5 Ways Law Firms Can Better Protect Their Data


Law firms have access to vast amounts of confidential data from their clients, making law firm data security crucial. Unfortunately, some law firms are operated by more traditional, less tech-savvy individuals who lack the knowledge of modern security requirements and threats.

Fortunately, law firms can take some simple steps that will help them better protect their data without overhauling their entire process.

Consider the following five methods for protecting confidential data.

1. Train Employees to Counter Threats

Law firms’ employees are the first line of defense against security threats, yet your law firm’s security is only as good as the training those workers have received. A frequent means of entry for hackers and malware is a phishing email.

Your workers must learn basic office security measures: how to identify a phishing attempt, how to secure their workstation before leaving, and why they should never plug in random USB or other storage devices they find around the office. With this and additional training, your employees can avoid becoming victims of the most common threats.

2. Make Sure You’re Using Multifactor Authentication for Apps and Emails

Damage mitigation is an essential aspect of law firm security, too. Essentially, you want to limit what someone can do with small yet valuable bits of data that are relatively easy to obtain. For example, if someone gets access to an email address, they could try to access your company’s applications with it.

By enabling multifactor authentication on your systems, you can thwart most attempts at gaining access in this manner. After all, even if they have an email and a password, they’ll still need access to the user’s phone or biometrics to access an adequately secured program in your office.

3. Limit Your Guest WiFi

Most law firms with a waiting room for clients offer to share their WiFi by providing a password to their clients. Although WiFi is a nice amenity to offer, it also puts you at risk.

If you allow guests onto your law firm’s WiFi, they could reach other devices on the same network or introduce malware. To be safe, limit your guest WiFi and keep it on a separate network from the WiFi used by your employees.

4. Consider Implementing Managed Security Services

Not all law firms have IT services on staff, which can leave them vulnerable if they don’t perform timely system updates or have someone available to counter an incursion. Some firms are too small to keep IT workers on the payroll. Sadly, that does not mean that they are less likely to be attacked by hackers than larger law firms.

An excellent approach to this situation is to get a managed services provider (MSP) to implement IT security, provide training, and update your law firm’s systems without having to employ them long-term. MSPs can implement protections that will make a law firm more secure and a less-likely target for criminals.

5. Follow a Proper Data Storage Plan

Although it may feel like modern computers are infallible compared to the systems of the past, hard drive failures, ransomware, and the simple loss of a storage device are still real risks for law firms that keep a single copy of valuable data.

A better storage philosophy to abide by is the 3-2-1 policy. Essentially, an employee will:

  • Create three copies of important data
  • Use two different forms of media to store the data (Hard drive, USB, external hard drive, cloud)
  • Keep one copy of the data off-site for data recovery (safes or shadow)

This storage plan can ensure a law firm has much better protection for its data and a means to bounce back in the event of a disaster.

Law firms have too much important data to lack a necessary form of security in their offices. Each of the methods mentioned here should be considered or implemented depending upon the existing security state within one’s law offices.

Remember, your business is never too small to benefit from the help of security professionals, and in the case of security, an ounce of prevention is worth a pound of cure.

Learn more about law firm data security and determine if your data is truly secure with a free risk assessment from WheelHouse IT!

HIPAA Technical Safeguards


IT Security And HIPAA Technical Safeguards

Does your healthcare organization need to be HIPAA Compliant? The HIPAA Cybersecurity and IT Security Services that are implemented by Wheelhouse IT can protect your practice from unnoticed threats. Protecting your practice from HIPAA violations is critical if you are a healthcare provider.

If your practice and patients aren’t protected by the most recent HIPAA compliance practices and technology, you could be putting your livelihood at risk. Security breaches and unauthorized access to health information and electronic patient health information can result in heavy fines, as well as loss of business. When it comes to data security and technology management, Wheelhouse IT can make sure your practice is HIPAA cybersecurity and IT security compliant, while also ensuring that it employs best practices to reduce risk.

In this article, we discuss the best practices for technical safeguards for HIPAA, focusing on cybersecurity and IT security.

HIPAA violations and the compromise of protected health information (PHI) remain a threat and a risk for covered entities and their business associates. Even though its requirements may appear confusing and numerous at first glance, the goal of HIPAA is to help you reduce the risks to your organization and to any stored or transmitted information. The Technical Safeguards detailed in the HIPAA Security Rule are one of these requirements.

The HIPAA Security Rule requires three kinds of safeguards that organizations must implement: administrative, physical, and technical safeguards. We’ll focus on technical safeguards, which outline the protections organizations need to have in place to protect electronic protected health information (ePHI).

What are Technical Safeguards?

HIPAA technical safeguards protect PHI and have become a major part of any HIPAA privacy program. Technical safeguards are important because of the advances in technology (including assistive technology) in the health care industry. They are key elements that help maintain the safety of ePHI as the internet changes. One of the greatest challenges healthcare organizations face is protecting electronic protected health information (ePHI), including electronic health records, from various internal and external risks with current technology. So, what are technical safeguards? They are the tools covered entities use to protect ePHI.

There are several overarching standards discussed within the HIPAA technical safeguards:

  • Access Control – giving users rights and/or privileges to access and perform functions using information systems, applications, compatible technology, programs, or files.
  • Audit Controls – hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use ePHI.
  • Integrity Controls – implementing policies and procedures for ePHI protection against alteration or destruction.
  • Person or Entity Authentication – verifying a person’s identity and the confidentiality of communications (authentication of employees) before granting him or her access to ePHI.
  • Transmission Security – guarding against unauthorized ePHI access when data is transmitted over an electronic communications network.

Cybersecurity

Cybersecurity is the art of protecting networks, devices, and data from unauthorized access or criminal use and the practice of ensuring confidentiality, integrity, and availability of information. Using cybersecurity to protect EPHI is a key feature of Technical Safeguards in the Security Rule of HIPAA. Technical safeguards are key protections due to constant technological advancements in the health care industry.

They are key elements that help to maintain the safety of EPHI as the internet changes. One of the greatest challenges healthcare organizations face is that of protecting electronic protected health information (EPHI). This includes the protection of electronic health records, from various internal and external risks. To best reduce risks to EPHI security, covered entities must implement Technical Safeguards.

There are many risks, and they come in various forms: malware erasing your entire system and access rights, an attacker breaching your electronic information systems and altering files, a hijacker or unauthorized user abusing your computers, access controls, and other electronic mechanisms to attack others, or an attacker stealing or freezing your data in return for money. Even with the best precautions and technical policies there is no guarantee you will prevent this, but there are steps you can take to minimize the chances in your electronic networks.

Reasonable Safeguards

Reasonable Safeguards for PHI are precautions that a prudent person must take to prevent disclosure of Protected Health Information by health care providers. To protect all forms of PHI, verbal, paper, and electronic, providers must apply these safeguards. They help prevent unauthorized uses or disclosures of PHI. In addition, safeguards must be part of every privacy compliance plan. Organizations must share this with all members of the organization.

An organization may face multiple challenges as it attempts to protect the essential element: the ePHI. These issues must all be considered, as they may originate from inside or outside the organization. Every organization needs to perform a full risk analysis and address each specification to protect itself from such a variety of threats. We present several examples of cyberthreats in healthcare you must be ready to address; this will help you as you develop your security program. First, however, we must understand the Technical Safeguards of the Security Rule.

Practicing Good Cyber Hygiene

When it comes to cybersecurity, it’s important to know what to look out for, how to track user identity, how to report potential threats and security risks, and, most importantly, how to keep your practice and your patient data safe by maintaining good security standards. Recently, the United States Department of Homeland Security (DHS) and the United Kingdom National Cyber Security Centre (NCSC) issued a joint release featuring additional guidance on how to spot potential threats from user activity and take important technical security measures. Important tips for safeguarding your practice during this time of increased risk include:

  • Make it harder for attackers and unauthorized persons to gain access to your users.
  • Know how to identify and report any suspected threats.
  • Protect your organization from the effects of undetected scams
  • Respond quickly and effectively to any incidents that do occur

There’s a lot of good ‘cyber hygiene’ out there, but here are a few top tips to keep your practice operations clean:

  • Secure systems that enable remote access
  • Ensure that employees have updated all anti-malware and antivirus software programs and software infrastructure on their devices
  • Encrypt any emails and electronic systems that include PHI or any other personal or financial information
  • Properly dispose of any PHI both electronic and paper when working off-site
  • Remind employees of appropriate access to PHI and implement controls such as applying additional protections for COVID-19 health records
  • Ensure that PHI is only accessed when necessary, especially on less secure wireless networks and electronic procedures such as those used when working from home

Your Trusted Cybersecurity & IT Security Services Partner

Unlike large corporations, healthcare organizations often lack sophisticated backup systems and other forms of resilience, making them prime targets for ransomware attacks. Unintentionally opened email attachments have become a common entry point for ransomware. The malicious code spreads throughout the computer system, locking and encrypting data folders and the operating system.

Wheelhouse IT Cyber Security & IT Security Services assist organizations with HIPAA regulatory standards. HIPAA requires that patient data be stored securely, that access to the data be controlled and monitored, and that healthcare organizations have the policies, procedures, and systems needed to ensure compliance. Our team will implement and govern your HIPAA Security Program to ensure your compliance daily, reducing the risk of data loss for the information you collect and store, and of costly regulatory fines. Contact us today!

Microsoft Teams HIPAA Compliance


Is Microsoft Teams HIPAA Compliant In 2021?

Microsoft Teams is HIPAA-compliant in terms of security, but HIPAA-covered businesses must enter into a business associate agreement with Microsoft that covers the Microsoft Teams platform before it may be used in conjunction with any ePHI. While Microsoft Teams, free or paid, is compliant with the standards, you’ll need a Microsoft 365 account and a premium edition of Microsoft Teams to configure compliance settings, obtain a compliance report, and perform monitoring.

Are you concerned about Microsoft Teams HIPAA compliance? Are you looking to achieve better HIPAA compliance with services like Microsoft Teams? Wheelhouse IT can help you! Wheelhouse IT is an MSP that can help ensure full compliance with HIPAA requirements and provide meaningful observations to help achieve your organization’s security, privacy, and compliance goals and objectives.

Since the COVID-19 pandemic began, security compliance has become very important – especially for health care providers. In this article, we discuss Microsoft Teams HIPAA Compliance in 2021 and its effect on compliance safeguards, compliance requirements, and the overall range of security features it brings to the table.

HIPAA compliance is a must for any healthcare organization. If your company deals with health-related and personally identifiable information, you’ll want to be sure all data is protected. Compliance, on the other hand, is a complex issue, especially in light of recent technological advancements.

As health-related data has increasingly become digitized, HIPAA compliance has become necessary to improve security and privacy. HIPAA compliance guarantees privacy for Protected Health Information (PHI). PHI must be secure and protected.

Understandably, this leads to complications when it comes to the management and maintenance of health-related data. How do organizations discuss health-related information while still making sure that it’s secure? How does a health organization make it possible for those who need the information to be able to access it, while protecting it from others?

HIPAA imposes standards in five categories:

  • Admin safeguards
  • Physical safeguards
  • Technical safeguards
  • Organizational requirements
  • Documentation requirements (policies and procedures)

Using these standards, healthcare organizations are required to: 

  • Ensure confidentiality, integrity, and availability of all PHI
  • Regularly review system activity records
  • Establish, document, review, and modify user access
  • Monitor login attempts and report any discrepancies
  • Identify, respond to, and document security incidents
  • Obtain assurances from vendors before exchanging PHI

HIPAA Privacy Rule: Compliance Obligations

The following information is considered to be protected under the HIPAA guidelines:

  • Patient’s name, address, birth date, and Social Security number;
  • Individual’s physical or mental health condition;
  • Any care provided to the individual; and
  • Information that concerns the payment for the care provided when the patient is identified or when the patient has a reasonable chance of being identified.

HIPAA Security Rule

The HIPAA Security Rule sets national standards for securing patient data that are stored or transferred electronically. To that end, the HIPAA Security Rule requires health care organizations to implement both physical and electronic safeguards to ensure the secure passage, maintenance, and reception of protected health information (PHI).

Additional Items Needed for HIPAA Compliance

Enabling security features to operate Microsoft Teams in a HIPAA-compliant manner and having a signed, current BAA with Microsoft are good first steps to ensure HIPAA compliance for your healthcare organization. Other steps you can take include:

  • Appoint a HIPAA compliance, privacy, and/or security officer to direct and monitor your HIPAA compliance program.
  • Know the required annual audits and assessments for your healthcare business and conduct those as required.
  • Conduct and document regular HIPAA training sessions for all employees. This should include reporting procedures for breaches.
  • Set up a remediation plan, and test, review and update it at least once a year.
  • Review your BAA with Microsoft each year to ensure it is up to date.

HIPAA Compliant Software Usage

Under HIPAA, software companies that “touch” (create, receive, maintain, or transmit) PHI are considered business associates. For HIPAA compliant use, software must have technical and administrative safeguards securing the protected health information (PHI) that is transmitted, stored, received, maintained, or created through them. Additionally, there must be a signed business associate agreement between a covered entity and the business associate before the platform can be utilized in conjunction with PHI.

However, no software can be fully HIPAA compliant on its own; it is up to the end user to ensure that they are using the platform in a HIPAA compliant manner.

Is Microsoft Teams HIPAA Compliant: Safeguards

Microsoft Teams has the following safeguards in place securing PHI:

  • Access controls – provides users with unique login credentials, ensuring that PHI is only accessible to authorized users.
  • Single sign-on (SSO) – enables users to securely access related systems (i.e. Microsoft Teams, Office 365, etc.) with one set of login credentials.
  • Multi-Factor Authentication (MFA) – requires users to present multiple credentials to access data (i.e. username and password, biometrics, security questions, etc.). This ensures that the user is who they appear to be.
  • Audit logs – track access to PHI to ensure adherence to the minimum necessary standard.
  • Encryption – converts PHI into a format that can only be read with a decryption key, preventing unauthorized access to data at rest and data in transit.

There are specific ways to maintain HIPAA compliance with Microsoft Teams:

  • Restrict data sharing and communication to MS Teams. The more information flows through MS Teams, the better and more thoroughly it can be protected. Teams can integrate with the rest of Office 365 which provides similar protections.
  • Review and restrict permissions for users. Users should always be granted only the permissions they strictly need to do their jobs to help minimize business risk. Further, these permissions should be regularly audited, and they should be removed immediately when employees leave.
  • Digitize and consolidate all data. Having paper data is now a significant security concern. Paper information should be regularly shredded, and all data should be consolidated within the Teams environment.
  • Regularly audit compliance. Regular audits can identify any security gaps in the system so they can be properly closed.

Requirements for a HIPAA Business Associate contract

A compliant HIPAA Business Associate contract should:

  • Describe how the BA is permitted and required to use PHI;
  • Require that the BA not use or disclose PHI, other than as specified in the contract or as required by law;
  • Require the business associate to use appropriate security measures to ensure PHI is used in accordance with the contract terms;
  • Require the covered entity to take reasonable steps to resolve any breach by the HIPAA BA if and when they become aware of one (if this is unsuccessful, the covered entity is required to terminate the contract with the business associate); and
  • Report the event to the OCR if terminating the contract with the business associate is impossible.

Compliance with HIPAA regulations is critical for the safety of your patient data and your network. Wheelhouse IT can assist you in complying with HIPAA regulations, as well as implement strategies to safeguard your network and data. With the expertise of our team, your HIPAA compliance is never in doubt.

To find out more, contact Wheelhouse IT today to discuss your HIPAA compliance needs and see how we can help customize a solution that best serves your healthcare organization.

Let us know how we can help your organization comply with HIPAA today!

Plenty of Phish in the Sea: Detecting and Avoiding Scams

Phishing scams are among the more subtle of cyber threats — and often the most destructive. Consider these tips for protecting your information in the digital age.

Casting a Wide Net

So what exactly are phishing scams? The fraudsters of the digital age, phishers are online scammers who operate by impersonating reputable agents, such as financial institutions, cable providers, and any other entity that may request personal information. Most often, phishing scams take the form of emails requesting information such as Social Security numbers, routing numbers, and bank account data.

Other common phishing scams include emails with links to fraudulent websites that mirror legitimate entities. Malware may be contained in attachments, or consumers may be instructed to respond to an email within a given amount of time, thereby allowing the scammer to obtain private data. Phishing scams use the same marketing and data acquisition techniques as social media outlets, often pulling thousands of user trends from sites such as LinkedIn, Facebook, and Twitter. Simply put, phishing scams are the impostors of the internet.

Reeling ‘Em In

Phishing scams come in two main varieties — spear phishing and whale phishing. Spear attacks target individuals, while whaling targets high-level executives on a larger scale.

Pharming is another commonly used technique, wherein users are redirected to a scam website or a cloned variant of a reputable site.

Voice phishing via communication media such as GoToMeeting and Skype is another form of digital deception that is on the rise. This type of phishing takes the form of phone calls purporting to come from the IRS and other entities, using prerecorded voice-over technology.

Mobile devices may fall victim to similar scams in the form of SMS phishing. Like email scammers, SMS fraudsters use text messages to impersonate legitimate agents.

Shark Proof Your System

The prospect of having your personal information stolen can be daunting. Fortunately, there are ways to protect yourself from phishing scams that won’t turn your data into chum.

Stay informed on phishing scams and know what to look for. Double check URLs and domain names: often, a scammer will use a false domain name that vaguely matches the email of a reputable entity. If a site looks suspicious, exit. Bookmark links to login pages for banks, credit cards, and other institutions so that you enter via the same secured link every time. Do not open attachments or links from unknown senders, and always have a reliable firewall in place.

Install a secured VoIP system for business communications and know which institutions will — and will not — request information via phone. For example, the IRS will never contact you via phone or email.

Pay attention to the language being used. It is unlikely that a legitimate financial institution will ever request login credentials or personal information via email. Lastly, follow the cardinal rule of internet safety — never disclose your Social Security number in an unsecured form such as an email or website.

To stay up to date on cyber security, check out our YouTube channel or contact us to learn more!

What is Phishing and How Can I Avoid it?

Phishing is a popular scam in today’s digital world. Pronounced “fishing,” this form of fraud occurs when a criminal targets a victim by email, telephone, or text message. These messages often contain malicious links, attachments, or forms that require an unsuspecting victim to enter personal details, which are then stolen by the attacker.

How Can I Spot Phishing?

The good news is that phishing can be prevented. Here are a few ways to tell if you’re being scammed and how you can avoid it.

Poor Grammar

Many phishing messages, including emails and text messages, are poorly written. If the grammar or structure of the message seems off, it’s probably fraudulent.

Unknown Sender

If the message is coming from an unknown address or number, chances are it’s not legitimate. If you’re unsure whether an email address is safe to reply to, look up the contact information of the original company. If the domain name (the last part of the email address) does not match, it’s fake.

Unknown Links and Attachments

If a message contains a suspicious hyperlink, assume it is malicious and don’t click it. Hovering over hyperlinked text reveals the real destination of the link without opening it and exposing your computer. Do not click on shortened links such as Bitly links, because these can be used to disguise longer malicious links.

Logos and Images

If the scammer is trying to imitate an existing company or service, look for official logos and high-resolution images. If the logos are cut off or pixelated, the message is fake.

Be careful not to rely on official logo usage when determining phishing. Advanced scammers can use high-quality logos without permission of the original company.
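The sender-domain and link checks described above (and in “Shark Proof Your System”) as a small triage script. This is an added example, not code from the original post or from WheelHouse IT; the allowlist of legitimate domains, the shortener list, the one-character lookalike heuristic, and both sample emails are constructed for the example.

```python
import re
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allowlist: domains this mailbox legitimately expects mail from.
KNOWN_SENDER_DOMAINS = {"examplebank.com", "wheelhouseit.com"}
# URL shorteners the article warns about: they hide the real destination.
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl"}


def sender_domain(from_header):
    """Return the lowercase domain, i.e. the 'last part' of the address."""
    match = re.search(r"@([\w.-]+)", from_header)
    return match.group(1).lower() if match else ""


def looks_like_domain(domain, known):
    """Lookalike heuristic (assumption): True if `domain` differs from a
    known domain by exactly one substituted, inserted or deleted character."""
    if len(domain) == len(known):
        return sum(a != b for a, b in zip(domain, known)) == 1
    shorter, longer = sorted((domain, known), key=len)
    if len(longer) - len(shorter) != 1:
        return False
    return any(longer[:i] + longer[i + 1:] == shorter for i in range(len(longer)))


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs, mimicking a hover over the link."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(value):
    """Hostname of a URL or bare domain string."""
    if "://" not in value:
        value = "http://" + value
    return (urlparse(value).hostname or "").lower()


def phishing_indicators(raw_email):
    """Return a list of human-readable findings; empty means nothing flagged."""
    msg = message_from_string(raw_email)
    findings = []
    domain = sender_domain(msg.get("From", ""))
    if domain not in KNOWN_SENDER_DOMAINS:
        lookalikes = [k for k in KNOWN_SENDER_DOMAINS if looks_like_domain(domain, k)]
        if lookalikes:
            findings.append(f"sender domain {domain} looks like {lookalikes[0]}")
        else:
            findings.append(f"sender domain {domain} is not a known sender")
    collector = LinkCollector()
    collector.feed(msg.get_payload(decode=True).decode(errors="replace"))
    for href, text in collector.links:
        host = host_of(href)
        if host in SHORTENER_HOSTS:
            findings.append(f"shortened link {href} hides its destination")
        # Visible text that itself looks like a web address but points elsewhere.
        if re.search(r"\w+\.\w{2,}", text) and host_of(text) != host:
            findings.append(f"link text '{text}' but destination is {host}")
    return findings


# Constructed sample: typosquatted sender, mismatched link text, shortened link.
SUSPICIOUS_EMAIL = """\
From: Example Bank Security <alerts@examp1ebank.com>
Subject: Urgent: verify your account
Content-Type: text/html

<p>Please verify at <a href="http://examplebank-secure.net/login">www.examplebank.com/login</a>
or use <a href="http://bit.ly/constructed-example">this link</a>.</p>
"""

# Constructed sample: known sender and a link whose text matches its target.
LEGITIMATE_EMAIL = """\
From: Example Bank <alerts@examplebank.com>
Subject: Your monthly statement
Content-Type: text/html

<p>Sign in at <a href="https://www.examplebank.com/login">www.examplebank.com/login</a>.</p>
"""

if __name__ == "__main__":
    for line in phishing_indicators(SUSPICIOUS_EMAIL):
        print("FLAG:", line)
```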

How Can I Avoid Getting Scammed?

Phishing is preventable if you know the signs. Approach unfamiliar or suspicious messages with caution, and don’t be afraid to ask a third party if you think you might be facing a scam. Never give personal information over the phone or web unless you initiated the contact and are sure it is safe.

If you suspect you are the target of a phishing scam, do not click any links and delete the email. If you received the message through a company, school, or other corporate email, alert your company about the message so they can warn others about the dangers of phishing.

WheelHouse IT provides technology services and security measures to help protect you from phishing scams. Contact us if your business is interested in working with a technology adviser.