
Blog

Posts Categorized Under "HIPAA"

Can HIPAA Certified Solutions Really Guarantee Compliance?


When searching for a new healthcare solution to meet your organization’s needs, it’s easy to see the labels “HIPAA Certified” or “HIPAA Compliant” and believe your bases are covered. After all, “HIPAA Certified” means the product or application follows HIPAA’s privacy rules and has everything in place to protect your health and patient information, right?

Unfortunately, no. While such a certification could be useful for organizations in the future, giving them peace of mind during the stressful process of shopping for new solutions, the U.S. Department of Health and Human Services (HHS) “does not contemplate certification of HIPAA compliance, nor does it authorize any third party to provide an ‘official’ certification,” reports this recent article from HealthData Management. In other words, a vendor is free to describe its product as compliant or certified, but no regulator stands behind that label and the claim has no legal standing.

If you see a solution that’s labeled “HIPAA Certified,” you can still consider it as a viable option, just do so carefully. Businesses often use these terms as a simple way to say “we meet all of HIPAA’s rules and regulations in our given field, and we can help you take steps toward full compliance.” But they can’t guarantee their product will make you compliant, and ultimately the responsibility to become and remain compliant rests on you and your organization.

Rob Reinhardt, owner of Tame Your Practice, a company that provides consulting to mental health and wellness professionals, says this of “HIPAA Certified” solutions: “You cannot maintain HIPAA compliance by simply ‘only purchasing HIPAA compliant stuff.’ Only Covered Entities and Business Associates can be compliant. They do so by following all of the requirements of HIPAA and HITECH, which are extensive.” Covered Entities are health care providers, like doctors and psychologists; health plans, like health insurance companies or government plans; and health care clearinghouses. Business Associates are people or businesses that handle PHI while helping Covered Entities carry out their daily functions.

Are you shopping for a solution that will support your business processes and bring you one step closer to full HIPAA compliance? To make the search less painful, here are a couple of tips we recommend following when vetting potential vendors.

1. Read the Fine Print

When you come across a product that is labeled certified or compliant, read the fine print to see exactly what the vendor is offering. Make sure they clearly list what they’ll do to help your organization achieve HIPAA compliance, and be wary of any company that hides this information or won’t give it to you. We also recommend you think carefully before purchasing software from a business that’s been declared HIPAA compliant by a third party. A third-party assessment is evidence about the vendor’s own controls; it says nothing about how you will configure and use the product, and that is where your compliance is decided.

2. Ask the Right Questions

Go into the conversation or demo with a list of questions you need answered. Here are a few we recommend to get you started:

  • Do you have a clear outline of how your product will help me become HIPAA compliant?
  • Do you have a HIPAA compliance checklist I can see?
  • Will you sign a Business Associate Agreement if your product or your staff will handle our PHI?
  • How does the product encrypt sensitive data at rest and in transit, and which algorithms and key sizes does it use?
  • Can it produce audit reports of who accessed or moved which data, and when?
  • What level of expertise does your business have with HIPAA and HITECH?
  • Do you have a HIPAA specialist on staff that I could talk to?

In the end, finding a solution that matches your needs shouldn’t be difficult. Just remember: the right solution will help you on your journey to HIPAA compliance, not guarantee it. Only you can do that, by making sure your organization meets all HIPAA regulations.

Looking for a managed file transfer solution that can help your organization meet several key HIPAA and HITECH requirements via a managed, centralized, and auditable environment? Our solution, GoAnywhere MFT, may be right for you.

To learn more, download our white paper, How Managed File Transfer Addresses HIPAA Requirements for ePHI, or view our HIPAA and HITECH solutions brief.

 


8 Ways to Protect Your Healthcare Organization from a Data Breach

Last year there were 328 data breaches of healthcare organizations. That’s a new record, up from 268 the previous year. In these breaches, the records of approximately 16.6 million Americans were exposed. These incidents occurred at all types of organizations in the industry, including clinics, insurance providers and their health system business associates.

If you’re in the healthcare industry, here are eight steps you can take to ensure that your organization isn’t the next one in the news.

#1. Continually Evaluate HIPAA Compliance

You’re in healthcare, so you already know about HIPAA, the Health Insurance Portability and Accountability Act that safeguards Protected Health Information (PHI). Civil penalties for non-compliance can reach millions of dollars, and knowingly misusing PHI is a criminal offense that can carry prison time, which should be enough to ensure that you take HIPAA seriously. But you should also think of HIPAA as a solid starting point for avoiding major cybersecurity threats.

HIPAA’s Security Rule requires a documented risk analysis and periodic reviews of it. The rule itself sets no interval; once a year is the usual minimum, and it’s not a bad idea to assess your security and compliance even more frequently. In a typical organization a lot of changes are made in a year, including new software implementations and upgrades, employee turnover and role changes, or mergers and acquisitions, all of which can create vulnerabilities. These assessments are also a great chance to evaluate your internal security policy and incident response plan.

#2. Educate Your Employees

We all worry about the nefarious hacker, lurking in a dark room and furiously typing code to steal your organization’s records. The truth is that one of the leading causes of healthcare data breaches in 2016 was employee error.

Make sure that all employees in your organization know what personal information can be shared with patients, caregivers, and others according to HIPAA and any state regulations you need to follow. Give your employees a test of their security knowledge or run simulations through phone calls and emails, and reward the employees who respond correctly.

#3. Manage Roles and Access

Keeping medical records secure can be a challenge because they pass through so many hands, but the access that a doctor needs is different from that of a member of the finance or IT staff. It’s essential that every user has an individual account (no shared logins) with role-based access appropriate for their position. The IT administrator should also have full visibility into who accesses or manipulates what data and when, so they can identify suspicious activity such as one account downloading large volumes of data to an unknown IP address.
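As an added illustration of that last point (this code is not from the original post or from the GoAnywhere product), here is a small Python check over a constructed audit export: it aggregates download volume per user and client address, ignores addresses inside the networks the organization already knows about, and flags any pair that pulls more than a threshold from an unknown address. The record format, the known networks and the 100 MiB threshold are assumptions made for the example; the same logic applies to the MFT audit trails described later on this page, which record users, recipients and file names for every transfer.

```python
import ipaddress
from collections import defaultdict

# Constructed sample audit records for this example (not real logs):
# timestamp,user,action,client_ip,bytes
SAMPLE_AUDIT = """\
2017-03-07T09:01:10,dr.lee,DOWNLOAD,10.20.5.14,48211
2017-03-07T09:05:42,dr.lee,DOWNLOAD,10.20.5.14,51900
2017-03-07T11:20:03,billing.kim,DOWNLOAD,10.20.8.33,91000
2017-03-07T23:41:55,svc.backup,DOWNLOAD,198.51.100.77,734003200
2017-03-07T23:43:10,svc.backup,DOWNLOAD,198.51.100.77,812345678
2017-03-08T00:02:17,dr.patel,UPLOAD,203.0.113.9,2048
2017-03-08T00:03:17,dr.patel,DOWNLOAD,203.0.113.9,120000
"""

# Assumed for the example: the address ranges the organization recognises
# (its own LAN and VPN pool). Anything else is an "unknown" client address.
KNOWN_NETWORKS = [ipaddress.ip_network(n) for n in ("10.20.0.0/16", "192.168.50.0/24")]

# Assumed threshold: 100 MiB per (user, client IP) pair. Tune to your own baseline.
BULK_THRESHOLD = 100 * 1024 * 1024


def parse_audit(text):
    """Turn the CSV-style audit export into dicts with typed fields."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, user, action, ip, nbytes = line.split(",")
        records.append({"ts": ts, "user": user, "action": action,
                        "ip": ipaddress.ip_address(ip), "bytes": int(nbytes)})
    return records


def is_known_address(ip, networks=KNOWN_NETWORKS):
    """True when the client address falls inside one of the recognised networks."""
    addr = ipaddress.ip_address(str(ip))
    return any(addr in net for net in networks)


def flag_bulk_downloads(records, threshold=BULK_THRESHOLD, networks=KNOWN_NETWORKS):
    """Sum download volume per (user, client IP) for addresses outside the known
    networks and return the pairs that reach the threshold, largest first."""
    totals = defaultdict(int)
    for r in records:
        if r["action"] == "DOWNLOAD" and not is_known_address(r["ip"], networks):
            totals[(r["user"], str(r["ip"]))] += r["bytes"]
    hits = [(user, ip, total) for (user, ip), total in totals.items() if total >= threshold]
    return sorted(hits, key=lambda h: h[2], reverse=True)


if __name__ == "__main__":
    for user, ip, total in flag_bulk_downloads(parse_audit(SAMPLE_AUDIT)):
        print(f"ALERT: {user} downloaded {total / 2**20:.0f} MiB to unknown address {ip}")
```

The uploads and the small downloads from internal addresses are ignored; only the service account pulling roughly 1.4 GiB to an address outside the known ranges is raised. In practice the threshold would be set from each role's normal volume rather than a single global number.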

#4. Subnet Your Network

It may seem like a basic mistake to an IT or security professional, but you might be surprised how many healthcare providers leave patient records reachable from the same network segment as guest Wi-Fi or the public website. Subnetting, or creating separate subnetworks, lets you put public-facing systems on one segment and any applications that touch medical records or payment cards on others. The segments only protect you if traffic between them is restricted by firewall rules or ACLs so that the public segment cannot reach the PHI segment at all; a subnet by itself is just an addressing boundary, not a security one.

#5. Use Multi-Factor Authentication

The standard username and password isn’t secure enough for users who need to access private patient information. Multi-factor authentication typically requires at least two of the following: something you know (like your password), something you have (like a token), or something you are (like a fingerprint). A 2015 report by the Office of the National Coordinator for Health IT found that, while hospital support for multi-factor authentication had risen by 53 percent since 2010, only half of small urban hospitals were capable of it. Fifty-nine percent of medium and 63 percent of large institutions had the capability.

If you are a healthcare organization that still doesn’t support multi-factor authentication, it’s a key step to take toward securing your data.

#6. Protect Devices and Be Cautious with BYOD

The majority of healthcare data breaches occur not because of hackers, but because of stolen or lost devices. For devices owned by your organization, make sure they are encrypted and that you have the ability to wipe them remotely.

You should also adopt strong security measures in your BYOD policy. Employees will want to have the convenience of easily accessing PHI from their tablets, laptops, or mobile phones, but if one of these devices falls into the wrong hands, the result could be devastating to your company. Here are some steps you should take in your BYOD policy:

  • Require strong authentication methods
  • Don’t allow medical records to be stored on employee devices
  • Prevent devices from connecting to healthcare applications beyond a certain distance from your facility

#7. Ensure Business Associates are Protecting PHI

Healthcare providers rely on a wide network of associated companies and services. Business associates of organizations that must comply with HIPAA are also held to HIPAA standards for protecting patient data and can be fined directly if they fail to do so. Your business associate agreements with these organizations should be tailored to both HIPAA and any state regulations that apply to your organization. The associates should be required to develop internal processes to assess security, and to discover and report data breaches. Choose business partners that are willing to commit to security best practices; those that aren’t are a liability.

#8. Encrypt Data at Rest and in Transit

HIPAA’s Security Rule lists encryption of electronic PHI as an “addressable” specification: you must implement it where it is reasonable and appropriate, and if you decide it isn’t, you have to document why and put an equivalent safeguard in place. That leaves room for interpretation, but regardless of HIPAA or other regulations, strong encryption is the best way to protect your data.

HIPAA’s Breach Notification Rule also provides a safe harbor: if the lost or stolen data was encrypted in line with HHS guidance and the key was not compromised along with it, the incident is not a reportable breach. In other words, encryption can spare you from having to notify your patients, the media, and the government, and from the reputational damage that comes with it.

A managed file transfer solution can encrypt your files both at rest and in transit using modern, secure encryption methods. Good MFT software will help ensure that you stay up-to-date as encryption standards change over time, while also making your data transfers simple to manage and audit.

To find out how GoAnywhere MFT can help you stay HIPAA compliant, download the guide.

 


FBI Issues Warning on FTP Servers

The FBI recently issued a Private Industry Notification to healthcare providers warning them of the dangers of unsecured FTP servers. According to the alert, the FBI is aware of criminal actors actively targeting FTP servers operating in “anonymous” mode, meaning anyone can log in with a generic username such as “anonymous” or “ftp” and an arbitrary password (by convention an email address), with no real credential check. The FBI notification cited a 2015 study from the University of Michigan that found over one million FTP servers configured to allow anonymous access.

While the notification was intended for medical and dental facilities, inadequate FTP security is a concern across all industries. According to the FBI, “Any misconfigured or unsecured server operating on a business network on which sensitive data is stored or processed exposes the business to data theft and compromise by cyber criminals.”

The problems with FTP servers go beyond anonymous mode. For one thing, many organizations are running legacy FTP software that hasn’t been kept up-to-date with modern security concerns. Another widespread issue comes from granting excess permissions to trading partners or internal staff. Anyone given administrative access could change a setting on the server without realizing the potential security implications.

Hopefully it’s clear that you should be using encryption to protect your data. What some businesses fail to realize is that plain FTP sends usernames, passwords and file contents in cleartext, and that even where encryption is used, its strength varies greatly with factors like key size and the ciphers and protocol versions in use. Many of the older ciphers and protocols have been broken and are now obsolete. Finally, a major problem with legacy FTP servers is a lack of alerts if anything goes wrong and the lack of detailed logs to help you maintain compliance with industry regulations.
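As an added example (not from the original post, the FBI notification, or any vendor), here is a Python check for the pitfalls listed above against a vsftpd server: it audits a vsftpd.conf for anonymous logins, anonymous uploads, missing TLS and disabled transfer logging, and scans vsftpd-style log lines for successful anonymous logins and the files those clients moved. The config fragments and log lines are constructed for the example; the defaults assumed for missing keys follow vsftpd.conf(5), and correlating transfers to logins by client address is an approximation, since the log carries no session identifier.

```python
import re

# Constructed vsftpd.conf fragments for this example (not from any real server).
WEAK_CONF = """\
# legacy anonymous drop box
listen=YES
anonymous_enable=YES
anon_upload_enable=YES
write_enable=YES
xferlog_enable=NO
ssl_enable=NO
"""

HARDENED_CONF = """\
listen=YES
anonymous_enable=NO
local_enable=YES
write_enable=YES
chroot_local_user=YES
ssl_enable=YES
force_local_logins_ssl=YES
force_local_data_ssl=YES
xferlog_enable=YES
log_ftp_protocol=YES
"""

# Constructed log lines in the style of vsftpd.log (not real traffic).
SAMPLE_LOG = """\
Tue Mar  7 02:11:43 2017 [pid 2301] CONNECT: Client "198.51.100.23"
Tue Mar  7 02:11:44 2017 [pid 2301] [ftp] OK LOGIN: Client "198.51.100.23", anon password "mozilla@example.com"
Tue Mar  7 02:11:50 2017 [pid 2302] [ftp] OK DOWNLOAD: Client "198.51.100.23", "/pub/exports/claims_2017-03.csv", 2941032 bytes, 311.02Kbyte/sec
Tue Mar  7 08:30:01 2017 [pid 2410] [claims_svc] OK LOGIN: Client "10.20.5.14"
Tue Mar  7 08:31:12 2017 [pid 2412] [claims_svc] OK UPLOAD: Client "10.20.5.14", "/home/claims_svc/eob_batch.pgp", 18400 bytes, 2.10Mbyte/sec
Tue Mar  7 13:02:09 2017 [pid 2511] [ftp] FAIL LOGIN: Client "203.0.113.40"
"""


def parse_vsftpd_conf(text):
    """key=value lines; comments and blanks ignored; a later key overrides an earlier one."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip().upper()
    return settings


def audit_vsftpd_conf(text):
    """Return finding codes for the settings the FBI notice and this post call out."""
    s = parse_vsftpd_conf(text)
    findings = []
    # vsftpd.conf(5) gives anonymous_enable a built-in default of YES (assumed here),
    # so a missing key is treated exactly like an explicit YES.
    if s.get("anonymous_enable", "YES") == "YES":
        findings.append("ANONYMOUS_LOGIN_ENABLED")
        if s.get("anon_upload_enable", "NO") == "YES":
            findings.append("ANONYMOUS_UPLOAD_ENABLED")
    if s.get("ssl_enable", "NO") != "YES":
        findings.append("CLEARTEXT_CREDENTIALS_AND_DATA")
    elif (s.get("force_local_logins_ssl", "YES") != "YES"
          or s.get("force_local_data_ssl", "YES") != "YES"):
        findings.append("TLS_OPTIONAL_FOR_LOCAL_USERS")
    if s.get("xferlog_enable", "NO") != "YES":
        findings.append("NO_TRANSFER_LOG")
    return findings


LOG_LINE = re.compile(
    r'^(?P<ts>\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}) \[pid (?P<pid>\d+)\] '
    r'(?:\[(?P<user>[^\]]*)\] )?(?:(?P<status>OK|FAIL) )?(?P<event>[A-Z]+): '
    r'Client "(?P<ip>[^"]+)"(?P<rest>.*)$')
ANON_PW = re.compile(r'anon password "(?P<pw>[^"]*)"')
XFER = re.compile(r'^, "(?P<path>[^"]+)", (?P<size>\d+) bytes')


def parse_log(text):
    """Yield one dict per line that matches the vsftpd log shape; skip anything else."""
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if m:
            yield m.groupdict()


def anonymous_logins(text):
    """Successful logins vsftpd marks as anonymous. Keyed on the 'anon password'
    field, not the bracketed username, which is only the configured ftp_username."""
    hits = []
    for e in parse_log(text):
        if e["event"] == "LOGIN" and e["status"] == "OK":
            pw = ANON_PW.search(e["rest"])
            if pw:
                hits.append((e["ip"], pw.group("pw")))
    return hits


def anonymous_transfers(text):
    """Files moved by clients that logged in anonymously (correlated by client address)."""
    anon_ips = {ip for ip, _ in anonymous_logins(text)}
    xfers = []
    for e in parse_log(text):
        if e["event"] in ("DOWNLOAD", "UPLOAD") and e["status"] == "OK" and e["ip"] in anon_ips:
            m = XFER.match(e["rest"])
            if m:
                xfers.append((e["event"], e["ip"], m.group("path"), int(m.group("size"))))
    return xfers


if __name__ == "__main__":
    print("weak config:", audit_vsftpd_conf(WEAK_CONF))
    print("hardened config:", audit_vsftpd_conf(HARDENED_CONF))
    print("anonymous logins:", anonymous_logins(SAMPLE_LOG))
    print("anonymous transfers:", anonymous_transfers(SAMPLE_LOG))
```

The weak configuration produces four findings and the hardened one none; the log scan shows the anonymous client that fetched the claims export, which is exactly the kind of event the missing alerts and logs on a legacy server would hide.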

These common pitfalls can be addressed with a robust managed file transfer (MFT) solution. Managed file transfer offers a variety of strong, up-to-date protocols and encryption methods, allowing you to replace standard FTP with something more secure like SFTP (file transfer over SSH) or FTPS (FTP over TLS). Software with role-based security gives you the option to limit any user or user group to just the permissions they absolutely need, and detailed audit logs keep track of exactly which user took what action and when, essential information for your team and for auditors alike.

To learn more about how to secure an FTP server, watch the on-demand webinar, Top 10 Tips for Securing Your FTP or SFTP Server.

 


Get the Guide: Achieving HIPAA Compliance with GoAnywhere MFT


Are your file transfers HIPAA compliant? Is your healthcare organization at risk for fines, or worse - a data breach of sensitive patient information? Many health IT teams meet these questions with unease.

Fortunately, GoAnywhere is here to help.

HIPAA (the Health Insurance Portability and Accountability Act) protects the confidentiality, integrity, and availability of electronic health information. For any IT professional working in the healthcare industry—or for a company that does business with healthcare organizations—HIPAA is a concern. Compliance is strictly enforced, with penalties including substantial fines and, in rare cases, even prison sentences.

HIPAA is dedicated to protecting patient health information, but cybersecurity is only a portion of what the law covers and HIPAA’s security standards were not written for an IT audience. Avoiding specific technical language means the law changes with the times and allows organizations to adopt new technologies that help them meet HIPAA requirements. This approach provides flexibility, but it also makes HIPAA compliance challenging—IT professionals have to translate HIPAA into IT terms to determine what steps they need to take to become compliant.

Patient care involves constantly exchanging and updating electronic records, making file transfers a potential area of security vulnerability. GoAnywhere MFT protects valuable personal data while simplifying HIPAA compliance.

We’ve put together a guide that demonstrates how GoAnywhere MFT addresses several key HIPAA requirements. For example, GoAnywhere prevents unauthorized access by authenticating users and passwords with a variety of techniques including database authentication, LDAP, and Active Directory. Audit trails are generated to document if unauthorized attempts are made to alter or delete documents.

 

Download the guide to learn more about how GoAnywhere makes HIPAA compliance easy.

Why Healthcare Organizations Need a Managed File Transfer Solution


Last year was a scary year in healthcare cybersecurity. A hack of Banner Health breached up to 3.7 million records. Another data breach at 21st Century Oncology resulted in multiple lawsuits being filed against the organization. When a third party gained unauthorized access to computer systems at Valley Anesthesiology and Pain Consultants, almost 900,000 patients, employees, and providers had to be notified. These are just a few examples of the biggest incidents in the news; smaller security failures are happening all the time.

Patient records are extremely sensitive, so healthcare organizations have to be especially vigilant about securing their data. Additionally, they need to be able to prove compliance with HIPAA. In an industry that involves constantly moving and updating patient records, maintaining security and compliance requires a robust method of protecting any transfer of data. That’s why no healthcare cybersecurity strategy is complete without a managed file transfer (MFT) solution.

Why Not Use a Basic File Transfer Tool?

Many EHR and network monitoring products already deployed in a healthcare organization include some secure file transfer capability, so it’s easy for IT professionals to ask: “Why not just stick with the basics?” While some of these add-on file transfer tools may protect sensitive data in transit, there are several crucial things that only a complete managed file transfer solution provides.

Supports varied platforms, protocols and encryption standards: A good managed file transfer platform will support a variety of protocols, such as SFTP, FTPS, and HTTPS, and encryption standards like AES and OpenPGP. It may be necessary to select different methods for each transfer based on your partner’s requirements.

Centralized system for organized monitoring and reporting: For many healthcare organizations, regular monitoring and reporting of file transfers is a requirement for compliance adherence. The ideal MFT solution provides a single tool capable of handling all your transfers out of one area, whether that is server-to-server batch file transfers, user-to-user ad-hoc file transfers or person-to-person file collaboration. A centralized area simplifies the ability to monitor and report all transfer activity.

Controls user access: HIPAA requires that organizations prevent unauthorized access to files. Of course, this can mean hackers with malicious intent, but you should also have protocols in place to protect data from internal actors. A 2015 study found that internal actors were responsible for 43% of data loss. That includes both intentional and accidental security failures.

MFT software with role-based security options can limit each user to the servers and the functions of managed file transfer that they absolutely need to use. Individual files and folders can be restricted to certain users or user groups. Since every user has a unique user ID, all their activity can be tracked—essential if you face an audit.

Facilitates HIPAA compliance: Modern IT environments and the volume of electronic records stored by healthcare organizations are far larger and more complex than what existed when HIPAA was first enacted. Although many organizations got by with FTP-based tools or custom scripts in the past, the best way to meet HIPAA requirements today is with an easy-to-use, comprehensive managed file transfer platform.

In addition to providing the required security protocols and encryption, a good MFT tool will generate detailed audit trails and reporting of every file transfer, identifying the users, the recipients, and the file names transmitted. Just what an auditor needs to see.

Simplifies and automates transfers: Configuring each file transfer in a way that is secure, compliant, and meets the individual needs of each business partner is extremely time consuming. Too many manual steps in the transfer process can make a high volume of file transfers impossible to manage, not to mention error-prone. The automation capabilities of managed file transfer software can streamline data transfer processes and reduce the potential for mistakes.

Case in Point: AnMed Health Saves 500+ Hours of Manpower Each Month

When health system AnMed Health made the decision to replace outdated file transfer systems with GoAnywhere MFT, their new ability to support SFTP and PGP encryption increased the number of vendors AnMed could perform simplified, secured transfers with.

But that wasn’t the only benefit. Using managed file transfer eliminated the need for third-shift data center staffing and saved programming, operations, and network staff over 500 hours a month. How much money do you estimate that 500 hours a month could save your healthcare organization?

Another useful improvement was automatic notifications and greater visibility into the status of file transfers. Previously, the AnMed Health team often only found out about a problem when they received a call from a vendor.  A robust MFT solution will alert you if something goes wrong, allowing you to attack the issue without delay.

Ready to see for yourself? Schedule a demo of GoAnywhere MFT to see how easily your file transfer process can be secured, automated and centralized.


Sign Up for the FREE Secure File Transfer Webinar Series

Linoma Software is hosting a FREE October Webinar Series on the advantages of securing your system-to-system and person-to-person file transfer processes. Please take a moment to register for one, or both, of these informative live presentations.

Webinar: Get Your FTP Server in Compliance

Are you still running an outdated FTP server in your DMZ? Does your FTP server have the security controls and audit reporting needed to meet the latest PCI DSS and HIPAA compliance requirements?

GoAnywhere goes beyond a typical FTP server by providing the enterprise-level features and security you need to get compliant.

FREE WEBINAR: Now Available On-Demand

We demonstrate GoAnywhere and how to:

  • Use SFTP, FTPS and HTTPS for file transfers
  • Protect files at rest and in motion with AES-256 encryption
  • Set triggers to automatically process files
  • Control access to private and shared folders with granular permissions
  • Generate detailed audit logs and reports

Register Now


3 Advantages of an on-premises Solution for File Sharing

Are you looking for a better solution than cloud-based file sharing services like Dropbox to transmit sensitive company data?

Put an end to employees using unsecure cloud-based file sharing services. Improve compliance and cut the risk of sensitive company data falling into the wrong hands.

FREE WEBINAR: Now Available On-Demand

We cover the three advantages of an on-premises product for Enterprise File Sync and Sharing (EFSS):

  • Local management of user accounts and files
  • End-to-end encryption of files at rest and in motion
  • No monthly user subscription fees or storage limits

Register Now


Join us for these complimentary webinars to get a valuable tour of GoAnywhere MFT. Linoma's engineers will be on hand during the webinars to answer your technical questions.


5 Ways Healthcare is Using Managed File Transfer

Healthcare organizations looking to improve secure file transfer processes have discovered the many advantages of Managed File Transfer (MFT) and the GoAnywhere Suite. Meeting regulatory compliance with HIPAA and HITECH, connecting multiple office locations or simply updating legacy systems all create excellent opportunities to evaluate the benefits of MFT.

"The medical environment is changing with new regulations and mandates to be addressed," says Scott Schwarze, manager of information services at the University of Tennessee Medical Center (UTMC). "We wished for a product that would do most of the heavy lifting."

  1. Eliminating Personnel Risk

    UTMC found itself in a vulnerable position when their only employee capable of maintaining complicated VB scripts became seriously ill. AnMed Health in Anderson, South Carolina recognized they were in a similar position with only one network staffer capable of setting up DOS batch transfers.

    "With a small staff but large output, the goal was something that all team members could be trained on," said Schwarze. Despite its extensive capabilities, GoAnywhere customers quickly discover the simplicity of scripting and troubleshooting tasks. Lisa Nanney, senior programmer analyst at AnMed Health adds, "when issues do arise, my operations staff can resolve the problem immediately."

  2. Proactive Notifications

    "Our old file transfer system did not offer automatic auditing," said Nanney. "Because we weren't proactive, it often took a call from a vendor to discover there was a problem." While AnMed Health uses notifications in GoAnywhere to raise alerts on file transfer issues, Cancer Registry of Greater California (CRGC) finds them invaluable in improving workflow.

    "We knew it was important to manage the flow of documents," states Cory Hamma, systems support manager for CRGC. When files are uploaded by a partner facility, employees are notified of each successful transfer. This establishes a procedure for timely attention to uploaded files and ensures that they don't go unprocessed.

  3. Reducing Menial Tasks

    One of AnMed Health's initiatives was to eliminate the need for third shift staffing. Their results using the efficient automation tools in GoAnywhere saved programming, operations and network staff over 500 hours a month.

    A Network Engineer who handled the FTP server spent at least 24 hours a month troubleshooting transfers. According to Nanney, "he doesn't even touch transfers now unless we need connection assistance."

    But Nanney didn't stop there. She went on to automate many of their insurance claims and payment processing. This recovered over 50 hours of Data Center time in addition to accelerating the recovery of payments.

    During the evaluation of existing FTP processes for migration to GoAnywhere, the UTMC staff discovered they could eliminate custom processes from the procedure. "By eliminating cut off times for output from SQL jobs, labor hours for SQL developers were cut in half," says Schwarze.

  4. Compatibility with Trading Partners

    When UTMC was evaluating file transfer solutions "we assumed going in that we could not impact vendors," stated Schwarze. "Most of the vendors provided an SFTP or FTPS connection for file transfers." Their modified policy stated that data must not only go over an encrypted connection, but the files need to be encrypted as well.

    Schwarze appreciated GoAnywhere's ability to connect to most systems using standard file transfer protocols. Files are then encrypted and compressed using Open PGP and other standards. He added, "HIPAA does not require the double encryption method, but we felt in this technology environment it would be prudent."

    AnMed Health had several vendors migrate to SFTP, which posed a problem with their old FTP server. "We do transfers with vendors now that would not have been possible without GoAnywhere," said Nanney.

  5. Replacing Inefficient Processes

    CRGC covers a population area of nearly 20 million residents across 48 of California's 58 counties. In order to transmit files between locations, they were utilizing a number of secure email subscription services. Hamma described this being problematic due to, "the file transfer size limitation, lack of organizational control, and complexity for remote users."

    "Many research files exceeded 1 GB in size," said Hamma, "so the ability to remove that barrier entirely was huge." GoAnywhere also resolved organizational control with its detailed audit logs that ensure accurate documentation of who, when and where files are accessed.

    For AnMed Health, something as simple as replacing green-bar reporting streamlines operations. Nanney's team now sends reports to a network drive mapped to the IFS, cutting paper costs and eliminating yearly maintenance for "one dinosaur of a printer".

Regardless of your industry, GoAnywhere's MFT Suite delivers real results to improve secure file transfer and collaboration processes. Talk to a representative today and discover what GoAnywhere can do for your organization. To read the full case studies, please visit the links below:


Healthcare Industry Still Lags in Protecting Data

As healthcare information security requirements and penalties get tougher, a great deal of discussion is focused around how well the healthcare industry is securing patient data.


The general consensus is that the industry still has a long way to go. One of the industry's publications, Healthcare InfoSecurity, released the results of the Healthcare Information Security Today survey sponsored by RSA which took an in-depth look at security and IT practices of senior executives in the healthcare industry.


The survey reviews many information security topics including

  • Impact of a data breach
  • Security threats
  • Compliance and steps to improve security
  • Risk assessment

Some of the responses surprised us by showing how far healthcare companies still have to go for proper HIPAA compliance. Take a look at these statistics:

  • 55% of respondents were not confident in their organization's ability to comply with HIPAA and HITECH Act regulations concerning privacy and security (grading themselves adequate or less).
  • 66% responded that their organization's ability to counter internal information security threats was adequate or less.
  • Only 47% of survey participants utilize encryption for information accessible via a virtual private network or portal.
  • 32% of respondents have not conducted a detailed information technology security risk assessment/analysis within the past year with 47% updating their risk assessment only periodically.

The good news is that the survey shows that healthcare organizations are taking steps in the right direction to improve their security practices.

  • 37% of organizations' budgets for information security are scheduled to increase over the next year.
  • 40% of respondents plan to implement an audit tool or a log management solution within the next year.

When asked what their organization's top three information security priorities are for the coming year, the top responses included:

  • Improving regulatory compliance efforts
  • Improving security awareness/education
  • Preventing and detecting breaches

Healthcare IT teams will need updated security policies, comprehensive training for employees, and reliable tools and solutions that can deliver functionality, ease of use, audit reporting, and efficient workflows that protect the security of confidential data at rest and in motion.

The pressure is growing, compliance audits are looming, and tackling these issues is just part of the evolution of the healthcare industry.


New Protections for Patient Data Increase Pressure For Trading Partners to Get Compliant

Yet another layer of regulation has been added to the Health Insurance Portability and Accountability Act (HIPAA) that offers even greater protection for healthcare patients' privacy, while also defining new rights regarding how they can access their health records.

The biggest change is the expansion of HIPAA compliance requirements to include trading partners and third parties who also handle patient data, such as billing companies, contractors, and more. The U.S. Department of Health and Human Services (HHS) reports that these third parties have been responsible for several significant data breaches, which is one reason the responsibility for compliance has been extended to this group.

Penalties for violating HIPAA compliance rules are assessed based on the determined level of negligence, and can go as high as $1.5 million per year for repeated violations of the same provision.

Other issues addressed with the latest additions to the HIPAA regulations include more clarity in defining which types of breaches need to be reported, as well as how patients will be allowed to access and interact with their health records electronically.

If you're concerned about whether your FTP server meets compliance regulations, join us for a webinar on Thursday, Jan. 31 at Noon Central entitled "Get Your FTP Server in Compliance!"  You can learn more about the agenda for this webinar here.

For more information about the new HIPAA rules, check out the press release from HHS.