This week's post comes courtesy of Diana Wicker, Director of Compliance and Reporting at
First Sun EAP and easily the coolest person I met in 2019.
She is a social worker turned Chief Technology Officer of a major EAP.
How cool is that? Here is her post:
You can do this thing.
The one thing I would like everyone reading this to take away is –
you can do this thing. You can learn about and implement cyber security even as a solo practice counselor.
Step 1: Read – You won’t know what you don’t know until you start reading. Right now, the US Federal government is diligently pushing to update regulations and create guidelines and frameworks that are easily accessible and understandable so that everyone who needs to comply can do so.
A great place to start:
https://www.itgovernanceusa.com/federal-cybersecurity-and-privacy-laws.
Step 2: Watch – So, you’ve done the reading and some of it is still above your head. I get that. Look for videos so that you can see how these frameworks are intended to be used. Many of the government agencies are holding webinars and releasing video tutorials on how to do these things.
A great place to start is
https://www.healthit.gov/topic/privacy-security-and-hipaa.
Step 3: Attend – Cyber security is hands-on, and not everyone has experience with updating settings on computers, smart phones, tablets, and other electronic equipment. Many local technical schools, colleges, and universities hold continuing education classes in computer skills.
Step 4: Do – Download and use SRA Tool 3.1.
https://www.healthit.gov/topic/privacy-security-and-hipaa/security-risk-assessment-tool This is a freebie from the federal government that helps you track your compliance with:
a. HIPAA Security Rule
b. HITECH Act
c. NIST Cybersecurity Framework
Step 5: Vendors – When in doubt, hire out. IT consulting firms abound. Seek one familiar with HIPAA, HITECH, and the most up-to-date guidelines and frameworks so they can review your office setup and help you ensure that you have everything set up as you need it to be.
The easy things you can do with the equipment you already have:
1. Modem/Router – how the internet gets to you
• Update the name of the device to something unique.
• Change the default password that came with the device to something unique.
• Update the firmware on your wireless router so that its security patches are applied.
• Turn off unnecessary ports and services (such as FTP servers) if they are not routinely used.
• Encryption on your router: WPA2-PSK (AES) or WPA3 (SAE)
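As an added example (not part of Diana's post), here is a small Python script that checks a router's exported settings against the five items above. The dictionary layout and the two sample configs are constructed for this example and are not any real router's export format; the default-name and default-password lists are illustrative assumptions.

```python
from datetime import date

# Constructed sample configs (an invented dict layout, not any real router's
# export format): one as shipped from the factory, one after the checklist.
FACTORY_ROUTER = {
    "ssid": "NETGEAR42",
    "admin_password": "password",
    "firmware_date": "2018-03-01",
    "services": {"ftp": True, "telnet": False, "remote_admin": True},
    "wifi_auth": "WPA2-PSK",
    "wifi_cipher": "TKIP",
}
HARDENED_ROUTER = {
    "ssid": "Maple-Office-5G",
    "admin_password": "correct-horse-battery-staple-2020",
    "firmware_date": "2019-11-15",
    "services": {"ftp": False, "telnet": False, "remote_admin": False},
    "wifi_auth": "WPA3",
    "wifi_cipher": "SAE",
}

# Assumed, illustrative lists of vendor-default names and admin passwords.
DEFAULT_SSID_PREFIXES = ("NETGEAR", "LINKSYS", "TP-LINK", "DLINK", "XFINITY")
DEFAULT_PASSWORDS = {"", "admin", "password", "1234", "12345"}
# Labels exactly as the checklist gives them: WPA2-PSK with AES, or WPA3 with SAE.
ACCEPTABLE_WIFI = {("WPA2-PSK", "AES"), ("WPA3", "SAE")}


def audit_router(cfg, today=date(2020, 1, 1), max_firmware_age_days=365, needed_services=()):
    """Return one plain-language finding per checklist item that fails."""
    findings = []
    if cfg["ssid"].upper().startswith(DEFAULT_SSID_PREFIXES):
        findings.append("device name looks like a factory default; rename it")
    if cfg["admin_password"].lower() in DEFAULT_PASSWORDS:
        findings.append("admin password is a factory default; change it")
    age = (today - date.fromisoformat(cfg["firmware_date"])).days
    if age > max_firmware_age_days:
        findings.append(f"firmware is {age} days old; install the vendor's security updates")
    for name, enabled in cfg["services"].items():
        if enabled and name not in needed_services:
            findings.append(f"{name} service is on but not routinely used; turn it off")
    if (cfg["wifi_auth"], cfg["wifi_cipher"]) not in ACCEPTABLE_WIFI:
        findings.append("Wi-Fi is not WPA2-PSK (AES) or WPA3 (SAE); change the encryption setting")
    return findings


if __name__ == "__main__":
    for label, cfg in (("factory", FACTORY_ROUTER), ("hardened", HARDENED_ROUTER)):
        print(label, audit_router(cfg) or ["no findings"])
```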
2. Machine – how you do your work
• Encrypt your machines with a password (computer, laptop, tablet, smart phone)
• Set password or PIN for the operating system
• Turn on virus protection
• Turn on security updates
• Do not set programs, apps, or websites to auto-fill passwords to login. Use a password keeper app instead.
3. Software – where your data lives
• Set password or PIN on all software that might contain PHI (18 PHI Identifiers:
https://en.wikipedia.org/wiki/Protected_health_information)
• Encrypt your data – at rest and in transmission (this means email too)
• Know what your software touches – be mindful of integrated apps and what they have access to.
4. The Cloud – 3rd party services and vendors
• Software that lives on the internet and that you log into – get a BAA (business associate agreement) if it touches PHI.
5. Internet of Things – smart toys
• Does it listen? Does it record? Does it respond? Then it is NOT HIPAA compliant. Turn these OFF in your clinical areas!
Oh, and, heads up, just in case you missed the announcement:
The FAX machine is dead.
The Centers for Medicare & Medicaid have decreed that in 2020 the FAX is no longer to be used for healthcare information. Whither the government goest, business/industry will follow. Look for a HIPAA-compliant cloud fax/email service.
I know, that really looks like a lot. Take one item on the list at a time and work your way through.
And remember, you can do this thing!
Thank you Diana!