Archive for category: Articles

Fax Service+ HIPAA Compliance

Categories: Articles

Despite their dated roots and the myriad complaints about them, fax machines can be HIPAA-compliant as long as appropriate security safeguards are followed. In short, HIPAA regulations do not prevent covered entities (health providers, plans and clearinghouses that transmit health information electronically) from faxing.

It’s the covered entity’s responsibility to ensure their fax practices comply with HIPAA privacy rules. These include the “minimum necessary” rule, which limits information in the fax to the minimum amount necessary in certain instances, as well as the implementation of administrative, technical, and physical security policies to protect PHI.[1]

Unfortunately, these rules are not always followed. Academic physician Sachin H. Jain, M.D. commented that in most healthcare settings fax machines sit open and accessible to a wide range of individuals, suspending any expectation of privacy and security.[2]

For obvious reasons, fax machines must be located in secure, non-public areas to prevent unauthorized personnel from viewing faxes. Office staff should always verify the recipient’s fax number and use a cover sheet that does not include patient information.

Most Common Fax Related Violations

Sending a fax to the wrong number is one of the most common errors, as evidenced by a number of reported breaches. Last year, Oakland, Calif.-based West Coast Children’s Clinic had to notify patients of a HIPAA breach after it faxed a patient’s PHI to an incorrect fax number. The data included the patient’s name, date of birth, developmental and psychological treatment history, family history, educational history, testing results and prescribed treatment.

What are the lessons to be learned? Make sure security safeguards are in place when using the fax machine to transmit PHI, and confirm your staff is properly trained in handling and transmitting patient information.

Internet fax replaces paper with digital transmissions and has emerged as a popular alternative to the traditional fax. Internet fax is typically provided as a hosted service, whereby health providers subscribe to a third-party entity that converts emails and other content to faxes.

Typically no human interaction occurs, which removes the opportunity for human error. This change in workflow reduces risk and offers added convenience and efficiency over traditional fax machines. For healthcare providers that aren’t ready to eliminate fax altogether, moving to secure Internet fax can be a valuable step toward mitigating the inefficiencies and security risks posed by traditional fax machines.


Article submitted by Paul Mancini, National Sales with Clear Choice Telephones.

Questions? Contact Paul at 678-387-3200 or paul@clearchoiceinc.com


Paul Mancini

678-387-3200 desk

678-464-4701 cell

What’s Your Peace-Of-Mind Worth?

Categories: Articles

You’ve been responsible for the office operations for years. But lately, in the age of technology, it seems that things have gotten more complicated and more stressful, rather than simpler.

The administrative, human resource and regulatory compliance related tasks of your business are increasing, and you end each day knowing that there’s much more left to do.

A client data breach, and the business reputation fall-out that follows, is the last thing your business needs right now.

Did you know that a data breach is most often caused by human error, either by an employee or by a vendor that services your office?

Yet many businesses of all sizes still don’t have information destruction policies or procedures. Some still use office shredders to save on operating expense. Relying on your staff to shred what they think is important is both risky and expensive when you consider the labor involved. And there’s no record that it was destroyed, in case you need that later.

In the long term, outsourcing your information destruction needs to a professional On-Site shredding service better protects your business and saves you money. It’s low-cost reputation insurance that gives you Peace-of-Mind.

Make sure you select a shredding service that does more than just shred or recycle your office paper and provide a receipt. A trustworthy shredding company should be able to:

  • Offer On-Site shredding service, as it reduces your risk by shortening the chain-of-custody that your information passes through prior to destruction. It’s destroyed before they leave.
  • Provide a Certificate of Destruction after each service call and keep them on file permanently, should you ever need copies in the
  • Offer shredding of digital devices (hard drives, cell phones, tablets, flash drives, CDs, etc.), which often contain much more information than your documents
  • Demonstrate that their operating and hiring practices are externally audited and certified by NAID (National Association of Information Destruction) and ISO (International Standards Organization)
  • Regularly train their employees (and yours, if necessary) on secure handling and destruction procedures
  • Maintain an excellent customer satisfaction reputation, verifiable with independent unsolicited reviews on Google, Yelp, Angie’s List, etc.
  • Document the recycling of your shredded paper and metal through vendors that specialize in industrial re-use of recycled
  • Share evolving Information Security best practices with you and help you implement information destruction policies and procedures for your business.

For more information, contact Greg Gálvez at greg.galvez@proshred.com or 678-580-1155

Human Error in Cyber Security: 5 Mistakes to Watch Out For

Categories: Articles

Accidents happen. Mistakes occur. Human error is just a part of, well, being human. However, that doesn’t mean you can’t go the extra mile to minimize the likelihood of a human error, especially when it comes to cybersecurity. When a data hack or other security attack happens, the root cause is often an avoidable accident.

While you should take steps to try and eliminate these human errors from your operations, you should also make sure you have a thorough, well organized, and secure IT support system in place to combat any would-be hackers and data thieves. At Medicus IT, we offer the following cybersecurity services: managed cybersecurity, phishing/security awareness solutions, vulnerability scanning, and encryption and management. Learn more about these services here to see how we can help keep your organization secure.

To help ensure that your operations are hacker-proof, look out for these human errors in cybersecurity.

Poor Passwords

Yes, your password should be easy to remember. No, it should not be simple enough that others can guess it. And yes, it should be difficult enough where it would take hackers a long time to figure out (check out this helpful tool to see how long it would take someone to figure out your password).

A poor password is one of the easiest mistakes someone can make when it comes to cybersecurity. We are all capable of remembering passwords that are too tricky to guess or hack. However, we tend to stick with easy, simple-to-remember passwords for our own convenience. Don’t do this. Choose a password that contains letters, numbers and special characters and is at least ten characters long. Avoid writing down your password as well. But if you absolutely must, then keep it hidden somewhere safe, and once you memorize your password, throw it out.

Misdelivery

Misdelivery is a common mistake that has more to do with carelessness than anything else. Whenever you are sending an email, always double, triple, and quadruple check to make sure that you are sending the information to the right person. Even if you aren’t sending any confidential information, get in the habit of always checking. This type of human error is more common than you might think. According to the 2018 Verizon Data Breach Report, misdelivery was the fourth most frequent action that caused data breaches.

Falling for Phishing Scams

That same Verizon report also found that email was the most common medium from which cybersecurity attacks originated, with 96% of all attacks sourced from email. Everyone in your practice should be familiar with phishing emails, where someone pretends to be an outside, trustworthy entity (like a bank, for example) and tries to get passwords or other sensitive information.

The key to avoiding phishing scams taking place in your office is to instill a culture that is aware of the dangers of being careless with emails. One of the most effective ways to do this is to incorporate phishing/security awareness solutions into your operations regularly. At Medicus IT, we work with clients to run phishing scam simulations that determine how many employees fell for our faux scam and exactly who clicked on the email. That way, you can understand the scope of the problem and which employees need training in how to spot scams. We also offer secure email solutions and SPAM filtering products to further protect your practice.

Inadequate Software Security

While you could argue that a failure of your security software to stop a hacker is not human error, we would argue the opposite. Deciding not to go with top-notch, high-quality, and highly-rated security software is, in fact, a human error. Sure, you could try to save money by going with a cheaper option. But the smarter and safer option is to pay for the security that you know will get the job done.

Don’t settle for anything less. Trust in Medicus IT to make sure that your information and data is in safe hands.

Low Security Awareness

There are other ways in which your information can be put at risk through negligence or lack of awareness of potential security threats. These include leaving company laptops out in the open where they can easily be stolen, plugging in unsecured devices like USB drives that potential hackers planted, and downloading unsafe software online.

Take the time to educate all your employees on best practices for making sure that they don’t fall prey to a security scam or other threats.

2019: It’s Time to Purge Those Records, Or Is It?

Categories: Articles

A new year always brings about change, and deciding which records you keep or toss at the office can sometimes be a challenge.

Federal record-keeping rules and the Uniform Preservation of Private Business Records Act (UPPBRA) state that records should generally be kept for a period of three years. But sometimes you cannot find a clear-cut answer for how long you should keep certain records.

Things can get a bit opaque if you don’t have any information available to you: you don’t want to purge your old records without being certain, but you also don’t want to keep records longer than needed “just because,” so what do you do?

If you can’t find an answer, it could mean that the records in question should be kept permanently, but to be safe, do your research. Document all resources used during your research, whether you fall back on permanently keeping the records or you lean more toward the three-year time period for records purging. This makes it likely that you will avoid any penalties should an audit or court case crop up.

You can also check with your attorney or CPA, because laws differ from state to state. Another great resource would be reaching out to a local Human Resource company such as Stellaris Group in Marietta, Georgia, and having them review (or help you create) a Records Retention Schedule and time frame for record keeping or purging, since they are always current on new and changing federal and state laws.

As of 2019, the following information offers a basic guideline of what to keep and what to toss after a certain amount of time. But again, to be sure, check with a local HR company, your attorney, or your CPA.

A three-year time frame applies to most, with the exception of the following:

HEALTH AND BENEFITS RECORDS:
USERRA Leave Records                                            Permanent
Toxic and Bloodborne Pathogens Records                          30 Years
Job Related Injuries and Illnesses Records                      5 Years

*PRE-EMPLOYMENT AND EMPLOYMENT DOCUMENTS:
Intellectual Property Ownership/Nondisclosure                   5 Years
Separation Agreement                                            5 Years
Unemployment Claims Records                                     4 Years

*Note: If applicant is not hired, keep records for three (3) years.

RETIREMENT:
401(k) Allocation Records                                       4 Years
Pension Eligibility Records                                     50 Years
Request for Calculation                                         4 Years
Retirement Beneficiary Form                                     50 Years

PAYROLL AND TAX:
Paychecks/Stubs, W-2s, W-4; Earnings Register; Employee Withholding   4 Years
Federal and State Payroll Tax Forms                             4 Years
Federal Forms 1099                                              4 Years
Time Sheets and Cards                                           4 Years
Computer Loan Agreement                                         5 Years
Direct Deposit Records                                          4 Years
Garnishment Records                                             4 Years
Final Payroll Deduction Checklist                               4 Years

HR POLICIES AND REPORTS:
EEO-1 Reports                                                   Permanent
HR Policies (current)                                           3 Years
Affirmative Action Plans and Records                            5 Years
Form 5500                                                       6 Years
OSHA 300/300A                                                   5 Years
VETS-4212 Reports                                               5 Years

The above serves as a general guideline, but to recap: when in doubt, always check with someone who stays current with federal and state laws, because they can and do change. Stellaris Group in Marietta has a team of HR professionals who can guide you in the right direction when it comes to all facets of day-to-day office management.

Article by: Dawn Stastny

Dawn Stastny, SPHR, SHRM-SCP is the Managing Partner and Founder of Stellaris Group, LLC. To learn more about Human Resources Outsourcing and Consulting, connect with her at 678-935-6001 or by email at Dawn.Stastny@Stellaris.Co

GSG Compliance brings you easy-to-read breach notification rules and more…

Categories: Articles

As always, GSG is here to help answer any questions and, of course, to help you with Security Risk Assessments, Information Security Policies, BA Agreements, and more.

This article from xtelligentmedia contains a lot of great information regarding data breaches. It does a great job of laying out the steps to follow in a variety of circumstances.

GSG Compliance is often asked about the “how, when, and why” of PHI breaches. While many circumstances have led to breaches of some kind, this article makes an easy read of what to do to prevent them and what to do should one occur. There is no single thing you can do to protect your data, but there are some basic and common tasks that will put a covered entity in a much more defensible position.

“How To Comply with the HIPAA Breach Notification Rule”

  • Steps to take when a breach happens or is suspected
  • Cyber incident response
  • Significance of encryption

Bill Steuer
GSG COMPLIANCE
877-270-8306  ext. 133
877-828-8809 (fax)

HST Holiday Pics

Categories: Articles

The Healthcare Services Team gathered for the 2018 holiday to celebrate success!

OSHA Postings Are Due the First Day of February

Categories: Articles

Employers have to post OSHA Form 300A for 2018 by the first day of February and leave it up through April 30. This form displays illnesses and injuries that occurred during the previous year and serves as a log of recorded work-related injuries and illnesses. The form must be posted in an area where it is visible to all employees. Records must be kept at the worksite for a minimum of five years and be available not only to current employees but to former employees (or their representatives, if need be) as well.

The United States Department of Labor requires employers with 10 or more employees to keep records of work-related illnesses and injuries that are considered serious (if an injury only required first aid, it need not be recorded). Severe injuries involving loss of an eye, amputation or hospitalization must be reported within 24 hours; any fatality must be reported within 8 hours. Businesses that employ 10 or fewer employees who work in low-hazard conditions are considered exempt from the above requirements.

Note: OSHA Form 300A (Summary of Work-Related Injuries and Illnesses) is the only form needed for electronic submission for establishments with more than 250 employees as of July 30, 2018, due to issuance of a Notice of Proposed Rulemaking (NPRM). In addition to Form 300A, OSHA also requires employers to submit their Employer Identification Number (EIN).

Ensure Your Workers Are Safe:

Employers are responsible for providing a safe work environment and by law are required to provide training and information to employees in a manner of communication that the employees understand. Employees must be made aware of certain hazards in the workplace and instructed on how to avoid them or prevent them from happening, according to OSHA standards. This can include labeling hazardous materials or chemicals and providing Fact Sheets; posting signs and color-coding; safety training and written instructions clearly defined in an Employee Manual; and the implementation of OSHA’s Illness and Injury Prevention Program at your place of business.

Fines Are Steep for Violations:

Congress enacted legislation that required federal agencies to adjust civil penalties to account for inflation as of November 2015. OSHA’s maximum penalties had not been adjusted since 1990 and are going to increase by 78 percent. Moving forward, they will adjust each year for inflation based on the Consumer Price Index, beginning after August 1, 2016, when the new penalties went into effect.

  • Serious or Other-than-Serious Violations are currently $7,000 per violation, and the new penalty will be $12,471 per violation.
  • Failure to Abate is currently $7,000 per day beyond the abatement date and the new penalty will rise to $12,471 per day beyond the abatement date.
  • A Willful or Repeated violation is currently $70,000 per violation and the new rate will become $124,709 per violation.

Once a citation is issued, it must remain posted and visible until the violation has been corrected, or for three days, whichever comes first. Smaller businesses may see a reduction in OSHA penalties based on deciding factors such as the number of employees and size of the business. OSHA’s Field Operations Manual has been revised and is now available to field staff to address recent changes.

This may all sound a bit complicated, but it doesn’t need to be. If your business does not have a designated HR department, try reaching out to a local HR agency such as Stellaris Group in Marietta, Georgia. Stellaris Group offers OSHA and Safety Programs, Government Compliance, Internal Investigations and everything you need for complete Human Resource Management for your business.

Article by: Dawn Stastny, SPHR, SHRM-SCP is the Managing Partner and Founder of Stellaris Group, LLC. To learn more about Human Resources Outsourcing and Consulting, connect with her at 678-935-6001 or by email at Dawn.Stastny@Stellaris.Co

5 Signs You’re Reading a Spear Phishing Email

Categories: Articles

Since the early 2000s, spear phishing scams have been a problem. These scam emails occur when someone attempts to lure sensitive information from an unsuspecting recipient by posing as a legitimate company or entity (e.g. ‘please provide your credit card info for a free trial,’ or ‘your account has been hacked, please reply with your password and username to reclaim control’).

Falling victim to a phishing scam can be detrimental to the individual or company who is preyed upon. And unfortunately, phishing scammers have been getting better and better, making it more difficult to detect whether an email is legitimate or fake.

To help you decipher between what’s real and what’s not, look for these 5 signs that you’re reading a spear phishing email.

Nosy and Suspicious Requests

Your bank, or any other company, will not ask you for your social security number, bank account information, PIN numbers, or any other highly sensitive material over email. Whenever you receive an email that is requesting any type of info from you, always remain suspicious. When in doubt, call the bank or company directly to ensure that the email is in fact legitimate.

Grammatical Errors

While we can all be guilty of a typo here or there, phishing emails are often plagued by spelling, grammatical, and formatting errors. While in some instances the errors are caused by the sender not being a strong English speaker, many theorize that these errors are prevalent in scam emails because they save the scammer time.

Because it usually takes multiple emails back and forth between the phisher and the victim to successfully extract the information, the scammers need to weed out those who will fall for it from those who won’t. In other words, people who look past grammatical errors and ignore spelling mistakes are more likely to actually provide the information than those who don’t. Therefore, the scammers save time by sending low-quality emails to more people, faster, and cast a wider net around potential victims.

Pretty evil, we know. So always be mindful of too many grammatical errors!

No Recipient Name in the Greeting

An email that begins with ‘Dear customer’ or a similarly generic introduction is more likely to be a spear phishing email than one that actually includes your own name. For the reasons described in the previous tip, it is more advantageous for these criminals not to take the time to figure out the names of the recipients, but rather to just send out as many emails as they can.

Email From a Public Internet Account

If you believe you’re receiving an email from a bank or business, the sender’s address should not be a public internet account. Email from a Gmail, Yahoo!, Hotmail, or Outlook address should be a red flag that the sender is not who they say they are. Many phishing emails will use the name of the bank or entity in the email address to try to trick you.

(Example: NorthBranchBank@gmail.com)

Inaccurate URL

Phishing scammers will often use fraudulent websites to try to steal your information. If you are provided a link, check carefully to make sure that the URL is correct. You can easily do this by opening a new tab, googling the website yourself, and checking that it is the same as the one provided in the email. Scammers will try to make the website look as close to the original as possible, but you can spot slight differences, such as alternative spelling or added punctuation.

Use Medicus IT For Your Cybersecurity Needs

At Medicus IT, we offer phishing and security awareness solutions to help our clients prepare for a phishing email attack on their business. We’ll work with you to implement a phishing scam simulation, which will allow us to identify which employees fell for the scam, so we can pinpoint which employees need to be trained in how to spot these scams. It’s also a great reality check, as it shows just how easy it is for businesses and their employees to be tricked into giving up personal information.

These simulations are extremely important for healthcare providers, whose patients’ information and records should be confidential at all times.
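As an added example (not part of the original article), the following Python script turns four of the five signs above into triage heuristics that a mail administrator could run over a quarantined message: a public-webmail sender carrying a brand name, a generic greeting, a request for sensitive data, and a link whose host only looks like the legitimate domain. The grammar sign is left out because it needs a language model; the sample messages, the bank name and the domain northbranchbank.com are constructed for the demonstration.

```python
"""Heuristic spear-phishing triage for the five signs described above (constructed example)."""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Public webmail providers a bank or business should not be mailing from (sign 4).
PUBLIC_WEBMAIL = {"gmail.com", "yahoo.com", "hotmail.com", "outlook.com"}
# Data a legitimate institution never requests by email (sign 1).
SENSITIVE_REQUESTS = ("social security", "password", "pin", "account number", "credit card")
# Generic salutations that suggest the sender never looked up your name (sign 3).
GENERIC_GREETINGS = ("dear customer", "dear user", "dear account holder", "valued customer")
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def _edit_distance(a, b):
    """Plain Levenshtein distance, used to catch one- or two-character typo domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _lookalike(host, legit_domain):
    """True when host is NOT the legitimate domain (or a subdomain of it) but imitates it
    by embedding the brand label or differing by added punctuation / a small typo (sign 5)."""
    host = host.lower()
    if host == legit_domain or host.endswith("." + legit_domain):
        return False
    strip = lambda s: re.sub(r"[^a-z0-9]", "", s)
    brand = strip(legit_domain.split(".")[0])  # e.g. "northbranchbank"; short brands give false positives
    if brand in strip(host):
        return True
    return _edit_distance(strip(host), strip(legit_domain)) <= 2


def triage(raw_message, legit_domain):
    """Return a list of (sign, detail) findings for a raw RFC 822 message.
    An empty list means none of the implemented signs fired."""
    msg = message_from_string(raw_message)
    findings = []
    _, sender = parseaddr(msg.get("From", ""))
    local, _, domain = sender.lower().partition("@")
    if domain in PUBLIC_WEBMAIL:
        findings.append(("public-webmail", sender))
        if re.sub(r"[^a-z0-9]", "", legit_domain.split(".")[0]) in re.sub(r"[^a-z0-9]", "", local):
            findings.append(("brand-in-webmail", local))
    body = msg.get_payload()  # single-part text message assumed in this example
    first_line = next((ln.strip().lower() for ln in body.splitlines() if ln.strip()), "")
    if any(first_line.startswith(g) for g in GENERIC_GREETINGS):
        findings.append(("generic-greeting", first_line))
    text = body.lower()
    hits = [p for p in SENSITIVE_REQUESTS if re.search(r"\b" + re.escape(p) + r"\b", text)]
    if hits:
        findings.append(("sensitive-request", ", ".join(hits)))
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname or ""
        if _lookalike(host, legit_domain):
            findings.append(("lookalike-url", host))
    return findings


# Constructed sample messages; the bank and its domain are fictitious.
SAMPLE_PHISH = """\
From: North Branch Bank <NorthBranchBank@gmail.com>
To: jane@example.org
Subject: Account locked

Dear customer,

Your account has been hacked. Reply with your password and PIN to reclaim control,
or verify at http://northbranch-bank.com/login within 24 hours.
"""

SAMPLE_LEGIT = """\
From: North Branch Bank Alerts <alerts@northbranchbank.com>
To: jane@example.org
Subject: Your monthly statement is ready

Dear Jane,

Your statement is available at https://www.northbranchbank.com/secure after you sign in.
"""

if __name__ == "__main__":
    for sign, detail in triage(SAMPLE_PHISH, "northbranchbank.com"):
        print(f"{sign:18} {detail}")
```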

Article by:

Oct 1 Safe Harbor Deadline

Categories: Articles

Are you a business owner who needs to reduce your current-year taxable income and save for retirement? Now is the ideal time to evaluate retirement plan options for 2018 and beyond.

The deadline to establish a safe harbor 401(k) plan for 2018 is October 1st, 2018. These plans provide significant benefits to business owners and their key staff members:

  • Business owners can make the maximum 401(k) contribution this year ($18,500, or $24,500 if age 50+);
  • Safe harbor company contributions can be either a flat 3% contribution to eligible employees, or a matching contribution of up to 4% of pay;
  • The plan may allow for additional profit sharing or matching contributions;
  • These plans can be paired with cash balance/defined benefit plans for even larger tax-deductible contributions.

Please contact us ASAP so we can start designing a solution for your needs. We look forward to working with you!

Joshua C. Harper, CFP®, CLU®, ChFC®

Office (404) 926-1303

Cell (404) 277-1604

Fax (470) 777-2470


Three Alliance Center

3550 Lenox Road NE, Suite 1100

Atlanta, GA 30326

Article provided by Joshua C. Harper, CFP®, CLU®, ChFC®, for Capstone Financial. For questions, please contact here.

The Story Of Windows 7 & Server 2008 End Of Life Has Just Gone Viral!

Categories: Articles

Support for Microsoft’s most loved operating systems is ending sooner than we think. Support for Windows 7, Windows Server 2008 and Windows Server 2008 R2 ends on January 14th, 2020. This means that Microsoft will discontinue all support, including paid support, and all updates, including security updates. From that point your systems will no longer receive regular security updates, and because of this your older systems will no longer be considered compliant. Additionally, your computers, servers and medical modalities running these older systems will be exposed to new, unpatched exploits, potentially leaving your systems open to further attacks.

Between now and January 2020, Microsoft is offering “extended support” for Windows 7, which means Microsoft is still offering paid support and continues to provide security updates. No new features will be released.

As for Windows Server 2008, everyone will need to migrate to Windows Server 2012 or higher. Microsoft will no longer accept warranty claims or provide non-security hot fixes, but will continue to offer bug fixes and security updates through extended support. Be mindful, though, that we must validate which server versions your line-of-business applications support before proposing an upgrade solution: it is not uncommon for software vendors (including many EMRs) to not support the most recent Server operating systems.

In the table below you can see the current dates that Microsoft will be ending support for various operating systems:

What Do You Do Now?

Now it’s time to upgrade your operating systems. The whole process takes time and careful planning, especially if you have a lot of machines and systems to assess. Here are the steps to take to make sure your transition is successful:

1. Identify devices that need to be upgraded or replaced to meet essential (HIPAA) security compliance.

2. Develop a budget for upgrades, replacements and a timeline of when this will occur.

3. If your systems needing upgrades aren’t powerful enough for the latest Microsoft upgrades, we recommend backing up valuable data and then shredding the hard drive, recycling the old PC, and replacing it with a new computer running Windows 8 Professional or Windows 10.

4. Have security controls in place to isolate Windows 7 and Server 2008 machines that cannot be upgraded or removed from the rest of your systems.

5. Train employees on the new operating systems that are going to be implemented in your practice/business.

What Is Windows 10 and How Do I Upgrade From Windows 7?

If you don’t have a product key or a digital license, you can buy Windows 10 Pro from the Microsoft Store. Select the Start button, select Settings > Update & security > Activation, and then select Go to Microsoft Store.

The great thing about Windows 10 is that it supports apps that are used across multiple devices, including PCs, tablets, and smartphones. It supports face login, touchscreen, and keyboard/mouse input methods and is faster than Windows 7.

It has a lot of useful benefits in its interface, security, speed, compatibility, and software tools that are a massive improvement over Windows 7. The goal of Windows 10 is familiarity and a much simpler learning curve. It gives you the best of both worlds.

Is your practice/business still using Windows 7 and Server 2008? Do you need help upgrading your operating system, replacing your computers with Windows 10 and Server 2012, or with hard drive shredding and recycling?

Then, Contact Us.

We’re always here to help with all of your IT needs.

Article provided by Mike Jann, for Medicus IT, mjann@medicusit.com.

© Copyright - Healthcare Services