HIPAA Archives - Kaseya
https://www.kaseya.com/blog/category/regulatory-compliance/legal-compliance/hipaa/

VSA by Kaseya Keeps Methodist Healthcare Ministries HIPAA Compliant
https://www.kaseya.com/blog/vsa-by-kaseya-keeps-methodist-healthcare-ministries-hipaa-compliant/
Mon, 18 Jun 2018

Many industries have compliance rules, but few are as strict as the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

There are many reasons why HIPAA compliance is so critical. One, a data breach exposes patients’ confidential records. This not only breaks trust; it is a major privacy invasion. And if the breach is somehow made public, the health care provider’s reputation is damaged.

There are also serious financial consequences. In fact, both the health care provider and their MSPs could be on the hook for fines and penalties.

Roy Herron, systems analyst for the Methodist Healthcare Ministries (MHM) in San Antonio, was well versed in HIPAA and the compliance benefits of VSA by Kaseya. Prior to working for the healthcare organization, Herron had worked for a managed services provider (MSP), where he became acquainted with the remote monitoring and management (RMM) solution. He knew the software would be able to bring IT efficiency and compliance to the fast-growing healthcare system.

Compliance and Security

As a healthcare concern, MHM has serious compliance regulations to meet. “VSA is a big help in keeping costs down and allowing us to stay in compliance with HIPAA and the HITECH Act,” Herron said. While complying with these regulations takes a lot of effort, it also creates a safer environment. “The HITECH Portability Act is a big component of our security checklist. It helps keep everything up to date, which is a big thing to protect from breaches,” he added.

VSA also comes in handy when dealing with breaches. “I use it to correlate data if we have a suspected breach. I correlate between our Active Directory, DNS, who logged on to the machine, and what is going on,” Herron said.

Value of Auditing

Auditing is important to understand where your IT infrastructure has been and to protect the network. It is also absolutely critical for compliance. “Auditing allows me to change local usernames and disable them to keep well-known usernames from being used against our system for breaches. Instead of having to change the administrator password, I send out a bulk one and it is done like that,” Herron said. “I have auditing trails on every one of our computers and see who is logged in currently or who logged in.”

Remote Control and Management

MHM employees are scattered throughout rural areas in South Texas. With “half of our people in San Antonio and 100 to 120 users in remote very rural areas,” according to Herron, sending technicians to these sites was becoming unwieldy.

VSA has been a total game changer. “VSA has made it way more efficient. I do not have to take four hours out of my day where I cannot take calls, do tickets, or help anybody out,” Herron said. “VSA keeps us from having to send a technician out to fix their computer. I remote-on to it to help them with whatever they need, such as email or our next-generation health system, and fix it in five to 10 minutes.”

The Power of Patching

With most breaches impacting unpatched computers, keeping machines up to date is an essential safeguard. “I use VSA for Windows patch management instead of having to have three or four different servers just to manage the patches. Everything is agent-driven right now. I have about a 92 percent patch rate within a week of when a new Microsoft patch is released. It is easy to set up. I did not have to tie in with everything else. You set up your policies and automation — and let it go,” Herron said.

Multiplatform is also essential. “It patches third-party software, not just the Microsoft Windows updates. I patch Firefox, Java, and some Flash. That is a big help. Otherwise, you probably have to send somebody out to physically patch each system, or spend tens of thousands of dollars on SCCM or SCE from Microsoft,” he said.

Meanwhile, the unified interface makes tasks easier to perform and manage. “The single pane of glass lets me see a group of our users and patching states. I can push everything out from my desk. Over the course of the day, it saves me probably two to three hours walking around,” he said.

Role of Reporting

Reporting is another key VSA attribute. “VSA lets me do reports to see which machines don’t have a service running or if something’s wrong. It tells me if they have not been patched, or how many patches are missing. That is big for compliance. One of the big factors in keeping your environment secure is patching,” he said.

Connecting with Live Connect

VSA’s Live Connect brings remote access to a completely new level, providing fast access to the computer even while an end user is working. “I am a heavy user of Live Connect, using it for command prompt scripts or VBS scripts that need to run, and to transfer files between computers. I also see in real time the processor usage and memory usage so I can tell that a machine may need more memory, or something on the computer is eating up the processes,” he said.

VSA and Live Connect are a big part of the IT efficiency story. “The time savings is plus or minus 20 to 30 minutes on a single call. It keeps call volume down, and our throughput has gone up significantly — probably by as much as 75 percent,” Herron estimated.

Two-Factor Authentication Adds an Extra Layer of Protection

MHM has just acquired AuthAnvil by Kaseya, which offers two-factor authentication (2FA). Herron is contemplating ways to put it to work. “We are looking at use cases like tying it into our electronic health record system and using it for sign-ins and sign-outs,” he said.

Herron also likes the idea of password cycling. If a password changes every five minutes, then even if an intruder gets the password, it will change within minutes, blocking access.

Read the full case study here.

13 Things Every MSP Should Know About HIPAA
https://www.kaseya.com/blog/13-things-every-msp-should-know-about-hipaa/
Thu, 01 Jun 2017

Knowing HIPAA isn’t just important for healthcare work – it is an absolute requirement.

You must be provably HIPAA-compliant. An MSP can’t do any HIPAA-related work without being HIPAA compliant. The good news is that once you are certified you can vie for HIPAA contracts, and because you are credentialed and knowledgeable, you can charge a premium for your services.

1. Penalties are serious.

Huge healthcare operations all know HIPAA. They have to. They are the ones most impacted by the rules, and most likely to be subject to frequent audits. Smaller operations aren’t always prepared for the risks. But penalties are more than serious.

Here are just a few of the fines dished out in the United States in recent years:

  • Affinity Health Plan paid $1.2 million because it didn’t erase the drives on its advanced photocopiers before returning them to the company that leased them.
  • WellPoint didn’t secure an online health database and paid $1.7 million.
  • The Massachusetts Eye and Ear Infirmary failed to encrypt physicians’ laptops and was hit with a $1.5 million fine.
  • Phoenix Cardiac Surgery posted patient appointments on an online calendar and paid $100,000.
  • A Walgreens in Indiana breached a single patient’s privacy and paid her $1.44 million.
  • An Idaho-based hospice lost a laptop due to theft. The fine was $50,000.
  • A medical practice in Phoenix sent patient data over insecure email, and was fined $100,000.
  • A pediatric practice in Massachusetts lost a flash drive and settled for a $150,000 fine.
  • Another stolen laptop in Boston had the doctor paying $1 million.
  • A lost backup drive cost the Alaska State Health Department $1.7 million.

This only scratches the surface. The HHS keeps an extensive list of violations.

2. Encryption is your friend.

HIPAA calls for all PHI data that is transmitted electronically to be protected, which is best done by strong encryption. In fact, if the data is strongly encrypted, the MSP and client are pretty much immune from penalty if that data is somehow breached, or if a lost device was already encrypted.

3. MSPs are responsible when clients run afoul of HIPAA.

Clients are known as covered entities and by definition are responsible for being in compliance with all aspects of HIPAA. MSPs that work with healthcare are called Business Associates and are just as responsible as the clients themselves.

4. Your potential clients probably don’t care about HIPAA nearly as much as you do.

Very large hospitals and other big healthcare organizations care about HIPAA. And they can most afford to take HIPAA seriously, pay for the technology to support compliance, and train their workers. Unfortunately, the majority of small practices don’t much care about HIPAA – they haven’t been audited and don’t expect to.

Your job is to convince them otherwise. They need to know that a HIPAA fine could be financially devastating and ruin the trust between them and their patients – a real business crusher. Smaller healthcare organizations are most in need of MSP HIPAA services since they aren’t closely aligned with large insurance companies and hospitals.

5. The security assessment is the first major step in an MSP HIPAA engagement.

In some cases, an MSP may do a basic security assessment to convince a healthcare prospect that HIPAA compliance is actually important and they need outside help to achieve it. Once a client is hooked, a deep-dive security assessment will define what needs to be changed immediately, what new technologies should be put in place, and how MSP services such as RMM and authentication and access management can help achieve HIPAA compliance. With a rich-enough set of offerings, you’ll be able to sell Compliance-as-a-Service to healthcare – and hopefully beyond.

6. It pays to document.

HIPAA rules require that MSPs, as business associates, must document the protective measures in place for ePHI. These documents must be given to all staff and they should understand what they mean.

7. You need a HIPAA Business Associate Agreement (BAA).

The HIPAA Omnibus Final Rule required that Business Associates get BAAs with their clients, the covered entity. This basically says that the BA promises to stay in compliance with all HIPAA regulations and keep ePHI safe.

8. Encryption is a confusing aspect of the rules, but err on the side of caution anyway.

Encryption is one area where HIPAA isn’t completely explicit. Instead, the HHS talks about doing “what is reasonable and appropriate” to protect ePHI, and then says:

In meeting standards that contain addressable implementation specifications, a covered entity will do one of the following for each addressable specification:

  • Implement the addressable implementation specifications
  • Implement one or more alternative security measures to accomplish the same purpose
  • Not implement either an addressable implementation specification or an alternative

This basically says the healthcare player or BA must find an effective way to secure data. One of the biggest issues is data in transit. Here the only way to know the data is protected is to strongly encrypt it. So while HIPAA doesn’t specifically require encryption, encryption is the only reasonable and viable way to meet HIPAA demands that ePHI is always protected.

9. Why you want encryption anyway.

Chances are your risk assessment, even an early stage assessment, called for encryption. That makes it a need. Encryption can keep you out of trouble. Many HIPAA fines are due to lost or stolen devices containing ePHI. The good news is there are no fines for lost or stolen devices if the device is encrypted – you don’t even have to report it.

10. The risk assessment is your friend.

This is another great idea that is codified by the HIPAA Omnibus Ruling. The assessment is required for covered entities and Business Associates.

The assessment covers:

  • Security policies relative to HIPAA
  • An analysis of vulnerabilities, risks and system threats
  • A plan for protecting and securing ePHI no matter where it is

11. You must have a security incident response plan (SIRP).

Also a HIPAA need-to-have, a SIRP details and documents what will be done in the case of a security breach or other security event. Part of this is tracking security events, ideally to prove that no successful exploits have taken place. In the event of an attack or breach (even just an attempt) you should document what happened and the incident’s severity. Organizations with more than 500 employees, patients or partners that suffer an attack must report the incident to HHS.

12. An MSP is the best defense in the case of an audit.

An audit is when a healthcare organization is vetted to make sure it is in compliance. The aim is to define the state of the organization and see what steps are needed to improve performance. These are supposed to be annual. Most healthcare organizations, even large ones, are not generally equipped to handle an audit, with all its complexity.

An MSP is best equipped for an audit because the MSP has put in place all the needed security measures. The MSP has all the event logs and reports on who accessed what and when through Remote Monitoring and Management (RMM).

13. Access safeguards and controls require a new approach to authentication and access management.

One of the biggest issues, in fact, the crux of the HIPAA matter, is making sure only those with the proper authority can access ePHI and the systems that contain it. Information access management policies and procedures are key to locking down unauthorized access to ePHI and other health data.

Download the ebook “The IT Pro’s Guide to Minimizing Healthcare Compliance Risk” to discover the functionalities essential to an IT management system that will help ensure your compliance needs are met.

Security and Healthcare IT: A HIPAA Compliance Questionnaire
https://www.kaseya.com/blog/a-hipaa-compliance-questionnaire/
Tue, 26 Aug 2014

As an MSP in the modern market you’ve likely heard the acronym “HIPAA” thrown about. If any of your customers are healthcare providers, clearinghouses, or businesses that deal with electronic protected health information (ePHI) then you have almost certainly heard of HIPAA compliance.

HIPAA, or the Health Insurance Portability and Accountability Act, is a set of regulations in the United States which apply to all people who have access to the data and/or networks which contain ePHI. Even if you only manage a network for a client who handles ePHI and never access the information yourself, you will still count as a “business associate” under the act, are legally required to be compliant with the act, and can be held liable in the event of a data breach.

This means that if you do, or intend to, support clients in the field of healthcare, then you need to be HIPAA compliant. Even though HIPAA is a piece of U.S. legislation, many countries have similar pieces of legislation with similar requirements.

This leaves us with a key question: What does HIPAA compliance require when it comes to IT security, identity, and access management?

Fortunately, I’ve boiled the answers to this question down into a list of simple yes or no questions you can ask your client. If the answer is no, consider that a bad sign.

Security Policies and Procedures

Policies must be established to handle and manage all security violations. You can ask your clients questions like:

  • Are your employees aware of the penalties that will ensue from security violations?
  • Are internal penalties in place for employees who violate security procedures?
  • Do all your users know what to do in the event of security incidents or issues?
  • Is there a process in place to document, track, and address security issues or incidents?
  • Is there someone tasked with checking all security logs, reports, and records?
  • Do you have a security official in charge of a password and smart security policy?
  • Have you ever undertaken a risk analysis?

Access Management

Access to ePHI must be restricted to those who have permission to access it. You can ask your clients questions like:

  • Do you have measures in place to authorize or supervise access to ePHI?
  • Are there processes for determining the validity of access to ePHI?
  • In the event of employee termination, is their access to ePHI blocked?

Security Awareness Training

HIPAA requires that a security awareness training program must be established for all staff. You can ask your clients questions like:

  • Are employees regularly reminded about security concerns?
  • Do you hold meetings about the importance of password, software, and IT security?
  • Are your employees aware of the process surrounding malicious software?
  • Do you have procedures for regular review of login attempts?
  • Do those procedures check for any discrepancies or issues?
  • Have you established procedures to monitor, manage, and protect passwords?

The Worst Case Scenario

There should be a plan in place for the protection and use of ePHI in the event of an emergency or disaster. You should ask your clients questions like:

  • Are there tested and revised plans in place for an emergency?
  • Have the applications and data needed for these emergency plans been analyzed?
  • In the event of a disaster (I.T.E.O.A.D.), can copies of ePHI be made or retrieved?
  • I.T.E.O.A.D… Can all ePHI be restored or recovered?
  • I.T.E.O.A.D… Will your ePHI be protected?
  • I.T.E.O.A.D… Can critical ePHI related business functions be completed?

Contracts for Business Associates

Business associate contracts are critical for both ITSPs and MSPs who work in the healthcare setting. While not signing an agreement can provide a slight amount of protection from being liable under the law, detailing and signing off on your agreed-upon duties and liabilities can provide significantly more protection in the event of an investigation, audit, or breach. Documentation is key when it comes to protecting yourself.

Technological and Physical Protection

Procedures that limit physical access to facilities and equipment that house ePHI data need to be in place. Additionally, it is just as critical that procedures must ensure all ePHI is only accessible to employees who have permission to do so.

As someone working from an IT position, it is your responsibility to ensure that access to applications and data containing ePHI is limited only to authorized users. This is where authentication becomes critical.

One method you can discuss with your client is known as multi-factor authentication (MFA). With MFA, users log in with a password as well as an additional security factor like a fingerprint scan or a one-time use code from a secure mobile app. MFA’s advanced level of security also allows businesses to explore other productivity and security solutions like single sign-on (SSO), which allows a single credential to provide access to multiple applications. For many businesses which are required to comply with HIPAA regulations, multi-factor authentication and single sign-on are both convenient and practical solutions to many of their compliance woes.

Author: Harrison Depner
