Healthcare IT Security and Support
With as many regulations as the healthcare industry has over how data is stored, shared and accessed, many small practices find it difficult to keep up.
WE KNOW YOUR NETWORK
Whether critical issues like security and compliance are your main concern or lengthy upgrades and computer crashes are hindering productivity, it is no longer necessary to have an in-house technical staff to stay ahead of the curve. Ontech Systems understands how important it is to provide a secure and stable network when it comes to the sensitive nature of patient data and HIPAA compliance within the healthcare industry. The solutions we recommend and implement for our clients meet and exceed the necessary compliance regulations (HIPAA, etc.).
For over 10 years, Ontech has developed a proven record of providing a stable, secure network to healthcare offices throughout Milwaukee and Southeast Wisconsin. Throughout that period of time, we have maintained 98% of our clients – one of the highest client retention rates in our industry.
Our goal through healthcare IT consulting is to help your practice operate more efficiently, remain HIPAA compliant and ultimately become more competitive within the healthcare market.
“Ontech is the most responsive, knowledgeable, and efficient IT systems company we have worked with. Ontech set our clinics up with a great system for moving forward with the ever changing healthcare environment and have given excellent support for every aspect of our IT platform. Thank you Ontech!!”
– JC, The Bridge Health Clinics & Research Centers, Inc.
Ready or Not, HIPAA Enforcement is Here
To say HIPAA enforcement is on the rise is an understatement.
In 2016, we saw a substantial increase in HIPAA enforcement resolution agreements and penalties, to the tune of $23 million in fines, a 300% increase in total collected fines over the previous annual record of $7.4 million set in 2014.
At the start of 2017, with the change in White House administration, many people anticipated that fines and enforcement would continue to increase throughout the year. With the recent appointment of Roger Severino as Director of the Department of Health and Human Services’ Office for Civil Rights, these predictions have come to fruition.
As far as HIPAA violations are concerned, this makes Severino the agency’s chief enforcer – and he takes his job very seriously. In his own words, Severino stated his mission is to find a “big, juicy, egregious breach case to use as an example from which others can learn.”
HIPAA Penalties on the Rise
As of August 2017, 9 actions have been settled with average settlement amounts consistently higher than those in 2016. As of this writing, the largest fine ever assessed was $5.5 million in 2016. This penalty was issued due to an unencrypted stolen laptop and failure to execute a proper business associate agreement.
So what does this mean for healthcare organizations who handle protected health information (PHI) or Personally Identifiable Information (PII)?
HOW TO LOWER YOUR RISK
To reduce the risk of potential HIPAA violations, there are several important steps to take:
Conduct Regular Security/Vulnerability Assessments
It is absolutely crucial to identify security flaws in your network. The best way to do this is by conducting a vulnerability assessment designed to pinpoint security loopholes lurking in your network.
Just one simple phishing email could unleash ransomware that results in your files being held hostage by cyber criminals. If your files were unencrypted and your organization doesn’t have layered security in place, it’s not only your network at risk – a HIPAA violation could be in your future.
Conduct an Introductory HIPAA Security Risk Analysis
In 2017, a consistent theme materialized from the U.S. Department of Health and Human Services Office for Civil Rights (OCR) urging organizations to conduct regular risk analyses that comply with available OCR guidance, including the Guidance on Risk Analysis Requirements under the HIPAA Security Rule.
A HIPAA security risk analysis takes a broad look at HIPAA compliance within your organization. From HIPAA privacy compliance assessments to technical vulnerability assessments, no two organizations are alike. A security risk analysis is a necessary step toward identifying risks and taking steps to move toward HIPAA compliance.
Implement a Risk Management Plan and Risk Management Procedures
In light of risks and vulnerabilities identified during a risk analysis, a risk management plan (RMP) establishes policy for risk analysis and management of electronic protected health information (ePHI). It also helps you identify the vulnerabilities of data flow within your organization so you can close any security gaps as necessary.
There’s no denying HIPAA compliance is a complex topic and achieving HIPAA compliance requires a significant amount of documentation and technical know-how, but you don’t have to navigate the road to HIPAA compliance alone.
Report Breaches within 60 Days
In January, the first enforcement action of its kind for lack of timely breach notification took place, with a settlement amount of $475,000. If a data breach does occur within your organization, be sure to report it to the OCR, the affected individuals and the media without unreasonable delay and in no case later than 60 calendar days after discovery (media notification is only required if the breach affected 500+ individuals).
Do you have antivirus installed on computers throughout your organization? Can you prove it? When it comes to HIPAA, it’s one thing to know you have antivirus installed on computers, but another to prove it. HIPAA compliance requires a great deal of paperwork and if you are short on documenting and defining policies and procedures, we can help you understand what you might be missing so gaps may be filled in.
Unsure if You Are HIPAA Compliant?
If you would like to discuss what it would take to set up a vulnerability assessment, security risk analysis, privacy assessment, and / or assistance with meeting the objectives of HIPAA, contact our office by phone at (262) 522-8560, or send us a request online.
Is Your Medical Practice Making these 5 Common Data Backup Mistakes?
Between HIPAA compliance and patient privacy concerns, it’s critical to have proper data backup systems in place for your offsite healthcare data security. More than ever before, healthcare legislation authorities are cracking down on medical organizations who fail to comply with HIPAA regulations.
Million-dollar-plus fines are now commonplace. If you run a small medical practice in particular, you (literally) can’t afford to run the risk of staying behind the curve when it comes to technology.
Mistake #1) Not Keeping Enough Backups
HIPAA describes its data backup requirement as “Retrievable exact copies of electronic protected health information”. In other words, what they want is archiving and accessibility. In the event of a disaster, your PHI (protected health information) must be backed up securely and it must be easily restored.
Does your medical practice perform a daily backup that overwrites previous backups? What if, for technical or legal reasons, you needed to access data from a certain point in time, but you don’t have archived copies of your backup? It’s best to keep backups as long as needed. Hourly backups can be consolidated into weekly and weekly into monthly, etc. This way, you can always access data – from any point in time – whenever you need it.
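The tiered retention described above, as an added example (not Ontech's code or tooling): given a list of backup snapshot timestamps, it keeps every copy from the recent hourly window, the newest copy of each week over a longer window, and the newest copy of each month over a longer window still, so a restore point survives from any period rather than being overwritten by the next daily run. The tier lengths and the use of UTC timestamps as snapshot identifiers are assumptions.

```python
from datetime import datetime, timedelta

# Added example: a tiered "hourly -> weekly -> monthly" retention selector for
# backup snapshots. Not Ontech's tooling; assumes each snapshot is identified
# by its UTC timestamp and that anything not selected is eligible to be pruned.


def select_retained(snapshots, now, hourly_hours=48, weekly_weeks=8, monthly_months=24):
    """Return the set of snapshot timestamps to keep.

    Tier 1: every snapshot taken in the last ``hourly_hours``.
    Tier 2: the newest snapshot of each ISO week in the last ``weekly_weeks``.
    Tier 3: the newest snapshot of each calendar month in the last ``monthly_months``.
    Together the tiers guarantee a restore point from any week or month in the
    retention window instead of a single daily copy that overwrites itself.
    """
    keep = set()
    hourly_cutoff = now - timedelta(hours=hourly_hours)
    weekly_cutoff = now - timedelta(weeks=weekly_weeks)
    monthly_cutoff = now - timedelta(days=30 * monthly_months)  # approximate months

    newest_per_week = {}   # (iso_year, iso_week) -> newest timestamp
    newest_per_month = {}  # (year, month) -> newest timestamp
    for ts in snapshots:
        if ts > now:
            keep.add(ts)  # clock-skewed future timestamp: never prune, investigate
            continue
        if ts >= hourly_cutoff:
            keep.add(ts)
        if ts >= weekly_cutoff:
            week = ts.isocalendar()[:2]
            if week not in newest_per_week or ts > newest_per_week[week]:
                newest_per_week[week] = ts
        if ts >= monthly_cutoff:
            month = (ts.year, ts.month)
            if month not in newest_per_month or ts > newest_per_month[month]:
                newest_per_month[month] = ts
    keep.update(newest_per_week.values())
    keep.update(newest_per_month.values())
    return keep


def prune_plan(snapshots, now, **policy):
    """Split snapshots into (keep, delete) lists, both sorted oldest first."""
    keep = select_retained(snapshots, now, **policy)
    return sorted(keep), sorted(ts for ts in snapshots if ts not in keep)
```

Running `prune_plan` against a real snapshot inventory before deleting anything gives the documented, reviewable list that HIPAA-style backup policies expect.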
Mistake #2) Not Backing Up Data Offsite
In order to ensure your data is secure and HIPAA compliant, data backup must take place offsite and be replicated to at least one other location. Tape backups alone are unreliable and won’t keep your practice HIPAA compliant. Your data needs to be encrypted to ANSI standards, whereas tape or disk-based backups are unencrypted and can easily be tampered with or moved.
Cloud based offsite data backup, while once costly and out of reach for most practices, now offers backup solutions that even the smallest medical practices can afford.
Mistake #3) Assuming Your Backup is Working
This is especially important, as HIPAA requires that your data not only be recoverable, but also viewable at the “granular” level.
You must be able to restore individual messages and documents rather than an incomplete summary of records.
Even if your backup was set up by an outside vendor and you were told it was an automated process, it is critical that you test your backup periodically to ensure you can actually restore all your data.
How often should you test your backup? Give us a call at (262) 522-8560 and one of our highly qualified techs will provide you with recommendations specifically for your medical practice.
Mistake #4) Not Backing Up Everything You Should Be
In addition to practice management data, you also need to be backing up accounting data, documents, emails, spreadsheets and correspondence. If this data is isolated on PCs around the office, you need to re-evaluate the data backup and business continuity process you currently have in place for your medical practice.
Mistake #5) You Are Missing Formal Documentation Outlining Your Data Backup and Recovery Process
While formal documentation of a data backup and recovery process is a HIPAA requirement, its wording is vague. However, the outcome is clear: as a business owner, your compliant data backup plan must be on paper – and you must follow it.
HIPAA authorities also require that you periodically test your plan of action – and document it. Detailed reporting on your backups should be generated regularly.
Request a No-Obligation, Free Network Discovery
Healthcare Data Security: Is Your Milwaukee Area Practice Making these Mistakes?
If you’re already overwhelmed by your current day-to-day responsibilities and your office is making one or several of these mistakes, request a free, no-obligation Network Discovery.
Through our network discovery, one of our qualified, professional techs will evaluate the data backup process and policies your Milwaukee area medical practice currently has in place.
We’ll offer ways to ensure your practice remains in compliance and answer all your data backup and technical questions.
Your Network Discovery includes an audit of your current network, infrastructure, server(s), PCs, backup, security performance and reliability, followed by a non-technical Q&A session with our Network Consultant.