
HIPAA regulations for Email

Email has been one of the most debated HIPAA topics since the changes to the Health Insurance Portability and Accountability Act were enacted in 2013. Of particular relevance is the language of the HIPAA Security Rule which, although it does not expressly prohibit the use of email to communicate PHI, introduces a number of requirements that must be met before email communications can be considered HIPAA compliant.

A few things need to be kept in mind. The HIPAA email rules require covered entities to implement access controls, integrity controls, ID authentication and transmission security in order to restrict access to PHI.

Covered entities need to monitor how PHI is communicated, ensure the integrity of PHI at rest, ensure 100% message accountability, and protect PHI from unauthorized access during transit.

Most HIPAA covered entities have put forward the argument that encryption is sufficient to ensure HIPAA compliance for email. However, the HIPAA email rules do not cover encryption alone.

Encryption alone does not fulfill the audit control requirement of monitoring how PHI is communicated, or the ID authentication requirement that ensures message accountability.

Moreover, some required functions, such as the creation of an audit trail and the prevention of improper modification of PHI, are complex to implement.

So, although email can be HIPAA compliant, it requires significant IT resources and a continuous monitoring process to ensure that authorized users are communicating PHI in adherence with the organization's policies for HIPAA-compliant email. HIPAA compliance for email is not always essential if an organization has an internal email network protected by a proper firewall.

Although HIPAA regulations for email do not ban sending ePHI by email, there is still the issue of how to send emails and remain HIPAA compliant.

Although the new regulation classed the sending of ePHI by email as an “addressable” requirement, it was not intended to be an “optional” consideration; rather, it is one which has to be complied with if organizations are to avoid severe financial penalties from a breach of ePHI.

Is it a HIPAA Violation to Email Patient Names?

It is not a violation to email patient names, but names and other PHI should not be included in the subject line of an email. The reason is that a name in the subject line could easily be viewed by unauthorized individuals. Another reason is that while email messages are protected with encryption in transit, the To and From fields are often not encrypted, which could lead to a data breach.


How to create a GDPR compliant password policy

GDPR stands for General Data Protection Regulation, which came into force in May 2018 in the European Union. The regulation applies to all organizations that do business with European citizens, even if they are not based in the EU.

Like other data-protection regulations, GDPR is vague when it comes to the exact details of how to implement a GDPR-compliant security policy. For example, there is no mention of passwords, but it does demand a high level of protection for personally identifiable data.

The procedures for accessing this data must take every reasonable measure to ensure compliance, as ignorance is not a valid excuse for failing to protect customer data.

First of all, users need to understand what a strong password is. The policy should specify some basic rules for what constitutes an acceptable password, namely passwords that are impossible to crack with a brute-force attack.

A strong password should be difficult for a computer to guess by trying every possible combination of characters. The longer the password and the larger the character set, the longer it would take to crack. It should always be alphanumeric and include special characters such as symbols.

Personal information should be prohibited

The most challenging aspect of preparing a compliant password policy is finding the right balance between what is memorable and what is secure.

Some users choose to write down their passwords to avoid forgetting them, which is an extraordinarily bad idea. Other users use birthdays, pet names and family members' names as passwords, which is equally bad.

Cybercriminals often discover those kinds of passwords by checking the information users post on social media. Train your employees about the dangers of using personal information in passwords.
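The two rules above (brute-force resistance from length and character-set size, and a ban on personal information) can be enforced mechanically at password-change time. The following is an added example, not part of the original post and not taken from any GDPR text; the minimum length, the 100-year threshold, the assumed attacker guess rate and the sample user profile are all assumptions chosen for illustration.

```python
"""Password-policy check: brute-force resistance plus a personal-information ban.
Added example; thresholds, guess rate and the sample profile are assumptions."""
import string
from dataclasses import dataclass, field

# Assumed attacker guess rate (offline attack against a fast hash).
GUESSES_PER_SECOND = 1e10
# Assumed policy minimums.
MIN_LENGTH = 12
MIN_YEARS_TO_CRACK = 100.0
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def charset_size(password: str) -> int:
    """Size of the smallest standard character set that covers the password."""
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += 26
    if any(c in string.ascii_uppercase for c in password):
        size += 26
    if any(c in string.digits for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)  # 32 ASCII symbols
    if any(c not in string.printable for c in password):
        size += 100  # rough allowance for non-ASCII characters
    return size


def years_to_brute_force(password: str) -> float:
    """Expected years to find the password by exhausting half the keyspace."""
    keyspace = charset_size(password) ** len(password)
    return keyspace / 2 / GUESSES_PER_SECOND / SECONDS_PER_YEAR


@dataclass
class UserProfile:
    """Personal information the policy must reject inside a password."""
    username: str
    full_name: str
    birthdate: str  # ISO date, e.g. 1990-04-17
    extra_terms: list = field(default_factory=list)  # pet names, family names


def personal_terms(profile: UserProfile) -> set:
    """Lower-cased fragments derived from the profile (names, common date layouts)."""
    terms = {profile.username, *profile.full_name.split(), *profile.extra_terms}
    year, month, day = profile.birthdate.split("-")
    terms.update({year, year + month + day, day + month + year,
                  month + day + year, day + month + year[2:], year[2:] + month + day})
    return {t.lower() for t in terms if len(t) >= 3}


def check_password(password: str, profile: UserProfile) -> list:
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    has_alpha = any(c.isalpha() for c in password)
    has_digit = any(c.isdigit() for c in password)
    has_symbol = any(c in string.punctuation for c in password)
    if not (has_alpha and has_digit):
        problems.append("must be alphanumeric (letters and digits)")
    if not has_symbol:
        problems.append("must contain at least one symbol")
    lowered = password.lower()
    for term in sorted(personal_terms(profile)):
        if term in lowered:
            problems.append(f"contains personal information: {term!r}")
    if years_to_brute_force(password) < MIN_YEARS_TO_CRACK:
        problems.append(f"brute-forceable in under {MIN_YEARS_TO_CRACK:.0f} years")
    return problems


# Constructed sample profile (not a real person).
SAMPLE_PROFILE = UserProfile("jsmith", "John Smith", "1990-04-17", ["Rex"])

if __name__ == "__main__":
    for candidate in ("Rex1990!!", "correct-Horse7battery$Stapl3"):
        print(candidate, check_password(candidate, SAMPLE_PROFILE) or "OK")
```

The keyspace estimate deliberately uses the smallest standard class that covers the password, so a long all-lowercase passphrase and a short symbol-heavy one are scored on the same footing; the personal-information check is a plain substring match, which is what catches the birthday-plus-pet-name pattern the text warns about.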

Single sign-on implementation

It is normal for people with multiple accounts on different sites to use different passwords, so it is possible for them to forget those passwords.

In the workplace especially, it makes sense to implement a single sign-on feature that provides employees with immediate access to every system they need to do their jobs.

Administrators can further manage access rights to ensure they follow the principle of least privilege. Single sign-on shouldn’t mean providing access to all the data in your company’s care.

Regular password resets should not be enforced

Industry experts have long recommended that users reset their passwords every three months. But this is not necessary, and it increases the chance that users will forget the new password.


GDPR Compliance for US Companies

The GDPR states that every company, both inside and outside the EU, that has access to EU individuals' data must comply with the GDPR. So it is very clear from the law that even US companies that can access EU residents' data have to comply with GDPR. If a US company fails to comply with GDPR, it has to pay heavy penalties for non-compliance. The main purpose of this regulation is to protect the data of EU residents.

GDPR compliance checklist for US companies

  • Conduct an information audit for EU personal data

If you are a US company, you have to conduct an information audit for EU personal data to check whether your organization needs to comply with GDPR. During the audit you must check what personal data your organization processes; if the data belongs to EU residents, your organization has to comply with GDPR. If your company offers goods or other IT services to EU residents, you have to comply with GDPR. If you need more information about GDPR data protection, go through Article 23 of GDPR.

  • The Right to be Forgotten and Data Subject Rights

GDPR has given the people of the EU two additional rights: i) the right to be forgotten (erasure) and ii) the right to portability of their data. The rights of data subjects are extensive under GDPR and are governed by Articles 15-22 of GDPR. According to these rights, an EU resident has the right to receive a copy of their personal data at any time. They also have the right to object to processing, including automated processing and profiling.

  • Controllers and Processors

The GDPR defines two categories: data processors and data controllers. You have to check whether your company is a data processor or a data controller. A data processor processes individuals' personal data on behalf of a controller, whereas a data controller determines the purposes and means of how customer data is to be processed. A company can be both a data controller and a data processor at the same time. Controllers and processors have different implications regarding how they comply with the GDPR for US organizations.

  • Designate a representative in the European Union

For non-EU companies, it is required to appoint a representative based in one of the EU member states under Article 27 of GDPR.

Above we have listed a few of the important steps that will help you avoid drawing scrutiny from EU regulatory authorities.


Clarifying the HIPAA Retention Requirements

HIPAA retention requirements are very simple. In this article we discuss which records need to be protected and for how long.

The first thing to remember is that there is no HIPAA medical records retention period. The Privacy Rule does not state how long medical records must be retained. Each state sets its own requirements regarding the retention of medical records in its laws, and it is the duty of covered entities and business associates to know the laws of their state regarding the retention period of medical records.

Ultimately, the retention periods differ for each type of record and depend on who actually owns them. Below are the medical records retention policies of some states:

Florida: In Florida, physicians should maintain medical records for at least 5 years and hospitals should maintain medical records for 7 years.

Nevada: In Nevada, health care organizations must retain medical records for at least 5 years. Medical records for minors should be kept until the patient reaches 23 years of age.

North Carolina: In North Carolina, it is mandatory for hospitals to keep medical records for 11 years from the date of the patient's discharge. The law in North Carolina also states that medical records for minors should be kept until the patient reaches 30 years of age.

Although HIPAA does not lay down any retention requirement for medical records, there is a retention period requirement for other HIPAA-related documentation. CFR §164.316(b)(2)(i) specifies that covered entities and business associates must retain the documents for at least 6 years from when the document was created, or from when it was last in effect.

Below are a few examples of the most typical documents subject to the HIPAA retention requirements. A covered entity or business associate may or may not be required to have or retain copies of them, depending on the nature of its business:

  1. Permissions for the disclosure of PHI
  2. Business associate agreements
  3. Disaster recovery and contingency plans
  4. Details of information security and privacy policies
  5. Incident and breach notification documentation
  6. Information on complaints and their resolution
  7. IT security system reviews (including new procedures or technologies implemented)
  8. Logs recording access to and updating of PHI
  9. Physical security maintenance records
  10. Audits of IT security systems

6 Countries with GDPR-like Data Privacy Laws

Since the GDPR was introduced, many other countries have followed the same trend to protect the personal data of their citizens. GDPR is certainly not the beginning, and it certainly won't be the end. With today's advances in technology it has become easy for cybercriminals and hackers to steal an individual's data, and that is why countries are bringing in strict laws to protect user data.

To help you get started, here are six examples of countries that have adopted comparable data privacy laws:

1. Brazil: After GDPR was introduced in the EU, Brazil brought in the LGPD, which stands for Lei Geral de Proteção de Dados. The law is very similar to GDPR in terms of scope, applicability, and financial penalties for non-compliance. According to this law, any organization that wants to do business in Latin America's largest economy has to comply with the LGPD by February 2020. Organizations that do not comply with the LGPD in Brazil face fines of up to 50 million BRL (approximately 11.8 million EUR).

2. Australia: In February 2018, Australia brought in the Privacy Amendment (Notifiable Data Breaches) to Australia's Privacy Act. Under this law, any company with an annual turnover of over 3 million AUD has to disclose data breaches that pose a “real threat of serious harm” within 30 days of their discovery. Organizations that fail to do so face fines of up to 1.8 million AUD (approximately 1.1 million EUR).

3. USA: In the USA, there is currently no data privacy law applicable to all industries at the federal level. However, every state in the US has its own data privacy laws to protect the personal data of US individuals, and the rules and regulations in each state set their own scope, applicability, and penalties. The most recent and strictest law adopted by any US state is the California Consumer Privacy Act (CCPA), which has many provisions and standards that overlap with GDPR.

4. Japan: In May 2017, Japan's Act on the Protection of Personal Information came into force. The law is very similar to GDPR, and all organizations (both foreign and domestic companies) that have access to the data of Japanese citizens have to comply with it. As with GDPR, companies located outside of Japan also have to follow the guidelines laid down in the Act.

5. South Korea: In South Korea, the law that protects the data of South Korean residents was introduced well before GDPR. South Korea's Personal Information Protection Act has been in effect since September 2011.

6. Thailand: Thailand introduced the PDPA (Personal Data Protection Act) in February 2019. The act will come into effect on 27 May 2020. The PDPA is very similar to GDPR in many ways, including the protection of residents' personal data.


What is Phishing? Phishing Attacks and Prevention Explored

What is Phishing?

Phishing is a type of online scam in which hackers or cybercriminals attempt to deceive users and take advantage of their data through electronic communication channels such as email, phone, social media and websites. The data they steal can be confidential information such as usernames, passwords, credit card information, network credentials, and more. Hackers send malicious links or attachments that, when opened or downloaded, can lead to data breaches.

Not only individuals are at risk but also the organizations that store personal information. Moreover, some phishing scams target a company's data in order to support spying efforts or state-backed espionage on opposition groups.

Phishing Methods

Most phishing scams are carried out by sending an email to a person or organization that contains a malicious link or infected attachment which, when clicked or downloaded, can hand over sensitive information through some user interaction. A few phishing methods are listed below:

  • Most phishing scams rely on link manipulation. Many phishing emails start with the generic greeting “Dear Customer”.
  • Phishing scams may use website forgery, which uses JavaScript commands to make a website URL look legitimate.
  • Covert redirection: hackers send a pop-up link that redirects users to a phishing website.
  • Cybercriminals also send infected attachments, such as .exe files and Microsoft Office files.
  • Many phishing scams are also carried out through phone calls, messages and social media tools, where fraudsters trick individuals into providing their sensitive data.

Types of Phishing Attacks

The three most common phishing attacks are listed below:

Spear Phishing

In this attack, attackers target specific individuals by sending an email that asks victims to enter their sensitive data at a link sent through the email.

Clone Phishing

In clone phishing, attackers make a nearly identical copy of a legitimate email message that was previously delivered to the customer and then replace an attachment or link with something malicious.

Whaling

Whaling is a large-scale phishing scam in which attackers target high-profile executives in an organization. They aim to steal money or sensitive information, or to gain access to the executives' computer systems for criminal purposes.

How to Prevent Phishing Attacks

  • The best method for any organization to prevent phishing attacks is to educate employees about recognizing suspicious emails, links, and attachments.
  • Enable two-factor authentication.
  • Use email filters that automatically flag high-risk email messages.
  • Augment password logins with personal images, identity cues, security skins, etc.
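The email-filter recommendation above can be illustrated with the indicators listed under Phishing Methods: a generic “Dear Customer” greeting, a link whose visible text names one host while its href points to another (link manipulation), and an executable or Office attachment. The following is an added example with two constructed sample messages; it is not code from the original post or from any mail-filter product, and the indicator weights, the flagging threshold and the sender/recipient addresses are assumptions.

```python
"""Heuristic mail filter scoring the phishing indicators described on this page.
Added example; weights, threshold and sample messages are constructed assumptions."""
import email
from email import policy
from email.message import EmailMessage
from html.parser import HTMLParser
from urllib.parse import urlparse

GENERIC_GREETINGS = ("dear customer", "dear user", "dear account holder")
RISKY_EXTENSIONS = (".exe", ".scr", ".js", ".doc", ".docm", ".xls", ".xlsm")
FLAG_THRESHOLD = 3  # assumed: total weight at which a message is flagged


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url_or_text: str) -> str:
    """Hostname of a URL; bare text such as 'bank.example/login' is parsed as a URL too."""
    candidate = url_or_text if "://" in url_or_text else "http://" + url_or_text
    return (urlparse(candidate).hostname or "").lower()


def looks_like_url(text: str) -> bool:
    return "." in text and " " not in text


def score_message(msg: EmailMessage):
    """Return (score, reasons) for one parsed message."""
    reasons = []
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    if any(g in text.lower() for g in GENERIC_GREETINGS):
        reasons.append(("generic greeting", 1))
    if body is not None and body.get_content_subtype() == "html":
        collector = LinkCollector()
        collector.feed(text)
        for href, visible in collector.links:
            # Link manipulation: the text shows one host, the href goes elsewhere.
            if looks_like_url(visible) and host_of(visible) != host_of(href):
                reasons.append((f"link text {visible!r} points to {host_of(href)!r}", 3))
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXTENSIONS):
            reasons.append((f"risky attachment {name!r}", 2))
    return sum(weight for _, weight in reasons), reasons


def is_high_risk(raw_message: str):
    """Parse an RFC 5322 message and report whether it crosses the threshold."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    score, reasons = score_message(msg)
    return score >= FLAG_THRESHOLD, reasons


def build_sample(html_body: str, attachment_name: str = None) -> str:
    """Construct a sample message (addresses are placeholders, not real domains)."""
    msg = EmailMessage()
    msg["From"] = "alerts@bank.example"
    msg["To"] = "user@corp.example"
    msg["Subject"] = "Account notice"
    msg.set_content("Plain text version of the notice.")
    msg.add_alternative(html_body, subtype="html")
    if attachment_name:
        msg.add_attachment(b"MZ\x90\x00", maintype="application",
                           subtype="octet-stream", filename=attachment_name)
    return msg.as_string()


# Constructed samples: one with all three indicators, one benign statement notice.
SAMPLE_PHISH = build_sample(
    '<p>Dear Customer,</p><p>Please verify your account at '
    '<a href="http://login.bank-example.evil">bank.example/login</a></p>',
    attachment_name="invoice.exe")
SAMPLE_LEGIT = build_sample(
    '<p>Dear John,</p><p>Your statement is ready at '
    '<a href="https://bank.example/statements">bank.example/statements</a>.</p>')

if __name__ == "__main__":
    for label, raw in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(label, is_high_risk(raw))
```

The mismatch rule only fires when the visible link text itself looks like a URL, which is the case the page describes; a link whose text is “Click here” carries no claim to contradict, so it is left to the other indicators and to user training.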