Archives for arozell

2018 – The Year For Employee Security Training

As per Nationwide’s annual survey released Monday, nearly 60 percent of small businesses were the victims of a cyberattack in 2017, but the vast majority didn’t realize that they had been attacked. When this insight is coupled with a report this week that a database containing over 1.4 billion stolen username/password combinations has been seen on the dark web and is being used by criminals, it is truly alarming.

When you consider that IBM stated that 95% of data breaches are caused by human error, it’s never been more important for companies to invest in employee security training. But it’s not just private companies: state and local municipalities, schools, etc. are also under cyberattack, and their employees, staff and teachers need security training as well.

InfoTech Innovators believes that employee security training can be convenient, flexible and affordable. Our PII Protect Employee Security Training offers a self-paced portal, certificates of completion, video tutorials on security topics and more.


Contact us today


Hackers are targeting small and medium size businesses

Hackers are a constant. Exploits, security holes and attack vectors are changing daily, giving hackers greater opportunities to break in. Every small and medium size business should be executing network vulnerability scans regularly, in addition to fortifying its cyber security posture in general (e.g. antivirus, security education, applying manufacturer software updates/patches, etc.).

Hackers are targeting small and medium size businesses. Small and medium size businesses sometimes feel that they aren’t likely to be a target due to their size and that hackers couldn’t possibly be interested in what they do – but in reality the exact opposite is true. Hackers prey on the knowledge that small businesses tend to have lower defenses than larger organizations, usually due to a lack of financial and human resources. By their very nature, thriving small businesses are innovative and niche, which again is very attractive to the bad guys, who may be interested in customer data and intellectual property and know exactly how to pick out the weak targets. Burying your head in the sand may save money in the short term, but the cost of being hacked can range from minor inconvenience to reputation damage, loss of customer data, fines and ultimately company closure.

There are a few prevailing “false narratives” that many small and medium size businesses dangerously believe.

  • Many believe that because they hired a company to install a website, a network, computers or software, this magically makes them secure forever (or that a third-party company is somehow responsible for ongoing security without a contract that says so).
  • Many believe that their in-house IT technicians are performing proactive security issue discovery. Many technicians are very good at what they do, but assuming they have the time and skill to perform proactive security technology auditing can be a dangerous assumption.

InfoTech Innovators offers internal and external network vulnerability scanning services that inspect the potential points of exploit on computers, servers and networks to identify security holes. A vulnerability scan detects and classifies system weaknesses in computers, networks and communications equipment and predicts the effectiveness of countermeasures. Armed with the vulnerability report our service produces, a small business can then take steps to fortify its network security technology posture.

As referenced in this article on Forbes.com: “More than half (55 percent) of the nearly 600 small- and medium-sized businesses surveyed by the Ponemon Institute reported being hit by a cyber attack in the past year, and 50 percent said they experienced a data breach involving customer and employee information over the same time period. It cost these companies an average of $879,582 in damage to or theft of IT assets and an average of $955,429 due to the disruption of operations, according to Ponemon’s ‘State of Cybersecurity in Small and Medium-Sized Business,’ which was released in June 2016.”

Contact InfoTech Innovators today and learn how we can help!

InfoTech Innovators

InfoTech Innovators – Best of Toms River Award for 2017

InfoTech Innovators LLC is among a very small group of companies that have won the Best of Toms River Award for four consecutive years.

The Toms River Award Program recognizes those companies that have shown the ability to use their best practices and implemented programs to generate competitive advantages and long-term value. These local companies enhance the positive image of small business through service to their customers and our community. The Toms River Award Program was established to recognize the best of local businesses in our community. Our organization works exclusively with local business owners, trade groups, professional associations and other business advertising and marketing groups. Our mission is to recognize the small business community’s contributions to the U.S. economy.

InfoTech Innovators LLC Receives 2016 Best of Toms River Award

Press Release

FOR IMMEDIATE RELEASE

InfoTech Innovators LLC Receives 2016 Best of Toms River Award

Toms River Award Program Honors the Achievement

TOMS RIVER February 23, 2016 — InfoTech Innovators LLC has been selected for the 2016 Best of Toms River Award in the IT Business and Solutions Consultant category by the Toms River Award Program.

Each year, the Toms River Award Program identifies companies that we believe have achieved exceptional success in their local community and business category. These are local companies that enhance the positive image of small business through service to their customers and our community. These exceptional companies help make the Toms River area a great place to live, work and play.

Various sources of information were gathered and analyzed to choose the winners in each category. The 2016 Toms River Award Program focuses on quality, not quantity. Winners are determined based on the information gathered both internally by the Toms River Award Program and data provided by third parties.

About Toms River Award Program

The Toms River Award Program is an annual awards program honoring the achievements and accomplishments of local businesses throughout the Toms River area. Recognition is given to those companies that have shown the ability to use their best practices and implemented programs to generate competitive advantages and long-term value.

The Toms River Award Program was established to recognize the best of local businesses in our community. Our organization works exclusively with local business owners, trade groups, professional associations and other business advertising and marketing groups. Our mission is to recognize the small business community’s contributions to the U.S. economy.

SOURCE: Toms River Award Program

Hackers Hold Hollywood Hospital’s Computer System Hostage, Demand $3.6 Million

“Hackers have taken the computer system of the Hollywood Presbyterian Medical Center hostage, demanding 9,000 Bitcoin or $3.6 million… Also, some patients had to be transferred to other hospitals, as some of the medical equipment that needs computers at the Hollywood Presbyterian Medical Center was rendered inoperable, including apparatuses for X-ray and CT scans, documentation and pharmacy and lab work.”

Below is the link to the article on Tech Times:

http://www.techtimes.com/articles/133874/20160216/hackers-hold-hollywood-hospital-s-computer-system-hostage-demand-3-6-million-as-patients-transferred.htm

Having a security- and customer-focused culture in healthcare is paramount. Security training, technology, procedures, policies, etc. are not just a static “HIPAA security assessment audit check mark”; they have to be a way of doing business each and every day for a healthcare provider. InfoTech Innovators’ HIPAA Risk Assessment Service can help a healthcare provider perform its required HIPAA Risk Assessment, and our knowledgeable technical staff can point out client areas requiring better security training, technology and services and help clients implement these for their organization.

Ransomware is typically spread via phishing email attacks and downloads. General phishing scams attempt to trick recipients into responding or clicking immediately by claiming they will lose something (e.g., email, bank account). Such a claim is always indicative of a phishing scam. “Spear phishing” is more specific and can target (or be tailored to) specific individuals, roles, or organizations.

Below is a great link from the University Of Indiana that offers some basic information on how to spot phishing.

https://protect.iu.edu/online-safety/personal-preparedness/email-phishing.html

HIPAA Business Associates, BAAs and CEs: $3.5M HHS-OCR settlement

As per the article below by Owen Kurtin on jdsupra.com: “A recent Department of Health and Human Services Office of Civil Rights (HHS OCR) $3.5 million settlement confirms that it is a facial violation of HIPAA for a Covered Entity to transmit, and for a Business Associate to receive, patient Protected Health Information without a written, compliant Business Associate Agreement in place. In other words, if there is no written, compliant Business Associate Agreement in place, the Covered Entity had no right to transmit, and the Business Associate had no right to receive, the PHI in the first place.”

This sends a strong message from HHS-OCR about CE-to-BA relationships and the need for BAAs. This has been a consistent message from InfoTech Innovators LLC.

Below is a link to the full article on jdsupra.com:

http://www.jdsupra.com/legalnews/hipaa-business-associate-agreement-best-49072/

Landmark HIPAA settlement confirms push to firm up patching schedules

Anchorage Community Mental Health Services (ACMHS) must pay $150,000 and implement an action plan to meet HIPAA compliance after more than 2,700 individuals’ electronic health information was compromised in a cyberattack on the organization. OCR opened an investigation into the group’s HIPAA compliance and found that the medical organization violated the “Security Rule.”

The HIPAA Security Rule requires entities who handle electronic protected health information to regularly patch systems and update their IT infrastructure. Although ACMHS had adopted the sample Security Rule policies and procedures in 2005, they were never followed. This lack of patching of IT security systems allowed malware to breach the medical organization’s systems and, the bulletin says, prompted the settlement.

“This settlement illustrates that covered entities and business associates not only need to adopt the appropriate HIPAA policies, procedures and practices on paper, but they have to ‘live them’ via execution. Keeping software and computer infrastructure patched and current is part of living HIPAA compliant. This gets to the heart of negligence related to proper IT controls and management. It’s not enough to just install technology and forget about it; security and patching are an ongoing task,” said Al Rozell, President of InfoTech Innovators.

Meaningful use audits could recover $33M in EHR incentives – Shoddy or missing Security Analysis

November 10th, 2014

This article over on SearchHealthIT, reported on 11/10/2014, states that:

CMS data from public records request reveals physicians, hospitals fail meaningful use audits with missing or shoddy HIPAA security analysis.

To the tune of $33M in EHR incentives recovered.

The audits cover meaningful use attestations going back to 2013. CMS plans to continue audits in 2015. Millions of dollars in federal incentive payments have already had to be returned by those who flunked, and more will likely have to be given back, up to an estimated total of $33 million according to an analysis of the CMS data posted as an infographic by consultant Health Security Solutions.

Two consultants and a lawyer interviewed for this story by SearchHealthIT said they believe nonexistent or shoddy self-assessments of how well doctors and healthcare organizations are protecting patient health information are the main reasons for a notably high audit failure rate among eligible practitioners (EPs). Meaningful use requires HIPAA security assessments, which force the practitioner or hospital to identify and mitigate risks threatening the data contained on their networks.

Al Rozell from InfoTech Innovators stated:
“Very often in small to medium size practices (and larger healthcare organizations on occasion) we find unqualified personnel who try to do their own internal assessments. They fill out a questionnaire they downloaded, answer the questions, sometimes they note IT security gaps (sometimes not), etc. HIPAA Security Risk Assessments need to be performed by qualified IT security personnel together with trained HIPAA security professionals, and THAT is what InfoTech Innovators does. A complete Security Risk Assessment with a risk remediation strategy and a proposed execution plan is critical. If they have not done an adequate Security Risk Assessment, the answer is even simpler: do one :) and start making HIPAA compliance an aspect of how you run your business and care for your patients.”

Mr. Rozell added:
“Complaining about doing it doesn’t get it done. The cost of HIPAA compliance related to hiring professionals, supplementing staff or training staff to execute assessments for you internally is a cost of doing business, and that cost is considerably less than the punitive or other costs to your practice and/or reputation if HIPAA is ignored.”

HIPAA: Liability to Private Parties for Violations

November 14th, 2014.

An article by David Harlow on his blog, entitled “HIPAA: Liability to Private Parties for Violations,” discussed how last week:

“Connecticut joined at least nine other states (DE, KY, ME, MN, MO, NC, TN, UT, WV) in recognizing that, while HIPAA does not create a private right of action for violation of privacy, it does constitute a standard against which the actions of a defendant in such a case will be judged. In other words, if a covered entity or business associate or downstream contractor releases PHI other than in accordance with HIPAA (i.e., for treatment, payment or health care operations purposes, or to or at the direction of the data subject or his or her legal representative), the breach of the HIPAA rule may be the basis for a finding of a breach of a duty of care in a state court negligence action.”

“Of course, we have long advised primary care (covered entities) and business associates that the potential liabilities and damages of non-HIPAA compliance exceed solely HHS-OCR audit failure penalties (which are potentially significant, may I add). It is possible in the context of a breach that a case could potentially be made for operational neglect,” as per Al Rozell from InfoTech Innovators. Mr. Rozell goes on to add: “HIPAA compliance is a way of conducting business and is not a single point-in-time attestation that just exists on a dusty report. The policies, procedures, practices, safeguards and monitoring must be happening day in and day out. To us, that is the operational burden of proof. Now, if a practice or BA has not conducted a HIPAA Security Risk Assessment, they are not even at the starting gate. An EHR is not a silver bullet that can holistically or magically make a practice HIPAA compliant… audits, assessments, other safeguards, policies, procedures and practices are part of the picture too.”

The Most Alarming Fact of the HIPAA Audits

Great article by Daniel J. Solove. Daniel is the John Marshall Harlan Research Professor of Law at George Washington University Law School.

Daniel reviews the results of the phase 1 HIPAA compliance audits performed by HHS-OCR that took place during 2011 and 2012. The statistics are alarming on the whole, most notably:

  • Under OCR’s pilot audit program, “58 out of 59 health care providers audited had at least one negative finding regarding Security Rule compliance.” That’s more than 98%.
  • Two thirds of all entities (47 out of 59 providers, 20 out of 35 health plans, and 2 out of 7 clearinghouses) had no complete or accurate risk assessment program.
  • Of what OCR kindly termed the “findings and observations,” most involved the Security Rule. Of the total pilot audit findings, 60% were based on the Security Rule, 30% on the Privacy Rule, and 10% on the Breach Notification Rule.

The Second Phase of Audits

While there is no set start date, the second phase of audits is scheduled to begin this fall (2014) and continue into 2016.

Unlike phase 1, phase 2 will be conducted primarily by OCR staff. Another difference is that phase 2 will likely result in compliance reviews, a type of enforcement tool. Moreover, OCR does not intend for phase 2 to include on-site audits.

According to an OCR report, the 2014 audits will focus on covered entities and the following areas: security risk analysis and management, breach notifications, and privacy notices and access issues.

The InfoTech Innovators solution, powered by one of our elite security business partners, will provide you with the tools and expertise you need to help you comply with the HIPAA Security Rule. Our solution was developed by experts knowledgeable about the HIPAA Security Rule, computer and network security, and security training.

His article can be viewed here.