Is being responsible for electronic medical records a daily source of trepidation for you or your business? While the sentiment is understandable, it often results from a lack of understanding about what HIPAA compliance actually means. As industry-wide penalties continue to rise every year, it’s essential to take a closer look at who is being fined, and why. Keep reading for more details on the most recent case.

As the largest fully integrated healthcare system in Illinois, Advocate Health Care Network’s mismanagement of electronic medical records (EMR) came as quite a shock. Regardless of your feelings on such a sizable provider being unable to maintain secure EMRs, what can’t be argued is the precedent set by last month’s $5.5-million settlement.

How exactly did it come to such a historic penalty? The answer is threefold. Firstly, Advocate failed to perform the risk assessments mandated by HIPAA regulations -- an oversight that could have potentially prevented the other two infractions. Secondly, Chicago’s premier healthcare network failed to obtain proper written agreements with each of the business partners who had access to its data, which may have gone unnoticed if one of its associates had not been the subject of a security breach.

The final infraction, and arguably the most directly relevant to Advocate’s internal security policies, was the unsatisfactory safeguards in place on two stolen laptops with confidential medical information. While the breach of its business partner’s network only put 2,000 EMRs at risk, the stolen computers had access to almost 4 million.

So, if you’re tired of vague platitudes about ‘penalties for lax data compliance’ or the ‘liability risks of mediocre security,’ this is your answer: inadequate preventative measures, unfit business partners, and poor internal security protocols can spell millions in damages. Unfortunately, this isn’t just an aberrant case -- the total punitive damages for HIPAA noncompliance in 2015 totaled $6.2 million; after just over eight months into 2016, they currently stand at $20.3 million.

Keep your company’s name off the growing list of companies that didn’t have suitable systems in place when it mattered most. Our EMR management practices provide a full suite of care for your data records; from prevention to end-point security, your information is safe with us. Our proficiency in the healthcare IT industry spans a wide variety of experiences and know-how. Contact us today. We’d love to tell you all about it.

In 2012, cloud storage firm Dropbox was hacked with over two-thirds of its users’ details dumped all over the internet. While the company initially thought a collection of email addresses was the only thing stolen, it was wrong -- passwords had been compromised as well. This new information came to light when the database was picked up by a security notification service. So if you were using Dropbox before the incident and haven’t changed your password since, you should do so right away.

Despite the unfortunate incident, Dropbox has implemented a thorough threat-monitoring analysis and investigation, and has found no indication that user accounts were improperly accessed. However, this doesn’t mean you’re 100 percent in the clear.

What you need to do

As a precaution, Dropbox has emailed all users believed to have been affected by the security breach, and completed a password-reset for them. This ensures that even if these passwords had been cracked, they couldn’t be used to access Dropbox accounts. However, if you signed up for the platform prior to mid-2012 and haven’t updated your password since, you’ll be prompted to do so the next time you sign in. All you have to do is choose a new password that meets Dropbox's minimum security requirements, a task assisted by their “strength meter.” The company also recommends using its two-step authentication feature when you reset your password.

Apart from that, if you used your Dropbox password on other sites before mid-2012 -- whether for Facebook, YouTube or any other online platform -- you should change your password on those services as well. Since most of us reuse passwords, the first thing any hacker does after acquiring stolen passwords is try them on the most popular account-based sites.

Dropbox’s ongoing security practices

Dropbox’s security team is working to improve its monitoring process for compromises, abuses, and suspicious activities. It has also implemented a broad set of controls, including independent security audits and certifications, threat intelligence, and bug bounties for white hat hackers. Bug bounties is a program whereby Dropbox provides monetary rewards, from $216 up to $10,000, to people who report vulnerabilities before malicious hackers can exploit them. Not only that, but the company has also built open-source tools such as zxcvbn, a password strength estimator, and bcrypt, a password hashing function to ensure that a similar breach doesn’t happen again.

To learn more about keeping your online accounts secure, or about how you can protect your business from today’s increasing cyber threats, give us a call and we’ll be happy to help.

As the spectacle and competitive atmosphere of the Rio Olympic Games have drawn the world’s attention, hackers who use social engineering are inching closer to our private information. Although our systems may be prepared for the likes of malware and worms, social engineering is a different beast of its own. If used effectively, hackers can manipulate people into disclosing personal information, rendering security systems useless. So how exactly do they go about doing this? Below are five of the most utilized social engineering tactics you should be aware of.

Phishing Phishing scams are perhaps the most common type of social engineering attack. Usually seen as links embedded in email messages, these scams lead potential victims into seemingly trustworthy web pages, where they are prompted to fill in their name, address, login information, social security number, and credit card number.

Phishing emails often appear to come from reputable sources, which makes the embedded link even more compelling to click on. Sometimes phishing emails masquerade as government agencies urging you to fill up a personal survey, and other times phishing scams pose as false banking sites. In fact earlier this year, fraudulent Olympics-themed emails redirected potential victims to fake ticketing services, where they would eventually input their personal and financial information. This led to several cases of stolen identities.

Tailgating

What’s the best way to infiltrate your business? Through your office’s front door, of course! Scam artists can simply befriend an employee near the entrance of the building and ask them to hold the door, thereby gaining access into a restricted area. From here, they can steal valuable company secrets and wreak havoc on your IT infrastructure. Though larger enterprises with sophisticated surveillance systems are prepared for these attacks, small- to mid-sized companies are less so.

Quid pro quo

Similar to phishing, quid pro quo attacks offer appealing services or goods in exchange for highly sensitive information. For example, an attacker may offer potential targets free tickets to attend the Olympic games in exchange for their login credentials. Chances are if the offer sounds too good to be true, it probably is.

Pretexting

Pretexting is another form of social engineering whereby an attacker fabricates a scenario to convince a potential victim into providing access to sensitive data and systems. These types of attacks involve scammers who request personal information from their targets in order to verify their identity. Attackers will usually impersonate co-workers, police, tax authorities, or IT auditors in order to gain their targets’ trust and trick them into divulging company secrets.

The unfortunate reality is that fraudsters and their social engineering tactics are becoming more sophisticated. And with the Olympics underway, individuals and businesses alike should prepare for the oncoming wave of social engineering attacks that threaten our sensitive information. Nevertheless, the best way to avoid these scams is knowing what they are and being critical of every email, pop-up ad, and embedded link that you encounter in the internet.

To find out how you can further protect your business from social engineering attacks, contact us today.