Category: Security

Staying Compliant in Healthcare: Conducting a HIPAA Risk Assessment

HIPAA (Health Insurance Portability and Accountability Act) serves as a constant reminder to professionals in the healthcare field that data security is of utmost importance. Every company that works directly with protected health information (PHI), along with their business associates, is required to complete a risk assessment.

What is a Risk Assessment?

HIPAA requires covered entities, which includes health plans, healthcare providers, and healthcare clearinghouses to complete a thorough risk assessment to determine all possible vulnerabilities in terms of data security. 

A HIPAA risk assessment should determine that your organization is in compliance with all of the privacy, security and breach notification requirements of HIPAA. It is required of both covered entities and business associates. This can be achieved via the risk assessment process, the goal of which is to identify all of the potential areas of vulnerability. 

Why is a HIPPA Risk Assessment Mandatory?  

HIPPA regulations exist to cover data security. Covered entities are responsible for assessing, identifying, documenting vulnerabilities and taking precautions to eliminate or mitigate the risk of a breach.

An organization can be fined for the failure of due diligence to recognize areas where a data breach could occur. For example, the Centers for Medicare and Medicaid Services reported a wireless health service provider violated HIPPA Privacy and Security rules when a laptop with PHI was stolen from an employee’s vehicle. The investigation revealed insufficient risk analysis and the company agreed to pay $2.5 million and implement a corrective action plan. 

Companies are also subject to a fine fined even if no data has been breached, but they allowed a situation to develop which creates vulnerability. 

What Does a HIPPA Risk Assessment Entail? 

Due to the unique vulnerabilities of electronically stored and transmitted data, a professional in cybersecurity, data protection, and data backups should handle your risk assessment. Wahaya’s cybersecurity and compliance services can assist your organization with internal compliance and the specific requirements to protect you from legal regulations regarding PHI and HIPAA. 

Here is a quick summary of what a risk assessment entails:

A risk assessment should first determine (a) where PHI resides, moves, or is transmitted, and all of the access points. For example, the individuals in an office that have access to patient data and via what media. Interestingly, the rise of mobile devices has created a new area of concern for data security because medical professionals can access data on their phones and tablets.

Then, the assessment should determine the vulnerabilities along all of these touchpoints. That means identifying the threats to data security, which HHS summarizes in four categories:

  1. Unauthorized (malicious or accidental) disclosure, modification, or destruction of information
  2. Unintentional errors and omissions
  3. IT disruptions due to natural or man-made disasters
  4. Failure to exercise due care and diligence in the implementation and operation of the IT system.”

Next, a risk assessment will need to identify and evaluate all of the existing security protocols to protect PHI.

The following step is to determine if these tools are sufficient for data protection and whether the protocols and safeguards are being observed. 

After that, identify the likelihood of a threat. In other words, not all risks are of equal likelihood. As there are limits to an organization’s capacity to eliminate risk, the focus should be on the ones which have a higher probability of occurrence.

Finally, calculate the likely consequences of a breach of PHI. If a breach occurs along any particular touchpoint, how severe would it be? Would it be the release of a single piece of PHI, or one affecting thousands?

Given that so much data is now stored electronically, the risk of a data breach is considerably higher and security is far more complex. It needs to be noted that ignorance of any part HIPAA Guidelines is not an excuse for non-compliance. Failure to do a risk assessment, or to have conducted an adequate risk assessment that failed to identify specific vulnerabilities is, in and of itself, a fineable offense.

Given how quickly the digital landscape changes, it is important to consult an expert with experience in HIPAA related digital security. Wahaya IT Consulting can help protect your business and your patients’ PHI from HIPAA violations with a thorough risk analysis, adding data security measures, and following all security and compliance regulations. Click here to contact our team of IT Professionals!

Managing Risks: Small firms need to wake up

Managing Risks: Small firms need to wake up

You may not think too much about serious disasters. Most of us focus on the day-to-day chores of running our businesses and keeping revenues up. However, there are long term planning concerns that many firms just avoid. Those concerns are managing the risk to your business if something very bad happens. This long-term planning is called risk management and it is the dullest topic ever—until something bad happens.

Business school academics have varying definitions of risk and risk management, but for our purposes the concepts are fairly simple. Risk is the negative uncertainty that comes from any potential loss. Risk management is the collection of activities a business undertakes to mitigate, avoid, and transfer the losses that might damage the business due to some negative event.Risk management, now frequently referred to as Enterprise Risk Management, has been an area of business focus for decades. Businesses have long recognised that they need to look at the financial risks they might face if something happened to their physical assets or were confronted with major litigation. However, in the past few decades, there has been a stronger and broader focus on the entire spectrum of risks that confront a business which has begun to push the issue to the C-suite level. Unfortunately, while large businesses devote serious resources at the the highest level to managing risk to protect their organization, smaller firms often spend little or no time considering risk as an important business issue. Even smaller firms who do take the time to think about protecting against operational threats may be unlikely to consider threats that are a degree or two of separation away from their core business. That means that technology infrastructure may be ignored if, and when, business continuity and disaster recovery plans are being considered.

Background: Why is risk management gaining greater visibility? As noted, risk management isn’t new. However, the last few decades have seen the United States face two major catastrophic events: Hurricane Katrina in 2006 and the terror attacks in 2001. Both brought to the fore the consequences to businesses who are unprepared, as well as the reality that very bad things can happen.

Globalization has also shown that distance does not shield us from the consequences of far away events. The earthquake and subsequent tsunami that hit Japan in 2011 reminded manufacturers and businesses in the United States about the consequences of their reliance on long supply chains and just-in-time inventory.

Another new threat that has alerted even the smallest firms to their vulnerability is technological. For a small firm, a major man-made or natural disaster may seem too distant to distract management from day-to-day operations, but the emergence of cyber threats, ransomware, hacking and data theft has really hit home for every organization out there. Even smaller firms totally focussed on making it day-to-day are taking notice of this threat. Have you really given thought to how you would handle a disaster?

Click to contact us for more information about managing IT risks.

BYOD: Placing limits

BYOD: Placing Limits

In our recent blog, we talked about the data security concerns that BYOD can bring to your workplace. There is another factor that needs to be considered before adopting BYOD. How much Bring Your Own can your IT department support? Supporting too many different operating systems, hardware models and software versions can be a real drain on the resources of your IT staff. Supporting BYOD can become very expensive.

You will need to consider placing limits on the BYO part of the issue. There are a wide array of possible devices out there. Supporting all of them would be overwhelming. Users don’t just BYOD, they bring their own Operating System and their own software applications and all of those applications’ multiple versions. Trying to support and control an almost limitless list of entry points into your data is both unwise and impossible. IT will need to place limits on which devices and operating systems it will support.

Another point to consider is how much the company will rely on the individual user to install and upgrade company-required applications? Will IT be responsible for those duties? By placing the burden on IT, you ensure all the proper versions are being used, but you increase the labor requirement, which may become impractical.

In summary, there are a lot of issues regarding BYOD that create concerns. BYOD policies have a lot of moving parts which makes supporting them a difficult task. Make sure you are recognizing all the areas that will require IT support.

Contact us for more information on our IT support services.

BYOD can have some downsides

Employers know that employees prefer BYOD policies and that they can increase productivity. However, BYOD can have some downsides. Probably the most prominent concern among those who have to address the BYOD issue is the increased risk to data security. Obviously, the more devices you have with the ability to connect to your data, the more opportunities you create for a breach. Simply put, a house with 20 doors and 50 windows with multiple lock styles is a bit more vulnerable than a house with one door and one window.

BYOD increases risk to the organization. Data breaches bring a few layers of concern. First, the loss of proprietary data can affect your competitive status in the market. However, the real high-visibility concern is the theft of your customer’s personal data. Theft of personal data brings three serious consequences.

First, data breach laws require informing all victims of the data breach and in some cases, the media must also be informed. This public visibility can have long-lasting implications for brand value.

Second, you face a short- and long-term revenue hit. Customers angry and frustrated, as well as others who learn about the breach through social media, word-of-mouth, and traditional media sources, may move their business to the competition.

Third, data breaches can bring civil penalties. In the case of the General Data Protection Regulation (GDPR) in the European Union, these penalties can be extremely severe. ( And keep in mind, the GDPR doesn’t just apply to entities physical operating within the EU. It applies to the data of any user who is a citizen of the EU.)

In summary, given the severity of the consequences and the increased vulnerability created by BYOD, it is important to create a BYOD policy with strict parameters. It cannot be a “wild west” of anything goes.

Click here to learn more about our IT solutions.

The dark web: An introduction

The dark web: An introduction

Have you come across the term, dark web, recently? As a business, you might have heard that you need to keep your data safe from the dark web. So, what is the dark web anyway? Read on to find out…

What is the dark web?

The cybercrime landscape is evolving fast. The “Nigerian” email scams are now old. Cybercriminals are smarter and more organized now–almost functioning like professionals. In fact, there’s a sort of a parallel universe where they all operate in a very corporate-like manner. And that parallel universe is called the Dark Web.

The surface web, the deep web and the dark web

Essentially, the internet can be categorized into 3 parts.

  • The surface web, which includes your ‘regular’ websites–the kinds that just show up on web searches. For example, you type, Dog Videos and links to a bunch of dog videos on YouTube shows up. YouTube, in this case, is an example of the surface web.
  • The deep web, which shows up in web searches, but requires you to log in to view specific content. For example, your internet banking page or your netflix subscription.
  • Then comes the dark web.

The dark web is part of the internet that isn’t visible to search engines and requires the use of an anonymizing browser called Tor to be accessed. The dark web offers anonymity and hence is the hub for all sorts of illicit activities in today’s internet age. Strictly speaking, the dark web typically hosts illicit content. The kind of content that you find in the dark web include

  • Credit card details, stolen login credentials for something as serious as internet banking accounts to something as trivial as Uber or Netflix,
  • Contact details/communication platform for striking deals with hitmen, drug dealers, weapon dealers, hackers, etc.,
  • Marketplace to buy malicious codes to help corrupt or jam IT systems and even RaaS (Ransomeware as a service!)

All of the above and more, for a fee of course. In short, the dark web is like the underworld of the internet.

Interested in learning more about our dark web and cybersecurity solutions? Click here to contact us.

Adopting a BYOD policy

Employee convenience is touted as one of the primary drivers for adopting a BYOD policy. However, just because it can make life easier doesn’t mean employees don’t have serious concerns about the implementation of BYOD in the workplace. From the employee perspective, there are downsides.

One particular issue that arises with BYOD are employee’s concerns about the privacy of personal data and applications. Because these are their own devices, they have an enormous amount of personal data, including health information, photos, texts, emails and other information stored on the device. Also, apps they may have installed could potentially reveal information about their religion, politics, sexual orientation or other characteristics that they may consider private and off-limits. Concern that their employer could see their personal data is a legitimate worry; there are Human Resource implications here. Knowledge of certain data about an employee could make an employer vulnerable to discrimination laws. What about GPS tracking? Can the employer track employee whereabouts? The employer has a compelling interest to track the device in case it is lost or stolen, but the employee has similar competing concerns about privacy.

There are no absolutely correct answers here, but a perception of overstepped boundaries could lead to an atmosphere of distrust that can be counter-productive. It is also important that these decisions be made with knowledge of all applicable local, state and federal regulations. In short, just be aware BYOD is a complex matter that can’t be handled within the silo of IT.

Click here to learn more about our cybersecurity and compliance solutions.

Website cloning: Don’t fall for that trap!

Website cloning: Don’t fall for that trap!

Have you watched one of those horror movies where the something impersonates the protagonist only to wreak havoc later? Well, website cloning does the same thing–to your business–in real life. Website cloning is one of the most popular methods among scammers to fleece you of your money.

As the name suggests, the cybercriminal first creates a ‘clone’ site of the original one. There can be a clone of any website, though retail shopping sites, travel booking sites and banks are the favorites of cybercriminals. The clone site looks exactly like the original one, barring a very miniscule change in the url.

Next, they will create a trap intended to get unsuspecting victims to visit the clone site. This is usually done via links shared through emails, SMS messages or social media posts asking them to click on a link to the clone site. The message urges the recipient to take an action. For example, a message that presents itself as though it is from the IRS, asking the recipient to pay pending taxes by clicking on a specific link to avoid a fine or business shutdown, or an SMS about a time-bound discount on iPads. Sometimes, they go straight for the target and masquerade as a message from your bank asking you to authenticate your credentials by logging into your banking portal–the only glitch, the banking portal will be a clone.

Staying safe

So, how do you identify a clone website and a dubious message?

  • Does the email sound too good to be true? Well, then it probably is. Nike giving away free shoes? Emirates Airlines giving you free tickets to Europe? Apple iPhone X for just $20? All of these scream SCAM!
  • Even if the message sounds genuine, such as an email from your bank asking you to authenticate your login credentials, check the email header to see if the sender’s email domain matches your bank’s. For example, if your bank is Bank of America, the sender’s email ID should have that in the domain. Something like customercare@bankofamerica.com could be genuine, whereas, customercare@bankofamerica.net is suspicious.
  • Check the final URL before you enter any information to make sure it is the actual one. Most shopping/banking websites, where payments are made and other personal details are shared are secure (HTTPS)and will have a lock symbol at the beginning of the URL. Also, check the domain. For example, something like- www.customerauthentication.com/bankofamerica is not

Identifying a cloned website is tricky, but it is not something you can afford to ignore. Giving away your personal and financial information to a fraudster can cause a lot of harm to you and your business.

Click here to learn more about our cybersecurity and compliance solutions.

BYOD=Bring your own disaster?

BYOD=Bring your own disaster?

Workplaces today have changed. They extend beyond the working hours, beyond the cubicles. Whether you are commuting to work or even vacationing, chances are you or your employees take a break from the break to reply to those important emails that require ‘immediate action’. Plus, there may even be employees who are not even on the same continent as you. What does all this mean for your business in terms of IT security? Does BYOD translate to bring your own disaster to work? This blog explores the risks of BYOD culture and offers tips on how you can avoid them.

When you adopt a BYOD culture at your business, you are opening the virtual floodgates to all kind of malwares and phishing attacks. Your employee may be storing work-related data on their personal devices and then clicking a malicious link they received on their personal email or (even whatsapp in case of tablets or smartphones) and put your entire network at risk. Secondly, you cannot control how your employees use their personal devices. They may connect to unauthorized networks, download unauthorized software programs, use outdated antivirus programs etc,. Even something as simple and harmless as the free wifi at the mall can spell danger for your data.

What you can do?

First of all, if you have decided to adopt the BYOD culture in your organization, ensure you have a strong BYOD policy in place. It should cover the dos and don’ts and define boundaries and responsibilities related to the BYOD environment.

It also makes sense for you to invest in strong antivirus software and mandate those employees following the BYOD model to install it. You can also conduct device audits to ensure your employee’s personal devices are up-to-date in terms of software, security and firewall requirements to the extent that they are safe to be used for work purpose.

And one of the most important aspects–train your employees on the best practices related to basic data security, access and BYOD environments. This will ensure that they don’t make mistakes that prove costly to you. You can conduct mock drills, tests and certifications and provide the BYOD privilege to only those who clear your tests. You could also use positive and negative reinforcements to ensure everyone takes it seriously.

BYOD is great in terms of the flexibility it lends to both–the employer and the employee, and the trend is here to stay. It is up to businesses to ensure it helps more than it can hurt.

Click here to learn more about our cybersecurity solutions.

3 things your Managed Services Provider (MSP) wants you to know

Are you considering bringing a MSP on board? Or perhaps you already have one. Either way, for you to truly benefit from your relationship with a MSP, you need to build a solid bond with them. As a MSP who has been in this business for long, I can tell you the 3 important steps that will help you get there.

Share, share, share

Your MSP is your IT doctor. Just as you would share everything about your health with your doctor, you need to share everything related to your business that impacts your IT, with your MSP. Give us an overview of your business and answer questions such as

  • What you do exactly as a business
  • Who are your key clients
  • Which industry verticals do you serve
  • What are your peak and lull seasons, if you have them
  • What are the core regulatory codes that apply to you based on the industries you work for
  • What are your business expansion plans for the near future and in the long run

Sometimes clients shy away from discussing all these things because they don’t trust the MSP enough. There is a fear of the MSP sharing business plans and other confidential information with their competitors. As a MSP, I can tell you that we work best with clients who trust us. When you are trusting us with the lifeblood of your business–your IT infrastructure, you should be able to trust us with your plans for your business.

Let’s talk often

While it’s great that you outsource your IT completely to us, it is still important that we meet and talk. Your business needs may change over time and we don’t want to be caught off-guard. We know you are busy, but set some time aside every month or even every quarter to catch up with us and discuss your IT challenges and needs.

Take us seriously

Your IT is our business, and we take our business very seriously. So, when we tell you something, such as–to implement strong password policies, limit data access, upgrade antivirus, etc., please take notice!

Teamwork forms the core of any successful relationship. Same holds true for your relationship with your MSP.  Trust us, pay attention to us and hear us out. We’d love that…and we’d love to work with you!

Don’t make these IT mistakes as you grow!

During the course of IT consultancy, we come across a lot of clients who are not happy with the way their IT shaped up over the years. They feel their IT investments never really yielded the kind of returns they expected and come to us looking to change the trend. When analyzing the reasons for the failure of their IT investment, here’s what we come across most often.

Not prioritizing IT

This is the #1 mistake SMBs make. When focusing on growing their business, most SMBs think marketing, sales and inventory, but very few consider allocating resources–monetary or otherwise towards IT. IT is seen as a cost-center, rarely prioritized and any investment in IT is made begrudgingly.

Going for the fastest, latest or even the ‘best’ technology–which may not be the best for you

This is in contrast to the issue discussed above. Many SMBs realize the key role that IT plays in their business success. But they tend to get carried away and invest in the latest IT trends without considering whether it fits their business needs well, or if they really need it. Sometimes it is just a case of keeping up with the Joneses. But, why spend on the fastest computers or largest hard drives when you get only incremental productivity benefits?

Your team is not with you

When you bring in new technology or even new IT policies, it is your team that needs to work on it on a daily basis. If your staff is not on the same page with you, your IT investment is unlikely to succeed. So, before you make that transition from local desktops to the cloud, or from Windows to iOs or roll out that new BYOD policy, make sure you have your staff on your side.

You are not sure how to put it to good use

The lure of new technology is like a shiny, new toy. Investing in something popular and then not using it to its maximum is commonplace. Make sure you make the most of your investment in IT by providing your staff with adequate training on how to use it.

IT can seem challenging to navigate when you have to do it all by yourself. It entails steep costs when taken care of in-house. Add to that the complex task of deciding what IT investment you will benefit the most from and then training your team to use it…all of this is pretty daunting when you have to do it all by yourself. A MSP has the experience and expertise needed to be your trusted partner and guide in these challenges, helping you make the most of your IT investment.

Click here to learn more about our managed service provider solutions.