Latest Technologies, Industry Trends & Best Practices

5 Ways to Promote HIPAA Security Among Your Workforce Members

By Brand Barney, Security Analyst, HCISPP, CISSP, QSA, at SecurityMetrics

Despite advances in HIPAA security and regardless of increased government cyber security initiatives via the Department of Health and Human Services (HHS), attackers continue to steal unprotected patient data. In 2016, medical and healthcare entities accounted for nearly 37% of reported data breaches (Identity Theft Resource Center). While the cause of these data breaches varies from one organization to the next, most security professionals consider workforce members to be the weakest link in Protected Health Information (PHI) security.

To minimize your organization’s risk for a data breach, I’d like to share five things you can do to foster a culture of security among your workforce members:

  1. Create Role-Based Access Controls

Everyone has their own unique role within a healthcare organization, from receptionists to nurses to surgeons. What would happen if the receptionist decided to switch roles with the surgeon for a day? I’d say you’re heading towards a malpractice lawsuit.

The same concept applies to staff accessing PHI. The term “access control” refers to the level of access to PHI by workforce members. When establishing access control in your organization, start by defining roles (e.g., receptionist, volunteer, third party IT), then establish user privileges accordingly. Workforce members should only have access to the minimum amount of information needed for their job role.

User access isn’t just limited to your normal office staff—it applies to anyone who needs access to your systems or “behind the desk,” including the IT guy you hired to update your EMR software.

  2. Do not allow employees to share ID credentials

Each workforce member should have their own login IDs and passwords for computer, software, and physical access. For example, when using Startel Secure Messaging Plus (SM+), the IT administrator should make sure employees are given their own unique ID and password.

In some cases, employees may share ID credentials because of the convenience factor. For example, consider a doctor’s office where the receptionists, medical assistants, and doctors all share one username and password to log on to their system. Sometimes this password is even written on a Post-it note and taped to the computer screen at the reception desk. Employees need to understand that sharing ID credentials is not a safe practice, because it makes it easy for intruders, social engineers, and even disgruntled ex-employees to access sensitive information.

  3. Set up and monitor system logs

If you currently haven’t set up system logs, now is a great time to start. Event, audit, and access logging is a requirement for HIPAA compliance. System event logs contain information about actions taken on devices. For example, if I logged into my computer at 10:45AM, this event, date, and time should be recorded.

Make sure to assign someone to review your logs daily to search for errors, anomalies, or suspicious activity that deviates from normal security practices. Reviewing logs regularly can help you identify malicious attacks on your system and prevent data breaches from happening. Logs are also useful in determining the cause of a breach in the event of a forensic investigation.
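A daily log review of the kind described above, written as an added example (not part of the original post or of any Startel product), run over a few constructed workstation/EMR event lines: it flags one login ID holding sessions on two workstations at once (the credential-sharing pattern from tip 2), PHI access outside business hours, and repeated failed logins. The log format, field names, clinic hours and thresholds are assumptions for the example.

```python
"""Review constructed workstation/EMR event logs for the anomalies a daily log
reviewer should look for: one login ID used from two workstations at the same
time (a sign of shared credentials), PHI access outside business hours, and
repeated failed logins. Log format and field names are assumptions."""
from collections import defaultdict
from datetime import datetime, time

# Constructed sample log lines (not real data): ISO timestamp, then key=value fields.
SAMPLE_LOG = """\
2017-03-14T08:55:10 ws=RECEPTION-01 user=jsmith event=LOGIN_SUCCESS
2017-03-14T09:02:41 ws=RECEPTION-01 user=jsmith event=PHI_ACCESS record=MRN-0001
2017-03-14T09:05:00 ws=EXAM-03 user=jsmith event=LOGIN_SUCCESS
2017-03-14T09:06:12 ws=EXAM-03 user=jsmith event=PHI_ACCESS record=MRN-0002
2017-03-14T09:30:00 ws=EXAM-03 user=jsmith event=LOGOUT
2017-03-14T12:10:05 ws=RECEPTION-01 user=jsmith event=LOGOUT
2017-03-14T13:00:00 ws=BILLING-02 user=mlee event=LOGIN_FAILURE
2017-03-14T13:00:07 ws=BILLING-02 user=mlee event=LOGIN_FAILURE
2017-03-14T13:00:15 ws=BILLING-02 user=mlee event=LOGIN_FAILURE
2017-03-14T13:00:22 ws=BILLING-02 user=mlee event=LOGIN_SUCCESS
2017-03-14T23:41:30 ws=EXAM-03 user=drpatel event=LOGIN_SUCCESS
2017-03-14T23:42:02 ws=EXAM-03 user=drpatel event=PHI_ACCESS record=MRN-0007
"""

BUSINESS_HOURS = (time(7, 0), time(19, 0))   # assumed clinic hours
FAILURE_THRESHOLD = 3                         # assumed alert threshold


def parse_line(line):
    """Turn 'TIMESTAMP k=v k=v ...' into a dict with a datetime under 'ts'."""
    ts, *fields = line.split()
    event = dict(f.split("=", 1) for f in fields)
    event["ts"] = datetime.fromisoformat(ts)
    return event


def review_logs(log_text):
    """Return findings grouped by type; each finding is a (user, detail) tuple."""
    events = [parse_line(ln) for ln in log_text.splitlines() if ln.strip()]
    events.sort(key=lambda e: e["ts"])
    active = defaultdict(set)      # user -> workstations with an open session
    failures = defaultdict(int)    # user -> consecutive failed logins
    findings = {"shared_credentials": [], "after_hours": [], "failed_logins": []}
    for e in events:
        user, ws, kind = e["user"], e["ws"], e["event"]
        if kind == "LOGIN_SUCCESS":
            # A second concurrent session on a different workstation means the
            # same ID is being used by more than one person (or was left logged in).
            others = active[user] - {ws}
            if others:
                findings["shared_credentials"].append(
                    (user, f"{ws} while still logged in on {sorted(others)}"))
            active[user].add(ws)
            failures[user] = 0
        elif kind == "LOGOUT":
            active[user].discard(ws)
        elif kind == "LOGIN_FAILURE":
            failures[user] += 1
            if failures[user] == FAILURE_THRESHOLD:
                findings["failed_logins"].append(
                    (user, f"{FAILURE_THRESHOLD} failures on {ws}"))
        if kind == "PHI_ACCESS":
            t = e["ts"].time()
            if not (BUSINESS_HOURS[0] <= t <= BUSINESS_HOURS[1]):
                findings["after_hours"].append(
                    (user, f"{e['record']} at {e['ts'].isoformat()}"))
    return findings


if __name__ == "__main__":
    for category, items in review_logs(SAMPLE_LOG).items():
        print(category)
        for user, detail in items:
            print(f"  {user}: {detail}")
```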

  4. Ensure your devices have automatic logouts

More often than not, data breaches are a result of small, easy-to-correct things that go unnoticed. For example, computers and devices need to have an automated logout (e.g., a password-protected screensaver that pops up on a computer after a set amount of time). This helps discourage thieves from trying to steal data when employees aren’t present.

Establish no longer than a five-minute time period before the device logs off and makes information inaccessible. High-traffic areas like reception desks should probably be limited to two minutes or less.

Some solutions already have automatic logouts enabled (like Startel’s Secure Messaging Plus Solution), while other programs may require manual configuration.

  5. Conduct regular HIPAA trainings and tests

Last but certainly not least, conduct regular HIPAA trainings with your workforce members. Training will help remind your staff about security practices, showing them how to stop bad security behaviors.

It’s important that your workforce members actually absorb the information in the trainings. Make sure to establish some form of accompanying test to verify that your HIPAA trainings are being retained and that the money you spent on training is not going to waste. Some organizations may be tempted to just “check the box” when it comes to HIPAA compliance, but true data security requires that your employees be knowledgeable about HIPAA best practices.


By following these 5 tips, your workforce members will be better prepared to defend your organization against cyber criminals. Remember, it only takes one weak link to break a chain, so make sure employees know security best practices and take HIPAA compliance seriously.

Brand Barney (CISSP, HCISPP, QSA) is a Security Analyst at SecurityMetrics, and has over 10 years of data security experience. For more information about HIPAA compliance and data security, visit www.securitymetrics.com.

Dispelling 6 Misconceptions about the Cloud. Myth 6: Too Significant to Outsource Control

In the sixth and final week of our series debunking cloud myths, we take on the misconception that the Cloud is too significant to outsource control. While outsourcing will result in less control from a technical standpoint, the business ease and financial savings will continue to increase the usage of these services.

MYTH: Too Significant to Outsource Control.

FACT: When considering implementing a cloud-based solution, most people tend to think they will have to give up control of their organization to their cloud vendor. From a technical standpoint this is in part true, as your cloud provider becomes responsible for implementing, maintaining and updating your hardware and software. However, it is the client who continues to manage his/her organization and its day-to-day operations, including routing calls, setting up accounts, assigning privileges, etc., using their administrator login. When selecting a cloud provider, it is important that you choose one who you view as a partner and trust to manage your IT resources. Giving up some control may be a good thing, especially when you have a trusted partner to focus on the technology pain points of your business. And in turn, you will be able to concentrate on other areas of your business that add value.

Thank you to those that kept up with our blog series, Dispelling 6 Misconceptions about the Cloud, over the past 6 weeks. We hope you enjoyed reading it, and learned a thing or two along the way. Designed for small and mid-size organizations, Startel’s Cloud Contact Center Solution enables customers to access our entire suite of products and applications and communicate with their customers any time, on any device, anywhere in the world, via an Internet connection. To learn more about Startel’s Cloud Contact Center solution, visit our website or contact us at sales@startel.com.

Dispelling 6 Misconceptions about the Cloud. Myth 5: Cloud is a Fad

There has been a lot of hype around the word ‘cloud’. In fact, wherever you go, and no matter what type of technology you stumble across, there now seems to be a ‘cloud’ version of it. In the fifth week of our 6-week series addressing the myths/misconceptions related to the cloud, we examine the myth that the Cloud is a Fad. According to industry analysts and experts, forget fad. The Cloud is real, it’s here and it’s growing!

MYTH: Cloud is a Fad.

FACT: Cloud is here to stay, and according to Gartner it is accelerating quickly and globally. Based on their 2011-2017 forecast, Gartner expects adoption to hit $250 billion by 2017[2]. And the McKinsey consulting firm forecast that cloud technology could have an economic impact of $1.7 trillion to $6.2 trillion by year 2025[2].

While its terminology has changed in recent years, and the ways in which the technology is being used have evolved, the concept of cloud computing dates back to the early 1960s, when computer scientist John McCarthy discussed it at MIT’s centennial celebration[3]. Once the Internet matured, the vision of cloud computing became a reality when Salesforce.com began delivering applications through a website in the late 90s. Since then, employing private clouds has become a proven and established service, and if the experts prove to be correct, it is only a matter of time before most organizations have “gone to the cloud.”

Bottom line: The movement to cloud-based platforms is inevitable. Even cloud deniers need to come around to the fact that the way we’ve been doing computing in the last 30 years is changing. Core applications, computing, storage, and other IT services will continue to move to public clouds. Although the migration will be slow, it will be steady.

Next week we wrap up our six-week series with our final myth: ‘The Cloud is Too Significant to Outsource Control.’ In the meantime, we look forward to hearing from you! Please post your comments.

[2] http://thoughtsoncloud.com/2014/05/future-cloud-computing-5-predictions/
[3] http://www.washingtonpost.com/opinions/five-myths-about-the-cloud/2014/01/03/dd826052-7191-11e3-8b3f-b1666705ca3b_story.html

Dispelling 6 Misconceptions about the Cloud. Myth 3: Cloud is Not Reliable

This week, the third week of our 6-week series addressing the myths/misconceptions associated with the cloud, we take on Myth 3, which revolves around the reliability of the cloud.

MYTH: Cloud is Not Reliable

FACT: While notable outages have been well documented in recent years, businesses that are using the cloud prove to be more reliable than other types of infrastructure platforms. Defined processes, advanced 24/7 monitoring capabilities and expert system administration all help contribute to uptime guarantees. In fact, most cloud providers offer a 98-99% SLA and have invested heavily in infrastructure and support to ensure high levels of performance and availability. With cloud solutions, data can be backed up to multiple locations and services, providing an added level of protection.

Studies by Microsoft and others have confirmed that when businesses shift to the cloud, they see improved service availability[1]. A 2013 study released by Microsoft Corporation found that SMBs that use cloud services have experienced the following advantages[1]:

– 94% have gained security benefits they did not have with their former on-premise technology, such as up-to-date systems, up-to-date antivirus and spam email management
– 62% have seen increased levels of privacy protection
– 75% have experienced improved service availability

The real silver lining in cloud computing is that it enables a higher level of reliability at a fraction of the cost.

Next week we will look into the myth that the ‘Cloud Cannot Scale for Large Organizations.’ In the meantime, please post your comments. We look forward to hearing from you!



Dispelling 6 Misconceptions about the Cloud. Myth 2: Cloud is One Size Fits All

Over the course of the next 6 weeks, I am taking on many of the myths/misconceptions associated with the cloud. Here is Myth 2; please post your comments!

MYTH 2: Cloud is One Size Fits All

FACT: When it comes to the cloud, there is no such thing as a cookie-cutter solution. The idea that software in the cloud is not customizable is one that has been perpetuated by premise-based software vendors and is frankly not true. The inherent flexibility of the cloud means that organizations can have greater control and customization of their contact center solutions. Satellite offices can manage their own locations, while sharing the same technology platform across the whole organization and still benefit from centralized management. Predefined access rights enable individuals to see only the information that pertains to their permissions/role. Today’s cloud vendors offer a wide range of deployment options, service models and features to meet their clients’ requirements and needs. Be sure that the cloud vendor and cloud solution you select matches your organization’s needs and industry’s requirements.

Next week we will look into the myth that the ‘Cloud is Not Reliable,’ which studies by Microsoft and others have confirmed to be quite untrue. In the meantime, please post your comments. We look forward to hearing from you!



Dispelling 6 Misconceptions about the Cloud. Myth 1: Cloud is Not Secure

Cloud services and cloud platforms have become an undeniable part of the IT landscape. However, while the shift from traditional software models to the Internet has steadily gained momentum over the last several years, “the cloud” is still a fairly new concept. And like all things new, it comes with some concerns and uncertainty. Over the next 6 weeks, I will do my best to debunk some of the top misconceptions/myths associated with the cloud, including:

1. Cloud is Not Secure
2. Cloud is One Size Fits All
3. Cloud is Not Reliable
4. Cloud Cannot Scale for Large Organizations
5. Cloud is a Fad
6. Cloud is Too Significant to Outsource Control

If you have a concern about the cloud that is not listed above, please mention it here and give us the opportunity to address it.

When the cloud is done right, it fundamentally changes how companies and entire industries operate along with how customers engage and purchase products and services.

MYTH 1: Cloud is Not Secure

FACT: Security threats in the cloud are no greater, and in many cases much less common, than those faced by on-premise systems. When selecting a cloud provider, do your due diligence and ensure that your cloud vendor will host your contact center, and sensitive information, on a single-instance cloud platform or dedicated hardware serving only your organization. Also ensure that the proposed cloud solution includes secure and redundant remote cloud servers protected by Tier III, SSAE16 data centers. Lastly, confirm that your center will be managed in a stable, PCI, HIPAA, GLBA and SOX compliant environment. Any reputable cloud provider will also provide clients with the following services:

– A dedicated team of IT experts
– Full compliance with industry and regulatory standards
– Regularly scheduled third-party security audits
– Automatic hardware and software updates

Next week we will take on the myth that the ‘Cloud is One Size Fits All’, which could not be further from the truth. In fact, the inherent flexibility of the cloud means that organizations can have greater control and customization of their contact center solutions. In the meantime, please post your comments. We look forward to hearing from you!

In the World of Mobile Messaging Applications, there are NO Privacy Guarantees

On Thursday 8 May 2014, the Federal Trade Commission (FTC) settled charges with mobile messaging application maker Snapchat. As the Wall Street Journal article reports, the gist of the alleged infractions (which were neither admitted nor denied by Snapchat) all relate to misleading consumers in one of three ways:

1. “By telling them (consumers) that messages would disappear.”
2. “Misrepresenting its (Snapchat’s) data collection practices.”
3. That Snapchat “didn’t adequately protect users’ personal data.”

I am not a lawyer, nor do I want to comment directly on the misfortunes of Snapchat, who have now been ordered to implement a new comprehensive security program and agree to 20 years of monitoring by the FTC (an eternity in the technological world). I only bring this situation up as a discussion point about 1) what a technology company can and cannot guarantee users, and 2) what users of technology should look for in an application provider.

Working for technology companies for the last 25 years, I have seen many amazing changes occur in rapid fashion. We have gone from completely locked down proprietary systems where no Internet existed, to today’s cloud-based unified communications, where a 7-year-old can operate a smartphone to access an application that is maintained halfway around the world. As technology becomes more invasive in our lives, privacy issues are bound to increase exponentially. Perhaps part of the allure of today’s secure messaging trend is a direct backlash against broadcast technology, which has been so popular during the last few years. There seems to be a tug & pull between several technology trends: broadcast media vs. directed media; permanent vs. ephemeral content; data collection in order to serve up targeted online ads vs. temporary communication; contextual based communication vs. non-contextual communication; paid vs. free applications, and finally privacy vs. public disclosure. 

I cannot help but feel sorrow for a technology company that builds and launches (often for free) a great product that satisfies the needs of the vast majority of their users, but still gets slammed by the small minority, who complain to the Federal Government (in this case the FTC). Keep in mind, these users chose to use the product in the first place! The take away may be that technology companies need “full disclosure” of what their applications can and cannot do (explained in layman’s terms), and in addition they need to be up front with any information they gather on their users. The old adage that “nothing is free” may apply here. After all, how could Snapchat provide a product for free with no strings attached?  How could anyone for that matter? Perhaps users should look to technology companies that charge small fees for usage of their applications, but also fully disclose the application’s capabilities and limitations as well as if/how they handle customer information.

For instance, is making a claim that content will disappear guaranteed 100% of the time even a viable promise? Most people know that if you want to capture a screen on an Apple iPhone you push down on the “Hold Button” and while holding it down, you push down the “Home Button.” Most any message, or photo, sent to an iPhone user is susceptible to being copied and kept. Even if a technology company creates a product where the normal “screen capture” as described above does not work – what is to stop the recipient of a message whose content is meant by the sender to be private, from using a digital camera or secondary smartphone and taking a picture, or movie, of the screen and making it public? My point is there are myriad ways for the recipient of any form of media to copy and keep what is sent to them. There are even 3rd party programs specializing in thwarting “disappearing” messages and images.

Let’s assume in a professional business environment/setting the recipient and sender’s goals are aligned. In other words, the sender and receiver both want the text, photo, and/or video to disappear once they have reviewed it. If this is true, then most smartphone applications that promise privacy will be able to deliver. It is in the event that both senders’ and recipients’ goals are not aligned that we need to prepare for. What users need to know is that there is no 100% guarantee that text, images, and/or videos will disappear as intended by the sender, especially if the recipient’s goals are opposing or immoral. No technology vendor will be able to anticipate and prevent every unintended consequence of the use of their technology. Common sense by users should prevail.

In regards to what technology users should look for in an application provider, I would start with the belief that users of technology and those that create technology are partners. Partnerships will only be viable if there is a foundation of kindness, respect and honesty. So how does one determine if a technology company is a viable partner? Begin by excluding any companies that have proven they are not reliable partners. Review potential partners’ privacy policies and ensure that they adhere to them and that you agree with them.

Another strength of the technology revolution is that users of technology have choices – they can vote with their feet, e.g., move to another application. In addition, and as mentioned above, nothing is free, so perhaps look for a technology provider/partner that charges a reasonable fee and clearly states realistic expectations in their privacy policy. For example, if you are looking for a secure messaging technology provider, ensure that their Privacy Policy states that all content on both servers and devices (smartphones) is encrypted to a certain level, encrypted during transmission through SSL, but that the vendor cannot guarantee content is not abused by recipients of that application. By being upfront and honest, the user knows the technology company’s privacy status and is well aware of what they are signing up for.

Lastly, look for a technology provider who promises their sole source of funding is from the proceeds derived from sales by users of their technology and that they never share information with any 3rd parties at any time. They may charge users a small fee to use the application, but these days a small fee seems well worth the privacy it may buy. Just ask Snapchat.

HIPAA in the Contact Center: PHI and Encryption

To ensure that your organization and your clients are acting in accordance with the HIPAA Security Rule as it relates to ENCRYPTION of ePHI, I did some extensive research and found a resource written by the American Medical Association titled “HIPAA Security Rule: Frequently asked questions regarding encryption of personal health information.” The document addresses a number of questions among physicians and other health care professionals as well as other HIPAA-covered entities and business associates. Consider the points below as they relate to your usage of ePHI:

To Begin With, What Information Should You Encrypt?

Any systems and individual files containing PHI/ePHI should be encrypted. Examples include electronic medical records, claims payment appeals, scanned images, emails containing ePHI, etc.

Emails containing ePHI. If you or your clients (physicians) correspond with health insurers or other health care professionals via email and those emails contain ePHI, then you could be accused of failing to protect ePHI for which you are responsible.

Encrypt all devices containing ePHI. Passwords are not enough, especially in the event that a hard drive was removed from a laptop containing ePHI. All devices that contain ePHI, including laptops, PCs, smartphones and tablets, need encryption technology, preferably “whole disk encryption” technology.

If ePHI is accessed via the Internet, encrypt those sessions. Since data that is published on the Internet is available to the public, you need to check with your Web service provider to ensure that any PHI that travels across the Internet is protected by secure sockets layer (SSL) or similar technology.

Encrypt any other remote access sessions. If you have a situation in which physicians/staff connect to the home office remotely to read email or access other resources containing ePHI, then this access may constitute a vulnerability to unauthorized snooping. It is important that these sessions be conducted using encrypted tunnels, or VPNs.

What Happens If a Security Breach Occurs at an Organization That Uses Encryption Technology?

If the ePHI is stored and transmitted in encrypted form, then you do not need to notify patients. This only applies to HIPAA-covered entities and business associates that use encryption technologies that render ePHI unusable, unreadable, or indecipherable to unauthorized individuals.

How do Startel’s Solutions Help Organizations Protect ePHI?

Businesses that handle sensitive information are not only morally obligated to protect the sensitive, private and personal information of their clients; they are legally obligated to do so. Startel’s Encrypted Email Service enables compliance with HIPAA by utilizing the Secure/Multipurpose Internet Mail Extensions (S/MIME) encryption protocol. This protocol converts email messages from a readable plaintext format to a scrambled ciphertext format. Only the recipient using the private key that matches the public key used to encrypt the email message can decipher the message. If someone intercepts the message without access to the private key, the email message would appear only as garbled text.

The private and public keys are the means for both encoding and decoding email messages. Essentially the unique private/public key acts as a distinctive digital signature bound to a particular email address.

In addition, the Startel Encrypted Email Service is encoded utilizing the Advanced Encryption Standard (AES) 128-bit block size. This level of cryptography ensures security is maintained for all encrypted messages. Any attempt to “break” an encrypted message secured at 128-bit encoding would take billions of years to try every possible combination.
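The public-key/private-key model the two paragraphs above describe, as an added example (not Startel’s code and not the S/MIME message format itself): the body is encrypted under a one-time AES-128 key and that key is wrapped with the recipient’s RSA public key, which is the hybrid pattern S/MIME follows. It assumes the third-party Python `cryptography` package; the sample message is constructed.

```python
"""Hybrid public-key email encryption in the style the post describes: the body
is encrypted with a fresh AES-128 key, and that key is wrapped with the
recipient's RSA public key, so only the matching private key can recover it.
Same pattern as S/MIME, simplified; it does not emit real S/MIME (CMS) messages.
Requires the third-party 'cryptography' package."""
import os
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa, padding
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

OAEP = padding.OAEP(mgf=padding.MGF1(algorithm=hashes.SHA256()),
                    algorithm=hashes.SHA256(), label=None)


def generate_recipient_keypair():
    """Each mailbox gets its own key pair; the public half is shared with senders."""
    private_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    return private_key, private_key.public_key()


def encrypt_message(public_key, plaintext: bytes) -> dict:
    """Sender side: AES-128-GCM under a one-time key, key wrapped with RSA-OAEP."""
    session_key = AESGCM.generate_key(bit_length=128)   # 128-bit AES key, as in the post
    nonce = os.urandom(12)                              # fresh nonce per message
    body = AESGCM(session_key).encrypt(nonce, plaintext, None)
    wrapped_key = public_key.encrypt(session_key, OAEP)
    return {"wrapped_key": wrapped_key, "nonce": nonce, "body": body}


def decrypt_message(private_key, envelope: dict) -> bytes:
    """Recipient side: unwrap the session key with the private key, then decrypt."""
    session_key = private_key.decrypt(envelope["wrapped_key"], OAEP)
    return AESGCM(session_key).decrypt(envelope["nonce"], envelope["body"], None)


def can_decrypt(private_key, envelope: dict) -> bool:
    """True only for the key pair the message was addressed to; any other key fails."""
    try:
        decrypt_message(private_key, envelope)
        return True
    except Exception:   # OAEP unwrap with the wrong private key raises ValueError
        return False


if __name__ == "__main__":
    recipient_priv, recipient_pub = generate_recipient_keypair()
    intruder_priv, _ = generate_recipient_keypair()
    # Constructed sample message; not real patient data.
    msg = b"Patient MRN-0001: lab results attached"
    envelope = encrypt_message(recipient_pub, msg)
    print("body on the wire (hex, truncated):", envelope["body"].hex()[:32], "...")
    print("recipient decrypts:", decrypt_message(recipient_priv, envelope) == msg)
    print("intruder key decrypts:", can_decrypt(intruder_priv, envelope))
```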

Users of Startel’s Encrypted Email Service have peace of mind knowing that their messages remain secure and private during transmission and storage.

In my third blog post of this topic, I will address how Startel’s Secure Messaging application handles ePHI and specifically, how it complies with HIPAA.

Source: http://www.ama-assn.org/resources/doc/psa/hipaa-phi-encryption.pdf
