If you are in the health care business, chances are you have heard the phrase “HIPAA Compliance” before. However, what you may not know is how important HIPAA Compliance truly is for your business, or even what HIPAA Compliance is. No need to worry; Hammett Technologies is here to help!

What is HIPAA Compliance

HIPAA, the Health Insurance Portability and Accountability Act, is a set of rules and restrictions established to outline the lawful use and disclosure of Protected Health Information (PHI).

*A more detailed outline of HIPAA can be found here: https://www.hammett-tech.com/how-we-protect-you/hippa-compliance/

Why Being HIPAA Compliant Is Important

If you are in the healthcare business, there are numerous reasons you should be HIPAA Compliant. From lawsuits to fines from the government, HIPAA Compliance is to be taken seriously and followed completely. Some of the most important reasons to be HIPAA Compliant are:

Fines

Fines for not meeting HIPAA Compliance have increased substantially. The caps on these fines have increased from $25,000 per year to $1,500,000 per year. Furthermore, if you ignore HIPAA Compliance and encounter a breach or receive a complaint, your business can be investigated for breaches, compliance failures, and other issues, which can lead to further fines.

Other Organizations

Other organizations that work with you are most likely HIPAA Compliant themselves, especially if they are larger corporations. Each Business Associate or Covered Entity your healthcare business works with must follow the HIPAA Privacy and Security Rules. This, in turn, means that if your business is not HIPAA Compliant you will lose their assistance, as well as lose business in general.

Blacklisted

If a breach does occur, and the breach affects the Protected Health Information of more than 500 individuals, your business is required by law to report it to the Health & Human Services Department, as well as to the public and the media. Other companies will not hold back from comparing their HIPAA Compliant organization to yours, stealing business both now and in the future.

If you are fearful that you do not meet all the HIPAA guidelines and regulations, or are having trouble understanding HIPAA Compliance and how to become compliant, call Hammett Technologies! We have a devoted, professional IT team that can help you meet all HIPAA requirements stress free. HIPAA Compliance is essential for any business that handles Protected Health Information. Hammett Technologies will ensure that your business meets every requirement.
Computers around the world are continually generating records of the events that occur on them. While some of these events are routine checks, others are hostile, aimed at gaining access to or even destroying your network. However, by checking and reviewing the log files, you can stay on top of these issues. From malware, damage, and loss to legal liabilities, log files contain all the day-to-day information about your network. Therefore, it is important to practice event log management daily. Log data must be collected, stored, analyzed, and monitored to meet and report on regulatory compliance standards like PCI and HIPAA.

WHY LOG MANAGEMENT IS IMPORTANT

Every transaction and event that takes place on a machine on your network generates a log entry. Microsoft-based systems use Windows Event Log files. When working on Windows, monitoring the event logs is crucial. All Windows Event Log files contain crucial information, but of all of them, the Security Log is the most important. The Security Log records logon events as well as what each user is doing. It is vital that your IT security team understands the Windows Security Log in order to spot a vulnerability or attack accurately. However, this information can be overwhelming and exhausting to look through. If you use an Event Log Management tool, you can navigate through log files accurately and precisely, allowing you to find the single record that points to an issue. Event Log Management is a crucial component in ensuring security and compliance, and it is essential to review all logs.

SECURING THE CASTLE

The top priority for any company should be security: keeping the company safe from outside attacks that aim to compromise customers’ data, exploit employee data, or crash a company’s server. However, attacks from the inside are just as real and can cause catastrophic damage. This is not to say that keeping your network safe from the outside is any less important, but you must be mindful of an attack from the inside. Perhaps you have an employee who is curious about financial records and wants to start drama among the workers, or an employee who is upset about being declined a promotion or pay increase and wants to delete years of data. These employees can create a backdoor into the network or give themselves admin privileges, attempting to fly under the radar of security. However, if you have a well-established Event Log Management (ELM) strategy, you can monitor these internal attacks accurately and stop them before they turn nuclear.

PCI-DSS AND HIPAA COMPLIANCE

The Payment Card Industry Data Security Standard (PCI-DSS) applies to IT professionals that handle consumers’ credit card data. Any business that claims PCI compliance has to be able to show compliance in its yearly audit. If it is discovered that they are not compliant, they can be denied the ability to process and store credit cards. HIPAA requires a reliable audit trail to protect the personal data of all medical patients. HIPAA has two significant rules: Privacy and Security. Medicaid and Medicare require not only building an IT infrastructure and strategies to protect against threats to personal information, but also preparations for investigating security breaches should they occur. Furthermore, you must be able to provide enough information to establish what events occurred, when they occurred, and what or who caused them.

Ways to Manage Events and Logs

There are numerous ways to go about handling the logs for your networks, and WhatsUp Gold offers some of the best ways to do so:

1. Define your Audit Policy Categories

Audit policies in Windows determine which security events are recorded in your company’s Security Log. With Microsoft Windows NT systems, audit policies have to be put in place manually on each server and workstation. However, Windows 2000 and 2003 Active Directory domains allow for Group Policy, which enables you to set universal audit policies for groups of servers and even the whole domain.

2. Log Records Are Merged Automatically

By default, logging is decentralized: Windows event logs and Syslog files each record their own activity locally. However, if you want to gain a “big picture” view of what is going on within your network, admins in charge of security and compliance need to be able to merge Windows event logs and Syslog files into one view in order to monitor, analyze, and report thoroughly.

It is necessary that you maintain your log data! Many compliance standards require data to be stored for up to seven years. However, if you automate the process, life becomes much easier. Automation can assist in data retrieval and the longevity of log data. It is important to remember: archived logs must be readily obtainable, and automation helps reduce the risk of corruption. The larger the company, the more users and machines. With more users and machines comes an increase in bandwidth and network traffic, which will only further complicate the log files. Automation can greatly assist in making sure all data is collected. Usually, administrators use an event log management tool to record log event data from the servers and workstations. Make sure you find an event log management tool that supports a method to re-import collected log files into the database if they are needed.

3. Event Monitoring, Real-Time Alerts & Notification Policies

While your company may have most, if not all, Windows-based machines, it is important to branch out from the Windows event log monitoring system. Consider using Syslog as well: it is supported by switches, routers, firewalls, and IDS, as well as by UNIX and Linux based systems. Most products that perform real-time scanning and monitoring of logs require the use of an agent. However, if you can find a software package that can be used without an agent, go for it. This avoids many issues upon initial setup and during continued maintenance. Every company has a different classification of what it finds important and what it wants to be listed in the logs. The one security research
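As an added example (not from the original article or from WhatsUp Gold), the following shows what step 2 and the insider scenario above look like in practice: a Windows Security log export and a Linux syslog file are merged into one timeline, and the timeline is checked for an actor who creates an account and then grants it administrator group membership. Host names, user names and the Key=Value export format are constructed, and the syslog year is an assumption, since syslog lines carry none.

```python
import re
from datetime import datetime, timedelta

# Constructed sample data (not from a real network): a Windows Security export and a Linux syslog file.
WINDOWS_EVENTS = [
    "2024-03-04T09:14:51 EventID=4720 Host=WS-17 Subject=jdoe Target=svc_backup",
    "2024-03-04T09:15:10 EventID=4732 Host=WS-17 Subject=jdoe Target=svc_backup Group=Administrators",
]
SYSLOG_LINES = [
    "Mar  4 09:16:22 fileserver sshd[2211]: Accepted publickey for jdoe from 10.0.0.17",
    "Mar  4 09:17:05 fileserver sudo: jdoe : USER=root ; COMMAND=/usr/sbin/usermod -aG sudo svc_backup",
]
ACCOUNT_CREATED = "4720"               # Windows Security: a user account was created
GROUP_MEMBER_ADDED = {"4728", "4732"}  # member added to a global / local security group
ADMIN_GROUPS = {"Administrators", "Domain Admins", "sudo", "wheel"}
SYSLOG_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) (\S+) (\w+)(?:\[\d+\])?: (.*)$")

def parse_windows(line):
    ts, rest = line.split(" ", 1)
    f = dict(kv.split("=", 1) for kv in rest.split())  # flatten Key=Value fields into a common record
    return {"ts": datetime.fromisoformat(ts), "host": f.get("Host"), "event": f["EventID"],
            "actor": f.get("Subject"), "target": f.get("Target"), "group": f.get("Group")}

def parse_syslog(line, year):
    """Syslog lines carry no year; the caller supplies it from the file's metadata."""
    stamp, host, prog, msg = SYSLOG_RE.match(line).groups()
    rec = {"ts": datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S"), "host": host,
           "event": prog, "actor": None, "target": None, "group": None}
    if prog == "sudo" and "COMMAND=" in msg:  # sudo logs '<user> : ... ; COMMAND=<argv>'
        rec["actor"], cmd = msg.split(" : ", 1)[0], msg.split("COMMAND=", 1)[1].split()
        if cmd[0].endswith("usermod") and "-aG" in cmd:  # usermod -aG <group> <user>
            i = cmd.index("-aG")
            rec["event"], rec["group"], rec["target"] = "usermod", cmd[i + 1], cmd[i + 2]
    return rec

def merge(windows, syslog, year):
    recs = [parse_windows(l) for l in windows] + [parse_syslog(l, year) for l in syslog]
    return sorted(recs, key=lambda r: r["ts"])  # one time-ordered timeline across both sources

def find_self_provisioned_admins(timeline, window=timedelta(minutes=15)):
    """Flag an actor who creates an account and soon after grants it admin group membership."""
    created, alerts = {}, []  # target account -> (actor, time) of its creation event
    for r in timeline:
        if r["event"] == ACCOUNT_CREATED:
            created[r["target"]] = (r["actor"], r["ts"])
        elif (r["event"] in GROUP_MEMBER_ADDED or r["event"] == "usermod") and r["group"] in ADMIN_GROUPS:
            c = created.get(r["target"])
            if c and c[0] == r["actor"] and r["ts"] - c[1] <= window:
                alerts.append((r["ts"].isoformat(), r["host"], r["actor"], r["target"], r["group"]))
    return alerts
```

On the sample data the check fires twice for the same actor, once for the Windows Administrators group and once for the Linux sudo group, which is exactly the cross-source correlation a single-platform view would miss.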
At Hammett Technologies, we cannot stress enough how important it is that you have proper security in place to protect your company and personal information from potential attacks. Most malware today is designed to steal sensitive information from a victim’s computer, making healthcare providers high-priority targets.

Cyber security experts in Israel recently hacked into a local hospital, changing CT and MRI images of patients, either adding or removing cancerous growths. While this attack was simulated, by using algorithms the cyber security researchers were able to accurately remove and add cancerous growths. These edited images caused doctors, as well as the hospital’s own AI-assisted tools, to misdiagnose over 90% of their patients. This attack was meant to spread awareness of the vulnerability of not just hospitals, but all healthcare providers. If hackers were to replicate this attack, the consequences would be massive. This type of attack could lead someone to believe they have cancer or, worse, lead someone to die believing they do not. Furthermore, this kind of attack could go hand in hand with ransomware. If attempting to steal money from the hospital, a hacker could infect the machine with ransomware, “…holding the medical imagery hostage,” stated the cyber security team.

It is important to understand that this issue does not relate to just hospitals, but to all healthcare providers. If your company handles sensitive information, your company is being watched by hackers. Therefore, it is vital that you take steps to ensure that customer information is safe:

Ensure that all HIPAA requirements are met, for both your company’s safety and your customers’.
Ensure firewalls are in place and are regularly updated and maintained.
Lock down the network and all devices with strong passwords (8+ characters, symbols, numbers).

If you are worried about your company’s compliance or safety, give Hammett Technologies a call! We can give you a free assessment and let you know where you stand against potential threats. When you partner with Hammett Technologies you don’t become a client, you become family.

Sources: https://arxiv.org/pdf/1901.03597.pdf