Wilson Technology Group and More

Your One Stop IT and Telecommunications Firm



Types of Cyber Attacks

Adware – is designed to display advertisements on your computer or mobile device
Botnets – Hackers create botnets by successfully attacking your computer or other device and turning it into a “zombie computer”
Denial of Service – a special form of cyber attack that focuses on the interruption of a network service
Malware – any computer code that has a malicious intent
Phishing – hacker puts “bait” in front of you hoping that you’ll “bite” so they can “hook” you
Ransomware – takes control of your system, holding your information hostage until you pay the ransom to your attackers
Spyware – monitors or spies on its victims, records keystrokes
Trojans – sneaky kind of malware, look harmless or even beneficial and trick you into installing them on your system
Viruses – infect a computer, survive by attaching to other programs or files.
Worms – replicate themselves many times to fulfill a nefarious purpose

Find out more by visiting: http://www.wilsontechgroup.com
Find us on LinkedIn and Facebook



Are You A Safe Internet User?

If you answer “Yes” to any of the following, you may be at risk.

1) Do you visit websites by clicking on links within an email?
2) Do you follow ad links from a web site?
3) Do you reply to emails from companies or persons that you are not familiar with?
4) Do you bank/shop online?
5) Do you reply to emails that offer deals/coupons or request your opinion?
6) Would you provide your personal/banking information as a result of an email notification?
7) Is your Firewall/antivirus software out of date?
8) Do you use a non-secure logon and password?
9) Is your data unencrypted?


Technical Considerations in Developing Policy for Mobile Devices

Is your company technically mature enough to enforce the policies it is writing? What technical issues need to be considered?

1) Mobile device encryption
2) Pass code requirements
3) Enforce screen lock timers
4) Enforce no jail broken phones
5) Enforce an enrollment system for remote wipe
6) Enforce application and OS update policies
7) Data classification (not all data has the same value – separate it)
8) Data isolation (you cannot protect everything so separate it)
9) VPN (keep services off the open internet when possible)
10) Use 2 factor authentication


Policy Drafting Considerations for Mobile Devices

Regulators are focusing on mobile devices, particularly regarding HIPAA and HITECH compliance. Many policies affect BYOD and include:
1) Acceptable use policies
2) Security policies
3) Social media policies
4) Remote access policies
5) Litigation hold policies
6) Remote working policies
7) Incident response policies
8) Breach notification policies
9) Privacy policies

Include the appropriate team members in developing policies:
1) Senior management
2) Chief IT officer (sets the strategic direction including policy)
3) IT staff (implements policy/strategy)
4) Legal/regulatory (subject matter expertise/enforcement)
5) Human resources (enforcement)


HHS Office of Civil Rights

Since the compliance date of April 2003, over 89,045 HIPAA complaints have been received by the HHS Office of Civil Rights. What were the results? Nearly 22,000 complaints were resolved through investigation and enforcement. Close to 10,000 complaints were investigated and no violations were found, and nearly 52,000 complaints were closed because they were not eligible for enforcement.

The HHS Office of Civil Rights spends most of its efforts investigating the following:
1) Impermissible uses and disclosures of PHI (Personal Health Information)
2) Lack of safeguards of PHI
3) Lack of patient access to their PHI
4) Uses or disclosures of more than the minimum necessary
5) Lack of administrative safeguards of ePHI

Some of the problems identified in the above include:
1) Failure to conduct a Risk Analysis (RA) in response to a new environment
a) BCBSTN – changed offices
b) WellPoint – installed software upgrade
2) Failure to conduct an accurate and thorough RA that incorporated all IT equipment, applications, and data systems utilizing ePHI
a) New York Presbyterian Hospital
3) Workforce Members
a) Failure to train and/or train on an ongoing basis
b) Failure to “apply appropriate sanctions”
c) Failure to install security measures to monitor unauthorized access
i. UCLA case – workforce members repeatedly snooping on patients between 2005 and 2008
d) Failure to implement appropriate policies and procedures for authorizing access to the patient database
4) Technical/Security Failures
a) Failure to take inventory of equipment that accesses PHI
b) Failure to implement processes to assess and monitor the equipment that accesses PHI
c) Failure to implement appropriate security measures
d) Failure to follow existing policies and procedures on information access management
i. New York Presbyterian Hospital

Why have a policy?
a) Protect clients/patient rights
b) Instill professionalism throughout your enterprise
c) Protect your organization from liability
d) Protect your employees from liability


Health and Human Services (HHS) Supports Mobile Devices

Recognizing the proliferation of mobile devices, HHS has strongly advocated using them. Their reasoning includes:

1) Improving public health outcomes (and reducing costs)
2) Helping with chronic disease management
3) Reminding people to take medications
4) Reaching rural areas
5) Empowering people through education


Are You a Safe Internet User?

If you answer “Yes” to any of the following questions, you may be at risk:

1) Do you visit websites by clicking on links within an email?
2) Do you follow ad links from a web site?
3) Do you reply to emails from companies or persons you are not familiar with?
4) Do you bank/shop online?
5) Do you reply to emails that offer deals/coupons or request your opinion?
6) Do you provide your personal/banking information as a result of an email notification?
7) Do you keep your Firewall and antivirus software up to date?
8) Do you use a non-secure logon and password?
9) Is your data unencrypted?


More on Data Security

What questions do you need to be asking yourself?

When was your last Risk Analysis? Did it include a vulnerability scan? Pen test? On-site walkthrough?

Encryption? Are your portable devices encrypted?

BYOD – do you have signed agreements in place?

What is your policy on employee use of social media? The breach notification clock starts when “known or, by exercising reasonable diligence would have been known.”

What does your HIPAA training say about security? Or does it only address privacy? For instance, does it cover passwords, use of mobile devices, proper use of email, etc.?

Do you have a contract with your vendors? Who is paying for breach remediation?


New Florida Data Breach Law Section 501.171

Section 501.171 repeals and wholly replaces Florida’s existing data breach law and went into effect on July 1, 2014. It applies to every business that handles “personal information” of Florida residents and requires these businesses to take proactive “reasonable measures” to secure data.

The definition of personal information is quite broad and includes social security numbers, healthcare information, health insurance policy numbers, credit card numbers, and “a user name or e-mail address, in combination with a password or security question and answer that would permit access to an online account.”

It includes a data records disposal provision: “…Such disposal shall involve shredding, erasing, or otherwise modifying the personal information in the records to make it unreadable or undecipherable through any means.”

There is no private right of action, but a “violation of this section shall be treated as an unfair or deceptive trade practice in any action brought by the Florida Attorney General…against a covered entity or third party agent.” Civil penalties are not to exceed $500,000 and will go into the General Revenue Fund.


The Office of Civil Rights (OCR)

The OCR has been quite active, particularly since 2011. Recent settlements include:
1) UCLA Health System – $865,500 – Workers were found snooping on celebrity patients
2) Alaska Dept. of HHS – $1.7M – Unencrypted portable media device was stolen from the care of an employee
3) Affinity Health Plan – $1,215,780 – Returned copiers to a leasing agent without erasing the copiers’ hard drives

Who has obligations? Regulated businesses include healthcare and financial services.

Nonregulated businesses also have obligations, enforced by the Federal Trade Commission (FTC). The FTC works for consumers to prevent fraudulent, deceptive and unfair business practices, and it has the authority to pursue any company that has engaged in unfair or deceptive acts or practices in or affecting commerce. The FTC will take action against individual owners.

The Florida Information Protection Act (SB 1524) broadens Florida’s existing data breach law. It requires that each covered entity, governmental entity, or third party agent shall take reasonable measures to protect and secure data in electronic form containing personal information.

What is personal information? An individual’s first name or first initial and last name in combination with any one or more of the following data elements for that individual: SSN; driver’s license or ID card number; credit or debit card number (with security code, access code, or password); healthcare information; the individual’s health insurance policy number; etc.

What does it mean to take reasonable measures to protect and secure data in electronic form containing personal information? Businesses must address administrative, physical and technical safeguards.
