Another Day, Another Major Data Breach – 20 Tips to Protect Your Business in 2018

Over Easter weekend, hackers stole 5 million credit and debit card numbers that were used at Saks Fifth Avenue, Saks Off Fifth, Lord & Taylor, and Canada-based Hudson’s Bay Company. The personal information of customers who shopped at these stores is now compromised.


Most of the stolen card data — which goes all the way back to May 17 — was obtained from these stores in the New York City metro area, and other stores in the Northeast U.S. It appears that these stores weren’t using a secure credit card payment system. Security firm Gemini Advisory reported:

“The attack is amongst the biggest and most damaging to ever hit retail companies...Credit card data was obtained for sales dating back to May 2017. The breach likely impacted more than 130 Saks and Lord & Taylor locations across the country, but the majority of stolen credit cards were obtained from New York and New Jersey locations.”

Gemini Advisory says that the hacking group JokerStash/Fin7 boasted about their success on the Dark Web and that the data is now for sale. The name of their “product” is BIGBADABOOM-2. Gemini Advisory’s co-founder and chief technology officer said that this group previously targeted major hotel and restaurant chains. They were also responsible for other data breaches like the ones that affected companies including Whole Foods, Chipotle, Omni Hotels & Resorts and Trump Hotels.

The hackers typically use phishing emails to gain confidential information. They send the emails to company employees including managers and supervisors who are key decision makers. They disguise themselves as an entity these people would recognize as legitimate. The email contains an invoice and asks them to pay it via a link provided. Once clicked, their IT system is infected.

No store is immune from this type of breach. However, you can protect your business from phishing attacks by educating your employees.

Cybersecurity training is a must for all businesses today. You can have all the right security technology in place, but if one of your employees unknowingly clicks a malicious link, or visits a counterfeit website, your business can be ruined.

Phishing is when a scammer uses fraudulent emails, texts, or copycat websites to get you to click a link so that they can steal your confidential information like Social Security numbers, account numbers, login IDs, and passwords. They use this information to rob you of your money and your identity.

The majority of account takeovers come from simple phishing attacks where you or someone in your organization gets tricked into releasing private credentials and information.

Scammers also use phishing emails to get access to your computer or network, so they can install programs like ransomware that lock you out of your important files unless you pay a ransom.

Spoofing

Phishing scammers try to lure you or your employees into a false sense of security by pretending to be a trusted source like a legitimate company, the IRS, a colleague, vendor, or even a friend or family member.

Phishers create a sense of urgency, making it seem like they require your information right away or something terrible will happen to you. They may threaten to hold back a tax refund or close your bank account. Essentially, they lie to get your information.

Here are things that you and your employees should do to protect your business.

Be cautious about opening attachments and clicking links in emails.

Files and links may contain malware that can infect and weaken your computer’s security.

Type in URLs and email addresses.

If a company or organization you know sends you a link or phone number, don’t click the link or call the number. Go to your search engine and type in the correct URL for the company’s site and find the legitimate phone number.

Call the source. Don’t respond to emails that request confidential or financial information. Phishers use strategies that prey on fear. If you think the contact in the email needs this information, refer to the phone number in your address book, not the one posted in the email, and call them to verify the request.

Use Two-Factor Authentication. For accounts that support it, two-factor authentication is an extra step to ensure the security of your information. It requires both your password and an additional piece of information to log in to your account. The second piece might be a code the company sends to your phone or a one-time number generated by an application or token. Two-factor authentication protects your account even if your password is compromised.

Update your applications and Operating System. Use security software you trust, and make sure you set it to update automatically. Also, make sure you update all your applications and your Operating System when you receive patches from the manufacturer. Don’t delay, as there are good reasons for these updates, and they will protect your information from the latest threats.

Back up your files to an external hard drive and enterprise-based cloud storage. Back up your files regularly to ensure you have a duplicate of all your files and applications if your network is compromised.

Google conducted a study between March 2016 and March 2017 in conjunction with researchers from the University of California, Berkeley. The results revealed that phishing is far riskier for users than data breaches because of the additional information phishers collect.

Use a unique email address.

Spammers send out millions of messages to name combinations hoping to find a valid email address. If you use a common name like Joe, you’ll receive more spam than with a name like Wwmj4itvi. An unusual name like this is harder to remember, so try building it from a phrase you won’t forget, such as “We were married June 4 in the Virgin Isles” (Wwmj4itvi).

Use an email filter.

If your email provider offers a filter that screens out potential spam or channels it into a bulk-mail folder, turn it on. If it doesn’t, you might want to consider another Internet Service Provider.

Use more than one email address.

Consider using a disposable email address service that forwards messages to your permanent account. If the disposable address receives a lot of spam, you can shut it off without affecting your permanent address.

Limit your exposure.

Don’t share your email address in public. This includes blog posts, chat rooms, social networking sites, or in online membership directories. Spammers use the web to obtain email addresses.

Check privacy policies and uncheck boxes.

Before submitting your email address to a website, determine if they can sell your email to others. Don’t provide your address to sites that won’t protect it.

Be wary of messages that:

  • Try to solicit your curiosity or trust.
  • Contain a link that you must “check out now”.
  • Contain a downloadable file like a photo, music, document or pdf.

Don’t believe messages that contain an urgent call to action:

  • With an immediate need to address a problem that requires you to verify information.
  • Urgently asks for your help.
  • Asks you to donate to a charitable cause.
  • Indicates you are a “Winner” in a lottery or other contest, or that you’ve inherited money from a deceased relative.

Watch for messages that:

  • Respond to a question you never asked.
  • Create distrust.
  • Try to start a conflict.

Watch for flags like:

  • Misspellings
  • Typos
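The red flags in the lists above can be turned into a first-pass triage check. This added Python example (not code from the original article) parses one raw email with the standard library and reports the flags a reviewer would look for: a Reply-To pointing at a different domain than the sender, pressure phrases, links that show one site but lead to another or to a bare IP address, and executable or archive attachments. The message it runs on is constructed for the example; the phrase list, the extension list and the crude two-label domain comparison are assumptions to be tuned for your own mail.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Pressure phrases of the kind the article describes (assumption: extend for your mail).
URGENCY = ("urgent", "immediately", "within 24 hours", "act now", "check out now",
           "verify your account", "account will be closed", "you have won")
RISKY_EXT = (".exe", ".scr", ".js", ".vbs", ".zip", ".iso", ".lnk", ".docm", ".xlsm")
IPV4 = re.compile(r"\d{1,3}(\.\d{1,3}){3}")


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from <a> tags in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host: str) -> str:
    """Crude 'example.com' from 'www.mail.example.com' (no public-suffix list; assumption)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def host_of(text: str) -> str:
    return urlparse(text if "://" in text else "http://" + text).hostname or ""


def phishing_flags(raw: bytes) -> list[str]:
    """Return the red flags found in one raw RFC 822 message. Every flag begins with a
    stable tag: reply-to, urgency, ip-link, link-mismatch or attachment."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    flags = []

    sender = parseaddr(str(msg.get("From", "")))[1]
    reply_to = parseaddr(str(msg.get("Reply-To", "")))[1]
    if reply_to and "@" in sender and \
            registrable(reply_to.split("@")[-1]) != registrable(sender.split("@")[-1]):
        flags.append(f"reply-to: replies go to {reply_to}, not to the sender's domain")

    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body is not None else ""
    text = (str(msg.get("Subject", "")) + " " + re.sub(r"<[^>]+>", " ", html)).lower()
    hits = [phrase for phrase in URGENCY if phrase in text]
    if hits:
        flags.append(f"urgency: pressure phrases {hits}")

    collector = LinkCollector()
    collector.feed(html)
    for href, visible in collector.links:
        target = host_of(href)
        if IPV4.fullmatch(target):
            flags.append(f"ip-link: {href} points at a bare IP address")
        shown = host_of(visible) if ("." in visible and " " not in visible) else ""
        if shown and registrable(shown) != registrable(target):
            flags.append(f"link-mismatch: text shows {shown} but the link goes to {target}")

    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if name.lower().endswith(RISKY_EXT):
            flags.append(f"attachment: {name} is an executable or archive type")
    return flags


# Constructed sample message (not a real email) that trips every check once.
SAMPLE = b"""From: "Accounts Payable" <billing@example-vendor.com>
Reply-To: pay-now@mail-relay.example.net
To: manager@example.org
Subject: URGENT: overdue invoice, pay within 24 hours
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<html><body><p>Please <a href="http://203.0.113.10/pay">pay immediately</a> or at
<a href="http://example-vendor.com.login.example.net/">https://www.example-vendor.com</a>.</p></body></html>
--b1
Content-Type: application/zip; name="invoice.zip"
Content-Disposition: attachment; filename="invoice.zip"
Content-Transfer-Encoding: base64

UEsFBgAAAAAAAAAAAAAAAAAAAAAAAA==
--b1--
"""

if __name__ == "__main__":
    for flag in phishing_flags(SAMPLE):
        print("-", flag)
```

None of these flags proves a message is malicious on its own; the value is in showing an employee, or a mail-gateway rule, several of them together so the "call the source" step above is triggered before anything is clicked.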

Always Use Secure Passwords.

  • Use Two-Factor Authentication if it’s available.
  • Never use words found in the dictionary or your family name.
  • Never reuse passwords across your various accounts.
  • Consider using a Password Manager (e.g., LastPass or 1Password).
  • Use complex passwords.
  • Create a unique password for work.
  • Change passwords on at least a quarterly basis.
  • Use passwords with 9+ characters.
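The password rules above are easy to state and easy to forget, so here is an added Python example (not code from the original article) that enforces the checkable ones: the 9+ character minimum, a dictionary and family-name check, and no reuse of earlier passwords. Earlier passwords are kept only as salted PBKDF2 hashes, so the history itself never stores a password. The word list is a constructed stand-in, and the definition of "complex" as three of four character classes is an assumption the article leaves open.

```python
import hashlib
import re
import secrets

MIN_LENGTH = 9       # the article's "9+ characters"
MIN_CLASSES = 3      # assumption: "complex" = at least three of lower/upper/digit/symbol
# Constructed stand-in for a real word list; a deployment would load a full dictionary
# and a breached-password list here (assumption).
DICTIONARY = {"password", "welcome", "summer", "letmein", "qwerty", "atlanta"}


class PasswordHistory:
    """Remembers previous passwords as salted PBKDF2 hashes so reuse can be refused
    without ever storing the passwords themselves."""

    def __init__(self, iterations: int = 100_000):
        self._entries: list[tuple[bytes, bytes]] = []
        self._iterations = iterations

    def _digest(self, password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, self._iterations)

    def record(self, password: str) -> None:
        salt = secrets.token_bytes(16)
        self._entries.append((salt, self._digest(password, salt)))

    def seen(self, password: str) -> bool:
        return any(secrets.compare_digest(self._digest(password, salt), digest)
                   for salt, digest in self._entries)


def check_password(password: str, history: PasswordHistory, family_names=()) -> list[str]:
    """Return the policy violations for a candidate password (an empty list means it passes)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"too short: needs at least {MIN_LENGTH} characters")
    classes = sum(bool(re.search(p, password)) for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"))
    if classes < MIN_CLASSES:
        problems.append(f"not complex enough: use at least {MIN_CLASSES} of lower, upper, digit, symbol")
    lowered = password.lower()
    for word in sorted(DICTIONARY | {n.lower() for n in family_names}):
        if len(word) >= 4 and word in lowered:
            problems.append(f"contains dictionary or family word '{word}'")
    if history.seen(password):
        problems.append("reused: matches a previous password")
    return problems


if __name__ == "__main__":
    hist = PasswordHistory()
    hist.record("Correct-Horse-42")
    for candidate in ("summer2018", "Correct-Horse-42", "Tr0ub4dor&3xample!"):
        print(candidate, "->", check_password(candidate, hist, family_names=("Smith",)) or "OK")
```

A password manager, as the list suggests, makes all of this moot for the user: it generates something long and random per site, and the checker above simply passes it.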

Keep Your Passwords Secure.

  • Don’t tell anyone your passwords.
  • Don’t write them down or email them.
  • Never include a password in a non-encrypted stored document.
  • Don’t speak your password over the phone.
  • Don’t hint at the format of your password.
  • Don’t use the “Remember Password” feature of application programs such as Internet Explorer, Portfolio Center or others.
  • Don’t use your corporate or network password on an account over the Internet that doesn’t have a secure login starting with https://. If the web address begins with https://, your browser’s connection to the website is encrypted, so your password can’t be read in transit. There should be a small lock icon next to the address. If there isn’t, don’t type in your password.

If you believe your password may have been compromised, you should change it.

Regularly Back Up Your Data Both Onsite and Remotely.

  • Maintain at least three copies of everything.
  • Store all data on at least two types of media.
  • Keep a copy of your data in an alternate location.

If you haven’t backed up your data and you’re attacked, it’s gone forever.

Ask Your IT support to Conduct Testing and Security Awareness Training for Your Employees.

  • Give a social engineering test.
  • Share the results with your staff.
  • Debrief and train your users.
  • Test again each year.

Report Phishing Emails and Texts to the Federal Trade Commission.

Forward phishing emails to the Federal Trade Commission at spam@uce.gov – as well as the organization that was impersonated in the phishing email. Include the full email header if it’s available.

File a report with the Federal Trade Commission at FTC.gov/complaint.

Visit Identitytheft.gov. Victims of phishing could become victims of identity theft; there are steps you can take to minimize your risk.

You can also report phishing emails to reportphishing@apwg.org. The Anti-Phishing Working Group which includes Internet Service Providers, security vendors, financial institutions and law enforcement agencies uses these reports to fight phishing.

Hold on to Your Credit Cards… Alexa’s On a Shopping Spree!

I love my Alexa. I don’t know what I’d do without it. Last year I decided to set it up for voice shopping. That way, when I come home from work, I can start cooking dinner, get the kids going on their homework, and tell Alexa what I want to buy.


Evidently, other moms and dads are doing this too. Research shows that people are spending about $2 billion a year using voice shopping with their Echos and Alexas.

And, it’s predicted that this amount will increase rapidly over the next few years to a whopping $40 billion by 2022! According to the company that provided these statistics:

“Voice commerce represents the next major disruption in the retail industry, and just as e-commerce and mobile commerce changed the retail landscape, shopping through smart speakers promises to do the same…The speed with which consumers are adopting smart speakers will translate into a number of opportunities and even more challenges for traditional retailers and consumer products companies.”

It seems that Amazon is the preferred vendor with 85% of people choosing the products Amazon suggests. For those like me who purchase groceries online, 45% of online grocery orders are made through Amazon Fresh.

Here are some more interesting statistics:

  • Right now, only 13% of homes have one of these devices, but by 2022 this is supposed to grow to 55%.
  • Amazon Echo is the most used of any U.S. virtual assistant. Google Home is the next at 4%, followed by Microsoft’s Cortana at 2%.
  • Those of us who have an Amazon smart speaker spend 66% more on Amazon than other people do.
  • Amazon Alexa owners spend on average $1,700 a year at Amazon, while members of the Amazon Prime program spend around $1,300 a year at Amazon.

Well, what can I say? It’s so much easier to just speak into my Echo and tell Alexa to reorder what I did last week from Amazon Fresh. When I’m making dinner, I don’t have the time to sit down and type away on a keyboard. The Voice Purchasing function of Amazon’s Alexa and Echo is so convenient. I can order practically anything from Amazon without using my computer. It’s great!

It seems that the smart speaker market is still in its infancy (unlike my precious children), and it’s still not clear if the Google and Microsoft smart speakers will be able to catch up to Amazon in the future.

Speaking of children…

Because Amazon doesn’t ask me to confirm my purchases with a “yes,” I’ve found some items in my orders that I didn’t place – but that my “precious” children did! Sugary cereal, microwave popcorn, chips, cookies, etc. Boy, was I mad when I found out they did this. You can be sure these purchases will come out of their allowance!

When I complained to Amazon, they told me to increase the security on my Alexa. They said there are two ways I can secure the Echo speaker from the kids or others. I can disable the Voice Purchasing feature or simply create a four-digit PIN (a secret one of course!).

Here’s how to disable Voice Purchasing.

By disabling Voice Purchasing, you can still shop with your Alexa and add items to your cart. However, you’ll have to complete your checkout from the Amazon website or app.

  • Sign on to amazon.com (or open the Alexa app on your iOS or Android device).
  • Go to Settings.
  • Select Voice Purchasing.
  • Toggle off Purchase by Voice to disable Voice Purchasing.

They also suggested that I use a confirmation code.

Doing this lets me keep Voice Purchasing enabled without allowing others to purchase things with my Amazon account. I have to speak my confirmation code aloud to complete my order. So, I make sure to do this when the kids or others aren’t around! 

  • Sign on to amazon.com (or open the Alexa app on your iOS or Android device).
  • Go to Settings.
  • Scroll down and choose Voice Purchasing.
  • If it isn’t enabled choose “Purchase by Voice” to enable it.
  • In the text field beside Require confirmation code, enter a (secret) four-digit PIN.
  • Save.

Why do I love my Alexa for shopping? Because it’s so convenient! If I’m running out of paper towels or toilet paper, rather than jotting this down on a shopping list, I just ask my Echo to tell Alexa to order what I did last month. They arrive at my house in just two days! No more going to the store, putting them in a cart, jamming them into my car, taking them out of my car, etc. (you get the idea). They magically appear on my doorstep with minimal effort on my part.

And, if I happen to order something that requires a return, I don’t have to pay for shipping. Come to think of it, I should have returned the kids’ chips, cereal, etc.!

If you haven’t shopped with Alexa, you should give it a try. I know, it can be a little scary the first time. But once you see how easy it is, you’ll be “hooked” like me.

Here’s how to set up Alexa for shopping.

First, you need to set up an Amazon Prime account, provide a U.S. shipping address, billing address and a U.S.-based payment method. Set your Amazon Prime account for 1-Click shopping.

Check the settings in your Alexa to make sure Voice Purchasing is enabled. You can go to Settings -> Voice Purchasing in the Alexa app, and enable it. You can also manage your 1-Click settings here and set a 4-digit PIN to make sure the kids don’t order stuff!

Now, you can order anything that’s Amazon Prime-eligible:

Order new products: If it’s something you’ve never ordered before, Alexa will suggest an “Amazon Choice” product that meets your description. If you’re not sure about what you want to buy, you can add it to your cart and cancel it right away if you change your mind.

Reordering: Alexa will look at your past orders, so if you ordered a particular brand of paper towels, you can easily reorder them with a “reorder _____” command. Alexa will ask you to confirm the order, and if you say yes, you’re all done.

Tracking: You can always track what you’ve ordered by asking Alexa. Just say, “Alexa, where’s my stuff?” She’ll let you know when your order will arrive.

So, you can see why I love my Alexa and why I can’t do without “her.” She’s my newest best friend!

What? Artificial Intelligence is Snooping Around In Our Private Electronic Health Records?

This may sound like science fiction, but it’s not. The leading electronic health record vendors are, or will soon be, using Artificial Intelligence (AI) to read our EHRs. They revealed this at the 2018 HIMSS18 conference.


EHR vendors Allscripts, athenahealth, Cerner, eClinicalWorks, and Epic all plan to add AI into the next versions of their EHR platforms – some as early as 2019. AI will be incorporated into things like population health, telemedicine, voice interactions and even clinical decisions.

At the conference, Microsoft displayed how AI runs in conjunction with the Epic EHR system using Microsoft Azure. Siemens Healthineers showed how AI works with its cloud-based imaging software. Caradigm said they’re adding AI into their population health tools.

Dr. John Glasser from Cerner/Siemens tells us how this works:

“Right now, when [a physician goes] to order a prescription or you go to document, let’s say, on a patient, the machine — because you’ve got to document this, that or the other — … asks you the same questions, like if someone has diabetes regardless of the nature of the diabetes, and what’s been done before. So … you have the AI that says ‘I’m only going to document the stuff that is really tailored to this patient and their particular issues … and I’m going to populate with stuff I already know. I’m going to go ahead and take care of a bunch of the documentation and I’m going to focus [the physician’s] documentation on key items. That’s one way we do it. Really tailor … so they don’t waste time documenting stuff that’s irrelevant or that’s not going to be useful….

The second thing we have, and this is still early, … you’re in the room examining your patient, the machine is pulling data from the EHR … it’s looking at activities, what screen you go to as the doctor, it’s listening to the encounter, so it’s listening to the discussion and it’s pulling up key phrases and this, that and the other, and it’s watching the interaction. It’s actually seeing you listening to the patient’s chest or looking in the patient’s ear. But based on the system watching the conversation and listening to the conversation and pulling out the data it actually generates the documentation automatically. It’s still early, but it looks pretty darn promising … through recognition of voice and recognition of images and movement it will actually automatically generate this. Anyway … [with usability] it’s the fact that … if you can take time out of these kinds of things and reduce clicks, then we’ll have made progress with usability.”

Beyond EHRs – If AI can help a doctor save time and better serve their patients, isn’t this a good thing?

Saving time in the healthcare setting may mean the difference between life and death. AI can help a physician diagnose a condition and treat it promptly. An early diagnosis for a patient who suffers from a heart attack or stroke can be lifesaving.

With assistance from AI perhaps doctors will be able to spend more time with their patients. With an aging population that needs more time with doctors, extra time is a precious commodity.

Physicians have a never-ending pile of paperwork that often needs immediate attention. Today, most spend two-thirds of their time handling paperwork. This is up from one-third only 10 years ago.

A report from the Annals of Internal Medicine revealed that – “During the office day, physicians spent 27.0% of their total time on direct clinical face time with patients and 49.2% of their time on EHRs and desk work. While in the examination room with patients, physicians spent 52.9% of the time on direct clinical face time and 37.0% on EHR and desk work. The 21 physicians who completed after-hours diaries reported 1 to 2 hours of after-hours work each night, devoted mostly to EHR tasks.”

AI not only helps doctors save time, it also saves lives.

The treatment and prevention of dangerous diseases depend on early detection. And, a late or wrong diagnosis can have fatal consequences. AI research is being used not only to keep people healthy but to save lives as well. In 2017, doctors from Harvard and Beth Israel Deaconess partnered with Philips to improve the diagnosis of cancer. Without AI, it could take 6 months to compile the data from 10,000 ultrasound reports. With Philips AI, physicians can retrieve the information from 200,000 ultrasound reports within 5 days.

Philips Research China, one of the company’s divisions specializing in AI, developed a Natural Language Processing (NLP) algorithm that extracts structured data from clinical reports, so doctors are provided with the proper information for secondary analysis. It’s currently being piloted in several large hospitals.

IBM is helping to fight cancer with AI, and its Watson Oncology platform. It will soon be used in a community hospital in Florida to help treat cancer patients. Watson takes in reams of clinical trial data and medical journal entries, detects patterns and gives cancer care specialists a list of effective treatment options.

Experts at the University of North Carolina School of Medicine tested Watson’s effectiveness with 1,000 cancer cases and found that it came up with the same recommended therapies as professional oncologists in 99% of the cases. Where this will really be of help is in smaller and rural medical centers where specialists are lacking.

AI helps doctors and patients in other ways.

Health assistants can also save you an unnecessary trip to the doctor, and time sitting in a waiting area with others who may have contagious illnesses. When you don’t feel well, you typically go to the doctor where he or she checks your vital signs, asks questions about your symptoms, and provides a prescription if warranted.

Now, a program called Your.MD can ask you about your symptoms and suggest steps you can take to help you feel better. It will also warn you if you need to visit a doctor. Other health assistants like Ada work in conjunction with Amazon Alexa to provide a symptom assessment report, and an option to contact a real doctor.

AI is also being used to remind patients to take their medicines. AiCure is another mobile app that uses AI to ensure patient compliance with prescriptions. This will help those who can’t remember to take their medications on time or those with serious illnesses who might skip their recommended doses altogether.

Will AI replace doctors one day?

As much as we like to think they won’t, it is a possibility according to Richard Susskind, chairman of the advisory board of the Oxford Internet Institute, and his son Daniel, an economics fellow at the University of Oxford’s Balliol College, writing in the Harvard Business Review.

They believe that “AI will not only support physicians but ultimately replace them. The argument that technology cannot be empathic is moot, they argue, and many aspects of professional work do not require compassion. They argue that judgment, creativity, and empathy are not necessary to the practice of medicine”.

But have no fear. For the foreseeable future, AI will augment healthcare – not replace it.

SamSam Strikes Again! Demands $51K from City of Atlanta

In case you haven’t heard, IT systems for the City of Atlanta were shut down by SamSam, a virulent form of ransomware.


What’s SamSam? The SamSam malware hunts for critical files and uses AES 256-bit encryption to lock them up. The hacker then asks for a Bitcoin to be sent to a Bitcoin wallet. If the victim doesn’t pay, they erase all the data.

“SamSam is a ransomware controlled by a single threat group,” explained Keith Jarvis, a researcher with Secureworks Counter Threat Unit. “It’s unlike other ransomware that’s out there.”

What makes SamSam different is in the way the attacks develop.

SamSam’s operators scan for open ports and use a brute force attack until they get in. In a brute force attack, they repeatedly try credentials against the exposed service until one works. Once the hacker group succeeds, they’re inside your system.

The ransom note left by hackers said that refusing to pay the $51,000 would result in deletion of all the information. This particular group of hackers has successfully collected $850,000 since last year.

1 in 4 of those who pay a ransom never recover their data. The FBI urges victims not to pay. This is why it’s essential that you back up your data to a reliable source.

This wasn’t the first time SamSam paralyzed a government.

It’s also infected offices in Colorado, North Carolina, Alabama, and Maryland.

Governments’ operations are mission-critical, and hackers know that they will ultimately pay the ransom.

Experts say that SamSam and other ransomware attacks will increase. No one is safe.

So, what should you do? Here’s what cybersecurity experts recommend.

“Backup, backup, backup!” You can restore your files from your last backup.

However, not all backups are the same. You must regularly back up your files to an enterprise-cloud solution. If you use a disaster recovery as a service (DRaaS) solution, you should be able to do this and quickly “spin up” the image of your backup on your computer. But first, make sure your most recent backup wasn’t infected as well. By spinning up the image in a self-contained virtual machine (VM), you can inspect the backup image without exposing it to your entire network.

Back up your data to a reliable source. A ransomware attack can hold your data hostage and paralyze your business just like it did for the City of Atlanta. That’s why having a reliable enterprise-cloud backup solution is crucial. Ask your Technology Solutions Provider to help you decide which one is best for your unique needs.

Work with your IT provider and answer the following questions so they can provide the best backup solution for you:

How critical is the data you store?

This will help your IT support determine when and how it should be backed up.

  • For critical data that includes databases, you’ll require a backup plan that extends over a number of time periods.
  • For confidential information, your backup data should be physically secure and encrypted.
  • For less critical data, an extensive backup plan isn’t required. However, you should still back up data regularly and ensure it is easily recoverable.

Do you need to back up your backup?

If you use large servers, your IT provider should create an image of them so your data can be retrieved immediately. Remember, backups can fail, so it’s important to back up your backup.

Do you test your backups to ensure they are readily recoverable?

No matter how comprehensive your backup plan is, you’ll never know if it actually works unless you test it. Avoid potential backup failures by asking your tech provider to regularly test the recoverability of your data backups.
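Two of the points above, testing that a backup actually restores and checking that the most recent backup wasn’t itself touched by the ransomware before you spin it up, come down to comparing what you restored with what you backed up. This added Python example (not code from the original article or any vendor’s product) records a SHA-256 manifest at backup time and then checks a restored copy against it, reporting files that changed, vanished, or appeared. The scenario in `demo()` is constructed: it tampers with the restored copy the way an infected backup would look.

```python
import hashlib
import json
import os
import shutil
import tempfile
from pathlib import Path


def file_sha256(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def write_manifest(source: Path, manifest_path: Path) -> dict:
    """At backup time: record a SHA-256 for every file and store it beside the backup."""
    manifest = {p.relative_to(source).as_posix(): file_sha256(p)
                for p in sorted(source.rglob("*")) if p.is_file()}
    manifest_path.write_text(json.dumps(manifest, indent=1))
    return manifest


def verify_restore(restored: Path, manifest: dict) -> dict:
    """At test-restore time: compare the spun-up copy with the manifest. Files that no
    longer match were changed after the backup was taken (ransomware encrypts in place);
    files the manifest never saw (a ransom note, a dropped binary) are reported too."""
    report = {"ok": [], "modified": [], "missing": [], "unexpected": []}
    for rel, digest in manifest.items():
        path = restored / rel
        if not path.is_file():
            report["missing"].append(rel)
        elif file_sha256(path) != digest:
            report["modified"].append(rel)
        else:
            report["ok"].append(rel)
    for path in sorted(restored.rglob("*")):
        rel = path.relative_to(restored).as_posix()
        if path.is_file() and rel not in manifest:
            report["unexpected"].append(rel)
    return report


def demo() -> dict:
    """Constructed scenario: two files are backed up, the 'restored' copy is then tampered
    with the way an infected backup would look, and the manifest check catches it."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp, "data")
        src.mkdir()
        (src / "ledger.csv").write_text("id,amount\n1,100\n")
        (src / "notes.txt").write_text("quarterly plan\n")
        manifest = write_manifest(src, Path(tmp, "manifest.json"))

        restored = Path(tmp, "restored")
        shutil.copytree(src, restored)
        (restored / "ledger.csv").write_bytes(os.urandom(32))       # encrypted in place
        (restored / "notes.txt").unlink()                           # deleted
        (restored / "README_DECRYPT.txt").write_text("constructed ransom note\n")
        return verify_restore(restored, manifest)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Keep the manifest somewhere the backup job can write but nothing else can, otherwise an attacker who reaches the backup can rewrite the manifest to match. Run the check inside the isolated VM the article describes, before the restored image touches the production network.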

How long can your business survive if your data is unavailable?

It’s important to consider this possibility. It could be a while before your data can be retrieved if it isn’t stored properly. For some, this means weeks without their data. However, your IT support provider can make sure you’re using a proper extensive backup solution so that you can retrieve your data within minutes.

Time is an extremely important factor. Every minute of lost productivity will cost you. Not only in terms of money, but in regard to your reputation with your customers.

You should regularly back up your information to the cloud to protect against data or financial loss if you’re hit with ransomware. Just like you need this protection in the event of a power loss, accidental deletion of data, or a disaster that destroys your servers, you need it to protect your business from ransomware attacks.

Here are some other things that cybersecurity experts recommend:

  • Turn off Remote Desktop Protocol (RDP). It should never be used on any public facing port, and its use should be discouraged anywhere else on a network.
  • Turn on two-factor authentication. Brute force credential attacks won’t work if two-factor authentication is in place.
  • Perform regular audits of your external network for open remote access ports. You can use the Shodan search engine for this.
  • Have robust credentials. Weak credentials make a break-in easier and faster.
  • Use whitelisting. That means keeping a list of the Internet sites your users are allowed to reach, and a list of the outside hosts allowed to reach your network, and blocking everything else.
  • Never allow Windows shares on the public network.
  • Patch religiously. While you need to confirm that a patch will work, it’s critical to apply it promptly. The practice of delaying patches for months or forever is certain to cause problems.
  • Finally, train your employees to recognize threats such as phishing emails.
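The brute force logons SamSam’s operators rely on leave a very recognisable trail in the authentication logs of the exposed host, which is where the audit and two-factor points above pay off. This added Python example (not code from the original article) runs a sliding-window detector over sample logon records: it raises an alert when one source address piles up failed logons within a short window, and a second, louder one if that same address then succeeds over RDP. The log lines are constructed in a simplified one-line format; real Windows events 4625 (failed logon) and 4624 (successful logon) carry the same fields in a much longer body, and logon type 10 is RemoteInteractive, i.e. RDP.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed, simplified log format (assumption); a production version would read the
# real event XML or a SIEM export, but the fields used here are the ones those carry.
LINE = re.compile(r"(?P<ts>\S+) host=(?P<host>\S+) event=(?P<event>\d+) "
                  r"user=(?P<user>\S+) src=(?P<src>\S+) logon_type=(?P<logon_type>\d+)")


def parse(line: str) -> dict:
    m = LINE.match(line)
    if not m:
        raise ValueError(f"unparsed line: {line!r}")
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return rec


def detect(lines, threshold: int = 5, window_s: int = 60) -> list[tuple]:
    """Alert once when a source reaches `threshold` failed logons within `window_s` seconds,
    and again if that source then logs on successfully over RDP (event 4624, type 10),
    which is what a password-guessing run that worked looks like."""
    recent = defaultdict(deque)    # src -> timestamps of failures still inside the window
    already_alerted = set()
    alerts = []
    for rec in (parse(line) for line in lines):
        q = recent[rec["src"]]
        while q and (rec["ts"] - q[0]).total_seconds() > window_s:
            q.popleft()
        if rec["event"] == "4625":
            q.append(rec["ts"])
            if len(q) >= threshold and rec["src"] not in already_alerted:
                already_alerted.add(rec["src"])
                alerts.append(("brute-force", rec["src"], rec["host"], len(q)))
        elif rec["event"] == "4624" and rec["logon_type"] == "10" and len(q) >= threshold:
            alerts.append(("success-after-failures", rec["src"], rec["host"], rec["user"]))
    return alerts


# Constructed sample: a burst of guesses from one address, one honest typo from another.
SAMPLE_LOG = [
    "2018-03-22T02:14:05Z host=fileserver01 event=4625 user=administrator src=198.51.100.7 logon_type=10",
    "2018-03-22T02:14:09Z host=fileserver01 event=4625 user=administrator src=198.51.100.7 logon_type=10",
    "2018-03-22T02:14:12Z host=fileserver01 event=4625 user=admin src=198.51.100.7 logon_type=10",
    "2018-03-22T02:14:15Z host=fileserver01 event=4625 user=jsmith src=192.0.2.5 logon_type=10",
    "2018-03-22T02:14:18Z host=fileserver01 event=4625 user=administrator src=198.51.100.7 logon_type=10",
    "2018-03-22T02:14:22Z host=fileserver01 event=4624 user=jsmith src=192.0.2.5 logon_type=10",
    "2018-03-22T02:14:25Z host=fileserver01 event=4625 user=administrator src=198.51.100.7 logon_type=10",
    "2018-03-22T02:14:31Z host=fileserver01 event=4625 user=administrator src=198.51.100.7 logon_type=10",
    "2018-03-22T02:14:40Z host=fileserver01 event=4624 user=administrator src=198.51.100.7 logon_type=10",
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The "success-after-failures" alert is the one to page someone for: it means the guessing worked, and the next step in the SamSam pattern is the encryption run. With two-factor authentication or with RDP off the public network, as the list recommends, that second alert cannot occur at all.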

Security Awareness Training for your employees is the first step towards protection.

Hackers work 24/7 to obtain access to your confidential information, and using ransomware is one of the easiest ways for them to do this. It’s easier for them to trick your employees than it is to break into a well-secured IT system.

Ransomware succeeds via phishing attacks, where employees are convinced to click a malicious link. Once they do, the virus enters their computer and locks down all the data. Good employees make mistakes. If they aren’t properly trained to recognize a cyber threat, your network and business are vulnerable.

Today’s security solutions are no match for ransomware. This is because the criminals get into your system via your employees’ negligence. Malicious emails coupled with a lack of employee cybersecurity training is the leading cause of successful ransomware attacks.

Ask your IT support partner to conduct regular Security Awareness Training for you and your employees.

When conducted properly, this training will reduce the risk to your organization’s IT systems and limit the chance of a data breach.

It’s essential to train your employees to recognize phishing emails and know what to do if they receive one. Make sure they know how to avoid common dangers like opening attachments from unknown senders. Every employee should participate in this training – and ensure that your IT provider holds refresher courses, as threats are constantly changing.

Don’t wait until a ransomware attack locks up your data. Take steps to protect your business now.

Under Armour’s “Armor Gets Penetrated”

How Much Would It Cost Your Business If This Happened To You?


Have you read the news? According to Reuters, Under Armour Inc., headquartered in Baltimore, Maryland, recently suffered a breach of the private information for their 150 million MyFitnessPal app users.

This is the largest breach this year according to experts. It included account usernames, email addresses, and passwords. Lucky for them, Social Security numbers, driver’s license numbers, and payment card data weren’t stolen, as they usually are in data breaches of this kind.

Once again we learn that keeping up to date on cybersecurity, changing passwords often, and using an IT support provider to implement a layered approach to security is essential if you want your business to stay safe in today’s digital world.

Perhaps, if Under Armour had used these services, they could have prevented this breach. Now, their reputation has been ruined.

Would you trust your private data to them?

I wouldn’t.

With so many data breaches today, they should have known better and considered the privacy of their customers. How can they salvage their credibility now?

As a business technology professional, I know that data protection costs much less than what I’d face from a breach – legal liability, fines, and lost customers.

With the rising number of cyber thefts, numerous lawsuits have been filed against businesses like Under Armour. In the last few years, data breaches have become so prevalent that it’s almost commonplace to hear that a company has been breached.

Learning that all their personal information is in the hands of thieves causes a significant change in the behavior of customers. One study found that consumers who learned of a data breach at their favorite retail store significantly cut back on their purchases.

With over 1,500 data breaches in 2017, consumers responded in this way:

  • 84 percent said they might not consider doing business with a retailer who had experienced a data breach.
  • 57 percent of holiday shoppers felt that identity theft and data breaches would be a significant threat during the holiday season.
  • Four in 10 consumers said they believed businesses aren’t doing the best they can to protect them.
  • 38 percent said they weren’t sure all companies were doing everything possible to stop data breaches.

I know that my business has the best cybersecurity and IT management that money can buy. I take full responsibility for this and all my customers’ private data.

After what I’ve learned, this is what I would tell the CEO of Under Armour, and others to do from now on:

Protecting your security isn’t only a job for your IT support provider but one for you as a CEO as well. You must understand that any interruption in your information systems can hinder your operations, negatively impact your reputation, and compromise your customers’ private data.

Many CEOs don’t fully understand this. They spend their energy developing new products and services and managing current ones. Security comes second. Maybe they’re unaware of the risks or feel that it’s solely an IT concern. Some may not be very technical and are afraid to discuss what could be an intimidating topic, but this isn’t wise.

The Department of Homeland Security recommends five questions that CEOs should ask themselves to lower the risk of cyber attacks:

1) What is the current level and business impact of cyber risks to our company? What is our plan to address identified risks?

2) How is our executive leadership informed about the current level and business impact of cyber risks to our company?

3) How does our cybersecurity program apply industry standards and best practices?

4) How many and what types of cyber incidents do we detect in a normal week? What is the threshold for notifying our executive leadership?

5) How comprehensive is our cyber-incident response plan? How often is the plan tested?

We also need to train our employees on cybersecurity practices like recognizing phishing attacks and using secure passwords. The folks at OneSource handle this for us. Here are some of the topics they cover:

Lesson 1: Ignore Ransomware-Threat Popups and Don’t Fall for Phishing Attacks.

These threats look like they’re from an official entity like the IRS or FBI. If a screen pops up that says you’ll be fined if you don’t follow its instructions, beware! If you follow them, the criminal will encrypt all your data and prevent you and your employees from accessing it.

Watch out for messages that:

  • Try to solicit your curiosity or trust.
  • Contain a link that you must “check out now”.
  • Contain a downloadable file like a photo, music, document or pdf file.

Don’t believe messages that contain an urgent call to action, such as ones that:

  • Claim an immediate problem that requires you to verify information.
  • Urgently ask for your help.
  • Ask you to donate to a charitable cause.
  • Tell you that you are a “Winner” in a lottery or other contest, or that you’ve inherited money from a deceased relative.

Be on the lookout for messages that:

  • Respond to a question you never asked.
  • Create distrust.
  • Try to start a conflict.

Watch for flags like:

  • Misspellings
  • Typos
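The indicators in Lesson 1 can be turned into a simple triage score that an employee or a mail filter can apply before anyone clicks. The following is an added example written for this page, not code from the original post or from OneSource; it parses a message's headers, links and attachments and reports which indicators fired. The phrase lists are illustrative assumptions rather than a vetted rule set, and the two messages at the bottom are constructed samples, not real mail.

```python
"""Triage a message against the phishing indicators from Lesson 1.

Added example written for this page, not code from the original post or
from OneSource. The phrase lists are illustrative assumptions, and the two
messages at the bottom are constructed samples, not real mail.
"""
import re
from dataclasses import dataclass, field
from html.parser import HTMLParser
from typing import List, Tuple
from urllib.parse import urlparse

# Wording typical of an "urgent call to action" (assumed list, not exhaustive).
URGENCY_PHRASES = (
    "check out now", "immediately", "urgent", "verify your", "final notice",
    "you will be fined", "within 24 hours", "account will be suspended",
)
# Lures: prizes, inheritances, charity appeals.
LURE_PHRASES = (
    "winner", "lottery", "inherited", "inheritance", "deceased relative",
    "donate", "charitable",
)


@dataclass
class Message:
    sender: str                      # address in the From: header
    reply_to: str                    # address in Reply-To:, "" if absent
    subject: str
    html_body: str
    attachments: List[str] = field(default_factory=list)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs so the two can be compared."""

    def __init__(self) -> None:
        super().__init__()
        self.links: List[Tuple[str, str]] = []
        self._href = None
        self._text: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _domain(value: str) -> str:
    """Host part of a URL, or the domain part of an e-mail address."""
    if re.match(r"^[a-z][a-z0-9+.-]*://", value, re.I):
        return (urlparse(value).hostname or "").lower()
    if "@" in value:
        return value.rsplit("@", 1)[1].lower()
    return value.lower()


def score_message(msg: Message) -> Tuple[int, List[str]]:
    """Return (number of indicators fired, human-readable reasons)."""
    reasons: List[str] = []
    text = (msg.subject + " " + re.sub(r"<[^>]+>", " ", msg.html_body)).lower()

    hits = [p for p in URGENCY_PHRASES if p in text]
    if hits:
        reasons.append(f"urgent call to action: {hits}")
    hits = [p for p in LURE_PHRASES if p in text]
    if hits:
        reasons.append(f"prize/inheritance/charity lure: {hits}")

    collector = _LinkCollector()
    collector.feed(msg.html_body)
    for href, shown in collector.links:
        # Link text that looks like a URL but resolves to a different host.
        if re.match(r"^https?://", shown, re.I) and _domain(shown) != _domain(href):
            reasons.append(f"link text shows {_domain(shown)} but points to {_domain(href)}")
        if href.lower().startswith("http://"):
            reasons.append(f"unencrypted http:// link: {href}")

    if msg.reply_to and _domain(msg.reply_to) != _domain(msg.sender):
        reasons.append("Reply-To domain differs from the From domain")

    if msg.attachments:
        reasons.append(f"carries downloadable files: {msg.attachments}")

    return len(reasons), reasons


# Constructed samples (not real messages).
PHISH = Message(
    sender="notices@irs-gov-notices.example",
    reply_to="collect@mail-relay.example",
    subject="FINAL NOTICE: you will be fined unless you verify your account",
    html_body=('<p>Pay the attached invoice at <a href="http://198.51.100.7/pay">'
               'https://www.irs.gov/payments</a> immediately.</p>'),
    attachments=["invoice_4471.pdf"],
)
LEGIT = Message(
    sender="newsletter@example.com",
    reply_to="",
    subject="March product update",
    html_body=('<p>Release notes are at <a href="https://www.example.com/notes">'
               'https://www.example.com/notes</a>.</p>'),
)

if __name__ == "__main__":
    for m in (PHISH, LEGIT):
        n, why = score_message(m)
        print(f"{m.subject!r}: {n} indicator(s)", *why, sep="\n  ")
```

The constructed sample trips five indicators: the urgent wording, link text that shows one host while the href points at another, a plain http:// link, a Reply-To on a different domain than the sender, and an attachment. A single indicator is rarely conclusive (legitimate invoices have attachments too), which is why the function returns the reasons rather than a verdict.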

Lesson 2: Always Use Secure Passwords.

  • Never use words found in the dictionary or your family names.
  • Never reuse passwords across your various accounts.
  • Never write down your passwords.
  • Consider using a Password Manager (e.g., LastPass or 1Password).
  • Use password complexity (e.g., P@ssword1).
  • Create a unique password for work.
  • Change passwords at least quarterly.
  • Use passwords with 9+ characters. Time for a criminal to crack a password, by length:
    • 5 characters: 16 minutes
    • 6 characters: 5 hours
    • 7 characters: 3 days
    • 8 characters: 4 months
    • 9 characters: 26 years
    • 10+ characters: centuries
  • Turn on Two-Factor Authentication if it’s available.

Lesson 3: Keep Your Passwords Secure

  • Don’t email them.
  • Don’t include a password in a non-encrypted stored document.
  • Don’t tell anyone your password.
  • Don’t speak your password over the phone.
  • Don’t hint at the format of your password.
  • Don’t use the “Remember Password” feature of application programs such as Internet Explorer, Portfolio Center or others.
  • Don’t use your corporate or network password on an Internet account that doesn’t have a secure login, i.e., where the web browser address starts with http:// instead of https://. If the web address begins with https://, your computer is talking to the website over an encrypted connection that no one can eavesdrop on. There should be a small lock next to the address. If not, don’t type in your password.

Lesson 4: Back Up Your Data Onsite/Remotely and Securely

  • Maintain at least three copies of everything.
  • Store all data on at least two types of media (one offsite in a secure enterprise cloud solution).
  • Keep a copy of your data in an alternate location.

If you haven’t backed up your data, and you’re attacked, it’s gone forever.
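The three rules in Lesson 4 (three copies, two media types, one offsite) are only worth anything if the copies are actually intact when you need them, so a backup job should be followed by a verification pass. The following is an added example written for this page, not code from the original post; it builds a SHA-256 manifest of the source and checks each copy against it, then checks that the copies that survived the comparison still satisfy the 3/2/1 rule. The "media" here are ordinary directories under a temporary folder standing in for local disk, NAS and cloud storage, and the media and offsite labels are constructed assumptions.

```python
"""Verify a backup set against Lesson 4: at least three copies, on two
different media types, one of them offsite, and every copy byte-identical
to the source (SHA-256 manifest).

Added example written for this page, not code from the original post. The
"media" are plain directories under a temp folder standing in for local
disk, NAS and cloud storage; the media/offsite labels are assumptions.
"""
import hashlib
import shutil
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple


def manifest(root: Path) -> Dict[str, str]:
    """Map each file under root (relative path) to its SHA-256 hex digest."""
    return {str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_backup_set(source: Path, copies: List[dict]) -> List[str]:
    """copies: [{"path": Path, "media": str, "offsite": bool}, ...]

    Returns findings; an empty list means every copy matches the source and
    the intact copies satisfy 3 copies / 2 media / 1 offsite. Only backup
    copies are counted, not the live source, so the rule is applied strictly."""
    findings: List[str] = []
    expected = manifest(source)
    intact = []
    for c in copies:
        actual = manifest(c["path"])
        missing = sorted(set(expected) - set(actual))
        corrupt = sorted(f for f in expected if f in actual and actual[f] != expected[f])
        if missing or corrupt:
            findings.append(f"{c['path'].name}: missing={missing} corrupt={corrupt}")
        else:
            intact.append(c)
    if len(intact) < 3:
        findings.append(f"only {len(intact)} intact copies (need 3)")
    if len({c["media"] for c in intact}) < 2:
        findings.append("intact copies are not on two different media types")
    if not any(c["offsite"] for c in intact):
        findings.append("no intact offsite copy")
    return findings


def demo() -> Tuple[List[str], List[str]]:
    """Build a constructed source tree and three copies, then verify before and
    after one onsite copy is overwritten (what ransomware that reaches a
    mounted backup share does to it)."""
    tmp = Path(tempfile.mkdtemp())
    try:
        src = tmp / "source"
        (src / "ledger").mkdir(parents=True)
        (src / "ledger" / "q1.csv").write_text("date,amount\n2018-01-05,120.00\n")
        (src / "notes.txt").write_text("constructed sample data\n")
        layout = (("disk_copy", "disk", False),
                  ("nas_copy", "nas", False),
                  ("cloud_copy", "cloud", True))
        copies = []
        for name, media, offsite in layout:
            shutil.copytree(src, tmp / name)
            copies.append({"path": tmp / name, "media": media, "offsite": offsite})
        before = verify_backup_set(src, copies)
        # One onsite copy gets overwritten; the manifest comparison must catch it.
        (tmp / "nas_copy" / "notes.txt").write_bytes(b"\x00 overwritten \x00")
        after = verify_backup_set(src, copies)
    finally:
        shutil.rmtree(tmp, ignore_errors=True)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before:", before or "OK")
    print("after: ", after or "OK")
```

The second verification reports both the corrupted file and the fact that only two intact copies remain; the media and offsite rules still pass because the disk and cloud copies are untouched. That is exactly the situation in which the offsite copy earns its keep, and it is why the rule counts intact copies rather than copies that merely exist.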

Lesson 5: Secure Open Wi-Fi with a VPN.

  • Don’t go to sites that ask for your personal information, such as your username or password.
  • Use a VPN whenever possible, and limit yourself to sites whose address starts with https://.
  • Don’t connect if all the Wi-Fi networks you have ever accessed appear as “Available”.

We have our tech support professionals train our employees a few times a year because the threats keep changing. Plus, we have them conduct Vulnerability Assessments to make sure our cybersecurity “armor” stays strong and intact.

Don’t risk your data. Keep your data secure and your employees educated. I recommend that, if you’re in an area they serve, you contact us immediately.


How Being Healthy Can Ruin Your Life

Do you have a device or app into which you enter personal information to track what you eat, what you do for exercise, how much you weigh, where you live, and when you leave your home every day to go work out? Well, if you use MyFitnessPal, you may be 1 of 150 million users whose data may have been compromised.

Under Armour Breach

Baltimore’s Under Armour announced Thursday evening (March 29th) that they experienced a data breach exposing usernames, email addresses, and hashed passwords of 150 million users of the popular MyFitnessPal app:

“Under Armour is working with leading data security firms to assist in its investigation, and is also coordinating with law enforcement authorities,” the company said in a statement. “The investigation indicates that the affected information included usernames, email addresses, and hashed passwords — the majority used the hashing function called bcrypt used to secure passwords.”

Under Armour will require all users to change their passwords and is “urging users to do so immediately.” They are also encouraging their users to keep an eye out for suspicious activity within their accounts.

What should you do?

If you receive an email that claims your personal MyFitnessPal information has been hacked, and that you need to click on links to change your password or open attachments to find out how to protect yourself, be very careful:

  • Don’t click on links,
  • Don’t open attachments, and
  • If there’s a reference to a website with more information, type the web address into your browser. Don’t click the link.

Most importantly, change your password not only in your MyFitnessPal application but anywhere else you use that password or even a variation of that password. 
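"Anywhere else you use that password or even a variation of that password" is the part people skip: Summer2017 becoming Summer2018! is no protection once the first one has leaked, because appending digits and swapping @ for a are among the first transformations password-cracking rule sets try. The following is an added example written for this page, not code from the original post; it checks a candidate password against the Lesson 2 rules from the article above (9+ characters, complexity, no dictionary words or family names) and, for the situation described here, reports whether the candidate is merely a variation of a password that is already exposed. WORDLIST is a tiny constructed stand-in for a real dictionary and name list, the LEET substitution table is an assumption, and the exposed password in demo() is constructed.

```python
"""Check a candidate password against the Lesson 2 rules and detect
"variations" of an already-exposed password, the case the MyFitnessPal
advice warns about.

Added example written for this page, not code from the original post.
WORDLIST is a tiny constructed stand-in for a real dictionary/name list,
and the exposed password in demo() is constructed.
"""
import string
from typing import List, Sequence

# Constructed stand-in; a real check would use a full dictionary plus the
# family names and company terms relevant to the user.
WORDLIST = {"password", "welcome", "summer", "baltimore", "smith", "jones"}

# Substitutions that cracking rule-sets undo before trying a dictionary word
# (assumed table, not exhaustive).
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                      "0": "o", "$": "s", "5": "s", "7": "t"})


def normalize(pw: str) -> str:
    """Reduce a password to the dictionary word it is built on.

    Strips leading/trailing digits and symbols (Summer2018! -> Summer),
    then undoes leet substitutions and case (P@55w0rd -> password)."""
    core = pw.strip(string.digits + string.punctuation)
    return core.translate(LEET).lower()


def is_variation(candidate: str, exposed: str) -> bool:
    """True when candidate and exposed share the same core, i.e. differ only
    by case, leet substitutions or leading/trailing digits and symbols."""
    core = normalize(candidate)
    return core != "" and core == normalize(exposed)


def check_policy(pw: str, exposed: Sequence[str] = ()) -> List[str]:
    """Return the Lesson 2 rules the password breaks; an empty list means it passes."""
    problems: List[str] = []
    if len(pw) < 9:
        problems.append("shorter than 9 characters")
    classes = (any(c.islower() for c in pw), any(c.isupper() for c in pw),
               any(c.isdigit() for c in pw), any(c in string.punctuation for c in pw))
    if sum(classes) < 3:
        problems.append("uses fewer than 3 of: lower, upper, digit, symbol")
    core = normalize(pw)
    if core in WORDLIST:
        problems.append(f"built on the dictionary word or name '{core}'")
    if any(is_variation(pw, old) for old in exposed):
        problems.append("variation of a password that was already exposed")
    return problems


def demo() -> dict:
    """Run the check on a few constructed candidates."""
    exposed = ["summer2017"]          # constructed: a password leaked elsewhere
    return {pw: check_policy(pw, exposed)
            for pw in ("P@ssword1", "Summer2018!", "Rainy-Bike-47-Lamp")}


if __name__ == "__main__":
    for pw, problems in demo().items():
        print(f"{pw:20} {'OK' if not problems else '; '.join(problems)}")
```

Note what the check says about P@ssword1: it satisfies the length and complexity rules, yet it normalizes straight back to "password" and is rejected on the dictionary rule. Complexity on top of a dictionary word is not the same as an unpredictable password, which is why the article's separate advice to use a password manager matters.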

Don’t let your quest to live a healthier lifestyle be the opening for a hacker to ruin your life.

The Lesson You Should Learn From This

That is how hackers get past all the expensive security that banks and financial institutions have: by getting your password from a less secure source!


What Would You Invent To Stop Time?

Time Stand Still

Do you wish you knew more tech tricks to help you make your gadgets work smarter for you and save you time? See how to use your iPad as a second laptop screen, how to set time limits for using a Chrome browser, how to schedule an email to send at a certain time in Gmail, and more!

Technology exists to improve our lives. The fundamental purpose behind technology was man being driven to find new ways to do things to make life easier for mankind. The first form of technology recorded? What would you think – black and white television? The telegraph allowing expedited long-distance communication? Think back even further – much, much further. If the fundamental principle of technology is to make life easier for man, are the earliest examples of technology manmade weapons and fire?

Obviously, we’ve come a long way since stone weapons and fire, all the way to robotics and artificial intelligence, and then some – though we’re still waiting for the day when we all have flying cars like the Jetsons. Think about the ways you use technology every day. Do you listen to music in the car, on the bus or train, or while jogging? Do you brew coffee or tea in a Keurig? Are you reading this on a computer or mobile device? Do you use an alarm clock?!

We take tech for granted. It’s just. . . there. Think back to when the remote control became mainstream, and how that one chunky plastic box – the “clicker” – not only changed the world but revolutionized households. No longer did kids fight over whose turn it was to get up and change the channel. The first vehicle key fob is widely considered to have been introduced by the French in 1982 for the Renault Fuego, just after Ford debuted the keyless entry system – by keypad – in 1980. Not only do the vast majority of passenger cars come standard with remote keyless entry devices now, but more are being equipped with push-button start capabilities – or even remote-controlled start-up, from the comfort of inside your home, office, or from a distance on a very hot or cold day.

Now that we’ve got you thinking about how you use technology each day, shift your thoughts to how you can “up your game”. You’re barely scratching the surface of what your tech can do for you.

Incredible iPad Trick

Are you in the camp that never has enough screen space? A few dozen tabs open in your web browser window, email, plus a few documents and spreadsheets for work clutter your screen space – and make your computer run slower. And if you’re on a laptop, you have even less screen real estate to start with! But what if you could use your iPad as a second screen for your laptop?

You can! Don’t believe us? Try downloading the Duet Display app and voila! Connect your iPad to your laptop using the sync/charging cable, and you’re all set.

Smartphone Scanner

Now this one is a doozy! Did you know your smartphone can work like a scanner? No, we don’t mean by taking one picture of a document. There are free apps out there, like Adobe Scan or Evernote Scannable, that allow you to turn your smartphone into a scanner to scan documents like forms, receipts, business cards, and more by using the camera on your phone.

Productivity Over Procrastination

Ah, Google. You know people too well…

And sometimes it’s downright creepy. But this handy little helper is pretty cool! There is an extension for Google’s Chrome browser, called StayFocusd, that allows you to set a time to let your mind wander and get lost in the darkest corners of the Internet – or at least surf aimlessly for a pre-set interval. The default setting is 10 minutes, but you can change this depending on your needs. Once your mental break is over, Chrome basically locks you out and disables access forcing you to resume being productive.

Scheduled Sends

You know the email message you want to type, but now isn’t the right time to send it. Email marketing platforms are great for this type of structured send, but the focus of these solutions is to send to email lists rather than from a single sender to a single recipient. There is an add-on for Gmail called Boomerang that facilitates scheduled sending for email.

Time Management

Ever wonder how you’re spending your time? Are you making the most of your day? Eternity Time Log is a time-tracking app to see how you’re spending your time, broken out by personal time, time spent devoted to professional productivity, and sees where interruptions occur – all in the name of organization.

Solar Power

The ancient Egyptian god of the sun, Ra, was believed to have created all forms of life and ruled over all parts of the created world: the sky, the earth, and the underworld. Man was believed to have been created from Ra’s sweat, and Ra represented light, growth, and warmth.

After reading this, it’s the understatement of the year to say that the sun is a good source of power…but it’s literally a great source of solar power. The SolPro Charger can soak up the sun’s rays and fully charge a smartphone with 90 minutes of exposure. Bonus: the charger can send power to your smartphone battery even as the SolPro is itself absorbing solar power.

If you had magical powers to stop time, how would you use it? Would you catch up on email correspondence? Would you read that best-seller you’ve been meaning to read for months now? Would you have a Netflix marathon? Would you catch up on a decade of sleep? Would you find the best way to organize your email inbox, filing cabinet, contact lists, or any number of other items that you’ve neglected for months?

Or would you – and here’s the genius move – use those powers to invent a device that could do all of this for you using the most advanced technology available, and make your own life easier? I think we know the answer.

Also, flying cars.

Why We Are Always On The Move!

Bralin Technology Solutions invented a way to stop time! No, not really, but it sure felt like it last month. February held so much to see and do that if we ever sat still, we risked missing something important – and that’s not fair for YOU!

Computer Support in North Battleford

The team at Bralin Technology Solutions fit several fantastic events into the shortest month of the year, really ramping up 2018 in style! We participated in major events in February, and we want to share everything we learned – read on for the details.

February was a busy time for Bralin, and the excitement was palpable. The 2018 Saskatchewan Winter Games were hosted by North Battleford mid-month, and top young athletes from all over the province flocked to Saskatchewan to compete in 17 sports competitions. Since 1972, the Games have promoted community development, cultural understanding, and stewardship, as well as public awareness for amateur sports. Participants of the Games often go on to advance to higher levels of athleticism with progressive skills and athletic motivation. We were excited for the opportunity to support the Games as a sponsor this year. To read more about the Games, the athletes, the sports, or the history of the competition, more details can be found at the Saskatchewan Winter Games website. Be sure to visit the photo galleries and see pictures from past events, and don’t miss this year’s pictures.

Also in February, we were thrilled with the opportunity to participate in the Agri-Visions Conference and Trade Show at the wonderful Lloydminster Agricultural Exhibition Association facilities, a multi-day interactive event that showcases all things related to the agriculture industry, including seminars, demonstrations, special events, a full trade show, and featuring keynote speakers to discuss topics and present agricultural insights and information. This event is a must-attend for those seeking the latest information on both grain and cattle industries, presented in the same location and offering a rare opportunity to encounter seasoned experts discussing topics like Economic Drivers in Agriculture for 2018, Sustainable Trends in Livestock, Combine Innovations, Regulatory Actions and Impact on the Farmer, and much more. We gladly sponsored the opening speaker session at The Lloydminster Agri-Visions 2018, Tim Hammond from Hammond Realty who spoke on Trends in Farm Land Values. If you’re curious about the event, visit the Agri-Visions website and keep an eye out for 2019 information, coming soon.

We were offered the chance to participate in the Lloydminster Chamber of Commerce and Lloydminster Dreamforest Soup’r Lunch and Learn series, and we couldn’t wait! The Lunch and Learn series is a collection of free events at mid-day during the workweek where highly-experienced professionals talk about the sometimes-sensitive topics modern professionals face in the digital age. Jeremy Reynoldson and Paul Melrose-Wyatt talked about a very prevalent topic today, presenting ‘Navigating Through Tech Challenges’ to a group of eager professionals sharing the same concerns:

  • Bandwidth issues
    • Helping people understand that, at its most basic level, bandwidth is the overall transmission capacity of a network.
  • Password management
    • How many characters the most secure passwords should have at minimum, and how many uppercase letters, how many numbers, how many special symbols.
    • How often passwords should be changed – for the record, at least quarterly!
    • Maintaining unique passwords for different accounts – otherwise, you may as well just give the hackers your password!
  • Phishing
    • When someone is posing as someone you trust, like a bank or financial institution, trying to get you to divulge sensitive information, like credit card details, usernames, and passwords.
    • Phishing scams are getting much more sophisticated in response to training, awareness, and protective software.
  • Ransomware
    • A newer “spin” on malware – a consolidated way to say “malicious software” – where hackers access a victim’s computer and plant ransomware that not only prevents users from accessing and using their files but demands that a fee, a ransom, be paid to remove the block.
    • Often, when the fee is paid, there is nothing to prevent the hacker from immediately reactivating the ransomware. Victims need to be prepared, or better yet, prevent ransomware from accessing a network or machine altogether.
  • Trends in software applications
    • What’s old?
    • What’s new?
    • What’s good?
    • What’s bad?
  • The Hippest, Hottest, Most Rad Trends Today
    • Microsoft Office has been the workplace staple, the desktop darling, since the early 1990s. Microsoft jumped on board the subscription service model, along with Adobe and Amazon, with a public launch of Office 365 in 2011. More workforces are migrating toward this subscription trend, as it is accessible from anywhere – desktop, laptop, tablet, you name it; wherever your office is at that moment is where Office 365 is. Part of the Microsoft suite of productivity packages for professionals, Office 365 also integrates seamlessly with other applications like SharePoint and OneDrive, which are fantastic features for file storage – and easy access!

February brought us some amazing opportunities at Bralin, and we can’t wait to share with you what March and the rest of 2018 have in store for us.

Stay tuned! For more information, get in touch with us right away at (306) 445-4881 or (306) 825-3881 or info@bralin.com.

1 Breach A Day Is 1 Breach Too Many! Take Note – HIPAA Fines Have Increased

The healthcare sector fell victim to more than 330 data breaches in 2017 – nearly one per day. Will you be next?

HIPAA Breaches

Large-scale ransomware attacks like WannaCry (which hit 112 countries) struck the industry with a scary new reality: Hackers will find a way in and – regardless of safeguards taken — hospitals will get hit.

And there’s more bad news – the fines for noncompliance with HIPAA regulations have reached new heights! HHS recently increased the penalties for HIPAA violations:

  • No Knowledge (Covered Entity did not know about the violation): $112 to $55,910 per violation
  • Reasonable Cause (less than Willful Neglect): $1,118 to $55,910 per violation
  • Willful Neglect (violation corrected): $11,182 to $55,910 per violation
  • Willful Neglect (violation not corrected): minimum penalty of $55,910 per violation, with no maximum

And, in addition to civil penalties for noncompliance, you could be liable for criminal penalties that include fines, imprisonment or both!

These fines are expected to continue to increase. Have you recently reviewed your HIPAA data-protection policies and procedures? If not, you should.

The really sad news is that these data breaches could have been prevented.

One of these offenders didn’t even take the time to undergo a Vulnerability Assessment to determine if there were any gaps in their IT security posture.

And they said they couldn’t show that they did everything that could have reasonably been done to protect their patients’ private data.

This is unforgivable.

Would you trust your family’s electronic Protected Health Information (ePHI) to a clinic that didn’t take precautions to protect it? — I doubt that you would.

When this happens, word gets around and patients simply move on to another medical professional.

Keep reading because we’re going to tell you about some of the worst data breaches over the past year. Plus, we’ll tell you what regulators are looking for and how to prevent non-compliance.

HHS/HIPAA #1 Offender – MedStar Health Maryland

MedStar Health is the 2nd biggest healthcare system in Maryland. Wouldn’t you think they’d know better than to leave their patients’ protected information at risk?

Unfortunately, they weren’t well prepared. They were hit with a ransomware attack where their data was held ransom and under the control of criminals.

As a result, their 30,000 employees and 6,000 physician affiliates couldn’t access their electronic health records (EHRs) and much-needed patient information. They also couldn’t use their computers. Instead, they had to resort to using paper and pencils! As a result, some patients were turned away.

Would you go to MedStar or one of their affiliates now? I wouldn’t. There are many other providers in the DC Metro Area, Maryland and Virginia that I could take my business to.

The hackers demanded a ransom payment in bitcoins at an equivalent of $1,250 per patient record, or $18,500 to unlock them all. And worse, the criminals’ demand didn’t clearly state that they also wanted a separate 45-bitcoin payment to unlock each affected MedStar network!

HHS/HIPAA #2 Offender – Banner Health Phoenix, Arizona

Banner Health is a major hospital system. Its payment processing network was penetrated by hackers in their food stations. And, because these computers were connected to the rest of Banner’s IT network, the hackers gained access to more than 4 million patient records! This included patients’ names, birthdates, addresses, claims information, medical information, and Social Security Numbers! In other words, “the works!”

What a disaster!

And guess what hackers do with this data? They sell it! A record that contains a name, address and Social Security number can sell for $1 to $3 on the black market. And, a detailed medical record (ePHI) with unique patient identifying numbers can fetch up to $100!  

Imagine the negative publicity Banner got. Not to mention the effect on their insurance rates – if they can even get insurance now!

HHS/HIPAA #3 Offender – Advocate Health Care Network

Advocate Health in Illinois, one of the nation’s biggest healthcare systems, had to pay a $5.55 million fine to HHS due to a breach that compromised the electronic data of 4 million patients.

To date, this is the single largest penalty levied against a single entity for a HIPAA violation.

According to HHS, the compromised patient records included people’s names, addresses, dates of birth, credit card numbers with expiration dates, demographic information, clinical information and health insurance information!

The HHS investigation also revealed that Advocate Health Care failed to:

  1. Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to all of its ePHI.
  2. Implement policies and procedures and facility access controls to limit physical access to the electronic information systems housed within a large data support center.
  3. Obtain satisfactory assurances in the form of a written business associate contract that its business associate would appropriately safeguard all ePHI in its possession.
  4. Reasonably safeguard an unencrypted laptop when left in an unlocked vehicle overnight.

Are you following these 4 requirements? If not, you could be fined as well.

Is Your Healthcare Organization HIPAA Compliant?

Being HIPAA compliant doesn’t necessarily mean that your data is secure. Hackers’ tactics are more sophisticated than ever before. This is a big business, and it’s easy for criminals to get into the hacking game.

Cybercriminals have new and more effective ways of stealing your data, and they try new techniques every day.

HIPAA law, although updated, just can’t keep up with all of these new attack vectors. It’s up to you to stay abreast of the cyber threat landscape and protect your health organization.

You must ensure your ePHI privacy, protect it from anticipated cyber threats, and employ security measures to protect against the latest threats.

At a minimum, you must comply with § 164.306 – Security standards: General rules.

(a) General requirements. Covered entities and business associates must do the following:

(1) Ensure the confidentiality, integrity, and availability of all electronic protected health information you or your business associate creates, receives, maintains, or transmits.

(2) Protect against any reasonably anticipated threats or hazards to the security or integrity of such information.

(3) Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required under subpart E of this part.

(4) Ensure compliance with this subpart by its workforce.

(b) Flexibility of approach.

(1) Covered entities and business associates may use any security measures that allow the covered entity or business associate to reasonably and appropriately implement the standards and implementation specifications as specified in this subpart.

(2) In deciding which security measures to use, a covered entity or business associate must take into account the following factors:

(i) The size, complexity, and capabilities of the covered entity or business associate.

(ii) The covered entity’s or the business associate’s technical infrastructure, hardware, and software security capabilities.

(iii) The costs of security measures.

(iv) The probability and criticality of potential risks to electronic protected health information.

Do you agree that these rules leave some room for interpretation? The HIPAA language is deliberately written this way to allow a flexible approach, and that flexibility can make it difficult to know where you stand.

That’s why it’s essential that you either have a HIPAA IT Professional on your staff, or contract with an IT Managed Service Provider (MSP) in your area who has this expertise.

To make matters worse, you also have to worry about the HITECH Act and its 4 tiers of increasing penalties.

The Health Information Technology for Economic and Clinical Health (HITECH) Act was signed into law on February 17, 2009, to promote the adoption and meaningful use of health information technology.

Subtitle D of the HITECH Act addresses the privacy and security concerns associated with the electronic transmission of health information, in part, through several provisions that strengthen the civil and criminal enforcement of the HIPAA rules.

Section 13410(d) of the HITECH Act, which became effective on February 18, 2009, revised section 1176(a) of the Social Security Act (the Act) by establishing:

  • Four categories of violations that reflect increasing levels of culpability:
    – Unknowing. The covered entity or business associate did not know and reasonably should not have known of the violation.
    – Reasonable Cause. The covered entity or business associate knew, or by exercising reasonable diligence would have known, that the act or omission was a violation, but the covered entity or business associate did not act with willful neglect.
    – Willful Neglect (corrected). The violation was the result of conscious, intentional failure or reckless indifference to fulfill the obligation to comply with HIPAA. However, the covered entity or business associate corrected the violation within 30 days of discovery.
    – Willful Neglect (uncorrected). The violation was the result of conscious, intentional failure or reckless indifference to fulfill the obligation to comply with HIPAA, and the covered entity or business associate did not correct the violation within 30 days of discovery.
  • Four corresponding tiers of penalty amounts that significantly increase the minimum penalty amount for each violation; and
  • A maximum penalty amount of $1.5 million for all violations of an identical provision.

It also amended section 1176(b) of the Act by:

  • Striking the previous bar on the imposition of penalties if the covered entity did not know and with the exercise of reasonable diligence would not have known of the violation (such violations are now punishable under the lowest tier of penalties); and
  • Providing a prohibition on the imposition of penalties for any violation that is corrected within a 30-day time period, as long as the violation was not due to willful neglect.

We need a lawyer to interpret all of this!

How are you supposed to see your patients and interpret/comply with these strictly enforced rules?

You can’t. You need the advice of an IT Expert who understands HIPAA and HITECH regulations, one who can help you not only comply but also ensure your ePHI is safe and secure 24/7.

Don’t take chances with federal regulators or risk a HIPAA audit. Seek the counsel of your local HIPAA IT Expert / IT Managed Services Provider.