
VersaTrust Blog

VersaTrust has been serving the Texas area since 1997, providing IT Support such as technical helpdesk support, computer support and consulting to small and medium-sized businesses.

Are Emails Compliant with HIPAA Laws?

Healthcare providers are searching for simpler ways they can communicate with patients. It can be tedious to schedule all communication in person or over the phone, so medical professionals are looking for another way. Email has become a popular form of communication for those in the healthcare industry, but there are questions about its legality and if it complies with HIPAA laws.

HIPAA sets the standard on what is or is not allowed regarding medical communication, meaning that to avoid a breach, penalties or fines, healthcare providers must understand the HIPAA privacy and security rules.

Privacy Rule: Patients have a right to request a provider communicate by alternative means.

Security Rule: Communication through email is not prohibited; however, it must have adequate protection.

HIPAA laws state that healthcare providers can communicate electronically, so long as safety measures are in place. Some suggested safety measures include:

Encrypted Email

It is always a good idea to encrypt sensitive information that you send electronically. Encryption keeps information safe, and should it fall into the wrong hands, it will be useless to them unless they have the encryption key. This makes encryption especially important considering that most email systems are not HIPAA compliant.

Do Not Send Protected Health Information (PHI) Via Email

If you must communicate any PHI, it is best to do this in person. By communicating sensitive information through email, medical providers may put their patients at risk of having their private information exposed.

Information that can be classified as PHI includes:

  • Payment claims submitted to insurance providers
  • Patient referrals to specialists
  • Appointment scheduling

Have Patients Fill Out Communication Consent Forms

A communication consent form will verify what forms of communication a patient allows. Written consent tells medical providers a patient’s preferred form of communication. This form is helpful if there is any confusion down the line as to what types of communication a patient allows.

Communicate Through a Patient Portal

A private patient portal is a place for medical providers and patients to message each other without the potential risks an email carries. A private portal is a secure platform where patients can view information about appointments and medical results, or communicate with staff.

The Office of Civil Rights (OCR) states that if a patient communicated with the medical provider via email previously, it is okay to assume that communication through email is okay. It is also the healthcare professional’s responsibility to alert the patient if they feel as though the patient does not understand the potential risk involved in communicating through non-encrypted emails. Alternative means of communication should also be made available in this instance.

There are other steps that HIPAA recommends to ensure the safety of information transmitted via email. HIPAA emphasizes ensuring that you send emails to the right recipients. They recommend double checking the intended recipient’s email address, and even sending a test email beforehand, which would help verify that the right person will receive the email.

A report by the Healthcare Billing and Management Association states that most of the Covered Entities and Business Associates are not in compliance with HIPAA laws. The fact that most are not in compliance means that patients need to take extra steps to ensure their information is secure and protected from potential security breaches. Patients should only communicate with medical professionals in a way that they are comfortable with, and should always remain aware of potential threats.

Are “Meltdown” and “Spectre” Something to Worry About?

Intel processors are having a Meltdown while AMD and ARM are being attacked by a Spectre.

Is a James Bond villain making our computers freak out?

No, it’s a new vulnerability found within these processors that affects Windows PCs, Linux, Mac, and even Android phones.

A fix has been identified, named KAISER, and all the major companies like Microsoft and Google are working on patches, or have already sent them out.

The good news is that these bugs are theoretical at this point. No evidence has been found that a hacker has actually used them to steal data. They can also affect Amazon Web Services and Google Cloud, both of which have already patched their servers and secured the problem.

Meltdown allows malicious programs to gain access to higher-privileged parts of a computer’s memory, while Spectre steals data from the memory of other applications running on a machine. Meltdown is said to be limited to Intel processors, but Spectre has been exploited on ARM as well as AMD processors.

Your private and important data is stored in the kernel, a highly protected part of the processor. What Meltdown and Spectre potentially do is allow data to be pulled from the kernel into a safer zone, like an application, and then pulled out.

When modern Intel processors execute code and arrive at the point in an algorithm where instructions branch out into two different directions, they save time by “speculatively” venturing down these forks. So, in other words, they take a guess and execute instructions in order to get a head start. If the processor learns that it went down the wrong path, it jumps back to the fork in the road and throws out the speculative work.

A hacker could trick a processor into letting the unprivileged code sneak into the kernel’s memory by using speculative execution. Retrieving this data isn’t easy since the processor throws out the temporary data when it jumps back to the fork. It does, however, temporarily store this information in the computer’s cache. With some clever coding and patience, a hacker could easily find and steal the data in the cache, giving him access to personal information, passwords, and more.

In order for a hacker to gain access to these kernels and steal your sensitive information, he has to first get into your system. Once inside, he can then install the malicious software needed to take advantage of the vulnerability.

Intel, AMD, and ARM have all been hard at work coming up with a fix for this serious vulnerability. But it’s not just PCs or Macs that are being affected. Amazon and Google servers also use these chips, which could not only allow hackers to see the data on your server but potentially jump servers to see other people’s data as well.

Microsoft, Linux, and Apple are also getting involved to repair the issue. One potential downside to fixing this problem is a possible slowdown of your CPU or phone. Isolating the kernel memory from unprivileged memory could cause a significant slowdown in some processes.

While it’s still too early to know exactly how significant the slowdown will be, some researchers are saying that it could be as high as 30%. Once the patches to fix the issue are rolled out everywhere, we should get a better picture of how this will affect performance. But still, it’s better to have some slowdown than to have a hacker taking information from your PC.

To prevent hackers from taking advantage of your system with Meltdown or Spectre, make sure to keep all the software on your computer updated, including web browsers. Keep Flash updated as well.  Then run security software to be sure you don’t have any unwanted or malicious software on your system. Finally, be on the lookout for phishing emails. A hacker could use this to trick you into letting their malicious code onto your system.

What You Need to Know About “Meltdown” and “Spectre.”

Two critical vulnerabilities were found in Intel chips that could result in a malicious attacker stealing your data, such as photos, emails, documents, browsers, and password managers.

How can this affect you? The vulnerabilities, called “Meltdown” and “Spectre,” can affect nearly every system built since 1995.

This includes computers and phones.

Proof-of-concept code was tweeted out on Wednesday (January 5, 2018), prompting the reveal. Windows, Linux, and Mac systems containing the Intel chip from the past decade are all vulnerable. Amazon Web Services and Google Cloud were also affected. Both have patched their servers and secured the threat.

Meltdown allows malicious programs to gain access to higher-privileged parts of a computer’s memory. Spectre steals data from the memory of other applications running on a machine. Meltdown is said to be limited to Intel, but Spectre has been exploited on ARM and AMD as well.

When modern Intel processors execute code, the code reaches a pre-programmed point in the algorithm. Instructions branch out into two different directions, saving time by “speculatively” venturing down these forks. In other words, they take a guess and execute instructions in order to get a head start. If the processor learns that it went down the wrong path, it jumps back to the fork in the road and throws out the speculative work.

A hacker could trick a processor into letting their unprivileged code sneak into the kernel’s memory by using speculative execution. When the processor throws out the temporary data, it jumps back to the fork. This makes data retrieval difficult, but it temporarily stores this information in the computer’s cache. With some clever coding and patience, a hacker could easily find and steal the data in the cache, giving him access to personal information, passwords and more.

For a hacker to gain access to these kernels and steal your sensitive information he must first hack into your system. Then, he’ll install malicious software on your computer to take advantage of the vulnerability.

Intel, AMD, and ARM are hard at work coming up with a fix for this serious vulnerability. But it’s not just PCs or Macs that are being affected. Amazon and Google servers also use these chips, which could not only allow hackers to see your data on the server, but potentially jump servers to see other people’s data as well.

Microsoft, Linux, and Apple are also getting involved to repair the flaws. One potential downside to fixing this problem is the possible slowdown of your CPU or phone. Isolating the kernel memory from unprivileged memory could cause a significant slowdown in some processes.

While it’s still too early to know exactly how significant the slowdown will be, some researchers are saying it could be as high as 30%. Once the patches to fix the issue are rolled out everywhere, we should get a better picture of how this will affect performance. But still, it’s better to have some slowdown than to have a hacker taking information from your PC.

To prevent hackers from taking advantage of your system with Meltdown or Spectre threats, make sure to keep all the software on your computer updated, including web browsers. Keep Flash updated as well. Run security software to guarantee you don’t have any unwanted or malicious software on your system. Finally, be on the lookout for phishing emails. A hacker could use this to trick you into letting their malicious code onto your system.

Don’t Wait To Start Training Your Employees To Protect Your Business During W-2 Phishing Season

W-2 Phishing season is about to begin – without the right IT security services, your business will be left vulnerable.

You and I know that effective communication with co-workers and clients is crucial, but are you sure your employees are practicing safe email and messaging conduct? If you don’t already have the best technical security services, your answer is probably, “I’m not sure”, right?

Cybercriminals are smart – they adapt quickly and continually come up with new ways to take advantage of businesses like yours. A popular tactic among hackers today is “phishing”, a method in which they send fraudulent emails that appear to be from reputable sources in order to get recipients to reveal sensitive information and execute significant financial transfers. With only a surprisingly small amount of information, cybercriminals can convincingly pose as business members and superiors in order to persuade employees to give them money, data or crucial information.

At this point, phishing attempts are nothing new, but without the right computer security services, you can still fall victim to a common phishing scam. This is especially a danger in the coming weeks when phishing will be primarily used to target W-2 data being processed for your employees during tax season.

This is nothing new. Over the past few years, cybercriminals have been very successful during tax season, executing social engineering campaigns against thousands of targets in order to access and steal valuable W-2 data. By sending phishing emails to unsuspecting workers in the payroll and HR departments in target businesses, cybercriminals have caused extensive damage, leaving companies like yours liable for fraudulent tax returns, identity theft, and class action lawsuits.

What does a W-2 Phishing Email Look Like?

As dangerous and damaging as these types of social engineering scams can be for you and your employees, the good news is that they are avoidable – if you know what you’re looking for. The key identifiers of a phishing email like this include:

  • Sender: Typically, the email will appear to come from a high-level executive or someone that the target employee wouldn’t want to question or ignore. Often the cybercriminal will go so far as to mimic the executive’s email signature to enhance the authenticity.
  • Request: The email will request W-2 or other tax information to be sent via reply, sent to another email address, or to be uploaded to a server.
  • Timeframe: The cybercriminal will likely try to create a sense of urgency so that the target doesn’t have time to think about the request or confirm it through other means.

Once the user’s email, password, and other information have been entered into the fraudulent website, the damage is done. The hacker can then take the information and do even more damage with it. It’s the new and constantly evolving cybercrime threats like these that make network security services so vital.

The key to phishing methodology is that it doesn’t rely on digital security vulnerabilities or cutting edge hacking technology; phishing targets the user, who, without the right training, will always be a security risk, regardless of the IT measures set in place. The reality is that small and medium-sized businesses like yours are put at great risk if you don’t have cybersecurity services.

What Can You Do About Phishing?

So what’s the answer? What can the average business member do to keep themselves and their company safe when criminals are employing such deceitful methods? In addition to equipping your business with the best technical security services, you should also be sure to educate and test your employees on IT security best practices and knowledge. Make sure they understand the following:

  • Never give out private information: The trusted institutions with which you do business will not ask you for your private information. They already have your account numbers, social security number, and your passwords. They won’t have any good reason to ask for it again, right? If an email from a superior or external contact asks for that info, it is likely a scam, so be sure to confirm the request by phone or in person.
  • Never click on a link before you hover over it with your mouse: If you hover over a link with your mouse, your computer will show you where that link is actually taking you. Many times, criminals will give you what looks like the right link (such as www.YourBank.com) but when you hover over the link with your mouse it actually will show something different (such as www.YourBank/2340937fvt5.com). If the link is not as advertised, then don’t click.
  • Always check up on unexpected email attachments. If you get an email from someone you know with an attachment that you weren’t expecting, give them a call or send them an email to confirm that the attachment is from them and is legitimate before you open it.

How Can You Be Sure Your Employees Know About Phishing?

The best way to ensure your employees know how to deal with a phishing threat is to test them. Allow us to help. We’ve prepared an example phishing email template that you can fill out and send to employees in just minutes to test their knowledge of phishing threats.

Check out this screenshot of an effective test email you can send to your employees to prepare them for the W-2 phishing season:

 

5 Reasons Why You Need to Make the Switch to Microsoft Office 365

If you run a business, chances are that you’ve thought about moving to an online productivity suite. The two most popular in recent years are Google’s G Suite and Microsoft’s Office 365. Touted as “innovative” and “the next big thing,” Microsoft’s productivity suite is a revolutionary concept when it comes to operating systems and computing. But why should you choose Microsoft over the other guys?

Because:

  • It’s cloud-based. Doing all your computing in the cloud means that you always have access to your files as long as you’re connected to the Internet. All of Office 365’s tools will work on any PC/Mac, tablet, or smartphone. With O365, you can use the online versions of the productivity suite, or install them to your device.
  • It’s secure. Whether you’re using the version of O365 installed on your machine, or the cloud version, you’ll get the best level of security and encryption. The same set of Rights Management Services applies to both. None of your files can be accessed without the proper user credentials that are set up and monitored by Microsoft Azure. This provides the best security and control over your Office 365 data.
  • Data is backed up. Microsoft’s Office 365 offers its own form of checks and balances, 24/7 support that’s always on-call, and OneDrive to store all your files. But it’s always a good idea to have an extra layer of protection by using a Managed Services Provider (MSP) who can monitor your backups and add an extra layer of security if your data is compromised or lost.

Office 365 offers major advantages over others. As with anything worth doing, there are pros and cons when moving your operations to the cloud. However, there are some major advantages when using the Microsoft Cloud:

  • You can work anywhere. If you have an internet connection, you can use your data from anywhere and on any device. You can check emails, access files, and work on a project all from the same place – even if that place happens to be the other side of the world.
  • Easy collaboration between coworkers. How many times have you had multiple people working together on the same project only to have one version go missing? With Office 365 you can avoid this. Collaborators can work on the same file and get changes in real time. You can also share files as links right from OneDrive, rather than as attachments.
  • Access to the latest versions of programs. Imagine having access to the most current versions of Word, Excel, and Outlook without having to pay extra or reinstall programs. All the most recent versions of everything in the Microsoft Office Suite are available with an Office 365 subscription.
  • Great security features. How secure the Cloud is for you depends on what security measures you have in place. With Office 365, there are quite a few built-in security features to keep your data safe. These include:
      • Encrypted email. Only the intended recipient can read an email.
      • Data loss prevention. O365 checks and ensures that sensitive data (like your social security number) doesn’t get sent out via email.
      • Mobile device management. You can control Office 365 on your employees’ phones, and protect company information.
      • Advanced threat analytics. O365 learns and protects company data, and alerts you of suspicious activity on the network.

Alongside all the advantages of using Office 365, there are also a few cons:

  • Subscription-based model. You must pay a monthly or annual subscription for your Office 365.
  • If the Internet is down, your data is down. Because Office 365 is cloud-based, if the Internet goes out, you could be without access to your data. Plus, if you have a slow connection, working with a cloud-based system isn’t ideal.
  • Most people don’t use all of its features. Most users don’t use everything that Office 365 has to offer. They only use email, file storage, and access to Office programs. This isn’t a terrible thing, but it means you’re paying for features that you aren’t using.
  • Microsoft throws in some great extras. Office 365 comes with 1TB of storage space in Microsoft’s OneDrive cloud storage service, free web hosting and the tools to use it, and a full 60 minutes of Skype each month for making landline calls.

Microsoft Office 365 is a very good example of not only what a cloud service can be, but what more businesses are turning to for their cloud needs. Cloud computing is becoming a big part of more companies’ tech strategy, and Office 365 is an excellent way to jump into the cloud.
