Tag Archives: hipaa


Year-End HIPAA Reality Check

 


Disclaimer: The following is an actual transcript. We do our best to make sure the transcript is as accurate as possible, however, it may contain spelling or grammatical errors. Due to the unique language of acupuncture, there will be errors, so we suggest you watch the video while reading the transcript.

Click here for the best Acupuncture Malpractice Insurance

Get a Quick Quote and See What You Can Save


HIPAA – Top 3 Cybersecurity Threats in the Health Industry

 


 



HIPAA – Lost or Theft of Equipment & Data

 


Hi everybody. This is Perry Barnhill with the Fearless Acupuncturist, and we wanna welcome you to another show regarding HIPAA and compliance and how you can protect yourself and your patients in your practice. Slideshow please. First, I’m gonna give a big thanks to the American Acupuncture Council for sponsoring this show.


Okay, so let’s get into this. Let’s talk about loss or theft of equipment and data in our practices. Before I do that, let me just go over a couple of things here on why Julie and I teach HIPAA. We understand what it’s like to have an office. We understand what it’s like to take care of patients, and we also understand what it’s like not to really know what it is we’re supposed to know in regards to HIPAA.


So that’s why we’ve created a compliance program, specifically addressing HIPAA and the needs in your office as it relates to you as acupuncturists. So before we get started, there’s something I’d like to go over regarding where you fall within the whole HIPAA world. So what we’ve done is we’ve created a little bit of a quiz here, and I’m gonna hop to the next slide here so you can scan this.

So scan this QR code, and this will take you to just a few questions regarding HIPAA and compliance in your office. Now, as you go through these questions, first of all, it’s quick, it’s easy. We’re not gonna share this with a bunch of people, so don’t worry about that. You can grade yourself based on the answers to your questions.

If you’ve gotten an F, just like anything else, you’re not even close to being HIPAA compliant. But let me say this as well: even if you have a B, that’s great, and you should commend yourself for at least having a B, but that means that there’s still a few things you need to get in play to be totally HIPAA compliant.

Let me just say this: HIPAA is something we don’t wanna mess around with. In fact, I talk to acupuncturists and providers all the time. The biggest risk, believe it or not, I believe we all have in practice these days is not being HIPAA compliant. And the reason I say that is because the penalties and the fines associated with not being HIPAA compliant are huge, and we just don’t want that to happen to us. So make sure you go there, you check this out and see where you fall within the whole world of HIPAA.

Okay, so seconds count. Here’s a little story about a provider going to a coffee shop. They have their laptop there. They jump on the public wifi, they order a coffee, they sit down, they get called, they go pick up their coffee, they come back and their laptop is gone.

Basically, their laptop got stolen, so as you can imagine, I think all of us would be freaking out because our laptop got stolen, and we should be freaking out if our laptop had any kind of protected health information on it or something. You’ll hear me refer to that as PHI, or ePHI, which stands for electronic protected health information.

So did you know, and I’ll just go through this really fast, a laptop is stolen every 53 seconds? So these things happen all the time. 70 million smartphones are lost every single year, and a very small percentage is recovered, only 7%. 4.3 percent of company-issued smartphones are lost or stolen every single year, and 80% of the cost of a lost laptop is from the data breach.

Last one here: 52% of all devices are stolen from the workplace. This is a big deal. Physical loss and data loss, so physical awareness of the device. Just as some examples, we misplace our phone, or we leave our laptop like in the coffee shop, or we leave our tablet unattended at work or in transit.

We basically lose these things. We can lose data by not using proper passwords, or by sharing them. How do we do that? If someone who is not supposed to can access your systems by using your password, they can access data they shouldn’t have, and that is considered a breach. Sharing passwords, again, don’t share passwords.

Don’t share passwords with anybody. Accessing personal or unauthorized, non-work internet or websites on your work computers: be very strict, not just with yourself, but also with your employees, regarding the places they can and cannot visit on the computers and on the internet. So let’s do this.

Let’s take a quick little quiz here. And what I want you to do is think about the best answer here. Some of these might be answers, but pick the best one here. So here’s a question. Which of the following activities can cause data to be damaged or lost? A. Staying online too long. B. Never fully shutting your computer down.

C. Unauthorized access to a system. D. Always keeping your computer charging. Okay, so the best one here, the very best one, the best answer here is C, unauthorized access to a system. Anytime somebody accesses our system, meaning they gain access to protected health information when they were not authorized to do that, that’s a breach, and that’s something we don’t want to happen. Here’s a really cool chart on how long it takes a hacker to break your password, and these are just examples. Again, I’m not gonna go over all of these. You can screenshot this, you can look for it, but it’s just very interesting. So if you go to the left here, look at the number of characters.

If you just have four characters and they’re only numbers, or they’re only lowercase letters, or even look at the next box over, upper and lowercase letters, or that whole row: a hacker can access your system immediately or break your password. So the goals are, and there are very specific requirements according to HIPAA.

It’s a law. You have to have certain requirements for your passwords. They have to be so long, meaning so many characters in length, and they have to have special characters. So there’s things that have to be done here, but go to the bottom. So check this out. If you had 11 characters, and you just slide over to the right-hand side, 11 characters with numbers, upper and lowercase letters and symbols.

It would take a hacker up to 34 years to break your password. This is where we want to be so they don’t break our passwords. So how do you create unique passwords? Make ’em meaningful to you and nobody else. Something you could remember. Create passphrases with special characters, and avoid items that can be easily discovered in social media or pictures.

So don’t use your first and last name. Don’t put a one in front of your first and last name. Don’t put a dollar sign behind it. These are way, way too easy to access. Here’s an example: Fly me to the moon. Now, what does this have? It has many characters. It has upper and lowercase. It has a number, and it also has a special character, which is an exclamation point.

So what do you need to know in order to help prevent loss or theft of your equipment? Make sure you know your organization’s policy before removing equipment from the office. You cannot, or you should not, remove any equipment from the office unless you have very specific policies and procedures in place.

We have these things in our manuals. We know this is part of things that providers do. They take their laptops home. Sometimes they allow their staff to do these things. I would suggest you do not allow your staff to take home any protected health information. All right. But anyways, here’s some questions.

Can you travel with your equipment? You could, but you have to have policies and procedures in place. Can you take your equipment offsite to work remotely? Yeah, you can do these things, but certain things have to be followed, and you have to understand how to access that data or your practice safely and securely.

Can you use a USB or other portable storage devices? You can, but you have to make sure, again, those things are protected. Is the information on the computer or storage device encrypted? If the answer’s no, then you cannot take that device anywhere. It has to be encrypted. How can I use a secure VPN (virtual private network) or password-protected wifi to log into a network and work?

So you have to know the answers to these things before you do any of them. It has to be in your HIPAA manuals. These things have to be part of your policies and procedures. We have these things in there. So is it important to be aware of your practice’s policies on traveling with equipment or taking equipment home to work remotely?

I pretty much answered that, so here we go. Absolutely, it’s true. We always have to verify our practice’s policies and procedures associated with the use of equipment outside of our office location. This will help ensure that you’re not exposing your laptop or mobile devices to unknown risk by accessing unsecured networks.

This is a real big deal if these things get breached, if you get accessed by someone that shouldn’t be accessing these things. We have to report these things, and if we don’t have policies and procedures in place, we’re gonna get fines and we’re gonna get penalties.

Really important to have these things in place. Here’s some best practices on how you can protect your devices and your data. Obviously, knowing where your mobile devices are at all times; don’t leave ’em hanging around. Never leaving them unattended or unlocked. Don’t leave laptops in a car. Doctors, providers get these things stolen, and when you start asking questions, it’s like, oh yeah, I left it in the front seat, and then their car got broken into. You’re in trouble.

If that happens, there’s certain policies and procedures that you have to have in place if you decide to do these things. You have to encrypt sensitive data. If it’s not encrypted and it gets stolen or it gets breached, that’s a problem. Being aware of your surroundings, meaning maybe you shouldn’t take your laptop in a car, depending on where you’re going.

I wouldn’t take it anyways. If I was to go into a store and I have my laptop, I would take it with me. Quite literally, I would take it with me. That’s how concerned I am about these things. You have to make sure your passwords are strong, and like I said, don’t ever share your passwords. And here’s the other thing too.

If something happens, you have to report the loss of this equipment immediately. You have to report it to HIPAA, and if you don’t have certain procedures and policies in place, this is where the fines come into play. And this, quite frankly, is what concerns me the most. So, a summary: loss or theft of equipment or data can have significant long-term implications that will far outweigh the cost to replace the device.

You have to follow all system instructions regarding secure passwords and updating your software, updating patches, to make sure that this is as secure as it possibly can be. If something happens, you have to take immediate action if there’s an event. And when I say event, I mean there’s a breach, or maybe there was a breach, meaning there was a compromise, or maybe you’re not really sure if there was or if there wasn’t a breach.

We have questionnaires that assess a breach, to say and determine: yes, there was a breach; maybe there was; or yes, there definitely was. And then given the answers to those things, what do we do from here? And again, if these things happen, you have to provide as many details as possible related to the incident.

Who do you provide those things to? You’re gonna have to provide them to the OCR, the Office of Civil Rights, which is basically the HIPAA place, and hopefully we never have to go down that road and be in that position. So here’s some next steps. If you have questions for us or if you wanna schedule a demo or quite frankly, just get started, you can do these things.

You can schedule a demo with us if you go to go.fearlessprovider.com/demo, or of course you can scan the QR code here to the right. If you wanna get started with our program, you can go to fearlessacupuncturist.com. It’s easy. You go there, you sign right up, and you get access to all the manuals, all the information.

All the videos. Or sometimes people want to contact me ’cause they have some specific questions. Please feel free to; you can contact me at Dr. perry@betterhipaablueprint.com. In the meantime, everybody, make sure you have all your HIPAA stuff as good as you can, as dialed in as possible, ’cause it’s not worth the risk of not having it.

I want y’all to have an amazing day and I will talk to you next time.
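Working out the arithmetic behind the password chart in the talk above, as an added example that is not part of the talk or the Fearless Acupuncturist program: the character sets, the guessing rate and the 11-character threshold are assumptions made here (the chart does not state the rate it used, so the absolute years will not reproduce its 34-year cell; the rate-independent ratio is the point), and `meets_policy` is a hypothetical helper, not a HIPAA rule.

```python
import string

# Character classes behind the columns of the "time to crack" chart the talk
# walks through: only numbers, only lowercase, mixed case, mixed case plus
# numbers, and mixed case plus numbers plus symbols.
CHARSETS = {
    "numbers": string.digits,                                      # 10
    "lowercase": string.ascii_lowercase,                           # 26
    "upper_lower": string.ascii_letters,                           # 52
    "upper_lower_numbers": string.ascii_letters + string.digits,   # 62
    "upper_lower_numbers_symbols": (
        string.ascii_letters + string.digits + string.punctuation),  # 94
}

# Assumed offline guessing rate, in guesses per second. Constructed for this
# example; the chart in the talk does not state the rate it assumed, so the
# absolute years below will not match its cells. The ratios do not depend on
# the rate at all, which is the durable takeaway.
ASSUMED_GUESSES_PER_SECOND = 10_000_000_000

SECONDS_PER_YEAR = 365.25 * 24 * 60 * 60


def keyspace(length: int, charset: str) -> int:
    """Number of distinct passwords of exactly `length` drawn from `charset`."""
    return len(CHARSETS[charset]) ** length


def years_to_exhaust(length: int, charset: str,
                     rate: float = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Worst-case years to try every password in the keyspace at `rate`."""
    return keyspace(length, charset) / rate / SECONDS_PER_YEAR


def relative_effort(short_len, short_set, long_len, long_set) -> float:
    """How many times more guesses the longer, richer password costs.
    Rate-independent, so it holds whatever hardware the attacker has."""
    return keyspace(long_len, long_set) / keyspace(short_len, short_set)


def meets_policy(password: str, min_length: int = 11,
                 personal_terms=()) -> bool:
    """Hypothetical policy check mirroring the talk's advice: at least
    `min_length` characters (11 is the chart row the talk points at, a
    chosen value rather than regulatory text), all four character classes,
    and none of the caller's easily discovered personal terms (name, clinic,
    pet) embedded in it, so "1JaneDoe$" style passwords fail."""
    if len(password) < min_length:
        return False
    has_all_classes = (
        any(c.islower() for c in password)
        and any(c.isupper() for c in password)
        and any(c.isdigit() for c in password)
        and any(c in string.punctuation for c in password)
    )
    if not has_all_classes:
        return False
    # Strip the "1" and "$" decoration and look for the personal term inside.
    core = "".join(c for c in password.lower() if c.isalnum())
    return not any(term.lower() in core for term in personal_terms)


def main() -> None:
    print(f"{'length':>6} {'charset':<28} {'keyspace':>12} {'years':>12}")
    for length in (4, 8, 11):
        for name in CHARSETS:
            print(f"{length:>6} {name:<28} {keyspace(length, name):>12.3g} "
                  f"{years_to_exhaust(length, name):>12.3g}")
    print("\n11-char full-set vs 4-digit PIN: %.3g times more guesses"
          % relative_effort(4, "numbers", 11, "upper_lower_numbers_symbols"))
    # Constructed sample passwords, not taken from the talk's slides.
    for pw in ("1JaneDoe$", "1JaneDoe$2025!!", "Cupping-at-3pm-is-Calm!"):
        print(pw, "->", meets_policy(pw, personal_terms=("Jane", "Doe")))


if __name__ == "__main__":
    main()
```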



HIPAA – Top 3 Cybersecurity Threats

 


Hi, everybody. Good morning, good afternoon, whatever it may be for you. This is Perry Barnhill with the Fearless Acupuncturist, and in the background, who you don’t see, is Dr. Julie McLaughlin. We want to give a big thanks to the American Acupuncture Council for bringing you this presentation on the top three cybersecurity threats that you need to be aware of in the context of your practice and HIPAA.


Start slideshow please. I am gonna give big thanks to the AAC for bringing this to you. All right, here we go. Let’s talk about the top three. There’s many tops, but we’re gonna start with the top three. Okay. The top three cybersecurity threats, as outlined in the health industry, meaning you, your acupuncture practice and cybersecurity.

Oh, so why do we teach HIPAA? We understand what it’s like to have a practice. We understand what it’s like to take care of patients, and we also understand what it’s like to not really know for sure what it is we should know in regards to compliance and in regards to HIPAA. So we’re here to teach you this, and we’re gonna start going through some of these top three cybersecurity threats.


Again, Julie and I are both healthcare practitioners, as you can see, and also both have certifications in compliance. Alrighty. So let’s talk about some things, buzzwords, as I would say, that you hear probably quite frequently but don’t really think about in the context of your practice and in HIPAA: social engineering.

So what does social engineering mean? Let’s go through this. Social engineering is a form of psychological manipulation that tricks users into making security mistakes and giving away sensitive information. It relies on human error. So it relies on things like our staff that may make a mistake and click the wrong link.

What we’ll talk about, and also mistakes that we as the providers may make as well. So it uses humans to make mistakes, and instead of specifically using the software or actually your system to make a mistake, it tricks us by exploiting our human emotions. So let’s get into some of those things.

One, this is something that you really need to sit down, talk about, train with your staff such that they don’t get themselves in trouble with clicking on the wrong link. Now, what are some things you need to pay attention to? This is what they call phishing. If you’ve ever heard the word phishing, it’s not like catching a fish in the water, but these crooks are out there phishing for us to make mistakes and trick our brains into clicking something we shouldn’t click.

So if, for example, number one here, if you don’t recognize the sender in an email, for example, do not click it. Okay? If you’re not expecting an attachment or an email, you may not wanna be clicking it, ’cause if you click it, you might get yourselves in a whole lot of hot water. What about this one?

Does the from address match the message? When you get an email, look at these things closely. You’d be surprised. But the little things here, these little tips, could prevent you from having the compromise of protected health information, which in turn could potentially get you some fines and penalties with HIPAA if you’re not doing the things you’re supposed to be doing.

All right, and number four. What about this one? You get emails that sort of create or invoke a sense of urgency. Double check it. Maybe it’s not a legitimate email. What about not recognizing the destination URL or the website? Is it a secure website? These are things where IT professionals help out a ton, but simple little tips like this, training our staff and us being aware of them, can help prevent massive compromises and breaches of PHI.

Number eight: is this email asking for your login credentials? Seriously, be very cautious. Certainly if you’re not aware that something’s coming across, if anybody asks for your login information, it’s probably a better idea just not to do it unless you’re a hundred percent for sure. Number nine, bad grammar or bad spelling.

I know you’ve seen this. Have you seen emails come across where the spelling looks a little weird, a little funky? It’s not correct. The grammar doesn’t sound particularly correct as well. Don’t click on it. Just don’t click on it. What about this one? Number 10: is the greeting or signature generic, or does it lack contact info?

Anything that looks funny with emails that are coming across, just don’t click on ’em. ’Cause if you do and they’re contaminated and they’re corrupted, it’s a lot of energy and it takes a lot of time to make sure that compromises of PHI didn’t happen and you didn’t get hacked. Which kind of brings me to the next one here.

Ransomware. We’ve heard of ransomware. What is ransomware? Ransomware is a threat to us and to our devices. And what makes this form of malware so unique is the word ransom. Basically, these hackers, they extort us for ransom. They’ll steal our information, our protected health information, like our patient’s information, the patient’s files, and they’ll tell us, Hey, we have this, we’re gonna keep it. You can’t even access it until you pay us X amount of money, and it sometimes is thousands and thousands of dollars.

Now I wanna say this: don’t ever pay them until you speak with an IT professional, or you speak with someone who you’re very confident is very aware of all of this ransomware, this malware. Don’t do anything until you contact someone, a professional, regarding these things.

Okay? So here’s some quick tips on this threat to be aware of, kinda like we talked about on the phishing side of things. Most ransomware, they’re sent in phishing emails. So you get these funny-looking emails, you click on ’em, and guess what? Now they got your information or your patient’s information, and they can hold it ransom.

So don’t click on those things. Stay alert when any email prompts you to enter your credentials. If you notice, a lot of these tips are very similar to the phishing tips. First they gotta get you, and then when they get you, they can hold you for ransom or hold that information for ransom.

So be cautious before you click any links in any emails that you have. Make sure those senders are legitimate, and as a proactive measure, check to see whether the computer and network to which you’re connected have proper intrusion protection systems and software in place. I can’t overemphasize this: you really need to make sure your computers are secure.

Now that we’ve talked about ransomware, kinda like we talked about phishing and gave you some tips, let’s talk about some tips regarding ransomware and how you can prevent yourselves from getting hacked and having to pay some of these ransom demands. Okay, most ransomware, guess what?

They’re sent in phishing and email campaigns. So be careful if you open up any attachment that may look weird. Funny spelling, grammar, just like we talked about earlier. ’Cause once they get that, they can hold your protected health information for ransom. Number two, stay alert when any email prompts you to enter your credentials.

I know we said this earlier, but it’s really important, because these phishers, these scammers, they will check on these things. They will ask for these things, and once they have them, they’re into your system and they have your passwords. Be cautious before clicking any links, looking at the senders and checking the URLs.

Very important. Share all of this information with your staff. ’Cause your staff, you may think that, okay, this ain’t gonna happen, but it might if you don’t train your staff on the things they shouldn’t be clicking on and what they need to be aware of. As a proactive measure, check your computer and make sure the network to which you’re connected has proper intrusion systems and software in place.

It’s so important that you have IT professionals help and protect your computer systems. And due to the severity and time sensitivity of ransomware attacks, if you think this is happening, or if you think it happened, or if it’s in the process of happening, or something weird is going on with your computer, make sure you seek out your IT professionals, because if they get it, it’s a big process of trying to get it back. And then guess what? Now we gotta deal with HIPAA. Now we have to deal with the OCR and a potential report. And then guess what? We might even have to send notifications to patients. Something we just don’t wanna have to do if it’s not necessary.

So here’s some other things. Preventing loss or theft of equipment or data. Things like taking your laptops or your data in your car. So physical loss of equipment, these things can happen. Or even data that you access and work with daily has to be carefully protected. Alright, so let’s talk about some tips here.

Never leave your laptop or your iPad unattended at work or in transit. Yeah, in transit. What do I mean by that? Like I said, in your vehicles. There are providers that have left their laptops wide open, sitting on the front seat, even sitting on the dash, and they get stolen. It’s not something we want to happen.

Password policies and updating the passwords. These are all things that need to be in your manual. They’re all things that we have to do. They have to be part of your procedures and your policies. If you don’t have these things in play, guess what? You’re not HIPAA compliant and maybe subject to some fines or some penalties.

We don’t want that. It’s not necessary. Don’t share your password with anyone. I know a lot of us, we don’t do these things, but sometimes we do. Staff shouldn’t be sharing their password with the staff person next to ’em. They need to have unique passwords. Again, this is part of your policies and your procedures. USB drives: be very careful if anybody, like a patient, brings in a USB drive

’cause they want you to look at their files or their imaging. It could be corrupted. So I would avoid even going down that road with them. You have to encrypt sensitive data. Of course, if you lose anything, number seven here, lose any equipment, or if you have any suspicious activity at all on your systems, you have to get on top of this early. Seek out the IT people, get ’em to stop it so it doesn’t go any further.

Alerting officials again promptly if something seems suspicious, and keeping your emergency contacts close by. This is so important. I can’t even overemphasize how important this is for you to be aware, but also anybody in your office really needs to be on top of these things. So what are some next steps?

A lot of people say, Hey, I don’t know if I’m compliant or not. Go through a HIPAA download checklist. You can download this right here for your office. You can scan the QR code here, go through and look at these questions. And sometimes they’re not always as simple as a yes or no. Do you have policies and procedures to protect patient information? A lot of us do. So you could say, oh, I got that one. But do you have legitimately written-down policies and procedures? What’s the policy? What is it? And the procedure is how do we do it, or how do we implement it?

You have to have all of these in play for everything HIPAA related, even passwords, updating passwords, making sure passwords are strong. All right. A lot of times, if you ever want to, a lot of people like to schedule a demo. They wanna see what our program looks like. So you can do that; you can schedule a demo by going to go.fearlessprovider.com/demo.

You can scan the QR code. We are more than happy to go over it with you. You can look at our program from the inside. A lot of times people just wanna get started. So go to www.fearlessacupuncturist.com. Or you can contact me at Dr. perry@betterhipaablueprint.com. I’m more than happy to answer any questions that you may have.

So in the meantime, everybody have an amazing day, and thank you so much for joining us here. Take care.



HIPAA – Social Engineering & Psychological Manipulation

 


Hey everybody. Good morning, good afternoon, whatever it may be for you. This is Perry Barnhill with the Fearless Acupuncturist. Want to first give a big thanks to the American Acupuncture Council for sponsoring this show, and we are going to talk about something you may have heard before, social engineering and how it could affect your practice in regards to HIPAA.


Go to slideshow please. Okay. Again, another big thanks to the American Acupuncture Council for bringing this show to you. Okay. Social engineering, you may have heard of this before, so it’s all about, we’ve talked about this in our previous shows. We wanna plan, we want to prepare, and we want to protect ourselves and our practice from things like this, and so it doesn’t happen.


Or if it does happen, we can minimize the effects of it. So why do Julie and I teach HIPAA? We understand what it’s like to have practices. We understand what it’s like to be concerned about HIPAA. We also understand that HIPAA is a very complicated subject. We try to break it down to help minimize the stress in your offices, because if you know what it is you need to know for HIPAA, it makes things much, much better.

Okay, so in the meantime, as people are starting to hop on this show, we want you to look at this and maybe consider taking this little quiz. So this quiz, it’s quick, it’s easy. One of the reasons we did this quiz is because so many of the providers are not aware of exactly where they stand with HIPAA. And simply by doing this quiz, you can see what your grade is.

It’s a few questions. It doesn’t take long, and it’ll give you a grade. Obviously, if you’re an F or a D, you need a lot of help. If you’re a B, you may still need some help, so make sure you check it out and see where you’re at. You can scan the QR code here, or you can simply go to the website that we got listed below.

So what is social engineering and how does it work? Social engineering, it’s a form of psychological manipulation that tricks users. Users meaning us as providers in our offices and our staff, into making mistakes and giving away sensitive information. What do I mean by sensitive information?

Sensitive information in this context is patient information, anything you have on your patients, be it their name. It could be their address, it could be their email address, not just their conditions or not just a treatment that you provided for ’em. It can literally be any one of those things. So what happens is it relies on human error instead of vulnerabilities in software and in the operating systems, by exploiting human emotions.

And here’s some examples. If you got an email that says it’s sent by a quote-unquote friend, make sure you double check that before you respond. Messages relaying a troubling story about someone you may know, or a message saying that time is running out, messages that seem too good to be true, or offers that seem too good to be true, and messages or offers of giving you help with things that you had never requested.

The sender, you can’t confirm their identity. So these, just these alone, if you pay close attention to ’em and you avoid clicking on the wrong thing, can save you so much time, so much stress, and a ton of money, and a ton of potential fines when it comes to HIPAA. So the impacts to healthcare these days from these hacking incidents, it’s huge.

It’s responsible for up to 75% of all the incidents in 2022; they include phishing, email attachments, and ransomware and malware incidents. 80% of all breached patient records in 2022 were caused by hacking. This is why it’s a big deal to avoid this. Here’s the other thing, and if you ever wondered why are they doing this?

Guess what? They can sell files, a single medical record, and when I say they, I mean the cyber criminals, the crooks out there that steal this information, for 250 bucks a file. So you can imagine 10 files. It’s a lot of money. A hundred files. It’s a lot of money. And most of us have all this information in our offices, so we have to protect it.

Common clues in social engineering, things that they trick you into, revealing information. Again, patient information, they can install malware onto your computers. And like I said earlier, it re relies on human error. Human errors from us as providers, human errors from our staff as well, not the software, the operating systems.

They trick us. They trick our brains. Here’s a little quiz I want you to think about and take hackers like to use social engineering techniques to trick you into making a security mistake like I’ve just talked about. They do this by adding these words or phrases to a message. Select the answer from the list below, sending a message with a sense of urgency.

B, including words that say quick and time is running out. C, mentioning an illness of a family member or a friend. Or what about all of the above? I think most of you probably got this. Yeah. The answer’s all of the above. They do all kinds of things. They have this sense of urgency. They trick you into thinking it’s your family or your friends.

They’ll do anything they can to steal that protected health information, ’cause like I said earlier, it’s very valuable when they get it. What are the most common forms of social engineering? If you’ve watched some of our shows before, we talked about phishing, so make sure you see those shows from the past.

But social engineering uses email or malicious websites to solicit personal information by posing as a trustworthy organization. And now they’re doing this thing called spear phishing, folks, and that’s also a form of social engineering. It targets a narrow audience, hence the word spear. These attacks are more coordinated these days.

We’re getting SMS, we’re getting text messages, even staff, and they can trick staff through their phones into giving out things that they shouldn’t be giving out. That could potentially get you into some hot water. Here are some examples, if you’ve ever gotten these before, whether it’s in an email or whether it’s in your texts, where they say, Hey, your bank account is locked.

A message claiming to be from one of your credit cards, maybe it’s American Express, Chase, or whatever it may be, about some activity. That you may have won a prize, and if you click on it, if you click on any of these things, boom, they may be able to get into your systems. It must be a fake, but it’s also a funny attack.

Sometimes things are funny. You click on ’em and they trick you into going to these sites that we shouldn’t be going to. Unusual account activity messages that say you need to click to secure your data. So these five things here are just some of the things that I would encourage you to talk to your staff about, so they pay a little extra close attention to not clicking on the wrong sites, or maybe ask you before they click on them.

Here are a few boxes here. This alone can serve as HIPAA training for you yourself and your staff. Make sure you talk to your staff about these, and be aware of these things: recognizing and reporting phishing. So, four things to check when you suspect that an email might be a phishing attempt.

I’m not gonna read all the bullet points, but I want you to be aware: the sender’s unfamiliar or unexpected (go through those bullet points, read those things), or the message doesn’t look right, it sounds funny, maybe the grammar isn’t correct. Double check those. Check the from address, so you know who sent it.

Does it look legitimate? A lot of times you can spot a fake just because it doesn’t look legitimate at all. Don’t click on that. Inspecting links and attached files. So again, share this with your staff, because if we can prevent an attack from happening, then we never have to report it. But if it happens, guess what?

We have to report it. We even have to tell the patients; sometimes you have to take ads out in newspapers to tell the public it happened, depending on the size of these things, and that’s not to mention the fines and penalties that could happen as a result of this. Here’s a checklist, and again, this is a really good thing to share with your staff and for you to make mental notes of. Print it out, talk to the staff about these things: not recognizing the sender, not expecting an email or an attachment.

The from address looks funny or it doesn’t match. It invokes a sense of urgency. Not recognizing the destination URL: is it an accurate website or not? Asking for login credentials. Bad grammar, bad spelling. The greeting and the signature: are they generic, or do they lack contact information?

Again, make sure that you share this with your staff. Now, of course, this isn’t enough to be HIPAA compliant, but again, if we can prevent these things from happening, we’ll be far better off in the end. So what are some next steps that you can do? What about questions? A couple of things you can do: you can schedule a demo if you’d like to.

You can get started right away. You can go to fearlessprovider.com/demo and ask for one of the demos. We’re happy to hop on there and show you what we have here with our HIPAA program. You can scan the QR code here and go right to it. You can get started. Just go to fearlessacupuncturist.com and get started with the HIPAA program.

Or you can contact me at Dr. perry@betterhipaablueprint.com. In the meantime, everybody, I hope you learned from the show here. Please pay close attention to those things and please share this information with your staff. In the meantime, I hope you all have an amazing day.
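The phishing checklist from the show above, run as code. This is an added example, not code from the show or the Fearless Acupuncturist program: it parses a raw email and reports which of the speaker’s checklist items it trips (sender not recognized, from and reply-to addresses that don’t match, a sense of urgency, a request for login credentials, a generic greeting, and a link whose visible text does not match where it actually points). The keyword lists, the trusted-sender domains and both sample messages are constructed for illustration; a real office would maintain its own list of expected senders.

```python
"""Phishing checklist triage over a raw email (added example, not code from the show).
Keyword lists, the trusted-sender set and both sample messages are constructed."""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser

URGENCY = ("urgent", "immediately", "time is running out", "within 24 hours", "locked", "suspended")
CREDENTIALS = ("password", "login", "log in", "credentials", "verify your account")
GENERIC_GREETINGS = ("dear customer", "dear user", "dear account holder", "dear member")
KNOWN_SENDERS = {"ehrvendor.example", "clinic.example"}  # constructed: domains the office expects mail from

class _Links(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags; text/href mismatch is a classic tell."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def _host(url):
    m = re.match(r"https?://([^/:?#\s]+)", url, re.I)
    return m.group(1).lower() if m else ""

def _body(msg):
    """Join the text/* parts, decoding transfer encoding and charset."""
    parts = []
    for p in msg.walk():
        if not p.is_multipart() and p.get_content_maintype() == "text":
            raw = p.get_payload(decode=True) or b""
            parts.append(raw.decode(p.get_content_charset() or "utf-8", "replace"))
    return "\n".join(parts)

def triage(raw_message, known_senders=KNOWN_SENDERS):
    """Return the checklist items the message trips, in checklist order."""
    msg = message_from_string(raw_message)
    flags = []
    from_domain = _domain(parseaddr(msg.get("From", ""))[1])
    if from_domain not in known_senders:
        flags.append("sender not recognized")
    reply_domain = _domain(parseaddr(msg.get("Reply-To", ""))[1])
    if reply_domain and reply_domain != from_domain:
        flags.append("reply-to domain differs from from address")
    body = _body(msg)
    lower = body.lower()
    if any(w in lower for w in URGENCY):
        flags.append("sense of urgency")
    if any(w in lower for w in CREDENTIALS):
        flags.append("asks for login credentials")
    greeting = re.sub(r"<[^>]+>", " ", body).strip().lower()
    if any(greeting.startswith(g) for g in GENERIC_GREETINGS):
        flags.append("generic greeting")
    links = _Links()
    links.feed(body)
    if links.links:  # HTML body: does the visible text match where the link really goes?
        for href, text in links.links:
            href_host, text_host = _host(href), _host(text)
            if text_host and href_host != text_host:
                flags.append(f"link text shows {text_host} but points to {href_host}")
    else:  # plain-text body: flag URLs outside the sender's own domain
        for url in re.findall(r"https?://[^\s<>\"']+", body):
            host = _host(url)
            if host and host != from_domain and not host.endswith("." + from_domain):
                flags.append(f"link to {host} is outside sender domain {from_domain}")
    return flags

# Constructed sample: a bank-impersonation message like the ones the speaker describes.
PHISH = """From: "MyBank Alerts" <alerts@secure-login-alerts.example>
Reply-To: collect@mailbox-relay.example
Subject: Your account is locked
Content-Type: text/html; charset=utf-8

<p>Dear Customer,</p>
<p>Unusual activity was detected and your account is locked. Time is running out:
<a href="http://secure-login-alerts.example/verify">https://www.mybank.example/login</a>
and confirm your password within 24 hours.</p>
"""

# Constructed sample: a routine notice from the practice's software vendor.
LEGIT = """From: "EHR Support" <support@ehrvendor.example>
Subject: Scheduled maintenance Saturday
Content-Type: text/plain; charset=utf-8

Hi Dana, the scheduling module will be offline Saturday 2-4 am for maintenance.
Details: https://status.ehrvendor.example/maintenance
No action is needed on your side.
"""
```

A message that trips several items is one to hand to your IT contact rather than click through; a clean result is not proof the message is safe, which is why the speaker’s advice to confirm the sender still applies.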


HIPAA – Ransomware – Not if…WHEN

Hi everybody. This is Perry Barnhill with the Fearless Acupuncturist. Good morning to you, or good afternoon, whatever it may be. Today we want to give a big thanks to the American Acupuncture Council for sponsoring this video that we’re about to show you in regards to ransomware. Next slide, please.


Again, a big thank you to the American Acupuncture Council for sponsoring this. All right, here we go, everybody. Ransomware, you’ve heard about this. You’ve probably heard TV shows talking about it in regards to the computer things that happen, and it’s not if it’s going to happen to you. It’s when. So what I wanna talk about today is how do you plan for it?


How do you prepare and how do you protect yourselves if these things happen, or maybe when these things happen? Myself again, Perry Barnhill. Julie McLaughlin in the background as always, much help. We are here as healthcare providers just like you, with certifications in compliance and HIPAA. Okay, so ransomware, let me just take a moment.

I want to share a story with you. This is an actual event of what happened. Now, it’s a hospital situation, but these things happen in private practices. All right? So keep that in mind. They happen often, unfortunately, so I’ll just go over this little story with you. It was approaching midnight on Sunday, and the head of IT at a Florida hospital had a problem.

The emergency room of this 100-bed facility called to report that it couldn’t connect to the charting system that the doctors and providers were using to look up patients’ medical histories. So the Florida hospital’s IT director soon realized that the charting software, which was maintained by an outside vendor, was infected with ransomware and that he didn’t have much time to keep the computer virus from spreading.

So guess what? The hospital shut down its computer system on his advice, and here’s what he said. He said, if we hadn’t stopped it, it would’ve probably spread throughout the entire hospital. And what had to happen was the hospital had to revert back to their paper records, which I know a lot of offices have.

But this is all applicable even if you just have paper records. You generally, and almost always, have at least something regarding the patient in your computer. So even if you’re just using paper charts, you still have patients’ financial information in the computers, and a lot of times you have their histories in the computer.

In the computer all the time. Something’s there. So if the computer gets infected by ransomware, they can access that and they can hold it for ransom. So what is ransomware, or at least what do most of us think ransomware is? It’s extortion software; it locks your computer and then they ask money for it, or they ask a ransom for it.

So in simple terms, what happens is the malware gains access to your device, the computers, and depending on the type of ransomware, either your entire system, your entire operating system, or individual files are encrypted. And then what they do, these cyber crooks, is demand a ransom from you, or sometimes even from the victims, from patients.

So just some simple facts with ransomware. I think a lot of us are aware of these things. Basically, they can massively impact your practice. One little ransomware effect can cause chaos in our practices. In some cases, these ransomware, these cyber criminals, can demand in excess of a thousand, or rather, I wish it were only a thousand, but a million dollars so that you can get this information back.

Now, that doesn’t mean you pay, okay, I’m not saying that, but let me do this first. Let’s go over a quiz and just go through this. So is this true or false? According to an IBM report in 2022, do you think the frequency of ransomware breaches has increased from previous years? True or false?

I bet you know the answer. It’s definitely true. Most of us realize that these hackers, these cyber criminals, are creating more problems for us as time goes on. Yeah, 7.8 percent of breaches in 2021, and then 11% in 2022, and it continues to increase each year. How about this one, the impacts.

The impacts of a ransomware attack can be crippling, including monetary impacts and permanent closures, especially of smaller organizations like our offices. They delete files, and even patient procedures and testing can be canceled. So what can you, as an individual office or provider, do to help with these things or prevent these things from happening?

A, participate in and complete any required training. B, ensure your network security is in place. C, have your IT administrator’s or your computer person’s contact information easily accessible. Or is it all of the above? Yeah, it’s definitely all of the above. Each of those things we have to do; they play a critical role in patient care and patient safety.

Remember, cybersecurity is patient safety, and together we can protect our practices and the patient data we are entrusted to secure. So how can ransomware impact us as providers? This is a big one. This is massive. Monetary impacts: the amount of money we’ll have to pay, one, to resolve these things.

Two, maybe the fines and penalties that could come as a result of it if we don’t have our HIPAA policies and procedures in place. Impact to our organization: sometimes, depending on the type of breaches that happen or the amount of the breach that’s affected, we have to report these things publicly, to disclose to the public that we had a breach in our office. So it really can affect our reputation. It can close our organization or close our offices, especially smaller ones. Deleted files, or you’ve completely lost them. Delayed or canceled patient care. When systems shut down, it can potentially cripple your networks, forcing manual transactions where possible, and it really can cause havoc in our offices.

So these are reasons why you wanna make sure you protect your patients’ health information. So what’s the best defense? Usually the best defense is a good offense. Most ransomware attacks are sent in phishing campaign emails. We just did a class on this, we did a video on this, one of the last ones we did, regarding phishing and phishing campaign emails, so make sure you watch that if you haven’t. Staying alert when any email asks you to enter your credentials: you have to be extremely careful when emails are sent, making sure you know exactly where they’re sent from, or at least you know it’s a trusted source.

The next one here: installing updates. Whenever you’re prompted to, you have to do these things, ’cause if you don’t and you have a breach, guess what? You’re in trouble and you’re liable. Does your practice have an incident response plan? According to HIPAA, and according to all the rules, we have to have an incident response plan, meaning if something happens, this is exactly what we do. Do you have training? You should be aware of and understand your practice’s security policy. Is there training that you have? Because you have to have training. This is all part of the HIPAA policies and procedures. You have to have training, and you have to be able to document that training as well.

And also, if these things happen, do you have an emergency contact list in order to help resolve these things, in order to help get the files back if needed? Some of the resources: a lot of people like to see where the resources come from. They come from the Office of Civil Rights, and if you didn’t know, the Office of Civil Rights, or the OCR, they’re basically the police of HIPAA.

These are the folks we don’t want knocking on our doors if something happens. So what are some next steps? What are some things that you can do? One of the things that we talked about is you can download this HIPAA compliance checklist. Click the QR code; you’ll get it that way. Go through these questions, go through these statements and these bullet points.

If you can’t answer, if you can’t say that you’re doing each and every single one of them, not just nine outta 10, for example, you have to do each and every one of them to become HIPAA compliant. So make sure you go through this. If not, we certainly can help you with that. If you have any questions, we are more than happy to answer your questions. If you’d like to schedule a demo or just get started with it, just a couple of things you can do here. You can scan that QR code or you can schedule a demo. Just go, like it says right here, to fearlessprovider.com/demo. If you wanna just get started, go to www.fearlessacupuncturist.com.

Or you can contact me at Dr. perry@betterhipaablueprint.com. You can also contact Dr. Julie at Dr. julie@betterhipaablueprint.com. I want to thank everybody for attending this program and want to give a big thanks to the American Acupuncture Council for sponsoring. Again, this is Perry Barnhill with the Fearless Acupuncturist, and everybody have an amazing day.
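The incident response point above, getting the files back without paying, depends on a backup you have actually checked. As an added example, not code from the show or the Fearless Acupuncturist program, the script below records a SHA-256 manifest of a records folder when the backup is taken and later compares a folder against it, listing which files are intact, altered, missing or unexpected. The folder layout, file names and contents in demo() are constructed; the functions themselves work on any folder path.

```python
"""Backup manifest check for a practice's records folder.

Added example, not code from the show or the Fearless Acupuncturist program.
A ransomware incident is survivable without paying only if a verified backup
exists, so this builds a SHA-256 manifest of a records folder when the backup
is taken and later checks a folder against it. Folder layout and file
contents in demo() are constructed for illustration.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path, chunk=1 << 16):
    """Hash a file in chunks so large imaging or billing files are not read whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map every regular file under root (relative POSIX path) to its SHA-256."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify(manifest, root):
    """Compare a folder with a saved manifest.

    Returns sorted lists under 'ok', 'altered', 'missing' and 'unexpected' so
    a responder can see at a glance which records are still trustworthy.
    """
    current = build_manifest(root)
    return {
        "ok": sorted(p for p in manifest if current.get(p) == manifest[p]),
        "altered": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
        "missing": sorted(p for p in manifest if p not in current),
        "unexpected": sorted(p for p in current if p not in manifest),
    }


def demo():
    """Constructed walk-through: take a manifest at backup time, then check
    both the live folder (damaged afterwards) and the offline copy (intact)."""
    with tempfile.TemporaryDirectory() as tmp:
        live, backup = Path(tmp, "live"), Path(tmp, "backup")
        manifest_path = Path(tmp, "manifest.json")
        for folder in (live, backup):
            (folder / "charts").mkdir(parents=True)
            (folder / "charts" / "patient-0001.txt").write_text("constructed chart text\n")
            (folder / "billing.csv").write_text("id,amount\n1,80\n")
        manifest_path.write_text(json.dumps(build_manifest(live), indent=1))

        # Later: the live folder has been damaged, one chart overwritten with
        # unreadable bytes, one file gone, one stray file left behind.
        (live / "charts" / "patient-0001.txt").write_bytes(b"\x00unreadable\x00")
        (live / "billing.csv").unlink()
        (live / "notes.tmp").write_text("constructed stray file\n")

        # The manifest is reloaded from disk, as it would be from offline media.
        manifest = json.loads(manifest_path.read_text())
        return verify(manifest, live), verify(manifest, backup)


if __name__ == "__main__":
    live_report, backup_report = demo()
    print("live  :", live_report)
    print("backup:", backup_report)
```

Keep the manifest with the offline copy, not on the live system, and run verify() against the backup as part of the incident response plan drill the speaker describes, so you know before an incident that the copy restores cleanly.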
