LinkedIn Powerpoint

HIPAASimple.com HIPAA Made Simple

Transcript of LinkedIn Powerpoint

Page 1: LinkedIn Powerpoint

HIPAASimple.com

HIPAA Made Simple

Page 2: LinkedIn Powerpoint

• Lack of policies and procedures transparency results in $150,000 HIPAA settlement.

• Anchorage woman sentenced to 2 years in prison for HIPAA violation.

• Pharmacy fined $125,000 for breach.

• Dermatology practice settles HIPAA violation for $150,000.

• HIPAA violation leads to probation for Radiologist.

• Stolen laptop security case settles for $50,000.

• Groups hit with record $4.8M HIPAA fine.

Current Headlines

Page 3: LinkedIn Powerpoint

Standard | CFR Code Section | Description | R/A | Detail
Security Management Process | 164.308(a)(1) | Risk Analysis | R | Technical assessment of risk through observed, automated collection, and automated verification.
Security Management Process | 164.308(a)(1) | Risk Management | R | Issues are weighted by risk score, probability, and potential impact.
Security Management Process | 164.308(a)(1) | Information System Activity Review | R | User and login analysis: logins to systems with ePHI, access to shares with ePHI. Look for access by terminated employees and vendors. External vulnerability scan.
Workforce Security | 164.308(a)(3) | Authorization and/or Supervision | A | Ensures group policy alignment to adequately protect technical resources. Looks for unauthorized access to ePHI and other systems.
Workforce Security | 164.308(a)(3) | Termination Procedures | A | Validates that terminated employee and vendor accounts are disabled. Looks for unauthorized access by terminated employees and vendors. Verifies removal of accounts from security groups. Identifies potential terminated employees through activity analysis.
Information Access Management | 164.308(a)(4) | Access Authorization | A | Login analysis. Account enablement. Access verification to ePHI.
Security Awareness and Training | 164.308(a)(5) | Protection from Malicious Software | A | Endpoint security analysis. Firewall malware and IPS protection analysis.
Security Awareness and Training | 164.308(a)(5) | Log-in Monitoring | A | Login activity review of audit logs.
Security Awareness and Training | 164.308(a)(5) | Password Management | A | Password compliance validation through group and local security policies. Baseline security analysis for weak passwords.
Contingency Plan | 164.308(a)(7) | Applications and Data Criticality Analysis | A | Identification of potential locations for ePHI.
Business Associate Contracts | 164.308(b)(1) | Written Contract or Other Arrangement | R | Identification of the need for a BAA with hosting and service providers.
Workstation Use | 164.310(b) | Workstation Usage | R | Account lockout settings. Local password validation. Login activity review. Potential ePHI verification. Network share permission checks.

R = Required, A = Addressable.

A partial list of the required and addressable issues to be compliant with HIPAA/HITECH Federal laws.

There are actually many pages of these requirements.
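The Information System Activity Review and Termination Procedures rows above describe checks that can be scripted directly. The following is an added example in Python, not HIPAASimple's scanner or any code from the original slides. It takes a constructed HR termination list, a constructed directory export (enabled flag and group membership) and a few constructed successful-logon records shaped loosely like Windows Event ID 4624 entries, and reports logons on or after an account's termination date, terminated accounts still enabled or still in security groups, and enabled accounts with no recent logon (the page's "activity analysis" for departures HR never reported). Account names, group names, the 90-day stale threshold and the as-of date are assumptions.

```python
"""Terminated-account access review (added example; not HIPAASimple's code).

All inputs below are constructed for illustration. Field layouts, account and
group names, the as-of date and the 90-day stale threshold are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed HR feed: account -> termination date (ISO 8601).
TERMINATIONS = {
    "jsmith": "2014-03-01",
    "vendor_acme": "2014-02-15",
}

# Constructed directory export: is the account enabled, and which groups
# does it belong to? "Domain Users" is treated as the baseline membership
# every account has, so only extra groups are reported.
ACCOUNTS = {
    "jsmith":      {"enabled": True,  "groups": ["Domain Users", "EHR-Clinical"]},
    "vendor_acme": {"enabled": False, "groups": ["Domain Users"]},
    "mjones":      {"enabled": True,  "groups": ["Domain Users", "Billing"]},
    "rbrown":      {"enabled": True,  "groups": ["Domain Users"]},
}

# Constructed successful-logon records, loosely modelled on the fields a
# Windows 4624 event carries: time, account, workstation, logon type
# (2 = interactive at the console, 10 = remote interactive / RDP).
LOGONS = """\
2014-02-27T08:02:11 jsmith      WS-FRONTDESK 2
2014-03-04T22:41:09 jsmith      WS-SERVER1   10
2014-02-10T09:15:00 vendor_acme WS-SERVER1   10
2014-06-25T08:00:00 mjones      WS-BILLING   2
"""

BASELINE_GROUPS = {"Domain Users"}


@dataclass(frozen=True)
class Finding:
    account: str
    detail: str


def parse_logons(text):
    """Parse whitespace-separated logon lines into (time, user, host, type)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, host, logon_type = line.split()
        events.append((datetime.fromisoformat(ts), user, host, int(logon_type)))
    return events


def review_terminated_access(terminations, accounts, logon_text,
                             as_of, stale_days=90):
    """Return findings for the checks in the Termination Procedures and
    Information System Activity Review rows of the table."""
    as_of_dt = datetime.fromisoformat(as_of)
    term_dates = {u: datetime.fromisoformat(d) for u, d in terminations.items()}
    events = parse_logons(logon_text)
    findings = []

    # 1. Any successful logon on or after the termination date.
    for ts, user, host, logon_type in events:
        cutoff = term_dates.get(user)
        if cutoff is not None and ts >= cutoff:
            findings.append(Finding(
                user, f"logon after termination: {ts.isoformat()} "
                      f"on {host} (logon type {logon_type})"))

    # 2. Terminated accounts still enabled or still in non-baseline groups.
    for user in terminations:
        acct = accounts.get(user)
        if acct is None:
            continue
        if acct["enabled"]:
            findings.append(Finding(user, "terminated account still enabled"))
        extra = sorted(set(acct["groups"]) - BASELINE_GROUPS)
        if extra:
            findings.append(Finding(
                user, "terminated account still in groups: " + ", ".join(extra)))

    # 3. Enabled, non-terminated accounts with no logon inside the stale
    #    window: candidates for departures HR never reported.
    last_seen = {}
    for ts, user, _host, _type in events:
        last_seen[user] = max(ts, last_seen.get(user, ts))
    for user, acct in accounts.items():
        if user in terminations or not acct["enabled"]:
            continue
        seen = last_seen.get(user)
        if seen is None or as_of_dt - seen > timedelta(days=stale_days):
            when = seen.date().isoformat() if seen else "never"
            findings.append(Finding(
                user, f"enabled account with no logon in {stale_days} days "
                      f"(last seen: {when})"))
    return findings


if __name__ == "__main__":
    for f in review_terminated_access(TERMINATIONS, ACCOUNTS, LOGONS,
                                      as_of="2014-06-30"):
        print(f"{f.account:12} {f.detail}")
```

Against the constructed data this produces four findings: one post-termination RDP logon by jsmith, jsmith's account still enabled and still in EHR-Clinical, and rbrown as an enabled account with no logon at all. The disabled vendor account with no activity after its end date produces nothing, which is the state a termination procedure should leave behind.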

Page 4: LinkedIn Powerpoint

We Become Your Compliance Partner

The HIPAA/HITECH laws require every Covered Entity to meet detailed Privacy and Security standards. These are vigorously enforced by both Federal and State agencies.

Page 5: LinkedIn Powerpoint

HIPAASimple provides….

Layers Of Protection

The safest way to proceed with HIPAA is to secure many levels of protection for your office. HIPAASimple provides layers of protection for your compliance program.

Layers that we will discuss in this presentation:

✔ Current Risk Analysis
✔ Risk Management actions
✔ Provision of HIPAA required forms
✔ Policies & Procedures specific to your practice
✔ Written Training Lessons
✔ Online Training Courses

Page 6: LinkedIn Powerpoint

Beginning Layer: Risk Analysis and Risk Management

Page 7: LinkedIn Powerpoint

We scan your network twice per year and deliver reports regarding any deficiencies. Our software is specifically designed for HIPAA Risk Analysis.

Page 8: LinkedIn Powerpoint

Our HIPAA scanning software is very thorough to help keep your network safe from intruders.

Page 9: LinkedIn Powerpoint

The following areas were assessed. Potential issues were found in the areas highlighted in RED.

Environment: Facility Access Controls

Users: Information System Activity Review; Termination Procedures; Access Authorization; Existing Security Measures Related to Access Controls; Password Management; Administrative Access Control; Audit Controls; Person or Entity Authentication

Wireless: Access Authorization; Access Establishment; Workforce Security

Servers and Local Computers: Protection Against Malicious Software; Applications and Data Criticality Analysis; Business Associate Agreements

Firewall: Access Authorization; Protection Against Malicious Software

Email: Applications and Data Criticality Analysis

Page 10: LinkedIn Powerpoint

Issue Review

Anti-spyware not installed (94 pts)

Issue: Malware protection is required but not identified as being installed on computers in the network.

Recommendation: Install a commercial grade anti-spyware program on the computers indicated in the Endpoint Security section of the Evidence of HIPAA Compliance report.

Every issue we uncover receives a risk score, and recommendations are made for how to lower it.

Page 11: LinkedIn Powerpoint

Issue Review

Automatic screen lock not turned on (94 pts)

Issue: Automatic screen lock prevents unauthorized access when users leave their computers. With no screen lock enabled, anyone who reaches an unattended computer has unauthorized access to network resources.

Recommendation: Enable automatic screen lock on the following computers:

Many issues will be simple to fix.

Page 12: LinkedIn Powerpoint

Issue Review

Company WiFi open or using insecure security (i.e., WEP) (94 pts)

Issue: Open or insecure WiFi protocols may allow an attacker access to the company’s network and resources.

Recommendation: Enable Wi-Fi security and use a more secure protocol such as WPA2.

Wi-Fi issues are often discovered.

Page 13: LinkedIn Powerpoint

Issue Review

Account lockout disabled (77 pts)

Issue: Account lockout (locking an account after a set number of failed logon attempts) significantly reduces the risk of an attacker acquiring a password through a brute force attack.

Recommendation: Enable account lockout for all users.

Another example of an easy fix that will lower your Risk Score.

Page 14: LinkedIn Powerpoint

Issue Review

Password complexity not enabled (75 pts)

Issue: Enforcing password complexity limits the ability of an attacker to acquire a password through brute force.

Recommendation: Enable password complexity to ensure domain account passwords are secure.

We act as your compliance partner and direct you in your compliance program.
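The two issues above, Account lockout disabled and Password complexity not enabled, are both visible in the Account Policies that Windows writes out with `secedit /export /cfg <file>`, in the `[System Access]` section. The following is an added example in Python, not HIPAASimple's scanner or any code from the original slides: it parses two constructed exports, a weak policy that reproduces both findings and a hardened policy that passes, and returns findings ordered by risk score. The 77- and 75-point scores are the ones quoted on the slides; the minimum-length baseline of 8 and its 60-point score are assumptions, as are the hardened values chosen.

```python
"""Password-policy check against a secedit export
(added example; not HIPAASimple's scanner or code).

Windows writes its Account Policies to an INF-style file with
`secedit /export /cfg <file>`; the relevant keys live in [System Access].
Both exports below are constructed. The 77- and 75-point scores come from
the slides; the minimum-length baseline of 8, its 60-point score and the
hardened values are assumptions.
"""
from dataclasses import dataclass

WEAK_INF = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 0
MaximumPasswordAge = 42
MinimumPasswordLength = 0
PasswordComplexity = 0
PasswordHistorySize = 0
LockoutBadCount = 0
[Version]
signature="$CHICAGO$"
Revision=1
"""

HARDENED_INF = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 1
MaximumPasswordAge = 90
MinimumPasswordLength = 12
PasswordComplexity = 1
PasswordHistorySize = 24
LockoutBadCount = 5
ResetLockoutCount = 15
LockoutDuration = 15
[Version]
signature="$CHICAGO$"
Revision=1
"""


@dataclass(frozen=True)
class Finding:
    issue: str
    points: int
    recommendation: str


def parse_inf(text):
    """Minimal parser for the INI-like secedit export: {section: {key: value}}."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip()] = value.strip()
    return sections


def check_password_policy(inf_text, min_length=8):
    """Return findings for [System Access], ordered by risk score, highest first."""
    policy = parse_inf(inf_text).get("System Access", {})

    def setting(key, default=0):
        return int(policy.get(key, default))

    findings = []
    # LockoutBadCount = 0 means "never lock out": unlimited password guesses.
    if setting("LockoutBadCount") == 0:
        findings.append(Finding(
            "Account lockout disabled", 77,
            "Set LockoutBadCount to a small non-zero value (the hardened "
            "export uses 5) together with LockoutDuration and ResetLockoutCount."))
    # PasswordComplexity = 0 permits all-lowercase or all-digit passwords.
    if setting("PasswordComplexity") == 0:
        findings.append(Finding(
            "Password complexity not enabled", 75,
            "Set PasswordComplexity = 1 so domain passwords must mix "
            "character classes."))
    # Assumed baseline: complexity alone does not stop short passwords.
    if setting("MinimumPasswordLength") < min_length:
        findings.append(Finding(
            f"Minimum password length below {min_length}", 60,
            f"Set MinimumPasswordLength to at least {min_length}."))
    return sorted(findings, key=lambda f: f.points, reverse=True)


if __name__ == "__main__":
    for label, text in (("weak", WEAK_INF), ("hardened", HARDENED_INF)):
        print(f"== {label} ==")
        for f in check_password_policy(text):
            print(f"{f.points:3} pts  {f.issue}: {f.recommendation}")
```

Running the weak export yields the two slide findings plus the assumed length finding; the hardened export yields none. Pointing `parse_inf` at a real export from `secedit /export /cfg` is a one-line change, and the same file also carries the other `[System Access]` values (password age, history) that a fuller baseline would compare.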

Page 15: LinkedIn Powerpoint

Our Risk Analysis will also produce a Risk Management Plan which will rate your vulnerabilities according to severity and probability (High, Medium & Low). From this report we will guide you in better securing your network and devices.

Page 16: LinkedIn Powerpoint

Your office will be guided by our HIPAASimple Management process to:

• Prioritize what needs to be fixed.

• Schedule tasks over the course of the year.

• Work from a simple monthly to-do list.

Page 17: LinkedIn Powerpoint

Secondary Layers: Policies, Procedures and Forms

Page 18: LinkedIn Powerpoint

Your Privacy Officer will use our online portal to customize policies and procedures just for your office.

Page 19: LinkedIn Powerpoint

Our Client Portal is easy to use. Simply log in and follow the directions.

Page 20: LinkedIn Powerpoint

As you complete your information, your policies and procedures are ready to print or store online.

Page 21: LinkedIn Powerpoint

We offer guidance every step of the way.

Page 22: LinkedIn Powerpoint

Just click your way through the client portal

Page 23: LinkedIn Powerpoint

Required forms are part of our protection.

Page 24: LinkedIn Powerpoint

Using our simple method your forms are always up to date.

Page 25: LinkedIn Powerpoint

More Layers: Staff Training

• New Hire
• Annual
• Periodic

Page 26: LinkedIn Powerpoint

Training is tailored to your organization.

Page 27: LinkedIn Powerpoint

Simple policies for your staff to follow.

Page 28: LinkedIn Powerpoint

We update your policies and forms as new requirements are rolled out.

Page 29: LinkedIn Powerpoint

Online Layers: HIPAASimple Online Learning

Page 30: LinkedIn Powerpoint

Online course outline. Thorough, informative, and engaging for every staff member.

Page 31: LinkedIn Powerpoint

Highest quality online video training.

Page 32: LinkedIn Powerpoint

This kind of training stops problems before they ever get started.

Page 33: LinkedIn Powerpoint

Questions throughout the course make it interesting.

Page 34: LinkedIn Powerpoint

Challenge questions help retain learning.

Page 35: LinkedIn Powerpoint

After successfully completing the online course, you will receive your HIPAA Certificate of Completion.

Page 36: LinkedIn Powerpoint

Use Our HIPAASimple Management Process To:

• Plan your training for each year

• Receive a monthly to-do list

• Log new hires and exit reminders

• Keep a record and report all staff training, participants, and incidents

Page 37: LinkedIn Powerpoint

Extra Layers of Protection

• Breach Notification Protocols
• Sanction Process for Violations
• Contingency Plan for Emergencies
• CMS Exclusion Database
• System Backups
• Disaster Recovery Plan
• Business Associate Agreements (BAA)
• PHI Storage and Destruction Guidelines
• HIPAA Hot Topics Bulletins
• Periodic Staff Training
• Toll Free Hot Line

Page 38: LinkedIn Powerpoint

• Lack of policies and procedures transparency results in $150,000 HIPAA settlement.

• Anchorage woman sentenced to 2 years in prison for HIPAA violation.

• Pharmacy fined $125,000 for breach.

• Hacker steals protected health data on 151,000 patients at Oregon dentist.

• Dermatology practice settles HIPAA violation for $150,000.

• HIPAA violation leads to probation for Radiologist.

• Stolen laptop security case settles for $50,000.

• Groups hit with record $4.8M HIPAA fine.

Current Headlines

HIPAASimple works so that your practice never has to worry about becoming the next tragic headline.

Page 39: LinkedIn Powerpoint

Contact us with your compliance questions.

[email protected]

(800) 279-3668

Your compliance partner

www.hipaasimple.com

Choose HIPAASimple for your compliance partner. We've been helping medical offices become compliant since 2002.