Blog, Live Events November 13, 2025

HIPAA – Top 3 Cybersecurity Threats in the Health Industry


Disclaimer: The following is an actual transcript. We do our best to make sure the transcript is as accurate as possible, however, it may contain spelling or grammatical errors.  We suggest you watch the video while reading the transcript.

Hi, everybody. Good morning, good afternoon, whatever it may be for you. This is Dr. Perry Barnhill with the Fearless Chiropractor. Go to slides please. First and foremost, I want to give a big thanks to ChiroSecure for sponsoring this video we’re gonna do in regards to cybersecurity. So let’s talk about this.


This is super, super important these days: the top three cybersecurity threats, as outlined in our practices as healthcare providers. Okay, so before I get into that, why is it that myself and Dr. Julie teach HIPAA? First of all, I really want you to understand this: we are chiropractors, so we understand what it’s like to have an office, to have employees and take care of a ton of people, but we also understand what it’s like to be concerned and to be worried about these things.

Compliance in regards to HIPAA. So we’re here to teach you these things. Both of us have certifications in compliance as well, and specifically in HIPAA. So we are gonna get started and talk about some of the things that you definitely need to be aware of. Fearless Provider quiz slash self-assessment.


I want you all to check this out, because so many of us think that we’re actually compliant with HIPAA. I talk to hundreds of doctors all the time, and one of the things is they go, Hey, I think I’m compliant, period. But I’m not really sure, but I think I’m pretty good because I have things such as the notice of patient privacy policy in the office, and I do a few things.

So what Dr. Julie and I have done is we’ve done this HIPAA risk score quiz. It doesn’t take long to do. So here’s what you do. Scan this QR code here, or you can go to the website below and take this quiz. Take this questionnaire. Again, it’s not long, it’s not scary, but it’s gonna give you a really good idea where you stand with HIPAA, and you know what?

An F, a D or a C, it’s not gonna fly. It’s not gonna fly with HIPAA. And believe it or not, as much as I hate to say it, even though Bs are generally good grades, if you have a B, you have the possibility, if they ever came looking at things, to have big fines. You gotta be closer to that A group. All righty.

Okay, so here we go. Insider accidental or malicious data loss. And I just want to give you a quick quote here from someone from the Department of Health and Human Services. They said, quote, an insider threat in the healthcare sector is potentially a person within a healthcare organization, or a contractor, which is like a business associate, by the way, who has access to assets or insider information concerning the organization, security practices, data and computer systems. Basically, this is what they’re saying: there’s a lot of folks out there that could potentially have access to our systems, and we have to protect those things. So insider threats, define who, what, and why. So they involve people in the organization, meaning our practices, who have access to our computer systems and our network.

So obviously there’s a lot of folks in our, I mean, everybody in our office generally has access to our systems. And when I say access to our systems, especially when we’re talking about HIPAA, I’m referring to what we call PHI. You’ve heard this word a thousand times. PHI is protected health information, and we’ve done videos in the past on what is and what isn’t protected health information, and just speaking generally, assume pretty much everything you have regarding a patient is considered protected health information. The next bullet point here: negligence or malice causes these insiders to compromise your patient and enterprise data, with repercussions for patient security and overall quality of care.

These are very serious things that we have to protect, and if we don’t protect these things, we’re gonna get ourselves in some hot water with the old HIPAA police, or the OCR, the Office of Civil Rights. So first thing, accidental insider threat. It can be an honest mistake. These are things that can happen within our office with the employees that we have, whether they’re associate doctors, our CAs, our office managers, and they literally make an honest mistake.

It’s not like they’re trying to maliciously attack our systems. These are our people. These things generally don’t happen. They do; it’s rare. Perhaps they’re tricked by a phishing email campaign containing an embedded link, which then sends the email information to an unknown source.

I’m not even joking with this phishing, all these phishing escapades, I’ll call it, where these bad actors out there send emails, they send links, and they look so real. It’s insane. And then we accidentally will click on these things. There’s things that look so real. They’ll go to an actual true website to give you another link to click on.

So they’re getting even more sophisticated now, whereas before I would see links and if you went to it, they got you. But now people are starting to look at these things. So now what happens is they’ll send you to a legitimate website, but then that extra step, they’ll say, oh yeah, if you want to access this now, click this.

So they’re getting a lot more sophisticated and a lot more tricky. You have to talk to your staff about these things. The other one is this intentional insider threat, kinda like I was talking about. The first one is accidental, and the second one would be something malicious, malicious loss or theft to our networks, our office infrastructure or our databases, with an objective of personal gain or inflicting harm to our offices.

So basically in this situation, somebody within our organization, in our office, or maybe even a business associate, has access to our computers and our patient health information, and they deliberately go to and try to steal PHI. Why? Because PHI is very valuable on the black market.

So the most prevalent threats of the three insider threats, careless or negligent employees, equal 56% of all of the incidents. So lemme just go back to this. I don’t even know if it’s truly negligence a lot of times, because in the real world it’s usually just accidental. Is it careless? It may be, but I think what it is, more than any of those things, it’s the lack of training to your staffing, telling your staff and your associate doctors to be super, super careful on the links that they click, the websites that they go to, because this is where a lot of the hacking happens, and when the hacking happens and they steal your protected health information.

It’s a mess. The steps you have to go through, it’s quite scary. So please talk to your employees about these things and train them on things such as phishing. We’ve done videos for ChiroSecure on this before, so go back and look through some of those things. Who’s behind the threats?

I know I’ve talked about a lot of these. Maybe it’s an office manager that steals and sells. Like I said, they’ll steal and sell the PHI. Obviously it doesn’t happen very often, but it can happen. A maintenance technician cuts network server wires and starts a fire, sabotaging operations. I don’t think that’s very common these days, but it’s happened in the past.

An intern, associate doctor or CA unknowingly installs malware. This is where it’s crucial for you to have the education. If this happens and the PHI is stolen, by law you have to report that to the OCR, the Office of Civil Rights, basically the government. And if you can’t show that you’ve done training, if you can’t show that you’ve done the things to help prevent these things from happening, that’s when you get yourselves in trouble.

The next one here, an associate. You know what’s an associate like? It can be anybody who has access to your patient information. It could be a billing company, for example, and they download contact information, which they get access to. They have to, if they’re gonna do some billing, and they may email it to a personal account, to a nefarious actor.

So we have to be very careful about these things. That’s why you have to have business associate agreements on file with anybody that has access to your PHI. And the last one here: front desk staff accesses patient financial information and sells it on the dark web. These things happen. It doesn’t happen very often, but employees will see the financial benefits of selling these things.

And sometimes, yes, it’s not very often, I know that, it happens. So we have to be aware of this. So how could this happen? Here we go. I’m repeating myself, but I wanna jump into this. 61% of data breaches involve an insider, primarily unintentionally caused by negligent insiders. The next one, this is the biggest one when it comes to HIPAA: lack of awareness of security policies and training.

Massive emphasis on policies of training. That’s what HIPAA was all about. Make sure you do these things. The next one: leaving an unencrypted mobile device or laptop containing sensitive data unattended, leaving the potential for loss or theft. Laptops get stolen all the time.

They get stolen from coffee places, they get stolen from your cars that you leave them in. You have to have specific policies and procedures in your HIPAA manuals that say, Hey, if we take a laptop outside of the office, this is how we’re gonna make sure we secure it. If we take a cell phone that contains this, this is how we have to secure it.

If you don’t have those things, that’s where you’re at risk for HIPAA fines and penalties. And the next one: an employee grievance against an organization. Yeah, unfortunately those things happen as well. Here’s a little quiz I just want you to go over. And it is this. Here’s a question.

Insider threats are people who, A, have legitimate access to computer systems and networks; B, have relatives working in the same department; C, people who are in their probationary period; or none of the above. So what do you think it is here? Of course, it’s A: insider threats are people who have legitimate access to our computer systems and our networks in our organization.

Really key phrase here. Tell your staff, seriously emphasize to your staff and your associate doctors: if you see something, make sure you say it. If something looks crazy, if it looks funky, make sure you say something before you ever click on it or before you ever jump into it. Follow your instinct.

If it feels bad, maybe it’s not right. So always report what doesn’t look or feel right to you. Be aware of the social engineering techniques. We’ve had videos, again, that’s ChiroSecure responsiveness on these things about social engineering. So go back and watch those things. And you have to, this is the law.

You have to participate in regular security training. This is why we do ongoing monthly HIPAA training for all the offices that are in our group. Data loss and data security is important, but there is little that I can do as an individual. So, is that true or false? Of course it’s false. You are the first line of defense.

Us as the chiropractors, the staff members, the office members, the associates, the interns: first line of defense. That’s why it’s so important to have this security training and awareness, because they handle this sensitive data, right? The sensitive data is PHI, every day in the office. Being aware of unusual activity.

Questionable emails is the key. It is the key. One little training to tell your staff what not to click can literally save you thousands and thousands of dollars and, above and beyond that, the stress that’s involved. Yeah, money’s one thing, and we don’t wanna have to spend thousands and thousands of dollars investigating the potential of a breach, or, anyways, dealing with the OCR.

The stress that’s involved with these things is not worth it. That’s why you have to make sure you have your ducks in a row when it comes to HIPAA compliance. So quick summary, insider threats happen in every organization. Sometimes yes, they’re accidental and sometimes they’re malicious and nefarious in nature.

So ask questions and be sure you have your staff well trained. I know I’ve overemphasized that, but that’s the biggest and the key, the first line of defense. These threats can cost your office millions, and they really can, a ton of money, and potentially cause it to shut down. If you see something, say something. If you’re a victim or you’ve made an honest mistake, reach out. We’re here to help. We’re more than happy to help you. So here’s some next steps. If you have any more questions, you can go to the website here, or sometimes docs and staff, they just wanna have a conversation with me. I’m more than happy to answer any questions, drperry@betterhipaablueprint.com.com.

If you wanna check out our HIPAA program and what it’s all about, what it looks like and how you go through that, feel free to schedule a demo with us. You can scan the QR code here, or you just go to go.fearlessprovider.com/demo. In the meantime, thank you all for being here, and I want you all to have a great and fantastic day.

Take care.
