how you conduct your Risk Analysis, make sure all the elements above are covered and documented. Conducting a Risk Analysis does not mean you are HIPAA compliant; it is only the first step towards compliance.
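To show how the elements above fit together in practice, here is an added example (not from the original post and not a tool the author describes) that records a constructed ePHI inventory, credits existing safeguards against likelihood, scores the level of risk, and produces a documented register sorted for remediation. The 1-3 rating scale and the "one safeguard lowers likelihood one step" rule are assumptions for illustration; HIPAA requires these steps but does not mandate a scoring scheme.

```python
from dataclasses import dataclass, field

# Assumed 1-3 rating scale (illustrative, not HIPAA-mandated).
RATING = {"low": 1, "medium": 2, "high": 3}


@dataclass
class RiskItem:
    system: str                     # system holding ePHI (data collection step)
    threat: str                     # identified threat
    vulnerability: str              # identified vulnerability
    safeguards: list = field(default_factory=list)   # current security measures
    likelihood: str = "medium"      # chance the threat exploits the vulnerability
    impact: str = "medium"          # effect on confidentiality/integrity/availability


def adjusted_likelihood(item):
    """Each documented safeguard lowers the likelihood one step (floor: low)."""
    return max(1, RATING[item.likelihood] - len(item.safeguards))


def risk_score(item):
    """Level of risk = adjusted likelihood x impact, on a 1-9 scale."""
    return adjusted_likelihood(item) * RATING[item.impact]


def risk_level(item):
    score = risk_score(item)
    return "high" if score >= 6 else "medium" if score >= 3 else "low"


def build_register(items):
    """Documented register, highest risk first (the 'finalize documentation' step)."""
    rows = [{"system": i.system, "threat": i.threat, "vulnerability": i.vulnerability,
             "safeguards": list(i.safeguards), "score": risk_score(i), "risk": risk_level(i)}
            for i in items]
    return sorted(rows, key=lambda r: r["score"], reverse=True)


# Constructed sample inventory for a small practice (not real data).
SAMPLE = [
    RiskItem("EHR server", "malware", "unpatched OS", ["firewall", "antivirus"], "high", "high"),
    RiskItem("front-desk laptop", "loss or theft", "no disk encryption", [], "high", "high"),
    RiskItem("backup NAS", "unauthorized access", "shared login", ["locked server room"], "medium", "medium"),
]

if __name__ == "__main__":
    for row in build_register(SAMPLE):
        print(f"{row['risk']:6} ({row['score']}) {row['system']}: {row['threat']} via {row['vulnerability']}")
```

Re-running the register after each remediation, and keeping the dated output, gives you the periodic review record the last element asks for.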

Getting Started With HIPAA Compliance

As a healthcare practice you cannot ignore your compliance with the HIPAA Security Rule. The HIPAA Security and Privacy Rules were created to protect patients’ protected health information (PHI). HIPAA violations can result in penalties of $100 to $50,000 per violation, and total fines can be as much as $1.5 million if the violation is due to willful neglect.

A data breach can be financially costly to your practice and may also harm your patients if PHI lands in the wrong hands. A data breach can be as simple as a lost laptop containing patient information.

Being HIPAA compliant is not an easy task, but it shouldn’t be ignored either. I have listed four steps below to get you started with your HIPAA compliance.

Risk Analysis
A Risk Analysis is the first step towards HIPAA compliance. It is used to discover potential risks and vulnerabilities to the confidentiality and availability of electronic protected health information. The risk analysis should be documented, and any discovered vulnerabilities should be addressed. If you have already conducted a risk analysis, then review and update it yearly.

Implement Administrative, Physical and Technical Safeguards
There are certain safeguards that need to be implemented by covered entities to protect PHI. The safeguards are broken down into three types (Administrative, Physical and Technical). Some safeguards are required and some are addressable. All the required safeguards need to be implemented; if you choose not to implement an addressable safeguard, then you need to document why not.

Employee Training
Most HIPAA violations are caused by employee negligence. HIPAA safeguards require you to train your employees, send occasional security reminders and monitor your employees to make sure they are not causing HIPAA violations.

Business Associate Agreement
If you employ any company or contractor that has access to PHI, then they are considered business associates.
You need to have a Business Associate Agreement in place that requires them to comply with the HIPAA Security Rule. A business associate agreement can potentially protect your practice from HIPAA violations caused by the business associate.

The steps listed above should only be considered as a starting point towards your HIPAA compliance. HIPAA compliance is an ongoing process that needs to be constantly monitored and reviewed to fit your practice.