MSP Cybersecurity Magazine - Blackpoint Cyber

Paul Tracey, Founder And CEO Of Innovative Technologies

“The larger companies are still susceptible, but they don’t get hit as often because they are investing in educating their employees. Small businesses aren’t having that conversation, and that’s a real problem. Hackers are having success with small businesses because of the lack of security tools and security training these businesses have.”

The new work-from-home environment has only made the situation worse. “If security measures were loosely followed before the pandemic, consider how problematic it became as masses of people were deployed to work from home using computers that aren’t set up with proper security, firewalls, or other protocols,” Tracey says. “Sadly, we’ve already seen a substantial uptick in digital threats targeting platforms that remote workers use. HIPAA standards could have prevented that.”

HOW TO GET A COMPANY TO ADOPT A SECURITY MINDSET

Tracey recommends the following actions to help transform a company’s security:

1. Execute Training: “The workforce is significantly undereducated about technology,” Tracey says. “And keeping up with the number of new threats popping up every day is tremendously difficult. That’s why we focus on employee education. It must be met with the same kind of commitment and persistence as doing the security work.”

2. Gamify Security: “We gamify the security practice,” Tracey says. “We send videos with security tips and phish and spear-phish all users by sending out a phishing email from us. If a user clicks on that link, it immediately sends them to training. We’ve found this on-the-spot training to be extremely effective at changing the behavior.”

3. Change The Culture: “The culture can completely change and be unrecognizable when you shift the employee computer behaviors and mindset,” Tracey says. “Frequently, I notice how people refer to their company computer and data as the ‘agency’s computer or data.’ Once we change employees to think in a possessive manner regarding the technology, they are more careful with it.”

4. Outsource To An IT Firm: “Organizations simply do not have enough hours per year to do HIPAA training and implementation correctly,” Tracey says. “We realized we could provide a package that freed up clients’ time. Companies only need to allocate 15–20 hours per year to HIPAA compliance. We do the rest.”

5. Educate Companies On The Benefits Of Compliance And The Consequences Of Noncompliance: Providers often don’t realize that the fines for violations may be less severe if they have taken proper measures to comply. “If a provider has properly trained an employee and received the policy attestation for the issue in question, the fine and/or associated legal actions can be greatly mitigated,” Tracey explains. “However, if the violation is deemed negligent because training and policy were not in place, the fines can be 10 times higher. But a breach doesn’t have to qualify as a HIPAA violation to be catastrophic. It may result in data loss, costly downtime, and further ramifications if the data gets sold, which can happen even when the ransom is paid.”

6. Implement Rules And Procedures Following The HIPAA Standard: Most companies don’t know what data they hold or where it’s located in their systems. They also have misconceptions about which data is protected. “Regularly, companies, especially smaller businesses, do not have procedures in place for even simple things such as what to do when you download a file and copy it or move it,” Tracey says. “A client may tell us they store all their medical data in an electronic health records (EHR) program, then invite us to perform an audit. It’s not unusual to find 6–8 months’ worth of information that never got deleted or $2 million worth of medical information saved in download folders and other unencrypted locations — all outside the EHR.”

“While HIPAA was designed to protect the privacy of patient records, it is actually an excellent framework for any organization’s security plan.”

With so many companies unaware of how much time it takes to make sure a company is safe, and with most internal IT departments overworked, there need to be more conversations around the risks and what companies can do to protect themselves. “The conversation about cybersecurity inside of organizations is long overdue,” Tracey says. “While there’s a long list of things to be afraid of, fortunately, there are reasonable solutions for all those bad, scary things. HIPAA is truly the gold standard and should be applied across all industries. An effective entry point is education. And an understanding of what threats you’re dealing with at this moment in time will help you make a plan to deal with those in order of the highest priority. Regardless, immediately start getting employees cybersecurity training, even if it’s minimal. Mandate and verify they do it. It’s time to take cybersecurity seriously because there’s no time to drag your feet.”

For more information on Innovative Technologies, please visit UpstateTechSupport.com.

MSPSuccessMagazine.com/cyber2022
