What are the HIPAA standards for IT?

A HIPAA covered entity is more than just a doctor’s office or hospital – it’s any business that comes in direct contact with a patient’s PII (personally identifiable information). This includes not only medical providers but law firms dealing with medical cases, health insurance companies and medical billing services. HIPAA is a mindset, a set of policies and procedures that are followed for doing business. That being said, there are some areas in IT that a covered entity should focus on.

IT areas of focus for HIPAA compliance:

  • Risk Assessment. Have one. It is required. Without one you can’t identify your vulnerabilities and you can’t address those vulnerabilities. This is your foundation for the HIPAA mindset.
  • Archiving logs of user transactions and event notifications. Who did what, when and where? These are the questions that have to be answered! Staff is a lot less likely to steal PII if they think they are being watched. You know people are paid to steal PII, right?
  • Secure e-mail implementation. Does your staff know how to send PII securely via e-mail? Use encryption if you need to send PII. Use a system that’s easy to implement.
  • Regular operating system and application updates for all computers. Computers should be updated weekly, and servers at least monthly. It’s best to automate this process so it’s not forgotten. This automated process should provide notifications of which updates were successful and which were missed.
  • Regularly scheduled vulnerability scans. Do them at least once a quarter and following any major IT changes. The vulnerability scan compares your IT environment to several reputable databases of vulnerabilities to identify issues that need to be addressed. Vulnerability software needs regular updates, so it should be subscription-based.
  • Policies & Procedures. Do you maintain a set of policies and procedures for handling and protecting PII? Although IT is included, it covers all aspects of the office right down to locking doors to sensitive areas and minimizing the view visitors have of your paperwork and computer screens.
  • Quality firewall device with intrusion prevention system (IPS). IPS is subscription-based protection that is updated as new IT threats emerge.
  • Good password policy. So critical! This includes not only how complex the passwords are, but how they are stored and end-user training on how to manage them.
  • Internet restrictions. Keep the office computers focused on the business, not on games, shopping sites or social media. All of those sites are rife with poor security that can lead to a breach of your data or a malware infection.
  • Mobile device management. PII should not be on unsecured mobile devices. If you must use mobile devices, they can be secured with the right technology.
  • Laptop encryption. Windows 10 Pro includes encryption. A stolen or lost laptop is considered a breach. Even if you don’t think you store PII on that laptop, it is used to access email and cloud apps where PII is kept. So encrypt it.
  • Physical security. Keep the server room locked! Desktops should be locked down with password protection if left unattended. Can patients wander behind the counter and have easy access to patient information lying around?

Where can I find help with HIPAA?

Next Century Technologies has a dedicated team of HIPAA experts to assist with everything mentioned in this list. We have a cost-effective approach to HIPAA just for the budgets of small and medium-sized covered entities.

Call us at 859-245-0582 or contact us online.

About the Author

Tracy Hardin is President and founder of Next Century Technologies in Lexington, KY. She has a bachelor’s degree in computer science from the University of Kentucky and has earned certifications from Novell, Cisco and CompTIA. Her specialties in the field of IT are network design and security, project management and improving productivity through technology. She loves helping people by sharing her knowledge of tech.

What are the benefits of managed services?

Do you have a reactive or proactive mindset? Do situations, events or the latest crisis dictate your next step? You might be a reactive thinker. Do you take situations in stride, have a plan B when something goes wrong and plan ahead to avoid a crisis? You are being proactive. Reactive thinkers scramble to react; proactive thinkers tend to be cool under stress because they have thought out the different scenarios. Proactive vs. reactive is the fundamental difference between managed services and break/fix.

What is managed services vs. break/fix?

In a nutshell, managed services embodies both IT services and hardware that work together to secure, protect, maintain and support a company’s IT infrastructure. It is a proactive mindset for managing IT. An ounce of prevention is truly worth a pound of cure in a world of ransomware and phishing attacks! Managed services are offered by IT solution providers that have built a stack of IT products that work together and a well-seasoned staff to utilize them.

Each managed service provider will have slightly different offerings, but the goal of proactively securing, protecting, maintaining and supporting remains the same. Most often, companies purchase a managed service plan so they don’t have to find, train and maintain their own IT staff. However, some companies will leverage the skill-set and products of a managed service provider to complement their own internal IT staff.

Break/fix, on the other hand, is waiting for something to break before calling for help. Services, support and hardware are purchased on an as-needed basis from an IT solution provider. It’s a reactive approach to IT where the management of IT is the responsibility of the business owner, not an IT solution provider.

What are the benefits of managed services over break/fix from the business owner’s perspective?

First and foremost, managed service providers make their money when their clients’ networks are functioning well, and lose when they are not – great motivation to maximize uptime! This leads to better productivity for their clients because the focus is on keeping the computers going, which keeps the client’s staff working.

There are many other great benefits of managed services:

  • Managed services offers 24/7/365 monitoring. This is the cornerstone of managed services, and the only way to be truly proactive.
  • A managed service provider has a team of IT experts. IT is complicated. To manage it properly a business needs a team of individuals with different areas of expertise that work together to resolve any issues as they arise. The expertise can also help recommend, plan and implement IT infrastructure improvements.
  • You don’t have to spend time and money searching for an IT person! Too often companies go through a long, drawn-out process of placing an ad, reviewing resumes, interviewing and then end up hiring someone that is not qualified. Lack of qualifications can lead to poor computer support or even a serious security breach. Not only that, but an in-house IT person will need ongoing training to keep up with the ever-changing world of IT and security.
  • Managed services is a proactive approach to managing IT. Break/fix, on the other hand, is reactive. An ounce of prevention is worth a pound of cure!
  • A managed service provider utilizes a multi-layered approach to secure all aspects of their clients’ IT infrastructure. Antivirus alone is no longer enough! A full 80% of data breaches target small companies. Many layers of security are now necessary including training the staff on what not to open or click.
  • Managed services provides a more predictable IT budget. With its fixed-price structure, it helps balance that budget for both hardware and support. Managed service plans are priced by the device or the user, and include support hours as well. Some plans even include the hardware such as desktops, firewalls, and switches. The associated contract guarantees predictable pricing for the term.
  • Many cyber insurance policies offer discounts for companies that have a managed services plan. Some discounts are steep enough to cover the cost of their managed service plan! Cyber insurance policies can pay off big in a ransomware situation.
  • A managed service plan comes with a service level agreement (SLA). In writing, an SLA provides guaranteed response time. An IT solution provider puts their managed service clients first.
  • A managed service plan frees up YOUR time! Under a managed service contract, clients allow their staff to open their own support tickets because they know it will be covered by the contract. Copies of tickets and/or reports keep managers abreast of what is happening. This frees up management’s time and allows them to focus on their core business instead of dealing with IT issues.

Our take on it

From the aspect of an IT solution provider, our favorite part of managed services is the freedom to select the best products for our clients. They trust us to make the best decisions for their IT. We are constantly researching and learning about technology and the threats that go with it so we can provide the best service possible and protect our clients’ investments. Plus, being proactive means we are cool under stress!

Next Century Technologies is a trusted provider of managed services and IT consulting since 2001.


How do I pick a cloud provider or vendor?

Next Century Technologies protects and manages information technology for clients from many different industries and fields. When we are looking for a new cloud-based service, whether it be for storage, or backup, or Office365 distributor, we follow our banks’ standards and look for these features in all our cloud providers:

1. SOC2 Certification

Look for a cloud provider that is SOC2 (Service Organization Control 2) certified. SOC2 means a provider’s information systems meet the standard for security, availability, processing integrity, confidentiality or privacy as set by the American Institute of Certified Public Accountants. Why? It means the provider is committed to security. These rigorous standards are added protection for your data. Financial and medical institutions look for providers that adhere to this standard. You should too!

2. Encryption

Is your data encrypted? Encrypted data is scrambled and requires a password key to unscramble. This keeps unauthorized people from accessing your data. Your data should be encrypted both in transit from your computer to the cloud, and while it is stored in the cloud.

3. Backups

Your data is in the cloud, but that does not mean it is backed up! What if you accidentally delete a file? Is it hard to get back? What happens if ransomware hits your computer and the encrypted files are uploaded to your cloud storage, essentially encrypting everything in the cloud as well? What if a disgruntled employee deletes all their files or emails before quitting? Don’t assume your cloud provider is backing up your data – find out! Did you know Office365 has an e-mail retention of only 30 days? That means if you accidentally delete an email or folder, you have 30 days to figure it out and recover it. Retention rates vary by provider, and some providers offer nothing in terms of backup! If backups are not offered, is there a third party product that can do the backup?

4. 2FA or MFA

Two-factor authentication (2FA) or multi-factor authentication (MFA) is becoming more and more crucial to protecting your cloud data from ransomware. New ransomware attacks designed especially for cloud storage are becoming more common. Two-factor/multi-factor means you will need more than just a password to access your cloud storage account – you will need a secondary method of identity verification, usually by means of a code sent to an e-mail or smart phone. Is 2FA/MFA offered by your cloud provider? Set it up. If it’s not offered, find a different provider. Not all SOC2 providers utilize 2FA/MFA!

5. Business Continuity

Catastrophes like hurricanes and floods can take out a data center or, at the very least, cut its access to the internet. Does your cloud provider actively replicate their data center to other sites around the country? Find out. A reputable provider will have this type of information on their website. It’s a great selling point.

6. Free comes with a price!

You get what you pay for. If the service is free, then how is the provider making money off YOU? Chances are good they are not SOC2 certified (which costs a lot of money), nor do they offer backups or 2FA. Do they even bother encrypting your data? Are they selling your contact information to spammers or scammers? Is their data center in an obscure country with questionable security? Or is it in someone’s house? Will they even be in business next week? If they disappear, what happens to your data?

Have questions? We can help!

Next Century Technologies has been helping businesses with IT since 2001! Call us at 859-245-0582.