RISC Management and Consulting

RISC Happy New Year 2014 Silver

There’s nothing like a fresh, new calendar to inspire new initiatives and renewed emphasis on business improvements. So it is with information security, too, and we here at RISC Management & Consulting offer a few ideas for your business resolutions – or in some cases, revolutions — in the New Year.

Prepare a Plan B: One of the best parts about the beginning of the new year is the excitement in the potential of the future. Right now, while you are reveling in the open road of the future and its upside, consider how you’d weather a storm. Do some planning for business continuity and disaster recovery. Don’t just jump headlong requiring these plans of employees who haven’t done this before. Base your plans on sound fundamentals such as relative impact determined by a Business Impact Analysis (BIA).

Review your firm’s security policies: If your policy manual hasn’t been updated within the last year, it’s time.

Create a workforce privacy and security training program for staff: Such a program would be offered regularly, included in the training for new hire and updated whenever new infrastructure or applications are implemented, or when legal requirements change. Don’t start from scratch; get help and referrals from others in your business. RISC has been educating regulated workforce members regularly delivering programs to industry and accreditation bodies. Already have a good staff training program? A RISC Management policy effectiveness assessment can identify whether your staff is knowledgeable about the content, requirements, and location of your organization’s policies. Are team members following your policy requirements when nobody is looking? RISC can help you to find out.

Invest in a data loss prevention solution: There are many ways to protect regulated, sensitive or confidential employee, customer or company information and safeguard intellectual property across electronic communications channels, including email (SMTP), Web (HTTP), Secure Web (HTTPS) and File Transfer Protocol (FTP) plus online applications and services such as WebMail, social networks, blogs and Wikis. Various tools offered by RISC Management enable healthcare organizations, financial institutions, banks, universities, and any concerned, responsible, business of any size, to effectively monitor, enforce and audit the loss of confidential data.

Spend two minutes learning more about the latest Omnibus Rule Changes to improve privacy protections and security safeguards in the Health Insurance Portability and Accountability Act of 1996 and how RISC Management can help you tackle those changes head-on. Click on https://riscconsulting.com/2013/09/23/final-omnibus-rule-changes-and-how-risc-can-help/ for the video.

Don’t let fear of a data breach keep you awake at night: Schedule a vulnerability test and learn ways you can protect your systems from the bad guys. Run a data breach response drill to practice on a scenario so there is less panic when responding to the real thing.

Create a formal process to document and approve changes to your computer applications and operating systems: Sounds simple, but in practice, such a process can prevent chaos and unintentional security problems. Need help? RISC Management can start with a risk analysis to identify and document potential gaps, and help build a change management program.

Brush up on innovations in health information technology: Why does this matter? Modern systems typically provide better security protocols and often result in financial benefits to stakeholders. Consider attending the Healthcare Information and Management Systems Society annual conference, more commonly known as HIMSS14. It’s Feb. 23-27, 2014, in Orlando, Florida, and former Secretary of State Hillary Rodham Clinton and Aetna CEO Mark Berollini are among keynote speakers. Visit http://www.himssconference.org/ for more information.

Best wishes from RISC Management & Consulting on a Prosperous, Secure, and Compliant New Year!

Adult & Pediatric Dermatology, P.C., of Concord, Mass., (APDerm) has agreed to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy, Security, and Breach Notification Rules with the Department of Health and Human Services, agreeing to a $150,000 payment. APDerm will also be required to implement a corrective action plan to correct deficiencies in its HIPAA compliance program. APDerm is a private practice that delivers dermatology services in four locations in Massachusetts and two in New Hampshire. This case marks the first settlement with a covered entity for not having policies and procedures in place to address the breach notification provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act, passed as part of American Recovery and Reinvestment Act of 2009 (ARRA).

The HHS Office for Civil Rights (OCR) opened an investigation of APDerm upon receiving a report that an unencrypted thumb drive containing the electronic protected health information (ePHI) of approximately 2,200 individuals was stolen from a vehicle of one its staff members. The thumb drive was never recovered. The investigation revealed that APDerm had not conducted an accurate and thorough analysis of the potential risks and vulnerabilities to the confidentiality of ePHI as part of its security management process. Further, APDerm did not fully comply with requirements of the Breach Notification Rule to have in place written policies and procedures and train workforce members.

In addition to a $150,000 resolution amount, the settlement includes a corrective action plan requiring AP Derm to develop a risk analysis and risk management plan to address and mitigate any security risks and vulnerabilities, as well as to provide an implementation report to OCR.

The resolution agreement and press release can be found on the OCR website at http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/apderm-agreement.html.

For assistance please contact RISC Management.