by Dave Moore, CISSP, 08/22/2021

Want to know how to be safe on the Internet? Come to the Norman Public Library Central location next month, September 29, 6:30pm, and take the new version of my class, “Fight The Internet Bad Guys and Win!” I will teach you how to stay out of trouble on the Internet, and then some. Call the library to register, ages 12 and older.

Last week’s column began our look at the HIPAA Security Rule that all doctors, nurses and other health care entities need to comply with in order to obey federal law. Unfortunately, a shockingly high number of medical professionals are not even close to following the rules designed to guard your health, protect your privacy, and keep you safe from Internet criminals.

This week’s column continues the discussion of The Health Insurance Portability and Accountability Act of 1996 (HIPAA). Whether you are a health care provider or not, HIPAA cybersecurity is very close to general Internet safety, and there is good advice to be had. The two columns need to be read together in order to see the entire picture. Begin Part Two.

Annual HIPAA training: employees and staff members are required to complete HIPAA training every year. Security awareness training: employees and staff members should also complete documented, periodic security awareness training, and the records of who completed it, and when, should be kept.

Thinking these things can simply be handed to the regular IT staff is a mistake. The truth is, most IT professionals are not trained or certified in security or HIPAA compliance, and are not qualified to handle these assignments on their own.

Some basic HIPAA compliance guidelines follow. First, all Internet-capable devices require frequent updating. Make sure your devices and software are always kept up to date, and that updates are actually installed rather than left waiting for a restart.

Email containing PHI (protected health information) must be end-to-end encrypted. Free, consumer-grade email accounts (Yahoo, Hotmail, Gmail, etc.) generally do not provide this type of compliance. Only email services that provide true, end-to-end email encryption (Hushmail for Healthcare, Barracuda, ProtonMail, HIPAA-compliant Microsoft 365, MailHippo, etc.) should be used to transmit PHI. Consult with your employer or the other healthcare entities you work with to make sure you are only using approved, fully encrypted email services. Sending PHI by ordinary text message (SMS) can be considered a HIPAA violation.

All devices that store or transmit PHI should be whole-disk encrypted, so that a lost or stolen laptop or phone does not become a breach. Access controls (logins, etc.) should be protected with strong, unique passwords. Passwords should never be shared.

Computers can have different types of accounts to accommodate different types of users. Administrator accounts are the most powerful, capable of doing anything and everything to a computer, and are therefore the most dangerous. Administrator accounts should not be used for everyday work; “Standard” accounts, which are more limited in what they can do, should be used instead. That way, if a bad-guy hacker or virus gets in through the account you use every day, the damage it can do is limited to what that Standard account is allowed to do.
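As an added example (not part of the column, and not code from the author), the following PowerShell script checks a Windows 10/11 PC against the two points above: whether the system drive is whole-disk encrypted with BitLocker, and whether there is a Standard account available for everyday work or every enabled account is an administrator. It also creates a Standard account; the account name “clinicuser” is a placeholder chosen for this example. Run it from an elevated PowerShell prompt on a Windows Pro or Enterprise edition, which is where the BitLocker module ships.

```powershell
# Added example, not from the column. Run as Administrator on Windows 10/11 Pro/Enterprise.

# 1. Whole-disk encryption: is the operating-system drive fully encrypted and protected?
$os = Get-BitLockerVolume -MountPoint $env:SystemDrive
if ($os.ProtectionStatus -ne 'On' -or $os.VolumeStatus -ne 'FullyEncrypted') {
    Write-Warning ("{0} is NOT fully protected (ProtectionStatus={1}, VolumeStatus={2}). " +
                   "Turn on BitLocker before this device touches PHI.") -f
                   $env:SystemDrive, $os.ProtectionStatus, $os.VolumeStatus
} else {
    Write-Host "$($env:SystemDrive): BitLocker on, fully encrypted ($($os.EncryptionMethod))."
}

# 2. Administrator vs. Standard accounts.
#    Get-LocalGroupMember returns local accounts as COMPUTERNAME\user.
$adminNames  = (Get-LocalGroupMember -Group 'Administrators').Name
$enabledUsers = Get-LocalUser | Where-Object Enabled
$adminUsers   = $enabledUsers | Where-Object { $adminNames -contains "$env:COMPUTERNAME\$($_.Name)" }
$standardUsers = $enabledUsers | Where-Object { $adminNames -notcontains "$env:COMPUTERNAME\$($_.Name)" }

Write-Host "Enabled administrator accounts: $(($adminUsers.Name) -join ', ')"
Write-Host "Enabled Standard accounts:      $(($standardUsers.Name) -join ', ')"
if (-not $standardUsers) {
    Write-Warning 'Every enabled account is an administrator. Daily work should be done from a Standard account.'
}

# 3. Create a Standard account for everyday work if there is none.
#    'clinicuser' is a placeholder name; the password is prompted for, never stored in the script.
if (-not $standardUsers) {
    $cred = Get-Credential -UserName 'clinicuser' -Message 'Password for the new Standard account'
    New-LocalUser -Name $cred.UserName -Password $cred.Password `
        -FullName 'Clinic workstation user' -Description 'Standard account for daily work' | Out-Null
    # Membership in 'Users' (and NOT 'Administrators') is what makes it a Standard account.
    Add-LocalGroupMember -Group 'Users' -Member $cred.UserName
    Write-Host "Created Standard account '$($cred.UserName)'. Sign in with it for everyday work."
}
```

The script only reports and, at most, adds one account; it never removes anyone from the Administrators group, because that is a decision the practice’s IT or compliance staff should make deliberately. On a machine where BitLocker reports “Off” or “FullyDecrypted”, enabling it (and escrowing the recovery key somewhere other than the device itself) should come before anything else on this list.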

Two-factor/multi-factor authentication should be used for all online account logins. Online passwords should never be shared, and should be changed regularly. PHI should be securely backed up, and the backups tested, so that it is recoverable in case of equipment failure, ransomware, or other emergency situations.

Only use a properly configured, secure Web browser, such as Mozilla Firefox, set to clear cookies, temporary files and browsing history when it closes. A browser left at its default settings, which keeps cookies, cached files and browsing history on the device (Google Chrome as typically installed, for example), should not be used for PHI. Devices containing and transmitting PHI should only be used on known, secure networks. They should never be used on public Wi-Fi networks (restaurants, Starbucks, etc.). Bluetooth should be disabled.
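As a second added example (again not the column’s own material), here is one way to put the browser and Bluetooth advice above into effect on a Windows PC: Firefox reads an enterprise policy file, distribution\policies.json, from its installation folder at startup, and the settings below make it wipe cookies, cache, history and form data every time it closes, keep no saved passwords, and lock those choices so staff cannot switch them back. The second half turns off the Bluetooth service and radio. It assumes 64-bit Firefox in its default location under Program Files; change $firefoxDir if yours is elsewhere. Run from an elevated prompt.

```powershell
# Added example, not from the column. Run as Administrator.

# --- Firefox: enterprise policy file (distribution\policies.json) ---
$firefoxDir = Join-Path $env:ProgramFiles 'Mozilla Firefox'   # assumption: default 64-bit install path
if (-not (Test-Path (Join-Path $firefoxDir 'firefox.exe'))) { throw "Firefox not found in $firefoxDir" }
$policyDir = Join-Path $firefoxDir 'distribution'
New-Item -ItemType Directory -Path $policyDir -Force | Out-Null

$policies = @{
    policies = @{
        # Clear local traces on every exit, and lock the setting so it cannot be turned off.
        SanitizeOnShutdown = @{
            Cache = $true; Cookies = $true; History = $true; Sessions = $true
            FormData = $true; Downloads = $true; SiteSettings = $true; OfflineApps = $true
            Locked = $true
        }
        PasswordManagerEnabled   = $false   # no saved logins on the device
        DisableFormHistory       = $true    # nothing typed into forms is remembered
        DisableFirefoxAccounts   = $true    # no syncing browser data to a personal account
        DisableTelemetry         = $true
        EnableTrackingProtection = @{ Value = $true; Locked = $true }
        DNSOverHTTPS             = @{ Enabled = $true; Locked = $true }
        BlockAboutConfig         = $true    # users cannot override policies via about:config
    }
}
$policyFile = Join-Path $policyDir 'policies.json'
$policies | ConvertTo-Json -Depth 5 | Set-Content -Path $policyFile -Encoding UTF8
Write-Host "Wrote $policyFile. Restart Firefox and check about:policies to confirm it is active."

# --- Bluetooth: stop and disable the support service, then disable the radio(s) ---
$bt = Get-Service -Name 'bthserv' -ErrorAction SilentlyContinue   # Bluetooth Support Service
if ($bt) {
    if ($bt.Status -eq 'Running') { Stop-Service -Name 'bthserv' -Force }
    Set-Service -Name 'bthserv' -StartupType Disabled
    Write-Host 'Bluetooth Support Service stopped and disabled.'
}
$radios = Get-PnpDevice -Class Bluetooth -Status OK -ErrorAction SilentlyContinue
foreach ($r in $radios) {
    Disable-PnpDevice -InstanceId $r.InstanceId -Confirm:$false
    Write-Host "Disabled Bluetooth device: $($r.FriendlyName)"
}
```

After a restart of Firefox, about:policies lists every policy that took effect, which is the quick way to verify the file was picked up. Note that this file governs Firefox only; any other browser installed on the device either needs an equivalent policy of its own or should be removed, since the point is that no browser on a PHI device retains history, cookies or saved logins.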

The use of VPNs (Virtual Private Networks) is encouraged as a good way to protect PHI in transit. However, HIPAA considers VPN providers that handle PHI to be “business associates.” A signed BAA (Business Associate Agreement) must be in place, obligating the provider to be HIPAA compliant, before a healthcare entity (doctor, nurse, clinic, hospital, etc.) is permitted to transmit PHI through the VPN service. Make sure you are only using approved VPN services.

Devices containing and transmitting PHI should never be used for personal entertainment or gaming. No Xbox, no Steam, no Spotify, no Apple TV, no Netflix, etc. They should not be used on social networking sites that require a login, such as Facebook, Twitter, Snapchat, Pinterest, TikTok, Instagram, etc. They should not be connected to personal email accounts. They should not be used for general Internet “surfing,” or with commerce sites such as Amazon, eBay, etc.

Conferencing tools, such as Zoom and Microsoft Teams, must be used securely and only in password-protected sessions over secure networks. Consumer-grade tools, such as Apple FaceTime, are generally not suitable for HIPAA-compliant use. Apps that are not work-related should not be installed or used.

The HIPAA compliance information I’m showing here should not be considered all-inclusive or complete. Healthcare organizations and other entities handling PHI often have specific HIPAA needs, requirements and HIPAA compliance expertise which should be consulted and followed in your particular HIPAA compliance efforts.

Dave Moore, CISSP, has been fixing computers in Oklahoma since 1984. Founder of the non-profit Internet Safety Group Ltd, he also teaches Internet safety community training workshops. He can be reached at 405-919-9901 or internetsafetygroup.org