A Practical Approach to the Safe Harbor Law with 1st Healthcare Compliance

Host Catherine Short welcomes Raymond Ribble, CEO and Founder at SPHER, Inc., on the topic of “A Practical Approach to The Safe Harbor Law.” HIPAA data breach penalties are typically measured in millions of dollars, even when the organization had implemented NIST Cybersecurity Framework measures. With the HIPAA Safe Harbor Law, signed in January 2021, HHS and OCR must now take an organization’s recognized security practices into account when determining penalties. It is important to understand that, despite its name, the law does not provide a true safe harbor: it offers mitigation, not immunity. This episode will examine what the recognized security practices for healthcare are, and how to adjust your organization’s security program so that breach penalties are mitigated if an event occurs.

Data Access Protection: A Critical Part of Security | SecurityMetrics Podcast 69

Early detection of unauthorized access to electronic Protected Health Information (ePHI) is critical to preventing breaches and meeting HIPAA requirements. The co-founders of SPHER, Inc., Raymond Ribble, CEO, and Robert Pruter, Chief Revenue Officer, sit down with Host and Principal Security Analyst Jen Stone (MCIS, CISSP, CISA, QSA) to discuss:

  • Why it’s critical to know who is accessing patient data

  • How to know who is accessing critical data

  • Real-world stories of unauthorized access and what to do about it

Hosted by Jen Stone, Principal Security Analyst (MCIS, CISSP, CISA, QSA)

[Disclaimer] Before implementing any policies or procedures you hear about on this or any other episode, make sure to talk to your legal department, IT department, and any other department assisting with your data security and compliance efforts.

Digital Transformation of Healthcare and Finance: The Role of Blockchain, Fintech and AI

The conference brings together business leaders, academics, administrators and students from across the globe to exchange ideas and discuss challenges and opportunities—including the latest business, technology and healthcare trends. You are invited to attend the 2022 joint conference that focuses on recent advances in healthcare IT and financial technology (fintech), both of which will substantially impact businesses and society.

How to Prevent Employee Snooping and Insider Threats

First Healthcare Compliance hosts Raymond Ribble, CEO and Founder at SPHER, Inc., a market-leading compliance analytics and cybersecurity solution addressing HIPAA compliance, state privacy laws, and ePHI security threats, for an interactive discussion on “How to Prevent Employee Snooping and Insider Threats.” Snooping and insider threats are exactly why user monitoring and ePHI access strategies are vital to protecting sensitive patient information. While it is an unsettling thought, not every cybersecurity incident traces back to employee negligence. With so much attention and money surrounding cybersecurity in the healthcare industry, malicious employees may decide to disclose patient information on purpose. Because employees and contractors may know your network layout, its weaknesses, and its access credentials, a snooping insider with malicious intent holds the keys to exposing your organization to a range of unwanted risks and threats. This webinar will cover the following objectives:

1. Identify the warning signs of unauthorized access by employees and contractors

2. Provide guidelines to prevent snooping

3. Provide insight and procedures to detect insider threats

How AI Improves EMR Auditing

Healthcare providers and clinic managers hold three common myths about EMR user-activity auditing.

Myth #1 – The electronic medical record (EMR) automatically does all the auditing; I don’t have to do anything

Myth #2 – I don’t have to audit my users; I know them

Myth #3 – I won’t have to worry about this until I have a breach

Rob Pruter, the User Monitoring Expert at SPHER, is my guest on this episode of Practice Management Nuggets For Your Healthcare Practice! He shares how to protect your practice and your patients with Artificial Intelligence (AI) technology that recognizes unusual activity in the audit log and raises a warning. Finally, an easy way to perform user monitoring and quickly recognize risks from external bad actors and employee snooping!

Meet Rob Pruter

Rob is the Chief Revenue Officer at SPHER, Inc. https://www.spherinc.com/ He is responsible for all global sales, marketing, and partner revenue at SPHER, Inc. For the past 20 years, he has successfully built marketing programs and partner alliances in the healthcare IT space with larger companies and innovative start-ups. He has a passion for protecting patient privacy and cybersecurity for the healthcare industry. And he is my new best friend with a passion to improve audit log monitoring!

Surviving an OCR Audit

First Healthcare Compliance hosts Raymond Ribble, founder of SPHER Inc. and co-founder of Fusion Systems Co., Ltd., for an interactive discussion on “Surviving an OCR Audit”: an overview of the steps a Covered Entity or Business Associate must take to prepare its organization to respond to an OCR or other external audit of its privacy and security procedures. Objectives:

1. An introduction to the types of audits that exist

2. Tips to prepare your group for an external audit

3. Tools and techniques to help assess your readiness

The Security Rule: How to Manage Adherence. Presented by: Raymond F. Ribble, President, SPHER, Inc.

A joint Cost of a Data Breach study from IBM and the Ponemon Institute estimates the average cost of a data breach at $3.86 million, or $148 per lost or stolen record, with healthcare consistently the costliest industry in that study. The report further predicts that the likelihood of a healthcare organization experiencing a breach within the next two (2) years is extremely high. Associated studies from the FBI and past law enforcement reports indicate that the average breach went undetected for more than 360 days. The resulting cost and damage to an organization’s business model, its reputation, and the obvious patient privacy violations often prove too great to overcome, leading to practice failure and bankruptcy.

During his presentation of The Security Rule: How to Manage Adherence at the 2019 ADAM Annual Conference, SPHER Inc.’s President, Raymond Ribble, reviewed for ADAM members the background needed to understand the HIPAA guidelines, along with a narrative of HIPAA Security Rule compliance.


The HIPAA Security Rule requires three categories of safeguards:

Administrative Safeguards:

Defined as administrative actions, policies, and procedures for managing the selection, development, implementation, and maintenance of security measures to protect ePHI, and for managing workforce conduct in relation to ePHI protection. Standards include:

  • Security management process — includes policies and procedures for preventing, detecting, containing, and correcting violations. A critical part of this standard is conducting a security risk analysis and implementing a risk management plan.

  • Assigned security responsibility — requires a designated security official who is responsible for developing and implementing policies and procedures.

  • Workforce security — refers to policies and procedures governing employee access to ePHI, including authorization, supervision, clearance, and termination.

  • Information access management — focuses on restricting unnecessary and inappropriate access to ePHI, including monitoring how users access patient ePHI.

  • Security awareness and training — requires the implementation of a security awareness program for the entire workforce of the covered entity (CE).

  • Business Associate Agreements — requires all covered entities to have written agreements or contracts in place with vendors, contractors, and other business associates that create, receive, maintain, or transmit ePHI on the covered entity’s behalf.

Physical Safeguards:

Defined as physical measures, policies, and procedures for protecting electronic information systems and related equipment and buildings from natural/environmental hazards and unauthorized intrusion. Standards include:

  • Facility access controls — policies and procedures for limiting physical access to the facilities that house information systems.

  • Workstation use — addresses the appropriate business use of workstations, which can be any electronic computing device as well as electronic media stored in the immediate environment.

  • Workstation security — requires the implementation of physical safeguards for workstations that access ePHI.

  • Device and media controls — requires policies and procedures governing the receipt and removal of hardware and electronic media containing ePHI into and out of a facility, and the movement of these items within the facility.

Technical Safeguards:

Defined as the technology and the policies and procedures for the technology’s use that collectively protect ePHI as well as control access to it.  Standards include:

  • Access control — refers to the ability or means to read, write, modify, and communicate patient data, including files, systems, and applications. Includes access procedures as well as data encryption.

  • Audit controls — hardware, software, and procedural mechanisms for recording and examining activity in the information systems that contain or use ePHI, including which users accessed which patient records.

  • Person or entity authentication — requires verifying that the person or entity seeking access to ePHI is who they claim to be.

Each organization has to determine what security measures are reasonable and appropriate for its own user environment and the applications in use. While there is definitely a cost to protecting PHI, HHS has consistently placed an emphasis on performing annual security risk assessments and implementing mitigation plans to manage the identified risks.
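The audit-control standard above only requires that access activity be recorded and examined; what turns a raw EMR access log into the snooping and insider-threat detection the earlier sessions on this page describe is the review logic run over it. The following Python script is an added example, not code from the page, from SPHER, or from any EMR vendor: it parses a constructed audit-trail export and raises four kinds of findings a privacy officer would typically want queued for review, namely a clinical user with no documented treatment relationship, a user who shares a surname with the patient, after-hours access, and a burst of distinct patient lookups. The log lines, the care-team and surname tables, the role list and every threshold are assumptions made for the example.

```python
# Review of EMR audit-control records for inappropriate ePHI access.
# Added example with constructed data; thresholds and lookup tables are
# illustrative assumptions, not values from any real EMR or product.
from collections import defaultdict, deque
from datetime import datetime, time, timedelta

# Constructed audit trail: timestamp,user_id,user_role,patient_id,action
SAMPLE_LOG = """\
2024-03-04T09:12:05,jsmith,nurse,P1001,VIEW
2024-03-04T09:14:40,jsmith,nurse,P1002,VIEW
2024-03-04T09:30:11,dlee,physician,P1003,UPDATE
2024-03-04T12:02:59,jsmith,nurse,P2001,VIEW
2024-03-04T12:03:30,jsmith,nurse,P2002,VIEW
2024-03-04T12:03:55,jsmith,nurse,P2003,VIEW
2024-03-04T12:04:20,jsmith,nurse,P2004,VIEW
2024-03-04T12:04:48,jsmith,nurse,P2005,VIEW
2024-03-04T12:05:10,jsmith,nurse,P2006,VIEW
2024-03-05T02:15:00,rgarcia,billing,P1001,VIEW
"""

# Constructed context the EMR would normally supply: documented treatment
# relationships (care teams) plus workforce and patient surnames.
CARE_TEAM = {"P1001": {"jsmith", "dlee"}, "P1002": {"jsmith"}, "P1003": {"dlee"}}
USER_SURNAME = {"jsmith": "smith", "dlee": "lee", "rgarcia": "garcia"}
PATIENT_SURNAME = {"P1001": "nguyen", "P1002": "smith", "P1003": "patel"}

# Assumed policy parameters; tune them from the practice's own risk analysis.
CLINICAL_ROLES = {"nurse", "physician"}  # roles expected to hold a care-team link
BURST_WINDOW = timedelta(minutes=10)     # distinct patients are counted in this window
BURST_DISTINCT_PATIENTS = 5
AFTER_HOURS_START, AFTER_HOURS_END = time(22, 0), time(6, 0)


def parse_log(text):
    """Parse the CSV-style export into dicts sorted by timestamp."""
    rows = []
    for line in text.strip().splitlines():
        ts, user, role, patient, action = line.split(",")
        rows.append({"ts": datetime.fromisoformat(ts), "user": user,
                     "role": role, "patient": patient, "action": action})
    return sorted(rows, key=lambda r: r["ts"])


def is_after_hours(ts):
    """True between 22:00 and 06:00; the window wraps midnight."""
    return ts.time() >= AFTER_HOURS_START or ts.time() < AFTER_HOURS_END


def review(text):
    """Return one finding per triggered rule. Each is a lead for a human
    reviewer, not a proven violation: payment/operations access is permitted."""
    findings = []
    recent = defaultdict(deque)  # per-user (timestamp, patient) inside the burst window
    alarmed = set()              # users already reported for their current burst

    def flag(rule, r):
        findings.append({"rule": rule, "user": r["user"],
                         "patient": r["patient"], "ts": r["ts"].isoformat()})

    for r in parse_log(text):
        user, patient, ts = r["user"], r["patient"], r["ts"]

        # Rule 1: clinical user with no documented treatment relationship.
        if r["role"] in CLINICAL_ROLES and user not in CARE_TEAM.get(patient, set()):
            flag("NO_TREATMENT_RELATIONSHIP", r)

        # Rule 2: user and patient share a surname (possible relative lookup).
        surname = USER_SURNAME.get(user)
        if surname and surname == PATIENT_SURNAME.get(patient):
            flag("SURNAME_MATCH", r)

        # Rule 3: access outside normal working hours.
        if is_after_hours(ts):
            flag("AFTER_HOURS", r)

        # Rule 4: many distinct patients in a short window (record trawling).
        window = recent[user]
        window.append((ts, patient))
        while ts - window[0][0] > BURST_WINDOW:
            window.popleft()
        if len({p for _, p in window}) >= BURST_DISTINCT_PATIENTS:
            if user not in alarmed:  # report once per burst, not once per row
                alarmed.add(user)
                flag("VOLUME_BURST", r)
        else:
            alarmed.discard(user)
    return findings


def summarize(findings):
    counts = defaultdict(int)
    for f in findings:
        counts[f["rule"]] += 1
    return dict(counts)


if __name__ == "__main__":
    results = review(SAMPLE_LOG)
    for f in results:
        print(f"{f['ts']}  {f['rule']:<25} user={f['user']} patient={f['patient']}")
    print(summarize(results))
```

Every finding is a lead, not a violation: a billing clerk pulling a record for a claim is permitted payment activity, which is why the script exempts non-clinical roles from the treatment-relationship rule but still reports that access when it happens at 2 a.m. The rule set and thresholds should come out of the organization’s own risk analysis, and the tables feeding the rules must be drawn from the EMR’s own scheduling and HR data; a care-team list maintained by hand will rot, and the rule will then flag legitimate care.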