CIO Cyber-threat Checklist
1. Ensure everyone in your organization understands that cybersecurity is not just an IT problem; it is everyone's problem. All the advanced technologies, firewalls, passwords, tokens, SDNs and so on, will provide no value if someone inadvertently responds to a phishing, smishing, spoofing or similar low-tech/no-tech attack. Communicate, train, monitor, improve and communicate.
2. Hire, train and retain the best possible cyber talent you can afford. Cyber experts are in high demand, competition is great and compensation is greater. Do not be penny-wise and pound-foolish.
3. Executives have become an extremely popular target group for low-tech or social engineering cyber attacks. They tend to be the least tech-savvy and have access to the most valuable enterprise assets. Successful attacks and breaches on this group tend to be the most visible (and embarrassing), both internally and externally. Communicate, train, monitor, improve and communicate.
4. Most enterprises now accept that becoming the target of a cyberattack is a question of "when," not "if." There is no such thing as too much communication, preparation and testing. Communicate, train, monitor, improve and communicate.
5. Ensure you and your team are fully versed in the latest set of external regulations and internal cyber-risk management policies and procedures. Compliance violations are not only embarrassing; fines and penalties are typically significant unbudgeted items. Communicate, train, monitor, improve and communicate.
6. Make sure your incident response process includes well-documented and tested escalation procedures to ensure all the right internal and external stakeholders are notified in a timely manner. Communicate, train, monitor, improve and communicate.
7. Most security experts agree that there is no perfect defense that completely prevents cyber intrusions; the best defense therefore includes early detection of intruders and timely mitigation of the damage malware does once it is inside your environment. Acquire and deploy the best detection and response tools your budget allows, and make sure someone is actually watching their output.
8. Spending on cyber security should be managed by business case, similar to other IT investments. All enterprise assets are not created equal and some must be more fully protected than others. Identify, locate and classify assets based upon the business impact if asset classes are corrupted, lost or stolen, and budget for their individual protection accordingly.
9. Next-generation firewalls, cyberthreat intelligence and security analytics are among the most popular areas of network security investment.
10. Ensure any existing or newly acquired network inspection tools can inspect TLS-encrypted traffic (still commonly called "SSL"), as more and more websites move from HTTP to HTTPS. Decrypting that traffic means terminating TLS at an inspection proxy that issues certificates from a private CA trusted by your endpoints, so treat the proxy as a high-value asset, confirm it supports current TLS versions rather than silently passing through what it cannot decrypt, and decide explicitly which traffic (for example, employees' personal banking or health sessions) should be exempt from decryption.
11. Endpoint isolation technologies (application containerization, micro-virtualization) are widely regarded as best-practice endpoint security: they confine a compromised browser tab or document viewer so that malware it executes cannot reach the rest of the host.
12. When you think you have finished with everything you need to do, go back to No. 1 and start again.
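Item 10 says the inspection tool must be able to see inside TLS. Before buying a decryption proxy it is worth knowing what a passive monitor already observes without decrypting anything: in TLS 1.2, and in TLS 1.3 unless Encrypted Client Hello is in use, the destination host name travels in the clear in the ClientHello's Server Name Indication (SNI) extension. The following Python program is an added example, not code from this page or from HIPAA Watchdog. It constructs a minimal ClientHello (a constructed sample, not a capture from any real client) and parses the SNI out of it the way a passive monitor would, returning None for non-TLS bytes, a truncated record, or a hello that carries no SNI. The function names are the example's own.

```python
import struct

# Constructed sample: a minimal TLS 1.2 ClientHello built from the record
# layout in RFC 5246 / RFC 6066. It is not a capture from any real client.
def build_client_hello(server_name=None):
    random_bytes = bytes(range(32))            # fixed, not random, for repeatability
    session_id = b""
    cipher_suites = b"\x13\x01\xc0\x2f"        # TLS_AES_128_GCM_SHA256, ECDHE-RSA-AES128-GCM-SHA256
    compression = b"\x00"                      # null compression only
    extensions = b""
    if server_name is not None:
        name = server_name.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name   # name_type 0 = host_name
        sni_data = struct.pack("!H", len(entry)) + entry
        extensions += struct.pack("!HH", 0x0000, len(sni_data)) + sni_data
    # A second extension (supported_versions) so the parser has something to skip.
    sv = b"\x02\x03\x04"
    extensions += struct.pack("!HH", 0x002B, len(sv)) + sv
    body = (b"\x03\x03" + random_bytes
            + bytes([len(session_id)]) + session_id
            + struct.pack("!H", len(cipher_suites)) + cipher_suites
            + bytes([len(compression)]) + compression
            + struct.pack("!H", len(extensions)) + extensions)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # record type 0x16


def extract_sni(data):
    """Return the host name from a ClientHello's SNI extension, or None.

    Every length field is bounds-checked so a truncated or hostile record
    returns None instead of raising; a passive monitor must not crash on junk.
    """
    if len(data) < 5 or data[0] != 0x16:           # not a TLS handshake record
        return None
    rec_len = struct.unpack("!H", data[3:5])[0]
    hs = data[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:              # not a ClientHello
        return None
    hs_len = int.from_bytes(hs[1:4], "big")
    hello = hs[4:4 + hs_len]
    if len(hello) < hs_len:                        # truncated record
        return None
    pos = 2 + 32                                   # client_version + random
    if pos >= len(hello):
        return None
    pos += 1 + hello[pos]                          # session_id
    if pos + 2 > len(hello):
        return None
    pos += 2 + struct.unpack("!H", hello[pos:pos + 2])[0]   # cipher_suites
    if pos >= len(hello):
        return None
    pos += 1 + hello[pos]                          # compression_methods
    if pos + 2 > len(hello):
        return None
    end = pos + 2 + struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2
    if end > len(hello):
        return None
    while pos + 4 <= end:                          # walk the extension list
        etype, elen = struct.unpack("!HH", hello[pos:pos + 4])
        pos += 4
        edata = hello[pos:pos + elen]
        pos += elen
        if etype != 0x0000 or len(edata) < 2:      # 0x0000 = server_name
            continue
        list_end = 2 + struct.unpack("!H", edata[:2])[0]
        p = 2
        while p + 3 <= min(list_end, len(edata)):
            ntype = edata[p]
            nlen = struct.unpack("!H", edata[p + 1:p + 3])[0]
            p += 3
            if ntype == 0 and p + nlen <= len(edata):
                return edata[p:p + nlen].decode("ascii", "replace")
            p += nlen
    return None


if __name__ == "__main__":
    for sample in (build_client_hello("mail.example.org"),
                   build_client_hello(None),
                   b"GET / HTTP/1.1\r\n"):
        print(extract_sni(sample))
```

The point for the checklist: host name, certificate chain and handshake fingerprints are available to a monitor with no private CA at all, so the decision to decrypt should rest on what the tool needs to see beyond that (URLs, payloads, file contents), not on the bare fact that the traffic is HTTPS.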
Visit www.hipaawatchdog.com for assistance with training, monitoring, and reporting security incidents.
CMS and AMA Announce Efforts to Help Providers Get Ready For ICD-10 Frequently Asked Questions
Q1. What if I run into a problem with the transition to ICD-10 on or after October 1, 2015?
A1. CMS understands that moving to ICD-10 is bringing significant changes to the provider community. CMS will set up a communication and collaboration center for monitoring the implementation of ICD-10. This center will quickly identify and initiate resolution of issues that arise as a result of the transition to ICD-10. As part of the center, CMS will have an ICD-10 Ombudsman to help receive and triage physician and provider issues. The Ombudsman will work closely with representatives in CMS’s regional offices to address physicians’ concerns. As we get closer to the October 1, 2015, compliance date, CMS will issue guidance about how to submit issues to the Ombudsman.
Q2. What happens if I use the wrong ICD-10 code? Will my claim be denied?
A2. While diagnosis coding to the correct level of specificity is the goal for all claims, for 12 months after ICD-10 implementation, Medicare review contractors will not deny physician or other practitioner claims billed under the Part B physician fee schedule through either automated medical review or complex medical record review based solely on the specificity of the ICD-10 diagnosis code as long as the physician/practitioner used a valid code from the right family. However, a valid ICD-10 code will be required on all claims starting on October 1, 2015. It is possible a claim could be chosen for review for reasons other than the specificity of the ICD-10 code and the claim would continue to be reviewed for these reasons. This policy will be adopted by the Medicare Administrative Contractors, the Recovery Audit Contractors, the Zone Program Integrity Contractors, and the Supplemental Medical Review Contractor.
Q3. What happens if I use the wrong ICD-10 code for quality reporting? Will Medicare deny an informal review request?
A3. For all quality reporting completed for program year 2015 Medicare clinical quality data review contractors will not subject physicians or other Eligible Professionals (EP) to the Physician Quality Reporting System (PQRS), Value Based Modifier (VBM), or Meaningful Use 2 (MU) penalty during primary source verification or auditing related to the additional specificity of the ICD-10 diagnosis code, as long as the physician/EP used a code from the correct family of codes. Furthermore, an EP will not be subjected to a penalty if CMS experiences difficulty calculating the quality scores for PQRS, VBM, or MU due to the transition to ICD-10 codes. CMS will not deny any informal review request based on 2015 quality measures if it is found that the EP submitted the requisite number/type of measures and appropriate domains on the specified number/percentage of patients, and the EP’s only error(s) is/are related to the specificity of the ICD-10 diagnosis code (as long as the physician/EP used a code from the correct family of codes). CMS will continue to monitor the implementation and adjust the timeframe if needed.
Q4. What is advanced payment and how can I access this if needed?
A4. When the Part B Medicare Contractors are unable to process claims within established time limits because of administrative problems, such as contractor system malfunction or implementation problems, an advance payment may be available. An advance payment is a conditional partial payment, which requires repayment, and may be issued when the conditions described in CMS regulations at 42 CFR Section 421.214 are met. To apply for an advance payment, the Medicare physician/supplier is required to submit the request to their appropriate Medicare Administrative Contractor (MAC). Should there be Medicare systems issues that interfere with claims processing, CMS and the MACs will post information on how to access advance payments. CMS does not have the authority to make advance payments in the case where a physician is unable to submit a valid claim for services rendered.
HIPAA Watchdog is Launched!
PRWeb News Release - June 10, 2015
HIPAA Watchdog’s comprehensive and affordable HIPAA compliance software, delivered as a service on an annual subscription, provides round-the-clock, round-the-year protection and guaranteed HIPAA compliance. We offer a confidential approach for healthcare organizations to maintain and track all of their privacy and security efforts.
Torrance, California (PRWEB) June 10, 2015 -- Over 100 customers have already used HIPAA Watchdog with complete satisfaction. HIPAA Watchdog is the only HIPAA security compliance product that comprehensively addresses all of an organization’s privacy and security compliance needs from one portal. Here’s what a few of our customers are saying.
"It was a great tool to quickly point out where the work needs to be done. The process was great." - Office Manager, Big Sur, CA Health Center
"HIPAA Watchdog offered an easy and straightforward way to meet our HIPAA goals. The website and initial assessment at the office were very helpful." - Office Manager, Saleem A. Waraich, M.D.
"I was very new to this. They were a great help, I recommended them to several offices in our area." - Office Manager, Indian River Surgery Center, Vero Beach, FL
Annual Subscription includes:
HIPAA Risk Assessments: HIPAA Watchdog allows a covered entity or business associate to conduct their own privacy and security assessments.
Risk Management: HIPAA Watchdog assessments result in an organization’s Risk Management Plan based on risks and ratings identified in the assessments. You can store and update your ongoing Privacy and Security Risk improvements as you implement them in this plan.
Policies and Procedures: HIPAA Watchdog allows you to develop and maintain your health center’s Security Policies and Procedures.
HIPAA Compliance for Employees: Online Training and the ability to track employees’ completion of their annual HIPAA training is included in the Organizational Profile.
HIPAA Compliance for Vendors: HIPAA Watchdog allows organizations to send and track their vendors’ Business Associate Agreements (BAAs).
HIPAA Watchdog Alerts: Monthly automatic notifications remind you when it’s time to update specific measures in your organization to remain HIPAA compliant.
Secure Email: Send and receive secure emails from one account for free or sign-up for multiple accounts.
Expert Support: Live help combined with support from a certified Security Expert ensures you understand and comply with the national privacy and security standards.
Media Contact: Suzanne Patterson
Division of e2o Health
Meaningful Use Assistance Available for Specialists in Orange County
Specialist Meaningful Use Assistance Program
COREC has partnered with e2o Health to provide Meaningful Use assistance to specialists. This program is designed for specialists in Orange County who need professional assistance to select and implement an electronic health record (EHR), reach Meaningful Use Stage 1 (MU Stage 1) or Meaningful Use Stage 2 (MU Stage 2), or obtain privacy and security assessments for their practice.
CalOptima Foundation’s Board of Directors allocated funding to provide specialists in Orange County similar opportunities as PCPs for EHR assistance. Specialists interested in receiving assistance in this program must meet the following criteria:
• Specialist must be contracted with CalOptima either with CalOptima Direct (COD) or the CalOptima Community Network (CCN).
• Specialist must serve CalOptima Medi-Cal and/or Medicare members.
• Specialist can belong to a medical group with 10 or fewer physicians, or be individual or partner practices.
The following are further details of assistance that are available:
1. EHR Install or upgrade: For specialists who do not have an EHR at all or need to change from one EHR to another due to attestation requirements. Service will include assessment and go-live.
2. Attestation and/or Year 1 assistance: Support for Meaningful Use Stage 1, Year 1, including the Security Risk Assessment (SRA) and privacy and security work, for specialists who already have an EHR and need to attest, if qualified.
3. MU Stage 1, Year 2: For specialists needing Meaningful Use Stage 1, Year 2 assistance with SRA, and Privacy and Security and to reach Stage 2
4. MU Stage 2, Year 1: For specialists needing Meaningful Use Stage 2, Year 1 support in SRA, and Privacy and Security
There is limited funding available for this program, and interested specialists will be enrolled on a first-come, first-served basis.
For more information about the program, please email us at email@example.com or call us at: 855-241-1145.
Fifth Annual Benchmark Study on Privacy and Security of Healthcare Data, May 2015
Activity monitoring must be part of the security footprint of healthcare organizations. For the first time, criminal attacks are the #1 cause of data breaches; this percentage is up 125% compared to five years ago.
Criminal activity is part of everyday business in healthcare: 65% of healthcare organizations and 87% of business associates (BAs) report security incidents involving electronic health data in the past two years. Many healthcare organizations believe they lack adequate funding to combat this.
Over the past five years, the most often reported root cause of breaches moved from stolen computers to criminal attacks, and employee negligence remains a top concern.
Trends in Privacy & Security, 2010–2015 (chart; figures not reproduced on this page)
Root causes of data breaches in healthcare organizations (chart categories):
• Lost/stolen computing devices
• Unintentional employee action
• Technical system glitch
Assessing risks after a security incident: 50% of healthcare organizations assess risks following a security incident. Methods surveyed (chart categories):
• Ad hoc process
• Automated process or software tool
• Incident response management platform
• Engage third parties