Overview:

The Medical Assistant certificate program prepares students for a career as a medical assistant. Skills sets gained are medical assisting, clinical skills, clerical and administrative procedures including reception and scheduling, medical terminology, electronic charting, clinical testing, basic pharmacology, HIPAA training, first aid, and CPR certification.

Training:

• Basic medical terminology
• Basic Anatomy and Physiology
• Basic Pharmacology
• Clinical procedures and skills
• Healthcare Law and Ethics; HIPAA
• Medical office skills
• Customer service
• Communication skills
• Medical math
• Computer skills: Microsoft Office, Electronic Health Records
• Professional Development: resumes, cover letters, job searching and practice interviews
• Individual learning plans
• Individual employment counseling with a case manager

An internship in a healthcare setting is included. Job search, coaching, and support services are provided to employee and employer.

Classes offered twice annually

Program Schedule:

Monday-Friday, 9am - 3pm
Includes 720 training hours (30hrs/week for 24 weeks) and 120 hour minimum internship

Who is eligible?

• Applicants 18 years or older, who have a high school diploma or equivalent
• Unemployed, underemployed, and dislocated workers
• Students who are motivated to learn new skills and secure employment

All course materials included with tuition.

Medical Assistant Training Plus

This program is available for students needing English as a Second Language and/ or remediation classes.

This program prepares students for entry level clerical and bookkeeping positions with job titles such as accounting clerk, posting clerk, accounts receivable clerk, payroll clerk, or bookkeeper.

This program is designed for advanced level ESOL speakers who seek training in the bookkeeping & accounting field. The PLUS program includes an additional contextualized instructional material that is designed to enhance comprehension and retention for ESOL students. Additional supports are provided based on the individual learning plan.

The course will provide students who have minimal or no previous knowledge of accounting a basic understanding of accounting / bookkeeping principles and procedures used to record, classify, and summarize financial data. Students will become familiar with accounting terminology, financial records, forms, and statements currently used by industry. In addition, the program includes in-office training and computer skills, business math, and job development skills.

Program Overview

The Bookkeeping and Accounting certificate program teaches skills in manual and computerized accounting and bookkeeping functions, including preparation and maintenance of ledgers, journals, and adjusting closing entries, basic financial statements, cash and banking procedures, payroll, and accounts payable and receivable.

Comprehensive training includes:

Manual and computerized accounting procedures includes extensive training in QuickBooks and Excel accounting programs

Business writing and communication skills

• Northstar computer literacy certification
• Microsoft Office and typing skills

Work readiness skills include: business etiquette, cover letters, resumes, job search techniques, mock interviews, job placement and reference assistance

• A 120-hour minimum internship in an accounting office will get you real work experience and have you well prepared to enter the workforce
• Financial literacy seminar
• Food and Nutrition Education seminar
• Independent learning plans
• Individual counseling and job coaching
• Case management and tutoring

© 2022, Ogletree, Deakins, Nash, Smoak & Stewart, P.C., All Rights Reserved.National Law Review, Volume XII, Number 194

Q. I am a public health nurse and we frequently have to fax questions to the private physicians taking care of our patients. What can be done?

A. Faxing health-related questions to private physicians is allowable under the Privacy Rules if it is for treatment of the patient. Treatment is defined as the provision, coordination, or management of health care and related services by one or more health care providers, including the coordination or management of health care by a health care provider with a third party, consultation between health care providers relating to a patient, or the referral of a patient for health care from one health care provider to another. However, the nurse should first confirm that the fax number is correct and make sure the fax is in a secured location to prevent unauthorized access.

Q. I work in a nursing home, and we have to fax patient records to doctors' offices all the time or have them fax orders to us. What are the limitations on this practice?

A. This is considered treatment and use and disclosure by fax is allowable, but proper administrative, technical, and physical safeguards must be provided to protect the individual's privacy.

Q. Can I fax information to pharmacies/MD offices from our hospital or physician offices such as patient lab values, and notes from other health care providers such as physical therapy, or consultants called into the case?

A. As long as the disclosures are being made for treatment purposes for the patient, the necessary disclosures are allowed to be faxed to other treating entities, including pharmacies. The Privacy Rules permit a provider who is a covered entity to disclose a complete medical record including portions that were created by another provider, assuming that the disclosure is for a purpose permitted by the Privacy Rules, such as treatment of the patient. However, the minimum necessary rule is always in play. The minimum necessary rule is based on the practice that protected health care information should not be used or disclosed when it is not necessary to satisfy a particular purpose or carry out a function.

Q. We work in the doctor's office and are always asked to fax information to the local hospital or other physician offices. What can we fax without worry?

A. As long as the requested information is for "treatment," "payment," or "heath care operations" of the patient, the requested information should be appropriate to fax. However, the minimum necessary rule is always in play. It is also necessary to ensure the appropriate administrative, technical, and physical safeguards.

By Salvador Ordorica. CEO of The Spanish Group LLC, a first-class international translation service that translates over 90 languages.

Even as the day-to-day workflow of business is changing to meet evolutions in technology, the backbone of a successful company remains an appropriately trained and engaged workforce. At the same time, we are seeing our employees become more diverse, often located in entirely different countries. While these diverse individuals bring numerous intangible and tangible benefits that companies have come to cherish, they also come with a new set of compliance challenges.

Today’s companies struggle to keep current with constantly changing laws and emergent social concerns within their training; with added layers of complexity due to linguistic barriers, many businesses are hesitant to bring on board the best employees for the job, concerned that they will be unable to provide adequate training and meet compliance regs.

Practical multilingual compliance training helps employees from diverse backgrounds stand on equal footing in both the hiring and onboarding processes.

When you have effective multilingual training solutions for workplace health and safety, OSHA, HIPAA, etc., you can more comfortably bring on more skilled employees with more unique backgrounds. The following are some tips I have picked up helping companies diversify their workforce and training systems.

Typically speaking, you should aim to have all relevant training and compliance materials available in the major languages that your employees speak. But even this basic rule is not as simple as it may seem. The following steps can provide you a basic outline for creating a more effective multilingual training strategy.

1. Correctly identify the languages being spoken.

The very first thing, of course, is to figure out which languages you need your materials translated into. You want to ensure you have your materials translated into the official languages of the countries in question, but you also want to take the time to make sure you have training and essential lessons available in the languages your employees speak at home and are most comfortable with.

Don’t make assumptions based on region or ethnic background. In many cases, your employees may be speaking a particular dialect that differs from the one you expect. For example, suppose you have several native Thai employees. In that case, there is a chance that they will only speak one of the regional Thai dialects like Isan and may have difficulty understanding your materials even though you have translated them into a more standard form of Thai.

The closer you can get to the languages your employees are most comfortable speaking, the more you can encourage interaction while learning, and the more your employees will be able to understand and retain quickly.

2. Have a system for conducting and following up on training.

Figure out if you can have instructors to help facilitate your training in various languages or if you need to opt for some form of interpreting service to help you. What the training looks like can heavily dictate what needs to be translated and how it should be translated. Simply put, have some form of plan in place before you commit to creating your materials. It is not rare for companies to translate materials into three different mediums before deciding on their final approach.

3. Translate materials with the audience in mind.

A word-for-word translation of something often fails to properly convey the intended meaning and nuances involved. The term "transcreation" refers to the process translators often have to go through to recreate the intention of statements. We will often use metaphors or cultural phrases that simply do not make sense or do not convey the same meaning in another language or culture. Transcreation takes the intended meaning and reconveys it into the new language with the proper cultural and linguistic considerations. Often translators will need to create a whole new sentence to get the intended meaning across. This is a complex skill set and one that needs to be employed in full when it comes to training materials.

You need to understand your employees' education, culture and linguistic backgrounds and have your translator create messaging that speaks directly to them. Aim for clarity and simplicity, but localize the materials as closely as possible to the real-world experiences of your workforce.

You may also want to take the time to go through your parent documents and do your best to remove any Western cultural phrases or idioms and ensure all phrasing is culturally sensitive. This can help speed up the process for future translations and will require you to rely less on the abilities of various translators (as it makes for a more straightforward and standardized process).

4. Edit, review, test and track.

While most companies think about editing and reviewing training materials, they rarely think to put them to the test before finalizing them. This ties in with the first tip of having a proper plan in place. A good strategy is one that you have tested and that you know works. Pay careful attention to any software you may be using to underpin your training efforts and how people in other cultures can adapt to it.

It is a challenge, but you should also have a system for staying abreast of relevant laws and ensuring that you keep materials like employee guidebooks and standard operating procedures constantly updated in all necessary languages. Companies can often reduce fines for things like FCPA violations by showing that they provided all the proper training in the correct languages.

Lastly, track your effectiveness. We have a million data points at our fingertips these days. Figure out how to measure the quality of your training through these initiatives and over time. This can be especially helpful if you are testing different approaches.

If you follow these tips, you will likely find that you can more easily bring on, train and work with employees from a wide range of cultural and linguistic backgrounds.

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) required hospital networks, clinics, and research institutes to meet strict healthcare cybersecurity standards. But complying with the new Strengthening American Cybersecurity Act may be a whole new level of challenge.

The bill, enacted on March 15, takes a carrot and stick approach to security. It comprises three distinct acts. The Federal Information Security Modernization Act of 2022 and the Federal Secure Cloud Improvement and Jobs Act of 2022 could be described as carrots. They encourage covered entities to be proactive in improving their resilience to attacks. The Cyber Incident Reporting for Critical Infrastructure Act of 2022 is more of a stick. It stipulates harsher sanctions for breach notifications.

The rulemaking process, conducted by the Cybersecurity and Infrastructure Agency (CISA), is yet to begin in earnest. Accordingly, the extent of the law’s coverage is unclear. Currently only federal agencies and operators of critical infrastructure are definitely covered. However, the “Healthcare and Public Health Sector” is one of CISA’s 16 previously earmarked critical sectors. So the Strengthening American Cybersecurity Act will likely usher in new healthcare cybersecurity standards. The sooner they come, the better, given how the threat landscape is evolving.

Stricter Reporting Is Likely

Among the most stringent compliance requirements in the new Act is the focus on making cyberattack reporting faster and more detailed. The law requires covered entities to notify CISA within 72 hours of a breach occurring. When ransom payments are made, organizations must tell CISA within 24 hours. (Read The Life-Threatening Rise of Ransomware in Healthcare.) Reports to CISA must be detailed and provide information about how the incident happened and which security controls were in place.

Healthcare providers are familiar with the need to report certain types of HIPAA breaches. Indeed many have been busy instituting procedures to notify Protected Health Information (PHA) exposure within 60 days to comply with the most recent version of the law. However, few organizations are likely ready for the swift response reporting stipulated by the Strengthening America Cybersecurity Act.

HIPAA is designed to secure PHA only. The reporting requirements in the Strengthening America Cybersecurity Act are much broader. And the new law’s definition of a cybersecurity incident is still unclear. What is clear is that covered organizations must respond to cyberattacks much faster than they do now.

Unfortunately, when responding to security incidents healthcare organizations perform exceptionally poorly. A cross-sectoral study by Immersive Labs found health care organizations received an average cyber incident performance score of only 18 percent. This was the worst of any sector in the study. (Read The Top Three Weaknesses in Healthcare Cybersecurity.)

Stopping Attacks Is the Best Way to Beat Reporting Requirements

The best way to reduce the stress of reporting requirements is to stop breaches in the first place. Regrettably, preventing attacks is also something healthcare organizations are poor at. Last year almost 1 in 2 residents in many US states had their personal healthcare information exposed by a cyberattack.

Tighter healthcare cybersecurity standards may bring increased risk of legal action. And the average healthcare data breach already costs over $9 million and takes 75 days to contain.

Healthcare’s poor record at stopping and reporting attacks is partly a product of culture. Cybersecurity has traditionally been under-prioritized. Even in 2021, with ransomware attacks on healthcare soaring, a ComputerWeekly report showed barely 1 in 10 hospital executives prioritized cybersecurity.

Another part of the recently passed law, the Federal Information Security Modernization Act of 2022, sets out a framework for changing this status quo. This act requires covered organizations to implement a range of preventive cybersecurity measures. Implementing zero-trust architecture may soon become mandatory.

The Case for Zero-Trust in Healthcare

Taking a zero-trust approach to security essentially means no network entity is automatically assumed to be safe, even after initial verification. This approach is urgently required within healthcare.

Providing care to patients means healthcare organizations offer threat actors an immense range of attack vectors. These are both technological and human. With endpoint numbers soaring, it’s chilling to note more than half of healthcare IoT devices host a known unpatched vulnerability. No less unsettling is that almost a quarter of healthcare staff have not received any security awareness training.

Healthcare organizations can’t overcome these inherent and long-standing vulnerabilities by plastering over cracks. Instead of trusting Verified endpoints and devices, organizations need a security strategy that never trusts anything or anyone connected to its network. Making this happen is part technological and part cultural.

The obvious challenge of implementing zero-trust in healthcare is how to balance healthcare professionals’ operational requirements with tighter security controls. Healthcare professionals and hospital staff need to access patient data effortlessly. In many cases, security controls that get in the way can be dangerous to patient health.

Security teams must work with practitioners and administrators to develop authentication procedures and policies that fit real-world scenarios to overcome these obstacles.

In healthcare, an effective zero-trust strategy is one that strikes a balance between accessibility and security.  Zero-trust technology protects hospital networks from malicious code execution and provides deterministic protection without impacting performance or straining networks.

With Regulation Looming, Don’t Delay Security Improvements

We don’t yet know precisely what the Strengthening American Cybersecurity Act requires of healthcare organizations. By the time the rulemaking process finishes, CISA may choose to apply a different version of the law’s current statutes.

However, it’s clear regulators will ask more of healthcare organizations’ cybersecurity. Zero-trust architecture is a central part of the security improvements federal regulators will require for healthcare organizations.

Learn more about how zero-trust architecture and Moving Target Defense protects against the advanced cyberthreats healthcare needs to defend against. Read the white paper: Zero Trust + Moving Target Defense—The Ultimate Ransomware Strategy.

PR Newswire

CHICAGO, June 29, 2022

BDO USA confirms HIPAA compliance for Sinch security over voice, fax and UCaaS services

CHICAGO, June 29, 2022 /PRNewswire/ -- Sinch, a leading provider of cloud communications platform solutions for voice, messaging, and emergency services, today announced it has successfully achieved third-party validation of its compliance with the Health Insurance Portability and Accountability Act (HIPAA) for its security over voice, fax and UCaaS services. HIPAA accreditation was gained through an in-depth security assessment completed by BDO USA.

Achieving this compliance milestone demonstrates that Sinch's administrative, physical, and technical safeguards meet the required standards of control and security for their cloud and remote solution infrastructure, network protection, and operational practices.

HIPAA has established regulatory standards governing the security, privacy and integrity of data requiring vendors encountering this sensitive data to be HIPAA-compliant. The goal of an assessment is to evaluate how compliant an entity is with HIPAA rules and regulations protecting customers by keeping their data safe, protecting providers from data breaches to uphold their reputations, and helping providers invest their time and resources most effectively to assure maximum security.

"We have a solid track record of protecting client data and security to safeguard against potential data breaches," said Maher Rahman, vice president of information security, Voice Business Unit, Sinch. "Completing the security assessment with BDO allows us to continue to maintain the highest standards of cybersecurity and data integrity."

Rahman added, "Achieving this compliance certification allows us to further enhance the security provided to partners and clients who utilize our extensive voice solutions including SIP trunking, voice termination, UCaaS, and fax services. It also expands our current compliance suite related to ISO 27001, ISO 9001, PCI-DSS and SOC 2 Type II reporting across these product offerings."

BDO's rigorous process to evaluate firms for HIPAA certification required Sinch experts to host over a dozen workshops and provide extensive documentation of policies and procedures that decisively attest to HIPAA maturity. The BDO auditors and principals were highly impressed with Sinch process, procedure and documentation, related to handling electronic personal health information (ePHI), and awarded overall rating and individual domain scores among the highest they have issued in past years.

BDO is the fifth largest global public accounting, tax and audit firm internationally employing over 8,500 consultants in the U.S. across 70+ locations. BDO has been performing HIPAA security and privacy assessments for several years with qualified engagement resources that have experience managing HIPAA compliance requirements.

Sinch's leading cloud communications platform lets businesses reach everyone on the planet, in seconds or less, through mobile messaging, email, voice and video. More than 150,000 businesses, including many of the world's largest companies and mobile operators, use Sinch's advanced technology platform to engage with their customers. Sinch has been profitable and fast-growing since its foundation in 2008. It is headquartered in Stockholm, Sweden, and has local presence in more than 60 countries. Shares are traded at NASDAQ Stockholm: XSTO:SINCH. Visit us at sinch.com.

View original content to get multimedia:https://www.prnewswire.com/news-releases/sinch-secures-hipaa-compliance-validation-on-security-for-voice-fax-and-ucaas-301577474.html

SOURCE Sinch

Mathieu Gorge is the author of The Cyber-Elephant in the Boardroom, as well as CEO and founder of VigiTrust, which provides Integrated Risk Management SaaS solutions to clients in 120 countries across various industries. He helps CEOs, CxOs, and boards of directors handle cyber accountability challenges through good cyber hygiene and proactive cybersecurity compliance programs. He is a multi-award-winning CEO and an established authority on IT security, information governance, and risk management, with more than 20 years of international experience.

Mr. Gorge is also a prominent member of the international cybersecurity community and served as President of the French Irish Chamber of Commerce. He is the current Vice President of the Irish section of the French Trade Foreign Advisor, appointed by the French Government. He previously served as the Chairman of Infosecurity Ireland and was an Official Reviewer for ANSI.

We had the pleasure of talking to Mr. Gorge about what happens when regulations and habits cannot keep pace with the times and evolution of technology, especially as cybersecurity applies to COVID vaccine passports and other sensitive data being handled currently.

This is the situation we are seeing right now in the healthcare industry, where HIPAA covers most consumer personal health information, but has some significant gaps. For example, it does not cover data from Fitbits and other wearable technology, or DNA used in ancestry kits for sites like 23andMe.

Alice Ferng, Medgadget: Please tell us more about yourself, your background, and VigiTrust.

Mathieu Gorge, CEO & Founder of VigiTrust: I’m Mathieu, CEO and Founder of VigiTrust. We are a provider of software as a service (SaaS) integrated risk management (IRM) software that enables our clients to prepare for validation and to manage continuous compliance with legal and industry frameworks and regulations like PCI, GDPR, HIPAA, NIST, ISO, and many others. In fact, we are told that it covers about 150. The tool is called VigiOne; it’s in use in about 120 countries primarily in retail, healthcare, hospitality, government, semi state, higher education, and to a lesser extent, the transportation industry—primarily airports and airlines. We run an advisory board which is a not-for-profit think tank that has 150 plus science members who are C-level Board of Directors, law enforcement regulators, researchers, security bloggers in office. The not-for-profit think tank – when you sign the charter, you get access to a portal – you can put that on your LinkedIn. In fact, we’re doing a lot of updates on that at the moment as part of our own governance. And we also have a community of about 700 security professionals that are invited guests to some of the events.

I also created a methodology called the “Five Pillars of Security” about 12 years ago, and it’s based on the idea of whenever you look at any information governance, security regulation framework anywhere in the world, any industry, you always dial back to five common denominators: 1) people’s security, 2) physical security, 3) data security, 4) infrastructure security – which is your wider infrastructure – your third parties, first parties, your franchisees, your subsidiaries, your cloud, your applications, your remote workers, and so on, and then finally, 5) crisis management – what do you do when something goes wrong.

We use the five pillars of security specifically for education of board-level and C-level, folks. And in fact, it was suggested to me by members of the advisory board that I should write a book about the topic. And that’s how “The Cyber Elephant in the Boardroom” came about. So that’s my background in in a nutshell. And obviously, as you can hear from my accent, I’m French, but I’ve been living in Ireland for 25 years.

Medgadget: How or why did you get into cybersecurity? Was it something you were always interested in?

Mr. Gorge: I started working in project management, and then as part of the work that I was doing selling project management training, I started selling training to IT organizations. And then I started working in in sales in network security back in the day, back in the late 90s. And I kind of, you know, “got the bug: I thought it was an interesting, interesting industry. After working in that industry, for other people, for about four years, I felt around 2002 and 2003 – in fact, I started VG trust in 2003 – that there was a requirement for security, education, and education in data protection. Now, today, it’s common ground, and everybody understands the concept of data protection. But back then it was a new thing. And so even though I started VigiTrust to do data protection training, the first few years, when I went back to my old clients they always said, “Well, look, you’re nice, but your business is young, and you’re trying to sell something new. But we’d like to help – you can you sell us a firewall,” or something like that. Within three years, we were in Ireland a reasonably big value added reseller when we started doing assessments, and eventually, we went back to clients and started doing training on data protection, up until about 2012, when we productized the training. And then in around 2016, we stopped doing consulting, and pivoted into what is now VigiTrust: a provider of SaaS based integrated risk management tools. So that that’s the background.

I’ve always been really passionate about it, because I believe in protecting your data. Data is the new currency and is the new oil. But it’s also something that at some stage, some of the data becomes you. And in fact, the whole idea of having to tell your employer that you’ve been vaccinated, and suddenly you provide your employer a copy of your COVID details and health information. It’s crazy, because the amount of the amount of information that we share with parties has gotten to a stage where there’s very little personal information that you don’t share. And I’ve always been fascinated by that.

Medgadget: This is a very important and fascinating topic, as that touches on my main professional worlds of tech and healthcare. We’re often talking about HIPAA or GDPR, and the amount of personal data that is willingly or tacitly given away without much further thought from patients or consumers of products. When doing clinical research, one of the first things we’re so careful about is de-identifying everything and making it pretty much impossible to link the data with a specific individual, yet we see many holes in data handling procedures and protocols these days. Please elaborate more on data handling related to the COVID vaccine passport propositions and the main issues that you see with that as a professional in cybersecurity. I think a lot of folks don’t understand what data is actually getting handed over and who handles the data and how that’s stored, or what the consequences long-term may be.

Mr. Gorge: Yes, this goes back to education around the value of your personal data, right? So everybody tends to understand the value of your credit card data. But equally, they don’t really pay too much attention to it because if something goes wrong, they contact the credit card provider and 90% of the time, they get their money back within the same day, and 99% of the time, they can get the money back. So, they’re not too thinking about it.

But your health information is very unique, and you can’t go to another hospital and get a different set of health data – your health data is what it is. If you’ve got whatever medical condition you’ve got, even if it’s something small, such as asthma, or if you get tired when you do XYZ, you can’t change that it’s part of who you are.

You cannot get a second health identity, and your health identity is unique to you. It’s very important that we convey as security professionals – or medical professionals in your case – the value of that data to people that go to a hospital or to a physician or wherever. Unfortunately, most people are not really aware. And when they become aware of that, it’s when they’re in the hospital and they’re sick, and their primary concern is to get better.

I think that the hospitals have a duty to inform people as to what data they’re going to collect, and typically do so in the fine print, but nobody really understands that so it is a challenge. And in regards to HIPAA, if I’m not mistaken, HIPAA was enacted in August 1996, and so it’s an old framework, which has advantages and disadvantages. The main advantage is that there’s a lot of data as to what works and what doesn’t work, and how you apply the five rules. There’s a lot of best practice. And there’s enough jurisprudence out there that says, “Well, you know, there’s a hospital that owns the most expensive laptop in the world, and because the practitioner had a laptop with information covered under HIPAA and that laptop was stolen, they had to pay $3.5 million in fines.” People get that, and the university is the one that gets the attention. But HIPAA is a lot more unannounced and nuanced, and I do you think that it’s one of the things that HIPAA doesn’t cover well, and is why it needs to be modernized – the whole idea of software security.

HIPAA is very good at disaster recovery and making sure that entities keep the most up to date information, such that if there’s a problem, we can bring that up. And it will be accurate, and it will be as recent as possible. And that’s great. HIPAA is good at covering for parties, business, associates, and so on, and it’s good at requiring policies and procedures. Where I think HIPAA is falling down is where it’s an old regulation around software security. The part that I feel is missing, or, at least in my experience of dealing with health systems, is the whole idea of: if a hospital is using custom made software or if they’re integrating with custom made software – that we’re not necessarily putting in place the right checks in the right controls around – such as, has that software been checked for security architecture, or has there been secure coding reviews, and that kind of stuff. Right now, you see a lot of attacks going deep into code, and I think that that’s an area HIPAA needs to be modernized in.

Medgadget: So let’s say I’m one of these hospitals, and I’ve just created my own new program. And, actually, there’s so many spinning off right now related to the even the COVID data, and they’re trying to track personal health data or contact tracing in all sorts of ways. Many of these are not necessarily well built, because they were built in haste and often with limited resources where the actual coder isn’t a professional coder, or at least, a coder that is more familiar with security protocols. What would be your recommendations here?

Mr. Gorge: COVID is a great example of people rushing to market with applications that allow you to collect data and use the data for surveillance purposes that add value from a traceability or contact tracing perspective, from access to data to help cure people or look after them. But unfortunately, it’s a case of rushing to market versus risk assessment versus actually making sure that the solution is not increasing your risk surface.

And so rushing to markets, for data that’s going to be COVID related, is inherently going to be linked to my – to me – to my personal information, which means that if it’s not done the right way and if there’s no security checks, I am majorly increasing my risk exposure as a health system. So the recommendation would be to, of course, implement tools that allow you to do those things, but to make sure that the applications are pen tested, that the code is being reviewed, and that the applications are scanned on a regular basis, and that they’ve been risk assessed. And if there’s an issue, that they’re potentially suspended for a couple of days to fix the issues, because otherwise, it’s just creating a nightmare.

And I will say that using basic stuff, like the checks from OWASP or SANS, it should be second nature to those people that actually create those applications. But unfortunately, it’s not. And I think it’s not because HIPAA is not really focused on that, but HIPPA is focused on other important areas where things are already consistent.

When I look at the way that a health system is run: if you want to simplify “health system” to maybe a group of hospitals – there will be physicians, there might be clinics, there might be even potentially a nursing home that links to the hospital, and so on. So you’ve got all of these interconnected, little business units that exchange information, but are they exchanging information in a secure way of exchanging information in a way that I can say, this is not you?

The patient was admitted that day, we took that information, we checked his insurance, we asked him a few questions, we did a COVID test, and the tests came back positive. We did another test the next day, and it came back negative. So we had a false positive and so on. And so I mean, do I really want all of that data going from one business unit to another? Maybe I do, maybe I don’t, and maybe it has to go to another business unit within the health system so that I can be treated the right way. But I now have copies of all of my data in various business units. And traditionally, HIPAA requires some good controls around there. But with COVID, we’re essentially dealing with something that is just so topical and so sensitive, that we need to pay attention to it.

Now going back to the idea of the COVID passport: Let’s say I go into the health system and I come out, and I’m COVID free, and I go to get my vaccine somewhere in the hospital, and am given a CDC card, and then I’m told to go fill out an application. I go on to the application and and I upload all of my information – now that application has my date of birth, my name, where I live, my COVID status, the type of vaccine that I got. So if you look at Johnson & Johnson, which was halted recently in some places – imagine that I have a vaccine passport that says, “has been vaccinated by Johnson & Johnson – and now somehow somebody gets ahold of that, and starts saying, “Well, no, actually, you can’t hang out with Mathieu anymore, because he got he got that vaccine. That doesn’t work.” Well, from what I understand it’s one in a million, apparently, but you can see the ramifications of all that.

I think that right now, it seems since beginning of COVID, we’ve been reacting, and we’ve been taking a short-term approach towards cybersecurity, versus a long-term security goal to make sure that all of the additional information that we collect, is actually collected the right way. That it is stored the right way and disposed of the right way. But we’re just not really doing that, you know, and I fear that we’ve seen a rise in phishing, we’ve seen a rise in ransomware, and we’ve seen a number of groups using the information immediately. We’ve also seen a number of well-known criminal groups that are actually probably playing the long game, by infiltrating critical infrastructure, like hospitals, because hospitals are overwhelmed. Cybersecurity right now is extremely important, but they’re literally overwhelmed, and criminals have no hearts and I dread they’re going after those targets.

Medgadget: Yeah, it’s awful, and there’s definitely an upward trend of schemes to steal data from folks. I also agree with you and think that hospitals and healthcare data are most vulnerable right now. What would be your recommendations for healthcare systems and healthcare professionals? Clinical researchers or other hospital staff? How do they even start to learn about this? And what should they immediately implement?

Mr. Gorge: There’s a high chance that there’s some related COVID-19 cyber-storm that’s brewing because we’ve expanded our risk surface tremendously. Whether it’s a health system or any other organization, you will find that there’s a majority of the staff that is now working from home, probably using their own devices. And suddenly, you’ve increased your risk surface by double or triple since and sometimes even multiplied it by 10.

I think you need to go back to mapping your ecosystem. How many business units do you have? What kind of data is each business unit collecting, storing, and manipulating for whatever reason? What is it tracking? And then what’s the data flow between all of the different business units? And how is that data flow protected? Once you have done all of that, you can go back to the five pillars of security that I mentioned to you, whereby you can essentially say, “Okay, I want I want to know, within this health system environment, how am I doing for physical security? Can somebody just walk in and steal a computer, maybe steal the hard drive of a multifunctional printer, and then get access to all of that data that you provide? When you check in? At the hospital? How’s the people security? Who has access to what and who’s coming in? Who’s coming out? Where are they going? Can I trace everything? How’s the data security? What kind of data am I dealing with?”

So obviously, any type of normal PHI (protected health information), but in addition to that, any type of COVID vaccine information with any type of PII (personally identifiable information), or even payment data, because where things are going with modern hospitals, it’s like a five star hotel where you can pay to get access to the internet, you can pay to have additional services, and everything is done by credit card or tokes or so on, so everything is interconnected. So where is that data? From the infrastructure perspective: is my infrastructure bulletproof? How much of it is run by third parties or first parties? And then finally, crisis management. What are we going to do if the list of patients in the COVID worlds makes it to the dark web? Many have identified as a potential scenario. My guess is that not all health systems have done that as much as they can, and this is potentially an opportunity for health systems to get their house in order, right? Because if you listen to Bill Gates and other visionaries, there will be more pandemics, and there will be more crisis.

We need to learn from the mistakes that we weren’t completely ready for – for that type of game changing event, right? We need to look at architecture. If you look at the IT architecture of any business, whether it’s a hospital, bank, or hotel, it’s completely been turned upside down. So what you believe to be the right architecture, and the right model before, may have been the right model at the time, but today, you can’t anymore, because 90% of people are working from home. And even if we go back to working to the office, we’re going to have to reorganize and re-engineer the physical space. And therefore, that means reorganizing the logical access to systems and traceability, and so we’re opening up a lot of new doors. We need to be on our A-game.

Medgadget: Taking the conversation back to any individual out there – what should folks be thinking about? Most folks don’t think about things the way a cybersecurity professional does, and many don’t realize that they’re being directly or indirectly pressured to provide different sorts of data for all sorts of reasons as they go about their day.

Mr. Gorge: So I mean, I can provide you the risk professional answer, which will be long drawn answer with: be careful with your data, don’t share data with people you don’t know, make sure that you, if it’s an application that looks odd that you Google it, make sure that you look at the reviews, if you know don’t use 15 different applications to do the same thing, because you’re multiplying copies of the data.

But I think that the easiest answer to that is: if an application related to COVID at the moment is asking you to share data that you wouldn’t share with your stylist or with your best friend – be extra vigilant, do you really need to share it? Do you really need that application? Is it really adding value to you and to protecting your health? Because if the answer is “Eh, not sure,” then you shouldn’t do it. If on the other hand, the answer is, “Yeah, I really need it,” then at that stage, you need to dig a bit deeper, and, you know, nobody’s going to read the privacy policy unless we need to, but maybe now would be a good time to do that and potentially check that you’re happy to share that data. This is not crying wolf, but you have to ask yourself: if that company is hacked, and my data ends up in the public domain, what is going to be the impact. Okay, so my date of birth, well, I can probably get your date of birth anywhere on Google. My address – it’s annoying – but I can probably get it too. My health status — that’s really annoying – and I don’t want anyone to know, because it’s very, very personal. And as I said, there’s no health status “B,” and you only have one, and you need to protect it. So I’m not trying to scare people, I’m just trying to say that the real value of health data is tremendous. And yes, there’s HIPAA, and yes, it’s putting in a lot of good controls and it’s dealing with most of the attacks. But, COVID has generated loads of new attacks, and criminals have absolutely no mercy whatsoever. So now is the time to be cautious, I would say.

Medgadget: Yes, this is just the reality these days, and it’s better to be aware now rather than once it’s too late. Our physiological status and biometrics are definitely unique to us, and this sort of information isn’t something to be trifled with because there can be all sorts of long-term consequences.

Mr. Gorge: Absolutely. And I go back to the analogy with a credit card. It’s a pain if my credit cardholder data is stolen and used, but there’s so much regulation in this, and so much jurisprudence that I am nearly guaranteed to land on my feet within 24 hours. If somebody steals my health data, it’s a whole different ballgame.

Medgadget: What about the other side of this, in terms of risk management – let’s say it’s too late, and somebody has already given out their data and or they’ve enabled access to something or agreed to be tracked. What do you do to backtrack? Is that possible?

Mr. Gorge: Again, I go back to that idea of my five pillars, the fifth pillar being crisis management. So if you work with reputable health systems, and so on, you will definitely have identified a number of scenarios to address the risk, and to take corrective action when something goes wrong. That might be helping you to protect your identity, it might be making sure that it doesn’t happen again, that kind of stuff. But the reality is that you’re hoping that it won’t happen, especially for health data. And that’s why large health systems also have systems that allow them to stratify the type of data that we get, as you know, so they might have one level for generic personal data, and they might have another level for generic health questions, and another level for more in depth questions. And eventually, you end up with stuff that’s highly confidential, and goes back to the idea of data classification, with only people who are accessing the right data on a need to know basis. If you don’t need access to that data, you don’t get access to the data. Why would you have access to the data? You work as a triage officer at the reception at the hospital? You don’t need to see the results of my drug tests. Two days later, you don’t need to see, because your task is done. Somebody else is dealing with that, and they need access to that.

VigiTrust Annual Global Advisory Board – May 27, 2021

The Cyber Elephant in the Boardroom | Cybersecurity Podcast for CxOs (mathieugorge.com)

Thursday, June 16, 2022

Preparation for operations after the end of the Public Health Emergency (PHE) have commenced. HHS released guidance on using remote communication technologies for audio-only telehealth services in compliance with HIPAA. In March of 2020, HHS stated it would exercise enforcement discretion for noncompliance with HIPAA in connection with the good faith provision of telehealth services using non-public facing audio or video remote communication technologies during the PHE. That enforcement discretion will end when the PHE ends.

In this latest guidance, HHS noted that due to various barriers, such as disability, financial, or language, not all patients are able to access audio-video telehealth technologies and that audio-only telehealth helps to address the needs of these patients. Here are four key FAQs based on the guidance that telehealth providers and platform-providers, covered by HIPAA, should consider when implementing an audio-only telehealth offering:

1.  Are audio-only telehealth services able to be provided in compliance with the HIPAA Privacy Rule when the PHE ends? Yes. Telehealth providers need to implement reasonable safeguards to protect the privacy of protected health information (PHI), such as communicating in a private setting, or using lowered voices and not using speakerphone where a private setting is not feasible in order to comply with the HIPAA Privacy Rule. Telehealth providers must also verify the identity of any patient not known to the telehealth provider.

2.  Is it possible to comply with the HIPAA Security Rule when providing telehealth services over the phone or a mobile app? Yes. Technologies covered under the HIPAA Security Rule include smartphone applications, VoIP technologies, technologies that record or transcribe telehealth sessions, and messaging services that electronically store audio messages. One aspect of complying with the HIPAA Security Rule is that a security risk analysis on the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic PHI must be conducted when using such technologies. The security risk analysis should then be used to assist in the development of a risk management plan to address the identified risks and vulnerabilities.

3.  Does a telehealth provider need a business associate agreement (BAA) with the telephone company and/or wireless carrier? Maybe. Telecommunications service providers (TSPs) are the companies that provide voice and/or data transmissions services such as the telephone company, the wireless carrier, and/or, in some cases, a mobile application provider. Telehealth providers must enter into a BAA with a TSP that creates, receives, maintains, or transmits PHI for or on behalf of the telehealth provider. However, telehealth providers do not need to enter into a BAA with a TSP where the TSP: (i) only has transient access to the PHI transmitted; (ii) does not create, receive, or maintain PHI on behalf of the telehealth provider; and (iii) does not require access on a routine basis to the PHI transmitted on the call. TSPs meeting all of these specifications are known as “conduits.” HHS provided the following examples of scenarios where a BAA is or is not required with a TSP: 

Also, since the HIPAA Security Rule only applies to electronic PHI, it does not apply to services using a standard telephone line (i.e., landline). In general, telehealth providers should be cautious about relying on TSPs that do not sign BAAs and must conduct due diligence to ensure the TSP does not access or maintain PHI transmitted during the call.

4.  Does a telehealth provider need to ensure that its patients are complying with HIPAA? HHS notes that patients may use any telephone system they choose and telehealth providers are not responsible for the privacy or security of patients’ information once it has been received by the patient’s phone or other device. However, telehealth providers should note that if they provide a mobile app to the patient for use in either accessing telehealth services or storing medical information, the mobile app must comply with the HIPAA Privacy and Security Rule.

The planning and transition from PHE to post-PHE processes should start now for telehealth providers. Conducting risk assessments and diligence on existing vendors and their compliance with privacy and security laws must occur immediately. If a vendor that accesses, views, or maintains PHI refuses to sign a BAA, telehealth providers should immediately look to terminate the relationship with that vendor and consider alternative vendors that will sign a BAA. Developing a strategy for HIPAA compliance now, before the PHE sunsets, will pay dividends in the future.

Want to Learn More?

HIPAA applies to covered entities, like health care providers that conduct electronic transactions, but not most of the period-tracking apps found in an app store.